Created
February 28, 2024 17:56
-
-
Save WKL-Sec/f097ee605d52695bb8e7c2a31d376394 to your computer and use it in GitHub Desktop.
Demonstrates dynamic resolution of OpenProcess API to bypass IAT, suitable for advanced payload development.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs - Offensive Development Course | |
| // IAT Table Bypass - GetProcAddress | |
| #include <windows.h> | |
| #include <iostream> | |
| // Typedef for the OpenProcess function | |
| typedef HANDLE (WINAPI *pOpenProcess)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); | |
| int main() { | |
| HMODULE hKernel32; | |
| pOpenProcess dynOpenProcess; | |
| // Get a handle to the kernel32.dll module | |
| hKernel32 = GetModuleHandleA("kernel32.dll"); | |
| if (!hKernel32) { | |
| std::cerr << "Failed to get handle to kernel32.dll" << std::endl; | |
| return 1; | |
| } | |
| // Get the address of OpenProcess function | |
| dynOpenProcess = (pOpenProcess)GetProcAddress(hKernel32, "OpenProcess"); | |
| if (!dynOpenProcess) { | |
| std::cerr << "Failed to get address of OpenProcess" << std::endl; | |
| return 1; | |
| } | |
| // Use GetCurrentProcessId to target the current process | |
| DWORD processID = GetCurrentProcessId(); | |
| HANDLE hProcess = dynOpenProcess(PROCESS_ALL_ACCESS, FALSE, processID); | |
| if (hProcess == NULL) { | |
| std::cerr << "Failed to open the current process" << std::endl; | |
| return 1; | |
| } | |
| std::cout << "Successfully obtained a handle to the current process" << std::endl; | |
| CloseHandle(hProcess); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment