/// <summary>
        /// Fake Taskmgr APIBypassing BY 小可, Translation BY NIMO1993.
        /// Rewrites this process's own PEB so that ProcessParameters.ImagePathName.Buffer points at
        /// the string SystemDirectory + "\" + Program.tak (presumably taskmgr.exe, going by the name),
        /// then moves the current directory to the system directory. Anything that derives the image
        /// path from the PEB will see the spoofed name; this is a user-mode, self-process
        /// identity-spoofing (anti-detection) technique. It does not change the on-disk image, and
        /// NOTE(review): it presumably does not change what the kernel itself reports for the process.
        /// </summary>
        /// <remarks>
        /// 32-bit only: addresses are held in int, read with Marshal.ReadInt32, and the offsets
        /// (+0x10, +0x38, +0x4) are the x86 layouts; the x64 layouts differ, so this must not run in a
        /// 64-bit process. The NTSTATUS from NtQueryInformationProcess is discarded and
        /// PBI.PebBaseAddress is never validated, so a failed query (zero-initialised struct) makes the
        /// first ReadInt32 fault at address 0x10. Only UNICODE_STRING.Buffer is replaced; Length and
        /// MaximumLength keep the original path's values, so readers that honor Length may see a
        /// truncated or over-read string.
        /// </remarks>
        public static void DarkUnHSEagle()
        {
            /*
             * Thanks to 大可 for the PEB ImagePathName spoofing method. Original C++ version:
             	_asm
                {
                    mov eax,fs:[0x30]    //eax points to PEB (x86 TEB->PEB)
                    mov eax,[eax+0x010]  //eax points to _PEB->ProcessParameters (_RTL_USER_PROCESS_PARAMETERS)
                    add eax,0x38         //eax points to ImagePathName (UNICODE_STRING)
                    add eax,0x4			 //UNICODE_STRING.Buffer
                    mov ebx,wszImagePathName
                    mov [eax],ebx
                    mov eax,[eax]
                }
             */
            API.PROCESS_BASIC_INFORMATION PBI = new API.PROCESS_BASIC_INFORMATION();
            int nsize;

            // (IntPtr)(-1) is the current-process pseudo-handle. The NTSTATUS result is discarded:
            // on failure PBI stays zero-initialised and the ReadInt32 below dereferences 0x10.
            API.NtQueryInformationProcess((IntPtr)(-1), API.PROCESSINFOCLASS.ProcessBasicInformation, ref PBI, Marshal.SizeOf(typeof(API.PROCESS_BASIC_INFORMATION)), out nsize);
            // Managed re-implementation of the asm above. Pointers are int-sized and read with
            // ReadInt32, so this only works in a 32-bit process; NOTE(review): x64 PEB offsets differ.
            int PEBBaseAddress = PBI.PebBaseAddress;
            int RTL_USER_PROCESS_PARAMETERS = Marshal.ReadInt32((IntPtr)(PEBBaseAddress + 0x10)); // PEB+0x10: ProcessParameters (x86)
            int ImagePathName_UNICODE_STRING = RTL_USER_PROCESS_PARAMETERS + 0x38; // ImagePathName UNICODE_STRING inside ProcessParameters (x86)
            int UNICODE_STRING_Buffer = ImagePathName_UNICODE_STRING + 0x4; // UNICODE_STRING.Buffer, the field holding the string's address (Length/MaximumLength at +0x0/+0x2 are left as-is)
            // Unmanaged copy of the spoofed path (Unicode on Windows). Deliberately never freed: the
            // PEB references it for the rest of the process's life. Program.tak is defined elsewhere —
            // presumably the file name to impersonate; confirm against Program.
            IntPtr FakeTaskMgr = Marshal.StringToHGlobalAuto(Environment.SystemDirectory + @"\" + Program.tak);
            Marshal.WriteIntPtr((IntPtr)UNICODE_STRING_Buffer, FakeTaskMgr); // swap in the address of our own spoofed string
            // Make the working directory match where the impersonated binary lives.
            Environment.CurrentDirectory = Environment.SystemDirectory;
        }
        /// <summary>
        /// Fake Taskmgr APIBypassing BY 小可, Translation BY NIMO1993.
        /// Rewrites this process's own PEB so that ProcessParameters.ImagePathName.Buffer points at
        /// the string SystemDirectory + "\" + Program.tak (presumably taskmgr.exe, going by the name),
        /// then moves the current directory to the system directory. Anything that derives the image
        /// path from the PEB will see the spoofed name; this is a user-mode, self-process
        /// identity-spoofing (anti-detection) technique. It does not change the on-disk image, and
        /// NOTE(review): it presumably does not change what the kernel itself reports for the process.
        /// </summary>
        /// <remarks>
        /// 32-bit only: addresses are held in int, read with Marshal.ReadInt32, and the offsets
        /// (+0x10, +0x38, +0x4) are the x86 layouts; the x64 layouts differ, so this must not run in a
        /// 64-bit process. The NTSTATUS from NtQueryInformationProcess is discarded and
        /// PBI.PebBaseAddress is never validated, so a failed query (zero-initialised struct) makes the
        /// first ReadInt32 fault at address 0x10. Only UNICODE_STRING.Buffer is replaced; Length and
        /// MaximumLength keep the original path's values, so readers that honor Length may see a
        /// truncated or over-read string.
        /// </remarks>
        public static void DarkUnHSEagle()
        {
            /*
             * Thanks to 大可 for the PEB ImagePathName spoofing method. Original C++ version:
             *  _asm
             *  {
             *      mov eax,fs:[0x30]    //eax points to PEB (x86 TEB->PEB)
             *      mov eax,[eax+0x010]  //eax points to _PEB->ProcessParameters (_RTL_USER_PROCESS_PARAMETERS)
             *      add eax,0x38         //eax points to ImagePathName (UNICODE_STRING)
             *      add eax,0x4          //UNICODE_STRING.Buffer
             *      mov ebx,wszImagePathName
             *      mov [eax],ebx
             *      mov eax,[eax]
             *  }
             */
            API.PROCESS_BASIC_INFORMATION PBI = new API.PROCESS_BASIC_INFORMATION();
            int nsize;

            // (IntPtr)(-1) is the current-process pseudo-handle. The NTSTATUS result is discarded:
            // on failure PBI stays zero-initialised and the ReadInt32 below dereferences 0x10.
            API.NtQueryInformationProcess((IntPtr)(-1), API.PROCESSINFOCLASS.ProcessBasicInformation, ref PBI, Marshal.SizeOf(typeof(API.PROCESS_BASIC_INFORMATION)), out nsize);
            // Managed re-implementation of the asm above. Pointers are int-sized and read with
            // ReadInt32, so this only works in a 32-bit process; NOTE(review): x64 PEB offsets differ.
            int    PEBBaseAddress = PBI.PebBaseAddress;
            int    RTL_USER_PROCESS_PARAMETERS  = Marshal.ReadInt32((IntPtr)(PEBBaseAddress + 0x10)); // PEB+0x10: ProcessParameters (x86)
            int    ImagePathName_UNICODE_STRING = RTL_USER_PROCESS_PARAMETERS + 0x38; // ImagePathName UNICODE_STRING inside ProcessParameters (x86)
            int    UNICODE_STRING_Buffer        = ImagePathName_UNICODE_STRING + 0x4; // UNICODE_STRING.Buffer, the field holding the string's address (Length/MaximumLength at +0x0/+0x2 are left as-is)
            // Unmanaged copy of the spoofed path (Unicode on Windows). Deliberately never freed: the
            // PEB references it for the rest of the process's life. Program.tak is defined elsewhere —
            // presumably the file name to impersonate; confirm against Program.
            IntPtr FakeTaskMgr = Marshal.StringToHGlobalAuto(Environment.SystemDirectory + @"\" + Program.tak);

            Marshal.WriteIntPtr((IntPtr)UNICODE_STRING_Buffer, FakeTaskMgr); // swap in the address of our own spoofed string
            // Make the working directory match where the impersonated binary lives.
            Environment.CurrentDirectory = Environment.SystemDirectory;
        }