首页
社区
课程
招聘
[原创]C# bypass HackShiled Inline and ssdt hook.
发表于: 2012-12-4 12:57 6810

[原创]C# bypass HackShiled Inline and ssdt hook.

2012-12-4 12:57
6810
说实话,写这个东西真的听蛋疼。谁能告诉我C#内嵌汇编中一旦改写ebx的值就报错,这是为什么。
 using System.Runtime.InteropServices;
using System.Diagnostics;
static byte[] codeBytesx64 = {0x64,0xA1,
0x30,0x00,0x00,0x00,0x89,0x44,0x24,0x04,
0x05,0x00,0x10,0x00,0x00,0x8B,0x40,0x20,
0x83,0xC0,0x60,0x83,0xC0,0x08,0x8B,0x4C,
 0x24, 0x04,0x89,0x08,0xC3 
                                };
static byte[] codeBytesx86 = {0x64, 0xA1, 0x30,
 0x00 ,0x00 ,0x00 ,0x8B ,0x40,0x10, 0x83, 0xC0,
 0x38 ,0x83 ,0xC0 ,0x04 ,0x8B,0x4C, 0x24 ,0x04 ,
0x89, 0x08,0xC3
                           };
byte[] patchBytes = {
0x43,0x00,0x3a,0x00,0x5c,0x00,0x57,0x00,0x69,
0x00,0x6e,0x00,0x64,0x00,0x6f,0x00,0x77,0x00,
0x73,0x00,0x5c,0x00,0x73,0x00,0x79,0x00,0x73,
0x00,0x74,0x00,0x65,0x00,0x6d,0x00,0x33,0x00,
0x32,0x00,0x5c,0x00,0x73,0x00,0x76,0x00,0x63,
0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,
0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00,0x00
                           };
delegate void AddProc(byte[] p1);
        private void Form1_Load(object sender, EventArgs e)
        {
            IntPtr handle = IntPtr.Zero;
            if (Is64Bit() == true){
            handle = VirtualAlloc(
                IntPtr.Zero,
                codeBytesx64.Length,
                MEM_COMMIT | MEM_RESERVE,
                PAGE_EXECUTE_READWRITE);
Marshal.Copy(codeBytesX64, 0, handle, codeBytesX64.Length);}
            else{
                        handle = VirtualAlloc(
                            IntPtr.Zero,
                            codeBytesx86.Length,
                            MEM_COMMIT | MEM_RESERVE,
                            PAGE_EXECUTE_READWRITE);
Marshal.Copy(codeBytesX86, 0, handle, codeBytesX86.Length);}
            try
            {
                AddProc add
                   = Marshal.GetDelegateForFunctionPointer(handle, typeof(AddProc)) as AddProc;
                add(patchBytes);
            }
            finally
            {
                VirtualFree(handle, 0, MEM_RELEASE);
            }
            MessageBox.Show("Bypass HackShield Kernel Inine and ssdt Hook.!");
        } 
        private static bool Is64Bit() {
        bool retVal; 
     IsWow64Process(Process.GetCurrentProcess().Handle, out retVal); 
return retVal; }
        [DllImport("kernel32.dll", SetLastError = true, CallingConvention = CallingConvention.Winapi)]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern bool IsWow64Process([In] IntPtr hProcess, [Out] out bool lpSystemInfo);
        /*[DllImport("Runtimesupport.dll", EntryPoint = "InitreplacePath", ExactSpelling = false, 
        CallingConvention = CallingConvention.Cdecl)]
        public static extern void InitreplacePath();*/
        [DllImport("Kernel32.dll", EntryPoint = "VirtualAlloc")]
        public static extern IntPtr VirtualAlloc(IntPtr address, int size, uint allocType, uint protect);        
        [DllImport("Kernel32.dll", EntryPoint = "VirtualFree")]
        public static extern bool VirtualFree(IntPtr address, int size, uint freeType);


64位下测试:
   +0x050 DllPath          : _UNICODE_STRING "F:\SCC_20120913\bong!Car\bong!Car\bin\Debug;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\System32;C:\Python27;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Python27;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Python27;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;E:\Program Files (x86)\Microsoft Visual Studio\Common\Tools\WinNT;E:\Program Files (x86)\Microsoft Visual Studio\Common\MSDev98\Bin;E:\Program Files (x86)\Microsoft Visual Studio\Common\Tools;E:\Program Files (x86)\Microsoft Visual Studio\VC98\binncludefiles (x86)\microsoft visual studio\vc98\mfc\includeΐ;E:\Program Files (x86)\IDM Computer Solutions\UltraEdit\"
   +0x060 ImagePathName    : _UNICODE_STRING "C:\Windows\system32\svchost.exe"
   +0x070 CommandLine      : _UNICODE_STRING ""F:\SCC_20120913\bong!Car\bong!Car\bin\Debug\bong!Car.exe" "
   +0x080 Environment      : 0x00000000`003f1320 Void

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 0
支持
分享
最新回复 (2)
雪    币: 27
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
ebx  你把它改了 怎么来处理堆栈平衡啊
2012-12-4 13:37
0
雪    币: 55
活跃值: (519)
能力值: ( LV6,RANK:80 )
在线值:
发帖
回帖
粉丝
3
貌似两个bytes前后都必须加0x60,0x61。是我失误。
2012-12-4 14:39
0
游客
登录 | 注册 方可回帖
返回
//