-
-
Save gavz/71dc5b69da50b61cb41048932ca1d1e1 to your computer and use it in GitHub Desktop.
VEH Monitor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // VEH Montior by aaaddress1@chroot.org | |
| #include <stdio.h> | |
| #include <windows.h> | |
| #pragma warning( disable : 4996 ) | |
| LONG __stdcall TrapFilter(PEXCEPTION_POINTERS pexinf) { | |
| if (pexinf->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION && ((DWORD)pexinf->ExceptionRecord->ExceptionAddress & 0x80000000)) | |
| pexinf->ContextRecord->Eip = pexinf->ContextRecord->Eip ^ 0x80000000; | |
| else if (pexinf->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP) | |
| return EXCEPTION_CONTINUE_SEARCH; | |
| if (!strncmp((PCHAR)pexinf->ContextRecord->Eip, "\xB8\xEF\xBE\xAD\xDE", 5)) { | |
| pexinf->ContextRecord->Eip += 12; | |
| pexinf->ContextRecord->Ebx = 0x1337; | |
| } | |
| if (!strncmp((PCHAR)pexinf->ContextRecord->Eip, "\xCC", 1)) | |
| pexinf->ContextRecord->Eip += 1; | |
| else if (*(PBYTE)pexinf->ContextRecord->Eip != 0xea && *(PWORD)(pexinf->ContextRecord->Eip + 5) != 0x33) | |
| pexinf->ContextRecord->EFlags |= 0x100; | |
| return EXCEPTION_CONTINUE_EXECUTION; | |
| } | |
| int main(int argc, char* argv[]) { | |
| puts("what's the answer of (0xdeadbeef ^ 0xcafecafe) ?"); | |
| HANDLE veh = AddVectoredExceptionHandler(0, TrapFilter); | |
| _asm { | |
| pushfd | |
| or dword ptr[esp], 0x100 | |
| popfd | |
| } | |
| int answer = 0; | |
| _asm { | |
| mov eax, 0xdeadbeef | |
| mov ebx, 0xcafecafe | |
| xor ebx, eax | |
| mov answer, ebx | |
| } | |
| _asm int 3; | |
| printf("Answer should be... %x!\n", answer); | |
| return 0; | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment