I'm not sure what this code does, it is probably malicious.. Please be careful and DO NOT attempt to compile it..
I received a .exe file that probably does something malicious since it was named as ".jpg.exe", it had a fake jpg icon and it has some stealth options like setting the Opacity to 0, ShowInTaskbar to False and many other settings.
I do know VB, but I'm not experienced enough to tell what it does. Can someone please tell me what this person intended to do to my computer with this program?
He had these declarations:
Imports System
Imports System.ComponentModel
Imports System.Drawing
Imports System.IO
Imports System.Reflection
Imports System.Security.Cryptography
Imports System.Windows.Forms
This function
Public Shared Function Decrypt(ByVal input As Byte()) As Byte()
Dim aes As Aes
Dim bytes As New PasswordDeriveBytes("xdldfklgjdfklgjdfklgjdflgkdfj", New Byte() { &H26, &H16, 11, &H4E })
Dim stream As New MemoryStream
aes = New AesManaged With { _
.Key = bytes.GetBytes((aes.KeySize / 8)), _
.IV = bytes.GetBytes((aes.BlockSize / 8)) _
}
Dim stream2 As New CryptoStream(stream, aes.CreateDecryptor, CryptoStreamMode.Write)
stream2.Write(input, 0, input.Length)
stream2.Close
Return stream.ToArray
End Function
I'm assuming this function is meant to decrypt passowrd hashes saved on my computer or something?
And this is the main function, it is very long so I added it to text file:
http://ninjastormns.my3gb.com/DecompiledVBCode.txt
I'm sorry for posting such an unusual question, but I need to know what this guy was after and this felt like the right place to ask. Thank you.
Please note that if this code turns out to be malicious as I'm suspecting, I'll remove it once the question is solved to avoid it being reused.
I did not spend much time on this, but the code as shown simply decrypts a large binary blob into an in-memory assembly, then runs it.
Since the Decrypt routine itself looked harmless, I copied it into a new project, then ran:
System.IO.File.WriteAllBytes("C:\quarantine\danger.out", Decrypt(New Byte() { &HBC, &H7B, 220, &H4F, &H60, &H56, &HCA, ... }))
This wrote the decrypted bytes of the malicious assembly into a file at "C:\quarantine\danger.out". When I did this, my antivirus immediately quarantined the file and flagged it as "Backdoor.Ratenjay", which is listed as a backdoor trojan.
Since I was feeling foolhardy adventurous, I restored the quarantined file and opened it with ILSpy. Among other things, it appears to:
add a firewall exception for itself using netsh
copy itself to the startup folder
log keystrokes
monitor the current foreground window
connect to a dynamic DNS subdomain to send/receive data
save downloaded data to the filesystem, then run the downloaded file
The answer to your question would be that the attacker intended to open a backdoor on your computer in order to monitor your system, and to download and run arbitrary commands.
Related
Scenario:
My company has a legacy (read that as 32 bit) windows form application that will be around for quite some time in the future. This application uses an embedded web browser control that is supplied pages that are contained within the database that it maintains. It was built like this so we could extend/modify as needed. I say this so that I can validate that security is not a concern. Only the application and developers with the correct tools have access to the pages or database. The application is only available inside the office.
There are some processes that I need to accomplish using ActiveX objects that are embedded within the pages/application. One of the biggest and most annoying thing that happens is the ActiveX security warning when I got to create instances of things like “scripting.filesystemobject”. Example:
Set oFSO = CreateObject("Scripting.FileSystemObject")
My solution is to create a DLL that is installed locally on each machine that needs access to the extended functions, have the all the functions (whole DLL ??) marked as safe so that the web browser control does not present the security warning. I have been searching using google and came across very few examples, and all of which are in C# which is not my strongest language.
I’ve had to convert from C to Vb.Net visual basic to get what I have now. When I go to register my DLL, I get the following error message:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319>regasm
Z:\VBNet2017\APIInternal\APIInternal\bin\Debug\APIinternal.dll /tlb
Microsoft .NET Framework Assembly Registration Utility version 4.8.4084.0
for Microsoft .NET Framework version 4.8.4084.0
Copyright (C) Microsoft Corporation. All rights reserved.
Types registered successfully
RegAsm : error RA0000 : Type 'APIInternal.API.Accupay' has an invalid default COM
interface: 'APIInternal.API.Accupay'
UPDATE: Thank you Hans; the error is gone. I've also made some changes in the source code; I changed the ProgID to something that closely resembles where and what this is for. I'm still having issues in creating the object in VB Script.
This is the output from the current version of the code. This is the code, stripped down for clarity:
Option Strict On
Imports System.Runtime.InteropServices
Imports System.IO
Namespace API
Public Interface IAccupay
<DispId(1)>
Function GetFiles(ByVal Folder As String) As List(Of String)
End Interface
<Guid("8B4B5CEF-8B3A-49A1-9053-E909F82D9E73"),
ProgId("AddIn.Accupay"), ClassInterface(ClassInterfaceType.None),
ComDefaultInterface(GetType(IAccupay)), ComVisible(True)>
Public Class Accupay
Implements IAccupay
Private Function GetFiles(Folder As String) As List(Of String) Implements IAccupay.GetFiles
Return Directory.GetFiles(Folder).ToList
End Function
End Class
I have tried just about every combination of ProgID, Name space, Interface name and class name to get this error to go away without any luck. I do know there are other elements that need to be addressed or added, such as error trapping and, if I’m not mistaken, how to actually implement the ObjectSafetyOption which I still don’t know how to do.
I have been using the Guide at the bottom of this article:
Is it possible to mark an ActiveX object as safe so that IE settings need not be changed?, the second answer, but I haven’t had any success.
Please, can someone point me in the right direction, maybe show me what’s wrong with the code that I have and how to physically implement the ObjectSafteyOption that is needed for the web control. Links, additional reading, code examples or comments on how to get this fixed and working would really be appreciated.
Thank you for reading and any help you send my way, Fred
PS: If you need more information, or have a better solution, please don’t hesitate to reply or comment.
UPDATE:
With the code that I have now, I am able to access the DLL in VB.Net visual basic:
Imports System
Imports APIInternal.API
Module Program
Sub Main(args As String())
Dim API As New Accupay
Dim FileList = API.GetFiles("C:\Windows\")
For Each Item As String In FileList
Console.WriteLine(Item)
Next
End Sub
End Module
However, I still can't seem to get the correct calling for a VB Script/html page:
Set Test = CreateObject("Test.Accupay")
Which returns the VB Script error "ActiveX Component can't create object: Test.Accupay or any other iteration of the parts of the name that I tried. I think part of this is that I don't understand how the creation of the project leads to the creation of the object in a com base environment like VB Script.
Fred
The answer to this problem is two fold: You must target the correct platform (X86) AND use the 32 bit version of regasm. Once I realized this was the issue, I was able to create the DLL and use it's functions in the Web Browser control without the active X warning. One example is I can now open the default browser (in this case, NOT IE/EDGE) from a link within the WB Control and another is to get the contents of a folder for further processing within the WB page.
I have referenced a few mentions of how to do this on stackoverflow.
I tried testing from the following reference code :
https://www.dotnetperls.com/process
How to run .exe file by my Webservice?
VERSION: Framework 3.5
VisualStudio2010
When i ran my code below in the browser, I see the bullet point to click on. When I click on it nothing happens. My exe simply locates an xml file and creates a new file from it. I want to use a webservice to run the exe. Is there something I am missing in my code? There are other versions I saw that had more code but I tried them and still had no luck [check my link]
This is my first webservice so I am learning as I go.
Imports System.Web.Services
Imports System.Web.Services.Protocols
Imports System.ComponentModel
Imports System.IO
' To allow this Web Service to be called from script, using ASP.NET AJAX, uncomment the following line.
' <System.Web.Script.Services.ScriptService()> _
<System.Web.Services.WebService(Namespace:="http://localhost/")> _
<System.Web.Services.WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _
<ToolboxItem(False)> _
Public Class Service1
Inherits System.Web.Services.WebService
Dim File As String
<WebMethod()> _
Public Sub runExe()
Dim exe = "C:\WindowsApplication1\bin\Debug\WindowsApplication1.exe"
'Dim file = "C:\Test\test.xml"
Dim startInfo As New ProcessStartInfo()
startInfo.FileName = exe
'startInfo.Arguments = file
Process.Start(startInfo)
'REFERENCE: https://www.dotnetperls.com/process
End Sub
I also tried calling .exe from another .exe to run a webservice by using
ThreadPool.QueueUserWorkItem(Sub() Process.Start("C:\WindowsApplication1\bin\Debug\WindowsApplication1.exe"))
but the exe didn't run aka I didn't see the new file created in the folder path the exe sends it to.
also tried:
Dim processInfo = New ProcessStartInfo(exe)
Dim process__1 = Process.Start(ProcessInfo)
process__1.WaitForExit(5000)
Dim exitCode = process__1.ExitCode
process__1.Close()
Return
nothing happened
UPDATE:
Didn't think to use a output test to find my issue. I used the following:
While Not process__1.StandardOutput.EndOfStream
Dim line As String = process__1.StandardOutput.ReadLine()
End While
In response to your comment...
well I'm planning to use my asp.net application to communicate with this service to run exe. so I would think client
That's an incorrect understanding of how web applications work. Your server-side ASP.NET code (the VB parts) are just that, server-side. All of that code executes on the web server. The browser/client/etc. has no knowledge of it.
(Imagine for a moment a world where any website you visit could arbitrarily execute any .NET code they want on your computer. Doesn't sound like fun.)
If you want the client to execute an application, you have to send the application to the client (such as a link to download it) and basically ask them to run it. Your server-side code can't automatically execute applications on the client's computer.
I have a SharePoint test website (Azure SharePoint farm) which contains several image files and some document templates. I want to download the images to my local drive. I anticipate looping through a list of URLs, e.g. http://mySharePointSite/Sites/Images/Image01.png and downloading each in turn. I've tried URLDownloadToFile which works great if I put the images on a regular website but I'm unable to get past Windows Security with this approach.
I had a go at creating an InternetExplorer.Application Object (late binding) and can view my images but am unable to download them. Was trying ieApp.ExecWB but this throws a Run Time Error that seems insurmountable.
I've also tried WinHTTP.WinHTTPrequest.5.1 (StackOverflow 22051960) but, while that looked promising it returned a short string "???????" instead of an image.
I'm really hoping for a VBA solution and am wondering if Impersonate User might provide options, or if there are other options (excluding using SendKeys). Sadly I'm pushing the limits of my VBA knowledge and could really use some guidance.
Is it possible to download from share point from VBA?
If so how, am I missing something simple?
I can paste code, but really I'm not sure I have anything worth sharing. If this is not possible or unreliable in VBA then would be possible with VB.Net (my next steepest learning curve)?
Hope this helps someone. I ended up using Visual Studio to create a dll in VB.Net that I can call from VBA. VB.Net dll requires references to microsoft.sharepoint.client
And the VBA code requires a reference to the resulting dll.
Imports Microsoft.SharePoint.Client
Module Module1
Sub Main()
Dim myContext As Microsoft.SharePoint.Client.ClientContext
myContext = New ClientContext("http://TestSP-a.cloudapp.net/sites/Images/")
Dim myCredentials As New System.Net.NetworkCredential
'' I'm accessing a website from the outside so there
'' are no credentials on my PC. If on the same NW I
'' assume I can use the line below instead of the
'' 3 lines that follow.
'myCredentials = System.Net.CredentialCache.DefaultNetworkCredentials
myCredentials.UserName = "UserNameForSharePoint"
myCredentials.Password = "PassWordForSharePoint"
myCredentials.Domain = "" ' <-- Leave Blank
Dim mySiteSP As New Uri("http://TestSP-a.cloudapp.net/sites/Images/Image1.png")
Dim myTemp As String = "C:\temp\test.png"
My.Computer.Network.DownloadFile(mySiteSP, myTemp, myCredentials, True, 600000I, False)
End Sub
End Module
Can anyone recommend what's a good way to encrypt an executable? I was trying to use AxCrypt but I don't like the usage, i.e. you specify a passcode and the person who launches the exe needs to specify the passcode. Is there someway to encrypt it once and users just run the exe without specifying any passwords?
It's basically pointless. If it's a .NET or Java program, obfuscators can improve performance and decrease the executable size and make it difficult to reverse engineer. Packers can decrease executable size. Signing can provide assurance to your users that you built the program. But encryption of the executable for the purpose of hiding it's executable code is rather pointless.
A program which knows how to decrypt itself will contain all the information a hacker needs to compromise the program. You are handing out the lock with the key. However, lets assume you want to put up a small barrier to entry to your program. Maybe you have cheat codes in your game and you don't want someone to be able to just run 'strings' over your program and view them.
What I suggest is packing your program with an a program like UPX. This can further obfuscate your program on disk. Your basic interrogation techniques will only see the tiny decompressor. However, a determined hacker will quickly recognize the compressor program and decompress it. In either case, once a program is running in memory, one can take a core dump of the process, or attach a debugger to it. There isn't much you can do to prevent this on most hardware.
You guy's don't understand the question, it's normal for a programmer to think that way. But as a ethical hacker it is clear that he wants to bypass the antivirus not hide the code, anyway you may use Visual Basic.
for encryption use this code
Public Function TripleDES_Encrypt(ByVal input As String, ByVal pass As String) As String
Dim TripleDES As New System.Security.Cryptography.TripleDESCryptoServiceProvider
Dim Hash_TripleDES As New System.Security.Cryptography.MD5CryptoServiceProvider
Dim encrypted As String = ""
Try
Dim hash(23) As Byte
Dim temp As Byte() = Hash_TripleDES.ComputeHash(System.Text.ASCIIEncoding.ASCII.GetBytes(pass))
Array.Copy(temp, 0, hash, 0, 16)
Array.Copy(temp, 0, hash, 15, 8)
TripleDES.Key = hash
TripleDES.Mode = Security.Cryptography.CipherMode.ECB
Dim DESEncrypter As System.Security.Cryptography.ICryptoTransform = TripleDES.CreateEncryptor
Dim Buffer As Byte() = System.Text.ASCIIEncoding.ASCII.GetBytes(input)
encrypted = Convert.ToBase64String(DESEncrypter.TransformFinalBlock(Buffer, 0, Buffer.Length))
Return encrypted
Catch ex As Exception
End Try
End Function
for decryption
Public Function TripleDES_Decrypt(ByVal input As String, ByVal pass As String) As String
Dim TripleDES As New System.Security.Cryptography.TripleDESCryptoServiceProvider
Dim Hash_TripleDES As New System.Security.Cryptography.MD5CryptoServiceProvider
Dim decrypted As String = ""
Try
Dim hash(23) As Byte
Dim temp As Byte() = Hash_TripleDES.ComputeHash(System.Text.ASCIIEncoding.ASCII.GetBytes(pass))
Array.Copy(temp, 0, hash, 0, 16)
Array.Copy(temp, 0, hash, 15, 8)
TripleDES.Key = hash
TripleDES.Mode = Security.Cryptography.CipherMode.ECB
Dim DESDecrypter As System.Security.Cryptography.ICryptoTransform = TripleDES.CreateDecryptor
Dim Buffer As Byte() = Convert.FromBase64String(input)
decrypted = System.Text.ASCIIEncoding.ASCII.GetString(DESDecrypter.TransformFinalBlock(Buffer, 0, Buffer.Length))
Return decrypted
Catch ex As Exception
End Try
End Function
If you only want specific users to run the exe then, you can define policies under windows that would allow you to run it for only specific users.
but if you want to hide code then:
since you have not mentioned which language you used to make the exe. If its c/c++ its already encrypted enough, it requires some work to get the code from it. If its java or csharp there are obfuscators that you can use. it would somewhat make it difficult to get the code from exe.
To answer the OP, I am not aware of a product that does this. It seems to me that it should be possible.
I'm guessing you are trying to protect your intellectual property by encrypting your executable and not to bypass antivirus programs as others have suggested.
First, a password probably does little to protect your IP by itself. But if that is all you want, then you should be able to save the password to a credential manager.
The problem I see offhand with just a password is that customers could easily share it.
Additional issues with any system: Did you decrypt the executable to storage media? If so, the unencrypted executable can be found and copied. Will the executable run strictly from memory, and if so, how do you keep it from being read from memory using a VM or debugger? If you have another trick, will it work correctly if parts of your program are swapped to disk in a low memory situation?
If decryption is just an algorithm, the algorithm will be on the machine and can be found and reversed engineered.
If the method uses asymmetric (public/private) keys, and the necessary key is available on the machine, the key can be found.
The decryption key will need to be somewhere. If an online broker provides it, you rely on the broker to protect the key that does the decrypting. If you act as the online broker for your customers, you will have more control over the process and you also get to do all the heavy lifting.
A scenario could be that you have a separate public/private set of keys to talk to the key broker. Collect information from the customer machine, encrypt that information into a packet with one of the keys and send that to your key broker system. The key broker has the other key to decode that packet, validates the customer machine is authorized to use the program, and sends the separate decryption key to decrypt the program.
My general answer is that it should be possible to protect your IP without needing to type a password in each time, but it won't be easy and I don't know of any implementations. As others have mentioned, obfuscation is what most people use.
Despite my lack of coding knowledge I managed to write a small little app in VB net that a lot of people are now using. Since I made it for free I have no way of knowing how popular it really is and was thinking I could make it ping some sort of online stat counter so I could figure out if I should port it to other languages. Any idea of how I could ping a url via vb without actually opening a window or asking to receive any data? When I google a lot of terms for this I end up with examples with 50+ lines of code for what I would think should only take one line or so, similar to opening an IE window.
Side Note: Would of course fully inform all users this was happening.
Just a sidenote: You should inform your users that you are doing this (or not do it at all) for privacy concerns. Even if you aren't collecting any personal data it can be considered a privacy problem. For example, when programs collect usage information, they almost always have a box in the installation process asking if the user wants to participate in an "anonymous usage survey" or something similar. What if you just tracked downloads?
Might be easier to track downloads (assuming people are getting this via HTTP) instead of installs. Otherwise, add a "register now?" feature.
You could use something simple in the client app like
Sub PingServer(Server As String, Port As Integer)
Dim Temp As New System.Net.Sockets();
Temp.Connect(Server, Port)
Temp.Close()
End Sub
Get your webserver to listen on a particular port and count connections.
Also, you really shouldn't do this without the user's knowledge, so as others have said, it would be better to count downloads, or implement a registration feature.
I assume you are making this available via a website. So you could just ask people to give you their email address in order to get the download link for the installer. Then you can track how many people add themselves to your email list each month/week/etc. It also means you can email them all when you make a new release so that they can keep up to date with the latest and greatest.
Note: Always ensure they have an unsubscribe link at the end of each email you send them.
The guys over at vbdotnetheaven.com have a simple example using the WebClient, WebRequest and HttpWebRequest classes. Here is their WebClient class example:
Imports System
Imports System.IO
Imports System.Net
Module Module1
Sub Main()
' Address of URL
Dim URL As String = http://www.c-sharpcorner.com/default.asp
' Get HTML data
Dim client As WebClient = New WebClient()
Dim data As Stream = client.OpenRead(URL)
Dim reader As StreamReader = New StreamReader(data)
Dim str As String = ""
str = reader.ReadLine()
Do While str.Length > 0
Console.WriteLine(str)
str = reader.ReadLine()
Loop
End Sub
End Module
.NET? Create an ASMX Web Service and set it up on your web site. Then add the service reference to your app.
EDIT/CLARIFICATION: Your Web Service can then store passed data into a database, instead of relying on Web Logs: Installation Id, Install Date, Number of times run, etc.