Advertisement
es3n1n

heavensgate log pasta

May 13th, 2022
499
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. void* lpJmpRealloc = nullptr;
  2.  
  3. const DWORD_PTR __declspec( naked ) GetGateAddress( ) {
  4.     __asm
  5.     {
  6.         mov eax, dword ptr fs : [0xC0]
  7.         ret
  8.     }
  9. }
  10.  
  11. DWORD tmp_eax = 0x0;
  12.  
  13. __declspec( naked ) void hk_Wow64Trampoline( ) {
  14.     __asm pushad
  15.  
  16.     __asm mov tmp_eax, eax
  17.     printf( "Index: 0x%x\n", tmp_eax );
  18.  
  19.     __asm popad
  20.     __asm jmp lpJmpRealloc
  21. }
  22. //
  23. //void __declspec( naked ) hk_Wow64Trampoline( ) {
  24. //  __asm
  25. //  {
  26. //      cmp eax, 0x3f //64bit Syscall id of NtRVM
  27. //      je hk_NtReadVirtualMemory
  28. //      cmp eax, 0x50 //64bit Syscall id of NtPVM
  29. //      je hk_NtProtectVirtualMemory
  30. //      jmp lpJmpRealloc
  31. //  }
  32. //}
  33.  
  34. const LPVOID CreateNewJump( ) {
  35.     DWORD_PTR Gate = GetGateAddress( );
  36.     lpJmpRealloc = VirtualAlloc( nullptr, 0x1000, MEM_RESERVE | MEM_COMMIT,
  37.                                  PAGE_EXECUTE_READWRITE );
  38.     memcpy( lpJmpRealloc, ( void* )Gate, 9 );
  39.  
  40.     return lpJmpRealloc;
  41. }
  42.  
  43. const void WriteJump( const DWORD_PTR dwWow64Address, const void* pBuffer, size_t ulSize ) {
  44.     DWORD dwOldProtect = 0;
  45.     VirtualProtect( ( LPVOID )dwWow64Address, 0x1000, PAGE_EXECUTE_READWRITE, &dwOldProtect );
  46.     ( void )memcpy( ( void* )dwWow64Address, pBuffer, ulSize );
  47.     VirtualProtect( ( LPVOID )dwWow64Address, 0x1000, dwOldProtect, &dwOldProtect );
  48. }
  49.  
  50.  
  51. const void EnableWow64Redirect( ) {
  52.     LPVOID Hook_Gate = &hk_Wow64Trampoline;
  53.  
  54.     char trampolineBytes[ ] =
  55.     {
  56.         0x68, 0xDD, 0xCC, 0xBB, 0xAA,       /*push 0xAABBCCDD*/
  57.         0xC3,                               /*ret*/
  58.         0xCC, 0xCC, 0xCC                    /*padding*/
  59.     };
  60.     memcpy( &trampolineBytes[ 1 ], &Hook_Gate, 4 );
  61.     WriteJump( GetGateAddress( ), trampolineBytes, sizeof( trampolineBytes ) );
  62. }
  63.  
  64.  
  65. __forceinline static void init(
  66.     uintptr_t base_addr,
  67.     uintptr_t paste_base_addr
  68. ) noexcept {
  69.     log( PREFIX"base_addr: 0x%x | paste_base_addr: 0x%x\n", base_addr, paste_base_addr );
  70.     g::meme_base = base_addr;
  71.     g::paste_base = paste_base_addr;
  72.     g::nt_suspend = ( uintptr_t )GetProcAddress( GetModuleHandleA( "ntdll.dll" ), "NtSuspendProcess" );
  73.  
  74.     log( PREFIX"Gate: %p\n", GetGateAddress( ) );
  75.     log( PREFIX"Trampoline Gate: %p\n", CreateNewJump( ) );
  76.     log( PREFIX"Hook gate: %p\n", hk_Wow64Trampoline );
  77.     EnableWow64Redirect( );
  78. }
  79.  
Advertisement
Advertisement
Advertisement
RAW Paste Data Copied
Advertisement