Topic: [HELP] Invoke by Hash (Read 10,607 times)

Swellow
Hello friends! I'm trying to use CallAPIByHash by Karcrack but I can't get it working... Can anyone tell me what's wrong in my code? I've used Karcrack's Hash Generator to generate the hashes.

Code:
```vb
Public Function GetResDataBytes(ByVal ResType As Long, ByVal ResName As Long) As Byte()
    Dim hRsrc As Long
    Dim hGlobal As Long
    Dim lpData As Long
    Dim Size As Long
    Dim hMod As Long
    Dim B() As Byte

    hMod = App.hInstance

    'FindResourceW,&H3BD09A6B
    hRsrc = Invoke("KERNEL32", &H3BD09A6B, hMod, ResName, ResType)
    If hRsrc <> 0 Then
        'LoadResource,&H934E1F7B
        hGlobal = Invoke("KERNEL32", &H934E1F7B, hMod, hRsrc)
        'LockResource,&H9A4E2F7B
        lpData = Invoke("KERNEL32", &H9A4E2F7B, hGlobal)
        'SizeofResource,&H3F2A9609
        Size = Invoke("KERNEL32", &H3F2A9609, hMod, hRsrc)
        If Size > 0 Then
            ReDim B(0 To Size - 1) As Byte    'exactly Size bytes (the original allocated Size + 1)
            'RtlMoveMemory,&HCF14E85B  (the call this thread later identifies as the one that fails)
            Invoke "KERNEL32", &HCF14E85B, VarPtr(B(0)), lpData, Size
            'FreeResource,&H54423F7C
            Invoke "KERNEL32", &H54423F7C, hGlobal
            GetResDataBytes = B()
        End If
        'The original also called FreeLibrary on hMod here. App.hInstance was not obtained
        'with LoadLibrary and must not be freed, so that call is dropped.
    End If
End Function
```

CallAPIByHash Code:
```vb
Option Explicit

Private Type DWORD_L
    D1 As Long
End Type

Private Type DWORD_B
    B1 As Byte: B2 As Byte: B3 As Byte: B4 As Byte
End Type

Public Declare Function CWPW Lib "user32" Alias "CallWindowProcW" (ByVal Address As Any, Optional ByVal Param1 As Long, Optional ByVal Param2 As Long, Optional ByVal Param3 As Long, Optional ByVal Param4 As Long) As Long

Private bInitialized_Inv As Boolean
Private ASM_gAPIPTR(0 To 170) As Byte   'x86 code: find kernel32, LoadLibraryW(sDLL), resolve hHash in it
Private ASM_cCODE(0 To 255) As Byte     'x86 code: push the parameters, call the API, return

Public Function Invoke(ByVal sDLL As String, ByVal hHash As Long, ParamArray vParams() As Variant) As Long
    Dim vItem As Variant
    Dim bsTmp As DWORD_B
    Dim lAPI As Long
    Dim i As Long
    Dim w As Long

    If Not bInitialized_Inv Then
        For Each vItem In Array( _
            &HE8, &H22, &H0, &H0, &H0, &H68, &HA4, &H4E, &HE, &HEC, &H50, &HE8, &H43, &H0, &H0, &H0, _
            &H83, &HC4, &H8, &HFF, &H74, &H24, &H4, &HFF, &HD0, &HFF, &H74, &H24, &H8, &H50, &HE8, &H30, _
            &H0, &H0, &H0, &H83, &HC4, &H8, &HC3, &H56, &H55, &H31, &HC0, &H64, &H8B, &H70, &H30, &H8B, _
            &H76, &HC, &H8B, &H76, &H1C, &H8B, &H6E, &H8, &H8B, &H7E, &H20, &H8B, &H36, &H38, &H47, &H18, _
            &H75, &HF3, &H80, &H3F, &H6B, &H74, &H7, &H80, &H3F, &H4B, &H74, &H2, &HEB, &HE7, &H89, &HE8, _
            &H5D, &H5E, &HC3, &H55, &H52, &H51, &H53, &H56, &H57, &H8B, &H6C, &H24, &H1C, &H85, &HED, &H74, _
            &H43, &H8B, &H45, &H3C, &H8B, &H54, &H5, &H78, &H1, &HEA, &H8B, &H4A, &H18, &H8B, &H5A, &H20, _
            &H1, &HEB, &HE3, &H30, &H49, &H8B, &H34, &H8B, &H1, &HEE, &H31, &HFF, &H31, &HC0, &HFC, &HAC, _
            &H84, &HC0, &H74, &H7, &HC1, &HCF, &HD, &H1, &HC7, &HEB, &HF4, &H3B, &H7C, &H24, &H20, &H75, _
            &HE1, &H8B, &H5A, &H24, &H1, &HEB, &H66, &H8B, &HC, &H4B, &H8B, &H5A, &H1C, &H1, &HEB, &H8B, _
            &H4, &H8B, &H1, &HE8, &H5F, &H5E, &H5B, &H59, &H5A, &H5D, &HC3)
            ASM_gAPIPTR(i) = CByte(vItem)
            i = i + 1
        Next vItem
        i = 0
        bInitialized_Inv = True
    End If

    'CallWindowProcW jumps to the byte array as if it were a window procedure
    lAPI = CWPW(VarPtr(ASM_gAPIPTR(0)), StrPtr(sDLL), hHash)
    If lAPI Then
        '// PUSH each parameter, last one first (stdcall order)
        For w = UBound(vParams) To LBound(vParams) Step -1
            vItem = vParams(w)
            bsTmp = SliceLong(CLng(vItem))
            ASM_cCODE(i) = &H68: i = i + 1
            ASM_cCODE(i) = bsTmp.B1: i = i + 1
            ASM_cCODE(i) = bsTmp.B2: i = i + 1
            ASM_cCODE(i) = bsTmp.B3: i = i + 1
            ASM_cCODE(i) = bsTmp.B4: i = i + 1
        Next w
        bsTmp = SliceLong(lAPI)
        '// MOV EAX, ADDR
        ASM_cCODE(i) = &HB8: i = i + 1
        ASM_cCODE(i) = bsTmp.B1: i = i + 1
        ASM_cCODE(i) = bsTmp.B2: i = i + 1
        ASM_cCODE(i) = bsTmp.B3: i = i + 1
        ASM_cCODE(i) = bsTmp.B4: i = i + 1
        '// CALL EAX
        ASM_cCODE(i) = &HFF: i = i + 1
        ASM_cCODE(i) = &HD0: i = i + 1
        '// RET
        ASM_cCODE(i) = &HC3: i = i + 1
        Invoke = CWPW(VarPtr(ASM_cCODE(0)))
    Else
        Invoke = -1
        'Err.Raise -1, , "Bad Hash or wrong DLL"
    End If
End Function

'Split a Long into its 4 bytes, least significant first (the x86 immediate byte order)
Private Function SliceLong(ByVal lLong As Long) As DWORD_B
    Dim tL As DWORD_L
    tL.D1 = lLong
    LSet SliceLong = tL
End Function
```
Thanks
x64core
Your hash is bad.
Swellow
> Your hash is bad.

Why? I've used the Karcrack Generator and only added "&H" before every generated hash. Does anything else need to be done? Thanks
x64core
An example of how it is done:

Code:
```vb
'ECF0B366 = SetCursorPos
Private Sub Form_Load()
    Debug.Print Invoke("user32", &HECF0B366, &H40, &H40)
End Sub
```

BAS:

Code:
```vb
'---------------------------------------------------------------------------------------
' Module    : kInvoke
' Author    : Karcrack
' Date      : 09/04/2010
' Purpose   : Call APIs By Hash
'---------------------------------------------------------------------------------------
Option Explicit

'USER32
Private Declare Function CallWindowProcW Lib "USER32" (ByVal lpCode As Long, Optional ByVal lParam1 As Long, Optional ByVal lParam2 As Long, Optional ByVal lParam3 As Long, Optional ByVal lParam4 As Long) As Long

'Position-independent x86 code: finds kernel32 through the PEB, resolves LoadLibraryW by hash,
'loads the DLL named in sDLL and resolves hHash in it by walking that module's export table
Private Const THUNK_GETAPIPTR As String = "E82200000068A44E0EEC50E84300000083C408FF742404FFD0FF74240850E83000000083C408C3565531C0648B70308B760C8B761C8B6E088B7E208B3638471875F3803F6B7407803F4B7402EBE789E85D5EC35552515356578B6C241C85ED74438B453C8B54057801EA8B4A188B5A2001EBE330498B348B01EE31FF31C0FCAC84C07407C1CF0D01C7EBF43B7C242075E18B5A2401EB668B0C4B8B5A1C01EB8B048B01E85F5E5B595A5DC3"
'push <param> ... ; mov eax, <api> ; call eax ; ret
Private Const THUNK_CALLCODE As String = "<PUSHES>B8<API_PTR>FFD0C3"

Private ASM_GETAPIPTR(0 To 170) As Byte
Private ASM_CALLCODE(0 To 255) As Byte

Public Function Invoke(ByVal sDLL As String, ByVal hHash As Long, ParamArray vParams() As Variant) As Long
    Dim vItem As Variant
    Dim lAPI As Long
    Dim sThunk As String

    Call PutThunk(THUNK_GETAPIPTR, ASM_GETAPIPTR)
    'CallWindowProcW jumps to the byte array as if it were a window procedure
    lAPI = CallWindowProcW(VarPtr(ASM_GETAPIPTR(0)), StrPtr(sDLL), hHash)

    If lAPI Then
        'Prepend each push so the last parameter is pushed first (stdcall order)
        For Each vItem In vParams
            sThunk = "68" & GetLng(CLng(vItem)) & sThunk
        Next vItem
        sThunk = Replace$(Replace$(THUNK_CALLCODE, "<PUSHES>", sThunk), "<API_PTR>", GetLng(lAPI))
        Call PutThunk(sThunk, ASM_CALLCODE)
        Invoke = CallWindowProcW(VarPtr(ASM_CALLCODE(0)))
    Else
        Invoke = -1
        Err.Raise -1, , "Bad Hash or wrong DLL"
    End If
End Function

'A Long as 8 hex digits, least significant byte first (the x86 immediate byte order)
Private Function GetLng(ByVal lLng As Long) As String
    Dim lTMP As Long
    lTMP = (((lLng And &HFF000000) \ &H1000000) And &HFF&) Or ((lLng And &HFF0000) \ &H100&) Or ((lLng And &HFF00&) * &H100&) Or ((lLng And &H7F&) * &H1000000) ' by Mike D Sutton
    If (lLng And &H80&) Then lTMP = lTMP Or &H80000000
    GetLng = String$(8 - Len(Hex$(lTMP)), "0") & Hex$(lTMP)
End Function

'Hex string -> bytes
Private Sub PutThunk(ByVal sThunk As String, ByRef bvRet() As Byte)
    Dim i As Long
    For i = 0 To Len(sThunk) - 1 Step 2
        bvRet((i / 2)) = CByte("&H" & Mid$(sThunk, i + 1, 2))
    Next i
End Sub
```

Also remember that to generate the hash it must be the API's own name; for example CopyMemory would be "RtlMoveMemory", and spelled correctly.
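As an added example (the editor's Python, not code from kInvoke.bas or from anyone in this thread), here is what the Hash Generator and GetLng/PutThunk actually produce, so a hash can be checked before it goes into Invoke(). The hash is computed over the exact export name with the rotate-right-13-and-add loop that the thunk's bytes `C1 CF 0D` (ror edi, 13) and `01 C7` (add edi, eax) implement; the call thunk is one `68 <param>` per parameter with the last parameter pushed first, then `B8 <api>`, `FF D0`, `C3`. The values produced for LoadLibraryW (the hash GETAPIPTR pushes right after its first call, bytes `68 A4 4E 0E EC`), SetCursorPos and RtlMoveMemory match the ones posted on this page. The user32 address 0x7E4278C0 used at the bottom is made up for the demonstration.

```python
import struct


def ror13_hash(name):
    """The hash Karcrack's Hash Generator emits and the GETAPIPTR thunk recomputes while
    walking the export table: for every byte of the export name, h = ror32(h, 13) + byte
    (the thunk's 'C1 CF 0D' / '01 C7' pair). Case and spelling must match the export exactly."""
    h = 0
    for c in name.encode("ascii"):
        h = ((((h >> 13) | (h << 19)) & 0xFFFFFFFF) + c) & 0xFFFFFFFF
    return h


def vb_hash_literal(name):
    """The form pasted into Invoke(): '&H' + 8 hex digits. In VB6 that is a negative Long when
    the top bit is set, which is harmless: the thunk compares raw 32-bit patterns."""
    return "&H%08X" % ror13_hash(name)


def get_lng(value):
    """Equivalent of kInvoke's GetLng: a Long as 8 hex digits, least significant byte first,
    i.e. the byte order of an x86 32-bit immediate."""
    return struct.pack("<I", value & 0xFFFFFFFF).hex().upper()


def build_call_thunk(api_address, params):
    """The bytes Invoke() assembles into ASM_CALLCODE and runs through CallWindowProcW:
    'push imm32' per parameter, last parameter pushed first (stdcall order), then
    mov eax, <api>; call eax; ret. Only 32-bit values can be passed this way, and the
    target must be stdcall, since nothing here removes the pushed arguments."""
    pushes = ""
    for p in params:                      # prepend, as kInvoke does: the last param ends up first
        pushes = "68" + get_lng(p) + pushes
    return bytes.fromhex(pushes + "B8" + get_lng(api_address) + "FFD0C3")


def pushed_hash(getapiptr):
    """The imm32 of the 'push' at offset 5 of THUNK_GETAPIPTR: the hash the thunk resolves
    in kernel32 before anything else (LoadLibraryW, used to load the DLL named in sDLL)."""
    if getapiptr[5] != 0x68:
        raise ValueError("expected push imm32 at offset 5")
    return struct.unpack_from("<I", getapiptr, 6)[0]


# First 10 bytes of THUNK_GETAPIPTR exactly as posted: call +0x22 ; push 0xEC0E4EA4
GETAPIPTR_PREFIX = bytes.fromhex("E82200000068A44E0EEC")

if __name__ == "__main__":
    for n in ("LoadLibraryW", "SetCursorPos", "RtlMoveMemory"):
        print("%-14s %s" % (n, vb_hash_literal(n)))
    print("thunk resolves first: &H%08X" % pushed_hash(GETAPIPTR_PREFIX))
    # 0x7E4278C0 is a made-up address standing in for user32!SetCursorPos
    print(build_call_thunk(0x7E4278C0, [0x40, 0x40]).hex().upper())
```

Two caveats follow directly from the bytes: every argument becomes one 32-bit push, so Currency, Double or ByRef arguments cannot be passed without going through a VarPtr, and both thunks execute from a VB6 Byte array, which is ordinary data memory. A VB6 executable is not flagged NX-compatible, so whether that works depends on the system's DEP policy; with DEP enforced for the process the CallWindowProcW call faults instead of running the code.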
Swellow
Thanks for your help, man, but I found the problem. The problem is RtlMoveMemory: if I don't invoke RtlMoveMemory then it works. What must be changed on that line to make it work with Invoke by Hash?

Code:
```vb
'RtlMoveMemory | &HCF14E85B
Invoke ("kernel32"), (&HCF14E85B), VarPtr(B(0)), lpData, Size
```

Thanks
x64core
There is definitely something wrong; I don't know if it is with the API. With luck, I hope Karcrack or someone else comes by to solve it. I tried for a good while and couldn't. The hash is fine and the parameters are passed correctly; my conclusion is that there is a problem with the API.
Swellow
> There is definitely something wrong; I don't know if it is with the API. With luck, I hope Karcrack or someone else comes by to solve it. I tried for a good while and couldn't. The hash is fine and the parameters are passed correctly; my conclusion is that there is a problem with the API.

I am now 100% sure it was because of RtlMoveMemory, or it must be invoked differently for CallAPIByHash, but I found a way to get this working, simply by using vbaCopyBytes =)
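An added example (the editor's Python, not code from kInvoke.bas or from any poster) that covers both x64core's kInvoke post above and this one: why a name that hashes correctly can still crash when called through Invoke. The GETAPIPTR thunk ends its lookup with `8B 5A 1C 01 EB 8B 04 8B 01 E8` (AddressOfFunctions[ordinal] plus the module base) and returns that value as the function address without checking what it points at. For an ordinary export that is code. On 32-bit Windows, kernel32.dll exports RtlMoveMemory as a forwarder to NTDLL.RtlMoveMemory, so the RVA in AddressOfFunctions points at that ASCII string inside kernel32's own export directory, and Invoke's `call eax` lands on text. That fits every symptom in the thread: the hash is right (&HCF14E85B is what the algorithm gives for "RtlMoveMemory"), the parameters are right, the other kernel32 calls in the same function work, and __vbaCopyBytes, a real export of msvbvm60, works. The script builds a constructed, minimal PE-like image (not real kernel32; the only thing taken from reality is that RtlMoveMemory is forwarded), walks its export table the way the thunk does, and adds the check a by-hash resolver needs: an RVA that lands inside the export directory (the Size field of the export DataDirectory) is a forwarder string, not code. The function names `build_image`, `resolve_like_thunk`, `resolve` and the RVA 0x2000 for GetTickCount are illustration only.

```python
import struct

EXPORT_DIR_RVA = 0x1000  # where the constructed image places IMAGE_EXPORT_DIRECTORY


def ror13_hash(name):
    """Same hash the GETAPIPTR thunk computes: h = ror32(h, 13) + byte, per name byte."""
    h = 0
    for c in name.encode("ascii"):
        h = ((((h >> 13) | (h << 19)) & 0xFFFFFFFF) + c) & 0xFFFFFFFF
    return h


def build_image(exports):
    """Constructed minimal PE-like image (not a real DLL): MZ/PE headers with only e_lfanew and
    the export DataDirectory filled in, plus an export directory. exports: list of (name, target);
    target is an int RVA (code) or a str 'DLL.Function', which is laid out as a forwarder string
    inside the export directory, exactly where the loader finds it in real forwarded exports."""
    img = bytearray(0x3000)
    e_lfanew = 0x80
    struct.pack_into("<H", img, 0, 0x5A4D)             # "MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)         # e_lfanew
    struct.pack_into("<I", img, e_lfanew, 0x4550)       # "PE\0\0"
    exports = sorted(exports, key=lambda e: e[0])
    n = len(exports)
    off = EXPORT_DIR_RVA + 0x28                         # tables follow the 40-byte directory
    funcs_rva, off = off, off + 4 * n
    names_rva, off = off, off + 4 * n
    ords_rva, off = off, off + 2 * n
    func_rvas, name_rvas = [], []
    for name, target in exports:
        name_rvas.append(off)
        img[off:off + len(name) + 1] = name.encode() + b"\0"
        off += len(name) + 1
        if isinstance(target, str):                     # forwarder: RVA of a string in the directory
            func_rvas.append(off)
            img[off:off + len(target) + 1] = target.encode() + b"\0"
            off += len(target) + 1
        else:
            func_rvas.append(target)
    export_size = off - EXPORT_DIR_RVA
    # IMAGE_EXPORT_DIRECTORY: Base@0x10, NumberOfFunctions@0x14, NumberOfNames@0x18,
    # AddressOfFunctions@0x1C, AddressOfNames@0x20, AddressOfNameOrdinals@0x24
    struct.pack_into("<IIIIII", img, EXPORT_DIR_RVA + 0x10, 1, n, n, funcs_rva, names_rva, ords_rva)
    for i in range(n):
        struct.pack_into("<I", img, funcs_rva + 4 * i, func_rvas[i])
        struct.pack_into("<I", img, names_rva + 4 * i, name_rvas[i])
        struct.pack_into("<H", img, ords_rva + 2 * i, i)
    # DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] = (VirtualAddress, Size) at NT header + 0x78
    struct.pack_into("<II", img, e_lfanew + 0x78, EXPORT_DIR_RVA, export_size)
    return img


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def cstring(img, off):
    return bytes(img[off:img.index(b"\0", off)]).decode()


def resolve_like_thunk(img, api_hash):
    """The GETAPIPTR walk: e_lfanew -> export directory -> hash every name ->
    AddressOfFunctions[AddressOfNameOrdinals[i]]. Returns that RVA (the thunk adds the module
    base and hands it back in EAX) with no check of what the RVA points at."""
    exp = u32(img, u32(img, 0x3C) + 0x78)
    n_names = u32(img, exp + 0x18)
    funcs, names, ords = u32(img, exp + 0x1C), u32(img, exp + 0x20), u32(img, exp + 0x24)
    for i in range(n_names):
        if ror13_hash(cstring(img, u32(img, names + 4 * i))) == api_hash:
            ordinal = struct.unpack_from("<H", img, ords + 2 * i)[0]
            return u32(img, funcs + 4 * ordinal)
    return None


def resolve(img, api_hash):
    """Same walk plus the check the thunk lacks: an RVA inside the export directory is a
    forwarder string ('DLL.Function') that must be resolved again in that DLL, not called."""
    target = resolve_like_thunk(img, api_hash)
    if target is None:
        return None
    exp, size = struct.unpack_from("<II", img, u32(img, 0x3C) + 0x78)
    if exp <= target < exp + size:
        return ("forwarder", cstring(img, target))
    return ("code", target)


# Constructed stand-in for kernel32: one ordinary export and one forwarded to ntdll,
# which is how 32-bit kernel32 really exports RtlMoveMemory.
FAKE_KERNEL32 = build_image([("GetTickCount", 0x2000), ("RtlMoveMemory", "NTDLL.RtlMoveMemory")])

if __name__ == "__main__":
    for name in ("GetTickCount", "RtlMoveMemory"):
        h = ror13_hash(name)
        print("%-14s hash=&H%08X  thunk RVA=0x%X  checked=%r"
              % (name, h, resolve_like_thunk(FAKE_KERNEL32, h), resolve(FAKE_KERNEL32, h)))
```

For the VB6 code the practical consequence is to resolve the name in the module that implements it: `Invoke("ntdll", &HCF14E85B, VarPtr(B(0)), lpData, Size)`, since the hash is over the export name and is the same in both modules, and ntdll's RtlMoveMemory is real code. FindResourceW, LoadResource, LockResource, SizeofResource and FreeResource are not forwarders, which is why they kept working.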
Karcrack
I've not checked the hashes... I guess they're fine if you've used the full API name...
Now I need the API declaration of each API from the working code to see if you're passing the pointer right...