getrektboy724 / sharpunhooker Goto Github PK
View Code? Open in Web Editor NEWC# Based Universal API Unhooker
C# Based Universal API Unhooker
With GameGuard:
[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IMPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
Fatal error. System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
at System.SpanHelpers.IndexOf(Byte ByRef, Byte, Int32)
at System.String.Ctor(SByte*)
at System.Runtime.InteropServices.Marshal.PtrToStringAnsi(IntPtr)
at SharpUnhooker.IATUnhooker(System.String)
at SharpUnhooker.Main()
I get an Access Violation when attempting to write the original dll bytes back over to the section in memory:
Marshal.Copy(originalTextSectionBytes, 0, moduleTextSectionAddress, originalTextSectionBytes.Length);
Above that, we try and set the protection of this section to writeable. We set the new protection to 0x40 (PAGE_EXECUTE_READWRITE) and the old one is 0x20 (PAGE_EXECUTE_READ). However, when I query the protection of that section again, it comes back as 0x80 (PAGE_EXECUTE_WRITECOPY). Per this article, that seems correct as this section is a memory-mapped file. In theory, writes to this section should create a copy of it that is used in this process. However, I'm not sure if that's what's causing the AV and a crash.
Anyone else seeing this?
Hey,
I'm trying to bypass the example https://github.com/CCob/SylantStrike .
The below is my code snipper using SharpUnhooker:
public class SUUsageExample{
.....
public static void Main()
{
SharpUnhooker.Mein();
byte[] buf = new byte[285] { 0xfc,0x48,0x81,0xe4,0xf0,0....... }; // just message box
run(buf);
}
public static void run(byte[] ShellcodeBytes)
{
SharpUnhooker.Mein();
IntPtr ProcessHandle = new IntPtr(-1); // pseudo-handle for current process
IntPtr ShellcodeBytesLength = new IntPtr(ShellcodeBytes.Length);
IntPtr AllocationAddress = new IntPtr();
IntPtr ZeroBitsThatZero = IntPtr.Zero;
UInt32 AllocationTypeUsed = (UInt32)AllocationType.Commit | (UInt32)AllocationType.Reserve;
Console.WriteLine("[*] Allocating memory...");
NtAllocateVirtualMemory(ProcessHandle, ref AllocationAddress, ZeroBitsThatZero, ref ShellcodeBytesLength, AllocationTypeUsed, 0x04);
Console.WriteLine("[*] Copying Shellcode...");
Marshal.Copy(ShellcodeBytes, 0, AllocationAddress, ShellcodeBytes.Length);
Console.WriteLine("[*] Changing memory protection setting...");
UInt32 newProtect = 0;
Sleep(1000);
Console.WriteLine("[*] ...");
NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect);
Console.WriteLine("[*] Passed...");
When hooking with SylantStrike on the process created with the above code, SylantStrike still detects the following call from NTDLL: NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect);
This is the output when running the process:
ShellAnuuked.exe
[------------------------------------------]
[SharpUnhookerV4 - C# Based WinAPI Unhooker]
[ Written By GetRektBoy724 ]
[------------------------------------------]
[++++++++++++!SEQUENCE=STARTED!++++++++++++]
----------PHASE 1 == API UNHOOKING----------
[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL EXPORTS ARE CLEANSED!
------PHASE 2 == PATCHING AMSI AND ETW------
[*] !AMSI.DLL NOT DETECTED! [*]
[+++] !ETW PATCHED! [+++]
[+++++++++++!SEQUENCE==FINISHED!+++++++++++]
[------------------------------------------]
[SharpUnhookerV4 - C# Based WinAPI Unhooker]
[ Written By GetRektBoy724 ]
[------------------------------------------]
[++++++++++++!SEQUENCE=STARTED!++++++++++++]
----------PHASE 1 == API UNHOOKING----------
[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL EXPORTS ARE CLEANSED!
------PHASE 2 == PATCHING AMSI AND ETW------
[*] !AMSI.DLL NOT DETECTED! [*]
[+++] !ETW PATCHED! [+++]
[+++++++++++!SEQUENCE==FINISHED!+++++++++++]
[*] Allocating memory...
[*] Copying Shellcode...
[*] Changing memory protection setting...
[*] ...
This is SylantStrike output:
SylantStrikeInject.exe --dll=SylantStrike.dll --process=ShellAnuuked.exe
Waiting for process events
+ Listening for the following processes: shellanuuked.exe
Injecting process ShellAnuuked.exe(10520) with DLL SylantStrike.dll
Shouldn't NTDLL be unhooked by the time NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect);
is called?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.