smap

Scatter Manual Mapper

A DLL manual mapper for Windows with two main purposes:

  • Evade heuristic and byte-pattern detection by scattering the DLL's instructions across many small executable regions instead of one contiguous image.
  • Allow hooks on protected functions by placing the hook functions (specified as exports of the DLL) inside existing, legitimately loaded modules, so a hook's entry address resolves to a known module rather than to unbacked memory.

This mapper is designed for an x64 target process and DLL.

Procedure

  1. Scan the target process for executable alignment padding (code caves) that does not fall inside any module's .text or .rdata section.
  2. Analyze and adjust the DLL's executable code so that it can be scattered at one instruction per page: rewrite every relative instruction and jump table so that it references absolute addresses.
  3. If the DLL has exports, place as many of the exports' instructions as possible into the alignments found in step 1. The alignments are split evenly across the exports, so each export is guaranteed to at least have its starting address inside a valid module. All remaining instructions are scattered across newly allocated RX regions.
  4. Temporarily hijack control flow (see -i, -m and -n below) to call the DLL's entry point.
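As an added illustration of steps 2 and 3 (example code written for this page, not smap's own implementation), the Python below takes a constructed, already-split x64 instruction stream, rewrites its relative branches (short and near jmp, call, jcc rel8) into forms that work from any address, lays the result out at `per_region` instructions per page (the role of the -s threshold) with each page chained to the next by an absolute jmp, and shows that a contiguous byte signature of the original code no longer exists in any region. Assumptions: the fixed page-aligned region bases stand in for both the step-1 caves and fresh RX allocations; RIP-relative memory operands, jcc rel32 and jump tables, which smap also relocates, are left out; and the absolute encodings chosen here (`jmp/call qword ptr [rip+disp]` followed by an inline 8-byte address, condition inversion for jcc) are this example's choices, not necessarily smap's.

```python
import struct

PAGE = 0x1000          # one scatter region per page, as with the default -s 1

# Constructed input: an x64 instruction stream already split into instructions
# (a real mapper gets this split from a disassembler). Comments give the
# original offsets so the relative targets can be checked by hand.
INSNS = [bytes.fromhex(h) for h in (
    "31c0",        # 0  @0   xor eax, eax
    "ffc0",        # 1  @2   inc eax
    "83f803",      # 2  @4   cmp eax, 3
    "75f9",        # 3  @7   jne -7   -> offset 2  (insn 1)
    "e802000000",  # 4  @9   call +2  -> offset 16 (insn 6)
    "eb01",        # 5  @14  jmp +1   -> offset 17 (insn 7)
    "c3",          # 6  @16  ret      (callee)
    "b807000000",  # 7  @17  mov eax, 7
    "c3",          # 8  @22  ret
)]

def branch_info(insn):
    """(kind, rel) for the relative branches this toy understands, else None.
    Out of scope here: 0F 8x jcc rel32, RIP-relative memory operands, jump tables."""
    op = insn[0]
    if op == 0xEB and len(insn) == 2:
        return "jmp", struct.unpack("<b", insn[1:])[0]
    if op == 0xE9 and len(insn) == 5:
        return "jmp", struct.unpack("<i", insn[1:])[0]
    if op == 0xE8 and len(insn) == 5:
        return "call", struct.unpack("<i", insn[1:])[0]
    if 0x70 <= op <= 0x7F and len(insn) == 2:
        return "jcc", struct.unpack("<b", insn[1:])[0]
    return None

def resolve_targets(insns):
    """index of a branching insn -> index of the insn it lands on (original layout)."""
    starts, off = {}, 0
    for i, insn in enumerate(insns):
        starts[off] = i
        off += len(insn)
    targets, off = {}, 0
    for i, insn in enumerate(insns):
        off += len(insn)                  # x64 displacements are relative to the next insn
        info = branch_info(insn)
        if info is not None:
            dest = off + info[1]
            if dest not in starts:
                raise ValueError(f"insn {i} branches into the middle of an instruction")
            targets[i] = starts[dest]
    return targets

ABS_SIZE = {"jmp": 14, "call": 16, "jcc": 16}   # sizes of the rewritten forms below

def encode_absolute(insn, kind, target):
    """Rewrite one relative branch so it works from any address."""
    q = struct.pack("<Q", target)
    abs_jmp = b"\xff\x25\x00\x00\x00\x00" + q   # jmp qword ptr [rip+0]; dq target
    if kind == "jmp":
        return abs_jmp
    if kind == "call":                           # call qword ptr [rip+2]; jmp short +8; dq target
        return b"\xff\x15\x02\x00\x00\x00" + b"\xeb\x08" + q
    # jcc rel8: flipping the low opcode bit inverts the condition; hop over the abs jmp
    return bytes([insn[0] ^ 1, len(abs_jmp)]) + abs_jmp

def scatter(insns, base=0x7FF6_0000_0000, per_region=1):
    """Lay out insns at per_region instructions per page (the -s threshold), chain the
    pages with absolute jmps, and return ({region_base: bytes}, {insn index: address})."""
    targets = resolve_targets(insns)
    chunks = [range(s, min(s + per_region, len(insns))) for s in range(0, len(insns), per_region)]
    addr = {}
    for r, chunk in enumerate(chunks):           # pass 1: final address of every insn
        cur = base + r * PAGE
        for i in chunk:
            addr[i] = cur
            cur += ABS_SIZE[branch_info(insns[i])[0]] if i in targets else len(insns[i])
    regions = {}
    for r, chunk in enumerate(chunks):           # pass 2: emit now that all targets are known
        buf = bytearray()
        for i in chunk:
            if i in targets:
                buf += encode_absolute(insns[i], branch_info(insns[i])[0], addr[targets[i]])
            else:
                buf += insns[i]
        if r + 1 < len(chunks):                  # link to the next region
            buf += b"\xff\x25\x00\x00\x00\x00" + struct.pack("<Q", base + (r + 1) * PAGE)
        if len(buf) > PAGE:
            raise ValueError("per_region too large for one page")
        regions[base + r * PAGE] = bytes(buf)
    return regions, addr

def regions_containing(regions, signature):
    """Region bases whose bytes still contain `signature` contiguously."""
    return [b for b, code in regions.items() if signature in code]
```

With the default of one instruction per region, no region holds more than one original instruction, so a signature spanning two or more of them cannot match anywhere; raising `per_region` (like a larger -s) trades that property for fewer allocations, and the first region then carries the prologue bytes verbatim again.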

Usage

smap [OPTIONS] <PID|PROCESS> <DLL>

Options:

  • -s int
    • The number of instructions placed in one region before a jump to the next.
    • The default is 1, so an entire page is used for a single instruction followed by a jump to the next.
    • For example, -s 10000 puts 10000 instructions in an RX region before the jump to the next.
  • -i
    • Use an IAT change to hijack control flow.
    • By default, a temporary hook is used.
  • -m string
    • The name of the module to use for IAT change or hook.
    • For hook, the default is user32.dll.
    • For IAT, the default is the process' base module.
  • -n string
    • The target function name for hijacking control flow.
    • For hook, this is the name of the module's export to target.
    • For IAT, this is the name of the module's import to target.
    • The default is PeekMessageW.

Example

The DLL used can be found in the example directory. It consists of a basic D3D11 hook using MinHook and ImGui to showcase hooks on protected functions (IDXGISwapChain::Present and IDXGISwapChain::ResizeBuffers). If you want to use this project on protected games, a bypass for read/write handle access is required; alternatively, consider using access.

Screenshots: Fortnite, Apex

Contributors

  • btbd
