Conquer Loader Class in VB.net

07/22/2011 17:39 xmen01235#1
Code:
Public Class bypassclient
    Public Enum ProcessAccessFlags As UInteger
        All = &H1F0FFF
        Terminate = &H1
        CreateThread = &H2
        VMOperation = &H8
        VMRead = &H10
        VMWrite = &H20
        DupHandle = &H40
        SetInformation = &H200
        QueryInformation = &H400
        Synchronize = &H100000
    End Enum

    <DllImport("kernel32.dll")> _
    Private Shared Function OpenProcess(ByVal dwDesiredAccess As ProcessAccessFlags, _
                                        <MarshalAs(UnmanagedType.Bool)> ByVal bInheritHandle As Boolean, _
                                        ByVal dwProcessId As Integer) As IntPtr
    End Function
    <DllImport("kernel32.dll", SetLastError:=True)> _
    Public Shared Function CloseHandle(ByVal hObject As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Public Shared Function WriteProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As System.UInt32, <Out()> ByRef lpNumberOfBytesWritten As Int32) As Boolean
    End Function
    Public Declare Function GetProcAddress Lib "kernel32.dll" _
    (ByVal hModule As IntPtr, ByVal procName As String) As IntPtr

    <DllImport("kernel32.dll")> _
    Public Shared Function GetModuleHandle(ByVal lpModuleName As String) As IntPtr
    End Function

    <DllImport("kernel32.dll", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Public Shared Function LoadLibrary(<MarshalAs(UnmanagedType.LPStr)> ByVal lpFileName As String) As IntPtr
    End Function
    <DllImport("kernel32.dll", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Public Shared Function FreeLibrary(ByVal hModule As IntPtr) As Boolean
    End Function

    Public Sub New()
    End Sub
    Public Function connect2IP(ByVal PID As Integer, ByVal IPAdd As String) As Integer
        Dim ws2Handle As IntPtr = LoadLibrary("WS2_32.dll")
        If ws2Handle = vbNull Then
            FreeLibrary(ws2Handle)
            Return 1
        End If
        Dim cHandle As IntPtr = OpenProcess(ProcessAccessFlags.VMOperation Or ProcessAccessFlags.VMRead Or ProcessAccessFlags.VMWrite Or _
                                            ProcessAccessFlags.All, True, PID)
        If cHandle = vbNull Then
            FreeLibrary(ws2Handle)
            Return 2
        End If
        Dim inet_addr As IntPtr = GetProcAddress(GetModuleHandle("WS2_32.dll"), "inet_addr")
        If inet_addr = vbNull Then
            FreeLibrary(ws2Handle)
            Return 3
        End If
        Dim buffer() As Byte = {&HB8, &H0, &H0, &H0, &H0, &HC2, &H4, &H0, &H90, &H90}
        Dim byteIPaddress() As Byte = IPAddress.Parse(IPAdd).GetAddressBytes()
        System.Buffer.BlockCopy(byteIPaddress, 0, buffer, 1, byteIPaddress.Length)
        Dim bytesWritten As Integer = 0
        If Not WriteProcessMemory(cHandle, inet_addr, buffer, buffer.Length, bytesWritten) Then
            FreeLibrary(ws2Handle)
            Return 4
        End If
        CloseHandle(cHandle)
        FreeLibrary(ws2Handle)
        Return 0
    End Function
End Class
You can use it in your proxy :).

But it will only work only on 32bits and I have no idea how to make it run in 64bits windows 7.
07/22/2011 17:42 xmen01235#2
Implementation of the class:


Dim _redirect As bypassclient = New bypassclient()
Dim status As Integer = _redirect.connect2IP(PID, ProxyIPAddress)

If status = 0 Then
msgbox "Bypass successfully"
End If

PID -> is the process ID of the target conquer.
ProxyIPAddress -> your LAN IP like (192.168.1.x)
07/22/2011 17:45 _DreadNought_#3
C# Implementation of your class:
Code:
using Microsoft.VisualBasic;
using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;
using System.Runtime.InteropServices;
public class bypassclient
{
	public enum ProcessAccessFlags : uint
	{
		All = 0x1f0fff,
		Terminate = 0x1,
		CreateThread = 0x2,
		VMOperation = 0x8,
		VMRead = 0x10,
		VMWrite = 0x20,
		DupHandle = 0x40,
		SetInformation = 0x200,
		QueryInformation = 0x400,
		Synchronize = 0x100000
	}

	[DllImport("kernel32.dll")]
	private static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, 	[MarshalAs(UnmanagedType.Bool)]
bool bInheritHandle, int dwProcessId);
	[DllImport("kernel32.dll", SetLastError = true)]
	[return: MarshalAs(UnmanagedType.Bool)]
	public static extern bool CloseHandle(IntPtr hObject);

	[DllImport("kernel32.dll", SetLastError = true)]
	public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, System.UInt32 nSize, 	[Out()]
ref Int32 lpNumberOfBytesWritten);
	[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
	public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

	[DllImport("kernel32.dll")]
	public static extern IntPtr GetModuleHandle(string lpModuleName);

	[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
	public static extern IntPtr LoadLibrary(	[MarshalAs(UnmanagedType.LPStr)]
string lpFileName);
	[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
	public static extern bool FreeLibrary(IntPtr hModule);

	public bypassclient()
	{
	}
	public int connect2IP(int PID, string IPAdd)
	{
		IntPtr ws2Handle = LoadLibrary("WS2_32.dll");
		if (ws2Handle == Constants.vbNull) {
			FreeLibrary(ws2Handle);
			return 1;
		}
		IntPtr cHandle = OpenProcess(ProcessAccessFlags.VMOperation | ProcessAccessFlags.VMRead | ProcessAccessFlags.VMWrite | ProcessAccessFlags.All, true, PID);
		if (cHandle == Constants.vbNull) {
			FreeLibrary(ws2Handle);
			return 2;
		}
		IntPtr inet_addr = GetProcAddress(GetModuleHandle("WS2_32.dll"), "inet_addr");
		if (inet_addr == Constants.vbNull) {
			FreeLibrary(ws2Handle);
			return 3;
		}
		byte[] buffer = {
			0xb8,
			0x0,
			0x0,
			0x0,
			0x0,
			0xc2,
			0x4,
			0x0,
			0x90,
			0x90
		};
		byte[] byteIPaddress = IPAddress.Parse(IPAdd).GetAddressBytes();
		System.Buffer.BlockCopy(byteIPaddress, 0, buffer, 1, byteIPaddress.Length);
		int bytesWritten = 0;
		if (!WriteProcessMemory(cHandle, inet_addr, buffer, buffer.Length, ref bytesWritten)) {
			FreeLibrary(ws2Handle);
			return 4;
		}
		CloseHandle(cHandle);
		FreeLibrary(ws2Handle);
		return 0;
	}
}
07/22/2011 17:52 xmen01235#4
Quote:
Originally Posted by _DreadNought_ View Post
C# Implementation of your class:
Code:
using Microsoft.VisualBasic;
using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;
using System.Runtime.InteropServices;
public class bypassclient
{
	public enum ProcessAccessFlags : uint
	{
		All = 0x1f0fff,
		Terminate = 0x1,
		CreateThread = 0x2,
		VMOperation = 0x8,
		VMRead = 0x10,
		VMWrite = 0x20,
		DupHandle = 0x40,
		SetInformation = 0x200,
		QueryInformation = 0x400,
		Synchronize = 0x100000
	}

	[DllImport("kernel32.dll")]
	private static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, 	[MarshalAs(UnmanagedType.Bool)]
bool bInheritHandle, int dwProcessId);
	[DllImport("kernel32.dll", SetLastError = true)]
	[return: MarshalAs(UnmanagedType.Bool)]
	public static extern bool CloseHandle(IntPtr hObject);

	[DllImport("kernel32.dll", SetLastError = true)]
	public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, System.UInt32 nSize, 	[Out()]
ref Int32 lpNumberOfBytesWritten);
	[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
	public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

	[DllImport("kernel32.dll")]
	public static extern IntPtr GetModuleHandle(string lpModuleName);

	[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
	public static extern IntPtr LoadLibrary(	[MarshalAs(UnmanagedType.LPStr)]
string lpFileName);
	[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
	public static extern bool FreeLibrary(IntPtr hModule);

	public bypassclient()
	{
	}
	public int connect2IP(int PID, string IPAdd)
	{
		IntPtr ws2Handle = LoadLibrary("WS2_32.dll");
		if (ws2Handle == Constants.vbNull) {
			FreeLibrary(ws2Handle);
			return 1;
		}
		IntPtr cHandle = OpenProcess(ProcessAccessFlags.VMOperation | ProcessAccessFlags.VMRead | ProcessAccessFlags.VMWrite | ProcessAccessFlags.All, true, PID);
		if (cHandle == Constants.vbNull) {
			FreeLibrary(ws2Handle);
			return 2;
		}
		IntPtr inet_addr = GetProcAddress(GetModuleHandle("WS2_32.dll"), "inet_addr");
		if (inet_addr == Constants.vbNull) {
			FreeLibrary(ws2Handle);
			return 3;
		}
		byte[] buffer = {
			0xb8,
			0x0,
			0x0,
			0x0,
			0x0,
			0xc2,
			0x4,
			0x0,
			0x90,
			0x90
		};
		byte[] byteIPaddress = IPAddress.Parse(IPAdd).GetAddressBytes();
		System.Buffer.BlockCopy(byteIPaddress, 0, buffer, 1, byteIPaddress.Length);
		int bytesWritten = 0;
		if (!WriteProcessMemory(cHandle, inet_addr, buffer, buffer.Length, ref bytesWritten)) {
			FreeLibrary(ws2Handle);
			return 4;
		}
		CloseHandle(cHandle);
		FreeLibrary(ws2Handle);
		return 0;
	}
}
Cool....Btw Credit goes to nullable of codexplosion(for his c++ example related program)
07/22/2011 23:11 _DreadNought_#5
Yeah, Thought it looked similar.
07/23/2011 00:06 IAmHawtness#6
Pretty nice, works flawlessly.

However, just so are aware, when you call the
Code:
GetModuleHandle("WS2_32.dll")
You are retreiving the memory address of the module inside your own program, not the remote program which you are re-directing.

Fortunately, this usually isn't a problem, at least not with most system DLLs since they're almost always located at the same address in all processes, at least until your computer is restarted :p.

Nontheless, good job
07/23/2011 02:42 xmen01235#7
Quote:
Originally Posted by IAmHawtness View Post
Pretty nice, works flawlessly.

However, just so are aware, when you call the
Code:
GetModuleHandle("WS2_32.dll")
You are retreiving the memory address of the module inside your own program, not the remote program which you are re-directing.

Fortunately, this usually isn't a problem, at least not with most system DLLs since they're almost always located at the same address in all processes, at least until your computer is restarted :p.

Nontheless, good job
Thanks master... Hope someday I can be as proficient as you in memory things.