Search
 
 

Display results as :
 


Rechercher Advanced Search

Latest topics
» ~=?{The future is here, TastyExploit officially open to the public}?=~
Tue Mar 02, 2010 11:00 pm by Dami

» My first aa script
Tue Mar 02, 2010 7:00 am by wafflemaster

» the real story behind Maverin
Tue Mar 02, 2010 1:33 am by SoundOfDeat

» Random spam
Mon Mar 01, 2010 11:52 pm by Danny1994

» [Request] EMS v56 Exe
Mon Mar 01, 2010 12:39 am by Dami

» [Blacklist] NX-Trading Blacklist.
Mon Mar 01, 2010 12:38 am by Danny1994

» I have a question regarding the meso farmer
Sat Feb 27, 2010 10:30 pm by Dami

» What are you listening to now?
Sat Feb 27, 2010 7:57 pm by Noname111111

» Video(s) Of The Day
Sat Feb 27, 2010 7:37 pm by Noname111111

Navigation
 Portal
 Index
 Memberlist
 Profile
 FAQ
 Search
Affiliates
free forum
 



[C#] Using codecaves without any IPC

Go down

[C#] Using codecaves without any IPC

Post by wafflemaster on Wed Dec 23, 2009 5:16 am

A lot of things can be made into codecaves. Delay DupeX, CSEAX Unlimited Attack, and dEM are a couple of examples. But it’s difficult to actually use them because there are so many edits you must do. Some people just decide to use IPC because they're lazy; but there is an alternative: writing the bytes yourrself. It’s fairly easy once you get the hang of it. I’ll use KiKiVac (pseudo-dEM) from EMS v58 as an example, because it’s so short.

In order to properly do a codecave in C#, you must write bytes to at least TWO locations in memory: the location of the allocated memory, and the address of the main opcode. This means you have to manually allocate some memory.

First, allocate some memory using the VirtualAllocEx function, where AllocationSize is the number of bytes you want to write (anything excess does not matter, but try to keep it as small as you can). The value returned by the function is the location of the allocated memory.

IntPtr AllocationAddress = VirtualAllocEx(ProcessHandle, (IntPtr)null, (IntPtr)AllocationSize, 0x1000, 0x40);

WinNT.h:
#define PAGE_EXECUTE_READWRITE 0x40
#define MEM_COMMIT 0x1000

Whenever you use VirtualAllocEx, it always allocates memory until the next page boundary, which is typically a multiple of 0x1000 (4096), so make sure you allocate memory as needed.



Next, you have to fill that allocation with your own bytes. In order to do this, you have to use CE. You can do it without CE, but it’s a giant pain in the ass.

First, find your script. Then, convert it so that it is a codecave. If you don’t know what a codecave is, then give up. Next, use registersymbol on ALL of the variables to declare them as symbols; this is essential to finding the bytes. I did this in the script below.

Next, enable the script and copy all of the modified memory, including the memory at the cave. The things you need to fix are the “jump near” bytes (the ones starting with E9). In order to fix these bytes, you have to use the formula below. Make sure you fix the bytes at the cave and the main address. You should notice that the pointers and offsets are hardcoded; they don’t change unless there is a patch, so you can just leave them that way. See the pictures below for details.



Keep in mind that the current location will be the location of the opcode, not the allocation address. By now, you should have all the stuff fixed, so you should be able to determine the bytes for the jumps. Some values can go up to 0xFFFFFFFF, so make sure your numbers are 64 bit integers. Now, simply create your byte arrays as normal.

Now, you must write your bytes. In order to do this, just use WriteProcessMemory, NtWriteVirtualMemory, or any other API you like. Make sure you write the bytes to the cave first, and then write the bytes to the main address.

When you need to disable the codecave, make sure you do it in this exact order: first use VirtualFreeEx to free the memory you previously allocated, then write the original bytes to the main address.

If you are unsure about allocating memory, then take a look at the program I made. It allocates memory and gives you the location.
mediafire.com ?nyhfnuxogjn

KiKiVac v58 (AA):
Code:
[enable]
registersymbol(KiKiVac)
registersymbol(KiKiReturn)
alloc(KiKiVac, 256)
label(KiKiReturn)

KiKiVac:
mov edx, [009A511C]
lea edx, [edx+e50]
mov ecx, [edx]
mov edx, [009A511C]
lea edx, [edx+e54]
lea eax, [edx]
mov eax, [eax]
jmp KiKiReturn
 
KiKiReturn:
jmp 005BC48D
 
005BC47E:
Jmp KiKiVac
nop
 
[disable]
005BC47E:
DB 8b 8b a0 04 00 00
unregistersymbol(KiKiVac)
unregistersymbol(KiKiReturn)
dealloc(KiKiVac)

Selected memory regions (TYPO: “op should be …[009A511C]”):



Finished code (mirrored at http://wafflemaster.pastebin.com/f6943b5d8):
Code:
        void KiKiVacOn()
        {
            IntPtr KiKiVacMainAddress = (IntPtr)0x5BC47E;
            IntPtr KiKiReturn = (IntPtr)0x5BC48D; //This is equal to KiKiVacMainAddress + 5

            IntPtr KiKiVacLocation = Unmanaged.VirtualAllocEx(ProcessHandle, (IntPtr)null, (IntPtr)32, 0x1000, 0x40); //Allocate some memory

            byte[] JMP5BC48Dbytes = JumpNear((IntPtr)((int)KiKiVacLocation + 0x23), KiKiReturn); //KiKiVacLocation + 0x23 is the location of the opcode  in CE
            byte[] KiKiVacBytes = new byte[] {
                /*KiKiVac:*/
                0x8B, 0x15, 0x1C, 0x51, 0x9A, 00, /*mov edx, [009A511C]*/
                0x8D, 0x92, 0x50, 0x0E, 00, 00, /*lea edx, [edx+00000E50]*/
                0x8B, 0x0A, /*mov ecx, [edx]*/
                0x8B, 0x15, 0x1C, 0x51, 0x9A, 00, /*mov edx, [009A511C]*/
                0x8D, 0x92, 0x54, 0x0E, 00, 00, /*lea edx, [edx+00000E54]*/
                0x8D, 0x02, /*lea eax, [edx]*/
                0x8B, 00, /*mov eax, [eax]*/
                0xEB, 0x03, /*jump short KiKiReturn*/
                0x90, 0x90, 0x90, /*nop, nop, nop*/

                /*KiKiReturn:*/
                JMP5BC48Dbytes[0], JMP5BC48Dbytes[1], JMP5BC48Dbytes[2], JMP5BC48Dbytes[3], JMP5BC48Dbytes[4] //jump near 005BC48D
            };

            byte[] JMPKiKiVacbytes = JumpNear(KiKiVacMainAddress, KiKiVacLocation); //"jmp KiKiVac"
            byte[] JMPKiKiVac = new byte[] {
                JMPKiKiVacbytes[0], JMPKiKiVacbytes[1], JMPKiKiVacbytes[2], JMPKiKiVacbytes[3], JMPKiKiVacbytes[4], /*jump short*/
                0x90 /*a nop to fill the extra space*/
            };

            if (KiKiVacLocation != IntPtr.Zero)
            {
                WriteProcessMemory(KiKiVacLocation, KiKiVacBytes); //write the cave
                WriteProcessMemory(KiKiVacMainAddress, JMPKiKiVac); //write the jump to the cave
            }
        }

        //Function to calculate the 5-byte array for "jump near"
        byte[] JumpNear(IntPtr Location, IntPtr Destination)
        {
            byte[] JMPbytes = new byte[4];
            JMPbytes = BitConverter.GetBytes((UInt64)Destination - (UInt64)Location - (UInt64)5);
            return new byte[] { 0xE9, JMPbytes[0], JMPbytes[1], JMPbytes[2], JMPbytes[3] };
        }

Here's the entire guide as a word document.
mediafire.com ?zkzillicnmz

Credits:
Me (waffle) for writing the guide and updating the script
Dark Byte for CE and his opcode interpreter
kittonkicker for the original KiKiVac script


Last edited by wafflemaster on Wed Dec 23, 2009 11:50 am; edited 6 times in total

wafflemaster
V.I.P
V.I.P

Posts : 123
Join date : 2009-10-27

Back to top Go down

Re: [C#] Using codecaves without any IPC

Post by Ennø on Wed Dec 23, 2009 5:31 am

Dang, I just love you for all these tuts Smile
When I get better at C# I probably gonna need them Smile

Ennø
Bronze Member
Bronze Member

Posts : 220
Join date : 2009-08-15
Age : 24
Location : The Netherlands

Back to top Go down

Re: [C#] Using codecaves without any IPC

Post by wafflemaster on Wed Dec 23, 2009 5:46 am

Ennø wrote:Dang, I just love you for all these tuts Smile
When I get better at C# I probably gonna need them Smile

lol, most of them are just different viewpoints that most people never bothered to consider. C# is one of the EASIEST languages ever made.

wafflemaster
V.I.P
V.I.P

Posts : 123
Join date : 2009-10-27

Back to top Go down

Re: [C#] Using codecaves without any IPC

Post by wafflemaster on Wed Dec 23, 2009 10:27 am

Aw shit, I just realized that I messed up one of the calculations. Let me fix the example so that it will work.

Edit: Everything should be fixed. Please tell me if I screwed up something like a calculation or some shit.

wafflemaster
V.I.P
V.I.P

Posts : 123
Join date : 2009-10-27

Back to top Go down

Re: [C#] Using codecaves without any IPC

Post by Dami on Wed Dec 23, 2009 1:38 pm

Thank you wafflemaster from another great tutorial.
avatar
Dami
Dragon
Dragon

Posts : 1414
Join date : 2009-08-10
Age : 28
Location : Finland

Back to top Go down

Re: [C#] Using codecaves without any IPC

Post by wafflemaster on Thu Dec 24, 2009 8:34 am

yw.

Something just occurred to me.

I think the converted instructions should only be compatible with computers that have the same architecture. The reason is because x64 is supposed to use registers differently. [See Page 50 of the Intel Software Developer's Manual Volume 2A (http://www.intel.com/Assets/PDF/manual/253666.pdf)]
But you can overcome that with an if statement.

Code:
byte[] array;
if (x86)
  array = bla;
else
  array = blablabla;

wafflemaster
V.I.P
V.I.P

Posts : 123
Join date : 2009-10-27

Back to top Go down

Re: [C#] Using codecaves without any IPC

Post by Sponsored content


Sponsored content


Back to top Go down

Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum