Elektro, thank you very much.
' Picks the per-build table file (presumably an SSDT listing, judging by the
' names) that matches the running Windows build, reading the build number from
' ntdll's version export instead of GetVersionEx (which compatibility shims
' can alter).
' NOTE(review): the ntdll export is generally known as RtlGetNtVersionNumbers
' (trailing "s") with three 32-bit out-parameters; if the name as declared is
' not found, VB6 raises error 453 at the first call - confirm.
Public Declare Sub RtlGetNtVersionNumber Lib "ntdll.dll" (ByRef MajorVersion As Long, ByRef MinorVersion As Long, ByRef BuildNumber As Integer)
' NOTE(review): BuildNumber is a 2-byte Integer but the callee writes a 4-byte
' value (on real systems the upper bits of the build value are set), so the
' write overruns OsBuild by two bytes on the stack, and the Select Case below
' only matches because the low 16 bits are the bare build. Declaring it As
' Long and masking with &HFFFF& avoids both problems - confirm against the callee.
Dim OsBuild As Integer
Dim MaN As Long, MiN As Long   ' major / minor version; not used after the call
Dim FilePath As String         ' relative name of the table file for this build
Call RtlGetNtVersionNumber(MaN, MiN, OsBuild)
' Only RTM builds are listed: service-pack builds (Vista 6001/6002, Win7 7601)
' fall into Case Else.
Select Case OsBuild
Case 2600              ' Windows XP
FilePath = "\WinXPSssdt.txt"
Case 3750              ' NOTE(review): Server 2003 reports build 3790; 3750 looks like a typo
FilePath = "\Win2k3x86Sssdt.txt"
Case 6000              ' Vista RTM
FilePath = "\VistaX86Sssdt.txt"
Case 7600              ' Windows 7 RTM
FilePath = "\Win7x86Sssdt.txt"
Case 9200              ' Windows 8
FilePath = "\Win8x86Sssdt.txt"
Case 9600              ' Windows 8.1
FilePath = "\Win81x86Sssdt.txt"
Case 10240             ' Windows 10 1507
FilePath = "\Win10Th1x86Sssdt.txt"
Case 10586             ' Windows 10 1511
FilePath = "\Win10Th2x86Sssdt.txt"
Case Else
' No table for this build: report and terminate the program.
MsgBox "Current System is not supported", vbExclamation, "Error": End
End Select
Cita de: fary en 3 Marzo 2016, 22:08 PM
Desgraciadamente no sé Delphi... pero vamos, si la DLL está bien generada es que tiene que funcionar...
Cita de: fary en 3 Marzo 2016, 21:52 PM
Si. La dll como la generas?
// Demo DLL: on process attach it starts a thread that shows a message box.
library Project1;
uses
System.SysUtils,
System.Classes,
Variants,
Winapi.Windows;
// Raised by MakeThread when CreateThread fails.
type ENoThread = class(Exception);
// Thread entry point (stdcall, the convention CreateThread expects). Shows a
// message box and returns. The declared DWORD result is never assigned, so the
// thread's exit code is whatever was left in the result register.
function StartFunc(InVal:DWORD):DWORD;stdcall;
begin
MessageBoxW(0,'I am in your target : Dll file','woO!',0)
end;
// Starts StartFunc on a new thread; raises ENoThread when CreateThread fails.
// The thread handle (AHandle, typed HWND but really a THandle) is never closed.
// NOTE(review): this runs from DLL_PROCESS_ATTACH (see mydllproc), i.e. while
// the loader lock is held, so the new thread does not begin executing until
// DllMain has returned - confirm against the loader semantics in use.
procedure MakeThread;
var AId:DWORD;
AHandle:HWND;
begin
AHandle:=CreateThread(nil,0,@StartFunc,nil,0,AId);
if (AHandle = 0) then raise ENoThread.Create('Could not create thread');
end;
// DllMain hook installed via DllProc. Only DLL_PROCESS_ATTACH is handled;
// detach and thread notifications fall through the case statement.
procedure mydllproc(Reason: Integer);
begin
case Reason of
DLL_PROCESS_ATTACH:
begin
MakeThread;
end;
end;
end;
// Library initialization: register the hook, then invoke it once by hand for
// the initial attach (this block itself runs on DLL_PROCESS_ATTACH, and DllProc
// is presumably only called for later notifications - confirm).
begin
DllProc := mydllproc;
mydllproc(DLL_PROCESS_ATTACH);
end.
Cita de: fary en 3 Marzo 2016, 21:16 PM
El código funciona....
Citar
[IMPORTANT: 32-BIT / 64-BIT]
This is a portability table:
32bit program inject 32bit dll in a 32bit target
32bit program inject 64bit dll in a 64bit target
64bit program inject 32bit dll in a 32bit target
64bit program inject 64bit dll in a 64bit target
Option Explicit
' --- Win32 constants, types and Declares shared by the helpers below ---
' WaitForSingleObject timeout. &HFFFF is a 16-bit Integer literal equal to -1
' in VB6; widened to Long it becomes &HFFFFFFFF, the Win32 INFINITE value
' (written -1& or &HFFFFFFFF it would say so explicitly).
Private Const INFINITE As Long = &HFFFF
' Token access rights for OpenProcessToken.
Private Const TOKEN_ADJUST_PRIVILEGES As Long = &H20
Private Const TOKEN_QUERY As Long = &H8
Private Const SE_PRIVILEGE_ENABLED As Long = &H2
Private Const ANYSIZE_ARRAY As Long = 1
' Privilege requested by AdjustPrivileges. Only accounts that already hold it
' (administrators by default) can enable it; for others the request is
' reported as ERROR_NOT_ALL_ASSIGNED.
Private Const SE_DEBUG_NAME As String = "SeDebugPrivilege"
Private Const PAGE_READWRITE As Long = &H4
' NOTE(review): &H8000 is the 16-bit Integer literal -32768; widened to Long it
' is &HFFFF8000, not the Win32 MEM_RELEASE value &H8000 (the Long literal is
' &H8000&). As declared, VirtualFreeEx rejects the flag and the remote
' allocation is never released.
Private Const MEM_RELEASE As Long = &H8000
Private Const MEM_COMMIT As Long = &H1000
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_VM_OPERATION As Long = (&H8)
Private Const PROCESS_VM_WRITE As Long = (&H20)
Private Const TH32CS_SNAPPROCESS As Long = 2&
' Full process access mask (pre-Vista definition with &HFFF specific rights).
' Asking for this much on another process is itself a strong signal in
' handle-access auditing.
Private Const PROCESS_ALL_ACCESS As Long = _
(STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or PROCESS_VM_WRITE Or PROCESS_VM_OPERATION Or &HFFF)
' ANSI PROCESSENTRY32, as filled by Process32First/Process32Next (see Aliases).
Private Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szexeFile As String * 260   ' MAX_PATH; NUL-terminated image file name
End Type
Private Type Luid
lowpart As Long
highpart As Long
End Type
Private Type LUID_AND_ATTRIBUTES
pLuid As Luid
Attributes As Long
End Type
' No Option Base, so Privileges(ANYSIZE_ARRAY) is 0 To 1 (two entries);
' AdjustPrivileges fills index 0 only and sets PrivilegeCount = 1.
Private Type TOKEN_PRIVILEGES
PrivilegeCount As Long
Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type
' kernel32 / advapi32 entry points. Parameters without ByVal are ByRef in VB6
' (a pointer is passed); the "As Any" and structure parameters rely on that,
' and callers pass explicit ByVal where the API wants a plain value.
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' lpThreadAttributes / lpStartAddress are ByRef Longs here; InjectByPID passes
' them with explicit ByVal so the API sees NULL and the function address.
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
' NOTE(review): the Win32 prototype takes lpAddress and dwSize by value. With
' both ByRef here, a caller passing a Long variable hands over that variable's
' address instead of the remote address (see the calls in InjectByPID).
Private Declare Function VirtualFreeEx Lib "kernel32.dll" (ByVal hProcess As Long, ByRef lpAddress As Any, ByRef dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As Luid) As Long
' PreviousState / ReturnLength are ByRef; passing the literal 0& therefore
' passes a pointer to a temporary, not NULL (see AdjustPrivileges).
Private Declare Function AdjustTokenPrivileges Lib "advapi32" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As Any, ReturnLength As Long) As Long
' Returns the current-process pseudo-handle (-1), not a PID.
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32.dll" (ByVal lFlags As Long, lProcessID As Long) As Long
Private Declare Function ProcessFirst Lib "kernel32.dll" Alias "Process32First" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function ProcessNext Lib "kernel32.dll" Alias "Process32Next" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
' Loads sDllPath into process lProcessID by the classic remote-thread route:
' OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
' with kernel32!LoadLibraryA as the start address. Returns True only when every
' step succeeded; any failure jumps to InjectByPID_Error and returns False.
' From a monitoring standpoint this exact sequence (SeDebugPrivilege
' enablement, PROCESS_ALL_ACCESS handle, RW allocation in another process,
' remote thread starting at LoadLibraryA) is the pattern remote-thread
' telemetry such as Sysmon event ID 8 exists to surface.
Public Function InjectByPID(ByVal sDllPath As String, ByVal lProcessID As Long) As Boolean
Dim lProc As Long      ' handle to the target process
Dim lLibAdd As Long    ' address of LoadLibraryA in this process's kernel32
Dim lMem As Long       ' remote buffer holding the DLL path
Dim lRet As Long       ' bytes written by WriteProcessMemory
Dim lThread As Long    ' handle to the remote thread; never closed
On Local Error GoTo InjectByPID_Error
'// Adjust token privileges to open system processes. GetCurrentProcess yields
'// a pseudo-handle, not a PID, despite the callee's parameter name.
Call AdjustPrivileges(GetCurrentProcess)
'// Open the process with all access
lProc = OpenProcess(PROCESS_ALL_ACCESS, False, lProcessID)
If lProc = 0 Then GoTo InjectByPID_Error
'// Get the address of LoadLibrary. Resolved in this process and reused in the
'// target, which only holds when kernel32 is mapped at the same base there
'// (same bitness, same boot - see the 32/64-bit table above).
lLibAdd = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA")
If lLibAdd = 0 Then GoTo InjectByPID_Error
'// Allocate memory to hold the path to the Dll File in the process's memory.
'// NOTE(review): Len(sDllPath) excludes the terminating NUL; the string is only
'// terminated because a fresh allocation is zero-filled.
lMem = VirtualAllocEx(lProc, 0, Len(sDllPath), MEM_COMMIT, PAGE_READWRITE)
If lMem = 0 Then GoTo InjectByPID_Error
'// Write the path to the Dll File in the location just created. ByVal on a
'// String passes the ANSI buffer pointer. The text is copied verbatim; no path
'// resolution happens on this side.
Call WriteProcessMemory(lProc, ByVal lMem, ByVal sDllPath, Len(sDllPath), lRet)
If lRet = 0 Then GoTo InjectByPID_Error
'// Create a remote thread that begins at LoadLibraryA and receives the remote
'// buffer as its single argument.
lThread = CreateRemoteThread(lProc, ByVal 0, 0, ByVal lLibAdd, ByVal lMem, 0, 0&)
If lThread = 0 Then GoTo InjectByPID_Error
'// Wait for the thread to finish
Call WaitForSingleObject(lThread, INFINITE)
'// Free the memory created on the other process.
'// NOTE(review): VirtualFreeEx is declared with lpAddress ByRef, so this passes
'// the address of the local lMem rather than the remote address, and
'// MEM_RELEASE requires a size of 0 - in practice the remote buffer (holding
'// the DLL path) stays allocated, which is also a forensic artifact.
Call VirtualFreeEx(lProc, lMem, Len(sDllPath), MEM_RELEASE)
'//Release the handle to the other process
Call CloseHandle(lProc)
InjectByPID = True
On Error GoTo 0
Exit Function
InjectByPID_Error:
'// Error path: same cleanup with lProc / lMem possibly still 0; the function
'// keeps its default return value False.
'// Free the memory created on the other process
Call VirtualFreeEx(lProc, lMem, Len(sDllPath), MEM_RELEASE)
'//Release the handle to the other process
Call CloseHandle(lProc)
End Function
' Enables SeDebugPrivilege on the token of the given process handle (the
' parameter is named like a PID, but InjectByPID passes the GetCurrentProcess
' pseudo-handle). Returns True when AdjustTokenPrivileges itself succeeded.
' NOTE(review): a non-zero return does not mean the privilege is now held -
' when the account does not hold SeDebugPrivilege the call still returns
' non-zero and sets ERROR_NOT_ALL_ASSIGNED, which is why standard (non-admin)
' accounts cannot open other users' processes this way.
Public Function AdjustPrivileges(ByVal lProcessID As Long) As Boolean
Dim lToken As Long                         ' token handle; never closed (leak)
Dim tTOKEN_PRIVILEGES As TOKEN_PRIVILEGES
On Local Error GoTo AdjustPrivileges_Error
If Not OpenProcessToken(lProcessID, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, lToken) = 0 Then
With tTOKEN_PRIVILEGES
' Resolve the LUID of "SeDebugPrivilege" on the local system (vbNullString = NULL).
If LookupPrivilegeValue(vbNullString, SE_DEBUG_NAME, .Privileges(0).pLuid) = 0 Then
Exit Function
End If
.PrivilegeCount = 1
.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
End With
' NOTE(review): PreviousState is "As Any" ByRef, so the literal 0& is passed as
' a pointer to a 4-byte temporary while BufferLength claims
' Len(tTOKEN_PRIVILEGES) bytes; ByVal 0& would pass NULL as intended.
If Not AdjustTokenPrivileges(lToken, 0, tTOKEN_PRIVILEGES, Len(tTOKEN_PRIVILEGES), 0&, 0&) = 0 Then
AdjustPrivileges = True
End If
End If
On Error GoTo 0
Exit Function
AdjustPrivileges_Error:
' Any runtime error lands here and the function returns False.
End Function
'Get PID
' Returns the PID of a running process whose image name equals ProcessName
' (case-insensitive). When the name occurs more than once the second match is
' returned, otherwise the first; 0 when nothing matches or no snapshot could
' be taken. Progress is echoed with Debug.Print.
Public Function whereISmyFUFUprocess(ByVal ProcessName As String) As Long
    Dim hSnap As Long
    Dim entry As PROCESSENTRY32
    Dim candidatePid As Long
    Dim seenOnce As Boolean
    Dim exeName As String
    Dim wanted As String

    seenOnce = False
    wanted = LCase(ProcessName)

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
    If hSnap = -1 Then Exit Function   ' INVALID_HANDLE_VALUE

    entry.dwSize = Len(entry)
    If ProcessFirst(hSnap, entry) = 1 Then
        Do
            ' szexeFile is a NUL-terminated ANSI buffer; cut it at the first NUL.
            exeName = LCase(Left$(entry.szexeFile, InStr(1, entry.szexeFile, vbNullChar) - 1))
            If exeName = wanted Then
                candidatePid = entry.th32ProcessID
                Debug.Print "First process found with PID: " & candidatePid
                If seenOnce Then
                    Debug.Print "Second process found with PID: " & candidatePid
                    whereISmyFUFUprocess = candidatePid
                    Exit Do
                End If
                seenOnce = True
            End If
        Loop While ProcessNext(hSnap, entry)
    End If

    ' Fall back to the single match (or 0 when there was none).
    If whereISmyFUFUprocess = 0 Then whereISmyFUFUprocess = candidatePid
    Call CloseHandle(hSnap)
End Function
' Blocking delay in milliseconds; used by Command1_Click as a fixed wait.
Private Declare Sub Sleep Lib "kernel32.dll" (ByVal dwMilliseconds As Long)
' Demo driver: starts a fresh notepad, waits a fixed second for it to appear
' in the process list, resolves its PID by image name and injects the DLL.
' whereISmyFUFUprocess prefers the second match, i.e. the instance just
' started when one was already open. Timing rests entirely on the two sleeps,
' and the DLL name is passed through to the target unchanged (see InjectByPID).
Private Sub Command1_Click()
Dim PID As Long
' // Run Notepad
Shell "notepad.exe", vbNormalFocus
Sleep 1000
PID = whereISmyFUFUprocess("notepad.exe")
Sleep 1000
' PID is not checked for 0 here; InjectByPID would then most likely fail at OpenProcess.
InjectByPID "Project1.dll", PID
End Sub
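' Desktop Window Manager composition control (dwmapi.dll, Vista / 7 era;
' on Windows 8 and later composition is reportedly always on and this call
' is documented as deprecated - confirm for the target systems).
Private Const DWM_EC_DISABLECOMPOSITION As Long = 0
Private Const DWM_EC_ENABLECOMPOSITION As Long = 1
' HRESULT DwmEnableComposition(UINT uCompositionAction): the action is passed
' by value. The Declare previously left the parameter ByRef (VB6's default),
' so the API received the address of the argument instead of 0 or 1 and would
' presumably reject it as an invalid argument. Returns an HRESULT; check it
' with SUCCEEDED / FAILED.
Private Declare Function DwmEnableComposition Lib "dwmapi" (ByVal uCompositionAction As Long) As Long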
' True when the HRESULT's severity bit is clear, i.e. hr is zero or positive.
Private Function SUCCEEDED(hr As Long) As Boolean
    If hr < 0 Then
        SUCCEEDED = False
    Else
        SUCCEEDED = True
    End If
End Function
' True when the HRESULT's severity bit is set, i.e. hr is negative.
Private Function FAILED(hr As Long) As Boolean
    FAILED = Not (hr >= 0)
End Function
' Form start-up: asks DWM to switch desktop composition off and tells the user
' whether that worked (messages are in French, as elsewhere in this form).
Private Sub Form_Load()
    Dim hr As Long
    hr = DwmEnableComposition(DWM_EC_DISABLECOMPOSITION)
    If FAILED(hr) Then
        MsgBox "Vista Aero n'a pas pu etre Desactive"
    Else
        MsgBox "Vista Aero est Desactive"
    End If
End Sub
' Form shutdown: echoes the Cancel / UnloadMode arguments (debugging aid), then
' asks DWM to switch desktop composition back on and reports the outcome.
Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
    Dim hr As Long
    MsgBox Cancel
    MsgBox UnloadMode
    hr = DwmEnableComposition(DWM_EC_ENABLECOMPOSITION)
    If FAILED(hr) Then
        MsgBox "Vista Aero n'a pas pu etre active"
    Else
        MsgBox "Vista Aero est Active"
    End If
End Sub