MIDNIGHTTRAIN

Covert Stage-3 Persistence Framework utilizing NVRAM variables

Read About It Here

Warning

This is a PoC framework and as such will not be maintained. Sorry!

It has been made as a small weekend project and has received limited testing ergo, bugs/undefined behaviour is to be expected. However, I am willing to fix critical bugs in my spare time should you encounter them so feel free to open an issue.

It supports x64 implants only and all testing was done on:

• Windows 10 x64 version 1903
• Windows 10 x64 version 2004

Usage

Here's a guide to testing the framework in 10 easy steps:

1. Make sure you have a working VC++ 2019 dev environment set up beforehand.
2. Place your 64-bit Staged Meterpreter/Beacon shellcode payload in `Bin` as `payload_x64.bin`. You might need to use sRDI to convert DLLs to PIC blob if your framework doesn't support the generation of Staged payloads as shellcode.
3. Open an x64 Developer Command Prompt.
4. git clone https://github.com/slaeryan/MIDNIGHTTRAIN.git - To clone the repository.
5. cd MIDNIGHTTRAIN & cd Gremlin & compile64.bat - To build the Gremlin implant.
6. cd .. & cd Gargoyle & compile64.bat - To build the Gargoyle implant.
7. You'll find two compiled implant DLLs in the `Bin` folder named `gremlin_x64.dll` and `gargoyle_x64.dll`.
8. cd Python & python ConvertToShellcode.py ../Bin/gargoyle_x64.dll - To convert Gargoyle DLL to PIC blob.
9. cd .. & cd Scratchpad & compile64.bat - To build the loader for inline execution of shellcode blob.
10. Finally to test, loader <path-to-gargoyle_x64.bin>

Author

Upayan (@slaeryan) [slaeryan.github.io]

Caveats

• Need an elevated context to install persistence.
• Maximum permissible size of payload usable with this framework is ~36 kB. Need to craft a custom stager within the size limit to use Stageless payloads.

Credits

1. https://github.com/perturbed-platypus - Big thanks to @TTimzen & @r00tkillah for their wonderful research.
2. https://gist.github.com/jthuraisamy/e602d5d870230df3ce00178001f9ac16 - Another PoC thanks to @Jackson_T
3. @am0nsec for dropping dem hints regarding the token impersonation.
4. CIA Vault7 leaks - I have a joke but it is REDACTED.
5. @monoxgas for sRDI and being an awesome researcher in general!
6. Mr. Base64 - for the review and code improvements. +1 for being a top-level guy! You can find him hanging out here 0x00sec Discord with a bunch of other really cool peeps.

License

All the code included in this project is licensed under the terms of the GNU GPLv2 license.