Add files

Author: daedsidog

.gitignore

@@ -1,3 +1,6 @@
+# IDE
+.clangd
+
 # Prerequisites
 *.d
 

src/defs.h

@@ -0,0 +1,9 @@
+#define PE_BASE 0xA40000 // This address is the current PE base of prog_cpp.exe, and will change if you compile the binary yourself.
+
+#define DEREF(x) (*((int *)base_addr + ((int*)x - (int*)PE_BASE)))
+#define OFFSET(x) (int*)(base_addr + ((int*)x - (int*)PE_BASE))
+#define LOWORD_ALT(x) (*((unsigned short*)&(x)))
+
+#define PTR_FUNC(x) (((void *(*)())OFFSET(x)))
+#define INT_FUNC(x) (((int (*)())OFFSET(x)))
+#define CHAR_FUNC(x) (((char (*)())OFFSET(x)))

src/dllmain.c

@@ -0,0 +1,54 @@
+#include <stdio.h>
+#include <windows.h>
+
+#include "defs.h"
+#include "hooks.h"
+
+// Push DWORD then ret.
+BYTE REDIR_OPCODE[] = {0x68, 0x00, 0x00, 0x00, 0x00, 0xc3};
+
+LPVOID redirect_func(LPVOID func_base_addr, LPVOID dst) {
+    LPVOID func_addr = func_base_addr - PE_BASE;
+    LPVOID base_addr = GetModuleHandle(0);
+    LPVOID target_addr =
+        (LPVOID)((uintptr_t)base_addr + (uintptr_t)func_addr);
+    DWORD previous_protection;
+    VirtualProtect((LPVOID)target_addr, sizeof(REDIR_OPCODE),
+                   PAGE_EXECUTE_READWRITE, &previous_protection);
+    memcpy(&REDIR_OPCODE[1], &dst, sizeof(DWORD));
+    printf("Opcode: ");
+    for (int i = 0; i < sizeof(REDIR_OPCODE); ++i) {
+        printf("0x%02x ", REDIR_OPCODE[i]);
+    }
+    printf("\n");
+    if (!WriteProcessMemory(GetCurrentProcess(), target_addr, REDIR_OPCODE,
+                            sizeof(REDIR_OPCODE), 0)) {
+        fprintf(stderr, "WriteProcessMemory error: %ld\n", GetLastError());
+    }
+    VirtualProtect((void *)func_addr, sizeof(REDIR_OPCODE),
+                   previous_protection, &previous_protection);
+    FlushInstructionCache(GetCurrentProcess(), 0, 0);
+    printf("Redirected function 0x%p + 0x%p (0x%p) to 0x%p.\n", base_addr,
+           func_addr, target_addr, dst);
+    return func_addr;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
+    switch (fdwReason) {
+    case DLL_PROCESS_ATTACH:
+        // Code to run when the DLL is loaded
+        redirect_func((LPVOID*)FUNC_ADDR, func);
+        printf("DLL loaded successfully.\n");
+        break;
+    case DLL_PROCESS_DETACH:
+        // Code to run when the DLL is freed
+        break;
+    case DLL_THREAD_ATTACH:
+        // Code to run when a thread is created during the DLL's lifetime
+        break;
+    case DLL_THREAD_DETACH:
+        // Code to run when a thread ends normally.
+        break;
+    }
+    return TRUE;
+}

src/hooks.c

@@ -0,0 +1,33 @@
+#include <windows.h>
+
+#include "hooks.h"
+#include "defs.h"
+
+void *__thiscall func(void *_this) {
+    int v1;                                 // eax@1
+    int v3;                                 // [sp+0h] [bp-43Ch]@1
+    int v4;                                 // [sp+8h] [bp-434h]@1
+    int v5;                                 // [sp+Ch] [bp-430h]@1
+    int v6;                                 // [sp+10h] [bp-42Ch]@1
+    char v7[1032];                          // [sp+14h] [bp-428h]@1, 1032 = 0x408
+    int v8;                                 // [sp+41Ch] [bp-20h]@1
+    int *v9;                                // [sp+420h] [bp-1Ch]@1
+    void *v10;                              // [sp+424h] [bp-18h]@1
+    int(__cdecl * v11)(int, int, int, int); // [sp+428h] [bp-14h]@1
+    int v12;                                // [sp+42Ch] [bp-10h]@1
+
+    int *base_addr = (int *)GetModuleHandle(NULL);
+
+    v9 = &v3;
+    v12 = -1;
+    v11 = INT_FUNC(0xA41200);
+    v10 = _this;
+    v1 = INT_FUNC(0xA41280)(v7); // Segmentation fault
+    v12 = 0;
+    v6 = v1;
+    v5 = INT_FUNC(0xA413F0)(0xA7B300, "One missisipi ");
+    v4 = INT_FUNC(0xA41810)(v8);
+    INT_FUNC(0xA41AB0)(INT_FUNC(0xA41AD0));
+    INT_FUNC(0xA41B30)();
+    return v10;
+}

src/hooks.h

@@ -0,0 +1,5 @@
+#define FUNC_ADDR 0xA41000 // Address of func() from IDA. Will change if you compile the binary yourself. The relative address offset is 0x1000.
+
+void* __thiscall func(void *_this);
+
+

src/loader.c

@@ -0,0 +1,51 @@
+#include <stdio.h>
+#include <windows.h>
+
+#define PROGRAM_NAME "prog_cpp.exe"
+#define DLL_NAME "my_dll.dll"
+#define BUFSIZE 1024
+
+int main(int argc, char *argv[]) {
+    STARTUPINFO start_info = {sizeof(start_info)};
+    PROCESS_INFORMATION process_info;
+    char cmd[BUFSIZE];
+
+    // Format passed down to loader to pass to process.
+    snprintf(cmd, BUFSIZE, "%s", PROGRAM_NAME);
+    for (int i = 1; i < argc; ++i) {
+        snprintf(cmd, BUFSIZE, "%s %s", cmd, argv[i]);
+    }
+
+    if (CreateProcess(NULL, cmd, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL,
+                      NULL, &start_info, &process_info)) {
+        LPVOID page = VirtualAllocEx(process_info.hProcess, NULL, BUFSIZE,
+                                     MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+        if (page == NULL) {
+            fprintf(stderr, "VirtualAllocEx error: %ld\n", GetLastError());
+            return 1;
+        }
+        if (WriteProcessMemory(process_info.hProcess, page, DLL_NAME,
+                               sizeof(DLL_NAME), NULL) == 0) {
+            fprintf(stderr, "WriteProcessMemory error: %ld\n", GetLastError());
+            return 1;
+        }
+        HANDLE thread = CreateRemoteThread(process_info.hProcess, NULL, 0,
+                                           (LPTHREAD_START_ROUTINE)LoadLibraryA,
+                                           page, 0, NULL);
+        if (thread == NULL) {
+            fprintf(stderr, "CreateRemoteThread error: %ld\n", GetLastError());
+            return 1;
+        }
+        if (WaitForSingleObject(thread, INFINITE) == WAIT_FAILED) {
+            fprintf(stderr, "WaitForSingleObject error: %ld\n", GetLastError());
+            return 1;
+        }
+        CloseHandle(thread);
+        if (ResumeThread(process_info.hThread) == -1) {
+            fprintf(stderr, "ResumeThread error: %ld\n", GetLastError());
+            return 1;
+        }
+        CloseHandle(process_info.hProcess);
+        VirtualFreeEx(process_info.hProcess, page, BUFSIZE, MEM_RELEASE);
+    }
+}

src/main.cpp

@@ -0,0 +1,67 @@
+// Source code of prog_cpp.exe. A compiled version is provided in the releases. If you compile this yourself, be sure you update PE_BASE in defs.h and FUNC_ADDR in hooks.h.
+
+#include <iostream>
+
+class C {
+    public:
+    int a = 0;
+    int b = 0;
+    int c[255];
+    int *d = nullptr;
+    int stuff = 0;
+    C(){
+        std::cout << d << std::endl;
+        d = new int[300];
+        std::cout << d << std::endl;
+        ++stuff;
+        for(int i = 1; i < 255; ++i){
+            c[i] = i;
+            if( i == 254){
+                c[i] = 0;
+            }
+        }
+        for(int i = 1; i < 300; ++i){
+            d[i] = i;
+            if( i == 299){
+                d[i] = 0;
+            }
+        }
+    }
+    ~C(){
+        std::cout << d << std::endl;
+        delete[] d;
+        std::cout << d << std::endl;
+        ++stuff;
+    }
+
+    void play(){
+        bool c_stop, d_stop;
+        c_stop = false;
+        d_stop = false;
+        for(int i = 0;;++i){
+            if(c[i] == 0 && !c_stop){
+                std::cout << "C had " << i + 1<< std::endl;
+                c_stop = true;
+            }
+            if(d[i] == 0 && !d_stop){
+                std::cout << "D had " << i + 1 << std::endl;
+                d_stop = true;
+            }
+            if(d_stop && c_stop){
+                break;
+            }
+        }
+    }
+};
+
+void func(){
+    C clae;
+    std::cout << "One missisipi " << clae.stuff << std::endl;
+}
+
+int main(){
+    func();
+    C clae;
+    std::cout << clae.stuff << std::endl;
+    clae.play();
+}