[SRC] VB6 0 API

Miseryk · 17 Octubre 2014, 16:22 PM

Bueno hace poco hice algo para ejecutar APIs sin declararlas, 0 API.

Posteado en http://hackhound.org/forums/topic/6634-0-api/

Código (vb) [Seleccionar]


Option Explicit

'You must compile Native and check 'Remove Array Bound Checks'

'---------------------------------------------------------------------------------------
' Module    : mMemory
' Author    : Karcrack
' Date      : 20/09/2011
' Purpose   : Work with memory withouth using any API
' History   : 20/09/2011 First cut
'---------------------------------------------------------------------------------------
 
Private bvHack(0)               As Byte
Private lHackDelta              As Long
Private bInitialized            As Boolean

Public Function Initialize() As Boolean
    On Error GoTo Error_Handle
 
    bvHack(-1) = bvHack(-1) 'Error check
    lHackDelta = VarPtr(bvHack(0))
 
    Initialize = True
    bInitialized = Initialize
    Exit Function
Error_Handle:
    If Err.Number = 9 Then Debug.Print "Remember to tick 'Remove array boundary check' and compile before using"
    End
End Function
 
Public Function GetByte(ByVal lptr As Long) As Byte
    If bInitialized Then GetByte = bvHack(lptr - lHackDelta)
End Function
 
Public Function GetWord(ByVal lptr As Long) As Integer
    If bInitialized Then GetWord = MakeWord(GetByte(lptr + &H0), GetByte(lptr + &H1))
End Function
 
Public Function GetDWord(ByVal lptr As Long) As Long
    If bInitialized Then GetDWord = MakeDWord(GetWord(lptr + &H0), GetWord(lptr + &H2))
End Function
 
Public Sub PutByte(ByVal lptr As Long, ByVal bByte As Byte)
    If bInitialized Then bvHack(lptr - lHackDelta) = bByte
End Sub
 
Public Sub PutWord(ByVal lptr As Long, ByVal iWord As Integer)
    If bInitialized Then Call PutByte(lptr + &H0, iWord And &HFF): Call PutByte(lptr + &H1, (iWord And &HFF00&) \ &H100)
End Sub
 
Public Sub PutDWord(ByVal lptr As Long, ByVal lDWord As Long)
    If bInitialized Then Call PutWord(lptr + &H0, IIf(lDWord And &H8000&, lDWord Or &HFFFF0000, lDWord And &HFFFF&)): Call PutWord(lptr + &H2, (lDWord And &HFFFF0000) \ &H10000)
End Sub
 
Private Function MakeWord(ByVal loByte As Byte, ByVal hiByte As Byte) As Integer '[http://www.xbeat.net/vbspeed/c_MakeWord.htm#MakeWord02]
    If hiByte And &H80 Then
        MakeWord = ((hiByte * &H100&) Or loByte) Or &HFFFF0000
    Else
        MakeWord = (hiByte * &H100) Or loByte
    End If
End Function
 
Private Function MakeDWord(ByVal LoWord As Integer, ByVal HiWord As Integer) As Long '[http://www.xbeat.net/vbspeed/c_MakeD...m#MakeDWord05]
    MakeDWord = (HiWord * &H10000) Or (LoWord And &HFFFF&)
End Function

Código (vb) [Seleccionar]


Option Explicit

'Private Declare Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long

'Sore wa watashi no monode wa arimasen.
Public Function CallAPI_NotMine(ByVal vForm As Form, ByVal sLib As String, ByVal sProc As String, ParamArray vParams() As Variant) As Long
Dim c_ASM(28) As Currency, bvLib() As Byte, bvProc() As Byte, laParam() As Long, ubParam As Long, bInitialized As Boolean, i As Long

If bInitialized = False Then
    c_ASM(0) = 725985647539103.3577@: c_ASM(1) = 465082451154280.4619@: c_ASM(2) = 174754948986808.1932@
    c_ASM(3) = 353151298900331.7606@: c_ASM(4) = -842056535466254.24@: c_ASM(5) = -158485362956912.3259@
    c_ASM(6) = -151289242656700.5557@: c_ASM(7) = -129660215991460.1245@: c_ASM(8) = -457434111994534.3183@
    c_ASM(9) = -145719479559932.942@: c_ASM(10) = -836727781740640.7692@: c_ASM(11) = 540785052671076.873@
    c_ASM(12) = -842945876107851.5061@: c_ASM(13) = -436817922147838.1567@: c_ASM(14) = -36546947.8739@
    c_ASM(15) = 34438797019703.0793@: c_ASM(16) = -190689866724056.7239@: c_ASM(17) = -59310703.0909@
    c_ASM(18) = -26865768425160.8957@: c_ASM(19) = -82935132042744.5623@: c_ASM(20) = -1607042434518.5911@
    c_ASM(21) = -55225496747848.4993@: c_ASM(22) = 850252832244421.5689@: c_ASM(23) = -836310804921489.818@
    c_ASM(24) = 7079432546648.5829@: c_ASM(25) = -748820712252184.718@: c_ASM(26) = -850720513820548.8302@
    c_ASM(27) = -28815265.8452@: c_ASM(28) = -143712485721099.5542@
    bInitialized = True
End If

bvLib = StrConv(sLib & vbNullChar, vbFromUnicode): bvProc = StrConv(sProc & vbNullChar, vbFromUnicode): ubParam = UBound(vParams): ReDim laParam(0 To ubParam)

For i = 0 To ubParam
    laParam(i) = CLng(vParams(i))
Next i

Call NewMisery.CallAPI(NewMisery.FunctionAddress(vForm, "VirtualAlloc"), VarPtr(VarPtr(c_ASM(0))), VarPtr(UBound(c_ASM) + 1), VarPtr(&H1000), VarPtr(&H40))

CallAPI_NotMine = MyCallWindowProcA(VarPtr(c_ASM(0)), VarPtr(bvLib(0)), VarPtr(bvProc(0)), ubParam + 1, VarPtr(laParam(0)))
End Function

Código (vb) [Seleccionar]


Option Explicit

'---------------------------------------------------------------------------------------
' Don't use VirusTotal, use http://nodistribute.com instead
'
' Module    : NewMisery (Im horrible for names...)
' Author    : Misery (Miseryk) Inspired by OXYMORON
' Date      : 17/07/2014 (Start) | 15/09/2014 (End)
' Purpose   : 0 API
'---------------------------------------------------------------------------------------

Public KernelBase As Long
Public Base As Long 'With no use, just test
Public BkAddVal As Long '[Me.Point(8@)] backup => CALL [EAX+2D0]
Public User32 As Long

Private Sub Initialize()
Call Karcrack.Initialize
End Sub

Public Function GetFuncAddr(ByVal lAddr As Long) As Long
GetFuncAddr = lAddr
End Function

Public Sub Init(ByVal vForm As Form)
Call Initialize

Dim ASM_c(7) As Currency

ASM_c(0) = 259535234953094.8442@
ASM_c(1) = 350419256390428.4982@
ASM_c(2) = 465082451153964.2368@
ASM_c(3) = 117108873756465.8452@
ASM_c(4) = 64246993287716.5497@
ASM_c(5) = -518518030442266.1493@
ASM_c(6) = -30494267.8016@
ASM_c(7) = -801556291178923.7505@

BkAddVal = Karcrack.GetDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0)

Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, VarPtr(ASM_c(0)))

Call vForm.Point(VarPtr(KernelBase), VarPtr(Base))

Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, BkAddVal)

Call Patch(vForm)
End Sub

Private Sub Patch(ByVal vForm As Form)
Dim ASM_c(5) As Currency

ASM_c(0) = 537140736891580.1227@
ASM_c(1) = 583913078498908.8528@
ASM_c(2) = -854952546922381.2279@
ASM_c(3) = -841638429847924.6252@
ASM_c(4) = -116134715448543.5308@
ASM_c(5) = -802975980578020.9409@

Dim Address As Long

Address = NewMisery.GetFuncAddr(AddressOf CallAPI) + 11

Dim MyPushes(6) As Long

MyPushes(0) = VarPtr(0)
MyPushes(1) = 51
MyPushes(2) = VarPtr(ASM_c(0))
MyPushes(3) = Address
MyPushes(4) = -1
MyPushes(5) = KernelBase
MyPushes(6) = NewMisery.FunctionAddress(vForm, "WriteProcessMemory")

Dim ASM_c2(6) As Currency

ASM_c2(0) = -856471559609067.0246@
ASM_c2(1) = 367493325241674.242@
ASM_c2(2) = 828635112938277.7599@
ASM_c2(3) = -842503583785949.618@
ASM_c2(4) = 5202119258820.4106@
ASM_c2(5) = -119118.2336@
ASM_c2(6) = -802970373083417.7606@

BkAddVal = Karcrack.GetDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0)

Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, VarPtr(ASM_c2(0)))

Call vForm.Point(VarPtr(MyPushes(0)), 0)

Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, BkAddVal)
End Sub

Public Function ConvertToMisery(ByVal vForm As Form, ByVal AddressSrc As Long, ByVal AddressDst As Long) As Long
Dim c_ASM(2) As Long

c_ASM(0) = -64731961
c_ASM(1) = AddressSrc
c_ASM(2) = -64723713

ConvertToMisery = NewMisery.CallAPI(NewMisery.FunctionAddress(vForm, "WriteProcessMemory"), VarPtr(-1), AddressDst, VarPtr(VarPtr(c_ASM(0))), VarPtr(12), VarPtr(VarPtr(0)))
End Function

Public Function CallAPI(ByVal Address As Long, ParamArray vParams() As Variant) As Long
Address = KernelBase + Address
DoEvents: DoEvents: DoEvents
DoEvents: DoEvents: DoEvents
DoEvents: DoEvents: DoEvents
DoEvents: DoEvents: DoEvents
DoEvents: DoEvents: DoEvents
DoEvents: DoEvents: DoEvents
End Function

Public Function MyCallWindowProcA(ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
DoEvents
DoEvents
End Function

Public Function MyGetProcAddress(ByVal hModule As Long, ByVal lpProcName As String) As Long
DoEvents
DoEvents
End Function

Public Function FunctionAddress(ByVal vForm As Form, ByVal StrFunction As String) As Long
Dim strFunc() As Byte
Dim Offset As Long

Dim ASM_c(19) As Currency

ASM_c(0) = 814232361510246.7936@
ASM_c(1) = 350419227990245.6828@
ASM_c(2) = 465082451153964.2368@
ASM_c(3) = 117108873756465.8452@
ASM_c(4) = 461280767645907.9819@
ASM_c(5) = -459709328520114.7076@
ASM_c(6) = -118880.7541@
ASM_c(7) = -835887271382144.2318@
ASM_c(8) = 886420572523377.9787@
ASM_c(9) = 839808409003602.7148@
ASM_c(10) = 840567380577989.5332@
ASM_c(11) = -100852514478035.1214@
ASM_c(12) = -428637109111001.2498@
ASM_c(13) = -64280619725626.29@
ASM_c(14) = -273730417291300.9967@
ASM_c(15) = 204338008016006.1199@
ASM_c(16) = -854998653806026.0861@
ASM_c(17) = -511608917668079.9976@
ASM_c(18) = 190267051.2127@
ASM_c(19) = -802975918745080.576@

BkAddVal = Karcrack.GetDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0)

Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, VarPtr(ASM_c(0)))

strFunc = StrConv(StrFunction & Chr(0), vbFromUnicode)

Call vForm.Point(VarPtr(Offset), VarPtr(strFunc(0)))

Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, BkAddVal)

FunctionAddress = Offset
End Function

Public Sub GetUser32(ByVal vForm As Form)
Dim LoadLibrary As Long
Dim ASM_c(9) As Currency

LoadLibrary = NewMisery.FunctionAddress(vForm, "LoadLibraryW")
LoadLibrary = LoadLibrary + KernelBase

ASM_c(0) = 814232361510246.7936@
ASM_c(1) = 100060056.7804@
ASM_c(2) = 497206524950976.384@
ASM_c(3) = 331470430218173.2864@
ASM_c(4) = 8356415879.68@
ASM_c(5) = -840821747844015.7184@
ASM_c(6) = 654401063636671.802@
ASM_c(7) = 79190153.865@
ASM_c(8) = 12469341468280.2432@
ASM_c(9) = -802991806362733.7728@

BkAddVal = Karcrack.GetDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0)

Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, VarPtr(ASM_c(0)))

Call vForm.Point(VarPtr(User32), VarPtr(LoadLibrary))

Call Karcrack.PutDWord(Karcrack.GetDWord(ObjPtr(vForm)) + &H2D0, BkAddVal)
End Sub

Código (vb) [Seleccionar]


Option Explicit

Private Sub Command1_Click()
Call NewMisery.Init(Me)

Call NewMisery.GetUser32(Me)

Dim User32Add As Long

User32Add = NewMisery.User32

Call ConvertToMisery(Me, NewMisery.KernelBase + NewMisery.FunctionAddress(Me, "GetProcAddress"), NewMisery.GetFuncAddr(AddressOf MyGetProcAddress))
Call ConvertToMisery(Me, NewMisery.MyGetProcAddress(User32Add, StrConv("CallWindowProcA", vbFromUnicode)), NewMisery.GetFuncAddr(AddressOf MyCallWindowProcA))

MsgBox "Done."
End Sub

Private Sub Command2_Click()
'My manner of calling API could be a shit, maybe, who knows?, so call this
'This is not mine, but it calls MyCallWindowProcA(overwrite) and NewMisery.CallAPI(VirtualAlloc)
Call NotMine.CallAPI_NotMine(Me, "user32", "MessageBoxW", 0, StrPtr("t_Invoke works"), StrPtr("victory"), &H40)
End Sub

Functiona en XP, 7 y 8, pero en 8 para 64 hay que hacer un mini cambio el cual quedaría funcionando para XP 7 y 8 en 32 y 64, pero hasta el momento lo libero así (Y)

Saludos.

Test Foro de elhacker.net SMF 2.1

[SRC] VB6 0 API

Miseryk