- #include<Windows.h>
#pragma comment(linker,"/SECTION:.magic,ERW")
#pragma code_seg(".magic")
/*
 * Landing pad for the bytes that Install() copies out of the switch stub
 * found via fs:[0xC0]. The seven 0xCC (int3) bytes below are placeholders
 * only: Install() overwrites them in place with memcpy_s, which is why this
 * function is naked (no prologue/epilogue to disturb the byte layout) and why
 * it is placed in the custom ".magic" section that the two pragmas above link
 * with execute/read/write permissions.
 *
 * NOTE(review): an image section that is both writable and executable is an
 * unusual property and is a finding by itself for image-integrity checks; and
 * until Install() has actually copied the stub bytes in, executing this
 * function traps on the first int3.
 */
void __declspec(naked) EnterSystemCall() {
    __asm {
        __emit(0xCC);   /* 7 bytes total, matching the 0x07 length Install() copies */
        __emit(0xCC);
        __emit(0xCC);
        __emit(0xCC);
        __emit(0xCC);
        __emit(0xCC);
        __emit(0xCC);
    }
}
#pragma code_seg()   /* back to the default code section for what follows */
/*
 * Detour target that Install() writes into the switch stub (E9 rel32 at
 * offset +2). Author's note: which API is being called can be determined by
 * checking the eax value at this point. The seven nops are unused space in the
 * detour; control then jumps to EnterSystemCall, which by then holds the bytes
 * copied out of the original stub, so the original transition still runs.
 */
void __declspec(naked) HookSystemCall() {
    __asm {
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        jmp EnterSystemCall   /* continue with the saved original stub bytes */
    }
}
/*
 * Patch the first 7 bytes of the code whose address is stored at fs:[0xC0]
 * (the author's "x86 to x64 switch code") so that it jumps to HookSystemCall.
 * fs-relative reads like this presumably only make sense in a 32-bit (WoW64)
 * process -- confirm against the build target.
 *
 * Returns false if either VirtualProtect call fails, true otherwise.
 *
 * The statement order below is the whole point of the function; do not
 * reorder:
 *   1. save the stub's first 7 bytes into EnterSystemCall (the ERW landing pad)
 *   2. make the 7 stub bytes writable
 *   3. "lock": write EB FE (short jmp to itself) over the first two bytes so a
 *      thread entering the stub spins instead of executing a half-written patch
 *   4. write E9 + rel32 at offset +2
 *   5. "unlock": replace EB FE with EB 00 (short jmp +0), which falls through
 *      into the E9 just written -- EB 00 E9 xx xx xx xx is exactly 7 bytes
 *   6. restore the original page protection
 *
 * NOTE(review): memcpy_s's return value is ignored; if the copy fails,
 * EnterSystemCall keeps its int3 bytes and the detoured path traps.
 * NOTE(review): if the second VirtualProtect fails, false is returned even
 * though the detour is already live; callers cannot tell that case apart from
 * "nothing was changed".
 * NOTE(review): the snapshot in step 1 is taken before the lock in step 3 and
 * assumes the 7 bytes form a whole instruction boundary and do not change in
 * between -- TODO confirm.
 * NOTE(review): after this runs, the bytes at fs:[0xC0] no longer match the
 * loader-provided stub; comparing them against a known-good copy is the
 * straightforward integrity check for this kind of modification.
 */
bool Install() {
    ULONG_PTR uFsC0 = __readfsdword(0xC0);   /* address of the switch stub */
    // copy original x86 to x64 switch code
    memcpy_s((void *)EnterSystemCall, 0x07, (void *)uFsC0, 0x07);   /* result unchecked, see note above */
    DWORD old;
    if (!VirtualProtect((void *)uFsC0, 0x07, PAGE_EXECUTE_READWRITE, &old)) {
        return false;
    }
    // lock: 0xFEEB little-endian is the byte pair EB FE, "jmp $"
    *(WORD *)uFsC0 = 0xFEEB;
    // write hook jmp: E9 at +2, rel32 at +3, displacement measured from the
    // end of the 5-byte jmp (uFsC0 + 0x02 + 0x05)
    *(BYTE *)(uFsC0 + 0x02) = 0xE9;
    *(DWORD *)(uFsC0 + 0x03) = (ULONG_PTR)HookSystemCall - (uFsC0 + 0x02) - 0x05;
    // unlock: EB 00 is "jmp +0", which falls through to the E9 at +2
    *(WORD *)uFsC0 = 0x00EB;
    if (!VirtualProtect((void *)uFsC0, 0x07, old, &old)) {
        return false;
    }
    return true;
}
/*
 * DLL entry point. On process attach it opts out of per-thread attach/detach
 * notifications and runs Install(), whose result is not inspected. All other
 * reasons are ignored. Always reports success, so the DLL stays loaded
 * whether or not Install() succeeded.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    (void)lpvReserved;
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hinstDLL);
        (void)Install();
        break;
    default:
        /* thread attach/detach and process detach: nothing to do */
        break;
    }
    return TRUE;
}