captmicro

Lua Hack Kit - why is it detected as a virus?

Jun 26th, 2012
493
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 4.24 KB | None | 0 0
  1. DWORD _DataCompare(BYTE *data, BYTE *sig, DWORD siglen)
  2. {
  3.     DWORD i = 0;
  4.     for(; i < siglen; i++)
  5.         if ((sig[i] != '?') && (sig[i] != data[i]))
  6.             return 0;
  7.     return (i == siglen);
  8. }
  9. DWORD _FindPattern(DWORD addr, DWORD len, BYTE *sig, DWORD siglen)
  10. {
  11.     DWORD i = 0;
  12.     for (; i < len; i++)
  13.         if (_DataCompare((BYTE*)(addr+i), sig, siglen))
  14.             return addr + i;
  15.     return 0;
  16. }
  17. LUA_FUNC(SigScan)
  18. {
  19.     HANDLE h = (void*)((DWORD)lua_tointeger(l, 1));
  20.     DWORD dwAddress = (DWORD)lua_tostring(l, 2);
  21.     BYTE *bSig = (BYTE*)lua_tostring(l, 3);
  22.     DWORD dwSigLen = (DWORD)lua_tointeger(l, 4);
  23.    
  24.     //Get address & size of dll
  25.     if (dwAddress == 0) { lua_pushinteger(l, 1); return 1; }
  26.     MEMORY_BASIC_INFORMATION mbi;
  27.     VirtualQueryEx(h, (void*)dwAddress, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
  28.     DWORD dwLen = mbi.RegionSize;
  29.     if (mbi.RegionSize == 0) { lua_pushinteger(l, 2); return 1; }
  30.  
  31.     BYTE *buffer = (BYTE*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x1000);
  32.     if (buffer == 0) { lua_pushinteger(l, 3); return 1; }
  33.  
  34.     //Scan every page
  35.     DWORD dwTemp = 0, dwDelta = 0;
  36.     do
  37.     {
  38.         ReadProcessMemory(h, (void*)dwAddress, (void*)buffer, 0x1000, 0);
  39.         dwDelta = _FindPattern(dwAddress, 0x1000, bSig, dwSigLen);
  40.         if (dwDelta != 0)
  41.         {
  42.             HeapFree(GetProcessHeap(), 0, buffer);
  43.             dwDelta -= (DWORD)buffer;
  44.             dwDelta += dwAddress;
  45.             lua_pushinteger(l, dwDelta);
  46.             return 1;
  47.         }
  48.         dwAddress += 0x1000;
  49.     } while (dwAddress < (dwTemp + dwLen));
  50.  
  51.     HeapFree(GetProcessHeap(), 0, buffer);
  52.     lua_pushinteger(l, 4);
  53.     return 1;
  54. }
  55. LUA_FUNC(SetDebugPrivileges)
  56. {
  57.     TOKEN_PRIVILEGES Debug_Privileges;
  58.  
  59.     //STEP 1
  60.     if (!LookupPrivilegeValue (NULL, // Privieleges for the local system
  61.         SE_DEBUG_NAME, // define the name of the privilege
  62.         &Debug_Privileges.Privileges[0].Luid)) // will get the LUID value into this variable
  63.     {   //if function failed, cannot proceed to the next step
  64.         return GetLastError(); //terminate the outer function
  65.     }
  66.  
  67.     //STEP 2
  68.     DWORD err = 0; // define error holder, used to store the error code in case of failure
  69.     HANDLE hToken = 0; //  instantiate a token handle
  70.     if (!OpenProcessToken (GetCurrentProcess (), // current process ID handle
  71.         TOKEN_ADJUST_PRIVILEGES, //set the desired access
  72.         &hToken)) // handle to the token will be held here
  73.     {   // if function failed, cannot proceed to the next step
  74.         err = GetLastError();  
  75.         if (hToken) // if handle is still valid
  76.             CloseHandle (hToken); // destroy it
  77.         return err; //terminate the outer function
  78.     }
  79.  
  80.     //STEP3
  81.     Debug_Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; // set to enable privilege
  82.     Debug_Privileges.PrivilegeCount = 1; // working with only one privilege
  83.  
  84.     if (!AdjustTokenPrivileges (hToken, // access token handle
  85.         FALSE, // do not disable privileges
  86.         &Debug_Privileges, // pointer to the token structure
  87.         0,  // no need for a buffer
  88.         NULL, // previous state not set
  89.         NULL)) //  no need for a buffer
  90.     {
  91.         err = GetLastError();
  92.         if (hToken) // if handle is still valid
  93.             CloseHandle (hToken); // destroy it
  94.         return err; //terminate the outer function
  95.     }
  96.  
  97.     return err;
  98. }
  99. BOOL VistaOrHigher()
  100. {
  101.     void *peb;
  102.     _asm
  103.     {
  104.         push EAX
  105.         xor EAX, EAX
  106.         mov EAX, fs:[0x30]
  107.         mov [peb], EAX
  108.         POP EAX
  109.     }
  110.     ULONG OSMinor = *((BYTE*)peb + 0xA4);
  111.     ULONG OSMajor = *((BYTE*)peb + 0xA8);
  112.     ULONG OSPlatform = *((BYTE*)peb + 0xB0);
  113.     BOOL vistaorhigher = 0;
  114.     if (OSPlatform == 2 && OSMajor == 6)
  115.         vistaorhigher = 1;
  116.     return vistaorhigher;
  117. }
  118.  
  119. DWORD RemoteGMH(HANDLE proc, char *module)
  120. {
  121.     //Write module name to process
  122.     void *rModule = VirtualAllocEx(proc, 0, lstrlenA(module), MEM_COMMIT, PAGE_READWRITE);
  123.     if (rModule == 0) { printf("VirtualAllocEx failed\n"); return 0; }
  124.     WriteProcessMemory(proc, rModule, (void*)module, lstrlenA(module), 0);
  125.  
  126.     //Get module handle in process
  127.     HANDLE rModThread = CreateRemoteThread(proc, 0, 0, (LPTHREAD_START_ROUTINE)
  128.         GetProcAddress(GetModuleHandle("kernel32.dll"), "GetModuleHandleA"), rModule, 0, 0);
  129.     DWORD rModResult = WaitForSingleObject(rModThread, INFINITE);
  130.  
  131.     DWORD rModHandle = 0;
  132.     GetExitCodeThread(rModThread, &rModHandle);
  133.     VirtualFreeEx(proc, (void*)rModule, lstrlenA(module), MEM_RELEASE);
  134.     if (rModHandle == 0) { printf("Remote thread exit code is 0\n"); return 0; }
  135.  
  136.     return rModHandle;
  137. }
Add Comment
Please, Sign In to add comment