void EV_cbVirtualProtect() { unsigned int sec_addr=0; unsigned int sec_size=0; unsigned int esp_addr=0; BYTE* sec_data=0; esp_addr=(long)GetContextData(UE_ESP); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0); BYTE* header_code=(BYTE*)malloc2(0x1000); ReadProcessMemory(EV_fdProcessInfo->hProcess, (void*)(sec_addr-0x1000), header_code, 0x1000, 0); if(*(unsigned short*)header_code != 0x5A4D) //not a PE file { free2(header_code); return; } free2(header_code); DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); sec_data=(BYTE*)malloc2(sec_size); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0); unsigned int SetEnvA=0,SetEnvW=0; SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) { SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) { SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia..."); } } //SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW); SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvW); SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) { SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) { SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia..."); } } //SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA); SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvA); }
void EV_cbVirtualProtect() { DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); unsigned int sec_addr=0; unsigned int sec_size=0; unsigned int esp_addr=0; BYTE* sec_data=0; esp_addr=(long)GetContextData(UE_ESP); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0); sec_data=(BYTE*)malloc2(sec_size); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0); unsigned int SetEnvA=0,SetEnvW=0; SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) { SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) { SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia..."); } } SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW); SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) { SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) { SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia..."); } } SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA); }