添加项目文件。

This commit is contained in:
Huoji's
2021-01-01 13:54:35 +08:00
parent 7820c31aeb
commit 0c587f9dc5
10 changed files with 958 additions and 0 deletions

51
CowInject.sln Normal file

@@ -0,0 +1,51 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.29613.14
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CowInject", "CowInject\CowInject.vcxproj", "{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM = Debug|ARM
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|ARM = Release|ARM
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM.ActiveCfg = Debug|ARM
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM.Build.0 = Debug|ARM
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM.Deploy.0 = Debug|ARM
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM64.ActiveCfg = Debug|ARM64
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM64.Build.0 = Debug|ARM64
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM64.Deploy.0 = Debug|ARM64
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x64.ActiveCfg = Debug|x64
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x64.Build.0 = Debug|x64
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x64.Deploy.0 = Debug|x64
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x86.ActiveCfg = Debug|Win32
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x86.Build.0 = Debug|Win32
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x86.Deploy.0 = Debug|Win32
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM.ActiveCfg = Release|ARM
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM.Build.0 = Release|ARM
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM.Deploy.0 = Release|ARM
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM64.ActiveCfg = Release|ARM64
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM64.Build.0 = Release|ARM64
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM64.Deploy.0 = Release|ARM64
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x64.ActiveCfg = Release|x64
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x64.Build.0 = Release|x64
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x64.Deploy.0 = Release|x64
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x86.ActiveCfg = Release|Win32
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x86.Build.0 = Release|Win32
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x86.Deploy.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {8B54FB70-B3D2-4C49-87D4-AED93842E605}
EndGlobalSection
EndGlobal

32
CowInject/CowInject.inf Normal file

@@ -0,0 +1,32 @@
;
; CowInject.inf
;
[Version]
Signature="$WINDOWS NT$"
Class=System
ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
Provider=%ManufacturerName%
DriverVer=
CatalogFile=CowInject.cat
[DestinationDirs]
DefaultDestDir = 12
[SourceDisksNames]
1 = %DiskName%,,,""
[SourceDisksFiles]
[Manufacturer]
%ManufacturerName%=Standard,NT$ARCH$
[Standard.NT$ARCH$]
[Strings]
ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
ClassName=""
DiskName="CowInject Source Disk"

166
CowInject/CowInject.vcxproj Normal file

@@ -0,0 +1,166 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}</ProjectGuid>
<TemplateGuid>{dd38f7fc-d7bd-488b-9242-7d8754cde80d}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
<Configuration>Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>CowInject</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<TargetVersion>Windows7</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<EnableInf2cat>false</EnableInf2cat>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
<BufferSecurityCheck>false</BufferSecurityCheck>
<Optimization>MinSpace</Optimization>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<IntrinsicFunctions>true</IntrinsicFunctions>
<WholeProgramOptimization>false</WholeProgramOptimization>
</ClCompile>
</ItemDefinitionGroup>
<ItemGroup>
<Inf Include="CowInject.inf" />
</ItemGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="helper.cpp" />
<ClCompile Include="main.cpp" />
<ClCompile Include="shell_code_end.cpp" />
<ClCompile Include="shell_code_start.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="head.h" />
<ClInclude Include="main.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
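Review bot: The Release|x64 configuration switches off the stack protector and the Spectre mitigations (`<BufferSecurityCheck>false</BufferSecurityCheck>` and `<SpectreMitigation>false</SpectreMitigation>`) while every other configuration keeps the toolset defaults; for kernel-mode code these are the cheapest hardening the compiler offers, and disabling them in the shipped build removes the /GS cookie from every stack buffer in the driver. Release|x64 is also the only configuration with `<TargetVersion>Windows7</TargetVersion>` and `<EnableInf2cat>false</EnableInf2cat>`, so the release binary is built against a different platform baseline than the Debug|x64 build that gets exercised under the kernel debugger. Unless the size-optimised release build has a documented reason for these overrides, set `<BufferSecurityCheck>true</BufferSecurityCheck>`, drop the `SpectreMitigation` element and align `TargetVersion` with the other configurations so Release|x64 differs from Debug|x64 only in optimisation.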


@@ -0,0 +1,54 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Driver Files">
<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
<Extensions>inf;inv;inx;mof;mc;</Extensions>
</Filter>
<Filter Include="Source Files\Shellcode">
<UniqueIdentifier>{41db35f4-72e8-49d7-81ea-9a18fea3e160}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\ThirdParty">
<UniqueIdentifier>{9e17b26d-f5cd-4288-962a-5943271da071}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<Inf Include="CowInject.inf">
<Filter>Driver Files</Filter>
</Inf>
</ItemGroup>
<ItemGroup>
<ClInclude Include="head.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="main.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="shell_code_start.cpp">
<Filter>Source Files\Shellcode</Filter>
</ClCompile>
<ClCompile Include="shell_code_end.cpp">
<Filter>Source Files\Shellcode</Filter>
</ClCompile>
<ClCompile Include="helper.cpp">
<Filter>Source Files\ThirdParty</Filter>
</ClCompile>
</ItemGroup>
</Project>

232
CowInject/head.h Normal file

@@ -0,0 +1,232 @@
#pragma once
#include <ntifs.h>
#include <ntstrsafe.h>
#include <ntimage.h>
#include <WinDef.h>
#include <intrin.h>
#define DebugPrintA(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,__VA_ARGS__)
#define HUOJI_POOL_TAG 'huoJ'
#define CALCSIZE(n,f) (ULONG_PTR)f - (ULONG_PTR)n
#define PAGE_ALIGN(Va) ((PVOID)((ULONG_PTR)(Va) & ~(PAGE_SIZE - 1)))
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(unsigned __int64 *)(name)
#define DEREF_32( name )*(unsigned long *)(name)
#define DEREF_16( name )*(unsigned short *)(name)
#define DEREF_8( name )*(UCHAR *)(name)
typedef HMODULE(WINAPI* LOADLIBRARYA)(LPCSTR);
typedef FARPROC(WINAPI* GETPROCADDRESS)(HMODULE, LPCSTR);
typedef LPVOID(WINAPI* VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
typedef DWORD(NTAPI* NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);
typedef BOOL(WINAPI* ReadFileT)(HANDLE, LPVOID, DWORD, LPDWORD, PVOID);
typedef DWORD(WINAPI* GetFileSizeT)(HANDLE, LPDWORD);
typedef BOOL(WINAPI* CloseHandleT)(HANDLE);
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
#define HASH_KEY 13
#define DLL_PROCESS_ATTACH 1
#define DLL_THREAD_ATTACH 2
#define DLL_THREAD_DETACH 3
#define DLL_PROCESS_DETACH 0
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation, // 0x00 SYSTEM_BASIC_INFORMATION
SystemProcessorInformation, // 0x01 SYSTEM_PROCESSOR_INFORMATION
SystemPerformanceInformation, // 0x02
SystemTimeOfDayInformation, // 0x03
SystemPathInformation, // 0x04
SystemProcessInformation, // 0x05
SystemCallCountInformation, // 0x06
SystemDeviceInformation, // 0x07
SystemProcessorPerformanceInformation, // 0x08
SystemFlagsInformation, // 0x09
SystemCallTimeInformation, // 0x0A
SystemModuleInformation, // 0x0B SYSTEM_MODULE_INFORMATION
SystemLocksInformation, // 0x0C
SystemStackTraceInformation, // 0x0D
SystemPagedPoolInformation, // 0x0E
SystemNonPagedPoolInformation, // 0x0F
SystemHandleInformation, // 0x10
SystemObjectInformation, // 0x11
SystemPageFileInformation, // 0x12
SystemVdmInstemulInformation, // 0x13
SystemVdmBopInformation, // 0x14
SystemFileCacheInformation, // 0x15
SystemPoolTagInformation, // 0x16
SystemInterruptInformation, // 0x17
SystemDpcBehaviorInformation, // 0x18
SystemFullMemoryInformation, // 0x19
SystemLoadGdiDriverInformation, // 0x1A
SystemUnloadGdiDriverInformation, // 0x1B
SystemTimeAdjustmentInformation, // 0x1C
SystemSummaryMemoryInformation, // 0x1D
SystemNextEventIdInformation, // 0x1E
SystemEventIdsInformation, // 0x1F
SystemCrashDumpInformation, // 0x20
SystemExceptionInformation, // 0x21
SystemCrashDumpStateInformation, // 0x22
SystemKernelDebuggerInformation, // 0x23
SystemContextSwitchInformation, // 0x24
SystemRegistryQuotaInformation, // 0x25
SystemExtendServiceTableInformation, // 0x26
SystemPrioritySeperation, // 0x27
SystemPlugPlayBusInformation, // 0x28
SystemDockInformation, // 0x29
//SystemPowerInformation, // 0x2A
//SystemProcessorSpeedInformation, // 0x2B
//SystemCurrentTimeZoneInformation, // 0x2C
//SystemLookasideInformation // 0x2D
} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
typedef BOOL(WINAPI* DLLMAIN)(HINSTANCE, DWORD, LPVOID);
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImages;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
ULONG CheckSum;
};
};
union {
struct {
ULONG TimeDateStamp;
};
struct {
PVOID LoadedImports;
};
};
}LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
typedef struct
{
WORD offset : 12;
WORD type : 4;
} IMAGE_RELOC, * PIMAGE_RELOC;
typedef struct _NT_PROC_THREAD_ATTRIBUTE_ENTRY
{
ULONG Attribute; // PROC_THREAD_ATTRIBUTE_XXX
SIZE_T Size;
ULONG_PTR Value;
ULONG Unknown;
} NT_PROC_THREAD_ATTRIBUTE_ENTRY, * NT_PPROC_THREAD_ATTRIBUTE_ENTRY;
typedef struct _NT_PROC_THREAD_ATTRIBUTE_LIST
{
ULONG Length;
NT_PROC_THREAD_ATTRIBUTE_ENTRY Entry[1];
} NT_PROC_THREAD_ATTRIBUTE_LIST, * PNT_PROC_THREAD_ATTRIBUTE_LIST;
typedef struct _SECURITY_ATTRIBUTES {
DWORD nLength;
LPVOID lpSecurityDescriptor;
BOOL bInheritHandle;
} SECURITY_ATTRIBUTES, * PSECURITY_ATTRIBUTES, * LPSECURITY_ATTRIBUTES;
typedef HANDLE(WINAPI* CreateFileWT)(
_In_ LPCWSTR lpFileName,
_In_ DWORD dwDesiredAccess,
_In_ DWORD dwShareMode,
_In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
_In_ DWORD dwCreationDisposition,
_In_ DWORD dwFlagsAndAttributes,
_In_opt_ HANDLE hTemplateFile
);
typedef DWORD(WINAPI* GetModuleFileNameWT)(HMODULE hModule, LPCWSTR lpFilename, DWORD nSize);
typedef wchar_t* (WINAPI* wcsstrAt)(wchar_t const* _String1, wchar_t const* _String);
typedef HMODULE(WINAPI* LoadLibraryWT)(_In_ LPCWSTR lpLibFileName);
#ifdef __cplusplus
extern "C"
{
#endif
#include <NTDDK.h>
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
IN PUNICODE_STRING ObjectName,
IN ULONG Attributes,
IN PACCESS_STATE PassedAccessState,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext,
OUT PVOID* Object
);
extern POBJECT_TYPE* IoDriverObjectType;
ULONG
NTAPI
KeCapturePersistentThreadState(
IN PCONTEXT Context,
IN PKTHREAD Thread,
IN ULONG BugCheckCode,
IN ULONG BugCheckParameter1,
IN ULONG BugCheckParameter2,
IN ULONG BugCheckParameter3,
IN ULONG BugCheckParameter4,
OUT PVOID VirtualAddress
);
NTSYSAPI
PVOID
NTAPI
RtlImageDirectoryEntryToData(
PVOID ImageBase,
BOOLEAN MappedAsImage,
USHORT DirectoryEntry,
PULONG Size
);
NTKERNELAPI
PPEB
NTAPI
PsGetProcessPeb(IN PEPROCESS Process);
NTKERNELAPI PVOID NTAPI PsGetProcessWow64Process(IN PEPROCESS Process);
NTSYSAPI
NTSTATUS
NTAPI
ZwProtectVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID* BaseAddress,
IN OUT SIZE_T* NumberOfBytesToProtect,
IN ULONG NewAccessProtection,
OUT PULONG OldAccessProtection
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
OUT PVOID ThreadInformation,
IN ULONG ThreadInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
#ifdef __cplusplus
}
#endif
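Review bot: The helper macros at the top of the header are not parenthesised: `#define CALCSIZE(n,f) (ULONG_PTR)f - (ULONG_PTR)n` and the `DEREF*` family expand to a bare `*(type *)(name)`, so `CALCSIZE(a,b) * 2` multiplies only the `n` term and `DEREF_32(p)++` binds the increment to the operand rather than to the loaded value. Wrap every expansion, e.g. `#define CALCSIZE(n,f) ((ULONG_PTR)(f) - (ULONG_PTR)(n))` and `#define DEREF_32( name ) (*(unsigned long *)(name))`, and do the same for `DEREF`, `DEREF_64`, `DEREF_16` and `DEREF_8`. `PAGE_ALIGN` appears to be byte-identical to the WDK's own definition in wdm.h and can presumably be dropped. `_LDR_DATA_TABLE_ENTRY` and `SYSTEM_INFORMATION_CLASS` are private redeclarations of undocumented layouts, and `ObReferenceObjectByName`/`KeCapturePersistentThreadState` are declared but never used in this commit; a header comment stating which Windows builds the layouts were checked against, and removing the unused prototypes, would make the file much easier to audit.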

143
CowInject/helper.cpp Normal file

@@ -0,0 +1,143 @@
#include "head.h"
/*
from google
*/
ULONG_PTR GetProcAddressR(ULONG_PTR hModule, const char* lpProcName, BOOL x64Module)
{
UINT_PTR uiLibraryAddress = 0;
ULONG_PTR fpResult = NULL;
if (hModule == NULL)
return NULL;
// a module handle is really its base address
uiLibraryAddress = (UINT_PTR)hModule;
__try
{
UINT_PTR uiAddressArray = 0;
UINT_PTR uiNameArray = 0;
UINT_PTR uiNameOrdinals = 0;
PIMAGE_NT_HEADERS32 pNtHeaders32 = NULL;
PIMAGE_NT_HEADERS64 pNtHeaders64 = NULL;
PIMAGE_DATA_DIRECTORY pDataDirectory = NULL;
PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;
// get the VA of the modules NT Header
pNtHeaders32 = (PIMAGE_NT_HEADERS32)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
pNtHeaders64 = (PIMAGE_NT_HEADERS64)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
if (x64Module)
{
pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
}
else
{
pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
}
// get the VA of the export directory
pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(uiLibraryAddress + pDataDirectory->VirtualAddress);
// get the VA for the array of addresses
uiAddressArray = (uiLibraryAddress + pExportDirectory->AddressOfFunctions);
// get the VA for the array of name pointers
uiNameArray = (uiLibraryAddress + pExportDirectory->AddressOfNames);
// get the VA for the array of name ordinals
uiNameOrdinals = (uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals);
// test if we are importing by name or by ordinal...
if ((PtrToUlong(lpProcName) & 0xFFFF0000) == 0x00000000)
{
// import by ordinal...
// use the import ordinal (- export ordinal base) as an index into the array of addresses
uiAddressArray += ((IMAGE_ORDINAL(PtrToUlong(lpProcName)) - pExportDirectory->Base) * sizeof(unsigned long));
// resolve the address for this imported function
fpResult = (ULONG_PTR)(uiLibraryAddress + DEREF_32(uiAddressArray));
}
else
{
// import by name...
unsigned long dwCounter = pExportDirectory->NumberOfNames;
while (dwCounter--)
{
char* cpExportedFunctionName = (char*)(uiLibraryAddress + DEREF_32(uiNameArray));
// test if we have a match...
if (strcmp(cpExportedFunctionName, lpProcName) == 0)
{
// use the functions name ordinal as an index into the array of name pointers
uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(unsigned long));
// calculate the virtual address for the function
fpResult = (ULONG_PTR)(uiLibraryAddress + DEREF_32(uiAddressArray));
// finish...
break;
}
// get the next exported function name
uiNameArray += sizeof(unsigned long);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(unsigned short);
}
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
fpResult = NULL;
}
return fpResult;
}
/*
from blackbone
*/
LONG BlackBoneSafeSearchString(IN PUNICODE_STRING source, IN PUNICODE_STRING target, IN BOOLEAN CaseInSensitive)
{
ASSERT(source != NULL && target != NULL);
if (source == NULL || target == NULL || source->Buffer == NULL || target->Buffer == NULL)
return STATUS_INVALID_PARAMETER;
// Size mismatch
if (source->Length < target->Length)
return -1;
USHORT diff = source->Length - target->Length;
for (USHORT i = 0; i <= (diff / sizeof(WCHAR)); i++)
{
if (RtlCompareUnicodeStrings(
source->Buffer + i,
target->Length / sizeof(WCHAR),
target->Buffer,
target->Length / sizeof(WCHAR),
CaseInSensitive
) == 0)
{
return i;
}
}
return -1;
}
/*
from windows explorer
*/
bool _memcpy(PVOID address, PVOID target_address, ULONG length)
{
bool result = false;
PHYSICAL_ADDRESS physicial_address;
physicial_address = MmGetPhysicalAddress(address);
if (physicial_address.QuadPart)
{
PVOID maped_mem = MmMapIoSpace(physicial_address, length, MmNonCached);
if (maped_mem)
{
memcpy(maped_mem, target_address, length);
MmUnmapIoSpace(maped_mem, length);
result = true;
}
}
return result;
}
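Review bot: `BlackBoneSafeSearchString` returns `STATUS_INVALID_PARAMETER` when an argument or its `Buffer` is NULL, but its other failure path returns `-1` and the only caller in main.cpp tests `!= -1`, so a NULL `BaseDllName.Buffer` is reported as a match; return `-1` on that path as well, or have callers test `>= 0`. `_memcpy` takes a single physical address from the first byte of `address` and then copies `length` bytes through that one mapping, so a range that crosses a page boundary writes its tail into whatever physical page happens to follow; since nothing restricts `length` to the remainder of the page, add `if ((ULONG_PTR)address + length > (ULONG_PTR)PAGE_ALIGN(address) + PAGE_SIZE) return false;` before `MmMapIoSpace`, and note that every caller in main.cpp discards its `false` result. In `GetProcAddressR`, the export directory is dereferenced without checking `pDataDirectory->VirtualAddress` or `Size`, and the surrounding `__try` is the only guard; kernel-mode SEH does not catch a fault on an invalid kernel-mode address, so that guard only helps while the image being parsed lives at a user-mode address.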

240
CowInject/main.cpp Normal file

@@ -0,0 +1,240 @@
#include "head.h"
#include "main.h"
struct moudle_info
{
uintptr_t bsae;
uintptr_t size;
};
bool get_moudle_base(PEPROCESS process, moudle_info* kernel32, moudle_info* ntdll, moudle_info* kernelbase) {
PPEB peb = PsGetProcessPeb(process);
bool result = false;
if (peb == NULL)
return result;
DebugPrintA("process peb: %p \n", peb);
//PEB + 0x18 = PEB.Ldr
auto peb_ldr = *(PDWORD64)((PUCHAR)peb + 0x18);
//Pebldr + 0x10 = InLoadOrderModuleList
PLIST_ENTRY module_list_head = (PLIST_ENTRY)((PUCHAR)peb_ldr + 0x10);
PLIST_ENTRY moudle = module_list_head->Flink;
/*
win7: kernel32.dll
win10: KERNEL32.DLL
*/
wchar_t moudle_list[][15] = {
{L"kernel32.dll"},
{L"ntdll.dll"},
{L"kernelbase.dll"},
};
while (module_list_head != moudle)
{
PLDR_DATA_TABLE_ENTRY info = (PLDR_DATA_TABLE_ENTRY)moudle;
UNICODE_STRING str_moudle_name;
for (size_t i = 0; i < sizeof(moudle_list); i++)
{
RtlInitUnicodeString(&str_moudle_name, moudle_list[i]);
if (BlackBoneSafeSearchString(&info->BaseDllName, &str_moudle_name, true) != -1)
{
DebugPrintA("MoudleBase %p Size %p Name %wZ\n", info->DllBase, info->SizeOfImages, info->BaseDllName);
if (i == 0) {
kernel32->bsae = (uintptr_t)info->DllBase;
kernel32->size = (uintptr_t)info->SizeOfImages;
}
if (i == 1) {
ntdll->bsae = (uintptr_t)info->DllBase;
ntdll->size = (uintptr_t)info->SizeOfImages;
}
if (i == 2) {
kernelbase->bsae = (uintptr_t)info->DllBase;
kernelbase->size = (uintptr_t)info->SizeOfImages;
}
break;
}
}
if (kernel32->bsae && ntdll->bsae && kernelbase->bsae)
break;
moudle = moudle->Flink;
}
result = kernel32->bsae != NULL && ntdll->bsae != NULL && kernelbase->bsae != NULL;
DebugPrintA("kernel32->bsae %p sizeof:%p ntdll->bsae %p kernelbase->bsae %p result: %d \n", kernel32->bsae, kernel32->size, ntdll->bsae, kernelbase->bsae, result);
return result;
}
uintptr_t get_free_speace(uintptr_t base, size_t size, size_t need_size) {
size_t return_length;
for (uintptr_t address = (uintptr_t)base; address <= (uintptr_t)base + size; address += sizeof(uintptr_t)) {
__try
{
ProbeForRead((void*)address, need_size, 0x1);
if (*(uintptr_t*)address == 0x00 || *(uintptr_t*)address == 0x90)
{
MEMORY_BASIC_INFORMATION memory_information = { 0 };
NTSTATUS status = ZwQueryVirtualMemory(NtCurrentProcess(), (PVOID)address, (MEMORY_INFORMATION_CLASS)0, &memory_information, need_size, &return_length);
if (NT_SUCCESS(status)) {
if ((memory_information.Protect == PAGE_EXECUTE || memory_information.Protect == PAGE_EXECUTE_READ || memory_information.Protect == PAGE_EXECUTE_READWRITE || memory_information.Protect == PAGE_EXECUTE_WRITECOPY) == false) {
continue;
}
}
DebugPrintA("address : %p \n", address);
uintptr_t count = 0;
bool is_good = true;
uintptr_t max_count = 0;
for (; count < need_size && is_good; count += sizeof(uintptr_t))
{
max_count++;
auto check_ptr = (uintptr_t*)((PUCHAR)address + count);
if (*check_ptr != 0x0 && *check_ptr != 0x90)
{
is_good = false;
break;
}
}
if (is_good) {
DebugPrintA("location Cow virtual address : %p \n", address);
return address;
}
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
continue;
}
}
return NULL;
}
VOID DriverUnload(PDRIVER_OBJECT driver)
{
DebugPrintA("[DebugMessage] Unload Driver");
}
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
DebugPrintA("init Driver \n");
/*
<09><>ʼ<EFBFBD><CABC>shellcode
*/
//uintptr_t size_of_shellcode = CALCSIZE(HkCreateFileW, ShellCodeEnd);
uintptr_t size_of_shellcode = sizeof(HookCode);
DebugPrintA("shell code size: %p \n", size_of_shellcode);
/*
get a x64 process
*/
for (uintptr_t i = 8; i < 100000000; i = i + 4)
{
PEPROCESS _eprocess = NULL;
NTSTATUS nt_status = PsLookupProcessByProcessId((HANDLE)i, &_eprocess);
if (NT_SUCCESS(nt_status) && _eprocess != NULL)
{
ObDereferenceObject(_eprocess);
bool is_x64_process = PsGetProcessWow64Process(_eprocess) == NULL;
if (is_x64_process) {
KAPC_STATE apc;
KeStackAttachProcess(_eprocess, &apc);
moudle_info kernel32 = {0};
moudle_info ntdll = { 0 };
moudle_info kernelbase = { 0 };
/*
is x64 process, get kernel32.dll and kernelbase.dll and ntdll.dll base
*/
if (get_moudle_base(_eprocess, &kernel32, &ntdll, &kernelbase)) {
uintptr_t kernel32_loadlibrary = GetProcAddressR(kernel32.bsae, "LoadLibraryW", TRUE);
uintptr_t ntdll_wcsstr = GetProcAddressR(ntdll.bsae, "wcsstr", TRUE);
uintptr_t kernelbase_GetModuleFileNameW = GetProcAddressR(kernelbase.bsae, "GetModuleFileNameW", TRUE);
uintptr_t kernelbase_CreateFileW = GetProcAddressR(kernelbase.bsae, "CreateFileW", TRUE);
if (kernel32_loadlibrary && ntdll_wcsstr && kernelbase_GetModuleFileNameW && kernelbase_CreateFileW) {
uintptr_t hook_function = get_free_speace(kernel32.bsae, kernel32.size, size_of_shellcode + sizeof(void*) + sizeof(CreateFileWT));
if (hook_function) {
/*
Copy shellcode to freespeace
*/
_memcpy((PVOID)hook_function, (PVOID)HookCode, size_of_shellcode);
/*
hook
*/
BYTE _mov_rax[] = {
0x48, 0xB8 // mov rax, [xxx]
};
BYTE _jmp_rax[] = {
0xFF, 0xE0, // jmp rax
};
BYTE shell_code_jmp_back[] = {
0xCC, 0xCC, //mov rax
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, //void*
0xCC, 0xCC, //jmp rax
};
uintptr_t function_offset = kernelbase_CreateFileW;
//backup
_memcpy(shell_code_jmp_back, (void*)function_offset, sizeof(shell_code_jmp_back));
/*
hook_function -> origin_code
*/
function_offset = hook_function + size_of_shellcode;
uintptr_t jmp_back = function_offset;
_memcpy((void*)function_offset, shell_code_jmp_back, sizeof(shell_code_jmp_back));
function_offset += sizeof(shell_code_jmp_back);
/*
origin_code -> jmp CreateFileW
*/
uintptr_t jmp_offset = kernelbase_CreateFileW + sizeof(_mov_rax) + sizeof(_jmp_rax) + sizeof(void*);
_memcpy((void*)function_offset, _mov_rax, sizeof(_mov_rax));
function_offset += sizeof(_mov_rax);
_memcpy((void*)function_offset, &jmp_offset, sizeof(void*));
function_offset += sizeof(void*);
_memcpy((void*)function_offset, _jmp_rax, sizeof(_jmp_rax));
/*
location shellcode function
*/
for (int i = 0; i < size_of_shellcode; i++)
{
auto write_ptr = (uintptr_t*)((PUCHAR)hook_function + i);
if (*write_ptr == 0x1234567812345678)
{
_memcpy((void*)write_ptr, (void*)&jmp_back, sizeof(uintptr_t));
DebugPrintA("[jmp_back]Fix KernelBase.CreateFileW %p \n", jmp_back);
}
if (*write_ptr == 0x1234567891ABCDEF)
{
_memcpy((void*)write_ptr, (void*)&ntdll_wcsstr, sizeof(uintptr_t));
DebugPrintA("Fix Ntdll.wcsstr %p \n", ntdll_wcsstr);
}
if (*write_ptr == 0x1337567891ABCDEF)
{
_memcpy((void*)write_ptr, (void*)&kernelbase_GetModuleFileNameW, sizeof(uintptr_t));
DebugPrintA("Fix KernelBase.GetModuleFileNameW %p \n", kernelbase_GetModuleFileNameW);
}
if (*write_ptr == 0x1234567891AB1337)
{
_memcpy((void*)write_ptr, (void*)&kernel32_loadlibrary, sizeof(uintptr_t));
DebugPrintA("Fix kernel32.loadlibrary %p \n", kernel32_loadlibrary);
}
}
/*
CreateFileW -> hook_function
*/
function_offset = kernelbase_CreateFileW;
_memcpy((void*)function_offset, _mov_rax, sizeof(_mov_rax));
function_offset += sizeof(_mov_rax);
_memcpy((void*)function_offset, &hook_function, sizeof(void*));
function_offset += sizeof(void*);
_memcpy((void*)function_offset, _jmp_rax, sizeof(_jmp_rax));
DebugPrintA("success hooked at: %p \n", hook_function);
} else {
DebugPrintA("can not get free speace for shellcode \n");
}
}
else {
DebugPrintA("can not get export function\n");
}
}
KeUnstackDetachProcess(&apc);
break;
}
}
}
driver->DriverUnload = DriverUnload;
return STATUS_UNSUCCESSFUL;
}
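Review bot: `ObDereferenceObject(_eprocess)` is called immediately after the lookup succeeds, before `PsGetProcessWow64Process`, `KeStackAttachProcess` and `get_moudle_base` use the same `_eprocess`; the reference returned by `PsLookupProcessByProcessId` should be released only after `KeUnstackDetachProcess(&apc)`, with a matching `ObDereferenceObject` on the WoW64 path so it is not leaked there. In `get_moudle_base`, `for (size_t i = 0; i < sizeof(moudle_list); i++)` iterates over the byte size of the array (3 × 15 × `sizeof(wchar_t)`), not its three entries, so `moudle_list[i]` is read out of bounds as soon as a module matches none of the names and `i` reaches 3; use `sizeof(moudle_list) / sizeof(moudle_list[0])`. `ZwQueryVirtualMemory` in `get_free_speace` is passed `need_size` as the length of `memory_information`, which is the size of the code to be copied rather than `sizeof(memory_information)`, and `return_length` is neither initialised nor read — presumably harmless only because information class 0 writes a fixed-size record. `DriverEntry` ignores `reg_path`, assigns `DriverUnload` and then unconditionally returns `STATUS_UNSUCCESSFUL`, so the unload routine can never run; a comment saying whether the rejected load is intentional would save the next reader a debugging session.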

11
CowInject/main.h Normal file

@@ -0,0 +1,11 @@
#pragma once
extern HANDLE __stdcall HkCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
extern int __stdcall ShellCodeEnd();
extern ULONG_PTR GetProcAddressR(ULONG_PTR hModule, const char* lpProcName, BOOL x64Module);
extern LONG BlackBoneSafeSearchString(IN PUNICODE_STRING source, IN PUNICODE_STRING target, IN BOOLEAN CaseInSensitive);
extern bool _memcpy(PVOID address, PVOID target_address, ULONG length);
//see shell_code_start ,fuck gcc, aways broken shellcode
static BYTE HookCode[] = {
0x48,0x8B,0xC4,0x48,0x89,0x58,0x08,0x48,0x89,0x70,0x10,0x48,0x89,0x78,0x18,0x55,0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,0x48,0x8D,0xA8,0xF8,0xFD,0xFF,0xFF,0x48,0x81,0xEC,0xE0,0x02,0x00,0x00,0x45,0x33,0xED,0xC7,0x44,0x24,0x40,0x43,0x00,0x3A,0x00,0x41,0x8B,0xF0,0x66,0x44,0x89,0x6C,0x24,0x58,0x44,0x8B,0xF2,0x66,0x44,0x89,0x6C,0x24,0x78,0x48,0x8B,0xD9,0x66,0x44,0x89,0x6D,0xC0,0x41,0xB8,0x04,0x01,0x00,0x00,0xC7,0x44,0x24,0x44,0x5C,0x00,0x68,0x00,0x48,0x8D,0x55,0xD0,0xC7,0x44,0x24,0x48,0x75,0x00,0x6F,0x00,0x33,0xC9,0xC7,0x44,0x24,0x4C,0x6A,0x00,0x69,0x00,0x48,0xB8,0xEF,0xCD,0xAB,0x91,0x78,0x56,0x37,0x13,0xC7,0x44,0x24,0x50,0x2E,0x00,0x64,0x00,0x49,0x8B,0xF9,0xC7,0x44,0x24,0x54,0x6C,0x00,0x6C,0x00,0xC7,0x44,0x24,0x60,0x43,0x00,0x3A,0x00,0xC7,0x44,0x24,0x64,0x5C,0x00,0x6E,0x00,0xC7,0x44,0x24,0x68,0x74,0x00,0x64,0x00,0xC7,0x44,0x24,0x6C,0x6C,0x00,0x6C,0x00,0xC7,0x44,0x24,0x70,0x2E,0x00,0x64,0x00,0xC7,0x44,0x24,0x74,0x6C,0x00,0x6C,0x00,0xC7,0x45,0xA0,0x43,0x00,0x6F,0x00,0xC7,0x45,0xA4,0x6E,0x00,0x61,0x00,0xC7,0x45,0xA8,0x6E,0x00,0x53,0x00,0xC7,0x45,0xAC,0x61,0x00,0x6E,0x00,0xC7,0x45,0xB0,0x64,0x00,0x62,0x00,0xC7,0x45,0xB4,0x6F,0x00,0x78,0x00,0xC7,0x45,0xB8,0x2E,0x00,0x65,0x00,0xC7,0x45,0xBC,0x78,0x00,0x65,0x00,0xC7,0x45,0x80,0x42,0x00,0x45,0x00,0xC7,0x45,0x84,0x53,0x00,0x65,0x00,0xC7,0x45,0x88,0x72,0x00,0x76,0x00,0xC7,0x45,0x8C,0x69,0x00,0x63,0x00,0xC7,0x45,0x90,0x65,0x00,0x2E,0x00,0xC7,0x45,0x94,0x65,0x00,0x78,0x00,0xC7,0x45,0x98,0x65,0x00,0x00,0x00,0xFF,0xD0,0x48,0x8D,0x55,0xA0,0x49,0xBF,0xEF,0xCD,0xAB,0x91,0x78,0x56,0x34,0x12,0x48,0x8D,0x4D,0xD0,0x41,0xFF,0xD7,0x48,0x85,0xC0,0x74,0x11,0x48,0x8D,0x4C,0x24,0x40,0x48,0xB8,0x37,0x13,0xAB,0x91,0x78,0x56,0x34,0x12,0xFF,0xD0,0x48,0x8D,0x55,0x80,0x48,0x8D,0x4D,0xD0,0x41,0xFF,0xD7,0x48,0x8B,0xCB,0x48,0x85,0xC0,0x74,0x14,0x48,0x8D,0x54,0x24,0x40,0x41,0xFF,0xD7,0x48,0x85,0xC0,0x48,0x8D,0x4C,0x24,0x60,0x48,0x0F,0x44,0xCB,0x48,0x8B,0x85,0x40,0x02,0x00,0x00,0x4C,0x8B,0xCF,0x48,0x89,0x44,0x24,0x30,0x44,0x8B,0xC6,0x8B,0x85,0x38,0x02,0x00,
0x00,0x41,0x8B,0xD6,0x89,0x44,0x24,0x28,0x8B,0x85,0x30,0x02,0x00,0x00,0x89,0x44,0x24,0x20,0x48,0xB8,0x78,0x56,0x34,0x12,0x78,0x56,0x34,0x12,0xFF,0xD0,0x4C,0x8D,0x9C,0x24,0xE0,0x02,0x00,0x00,0x49,0x8B,0x5B,0x30,0x49,0x8B,0x73,0x38,0x49,0x8B,0x7B,0x40,0x49,0x8B,0xE3,0x41,0x5F,0x41,0x5E,0x41,0x5D,0x41,0x5C,0x5D,0xC3,0xCC,
};
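Review bot: The `extern` declarations of `HkCreateFileW` and `ShellCodeEnd` have no definition anywhere in this commit — shell_code_start.cpp is a single block comment — and they link only because their sole use, `CALCSIZE(HkCreateFileW, ShellCodeEnd)` in main.cpp, is commented out too. Either remove the two prototypes or add a comment stating that they are intentionally unresolved and kept for reference. The comment above `HookCode` should also name the exact source revision the bytes were produced from, since the array cannot otherwise be checked against anything.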


@@ -0,0 +1 @@
#include "head.h"


@@ -0,0 +1,28 @@
#include "head.h"
//shellcode just like:
/*
HANDLE __stdcall HookCreateFileW(LPCWSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile) {
CreateFileWT oCreateFileW = (CreateFileWT)0x1234567812345678;
wcsstrAt oWcsstr = (wcsstrAt)0x1234567891ABCDEF;
GetModuleFileNameWT oGetModuleFileNameW = (GetModuleFileNameWT)0x1337567891ABCDEF;
LoadLibraryWT oLoadLibraryW = (LoadLibraryWT)0x1234567891AB1337;
wchar_t CheatPath[] = { 'C',':','\\','h','u','o','j','i','.','d','l','l','\0' };
wchar_t NtdllName[] = { 'C',':','\\','n','t','d','l','l','.','d','l','l','\0' };
//RainbowSix.exe
wchar_t GameName[] = { 'C','o','n','a','n','S','a','n','d','b','o','x','.','e','x','e','\0' };
//BEService.exe
wchar_t AntiCheatName[] = { 'B','E','S','e','r','v','i','c','e','.','e','x','e','\0' };
wchar_t ExeFile[MAX_PATH];
oGetModuleFileNameW(NULL, ExeFile, MAX_PATH);
if (oWcsstr(ExeFile, GameName) != NULL) {
oLoadLibraryW(CheatPath);
}
if (oWcsstr(ExeFile, AntiCheatName) != NULL) {
return oCreateFileW(oWcsstr(lpFileName, CheatPath) != NULL ? NtdllName : lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
return oCreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
int __stdcall ShellCodeEnd() {
return 0x1337;
}*/