  #1  
Old 09-18-2021, 23:09
YANiS YANiS is offline
Tiny Basic Downloader Builder (Proof of Concept)

PHP Code:
/*
    MSVC
    Tiny Basic Downloader Builder (Proof of Concept)
    by YANiS

    This code snippet is provided 'as is' without warranty of any kind.
    No malicious uses are allowed.
*/

#include <windows.h>
#include "resource.h"

/*
 * Dialog procedure for the builder window.
 *
 * WM_CLOSE ends the dialog. WM_INITDIALOG sets the caption, sends
 * EM_LIMITTEXT to both edit controls and focuses the URL field.
 * WM_COMMAND / IDB_BUILD reads "stub.bin" into memory, copies the URL and
 * path typed into the dialog to fixed offsets inside that image, and writes
 * the patched image out as "downloader.exe". Progress and errors are shown
 * in the IDC_STATUS control.
 *
 * Returns TRUE after WM_CLOSE, FALSE for WM_INITDIALOG and for everything
 * that reaches `default`, and 1 from each build error path.
 *
 * NOTE(review): this listing lost separators when the page was extracted
 * (for example `hwndUINT uMsgWPARAM`, `hwnd0`, `lpBuffer NULL`,
 * `lpBuffer 0x230`), so it does not compile as shown. The code is left
 * exactly as posted; the notes below read the damaged spots as dropped
 * `,`, `=` and `+` -- confirm against the attached source.
 */
BOOL CALLBACK DlgProc(HWND hwndUINT uMsgWPARAM wParam,LPARAM lParam) {

    // Two 50-byte stack buffers for the text of the URL and path edit controls.
    unsigned char url[50] = {0};
    unsigned char path[50] = {0};

    switch (uMsg) {
    case WM_CLOSE:
        EndDialog(hwnd0);
        break;

    case WM_INITDIALOG:
        SetWindowTextA(hwnd"Basic Downloader Builder (Proof of Concept)");
        // Presumably EM_LIMITTEXT with a limit of 50 and an lParam of 0; the
        // separators are lost, so the fused "500" is ambiguous -- confirm.
        SendDlgItemMessageA(hwndIDC_URLEM_LIMITTEXT500);
        SendDlgItemMessageA(hwndIDC_PATHEM_LIMITTEXT500);
        SetFocus(GetDlgItem(hwndIDC_URL));
        // FALSE because the focus was set explicitly by the SetFocus call above.
        return FALSE;

    case WM_COMMAND:
        switch(LOWORD(wParam)) {

        case IDB_BUILD:

            // Refuse to build when either field yields fewer than 5 characters.
            // NOTE(review): the size argument reads as 50+1 while url/path are
            // 50 bytes; if that reading is right, a 50-character entry places
            // its terminating NUL one byte past the end of the buffer -- confirm.
            if((GetDlgItemTextA(hwndIDC_URL, (LPSTR)url50+1) < 5) || (GetDlgItemTextA(hwndIDC_PATH, (LPSTR)path50+1) < 5) ) {
                SetWindowTextA(GetDlgItem(hwndIDC_STATUS), "Status: URL or PATH error!");
                return 1;
            }

            unsigned char *lpBuffer NULL;
            size_t fileSize 0;

            // Open the prebuilt stub image read-only; it must already exist
            // (relative name, so it is resolved against the current directory).
            HANDLE hFile CreateFileA("stub.bin",
                                     GENERIC_READ,
                                     FILE_SHARE_READ,
                                     NULL,
                                     OPEN_EXISTING,
                                     FILE_ATTRIBUTE_NORMAL,
                                     NULL);

            if (hFile == INVALID_HANDLE_VALUE) {
                SetWindowTextA(GetDlgItem(hwndIDC_STATUS), "Status: CreateFile error!");
                return 1;
            }

            // Only a size of 0 is treated as failure here; the API's
            // INVALID_FILE_SIZE error return is not checked.
            fileSize GetFileSize(hFile0);
            if (fileSize == 0) {
                SetWindowTextA(GetDlgItem(hwndIDC_STATUS), "Status: GetFileSize error!");

                CloseHandle(hFile);
                return 1;
            }

            // Read/write buffer sized to the whole stub file.
            // NOTE(review): no VirtualFree for lpBuffer appears anywhere in
            // this function, on success or on any error path.
            lpBuffer = (unsigned char *)VirtualAlloc(NULL,
                                                     fileSize,
                                                     MEM_COMMIT,
                                                     PAGE_READWRITE);

            if (lpBuffer == NULL) {
                SetWindowTextA(GetDlgItem(hwndIDC_STATUS), "Status: VirtualAlloc error!");
                CloseHandle(hFile);
                return 1;
            }

            // A short read (bytesRead != fileSize) is treated as failure.
            // NOTE(review): this error path returns without CloseHandle(hFile).
            DWORD bytesRead;
            if (!ReadFile(hFile,
                          lpBuffer,
                          fileSize,
                          &bytesRead,
                          NULL) || bytesRead != fileSize) {

                SetWindowTextA(GetDlgItem(hwndIDC_STATUS), "Status: ReadFile error!");
                return 1;
            }
            CloseHandle(hFile);

            // Copy both strings into the stub image at hard-coded offsets. The
            // offset pair is chosen at compile time by the builder's own
            // bitness (_WIN64), not by inspecting stub.bin.
            // NOTE(review): no check is visible that fileSize covers
            // offset + string length, so a stub smaller than expected would be
            // written out of bounds. A reply in this thread also points out
            // that fixed offsets are compiler- and linker-dependent.
#ifdef _WIN64
            strcpy((char*)(lpBuffer 0x230), (char*)url);  // for stub 64-bit
            strcpy((char*)(lpBuffer 0x268), (char*)path); // for stub 64-bit
#else
            strcpy((char*)(lpBuffer 0x218), (char*)url);  // for stub 32-bit
            strcpy((char*)(lpBuffer 0x24C), (char*)path); // for stub 32-bit
#endif

            // Create (or overwrite, CREATE_ALWAYS) the output file with no sharing.
            hFile CreateFileA("downloader.exe",
                              GENERIC_WRITE,
                              0,
                              NULL,
                              CREATE_ALWAYS,
                              FILE_ATTRIBUTE_NORMAL,
                              NULL);

            // The status text says "WriteFile" although the failing call is CreateFileA.
            if (hFile == INVALID_HANDLE_VALUE) {
                SetWindowTextA(GetDlgItem(hwndIDC_STATUS), "Status: WriteFile error!");
                return 1;
            }

            // The WriteFile result and bytesWritten are not checked before
            // "FINISHED" is reported.
            DWORD bytesWritten;
            WriteFile(hFile,
                      lpBuffer,
                      fileSize,
                      &bytesWritten,
                      NULL);

            CloseHandle(hFile);

            SetWindowTextA(GetDlgItem(hwndIDC_STATUS), "Status: FINISHED");
            break;
        }
    // No break after the inner switch: every WM_COMMAND continues into
    // default and returns FALSE.
    default:
        return FALSE;
    }
    return TRUE;
}

/*
 * Builder entry point: shows the IDD_BUILDER dialog modally with DlgProc as
 * its dialog procedure and returns 0 once the dialog has been closed. The
 * return value of DialogBoxParamA is not checked.
 *
 * NOTE(review): the closing brace of main is missing from the extracted
 * listing.
 */
int main() {
    DialogBoxParamA(GetModuleHandleA(NULL),
                    MAKEINTRESOURCE(IDD_BUILDER),
                    NULL,
                    (DLGPROC)DlgProc,
                    (LPARAM)NULL);
    return 0;

PHP Code:
/*
    MSVC
    Tiny Basic stub with markers
    by YANiS

    This code snippet is provided 'as is' without warranty of any kind.
    No malicious uses are allowed.
*/

#include <windows.h>
#include <urlmon.h>

/*
 * Fixed-width placeholder strings compiled into the stub. The builder posted
 * in this thread overwrites data at hard-coded offsets in stub.bin,
 * presumably where these two literals land -- confirm against the built stub.
 * Both appear sized to match the builder's 50-byte URL and path fields
 * (TODO confirm by counting). An unpatched stub still carries these bracketed
 * markers as plain strings.
 */
#define URL_MARKER            "[url_marker......................................]"
#define FILE_PATH_MARKER    "[file_marker.....................................]"

/*
 * Stub entry point: calls URLDownloadToFileA with the two marker strings as
 * the URL and the destination file name, then shows both strings in a message
 * box (URL_MARKER as the text, FILE_PATH_MARKER as the caption) and exits
 * with code 0.
 *
 * Nothing in this function opens or executes the downloaded file, and the
 * HRESULT returned by URLDownloadToFileA is ignored.
 *
 * Triage note: the URL and path are passed as plain string literals, so in a
 * stub built as shown they are readable with ordinary string extraction, and
 * the direct call presumably appears as a urlmon import -- confirm on the
 * binary.
 *
 * NOTE(review): the closing brace of main is missing from the extracted
 * listing.
 */
void main() {

    URLDownloadToFileA(NULL,                // LPUNKNOWN pCaller,
                       URL_MARKER,            // LPCSTR szURL,
                       FILE_PATH_MARKER,    // LPCSTR szFileName,
                       0,                    // DWORD dwReserved,
                       NULL);                // LPBINDSTATUSCALLBACK lpfnCB

    // Displays the embedded values: text = URL_MARKER, caption = FILE_PATH_MARKER.
    MessageBoxA(NULL,
                URL_MARKER,
                FILE_PATH_MARKER,
                MB_ICONINFORMATION);


    ExitProcess(0);

Source and binaries (X86, X64, arm32 and arm64) attached.
Attached Files
File Type: rar tiny_builder_stub_POC.rar (10.7 KB, 5 views)
  #2  
Old 09-20-2021, 09:08
chants chants is offline
This is not PHP code but C code. Also hardcoding the string locations is not really a good way to go as this will not be platform, compiler or linker independent. Win7 vs Win10, MSVC 14 vs 16, gcc vs MSVC, etc. One idea is to instead generate a symbol file e.g. PDB that contains the symbols with the string offsets, or at least search the file for the marker strings. 50 bytes for URL and path is ok for PoC but not practical.
  #3  
Old 09-20-2021, 17:49
YANiS YANiS is offline
Quote:
Originally Posted by chants View Post
This is not PHP code but C code. Also hardcoding the string locations is not really a good way to go as this will not be platform, compiler or linker independent. Win7 vs Win10, MSVC 14 vs 16, gcc vs MSVC, etc. One idea is to instead generate a symbol file e.g. PDB that contains the symbols with the string offsets, or at least search the file for the marker strings. 50 bytes for URL and path is ok for PoC but not practical.
The main purpose of this snippet is to build the smallest possible working binary with the MSVC compiler/linker (GUI - API).
It is also meant to produce clean assembly that is easy to trace and understand.
It's a very basic PoC, for learning purposes only.

YANiS.