API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jan 16th, 2017
165
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ (WinAPI) 1.45 KB | None | 0 0
raw download clone embed print report
  1. _declspec(naked) NTSTATUS callgatex64(int id, ...) {
  2.     DWORD savedEBP;
  3.     DWORD savedESP;
  4.  
  5.     __asm
  6.     {
  7.         pop     ecx;
  8.  
  9.         mov     savedEBP, ebp;
  10.         mov     savedESP, esp;
  11.  
  12.         pop     eax;
  13.         mov[esp + 0x4], ecx;
  14.         pop     ecx;
  15.         push    ecx;
  16.         push    ecx;
  17.         add     esp, 0x8;
  18.         xor     ecx, ecx;
  19.  
  20.         call    DWORD ptr fs : [0xC0]; //syscall
  21.  
  22.         mov     ebx, dword ptr[esp];
  23.         //push  ebx;
  24.         //push  ebx;
  25.  
  26.         mov     ebp, savedEBP;
  27.         mov     esp, savedESP;
  28.  
  29.         push    ebx;
  30.         ret;
  31.     }
  32. }
  33.  
  34. _declspec(naked) NTSTATUS callgatex86(int id, ...) {
  35.     DWORD savedEBP;
  36.     DWORD savedESP;
  37.  
  38.     __asm {
  39.         pop     ecx;
  40.  
  41.         mov     savedEBP, ebp;
  42.         mov     savedESP, esp;
  43.  
  44.         pop     eax;
  45.         mov[esp + 0x4], ecx;
  46.         pop     ecx;
  47.         push    ecx;
  48.         push    ecx;
  49.         add     esp, 0x8;
  50.         xor     ecx, ecx;
  51.         mov     edx, __FINAL;
  52.         push    edx;
  53.         mov     edx, esp;
  54.  
  55.         _emit   0x0f;       //sysenter
  56.         _emit   0x34;
  57.  
  58. __FINAL:
  59.         mov     ebx, dword ptr[esp];
  60.         //push  ebx;
  61.         //push  ebx;
  62.  
  63.         mov     ebp, savedEBP;
  64.         mov     esp, savedESP;
  65.  
  66.         push    ebx;
  67.         ret;
  68.     }
  69. }
  70.  
  71. _declspec(naked) int isWOW64() {
  72.     __asm {
  73.         mov     eax, fs:[0xC0];
  74.         ret;
  75.     }
  76. }
  77.  
  78. NTSTATUS __stdcall ZwProtectVirtualMemory(int sdtIndex, HANDLE ProcessHandle, PVOID* BaseAddress, PULONG ProtectSize,
  79.                                           ULONG NewProtect, PULONG OldProtect) {
  80.     if (isWOW64()) {
  81.         return callgatex64(sdtIndex, 5, 0, ProcessHandle, BaseAddress, ProtectSize, NewProtect, OldProtect);
  82.     } else {
  83.         return callgatex86(sdtIndex, 5, 0, ProcessHandle, BaseAddress, ProtectSize, NewProtect, OldProtect);
  84.     }
  85. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!