API tools faq
paste
Advertisement
Guest User

main.cpp

a guest
Oct 24th, 2010
159
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 10.68 KB | None | 0 0
raw download clone embed print report
  1. #include "pefile.h"
  2. #include "RC4.h"
  3.  
  4. DWORD searchNreplace(BYTE *haystack, const BYTE *needle, DWORD dwNeedleSize, DWORD dwHayStackSize, BYTE *replacement)
  5. {
  6.     DWORD counter = 0;
  7.     for(DWORD i = 0; i < dwHayStackSize; i++)
  8.         if(haystack[i] == needle[counter])
  9.         {
  10.             counter++;
  11.             if(counter == dwNeedleSize)
  12.             {
  13.                 for(DWORD j = 0; j < dwNeedleSize; j++)
  14.                     haystack[(i - dwNeedleSize + 1) + j] = replacement[j];
  15.                 return i - dwNeedleSize + 1;
  16.             }
  17.         }
  18.         else
  19.             counter = 0;
  20. }
  21.  
  22. int main(int argc, char **argv)
  23. {
  24.     printf("+--------------------------------------------+\n");
  25.     printf("|                JustCrypt                   |\n");
  26.     printf("|             Coded by Cardano               |\n");
  27.     printf("+--------------------------------------------+\n");
  28.  
  29.     if(argc < 2)
  30.     {
  31.         printf("Bitte uebergeben Sie den Namen einer zu bearbeitenden Datei:\n");
  32.         printf("\t%s <path/filename>.exe\n", argv[0]);
  33.         system("pause");
  34.         exit(0);
  35.     }
  36.  
  37.     BYTE key[] =      { '\x6c', '\x2f', '\xc4', '\x32', '\x7d', '\x70', '\x58', '\x65',
  38.                         '\x24', '\x2f', '\xfc', '\x62', '\x6c', '\x79', '\x58', '\x72',
  39.                         '\x77', '\x58', '\x70', '\x56', '\x56', '\x49', '\x3b', '\x56',
  40.                         '\x2f', '\x59', '\x3e', '\x42', '\x2e', '\x45', '\x78', '\x41'};
  41.  
  42.     BYTE rc4code[] =  { '\x9C', '\x60', '\xBE', '\xAA', '\xAA', '\xAA', '\xAA', '\xBF',
  43.                         '\xDD', '\xDD', '\xDD', '\xDD', '\x33', '\xC0', '\xB0', '\xFF',
  44.                         '\x88', '\x04', '\x30', '\xFE', '\xC8', '\x75', '\xF9', '\x33',
  45.                         '\xDB', '\x50', '\x99', '\x66', '\xB9', '\xCC', '\xCC', '\x66',
  46.                         '\xF7', '\xF1', '\x58', '\x02', '\x1C', '\x30', '\x02', '\x9A',
  47.                         '\xBB', '\xBB', '\xBB', '\xBB', '\x8A', '\x0C', '\x30', '\x86',
  48.                         '\x0C', '\x33', '\x88', '\x0C', '\x30', '\xFE', '\xC0', '\x75',
  49.                         '\xE0', '\x33', '\xDB', '\x33', '\xC9', '\xFE', '\xC0', '\x02',
  50.                         '\x1C', '\x30', '\x8A', '\x14', '\x30', '\x86', '\x14', '\x33',
  51.                         '\x88', '\x14', '\x30', '\x32', '\xD2', '\x8A', '\x14', '\x30',
  52.                         '\x02', '\x14', '\x33', '\x8A', '\x14', '\x32', '\x32', '\x14',
  53.                         '\x39', '\x88', '\x14', '\x39', '\x41', '\x81', '\xF9', '\xEE',
  54.                         '\xEE', '\xEE', '\xEE', '\x7C', '\xD8', '\x68', '\xFF', '\xFF',
  55.                         '\xFF', '\xFF', '\xC3'};
  56.  
  57.     BYTE copycode[] = { '\xBE', '\x11', '\x11', '\x11', '\x11', '\xBF', '\x22', '\x22',
  58.                         '\x22', '\x22', '\xB9', '\x33', '\x33', '\x33', '\x33', '\x32',
  59.                         '\xC0', '\x86', '\x44', '\x31', '\xFF', '\x86', '\x44', '\x39',
  60.                         '\xFF', '\xE2', '\xF4', '\x61', '\x9D', '\x68', '\x44', '\x44',
  61.                         '\x44', '\x44', '\xC3'};
  62.    
  63.     RC4 *rc4 = new RC4(key, sizeof(key));
  64.     PEFile *pefile = new PEFile(argv[1]);
  65.  
  66.     DWORD dwImageBase = pefile->getNTHeaders()->OptionalHeader.ImageBase;
  67.     pefile->getNTHeaders()->OptionalHeader.DllCharacteristics ^= IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT;
  68.    
  69.     int iNewSecId = pefile->getSectionIdByRVA(pefile->getNTHeaders()->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
  70.     DWORD rvaOEP = pefile->getNTHeaders()->OptionalHeader.AddressOfEntryPoint;
  71.     DWORD roOEP = pefile->getRawOffsetByRVA(rvaOEP);
  72.     DWORD vaOEP = rvaOEP + pefile->getNTHeaders()->OptionalHeader.ImageBase;
  73.     IMAGE_SECTION_HEADER *ishNew;
  74.     IMAGE_SECTION_HEADER *ishToCrypt = pefile->getSectionHeaderById(pefile->getSectionIdByRVA(rvaOEP));
  75.  
  76.     printf("[*] Bevorzugte ImageBase der Datei: 0x%08x\n", dwImageBase);
  77.     printf("[*] RO Adresse des OEP: 0x%08x\n", roOEP);
  78.     printf("[*] Name der Section des OEP: %8s\n", ishToCrypt->Name);
  79.  
  80.     if(iNewSecId != -1)
  81.     {
  82.         printf("[*] Es wurde eine RelocationSection gefunden\n");
  83.         if(pefile->getSectionHeaderById(iNewSecId - 1)->Characteristics & IMAGE_SCN_MEM_WRITE)
  84.         {
  85.             printf("[*] Die Section vor der RelocSec. hat Schreibberechtigungen\n");
  86.             printf("[*] Die Sections: %8s und %8s werden fusioniert\n", pefile->getSectionHeaderById(iNewSecId), pefile->getSectionHeaderById(iNewSecId-1));
  87.             pefile->getNTHeaders()->OptionalHeader.SizeOfImage -= Align(pefile->getSectionHeaderById(iNewSecId - 1)->Misc.VirtualSize, pefile->getNTHeaders()->OptionalHeader.SectionAlignment);
  88.             pefile->setFileSize(pefile->getFileSize() - pefile->getSectionHeaderById(iNewSecId - 1)->SizeOfRawData);
  89.             pefile->getSectionHeaderById(iNewSecId - 1)->Misc.VirtualSize += sizeof(key) + sizeof(rc4code) + 256;
  90.             pefile->getSectionHeaderById(iNewSecId - 1)->SizeOfRawData = Align(pefile->getSectionHeaderById(iNewSecId - 1)->Misc.VirtualSize, pefile->getNTHeaders()->OptionalHeader.FileAlignment);
  91.             pefile->getNTHeaders()->OptionalHeader.SizeOfImage += Align(pefile->getSectionHeaderById(iNewSecId - 1)->Misc.VirtualSize, pefile->getNTHeaders()->OptionalHeader.SectionAlignment);
  92.             pefile->setFileSize(pefile->getFileSize() + pefile->getSectionHeaderById(iNewSecId - 1)->SizeOfRawData);
  93.             pefile->deleteSectionById(iNewSecId);
  94.             iNewSecId--;
  95.             pefile->getNTHeaders()->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = 0x00000000;
  96.             pefile->getNTHeaders()->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = 0x00000000;
  97.         }
  98.         else
  99.         {
  100.             printf("[*] Die Section vor der RelocSec. hat keine Schreibberechtigungen\n");
  101.             printf("[*] Die RelocSec. wird den Beduerfnissen der Stub(s) angepasst\n");
  102.             pefile->getNTHeaders()->OptionalHeader.SizeOfImage -= Align(pefile->getSectionHeaderById(iNewSecId)->Misc.VirtualSize, pefile->getNTHeaders()->OptionalHeader.SectionAlignment);
  103.             pefile->setFileSize(pefile->getFileSize() - pefile->getSectionHeaderById(iNewSecId)->SizeOfRawData);
  104.             pefile->getSectionHeaderById(iNewSecId)->Misc.VirtualSize += sizeof(key) + sizeof(rc4code) + 256;
  105.             pefile->getSectionHeaderById(iNewSecId)->SizeOfRawData = Align(pefile->getSectionHeaderById(iNewSecId)->Misc.VirtualSize, pefile->getNTHeaders()->OptionalHeader.FileAlignment);
  106.             pefile->getSectionHeaderById(iNewSecId)->Characteristics |= IMAGE_SCN_MEM_WRITE;
  107.             pefile->getNTHeaders()->OptionalHeader.SizeOfImage += Align(pefile->getSectionHeaderById(iNewSecId)->Misc.VirtualSize, pefile->getNTHeaders()->OptionalHeader.SectionAlignment);
  108.             pefile->setFileSize(pefile->getFileSize() + pefile->getSectionHeaderById(iNewSecId)->SizeOfRawData);
  109.             pefile->getNTHeaders()->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = 0x00000000;
  110.             pefile->getNTHeaders()->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = 0x00000000;
  111.         }
  112.     }
  113.     else
  114.     {
  115.         iNewSecId = pefile->addSection(".misc", sizeof(key) + sizeof(rc4code) + 256, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_INITIALIZED_DATA);
  116.         printf("[*] Es ist keine RelocSec. vorhanden\n");
  117.         printf("[*] Es wurde eine neue Section mit dem Namen %8s angelegt\n", ".misc");
  118.     }
  119.  
  120.     ishNew = pefile->getSectionHeaderById(iNewSecId);
  121.     BYTE *pNewSection = pefile->getPointerToDataByRO(ishNew->PointerToRawData);
  122.  
  123.     // Überprüfen ob am Ende von .text noch Platz für die Copystub ist
  124.     bool bEnoughSpaceForCopyStub = false;
  125.     CODE_CAVE *ccEndText = pefile->getSecEndCCByName((const char *) ishToCrypt->Name);
  126.     if(ccEndText != NULL)
  127.         if(ccEndText->dwCaveSize > sizeof(copycode))
  128.         {
  129.             bEnoughSpaceForCopyStub = true;
  130.             printf("[*] Es wurde ein %d Byte grosses Codecave am Ende von %8s gefunden\n", ccEndText->dwCaveSize, ishToCrypt->Name);
  131.             printf("[*] Dieses wird fuer die CopyStub verwendet\n");
  132.         }
  133.    
  134.     // Bestimmen der virtuellen Addressen und Größen für die Platzhalter
  135.     DWORD vaNewSection = ishNew->VirtualAddress + dwImageBase;
  136.     DWORD vaSBOX = ishNew->VirtualAddress + sizeof(rc4code) + sizeof(key) + dwImageBase;
  137.     DWORD vaKeyAddress = ishNew->VirtualAddress + sizeof(rc4code) + dwImageBase;
  138.     WORD wKeyLen = sizeof(key);
  139.     DWORD vaMessageAddress = vaOEP + sizeof(rc4code);
  140.     DWORD dwMessageLen =  ishToCrypt->VirtualAddress + ishToCrypt->Misc.VirtualSize - ((bEnoughSpaceForCopyStub)?ccEndText->dwCaveSize:0) - rvaOEP;
  141.     DWORD vaNextInstr = ((bEnoughSpaceForCopyStub)
  142.                             ? (pefile->getRVAByRawOffset(ccEndText->RawOffset) + dwImageBase)
  143.                             : (vaSBOX + 256)
  144.                         );
  145.  
  146.     BYTE *pOEP = pefile->getPointerToDataByRO(pefile->getRawOffsetByRVA(rvaOEP));
  147.  
  148.     // Füllen der Platzhalter im RC4-Shellcode
  149.     searchNreplace(rc4code, (const BYTE *) "\xAA\xAA\xAA\xAA", sizeof(DWORD), sizeof(rc4code), (BYTE *) &vaSBOX);
  150.     searchNreplace(rc4code, (const BYTE *) "\xBB\xBB\xBB\xBB", sizeof(DWORD), sizeof(rc4code), (BYTE *) &vaKeyAddress);
  151.     searchNreplace(rc4code, (const BYTE *) "\xCC\xCC", sizeof(WORD), sizeof(rc4code), (BYTE *) &wKeyLen);
  152.     searchNreplace(rc4code, (const BYTE *) "\xDD\xDD\xDD\xDD", sizeof(DWORD), sizeof(rc4code), (BYTE *) &vaMessageAddress);
  153.     searchNreplace(rc4code, (const BYTE *) "\xEE\xEE\xEE\xEE", sizeof(DWORD), sizeof(rc4code), (BYTE *) &dwMessageLen);
  154.     searchNreplace(rc4code, (const BYTE *) "\xFF\xFF\xFF\xFF", sizeof(DWORD), sizeof(rc4code), (BYTE *) &vaNextInstr);
  155.  
  156.  
  157.     // Füllen der Platzhalter im Copy-Shellcode
  158.     DWORD dwSizeRC4Code = sizeof(rc4code);
  159.     searchNreplace(copycode, (const BYTE *) "\x11\x11\x11\x11", sizeof(DWORD), sizeof(copycode), (BYTE *) &vaNewSection);
  160.     searchNreplace(copycode, (const BYTE *) "\x22\x22\x22\x22", sizeof(DWORD), sizeof(copycode), (BYTE *) &vaOEP);
  161.     searchNreplace(copycode, (const BYTE *) "\x33\x33\x33\x33", sizeof(DWORD), sizeof(copycode), (BYTE *) &dwSizeRC4Code);
  162.     searchNreplace(copycode, (const BYTE *) "\x44\x44\x44\x44", sizeof(DWORD), sizeof(copycode), (BYTE *) &vaOEP);
  163.  
  164.     printf("[*] RO Beginn der Encryption: 0x%08x\n", roOEP + sizeof(rc4code));
  165.     printf("[*] RO Ende der Encryption: 0x%08x\n", roOEP + dwMessageLen);
  166.     printf("[*] Anzahl der zu verschl. Bytes: 0x%08x\n", dwMessageLen);
  167.  
  168.     rc4->encrypt(pOEP + sizeof(rc4code), dwMessageLen);
  169.  
  170.     printf("[*] RO der RC4 Stub: 0x%08x\n", roOEP);
  171.  
  172.     if(bEnoughSpaceForCopyStub)
  173.     {
  174.         memcpy(pNewSection, pOEP, sizeof(rc4code));
  175.         memcpy(pOEP, rc4code, sizeof(rc4code));
  176.         memcpy(pNewSection + sizeof(rc4code), key, sizeof(key));
  177.         for(DWORD i = 0; i < 256; i++)
  178.             pNewSection[sizeof(rc4code) + sizeof(key) + i] = 0x00;
  179.         memcpy(pefile->getPointerToDataByRO(ccEndText->RawOffset), copycode, sizeof(copycode));
  180.         printf("[*] RO der CopyStub: 0x%08x\n", ccEndText->RawOffset);
  181.     }
  182.     else
  183.     {
  184.         memcpy(pNewSection, pOEP, sizeof(rc4code));
  185.         memcpy(pOEP, rc4code, sizeof(rc4code));
  186.         memcpy(pNewSection + sizeof(rc4code), key, sizeof(key));
  187.         for(DWORD i = 0; i < 256; i++)
  188.             pNewSection[sizeof(rc4code) + sizeof(key) + i] = 0x00;
  189.         memcpy(pNewSection + sizeof(rc4code) + sizeof(key) + 256, copycode, sizeof(copycode));
  190.         printf("[*] RO der CopyStub: 0x%08x\n", ishNew->PointerToRawData + sizeof(rc4code) + sizeof(key) + 256);
  191.     }
  192.  
  193.     ishToCrypt->Characteristics |= IMAGE_SCN_MEM_WRITE;
  194.     pefile->writePEFile("crypted.exe");
  195.     pefile->~PEFile();
  196.     printf("[*] Ausgabedatei: %s\n", "crypted.exe");
  197.     system("pause");
  198.     return 0;
  199. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!