basic loader (32bit/64bit) - icrypto - 31-01-2021
This is a very basic loader without Address Space Layout Randomization support.
It can be built to produce a 32-bit or 64-bit application (MASM32 or MASM64).
;-----------------------------------------------------------------------
; Launcher: creates "victim.exe" suspended, overwrites 4 bytes at a
; fixed absolute address inside the new process, then resumes it.
; Builds as MASM32 or MASM64 depending on _Win64. No ASLR handling:
; targetaddress is an absolute VA that must match the child image.
; NOTE(review): no API return value is checked. If CreateProcessA fails,
; pinfo is left unfilled and the following calls operate on whatever
; pinfo.hProcess / pinfo.hThread happen to contain.
;-----------------------------------------------------------------------
ifndef _Win64
; 32-bit runtime and prototypes
include masm32rt.inc
else
; 64-bit runtime and prototypes
include masm64rt.inc
endif
.const
filename db "victim.exe", 0             ; child image, NUL-terminated
targetaddress dd 403000h                ; absolute VA in the child (no ASLR support, see header)
values db 4 dup(90h,90h,90h,90h)        ; 16 bytes defined; only the first 4 are written below
sinfo STARTUPINFO<>
pinfo PROCESS_INFORMATION<>             ; NOTE(review): filled in by CreateProcessA at run time, yet declared under .const; later posts in this thread move these to .data -- confirm the section is writable
.code
start proc
invoke CreateProcessA, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo   ; child starts suspended; handles come back in pinfo
invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr values, 4, NULL   ; write 4 bytes; lpNumberOfBytesWritten = NULL, result unchecked
invoke ResumeThread, pinfo.hThread      ; let the primary thread run
invoke ExitProcess, 0                   ; never returns; pinfo handles are not closed explicitly
ret 0                                   ; unreachable after ExitProcess
start endp
end                                     ; no entry label: later posts note ml64 accepts `start proc`/`end`, while the 32-bit build uses `end start`
RE: basic loader (32bit/64bit) - kesmezar - 31-01-2021
->لقد غيرتها إلى 32 بت
Your code does not work as such. I ran it with some changes.
;-----------------------------------------------------------------------
; 32-bit variant of the launcher: starts "test.exe" suspended, writes
; one byte (74h) at a fixed absolute address in the child, resumes it.
; The .386/.model/option lines are 32-bit ML directives; the "->64bit
; not use" comments mark the lines to drop for an ml64 build.
; NOTE(review): no API return value is checked (see CreateProcess).
;-----------------------------------------------------------------------
.386
.model flat,stdcall
option casemap:none                     ; symbol names are case-sensitive
ifndef _Win64;
include masm32rt.inc;
else;
include masm64rt.inc;
endif;
.data
filename db "test.exe", 0               ; child image, NUL-terminated
targetaddress dd 004012D8h              ; absolute VA in the child (no ASLR handling)
; single patch byte; the commented-out dup() is the earlier 4x4 NOP block
values byte 74h ;dup(90h,90h,90h,90h)
sinfo STARTUPINFO<>                     ; in .data (writable) because CreateProcess fills pinfo at run time
pinfo PROCESS_INFORMATION<>
.code
start: ;->64bit not use (entry label for `end start`; execution falls through into loader)
loader proc public
invoke CreateProcess, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo   ; child starts suspended; return value unchecked
invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr values, 1,0   ; write 1 byte; lpNumberOfBytesWritten = 0
invoke ResumeThread, pinfo.hThread      ; let the primary thread run
invoke ExitProcess,0                    ; never returns; pinfo handles are not closed explicitly
loader endp
end start ;->64bit not use (assembly stops at the first `end`; keep only the line that matches the build)
end ;->for 64bit
RE: basic loader (32bit/64bit) - icrypto - 31-01-2021
(31-01-2021, 02:03 PM)kesmezar كتب : Your code does not work as such. I ran it with some changes. The MASM64 assembler doesn't accept:
.386
.model flat,stdcall
and this entry-point format:
start:
end start
Instead it accepts this entry-point format:
start proc
start endp
For the 64-bit build I'm using ml64.exe from Visual Studio.
Can you successfully build a 64-bit application with your modified code?
RE: basic loader (32bit/64bit) - kesmezar - 31-01-2021
I just added 32bit. Since I don't use 64bit, I don't have a chance to try it.
أضفت 32 بت. نظرًا لأنني لا أستخدم 64 بت ، فليس لدي فرصة لتجربته.
RE: basic loader (32bit/64bit) - icrypto - 01-02-2021
(31-01-2021, 04:48 PM)kesmezar كتب : I just added 32bit. Since I don't use 64bit, I don't have a chance to try it.
;
; This is a very basic loader without Address Space Layout Randomization support.
; It can be built to produce a 32-bit or 64-bit application (MASM32 or MASM64).
;
; Starts "test.exe" suspended, writes one byte (74h) at a fixed absolute
; address in the child, then resumes it.
; NOTE(review): no API return value is checked. If CreateProcessA fails,
; pinfo is left unfilled and the later calls use whatever it contains.
;
ifndef _Win64
; 32-bit runtime and prototypes
include masm32rt.inc
else
; 64-bit runtime and prototypes
include masm64rt.inc
endif
.const
filename db "test.exe", 0               ; child image, NUL-terminated
targetaddress dd 4012D8h                ; absolute VA in the child (no ASLR support)
values db 1 dup(74h)                    ; the single patch byte written below
sinfo STARTUPINFO<>
pinfo PROCESS_INFORMATION<>             ; NOTE(review): written by CreateProcessA at run time but declared under .const; the 32-bit reply in this thread keeps these in .data -- confirm the section is writable
.code
start proc
invoke CreateProcessA, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo   ; child starts suspended; handles come back in pinfo
invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr values, 1, NULL   ; write 1 byte; result unchecked
invoke ResumeThread, pinfo.hThread      ; let the primary thread run
invoke ExitProcess, 0                   ; never returns; pinfo handles are not closed explicitly
ret 0                                   ; unreachable after ExitProcess
start endp
end                                     ; ml64-style ending; the 32-bit reply in this thread uses `end start`
Ok!
I can't download your attachment yet, but I adapted my sample to work with the address you provided for the [test.exe] application.
Attached: 32-bit and 64-bit builds from my previous code.
RE: basic loader (32bit/64bit) - kesmezar - 01-02-2021
Ok, now let's make this a serial sniffer. Convert it to 64-bit.
https://dosya.co/l3361g3yraiu/test.exe.html
;-----------------------------------------------------------------------
; snif (32-bit): starts test.exe suspended, saves the 2 original bytes
; at targetaddress, replaces them with the 2 bytes in LOOOP (EB FE, a
; short jump to itself, so the thread spins once it reaches that
; address), resumes the thread and polls its context until EIP equals
; targetaddress. The thread is then suspended, 50 bytes at the address
; held in EAX are read into beax and shown in a MessageBox, the original
; bytes are restored and the thread resumed.
; NOTE(review): no API return value is checked anywhere in this proc;
; a failed CreateProcessA/ReadProcessMemory goes unnoticed.
;-----------------------------------------------------------------------
;for 64bit this area erase
;;;;;;;;;;;;;;;;;;;;;;;;;;
.386
.model flat,stdcall
option casemap:none                     ; symbol names are case-sensitive
;;;;;;;;;;;;;;;;;;;;;;;;;;
ifndef _Win64
include masm32rt.inc
else
include masm64rt.inc
endif
.const
filename db "test.exe", 0               ; child image, NUL-terminated
targetaddress equ 004012A5h ;targetaddress dd 4012A5h;This is snif address not patch  (equ: used as an immediate, not a variable)
;values db 1 dup(74h)
LOOOP db 0EBh,0FEh,0                    ; 2-byte self-jump written over targetaddress (trailing 0 is not written)
ORIG db 00h,00h,0                       ; NOTE(review): destination of ReadProcessMemory below, but placed in .const; if that section is read-only the read fails silently and the restore later writes back 00 00 -- sinfo/pinfo/CTX were moved to .data for the same reason, confirm
baslik db "your serial :",0             ; MessageBox caption
.data
sinfo STARTUPINFO<>
pinfo PROCESS_INFORMATION<>             ; filled by CreateProcessA (writable section)
CTX CONTEXT<>                           ; filled by GetThreadContext; ContextFlags set once below
.data?
beax db 50 dup (?)                      ; NOTE(review): 50 bytes are read into it with no guaranteed NUL terminator, and MessageBox treats it as a C string -- it may scan past the buffer
oku db 50 dup(?)                        ; intended as the bytes-read output; see the ReadProcessMemory note below
.code
start:;64bit not use (entry label for `end start`; falls through into snif)
snif proc public
invoke CreateProcessA, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo   ; child starts suspended; result unchecked
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
invoke ReadProcessMemory,pinfo.hProcess,targetaddress ,addr ORIG,2,0   ; save the 2 original bytes (lpNumberOfBytesRead = 0)
invoke WriteProcessMemory,pinfo.hProcess,targetaddress ,addr LOOOP,2,0   ; install the 2-byte self-jump
invoke ResumeThread,pinfo.hThread       ; child runs until it reaches targetaddress and spins there
mov CTX.ContextFlags,CONTEXT_FULL       ; select which register groups GetThreadContext returns
invoke GetThreadContext,pinfo.hThread,addr CTX   ; result immediately overwritten by the loop below
@dongu:
invoke GetThreadContext,pinfo.hThread,addr CTX   ; NOTE(review): busy-wait with no Sleep; GetThreadContext is documented as reliable only for a suspended thread, so a stale EIP read here is possible -- confirm
.if CTX.regEip!= targetaddress          ; keep polling until the thread is parked on the self-jump
JMP @dongu
.endif
invoke SuspendThread,pinfo.hThread      ; freeze the thread so its context is stable
invoke GetThreadContext,pinfo.hThread,addr CTX   ; re-read now that the thread is suspended
invoke ReadProcessMemory,pinfo.hProcess,CTX.regEax,addr beax,50,oku   ; NOTE(review): `oku` is passed without `addr`, i.e. by value, while lpNumberOfBytesRead expects a pointer -- presumably `addr oku` (or 0 as in the other calls) was intended, confirm
invoke MessageBox,0,addr beax,addr baslik,MB_OK   ; show the bytes read (see beax note on termination)
invoke WriteProcessMemory,pinfo.hProcess,targetaddress,addr ORIG,2,0   ; restore the saved bytes (see ORIG note)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
invoke ResumeThread, pinfo.hThread      ; let the child continue with its original code
invoke ExitProcess, 0                   ; never returns; pinfo handles are not closed explicitly
snif endp
end start;64bit not use (assembly stops at the first `end`; keep only the line matching the build)
end
RE: basic loader (32bit/64bit) - icrypto - 02-02-2021
(01-02-2021, 12:50 PM)kesmezar كتب : Convert to 64bit. Done!
;-----------------------------------------------------------------------
; 64-bit (ml64) version of the sniffer: starts test.exe suspended, saves
; the 2 original bytes at targetaddress, replaces them with the 2 bytes
; in InfiniteLoopBytes (EB FE, a short jump to itself), resumes the
; thread and polls its context until RIP equals targetaddress. It then
; suspends the thread, reads 20 bytes from the address held in RAX,
; prints them with printf, restores the original bytes, resumes the
; thread and waits for a keypress before exiting.
; NOTE(review): no API return value is checked anywhere in this proc.
;-----------------------------------------------------------------------
include masm64rt.inc
.const
filename db "test.exe", 0               ; child image, NUL-terminated
targetaddress equ 004012A5h             ; absolute VA in the child, used as an immediate (no ASLR handling)
InfiniteLoopBytes db 0EBh, 0FEh, 0      ; 2-byte self-jump written over targetaddress (trailing 0 not written)
OriginalBytesBuff db 00h, 00h, 0        ; NOTE(review): destination of ReadProcessMemory below, but placed in .const; if that section is read-only the read fails silently (return unchecked) and the restore later writes back 00 00 -- sinfo/pinfo/ctx are in .data for that reason, confirm
SerialMsg db "Your valid serial is: %s", 10, 0   ; printf format; %s needs a NUL-terminated buffer
.data
sinfo STARTUPINFO<>
pinfo PROCESS_INFORMATION<>             ; filled by CreateProcessA
align 8                                 ; NOTE(review): the x64 CONTEXT structure is documented as requiring 16-byte alignment; `align 8` only guarantees 8 -- confirm
ctx CONTEXT64<>                         ; filled by GetThreadContext; ContextFlags set once below
.data?
RealSerialBuff db 20+1 dup (?)          ; 20 bytes are read; the extra byte stays zero (.data? is zero-filled at load) and terminates the %s
.code
start proc
invoke CreateProcessA, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo   ; child starts suspended; result unchecked
invoke ReadProcessMemory, pinfo.hProcess, targetaddress, addr OriginalBytesBuff, 2, 0   ; save the 2 original bytes (see OriginalBytesBuff note)
invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr InfiniteLoopBytes, 2, 0   ; install the 2-byte self-jump
invoke ResumeThread, pinfo.hThread      ; child runs until it reaches targetaddress and spins there
mov ctx.ContextFlags, CONTEXT_FULL      ; select which register groups GetThreadContext returns
invoke GetThreadContext, pinfo.hThread, addr ctx   ; result immediately overwritten by the loop below
@InfiniteLoop:
invoke GetThreadContext, pinfo.hThread, addr ctx   ; NOTE(review): busy-wait with no Sleep; GetThreadContext is documented as reliable only for a suspended thread, so a stale RIP read is possible -- confirm
.if (ctx.Rip ~= targetaddress)          ; NOTE(review): `~=` is not a MASM comparison operator; the 32-bit version uses `!=` -- presumably forum mangling, confirm against the original source
jmp @InfiniteLoop
.endif
invoke SuspendThread, pinfo.hThread     ; freeze the thread so its context is stable
invoke GetThreadContext, pinfo.hThread, addr ctx   ; re-read now that the thread is suspended
mov rax, qword ptr ctx+120 ;; --> ctx.Rax :)  (120 = 78h is the offset of Rax in the x64 CONTEXT layout; prefer the named field if the include defines it so the offset is not hand-maintained)
invoke ReadProcessMemory, pinfo.hProcess, rax, addr RealSerialBuff, 20, 0   ; NOTE(review): passes the volatile rax through the invoke macro; relies on the macro not clobbering rax while loading the other arguments -- confirm
invoke printf, addr SerialMsg, addr RealSerialBuff   ; variadic call; argument setup is left to the masm64rt invoke macro
invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr OriginalBytesBuff, 2, 0   ; restore the saved bytes
invoke ResumeThread, pinfo.hThread      ; let the child continue with its original code
invoke getchar                          ; keep the console open until a key is pressed
invoke ExitProcess, 0                   ; never returns; pinfo handles are not closed explicitly
ret 0                                   ; unreachable after ExitProcess
start endp
end
Attached: 64-bit build.