import ZeroAccess

ZeroAccess/README.md

@@ -0,0 +1,52 @@
+
+#ZeroAccess
+
+from: [hfiref0x/ZeroAccess](https://github.com/hfiref0x/ZeroAccess)
+
+## Toolkit for ZeroAccess/Sirefef v3
+
+ZeroAccess is an advanced malware family (probably most advanced from all of available), whose first appearance was in the middle of 2009. Initially Win32 kernel mode rootkit, transformed then into user mode toolkit. Uses self made p2p engine for communication (main purpose - download files). Based on modular structure. Survived multiple takedown attempts (they were mostly serving marketing purposes of various so-called security companies/corporations). Has multiple generations of various toolkit modules. This project provide you insights into ZeroAccess v3 code and several instruments to work with ZeroAccess v3 files. Mostly for education purposes.
+
+# Project Contents
+
+**Umikaze - peer list (@ file) decoder**
+
+Processes input file as ZeroAccess peer file, type required for correct port assignation. 
+Result is output file with Time and IP+Port pairs as text. 
+
+> **Usage:** zadecode peerlist_filename [type 32 or 64, default 32], for example: zadecode s32 32
+
+**Shigure - payload decryptor**
+
+Processes input as ZeroAccess payload container, attempting to decode it using RC4 and extract Microsoft Cabinet afterthat.
+
+> **Usage:** zadecrypt inputfile [outputfile], for example: zadecrypt 80000000.@ out.bin
+
+**Harusame - payload container verificator**
+
+Verifies if given file is valid container for ZeroAccess. Requires EA to be set at input file. More information about verification algorithm can be found in source.
+
+> **Usage:** zacheck inputfile [mode 32 or 64, default 32], for example: zacheck 80000000.@ 32
+
+**Yuudachi - ZeroAccess p2p network crawler**
+
+GUI application that monitors given p2p botnet network and downloads payload from it. Downloaded files contain  all required information for further verification by zacheck tool. Dumps collected peers in ZeroAccess format so they can be used as bootstrap next. Use x86-32 version for win32 botnet and x64 for win64. For work required proper bootstrap list and read/write access to current directory.
+
+**Murasame - dropper extractor**
+
+Extracts actual bot installation dropper from encrypted resource of high level dropper.
+
+> **Usage:** zaextract inputfile [outputfile] hexkey, for example: zaextract highlvlbot.bin lowlvlbot.bin 0x12345678
+
+# System Requirements
+
+Does not require administrative privileges. Some tools may require read/write access for the their directories. Modern compatible NT version required, Windows XP not supported. For best appearance allow zamon32/zamon64 in firewall.
+
+# Build 
+
+Project comes with full source code written in C. 
+In order to build from source you need: Microsoft Visual Studio 2015 U1 and later versions.
+
+# Authors
+
+(c) 2016 ZeroAccess Project

ZeroAccess/Source/Harusame/Harusame.vcxproj

@@ -0,0 +1,231 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{169C0A78-64AD-4862-A6B6-17E7A3CA9AE3}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>Harusame</RootNamespace>
+    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
+    <IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
+    <IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
+    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
+    <IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
+    <TargetName>zacheck32</TargetName>
+    <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
+    <IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
+    <TargetName>zacheck64</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EntryPointSymbol>SfMain</EntryPointSymbol>
+      <AdditionalDependencies>cryptdll.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level4</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EntryPointSymbol>SfMain</EntryPointSymbol>
+      <AdditionalDependencies>cryptdll.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level4</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <MultiProcessorCompilation>true</MultiProcessorCompilation>
+      <ControlFlowGuard>Guard</ControlFlowGuard>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>No</GenerateDebugInformation>
+      <EntryPointSymbol>SfMain</EntryPointSymbol>
+      <SetChecksum>true</SetChecksum>
+      <AdditionalDependencies>cryptdll.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level4</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <MultiProcessorCompilation>true</MultiProcessorCompilation>
+      <ControlFlowGuard>Guard</ControlFlowGuard>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>No</GenerateDebugInformation>
+      <EntryPointSymbol>SfMain</EntryPointSymbol>
+      <SetChecksum>true</SetChecksum>
+      <AdditionalDependencies>cryptdll.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\minirtl\cmdline.c" />
+    <ClCompile Include="..\minirtl\hextou64.c" />
+    <ClCompile Include="..\minirtl\hextoul.c" />
+    <ClCompile Include="..\minirtl\i64tostr.c" />
+    <ClCompile Include="..\minirtl\itostr.c" />
+    <ClCompile Include="..\minirtl\strtoi.c" />
+    <ClCompile Include="..\minirtl\strtoi64.c" />
+    <ClCompile Include="..\minirtl\strtou64.c" />
+    <ClCompile Include="..\minirtl\strtoul.c" />
+    <ClCompile Include="..\minirtl\u64tohex.c" />
+    <ClCompile Include="..\minirtl\u64tostr.c" />
+    <ClCompile Include="..\minirtl\ultohex.c" />
+    <ClCompile Include="..\minirtl\ultostr.c" />
+    <ClCompile Include="..\minirtl\_filename.c" />
+    <ClCompile Include="..\minirtl\_strcat.c" />
+    <ClCompile Include="..\minirtl\_strcmp.c" />
+    <ClCompile Include="..\minirtl\_strcmpi.c" />
+    <ClCompile Include="..\minirtl\_strcpy.c" />
+    <ClCompile Include="..\minirtl\_strend.c" />
+    <ClCompile Include="..\minirtl\_strlen.c" />
+    <ClCompile Include="..\minirtl\_strncmp.c" />
+    <ClCompile Include="..\minirtl\_strncmpi.c" />
+    <ClCompile Include="..\minirtl\_strncpy.c" />
+    <ClCompile Include="..\minirtl\_strstr.c" />
+    <ClCompile Include="..\minirtl\_strstri.c" />
+    <ClCompile Include="..\shared\cui.c" />
+    <ClCompile Include="..\shared\ea.c" />
+    <ClCompile Include="..\shared\ldr.c" />
+    <ClCompile Include="..\shared\md5.c" />
+    <ClCompile Include="..\shared\util.c" />
+    <ClCompile Include="..\shared\za_crypto.c" />
+    <ClCompile Include="main.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\minirtl\cmdline.h" />
+    <ClInclude Include="..\minirtl\minirtl.h" />
+    <ClInclude Include="..\minirtl\rtltypes.h" />
+    <ClInclude Include="..\minirtl\_filename.h" />
+    <ClInclude Include="..\shared\cui.h" />
+    <ClInclude Include="..\shared\ea.h" />
+    <ClInclude Include="..\shared\global.h" />
+    <ClInclude Include="..\shared\ldr.h" />
+    <ClInclude Include="..\shared\md5.h" />
+    <ClInclude Include="..\shared\ntos.h" />
+    <ClInclude Include="..\shared\util.h" />
+    <ClInclude Include="..\shared\za.h" />
+    <ClInclude Include="..\shared\za_crypto.h" />
+    <ClInclude Include="..\shared\za_rkey.h" />
+    <ClInclude Include="resource.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="resource.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>