Merge pull request #5 from leonav-unizar/interrogate-scan

Interrogate scan

Author: leonav-unizar

CMakeLists.txt

@@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.15)
 
 set(CMAKE_SYSTEM_NAME Windows)
-project(KeyReaper VERSION 1.5.0)
+project(KeyReaper VERSION 1.6.0)
 set(PROGRAM_NAME "KeyReaper")
 
 set(MSVC True)
@@ -27,19 +27,13 @@ endif()
 
 ## Ease for includes
 add_library(common_includes INTERFACE)
+add_library(interrogate_include INTERFACE)
 target_include_directories(common_includes INTERFACE ${PROJECT_SOURCE_DIR}/include/keyreaper)
+target_include_directories(interrogate_include INTERFACE ${PROJECT_SOURCE_DIR}/include/interrogate)
 
 # 3rd parties
 include(FetchContent)
 
-# Interrogate
-FetchContent_Declare(
-    interrogate
-    URL https://sourceforge.net/projects/interrogate/files/interrogate/0.0.4/interrogate-0.0.4-source.tar.gz/download
-    DOWNLOAD_EXTRACT_TIMESTAMP TRUE
-)
-FetchContent_MakeAvailable(interrogate)
-
 # JSON library
 FetchContent_Declare(
   json
@@ -91,6 +85,7 @@ add_executable(${EXECUTABLE_NAME}
     ${SOURCE_BASE_DIR}/config.cc
     ${SOURCE_BASE_DIR}/program_result.cc
     ${SOURCE_BASE_DIR}/key.cc
+    ${SOURCE_BASE_DIR}/interrogate/aes.cc
     ${SOURCE_BASE_DIR}/scanners.cc
     ${SOURCE_BASE_DIR}/key_scanner.cc
     ${SOURCE_BASE_DIR}/injection/custom_ipc.cc
@@ -100,7 +95,7 @@ add_executable(${EXECUTABLE_NAME}
 )
 
 # Link nlohmann/json to your executable
-target_link_libraries(${EXECUTABLE_NAME} PRIVATE nng nlohmann_json CLI11::CLI11 tomlplusplus::tomlplusplus common_includes ${TITAN_ENGINE_LIB})
+target_link_libraries(${EXECUTABLE_NAME} PRIVATE nng nlohmann_json CLI11::CLI11 tomlplusplus::tomlplusplus interrogate_include common_includes ${TITAN_ENGINE_LIB})
 # Executable output
 set_target_properties(${EXECUTABLE_NAME} PROPERTIES OUTPUT_NAME "${EXECUTABLE_NAME}_${ARCHITECTURE_APPEND}")
 # TitanEngine DLL dependency

include/interrogate/aes.h

@@ -0,0 +1,45 @@
+#ifndef AES_INTERROGATE_H
+#define AES_INTERROGATE_H
+
+#include <windows.h>
+#include <vector>
+#include <algorithm>
+
+namespace interrogate {
+
+typedef struct {
+  unsigned int     keytype, /* Keytype to be searched for */
+  keysize,                  /* The key size that are to be searched for */
+  wsize,                    /* The search window size */
+  nofs,                     /* The number of symbols in our alphabet */
+  bitmode,                  /* Bitmode boolean */
+  verbose,                  /* Verbose mode */
+  naivemode,                /* Calculate true entropy */
+  quickmode,                /* Non-overlapping entropy windows */
+  interval,                 /* Only search in interval (boolean) */
+  from,                     /* Starting point */
+  to,                       /* End point */
+  cr3,                      /* CR3 offset in case recunstruction of mem */
+  filelen,                  /* Input file length in bytes */
+  bytethreshold;            /* Threshold for bytecount */
+  FILE    *output_fp;       /* Pointer to output file for statistics */
+  float   threshold;        /* Entropy threshold */
+  long    count;            /* Number of keys found */
+}
+interrogate_context;
+
+void rotate(unsigned char *in);
+unsigned char rcon(unsigned char in);
+unsigned char gmul(unsigned char a, unsigned char b);
+unsigned char gmul_inverse(unsigned char in);
+unsigned char sbox(unsigned char in);
+void schedule_core(unsigned char *in, unsigned char i);
+void expand_key(unsigned char *in);
+void expand_key_192(unsigned char *in);
+void expand_key_256(unsigned char *in);
+
+std::vector<std::vector<BYTE>> aes_search(interrogate_context* ctx, unsigned char* buffer);
+
+} // namespace interrogate
+
+#endif // AES_INTERROGATE_H

src/custom-ransomware/basic-ransomware.cc

@@ -277,7 +277,6 @@ void GenerateKeyChunck(HCRYPTPROV provider, ALG_ID alg, DWORD number_of_keys) {
             if (alg == CALG_RSA_KEYX || alg == CALG_RSA_SIGN) {
                 printf(" [i] Asymmetric algorithm detected\n");
                 data_len = 2048;
-                getchar();
 
                 result = CryptExportKey(key, NULL, PRIVATEKEYBLOB, 0, buffer2, &data_len);
                 if (result == 0) printf(" [x] Could not export the private pair\n");
@@ -450,7 +449,8 @@ int main(int argc, char* argv[]) {
 
     // CheckAllBlockSizes(phProv);
     // GenerateKeyWithIV(phProv);
-    GenerateKeyChunck(phProv, CALG_RSA_KEYX, 1);
+    GenerateKeyChunck(phProv, CALG_AES_128, 1);
+    getchar();
 
     // create a hash object from the CSP (cryptographic service provider)
     HCRYPTHASH hHash;