Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page help for create loader with packed program
Register Forum Rules FAQ Calendar Mark Forums Read

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 02-04-2021, 15:32
raduga_fb raduga_fb is offline
Family
  
Join Date: Nov 2012
Posts: 73
Rept. Given: 3
Rept. Rcvd 127 Times in 23 Posts
Thanks Given: 2
Thanks Rcvd at 132 Times in 33 Posts
raduga_fb Reputation: 100-199 raduga_fb Reputation: 100-199
Patching by Hooking
If the target has more than one protection layer, you need to patch them in order. Try to hook to WINAPI which is being used by program during unpacking (HeapAlloc, VirtualAlloc, CreateFile ...)

Below sample uses ms detours to hook to DeviceIOControl to check the memory of target. When memory compare is equal, then patching first layer. If you need to more patching after first layer unpacking, you have to continue to check the memory of program. After final patching, you can detach DeviceIOControl.



Code:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"

#include <iostream>
#include <vector>
#include <Windows.h>
#include <tlhelp32.h>

#include "detours.h"

#pragma comment(lib, "detours.lib")

using namespace std;

BOOL WINAPI My_DeviceIoControl(
    HANDLE       hDevice,
    DWORD        dwIoControlCode,
    LPVOID       lpInBuffer,
    DWORD        nInBufferSize,
    LPVOID       lpOutBuffer,
    DWORD        nOutBufferSize,
    LPDWORD      lpBytesReturned,
    LPOVERLAPPED lpOverlapped
);

static BOOL(WINAPI* Ori_DeviceIoControl) (
    HANDLE       hDevice,
    DWORD        dwIoControlCode,
    LPVOID       lpInBuffer,
    DWORD        nInBufferSize,
    LPVOID       lpOutBuffer,
    DWORD        nOutBufferSize,
    LPDWORD      lpBytesReturned,
    LPOVERLAPPED lpOverlapped
    ) = NULL;



BYTE bytes_written_1[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90 }; 
BYTE bytes_written_2[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90x 0x90 }; 


DWORD GetProcId(const wchar_t* procName)
{
    DWORD procId = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 procEntry;
        procEntry.dwSize = sizeof(procEntry);

        if (Process32First(hSnap, &procEntry))
        {
            do
            {
                if (!_wcsicmp(procEntry.szExeFile, procName))
                {
                    procId = procEntry.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnap, &procEntry));

        }
    }
    CloseHandle(hSnap);
    return procId;
}

DWORD GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
    DWORD modBaseAddr = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        MODULEENTRY32 modEntry;
        modEntry.dwSize = sizeof(modEntry);
        if (Module32First(hSnap, &modEntry))
        {
            do
            {
                if (!_wcsicmp(modEntry.szModule, modName))
                {
                    modBaseAddr = (DWORD)modEntry.modBaseAddr;
                    break;
                }
            } while (Module32Next(hSnap, &modEntry));
        }
    }
    CloseHandle(hSnap);
    return modBaseAddr;
}




BOOL APIENTRY DllMain(HMODULE hDLL,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    HMODULE dll_module_1 = GetModuleHandleA("kernel32.dll");

    if (!dll_module_1)
    {
        DWORD dw = GetLastError();
        MessageBox(NULL, L"The library could not load", L"ERROR", MB_OK);
    }

    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:

            DetourRestoreAfterWith();

            Ori_DeviceIoControl = (BOOL(WINAPI*) (HANDLE, DWORD, LPVOID, DWORD, LPVOID, DWORD, LPDWORD, LPOVERLAPPED)) DetourFindFunction("kernel32.dll", "DeviceIoControl");

            DisableThreadLibraryCalls(hDLL);
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());

            DetourAttach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);

            if (DetourTransactionCommit() != NO_ERROR)
                MessageBox(NULL, L"Detour Attach Error", NULL, MB_OK);

                break;

        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:

            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
            DetourTransactionCommit();

            break;
        }
        return TRUE;
    }
}

BOOL WINAPI My_DeviceIoControl(
    HANDLE       hDevice,
    DWORD        dwIoControlCode,
    LPVOID       lpInBuffer,
    DWORD        nInBufferSize,
    LPVOID       lpOutBuffer,
    DWORD        nOutBufferSize,
    LPDWORD      lpBytesReturned,
    LPOVERLAPPED lpOverlapped
)

{

    DWORD processID = GetProcId(L"??????.exe");
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, processID);
    DWORD moduleBase = GetModuleBaseAddress(processID, L"?????.exe");

    if (moduleBase != 0)
    {
        DWORD target_adres = moduleBase + ??????;
        DWORD* target_adres_ = 0;
        DWORD dwLen_ = 0;
        BOOL sonuc = false;

        DWORD* control_1 = (DWORD*)0x0???????;
        DWORD* control_2 = (DWORD*)0x0???????;

        DWORD oldprotect;

        if (target_adres != 0)
        {
            ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

            if (target_adres_ == control_1)
            {
                unsigned int length_ = 6;

                VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, PAGE_EXECUTE_READWRITE, &oldprotect);
                sonuc = WriteProcessMemory(hProcess, (LPVOID)target_adres, &bytes_written_1, length_, &dwLen_);		// 1st patch (1st Layer)
                VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, oldprotect, &oldprotect);

		...
		...


                if (sonuc)
                {
                    //MessageBox(NULL, L"patched", NULL, MB_OK);			// 1st layer is OK, patched
                }
            }
        }

        target_adres = moduleBase + 0x0???;						// 2nd layer (if needed)

        if (target_adres != 0)
        {
            ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

            if (target_adres_ == control_2)
            {
                unsigned int length_= 7;

                VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, PAGE_EXECUTE_READWRITE, &oldprotect);
                sonuc = WriteProcessMemory(hProcess, (LPVOID)hedef_adres, &bytes_written_4, uzunluk, &dwLen_);		// 2nd patch (2nd layer)
                VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, oldprotect, &oldprotect);
		
		...
		...


            DetourTransactionBegin();											// JOB is done, it is time to Detach
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
            DetourTransactionCommit();

  
            }
        }

    }


    BOOL fake_handle = false;

    fake_handle = Ori_DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);

    return fake_handle;

}
Reply With Quote
The Following 5 Users Say Thank You to raduga_fb For This Useful Post:
countryboy (09-22-2021), mcr4ck (02-04-2021), niculaita (07-22-2021), sh3dow (07-26-2021), user1 (07-31-2021)
  #2  
Old 02-04-2021, 18:41
mcr4ck mcr4ck is offline
Friend
  
Join Date: Nov 2019
Location: iran
Posts: 53
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 39
Thanks Rcvd at 30 Times in 16 Posts
mcr4ck Reputation: 1
Quote:
Originally Posted by raduga_fb View Post
If the target has more than one protection layer, you need to patch them in order. Try to hook to WINAPI which is being used by program during unpacking (HeapAlloc, VirtualAlloc, CreateFile ...)

Below sample uses ms detours to hook to DeviceIOControl to check the memory of target. When memory compare is equal, then patching first layer. If you need to more patching after first layer unpacking, you have to continue to check the memory of program. After final patching, you can detach DeviceIOControl.



Code:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"

#include <iostream>
#include <vector>
#include <Windows.h>
#include <tlhelp32.h>

#include "detours.h"

#pragma comment(lib, "detours.lib")

using namespace std;

BOOL WINAPI My_DeviceIoControl(
    HANDLE       hDevice,
    DWORD        dwIoControlCode,
    LPVOID       lpInBuffer,
    DWORD        nInBufferSize,
    LPVOID       lpOutBuffer,
    DWORD        nOutBufferSize,
    LPDWORD      lpBytesReturned,
    LPOVERLAPPED lpOverlapped
);

static BOOL(WINAPI* Ori_DeviceIoControl) (
    HANDLE       hDevice,
    DWORD        dwIoControlCode,
    LPVOID       lpInBuffer,
    DWORD        nInBufferSize,
    LPVOID       lpOutBuffer,
    DWORD        nOutBufferSize,
    LPDWORD      lpBytesReturned,
    LPOVERLAPPED lpOverlapped
    ) = NULL;



BYTE bytes_written_1[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90 }; 
BYTE bytes_written_2[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90x 0x90 }; 


DWORD GetProcId(const wchar_t* procName)
{
    DWORD procId = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 procEntry;
        procEntry.dwSize = sizeof(procEntry);

        if (Process32First(hSnap, &procEntry))
        {
            do
            {
                if (!_wcsicmp(procEntry.szExeFile, procName))
                {
                    procId = procEntry.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnap, &procEntry));

        }
    }
    CloseHandle(hSnap);
    return procId;
}

DWORD GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
    DWORD modBaseAddr = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        MODULEENTRY32 modEntry;
        modEntry.dwSize = sizeof(modEntry);
        if (Module32First(hSnap, &modEntry))
        {
            do
            {
                if (!_wcsicmp(modEntry.szModule, modName))
                {
                    modBaseAddr = (DWORD)modEntry.modBaseAddr;
                    break;
                }
            } while (Module32Next(hSnap, &modEntry));
        }
    }
    CloseHandle(hSnap);
    return modBaseAddr;
}




BOOL APIENTRY DllMain(HMODULE hDLL,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    HMODULE dll_module_1 = GetModuleHandleA("kernel32.dll");

    if (!dll_module_1)
    {
        DWORD dw = GetLastError();
        MessageBox(NULL, L"The library could not load", L"ERROR", MB_OK);
    }

    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:

            DetourRestoreAfterWith();

            Ori_DeviceIoControl = (BOOL(WINAPI*) (HANDLE, DWORD, LPVOID, DWORD, LPVOID, DWORD, LPDWORD, LPOVERLAPPED)) DetourFindFunction("kernel32.dll", "DeviceIoControl");

            DisableThreadLibraryCalls(hDLL);
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());

            DetourAttach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);

            if (DetourTransactionCommit() != NO_ERROR)
                MessageBox(NULL, L"Detour Attach Error", NULL, MB_OK);

                break;

        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:

            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
            DetourTransactionCommit();

            break;
        }
        return TRUE;
    }
}

BOOL WINAPI My_DeviceIoControl(
    HANDLE       hDevice,
    DWORD        dwIoControlCode,
    LPVOID       lpInBuffer,
    DWORD        nInBufferSize,
    LPVOID       lpOutBuffer,
    DWORD        nOutBufferSize,
    LPDWORD      lpBytesReturned,
    LPOVERLAPPED lpOverlapped
)

{

    DWORD processID = GetProcId(L"??????.exe");
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, processID);
    DWORD moduleBase = GetModuleBaseAddress(processID, L"?????.exe");

    if (moduleBase != 0)
    {
        DWORD target_adres = moduleBase + ??????;
        DWORD* target_adres_ = 0;
        DWORD dwLen_ = 0;
        BOOL sonuc = false;

        DWORD* control_1 = (DWORD*)0x0???????;
        DWORD* control_2 = (DWORD*)0x0???????;

        DWORD oldprotect;

        if (target_adres != 0)
        {
            ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

            if (target_adres_ == control_1)
            {
                unsigned int length_ = 6;

                VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, PAGE_EXECUTE_READWRITE, &oldprotect);
                sonuc = WriteProcessMemory(hProcess, (LPVOID)target_adres, &bytes_written_1, length_, &dwLen_);		// 1st patch (1st Layer)
                VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, oldprotect, &oldprotect);

		...
		...


                if (sonuc)
                {
                    //MessageBox(NULL, L"patched", NULL, MB_OK);			// 1st layer is OK, patched
                }
            }
        }

        target_adres = moduleBase + 0x0???;						// 2nd layer (if needed)

        if (target_adres != 0)
        {
            ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

            if (target_adres_ == control_2)
            {
                unsigned int length_= 7;

                VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, PAGE_EXECUTE_READWRITE, &oldprotect);
                sonuc = WriteProcessMemory(hProcess, (LPVOID)hedef_adres, &bytes_written_4, uzunluk, &dwLen_);		// 2nd patch (2nd layer)
                VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, oldprotect, &oldprotect);
		
		...
		...


            DetourTransactionBegin();											// JOB is done, it is time to Detach
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
            DetourTransactionCommit();

  
            }
        }

    }


    BOOL fake_handle = false;

    fake_handle = Ori_DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);

    return fake_handle;

}
Please send the following files as well
pch.h
detours.h

and
Programming IDE and compiler

thanks
Reply With Quote
The Following User Says Thank You to mcr4ck For This Useful Post:
countryboy (09-22-2021)
  #3  
Old 02-06-2021, 04:40
mcr4ck mcr4ck is offline
Friend
  
Join Date: Nov 2019
Location: iran
Posts: 53
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 39
Thanks Rcvd at 30 Times in 16 Posts
mcr4ck Reputation: 1
Please send the following files as well
pch.h
detours.h

and
Programming IDE and compiler

thanks
Reply With Quote
The Following User Says Thank You to mcr4ck For This Useful Post:
niculaita (02-06-2021)
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
QLoader - Quickly create a non-exe loader for application vic4key Community Tools 6 07-07-2022 23:11
dot net - how to create keygen using program's code Maltese General Discussion 5 06-15-2011 09:02


All times are GMT +8. The time now is 20:05.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )