GoBypassAV icon indicating copy to clipboard operation
GoBypassAV copied to clipboard
verified publisher icon TideSec

procCryptProtectMemory api的调用有问题

Open breaking153 opened this issue 3 years ago • 1 comments

CryptProtectMemory这个API调用其实出错了,没有效果 图片 图片

breaking153 avatar Sep 23 '22 07:09 breaking153

图片 发现问题了,加密大小必须为16的倍数,修改后的代码: shellcode, _ := hex.DecodeString(scxor) var BlockNum = len(shellcode) / 16 if len(shellcode)%16 != 0 { BlockNum += 1 } _, _, err = procCryptProtectMemory.Call(uintptr(unsafe.Pointer(&shellcode)), uintptr(BlockNum*16), uintptr(0x00))

breaking153 avatar Sep 23 '22 08:09 breaking153