tcp.direct
/
vxug-WinAPI-Tricks
13
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Delete GetModulesWithoutTebOrPeb.cpp 

doesnt work lol
This commit is contained in:
vxunderground 2021-11-13 00:36:44 -06:00 committed by GitHub
parent bd23b8d769
commit d44de46a6c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 0 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
NtApi/GetModulesWithoutTebOrPeb.cpp
View File

@ -1,55 +0,0 @@
// memBruteforce.cpp by aaaddress1@chroot.org
// brute search loaded moudules in memory
// rewrite from https://www.exploit-db.com/exploits/45293
#include <Windows.h>
#include <iostream>
#pragma warning(disable:4996)
bool isMemExist(size_t addr) {
int retv;
__asm {
xor ebx, ebx
push[addr]
push ebx
push ebx
push ebx
mov eax, 0x29 // ZwAccessCheckAndAuditAlarm
call dword ptr fs : [0xc0] // Heaven's Gate
add esp, 0x0c
pop edx
mov[retv], eax
}
return char(retv) != 5;
}
size_t bruteSearch_WinAPI(PCSTR apiName) {
for (size_t addr = 0x1000; addr < 0xFF000000; addr += 0x1000)
if (isMemExist(addr)) {
if (PIMAGE_DOS_HEADER(addr)->e_magic == IMAGE_DOS_SIGNATURE) {
char modulePath[MAX_PATH];
GetModuleFileNameA(HMODULE(addr), modulePath, sizeof(modulePath));
printf("[+] detect %s at %p\n", modulePath, addr);
// parse export table
auto nth = PIMAGE_NT_HEADERS(addr + PIMAGE_DOS_HEADER(addr)->e_lfanew);
if (auto rva = nth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) {
auto eat = PIMAGE_EXPORT_DIRECTORY(addr + rva);
auto nameArr = PDWORD(addr + eat->AddressOfNames);
auto funcArr = PDWORD(addr + eat->AddressOfFunctions);
auto nameOrd = PWORD(addr + eat->AddressOfNameOrdinals);
for (size_t i = 0; i < eat->NumberOfFunctions; i++)
if (!stricmp(PCHAR(addr + nameArr[i]), apiName))
return addr + funcArr[nameOrd[i]];
}
}
}
return 0;
}
int main() {
if (auto ptrWinExec = bruteSearch_WinAPI("WinExec"))
(decltype(&WinExec)(ptrWinExec))("cmd /c whoami && pause", 1);
return 0;
}