FASM.
Написал пару программ полезных, чтобы новички изучали и добавляли что-то от себя.
PE-парсер.
Парсит информацию из:
1. DOS HEADER
2. FILE HEADER
3. OPTIONAL HEADER
4. DATA DIRECTORIES
5. Все секции
6. Импортированные .dll и библиотеки в программу
7. Информация касаемо BeingDebugged.
--
Получение информации про PC через PEB.
Программа получает информацию о PC напрямую из PEB, минуя Win32 API-вызовы для сбора данных, а также выводит путь до определённой папки через переменную окружения APPDATA (можно заменить). Сам путь только печатается — никакие файлы не открываются и не читаются.
--
DEP-Checker
Получает список процессов с их PID через Nt функции и выводит информацию касаемо DEP.
--
Process Inspector
Выводит информацию про ImageBase/SizeOfImage и импортируемые .dll (читаются из таблицы импорта образа, а не из списка загруженных модулей), получив информацию о всех процессах через Nt-функции.
Написал пару программ полезных, чтобы новички изучали и добавляли что-то от себя.
PE-парсер.
Парсит информацию из:
1. DOS HEADER
2. FILE HEADER
3. OPTIONAL HEADER
4. DATA DIRECTORIES
5. Все секции
6. Импортированные .dll и библиотеки в программу
7. Информация касаемо BeingDebugged.
ASM:
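; // AUTHOR KVANTOR815
; PE parser (Windows x64, FASM, Intel syntax, Microsoft x64 ABI).
; Parses the *loaded* image of this executable (GetModuleHandleA(NULL)) and
; prints: DOS header, file header, PE32+ optional header, export/import data
; directories, every section header, each imported DLL with the names (or
; ordinals) it imports, and PEB.BeingDebugged.
; The header offsets used in 'start' are the PE32+ layout; that is valid
; because the program only ever parses its own PE64 image.
format PE64 console
entry start
include 'win64a.inc'
section '.data' data readable writeable
information_s db "PE PARSER",10,0
; DOS header: e_magic (hex, then as the two bytes 'M','Z'), e_cp, e_lfanew
dos_format db '--- DOS HEADER ---', 10,\
'Magic: %X (%c%c)', 10,\
'e_cp: %d', 10,\
'e_lfanew: 0x%X', 10, 0
lin db "---------------------------",10,0
; IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp
file_format db '--- FILE HEADER ---', 10,\
'Machine: 0x%X', 10,\
'Sections: %d', 10,\
'TimeDateStamp: 0x%X', 10, 0
; IMAGE_OPTIONAL_HEADER64: AddressOfEntryPoint, ImageBase (64-bit, %llX),
; SizeOfImage
opt_format db '--- OPTIONAL HEADER ---', 10,\
'Entry Point: 0x%X', 10,\
'Image Base: 0x%llX', 10,\
'Size of Image: 0x%X', 10, 0
; DataDirectory[0] (export) and [1] (import): VirtualAddress, Size
dir_format db '--- DATA DIRECTORIES ---', 10,\
'Export Table RVA: 0x%X (Size: 0x%X)', 10,\
'Import Table RVA: 0x%X (Size: 0x%X)', 10, 0
; IMAGE_SECTION_HEADER: 1-based index, Name (8 bytes, not necessarily
; NUL-terminated, hence %.8s), VirtualAddress, PointerToRawData
sec_format db '--- SECTION [%d] ---', 10,\
'Name: %.8s', 10,\
'VAddress: 0x%X', 10,\
'RawOffset: 0x%X', 10, 0
dll_format db 'Imported DLL: %s', 10, 0
; printed label fixed (was "Funcion")
func_format db ' |-- Function: %s', 10, 0
; intended for thunks that import by ordinal (IMAGE_ORDINAL_FLAG64 set)
ord_format db ' |-- Ordinal: %d', 10, 0
peb_format db '--- PEB DEBUGG ---', 10,\
'BeingDebugged: %d', 10, 0
hMod dq 0                       ; image base returned by GetModuleHandleA(NULL)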
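section '.text' code readable executable

;-----------------------------------------------------------------------
; start - program entry point. It never returns: every path ends in
;         exit_program -> ExitProcess.
; ABI:   Microsoft x64. Entry rsp is 16n+8; 'sub rsp,48h' makes it 16-aligned
;        and provides 32 bytes of shadow space plus two stack-argument slots
;        ([rsp+32], [rsp+40]) for the printf calls with 5-6 arguments.
;        No further stack adjustment is needed before any call below.
; Registers that stay live across printf/_getch (all callee-saved, so the
; CRT preserves them; they are never restored because the entry point
; exits the process instead of returning):
;   rbx = IMAGE_DOS_HEADER base, later IMAGE_NT_HEADERS base
;   rsi = sections remaining           r12 = current IMAGE_SECTION_HEADER
;   r13 = 1-based section index        r14 = current IMAGE_IMPORT_DESCRIPTOR
;   r15 = current IMAGE_THUNK_DATA64
; All RVAs are resolved against the mapped image ([hMod] + RVA).
;-----------------------------------------------------------------------
start:
        sub     rsp, 48h
        lea     rcx, [information_s]
        call    [printf]
        call    [_getch]

        ; hMod = GetModuleHandleA(NULL) = base of our own image = IMAGE_DOS_HEADER
        xor     ecx, ecx
        call    [GetModuleHandleA]
        mov     [hMod], rax
        cmp     word [rax], 0x5A4D      ; e_magic must be 'MZ'
        jne     exit_program
        mov     rbx, rax

        ; --- DOS header: printf(dos_format, e_magic, 'M', 'Z', e_cp, e_lfanew)
        lea     rcx, [dos_format]
        movzx   rdx, word [rbx]         ; e_magic
        mov     r8, rdx
        and     r8, 0xFF                ; low byte  -> 'M'
        mov     r9, rdx
        shr     r9, 8                   ; high byte -> 'Z'
        movzx   rax, word [rbx + 0x04]  ; e_cp
        mov     [rsp + 32], rax         ; 5th argument
        mov     eax, dword [rbx + 0x3C] ; e_lfanew
        mov     [rsp + 40], rax         ; 6th argument
        call    [printf]
        lea     rcx, [lin]
        call    [printf]

        ; --- IMAGE_NT_HEADERS = base + e_lfanew; check the 'PE\0\0' signature
        mov     eax, dword [rbx + 0x3C]
        add     rbx, rax
        cmp     dword [rbx], 0x00004550
        jne     exit_program

        ; --- IMAGE_FILE_HEADER (NT+4): Machine, NumberOfSections, TimeDateStamp
        movzx   rdx, word [rbx+4]
        movzx   r8, word [rbx+6]
        mov     r9d, dword [rbx+8]
        lea     rcx, [file_format]
        call    [printf]
        call    [_getch]
        lea     rcx, [lin]
        call    [printf]

        ; --- IMAGE_OPTIONAL_HEADER64 (NT+24), PE32+ layout:
        ;     AddressOfEntryPoint NT+40, ImageBase NT+48 (8 bytes), SizeOfImage NT+80
        mov     edx, dword [rbx+40]
        mov     r8, qword [rbx+48]
        mov     r9d, dword [rbx+80]
        lea     rcx, [opt_format]
        call    [printf]
        call    [_getch]
        lea     rcx, [lin]
        call    [printf]

        ; --- DataDirectory starts at NT+136 (PE32+): [0] export, [1] import
        mov     edx, dword [rbx+136]        ; export RVA
        mov     r8d, dword [rbx+136+4]      ; export size
        mov     r9d, dword [rbx+144]        ; import RVA
        mov     eax, dword [rbx+144+4]      ; import size
        mov     [rsp+32], rax               ; 5th argument
        lea     rcx, [dir_format]
        call    [printf]
        call    [_getch]
        lea     rcx, [lin]
        call    [printf]

        ; --- section table: the first IMAGE_SECTION_HEADER follows the optional
        ;     header (NT+24+SizeOfOptionalHeader); entries are 40 bytes each.
        movzx   rsi, word [rbx + 6]         ; NumberOfSections
        movzx   rax, word [rbx + 20]        ; SizeOfOptionalHeader
        lea     r12, [rbx + 24]
        add     r12, rax
        xor     r13, r13
        test    rsi, rsi                    ; guard the do-while loop: a zero
        jz      .sections_done              ; count would wrap rsi on 'dec'
.section_loop:
        inc     r13
        lea     rcx, [sec_format]
        mov     rdx, r13                    ; 1-based index
        mov     r8, r12                     ; Name (8 bytes, %.8s)
        mov     r9d, dword [r12 + 12]       ; VirtualAddress
        mov     eax, dword [r12 + 20]       ; PointerToRawData
        mov     [rsp + 32], rax             ; 5th argument
        call    [printf]
        call    [_getch]
        add     r12, 40                     ; sizeof(IMAGE_SECTION_HEADER)
        dec     rsi
        jnz     .section_loop
.sections_done:
        lea     rcx, [lin]
        call    [printf]

        ; --- import table: IMAGE_IMPORT_DESCRIPTOR entries (20 bytes) up to
        ;     the all-zero terminator (Name == 0)
        mov     eax, dword [rbx + 144]      ; import directory RVA
        test    eax, eax
        jz      .all_done
        mov     r14, [hMod]
        add     r14, rax
.dll_loop:
        mov     eax, dword [r14 + 12]       ; IMAGE_IMPORT_DESCRIPTOR.Name (RVA)
        test    eax, eax
        jz      .all_done
        lea     rcx, [dll_format]
        mov     rdx, [hMod]
        add     rdx, rax
        call    [printf]
        ; thunk array: OriginalFirstThunk (INT) when present, else FirstThunk (IAT)
        mov     eax, dword [r14]
        test    eax, eax
        jnz     .has_int
        mov     eax, dword [r14 + 16]
.has_int:
        mov     r15, [hMod]
        add     r15, rax
.next_function:
        mov     r11, [r15]                  ; IMAGE_THUNK_DATA64; 0 terminates
        test    r11, r11
        jz      .skip_to_next_dll
        js      .by_ordinal                 ; bit 63 = IMAGE_ORDINAL_FLAG64
        add     r11, [hMod]
        add     r11, 2                      ; IMAGE_IMPORT_BY_NAME.Name
        lea     rcx, [func_format]
        mov     rdx, r11
        call    [printf]
        jmp     .thunk_done
.by_ordinal:
        lea     rcx, [ord_format]
        movzx   edx, r11w                   ; ordinal = low 16 bits
        call    [printf]
.thunk_done:
        add     r15, 8                      ; sizeof(IMAGE_THUNK_DATA64)
        jmp     .next_function
.skip_to_next_dll:
        call    [_getch]
        add     r14, 20                     ; sizeof(IMAGE_IMPORT_DESCRIPTOR)
        jmp     .dll_loop
.all_done:
        call    DEBUGGED
        jmp     exit_program                ; must not fall through into DEBUGGED:
                                            ; that printed it twice and then
                                            ; executed 'ret' with no return address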
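;-----------------------------------------------------------------------
; DEBUGGED - print PEB.BeingDebugged of the current process.
; Reads the PEB through the TEB (gs:[60h] on x64) instead of calling
; IsDebuggerPresent; BeingDebugged is the byte at PEB+2.
; In:    nothing.  Out: nothing.
; Clobb: rax, rcx, rdx plus whatever printf/_getch clobber (volatile only).
;        rbx is no longer touched (the original overwrote this callee-saved
;        register without saving it).
; Stack: the caller's rsp is 16-aligned, so rsp is 16n+8 on entry;
;        'sub rsp,28h' restores alignment at the calls and provides the
;        32-byte shadow space the Microsoft x64 ABI requires.
;-----------------------------------------------------------------------
DEBUGGED:
        sub     rsp, 28h
        lea     rcx, [lin]
        call    [printf]
        mov     rax, [gs:60h]               ; TEB.ProcessEnvironmentBlock
        movzx   edx, byte [rax+0x02]        ; PEB.BeingDebugged, zero-extended
        lea     rcx, [peb_format]
        call    [printf]
        call    [_getch]
        add     rsp, 28h
        ret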
;-----------------------------------------------------------------------
; exit_program - common exit path: wait for a key press, then
;                ExitProcess(0). Reached on a failed header check and at
;                the end of a normal run.
;-----------------------------------------------------------------------
exit_program:
        call    [_getch]
        xor     ecx, ecx                    ; uExitCode = 0 (32-bit write zero-extends rcx)
        call    [ExitProcess]
; Import directory. GetModuleHandleA(NULL) supplies the image base that is
; parsed; printf/_getch come from msvcrt. printf is variadic, but on the
; Microsoft x64 ABI only the 32-byte shadow space is required (no 'al'
; vector-register count as on System V).
section '.idata' import data readable
library kernel32, 'KERNEL32.DLL',\
msvcrt, 'MSVCRT.DLL'
import kernel32,\
GetModuleHandleA, 'GetModuleHandleA',\
ExitProcess, 'ExitProcess'
import msvcrt,\
printf, 'printf',\
_getch, '_getch'
--
Получение информации про PC через PEB.
Программа получает информацию о PC напрямую из PEB, минуя Win32 API-вызовы для сбора данных, а также выводит путь до определённой папки через переменную окружения APPDATA (можно заменить). Сам путь только печатается — никакие файлы не открываются и не читаются.
ASM:
;// author KVANTOR815
; PEB information dump (Windows x64, FASM, Microsoft x64 ABI).
; Reads processor count, OS build number, the image's Machine field,
; COMPUTERNAME and APPDATA directly from the PEB, RTL_USER_PROCESS_PARAMETERS
; and the process environment block; peb_parse additionally resolves
; GetProcAddress by walking the loader list and kernel32's export table.
format PE64 console
entry start
include 'win64a.inc'
; MEMORYSTATUSEX (winbase.h), 64 bytes. Declared for GlobalMemoryStatusEx,
; which this program never calls, so the instance below stays unused.
struc MEMORYSTATUSEX {
dwLength dd ?
dwMemoryLoad dd ?
ullTotalPhys dq ?
ullAvailPhys dq ?
ullTotalPageFile dq ?
ullAvailPageFile dq ?
ullTotalVirtual dq ?
ullAvailVirtual dq ?
ullAvailExtendedVirtual dq ?
}
section '.data' data readable writeable
info db "-- information for pc and crypto-stealer PoC --", 10, 0
; NOTE(review): despite the banner text, nothing in this program touches a
; wallet: it only prints a path assembled from %APPDATA%. The import table
; contains no file, registry or network API (ExitProcess, printf, _getch).
infoPEB db '--- PEB Info ---', 10, \
'PEB Address: 0x%p', 10, \
'Processors Count: %d', 10, 0
infoOS db 'OS Build: %d', 10, 0  ; PEB.OSBuildNumber
infoARC db '--- Header Info ---', 10, \
'Machine ID: 0x%04X (8664 = x64, 014C = x86)', 10, 0
infoPC db 'Computer Name: %ls', 10, 0  ; %ls: environment strings are UTF-16
lin db "-------------crypto stealer-----------------", 10, 0
sGetProcAddr db 'GetProcAddress', 0  ; export name looked up by peb_parse
infoExodus db 'Exodus Path: %ls\Exodus\exodus.wallet', 10, 0  ; %ls = %APPDATA% value
; UTF-16 "APPDATA=" (16 bytes): the exact name prefix of the environment
; variable that 'start' searches for.
sAppData db 'A',0,'P',0,'P',0,'D',0,'A',0,'T',0,'A',0,'=',0
align 8
mem_status MEMORYSTATUSEX  ; never filled: GlobalMemoryStatusEx is not called
section '.bss' readable writeable
hKernel32 dq ?  ; kernel32 base found by peb_parse
_GetProcAddress dq ?  ; resolved by peb_parse; not used by the rest of the program
_GlobalMemoryStatusEx dq ?  ; never resolved or used
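section '.text' code readable executable

;-----------------------------------------------------------------------
; start - entry point. Never returns; both exits go through ExitProcess.
; ABI:   Microsoft x64. Entry rsp = 16n+8; 'sub rsp,28h' leaves it 16-aligned
;        with 32 bytes of shadow space (no call below takes more than 4 args).
; Registers live across calls (callee-saved; never restored because the
; entry point exits the process):
;   rsi = PEB   rbx = PEB.ImageBaseAddress   r12 = environment-block cursor
;   rdi = candidate "NAME=value" string
; Data sources (no Win32 query API is used for them):
;   PEB via TEB gs:[60h]; RTL_USER_PROCESS_PARAMETERS via PEB+20h; the
;   environment block via ProcessParameters+80h (a run of NUL-terminated
;   UTF-16 "NAME=value" strings ended by an empty string).
; Fixes vs. the original: NumberOfProcessors is read as the ULONG it is
; (a byte read truncated at 256 CPUs); OSBuildNumber is read as a USHORT
; (a dword read also pulled in OSCSDVersion at +122h); APPDATA is matched
; against the full "APPDATA=" constant instead of two sampled characters.
;-----------------------------------------------------------------------
start:
        sub     rsp, 28h
        call    peb_parse                   ; fills hKernel32/_GetProcAddress; result unused here
        lea     rcx, [info]
        call    [printf]
        call    [_getch]

        mov     rax, [gs:60h]               ; TEB.ProcessEnvironmentBlock
        mov     rsi, rax
        lea     rcx, [infoPEB]
        mov     rdx, rsi                    ; %p: PEB address
        mov     r8d, dword [rsi+0xB8]       ; PEB.NumberOfProcessors (ULONG)
        call    [printf]
        lea     rcx, [infoOS]
        movzx   edx, word [rsi+120h]        ; PEB.OSBuildNumber (USHORT)
        call    [printf]
        call    [_getch]

        ; Machine of our own image: PEB.ImageBaseAddress (+10h) -> e_lfanew
        ; -> IMAGE_FILE_HEADER.Machine at NT+4
        mov     rbx, [rsi+10h]
        mov     eax, dword [rbx+3Ch]
        add     rax, rbx
        movzx   rdx, word [rax+4]
        lea     rcx, [infoARC]
        call    [printf]
        call    [_getch]

        ; Environment block: PEB.ProcessParameters (+20h) -> .Environment (+80h)
        mov     rax, [rsi+20h]
        mov     r12, [rax+80h]
        ; Loose match for "COMPUTERNAME=" (13 UTF-16 units): only the first
        ; character, the 12th character and the '=' at index 12 are compared,
        ; so another 12-character name starting with 'C' and ending in 'E'
        ; would be accepted as well.
find_pc:
        mov     rdi, r12
        cmp     word [rdi], 'C'
        jne     next_str
        cmp     word [rdi+22], 'E'
        jne     next_str
        cmp     word [rdi+24], '='
        je      PC_name_found
next_str:
        mov     ax, [r12]                   ; advance past this string's NUL
        add     r12, 2
        test    ax, ax
        jnz     next_str
        cmp     word [r12], 0               ; empty string ends the block
        je      print_lin
        jmp     find_pc
PC_name_found:
        add     rdi, 26                     ; skip "COMPUTERNAME=" (13 * 2 bytes)
        lea     rcx, [infoPC]
        mov     rdx, rdi
        call    [printf]
print_lin:
        lea     rcx, [lin]
        call    [printf]
        call    [_getch]

        ; ------------ %APPDATA%\Exodus\exodus.wallet path
        ; Only the path string is printed; no file is opened or read.
        ; The variable name is compared exactly (16 bytes, case-sensitive)
        ; against sAppData = UTF-16 "APPDATA=".
        mov     rax, [rsi+20h]
        mov     r12, [rax+80h]
find_appdata:
        mov     rdi, r12
        mov     rax, qword [sAppData]
        cmp     qword [rdi], rax
        jne     .next_env
        mov     rax, qword [sAppData+8]
        cmp     qword [rdi+8], rax
        je      .appdata_found
.next_env:
        mov     ax, [r12]
        add     r12, 2
        test    ax, ax
        jnz     .next_env
        cmp     word [r12], 0
        je      .exit_search
        jmp     find_appdata
.appdata_found:
        add     rdi, 16                     ; value starts after "APPDATA="
        lea     rcx, [infoExodus]
        mov     rdx, rdi
        call    [printf]
        call    [_getch]
.exit_search:
        xor     ecx, ecx
        call    [ExitProcess]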
;-----------------------------------------------------------------------
; peb_parse - locate kernel32.dll and its GetProcAddress without imports.
; Walk: TEB gs:[60h] -> PEB -> PEB.Ldr (+18h) -> InMemoryOrderModuleList
;       (+20h) -> 2nd link -> 3rd link; DllBase is at +20h of an
;       InMemoryOrder link (LDR_DATA_TABLE_ENTRY.DllBase - 10h).
; ASSUMPTION (not checked here, BaseDllName is never compared): the third
;       in-memory-order module is kernel32.dll (exe, ntdll, kernel32). That is
;       the usual order for a normal process - confirm before reusing.
; The export directory of that module (PE32+ DataDirectory[0] at NT+88h) is
; then scanned by name for "GetProcAddress"; the matching name ordinal
; indexes AddressOfFunctions. Export forwarders are not handled.
; In:    nothing
; Out:   rax = address of GetProcAddress, or 0 when the name is not found
;        [hKernel32] = module base; [_GetProcAddress] = rax on success
;        (left untouched on failure)
; Clobb: rax, rcx, rdx, r8-r11, flags. rbx/rdi/rsi/r12 are saved/restored.
; Stack: makes no calls, so alignment is irrelevant inside.
;-----------------------------------------------------------------------
peb_parse:
push rbx
push rdi
push rsi
push r12
mov rax, [gs:60h]  ; PEB
mov rax, [rax + 18h]  ; PEB.Ldr
mov rax, [rax + 20h]  ; Ldr.InMemoryOrderModuleList.Flink (1st: this exe)
mov rax, [rax]  ; 2nd link (ntdll.dll)
mov rax, [rax]  ; 3rd link (kernel32.dll - see ASSUMPTION above)
mov rbx, [rax + 20h]  ; DllBase
mov [hKernel32], rbx
mov edi, [rbx + 3Ch]  ; e_lfanew
add rdi, rbx  ; IMAGE_NT_HEADERS
mov eax, [rdi + 88h]  ; export directory RVA (PE32+ DataDirectory[0])
add rax, rbx
mov r12, rax  ; IMAGE_EXPORT_DIRECTORY
mov ecx, [r12 + 18h]  ; NumberOfNames
mov r8d, [r12 + 20h]  ; AddressOfNames (array of RVAs)
add r8, rbx
xor r9, r9  ; r9 = name index
.find_name_loop:
cmp r9, rcx  ; unsigned: index < NumberOfNames
jae .not_found
mov edi, [r8 + r9*4]
add rdi, rbx  ; rdi = exported name (ASCIIZ)
lea rsi, [sGetProcAddr]
push rdi  ; the compare loop advances rdi/rsi; keep the starts
push rsi
.compare:  ; inline strcmp: stop at the first mismatch
mov dl, [rdi]
mov al, [rsi]
cmp dl, al
jne .next_name
test dl, dl  ; equal NULs -> whole name matched
jz .found
inc rdi
inc rsi
jmp .compare
.next_name:
pop rsi
pop rdi
inc r9
jmp .find_name_loop
.found:
pop rsi
pop rdi
mov r10d, [r12 + 24h]  ; AddressOfNameOrdinals
add r10, rbx
movzx r11d, word [r10 + r9*2]  ; ordinal for name index r9
mov r10d, [r12 + 1Ch]  ; AddressOfFunctions
add r10, rbx
mov eax, [r10 + r11*4]  ; function RVA
add rax, rbx
mov [_GetProcAddress], rax
jmp end_proc
.not_found:
xor rax, rax  ; return 0; _GetProcAddress is left as is
end_proc:
pop r12
pop rsi
pop rdi
pop rbx
ret
; Imports. The data gathering itself uses no Win32 query API (PEB, process
; parameters and the environment block are read directly); only output and
; process exit go through imported functions.
section '.idata' import data readable
library kernel32, 'KERNEL32.DLL',\
msvcrt, 'MSVCRT.DLL'
import kernel32,\
ExitProcess,'ExitProcess'
import msvcrt,\
printf, 'printf',\
_getch, '_getch'
--
DEP-Checker
Получает список процессов с их PID через Nt функции и выводит информацию касаемо DEP.
ASM:
; // author KVANTOR815
; DEP checker (Windows x64, FASM, Microsoft x64 ABI): enumerates processes
; through NtQuerySystemInformation(SystemProcessInformation) and reports
; GetProcessDEPPolicy for every process that OpenProcess can open.
format PE64 console
entry start
include 'win64a.inc'
; UNICODE_STRING as laid out on x64 (16 bytes): the explicit 4-byte pad
; keeps Buffer 8-aligned. Length/MaximumLength are byte counts.
struc UNICODE_STRING {
.Length dw ?
.MaximumLength dw ?
.Padding dd ?
.Buffer rq 1
}
; SYSTEM_PROCESS_INFORMATION, x64 layout. FASM inserts no implicit padding,
; so the two Reserved dwords model the compiler padding that keeps the
; 8-byte members aligned. Offsets as declared here: ImageName 38h
; (Buffer at 40h), BasePriority 48h, UniqueProcessId 50h, HandleCount 60h,
; SessionId 64h. The code uses NextEntryOffset, ImageName.Buffer and
; UniqueProcessId only.
struc SYSTEM_PROCESS_INFORMATION {
.NextEntryOffset dd ?  ; 0 in the last entry
.NumberOfThreads dd ?
.WorkingSetPrivateSize dq ?
.HardFaultCount dd ?
.NumberOfThreadsHighWatermark dd ?
.CycleTime dq ?
.CreateTime dq ?
.UserTime dq ?
.KernelTime dq ?
.ImageName UNICODE_STRING  ; Buffer may be NULL (e.g. the idle process)
.BasePriority dd ?
.Reserved dd ?  ; alignment pad
.UniqueProcessId rq 1  ; HANDLE-sized PID
.InheritedFromUniqueProcessId rq 1
.HandleCount dd ?
.SessionId dd ?
.UniqueProcessKey rq 1
.PeakVirtualSize rq 1
.VirtualSize rq 1
.PageFaultCount dd ?
.Reserved2 dd ?  ; alignment pad
.PeakWorkingSetSize rq 1
.WorkingSetSize rq 1
.QuotaPeakPagedPoolUsage rq 1
.QuotaPagedPoolUsage rq 1
.QuotaPeakNonPagedPoolUsage rq 1
.QuotaNonPagedPoolUsage rq 1
.PagefileUsage rq 1
.PeakPagefileUsage rq 1
.PrivatePageCount rq 1
.ReadOperationCount dq ?
.WriteOperationCount dq ?
.OtherOperationCount dq ?
.TransferCount dq ?
}
; Instantiate the struc at address 0 so that
; SYSTEM_PROCESS_INFORMATION.<field> evaluates to the field's offset.
virtual at 0
SYSTEM_PROCESS_INFORMATION SYSTEM_PROCESS_INFORMATION
end virtual
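section '.data' data readable writeable
INFO db "~~~~~~~~~ DEP checker v0.2 ~~~~~~~~~~~~", 10, 0
fmt_proc db "PID: %4d | Name: %ls", 10, 0
flagsses db " -> DEP = %d", 10, 0
; OpenProcess fails for more than protected (PPL) processes: other users'
; processes without SeDebugPrivilege, System (PID 4), etc. The message
; therefore names the PID and lists the usual causes instead of asserting PPL.
errors db " -> OpenProcess failed for PID %d (access denied, protected or system process)", 10, 0
errdep db " -> GetProcessDEPPolicy failed", 10, 0
errq db "NtQuerySystemInformation failed (status 0x%08X)", 10, 0
erralloc db "HeapAlloc failed", 10, 0
flagss dd 0                             ; DWORD written by GetProcessDEPPolicy (lpFlags)
perm dd 0                               ; BOOL written by GetProcessDEPPolicy (lpPermanent)
align 16
bytes_returned dd ?                     ; ReturnLength from NtQuerySystemInformation
heap_handle dq ?
buffer_ptr dq ?                         ; SYSTEM_PROCESS_INFORMATION list
section '.text' code readable executable

;-----------------------------------------------------------------------
; start - entry point; exits through ExitProcess.
; Flow: size query -> HeapAlloc -> NtQuerySystemInformation(5) -> for each
;       entry with a PID and an image name: OpenProcess, GetProcessDEPPolicy,
;       print PID, name and the DEP flag, CloseHandle.
; ABI:  Microsoft x64; entry rsp = 16n+8, 'sub rsp,58h' => 16-aligned with
;       shadow space. Callee-saved rsi/rbx/r12 are used without saving
;       because the entry point never returns.
; Registers: rsi = current SYSTEM_PROCESS_INFORMATION entry
;            r12 = UniqueProcessId, rbx = process handle
; Fixes vs. the original: the NTSTATUS of the second query and the HeapAlloc
; result are checked (otherwise an uninitialised buffer was walked), flagss
; is cleared and the GetProcessDEPPolicy result is checked (a failing call
; printed the previous process's flags), an unreachable zero test after
; OpenProcess is gone, and the program ends with ExitProcess instead of
; returning from the entry point.
;-----------------------------------------------------------------------
start:
        sub     rsp, 58h
        lea     rcx, [INFO]
        call    [printf]
        call    [_getch]

        ; First call with a NULL buffer only asks for the size: it fails with
        ; STATUS_INFO_LENGTH_MISMATCH and sets bytes_returned.
        mov     ecx, 5                      ; SystemProcessInformation
        xor     edx, edx                    ; SystemInformation = NULL
        xor     r8d, r8d                    ; SystemInformationLength = 0
        lea     r9, [bytes_returned]
        call    [NtQuerySystemInformation]

        call    [GetProcessHeap]
        mov     [heap_handle], rax
        mov     rcx, rax
        xor     edx, edx                    ; dwFlags = 0
        mov     r8d, [bytes_returned]
        add     r8d, 40000h                 ; slack: the list may grow between the calls
        call    [HeapAlloc]
        test    rax, rax
        jz      .alloc_failed
        mov     [buffer_ptr], rax

        mov     ecx, 5
        mov     rdx, rax
        mov     r8d, [bytes_returned]
        add     r8d, 40000h
        lea     r9, [bytes_returned]
        call    [NtQuerySystemInformation]
        test    eax, eax                    ; anything but STATUS_SUCCESS leaves the
        jnz     .query_failed               ; buffer undefined -> do not walk it

        mov     rsi, [buffer_ptr]
.next_proc:
        mov     r12, [rsi+SYSTEM_PROCESS_INFORMATION.UniqueProcessId]
        test    r12, r12                    ; PID 0 = System Idle Process
        jz      .name_skip
        mov     r8, [rsi+SYSTEM_PROCESS_INFORMATION.ImageName.Buffer]
        test    r8, r8
        jz      .name_skip
        mov     ecx, 0x1410                 ; PROCESS_QUERY_INFORMATION | PROCESS_VM_READ |
                                            ; PROCESS_QUERY_LIMITED_INFORMATION
        xor     edx, edx                    ; bInheritHandle = FALSE
        mov     r8, r12
        call    [OpenProcess]
        test    rax, rax
        jz      .open_failed
        mov     rbx, rax

        lea     rcx, [fmt_proc]
        mov     rdx, r12
        mov     r8, [rsi+SYSTEM_PROCESS_INFORMATION.ImageName.Buffer]
        call    [printf]
        call    [_getch]

        ; GetProcessDEPPolicy(hProcess, &flags, &permanent); flagss is a
        ; global, so clear it first and honour the BOOL result.
        mov     dword [flagss], 0
        mov     rcx, rbx
        lea     rdx, [flagss]
        lea     r8, [perm]
        call    [GetProcessDEPPolicy]
        test    eax, eax
        jz      .dep_failed
        lea     rcx, [flagsses]
        mov     edx, dword [flagss]
        call    [printf]
.close:
        mov     rcx, rbx
        call    [CloseHandle]
.name_skip:
        mov     eax, [rsi + SYSTEM_PROCESS_INFORMATION.NextEntryOffset]
        test    eax, eax                    ; 0 marks the last entry
        jz      .done
        add     rsi, rax
        jmp     .next_proc

.dep_failed:
        lea     rcx, [errdep]
        call    [printf]
        jmp     .close

.open_failed:
        lea     rcx, [errors]
        mov     rdx, r12                    ; PID for the message
        call    [printf]
        jmp     .name_skip

.query_failed:
        mov     edx, eax                    ; NTSTATUS for the message
        lea     rcx, [errq]
        call    [printf]
        jmp     .done

.alloc_failed:
        lea     rcx, [erralloc]
        call    [printf]
.done:
        call    [_getch]
        xor     ecx, ecx
        call    [ExitProcess]               ; never return from the entry point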
; Imports. NtQueryInformationProcess and NtReadVirtualMemory are declared
; but never called by this program (they belong to the Process Inspector
; variant); ExitProcess is imported but the original code returns from the
; entry point instead of calling it.
section '.idata' import data readable writeable
library kernel32, 'kernel32.dll', \
ntdll, 'ntdll.dll', \
msvcrt, 'msvcrt.dll'
import kernel32, \
GetProcessHeap, 'GetProcessHeap',\
HeapAlloc,'HeapAlloc',\
OpenProcess,'OpenProcess',\
CloseHandle,'CloseHandle',\
ExitProcess, 'ExitProcess',\
GetProcessDEPPolicy,'GetProcessDEPPolicy'
import ntdll, \
NtQuerySystemInformation,'NtQuerySystemInformation', \
NtQueryInformationProcess,'NtQueryInformationProcess', \
NtReadVirtualMemory, 'NtReadVirtualMemory'
import msvcrt, \
printf, 'printf', \
_getch, '_getch'
--
Process Inspector
Выводит информацию про ImageBase/SizeOfImage и импортируемые .dll (читаются из таблицы импорта образа, а не из списка загруженных модулей), получив информацию о всех процессах через Nt-функции.
ASM:
; AUTHOR KVANTOR815
; Process inspector (Windows x64, FASM, Microsoft x64 ABI): for every process
; it can open, reads the remote PEB.ImageBaseAddress and the remote PE
; headers with NtReadVirtualMemory and prints ImageBase, SizeOfImage and the
; DLL names from the image's import directory.
format PE64 console
entry start
; NOTE(review): absolute include path - assumes FASM is installed at C:\flat.
include 'C:\flat\include\win64a.inc'
include 'structureProcessInspector.inc'  ; UNICODE_STRING / SYSTEM_PROCESS_INFORMATION
section '.data' data readable writeable
informat db "-- process inspector --", 10, 0
fmt_proc db 10, "PID: %4d | Name: %ls", 10, 0
fmt_base db " -> ImageBase: 0x%p", 10, 0
fmt_size db " -> ImageSize: %d bytes", 10, 0
fmt_imp_dll db " -> [use dll]: %s", 10, 0
fmt_imp_f db " |-- %s", 10, 0  ; unused: imported function names are not enumerated
section '.bss' readable writeable
align 16
bytes_returned dd ?  ; ReturnLength from NtQuerySystemInformation
heap_handle dq ?
buffer_ptr dq ?  ; SYSTEM_PROCESS_INFORMATION list
pbi rb 48  ; PROCESS_BASIC_INFORMATION (x64: 48 bytes); PebBaseAddress at +8
image_base dq ?  ; remote PEB.ImageBaseAddress
pe_offset dd ?  ; remote e_lfanew
image_size dd ?  ; remote SizeOfImage
import_rva dd ?  ; remote import directory RVA
thunk_rva dd ?  ; remote OriginalFirstThunk / FirstThunk RVA (4 bytes only)
func_ptr rq 1  ; unused
temp_buf rb 256  ; scratch for NtReadVirtualMemory; at most 128 bytes are written
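section '.text' code readable executable

;-----------------------------------------------------------------------
; start - entry point; exits via ExitProcess.
; For every process from NtQuerySystemInformation(SystemProcessInformation)
; that OpenProcess can open: read PEB.ImageBaseAddress from the remote PEB
; (NtQueryInformationProcess/ProcessBasicInformation), then read the remote
; PE headers with NtReadVirtualMemory and print ImageBase, SizeOfImage and
; the name of every DLL in the import directory.
; Only PE32+ (64-bit) targets are walked: the import-directory offset used
; (NT+90h) is the PE32+ layout, so images whose optional-header Magic is not
; 0x20B (e.g. WOW64 processes) are skipped after the size line.
; Imported function names are not enumerated (fmt_imp_f/func_ptr unused).
; ABI:  Microsoft x64; entry rsp = 16n+8, 'sub rsp,58h' => 16-aligned with
;       shadow space and a 5th-argument slot at [rsp+32].
; Registers: rsi = current SYSTEM_PROCESS_INFORMATION entry
;            r12 = PID, rbx = process handle, r15 = remote IMAGE_NT_HEADERS
;            r13 = remote IMAGE_IMPORT_DESCRIPTOR cursor, r14 = remote thunk array
;       Callee-saved registers are clobbered freely: the entry never returns.
; Fixes vs. the original: every Nt* NTSTATUS is checked (the receiving
; globals otherwise kept stale values from the previous process, and a
; failing read inside .loop_dll re-printed the same DLL forever); the
; optional-header Magic is verified before the PE32+ directory offset is
; used; the ReturnLength/NumberOfBytesRead slot is set before every call;
; thunk_rva is read as the DWORD it is (the old 'add r14, qword [thunk_rva]'
; also pulled in the 4 bytes of func_ptr).
;-----------------------------------------------------------------------
start:
        sub     rsp, 58h
        lea     rcx, [informat]
        call    [printf]

        ; size query (fails with STATUS_INFO_LENGTH_MISMATCH, sets bytes_returned)
        mov     ecx, 5                      ; SystemProcessInformation
        xor     edx, edx
        xor     r8d, r8d
        lea     r9, [bytes_returned]
        call    [NtQuerySystemInformation]

        call    [GetProcessHeap]
        mov     [heap_handle], rax
        mov     rcx, rax
        xor     edx, edx
        mov     r8d, [bytes_returned]
        add     r8d, 40000h                 ; slack for processes created meanwhile
        call    [HeapAlloc]
        mov     [buffer_ptr], rax
        test    rax, rax
        jz      .exit

        mov     ecx, 5
        mov     rdx, rax
        mov     r8d, [bytes_returned]
        add     r8d, 40000h
        lea     r9, [bytes_returned]
        call    [NtQuerySystemInformation]
        test    eax, eax                    ; buffer undefined on any failure status
        jnz     .done

        mov     rsi, [buffer_ptr]
.next_proc:
        mov     r12, [rsi+SYSTEM_PROCESS_INFORMATION.UniqueProcessId]
        test    r12, r12                    ; PID 0 = System Idle Process
        jz      .name_skip
        mov     r8, [rsi+SYSTEM_PROCESS_INFORMATION.ImageName.Buffer]
        test    r8, r8
        jz      .name_skip
        mov     ecx, 0x1410                 ; PROCESS_QUERY_INFORMATION | PROCESS_VM_READ |
                                            ; PROCESS_QUERY_LIMITED_INFORMATION
        xor     edx, edx
        mov     r8, r12
        call    [OpenProcess]
        test    rax, rax
        jz      .name_skip                  ; access denied / protected: skip silently
        mov     rbx, rax

        lea     rcx, [fmt_proc]
        mov     rdx, r12
        mov     r8, [rsi+SYSTEM_PROCESS_INFORMATION.ImageName.Buffer]
        call    [printf]

        ; NtQueryInformationProcess(h, ProcessBasicInformation = 0, &pbi, 48, NULL)
        mov     rcx, rbx
        xor     edx, edx
        lea     r8, [pbi]
        mov     r9d, 48                     ; sizeof(PROCESS_BASIC_INFORMATION), x64
        mov     qword [rsp + 32], 0         ; ReturnLength = NULL
        call    [NtQueryInformationProcess]
        test    eax, eax
        jnz     .close_h
        mov     rdx, qword [pbi + 8]        ; PROCESS_BASIC_INFORMATION.PebBaseAddress
        test    rdx, rdx
        jz      .close_h

        ; image_base = *(PEB + 10h)  (PEB.ImageBaseAddress)
        add     rdx, 10h
        mov     rcx, rbx
        lea     r8, [image_base]
        mov     r9d, 8
        mov     qword [rsp+32], 0           ; NumberOfBytesRead = NULL
        call    [NtReadVirtualMemory]
        test    eax, eax
        jnz     .close_h
        lea     rcx, [fmt_base]
        mov     rdx, [image_base]
        call    [printf]

        ; pe_offset = *(image_base + 3Ch)  (e_lfanew)
        mov     rcx, rbx
        mov     rdx, [image_base]
        add     rdx, 3Ch
        lea     r8, [pe_offset]
        mov     r9d, 4
        mov     qword [rsp+32], 0
        call    [NtReadVirtualMemory]
        test    eax, eax
        jnz     .close_h

        ; r15 = remote IMAGE_NT_HEADERS; image_size = SizeOfImage (NT+50h,
        ; same offset in PE32 and PE32+)
        mov     rdx, [image_base]
        mov     eax, [pe_offset]
        add     rdx, rax
        mov     r15, rdx
        add     rdx, 50h
        mov     rcx, rbx
        lea     r8, [image_size]
        mov     r9d, 4
        mov     qword [rsp+32], 0
        call    [NtReadVirtualMemory]
        test    eax, eax
        jnz     .close_h
        lea     rcx, [fmt_size]
        mov     edx, [image_size]
        call    [printf]

        ; Optional header Magic (NT+18h): 0x20B = PE32+. The directory offset
        ; below is only valid for PE32+, so anything else is skipped.
        mov     rdx, r15
        add     rdx, 18h
        mov     rcx, rbx
        lea     r8, [temp_buf]
        mov     r9d, 2
        mov     qword [rsp+32], 0
        call    [NtReadVirtualMemory]
        test    eax, eax
        jnz     .close_h
        cmp     word [temp_buf], 0x20B
        jne     .close_h

        ; import_rva = DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
        ; (PE32+: NT+90h)
        mov     rdx, r15
        add     rdx, 90h
        mov     rcx, rbx
        lea     r8, [import_rva]
        mov     r9d, 4
        mov     qword [rsp+32], 0
        call    [NtReadVirtualMemory]
        test    eax, eax
        jnz     .close_h
        mov     eax, [import_rva]
        test    eax, eax
        jz      .close_h
        mov     r13, [image_base]
        add     r13, rax

        ; Walk IMAGE_IMPORT_DESCRIPTOR entries (20 bytes) until Name == 0.
.loop_dll:
        mov     rcx, rbx
        mov     rdx, r13
        add     rdx, 12                     ; IMAGE_IMPORT_DESCRIPTOR.Name (RVA)
        lea     r8, [temp_buf]
        mov     r9d, 4
        mov     qword [rsp+32], 0
        call    [NtReadVirtualMemory]
        test    eax, eax
        jnz     .close_h
        mov     eax, dword [temp_buf]
        test    eax, eax
        jz      .close_h
        ; DLL name: up to 128 bytes are copied into the 256-byte zeroed
        ; temp_buf, so %s always finds a terminator. A failed read ends the
        ; walk instead of printing the previous contents.
        mov     rcx, rbx
        mov     rdx, [image_base]
        add     rdx, rax
        lea     r8, [temp_buf]
        mov     r9d, 128
        mov     qword [rsp+32], 0
        call    [NtReadVirtualMemory]
        test    eax, eax
        jnz     .close_h
        lea     rcx, [fmt_imp_dll]
        lea     rdx, [temp_buf]
        call    [printf]

        ; thunk_rva = OriginalFirstThunk, or FirstThunk (+16) when the INT is absent
        mov     rcx, rbx
        mov     rdx, r13
        lea     r8, [thunk_rva]
        mov     r9d, 4
        mov     qword [rsp+32], 0
        call    [NtReadVirtualMemory]
        test    eax, eax
        jnz     .close_h
        mov     eax, [thunk_rva]
        test    eax, eax
        jnz     .has_thunk
        mov     rcx, rbx
        mov     rdx, r13
        add     rdx, 16
        lea     r8, [thunk_rva]
        mov     r9d, 4
        mov     qword [rsp+32], 0
        call    [NtReadVirtualMemory]
        test    eax, eax
        jnz     .close_h
.has_thunk:
        ; r14 = remote thunk array (computed for a future per-function
        ; listing; nothing reads it yet)
        mov     r14, [image_base]
        mov     eax, [thunk_rva]            ; DWORD, not qword
        add     r14, rax
.next_dll:
        add     r13, 20                     ; sizeof(IMAGE_IMPORT_DESCRIPTOR)
        jmp     .loop_dll

.close_h:
        mov     rcx, rbx
        call    [CloseHandle]
.name_skip:
        mov     eax, [rsi + SYSTEM_PROCESS_INFORMATION.NextEntryOffset]
        test    eax, eax                    ; 0 marks the last entry
        jz      .done
        add     rsi, rax
        jmp     .next_proc
.done:
        call    [_getch]
.exit:
        add     rsp, 58h
        xor     ecx, ecx
        call    [ExitProcess]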
; Imports. All three ntdll entry points are used by this program
; (process list, ProcessBasicInformation, remote reads).
section '.idata' import data readable writeable
library kernel32, 'kernel32.dll', \
ntdll, 'ntdll.dll', \
msvcrt, 'msvcrt.dll'
import kernel32, \
GetProcessHeap, 'GetProcessHeap',\
HeapAlloc,'HeapAlloc',\
OpenProcess,'OpenProcess',\
CloseHandle,'CloseHandle',\
ExitProcess, 'ExitProcess'
import ntdll, \
NtQuerySystemInformation,'NtQuerySystemInformation', \
NtQueryInformationProcess,'NtQueryInformationProcess', \
NtReadVirtualMemory, 'NtReadVirtualMemory'
import msvcrt, \
printf, 'printf', \
_getch, '_getch'
ASM:
; structureProcessInspector.inc
; UNICODE_STRING as laid out on x64 (16 bytes): the explicit 4-byte pad
; keeps Buffer 8-aligned. Length/MaximumLength are byte counts.
struc UNICODE_STRING {
.Length dw ?
.MaximumLength dw ?
.Padding dd ?
.Buffer rq 1
}
; SYSTEM_PROCESS_INFORMATION, x64 layout. FASM inserts no implicit padding,
; so the two Reserved dwords model the compiler padding that keeps the
; 8-byte members aligned. Offsets as declared here: ImageName 38h
; (Buffer at 40h), BasePriority 48h, UniqueProcessId 50h, HandleCount 60h,
; SessionId 64h. The inspector uses NextEntryOffset, ImageName.Buffer and
; UniqueProcessId only.
struc SYSTEM_PROCESS_INFORMATION {
.NextEntryOffset dd ?  ; 0 in the last entry
.NumberOfThreads dd ?
.WorkingSetPrivateSize dq ?
.HardFaultCount dd ?
.NumberOfThreadsHighWatermark dd ?
.CycleTime dq ?
.CreateTime dq ?
.UserTime dq ?
.KernelTime dq ?
.ImageName UNICODE_STRING  ; Buffer may be NULL (e.g. the idle process)
.BasePriority dd ?
.Reserved dd ?  ; alignment pad
.UniqueProcessId rq 1  ; HANDLE-sized PID
.InheritedFromUniqueProcessId rq 1
.HandleCount dd ?
.SessionId dd ?
.UniqueProcessKey rq 1
.PeakVirtualSize rq 1
.VirtualSize rq 1
.PageFaultCount dd ?
.Reserved2 dd ?  ; alignment pad
.PeakWorkingSetSize rq 1
.WorkingSetSize rq 1
.QuotaPeakPagedPoolUsage rq 1
.QuotaPagedPoolUsage rq 1
.QuotaPeakNonPagedPoolUsage rq 1
.QuotaNonPagedPoolUsage rq 1
.PagefileUsage rq 1
.PeakPagefileUsage rq 1
.PrivatePageCount rq 1
.ReadOperationCount dq ?
.WriteOperationCount dq ?
.OtherOperationCount dq ?
.TransferCount dq ?
}
; Instantiate the struc at address 0 so that
; SYSTEM_PROCESS_INFORMATION.<field> evaluates to the field's offset.
virtual at 0
SYSTEM_PROCESS_INFORMATION SYSTEM_PROCESS_INFORMATION
end virtual
