elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado:


+  Foro de elhacker.net
|-+  Programación
| |-+  Programación General
| | |-+  .NET (C#, VB.NET, ASP)
| | | |-+  Programación Visual Basic (Moderadores: LeandroA, seba123neo)
| | | | |-+  [VB6][SRC] Memory Regions
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: [VB6][SRC] Memory Regions  (Leído 3,774 veces)
Miseryk

Desconectado Desconectado

Mensajes: 225


SI.NU.SA U.GU.DE (2NE1 - D-Unit)


Ver Perfil
[VB6][SRC] Memory Regions
« en: 13 Febrero 2015, 13:48 pm »

Una manera de detectar intrusos.

Posteado en: http://hackhound.org/forums/topic/7209-vb6src-memory-regions/

Modulo:
Código
  1. Option Explicit
  2.  
  3. 'typedef enum _MEMORY_INFORMATION_CLASS {
  4. '    MemoryBasicInformation,
  5. '    MemoryWorkingSetList,
  6. '    MemorySectionName
  7. '} MEMORY_INFORMATION_CLASS;
  8.  
  9. Public Enum MEMORY_INFORMATION_CLASS
  10.    MemoryBasicInformation = 0
  11.    MemoryWorkingSetList
  12.    MemorySectionName
  13. End Enum
  14.  
  15. 'typedef struct _MEMORY_BASIC_INFORMATION {
  16. '    PVOID BaseAddress;
  17. '    PVOID AllocationBase;
  18. '    DWORD AllocationProtect;
  19. '    SIZE_T RegionSize;
  20. '    DWORD State;
  21. '    DWORD Protect;
  22. '    DWORD Type;
  23. '} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
  24.  
  25. Public Type MEMORY_BASIC_INFORMATION
  26.    BaseAddress As Long
  27.    AllocationBase As Long
  28.    AllocationProtect As Long
  29.    RegionSize As Long
  30.    State As Long
  31.    Protect As Long
  32.    Type As Long
  33. End Type
  34.  
  35. 'typedef struct _FUNCTION_INFORMATION {
  36. '    char name[64];
  37. '    ULONG_PTR VirtualAddress;
  38. '} FUNCTION_INFORMATION, *PFUNCTION_INFORMATION;
  39.  
  40. Public Type FUNCTION_INFORMATION
  41.    name As String * 64
  42.    VirtualAddress As Long
  43. End Type
  44.  
  45. 'typedef struct _MODULE_INFORMATION
  46. '{
  47. '    PVOID BaseAddress;
  48. '    PVOID AllocationBase;
  49. '    DWORD AllocationProtect;
  50. '    SIZE_T RegionSize;
  51. '    DWORD State;
  52. '    DWORD Protect;
  53. '    DWORD Type;
  54. '    WCHAR szPathName[MAX_PATH];
  55. '    PVOID EntryAddress;
  56. '    PFUNCTION_INFORMATION Functions;
  57. '    DWORD FunctionCount;
  58. '    DWORD SizeOfImage;
  59. '}MODULE_INFORMATION, *PMODULE_INFORMATION;
  60.  
  61. Public Type MODULE_INFORMATION
  62.    BaseAddress As Long
  63.    AllocationBase As Long
  64.    AllocationProtect As Long
  65.    RegionSize As Long
  66.    State As Long
  67.    Protect As Long
  68.    Type As Long
  69.    szPathName(1 To 520) As Byte
  70.    EntryAddress As Long
  71.    Functions As Long 'VarPtr(MODULE_INFORMATION), es un puntero, PFUNCTION_INFORMATION Functions;
  72.    FunctionCount As Long
  73.    SizeOfImage As Long
  74. End Type
  75.  
  76. 'struct UNICODE_STRING {
  77. '    USHORT  Length;
  78. '    USHORT  MaximumLength;
  79. '    PWSTR    Buffer;
  80. '};
  81.  
  82. Public Type UNICODE_STRING
  83.    Length As Integer
  84.    MaximumLength As Integer
  85.    Buffer As Long 'PWSTR    Buffer;
  86. End Type
  87.  
  88. 'typedef UNICODE_STRING *PUNICODE_STRING;
  89.  
  90. Public Const PAGE_NOACCESS = &H1
  91. Public Const PAGE_READONLY = &H2
  92. Public Const PAGE_READWRITE = &H4
  93. Public Const PAGE_WRITECOPY = &H8
  94. Public Const PAGE_EXECUTE = &H10
  95. Public Const PAGE_EXECUTE_READ = &H20
  96. Public Const PAGE_EXECUTE_READWRITE = &H40
  97. Public Const PAGE_EXECUTE_WRITECOPY = &H80
  98. Public Const PAGE_GUARD = &H100
  99. Public Const PAGE_NOCACHE = &H200
  100. Public Const PAGE_WRITECOMBINE = &H400
  101. Public Const MEM_COMMIT = &H1000
  102. Public Const MEM_RESERVE = &H2000
  103. Public Const MEM_DECOMMIT = &H4000
  104. Public Const MEM_RELEASE = &H8000
  105. Public Const MEM_FREE = &H10000
  106. Public Const MEM_PRIVATE = 20000
  107. Public Const MEM_MAPPED = &H40000
  108. Public Const MEM_RESET = &H80000
  109. Public Const MEM_TOP_DOWN = &H100000
  110. Public Const MEM_WRITE_WATCH = &H200000
  111. Public Const MEM_PHYSICAL = &H400000
  112. Public Const MEM_ROTATE = &H800000
  113. Public Const MEM_LARGE_PAGES = &H20000000
  114. Public Const MEM_4MB_PAGES = &H80000000
  115.  
  116. 'typedef LONG (WINAPI *ZWQUERYVIRTUALMEMORY)(
  117. '    HANDLE ProcessHandle,
  118. '    PVOID BaseAddress,
  119. '    MEMORY_INFORMATION_CLASS MemoryInformationClass,
  120. '    PVOID MemoryInformation,
  121. '    ULONG MemoryInformationLength,
  122. '    PULONG ReturnLength
  123. ');
  124.  
  125. Public Declare Function ZwQueryVirtualMemory Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, ByVal BaseAddress As Long, ByVal MemoryInformationClass As MEMORY_INFORMATION_CLASS, ByVal MemoryInformation As Long, ByVal MemoryInformationLength As Long, ByVal ReturnLength As Long) As Long
  126.  
  127. Public Declare Function GetCurrentProcess Lib "kernel32" () As Long
  128.  
  129. Public Declare Function VirtualQuery Lib "kernel32" (ByRef lpAddress As Any, ByRef lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
  130.  
  131. Public Declare Sub ZeroMemory Lib "kernel32.dll" Alias "RtlZeroMemory" (Destination As Any, ByVal Length As Long)
  132.  
  133. Public Declare Sub RtlMoveMemory Lib "kernel32.dll" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)
  134.  
  135.  
  136.  
  137. Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
  138. Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
  139. Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
  140. Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
  141. Public Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long
  142.  
  143. Public Const PROCESS_ALL_ACCESS = &H1F0FFF  'Specifies all possible access flags for the process object.
  144. Public Const PROCESS_CREATE_THREAD = &H2   'Enables using the process handle in the CreateRemoteThread function to create a thread in the process.
  145. Public Const PROCESS_DUP_HANDLE = &H40  'Enables using the process handle as either the source or target process in the DuplicateHandle function to duplicate a handle.
  146. Public Const PROCESS_QUERY_INFORMATION = &H400 'Enables using the process handle in the GetExitCodeProcess and GetPriorityClass functions to read information from the process object.
  147. Public Const PROCESS_SET_INFORMATION = &H200  'Enables using the process handle in the SetPriorityClass function to set the priority class of the process.
  148. Public Const PROCESS_TERMINATE = &H1 'Enables using the process handle in the TerminateProcess function to terminate the process.
  149. Public Const PROCESS_VM_OPERATION = &H8 'Enables using the process handle in the VirtualProtectEx and WriteProcessMemory functions to modify the virtual memory of the process.
  150. Public Const PROCESS_VM_READ = &H10     'Enables using the process handle in the ReadProcessMemory function to read from the virtual memory of the process.
  151. Public Const PROCESS_VM_WRITE = &H20 'Enables using the process handle in the WriteProcessMemory function to write to the virtual memory of the process.
  152. Public Const SYNCHRONIZE = &H100000   'Enables using the process handle in any of the wait functions to wait for the process to terminate.
  153.  
  154. Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)
  155.  
  156. 'The WideCharToMultiByte function maps a wide-character string to a new character string.
  157. 'The function is faster when both lpDefaultChar and lpUsedDefaultChar are NULL.
  158.  
  159. 'CodePage
  160. Private Const CP_ACP = 0 'ANSI
  161. Private Const CP_MACCP = 2 'Mac
  162. Private Const CP_OEMCP = 1 'OEM
  163. Private Const CP_UTF7 = 65000
  164. Private Const CP_UTF8 = 65001
  165.  
  166. 'dwFlags
  167. Private Const WC_NO_BEST_FIT_CHARS = &H400
  168. Private Const WC_COMPOSITECHECK = &H200
  169. Private Const WC_DISCARDNS = &H10
  170. Private Const WC_SEPCHARS = &H20 'Default
  171. Private Const WC_DEFAULTCHAR = &H40
  172.  
  173. Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, ByVal lpMultiByteStr As Long, ByVal cbMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long
  174.  
  175. Public Function ByteArrayToString(Bytes() As Byte) As String
  176. Dim iUnicode As Long, i As Long, j As Long
  177.  
  178. On Error Resume Next
  179. i = UBound(Bytes)
  180.  
  181. If (i < 1) Then
  182.    'ANSI, just convert to unicode and return
  183.    ByteArrayToString = StrConv(Bytes, vbUnicode)
  184.    Exit Function
  185. End If
  186. i = i + 1
  187.  
  188. 'Examine the first two bytes
  189. CopyMemory iUnicode, Bytes(0), 2
  190.  
  191. If iUnicode = Bytes(0) Then 'Unicode
  192.    'Account for terminating null
  193.    If (i Mod 2) Then i = i - 1
  194.    'Set up a buffer to recieve the string
  195.    ByteArrayToString = String$(i / 2, 0)
  196.    'Copy to string
  197.    CopyMemory ByVal StrPtr(ByteArrayToString), Bytes(0), i
  198. Else 'ANSI
  199.    ByteArrayToString = StrConv(Bytes, vbUnicode)
  200. End If
  201. End Function
  202.  
  203. Public Function StringToByteArray(strInput As String, Optional bReturnAsUnicode As Boolean = True, Optional bAddNullTerminator As Boolean = False) As Byte()
  204. Dim lRet As Long
  205. Dim bytBuffer() As Byte
  206. Dim lLenB As Long
  207.  
  208. If bReturnAsUnicode Then
  209.    'Number of bytes
  210.    lLenB = LenB(strInput)
  211.    'Resize buffer, do we want terminating null?
  212.    If bAddNullTerminator Then
  213.        ReDim bytBuffer(lLenB)
  214.    Else
  215.        ReDim bytBuffer(lLenB - 1)
  216.    End If
  217.    'Copy characters from string to byte array
  218.    CopyMemory bytBuffer(0), ByVal StrPtr(strInput), lLenB
  219. Else
  220.    'METHOD ONE
  221. '        'Get rid of embedded nulls
  222. '        strRet = StrConv(strInput, vbFromUnicode)
  223. '        lLenB = LenB(strRet)
  224. '        If bAddNullTerminator Then
  225. '            ReDim bytBuffer(lLenB)
  226. '        Else
  227. '            ReDim bytBuffer(lLenB - 1)
  228. '        End If
  229. '        CopyMemory bytBuffer(0), ByVal StrPtr(strInput), lLenB
  230.  
  231.    'METHOD TWO
  232.    'Num of characters
  233.    lLenB = Len(strInput)
  234.    If bAddNullTerminator Then
  235.        ReDim bytBuffer(lLenB)
  236.    Else
  237.        ReDim bytBuffer(lLenB - 1)
  238.    End If
  239.    lRet = WideCharToMultiByte(CP_ACP, 0&, ByVal StrPtr(strInput), -1, ByVal VarPtr(bytBuffer(0)), lLenB, 0&, 0&)
  240. End If
  241.  
  242. StringToByteArray = bytBuffer
  243. End Function
  244.  

Form:
Agregar RitchTextBox (llenar el texto), un Label (para el address del for) y un CommandButton (acción)
Código
  1. Private Sub Command1_Click()
  2. 'MEMORY_BASIC_INFORMATION mbi;
  3. Dim mbi As MEMORY_BASIC_INFORMATION
  4.  
  5. 'MODULE_INFORMATION mi;
  6. Dim mi As MODULE_INFORMATION
  7.  
  8. 'BYTE szBuffer[MAX_PATH * 2 + 4] = { 0 };
  9. Dim szBuffer(523) As Byte
  10.  
  11. Dim i As Integer
  12.  
  13. 'PUNICODE_STRING usSectionName;
  14. Dim usSectionName As UNICODE_STRING
  15.  
  16. Dim hProcess As Long
  17.  
  18. hProcess = GetCurrentProcess()
  19.  
  20. Dim Addr As Long
  21.  
  22. Dim READABLE As Long
  23.  
  24. READABLE = (PAGE_EXECUTE_READ + PAGE_EXECUTE_READWRITE + PAGE_EXECUTE_WRITECOPY + PAGE_READONLY + PAGE_READWRITE + PAGE_WRITECOPY)
  25.  
  26. txtSections.Text = ""
  27.  
  28. Addr = 0
  29.  
  30. Dim hRet As Long
  31. Dim asd As String
  32.  
  33. Dim zBytes() As Byte
  34.  
  35. txtSections.Visible = False
  36.  
  37. ReDim zBytes(0) As Byte
  38.  
  39. While VirtualQuery(Addr, mbi, 28)
  40.    DoEvents
  41.    Label1.Caption = "0x" & Hex(Addr)
  42.    If (mbi.State And MEM_COMMIT) Then
  43.        If (mbi.AllocationProtect And READABLE) Then
  44.            hRet = ZwQueryVirtualMemory(hProcess, Addr, MemoryBasicInformation, VarPtr(mbi), &H1C, 0&)
  45.  
  46.            txtSections.Text = txtSections.Text & "Add: " & Hex(Addr) & " - Size: " & Hex(mbi.RegionSize) & vbNewLine
  47.  
  48.            For i = LBound(szBuffer) To UBound(szBuffer)
  49.                szBuffer(i) = 0
  50.            Next i
  51.  
  52.            For i = LBound(zBytes) To UBound(zBytes)
  53.                zBytes(i) = 0
  54.            Next i
  55.  
  56.            If (hRet >= 0) Then
  57.                If (mbi.Type <> MEM_FREE) Then
  58.  
  59.                    hRet = ZwQueryVirtualMemory(hProcess, Addr, MemorySectionName, VarPtr(szBuffer(0)), &H20C, 0&)
  60.  
  61.                    If (hRet >= 0) Then
  62.                        Call ZeroMemory(mi, &H234)
  63.                        Call RtlMoveMemory(mi, mbi, &H1C)
  64.  
  65.                        Call ReadProcessMemory(hProcess, VarPtr(szBuffer(0)), usSectionName.Length, &H2, 0&)
  66.                        Call ReadProcessMemory(hProcess, VarPtr(szBuffer(2)), usSectionName.MaximumLength, &H2, 0&)
  67.  
  68.                        ReDim zBytes(usSectionName.Length * 2)
  69.  
  70.                        'How do I know is offset 8? It's simple.... "Aliens"
  71.                        Call ReadProcessMemory(hProcess, VarPtr(szBuffer(8)), zBytes(0), usSectionName.Length * 2, 0&)
  72.  
  73.                        txtSections.Text = txtSections.Text & ByteArrayToString(zBytes) & " (" & usSectionName.Length & "/" & usSectionName.MaximumLength & ")" & vbNewLine & vbNewLine
  74.                    End If
  75.                End If
  76.            End If
  77.        End If
  78.    End If
  79.  
  80.    txtSections.SelStart = Len(txtSections)
  81.  
  82.    If Addr >= &H7FFF0000 Then
  83.        GoTo salir
  84.    End If
  85.    Addr = (mbi.BaseAddress) + mbi.RegionSize
  86. Wend
  87.  
  88. salir:
  89.  
  90. txtSections.Visible = True
  91.  
  92. MsgBox "Done"
  93. End Sub
  94.  

Resultado:
Código
  1. Add: 0 - Size: 1000
  2. Add: 10000 - Size: 1000
  3. Add: 20000 - Size: 1000
  4. Add: 21000 - Size: 1000
  5. Add: 30000 - Size: 1000
  6. Add: 129000 - Size: 1000
  7. Add: 12A000 - Size: 1000
  8. Add: 130000 - Size: 1000
  9. Add: 134000 - Size: 1000
  10. Add: 140000 - Size: 1000
  11. Add: 141000 - Size: 1000
  12. Add: 150000 - Size: 1000
  13. \Device\HarddiskVolume2\Windows\System32\locale.nls
  14.  
  15. Add: 1B7000 - Size: 1000
  16. Add: 1C0000 - Size: 1000
  17. Add: 1C1000 - Size: 1000
  18. Add: 1D0000 - Size: 1000
  19. Add: 1DA000 - Size: 1000
  20. Add: 1E0000 - Size: 1000
  21. Add: 1E7000 - Size: 1000
  22. Add: 1F0000 - Size: 1000
  23. Add: 1F2000 - Size: 1000
  24. Add: 200000 - Size: 1000
  25. Add: 201000 - Size: 1000
  26. Add: 210000 - Size: 1000
  27. Add: 211000 - Size: 1000
  28. Add: 220000 - Size: 1000
  29. Add: 222000 - Size: 1000
  30. Add: 230000 - Size: 1000
  31. Add: 232000 - Size: 1000
  32. Add: 240000 - Size: 1000
  33. Add: 241000 - Size: 1000
  34. Add: 250000 - Size: 1000
  35. Add: 252000 - Size: 1000
  36. Add: 260000 - Size: 1000
  37. Add: 2F3000 - Size: 1000
  38. Add: 360000 - Size: 1000
  39. Add: 361000 - Size: 1000
  40. Add: 370000 - Size: 1000
  41. \Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX
  42.  
  43. Add: 37D000 - Size: 1000
  44. Add: 380000 - Size: 1000
  45. \Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
  46. Add: 3D0000 - Size: 1000
  47. Add: 3D1000 - Size: 1000
  48. Add: 3E0000 - Size: 1000
  49. Add: 400000 - Size: 1000
  50. \Device\HarddiskVolume2\Misery-PC\[New Programming 2014]\[AO]\OffiHack\test\Project1.exe
  51.  
  52. Add: 401000 - Size: 1000
  53. \Device\HarddiskVolume2\Misery-PC\[New Programming 2014]\[AO]\OffiHack\test\Project1.exe
  54.  
  55. Add: 42D000 - Size: 1000
  56. \Device\HarddiskVolume2\Misery-PC\[New Programming 2014]\[AO]\OffiHack\test\Project1.exe
  57.  
  58. Add: 430000 - Size: 1000
  59. \Device\HarddiskVolume2\Misery-PC\[New Programming 2014]\[AO]\OffiHack\test\Project1.exe
  60.  
  61. Add: 431000 - Size: 1000
  62. Add: 440000 - Size: 1000
  63. Add: 441000 - Size: 1000
  64. Add: 4C0000 - Size: 1000
  65. Add: 4E0000 - Size: 1000
  66. Add: 4E3000 - Size: 1000
  67. Add: 4F0000 - Size: 1000
  68. Add: 4FF000 - Size: 1000
  69. Add: 5B0000 - Size: 1000
  70. Add: 5B3000 - Size: 1000
  71. Add: 5B8000 - Size: 1000
  72. Add: 5C0000 - Size: 1000
  73. Add: 6C1000 - Size: 1000
  74. Add: 6D0000 - Size: 1000
  75. Add: 87A000 - Size: 1000
  76. Add: 12D0000 - Size: 1000
  77. Add: 12E0000 - Size: 1000
  78. Add: 16D0000 - Size: 1000
  79. \Device\HarddiskVolume2\Windows\Globalization\Sorting\SortDefault.nls
  80.  
  81. Add: 199F000 - Size: 1000
  82. Add: 19A0000 - Size: 1000
  83. Add: 1A7F000 - Size: 1000
  84. Add: 1A80000 - Size: 1000
  85. Add: 1A82000 - Size: 1000
  86. Add: 1B80000 - Size: 1000
  87. Add: 1B90000 - Size: 1000
  88. Add: 1BAE000 - Size: 1000
  89. Add: 1BD0000 - Size: 1000
  90. Add: 1CF0000 - Size: 1000
  91. Add: 1CF2000 - Size: 1000
  92. Add: 1D00000 - Size: 1000
  93. Add: 1D90000 - Size: 1000
  94. Add: 1DD0000 - Size: 1000
  95. Add: 1F00000 - Size: 1000
  96. Add: 1F03000 - Size: 1000
  97. Add: 1F10000 - Size: 1000
  98. Add: 1FA0000 - Size: 1000
  99. Add: 1FC7000 - Size: 1000
  100. Add: 1FE0000 - Size: 1000
  101. Add: 2356000 - Size: 1000
  102. Add: 2360000 - Size: 1000
  103. Add: 2370000 - Size: 1000
  104. Add: 2760000 - Size: 1000
  105. Add: 2B61000 - Size: 1000
  106. Add: 2B70000 - Size: 1000
  107. \Device\HarddiskVolume2\Windows\Fonts\StaticCache.dat
  108.  
  109. Add: 34A0000 - Size: 1000
  110. Add: 35D0000 - Size: 1000
  111. Add: 35D1000 - Size: 1000
  112. Add: 35E0000 - Size: 1000
  113. Add: 10000000 - Size: 1000
  114. \Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll
  115.  
  116. Add: 10001000 - Size: 1000
  117. \Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll
  118.  
  119. Add: 10002000 - Size: 1000
  120. \Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll
  121.  
  122. Add: 10003000 - Size: 1000
  123. \Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll
  124.  
  125. Add: 10004000 - Size: 1000
  126. \Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll
  127.  
  128. Add: 10005000 - Size: 1000
  129. Add: 20000000 - Size: 1000
  130. \Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
  131.  
  132. Add: 20001000 - Size: 1000
  133. \Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
  134.  
  135. Add: 2001E000 - Size: 1000
  136. \Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
  137.  
  138. Add: 2001F000 - Size: 1000
  139. \Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
  140.  
  141. Add: 20030000 - Size: 1000
  142. \Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
  143.  
  144. Add: 20032000 - Size: 1000
  145. Add: 212F0000 - Size: 1000
  146. \Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX
  147.  
  148. Add: 212F1000 - Size: 1000
  149. \Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX
  150.  
  151. Add: 21313000 - Size: 1000
  152. \Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX
  153.  
  154. Add: 21316000 - Size: 1000
  155. \Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX
  156.  
  157. Add: 21321000 - Size: 1000
  158. \Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX
  159.  
  160. Add: 21323000 - Size: 1000
  161. Add: 5C290000 - Size: 1000
  162. \Device\HarddiskVolume2\Windows\System32\oledlg.dll
  163.  
  164. Add: 5C291000 - Size: 1000
  165. \Device\HarddiskVolume2\Windows\System32\oledlg.dll
  166.  
  167. Add: 5C2A5000 - Size: 1000
  168. \Device\HarddiskVolume2\Windows\System32\oledlg.dll
  169.  
  170. Add: 5C2A6000 - Size: 1000
  171. \Device\HarddiskVolume2\Windows\System32\oledlg.dll
  172.  
  173. Add: 5C2A7000 - Size: 1000
  174. \Device\HarddiskVolume2\Windows\System32\oledlg.dll
  175.  
  176. Add: 5C2AC000 - Size: 1000
  177. Add: 65D90000 - Size: 1000
  178. \Device\HarddiskVolume2\Windows\System32\riched20.dll
  179.  
  180. Add: 65D91000 - Size: 1000
  181. \Device\HarddiskVolume2\Windows\System32\riched20.dll
  182.  
  183. Add: 65DF7000 - Size: 1000
  184. \Device\HarddiskVolume2\Windows\System32\riched20.dll
  185.  
  186. Add: 65DF8000 - Size: 1000
  187. \Device\HarddiskVolume2\Windows\System32\riched20.dll
  188.  
  189. Add: 65E06000 - Size: 1000
  190. Add: 713E0000 - Size: 1000
  191. \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll
  192.  
  193. Add: 713E1000 - Size: 1000
  194. \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll
  195.  
  196. Add: 71456000 - Size: 1000
  197. \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll
  198.  
  199. Add: 71458000 - Size: 1000
  200. \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll
  201.  
  202. Add: 71459000 - Size: 1000
  203. \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll
  204.  
  205. Add: 71464000 - Size: 1000
  206. Add: 72940000 - Size: 1000
  207. \Device\HarddiskVolume2\Windows\System32\msvbvm60.dll
  208.  
  209. Add: 72941000 - Size: 1000
  210. \Device\HarddiskVolume2\Windows\System32\msvbvm60.dll
  211.  
  212. Add: 72A4A000 - Size: 1000
  213. \Device\HarddiskVolume2\Windows\System32\msvbvm60.dll
  214.  
  215. Add: 72A51000 - Size: 1000
  216. \Device\HarddiskVolume2\Windows\System32\msvbvm60.dll
  217.  
  218. Add: 72A52000 - Size: 1000
  219. \Device\HarddiskVolume2\Windows\System32\msvbvm60.dll
  220.  
  221. Add: 72A93000 - Size: 1000
  222. Add: 742C0000 - Size: 1000
  223. \Device\HarddiskVolume2\Windows\System32\riched32.dll
  224.  
  225. Add: 742C1000 - Size: 1000
  226. \Device\HarddiskVolume2\Windows\System32\riched32.dll
  227.  
  228. Add: 742C3000 - Size: 1000
  229. \Device\HarddiskVolume2\Windows\System32\riched32.dll
  230.  
  231. Add: 742C4000 - Size: 1000
  232. \Device\HarddiskVolume2\Windows\System32\riched32.dll
  233.  
  234. Add: 742C6000 - Size: 1000
  235. Add: 74640000 - Size: 1000
  236. \Device\HarddiskVolume2\Windows\System32\dwmapi.dll
  237.  
  238. Add: 74641000 - Size: 1000
  239. \Device\HarddiskVolume2\Windows\System32\dwmapi.dll
  240.  
  241. Add: 7464C000 - Size: 1000
  242. \Device\HarddiskVolume2\Windows\System32\dwmapi.dll
  243.  
  244. Add: 7464E000 - Size: 1000
  245. \Device\HarddiskVolume2\Windows\System32\dwmapi.dll
  246.  
  247. Add: 74653000 - Size: 1000
  248. Add: 74C20000 - Size: 1000
  249. \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  250.  
  251. Add: 74C21000 - Size: 1000
  252. \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  253.  
  254. Add: 74D6C000 - Size: 1000
  255. \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  256.  
  257. Add: 74D6E000 - Size: 1000
  258. \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  259.  
  260. Add: 74D6F000 - Size: 1000
  261. \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  262.  
  263. Add: 74DBE000 - Size: 1000
  264. Add: 74DC0000 - Size: 1000
  265. \Device\HarddiskVolume2\Windows\System32\uxtheme.dll
  266.  
  267. Add: 74DC1000 - Size: 1000
  268. \Device\HarddiskVolume2\Windows\System32\uxtheme.dll
  269.  
  270. Add: 74DFA000 - Size: 1000
  271. \Device\HarddiskVolume2\Windows\System32\uxtheme.dll
  272.  
  273. Add: 74DFB000 - Size: 1000
  274. \Device\HarddiskVolume2\Windows\System32\uxtheme.dll
  275.  
  276. Add: 74DFC000 - Size: 1000
  277. \Device\HarddiskVolume2\Windows\System32\uxtheme.dll
  278.  
  279. Add: 74E00000 - Size: 1000
  280. Add: 75C70000 - Size: 1000
  281. \Device\HarddiskVolume2\Windows\System32\cryptbase.dll
  282.  
  283. Add: 75C71000 - Size: 1000
  284. \Device\HarddiskVolume2\Windows\System32\cryptbase.dll
  285.  
  286. Add: 75C79000 - Size: 1000
  287. \Device\HarddiskVolume2\Windows\System32\cryptbase.dll
  288.  
  289. Add: 75C7A000 - Size: 1000
  290. \Device\HarddiskVolume2\Windows\System32\cryptbase.dll
  291.  
  292. Add: 75C7C000 - Size: 1000
  293. Add: 75C80000 - Size: 1000
  294. \Device\HarddiskVolume2\Windows\System32\sxs.dll
  295.  
  296. Add: 75C81000 - Size: 1000
  297. \Device\HarddiskVolume2\Windows\System32\sxs.dll
  298.  
  299. y blablabla
  300.  


« Última modificación: 13 Febrero 2015, 21:10 pm por Miseryk » En línea

Can you see it?
The worst is over
The monsters in my head are scared of love
Fallen people listen up! It’s never too late to change our luck
So, don’t let them steal your light
Don’t let them break your stride
There is light on the other side
And you’ll see all the raindrops falling behind
Make it out tonight
it’s a revolution

CL!!!
okik


Desconectado Desconectado

Mensajes: 462


Ver Perfil
Re: [VB6][SRC] Memory Regions
« Respuesta #1 en: 13 Febrero 2015, 18:44 pm »

Hola,
Esto...disculpa mi ignorancia, pero, no me ha quedado muy claro para que sirve esto.... :¬¬


En línea

Miseryk

Desconectado Desconectado

Mensajes: 225


SI.NU.SA U.GU.DE (2NE1 - D-Unit)


Ver Perfil
Re: [VB6][SRC] Memory Regions
« Respuesta #2 en: 13 Febrero 2015, 20:37 pm »

Para detectar regiones externas.

Edit: como por ejemplo

\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll

Que es un programa externo que inyectó esa DLL.
En línea

Can you see it?
The worst is over
The monsters in my head are scared of love
Fallen people listen up! It’s never too late to change our luck
So, don’t let them steal your light
Don’t let them break your stride
There is light on the other side
And you’ll see all the raindrops falling behind
Make it out tonight
it’s a revolution

CL!!!
Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
memory card
Juegos y Consolas
gorfix 1 2,024 Último mensaje 20 Enero 2005, 01:36 am
por thehiphapper
Memory Stick PRO Duo de ...... ¡¡¡¡ 10 GB!!!
Diseño Gráfico
el-brujo 1 5,153 Último mensaje 16 Septiembre 2005, 20:20 pm
por Sagman
Error 7: Out of memory.
Programación Visual Basic
CRAB 3 2,139 Último mensaje 27 Noviembre 2005, 00:44 am
por Slasher-K
Ayuda con memory.dll C#
.NET (C#, VB.NET, ASP)
ELMU3RT0 1 3,105 Último mensaje 6 Febrero 2022, 00:59 am
por **Aincrad**
Among Us Memory ?? 🤷‍♂️
.NET (C#, VB.NET, ASP)
joseencio 7 4,533 Último mensaje 16 Febrero 2022, 19:14 pm
por **Aincrad**
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines