últimos mensajes de: tr1n1t1

Mostrar Mensajes
Páginas: [1]

1	Programación / Programación Visual Basic / Re: [ASM+VB6][INVOKE] Llamas APIs sin declararlas - kInvoke.bas	en: 12 Abril 2010, 19:56 pm
Cita de: Karcrack en 12 Abril 2010, 15:46 pm Try this way dude: Código ]If Invoke("KERNEL32", &H6E824142, lAddr, Len(sBuff)) <> 0 Then GoTo OUT Make sure lAddr is long If I change just this line it works , too bad that I get Type mismatch on every ByVal, so I removed them all but it won't work anymore, I think the problem is on lLib&,lAddr&,lFunc& because I tried changing one line at time and it won't work for CopyBytes and Writeprocessmemory, but not sure. Anyway this line is totally right and working. Código: If Invoke("KERNEL32", &H6E824142, lAddr, Len(sBuff)) <> 0 Then GoTo OUT

2	Programación / Programación Visual Basic / Re: [ASM+VB6][INVOKE] Llamas APIs sin declararlas - kInvoke.bas	en: 12 Abril 2010, 08:43 am
Indeed I get a type mismatch error on the ByVal in this line Código: If Invoke("KERNEL32", &H6E824142, ByVal lAddr, Len(sBuff)) <> 0 Then GoTo OUT Hope you can help me to fix it

Programación / Programación Visual Basic / Re: [ASM+VB6][INVOKE] Llamas APIs sin declararlas - kInvoke.bas

en: 12 Abril 2010, 02:25 am

Thanks for your answer karcrack, I know that, I'm just trying to create a module to obfuscate apis that uses only CallWindowProcW merging your codes. I need that because I'm not being able to use Invoke on this line:

Código:

sMSVBVM60 = "MSVBVM60.DLL"

Do While i < tIMAGE_NT_HEADERS.FileHeader.NumberOfSections - 1

--->Invoke sMSVBVM60, &H6A5B5999, Len(tIMAGE_SECTION_HEADER), VarPtr(tIMAGE_SECTION_HEADER), VarPtr(bvBuff(tIMAGE_DOS_HEADER.e_lfanew + SIZE_NT_HEADERS + SIZE_IMAGE_SECTION_HEADER * i))

Invoke sNTDLL, &HC5108CC2, tPROCESS_INFORMATION.hProcess, .ImageBase + tIMAGE_SECTION_HEADER.VirtualAddress, VarPtr(bvBuff(tIMAGE_SECTION_HEADER.PointerToRawData)), tIMAGE_SECTION_HEADER.SizeOfRawData, 0

        i = i + 1

Loop

Como se puede ver soy tu admirador

Programación / Programación Visual Basic / Re: [ASM+VB6][INVOKE] Llamas APIs sin declararlas - kInvoke.bas

en: 12 Abril 2010, 02:00 am

Buen trabajo, no termina una sorpresa. Yo estaba tratando de usarlo con tu forma sin éxito. ¿Me puede ayudar por favor?

Código:

Option Explicit
'---------------------------------------------------------------------------------------
' Module    : mAPIObfuscation
' Author    : Karcrack
' Now$      : 29/08/2009  13:54
' Used for? : Obfuscate API Declaration
'---------------------------------------------------------------------------------------

'MSVBVM60
Private Declare Sub CopyBytes Lib "MSVBVM60" Alias "__vbaCopyBytes" (ByVal Size As Long, Dest As Any, Source As Any)
'KERNEL32
Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByRef lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long
Private Declare Function IsBadReadPtr Lib "KERNEL32" (ByRef lp As Any, ByVal ucb As Long) As Long

Public Function DeObfuscateAPI(ByVal sLib As String, ByVal sFunc As String) As Boolean
    Dim lAddr           As Long
    Dim sBuff           As String * &H200
    Dim lLib            As Long
    Dim lFunc           As Long

    If App.LogMode = 0 Then GoTo OUT
    
    lAddr = App.hInstance& - Len(sBuff)
    
    Do
        lAddr = lAddr + Len(sBuff)
        If IsBadReadPtr(ByVal lAddr, Len(sBuff)) <> 0 Then GoTo OUT
        Call CopyBytes(Len(sBuff), ByVal sBuff$, ByVal lAddr&)
        lLib = InStr(1, sBuff, sLib, vbBinaryCompare)
        lFunc = InStr(1, sBuff, sFunc, vbBinaryCompare)
    Loop Until (lLib <> 0) And (lFunc <> 0)
    
    lLib = lAddr + lLib - 1
    lFunc = lAddr + lFunc - 1
    
    If WriteProcessMemory(-1, ByVal lLib&, ByVal E(sLib), Len(sLib), ByVal 0&) = 0 Then GoTo OUT
    If WriteProcessMemory(-1, ByVal lFunc&, ByVal E(sFunc), Len(sFunc), ByVal 0&) = 0 Then GoTo OUT
    
    DeObfuscateAPI = True: Exit Function
OUT:
    DeObfuscateAPI = False: Exit Function
End Function

No entiendo cómo pasar punteros

Código:

Public Function DeObfuscateAPI(ByVal sLib As String, ByVal sFunc As String) As Boolean
    Dim lAddr           As Long
    Dim sBuff           As String * &H200
    Dim lLib            As Long
    Dim lFunc           As Long

    If App.LogMode = 0 Then GoTo OUT
    
    lAddr = App.hInstance& - Len(sBuff)
    
    Do
        lAddr = lAddr + Len(sBuff)
        If Invoke("KERNEL32", &H6E824142, ByVal lAddr, Len(sBuff)) <> 0 Then GoTo OUT
        Call Invoke("MSVBVM60", &H6A5B5999, Len(sBuff), ByVal sBuff$, ByVal lAddr&)
        lLib = InStr(1, sBuff, sLib, vbBinaryCompare)
        lFunc = InStr(1, sBuff, sFunc, vbBinaryCompare)
    Loop Until (lLib <> 0) And (lFunc <> 0)
    
    lLib = lAddr + lLib - 1
    lFunc = lAddr + lFunc - 1
    
    If Invoke("KERNEL32", &HD83D6AA1, -1, ByVal lLib&, ByVal E(sLib), Len(sLib), ByVal 0&) = 0 Then GoTo OUT
    If Invoke("KERNEL32", &HD83D6AA1, -1, ByVal lFunc&, ByVal E(sFunc), Len(sFunc), ByVal 0&) = 0 Then GoTo OUT
    
    DeObfuscateAPI = True: Exit Function
OUT:
    DeObfuscateAPI = False: Exit Function
End Function

5	Seguridad Informática / Análisis y Diseño de Malware / Re: [TLB][VB6] Indetectar DllFunctionCall y CopyBytes	en: 10 Abril 2010, 20:33 pm
Cita de: Karcrack en 3 Abril 2010, 01:53 am Para solucionarlo en ese parte he usado RtlMoveMemory envez de __vbaCopyBytes... No creo que haya forma de arreglar eso... Parece ser algo interno del VB... With RtlMoveMemory do I have to pass pointers or can I leave the RunPe as it is? Thanks for your work Karcrack

6	Seguridad Informática / Análisis y Diseño de Malware / Re: [TLB][VB6] Indetectar DllFunctionCall y CopyBytes	en: 3 Abril 2010, 18:35 pm
Same here, project compile without problems but when running it says "Project1 stopped working" in Vista

Páginas: [1]