[ create a new paste ] login | about

Link: http://codepad.org/RqNiH3Ly    [ raw code | fork ]

C++, pasted on May 14: 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

#include <windows.h>
#include <stdio.h>

//original code by waliedassar

#pragma pack(push,1)
struct opcode
{
#ifdef _WIN64
    unsigned short int mov;
#else
    unsigned char mov;
#endif
    ULONG_PTR addr;
    unsigned char push;
    unsigned char ret;
};
#pragma pack(pop)

int main()
{
    //set helpful title
    char title[256]="";
#ifdef _WIN64
    sprintf(title, "anti-attach x64, PID: 0x%X (%u)", GetCurrentProcessId(), GetCurrentProcessId());
#else //x86
    sprintf(title, "anti-attach x86, PID: 0x%X (%u)", GetCurrentProcessId(), GetCurrentProcessId());
#endif // _WIN64
    SetConsoleTitleA(title);

    //get ExitProcess address
    ULONG_PTR pExitProcess = (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess");
    if(!pExitProcess)
    {
        puts("ExitProcess not found!");
        return -1;
    }

    //setup hook opcodes
    opcode hook;
#ifdef _WIN64
    hook.mov = 0xB848;
#else
    hook.mov = 0xB8;
#endif
    hook.addr = pExitProcess;
    hook.push = 0x50;
    hook.ret = 0xc3;

    //write hook to process memory
    if(!WriteProcessMemory(GetCurrentProcess(), (void*)GetProcAddress(GetModuleHandleA("ntdll.dll"), "DbgUiRemoteBreakin"), &hook, sizeof(opcode), 0))
    {
        puts("WriteProcessMemory failed!");
        return -1;
    }

    //wallie
    while(1)
    {
        puts("wallied");
        Sleep(1000);
    }

    return 0;
}


Create a new paste based on this one


Comments: