예제 #1
0
        static void Main(string[] args)
        {
            NIStartupOptions opts = new NIStartupOptions();
            opts.executable = @"C:\Users\Timothy\Documents\Visual Studio 2013\Projects\HelloCPP\x64\Release\HelloCPP.exe";
            opts.resumeOnCreate = false;
            debug.Execute(opts);

            ChangeAllSetText();

            Console.WriteLine("Press any key to exit...");
            Console.ReadKey();
        }
예제 #2
0
        static void ChangeAllSetText()
        {
            NIStartupOptions opts = new NonIntrusive.NIStartupOptions();
            opts.executable = @"c:\windows\system32\notepad.exe";
            opts.resumeOnCreate = false;

            debug.Execute(opts)
                .AllocateMemory(100, out memoryCave)
                .WriteString(memoryCave, "Welcome To NIDebugger", Encoding.Unicode)
                .While(IsStillRunning,OverwriteText)
                .Detach();
        }
예제 #3
0
        static void ChangeAllSetText()
        {
            NIStartupOptions opts = new NonIntrusive.NIStartupOptions();

            opts.executable     = @"c:\windows\system32\notepad.exe";
            opts.resumeOnCreate = false;

            debug.Execute(opts)
            .AllocateMemory(100, out memoryCave)
            .WriteString(memoryCave, "Welcome To NIDebugger", Encoding.Unicode)
            .While(IsStillRunning, OverwriteText)
            .Detach();
        }
예제 #4
0
        static void MassiveSingleStep()
        {
            NIStartupOptions opts = new NonIntrusive.NIStartupOptions();

            opts.executable     = @"c:\windows\system32\notepad.exe";
            opts.resumeOnCreate = false;

            debug.Execute(opts);
            debug.StepIntoCalls = false;

            while (debug.Process.HasExited == false)
            {
                debug.SingleStep();
            }
        }
예제 #5
0
        static void ChangeTitle()
        {
            NIStartupOptions opts = new NonIntrusive.NIStartupOptions();
            opts.executable = @"c:\windows\system32\notepad.exe";
            opts.resumeOnCreate = false;

            uint oldValue;
            String oldString;
            debug.Execute(opts)
                .AllocateMemory(100, out memoryCave)
                .WriteString(memoryCave, "Welcome To NIDebugger", Encoding.Unicode)
                .SetProcBP("user32.dll","SetWindowTextW")
                .Continue()
                .ReadStackValue(8, out oldValue)
                .ReadString(oldValue, 100, Encoding.Unicode, out oldString)
                .WriteStackValue(8, memoryCave)
                .Detach();
        }
예제 #6
0
        static void ChangeTitle()
        {
            NIStartupOptions opts = new NonIntrusive.NIStartupOptions();

            opts.executable     = @"c:\windows\system32\notepad.exe";
            opts.resumeOnCreate = false;

            uint   oldValue;
            String oldString;

            debug.Execute(opts)
            .AllocateMemory(100, out memoryCave)
            .WriteString(memoryCave, "Welcome To NIDebugger", Encoding.Unicode)
            .SetProcBP("user32.dll", "SetWindowTextW")
            .Continue()
            .ReadStackValue(8, out oldValue)
            .ReadString(oldValue, 100, Encoding.Unicode, out oldString)
            .WriteStackValue(8, memoryCave)
            .Detach();
        }
예제 #7
0
        static void Main(string[] args)
        {
            NIStartupOptions opts = new NIStartupOptions();
            opts.executable = @"c:\windows\system32\notepad.exe";
            opts.resumeOnCreate = false;
            debug.Execute(opts);

            Console.WriteLine("Installing VEH");
            debug.InstallHardVEH();

            Console.WriteLine("Setting HWBP on Execute");
            debug.SetHardBreakPoint(0xc562a8, HWBP_MODE.MODE_LOCAL, HWBP_TYPE.TYPE_EXECUTE, HWBP_SIZE.SIZE_1);

            Console.WriteLine("Generating Hello World String in Target");
            uint memoryCave;
            debug.AllocateMemory(100, out memoryCave);

            debug.WriteString(memoryCave, "Welcome to NIDebugger HWBPs", Encoding.Unicode);

            Console.WriteLine("Running...");

            debug.Continue();

            // hope and pray
            Console.WriteLine("Our EIP after HWBP is: " + debug.Context.Eip.ToString("X8"));

            Console.WriteLine("Setting EAX to new String address");
            String oldString;
            debug.ReadString(debug.Context.Eax, 100, Encoding.Unicode, out oldString);

            debug.Context.Eax = memoryCave;

            debug.Detach();
            //debug.Detach();

            //ChangeAllSetText();

            Console.WriteLine("Press any key to exit...");
               // Console.ReadKey();
        }
예제 #8
0
        static void MassiveSingleStep()
        {
            NIStartupOptions opts = new NonIntrusive.NIStartupOptions();
            opts.executable = @"c:\windows\system32\notepad.exe";
            opts.resumeOnCreate = false;

            debug.Execute(opts);
            debug.StepIntoCalls = false;

            while (debug.Process.HasExited == false)
            {
                debug.SingleStep();
            }
        }
예제 #9
0
        /// <summary>
        /// Begins the debugging process of an executable.
        /// </summary>
        /// <param name="opts">The StartupOptions to be used during Execute().</param>
        /// <returns></returns>
        public NIDebugger Execute(NIStartupOptions opts)
        {
            Win32.SECURITY_ATTRIBUTES sa1 = new Win32.SECURITY_ATTRIBUTES();
            sa1.nLength = Marshal.SizeOf(sa1);
            Win32.SECURITY_ATTRIBUTES sa2 = new Win32.SECURITY_ATTRIBUTES();
            sa2.nLength = Marshal.SizeOf(sa2);
            Win32.STARTUPINFO si = new Win32.STARTUPINFO();
            debuggedProcessInfo = new Win32.PROCESS_INFORMATION();
            int ret = Win32.CreateProcess(opts.executable, opts.commandLine, ref sa1, ref sa2, 0, 0x00000200 | Win32.CREATE_SUSPENDED, 0, null, ref si, ref debuggedProcessInfo);

            debuggedProcess = Process.GetProcessById(debuggedProcessInfo.dwProcessId);
            threadHandles.Add(debuggedProcessInfo.dwThreadId, new IntPtr(debuggedProcessInfo.hThread));
            if (opts.resumeOnCreate)
            {
                Win32.ResumeThread((IntPtr)debuggedProcessInfo.hThread);
            }
            else
            {
                getContext(getCurrentThreadId());

                uint OEP = Context.Eax;
                SetBreakpoint(OEP);
                Continue();
                ClearBreakpoint(OEP);

                Console.WriteLine("We should be at OEP");

            }

            if (opts.patchTickCount && opts.incrementTickCount == false)
            {
                byte[] patchData = new byte[] { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };
                WriteData(FindProcAddress("kernel32.dll", "GetTickCount"), patchData);
            } else if (opts.patchTickCount && opts.incrementTickCount)
            {
                byte[] patchData = new byte[] { 0x51, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x59, 0x83, 0xE9, 0x09, 0xFF, 0x01, 0x59, 0xC3 };
                uint memoryCave;
                byte[] opcodes;

                uint hookAddr = FindProcAddress("kernelbase.dll", "GetTickCount");
                if (hookAddr == 0)
                {
                    hookAddr = FindProcAddress("kernel32.dll", "GetTickCount");
                }

                // work
                    AllocateMemory(100, out memoryCave);
                    WriteData(memoryCave, patchData);
                    InsertHook(hookAddr, memoryCave, out opcodes);
            }

            return this;
        }