├── BEShellcodeDumper.sln
├── BEShellcodeDumper
├── BEShellcodeDumper.vcxproj
├── BEShellcodeDumper.vcxproj.filters
├── BEShellcodeDumper.vcxproj.user
├── main.cpp
├── utils.cpp
└── utils.h
└── README.md
/BEShellcodeDumper.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31624.102
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BEShellcodeDumper", "BEShellcodeDumper\BEShellcodeDumper.vcxproj", "{5315AA30-6441-47A3-99BE-063EFDEF2052}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Debug|x64.ActiveCfg = Debug|x64
17 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Debug|x64.Build.0 = Debug|x64
18 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Debug|x86.ActiveCfg = Debug|Win32
19 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Debug|x86.Build.0 = Debug|Win32
20 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Release|x64.ActiveCfg = Release|x64
21 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Release|x64.Build.0 = Release|x64
22 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Release|x86.ActiveCfg = Release|Win32
23 | {5315AA30-6441-47A3-99BE-063EFDEF2052}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {3A2099F4-8276-4486-AD7C-F88E1F33C932}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/BEShellcodeDumper/BEShellcodeDumper.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {5315aa30-6441-47a3-99be-063efdef2052}
25 | BEShellcodeDumper
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | DynamicLibrary
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | true
76 |
77 |
78 | false
79 |
80 |
81 | true
82 |
83 |
84 | false
85 | false
86 |
87 |
88 |
89 | Level3
90 | true
91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 |
98 |
99 |
100 |
101 | Level3
102 | true
103 | true
104 | true
105 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 | true
112 | true
113 |
114 |
115 |
116 |
117 | Level3
118 | true
119 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 |
122 |
123 | Console
124 | true
125 |
126 |
127 |
128 |
129 | Level3
130 | true
131 | false
132 | true
133 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
134 | true
135 | MultiThreadedDLL
136 | false
137 |
138 |
139 | Console
140 | true
141 | true
142 | true
143 |
144 |
145 | false
146 | ntdll.lib;%(AdditionalDependencies)
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
--------------------------------------------------------------------------------
/BEShellcodeDumper/BEShellcodeDumper.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {95705bc3-0e3c-4abe-802b-0fa2bb812b95}
14 |
15 |
16 |
17 |
18 | Quelldateien
19 |
20 |
21 | Quelldateien\utils
22 |
23 |
24 |
25 |
26 | Quelldateien\utils
27 |
28 |
29 |
--------------------------------------------------------------------------------
/BEShellcodeDumper/BEShellcodeDumper.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/BEShellcodeDumper/main.cpp:
--------------------------------------------------------------------------------
1 | #include "utils.h"
2 | #include
3 | #include
4 | #include
5 |
6 | using GetProcAddy_t = FARPROC(__stdcall*)(_In_ HMODULE hModule,_In_ LPCSTR lpProcName);
7 | using CreateHook_t = uint64_t(__fastcall*)(LPVOID, LPVOID, LPVOID*);
8 | using EnableHook_t = uint64_t(__fastcall*)(LPVOID, bool);
9 | using EnableHookQueu_t = uint64_t(__stdcall*)(VOID);
10 | CreateHook_t CreateHook = nullptr;
11 | EnableHook_t EnableHook = nullptr;
12 | EnableHookQueu_t EnableHookQue = nullptr;
13 | bool init = false;
14 | bool discord_hook(uintptr_t original, uintptr_t hook, uintptr_t tramp)
15 | {
16 | if (!init) {
17 | uintptr_t discord_base = (uintptr_t)GetModuleHandleA("DiscordHook64.dll");
18 | PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(((PIMAGE_DOS_HEADER)discord_base)->e_lfanew + discord_base);
19 | DWORD discord_size = nt->OptionalHeader.SizeOfImage;
20 | CreateHook = (CreateHook_t)utils::scanpattern(discord_base, discord_size, "41 57 41 56 56 57 55 53 48 83 EC 68 4D 89 C6 49 89 D7");
21 | EnableHook = (EnableHook_t)utils::scanpattern(discord_base, discord_size,"41 56 56 57 53 48 83 EC 28 49 89 CE BF 01 00 00 00 31 C0 F0 ? ? ? ? ? ? ? 74");
22 | EnableHookQue = (EnableHookQueu_t)utils::scanpattern(discord_base, discord_size, "41 57 41 56 41 55 41 54 56 57 55 53 48 83 EC 38 48 ? ? ? ? ? ? 48 31 E0 48 89 44 24 30 BE 01 00 00 00 31 C0 F0 ? ? ? ? ? ? ? 74 2B" );
23 | init = true;
24 | }
25 | if (CreateHook((LPVOID)original, (LPVOID)hook, (LPVOID*)tramp) == 0)
26 | {
27 | if (EnableHook((LPVOID)original, true) == 0)
28 | {
29 | if (EnableHookQue() == 0)
30 | {
31 | return true;
32 | }
33 | }
34 | }
35 |
36 | return false;
37 | }
38 | std::vectordumped_shellcodes;
39 | GetProcAddy_t origalgetproc;
40 | LPVOID hookproc(
41 | _In_ HMODULE hModule,
42 | _In_ LPCSTR lpProcName) {
43 | uintptr_t retaddy = (uintptr_t)_ReturnAddress();
44 | MEMORY_BASIC_INFORMATION mbi{ 0 };
45 | size_t return_length{ 0 };
46 | if (NtQueryVirtualMemory((HANDLE)-1, (PVOID)retaddy, MemoryBasicInformation, &mbi, sizeof(mbi), &return_length) == 0) {
47 | if (
48 | mbi.State == MEM_COMMIT &&
49 | mbi.Protect == PAGE_EXECUTE_READWRITE && mbi.RegionSize > 0x1000
50 | )
51 | {
52 | if (std::find(dumped_shellcodes.begin(), dumped_shellcodes.end(), (uintptr_t)mbi.AllocationBase) == dumped_shellcodes.end()) {
53 | std::string to_stream = "C:\\Users\\weak\\Desktop\\r6dmps\\shellcode\\" + std::to_string((uintptr_t)mbi.BaseAddress) + ".dat"; //R6 has no admin rights so dont use paths like C:\file.dat
54 | printf("Call from be-shellcode dumping: %s\n", to_stream.c_str());
55 | uintptr_t possible_shellcode_start = utils::scanpattern((uintptr_t)mbi.BaseAddress, mbi.RegionSize, "4C 89");
56 | printf("Possible entry-rva: %x\n", possible_shellcode_start - (uintptr_t)mbi.BaseAddress);
57 | utils::CreateFileFromMemory(to_stream, (char*)mbi.BaseAddress, mbi.RegionSize);
58 | dumped_shellcodes.push_back((uintptr_t)mbi.AllocationBase);
59 | }
60 | }
61 | }
62 | return origalgetproc(hModule, lpProcName);
63 | }
64 |
65 | BOOL WINAPI DllMain(
66 | HINSTANCE hinstDLL,
67 | DWORD fdwReason,
68 | LPVOID lpReserved)
69 | {
70 | switch (fdwReason)
71 | {
72 | case DLL_PROCESS_ATTACH: {
73 | AllocConsole();
74 | freopen("CONOUT$", "w", stdout);
75 | if (discord_hook((uintptr_t)GetProcAddress, (uintptr_t)hookproc, (uintptr_t)&origalgetproc))
76 | printf("Hook success\n");
77 | else
78 | printf("Hook failed\n");
79 | break;
80 | }
81 | }
82 | return TRUE;
83 | }
84 |
--------------------------------------------------------------------------------
/BEShellcodeDumper/utils.cpp:
--------------------------------------------------------------------------------
1 | #include "utils.h"
2 |
3 | uintptr_t utils::scanpattern(uintptr_t base, int size, const char* signature)
4 | {
5 | static auto patternToByte = [](const char* pattern)
6 | {
7 | auto bytes = std::vector{};
8 | const auto start = const_cast(pattern);
9 | const auto end = const_cast(pattern) + strlen(pattern);
10 |
11 | for (auto current = start; current < end; ++current)
12 | {
13 | if (*current == '?')
14 | {
15 | ++current;
16 | if (*current == '?')
17 | ++current;
18 | bytes.push_back(-1);
19 | }
20 | else { bytes.push_back(strtoul(current, ¤t, 16)); }
21 | }
22 | return bytes;
23 | };
24 | auto patternBytes = patternToByte(signature);
25 | const auto scanBytes = reinterpret_cast(base);
26 |
27 | const auto s = patternBytes.size();
28 | const auto d = patternBytes.data();
29 |
30 | for (auto i = 0ul; i < size - s; ++i)
31 | {
32 | bool found = true;
33 | for (auto j = 0ul; j < s; ++j)
34 | {
35 | if (scanBytes[i + j] != d[j] && d[j] != -1)
36 | {
37 | found = false;
38 | break;
39 | }
40 | }
41 | if (found) { return reinterpret_cast(&scanBytes[i]); }
42 | }
43 | return NULL;
44 | }
45 |
46 | bool utils::CreateFileFromMemory(const std::string& desired_file_path, const char* address, size_t size) {
47 | std::ofstream file_ofstream(desired_file_path.c_str(), std::ios_base::out | std::ios_base::binary);
48 |
49 | if (!file_ofstream.write(address, size)) {
50 | file_ofstream.close();
51 | return false;
52 | }
53 |
54 | file_ofstream.close();
55 | return true;
56 | }
57 |
58 |
--------------------------------------------------------------------------------
/BEShellcodeDumper/utils.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 | #include
6 | namespace utils {
7 | uintptr_t scanpattern(uintptr_t base, int size, const char* signature);
8 | bool CreateFileFromMemory(const std::string& desired_file_path, const char* address, size_t size);
9 | }
10 | typedef enum _MEMORY_INFORMATION_CLASS {
11 | MemoryBasicInformation
12 | } MEMORY_INFORMATION_CLASS;
13 | extern "C" NTSYSCALLAPI NTSTATUS NtQueryVirtualMemory(
14 | HANDLE ProcessHandle,
15 | PVOID BaseAddress,
16 | MEMORY_INFORMATION_CLASS MemoryInformationClass,
17 | PVOID MemoryInformation,
18 | SIZE_T MemoryInformationLength,
19 | PSIZE_T ReturnLength
20 | );
21 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # BEShellcodeDumper
2 | Dump Battleyes shellcode by checking the return address of GetProcAddress
3 |
--------------------------------------------------------------------------------