├── License
├── README.md
└── VirtualProtectSyscall.cpp


/License:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 Melony
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # VirtualProtectHookBypass
 2 | 
 3 | ### Bypass IAT Hook via Directly syscall
 4 | 
 5 | ### How can Directly Syscall ?
 6 |   * Copy Function via using assembly
 7 | 
 8 | * Just directly syscalling ZwProtectVirtualMemory instead of calling the export to syscall in ntdll.dll.
 9 | 
10 | * it can't not be hooked by anything except the Hooking man in kernelland
11 | 
12 | * This example is for x86.
13 | 
14 | ### if you want to use on x64
15 | 
16 |  1. Check masm Compile option.
17 |  2. make a .asm file on project
18 |  3. code on .asm file
19 |  4. Profit
20 | 
21 | ### [ Ntdll.dll ] ZwProtectVirtualMemory
22 | 
23 | ![image](https://user-images.githubusercontent.com/13113619/119382779-788a2800-bcfd-11eb-84a9-832bf0563d51.png)
24 | 
25 | ### [ Kernel.dll ] VirtualProtect
26 | 
27 | ![image](https://user-images.githubusercontent.com/13113619/119382654-4bd61080-bcfd-11eb-8e4f-b0577b203271.png)
28 | 
29 | # Credit
30 | me (Ekdms95)
31 | and
32 | I will give some credit for sexyyume
33 | 


--------------------------------------------------------------------------------
/VirtualProtectSyscall.cpp:
--------------------------------------------------------------------------------
 1 | void* NtdllAddress = GetProcAddress(GetModuleHandleA(xorstr_("ntdll.dll")), xorstr_("RtlInterlockedCompareExchange64"));
 2 | void* KernelAddress = GetProcAddress(GetModuleHandleA(xorstr_("kernel.dll")), xorstr_("GetSystemLeapSecondInformation"));
 3 | 
 4 | DWORD ntdll170 = (DWORD)NtdllAddress + 0x170;
 5 | DWORD KernelEC85 = (DWORD)KernelAddress + 0xEC85;
 6 | 
 7 | void __declspec(naked) CopyZwVirtualProtect() // ZwVirtualProtectMemory 함수 복사.
 8 | {
 9 | 	__asm
10 | 	{
11 | 		mov eax, 0x50
12 | 		mov edx, ntdll170 // ntdll.RtlInterlockedCompareExchange64 + 170
13 | 		call edx
14 | 		ret 0x14
15 | 	}
16 | }
17 | 
18 | BOOL __declspec(naked) __cdecl CopyVirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect) // VirtualProtect 함수 복사.
19 | {
20 | 	__asm
21 | 	{
22 | 		mov edi, edi
23 | 		push ebp
24 | 		mov ebp, esp
25 | 		push ecx
26 | 		push ecx
27 | 		mov eax, [ebp + 0xC]
28 | 		push esi
29 | 		push[ebp + 0x14]
30 | 		mov[ebp - 4], eax
31 | 		push[ebp + 0x10]
32 | 		mov eax, [ebp + 8]
33 | 		mov[ebp - 8], eax
34 | 		lea eax, [ebp - 4]
35 | 		push eax
36 | 		lea eax, [ebp - 8]
37 | 		push eax
38 | 		push - 1
39 | 		call CopyZwVirtualProtect // asm으로 복사했던 ZwVirtualProtectMemory 함수 호출.
40 | 		mov esi, eax
41 | 		test esi, esi
42 | 		js KK //KERNELBASE.GetSystemLeapSecondInformation + EC85 js 주소 이렇게 안되길래 잔머리를 좀 굴렸습니다.
43 | 		xor eax, eax
44 | 		inc eax
45 | 		pop esi
46 | 		leave
47 | 		ret 0x10
48 | 
49 | 		KK:
50 | 		jmp KernelEC85
51 | 	}
52 | }
53 | 
54 | void WhatTheFuckRiotEAC()
55 | {
56 |   // Simple Example to use
57 |   // CopyVirtualProtect((PVOID*)og_fun, 1, (PAGE_EXECUTE_READ | PAGE_GUARD), &oldProtection);
58 | }
59 | 
60 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
61 | {
62 |     if (ul_reason_for_call == DLL_PROCESS_ATTACH)
63 |     {
64 |         DisableThreadLibraryCalls(hModule);
65 |         WhatTheFuckRiotEAC();
66 |     }
67 |     else if (ul_reason_for_call == DLL_PROCESS_DETACH) {}
68 | 
69 |     return TRUE;
70 | }
71 | 


--------------------------------------------------------------------------------