#include <Windows.h>
#include <winternl.h>
#include <filesystem>
#include <string.h>
#include <stdio.h>
#include <vector>
#include <intrin.h>
#include <TlHelp32.h>
#include <string>
#include <string_view>
#include <iostream>
#include <filesystem>
#include "libs/minhook/include/MinHook.h"
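// Overwrites `length` bytes at `place` with the bytes at `data`.
//
// The destination is expected to be code (the caller uses this to rewrite
// function prologues), so the page(s) are temporarily switched to
// PAGE_EXECUTE_READWRITE, the previous protection is put back afterwards and
// the instruction cache is flushed so the CPU picks up the new bytes.
//
// Returns true when the bytes were written.  Returns false, writing nothing,
// when a pointer is null or VirtualProtect refuses the protection change —
// the original ignored that result and would have gone on to fault in the
// memmove on a non-writable page.  A zero-length copy is a successful no-op.
bool util_copy(void* place, const void* data, const size_t length)
{
    if (place == nullptr || data == nullptr)
        return false;
    if (length == 0)
        return true;

    const SIZE_T span = static_cast<SIZE_T>(length);

    DWORD old_protect{};
    if (!VirtualProtect(place, span, PAGE_EXECUTE_READWRITE, &old_protect))
        return false;

    std::memmove(place, data, length);

    // Best effort: the copy has already happened, so a failure to restore the
    // old protection is not reported as a copy failure.
    DWORD ignored{};
    VirtualProtect(place, span, old_protect, &ignored);
    FlushInstructionCache(GetCurrentProcess(), place, span);
    return true;
}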
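// Snapshots (first call) and later restores (every following call) the first
// 15 bytes of a fixed list of ntdll Dbg* exports.
//
// The first call reads 15 bytes from each export into a static buffer; each
// subsequent call copies those bytes back over the export with util_copy.
// Judging by the name this exists to undo in-process patches applied to these
// entry points (e.g. by anti-debugging code) — that intent is inferred, not
// shown here.
//
// Review notes:
//  - The snapshot is only trustworthy if taken before anything has modified
//    these exports; if an export was already patched on the first call, the
//    patched bytes are what later gets "restored".
//  - 15 bytes is a fixed size, not derived from the instruction stream; it is
//    assumed to cover what gets patched.
//  - The static state is unsynchronized; concurrent callers are not supported.
//  - Exports that cannot be resolved are skipped on every call; their buffer
//    stays zero-filled and is never written back.
void RestoreNtdllDbgFunctions()
{
    static const char* functions[] = {
        "DbgBreakPoint",
        "DbgUserBreakPoint",
        "DbgUiConnectToDbg",
        "DbgUiContinue",
        "DbgUiConvertStateChangeStructure",
        "DbgUiDebugActiveProcess",
        "DbgUiGetThreadDebugObject",
        "DbgUiIssueRemoteBreakin",
        "DbgUiRemoteBreakin",
        "DbgUiSetThreadDebugObject",
        "DbgUiStopDebugging",
        "DbgUiWaitStateChange",
        "DbgPrintReturnControlC",
        "DbgPrompt",
    };
    using buffer = uint8_t[15];
    static buffer buffers[ARRAYSIZE(functions)] = {};
    static bool loaded = false;

    // Resolved once per call rather than per export; the explicit A variant
    // keeps the narrow literal compiling regardless of UNICODE.
    const HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == nullptr)
    {
        // Do not flip `loaded`: with the module unavailable nothing was
        // snapshotted, and a later call would otherwise write the all-zero
        // buffers over live code.
        return;
    }

    for (size_t i = 0; i < ARRAYSIZE(functions); ++i)
    {
        void* functionAddr = reinterpret_cast<void*>(GetProcAddress(ntdll, functions[i]));
        if (functionAddr == nullptr)
            continue;

        if (!loaded)
        {
            std::memcpy(buffers[i], functionAddr, sizeof(buffer));
        }
        else
        {
            util_copy(functionAddr, buffers[i], sizeof(buffer));
        }
    }
    loaded = true;
}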
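// Enables SeDebugPrivilege on the current process token.
//
// Returns true only when the privilege is actually enabled afterwards.
// AdjustTokenPrivileges returns TRUE even when the token does not hold the
// privilege at all — it merely sets the last error to ERROR_NOT_ALL_ASSIGNED —
// so the original reported success from any process, elevated or not.  The
// documented check (GetLastError() == ERROR_SUCCESS after a TRUE return) is
// applied here.  A non-elevated caller should therefore expect false.
bool EnableDebugPrivilege()
{
    HANDLE hToken = nullptr;
    // PreviousState is not requested below, so TOKEN_ADJUST_PRIVILEGES alone suffices.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return false;

    bool enabled = false;
    TOKEN_PRIVILEGES tp{};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValue(nullptr, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), nullptr, nullptr))
        {
            // TRUE with ERROR_NOT_ALL_ASSIGNED means the privilege is absent from the token.
            enabled = (GetLastError() == ERROR_SUCCESS);
        }
    }

    CloseHandle(hToken);
    return enabled;
}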