//
// File: LdrHotPatchRoutine.c
// Author: tombkeeper
// Date: 2010.11.3
// Description: LdrHotPatchRoutine testing -- builds a HotPatchBuffer naming hello.dll as the
//              "patcher" for ntdll.dll and calls ntdll!LdrHotPatchRoutine through the pointer
//              read from the fixed-address SharedUserData slot 0x7ffe0350 (not GetProcAddress).
//              32-bit (x86) build only: the slots are read as 32-bit pointers and the
//              breakpoint uses inline asm.
//
#include <windows.h>
// Argument block handed by address to LdrHotPatchRoutine (see main()).
//
// The *Offset fields are byte offsets from the start of this struct: main()
// fills them with 0x14 / 0x34, which are exactly where PatcherName and
// PatcheeName land below (4-byte ULONGs, then six 2-byte USHORTs = 20 bytes).
// Any change to the field order or types breaks those constants.
// The *Len fields are byte lengths WITHOUT the wide NUL (main() uses
// sizeof(name) - 2).
//
// The "Unknown" names and the "must" remarks record what the original author
// observed the routine to require, not a documented contract -- treat them as
// constraints to re-verify, not as semantics.
typedef struct _HotPatchBuffer
{
ULONG Unknown01; // &0x20000000 must not be 0 (observed requirement)
ULONG Unknown02;
USHORT PatcherNameOffset; // byte offset of PatcherName from struct start
USHORT PatcherNameLen; // byte length, no terminator; must be even, obviously
USHORT PatcheeNameOffset; // byte offset of PatcheeName from struct start
USHORT PatcheeNameLen; // byte length, no terminator; must not be 0
USHORT UnknownNameOffset; // main() sets this to a value outside the struct; purpose unknown
USHORT UnknownNameLen; // must be even, obviously
USHORT PatcherName[0x10]; // fixed 16-slot wide-char field; NUL-terminated only if the name is < 16 chars
USHORT PatcheeName[0x10]; // same
// NOTE(review): PHotPatchBuffer is a second alias for the struct itself, not a
// pointer typedef (*PHotPatchBuffer) as the Windows P-prefix convention
// suggests. Nothing in this file uses it; fix the declaration before relying on it.
} HotPatchBuffer, PHotPatchBuffer;
// File-scope, hence zero-initialised: every byte main() does not write (the
// unused tail of each 16-slot name field) stays 0 when the buffer is passed
// to LdrHotPatchRoutine.
HotPatchBuffer hpb;
// Wide-char names declared as USHORT (presumably to match the buffer's field
// type; relies on the C-mode MSVC wchar_t == unsigned short typedef).
// sizeof(...) of each includes the 2-byte terminator, which main() subtracts
// when filling the *Len fields.
USHORT Patcher[] = L"hello.dll"; // module named as the "patcher"
USHORT Patchee[] = L"ntdll.dll"; // module named as the patch target
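// Test driver: fill the global HotPatchBuffer and call LdrHotPatchRoutine on it.
//
// The routine is reached through the fixed-address SharedUserData page
// (0x7ffe0350 / 0x7ffe0360) rather than the loader, i.e. the call does not
// depend on where ntdll was mapped. Those slots only hold meaningful values on
// the Windows builds this test was written against; on a build where the slot
// is empty the original code would make a NULL call, so that case now returns 1.
//
// Returns 0 after the call, 1 if the routine pointer could not be obtained.
// argc/argv are unused.
int main( int argc, char **argv )
{
    FARPROC pLdrHotPatchRoutine;
    FARPROC pRtlUserThreadStart;
    /* Number of USHORT slots in each fixed-size name field of the buffer. */
    const size_t nameSlots = sizeof(hpb.PatcherName) / sizeof(hpb.PatcherName[0]);

    /* Both names (terminator included) must fit their fixed 16-slot fields;
       checked at compile time so a longer name cannot silently truncate. */
    C_ASSERT( sizeof(Patcher) <= sizeof(hpb.PatcherName) );
    C_ASSERT( sizeof(Patchee) <= sizeof(hpb.PatcheeName) );

#ifdef _WIN64
    /* The slots below are read as 32-bit pointers and the breakpoint uses
       inline asm; neither is valid in a 64-bit build. */
#error "LdrHotPatchRoutine.c is a 32-bit (x86) test only"
#endif

    (void)argc;
    (void)argv;

    /*
     * Resolve the two ntdll routines through SharedUserData instead of the
     * loader. The loader route is kept here for comparison:
     *   pLdrHotPatchRoutine = GetProcAddress( LoadLibrary("ntdll.dll"), "LdrHotPatchRoutine" );
     */
    pLdrHotPatchRoutine = (FARPROC)*(DWORD*)(0x7ffe0350);
    pRtlUserThreadStart = (FARPROC)*(DWORD*)(0x7ffe0360);
    (void)pRtlUserThreadStart; /* only needed by the alternate entry in the comment below */

    /* An empty slot would turn the call below into a NULL call; refuse instead. */
    if ( pLdrHotPatchRoutine == NULL )
    {
        return 1;
    }

    hpb.Unknown01 = 0x20000000; /* the bit the routine was observed to require */
    hpb.Unknown02 = 0x00000000;
    /* Offsets are byte offsets from the start of the buffer; derive them from
       the layout (0x14 / 0x34 for this struct) instead of hard-coding them. */
    hpb.PatcherNameOffset = (USHORT)FIELD_OFFSET( HotPatchBuffer, PatcherName );
    hpb.PatcherNameLen    = (USHORT)( sizeof(Patcher) - 2 ); /* bytes, no terminator */
    hpb.PatcheeNameOffset = (USHORT)FIELD_OFFSET( HotPatchBuffer, PatcheeName );
    hpb.PatcheeNameLen    = (USHORT)( sizeof(Patchee) - 2 ); /* bytes, no terminator */
    /* Kept from the original test: deliberately points outside the buffer.
       Presumably not dereferenced on this path -- confirm before reusing. */
    hpb.UnknownNameOffset = 0x1212;
    hpb.UnknownNameLen    = 0x4;

    /* Bounded by the field size; the tail of each field stays zero because
       hpb is a zero-initialised global. */
    wcsncpy( hpb.PatcherName, Patcher, nameSlots );
    wcsncpy( hpb.PatcheeName, Patchee, nameSlots );

    /* Break right before the call so the buffer and the target can be
       inspected. Only do so under a debugger: an unhandled int 3 kills the
       process before the call is ever made. */
    if ( IsDebuggerPresent() )
    {
        __asm int 3
    }

    pLdrHotPatchRoutine(&hpb);

    /*
     * Alternate entry used while testing: apparently hands the buffer to the
     * routine via RtlUserThreadStart (eax = routine, ebx = argument) instead
     * of calling it directly.
     *
     *   __asm
     *   {
     *       mov eax, dword ptr ds:[0x7ffe0350] //LdrHotPatchRoutine
     *       lea ebx, hpb
     *       jmp dword ptr ds:[0x7ffe0360] //RtlUserThreadStart
     *   }
     */
    return 0;
}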