Thread author
#1
All credits to [USER=106804]WeakRecords[/USER] (just repost here)
"I wrote a manual mapper 3 months ago that bypasses anticheat hooks since the calls come from a legit module. I use it for games like csgo, reversing and h1z1 (needs some additional steps that I will describe later).
x86 and x64 compatible. Compile same as game version.
What you should watch / know before reading further:
1. Basics like getting a handle to processes (link: login required)
2. WinApi (Read, Write, AllocateMem etc.) (link: login required)
3. Slight knowledge of the PE format (PEB, LDR) (check my hook detection thread)
4. Knowledge about pages, sizes, allocation base
5. How does manual mapping work? (link: login required)
What does the mapper do?
1. Opens a handle to the target process
2. Loads our dll into a local buffer
3. Finds the PEB address and enumerates modules (target process)
4. Searches for not allocated memory at the end of a module
5. Checks if memory can be allocated + if there is no memory at the end of our current position + the size of our dll
6. If not, it walks the module till it finds space to allocate
7. Now it increases the size of the image (LDR_ENTRY and OptionalHeader) + allocates memory there (memory is at a legit space)
8. After that it maps the sections and our shellcode and creates a thread in the target process (legit context)
Pros
- Dll thread runs in a legit context
- Calls that will be checked come from a legit module
Cons
What could they detect?
If allocation_base != Module.baseaddress -> flag
If size_last != size_current -> flag
How can I bypass BE?
Well, just replace the "NtApi" functions like NtVirtualAlloc (which I used here) etc. with the NTAPI in your driver.
Idk, I thought that a vid tutorial would be too overkill. But let me know."
(link: login required)
Attachments
- 9.9 KB, views: 109
- 34.7 KB, views: 342
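The two heuristics listed under "What could they detect?" (a region inside a module's image range whose allocation base is not the module base, and a module whose image size differs from a previously recorded size) can be written down as a checker over a snapshot of the module list and memory map. The code below is an added illustration for this repost, not code from WeakRecords' mapper or from any anti-cheat; `Module`, `Region`, `build_pe_headers`, `check_module`, `scan`, the baseline table and all addresses and sizes are constructed for the example. A real scanner would fill `Module` from the PEB's `LDR_DATA_TABLE_ENTRY` and `Region` from `VirtualQueryEx`, and take the baseline from the on-disk file or an earlier snapshot.

```python
import struct
from dataclasses import dataclass

# Offset of SizeOfImage inside IMAGE_OPTIONAL_HEADER; identical for PE32 and PE32+.
OPT_HEADER_SIZE_OF_IMAGE = 56


@dataclass
class Module:
    name: str
    base: int        # DllBase from the LDR entry
    ldr_size: int    # SizeOfImage as recorded in the LDR entry
    header: bytes    # mapped image headers (DOS header + NT headers)


@dataclass
class Region:
    base: int             # BaseAddress as VirtualQuery would report it
    allocation_base: int  # AllocationBase as VirtualQuery would report it
    size: int             # RegionSize


def build_pe_headers(size_of_image, magic=0x20B):
    """Construct minimal DOS+NT headers carrying only the fields the checker reads."""
    e_lfanew = 0x40
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" signature and the 20-byte file header
    buf = bytearray(opt + OPT_HEADER_SIZE_OF_IMAGE + 4)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, opt, magic)
    struct.pack_into("<I", buf, opt + OPT_HEADER_SIZE_OF_IMAGE, size_of_image)
    return bytes(buf)


def header_size_of_image(header):
    """Read OptionalHeader.SizeOfImage from mapped headers, validating the signatures."""
    if header[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
    if header[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", header, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return struct.unpack_from("<I", header, opt + OPT_HEADER_SIZE_OF_IMAGE)[0]


def check_module(module, regions, baseline_size):
    """Return (kind, observed, expected/extra) findings for one module."""
    findings = []
    hdr_size = header_size_of_image(module.header)
    # size_last != size_current: image size differs from the recorded baseline
    if hdr_size != baseline_size:
        findings.append(("size_changed", baseline_size, hdr_size))
    # LDR entry and mapped header disagreeing is itself suspicious
    if module.ldr_size != hdr_size:
        findings.append(("ldr_header_mismatch", module.ldr_size, hdr_size))
    # allocation_base != module base for any region inside the image range
    end = module.base + max(module.ldr_size, hdr_size)
    for r in regions:
        overlaps = r.base < end and r.base + r.size > module.base
        if overlaps and r.allocation_base != module.base:
            findings.append(("allocation_base_mismatch", r.base, r.allocation_base))
    return findings


def scan(modules, regions, baseline):
    return {m.name: check_module(m, regions, baseline[m.name]) for m in modules}


# Constructed snapshot: one untouched module and one whose image was grown by
# 0x20000 in both the LDR entry and the mapped OptionalHeader, with the extra
# block coming from a separate allocation.
NTDLL_BASE = 0x7FF8_0000_0000
CLIENT_BASE = 0x7FF7_0000_0000
BASELINE = {"ntdll.dll": 0x1F0000, "client.dll": 0x100000}
SAMPLE_MODULES = [
    Module("ntdll.dll", NTDLL_BASE, 0x1F0000, build_pe_headers(0x1F0000)),
    Module("client.dll", CLIENT_BASE, 0x120000, build_pe_headers(0x120000)),
]
SAMPLE_REGIONS = [
    Region(NTDLL_BASE, NTDLL_BASE, 0x1F0000),
    Region(CLIENT_BASE, CLIENT_BASE, 0x100000),
    Region(CLIENT_BASE + 0x100000, CLIENT_BASE + 0x100000, 0x20000),
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_MODULES, SAMPLE_REGIONS, BASELINE).items():
        print(name, findings or "clean")
```

The allocation-base check is the stronger of the two, because the post's mapper patches both size fields consistently: only a region-by-region comparison against the module base reveals that the tail of the image came from a separate allocation.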