Tuesday, January 2, 2024

Assembly Notes

Random notes

---------------

https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptgenkey




---------------

 https://learn.microsoft.com/en-us/windows/win32/seccrypto/alg-id


ALG_ID




---------------
ucrtbase.dll is the Universal C Runtime library (UCRT)
---------------
CryptAcquireContextA
https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta


#define PROV_RSA_FULL 1
#define PROV_RSA_SIG 2
#define PROV_DSS 3
#define PROV_FORTEZZA 4
#define PROV_MS_EXCHANGE 5
#define PROV_MS_MAIL 5
#define PROV_SSL 6
#define PROV_STT_MER 7
#define PROV_STT_ACQ 8
#define PROV_STT_BRND 9
#define PROV_STT_ROOT 10
#define PROV_STT_ISS 11
#define PROV_RSA_SCHANNEL 12
#define PROV_DSS_DH 13
#define PROV_EC_ECDSA_SIG 14
#define PROV_EC_ECNRA_SIG 15
#define PROV_EC_ECDSA_FULL 16
#define PROV_EC_ECNRA_FULL 17
#define PROV_DH_SCHANNEL 18
#define PROV_SPYRUS_LYNKS 20
#define PROV_RNG 21
#define PROV_INTEL_SEC 22
#define PROV_RSA_AES 24
---------------
CryptImportKey 
https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptimportkey



---------------
VirtualAlloc 
https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc



---------------
SendMessage 
https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendmessage


    HWND_BOTTOM    = 1
    HWND_BROADCAST = 0xFFFF   (written as &HFFFF& in VB declarations)
    HWND_DESKTOP   = 0
    HWND_NOTOPMOST = -2
    HWND_TOP       = 0
    HWND_TOPMOST   = -1

---------------
FARPROC
It's a pointer to a function in a DLL (the type GetProcAddress returns)


---------------
NtAllocateVirtualMemory
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntallocatevirtualmemory
https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc


---------------
NtWriteVirtualMemory
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtWriteVirtualMemory.html

---------------
GetProcAddress
https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress



---------------
LoadLibraryA
https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya



---------------
x32dbg
---------------
hit run (go until you hit the "entry breakpoint"; make sure you're not in Windows libraries or pre-cursor code that runs before entry/user code even starts)

bp VirtualAlloc
bp VirtualProtect
bp CreateProcessInternalW
bp WriteProcessMemory
bp IsDebuggerPresent (in case you're seeing anti-debugging)
** if hit, run until return, then change EAX from 1 to 0 each time to say "no debugger"
bp NtResumeThread (when you see CreateProcessInternalW called for itself)
** if the NtResumeThread breakpoint hits, open another x32dbg and attach to that new process,
then add the same breakpoints as before
----------
UPX packed
open in CFF Explorer
Go down to "UPX Utility" option to unpack
-----------
open the dump file in PE Bear
view the imports (they'll all be red and unresolved, because the dump is still laid out as it was mapped in memory)
to unmap, go to the "section headers" tab in PE Bear
in .text change "raw addr" to match the "virtual addr"
(e.g. change from 400 to 100)
change .rdata, .data, .reloc etc. the same way, so raw addr matches virtual addr
back in .text change "raw size" to the next section's virtual addr minus this section's
(e.g. if .rdata = 22000 and .text = 1000 ... 22000-1000 = 21000 raw size for .text)
for the last section (.reloc), where there is no next section to subtract, try values until the PE Bear graph is "full"
return to "imports" in PE Bear; they should now be resolved and readable
similarly "exports" should look normal
go to the "optional hdr" tab in PE Bear and change "Image Base"
to the same value as the memory region you dumped from Process Hacker (e.g. 0x10000000)
in PE Bear right-click and "save the executable" as "unmapped.bin"
you should now be able to open "unmapped.bin" in IDA with no issue
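The same unmapping steps done programmatically, as an added example (not the blog's code and not PE Bear's): it rewrites each section header so "raw addr" equals "virtual addr" and "raw size" equals the next section's virtual addr minus this one's, then sets ImageBase. The last section has no next section to subtract, so the script assumes it runs to the end of the dump (that is the guess the notes above make by hand). The input is a constructed PE32 dump with three sections, built inline only for the demo.

```python
import struct

SECTION_HDR_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def _locate_headers(data):
    """Return (num_sections, optional_header_offset, magic, section_table_offset)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]        # 0x10B = PE32, 0x20B = PE32+
    return num_sections, opt, magic, opt + opt_size


def read_sections(data):
    """List of (name, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    num, _, _, table = _locate_headers(data)
    sections = []
    for i in range(num):
        off = table + i * SECTION_HDR_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, raw_size, raw_ptr))
    return sections


def read_image_base(data):
    """ImageBase lives at +28 in a PE32 optional header and at +24 in PE32+."""
    _, opt, magic, _ = _locate_headers(data)
    if magic == 0x10B:
        return struct.unpack_from("<I", data, opt + 28)[0]
    if magic == 0x20B:
        return struct.unpack_from("<Q", data, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)


def unmap_dump(data, image_base):
    """Rewrite section headers of a memory dump so file offset == RVA, then set ImageBase."""
    buf = bytearray(data)
    num, opt, magic, table = _locate_headers(buf)
    sections = read_sections(buf)
    for i, (_name, va, _raw_size, _raw_ptr) in enumerate(sections):
        off = table + i * SECTION_HDR_SIZE
        if i + 1 < num:
            raw_size = sections[i + 1][1] - va   # next VA minus this VA (e.g. 22000 - 1000)
        else:
            raw_size = len(buf) - va             # assumption: last section fills the rest of the dump
        # SizeOfRawData is at +16, PointerToRawData at +20: raw addr := virtual addr
        struct.pack_into("<II", buf, off + 16, raw_size, va)
    if magic == 0x10B:
        struct.pack_into("<I", buf, opt + 28, image_base)
    elif magic == 0x20B:
        struct.pack_into("<Q", buf, opt + 24, image_base)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return bytes(buf)


def build_sample_dump():
    """Constructed PE32 dump (valid headers, zero-filled sections) used only for the demo."""
    buf = bytearray(0x30000)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                 # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    # Machine=i386, 3 sections, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", buf, 0x98, 0x10B)                # PE32 magic
    struct.pack_into("<I", buf, 0x98 + 28, 0x00400000)      # ImageBase as linked
    table = 0x98 + 0xE0
    layout = [(b".text", 0x1000, 0x400), (b".rdata", 0x22000, 0x21400), (b".reloc", 0x2A000, 0x29400)]
    for i, (name, va, raw_ptr) in enumerate(layout):
        off = table + i * SECTION_HDR_SIZE
        buf[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", buf, off + 8, 0x1000, va, 0x1000, raw_ptr)
    return bytes(buf)


if __name__ == "__main__":
    unmapped = unmap_dump(build_sample_dump(), 0x10000000)
    for name, va, raw_size, raw_ptr in read_sections(unmapped):
        print(f"{name:8} va=0x{va:X} raw_ptr=0x{raw_ptr:X} raw_size=0x{raw_size:X}")
    print(f"ImageBase=0x{read_image_base(unmapped):X}")
```

Run it against a real dump with `unmap_dump(open("dump.bin", "rb").read(), 0x10000000)` and write the result out as unmapped.bin; if the last section's guessed size is wrong, the import table still resolves, only the trailing section's extent needs adjusting by hand.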

-------------
when you see
RtlAddVectoredExceptionHandler
put a breakpoint on each "int3 ; ret" (Search for -> Current Module -> Pattern, CC C3)
run, and replace each hit with "call eax"
(this exception handler just acts as a trampoline that turns every int3 ; ret into call eax)
----------
When you hit CreateProcessInternalW
Add a breakpoint to NtResumeThread
Then grab a copy of the new EXE (for analysis later)
Then attach to the new process (detaching from the other) in x32dbg
Then add your breakpoints (virtualalloc, virtualprotect, etc.)
Then in Process Hacker "Resume" the thread that was paused and it should hit your breakpoints
---------
rdtsc
cpuid

these assembly instructions can indicate some sort of anti-sandboxing / VM-detection technique
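A small triage scanner, added here as an example (not the blog's code), that does the "Pattern, CC C3" search from the RtlAddVectoredExceptionHandler note above as a script, alongside the rdtsc (0F 31) and cpuid (0F A2) opcodes from this note, and can rewrite the int3 ; ret stubs to call eax (FF D0) the way the note does by hand in the debugger. The sample "code" bytes are constructed for the demo. Raw byte matching is a heuristic: the same bytes can sit inside immediates or data, so each hit still needs confirming in the disassembler.

```python
import re

# Byte patterns the notes tell you to look for, with the label to report.
PATTERNS = {
    "int3; ret (VEH trampoline stub)": rb"\xCC\xC3",
    "rdtsc": rb"\x0F\x31",
    "cpuid": rb"\x0F\xA2",
}

INT3_RET = b"\xCC\xC3"
CALL_EAX = b"\xFF\xD0"   # same length as int3; ret, so the patch is in place


def scan_patterns(code: bytes, patterns=PATTERNS):
    """Return a sorted list of (offset, label) for every pattern hit in `code`."""
    hits = []
    for label, pat in patterns.items():
        for m in re.finditer(pat, code):
            hits.append((m.start(), label))
    return sorted(hits)


def summarize(hits):
    """Count hits per label, e.g. to flag a sample with many rdtsc/cpuid sites."""
    counts = {}
    for _, label in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


def patch_int3_ret_to_call_eax(code: bytes):
    """Rewrite every int3; ret stub as call eax, as the notes do by hand in x32dbg."""
    buf = bytearray(code)
    for off, label in scan_patterns(code):
        if label.startswith("int3; ret"):
            buf[off:off + 2] = CALL_EAX
    return bytes(buf)


# Constructed sample: xor eax,eax ; rdtsc ; mov ebx,eax ; cpuid ; int3 ; ret ; int3 ; ret ; nop
SAMPLE = bytes.fromhex("31C0 0F31 89C3 0FA2 CCC3 CCC3 90".replace(" ", ""))

if __name__ == "__main__":
    for off, label in scan_patterns(SAMPLE):
        print(f"0x{off:04X}  {label}")
    print(summarize(scan_patterns(SAMPLE)))
    print(patch_int3_ret_to_call_eax(SAMPLE).hex())
```

To run it on a real module, read the .text section bytes (or the whole dump) into `SAMPLE` and add the section's virtual address to each offset to get the address x32dbg shows.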
-----------
cmp xxx,100h
cmp xxx,256

e.g. for i = 0 to 255

either of these near a loop could indicate RC4 encryption/decryption (the key-scheduling loop runs over all 256 byte values of the S-box)
------------

wsprintfW(v10, L"%S", v5)

equivalent of v10 = v5
(with the wide wsprintfW, "%S" takes a narrow/ANSI string, so v5 is converted to wide as it is copied)
or re-assigning/re-formatting a value into a new variable
