Projects STRLCPY ekko-rs Commits 788094eb
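--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,11 @@
+# Generated by Cargo
+# will have compiled files and executables
+/target/
+
+# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
+# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
+Cargo.lock
+
+# These are backup files generated by rustfmt
+**/*.rs.bk
+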
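--- a/Cargo.toml
+++ b/Cargo.toml
@@ -0,0 +1,44 @@
+[package]
+name = "ekko-rs"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+[profile.release]
+opt-level = "z" # Optimize for size.
+lto = true # Enable Link Time Optimization
+codegen-units = 1 # Reduce number of codegen units to increase optimizations.
+panic = "abort" # Abort on panic
+strip = true # Automatically strip symbols from the binary.
+
+[dependencies]
+env_logger = "0.9.0"
+log = "0.4.17"
+obfstr = "0.4.3"
+ntapi = "0.4.0"
+
+[dependencies.windows-sys]
+version = "0.45.0"
+features = [
+ "Win32_Foundation",
+ "Win32_Security",
+ "Win32_System_Threading",
+ "Win32_UI_WindowsAndMessaging",
+ "Win32_System_Memory",
+ "Win32_System_Diagnostics_Debug",
+ "Win32_System_SystemServices",
+ "Win32_System_WindowsProgramming",
+ "Win32_System_LibraryLoader",
+ "Win32_NetworkManagement_IpHelper",
+ "Win32_Networking_WinSock",
+ "Win32_System_SystemInformation",
+ "Win32_System_Environment",
+ "Win32_System_ProcessStatus",
+ "Win32_Globalization",
+ "Win32_System_Diagnostics_ToolHelp",
+ "Win32_System_Kernel",
+ "Win32_System_Pipes",
+ "Win32_Storage_FileSystem",
+ "Win32_System_IO",
+]
+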
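Review bot: Cargo.lock is excluded by the .gitignore committed alongside this manifest, yet the package builds a binary (src/main.rs), and the .gitignore's own comment says the lockfile should be kept for executables; without it the dependency tree under `windows-sys`, `ntapi`, `obfstr`, `env_logger` and `log` resolves afresh on every checkout, so builds are neither reproducible nor auditable. `obfstr` and `ntapi` are declared here but not referenced by any file in this commit; dropping them until they are actually used keeps the dependency surface minimal. A short comment on the `[dependencies]` block stating which features of `windows-sys` the code currently needs would also help, since the feature list is much broader than what src/ekko.rs imports.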
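--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2022 memN0ps
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+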
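--- a/README.md
+++ b/README.md
@@ -0,0 +1,9 @@
+# Ekko in Rust
+
+Work in progress (incomplete)
+
+## Credits / References
+
+- [@C5pider](https://twitter.com/C5pider) https://github.com/Cracked5pider/Ekko/
+- [Austin Hudson (@SecIdiot)](https://twitter.com/ilove2pwn_) https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html
+- Originally discovered by [Peter Winter-Smith](peterwintrsmith) and used in MDSec’s Nighthawk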
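--- a/src/ekko.rs
+++ b/src/ekko.rs
@@ -0,0 +1,53 @@
+use windows_sys::Win32::{System::{Diagnostics::Debug::{CONTEXT, IMAGE_NT_HEADERS64, RtlCaptureContext}, Threading::{CreateEventW, CreateTimerQueue, CreateTimerQueueTimer, WT_EXECUTEINTIMERTHREAD}, LibraryLoader::{GetProcAddress, GetModuleHandleA}, SystemServices::IMAGE_DOS_HEADER}, Foundation::{HANDLE, UNICODE_STRING}};
+use std::{mem::zeroed, ptr::null_mut, ffi::c_void};
+
+pub fn ekko(sleep_time: u32) {
+ let ctx_thread: CONTEXT = unsafe { zeroed::<CONTEXT>() };
+ let rop_prot_rw: CONTEXT = unsafe { zeroed::<CONTEXT>() };
+ let rop_mem_enc: CONTEXT = unsafe { zeroed::<CONTEXT>() };
+ let rop_delay: CONTEXT = unsafe { zeroed::<CONTEXT>() };
+ let rop_mem_dec: CONTEXT = unsafe { zeroed::<CONTEXT>() };
+ let rop_prot_rx: CONTEXT = unsafe { zeroed::<CONTEXT>() };
+ let rop_set_evt: CONTEXT = unsafe { zeroed::<CONTEXT>() };
+
+ //let h_timer_queue: HANDLE = 0;
+ let mut h_new_timer: HANDLE = 0;
+ //let h_event: HANDLE = 0;
+ //let image_base: *mut c_void = null_mut();
+ //let image_size: u32 = 0;
+ let old_protect = 0;
+
+ // This can be a randomly generated key
+ let key_buf: [i8; 16] = [0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55];
+ let key: UNICODE_STRING = unsafe { zeroed::<UNICODE_STRING>() };
+ let img: UNICODE_STRING = unsafe { zeroed::<UNICODE_STRING>() };
+
+ //let nt_continue: *mut c_void = null_mut();
+ //let sys_func032: *mut c_void = null_mut();
+
+ let h_event = unsafe { CreateEventW(null_mut(), 0, 0, null_mut()) };
+ let h_timer_queue = unsafe { CreateTimerQueue() };
+
+ let nt_continue = unsafe { GetProcAddress(GetModuleHandleA("ntdll".as_ptr()), "NtContinue".as_ptr()) };
+ let sys_func032 = unsafe { GetProcAddress(GetModuleHandleA("Ntdll".as_ptr()), "SystemFunction032".as_ptr()) };
+
+ let image_base = unsafe { GetModuleHandleA(null_mut()) };
+ let dos_header = image_base as *mut IMAGE_DOS_HEADER;
+ let nt_headesr = unsafe { (*dos_header).e_lfanew as *mut IMAGE_NT_HEADERS64 };
+ let image_size = unsafe { (*nt_headesr).OptionalHeader.SizeOfImage };
+
+ key.Buffer = key_buf.as_mut_ptr() as *mut u16;
+ key.Length = key_buf.len() as _; // 16
+ key.MaximumLength = key_buf.len() as _; // 16
+
+ img.Buffer = image_base as *mut u16;
+
+ type fnRtlCaptureContext = unsafe extern "system" fn(contextrecord: *mut CONTEXT);
+ let sucesss = unsafe {
+ CreateTimerQueueTimer(&mut h_new_timer, h_timer_queue, Some(fnRtlCaptureContext), &ctx_thread as *const _ as *const _, 0, 0, WT_EXECUTEINTIMERTHREAD)
+ };
+
+ if (sucesss != 0) {
+
+ }
+}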
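Review bot: The module and symbol lookups on lines 31–32 pass `"ntdll".as_ptr()` and `"NtContinue".as_ptr()` to the ANSI APIs, but Rust string literals carry no trailing NUL, so `GetModuleHandleA`/`GetProcAddress` read past the end of the literal until they happen upon a zero byte; each name needs an explicit terminator, e.g. `GetModuleHandleA(b"ntdll\0".as_ptr())`, and the same applies to `"SystemFunction032"`. On line 36 `e_lfanew` is a byte offset relative to `image_base`, not an address, so casting it straight to `*mut IMAGE_NT_HEADERS64` and dereferencing it on line 37 is an invalid read. As written the file also does not compile: `key`, `img`, `key_buf` and the `CONTEXT` locals are bound without `mut` yet are assigned or borrowed mutably afterwards, and `Some(fnRtlCaptureContext)` on line 47 passes a type alias where a function value is expected. The `h_event` and `h_timer_queue` handles are never released, `sleep_time` is unused, and the empty `if (sucesss != 0)` body on line 50 (with its redundant parentheses) should either be filled in or removed before the next revision.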
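--- a/src/main.rs
+++ b/src/main.rs
@@ -0,0 +1,12 @@
+mod ekko;
+
+fn main() {
+ env_logger::init();
+ log::info!("[*] Ekko Sleep Obfuscation by @memN0ps. Full credits to Paul (@C5pider), Austin Hudson (@SecIdiot), Peter Winter-Smith (@peterwintrsmith)");
+
+ loop {
+ // Start Sleep Obfuscation
+ ekko::ekko();
+ }
+}
+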
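Review bot: `ekko::ekko()` on line 9 is called with no arguments, but src/ekko.rs declares `pub fn ekko(sleep_time: u32)`, so the crate does not build as committed; the call site needs the interval value, e.g. `ekko::ekko(sleep_time);` with `sleep_time` defined once at the top of `main`. The surrounding `loop` has no exit condition or delay of its own, so as long as `ekko` returns without waiting (it currently does) `main` spins at full CPU. `env_logger::init()` takes its filter from the `RUST_LOG` environment variable and, as far as I recall, defaults to `error`, so the `log::info!` line prints nothing unless that variable is set; a one-line comment such as `// Set RUST_LOG=info to see the banner` would save the next reader a puzzled minute.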