
CF PH DIP Hook Detection Bypass ( Only in CSHELL Security )


XorEax


CShell build: 6-17-20

 

m_DIPHook: 74 42 8A 09 80 F9 E9 (Anti DIP Hook Detection)

 

To Bypass:

  • todo_1 : Change 74 (JE) to EB (JMP)
  • todo_2 : Detour before the JE and jump to neutral code

 

Sample bypass code for todo_2:

DWORD DETADR = (CSHELL + 0x22CFF0);     // detour site, just before the JE (CSHELL = CShell module base)
DWORD NEUTRALADR = (CSHELL + 0x22D039); // neutral code the stub continues at

__declspec(naked) void __Bypass_Todo_2()
{
	__asm
	{
		MOV ECX, [EDI+EAX*4]   ; re-execute the original instructions from the detour site
		TEST ECX,ECX
		JMP [NEUTRALADR]       ; continue at the address stored in NEUTRALADR
	}
}

Detour(DETADR,__Bypass_Todo_2); // Detour() is the poster's own hooking helper (not shown here)

 

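A defender-side integrity check for the two edits described in the post, added here as an example that is not part of the original post or of the CShell code: it scans a copy of a code region for the quoted 7-byte signature and reports whether the JE was rewritten to a short JMP (todo_1) or a JMP rel32 detour was planted in front of it (todo_2). The sample bytes, the assumed encodings of the two re-executed instructions, and the function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* The 7-byte signature quoted in the post: JE rel8 (74 42), MOV CL,[ECX]
 * (8A 09), CMP CL,0E9h (80 F9 E9); the stub itself looks for an E9 JMP. */
static const uint8_t DIP_SIG[] = {0x74, 0x42, 0x8A, 0x09, 0x80, 0xF9, 0xE9};
/* Constructed sample code region: two NOPs, the five bytes the post's stub
 * re-executes (MOV ECX,[EDI+EAX*4] = 8B 0C 87; TEST ECX,ECX = 85 C9, encodings
 * assumed from the inline asm), then the signature and an INT3. */
static const uint8_t SAMPLE[] = {0x90, 0x90, 0x8B, 0x0C, 0x87, 0x85, 0xC9,
                                 0x74, 0x42, 0x8A, 0x09, 0x80, 0xF9, 0xE9, 0xCC};
enum dip_state {
    DIP_SIG_MISSING = -1, /* signature not in the region at all              */
    DIP_INTACT      = 0,
    DIP_JE_PATCHED  = 1,  /* todo_1: 74 (JE) rewritten to EB (JMP short)     */
    DIP_DETOURED    = 2   /* todo_2: E9 JMP rel32 planted just before the JE */
};

/* Find the signature, accepting 74 or EB as its first byte so that a todo_1
 * patch cannot hide it. Returns the offset, or -1 if absent. */
long dip_find_sig(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + sizeof DIP_SIG <= len; i++)
        if ((code[i] == 0x74 || code[i] == 0xEB) &&
            memcmp(code + i + 1, DIP_SIG + 1, sizeof DIP_SIG - 1) == 0)
            return (long)i;
    return -1;
}

/* Classify a copy of the mapped code region. Only the two edits the post
 * describes are checked; compare against the on-disk image for the rest. */
enum dip_state dip_check(const uint8_t *code, size_t len)
{
    long at = dip_find_sig(code, len);
    if (at < 0) return DIP_SIG_MISSING;
    if (code[at] == 0xEB) return DIP_JE_PATCHED;
    if (at >= 5 && code[at - 5] == 0xE9) /* 5-byte JMP rel32 over the bytes before the JE */
        return DIP_DETOURED;
    return DIP_INTACT;
}
/* Apply patch 0 (none), 1 (todo_1) or 2 (todo_2) to SAMPLE, then classify. */
enum dip_state dip_demo(int patch)
{
    uint8_t buf[sizeof SAMPLE];
    memcpy(buf, SAMPLE, sizeof buf);
    long at = dip_find_sig(buf, sizeof buf); /* 7 in SAMPLE */
    if (patch == 1) buf[at] = 0xEB;
    if (patch == 2) { buf[at - 5] = 0xE9; memset(buf + at - 4, 0, 4); }
    return dip_check(buf, sizeof buf);
}
```

In a real check the region would be read from the mapped module at runtime; a mismatch on either test is a tamper signal, not proof of which tool made it.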
On 7/2/2020 at 9:25 AM, XorEax said: (the post above, quoted in full)
Thanks for this, but I have a question: if this AOB (74 42 8A 09 80 F9 E9) is for DETADR, how did you get the NEUTRALADR?
