Read / Write Array Of Byte

Pages: 123

Malware it's just pictures guys?

Images can be modified to contain malware just as any other type of file on the internet, exploitable by buffer overflows. A very common flaw in a lot of software other than browsers.

https://stackoverflow.com/questions/9675941/how-can-a-virus-exist-in-an-image

A bit of caution and paranoia isn't a bad attitude to have.

seeplus (6457)

A bit of caution and paranoia isn't a bad attitude to have.

Yep. That's why I never open a web page when it's flagged as suspicious...

George P (5600)

I've paid the price for not being cautious more than a few times in the past during the "Wild and Woolly Early Days of the Internet." Loss of computer hardware and money, etc.

I am NOT saying Hawlong is trying to do something. But his choice of that hosting site for the image wasn't a good one since the site is flagged as "bad ju-ju."

Having a git repository on a reputable service like Github might be beneficial. I do.

** Shameless Plug Alert! **

As a matter of fact I have several repos, each one tasked with different uses. My main repo:

https://github.com/GeorgePimpleton

Hawlong (120)

thanks George P I will not upload a picture again :)

Thanks seeplus my code ..


#include <Windows.h>
#include <iostream>
#include <string>
#include <TCHAR.H>
#include <vector>
#include "pscan.h"
#define _CRT_SECURE_NO_WARNINGS


using namespace std;
#pragma comment( lib, "psapi.lib" )

Memory memory;

bool Hook(void * toHook, void * ourFunct, int len)
{
	if (len < 5)
	{
		return false;
	}
	else
	{

	}

	DWORD curProtection;
	VirtualProtect(toHook, len, PAGE_EXECUTE_READWRITE, &curProtection);

	memset(toHook, 0x90, len);

	DWORD relativeAddress = ((DWORD)ourFunct - (DWORD)toHook) - 5;

	*(BYTE*)toHook = 0xE9;
	*(DWORD*)((DWORD)toHook + 1) = relativeAddress; 

	DWORD temp;
	VirtualProtect(toHook, len, curProtection, &temp);

	return true;
}

DWORD jmpBackAddys;
char* sentBuffer;
std::vector<char> logText(73);
int dx = 0;
void __declspec(naked) s_buffer()
{




	__asm
	{

	


		pushad
		pushfd
		
		mov sentBuffer,ebx
		mov dword ptr ss : [ebp - 0x248], ebx
	}
	

	for (char&c : logText)
	{
		c = sentBuffer[dx++]; 
	}



	__asm {
		popfd
		popad


		
		jmp jmpBackAddys
	}





}
DWORD WINAPI MainThread(LPVOID param)
{

		//-------------------------------------
	DWORD ADDJM = 0X00DE4AFF;
	int itemshookLe = 6;
	jmpBackAddys = ADDJM + itemshookLe;
	Hook((void*)ADDJM, s_buffer, itemshookLe);
	//--------------------------------------

	AllocConsole();
	FILE* f;
	freopen_s(&f, "CONOUT$", "w", stdout);

	
	while (true)
	{
		Sleep(5000);




		if (GetAsyncKeyState(VK_ESCAPE)) {
		
		
				for (char i : logText){
	
			        std::cout << i << ' ';
			
		
		        }
		
		
		
		}
	


	}
	fclose(f);
	FreeConsole();
	FreeLibraryAndExitThread((HMODULE)param, 0);



	return 0;







}
BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpReserved) {
	switch (dwReason) {
	case DLL_PROCESS_ATTACH:
		CreateThread(0, 0, MainThread, hModule, 0, 0);
		break;
	}

	return TRUE;
}

i copy packet from edx to sentBuffer

__asm{
  mov sentBuffer, ebx
}

i'll edit the packet and after edit copy from sentBuffer to edx ..

__asm{
  mov ebx,sentBuffer
}

why i use unsigned char ?
It works well inside the memory and anything else exe crashed ..
My example Work good

1
2
3


const unsigned char  buff[] = {0x16,0x00,0x6B,0x08,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
			const char* packet = reinterpret_cast<const char*>(buff);

Last edited on

George P (5600)

I didn't suggest you shouldn't upload an image.

What I do recommend is "consider choosing a different file hosting site." One that doesn't cause a browser to get all wee-weed up over SSL issues. There are a number available. Reputable hosting sites.

A picture is after all worth a thousand words, ya know. :Þ

George P (5600)

Here's an example of using github to host content, an image:

https://raw.githubusercontent.com/GeorgePimpleton/Win32-games/main/tygp24h.jpg

The picture is part of one of my github repos, https://github.com/GeorgePimpleton/Win32-games

It is easy to extract the URL for the image 'naked' without all the github overhead.

Hawlong (120)

Thank you very much for the clarification <3

seeplus (6457)

Well if you're not getting what you expected from L113-115, are you sure that sentBuffer is pointed to the right memory location (L65 - check that address of sentBuffer is as expected)? Are L62-63 correct? To what is ebx supposed to be pointing to? In the text you mention edx though??

Last edited on

Hawlong (120)

Everything works now and I printed the packet inside the console
using this loop

1
2
3

  for (auto& el : logText)
  	std::cout << std::setfill('0') << std::setw(2) << std::hex << (0xff & (unsigned int)el);
  std::cout << '\n';

The last thing..
how can convert vector logtext to const unsigned char buff[] ?

like this:

1
2

const unsigned char  buff[] = {0x16,0x00,0x6B,0x08,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
			const char* packet = reinterpret_cast<const char*>(buff);

Last edited on

jonnin (11333)

the data in the vector is at &vec[0] but you MUST NOT KEEP THIS POINTER.
if the vector decides to resize, via using push-back or other vector tools, the pointer becomes invalid (it changed to another value) and your program will have undefined behavior. You can use it where you know the vector is not changing, eg
sprintf(&vec[0], "hello world"); //ok, if vec has space for the bytes already.
there is also a function that does the same thing, but sometimes you want an offset (eg &vec[42]) which there isn't any other way to get, so for consistency, I just go with the address of instead.

Last edited on

seeplus (6457)

As the size of logText is set (73), then why not use std::array instead of std::vector?

std::array<char, 73> logText;

https://en.cppreference.com/w/cpp/container/array

logText.data() gives the address of the start of the stored data. So:

const char* packet = logtext.data();

George P (5600)

If you are going to use a range-based for loop to walk through your container (you should) and you aren't going to modify the contents consider making the range declaration const.

for (const auto& el : logText)

Hawlong (120)

Thank you jonnin, I will try it

Thanks seeplus , i'll use it

Thanks for the clarification George P ,

Please look at this code not for me (google) I just want to understand one point


Naked void Hooks::Send_Packet_Hook(void)
{
	__asm
	{

		MOV Outgoing_Packet_Length, ECX
			MOV Outgoing_Packet_Pointer, EAX
	}
	Owner->Send_Packet_Hook_Callback();
	__asm
	{
		POPAD
			CALL Properties::Send_Packet_Original_Address
			PUSH Outgoing_Packet_Return_Address
			RET
	}
}


void CBClient::Send_Packet_Hook_Callback()
{
	ByteBuffer Packet((LPVOID)hooks->Outgoing_Packet_Pointer, hooks->Outgoing_Packet_Length);
	switch (Packet.ReadUint16(2))
	{
	case 1564:
		{
		
                        // pla pla pla 
			break;
		}
	}
}

what is this ,explain what this code does
ByteBuffer Packet
i not found any function by this name [packet]

ByteBuffer.h


#ifndef _BYTEBUFFER_H_
#define _BYTEBUFFER_H_

#include "BaseFunctions.h"

class ByteBuffer
{
public:
	ByteBuffer(UCHARARRAY buf, int length);
	ByteBuffer(LPVOID Address, int length);
	ByteBuffer(int length);

	virtual ~ByteBuffer(void);

	void Reverse_At(int StartIndex, int BytesCount);

	UCHARARRAY GetBuffer();
	int GetBufferLength();
	uint32_t ReadUint32(int offset);
	uint16_t ReadUint16(int offset);
	uint8_t ReadByte(int offset);
	void WriteUInt32(uint32_t Value, int offset);
	void WriteUInt16(uint16_t Value, int offset);
	void WriteByte(uint8_t Value, int offset);
	template <typename T> void Write(int offset, T value);
	void WriteString(int offset, std::string value, int length);
	void WriteBytes(int offset , UCHARARRAY value, int length);

	template <typename T> T Read(int offset);
	std::string ReadString(int offset, int length);
	std::vector<uint8_t> ReadBytes(int offset, int length);
private:
	std::vector<uint8_t> buffer;
	int length;
};

template<typename T> T ByteBuffer::Read(int offset) {
	return *(T*)&buffer.data()[offset];
}

template <typename T> void ByteBuffer::Write(int offset, T value){
	*(T*)&buffer.data()[offset] = value;
}

#endif

ByteBuffer.cpp


#include "ByteBuffer.h"

ByteBuffer::ByteBuffer(UCHARARRAY buf, int length)
{
	buffer.resize(length);
	memcpy(buffer.data(), buf,length);
	this->length = length;
}

ByteBuffer::ByteBuffer(LPVOID Address, int length)
{
	buffer.resize(length);
	memcpy(buffer.data(), Address,length);
	this->length = length;
}

ByteBuffer::ByteBuffer(int length)  {
	buffer.resize(length);
	memset(buffer.data() , 0 , length);
	this->length = length;
}

ByteBuffer::~ByteBuffer(void)
{
}

void ByteBuffer::Reverse_At(int StartIndex, int BytesCount)
{
	CHARARRAY Array = new char[BytesCount];
	memcpy(Array, buffer.data() + StartIndex, BytesCount);
	for (int i = 0; i < BytesCount; i++)
	{
		buffer[StartIndex + i] = Array[(BytesCount - 1) - i];
	}
	SAFE_DELETE_ARRAY(Array);
}

UCHARARRAY ByteBuffer::GetBuffer() {
	return this->buffer.data();
}

int ByteBuffer::GetBufferLength() {
	return buffer.size();
}

uint32_t ByteBuffer::ReadUint32(int offset)
{
	return Read<uint32_t>(offset);
}
uint16_t ByteBuffer::ReadUint16(int offset)
{
	return Read<uint16_t>(offset);
}
uint8_t ByteBuffer::ReadByte(int offset)
{
	return Read<uint8_t>(offset);
}
std::vector<uint8_t> ByteBuffer::ReadBytes(int offset, int size) {
	std::vector<uint8_t> result(size, 0);
	memcpy(&result[0], &buffer.data()[offset], size);
	return result;
}
std::string ByteBuffer::ReadString(int offset, int length) {
	std::string str(length, 0);
	strncpy(&str[0], (const char*)&buffer.data()[offset], length);
	return str;
}
void ByteBuffer::WriteUInt32(uint32_t Value, int offset)
{
	Write<uint32_t>(offset, Value);
}
void ByteBuffer::WriteUInt16(uint16_t Value, int offset)
{
	Write<uint16_t>(offset, Value);
}
void ByteBuffer::WriteByte(uint8_t Value, int offset)
{
	Write<uint8_t>(offset, Value);
}
void ByteBuffer::WriteBytes(int offset , uint8_t * value, int length){
	memcpy(&buffer.data()[offset] , value , length);
}
void ByteBuffer::WriteString(int offset, std::string value, int length) {
	if ((int)value.length() < length) {
		memcpy(&buffer.data()[offset], value.c_str(), value.length());
		memset(&buffer.data()[offset+value.length()], 0, length-value.length());
	}
	else memcpy(&buffer.data()[offset], value.c_str(), length);
}


#pragma once
#ifndef _BASEFUNCTION_H
#define _BASEFUNCTION_H

#include <Windows.h>
#include <string>
#include <sstream>
#include <iostream> 
#include <ostream> 
#include <fstream>
#include <Psapi.h>
#include <ctime>
#include <io.h>
#include <fcntl.h>
#include <stdint.h>
#include <vector>

#include "Detours\detours.h"

using namespace std;

typedef struct 
{
	int	x, y, z;

}Point;

typedef char * CHARARRAY;
typedef uint8_t* UCHARARRAY;

#define Naked __declspec (naked)
#define SAFE_DELETE_ARRAY(p) { if(p) { delete[] (p);   (p)=NULL; } }

#ifndef SAFE_DELETE
#ifdef _DEBUG
#define SAFE_DELETE(p){ if(p) delete p; p=NULL; }
#else
#define SAFE_DELETE(p) { if(p) { try{ delete p; } catch(...){} p=NULL; }}
#endif
#endif

/*Converts a long value to string*/
string ToString(long number);
string CleanString(string Str);
/*Converts a string value to unsigned int*/
unsigned int ConvertToInt(string Str);
/*Converts a string value to unsigned long*/
unsigned long ConvertTolong(string Str);
/*Searches for a specified block of char's in a string, Returns True if found*/
bool FindString(string Source, string Value);
/*Returns the current Process Name as string*/
bool GetCurrentProcessName(string &str);
/*Returns the current Directory*/
string CurrentDirectory();
/*Combine's the Current Directory with the Filename and returns a full path to that file*/
string MakeFilePath(const char* Filename);
/*Returns a Random integer based on the max value */
int Random(int Max);
/*Returns a Random integer based on the min/max value */
int Random(int nLow, int nHigh);
Point MakePoint(int X, int Y);
void CreateConsole();
/*Reverses a certain number of bytes in a buffer starting at a certain Index in the buffer*/
void Reverse_Array(CHARARRAY &Buffer, int StartIndex, int BytesCount);
void Console_WriteLine (const char* fmt, ...);

#endif

and this

#pragma once

#include "BaseFunctions.h"
#include "Properties.h"
#include "ByteBuffer.h"

class CBClient;

class Hooks
{
private:
	static CBClient* Owner;


public:
	Hooks(CBClient* Owner)
	{
		this->Owner = Owner;
	}
	static void ADD_Packet(ByteBuffer* Buffer);
	static void Send_Packet_Hook(void);
	static void Receive_Packet_Hook(void);

	static int Outgoing_Packet_Length;
	static int Outgoing_Packet_Pointer;
	static int Outgoing_Packet_Return_Address;


	static int Incoming_Packet_Length;
	static int Incoming_Packet_Pointer;
	static int Incoming_Packet_Return_Address;
	static bool Bypass_Incoming_Packet;

	static std::vector<ByteBuffer*> Packets;
};

1
2

		memcpy((LPVOID)Incoming_Packet_Pointer, (LPVOID)Packets.back()->GetBuffer(), Incoming_Packet_Length);
		Packets.pop_back();

1
2
3

UCHARARRAY ByteBuffer::GetBuffer() {
	return this->buffer.data();
}

I did not understand this [(LPVOID)Packets.back()->GetBuffer()]

Sorry, I'm a beginner in classes

Last edited on

jonnin (11333)

Packet is a variable of type bytebuffer.
you can do it with integers too:
int x(42);

classes, user defined types, can have a 'constructor' that initializes them from parameters.

so...
(LPVOID) is a C style cast operation. It is a microsoft rename of the standard type void pointer. Microsoft renames almost everything in C++ from the lowly bool and int to hiding pointers behind things like this.

Packets is a variable.
apparently packets has a member function (like vectors have .size() ) that presumably gets the back end of a container, called back. That itself is also an object, and that object has a function get buffer.
so, cast the pointer from packet's 'last item on its internal container's internal buffer' and memcpy into it.

chaining like this is pretty common, where an object has a function that returns another object that you immediately access (without assigning it into a temporary) to get at something that it has which may have something else under it ... on and on until you get what you need.

George P (5600)

I did not understand this [(LPVOID)Packets.back()->GetBuffer()]

If'n I understand your question correctly....LPVOID is a Windows Data Type. The WinAPI is strewn with redefs all over the place.

https://learn.microsoft.com/en-us/windows/win32/winprog/windows-data-types

Notice what the definition of LPVOID is:
typedef void *LPVOID;

Should you ever look at legacy Desktop WinAPI code you'll see oodles and oodles of data types specific to Windows. The WinAPI was concocted before C++ was around, MS used C as the base and layered on gobs of stuff.

George P (5600)

And to make things even more confusing (and bloated) with the WinAPI MS added new data types for x64 Windows: fixed-precision data types, pointer-precision types, and specific-pointer-precision types.

https://learn.microsoft.com/en-us/windows/win32/winprog64/the-new-data-types

Hawlong (120)

Thanks all , for the valuable information .

George P I just mean this ->GetBuffer()

George P (5600)

Ah, calling a class method when the object has been instantiated as a pointer.

#include <iostream>

class SimpleClass
{
public:
    SimpleClass() {}
   ~SimpleClass() {}

public:
   void method() { std::cout << "Hello from the SimpleClass!\n"; }

private:
   int var { };
};

int main()
{
   SimpleClass obj;
   obj.method();

   SimpleClass* obj_ptr {};
   obj_ptr->method();
}

https://www.learncpp.com/cpp-tutorial/member-selection-with-pointers-and-references/

Hawlong (120)

Great, thanks a lot

DizzyDon (102)

@GeorgeP: Don't you mean something like this:

   SimpleClass* obj_ptr {&obj};

Otherwise obj_ptr is null.

Pages: 123