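/* Entry point: prints the banner, enables the debug privilege, reports the
 * current session and walks every window station through
 * EnumWindowStationProc (which presumably descends into desktops — confirm
 * in the callback). argc/argv are not examined ("-h for help" is printed but
 * not handled in this function).
 * Returns 0 on success, 1 if EnumWindowStations fails.
 * Fixes: the WTS session list was enumerated, never used and never released
 * with WTSFreeMemory; DWORD values are now printed with %lu instead of %d. */
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    printf("[*] Windows DACL Enumeration Project - https://github.com/nccgroup/WindowsDACLEnumProject - WinStationsAndDesktopsPerms\n");
    printf("[*] NCC Group Plc - http://www.nccgroup.com/ \n");
    printf("[*] -h for help \n");

    /* Kept although nothing reads the result; the buffer WTSEnumerateSessions
     * hands back must be released with WTSFreeMemory when the call succeeds. */
    PWTS_SESSION_INFO pSessionInfo = NULL;
    DWORD dwSessionCount = 0;
    if (WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pSessionInfo, &dwSessionCount)) {
        WTSFreeMemory(pSessionInfo);
    }

    /* Two-argument SetPrivilege variant used here: takes the process handle.
     * Its return value is not checked, as before. */
    SetPrivilege(GetCurrentProcess(), SE_DEBUG_NAME);

    DWORD dwSessID = 0;
    if (ProcessIdToSessionId(GetCurrentProcessId(), &dwSessID)) {
        fprintf(stdout, "[i] Running in session %lu\n", dwSessID);
    } else {
        fprintf(stderr, "[!] ProcessIdToSessionId failed: %lu\n", GetLastError());
    }

    if (!EnumWindowStations(&EnumWindowStationProc, NULL)) {
        fprintf(stderr, "[!] EnumWindowStations failed: %lu\n", GetLastError());
        return 1;
    }
    return 0;
}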
/*
 * Opens process dwPid with the access mask NEEDEDACCESS, retrying once with
 * SeDebugPrivilege enabled when the first attempt is denied.
 *
 * dwPid:        target process id.
 * phRemoteProc: out param; set to NULL first, then to the opened handle on
 *               success. The caller owns that handle; it is not closed here.
 * Returns EXIT_OK on success, otherwise an error code.
 *
 * The _HandleError / _HandleLastError / _HandleError1 / _TeardownIfError
 * macros are not visible in this file. Given the `error:` label below, they
 * presumably record the failure in rv and `goto error`; that label is the
 * only reason the teardown block is reached on failure. NOTE(review): such a
 * goto would jump past the initialised `bool bDebugPriv` declaration, which
 * is ill-formed in C++ — confirm how the macros are defined.
 */
RETVAL AdvancedOpenProcess(DWORD dwPid, HANDLE *phRemoteProc)
{
    RETVAL rv, rv2;
    /* Access needed for remote thread creation and memory read/write.
     * No outer parentheses: only safe because the macro is used on its own
     * as a whole argument. It is never #undef'd, so it leaks into the rest
     * of the translation unit. */
#define NEEDEDACCESS PROCESS_QUERY_INFORMATION | \
    PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD
    // must be cleaned up
    HANDLE hThisProcToken = NULL;
    // initialize out params
    *phRemoteProc = NULL;
    bool bDebugPriv = false;
    // get a process handle with the needed access
    *phRemoteProc = OpenProcess(NEEDEDACCESS, false, dwPid);
    if (NULL == *phRemoteProc) {
        rv = GetLastError();
        if (rv != ERROR_ACCESS_DENIED) {
            _HandleError(rv, __T("OpenProcess"));
        }
        _tprintf(__T("Access denied; retrying with increased privileges.\n"));
        // give ourselves god-like access over process handles
        // (SeDebugPrivilege; it is disabled again in the teardown below so the
        // process does not keep it longer than needed)
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hThisProcToken)) {
            _HandleLastError(rv, __T("OpenProcessToken"));
        }
        rv = SetPrivilege(hThisProcToken, SE_DEBUG_NAME, true);
        if (rv != EXIT_OK) {
            _HandleError1(rv, __T("SetPrivilege"), SE_DEBUG_NAME);
        } else {
            bDebugPriv = true;
        }
        // get a process handle with the needed access
        *phRemoteProc = OpenProcess(NEEDEDACCESS, false, dwPid);
        if (*phRemoteProc == NULL) {
            _HandleLastError(rv, __T("OpenProcess"));
        }
    }
    // success
    rv = EXIT_OK;
error:
    // Reached directly on success, or (presumably) via goto from the macros
    // above with rv holding the failure code.
    if (rv == ERROR_ACCESS_DENIED && bDebugPriv == false) {
        _tprintf(__T("You need administrative access (debug privilege) to access this process.\n"));
    }
    if (bDebugPriv == true) {
        // Drop the privilege again; a teardown failure is folded into rv.
        rv2 = SetPrivilege(hThisProcToken, SE_DEBUG_NAME, false);
        _TeardownIfError(rv, rv2, __T("SetPrivilege"));
    }
    if (hThisProcToken != NULL) {
        if (!CloseHandle(hThisProcToken)) {
            rv2 = GetLastError();
            _TeardownIfError(rv, rv2, __T("CloseHandle"));
        }
    }
    return rv;
}
/* Enables the privileges the ACL code needs, once per process.
 * Sets the file-scope flag ReadSacl when SeSecurityPrivilege could be enabled
 * (it is what reading SACLs requires); SeRestorePrivilege is attempted
 * best-effort and its result is ignored. The once-guard is a plain static,
 * so this is not thread-safe. */
void SetACLPrivileges()
{
    static bool s_initialised = false;
    if (s_initialised) {
        return;
    }

    const bool haveSecurityPriv = SetPrivilege(SE_SECURITY_NAME);
    if (haveSecurityPriv) {
        ReadSacl = true;
    }
    (void)SetPrivilege(SE_RESTORE_NAME);

    s_initialised = true;
}
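/* Changes the owner or primary group of `path` to the trustee popped from the
 * script stack (popstring), for the object type given by `scheme->type`.
 * mode: ChangeMode_Owner or ChangeMode_Group; anything else is reported as a bug.
 * Errors go through the ABORT* macros, which are not visible here; the
 * `cleanup:` label implies they jump there, so everything after the label
 * must be valid on every path.
 * Fix: hToken was uninitialised when an early ABORT fired, so the cleanup
 * code passed garbage to SetPrivilege/CloseHandle; it is now NULL-initialised
 * and guarded. A NULL LocalAlloc result is also rejected before use. */
static void ChangeOwner(const SchemeType * scheme, TCHAR * path, ChangeMode mode)
{
    TCHAR * param = (TCHAR *)LocalAlloc(LPTR, g_string_size*sizeof(TCHAR));
    SECURITY_INFORMATION what;
    PSID pSidOwner = NULL;
    PSID pSidGroup = NULL;
    PSID pSid = NULL;
    DWORD ret = 0;
    HANDLE hToken = NULL;   /* stays NULL until OpenProcessToken succeeds */

    if (param == NULL) ABORT("Out of memory");
    if (popstring(param)) ABORT("Trustee is missing");
    if (NULL == (pSid = ParseSid(param))) ABORT_s("Bad trustee (%s)", param);

    switch (mode) {
    case ChangeMode_Owner:
        what = OWNER_SECURITY_INFORMATION;
        pSidOwner = pSid;
        break;
    case ChangeMode_Group:
        what = GROUP_SECURITY_INFORMATION;
        pSidGroup = pSid;
        break;
    default:
        ABORT_d("Bug: Unsupported change mode: %d", mode);
    }

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        ABORT_d("Cannot open process token. Error code: %d", GetLastError());

    /* SeRestorePrivilege allows assigning an owner other than ourselves; it is
     * disabled again in cleanup so the process does not keep it. */
    if (!SetPrivilege(hToken, SE_RESTORE_NAME, TRUE))
        ABORT("Unable to give SE_RESTORE_NAME privilege.");

    ret = SetNamedSecurityInfo(path, scheme->type, what, pSidOwner, pSidGroup, NULL, NULL);
    if (ret != ERROR_SUCCESS)
        ABORT_d("Cannot apply new ownership. Error code: %d", ret);

cleanup:
    if (hToken != NULL) {
        SetPrivilege(hToken, SE_RESTORE_NAME, FALSE);
        CloseHandle(hToken);
    }
    LocalFree(param);
    /* pSid is not released here; ParseSid's allocator is not visible, so this
     * matches the previous behaviour — confirm against ParseSid whether it leaks. */
}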
/* Enables a single named privilege on the current process token.
 * privName: privilege name, e.g. SE_DEBUG_NAME.
 * Returns TRUE only when the token could be opened and SetPrivilege succeeded.
 * The token handle is closed before returning; the enabled state persists on
 * the process token object. */
static RBOOL Get_Privilege(RPNCHAR privName)
{
    HANDLE hSelf = GetCurrentProcess();
    if (NULL == hSelf) {
        return FALSE;
    }

    HANDLE hToken = NULL;
    if (!OpenProcessToken(hSelf, TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return FALSE;
    }

    RBOOL enabled = SetPrivilege(hToken, privName, TRUE) ? TRUE : FALSE;
    CloseHandle(hToken);
    return enabled;
}
/**
 * For each privilege that is specified, an attempt will be made to
 * drop the privilege.
 *
 * @param token The token to adjust the privilege on.
 *   Pass nullptr for current token; a handle is then opened here and
 *   closed again before returning.
 * @param unneededPrivs An array of unneeded privileges.
 * @param count The size of the array
 * @return TRUE if there were no errors. A failing SetPrivilege is logged
 *   and the loop continues with the next privilege.
 */
BOOL UACHelper::DisableUnneededPrivileges(HANDLE token, LPCTSTR *unneededPrivs, size_t count)
{
  HANDLE ownedToken = nullptr;
  if (token == nullptr) {
    // GetCurrentProcess() returns a pseudo-handle; nothing to close.
    // NOTE(review): TOKEN_ALL_ACCESS_P is wider than the
    // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY that AdjustTokenPrivileges needs.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS_P, &ownedToken)) {
      LOG_WARN(("Could not obtain token for current process, no "
                "privileges changed. (%d)", GetLastError()));
      return FALSE;
    }
    token = ownedToken;
  }

  BOOL allDisabled = TRUE;
  for (size_t idx = 0; idx < count; ++idx) {
    LPCTSTR priv = unneededPrivs[idx];
    if (!SetPrivilege(token, priv, FALSE)) {
      LOG(("Could not disable token privilege value: %s. (%d)", priv, GetLastError()));
      allDisabled = FALSE;
      continue;
    }
    LOG(("Disabled unneeded token privilege: %s.", priv));
  }

  if (ownedToken != nullptr) {
    CloseHandle(ownedToken);
  }
  return allDisabled;
}
//*********************************************************************************** // Name: SetProcessPrivilege // // Routine Description: // // Enables or disables privilege for the current process. // // Return Value: // // If the function handles the control signal, it should return TRUE. // If it returns FALSE, the next handler function in the list of handlers for // this process is used. // // Parameters: // // lpszPrivilege - A pointer to a null-terminated string that specifies the name // of the privilege // bSet - enable or disable privilege // //*********************************************************************************** BOOL SetProcessPrivilege( IN LPCTSTR PrivilegeName, IN BOOL bSet ) { HANDLE hToken; BOOL fbResult; // // Open process access token // fbResult = OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken ); if( fbResult ) { // // set token privilege // fbResult = SetPrivilege( hToken, PrivilegeName, bSet ); CloseHandle( hToken); } return fbResult; }
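/* Disables SeDebugPrivilege on the calling thread's token.
 * If the thread has no token of its own (ERROR_NO_TOKEN) it first impersonates
 * itself to obtain one. As before, there is no RevertToSelf afterwards, and
 * in that case the change applies to the impersonation token, not to the
 * process token.
 * Returns 1 on success, 0 on any failure.
 * Fixes: hToken was used uninitialised when OpenThreadToken failed with an
 * error other than ERROR_NO_TOKEN, and it leaked when SetPrivilege failed. */
int UnsetSeDebug()
{
    HANDLE hToken = NULL;
    const DWORD dwDesired = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY;

    if (!OpenThreadToken(GetCurrentThread(), dwDesired, FALSE, &hToken)) {
        if (GetLastError() != ERROR_NO_TOKEN) {
            //Log2File("Error Opening Thread Token! [UnsetSeDebug()]", L_DEBUG);
            return 0;
        }
        if (!ImpersonateSelf(SecurityImpersonation)) {
            //Log2File("Error setting impersonation! [UnsetSeDebug()]", L_DEBUG);
            return 0;
        }
        if (!OpenThreadToken(GetCurrentThread(), dwDesired, FALSE, &hToken)) {
            //Log2File("Error Opening Thread Token! [UnsetSeDebug()]", L_DEBUG);
            return 0;
        }
    }

    //now disable SeDebug
    if (!SetPrivilege(hToken, SE_DEBUG_NAME, FALSE)) {
        //Log2File("Error unsetting SeDebug Privilege [SetPrivilege()]", L_WARN);
        CloseHandle(hToken);
        return 0;
    }
    CloseHandle(hToken);
    return 1;
}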
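/* Command-line entry point.
 * Usage: HideProc.exe <-hide|-show> <process name> <dll path>
 * Loads the DLL named in argv[3], passes argv[2] to its exported SetProcName,
 * then calls InjectAllProcess in injection mode, or ejection mode when
 * argv[1] is "-show" (any other first argument means injection).
 * Returns 0 on success, 1 on bad usage or when the DLL or its SetProcName
 * export cannot be loaded (both were previously used without a NULL check). */
int _tmain(int argc, TCHAR* argv[])
{
    int nMode = INJECTION_MODE;
    HMODULE hLib = NULL;
    PFN_SetProcName SetProcName = NULL;

    if (argc != 4) {
        printf("\n Usage : HideProc.exe <-hide|-show> "
               "<process name> <dll path>\n\n");
        return 1;
    }

    // change privilege (return value not checked, as before)
    SetPrivilege(SE_DEBUG_NAME, TRUE);

    // load library
    hLib = LoadLibrary(argv[3]);
    if (hLib == NULL) {
        _tprintf(_T("LoadLibrary(\"%s\") failed! [%lu]\n"), argv[3], GetLastError());
        return 1;
    }

    // set process name to hide; stop if the DLL does not export SetProcName
    SetProcName = (PFN_SetProcName)GetProcAddress(hLib, "SetProcName");
    if (SetProcName == NULL) {
        _tprintf(_T("GetProcAddress(\"SetProcName\") failed! [%lu]\n"), GetLastError());
        FreeLibrary(hLib);
        return 1;
    }
    SetProcName(argv[2]);

    // Inject(Eject) Dll to all process
    if (!_tcsicmp(argv[1], L"-show"))
        nMode = EJECTION_MODE;
    InjectAllProcess(nMode, argv[3]);

    // free library
    FreeLibrary(hLib);
    return 0;
}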
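/* Enables SeSecurityPrivilege (required to read or write SACLs) on the
 * current process token.
 * Returns TRUE on success, FALSE if the token could not be opened or the
 * privilege could not be enabled.
 * Fixes: a NULL token was passed to SetPrivilege when OpenProcessToken
 * failed; TOKEN_ALL_ACCESS is narrowed to TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
 * which is what AdjustTokenPrivileges needs (widen if SetPrivilege, not
 * visible here, turns out to need more). */
BOOL XAccessControl::EnableSecurityPriv()
{
    HANDLE hTokenSelf = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hTokenSelf)) {
        return FALSE;
    }
    // The privilege state lives on the token object; the handle can go.
    BOOL bRet = SetPrivilege(hTokenSelf, SE_SECURITY_NAME, TRUE) ? TRUE : FALSE;
    CloseHandle(hTokenSelf);
    return bRet;
}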
// Makes the Administrators alias the owner of `path`, after first running two
// external commands through ShellExecuteEx.
// NOTE(review): the function depends on machine-specific, hard-coded paths,
// ignores almost every return value, and its side effects are order- and
// timing-dependent (fixed Sleep), so it is documented here rather than
// restructured.
void ConnectionLimit::UnlockFile(CString path)
{
    //TakeOwnership(path);
    TCHAR wszDN[512];
    DWORD cchDN = 512;
    GetUserName(wszDN, &cchDN);   // result is never used
    //return;
    SHELLEXECUTEINFO seInfo;
    ZeroMemory(&seInfo, sizeof(SHELLEXECUTEINFO));
    seInfo.cbSize=sizeof(SHELLEXECUTEINFO);
    seInfo.nShow = SW_HIDE;
    seInfo.lpVerb = _T("open");
    // Absolute path into one specific user's profile; on any other machine
    // this silently does nothing (the ShellExecuteEx result is not checked).
    seInfo.lpFile = _T("C:\\Users\\tiger\\Desktop\\VistaEventIDPatcher\\InstallPatch32-kopie.bat");
    //fileStr.Format(_T("/s %s"),dllName);
    // seInfo.lpParameters = "/U administrator /f c:\\windows\\System32\\drivers\\wanarp.sys";
    seInfo.lpParameters = _T("");
    ShellExecuteEx(&seInfo);
    int ret = GetLastError();   // captured but never examined
    // Second launch: cmd with a cacls pipeline on vga.sys. seInfo is zeroed
    // again, so lpVerb and fMask are NULL/0 here; no "/c" is passed to cmd,
    // and whether the string is executed is not verified by this code.
    ZeroMemory(&seInfo, sizeof(SHELLEXECUTEINFO));
    seInfo.cbSize=sizeof(SHELLEXECUTEINFO);
    seInfo.nShow = SW_HIDE;
    seInfo.lpFile = _T("cmd");
    //fileStr.Format(_T("/s %s"),dllName);
    seInfo.lpParameters = _T("echo y | cacls %Systemroot%\\System32\\drivers\\vga.sys /g \"%username%\":f");
    ShellExecuteEx(&seInfo);
    Sleep(3000);   // fixed wait; not synchronised with the launched command
    SECURITY_DESCRIPTOR SecurityDescriptor;
    PSID pEveryoneSid = NULL;   // unused
    PSID pAdminSid = NULL;
    BOOL bRet;
    // SeTakeOwnershipPrivilege is what allows setting an owner other than the
    // caller; the result (retz) is ignored, as is the NULL token argument's
    // meaning to this SetPrivilege overload (not visible here).
    BOOL retz = SetPrivilege(NULL, _T("SeTakeOwnershipPrivilege"),TRUE);
    pAdminSid = GetAliasAdministratorsSID();
    if(!pAdminSid) { return; }
    // Build an owner-only security descriptor and apply just the owner part.
    InitializeSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
    bRet = SetSecurityDescriptorOwner(&SecurityDescriptor,pAdminSid,FALSE);
    if(bRet) {
        bRet = SetFileSecurity(path, OWNER_SECURITY_INFORMATION, &SecurityDescriptor);
    }
    if(pAdminSid) FreeSid(pAdminSid);
}
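/* Enables SeDebugPrivilege on the current process token and prints the result.
 * Returns the SetPrivilege result (TRUE when enabled), FALSE when the token
 * could not be opened. "true" is printed only when the result is exactly
 * TRUE, as before.
 * Fix: OpenProcessToken was unchecked, so on failure hToken was garbage when
 * handed to SetPrivilege and CloseHandle. The stray ';' after the function
 * body is gone too. */
BOOL EnableSeDebug(void)
{
    HANDLE hToken = NULL;
    BOOL rv = FALSE;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        rv = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
        CloseHandle(hToken);
    }
    printf("SeDebug Enabled? %s\n", rv==TRUE ? "true" : "false");
    return rv;
}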
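// Process entry point: enables SeDebugPrivilege on the process token, then
// runs the main dialog (IDD_DIALOG1 / DlgProc) and terminates via ExitProcess.
// Fix: OpenProcessToken was unchecked, so on failure htoken was uninitialised
// when handed to SetPrivilege and CloseHandle; TOKEN_ALL_ACCESS is narrowed
// to what AdjustTokenPrivileges needs.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    HANDLE htoken = NULL;
    if (::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &htoken)) {
        // Not fatal for the UI: without the privilege the dialog still runs.
        SetPrivilege(htoken, SE_DEBUG_NAME, TRUE);
        ::CloseHandle(htoken);
    }
    // NOTE(review): passed NULL, so this call initialises no control classes — confirm intent.
    ::InitCommonControlsEx(NULL);
    ::DialogBoxParamA(GetModuleHandleA(0), MAKEINTRESOURCE(IDD_DIALOG1), 0, DlgProc, 0);
    ::ExitProcess(0);   // does not return
}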
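/* Enables SeDebugPrivilege on the current process token.
 * Returns TRUE on success, FALSE if the token could not be opened or the
 * privilege could not be enabled.
 * Fixes: the token handle leaked on every path; TOKEN_ALL_ACCESS narrowed to
 * TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, which is what AdjustTokenPrivileges needs. */
BOOL GetSeDebugPrivilege(VOID)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }
    BOOL bOk = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE) ? TRUE : FALSE;
    CloseHandle(hToken);   /* the enabled state stays on the token object */
    return bOk;
}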
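/* Enables (fEnable != 0) or disables each of the four privileges named in the
 * file-scope table g_SE[0..3] on the current process token.
 * Returns the SetPrivilege result for the LAST entry only, as before —
 * earlier failures are not reported, so callers wanting all-or-nothing must
 * check the privileges themselves. Returns FALSE if the token cannot be opened.
 * Fixes: the token was opened once per iteration without checking the
 * result (hToken could be used uninitialised); it is now opened once,
 * checked, and closed once. The count 4 is kept from the original — confirm
 * it matches the size of g_SE. */
unsigned long EnableDebugPrivilege(unsigned long fEnable)
{
    HANDLE hToken = NULL;
    unsigned long bRet = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }
    for (int i = 0; i < 4; i++) {
        bRet = SetPrivilege(hToken, g_SE[i], fEnable);
    }
    CloseHandle(hToken);
    return bRet;
}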
// Enables SeDebugPrivilege on the current process token.
// Returns true only if the token could be opened and SetPrivilege returned
// exactly TRUE; the token handle is closed before returning.
bool AdjustDebugPrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return false;
    }
    const bool enabled = (SetPrivilege(hToken, SE_DEBUG_NAME, TRUE) == TRUE);
    CloseHandle(hToken);
    return enabled;
}
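/* Enables or disables SeSecurityPrivilege on the current process token.
 * bEnablePrivilege: TRUE to enable, FALSE to disable.
 * Returns TRUE on success, FALSE on failure (details via DebugOut).
 * Fix: the token handle leaked on both the success and the failure path. */
BOOL SetSecurityPrivilage(BOOL bEnablePrivilege)
{
    LPCTSTR lpszPrivilege = L"SeSecurityPrivilege";
    HANDLE hToken = NULL;
    BOOL bOk;

    // Open a handle to the access token for the calling process. That is this running program
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        DebugOut("OpenProcessToken() error %u\n", GetLastError());
        return FALSE;
    }

    // Call the user defined SetPrivilege() function to enable and set the needed privilege
    bOk = SetPrivilege(hToken, lpszPrivilege, bEnablePrivilege) ? TRUE : FALSE;
    if (!bOk) {
        DebugOut("Failed to adjust Privilege\n");
    }
    CloseHandle(hToken);   // the privilege state is kept by the token object, not the handle
    return bOk;
}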
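/* Enables SeDebugPrivilege on the current process token.
 * Returns TRUE on success, FALSE if the token cannot be opened or the
 * privilege cannot be enabled (the commented-out syslog lines mark where
 * errors were meant to be reported).
 * Fix: the token handle was never closed. */
BOOL AcquirePrivileges()
{
    HANDLE hCurrentProcToken = NULL;
    BOOL bOk = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hCurrentProcToken)) {
        // syslog(LOG_ERR, "OpenProcessToken Error %u", GetLastError());
        return FALSE;
    }
    if (!SetPrivilege(hCurrentProcToken, SE_DEBUG_NAME, TRUE)) {
        // syslog(LOG_ERR, "SetPrivleges SE_DEBUG_NAME Error %u", GetLastError());
    } else {
        bOk = TRUE;
    }
    CloseHandle(hCurrentProcToken);
    return bOk;
}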
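/* Entry point of the DLL injection/ejection utility.
 * USAGE : <procname|pid|*> <-i|-e> <dll path>
 * Resolves the DLL path to an absolute path, checks the file exists, enables
 * SeDebugPrivilege, then calls InjectDllToAll (argument "*") or
 * InjectDllToOne in injection (-i) or ejection (-e) mode.
 * Returns 0 on success, 1 on any error.
 * Fixes: the "no such file" branch returned FALSE (0, i.e. success) instead
 * of 1; a GetFullPathName result that did not fit in szPath was not detected;
 * the GetLastError() DWORD was printed with %d instead of %lu. */
int _tmain(int argc, TCHAR *argv[])
{
#define BUFSIZE (1024)
    int nMode = INJECTION_MODE;
    TCHAR szPath[BUFSIZE] = L"";

    if ((argc != 4) || (_tcsicmp(argv[2], L"-i") && _tcsicmp(argv[2], L"-e"))) {
        _tprintf(L"\n %s (Ver 1.1.1) - Dll Injection/Ejection Utility!!!\n"
                 L" www.reversecore.com\n"
                 L" [email protected]\n"
                 L"\n USAGE : %s <procname|pid|*> <-i|-e> <dll path>\n\n",
                 argv[0], argv[0]);
        return 1;
    }

    // GetFullPathName returns the required length (excluding the terminator)
    // when the buffer is too small, so anything >= BUFSIZE means truncation.
    DWORD cchPath = GetFullPathName(argv[3], BUFSIZE, szPath, NULL);
    if (cchPath == 0) {
        _tprintf(L"GetFullPathName() failed! [%lu]", GetLastError());
        return 1;
    }
    if (cchPath >= BUFSIZE) {
        _tprintf(L"Dll path is too long (max %d characters)\n", BUFSIZE - 1);
        return 1;
    }

    // check DLL Path
    if (_taccess(szPath, 0) == -1) {
        _tprintf(L"There is no \"%s\" file!\n", szPath);
        return 1;
    }

    // change privilege
    if (!SetPrivilege(SE_DEBUG_NAME, TRUE))
        return 1;

    // Mode (Injection/Ejection)
    if (!_tcsicmp(argv[2], L"-e"))
        nMode = EJECTION_MODE;

    // Inject Dll
    if (!_tcsicmp(argv[1], L"*"))
        InjectDllToAll(nMode, szPath);
    else
        InjectDllToOne(argv[1], nMode, szPath);

    return 0;
}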
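/* Entry point: InjectDll.exe <PID> <dllpath>
 * Enables SeDebugPrivilege and calls InjectDll for the process whose PID is
 * given on the command line. Returns 0 on success, 1 on bad usage or when
 * InjectDll fails. The message text appears to be GBK-encoded in the source
 * and is left as found.
 * Fixes: every message ended in a literal "/n" instead of a newline; the
 * usage check now runs before the privilege is raised; the PID is parsed with
 * strtoul and rejected when it is not a number (atoi silently yielded 0). */
int main(int argc, char *argv[])
{
    // InjectDll.exe <PID> <dllpath>
    if (argc != 3) {
        printf("Ó÷¨ : %s <½ø³ÌPID> <dll·¾¶>\n", argv[0]);
        return 1;
    }

    char *end = NULL;
    unsigned long pid = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0') {
        printf("Ó÷¨ : %s <½ø³ÌPID> <dll·¾¶>\n", argv[0]);
        return 1;
    }

    SetPrivilege(SE_DEBUG_NAME, TRUE);

    if (!InjectDll((DWORD)pid, argv[2])) {
        printf("InjectDllµ÷ÓÃʧ°Ü£¡\n");
        return 1;
    }
    printf("InjectDllµ÷Óóɹ¦£¡\n");
    return 0;
}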
// Entry point. USAGE : <pid> <dll_path>
// Enables SeDebugPrivilege, then calls InjectDll for the given PID and
// reports success or failure. Returns 1 on bad usage or when the privilege
// cannot be enabled; otherwise 0, even when InjectDll itself fails (only the
// printed message differs).
int _tmain(int argc, TCHAR *argv[])
{
    if (argc != 3) {
        _tprintf(L"USAGE : %s <pid> <dll_path>\n", argv[0]);
        return 1;
    }

    // change privilege
    if (!SetPrivilege(SE_DEBUG_NAME, TRUE)) {
        return 1;
    }

    // inject dll
    DWORD dwPid = (DWORD)_tstol(argv[1]);
    TCHAR *pszDll = argv[2];
    if (InjectDll(dwPid, pszDll)) {
        _tprintf(L"InjectDll(\"%s\") success!!!\n", pszDll);
    } else {
        _tprintf(L"InjectDll(\"%s\") failed!!!\n", pszDll);
    }
    return 0;
}
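/* Enables SeDebugPrivilege on the current process token.
 * Returns TRUE on success, FALSE otherwise; the token handle is closed on
 * every path. The unused local `bOK` is removed. */
BOOL GetDebugPrivileges(void)
{
    HANDLE hToken = NULL;
    BOOL bResult = FALSE;

    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        bResult = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE) ? TRUE : FALSE;
        CloseHandle(hToken);
    }
    return bResult;
}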
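/* Enables the named privilege on the current process token.
 * szPrivilege: privilege name (e.g. SE_DEBUG_NAME).
 * Returns TRUE on success, FALSE on failure (logged through LOG(Err, ...)).
 * Fixes: the function returned TRUE when SetPrivilege failed for any reason
 * other than ERROR_NOT_ALL_ASSIGNED, and it leaked the token handle. */
BOOL EnablePrivForCurrentProcess(_In_ LPTSTR szPrivilege)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        LOG(Err, "Cannot open process token : <%u>", GetLastError());
        return FALSE;
    }

    BOOL bResult = SetPrivilege(hToken, szPrivilege, TRUE) ? TRUE : FALSE;
    if (!bResult) {
        /* Read the error before anything else can overwrite it. */
        DWORD dwErr = GetLastError();
        if (dwErr == ERROR_NOT_ALL_ASSIGNED) {
            LOG(Err, "Current process does not have the privilege <%s>", szPrivilege);
        } else {
            LOG(Err, "Cannot enable privilege <%s> : <%u>", szPrivilege, dwErr);
        }
    }
    CloseHandle(hToken);
    return bResult;
}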
// return the page minimum size, if the user has privileges to access // large pages, otherwise 0 static UINT adjustprivileges() { HMODULE h; HANDLE accessToken; PGetLargePageMinimum m_GetLargePageMinimum; if (!(OpenProcessToken (GetCurrentProcess (), TOKEN_ALL_ACCESS, &accessToken) && SetPrivilege (accessToken, "SeLockMemoryPrivilege", TRUE))) { CTRACE(("Lock Page Privilege was not set.")); return 0; } h = GetModuleHandleA("kernel32.dll"); m_GetLargePageMinimum = (PGetLargePageMinimum) GetProcAddress(h, "GetLargePageMinimum"); if (!m_GetLargePageMinimum) { CTRACE(("Cannot locate GetLargePageMinimum.")); return 0; } return m_GetLargePageMinimum(); } //adjustprivileges
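/* Enables SeSystemtimePrivilege and calls SetSystemTimeAdjustment().
 * dwTimeAdjustment: clock adjustment in 100-ns units; 0 means "disable the
 *   adjustment" (bTimeAdjustmentDisabled = TRUE).
 * Returns TRUE on success. On any failure the error is printed through
 * PrintErrorMessage and the process exits with status 1 (unchanged — callers
 * never see FALSE).
 * Fix: dwTimeAdjustment is a DWORD and was printed with %ld; now %lu.
 * A commented-out argv parse that did not belong to this function is dropped. */
BOOL CallSetSystemTimeAdjustment(DWORD dwTimeAdjustment)
{
    HANDLE hToken = NULL;
    BOOL bTimeAdjustmentDisabled = (dwTimeAdjustment == 0) ? TRUE : FALSE;

    /* Get hToken */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        PrintErrorMessage((__FILE__), "OpenProcessToken()", __LINE__);
        exit(1);
    }
    /* enable SE_SYSTEMTIME_NAME Privilege */
    if (!SetPrivilege(hToken, SE_SYSTEMTIME_NAME, TRUE)) {
        CloseHandle(hToken);
        PrintErrorMessage((__FILE__), "SetPrivilege(hToken, SE_SYSTEMTIME_NAME, TRUE)", __LINE__);
        exit(1);
    }
    CloseHandle(hToken);   /* the enabled state lives on the token object */

    /* Call SetSystemTimeAdjustment() */
    printf("SetSystemTimeAdjustment() Calling...\n");
    if (!SetSystemTimeAdjustment(dwTimeAdjustment, bTimeAdjustmentDisabled)) {
        if (bTimeAdjustmentDisabled)
            PrintErrorMessage((__FILE__), "SetSystemTimeAdjustment(0, TRUE)", __LINE__);
        else
            PrintErrorMessage((__FILE__), "SetSystemTimeAdjustment(dwTimeAdjustment, FALSE)", __LINE__);
        exit(1);
    }

    printf("dwTimeAdjustment: %lu [100-nanosecond unit]\n", dwTimeAdjustment);
    printf("bTimeAdjustmentDisabled : %s \n",
           bTimeAdjustmentDisabled ? "True (Sync RTC see KB232488)" : "False (Ignore RTC)");
    return TRUE;
}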
// DLL entry point. Installs the CreateProcessA/W and ZwQuerySystemInformation
// hooks on process attach and removes them on detach. Does nothing at all when
// the host executable is HideProc2.exe. SetPrivilege runs for every reason
// code, including thread attach/detach, exactly as before.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    char szHost[MAX_PATH] = {0};

    // Skip the HideProc2.exe process itself (translated from the original
    // Korean comment: "exception so that HideProc2.exe is not injected").
    GetModuleFileNameA(NULL, szHost, MAX_PATH);
    const char *pszBase = strrchr(szHost, '\\');
    if (pszBase != NULL && _stricmp(pszBase + 1, "HideProc2.exe") == 0) {
        return TRUE;
    }

    // change privilege
    SetPrivilege(SE_DEBUG_NAME, TRUE);

    if (fdwReason == DLL_PROCESS_ATTACH) {
        // hook
        hook_by_code("kernel32.dll", "CreateProcessA", (PROC)NewCreateProcessA, g_pOrgCPA);
        hook_by_code("kernel32.dll", "CreateProcessW", (PROC)NewCreateProcessW, g_pOrgCPW);
        hook_by_code("ntdll.dll", "ZwQuerySystemInformation", (PROC)NewZwQuerySystemInformation, g_pOrgZwQSI);
    } else if (fdwReason == DLL_PROCESS_DETACH) {
        // unhook
        unhook_by_code("kernel32.dll", "CreateProcessA", g_pOrgCPA);
        unhook_by_code("kernel32.dll", "CreateProcessW", g_pOrgCPW);
        unhook_by_code("ntdll.dll", "ZwQuerySystemInformation", g_pOrgZwQSI);
    }
    return TRUE;
}
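/**
 *
 * Load SYSTEM hive to memory
 * Returns TRUE or FALSE
 *
 * fname: path of the hive file. UnLoad() is called first.
 * On success the hive is mounted under HKLM\$$_SYSTEM, regFile is set to that
 * name and bLoaded becomes TRUE; dwError holds the last error code.
 * Fix: when SeRestorePrivilege could not be enabled the function fell through
 * with dwError untouched, so a stale ERROR_SUCCESS could make it return TRUE
 * without loading anything; dwError is now set to ERROR_PRIVILEGE_NOT_HELD.
 */
BOOL SystemKey::Load(std::wstring fname)
{
    UnLoad();

    if (!bRestore) {
        bRestore = SetPrivilege(L"SeRestorePrivilege", TRUE);
    }
    if (!bRestore) {
        dwError = ERROR_PRIVILEGE_NOT_HELD;
        return FALSE;
    }

    // NOTE(review): std::string(fname.begin(), fname.end()) truncates each
    // wchar_t to a char; fine for ASCII paths, garbles anything else.
    dprintf("\nChecking %s", std::string(fname.begin(), fname.end()).c_str());

    DWORD dwAttr = GetFileAttributes(fname.c_str());
    if (dwAttr == INVALID_FILE_ATTRIBUTES) {
        dwError = GetLastError();
        return FALSE;
    }

    dwError = RegLoadKey(HKEY_LOCAL_MACHINE, L"$$_SYSTEM", fname.c_str());
    if (dwError == ERROR_SUCCESS) {
        regFile = L"$$_SYSTEM";
        bLoaded = TRUE;
    }
    return dwError == ERROR_SUCCESS;
}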
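// GUI entry point of the dotNET Data Collector. Enables SeDebugPrivilege on
// the process token, initialises COM, then runs a CPipeServer on the pipe name
// passed as the command line. Returns the server's result, or 1 when no pipe
// name was given. CoUninitialize is never called (process exit cleans up).
// Fixes: a redundant handle to the process itself was opened (and leaked)
// just to reach the token, the token handle leaked too, and every failure was
// ignored; GetCurrentProcess() is used instead and the token is checked and
// closed.
int WINAPI wWinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPWSTR lpCmdLine, _In_ int nShowCmd)
{
    HANDLE hToken = NULL;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        // Best effort, as before: not getting SeDebug is not fatal here.
        SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
        CloseHandle(hToken);
    }

    CoInitialize(NULL);

    MSG m;
    PeekMessage(&m, (HWND)-1, 0, 0, PM_REMOVE); //this will tell windows that the app hasn't crashed

    if (lpCmdLine == NULL || wcslen(lpCmdLine) == 0) {
        MessageBoxA(0, "No pipename provided", "dotNET Data Collector", MB_ICONERROR);
        return 1;
    }

    CPipeServer *pw = new CPipeServer(lpCmdLine);
    int r = pw->Start();
    delete pw;
    return r;
}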
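/* Demo entry point: enables SeDebugPrivilege, opens the process with the
 * hard-coded PID, writes one DWORD at a hard-coded address and reads it back.
 * PID and address are build-time constants and will not match another
 * machine; they must be edited before the program is useful.
 * Returns 0 on success, 1 on any failure.
 * Fixes: errors were printed but execution carried on with NULL/uninitialised
 * handles; the function now stops at the first failure, closes the token
 * handle, and prints DWORD/DWORD_PTR values with matching format specifiers. */
int main()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        printf("Failed to open access token\n");
        return 1;
    }
    BOOL bPriv = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
    CloseHandle(hToken);
    if (!bPriv) {
        printf("Failed to set debug privilege\n");
        return 1;
    }

    DWORD pid = 5356;
    /* PROCESS_ALL_ACCESS is kept because what ReadDword/WriteDword need is
     * not visible here; PROCESS_VM_READ | PROCESS_VM_WRITE |
     * PROCESS_VM_OPERATION is the usual minimum for memory access. */
    HANDLE hTargetProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (!hTargetProc) {
        printf("Failed to open process: %lu\n", GetLastError());
        return 1;
    }

    DWORD_PTR address = 0x001E0000;
    WriteDword(hTargetProc, address, 0xDEADBEEF);
    /* Cast so %llx is correct on 32-bit builds too, where DWORD_PTR is 32 bits. */
    printf("Result of reading dword at 0x%llx address = 0x%x\n",
           (unsigned long long)address, ReadDword(hTargetProc, address));
    CloseHandle(hTargetProc);
    return 0;
}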
// DLL entry point: installs hot-patch hooks on CreateProcessA/W when the DLL
// attaches to a process and removes them on detach. Thread attach/detach
// reasons do nothing beyond `return TRUE`. SetPrivilege runs for every reason
// code, exactly as before.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    // change privilege
    SetPrivilege(SE_DEBUG_NAME, TRUE);

    if (fdwReason == DLL_PROCESS_ATTACH) {
        // hook
        hook_by_hotpatch("kernel32.dll", "CreateProcessA", (PROC)NewCreateProcessA);
        hook_by_hotpatch("kernel32.dll", "CreateProcessW", (PROC)NewCreateProcessW);
    } else if (fdwReason == DLL_PROCESS_DETACH) {
        // unhook
        unhook_by_hotpatch("kernel32.dll", "CreateProcessA");
        unhook_by_hotpatch("kernel32.dll", "CreateProcessW");
    }
    return TRUE;
}