basic loader (32bit/64bit)

[icrypto]

.This is a very basic loader without Address Space Layout Randomization support

It Can build to produce 32bit or 64bit application (MASM32 or MASM64)
 

ifndef _Win64
include masm32rt.inc
else
include masm64rt.inc
endif
 
.const
    filename          db "victim.exe", 0
    targetaddress     dd 403000h
    values            db 4 dup(90h,90h,90h,90h)

    sinfo STARTUPINFO<>
    pinfo PROCESS_INFORMATION<>
 
.code
    start proc
        invoke CreateProcessA, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
        invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr values, 4, NULL
        invoke ResumeThread, pinfo.hThread
        invoke ExitProcess, 0
        ret 0
    start endp
end

[kesmezar]

 ->لقد غيرتها إلى 32 بت

Your code does not work as such. I ran it with some change

.386 
.model flat,stdcall 
option casemap:none 

ifndef _Win64;
include masm32rt.inc;
else;
include masm64rt.inc;
endif;
      
.data 
filename          db "test.exe", 0
targetaddress     dd 004012D8h 
values            byte 74h ;dup(90h,90h,90h,90h)
sinfo STARTUPINFO<>
pinfo PROCESS_INFORMATION<>

.code
start: ;->64bit not use
loader proc public
invoke CreateProcess, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr values, 1,0
invoke ResumeThread, pinfo.hThread
invoke ExitProcess,0 
loader endp
end start ;->64bit not use
end ;->for 64bit

[icrypto]

.Your code does not work as such. I ran it with some change

:MASM64 Assembler doesn't accept

.386
.model flat,stdcall

:and this Entrypoint format

start:
         
end start

 : Instead it accept this Entrypoint format

start proc

start endp

.For 64bit build I'm using ml64.exe from Visual Studio
?Can you successfully build 64bit application with your modified code

[kesmezar]

I just added 32bit. Since I don't use 64bit, I don't have a chance to try it.
أضفت 32 بت. نظرًا لأنني لا أستخدم 64 بت ، فليس لدي فرصة لتجربته.

[icrypto]

I just added 32bit. Since I don't use 64bit, I don't have a chance to try it.

 
 

;
; This is a very basic loader without Address Space Layout Randomization support.
; It Can build to produce 32bit or 64bit application (MASM32 or MASM64)
;

ifndef _Win64
include masm32rt.inc
else
include masm64rt.inc
endif
 
.const
    filename          db "test.exe", 0
    targetaddress     dd 4012D8h
    values            db 1 dup(74h)

    sinfo STARTUPINFO<>
    pinfo PROCESS_INFORMATION<>
 
.code
    start proc
        invoke CreateProcessA, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
        invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr values, 1, NULL
        invoke ResumeThread, pinfo.hThread
        invoke ExitProcess, 0
        ret 0
    start endp
end

 

! Ok
.I Can't download your attachment yet, but I adapted my sample to work with your provided address of [test.exe] application

.Attached 32bit and 64bit build from my previous code

[kesmezar]

Ok now let's make this a serial sniffer. Convert to 64bit.

https://dosya.co/l3361g3yraiu/test.exe.html
 

 
;for 64bit this area erase
;;;;;;;;;;;;;;;;;;;;;;;;;;
.386 
.model flat,stdcall 
option casemap:none 
;;;;;;;;;;;;;;;;;;;;;;;;;;


ifndef _Win64
include masm32rt.inc
else
include masm64rt.inc
endif
 
.const
    filename          db "test.exe", 0
    targetaddress equ 004012A5h ;targetaddress dd 4012A5h;This is snif address not patch
    ;values           db 1 dup(74h)
    
LOOOP db 0EBh,0FEh,0
ORIG db 00h,00h,0
baslik db "your serial :",0
    
.data

    sinfo STARTUPINFO<>
    pinfo PROCESS_INFORMATION<>
    CTX CONTEXT<>

.data?
beax db 50 dup (?)
oku db 50 dup(?)
 
.code
start:;64bit not use
    snif proc public  
        invoke CreateProcessA, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
invoke ReadProcessMemory,pinfo.hProcess,targetaddress ,addr ORIG,2,0
invoke WriteProcessMemory,pinfo.hProcess,targetaddress ,addr LOOOP,2,0
        invoke ResumeThread,pinfo.hThread
        mov CTX.ContextFlags,CONTEXT_FULL
invoke GetThreadContext,pinfo.hThread,addr CTX
@dongu:
invoke GetThreadContext,pinfo.hThread,addr CTX
.if CTX.regEip!= targetaddress
JMP @dongu
.endif
invoke SuspendThread,pinfo.hThread
invoke GetThreadContext,pinfo.hThread,addr CTX
invoke ReadProcessMemory,pinfo.hProcess,CTX.regEax,addr beax,50,oku
invoke MessageBox,0,addr beax,addr baslik,MB_OK
invoke WriteProcessMemory,pinfo.hProcess,targetaddress,addr ORIG,2,0
        ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    
        invoke ResumeThread, pinfo.hThread
        invoke ExitProcess, 0
    snif endp
end start;64bit not use 
end

[icrypto]

Convert to 64bit

! Done

 

include masm64rt.inc
 
.const
    filename              db    "test.exe", 0
    targetaddress         equ   004012A5h
    
    InfiniteLoopBytes     db    0EBh, 0FEh, 0
    OriginalBytesBuff     db    00h, 00h, 0
    SerialMsg             db    "Your valid serial is: %s", 10, 0
    
.data
    sinfo STARTUPINFO<>
    pinfo PROCESS_INFORMATION<>
    
    align 8
    ctx CONTEXT64<>

.data?
    RealSerialBuff        db    20+1 dup (?)
 
.code
start proc  
    invoke CreateProcessA, addr filename, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
 
    invoke ReadProcessMemory, pinfo.hProcess, targetaddress, addr OriginalBytesBuff, 2, 0
    invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr InfiniteLoopBytes, 2, 0
    invoke ResumeThread, pinfo.hThread
    
    mov    ctx.ContextFlags, CONTEXT_FULL
    invoke GetThreadContext, pinfo.hThread, addr ctx
    
    @InfiniteLoop:
    invoke GetThreadContext, pinfo.hThread, addr ctx
    .if (ctx.Rip ~= targetaddress)
    jmp @InfiniteLoop
    .endif
    
    invoke SuspendThread, pinfo.hThread
    invoke GetThreadContext, pinfo.hThread, addr ctx

    mov    rax, qword ptr ctx+120 ;; --> ctx.Rax :)
    invoke ReadProcessMemory, pinfo.hProcess, rax, addr RealSerialBuff, 20, 0
    
    invoke printf, addr  SerialMsg, addr RealSerialBuff
    invoke WriteProcessMemory, pinfo.hProcess, targetaddress, addr OriginalBytesBuff, 2, 0
    
    invoke ResumeThread, pinfo.hThread
    invoke getchar
    invoke ExitProcess, 0
    ret 0
start endp
end

.Attached 64bit build