/**
 * Make every DeriveCapabilitySidsFromName (kernelbase.dll) call look failed.
 *
 * The real function still runs with its original arguments; only the return
 * value is rewritten to 0 (BOOL FALSE) on the way back to the caller.
 */
Interceptor.attach(Module.getExportByName('kernelbase.dll', 'DeriveCapabilitySidsFromName'), {
  onLeave: function (retval) {
    // 0 == FALSE: the caller takes the failure path.
    retval.replace(0);
  },
});
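// IOCTL code the original script filters on (same value as decimal 3080195).
const WATCHED_IOCTL = 0x2f0003;

/**
 * Dump the output buffer of DeviceIoControl calls that use WATCHED_IOCTL and
 * whose input buffer holds the value 4 at offset 16.
 *
 * onEnter remembers the output buffer pointer and its declared size; onLeave
 * hexdumps it after the real call has filled it in. Nothing is modified.
 *
 * Fixes over the original: lpInBuffer is checked for NULL and for a declared
 * size that actually covers offset 16..19 before it is read (an unchecked read
 * raises an access violation inside the agent); the output pointer is checked
 * with isNull() (a NativePointer object is always truthy, so `if (ptr)` never
 * filtered a NULL buffer); and the dump length is the caller's nOutBufferSize
 * rather than hexdump's default, so the dump does not run past the buffer.
 */
Interceptor.attach(Module.getExportByName('kernel32.dll', 'DeviceIoControl'), {
  onEnter(args) {
    // args: [0] hDevice, [1] dwIoControlCode, [2] lpInBuffer, [3] nInBufferSize,
    //       [4] lpOutBuffer, [5] nOutBufferSize, [6] lpBytesReturned, [7] lpOverlapped
    this.outBuf = null;
    this.outSize = 0;
    if (args[1].toInt32() !== WATCHED_IOCTL) {
      return;
    }
    const inBuf = args[2];
    // lpInBuffer may legitimately be NULL, and the 4-byte read at offset 16 needs at least 20 bytes.
    if (inBuf.isNull() || args[3].toInt32() < 20) {
      return;
    }
    if (inBuf.add(16).readUInt() === 4) {
      this.outBuf = args[4];
      this.outSize = args[5].toInt32();
    }
  },
  onLeave(retval) {
    // Bound the dump by what the caller declared as its output buffer.
    if (this.outBuf !== null && !this.outBuf.isNull() && this.outSize > 0) {
      console.log(hexdump(this.outBuf, { length: this.outSize }));
    }
  },
});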
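// Resolved once at load time. getExportByName throws immediately if the export
// is missing, whereas findExportByName would hand null to NativeFunction and
// only fail at the first call.
const CloseHandle = new NativeFunction(Module.getExportByName('kernelbase.dll', 'CloseHandle'), 'long', ['pointer']);

// Flip to true to log the arguments of every CreateFileW call (replaces the old `if (0)` block).
const LOG_CREATEFILE_ARGS = false;

/**
 * Fail every CreateFileW whose path does not contain "REARLINEOUTWAVE3".
 *
 * onEnter decides from lpFileName; onLeave closes whatever handle the real
 * call produced and reports INVALID_HANDLE_VALUE (-1) to the caller. A NULL
 * lpFileName cannot match and is therefore blocked as well (the original
 * threw on it, leaving `this.block` undefined and the call unblocked).
 */
Interceptor.attach(Module.getExportByName('kernelbase.dll', 'CreateFileW'), {
  onEnter(args) {
    // readUtf16String() on a NULL pointer returns null; guard the pointer first.
    const lpFileName = args[0].isNull() ? null : args[0].readUtf16String();
    this.block = lpFileName === null || !lpFileName.includes('REARLINEOUTWAVE3');
    if (LOG_CREATEFILE_ARGS) {
      console.log(lpFileName);
      console.log(args[1].toInt32()); // dwDesiredAccess
      console.log(args[2].toInt32()); // dwShareMode
      console.log(args[4].toInt32()); // dwCreationDisposition
      console.log(args[5].toInt32()); // dwFlagsAndAttributes
    }
  },
  onLeave(retval) {
    if (!this.block) {
      return;
    }
    // The real call may already have failed with INVALID_HANDLE_VALUE; only close a real handle.
    if (retval.toInt32() !== -1) {
      CloseHandle(retval);
    }
    retval.replace(-1);
  },
});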
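// Lower-case fragments of module names whose loading is refused.
const mods = ['audioses', 'rtkcfg64', 'mmdevapi'];

// Resolved once at load time; getExportByName throws on a missing export instead
// of letting NativeFunction fail later with a null address.
const FreeLibrary = new NativeFunction(Module.getExportByName('kernelbase.dll', 'FreeLibrary'), 'long', ['pointer']);

/**
 * Refuse LoadLibraryExW for any module whose name contains one of `mods`
 * (case-insensitive substring match).
 *
 * The real load is allowed to run; onLeave then drops the reference with
 * FreeLibrary and hands NULL back to the caller. A NULL lpLibFileName is
 * left alone (the original called toLowerCase() on null and threw).
 */
Interceptor.attach(Module.getExportByName('kernelbase.dll', 'LoadLibraryExW'), {
  onEnter(args) {
    const rawName = args[0].isNull() ? null : args[0].readUtf16String();
    if (rawName === null) {
      this.block = false;
      return;
    }
    // Lower-case once; the fragments in `mods` are already lower-case.
    const lpLibFileName = rawName.toLowerCase();
    this.block = mods.some((fragment) => lpLibFileName.includes(fragment));
  },
  onLeave(retval) {
    if (!this.block) {
      return;
    }
    // The load itself may have failed; FreeLibrary(NULL) would only set an error, so skip it.
    if (!retval.isNull()) {
      FreeLibrary(retval);
    }
    retval.replace(NULL);
  },
});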
// const ghidraImageBase = 0x140000000; // example value; read the real one in Ghidra from Window -> Memory map -> Set Image Base
// const moduleName = "RtkAudUService64.exe";
// const moduleBaseAddress = Module.findBaseAddress(moduleName);
// const functionRealAddress = moduleBaseAddress.add(0x140027fd0 - ghidraImageBase);
// Interceptor.attach(functionRealAddress, {
// onEnter: function(args) {
// const x = args[0].readUtf16String();
// if (x === "%s %d nDriverEventIndex=%d")
// {
// console.log(args[1].readUtf16String());
// console.log(args[2].toInt32());
// console.log(args[3].toInt32());
// }
// }
// });