View Single Post
  #24  
Old 08-07-2021, 00:46
mcr4ck mcr4ck is offline
Friend
 
Join Date: Nov 2019
Location: iran
Posts: 40
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 32
Thanks Rcvd at 16 Times in 12 Posts
mcr4ck Reputation: 1
"detours" package
https://mega.nz/file/SAwS2TzA#RHRKsixO1Eq2vP1589raQrB3sJYoWOFbHHH8fHAMl-A

Quote:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"

#include <iostream>
#include <vector>
#include <Windows.h>
#include <tlhelp32.h>

#include "detours.h"

#pragma comment(lib, "detours.lib")

using namespace std;

BOOL WINAPI My_DeviceIoControl(
HANDLE hDevice,
DWORD dwIoControlCode,
LPVOID lpInBuffer,
DWORD nInBufferSize,
LPVOID lpOutBuffer,
DWORD nOutBufferSize,
LPDWORD lpBytesReturned,
LPOVERLAPPED lpOverlapped
);

static BOOL(WINAPI* Ori_DeviceIoControl) (
HANDLE hDevice,
DWORD dwIoControlCode,
LPVOID lpInBuffer,
DWORD nInBufferSize,
LPVOID lpOutBuffer,
DWORD nOutBufferSize,
LPDWORD lpBytesReturned,
LPOVERLAPPED lpOverlapped
) = NULL;



BYTE bytes_written_1[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90 };
BYTE bytes_written_2[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90x 0x90 };


DWORD GetProcId(const wchar_t* procName)
{
DWORD procId = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnap != INVALID_HANDLE_VALUE)
{
PROCESSENTRY32 procEntry;
procEntry.dwSize = sizeof(procEntry);

if (Process32First(hSnap, &procEntry))
{
do
{
if (!_wcsicmp(procEntry.szExeFile, procName))
{
procId = procEntry.th32ProcessID;
break;
}
} while (Process32Next(hSnap, &procEntry));

}
}
CloseHandle(hSnap);
return procId;
}

DWORD GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
DWORD modBaseAddr = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
if (hSnap != INVALID_HANDLE_VALUE)
{
MODULEENTRY32 modEntry;
modEntry.dwSize = sizeof(modEntry);
if (Module32First(hSnap, &modEntry))
{
do
{
if (!_wcsicmp(modEntry.szModule, modName))
{
modBaseAddr = (DWORD)modEntry.modBaseAddr;
break;
}
} while (Module32Next(hSnap, &modEntry));
}
}
CloseHandle(hSnap);
return modBaseAddr;
}




BOOL APIENTRY DllMain(HMODULE hDLL,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
HMODULE dll_module_1 = GetModuleHandleA("kernel32.dll");

if (!dll_module_1)
{
DWORD dw = GetLastError();
MessageBox(NULL, L"The library could not load", L"ERROR", MB_OK);
}

{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:

DetourRestoreAfterWith();

Ori_DeviceIoControl = (BOOL(WINAPI*) (HANDLE, DWORD, LPVOID, DWORD, LPVOID, DWORD, LPDWORD, LPOVERLAPPED)) DetourFindFunction("kernel32.dll", "DeviceIoControl");

DisableThreadLibraryCalls(hDLL);
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());

DetourAttach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);

if (DetourTransactionCommit() != NO_ERROR)
MessageBox(NULL, L"Detour Attach Error", NULL, MB_OK);

break;

case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:

DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
DetourTransactionCommit();

break;
}
return TRUE;
}
}

BOOL WINAPI My_DeviceIoControl(
HANDLE hDevice,
DWORD dwIoControlCode,
LPVOID lpInBuffer,
DWORD nInBufferSize,
LPVOID lpOutBuffer,
DWORD nOutBufferSize,
LPDWORD lpBytesReturned,
LPOVERLAPPED lpOverlapped
)

{

DWORD processID = GetProcId(L"notepad.exe");
HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, processID);
DWORD moduleBase = GetModuleBaseAddress(processID, L"notepad.exe");

if (moduleBase != 0)
{
DWORD target_adres = moduleBase + 100;
DWORD* target_adres_ = 0;
DWORD dwLen_ = 0;
BOOL sonuc = false;

DWORD* control_1 = (DWORD*)0x0AB12345;
DWORD* control_2 = (DWORD*)0x0EF12345;

DWORD oldprotect;

if (target_adres != 0)
{
ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

if (target_adres_ == control_1)
{
unsigned int length_ = 6;

VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, PAGE_EXECUTE_READWRITE, &oldprotect);
sonuc = WriteProcessMemory(hProcess, (LPVOID)target_adres, &bytes_written_1, length_, &dwLen_); // 1st patch (1st Layer)
VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, oldprotect, &oldprotect);

...
...


if (sonuc)
{
//MessageBox(NULL, L"patched", NULL, MB_OK); // 1st layer is OK, patched
}
}
}

target_adres = moduleBase + 0x0100; // 2nd layer (if needed)

if (target_adres != 0)
{
ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

if (target_adres_ == control_2)
{
unsigned int length_= 7;

VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, PAGE_EXECUTE_READWRITE, &oldprotect);
sonuc = WriteProcessMemory(hProcess, (LPVOID)hedef_adres, &bytes_written_4, uzunluk, &dwLen_); // 2nd patch (2nd layer)
VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, oldprotect, &oldprotect);

...
...


DetourTransactionBegin(); // JOB is done, it is time to Detach
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
DetourTransactionCommit();


}
}

}


BOOL fake_handle = false;

fake_handle = Ori_DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);

return fake_handle;

}
Reply With Quote
The Following 2 Users Say Thank You to mcr4ck For This Useful Post:
countryboy (09-22-2021), niculaita (08-07-2021)