C a VB6, Ayuda :P

Iniciado por F3B14N, 29 Septiembre 2010, 05:46 AM

0 Miembros y 1 Visitante están viendo este tema.

F3B14N

Hola c0ders, hace mucho que quiero intento portar este source, y ahora me volvio la urgencia de este code, le agradeceria mucho que solucionaran los errorsillos que tiene (estoy confundido con los dwDataSize y dwCallSize, me confundo con el tipo de variables al calcular los datos e intento pero no logro :( )...
Codigo C: http://www.rohitab.com/discuss/topic/31453-cc-createremotethreadex%3B/

VB6:
Private Declare Function GetModuleHandle Lib "KERNEL32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "KERNEL32" (ByVal hModule As Long, ByVal lpProcName As String) As Long

Private Declare Function HeapAlloc Lib "KERNEL32" (ByVal hHeap As Long, ByVal dwFlags As Long, ByVal dwBytes As Long) As Long
Private Declare Function GetProcessHeap Lib "KERNEL32" () As Long
Private Declare Function HeapFree Lib "KERNEL32" (ByVal hHeap As Long, ByVal dwFlags As Long, ByRef lpMem As Any) As Long
Private Declare Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As Long, ByRef lpAddress As Any, ByRef dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByRef lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long
Private Declare Sub CopyMemory Lib "MSVBVM60" Alias "__vbaCopyBytes" (ByVal Size As Long, Dest As Any, Source As Any)

Private Declare Function CreateRemoteThread Lib "KERNEL32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long

Private Const MEM_COMMIT = &H1000
Private Const PAGE_EXECUTE_READWRITE As Long = &H40
Private Const HEAP_ZERO_MEMORY As Long = &H8

Private Function CreateRemoteThreadEx(hProcess As Long, _
                                      lpThreadAttributes As Variant, _
                                      dwStackSize As Long, _
                                      lpStartAddress As Long, _
                                      dwCreationFlags As Long, _
                                      lpThreadId As Long, _
                                      ParamArray vParameters() As Variant)
    Dim ASM_CALLGATE(39) As Byte
    Dim lpLocal As Long
    Dim lpRemote As Long
    Dim lpData As Long
    Dim lpCode As Long
    Dim dwAmount  As Long
    Dim dwDataSize As Long
    Dim dwCallSize  As Long
    Dim dwWritten  As Long
   
    Dim i As Long
   
   '{
        ' CALL $+0x1D
        ' PUSH EAX
        ' PUSH 90C35858 (code for POP EAX\nPOP EAX\nRETN)"
        ' PUSH MEM_RELEASE
        ' PUSH 1
        ' PUSH 00000000 (-> PUSH lpRemote)
        ' PUSH ESP
        ' ADD DWORD [ESP], 0x0C
        ' PUSH 00000000 (-> PUSH VirtualFree)
        ' RETN
        ' PUSH 00000000 (-> PUSH lpStartAddress)
        ' RETN
    '}
   
    For i = 0 To 39
        ASM_CALLGATE(i) = CByte(Choose(i + 1, &HE8, &H1D, &H0, &H0, &H0, &H50, &H68, &H58, &H58, &HC3, &H90, &H68, &H0, &H40, _
                                              &H0, &H0, &H6A, &H1, &H68, &H0, &H0, &H0, &H0, &H54, &H83, &H4, &H24, &HC, _
                                              &H68, &H0, &H0, &H0, &H0, &HC3, &H68, &H0, &H0, &H0, &H0, &HC3))
    Next i
   
    If UBound(vParameters) <> -1 Then
        dwAmount = UBound(vParameters)
        For i = 0 To dwAmount
            dwDataSize = dwDataSize + LenB(vParameters(i))
        Next i
        dwCallSize = UBound(ASM_CALLGATE) + dwAmount * (4 + 1) + dwDataSize
       
        'Allocate memory for callgate constructing (local process)
        lpLocal = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwCallSize)
        If lpLocal = 0 Then: GoTo Error
       
        'Allocate memory from remote process
        lpRemote = VirtualAllocEx(hProcess, 0&, dwCallSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        If lpRemote = 0 Then: GoTo Error
       
        Call CopyMemory(4, ByVal VarPtr(ASM_CALLGATE(19)), lpRemote)
        Call CopyMemory(4, ByVal VarPtr(ASM_CALLGATE(35)), lpStartAddress)
        Call CopyMemory(4, ByVal VarPtr(ASM_CALLGATE(29)), GetProcAddress(GetModuleHandle("KERNEL32"), "VirtualFree"))
    End If
   
    Call WriteProcessMemory(hProcess, lpRemote, lpLocal, dwCallSize, dwWritten)
    Call HeapFree(GetProcessHeap(), 0, lpLocal)
    If dwWritten = 0 Then: GoTo Error

    CreateRemoteThreadEx = CreateRemoteThread(hProcess, lpThreadAttributes, dwStackSize, (lpRemote + dwDataSize), 0, dwCreationFlags, lpThreadId)
    Exit Function
Error:
   
End Function


Gracias

Slek Hacker

Jaja, yo estoy intentando hacer lo mismo pero sin DLL, inyectar código VB directamente.
Lo siento no te puedo ayudar >.<

Saludos!

cobein

Lo mire muy por arriba y donde te complicas mucho es con el tema de el VirtualFree, no es 100% necesario lo que utilices pero bueno. La funcion que tenes que armar (shellcode) es como un callapi basicamente.

Otra cosa que vi en el codigo es que utilizas el Heap para armar la funcion, esto lo podes reemplzar facilmente por un bytearray para no complicar mas las cosas.

Muy a lo bruto te diria que necesitas 5 bytes por cada parametro que le pases mas otros 5 para el call (esto podria ser mas si queres limpiar etc) si pasas strings una manera de hacerlo es reservar memoria para copiar el string y despues pushear el address an el stack... Si no me equivoco hay un modulo por ahi para hacer esto me parece que en HH
http://www.advancevb.com.ar
Más Argentino que el morcipan
Aguante el Uvita tinto, Tigre, Ford y seba123neo
Karcrack es un capo.

F3B14N

#3
Cita de: cobein en 29 Septiembre 2010, 19:40 PM
Lo mire muy por arriba y donde te complicas mucho es con el tema de el VirtualFree, no es 100% necesario lo que utilices pero bueno. La funcion que tenes que armar (shellcode) es como un callapi basicamente.

Otra cosa que vi en el codigo es que utilizas el Heap para armar la funcion, esto lo podes reemplzar facilmente por un bytearray para no complicar mas las cosas.

Muy a lo bruto te diria que necesitas 5 bytes por cada parametro que le pases mas otros 5 para el call (esto podria ser mas si queres limpiar etc) si pasas strings una manera de hacerlo es reservar memoria para copiar el string y despues pushear el address an el stack... Si no me equivoco hay un modulo por ahi para hacer esto me parece que en HH

Hola cobein, primero que nada te agradezco mucho que te hayas tomado el tiempo de mirar el coude. Voy a probar con la data que me dijiste de los parametros, sé que varias cosas no son necesarias, y yo habia intentado antes de encontrar este crearlo desde 0, pero no pude lograrlo (aunque estuve muy cerca) e intente portar el codigo en C que si funcionaba :P

Option Explicit

Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long

Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long

Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Declare Sub CopyMemory Lib "MSVBVM60" Alias "__vbaCopyBytes" (ByVal Size As Long, Dest As Any, Source As Any)

Private Const PROCESS_ALL_ACCESS = &H1F0FFF
Private Const MEM_COMMIT = &H1000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H4
Private Const INFINITE = &HFFFFFFFF

Public Function ExecuteDll(lPid As Long) As Boolean
   Dim hVictim As Long
   Dim hInject As Long
   Dim lParamAddress As Long
   Dim lStartAddress As Long
   Dim bB() As Byte
   
   hVictim = OpenProcess(PROCESS_ALL_ACCESS, 0, lPid)
   If hVictim = 0 Then Exit Function
   '===
   Call PutThunk("68" & GetLng(500) & "68" & GetLng(500), bB)
   '===
   lStartAddress = GetProcAddress(GetModuleHandle("KERNEL32"), "Beep"): If lStartAddress = 0 Then GoTo Error
   lParamAddress = VirtualAllocEx(hVictim, 0&, UBound(bB), MEM_COMMIT, PAGE_READWRITE): If lParamAddress = 0 Then GoTo Error
   Call WriteProcessMemory(hVictim, ByVal lParamAddress, ByVal VarPtr(bB(0)), UBound(bB), ByVal 0&)
   '===
   hInject = CreateRemoteThread(hVictim, ByVal 0&, 0&, ByVal lStartAddress, ByVal lParamAddress, 0, ByVal 0&)
   If hInject = 0 Then: GoTo Error
   '===
   
   Call WaitForSingleObject(hInject, INFINITE)
   Call CloseHandle(hVictim)
   Call CloseHandle(hInject)
   
   ExecuteDll = True
   Exit Function
   
Error:
   Call CloseHandle(hInject)
   Call CloseHandle(hVictim)
   
   ExecuteDll = False
End Function

Private Function GetLng(ByVal lLng As Long) As String
   Dim lTMP                        As Long

   lTMP = (((lLng And &HFF000000) \ &H1000000) And &HFF&) Or ((lLng And &HFF0000) \ &H100&) Or ((lLng And &HFF00&) * &H100&) Or ((lLng And &H7F&) * &H1000000) ' by Mike D Sutton
   If (lLng And &H80&) Then lTMP = lTMP Or &H80000000

   GetLng = String$(8 - Len(Hex$(lTMP)), "0") & Hex$(lTMP)
End Function

Private Sub PutThunk(ByVal sThunk As String, ByRef bvRet() As Byte)
   Dim i As Long
   
   ReDim bvRet((Len(sThunk) \ 2) - 1)
   
   For i = 0 To Len(sThunk) - 1 Step 2
       bvRet(i / 2) = CByte("&H" & Mid$(sThunk, i + 1, 2))
   Next i
End Sub


Si lo testeas podras ver que si se llama el API y se pasan parametros, pero erroneamente y por eso queda un BEEP muy largo :P
Gracias capo P_P

Slek Hacker

Claro, ya entiendo, estaba muy equivocado, disculpen mi ignorancia.