asd

From mcraxker, 10 Months ago, written in C++.

Embed

Download Paste or View Raw
Hits: 125

#include <windows.h>

int main()

{

PDWORD functionAddress = (PDWORD)0;

HMODULE libraryBase = LoadLibraryA(OBFUSCATE("ntdll"));

PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)libraryBase;

PIMAGE_NT_HEADERS imageNTHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)libraryBase + dosHeader->e_lfanew);

DWORD_PTR exportDirectoryRVA = imageNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;

PIMAGE_EXPORT_DIRECTORY imageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD_PTR)libraryBase + exportDirectoryRVA);

PDWORD addresOfFunctionsRVA = (PDWORD)((DWORD_PTR)libraryBase + imageExportDirectory->AddressOfFunctions);

PDWORD addressOfNamesRVA = (PDWORD)((DWORD_PTR)libraryBase + imageExportDirectory->AddressOfNames);

PWORD addressOfNameOrdinalsRVA = (PWORD)((DWORD_PTR)libraryBase + imageExportDirectory->AddressOfNameOrdinals);

for (DWORD i = 0; i < imageExportDirectory->NumberOfNames; i++)

{

DWORD functionNameRVA = addressOfNamesRVA[i];

DWORD_PTR functionNameVA = (DWORD_PTR)libraryBase + functionNameRVA;

char *functionName = (char *)functionNameVA;

DWORD_PTR functionAddressRVA = 0;

functionAddressRVA = addresOfFunctionsRVA[addressOfNameOrdinalsRVA[i]];

functionAddress = (PDWORD)((DWORD_PTR)libraryBase + functionAddressRVA);

unsigned char syscallPrologue[4] = {0x4c, 0x8b, 0xd1, 0xb8};

if (strncmp(functionName, (char *)OBFUSCATE("Nt"), 2) == 0 || strncmp(functionName, (char *)OBFUSCATE("Zw"), 2) == 0)

{

if (memcmp(functionAddress, syscallPrologue, 4) != 0)

{

if (*((unsigned char *)functionAddress) == 0xE9)

{

DWORD jumpTargetRelative = *((PDWORD)((char *)functionAddress + 1));

PDWORD jumpTarget = functionAddress + 5 + jumpTargetRelative;

char moduleNameBuffer[512];

GetMappedFileNameA(GetCurrentProcess(), jumpTarget, moduleNameBuffer, 512);

ExitProcess(-1);

}

}

}

}

}

Author

Title

Language

Your paste - Paste your paste here

#include &lt;windows.h&gt;

int main()
{
      PDWORD functionAddress = (PDWORD)0;

HMODULE libraryBase = LoadLibraryA(OBFUSCATE(&quot;ntdll&quot;));

PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)libraryBase;
    PIMAGE_NT_HEADERS imageNTHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)libraryBase + dosHeader-&gt;e_lfanew);

DWORD_PTR exportDirectoryRVA = imageNTHeaders-&gt;OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    PIMAGE_EXPORT_DIRECTORY imageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD_PTR)libraryBase + exportDirectoryRVA);

PDWORD addresOfFunctionsRVA = (PDWORD)((DWORD_PTR)libraryBase + imageExportDirectory-&gt;AddressOfFunctions);
    PDWORD addressOfNamesRVA = (PDWORD)((DWORD_PTR)libraryBase + imageExportDirectory-&gt;AddressOfNames);
    PWORD addressOfNameOrdinalsRVA = (PWORD)((DWORD_PTR)libraryBase + imageExportDirectory-&gt;AddressOfNameOrdinals);

for (DWORD i = 0; i &lt; imageExportDirectory-&gt;NumberOfNames; i++)
    {
        DWORD functionNameRVA = addressOfNamesRVA[i];
        DWORD_PTR functionNameVA = (DWORD_PTR)libraryBase + functionNameRVA;
        char *functionName = (char *)functionNameVA;

DWORD_PTR functionAddressRVA = 0;
        functionAddressRVA = addresOfFunctionsRVA[addressOfNameOrdinalsRVA[i]];
        functionAddress = (PDWORD)((DWORD_PTR)libraryBase + functionAddressRVA);

unsigned char syscallPrologue[4] = {0x4c, 0x8b, 0xd1, 0xb8};

if (strncmp(functionName, (char *)OBFUSCATE(&quot;Nt&quot;), 2) == 0 || strncmp(functionName, (char *)OBFUSCATE(&quot;Zw&quot;), 2) == 0)
        {
            if (memcmp(functionAddress, syscallPrologue, 4) != 0)
            {

if (*((unsigned char *)functionAddress) == 0xE9)
                {
                    DWORD jumpTargetRelative = *((PDWORD)((char *)functionAddress + 1));
                    PDWORD jumpTarget = functionAddress + 5 + jumpTargetRelative;
                    char moduleNameBuffer[512];
                    GetMappedFileNameA(GetCurrentProcess(), jumpTarget, moduleNameBuffer, 512);

ExitProcess(-1);
                }
            }
        }
    }
}

Private - Private paste aren't shown in recent listings.

Delete After - When should we delete your paste?

Spam protection -

{"html5":"htmlmixed","css":"css","javascript":"javascript","php":"php","python":"python","ruby":"ruby","lua":"text\/x-lua","bash":"text\/x-sh","go":"go","c":"text\/x-csrc","cpp":"text\/x-c++src","diff":"diff","latex":"stex","sql":"sql","xml":"xml","apl":"apl","asterisk":"asterisk","c_loadrunner":"text\/x-csrc","c_mac":"text\/x-csrc","coffeescript":"text\/x-coffeescript","csharp":"text\/x-csharp","d":"d","ecmascript":"javascript","erlang":"erlang","groovy":"text\/x-groovy","haskell":"text\/x-haskell","haxe":"text\/x-haxe","html4strict":"htmlmixed","java":"text\/x-java","java5":"text\/x-java","jquery":"javascript","mirc":"mirc","mysql":"sql","ocaml":"text\/x-ocaml","pascal":"text\/x-pascal","perl":"perl","perl6":"perl","plsql":"sql","properties":"text\/x-properties","q":"text\/x-q","scala":"scala","scheme":"text\/x-scheme","tcl":"text\/x-tcl","vb":"text\/x-vb","verilog":"text\/x-verilog","yaml":"text\/x-yaml","z80":"text\/x-z80"}

Reply to "asd"