Created
February 18, 2024 19:34
-
-
Save Donaldduck8/efa55260ece2bfdc5aebd75df1d21cc4 to your computer and use it in GitHub Desktop.
x64dbg API script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Unpacking APIs | |
// static extern NTSTATUS NtProtectVirtualMemory( | |
// IntPtr ProcessHandle, | |
// ref IntPtr BaseAddress, | |
// ref UInt32 NumberOfBytesToProtect, | |
// UInt32 NewAccessProtection, | |
// ref UInt32 OldAccessProtection | |
// ); | |
// This can be very noisy during normal operation. Uncomment when needed. | |
//bp NtProtectVirtualMemory | |
// static extern NTSTATUS NtProtectVirtualMemory( | |
// IntPtr ProcessHandle, | |
// ref IntPtr BaseAddress, | |
// ref UInt32 NumberOfBytesToProtect, | |
// UInt32 NewAccessProtection, | |
// ref UInt32 OldAccessProtection | |
// ); | |
bp NtUnmapViewOfSection | |
// NTSYSAPI NTSTATUS ZwMapViewOfSection( | |
// [in] HANDLE SectionHandle, | |
// [in] HANDLE ProcessHandle, | |
// [in, out] PVOID *BaseAddress, | |
// [in] ULONG_PTR ZeroBits, | |
// [in] SIZE_T CommitSize, | |
// [in, out, optional] PLARGE_INTEGER SectionOffset, | |
// [in, out] PSIZE_T ViewSize, | |
// [in] SECTION_INHERIT InheritDisposition, | |
// [in] ULONG AllocationType, | |
// [in] ULONG Win32Protect | |
// ); | |
// This can be very noisy during normal operation. Uncomment when needed. | |
//bp NtMapViewOfSection | |
// __kernel_entry NTSYSCALLAPI NTSTATUS NtCreateSection( | |
// [out] PHANDLE SectionHandle, | |
// [in] ACCESS_MASK DesiredAccess, | |
// [in, optional] POBJECT_ATTRIBUTES ObjectAttributes, | |
// [in, optional] PLARGE_INTEGER MaximumSize, | |
// [in] ULONG SectionPageProtection, | |
// [in] ULONG AllocationAttributes, | |
// [in, optional] HANDLE FileHandle | |
// ); | |
// This can be very noisy during normal operation. Uncomment when needed. | |
//bp NtCreateSection | |
// static extern NTSTATUS NtCreateThreadEx( | |
// ref IntPtr threadHandle, | |
// UInt32 desiredAccess, | |
// IntPtr objectAttributes, | |
// IntPtr processHandle, | |
// IntPtr startAddress, | |
// IntPtr parameter, | |
// bool inCreateSuspended, | |
// Int32 stackZeroBits, | |
// Int32 sizeOfStack, | |
// Int32 maximumStackSize, | |
// IntPtr attributeList | |
// ); | |
bp NtCreateThreadEx | |
// NtCreateThread( | |
// OUT PHANDLE ThreadHandle, | |
// IN ACCESS_MASK DesiredAccess, | |
// IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, | |
// IN HANDLE ProcessHandle, | |
// OUT PCLIENT_ID ClientId, | |
// IN PCONTEXT ThreadContext, | |
// IN PINITIAL_TEB InitialTeb, | |
// IN BOOLEAN CreateSuspended | |
//); | |
bp NtCreateThread | |
// NTSTATUS NtAllocateVirtualMemory( | |
// [in] HANDLE ProcessHandle, | |
// [in, out] PVOID *BaseAddress, | |
// [in] ULONG_PTR ZeroBits, | |
// [in, out] PSIZE_T RegionSize, | |
// [in] ULONG AllocationType, | |
// [in] ULONG Protect | |
//); | |
// This can be very noisy during normal operation, however, | |
// all lower level memory allocation APIs will eventually call this | |
// so it can provide great insight into what memory allocation APIs | |
// are being used by the sample. | |
//bp NtAllocateVirtualMemory | |
//Higher level APIs from Kernel32 | |
// LPVOID VirtualAllocEx( | |
// [in] HANDLE hProcess, | |
// [in, optional] LPVOID lpAddress, | |
// [in] SIZE_T dwSize, | |
// [in] DWORD flAllocationType, | |
// [in] DWORD flProtect | |
// ); | |
bp VirtualAllocEx | |
// LPVOID VirtualAlloc( | |
// [in, optional] LPVOID lpAddress, | |
// [in] SIZE_T dwSize, | |
// [in] DWORD flAllocationType, | |
// [in] DWORD flProtect | |
// ); | |
bp VirtualAlloc | |
// BOOL VirtualProtect( | |
// [in] LPVOID lpAddress, | |
// [in] SIZE_T dwSize, | |
// [in] DWORD flNewProtect, | |
// [out] PDWORD lpflOldProtect | |
// ); | |
bp VirtualProtect | |
// BOOL VirtualProtectEx( | |
// [in] HANDLE hProcess, | |
// [in] LPVOID lpAddress, | |
// [in] SIZE_T dwSize, | |
// [in] DWORD flNewProtect, | |
// [out] PDWORD lpflOldProtect | |
//); | |
bp VirtualProtectEx | |
// Injection APIs | |
// BOOL CreateProcessW( | |
// [in, optional] LPCWSTR lpApplicationName, | |
// [in, out, optional] LPWSTR lpCommandLine, | |
// [in, optional] LPSECURITY_ATTRIBUTES lpProcessAttributes, | |
// [in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes, | |
// [in] BOOL bInheritHandles, | |
// [in] DWORD dwCreationFlags, | |
// [in, optional] LPVOID lpEnvironment, | |
// [in, optional] LPCWSTR lpCurrentDirectory, | |
// [in] LPSTARTUPINFOW lpStartupInfo, | |
// [out] LPPROCESS_INFORMATION lpProcessInformation | |
// ); | |
bp CreateProcessW | |
//BOOL CreateProcessA( | |
// [in, optional] LPCSTR lpApplicationName, | |
// [in, out, optional] LPSTR lpCommandLine, | |
// [in, optional] LPSECURITY_ATTRIBUTES lpProcessAttributes, | |
// [in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes, | |
// [in] BOOL bInheritHandles, | |
// [in] DWORD dwCreationFlags, | |
// [in, optional] LPVOID lpEnvironment, | |
// [in, optional] LPCSTR lpCurrentDirectory, | |
// [in] LPSTARTUPINFOA lpStartupInfo, | |
// [out] LPPROCESS_INFORMATION lpProcessInformation | |
//); | |
bp CreateProcessA | |
// UINT WinExec( | |
// [in] LPCSTR lpCmdLine, | |
// [in] UINT uCmdShow | |
// ); | |
bp WinExec | |
// HANDLE CreateToolhelp32Snapshot( | |
// [in] DWORD dwFlags, | |
// [in] DWORD th32ProcessID | |
// ); | |
bp CreateToolhelp32Snapshot | |
// BOOL Process32First( | |
// [in] HANDLE hSnapshot, | |
// [in, out] LPPROCESSENTRY32 lppe | |
// ); | |
bp Process32First | |
// BOOL Process32Next( | |
// [in] HANDLE hSnapshot, | |
// [out] LPPROCESSENTRY32 lppe | |
// ); | |
bp Process32Next | |
// HANDLE OpenProcess( | |
// [in] DWORD dwDesiredAccess, | |
// [in] BOOL bInheritHandle, | |
// [in] DWORD dwProcessId | |
// ); | |
bp OpenProcess | |
// BOOL WriteProcessMemory( | |
// [in] HANDLE hProcess, | |
// [in] LPVOID lpBaseAddress, | |
// [in] LPCVOID lpBuffer, | |
// [in] SIZE_T nSize, | |
// [out] SIZE_T *lpNumberOfBytesWritten | |
// ); | |
bp WriteProcessMemory | |
// BOOL ReadProcessMemory( | |
// [in] HANDLE hProcess, | |
// [in] LPCVOID lpBaseAddress, | |
// [out] LPVOID lpBuffer, | |
// [in] SIZE_T nSize, | |
// [out] SIZE_T *lpNumberOfBytesRead | |
// ); | |
bp ReadProcessMemory | |
// HANDLE CreateRemoteThread( | |
// [in] HANDLE hProcess, | |
// [in] LPSECURITY_ATTRIBUTES lpThreadAttributes, | |
// [in] SIZE_T dwStackSize, | |
// [in] LPTHREAD_START_ROUTINE lpStartAddress, | |
// [in] LPVOID lpParameter, | |
// [in] DWORD dwCreationFlags, | |
// [out] LPDWORD lpThreadId | |
// ); | |
bp CreateRemoteThread | |
// HANDLE CreateThread( | |
// [in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes, | |
// [in] SIZE_T dwStackSize, | |
// [in] LPTHREAD_START_ROUTINE lpStartAddress, | |
// [in, optional] __drv_aliasesMem LPVOID lpParameter, | |
// [in] DWORD dwCreationFlags, | |
// [out, optional] LPDWORD lpThreadId | |
// ); | |
bp CreateThread | |
// BOOL SetThreadContext( | |
// [in] HANDLE hThread, | |
// [in] const CONTEXT *lpContext | |
// ); | |
bp SetThreadContext | |
// NTSYSAPI NTSTATUS NTAPI NtSetContextThread( | |
// IN HANDLE ThreadHandle, | |
// IN PCONTEXT Context ); | |
//bp ZwSetThreadContext | |
// DWORD ResumeThread( | |
// [in] HANDLE hThread | |
// ); | |
bp ResumeThread | |
// Often there are other payloads that can be written to disk in between stages | |
// HANDLE CreateFileA( | |
// [in] LPCSTR lpFileName, | |
// [in] DWORD dwDesiredAccess, | |
// [in] DWORD dwShareMode, | |
// [in, optional] LPSECURITY_ATTRIBUTES lpSecurityAttributes, | |
// [in] DWORD dwCreationDisposition, | |
// [in] DWORD dwFlagsAndAttributes, | |
// [in, optional] HANDLE hTemplateFile | |
// ); | |
bp CreateFileA | |
// HANDLE CreateFileW( | |
// [in] LPCWSTR lpFileName, | |
// [in] DWORD dwDesiredAccess, | |
// [in] DWORD dwShareMode, | |
// [in, optional] LPSECURITY_ATTRIBUTES lpSecurityAttributes, | |
// [in] DWORD dwCreationDisposition, | |
// [in] DWORD dwFlagsAndAttributes, | |
// [in, optional] HANDLE hTemplateFile | |
// ); | |
bp CreateFileW | |
// BOOL WriteFile( | |
// [in] HANDLE hFile, | |
// [in] LPCVOID lpBuffer, | |
// [in] DWORD nNumberOfBytesToWrite, | |
// [out, optional] LPDWORD lpNumberOfBytesWritten, | |
// [in, out, optional] LPOVERLAPPED lpOverlapped | |
// ); | |
bp WriteFile | |
msg "Unpacking, Injection and File Operation API breakpoints set!" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment