sbtoonz
sbtoonz
/ detect_dll_hijack.cpp
Created
November 18, 2022 21:29
— forked from veil-ivy/detect_dll_hijack.cpp
detect dll hijacking attempts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <stdio.h> | |
| #include <iostream> | |
| LPVOID original_func = NULL; | |
| PIMAGE_IMPORT_DESCRIPTOR import_descriptor = NULL; | |
| const wchar_t* back = L"\\"; | |
| wchar_t current_directory[MAX_PATH]; | |
| typedef HMODULE(WINAPI * loadlibrary_def)( | |
| LPCWSTR lpLibFileName |
sbtoonz
/ block_create_process.cpp
Created
November 18, 2022 21:28
— forked from veil-ivy/block_create_process.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <ntddk.h> | |
| #define BLOCK_PROCESS "notepad.exe" | |
| static OB_CALLBACK_REGISTRATION obcallback_registration; | |
| static OB_OPERATION_REGISTRATION oboperation_callback; | |
| #define PROCESS_CREATE_THREAD (0x0002) | |
| #define PROCESS_CREATE_PROCESS (0x0080) | |
| #define PROCESS_TERMINATE (0x0001) | |
| #define PROCESS_VM_WRITE (0x0020) | |
| #define PROCESS_VM_READ (0x0010) | |
| #define PROCESS_VM_OPERATION (0x0008) |
sbtoonz
/ [1] Description
Created
November 14, 2022 01:43
— forked from Little-Ki/[1] Description
[Code] [Kernel] ObRegisterCallbacks
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // The ObRegisterCallbacks routine registers a list of callback routines for thread, process, and desktop handle operations. | |
| // This function is a most public method used by anti cheat / anti virus software. | |
| // Offical document: | |
| // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks | |
| // Function syntax: | |
| // NTSTATUS ObRegisterCallbacks( | |
| // POB_CALLBACK_REGISTRATION CallbackRegistration, | |
| // PVOID *RegistrationHandle |