mercoledì 22 febbraio 2012

VB6: get PEB - LDR_MODULE - RTL_USER_PROCESS_PARAMETERS





module
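'************************************************************************
' BY DAVIDE CHIAPPETTA 'THE JOHNNYMNEMONIC'
' http://www.facebook.com/davide.chiappetta
'************************************************************************
' 32-bit (x86) loader structures, read from this process's own PEB.
' Every "As Long" below stands in for a 32-bit PVOID / ULONG / HANDLE, so
' these Types match the native layout only in a 32-bit process (VB6 is
' always 32-bit; under WOW64 it sees the 32-bit PEB).  The structures are
' undocumented and their tails differ between Windows versions; only the
' fields listed here are assumed stable.  None of the Types need padding,
' so Len(udt) equals the native structure size.
'************************************************************************

Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
    (pDst As Any, ByVal pSrc As Long, ByVal ByteLen As Long)

' CallWindowProcA is used as a generic "call this address" primitive:
' lpPrevWndFunc receives the address of the ANSI copy of the String, which
' user32 then calls.  This only works while that memory is executable,
' i.e. with DEP disabled for the process; with DEP enabled the call faults.
Public Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" _
    (ByVal lpPrevWndFunc As String, ByRef hWnd As Long, ByRef msg As Long, _
     ByRef wParam As Long, ByRef lParam As Long) As Long

' typedef struct _PEB_LDR_DATA {
'     ULONG      Length;
'     BOOLEAN    Initialized;    // 1 byte + 3 bytes padding -> read as a DWORD below
'     PVOID      SsHandle;
'     LIST_ENTRY InLoadOrderModuleList;            // list head: LDR_MODULEs in load order
'     LIST_ENTRY InMemoryOrderModuleList;          // same entries, memory placement order
'     LIST_ENTRY InInitializationOrderModuleList;  // same entries, initialization order
' } PEB_LDR_DATA;
'
' typedef struct LIST_ENTRY {
'     struct LIST_ENTRY *Flink;  // forward link
'     struct LIST_ENTRY *Blink;  // back link
' };
'
' typedef struct _LDR_MODULE {
'     LIST_ENTRY     InLoadOrderModuleList;            // prev/next LDR_MODULE in load order
'     LIST_ENTRY     InMemoryOrderModuleList;          // prev/next LDR_MODULE in memory placement order
'     LIST_ENTRY     InInitializationOrderModuleList;  // prev/next LDR_MODULE in initialization order
'     PVOID          BaseAddress;
'     PVOID          EntryPoint;
'     ULONG          SizeOfImage;
'     UNICODE_STRING FullDllName;
'     UNICODE_STRING BaseDllName;
'     ULONG          Flags;
'     SHORT          LoadCount;       // how many times the DLL was loaded (reference count)
'     SHORT          TlsIndex;
'     LIST_ENTRY     HashTableEntry;  // points into LdrpHashTable (prev and next are the same)
'     ULONG          TimeDateStamp;   // same value as in the DLL's PE header
' } LDR_MODULE;

Public Type LIST_ENTRY
    Flink As Long
    Blink As Long
End Type

Public Type PEB_LDR_DATA
    Length As Long
    Initialized As Long     ' native BOOLEAN + 3 padding bytes; value is in the low byte
    SsHandle As Long
    InLoadOrderModuleList As LIST_ENTRY              ' list head (offset &HC)
    InMemoryOrderModuleList As LIST_ENTRY
    InInitializationOrderModuleList As LIST_ENTRY
End Type

Public Type UNICODE_STRING
    Length As Integer        ' native USHORT: byte count, NOT character count; treat as unsigned
    MaximumLength As Integer ' native USHORT
    buffer As Long           ' PWSTR
End Type

Public Type LDR_MODULE
    a_InLoadOrderModuleList As LIST_ENTRY            ' prev/next LDR_MODULE in load order
    b_InMemoryOrderModuleList As LIST_ENTRY          ' prev/next LDR_MODULE in memory placement order
    c_InInitializationOrderModuleList As LIST_ENTRY  ' prev/next LDR_MODULE in initialization order
    d_BaseAddress As Long
    e_vEntryPoint As Long
    f_SizeOfImage As Long
    g_FullDllName As UNICODE_STRING
    h_BaseDllName As UNICODE_STRING
    i_Flags As Long
    l_LoadCount As Integer                           ' how many times the DLL was loaded (reference count)
    m_TlsIndex As Integer
    n_HashTableEntry As LIST_ENTRY                   ' points into LdrpHashTable (prev and next are the same)
    o_TimeDateStamp As Long                          ' same value as in the DLL's PE header
End Type

' typedef struct RTL_DRIVE_LETTER_CURDIR {
'     USHORT         Flags;
'     USHORT         Length;
'     ULONG          TimeStamp;
'     UNICODE_STRING DosPath;
' } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
'
' typedef struct _RTL_USER_PROCESS_PARAMETERS {
'     // author's note: observed at address 0x20000 for processes created through
'     // CreateProcess; this is an observation, not an API guarantee.
'     ULONG          MaximumLength;   // should be set before calling RtlCreateProcessParameters
'     ULONG          Length;          // length of the valid part of the structure
'     ULONG          Flags;
'     ULONG          DebugFlags;
'     PVOID          ConsoleHandle;   // HWND of the console window associated with the process (if any)
'     ULONG          ConsoleFlags;
'     HANDLE         StdInputHandle;
'     HANDLE         StdOutputHandle;
'     HANDLE         StdErrorHandle;
'     UNICODE_STRING CurrentDirectoryPath;   // DOS-like path, e.g. "C:\WinNT\SYSTEM32"
'     HANDLE         CurrentDirectoryHandle; // handle to the FILE object
'     UNICODE_STRING DllPath;         // ';'-separated DOS-like paths searched for DLLs
'     UNICODE_STRING ImagePathName;   // full DOS-like path of the process image
'     UNICODE_STRING CommandLine;
'     PVOID          Environment;     // environment block (see RtlCreateEnvironment)
'     ULONG          StartingPositionLeft;
'     ULONG          StartingPositionTop;
'     ULONG          Width;
'     ULONG          Height;
'     ULONG          CharWidth;
'     ULONG          CharHeight;
'     ULONG          ConsoleTextAttributes;
'     ULONG          WindowFlags;
'     ULONG          ShowWindowFlags;
'     UNICODE_STRING WindowTitle;
'     UNICODE_STRING DesktopName;     // WindowStation\Desktop the process is assigned to
'     UNICODE_STRING ShellInfo;
'     UNICODE_STRING RuntimeData;
'     RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
' } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

Public Type RTL_DRIVE_LETTER_CURDIR
    Flags As Integer
    Length As Integer
    TimeStamp As Long
    DosPath As UNICODE_STRING
End Type

Public Type RTL_USER_PROCESS_PARAMETERS
    a_MaximumLength As Long                          ' should be set before calling RtlCreateProcessParameters
    b_Length As Long                                 ' length of the valid part of the structure
    a_Flags As Long
    a_DebugFlags As Long
    c_ConsoleHandle As Long                          ' HWND of the console window (if any)
    d_ConsoleFlags As Long
    e_StdInputHandle As Long
    f_StdOutputHandle As Long
    g_StdErrorHandle As Long
    h_CurrentDirectoryPath As UNICODE_STRING         ' DOS-like path, e.g. "C:\WinNT\SYSTEM32"
    i_CurrentDirectoryHandle As Long                 ' handle to the FILE object
    l_DllPath As UNICODE_STRING                      ' ';'-separated DOS-like DLL search paths
    m_ImagePathName As UNICODE_STRING                ' full DOS-like path of the process image
    n_CommandLine As UNICODE_STRING
    o_Environment As Long                            ' environment block (see RtlCreateEnvironment)
    p_StartingPositionLeft As Long
    q_StartingPositionTop As Long
    r_Width As Long
    s_Height As Long
    t_CharWidth As Long
    u_CharHeight As Long
    v_ConsoleTextAttributes As Long
    z_WindowFlags As Long
    z1_ShowWindowFlags As Long
    z2_WindowTitle As UNICODE_STRING
    z3_DesktopName As UNICODE_STRING                 ' WindowStation\Desktop the process is assigned to
    z4_ShellInfo As UNICODE_STRING
    z5_RuntimeData As UNICODE_STRING
    ' Exactly 0x20 elements (0..&H1F), matching DLCurrentDirectory[0x20].
    ' The previous bound of (&H20) declared 33 elements, making the Type 16
    ' bytes larger than the native structure so CopyMemory read past its end.
    z6_DLCurrentDirectory(0 To &H1F) As RTL_DRIVE_LETTER_CURDIR
End Type

'-----------------------------------------------------------------------
' getBuffUNICODE_STRING: copy the buffer of a native UNICODE_STRING into
' a VB String.  The data is already UTF-16, which is VB's internal string
' format, so the bytes are taken as-is with no code-page conversion (the
' conversion would only be needed for ANSI char* data).
' In:  us - structure read from process memory (Length in BYTES, buffer = PWSTR)
' Out: the string, or "" when the buffer is NULL or Length is 0
'-----------------------------------------------------------------------
Public Function getBuffUNICODE_STRING(us As UNICODE_STRING) As String
    Dim tmpBuff() As Byte
    Dim nBytes As Long

    ' Length is a native USHORT; the Integer view goes negative at >= &H8000.
    nBytes = us.Length And &HFFFF&
    If us.buffer = 0 Or nBytes = 0 Then
        getBuffUNICODE_STRING = vbNullString
        Exit Function
    End If

    ' VB arrays are 0-based with an inclusive upper bound, so nBytes bytes
    ' need bound nBytes - 1 (the old Length bound left a stray extra byte,
    ' which made the byte count odd and corrupted the last character).
    ReDim tmpBuff(0 To nBytes - 1) As Byte
    CopyMemory tmpBuff(0), ByVal us.buffer, nBytes
    getBuffUNICODE_STRING = tmpBuff
End Function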
form
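'************************************************************************
' BY DAVIDE CHIAPPETTA 'THE JOHNNYMNEMONIC'
' http://www.facebook.com/davide.chiappetta
'************************************************************************

'-----------------------------------------------------------------------
' Form_Load: dump this process's own loader data (every LDR_MODULE in
' load order) and its RTL_USER_PROCESS_PARAMETERS to the Immediate window.
' The PEB pointer is obtained by running a 7-instruction x86 stub through
' CallWindowProcA; see the notes at each step.
' x86-32 only: FS:[30] is the 32-bit TEB's PEB pointer and every "As Long"
' in the Types is a 32-bit pointer.
'-----------------------------------------------------------------------
Private Sub Form_Load()
    Dim asm As String
    Dim lngRet As Long
    Dim pebLdr As PEB_LDR_DATA
    Dim ldr As LDR_MODULE
    Dim ptrAddrNext As Long
    Dim listHead As Long
    Dim rtlUserProc As RTL_USER_PROCESS_PARAMETERS
    Dim i As Long

    ' Byte offset of InLoadOrderModuleList inside PEB_LDR_DATA
    ' (Length, Initialized and SsHandle precede it, 4 bytes each).
    Const LDR_INLOADORDER_OFFSET As Long = &HC

    '*********************************************************************
    ' get PEB and then PEB_LDR_DATA (PEB->Ldr, offset 0xC)
    ' 55              PUSH EBP
    ' 8BEC            MOV  EBP,ESP
    ' 64:A1 30000000  MOV  EAX,FS:[30]    ; <<<< PEB
    ' 8B40 0C         MOV  EAX,[EAX+C]    ; <<<< PEB->Ldr  (PEB_LDR_DATA*)
    ' 8BE5            MOV  ESP,EBP
    ' 5D              POP  EBP
    ' C3              RETN
    asm = makeAsm("55")
    asm = asm & makeAsm("8BEC")
    asm = asm & makeAsm("64A130000000")  ' <<<< PEB
    asm = asm & makeAsm("8B400C")        ' <<<< PEB->Ldr
    asm = asm & makeAsm("8BE5")
    asm = asm & makeAsm("5D")
    asm = asm & makeAsm("C3")
    '*********************************************************************
    ' The String goes ByVal, so user32 receives the address of its ANSI copy
    ' and calls it.  With DEP enabled that memory is not executable and this
    ' call raises an access violation instead of returning.
    lngRet = CallWindowProc(asm, 0, 0, 0, 0)
    CopyMemory pebLdr, ByVal lngRet, Len(pebLdr)

    ' Walk InLoadOrderModuleList.  The list is circular: the last entry's
    ' Flink points back at the list head inside PEB_LDR_DATA, so stop there.
    ' The BaseAddress = 0 test is kept as a second guard; on its own it only
    ' worked because the head's "BaseAddress" slot lands on a field of
    ' PEB_LDR_DATA that is normally zero.
    listHead = lngRet + LDR_INLOADORDER_OFFSET
    ptrAddrNext = pebLdr.InLoadOrderModuleList.Flink
    Do While ptrAddrNext <> 0 And ptrAddrNext <> listHead
        CopyMemory ldr, ByVal ptrAddrNext, Len(ldr)
        With ldr
            If .d_BaseAddress = 0 Then
                Exit Do
            End If
            Debug.Print Hex(.a_InLoadOrderModuleList.Flink)
            Debug.Print Hex(.b_InMemoryOrderModuleList.Flink)
            Debug.Print Hex(.c_InInitializationOrderModuleList.Flink)
            Debug.Print Hex(.d_BaseAddress)
            Debug.Print Hex(.e_vEntryPoint)
            Debug.Print Hex(.f_SizeOfImage)
            Debug.Print getBuffUNICODE_STRING(.g_FullDllName)
            Debug.Print getBuffUNICODE_STRING(.h_BaseDllName)
            Debug.Print Hex(.i_Flags)
            ' LoadCount is a SHORT; &HFFFF means the module is never unloaded
            Debug.Print "dll caricata " & Hex(.l_LoadCount) & " volte"
            Debug.Print Hex(.m_TlsIndex)
            Debug.Print Hex(.n_HashTableEntry.Flink)
            Debug.Print Hex(.o_TimeDateStamp)
            ' next LDR_MODULE
            ptrAddrNext = .a_InLoadOrderModuleList.Flink
        End With
    Loop

    '*********************************************************************
    ' get PEB and then RTL_USER_PROCESS_PARAMETERS (PEB->ProcessParameters, offset 0x10)
    ' 55              PUSH EBP
    ' 8BEC            MOV  EBP,ESP
    ' 64:A1 30000000  MOV  EAX,FS:[30]    ; <<<< PEB
    ' 8B40 10         MOV  EAX,[EAX+10]   ; <<<< PEB->ProcessParameters
    ' 8BE5            MOV  ESP,EBP
    ' 5D              POP  EBP
    ' C3              RETN
    asm = makeAsm("55")
    asm = asm & makeAsm("8BEC")
    asm = asm & makeAsm("64A130000000")  ' <<<< PEB
    asm = asm & makeAsm("8B4010")        ' <<<< PEB->ProcessParameters
    asm = asm & makeAsm("8BE5")
    asm = asm & makeAsm("5D")
    asm = asm & makeAsm("C3")
    '*********************************************************************
    lngRet = CallWindowProc(asm, 0, 0, 0, 0)
    ' author's note: the returned address is usually 0x20000 (an observation,
    ' not a guarantee - never hard-code it)
    CopyMemory rtlUserProc, ByVal lngRet, Len(rtlUserProc)
    With rtlUserProc
        Debug.Print Hex(.a_MaximumLength)
        Debug.Print Hex(.b_Length)
        Debug.Print Hex(.a_Flags)
        Debug.Print Hex(.a_DebugFlags)
        Debug.Print Hex(.c_ConsoleHandle)
        Debug.Print Hex(.d_ConsoleFlags)
        Debug.Print Hex(.e_StdInputHandle)
        Debug.Print Hex(.f_StdOutputHandle)
        Debug.Print Hex(.g_StdErrorHandle)
        Debug.Print getBuffUNICODE_STRING(.h_CurrentDirectoryPath)
        Debug.Print Hex(.i_CurrentDirectoryHandle)
        Debug.Print getBuffUNICODE_STRING(.l_DllPath)
        Debug.Print getBuffUNICODE_STRING(.m_ImagePathName)
        Debug.Print getBuffUNICODE_STRING(.n_CommandLine)
        Debug.Print Hex(.o_Environment)
        Debug.Print Hex(.p_StartingPositionLeft)
        Debug.Print Hex(.q_StartingPositionTop)
        Debug.Print Hex(.r_Width)
        Debug.Print Hex(.s_Height)
        Debug.Print Hex(.t_CharWidth)
        Debug.Print Hex(.u_CharHeight)
        Debug.Print Hex(.v_ConsoleTextAttributes)
        Debug.Print Hex(.z_WindowFlags)
        Debug.Print Hex(.z1_ShowWindowFlags)
        Debug.Print getBuffUNICODE_STRING(.z2_WindowTitle)
        Debug.Print getBuffUNICODE_STRING(.z3_DesktopName)
        Debug.Print getBuffUNICODE_STRING(.z4_ShellInfo)
        Debug.Print getBuffUNICODE_STRING(.z5_RuntimeData)
        ' RTL_DRIVE_LETTER_CURDIR: only slots with a non-empty DosPath are in use
        For i = 0 To &H20 - 1
            If .z6_DLCurrentDirectory(i).DosPath.Length > 0 Then
                Debug.Print Hex(.z6_DLCurrentDirectory(i).Flags)
                Debug.Print Hex(.z6_DLCurrentDirectory(i).TimeStamp)
                Debug.Print getBuffUNICODE_STRING(.z6_DLCurrentDirectory(i).DosPath)
            End If
        Next i
    End With
End Sub

'-----------------------------------------------------------------------
' makeAsm: turn a hex string ("8B400C") into a String carrying one byte
' per character (Chr(&H8B), Chr(&H40), Chr(&H0C)).  When such a String is
' passed ByVal to an ANSI Declare, VB converts it back to single-byte
' characters, which is how the bytes reach CallWindowProcA.
' NOTE(review): the Unicode->ANSI round trip depends on the system code
' page; bytes that have no character in it may not survive - verify before
' extending the byte sequences above.
' In:  riga - hex digits, two per byte, no separators (kept Variant for
'             compatibility with the existing callers)
' Out: the byte-per-character String ("" for empty input)
'-----------------------------------------------------------------------
Function makeAsm(ByVal riga) As String
    Dim pos As Long
    Dim strAsm As String
    For pos = 1 To Len(riga) Step 2
        strAsm = strAsm & Chr(Val("&H" & Mid(riga, pos, 2)))
    Next pos
    makeAsm = strAsm
End Function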
