
Commit ba6a94f

committed
Pretty Code
1 parent c4b1762 commit ba6a94f

2 files changed

Lines changed: 65 additions & 45 deletions


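--- a/MonikaHijack/HijackMainThread_Returnable.cpp
+++ b/MonikaHijack/HijackMainThread_Returnable.cpp
@@ -260,61 +260,81 @@ void GetTargetMsgBoxA_Routine()
 
 int main()
 {
+// Update Gidget_Shellcode with function addresses
 *(UINT64 *)(Gidget_Shellcode + 20) = (UINT64)LoadLibraryA;
 *(UINT64 *)(Gidget_Shellcode + 45) = (UINT64)GetProcAddress;
 
 const char* targetProcessName = "target.exe"; // Replace with your target process name
+
+// Get the target process ID
 GetProcessIdByName(targetProcessName);
 
-if (targetGalgame.processId)
+if (!targetGalgame.processId)
 {
-printf("Target process \"%s\" found with PID %lu\n", targetProcessName, targetGalgame.processId);
-targetGalgame.hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetGalgame.processId);
-if (!targetGalgame.hProcess)
-{
-printf("Failed to open process handle\n");
-return 0;
-}
-GetTargetMsgBoxA_Routine();
-// Update MonikaPayload with Target MessageBoxA address
-*(UINT64 *)(MonikaPayload + 55) = *(UINT64 *)(Gidget_Shellcode + sizeof(Gidget_Shellcode) - 8);
-// Inject MonikaPayload and get the remote memory address
-InjectShellcode();
-if (targetGalgame.remotePayloadMemory)
-{
-printf("Shellcode injected successfully.\n");
-// Get the main thread ID
-GetMainThreadId();
-if (targetGalgame.mainThreadId)
-{
-printf("Main thread found with TID %lu\n", targetGalgame.mainThreadId);
-
-// Hijack the main thread
-HijackMainThread();
-if (targetGalgame.hThread)
-printf("Main thread hijacked successfully.\n");
-else
-printf("Failed to hijack main thread.\n");
-}
-else
-{
-printf("Failed to find main thread.\n");
-}
-// clean up, this might cause the target process glitch due to RWX memory being released
-//VirtualFreeEx(targetGalgame.hProcess, targetGalgame.remotePayloadMemory, 0, MEM_RELEASE);
-//targetGalgame.remotePayloadMemory = NULL;
-CloseHandle(targetGalgame.hProcess);
-targetGalgame.hProcess = NULL;
-}
-else
-{
-printf("Failed to inject MonikaPayload.\n");
-}
+printf("Target process \"%s\" not found.\n", targetProcessName);
+return 0;
+}
+
+printf("Target process \"%s\" found with PID %lu\n", targetProcessName, targetGalgame.processId);
+
+targetGalgame.hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetGalgame.processId);
+if (!targetGalgame.hProcess)
+{
+printf("Failed to open process handle\n");
+return 0;
+}
+
+// Retrieve the target MessageBoxA routine
+GetTargetMsgBoxA_Routine();
+
+// Update MonikaPayload with the Target MessageBoxA address
+*(UINT64 *)(MonikaPayload + 55) = *(UINT64 *)(Gidget_Shellcode + sizeof(Gidget_Shellcode) - 8);
+
+// Inject MonikaPayload and get the remote memory address
+InjectShellcode();
+
+if (!targetGalgame.remotePayloadMemory)
+{
+printf("Failed to inject MonikaPayload.\n");
+CloseHandle(targetGalgame.hProcess);
+targetGalgame.hProcess = NULL;
+return 0;
+}
+
+printf("Shellcode injected successfully.\n");
+
+// Get the main thread ID
+GetMainThreadId();
+
+if (!targetGalgame.mainThreadId)
+{
+printf("Failed to find main thread.\n");
+CloseHandle(targetGalgame.hProcess);
+targetGalgame.hProcess = NULL;
+return 0;
+}
+
+printf("Main thread found with TID %lu\n", targetGalgame.mainThreadId);
+
+// Hijack the main thread
+HijackMainThread();
+
+if (!targetGalgame.hThread)
+{
+printf("Failed to hijack main thread.\n");
 }
 else
 {
-printf("Target process \"%s\" not found.\n", targetProcessName);
+printf("Main thread hijacked successfully.\n");
 }
 
+// Clean up
+// Note: Releasing RWX memory may cause glitches in the target process
+// VirtualFreeEx(targetGalgame.hProcess, targetGalgame.remotePayloadMemory, 0, MEM_RELEASE);
+// targetGalgame.remotePayloadMemory = NULL;
+
+CloseHandle(targetGalgame.hProcess);
+targetGalgame.hProcess = NULL;
+
 return 0;
-}
+}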
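Review bot: Every early exit in the flattened `main()` (target not found, OpenProcess failure, injection failure, main thread not found) still ends in `return 0;`, and the hijack-failure branch falls through to the final `return 0;`, so the exit status never distinguishes failure from success. Returning a non-zero status such as `return 1;` on those paths would let a wrapper script or test harness see the failure. The `CloseHandle(targetGalgame.hProcess); targetGalgame.hProcess = NULL;` pair now appears three times; a single cleanup label reached with `goto cleanup;` (or a small helper) would keep the exit paths from drifting apart. `targetGalgame.hThread` is tested but never closed in this function; HijackMainThread is defined outside the hunk, so confirm whether it owns and releases that handle.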
0 Bytes
Binary file not shown.
