-
-
Save hasherezade/6662b534d08786ddf1ba73457d4b94fe to your computer and use it in GitHub Desktop.
Magniber tester
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#pragma once | |
#include <windows.h> | |
// function encrypting the file: | |
__int64 __fastcall encrypt_file(WCHAR* filename); | |
// function perfoming the RSA encryption with the given parameters: | |
void* __fastcall protect_by_assymetric_crypt( | |
DWORD* out_buf, | |
DWORD* padded_data_M, | |
DWORD* rsa_pub_e, | |
int rsa_pub_e_size, | |
DWORD* rsa_pub_n, | |
unsigned int rsa_pub_n_size); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <windows.h> | |
#include <iostream> | |
#include <detours.h> //Requires MS Detours library | |
#include "util.h" | |
#include "magni_api.h" | |
BYTE* g_Shellc = nullptr; | |
size_t g_ShellcSize = 0; | |
decltype(&encrypt_file) _encrypt_file = nullptr; | |
decltype(&protect_by_assymetric_crypt) _protect_by_assymetric_crypt = nullptr; | |
bool init_functions() | |
{ | |
if (!g_Shellc) return false; | |
_encrypt_file = reinterpret_cast<decltype(&encrypt_file)>(g_Shellc + 0x4B30); | |
_protect_by_assymetric_crypt = reinterpret_cast<decltype(&protect_by_assymetric_crypt)>(g_Shellc + 0x1980); | |
return true; | |
} | |
void* __fastcall my_protect_by_assymetric_crypt( | |
DWORD* out_buf, | |
DWORD* padded_data_m, | |
DWORD* rsa_pub_e, | |
int rsa_pub_e_size, | |
DWORD* rsa_pub_n, | |
unsigned int rsa_pub_n_size) | |
{ | |
std::cout << __FUNCTION__ << "\n"; | |
dump_to_file("rsa_pub_e.bin", rsa_pub_e, rsa_pub_e_size); | |
dump_to_file("rsa_pub_n.bin", rsa_pub_n, rsa_pub_n_size); | |
dump_to_file("padded_data_m.bin", padded_data_m, rsa_pub_n_size); | |
void* val = _protect_by_assymetric_crypt(out_buf, padded_data_m, rsa_pub_e, rsa_pub_e_size, rsa_pub_n, rsa_pub_n_size); | |
dump_to_file("out_buf.bin", out_buf, rsa_pub_n_size); | |
return val; | |
} | |
void hook_apis() | |
{ | |
DetourTransactionBegin(); | |
DetourUpdateThread(GetCurrentThread()); | |
DetourAttach(&(PVOID&)_protect_by_assymetric_crypt, my_protect_by_assymetric_crypt); | |
DetourTransactionCommit(); | |
} | |
int wmain(int argc, WCHAR*argv[]) | |
{ | |
const char shc_file[] = "magni.shc"; // sample: 3a2b8ef624b4318fc142a6266c70f88799e80d10566f6dd2d8d74e91d651491a | |
g_Shellc = load_file(shc_file, g_ShellcSize, PAGE_EXECUTE_READWRITE); | |
if (!g_Shellc) { | |
std::cerr << "Failed to load the shellcode! Missing file: " << shc_file << "\n"; | |
return (-1); | |
} | |
if (argc < 2) { | |
std::cout << "Args: <file path>\n"; | |
return 0; | |
} | |
init_functions(); | |
hook_apis(); | |
WCHAR* filename = argv[1]; | |
std::cout << "Encrypt res: " << _encrypt_file(filename) << "\n"; | |
return 0; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include "util.h" | |
BYTE* alloc_aligned(size_t buffer_size, DWORD protect, ULONGLONG desired_base) | |
{ | |
if (!buffer_size) return NULL; | |
BYTE* buf = (BYTE*)VirtualAlloc((LPVOID)desired_base, buffer_size, MEM_COMMIT | MEM_RESERVE, protect); | |
return buf; | |
} | |
bool free_aligned(BYTE* buffer) | |
{ | |
if (buffer == nullptr) return true; | |
if (!VirtualFree(buffer, 0, MEM_RELEASE)) { | |
#ifdef _DEBUG | |
std::cerr << "Releasing failed" << std::endl; | |
#endif | |
return false; | |
} | |
return true; | |
} | |
BYTE* load_file(IN const char* filename, OUT size_t& read_size, DWORD protection) | |
{ | |
HANDLE file = CreateFileA(filename, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); | |
if (file == INVALID_HANDLE_VALUE) { | |
#ifdef _DEBUG | |
std::cerr << "Could not open file!" << std::endl; | |
#endif | |
return nullptr; | |
} | |
HANDLE mapping = CreateFileMapping(file, 0, PAGE_READONLY, 0, 0, 0); | |
if (!mapping) { | |
#ifdef _DEBUG | |
std::cerr << "Could not create mapping!" << std::endl; | |
#endif | |
CloseHandle(file); | |
return nullptr; | |
} | |
BYTE* dllRawData = (BYTE*)MapViewOfFile(mapping, FILE_MAP_READ, 0, 0, 0); | |
if (!dllRawData) { | |
#ifdef _DEBUG | |
std::cerr << "Could not map view of file" << std::endl; | |
#endif | |
CloseHandle(mapping); | |
CloseHandle(file); | |
return nullptr; | |
} | |
size_t r_size = GetFileSize(file, 0); | |
if (read_size != 0 && read_size <= r_size) { | |
r_size = read_size; | |
} | |
if (IsBadReadPtr(dllRawData, r_size)) { | |
std::cerr << "[-] Mapping of " << filename << " is invalid!" << std::endl; | |
UnmapViewOfFile(dllRawData); | |
CloseHandle(mapping); | |
CloseHandle(file); | |
return nullptr; | |
} | |
BYTE* localCopyAddress = alloc_aligned(r_size, protection, 0); | |
if (localCopyAddress != nullptr) { | |
memcpy(localCopyAddress, dllRawData, r_size); | |
read_size = r_size; | |
} | |
else { | |
read_size = 0; | |
#ifdef _DEBUG | |
std::cerr << "Could not allocate memory in the current process" << std::endl; | |
#endif | |
} | |
UnmapViewOfFile(dllRawData); | |
CloseHandle(mapping); | |
CloseHandle(file); | |
return localCopyAddress; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#pragma once | |
#include <windows.h> | |
#include <iostream> | |
BYTE* alloc_aligned(size_t buffer_size, DWORD protect, ULONGLONG desired_base); | |
bool free_aligned(BYTE* buffer); | |
BYTE* load_file(IN const char* filename, OUT size_t& read_size, DWORD protection); | |
template<typename T> | |
void print_buffer(T* buf, size_t buf_size) | |
{ | |
std::cout << "Buf of size: " << std::dec << buf_size <<"\n"; | |
size_t size = buf_size * sizeof(T); | |
for (size_t i = 0; i < buf_size; ++i) { | |
std::cout << std::hex << (int)buf[i] << ", "; | |
} | |
std::cout << "\n"; | |
} | |
template<typename T> | |
bool dump_to_file(const char *filename, T* buf, size_t buf_size) | |
{ | |
FILE* fp = fopen(filename, "wb"); | |
if (!fp) { | |
return false; | |
} | |
fwrite(buf, sizeof(T), buf_size, fp); | |
fclose(fp); | |
return true; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment