-
-
Save hasherezade/a0b36d6c08fff2f79027c6bd430f60aa to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <detours.h> | |
| #include <iostream> | |
| #include <sstream> | |
| DWORD(__fastcall *resolve_func)(DWORD edx_val, DWORD ecx_val) = nullptr; | |
| PVOID(NTAPI *pRtlAddVectoredExceptionHandler)(IN ULONG FirstHandler, IN PVECTORED_EXCEPTION_HANDLER VectoredHandler) = nullptr; | |
| LONG __cdecl my_patch_some_code(struct _EXCEPTION_POINTERS *ExceptionInfo) | |
| { | |
| struct _EXCEPTION_POINTERS *except_ptr = ExceptionInfo; | |
| PCONTEXT v2 = ExceptionInfo->ContextRecord; | |
| DWORD edx_val = v2->Edx; | |
| DWORD ecx_val = v2->Ecx; | |
| DWORD new_eax = resolve_func(edx_val, ecx_val); | |
| if (!new_eax) { | |
| return 0; | |
| } | |
| VirtualProtect((LPVOID)(except_ptr->ContextRecord->Eip - 2), 0x1000u, 0x40u, (PDWORD)&ExceptionInfo); | |
| except_ptr->ContextRecord->Eax = (DWORD)new_eax; | |
| // change all exception to follow the same pattern: | |
| if (*(WORD *)(except_ptr->ContextRecord->Eip) != 0x008B) { | |
| *(WORD *)(except_ptr->ContextRecord->Eip - 2) = 0xC033;// mov eax, [eax] | |
| *(WORD *)(except_ptr->ContextRecord->Eip) = 0x008B;// mov eax, [eax] | |
| } | |
| *(WORD *)(except_ptr->ContextRecord->Eip + 2) = 0x9090;// NOPs | |
| *(WORD *)(except_ptr->ContextRecord->Eip + 3) = 0xD0FF;// CALL EAX | |
| except_ptr->ContextRecord->Eip += 3; | |
| VirtualProtect((LPVOID)(except_ptr->ContextRecord->Eip - 2), 0x1000u, (DWORD)ExceptionInfo, (PDWORD)&ExceptionInfo); | |
| return -1; | |
| } | |
| PVOID NTAPI myRtlAddVectoredExceptionHandler(IN ULONG FirstHandler, IN PVECTORED_EXCEPTION_HANDLER VectoredHandler) | |
| { | |
| std::cout << "RtlAddVectoredExceptionHandler: [" << std::hex << (ULONG_PTR)VectoredHandler << "] replaced with the custom handler..." << std::endl; | |
| return pRtlAddVectoredExceptionHandler(FirstHandler, (PVECTORED_EXCEPTION_HANDLER)my_patch_some_code); | |
| } | |
| void hook_api(bool enable) | |
| { | |
| //load pointers | |
| HANDLE evil = GetModuleHandleA(NULL); | |
| ULONGLONG func_offset = (ULONGLONG)evil + 0x54b0; | |
| resolve_func = (DWORD(__fastcall *) (DWORD, DWORD)) func_offset; | |
| pRtlAddVectoredExceptionHandler = (PVOID(NTAPI *)(IN ULONG, IN PVECTORED_EXCEPTION_HANDLER)) GetProcAddress(LoadLibraryA("ntdll"), "RtlAddVectoredExceptionHandler"); | |
| DetourTransactionBegin(); | |
| DetourUpdateThread(GetCurrentThread()); | |
| // hook the function | |
| DetourAttach(&(PVOID&)pRtlAddVectoredExceptionHandler, myRtlAddVectoredExceptionHandler); | |
| DetourTransactionCommit(); | |
| } | |
| BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) | |
| { | |
| switch (fdwReason) | |
| { | |
| case DLL_PROCESS_ATTACH: | |
| OutputDebugStringA("Hooking the process"); | |
| hook_api(true); | |
| break; | |
| case DLL_THREAD_ATTACH: | |
| case DLL_THREAD_DETACH: | |
| break; | |
| case DLL_PROCESS_DETACH: | |
| break; | |
| } | |
| return TRUE; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment