HackShield Method ByPass

I-WantLearn demiş ki:All Credit Going To : Disav0w Aka VirtualProtect- King7 Aka RoBerTo

We are glad to post.
for about 1 years we used this bypass method bypass
We made ahnlabs crazy. after 1 years they was able to patch it!
this was our method to bypass hackshield by checking ahns remote answer!
Why ahnlabs wasnt able to patch it ? because they never understand how we manage it! 


Now we can manage HACKSHIELD BY DRIVER (NT Eagle.sys) , we have more and more way to BYPASS it, with out touch code or do modify to hackshield code!


Enjoy hope will be use full for somebody!

Kod:


DWORD dwAhnHS_MakeResponse_JMPBack = 0;
DWORD dwAhnHS_EndOfMakeResponse_HookStart = 0;
DWORD HS_Place = 0;

__declspec(naked) void __cdecl hkAhnHS_MakeResponse ( DWORD a1, char* a2, char* a3 )
{
     __asm
     {
          push ebp
          mov ebp,esp
          push 0xFF
          pushad
          pushfd
     }
             if ( a1 == 0xD )
             {
                     *(BYTE*)(HS_Place)     = 0x33;
                     *(BYTE*)(HS_Place+0x1) = 0xD0;
             }
     __asm
     {
          popfd
          popad
          jmp dwAhnHS_MakeResponse_JMPBack
     }
}
 __declspec(naked) void __cdecl hkAhnHS_EndOfMakeResponse()
{
     __asm
     {
         pushad
                   pushfd
     }
                     *(BYTE*)(HS_Place)     = 0x85;
                     *(BYTE*)(HS_Place+0x1) = 0xD2;
     __asm
     {
         popfd
         popad
         retn 0x0C
     }
}



int DetouringHackShield (void)
{   
       int hEhSvc, OK = 1337;
       do
       {
         hEhSvc = (int)Tools.oWnGetModuleHandle("EhSvc.dll");
         Sleep(1000);
       } while(!hEhSvc);
       
       if( hEhSvc > 0 )
       {
           unsigned long MProtection;
           if ( ProtectVirtualProtect((void*)hEhSvc,0x00125000,0x04,&MProtection) ) // Our own virtual protect api to prevent stealer
           {


                 HS_Place = (hEhSvc+0x******);
                // CRC
                *(BYTE*)(hEhSvc+0x******) = 0x31;
                // Detection
                *(BYTE*)(hEhSvc+0x******) = 0xC3;
                // Detection
                *(BYTE*)(hEhSvc+0x******) = 0xC3;


                dwAhnHS_MakeResponse_JMPBack = (hEhSvc+0x******0+0x5);
                Detour->Create((PBYTE)(hEhSvc+0x******),(LPBYTE)hkAhnHS_MakeResponse,DETOUR_TYPE_JMP,DETOUR_LEN_AUTO);
                Detour->Create((PBYTE)(hEhSvc+0x******),(LPBYTE)hkAhnHS_EndOfMakeResponse,DETOUR_TYPE_JMP,DETOUR_LEN_AUTO);


           ProtectVirtualProtect((void*)hEhSvc,0x00125000,MProtection,0); // Our own virtual protect api to prevent stealer
           }
       }
       return OK;
}

We used to initiliaze it like this

DWORD IntiliazieBP = DetouringHackShield();
if ( IntiliazieBP == 1337 )
{
    //  starting hook code etc etc

}