Memory patcher (loader) to deal with Address Space Layout Randomization (ASLR)
PHP Code:
#include <windows.h>
#include <stdio.h>
#ifdef _WIN64
#define CAPTION "atomos - memory patcher for chimera #01 (64-bit)"
#define EXENAME "target64.exe"
#else
#define CAPTION "atomos - memory patcher for chimera #01 (32-bit)"
#define EXENAME "target32.exe"
#endif
int iWinMain() {
PROCESS_INFORMATION lpProcessInfo = {0};
CONTEXT lpContext = {0};
STARTUPINFO lpStartupInfo = {0};
printf("%s\nFilename: %s\n\n", CAPTION, EXENAME);
if(CreateProcessA(EXENAME,
NULL,
NULL,
NULL,
0,
CREATE_SUSPENDED,
NULL,
NULL,
&lpStartupInfo,
&lpProcessInfo)) {
lpContext.ContextFlags = CONTEXT_FULL;
GetThreadContext(lpProcessInfo.hThread, &lpContext);
#ifdef _WIN64
ULONG_PTR* peb = (ULONG_PTR*)lpContext.Rdx;
#else
ULONG_PTR* peb = (ULONG_PTR*)lpContext.Ebx;
#endif
ULONG_PTR ImageBaseAddress = NULL;
ReadProcessMemory(lpProcessInfo.hProcess,
&peb[2],
(LPVOID)&ImageBaseAddress,
sizeof(ULONG_PTR),
NULL);
printf("[-] ImageBase Address = 0x%p\n", ImageBaseAddress);
#ifdef _WIN64
printf("[-] EntryPoint Address = 0x%p\n", lpContext.Rcx);
printf("[-] Process (PEB Address) = 0x%p\n", lpContext.Rdx);
#else
printf("[-] EntryPoint Address = 0x%p\n", lpContext.Eax);
printf("[-] Process (PEB Address) = 0x%p\n", lpContext.Ebx);
#endif
#ifdef _WIN64
ULONG_PTR uTargetAddress = lpContext.Rcx + 0x7E;
const char newByte = 0x75;
#else
ULONG_PTR uTargetAddress = lpContext.Eax + 0x64;
const char newByte = 0x74;
#endif
WriteProcessMemory(lpProcessInfo.hProcess,
(LPVOID)uTargetAddress,
&newByte,
1,
NULL);
ResumeThread(lpProcessInfo.hThread);
WaitForSingleObject(lpProcessInfo.hThread, INFINITE);
}
return 0;
}
Attached file contains (source and binary (32bit/64bit) for testing purposes)