
 

 




Miseryk

[SRC] VB6 0 API
« en: 17 Octubre 2014, 16:22 pm »

Bueno hace poco hice algo para ejecutar APIs sin declararlas, 0 API.

Posteado en http://hackhound.org/forums/topic/6634-0-api/

Código
  1. Option Explicit
  2.  
  3. 'You must compile Native and check 'Remove Array Bound Checks'
  4.  
  5. '---------------------------------------------------------------------------------------
  6. ' Module    : mMemory
  7. ' Author    : Karcrack
  8. ' Date      : 20/09/2011
  9. ' Purpose   : Work with memory withouth using any API
  10. ' History   : 20/09/2011 First cut
  11. '---------------------------------------------------------------------------------------
  12.  
  13. Private bvHack(0)               As Byte    'One-element anchor array; GetByte/PutByte index it with (address - lHackDelta), i.e. far outside its declared bounds
  14. Private lHackDelta              As Long    'VarPtr(bvHack(0)), stored by Initialize
  15. Private bInitialized            As Boolean 'Set by Initialize; the accessors below do nothing until it is True
  16.  
  ' Arms the module: probes whether array bound checks were compiled out, then
  ' records the address of bvHack(0) so the accessors can turn an absolute
  ' address into an index relative to that array.
  ' Returns True on success. On any run-time error the program is ended.
  Public Function Initialize() As Boolean
      On Error GoTo BoundsCheckActive

      ' Probe: index -1 is outside bvHack(0 To 0). With bound checks still
      ' enabled this raises error 9 and control moves to the handler.
      bvHack(-1) = bvHack(-1)
      lHackDelta = VarPtr(bvHack(0))

      bInitialized = True
      Initialize = True
      Exit Function

  BoundsCheckActive:
      If Err.Number = 9 Then
          Debug.Print "Remember to tick 'Remove array boundary check' and compile before using"
      End If
      ' End runs for every error number, not only for 9.
      End
  End Function
  30.  
  ' Reads the byte stored at absolute address lptr.
  ' Returns 0 (the default) when Initialize has not succeeded.
  ' The address is not validated in any way: this is an unrestricted read
  ' over the process's own address space.
  ' NOTE(review): an unmapped address presumably faults the process, and for
  ' addresses whose Long value is negative the subtraction may overflow unless
  ' integer overflow checks are also compiled out - confirm.
  Public Function GetByte(ByVal lptr As Long) As Byte
      If Not bInitialized Then Exit Function

      ' Distance from bvHack(0) to the target, used as an out-of-bounds index.
      GetByte = bvHack(lptr - lHackDelta)
  End Function
  34.  
  ' Reads a 16-bit value at lptr as two GetByte calls (low byte at lptr,
  ' high byte at lptr + 1) combined by MakeWord.
  ' Returns 0 when Initialize has not succeeded.
  Public Function GetWord(ByVal lptr As Long) As Integer
      Dim bLow As Byte
      Dim bHigh As Byte

      If Not bInitialized Then Exit Function

      bLow = GetByte(lptr)
      bHigh = GetByte(lptr + &H1)
      GetWord = MakeWord(bLow, bHigh)
  End Function
  38.  
  ' Reads a 32-bit value at lptr as two GetWord calls (low word at lptr,
  ' high word at lptr + 2) combined by MakeDWord.
  ' Returns 0 when Initialize has not succeeded.
  Public Function GetDWord(ByVal lptr As Long) As Long
      Dim iLow As Integer
      Dim iHigh As Integer

      If Not bInitialized Then Exit Function

      iLow = GetWord(lptr)
      iHigh = GetWord(lptr + &H2)
      GetDWord = MakeDWord(iLow, iHigh)
  End Function
  42.  
  ' Writes bByte to absolute address lptr; does nothing until Initialize
  ' has succeeded.
  ' The address is not validated: this is an unrestricted write over the
  ' process's own address space, and every other Put* routine funnels into it.
  ' NOTE(review): a write to an unmapped or read-only page presumably faults
  ' the process - confirm.
  Public Sub PutByte(ByVal lptr As Long, ByVal bByte As Byte)
      If Not bInitialized Then Exit Sub

      ' Same out-of-bounds indexing as GetByte, used as an assignment target.
      bvHack(lptr - lHackDelta) = bByte
  End Sub
  46.  
  ' Writes a 16-bit value at lptr as two PutByte calls: low byte first at
  ' lptr, then high byte at lptr + 1. Does nothing until Initialize has succeeded.
  Public Sub PutWord(ByVal lptr As Long, ByVal iWord As Integer)
      If Not bInitialized Then Exit Sub

      Call PutByte(lptr, iWord And &HFF)
      ' The Long mask (&HFF00&) keeps the intermediate non-negative before
      ' the shift down by 8 bits.
      Call PutByte(lptr + &H1, (iWord And &HFF00&) \ &H100)
  End Sub
  50.  
  ' Writes a 32-bit value at lptr as two PutWord calls: low word first at
  ' lptr, then high word at lptr + 2. Does nothing until Initialize has succeeded.
  ' The write is four separate byte stores, so the target holds a mixed
  ' old/new value between them.
  Public Sub PutDWord(ByVal lptr As Long, ByVal lDWord As Long)
      Dim iLow As Integer
      Dim iHigh As Integer

      If Not bInitialized Then Exit Sub

      ' Fold the low 16 bits into Integer range: when bit 15 is set the upper
      ' bits are forced to 1 so the value lands in -32768..-1.
      If lDWord And &H8000& Then
          iLow = lDWord Or &HFFFF0000
      Else
          iLow = lDWord And &HFFFF&
      End If
      iHigh = (lDWord And &HFFFF0000) \ &H10000

      Call PutWord(lptr, iLow)
      Call PutWord(lptr + &H2, iHigh)
  End Sub
  54.  
  ' Combines two bytes into a signed 16-bit Integer (hiByte in bits 8-15).
  ' Source credited by the original: [http://www.xbeat.net/vbspeed/c_MakeWord.htm#MakeWord02]
  Private Function MakeWord(ByVal loByte As Byte, ByVal hiByte As Byte) As Integer
      Dim lWide As Long

      ' Assemble in a Long so the multiplication cannot leave Integer range.
      lWide = (hiByte * &H100&) Or loByte

      ' High bit set means the result is negative as an Integer: sign-extend
      ' the Long so the final assignment stays within -32768..-1.
      If hiByte >= &H80 Then lWide = lWide Or &HFFFF0000

      MakeWord = lWide
  End Function
  62.  
  ' Combines two 16-bit Integers into a 32-bit Long (HiWord in bits 16-31).
  ' Source credited by the original: [http://www.xbeat.net/vbspeed/c_MakeD...m#MakeDWord05]
  Private Function MakeDWord(ByVal LoWord As Integer, ByVal HiWord As Integer) As Long
      Dim lLowPart As Long
      Dim lHighPart As Long

      ' Masking with a Long constant strips the sign extension of LoWord.
      lLowPart = LoWord And &HFFFF&
      lHighPart = HiWord * &H10000

      MakeDWord = lHighPart Or lLowPart
  End Function
  66.  

Código
  1. Option Explicit
  2.  
  3. 'Private Declare Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
  4.  
  5. 'Sore wa watashi no monode wa arimasen.
  6. Public Function CallAPI_NotMine(ByVal vForm As Form, ByVal sLib As String, ByVal sProc As String, ParamArray vParams() As Variant) As Long
     ' Invokes sProc from sLib without a Declare statement.
     ' Visible steps: fill c_ASM with literal constants, convert both names to
     ' NUL-terminated ANSI byte arrays, coerce every ParamArray entry to Long,
     ' ask NewMisery.CallAPI to run "VirtualAlloc", then pass VarPtr(c_ASM(0)) to
     ' MyCallWindowProcA as its lpPrevWndFunc argument.
     ' Returns whatever MyCallWindowProcA returns.
     ' NOTE(review): c_ASM is 29 Currency values (8 bytes each) whose content is
     ' opaque in this listing; the name and its use as the lpPrevWndFunc argument
     ' suggest machine code. It has not been disassembled for this review.
  7. Dim c_ASM(28) As Currency, bvLib() As Byte, bvProc() As Byte, laParam() As Long, ubParam As Long, bInitialized As Boolean, i As Long
  8.  
     ' bInitialized is a Dim local, not Static, so it is False on every entry
     ' and the table below is refilled on each call.
  9. If bInitialized = False Then
  10.    c_ASM(0) = 725985647539103.3577@: c_ASM(1) = 465082451154280.4619@: c_ASM(2) = 174754948986808.1932@
  11.    c_ASM(3) = 353151298900331.7606@: c_ASM(4) = -842056535466254.24@: c_ASM(5) = -158485362956912.3259@
  12.    c_ASM(6) = -151289242656700.5557@: c_ASM(7) = -129660215991460.1245@: c_ASM(8) = -457434111994534.3183@
  13.    c_ASM(9) = -145719479559932.942@: c_ASM(10) = -836727781740640.7692@: c_ASM(11) = 540785052671076.873@
  14.    c_ASM(12) = -842945876107851.5061@: c_ASM(13) = -436817922147838.1567@: c_ASM(14) = -36546947.8739@
  15.    c_ASM(15) = 34438797019703.0793@: c_ASM(16) = -190689866724056.7239@: c_ASM(17) = -59310703.0909@
  16.    c_ASM(18) = -26865768425160.8957@: c_ASM(19) = -82935132042744.5623@: c_ASM(20) = -1607042434518.5911@
  17.    c_ASM(21) = -55225496747848.4993@: c_ASM(22) = 850252832244421.5689@: c_ASM(23) = -836310804921489.818@
  18.    c_ASM(24) = 7079432546648.5829@: c_ASM(25) = -748820712252184.718@: c_ASM(26) = -850720513820548.8302@
  19.    c_ASM(27) = -28815265.8452@: c_ASM(28) = -143712485721099.5542@
  20.    bInitialized = True
  21. End If
  22.  
      ' Names become NUL-terminated ANSI byte arrays; laParam is sized from the ParamArray.
  23. bvLib = StrConv(sLib & vbNullChar, vbFromUnicode): bvProc = StrConv(sProc & vbNullChar, vbFromUnicode): ubParam = UBound(vParams): ReDim laParam(0 To ubParam)
  24.  
      ' Every argument is coerced to Long; pointers must already be passed as numbers (StrPtr/VarPtr).
  25. For i = 0 To ubParam
  26.    laParam(i) = CLng(vParams(i))
  27. Next i
  28.  
      ' NOTE(review): &H1000 and &H40 equal the Win32 values MEM_COMMIT and
      ' PAGE_EXECUTE_READWRITE. If they are consumed that way, the memory holding
      ' c_ASM becomes writable and executable at once, a state that memory scanners
      ' and EDR products commonly flag. How the patched CallAPI interprets these
      ' pointer arguments is not visible in this listing.
  29. Call NewMisery.CallAPI(NewMisery.FunctionAddress(vForm, "VirtualAlloc"), VarPtr(VarPtr(c_ASM(0))), VarPtr(UBound(c_ASM) + 1), VarPtr(&H1000), VarPtr(&H40))
  30.  
      ' MyCallWindowProcA is a DoEvents-only placeholder in source; Command1_Click
      ' passes its address to ConvertToMisery as the destination, so this call
      ' depends on Command1_Click having run first.
  31. CallAPI_NotMine = MyCallWindowProcA(VarPtr(c_ASM(0)), VarPtr(bvLib(0)), VarPtr(bvProc(0)), ubParam + 1, VarPtr(laParam(0)))
  32. End Function
  33.  

Código
  1. Option Explicit
  2.  
  3. '---------------------------------------------------------------------------------------
  4. ' Don't use VirusTotal, use http://nodistribute.com instead
  5. '
  6. ' Module    : NewMisery (Im horrible for names...)
  7. ' Author    : Misery (Miseryk) Inspired by OXYMORON
  8. ' Date      : 17/07/2014 (Start) | 15/09/2014 (End)
  9. ' Purpose   : 0 API
  10. '---------------------------------------------------------------------------------------
  11.  
  12. Public KernelBase As Long 'Filled through VarPtr(KernelBase) by the stub in Init; CallAPI, GetUser32 and Command1_Click add it to FunctionAddress results. Presumably a module base address - confirm
  13. Public Base As Long 'With no use, just test
  14. Public BkAddVal As Long '[Me.Point(8@)] backup => CALL [EAX+2D0]
  15. Public User32 As Long 'Filled through VarPtr(User32) by the stub in GetUser32; read by Command1_Click
      ' NOTE(review): this module has no Declare statements. The API names
      ' ("VirtualAlloc", "WriteProcessMemory", "LoadLibraryW") appear only as string
      ' literals handed to FunctionAddress, so reviewing declarations alone will not
      ' show which APIs are reached. The strings themselves stay visible in source,
      ' and whatever the stubs do at run time presumably stays visible to run-time
      ' API and memory monitoring - confirm against the tooling in use.
      ' BkAddVal is shared by Init, Patch, FunctionAddress and GetUser32; each
      ' saves into it before redirecting the form slot and restores from it afterwards.
  16.  
  17. Private Sub Initialize()
      ' Arms the memory accessors by calling Initialize in module Karcrack.
      ' NOTE(review): presumably the first listing on this page saved under that
      ' module name; that routine ends the program when its bounds-check probe fails.
  18. Call Karcrack.Initialize
  19. End Sub
  20.  
  21. Public Function GetFuncAddr(ByVal lAddr As Long) As Long
      ' Identity function: returns its argument unchanged. Callers on this page
      ' pass "AddressOf SomeProc" so the procedure address ends up in a Long.
  22. GetFuncAddr = lAddr
  23. End Function
  24.  
  25. Public Sub Init(ByVal vForm As Form)
      ' Fills KernelBase and Base by temporarily redirecting one slot in vForm's
      ' dispatch data to a local byte table, calling Form.Point, restoring the
      ' slot, and then running Patch.
      ' NOTE(review): ASM_c is 8 Currency values (64 bytes) with opaque content,
      ' presumably machine code; it has not been disassembled for this review.
      ' Running bytes out of a data array depends on that memory being executable
      ' in the process - confirm against the DEP policy of the target system.
  26. Call Initialize
  27.  
  28. Dim ASM_c(7) As Currency
  29.  
  30. ASM_c(0) = 259535234953094.8442@
  31. ASM_c(1) = 350419256390428.4982@
  32. ASM_c(2) = 465082451153964.2368@
  33. ASM_c(3) = 117108873756465.8452@
  34. ASM_c(4) = 64246993287716.5497@
  35. ASM_c(5) = -518518030442266.1493@
  36. ASM_c(6) = -30494267.8016@
  37. ASM_c(7) = -801556291178923.7505@
  38.  
      ' Save the DWORD stored at [[ObjPtr(vForm)] + &H2D0]. The author's note on
      ' BkAddVal ties this slot to Form.Point (CALL [EAX+2D0]).
  39. BkAddVal = Karcrack.GetDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0)
  40.  
      ' Overwrite the slot with the address of the local table.
  41. Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, VarPtr(ASM_c(0)))
  42.  
      ' With the slot redirected, this call presumably enters the table instead of
      ' the real Point; it receives the addresses of KernelBase and Base to fill.
  43. Call vForm.Point(VarPtr(KernelBase), VarPtr(Base))
  44.  
      ' Restore the saved value. No error handler covers the span between the
      ' overwrite and this line, so a failure there would leave the form's slot
      ' pointing at this procedure's local array.
  45. Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, BkAddVal)
  46.  
  47. Call Patch(vForm)
  48. End Sub
  49.  
  50. Private Sub Patch(ByVal vForm As Form)
      ' Builds an argument block (MyPushes) and runs a second byte table through
      ' the same Form.Point slot redirection that Init uses.
      ' NOTE(review): the block holds the result of FunctionAddress for
      ' "WriteProcessMemory", KernelBase, -1, AddressOf CallAPI + 11, the address
      ' of ASM_c, 51 and a pointer to a temporary 0. That looks like a write of
      ' table bytes over CallAPI's compiled body inside the current process (-1 is
      ' the Win32 current-process pseudo-handle). The tables are opaque, so this
      ' reading is unconfirmed. Code that rewrites its own image at run time is
      ' something memory-integrity checks and EDR scans can observe.
  51. Dim ASM_c(5) As Currency
  52.  
  53. ASM_c(0) = 537140736891580.1227@
  54. ASM_c(1) = 583913078498908.8528@
  55. ASM_c(2) = -854952546922381.2279@
  56. ASM_c(3) = -841638429847924.6252@
  57. ASM_c(4) = -116134715448543.5308@
  58. ASM_c(5) = -802975980578020.9409@
  59.  
  60. Dim Address As Long
  61.  
      ' The fixed + 11 is tied to how this particular build lays out CallAPI.
      ' NOTE(review): presumably invalid if CallAPI's source or the compiler
      ' settings change - confirm before relying on it.
  62. Address = NewMisery.GetFuncAddr(AddressOf CallAPI) + 11
  63.  
  64. Dim MyPushes(6) As Long
  65.  
  66. MyPushes(0) = VarPtr(0)
  67. MyPushes(1) = 51
  68. MyPushes(2) = VarPtr(ASM_c(0))
  69. MyPushes(3) = Address
  70. MyPushes(4) = -1
  71. MyPushes(5) = KernelBase
  72. MyPushes(6) = NewMisery.FunctionAddress(vForm, "WriteProcessMemory")
  73.  
  74. Dim ASM_c2(6) As Currency
  75.  
  76. ASM_c2(0) = -856471559609067.0246@
  77. ASM_c2(1) = 367493325241674.242@
  78. ASM_c2(2) = 828635112938277.7599@
  79. ASM_c2(3) = -842503583785949.618@
  80. ASM_c2(4) = 5202119258820.4106@
  81. ASM_c2(5) = -119118.2336@
  82. ASM_c2(6) = -802970373083417.7606@
  83.  
      ' Same save / redirect / call / restore sequence as Init, this time with ASM_c2.
  84. BkAddVal = Karcrack.GetDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0)
  85.  
  86. Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, VarPtr(ASM_c2(0)))
  87.  
  88. Call vForm.Point(VarPtr(MyPushes(0)), 0)
  89.  
  90. Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, BkAddVal)
  91. End Sub
  92.  
  93. Public Function ConvertToMisery(ByVal vForm As Form, ByVal AddressSrc As Long, ByVal AddressDst As Long) As Long
      ' Builds a 12-byte table (two fixed DWORDs with AddressSrc between them) and
      ' passes it, AddressDst and the length 12 to CallAPI for "WriteProcessMemory".
      ' Returns CallAPI's result.
      ' The fixed values are &HFC2444C7 and &HFC2464FF when read as unsigned 32-bit.
      ' NOTE(review): this looks like a small redirect stub written over the
      ' procedure at AddressDst so that calls to it land at AddressSrc, in the
      ' current process (VarPtr(-1) points at the pseudo-handle value). Command1_Click
      ' uses it on the MyGetProcAddress and MyCallWindowProcA placeholders. Confirm
      ' by disassembly before relying on this description.
  94. Dim c_ASM(2) As Long
  95.  
  96. c_ASM(0) = -64731961
  97. c_ASM(1) = AddressSrc
  98. c_ASM(2) = -64723713
  99.  
  100. ConvertToMisery = NewMisery.CallAPI(NewMisery.FunctionAddress(vForm, "WriteProcessMemory"), VarPtr(-1), AddressDst, VarPtr(VarPtr(c_ASM(0))), VarPtr(12), VarPtr(VarPtr(0)))
  101. End Function
  102.  
  103. Public Function CallAPI(ByVal Address As Long, ParamArray vParams() As Variant) As Long
       ' As written in source: adds KernelBase to Address, runs eighteen DoEvents
       ' and returns 0, because the return value is never assigned.
       ' NOTE(review): Patch computes AddressOf CallAPI + 11 and places it in the
       ' argument block it builds for "WriteProcessMemory", so the DoEvents run looks
       ' like filler that reserves space for bytes written at run time. The source
       ' shown here is therefore presumably not what executes after Init. Changing
       ' the statement count would change the compiled layout that Patch relies on.
  104. Address = KernelBase + Address
  105. DoEvents: DoEvents: DoEvents
  106. DoEvents: DoEvents: DoEvents
  107. DoEvents: DoEvents: DoEvents
  108. DoEvents: DoEvents: DoEvents
  109. DoEvents: DoEvents: DoEvents
  110. DoEvents: DoEvents: DoEvents
  111. End Function
  112.  
  113. Public Function MyCallWindowProcA(ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
       ' Placeholder with the parameter list of CallWindowProcA. In source it only
       ' runs DoEvents twice and returns 0. Command1_Click passes its address to
       ' ConvertToMisery as the destination, so after that call it presumably no
       ' longer runs the body shown here.
  114. DoEvents
  115. DoEvents
  116. End Function
  117.  
  118. Public Function MyGetProcAddress(ByVal hModule As Long, ByVal lpProcName As String) As Long
       ' Placeholder with the parameter list of GetProcAddress. In source it only
       ' runs DoEvents twice and returns 0. Command1_Click passes its address to
       ' ConvertToMisery as the destination and calls it afterwards, so that later
       ' call presumably does not run the body shown here.
  119. DoEvents
  120. DoEvents
  121. End Function
  122.  
  123. Public Function FunctionAddress(ByVal vForm As Form, ByVal StrFunction As String) As Long
       ' Looks up StrFunction by name through a local byte table run via the
       ' Form.Point slot redirection, and returns the Long the table stores in Offset.
       ' Callers on this page add KernelBase to the result, so the value is
       ' presumably an offset relative to that base rather than an absolute address.
       ' NOTE(review): ASM_c is 20 Currency values (160 bytes) with opaque content;
       ' how the lookup is performed is inside those bytes and is not documented here.
  124. Dim strFunc() As Byte
  125. Dim Offset As Long
  126.  
  127. Dim ASM_c(19) As Currency
  128.  
  129. ASM_c(0) = 814232361510246.7936@
  130. ASM_c(1) = 350419227990245.6828@
  131. ASM_c(2) = 465082451153964.2368@
  132. ASM_c(3) = 117108873756465.8452@
  133. ASM_c(4) = 461280767645907.9819@
  134. ASM_c(5) = -459709328520114.7076@
  135. ASM_c(6) = -118880.7541@
  136. ASM_c(7) = -835887271382144.2318@
  137. ASM_c(8) = 886420572523377.9787@
  138. ASM_c(9) = 839808409003602.7148@
  139. ASM_c(10) = 840567380577989.5332@
  140. ASM_c(11) = -100852514478035.1214@
  141. ASM_c(12) = -428637109111001.2498@
  142. ASM_c(13) = -64280619725626.29@
  143. ASM_c(14) = -273730417291300.9967@
  144. ASM_c(15) = 204338008016006.1199@
  145. ASM_c(16) = -854998653806026.0861@
  146. ASM_c(17) = -511608917668079.9976@
  147. ASM_c(18) = 190267051.2127@
  148. ASM_c(19) = -802975918745080.576@
  149.  
       ' Save the current slot value, then point the slot at the local table.
       ' BkAddVal is module-level and shared with Init, Patch and GetUser32.
  150. BkAddVal = Karcrack.GetDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0)
  151.  
  152. Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, VarPtr(ASM_c(0)))
  153.  
       ' The name is passed to the table as a NUL-terminated ANSI byte array.
  154. strFunc = StrConv(StrFunction & Chr(0), vbFromUnicode)
  155.  
  156. Call vForm.Point(VarPtr(Offset), VarPtr(strFunc(0)))
  157.  
       ' Restore the slot. Offset keeps its initial 0 if the table wrote nothing;
       ' callers on this page do not check for that.
  158. Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, BkAddVal)
  159.  
  160. FunctionAddress = Offset
  161. End Function
  162.  
  163. Public Sub GetUser32(ByVal vForm As Form)
       ' Fills the public User32 variable. Resolves "LoadLibraryW" with
       ' FunctionAddress, adds KernelBase, and hands the address of that value plus
       ' the address of User32 to a local byte table run through the Form.Point
       ' slot redirection.
       ' NOTE(review): ASM_c is 10 Currency values (80 bytes) with opaque content;
       ' the library name it loads is not visible in source and is inferred only
       ' from the variable name User32. A library load performed this way would
       ' still appear to run-time module-load monitoring - confirm by observation.
  164. Dim LoadLibrary As Long
  165. Dim ASM_c(9) As Currency
  166.  
  167. LoadLibrary = NewMisery.FunctionAddress(vForm, "LoadLibraryW")
  168. LoadLibrary = LoadLibrary + KernelBase
  169.  
  170. ASM_c(0) = 814232361510246.7936@
  171. ASM_c(1) = 100060056.7804@
  172. ASM_c(2) = 497206524950976.384@
  173. ASM_c(3) = 331470430218173.2864@
  174. ASM_c(4) = 8356415879.68@
  175. ASM_c(5) = -840821747844015.7184@
  176. ASM_c(6) = 654401063636671.802@
  177. ASM_c(7) = 79190153.865@
  178. ASM_c(8) = 12469341468280.2432@
  179. ASM_c(9) = -802991806362733.7728@
  180.  
       ' Same save / redirect / call / restore sequence as Init.
  181. BkAddVal = Karcrack.GetDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0)
  182.  
  183. Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, VarPtr(ASM_c(0)))
  184.  
  185. Call vForm.Point(VarPtr(User32), VarPtr(LoadLibrary))
  186.  
  187. Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, BkAddVal)
  188. End Sub
  189.  

Código
  1. Option Explicit
  2.  
  3. Private Sub Command1_Click()
     ' One-time setup; the order of the calls matters.
     ' Init fills NewMisery.KernelBase and runs Patch, GetUser32 fills
     ' NewMisery.User32, then ConvertToMisery is applied to the two placeholder
     ' functions. Command2_Click depends on this handler having run first.
  4. Call NewMisery.Init(Me)
  5.  
  6. Call NewMisery.GetUser32(Me)
  7.  
  8. Dim User32Add As Long
  9.  
  10. User32Add = NewMisery.User32
  11.  
      ' Source: KernelBase plus the looked-up offset of "GetProcAddress".
      ' Destination: the MyGetProcAddress placeholder.
  12. Call ConvertToMisery(Me, NewMisery.KernelBase + NewMisery.FunctionAddress(Me, "GetProcAddress"), NewMisery.GetFuncAddr(AddressOf MyGetProcAddress))
      ' Source: the result of calling MyGetProcAddress (already converted by the
      ' line above) with the User32 value and the ANSI form of "CallWindowProcA".
      ' Destination: the MyCallWindowProcA placeholder.
  13. Call ConvertToMisery(Me, NewMisery.MyGetProcAddress(User32Add, StrConv("CallWindowProcA", vbFromUnicode)), NewMisery.GetFuncAddr(AddressOf MyCallWindowProcA))
  14.  
  15. MsgBox "Done."
  16. End Sub
  17.  
  18. Private Sub Command2_Click()
      ' Demonstration call: asks NotMine.CallAPI_NotMine for "MessageBoxW" in
      ' "user32" with four arguments (0, two StrPtr values, &H40).
      ' NOTE(review): &H40 equals the Win32 value MB_ICONINFORMATION; assumes
      ' Command1_Click has already run, since CallAPI_NotMine goes through
      ' MyCallWindowProcA and NewMisery.CallAPI.
  19. 'My manner of calling API could be a shit, maybe, who knows?, so call this
  20. 'This is not mine, but it calls MyCallWindowProcA(overwrite) and NewMisery.CallAPI(VirtualAlloc)
  21. Call NotMine.CallAPI_NotMine(Me, "user32", "MessageBoxW", 0, StrPtr("t_Invoke works"), StrPtr("victory"), &H40)
  22. End Sub
  23.  

Funciona en XP, 7 y 8; en 8 de 64 bits hay que hacer un pequeño cambio, con el cual quedaría funcionando en XP, 7 y 8 tanto en 32 como en 64 bits, pero por el momento lo libero así (Y)

Saludos.


« Última modificación: 20 Octubre 2014, 15:14 pm por Miseryk » En línea
