Hi, I'm back here after a long time, having decided to update the "Trainers/Ingames" topic.
We start by evading services such as OpenServiceW and StartServiceW; mainly these drivers are protecting memory: NtOpenProcess, NtQueryVirtualMemory, NtReadVirtualMemory.
Let me explain better how this works: OpenService identifies whether StartService puts the services in Start or Stopped; if it is Start it returns to OpenService and executes the function. We are mainly going to attack OpenService, it is the worst vulnerability it has. xD
Here I'll leave an example of stopping OpenService from identifying whether "xhunter.sys" is Stopped or Start; with this function it will identify it as Stopped and won't execute anything.
- Code:
```autoit
#include <ButtonConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include "NomadMemory.au3"
#include <WinAPI.au3>
; Bypass Memory
Global $Address1 = _WinAPI_GetProcAddress(_WinAPI_LoadLibrary("ADVAPI32.dll"), "OpenServiceW")
Do
    Sleep(10)
Until ProcessExists("S4Client.exe") ; the process is visible
MsgBox(0, "HS4L", "Bypass Address: " & $Address1, 2) ; closes after 2 seconds
_MemoryWrite($Address1, _MemoryOpen(ProcessExists("S4Client.exe")), "0xB801000000C20C00", "byte[8]")
```
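From the defender's side, the patch above is detectable as an integrity violation: the first 8 bytes of an exported function no longer match the on-disk image, and the replacement decodes to a forced-return stub (B8 imm32 = mov eax,imm32 followed by C2 imm16 = ret imm16). The following is an added example, not code from the original post: a prologue-integrity check that compares live bytes against a reference copy and names the common inline-patch shapes. The reference prologue and the live bytes are constructed samples; obtaining them from a real process (ReadProcessMemory and the mapped DLL on disk) is outside this snippet.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class PrologueVerdict:
    tampered: bool
    reason: str

def decode_stub(b: bytes) -> Optional[str]:
    """Describe the bytes if they look like a known inline patch, else None."""
    if len(b) >= 8 and b[0] == 0xB8 and b[5] == 0xC2:      # mov eax,imm32 ; ret imm16
        val = struct.unpack_from("<I", b, 1)[0]
        n = struct.unpack_from("<H", b, 6)[0]
        return f"forced return: mov eax,{val:#x}; ret {n:#x}"
    if len(b) >= 6 and b[0] == 0xB8 and b[5] == 0xC3:      # mov eax,imm32 ; ret
        val = struct.unpack_from("<I", b, 1)[0]
        return f"forced return: mov eax,{val:#x}; ret"
    if len(b) >= 5 and b[0] == 0xE9:                       # jmp rel32 detour
        rel = struct.unpack_from("<i", b, 1)[0]
        return f"jmp rel32 detour (displacement {rel:+#x})"
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:      # push imm32 ; ret
        tgt = struct.unpack_from("<I", b, 1)[0]
        return f"push/ret detour to {tgt:#x}"
    if len(b) >= 1 and b[0] == 0xCC:                       # int3 breakpoint
        return "int3 breakpoint"
    return None

def check_prologue(live: bytes, reference: bytes) -> PrologueVerdict:
    """Compare live prologue bytes with the reference copy from the image file."""
    if len(live) >= len(reference) and live[:len(reference)] == reference:
        return PrologueVerdict(False, "matches on-disk image")
    stub = decode_stub(live)
    if stub:
        return PrologueVerdict(True, stub)
    n = min(len(live), len(reference))
    off = next((i for i in range(n) if live[i] != reference[i]), n)
    return PrologueVerdict(True, f"first mismatch at offset {off}")

# Constructed samples (assumption): a typical hot-patchable x86 stdcall prologue
# (mov edi,edi ; push ebp ; mov ebp,esp) as the reference, and the post's 8-byte
# patch as what an in-process scan would read back after tampering.
REFERENCE_PROLOGUE = bytes.fromhex("8BFF558BEC")
PATCHED_PROLOGUE = bytes.fromhex("B801000000C20C00")

if __name__ == "__main__":
    print(check_prologue(PATCHED_PROLOGUE, REFERENCE_PROLOGUE))
    print(check_prologue(REFERENCE_PROLOGUE + b"\x83\xec\x10", REFERENCE_PROLOGUE))
```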
This is optional if you want to add a GUI afterwards. But I recommend starting from scratch.
- Code:
```autoit
#Region ### START Koda GUI section ### Form=
$Form1 = GUICreate("Form1", 181, 94, 225, 175)
$Checkbox1 = GUICtrlCreateCheckbox("Reverse jump", 40, 16, 137, 17)
$Checkbox2 = GUICtrlCreateCheckbox("Read value jump", 40, 40, 129, 17)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###
While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            Exit
        Case $Checkbox1
            If (GUICtrlRead($Checkbox1) = 1) Then ; Write Memory
                HS4LMemory("S4Client.exe", 0x210603, "0x6A00", "BYTE[2]") ; S4Client.exe+210603
            Else
                HS4LMemory("S4Client.exe", 0x210603, "0x6A02", "BYTE[2]") ; S4Client.exe+210603
            EndIf
        Case $Checkbox2
            If (GUICtrlRead($Checkbox2) = 1) Then ; Read Memory
                MsgBox(0, "", Hex(HS4LMemoryRead("S4Client.exe", 0x210603, "BYTE[2]"))) ; S4Client.exe+210603
            EndIf
    EndSwitch
WEnd
```
Functions:
- Code:
```autoit
Func HS4LMemory($ProcName, $Address, $value, $Type)
    Local $OPEN = _MemoryOpen(ProcessExists($ProcName))
    Local $HS4LMemoryAddress = "0x" & Hex(_MemoryModuleGetBaseAddress(ProcessExists($ProcName), $ProcName) + $Address) ; Base: "S4Client.exe"
    _MemoryWrite($HS4LMemoryAddress, $OPEN, $value, $Type)
EndFunc

Func HS4LMemoryRead($ProcName, $Address, $Type)
    Local $OPEN = _MemoryOpen(ProcessExists($ProcName))
    ; uses the $Address parameter (the original hard-coded 0x210603 here, ignoring the argument)
    Local $HS4LMemoryAddress = "0x" & Hex(_MemoryModuleGetBaseAddress(ProcessExists($ProcName), $ProcName) + $Address) ; Base: "S4Client.exe"
    Local $read = _MemoryRead($HS4LMemoryAddress, $OPEN, $Type)
    Return $read
EndFunc
```
```autoit
Func _MemoryOpen($iv_Pid, $iv_DesiredAccess = 0x1F0FFF, $iv_InheritHandle = 1)
    If Not ProcessExists($iv_Pid) Then
        SetError(1)
        Return 0
    EndIf
    Local $ah_Handle[2] = [DllOpen('kernel32.dll')]
    If @error Then
        SetError(2)
        Return 0
    EndIf
    Local $av_OpenProcess = DllCall($ah_Handle[0], 'int', 'OpenProcess', 'int', $iv_DesiredAccess, 'int', $iv_InheritHandle, 'int', $iv_Pid)
    If @error Then
        DllClose($ah_Handle[0])
        SetError(3)
        Return 0
    EndIf
    $ah_Handle[1] = $av_OpenProcess[0]
    Return $ah_Handle
EndFunc   ;==>_MemoryOpen

;==================================================================================
; Function:         _MemoryRead($iv_Address, $ah_Handle[, $sv_Type])
; Description:      Reads the value located in the memory address specified.
; Parameter(s):     $iv_Address - The memory address you want to read from. It must
;                                 be in hex format (0x00000000).
;                   $ah_Handle  - An array containing the Dll handle and the handle
;                                 of the open process as returned by _MemoryOpen().
;                   $sv_Type    - (optional) The "Type" of value you intend to read.
;                                 This is set to 'dword'(32bit(4byte) signed integer)
;                                 by default. See the help file for DllStructCreate
;                                 for all types. An example: If you want to read a
;                                 word that is 15 characters in length, you would use
;                                 'char[16]' since a 'char' is 8 bits (1 byte) in size.
; Return Value(s):  On Success - Returns the value located at the specified address.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = Invalid $ah_Handle.
;                            2 = $sv_Type was not a string.
;                            3 = $sv_Type is an unknown data type.
;                            4 = Failed to allocate the memory needed for the DllStructure.
;                            5 = Error allocating memory for $sv_Type.
;                            6 = Failed to read from the specified process.
; Author(s):        Nomad
; Note(s):          Values returned are in Decimal format, unless specified as a
;                   'char' type, then they are returned in ASCII format. Also note
;                   that size ('char[size]') for all 'char' types should be 1
;                   greater than the actual size.
;==================================================================================
Func _MemoryRead($iv_Address, $ah_Handle, $sv_Type = 'dword')
    If Not IsArray($ah_Handle) Then
        SetError(1)
        Return 0
    EndIf
    Local $v_Buffer = DllStructCreate($sv_Type)
    If @error Then
        SetError(@error + 1)
        Return 0
    EndIf
    DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
    If Not @error Then
        Local $v_Value = DllStructGetData($v_Buffer, 1)
        Return $v_Value
    Else
        SetError(6)
        Return 0
    EndIf
EndFunc   ;==>_MemoryRead

;==================================================================================
; Function:         _MemoryWrite($iv_Address, $ah_Handle, $v_Data[, $sv_Type])
; Description:      Writes data to the specified memory address.
; Parameter(s):     $iv_Address - The memory address which you want to write to.
;                                 It must be in hex format (0x00000000).
;                   $ah_Handle  - An array containing the Dll handle and the handle
;                                 of the open process as returned by _MemoryOpen().
;                   $v_Data     - The data to be written.
;                   $sv_Type    - (optional) The "Type" of value you intend to write.
;                                 This is set to 'dword'(32bit(4byte) signed integer)
;                                 by default. See the help file for DllStructCreate
;                                 for all types. An example: If you want to write a
;                                 word that is 15 characters in length, you would use
;                                 'char[16]' since a 'char' is 8 bits (1 byte) in size.
; Return Value(s):  On Success - Returns 1
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = Invalid $ah_Handle.
;                            2 = $sv_Type was not a string.
;                            3 = $sv_Type is an unknown data type.
;                            4 = Failed to allocate the memory needed for the DllStructure.
;                            5 = Error allocating memory for $sv_Type.
;                            6 = $v_Data is not in the proper format to be used with the
;                                "Type" selected for $sv_Type, or it is out of range.
;                            7 = Failed to write to the specified process.
; Author(s):        Nomad
; Note(s):          Values sent must be in Decimal format, unless specified as a
;                   'char' type, then they must be in ASCII format. Also note
;                   that size ('char[size]') for all 'char' types should be 1
;                   greater than the actual size.
;==================================================================================
Func _MemoryWrite($iv_Address, $ah_Handle, $v_Data, $sv_Type = 'dword')
    If Not IsArray($ah_Handle) Then
        SetError(1)
        Return 0
    EndIf
    Local $v_Buffer = DllStructCreate($sv_Type)
    If @error Then
        SetError(@error + 1)
        Return 0
    Else
        DllStructSetData($v_Buffer, 1, $v_Data)
        If @error Then
            SetError(6)
            Return 0
        EndIf
    EndIf
    DllCall($ah_Handle[0], 'int', 'WriteProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
    If Not @error Then
        Return 1
    Else
        SetError(7)
        Return 0
    EndIf
EndFunc   ;==>_MemoryWrite
```