// UN-protect memory



__asm

{

	push eax

	mov eax, CR0

	and eax, 0FFFEFFFFh

	mov CR0, eax

	pop eax

}



// Do something here



// RE-protect memory



__asm

{

	push eax

	mov eax, CR0

	or eax, NOT 0FFFEFFFFh

	mov CR0, eax

	pop eax

}

BYTE push_0[2] = {0x6a,0x00};

BYTE push_eax = 0x50;            

BYTE push_Condw[2] = {0xff,0x35};

BYTE push_dwptr[2] = {0xff,0x75};

BYTE push_8[2] = {0x6a,0x08};            

BYTE _call = 0xe8;

//6a00             push    0x0

//8d45e4           lea     eax,[ebp-0x1c]

//50               push    eax

//ff75d4           push    dword ptr [ebp-0x2c]

//ff3558145680     push    dword ptr [nt!PsProcessType (80561458)]

//6a08             push    0x8

//ff7508           push    dword ptr [ebp+0x8]

//e8732effff       call    nt!ObReferenceObjectByHandle (80564be8)

// 50               push    eax

// ff7514           push    dword ptr [ebp+0x14]

// 8d45e0           lea     eax,[ebp-0x20]

// 50               push    eax

// 8d45dc           lea     eax,[ebp-0x24]

// 50               push    eax

// ff75e4           push    dword ptr [ebp-0x1c]

// e88dfdffff       call    nt!MiProtectVirtualMemory (80571b2d)

typedef struct _C_ID

{

    _C_ID *_next;

    void *_def_sig;

    ULONG Size;

}C_ID,*PC_ID;

HANDLE hHeap = 0;

int Cycle = 0;



void Find_Addr()

{

      ULONG StartAddress = 0;

      C_ID CallId = {0};

      CallId = InitC_ID((BYTE*)&push_0,sizeof(push_0));

      CallId = AddC_ID(&Cycle,(BYTE*)&push_eax,sizeof(push_eax));

      CallId = AddC_ID(&Cycle,(BYTE*)&push_Condw,sizeof(push_dwptr));

      CallId = AddC_ID(&Cycle,(BYTE*)&push_8,sizeof(push_8));

      CallId = AddC_ID(&Cycle,(BYTE*)&_call,sizeof(_call));

      CallId = AddC_ID(&Cycle,(BYTE*)&push_eax,sizeof(push_eax));

      CallId = AddC_ID(&Cycle,(BYTE*)&push_eax,sizeof(push_eax));

      CallId = AddC_ID(&Cycle,(BYTE*)&push_eax,sizeof(push_eax));

      CallId = AddC_ID(&Cycle,(BYTE*)&push_dwptr,sizeof(push_dwptr));

      CallId = AddC_ID(&Cycle,(BYTE*)&_call,sizeof(_call));

      //StartAddress = Get nt!NtProtectVirtualMemory Address;

      Find_CallSigChain(StartAddress,(C_ID*)hHeap);

}



C_ID *AddC_ID(int *Cycle,BYTE* _sig,ULONG Size,C_ID *CallId)

{

      if(*Cycle == 0)

      {

      	hHeap = RtlCreateHeap(HEAP_ZERO_MEMORY|HEAP_GROWABLE,0,sizeof(C_ID)*20,sizeof(C_ID),false,0);

      	CallId = (C_ID*)hHeap;

        CallId->_def_sig = _sig;

      	CallId->Size = Size;

	Cycle++;

      	return CallId;

      }

      else

      {

        CallId->_next =  RtlAllocateHeap(hHeap,0,sizeof(C_ID));

        CallId = CallId->_next;

        CallId->_def_sig = _sig;

        CallId->Size = Size;

        Cycle++;

	return CallId;

      }

}

C_ID *InitC_ID(BYTE* _sig,ULONG Size)

{

     C_ID CallId = 0;

     return AddC_ID(_sig,Size,&CallId);

}       	

ULONG Find_CallSigChain(void*StartAddress,C_ID*Call_Id)

{

	size_t szFunc = 0;

	size_t szInstr = 0;

	int fid = 0;

	int sid = 0;

        ULONG CallAddr = 0;

	szFunc = GetFunctionLength(StartAddress);

CheckC_ID:

	if(Call_Id._def_sig != 0)

	{



	     do

	     {

		//szInstr += mlde32(StartAddress);

		sid = strcmp(Call_Id._def_sig,_call);

		if(sid == 0)

		{

		    fid = memcmp(StartAddress,Call_Id._def_sig,Call_Id.Size);		

		    StartAddress++;

                }

		else

                {

		    fid = memcmp(StartAddress,Call_Id._def_sig,Call_Id.Size);		

		    StartAddress++;

		}

                

	     }while(fid != 0);

	     if(sid == 0)

	     {

		return (ULONG)StartAddress+1;

	     }

	     else

             {

		goto NextC_ID;

             }  

	}

	else

	{

	     return 0;

        }



NextC_ID:

	if(Call_Id._next != 0)

	{

	     Call_Id = Call_Id._next;

	     goto CheckC_ID;

	}

	else

	{

	     return 0;

	}

return 0;

}     

      C_ID CallId = {0};

      CallId = InitC_ID((BYTE*)&push_0,sizeof(push_0));//ObReferenceObByHandle (push 0)

      CallId = AddC_ID(&Cycle,(BYTE*)&push_eax,sizeof(push_eax));//ObReferenceObByHandle (push eax)

      CallId = AddC_ID(&Cycle,(BYTE*)&push_dwds,sizeof(push_dwds));//ObReferenceObByHandle (push ds:_PsProcessType) but we only seek the push ds..

      CallId = AddC_ID(&Cycle,(BYTE*)&push_8,sizeof(push_8)); //PROCESS_VM_OPERATION constant didnt change..

      CallId = AddC_ID(&Cycle,(BYTE*)&_call,sizeof(_call));//this should be the call to ObReferenceObByHandle in NtProtectVirtualMemory

      CallId = AddC_ID(&Cycle,(BYTE*)&push_dwptr,sizeof(push_dwptr));//the constant occurance of 0xff,0x75 was chosen here as this opcode sequence doesn't happen until the scanner is past the call for KeStackAttachProcess in RC 7..

      CallId = AddC_ID(&Cycle,(BYTE*)&push_eax,sizeof(push_eax));in the preamble to the call to MiProtectVirtualMemory

      CallId = AddC_ID(&Cycle,(BYTE*)&push_eax,sizeof(push_eax));in the preamble to the call to MiProtectVirtualMemory

      CallId = AddC_ID(&Cycle,(BYTE*)&_call,sizeof(_call));

BYTE MOV_EDX8[5] = {0xBA,0x08 ,0x00,0x00,0x00};  //in the preamble to the ObReferenceObjectByHandleWithTag

BYTE TEST_EAX[2] = {0x85,0xC0};//just after the call to ObReferenceObjectByHandleWithTag

BYTE XOR_ESI[2] = {0x33,0xF6};//just before the preamble to the call for MiProtectVirtualMemory

BYTE MOV_R9DEDI[3] = {0x44, 0x8B, 0xCF}

BYTE _call = 0xe8;

char push_0[2] = {0x6a,0x00};

char push_eax = 0x50;            

char push_dwds[2] = {0xff,0x35};

char push_dwptr[2] = {0xff,0x75};

char push_8[2] = {0x6a,0x08};            

char _call = 0xe8;

char XP_SP3[0x16f] = {0x6a,0x44,0x68,0x68,0xa4,0x4e,0x80,0xe8,0x7e,0x07,0xf7,0xff,0x33,0xdb,\

0x89,0x5d,0xd8,0x8b,0x4d,0x14,0xe8,0x64,0x27,0xf7,0xff,0x83,0xf8,0xff,\

0x0f,0x84,0x89,0x17,0x08,0x00,0x64,0xa1,0x24,0x01,0x00,0x00,0x8b,0x48,0x44,\

0x89,0x4d,0xcc,0x8a,0x80,0x40,0x01,0x00,0x00,0x88,0x45,0xd4,0x84,0xc0,\

0x0f,0x84,0x86,0xcb,0x04,0x00,0x89,0x5d,0xfc,0x8b,0x7d,0x0c,0xa1,0xd4,0xfb,0x55,0x80,\

0x3b,0xf8,0x0f,0x83,0x63,0x17,0x08,0x00,0x8b,0x07,0x89,0x07,0x8b,0x75,0x10,\

0xa1,0xd4,0xfb,0x55,0x80,0x3b,0xf0,0x0f,0x83,0x56,0x17,0x08,0x00,0x8b,0x06,\

0x89,0x06,0x8b,0x5d,0x18,0xa1,0xd4,0xfb,0x55,0x80,0x3b,0xd8,0x0f,0x83,0x49,0x17,0x08,0x00,\

0x8b,0x03,0x89,0x03,0x8b,0x0f,0x89,0x4d,0xdc,0x8b,0x16,0x89,0x55,0xe0,\

0x83,0x4d,0xfc,0xff,0xa1,0xdc,0xfb,0x55,0x80,0x3b,0xc8,0x0f,0x87,0x5c,0x17,0x08,0x00,\

0x2b,0xc1,0x3b,0xc2,0x0f,0x82,0x5c,0x17,0x08,0x00,0x85,0xd2,0x0f,0x84,0x54,0x17,0x08,0x00,\

0x6a,0x00,0x8d,0x45,0xe4,0x50,0xff,0x75,0xd4,0xff,0x35,0x58,0x14,0x56,0x80,0x6a,0x08,\

0xff,0x75,0x08,0xe8,0x73,0x2e,0xff,0xff,0x85,0xc0,0x0f,0x8c,0x8e,0x00,0x00,0x00,\

0x8b,0x45,0xe4,0x39,0x45,0xcc,0x0f,0x85,0x9e,0xec,0x01,0x00,0x8d,0x45,0xc8,\

0x50,0xff,0x75,0x14,0x8d,0x45,0xe0,0x50,0x8d,0x45,0xdc,0x50,0xff,0x75,0xe4,\

0xe8,0x8d,0xfd,0xff,0xff,0x89,0x45,0xc4,0x83,0x7d,0xd8,0x00,0x0f,0x85,0x6c,0xec,0x01,0x00,\

0x8b,0x4d,0xe4,0xe8,0x9b,0x72,0xf6,0xff,0xc7,0x45,0xfc,0x01,0x00,0x00,0x00,\

0x80,0x7d,0xd4,0x00,0x74,0x33,0xa1,0xd4,0xfb,0x55,0x80,0x3b,0xf8,0x0f,0x83,0xeb,0x16,0x08,0x00,\

0x8b,0x07,0x89,0x07,0xa1,0xd4,0xfb,0x55,0x80,0x3b,0xf0,0x0f,0x83,0xe5,0x16,0x08,0x00,\

0x8b,0x06,0x89,0x06,0xa1,0xd4,0xfb,0x55,0x80,0x3b,0xd8,0x0f,0x83,0xdf,0x16,0x08,0x00,\

0x8b,0x03,0x89,0x03,0x8b,0x45,0xe0,0x89,0x06,0x8b,0x45,0xdc,0x89,0x07,0x8b,0x45,0xc8,\

0x89,0x03,0x83,0x4d,0xfc,0xff,0x8b,0x45,0xc4,0xe8,0x66,0x06,0xf7,0xff,0xc2,0x14,0x00};



typedef struct _C_ID

{

    _C_ID *_next;

    char *_def_sig;

    ULONG Size;

}C_ID,*PC_ID;



C_ID *InitC_ID(char* _sig,ULONG Size,C_ID *CallId);

C_ID *AddC_ID(char* _sig,ULONG Size,C_ID *CallId);

ULONG Find_CallSigChain(ULONG StartAddress,C_ID *CallId);

int Cycle = 0;

ULONG StartC_ID = 0;



void Find_Addr()

{

      ULONG StartAddress = 0;

      ULONG CallAddress = 0;

      C_ID *CallId = {0};

	  StartAddress = (ULONG)RtlAllocateHeap(RtlProcessHeap(),HEAP_ZERO_MEMORY|HEAP_GROWABLE,sizeof(XP_SP3));

      RtlCopyMemory((void*)StartAddress,(void*)&XP_SP3,sizeof(XP_SP3));

	  CallId = InitC_ID((char*)push_0,sizeof(push_0),CallId);

      CallId = AddC_ID((char*)push_dwds,sizeof(push_dwds),CallId);

      CallId = AddC_ID((char*)push_8,sizeof(push_8),CallId);

      CallId = AddC_ID((char*)_call,sizeof(_call),CallId);

      CallId = AddC_ID((char*)push_dwptr,sizeof(push_dwptr),CallId);

      CallId = AddC_ID((char*)_call,sizeof(_call),CallId);

      //StartAddress = Get NtProtectVirtualMemory Address;

      CallAddress = Find_CallSigChain(StartAddress,(C_ID*)StartC_ID);

}



C_ID *AddC_ID(char *_sig,ULONG Size,C_ID *CallId)

{

      if(Cycle == 0)

      {

      	  StartC_ID = (ULONG)RtlAllocateHeap(RtlProcessHeap(),HEAP_ZERO_MEMORY,sizeof(C_ID)); 

          CallId = (C_ID*)StartC_ID;

		  CallId->_def_sig = _sig;

      	  CallId->Size = Size;

		  Cycle++;

      	  return CallId;

      }

      else

      {

		  if(Size != 1)

		  {

			  CallId->_next =  (_C_ID*)RtlAllocateHeap(RtlProcessHeap(),HEAP_ZERO_MEMORY,sizeof(C_ID));

			  CallId = CallId->_next;

			  CallId->_def_sig = _sig;

			  CallId->Size = Size;

			  Cycle++;

			  return CallId;

		  }

		  else

		  {

			  CallId->_next = (C_ID*)RtlAllocateHeap(RtlProcessHeap(),HEAP_ZERO_MEMORY,sizeof(C_ID));

			  CallId = CallId->_next;

			  memset(&CallId->_def_sig,0xe8,1);

			  CallId->Size = Size;

			  Cycle++;

			  return CallId;

		  }

      }

}

C_ID *InitC_ID(char* _sig,ULONG Size,C_ID *CallId)

{

	return AddC_ID(_sig,Size,CallId);

}       	

ULONG Find_CallSigChain(ULONG StartAddress,C_ID *CallId)

{

	int fid = 0;

	ULONG CallAddr = 0;

CheckC_ID:

	if(CallId->_def_sig != 0)

	{

		do

     	{

			if(CallId->_def_sig == (char*)0xe8)

			{

				fid = memcmp((void*)StartAddress,(void*)&CallId->_def_sig,CallId->Size);

				StartAddress++;

            }

			else

            {

				fid = memcmp((void*)StartAddress,CallId->_def_sig,CallId->Size);		

				StartAddress++;

			}

		}while(fid != 0);

		if(CallId->_next == 0)

		{

			return *(ULONG*)StartAddress;

		}

		else

		{

			goto NextC_ID;

		}  

	}

    else

    {

		return 0;

	}

NextC_ID:

    if(CallId->_next != 0)

	{

		CallId = CallId->_next;

		goto CheckC_ID;

    }

	else

	{

		return 0;

	}

return 0;

}