captmicro

Lua Hack Kit - why is it detected as a virus?

Jun 26th, 2012
/*
 * Compare siglen bytes at data against the masked pattern sig.
 *
 * A '?' byte (0x3F) in sig matches any byte of data; every other pattern
 * byte must be equal.  Returns 1 when all siglen positions match (an empty
 * pattern therefore always matches), otherwise 0.  The caller guarantees
 * that siglen bytes are readable at both data and sig; nothing here checks.
 */
DWORD _DataCompare(BYTE *data, BYTE *sig, DWORD siglen)
{
    DWORD pos = 0;
    while (pos < siglen) {
        BYTE want = sig[pos];
        if (want != '?' && want != data[pos])
            return 0;
        pos++;
    }
    return 1;
}
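/*
 * Search the window [addr, addr + len) for the first occurrence of the
 * masked pattern sig/siglen ('?' is a wildcard, see _DataCompare).
 *
 * addr   - first byte of the window (an address in this process)
 * len    - size of the window in bytes
 * sig    - pattern bytes
 * siglen - number of pattern bytes
 *
 * Returns the address of the first match, or 0 when there is none (an
 * empty window also yields 0).  A match must lie entirely inside the
 * window: the last start offset tried is len - siglen.  The previous loop
 * compared at every offset below len and therefore read up to siglen - 1
 * bytes past the end of the window for the final positions, which for a
 * heap buffer is an out-of-bounds read.
 */
DWORD _FindPattern(DWORD addr, DWORD len, BYTE *sig, DWORD siglen)
{
    if (len == 0 || siglen > len)
        return 0;

    /* Highest offset at which the whole pattern still fits in the window. */
    DWORD last = len - siglen;
    DWORD i = 0;
    for (; i <= last; i++)
        if (_DataCompare((BYTE*)(addr + i), sig, siglen))
            return addr + i;
    return 0;
}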
/*
 * Lua binding: scan one memory region of another process for a byte
 * pattern, one 0x1000-byte page at a time.
 *
 * Lua arguments, as read below:
 *   1  process handle, passed as an integer
 *   2  start address of the region -- NOTE(review): this is lua_tostring(),
 *      so the value used is the address of the Lua string object in *this*
 *      process, not the number the script passed; lua_tointeger() looks
 *      intended, confirm against the Lua side
 *   3  pattern bytes ('?' = wildcard, see _DataCompare); the pointer is only
 *      valid while the string stays on the Lua stack
 *   4  pattern length
 *
 * Pushes exactly one integer and returns 1: the address of the first match,
 * or a status code 1 (address was 0), 2 (region size 0), 3 (heap allocation
 * failed) or 4 (no match).  Status codes share the value space with
 * addresses, so a caller cannot tell them apart by type.
 *
 * Each page is copied into a local buffer with ReadProcessMemory and that
 * copy is searched, so a match straddling a page boundary cannot be found.
 * Reading another process' memory through a script-supplied handle is the
 * same primitive memory scanners use; heuristic engines weigh it together
 * with the privilege and remote-thread helpers further down this file.
 */
LUA_FUNC(SigScan)
{
    HANDLE h = (void*)((DWORD)lua_tointeger(l, 1));
    DWORD dwAddress = (DWORD)lua_tostring(l, 2);
    BYTE *bSig = (BYTE*)lua_tostring(l, 3);
    DWORD dwSigLen = (DWORD)lua_tointeger(l, 4);

    //Get address & size of dll
    if (dwAddress == 0) { lua_pushinteger(l, 1); return 1; }
    MEMORY_BASIC_INFORMATION mbi;
    // NOTE(review): the return value is not checked; if the query fails,
    // mbi is left uninitialized and RegionSize below is indeterminate.
    VirtualQueryEx(h, (void*)dwAddress, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    DWORD dwLen = mbi.RegionSize;
    if (mbi.RegionSize == 0) { lua_pushinteger(l, 2); return 1; }

    BYTE *buffer = (BYTE*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x1000);
    if (buffer == 0) { lua_pushinteger(l, 3); return 1; }

    //Scan every page
    // dwTemp is never assigned again, so the loop condition compares the
    // absolute address with the region *size*; presumably the region start
    // was meant to be saved here -- confirm.
    DWORD dwTemp = 0, dwDelta = 0;
    do
    {
        // Unchecked: a failed or short read leaves the previous page's (or
        // the zeroed) bytes in buffer, and they are scanned as if current.
        ReadProcessMemory(h, (void*)dwAddress, (void*)buffer, 0x1000, 0);
        // NOTE(review): this searches local memory at dwAddress, not the page
        // just copied into buffer; the address arithmetic below only makes
        // sense for a hit inside buffer -- looks like buffer was meant.
        // The window passed is exactly the buffer size, so _FindPattern must
        // not compare past offset 0x1000 - dwSigLen.
        dwDelta = _FindPattern(dwAddress, 0x1000, bSig, dwSigLen);
        if (dwDelta != 0)
        {
            // Only pointer arithmetic follows the free; buffer is not read.
            HeapFree(GetProcessHeap(), 0, buffer);
            dwDelta -= (DWORD)buffer;
            dwDelta += dwAddress;
            lua_pushinteger(l, dwDelta);
            return 1;
        }
        dwAddress += 0x1000;
    } while (dwAddress < (dwTemp + dwLen));

    HeapFree(GetProcessHeap(), 0, buffer);
    lua_pushinteger(l, 4);
    return 1;
}
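/*
 * Enable SeDebugPrivilege on the calling process' access token.
 *
 * Returns 0 on success, otherwise the Win32 error code (GetLastError()) of
 * the step that failed.  AdjustTokenPrivileges reports success even when
 * the privilege is not held by the token, so ERROR_NOT_ALL_ASSIGNED is
 * checked explicitly and returned as a failure; callers that previously
 * got 0 in that case now get that code.  The token handle is closed on
 * every path (the earlier version leaked it on success, and its "if
 * (hToken)" checks after a failed OpenProcessToken were dead code because
 * the handle is only written on success).
 *
 * NOTE(review): LUA_FUNC is not visible here.  If it expands to the
 * lua_CFunction signature, a raw error code is also the number of results
 * Lua will pop from the stack; consider pushing it with lua_pushinteger(l,
 * err) and returning 1, the way SigScan reports its codes.
 *
 * Holding SeDebugPrivilege is what lets the other helpers in this file open
 * arbitrary processes; it is a common heuristic indicator for that reason.
 */
LUA_FUNC(SetDebugPrivileges)
{
    TOKEN_PRIVILEGES Debug_Privileges;
    HANDLE hToken = NULL;
    DWORD err = 0;

    /* STEP 1: resolve the LUID of SeDebugPrivilege on the local system. */
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME,
                              &Debug_Privileges.Privileges[0].Luid))
    {
        return GetLastError();
    }

    /* STEP 2: open our own token with just enough access to adjust it. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        return GetLastError(); /* no handle was opened, nothing to close */
    }

    /* STEP 3: ask for the single privilege to be enabled. */
    Debug_Privileges.PrivilegeCount = 1;
    Debug_Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(hToken, FALSE, &Debug_Privileges, 0, NULL, NULL))
    {
        err = GetLastError();
    }
    else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        /* The call "succeeded" but the token does not hold the privilege. */
        err = ERROR_NOT_ALL_ASSIGNED;
    }

    /* CloseHandle may overwrite the last error, so err was captured first. */
    CloseHandle(hToken);
    return err;
}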
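/*
 * Return non-zero when running on Windows Vista or any later NT release
 * (major version >= 6), zero otherwise.
 *
 * Uses the documented VerifyVersionInfo API instead of reading version
 * fields at fixed offsets from the PEB located through fs:[0x30].  The raw
 * read had several problems: the PEB layout is undocumented and the inline
 * _asm is 32-bit MSVC only; in the published 32-bit layout OSMajorVersion
 * is at 0xA4 and OSMinorVersion at 0xA8, so the old variable names appear
 * swapped; each field was read as a single byte; and "== 6" rejected
 * Windows 10, which reports major version 10.  Reading the PEB directly is
 * also one of the heuristics antivirus engines look for, which bears on
 * the detection the paste title asks about.
 *
 * Windows 8.1 and later report the version according to the application
 * manifest; every value they can report is still >= 6, so this predicate
 * is unaffected by that.
 */
BOOL VistaOrHigher(void)
{
    OSVERSIONINFOEXA osvi = {0};
    DWORDLONG mask = 0;

    osvi.dwOSVersionInfoSize = sizeof(osvi);
    osvi.dwMajorVersion = 6;                   /* Vista / Server 2008 */
    osvi.dwPlatformId = VER_PLATFORM_WIN32_NT; /* old check required platform 2 (NT) */

    mask = VerSetConditionMask(mask, VER_MAJORVERSION, VER_GREATER_EQUAL);
    mask = VerSetConditionMask(mask, VER_PLATFORMID, VER_EQUAL);

    /* TRUE only if both conditions hold; FALSE also covers a failed call. */
    return VerifyVersionInfoA(&osvi, VER_MAJORVERSION | VER_PLATFORMID, mask);
}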
  118.  
/*
 * Resolve a module's base address inside another process by running
 * GetModuleHandleA there on a new thread.
 *
 * proc   - handle to the target process
 * module - NUL-terminated ANSI module name to look up
 *
 * Returns the remote thread's exit code, i.e. the HMODULE GetModuleHandleA
 * returned in the target, or 0 on failure (a message is printed to stdout).
 *
 * The sequence VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread is
 * the textbook remote-thread injection chain and the most recognisable
 * pattern in this file for antivirus/EDR heuristics; it is the likely reason
 * for the detection the paste title asks about.
 *
 * Review notes (code left unchanged):
 *  - lstrlenA() excludes the terminator, so neither the allocation nor the
 *    write covers the NUL; the remote GetModuleHandleA only sees a
 *    terminated string because a freshly committed page is zero-filled.
 *  - The start address comes from GetProcAddress() in *this* process and is
 *    reused in the target, which assumes kernel32.dll is mapped at the same
 *    base in both (same bitness, same boot session) -- confirm.
 *  - WriteProcessMemory() and CreateRemoteThread() results are not checked;
 *    a NULL thread handle would be passed straight to WaitForSingleObject().
 *  - rModResult is never used, and the thread handle is never closed.
 *  - VirtualFreeEx() with MEM_RELEASE is documented to require dwSize == 0;
 *    with a non-zero size the call fails and the remote page is not freed.
 */
DWORD RemoteGMH(HANDLE proc, char *module)
{
    //Write module name to process
    void *rModule = VirtualAllocEx(proc, 0, lstrlenA(module), MEM_COMMIT, PAGE_READWRITE);
    if (rModule == 0) { printf("VirtualAllocEx failed\n"); return 0; }
    WriteProcessMemory(proc, rModule, (void*)module, lstrlenA(module), 0);

    //Get module handle in process
    HANDLE rModThread = CreateRemoteThread(proc, 0, 0, (LPTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle("kernel32.dll"), "GetModuleHandleA"), rModule, 0, 0);
    DWORD rModResult = WaitForSingleObject(rModThread, INFINITE);

    DWORD rModHandle = 0;
    GetExitCodeThread(rModThread, &rModHandle);
    VirtualFreeEx(proc, (void*)rModule, lstrlenA(module), MEM_RELEASE);
    if (rModHandle == 0) { printf("Remote thread exit code is 0\n"); return 0; }

    return rModHandle;
}