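// kernel32 imports used by AntiWPEPro. Addresses and the optional byte-count
// pointers are declared pointer-sized (IntPtr) so the signatures match the
// native prototypes instead of relying on 32-bit int/pointer equivalence.
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
static extern IntPtr GetModuleHandle(string lpModuleName);

// lpNumberOfBytesRead is optional in the native API; pass IntPtr.Zero to skip it.
[DllImport("kernel32.dll", SetLastError = true, PreserveSig = true)]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, UIntPtr nSize, IntPtr lpNumberOfBytesRead);

[DllImport("kernel32.dll")]
static extern IntPtr GetCurrentProcess();

// lpNumberOfBytesWritten is optional in the native API; pass IntPtr.Zero to skip it.
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UIntPtr nSize, IntPtr lpNumberOfBytesWritten);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
static extern IntPtr LoadLibrary(string lpFileName);

/// <summary>
/// Compares the first bytes of one function in the current process with a
/// reference copy and writes the reference copy back if they differ.
/// </summary>
/// <param name="process">Pseudo-handle of the current process.</param>
/// <param name="target">Address of the function to check; skipped when zero.</param>
/// <param name="expected">Reference bytes the function is expected to start with.</param>
/// <param name="scratch">Reusable read buffer, at least as long as <paramref name="expected"/>.</param>
private static void RestorePrologueIfChanged(IntPtr process, IntPtr target, byte[] expected, byte[] scratch)
{
    if (target == IntPtr.Zero)
    {
        // Export was not resolved; there is nothing valid to read or write.
        return;
    }

    UIntPtr length = (UIntPtr)(uint)expected.Length;

    // A failed read leaves stale data in scratch. Comparing that data would
    // report a false mismatch and trigger a write, so stop here instead.
    if (!ReadProcessMemory(process, target, scratch, length, IntPtr.Zero))
    {
        return;
    }

    for (int i = 0; i < expected.Length; i++)
    {
        if (expected[i] != scratch[i])
        {
            // NOTE(review): this write is not atomic with respect to other
            // threads that may be executing the function at the same moment.
            WriteProcessMemory(process, target, expected, length, IntPtr.Zero);
            return;
        }
    }
}

/// <summary>
/// Tamper check for the Winsock <c>send</c> and <c>recv</c> exports of the
/// current process: every 600 ms the first six bytes of each function are
/// compared with a hard-coded reference and rewritten when they differ.
/// </summary>
/// <remarks>
/// Anti-WPEPro coded by a59, ported to C# by Ember/vH! 2k9.
/// <para>
/// The method loops forever and is meant to run on its own thread. It returns
/// immediately when the process is not 32-bit or WS2_32.dll cannot be loaded.
/// </para>
/// <para>
/// Limits a maintainer should know: the reference bytes are specific to the
/// WS2_32.dll build the original author inspected, so on a build with a
/// different prologue the "restore" would corrupt the function. Only six
/// bytes of two exports are covered, which makes this a best-effort check
/// rather than an integrity guarantee. Writes into a system DLL's code
/// section are also the kind of activity endpoint security tooling may flag.
/// </para>
/// </remarks>
public static void AntiWPEPro()
{
    // The reference bytes are 32-bit x86 instructions. In a 64-bit process
    // they would never match and the write-back would damage the function.
    if (IntPtr.Size != 4)
    {
        return;
    }

    // Load by full system path so the DLL search order cannot substitute a
    // same-named library from the application or working directory.
    string winsockPath = System.IO.Path.Combine(Environment.SystemDirectory, "WS2_32.dll");
    IntPtr winsock = LoadLibrary(winsockPath);
    if (winsock == IntPtr.Zero)
    {
        return;
    }

    // First 6 bytes of send/recv as found by the porter (Ember):
    //   8B FF   MOV EDI, EDI
    //   55      PUSH EBP
    //   8B EC   MOV EBP, ESP
    //   83      first byte of the following instruction
    // The original a59 version expected 55 8B EC 83 EC 10 instead.
    byte[] bOriginal = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83 };
    byte[] szBuffer = new byte[8];

    IntPtr recvAddress = GetProcAddress(winsock, "recv");
    IntPtr sendAddress = GetProcAddress(winsock, "send");
    if (recvAddress == IntPtr.Zero && sendAddress == IntPtr.Zero)
    {
        // Neither export resolved; looping would do no useful work.
        return;
    }

    IntPtr self = GetCurrentProcess();

    for (;;)
    {
        RestorePrologueIfChanged(self, recvAddress, bOriginal, szBuffer);
        RestorePrologueIfChanged(self, sendAddress, bOriginal, szBuffer);
        Thread.Sleep(600);
    }
}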