
YANiS 09-18-2021 23:09

Tiny Basic Downloader Builder (Proof of Concept)
 
1 Attachment(s)
PHP Code:

/*
    MSVC
    Tiny Basic Downloader Builder (Proof of Concept)
    by YANiS

    This code snippet is provided 'as is' without warranty of any kind.
    No malicious uses are allowed.
*/

#include <windows.h>
#include "resource.h"

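/*
 * Layout of the two patch slots inside stub.bin.
 *
 * The offsets are the ones hard-coded by the original listing; they are only
 * valid for the exact stub binary they were measured on. The 0x34 / 0x38
 * spacing between the URL and PATH slots is consistent with a 50-character
 * marker plus its NUL terminator, padded to pointer alignment
 * (NOTE(review): inferred from the offsets, confirm against the stub build).
 */
enum {
    BUILDER_FIELD_MAX = 50,          /* max characters per field, excluding NUL */
#ifdef _WIN64
    BUILDER_URL_OFFSET  = 0x230,     /* for stub 64-bit */
    BUILDER_PATH_OFFSET = 0x268      /* for stub 64-bit */
#else
    BUILDER_URL_OFFSET  = 0x218,     /* for stub 32-bit */
    BUILDER_PATH_OFFSET = 0x24C      /* for stub 32-bit */
#endif
};

/*
 * Read stub.bin, overwrite the URL and PATH slots, and write the result to
 * downloader.exe in the current directory.
 *
 * url, path: NUL-terminated strings of at most BUILDER_FIELD_MAX characters.
 * status:    receives the text to show in the status control (never NULL on
 *            return).
 * Returns TRUE on success, FALSE on any failure. Every handle and the work
 * buffer are released on all paths.
 *
 * Analyst note: the strings are copied with strcpy(), so the bytes of the
 * original marker that follow the new terminator stay in the output file,
 * and the URL and path are stored as plaintext at fixed offsets.
 */
static BOOL BuildFromStub(const unsigned char *url,
                          const unsigned char *path,
                          const char **status)
{
    unsigned char *lpBuffer;
    HANDLE hFile;
    DWORD fileSize;
    DWORD bytesRead = 0;
    DWORD bytesWritten = 0;
    BOOL ok = FALSE;

    hFile = CreateFileA("stub.bin", GENERIC_READ, FILE_SHARE_READ, NULL,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        *status = "Status: CreateFile error!";
        return FALSE;
    }

    /* GetFileSize reports failure as INVALID_FILE_SIZE, not 0. */
    fileSize = GetFileSize(hFile, NULL);
    if (fileSize == 0 || fileSize == INVALID_FILE_SIZE) {
        *status = "Status: GetFileSize error!";
        CloseHandle(hFile);
        return FALSE;
    }

    lpBuffer = (unsigned char *)VirtualAlloc(NULL, fileSize, MEM_COMMIT,
                                             PAGE_READWRITE);
    if (lpBuffer == NULL) {
        *status = "Status: VirtualAlloc error!";
        CloseHandle(hFile);
        return FALSE;
    }

    if (!ReadFile(hFile, lpBuffer, fileSize, &bytesRead, NULL) ||
        bytesRead != fileSize) {
        *status = "Status: ReadFile error!";
        CloseHandle(hFile);          /* the original leaked the handle here */
        goto out;
    }
    CloseHandle(hFile);

    /*
     * Both slots must lie entirely inside the buffer before anything is
     * written; a truncated or different stub.bin would otherwise make the
     * strcpy() calls below write past the allocation.
     */
    if (fileSize < (DWORD)(BUILDER_URL_OFFSET + BUILDER_FIELD_MAX + 1) ||
        fileSize < (DWORD)(BUILDER_PATH_OFFSET + BUILDER_FIELD_MAX + 1)) {
        *status = "Status: stub.bin too small!";
        goto out;
    }

    /* Lengths are bounded by the caller to BUILDER_FIELD_MAX characters. */
    strcpy((char *)(lpBuffer + BUILDER_URL_OFFSET), (const char *)url);
    strcpy((char *)(lpBuffer + BUILDER_PATH_OFFSET), (const char *)path);

    hFile = CreateFileA("downloader.exe", GENERIC_WRITE, 0, NULL,
                        CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        /* The original reported this CreateFile failure as a WriteFile error. */
        *status = "Status: CreateFile error!";
        goto out;
    }

    /* A short or failed write would leave a corrupt output file behind. */
    if (!WriteFile(hFile, lpBuffer, fileSize, &bytesWritten, NULL) ||
        bytesWritten != fileSize) {
        *status = "Status: WriteFile error!";
        CloseHandle(hFile);
        goto out;
    }
    CloseHandle(hFile);

    *status = "Status: FINISHED";
    ok = TRUE;

out:
    VirtualFree(lpBuffer, 0, MEM_RELEASE);   /* never released in the original */
    return ok;
}

/*
 * Dialog procedure for the builder window.
 *
 * WM_INITDIALOG sets the caption, limits both edit controls to
 * BUILDER_FIELD_MAX characters and focuses the URL field.
 * WM_COMMAND / IDB_BUILD reads both fields (each must be at least 5
 * characters) and runs BuildFromStub(); the outcome is shown in IDC_STATUS.
 * WM_CLOSE ends the dialog.
 *
 * Return values follow the original listing: TRUE for WM_CLOSE, 1 when a
 * build attempt fails, FALSE otherwise.
 */
BOOL CALLBACK DlgProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) {

    /*
     * One extra byte for the terminator. The original used 50-byte buffers
     * while passing 50+1 as the size to GetDlgItemTextA, so a 50-character
     * entry wrote one byte past the end of the array.
     */
    unsigned char url[BUILDER_FIELD_MAX + 1] = {0};
    unsigned char path[BUILDER_FIELD_MAX + 1] = {0};

    (void)lParam;

    switch (uMsg) {
    case WM_CLOSE:
        EndDialog(hwnd, 0);
        break;

    case WM_INITDIALOG:
        SetWindowTextA(hwnd, "Basic Downloader Builder (Proof of Concept)");
        SendDlgItemMessageA(hwnd, IDC_URL, EM_LIMITTEXT, BUILDER_FIELD_MAX, 0);
        SendDlgItemMessageA(hwnd, IDC_PATH, EM_LIMITTEXT, BUILDER_FIELD_MAX, 0);
        SetFocus(GetDlgItem(hwnd, IDC_URL));
        return FALSE;   /* focus was set explicitly above */

    case WM_COMMAND:
        switch (LOWORD(wParam)) {

        case IDB_BUILD: {
            const char *status = NULL;
            BOOL built;

            if ((GetDlgItemTextA(hwnd, IDC_URL, (LPSTR)url, sizeof url) < 5) ||
                (GetDlgItemTextA(hwnd, IDC_PATH, (LPSTR)path, sizeof path) < 5)) {
                SetWindowTextA(GetDlgItem(hwnd, IDC_STATUS),
                               "Status: URL or PATH error!");
                return 1;
            }

            built = BuildFromStub(url, path, &status);
            SetWindowTextA(GetDlgItem(hwnd, IDC_STATUS), status);
            if (!built) {
                return 1;
            }
            break;
        }
        }
        /* The original fell through into default here; keep that result. */
        return FALSE;

    default:
        return FALSE;
    }
    return TRUE;
}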

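/*
 * Builder entry point: shows the IDD_BUILDER dialog modally with DlgProc as
 * its procedure and exits when the dialog is closed.
 *
 * MAKEINTRESOURCEA is used so the resource argument matches the ANSI
 * DialogBoxParamA call even when UNICODE is defined; the original used the
 * generic MAKEINTRESOURCE. The closing brace was missing from the listing and
 * is restored here.
 */
int main() {
    DialogBoxParamA(GetModuleHandleA(NULL),
                    MAKEINTRESOURCEA(IDD_BUILDER),
                    NULL,
                    (DLGPROC)DlgProc,   /* DlgProc is declared BOOL CALLBACK, hence the cast */
                    (LPARAM)0);
    return 0;
}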


PHP Code:

/*
    MSVC
    Tiny Basic stub with markers
    by YANiS

    This code snippet is provided 'as is' without warranty of any kind.
    No malicious uses are allowed.
*/

#include <windows.h>
#include <urlmon.h>

#define URL_MARKER            "[url_marker......................................]"
#define FILE_PATH_MARKER    "[file_marker.....................................]"

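/*
 * Stub entry point.
 *
 * URL_MARKER and FILE_PATH_MARKER are fixed-width placeholder literals; the
 * builder listing on this page overwrites them in the compiled binary at
 * hard-coded file offsets. The stub passes them to URLDownloadToFileA and
 * then shows a message box with the URL as text and the file path as caption.
 *
 * The HRESULT from URLDownloadToFileA is discarded, so the message box
 * appears whether or not the transfer succeeded. The stub only saves the
 * file; nothing in this listing opens or runs it.
 *
 * Analyst note: the binary links urlmon and carries the URL and destination
 * path as plaintext strings, both of which are visible to static inspection.
 *
 * The closing brace was missing from the listing and is restored here.
 */
void main() {

    URLDownloadToFileA(NULL,                // LPUNKNOWN pCaller,
                       URL_MARKER,          // LPCSTR szURL,
                       FILE_PATH_MARKER,    // LPCSTR szFileName,
                       0,                   // DWORD dwReserved,
                       NULL);               // LPBINDSTATUSCALLBACK lpfnCB

    MessageBoxA(NULL,
                URL_MARKER,
                FILE_PATH_MARKER,
                MB_ICONINFORMATION);

    ExitProcess(0);
}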


Source and binaries (X86, X64, arm32 and arm64) attached.

chants 09-20-2021 09:08

This is not PHP code but C code. Also hardcoding the string locations is not really a good way to go as this will not be platform, compiler or linker independent. Win7 vs Win10, MSVC 14 vs 16, gcc vs MSVC, etc. One idea is to instead generate a symbol file e.g. PDB that contains the symbols with the string offsets, or at least search the file for the marker strings. 50 bytes for URL and path is ok for PoC but not practical.

YANiS 09-20-2021 17:49

Quote:

Originally Posted by chants (Post 123759)
This is not PHP code but C code. Also hardcoding the string locations is not really a good way to go as this will not be platform, compiler or linker independent. Win7 vs Win10, MSVC 14 vs 16, gcc vs MSVC, etc. One idea is to instead generate a symbol file e.g. PDB that contains the symbols with the string offsets, or at least search the file for the marker strings. 50 bytes for URL and path is ok for PoC but not practical.

The main purpose of this snippet is to build the smallest possible working binary with the MSVC compiler/linker (GUI - API).
It also aims to produce clean assembly that is easy to trace and understand!
It's a very basic PoC for learning purposes only.

YANiS.

