Исходник MEmanualmapper - Bypass hooks & allocation detections

Пользователь
Статус
Оффлайн
Регистрация
21 Авг 2020
Сообщения
115
Реакции[?]
45
Поинты[?]
0
All credits to [USER = 106804] WeakRecords [/ USER] (just repost here)

"I wrote a manual mapper 3 months ago that bypasses anticheat hooks since the calls come from a legit module. I use it for games like csgo, reversing and h1z1 (needs some additional steps that I will describe later)

0x86 and 0x64 compatible. Compile same as game version

What you should watch / know before reading further:
1. Basics like getting handle to processes (
Пожалуйста, авторизуйтесь для просмотра ссылки.
)
2. WinApi (Read, Write, AllocateMem etc.) (
Пожалуйста, авторизуйтесь для просмотра ссылки.
)
3. Slight knowledge of the PE format (PEB, LDR) (check my hook detection thread)
4. Knowledge about pages, sizes, allocation base
5. How does manual mapping work? (
Пожалуйста, авторизуйтесь для просмотра ссылки.
)

What does the mapper do?
1. Opens a handle to target process
2. Loads our dll to a local buffer
3. Finds the peb address and enumerates modules (target process)
4. Searches for not allocated memory at the end of a module
5. Checks if memory can be allocated + if there is no memory at the end of our current positon + the size of our dll
6. If not it walks the module till it finds space to allocate
7. Now it increases the size of the image (LDR_ENTRY and Optionalheader) + allocates memory there (memory is at a legit space)
8.After that it maps the sections and out shellcode and creates a thread in the target process (legit context)

Pros
- Dll thread runs in a legit context
- Calls that will be checked come from a legit module

Cons
What could they detect?
If allocation_base! = Module.baseaddress -> flag
if size_last! = Size_current -> flag

How can I bypass BE?
Well just replace the "NtApi" functions like NtVirtualAlloc (which I used here) etc with the NTAPI in your driver.

Idk I thought that a vid tutorial would be too overkill. But let me know. "

[URL unfurl = "true"]
Пожалуйста, авторизуйтесь для просмотра ссылки.
[/ URL]
 

Вложения

Забаненный
Статус
Оффлайн
Регистрация
30 Сен 2019
Сообщения
17
Реакции[?]
0
Поинты[?]
0
Обратите внимание, пользователь заблокирован на форуме. Не рекомендуется проводить сделки.
I tried to inject DLL, but it didn't work.
 
Сверху Снизу