[VB6] HackHound.org PE Toolbox v0.1 [SRC]


20 replies to this topic

#1 NiTrOwow

NiTrOwow

    |MZ|(•̪̀●́)=ε/̵͇̿̿/'̿̿ ̿ ̿̿

  • Administrators
  • Reputation: 332
    Very Good
  • 832 posts
Contributor

Posted 22 December 2012 - 12:56 AM


•Credits: me, ZeR0/0cm4n icon & clone module and un4seen for Bass lib and vb wrapper
•Date: 22-12-2012
•Purpose: Clone file header information, change icon, filepumper. Cloning files


Note: cloning the file size of an exe only works with PEs that are bigger in size than the selected PE that you want to change.
Size must be below 2MB. Icons are fine in a lot of sizes, 32x32 up to 256x256 I believe.




#2 Dante

Dante

    Intermediate Member

  • Notorious
  • Reputation: 107
    Very Good
  • 186 posts
Contributor

Posted 22 December 2012 - 04:22 AM

That's f~€\%g awesome.
Promise to take a look at it.

“The path to paradise begins in hell.” ― Dante Alighieri


#3 http-nuke

http-nuke

    Intermediate Member

  • Associate
  • Reputation: 119
    Very Good
  • 180 posts
Contributor

Posted 22 December 2012 - 05:41 AM

damn nice one bro :)
+ the whole code is well organized ;)
There are 10 types of people in this world, those who understand binary and those who don't.

#4 NiTrOwow

NiTrOwow

    |MZ|(•̪̀●́)=ε/̵͇̿̿/'̿̿ ̿ ̿̿

  • Administrators
  • Reputation: 332
    Very Good
  • 832 posts
Contributor

Posted 22 December 2012 - 11:04 AM

damn nice one bro :)
+ the whole code is well organized ;)


Could be better but I don't care, the stuff works, haha..
I also released the source to prevent people from saying OMG it is detected as a Tr.Dropper.vb.Gen !?! Because it opens a binary file and adds lots of nulls at EOF etc. It also drops the bass lib and the xm music file @ app path. Because I don't want to drop shit in %temp% or something else so people don't think it is backdoored.
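
The null padding at end of file described in the post above is straightforward to measure when triaging a sample. The following is an added example, not part of the thread or of the toolbox source; `looks_pumped`, its thresholds and the constructed `build_sample` bytes are assumptions for illustration.

```python
import struct

def overlay_info(data: bytes):
    """Return (end_of_sections, overlay_size, zero_fraction) for a PE file's bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size                            # first section header
    end = table + 40 * n_sections                         # headers are the minimum extent
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:                                      # ignore sections with no file data
            end = max(end, raw_ptr + raw_size)
    overlay = data[end:]
    zeros = overlay.count(0) / len(overlay) if overlay else 0.0
    return end, len(overlay), zeros

def looks_pumped(data: bytes, min_pad: int = 1024, min_zero: float = 0.99) -> bool:
    """Hypothetical heuristic: a large overlay that is almost entirely null bytes.
    A signed file's certificate table also sits past the last section, but it is
    not zero-filled, so the zero-fraction test keeps it from matching."""
    _, size, zeros = overlay_info(data)
    return size >= min_pad and zeros >= min_zero

def build_sample(pad: int) -> bytes:
    """Constructed PE layout (headers plus one 512-byte section); not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + coff + b"\0" * 0xE0 + sect
    return headers.ljust(0x200, b"\0") + b"\xCC" * 0x200 + b"\0" * pad

if __name__ == "__main__":
    for pad in (0, 1 << 20):
        sample = build_sample(pad)
        print(pad, overlay_info(sample), looks_pumped(sample))
```
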

#5 http-nuke

http-nuke

    Intermediate Member

  • Associate
  • Reputation: 119
    Very Good
  • 180 posts
Contributor

Posted 22 December 2012 - 07:29 PM

heheheh
but good point, but I think who's gonna be looking for these types of source code must know something about it... dropping files, false alarms...etc.
There are 10 types of people in this world, those who understand binary and those who don't.

#6 NiTrOwow

NiTrOwow

    |MZ|(•̪̀●́)=ε/̵͇̿̿/'̿̿ ̿ ̿̿

  • Administrators
  • Reputation: 332
    Very Good
  • 832 posts
Contributor

Posted 22 December 2012 - 09:15 PM

heheheh
but good point, but I think who's gonna be looking for these types of source code must know something about it... dropping files, false alarms...etc.


Nah kids download them and they get a warning from their anti-virus engine. Trojan dropper found. And the other things that happen after that are clear..

#7 http-nuke

http-nuke

    Intermediate Member

  • Associate
  • Reputation: 119
    Very Good
  • 180 posts
Contributor

Posted 22 December 2012 - 09:28 PM

heh you're right
just like this one

Please Login or Register to see this Hidden Content


after uploading the source files >> detected,detected,detected,detected...thanks for explaining anyway :)
There are 10 types of people in this world, those who understand binary and those who don't.

#8 NiTrOwow

NiTrOwow

    |MZ|(•̪̀●́)=ε/̵͇̿̿/'̿̿ ̿ ̿̿

  • Administrators
  • Reputation: 332
    Very Good
  • 832 posts
Contributor

Posted 23 December 2012 - 11:41 AM

heh you're right
just like this one

Please Login or Register to see this Hidden Content


after uploading the source files >> detected,detected,detected,detected...thanks for explaining anyway :)

Yup. That's what I mean. And if they can't even compile it then it's their problem.

#9 Hess

Hess

    Advanced Member

  • Associate
  • Reputation: 96
    Good
  • 416 posts
  • LocationBelgrade
Contributor

Posted 02 May 2013 - 09:49 AM

Good thing indeed, compiled by myself and it's okay. :) One good thing: The bigger source - smaller executable! :)



#10 Hess

Hess

    Advanced Member

  • Associate
  • Reputation: 96
    Good
  • 416 posts
  • LocationBelgrade
Contributor

Posted 05 May 2013 - 01:39 AM

I haven't seen a file cloner for a long time; as for kids, it is impossible to get rid of them. Also %temp% could make even, let's say, average users start thinking about a backdoor inside, so app path is the best solution. :)



#11 NiTrOwow

NiTrOwow

    |MZ|(•̪̀●́)=ε/̵͇̿̿/'̿̿ ̿ ̿̿

  • Administrators
  • Reputation: 332
    Very Good
  • 832 posts
Contributor

Posted 05 May 2013 - 10:44 AM

I haven't seen a file cloner for a long time; as for kids, it is impossible to get rid of them. Also %temp% could make even, let's say, average users start thinking about a backdoor inside, so app path is the best solution. :)


Indeed that's why I used app.path. So that it won't look suspicious to people.

#12 d3m

d3m

    Intermediate Member

  • Collaborator
  • Reputation: 80
    Good
  • 157 posts

Posted 05 May 2013 - 09:31 PM

What a pity that the code is in VB, I left this language a long time ago =)

Let's rewrite it to pascal\cpp and it must be opensource.



#13 Hess

Hess

    Advanced Member

  • Associate
  • Reputation: 96
    Good
  • 416 posts
  • LocationBelgrade
Contributor

Posted 06 May 2013 - 01:28 AM

Embarcadero Delphi XE.x and Visual C++ could be a good solution?



#14 d3m

d3m

    Intermediate Member

  • Collaborator
  • Reputation: 80
    Good
  • 157 posts

Posted 06 May 2013 - 09:54 AM

Hess

Even delphi 7 and VC6++ will be a good solution...



#15 NiTrOwow

NiTrOwow

    |MZ|(•̪̀●́)=ε/̵͇̿̿/'̿̿ ̿ ̿̿

  • Administrators
  • Reputation: 332
    Very Good
  • 832 posts
Contributor

Posted 06 May 2013 - 06:54 PM

Hess
Even delphi 7 and VC6++ will be a good solution...


Indeed. I think I will try VC6+ some time. I mean you can do much more with it than crappy VB6.

#16 d3m

d3m

    Intermediate Member

  • Collaborator
  • Reputation: 80
    Good
  • 157 posts

Posted 06 May 2013 - 10:45 PM

Anyway in delphi it can be done too... with more abilities



#17 NiTrOwow

NiTrOwow

    |MZ|(•̪̀●́)=ε/̵͇̿̿/'̿̿ ̿ ̿̿

  • Administrators
  • Reputation: 332
    Very Good
  • 832 posts
Contributor

Posted 07 May 2013 - 05:05 PM

Anyway in delphi it can be done too... with more abilities



I didn't know. Really never tried Delphi. I want to learn C++ first and then I'll look into Delphi etc.
Because VB6 is limited till the bone.

#18 Hess

Hess

    Advanced Member

  • Associate
  • Reputation: 96
    Good
  • 416 posts
  • LocationBelgrade
Contributor

Posted 09 May 2013 - 08:52 PM

I did, I learned Pascal in high school and Pascal is actually the core of Delphi. :) But there is one stupid thing: I cannot get rid of the Delphi runtimes from code and executable; from 8.2 kb source, I got a 1.58 mb exe. :S If I could obtain an old Pascal compiler somewhere, the Delphi part would be pruned and the exe would be even smaller than the source code. :S



#19 Ravage

Ravage

    Advanced Member

  • Administrators
  • Reputation: 340
    Very Good
  • 472 posts

Posted 10 May 2013 - 05:05 AM

1.5Mb???
What compiler are you using?

#20 Mephisto

Mephisto

    Beginner

  • Members
  • Reputation: 8
    Neutral
  • 21 posts

Posted 10 May 2013 - 03:10 PM

Do some googling, there was something like Delphi 2007 Express Edition or something, where the Express removed the Classes.pas and Windows.pas or something.

 

Anyway 1.5MB is quite a lot, I got around 500kB at least. What libs are you using? Try to minimize the usage of "use".

Read what dynamic importing using GetProcAddress is. Static importing will do the trick too, however.

Try to exclude Windows.pas and simply copy out the defines and then load only the necessary things by "import 'user32.dll'", I don't remember the exact syntax, tho.

Also the Classes is nice to have TMemoryStream etc, but if it is for Malware Coding: Copy it out, Do it your own or use Array of Byte.