├── nullpage.cpp ├── emet.h ├── heapspary.cpp ├── main.cpp ├── .gitattributes ├── bottomuprand.cpp ├── DEP.cpp ├── apply_emet.cpp ├── util.h ├── emet.vcxproj.filters ├── .gitignore ├── aslr_util.cpp ├── emet.vcxproj ├── util.cpp ├── eaf.cpp ├── sehop.cpp └── aslr.cpp /nullpage.cpp: -------------------------------------------------------------------------------- 1 | #include "util.h" 2 | 3 | //allocate the memory in 0x00000000 4 | int nullpage_apply() 5 | { 6 | return alloc_virtual_mem((void*)1, 1024); 7 | } -------------------------------------------------------------------------------- /emet.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int bottomuprand_apply(); 4 | 5 | void enableDEP(); 6 | 7 | void heapspray_apply(); 8 | 9 | int nullpage_apply(); 10 | 11 | 12 | void hook_eat(LPCWSTR lpModuleName); 13 | 14 | PVOID set_ceh_handler(); 15 | 16 | int set_sehop_ceh_handler(); 17 | 18 | void apply_emet(HMODULE pHandle, int a2); -------------------------------------------------------------------------------- /heapspary.cpp: -------------------------------------------------------------------------------- 1 | #include "util.h" 2 | 3 | int heapspray_num = 0; 4 | DWORD heapspray_table1[1000]; 5 | 6 | void heapspray_apply() 7 | { 8 | unsigned int i; 9 | 10 | i = 0; 11 | if ( heapspray_num ){ 12 | do{ 13 | alloc_virtual_mem((void*)heapspray_table1[i++], 0x400); 14 | } 15 | while ( i < heapspray_num ); 16 | } 17 | } -------------------------------------------------------------------------------- /main.cpp: -------------------------------------------------------------------------------- 1 | #include "emet.h" 2 | #include "util.h" 3 | #include "windows.h" 4 | 5 | 6 | int main() 7 | { 8 | 9 | HMODULE m_ntdll = LoadLibrary(L"ntdll.dll"); 10 | m_NtQueryInformationThread = (FPTR_NtQueryInformationThread)GetProcAddress(m_ntdll,"NtQueryInformationThread"); 11 | 12 | try { 13 | 14 | apply_emet(GetModuleHandle(NULL), false); 15 | }catch(...){ 16 | } 17 | return 0; 18 | } -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | *.sln merge=union 7 | *.csproj merge=union 8 | *.vbproj merge=union 9 | *.fsproj merge=union 10 | *.dbproj merge=union 11 | 12 | # Standard to msysgit 13 | *.doc diff=astextplain 14 | *.DOC diff=astextplain 15 | *.docx diff=astextplain 16 | *.DOCX diff=astextplain 17 | *.dot diff=astextplain 18 | *.DOT diff=astextplain 19 | *.pdf diff=astextplain 20 | *.PDF diff=astextplain 21 | *.rtf diff=astextplain 22 | *.RTF diff=astextplain 23 | -------------------------------------------------------------------------------- /bottomuprand.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "util.h" 3 | 4 | int bottomuprand_apply() 5 | { 6 | int v2; 7 | //DWORD random_value; 8 | 9 | // random_value = GetTickCount() ^ GetCurrentProcessId(); 10 | 11 | HMODULE m_ntdll = LoadLibrary(L"ntdll.dll"); 12 | m_RtlRandom = (FPTR_RtlRandom)GetProcAddress(m_ntdll,"RtlRandom"); 13 | ULONG seed = GetTickCount() ^ GetCurrentProcessId(); 14 | int result = (unsigned __int8)m_RtlRandom(&seed); 15 | FreeLibrary(m_ntdll); 16 | if ( result ){ 17 | v2 = result; 18 | do{ 19 | result = alloc_virtual_mem(0, 65536); 20 | --v2; 21 | } 22 | while ( v2 ); 23 | } 24 | return result; 25 | } -------------------------------------------------------------------------------- /DEP.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | // 3 | //typedef bool (*FPTR_SetProcessDEPPolicy)(DWORD dwFlags); 4 | //typedef bool (*FPTR_GetProcessDEPPolicy)(HANDLE hProcess,LPDWORD lpFlags,PBOOL lpPermanent); 5 | // 6 | void enableDEP() 7 | { 8 | HMODULE result; 9 | HMODULE v1; 10 | // FPTR_SetProcessDEPPolicy func_SetProcessDEPPolicy; 11 | //FPTR_GetProcessDEPPolicy func_GetProcessDEPPolicy; 12 | HANDLE v4; // eax@4 13 | DWORD lpFlags; 14 | BOOL lpPermanent; 15 | 16 | HMODULE handle = GetModuleHandleW(L"Kernel32.dll"); 17 | v1 = result; 18 | if ( handle ){ 19 | 20 | v4 = GetCurrentProcess(); 21 | DWORD new_setting; 22 | bool ret = GetProcessDEPPolicy(GetCurrentProcess(), &lpFlags, &lpPermanent); 23 | if ( ret ){ 24 | if ( lpFlags & 0x1 ) // // dep is enabled 25 | new_setting = lpFlags; 26 | else 27 | new_setting = true; 28 | ret = SetProcessDEPPolicy(new_setting);// enableDEP 29 | 30 | } 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /apply_emet.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "emet.h" 3 | #include "util.h" 4 | 5 | bool setting_heapspray = true; 6 | bool setting_bottomuprand = true; 7 | bool setting_nullpage = true; 8 | bool setting_dep = true; 9 | bool setting_sehop = true; 10 | bool setting_eaf = true; 11 | bool enable_sehop = false; 12 | 13 | bool has_new_thread = false; 14 | 15 | extern void StartAddress(); 16 | 17 | HANDLE thread_lock; 18 | 19 | void apply_emet(HMODULE pHandle, int a2) 20 | { 21 | // has this point 22 | if ( setting_heapspray ) 23 | heapspray_apply(); 24 | if ( setting_bottomuprand ) 25 | bottomuprand_apply(); 26 | if ( setting_nullpage ) 27 | nullpage_apply(); 28 | if ( setting_dep ) 29 | enableDEP(); 30 | if ( setting_sehop ){ 31 | getModuleHandleEx(pHandle); 32 | set_sehop_ceh_handler(); 33 | enable_sehop = 1; 34 | } 35 | if ( setting_eaf ){ 36 | hook_eat(L"kernel32.dll"); 37 | hook_eat(L"ntdll.dll"); 38 | HMODULE handle; 39 | getModuleHandleEx(handle); 40 | set_ceh_handler(); 41 | HANDLE thread_lock = CreateMutexW(0, 1, 0); 42 | thread_count = 0; 43 | ReleaseMutex(thread_lock); 44 | CreateThread(0, 0, (LPTHREAD_START_ROUTINE)StartAddress, 0, 0, 0); 45 | has_new_thread = true; 46 | save_current_threadid(); 47 | } 48 | } -------------------------------------------------------------------------------- /util.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | ULONG RtlRandom( 5 | __inout PULONG Seed 6 | ); 7 | 8 | int alloc_virtual_mem(void* address, int flags); 9 | 10 | bool find_invalid_execute(PCONTEXT contextrecord, int errorcode); 11 | 12 | static int thread_count = 0; 13 | static DWORD threadid_list[1000]; 14 | 15 | void * save_current_threadid(); 16 | void enable_aslr(HMODULE hd); 17 | bool getModuleHandleEx(HMODULE phModule); 18 | 19 | typedef NTSYSAPI NTSTATUS (*FPTR_NtAllocateVirtualMemory)( 20 | IN HANDLE ProcessHandle, 21 | IN OUT PVOID *BaseAddress, 22 | IN ULONG ZeroBits, 23 | IN OUT PULONG RegionSize, 24 | IN ULONG AllocationType, 25 | IN ULONG Protect ); 26 | 27 | typedef NTSYSAPI NTSTATUS (*FPTR_NtQueryInformationThread)( 28 | HANDLE ThreadHandle, 29 | THREADINFOCLASS ThreadInformationClass, 30 | PVOID ThreadInformation, 31 | ULONG ThreadInformationLength, 32 | PULONG ReturnLength 33 | ); 34 | 35 | typedef ULONG (*FPTR_RtlRandom)(ULONG *); 36 | typedef NTSTATUS (*FPTR_NtUnmapViewOfSection)(void *,void *); 37 | 38 | static FPTR_NtUnmapViewOfSection m_NtUnmapViewOfSection; 39 | static FPTR_RtlRandom m_RtlRandom; 40 | static FPTR_NtAllocateVirtualMemory m_NtAllocateVirtualMemory; 41 | static FPTR_NtQueryInformationThread m_NtQueryInformationThread; 42 | 43 | NTSYSAPI 44 | NTSTATUS 45 | NTAPI 46 | NtUnmapViewOfSection( 47 | IN HANDLE ProcessHandle, 48 | IN PVOID BaseAddress ); 49 | -------------------------------------------------------------------------------- /emet.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | Source Files 41 | 42 | 43 | Source Files 44 | 45 | 46 | Source Files 47 | 48 | 49 | Source Files 50 | 51 | 52 | 53 | 54 | Header Files 55 | 56 | 57 | Header Files 58 | 59 | 60 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ################# 2 | ## Eclipse 3 | ################# 4 | 5 | *.pydevproject 6 | .project 7 | .metadata 8 | bin/ 9 | tmp/ 10 | *.tmp 11 | *.bak 12 | *.swp 13 | *~.nib 14 | local.properties 15 | .classpath 16 | .settings/ 17 | .loadpath 18 | 19 | # External tool builders 20 | .externalToolBuilders/ 21 | 22 | # Locally stored "Eclipse launch configurations" 23 | *.launch 24 | 25 | # CDT-specific 26 | .cproject 27 | 28 | # PDT-specific 29 | .buildpath 30 | 31 | 32 | ################# 33 | ## Visual Studio 34 | ################# 35 | 36 | ## Ignore Visual Studio temporary files, build results, and 37 | ## files generated by popular Visual Studio add-ons. 38 | 39 | # User-specific files 40 | *.suo 41 | *.user 42 | *.sln.docstates 43 | 44 | # Build results 45 | [Dd]ebug/ 46 | [Rr]elease/ 47 | *_i.c 48 | *_p.c 49 | *.ilk 50 | *.meta 51 | *.obj 52 | *.pch 53 | *.pdb 54 | *.pgc 55 | *.pgd 56 | *.rsp 57 | *.sbr 58 | *.tlb 59 | *.tli 60 | *.tlh 61 | *.tmp 62 | *.vspscc 63 | .builds 64 | *.dotCover 65 | 66 | ## TODO: If you have NuGet Package Restore enabled, uncomment this 67 | #packages/ 68 | 69 | # Visual C++ cache files 70 | ipch/ 71 | *.aps 72 | *.ncb 73 | *.opensdf 74 | *.sdf 75 | 76 | # Visual Studio profiler 77 | *.psess 78 | *.vsp 79 | 80 | # ReSharper is a .NET coding add-in 81 | _ReSharper* 82 | 83 | # Installshield output folder 84 | [Ee]xpress 85 | 86 | # DocProject is a documentation generator add-in 87 | DocProject/buildhelp/ 88 | DocProject/Help/*.HxT 89 | DocProject/Help/*.HxC 90 | DocProject/Help/*.hhc 91 | DocProject/Help/*.hhk 92 | DocProject/Help/*.hhp 93 | DocProject/Help/Html2 94 | DocProject/Help/html 95 | 96 | # Click-Once directory 97 | publish 98 | 99 | # Others 100 | [Bb]in 101 | [Oo]bj 102 | sql 103 | TestResults 104 | *.Cache 105 | ClientBin 106 | stylecop.* 107 | ~$* 108 | *.dbmdl 109 | Generated_Code #added for RIA/Silverlight projects 110 | 111 | # Backup & report files from converting an old project file to a newer 112 | # Visual Studio version. Backup files are not needed, because we have git ;-) 113 | _UpgradeReport_Files/ 114 | Backup*/ 115 | UpgradeLog*.XML 116 | 117 | 118 | 119 | ############ 120 | ## Windows 121 | ############ 122 | 123 | # Windows image file caches 124 | Thumbs.db 125 | 126 | # Folder config file 127 | Desktop.ini 128 | 129 | 130 | ############# 131 | ## Python 132 | ############# 133 | 134 | *.py[co] 135 | 136 | # Packages 137 | *.egg 138 | *.egg-info 139 | dist 140 | build 141 | eggs 142 | parts 143 | bin 144 | var 145 | sdist 146 | develop-eggs 147 | .installed.cfg 148 | 149 | # Installer logs 150 | pip-log.txt 151 | 152 | # Unit test / coverage reports 153 | .coverage 154 | .tox 155 | 156 | #Translations 157 | *.mo 158 | 159 | #Mr Developer 160 | .mr.developer.cfg 161 | 162 | # Mac crap 163 | .DS_Store 164 | -------------------------------------------------------------------------------- /aslr_util.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | DWORD g_new_addr; 4 | extern LPVOID lpAddress; 5 | 6 | DWORD alloc_new_addr(DWORD old_base_addr) 7 | { 8 | DWORD lowest,highest; 9 | if ( old_base_addr <= 0x7FF80000 ) 10 | lowest = 0x10000; 11 | else 12 | lowest = old_base_addr - 0x7FF80000; 13 | if ( old_base_addr >= 0x80000000 ) 14 | highest = 0xFFF80000; 15 | else 16 | highest = old_base_addr + 0x7FF80000; 17 | 18 | LPVOID new_addr; 19 | new_addr = (LPVOID)g_new_addr; 20 | if ( g_new_addr ){ 21 | DWORD v2 = *((DWORD *)new_addr + 2); 22 | if ( v2 && v2 >= lowest && v2 <= highest ) { 23 | } 24 | } 25 | 26 | DWORD new_base_addr; 27 | struct _MEMORY_BASIC_INFORMATION basic_info_buffer; 28 | if ( new_base_addr <= lowest ){ 29 | LABEL_39: 30 | while ( new_base_addr < highest ) 31 | { 32 | if ( new_base_addr - 0x70000000u <= 0x10000000 ) 33 | new_base_addr = 0x80010000u; 34 | memset(&basic_info_buffer, 0, 7); 35 | if ( !VirtualQuery((LPCVOID)new_base_addr, (PMEMORY_BASIC_INFORMATION)&basic_info_buffer, sizeof(MEMORY_BASIC_INFORMATION )) ) 36 | break; 37 | if ( basic_info_buffer.State == 0x10000 && basic_info_buffer.RegionSize >= 0x10000 ){ 38 | if ( new_base_addr & 0xFFFF ){ 39 | basic_info_buffer.RegionSize -= 0x10000 - (new_base_addr & 0xFFFF); 40 | basic_info_buffer.BaseAddress += 0x10000 - (new_base_addr & 0xFFFF);// base_info_buffer.BaseAddress 41 | new_base_addr = (DWORD)basic_info_buffer.BaseAddress; 42 | } 43 | new_addr = VirtualAlloc((LPVOID)new_base_addr, 0x10000u, 0x3000u, PAGE_EXECUTE_READWRITE); 44 | g_new_addr = (DWORD)new_addr; 45 | if ( new_addr ) 46 | goto LABEL_42; 47 | } 48 | new_base_addr = (DWORD)basic_info_buffer.BaseAddress + basic_info_buffer.RegionSize; 49 | } 50 | return 0; 51 | } 52 | 53 | struct _MEMORY_BASIC_INFORMATION Buffer; 54 | while ( 1 ){ 55 | if ( new_base_addr - 0x70000000u <= 0x10000000 ) 56 | new_base_addr = 0x6FFF0000u; 57 | memset(&Buffer, 0, sizeof(Buffer)); 58 | if ( !VirtualQuery((LPCVOID)new_base_addr, &Buffer, 0x1Cu) ) 59 | goto LABEL_29; 60 | if ( Buffer.State == 0x10000 && Buffer.RegionSize >= 0x10000 ) 61 | break; 62 | new_base_addr = (int)((char *)Buffer.AllocationBase - 0x10000); 63 | if ( (char *)Buffer.AllocationBase - 0x10000 <= (PVOID)lowest ) 64 | goto LABEL_29; 65 | } 66 | new_addr = VirtualAlloc((LPVOID)new_base_addr, 0x10000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 67 | g_new_addr = (int)new_addr; 68 | if ( !new_addr ){ 69 | new_base_addr = old_base_addra; 70 | 71 | } 72 | 73 | 74 | } 75 | 76 | HANDLE refresh_code_inmemory() 77 | { 78 | DWORD flOldProtect; 79 | 80 | HANDLE processhd = GetCurrentProcess(); 81 | DWORD baseAddress = (DWORD)lpAddress; 82 | for ( HANDLE hProcess = processhd; baseAddress; baseAddress = *(DWORD *)(baseAddress + 4) ) 83 | { 84 | VirtualProtect((LPVOID)baseAddress, 0x10000, PAGE_EXECUTE_READ, &flOldProtect); 85 | processhd = (void *)FlushInstructionCache(hProcess, (LPCVOID)baseAddress, 0x10000);// let cpu execute the new code 86 | } 87 | return processhd; 88 | } 89 | 90 | 91 | bool isJmp(PBYTE lpAddress) 92 | { 93 | char ch = lpAddress[0]; 94 | return ch == 0xEB 95 | || ch == 0xE9 96 | || ch == 0xE0 97 | || ch == 0xC2 98 | || ch == 0xC3 99 | || ch == 0xCC 100 | || ( ch == 0xFF && lpAddress[1] == 0x25 ) 101 | || ( ( ch == 0x26 || ch == 0x2E || ch == 0x36 || ch == 0xE3 || ch == 0x64 || ch == 0x65) 102 | && lpAddress[1]== 0xFF 103 | && lpAddress[2] == 0x25 ); 104 | } 105 | 106 | void* move_to_end(void* start, void* end) 107 | { 108 | if ( (DWORD)start < (DWORD)end ){ 109 | memset(start,0xCC,(DWORD)end - (DWORD)start); 110 | return end; 111 | } 112 | return start; 113 | 114 | } -------------------------------------------------------------------------------- /emet.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {B72B1DA7-1423-4882-BB1D-569840B05C50} 15 | Win32Proj 16 | emet 17 | 18 | 19 | 20 | Application 21 | true 22 | Unicode 23 | 24 | 25 | Application 26 | false 27 | true 28 | Unicode 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | true 42 | 43 | 44 | false 45 | 46 | 47 | 48 | 49 | 50 | Level3 51 | Disabled 52 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 53 | Default 54 | 55 | 56 | Console 57 | true 58 | %(AdditionalDependencies) 59 | 60 | 61 | 62 | 63 | Level3 64 | 65 | 66 | MaxSpeed 67 | true 68 | true 69 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 70 | 71 | 72 | Console 73 | true 74 | true 75 | true 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | -------------------------------------------------------------------------------- /util.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "TlHelp32.h" 3 | #include "util.h" 4 | 5 | extern HANDLE thread_lock; 6 | 7 | void enable_aslr(HMODULE hd) {}; 8 | 9 | int alloc_virtual_mem(void* address, int size) 10 | { 11 | HMODULE m_ntdll = LoadLibrary(L"ntdll.dll"); 12 | m_NtAllocateVirtualMemory = (FPTR_NtAllocateVirtualMemory)GetProcAddress(m_ntdll,"NtAllocateVirtualMemory"); 13 | FreeLibrary(m_ntdll); 14 | return m_NtAllocateVirtualMemory(GetCurrentProcess(), &address, 0, (PULONG)&size, MEM_COMMIT , 1); 15 | } 16 | 17 | bool find_invalid_execute(PCONTEXT contextrecord, int errorcode) 18 | { 19 | struct _EXCEPTION_RECORD exception_record; 20 | exception_record.ExceptionCode = errorcode; 21 | exception_record.ExceptionFlags = 0; 22 | exception_record.ExceptionRecord = NULL; 23 | //v2 = *(_DWORD *)(contextrecord + 184); 24 | 25 | struct _EXCEPTION_POINTERS ExceptionInfo; 26 | ExceptionInfo.ContextRecord = contextrecord; 27 | ExceptionInfo.ExceptionRecord = (PEXCEPTION_RECORD)&exception_record; 28 | 29 | UnhandledExceptionFilter(&ExceptionInfo); 30 | return TerminateProcess(GetCurrentProcess(), 0xC000040Au); 31 | } 32 | 33 | 34 | 35 | static BOOL save_thread_id(int threadid) 36 | { 37 | WaitForSingleObject(thread_lock, 0xFFFFFFFF); 38 | if ( (unsigned int)thread_count < 0x100 ) 39 | threadid_list[thread_count++] = threadid; 40 | return ReleaseMutex(thread_lock); 41 | } 42 | 43 | void * save_current_threadid() 44 | { 45 | THREADENTRY32 te; // [sp+4h] [bp-1Ch]@2 46 | 47 | HANDLE hd = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); 48 | if ( hd ) 49 | { 50 | te.dwSize = 28; 51 | for (int i = Thread32First(hd, &te); i; i = Thread32Next(hd, &te) ) 52 | { 53 | if ( te.th32OwnerProcessID == GetCurrentProcessId() ) 54 | save_thread_id(te.th32ThreadID); 55 | } 56 | hd = (void *)CloseHandle(hd); 57 | } 58 | return hd; 59 | } 60 | 61 | bool getModuleHandleEx(HMODULE phModule) 62 | { 63 | return GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS|GET_MODULE_HANDLE_EX_FLAG_PIN, (LPCWSTR)&enable_aslr,&phModule); 64 | } 65 | 66 | bool isValidAddress(PBYTE lpAddress, DWORD address) 67 | { 68 | struct _MEMORY_BASIC_INFORMATION Buffer; 69 | 70 | //has __try/__except 71 | VirtualQuery(lpAddress, &Buffer, 0x1Cu); 72 | PIMAGE_DOS_HEADER dos_header = reinterpret_cast(Buffer.AllocationBase); 73 | // Get pointer to NT header 74 | PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast(reinterpret_cast(dos_header) + dos_header->e_lfanew); 75 | IMAGE_OPTIONAL_HEADER32 option = (IMAGE_OPTIONAL_HEADER32)(pNtHeader->OptionalHeader); 76 | if ( dos_header->e_magic != IMAGE_DOS_SIGNATURE 77 | || pNtHeader->Signature != IMAGE_NT_SIGNATURE 78 | || address < option.SizeOfImage 79 | || address > option.SizeOfHeaders ) { 80 | return false; 81 | } else { 82 | return true; 83 | } 84 | 85 | } 86 | 87 | 88 | // Writes code at pbCode that jumps to pbJumpTo. Will attempt to do this 89 | // in as few bytes as possible. Important on x64 where the long jump 90 | // (0xff 0x25 ....) can take up 14 bytes. 91 | char* getNextCommand(PBYTE lpAddress, DWORD a2) 92 | { 93 | if ( !lpAddress ) 94 | return NULL; 95 | if ( a2 ) 96 | *(DWORD *)a2 = 0; 97 | if (lpAddress[0] == 0xff && lpAddress[1] == 0x25) { 98 | DWORD pbTarget = *(DWORD *)((char *)lpAddress + 2); 99 | if ( isValidAddress(lpAddress, *(DWORD *)((char *)lpAddress + 2)) ) 100 | return *(char **)pbTarget; 101 | } 102 | if (lpAddress[0] != 0xE8) 103 | return (char*)lpAddress; 104 | char *result = (char*)lpAddress + lpAddress[1] + 2; 105 | if (result[0] == 0xE9) 106 | result = (char *)lpAddress + lpAddress[1] + *(DWORD *)((char *)lpAddress + lpAddress[1] + 3) + 2; 107 | return result; 108 | } 109 | 110 | bool need_remove(DWORD address) 111 | { 112 | PIMAGE_DOS_HEADER dos_header = reinterpret_cast(address); 113 | PIMAGE_NT_HEADERS pNtHeader = reinterpret_cast(reinterpret_cast(dos_header) + dos_header->e_lfanew); 114 | _IMAGE_OPTIONAL_HEADER optionHeader = pNtHeader->OptionalHeader; 115 | if ( optionHeader.Magic != 0x10B && optionHeader.Magic != 0x20B ) 116 | return true; 117 | if ( optionHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE ) 118 | return true; 119 | 120 | return false; 121 | } 122 | 123 | int unmap_module(HANDLE processhd, DWORD* address) 124 | { 125 | NTSTATUS status = 0/*STATUS_SUCCESS*/; 126 | struct _MEMORY_BASIC_INFORMATION Buffer; 127 | 128 | //status = dword_1C408(a1, processhd, address, a4, a5, a6, a7, a8, a9, a10); 129 | if ( (int)status >= 0 ){ 130 | memset(&Buffer.AllocationBase, 0, sizeof(struct _MEMORY_BASIC_INFORMATION)); 131 | if ( VirtualQuery((LPCVOID)(*address), &Buffer, 0x1C) ){ 132 | if ( Buffer.Type == MEM_IMAGE ) { 133 | if ( !need_remove((*address)) ) { // if aslr is enabled , not unmap it 134 | HMODULE m_ntdll = LoadLibrary(L"ntdll.dll"); 135 | m_NtUnmapViewOfSection = (FPTR_NtUnmapViewOfSection)GetProcAddress(m_ntdll,"NtUnmapViewOfSection"); 136 | 137 | 138 | status = m_NtUnmapViewOfSection(processhd, (PVOID)(*address)); 139 | FreeLibrary(m_ntdll); 140 | if ( (int)status >= 0 ){ 141 | alloc_virtual_mem((void*)*address, 0x400);// set the orignal memory as mem_reserverd 142 | *address = 0; 143 | //status = dword_1C408(a1, processhd, address, a4, a5, a6, a7, a8, a9, a10); 144 | } 145 | } 146 | } 147 | } 148 | } 149 | return status; 150 | } -------------------------------------------------------------------------------- /eaf.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "util.h" 3 | 4 | static int hw_break_count = 0; 5 | #define HW_BREAK_COUNT_MAX 4 6 | static int hw_break_table[HW_BREAK_COUNT_MAX]; 7 | extern HANDLE thread_lock; 8 | 9 | void hook_eat(LPCWSTR lpModuleName) 10 | { 11 | HMODULE handle; // eax@2 12 | int v2; // edx@3 13 | int v3; // ecx@3 14 | 15 | if ( hw_break_count != 4 ) 16 | { 17 | HMODULE handle = GetModuleHandleW(lpModuleName); 18 | if ( handle ) 19 | { 20 | //what is this mean 21 | v2 = *(DWORD *)((char *)handle + *((DWORD *)handle + 15) + 120); 22 | v3 = hw_break_count++; 23 | hw_break_table[v3] = (int)((char *)handle + v2 + 28); 24 | } 25 | } 26 | } 27 | 28 | void ClearHardwareBPS(HANDLE hThread) 29 | { 30 | CONTEXT lpcontext; 31 | memset(&lpcontext, 0, sizeof(CONTEXT)); 32 | lpcontext.ContextFlags = 0x10010; 33 | if ( GetThreadContext(GetCurrentThread(), (LPCONTEXT)&lpcontext) ) 34 | { 35 | if ( lpcontext.Dr0 ) 36 | lpcontext.Dr7 &= 0xFFFFFFFE; 37 | if ( lpcontext.Dr1 ) 38 | lpcontext.Dr7 &= 0xFFFFFFFB; 39 | if ( lpcontext.Dr2 ) 40 | lpcontext.Dr7 &= 0xFFFFFFEF; 41 | if ( lpcontext.Dr3 ) 42 | lpcontext.Dr7 &= 0xFFFFFFBF; 43 | lpcontext.ContextFlags = 0x10010; // set ContextFlags 44 | SetThreadContext(hThread, (const CONTEXT *)&lpcontext); 45 | } 46 | } 47 | 48 | void SetHardwareBPS(HANDLE hThread) 49 | { 50 | CONTEXT lpcontext; 51 | memset(&lpcontext, 0, sizeof(CONTEXT)); 52 | lpcontext.ContextFlags = 0x10010; 53 | if ( GetThreadContext(GetCurrentThread(), (LPCONTEXT)&lpcontext) ) 54 | { 55 | if ( lpcontext.Dr0 ) 56 | lpcontext.Dr7 |= 0x1; 57 | if ( lpcontext.Dr1 ) 58 | lpcontext.Dr7 |= 0x4; 59 | if ( lpcontext.Dr2 ) 60 | lpcontext.Dr7 |= 0x10; 61 | if ( lpcontext.Dr3 ) 62 | lpcontext.Dr7 |= 0x40; 63 | lpcontext.ContextFlags = 0x10010; // set ContextFlags 64 | SetThreadContext(hThread, (const CONTEXT *)&lpcontext); 65 | } 66 | } 67 | 68 | int ceh_handler(PEXCEPTION_POINTERS ExceptionInfo) 69 | { 70 | HMODULE phModule = NULL; 71 | bool result; 72 | if ( ExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_SINGLE_STEP ) 73 | { 74 | ClearHardwareBPS(GetCurrentThread()); 75 | PCONTEXT context = ExceptionInfo->ContextRecord; 76 | if ( context->Dr6 & 0x11 ){ 77 | if ( !GetModuleHandleExW(6u, *(LPCWSTR *)(context->Eip), &phModule) )// check eip should in one of the module 78 | find_invalid_execute(context, 0xC0000409u);// terminate execution 79 | if ( !phModule ) 80 | find_invalid_execute(context, 0xC0000409u); 81 | } 82 | CONTEXT lpcontext; 83 | memset(&lpcontext, 0, sizeof(CONTEXT)); 84 | lpcontext.ContextFlags = 0x10010; 85 | GetThreadContext(GetCurrentThread(), (LPCONTEXT)&lpcontext); 86 | lpcontext.Dr6 = 0; 87 | lpcontext.ContextFlags = 0x10010; 88 | SetThreadContext(GetCurrentThread(), (const CONTEXT *)&lpcontext); 89 | SetHardwareBPS(GetCurrentThread()); 90 | result = -1; 91 | } else { 92 | result = 0; 93 | } 94 | return result; 95 | } 96 | 97 | PVOID set_ceh_handler() 98 | { 99 | return AddVectoredExceptionHandler(0x1, (PVECTORED_EXCEPTION_HANDLER)ceh_handler); 100 | } 101 | 102 | BOOL __stdcall set_bp2(void *handle, int index) 103 | { 104 | int bp_address; 105 | bool result; 106 | 107 | bp_address = hw_break_table[index]; 108 | CONTEXT lpcontext; 109 | memset(&lpcontext, 0, sizeof(CONTEXT)); 110 | lpcontext.ContextFlags = 0x10010; 111 | if ( GetThreadContext(handle, (LPCONTEXT)&lpcontext) ) 112 | { 113 | unsigned int new_Dr7 = lpcontext.Dr7; 114 | if ( index ) 115 | { 116 | switch ( index ) 117 | { 118 | case 1: 119 | lpcontext.Dr1 = bp_address; 120 | new_Dr7 = lpcontext.Dr7 & 0xFFFFFFF7 | 0xF00004; 121 | break; 122 | case 2: 123 | lpcontext.Dr2 = bp_address; 124 | new_Dr7 = lpcontext.Dr7 & 0xFFFFFFDF | 0xF000010; 125 | break; 126 | case 3: 127 | lpcontext.Dr3 = bp_address; 128 | new_Dr7 = lpcontext.Dr7 & 0xFFFFFF7F | 0xF0000040; 129 | break; 130 | } 131 | } 132 | else 133 | { 134 | lpcontext.Dr0 = bp_address; 135 | new_Dr7 = lpcontext.Dr7 & 0xFFFFFFFD | 0xF0001; 136 | } 137 | lpcontext.Dr7 = new_Dr7 | 0x500; // set 4 bit length? 138 | lpcontext.ContextFlags = 0x10010; 139 | result = SetThreadContext(handle, (const CONTEXT *)&lpcontext); 140 | } 141 | return result; 142 | } 143 | 144 | void *set_bp(DWORD dwThreadId) 145 | { 146 | unsigned int index; 147 | void *result; 148 | void *threadhd; 149 | bool suspended; 150 | 151 | index = 0; 152 | result = OpenThread(THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_QUERY_INFORMATION, false, dwThreadId); 153 | threadhd = result; 154 | if ( result ){ 155 | suspended = SuspendThread(result) != -1; 156 | if ( (unsigned int)hw_break_count > 0 ){ 157 | do 158 | set_bp2(threadhd, index++); 159 | while ( index < hw_break_count ); 160 | } 161 | if ( suspended ) 162 | ResumeThread(threadhd); 163 | result = (void *)CloseHandle(threadhd); 164 | } 165 | return result; 166 | } 167 | 168 | void StartAddress() 169 | { 170 | while ( 1 ){ 171 | Sleep(0x64); 172 | WaitForSingleObject(thread_lock, 0xFFFFFFFF); 173 | for (int i = thread_count; i; --i ) 174 | { 175 | if ( threadid_list[i] != GetCurrentThreadId() ) 176 | set_bp(threadid_list[i]); 177 | } 178 | thread_count = 0; 179 | ReleaseMutex(thread_lock); 180 | } 181 | } -------------------------------------------------------------------------------- /sehop.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "util.h" 3 | #include "TlHelp32.h" 4 | #include "Winternl.h" 5 | 6 | typedef struct EXCEPTION_REGISTRATION { 7 | struct EXCEPTION_REGISTRATION* next; 8 | PVOID handler; 9 | }EXCEPTION_REGISTRATION , *PEXCEPTION_REGISTRATION; 10 | 11 | typedef struct _CLIENT_ID { 12 | HANDLE UniqueProcess; 13 | HANDLE UniqueThread; 14 | } CLIENT_ID; 15 | typedef CLIENT_ID *PCLIENT_ID; 16 | 17 | typedef struct _THREAD_BASIC_INFORMATION { // Information Class 0 18 | LONG ExitStatus; 19 | PVOID TebBaseAddress; 20 | CLIENT_ID ClientId; 21 | LONG AffinityMask; 22 | LONG Priority; 23 | LONG BasePriority; 24 | } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; 25 | 26 | bool isSEHOP_enable() 27 | { 28 | //emet will check the register 29 | return true; 30 | } 31 | 32 | static bool set_sehop_hanlder_flag = false; 33 | 34 | PEXCEPTION_REGISTRATION end_exception_chain; 35 | 36 | int module_default_handle_flag() 37 | { 38 | //BOOL threadinfoclass; // esi@1 39 | // HMODULE hd_ntdll; // eax@1 40 | //HANDLE handle; // eax@1 41 | bool suspended; // ebx@4 42 | HANDLE threadhd; // edi@5 43 | int v5; // esi@11 44 | //PVOID threadinfo; // [sp+4h] [bp-48h]@6 45 | THREADENTRY32 te; // [sp+20h] [bp-2Ch]@2 46 | DWORD ExitCode; // [sp+3Ch] [bp-10h]@9 47 | 48 | 49 | 50 | 51 | THREAD_BASIC_INFORMATION threadinfo; 52 | THREADINFOCLASS threadinfoclass = THREADINFOCLASS(0); 53 | bool ret = false; 54 | HANDLE hObject = CreateToolhelp32Snapshot(4u, 0); // TH32CS_SNAPTHREAD 55 | if ( !hObject ) 56 | return ret; 57 | te.dwSize = 0x1c; 58 | bool value = Thread32First(hObject, &te); 59 | if ( !value ){ 60 | CloseHandle(hObject); 61 | return ret; 62 | } 63 | ret = true; 64 | while ( 1 ) 65 | { 66 | suspended = 0; 67 | if ( te.th32OwnerProcessID == GetCurrentProcessId() ) 68 | break; 69 | if ( !Thread32Next(hObject, &te) ) { 70 | CloseHandle(hObject); 71 | return ret; 72 | } 73 | } 74 | threadhd = OpenThread(THREAD_QUERY_INFORMATION | THREAD_SUSPEND_RESUME , false, te.th32ThreadID); 75 | ULONG ReturnLength; 76 | 77 | 78 | 79 | if ( threadhd != (HANDLE)threadinfoclass 80 | && m_NtQueryInformationThread(threadhd,threadinfoclass, &threadinfo,sizeof(THREAD_BASIC_INFORMATION),&ReturnLength) ) 81 | { 82 | if ( te.th32ThreadID != GetCurrentThreadId() ) 83 | suspended = SuspendThread(threadhd) != -1; 84 | if ( GetExitCodeThread(threadhd, &ExitCode) && ExitCode == (WAIT_TIMEOUT|0x1) )// still active 85 | { 86 | PEXCEPTION_REGISTRATION Exception_header = (PEXCEPTION_REGISTRATION)&(threadinfo.TebBaseAddress); // threadinfo->TebBaseAddress, get current exceptoin_header 87 | if ( (DWORD)Exception_header == 0xFFFFFFFF ) 88 | { 89 | threadinfo.TebBaseAddress = DecodePointer(end_exception_chain); 90 | } 91 | else 92 | { 93 | while ( (DWORD)Exception_header != 0xFFFFFFFF ) // find the last one 94 | Exception_header = Exception_header->next; 95 | Exception_header = (PEXCEPTION_REGISTRATION)DecodePointer(end_exception_chain); 96 | } 97 | if ( suspended ) 98 | ResumeThread(threadhd); 99 | CloseHandle(threadhd); 100 | // threadinfoclass = 0; 101 | } 102 | else 103 | { 104 | CloseHandle(threadhd); 105 | } 106 | if ( !Thread32Next(hObject, &te) ) { 107 | CloseHandle(hObject); 108 | return ret; 109 | } 110 | } 111 | // FreeLibrary(m_ntdll); 112 | ret = threadinfoclass; // threadinfolength 113 | CloseHandle(hObject); 114 | return ret; 115 | } 116 | 117 | 118 | __declspec( naked ) int default_handler() 119 | { 120 | __asm{ 121 | xor eax, eax 122 | inc eax 123 | retn 10h 124 | } 125 | } 126 | 127 | bool get_default_handle_flag() 128 | { 129 | DWORD v0; 130 | LPVOID mem; 131 | bool result = false; 132 | int random_number; 133 | DWORD flOldProtect; 134 | // DWORD random_value; 135 | 136 | // random_value = GetTickCount() ^ GetCurrentProcessId(); 137 | mem = VirtualAlloc(0, 0x1000u, 0x1000u, 4u); // MEM_COMMIT PAGE_READWRITE 138 | if ( mem || (result = malloc(0x1000u), result != NULL ) ) 139 | { 140 | HMODULE m_ntdll = LoadLibrary(L"ntdll.dll"); 141 | m_RtlRandom = (FPTR_RtlRandom)GetProcAddress(m_ntdll,"RtlRandom"); 142 | ULONG seed = GetTickCount() ^ GetCurrentProcessId(); 143 | random_number = (unsigned __int8)m_RtlRandom(&seed); 144 | random_number = random_number & 0xFFF; 145 | FreeLibrary(m_ntdll); 146 | if ( (unsigned int)random_number > 8 ) 147 | random_number -= 8; 148 | end_exception_chain = (PEXCEPTION_REGISTRATION)( (char *)mem + random_number ); 149 | end_exception_chain->next = (PEXCEPTION_REGISTRATION)0xFFFFFFFF; 150 | end_exception_chain->handler = &default_handler; 151 | VirtualProtect(end_exception_chain, 1u, 2u, &flOldProtect);// PAGE_READONLY 152 | end_exception_chain = (PEXCEPTION_REGISTRATION)EncodePointer(end_exception_chain); 153 | VirtualProtect(&end_exception_chain, 1u, 2u, &flOldProtect); 154 | result = true; 155 | } 156 | return result; 157 | } 158 | 159 | bool sehop_checker(PEXCEPTION_POINTERS ExceptionInfo) 160 | { 161 | void *next_record; 162 | struct _MEMORY_BASIC_INFORMATION Buffer; 163 | 164 | if ( __readfsdword(0x10) < MEM_FREE ) { 165 | //check it 166 | PEXCEPTION_REGISTRATION address = (PEXCEPTION_REGISTRATION)__readfsdword(0x0); 167 | while ( (DWORD)address->next != 0xFFFFFFFF 168 | && VirtualQuery((LPCVOID )address->next, &Buffer, 0x1C) && Buffer.State != MEM_FREE ) { 169 | if ( address == DecodePointer(end_exception_chain) ) 170 | return 0; 171 | address = address->next; 172 | } 173 | find_invalid_execute(ExceptionInfo->ContextRecord, 0xC0000409u); 174 | } 175 | return 0; 176 | } 177 | 178 | int set_sehop_ceh_handler() 179 | { 180 | if ( isSEHOP_enable() ) 181 | { 182 | if ( get_default_handle_flag() ) // change default exception handler flag to random value to avoid use faked chain 183 | { 184 | if ( module_default_handle_flag() ) 185 | { 186 | bool ret = (int)AddVectoredExceptionHandler(0x1, (PVECTORED_EXCEPTION_HANDLER)sehop_checker); 187 | if ( ret ) 188 | set_sehop_hanlder_flag = 1; 189 | } 190 | } 191 | } 192 | return set_sehop_hanlder_flag; 193 | } 194 | 195 | 196 | int change_default_exception_flag(PEXCEPTION_REGISTRATION exception_header) 197 | { 198 | int result; 199 | 200 | if ( set_sehop_hanlder_flag ){ 201 | if ( exception_header == (void *)0xFFFFFFFF ){ 202 | DecodePointer(end_exception_chain); 203 | }else{ 204 | while ( (unsigned int)exception_header->next != (unsigned int)0xFFFFFFFF ) 205 | exception_header = exception_header->next;// get next 206 | //check it 207 | if ( exception_header != DecodePointer(end_exception_chain) ) 208 | exception_header->handler = DecodePointer(end_exception_chain); 209 | } 210 | result = 1; 211 | } else{ 212 | result = 0; 213 | } 214 | return result; 215 | } -------------------------------------------------------------------------------- /aslr.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "util.h" 3 | 4 | bool setting_aslr = true; 5 | OSVERSIONINFOW VersionInformation; 6 | #define WINDOWS_VISTA 6 7 | 8 | typedef struct _thread_info 9 | { 10 | struct _thread_info *next; 11 | void *handler; 12 | }thread_info; 13 | thread_info* module_header = NULL; 14 | 15 | static int LastError; 16 | 17 | int __stdcall init_thread_info(HANDLE hThread) 18 | { 19 | int ret; // eax@1 20 | thread_info *current_thread; // esi@4 21 | DWORD v3; // edi@5 22 | 23 | ret = LastError; 24 | if ( !LastError ) 25 | { 26 | if ( hThread == GetCurrentThread() ) 27 | return 0; 28 | current_thread = new thread_info(); 29 | if ( !current_thread ) // new failed 30 | { 31 | dword_1C898 = 0; 32 | LastError = ERROR_NOT_ENOUGH_MEMORY; //8 33 | return LastError; 34 | } 35 | if ( SuspendThread(hThread) == -1 ) 36 | { 37 | delete current_thread; 38 | dword_1C898 = 0; 39 | LastError = GetLastError(); 40 | return LastError; 41 | } 42 | current_thread->next = module_header;// current_module->next = module_header 43 | current_thread->handler = hThread; // current_module->handle = hThread 44 | module_header = current_thread; 45 | ret = 0; 46 | } 47 | return ret; 48 | } 49 | 50 | typedef struct _aslr_struct2{ 51 | }aslr_struct2; 52 | 53 | typedef struct _aslr_struct 54 | { 55 | struct _aslr_struct *next; 56 | void *param1; 57 | void *param2; 58 | void *new_add; 59 | aslr_struct2 *aslr_struct2; //define later 60 | int old_VP_flag; 61 | }aslr_struct; 62 | aslr_struct* struct_header; 63 | 64 | volatile LONG CurrentThreadID; 65 | LPVOID lpAddress; 66 | 67 | void* dword_1C88C; 68 | int dword_1C898; 69 | 70 | unsigned int enable_execute() 71 | { 72 | unsigned int result; 73 | DWORD flOldProtect; 74 | if ( CurrentThreadID || InterlockedCompareExchange(&CurrentThreadID, GetCurrentThreadId(), 0) ){ 75 | result = ERROR_INVALID_OPERATION;//0x10DDu; 76 | }else { 77 | LPVOID address = lpAddress; 78 | dword_1C88C = 0; 79 | struct_header = NULL; 80 | module_header = NULL; 81 | LastError = 0; 82 | dword_1C898 = 0; 83 | while(address){ 84 | VirtualProtect(address, 0x10000u, PAGE_EXECUTE_READWRITE, &flOldProtect); 85 | address = (LPVOID)*((DWORD *)address + 1); 86 | } 87 | } 88 | return result; 89 | } 90 | 91 | int prepare_new_data2(void* a1, LPCVOID lpAddress, void* addr1, void* addr2, void* addr3) 92 | { 93 | if ( addr1 ) 94 | *addr1 = 0; 95 | if (addr2) 96 | *addr2 = 0; 97 | if ( addr3) 98 | *addr3 = 0; 99 | if ( CurrentThreadID != GetCurrentThreadId() ) 100 | return ERROR_INVALID_OPERATION;//0x10DDu; 101 | 102 | } 103 | 104 | int prepare_new_data(void *a1, LPCVOID lpAddress) 105 | { 106 | return prepare_new_data2(a1, lpAddress, NULL, NULL, NULL); 107 | } 108 | 109 | void enable_aslr(HMODULE hd){ 110 | 111 | memset( &VersionInformation, 0, sizeof(VersionInformation) ); 112 | VersionInformation.dwOSVersionInfoSize = 284; 113 | GetVersionExW((LPOSVERSIONINFOW)&VersionInformation); 114 | 115 | if ( setting_aslr ){ 116 | getModuleHandleEx(hd); 117 | if ( VersionInformation.dwMajorVersion >= WINDOWS_VISTA ){ 118 | enable_execute(); 119 | init_thread_info(GetCurrentThread()); 120 | prepare_new_data((int)&dword_1C408, lpAddress); 121 | apply_aslr(NULL); 122 | } 123 | } 124 | } 125 | 126 | 127 | extern HANDLE refresh_code_inmemory(); 128 | 129 | int refresh_and_resume(DWORD flOldProtect) 130 | { 131 | int result = 0; 132 | if ( CurrentThreadID == GetCurrentThreadId() ){ 133 | //release all struct_header 134 | if ( struct_header ) { 135 | aslr_struct* header = (aslr_struct *)struct_header; 136 | do { 137 | VirtualProtect(header->new_add, *((BYTE *)header->aslr_struct2 + 30), header->old_VP_flag, &flOldProtect); 138 | if ( header->param1 ){ 139 | if ( header->aslr_struct2 ){ 140 | release_struct2(header->aslr_struct2); 141 | header->aslr_struct2 = NULL; 142 | } 143 | } 144 | aslr_struct *temp = header->next; 145 | delete header; 146 | header = temp; 147 | }while(header); 148 | } 149 | struct_header = 0; 150 | refresh_code_inmemory(); 151 | 152 | 153 | if ( module_header ){ 154 | thread_info* header = (thread_info *)module_header; 155 | do { 156 | ResumeThread(header->handler); 157 | thread_info* temp = header->next; 158 | delete header; 159 | header = temp; 160 | }while(header); 161 | } 162 | module_header = NULL; 163 | CurrentThreadID = NULL; 164 | result = 0; 165 | } else { 166 | result = ERROR_INVALID_OPERATION;//0x10DD; 167 | } 168 | return result; 169 | } 170 | 171 | int apply_aslr(void* a1) 172 | { 173 | DWORD flOldProtect; 174 | 175 | if ( a1 ) 176 | *(DWORD*)a1 = dword_1C898; 177 | 178 | if ( CurrentThreadID != GetCurrentThreadId() ) 179 | return 0x10DD; 180 | if ( !LastError ) { 181 | for (aslr_struct* i = (aslr_struct *)struct_header; i; i = i->next ){ 182 | aslr_struct2* struct2 = i->aslr_struct2; 183 | if ( i->param1 ){ 184 | memcpy(i->new_add, (char *)struct2 + 32, *((BYTE *)struct2 + 54)); 185 | 186 | }else { 187 | //TODO : not implement 188 | } 189 | }//end of for 190 | if ( !module_header ){ 191 | Cleanup: 192 | aslr_struct* header = struct_header; 193 | if ( struct_header != NULL ){ 194 | do{ 195 | VirtualProtect(header->new_add, *((BYTE *)header->aslr_struct2 + 30), header->old_VP_flag, &flOldProtect); 196 | FlushInstructionCache(GetCurrentProcess(), header->new_add, *((BYTE *)header->aslr_struct2 + 30)); 197 | if ( header->param1 != NULL ){ 198 | if ( header->aslr_struct2 ){ 199 | release_struct2(header->aslr_struct2); 200 | header->aslr_struct2 = NULL; 201 | } 202 | } 203 | aslr_struct* temp = header->next; 204 | delete header; 205 | header = temp; 206 | }while( header ); 207 | } 208 | 209 | struct_header = NULL; 210 | refresh_code_inmemory(); 211 | if ( module_header != NULL ){ 212 | thread_info* header = (thread_info *)module_header; 213 | do { 214 | ResumeThread(header->handler); 215 | thread_info* temp = header->next; 216 | delete header; 217 | header = temp; 218 | }while(header); 219 | } 220 | module_header = NULL; 221 | CurrentThreadID = NULL; 222 | return LastError; 223 | } 224 | 225 | 226 | thread_info* header = (thread_info *)module_header; 227 | CONTEXT context ; 228 | while(1){ 229 | HANDLE handler = (HANDLE)header->handler; 230 | context.ContextFlags = 0x10001; 231 | if ( GetThreadContext(handler, &context) ) 232 | break; 233 | header = header->next; 234 | if ( !header ) 235 | goto Cleanup; 236 | } //end of while 237 | for ( aslr_struct* j = (aslr_struct*)struct_header; ; j = j->next ) //adjust eip 238 | { 239 | if ( !j ) { 240 | header = header->next; 241 | if ( !header ) 242 | goto Cleanup; 243 | } 244 | if ( j->param1 ){ 245 | int addr = (int)j->new_add; 246 | if ( context.Eip >= (unsigned int)addr && context.Eip < j->aslr_struct2->module_size ){ 247 | context.Eip -= (DWORD)addr; 248 | context.Eip += (DWORD)(j->new_add); 249 | SetThreadContext((HANDLE)header->handler, &context); 250 | continue; 251 | } else { 252 | int addr = (int)j->new_add; 253 | if ( context.Eip >= (unsigned int)addr 254 | && context.Eip < (unsigned int)((char *)addr + *((BYTE *)j->aslr_struct2 + 30)) ) 255 | { 256 | context.Eip -= (DWORD)addr; //old_base_addr 257 | context.Eip += (DWORD)(j->aslr_struct2); 258 | SetThreadContext((HANDLE)header->handler, &context); 259 | continue; 260 | } 261 | } 262 | } 263 | } 264 | } 265 | } 266 | 267 | --------------------------------------------------------------------------------