- IMAGE_NT_HEADERS inh;
- IMAGE_DOS_HEADER idh;
- PROCESS_BASIC_INFORMATION pbi;
- PROCESS_INFORMATION pi;
- STARTUPINFO si;
- PEB peb;
- PVOID imagebase;
- LPBYTE addr;
- DWORD entry;
- char old[2];
- CONTEXT ctx;
- MAX_PATH;
- memset(&si, 0, sizeof(si));
- si.cb = sizeof(si);
- if (CreateProcess(file, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
- NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
- if (ReadProcessMemory(pi.hProcess, pbi.PebBaseAddress, &peb, sizeof(peb), NULL))
- printf("PEB read from remote process\n");
- ReadProcessMemory(pi.hProcess, peb.ImageBaseAddress, &idh, sizeof(idh), NULL);
- addr = (LPBYTE)peb.ImageBaseAddress + idh.e_lfanew;
- if (ReadProcessMemory(pi.hProcess, addr, &inh, sizeof(inh), NULL))
- printf("NT_HEADER read from remote process\n");
- printf("%u.%u\n", inh.OptionalHeader.MajorLinkerVersion, inh.OptionalHeader.MinorLinkerVersion);
- entry = inh.OptionalHeader.ImageBase + inh.OptionalHeader.AddressOfEntryPoint;
- printf("entry %d %d\n", peb.ImageBaseAddress, entry);
- ReadProcessMemory(pi.hProcess, (PVOID)entry, old, 2, NULL);
- WriteProcessMemory(pi.hProcess, (PVOID)entry, "\xEB\xFE", 2, NULL);
- ctx.ContextFlags = CONTEXT_CONTROL;
- GetThreadContext(pi.hThread, &ctx);
- ctx.Eip = entry;
- SetThreadContext(pi.hThread, &ctx);
- ResumeThread(pi.hThread);
- // i like dick in my ass
- MessageBox(NULL, L"imdabestmayne", NULL, 0);
- SuspendThread(pi.hThread);
- WriteProcessMemory(pi.hProcess, (PVOID)entry, old, 2, NULL); // restore OEP
- GetThreadContext(pi.hThread, &ctx);
- ctx.Eip = entry;
- SetThreadContext(pi.hThread, &ctx);
- ResumeThread(pi.hThread);
- CloseHandle(pi.hThread);
- CloseHandle(pi.hProcess);
- }