Show Posts
Programming / Visual Basic Programming / Generic Server Editor Class [SRC]

on: 19 September 2008, 18:28
Well, I got tired of people asking this a million times, so here is a super simple piece of code to read and write data at the end of an EXE. Credits to E0N for the function that calculates the EOF.

Class:

'---------------------------------------------------------------------------------------
' Module    : cEditSvr
' DateTime  : 19/09/2008 13:23
' Author    : Cobein
' Mail      : cobein27@hotmail.com
' WebPage   : http://www.advancevb.com.ar
' Purpose   : Read Write data at EOF
' Usage     : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' History   : 19/09/2008 First Cut....................................................
'---------------------------------------------------------------------------------------
Option Explicit

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)

Private c_pBag    As New PropertyBag
Private c_sFile   As String
Private c_lEOF    As Long
Public c_bHasData As Boolean

'---------------------------------------------------------------------------------------
' Procedure : GetEOF
' Author    : E0N
' Purpose   : Calculate EOF (end of the last section's raw data). Assumes a PE32
'             image with a 0xE0-byte optional header, so the section table
'             starts at PE + 0xF8 and the last table entry ends last in the file.
'---------------------------------------------------------------------------------------
Private Function GetEOF(sPath As String) As Long
    Dim vbData()         As Byte
    Dim PE               As Long
    Dim NumberOfSections As Integer
    Dim BeginLastSection As Long
    Dim RawSize          As Long
    Dim RawOffset        As Long
    Dim hFile            As Integer

    hFile = FreeFile
    Open sPath For Binary As #hFile
    ReDim vbData(LOF(hFile) - 1)
    Get #hFile, , vbData
    Close #hFile

    Call CopyMemory(PE, vbData(&H3C), 4)                         ' e_lfanew
    Call CopyMemory(NumberOfSections, vbData(PE + &H6), 2)       ' IMAGE_FILE_HEADER.NumberOfSections
    BeginLastSection = PE + &HF8 + ((NumberOfSections - 1) * &H28)
    Call CopyMemory(RawSize, vbData(BeginLastSection + 16), 4)   ' SizeOfRawData
    Call CopyMemory(RawOffset, vbData(BeginLastSection + 20), 4) ' PointerToRawData
    GetEOF = RawSize + RawOffset
End Function

Public Function ExeFile(sPath As String) As Boolean
    Dim vbData() As Byte
    Dim hFile    As Integer

    c_sFile = sPath
    c_lEOF = GetEOF(c_sFile)
    c_bHasData = False
    Set c_pBag = New PropertyBag
    If Not FileLen(c_sFile) = c_lEOF Then
        c_bHasData = True
        hFile = FreeFile
        Open c_sFile For Binary As #hFile
        ReDim vbData(LOF(hFile) - c_lEOF - 1)
        Seek #hFile, c_lEOF + 1
        Get #hFile, , vbData
        Close #hFile
        '+++++++++++++++++++++++++++++++++++++++++++++++++++++
        'At this point you can Decrypt the byte array [vbData]
        '+++++++++++++++++++++++++++++++++++++++++++++++++++++
        c_pBag.Contents = vbData
    End If
    ExeFile = True
End Function

Public Sub WriteProp(sName As String, vVal As Variant)
    c_pBag.WriteProperty sName, vVal
End Sub

Public Function ReadProp(sName As String) As Variant
    ReadProp = c_pBag.ReadProperty(sName)
End Function

Public Function WriteData(sDstFile As String) As Boolean
    Dim vbData() As Byte
    Dim hFile    As Integer

    ' Copy only the image itself (up to the computed EOF) so that any data
    ' already appended to the source is not carried over twice.
    hFile = FreeFile
    Open c_sFile For Binary Access Read As #hFile
    ReDim vbData(c_lEOF - 1)
    Get #hFile, , vbData
    Close #hFile

    hFile = FreeFile
    Open sDstFile For Binary Access Write As #hFile
    Put #hFile, , vbData
    vbData = c_pBag.Contents
    '+++++++++++++++++++++++++++++++++++++++++++++++++++++
    'At this point you can Encrypt the byte array [vbData]
    '+++++++++++++++++++++++++++++++++++++++++++++++++++++
    Put #hFile, , vbData
    Close #hFile
    WriteData = True
End Function

How to call it:

Option Explicit

Private Sub Form_Load()
    Dim c As New cEditSvr
    c.ExeFile "c:\proyecto1.exe"
    c.WriteProp "IP", "123.123.123.123"
    c.WriteProp "Port", 1234
    c.WriteData "c:\test.exe"

    Set c = New cEditSvr
    c.ExeFile "c:\test.exe"
    Debug.Print c.ReadProp("IP")
    Debug.Print c.ReadProp("Port")
End Sub
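As an added example (not part of the original post), the Python below walks the PE header the same way GetEOF does (e_lfanew at 0x3C, NumberOfSections at PE+6, SizeOfRawData and PointerToRawData at +16 and +20 of each 40-byte section entry) to tell whether a file carries an overlay appended after its last section, which is what this class writes and what a triage script would look for. It generalizes GetEOF by reading SizeOfOptionalHeader instead of assuming PE+0xF8 and by taking the highest section end rather than the last table entry; the sample PE image is constructed inline and is not a real binary.

```python
import struct

def overlay_offset(data: bytes) -> int:
    """File offset at which section data ends; anything beyond it is overlay."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)     # SizeOfOptionalHeader
    # The section table follows the optional header. The VB GetEOF hard-codes
    # PE+0xF8, which only holds for PE32 with a 0xE0-byte optional header.
    table = pe + 24 + opt_size
    end = 0
    for i in range(num_sections):
        # SizeOfRawData at +16 and PointerToRawData at +20 of each 40-byte entry.
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)  # last in table need not be last in file
    return end

def find_overlay(data: bytes) -> bytes:
    """Bytes appended after the last section (the 'EOF data' the class writes)."""
    off = overlay_offset(data)
    return data[off:] if off < len(data) else b""

def build_sample_pe(overlay: bytes, swap: bool = False) -> bytes:
    """Constructed minimal PE32 image (not a real binary) with two sections."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)           # PE32 magic
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    dsec = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x100, 0x400,
                       0, 0, 0, 0, 0xC0000040)
    sections = dsec + text if swap else text + dsec
    image = (dos + coff + opt + sections).ljust(0x500, b"\0")    # sections end at 0x500
    return image + overlay

if __name__ == "__main__":
    tagged = build_sample_pe(b"IP=123.123.123.123;Port=1234")   # constructed overlay
    print(hex(overlay_offset(tagged)), find_overlay(tagged))
```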
Programming / Visual Basic Programming / Split replacement

on: 17 September 2008, 04:04
I was bored, so I made this: a function that imitates the Split function. Apparently Split is detected by AV heuristics, so this could be a good option, I suppose. Well, I don't know why, but this is changing the variable Expre ssion (I split it so it wouldn't get modified) to epresionje.

'---------------------------------------------------------------------------------------
' Procedure : SplitAlter
' DateTime  : 16/09/2008 22:58
' Author    : Cobein
' Mail      : cobein27@yahoo.com
' Purpose   : Complete Split Replacement
'---------------------------------------------------------------------------------------
Private Function SplitAlter(ByVal Expression As String, Optional ByVal Delimiter As String, Optional ByVal Limit As Long = -1) As String()
    Dim lLastPos   As Long
    Dim lIncrement As Long
    Dim lExpLen    As Long
    Dim lDelimLen  As Long
    Dim lUbound    As Long
    Dim svTemp()   As String

    lExpLen = Len(Expression)
    If Delimiter = vbNullString Then Delimiter = " "
    lDelimLen = Len(Delimiter)

    If Limit = 0 Then GoTo QuitHere
    If lExpLen = 0 Then GoTo QuitHere

    ReDim svTemp(0)
    ' No delimiter present: like Split, return the whole string as the only element
    If InStr(1, Expression, Delimiter, vbBinaryCompare) = 0 Then
        svTemp(0) = Expression
        SplitAlter = svTemp
        Exit Function
    End If

    lLastPos = 1
    lIncrement = 1
    Do
        If lUbound + 1 = Limit Then
            svTemp(lUbound) = Mid$(Expression, lLastPos)
            Exit Do
        End If
        lIncrement = InStr(lIncrement, Expression, Delimiter, vbBinaryCompare)
        If lIncrement = 0 Then
            ' Remainder after the last delimiter (empty if the string ends with it)
            svTemp(lUbound) = Mid$(Expression, lLastPos)
            Exit Do
        End If
        svTemp(lUbound) = Mid$(Expression, lLastPos, lIncrement - lLastPos)
        lUbound = lUbound + 1
        ReDim Preserve svTemp(lUbound)
        lLastPos = lIncrement + lDelimLen
        lIncrement = lLastPos
    Loop
    SplitAlter = svTemp
    Exit Function
QuitHere:
    ReDim SplitAlter(-1 To -1)
End Function
Programming / Visual Basic Programming / TheBug [SRC]

on: 16 September 2008, 21:08
Well, I was working on this project and I'd like to hear what you think of it; it's incomplete for my taste but fully functional. TheBug is an application that lets you monitor debug output on your local system. It is capable of displaying Win32 debug output generated by standard debug print APIs, so you don't need a debugger to catch the debug output your applications generate, and you don't need to modify your applications to use non-Windows debug functions in order to view its debug output. Download: http://www.uploadsourcecode.com.ar/d/HGGHHpVJsjtBbWOcgrobJcGiksO3Ghtb
Programming / Visual Basic Programming / Detect Debugger (SRC)

on: 1 September 2008, 21:17
Private Declare Function OutputDebugStringA Lib "kernel32" (ByVal lpString As String) As Long

Private Sub Form_Load()
    If IsDebuggerActive Then
        MsgBox "Debugger Present"
    End If
End Sub

' OutputDebugString is documented as returning nothing; this check relies on the
' value left in EAX after the call, which is not guaranteed across Windows versions.
Private Function IsDebuggerActive() As Boolean
    IsDebuggerActive = Not (OutputDebugStringA("=)") = 1)
End Function
Programming / Visual Basic Programming / Call API By Name Using vtable Patch

on: 1 September 2008, 00:54
Class module:

'---------------------------------------------------------------------------------------
' Module    : cCallAPIByName
' DateTime  : 31/08/2008 19:40
' Author    : Cobein
' Mail      : cobein27@hotmail.com
' WebPage   : http://www.advancevb.com.ar
' Purpose   : Call APIs by name
' Usage     : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' Credits   : Arne Elster, original callpointer function.
'
' History   : 31/08/2008 First Cut....................................................
'---------------------------------------------------------------------------------------
Option Explicit

Private Declare Sub CpyMem Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal dlen As Long)
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long

' Must stay the first public method of the class: its vtable slot (offset &H1C,
' right after IUnknown/IDispatch) is the one that gets patched below.
Public Function DoNotCall() As Long
    '
End Function

Public Function CallAPIByName(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
    Dim lPtr As Long
    Dim bvASM(&HEC00& - 1) As Byte
    Dim i As Long
    Dim lMod As Long
    Dim lVTE As Long
    Dim lRet As Long

    lMod = GetProcAddress(LoadLibraryA(sLib), sMod)
    If lMod = 0 Then Exit Function

    ' Build the call stub in the byte array
    lPtr = VarPtr(bvASM(0))
    CpyMem ByVal lPtr, &H59595958, &H4: lPtr = lPtr + 4
    CpyMem ByVal lPtr, &H5059, &H2: lPtr = lPtr + 2
    For i = UBound(Params) To 0 Step -1
        CpyMem ByVal lPtr, &H68, &H1: lPtr = lPtr + 1
        CpyMem ByVal lPtr, CLng(Params(i)), &H4: lPtr = lPtr + 4
    Next
    CpyMem ByVal lPtr, &HE8, &H1: lPtr = lPtr + 1
    CpyMem ByVal lPtr, lMod - lPtr - 4, &H4: lPtr = lPtr + 4
    CpyMem ByVal lPtr, &HC3, &H1

    ' Point the DoNotCall vtable entry at the stub, invoke it, then restore it
    CpyMem lVTE, ByVal ObjPtr(Me), &H4
    lVTE = lVTE + &H1C
    CpyMem lRet, ByVal lVTE, &H4
    CpyMem ByVal lVTE, VarPtr(bvASM(0)), &H4
    CallAPIByName = DoNotCall
    CpyMem ByVal lVTE, lRet, &H4
End Function

How to call it:

Option Explicit

Private Sub Form_Load()
    Dim c As New cCallAPIByName
    ' StrPtr gives the address of the Unicode characters, which is what MessageBoxW expects
    c.CallAPIByName "user32", "MessageBoxW", 0, StrPtr("Test"), StrPtr("Test"), 0
End Sub
Programming / Visual Basic Programming / Userland Rootkit test [Source]

on: 7 August 2008, 18:52
Well, here is something I was making to, as they say around here, "blow off some steam": it's a pseudo-rootkit that injects itself and hooks the MessageBoxW API. The example injects into notepad and "consumes" the message boxes, for instance the one shown when you try to replace a file; you can use Process Explorer to see the library in memory and DebugView to see the API calls. The example is very basic but works correctly; a compiled version is included for those who don't know how to build it.... not much more to say. Download: http://www.uploadsourcecode.com.ar/d/lNS2csLimZ1aQwIb5U6MryTxW0Wk6Ost