- #include <Windows.h>
- #include <stdio.h>
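/*
 * Debug helper: shows a 64-bit value as hex in a message box titled "123".
 *
 * NOTE(review): "_log" begins with an underscore at file scope, which the C
 * standard reserves for the implementation; kept because callers use it.
 */
void _log(UINT64 data) {
    char text[200];
    /* "%p" expects a pointer argument but data is an integer, which is a
     * format/type mismatch (UB). Print it as an explicitly sized hex integer
     * instead; the width keeps the 16-digit uppercase look of MSVC's %p.
     * The buffer size is passed explicitly so this compiles as C as well. */
    sprintf_s(text, sizeof text, "%016llX", (unsigned long long)data);
    MessageBoxA(0, text, "123", 0);
}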
/*
 * Length-prefixed wide string as the loader stores it. GetModuleBase passes
 * Buffer straight to lstrcmpiW, i.e. it assumes the buffer is NUL-terminated;
 * Length and MaximumLength are not read anywhere in this file (presumably
 * byte counts — confirm against the SDK definition).
 *
 * Layout matters: this struct is overlaid on loader-owned memory through
 * LDR_ENTRY, so field order and types must not be changed. The typedef name
 * duplicates the SDK's UNICODE_STRING; including winternl.h/ntdef.h alongside
 * this file would redefine it. The tag says WOW64 although the struct is used
 * with a 64-bit loader list here.
 */
typedef struct _UNICODE_STRING_WOW64 {
    USHORT Length;
    USHORT MaximumLength;
    PVOID64 Buffer;
} UNICODE_STRING;
/*
 * Partial overlay of one node of the process loader's module list, covering
 * only the fields this file reads. It is never allocated here: GetModuleBase
 * casts addresses taken from the loader list to LDR_ENTRY*, so field order,
 * types and the padding they imply are the contract — do not reorder.
 *
 *   Orders[3]    three list links; only Orders[0].Flink is ever followed
 *   base         image base; entries with NULL base are skipped
 *   EntryPoint   not read in this file
 *   Size         not read in this file
 *   dllFullPath  not read in this file
 *   dllname      compared case-insensitively with the requested module name
 *
 * NOTE(review): the loader's real entry continues past dllname; this
 * definition stops early, which is only safe because nothing beyond dllname
 * is accessed.
 */
typedef struct {
    LIST_ENTRY Orders[3];
    PVOID64 base;
    PVOID64 EntryPoint;
    UINT Size;
    UNICODE_STRING dllFullPath;
    UNICODE_STRING dllname;
} LDR_ENTRY;
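/*
 * Debug helper: shows a C string in a message box titled "123".
 *
 * NOTE(review): "_logStr" begins with an underscore at file scope, which the
 * C standard reserves for the implementation; kept because callers use it.
 */
void _logStr(CHAR* data) {
    char text[200];
    /* snprintf truncates to the buffer and always NUL-terminates, whereas
     * sprintf_s treats input longer than the buffer as an invalid parameter
     * (handler/abort rather than truncation). A NULL argument to "%s" is UB,
     * so substitute the same "(null)" marker the CRT prints for it. */
    snprintf(text, sizeof text, "%s", data ? data : "(null)");
    MessageBoxA(0, text, "123", 0);
}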
/*
 * Returns the image base of the loaded module whose short name matches
 * moduleName (case-insensitive), or 0 if no such module is found.
 *
 * The lookup does not use the documented GetModuleHandleW API: it reads
 * process-internal loader structures through hard-coded offsets, so it is
 * tied to one specific PEB/LDR layout and silently reads the wrong memory on
 * a layout that differs. moduleName must be non-NULL (it goes straight to
 * lstrcmpiW).
 */
PVOID64 GetModuleBase(LPWSTR moduleName) {
    /* The qword at gs:[0x60] is taken to be the PEB address; the two 0x18
     * offsets below encode the code's assumptions about the PEB and its
     * loader-data block — confirm against the SDK headers for the target. */
    UINT64 peb = (UINT64)__readgsqword(0x60);
    UINT64 moduleListAddr = *(UINT64*)(peb + 0x18);
    /* Node address read from the loader block; the loop treats the list as
     * circular and uses this node purely as its stop marker. */
    PVOID64 start = *(PVOID64*)(moduleListAddr + 0x18);
    LDR_ENTRY *mod = (LDR_ENTRY*)start;
    /* Orders is the first member of LDR_ENTRY, so the LIST_ENTRY pointer in
     * Orders[0].Flink is also the address of the next LDR_ENTRY. Only
     * Orders[0] is followed, and start itself is never examined. */
    mod = (LDR_ENTRY*)mod->Orders[0].Flink;
    /* Termination relies solely on returning to start: a corrupted or
     * non-circular list would loop forever or fault. */
    while ((UINT64)start != (UINT64)mod) {
        /* Entries with no image base are skipped without a name compare. */
        if (mod->base != NULL)
        {
            /* lstrcmpiW returns 0 on a case-insensitive match; there is no
             * check that dllname.Buffer is non-NULL before the compare. */
            if (!lstrcmpiW((LPCWSTR)mod->dllname.Buffer, moduleName))
            {
                return mod->base;
            }
        }
        mod = (LDR_ENTRY*)mod->Orders[0].Flink;
    }
    /* Not found; 0 is returned where a pointer is expected (same as NULL). */
    return 0;
}
/*
 * Resolves the address of the export named `function` in the PE image mapped
 * at `base` by scanning the image's export-name table. Returns 0 when the
 * name is not present. The match is exact and case-sensitive (lstrcmpA).
 *
 * base is dereferenced without validation: there is no check that it is
 * non-zero, that the DOS/NT signatures are present, or that the export data
 * directory is populated, so an unmapped or export-less image is UB here
 * rather than an error return.
 */
UINT64 GetFunction(UINT64 base, LPCSTR function) {
    IMAGE_DOS_HEADER *dosHeader = (IMAGE_DOS_HEADER*)base;
    /* e_lfanew is the offset of the NT headers, relative to base. */
    IMAGE_NT_HEADERS64 *ntHeaders = (IMAGE_NT_HEADERS64*)(base + dosHeader->e_lfanew);
    /* DataDirectory[0] is the export directory (IMAGE_DIRECTORY_ENTRY_EXPORT);
     * a zero VirtualAddress (no exports) would make exportTable alias base. */
    IMAGE_EXPORT_DIRECTORY *exportTable =
        (IMAGE_EXPORT_DIRECTORY*)(base + ntHeaders->OptionalHeader.DataDirectory[0].VirtualAddress);
    /* Three parallel tables, each holding RVAs relative to base: functions[]
     * are entry-point RVAs, names[] are RVAs of the name strings, and ords[]
     * maps a name index to its slot in functions[]. */
    DWORD* functions = (DWORD*)(base + exportTable->AddressOfFunctions);
    WORD* ords = (WORD*)(base + exportTable->AddressOfNameOrdinals);
    DWORD* names = (DWORD*)(base + exportTable->AddressOfNames);
    /* i is int while NumberOfNames is DWORD: a signed/unsigned comparison. */
    for (int i = 0; i < exportTable->NumberOfNames; i++) {
        char* data = (char*)(base + (UINT64)names[i]);
        if (lstrcmpA(function, data) == 0) {
            /* NOTE(review): a forwarded export stores an RVA that points back
             * into the export directory rather than at code; not detected. */
            return base + (UINT64)functions[ords[i]];
        }
    }
    return 0;
}
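/*
 * Entry point: locates ntdll.dll's image base, resolves the address of the
 * NtCreateThreadEx export, prints it and waits for Enter.
 *
 * Returns 0 on success, 1 if the module could not be located.
 */
int main() {
    UINT64 p = (UINT64)GetModuleBase((LPWSTR)L"ntdll.dll");
    /* GetModuleBase returns 0 when the module is not found, and GetFunction
     * dereferences its base argument unconditionally, so stop here instead
     * of faulting on a null header pointer. */
    if (p == 0) {
        printf("module not found\n");
        return 1;
    }
    UINT64 func = GetFunction(p, "NtCreateThreadEx");
    /* "%p" with a UINT64 argument is a format/type mismatch; print it as an
     * explicitly sized hex integer instead. */
    printf("%016llX\n", (unsigned long long)func);
    /* Wait for a keypress without system(): system("pause") starts a shell
     * through %COMSPEC%, a needless dependency on the environment for a
     * debugging pause. */
    printf("Press Enter to continue...\n");
    getchar();
    return 0;
}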