API tools faq
paste
Advertisement
CorrM

Untitled

CorrM
Dec 28th, 2018
280
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.96 KB | None | 0 0
raw download clone embed print report
  1. #pragma once
  2. #include "Driver.h"
  3. #include "KProcessHacker.h"
  4.  
  5. #define KPH_DEVICE_TYPE 0x9999
  6. #define KPH_CTL_CODE(x) CTL_CODE(KPH_DEVICE_TYPE, 0x800 + x, METHOD_NEITHER, FILE_ANY_ACCESS)
  7. #define KPH_READVIRTUALMEMORYUNSAFE KPH_CTL_CODE(58)
  8. #define KPH_READVIRTUALMEMORY KPH_CTL_CODE(56)
  9. #define KPH_WRITEVIRTUALMEMORY KPH_CTL_CODE(57)
  10.  
  11. #define PHACKER_DRIVER_FILE "kprocesshacker.sys"
  12. #define PHACKER_SERVICE_NAME "KProcessHacker2"
  13. #define PHACKER_DEVICE_NAME "\\Device\\KProcessHacker2"
  14.  
  15. class BypaPH
  16. {
  17. public:
  18. HANDLE m_hTarget = nullptr;
  19.  
  20. BypaPH(DWORD dwTargetPid = NULL)
  21. {
  22. SetPrivilege(SE_DEBUG_NAME, TRUE);
  23. m_drv = new Driver(PHACKER_DRIVER_FILE, PHACKER_DEVICE_NAME, PHACKER_SERVICE_NAME, KProcessHacker, KProcessHackerSize);
  24. if (dwTargetPid)
  25. Attach(dwTargetPid);
  26. }
  27.  
  28. ~BypaPH()
  29. {
  30. delete m_drv;
  31. if (m_hTarget)
  32. CloseHandle(m_hTarget);
  33. SetPrivilege(SE_DEBUG_NAME, FALSE);
  34. }
  35.  
  36. NTSTATUS RWVM(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T BufferSize, PSIZE_T NumberOfBytesReadOrWritten = nullptr, bool read = true, bool unsafe = false)
  37. {
  38. // ProcessHandle may be NULL if reading kernel memory >= 0x8*
  39.  
  40. if (!m_drv->GetHandle())
  41. return STATUS_ABANDONED;
  42.  
  43. struct
  44. {
  45. HANDLE ProcessHandle;
  46. PVOID BaseAddress;
  47. PVOID Buffer;
  48. SIZE_T BufferSize;
  49. PSIZE_T NumberOfBytesRead;
  50. } input = { ProcessHandle, BaseAddress, Buffer, BufferSize, NumberOfBytesReadOrWritten };
  51.  
  52. IO_STATUS_BLOCK isb;
  53.  
  54. ULONG ioctrlCode = 0;
  55. if (!read && unsafe) // There is no write unsafe
  56. return STATUS_ABANDONED;
  57. if (read && unsafe)
  58. ioctrlCode = KPH_READVIRTUALMEMORYUNSAFE;
  59. if (read && !unsafe)
  60. ioctrlCode = KPH_READVIRTUALMEMORY;
  61. if (!read && !unsafe)
  62. ioctrlCode = KPH_WRITEVIRTUALMEMORY;
  63.  
  64. return NtDeviceIoControlFile(m_drv->GetHandle(), nullptr, nullptr, nullptr, &isb, ioctrlCode, &input, sizeof(input), nullptr, 0);
  65. // If status == 0xC0000004 (STATUS_INFO_LENGTH_MISMATCH) you are most likely using the x64 driver from an x86 process.
  66. // We could have it working by having the struct at the right size though.
  67. }
  68.  
  69. template <class T> T RVMu(HANDLE ProcessHandle, PVOID BaseAddress, PSIZE_T NumberOfBytesRead = nullptr)
  70. {
  71. T response = {};
  72. RWVM(ProcessHandle, BaseAddress, &response, sizeof(T), NumberOfBytesRead, true, true);
  73. return response;
  74. }
  75.  
  76. template <class T> T qRVMu(PVOID BaseAddress, PSIZE_T NumberOfBytesRead = nullptr)
  77. {
  78. if (!m_hTarget)
  79. {
  80. *NumberOfBytesRead = 0;
  81. return T{};
  82. }
  83. return RVMu<T>(m_hTarget, BaseAddress, NumberOfBytesRead);
  84. }
  85.  
  86. template <class T> T RVM(HANDLE ProcessHandle, PVOID BaseAddress, PSIZE_T NumberOfBytesRead = nullptr)
  87. {
  88. T response = {};
  89. RWVM(ProcessHandle, BaseAddress, &response, sizeof(T), NumberOfBytesRead, true, false);
  90. return response;
  91. }
  92.  
  93. template <class T> T qRVM(PVOID BaseAddress, PSIZE_T NumberOfBytesRead = nullptr)
  94. {
  95. if (!m_hTarget)
  96. {
  97. *NumberOfBytesRead = 0;
  98. return T{};
  99. }
  100. return RVM<T>(m_hTarget, BaseAddress, NumberOfBytesRead);
  101. }
  102.  
  103. NTSTATUS WVM(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T BufferSize, PSIZE_T NumberOfBytesWritten = nullptr)
  104. {
  105. return RWVM(ProcessHandle, BaseAddress, Buffer, BufferSize, NumberOfBytesWritten, false, false);
  106. }
  107.  
  108. NTSTATUS qWVM(PVOID BaseAddress, PVOID Buffer, SIZE_T BufferSize, PSIZE_T NumberOfBytesWritten = nullptr)
  109. {
  110. if (!m_hTarget)
  111. {
  112. *NumberOfBytesWritten = 0;
  113. return STATUS_ABANDONED;
  114. }
  115. return WVM(m_hTarget, BaseAddress, Buffer, BufferSize, NumberOfBytesWritten);
  116. }
  117.  
  118. bool Attach(DWORD dwPid)
  119. {
  120. if (m_hTarget)
  121. if (!CloseHandle(m_hTarget))
  122. return false;
  123. m_hTarget = OpenProcess(SYNCHRONIZE, FALSE, dwPid); // Read will work whatever the handle permission.
  124. return m_hTarget != nullptr;
  125. }
  126.  
  127. bool Detach(DWORD dwPid)
  128. {
  129. if (m_hTarget)
  130. if (!CloseHandle(m_hTarget))
  131. return false;
  132. m_hTarget = nullptr;
  133. return true;
  134. }
  135.  
  136. private:
  137. Driver* m_drv = nullptr;
  138. };
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!