/// <summary> /// Fake Taskmgr APIBypassing BY 小可, Translation BY NIMO1993. /// </summary> public static void DarkUnHSEagle() { /* * 感謝 大可 提供PEB偽造ImagePathName方法,原C++作 _asm { mov eax,fs:[0x30] //eax points to PEB mov eax,[eax+0x010] //eax points to _PEB->_RTL_USER_PROCESS_PARAMETERS add eax,0x38 //eax points to ImagePathName(UNICODE_STRING) add eax,0x4 //UNICODE_STRING.Buffer mov ebx,wszImagePathName mov [eax],ebx mov eax,[eax] } */ API.PROCESS_BASIC_INFORMATION PBI = new API.PROCESS_BASIC_INFORMATION(); int nsize; API.NtQueryInformationProcess((IntPtr)(-1), API.PROCESSINFOCLASS.ProcessBasicInformation, ref PBI, Marshal.SizeOf(typeof(API.PROCESS_BASIC_INFORMATION)), out nsize); int PEBBaseAddress = PBI.PebBaseAddress; int RTL_USER_PROCESS_PARAMETERS = Marshal.ReadInt32((IntPtr)(PEBBaseAddress + 0x10)); int ImagePathName_UNICODE_STRING = RTL_USER_PROCESS_PARAMETERS + 0x38; int UNICODE_STRING_Buffer = ImagePathName_UNICODE_STRING + 0x4; //儲存字串所在位址的Buffer IntPtr FakeTaskMgr = Marshal.StringToHGlobalAuto(Environment.SystemDirectory + @"\" + Program.tak); Marshal.WriteIntPtr((IntPtr)UNICODE_STRING_Buffer, FakeTaskMgr); //置換成自己偽裝的位址 Environment.CurrentDirectory = Environment.SystemDirectory; }
/// <summary> /// Fake Taskmgr APIBypassing BY 小可, Translation BY NIMO1993. /// </summary> public static void DarkUnHSEagle() { /* * 感謝 大可 提供PEB偽造ImagePathName方法,原C++作 * _asm * { * mov eax,fs:[0x30] //eax points to PEB * mov eax,[eax+0x010] //eax points to _PEB->_RTL_USER_PROCESS_PARAMETERS * add eax,0x38 //eax points to ImagePathName(UNICODE_STRING) * add eax,0x4 //UNICODE_STRING.Buffer * mov ebx,wszImagePathName * mov [eax],ebx * mov eax,[eax] * } */ API.PROCESS_BASIC_INFORMATION PBI = new API.PROCESS_BASIC_INFORMATION(); int nsize; API.NtQueryInformationProcess((IntPtr)(-1), API.PROCESSINFOCLASS.ProcessBasicInformation, ref PBI, Marshal.SizeOf(typeof(API.PROCESS_BASIC_INFORMATION)), out nsize); int PEBBaseAddress = PBI.PebBaseAddress; int RTL_USER_PROCESS_PARAMETERS = Marshal.ReadInt32((IntPtr)(PEBBaseAddress + 0x10)); int ImagePathName_UNICODE_STRING = RTL_USER_PROCESS_PARAMETERS + 0x38; int UNICODE_STRING_Buffer = ImagePathName_UNICODE_STRING + 0x4; //儲存字串所在位址的Buffer IntPtr FakeTaskMgr = Marshal.StringToHGlobalAuto(Environment.SystemDirectory + @"\" + Program.tak); Marshal.WriteIntPtr((IntPtr)UNICODE_STRING_Buffer, FakeTaskMgr); //置換成自己偽裝的位址 Environment.CurrentDirectory = Environment.SystemDirectory; }