Brief translation of some files from the Pegasus project source code leak...
\Pegasus\README.TXT
Project Pegasus - Content brief description
Pegasus is a complex, structured project for the x32 and x64 platforms.
The installer injects the system kernel into the memory of an svchost process and deletes the source file.
The initial installer passes the execution controls in the following way:
Shellcode -> InstallDispatcherDll
New process passes the execution controls in the following way:
Shellcode -> WorkDispatcherDll -> all other modules
If installing over an existing deployment, a build ID check is performed; if the build ID is lower than or equal to the current version, the installation is canceled.
Module functionality would take a while to explain and describe here. If absolutely necessary, look at the corresponding source code; the description there is well structured and documented.
Microsoft Visual Studio 2013 or newer and PHP Tools for Visual Studio from Devsense are required to build the project.
Folders description:
binres
Compiled modules and other code for the x32 and x64 platforms
BUILDS
Final installers for both platforms; debug or release version depending on the subfolder it is stored in.
inc
Program libraries used by different sub-projects.
InstallDispatcherDll
Installer module; performs injection into a new process
InstallerExe
Initial installer project
lib
Files needed to compile the project without MSVCRT
LZ4_pack
Resource packing utility
mod_CmdExec
Command execution module driven from the panel (new process, console command, etc.)
mod_DomainReplication
Domain propagation module
mod_KBRI
KBR payment swapping module
mod_KBRI_hd
Injector module that intercepts the KBR data exchange and receives swapped data from mod_KBRI
mod_LogonPasswords
Password extraction module; rewritten and patched mimikatz code
mod_NetworkConnectivity
Communication module, including pipe-based communication for machines with restricted network access
RemoteServiceExe
Special executable that is uploaded to a remote system in the domain propagation scenario.
shared
Common header and configuration files
Shellcode
Shellcode that loads and executes the attached libraries
tools
Project assembly scripts and utilities
WEB
Client part of the admin panel, integrated into the Studio project
web-adminpart
Admin panel, copy from the development server
WorkDispatcherDll
System kernel
In the general case:
\shared\config.h is configured first
\tools\MAKE_INSTALLERS.BAT with the Release or Debug parameter assembles the rest
the \BUILDS\ folder will contain the final build