Repository for DoublePulsar DLL/Shellcode uploader programs
- Python shellcode uploader that interfaces with DoublePulsar
- Python DLL uploader that interfaces with DoublePulsar
- Python Exe in a DLL uploader that interfaces with DoublePulsar
- C# shellcode uploader that interfaces with DoublePulsar
- C# DLL file uploader that interfaces with DoublePulsar
- DoublePulsar Upload Shellcode - completed and working, inject your shellcode into any process you desire
- DoublePulsar Upload DLL - completed, functionality works but DLL runs only in the context of LSASS
- DoublePulsar Upload DLL with an embedded exe (Wannacry method) - completed, functionality works but DLL runs only in the context of LSASS and drops the executable as "mssecsvc.exe". Currently only in Python.
- Fix bugs
- More testing
- GUI for Python
- GUI for C#

Doublepulsar_UploadDLL - Python & C# - This program is intended for DLLs. It sends 4 SMB packets: 1 negotiation, 1 session setup, 1 tree connect, 1 Ping Trans2 SESSION_SETUP request and 1 execution Trans2 SESSION_SETUP packet. The Ping Trans2 SESSION_SETUP request is sent to obtain the SMB signature from the Trans2 SESSION_SETUP response packet. This signature is processed through the DoublePulsar XOR key calculator. The program then reads a DLL file (example: payload.dll), combines it with 64-bit kernel and userland shellcode that runs the DLL (stolen from Wannacry), and XORs the buffer with the DoublePulsar XOR key calculated from the SMB signature. A packet is generated by allocating memory, copying the Trans2 packet, editing the values needed for the SMB transaction to work (UserID, TreeID, TotalDataCount, DataCount, ByteCount), then copying the XORed data (kernel shellcode, userland shellcode included, + DLL) to the end. The program loops through the data, sending it to DoublePulsar 4096 bytes at a time. Total packet length = 4178; 4096 of that is the XOR-encrypted data. Will also implement using SMB & TRANSACTION2 structure.

Doublepulsar_UploadShellcode - Python & C# - This program sends 5 SMB packets: 1 negotiation, 1 session setup, 1 tree connect, 1 Ping Trans2 SESSION_SETUP packet and 1 execute Trans2 SESSION_SETUP packet. The Ping Trans2 SESSION_SETUP request is sent to obtain the SMB signature from the Trans2 SESSION_SETUP response packet. This signature is processed through the DoublePulsar XOR key calculator. The program then copies kernel shellcode and sample shellcode from a buffer and XORs the buffer with the DoublePulsar XOR key calculated from the SMB signature. A packet is generated by allocating memory, copying the Trans2 exec packet (from Wannacry), editing the values needed for the SMB transaction to work (UserID, TreeID, TotalDataCount, DataCount, ByteCount), then copying the SESSION_SETUP parameters and 4096 bytes of XORed shellcode data (the encrypted shellcode) to the end and sending it to DoublePulsar. Total packet length = 4178. The NetBIOS length will be 4174, since the NetBIOS header does NOT count itself in the size. 12 bytes of this packet are the DoublePulsar SESSION_PARAMETERS; 4096 are the XOR-encrypted data. Will also implement using SMB & TRANSACTION2 structure.

DoublePulsar_UploadExe.py - This program is intended for executables. The executable is read into memory, placed in a Wannacry launcher DLL and sent via DoublePulsar. It sends 1 negotiation, 1 session setup, 1 tree connect, 1 Ping Trans2 SESSION_SETUP packet and 1 exec Trans2 SESSION_SETUP packet. The Ping Trans2 SESSION_SETUP request is sent to obtain the SMB signature from the Trans2 SESSION_SETUP response packet. This signature is processed through the DoublePulsar XOR key calculator. The program then reads an EXE file (example: putty.exe), combines it with 64-bit kernel and userland shellcode and a skeleton DLL file (stolen from Wannacry), and XORs the buffer with the DoublePulsar XOR key calculated from the SMB signature. A packet is generated by allocating memory, copying the Trans2 packet, editing the values needed for the SMB transaction to work (UserID, TreeID, TotalDataCount, DataCount, ByteCount), then copying the XORed data (kernel shellcode + DLL + executable) to the end. The program loops through the data, sending it to DoublePulsar 4096 bytes at a time. Total packet length = 4178. The NetBIOS length will be 4174, since the NetBIOS header does NOT count itself in the size. 12 bytes of this packet are the DoublePulsar SESSION_PARAMETERS; 4096 are the XOR-encrypted data.
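For defenders, the packet shape described above is easy to recognize on the wire: Trans2 SESSION_SETUP (subcommand 0x000E) is reserved and not implemented in SMB1, so any such request deserves attention. The Python check below is an added example, not code from this repository; `inspect_frame` and `sample_frame` are hypothetical names, the sample frames are constructed and zero-filled, and the offsets assume the standard 32-byte SMB1 header followed by a 15-word Trans2 block.

```python
import struct

SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E  # subcommand the SMB1 spec lists as reserved, not implemented

def inspect_frame(frame: bytes):
    """Return a finding dict if frame is an SMB1 Trans2 SESSION_SETUP request, else None."""
    if len(frame) < 4 + 63 or frame[0] != 0x00:       # NetBIOS session message expected
        return None
    nb_len = int.from_bytes(frame[1:4], "big")         # excludes the 4-byte NetBIOS header
    smb = frame[4:]
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TRANSACTION2:
        return None
    if smb[9] & 0x80 or smb[32] < 15:                  # skip responses and short word blocks
        return None
    tid, _pid, uid, _mid = struct.unpack_from("<HHHH", smb, 24)
    total_data, = struct.unpack_from("<H", smb, 35)
    param_count, _po, data_count, _do, setup_count = struct.unpack_from("<HHHHB", smb, 51)
    if setup_count < 1 or struct.unpack_from("<H", smb, 61)[0] != TRANS2_SESSION_SETUP:
        return None
    return {
        "uid": uid, "tid": tid, "netbios_len": nb_len,
        "param_count": param_count, "data_count": data_count, "total_data": total_data,
        # Sizes quoted in the README: NetBIOS length 4174, 12 parameter bytes, 4096 data bytes
        "matches_readme_layout": (nb_len, param_count, data_count) == (4174, 12, 4096),
    }

def sample_frame(subcommand: int, param_len: int, data_len: int) -> bytes:
    """Constructed test input: a zero-filled Trans2 request carrying no real payload."""
    hdr = (b"\xffSMB" + bytes([SMB_COM_TRANSACTION2]) + bytes(19)
           + struct.pack("<HHHH", 0x0800, 0, 0x0801, 65))  # TID, PID, UID, MID (made up)
    words = struct.pack("<HHHHBBHIHHHHHBBH", param_len, data_len, 1, 0, 0, 0, 0, 0, 0,
                        param_len, 66, data_len, 66 + param_len, 1, 0, subcommand)
    tail = bytes(1 + param_len + data_len)                 # pad byte + parameters + data
    smb = hdr + bytes([15]) + words + struct.pack("<H", len(tail)) + tail
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

if __name__ == "__main__":
    for name, frame in [("session_setup", sample_frame(0x000E, 12, 4096)),
                        ("query_path_info", sample_frame(0x0005, 12, 100))]:
        print(name, len(frame), inspect_frame(frame))
```

The `uid` and `tid` fields in the finding identify which SMB session and tree connect to correlate with earlier frames from the same source.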

