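/// Forwards an event to every connection subscribed to it.
///
/// Only methods that have an entry in registered_events are forwarded; any
/// other method name returns without making a call. The remote function name
/// is built as "On." + method, so the registered_events key is the only
/// filter between an event name and a RemoteCall to the subscribers.
///
/// @param method  Event name; lookup key in registered_events.
/// @param params  Arguments handed unchanged to each RemoteCall.
void RemoteCallSubscriptionHandler::OnEvent(std::string method, std::vector<std::string> &params) {
    // Single lookup: find() replaces the count() + operator[] pair.
    auto entry = registered_events.find(method);
    if (entry == registered_events.end()) {
        return;
    }

    std::string func = "On." + method;
    std::vector<std::string> &conns = entry->second;

    // An empty subscriber list simply produces no calls.
    for (auto iter = conns.begin(); iter != conns.end(); ++iter) {
        RemoteCall(*iter, func, params);
    }
}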
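/**
 * Reroutes the child process's WriteConsoleA import to WriteFile on its
 * standard output handle.
 *
 * The function reads the PE headers of the child's main module through
 * ReadProcessMemory, walks the import descriptors until it finds
 * kernel32.dll, and scans that descriptor's thunk table for the address of
 * WriteConsoleA. When found, a small stub is written into the child and the
 * thunk is pointed at it; the stub replaces the first argument with
 * GetStdHandle(STD_OUTPUT_HANDLE) and jumps to WriteFile.
 *
 * Constraints visible in the code:
 *  - The stub is 32-bit x86 machine code and the thunk is written as a
 *    DWORD, so both this process and the child must be 32-bit.
 *  - kernel32.dll addresses are resolved in THIS process and used in the
 *    child, which relies on kernel32.dll being mapped at the same base in
 *    both processes.
 *  - RemoteCall is defined elsewhere; presumably it runs
 *    GetModuleHandleA(NULL) in the child and returns the result. Confirm
 *    against its definition.
 *
 * @return TRUE when the thunk was patched or when the child does not import
 *         WriteConsoleA at all; FALSE on any read, write, allocation or
 *         lookup failure, or when no kernel32.dll import descriptor exists.
 */
BOOL Process::RedirectConsole(void)
{
    DWORD oldprot, dummy = 0;
    DWORD bread, bwrite;
    IMAGE_DOS_HEADER DosHeader;
    IMAGE_NT_HEADERS NTHeader;
    IMAGE_IMPORT_DESCRIPTOR ImportDesc;
    IMAGE_THUNK_DATA Thunk;
    const char kernel32[] = "kernel32.dll";
    /* 12 placeholder characters plus the terminating NUL: exactly large
       enough for the lk32 bytes read below, and always NUL-terminated. */
    char pszModName[] = "XXXXXXXXXXXX";
    size_t lk32 = strlen(kernel32);

    /* Resolve every address up front. A NULL pfnOriginalProc must never
       reach the thunk scan: it would compare equal to the table's
       terminating zero entry and that entry would be patched. */
    HMODULE k32 = GetModuleHandleA(kernel32);
    if (!k32)
        return FALSE;
    PROC pfnOriginalProc = GetProcAddress(k32, "WriteConsoleA");
    PROC pfnGetStdHandle = GetProcAddress(k32, "GetStdHandle");
    PROC pfnWriteFile = GetProcAddress(k32, "WriteFile");
    if (!pfnOriginalProc || !pfnGetStdHandle || !pfnWriteFile)
        return FALSE;

    /* Base address of the child's main module. */
    ULONG_PTR base = RemoteCall((LPTHREAD_START_ROUTINE) GetModuleHandleA, NULL);
    if (!base)
        return FALSE;

    /* Validate the DOS and NT signatures before trusting any offset. */
    if (!ReadProcessMemory(m_pi.hProcess, (LPCVOID) base, &DosHeader, sizeof(DosHeader), &bread))
        return FALSE;
    if (DosHeader.e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;
    if (!ReadProcessMemory(m_pi.hProcess, (LPCVOID) (base + DosHeader.e_lfanew), &NTHeader, sizeof(NTHeader), &bread))
        return FALSE;
    if (NTHeader.Signature != IMAGE_NT_SIGNATURE)
        return FALSE;

    /* Walk the import descriptors until kernel32.dll or the zero terminator. */
    UINT_PTR impdesc = base + NTHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    do {
        if (!ReadProcessMemory(m_pi.hProcess, (LPCVOID) impdesc, &ImportDesc, sizeof(ImportDesc), &bread))
            return FALSE;
        if (!ReadProcessMemory(m_pi.hProcess, (LPCVOID) (base + ImportDesc.Name), pszModName, lk32, &bread))
            return FALSE;
        if (_stricmp(pszModName, kernel32) == 0)
            break;
        impdesc += sizeof(ImportDesc);
    } while (ImportDesc.Name);
    if (!ImportDesc.Name)
        return FALSE;

    /* Scan the bound thunk table for the WriteConsoleA entry. */
    UINT_PTR thunk = base + ImportDesc.FirstThunk;
    do {
        if (!ReadProcessMemory(m_pi.hProcess, (LPCVOID) thunk, &Thunk, sizeof(Thunk), &bread))
            return FALSE;

        if (Thunk.u1.Function == (LONG_PTR) pfnOriginalProc) {
            DWORD rel;
            unsigned char code[] = {
                0x6a, 0xf5,                     /* push STD_OUTPUT_HANDLE */
                0xe8, 0x00, 0x00, 0x00, 0x00,   /* call GetStdHandle */
                0x89, 0x44, 0x24, 0x04,         /* mov [esp + 4], eax */
                0xe9, 0x00, 0x00, 0x00, 0x00    /* jmp WriteFile */
            };

            /* Allocate the stub writable but not executable; it becomes
               read+execute only after it has been written, so the child
               never holds a page that is both writable and executable. */
            LPVOID stub = VirtualAllocEx(m_pi.hProcess, NULL, sizeof(code),
                                         MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
            if (!stub)
                return FALSE;
            DWORD rcode = (DWORD) (ULONG_PTR) stub;

            /* rel32 operands are relative to the end of the 5-byte
               instruction: call starts at offset 2, jmp at offset 11. */
            rel = (DWORD) (ULONG_PTR) pfnGetStdHandle - (rcode + 2) - 5;
            memcpy(&code[3], &rel, sizeof(DWORD));
            rel = (DWORD) (ULONG_PTR) pfnWriteFile - (rcode + 11) - 5;
            memcpy(&code[12], &rel, sizeof(DWORD));

            BOOL ok = WriteProcessMemory(m_pi.hProcess, stub, code, sizeof(code), &bwrite)
                   && VirtualProtectEx(m_pi.hProcess, stub, sizeof(code), PAGE_EXECUTE_READ, &dummy);
            if (ok) {
                FlushInstructionCache(m_pi.hProcess, stub, sizeof(code));
                /* The thunk page keeps its execute bit while it is
                   temporarily writable, in case the import table shares
                   a page with code; the saved protection is restored
                   right after the write. */
                ok = VirtualProtectEx(m_pi.hProcess, (LPVOID) thunk, sizeof(DWORD),
                                      PAGE_EXECUTE_READWRITE, &oldprot);
            }
            if (ok) {
                ok = WriteProcessMemory(m_pi.hProcess, (LPVOID) thunk, &rcode, sizeof(DWORD), &bwrite);
                /* Restore the original protection whether or not the write worked. */
                VirtualProtectEx(m_pi.hProcess, (LPVOID) thunk, sizeof(DWORD), oldprot, &dummy);
            }
            if (!ok) {
                /* The thunk still points at WriteConsoleA, so the stub is
                   unreferenced and can be released instead of leaked. */
                VirtualFreeEx(m_pi.hProcess, stub, 0, MEM_RELEASE);
                return FALSE;
            }
            return TRUE;
        }
        thunk += sizeof(Thunk);
    } while (Thunk.u1.Function);

    /* WriteConsoleA is not imported: nothing to redirect. */
    return TRUE;
}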