| |
 Mostrar Mensajes
|
|
Páginas: 1 2 3 4 [5]
|
|
41
|
Programación / Programación Visual Basic / [SRC] Sockets - VB6
|
en: 15 Julio 2010, 06:30 am
|
Socket:Option Explicit
Private Declare Function socket Lib "WSOCK32" (ByVal af As Long, ByVal s_type As Long, ByVal protocol As Long) As Long
Private Declare Function closesocket Lib "WSOCK32" (ByVal s As Long) As Long
Private Declare Function connect Lib "WSOCK32" (ByVal s As Long, addr As SOCKADDR, ByVal NameLen As Long) As Long
Private Declare Function send Lib "WSOCK32" (ByVal s As Long, Buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
Private Declare Function recv Lib "WSOCK32" (ByVal s As Long, Buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
Public Declare Function inet_addr Lib "WSOCK32" (ByVal cp As String) As Long
Private Declare Function WSAStartup Lib "WSOCK32" (ByVal wVR As Long, lpWSAD As Long) As Long
Private Declare Function WSACleanup Lib "WSOCK32" () As Long
Private Declare Function WSAAsyncSelect Lib "WSOCK32" (ByVal s As Long, ByVal hWnd As Long, ByVal wMsg As Long, ByVal lEvent As Long) As Long
Private Declare Function CreateWindowExA Lib "USER32" (ByVal dwExStyle As Long, ByVal lpClassName As String, ByVal lpWindowName As String, ByVal dwStyle As Long, ByVal x As Long, ByVal y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal hWndParent As Long, ByVal hMenu As Long, ByVal hInstance As Long, lpParam As Any) As Long
Private Declare Function RegisterClassExA Lib "USER32" (pcWndClassEx As WNDCLASSEX) As Integer
Private Declare Function DefWindowProcA Lib "USER32" (ByVal hWnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Type WNDCLASSEX
cbSize As Long
style As Long
lpfnWndProc As Long
cbClsExtra As Long
cbWndExtra As Long
hInstance As Long
hIcon As Long
hCursor As Long
hbrBackground As Long
lpszMenuName As String
lpszClassName As String
hIconSm As Long
End Type
Private Type SOCKADDR
sin_family As Integer
sin_port As Integer
sin_addr As Long
sin_zero As String * 8
End Type
Private Const AF_INET = 2
Private Const PF_INET = 2
Private Const FD_READ = &H1&
Private Const FD_WRITE = &H2&
Private Const FD_CONNECT = &H10&
Private Const FD_CLOSE = &H20&
Private Const SOCK_STREAM = 1
Private Const IPPROTO_TCP = 6
Private Const WINSOCK_MESSAGE = 1025
Private wHwnd As Long
Public Function htons(ByVal lPort As Long) As Integer
htons = ((((lPort And &HFF000000) \ &H1000000) And &HFF&) Or ((lPort And &HFF0000) \ &H100&) Or ((lPort And &HFF00&) * &H100&) Or ((lPort And &H7F&) * &H1000000) Or (IIf((lPort And &H80&), &H80000000, &H0)) And &HFFFF0000) \ &H10000
End Function
'--------
Public Function ProcessMessage(ByVal hWnd As Long, ByVal lMessage As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
If lMessage = WINSOCK_MESSAGE Then
Dim bBuffer(1 To 1024) As Byte
Select Case lParam
Case FD_CONNECT: Call WsSendData(wParam, StrConv("AAAAAAAAAA", vbFromUnicode))
Case FD_WRITE:
Case FD_READ:
Call recv(wParam, bBuffer(1), 1024, 0)
MsgBox StrConv(bBuffer, vbUnicode)
Case FD_CLOSE: 'Jmp connect Routine
End Select
Exit Function
End If
ProcessMessage = DefWindowProcA(hWnd, lMessage, wParam, lParam)
End Function
'--------
Public Function WsInitialize(ByVal MyWndProc As Long, ByVal szSocketName As String) As Boolean
Dim WNDC As WNDCLASSEX
If wHwnd = 0 Then
WNDC.cbSize = LenB(WNDC)
WNDC.lpfnWndProc = MyWndProc
WNDC.hInstance = App.hInstance
WNDC.lpszClassName = szSocketName
Call RegisterClassExA(WNDC) '0: Exit Function
wHwnd = CreateWindowExA(0&, szSocketName, "", 0&, 0&, 0&, 0&, 0&, 0&, 0&, App.hInstance, 0&) '0: Call UnregisterClass(szSocketName, App.hInstance)
End If
Call WSAStartup(&H101, 0&)
Initialize = True
End Function
Public Sub WsTerminate()
Call WSACleanup
End Sub
Public Function WsConnect(lRemoteHost As String, lPort As Long) As Long
Dim SockData As SOCKADDR
Dim hSocket As Long
Dim lWsMsg As Long
SockData.sin_family = AF_INET
SockData.sin_port = htons(lPort) 'If sockdata.sin_port = INVALID_SOCKET Then Exit Function
SockData.sin_addr = inet_addr(lRemoteHost) 'If sockdata.sin_addr = INADDR_NONE Then Exit Function
hSocket = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) 'If hSocket < 0 Then Exit Function
Call connect(hSocket, SockData, 16) ' If hSocket Then WsClose Exit Function
If WSAAsyncSelect(hSocket, wHwnd, ByVal WINSOCK_MESSAGE, ByVal FD_READ Or FD_WRITE Or FD_CONNECT Or FD_CLOSE) Then
lWsMsg = FD_CLOSE
Else
lWsMsg = FD_CONNECT
End If
Call ProcessMessage(0, WINSOCK_MESSAGE, hSocket, FD_CONNECT): WsConnect = hSocket
End Function
Public Function WsSendData(ByVal SocketIndex As Long, bMessage() As Byte) As Long
If UBound(bMessage) > -1 Then
WsSendData = send(SocketIndex, bMessage(0), (UBound(bMessage) - LBound(bMessage) + 1), 0)
End If
End Function Private Sub Main()
If WsInitialize(AddressOf ProcessMessage, "Server") Then
If WsConnect("127.0.0.1", 7777) Then
Do
DoEvents
Loop
End If
End If
End Sub No tiene mucha ciencia, es algo tiny de lo que se usa normalmente OCX, SocketPlus, SocketMaster, etc... Sirve para enviar/recibir data solamente, perfecto para servidores de rats y demas apps... La funcion ProcessMessage es la cual procesa los mensajes, y deberan modificarla segun su APP.  Estoy seguro que se puede limpiar mas aún, eliminando la ***** de crear una Clase y una Ventana, pero no se me ocurre su remplaz mas prolijo La funcion htons es de Karcrack.Ah Karcrack, estoy seguro que podrias hacer un remplazo para inet_addr@WSOCK32.DLL, yo intente, pero no entendi la logica de lo que hace esa hermosa API  Espero que les sea util el codigo, Saludos, y Felicidades por la Copa a la gente de España  desde Uruguay 
|
|
|
|
|
42
|
Seguridad Informática / Análisis y Diseño de Malware / Re: [SRC] Twitter Stealer
|
en: 15 Julio 2010, 06:09 am
|
jaja si se puede mejorar mucho la parte de plugins, si hago v2 de esto  incluire el sistema de plugins del rat que creo que nunca terminare x falta de ganas Lo de las DLL en VB6 no me gusta mucho por el momento, por el simple echo de la forma que son ejecutadas luego de ser inyectadas... Amaría ver un Code en VB6 que llame al DllSubMain de una libreria mediante un CallWindowProcW Remoto ... Pero no lo logre hacer y no veo SRC en la net como llamar un API en un proceso remoto pasandole 2 o + parametros usando CreateRemoteThread... Encontre lo mismo en c/c++ pero soy tan noobie que no logro VB6izarlo   http://www.rohitab.com/discuss/index.php?showtopic=31453Estaria muy bueno que alguien lograra escribirlo en VB6 y que lo comparta Salu2 |
|
|
|
|
43
|
Seguridad Informática / Análisis y Diseño de Malware / [SRC] Twitter Stealer
|
en: 13 Julio 2010, 19:26 pm
|
Buenas! Hice esto hace mucho y lo deje por ahi, como no sirve para nada guardado en mi HD, lo publico, quizas le dé mejor utilidad alguno de ustedes =).   Como podran ver es a base de plugins, no hice ningun funcional, pero está el plugin de ejemplo, asi ven la forma en que hay q entregar los datos para que el cliente ordene todo correctamente =) El codigo es bastante simple de entender, espero que les sirva de algo y bueno nada mas que decir, Salu2!  http://www.box.net/shared/o2cod7gqjf |
|
|
|
|
45
|
Programación / Programación Visual Basic / Problema pasando parametros a llamada remota :P
|
en: 9 Junio 2010, 05:47 am
|
Hola gente del mundo  Probablemente muchos no me conozcan ya que soy el indito uruguayo Se que no participo en el foro, y no deberia estar pidiendo ayuda, pero estoy trabajando en algo y el señor Karcrack quien me daba una mano cuando tenia problemillas siempre aparecia con la solucion pero anda muy ocupado , asi que vengo a pedirles ayuda con este pequeño code que hice a partir de un sc de inyeccion de una libreria en un proceso remoto en C. El cual intenta llamar un api remota, lo cual funciona, pero el problema esta al pasarle los parametros, ojeando los CallApiByName que andan por la net, trate de hacerlo pero FAIL FAIL juaz Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const PROCESS_ALL_ACCESS = &H1F0FFF
Private Const MEM_COMMIT = &H1000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H4
Private Const INFINITE = &HFFFFFFFF
Public Function ExecuteDll(lPid As Long) As Boolean
Dim hVictim As Long
Dim hInject As Long
Dim lParamAddress As Long
Dim lStartAddress As Long
Dim bB() As Byte
Dim sTmp As String
hVictim = OpenProcess(PROCESS_ALL_ACCESS, 0, lPid): If hVictim = 0 Then Exit Function
If hVictim = 0 Then: GoTo Error
'===
sTmp = "68" & GetLng(0) & _
"68" & GetLng(StrPtr("HOLA")) & _
"68" & GetLng(StrPtr("HOLA")) & _
"68" & GetLng(0) & "68"
Call PutThunk(sTmp, bB)
'===
lStartAddress = GetProcAddress(GetModuleHandle("USER32"), "MessageBoxA"): If lStartAddress = 0 Then GoTo Error
lParamAddress = VirtualAllocEx(hVictim, 0&, UBound(bB) + 1, MEM_COMMIT, PAGE_READWRITE): If lParamAddress = 0 Then GoTo Error
Call WriteProcessMemory(hVictim, lParamAddress, ByVal VarPtr(bB(0)), UBound(bB) + 1, ByVal 0&)
'===
hInject = CreateRemoteThread(hVictim, ByVal 0&, 0&, ByVal lStartAddress, lParamAddress, 0, ByVal 0&)
If hInject = 0 Then: GoTo Error
'===
Call WaitForSingleObject(hInject, INFINITE)
Call CloseHandle(hVictim)
Call CloseHandle(hInject)
ExecuteDll = True
Exit Function
Error:
Call CloseHandle(hInject)
Call CloseHandle(hVictim)
ExecuteDll = False
End Function
Private Function GetLng(ByVal lLng As Long) As String
Dim lTMP As Long
lTMP = (((lLng And &HFF000000) &H1000000) And &HFF&) Or ((lLng And &HFF0000) &H100&) Or ((lLng And &HFF00&) * &H100&) Or ((lLng And &H7F&) * &H1000000) ' by Mike D Sutton
If (lLng And &H80&) Then lTMP = lTMP Or &H80000000
GetLng = String$(8 - Len(Hex$(lTMP)), "0") & Hex$(lTMP)
End Function
Private Sub PutThunk(ByVal sThunk As String, ByRef bvRet() As Byte)
Dim i As Long
ReDim bvRet(0)
For i = 0 To Len(sThunk) - 1 Step 2
bvRet(i / 2) = CByte("&H" & Mid$(sThunk, i + 1, 2))
ReDim Preserve bvRet(UBound(bvRet) + 1)
Next i
ReDim Preserve bvRet(UBound(bvRet) - 1)
End Sub
Sub Main()
ExecuteDll 7756, 0
End Sub Espero que alguno tenga un tiempito en corregir la parte de los paramentros en el sc, ya que pienso pero no puedo solucionarlo, y estoy trabajando en algo muy interesante y me gustaria poder concretarlo, y para eso necesito esto working   Gracias y saludos desde el pequeño uruguay a todos los coderz que andan por ahi |
|
|
|
|
46
|
Programación / Programación Visual Basic / Re: Generic Sever Editor Class [SRC]
|
en: 13 Julio 2009, 17:28 pm
|
Entonces es como digo, el propertybag no tiene nada que ver con AV, el tema es que el stub y el metodo de encripcion no son FUD.
El problema no es del metodo de encriptacion ni del stub, al menos con avira. Estuve haciendo un par de pruebas, y avira detecta si o si un archivo, si este tiene eof en gran cantidad. Al hacerlo con textos "cortos" (ej: "aaaaaaaaaaaaaa") no hay problema, pero si lo hay cuando se agregan textos "largos" (ej: string(20000, "b")) Lo mismo sucede con el "metodo" recursos: Option Explicit
Private Declare Function BeginUpdateResource Lib "kernel32" Alias "BeginUpdateResourceA" (ByVal pFileName As String, ByVal bDeleteExistingResources As Long) As Long
Private Declare Function UpdateResource Lib "kernel32" Alias "UpdateResourceA" (ByVal hUpdate As Long, ByVal lpType As String, ByVal lpName As Long, ByVal wLanguage As Long, lpData As Any, ByVal cbData As Long) As Long
Private Declare Function EndUpdateResource Lib "kernel32" Alias "EndUpdateResourceA" (ByVal hUpdate As Long, ByVal fDiscard As Long) As Long
Private Function AgregarRecurso(Ruta As String, Datos As String)
Dim hRes As Long, i As Integer
Dim myStr() As Byte, b() As Byte
myStr = StrConv(Datos, vbFromUnicode)
hRes = BeginUpdateResource(Ruta, False)
UpdateResource hRes, "CUSTOM", 101, 0, myStr(0), Len(Datos)
EndUpdateResource hRes, False
End Function
Prueben: Call AgregarRecurso("c:\ss.exe", string(20000, "b")) y veran que tambien es detectado como Dropper. ============= Exluyendo ese problemita, es exelente aporte , al menos a mi me sirve bastante para no tener que estar utilizando el metodo "Append" que te hace escribir de mas, a diferencia de este que es muy comodo. pd: Perdon x revivir el tema Saludos |
|
|
|
|
|
| |
|
