- 18
- 37
ловите рофланебало байпасс(работает)
C++:
namespace bypass
{
typedef NTSTATUS(NTAPI *NtQuerySystemInformation_t)(ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
typedef NTSTATUS(NTAPI *NtDuplicateObject_t)(HANDLE SourceProcessHandle, HANDLE SourceHandle, HANDLE TargetProcessHandle, PHANDLE TargetHandle, ACCESS_MASK DesiredAccess, ULONG Attributes, ULONG Options );
typedef NTSTATUS(NTAPI *NtQueryObject_t)(HANDLE ObjectHandle, ULONG ObjectInformationClass, PVOID ObjectInformation, ULONG ObjectInformationLength, PULONG ReturnLength);
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _SYSTEM_HANDLE
{
ULONG ProcessId;
BYTE ObjectTypeNumber;
BYTE Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG HandleCount;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef enum _POOL_TYPE
{
NonPagedPool,
PagedPool,
NonPagedPoolMustSucceed,
DontUseThisType,
NonPagedPoolCacheAligned,
PagedPoolCacheAligned,
NonPagedPoolCacheAlignedMustS
} POOL_TYPE, *PPOOL_TYPE;
typedef struct _OBJECT_TYPE_INFORMATION
{
UNICODE_STRING Name;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG TotalPagedPoolUsage;
ULONG TotalNonPagedPoolUsage;
ULONG TotalNamePoolUsage;
ULONG TotalHandleTableUsage;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
ULONG HighWaterPagedPoolUsage;
ULONG HighWaterNonPagedPoolUsage;
ULONG HighWaterNamePoolUsage;
ULONG HighWaterHandleTableUsage;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccess;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
USHORT MaintainTypeList;
POOL_TYPE PoolType;
ULONG PagedPoolUsage;
ULONG NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
bool activate_meme()
{
char filePath[MAX_PATH]; SIZE_T handleInfoSize = 0x10000; ULONG returnLength; NTSTATUS status;
NtQuerySystemInformation_t NtQuerySystemInformation = reinterpret_cast<NtQuerySystemInformation_t>(filter::get_proc_address("ntdll.dll", "NtQuerySystemInformation"));
NtDuplicateObject_t NtDuplicateObject = reinterpret_cast<NtDuplicateObject_t>(filter::get_proc_address("ntdll.dll", "NtDuplicateObject"));
NtQueryObject_t NtQueryObject = reinterpret_cast<NtQueryObject_t>(filter::get_proc_address("ntdll.dll", "NtQueryObject"));
auto handleInfo = reinterpret_cast<PSYSTEM_HANDLE_INFORMATION>(malloc(handleInfoSize));
while ((status = NtQuerySystemInformation(16, handleInfo, handleInfoSize, NULL)) == 0xC0000004)
handleInfo = reinterpret_cast<PSYSTEM_HANDLE_INFORMATION>(realloc(handleInfo, handleInfoSize *= 2));
if (!NT_SUCCESS(status))
return false;
for (int i = 0; i < handleInfo->HandleCount; i++)
{
HANDLE handle = reinterpret_cast<HANDLE>(handleInfo->Handles[i].Handle);
if (handleInfo->Handles[i].ProcessId != GetCurrentProcessId())
continue;
auto objectTypeInfo = reinterpret_cast<POBJECT_TYPE_INFORMATION>(malloc(0x1000));
if (!NT_SUCCESS(NtQueryObject(handle, ObjectTypeInformation, objectTypeInfo, 0x1000, NULL)))
{
free(objectTypeInfo); continue;
}
if (handleInfo->Handles[i].GrantedAccess == 0x0012019f)
continue;
auto objectNameInfo = malloc(0x1000);
if (!NT_SUCCESS(NtQueryObject(handle, 1, objectNameInfo, 0x1000, &returnLength)))
{
objectNameInfo = realloc(objectNameInfo, returnLength);
if (!NT_SUCCESS(NtQueryObject(handle, 1, objectNameInfo, returnLength, NULL)))
{
free(objectTypeInfo);
free(objectNameInfo);
continue;
}
}
auto objectName = *reinterpret_cast<UNICODE_STRING*>(objectNameInfo);
if (objectName.Length)
{
wchar_t buff[1024];
ZeroMemory(buff, sizeof(buff));
memcpy(buff, objectName.Buffer, objectName.Length);
*(wchar_t*)(buff + objectName.Length + 2) = L'\0';
if (wcsstr(buff, L"AntiStealer") && (wcsstr(buff, L".LOG") || wcsstr(buff, L".log"))) // А ШТО ЖЕ ЭТО?
{
CloseHandle(handle);
return true;
}
}
}
return false;
}
}
