Topic: FindnextFile and Hide file  (Read 3,216 times)
ntaryl

FindnextFile and Hide file
« on: 2 March 2009, 18:05 pm »

Good afternoon
I am trying to hook FindNextFileW to hide a file from Explorer.
The hook is installed successfully.
I tried to build the callback but had no luck with it.
Is there someone who can give me some help to find the way?
Thanks for the time
Code:

Public Function NowFindnextfile_call(ByVal hFindFile As Long, pFindFileData As WIN32_FIND_DATA) As Long
    If (pFindFileData.cFileName) = "TEST.EXE" Then
        NowFindnextfile_call = -1
    End If
End Function
In my screenshot I hook the W and the A versions as well
http://img168.imageshack.us/img168/2921/screen0wa.jpg


P.S. Can someone point me to how to solve this?
Thanks guys

Dessa


Re: FindnextFile and Hide file
« Reply #1 on: 4 March 2009, 00:06 am »

Good afternoon, my foot... Spanish, please



Adrian Desanti
cobein


Re: FindnextFile and Hide file
« Reply #2 on: 4 March 2009, 00:22 am »

mmm he's Greek, so I doubt he can speak Spanish

http://www.advancevb.com.ar
More Argentine than a morcipan
Long live Uvita red wine, Tigre, Ford and seba123neo
Karcrack is a boss.
Dessa


Re: FindnextFile and Hide file
« Reply #3 on: 4 March 2009, 00:26 am »

He should ask "Zorba"  :D

seba123neo
Moderator
Re: FindnextFile and Hide file
« Reply #4 on: 4 March 2009, 01:42 am »

He should ask "Zorba"  :D

haha, brilliant...

el_c0c0


Re: FindnextFile and Hide file
« Reply #5 on: 4 March 2009, 03:05 am »

Can you post the code?

Anyway, is that function called from anywhere?
Check that with OutputDebugString!

bye

'-     coco
"I'm going to wreck your ass" - Hemorrhoids
ntaryl

Re: FindnextFile and Hide file
« Reply #6 on: 4 March 2009, 15:32 pm »

Thanks for the replies

This is the code from my module
Code:
Option Explicit
Private Declare Function FindFirstFile Lib "kernel32" Alias "FindFirstFileA" _
    (ByVal lpFileName As String, lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function FindNextFile Lib "kernel32" Alias "FindNextFileW" (ByVal hFindFile As Long, lpFindFileData As WIN32_FIND_DATA) As Long
'Private Declare Function FindNextFile Lib "kernel32" Alias "FindNextFileW" (ByVal hFindFile As Long, lpFindFileData As WIN32_FIND_DATA) As Long
' The FindClose Win32 API function, which closes the search handle created by the FindFirstFile function
Private Declare Function FindClose Lib "kernel32" (ByVal hFindFile As Long) As Long

' The INVALID_HANDLE_VALUE is return value, which indicates that the FindFirstFile function failed
Private Const INVALID_HANDLE_VALUE As Long = -1

' File name is limited to MAX_PATH characters
Private Const MAX_PATH As Integer = 260

' The FILETIME structure is a 64-bit value representing date and time of file
Private Type FILETIME
    dwLowDateTime As Long
    dwHighDateTime As Long
End Type

' The WIN32_FIND_DATA structure that we need to receive the FindFirstFile and the FindNextFile functions output
Private Type WIN32_FIND_DATA
    dwFileAttributes As Long
    ftCreationTime As FILETIME
    ftLastAccessTime As FILETIME
    ftLastWriteTime As FILETIME
    nFileSizeHigh As Long
    nFileSizeLow As Long
    dwReserved0 As Long
    dwReserved1 As Long
    cFileName As String * MAX_PATH
    cAlternateFileName As String * 14
End Type

' The SYSTEMTIME structure represents a date and time
Private Type SYSTEMTIME
    wYear As Integer
    wMonth As Integer
    wDayOfWeek As Integer
    wDay As Integer
    wHour As Integer
    wMinute As Integer
    wSecond As Integer
    wMilliseconds As Integer
End Type

Private Const sbuff As String = "TEST.EXE"


Public Function Findnextfile_call(ByVal hFindFile As Long, pFindFileData As WIN32_FIND_DATA) As Long
    Dim wfd As WIN32_FIND_DATA

    If (wfd.cFileName) = "TEST.EXE" Then
        Findnextfile_call = -1
    End If
End Function

and I call my hook like this
Code:
Set Hookapis = New clsHookInfo
Process = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId)

Hookapis.HookApi "kernel32", "FindNextFileA", GetFunAddr(AddressOf Findnextfile_call), Process

el_c0c0


Re: FindnextFile and Hide file
« Reply #7 on: 4 March 2009, 17:17 pm »

Check 2 things: in Findnextfile_call, make an OutputDebugString call with wfd.dwFileAttributes.

If it works, then the pointer to WIN32_FIND_DATA isn't working well with the strings, so you need to copy 4 bytes to know the real pointer of the string.

bye

ntaryl

Re: FindnextFile and Hide file
« Reply #8 on: 5 March 2009, 18:33 pm »

Good evening
I did the same yesterday night
this night is so long
when I inject the DLL
the hook loads and calls the callback.
My callback is empty
nothing inside
Code:

Public Function Findnextfile_call(ByVal hFindFile As Long, pFindFileData As WIN32_FIND_DATA) As Long
    OutputDebugString "Debug string -Iam in callback"

End Function
Please, can you be more specific?
Thanks for the reply


ntaryl

Re: FindnextFile and Hide file
« Reply #9 on: 6 March 2009, 19:33 pm »

Hi again
Yesterday I played with this project again
I removed all data from my callback again and rewrote it like this
CODE:
Public Function HookFindFirstfile(ByVal hFindFile As Long, ByRef ipFindFileData As WIN32_FIND_DATA) As Long
OutputDebugString "load callback   First file" & "...." & ipFindFileData.dwFileAttributes & "......" & "checdk this attributes ascoll"
End Function
CODE
It compiled successfully and I injected it into Explorer
My report from the debugger is:
http://img246.imageshack.us/img246/56/debug.jpg
I think my problem is still in WIN32_FIND_DATA
Thanks for the time
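
Added example, not part of the thread and not any participant's code: a defender-side check that flags a redirected export such as FindNextFileW by comparing its first bytes on disk with the bytes found in process memory. It assumes a 32-bit inline patch (the thread does not say how clsHookInfo installs its hook); every address and byte string below is a constructed sample.

```python
import struct

# Constructed sample values (assumptions, not taken from the thread).
CLEAN = bytes.fromhex("8bff558bec")          # mov edi,edi / push ebp / mov ebp,esp
MOD_BASE, MOD_SIZE = 0x7C800000, 0x000F6000  # hypothetical module address range
EXPORT_ADDR = 0x7C80EF6A                     # hypothetical address of the export
HOOK_ADDR = 0x10001000                       # hypothetical address in an injected DLL
# In-memory bytes after an assumed inline patch: jmp rel32 to HOOK_ADDR.
PATCHED = b"\xe9" + struct.pack("<i", HOOK_ADDR - (EXPORT_ADDR + 5))


def jump_target(code, addr):
    """Return the destination if code begins with a redirecting sequence, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:                      # jmp rel8
        return (addr + 2 + struct.unpack_from("<b", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32 / ret
        return struct.unpack_from("<I", code, 1)[0]
    return None


def check_export(name, addr, disk, memory, mod_base, mod_size):
    """Compare on-disk and in-memory prologue bytes of one 32-bit export."""
    finding = {"export": name, "modified": disk != memory,
               "target": None, "leaves_module": False}
    if finding["modified"]:
        target = jump_target(memory, addr)
        finding["target"] = target
        if target is not None:
            # A jump that lands outside the owning module deserves a closer look.
            finding["leaves_module"] = not (mod_base <= target < mod_base + mod_size)
    return finding


if __name__ == "__main__":
    print(check_export("FindNextFileW", EXPORT_ADDR, CLEAN, PATCHED,
                       MOD_BASE, MOD_SIZE))
```

A modified prologue alone is not proof of tampering, since some security products and compatibility shims patch the same functions; the jump target's owning module is what to investigate next.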