VEH Monitor
// VEH Monitor by aaaddress1@chroot.org
#include <stdio.h> | |
#include <windows.h> | |
#pragma warning( disable : 4996 ) | |
/*
 * Vectored exception handler that traces the process one instruction at a
 * time and rewrites the thread context when it recognises specific bytes.
 *
 * Handled exceptions:
 *   - EXCEPTION_ACCESS_VIOLATION whose ExceptionAddress has bit 31 set:
 *     bit 31 of Eip is toggled and processing continues below.
 *   - EXCEPTION_SINGLE_STEP: processing continues below.
 * Every other exception is passed on with EXCEPTION_CONTINUE_SEARCH.
 *
 * Returns EXCEPTION_CONTINUE_EXECUTION for handled exceptions, so the thread
 * resumes with the (possibly modified) context.
 *
 * x86 (32-bit) only: uses Eip/Ebx and truncates pointers to DWORD.
 *
 * NOTE(review): the bytes at Eip are read without checking that the address
 * is readable; after the bit-31 toggle this is an address the handler has
 * just computed.
 */
LONG __stdcall TrapFilter(PEXCEPTION_POINTERS pexinf) {
    DWORD code = pexinf->ExceptionRecord->ExceptionCode;
    int tagged_fault = code == EXCEPTION_ACCESS_VIOLATION &&
                       ((DWORD)pexinf->ExceptionRecord->ExceptionAddress & 0x80000000);

    /* Not one of ours: let the next handler in the chain see it. */
    if (!tagged_fault && code != EXCEPTION_SINGLE_STEP) {
        return EXCEPTION_CONTINUE_SEARCH;
    }

    /* Work on a local copy of Eip; it is written back before resuming. */
    DWORD eip = pexinf->ContextRecord->Eip;
    if (tagged_fault) {
        /* NOTE(review): nothing in this file produces an address with bit 31
         * set; presumably a code pointer is tagged elsewhere - confirm. */
        eip ^= 0x80000000;
    }

    /* B8 EF BE AD DE encodes `mov eax, 0xdeadbeef`. Skipping 12 bytes steps
     * over that instruction plus the `mov ebx, imm32` (5) and `xor ebx, eax`
     * (2) that follow it in main, and Ebx is replaced with a fixed value, so
     * the traced code stores 0x1337 instead of the real XOR result. */
    if (strncmp((PCHAR)eip, "\xB8\xEF\xBE\xAD\xDE", 5) == 0) {
        eip += 12;
        pexinf->ContextRecord->Ebx = 0x1337;
    }

    if (strncmp((PCHAR)eip, "\xCC", 1) == 0) {
        /* int3 is stepped over and the trap flag is left clear, which ends
         * the trace. */
        eip += 1;
    } else if (*(PBYTE)eip != 0xea && *(PWORD)(eip + 5) != 0x33) {
        /* Re-arm the trap flag (EFlags bit 8) so the next instruction raises
         * EXCEPTION_SINGLE_STEP again.
         * NOTE(review): 0xEA with 0x33 at offset 5 is a far jmp to selector
         * 0x33. With `&&`, tracing also stops on any far jmp and on any
         * instruction that merely has 0x0033 at offset 5; if only that one
         * far jmp was meant to be excluded the operator should be `||` -
         * confirm intent before changing. */
        pexinf->ContextRecord->EFlags |= 0x100;
    }

    pexinf->ContextRecord->Eip = eip;
    return EXCEPTION_CONTINUE_EXECUTION;
}
/*
 * Demo driver: installs TrapFilter, turns on single-stepping, runs a small
 * XOR computation under the trace and prints what ended up in `answer`.
 *
 * The statement and instruction order here is load-bearing: TrapFilter
 * matches the encoding of `mov eax, 0xdeadbeef` and skips a fixed 12 bytes,
 * so it relies on `mov ebx, imm32` and `xor ebx, eax` following immediately.
 *
 * MSVC x86 only (inline `_asm`).
 */
int main(int argc, char* argv[]) {
    puts("what's the answer of (0xdeadbeef ^ 0xcafecafe) ?");
    /* First == 0 appends the handler to the end of the vectored handler list.
     * NOTE(review): the return value is not checked for NULL and the handler
     * is never removed; `veh` is otherwise unused. */
    HANDLE veh = AddVectoredExceptionHandler(0, TrapFilter);
    /* Set the trap flag (EFlags bit 8) so each following instruction raises
     * EXCEPTION_SINGLE_STEP, which TrapFilter handles and re-arms. */
    _asm {
        pushfd
        or dword ptr[esp], 0x100
        popfd
    }
    int answer = 0;
    /* Untraced, this stores 0xdeadbeef ^ 0xcafecafe = 0x14537411. Under the
     * trace, TrapFilter skips the first three instructions and sets
     * Ebx = 0x1337, so only `mov answer, ebx` runs. */
    _asm {
        mov eax, 0xdeadbeef
        mov ebx, 0xcafecafe
        xor ebx, eax
        mov answer, ebx
    }
    /* End-of-trace marker: when the single-step lands on this 0xCC byte,
     * TrapFilter advances Eip past it and leaves the trap flag clear. */
    _asm int 3;
    printf("Answer should be... %x!\n", answer);
    return 0;
}