vovan333

meme dkom with umplib

Nov 9th, 2017
#include <Windows.h>
#include <Winternl.h>
#include <TlHelp32.h>
#include <PSAPI.h>
#include <SHLWAPI.h>

#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cwctype>

#include <algorithm>
#include <codecvt>
#include <iostream>
#include <locale>
#include <memory>
#include <string>
#include <thread>
#include <type_traits>
#include <unordered_map>
#include <vector>

#include "PMemHelper.h"
using namespace std;  // file-scope using-directive, kept as in the original; note it makes the bare name `tolower` an overload set once <locale> is in scope

// Shorthands for the Util conversions defined below. They are macros, so they
// expand at the use site and can be written before `class Util` is declared;
// LC() resolves to the narrow or wide Util::ToLower overload by argument type.
#define A(s) Util::ToA(s)
#define W(s) Util::ToW(s)
#define LC(s) Util::ToLower(s)
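// Small string and process-lookup helpers used by main(). Everything is static;
// the class is only a namespace. The narrow/wide split exists because the
// Toolhelp snapshot is consumed in its UNICODE flavour (PROCESSENTRY32::szExeFile
// is compared against a wstring, so this file only compiles with UNICODE defined).
class Util
{
public:
    // UTF-8 -> UTF-16. Throws std::range_error on malformed input (that is
    // wstring_convert's documented contract). codecvt_utf8_utf16 is deprecated
    // since C++17 but still available; kept to stay header-only.
    static wstring ToW(const string& str)
    {
        wstring_convert<codecvt_utf8_utf16<wchar_t>> converter;
        return converter.from_bytes(str);
    }

    // UTF-16 -> UTF-8. Throws std::range_error on an unpaired surrogate.
    static string ToA(const wstring& wstr)
    {
        wstring_convert<codecvt_utf8_utf16<wchar_t>> converter;
        return converter.to_bytes(wstr);
    }

    // Lower-case a narrow string ("C" locale semantics, ASCII letters only).
    // Each byte is passed as unsigned char: std::tolower(int) is undefined for
    // negative arguments, which every byte >= 0x80 is when char is signed.
    static string ToLower(string str)
    {
        transform(str.begin(), str.end(), str.begin(),
                  [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        return str;
    }

    // Lower-case a wide string with towlower. The original passed wchar_t to
    // tolower(int), which is undefined outside the unsigned-char range; using a
    // lambda also avoids handing the overload set `tolower` (C function plus
    // std::tolower<charT>(charT, const locale&)) to std::transform, which some
    // compilers reject.
    static wstring ToLower(wstring str)
    {
        transform(str.begin(), str.end(), str.begin(),
                  [](wchar_t c) { return static_cast<wchar_t>(std::towlower(static_cast<wint_t>(c))); });
        return str;
    }

    // Resolve an image name (e.g. "notepad.exe", compared case-insensitively) to
    // a PID via a Toolhelp process snapshot. Returns 0 when no process matches
    // or the snapshot cannot be taken. When several processes share the name,
    // the one enumerated LAST wins — same as the original, which never broke
    // out of the loop; callers should not assume a particular instance.
    // Fixes over the original: the snapshot handle is checked for
    // INVALID_HANDLE_VALUE, and it is closed even when Process32First fails
    // (the original returned early and leaked it).
    static DWORD GetProcessIdByName(const string& name)
    {
        HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (snap == INVALID_HANDLE_VALUE) return 0;

        // Convert/lower-case the wanted name once instead of once per entry.
        const wstring wanted = LC(W(name));

        DWORD pid = 0;
        PROCESSENTRY32 entry = {};
        entry.dwSize = sizeof(entry);
        if (Process32First(snap, &entry))
        {
            do
            {
                if (LC(entry.szExeFile) == wanted)
                {
                    pid = entry.th32ProcessID;
                }
            } while (Process32Next(snap, &entry));
        }
        CloseHandle(snap);
        return pid;
    }
};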
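// ---------------------------------------------------------------------------
// Interactive DKOM driver.
//
// Flow: resolve a process by image name, sanity-check the PMemHelper read
// primitive by reading the target's PE header ("MZ"), locate its EPROCESS, then
// write two EPROCESS fields through the kernel directory base: the PID field at
// PMemHelper::EPPidOffset and the protection byte at kEProcessProtectionOffset.
//
// Things a reader should know before running this:
//  * Only the EPROCESS fields are patched. Nothing else that the kernel keys by
//    the old PID is updated (presumably the CID handle table among others — not
//    verified here), so the system can be left inconsistent.
//  * kEProcessProtectionOffset is a hard-coded, build-specific constant; on any
//    other ntoskrnl build the byte write lands in some unrelated field.
//  * The writes go straight to kernel memory and nothing here restores the old
//    values; the old protection byte is printed but never written back.
// ---------------------------------------------------------------------------

// Offset of the EPROCESS protection byte. Unlike the PID offset (which PMemHelper
// exports as EPPidOffset) this is not supplied by the helper; it is hard-coded
// from whichever Windows build the author used (the listing dates from 2017) and
// is not validated at runtime. TODO(review): confirm against the target build.
static constexpr uintptr_t kEProcessProtectionOffset = 0x6CA;

// printf("%X") silently truncates 64-bit values, which is what the original did
// for every address it printed. PMemHelper's address types are not visible from
// this file, so widen either a pointer or an integer to unsigned long long.
template <class T>
static unsigned long long WidenImpl(T value, std::true_type /*is pointer*/)
{
    return static_cast<unsigned long long>(reinterpret_cast<uintptr_t>(value));
}
template <class T>
static unsigned long long WidenImpl(T value, std::false_type /*is integral*/)
{
    return static_cast<unsigned long long>(value);
}
template <class T>
static unsigned long long AsU64(T value)
{
    return WidenImpl(value, std::is_pointer<T>{});
}

// Print `prompt` on its own line and read one full line of input. Returns false
// at EOF so callers can exit instead of spinning forever on a closed stdin.
static bool PromptLine(const char* prompt, string& out)
{
    printf("%s\n", prompt);
    return static_cast<bool>(getline(cin, out));
}

// Parse a whole line as a decimal unsigned integer. Rejects empty input, a
// leading '-', trailing garbage and overflow. The original used `cin >> value`,
// which on bad input put cin into a failed state, stored 0, and then carried on
// to write that 0 into the kernel.
static bool ParseUnsigned(const string& text, unsigned long long& value)
{
    if (text.empty() || text[0] == '-') return false;
    try
    {
        size_t consumed = 0;
        const unsigned long long parsed = stoull(text, &consumed, 10);
        if (consumed != text.size()) return false;
        value = parsed;
        return true;
    }
    catch (const std::exception&) // invalid_argument / out_of_range
    {
        return false;
    }
}

// Re-prompt until a valid unsigned number is entered. Returns false at EOF.
static bool PromptUnsigned(const char* prompt, unsigned long long& value)
{
    for (;;)
    {
        string line;
        if (!PromptLine(prompt, line)) return false;
        if (ParseUnsigned(line, value)) return true;
        printf("not a number, try again\n");
    }
}

int main()
{
    // PMemHelper owns the physical-memory primitive; unique_ptr releases it on
    // every return path (the original `new` was never deleted).
    auto mem = std::make_unique<PMemHelper>();

    for (;;)
    {
        printf("\n\n");
        string tgt;
        if (!PromptLine("Enter target process name", tgt)) return 1;

        const DWORD targetPid = Util::GetProcessIdByName(tgt);
        if (targetPid == 0)
        {
            printf("process doesn't exist, try again pls\n");
            continue;
        }
        printf("got target process Id: %lu\n", static_cast<unsigned long>(targetPid));

        auto targetDirbase = mem->GetDirBase(targetPid);
        auto targetBase = mem->GetProcessBase(targetPid);
        auto kernelDirbase = mem->GetKernelDirBase();
        // SFGetModuleBase is not declared in this file (presumably PMemHelper.h);
        // the kernel base is only printed, never used.
        auto ntoskrnlBase = SFGetModuleBase("ntoskrnl.exe");

        printf("target dirbase: 0x%llX, target proc base: 0x%llX\nkernel dirbase: 0x%llX, kernel base:0x%llX\n",
               AsU64(targetDirbase), AsU64(targetBase), AsU64(kernelDirbase), AsU64(ntoskrnlBase));

        // Read test: a mapped PE image starts with the "MZ" DOS signature. The
        // result is checked BEFORE the buffer is touched (the original wrote
        // buff[2] first and compared against possibly unread stack garbage).
        char buff[255] = {};
        const auto readOk = mem->ReadVirtual(targetDirbase, targetBase,
                                             reinterpret_cast<uint8_t*>(buff), sizeof(buff));
        if (!readOk || buff[0] != 'M' || buff[1] != 'Z')
        {
            printf("memory read test failed\n");
            return 1;
        }
        buff[2] = '\0';
        printf("memory read test success, buff: %s\n", buff);

        auto pTargetProcessEntry = mem->GetEProcess(targetPid);
        if (!pTargetProcessEntry)
        {
            printf("can't get EPROCESS address for given PID\n");
            continue;
        }
        printf("got target EPROCESS address: 0x%llX\n", AsU64(pTargetProcessEntry));

        // Anything other than a bare Enter aborts.
        string confirm;
        if (!PromptLine("press enter to do DKOM magic lol", confirm)) return 1;
        if (!confirm.empty())
        {
            printf("aborting...\n");
            continue;
        }

        // --- PID field -------------------------------------------------------
        unsigned long long requestedPid = 0;
        const string pidPrompt = "enter new ProcessId for " + tgt + ":";
        if (!PromptUnsigned(pidPrompt.c_str(), requestedPid)) return 1;

        // The original wrote 8 bytes from a uintptr_t; keep a pointer-sized
        // write (the field is presumably a HANDLE, i.e. pointer-sized).
        uintptr_t newPid = static_cast<uintptr_t>(requestedPid);
        printf("Setting new ProcessId...\n");
        const auto pidWritten = mem->WriteVirtual(kernelDirbase, pTargetProcessEntry + mem->EPPidOffset,
                                                  reinterpret_cast<uint8_t*>(&newPid), sizeof(newPid));
        // Stop here on failure instead of going on to the protection write
        // (the original performed both writes and only then checked either).
        if (!pidWritten)
        {
            printf("magic failed\n");
            continue;
        }

        // --- protection byte -------------------------------------------------
        uint8_t oldProtek = 0;
        if (!mem->ReadVirtual(kernelDirbase, pTargetProcessEntry + kEProcessProtectionOffset, &oldProtek, 1))
        {
            printf("could not read old protection\n");
            continue;
        }
        printf("Old protection: %u\n", static_cast<unsigned>(oldProtek));

        // Parse as a number: `cin >> uint8_t` extracts ONE character, so typing
        // "0" stored 0x30 ('0') and that is the byte the original wrote.
        unsigned long long requestedProtection = 0;
        for (;;)
        {
            if (!PromptUnsigned("Lol enter new protection lol:", requestedProtection)) return 1;
            if (requestedProtection <= 0xFF) break;
            printf("protection is a single byte (0-255), try again\n");
        }
        uint8_t newProtection = static_cast<uint8_t>(requestedProtection);
        printf("Setting protection...\n");
        const auto protWritten = mem->WriteVirtual(kernelDirbase, pTargetProcessEntry + kEProcessProtectionOffset,
                                                   &newProtection, 1);
        if (!protWritten)
        {
            printf("magic failed\n");
            continue;
        }
        printf("magic suceeded.\n");

        // Try to open the process under its new PID; close the handle afterwards
        // (the original leaked it) and report why OpenProcess failed if it did.
        printf("Trying to open the process..\n");
        HANDLE htarget = OpenProcess(PROCESS_ALL_ACCESS, FALSE, static_cast<DWORD>(requestedPid));
        if (htarget == nullptr)
        {
            printf("OpenProcess failed, error %lu\n", GetLastError());
        }
        else
        {
            printf("hTarget: 0x%llX\n", AsU64(htarget));
            CloseHandle(htarget);
        }
    }
}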