Mensajes

Solved!

I want to remove all type declares and if possible using MoveMem alternative func but I think I can do this by my own.

Usa el traductor:
http://translate.google.com.sv/?hl=es&tab=wT

Aquí en el foro se escribe español/Castellano, no íngles

I have just edited to spanish

Acabo de editar al español

Hi! Can anyone help me removing Type declares and using MoveMem alternative in that code:

Spanish:

¡Hola! ¿Puede alguien ayudarme a eliminar el tipo de declara y el uso de alternativas MoveMem en ese código:

Código [Seleccionar] Expandir

Option Explicit

Private Declare Function GetModuleHandle Lib "KERNEL32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long

Private Type IMAGE_DOS_HEADER
   e_magic                 As Integer
   e_cblp                  As Integer
   e_cp                    As Integer
   e_crlc                  As Integer
   e_cparhdr               As Integer
   e_minalloc              As Integer
   e_maxalloc              As Integer
   e_ss                    As Integer
   e_sp                    As Integer
   e_csum                  As Integer
   e_ip                    As Integer
   e_cs                    As Integer
   e_lfarlc                As Integer
   e_onvo                  As Integer
   e_res(0 To 3)           As Integer
   e_oemid                 As Integer
   e_oeminfo               As Integer
   e_res2(0 To 9)          As Integer
   e_lfanew                As Long
End Type

Private Type IMAGE_FILE_HEADER
   Machine                 As Integer
   NumberOfSections        As Integer
   TimeDataStamp           As Long
   PointerToSymbolTable    As Long
   NumberOfSymbols         As Long
   SizeOfOptionalHeader    As Integer
   Characteristics         As Integer
End Type

Private Type IMAGE_DATA_DIRECTORY
 VirtualAddress As Long
 isize As Long
End Type

Private Type IMAGE_OPTIONAL_HEADER32
   Magic                   As Integer
   MajorLinkerVersion      As Byte
   MinorLinkerVersion      As Byte
   SizeOfCode              As Long
   SizeOfInitalizedData    As Long
   SizeOfUninitalizedData  As Long
   AddressOfEntryPoint     As Long
   BaseOfCode              As Long
   BaseOfData              As Long
   ImageBase               As Long
   SectionAlignment        As Long
   FileAlignment           As Long
   MajorOperatingSystemVer As Integer
   MinorOperatingSystemVer As Integer
   MajorImageVersion       As Integer
   MinorImageVersion       As Integer
   MajorSubsystemVersion   As Integer
   MinorSubsystemVersion   As Integer
   Reserved1               As Long
   SizeOfImage             As Long
   SizeOfHeaders           As Long
   CheckSum                As Long
   Subsystem               As Integer
   DllCharacteristics      As Integer
   SizeOfStackReserve      As Long
   SizeOfStackCommit       As Long
   SizeOfHeapReserve       As Long
   SizeOfHeapCommit        As Long
   LoaerFlags              As Long
   NumberOfRvaAndSizes     As Long
   DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY
End Type

Private Type IMAGE_SECTION_HEADER
   Name As String * 8
   VirtualSize As Long
   VirtualAddress As Long
   SizeOfRawData As Long
   PointerToRawData As Long
   PointerToRelocations As Long
   PointerToLinenumbers As Long
   NumberOfRelocations As Integer
   NumberOfLinenumbers As Integer
   Characteristics As Long
End Type

Private Type IMAGE_NT_HEADERS
   Signature As Long
   FileHeader As IMAGE_FILE_HEADER
   OptionalHeader As IMAGE_OPTIONAL_HEADER32
End Type

Private Declare Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)

Private Function GetSettings(ByVal szTargetSectionName As String) As String
Dim MZHeader As IMAGE_DOS_HEADER
Dim PEHeader As IMAGE_NT_HEADERS
Dim Section As IMAGE_SECTION_HEADER
Dim pMe As Long, pSection As Long
Dim i As Integer
   If Len(szTargetSectionName) < 1 Then Exit Function
       If Len(szTargetSectionName) > 8 Then szTargetSectionName = Left$(szTargetSectionName, 8)
       pMe = GetModuleHandle(vbNullString)
           If pMe Then
               CopyMemory MZHeader, ByVal pMe, Len(MZHeader)
               If MZHeader.e_magic = "&H5A4D" Then
               CopyMemory PEHeader, ByVal pMe + MZHeader.e_lfanew, Len(PEHeader)
               If PEHeader.Signature = "&H4550" Then
               pSection = pMe + MZHeader.e_lfanew + 24 + PEHeader.FileHeader.SizeOfOptionalHeader
               For i = 0 To PEHeader.FileHeader.NumberOfSections - 1
                   CopyMemory Section, ByVal pSection, Len(Section)
                   If Left(Section.Name, Len(szTargetSectionName)) = szTargetSectionName Then
                       GetSettings = String(Section.VirtualSize, Chr(0))
                       CopyMemory ByVal GetSettings, ByVal pMe + Section.VirtualAddress, Section.VirtualSize
                       Exit For
                   End If
                   pSection = pSection + Len(Section)
               Next i
           End If
       End If
   End If
End Function

Solved! Thanks anyways

Hello guys, can anyone help me invoking these APIs:

Código [Seleccionar] Expandir

Private Declare Function LoadLibraryEx _
                Lib "kernel32.dll" _
                Alias "LoadLibraryExA" (ByVal lpLibFileName As String, _
                                        ByVal hFile As Long, _
                                        ByVal dwFlags As Long) As Long

Private Declare Function EnumResourceNames _
                Lib "kernel32.dll" _
                Alias "EnumResourceNamesA" (ByVal hModule As Long, _
                                            ByVal lpType As Long, _
                                            ByVal lpEnumFunc As Long, _
                                            ByVal lParam As Long) As Boolean

Código [Seleccionar] Expandir

hModule = LoadLibraryEx(szFileName, 0, LOAD_LIBRARY_AS_DATAFILE)

Código [Seleccionar] Expandir

Do While EnumResourceNames(hModule, lResourceType, AddressOf EnumResNameProcSplit, 0) = True
Loop

Thanks a lot!

I love to see anything by Karcrack lol even if its something useless i love it lol you are really awesome karcrack I hope to see more coming from you!

What is the alternative function for WriteProcessMemory guys?

Would be really great if anyone could tell me how to :/

definitivamente hay algo malo no se si es con la API
si hay suerte espero que venga karcrack a resolverlo o alguien mas
yo lo intente por un buen tiempo y no pude el hash esta bien, los parametros se pasan correctamente mi conclusion es que
hay problema con la API

I am now 100% sure it was because of RtlMoveMemory or it must be invoked differently for CallAPIByHash but I found a way to get this working, simply by using vbaCopyBytes =)

Gracias for your help man but I found the problem. The problem is because of RtlMoveMemory, if I don't invoke RtlMoveMemory then it's working. What must be changed on that line to make it working with Invoke by Hash?

'RtlMoveMemory | &HCF14E85B
Invoke ("kernel32"), (&HCF14E85B), VarPtr(B(0)), lpData, Size

Thanks