الفريق العربي للهندسة العكسية

الفريق العربي للهندسة العكسية > منتديات البرمجة - Programming Forums > البرمجة بالأسمبلي - Assembly Section > basic loader (32bit/64bit)
نسخة كاملة : basic loader (32bit/64bit)
أنت حالياً تتصفح نسخة خفيفة من المنتدى . مشاهدة نسخة كاملة مع جميع الأشكال الجمالية .

icrypto

31-01-2021, 11:33 AM
.This is a very basic loader without Address Space Layout Randomization support
It Can build to produce 32bit or 64bit application (MASM32 or MASM64)
 
ifndef _Win64
include masm32rt.inc
else
include masm64rt.inc
endif
 
.const
    filename          db "victim.exe", 0
    targetaddress     dd 403000h
    values            db 4 dup(90h,90h,90h,90h)

    sinfo STARTUPINFO<>
    pinfo PROCESS_INFORMATION<>
 
.code
    start proc
        invoke CreateProcessA, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
        invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr values, 4, NULL
        invoke ResumeThread, pinfo.hThread
        invoke ExitProcess, 0
        ret 0
    start endp
end

kesmezar

31-01-2021, 02:03 PM
 ->لقد غيرتها إلى 32 بت

Your code does not work as such. I ran it with some change
.386 
.model flat,stdcall 
option casemap:none 

ifndef _Win64;
include masm32rt.inc;
else;
include masm64rt.inc;
endif;
      
.data 
filename          db "test.exe", 0
targetaddress     dd 004012D8h 
values            byte 74h ;dup(90h,90h,90h,90h)
sinfo STARTUPINFO<>
pinfo PROCESS_INFORMATION<>

.code
start: ;->64bit not use
loader proc public
invoke CreateProcess, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr values, 1,0
invoke ResumeThread, pinfo.hThread
invoke ExitProcess,0 
loader endp
end start ;->64bit not use
end ;->for 64bit

icrypto

31-01-2021, 03:37 PM
(31-01-2021, 02:03 PM)kesmezar كتب : [ -> ].Your code does not work as such. I ran it with some change
:MASM64 Assembler doesn't accept

.386
.model flat,stdcall

:and this Entrypoint format

start:
         
end start
 : Instead it accept this Entrypoint format
start proc

start endp

.For 64bit build I'm using ml64.exe from Visual Studio
?Can you successfully build 64bit application with your modified code

kesmezar

31-01-2021, 04:48 PM
I just added 32bit. Since I don't use 64bit, I don't have a chance to try it.
أضفت 32 بت. نظرًا لأنني لا أستخدم 64 بت ، فليس لدي فرصة لتجربته.

icrypto

01-02-2021, 11:14 AM
(31-01-2021, 04:48 PM)kesmezar كتب : [ -> ]I just added 32bit. Since I don't use 64bit, I don't have a chance to try it.
 
 
;
; This is a very basic loader without Address Space Layout Randomization support.
; It Can build to produce 32bit or 64bit application (MASM32 or MASM64)
;

ifndef _Win64
include masm32rt.inc
else
include masm64rt.inc
endif
 
.const
    filename          db "test.exe", 0
    targetaddress     dd 4012D8h
    values            db 1 dup(74h)

    sinfo STARTUPINFO<>
    pinfo PROCESS_INFORMATION<>
 
.code
    start proc
        invoke CreateProcessA, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
        invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr values, 1, NULL
        invoke ResumeThread, pinfo.hThread
        invoke ExitProcess, 0
        ret 0
    start endp
end
 
! Ok
.I Can't download your attachment yet, but I adapted my sample to work with your provided address of [test.exe] application
.Attached 32bit and 64bit build from my previous code

kesmezar

01-02-2021, 12:50 PM
Ok now let's make this a serial sniffer. Convert to 64bit.

https://dosya.co/l3361g3yraiu/test.exe.html
 
 
;for 64bit this area erase
;;;;;;;;;;;;;;;;;;;;;;;;;;
.386 
.model flat,stdcall 
option casemap:none 
;;;;;;;;;;;;;;;;;;;;;;;;;;


ifndef _Win64
include masm32rt.inc
else
include masm64rt.inc
endif
 
.const
    filename          db "test.exe", 0
    targetaddress equ 004012A5h ;targetaddress dd 4012A5h;This is snif address not patch
    ;values           db 1 dup(74h)
    
LOOOP db 0EBh,0FEh,0
ORIG db 00h,00h,0
baslik db "your serial :",0
    
.data

    sinfo STARTUPINFO<>
    pinfo PROCESS_INFORMATION<>
    CTX CONTEXT<>

.data?
beax db 50 dup (?)
oku db 50 dup(?)
 
.code
start:;64bit not use
    snif proc public  
        invoke CreateProcessA, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
invoke ReadProcessMemory,pinfo.hProcess,targetaddress ,addr ORIG,2,0
invoke WriteProcessMemory,pinfo.hProcess,targetaddress ,addr LOOOP,2,0
        invoke ResumeThread,pinfo.hThread
        mov CTX.ContextFlags,CONTEXT_FULL
invoke GetThreadContext,pinfo.hThread,addr CTX
@dongu:
invoke GetThreadContext,pinfo.hThread,addr CTX
.if CTX.regEip!= targetaddress
JMP @dongu
.endif
invoke SuspendThread,pinfo.hThread
invoke GetThreadContext,pinfo.hThread,addr CTX
invoke ReadProcessMemory,pinfo.hProcess,CTX.regEax,addr beax,50,oku
invoke MessageBox,0,addr beax,addr baslik,MB_OK
invoke WriteProcessMemory,pinfo.hProcess,targetaddress,addr ORIG,2,0
        ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    
        invoke ResumeThread, pinfo.hThread
        invoke ExitProcess, 0
    snif endp
end start;64bit not use 
end

icrypto

02-02-2021, 10:58 AM
(01-02-2021, 12:50 PM)kesmezar كتب : [ -> ]Convert to 64bit
! Done
 
include masm64rt.inc
 
.const
    filename              db    "test.exe", 0
    targetaddress         equ   004012A5h
    
    InfiniteLoopBytes     db    0EBh, 0FEh, 0
    OriginalBytesBuff     db    00h, 00h, 0
    SerialMsg             db    "Your valid serial is: %s", 10, 0
    
.data
    sinfo STARTUPINFO<>
    pinfo PROCESS_INFORMATION<>
    
    align 8
    ctx CONTEXT64<>

.data?
    RealSerialBuff        db    20+1 dup (?)
 
.code
start proc  
    invoke CreateProcessA, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
 
    invoke ReadProcessMemory, pinfo.hProcess, targetaddress, addr OriginalBytesBuff, 2, 0
    invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr InfiniteLoopBytes, 2, 0
    invoke ResumeThread, pinfo.hThread
    
    mov    ctx.ContextFlags, CONTEXT_FULL
    invoke GetThreadContext, pinfo.hThread, addr ctx
    
    @InfiniteLoop:
    invoke GetThreadContext, pinfo.hThread, addr ctx
    .if (ctx.Rip ~= targetaddress)
    jmp @InfiniteLoop
    .endif
    
    invoke SuspendThread, pinfo.hThread
    invoke GetThreadContext, pinfo.hThread, addr ctx

    mov    rax, qword ptr ctx+120 ;; --> ctx.Rax :)
    invoke ReadProcessMemory, pinfo.hProcess, rax, addr RealSerialBuff, 20, 0
    
    invoke printf, addr  SerialMsg, addr RealSerialBuff
    invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr OriginalBytesBuff, 2, 0
    
    invoke ResumeThread, pinfo.hThread
    invoke getchar
    invoke ExitProcess, 0
    ret 0
start endp
end

.Attached 64bit build
الفريق العربي للهندسة العكسية > منتديات البرمجة - Programming Forums > البرمجة بالأسمبلي - Assembly Section > basic loader (32bit/64bit)