#include <windows.h>
#include <winternl.h>

#include <array>
#include <cstdio>
#include <cstring>
#include <iostream>
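/// DLL entry point. On process attach it opens a console, copies an 11-byte
/// x64 syscall stub into freshly allocated executable memory, and calls that
/// stub as NtProtectVirtualMemory to request PAGE_WRITECOPY | PAGE_GUARD on
/// the memory at ntdll!ZwOpenProcess, then prints the returned NTSTATUS.
///
/// Review notes for readers analysing this pattern:
///  - The protection change is issued by a `syscall` instruction that lives in
///    private, non-image memory rather than in ntdll's exported stub, so a
///    user-mode hook on ntdll!NtProtectVirtualMemory is not traversed.
///    The kernel still services the request, so kernel-side telemetry and
///    checks on where the syscall originated remain applicable.
///  - The stub is placed in PAGE_EXECUTE_READWRITE private memory, which is a
///    high-signal indicator for memory scanners.
///  - All of this runs inside DllMain, i.e. while the loader lock is held;
///    Microsoft's DllMain guidance advises against non-trivial work here.
///
/// @param hModule             Module handle of this DLL (unused).
/// @param ul_reason_for_call  Loader notification code; only
///                            DLL_PROCESS_ATTACH does any work.
/// @param lpReserved          Loader-reserved value (unused).
/// @return Always TRUE, including when a step fails (failures are printed).
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // The stub below is x64 machine code; refuse to build it for any
        // other pointer width instead of crashing at run time.
        static_assert(sizeof(void*) == 8, "syscall stub is x64-only");

        AllocConsole();

        // NOTE(review): the service index 0x50 is hard-coded. System call
        // numbers are not a stable interface and differ between Windows
        // builds, so on a build where NtProtectVirtualMemory has another
        // index this stub invokes a different system service.
        constexpr std::array<unsigned char, 11> NtProtectVirtualMemoryBytes =
        {
            0x4C, 0x8B, 0xD1,             /* mov r10, rcx  */
            0xB8, 0x50, 0x00, 0x00, 0x00, /* mov eax, 0x50 */
            0x0F, 0x05,                   /* syscall       */
            0xC3                          /* ret           */
        };

        // Resolve the target first so a failed lookup needs no cleanup.
        const HMODULE ntdll{ GetModuleHandleA("ntdll.dll") };
        void* NtOpenProcessAddress{ ntdll != nullptr
            ? reinterpret_cast<void*>(GetProcAddress(ntdll, "ZwOpenProcess"))
            : nullptr };
        if (NtOpenProcessAddress == nullptr)
        {
            std::printf("ZwOpenProcess lookup failed: %lu\n", GetLastError());
            break;
        }

        void* NtProtectVirtualMemoryStub{ VirtualAlloc(nullptr,
            NtProtectVirtualMemoryBytes.size(),
            MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE) };
        if (NtProtectVirtualMemoryStub == nullptr)
        {
            // The original copied into the result unconditionally, which
            // dereferences a null pointer when the allocation fails.
            std::printf("VirtualAlloc failed: %lu\n", GetLastError());
            break;
        }
        std::memcpy(NtProtectVirtualMemoryStub, NtProtectVirtualMemoryBytes.data(),
            NtProtectVirtualMemoryBytes.size());

        using NtProtectVirtualMemoryFnc = NTSTATUS(NTAPI*)(HANDLE, PVOID*, SIZE_T*, ULONG, PULONG);
        const auto NtProtectVirtualMemory{
            reinterpret_cast<NtProtectVirtualMemoryFnc>(NtProtectVirtualMemoryStub) };

        // Base address and size are in/out parameters: the call may rewrite
        // both to the page-aligned region it actually changed.
        DWORD oldPermissions{};
        SIZE_T allocSize{ 4096 };
        const NTSTATUS result{ NtProtectVirtualMemory(GetCurrentProcess(),
            &NtOpenProcessAddress, &allocSize,
            PAGE_WRITECOPY | PAGE_GUARD, &oldPermissions) };

        // NTSTATUS is a 32-bit LONG; the original "%016I64x" read 64 bits
        // from the argument list and could print garbage in the upper half.
        std::printf("NtProtectVirtualMemory NTSTATUS: %08lx\n",
            static_cast<unsigned long>(result));

        // The stub is single-use; release it rather than leaving an
        // executable allocation behind for the life of the process.
        VirtualFree(NtProtectVirtualMemoryStub, 0, MEM_RELEASE);
        break;
    }
    default:
        break;
    }
    return TRUE;
}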