[HELP]Invoke by Hash

Iniciado por Swellow, 11 Diciembre 2011, 18:30 PM


Swellow

Hola amigos!

I'm trying to use the CallAPIByHash by Karcrack but I can't get it working... Can anyone tell me what's wrong in my code? I've used Karcrack's Hash Generator to generate the hashes.

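Public Function GetResDataBytes(ByVal ResType As Long, ByVal ResName As Long) As Byte()
   ' Copies one resource of the running module into a Byte array.
   '   ResType / ResName : integer resource identifiers, handed straight to
   '                       FindResourceW as lpType / lpName.
   '   Returns           : the resource bytes, or an unallocated array when the
   '                       resource is missing, has zero size or cannot be locked.
   ' Every API is reached through Invoke (export located by hash at run time,
   ' not by a Declare). Invoke returns -1 when it cannot resolve the export,
   ' so the handle tests below must reject that sentinel as well as 0.
   Dim hRsrc As Long
   Dim hGlobal As Long
   Dim lpData As Long
   Dim Size As Long
   Dim hMod As Long
   Dim B() As Byte

   hMod = App.hInstance

   'FindResourceW,&H3BD09A6B
   hRsrc = Invoke("KERNEL32", &H3BD09A6B, hMod, ResName, ResType)

   ' "> 0" rejects both a NULL handle and Invoke's -1 failure value.
   If hRsrc > 0 Then
       'LoadResource,&H934E1F7B
       hGlobal = Invoke("KERNEL32", &H934E1F7B, hMod, hRsrc)
       'LockResource,&H9A4E2F7B
       lpData = Invoke("KERNEL32", &H9A4E2F7B, hGlobal)
       'SizeofResource,&H3F2A9609
       Size = Invoke("KERNEL32", &H3F2A9609, hMod, hRsrc)

       ' The lock must have produced a pointer before anything is copied from
       ' it; the original only tested Size.
       If Size > 0 And lpData <> 0 And lpData <> -1 Then
           ' Size bytes occupy indices 0 .. Size-1. The original ReDim used
           ' (0 To Size), which allocated one extra trailing zero byte and
           ' returned an array one byte longer than the resource.
           ReDim B(0 To Size - 1) As Byte
           'RtlMoveMemory,&HCF14E85B
           ' NOTE(review): the thread reports that this copy is the step that
           ' fails when RtlMoveMemory is reached by hash; the cause is not
           ' established on the page, so the call is left as the author wrote it.
           Call Invoke("KERNEL32", &HCF14E85B, VarPtr(B(0)), lpData, Size)
           'FreeResource,&H54423F7C
           Call Invoke("KERNEL32", &H54423F7C, hGlobal)

           GetResDataBytes = B()
       End If
       ' The original ended with FreeLibrary(hMod). App.hInstance was never
       ' obtained through LoadLibrary, so there is no reference to release;
       ' that call has been dropped.
   End If
End Function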


CallAPIByHash Code:

Option Explicit
' DWORD_L and DWORD_B are two same-sized views of a 32-bit value; SliceLong
' overlays one onto the other with LSet to split a Long into four bytes.
Private Type DWORD_L
    D1      As Long
End Type

Private Type DWORD_B
    B1      As Byte:    B2      As Byte:   B3      As Byte:    B4      As Byte
End Type

' CallWindowProcW is used here as a "jump to this address" primitive: Address
' points at the first byte of a Byte array holding machine code and Param1..4
' become that code's arguments. The byte arrays below are therefore executed
' as code, not read as data.
Public Declare Function CWPW Lib "user32" Alias "CallWindowProcW" (ByVal Address As Any, Optional ByVal Param1 As Long, Optional ByVal Param2 As Long, Optional ByVal Param3 As Long, Optional ByVal Param4 As Long) As Long

Private bInitialized_Inv        As Boolean   ' True once ASM_gAPIPTR has been filled (done on first Invoke)
Private ASM_gAPIPTR(0 To 170)   As Byte      ' resolver stub: called with (StrPtr(sDLL), hHash), returns an address or 0
Private ASM_cCODE(0 To 255)     As Byte      ' per-call stub rebuilt by Invoke: PUSHes, MOV EAX, CALL EAX, RET

'---------------------------------------------------------------------------
' Invoke: locates an export of sDLL by the hash hHash at run time and calls
' it with the ParamArray values as its arguments.
'   sDLL    : module name, passed to the resolver stub as StrPtr(sDLL)
'             (a pointer to the BSTR characters).
'   hHash   : hash of the export name.
'   vParams : each value is CLng'd and becomes one PUSH; a Variant that
'             cannot be converted raises a Type mismatch before any call.
'   Returns : the callee's result (EAX), or -1 when the resolver stub
'             returns 0. The Err.Raise is commented out, so callers must test
'             for -1 themselves, and a callee that legitimately returns -1 is
'             indistinguishable from a failed lookup.
' Security note: no Declare names the target API, so nothing in the module's
' declarations identifies what is called; the decision is made at run time by
' the hash and by the stub in ASM_gAPIPTR, whose behaviour cannot be reviewed
' from VB without disassembling it.
'---------------------------------------------------------------------------
Public Function Invoke(ByVal sDLL As String, ByVal hHash As Long, ParamArray vParams() As Variant) As Long
    Dim vItem                   As Variant
    Dim bsTmp                   As DWORD_B
    Dim lAPI                    As Long
    Dim i                       As Long
    Dim w                       As Long

    ' One-time copy of the resolver stub into ASM_gAPIPTR. The literal holds
    ' 171 values, exactly the (0 To 170) bounds; one value more would raise
    ' "Subscript out of range" here.
    If Not bInitialized_Inv Then
        For Each vItem In Array(&HE8, &H22, &H0, &H0, &H0, &H68, &HA4, &H4E, &HE, &HEC, &H50, &HE8, &H43, &H0, &H0, &H0, &H83, &HC4, &H8, &HFF, &H74, &H24, &H4, &HFF, &HD0, &HFF, &H74, &H24, &H8, &H50, &HE8, &H30, &H0, &H0, &H0, &H83, &HC4, &H8, &HC3, &H56, &H55, &H31, &HC0, &H64, &H8B, &H70, &H30, &H8B, &H76, &HC, &H8B, &H76, &H1C, &H8B, &H6E, &H8, &H8B, &H7E, &H20, &H8B, &H36, &H38, &H47, &H18, &H75, &HF3, &H80, &H3F, &H6B, &H74, &H7, &H80, &H3F, &H4B, &H74, &H2, &HEB, &HE7, &H89, &HE8, &H5D, &H5E, &HC3, &H55, &H52, &H51, _
                                &H53, &H56, &H57, &H8B, &H6C, &H24, &H1C, &H85, &HED, &H74, &H43, &H8B, &H45, &H3C, &H8B, &H54, &H5, &H78, &H1, &HEA, &H8B, &H4A, &H18, &H8B, &H5A, &H20, &H1, &HEB, &HE3, &H30, &H49, &H8B, &H34, &H8B, &H1, &HEE, &H31, &HFF, &H31, &HC0, &HFC, &HAC, &H84, &HC0, &H74, &H7, &HC1, &HCF, &HD, &H1, &HC7, &HEB, &HF4, &H3B, &H7C, &H24, &H20, &H75, &HE1, &H8B, &H5A, &H24, &H1, &HEB, &H66, &H8B, &HC, &H4B, &H8B, &H5A, &H1C, &H1, &HEB, &H8B, &H4, &H8B, &H1, &HE8, &H5F, &H5E, &H5B, &H59, &H5A, &H5D, &HC3)
            ASM_gAPIPTR(i) = CByte(vItem)
            i = i + 1
        Next vItem
        ' i is reused below as the write index into ASM_cCODE; it is a local,
        ' so this reset only matters on the first call, where the loop above
        ' advanced it.
        i = 0
        bInitialized_Inv = True
    End If

    ' Run the resolver stub; a zero result means the hash or the module name
    ' was not matched.
    lAPI = CWPW(VarPtr(ASM_gAPIPTR(0)), StrPtr(sDLL), hHash)

    If lAPI Then
        ' Emit one "PUSH imm32" (68 xx xx xx xx) per argument, last argument
        ' first, so the arguments are pushed right-to-left. Each argument
        ' costs 5 bytes and the tail below 8; ASM_cCODE holds 256 bytes and
        ' the only guard against overflow is VB's subscript error.
        For w = UBound(vParams) To LBound(vParams) Step -1
            vItem = vParams(w)
            bsTmp = SliceLong(CLng(vItem))
            '// PUSH ADDR
            ASM_cCODE(i) = &H68:            i = i + 1
            ASM_cCODE(i) = bsTmp.B1:        i = i + 1
            ASM_cCODE(i) = bsTmp.B2:        i = i + 1
            ASM_cCODE(i) = bsTmp.B3:        i = i + 1
            ASM_cCODE(i) = bsTmp.B4:        i = i + 1
        Next w

        bsTmp = SliceLong(lAPI)
        '// MOV EAX, ADDR
        ASM_cCODE(i) = &HB8:                i = i + 1
        ASM_cCODE(i) = bsTmp.B1:            i = i + 1
        ASM_cCODE(i) = bsTmp.B2:            i = i + 1
        ASM_cCODE(i) = bsTmp.B3:            i = i + 1
        ASM_cCODE(i) = bsTmp.B4:            i = i + 1
        '// CALL EAX
        ASM_cCODE(i) = &HFF:                i = i + 1
        ASM_cCODE(i) = &HD0:                i = i + 1
        '// RET
        ' No stack adjustment between CALL EAX and RET: the stub relies on the
        ' callee removing its own arguments (stdcall). Bytes left over from a
        ' previous, longer call are never reached because RET ends execution.
        ASM_cCODE(i) = &HC3:                i = i + 1

        ' Execute the stub just built (DEP permitting: it lives in a Byte array).
        Invoke = CWPW(VarPtr(ASM_cCODE(0)))
    Else
        ' Failure sentinel; see the header about its ambiguity.
        Invoke = -1
        'Err.Raise -1, , "Bad Hash or wrong DLL"
    End If
End Function

Private Function SliceLong(ByVal lLong As Long) As DWORD_B
    ' Reinterpret a 32-bit value as its four constituent bytes by overlaying
    ' the DWORD_L view onto the DWORD_B view with LSet; no arithmetic is
    ' performed, so B1 is simply the lowest-addressed byte of the value.
    Dim tlWhole As DWORD_L

    With tlWhole
        .D1 = lLong
    End With
    LSet SliceLong = tlWhole
End Function


Gracias ;D

x64core


Swellow

Cita de: RHL en 11 Diciembre 2011, 18:52 PM
tu hash está malo

¿Por qué? I've used the Karcrack Generator and only added "&H" before every generated hash — does anything else need to be done?

Thanks

x64core

Un ejemplo de cómo se hace:


'ECF0B366 = SetCursorPos
Private Sub Form_Load()
    ' Demo: call user32 SetCursorPos (hash &HECF0B366) with (&H40, &H40)
    ' through the hash resolver and print the returned Long in the
    ' Immediate window.
    Dim lResult As Long

    lResult = Invoke("user32", &HECF0B366, &H40, &H40)
    Debug.Print lResult
End Sub



BAS:


'---------------------------------------------------------------------------------------
' Module    : kInvoke
' Author    : Karcrack
' Date      : 09/04/2010
' Purpose   : Call APIs By Hash
'---------------------------------------------------------------------------------------

Option Explicit

'USER32
' CallWindowProcW is used as a "jump to this address" primitive: lpCode points
' at the first byte of a Byte array holding machine code (ASM_GETAPIPTR or
' ASM_CALLCODE) and lParam1..4 become that code's arguments. The two arrays
' below are therefore executed as code, not read as data.
Private Declare Function CallWindowProcW Lib "USER32" (ByVal lpCode As Long, Optional ByVal lParam1 As Long, Optional ByVal lParam2 As Long, Optional ByVal lParam3 As Long, Optional ByVal lParam4 As Long) As Long

' Hex-encoded resolver stub. PutThunk decodes it into ASM_GETAPIPTR, so it must
' decode to at most 171 bytes (bounds 0 To 170). What the stub does cannot be
' reviewed from VB; auditing it requires disassembling these bytes.
Private Const THUNK_GETAPIPTR       As String = "E82200000068A44E0EEC50E84300000083C408FF742404FFD0FF74240850E83000000083C408C3565531C0648B70308B760C8B761C8B6E088B7E208B3638471875F3803F6B7407803F4B7402EBE789E85D5EC35552515356578B6C241C85ED74438B453C8B54057801EA8B4A188B5A2001EBE330498B348B01EE31FF31C0FCAC84C07407C1CF0D01C7EBF43B7C242075E18B5A2401EB668B0C4B8B5A1C01EB8B048B01E85F5E5B595A5DC3"
' Template for the per-call stub. Invoke substitutes <PUSHES> (one 68 xx xx xx xx
' per argument) and <API_PTR> (the resolved address), leaving
' "B8 <addr> FF D0 C3" = MOV EAX,addr / CALL EAX / RET.
Private Const THUNK_CALLCODE        As String = "<PUSHES>B8<API_PTR>FFD0C3"
Private ASM_GETAPIPTR(0 To 170)     As Byte   ' decoded THUNK_GETAPIPTR
Private ASM_CALLCODE(0 To 255)      As Byte   ' decoded per-call stub, at most 256 bytes

Public Function Invoke(ByVal sDLL As String, ByVal hHash As Long, ParamArray vParams() As Variant) As Long
   ' Locates an export of sDLL by the hash hHash at run time and calls it with
   ' vParams as the arguments, returning the callee's Long result.
   '   sDLL    : module name, passed to the resolver stub as StrPtr(sDLL)
   '             (a pointer to the BSTR characters).
   '   hHash   : hash of the exact export name (the thread notes it must be
   '             the real export, e.g. RtlMoveMemory rather than a VB alias).
   '   vParams : each value is CLng'd and becomes one PUSH; a Variant that
   '             cannot be converted raises a Type mismatch before any call.
   '   Raises  : error -1 "Bad Hash or wrong DLL" when the stub returns 0.
   ' Security note: no Declare names the target API, so nothing in the module's
   ' declarations identifies what is called; that is decided at run time by the
   ' hash and by THUNK_GETAPIPTR, which can only be reviewed by disassembly.
   Dim vItem                       As Variant
   Dim lAPI                        As Long
   Dim sThunk                      As String

   ' The resolver stub is re-decoded from its hex constant on every call.
   Call PutThunk(THUNK_GETAPIPTR, ASM_GETAPIPTR)
   lAPI = CallWindowProcW(VarPtr(ASM_GETAPIPTR(0)), StrPtr(sDLL), hHash)

   If lAPI Then
       ' One "68 <imm32>" per argument. Prepending puts the last argument first
       ' in the thunk, so the arguments are pushed right-to-left. Each argument
       ' adds 10 hex digits; ASM_CALLCODE holds 256 bytes, and a longer thunk
       ' makes PutThunk raise "Subscript out of range".
       For Each vItem In vParams
           sThunk = "68" & GetLng(CLng(vItem)) & sThunk
       Next vItem

       ' Splice the pushes and the resolved address into the template and run
       ' it. The template ends CALL EAX / RET with no stack adjustment, so it
       ' relies on the callee removing its own arguments (stdcall).
       sThunk = Replace$(Replace$(THUNK_CALLCODE, "<PUSHES>", sThunk), "<API_PTR>", GetLng(lAPI))
       Call PutThunk(sThunk, ASM_CALLCODE)
       Invoke = CallWindowProcW(VarPtr(ASM_CALLCODE(0)))
   Else
       ' -1 is assigned, but Err.Raise then leaves the function with an error;
       ' a caller only observes -1 under On Error Resume Next.
       Invoke = -1
       Err.Raise -1, , "Bad Hash or wrong DLL"
   End If
End Function

Private Function GetLng(ByVal lLng As Long) As String
   ' Render lLng as eight hex digits in little-endian byte order (lowest byte
   ' first), i.e. the text form of a 32-bit immediate operand in the thunk.
   ' The original computed this with a single byte-swap expression (by
   ' Mike D Sutton); this form extracts each byte on its own and yields the
   ' same eight characters.
   Dim lByte0 As Long, lByte1 As Long, lByte2 As Long, lByte3 As Long

   lByte0 = lLng And &HFF&
   lByte1 = (lLng And &HFF00&) \ &H100&
   lByte2 = (lLng And &HFF0000) \ &H10000
   ' The And leaves a (possibly negative) multiple of &H1000000, so the
   ' division is exact; the second mask drops the sign extension.
   lByte3 = ((lLng And &HFF000000) \ &H1000000) And &HFF&

   GetLng = HexByte(lByte0) & HexByte(lByte1) & HexByte(lByte2) & HexByte(lByte3)
End Function

Private Function HexByte(ByVal lByte As Long) As String
   ' Two-digit, zero-padded upper-case hex of a value in 0..255.
   HexByte = Right$("0" & Hex$(lByte), 2)
End Function

Private Sub PutThunk(ByVal sThunk As String, ByRef bvRet() As Byte)
   ' Decode a hex string two characters at a time into consecutive elements of
   ' bvRet, starting at index 0. bvRet is not resized: a string longer than
   ' the array raises "Subscript out of range", and a shorter one leaves the
   ' remaining elements untouched.
   Dim lPos As Long

   lPos = 1
   Do While lPos <= Len(sThunk)
       bvRet((lPos - 1) \ 2) = CByte("&H" & Mid$(sThunk, lPos, 2))
       lPos = lPos + 2
   Loop
End Sub


También hay que recordar que, para generar el hash, debe usarse el nombre propio de la API, bien escrito; por ejemplo,
CopyMemory sería "RtlMoveMemory".

Swellow

Gracias for your help, man, but I found the problem: it is caused by RtlMoveMemory — if I don't invoke RtlMoveMemory, it works. What must be changed on that line to make it work with Invoke by Hash?

'RtlMoveMemory | &HCF14E85B
Invoke ("kernel32"), (&HCF14E85B), VarPtr(B(0)), lpData, Size

Thanks

x64core

Definitivamente hay algo malo :P, no sé si es con la API :P
Si hay suerte, espero que venga Karcrack a resolverlo, o alguien más :P
Yo lo intenté por un buen tiempo y no pude :P. El hash está bien y los parámetros se pasan correctamente; mi conclusión es que
hay un problema con la API :P

Swellow

Cita de: RHL en 15 Diciembre 2011, 04:55 AM
Definitivamente hay algo malo :P, no sé si es con la API :P
Si hay suerte, espero que venga Karcrack a resolverlo, o alguien más :P
Yo lo intenté por un buen tiempo y no pude :P. El hash está bien y los parámetros se pasan correctamente; mi conclusión es que
hay un problema con la API :P

I am now 100% sure it was because of RtlMoveMemory (or that it must be invoked differently for CallAPIByHash), but I found a way to get this working: simply by using vbaCopyBytes =)

Karcrack

I've not checked the hashes... I guess they're fine if you've used the full API name...

Now I need the API declaration of each API from the working code to see if you're passing the pointer right...