├── BEShellcodeDumper.sln
├── BEShellcodeDumper
    ├── BEShellcodeDumper.vcxproj
    ├── BEShellcodeDumper.vcxproj.filters
    ├── BEShellcodeDumper.vcxproj.user
    ├── main.cpp
    ├── utils.cpp
    └── utils.h
└── README.md


/BEShellcodeDumper.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.31624.102
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BEShellcodeDumper", "BEShellcodeDumper\BEShellcodeDumper.vcxproj", "{5315AA30-6441-47A3-99BE-063EFDEF2052}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{5315AA30-6441-47A3-99BE-063EFDEF2052}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{5315AA30-6441-47A3-99BE-063EFDEF2052}.Debug|x64.Build.0 = Debug|x64
18 | 		{5315AA30-6441-47A3-99BE-063EFDEF2052}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{5315AA30-6441-47A3-99BE-063EFDEF2052}.Debug|x86.Build.0 = Debug|Win32
20 | 		{5315AA30-6441-47A3-99BE-063EFDEF2052}.Release|x64.ActiveCfg = Release|x64
21 | 		{5315AA30-6441-47A3-99BE-063EFDEF2052}.Release|x64.Build.0 = Release|x64
22 | 		{5315AA30-6441-47A3-99BE-063EFDEF2052}.Release|x86.ActiveCfg = Release|Win32
23 | 		{5315AA30-6441-47A3-99BE-063EFDEF2052}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {3A2099F4-8276-4486-AD7C-F88E1F33C932}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/BEShellcodeDumper/BEShellcodeDumper.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{5315aa30-6441-47a3-99be-063efdef2052}</ProjectGuid>
 25 |     <RootNamespace>BEShellcodeDumper</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="Shared">
 60 |   </ImportGroup>
 61 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 62 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 63 |   </ImportGroup>
 64 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 65 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 66 |   </ImportGroup>
 67 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 68 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 69 |   </ImportGroup>
 70 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 71 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 72 |   </ImportGroup>
 73 |   <PropertyGroup Label="UserMacros" />
 74 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 75 |     <LinkIncremental>true</LinkIncremental>
 76 |   </PropertyGroup>
 77 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 78 |     <LinkIncremental>false</LinkIncremental>
 79 |   </PropertyGroup>
 80 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 81 |     <LinkIncremental>true</LinkIncremental>
 82 |   </PropertyGroup>
 83 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 84 |     <LinkIncremental>false</LinkIncremental>
 85 |     <GenerateManifest>false</GenerateManifest>
 86 |   </PropertyGroup>
 87 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 88 |     <ClCompile>
 89 |       <WarningLevel>Level3</WarningLevel>
 90 |       <SDLCheck>true</SDLCheck>
 91 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <ConformanceMode>true</ConformanceMode>
 93 |     </ClCompile>
 94 |     <Link>
 95 |       <SubSystem>Console</SubSystem>
 96 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 97 |     </Link>
 98 |   </ItemDefinitionGroup>
 99 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
100 |     <ClCompile>
101 |       <WarningLevel>Level3</WarningLevel>
102 |       <FunctionLevelLinking>true</FunctionLevelLinking>
103 |       <IntrinsicFunctions>true</IntrinsicFunctions>
104 |       <SDLCheck>true</SDLCheck>
105 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106 |       <ConformanceMode>true</ConformanceMode>
107 |     </ClCompile>
108 |     <Link>
109 |       <SubSystem>Console</SubSystem>
110 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
111 |       <OptimizeReferences>true</OptimizeReferences>
112 |       <GenerateDebugInformation>true</GenerateDebugInformation>
113 |     </Link>
114 |   </ItemDefinitionGroup>
115 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
116 |     <ClCompile>
117 |       <WarningLevel>Level3</WarningLevel>
118 |       <SDLCheck>true</SDLCheck>
119 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120 |       <ConformanceMode>true</ConformanceMode>
121 |     </ClCompile>
122 |     <Link>
123 |       <SubSystem>Console</SubSystem>
124 |       <GenerateDebugInformation>true</GenerateDebugInformation>
125 |     </Link>
126 |   </ItemDefinitionGroup>
127 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
128 |     <ClCompile>
129 |       <WarningLevel>Level3</WarningLevel>
130 |       <FunctionLevelLinking>true</FunctionLevelLinking>
131 |       <IntrinsicFunctions>false</IntrinsicFunctions>
132 |       <SDLCheck>true</SDLCheck>
133 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
134 |       <ConformanceMode>true</ConformanceMode>
135 |       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
136 |       <BufferSecurityCheck>false</BufferSecurityCheck>
137 |     </ClCompile>
138 |     <Link>
139 |       <SubSystem>Console</SubSystem>
140 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
141 |       <OptimizeReferences>true</OptimizeReferences>
142 |       <GenerateDebugInformation>true</GenerateDebugInformation>
143 |       <EntryPointSymbol>
144 |       </EntryPointSymbol>
145 |       <IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
146 |       <AdditionalDependencies>ntdll.lib;%(AdditionalDependencies)</AdditionalDependencies>
147 |     </Link>
148 |   </ItemDefinitionGroup>
149 |   <ItemGroup>
150 |     <ClCompile Include="main.cpp" />
151 |     <ClCompile Include="utils.cpp" />
152 |   </ItemGroup>
153 |   <ItemGroup>
154 |     <ClInclude Include="utils.h" />
155 |   </ItemGroup>
156 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
157 |   <ImportGroup Label="ExtensionTargets">
158 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
159 |   </ImportGroup>
160 | </Project>


--------------------------------------------------------------------------------
/BEShellcodeDumper/BEShellcodeDumper.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Quelldateien">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Headerdateien">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Quelldateien\utils">
13 |       <UniqueIdentifier>{95705bc3-0e3c-4abe-802b-0fa2bb812b95}</UniqueIdentifier>
14 |     </Filter>
15 |   </ItemGroup>
16 |   <ItemGroup>
17 |     <ClCompile Include="main.cpp">
18 |       <Filter>Quelldateien</Filter>
19 |     </ClCompile>
20 |     <ClCompile Include="utils.cpp">
21 |       <Filter>Quelldateien\utils</Filter>
22 |     </ClCompile>
23 |   </ItemGroup>
24 |   <ItemGroup>
25 |     <ClInclude Include="utils.h">
26 |       <Filter>Quelldateien\utils</Filter>
27 |     </ClInclude>
28 |   </ItemGroup>
29 | </Project>


--------------------------------------------------------------------------------
/BEShellcodeDumper/BEShellcodeDumper.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/BEShellcodeDumper/main.cpp:
--------------------------------------------------------------------------------
 1 | #include "utils.h"
 2 | #include <fstream>
 3 | #include <intrin.h>
 4 | #include <string>
 5 | 
 6 | using GetProcAddy_t = FARPROC(__stdcall*)(_In_ HMODULE hModule,_In_ LPCSTR lpProcName);
 7 | using CreateHook_t = uint64_t(__fastcall*)(LPVOID, LPVOID, LPVOID*);
 8 | using EnableHook_t = uint64_t(__fastcall*)(LPVOID, bool);
 9 | using EnableHookQueu_t = uint64_t(__stdcall*)(VOID);
10 | CreateHook_t CreateHook = nullptr;
11 | EnableHook_t EnableHook = nullptr;
12 | EnableHookQueu_t EnableHookQue = nullptr;
13 | bool init = false;
14 | bool discord_hook(uintptr_t original, uintptr_t hook, uintptr_t tramp)
15 | {
16 |     if (!init) {
17 |         uintptr_t discord_base = (uintptr_t)GetModuleHandleA("DiscordHook64.dll");
18 |         PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(((PIMAGE_DOS_HEADER)discord_base)->e_lfanew + discord_base);
19 |         DWORD discord_size = nt->OptionalHeader.SizeOfImage;
20 |         CreateHook = (CreateHook_t)utils::scanpattern(discord_base, discord_size, "41 57 41 56 56 57 55 53 48 83 EC 68 4D 89 C6 49 89 D7");
21 |         EnableHook = (EnableHook_t)utils::scanpattern(discord_base, discord_size,"41 56 56 57 53 48 83 EC 28 49 89 CE BF 01 00 00 00 31 C0 F0 ? ? ? ? ? ? ? 74");
22 |         EnableHookQue = (EnableHookQueu_t)utils::scanpattern(discord_base, discord_size, "41 57 41 56 41 55 41 54 56 57 55 53 48 83 EC 38 48 ? ? ? ? ? ? 48 31 E0 48 89 44 24 30 BE 01 00 00 00 31 C0 F0 ? ? ? ? ? ? ? 74 2B" );
23 |         init = true;
24 |     }
25 |     if (CreateHook((LPVOID)original, (LPVOID)hook, (LPVOID*)tramp) == 0)
26 |     {
27 |         if (EnableHook((LPVOID)original, true) == 0)
28 |         {
29 |             if (EnableHookQue() == 0)
30 |             {
31 |                 return true;
32 |             }
33 |         }
34 |     }
35 | 
36 |     return false;
37 | }
38 | std::vector<uintptr_t>dumped_shellcodes;
39 | GetProcAddy_t origalgetproc;
40 | LPVOID hookproc(
41 |     _In_ HMODULE hModule,
42 |     _In_ LPCSTR lpProcName) {
43 |     uintptr_t retaddy = (uintptr_t)_ReturnAddress();
44 |     MEMORY_BASIC_INFORMATION mbi{ 0 };
45 |     size_t return_length{ 0 };
46 |     if (NtQueryVirtualMemory((HANDLE)-1, (PVOID)retaddy, MemoryBasicInformation, &mbi, sizeof(mbi), &return_length) == 0) {
47 |         if (
48 |             mbi.State == MEM_COMMIT &&
49 |             mbi.Protect == PAGE_EXECUTE_READWRITE && mbi.RegionSize > 0x1000
50 |             )
51 |         {
52 |             if (std::find(dumped_shellcodes.begin(), dumped_shellcodes.end(), (uintptr_t)mbi.AllocationBase) == dumped_shellcodes.end()) {
53 |                 std::string to_stream = "C:\\Users\\weak\\Desktop\\r6dmps\\shellcode\\" + std::to_string((uintptr_t)mbi.BaseAddress) + ".dat"; //R6 has no admin rights so dont use paths like C:\file.dat
54 |                 printf("Call from be-shellcode dumping: %s\n", to_stream.c_str());
55 |                 uintptr_t possible_shellcode_start = utils::scanpattern((uintptr_t)mbi.BaseAddress, mbi.RegionSize, "4C 89");
56 |                 printf("Possible entry-rva: %x\n", possible_shellcode_start - (uintptr_t)mbi.BaseAddress);
57 |                 utils::CreateFileFromMemory(to_stream, (char*)mbi.BaseAddress, mbi.RegionSize);
58 |                 dumped_shellcodes.push_back((uintptr_t)mbi.AllocationBase);
59 |             }      
60 |         }
61 |     }
62 |     return origalgetproc(hModule, lpProcName);
63 | }
64 | 
65 | BOOL WINAPI DllMain(
66 |     HINSTANCE hinstDLL, 
67 |     DWORD fdwReason,  
68 |     LPVOID lpReserved) 
69 | {
70 |     switch (fdwReason)
71 |     {
72 |     case DLL_PROCESS_ATTACH: {
73 |         AllocConsole();
74 |         freopen("CONOUT$", "w", stdout);
75 |         if (discord_hook((uintptr_t)GetProcAddress, (uintptr_t)hookproc, (uintptr_t)&origalgetproc))
76 |             printf("Hook success\n");
77 |         else
78 |             printf("Hook failed\n");
79 |         break;
80 |     }
81 |     }
82 |     return TRUE; 
83 | }
84 | 


--------------------------------------------------------------------------------
/BEShellcodeDumper/utils.cpp:
--------------------------------------------------------------------------------
 1 | #include "utils.h"
 2 | 
 3 | uintptr_t utils::scanpattern(uintptr_t base, int size, const char* signature)
 4 | {
 5 |     static auto patternToByte = [](const char* pattern)
 6 |     {
 7 |         auto       bytes = std::vector<int>{};
 8 |         const auto start = const_cast<char*>(pattern);
 9 |         const auto end = const_cast<char*>(pattern) + strlen(pattern);
10 | 
11 |         for (auto current = start; current < end; ++current)
12 |         {
13 |             if (*current == '?')
14 |             {
15 |                 ++current;
16 |                 if (*current == '?')
17 |                     ++current;
18 |                 bytes.push_back(-1);
19 |             }
20 |             else { bytes.push_back(strtoul(current, &current, 16)); }
21 |         }
22 |         return bytes;
23 |     };
24 |     auto       patternBytes = patternToByte(signature);
25 |     const auto scanBytes = reinterpret_cast<std::uint8_t*>(base);
26 | 
27 |     const auto s = patternBytes.size();
28 |     const auto d = patternBytes.data();
29 | 
30 |     for (auto i = 0ul; i < size - s; ++i)
31 |     {
32 |         bool found = true;
33 |         for (auto j = 0ul; j < s; ++j)
34 |         {
35 |             if (scanBytes[i + j] != d[j] && d[j] != -1)
36 |             {
37 |                 found = false;
38 |                 break;
39 |             }
40 |         }
41 |         if (found) { return reinterpret_cast<uintptr_t>(&scanBytes[i]); }
42 |     }
43 |     return NULL;
44 | }
45 | 
46 | bool utils::CreateFileFromMemory(const std::string& desired_file_path, const char* address, size_t size) {
47 |     std::ofstream file_ofstream(desired_file_path.c_str(), std::ios_base::out | std::ios_base::binary);
48 | 
49 |     if (!file_ofstream.write(address, size)) {
50 |         file_ofstream.close();
51 |         return false;
52 |     }
53 | 
54 |     file_ofstream.close();
55 |     return true;
56 | }
57 | 
58 | 


--------------------------------------------------------------------------------
/BEShellcodeDumper/utils.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <Windows.h>
 3 | #include <iostream>
 4 | #include <vector>
 5 | #include <fstream>
 6 | namespace utils {
 7 |     uintptr_t scanpattern(uintptr_t base, int size, const char* signature);
 8 |     bool CreateFileFromMemory(const std::string& desired_file_path, const char* address, size_t size);
 9 | }
10 | typedef enum _MEMORY_INFORMATION_CLASS {
11 |     MemoryBasicInformation
12 | } MEMORY_INFORMATION_CLASS;
13 | extern "C" NTSYSCALLAPI NTSTATUS NtQueryVirtualMemory(
14 |     HANDLE                   ProcessHandle,
15 |     PVOID                    BaseAddress,
16 |     MEMORY_INFORMATION_CLASS MemoryInformationClass,
17 |     PVOID                    MemoryInformation,
18 |     SIZE_T                   MemoryInformationLength,
19 |     PSIZE_T                  ReturnLength
20 | );
21 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # BEShellcodeDumper
2 | Dump Battleyes shellcode by checking the return address of GetProcAddress
3 | 


--------------------------------------------------------------------------------