
  1.  
  2.         uintptr_t patch_addr;
  3.  
  4.         FARPROC nt_protect = GetProcAddress( GetModuleHandleA( "ntdll.dll" ), "NtProtectVirtualMemory" );
  5.         while ( *(BYTE*)nt_protect == 0xE9 )
  6.         {
  7.             Sleep( 100 );
  8.         }
  9.  
  10.         Sleep( 500 );
  11.  
  12.         unsigned char shell_syscall[] = {
  13.             0xB8, 0x50, 0x00, 0x00, 0x00, // mov eax, number ($+0x00)
  14.             0xBA, 0x40, 0x8D, 0x70, 0x77, // mov edx, Wow64Transition ($+0x05)
  15.             0xFF, 0xD2,                      // call edx ($+0x0A)
  16.             0xC2, 0x14, 0x00              // ret 0x14 ($+0x0C)
  17.         };
  18.  
  19.         uintptr_t shell_mem = (uintptr_t)VirtualAlloc( 0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
  20.         memcpy( (void*)shell_mem, shell_syscall, sizeof( shell_syscall ) );
  21.         *(uint32_t*)( shell_mem + 0x1 ) = GetSystemNumber( "NtProtectVirtualMemory" );
  22.         *(uintptr_t*)( shell_mem + 0x6 ) = *(uintptr_t*)( GetProcAddress( GetModuleHandleA( "ntdll.dll" ), "Wow64Transition" ) );
  23.  
  24.         t_NtProtectVirtualMemory m_NtProtectVirtualMemory = (t_NtProtectVirtualMemory)shell_mem;
  25.         memset( (void*)patch_addr, 0x90, 1 ); //nop
  26.  
