Help creating a loader for a packed program
hi
I have a plan and I want to write a loader for it. Because the packed program takes a while to load into memory, I wanted to see how to load loaders for such programs. I will send an example that uses the following functions to load the desired part into memory and then start patching.
Functions: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenProcess, Module32FirstW, ReadProcessMemory, VirtualProtectEx, WriteProcessMemory
please help
Use Advanced Loader Generator; if I remember correctly it has options like sleep and wait until the first window before applying the patches. The final loader is a VB6 executable packed with UPX; just unpack it and you can check how it works.
Here is a very good basic example made by Xylitol: https://github.com/Xyl2k/Xylitol-MAS...der)/patch.asm
Long ago, when I was learning programming, I wrote a simple library for patching memory on the fly.
It supports waiting until the first window of the process and waiting until some fixed bytes are decrypted in memory. It should fulfill your requirements: https://github.com/GautamGreat/LoaderEngine
Below is an example of a loader using Cheat Engine that I found on the net.
Code:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable CheatEngineTableVersion="31">
  <CheatEntries/>
  <UserdefinedSymbols/>
  <LuaScript>PROCESS_NAME = 'GDAE3.86.pro.exe'

-- Auto Attach
local autoAttachTimer = nil            -- variable to hold the timer object
local autoAttachTimerInterval = 1000   -- timer intervals are in milliseconds
local autoAttachTimerTicks = 0         -- counts how many times the timer has run
local autoAttachTimerTickMax = 5000    -- set to zero to disable the tick limit

local function autoAttachTimer_tick(timer)  -- timer tick callback
  -- Destroy the timer if the tick limit is reached
  if autoAttachTimerTickMax > 0 and autoAttachTimerTicks >= autoAttachTimerTickMax then
    timer.destroy()
    return
  end
  -- Check whether the process is running
  if getProcessIDFromProcessName(PROCESS_NAME) ~= nil then
    timer.destroy()            -- destroy the timer
    openProcess(PROCESS_NAME)  -- open the process
    writeBytes(0x00458816, 0xb8, 0x01, 0x00, 0x00, 0x00)
    writeBytes(0x00448120, 0xc7, 0x83, 0x70, 0x09, 0x00, 0x00, 0x01, 0x00, 0x00)
    writeBytes(0x0044812A, 0xe9, 0x9c, 0x00, 0x00, 0x00, 0x90, 0x90)
    writeBytes(0x004485E6, 0xeb)
    writeBytes(0x00443973, 0xeb)
    --pause()
  end
  autoAttachTimerTicks = autoAttachTimerTicks + 1  -- increase ticks
end

autoAttachTimer = createTimer(getMainForm())        -- create the timer with the main form as its parent
autoAttachTimer.Interval = autoAttachTimerInterval  -- set the timer interval
autoAttachTimer.OnTimer = autoAttachTimer_tick      -- set the timer tick callback
</LuaScript>
</CheatTable>
I hope you find it useful.
Patching by Hooking
If the target has more than one protection layer, you need to patch them in order. Try to hook the WINAPI that the program uses during unpacking (HeapAlloc, VirtualAlloc, CreateFile ...).
The sample below uses MS Detours to hook DeviceIoControl and check the memory of the target. When the memory compare is equal, the first layer is patched. If you need more patching after the first layer has unpacked, you have to keep checking the program's memory. After the final patch, you can detach DeviceIoControl. Code:
// dllmain.cpp : Defines the entry point for the DLL application.
Quote:
This is my loader, a Delphi program (some functions are from my programming library, but I think you will understand). Code:
function Loader_PEFile(FName: string; FCRC32: string; pbyte: array of Byte;
quygia128
Quote:
pch.h, detours.h, and the programming IDE and compiler. Thanks
How do I use this?
https://github.com/GautamGreat/LoaderEngine
Please give an example.
Quote:
Code:
program Project1;
Please send the following files as well:
pch.h, detours.h, and the programming IDE and compiler. Thanks
try MS Visual Studio
I will compile it in Visual Studio 2012.
But it produced an error: error C1083: Cannot open include file: 'pch.h': No such file or directory. Please help me compile it. Thanks
Comment it out and configure your project not to use precompiled headers.
Hope this helps
Quote:
Can you explain it in full? Or compile this at all and tell me the method. Thankful
It is a precompiled header file.
look at Quote:
I didn't notice.
If possible, compile this completely and send it to me, because I do not know much about C or C++. Thanks to the friends who know me for compiling this and sending it to me.
See example - Loader for WIN32-PE (no ASLR!) - Sources for MSVC.
For a packed program, set this in the source code: Quote:
Thanks a lot
But I want to compile this code. Did anyone compile this code? Quote:
Parts are missing
... ...
Why do you say parts are missing?
Please help
Quote:
You must have the "detours" package with the "detours.lib" file to compile this code, as a minimum. And then replace the strings "???????" with valid values. But see my previous post with an example of a WIN32-PE patch-loader. It is simple and independent code and works fine on several tasks. I do not use the Detours package; there is no need.
"detours" package
https://mega.nz/file/SAwS2TzA#RHRKsixO1Eq2vP1589raQrB3sJYoWOFbHHH8fHAMl-A
Quote:
Code:
#include <iostream>   // standard C++ library for console I/O
#include <fstream>    // std::fstream / std::streampos, needed by MapFileToMemory
#include <string>     // standard C++ library for string manipulation
#include <Windows.h>  // WinAPI header
#include <TlHelp32.h> // WinAPI process API

// Use this if you want to read the executable from disk.
// Returns a heap buffer (free it with delete[]) or nullptr on failure.
char* MapFileToMemory(LPCSTR filename)
{
    std::fstream file(filename, std::ios::in | std::ios::binary | std::ios::ate);
    if (file.is_open())
    {
        std::streampos size = file.tellg();
        char* Memblock = new char[size]();
        file.seekg(0, std::ios::beg);
        file.read(Memblock, size);
        file.close();
        return Memblock;
    }
    return nullptr;
}

// 32-bit build only: the code relies on DWORD casts and the x86 CONTEXT (Ebx/Eax).
int RunPortableExecutable(void* Image)
{
    IMAGE_DOS_HEADER* DOSHeader;         // DOS header
    IMAGE_NT_HEADERS* NtHeader;          // NT (PE) header
    IMAGE_SECTION_HEADER* SectionHeader;
    PROCESS_INFORMATION PI;
    STARTUPINFOA SI;
    CONTEXT* CTX;
    DWORD ImageBase;                     // base address of the image in the new process
    void* pImageBase;                    // pointer to the image base
    int count;
    char CurrentFilePath[1024];

    DOSHeader = PIMAGE_DOS_HEADER(Image);
    NtHeader = PIMAGE_NT_HEADERS(DWORD(Image) + DOSHeader->e_lfanew);
    GetModuleFileNameA(0, CurrentFilePath, 1024);  // path to the current executable

    if (NtHeader->Signature != IMAGE_NT_SIGNATURE)  // check that the image is a PE file
        return 1;

    ZeroMemory(&PI, sizeof(PI));
    ZeroMemory(&SI, sizeof(SI));
    SI.cb = sizeof(SI);
    // Create a new instance of the current process in suspended state for the new image.
    if (!CreateProcessA(CurrentFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                        NULL, NULL, &SI, &PI))
        return 1;

    // Allocate the context: sizeof(CONTEXT), not sizeof(CTX), which is only a pointer.
    CTX = LPCONTEXT(VirtualAlloc(NULL, sizeof(CONTEXT), MEM_COMMIT, PAGE_READWRITE));
    CTX->ContextFlags = CONTEXT_FULL;
    if (GetThreadContext(PI.hThread, CTX))
    {
        // Read the image base of the suspended process from its PEB (Ebx points at the PEB).
        ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&ImageBase), 4, 0);
        pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(NtHeader->OptionalHeader.ImageBase),
                                    NtHeader->OptionalHeader.SizeOfImage,
                                    MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        // Write the headers, then every section, into the new process.
        WriteProcessMemory(PI.hProcess, pImageBase, Image,
                           NtHeader->OptionalHeader.SizeOfHeaders, NULL);
        for (count = 0; count < NtHeader->FileHeader.NumberOfSections; count++)
        {
            SectionHeader = IMAGE_FIRST_SECTION(NtHeader) + count;
            WriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + SectionHeader->VirtualAddress),
                               LPVOID(DWORD(Image) + SectionHeader->PointerToRawData),
                               SectionHeader->SizeOfRawData, 0);
        }
        // Update the PEB image base and move the address of the entry point into eax.
        WriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8),
                           LPVOID(&NtHeader->OptionalHeader.ImageBase), 4, 0);
        CTX->Eax = DWORD(pImageBase) + NtHeader->OptionalHeader.AddressOfEntryPoint;
        SetThreadContext(PI.hThread, CTX);  // set the context
        ResumeThread(PI.hThread);           // start the process / call main()
        return 0;                           // operation was successful
    }
    return 1;
}

// Enter the valid bytes of a program here (only the start of a DOS header is shown).
unsigned char rawData[37376] = {
    0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
    0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main()
{
    RunPortableExecutable(rawData);  // run the executable from the array
    getchar();
}
Google it; GitHub is your friend.
Activation Posted Here: Loader V2.1 + Extra Features + Video : by countryboy
Hi, mcr4ck
I am countryboy. I wrote a loader many years ago; the latest release is posted here ... There are 2 versions, 32-bit and 64-bit, and the loader can also be used as a trial reset. I will be releasing a graphical interface shortly ... If anyone is interested, I wrote a tutorial and posted it on CGPersia, and I can post it here if there is interest. The tutorial is from many years ago, and most of it is images. I have made a lot of changes over the years. The code contains all the basic code and is in Lazarus Pascal.

Have a great day,
countryboy

HOW THE ACTIVATION LOADER WORKS:
I wrote the v1 loader code many years ago for HitFilm 64-bit and BuildBox 32-bit, because no 64-bit loaders were available. HitFilm can be run in a debugger and its code changed, but the changes can't be saved, because all files check the others' CRC. BuildBox is slow, unpacks in memory, checks the CRC of the patched Network.dll, and checks the code segment memory CRC of itself.

LOADER START: Open LoaderConfig.TXT: set defaults, check the version and file size, set up messages, and minimize the window.
KILL TASK(Program to Patch) in case it's hung in memory from a previous run.
KILL TASK(START): protection guards or crack-protection programs loaded by the program to patch. Needed in HitFilm.
Message Box(START), RUN(START), RUN REGISTRY(Start only), RUN(BEFOREPATCH), and after the registry is done.
ASLR: Windows loads programs into randomly selected memory, requiring a search for the program name to get the segment offset.
GOD LIKE PRIVILEGES are requested to debug and change the program's memory before loading and starting.
TIME CRITICAL: Need to wait for Windows to read the hard drive and load the program into memory before starting the search. The Windows function WaitForSingleObject() waits ReadmemWaitTime (max time in milliseconds to load and exist in memory), and the Windows function WaitForDebugEvent waits an additional 10 milliseconds maximum to finish loading.
LET THE SEARCH BEGIN: The Windows function EnumProcessModules() is used to search for the program's name in memory. While not found: if error, then wait 1 millisecond before trying again; if not found after ASLRmemory_MaxAttempts=5000, set the image base to the default ASLR and create an "Image Base not found" message after 5 seconds (the attempt count).
PACKED SLOW LOADING PROGRAMS: use the Windows function WaitForInputIdle() to wait for the program to unpack itself.
IMAGE BASE FOUND: The program thread is suspended for patching, and any error messages are saved. LoaderConfig.txt is opened and the list of patches is done. Code is verified to exist before NewCode is written at Offset. If an error occurs, the patch number is saved and patching continues. Critical errors are displayed later in a message box.
While the thread is suspended: error messages are displayed, and any RUN(AFTERPATCH) or MsgBox(AFTERPATCH) are done.
CONTINUE: Resume the thread with the program continuing to load. Restore any defaults changed, like normal DOS video. If Close Pop Up Box, then loop through the list and close WindowName and all numerical WindowName1 starting with 1, 2, 3. If WaitTime=Default, wait 35 seconds maximum for the pop-up to load. The HitFilm pop-up is slow due to loading internet images.
BEFORE QUIT: KILL TASK(END) kill programs, RUN(END) start programs, or Message Box(END), and QUIT!
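Added example (not code from the thread, from countryboy's loader, or from Cheat Engine): the defender-side check that the self-CRC / memory-compare protections described above boil down to, diffing a process's mapped .text section against the on-disk copy and reporting every run of changed bytes. It runs on a constructed section with the five patches from the Cheat Engine script posted earlier applied; IMAGE_BASE, TEXT_RVA and TEXT_SIZE are assumptions.

```python
"""Integrity check that finds in-memory code patches (constructed example): diff a
process's mapped .text against the same section on disk and report every changed run."""
IMAGE_BASE = 0x00400000   # assumption: fixed image base, no ASLR
TEXT_RVA = 0x1000         # assumption: RVA of the .text section
TEXT_SIZE = 0x58000       # assumption: big enough to cover the patched addresses
TEXT_VA = IMAGE_BASE + TEXT_RVA
# Patch list from the Cheat Engine script posted earlier in the thread (VA -> new bytes).
CE_PATCHES = {
    0x00458816: bytes([0xB8, 0x01, 0x00, 0x00, 0x00]),
    0x00448120: bytes([0xC7, 0x83, 0x70, 0x09, 0x00, 0x00, 0x01, 0x00, 0x00]),
    0x0044812A: bytes([0xE9, 0x9C, 0x00, 0x00, 0x00, 0x90, 0x90]),
    0x004485E6: bytes([0xEB]),
    0x00443973: bytes([0xEB]),
}

def find_patches(disk_text: bytes, mem_text: bytes, text_va: int):
    """Return [(va, original_bytes, current_bytes)] for each run of modified bytes."""
    if len(disk_text) != len(mem_text):
        raise ValueError("section length mismatch")
    runs, i, n = [], 0, len(disk_text)
    while i < n:
        if disk_text[i] == mem_text[i]:
            i += 1
            continue
        j = i
        while j < n and disk_text[j] != mem_text[j]:
            j += 1                      # extend the run while bytes keep differing
        runs.append((text_va + i, disk_text[i:j], mem_text[i:j]))
        i = j
    return runs

def apply_patches(text: bytes, text_va: int, patches: dict) -> bytes:
    """Simulate the loader's writes on a copy of the section (test input only)."""
    buf = bytearray(text)
    for va, new in patches.items():
        off = va - text_va
        if off < 0 or off + len(new) > len(buf):
            raise ValueError(f"patch at {va:#x} lies outside the section")
        buf[off:off + len(new)] = new
    return bytes(buf)

def simulated_case():
    """Constructed input: int3-filled .text (0xCC never occurs in the patch bytes)."""
    disk = b"\xCC" * TEXT_SIZE
    return find_patches(disk, apply_patches(disk, TEXT_VA, CE_PATCHES), TEXT_VA)

if __name__ == "__main__":
    for va, old, new in simulated_case():
        print(f"{va:#010x}: {old.hex()} -> {new.hex()}")
```

On a real target the two buffers would come from the section's file bytes and from ReadProcessMemory over the mapped section; the two adjacent patches at 0x00448120 and 0x0044812A are reported as separate runs because the byte between them is untouched.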