-
-
Save hasherezade/5154d608da0ff92a2f599f62284182f9 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <windows.h> | |
#include <iostream> | |
#include <detours.h> | |
const size_t EVIL_SIZE = 0x2d8000; | |
HMODULE evil = NULL; | |
//---- | |
PVOID(NTAPI *pRtlAddVectoredExceptionHandler)(IN ULONG FirstHandler, IN PVECTORED_EXCEPTION_HANDLER VectoredHandler) = nullptr; | |
DWORD(__fastcall *resolve_func)(DWORD edx_val, DWORD ecx_val) = nullptr; | |
//---- | |
LONG __cdecl my_patch_some_code(struct _EXCEPTION_POINTERS *ExceptionInfo) | |
{ | |
struct _EXCEPTION_POINTERS *except_ptr = ExceptionInfo; | |
PCONTEXT v2 = ExceptionInfo->ContextRecord; | |
DWORD edx_val = v2->Edx; | |
DWORD ecx_val = v2->Ecx; | |
DWORD new_eax = resolve_func(edx_val, ecx_val); | |
if (!new_eax) { | |
return 0; | |
} | |
VirtualProtect((LPVOID)(except_ptr->ContextRecord->Eip-2), 0x1000u, 0x40u, (PDWORD)&ExceptionInfo); | |
except_ptr->ContextRecord->Eax = (DWORD)new_eax; | |
if (*(WORD *)(except_ptr->ContextRecord->Eip) != 0x008B) { | |
std::cout << "Changed...\n"; | |
*(WORD *)(except_ptr->ContextRecord->Eip - 2) = 0xC033;// mov eax, [eax] | |
*(WORD *)(except_ptr->ContextRecord->Eip) = 0x008B;// mov eax, [eax] | |
} | |
*(WORD *)(except_ptr->ContextRecord->Eip + 2) = 0x9090;// NOPs | |
*(WORD *)(except_ptr->ContextRecord->Eip + 3) = 0xD0FF;// CALL EAX | |
except_ptr->ContextRecord->Eip += 3; | |
VirtualProtect((LPVOID)(except_ptr->ContextRecord->Eip-2), 0x1000u, (DWORD)ExceptionInfo, (PDWORD)&ExceptionInfo); | |
return -1; | |
} | |
PVOID NTAPI myRtlAddVectoredExceptionHandler(IN ULONG FirstHandler, IN PVECTORED_EXCEPTION_HANDLER VectoredHandler) | |
{ | |
std::cout << "RtlAddVectoredExceptionHandler: [" << std::hex << (ULONG_PTR)VectoredHandler << "] replaced with the custom handler..." << std::endl; | |
return pRtlAddVectoredExceptionHandler(FirstHandler, (PVECTORED_EXCEPTION_HANDLER)my_patch_some_code); | |
} | |
void hook_apis() | |
{ | |
DetourTransactionBegin(); | |
DetourUpdateThread(GetCurrentThread()); | |
DetourAttach(&(PVOID&)pRtlAddVectoredExceptionHandler, myRtlAddVectoredExceptionHandler); | |
DetourTransactionCommit(); | |
} | |
int main(int argc, char *argv[]) | |
{ | |
if (argc < 2) { | |
std::cout << "Args: <IP>" << std::endl; | |
system("pause"); | |
return 0; | |
} | |
LPCSTR evil_path = "evil.dll"; //evil.exe DLL converted into DLL | |
std::cout << "Reading module from: " << evil_path << std::endl; | |
evil = LoadLibraryA(evil_path); | |
if (!evil) { | |
return -1; | |
} | |
std::cout << "Loaded at: " << std::hex << (ULONGLONG) evil << std::endl; | |
ULONGLONG func_offset = (ULONGLONG)evil + 0x54b0; | |
resolve_func = (DWORD(__fastcall *) (DWORD, DWORD)) func_offset; | |
pRtlAddVectoredExceptionHandler = (PVOID(NTAPI *)(IN ULONG , IN PVECTORED_EXCEPTION_HANDLER )) GetProcAddress(LoadLibraryA("ntdll"),"RtlAddVectoredExceptionHandler"); | |
hook_apis(); | |
ULONGLONG ep_offset = (ULONGLONG)evil + 0x26bd8; | |
int(__stdcall *start)() = nullptr; | |
start = (int(__stdcall *)()) ep_offset; | |
std::cout << "Calling start...\n"; | |
start(); | |
system("pause"); | |
return 0; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment