Problem
Whenever gabh.MemHgate was run, it always returned the sysID by reading ntdll from disk, as the code that checks for neighbour sysIDs was malfunctioning and was not computing the right address to look for the 4c8bd1b8 bytes.
By using Memcpy(uintptr(unsafe.Pointer(&buff[0])), uintptr(exp.VirtualAddress), 10), we are storing the data at exp.VirtualAddress in buff, and to check the neighbouring calls we are using *(*byte)(unsafe.Pointer(uintptr(unsafe.Pointer(&buff[0])) + idx*IDX)), which is actually referencing the buff variable (correct me if I am wrong).
Solution
In the for idx := uintptr(1); idx <= 500; idx++ loop, I used exp.VirtualAddress to copy data from the address into buff in each iteration, Memcpy(uintptr(unsafe.Pointer(&buff[0])), uintptr(exp.VirtualAddress + idx*IDX), 10), and then checked for the unhooked byte code like this.
```go
// Unhooked x64 syscall stub: mov r10, rcx ; mov eax, <sysID>
if buff[0] == 0x4c && //76
	buff[1] == 0x8b && //139
	buff[2] == 0xd1 && //209
	buff[3] == 0xb8 && //184
	buff[6] == 0x00 &&
	buff[7] == 0x00 {
	//buff[4] = *(*byte)(unsafe.Pointer(uintptr(unsafe.Pointer(&buff[4])) + idx*IDX))
	//buff[5] = *(*byte)(unsafe.Pointer(uintptr(unsafe.Pointer(&buff[5])) + idx*IDX))
	fmt.Print("Bypassed with Hallo's Gate:: ", exp.Name, "\n")
	// buff[4:6] holds the neighbour's sysID; Uint16Down adjusts it by idx
	return Uint16Down(buff[4:8], uint16(idx)), nil
}
```