bool mod_mimikatz_winmine::giveHandleAndAddr(structHandleAndAddr * monHandleAndAddr)
{
BYTE patternStartGame[] = {0x6a, 0x04, 0xeb, 0x02, 0x6a, 0x06, 0x5b, 0xa3};
BYTE patternPause[] = {0x02, 0x75, 0x0a, 0xa1};
BYTE patternReprise[] = {0x01, 0x74, 0x0a, 0xa1};
BYTE patternStart[] = {0x53, 0x56, 0x57, 0x33, 0xff, 0x3b, 0x05};
RtlZeroMemory(monHandleAndAddr, sizeof(structHandleAndAddr));
wstring nomDemineur(L"winmine.exe");
mod_process::KIWI_PROCESSENTRY32 monDemineur;
if(mod_process::getUniqueForName(&monDemineur, &nomDemineur))
{
monHandleAndAddr->pidWinmine = monDemineur.th32ProcessID;
mod_process::KIWI_MODULEENTRY32 monModule;
if(mod_process::getUniqueModuleForName(&monModule, NULL, &monDemineur.th32ProcessID))
{
PBYTE limit = monModule.modBaseAddr + monModule.modBaseSize, ptrTemp = NULL;
if(monHandleAndAddr->hWinmine = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, monDemineur.th32ProcessID))
{
if(mod_memory::searchMemory(monModule.modBaseAddr, limit, patternStartGame, &ptrTemp, sizeof(patternStartGame), true, monHandleAndAddr->hWinmine))
if(mod_memory::readMemory(ptrTemp + sizeof(patternStartGame), &ptrTemp, sizeof(ULONG), monHandleAndAddr->hWinmine)) // high bits of ptrTemp are already at 00000000
monHandleAndAddr->addrMonDemineur = reinterpret_cast<structMonDemineur *>(ptrTemp - sizeof(ULONG));
if(mod_memory::searchMemory(monModule.modBaseAddr, limit, patternPause, &ptrTemp, sizeof(patternPause), true, monHandleAndAddr->hWinmine))
monHandleAndAddr->addrPause = reinterpret_cast<PTHREAD_START_ROUTINE>(ptrTemp - 11);
if(mod_memory::searchMemory(monModule.modBaseAddr, limit, patternReprise, &ptrTemp, sizeof(patternReprise), true, monHandleAndAddr->hWinmine))
monHandleAndAddr->addrResume = reinterpret_cast<PTHREAD_START_ROUTINE>(ptrTemp - 6);
if(mod_memory::searchMemory(monModule.modBaseAddr, limit, patternStart, &ptrTemp, sizeof(patternStart), true, monHandleAndAddr->hWinmine))
monHandleAndAddr->addrStart = reinterpret_cast<PTHREAD_START_ROUTINE>(ptrTemp - 11);
}
}
}
bool reussite = monHandleAndAddr->hWinmine && monHandleAndAddr->addrMonDemineur && monHandleAndAddr->addrStart && monHandleAndAddr->addrPause && monHandleAndAddr->addrResume;
if(!reussite && monHandleAndAddr->hWinmine)
CloseHandle(monHandleAndAddr->hWinmine);
return reussite;
}
bool mod_mimikatz_minesweeper::giveHandleAndAddr(structHandleAndAddr * monHandleAndAddr)
{
#ifdef _M_X64
BYTE PTRN_WIN6_Game_SafeGetSingleton[] = {0x48, 0x89, 0x44, 0x24, 0x70, 0x48, 0x85, 0xc0, 0x74, 0x0a, 0x48, 0x8b, 0xc8, 0xe8};
LONG OFFS_WIN6_ToG = -(5 + 5 + 6 + 4 + 1);
#elif defined _M_IX86
BYTE PTRN_WIN6_Game_SafeGetSingleton[] = {0x84, 0xc0, 0x75, 0x07, 0x6a, 0x67, 0xe8};
LONG OFFS_WIN6_ToG = sizeof(PTRN_WIN6_Game_SafeGetSingleton) + 4 + 1;
#endif
RtlZeroMemory(monHandleAndAddr, sizeof(structHandleAndAddr));
wstring nomDemineur(L"minesweeper.exe");
mod_process::KIWI_PROCESSENTRY32 monDemineur;
if(mod_process::getUniqueForName(&monDemineur, &nomDemineur))
{
monHandleAndAddr->pidMineSweeper = monDemineur.th32ProcessID;
mod_process::KIWI_MODULEENTRY32 monModule;
if(mod_process::getUniqueModuleForName(&monModule, NULL, &monDemineur.th32ProcessID))
{
PBYTE limit = monModule.modBaseAddr + monModule.modBaseSize, ptrTemp = NULL;
if(monHandleAndAddr->hMineSweeper = OpenProcess(PROCESS_VM_READ, false, monHandleAndAddr->pidMineSweeper))
if(mod_memory::searchMemory(monModule.modBaseAddr, limit, PTRN_WIN6_Game_SafeGetSingleton, &ptrTemp, sizeof(PTRN_WIN6_Game_SafeGetSingleton), true, monHandleAndAddr->hMineSweeper))
{
#ifdef _M_X64
long offsetTemp = 0;
if(mod_memory::readMemory(ptrTemp + OFFS_WIN6_ToG, &offsetTemp, sizeof(offsetTemp), monHandleAndAddr->hMineSweeper))
mod_memory::readMemory((ptrTemp + OFFS_WIN6_ToG) + sizeof(long) + offsetTemp + 1, &monHandleAndAddr->G, sizeof(monHandleAndAddr->G), monHandleAndAddr->hMineSweeper);
#elif defined _M_IX86
if(mod_memory::readMemory(ptrTemp + OFFS_WIN6_ToG, &ptrTemp, sizeof(ptrTemp), monHandleAndAddr->hMineSweeper))
mod_memory::readMemory(ptrTemp, &monHandleAndAddr->G, sizeof(monHandleAndAddr->G), monHandleAndAddr->hMineSweeper);
#endif
}
}
}
bool reussite = monHandleAndAddr->hMineSweeper && monHandleAndAddr->G;
if(!reussite && monHandleAndAddr->hMineSweeper)
CloseHandle(monHandleAndAddr->hMineSweeper);
return reussite;
}
