-
[REQ] FWB++
Hello everyone, I'm looking for a working example of bypassing FWs.
I was looking for it in RATs, and I think CyberGate has the best one. I tried to disassemble it, but I don't have enough time for more analysis. Just wondering if someone has something like that.
Never mind which language it is written in; WinAPI will be enough.
Thank you ;-)
-
FWB is usually nothing more than injecting into the default browser. If you code in Delphi, look up Aphex Inject Library or just search for FWB Downloader, as there are hundreds of examples.
-
I was looking for them around here, but I can't find any working example that works with full PE injection, because browsers crash after such a method of injection. So, is there no other safe way to do it?
-
I tried to inject a RAT into iexplore.exe but it didn't work?
Only GOD can judge me.
It's not about where you code, it's all about HOW you code.
-
Maybe because you are trying to inject x86 code into an x64 process?
-
My first topic on this forum (as a skid) was asking for FWB#++ (or whatever). I'll tell you what I wish someone had told me:
FWB = DLL Injection
FWB++ = Full PE Injection (to default browser)
FWB# = Unhooking APIs in the current process (maybe even SSDT, though that is irrelevant now)
I'll be posting a downloader soon that will be a simple example of "FWB++", but there are plenty of examples out there.
Most FWs actually detect this now, just look at Comodo.
-

Originally Posted by Overflowz
I was looking for them around here, but I can't find any working example that works with full PE injection, because browsers crash after such a method of injection. So, is there no other safe way to do it?
It's called RUNPE. Start a process suspended, unmap the memory, inject your PE, change context and you're done.
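From the detection side, the sequence named in this post (suspended start, unmap, write, context change) is what endpoint tooling can key on. The following is an added example, not part of the original thread: a rule run over a constructed API-call trace, where the event format, PIDs and image names are assumptions.

```python
# Constructed API-call trace in a made-up (caller_pid, api, target_pid, detail)
# format, as a sandbox or EDR hook layer might record it. Not real telemetry.
SAMPLE_TRACE = [
    (4100, "CreateProcess", 5200, {"flags": ["CREATE_SUSPENDED"], "image": "browser.exe"}),
    (4100, "NtUnmapViewOfSection", 5200, {}),
    (4100, "VirtualAllocEx", 5200, {"protect": "PAGE_EXECUTE_READWRITE"}),
    (4100, "WriteProcessMemory", 5200, {"size": 4096}),
    (4100, "WriteProcessMemory", 5200, {"size": 65536}),
    (4100, "SetThreadContext", 5200, {}),
    (4100, "ResumeThread", 5200, {}),
    # Benign launcher: starts a child suspended, then simply resumes it.
    (4300, "CreateProcess", 5300, {"flags": ["CREATE_SUSPENDED"], "image": "notepad.exe"}),
    (4300, "ResumeThread", 5300, {}),
    # Benign: ordinary child process.
    (4400, "CreateProcess", 5400, {"flags": [], "image": "calc.exe"}),
]

# Ordered stages that must follow a suspended start for the rule to fire.
STAGES = ["NtUnmapViewOfSection", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]

def find_hollowing(trace):
    """Return one alert per child that was created suspended and then
    unmapped, written to, re-contexted and resumed by the same caller."""
    stage, info, alerts = {}, {}, []
    for caller, api, target, detail in trace:
        key = (caller, target)
        if api == "CreateProcess":
            if "CREATE_SUSPENDED" in detail.get("flags", []):
                stage[key] = 0
                info[key] = {"parent_pid": caller, "child_pid": target,
                             "image": detail.get("image"), "rwx_alloc": False}
            continue
        if key not in stage:
            continue  # child was not started suspended by this caller
        if api == "VirtualAllocEx" and detail.get("protect") == "PAGE_EXECUTE_READWRITE":
            info[key]["rwx_alloc"] = True  # supporting signal only, not required
        elif api == STAGES[stage[key]]:
            stage[key] += 1
            if stage[key] == len(STAGES):
                alerts.append(info.pop(key))
                del stage[key]
        elif api == "ResumeThread":
            del stage[key], info[key]  # resumed before the sequence completed
    return alerts

if __name__ == "__main__":
    for alert in find_hollowing(SAMPLE_TRACE):
        print("possible process hollowing:", alert)
```

The rule keys on call order per parent/child pair, so a launcher that only starts a child suspended and resumes it does not alert.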
-
kubano
I'm not using RATs. Trying to make a new one as a challenge for myself.
Mitti
Do I look like a skid? o_O
Joefish
I tried FWB++ and it works fine with the RunPE method, but not when injecting into browsers or Microsoft apps (calc, notepad, mspaint...)
SqUeEzEr
I tried it already but it doesn't work fine. I even did relocations and API fixing, but it still fails on most browsers and on every Microsoft app.
-
Weird, because here it works just fine. Also numerous other programs use the same technique and they seem to do quite well also. Maybe open up a debugger and investigate why it isn't working on your PC?
-

Originally Posted by Overflowz
kubano
I'm not using RATs. Trying to make a new one as a challenge for myself.
Mitti
Do I look like a skid? o_O
Joefish
I tried FWB++ and it works fine with the RunPE method, but not when injecting into browsers or Microsoft apps (calc, notepad, mspaint...)
SqUeEzEr
I tried it already but it doesn't work fine. I even did relocations and API fixing, but it still fails on most browsers and on every Microsoft app.
Are you running a 64-bit version of Windows? If so, it could be because you're injecting a 32-bit proggie into a suspended 64-bit one.
Also, is DEP enabled? Most skid RunPEs don't parse the section headers correctly and therefore don't set the proper page attributes, causing DEP to kick in. Consider making your RunPE look at the injected exe's IMAGE_SECTION_HEADER.Characteristics and select the appropriate constants (PAGE_READWRITE, PAGE_EXECUTE_READWRITE, etc.)