Setup Rabi Ribi memory detection

main
Joshua Sigona 3 years ago
commit 9d0b755340
  1. BIN
      bin/sig/MemoryUtils.class
  2. BIN
      bin/sig/RabiRandomTeleportation.class
  3. BIN
      bin/sig/utils/Module.class
  4. BIN
      bin/sig/utils/MyKernel32.class
  5. BIN
      bin/sig/utils/MyUser32.class
  6. BIN
      bin/sig/utils/Psapi$LPMODULEINFO.class
  7. BIN
      bin/sig/utils/Psapi.class
  8. BIN
      bin/sig/utils/PsapiTools.class
  9. BIN
      lib/jna-4.5.0.jar
  10. BIN
      lib/jna-platform-4.5.0.jar
  11. 37
      src/sig/MemoryUtils.java
  12. 61
      src/sig/RabiRandomTeleportation.java
  13. 64
      src/sig/utils/Module.java
  14. 81
      src/sig/utils/MyKernel32.java
  15. 12
      src/sig/utils/MyUser32.java
  16. 57
      src/sig/utils/Psapi.java
  17. 104
      src/sig/utils/PsapiTools.java


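--- a/src/sig/MemoryUtils.java
+++ b/src/sig/MemoryUtils.java
@@ -0,0 +1,37 @@
+package sig;
+import com.sun.jna.Native;
+import com.sun.jna.platform.win32.Advapi32;
+import com.sun.jna.platform.win32.Kernel32;
+import com.sun.jna.platform.win32.WinNT;
+import com.sun.jna.platform.win32.WinDef.DWORD;
+import com.sun.jna.platform.win32.WinNT.HANDLEByReference;
+public class MemoryUtils {
+/**
+* Enables debug privileges for this process, required for OpenProcess() to
+* get processes other than the current user
+*/
+public static void enableDebugPrivilege() {
+HANDLEByReference hToken = new HANDLEByReference();
+boolean success = Advapi32.INSTANCE.OpenProcessToken(Kernel32.INSTANCE.GetCurrentProcess(),
+WinNT.TOKEN_QUERY | WinNT.TOKEN_ADJUST_PRIVILEGES, hToken);
+if (!success) {
+System.out.println("OpenProcessToken failed. Error: {}" + Native.getLastError());
+return;
+}
+WinNT.LUID luid = new WinNT.LUID();
+success = Advapi32.INSTANCE.LookupPrivilegeValue(null, WinNT.SE_DEBUG_NAME, luid);
+if (!success) {
+System.out.println("LookupprivilegeValue failed. Error: {}" + Native.getLastError());
+return;
+}
+WinNT.TOKEN_PRIVILEGES tkp = new WinNT.TOKEN_PRIVILEGES(1);
+tkp.Privileges[0] = new WinNT.LUID_AND_ATTRIBUTES(luid, new DWORD(WinNT.SE_PRIVILEGE_ENABLED));
+success = Advapi32.INSTANCE.AdjustTokenPrivileges(hToken.getValue(), false, tkp, 0, null, null);
+if (!success) {
+System.out.println("AdjustTokenPrivileges failed. Error: {}" + Native.getLastError());
+}
+Kernel32.INSTANCE.CloseHandle(hToken.getValue());
+}
+}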
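Review bot: The token handle obtained from OpenProcessToken leaks on the early `return;` taken when LookupPrivilegeValue fails, because CloseHandle is only reached at the very end of enableDebugPrivilege. AdjustTokenPrivileges also returns TRUE when the privilege could not be assigned (GetLastError then reports ERROR_NOT_ALL_ASSIGNED, 1300), so the `!success` check alone does not prove SeDebugPrivilege was actually enabled; reading Native.getLastError() after a successful call makes that failure visible. Separately, the `{}` in the three messages is an SLF4J-style placeholder concatenated into a plain string and prints literally (e.g. `Error: {}5`); drop it or switch to a logger. Moving the rest of the body into a try/finally that closes the handle covers every exit path.
```java
WinNT.HANDLE token = hToken.getValue();
try {
    // … unchanged: LookupPrivilegeValue and TOKEN_PRIVILEGES setup …
    success = Advapi32.INSTANCE.AdjustTokenPrivileges(token, false, tkp, 0, null, null);
    // TRUE with a non-zero last error means the privilege was not assigned
    if (!success || Native.getLastError() != 0) {
        System.out.println("AdjustTokenPrivileges failed. Error: " + Native.getLastError());
    }
} finally {
    Kernel32.INSTANCE.CloseHandle(token);
}
```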

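--- a/src/sig/RabiRandomTeleportation.java
+++ b/src/sig/RabiRandomTeleportation.java
@@ -0,0 +1,61 @@
+package sig;
+import sig.utils.PsapiTools;
+import java.util.List;
+import com.sun.jna.Memory;
+import com.sun.jna.Pointer;
+import com.sun.jna.platform.win32.Kernel32;
+import com.sun.jna.platform.win32.WinNT;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+import sig.utils.Module;
+public class RabiRandomTeleportation {
+final int PROCESS_PERMISSIONS = WinNT.PROCESS_QUERY_INFORMATION | WinNT.PROCESS_VM_READ | WinNT.PROCESS_VM_WRITE;
+public HANDLE rabiribiProcess = null;
+int rabiRibiPID = -1;
+private void CheckRabiRibiClient() {
+List<Integer> pids;
+try {
+pids = PsapiTools.getInstance().enumProcesses();
+boolean found=false;
+for (Integer pid : pids) {
+HANDLE process = Kernel32.INSTANCE.OpenProcess(PROCESS_PERMISSIONS, true, pid);
+List<Module> hModules;
+try {
+hModules = PsapiTools.getInstance().EnumProcessModules(process);
+for(Module m: hModules){
+//System.out.println(m.getFileName()+":"+m.getEntryPoint());
+if (m.getFileName().contains("rabiribi")) {
+found=true;
+long rabiRibiMemOffset = Pointer.nativeValue(m.getLpBaseOfDll().getPointer());
+System.out.println("Found an instance of Rabi-Ribi at 0x"+Long.toHexString(rabiRibiMemOffset)+" | File:"+m.getFileName()+","+m.getBaseName());
+rabiRibiPID=pid;
+rabiribiProcess=process;
+break;
+}
+}
+if (found) {
+break;
+}
+} catch (Exception e) {
+e.printStackTrace();
+}
+if (process!=null) {
+Kernel32.INSTANCE.CloseHandle(process);
+}
+}
+if (!found) {
+System.out.println("Rabi-Ribi process lost.");
+}
+} catch (Exception e) {
+e.printStackTrace();
+}
+}
+public static void main(String[] args) {
+RabiRandomTeleportation app = new RabiRandomTeleportation();
+app.CheckRabiRibiClient();
+}
+}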
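Review bot: OpenProcess at the top of the pid loop in CheckRabiRibiClient asks for PROCESS_VM_WRITE and passes bInheritHandle=true for every process on the machine, although this loop only reads module names; the inherit flag additionally hands those handles to any child process the tool later spawns. Enumerate with the minimum, `Kernel32.INSTANCE.OpenProcess(WinNT.PROCESS_QUERY_INFORMATION | WinNT.PROCESS_VM_READ, false, pid)`, and reopen only the matched pid with write access at the point where a write is actually performed. OpenProcess returns null for processes the caller may not open, and that null is currently passed straight into EnumProcessModules instead of being skipped with `if (process == null) continue;`. Note also that the result of `m.getLpBaseOfDll()` is dereferenced without a null check even though Module's getter can return null when the lookup failed.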

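--- a/src/sig/utils/Module.java
+++ b/src/sig/utils/Module.java
@@ -0,0 +1,64 @@
+package sig.utils;
+import sig.utils.Psapi.LPMODULEINFO;
+import com.sun.jna.platform.win32.WinDef.HMODULE;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+public class Module {
+private HANDLE hProcess;
+private HMODULE hModule;
+private HANDLE lpBaseOfDll = null;
+private int SizeOfImage = 0;
+private HANDLE EntryPoint = null;
+private PsapiTools psapi = PsapiTools.getInstance();
+protected Module() {
+}
+public Module(HANDLE hProcess, HMODULE hModule) {
+this.hProcess = hProcess;
+this.hModule = hModule;
+}
+public HMODULE getPointer() {
+return hModule;
+}
+public String getFileName() {
+return psapi.GetModuleFileNameExA(hProcess, hModule);
+}
+public String getBaseName() {
+return psapi.GetModuleBaseNameA(hProcess, hModule);
+}
+private void GetModuleInformation() {
+if (lpBaseOfDll == null) {
+try {
+LPMODULEINFO x = psapi.GetModuleInformation(hProcess, hModule);
+lpBaseOfDll = x.lpBaseOfDll;
+SizeOfImage = x.SizeOfImage;
+EntryPoint = x.EntryPoint;
+} catch (Exception e) {
+e.printStackTrace();
+}
+}
+}
+public HANDLE getLpBaseOfDll() {
+GetModuleInformation();
+return lpBaseOfDll;
+}
+public int getSizeOfImage() {
+GetModuleInformation();
+return SizeOfImage;
+}
+public HANDLE getEntryPoint() {
+GetModuleInformation();
+return EntryPoint;
+}
+}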
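Review bot: getLpBaseOfDll, getSizeOfImage and getEntryPoint return null/0 both for an instance built through the protected no-arg constructor and whenever GetModuleInformation fails, since the private GetModuleInformation prints the exception and swallows it; and because lpBaseOfDll stays null in that case, the native call is repeated, with a fresh stack trace, on every later getter call. Callers cannot tell the two situations apart, and RabiRandomTeleportation dereferences the result directly. A Javadoc on each of the three getters, e.g. `/** Base address of the module inside hProcess, or null if GetModuleInformation failed (the lookup is retried on every call until it succeeds). */`, makes that contract visible; a `private boolean infoLoaded` flag set in both the try and the catch would stop the retry storm.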

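--- a/src/sig/utils/MyKernel32.java
+++ b/src/sig/utils/MyKernel32.java
@@ -0,0 +1,81 @@
+package sig.utils;
+import com.sun.jna.Memory;
+import com.sun.jna.Native;
+import com.sun.jna.platform.win32.Kernel32;
+import com.sun.jna.ptr.IntByReference;
+public interface MyKernel32 extends Kernel32 {
+final Kernel32 INSTANCE = (Kernel32) Native.loadLibrary ("kernel32", Kernel32.class);
+// BOOL WINAPI WriteProcessMemory(
+// __in HANDLE hProcess,
+// __in LPVOID lpBaseAddress,
+// __in LPCVOID lpBuffer,
+// __in SIZE_T nSize,
+// __out SIZE_T *lpNumberOfBytesWritten
+// );
+boolean WriteProcessMemory(HANDLE p, int address, HANDLE buffer, int size, IntByReference written);
+// BOOL WINAPI ReadProcessMemory(
+// __in HANDLE hProcess,
+// __in LPCVOID lpBaseAddress,
+// __out LPVOID lpBuffer,
+// __in SIZE_T nSize,
+// __out SIZE_T *lpNumberOfBytesRead
+// );
+boolean ReadProcessMemory(HANDLE hProcess, int inBaseAddress, Memory outputBuffer, int nSize, IntByReference outNumberOfBytesRead);
+// HANDLE WINAPI OpenProcess(
+// __in DWORD dwDesiredAccess,
+// __in BOOL bInheritHandle,
+// __in DWORD dwProcessId
+// );
+HANDLE OpenProcess(int desired, boolean inherit, int pid);
+// BOOL WINAPI EnumProcessModules(
+// _In_ HANDLE hProcess,
+// _Out_ HMODULE *lphModule,
+// _In_ DWORD cb,
+// _Out_ LPDWORD lpcbNeeded
+// );
+boolean EnumProcessModules(HANDLE hProcess, HMODULE lphModule, int cb, int lpcbNeeded);
+// DWORD WINAPI GetModuleFileName(
+// _In_opt_ HMODULE hModule,
+// _Out_ LPTSTR lpFilename,
+// _In_ DWORD nSize
+// );
+int GetModuleFileName(HMODULE hModule, String lpFilename, int size);
+// DWORD WINAPI GetModuleFileNameEx(
+// _In_ HANDLE hProcess,
+// _In_opt_ HMODULE hModule,
+// _Out_ LPTSTR lpFilename,
+// _In_ DWORD nSize
+// );
+// BOOL WINAPI GetModuleHandleEx(
+// _In_ DWORD dwFlags,
+// _In_opt_ LPCTSTR lpModuleName,
+// _Out_ HMODULE *phModule
+// );
+int GetModuleHandleExA(int permissions, String lpFilename, HMODULE module);
+// BOOL WINAPI EnumProcesses(
+// _Out_ DWORD *pProcessIds,
+// _In_ DWORD cb,
+// _Out_ DWORD *pBytesReturned
+// );
+boolean EnumProcesses(int[] processIds, int cb, int bytesReturned);
+int GetLastError();
+}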
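Review bot: INSTANCE is declared as `Kernel32` and bound with `Kernel32.class`, so none of the functions declared in this interface (WriteProcessMemory, ReadProcessMemory, OpenProcess, EnumProcessModules, …) are ever mapped; every caller only sees JNA's stock Kernel32, which is all PsapiTools currently relies on. MyUser32.java in this commit has the same shape (`User32 INSTANCE` bound to `User32.class`). If the custom signatures are meant to be used, bind the interface itself, `MyKernel32 INSTANCE = (MyKernel32) Native.loadLibrary("kernel32", MyKernel32.class, W32APIOptions.DEFAULT_OPTIONS);` (import com.sun.jna.win32.W32APIOptions). Before that is done the signatures need fixing too: the `int address`/`int inBaseAddress` parameters truncate a 64-bit lpBaseAddress to 32 bits (use `Pointer`), `int lpcbNeeded` and `int bytesReturned` pass out-parameters by value (use `IntByReference`), and a `String lpFilename` cannot receive GetModuleFileName's output buffer (use `byte[]` or `char[]`).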

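--- a/src/sig/utils/MyUser32.java
+++ b/src/sig/utils/MyUser32.java
@@ -0,0 +1,12 @@
+package sig.utils;
+import com.sun.jna.Native;
+import com.sun.jna.platform.win32.User32;
+public interface MyUser32 extends User32 {
+final User32 INSTANCE = (User32) Native.loadLibrary ("user32", User32.class);
+boolean ShowWindow(HWND hWnd, int nCmdShow);
+boolean SetForegroundWindow(HWND hWnd);
+HWND FindWindowA(String lpClassName, String lpWindowName);
+}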

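--- a/src/sig/utils/Psapi.java
+++ b/src/sig/utils/Psapi.java
@@ -0,0 +1,57 @@
+package sig.utils;
+import java.util.Arrays;
+import java.util.List;
+import com.sun.jna.Native;
+import com.sun.jna.Structure;
+import com.sun.jna.platform.win32.WinDef.HMODULE;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+import com.sun.jna.ptr.IntByReference;
+import com.sun.jna.win32.StdCallLibrary;
+public interface Psapi extends StdCallLibrary{
+Psapi INSTANCE = (Psapi) Native.loadLibrary("Psapi", Psapi.class);
+/*
+* http://msdn.microsoft.com/en-us/library/ms682629(VS.85).aspx
+*/
+boolean EnumProcesses(int[] pProcessIds, int cb, IntByReference pBytesReturned);
+/*
+* http://msdn.microsoft.com/en-us/library/ms682631(VS.85).aspx
+*/
+boolean EnumProcessModules(HANDLE hProcess, HMODULE[] lphModule, int cb, IntByReference lpcbNeededs);
+boolean EnumProcessModulesEx(HANDLE hProcess, HMODULE[] lphModule, int cb, IntByReference lpcbNeededs, int flags);
+/*
+* http://msdn.microsoft.com/en-us/library/ms683198(VS.85).aspx
+*/
+int GetModuleFileNameExA(HANDLE hProcess, HMODULE hModule, byte[] lpImageFileName, int nSize);
+int GetModuleBaseNameA(HANDLE hProcess, HMODULE hModule, byte[] lpImageFileName, int nSize);
+/*
+* http://msdn.microsoft.com/en-us/library/ms684229(VS.85).aspx
+*/
+public static class LPMODULEINFO extends Structure {
+public HANDLE lpBaseOfDll;
+public int SizeOfImage;
+public HANDLE EntryPoint;
+@Override
+protected List getFieldOrder() {
+return Arrays.asList(new String[] { "lpBaseOfDll", "SizeOfImage", "EntryPoint"});
+}
+}
+/*
+* http://msdn.microsoft.com/en-us/library/ms683201(VS.85).aspx
+*/
+boolean GetModuleInformation(HANDLE hProcess, HMODULE hModule, LPMODULEINFO lpmodinfo, int cb);
+}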
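Review bot: getFieldOrder in LPMODULEINFO returns a raw `List`, which is a style point rather than a bug but trips the unchecked-warning policy; `protected List<String> getFieldOrder() { return Arrays.asList("lpBaseOfDll", "SizeOfImage", "EntryPoint"); }` keeps the override type-safe and drops the explicit array. The MSDN links sit in plain block comments above each binding; written as Javadoc (`/** ... */`) they would show up on the methods in the IDE and in generated docs. The parameter name `lpcbNeededs` on both EnumProcessModules overloads is a typo for `lpcbNeeded`, the name used in the Win32 prototype.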

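--- a/src/sig/utils/PsapiTools.java
+++ b/src/sig/utils/PsapiTools.java
@@ -0,0 +1,104 @@
+package sig.utils;
+import java.util.LinkedList;
+import java.util.List;
+import sig.utils.Psapi.LPMODULEINFO;
+import com.sun.jna.Native;
+import com.sun.jna.platform.win32.Kernel32;
+import com.sun.jna.platform.win32.WinDef.HMODULE;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+import com.sun.jna.ptr.IntByReference;
+public class PsapiTools {
+private static PsapiTools INSTANCE=null;
+private static Psapi psapi = Psapi.INSTANCE;
+private static Kernel32 k32 = MyKernel32.INSTANCE;
+private PsapiTools(){}
+public static PsapiTools getInstance(){
+if (INSTANCE==null)
+INSTANCE=new PsapiTools();
+return INSTANCE;
+}
+public List<Integer> enumProcesses() throws Exception{
+List<Integer> list = new LinkedList<Integer>();
+int[] pProcessIds = new int[1024];
+IntByReference pBytesReturned = new IntByReference();
+boolean success = psapi.EnumProcesses(pProcessIds, pProcessIds.length*Integer.SIZE/8, pBytesReturned);
+if (!success){
+int err=k32.GetLastError();
+throw new Exception("EnumProcesses failed. Error: "+err);
+}
+int size = (pBytesReturned.getValue()/(Integer.SIZE/8));
+for (int i=0;i<size;i++)
+list.add(pProcessIds[i]);
+return list;
+}
+public List<Module> EnumProcessModules(HANDLE hProcess) throws Exception{
+List<Module> list = new LinkedList<Module>();
+HMODULE[] lphModule = new HMODULE[1024];
+IntByReference lpcbNeededs= new IntByReference();
+boolean success = psapi.EnumProcessModules(hProcess, lphModule, lphModule.length, lpcbNeededs);
+if (!success){
+int err=k32.GetLastError();
+if (err!=6 && err!=299) {
+throw new Exception("EnumProcessModules failed. Error: "+err);
+}
+}
+for (int i = 0; i < lpcbNeededs.getValue()/4; i++) {
+list.add(new Module(hProcess, lphModule[i]));
+}
+return list;
+}
+public List<Module> EnumProcessModulesEx(HANDLE hProcess, int flags) throws Exception{
+List<Module> list = new LinkedList<Module>();
+HMODULE[] lphModule = new HMODULE[1024];
+IntByReference lpcbNeededs= new IntByReference();
+boolean success = psapi.EnumProcessModulesEx(hProcess, lphModule, lphModule.length, lpcbNeededs, flags);
+if (!success){
+int err=k32.GetLastError();
+throw new Exception("EnumProcessModules failed. Error: "+err);
+}
+for (int i = 0; i < lpcbNeededs.getValue()/4; i++) {
+list.add(new Module(hProcess, lphModule[i]));
+}
+return list;
+}
+public String GetModuleFileNameExA(HANDLE hProcess, HMODULE hModule){
+byte[] lpImageFileName= new byte[256];
+psapi.GetModuleFileNameExA(hProcess, hModule, lpImageFileName, 256);
+return Native.toString(lpImageFileName);
+}
+public String GetModuleBaseNameA(HANDLE hProcess, HMODULE hModule){
+byte[] lpImageFileName= new byte[256];
+psapi.GetModuleBaseNameA(hProcess, hModule, lpImageFileName, 256);
+return Native.toString(lpImageFileName);
+}
+public LPMODULEINFO GetModuleInformation(HANDLE hProcess, HMODULE hModule) throws Exception{
+LPMODULEINFO lpmodinfo = new LPMODULEINFO();
+boolean success = psapi.GetModuleInformation(hProcess, hModule, lpmodinfo, lpmodinfo.size());
+if (!success){
+int err=k32.GetLastError();
+throw new Exception("GetModuleInformation failed. Error: "+err);
+}
+return lpmodinfo;
+}
+}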
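Review bot: In EnumProcessModules (and identically in EnumProcessModulesEx) the `cb` argument is passed as `lphModule.length`, but PSAPI expects the buffer size in bytes, and the loop bound divides lpcbNeeded by a hard-coded 4; on a 64-bit JVM the call is told the buffer holds 1024 bytes (128 handles) while the loop walks lpcbNeeded/4 entries, so modules past the 128th are dropped and the slots beyond what was filled are nulls wrapped in Module objects. Use `Native.POINTER_SIZE` for both and cap the walk at the array length. The `err!=6 && err!=299` filter also silently accepts ERROR_INVALID_HANDLE, which is exactly what a null handle from a failed OpenProcess produces, so an unopenable process is indistinguishable from one with no modules; naming the two constants and logging the skipped case would keep that failure visible. enumProcesses likewise cannot tell a full 1024-entry buffer from an exact fit (compare pBytesReturned with cb and retry with a larger array when they are equal).
```java
HMODULE[] lphModule = new HMODULE[1024];
IntByReference lpcbNeededs = new IntByReference();
int cb = lphModule.length * Native.POINTER_SIZE; // cb is a byte count, not an entry count
boolean success = psapi.EnumProcessModules(hProcess, lphModule, cb, lpcbNeededs);
// … unchanged: error check …
int count = Math.min(lpcbNeededs.getValue() / Native.POINTER_SIZE, lphModule.length);
for (int i = 0; i < count; i++) {
    list.add(new Module(hProcess, lphModule[i]));
}
```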