
 

 




Autor Tema: [SRC] GetPath EXE Opened  (Leído 1,380 veces)
Miseryk


SI.NU.SA U.GU.DE (2NE1 - D-Unit)


[SRC] GetPath EXE Opened
« en: 9 Febrero 2015, 14:53 pm »

Bueno, este es un tema que vi en foro.elhacker.net/programacion_visual_basic/abrir_ejecutable_en_un_form_iquestes_posible_abrir_chrome-t429104.0.html para obtener el path de un archivo en ejecución sin hooks; aparentemente ve desde dónde se abrió. Ahora posteo el código y un par de ejemplos:

Código
Option Explicit

' Win32 helpers shared by the sample form: open a process, read its memory and
' convert the raw bytes to/from VB strings.  VB6 is a 32-bit environment, so
' every HANDLE and pointer below is declared As Long.

Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' NOTE: the last parameter is the API's lpNumberOfBytesRead (count of bytes
' actually copied) despite being named ...Written here.  It is ByRef; callers
' should check it, or the return value, before trusting the contents of lpBuffer.
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Public Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long

' Access rights for OpenProcess.  PROCESS_ALL_ACCESS asks for every right and
' may be refused where a narrower request would succeed; reading another
' process's memory only needs PROCESS_VM_READ Or PROCESS_QUERY_INFORMATION,
' so prefer the minimal combination for the operation at hand.
Public Const PROCESS_ALL_ACCESS = &H1F0FFF  'Specifies all possible access flags for the process object.
Public Const PROCESS_CREATE_THREAD = &H2   'Enables using the process handle in the CreateRemoteThread function to create a thread in the process.
Public Const PROCESS_DUP_HANDLE = &H40  'Enables using the process handle as either the source or target process in the DuplicateHandle function to duplicate a handle.
Public Const PROCESS_QUERY_INFORMATION = &H400 'Enables using the process handle in the GetExitCodeProcess and GetPriorityClass functions to read information from the process object.
Public Const PROCESS_SET_INFORMATION = &H200  'Enables using the process handle in the SetPriorityClass function to set the priority class of the process.
Public Const PROCESS_TERMINATE = &H1 'Enables using the process handle in the TerminateProcess function to terminate the process.
Public Const PROCESS_VM_OPERATION = &H8 'Enables using the process handle in the VirtualProtectEx and WriteProcessMemory functions to modify the virtual memory of the process.
Public Const PROCESS_VM_READ = &H10     'Enables using the process handle in the ReadProcessMemory function to read from the virtual memory of the process.
Public Const PROCESS_VM_WRITE = &H20 'Enables using the process handle in the WriteProcessMemory function to write to the virtual memory of the process.
Public Const SYNCHRONIZE = &H100000   'Enables using the process handle in any of the wait functions to wait for the process to terminate.

' RtlMoveMemory is a raw byte copy with no bounds checking: the caller must
' guarantee that both source and destination hold at least cbCopy bytes.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)

'The WideCharToMultiByte function maps a wide-character string to a new character string.
'The function is faster when both lpDefaultChar and lpUsedDefaultChar are NULL.

'CodePage
'Only CP_ACP is used in this module (StringToByteArray); the rest are kept for reference.
Private Const CP_ACP = 0 'ANSI
Private Const CP_MACCP = 2 'Mac
Private Const CP_OEMCP = 1 'OEM
Private Const CP_UTF7 = 65000
Private Const CP_UTF8 = 65001

'dwFlags
'The code in this module passes 0 for dwFlags; these are listed for reference.
Private Const WC_NO_BEST_FIT_CHARS = &H400
Private Const WC_COMPOSITECHECK = &H200
Private Const WC_DISCARDNS = &H10
Private Const WC_SEPCHARS = &H20 'Default
Private Const WC_DEFAULTCHAR = &H40

' cbMultiByte must cover the whole converted output, including the NUL when
' cchWideChar = -1; otherwise the call fails with ERROR_INSUFFICIENT_BUFFER.
' Passing cbMultiByte = 0 makes the function return the required byte count
' without writing anything, which is the safe way to size the buffer.
Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, ByVal lpMultiByteStr As Long, ByVal cbMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long

  41. Public Function ByteArrayToString(Bytes() As Byte) As String
  42. Dim iUnicode As Long, i As Long, j As Long
  43.  
  44. On Error Resume Next
  45. i = UBound(Bytes)
  46.  
  47. If (i < 1) Then
  48.    'ANSI, just convert to unicode and return
  49.    ByteArrayToString = StrConv(Bytes, vbUnicode)
  50.    Exit Function
  51. End If
  52. i = i + 1
  53.  
  54. 'Examine the first two bytes
  55. CopyMemory iUnicode, Bytes(0), 2
  56.  
  57. If iUnicode = Bytes(0) Then 'Unicode
  58.    'Account for terminating null
  59.    If (i Mod 2) Then i = i - 1
  60.    'Set up a buffer to recieve the string
  61.    ByteArrayToString = String$(i / 2, 0)
  62.    'Copy to string
  63.    CopyMemory ByVal StrPtr(ByteArrayToString), Bytes(0), i
  64. Else 'ANSI
  65.    ByteArrayToString = StrConv(Bytes, vbUnicode)
  66. End If
  67. End Function
  68.  
  69. Public Function StringToByteArray(strInput As String, Optional bReturnAsUnicode As Boolean = True, Optional bAddNullTerminator As Boolean = False) As Byte()
  70. Dim lRet As Long
  71. Dim bytBuffer() As Byte
  72. Dim lLenB As Long
  73.  
  74. If bReturnAsUnicode Then
  75.    'Number of bytes
  76.    lLenB = LenB(strInput)
  77.    'Resize buffer, do we want terminating null?
  78.    If bAddNullTerminator Then
  79.        ReDim bytBuffer(lLenB)
  80.    Else
  81.        ReDim bytBuffer(lLenB - 1)
  82.    End If
  83.    'Copy characters from string to byte array
  84.    CopyMemory bytBuffer(0), ByVal StrPtr(strInput), lLenB
  85. Else
  86.    'METHOD ONE
  87. '        'Get rid of embedded nulls
  88. '        strRet = StrConv(strInput, vbFromUnicode)
  89. '        lLenB = LenB(strRet)
  90. '        If bAddNullTerminator Then
  91. '            ReDim bytBuffer(lLenB)
  92. '        Else
  93. '            ReDim bytBuffer(lLenB - 1)
  94. '        End If
  95. '        CopyMemory bytBuffer(0), ByVal StrPtr(strInput), lLenB
  96.  
  97.    'METHOD TWO
  98.    'Num of characters
  99.    lLenB = Len(strInput)
  100.    If bAddNullTerminator Then
  101.        ReDim bytBuffer(lLenB)
  102.    Else
  103.        ReDim bytBuffer(lLenB - 1)
  104.    End If
  105.    lRet = WideCharToMultiByte(CP_ACP, 0&, ByVal StrPtr(strInput), -1, ByVal VarPtr(bytBuffer(0)), lLenB, 0&, 0&)
  106. End If
  107.  
  108. StringToByteArray = bytBuffer
  109. End Function
  110.  

Código
' Form module: Text1 holds the target PID, Command1 performs the read.
' Relies on the Declares and constants of the Public module above.
Option Explicit

  3. Private Sub Command1_Click()
  4. Dim handle_Process As Double
  5.  
  6. handle_Process = OpenProcess(PROCESS_ALL_ACCESS, False, Val(Text1.Text))
  7.  
  8. If handle_Process <> 0 Then
  9.    Dim zBytes(256) As Byte
  10.  
  11.    Dim lb As Long
  12.  
  13.    lb = LoadLibraryA("KERNEL32.DLL")
  14.  
  15.    If lb = 0 Then
  16.        lb = &H77C50000
  17.    End If
  18.  
  19.    'kernel32.dll+C6320
  20.    '0x77D16320
  21.    If ReadProcessMemory(handle_Process, lb + &HC6320, zBytes(0), 256, 0&) <> 0 Then
  22.        Clipboard.SetText ByteArrayToString(zBytes)
  23.        MsgBox Clipboard.GetText
  24.    Else
  25.        MsgBox "Error al ejecutar ReadProcessMemory. (" & Err.LastDllError & ")"
  26.    End If
  27.  
  28.    Call CloseHandle(handle_Process)
  29. Else
  30.    MsgBox "Error al ejecutar OpenProcess. (" & Err.LastDllError & ")"
  31. End If
  32. End Sub
  33.  
  34. Private Sub Form_Load()
  35. Text1.Text = GetCurrentProcessId()
  36. End Sub
  37.  

TaskMgr:
opera.exe 236 C:\Program Files\Opera\20.0.1387.91\opera.exe
OUTPUT: C:\Program Files\Opera\

McTray.exe 1796 C:\Program Files\McAfee\Common Framework\McTray.exe
OUTPUT: C:\Program Files\McAfee\Common Framework\

Project1.exe 2368 (éste) C:\Users\***00001**\Desktop\Program Opened from\Project1.exe
OUTPUT: C:\Users\***00001**\Desktop\Program Opened from\

TeamViewer.exe 3308 C:\Program Files\TeamViewer\Version9\TeamViewer.exe
OUTPUT: C:\Windows\system32\ (muestra este output porque se cargó como servicio y aparentemente se abre desde ese path)

cheatengine-i386.exe 4320 C:\Misery-PC\Descargas\CE 6.3\CE 6.3\cheatengine-i386.exe
OUTPUT: C:\Misery-PC\Descargas\CE 6.3\CE 6.3\

UdaterUI.exe 5216 C:\Program Files\McAfee\Common Framework\UdaterUI.exe
OUTPUT: C:\Program Files\McAfee\Common Framework\

notepad++.exe 7464 C:\Program Files\Notepad++\notepad++.exe
OUTPUT: C:\Users\***00001**\Desktop\GOTTA DO\ (abrí un txt desde ese lugar)

Si bien no muestra el path del ejecutable, muestra el path desde donde se abrió; seguramente cerca de la dirección KERNEL32.DLL+offset debe estar el path original del .exe. Cualquier cosa nueva la posteo.

Saludos.



Can you see it?
The worst is over
The monsters in my head are scared of love
Fallen people listen up! It’s never too late to change our luck
So, don’t let them steal your light
Don’t let them break your stride
There is light on the other side
And you’ll see all the raindrops falling behind
Make it out tonight
it’s a revolution

CL!!!