sdf
#include <stdio.h> | |
#include <Windows.h> | |
#include <tlhelp32.h> | |
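/*
 * Look up a process ID by (case-insensitive) executable name.
 *
 * szProcessName: name to look for. Only the first strlen(szProcessName)
 *                characters of each snapshot entry are compared, so this is
 *                a prefix match ("target" also matches "target.exe" and
 *                "targeting.exe"). An empty or NULL name never matches.
 * Returns the th32ProcessID of the first matching entry, or 0xFFFFFFFF when
 * nothing matches or the snapshot cannot be taken.
 *
 * Assumes an ANSI (non-UNICODE) build: pe.szExeFile is compared as char[].
 */
DWORD GetPIDByName(LPCTSTR szProcessName)
{
    DWORD PID = 0xFFFFFFFF;
    PROCESSENTRY32 pe;
    size_t name_len;

    if (szProcessName == NULL) {
        return PID;
    }
    name_len = strlen(szProcessName);
    if (name_len == 0) {
        /* _strnicmp with length 0 would "match" the very first entry. */
        return PID;
    }

    /* CreateToolhelp32Snapshot reports failure as INVALID_HANDLE_VALUE, not NULL. */
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE) {
        return PID;
    }

    pe.dwSize = sizeof(pe);
    /* Process32First can fail; pe would then be indeterminate, so do not iterate. */
    if (Process32First(hSnapShot, &pe)) {
        do {
            /* Compare in place. The original copied szExeFile with
             * strncpy(len = strlen(src)), which never writes the terminator
             * and left proc_name unterminated (proc_name itself was uninitialized). */
            if (_strnicmp(szProcessName, pe.szExeFile, name_len) == 0) {
                PID = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapShot, &pe));
    }

    CloseHandle(hSnapShot);
    return PID;
}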
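/*
 * Return the load address of the first module entry in the module snapshot
 * of process `pid` (for a per-process snapshot that is the main executable).
 *
 * pid: target process ID. Kept as int for compatibility; it is compared
 *      against the DWORD th32ProcessID, so negative values never match.
 * Returns the module base narrowed to a DWORD, 0xFFFFFFFF when no entry
 * matched, or FALSE (0) when the snapshot or Module32First failed. The two
 * failure values are kept for compatibility with existing callers; both
 * must be treated as "no address".
 *
 * Only meaningful in a 32-bit build: modBaseAddr is a BYTE* and the DWORD
 * return type cannot hold a 64-bit address.
 */
DWORD GetModuleBaseAddrByPID(int pid)
{
    DWORD dwAddress = 0xFFFFFFFF;
    MODULEENTRY32 me32;

    /* Failure is INVALID_HANDLE_VALUE (-1); the original's `!hSnapshot` test never caught it. */
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, (DWORD)pid);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    me32.dwSize = sizeof(me32);
    if (!Module32First(hSnapshot, &me32)) {
        CloseHandle(hSnapshot);   /* the original leaked the handle on this path */
        return FALSE;
    }

    do {
        if (me32.th32ProcessID == (DWORD)pid) {
            /* Explicit pointer-to-integer narrowing; see the 32-bit note above. */
            dwAddress = (DWORD)(DWORD_PTR)me32.modBaseAddr;
            break;
        }
    } while (Module32Next(hSnapshot, &me32));

    CloseHandle(hSnapshot);   /* the original never closed the handle on the success path */
    return dwAddress;
}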
/*
 * Entry point: locates a process named "target", reads 5 bytes at a fixed
 * offset from its image base and then writes a 4-byte value one byte past
 * that offset.
 *
 * NOTE(review): `MulAddr` is declared but never assigned (the
 * `// MulAddr = BaseAddr + ;` line is unfinished), so the expression passed
 * to WriteProcessMemory is indeterminate. That expression is also passed by
 * value where the API expects a pointer to a source buffer. None of
 * ReadProcessMemory, VirtualProtectEx or WriteProcessMemory have their
 * return values checked, and the failure sentinels of GetPIDByName /
 * GetModuleBaseAddrByPID are not tested before use. `void main()` is
 * non-standard; C requires `int main`.
 */
void main()
{
    DWORD old, BaseAddr, Read, TargetAddr, MulAddr;
    BYTE ReadBytes[20];
    int pid = GetPIDByName("target");   /* the 0xFFFFFFFF "not found" sentinel becomes -1 here */
    printf(" PID : %d\n", pid);
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    BaseAddr = GetModuleBaseAddrByPID(pid);   /* may be 0 or 0xFFFFFFFF on failure; not checked */
    if (!hProcess)
    {
        printf("Error : %d", GetLastError());
        exit(0);
    }
    TargetAddr = BaseAddr + 0x110FA;   /* hard-coded image-relative offset; only valid for one specific build of the target */
    // MulAddr = BaseAddr + ;
    /* `&ReadBytes` is BYTE (*)[20]; same address as ReadBytes but not an LPVOID. */
    ReadProcessMemory(hProcess, TargetAddr, &ReadBytes, 5 ,&Read);
    printf("OPCODE : %x \n", ReadBytes[1]); // E9
    // target addr + 5 (jmp opcode) + value to be written == jump destination
    // value to be written = jump destination (address of the function to be overwritten) - TargetAddr - 4 (excluding E9)
    VirtualProtectEx(hProcess, (LPVOID)TargetAddr, 1, PAGE_EXECUTE_READWRITE, &old);
    WriteProcessMemory(hProcess, (LPVOID)(TargetAddr+1), MulAddr-TargetAddr-4, 4, &old);
}