public static Boolean passHookDataByPipe(HOOKDAT oHookDat) { lock (lockDataOperation) { try { NamedPipeClientStream pipe = new NamedPipeClientStream("localhost", sDataPipe, PipeDirection.InOut); try { // Can we connect to the pipe? pipe.Connect(50); // Unclear if we need a small buffer time here pipe.ReadMode = PipeTransmissionMode.Message; // Turn object into byte array Byte[] bStruct = ObjectToByteArray(oHookDat); // Write data Byte[] ecnHookDat = arrayToAESArray(bStruct); pipe.Write(ecnHookDat, 0, ecnHookDat.Length); pipe.Close(); return(true); } catch { pipe.Close(); return(false); } } catch { return(false); } } }
public static HOOKDAT AESUnKeyObject(Byte[] bPipeData) { // Result object HOOKDAT oHook = new HOOKDAT(); // Decrypt Byte[][] aSHAKeyMatt = ComputeSha256KeyMat(sAESKey); Byte[] bDecrypt = DecryptArrayFromAES256(bPipeData, aSHAKeyMatt[0], aSHAKeyMatt[1]); if (bDecrypt.Length > 0) { try { oHook = ByteArrayToObject(bDecrypt); } catch { oHook.iType = 2; } } else { oHook.iType = 3; } return(oHook); }
public static HOOKDAT ByteArrayToObject(Byte[] arrBytes) { //--- Array structure // [UInt32 Type]--[UInt32 Size]--[UTF8 sFuncName]--[UInt32 Size]--[Byte[] Hook data] //--- // Result object HOOKDAT oHookDat = new HOOKDAT(); // Populate object oHookDat.iType = BitConverter.ToUInt32(arrBytes, 0); UInt32 iFuncNameSize = BitConverter.ToUInt32(arrBytes, 4); oHookDat.sHookFunc = Encoding.UTF8.GetString(arrBytes, 8, (Int32)iFuncNameSize); UInt32 iDataSize = BitConverter.ToUInt32(arrBytes, 8 + (Int32)iFuncNameSize); if (oHookDat.iType == 0) { oHookDat.sHookData = Encoding.UTF8.GetString(arrBytes, 12 + (Int32)iFuncNameSize, (Int32)iDataSize); } else { oHookDat.bHookData = new Byte[iDataSize]; Array.Copy(arrBytes, 12 + (Int32)iFuncNameSize, oHookDat.bHookData, 0, iDataSize); } return(oHookDat); }
public static void ListenNamedPipe(Int32 iSeconds) { // Set up a timer Stopwatch tTimer = new Stopwatch(); tTimer.Start(); Console.WriteLine("\n[+] Creating Bates pipe listener.."); Console.WriteLine(@" |_ \\.\pipe\" + sDataPipe); Console.WriteLine(" |_ " + iSeconds + "s timer"); Console.WriteLine(" |_ Waiting for client"); // Loop while (tTimer.Elapsed.TotalSeconds < iSeconds) { var oPipe = new NamedPipeServerStream(sDataPipe, PipeDirection.InOut, NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Message); oPipe.WaitForConnection(); Byte[] messageBytes = ReadMessage(oPipe); // Process data HOOKDAT oHook = AESUnKeyObject(messageBytes); if (oHook.iType == 2 || oHook.iType == 3) { if (oHook.iType == 2) { Console.WriteLine("\n[!] Failed to decrypt pipe data.."); } else { Console.WriteLine("\n[!] Invalid data.."); } } else { Console.WriteLine("\n[+] Dendron client connected"); Console.WriteLine(" |_ Function : " + oHook.sHookFunc); if (oHook.iType == 0) { Console.WriteLine(" |_ Data Type : String"); Console.WriteLine(" |_ Data : \n\n" + oHook.sHookData); } else { Console.WriteLine(" |_ Data Type : Byte[]"); Console.WriteLine(" |_ Data : \n\n" + HexDump(oHook.bHookData)); } } } }
public static Byte[] ObjectToByteArray(HOOKDAT oHookDat) { //--- Array structure // [UInt32 Type]--[UInt32 Size]--[UTF8 sFuncName]--[UInt32 Size]--[Byte[] Hook data] //--- // Create elements Byte[] bType = BitConverter.GetBytes(oHookDat.iType); Byte[] bSFunc = Encoding.UTF8.GetBytes(oHookDat.sHookFunc); Byte[] bISFunc = BitConverter.GetBytes((UInt32)bSFunc.Length); Byte[] bData; Byte[] bIData; if (oHookDat.iType == 0) { bData = Encoding.UTF8.GetBytes(oHookDat.sHookData); bIData = BitConverter.GetBytes((UInt32)bData.Length); } else { bData = oHookDat.bHookData; bIData = BitConverter.GetBytes((UInt32)bData.Length); } // Make array UInt32 iArrLen = (UInt32)(bType.Length + bSFunc.Length + bISFunc.Length + bData.Length + bIData.Length); Byte[] bResArray = new byte[iArrLen]; // Populate array // --> Kind of ugly but ¯\_(ツ)_/¯ Buffer.BlockCopy(bType, 0, bResArray, 0, bType.Length); Buffer.BlockCopy(bISFunc, 0, bResArray, bType.Length, bISFunc.Length); Buffer.BlockCopy(bSFunc, 0, bResArray, bType.Length + bISFunc.Length, bSFunc.Length); Buffer.BlockCopy(bIData, 0, bResArray, bType.Length + bISFunc.Length + bSFunc.Length, bIData.Length); Buffer.BlockCopy(bData, 0, bResArray, bType.Length + bISFunc.Length + bSFunc.Length + bIData.Length, bData.Length); return(bResArray); }