API tools faq
paste
Advertisement
es3n1n

heavensgate log pasta

es3n1n
May 13th, 2022
1,065
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 2.14 KB | None | 0 0
raw download clone embed print report
  1. void* lpJmpRealloc = nullptr;
  2.  
  3. const DWORD_PTR __declspec( naked ) GetGateAddress( ) {
  4.     __asm
  5.     {
  6.         mov eax, dword ptr fs : [0xC0]
  7.         ret
  8.     }
  9. }
  10.  
  11. DWORD tmp_eax = 0x0;
  12.  
  13. __declspec( naked ) void hk_Wow64Trampoline( ) {
  14.     __asm pushad
  15.  
  16.     __asm mov tmp_eax, eax
  17.     printf( "Index: 0x%x\n", tmp_eax );
  18.  
  19.     __asm popad
  20.     __asm jmp lpJmpRealloc
  21. }
  22. //
  23. //void __declspec( naked ) hk_Wow64Trampoline( ) {
  24. //  __asm
  25. //  {
  26. //      cmp eax, 0x3f //64bit Syscall id of NtRVM
  27. //      je hk_NtReadVirtualMemory
  28. //      cmp eax, 0x50 //64bit Syscall id of NtPVM
  29. //      je hk_NtProtectVirtualMemory
  30. //      jmp lpJmpRealloc
  31. //  }
  32. //}
  33.  
  34. const LPVOID CreateNewJump( ) {
  35.     DWORD_PTR Gate = GetGateAddress( );
  36.     lpJmpRealloc = VirtualAlloc( nullptr, 0x1000, MEM_RESERVE | MEM_COMMIT,
  37.                                  PAGE_EXECUTE_READWRITE );
  38.     memcpy( lpJmpRealloc, ( void* )Gate, 9 );
  39.  
  40.     return lpJmpRealloc;
  41. }
  42.  
  43. const void WriteJump( const DWORD_PTR dwWow64Address, const void* pBuffer, size_t ulSize ) {
  44.     DWORD dwOldProtect = 0;
  45.     VirtualProtect( ( LPVOID )dwWow64Address, 0x1000, PAGE_EXECUTE_READWRITE, &dwOldProtect );
  46.     ( void )memcpy( ( void* )dwWow64Address, pBuffer, ulSize );
  47.     VirtualProtect( ( LPVOID )dwWow64Address, 0x1000, dwOldProtect, &dwOldProtect );
  48. }
  49.  
  50.  
  51. const void EnableWow64Redirect( ) {
  52.     LPVOID Hook_Gate = &hk_Wow64Trampoline;
  53.  
  54.     char trampolineBytes[ ] =
  55.     {
  56.         0x68, 0xDD, 0xCC, 0xBB, 0xAA,       /*push 0xAABBCCDD*/
  57.         0xC3,                               /*ret*/
  58.         0xCC, 0xCC, 0xCC                    /*padding*/
  59.     };
  60.     memcpy( &trampolineBytes[ 1 ], &Hook_Gate, 4 );
  61.     WriteJump( GetGateAddress( ), trampolineBytes, sizeof( trampolineBytes ) );
  62. }
  63.  
  64.  
  65. __forceinline static void init(
  66.     uintptr_t base_addr,
  67.     uintptr_t paste_base_addr
  68. ) noexcept {
  69.     log( PREFIX"base_addr: 0x%x | paste_base_addr: 0x%x\n", base_addr, paste_base_addr );
  70.     g::meme_base = base_addr;
  71.     g::paste_base = paste_base_addr;
  72.     g::nt_suspend = ( uintptr_t )GetProcAddress( GetModuleHandleA( "ntdll.dll" ), "NtSuspendProcess" );
  73.  
  74.     log( PREFIX"Gate: %p\n", GetGateAddress( ) );
  75.     log( PREFIX"Trampoline Gate: %p\n", CreateNewJump( ) );
  76.     log( PREFIX"Hook gate: %p\n", hk_Wow64Trampoline );
  77.     EnableWow64Redirect( );
  78. }
  79.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!