Merge pull request #16 from frack113/refactor/tools

Refactor/tools

Cargo.toml

@@ -25,6 +25,7 @@ rpath = false
 winres = "0"
 
 [dependencies]
+base64 = { version = "0.22.1" }
 windows = { version = "0.52", features = [
   "Win32_System_Pipes",
   "Win32_Foundation",
@@ -33,6 +34,7 @@ windows = { version = "0.52", features = [
   "Win32_UI_Shell",
   "Win32_System_IO",
   "Win32_System_Services",
+  "Win32_System_SystemServices",
 ] }
 clap = { version = "4", features = ["derive"] }
 rand = "0"

README.md

@@ -59,3 +59,16 @@ wag.exe <COMMAND>
 ```
 
 Example can be found here [cli_help](./docs/cli_help.md)
+
+# Actions
+
+ - [X] Alternate data stream
+ - [X] BYOVD: load a driver
+ - [X] file drop from executable
+ - [X] mutex
+ - [X] named pipe
+ - [X] ppid spoofing
+ - [ ] Stealer browers information (only open file)
+ - [ ] Stealer cryto wallet (only open file)
+ - [ ] Stealer file of interrest
+ - [ ] WMI action

docs/cli_help.md

@@ -6,93 +6,104 @@ SPDX-License-Identifier: GPL-3.0-or-later
 
 # Ads
 
-`wag ads -f file_full_path -a ads -d data`
+`wag ads -f fullpath -a ads -d data`
 
-| Type           | ads             | data                                                                                                                                     |
-| -------------- | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
-| ZoneTransfer 0 | Zone.Identifier | 5b5a6f6e655472616e736665725d0d0a5a6f6e6549643d300d0a526566657272657255726c3d633a5c77696e646f77735c7761672e7a69700d0a                     |
-| ZoneTransfer 1 | Zone.Identifier | 5b5a6f6e655472616e736665725d0d0a5a6f6e6549643d310d0a526566657272657255726c3d2f2f7376725f41442f7761672e7a69700d0a                         |
-| ZoneTransfer 2 | Zone.Identifier | 5b5a6f6e655472616e736665725d0d0a5a6f6e6549643d320d0a526566657272657255726c3d687474703a2f2f6d79736974652e6f72672f7761672e7a69700d0a       |
-| ZoneTransfer 3 | Zone.Identifier | 5b5a6f6e655472616e736665725d0d0a5a6f6e6549643d330d0a526566657272657255726c3d68747470733a2f2f736f6d65736974652e636f6d2f7761672e7a69700d0a |
-| ZoneTransfer 4 | Zone.Identifier | 5b5a6f6e655472616e736665725d0d0a5a6f6e6549643d340d0a526566657272657255726c3d687474703a2f2f6d616c776172652e6261642f7761672e7a69700d0a     |
-| Sysmon         | sysmon          | 4920616D20746865206265737420746F20686964652066726F6D207379736D6F6E"                                                                      |
+* fullpath: regex of the full path
+* ads: name of the stream
+* data: base64 of the data to write
+
+| Type           | ads             |  data                                                                                        |
+| -------------- | --------------- | -------------------------------------------------------------------------------------------- |
+| ZoneTransfer 0 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD0wDQpSZWZlcnJlclVybD1jOlx3aW5kb3dzXHdhZy56aXANCg==             |
+| ZoneTransfer 1 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD0xDQpSZWZlcnJlclVybD0vL3N2cl9BRC93YWcuemlwDQo=                 |
+| ZoneTransfer 2 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD0yDQpSZWZlcnJlclVybD1odHRwOi8vbXlzaXRlLm9yZy93YWcuemlwDQo=     |
+| ZoneTransfer 3 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD0zDQpSZWZlcnJlclVybD1odHRwczovL3NvbWVzaXRlLmNvbS93YWcuemlwDQo= |
+| ZoneTransfer 4 | Zone.Identifier | W1pvbmVUcmFuc2Zlcl0NClpvbmVJZD00DQpSZWZlcnJlclVybD1odHRwOi8vbWFsd2FyZS5iYWQvd2FnLnppcA0K     |
+| Sysmon         | sysmon          | SSBhbSB0aGUgYmVzdCB0byBoaWRlIGZyb20gc3lzbW9u                                                 |
 
 # File
 
 ## magicbytes
 
-| Type | Hex                                                  |
-| ---- | ---------------------------------------------------- |
-| Exe  | 4D5A                                                 |
-| Zip  | 504B0304                                             |
-| Vmdk | 4B444D                                               |
-| Iso  | 4344303031                                           |
-| Txt  | 412073696d706c6520746578742066696c65                 |
-| Ps1  | 77726974652d686f73742022574147207761732048657265220a |
+| Type | Hex                                  |
+| ---- | ------------------------------------ |
+| Exe  | TVo=                                 |
+| Zip  | UEsDBA==                             | 
+| Vmdk | S0RN                                 |
+| Iso  | Q0QwMDE=                             |
+| Txt  | QSBzaW1wbGUgdGV4dCBmaWxl             |
+| Ps1  | d3JpdGUtaG9zdCAiV0FHIHdhcyBIZXJlIgo= |
 
 ## well known File
 
-`wag file-create -f fullpath -m Magicbyte_Hex`
-`wag file-create -v cmd_var -p cmd_path -m Magicbyte_Hex`
-
-| name           | Admin | Magicbyte | fullpath                                     | cmd_var      | cmd_path                               |
-| -------------- | ----- | --------- | -------------------------------------------- | ------------ | -------------------------------------- |
-| NPPSpy         | true  | Exe       | `C:/Windows/System32/NPPSpy\.dll`            |              |                                        |
-| SafetyKatz     | false | Zip       |                                              | SystemRoot   | `Temp\\debug\.bin`                     |
-| SmallSieve_txt | false | Txt       |                                              | LocalAppData | `MicrosoftWindowsOutlookDataPlus\.txt` |
-| SmallSieve_exe | false | Exe       |                                              | AppData      | `OutlookMicrosift\\index\.exe`         |
-| SNAKE_jpsetup  | false | Exe       |                                              | TEMP         | `jpsetup\.exe`                         |
-| SNAKE_jpinst   | false | Exe       |                                              | TEMP         | `jpinst\\.exe`                         |
-| SNAKE_Comadmin | true  | Exe       | `C:\\Windows\\System32\\Com\\Comadmin\.dat`  |              |                                        |
-| COLDSTEEL_exe  | false | Exe       | `C:\\users\\public\\Documents\\dllhost\.exe` |              |                                        |
-| COLDSTEEL_dll  | false | Exe       |                                              | APPDATA      | `newdev\.dll`                          |
-| temp_ps1_12    | false | Ps1       |                                              | SystemRoot   | `temp\[0-9a-f]{12}\.ps1`               |
+`wag file-create -f fullpath -m Magicbyte_Hex `
+
+* fullpath: regex of the full path
+* Magicbyte_Hex: base64 of the magicbytes to write
+* admin: can use `--admin` to check if run as administrator
+
+| Type           | Admin | Magicbyte | fullpath                                                 | 
+| -------------- | ----- | --------- | -------------------------------------------------------- |
+| NPPSpy         | true  | Exe       | `C:/Windows/System32/NPPSpy\.dll`                        | 
+| SafetyKatz     | false | Zip       |  *SystemRoot* + `Temp\\debug\.bin`                       |
+| SmallSieve_txt | false | Txt       |  *LocalAppData* + `MicrosoftWindowsOutlookDataPlus\.txt` |
+| SmallSieve_exe | false | Exe       |  *AppData* + `OutlookMicrosift\\index\.exe`              |
+| SNAKE_jpsetup  | false | Exe       |  *TEMP* + `jpsetup\.exe`                                 |
+| SNAKE_jpinst   | false | Exe       |  *TEMP* + `jpinst\\.exe`                                 |
+| SNAKE_Comadmin | true  | Exe       | `C:\\Windows\\System32\\Com\\Comadmin\.dat`              |
+| COLDSTEEL_exe  | false | Exe       | `C:\\users\\public\\Documents\\dllhost\.exe`             |
+| COLDSTEEL_dll  | false | Exe       |  *APPDATA* + `newdev\.dll`                               |
+| temp_ps1_12    | false | Ps1       |  *SystemRoot* + `temp\[0-9a-f]{12}\.ps1`                 |
+
+Remark: You need to convert the environment variable into a correct regular expression.
 
 # Named pipe
 
-`wag name-pipe -n "regex"`
-
-| name               | regex                                              |                                |
-| ------------------ | -------------------------------------------------- | ------------------------------ |
-| CSExec             | `\\csexecsvc`                                      |                                |
-| psexec             | `\\psexec`                                         |                                |
-| psexec             | `\\PAExec`                                         |                                |
-| psexec             | `\\remcom`                                         |                                |
-| psexec             | `\\csexec`                                         |                                |
-| psexec             | `\\PSEXESVC`                                       |                                |
-| Cobal_strike       | `\\mojo\\.5688\\.8052\\.(?:183894939787088877      | 35780273329370473)[0-9a-f]{2}` |
-| Cobal_strike       | `\\wkssvc_?[0-9a-f]{2}`                            |                                |
-| Cobal_strike       | `\\ntsvcs[0-9a-f]{2}`                              |                                |
-| Cobal_strike       | `\\DserNamePipe[0-9a-f]{2}`                        |                                |
-| Cobal_strike       | `\\SearchTextHarvester[0-9a-f]{2}`                 |                                |
-| Cobal_strike       | `\\mypipe-(?:f                                     | h)[0-9a-f]{2}`                 |
-| Cobal_strike       | `\\windows\\.update\\.manager[0-9a-f]{2,3}`        |                                |
-| Cobal_strike       | `\\ntsvcs_[0-9a-f]{2}`                             |                                |
-| Cobal_strike       | `\\scerpc_?[0-9a-f]{2}`                            |                                |
-| Cobal_strike       | `\\PGMessagePipe[0-9a-f]{2}`                       |                                |
-| Cobal_strike       | `\\MsFteWds[0-9a-f]{2}`                            |                                |
-| Cobal_strike       | `\\f4c3[0-9a-f]{2}`                                |                                |
-| Cobal_strike       | `\\fullduplex_[0-9a-f]{2}`                         |                                |
-| Cobal_strike       | `\\msrpc_[0-9a-f]{4}`                              |                                |
-| Cobal_strike       | `\\win\\msrpc_[0-9a-f]{2}`                         |                                |
-| Cobal_strike       | `\\f53f[0-9a-f]{2}`                                |                                |
-| Cobal_strike       | `\\rpc_[0-9a-f]{2}`                                |                                |
-| Cobal_strike       | `\\spoolss_[0-9a-f]{2}`                            |                                |
-| Cobal_strike       | `\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,` |                                |
-| DiagTrackEoP       | `thisispipe`                                       |                                |
-| EfsPotato          | `\\pipe\\srvsvc`                                   |                                |
-| Credential_Dumping | `\\cachedump`                                      |                                |
-| Credential_Dumping | `\\lsadump`                                        |                                |
-| Credential_Dumping | `\\wceservicepipe`                                 |                                |
-| Koh                | `\\imposecost`                                     |                                |
-| Koh                | `\\imposingcost`                                   |                                |
-| PowerShell         | `\\PSHost`                                         |                                |
-| ADFS               | `\\MICROSOFT##WID\\tsql\\query`                    |                                |
+`wag name-pipe -n name`
+
+* name: named pipe name as a regex
+
+| Type               | name                                               |
+| ------------------ | -------------------------------------------------- | 
+| CSExec             | `\\csexecsvc`                                      |
+| psexec             | `\\psexec`                                         |
+| psexec             | `\\PAExec`                                         |
+| psexec             | `\\remcom`                                         |
+| psexec             | `\\csexec`                                         |
+| psexec             | `\\PSEXESVC`                                       | 
+| Cobal_strike       | `\\wkssvc_?[0-9a-f]{2}`                            | 
+| Cobal_strike       | `\\ntsvcs[0-9a-f]{2}`                              |
+| Cobal_strike       | `\\DserNamePipe[0-9a-f]{2}`                        |
+| Cobal_strike       | `\\SearchTextHarvester[0-9a-f]{2}`                 |
+| Cobal_strike       | `\\windows\\.update\\.manager[0-9a-f]{2,3}`        | 
+| Cobal_strike       | `\\ntsvcs_[0-9a-f]{2}`                             |
+| Cobal_strike       | `\\scerpc_?[0-9a-f]{2}`                            |
+| Cobal_strike       | `\\PGMessagePipe[0-9a-f]{2}`                       |
+| Cobal_strike       | `\\MsFteWds[0-9a-f]{2}`                            |
+| Cobal_strike       | `\\f4c3[0-9a-f]{2}`                                |
+| Cobal_strike       | `\\fullduplex_[0-9a-f]{2}`                         |
+| Cobal_strike       | `\\msrpc_[0-9a-f]{4}`                              |
+| Cobal_strike       | `\\win\\msrpc_[0-9a-f]{2}`                         |
+| Cobal_strike       | `\\f53f[0-9a-f]{2}`                                |
+| Cobal_strike       | `\\rpc_[0-9a-f]{2}`                                |
+| Cobal_strike       | `\\spoolss_[0-9a-f]{2}`                            |
+| Cobal_strike       | `\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,` |
+| DiagTrackEoP       | `thisispipe`                                       |
+| EfsPotato          | `\\pipe\\srvsvc`                                   |
+| Credential_Dumping | `\\cachedump`                                      |
+| Credential_Dumping | `\\lsadump`                                        |
+| Credential_Dumping | `\\wceservicepipe`                                 |
+| Koh                | `\\imposecost`                                     |
+| Koh                | `\\imposingcost`                                   | 
+| PowerShell         | `\\PSHost`                                         | 
+| ADFS               | `\\MICROSOFT##WID\\tsql\\query`                    | 
 
 # Mutex
 
-`wag mutex -n "regex"`
+`wag mutex -n name`
+
+* name: mutex name as a regex
 
-| name       | regex              |
+| Type       | name               |
 | ---------- | ------------------ |
 | avoslocker | `Cheic0WaZie6zeiy` |

src/main.rs

@@ -4,9 +4,10 @@
 
 mod cli;
 mod malware;
+mod windows;
 
-use cli::Arguments;
 use clap::Parser;
+use cli::Arguments;
 
 fn banner() {
     let banner: &str = "

src/malware.rs

@@ -8,4 +8,3 @@ pub mod mutex;
 pub mod namepipe;
 pub mod ppid;
 pub mod service;
-pub mod tools;

src/malware/ads.rs

@@ -6,11 +6,9 @@
 //
 // Last update 20240224
 
-use crate::malware::tools::{
-    hex_to_bytes, regex_to_string, EXIST_ALL_GOOD, EXIST_CLI_ERROR, EXIST_TEST_ERROR,
-};
-
+use base64::engine::{general_purpose, Engine};
 use clap::Parser;
+use regex_generate::{Generator, DEFAULT_MAX_REPEAT};
 use std::path::Path;
 
 #[derive(Parser)]
@@ -19,24 +17,17 @@ pub struct ADS {
         short = 'f',
         long,
         required = true,
-        default_value = "",
         help = "Full path filename (regex)"
     )]
     filename: String,
-    #[clap(
-        short = 'a',
-        long,
-        required = true,
-        default_value = "",
-        help = "ADS to use"
-    )]
+    #[clap(short = 'a', long, required = true, help = "ADS to use")]
     ads: String,
     #[clap(
         short = 'd',
         long,
-        required = true,
-        default_value = "",
-        help = "Data to write in HEX"
+        required = false,
+        default_value = "V2VsY29tZSB0byB0aGUgV0FH",
+        help = "Data to write in base64"
     )]
     data: String,
 }
@@ -79,23 +70,42 @@ impl ADS {
         println!("Alternate Data Stream");
 
         if self.filename.len() > 0 {
-            let fullname: String = regex_to_string(&self.filename);
+            let mut generator: Generator<rand::rngs::ThreadRng> =
+                match Generator::new(&self.filename, rand::thread_rng(), DEFAULT_MAX_REPEAT) {
+                    Ok(generator) => generator,
+                    Err(_) => {
+                        println!("Regex expressions are malformed.");
 
-            let header: Option<Vec<u8>> = hex_to_bytes(&self.data);
-            let payload: Vec<u8> = match header {
-                Some(data) => data,
-                None => vec![70, 114, 97, 99, 107, 49, 49, 51],
-            };
+                        return 1;
+                    }
+                };
+            let mut buffer: Vec<u8> = vec![];
+            generator.generate(&mut buffer).unwrap();
+            let fullname: String = match String::from_utf8(buffer) {
+                Ok(string) => string,
+                Err(_) => {
+                    println!("Filename contains non-utf8 characters.");
 
+                    return 1;
+                }
+            };
             let barrow_ads: String = self.ads.to_string();
+            let payload: Vec<u8> = match general_purpose::STANDARD.decode(self.data.as_str()) {
+                Ok(decoded) => decoded,
+                Err(_) => {
+                    println!("Could not decode the data.");
+
+                    return 1;
+                }
+            };
             let ret_ads: bool = create_ads(fullname, barrow_ads, payload);
             if ret_ads == true {
-                return EXIST_ALL_GOOD;
+                return 0;
             } else {
-                return EXIST_TEST_ERROR;
+                return 1;
             }
         }
 
-        EXIST_CLI_ERROR
+        return 1;
     }
 }