Zbot - checksum to function
#include <Windows.h>
#include <tlhelp32.h>
#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <peconv.h> // include libPeConv header
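DWORD get_hex_number(char *param)
{
    // Parse a hexadecimal command-line argument (with or without a "0x"/"0X"
    // prefix) into a DWORD. Returns 0 when param is null or holds no hex digits;
    // parsing stops at the first non-hex character.
    if (!param) {
        return 0;
    }
    // strtoul with base 16 accepts an optional 0x prefix by itself, so the
    // former sscanf("%X") / sscanf("%#X") fallback is unnecessary ('#' is not a
    // valid scanf flag, so that second call was undefined behaviour anyway).
    // The unsigned result matches DWORD, unlike "%X" which expects unsigned int.
    return static_cast<DWORD>(std::strtoul(param, nullptr, 16));
}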
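DWORD get_dec_number(char *param)
{
    // Parse a decimal command-line argument into a DWORD. Returns 0 when param
    // is null or does not begin with a number.
    if (!param) {
        return 0;
    }
    // The previous sscanf("%d") stored a signed int through a pointer to an
    // unsigned DWORD (a format/argument type mismatch); strtoul keeps the
    // types consistent and needs no output parameter.
    return static_cast<DWORD>(std::strtoul(param, nullptr, 10));
}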
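bool add_dlls(peconv::ExportsMapper &mapper)
{
    // Register every module currently mapped into this process with the
    // mapper, so an address returned by the sample's resolver can later be
    // translated back into "dll.export". Returns false if the module snapshot
    // could not be taken or enumerated; the mapper is left untouched then.
    HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE32 | TH32CS_SNAPMODULE, GetCurrentProcessId());
    if (hModuleSnap == INVALID_HANDLE_VALUE) {
        return false;
    }
    MODULEENTRY32 me32 = { 0 };
    me32.dwSize = sizeof(MODULEENTRY32);
    if (!Module32First(hModuleSnap, &me32)) {
        CloseHandle(hModuleSnap);
        return false;
    }
    do {
        // The snapshot entry already carries the module's load address
        // (hModule). Using it instead of LoadLibraryA(szModule) avoids
        // re-resolving a bare file name through the DLL search path - which
        // could map a different file than the one actually loaded, or fail
        // and hand a NULL handle to the mapper - and avoids bumping the
        // module's reference count with no matching FreeLibrary.
        mapper.add_to_lookup(me32.szModule, me32.hModule);
    } while (Module32Next(hModuleSnap, &me32));
    CloseHandle(hModuleSnap);
    return true;
}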
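int main(int argc, char *argv[])
{
    // RVAs (relative to the mapped image base, not file offsets) of two
    // routines inside the Zbot sample: the one that builds its hash->API
    // lookup tables and the one that resolves an API from (dll_id, checksum).
    // They are valid ONLY for the sample whose md5 is printed in the usage
    // text; any other PE would be executed at an arbitrary location.
    const ULONG_PTR INIT_IMPORTS_RVA = 0x1000;
    const ULONG_PTR LOAD_BY_CHECKSUM_RVA = 0x151E;

    if (argc < 4) {
        std::cout << "Args: <path to the exe*> <dll_id:dec> <checksum:hex>\n"
            "*required exe: Zbot, md5 = ab756f154d266c8ba19bdfa8bcaf1b73" << std::endl;
        return 0;
    }
    LPCSTR pe_path = argv[1];
    DWORD dll_id = get_dec_number(argv[2]);   // e.g. 0 or 11
    DWORD checksum = get_hex_number(argv[3]); // e.g. 0xD641D17 or 0x7B7D583

    // Map the PE into this process with libPeConv (from a file on disk).
    // SECURITY: the sample's own code is executed in-process below, so this
    // tool must only be run inside an isolated analysis VM.
    size_t v_size = 0;
    BYTE* my_pe = peconv::load_pe_executable(pe_path, v_size);
    if (!my_pe) {
        std::cout << "[-] Failed to load: " << pe_path << "\n";
        return -1;
    }
    std::cout << "[+] Loaded!\n";

    // The md5 is not verified here, so at least refuse to call into an image
    // that is too small to contain the expected routines (a wrong or
    // truncated file would otherwise be called at a garbage address).
    if (v_size <= LOAD_BY_CHECKSUM_RVA) {
        std::cout << "[-] Image too small for the expected offsets - wrong sample?\n";
        return -1;
    }

    // Step 1: let the sample populate its own import lookup tables.
    using init_imports_fn = char (*)();
    init_imports_fn init_imports_lookup =
        reinterpret_cast<init_imports_fn>(INIT_IMPORTS_RVA + reinterpret_cast<ULONG_PTR>(my_pe));
    if (!init_imports_lookup()) {
        std::cout << "[-] Init failed!\n";
        return -1;
    }

    // Step 2: ask the sample to resolve (dll_id, checksum) to a function.
    using load_by_checksum_fn = FARPROC (__cdecl *)(DWORD lib_id, DWORD checksum);
    load_by_checksum_fn load_func_by_checksum =
        reinterpret_cast<load_by_checksum_fn>(LOAD_BY_CHECKSUM_RVA + reinterpret_cast<ULONG_PTR>(my_pe));
    FARPROC proc = load_func_by_checksum(dll_id, checksum);
    if (!proc) {
        std::cout << "[!] Function not found!\n";
        return 1;
    }
    std::cout << "[+] Function retrieved: " << std::hex << proc << "\n";

    // Step 3: map the returned address back to an exported name using the
    // modules loaded in this process (including those the sample pulled in).
    peconv::ExportsMapper mapper;
    if (!add_dlls(mapper)) {
        std::cout << "[!] Could not enumerate loaded modules; name lookup skipped\n";
    }
    const peconv::ExportedFunc *exp = mapper.find_export_by_va(reinterpret_cast<ULONGLONG>(proc));
    if (exp) {
        std::cout << exp->toString() << "\n";
    } else {
        std::cout << "[!] No known export matches this address\n";
    }
    system("pause");
    return 0;
}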
Requires the original malware sample (md5: ab756f154d266c8ba19bdfa8bcaf1b73); the offsets hard-coded in the tool are specific to that build.
