说实话,写这个东西真的挺蛋疼。谁能告诉我C#内嵌汇编中一旦改写ebx的值就报错,这是为什么。(补充:在 x86 的 cdecl/stdcall 调用约定下,ebx、esi、edi、ebp 属于被调用者保存寄存器,CLR JIT 生成的调用方代码假定调用返回后这些寄存器的值保持不变;shellcode 若要使用 ebx,必须在入口 push ebx、返回前 pop ebx 恢复,否则托管调用方的状态就会被破坏。)
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
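// Both shellcode blobs are 32-bit x86 code: they read fs:[0x30] (TEB->PEB) and fetch their
// single argument from [esp+4], so the hosting process must be an x86 (or WOW64) process.
// Each blob receives one stack argument — the pointer the marshaller derives from AddProc's
// byte[] — and stores it into ProcessParameters->ImagePathName.Buffer. Only the Buffer
// pointer is written: ImagePathName.Length and MaximumLength keep their old values, so any
// reader that honours Length still sees the old byte count.
//
// Variant used when IsWow64Process() is true (32-bit process on 64-bit Windows). It patches
// the 64-bit PEB, which this code assumes sits at PEB32 + 0x1000 (undocumented WOW64 layout;
// confirm on the target OS build).
//   64 A1 30 00 00 00   mov  eax, fs:[0x30]      ; PEB32
//   89 44 24 04         mov  [esp+4], eax        ; overwrites the argument slot (see NOTE)
//   05 00 10 00 00      add  eax, 0x1000         ; PEB64
//   8B 40 20            mov  eax, [eax+0x20]     ; PEB64->ProcessParameters
//   83 C0 60            add  eax, 0x60           ; ImagePathName (matches +0x060 in the dump)
//   83 C0 08            add  eax, 8              ; UNICODE_STRING.Buffer (64-bit layout)
//   8B 4C 24 04         mov  ecx, [esp+4]
//   89 08               mov  [eax], ecx          ; writes only the low 32 bits of Buffer
//   C3                  ret                      ; caller cleans the stack -> cdecl
// NOTE(review): as encoded, [esp+4] is overwritten with the PEB32 pointer before it is
// reloaded into ecx, so ecx no longer holds the byte[] argument that the x86 variant stores.
// Bytes are kept exactly as posted; verify with a disassembler before relying on this variant.
private static readonly byte[] codeBytesx64 = {0x64,0xA1,
0x30,0x00,0x00,0x00,0x89,0x44,0x24,0x04,
0x05,0x00,0x10,0x00,0x00,0x8B,0x40,0x20,
0x83,0xC0,0x60,0x83,0xC0,0x08,0x8B,0x4C,
0x24, 0x04,0x89,0x08,0xC3
};

// Variant used in a plain 32-bit process (IsWow64Process() false): patches the 32-bit PEB.
//   64 A1 30 00 00 00   mov  eax, fs:[0x30]      ; PEB
//   8B 40 10            mov  eax, [eax+0x10]     ; PEB->ProcessParameters
//   83 C0 38            add  eax, 0x38           ; ImagePathName
//   83 C0 04            add  eax, 4              ; UNICODE_STRING.Buffer
//   8B 4C 24 04         mov  ecx, [esp+4]        ; first stack argument: pointer to patchBytes
//   89 08               mov  [eax], ecx
//   C3                  ret                      ; caller cleans the stack -> cdecl
private static readonly byte[] codeBytesx86 = {0x64, 0xA1, 0x30,
0x00 ,0x00 ,0x00 ,0x8B ,0x40,0x10, 0x83, 0xC0,
0x38 ,0x83 ,0xC0 ,0x04 ,0x8B,0x4C, 0x24 ,0x04 ,
0x89, 0x08,0xC3
};

// UTF-16LE, NUL-terminated image path that the shellcode installs as ImagePathName.Buffer
// (62 bytes of text plus a two-byte terminator). Built from the string instead of a hand-typed
// hex table: the posted table was one byte short of a full UTF-16 terminator, so the final
// code unit depended on whatever byte followed the array in memory. The shellcode leaves the
// PEB pointing at this array, so it must stay alive and pinned for the life of the process
// (Form1_Load is responsible for the pin).
private static readonly byte[] patchBytes = Encoding.Unicode.GetBytes("C:\\Windows\\system32\\svchost.exe\0");

// Managed signature of the shellcode: one pointer argument (the pinned byte[]), no result.
// Both blobs return with a plain `ret` and never pop their argument, so the caller must clean
// the stack: that is cdecl. The default for delegates (Winapi, i.e. stdcall on x86) expects the
// callee to pop 4 bytes and would leave the stack unbalanced after every call.
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
private delegate void AddProc(byte[] p1);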
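/// <summary>
/// Makes this process report "C:\Windows\system32\svchost.exe" as its image path by running a
/// small 32-bit shellcode that rewrites ProcessParameters->ImagePathName.Buffer in the PEB —
/// and, in a WOW64 process, in the 64-bit PEB. The windbg dump at the bottom of the page shows
/// the patched 64-bit structure.
/// </summary>
/// <param name="sender">Form load event source (unused).</param>
/// <param name="e">Form load event arguments (unused).</param>
/// <exception cref="PlatformNotSupportedException">The host is not a 32-bit process; both
/// shellcode blobs are x86 encodings.</exception>
/// <exception cref="InvalidOperationException">VirtualAlloc returned a null pointer.</exception>
/// <remarks>
/// Reviewer caveats:
/// - Only the Buffer pointer is rewritten; ImagePathName.Length/MaximumLength keep their old
///   values, so anything that trusts Length reads past the new 62-byte string.
/// - Allocating PAGE_EXECUTE_READWRITE and copying code into it is the textbook shellcode-loader
///   pattern that AV/EDR heuristics flag. The least-privilege form is allocate RW, copy, then
///   VirtualProtect to PAGE_EXECUTE_READ; VirtualProtect is not declared in this class.
/// - MEM_COMMIT, MEM_RESERVE, MEM_RELEASE and PAGE_EXECUTE_READWRITE must be defined elsewhere
///   in this class with their Win32 values.
/// </remarks>
private void Form1_Load(object sender, EventArgs e)
{
    // Both blobs use fs:[0x30] and esp-relative argument access, i.e. 32-bit code. In a native
    // 64-bit process the same bytes decode differently and would crash, so refuse up front.
    if (IntPtr.Size != 4)
    {
        throw new PlatformNotSupportedException("The embedded shellcode is 32-bit x86; build the host as x86.");
    }

    // IsWow64Process() is true only for a 32-bit process on 64-bit Windows; that variant also
    // patches the 64-bit PEB, which is the copy a 64-bit kernel (or driver) reads.
    byte[] code = Is64Bit() ? codeBytesx64 : codeBytesx86;

    // After the call ImagePathName.Buffer points into patchBytes. The marshaller pins the array
    // only for the duration of the call, so pin it here and deliberately never free the handle:
    // a moved or collected array would leave the PEB with a dangling pointer.
    GCHandle.Alloc(patchBytes, GCHandleType.Pinned);

    IntPtr handle = VirtualAlloc(IntPtr.Zero, code.Length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (handle == IntPtr.Zero)
    {
        // Fail before Marshal.Copy dereferences a null destination.
        throw new InvalidOperationException("VirtualAlloc failed to allocate the shellcode page.");
    }

    try
    {
        Marshal.Copy(code, 0, handle, code.Length);
        // Field names are case-sensitive: the declared arrays are codeBytesx64/codeBytesx86.
        AddProc patchImagePath = (AddProc)Marshal.GetDelegateForFunctionPointer(handle, typeof(AddProc));
        patchImagePath(patchBytes);
    }
    finally
    {
        // The code page is needed for this one call only; the string lives in patchBytes, not here.
        VirtualFree(handle, 0, MEM_RELEASE);
    }

    MessageBox.Show("Bypass HackShield Kernel Inine and ssdt Hook.!");
}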
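/// <summary>
/// Returns true when this process is a 32-bit (WOW64) process on 64-bit Windows — that is what
/// IsWow64Process reports. It does NOT return true for a native 64-bit process (IsWow64Process
/// yields false there); the name is kept because Form1_Load calls it.
/// </summary>
/// <returns>true for a 32-bit process under WOW64; false for a 32-bit process on 32-bit Windows
/// or a native 64-bit process.</returns>
/// <exception cref="Win32Exception">IsWow64Process failed. The original code ignored the return
/// value and would have chosen a shellcode variant from a meaningless out value.</exception>
private static bool Is64Bit()
{
    bool isWow64;
    // Process is IDisposable; release the handle once the query is done.
    using (Process current = Process.GetCurrentProcess())
    {
        if (!IsWow64Process(current.Handle, out isWow64))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
    }
    return isWow64;
}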
/// <summary>
/// kernel32!IsWow64Process. Sets <paramref name="lpSystemInfo"/> to true when
/// <paramref name="hProcess"/> is a 32-bit process running under WOW64 on 64-bit Windows, and to
/// false otherwise — including for a native 64-bit process. (The Win32 prototype names this
/// parameter Wow64Process; the name here is kept so existing positional callers are unaffected.)
/// </summary>
/// <param name="hProcess">Handle to the process to query.</param>
/// <param name="lpSystemInfo">Receives the WOW64 flag; only meaningful when the call returns true.</param>
/// <returns>true on success; on failure consult Marshal.GetLastWin32Error() (SetLastError is set).</returns>
[DllImport("kernel32.dll", SetLastError = true, CallingConvention = CallingConvention.Winapi)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process([In] IntPtr hProcess, [Out] out bool lpSystemInfo);
/*[DllImport("Runtimesupport.dll", EntryPoint = "InitreplacePath", ExactSpelling = false,
CallingConvention = CallingConvention.Cdecl)]
public static extern void InitreplacePath();*/
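/// <summary>kernel32!VirtualAlloc: reserves and/or commits a region of pages in this process.</summary>
/// <param name="address">Desired base address, or IntPtr.Zero to let the system choose (what Form1_Load passes).</param>
/// <param name="size">Region size in bytes. Kept as int so existing callers still compile; the
/// native type is SIZE_T, so this declaration is only correct for the 32-bit hosts this code targets.</param>
/// <param name="allocType">MEM_* flags (MEM_COMMIT | MEM_RESERVE here).</param>
/// <param name="protect">PAGE_* protection (PAGE_EXECUTE_READWRITE here — RWX memory, see Form1_Load).</param>
/// <returns>Base address of the region, or IntPtr.Zero on failure. SetLastError is now set so
/// Marshal.GetLastWin32Error() returns the real error code instead of stale state.</returns>
[DllImport("Kernel32.dll", EntryPoint = "VirtualAlloc", SetLastError = true)]
public static extern IntPtr VirtualAlloc(IntPtr address, int size, uint allocType, uint protect);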
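/// <summary>kernel32!VirtualFree: releases or decommits a region obtained from VirtualAlloc.</summary>
/// <param name="address">Base address returned by VirtualAlloc.</param>
/// <param name="size">Size in bytes; Form1_Load passes 0 together with MEM_RELEASE, which is what
/// a full release requires. Native type is SIZE_T; int is kept for the existing 32-bit callers.</param>
/// <param name="freeType">MEM_RELEASE or MEM_DECOMMIT.</param>
/// <returns>true on success. Declared with SetLastError and an explicit BOOL marshalling to match
/// the IsWow64Process declaration above, so failures can be diagnosed with Marshal.GetLastWin32Error().</returns>
[DllImport("Kernel32.dll", EntryPoint = "VirtualFree", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool VirtualFree(IntPtr address, int size, uint freeType);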
64位下测试:
+0x050 DllPath : _UNICODE_STRING "F:\SCC_20120913\bong!Car\bong!Car\bin\Debug;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\System32;C:\Python27;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Python27;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Python27;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;E:\Program Files (x86)\Microsoft Visual Studio\Common\Tools\WinNT;E:\Program Files (x86)\Microsoft Visual Studio\Common\MSDev98\Bin;E:\Program Files (x86)\Microsoft Visual Studio\Common\Tools;E:\Program Files (x86)\Microsoft Visual Studio\VC98\binncludefiles (x86)\microsoft visual studio\vc98\mfc\includeΐ;E:\Program Files (x86)\IDM Computer Solutions\UltraEdit\"
+0x060 ImagePathName : _UNICODE_STRING "C:\Windows\system32\svchost.exe"
+0x070 CommandLine : _UNICODE_STRING ""F:\SCC_20120913\bong!Car\bong!Car\bin\Debug\bong!Car.exe" "
+0x080 Environment : 0x00000000`003f1320 Void