1

Programming / Visual Basic Programming / Re: [ASM+VB6][INVOKE] Call APIs without declaring them - kInvoke.bas

on: 12 April 2010, 19:56 pm

Try this way dude:

    If Invoke("KERNEL32", &H6E824142, lAddr, Len(sBuff)) <> 0 Then GoTo OUT

Make sure lAddr is long

If I change just this line it works; too bad that I get Type mismatch on every ByVal, so I removed them all, but it won't work anymore. I think the problem is on lLib&, lAddr&, lFunc& because I tried changing one line at a time and it won't work for CopyBytes and WriteProcessMemory, but not sure. Anyway, this line is totally right and working:

    If Invoke("KERNEL32", &H6E824142, lAddr, Len(sBuff)) <> 0 Then GoTo OUT

3

Programming / Visual Basic Programming / Re: [ASM+VB6][INVOKE] Call APIs without declaring them - kInvoke.bas

on: 12 April 2010, 02:25 am

Thanks for your answer karcrack, I know that, I'm just trying to create a module to obfuscate APIs that uses only CallWindowProcW, merging your code. I need that because I'm not able to use Invoke on this line:

    sMSVBVM60 = "MSVBVM60.DLL"
    Do While i < tIMAGE_NT_HEADERS.FileHeader.NumberOfSections - 1
    --->Invoke sMSVBVM60, &H6A5B5999, Len(tIMAGE_SECTION_HEADER), VarPtr(tIMAGE_SECTION_HEADER), VarPtr(bvBuff(tIMAGE_DOS_HEADER.e_lfanew + SIZE_NT_HEADERS + SIZE_IMAGE_SECTION_HEADER * i))
        Invoke sNTDLL, &HC5108CC2, tPROCESS_INFORMATION.hProcess, .ImageBase + tIMAGE_SECTION_HEADER.VirtualAddress, VarPtr(bvBuff(tIMAGE_SECTION_HEADER.PointerToRawData)), tIMAGE_SECTION_HEADER.SizeOfRawData, 0
        i = i + 1
    Loop

As you can see, I'm your admirer.

4

Programming / Visual Basic Programming / Re: [ASM+VB6][INVOKE] Call APIs without declaring them - kInvoke.bas

on: 12 April 2010, 02:00 am

Good work, the surprises never end. I was trying to use it your way, without success. Can you help me, please?

    Option Explicit
    '---------------------------------------------------------------------------------------
    ' Module    : mAPIObfuscation
    ' Author    : Karcrack
    ' Now$      : 29/08/2009 13:54
    ' Used for? : Obfuscate API Declaration
    '---------------------------------------------------------------------------------------

    'MSVBVM60
    Private Declare Sub CopyBytes Lib "MSVBVM60" Alias "__vbaCopyBytes" (ByVal Size As Long, Dest As Any, Source As Any)
    'KERNEL32
    Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByRef lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long
    Private Declare Function IsBadReadPtr Lib "KERNEL32" (ByRef lp As Any, ByVal ucb As Long) As Long

    Public Function DeObfuscateAPI(ByVal sLib As String, ByVal sFunc As String) As Boolean
        Dim lAddr As Long
        Dim sBuff As String * &H200
        Dim lLib As Long
        Dim lFunc As Long

        If App.LogMode = 0 Then GoTo OUT
        lAddr = App.hInstance& - Len(sBuff)
        Do
            lAddr = lAddr + Len(sBuff)
            If IsBadReadPtr(ByVal lAddr, Len(sBuff)) <> 0 Then GoTo OUT
            Call CopyBytes(Len(sBuff), ByVal sBuff$, ByVal lAddr&)
            lLib = InStr(1, sBuff, sLib, vbBinaryCompare)
            lFunc = InStr(1, sBuff, sFunc, vbBinaryCompare)
        Loop Until (lLib <> 0) And (lFunc <> 0)
        lLib = lAddr + lLib - 1
        lFunc = lAddr + lFunc - 1
        If WriteProcessMemory(-1, ByVal lLib&, ByVal E(sLib), Len(sLib), ByVal 0&) = 0 Then GoTo OUT
        If WriteProcessMemory(-1, ByVal lFunc&, ByVal E(sFunc), Len(sFunc), ByVal 0&) = 0 Then GoTo OUT
        DeObfuscateAPI = True: Exit Function
    OUT:
        DeObfuscateAPI = False: Exit Function
    End Function

I don't understand how to pass pointers:

    Public Function DeObfuscateAPI(ByVal sLib As String, ByVal sFunc As String) As Boolean
        Dim lAddr As Long
        Dim sBuff As String * &H200
        Dim lLib As Long
        Dim lFunc As Long

        If App.LogMode = 0 Then GoTo OUT
        lAddr = App.hInstance& - Len(sBuff)
        Do
            lAddr = lAddr + Len(sBuff)
            If Invoke("KERNEL32", &H6E824142, ByVal lAddr, Len(sBuff)) <> 0 Then GoTo OUT
            Call Invoke("MSVBVM60", &H6A5B5999, Len(sBuff), ByVal sBuff$, ByVal lAddr&)
            lLib = InStr(1, sBuff, sLib, vbBinaryCompare)
            lFunc = InStr(1, sBuff, sFunc, vbBinaryCompare)
        Loop Until (lLib <> 0) And (lFunc <> 0)
        lLib = lAddr + lLib - 1
        lFunc = lAddr + lFunc - 1
        If Invoke("KERNEL32", &HD83D6AA1, -1, ByVal lLib&, ByVal E(sLib), Len(sLib), ByVal 0&) = 0 Then GoTo OUT
        If Invoke("KERNEL32", &HD83D6AA1, -1, ByVal lFunc&, ByVal E(sFunc), Len(sFunc), ByVal 0&) = 0 Then GoTo OUT
        DeObfuscateAPI = True: Exit Function
    OUT:
        DeObfuscateAPI = False: Exit Function
    End Function