Если нужно проверить напиши тогда в личку, запущу на динчеке, там win 10 x64 если-что вроде.
Слушай, а изнутри динчека можно как-то информацию вывести. Я хочу перечислить все функции из ключевых библиотек, которые похучены текущим авером на динчеке. Может в файл сдропнуть или запрос в сеть сделать. Динчек позволит эту инфу скачать потом? Как знаешь исследовали виртуалки вирустотала, типа брали там имя всю информацию и делали get запросы с данными в урлах. Потом с веб интерфейса забирали эти урлы и расшифровывали. На динчеке мы можем что-нить такое сделать.
Это там в платном аке только, точно не помню, по моему 100 баксов чтоли стоит, но там можно включить сеть, вытянуть инфу оттуда, только если через сеть наверное можно.
Ну ладно тогда, забей. Я просто хотел статистику собрать, какие аверы какие функции хучат в юзермоде.
А что в вашем понимании "Отключить антивирус", все сервисы защитных решений хорошо защищены, их никак не выгрузить, по крайне-мере из юзермода.
У всех антивирусов есть функция удаления или временные отключение,можно ли его запустить скрытно?
Нет, даже сейчас в новой бесятке дефендер нельзя отключить.)
Наивно полагать, что у вас это получится. Антивирусы, наверное, специально для вас оставили эту возможность
Ну в общем я погонял чуток на антивирусах тулзу, и как то я немного разочарован, я ожидал увидеть больше юзермодных хуков. Вот примеры вывода тулзы, попробуйте угадать, какой из них к какому антивирусу относится. Сами тулзы тоже прикрепил, если интересно будет, то погоняйте на своих антивирусах и закиньте результат сюда. Сейчас тулзы выводят информацию в stdout, я правильно понимаю, что чтобы протестить на динчеке надо в OutputDebugString писать?
Original NtAlpcCreatePort:
00000000`02339410 4c8bd1 mov r10,rcx
00000000`02339413 b872000000 mov eax,72h
00000000`02339418 0f05 syscall
Changed NtAlpcCreatePort:
00000000`772b9fd0 b870672300 mov eax,236770h
00000000`772b9fd5 4863c0 movsxd rax,eax
00000000`772b9fd8 ffe0 jmp rax
Original NtCreatePort:
00000000`023396c0 4c8bd1 mov r10,rcx
00000000`023396c3 b89d000000 mov eax,9Dh
00000000`023396c8 0f05 syscall
Changed NtCreatePort:
00000000`772ba280 b820672300 mov eax,236720h
00000000`772ba285 4863c0 movsxd rax,eax
00000000`772ba288 ffe0 jmp rax
Original NtCreateSection:
00000000`02339160 4c8bd1 mov r10,rcx
00000000`02339163 b847000000 mov eax,47h
00000000`02339168 0f05 syscall
Changed NtCreateSection:
00000000`772b9d20 b820782300 mov eax,237820h
00000000`772b9d25 4863c0 movsxd rax,eax
00000000`772b9d28 ffe0 jmp rax
Original NtCreateThread:
00000000`023391a0 4c8bd1 mov r10,rcx
00000000`023391a3 b84b000000 mov eax,4Bh
00000000`023391a8 0f05 syscall
Changed NtCreateThread:
00000000`772b9d60 b8f06c2300 mov eax,236CF0h
00000000`772b9d65 4863c0 movsxd rax,eax
00000000`772b9d68 ffe0 jmp rax
Original NtCreateThreadEx:
00000000`02339740 4c8bd1 mov r10,rcx
00000000`02339743 b8a5000000 mov eax,0A5h
00000000`02339748 0f05 syscall
Changed NtCreateThreadEx:
00000000`772ba300 b8506e2300 mov eax,236E50h
00000000`772ba305 4863c0 movsxd rax,eax
00000000`772ba308 ffe0 jmp rax
Original NtLoadDriver:
00000000`02339ab0 4c8bd1 mov r10,rcx
00000000`02339ab3 b8dc000000 mov eax,0DCh
00000000`02339ab8 0f05 syscall
Changed NtLoadDriver:
00000000`772ba670 b8b0672300 mov eax,2367B0h
00000000`772ba675 4863c0 movsxd rax,eax
00000000`772ba678 ffe0 jmp rax
Original NtMakeTemporaryObject:
00000000`02339b40 4c8bd1 mov r10,rcx
00000000`02339b43 b8e5000000 mov eax,0E5h
00000000`02339b48 0f05 syscall
Changed NtMakeTemporaryObject:
00000000`772ba700 b8e07b2300 mov eax,237BE0h
00000000`772ba705 4863c0 movsxd rax,eax
00000000`772ba708 ffe0 jmp rax
Original NtMapViewOfSection:
00000000`02338f40 4c8bd1 mov r10,rcx
00000000`02338f43 b825000000 mov eax,25h
00000000`02338f48 0f05 syscall
Changed NtMapViewOfSection:
00000000`772b9b00 b870732300 mov eax,237370h
00000000`772b9b05 4863c0 movsxd rax,eax
00000000`772b9b08 ffe0 jmp rax
Original NtQueueApcThread:
00000000`02339110 4c8bd1 mov r10,rcx
00000000`02339113 b842000000 mov eax,42h
00000000`02339118 0f05 syscall
Changed NtQueueApcThread:
00000000`772b9cd0 b800702300 mov eax,237000h
00000000`772b9cd5 4863c0 movsxd rax,eax
00000000`772b9cd8 ffe0 jmp rax
Original NtQueueApcThreadEx:
00000000`02339fd0 4c8bd1 mov r10,rcx
00000000`02339fd3 b82e010000 mov eax,12Eh
00000000`02339fd8 0f05 syscall
Changed NtQueueApcThreadEx:
00000000`772bab90 b810712300 mov eax,237110h
00000000`772bab95 4863c0 movsxd rax,eax
00000000`772bab98 ffe0 jmp rax
Original NtSetContextThread:
00000000`0233a1f0 4c8bd1 mov r10,rcx
00000000`0233a1f3 b850010000 mov eax,150h
00000000`0233a1f8 0f05 syscall
Changed NtSetContextThread:
00000000`772badb0 b840762300 mov eax,237640h
00000000`772badb5 4863c0 movsxd rax,eax
00000000`772badb8 ffe0 jmp rax
Original NtSetInformationThread:
00000000`02338d90 4c8bd1 mov r10,rcx
00000000`02338d93 b80a000000 mov eax,0Ah
00000000`02338d98 0f05 syscall
Changed NtSetInformationThread:
00000000`772b9950 b820772300 mov eax,237720h
00000000`772b9955 4863c0 movsxd rax,eax
00000000`772b9958 ffe0 jmp rax
Original NtSetSystemInformation:
00000000`0233a3b0 4c8bd1 mov r10,rcx
00000000`0233a3b3 b86c010000 mov eax,16Ch
00000000`0233a3b8 0f05 syscall
Changed NtSetSystemInformation:
00000000`772baf70 b8307a2300 mov eax,237A30h
00000000`772baf75 4863c0 movsxd rax,eax
00000000`772baf78 ffe0 jmp rax
Original NtSetSystemTime:
00000000`0233a3d0 4c8bd1 mov r10,rcx
00000000`0233a3d3 b86e010000 mov eax,16Eh
00000000`0233a3d8 0f05 syscall
Changed NtSetSystemTime:
00000000`772baf90 b8107b2300 mov eax,237B10h
00000000`772baf95 4863c0 movsxd rax,eax
00000000`772baf98 ffe0 jmp rax
Original NtUnmapViewOfSection:
00000000`02338f60 4c8bd1 mov r10,rcx
00000000`02338f63 b827000000 mov eax,27h
00000000`02338f68 0f05 syscall
Changed NtUnmapViewOfSection:
00000000`772b9b20 b8b0752300 mov eax,2375B0h
00000000`772b9b25 4863c0 movsxd rax,eax
00000000`772b9b28 ffe0 jmp rax
Original NtWriteVirtualMemory:
00000000`02339060 4c8bd1 mov r10,rcx
00000000`02339063 b837000000 mov eax,37h
00000000`02339068 0f05 syscall
Changed NtWriteVirtualMemory:
00000000`772b9c20 b8e06b2300 mov eax,236BE0h
00000000`772b9c25 4863c0 movsxd rax,eax
00000000`772b9c28 ffe0 jmp rax
Original ZwAlpcCreatePort:
00000000`02339410 4c8bd1 mov r10,rcx
00000000`02339413 b872000000 mov eax,72h
00000000`02339418 0f05 syscall
Changed ZwAlpcCreatePort:
00000000`772b9fd0 b870672300 mov eax,236770h
00000000`772b9fd5 4863c0 movsxd rax,eax
00000000`772b9fd8 ffe0 jmp rax
Original ZwCreatePort:
00000000`023396c0 4c8bd1 mov r10,rcx
00000000`023396c3 b89d000000 mov eax,9Dh
00000000`023396c8 0f05 syscall
Changed ZwCreatePort:
00000000`772ba280 b820672300 mov eax,236720h
00000000`772ba285 4863c0 movsxd rax,eax
00000000`772ba288 ffe0 jmp rax
Original ZwCreateSection:
00000000`02339160 4c8bd1 mov r10,rcx
00000000`02339163 b847000000 mov eax,47h
00000000`02339168 0f05 syscall
Changed ZwCreateSection:
00000000`772b9d20 b820782300 mov eax,237820h
00000000`772b9d25 4863c0 movsxd rax,eax
00000000`772b9d28 ffe0 jmp rax
Original ZwCreateThread:
00000000`023391a0 4c8bd1 mov r10,rcx
00000000`023391a3 b84b000000 mov eax,4Bh
00000000`023391a8 0f05 syscall
Changed ZwCreateThread:
00000000`772b9d60 b8f06c2300 mov eax,236CF0h
00000000`772b9d65 4863c0 movsxd rax,eax
00000000`772b9d68 ffe0 jmp rax
Original ZwCreateThreadEx:
00000000`02339740 4c8bd1 mov r10,rcx
00000000`02339743 b8a5000000 mov eax,0A5h
00000000`02339748 0f05 syscall
Changed ZwCreateThreadEx:
00000000`772ba300 b8506e2300 mov eax,236E50h
00000000`772ba305 4863c0 movsxd rax,eax
00000000`772ba308 ffe0 jmp rax
Original ZwLoadDriver:
00000000`02339ab0 4c8bd1 mov r10,rcx
00000000`02339ab3 b8dc000000 mov eax,0DCh
00000000`02339ab8 0f05 syscall
Changed ZwLoadDriver:
00000000`772ba670 b8b0672300 mov eax,2367B0h
00000000`772ba675 4863c0 movsxd rax,eax
00000000`772ba678 ffe0 jmp rax
Original ZwMakeTemporaryObject:
00000000`02339b40 4c8bd1 mov r10,rcx
00000000`02339b43 b8e5000000 mov eax,0E5h
00000000`02339b48 0f05 syscall
Changed ZwMakeTemporaryObject:
00000000`772ba700 b8e07b2300 mov eax,237BE0h
00000000`772ba705 4863c0 movsxd rax,eax
00000000`772ba708 ffe0 jmp rax
Original ZwMapViewOfSection:
00000000`02338f40 4c8bd1 mov r10,rcx
00000000`02338f43 b825000000 mov eax,25h
00000000`02338f48 0f05 syscall
Changed ZwMapViewOfSection:
00000000`772b9b00 b870732300 mov eax,237370h
00000000`772b9b05 4863c0 movsxd rax,eax
00000000`772b9b08 ffe0 jmp rax
Original ZwQueueApcThread:
00000000`02339110 4c8bd1 mov r10,rcx
00000000`02339113 b842000000 mov eax,42h
00000000`02339118 0f05 syscall
Changed ZwQueueApcThread:
00000000`772b9cd0 b800702300 mov eax,237000h
00000000`772b9cd5 4863c0 movsxd rax,eax
00000000`772b9cd8 ffe0 jmp rax
Original ZwQueueApcThreadEx:
00000000`02339fd0 4c8bd1 mov r10,rcx
00000000`02339fd3 b82e010000 mov eax,12Eh
00000000`02339fd8 0f05 syscall
Changed ZwQueueApcThreadEx:
00000000`772bab90 b810712300 mov eax,237110h
00000000`772bab95 4863c0 movsxd rax,eax
00000000`772bab98 ffe0 jmp rax
Original ZwSetContextThread:
00000000`0233a1f0 4c8bd1 mov r10,rcx
00000000`0233a1f3 b850010000 mov eax,150h
00000000`0233a1f8 0f05 syscall
Changed ZwSetContextThread:
00000000`772badb0 b840762300 mov eax,237640h
00000000`772badb5 4863c0 movsxd rax,eax
00000000`772badb8 ffe0 jmp rax
Original ZwSetInformationThread:
00000000`02338d90 4c8bd1 mov r10,rcx
00000000`02338d93 b80a000000 mov eax,0Ah
00000000`02338d98 0f05 syscall
Changed ZwSetInformationThread:
00000000`772b9950 b820772300 mov eax,237720h
00000000`772b9955 4863c0 movsxd rax,eax
00000000`772b9958 ffe0 jmp rax
Original ZwSetSystemInformation:
00000000`0233a3b0 4c8bd1 mov r10,rcx
00000000`0233a3b3 b86c010000 mov eax,16Ch
00000000`0233a3b8 0f05 syscall
Changed ZwSetSystemInformation:
00000000`772baf70 b8307a2300 mov eax,237A30h
00000000`772baf75 4863c0 movsxd rax,eax
00000000`772baf78 ffe0 jmp rax
Original ZwSetSystemTime:
00000000`0233a3d0 4c8bd1 mov r10,rcx
00000000`0233a3d3 b86e010000 mov eax,16Eh
00000000`0233a3d8 0f05 syscall
Changed ZwSetSystemTime:
00000000`772baf90 b8107b2300 mov eax,237B10h
00000000`772baf95 4863c0 movsxd rax,eax
00000000`772baf98 ffe0 jmp rax
Original ZwUnmapViewOfSection:
00000000`02338f60 4c8bd1 mov r10,rcx
00000000`02338f63 b827000000 mov eax,27h
00000000`02338f68 0f05 syscall
Changed ZwUnmapViewOfSection:
00000000`772b9b20 b8b0752300 mov eax,2375B0h
00000000`772b9b25 4863c0 movsxd rax,eax
00000000`772b9b28 ffe0 jmp rax
Original ZwWriteVirtualMemory:
00000000`02339060 4c8bd1 mov r10,rcx
00000000`02339063 b837000000 mov eax,37h
00000000`02339068 0f05 syscall
Changed ZwWriteVirtualMemory:
00000000`772b9c20 b8e06b2300 mov eax,236BE0h
00000000`772b9c25 4863c0 movsxd rax,eax
00000000`772b9c28 ffe0 jmp raxOriginal NlsAnsiCodePage:
01a25d70 0000 add byte ptr [eax],al
Changed NlsAnsiCodePage:
77dc8150 e404 in al,4
Original NtCreateProcess:
01994640 b84f000000 mov eax,4Fh
Changed NtCreateProcess:
77d35220 e9dbad5388 jmp 00270000
Original NtCreateProcessEx:
01994650 b850000000 mov eax,50h
Changed NtCreateProcessEx:
77d35230 e9cbbd5388 jmp 00271000
Original NtCreateUserProcess:
01994720 b85d000000 mov eax,5Dh
Changed NtCreateUserProcess:
77d35300 e9fbcc5388 jmp 00272000
Original ZwCreateProcess:
01994640 b84f000000 mov eax,4Fh
Changed ZwCreateProcess:
77d35220 e9dbad5388 jmp 00270000
Original ZwCreateProcessEx:
01994650 b850000000 mov eax,50h
Changed ZwCreateProcessEx:
77d35230 e9cbbd5388 jmp 00271000
Original ZwCreateUserProcess:
01994720 b85d000000 mov eax,5Dh
Changed ZwCreateUserProcess:
77d35300 e9fbcc5388 jmp 00272000
Original CopyFileExW:
0198b4a8 6a18 push 18h
0198b4aa 68f0b4e177 push offset ntdll!LdrSystemDllInitBlock+0x4bc28 (77e1b4f0)
Changed CopyFileExW:
76e8b488 e9731b3f89 jmp 0027d000
76e8b48d e876e8bc19 call 90a59d08
Original CreateDirectoryExW:
019d7fe1 8bff mov edi,edi
019d7fe3 55 push ebp
019d7fe4 8bec mov ebp,esp
Changed CreateDirectoryExW:
76ed7fc1 e93a603a89 jmp 0027e000
Original OpenMutexA:
01990632 8bff mov edi,edi
01990634 55 push ebp
01990635 8bec mov ebp,esp
Changed OpenMutexA:
76e90612 e9e9a93e89 jmp 0027b000Original NtCreateFile:
00000000`02539210 4c8bd1 mov r10,rcx
00000000`02539213 b852000000 mov eax,52h
Changed NtCreateFile:
00000000`77029dd0 e938fd76fd jmp SYSFER+0x19b0d (00000000`74799b0d)
Original NtCreateKey:
00000000`02538e90 4c8bd1 mov r10,rcx
00000000`02538e93 b81a000000 mov eax,1Ah
Changed NtCreateKey:
00000000`77029a50 e9f40077fd jmp SYSFER+0x19b49 (00000000`74799b49)
Original NtCreateUserProcess:
00000000`02539790 4c8bd1 mov r10,rcx
00000000`02539793 b8aa000000 mov eax,0AAh
Changed NtCreateUserProcess:
00000000`7702a350 e930f876fd jmp SYSFER+0x19b85 (00000000`74799b85)
Original NtDeleteFile:
00000000`02539810 4c8bd1 mov r10,rcx
00000000`02539813 b8b2000000 mov eax,0B2h
Changed NtDeleteFile:
00000000`7702a3d0 e9ecf776fd jmp SYSFER+0x19bc1 (00000000`74799bc1)
Original NtDeleteKey:
00000000`02539820 4c8bd1 mov r10,rcx
00000000`02539823 b8b3000000 mov eax,0B3h
Changed NtDeleteKey:
00000000`7702a3e0 e944f976fd jmp SYSFER+0x19d29 (00000000`74799d29)
Original NtDeleteValueKey:
00000000`02539850 4c8bd1 mov r10,rcx
00000000`02539853 b8b6000000 mov eax,0B6h
Changed NtDeleteValueKey:
00000000`7702a410 e9e8f776fd jmp SYSFER+0x19bfd (00000000`74799bfd)
Original NtMapViewOfSection:
00000000`02538f40 4c8bd1 mov r10,rcx
00000000`02538f43 b825000000 mov eax,25h
Changed NtMapViewOfSection:
00000000`77029b00 e9340177fd jmp SYSFER+0x19c39 (00000000`74799c39)
Original NtOpenFile:
00000000`02538ff0 4c8bd1 mov r10,rcx
00000000`02538ff3 b830000000 mov eax,30h
Changed NtOpenFile:
00000000`77029bb0 e9c00077fd jmp SYSFER+0x19c75 (00000000`74799c75)
Original NtOpenKey:
00000000`02538de0 4c8bd1 mov r10,rcx
00000000`02538de3 b80f000000 mov eax,0Fh
Changed NtOpenKey:
00000000`770299a0 e90c0377fd jmp SYSFER+0x19cb1 (00000000`74799cb1)
Original NtOpenKeyEx:
00000000`02539c10 4c8bd1 mov r10,rcx
00000000`02539c13 b8f2000000 mov eax,0F2h
Changed NtOpenKeyEx:
00000000`7702a7d0 e918f576fd jmp SYSFER+0x19ced (00000000`74799ced)
Original NtRenameKey:
00000000`0253a0a0 4c8bd1 mov r10,rcx
00000000`0253a0a3 b83b010000 mov eax,13Bh
Changed NtRenameKey:
00000000`7702ac60 e900f176fd jmp SYSFER+0x19d65 (00000000`74799d65)
Original NtSetInformationFile:
00000000`02538f30 4c8bd1 mov r10,rcx
00000000`02538f33 b824000000 mov eax,24h
Changed NtSetInformationFile:
00000000`77029af0 e9ac0277fd jmp SYSFER+0x19da1 (00000000`74799da1)
Original NtSetValueKey:
00000000`025392c0 4c8bd1 mov r10,rcx
00000000`025392c3 b85d000000 mov eax,5Dh
Changed NtSetValueKey:
00000000`77029e80 e958ff76fd jmp SYSFER+0x19ddd (00000000`74799ddd)
Original NtTerminateProcess:
00000000`02538f80 4c8bd1 mov r10,rcx
00000000`02538f83 b829000000 mov eax,29h
Changed NtTerminateProcess:
00000000`77029b40 e9d40277fd jmp SYSFER+0x19e19 (00000000`74799e19)
Original NtTerminateThread:
00000000`025391f0 4c8bd1 mov r10,rcx
00000000`025391f3 b850000000 mov eax,50h
Changed NtTerminateThread:
00000000`77029db0 e9a00077fd jmp SYSFER+0x19e55 (00000000`74799e55)
Original ZwCreateFile:
00000000`02539210 4c8bd1 mov r10,rcx
00000000`02539213 b852000000 mov eax,52h
Changed ZwCreateFile:
00000000`77029dd0 e938fd76fd jmp SYSFER+0x19b0d (00000000`74799b0d)
Original ZwCreateKey:
00000000`02538e90 4c8bd1 mov r10,rcx
00000000`02538e93 b81a000000 mov eax,1Ah
Changed ZwCreateKey:
00000000`77029a50 e9f40077fd jmp SYSFER+0x19b49 (00000000`74799b49)
Original ZwCreateUserProcess:
00000000`02539790 4c8bd1 mov r10,rcx
00000000`02539793 b8aa000000 mov eax,0AAh
Changed ZwCreateUserProcess:
00000000`7702a350 e930f876fd jmp SYSFER+0x19b85 (00000000`74799b85)
Original ZwDeleteFile:
00000000`02539810 4c8bd1 mov r10,rcx
00000000`02539813 b8b2000000 mov eax,0B2h
Changed ZwDeleteFile:
00000000`7702a3d0 e9ecf776fd jmp SYSFER+0x19bc1 (00000000`74799bc1)
Original ZwDeleteKey:
00000000`02539820 4c8bd1 mov r10,rcx
00000000`02539823 b8b3000000 mov eax,0B3h
Changed ZwDeleteKey:
00000000`7702a3e0 e944f976fd jmp SYSFER+0x19d29 (00000000`74799d29)
Original ZwDeleteValueKey:
00000000`02539850 4c8bd1 mov r10,rcx
00000000`02539853 b8b6000000 mov eax,0B6h
Changed ZwDeleteValueKey:
00000000`7702a410 e9e8f776fd jmp SYSFER+0x19bfd (00000000`74799bfd)
Original ZwMapViewOfSection:
00000000`02538f40 4c8bd1 mov r10,rcx
00000000`02538f43 b825000000 mov eax,25h
Changed ZwMapViewOfSection:
00000000`77029b00 e9340177fd jmp SYSFER+0x19c39 (00000000`74799c39)
Original ZwOpenFile:
00000000`02538ff0 4c8bd1 mov r10,rcx
00000000`02538ff3 b830000000 mov eax,30h
Changed ZwOpenFile:
00000000`77029bb0 e9c00077fd jmp SYSFER+0x19c75 (00000000`74799c75)
Original ZwOpenKey:
00000000`02538de0 4c8bd1 mov r10,rcx
00000000`02538de3 b80f000000 mov eax,0Fh
Changed ZwOpenKey:
00000000`770299a0 e90c0377fd jmp SYSFER+0x19cb1 (00000000`74799cb1)
Original ZwOpenKeyEx:
00000000`02539c10 4c8bd1 mov r10,rcx
00000000`02539c13 b8f2000000 mov eax,0F2h
Changed ZwOpenKeyEx:
00000000`7702a7d0 e918f576fd jmp SYSFER+0x19ced (00000000`74799ced)
Original ZwRenameKey:
00000000`0253a0a0 4c8bd1 mov r10,rcx
00000000`0253a0a3 b83b010000 mov eax,13Bh
Changed ZwRenameKey:
00000000`7702ac60 e900f176fd jmp SYSFER+0x19d65 (00000000`74799d65)
Original ZwSetInformationFile:
00000000`02538f30 4c8bd1 mov r10,rcx
00000000`02538f33 b824000000 mov eax,24h
Changed ZwSetInformationFile:
00000000`77029af0 e9ac0277fd jmp SYSFER+0x19da1 (00000000`74799da1)
Original ZwSetValueKey:
00000000`025392c0 4c8bd1 mov r10,rcx
00000000`025392c3 b85d000000 mov eax,5Dh
Changed ZwSetValueKey:
00000000`77029e80 e958ff76fd jmp SYSFER+0x19ddd (00000000`74799ddd)
Original ZwTerminateProcess:
00000000`02538f80 4c8bd1 mov r10,rcx
00000000`02538f83 b829000000 mov eax,29h
Changed ZwTerminateProcess:
00000000`77029b40 e9d40277fd jmp SYSFER+0x19e19 (00000000`74799e19)
Original ZwTerminateThread:
00000000`025391f0 4c8bd1 mov r10,rcx
00000000`025391f3 b850000000 mov eax,50h
Changed ZwTerminateThread:
00000000`77029db0 e9a00077fd jmp SYSFER+0x19e55 (00000000`74799e55)Думаю-да, честно неразу не использовал дичек для этой цели.
Ну просто находишь mov eax, <dword>, это дворд, следующий за байтом 0xb8, так?
Ну-да, там очень просто всё оказалось, прям на удивление легко...
mov r10, rcxmov eax, number_syscallstatic unsigned char GetSysCallNumber(uintptr_t module, char *name_api)
{
unsigned char call_number = 0;
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER) module;
PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((LPBYTE)pDosHeader + pDosHeader->e_lfanew);
if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pNtHeader->Signature != IMAGE_NT_SIGNATURE)
{
printf("+++ Error header\n");
return -1;
}
PIMAGE_EXPORT_DIRECTORY pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((LPBYTE)pDosHeader + pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
if (!pExportDirectory)
{
printf("+++ Error export dir\n");
return -1;
}
PDWORD dwAddress = (PDWORD)((LPBYTE)pDosHeader + pExportDirectory->AddressOfFunctions);
PDWORD dwName = (PDWORD)((LPBYTE)pDosHeader + pExportDirectory->AddressOfNames);
PWORD dwOrdinal = (PWORD)((LPBYTE)pDosHeader + pExportDirectory->AddressOfNameOrdinals);
unsigned char pBuf[32] = { 0 };
const unsigned char pSig[4] = { 0x4C, 0x8B, 0xD1, 0xB8 };
for (DWORD i = 0; i < pExportDirectory->NumberOfFunctions; i++)
{
memset(&pBuf, 0, 32);
PVOID pAddr = (PVOID)((LPBYTE)pDosHeader + dwAddress[dwOrdinal[i]]);
char* szName = (char*)pDosHeader + dwName[i];
memcpy(&pBuf, pAddr, 32);
if (!pAddr || !szName)
break;
for (int x = 0; x < sizeof(pSig); x++)
{
if (pBuf[x] != pSig[x])
break;
if (x == sizeof(pSig) - 1) {
if (!strcmp(name_api, szName))
{
call_number = pBuf[4];
break;
}
}
}
}
return call_number;
}Аваст:
Z:\>cmd.exe
Microsoft Windows [Version 10.0.17763.1158]
(c) Корпорация Майкрософт (Microsoft Corporation), 2018. Все права защищены.
Z:\>analyze64.exe
Original KiUserInvertedFunctionTable:
00000000`02308510 0100 add dword ptr [rax],eax
Changed KiUserInvertedFunctionTable:
00007ffa`870684d0 2000 and byte ptr [rax],al
Original LdrLoadDll:
00000000`021dec20 48895c2410 mov qword ptr [rsp+10h],rbx
00000000`021dec25 56 push rsi
Changed LdrLoadDll:
00007ffa`86f357e0 e9d3ae03c0 jmp 00007ffa`46f706b8
00007ffa`86f357e5 cc int 3
Original NtCreateEvent:
00000000`02239490 4c8bd1 mov r10,rcx
00000000`02239493 b848000000 mov eax,48h
Changed NtCreateEvent:
00007ffa`86f90050 e9a302febf jmp 00007ffa`46f702f8
00007ffa`86f90055 cc int 3
00007ffa`86f90056 cc int 3
00007ffa`86f90057 cc int 3
Original NtCreateMutant:
00000000`0223a140 4c8bd1 mov r10,rcx
00000000`0223a143 b8ae000000 mov eax,0AEh
Changed NtCreateMutant:
00007ffa`86f90d00 e953f6fdbf jmp 00007ffa`46f70358
00007ffa`86f90d05 cc int 3
00007ffa`86f90d06 cc int 3
00007ffa`86f90d07 cc int 3
Original NtCreateSection:
00000000`022394d0 4c8bd1 mov r10,rcx
00000000`022394d3 b84a000000 mov eax,4Ah
Changed NtCreateSection:
00007ffa`86f90090 e98306febf jmp 00007ffa`46f70718
00007ffa`86f90095 cc int 3
00007ffa`86f90096 cc int 3
00007ffa`86f90097 cc int 3
Original NtCreateSemaphore:
00000000`0223a2c0 4c8bd1 mov r10,rcx
00000000`0223a2c3 b8ba000000 mov eax,0BAh
Changed NtCreateSemaphore:
00007ffa`86f90e80 e933f5fdbf jmp 00007ffa`46f703b8
00007ffa`86f90e85 cc int 3
00007ffa`86f90e86 cc int 3
00007ffa`86f90e87 cc int 3
Original NtCreateUserProcess:
00000000`0223a3e0 4c8bd1 mov r10,rcx
00000000`0223a3e3 b8c3000000 mov eax,0C3h
Changed NtCreateUserProcess:
00007ffa`86f90fa0 e973f4fdbf jmp 00007ffa`46f70418
00007ffa`86f90fa5 cc int 3
00007ffa`86f90fa6 cc int 3
00007ffa`86f90fa7 cc int 3
Original NtMapViewOfSection:
00000000`02239090 4c8bd1 mov r10,rcx
00000000`02239093 b828000000 mov eax,28h
Changed NtMapViewOfSection:
00007ffa`86f8fc50 e9e305febf jmp 00007ffa`46f70238
00007ffa`86f8fc55 cc int 3
00007ffa`86f8fc56 cc int 3
00007ffa`86f8fc57 cc int 3
Original NtOpenEvent:
00000000`02239390 4c8bd1 mov r10,rcx
00000000`02239393 b840000000 mov eax,40h
Changed NtOpenEvent:
00007ffa`86f8ff50 e92305febf jmp 00007ffa`46f70478
00007ffa`86f8ff55 cc int 3
00007ffa`86f8ff56 cc int 3
00007ffa`86f8ff57 cc int 3
Original NtOpenMutant:
00000000`0223af40 4c8bd1 mov r10,rcx
00000000`0223af43 b81e010000 mov eax,11Eh
Changed NtOpenMutant:
00007ffa`86f91b00 e9d3e9fdbf jmp 00007ffa`46f704d8
00007ffa`86f91b05 cc int 3
00007ffa`86f91b06 cc int 3
00007ffa`86f91b07 cc int 3
Original NtOpenSection:
00000000`02239270 4c8bd1 mov r10,rcx
00000000`02239273 b837000000 mov eax,37h
Changed NtOpenSection:
00007ffa`86f8fe30 e94309febf jmp 00007ffa`46f70778
00007ffa`86f8fe35 cc int 3
00007ffa`86f8fe36 cc int 3
00007ffa`86f8fe37 cc int 3
Original NtOpenSemaphore:
00000000`0223b020 4c8bd1 mov r10,rcx
00000000`0223b023 b825010000 mov eax,125h
Changed NtOpenSemaphore:
00007ffa`86f91be0 e953e9fdbf jmp 00007ffa`46f70538
00007ffa`86f91be5 cc int 3
00007ffa`86f91be6 cc int 3
00007ffa`86f91be7 cc int 3
Original NtOpenThread:
00000000`0223b080 4c8bd1 mov r10,rcx
00000000`0223b083 b828010000 mov eax,128h
Changed NtOpenThread:
00007ffa`86f91c40 e993ebfdbf jmp 00007ffa`46f707d8
00007ffa`86f91c45 cc int 3
00007ffa`86f91c46 cc int 3
00007ffa`86f91c47 cc int 3
Original NtProtectVirtualMemory:
00000000`02239590 4c8bd1 mov r10,rcx
00000000`02239593 b850000000 mov eax,50h
Changed NtProtectVirtualMemory:
00007ffa`86f90150 e98300febf jmp 00007ffa`46f701d8
00007ffa`86f90155 cc int 3
00007ffa`86f90156 cc int 3
00007ffa`86f90157 cc int 3
Original NtQueryInformationProcess:
00000000`02238eb0 4c8bd1 mov r10,rcx
00000000`02238eb3 b819000000 mov eax,19h
Changed NtQueryInformationProcess:
00007ffa`86f8fa70 e9e30bfebf jmp 00007ffa`46f70658
00007ffa`86f8fa75 cc int 3
00007ffa`86f8fa76 cc int 3
00007ffa`86f8fa77 cc int 3
Original NtResumeThread:
00000000`022395d0 4c8bd1 mov r10,rcx
00000000`022395d3 b852000000 mov eax,52h
Changed NtResumeThread:
00007ffa`86f90190 e90301febf jmp 00007ffa`46f70298
00007ffa`86f90195 cc int 3
00007ffa`86f90196 cc int 3
00007ffa`86f90197 cc int 3
Original NtSuspendProcess:
00000000`0223c200 4c8bd1 mov r10,rcx
00000000`0223c203 b8b4010000 mov eax,1B4h
Changed NtSuspendProcess:
00007ffa`86f92dc0 e9d3dafdbf jmp 00007ffa`46f70898
00007ffa`86f92dc5 cc int 3
00007ffa`86f92dc6 cc int 3
00007ffa`86f92dc7 cc int 3
Original NtTerminateProcess:
00000000`02239110 4c8bd1 mov r10,rcx
00000000`02239113 b82c000000 mov eax,2Ch
Changed NtTerminateProcess:
00007ffa`86f8fcd0 e9630bfebf jmp 00007ffa`46f70838
00007ffa`86f8fcd5 cc int 3
00007ffa`86f8fcd6 cc int 3
00007ffa`86f8fcd7 cc int 3
Original NtWriteVirtualMemory:
00000000`022392d0 4c8bd1 mov r10,rcx
00000000`022392d3 b83a000000 mov eax,3Ah
Changed NtWriteVirtualMemory:
00007ffa`86f8fe90 e9e302febf jmp 00007ffa`46f70178
00007ffa`86f8fe95 cc int 3
00007ffa`86f8fe96 cc int 3
00007ffa`86f8fe97 cc int 3
Original RtlDecompressBuffer:
00000000`0228dcd0 48895c2408 mov qword ptr [rsp+8],rbx
00000000`0228dcd5 57 push rdi
Changed RtlDecompressBuffer:
00007ffa`86fe4890 e903bdf8bf jmp 00007ffa`46f70598
00007ffa`86fe4895 cc int 3
Original RtlQueryEnvironmentVariable:
00000000`021dd1b0 4c8bdc mov r11,rsp
00000000`021dd1b3 49895b08 mov qword ptr [r11+8],rbx
Changed RtlQueryEnvironmentVariable:
00007ffa`86f33d70 e983c803c0 jmp 00007ffa`46f705f8
00007ffa`86f33d75 cc int 3
00007ffa`86f33d76 cc int 3
Original ZwCreateEvent:
00000000`02239490 4c8bd1 mov r10,rcx
00000000`02239493 b848000000 mov eax,48h
Changed ZwCreateEvent:
00007ffa`86f90050 e9a302febf jmp 00007ffa`46f702f8
00007ffa`86f90055 cc int 3
00007ffa`86f90056 cc int 3
00007ffa`86f90057 cc int 3
Original ZwCreateMutant:
00000000`0223a140 4c8bd1 mov r10,rcx
00000000`0223a143 b8ae000000 mov eax,0AEh
Changed ZwCreateMutant:
00007ffa`86f90d00 e953f6fdbf jmp 00007ffa`46f70358
00007ffa`86f90d05 cc int 3
00007ffa`86f90d06 cc int 3
00007ffa`86f90d07 cc int 3
Original ZwCreateSection:
00000000`022394d0 4c8bd1 mov r10,rcx
00000000`022394d3 b84a000000 mov eax,4Ah
Changed ZwCreateSection:
00007ffa`86f90090 e98306febf jmp 00007ffa`46f70718
00007ffa`86f90095 cc int 3
00007ffa`86f90096 cc int 3
00007ffa`86f90097 cc int 3
Original ZwCreateSemaphore:
00000000`0223a2c0 4c8bd1 mov r10,rcx
00000000`0223a2c3 b8ba000000 mov eax,0BAh
Changed ZwCreateSemaphore:
00007ffa`86f90e80 e933f5fdbf jmp 00007ffa`46f703b8
00007ffa`86f90e85 cc int 3
00007ffa`86f90e86 cc int 3
00007ffa`86f90e87 cc int 3
Original ZwCreateUserProcess:
00000000`0223a3e0 4c8bd1 mov r10,rcx
00000000`0223a3e3 b8c3000000 mov eax,0C3h
Changed ZwCreateUserProcess:
00007ffa`86f90fa0 e973f4fdbf jmp 00007ffa`46f70418
00007ffa`86f90fa5 cc int 3
00007ffa`86f90fa6 cc int 3
00007ffa`86f90fa7 cc int 3
Original ZwMapViewOfSection:
00000000`02239090 4c8bd1 mov r10,rcx
00000000`02239093 b828000000 mov eax,28h
Changed ZwMapViewOfSection:
00007ffa`86f8fc50 e9e305febf jmp 00007ffa`46f70238
00007ffa`86f8fc55 cc int 3
00007ffa`86f8fc56 cc int 3
00007ffa`86f8fc57 cc int 3
Original ZwOpenEvent:
00000000`02239390 4c8bd1 mov r10,rcx
00000000`02239393 b840000000 mov eax,40h
Changed ZwOpenEvent:
00007ffa`86f8ff50 e92305febf jmp 00007ffa`46f70478
00007ffa`86f8ff55 cc int 3
00007ffa`86f8ff56 cc int 3
00007ffa`86f8ff57 cc int 3
Original ZwOpenMutant:
00000000`0223af40 4c8bd1 mov r10,rcx
00000000`0223af43 b81e010000 mov eax,11Eh
Changed ZwOpenMutant:
00007ffa`86f91b00 e9d3e9fdbf jmp 00007ffa`46f704d8
00007ffa`86f91b05 cc int 3
00007ffa`86f91b06 cc int 3
00007ffa`86f91b07 cc int 3
Original ZwOpenSection:
00000000`02239270 4c8bd1 mov r10,rcx
00000000`02239273 b837000000 mov eax,37h
Changed ZwOpenSection:
00007ffa`86f8fe30 e94309febf jmp 00007ffa`46f70778
00007ffa`86f8fe35 cc int 3
00007ffa`86f8fe36 cc int 3
00007ffa`86f8fe37 cc int 3
Original ZwOpenSemaphore:
00000000`0223b020 4c8bd1 mov r10,rcx
00000000`0223b023 b825010000 mov eax,125h
Changed ZwOpenSemaphore:
00007ffa`86f91be0 e953e9fdbf jmp 00007ffa`46f70538
00007ffa`86f91be5 cc int 3
00007ffa`86f91be6 cc int 3
00007ffa`86f91be7 cc int 3
Original ZwOpenThread:
00000000`0223b080 4c8bd1 mov r10,rcx
00000000`0223b083 b828010000 mov eax,128h
Changed ZwOpenThread:
00007ffa`86f91c40 e993ebfdbf jmp 00007ffa`46f707d8
00007ffa`86f91c45 cc int 3
00007ffa`86f91c46 cc int 3
00007ffa`86f91c47 cc int 3
Original ZwProtectVirtualMemory:
00000000`02239590 4c8bd1 mov r10,rcx
00000000`02239593 b850000000 mov eax,50h
Changed ZwProtectVirtualMemory:
00007ffa`86f90150 e98300febf jmp 00007ffa`46f701d8
00007ffa`86f90155 cc int 3
00007ffa`86f90156 cc int 3
00007ffa`86f90157 cc int 3
Original ZwQueryInformationProcess:
00000000`02238eb0 4c8bd1 mov r10,rcx
00000000`02238eb3 b819000000 mov eax,19h
Changed ZwQueryInformationProcess:
00007ffa`86f8fa70 e9e30bfebf jmp 00007ffa`46f70658
00007ffa`86f8fa75 cc int 3
00007ffa`86f8fa76 cc int 3
00007ffa`86f8fa77 cc int 3
Original ZwResumeThread:
00000000`022395d0 4c8bd1 mov r10,rcx
00000000`022395d3 b852000000 mov eax,52h
Changed ZwResumeThread:
00007ffa`86f90190 e90301febf jmp 00007ffa`46f70298
00007ffa`86f90195 cc int 3
00007ffa`86f90196 cc int 3
00007ffa`86f90197 cc int 3
Original ZwSuspendProcess:
00000000`0223c200 4c8bd1 mov r10,rcx
00000000`0223c203 b8b4010000 mov eax,1B4h
Changed ZwSuspendProcess:
00007ffa`86f92dc0 e9d3dafdbf jmp 00007ffa`46f70898
00007ffa`86f92dc5 cc int 3
00007ffa`86f92dc6 cc int 3
00007ffa`86f92dc7 cc int 3
Original ZwTerminateProcess:
00000000`02239110 4c8bd1 mov r10,rcx
00000000`02239113 b82c000000 mov eax,2Ch
Changed ZwTerminateProcess:
00007ffa`86f8fcd0 e9630bfebf jmp 00007ffa`46f70838
00007ffa`86f8fcd5 cc int 3
00007ffa`86f8fcd6 cc int 3
00007ffa`86f8fcd7 cc int 3
Original ZwWriteVirtualMemory:
00000000`022392d0 4c8bd1 mov r10,rcx
00000000`022392d3 b83a000000 mov eax,3Ah
Changed ZwWriteVirtualMemory:
00007ffa`86f8fe90 e9e302febf jmp 00007ffa`46f70178
00007ffa`86f8fe95 cc int 3
00007ffa`86f8fe96 cc int 3
00007ffa`86f8fe97 cc int 3
Z:\>
Z:\>analyze32.exe
Original LdrLoadDll:
024577a0 8bff mov edi,edi
024577a2 55 push ebp
024577a3 8bec mov ebp,esp
Changed LdrLoadDll:
76edd380 e9db6451fc jmp aswhook+0x3860 (733f3860)
Original NtCreateEvent:
0247af20 b848000000 mov eax,48h
Changed NtCreateEvent:
76f00b00 e9bb254ffc jmp aswhook+0x30c0 (733f30c0)
Original NtCreateMutant:
0247b580 b8ae000000 mov eax,0AEh
Changed NtCreateMutant:
76f01160 e99b1f4ffc jmp aswhook+0x3100 (733f3100)
Original NtCreateSection:
0247af40 b84a000000 mov eax,4Ah
Changed NtCreateSection:
76f00b20 e9ab2e4ffc jmp aswhook+0x39d0 (733f39d0)
Original NtCreateSemaphore:
0247b640 b8ba000000 mov eax,0BAh
Changed NtCreateSemaphore:
76f01220 e91b1f4ffc jmp aswhook+0x3140 (733f3140)
Original NtCreateUserProcess:
0247b6d0 b8c3000000 mov eax,0C3h
Changed NtCreateUserProcess:
76f012b0 e9cb1e4ffc jmp aswhook+0x3180 (733f3180)
Original NtMapViewOfSection:
0247ad20 b828000000 mov eax,28h
Changed NtMapViewOfSection:
76f00900 e94b224ffc jmp aswhook+0x2b50 (733f2b50)
Original NtOpenEvent:
0247aea0 b840000000 mov eax,40h
Changed NtOpenEvent:
76f00a80 e95b264ffc jmp aswhook+0x30e0 (733f30e0)
Original NtOpenMutant:
0247bc80 b81e010000 mov eax,11Eh
Changed NtOpenMutant:
76f01860 e9bb184ffc jmp aswhook+0x3120 (733f3120)
Original NtOpenSection:
0247ae10 b837000000 mov eax,37h
Changed NtOpenSection:
76f009f0 e92b304ffc jmp aswhook+0x3a20 (733f3a20)
Original NtOpenSemaphore:
0247bcf0 b825010000 mov eax,125h
Changed NtOpenSemaphore:
76f018d0 e98b184ffc jmp aswhook+0x3160 (733f3160)
Original NtOpenThread:
0247bd20 b828010000 mov eax,128h
Changed NtOpenThread:
76f01900 e9eb144ffc jmp aswhook+0x2df0 (733f2df0)
Original NtProtectVirtualMemory:
0247afa0 b850000000 mov eax,50h
Changed NtProtectVirtualMemory:
76f00b80 e97b1f4ffc jmp aswhook+0x2b00 (733f2b00)
Original NtQueryInformationProcess:
0247ac10 b819000000 mov eax,19h
Changed NtQueryInformationProcess:
76f007f0 e9eb2c4ffc jmp aswhook+0x34e0 (733f34e0)
Original NtResumeThread:
0247afc0 b852000700 mov eax,70052h
Changed NtResumeThread:
76f00ba0 e9db234ffc jmp aswhook+0x2f80 (733f2f80)
Original NtSuspendProcess:
0247c5e0 b8b4010300 mov eax,301B4h
Changed NtSuspendProcess:
76f021c0 e94b1b4ffc jmp aswhook+0x3d10 (733f3d10)
Original NtTerminateProcess:
0247ad60 b82c000700 mov eax,7002Ch
Changed NtTerminateProcess:
76f00940 e95b324ffc jmp aswhook+0x3ba0 (733f3ba0)
Original NtWriteVirtualMemory:
0247ae40 b83a000000 mov eax,3Ah
Changed NtWriteVirtualMemory:
76f00a20 e91b204ffc jmp aswhook+0x2a40 (733f2a40)
Original RtlDecompressBuffer:
024e1970 8bff mov edi,edi
024e1972 55 push ebp
024e1973 8bec mov ebp,esp
Changed RtlDecompressBuffer:
76f67550 e92bbd48fc jmp aswhook+0x3280 (733f3280)
Original RtlQueryEnvironmentVariable:
0245c160 8bff mov edi,edi
0245c162 55 push ebp
0245c163 8bec mov ebp,esp
Changed RtlQueryEnvironmentVariable:
76ee1d40 e9eb1651fc jmp aswhook+0x3430 (733f3430)
Original ZwCreateEvent:
0247af20 b848000000 mov eax,48h
Changed ZwCreateEvent:
76f00b00 e9bb254ffc jmp aswhook+0x30c0 (733f30c0)
Original ZwCreateMutant:
0247b580 b8ae000000 mov eax,0AEh
Changed ZwCreateMutant:
76f01160 e99b1f4ffc jmp aswhook+0x3100 (733f3100)
Original ZwCreateSection:
0247af40 b84a000000 mov eax,4Ah
Changed ZwCreateSection:
76f00b20 e9ab2e4ffc jmp aswhook+0x39d0 (733f39d0)
Original ZwCreateSemaphore:
0247b640 b8ba000000 mov eax,0BAh
Changed ZwCreateSemaphore:
76f01220 e91b1f4ffc jmp aswhook+0x3140 (733f3140)
Original ZwCreateUserProcess:
0247b6d0 b8c3000000 mov eax,0C3h
Changed ZwCreateUserProcess:
76f012b0 e9cb1e4ffc jmp aswhook+0x3180 (733f3180)
Original ZwMapViewOfSection:
0247ad20 b828000000 mov eax,28h
Changed ZwMapViewOfSection:
76f00900 e94b224ffc jmp aswhook+0x2b50 (733f2b50)
Original ZwOpenEvent:
0247aea0 b840000000 mov eax,40h
Changed ZwOpenEvent:
76f00a80 e95b264ffc jmp aswhook+0x30e0 (733f30e0)
Original ZwOpenMutant:
0247bc80 b81e010000 mov eax,11Eh
Changed ZwOpenMutant:
76f01860 e9bb184ffc jmp aswhook+0x3120 (733f3120)
Original ZwOpenSection:
0247ae10 b837000000 mov eax,37h
Changed ZwOpenSection:
76f009f0 e92b304ffc jmp aswhook+0x3a20 (733f3a20)
Original ZwOpenSemaphore:
0247bcf0 b825010000 mov eax,125h
Changed ZwOpenSemaphore:
76f018d0 e98b184ffc jmp aswhook+0x3160 (733f3160)
Original ZwOpenThread:
0247bd20 b828010000 mov eax,128h
Changed ZwOpenThread:
76f01900 e9eb144ffc jmp aswhook+0x2df0 (733f2df0)
Original ZwProtectVirtualMemory:
0247afa0 b850000000 mov eax,50h
Changed ZwProtectVirtualMemory:
76f00b80 e97b1f4ffc jmp aswhook+0x2b00 (733f2b00)
Original ZwQueryInformationProcess:
0247ac10 b819000000 mov eax,19h
Changed ZwQueryInformationProcess:
76f007f0 e9eb2c4ffc jmp aswhook+0x34e0 (733f34e0)
Original ZwResumeThread:
0247afc0 b852000700 mov eax,70052h
Changed ZwResumeThread:
76f00ba0 e9db234ffc jmp aswhook+0x2f80 (733f2f80)
Original ZwSuspendProcess:
0247c5e0 b8b4010300 mov eax,301B4h
Changed ZwSuspendProcess:
76f021c0 e94b1b4ffc jmp aswhook+0x3d10 (733f3d10)
Original ZwTerminateProcess:
0247ad60 b82c000700 mov eax,7002Ch
Changed ZwTerminateProcess:
76f00940 e95b324ffc jmp aswhook+0x3ba0 (733f3ba0)
Original ZwWriteVirtualMemory:
0247ae40 b83a000000 mov eax,3Ah
Changed ZwWriteVirtualMemory:
76f00a20 e91b204ffc jmp aswhook+0x2a40 (733f2a40)
Original Wow64Transition:
0067dfac 104982 adc byte ptr [ecx-7Eh],cl
0067dfaf 6bf002 imul esi,eax,2
Changed Wow64Transition:
75df1f8c 0060e8 add byte ptr [eax-18h],ah
75df1f8f 76f0 jbe KERNEL32!WerpLaunchAeDebug+0x1ea81 (75df1f81)На самом деле об этом канеш много уже написано, ну попробую на выходных что-то оформить. Копирование сискола из файла на диске работает для нативных приложений (32-битных на 32-битных осях, 64-битных на 64-битных осях, само собой не работает для wow64, но в этом случае можно воспользоваться хевенсгейтом, вряд ли аверы настолько харкорны, что будут перехватывать и 64-битный ntdll.dll). Получения номера сискола тоже работает, но я чет не могу понять, как на сишечке сделать унтверсальную функцию для вызова сисколла по номеру. Не натыкался на такую реализацию?
