crazyskate66

Members
  • Content count: 97
  • Days Won: 2

crazyskate66 last won the day on April 9

crazyskate66 had the most liked content!

Community Reputation: 46 Excellent

About crazyskate66
  • Rank: Member
  • Birthday: 07/12/1991
  1. I made this a while back; can't remember if it works well. It takes shellcode, encrypts it and saves it into a new project (your stub), and you simply compile a new stub with your code built in. Credit me and the other coders' source code. IT IS ONLY FAIR. Genorator.rar
  2. What are you using this for... is it for YOU to use, or are you hoping to sell it?
  3. So if I have everything correct, your "RunPEProc" is a procedure in the DLL shellcode stored in "Shell Code". The DLL has the inject code in it and tries to inject the shellcode of the second file into this current process? So if everything is correct so far, what you are trying to do overall is encrypt the shellcode of both of them while they are both strings, then edit your stub to insert the new encrypted shellcode. Then when it runs, decrypt the shellcode strings, make them an array of bytes again and then pass them to your new decrypted injection shellcode? Crypter -> encrypted RunPE shellcode and encrypted payload shellcode -> Stub; Stub -> decrypt both -> inject it.
  4. Right, so I have looked at the code... and I have a few questions. Some of the code is missing; I can't solve the puzzle if parts are missing. I don't understand why you are copying the arrays of bytes into files and then reading them back into an array; it seems a bit pointless. Plus you close hfile1 twice and never close hfile. Lastly, RunPEProc: procedure(Buffer: ByteArray); is missing?
  5. Thanks, I will give it a try, but I ended up creating a custom server in Delphi to connect to the client and decode the traffic.
  6. @Protocol thank you. @cracksman this is just to format the string:

     RtlStringCbPrintfA(Message, sizeof(Message), "ProcessCreated|%d|%s|%d|%s|", hProcessId, GetProcessNameFromPid(hProcessId), hParentId, GetProcessNameFromPid(hParentId)); // <<<< just to format the message
     WrPipe(Message, sizeof(Message)); // <<<< sends the message to user mode
     RtlStringCbCatA(Message, sizeof(Message), " "); // <<<< clears the message out to blank again

     And the DbgPrint("") calls can be removed altogether, as they were just for testing.
  7. I allocated a bigger buffer than was needed, but I got the rest to work. I am just going to use split() in the Delphi user mode app to get rid of the rest. Lazy. Here is the code to pass the output to the pipe:

     RtlStringCbPrintfA(Message, sizeof(Message), "ProcessCreated|%d|%s|%d|%s|", hProcessId, GetProcessNameFromPid(hProcessId), hParentId, GetProcessNameFromPid(hParentId));
     WrPipe(Message, sizeof(Message));
     RtlStringCbCatA(Message, sizeof(Message), " ");

     Btw, I am hating this content approval function on the forum.
  8. Right, I have managed to get it to work with a test message and have it received in the client in user mode. Here is the working source code for the kernel side; I am just using the read pipe example above.

     NTSTATUS WrPipe(void* pBuf, ULONG bufSize)
     {
         NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
         int i = 0;
         LARGE_INTEGER duetime;
         HANDLE hPipe = NULL;
         PWSTR lpszPipename = L"\\??\\PIPE\\PipeName";   // NT-namespace path of the pipe: \??\PIPE\PipeName
         OBJECT_ATTRIBUTES objectAttributes;
         UNICODE_STRING fullFileName;
         IO_STATUS_BLOCK ioStatus;

         duetime.QuadPart = -1000000;   // relative 100 ms (negative = relative, in 100 ns units)
         RtlInitUnicodeString(&fullFileName, lpszPipename);
         //DbgPrint("Pipe Name %wZ", &fullFileName);
         InitializeObjectAttributes(&objectAttributes, &fullFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);

         // Try to open the named pipe; wait and retry if necessary.
         for (i = 0; i < 90; i++)
         {
             DbgPrint("Loop Pipe Two");
             ntStatus = ZwCreateFile(&hPipe, SYNCHRONIZE | GENERIC_READ | GENERIC_WRITE,
                                     &objectAttributes, &ioStatus, NULL, FILE_ATTRIBUTE_NORMAL,
                                     FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF,
                                     FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
             // ZwCreateFile reports failure through the NTSTATUS, not through INVALID_HANDLE_VALUE.
             if (NT_SUCCESS(ntStatus))
             {
                 DbgPrint("Valid Handle Stopping The Loop");
                 break;
             }
             // Exit if an error other than ERROR_PIPE_BUSY occurs.
             //if (ioStatus.Status != 231L/*ERROR_PIPE_BUSY*/)
             //{
             //    return FALSE;
             //}
             KeDelayExecutionThread(KernelMode, FALSE, &duetime);
         }
         if (!NT_SUCCESS(ntStatus))
         {
             DbgPrint("Invalid Handle");
             return ntStatus;
         }

         DbgPrint("Pipe 2 Writing");
         ntStatus = ZwWriteFile(hPipe, NULL, NULL, NULL, &ioStatus, pBuf, bufSize, NULL, NULL);
         ZwClose(hPipe);
         return ntStatus;
     }

     Use: WrPipe("HelloFromkernel.", strlen("HelloFromkernel."));

     However, I am unable to pass the same string as the debug message here:

     DbgPrint("[TestDriver] Process Created : %d [%s] Parent was : %d [%s] \n", hProcessId, GetProcessNameFromPid(hProcessId), hParentId, GetProcessNameFromPid(hParentId));

     I receive the correct number of bytes but never any text, in ANSI or wide. Any ideas?
  9. I have changed the debug output, lol:

     // Break if the pipe handle is valid.
     if (hPipe != INVALID_HANDLE_VALUE)
     {
         DbgPrint("Invalid Handle");
         break;
     }

     (hPipe != INVALID_HANDLE_VALUE) would be a valid pipe. I have also edited the other two write functions out of the code. For the life of me, I could not get my head around why exactly they are in the code, but that is the problem of learning from other people's code... I will play around with the code today and post later.
  10. Right, I have managed to get something out of the pipe finally, but it looks like junk at the moment, as it doesn't look anything like the message I put in. I will try to fix it tomorrow; if I fix it, I will post it.
  11. I have updated my code, but I still get "Invalid Handle" and "Pipe 2 Writeing". Please reference the code to see where the debug strings are placed.

     NTSTATUS WrPipe(ULONG offset, PVOID pBuf, ULONG bufSize)
     {
         NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
         int i = 0;
         LARGE_INTEGER duetime;
         HANDLE hPipe = NULL;
         PWSTR lpszPipename = L"\\??\\PIPE\\PipeName";   // NT-namespace path, single leading backslash: \??\PIPE\PipeName
         OBJECT_ATTRIBUTES objectAttributes;
         UNICODE_STRING fullFileName;
         IO_STATUS_BLOCK ioStatus;

         duetime.QuadPart = -1000000;   // relative 100 ms (negative = relative, in 100 ns units)
         RtlInitUnicodeString(&fullFileName, lpszPipename);
         //DbgPrint("Pipe Name %wZ", &fullFileName);
         InitializeObjectAttributes(&objectAttributes, &fullFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);

         // Try to open the named pipe; wait and retry if necessary.
         for (i = 0; i < 90; i++)
         {
             DbgPrint("Loop Pipe Two");
             ntStatus = ZwCreateFile(&hPipe, SYNCHRONIZE | GENERIC_READ | GENERIC_WRITE,
                                     &objectAttributes, &ioStatus, NULL, FILE_ATTRIBUTE_NORMAL,
                                     FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, //FILE_OPEN_IF
                                     FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
             // ZwCreateFile reports failure through the NTSTATUS, not through INVALID_HANDLE_VALUE.
             if (NT_SUCCESS(ntStatus))
             {
                 DbgPrint("Invalid Handle");   // this debug string is printed on the success path
                 break;
             }
             // Exit if an error other than ERROR_PIPE_BUSY occurs.
             //if (ioStatus.Status != 231L/*ERROR_PIPE_BUSY*/)
             //{
             //    return FALSE;
             //}
             KeDelayExecutionThread(KernelMode, FALSE, &duetime);
         }
         if (!NT_SUCCESS(ntStatus))
             return ntStatus;

         DbgPrint("Pipe 2 Writeing");
         // Frame: 4-byte offset, 4-byte length, then the payload bytes.
         ntStatus = ZwWriteFile(hPipe, NULL, NULL, NULL, &ioStatus, &offset, sizeof(offset), NULL, NULL);
         if (NT_SUCCESS(ntStatus))
         {
             // DbgPrint("Pipe2 write 2");
             ntStatus = ZwWriteFile(hPipe, NULL, NULL, NULL, &ioStatus, &bufSize, sizeof(bufSize), NULL, NULL);
         }
         if (NT_SUCCESS(ntStatus))
         {
             DbgPrint("Pipe 2 Write 3");
             ntStatus = ZwWriteFile(hPipe, NULL, NULL, NULL, &ioStatus, pBuf, bufSize, NULL, NULL);
         }
         ZwClose(hPipe);
         return ntStatus;
     }
  12. Edited. This is the kernel pipe I created. Probably not great, I know; I am new to C++.

     void SentToUserMode(IN UCHAR * pBuf)
     {
         NTSTATUS ntStatus;
         HANDLE hPipe = NULL;
         PWSTR lpszPipename = L"\\??\\PIPE\\TestPipe";   // NT-namespace path; Zw* calls do not understand the Win32 \\.\ prefix
         OBJECT_ATTRIBUTES objectAttributes;
         UNICODE_STRING fullFileName;
         IO_STATUS_BLOCK ioStatus;

         DbgPrint("Pipe Called %s", pBuf);
         RtlInitUnicodeString(&fullFileName, lpszPipename);
         InitializeObjectAttributes(&objectAttributes, &fullFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);

         ntStatus = ZwCreateFile(&hPipe, SYNCHRONIZE | GENERIC_READ | GENERIC_WRITE,
                                 &objectAttributes, &ioStatus, NULL, FILE_ATTRIBUTE_NORMAL,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF,
                                 FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
         // ZwCreateFile reports failure through the NTSTATUS, not through INVALID_HANDLE_VALUE.
         if (!NT_SUCCESS(ntStatus))
         {
             DbgPrint("Open failed: 0x%X", ntStatus);
             return;
         }

         DbgPrint("Writing to file");
         // Write the string bytes themselves; passing &pBuf with sizeof(&pBuf) would send the pointer value instead.
         ntStatus = ZwWriteFile(hPipe, NULL, NULL, NULL, &ioStatus, pBuf, (ULONG)strlen((const char *)pBuf), NULL, NULL);
         if (NT_SUCCESS(ntStatus))
             DbgPrint("Written to file");

         ZwClose(hPipe);
     }

     And I am using Viotto's pipe example in Delphi to receive the message.
  13. @cracksman, thank you for your help. I have been trying to get named pipes to work for a few days now, with very little success. My driver creates the file with a valid handle and, from what I can determine, writes to the pipe, but nothing pops up on the Delphi user mode application. I have had more success with IOCTL, getting a message from the user mode app to the driver and back to the user mode app, but this is not ideal as it requires the user mode app to loop sending the same message and checking if the last reply is the same or not. What I am trying to achieve is for the driver to dispatch a message to user mode with the process ID, process path and process parent, so they can be tracked. So far I have had very limited success, as there are not very many examples of this. I have tried doing my own research, but being dyslexic I don't learn very quickly from text; however, I am able to work out what is going on and then modify it quickly from seeing code, not to mention I have never been taught to code; I have taught myself. So thank you once again, I will give it a go.
  14. Hi guys. Has anyone got a full example of both sides of this, with an example of passing 2 integers? I am being lazy at the moment and want to finish my side project. Anyone?
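The posts above settle on a driver that writes each event as two ULONGs (offset, bufSize) followed by the payload, where the payload is the fixed-size ANSI buffer filled by RtlStringCbPrintfA("ProcessCreated|%d|%s|%d|%s|") and sent with sizeof(Message). What they never show is the user-mode half that has to make sense of those bytes, so here is an added example of that decoding side (it is not code from crazyskate66's posts or from the Delphi pipe example they mention). It assumes 4-byte little-endian ULONGs as on x86/x64, the framing from the WrPipe(offset, pBuf, bufSize) version, and that a pipe read may return a partial frame; the sample stream, process names and PIDs are constructed for the example. Because the pipe is an input boundary for the monitoring application, every frame length and every field is validated before it becomes an event, and frames that do not parse (such as the "junk" seen when a pointer was written instead of the string) are kept aside rather than silently dropped.

```python
"""Decode the framed process-creation messages a kernel driver writes into a named pipe.

Added example, not code from the forum posts. Assumed wire format:
  ULONG offset, ULONG bufSize, then bufSize payload bytes (little-endian x86/x64),
where the payload is the whole fixed-size buffer from
  RtlStringCbPrintfA(Message, sizeof(Message), "ProcessCreated|%d|%s|%d|%s|", ...)
so the message is NUL-terminated and the bytes after the NUL are stale.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER = struct.Struct("<II")   # offset, bufSize: two ULONGs, little-endian
MAX_PAYLOAD = 4096              # refuse absurd lengths instead of buffering them


@dataclass(frozen=True)
class ProcessCreated:
    pid: int
    image: str
    parent_pid: int
    parent_image: str


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut complete (header + payload) frames off the front of the byte stream.
    Returns the payloads and the incomplete tail to keep for the next pipe read."""
    payloads: List[bytes] = []
    pos = 0
    while len(stream) - pos >= HEADER.size:
        _offset, size = HEADER.unpack_from(stream, pos)
        if size > MAX_PAYLOAD:
            raise ValueError(f"frame length {size} exceeds limit; stream out of sync")
        start = pos + HEADER.size
        if len(stream) - start < size:
            break                                   # partial frame: wait for more bytes
        payloads.append(stream[start:start + size])
        pos = start + size
    return payloads, stream[pos:]


def decode_message(payload: bytes) -> str:
    """Only the bytes before the first NUL are the message; the driver sends the
    whole buffer. Non-ASCII bytes mean junk (e.g. a pointer value written by mistake)."""
    text = payload.split(b"\x00", 1)[0]
    return text.decode("ascii")                     # raises UnicodeDecodeError on junk


def parse_process_created(message: str) -> Optional[ProcessCreated]:
    """Validate 'ProcessCreated|pid|image|ppid|parent_image|' field by field."""
    parts = message.split("|")
    if len(parts) != 6 or parts[0] != "ProcessCreated" or parts[5] != "":
        return None
    try:
        pid, parent_pid = int(parts[1]), int(parts[3])
    except ValueError:
        return None
    if pid < 0 or parent_pid < 0:
        return None
    return ProcessCreated(pid, parts[2], parent_pid, parts[4])


def consume(stream: bytes) -> Tuple[List[ProcessCreated], List[bytes], bytes]:
    """Turn pipe bytes into events; return rejected payloads (for logging) and the unconsumed tail."""
    events: List[ProcessCreated] = []
    rejected: List[bytes] = []
    payloads, leftover = split_frames(stream)
    for payload in payloads:
        try:
            event = parse_process_created(decode_message(payload))
        except UnicodeDecodeError:
            event = None
        if event is None:
            rejected.append(payload)
        else:
            events.append(event)
    return events, rejected, leftover


# --- constructed sample input standing in for what the driver would write ------------
def build_frame(text: bytes, buffer_size: int = 64, offset: int = 0) -> bytes:
    """Mimic the driver: NUL-terminated message in a fixed buffer whose tail is stale bytes."""
    body = (text + b"\x00").ljust(buffer_size, b"\xcd")
    return HEADER.pack(offset, len(body)) + body


TRUNCATED = build_frame(b"ProcessCreated|9|svchost.exe|4|wininit.exe|")
SAMPLE_STREAM = (
    build_frame(b"ProcessCreated|1234|notepad.exe|800|explorer.exe|")
    + build_frame(b"\xff\xfe\x01\x02")   # junk payload, as when a pointer is written instead of the string
    + TRUNCATED[:25]                      # frame cut mid-payload by a short pipe read
)

if __name__ == "__main__":
    events, rejected, leftover = consume(SAMPLE_STREAM)
    for event in events:
        print(event)
    print(f"{len(rejected)} rejected frame(s), {len(leftover)} byte(s) waiting for the next read")
    more, _, _ = consume(leftover + TRUNCATED[25:])   # the rest of the cut frame arrives
    print(more[0])
```

The leftover bytes returned by consume() are the piece a real reader prepends to its next ReadFile result; that is what keeps the stream in sync when the pipe hands back less than one frame, which a fixed "read sizeof(Message) bytes" loop cannot do.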