Untitled
  /*
   * Hand-written prototype for the kernel export that returns a process's
   * 32-bit (WoW64) PEB; the code below treats a NULL result as "no 32-bit PEB".
   * extern "C" keeps the name unmangled in this C++ translation unit so it
   * links against the kernel's export.  NOTE(review): presumably declared here
   * because the WDK headers in use do not expose it — confirm the signature.
   */
  extern "C" NTKERNELAPI PVOID NTAPI PsGetProcessWow64Process(IN PEPROCESS Process);
  2.  
  /*
   * 32-bit (WoW64) layout of PEB_LDR_DATA: every pointer-sized member is a
   * ULONG or LIST_ENTRY32 so a 64-bit driver can read it at the width the
   * 32-bit process actually uses.  NOTE(review): declared by hand rather
   * than taken from a header; field order and sizes must match the target
   * OS build — confirm before relying on offsets.
   */
  typedef struct _PEB_LDR_DATA32
  {
  ULONG Length;                                  /* presumably the size of this structure in bytes */
  UCHAR Initialized;
  ULONG SsHandle;
  LIST_ENTRY32 InLoadOrderModuleList;            /* list head walked by the module search below */
  LIST_ENTRY32 InMemoryOrderModuleList;
  LIST_ENTRY32 InInitializationOrderModuleList;
  } PEB_LDR_DATA32, * PPEB_LDR_DATA32;
  12.  
  /*
   * 32-bit (WoW64) layout of a loader table entry, one per loaded module.
   * Pointer fields are ULONG (32-bit addresses in the target process).
   * NOTE(review): hand-declared layout; only the leading members up to
   * BaseDllName are used on this page — confirm the rest against the target
   * OS build before depending on them.
   */
  typedef struct _LDR_DATA_TABLE_ENTRY32
  {
  LIST_ENTRY32 InLoadOrderLinks;                 /* node the search below recovers the entry from via CONTAINING_RECORD */
  LIST_ENTRY32 InMemoryOrderLinks;
  LIST_ENTRY32 InInitializationOrderLinks;
  ULONG DllBase;                                 /* 32-bit module base; copied into buffer->data on a name match */
  ULONG EntryPoint;
  ULONG SizeOfImage;
  UNICODE_STRING32 FullDllName;
  UNICODE_STRING32 BaseDllName;                  /* file name compared against the wanted module name */
  ULONG Flags;
  USHORT LoadCount;
  USHORT TlsIndex;
  LIST_ENTRY32 HashLinks;
  ULONG TimeDateStamp;
  } LDR_DATA_TABLE_ENTRY32, * PLDR_DATA_TABLE_ENTRY32;
  29.  
  /*
   * 32-bit (WoW64) layout of the Process Environment Block.  Only the leading
   * members are declared; the code on this page reads just Ldr.
   * NOTE(review): hand-declared layout — the exact member set varies by OS
   * version, so the offsets must be confirmed against the target build.
   */
  typedef struct _PEB32
  {
  UCHAR InheritedAddressSpace;
  UCHAR ReadImageFileExecOptions;
  UCHAR BeingDebugged;
  UCHAR BitField;
  ULONG Mutant;
  ULONG ImageBaseAddress;
  ULONG Ldr;                                     /* 32-bit pointer to PEB_LDR_DATA32; 0 until the loader has initialised it */
  ULONG ProcessParameters;
  ULONG SubSystemData;
  ULONG ProcessHeap;
  ULONG FastPebLock;
  ULONG AtlThunkSListPtr;
  ULONG IFEOKey;
  ULONG CrossProcessFlags;
  ULONG UserSharedInfoPtr;
  ULONG SystemReserved;
  ULONG AtlThunkSListPtr32;
  ULONG ApiSetMap;
  } PEB32, * PPEB32;
  51.  
  /*
   * NOTE(review): this run of statements is the body (or part of the body) of
   * a function whose signature, the `buffer` parameter and the closing brace
   * are not on this page.  What is visible: attach to the process identified
   * by buffer->pid, wait briefly for its 32-bit loader data, walk the
   * in-load-order module list and store the base of the module named
   * "client.dll" into buffer->data, then detach and drop the reference.
   */
  /* Relative timeout for KeDelayExecutionThread: a negative QuadPart is a
   * relative interval in 100 ns units, so this is 250 ms per wait. */
  LARGE_INTEGER time = { 0 };
  time.QuadPart = -250ll * 10 * 1000;

  KAPC_STATE apc;                 /* attach state saved by KeStackAttachProcess, restored on detach */
  PEPROCESS targetproc;           /* referenced by the lookup below; released by ObfDereferenceObject at the end */

  /* NOTE(review): the NTSTATUS returned by PsLookupProcessByProcessId is not
   * checked.  On failure targetproc stays uninitialised and the attach below
   * operates on an indeterminate pointer; the status should be tested with
   * NT_SUCCESS before KeStackAttachProcess. */
  PsLookupProcessByProcessId((HANDLE)buffer->pid, &targetproc);
  KeStackAttachProcess(targetproc, &apc);

  // Get PEB
  /* 32-bit PEB of the target, NULL when the process has no WoW64 PEB.  From
   * here on pPeb32 and everything reached through it is memory of the attached
   * process (user-mode addresses).  NOTE(review): none of those reads are
   * wrapped in __try/__except or validated with ProbeForRead — confirm that
   * is intended. */
  PPEB32 pPeb32 = (PPEB32)PsGetProcessWow64Process(targetproc);

  /* NOTE(review): both early returns (here and after the wait loop) leave the
   * thread attached — KeUnstackDetachProcess is never reached — and leak the
   * process reference taken by the lookup, since ObfDereferenceObject is only
   * on the fall-through path at the bottom. */
  if (pPeb32 == NULL)
  {
  return NULL;
  }

  // Wait for loader a bit
  /* Poll up to 10 times, 250 ms each, until the loader has populated Ldr.
   * The wait is alertable (TRUE), so it can be cut short by an APC. */
  for (INT i = 0; !pPeb32->Ldr && i < 10; i++)
  {
  KeDelayExecutionThread(KernelMode, TRUE, &time);
  }

  // Still no loader
  /* NOTE(review): same early-return problem as above — no detach, no dereference. */
  if (!pPeb32->Ldr)
  {
  return NULL;
  }

  // Search in InLoadOrderModuleList
  /* Circular list walk: start at the head's Flink and stop when the cursor is
   * back at the address of the head field itself.  The 32-bit Flink values are
   * widened to kernel pointers by the casts, which is only meaningful while
   * attached to the target. */
  for (PLIST_ENTRY32 pListEntry = (PLIST_ENTRY32)((PPEB_LDR_DATA32)pPeb32->Ldr)->InLoadOrderModuleList.Flink;
  pListEntry != &((PPEB_LDR_DATA32)pPeb32->Ldr)->InLoadOrderModuleList;
  pListEntry = (PLIST_ENTRY32)pListEntry->Flink)
  {
  UNICODE_STRING ustr;
  /* Recover the enclosing entry from its InLoadOrderLinks node. */
  PLDR_DATA_TABLE_ENTRY32 pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks);

  /* BaseDllName.Buffer is a 32-bit value in the UNICODE_STRING32 layout and is
   * widened to a wide-char pointer by the cast; the 32-bit Length fields are
   * ignored, so this relies on the buffer being NUL-terminated.
   * NOTE(review): presumably fine while attached — confirm. */
  RtlUnicodeStringInit(&ustr, (PWCH)pEntry->BaseDllName.Buffer);

  UNICODE_STRING shait;
  RtlUnicodeStringInit(&shait, L"client.dll");

  /* Case-insensitive compare (third argument TRUE).  NOTE(review): there is
   * no break after a match, so with several matching entries the last one
   * wins; and buffer->data is left untouched when nothing matches, which the
   * caller cannot distinguish from success unless it pre-initialises it. */
  if (RtlCompareUnicodeString(&ustr, &shait, TRUE) == 0)
  buffer->data = (PVOID)pEntry->DllBase;
  }

  /* Release the reference taken by PsLookupProcessByProcessId. */
  ObfDereferenceObject(targetproc);

  // Detach target process
  /* Restores the previous address space; pPeb32 and the list pointers must not
   * be used after this point. */
  KeUnstackDetachProcess(&apc);