Recently we have also been learning to modify the source code of the Gh0st remote-control tool. Working at the source-code level is convenient, simple and effective. Against anti-virus software that focuses on the import and export tables, calling the function dynamically is the most effective approach: find the original definition of the function, including its return type and parameters, then re-declare it at the place where the function is called. In practice this amounts to nothing more than changing the function name. Here is an example:
CreateRemoteThread is used to create a remote thread. If anti-virus software currently flags this function, we can proceed as follows. First, right-click the CreateRemoteThread function in the code and choose Go To Definition to find the function prototype.
The function prototype is as follows:
WINBASEAPI
_Out_
HANDLE
WINAPI
CreateRemoteThread(
    _In_ HANDLE hProcess,
    _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
    _In_ SIZE_T dwStackSize,
    _In_ LPTHREAD_START_ROUTINE lpStartAddress,
    _In_opt_ LPVOID lpParameter,
    _In_ DWORD dwCreationFlags,
    _Out_opt_ LPDWORD lpThreadId
);
The modified function prototype (a function-pointer typedef with the same return type and parameters) is as follows:
typedef HANDLE (WINAPI *CreateRemoteThreadxx)(
    _In_ HANDLE hProcess,
    _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
    _In_ SIZE_T dwStackSize,
    _In_ LPTHREAD_START_ROUTINE lpStartAddress,
    _In_opt_ LPVOID lpParameter,
    _In_ DWORD dwCreationFlags,
    _Out_opt_ LPDWORD lpThreadId
);
/* Resolve the address at run time instead of importing it by name. */
CreateRemoteThreadxx yyCreateRemoteThread = (CreateRemoteThreadxx)GetProcAddress(LoadLibrary("kernel32.dll"), "CreateRemoteThread");
Supplement: some function prototypes exist in both an A and a W variant. If your build environment is ANSI, use the A variant; if it is Unicode, use the W variant. For example, the GetUserName prototype has two definitions, GetUserNameA and GetUserNameW. Choose the corresponding function prototype as needed.
After the modification, the name of the called function changes from CreateRemoteThread to yyCreateRemoteThread. The part marked in red in the original post (the xx suffix and yy prefix here) is the custom part: you can rename it as you like, but make sure it stays consistent everywhere. The part marked in blue (the "CreateRemoteThread" string literal) can be split up and joined back together by string concatenation. After this processing the anti-virus software can no longer find the CreateRemoteThread function in the import table, and at that point the file is no longer flagged. A little note. I am so happy to share it with you.
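From the defender's side, the edit above leaves a static tell: CreateRemoteThread disappears from the import table, but its name usually survives as a plain string next to imports of GetProcAddress and LoadLibrary. The following triage script is an added example, not code from the post or from Gh0st; the sensitive-API list and the heuristic are my own choices, and it takes a raw PE file as bytes.

```python
"""Static triage for the import-hiding trick above: CreateRemoteThread vanishes from
the import table, but its name usually survives as a plain string beside imports of
GetProcAddress / LoadLibrary. Sensitive-API list and heuristic are my own choices."""
import struct

SENSITIVE = {b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx"}
RESOLVERS = {b"GetProcAddress", b"LoadLibraryA", b"LoadLibraryW"}


def imported_names(pe: bytes) -> set:
    """Walk the PE import directory and return every symbol imported by name."""
    u = lambda fmt, pos: struct.unpack_from(fmt, pe, pos)
    nt = u("<I", 0x3C)[0]                                 # e_lfanew -> "PE\0\0"
    nsec, opt_size = u("<H", nt + 6)[0], u("<H", nt + 20)[0]
    pe64 = u("<H", nt + 24)[0] == 0x20B                   # optional-header magic
    imp_rva = u("<I", nt + 24 + (112 if pe64 else 96) + 8)[0]   # DataDirectory[1]
    secs = [u("<IIII", nt + 24 + opt_size + 40 * i + 8) for i in range(nsec)]

    def off(rva):                                         # RVA -> file offset
        for vsize, va, rsize, praw in secs:
            if va <= rva < va + max(vsize, rsize):
                return praw + rva - va
        raise ValueError("RVA outside every section")

    names = set()
    if not imp_rva:
        return names
    fmt, step, hi = ("<Q", 8, 1 << 63) if pe64 else ("<I", 4, 1 << 31)
    desc = off(imp_rva)
    while True:                                           # one descriptor per DLL
        oft, _, _, _, ft = u("<IIIII", desc)
        if not (oft or ft):
            break
        thunk = off(oft or ft)
        while (val := u(fmt, thunk)[0]):
            if not val & hi:                              # by name, not by ordinal
                p = off(val) + 2                          # skip the 2-byte hint
                names.add(pe[p:pe.index(b"\0", p)])
            thunk += step
        desc += 20
    return names


def hidden_api_strings(pe: bytes) -> set:
    """Sensitive API names found as plaintext but missing from the import table;
    only reported when the file imports a resolver. Empty set means no finding."""
    imports = imported_names(pe)
    if not imports & RESOLVERS:
        return set()
    return {n for n in SENSITIVE if n in pe and n not in imports}
```

The string-splitting variant the post mentions defeats this static check; that case is left to runtime monitoring of the resolver calls or of thread creation in a foreign process.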
Postscript: I have read a lot of tutorials about how to change this. They didn't say why it should be changed or how it can be changed, let alone what the limits are. The tutorials first add an L to the end of the function name and then add a p to the front of the newly defined function. So many people who read the tutorials changed exactly those two things, and the tutorials also scare people along the way, saying, "Don't change anything else. You can only change these two places, and only like this." Sometimes things are not that difficult, and they are not terrible; most of the difficulty and fear comes from other people's sensationalism and from fear of the unknown. Finally, I hope everyone will be able to do whatever they want to do! I have set up a waste station on the side to earn some extra money. I hope you can support it.