The sharpunhooker from getrektboy724

sharpunhooker's Introduction

Hi there, Im GetRektBoy724 👋

🔭 I’m currently working on my maldriver.
🌱 I’m currently learning about pentesting, malware development, and reverse engineering.
👯 I’m looking to collaborate on anything i find interesting
🤔 I’m looking for help for fixing my mental issues
💬 Ask me about anything around malware development
📫 How to reach me: Use Discord for quick response, my ID is : GetRektBoy724#6773
⚡ Fun fact: Sometimes, age doesn't determine your abilities
💵 You want to buy me an ice cream? :
- Donate BTC at bc1qe7snl4azqydn4juz42n8sfus323rwe8ytfprrr
- Donate USDT or ETH at 0x404213eB012B095Ee4e11336ef90d4649639dba5 (ERC-20)
💻 You want me to make a custom program? Contact me at Discord : grb#6773

sharpunhooker's Issues

System.AccessViolationException

With GameGuard:

[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IMPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
Fatal error. System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
at System.SpanHelpers.IndexOf(Byte ByRef, Byte, Int32)
at System.String.Ctor(SByte*)
at System.Runtime.InteropServices.Marshal.PtrToStringAnsi(IntPtr)
at SharpUnhooker.IATUnhooker(System.String)
at SharpUnhooker.Main()

Access Violation with JMP unhooking.

I get an Access Violation when attempting to write the original dll bytes back over to the section in memory:
Marshal.Copy(originalTextSectionBytes, 0, moduleTextSectionAddress, originalTextSectionBytes.Length);

Above that, we try and set the protection of this section to writeable. We set the new protection to 0x40 (PAGE_EXECUTE_READWRITE) and the old one is 0x20 (PAGE_EXECUTE_READ). However, when I query the protection of that section again, it comes back as 0x80 (PAGE_EXECUTE_WRITECOPY). Per this article, that seems correct as this section is a memory-mapped file. In theory, writes to this section should create a copy of it that is used in this process. However, I'm not sure if that's what's causing the AV and a crash.

Anyone else seeing this?

EDR Test SylantStrike not bypassed?

Hey,
I'm trying to bypass the example https://github.com/CCob/SylantStrike .
The below is my code snipper using SharpUnhooker:

public class SUUsageExample{
.....
public static void Main()
    {
        SharpUnhooker.Mein();
        byte[] buf = new byte[285] { 0xfc,0x48,0x81,0xe4,0xf0,0....... }; // just message box
        run(buf);
    }

    public static void run(byte[] ShellcodeBytes)
    {
        SharpUnhooker.Mein();
        IntPtr ProcessHandle = new IntPtr(-1); // pseudo-handle for current process
        IntPtr ShellcodeBytesLength = new IntPtr(ShellcodeBytes.Length);
        IntPtr AllocationAddress = new IntPtr();
        IntPtr ZeroBitsThatZero = IntPtr.Zero;
        UInt32 AllocationTypeUsed = (UInt32)AllocationType.Commit | (UInt32)AllocationType.Reserve;
        Console.WriteLine("[*] Allocating memory...");
        NtAllocateVirtualMemory(ProcessHandle, ref AllocationAddress, ZeroBitsThatZero, ref ShellcodeBytesLength, AllocationTypeUsed, 0x04);
        Console.WriteLine("[*] Copying Shellcode...");
        Marshal.Copy(ShellcodeBytes, 0, AllocationAddress, ShellcodeBytes.Length);
        Console.WriteLine("[*] Changing memory protection setting...");
        UInt32 newProtect = 0;
        Sleep(1000);
        Console.WriteLine("[*] ...");
        NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect);
        Console.WriteLine("[*] Passed...");

When hooking with SylantStrike on the process created with the above code, SylantStrike still detects the following call from NTDLL: NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect);

This is the output when running the process:

ShellAnuuked.exe
[------------------------------------------]
[SharpUnhookerV4 - C# Based WinAPI Unhooker]
[         Written By GetRektBoy724         ]
[------------------------------------------]
[++++++++++++!SEQUENCE=STARTED!++++++++++++]
----------PHASE 1 == API UNHOOKING----------
[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL EXPORTS ARE CLEANSED!
------PHASE 2 == PATCHING AMSI AND ETW------
[*] !AMSI.DLL NOT DETECTED! [*]

[+++] !ETW PATCHED! [+++]
[+++++++++++!SEQUENCE==FINISHED!+++++++++++]
[------------------------------------------]
[SharpUnhookerV4 - C# Based WinAPI Unhooker]
[         Written By GetRektBoy724         ]
[------------------------------------------]
[++++++++++++!SEQUENCE=STARTED!++++++++++++]
----------PHASE 1 == API UNHOOKING----------
[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL EXPORTS ARE CLEANSED!
------PHASE 2 == PATCHING AMSI AND ETW------
[*] !AMSI.DLL NOT DETECTED! [*]

[+++] !ETW PATCHED! [+++]
[+++++++++++!SEQUENCE==FINISHED!+++++++++++]
[*] Allocating memory...
[*] Copying Shellcode...
[*] Changing memory protection setting...
[*] ...

This is SylantStrike output:

SylantStrikeInject.exe --dll=SylantStrike.dll --process=ShellAnuuked.exe
Waiting for process events
+ Listening for the following processes: shellanuuked.exe

 Injecting process ShellAnuuked.exe(10520) with DLL SylantStrike.dll

Shouldn't NTDLL be unhooked by the time NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect); is called?

Recommend Projects

getrektboy724 / sharpunhooker Goto Github PK

sharpunhooker's Introduction

Hi there, Im GetRektBoy724 👋

sharpunhooker's People

Contributors

Stargazers

Watchers

Forkers

sharpunhooker's Issues

System.AccessViolationException

Access Violation with JMP unhooking.

EDR Test SylantStrike not bypassed?

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent