[VB.NET] ByPassHS_InlineHook 繞過 HS 進程防護
一樣是偽裝工作管理員繞過進程防護...
這裡提供兩個版本
第一個是某大神寫的
第二個應該是 Inndy 大神寫的版本
這裡提供兩個版本
第一個是某大神寫的
Imports System.Runtime.InteropServices
' Version 1: makes this process report a spoofed image path by rewriting its own PEB.
' NtQueryInformationProcess supplies the PEB address; the code then walks
' PEB -> ProcessParameters (RTL_USER_PROCESS_PARAMETERS) -> ImagePathName (a UNICODE_STRING)
' and overwrites the Buffer pointer with a copy of "<SystemDirectory>\taskmgr.exe".
' Only the process's user-mode view of itself changes; the kernel's record of the image
' file is untouched, so the two disagree afterwards — that mismatch (PEB-reported path vs.
' kernel-reported path) is the detection handle for a defender.
Module ByPassHS2
' NOTE(review): bare line continuation with nothing before it. The attribute that preceded it
' (presumably a StructLayout on the structure below) looks lost in rendering; confirm against
' the original source.
_
' Mirrors PROCESS_BASIC_INFORMATION as returned for ProcessBasicInformation.
' Only PebBaseAddress is read below.
Public Structure Process_Basic_Information
Public ExitStatus As IntPtr
Public PebBaseAddress As IntPtr
Public AffinityMask As IntPtr
Public BasePriority As IntPtr
Public UniqueProcessID As IntPtr
Public InheritedFromUniqueProcessId As IntPtr
End Structure
' Information classes accepted by NtQueryInformationProcess. Only ProcessBasicInformation (0)
' is used here; the remaining members are listed for completeness.
Private Enum PROCESSINFOCLASS
ProcessBasicInformation = 0
ProcessQuotaLimits
ProcessIoCounters
ProcessVmCounters
ProcessTimes
ProcessBasePriority
ProcessRaisePriority
ProcessDebugPort
ProcessExceptionPort
ProcessAccessToken
ProcessLdtInformation
ProcessLdtSize
ProcessDefaultHardErrorMode
ProcessIoPortHandlers
ProcessPooledUsageAndLimits
ProcessWorkingSetWatch
ProcessUserModeIOPL
ProcessEnableAlignmentFaultFixup
ProcessPriorityClass
ProcessWx86Information
ProcessHandleCount
ProcessAffinityMask
ProcessPriorityBoost
ProcessDeviceMap
ProcessSessionInformation
ProcessForegroundInformation
ProcessWow64Information
ProcessImageFileName
ProcessLUIDDeviceMapsEnabled
ProcessBreakOnTermination
ProcessDebugObjectHandle
ProcessDebugFlags
ProcessHandleTracing
ProcessIoPriority
ProcessExecuteFlags
ProcessResourceManagement
ProcessCookie
ProcessImageInformation
MaxProcessInfoClass
End Enum
' NOTE(review): as above, the attribute before this declaration (presumably a DllImport of
' ntdll.dll) appears to have been lost in rendering.
_
' P/Invoke stub for ntdll!NtQueryInformationProcess. The Integer result is an NTSTATUS, which
' the caller below ignores. ProcessInformation is typed as the basic-information structure, so
' this binding is only usable with ProcessBasicInformation.
Public Function NtQueryInformationProcess(ByVal handle As IntPtr, ByVal processinformationclass As UInteger, ByRef ProcessInformation As Process_Basic_Information, ByVal ProcessInformationLength As Integer, ByRef ReturnLength As UInteger) As Integer
End Function
' Locates ImagePathName.Buffer in this process's PEB and points it at a spoofed taskmgr.exe
' path. Nothing is returned and no failure is reported: if the query fails, PBI stays zeroed
' and the reads below would most likely fault.
Public Sub ByPassHS_InlineHook()
'
'
' _asm
' {
' mov eax,fs:[0x30] //eax points to PEB
' mov eax,[eax+0x010] //eax points to _PEB->_RTL_USER_PROCESS_PARAMETERS
' add eax,0x38 //eax points to ImagePathName(UNICODE_STRING)
' add eax,0x4 //UNICODE_STRING.Buffer
' mov ebx,wszImagePathName
' mov [eax],ebx
' mov eax,[eax]
' }
'
' -1 is the current-process pseudo-handle. Both the NTSTATUS result and the returned
' length (nsize) are ignored.
Dim PBI As New Process_Basic_Information()
Dim nsize As Integer
NtQueryInformationProcess(-1, PROCESSINFOCLASS.ProcessBasicInformation, PBI, Marshal.SizeOf(GetType(Process_Basic_Information)), nsize)
' NOTE(review): IntPtr narrowed to Integer. In a 64-bit process this truncates the pointer,
' so the Case 64 branch below cannot work as written.
Dim PEBBaseAddress As Integer = PBI.PebBaseAddress
Dim RTL_USER_PROCESS_PARAMETERS As Integer
Dim ImagePathName_UNICODE_STRING As Integer
Dim UNICODE_STRING_Buffer As Integer
' Pointer size of the running process, in bits (32 or 64).
Dim architecture As Integer = Runtime.InteropServices.Marshal.SizeOf(GetType(IntPtr)) * 8
' Redundant: PEBBaseAddress was already initialised from PBI.PebBaseAddress above.
PEBBaseAddress = PBI.PebBaseAddress
' Offsets of ProcessParameters within the PEB, of ImagePathName within
' RTL_USER_PROCESS_PARAMETERS, and of Buffer within UNICODE_STRING, by bitness.
' The 32-bit values match the inline asm comment above. There is no Case Else, so an
' unexpected value leaves all three addresses at 0.
Select Case architecture
Case 32
RTL_USER_PROCESS_PARAMETERS = Marshal.ReadInt32(PEBBaseAddress + &H10)
ImagePathName_UNICODE_STRING = RTL_USER_PROCESS_PARAMETERS + &H38
UNICODE_STRING_Buffer = ImagePathName_UNICODE_STRING + &H4
Case 64
' NOTE(review): ReadInt32 reads only the low half of a 64-bit ProcessParameters pointer.
RTL_USER_PROCESS_PARAMETERS = Marshal.ReadInt32(PEBBaseAddress + &H20)
ImagePathName_UNICODE_STRING = RTL_USER_PROCESS_PARAMETERS + &H60
UNICODE_STRING_Buffer = ImagePathName_UNICODE_STRING + &H8
End Select
' Unmanaged buffer holding the spoofed path string. It is never freed: the PEB keeps
' referencing it for the rest of the process lifetime.
Dim FakeTaskMgr As IntPtr = Marshal.StringToHGlobalAuto(Environment.SystemDirectory + "\taskmgr.exe")
' Swap the Buffer pointer for the address of the spoofed path. Only the pointer is replaced;
' UNICODE_STRING.Length / MaximumLength keep their old values (version 2 below also rewrites
' them), so readers that honour Length may see a truncated or over-long string.
Marshal.WriteIntPtr(UNICODE_STRING_Buffer, FakeTaskMgr)
' (the pointer now refers to our own spoofed address)
End Sub
End Module
第二個應該是 Inndy 大神寫的版本
Imports System.Runtime.InteropServices
Imports System.Text
' Version 2: the same PEB ImagePathName spoof as version 1, but the PEB address and the memory
' reads/writes go through tiny hand-assembled x86 stubs executed via CallWindowProc, instead of
' NtQueryInformationProcess and Marshal.
' Detection note: passing a freshly allocated heap buffer to CallWindowProc as a "window
' procedure" executes code from the heap — an unusual pattern in its own right, and plausibly
' what "blows up on some machines" (author's note below) when that heap is not executable.
Module ByPassHS
' NOTE(review): declaration with no body and no visible attribute; the DllImport of
' user32 CallWindowProc that presumably preceded it looks lost in rendering.
' lpPrevWndFunc is treated below as a pointer to raw code, and the four Integer parameters
' are whatever the stub expects to find on the stack.
Private Function CallWindowProc(ByVal lpPrevWndFunc As IntPtr, ByVal Param1 As Integer, ByVal Param2 As Integer, ByVal Param3 As Integer, ByVal Param4 As Integer) As Integer
End Function
' Builds a NUL-terminated UTF-16 copy of "<SystemDirectory>\taskmgr.exe" in unmanaged memory,
' then rewrites ImagePathName's Length/MaximumLength and Buffer in this process's PEB to
' describe it.
Public Sub ByPassHS_InlineHook()
Dim PEBBaseAddress As Integer
Dim RTL_USER_PROCESS_PARAMETERS As Integer
Dim ImagePathName_UNICODE_STRING As Integer
Dim UNICODE_STRING_Buffer As Integer
' The trailing space reserves two bytes that are zeroed below to become the UTF-16 NUL
' terminator.
Dim TaskMgrPath As Byte() = Encoding.Unicode.GetBytes(Environment.SystemDirectory & "\taskmgr.exe ")
' UNICODE_STRING convention: MaximumLength includes the terminator, Length excludes it.
Dim MaxBufferLength As Integer = TaskMgrPath.Length
Dim BufferLength As Integer = MaxBufferLength - 2
' Unmanaged copy of the path. Never freed: the PEB will point at it.
Dim FakeTaskMgr As IntPtr = Marshal.AllocHGlobal(MaxBufferLength)
' Packs UNICODE_STRING's two leading USHORTs (Length in the low word, MaximumLength in the
' high word) into one 32-bit value so a single WriteMe updates both.
Dim WritedLength As Integer = (MaxBufferLength << 16) Or BufferLength
' Pointer size of the running process, in bits.
Dim architecture As Integer = Runtime.InteropServices.Marshal.SizeOf(GetType(IntPtr)) * 8
' Same offsets as version 1. NOTE(review): every address is an Integer and the helpers below
' are 32-bit stubs, so the Case 64 branch is not expected to work as written; there is also
' no Case Else.
Select Case architecture
Case 32
PEBBaseAddress = GetPEBx86()
RTL_USER_PROCESS_PARAMETERS = ReadMe(PEBBaseAddress + &H10)
ImagePathName_UNICODE_STRING = RTL_USER_PROCESS_PARAMETERS + &H38
UNICODE_STRING_Buffer = ImagePathName_UNICODE_STRING + 4
Case 64
PEBBaseAddress = GetPEBx64()
RTL_USER_PROCESS_PARAMETERS = ReadMe(PEBBaseAddress + &H20)
ImagePathName_UNICODE_STRING = RTL_USER_PROCESS_PARAMETERS + &H60
UNICODE_STRING_Buffer = ImagePathName_UNICODE_STRING + 8
End Select
' Overwrite the two bytes of the trailing space with zero: the NUL terminator.
TaskMgrPath(MaxBufferLength - 1) = 0
TaskMgrPath(MaxBufferLength - 2) = 0
Marshal.Copy(TaskMgrPath, 0, FakeTaskMgr, TaskMgrPath.Length)
' First the packed lengths, then the Buffer pointer (truncated to 32 bits by ToInt32).
WriteMe(ImagePathName_UNICODE_STRING, WritedLength)
WriteMe(UNICODE_STRING_Buffer, FakeTaskMgr.ToInt32)
End Sub
' Returns the PEB address of the current 32-bit process.
' Bytes decode as: mov eax, fs:[0x30] ; ret 0x10
Private Function GetPEBx86() As Integer
Return ShellASM(New Byte() {&H64, &HA1, &H30, 0, 0, 0, &HC2, &H10, 0})
End Function
' Intended 64-bit counterpart. NOTE(review): this is the same 32-bit encoding (fs: override,
' 32-bit moffs) with only the displacement changed to 0x60; it does not look valid as 64-bit
' code, and an Integer result could not hold a 64-bit PEB address anyway — confirm before
' relying on the Case 64 path.
Private Function GetPEBx64() As Integer
Return ShellASM(New Byte() {&H64, &HA1, &H60, 0, 0, 0, &HC2, &H10, 0})
End Function
' Stores the 32-bit Value at Address.
' Bytes decode as: push ebx ; mov ebx,[esp+0xC] ; mov eax,[esp+8] ; mov [eax],ebx ; pop ebx ; ret 0x10
Private Sub WriteMe(ByVal Address As Integer, ByVal Value As Integer)
ShellASM(New Byte() {&H53, &H8B, &H5C, &H24, &HC, &H8B, &H44, &H24, &H8, &H89, &H18, &H5B, &HC2, &H10, 0}, Address, Value)
End Sub
' Reads the 32-bit value at Address.
' Bytes decode as: mov eax,[esp+4] ; mov eax,[eax] ; ret 0x10
Private Function ReadMe(ByVal Address As Integer) As Integer
Return ShellASM(New Byte() {&H8B, &H44, &H24, &H4, &H8B, &H0, &HC2, &H10, 0}, Address)
End Function
' Copies ASM into an unmanaged heap buffer and invokes it as if it were a window procedure,
' passing up to four Integer arguments on the stack; each stub's trailing ret 0x10 pops those
' four stdcall arguments. The buffer is freed after the call. This only works if the heap
' buffer is executable; where DEP forbids that, the call will most likely fault.
Private Function ShellASM(ByRef ASM() As Byte, Optional ByVal Param1 As Integer = 0, Optional ByVal Param2 As Integer = 0, Optional ByVal Param3 As Integer = 0, Optional ByVal Param4 As Integer = 0) As Integer
Dim ASM_Block As IntPtr = Marshal.AllocHGlobal(ASM.Length)
Marshal.Copy(ASM, 0, ASM_Block, ASM.Length)
' Whatever the stub leaves in eax becomes the function result.
ShellASM = CallWindowProc(ASM_Block, Param1, Param2, Param3, Param4)
Marshal.FreeHGlobal(ASM_Block)
End Function
End Module
至於為什麼要 PO 兩個版本……因為印象中以前用的時候，其中一個在有些電腦上可能會爆錯，可是我想不起來是哪個 OTZ
要怎麼用
必須推 XDD，用第 1 個貌似有成功，之後有空再來把它拼起來，感謝!!!