Random notes
---------------
https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptgenkey
---------------
https://learn.microsoft.com/en-us/windows/win32/seccrypto/alg-id
ALG_ID
---------------
ucrtbase.dll is the Universal C Runtime library
---------------
CryptAcquireContextA
https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta
#define PROV_RSA_FULL 1
#define PROV_RSA_SIG 2
#define PROV_DSS 3
#define PROV_FORTEZZA 4
#define PROV_MS_EXCHANGE 5
#define PROV_MS_MAIL 5
#define PROV_SSL 6
#define PROV_STT_MER 7
#define PROV_STT_ACQ 8
#define PROV_STT_BRND 9
#define PROV_STT_ROOT 10
#define PROV_STT_ISS 11
#define PROV_RSA_SCHANNEL 12
#define PROV_DSS_DH 13
#define PROV_EC_ECDSA_SIG 14
#define PROV_EC_ECNRA_SIG 15
#define PROV_EC_ECDSA_FULL 16
#define PROV_EC_ECNRA_FULL 17
#define PROV_DH_SCHANNEL 18
#define PROV_SPYRUS_LYNKS 20
#define PROV_RNG 21
#define PROV_INTEL_SEC 22
#define PROV_RSA_AES 24
---------------
CryptImportKey
https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptimportkey
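Added example (my own code, not from the Microsoft docs linked above): a parser for the key blob that CryptImportKey receives in pbData, plus a decoder that splits an ALG_ID into its class/type/sub-id fields. The constant values are the ones from wincrypt.h; the sample blob is constructed for this example and not taken from any real sample.

```python
import struct

# CryptoAPI constants, values as defined in wincrypt.h
SIMPLEBLOB, PUBLICKEYBLOB, PRIVATEKEYBLOB, PLAINTEXTKEYBLOB = 0x1, 0x6, 0x7, 0x8
CUR_BLOB_VERSION = 2
BLOB_TYPES = {SIMPLEBLOB: "SIMPLEBLOB", PUBLICKEYBLOB: "PUBLICKEYBLOB",
              PRIVATEKEYBLOB: "PRIVATEKEYBLOB", PLAINTEXTKEYBLOB: "PLAINTEXTKEYBLOB"}

# An ALG_ID packs three fields: class (bits 13-15), type (bits 9-12), sub-id (bits 0-8)
ALG_CLASSES = {1 << 13: "SIGNATURE", 2 << 13: "MSG_ENCRYPT", 3 << 13: "DATA_ENCRYPT",
               4 << 13: "HASH", 5 << 13: "KEY_EXCHANGE"}
ALG_TYPES = {0: "ANY", 1 << 9: "DSS", 2 << 9: "RSA", 3 << 9: "BLOCK",
             4 << 9: "STREAM", 5 << 9: "DH"}
CALG_NAMES = {0x6801: "CALG_RC4", 0x6601: "CALG_DES", 0x6602: "CALG_RC2", 0x6603: "CALG_3DES",
              0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256",
              0x8003: "CALG_MD5", 0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256",
              0x2400: "CALG_RSA_SIGN", 0xA400: "CALG_RSA_KEYX"}


def decode_alg_id(alg_id):
    """Split an ALG_ID the way the GET_ALG_CLASS / GET_ALG_TYPE / GET_ALG_SID macros do."""
    cls = alg_id & (7 << 13)
    typ = alg_id & (15 << 9)
    return {"name": CALG_NAMES.get(alg_id, "unknown"),
            "class": ALG_CLASSES.get(cls, hex(cls)),
            "type": ALG_TYPES.get(typ, hex(typ)),
            "sid": alg_id & 0x1FF}


def parse_key_blob(blob):
    """Parse the buffer passed as pbData to CryptImportKey.

    It starts with a BLOBHEADER: BYTE bType, BYTE bVersion, WORD reserved, ALG_ID aiKeyAlg.
    For PLAINTEXTKEYBLOB the header is followed by DWORD dwKeySize and the raw key bytes.
    """
    if len(blob) < 8:
        raise ValueError("shorter than a BLOBHEADER")
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    if b_version != CUR_BLOB_VERSION:
        raise ValueError(f"unexpected bVersion {b_version}, want {CUR_BLOB_VERSION}")
    info = {"blob_type": BLOB_TYPES.get(b_type, hex(b_type)), "alg": decode_alg_id(alg_id)}
    if b_type == PLAINTEXTKEYBLOB:
        (key_len,) = struct.unpack_from("<I", blob, 8)
        if 12 + key_len > len(blob):
            raise ValueError("key material truncated")
        info["key"] = blob[12:12 + key_len]
    return info


def build_plaintext_key_blob(alg_id, key):
    """The inverse: the bytes a program has to lay out before importing a raw key."""
    header = struct.pack("<BBHI", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id)
    return header + struct.pack("<I", len(key)) + key


# Constructed sample: a 16-byte RC4 PLAINTEXTKEYBLOB as one might copy it out of the
# debugger at a CryptImportKey breakpoint. Not taken from any real sample.
SAMPLE_BLOB = bytes.fromhex(
    "08020000"                          # bType=8 (PLAINTEXTKEYBLOB), bVersion=2, reserved
    "01680000"                          # aiKeyAlg = 0x6801 (CALG_RC4), little-endian
    "10000000"                          # dwKeySize = 16
    "00112233445566778899aabbccddeeff"  # rgbKeyData
)

if __name__ == "__main__":
    info = parse_key_blob(SAMPLE_BLOB)
    print(info["blob_type"], info["alg"], info["key"].hex())
```

At a CryptImportKey breakpoint the second argument (pbData) points at exactly this layout, so dumping dwDataLen bytes from it and feeding them to parse_key_blob tells you the algorithm and, for a plaintext blob, the key itself.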
---------------
VirtualAlloc
https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc
SendMessage
https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendmessage
HWND_BROADCAST = &HFFFF&
HWND_DESKTOP = 0
HWND_NOTOPMOST = -2
HWND_TOP = 0
HWND_TOPMOST = -1
---------------
FARPROC
It's a pointer to a function in a DLL (the type GetProcAddress returns)
---------------
NtAllocateVirtualMemory
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntallocatevirtualmemory
https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc
NtWriteVirtualMemory
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtWriteVirtualMemory.html
GetProcAddress
https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress
---------------
LoadLibraryA
https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya
---------------
x32dbg
---------------
hit run (go until you hit the "entry breakpoint"; make sure you're not still in Windows libraries or the startup code that runs before the entry point / user code even starts)
bp VirtualAlloc
bp VirtualProtect
bp CreateProcessInternalW
bp WriteProcessMemory
bp IsDebuggerPresent (in case you see anti-debugging)
** if hit, run until return, then change EAX from 1 to 0 each time so the sample is told "no debugger"
bp NtResumeThread (when you see CreateProcessInternalW spawning a new copy of itself)
** if the NtResumeThread breakpoint hits, open another x32dbg and attach to that new process,
then add the same breakpoints as before
----------
UPX packed
open in CFF Explorer
Go down to "UPX Utility" option to unpack
-----------
open the dump file in PE-bear
view the imports (they all show in red, none resolved, because the dump is still laid out as it was mapped in memory)
to unmap, go to the "section headers" tab in PE-bear
in .text change "raw addr" to match the "virtual addr"
(e.g. change from 400 to 100)
change .rdata, .data, .reloc etc. to match as well
back in .text change "raw size" (the next section's address minus this section's)
(e.g. if .rdata = 22000 and .text = 1000, then 22000 - 1000 = 21000 is the raw size for .text)
for the last section (.reloc), where there is no following section to subtract from, adjust the value until the PE-bear graph is "full"
go back to "imports" in PE-bear; they should now be resolved and readable
similarly, "exports" should now look normal
go to the "optional hdr" tab in PE-bear and change "Image Base"
to the same value as the memory region we dumped from Process Hacker (e.g. 0x10000000)
in PE-bear right-click and "save the executable" as "unmapped.bin"
you should now be able to open "unmapped.bin" in IDA without issue
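Added example (my own code, not part of these notes and not PE-bear's): the same unmapping steps done with a script, for the case where you have many dumps or want to check what PE-bear did. It reads the section table, sets each section's raw address to its virtual address, recomputes the raw size as the gap to the next section, and writes the Image Base. One assumption is marked in the code: where the notes say to adjust the last section by hand, the script lets it run to the end of the dump. The input PE is constructed here, with the same .text / .rdata addresses as the example above, and is not a real binary.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"                     # IMAGE_SECTION_HEADER layout
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)  # 40 bytes


def _headers(data):
    """Return (number of sections, optional-header offset, section-table offset)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # FileHeader.SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    return nsec, opt_off, opt_off + opt_size


def section_table(data):
    """[(name, VirtualAddress, PointerToRawData, SizeOfRawData), ...] as PE-bear's tab shows them."""
    nsec, _, sec_off = _headers(data)
    rows = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, sec_off + SECTION_HDR_SIZE * i)
        rows.append((f[0].rstrip(b"\0").decode(), f[2], f[4], f[3]))
    return rows


def read_image_base(data):
    """ImageBase is at +28 in a PE32 optional header and at +24 (8 bytes) in PE32+."""
    _, opt_off, _ = _headers(data)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:
        return struct.unpack_from("<I", data, opt_off + 28)[0]
    if magic == 0x20B:
        return struct.unpack_from("<Q", data, opt_off + 24)[0]
    raise ValueError(f"unknown optional header magic {magic:#x}")


def unmap_pe(dump, image_base):
    """Apply the PE-bear steps from the notes to a memory dump and return the fixed file."""
    data = bytearray(dump)
    nsec, opt_off, sec_off = _headers(data)
    # Image Base := address of the memory region the dump was taken from
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:
        struct.pack_into("<I", data, opt_off + 28, image_base)
    elif magic == 0x20B:
        struct.pack_into("<Q", data, opt_off + 24, image_base)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    vas = [struct.unpack_from("<I", data, sec_off + SECTION_HDR_SIZE * i + 12)[0]
           for i in range(nsec)]
    for i, va in enumerate(vas):
        hdr = sec_off + SECTION_HDR_SIZE * i
        # raw addr := virtual addr (the dump is laid out as it was in memory)
        # raw size := next section's VA minus this one's; for the last section the notes
        # say to adjust by hand, here we ASSUME it runs to the end of the dump
        end = vas[i + 1] if i + 1 < nsec else len(data)
        struct.pack_into("<I", data, hdr + 16, end - va)  # SizeOfRawData
        struct.pack_into("<I", data, hdr + 20, va)        # PointerToRawData
    return bytes(data)


def build_dumped_pe(sections, image_base=0x400000, total_size=0x34000):
    """Constructed test input: a minimal PE32 whose headers still hold the on-disk raw
    addresses while the buffer itself is total_size bytes laid out memory-style."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    hdrs = b"".join(struct.pack(SECTION_HDR, name, 0x1000, va, 0x200, raw, 0, 0, 0, 0, 0x60000020)
                    for name, va, raw in sections)
    image = bytearray(total_size)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    image[:len(head)] = head
    return bytes(image)


# Constructed: .text at VA 0x1000 and .rdata at 0x22000 like the example in the notes
DUMPED_SECTIONS = [(b".text", 0x1000, 0x400), (b".rdata", 0x22000, 0x20400),
                   (b".reloc", 0x30000, 0x2E000)]

if __name__ == "__main__":
    dump = build_dumped_pe(DUMPED_SECTIONS)
    fixed = unmap_pe(dump, 0x10000000)
    for row in section_table(fixed):
        print(row)
    print(hex(read_image_base(fixed)))
```

After unmap_pe the .text row reads raw addr 0x1000, raw size 0x21000, which is the 22000 - 1000 arithmetic from the notes; if the last section's size is wrong the import table can still resolve but IDA will complain about the file size, which is the same symptom the "graph is full" check in PE-bear guards against.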
-------------
when you see
RtlAddVectoredExceptionHandler
put a breakpoint on each "int3 ; ret" (Search for -> Current Module -> Pattern, CC C3)
run, and replace each hit with "call eax"
(this exception handler just turns every "int3 ; ret" into a trampoline to "call eax")
----------
When you hit CreateProcessInternalW:
add a breakpoint on NtResumeThread
then grab a copy of the new EXE (for analysis later)
then attach to the new process (detaching from the other) in x32dbg
then add your breakpoints (VirtualAlloc, VirtualProtect, etc.)
then in Process Hacker "Resume" the thread that was paused, and it should hit your breakpoints
---------
rdtsc
cpuid
these instructions could indicate some sort of anti-sandboxing technique
-----------
cmp xxx,100h
cmp xxx,256
e.g. for i = 0 to 255
either of these near a loop could indicate RC4 encryption/decryption (RC4's key schedule loops over the 256 S-box entries)
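Added example (my own code, not from the notes): a plain RC4 implementation whose key-scheduling loop is the `for i = 0 to 255` that shows up in compiled code as `cmp reg, 100h`, plus a small byte scanner for the 32-bit x86 encodings of that compare. The scanner is a heuristic for where to look first, not a disassembler; the code bytes it runs over are constructed for this example.

```python
def rc4_ksa(key):
    """Key scheduling: the 0..255 initialisation and the 256-iteration mixing loop.
    Compiled, this is where a `cmp reg, 100h` next to a loop comes from."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4(key, data):
    """Encrypt or decrypt (same operation) `data` with RC4 under `key`."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Heuristic scanner for 32-bit x86: where is 0x100 compared against a register or a
# stack local?  Encodings covered:
#   3D imm32            cmp eax, imm32
#   81 F8+r imm32       cmp r32, imm32          (ModRM = 11 111 rrr)
#   81 7D disp8 imm32   cmp dword ptr [ebp+disp8], imm32
IMM_256 = (256).to_bytes(4, "little")


def find_cmp_256(code):
    hits = []
    n = len(code)
    for off in range(n):
        op = code[off]
        nxt = code[off + 1] if off + 1 < n else None
        if op == 0x3D and code[off + 1:off + 5] == IMM_256:
            hits.append((off, "cmp eax, 100h"))
        elif op == 0x81 and nxt is not None and 0xF8 <= nxt <= 0xFF and code[off + 2:off + 6] == IMM_256:
            hits.append((off, "cmp r32, 100h"))
        elif op == 0x81 and nxt == 0x7D and code[off + 3:off + 7] == IMM_256:
            hits.append((off, "cmp [ebp+disp8], 100h"))
    return hits


# Constructed code bytes (not from a real sample): a counter loop plus two more compares
SAMPLE_CODE = bytes.fromhex(
    "33c9"            # xor ecx, ecx
    "41"              # inc ecx
    "81f900010000"    # cmp ecx, 100h
    "7cf8"            # jl  back to the inc
    "3d00010000"      # cmp eax, 100h
    "817dfc00010000"  # cmp dword ptr [ebp-4], 100h
)

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())
    print(find_cmp_256(SAMPLE_CODE))
```

A hit from find_cmp_256 only says a 256 comparison exists; confirm RC4 by checking that the loop next to it builds a 256-byte table and that a second 256-iteration loop (the mixing in the KSA) follows. Once confirmed, the key from a CryptImportKey blob or from the sample's own key-schedule argument decrypts the data directly with rc4 above.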
------------
wsprintfW(v10, L"%S", v5)
is effectively v10 = v5 (with wsprintfW, %S means v5 is an ANSI string being widened into the buffer v10),
i.e. re-assigning/re-formatting a value into a new variable