  • fix up auto mode, add halos gate to readme

  • C-Sto committed 2 years ago
    6585e591
    1 parent 9d5c05b4
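--- a/README.md
+++ b/README.md
@@ -19,6 +19,8 @@
 - `WriteMemory` take a byte slice, and write it to a certain memory address (may panic if not writable etc lol)
 - ~A handful of predefined kernel calls like `NtAllocateVirtualMemory` etc. See source for more details and whatnot.~
 - A direct version of `mkwinsyscall` (`mkdirectwinsyscall`in the cmd dir) which should make it easy for you to resolve and use syscalls, and now I don't have to support them :).
+- Halo's gate implementation by @nodauf
+- When using auto mode, BananaPhone will first try to get the syscall ID from memory using the exported function name, then fail over to Halo's Gate, then Fail over to reading ntdll from disk. The Disk read is *not* done with any MapViewOfSection functions, so detection must be conducted using handles to the ntdll file.
 
 All of the PE parsing and extraction of interesting information is provided by https://github.com/Binject/debug, which adds on to the stdlib `pe` library in some very cool ways.
 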
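--- a/example/testhook/main.go
+++ b/example/testhook/main.go
@@ -49,7 +49,7 @@
 	fmt.Printf("[!] Error on VirtualProtect:", errVirtualProtectEx, "\n")
 	}
 	//overwrite in memory function bits to try and trigger bp to do smarts
-	bananaphone.WriteMemory([]byte{0x90, 0x90, 0x90, 0x90}, uintptr(mess))
+	bananaphone.WriteMemory([]byte{0x90, 0x90, 0x4c, 0x8b, 0xd1, 0xb8, 0xc1, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90}, uintptr(mess))
 	fmt.Println("Messed up the NTCreateThreadEx function, gl launching calc!")
 	//resolve the functions and extract the syscalls
 	alloc, e := bp.GetSysID("NtAllocateVirtualMemory")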
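Review bot: The bytes written at line 52 are not explained anywhere, and they matter: `4c 8b d1 b8 c1 00 00 00` decodes to `mov r10, rcx; mov eax, 0xC1`, i.e. a well-formed x64 syscall prologue carrying a bogus syscall ID, which is a very different thing from the four NOPs the old patch wrote. Depending on how the in-memory resolver validates a stub (that code is not in this hunk), this may be accepted as a legitimate ID of 0xC1 instead of being treated as a hook, in which case the example would quietly stop exercising the Halo's Gate / disk fallback path; worth confirming against getSysID and stating the expected outcome. A comment above the call such as `// fake prologue: mov r10,rcx; mov eax,0xC1 - looks like a real stub but with a wrong sysid; bp must not trust it and should fall back` would make the intent explicit. The patch is now 18 bytes, so the VirtualProtect call above must cover at least that many bytes at mess; its size argument, like the start and end of the enclosing function, is outside this hunk.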
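--- a/pkg/BananaPhone/bananaphone.go
+++ b/pkg/BananaPhone/bananaphone.go
@@ -124,7 +124,14 @@
 
 //GetSysID resolves the provided function name into a sysid.
 func (b *BananaPhone) GetSysID(funcname string) (uint16, error) {
-	r, e := b.getSysID(funcname, 0, false, b.mode == HalosGateBananaPhoneMode)
+	useneighbor := false
+	switch b.mode {
+	case HalosGateBananaPhoneMode:
+		fallthrough
+	case AutoBananaPhoneMode:
+		useneighbor = true
+	}
+	r, e := b.getSysID(funcname, 0, false, useneighbor)
 	if e != nil {
 		var err MayBeHookedError
 		// error is some other error besides an indicator that we are being hooked
@@ -147,7 +154,15 @@
 
 //GetSysIDOrd resolves the provided ordinal into a sysid.
 func (b *BananaPhone) GetSysIDOrd(ordinal uint32) (uint16, error) {
-	r, e := b.getSysID("", ordinal, true, b.mode == HalosGateBananaPhoneMode)
+	useneighbor := false
+	switch b.mode {
+	case HalosGateBananaPhoneMode:
+		fallthrough
+	case AutoBananaPhoneMode:
+		useneighbor = true
+	}
+
+	r, e := b.getSysID("", ordinal, true, useneighbor)
 	if e != nil {
 		var err MayBeHookedError
 		//error that is not hooked error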
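Review bot: The `useneighbor` selection added at lines 127-133 of GetSysID is duplicated verbatim at 157-163 of GetSysIDOrd, and `fallthrough` is an unusual way to spell a two-value case; the next mode that needs neighbor lookup will have to be added in two places. Folding both into one helper keeps the mode list in one spot: `func (b *BananaPhone) useNeighbor() bool { return b.mode == HalosGateBananaPhoneMode || b.mode == AutoBananaPhoneMode }` and then `r, e := b.getSysID(funcname, 0, false, b.useNeighbor())` (and likewise for the ordinal variant). If a helper is not wanted, `case HalosGateBananaPhoneMode, AutoBananaPhoneMode:` expresses the same thing without the `fallthrough`. Both GetSysID and GetSysIDOrd continue past the end of their hunks, so the MayBeHookedError handling that decides the actual memory -> Halo's Gate -> disk order described in the README is not visible here and is assumed, not verified, by this note.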