I have recently been learning to modify the gh0st remote-control source as well, and the simplest, most effective way to keep the source from being flagged is still the dynamic call. Against anti-virus engines that watch the import table closely, the most effective trick is to call the function dynamically: find the function's original declaration (return type, calling convention, parameters), declare a function-pointer type with exactly that signature under a new name, and look the real address up at run time. Only the name that is visible in the binary changes; the function that actually runs is the same. For example:
CreateRemoteThread creates a thread in another process. Suppose the anti-virus software now flags this function. In the source, right-click CreateRemoteThread --> Go To Definition and find the function's prototype.
The function prototype is as follows:
WINBASEAPI
__out
HANDLE
WINAPI
CreateRemoteThread(
    __in HANDLE hProcess,
    __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
    __in SIZE_T dwStackSize,
    __in LPTHREAD_START_ROUTINE lpStartAddress,
    __in_opt LPVOID lpParameter,
    __in DWORD dwCreationFlags,
    __out_opt LPDWORD lpThreadId
    );
The function-pointer type derived from it is as follows (the __in/__out annotations are only SAL macros and may be kept or dropped; the parameter list and calling convention must match exactly):
typedef HANDLE (WINAPI *CREATEREMOTETHREADXX)
(
    __in HANDLE hProcess,
    __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
    __in SIZE_T dwStackSize,
    __in LPTHREAD_START_ROUTINE lpStartAddress,
    __in_opt LPVOID lpParameter,
    __in DWORD dwCreationFlags,
    __out_opt LPDWORD lpThreadId
);

/* LoadLibraryA is used explicitly so the narrow string literal also compiles in a Unicode build.
   The export name must match exactly: no surrounding spaces, correct case. */
CREATEREMOTETHREADXX yyCreateRemoteThread =
    (CREATEREMOTETHREADXX)GetProcAddress(LoadLibraryA("Kernel32.dll"), "CreateRemoteThread");
if (yyCreateRemoteThread == NULL) {
    /* resolution failed: handle the error here rather than calling a null pointer */
}
Addendum: some function prototypes come in two versions, one ending in A and one ending in W. If your build environment is ANSI (multi-byte), choose the A version; if it is Unicode, choose the W version. For example, GetUserName has two definitions, GetUserNameA and GetUserNameW; pick the one that matches your build and adapt its prototype. Note that the suffix-less name, GetUserName, exists only as a preprocessor macro in the headers and is not an exported symbol, so the string passed to GetProcAddress must be the real export name, "GetUserNameA" or "GetUserNameW". CreateRemoteThread has no A/W pair, so its name is used as-is.
The function name has thus changed from CreateRemoteThread to yyCreateRemoteThread. The custom parts (the typedef name CREATEREMOTETHREADXX and the variable name yyCreateRemoteThread) can be whatever you like, as long as they are used consistently. The string "CreateRemoteThread" passed to GetProcAddress can additionally be split into fragments and concatenated at run time, so that it does not appear as one contiguous string either. After this treatment the import table no longer references CreateRemoteThread and a string scan does not find it, which is what keeps the file from being flagged by import-table and string signatures. Be clear about what this does and does not do: LoadLibrary and GetProcAddress themselves still appear in the import table, and a product that hooks the API or watches behaviour at run time still sees the CreateRemoteThread call when it happens. A small note, shared with everyone; laughs.
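The full procedure described above, as an added example that is not code from the gh0st source or from the original post: a function-pointer typedef matching the CreateRemoteThread signature, the export name assembled from fragments at run time, the lookup through LoadLibrary/GetProcAddress, and the NULL check before use. The Windows branch is the real technique; the POSIX branch maps the same steps onto dlopen/dlsym so the code can be built and checked on Linux or macOS. The typedef and variable names CREATEREMOTETHREADXX and yyCreateRemoteThread are the post's; the helpers build_name, resolve_export, resolved_strlen and demo_assembled_name are this example's own and are assumptions.

```c
/*
 * Added example (not from the gh0st source): dynamic API resolution by name,
 * with the export name built from fragments so that neither the import table
 * nor the string table holds "CreateRemoteThread" as one contiguous unit.
 * Windows: LoadLibrary/GetProcAddress. POSIX: dlopen/dlsym, same structure.
 * build_name, resolve_export, resolved_strlen, demo_assembled_name are this
 * example's own names (assumptions), not part of any real API.
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
/* Same signature as CreateRemoteThread, under a name of our own choosing. */
typedef HANDLE (WINAPI *CREATEREMOTETHREADXX)(
    HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes,
    SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);
#else
#include <dlfcn.h>
#endif

typedef void (*generic_fn)(void);   /* opaque function pointer returned by the resolver */

/* Concatenate name fragments into out. Returns 0 on success, -1 if out is too small. */
static int build_name(char *out, size_t outsz, const char *const parts[], size_t n)
{
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(parts[i]);
        if (used + len + 1 > outsz)
            return -1;
        memcpy(out + used, parts[i], len + 1);   /* copies the terminator too */
        used += len;
    }
    return 0;
}

/* Look an export up by name; NULL module on POSIX searches the running image and
 * its libraries. Returns NULL when the module or export is missing, so callers check. */
static generic_fn resolve_export(const char *module, const char *name)
{
#ifdef _WIN32
    HMODULE h = GetModuleHandleA(module);
    if (h == NULL)
        h = LoadLibraryA(module);
    if (h == NULL)
        return NULL;
    return (generic_fn)GetProcAddress(h, name);
#else
    void *h = dlopen(module, RTLD_LAZY);
    if (h == NULL)
        return NULL;
    return (generic_fn)dlsym(h, name);
#endif
}

/* The target name assembled from fragments at run time, as the post suggests. */
const char *demo_assembled_name(void)
{
    static char name[32];
    static const char *const parts[] = { "Create", "Remote", "Thread" };
    return build_name(name, sizeof name, parts, 3) == 0 ? name : "";
}

/* Proof that the resolved pointer really is the function asked for: lstrlenA
 * from kernel32.dll on Windows, strlen from libc elsewhere. Returns 0 on failure. */
size_t resolved_strlen(const char *s)
{
#ifdef _WIN32
    typedef int (WINAPI *LSTRLENA_T)(LPCSTR);
    LSTRLENA_T fn = (LSTRLENA_T)resolve_export("kernel32.dll", "lstrlenA");
    return fn ? (size_t)fn(s) : 0;
#else
    typedef size_t (*STRLEN_T)(const char *);
    static const char *const parts[] = { "str", "len" };
    char name[16];
    if (build_name(name, sizeof name, parts, 2) != 0)
        return 0;
    STRLEN_T fn = (STRLEN_T)resolve_export(NULL, name);
    return fn ? fn(s) : 0;
#endif
}

int main(void)
{
    const char *target = demo_assembled_name();
    printf("assembled export name: %s\n", target);
#ifdef _WIN32
    CREATEREMOTETHREADXX yyCreateRemoteThread =
        (CREATEREMOTETHREADXX)resolve_export("kernel32.dll", target);
    if (yyCreateRemoteThread == NULL) {
        fprintf(stderr, "GetProcAddress failed, error %lu\n", GetLastError());
        return 1;
    }
    /* Only resolved here; calling it needs a target process handle and a thread routine. */
    printf("CreateRemoteThread resolved at %p\n", (void *)yyCreateRemoteThread);
#else
    printf("not Windows: exercising the same resolver against libc instead\n");
#endif
    printf("resolved_strlen(\"gh0st\") = %zu\n", resolved_strlen("gh0st"));
    return 0;
}
```

To confirm the effect on a Windows build, run dumpbin /imports on the resulting executable: CreateRemoteThread should be absent from the kernel32.dll import list, while LoadLibraryA and GetProcAddress remain, and a strings scan should show only the fragments, not the full name. The NULL checks matter in practice: a misspelled export name, a missing A/W suffix, or a stray space in the string makes GetProcAddress return NULL, and calling that pointer crashes the process.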
PostScript: I have read a lot of tutorials that say what to change but not why, not how the change actually works, and not where its limits are. One tutorial appends an "l" to the function name and prefixes the new function's definition with a "p", so many readers change exactly those two characters, and the tutorial even frightens people with "don't touch anything else, change just these two places". Sometimes things are neither difficult nor frightening; most of the difficulty and fear comes from other people's sensationalism and from fear of the unknown. I hope everyone can get their hands dirty and do big things. I have also put up a small side site for backlinks; I hope you will support it.