  /// <summary>
  /// kernel32!GetProcAddress: resolves an export of an already-loaded module.
  /// CharSet.Ansi + ExactSpelling is correct here (the API is ANSI-only and has no W variant).
  /// </summary>
  /// <remarks>
  /// Returns UIntPtr.Zero when the module handle is null or the export does not exist;
  /// callers must check for zero before using the address. Narrowing the result to
  /// UInt32 is only valid in a 32-bit process — the explicit UIntPtr→UInt32 conversion
  /// throws OverflowException for addresses above 4 GB. SetLastError is not set, so
  /// Marshal.GetLastWin32Error() cannot be relied on to diagnose a failure.
  /// </remarks>
  [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true)]
  static extern UIntPtr GetProcAddress(IntPtr hModule, string procName);
  /// <summary>
  /// kernel32!GetModuleHandle (CharSet.Auto → the W variant on NT-based Windows).
  /// </summary>
  /// <remarks>
  /// Returns IntPtr.Zero if the module is not currently mapped in this process; it does
  /// not load it and does not increment the module reference count, so the handle is
  /// only as stable as whatever else keeps the DLL loaded. SetLastError is not set.
  /// </remarks>
  [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
  static extern IntPtr GetModuleHandle(string lpModuleName);
  /// <summary>
  /// kernel32!ReadProcessMemory. Native signature:
  /// BOOL ReadProcessMemory(HANDLE, LPCVOID, LPVOID, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead).
  /// nSize is correctly declared as UIntPtr (SIZE_T).
  /// </summary>
  /// <remarks>
  /// Review: the last parameter is really an out pointer (SIZE_T*) but is declared as
  /// <c>int</c>. The only safe argument is the literal 0 (NULL, which the API permits);
  /// any other value would be handed to the kernel as a pointer. On x64 an <c>int</c>
  /// is also the wrong width for a pointer argument and appears to work only because a
  /// zero literal is zero-extended. New call sites should use an <c>out IntPtr</c>
  /// overload; this signature is left unchanged so existing callers still compile.
  /// Because SetLastError = true, Marshal.GetLastWin32Error() is meaningful when the
  /// call returns false — check the return value; a failed read leaves lpBuffer stale.
  /// </remarks>
  [DllImport("kernel32.dll", SetLastError = true, PreserveSig = true)]
  [return: MarshalAs(UnmanagedType.Bool)]
  static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UIntPtr nSize, /*out*/ int lpNumberOfBytesRead);
  /// <summary>
  /// kernel32!GetCurrentProcess: returns the pseudo-handle for the calling process.
  /// It is not a real handle — do not CloseHandle it — and it carries full access to
  /// the process's own memory, which is what lets this file read and patch its own
  /// code pages without OpenProcess.
  /// </summary>
  [DllImport("kernel32.dll")]
  static extern IntPtr GetCurrentProcess();
  /// <summary>
  /// kernel32!WriteProcessMemory. Native signature:
  /// BOOL WriteProcessMemory(HANDLE, LPVOID, LPCVOID, SIZE_T nSize, SIZE_T* lpNumberOfBytesWritten).
  /// </summary>
  /// <remarks>
  /// Review: both size-typed parameters are mis-declared for a SIZE_T — nSize as
  /// <c>uint</c> (should be UIntPtr, as the ReadProcessMemory declaration above does)
  /// and lpNumberOfBytesWritten as <c>int</c> where the API takes a SIZE_T* (only the
  /// literal 0 / NULL is safe to pass). SetLastError is not set, so a false return
  /// cannot be diagnosed with Marshal.GetLastWin32Error(). Left byte-identical so
  /// existing call sites keep compiling; new code should fix the widths.
  /// Security note: this file uses it to overwrite executable pages of a system DLL.
  /// In practice the API lifts the page protection itself, but self-patching
  /// kernel32/ws2_32 code is also classic malware and cheat behaviour and is likely
  /// to be flagged by EDR / anti-cheat products.
  /// </remarks>
  [DllImport("kernel32.dll")]
  static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, /*out*/ int lpNumberOfBytesWritten);
  /// <summary>
  /// kernel32!LoadLibrary (no CharSet given, so the default ANSI LoadLibraryA is bound).
  /// Maps the module if needed and increments its reference count; the handle must be
  /// released with FreeLibrary unless pinning the DLL for the process lifetime is intended.
  /// </summary>
  /// <remarks>
  /// Security note: a bare file name goes through the DLL search order. ws2_32.dll is
  /// normally a KnownDLL and resolved from System32, but for anything that is not,
  /// pass a full path or use LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 to avoid
  /// DLL search-order hijacking. Returns IntPtr.Zero on failure; SetLastError is not set.
  /// </remarks>
  [DllImport("kernel32.dll")]
  static extern IntPtr LoadLibrary(string lpFileName);
  14.  
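  /// <summary>
  /// Watchdog against in-process packet editors (WPE Pro and similar) that hook
  /// ws2_32!send / ws2_32!recv by overwriting the export's prologue with a jump.
  /// Every 600 ms the first six bytes of each export are read back and, if they no
  /// longer match the expected prologue, the original bytes are written over the hook.
  /// Never returns (infinite loop) — run it on a dedicated background thread.
  /// </summary>
  /// <remarks>
  /// Reviewer notes:
  /// - This is a hostile-client integrity check, not a security boundary. Anyone with
  ///   code execution in the process can suspend this thread, patch the comparison,
  ///   hook somewhere else (WSASend/WSARecv, mswsock, the interior of send/recv, or an
  ///   out-of-process proxy), or simply re-hook inside the 600 ms window. Server-side
  ///   validation of the protocol is the real control; treat this as a speed bump.
  /// - The expected bytes are the 32-bit hot-patchable prologue of the ws2_32 builds
  ///   this was written against; they are wrong for a 64-bit process and may differ on
  ///   other Windows builds. The method therefore refuses to run outside a 32-bit
  ///   process instead of writing x86 bytes into a 64-bit export. (The original code
  ///   reached a similar outcome by accident: narrowing a 64-bit export address to
  ///   UInt32 throws OverflowException.)
  /// - A null module/export address used to make the loop a silent no-op; it now fails
  ///   loudly, because a tamper check that fails open is worse than one that fails.
  /// - Patching executable pages of a system DLL is also what malware and cheats do;
  ///   expect EDR / anti-cheat products to flag the process.
  /// </remarks>
  /// <exception cref="PlatformNotSupportedException">Not a 32-bit process.</exception>
  /// <exception cref="InvalidOperationException">WS2_32.dll or one of its exports could not be resolved.</exception>
  public static void AntiWPEPro()
  {
      //Anti-WPEPro coded by a59, ported to C# by Ember/vH! 2k9

      // The prologue bytes are x86-specific and the whole technique assumes
      // 32-bit addresses; bail out explicitly rather than corrupt a 64-bit export.
      if (IntPtr.Size != 4)
      {
          throw new PlatformNotSupportedException("AntiWPEPro only supports 32-bit (x86) processes.");
      }

      // LoadLibrary both guarantees ws2_32 is mapped and pins it (the handle is
      // deliberately never freed) so the export addresses stay valid for the
      // lifetime of the loop.
      LoadLibrary("WS2_32.dll");
      IntPtr ws2 = GetModuleHandle("WS2_32.dll");
      if (ws2 == IntPtr.Zero)
      {
          throw new InvalidOperationException("WS2_32.dll could not be loaded.");
      }

      IntPtr recvAddr = ResolveExport(ws2, "recv");
      IntPtr sendAddr = ResolveExport(ws2, "send");

      byte[] scratch = new byte[ExpectedPrologue.Length];
      for (;;)
      {
          RestorePrologue(recvAddr, scratch);
          RestorePrologue(sendAddr, scratch);
          Thread.Sleep(600);
      }
  }

  // First six bytes of ws2_32!send / ws2_32!recv in the 32-bit builds this was
  // written against: 8B FF (mov edi,edi — hot-patch pad), 55 (push ebp),
  // 8B EC (mov ebp,esp), 83 (first byte of the frame setup that follows; the
  // older comment in this file recorded it as sub esp,10h). A detour hook
  // typically overwrites exactly these bytes with a jmp, which is what the
  // comparison detects. Verify against the actual ws2_32 build before shipping.
  private static readonly byte[] ExpectedPrologue = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83 };

  // Resolves one export of ws2_32 and fails loudly instead of letting a null
  // address turn the watchdog into a silent no-op.
  private static IntPtr ResolveExport(IntPtr module, string name)
  {
      UIntPtr address = GetProcAddress(module, name);
      if (address == UIntPtr.Zero)
      {
          throw new InvalidOperationException("Export " + name + " not found in WS2_32.dll.");
      }
      // Keep the full pointer width rather than truncating to UInt32.
      return new IntPtr(unchecked((long)address.ToUInt64()));
  }

  // Reads the first bytes of the export into scratch and, if they no longer match
  // ExpectedPrologue, writes the expected bytes back over the hook. A failed read
  // is skipped rather than treated as a hook so a stale buffer never triggers a
  // write. The write itself stays best-effort, as in the original.
  private static void RestorePrologue(IntPtr export, byte[] scratch)
  {
      IntPtr self = GetCurrentProcess();
      if (!ReadProcessMemory(self, export, scratch, (UIntPtr)(uint)ExpectedPrologue.Length, 0))
      {
          return;
      }
      for (int i = 0; i < ExpectedPrologue.Length; i++)
      {
          if (scratch[i] != ExpectedPrologue[i])
          {
              // In practice WriteProcessMemory lifts the page protection on the
              // code page itself; no VirtualProtect dance is needed here.
              WriteProcessMemory(self, export, ExpectedPrologue, (uint)ExpectedPrologue.Length, 0);
              return;
          }
      }
  }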