
main.cpp

a guest
Sep 18th, 2017
  1. #include <Windows.h>
  2. #include <tlHelp32.h>
  3. #include <conio.h>
  4. #include <iostream>
  5. #include <subauth.h>
  6. using namespace std;
  // Forward declaration; the definition follows main(). Tries to enable
  // SE_DEBUG_NAME on the current process token and returns 1 on success,
  // 0 if any step fails.
  ULONG GetDebugPrivileges();
  8.  
  // Identifies the target of the NtOpenProcess call: main() stores the process
  // ID in UniqueProcess and sets UniqueThread to 0.
  // NOTE(review): this looks like a hand-written copy of the CLIENT_ID layout
  // that the SDK header winternl.h declares -- confirm, and prefer the SDK
  // declaration so the field layout cannot drift from what ntdll expects.
  typedef struct _CLIENT_ID
  {
      PVOID UniqueProcess;
      PVOID UniqueThread;
  } CLIENT_ID, *PCLIENT_ID;
  // Object attributes block passed by pointer to NtOpenProcess. It is filled in
  // by the InitializeObjectAttributes macro below; main() passes no name, no
  // root directory, no attribute flags and no security descriptor.
  // NOTE(review): field order and types must match what ntdll expects -- this
  // appears to be a local copy of the SDK declaration; confirm against winternl.h.
  typedef struct _OBJECT_ATTRIBUTES
  {
      ULONG           Length;                    // set to sizeof(OBJECT_ATTRIBUTES) by the macro
      HANDLE          RootDirectory;
      PUNICODE_STRING ObjectName;
      ULONG           Attributes;
      PVOID           SecurityDescriptor;
      PVOID           SecurityQualityOfService;  // the macro always sets this to NULL
  }  OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
  23.  
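  // Fills an OBJECT_ATTRIBUTES structure in place.
  //   p - pointer to the structure to initialise
  //   n - object name (PUNICODE_STRING), may be NULL
  //   a - attribute flags
  //   r - root directory handle, may be NULL
  //   s - security descriptor, may be NULL
  // SecurityQualityOfService is always set to NULL.
  // The body is wrapped in do { } while (0) so that the macro followed by ';'
  // is exactly one statement (a bare { } block breaks an unbraced if/else), and
  // every argument is parenthesised so that expression arguments expand safely.
  #define InitializeObjectAttributes(p, n, a, r, s) \
  do { \
      (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
      (p)->RootDirectory = (r); \
      (p)->Attributes = (a); \
      (p)->ObjectName = (n); \
      (p)->SecurityDescriptor = (s); \
      (p)->SecurityQualityOfService = NULL; \
  } while (0)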
  // Function-pointer type for ntdll's NtOpenProcess, which main() resolves at
  // run time with GetProcAddress. The call reports its result as an NTSTATUS
  // return value and writes the opened handle to *ProcessHandle.
  typedef NTSTATUS(NTAPI* NTOPENPROCESS)(PHANDLE ProcessHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientID);
  34.  
  35.  
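  // Opens a process by ID through ntdll's NtOpenProcess with PROCESS_VM_READ,
  // reads one int from a fixed address in that process and prints it.
  //
  // Returns 0 when the value was read, 1 when any step failed. The program
  // waits for a key press before exiting on every path.
  //
  // Security notes for reviewers and defenders:
  //  - SeDebugPrivilege lets a process open other processes regardless of
  //    their security descriptor. It is only needed when the target would
  //    otherwise deny access, so a failure to enable it is reported but not
  //    treated as fatal.
  //  - Enabling that privilege and opening another process for memory reads
  //    are both events that endpoint monitoring commonly records (for example
  //    Sysmon ProcessAccess events), so expect this tool to show up in
  //    telemetry on a monitored host.
  //  - The process ID and address are hard-coded sample values.
  int main()
  {
      // Single exit helper so every path still waits for a key press.
      auto finish = [](int exitCode) {
          _getch();
          return exitCode;
      };

      if (!GetDebugPrivileges())
          printf("Warning:: SeDebugPrivilege not enabled, continuing without it\n");

      const DWORD processID = 11512; // externally supplied PID (hard-coded in this sample)
      printf("ID:: %lu\n", static_cast<unsigned long>(processID));

      // ntdll.dll is already mapped into every process, so look it up instead
      // of loading it by name; this also removes the LoadLibrary/FreeLibrary pair.
      HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
      if (ntdll == NULL)
      {
          printf("Error:: ntdll.dll not found (%lu)\n", GetLastError());
          return finish(1);
      }

      NTOPENPROCESS pfnNtOpenProcess =
          reinterpret_cast<NTOPENPROCESS>(GetProcAddress(ntdll, "NtOpenProcess"));
      if (pfnNtOpenProcess == NULL)
      {
          // Calling through a null pointer would crash; bail out instead.
          printf("Error:: NtOpenProcess not found (%lu)\n", GetLastError());
          return finish(1);
      }

      CLIENT_ID pCID;
      // Widen through ULONG_PTR so the DWORD-to-pointer cast is well defined on 64-bit builds.
      pCID.UniqueProcess = reinterpret_cast<PVOID>(static_cast<ULONG_PTR>(processID));
      pCID.UniqueThread = NULL;

      OBJECT_ATTRIBUTES pATTRIBUTES;
      ZeroMemory(&pATTRIBUTES, sizeof(pATTRIBUTES));
      InitializeObjectAttributes(&pATTRIBUTES, NULL, 0, NULL, NULL);

      HANDLE pHANDLE = NULL;
      const NTSTATUS state = pfnNtOpenProcess(&pHANDLE, PROCESS_VM_READ, &pATTRIBUTES, &pCID);
      if (!NT_SUCCESS(state))
      {
          // Native calls report failure in the returned NTSTATUS, not in
          // GetLastError(), and pHANDLE is not valid here, so stop.
          printf("Error:: 0x%08lX\n", static_cast<unsigned long>(state));
          return finish(1);
      }
      printf("HANDLE:: %p\n", pHANDLE); // %p: a HANDLE is pointer-sized

      printf("\n\n");

      const ULONG_PTR address = 0x0E7A720; // pointer-sized so the cast below does not truncate
      int value = 0;
      SIZE_T bytesRead = 0;
      int exitCode = 0;

      if (ReadProcessMemory(pHANDLE, reinterpret_cast<LPCVOID>(address), &value, sizeof(value), &bytesRead)
          && bytesRead == sizeof(value))
      {
          std::cout << value << "\n";
      }
      else
      {
          // Do not print 'value' when the read failed or was short.
          printf("Error:: ReadProcessMemory failed (%lu)\n", GetLastError());
          exitCode = 1;
      }

      CloseHandle(pHANDLE); // the original never released the process handle
      return finish(exitCode);
  }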
  77.  
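  // Enables SE_DEBUG_NAME (SeDebugPrivilege) on the current process token.
  //
  // Returns 1 only when the privilege is actually enabled, 0 otherwise.
  //
  // AdjustTokenPrivileges returns nonzero even when the token does not hold
  // the requested privilege; in that case GetLastError() is
  // ERROR_NOT_ALL_ASSIGNED, so the last error is checked as well.
  //
  // The privilege stays enabled for the rest of the process lifetime. It
  // allows opening processes regardless of their security descriptor, so
  // callers should request it only when the target cannot be opened without it.
  ULONG GetDebugPrivileges()
  {
      HANDLE hToken = NULL;
      if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
          return 0;

      TOKEN_PRIVILEGES tokenPrvlgs = {}; // zero-initialised so no field is left indeterminate
      tokenPrvlgs.PrivilegeCount = 1;
      tokenPrvlgs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

      ULONG enabled = 0;
      if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tokenPrvlgs.Privileges[0].Luid)
          && AdjustTokenPrivileges(hToken, FALSE, &tokenPrvlgs, 0, NULL, NULL)
          && GetLastError() == ERROR_SUCCESS)
      {
          enabled = 1;
      }

      // Close the token on every path; the original leaked it when a step failed.
      CloseHandle(hToken);
      return enabled;
  }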