From 04c70ae7cb8c28e1a8eaf513ffc553b5fcf34373 Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Mon, 8 Mar 2021 08:32:21 +0000
Subject: [PATCH] Update README.md
---
 README.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/README.md b/README.md
index d373345..1488f92 100644
--- a/README.md
+++ b/README.md
@@ -296,6 +296,35 @@ theo::resolve_symbol_t resolve_symbol =
 };
 ```
 
+Another example of this lambda can be viewed in the usermode examples. This routine simply loops over every single module mapped into the specific process you want to map/link with.
+
+```cpp
+theo::resolve_symbol_t _resolver =
+ [&, &extern_symbols = extern_symbols](const char* symbol_name) -> std::uintptr_t
+{
+ auto loaded_modules = std::make_unique(64);
+ std::uintptr_t result = 0u, loaded_module_sz = 0u;
+
+ if (!EnumProcessModules(phandle,
+ loaded_modules.get(), 512, (PDWORD)&loaded_module_sz))
+ return {};
+
+ for (auto i = 0u; i < loaded_module_sz / 8u; i++)
+ {
+ wchar_t file_name[MAX_PATH] = L"";
+ if (!GetModuleFileNameExW(phandle,
+ loaded_modules.get()[i], file_name, _countof(file_name)))
+ continue;
+
+ if ((result = reinterpret_cast(
+ GetProcAddress(LoadLibrary(file_name), symbol_name))))
+ break;
+ }
+
+ return result;
+};
+```
+
 # Obfuscation
 
 The usage of the word obfuscation in this project is use to define any changes made to code, this includes code flow. `obfuscation::obfuscate`, a base class, which is inherited and expanded upon by `obfuscation::mutation`, obfuscates code flow by inserting `JMP [RIP+0x0]` instructions after every single instruction. This allows for a routine to be broken up into unique allocations of memory and thus provides more canvas room for creative ideas.