#include<Windows.h>
#include<TlHelp32.h>
#include<iostream>
using namespace std;
DWORD getPid(LPWSTR procName);
int privileges();
static DWORD Stub_for_mgsbox();
// Replacement with the same four-argument shape as MessageBoxW. Every argument
// is ignored and the function returns `true` (converted to int 1).
// Nothing in this file references it: main() injects RMesage instead, and
// HookFunction takes its target address as a parameter. Dead code as written.
int MyMessageBoxW(IN HWND hWnd, IN LPWSTR lpText, IN LPWSTR lpCaption, IN UINT uType)
{
return true;
}
// Does nothing; it exists only so that its address can act as an end marker.
// main() computes `(PBYTE)Stub_for_mgsbox - (PBYTE)RMesage` and treats the
// result as the byte length of RMesage.
// NOTE(review): that only works if the toolchain emits the two functions
// adjacent and in source order; nothing in the language guarantees it. A
// different layout (reordering, padding, LTO, function-level linking) yields a
// wrong length, and a negative difference wraps to a huge value in the DWORD
// that receives it.
static DWORD Stub_for_mgsbox(){
return 0;
}
// Plants a 5-byte relative JMP at the start of user32!MessageBoxW inside the
// target Process so that calls land at lpFunction, saving the original bytes
// in lpBackup.
//
// Process     handle to the target process (opened by main()).
// lpFunction  address, valid in the target process, that the JMP should reach.
// lpBackup    caller-supplied buffer; 6 bytes are written into it.
// Returns     the address of MessageBoxW that was patched (see caveat below).
//
// Caveats a reader should know:
// * The address is resolved with GetModuleHandleA/GetProcAddress in THIS
//   process, then used in the target. The code therefore assumes user32.dll
//   is mapped at the same base in both processes; nothing here verifies that.
// * The pointer is cast to DWORD (32 bits). This only holds for an x86 build;
//   on x64 the cast truncates the address.
// * `jmp` is a 5-byte array, but 6 bytes are read for the backup and 6 bytes
//   are written with WriteProcessMemory, so one byte past the end of `jmp`
//   (stack garbage) is copied into the target.
// * None of ReadProcessMemory, VirtualProtectEx or WriteProcessMemory has its
//   return value checked; a failed step is silently ignored.
// * The protection is restored from pPrevious, so the original protection is
//   only put back if the first VirtualProtectEx actually succeeded.
//
// From a defensive standpoint this is the textbook inline-hook sequence —
// VirtualProtectEx to an executable+writable protection on a system DLL
// export in another process followed by a cross-process write of an E9 JMP —
// and is the kind of modification that code-integrity checks and comparison of
// the in-memory user32 text section against its on-disk image will surface.
DWORD HookFunction(HANDLE Process, LPVOID lpFunction, unsigned char *lpBackup)
{
DWORD dwAddr = (DWORD)::GetProcAddress(::GetModuleHandleA("user32.dll"), "MessageBoxW");
// E9 <rel32>: the four displacement bytes are filled in below.
BYTE jmp[5] = { 0xE9,0x00, 0x00, 0x00, 0x00 };
ReadProcessMemory(Process, (LPVOID)dwAddr, lpBackup, 6, 0);
// rel32 is relative to the end of the 5-byte instruction, hence the "- 5".
DWORD dwCalc = ((DWORD)lpFunction - dwAddr - 5);
DWORD pPrevious = 0;
VirtualProtectEx(Process,(void*)dwAddr, 6, PAGE_EXECUTE_READWRITE, &pPrevious);
memcpy(&jmp[1], &dwCalc, 4);
WriteProcessMemory(Process, (LPVOID)dwAddr, jmp, 6, 0);
VirtualProtectEx(Process, (void*)dwAddr, 6, pPrevious, &pPrevious);
return dwAddr;
}
// The code that main() copies into the target process and that the planted
// JMP redirects MessageBoxW calls to. It is a naked function (no prologue or
// epilogue is generated) whose entire body is `ret 0x10`: return immediately
// and pop 16 bytes of arguments from the stack — presumably to mirror the
// stdcall cleanup of MessageBoxW's four 4-byte parameters. EAX is never set,
// so the value the caller sees as MessageBoxW's result is whatever happened to
// be in the register. `__declspec(naked)` and the `__asm` block are MSVC
// features and the hard-coded frame size is only meaningful for x86.
// The function's length is never known to the compiler; main() estimates it
// from the address of the following function (see Stub_for_mgsbox).
__declspec(naked) int RMesage(IN HWND hWnd, IN LPWSTR lpText, IN LPWSTR lpCaption, IN UINT uType)
{
__asm
{
ret 0x10
}
}
// Entry point. Locates a process named "test.exe", copies RMesage into it and
// redirects that process's MessageBoxW to the copy.
//
// Exit codes: 10 if no such process is found, 20 if OpenProcess fails,
// otherwise ERROR_SUCCESS (0) regardless of whether the later steps worked.
//
// Things a reader should notice:
// * privileges() is declared and defined in this file but never called, so
//   no SeDebugPrivilege is enabled before OpenProcess(PROCESS_ALL_ACCESS, ...).
// * The region is allocated with PAGE_READWRITE, i.e. not executable, even
//   though HookFunction points a JMP at it.
// * VirtualAllocEx and WriteProcessMemory return values are not checked; a
//   NULL allocation would be passed straight into HookFunction.
// * `hook` receives the 6 original bytes of MessageBoxW but they are never
//   written back, so the target is left permanently patched.
// * OpenProc is never closed (handle leak for the life of the process).
//
// Defender's view: PROCESS_ALL_ACCESS handle to another process, followed by
// VirtualAllocEx + WriteProcessMemory into it, is the classic cross-process
// write pattern that process-access auditing and EDR telemetry key on.
int main()
{
DWORD Pid = getPid(L"test.exe");
if (Pid == 0) return 10;
HANDLE OpenProc = OpenProcess(PROCESS_ALL_ACCESS, false, Pid);
if (OpenProc == 0) return 20;
// Length of RMesage estimated from function adjacency — see Stub_for_mgsbox.
DWORD szHookFSize = (PBYTE)Stub_for_mgsbox - (PBYTE)RMesage;
LPVOID szHookFAddr = VirtualAllocEx(OpenProc, 0, szHookFSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(OpenProc, szHookFAddr, (void*)RMesage, szHookFSize, 0);
// Backup of the overwritten MessageBoxW bytes; HookFunction fills 6 of them.
BYTE hook[6];
HookFunction(OpenProc, szHookFAddr, hook);
return ERROR_SUCCESS;
}
// Attempts to enable SeDebugPrivilege on the current process token.
//
// Returns 0 when AdjustTokenPrivileges reports success, 1 when it fails or
// when the token could not be opened. (Note the inverted sense: 0 = success.)
//
// Not called from anywhere in this file.
//
// Caveats:
// * LookupPrivilegeValue's return value is ignored; on failure the LUID in
//   `tp` is left uninitialized and still handed to AdjustTokenPrivileges.
// * AdjustTokenPrivileges can return nonzero without granting anything (the
//   privilege is absent from the token and GetLastError reports
//   ERROR_NOT_ALL_ASSIGNED); that case is reported here as success (0).
// * `Token` is never closed.
// Enabling SeDebugPrivilege is itself an auditable token adjustment, which is
// why monitoring commonly treats it as a precursor to cross-process access.
int privileges(){
HANDLE Token;
TOKEN_PRIVILEGES tp;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL) == 0){
return 1;
}
else{
return 0;
}
}
return 1;
}
// Walks the system process list (Toolhelp snapshot) looking for an executable
// whose name equals procName (case-sensitive lstrcmpW).
//
// procName  executable file name to match, e.g. L"test.exe".
// Returns   the PID of the first match, or 0 if none is found.
//
// Caveats:
// * CreateToolhelp32Snapshot's result is not checked against
//   INVALID_HANDLE_VALUE before use.
// * Process32First is never called. The first loop iteration compares
//   `pt.szExeFile` while it is still uninitialized stack memory, and the
//   Toolhelp contract is that Process32First precedes Process32Next.
// * lstrcmpW is case-sensitive, so "Test.exe" would not match "test.exe".
DWORD getPid(LPWSTR procName){
HANDLE hsnap;
PROCESSENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
// dwSize must be set before the entry is passed to the Process32* functions.
pt.dwSize = sizeof(PROCESSENTRY32);
do{
if (!lstrcmpW(pt.szExeFile, procName)){
DWORD pid = pt.th32ProcessID;
CloseHandle(hsnap);
return pid;
}
} while (Process32Next(hsnap, &pt));
CloseHandle(hsnap);
return 0;
}