Merge branch 'main' into interrogate-scan

Author: leonav-unizar

CMakeLists.txt

@@ -1,8 +1,8 @@
-cmake_minimum_required(VERSION 3.10)
+cmake_minimum_required(VERSION 3.15)
 
 set(CMAKE_SYSTEM_NAME Windows)
-project(Craperv2 VERSION 1.0.1)
-set(PROGRAM_NAME "CRAPER")
+project(KeyReaper VERSION 1.5.0)
+set(PROGRAM_NAME "KeyReaper")
 
 set(MSVC True)
 set(CMAKE_CXX_STANDARD 20)
@@ -27,7 +27,7 @@ endif()
 
 ## Ease for includes
 add_library(common_includes INTERFACE)
-target_include_directories(common_includes INTERFACE ${PROJECT_SOURCE_DIR}/include/craper)
+target_include_directories(common_includes INTERFACE ${PROJECT_SOURCE_DIR}/include/keyreaper)
 target_include_directories(interrogate_include INTERFACE ${PROJECT_SOURCE_DIR}/include/interrogate)
 
 # 3rd parties
@@ -60,6 +60,21 @@ FetchContent_Declare(
 )
 FetchContent_MakeAvailable(cli11_proj)
 
+FetchContent_Declare(
+    tomlplusplus
+    GIT_REPOSITORY https://github.com/marzer/tomlplusplus.git
+    GIT_TAG        v3.4.0
+)
+FetchContent_MakeAvailable(tomlplusplus)
+
+FetchContent_Declare(
+    nng
+    GIT_REPOSITORY https://github.com/nanomsg/nng.git
+    GIT_TAG        v1.10.1
+)
+FetchContent_MakeAvailable(nng)
+target_include_directories(common_includes INTERFACE ${nng_SOURCE_DIR}/include)
+
 # TitanEngine
 set(TITAN_ENGINE_DIR "${CMAKE_SOURCE_DIR}/TitanEngine")
 set(TITAN_ENGINE_DLL "${TITAN_ENGINE_DIR}/TitanEngine_${ARCHITECTURE_APPEND}.dll")
@@ -68,7 +83,7 @@ include_directories(${TITAN_ENGINE_DIR})
 
 ### Binaries #############
 
-set(EXECUTABLE_NAME "craper")
+set(EXECUTABLE_NAME "KeyReaper")
 
 # Set version number
 configure_file(
@@ -78,17 +93,20 @@ configure_file(
 )
 
 add_executable(${EXECUTABLE_NAME}
+    ${SOURCE_BASE_DIR}/config.cc
     ${SOURCE_BASE_DIR}/program_result.cc
     ${SOURCE_BASE_DIR}/key.cc
     ${interrogate_SOURCE_DIR}/aes.c
     ${SOURCE_BASE_DIR}/scanners.cc
     ${SOURCE_BASE_DIR}/key_scanner.cc
+    ${SOURCE_BASE_DIR}/injection/custom_ipc.cc
+    ${SOURCE_BASE_DIR}/injection/injector.cc
     ${SOURCE_BASE_DIR}/process_capturer.cc
     ${CMAKE_CURRENT_BINARY_DIR}/main.cc
 )
 
 # Link nlohmann/json to your executable
-target_link_libraries(${EXECUTABLE_NAME} PRIVATE nlohmann_json CLI11::CLI11 common_includes interrogate_include ${TITAN_ENGINE_LIB})
+target_link_libraries(${EXECUTABLE_NAME} PRIVATE nng nlohmann_json CLI11::CLI11 tomlplusplus::tomlplusplus interrogate_include common_includes ${TITAN_ENGINE_LIB})
 # Executable output
 set_target_properties(${EXECUTABLE_NAME} PROPERTIES OUTPUT_NAME "${EXECUTABLE_NAME}_${ARCHITECTURE_APPEND}")
 # TitanEngine DLL dependency
@@ -101,6 +119,7 @@ add_custom_command(TARGET ${EXECUTABLE_NAME} POST_BUILD
 set(EXECUTABLE_NAME "ransy")
 add_executable(${EXECUTABLE_NAME}
     ${SOURCE_BASE_DIR}/key.cc
+    ${SOURCE_BASE_DIR}/cryptoapi.cc
     ${SOURCE_BASE_DIR}/program_result.cc
     ${SOURCE_BASE_DIR}/custom-ransomware/basic-ransomware.cc
 )
@@ -126,39 +145,22 @@ set_target_properties(${EXECUTABLE_NAME} PROPERTIES OUTPUT_NAME "${EXECUTABLE_NA
 
 
 # --- Injected DLL -----------------
-set(LIBRARY_NAME "evil")
+set(LIBRARY_NAME "injectable_server")
 add_library(${LIBRARY_NAME} SHARED
     ${SOURCE_BASE_DIR}/program_result.cc
-    ${SOURCE_BASE_DIR}/injection/interproc_coms.cc
+    ${SOURCE_BASE_DIR}/cryptoapi.cc
+    ${SOURCE_BASE_DIR}/injection/custom_ipc.cc
     ${SOURCE_BASE_DIR}/injection/cryptoapi_key_exporter.cc
 )
-target_link_libraries(${LIBRARY_NAME} PRIVATE common_includes)
+target_link_libraries(${LIBRARY_NAME} PRIVATE nng common_includes)
 set_target_properties(${LIBRARY_NAME} PROPERTIES OUTPUT_NAME "${LIBRARY_NAME}_${ARCHITECTURE_APPEND}")
 
 # --- Test Injector ----------------
 set(EXECUTABLE_NAME "injector")
 add_executable(${EXECUTABLE_NAME}
     ${SOURCE_BASE_DIR}/program_result.cc
-    ${SOURCE_BASE_DIR}/injection/interproc_coms.cc
-    ${SOURCE_BASE_DIR}/injection/injector.cc
+    ${SOURCE_BASE_DIR}/injection/custom_ipc.cc
+    ${SOURCE_BASE_DIR}/injection/injector_program.cc
 )
-target_link_libraries(${EXECUTABLE_NAME} PRIVATE common_includes)
-set_target_properties(${EXECUTABLE_NAME} PROPERTIES OUTPUT_NAME "${EXECUTABLE_NAME}_${ARCHITECTURE_APPEND}")
-
-set(EXECUTABLE_NAME "test_client")
-add_executable(${EXECUTABLE_NAME}
-    ${SOURCE_BASE_DIR}/program_result.cc
-    ${SOURCE_BASE_DIR}/injection/interproc_coms.cc
-    ${SOURCE_BASE_DIR}/injection/test/test_client.cc
-)
-target_link_libraries(${EXECUTABLE_NAME} PRIVATE common_includes)
-set_target_properties(${EXECUTABLE_NAME} PROPERTIES OUTPUT_NAME "${EXECUTABLE_NAME}_${ARCHITECTURE_APPEND}")
-
-set(EXECUTABLE_NAME "test_server")
-add_executable(${EXECUTABLE_NAME}
-    ${SOURCE_BASE_DIR}/program_result.cc
-    ${SOURCE_BASE_DIR}/injection/interproc_coms.cc
-    ${SOURCE_BASE_DIR}/injection/test/test_server.cc
-)
-target_link_libraries(${EXECUTABLE_NAME} PRIVATE common_includes)
+target_link_libraries(${EXECUTABLE_NAME} PRIVATE nng common_includes)
 set_target_properties(${EXECUTABLE_NAME} PROPERTIES OUTPUT_NAME "${EXECUTABLE_NAME}_${ARCHITECTURE_APPEND}")

README.md

@@ -68,9 +68,9 @@ It is split into two main subcommands (so far) which allows us to scan for keys
 and managing processes' execution `proc`. You can invoke the program with the help
 flag for further information.
 ```
-PS C:\> .\craper_x86.exe --help
-CRAPER: cryptographic key recovery for live processes
-Usage: C:\craper_x86.exe [OPTIONS] SUBCOMMAND
+PS C:\> .\KeyReaper_x86.exe --help
+KeyReaper: cryptographic key recovery for live processes
+Usage: C:\KeyReaper_x86.exe [OPTIONS] SUBCOMMAND
 
 Options:
   -h,--help                   Print this help message and exit
@@ -83,9 +83,9 @@ Subcommands:
 Subcommands have also a help menu with information.
 
 ```
-PS C:\> .\craper_x86.exe scan --help
+PS C:\> .\KeyReaper_x86.exe scan --help
 Scan for keys in the process
-Usage: C:\craper_x86.exe scan [OPTIONS]
+Usage: C:\KeyReaper_x86.exe scan [OPTIONS]
 
 Options:
   -h,--help                   Print this help message and exit
@@ -102,7 +102,7 @@ Options:
 
 An example execution:
 ```
-PS C:\> .\craper_x86.exe scan -p 1717 -b ntpause -o "keys.json" --scanners crapi roundkey
+PS C:\> .\KeyReaper_x86.exe scan -p 1717 -b ntpause -o "keys.json" --scanners crapi roundkey
 ```
 
 ## Library

include/craper/injection/interproc_coms.h

@@ -0,0 +1,26 @@
+#ifndef CONFIG_H_
+#define CONFIG_H_
+
+#include <toml++/toml.hpp>
+#include <string>
+#include <program_result.h>
+
+class Config {
+ public:
+  static Config& Instance();  // Singleton accessor
+
+  error_handling::ProgramResult Load(const std::string& filename);
+
+  std::wstring GetKeyExtractorDLLPath() const;
+
+ private:
+  Config() = default;  // Private constructor
+  ~Config() = default;
+
+  Config(const Config&) = delete;
+  Config& operator=(const Config&) = delete;
+
+  std::string key_extractor_dll_;
+};
+
+#endif  // CONFIG_H_

include/keyreaper/config.h

@@ -57,6 +57,26 @@ struct HCRYPTKEY {
   magic_s *magic; // XOR-ed
 };
 
+/**
+ * This function performs the necessary indirections
+ *  to get the pointer to the CRYPTKEY struct from
+ *  the HCRYPTKEY struct.
+ * DON'T use it on a dump, as it does not calculate
+ *  the offsets.
+ */
+cryptoapi::key_data_s* GetKeyStruct(::HCRYPTKEY key);
+
+/**
+ * This function sets the exportable bit of an HCRYPTKEY
+ *  to be able to export it with CryptExportKey even if
+ *  it was not generated with the CRYPT_EXPORTABLE flag set.
+ * Will work with any type of key, but bare in mind that 
+ *  private pairs check other things too.
+ * DO NOT use it on a dump, as it does not calculate
+ *  the offsets.
+ */
+void ForceExportBit(::HCRYPTKEY key);
+
 } // namespace cryptoapi
 } // namespace key_scanner