static void Main(string[] args)
{
    // Launch the sample target suspended (resumeOnCreate = false) and attach the
    // shared debugger session to it before running the demo routine.
    // NOTE(review): user-specific absolute path; the target must exist there.
    var startup = new NIStartupOptions
    {
        executable = @"C:\Users\Timothy\Documents\Visual Studio 2013\Projects\HelloCPP\x64\Release\HelloCPP.exe",
        resumeOnCreate = false,
    };
    debug.Execute(startup);

    ChangeAllSetText();

    Console.WriteLine("Press any key to exit...");
    Console.ReadKey();
}
static void ChangeAllSetText()
{
    // Start notepad suspended so the session is attached before any target code runs.
    var startup = new NonIntrusive.NIStartupOptions
    {
        executable = @"c:\windows\system32\notepad.exe",
        resumeOnCreate = false,
    };

    // Reserve 100 bytes in the target (address stored in the shared memoryCave field),
    // fill it with a UTF-16 string, then presumably repeat OverwriteText for as long as
    // IsStillRunning holds (see NIDebugger.While) before detaching.
    debug.Execute(startup)
         .AllocateMemory(100, out memoryCave)
         .WriteString(memoryCave, "Welcome To NIDebugger", Encoding.Unicode)
         .While(IsStillRunning, OverwriteText)
         .Detach();
}
static void ChangeAllSetText()
{
    // Start notepad suspended so the session is attached before any target code runs.
    var startup = new NonIntrusive.NIStartupOptions
    {
        executable = @"c:\windows\system32\notepad.exe",
        resumeOnCreate = false,
    };

    // Reserve 100 bytes in the target (address stored in the shared memoryCave field),
    // fill it with a UTF-16 string, then presumably repeat OverwriteText for as long as
    // IsStillRunning holds (see NIDebugger.While) before detaching.
    debug.Execute(startup)
         .AllocateMemory(100, out memoryCave)
         .WriteString(memoryCave, "Welcome To NIDebugger", Encoding.Unicode)
         .While(IsStillRunning, OverwriteText)
         .Detach();
}
static void MassiveSingleStep()
{
    // Start notepad suspended and attach the shared debugger session.
    var startup = new NonIntrusive.NIStartupOptions
    {
        executable = @"c:\windows\system32\notepad.exe",
        resumeOnCreate = false,
    };
    debug.Execute(startup);

    // StepIntoCalls = false: presumably steps over call instructions rather than
    // descending into callees — confirm against NIDebugger.SingleStep.
    debug.StepIntoCalls = false;

    // Single-step one instruction at a time until the target process terminates.
    while (!debug.Process.HasExited)
    {
        debug.SingleStep();
    }
}
static void ChangeTitle()
{
    // Start notepad suspended so the breakpoint is in place before it runs.
    var startup = new NonIntrusive.NIStartupOptions
    {
        executable = @"c:\windows\system32\notepad.exe",
        resumeOnCreate = false,
    };

    uint previousTitlePtr;
    string previousTitle;

    // Place a replacement string in the target, break on user32!SetWindowTextW, and
    // swap the value at stack offset 8 (presumably the lpString argument) for the
    // replacement before the call proceeds. The original pointer and text are read
    // into the locals above but not used afterwards.
    debug.Execute(startup)
         .AllocateMemory(100, out memoryCave)
         .WriteString(memoryCave, "Welcome To NIDebugger", Encoding.Unicode)
         .SetProcBP("user32.dll", "SetWindowTextW")
         .Continue()
         .ReadStackValue(8, out previousTitlePtr)
         .ReadString(previousTitlePtr, 100, Encoding.Unicode, out previousTitle)
         .WriteStackValue(8, memoryCave)
         .Detach();
}
static void ChangeTitle()
{
    // Start notepad suspended so the breakpoint is in place before it runs.
    var startup = new NonIntrusive.NIStartupOptions
    {
        executable = @"c:\windows\system32\notepad.exe",
        resumeOnCreate = false,
    };

    uint previousTitlePtr;
    string previousTitle;

    // Place a replacement string in the target, break on user32!SetWindowTextW, and
    // swap the value at stack offset 8 (presumably the lpString argument) for the
    // replacement before the call proceeds. The original pointer and text are read
    // into the locals above but not used afterwards.
    debug.Execute(startup)
         .AllocateMemory(100, out memoryCave)
         .WriteString(memoryCave, "Welcome To NIDebugger", Encoding.Unicode)
         .SetProcBP("user32.dll", "SetWindowTextW")
         .Continue()
         .ReadStackValue(8, out previousTitlePtr)
         .ReadString(previousTitlePtr, 100, Encoding.Unicode, out previousTitle)
         .WriteStackValue(8, memoryCave)
         .Detach();
}
static void Main(string[] args)
{
    // Hardware-breakpoint demo: start notepad suspended and attach the shared session.
    NIStartupOptions opts = new NIStartupOptions();
    opts.executable = @"c:\windows\system32\notepad.exe";
    opts.resumeOnCreate = false;
    debug.Execute(opts);

    Console.WriteLine("Installing VEH");
    debug.InstallHardVEH();

    Console.WriteLine("Setting HWBP on Execute");
    // NOTE(review): hard-coded absolute address — presumably only valid for one specific
    // notepad.exe build loaded at its preferred base (no ASLR relocation). Verify before
    // reuse; if it is wrong the breakpoint never fires and Continue() likely runs to exit.
    debug.SetHardBreakPoint(0xc562a8, HWBP_MODE.MODE_LOCAL, HWBP_TYPE.TYPE_EXECUTE, HWBP_SIZE.SIZE_1);

    Console.WriteLine("Generating Hello World String in Target");
    // Reserve 100 bytes in the target and fill it with a UTF-16 string.
    uint memoryCave;
    debug.AllocateMemory(100, out memoryCave);
    debug.WriteString(memoryCave, "Welcome to NIDebugger HWBPs", Encoding.Unicode);

    Console.WriteLine("Running...");
    debug.Continue(); // hope and pray: resume until the hardware breakpoint is hit
    Console.WriteLine("Our EIP after HWBP is: " + debug.Context.Eip.ToString("X8"));

    Console.WriteLine("Setting EAX to new String address");
    // Assumes EAX holds a pointer to the string argument at the breakpoint address —
    // TODO confirm against the target's disassembly. The old text is read but unused.
    String oldString;
    debug.ReadString(debug.Context.Eax, 100, Encoding.Unicode, out oldString);
    debug.Context.Eax = memoryCave;

    debug.Detach();
    //debug.Detach();
    //ChangeAllSetText();
    Console.WriteLine("Press any key to exit...");
    // NOTE(review): ReadKey is commented out, so the program exits right after the prompt.
    // Console.ReadKey();
}
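/// <summary>
/// Begins the debugging process of an executable: creates it suspended, records its
/// main thread handle, optionally runs it to the original entry point (OEP), and
/// applies the optional GetTickCount patches requested in <paramref name="opts"/>.
/// </summary>
/// <param name="opts">The StartupOptions to be used during Execute().</param>
/// <returns>This debugger instance, so further calls can be chained.</returns>
/// <exception cref="ArgumentNullException"><paramref name="opts"/> is null.</exception>
/// <exception cref="InvalidOperationException">CreateProcess failed for <c>opts.executable</c>.</exception>
public NIDebugger Execute(NIStartupOptions opts)
{
    if (opts == null)
    {
        throw new ArgumentNullException("opts");
    }

    // Process and thread security attributes; the API requires nLength to be set.
    Win32.SECURITY_ATTRIBUTES sa1 = new Win32.SECURITY_ATTRIBUTES();
    sa1.nLength = Marshal.SizeOf(sa1);
    Win32.SECURITY_ATTRIBUTES sa2 = new Win32.SECURITY_ATTRIBUTES();
    sa2.nLength = Marshal.SizeOf(sa2);
    Win32.STARTUPINFO si = new Win32.STARTUPINFO();
    debuggedProcessInfo = new Win32.PROCESS_INFORMATION();

    // 0x00000200 is CREATE_NEW_PROCESS_GROUP; CREATE_SUSPENDED keeps the main thread
    // parked until it is explicitly resumed below.
    int ret = Win32.CreateProcess(opts.executable, opts.commandLine, ref sa1, ref sa2, 0,
        0x00000200 | Win32.CREATE_SUSPENDED, 0, null, ref si, ref debuggedProcessInfo);

    // A zero return means no process was created: the ids and handles in
    // debuggedProcessInfo are not valid and everything below would operate on them.
    if (ret == 0)
    {
        throw new InvalidOperationException("CreateProcess failed for '" + opts.executable + "'.");
    }

    debuggedProcess = Process.GetProcessById(debuggedProcessInfo.dwProcessId);
    threadHandles.Add(debuggedProcessInfo.dwThreadId, new IntPtr(debuggedProcessInfo.hThread));

    if (opts.resumeOnCreate)
    {
        Win32.ResumeThread((IntPtr)debuggedProcessInfo.hThread);
    }
    else
    {
        // x86 initial-thread convention: for a freshly created suspended process the
        // thread context's EAX holds the entry point. Break there, run to it, then
        // remove the breakpoint again so the target's code is left unmodified.
        getContext(getCurrentThreadId());
        uint OEP = Context.Eax;
        SetBreakpoint(OEP);
        Continue();
        ClearBreakpoint(OEP);
        Console.WriteLine("We should be at OEP");
    }

    if (opts.patchTickCount && opts.incrementTickCount == false)
    {
        // mov eax, 1 ; ret — GetTickCount in the target returns a constant 1.
        byte[] patchData = new byte[] { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };
        WriteData(FindProcAddress("kernel32.dll", "GetTickCount"), patchData);
    }
    else if (opts.patchTickCount && opts.incrementTickCount)
    {
        // Stub that returns its embedded counter and increments that immediate in place
        // on every call, so the value advances by one per call.
        byte[] patchData = new byte[] { 0x51, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x59, 0x83, 0xE9, 0x09, 0xFF, 0x01, 0x59, 0xC3 };
        uint memoryCave;
        byte[] opcodes;

        // Newer Windows exports GetTickCount from kernelbase.dll; fall back to
        // kernel32.dll where the kernelbase lookup yields nothing.
        uint hookAddr = FindProcAddress("kernelbase.dll", "GetTickCount");
        if (hookAddr == 0)
        {
            hookAddr = FindProcAddress("kernel32.dll", "GetTickCount");
        }

        AllocateMemory(100, out memoryCave);
        WriteData(memoryCave, patchData);
        InsertHook(hookAddr, memoryCave, out opcodes);
    }

    return this;
}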