new cached offset finder to replace hardcoded offsets!
wiktorwiktor12 committed Jun 22, 2024
1 parent 55304c9 commit b7c5a08
Showing 10 changed files with 229 additions and 63 deletions.
1 change: 1 addition & 0 deletions ConsoleLogonHook/ConsoleLogonHook.vcxproj
Expand Up @@ -281,6 +281,7 @@
<ClInclude Include="ui\ui_statusview.h" />
<ClInclude Include="ui\ui_userselect.h" />
<ClInclude Include="util\interop.h" />
<ClInclude Include="util\memory_man.h" />
<ClInclude Include="util\util.h" />
</ItemGroup>
<ItemGroup>
3 changes: 3 additions & 0 deletions ConsoleLogonHook/ConsoleLogonHook.vcxproj.filters
Expand Up @@ -396,6 +396,9 @@
<ClInclude Include="util\interop.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="util\memory_man.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="dllmain.cpp">
36 changes: 23 additions & 13 deletions ConsoleLogonHook/init/init.cpp
Expand Up @@ -17,6 +17,7 @@
#include "ui/ui_selectedcredentialview.h"
#include "ui/ui_userselect.h"
#include "util\interop.h"
#include "util\memory_man.h"

namespace init
{
Expand All @@ -35,17 +36,20 @@ namespace init
spdlog::flush_every(std::chrono::microseconds(100));
}

__int64(__fastcall* EditControl__Repaint)(void* a1);
__int64 EditControl__Repaint_Hook(void* a1)
__int64(__fastcall* ControlBase__PaintArea)(void* a1, __int64 a2, unsigned int a3, __int64 a4, unsigned int a5);
__int64 ControlBase__PaintArea_Hook(void* a1, __int64 a2, unsigned int a3, __int64 a4, unsigned int a5)
{
if (bLogonConsoleShown)
return ControlBase__PaintArea(a1,a2,a3,a4,a5);

if (!a1) return 0;

if (IsBadReadPtr(a1, 8)) return 0;

if (IsBadReadPtr(*(uintptr_t**)(__int64(a1) + 0x20), 8)) return 0;
if (IsBadReadPtr(**(void***)(__int64(a1) + 0x20), 8)) return 0;

return EditControl__Repaint(a1);
return ControlBase__PaintArea(a1,a2,a3,a4,a5);
}

void(__stdcall* fOutputDebugStringW)(LPCWSTR lpoutputstring);
Expand All @@ -67,12 +71,10 @@ namespace init
auto baseaddress = (uintptr_t)LoadLibraryW(L"C:\\Windows\\System32\\ConsoleLogon.dll");
if (!baseaddress)
MessageBox(0, L"FAILED TO LOAD", L"FAILED TO LOAD", 0);
//MessageBox(0,L"1",L"1",0);
//check we are running correct consolelogon, very very low chance will this check pass if diff version dll
auto SecurityOptionsView__RuntimeClassIntialise = (uint8_t*)(baseaddress + 0x36EB4);
if (SecurityOptionsView__RuntimeClassIntialise[0] != 0x48 || SecurityOptionsView__RuntimeClassIntialise[1] != 0x89 || SecurityOptionsView__RuntimeClassIntialise[2] != 0x5C)
return;
//MessageBox(0,L"2",L"2",0);

memory::LoadOffsetCache();
memory::CheckCache();
//MessageBox(0, L"dbg1", 0, 0);
MinimizeLogonConsole();
//MessageBox(0,L"3",L"3",0);

Expand All @@ -87,21 +89,29 @@ namespace init
fWindowsDeleteString = decltype(fWindowsDeleteString)(GetProcAddress(stringdll, "WindowsDeleteString"));
fWindowsCreateString = decltype(fWindowsCreateString)(GetProcAddress(stringdll, "WindowsCreateString"));
}
//MessageBox(0, L"dbg2", 0, 0);

fOutputDebugStringW = decltype(fOutputDebugStringW)(GetProcAddress(GetModuleHandle(L"api-ms-win-core-debug-l1-1-0.dll"), "OutputDebugStringW"));
Hook(fOutputDebugStringW, OutputDebugStringW_Hook);
EditControl__Repaint = (decltype(EditControl__Repaint))(baseaddress + 0x44528);
Hook(EditControl__Repaint, EditControl__Repaint_Hook);

//EditControl__Repaint = (decltype(EditControl__Repaint))(baseaddress + 0x44528);
ControlBase__PaintArea = memory::FindPatternCached<decltype(ControlBase__PaintArea)>("ControlBasePaintArea","48 89 5C 24 10 48 89 6C 24 18 56 57 41 54 41 56 41 57 48 83 EC 40");
Hook(ControlBase__PaintArea, ControlBase__PaintArea_Hook);
//MessageBox(0, L"dbg3", 0, 0);
external::InitExternal();
uiSecurityControl::InitHooks(baseaddress);
//MessageBox(0, L"dbg3.1", 0, 0);
uiMessageView::InitHooks(baseaddress);
//MessageBox(0, L"dbg3.2", 0, 0);
uiStatusView::InitHooks(baseaddress);
//MessageBox(0, L"dbg3.3", 0, 0);
uiUserSelect::InitHooks(baseaddress);
//MessageBox(0, L"dbg3.4", 0, 0);
uiSelectedCredentialView::InitHooks(baseaddress);
//MessageBox(0, L"dbg4", 0, 0);
memory::SaveOffsetCache();

MinimizeLogonConsole();

//MessageBox(0, L"dbg5", 0, 0);
external::InitUI();
//MessageBox(0,L"4",L"4",0);
}
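Review bot: The `FindPatternCached` result on L101 goes straight into `Hook()` on L102 with no null check, and the prologue byte check that previously bailed out on a mismatched ConsoleLogon.dll (L77-L80) appears to be gone, so a pattern miss on another DLL build now hands a null target to the hook inside a process that runs at logon; guard every lookup before hooking, e.g. `if (!ControlBase__PaintArea) return;`, and the same applies to the lookups in ui_messageview.cpp, ui_securitycontrol.cpp, ui_selectedcredentialview.cpp and ui_statusview.cpp. The replacement check on L65 reads the pointer at `a1+0x20` and dereferences it before either value has been validated (L62 only covers the first 8 bytes of `a1`), so a bad inner pointer now faults inside the hook instead of being rejected; split it into steps: `if (IsBadReadPtr((char*)a1 + 0x20, 8)) return 0; void** inner = *(void***)((__int64)a1 + 0x20); if (IsBadReadPtr(inner, 8) || IsBadReadPtr(*inner, 8)) return 0;`. `memory::LoadOffsetCache()`/`CheckCache()` on L83-L84 supply the offsets that the rest of this function hooks and patches; memory_man.h is not in this diff, so I can only ask that the cache be bound to the exact DLL (version or hash) and stored where only administrators can write, since a stale or tampered cache would steer the hooks and code patches to the wrong addresses. The InitHooks body for the last two hunks starts outside the hunk.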
14 changes: 8 additions & 6 deletions ConsoleLogonHook/ui/ui_messageview.cpp
Expand Up @@ -5,6 +5,7 @@
#include "../util/util.h"
#include <winstring.h>
#include <util/interop.h>
#include <util/memory_man.h>

__int64 (__fastcall* MessageOptionControl__v_HandleKeyInput)(void* _this, const struct _KEY_EVENT_RECORD* a2, int* a3);

Expand Down Expand Up @@ -94,13 +95,14 @@ __int64 MessageOptionControl__Destructor_Hook(void* _this, char a2)

void uiMessageView::InitHooks(uintptr_t baseaddress)
{
MessageView__RuntimeClassInitialize = decltype(MessageView__RuntimeClassInitialize)(baseaddress + 0x389B0);
MessageView__RuntimeClassInitialize = memory::FindPatternCached<decltype(MessageView__RuntimeClassInitialize)>("MessageView__RuntimeClassInitialize","48 89 5C 24 10 48 89 74 24 18 55 57 41 54 41 56 41 57 48 8B EC 48 83 EC 50 41 8B F9");
//CredUIViewManager__ShowCredentialView = decltype(CredUIViewManager__ShowCredentialView)(baseaddress + 0x201BC);
BasicTextControl__RuntimeClassInitialize1 = decltype(BasicTextControl__RuntimeClassInitialize1)(baseaddress + 0x43FB8);
BasicTextControl__RuntimeClassInitialize2 = decltype(BasicTextControl__RuntimeClassInitialize2)(baseaddress + 0x44104);
MessageOptionControl__RuntimeClassInitialize = decltype(MessageOptionControl__RuntimeClassInitialize)(baseaddress + 0x40D38);
MessageOptionControl__Destructor = decltype(MessageOptionControl__Destructor)(baseaddress + 0x402A0);
MessageOptionControl__v_HandleKeyInput = decltype(MessageOptionControl__v_HandleKeyInput)(baseaddress + 0x41040);
BasicTextControl__RuntimeClassInitialize1 = memory::FindPatternCached<decltype(BasicTextControl__RuntimeClassInitialize1)>("BasicTextControl__RuntimeClassInitialize1", "48 8B C4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 EC 20 48 8B F9 44 88 49 58");
BasicTextControl__RuntimeClassInitialize2 = memory::FindPatternCached<decltype(BasicTextControl__RuntimeClassInitialize2)>("BasicTextControl__RuntimeClassInitialize2", "48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B F2 48 8B F9 48 83 C1");
//MessageOptionControl__RuntimeClassInitialize = memory::FindPatternCached<decltype(MessageOptionControl__RuntimeClassInitialize)>("MessageOptionControl__RuntimeClassInitialize", "48 8B C4 48 89 58 08 48 89 68 10 48 89 70 18 4C 89 48 20 57 41 56 41 57 48 83 EC 20 49 8B D9 41 8B F8 4C 8B FA 48 8B F1 44 89 41 70");
MessageOptionControl__RuntimeClassInitialize = memory::FindPatternCached<decltype(MessageOptionControl__RuntimeClassInitialize)>("MessageOptionControl__RuntimeClassInitialize", "48 8B C4 48 89 58 08 48 89 68 10 48 89 70 18 4C 89 48 20 57 41 56 41 57 48 83 EC 20 49 8B D9 41 8B F8 4C 8B FA 48 8B F1 44 89 41 70");
MessageOptionControl__Destructor = memory::FindPatternCached<decltype(MessageOptionControl__Destructor)>("MessageOptionControl__Destructor", "48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 8B F2 48 8B D9 48 8B 79 68 48 83 61 68 00");
MessageOptionControl__v_HandleKeyInput = memory::FindPatternCached<decltype(MessageOptionControl__v_HandleKeyInput)>("MessageOptionControl__v_HandleKeyInput", "48 89 5C 24 10 55 56 57 41 56 41 57 48 8B EC 48 83 EC 60 48 8B 05 ?? ?? ?? ?? 48 33 C4");


Hook(MessageView__RuntimeClassInitialize, MessageView__RuntimeClassInitialize_Hook);
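Review bot: L148 is a commented-out copy of L149 with the identical name and byte pattern, so it is dead text that will drift from the live line; drop it, and the commented-out `baseaddress` lookup on L140 can go with it now that nothing in the visible body reads `baseaddress`. With every lookup moved to `FindPatternCached`, the `baseaddress` parameter of `uiMessageView::InitHooks` is unused here; if the signature is kept for the call site in init.cpp, mark it `[[maybe_unused]] uintptr_t baseaddress` (the body continues past the hunk, so confirm nothing below still uses it). The double blank line at L152-L153 can be collapsed as well.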
29 changes: 16 additions & 13 deletions ConsoleLogonHook/ui/ui_securitycontrol.cpp
Expand Up @@ -5,6 +5,7 @@
#include "../util/util.h"
#include <winstring.h>
#include <util/interop.h>
#include <util/memory_man.h>

//std::vector<SecurityOptionControlWrapper> buttonsList;

Expand Down Expand Up @@ -142,8 +143,8 @@ __int64 CredUIManager__ShowCredentialView_Hook(void* _this, HSTRING a2)
return CredUIManager__ShowCredentialView(_this,a2);
}

__int64(__fastcall* SecurityOptionsView__Destructor)(__int64 a1, unsigned int a2);
__int64 SecurityOptionsView__Destructor_Hook(__int64 a1, unsigned int a2)
__int64(__fastcall* SecurityOptionsView__Destructor)(__int64 a1, char a2);
__int64 SecurityOptionsView__Destructor_Hook(__int64 a1, char a2)
{
//auto securityControl = uiRenderer::Get()->GetWindowOfTypeId<uiSecurityControl>(2);
//if (securityControl)
Expand Down Expand Up @@ -185,27 +186,29 @@ const wchar_t* external::SecurityOptionControl_getString(void* actualInstance)

void uiSecurityControl::InitHooks(uintptr_t baseaddress)
{
LogonViewManager__ShowSecurityOptionsUIThread = decltype(LogonViewManager__ShowSecurityOptionsUIThread)(baseaddress + 0x2BFC0);
LogonViewManager__ShowSecurityOptions = decltype(LogonViewManager__ShowSecurityOptions)(baseaddress + 0x2964C);
MakeAndInitialize_SecurityOptionControl = decltype(MakeAndInitialize_SecurityOptionControl)(baseaddress + 0x37774);
SecurityOptionControlHandleKeyInput = decltype(SecurityOptionControlHandleKeyInput)(baseaddress + 0x40680);
LogonViewManager__ShowSecurityOptionsUIThread = memory::FindPatternCached<decltype(LogonViewManager__ShowSecurityOptionsUIThread)>("LogonViewManager__ShowSecurityOptionsUIThread","48 89 5C 24 08 4C 89 44 24 18 55 56 57 41 56 41 57 48 8B EC 48 83 EC 40");
LogonViewManager__ShowSecurityOptions = memory::FindPatternCached<decltype(LogonViewManager__ShowSecurityOptions)>("LogonViewManager__ShowSecurityOptions", "48 89 5C 24 10 4C 89 44 24 18 55 56 57 41 54 41 55 41 56 41 57");
auto adr = memory::FindPatternCached<uintptr_t>("MakeAndInitialize_SecurityOptionControl", "E8 ?? ?? ?? ?? 44 8B F0 85 C0 79 ?? 48 8B 4D ?? 44 8B C8 4C 8D 05 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 90");
MakeAndInitialize_SecurityOptionControl = (decltype(MakeAndInitialize_SecurityOptionControl))(REL(adr,1));
SecurityOptionControlHandleKeyInput = memory::FindPatternCached<decltype(SecurityOptionControlHandleKeyInput)>("SecurityOptionControlHandleKeyInput", "48 89 5C 24 10 48 89 74 24 20 55 57 41 56 48 8B EC 48 83 EC 70 48 8B 05 ?? ?? ?? ?? 48 33 C4");
//SecurityOptionControlHandleKeyInput = decltype(SecurityOptionControlHandleKeyInput)(baseaddress + 0x44490);
//ConsoleUIView__Initialize = decltype(ConsoleUIView__Initialize)(baseaddress + 0x42710);
//ConsoleUIView__HandleKeyInput = decltype(ConsoleUIView__HandleKeyInput)(baseaddress + 0x43530);
SecurityOptionControl_Destructor = decltype(SecurityOptionControl_Destructor)(baseaddress + 0x40C40);
SecurityOptionsView__RuntimeClassInitialize = decltype(SecurityOptionsView__RuntimeClassInitialize)(baseaddress + 0x36EB4);
CredUIManager__ShowCredentialView = decltype(CredUIManager__ShowCredentialView)(baseaddress + 0x201BC);
SecurityOptionsView__Destructor = decltype(SecurityOptionsView__Destructor)(baseaddress + 0x37880);



void** SecurityOptionControlVtable = (void**)REL(memory::FindPatternCached<uintptr_t>("SecurityOptionControlVtable", "48 8D 05 ?? ?? ?? ?? 48 83 63 48 00 48 83 63 50 00 48 83 63 58 00 48 83 63 68 00 83 63 70 00 48 89 43 08"),3);

SecurityOptionControl_Destructor = (decltype(SecurityOptionControl_Destructor))(SecurityOptionControlVtable[7]);
SecurityOptionsView__RuntimeClassInitialize = memory::FindPatternCached<decltype(SecurityOptionsView__RuntimeClassInitialize)>("SecurityOptionsView__RuntimeClassInitialize", "48 89 5C 24 10 4C 89 44 24 18 55 56 57 41 56 41 57 48 8B EC 48 83 EC 30");
//CredUIManager__ShowCredentialView = memory::FindPatternCached<decltype(CredUIManager__ShowCredentialView)>("CredUIManager__ShowCredentialView", "48 89 5C 24 08 55 56 57 41 54 41 55 41 56 41 57 48 8B EC");
SecurityOptionsView__Destructor = memory::FindPatternCached<decltype(SecurityOptionsView__Destructor)>("SecurityOptionsView__Destructor", "48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 8B F2 48 8B D9 48 8B 79 78 48 83 61 78 00");

Hook(LogonViewManager__ShowSecurityOptionsUIThread, LogonViewManager__ShowSecurityOptionsUIThread_Hook);
Hook(LogonViewManager__ShowSecurityOptions, LogonViewManager__ShowSecurityOptions_Hook);
Hook(MakeAndInitialize_SecurityOptionControl, MakeAndInitialize_SecurityOptionControl_Hook);
Hook(SecurityOptionControlHandleKeyInput, SecurityOptionControlHandleKeyInput_Hook);
Hook(SecurityOptionControl_Destructor, SecurityOptionControl_Destructor_Hook);
Hook(SecurityOptionsView__RuntimeClassInitialize, SecurityOptionsView__RuntimeClassInitialize_Hook);
Hook(CredUIManager__ShowCredentialView, CredUIManager__ShowCredentialView_Hook);
//Hook(CredUIManager__ShowCredentialView, CredUIManager__ShowCredentialView_Hook);
Hook(SecurityOptionsView__Destructor, SecurityOptionsView__Destructor_Hook);

//Hook(ConsoleUIView__Initialize, ConsoleUIView__Initialize_Hook);
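Review bot: `REL(adr,1)` on L188 and `REL(...,3)` on L200 are applied directly to `FindPatternCached` results, so a pattern miss that yields 0 makes REL (which I take to resolve a displacement relative to the matched instruction) read near address 1 or 3 and fault before any hook is installed; bail out when either lookup returns 0, e.g. `if (!adr) return;` before L188 and the equivalent for the vtable lookup, ideally with a logged reason so a failed match is diagnosable. `SecurityOptionControl_Destructor` is then taken from `SecurityOptionControlVtable[7]` on L202 without checking that the recovered table is readable or documenting why slot 7 is the right one; a comment such as `// vtable slot 7 — destructor on this ConsoleLogon.dll build, TODO confirm when the pattern is re-verified` would make that auditable. With L195 apparently removed and L204/L213 commented out, `CredUIManager__ShowCredentialView` is never assigned, yet `CredUIManager__ShowCredentialView_Hook` on L167 still calls through it; either delete the hook or keep the assignment so the pointer cannot be null if the hook is re-enabled. The InitHooks body continues past the hunk.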
19 changes: 10 additions & 9 deletions ConsoleLogonHook/ui/ui_selectedcredentialview.cpp
Expand Up @@ -8,6 +8,7 @@
#include <vector>
#include "ui_securitycontrol.h"
#include "util/interop.h"
#include "util/memory_man.h"

//std::vector<EditControlWrapper> editControls;

Expand Down Expand Up @@ -119,15 +120,15 @@ GUID guid;

void uiSelectedCredentialView::InitHooks(uintptr_t baseaddress)
{
SelectedCredentialView__v_OnKeyInput = decltype(SelectedCredentialView__v_OnKeyInput)(baseaddress + 0x38720);
CredUISelectedCredentialView__RuntimeClassInitialize = decltype(CredUISelectedCredentialView__RuntimeClassInitialize)(baseaddress + 0x338CC);
SelectedCredentialView__RuntimeClassInitialize = decltype(SelectedCredentialView__RuntimeClassInitialize)(baseaddress + 0x37EE0);
EditControl__RuntimeClassInitialize = decltype(EditControl__RuntimeClassInitialize)(baseaddress + 0x3E8F0);
CheckboxControl__Destructor = decltype(CheckboxControl__Destructor)(baseaddress + 0x3C3AC);
CredentialFieldControlBase__GetVisibility = decltype(CredentialFieldControlBase__GetVisibility)(baseaddress + 0x4162C);
EditControl__v_HandleKeyInput = decltype(EditControl__v_HandleKeyInput)(baseaddress + 0x3EF20);

uint8_t* focusPatch = (uint8_t*)(baseaddress + 0x38793); //to patch the check for the bottom most field being selected when pressing enter
SelectedCredentialView__v_OnKeyInput = memory::FindPatternCached<decltype(SelectedCredentialView__v_OnKeyInput)>("SelectedCredentialView__v_OnKeyInput","48 89 5C 24 08 57 48 83 EC 20 41 83 20 00 49 8B F8 66 83 7A 06 08 48 8B D9 74");
CredUISelectedCredentialView__RuntimeClassInitialize = memory::FindPatternCached<decltype(CredUISelectedCredentialView__RuntimeClassInitialize)>("CredUISelectedCredentialView__RuntimeClassInitialize", "48 8B C4 48 89 58 18 48 89 70 20 48 89 50 10 55 57 41 54 41 56 41 57");
SelectedCredentialView__RuntimeClassInitialize = memory::FindPatternCached<decltype(SelectedCredentialView__RuntimeClassInitialize)>("SelectedCredentialView__RuntimeClassInitialize", "48 8B C4 48 89 58 10 48 89 70 18 48 89 78 20 55 41 54 41 55 41 56 41 57 48 8D 68 B8 48 81 EC 20 01 00 00");
EditControl__RuntimeClassInitialize = memory::FindPatternCached<decltype(EditControl__RuntimeClassInitialize)>("EditControl__RuntimeClassInitialize", "48 8B C4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 EC 30 49 8B F0 4C 8B F2 48 8B F9 48 8D 59 70 48 8B 0B 48 85 C9 74 ?? 48 83 23 00 48 8B 01 48 8B 40 10 FF 15 ?? ?? ?? ?? 48 8B 06 4C 8B C3 48 8D 15 ?? ?? ?? ?? 48 8B CE 48 8B 00 FF 15 ?? ?? ?? ?? 8B D8 85 C0 79 ?? BA 18 00 00 00"); // fucking kill me
CheckboxControl__Destructor = memory::FindPatternCached<decltype(CheckboxControl__Destructor)>("CheckboxControl__Destructor", "48 89 5C 24 08 57 48 83 EC 20 8B FA 48 8B D9 48 8B 49 70 48 85 C9 74 ?? 48 83 ?? ?? ?? 48 8B 01 48 8B 40 10 FF 15 ?? ?? ?? ?? 90 48 8B CB");
CredentialFieldControlBase__GetVisibility = memory::FindPatternCached<decltype(CredentialFieldControlBase__GetVisibility)>("CredentialFieldControlBase__GetVisibility", "48 89 5C 24 18 55 56 57 48 83 EC 20 48 8B E9 48 8B F2");
EditControl__v_HandleKeyInput = memory::FindPatternCached<decltype(EditControl__v_HandleKeyInput)>("EditControl__v_HandleKeyInput", "48 89 5C 24 10 55 56 57 41 56 41 57 48 8B EC 48 83 EC 70 48 8B 05 ?? ?? ?? ?? 48 33 C4");

uint8_t* focusPatch = memory::FindPatternCached<uint8_t*>("focusPatch", "74 ?? 48 8B 4B ?? 48 8B 01 48 8B 80"); //to patch the check for the bottom most field being selected when pressing enter

DWORD old;
VirtualProtect(focusPatch,2,PAGE_EXECUTE_READWRITE,&old);
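Review bot: `focusPatch` on L250 is passed to `VirtualProtect` on L253 and then, presumably past the end of the hunk, written to, but neither a null result from the pattern lookup nor the `VirtualProtect` return value is checked, so a miss faults on the write and a failed protection change silently leaves the patch unapplied; check both, e.g. `if (!focusPatch || !VirtualProtect(focusPatch, 2, PAGE_EXECUTE_READWRITE, &old)) return;`. The `focusPatch` pattern on L250 is a short, generic sequence (a conditional jump followed by three loads) compared with the long prologue patterns above it, and because this site is patched rather than hooked, a false match on another build would silently alter unrelated code; extend it with surrounding bytes, or reject the match if the finder reports more than one hit, if it supports that. The comment on L245 should say what the pattern anchors on rather than venting, e.g. `// deliberately long: the prologue alone is not unique in this DLL — TODO confirm`. The function body continues past the hunk.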
5 changes: 3 additions & 2 deletions ConsoleLogonHook/ui/ui_statusview.cpp
Expand Up @@ -5,6 +5,7 @@
#include "../util/util.h"
#include <winstring.h>
#include <util/interop.h>
#include <util/memory_man.h>

__int64(__fastcall* StatusView__RuntimeClassInitialize)(/*StatusView*/void* _this, HSTRING a2, /*IUser*/void* a3);
__int64 StatusView__RuntimeClassInitialize_Hook(/*StatusView*/void* _this, HSTRING a2, /*IUser*/void* a3)
Expand Down Expand Up @@ -71,8 +72,8 @@ void* StatusView__Destructor_Hook(void* _this, char a2)

void uiStatusView::InitHooks(uintptr_t baseaddress)
{
StatusView__RuntimeClassInitialize = decltype(StatusView__RuntimeClassInitialize)(baseaddress + 0x387D0);
StatusView__Destructor = decltype(StatusView__Destructor)(baseaddress + 0x224F8);
StatusView__RuntimeClassInitialize = memory::FindPatternCached<decltype(StatusView__RuntimeClassInitialize)>("StatusView__RuntimeClassInitialize","48 89 5C 24 10 48 89 74 24 18 55 57 41 56 48 8B EC 48 83 EC 40");
StatusView__Destructor = memory::FindPatternCached<decltype(StatusView__Destructor)>("StatusView__Destructor", "48 89 5C 24 08 57 48 83 EC 20 8B DA 48 8B F9 E8 ?? ?? ?? ?? F6 C3 01 74 ?? BA 78 00 00 00 48 8B CF E8 ?? ?? ?? ?? 48 8B 5C 24 30");

Hook(StatusView__RuntimeClassInitialize, StatusView__RuntimeClassInitialize_Hook);
Hook(StatusView__Destructor, StatusView__Destructor_Hook);
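Review bot: `baseaddress` is no longer read anywhere in the visible body of `uiStatusView::InitHooks` once both lookups on L271-L272 go through `FindPatternCached`, so the parameter needs either `[[maybe_unused]]` or a short comment saying it is kept for signature compatibility with the other InitHooks functions; the body continues past the hunk, so confirm nothing below still uses it. If the string names passed on L271-L272 are the keys under which `SaveOffsetCache()` in init.cpp persists the result, a one-line comment above them, e.g. `// first argument is the offset-cache key; renaming it invalidates the cached entry`, would save the next maintainer a surprise.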