Let me look up for it.
Greetings Cobein,
I'm writing about your splendid RunPE, great work first of all.
Can you point out why it's not working on OS versions higher than Vista? Even if I load it with native APIs.
Thanks,
Astral.
The problem is the shellcode that retrieves the Kernel32 address… you just need to change it… Pretty advanced… Perhaps tomorrow I'll upload the updated shellcode.
Sorry that I didn't mention you, Karcrack, when I said great work about RunPE.
Thanks for pointing it out, I'll mess with it a little…
Astral.
Hey mate,
Some AVs are detecting this API declaration in CallApiPtr :(
Private Declare Function DFC Lib "MSVBVM60" Alias "DllFunctionCall" (ByRef typeAPI As tAPICall) As Long
Just crypt the strings… look at that code:
http://hackhound.org/forum/index.php/topic,22978….
Actually, __vbaCopyBytes is also detected when the project is compiled in p-code,
so DeObfuscateAPI is then detected too !! :(
NVT is not up to date, but with the last update Avira tagged these two APIs (__vbaCopyBytes and DllFunctionCall).
Avira sucks…
You will need to use these APIs by declaring them in a .TLB.
Hello guys, I really need your help.
Is there any way to call these two APIs using Cobein's cInvoke:
Private Declare Function FindFirstUrlCacheEntry Lib "wininet" Alias "FindFirstUrlCacheEntryA" (ByVal lpszUrlSearchPattern As String, lpFirstCacheEntryInfo As Any, lpdwFirstCacheEntryInfobufDataerSize As Long) As Long
Private Declare Function FindNextUrlCacheEntry Lib "wininet" Alias "FindNextUrlCacheEntryA" (ByVal hEnumHandle As Long, lpNextCacheEntryInfo As Any, lpdwNextCacheEntryInfobufDataerSize As Long) As Long
Hey Karcrack,
I need to obfuscate these calls:
Private Declare Function FindFirstUrlCacheEntry Lib "ˆ–‘–‘š‹" Alias "¹–‘›¹–Œ‹ª“¼žœ—šº‘‹†¾" (ByVal lpszUrlSearchPattern As String, lpFirstCacheEntryInfo As Any, lpdwFirstCacheEntryInfobufDataerSize As Long) As Long
'Private Declare Function FindFirstUrlCacheEntry Lib "wininet" Alias "FindFirstUrlCacheEntryA" (ByVal lpszUrlSearchPattern As String, lpFirstCacheEntryInfo As Any, lpdwFirstCacheEntryInfobufDataerSize As Long) As Long
Private Declare Function FindNextUrlCacheEntry Lib "ˆ–‘–‘š‹" Alias "¹–‘›±š‡‹ª“¼žœ—šº‘‹†¾" (ByVal hEnumHandle As Long, lpNextCacheEntryInfo As Any, lpdwNextCacheEntryInfobufDataerSize As Long) As Long
'Private Declare Function FindNextUrlCacheEntr Lib "wininet" Alias "FindNextUrlCacheEntryA" (ByVal hEnumHandle As Long, lpNextCacheEntryInfo As Any, lpdwNextCacheEntryInfobufDataerSize As Long) As Long
I crypted the API and DLL name strings and called the function:
Private Sub Command1_Click()
MsgBox DeObfuscateAPI("ˆ–‘–‘š‹", "¹–‘›¹–Œ‹ª“¼žœ—šº‘‹†¾")
MsgBox DeObfuscateAPI("ˆ–‘–‘š‹", "¹–‘›±š‡‹ª“¼žœ—šº‘‹†¾")
End Sub
The function returns True in the first call and False in the second when I try to obfuscate two functions from the same DLL, like FindNextUrlCacheEntry and FindFirstUrlCacheEntry in wininet.dll.
Can you help me with that?
Hello everyone,
I am trying to mod RTFlol IE7/8 password recovery by adding the detected API declarations as a reference in the project, in a .tlb file.
Some of my calls were successful, like with this API for example (I chose this example because this function takes the type "Any"; in the tlb I replaced it with void and all is working well):
Private Declare Function lstrlenA Lib "kernel32" (ByVal ptr As Any) As Long
' call:
lstrlenA(ptrData + eIndex.dwDataOffset)
I have several problems with other APIs, like:
Private Declare Function FindFirstUrlCacheEntry Lib "wininet" Alias "FindFirstUrlCacheEntryA" (ByVal lpszUrlSearchPattern As String, lpFirstCacheEntryInfo As Any, lpdwFirstCacheEntryInfobufDataerSize As Long) As Long
Private Declare Function FindNextUrlCacheEntry Lib "wininet" Alias "FindNextUrlCacheEntryA" (ByVal hEnumHandle As Long, lpNextCacheEntryInfo As Any, lpdwNextCacheEntryInfobufDataerSize As Long) As Long
Here are some screenshots of the tlb I created (I used UUID.EXE and MKTYPLIB.EXE http://support.microsoft.com/kb/143258 to create the tlb and EditTLB.exe to edit and view the tlb files):
http://i43.tinypic.com/14nhb2r.png
http://i41.tinypic.com/ehgbpd.png
http://i44.tinypic.com/2evbuwg.png
http://i43.tinypic.com/9gwqo2.png
To call the function, I followed the original RTFlol code:
m_Cache = FindFirstUrlCacheEntry(vbNullString, ByVal 0&, dwSize)
Then I tried to make some changes:
m_Cache = FindFirstUrlCacheEntry(vbNullString, 0&, dwSize)
After compiling successfully, the application runs but doesn't return the IE stored usernames/passwords.
I don't know where the problem is in what I did (tlb or calls or both :( ); I tried different ways but still no result.
As I mentioned above, I have made successful calls with several other APIs, even with functions taking the type Any as a parameter.
Any comment or help is really appreciated.
Thanks a lot.
You are very good.
Excellent site, good to know there are more Spanish speakers around here.
Can someone tell me why CopyMemory can't be called from a .tlb?
Got every other API working in the .tlb for RunPE except CopyMemory.
I have the same problem, "__vbaCopyBytes" doesn't work for me, though the TLB is:
DLL Entry: __vbaCopyBytes
return: void
parameters{
Size: [in] long
Dest: [in][void]*
Source:[in][void]
}
While it works with other calls.
The difference between using a tlb and declaring the API in the code is the import table, but in any case it must work; you have to be doing something wrong in the tlb.
Well, Cobein, I've been investigating the topic… And apparently VB has a problem…. When you send a structure through the normal call (DllFunctionCall) it sends a different pointer than when you do it through an API declared in the IAT (*.TLB). I'll keep investigating; I think with a little trick the problem could be skipped =D
Hi
You are right!
That's the case: when I tested "rtlmovememory" and "__copybytes" from the .tlb and from the in-code declaration, both worked perfectly with pointers and strings…
But with struct data it behaves very strangely….
Thank you guys.
Karcrack, I think the problem isn't with the structure pointers, since if we go to the RunPE module… there's no error loading the data through an API declared in the IAT into the IMAGE_DOS_HEADER and IMAGE_NT_HEADERS structures, at least with RtlMoveMemory, and I can assure you not with __vbaCopyBytes either.
Either it's some other strange problem, or something with the IMAGE_SECTION_HEADER structure (the only thing out of place, its first variable being a string :s), or the tlbs that PowerVB generates don't seem to differentiate a ByRef variable from a ByVal one (you can see it when you mouse over the call line in VB)…
It's a little strange, let's see if some expert around here solves the little problem (?
Cheers
Hey Cobein, maybe you'd find it interesting to make a tiny cSocketMaster, like this one http://www.opensc.ws/snippets/6130-vb6-socket-wit... but with no runtime form creation :D and without that trash that's on it :D
I ask you because I tried, but I'm a little noobie and I don't know where to start :3
Regards, and I wish you the best.
+ I wonder, just send and receive functionality :P
Has anyone out there found a solution for the problem with RtlMoveMemory in RunPE?
Greetz, 8urgerK0ng
I meant "join us" :D [baaad English]