Help with creating a loader for a packed program
hi
I have a plan and I want to write a loader for it. Because the packed program takes a while to load in memory, I wanted to see how to write loaders for such programs. I will send an example that uses the following functions to load the desired part in memory and then start patching. Functions: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenProcess, Module32FirstW, ReadProcessMemory, VirtualProtectEx, WriteProcessMemory
please help
Use Advanced Loader Generator; if I remember correctly, it has options like sleep and wait until the first window before applying the patches. The final loader is a VB6 program packed with UPX; just unpack it and you can check how it works.
Here is a very good basic example made by Xylitol: https://github.com/Xyl2k/Xylitol-MAS...der)/patch.asm
Long ago, when I was learning programming, I wrote a simple library for patching memory on the fly.
It supports waiting until the first window of the process and waiting until some fixed bytes are decrypted in memory. It should fulfill your requirements: https://github.com/GautamGreat/LoaderEngine
Below is an example of a loader using the Cheat Engine that I found on the net.
Code:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable CheatEngineTableVersion="31">
  <CheatEntries/>
  <UserdefinedSymbols/>
  <LuaScript>PROCESS_NAME = 'GDAE3.86.pro.exe'

--------
-------- Auto Attach
--------
local autoAttachTimer = nil              ---- variable to hold timer object
local autoAttachTimerInterval = 1000     ---- Timer intervals are in milliseconds
local autoAttachTimerTicks = 0           ---- variable to count number of times the timer has run
local autoAttachTimerTickMax = 5000      ---- Set to zero to disable ticks max

local function autoAttachTimer_tick(timer) ---- Timer tick call back
  ---- Destroy timer if max ticks is reached
  if autoAttachTimerTickMax > 0 and autoAttachTimerTicks >= autoAttachTimerTickMax then
    timer.destroy()
  end
  ---- Check if process is running
  if getProcessIDFromProcessName(PROCESS_NAME) ~= nil then
    timer.destroy()                      ---- Destroy timer
    openProcess(PROCESS_NAME)            ---- Open the process
    writeBytes(0x00458816, 0xb8, 0x01, 0x00, 0x00, 0x00)
    writeBytes(0x00448120, 0xc7, 0x83, 0x70, 0x09, 0x00, 0x00, 0x01, 0x00, 0x00)
    writeBytes(0x0044812A, 0xe9, 0x9c, 0x00, 0x00, 0x00, 0x90, 0x90)
    writeBytes(0x004485E6, 0xeb)
    writeBytes(0x00443973, 0xeb)
    ---pause()
  end
  autoAttachTimerTicks = autoAttachTimerTicks + 1 ---- Increase ticks
end

autoAttachTimer = createTimer(getMainForm())      ---- Create timer with the main form as its parent
autoAttachTimer.Interval = autoAttachTimerInterval ---- Set timer interval
autoAttachTimer.OnTimer = autoAttachTimer_tick     ---- Set timer tick call back
</LuaScript>
</CheatTable>
I hope you find it useful.
Patching by Hooking
If the target has more than one protection layer, you need to patch them in order. Try to hook a WinAPI function that the program uses during unpacking (HeapAlloc, VirtualAlloc, CreateFile, ...).
The sample below uses MS Detours to hook DeviceIoControl and check the target's memory. When the memory compare is equal, the first layer is patched. If you need more patching after the first layer is unpacked, you have to keep checking the program's memory. After the final patch, you can detach DeviceIoControl. Code:
// dllmain.cpp : Defines the entry point for the DLL application.
Quote:
This is my loader in Delphi (some functions are in my programming library, but I think you understand). Code:
function Loader_PEFile(FName: string; FCRC32: string; pbyte: array of Byte; quygia128
Quote:
pch.h, detours.h and the programming IDE and compiler. Thanks.
How do I use this?
https://github.com/GautamGreat/LoaderEngine Please give an example.
Quote:
Code:
program Project1;
Please send the following files as well:
pch.h, detours.h and the programming IDE and compiler. Thanks.
Try MS Visual Studio.
I will compile it in Visual Studio 2012,
but it produced an error: error C1083: Cannot open include file: 'pch.h': No such file or directory. Please help me compile it. Thanks.
Comment it out and configure your project not to use precompiled headers.
Hope this helps.