#include <stdio.h>
#include <windows.h>
#include <winternl.h>
#include "iat.h"
// Demo of an in-process "hook" on ntdll!NtWriteVirtualMemory and its removal.
// The program (1) dumps the first bytes of the function, (2) overwrites its
// prologue so it returns without doing anything, (3) shows that a write
// through WriteProcessMemory now has no effect, (4) calls unhook() from iat.h
// and shows the write works again.  Statement order is the whole point: every
// WriteProcessMemory call below runs against whatever bytes the previous step
// left in ntdll, so the steps are not independent.
// NOTE(review): none of the Win32 calls are checked.  A NULL from
// GetModuleHandleA/GetProcAddress is dereferenced in the first printf loop,
// and a failed WriteProcessMemory is still reported as "patched"/"unhooked".
int main(){
// 6 x 0x90 (NOP) followed by 0xc3 (RET): the function returns immediately.
// Only 7 bytes are initialised and only 7 are written; patch[7] is a zero
// byte that is never used.
const char patch[8]="\x90\x90\x90\x90\x90\x90\xc3";
// Receives the bytes-written count from WriteProcessMemory; never inspected.
size_t jonk = 0;
//sample hook
// Address of the export whose bytes are dumped, patched and later restored.
void* ntwvm = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtWriteVirtualMemory");
printf("Original NtWriteVirtualMemory:\n");
// Dump the first 10 bytes so the three states (original/patched/unhooked) can be compared.
for(int i=0;i<10;i++) printf("\\x%02x", ((unsigned char*)ntwvm)[i]);
printf("\n");
// Overwrite the first 7 bytes of NtWriteVirtualMemory in this process with the
// NOP/RET patch.  From here on, any write that goes through that function is a no-op.
WriteProcessMemory(GetCurrentProcess(), ntwvm, patch, 7, &jonk);
printf("patched\n\n");
char jonklr = 'j';
char tojonk = 'k';
// Attempt to change jonklr to 'k'.  The "(unchanged)" label below documents the
// author's expectation that this call is routed through the patched stub and so
// does nothing — jonklr should still print as 'j'.
WriteProcessMemory(GetCurrentProcess(), &jonklr, &tojonk, 1, &jonk);
printf("Byte (unchanged): %c\nPatched NtWriteVirtualMemory:\n", jonklr);
for(int i=0;i<10;i++) printf("\\x%02x", ((unsigned char*)ntwvm)[i]);
printf("\n\n");
// unhook() is declared in iat.h (not in view).  Per the prints that follow, the
// author expects it to put the original bytes back so that writes work again —
// confirm against iat.h.
unhook();
printf("unhooked\n");
// Same write as before; the "(changed)" label documents the expectation that
// jonklr is now 'k'.
WriteProcessMemory(GetCurrentProcess(), &jonklr, &tojonk, 1, &jonk);
// The third dump is labelled "what the EDR sees": if unhook() worked, these bytes
// match the first dump, so a defender comparing only the in-memory bytes at this
// point sees nothing unusual; the evidence is the earlier write to ntdll's code.
printf("Byte (changed): %c\nUnhooked NtWriteVirtualMemory - what the EDR sees:\n", jonklr);
for(int i=0;i<10;i++) printf("\\x%02x", ((unsigned char*)ntwvm)[i]);
printf("\n");
// Keep the console open until a key is pressed so the output can be read.
getchar();
return 0;
}