DesireDenied

Making MemoryRW undetectable

2 posts in this topic

As far as I know, game guard software such as GameGuard, Hackshield, etc. prevents users from hacking watched processes by intercepting specific asm code responsible for many useful system functions. I know as well that there is a way to bypass game guard software, for example by using pChar mode in order to hide imported system functions from being intercepted, where pChar mode is:

- Help! I'm still getting detected!

If you are still getting detected even after you've changed your settings, it's time to PCHAR the windowskernel strings. Pchar is a method to split up certain strings and put them together with a simple 'calculation'. The reason why you should only pchar the windowskernel strings is that these commands can't be changed to something random. These commands are Windows commands and thus need to stay the same at all times. The windowskernel strings can be found in 'NewKernelHandler.pas'. You only have to change them there.

Here is a short example of how to use pchar:

var
   G : string;
   H : string;
procedure DontUseDBKQueryMemoryRegion;
begin
  { Split the export name so 'VirtualQu' and 'eryEx' are the only literals }
  { in the binary; the full name exists only in memory, just before lookup. }
  G := 'VirtualQu';
  H := 'eryEx';
  { GetProcAddress receives the name assembled at runtime, not a constant. }
  VirtualQueryEx:=GetProcAddress(WindowsKernel,pchar(G+H));
  usedbkquery:=false;
  if usephysical then DbkPhysicalMemory;
  if usefileasmemory then dbkfileasmemory;
end;

Use this method on all the windowskernel strings. I've listed them below:

- VirtualQueryEx 
- ReadProcessMemory 
- WriteProcessMemory 
- VirtualAllocEx 
- OpenProcess 
- GetThreadContext 
- SetThreadContext 
- SuspendThread 
- ResumeThread 
- WaitForDebugEvent 
- ContinueDebugEvent 
- DebugActiveProcess 
- VirtualProtect 
- VirtualProtectEx 
- CreateRemoteThread 
- OpenThread

...
Please correct me if I'm wrong, but to me this UCE solution isn't working at all.

I've tried to do something like that but with no success; my DllCall returns 0 any time I use it on a guarded process, and works fine if I target a non-protected process.

Func _OP($iAccess, $bInherit, $iProcessID)
    ; DLL and export names are kept only as fragments and joined at call time,
    ; so neither full string appears as one literal in the script.
    Local $XX20 = 'Ker'
    Local $XX21 = 'nel3'
    Local $XX22 = '2.dll'

    Local $XX52 = 'Ope'
    Local $XX53 = 'nPro'
    Local $XX54 = 'cess'
    ; The export returns a HANDLE, so declare the return type as "handle" rather
    ; than "int" (on 64-bit an "int" return truncates the handle). A 0 result
    ; here is a NULL handle from the call itself, not a DllCall lookup failure.
    Local $aResult = DllCall($XX20 & $XX21 & $XX22, "handle", $XX52 & $XX53 & $XX54, "dword", $iAccess, "bool", $bInherit, "dword", $iProcessID)
    If @error Or Not IsArray($aResult) Then Return SetError(-1, -1, 0)
    Return $aResult[0]
EndFunc   ;==>_OP

would you like to explain to me how to solve my problem in autoit?


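The pchar idea in Python, as an added example that is not part of the original post or of the UCE/Cheat Engine code it quotes: the DLL and export names exist only as fragments in the file, are joined at call time, and the export is resolved by that runtime-built name (getattr on a ctypes WinDLL goes through GetProcAddress, the same call the UCE snippet makes). It also adds the check a practitioner wants before blaming the technique: scan the artifact you actually ship for the assembled names, since a constant-folding step or a helper can quietly put the literal back. The fragment lists, the access mask and the sample blob are assumptions made for this example. One caveat that the split does not change: it only hides the name from a static string scan of the cheat's own file; the resolved call still lands in the real export, so a hook on that export, in user mode or in a kernel driver, sees the call exactly as before.

```python
"""Added example (not code from the original post or from Cheat Engine / UCE).

The Win32 API name is stored only as fragments, assembled at call time, and
resolved through GetProcAddress (ctypes does that resolution on Windows).
A self-check confirms that no full API name survived as a contiguous literal
in this file.
"""
import os
import sys
from pathlib import Path

# Constructed fragments (assumption). No line in this file contains a full
# API name; only the joined result, which lives in memory, does.
DLL_PARTS = ("Ker", "nel3", "2.dll")
OPEN_PROC_PARTS = ("Ope", "nPro", "cess")
READ_MEM_PARTS = ("ReadPro", "cessMem", "ory")

# A subset of the names the UCE list says to split, also kept as fragments.
WATCHED = [
    OPEN_PROC_PARTS,
    READ_MEM_PARTS,
    ("WriteProc", "essMemory"),
    ("Virtual", "QueryEx"),
]


def assemble(parts):
    """Join the fragments at runtime; the result exists only in memory."""
    return "".join(parts)


def leaked_literals(blob, part_lists):
    """Return the assembled names that occur contiguously in `blob`.

    Run this over the file you ship (script, compiled exe, DLL) to confirm the
    split was not undone by a constant-folding compiler or by a helper that
    re-introduced the literal.
    """
    return [n for n in (assemble(p) for p in part_lists) if n.encode("ascii") in blob]


def this_file_leaks():
    """Self-check: the assembled names must not be present in this source file."""
    return leaked_literals(Path(__file__).read_bytes(), WATCHED)


def resolve(dll_parts, func_parts):
    """Resolve the export by its assembled name (Windows only).

    ctypes.WinDLL(...) loads the module and getattr() calls GetProcAddress with
    the runtime-built name, like GetProcAddress(WindowsKernel, pchar(G+H)) in
    the UCE snippet. Returns None off Windows so the module imports anywhere.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    return getattr(ctypes.WinDLL(assemble(dll_parts)), assemble(func_parts))


def open_process(pid, access=0x0410):
    """Call the runtime-resolved export with proper types (HANDLE, not int).

    0x0410 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION (assumed mask for the
    example). A NULL return means the call itself failed; ctypes.GetLastError()
    gives the reason. The hook-side view is unchanged: the real export runs.
    """
    fn = resolve(DLL_PARTS, OPEN_PROC_PARTS)
    if fn is None:
        return None
    from ctypes import wintypes
    fn.restype = wintypes.HANDLE
    fn.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.DWORD)
    return fn(access, False, pid)


if __name__ == "__main__":
    print("leaked in this file:", this_file_leaks())
    print("handle:", open_process(os.getpid()))
```

Point leaked_literals() at the compiled script or executable rather than at the source: that is the artifact a string scan on the target machine would see, and it is the one place where a literal can reappear without the source showing it.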