View Full Version : GCB engine release.
| [Originally Posted by Indy;88388]evaluator A knife is a weapon, but its use is not prohibited for peaceful purposes |
.
| [Originally Posted by Indy;88410]dELTA Interested people should study such mechanisms. Can not be otherwise - is a complex materiel opens up great opportunities. I just do not understand your position, this code as my other technology can be laid only at elite sites. What are you unhappy? |
| [Originally Posted by Indy;88410]If you have a problem that the code affects vx technology, I can give you an example. Simplified example. Need to get control after working ISR: http://indy-vx.narod.ru/Bin/Ki.zip ("http://indy-vx.narod.ru/Bin/Ki.zip") |
| [Originally Posted by Indy;88410]I thought it would be normal technical discussion If something does not suit you, I'll go away. |
| "initial description" |
:| Here is my word processor. It can process words. (wordprocessor.zip) |
| Word 2010 provides an array of new and improved tools that help you look like a design pro and make your important content stand out. * Add impressive formatting effects—such as gradient fills and reflections—directly to the text in your document. You can now apply many of the same effects to text and shapes that you might already use for pictures, charts, and SmartArt graphics. Use new and improved picture editing tools—including versatile artistic effects and advanced correction, color, and cropping tools—to fine-tune every picture in your document to look its absolute best. Choose from more customizable Office themes to coordinate colors, fonts, and graphic formatting effects throughout your documents. Customize themes to use your own personal or business branding. The same Office themes are available in Microsoft PowerPoint and Excel 2010, so it’s easy to give all your documents a consistent, professional look. Make a statement with a wide selection of SmartArt graphics— including many new layouts for organization charts and picture diagrams—to create impressive graphics as easily as typing a bulleted list. SmartArt graphics automatically coordinate with your chosen document theme, so great-looking formatting for all your document content is just a couple of clicks away. |
GCBE::
; GPE Services
test eax,eax
jz QueryOpcodeSize
dec eax
jz QueryPrefixLength
dec eax
jz GpParse
dec eax
jz GpTrace
dec eax
jz GpFastCheckIpBelongToSnapshot
dec eax
jz GpCheckIpBelongToSnapshot
dec eax
jz GpFindCallerBelongToSnapshot
dec eax
jz GpSearchRoutineEntry
dec eax
jz GpQueryRoutineArgsNumber
dec eax
; GCBE service.
jz GpBuildGraph
mov eax,STATUS_INVALID_PARAMETER
ret
%GET_GRAPH_REFERENCE
assume fs:nothing
.686p
.model flat, stdcall
option casemap :none
include \masm32\include\ntdll.inc
includelib \masm32\lib\ntdll.lib
.code
include Engine.inc
%NTERR macro
.if Eax
Int 3
.endif
endm
; 10 args
_imp__RtlCreateUserThread proto \
ProcessHandle:HANDLE, \
SecurityDescriptor:PSECURITY_DESCRIPTOR, \
CreateSuspended:BOOLEAN, \
ZeroBits:ULONG, \
SizeOfStackReserve:ULONG, \
SizeOfStackCommit:ULONG, \
InitialEip:ULONG, \
nitialValueInStack:ULONG, \
OutThreadHandle:PHANDLE, \
OutClientId:PCLIENT_ID
$Msg CHAR "Address: 0x%p, Args: %u", 13, 10, 0
Ep proc
Local GpBase:PVOID, GpSize:ULONG
Local GpLimit:PVOID
Local ArgsCount:ULONG
mov GpBase,NULL
mov GpSize,4*X86_PAGE_SIZE
invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr GpBase, 0, addr GpSize, MEM_COMMIT, PAGE_READWRITE
%NTERR
mov ecx,GpBase
lea edx,GpLimit
mov ebx,dword ptr [_imp__RtlCreateUserThread]
mov GpLimit,ecx
push eax
push eax
push eax
push eax
push eax
push eax
push edx
push ebx
mov eax,GP_PARSE;parse the region in question ebx
Call GP
%NTERR
lea ecx,ArgsCount
push ecx
push GpBase
mov eax,GP_QUERY_ROUTINE_ARGS_NUMBER
Call GP
%NTERR
invoke DbgPrint, addr $Msg, Ebx, ArgsCount
ret
Ep endp
end Ep
.686p
.model flat, stdcall
option casemap :none
include \masm32\include\ntdll.inc
includelib \masm32\lib\ntdll.lib
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.code GPECODE
include ..\Bin\Gpe.inc
%NTERR macro
.if Eax
Int 3
.endif
endm
%APIERR macro
.if !Eax
Int 3
.endif
endm
Public gChainDispatch
Public gLoadLibraryArg
.data
gSnapshot GP_SNAPSHOT <>
gChainDispatch PVOID ?
gLoadLibraryArg PSTR ?
.code
LoadLibrary2ndDispatch proc C
pushad
invoke DbgPrint, gLoadLibraryArg
popad
jmp gChainDispatch
LoadLibrary2ndDispatch endp
LdrpManifestProberRoutine proc DllBase:PVOID, FullDllPath:PCWSTR, ActivationContext:PVOID
Local Caller:GP_CALLER
lea eax,Caller
push eax
push UserMode
push NULL
push offset gSnapshot
%GPCALL GP_FIND_CALLER_BELONG_TO_SNAPSHOT
.if !Eax
mov edx,Caller.Frame ; ~PspCreateProcess()
lea ecx,LoadLibrary2ndDispatch
mov edx,STACK_FRAME.Next[edx]
xchg STACK_FRAME.Ip[edx],ecx
mov gChainDispatch,ecx
mov edx,dword ptr [edx + sizeof(STACK_FRAME)] ; Arg.
mov gLoadLibraryArg,edx
.endif
xor eax,eax
ret
LdrpManifestProberRoutine endp
LdrSetDllManifestProber proto :PVOID
_imp__LoadLibraryA proto :PSTR
$Dll CHAR "psapi.dll",0
Ep proc
Local GpSize:ULONG
Local OldProtect:ULONG
mov gSnapshot.GpBase,NULL
mov GpSize,1000H * X86_PAGE_SIZE
invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr gSnapshot.GpBase, 0, addr GpSize, MEM_COMMIT, PAGE_READWRITE
mov ebx,gSnapshot.GpBase
%NTERR
add gSnapshot.GpBase,0FFFH * X86_PAGE_SIZE
mov GpSize,X86_PAGE_SIZE
invoke ZwProtectVirtualMemory, NtCurrentProcess, addr gSnapshot.GpBase, addr GpSize, PAGE_NOACCESS, addr OldProtect
%NTERR
mov gSnapshot.GpLimit,ebx
mov gSnapshot.GpBase,ebx
lea ecx,gSnapshot.GpLimit
push eax
push eax
push eax
push eax
push eax
push 1
push GCBE_PARSE_SEPARATE
push ecx
push dword ptr [_imp__LoadLibraryA]
%GPCALL GP_PARSE
%NTERR
invoke LdrSetDllManifestProber, offset LdrpManifestProberRoutine
invoke LoadLibrary, addr $Dll
%APIERR
ret
Ep endp
end Ep
.686p
.model flat, stdcall
option casemap :none
include \masm32\include\ntdll.inc
includelib \masm32\lib\ntdll.lib
_imp__LdrLoadDll proto :PWCHAR, :PULONG, :PUNICODE_STRING, :PHANDLE
.code GPECODE
include ..\Bin\Gpe.inc
%NTERR macro
.if Eax
Int 3
.endif
endm
%APIERR macro
.if !Eax
Int 3
.endif
endm
.code
GCBE_PARSE_NL_UNLIMITED equ -1
TRACE_DATA struct
ScanBase PVOID ?
ScanLimit PVOID ?
Message PSTR ?
MsgLength ULONG ?
Gp PVOID ?
TRACE_DATA ends
PTRACE_DATA typedef ptr TRACE_DATA
TraceCallback proc uses ebx esi edi GpEntry:PVOID, TraceData:PTRACE_DATA
mov eax,GpEntry
test dword ptr [eax + EhEntryType],TYPE_MASK
mov ebx,TraceData
jne Exit ; !HEADER_TYPE_LINE
assume eax:PBLOCK_HEADER
mov esi,[eax].Address
mov edi,[eax]._Size
assume ebx:PTRACE_DATA
Ip:
push esi ; Ip
%GPCALL GP_LDE ; LDE()
cmp al,5
jne @f
cmp byte ptr [esi],68H ; push imm32
mov edx,dword ptr [esi + 1] ; ref.
jne @f
cmp [ebx].ScanBase,edx
ja @f
cmp [ebx].ScanLimit,edx
jbe @f
push esi
push edi
mov esi,edx
mov edi,[ebx].Message
mov ecx,[ebx].MsgLength
cld
repe cmpsb
pop edi
pop esi
jne @f
mov eax,GpEntry
mov [ebx].Gp,eax
jmp Exit
@@:
add esi,eax
sub edi,eax
ja Ip
Exit:
xor eax,eax
ret
TraceCallback endp
$Message CHAR "LdrpResolveDllName", 0
$Ldrp CHAR "Def.: LdrpResolveDllName(), Address: 0x%p, Arg's: %x", 13, 10, 0
assume fs:nothing
Ep proc
Local GpSize:ULONG
Local Snapshot:GP_SNAPSHOT
Local ArgsCount:ULONG
Local OldProtect:ULONG
Local TraceData:TRACE_DATA
Local Gp:PVOID
mov Snapshot.GpBase,NULL
mov GpSize,1000H * X86_PAGE_SIZE
invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr Snapshot.GpBase, 0, addr GpSize, MEM_COMMIT, PAGE_READWRITE
mov ebx,Snapshot.GpBase
%NTERR
add Snapshot.GpBase,0FFFH * X86_PAGE_SIZE
mov GpSize,X86_PAGE_SIZE
invoke ZwProtectVirtualMemory, NtCurrentProcess, addr Snapshot.GpBase, addr GpSize, PAGE_NOACCESS, addr OldProtect
%NTERR
mov Snapshot.GpLimit,ebx
mov Snapshot.GpBase,ebx
lea ecx,Snapshot.GpLimit
push eax
push eax
push eax
push eax
push eax
push GCBE_PARSE_NL_UNLIMITED
push GCBE_PARSE_DISCLOSURE
push ecx
push dword ptr [_imp__LdrLoadDll]
%GPCALL GP_PARSE
%NTERR
mov eax,fs:[TEB.Peb]
mov eax,PEB.Ldr[eax]
mov eax,PEB_LDR_DATA.InLoadOrderModuleList.Flink[eax]
mov eax,LDR_DATA_TABLE_ENTRY.InLoadOrderModuleList.Flink[eax]
mov esi,LDR_DATA_TABLE_ENTRY.DllBase[eax] ; ntdll.dll
invoke RtlImageNtHeader, Esi
%APIERR
mov ecx,IMAGE_NT_HEADERS.OptionalHeader.BaseOfCode[eax]
mov edx,IMAGE_NT_HEADERS.OptionalHeader.SizeOfCode[eax]
mov TraceData.Gp,NULL
add ecx,esi
lea edx,[edx + esi - sizeof $Message]
mov TraceData.Message,offset $Message
mov TraceData.MsgLength,sizeof $Message
mov TraceData.ScanBase,ecx
mov TraceData.ScanLimit,edx
lea ecx,TraceData
lea edx,TraceCallback
push ecx
push edx
push ebx
%GPCALL GP_TRACE
%NTERR
.if TraceData.Gp == NULL
Int 3
.endif
lea ecx,Gp
lea edx,Snapshot
push ecx
push eax
push eax
push 1
push eax
push TraceData.Gp
push edx
%GPCALL GP_SEARCH_ROUTINE_ENTRY
%NTERR
mov ebx,Gp ; ref.
mov eax,dword ptr [ebx + EhEntryType]
and eax,TYPE_MASK
.if Eax != HEADER_TYPE_CALL
Int 3
.endif
assume ebx:PCALL_HEADER
mov ecx,[ebx].BranchLink
lea eax,ArgsCount
and ecx,NOT(TYPE_MASK)
push eax
push ecx
%GPCALL GP_QUERY_ROUTINE_ARGS_NUMBER
%NTERR
invoke DbgPrint, addr $Ldrp, [ebx].BranchAddress, ArgsCount
ret
Ep endp
end Ep
.686p
.model flat, stdcall
option casemap :none
include \masm32\include\ntdll.inc
includelib \masm32\lib\ntdll.lib
.code GPECODE
include ..\Bin\Gpe.inc
GCBE_PARSE_NL_UNLIMITED equ -1
%NTERR macro
.if Eax
Int 3
.endif
endm
.data
pRoutine PVOID offset GPE ; Àäðåñ ðàçáèðàåìîé ïðîöåäóðû.
NestingLevel ULONG GCBE_PARSE_NL_UNLIMITED ; Óðîâåíü âëîæåííîñòè. Äëÿ îäíîé ïðîöåäóðû 1.
.code
$Msg CHAR "0x%X", 13, 10, 0
assume fs:nothing
Ep proc
Local GpBase:PVOID, GpLimit:PVOID, GpSize:ULONG
Local OldProtect:ULONG
mov GpBase,NULL
mov GpSize,1000H * X86_PAGE_SIZE
invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr GpBase, 0, addr GpSize, MEM_COMMIT, PAGE_READWRITE
mov ebx,GpBase
%NTERR
add GpBase,0FFFH * X86_PAGE_SIZE
mov GpSize,X86_PAGE_SIZE
invoke ZwProtectVirtualMemory, NtCurrentProcess, addr GpBase, addr GpSize, PAGE_NOACCESS, addr OldProtect
%NTERR
mov GpLimit,ebx
mov GpBase,ebx
lea ecx,GpLimit
push eax
push eax
push eax
push eax
push eax
push NestingLevel
push GCBE_PARSE_DISCLOSURE
push ecx
push pRoutine
%GPCALL GP_PARSE
%NTERR
xor ebx,ebx
mov esi,GpBase
@@:
test dword ptr [esi + EhEntryType],TYPE_MASK
.if Zero? ; Line
add ebx,dword ptr [esi + EhSize]
.else
push dword ptr [esi + EhAddress]
%GPCALL GP_LDE
add ebx,eax
.endif
add esi,ENTRY_HEADER_SIZE
cmp GpLimit,esi
ja @b
invoke DbgPrint, addr $Msg, Ebx
ret
Ep endp
end Ep
love it...I picked up asm again, just to understand its full potentials..and I've been working alot, so its taken quite a while...
..So I decided to look into to this a little,very interesting subject thanks for the mention of it. | [Originally Posted by evaluator] problem not in weapon/not-weapon, but will be you sued for that-thing. btw, for dld your zip, one must turn off AV. can that behavior avoided? |
| Тут сказали что этот семпл палится как Win32: DNSChanger-VJ. Так вот эта сигнатура лежит в дизасме длин(VirXasm32b). Для устранения проблемы добавить Nop по метке xa_no16. |
ULONG GpGetRelativeLength(PVOID Ip)
{
PVOID GpBase,GpLimit;
ULONG GpSize = 0;
ULONG OldProtect;
ULONG TotalSize = 0;
//Create The Graph
GpBase = NULL;
GpSize = 0x1000 * X86_PAGE_SIZE;
if(NtAllocateVirtualMemory(NtCurrentProcess(),&GpBase, 0,&GpSize, MEM_COMMIT, PAGE_READWRITE) != STATUS_SUCCESS)
{
__asm int 3;
}
GpLimit = GpBase;
GpLimit += 0FFFH * X86_PAGE_SIZE;
GpSize = X86_PAGE_SIZE
if(NtProtectVirtualMemory(NtCurrentProcess(),&GpLimit,&GpSize, PAGE_NOACCESS,&OldProtect) != STATUS_SUCCESS)
{
__asm int 3;
}
GpLimit = GpBase;
//Parse the function to our graph.
if(GpParse(Ip,&GpLimit,GCBE_PARSE_DISCLOSURE,0,0,0,0,0,0) != STATUS_SUCCESS)
{
__asm int 3;
}
GpSize = QueryOpcodeSize(Ip);
Total Size = 0;
do
{
TotalSize += GpSize;
Ip = (PVOID)((*ULONG *)Ip +GpSize);
GpSize = QueryOpcodeSize(Ip);
}while(Ip > GpLimit);
return TotalSize;
}
PVOID GpExtendGraph(PVOID VmAddress)
{
PVOID GpBase,GpLimit;
ULONG GpSize = 0,OldProtect = 0;
MEMORY_BASIC_INFORMATION Mbi = {0};
GpBase = VmAddress;
if(NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),GpBase,MemoryBasicInformation,&Mbi,sizeof(MEMORY_BASIC_INFORMATION),&GpSize)))
{
SwProtect:
switch(Mbi.AllocationProtect)
{
case PAGE_NOACCESS:
{
GpSize = X86_PAGE_SIZE;
if(NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),&GpBase,&GpSize,PAGE_READWRITE,&OldProtect)))
{
GpLimit = (PVOID)((ULONG)GpBase + GpSize + 1);//next page
if(NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),&GpLimit,0,&GpSize,MEM_COMMIT,PAGE_NOACCESS)))
{
return GpBase;
}
}
break;
}
case PAGE_READWRITE:
{
GpBase = (PVOID)((ULONG)Mbi.BaseAddress + (ULONG)Mbi.RegionSize + 0x1);//next page
if(NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),GpBase,MemoryBasicInformation,&Mbi,sizeof(MEMORY_BASIC_INFORMATION),&GpSize)))
{
__asm jmp SwProtect;
}
break;
}
default:
{
break;
}
}
}
return 0;
}
PVOID GpGraphInit(void)
{
PVOID GpBase = 0, GpLimit = 0;
ULONG GpSize = X86_PAGE_SIZE * 256, OldProtect = 0;
if(NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),&GpBase,0,&GpSize,MEM_COMMIT,PAGE_NOACCESS)))
{
GpSize = X86_PAGE_SIZE;
if(NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess(),&GpBase,&GpSize,PAGE_READWRITE,&OldProtect)))
{
return GpBase;
}
}
return 0;
}