├── BEShellcodeDumper.sln ├── BEShellcodeDumper ├── BEShellcodeDumper.vcxproj ├── BEShellcodeDumper.vcxproj.filters ├── BEShellcodeDumper.vcxproj.user ├── main.cpp ├── utils.cpp └── utils.h └── README.md /BEShellcodeDumper.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31624.102 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BEShellcodeDumper", "BEShellcodeDumper\BEShellcodeDumper.vcxproj", "{5315AA30-6441-47A3-99BE-063EFDEF2052}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Debug|x64.ActiveCfg = Debug|x64 17 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Debug|x64.Build.0 = Debug|x64 18 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Debug|x86.ActiveCfg = Debug|Win32 19 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Debug|x86.Build.0 = Debug|Win32 20 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Release|x64.ActiveCfg = Release|x64 21 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Release|x64.Build.0 = Release|x64 22 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Release|x86.ActiveCfg = Release|Win32 23 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {3A2099F4-8276-4486-AD7C-F88E1F33C932} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /BEShellcodeDumper/BEShellcodeDumper.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {5315aa30-6441-47a3-99be-063efdef2052} 25 | BEShellcodeDumper 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | DynamicLibrary 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | true 76 | 77 | 78 | false 79 | 80 | 81 | true 82 | 83 | 84 | false 85 | false 86 | 87 | 88 | 89 | Level3 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | 98 | 99 | 100 | 101 | Level3 102 | true 103 | true 104 | true 105 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | true 112 | true 113 | 114 | 115 | 116 | 117 | Level3 118 | true 119 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | 122 | 123 | Console 124 | true 125 | 126 | 127 | 128 | 129 | Level3 130 | true 131 | false 132 | true 133 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 134 | true 135 | MultiThreadedDLL 136 | false 137 | 138 | 139 | Console 140 | true 141 | true 142 | true 143 | 144 | 145 | false 146 | ntdll.lib;%(AdditionalDependencies) 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | -------------------------------------------------------------------------------- /BEShellcodeDumper/BEShellcodeDumper.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {95705bc3-0e3c-4abe-802b-0fa2bb812b95} 14 | 15 | 16 | 17 | 18 | Quelldateien 19 | 20 | 21 | Quelldateien\utils 22 | 23 | 24 | 25 | 26 | Quelldateien\utils 27 | 28 | 29 | -------------------------------------------------------------------------------- /BEShellcodeDumper/BEShellcodeDumper.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /BEShellcodeDumper/main.cpp: -------------------------------------------------------------------------------- 1 | #include "utils.h" 2 | #include 3 | #include 4 | #include 5 | 6 | using GetProcAddy_t = FARPROC(__stdcall*)(_In_ HMODULE hModule,_In_ LPCSTR lpProcName); 7 | using CreateHook_t = uint64_t(__fastcall*)(LPVOID, LPVOID, LPVOID*); 8 | using EnableHook_t = uint64_t(__fastcall*)(LPVOID, bool); 9 | using EnableHookQueu_t = uint64_t(__stdcall*)(VOID); 10 | CreateHook_t CreateHook = nullptr; 11 | EnableHook_t EnableHook = nullptr; 12 | EnableHookQueu_t EnableHookQue = nullptr; 13 | bool init = false; 14 | bool discord_hook(uintptr_t original, uintptr_t hook, uintptr_t tramp) 15 | { 16 | if (!init) { 17 | uintptr_t discord_base = (uintptr_t)GetModuleHandleA("DiscordHook64.dll"); 18 | PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(((PIMAGE_DOS_HEADER)discord_base)->e_lfanew + discord_base); 19 | DWORD discord_size = nt->OptionalHeader.SizeOfImage; 20 | CreateHook = (CreateHook_t)utils::scanpattern(discord_base, discord_size, "41 57 41 56 56 57 55 53 48 83 EC 68 4D 89 C6 49 89 D7"); 21 | EnableHook = (EnableHook_t)utils::scanpattern(discord_base, discord_size,"41 56 56 57 53 48 83 EC 28 49 89 CE BF 01 00 00 00 31 C0 F0 ? ? ? ? ? ? ? 74"); 22 | EnableHookQue = (EnableHookQueu_t)utils::scanpattern(discord_base, discord_size, "41 57 41 56 41 55 41 54 56 57 55 53 48 83 EC 38 48 ? ? ? ? ? ? 48 31 E0 48 89 44 24 30 BE 01 00 00 00 31 C0 F0 ? ? ? ? ? ? ? 74 2B" ); 23 | init = true; 24 | } 25 | if (CreateHook((LPVOID)original, (LPVOID)hook, (LPVOID*)tramp) == 0) 26 | { 27 | if (EnableHook((LPVOID)original, true) == 0) 28 | { 29 | if (EnableHookQue() == 0) 30 | { 31 | return true; 32 | } 33 | } 34 | } 35 | 36 | return false; 37 | } 38 | std::vectordumped_shellcodes; 39 | GetProcAddy_t origalgetproc; 40 | LPVOID hookproc( 41 | _In_ HMODULE hModule, 42 | _In_ LPCSTR lpProcName) { 43 | uintptr_t retaddy = (uintptr_t)_ReturnAddress(); 44 | MEMORY_BASIC_INFORMATION mbi{ 0 }; 45 | size_t return_length{ 0 }; 46 | if (NtQueryVirtualMemory((HANDLE)-1, (PVOID)retaddy, MemoryBasicInformation, &mbi, sizeof(mbi), &return_length) == 0) { 47 | if ( 48 | mbi.State == MEM_COMMIT && 49 | mbi.Protect == PAGE_EXECUTE_READWRITE && mbi.RegionSize > 0x1000 50 | ) 51 | { 52 | if (std::find(dumped_shellcodes.begin(), dumped_shellcodes.end(), (uintptr_t)mbi.AllocationBase) == dumped_shellcodes.end()) { 53 | std::string to_stream = "C:\\Users\\weak\\Desktop\\r6dmps\\shellcode\\" + std::to_string((uintptr_t)mbi.BaseAddress) + ".dat"; //R6 has no admin rights so dont use paths like C:\file.dat 54 | printf("Call from be-shellcode dumping: %s\n", to_stream.c_str()); 55 | uintptr_t possible_shellcode_start = utils::scanpattern((uintptr_t)mbi.BaseAddress, mbi.RegionSize, "4C 89"); 56 | printf("Possible entry-rva: %x\n", possible_shellcode_start - (uintptr_t)mbi.BaseAddress); 57 | utils::CreateFileFromMemory(to_stream, (char*)mbi.BaseAddress, mbi.RegionSize); 58 | dumped_shellcodes.push_back((uintptr_t)mbi.AllocationBase); 59 | } 60 | } 61 | } 62 | return origalgetproc(hModule, lpProcName); 63 | } 64 | 65 | BOOL WINAPI DllMain( 66 | HINSTANCE hinstDLL, 67 | DWORD fdwReason, 68 | LPVOID lpReserved) 69 | { 70 | switch (fdwReason) 71 | { 72 | case DLL_PROCESS_ATTACH: { 73 | AllocConsole(); 74 | freopen("CONOUT$", "w", stdout); 75 | if (discord_hook((uintptr_t)GetProcAddress, (uintptr_t)hookproc, (uintptr_t)&origalgetproc)) 76 | printf("Hook success\n"); 77 | else 78 | printf("Hook failed\n"); 79 | break; 80 | } 81 | } 82 | return TRUE; 83 | } 84 | -------------------------------------------------------------------------------- /BEShellcodeDumper/utils.cpp: -------------------------------------------------------------------------------- 1 | #include "utils.h" 2 | 3 | uintptr_t utils::scanpattern(uintptr_t base, int size, const char* signature) 4 | { 5 | static auto patternToByte = [](const char* pattern) 6 | { 7 | auto bytes = std::vector{}; 8 | const auto start = const_cast(pattern); 9 | const auto end = const_cast(pattern) + strlen(pattern); 10 | 11 | for (auto current = start; current < end; ++current) 12 | { 13 | if (*current == '?') 14 | { 15 | ++current; 16 | if (*current == '?') 17 | ++current; 18 | bytes.push_back(-1); 19 | } 20 | else { bytes.push_back(strtoul(current, ¤t, 16)); } 21 | } 22 | return bytes; 23 | }; 24 | auto patternBytes = patternToByte(signature); 25 | const auto scanBytes = reinterpret_cast(base); 26 | 27 | const auto s = patternBytes.size(); 28 | const auto d = patternBytes.data(); 29 | 30 | for (auto i = 0ul; i < size - s; ++i) 31 | { 32 | bool found = true; 33 | for (auto j = 0ul; j < s; ++j) 34 | { 35 | if (scanBytes[i + j] != d[j] && d[j] != -1) 36 | { 37 | found = false; 38 | break; 39 | } 40 | } 41 | if (found) { return reinterpret_cast(&scanBytes[i]); } 42 | } 43 | return NULL; 44 | } 45 | 46 | bool utils::CreateFileFromMemory(const std::string& desired_file_path, const char* address, size_t size) { 47 | std::ofstream file_ofstream(desired_file_path.c_str(), std::ios_base::out | std::ios_base::binary); 48 | 49 | if (!file_ofstream.write(address, size)) { 50 | file_ofstream.close(); 51 | return false; 52 | } 53 | 54 | file_ofstream.close(); 55 | return true; 56 | } 57 | 58 | -------------------------------------------------------------------------------- /BEShellcodeDumper/utils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | namespace utils { 7 | uintptr_t scanpattern(uintptr_t base, int size, const char* signature); 8 | bool CreateFileFromMemory(const std::string& desired_file_path, const char* address, size_t size); 9 | } 10 | typedef enum _MEMORY_INFORMATION_CLASS { 11 | MemoryBasicInformation 12 | } MEMORY_INFORMATION_CLASS; 13 | extern "C" NTSYSCALLAPI NTSTATUS NtQueryVirtualMemory( 14 | HANDLE ProcessHandle, 15 | PVOID BaseAddress, 16 | MEMORY_INFORMATION_CLASS MemoryInformationClass, 17 | PVOID MemoryInformation, 18 | SIZE_T MemoryInformationLength, 19 | PSIZE_T ReturnLength 20 | ); 21 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # BEShellcodeDumper 2 | Dump Battleyes shellcode by checking the return address of GetProcAddress 3 | --------------------------------------------------------------------------------