peternguyen93/windows_lfh.cpp

## windows_lfh.cpp
// SimpleHooking.cpp : Defines the entry point for the console application.
// Author : peternguyen

#include "stdafx.h"
#include <string>
#include <iostream>
#include <stdlib.h>

using namespace std;

class Human
{
protected:
	string name;
	int age;
public:
	Human(string name, int age);
	Human();
	void operator= (Human& h);
	void operator= (Human h);
	virtual void sayHello();
	void setName(string name);
	void setAge(int age);
	string getName();
	int getAge();
};

class Man : public Human
{
public:
	Man() { Human(); }
	Man(string name, int age) { Human(name, age); }
	void sayHello();
};

Human::Human()
{
	this->name = "No name";
	this->age = 0;
}

void Human::operator=(Human& h)
{
	this->name = h->name;
	this->age = h->age;
}

void Human::operator=(Human h)
{
	this->name = h.name;
	this->age = h.age;
}

Human::Human(string name, int age)
{
	this->name = name;
	this->age = age;
}

void Human::sayHello()
{
	cout << "Hi, my name is " << this->name <<"\n";
}

void Man::sayHello()
{
	cout << "Hi, my name is " << this->name << ", I'm a man\n";
}

void Human::setName(string name)
{
	this->name = name;
}

void Human::setAge(int age)
{
	this->age = age;
}

string Human::getName()
{
	return this->name;
}

int Human::getAge()
{
	return this->age;
}

void calc_function()
{
	system("calc.exe");
}

int main()
{
	Man *h = new Man();

	h->setName("CLGT");
	h->setAge(1234);

	h->sayHello();

	delete h;
	char *p = 0;
	int count = 0;
	// default windows LFH is enable
	do {
		p = new char[sizeof(Man)];
		memset(p, 'A', sizeof(Man));
		count++;
	} while ((int)p != (int)(h));

	int *fake_vtable = new int[2];
	fake_vtable[0] = (int)calc_function;

	cout << "After spray heap " << count << " times\n `p` and `h` now is the same\n";
	*((int *)p) = (int)fake_vtable;

	h->sayHello(); // # trigger use after free

	getchar();
    return 0;
}
	// SimpleHooking.cpp : Defines the entry point for the console application.
	// Author : peternguyen

	#include "stdafx.h"
	#include <string>
	#include <iostream>
	#include <stdlib.h>

	using namespace std;

	class Human
	{
	protected:
	string name;
	int age;
	public:
	Human(string name, int age);
	Human();
	void operator= (Human& h);
	void operator= (Human h);
	virtual void sayHello();
	void setName(string name);
	void setAge(int age);
	string getName();
	int getAge();
	};

	class Man : public Human
	{
	public:
	Man() { Human(); }
	Man(string name, int age) { Human(name, age); }
	void sayHello();
	};

	Human::Human()
	{
	this->name = "No name";
	this->age = 0;
	}

	void Human::operator=(Human& h)
	{
	this->name = h->name;
	this->age = h->age;
	}

	void Human::operator=(Human h)
	{
	this->name = h.name;
	this->age = h.age;
	}

	Human::Human(string name, int age)
	{
	this->name = name;
	this->age = age;
	}

	void Human::sayHello()
	{
	cout << "Hi, my name is " << this->name <<"\n";
	}

	void Man::sayHello()
	{
	cout << "Hi, my name is " << this->name << ", I'm a man\n";
	}

	void Human::setName(string name)
	{
	this->name = name;
	}

	void Human::setAge(int age)
	{
	this->age = age;
	}

	string Human::getName()
	{
	return this->name;
	}

	int Human::getAge()
	{
	return this->age;
	}

	void calc_function()
	{
	system("calc.exe");
	}

	int main()
	{
	Man *h = new Man();

	h->setName("CLGT");
	h->setAge(1234);

	h->sayHello();

	delete h;
	char *p = 0;
	int count = 0;
	// default windows LFH is enable
	do {
	p = new char[sizeof(Man)];
	memset(p, 'A', sizeof(Man));
	count++;
	} while ((int)p != (int)(h));

	int *fake_vtable = new int[2];
	fake_vtable[0] = (int)calc_function;

	cout << "After spray heap " << count << " times\n `p` and `h` now is the same\n";
	((int )p) = (int)fake_vtable;

	h->sayHello(); // # trigger use after free

	getchar();
	return 0;
	}