giovedì 10 maggio 2012

How to patch Adobe Flash Player (ocx v.11.2.202.233)

Less than a year after patching v10, today I also patched Adobe Flash Player v11, because it prevents you from saving the audio/video data to disk.
One of the many CreateFileW calls in the Flash Player OCX opens the temporary files (xxx.tmp) with a share mode that stops other processes from reading or writing them. This small 2-byte modification changes the parameters passed to CreateFileW so that the temp files stay in the temp folder and can be read while an FLV stream is still downloading (beware: the temp files are no longer cleaned up, so delete them each time or the temp folder fills up).

Works only for Flash Player version 11.2.202.233: the byte offsets shown below are specific to this build.
Path: "C:\WINDOWS\system32\Macromed\Flash\Flash32_11_2_202_233.ocx"

Attention: before making any change, back up the original OCX. A patched OCX no longer matches Adobe's digital signature, and the next Flash Player update will overwrite it (and will need a new offset), so keep the backup and redo the check per version.

- v. 11.2.202.233 - not patched (from hex editor)-


  - v.11.2.202.233 - patched (from hex editor  2 bytes modified)-
 
 
 
 
 
 
 
 
   -view from debugger (parameters for CreateFileW) -
 
 
 

mercoledì 9 maggio 2012

Horizontal splitter driven by a mouse hook (using hook/subclassing shellcode)

aaaaaaaaa
Private Declare Function SelectObject Lib "gdi32" (ByVal hdc As Long, ByVal hObject As Long) As Long
Private Declare Function DeleteObject Lib "gdi32" (ByVal hObject As Long) As Long
Private Declare Function PatBlt Lib "gdi32" (ByVal hdc As Long, ByVal x As Long, ByVal y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal dwRop As Long) As Long
Private Declare Function CreatePatternBrush Lib "gdi32" (ByVal hBitmap As Long) As Long
Private Declare Function CreateBitmapIndirect Lib "gdi32" (lpBitmap As BITMAP) As Long
Private Declare Function CreateDCAsNull Lib "gdi32" Alias "CreateDCA" (ByVal lpDriverName As String, lpDeviceName As Any, lpOutput As Any, lpInitData As Any) As Long
Private Declare Function DeleteDC Lib "gdi32" (ByVal hdc As Long) As Long
Private Const PATINVERT = &H5A0049       ' (DWORD) dest = pattern XOR dest
Private Const DSTINVERT = &H550009       ' (DWORD) dest = (NOT dest)
Private Declare Function GetWindowRect Lib "user32" (ByVal hwnd As Long, lpRect As RECT) As Long

Private Declare Function WindowFromPoint Lib "user32.dll" (ByVal xPoint As Long, ByVal yPoint As Long) As Long
Private Declare Function GetCursorPos Lib "user32.dll" (ByRef lpPoint As POINTAPI) As Long

' Gap between the bottom of pic1 and the top of pic2, measured in Form_Load
' (in the container's scale units); also used as the splitter bar height.
Private dist As Integer

' 16 bytes of monochrome pattern bits (16 x 8 pixels, 2 bytes per row) for the brush.
Private m_lPattern(0 To 3) As Long
' GDI pattern brush built from m_lPattern in Form_Load; 0 when not created.
Private m_hBrush As Long

' Win32 BITMAP structure (24 bytes on x86), used to describe the monochrome
' pattern bitmap passed to CreateBitmapIndirect in Form_Load.
Private Type BITMAP '24 bytes
   bmType As Long
   bmWidth As Long        ' pixels
   bmHeight As Long       ' pixels
   bmWidthBytes As Long   ' bytes per scan line
   bmPlanes As Integer
   bmBitsPixel As Integer
   bmBits As Long         ' pointer to the pixel bits (VarPtr of m_lPattern)
End Type

' Win32 RECT, filled by GetWindowRect (screen coordinates).
Private Type RECT
   left As Long
   top As Long
   right As Long
   bottom As Long
End Type

' Win32 POINT, filled by GetCursorPos (screen coordinates).
Private Type POINTAPI
    x As Long
    y As Long
End Type


' Hook helper object (external class, not shown here): installs the WH_MOUSE
' hook in Form_Load and calls HookProcMouse back for each mouse message.
Dim cHookMouse As cHookCallback

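' Releases the hook helper (presumably it removes the WH_MOUSE hook in its
' terminate handler — confirm against cHookCallback) and frees the GDI
' pattern brush created in Form_Load, which the original never released.
Private Sub Form_Unload(Cancel As Integer)
    Set cHookMouse = Nothing
    DestroyBrush
End Sub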

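' Installs the WH_MOUSE hook that drives the splitter cursor (HookProcMouse)
' and builds the checkerboard pattern brush used to draw the splitter bar.
Private Sub Form_Load()
    Dim tbm As BITMAP
    Dim hBm As Long
    Dim i As Long

    ' Mouse hook; the callback is resolved by vtable ordinal 1 (see HookProcMouse).
    Set cHookMouse = New cHookCallback
    Call cHookMouse.shk_SetHook(WH_MOUSE, , eMsgWhen.MSG_AFTER, , 1, Me)

    ' &HAAAA5555 stores rows of 0101... and 1010... bits alternately, so the
    ' 16 x 8 monochrome bitmap below (2 bytes per row, 16 bytes total) is a
    ' 1-pixel checkerboard.
    For i = 0 To 3
        m_lPattern(i) = &HAAAA5555
    Next i

    DestroyBrush                          ' never leak a previous brush

    ' Describe the monochrome bitmap over the pattern bits.
    tbm.bmType = 0
    tbm.bmWidth = 16
    tbm.bmHeight = 8
    tbm.bmWidthBytes = 2
    tbm.bmPlanes = 1
    tbm.bmBitsPixel = 1
    tbm.bmBits = VarPtr(m_lPattern(0))
    hBm = CreateBitmapIndirect(tbm)
    If hBm <> 0 Then
        ' The brush has its own copy of the bits; the bitmap can go afterwards.
        m_hBrush = CreatePatternBrush(hBm)
        DeleteObject hBm
    End If
    ' NOTE(review): if m_hBrush is still 0 here the mouse handlers select a
    ' NULL brush and the bar simply does not draw; the original was equally silent.

    ' Gap between the two panes (assumes pic1 sits at Top = 0 — confirm).
    dist = (pic2.top - pic1.Height)
End Sub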

' Frees the pattern brush, if one exists, and clears the handle so a second
' call is a no-op rather than a double DeleteObject.
Private Sub DestroyBrush()
   If m_hBrush = 0 Then Exit Sub
   DeleteObject m_hBrush
   m_hBrush = 0
End Sub

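' Draws the splitter bar across PicContainer at the bottom edge of pic1 by
' XOR-ing (PATINVERT) the checkerboard brush onto the screen DC. The container
' is refreshed first, which wipes any bar left by a previous call; because
' PATINVERT is its own inverse, drawing the bar twice leaves the screen clean,
' which MouseUp relies on.
'   nTimes: number of PatBlt passes (1 = show the bar, 2 = show then erase).
' Placed before HookProcMouse on purpose: the hook callback is found by vtable
' ordinal and presumably must stay the last private procedure (see there).
Private Sub DrawSplitterBar(ByVal nTimes As Long)
    Dim rc As RECT
    Dim rc2 As RECT
    Dim lhDC As Long
    Dim hOldBrush As Long
    Dim n As Long

    GetWindowRect PicContainer.hwnd, rc
    GetWindowRect pic1.hwnd, rc2

    ' Screen DC: the bar is painted in screen coordinates over the container.
    lhDC = CreateDCAsNull("DISPLAY", ByVal 0&, ByVal 0&, ByVal 0&)
    If lhDC = 0 Then Exit Sub             ' no DC: nothing to draw, nothing to leak
    hOldBrush = SelectObject(lhDC, m_hBrush)

    PicContainer.Refresh
    For n = 1 To nTimes
        ' x = container left, y = bottom of pic1, width = pic1 right - container left,
        ' height = dist (gap between the panes, measured in Form_Load).
        ' NOTE(review): dist is in the form's scale units while PatBlt expects
        ' pixels — confirm the controls use ScaleMode = vbPixels.
        PatBlt lhDC, rc.left, rc2.bottom, rc2.right - rc.left, dist, PATINVERT
    Next n
    SelectObject lhDC, hOldBrush
    DeleteDC lhDC
End Sub

' Left button pressed on the container: show the bar at the current split.
Private Sub PicContainer_MouseDown(Button As Integer, Shift As Integer, x As Single, y As Single)
    If Button = 1 Then DrawSplitterBar 1
End Sub

' Dragging with the left button: redraw the bar, then resize pic1/pic2 so the
' split follows the pointer, keeping at least 10 units from either edge.
Private Sub PicContainer_MouseMove(Button As Integer, Shift As Integer, x As Single, y As Single)
    If Button <> 1 Then Exit Sub

    DrawSplitterBar 1

    mouse_y = y   ' kept from the original; not read in this listing
    If y < 10 Then Exit Sub
    If y >= PicContainer.Height - 10 Then Exit Sub
    pic1.Height = y
    pic2.top = pic1.Height + dist
    pic2.Height = PicContainer.Height - pic1.Height - dist
End Sub

' Left button released: two PATINVERT passes cancel out, leaving no bar.
Private Sub PicContainer_MouseUp(Button As Integer, Shift As Integer, x As Single, y As Single)
    If Button = 1 Then DrawSplitterBar 2
End Sub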

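' WH_MOUSE hook callback invoked by cHookCallback (installed in Form_Load).
' The hook library locates this procedure by vtable ordinal (1 is passed to
' shk_SetHook), so its position among the form's private procedures matters:
' presumably it must remain the LAST private procedure in the module —
' confirm against cHookCallback before adding anything after it.
' Shows the splitter cursor while the pointer is over PicContainer and the
' default pointer otherwise.
Private Sub HookProcMouse(ByVal bBefore As Boolean, _
                        ByRef bHandled As Boolean, _
                        ByRef lReturn As Long, _
                        ByVal nCode As Long, _
                        ByVal wParam As Long, _
                        ByVal lParam As Long, _
                        ByVal lHookType As eHookType, _
                        ByRef lParamUser As Long)
    Dim hwnd As Long
    Dim pt As POINTAPI

    ' A mouse hook gets HC_ACTION (0) for messages being removed and
    ' HC_NOREMOVE (3) for peeked ones; only a negative nCode means "do not
    ' process". The original test (nCode > 0) skipped HC_ACTION entirely.
    If nCode < 0 Then Exit Sub

    GetCursorPos pt
    hwnd = WindowFromPoint(pt.x, pt.y)
    ' NOTE(review): frm is not declared in this listing; inside the form
    ' itself Me.PicContainer.hwnd would be the expected reference — confirm.
    If hwnd = frm.PicContainer.hwnd Then
        MousePointer = 99                 ' vbCustom: use MouseIcon
        MouseIcon = imgCursorSplitterHorizontal.Picture
    Else
        MousePointer = 0                  ' vbDefault
    End If
End Sub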

Avoiding flicker in MDI child forms when one child is maximized


frms() is an array of the MDI child forms

' Locate the MDI frame's "MDIClient" child window; EnumChildProc stores its
' handle in hwndMDI so TabStrip_Click can hide/show it.
EnumChildWindows frmMdi.hWnd, AddressOf EnumChildProc, 0

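' EnumChildWindows callback: records the handle of the "MDIClient" window in
' the module-level hwndMDI and stops the enumeration once it is found.
' Returns nonzero to keep enumerating and 0 to stop. EnumChildWindows expects
' a 32-bit BOOL in EAX, so the return type is Long rather than the original
' 16-bit Boolean.
Public Function EnumChildProc(ByVal hWnd As Long, ByVal lParam As Long) As Long
    Dim strClass As String
    Dim ret As Long

    strClass = Space$(255)
    ' GetClassName returns the number of characters copied (0 on failure);
    ' use it to trim the buffer instead of assuming a 9-character prefix.
    ret = GetClassName(hWnd, strClass, 255)
    If ret > 0 Then
        If Left$(strClass, ret) = "MDIClient" Then
            hwndMDI = hWnd      ' handle of the MDI client area
            EnumChildProc = 0   ' found: stop enumerating
            Exit Function
        End If
    End If
    EnumChildProc = 1           ' keep enumerating
End Function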



' Switches the visible MDI child when a tab is clicked. When the current child
' is maximized (WindowState = 2, vbMaximized) the MDI client area (hwndMDI,
' captured by EnumChildProc) is hidden for the duration of the swap so the
' maximize/restore repaint does not flicker.
' Only the relevant part of the handler is shown; "......." marks elided code.
Private Sub TabStrip_Click()
        .......
    If frms(TabStrip.Tag).WindowState = 2 Then
        ret = ShowWindow(hwndMDI, SW_HIDE)         ' hide the client area while swapping
        frms(TabStrip.SelectedItem.Index).WindowState = 2
        frms(TabStrip.SelectedItem.Index).Hide
        frms(TabStrip.SelectedItem.Index).ZOrder
        frms(TabStrip.SelectedItem.Index).Show
        ret = ShowWindow(hwndMDI, SW_SHOWNA)       ' show again without activating
    Else
        frms(TabStrip.SelectedItem.Index).ZOrder   ' not maximized: just bring to front
    End If
        ........
End Sub

mercoledì 22 febbraio 2012

VB6: get PEB - LDR_MODULE - RTL_USER_PROCESS_PARAMETERS





Module (.bas):
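'************************************************************************
' BY DAVIDE CHIAPPETTA 'THE JOHNNYMNEMONIC'
' http://www.facebook.com/davide.chiappetta
'***********************************************************************
' Structures and helpers for reading the current process's PEB from VB6:
' the loader module list (PEB_LDR_DATA / LDR_MODULE) and the process
' parameter block (RTL_USER_PROCESS_PARAMETERS). All layouts are the
' 32-bit (x86) ones; offsets differ on x64.

' kernel32!RtlMoveMemory: copies ByteLen bytes from address pSrc into pDst.
Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, ByVal pSrc As Long, ByVal ByteLen As Long)

' Deliberately mis-declared: lpPrevWndFunc is a String, so VB passes the
' address of the ANSI copy of the string and user32 calls it as if it were
' a window procedure — i.e. the string's bytes are executed as x86 code.
' NOTE(review): this executes code from a heap buffer and will fault under
' DEP/NX unless the process is exempt; it is also 32-bit only.
Public Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As String, ByRef hWnd As Long, ByRef msg As Long, ByRef wParam As Long, ByRef lParam As Long) As Long

' Doubly linked list link (ntdll LIST_ENTRY).
Public Type LIST_ENTRY
    Flink As Long   ' forward link
    Blink As Long   ' backward link
End Type

' PEB->Ldr (offset 0Ch in the x86 PEB).
Public Type PEB_LDR_DATA
    Length As Long
    Initialized As Long                           ' BOOLEAN in ntdll, padded to 4 bytes
    SsHandle As Long
    InLoadOrderModuleList As LIST_ENTRY           ' head of the LDR_MODULE list, load order
    InMemoryOrderModuleList As LIST_ENTRY         ' same modules, memory placement order
    InInitializationOrderModuleList As LIST_ENTRY ' same modules, initialization order
End Type

' Counted UTF-16 string. Length/MaximumLength are BYTE counts (USHORT in
' ntdll; the VB Integer is signed, so mask with &HFFFF& before using them).
Public Type UNICODE_STRING
    Length As Integer
    MaximumLength As Integer
    buffer As Long   ' PWSTR
End Type

' One loader entry (ntdll LDR_DATA_TABLE_ENTRY, called LDR_MODULE here).
' The list links sit at offset 0, so a Flink taken from InLoadOrderModuleList
' points straight at the next LDR_MODULE.
Public Type LDR_MODULE
    a_InLoadOrderModuleList As LIST_ENTRY
    b_InMemoryOrderModuleList As LIST_ENTRY
    c_InInitializationOrderModuleList As LIST_ENTRY
    d_BaseAddress As Long
    e_vEntryPoint As Long
    f_SizeOfImage As Long
    g_FullDllName As UNICODE_STRING
    h_BaseDllName As UNICODE_STRING
    i_Flags As Long
    l_LoadCount As Integer         ' how many times the module was loaded (reference count, SHORT)
    m_TlsIndex As Integer
    n_HashTableEntry As LIST_ENTRY ' links into LdrpHashTable
    o_TimeDateStamp As Long        ' same value as in the DLL's PE header
End Type

' One per-drive current directory; 32 of them end RTL_USER_PROCESS_PARAMETERS.
Public Type RTL_DRIVE_LETTER_CURDIR
    Flags As Integer
    Length As Integer
    TimeStamp As Long
    DosPath As UNICODE_STRING
End Type

' PEB->ProcessParameters (offset 10h in the x86 PEB).
' NOTE(review): older references claim this block lives at a fixed address
' (0x20000) in every CreateProcess-created process; do not rely on that —
' always read the pointer from the PEB as Form_Load does.
Public Type RTL_USER_PROCESS_PARAMETERS
    a_MaximumLength As Long          ' must be set before RtlCreateProcessParameters
    b_Length As Long                 ' length of the valid part of the structure
    a_Flags As Long
    a_DebugFlags As Long
    c_ConsoleHandle As Long          ' console window associated with the process (if any)
    d_ConsoleFlags As Long
    e_StdInputHandle As Long
    f_StdOutputHandle As Long
    g_StdErrorHandle As Long
    h_CurrentDirectoryPath As UNICODE_STRING   ' DOS-style path, e.g. "C:\WinNT\SYSTEM32"
    i_CurrentDirectoryHandle As Long           ' handle to the directory FILE object
    l_DllPath As UNICODE_STRING                ' ';'-separated DOS-style DLL search paths
    m_ImagePathName As UNICODE_STRING          ' full DOS-style path of the process image
    n_CommandLine As UNICODE_STRING
    o_Environment As Long                      ' pointer to the environment block
    p_StartingPositionLeft As Long
    q_StartingPositionTop As Long
    r_Width As Long
    s_Height As Long
    t_CharWidth As Long
    u_CharHeight As Long
    v_ConsoleTextAttributes As Long
    z_WindowFlags As Long
    z1_ShowWindowFlags As Long
    z2_WindowTitle As UNICODE_STRING
    z3_DesktopName As UNICODE_STRING           ' window station / desktop the process is assigned to
    z4_ShellInfo As UNICODE_STRING
    z5_RuntimeData As UNICODE_STRING
    ' Exactly 32 entries: the original "(&H20)" declared 0..32 = 33 elements,
    ' so CopyMemory with Len() over-read 16 bytes past the structure.
    z6_DLCurrentDirectory(0 To &H20 - 1) As RTL_DRIVE_LETTER_CURDIR
End Type

' Copies the UTF-16 contents of a UNICODE_STRING into a VB String. VB strings
' are already UTF-16, so the raw bytes are assigned as-is with no ANSI
' conversion (C/C++ code would have to convert). Returns "" for a zero
' length or NULL buffer instead of reading from address 0.
Public Function getBuffUNICODE_STRING(us As UNICODE_STRING) As String
    Dim tmpBuff() As Byte
    Dim cb As Long

    cb = us.Length And &HFFFF&            ' USHORT byte count; undo the signed Integer
    If cb = 0 Or us.buffer = 0 Then Exit Function

    ReDim tmpBuff(0 To cb - 1) As Byte    ' exactly Length bytes (the original allocated one extra)
    CopyMemory tmpBuff(0), ByVal us.buffer, cb
    getBuffUNICODE_STRING = tmpBuff
End Function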
Form (.frm):
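'************************************************************************
' BY DAVIDE CHIAPPETTA 'THE JOHNNYMNEMONIC'
' http://www.facebook.com/davide.chiappetta
'***********************************************************************

' On load, dumps two PEB-reachable structures of the current process to the
' Immediate window: every LDR_MODULE in PEB->Ldr->InLoadOrderModuleList, then
' PEB->ProcessParameters (RTL_USER_PROCESS_PARAMETERS) including the per-drive
' current directories. The PEB is located by running a 7-instruction x86 stub
' that reads FS:[30h]; see CallWindowProc in the module for the mechanism and
' its DEP / 32-bit-only caveats.
Private Sub Form_Load()
    Dim asm As String
    Dim lngRet As Long
    Dim ped_data As PEB_LDR_DATA
    Dim ldr As LDR_MODULE
    Dim ptrListHead As Long
    Dim ptrAddrNext As Long
    Dim rtlUserProc As RTL_USER_PROCESS_PARAMETERS
    Dim a As Long

    '---- PEB -> Ldr (PEB_LDR_DATA) -----------------------------------------
    '   55              PUSH EBP
    '   8BEC            MOV EBP,ESP
    '   64A130000000    MOV EAX,FS:[30h]    ; PEB
    '   8B400C          MOV EAX,[EAX+0Ch]   ; PEB->Ldr
    '   8BE5            MOV ESP,EBP
    '   5D              POP EBP
    '   C3              RETN
    asm = makeAsm("55")
    asm = asm & makeAsm("8BEC")
    asm = asm & makeAsm("64A130000000")
    asm = asm & makeAsm("8B400C")
    asm = asm & makeAsm("8BE5")
    asm = asm & makeAsm("5D")
    asm = asm & makeAsm("C3")
    lngRet = CallWindowProc(asm, 0, 0, 0, 0)
    If lngRet = 0 Then
        Debug.Print "PEB->Ldr is NULL; aborting"
        Exit Sub
    End If
    CopyMemory ped_data, ByVal lngRet, Len(ped_data)

    ' InLoadOrderModuleList is circular: its head is the LIST_ENTRY inside
    ' PEB_LDR_DATA at offset 0Ch. Stop when the Flink chain returns to the
    ' head. (The original loop only ended because the head, read as an
    ' LDR_MODULE, happened to show BaseAddress = 0.)
    ptrListHead = lngRet + 12
    ptrAddrNext = ped_data.InLoadOrderModuleList.Flink
    Do While ptrAddrNext <> 0 And ptrAddrNext <> ptrListHead
        CopyMemory ldr, ByVal ptrAddrNext, Len(ldr)
        With ldr
            If .d_BaseAddress = 0 Then Exit Do   ' defensive: not a real module entry
            Debug.Print Hex(.a_InLoadOrderModuleList.Flink)
            Debug.Print Hex(.b_InMemoryOrderModuleList.Flink)
            Debug.Print Hex(.c_InInitializationOrderModuleList.Flink)
            Debug.Print Hex(.d_BaseAddress)
            Debug.Print Hex(.e_vEntryPoint)
            Debug.Print Hex(.f_SizeOfImage)
            Debug.Print getBuffUNICODE_STRING(.g_FullDllName)
            Debug.Print getBuffUNICODE_STRING(.h_BaseDllName)
            Debug.Print Hex(.i_Flags)
            Debug.Print "dll caricata " & Hex(.l_LoadCount) & " volte"
            Debug.Print Hex(.m_TlsIndex)
            Debug.Print Hex(.n_HashTableEntry.Flink)
            Debug.Print Hex(.o_TimeDateStamp)
            ptrAddrNext = .a_InLoadOrderModuleList.Flink   ' next LDR_MODULE
        End With
    Loop

    '---- PEB -> ProcessParameters (RTL_USER_PROCESS_PARAMETERS) ------------
    ' Same stub, but the second load reads PEB+10h instead of PEB+0Ch:
    '   8B4010          MOV EAX,[EAX+10h]   ; PEB->ProcessParameters
    asm = makeAsm("55")
    asm = asm & makeAsm("8BEC")
    asm = asm & makeAsm("64A130000000")
    asm = asm & makeAsm("8B4010")
    asm = asm & makeAsm("8BE5")
    asm = asm & makeAsm("5D")
    asm = asm & makeAsm("C3")
    lngRet = CallWindowProc(asm, 0, 0, 0, 0)
    ' Older references say this block sits near 0x20000; do not rely on it.
    If lngRet = 0 Then
        Debug.Print "PEB->ProcessParameters is NULL; aborting"
        Exit Sub
    End If
    CopyMemory rtlUserProc, ByVal lngRet, Len(rtlUserProc)
    With rtlUserProc
        Debug.Print Hex(.a_MaximumLength)
        Debug.Print Hex(.b_Length)
        Debug.Print Hex(.a_Flags)
        Debug.Print Hex(.a_DebugFlags)
        Debug.Print Hex(.c_ConsoleHandle)
        Debug.Print Hex(.d_ConsoleFlags)
        Debug.Print Hex(.e_StdInputHandle)
        Debug.Print Hex(.f_StdOutputHandle)
        Debug.Print Hex(.g_StdErrorHandle)
        Debug.Print getBuffUNICODE_STRING(.h_CurrentDirectoryPath)
        Debug.Print Hex(.i_CurrentDirectoryHandle)
        Debug.Print getBuffUNICODE_STRING(.l_DllPath)
        Debug.Print getBuffUNICODE_STRING(.m_ImagePathName)
        Debug.Print getBuffUNICODE_STRING(.n_CommandLine)
        Debug.Print Hex(.o_Environment)
        Debug.Print Hex(.p_StartingPositionLeft)
        Debug.Print Hex(.q_StartingPositionTop)
        Debug.Print Hex(.r_Width)
        Debug.Print Hex(.s_Height)
        Debug.Print Hex(.t_CharWidth)
        Debug.Print Hex(.u_CharHeight)
        Debug.Print Hex(.v_ConsoleTextAttributes)
        Debug.Print Hex(.z_WindowFlags)
        Debug.Print Hex(.z1_ShowWindowFlags)
        Debug.Print getBuffUNICODE_STRING(.z2_WindowTitle)
        Debug.Print getBuffUNICODE_STRING(.z3_DesktopName)
        Debug.Print getBuffUNICODE_STRING(.z4_ShellInfo)
        Debug.Print getBuffUNICODE_STRING(.z5_RuntimeData)
        ' Per-drive current directories: only the 32 slots with a path set.
        For a = 0 To &H20 - 1
            If .z6_DLCurrentDirectory(a).DosPath.Length > 0 Then
                Debug.Print Hex(.z6_DLCurrentDirectory(a).Flags)
                Debug.Print Hex(.z6_DLCurrentDirectory(a).TimeStamp)
                Debug.Print getBuffUNICODE_STRING(.z6_DLCurrentDirectory(a).DosPath)
            End If
        Next a
    End With
End Sub

' Turns a hex string such as "8B400C" into a String whose characters carry
' those byte values, to be executed through the CallWindowProc trick above.
'   riga: even-length string of hex digit pairs.
' NOTE(review): Chr() maps bytes >= &H80 through the current ANSI code page
' and VB converts the string back to ANSI when passing it ByVal; this
' round-trips on single-byte code pages but can corrupt opcodes (several of
' which are >= &H80 here) on DBCS locales. A Byte array plus a Long-typed
' CallWindowProc declaration would be the locale-independent form.
Function makeAsm(ByVal riga) As String
    Dim a As Long
    Dim strAsm As String

    For a = 1 To Len(riga) Step 2
        strAsm = strAsm & Chr("&H" & Mid(riga, a, 2))
    Next a
    makeAsm = strAsm
End Function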