Get Registry Key DACL Security Descriptor

Delphi, Access, ACL, Registry, SDDL, Security Descriptor

The code snippet below demonstrates how to get the DACL security descriptor in SDDL format for a targeted registry key. You need to parse the output SDDL string in order to understand the access properties of the desired keys; there are plenty of articles around explaining the SDDL string format. You can also play with the flags passed to the ConvertSecurityDescriptorToStringSecurityDescriptor call to extract even more information from the security descriptor pointer captured after the RegGetKeySecurity call. ...

Assignment N°7 - Crypters (Delphi/ASM)

June 17, 2020
CRC32, Delphi, Lazarus, RC4, Shellcode, SLAE32, x86

Assignment Goals: This paper is part of the certification process following the SLAE32 course (x86 Assembly Language and Shellcoding on Linux), intended to prepare me to become a future certified OSCE. If you intend to pass the certification, I really suggest you wait until you have finished your own certification process before reading this paper. Why? The goal of that certification is to practice and learn how to solve each assignment by yourself. ...

Get Process Name Method 4 GetProcessImageFileName

April 13, 2020
Delphi, Full Path, GetProcessImageFileName, Image Path, Process Name, Windows API

This time we will use a quite well known API to get the full process image path, GetProcessImageFileName, documented here. Nothing very complex, and this technique works from 32-bit to 64-bit / 64-bit to 32-bit processes.

    // Jean-Pierre LESUEUR (@DarkCoderSc)

    function PhysicalToVirtualPath(APath : String) : String;
    var i          : integer;
        ADrive     : String;
        ABuffer    : array[0..MAX_PATH-1] of Char;
        ACandidate : String;
    begin
      {$I-}
      for I := 0 to 25 do begin
        ADrive := Format('%s:', [Chr(Ord('A') + i)]);
        ///
        if (QueryDosDevice(PWideChar(ADrive), ABuffer, MAX_PATH) = 0) then
          continue;

        ACandidate := String(ABuffer). ...

Get Process Name Method 3 NtQueryInformationProcess

April 13, 2020
Delphi, Full Path, Image Path, Process Name, Windows API, NtQueryInformationProcess

Yet another technique to get the full image path of a target process, using the NtQueryInformationProcess API documented here. This technique works from 32-bit to 64-bit / 64-bit to 32-bit processes.

    // Jean-Pierre LESUEUR (@DarkCoderSc)

    function PhysicalToVirtualPath(APath : String) : String;
    var i          : integer;
        ADrive     : String;
        ABuffer    : array[0..MAX_PATH-1] of Char;
        ACandidate : String;
    begin
      {$I-}
      for I := 0 to 25 do begin
        ADrive := Format('%s:', [Chr(Ord('A') + i)]);
        ///
        if (QueryDosDevice(PWideChar(ADrive), ABuffer, MAX_PATH) = 0) then
          continue;

        ACandidate := String(ABuffer). ...

Enum Attached Files

March 24, 2020
Delphi, Windows, Attached Files, Enumerate, Open Files, Open Handles

The snippet above demonstrates how to enumerate files opened by running programs on Windows. Some file unlockers use this technique to find where a specific file is attached and then force the processes using that file to release its handle (via code injection techniques). I will write an example in a future snippet thread. Notice: at the bottom of that page, you will see a concrete example of how to use that unit. ...

Get DLL Exported Function Address From Memory

March 18, 2020
Delphi, Alternative, DLL, Exported Function, GetProcAddress, Memory

As promised, we will adapt our previous code to grab an exported function directly from memory. The serious advantage of this technique: we no longer have to use CreateToolHelp32Snapshot to enumerate modules and catch the target module's base address, and we no longer need to parse the PE header from disk, since we parse it directly from memory. Notice that it is still necessary to use the LoadLibrary API to load the desired DLL into memory. ...

GetProcAddress API Alternative

March 14, 2020
Delphi, Alternative, Export, GetProcAddress, LoadLibrary, PE Header

In the past two days, I released examples about how to enumerate a DLL export table through the PE header. We will see one concrete example of using the UntEnumDLLExport.pas library to dynamically load an API without using the famous Windows API GetProcAddress(). This technique is quite well known and often used by some malware to mask which APIs it is dynamically loading and avoid antivirus detection. To do so, we still need to use LoadLibrary() first to load a DLL into memory and retrieve its address, then iterate through the loaded DLL's export table and catch the target function address. ...

DLL Export Enum v1.0 (Open Source + Signed Binary)

March 13, 2020
Delphi, PE Header, DLL Export, Enumerator, Functions, List

This project is mainly created to demonstrate how to use the previously released unit UntEnumDLLExport.pas, available here. The project is open source (see below for the GitHub link) and, for those who don't have Delphi installed, you can download the compiled and code-signed application (both 32 and 64-bit).

Available Features
- Enumerate exported functions from a DLL.
- Support ordinal value only.
- Display function address and relative address.
- Support forwarded functions. ...

Enum DLL Exported Functions

March 12, 2020
Delphi, Windows, DLL, Export, Library, PE Header, Exported Functions

This unit demonstrates how to enumerate DLL exported functions through PE header manipulation.

Features
- Support both 32 and 64-bit DLLs.
- Identify exported function names.
- Identify exported function ordinal values.
- Support and resolve forwarded functions.
- Identify exported function address and relative address.

Unit Code

    (*******************************************************************************
     Author: -> Jean-Pierre LESUEUR (@DarkCoderSc)
     License: -> MIT
    *******************************************************************************)

    unit UntEnumDLLExport;

    interface

    uses Classes, Windows, Generics.Collections, SysUtils;

    type
      TExportEntry = class
      private
        FName         : String;
        FForwarded    : Boolean;
        FForwardName  : String;
        FRelativeAddr : Cardinal;
        FAddress      : Int64;
        FOrdinal      : Word;

        {@M}
        function GetFormatedAddress() : String;
        function GetFormatedRelativeAddr() : String;
      public
        {@C}
        constructor Create();

        {@G/S}
        property Name         : String   read FName         write FName;
        property Forwarded    : Boolean  read FForwarded    write FForwarded;
        property ForwardName  : String   read FForwardName  write FForwardName;
        property Address      : Int64    read FAddress      write FAddress;
        property RelativeAddr : Cardinal read FRelativeAddr write FRelativeAddr;
        property Ordinal      : Word     read FOrdinal      write FOrdinal;

        {@G}
        property FormatedAddress         : String read GetFormatedAddress;
        property FormatedRelativeAddress : String read GetFormatedRelativeAddr;
      end;

      TEnumDLLExport = class
      private
        FItems    : TObjectList<TExportEntry>;
        FFileName : String;

        {@M}
      public
        {@C}
        constructor Create(AFileName : String);
        destructor Destroy(); override;

        {@M}
        function Enum() : Integer;

        {@G}
        property Items    : TObjectList<TExportEntry> read FItems;
        property FileName : String                    read FFileName;
      end;

    implementation

    {+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      Local Functions
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}

    function IntToHexF(AValue : Int64; APad : Word = 0 {0=Auto}) : String;
    begin
      if (APad = 0) then begin
        if (AValue <= High(Word)) then
          APad := 2
        else if (AValue <= High(DWORD)) and (AValue > High(Word)) then
          APad := 8
        else if (AValue <= High(Int64)) and (AValue > High(DWORD)) then
          APad := 16;
      end;

      result := '0x' + IntToHex(AValue, APad);
    end;

    {+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      TExportEntry
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++}

    constructor TExportEntry. ...

Get Process Name Method 1

March 12, 2020
Delphi, Full Path, Image Path, Process Name, Process Id

This is one possible technique (through QueryFullProcessImageNameW) to get a process image path from its id. This example supports Windows Vista up to the latest Windows version (currently Windows 10). I will progressively cover other examples, compatible with Windows XP and below.

    // Jean-Pierre LESUEUR (@DarkCoderSc)
    //...
    uses Windows, SysUtils;
    //...

    function GetProcessName(AProcessID : Cardinal) : String;
    var hProc   : THandle;
        ALength : DWORD;
        hDLL    : THandle;

        QueryFullProcessImageNameW : function(
                                              AProcess: THANDLE;
                                              AFlags: DWORD;
                                              AFileName: PWideChar;
                                              var ASize: DWORD): BOOL; stdcall;
    const PROCESS_QUERY_LIMITED_INFORMATION = $00001000;
    begin
      result := '';
      ///
      if (TOSVersion. ...