DesireDenied Posted September 19, 2007

As far as I know, anti-cheat software such as GameGuard, Hackshield, etc. is preventing users from hacking watched processes by intercepting specific asm code responsible for many useful system functions. I know as well there is a way to bypass GameGuard software, for example by using pChar mode in order to hide imported system functions from being intercepted. pChar mode is:

> Help! I'm still getting detected!
>
> If you are still getting detected even after you've changed your settings, it's time to PCHAR the windowskernel's. Pchar is a method to split up certain strings, and put them together with a simple 'calculation'. The reason why you should only pchar the windowskernel strings is because these commands can't be changed to something random. These commands are Windows commands and thus need to stay the same at all times. The windowskernel strings can be found in the 'NewKernelHandler.pas'. You only have to change them here. Here is a short example of how to use pchar:
>
> ```pascal
> var
>   G : string;
>   H : string;
>
> procedure DontUseDBKQueryMemoryRegion;
> begin
>   G := 'VirtualQu';
>   H := 'eryEx';
>   VirtualQueryEx := GetProcAddress(WindowsKernel, pchar(G + H));
>   usedbkquery := false;
>   if usephysical then DbkPhysicalMemory;
>   if usefileasmemory then dbkfileasmemory;
> end;
> ```
>
> Use this method on all the windowskernel strings. I've listed them below:
>
> - VirtualQueryEx
> - ReadProcessMemory
> - WriteProcessMemory
> - VirtualAllocEx
> - OpenProcess
> - GetThreadContext
> - SetThreadContext
> - SuspendThread
> - ResumeThread
> - WaitForDebugEvent
> - ContinueDebugEvent
> - DebugActiveProcess
> - VirtualProtect
> - VirtualProtectEx
> - CreateRemoteThread
> - OpenThread
> ...

Please correct me if I'm wrong, but to me this UCE solution isn't working at all. I've tried to do something like that but no success: my DllCall returns 0 any time I use it on a guarded process, and works fine if I target a non-protected process.
```autoit
; OpenProcess wrapper that assembles the DLL and export names from string fragments
Func _OP($iAccess, $bInherit, $iProcessID)
    $XX20 = 'Ker'
    $XX21 = 'nel3'
    $XX22 = '2.dll'
    $XX52 = 'Ope'
    $XX53 = 'nPro'
    $XX54 = 'cess'
    Local $aResult = DllCall($XX20 & $XX21 & $XX22, "int", $XX52 & $XX53 & $XX54, "int", $iAccess, "int", $bInherit, "int", $iProcessID)
    If @error Or Not IsArray($aResult) Then Return SetError(-1, -1, 0)
    Return $aResult[0] ; handle, or 0 if OpenProcess failed
EndFunc   ;==>_OP
```

Would you like to explain to me how to solve my problem in AutoIt?
weaponx Posted September 19, 2007

See reply: http://www.autoitscript.com/forum/index.ph...f=2&t=53582