#include <Windows.h>
#include <iostream>
#include <stdio.h>
#include "ntddk.h"
#include "ntdll_undoc.h"
#include "util.h"
#include "peb_lookup.h"
#include <psapi.h>
#pragma comment(lib, "Ntdll.lib")
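/// Store `new_params` as the PEB's ProcessParameters pointer.
///
/// The PEB and RTL_USER_PROCESS_PARAMETERS variants (32- and 64-bit) are
/// project-declared types, so the pointer is written as a raw byte copy
/// rather than a typed assignment.  Only sizeof(new_params) bytes are
/// written: on WoW64 the PEB64 slot may be wider than a 32-bit pointer, and
/// its upper bytes are left as they were (the caller passes back the value
/// it read from that same slot, so nothing is lost).  The static_assert
/// guards against the opposite case, a slot narrower than the pointer.
///
/// memcpy cannot fail (it returns its destination), so there is nothing to
/// test at run time; the only error reported is a null PEB pointer.
///
/// @return false with a message on stdout if `local_peb` is null;
///         true once the pointer has been written.
template <typename PEB_TYPE, typename PARAMS_TYPE>
bool update_my_peb(PEB_TYPE local_peb, PARAMS_TYPE new_params)
{
    static_assert(sizeof(new_params) <= sizeof(local_peb->ProcessParameters),
        "ProcessParameters slot is narrower than the pointer being stored");
    if (local_peb == nullptr) {
        std::cout << "Cannot update Params!" << std::endl;
        return false;
    }
    memcpy(&local_peb->ProcessParameters, &new_params, sizeof(new_params));
    return true;
}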
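/// Copy `wstr` into the pre-allocated buffer of a UNICODE_STRING-like
/// object and update its Length.
///
/// The buffer is always left NUL-terminated.  PEB strings such as
/// ProcessParameters->CommandLine are commonly handed out by Win32 as plain
/// C strings (e.g. GetCommandLineW), so a payload that exactly filled
/// MaximumLength would leave readers with an unterminated buffer and an
/// out-of-bounds read.  A string is therefore accepted only if it fits
/// together with its terminator.
///
/// @param uStr  target string; Buffer must already point at MaximumLength
///              bytes of writable memory (this routine never reallocates).
/// @param wstr  NUL-terminated source.
/// @return false (with a message on stderr) if a pointer is null or the
///         string does not fit; true once Buffer and Length are set.
///         MaximumLength is never changed.
template <typename UNIC_STR_TYPE>
bool setup_ustring(UNIC_STR_TYPE *uStr, wchar_t *wstr)
{
    if (uStr == nullptr || wstr == nullptr || uStr->Buffer == nullptr) {
        std::cerr << "Invalid string argument" << std::endl;
        return false;
    }
    const size_t byte_len = wcslen(wstr) * sizeof(wchar_t);
    // Require room for the payload plus one terminating wchar_t.
    if (byte_len + sizeof(wchar_t) > uStr->MaximumLength) {
        std::cerr << "The input string is too long" << std::endl;
        return false;
    }
    memset(uStr->Buffer, 0, uStr->MaximumLength);
    memcpy(uStr->Buffer, wstr, byte_len);
    uStr->Length = static_cast<decltype(uStr->Length)>(byte_len);
    return true;
}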
/// Point every path-like field of `new_params` at `targetPath`.
///
/// ImagePathName, CommandLine and WindowTitle all receive the target path
/// verbatim; CurrentDirectory.DosPath receives whatever get_directory()
/// (util.h) fills in for it.  Each write goes through setup_ustring() into
/// the buffers the process was started with, so the target must fit within
/// their existing MaximumLength.
///
/// Note: CommandLine is set to the bare, unquoted path.  A path containing
/// spaces would parse as several arguments for anything that splits
/// CommandLine; fine for the demo target, worth knowing if targetPath is
/// ever made configurable.
///
/// @return false as soon as one field cannot be set (earlier fields stay
///         modified); true when all four are updated.
template <typename PARAMS_TYPE>
bool overwrite_params(PARAMS_TYPE new_params, LPWSTR targetPath)
{
    // The three fields that simply mirror the target path, in the order
    // they are written.
    decltype(&new_params->ImagePathName) mirrored[] = {
        &new_params->ImagePathName,
        &new_params->CommandLine,
        &new_params->WindowTitle,
    };
    for (auto *field : mirrored) {
        if (!setup_ustring(field, targetPath)) {
            return false;
        }
    }
    // The current directory is derived from the target's location.
    wchar_t dirPath[MAX_PATH] = { 0 };
    get_directory(targetPath, dirPath, MAX_PATH);
    return setup_ustring(&new_params->CurrentDirectory.DosPath, dirPath);
}
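/// Locate the native (64-bit) PEB of `hProcess` from a WoW64 process.
///
/// Uses NtWow64QueryInformationProcess64 (ntdll_undoc.h; presumably
/// resolved by init_ntdll_func(), which wmain() calls first) because the
/// 32-bit ProcessBasicInformation query only reports the 32-bit PEB.
///
/// @param hProcess  process to query (the demo passes its own handle).
/// @param pbi64     receives the full PROCESS_BASIC_INFORMATION_WOW64; it is
///                  zeroed on every path so a failed call leaves nothing
///                  stale behind.
/// @return the 64-bit PEB address as a pointer, or nullptr when the function
///         pointer was never resolved or the query did not succeed.
///
/// NOTE(review): PebBaseAddress is a 64-bit value being narrowed to a
/// pointer of this image.  That appears to work for the WoW64 process
/// itself (the demo's only use), but is not a documented contract --
/// confirm before reusing this helper for other process handles.
PPEB64 get_peb64(HANDLE hProcess, OUT PROCESS_BASIC_INFORMATION_WOW64 &pbi64)
{
    memset(&pbi64, 0, sizeof(PROCESS_BASIC_INFORMATION_WOW64));
    if (NtWow64QueryInformationProcess64 == nullptr) {
        // Pointer-returning function: return nullptr, never `false`.
        return nullptr;
    }
    ULONG outLength = 0;
    const NTSTATUS status = NtWow64QueryInformationProcess64(
        hProcess,
        ProcessBasicInformation,
        &pbi64,
        sizeof(PROCESS_BASIC_INFORMATION_WOW64),
        &outLength
    );
    if (status != STATUS_SUCCESS) {
        return nullptr;
    }
    return reinterpret_cast<PPEB64>(pbi64.PebBaseAddress);
}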
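/// Rewrite the current process's ProcessParameters (and, on WoW64, the
/// native 64-bit copy as well) so they name `targetPath`, then call
/// set_module_name() (peb_lookup.h) with the new ImagePathName -- that
/// helper is expected to propagate the name to the loader's module list;
/// confirm there.
///
/// The caller must hold PEB->FastPebLock (wmain() takes it around this
/// call): the parameters are edited in place and other threads may read
/// them.
///
/// @param isWow64    true when running as a 32-bit image on 64-bit Windows;
///                   the 64-bit PEB is then patched first, the 32-bit one
///                   second.
/// @param myPeb      the PEB native to this image.
/// @param targetPath path to masquerade as.
/// @return true only when every step succeeded.  Every failure path returns
///         false (not -1, which would silently convert to true in a bool
///         function and report a failed, partial rewrite as success).
///         Earlier steps are NOT rolled back, so on false the PEB may be
///         left partly rewritten -- treat it as "process state unreliable",
///         not as "nothing happened".
bool update_params_in_peb(bool isWow64, PPEB myPeb, wchar_t *targetPath)
{
    if (myPeb == nullptr || targetPath == nullptr) {
        return false;
    }
    if (isWow64) {
        PROCESS_BASIC_INFORMATION_WOW64 pbi64 = { 0 };
        PPEB64 pebWow64 = get_peb64(GetCurrentProcess(), pbi64);
        if (pebWow64 == nullptr) {
            std::cerr << "Fetching PEB64 failed!" << std::endl;
            return false;
        }
        PRTL_USER_PROCESS_PARAMETERS64 params64 = pebWow64->ProcessParameters;
        if (!overwrite_params<PRTL_USER_PROCESS_PARAMETERS64>(params64, targetPath)) {
            return false;
        }
        if (!update_my_peb(pebWow64, params64)) {
            return false;
        }
    }
    PRTL_USER_PROCESS_PARAMETERS params = myPeb->ProcessParameters;
    if (!overwrite_params<PRTL_USER_PROCESS_PARAMETERS>(params, targetPath)) {
        return false;
    }
    if (!update_my_peb(myPeb, params)) {
        return false;
    }
    return set_module_name(params->ImagePathName);
}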
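/// Demo entry point: make the current process describe itself as calc.exe
/// in its own PEB, then show that the image name reported outside the PEB
/// is unchanged.
///
/// Steps: detect WoW64, resolve the needed ntdll exports, build the target
/// path, patch ProcessParameters under FastPebLock, then display the spoofed
/// identity and, in a second box, the path returned by
/// GetProcessImageFileNameW().  That API does not read the PEB, so the box
/// shows the real binary -- a reminder for detection engineers that PEB
/// masquerading does not alter what kernel-sourced telemetry reports.
///
/// @return 0 on success; -1 if setup, the PEB rewrite or the real-path
///         lookup failed; -2 if the PEB lock could not be taken.
int wmain()
{
    BOOL isWow64 = FALSE;
    if (!IsWow64Process(GetCurrentProcess(), &isWow64)) {
        // Without a reliable answer we might patch only one of two PEBs.
        printf("IsWow64Process failed: %lu\n", GetLastError());
        return -1;
    }
    std::cout << "IsWow64" << " : " << isWow64 << std::endl;
    if (init_ntdll_func(isWow64) == false) {
        printf("Cannot load functions!\n");
        return -1;
    }
    // Target identity.  It must fit the PEB string buffers the process was
    // started with (see setup_ustring), so keep it short.
    wchar_t calcPath[MAX_PATH] = { 0 };
    const DWORD expanded = ExpandEnvironmentStringsW(
        L"%SystemRoot%\\system32\\calc.exe", calcPath, MAX_PATH);
    if (expanded == 0 || expanded > MAX_PATH) {
        // 0 = failure; > MAX_PATH = the expansion did not fit and was truncated.
        printf("Cannot expand the target path!\n");
        return -1;
    }
    wchar_t *targetPath = calcPath;

    PTEB myTeb = NtCurrentTeb();
    PPEB myPeb = myTeb->ProcessEnvironmentBlock;

    // ProcessParameters is shared process-wide; hold the PEB lock so no
    // other thread observes a half-written string.
    if (RtlEnterCriticalSection(myPeb->FastPebLock) != STATUS_SUCCESS) {
        return -2;
    }
    const bool is_ok = update_params_in_peb(isWow64, myPeb, targetPath);
    RtlLeaveCriticalSection(myPeb->FastPebLock);
    if (!is_ok) {
        // The PEB may be partly rewritten at this point; nothing is rolled back.
        return -1;
    }
    MessageBoxW(GetDesktopWindow(), L"My momma calls me calc :D", L"Hello", MB_OK);

    // Read the real path: GetProcessImageFileNameW does not consult the PEB.
    wchar_t real_path[MAX_PATH] = { 0 };
    if (GetProcessImageFileNameW(NtCurrentProcess(), real_path, MAX_PATH) == 0) {
        printf("GetProcessImageFileNameW failed: %lu\n", GetLastError());
        return -1;
    }
    MessageBoxW(GetDesktopWindow(), real_path, L"Real path:", MB_OK);
    return 0;
}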
/// GUI-subsystem entry point.  The demo takes no command-line input, so the
/// Win32 arguments are deliberately ignored and everything is delegated to
/// wmain(), whose exit code is returned unchanged.
int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow)
{
    (void)hInstance;
    (void)hPrevInstance;
    (void)pCmdLine;
    (void)nCmdShow;
    const int exit_code = wmain();
    return exit_code;
}