I have been trying to read all memory addresses within a process range only, (see question: C++ read memory addresses within process range only). I succeeded with reading from memory and it seems like I received the correct baseaddress for the process. The problem I was having was to find specific values which I assumed the program would have.
For example if I played a game and had the score 500, I wanted to find 500 in the memory. I stepped through all the addresses but could not find the value. So I decided to read my own program (which is 64-bit) and set a value to 500, print its address and manually search and see if I found it.
int number = 500;
std::cout << &number;
For some reason the address it was written to was out of bounds of the process range.
I calculate the address range with:
uintptr_t moduleBase = GetModuleBaseAddress(procId, L"x.exe");
uintptr_t moduleSize = GetModuleSize(procId, L"x.exe");
// Set base and last address and print them for user
uintptr_t dynamicPtrBaseAddr = moduleBase;
uintptr_t dynamicPtrLastAddr = (moduleBase + moduleSize);
Methods used:
uintptr_t GetModuleSize(DWORD procId, const wchar_t* modName) {
uintptr_t modBaseSize = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | 0x10, procId);
if(hSnap != INVALID_HANDLE_VALUE) {
MODULEENTRY32 modEntry;
modEntry.dwSize = sizeof(modEntry);
if(Module32First(hSnap, &modEntry)) {
do {
if(!_wcsicmp(modEntry.szModule, modName)) {
modBaseSize = (uintptr_t)modEntry.modBaseSize;
break;
}
} while(Module32Next(hSnap, &modEntry));
}
}
CloseHandle(hSnap);
return modBaseSize;
}
and
uintptr_t GetModuleBaseAddress(DWORD procId, const wchar_t* modName) {
uintptr_t modBaseAddr = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | 0x10, procId);
if(hSnap != INVALID_HANDLE_VALUE) {
MODULEENTRY32 modEntry;
modEntry.dwSize = sizeof(modEntry);
if(Module32First(hSnap, &modEntry)) {
do {
if(!_wcsicmp(modEntry.szModule, modName)) {
modBaseAddr = (uintptr_t)modEntry.modBaseAddr;
break;
}
} while(Module32Next(hSnap, &modEntry));
}
}
CloseHandle(hSnap);
return modBaseAddr;
}
Since the value of number is written out of bounds I assume that GetModuleSize, might be incorrect.
Last address for me is: 0x4F4628,
std::cout << &number; gives me 0x6DFDD4
My questions are:
Is GetModuleSize an incorrect way of calculating the last address for
the application? If so, can I correct it?
By multiplying the last address with 2, I was able to read the value
of &number. Is this because modulesize gives me a 32-bit range or is this giving me addresses out of bounds for the process?
I compile with: g++ main.cpp -o x -lpsapi -DUNICODE -m64, and had to add libgcc_s_seh-1.dll to my path in order to run my program.
My entire project on github: https://github.com/Darclander/memory-reading
(Not sure if it is better for me to post the entire code on here).
As #para said, the module is a image of PE file.
The variable you want to read is stored on the current thread stack, you will need to get the base address and limit address of the stack, with NtQueryInformationThread
#include <windows.h>
#include <iostream>
#include <winternl.h>
#include <tlhelp32.h>
#pragma warning(disable : 4996)
using namespace std;
typedef enum _mTHREADINFOCLASS {
ThreadBasicInformation = 0
} mTHREADINFOCLASS;
typedef struct _mTEB {
NT_TIB Tib;
PVOID EnvironmentPointer;
CLIENT_ID Cid;
PVOID ActiveRpcInfo;
PVOID ThreadLocalStoragePointer;
PPEB Peb;
ULONG LastErrorValue;
ULONG CountOfOwnedCriticalSections;
PVOID CsrClientThread;
PVOID Win32ThreadInfo;
ULONG Win32ClientInfo[0x1F];
PVOID WOW32Reserved;
ULONG CurrentLocale;
ULONG FpSoftwareStatusRegister;
PVOID SystemReserved1[0x36];
PVOID Spare1;
ULONG ExceptionCode;
ULONG SpareBytes1[0x28];
PVOID SystemReserved2[0xA];
ULONG GdiRgn;
ULONG GdiPen;
ULONG GdiBrush;
CLIENT_ID RealClientId;
PVOID GdiCachedProcessHandle;
ULONG GdiClientPID;
ULONG GdiClientTID;
PVOID GdiThreadLocaleInfo;
PVOID UserReserved[5];
PVOID GlDispatchTable[0x118];
ULONG GlReserved1[0x1A];
PVOID GlReserved2;
PVOID GlSectionInfo;
PVOID GlSection;
PVOID GlTable;
PVOID GlCurrentRC;
PVOID GlContext;
NTSTATUS LastStatusValue;
UNICODE_STRING StaticUnicodeString;
WCHAR StaticUnicodeBuffer[0x105];
PVOID DeallocationStack;
PVOID TlsSlots[0x40];
LIST_ENTRY TlsLinks;
PVOID Vdm;
PVOID ReservedForNtRpc;
PVOID DbgSsReserved[0x2];
ULONG HardErrorDisabled;
PVOID Instrumentation[0x10];
PVOID WinSockData;
ULONG GdiBatchCount;
ULONG Spare2;
ULONG Spare3;
ULONG Spare4;
PVOID ReservedForOle;
ULONG WaitingOnLoaderLock;
PVOID StackCommit;
PVOID StackCommitMax;
PVOID StackReserved;
} mTEB;
typedef NTSTATUS (WINAPI *fpNtQueryInformationThread)(
IN HANDLE ThreadHandle,
IN mTHREADINFOCLASS ThreadInformationClass,
OUT PVOID ThreadInformation,
IN ULONG ThreadInformationLength,
OUT PULONG ReturnLength
);
typedef struct _THREAD_BASIC_INFORMATION {
NTSTATUS ExitStatus;
mTEB* TebBaseAddress;
CLIENT_ID ClientId;
KAFFINITY AffinityMask;
KPRIORITY Priority;
KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, * PTHREAD_BASIC_INFORMATION;
void fun()
{
return;
}
int main()
{
DWORD pid = 21112;//process id
DWORD tid = 5512;//thread id
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
if (hProcess == NULL)
{
int error = GetLastError();
cout << "OpenProcess error: " << error << endl;
}
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS,false, tid);
if (hThread == NULL)
{
int error = GetLastError();
cout << "OpenThread error: " << error << endl;
}
HMODULE h = LoadLibrary(L"ntdll.dll");
fpNtQueryInformationThread NtQueryInformationThread = (fpNtQueryInformationThread)GetProcAddress(h,"NtQueryInformationThread");
THREAD_BASIC_INFORMATION info = { 0 };
NTSTATUS ret = NtQueryInformationThread(hThread, ThreadBasicInformation, &info, sizeof(THREAD_BASIC_INFORMATION), NULL);
NT_TIB tib = { 0 };
if (!ReadProcessMemory(hProcess, info.TebBaseAddress, &tib, sizeof(NT_TIB), nullptr))
{
int error = GetLastError();
cout << "ReadProcessMemory error: " << error << endl;
}
cout << tib.StackLimit << " to " << tib.StackBase << endl;
return 0;
}
Process module sample:
#include <windows.h>
#include <iostream>
int main()
{
int number = 500;
std::cout << &number << std::endl;
std::cout << "Pid = " << GetCurrentProcessId() << std::endl;
std::cout << "Tid = " << GetCurrentThreadId() << std::endl;
getchar();
return 0;
}
Result:
If you do not know the specific thread ID, you can refer to this document to Traversing the Thread List
(Note: NtQueryInformationThread may be altered or unavailable in future versions of Windows. )
A "module" in WIN32 terms is an executable image file. This image contains things like code, static variables, stack unwind tables and more. The value you are attempting to read is a local variable and thus will be allocated on the stack. The stack is not part of the image, so you won't find it there.
What you need to do is find the address and size of the stack. See How can I locate a process' global and stack areas in Win32? on how to do that.
You probably also want to read the heap in addition to the stack, you can find all open heaps by using GetProcessHeaps and get the addresses/sizes with HeapSummary.
Related
I'm making an anti cheat module that checks all open handles directed to the current process and the module should return all open handles whether they are from the system, from the user or whatever.
The problem is that it is returning only 1 handle and it is from the process itself.
Simultaneously with ProcessExplorer I am analyzing the current process and through ProcessExplorer I receive all the handles directed to it, example: ProcessExplorer, csrss, lsrss, svhost and etc.
Could someone help me to make the code return all the handles directed to the process like in ProcessExplorer?
I look forward to any contact.
Grateful.
#include <iostream>
#include <string>
#include <Windows.h>
#include <TlHelp32.h>
#include <Psapi.h>
#include <Shlwapi.h>
using namespace std;
#pragma comment(lib, "shlwapi.lib")
#pragma comment(lib, "psapi.lib")
#pragma region NT Structures
#define NT_SUCCESS(x) ((x) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
#define SystemHandleInformation 16
#define ObjectBasicInformation 0
#define ObjectNameInformation 1
#define ObjectTypeInformation 2
#define PROCESS_QUERY (0x1400)
#define PROCESS_FULL_CONTROL (0x1fffff)
typedef NTSTATUS(NTAPI* _NtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef NTSTATUS(NTAPI* _NtDuplicateObject)(
HANDLE SourceProcessHandle,
HANDLE SourceHandle,
HANDLE TargetProcessHandle,
PHANDLE TargetHandle,
ACCESS_MASK DesiredAccess,
ULONG Attributes,
ULONG Options
);
typedef NTSTATUS(NTAPI* _NtQueryObject)(
HANDLE ObjectHandle,
ULONG ObjectInformationClass,
PVOID ObjectInformation,
ULONG ObjectInformationLength,
PULONG ReturnLength
);
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
typedef struct _SYSTEM_HANDLE
{
ULONG ProcessId;
BYTE ObjectTypeNumber;
BYTE Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG HandleCount;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
typedef enum _POOL_TYPE
{
NonPagedPool,
PagedPool,
NonPagedPoolMustSucceed,
DontUseThisType,
NonPagedPoolCacheAligned,
PagedPoolCacheAligned,
NonPagedPoolCacheAlignedMustS
} POOL_TYPE, * PPOOL_TYPE;
typedef struct _OBJECT_TYPE_INFORMATION
{
UNICODE_STRING Name;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG TotalPagedPoolUsage;
ULONG TotalNonPagedPoolUsage;
ULONG TotalNamePoolUsage;
ULONG TotalHandleTableUsage;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
ULONG HighWaterPagedPoolUsage;
ULONG HighWaterNonPagedPoolUsage;
ULONG HighWaterNamePoolUsage;
ULONG HighWaterHandleTableUsage;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccess;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
USHORT MaintainTypeList;
POOL_TYPE PoolType;
ULONG PagedPoolUsage;
ULONG NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, * POBJECT_TYPE_INFORMATION;
#pragma endregion
// for getting an address of a procedure in memory.
PVOID GetLibraryProcAddress(PSTR LibraryName, PSTR ProcName)
{
return GetProcAddress(GetModuleHandleA(LibraryName), ProcName);
}
void EnableDebugPrivilege()
{
HANDLE token;
LUID luid;
TOKEN_PRIVILEGES tp;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token);
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(token, FALSE, &tp, sizeof(tp), NULL, NULL);
CloseHandle(token);
}
int Handle_Scan()
{
EnableDebugPrivilege();
while (1)
{
DWORD pid = GetCurrentProcessId();
_NtQuerySystemInformation NtQuerySystemInformation =
(_NtQuerySystemInformation)GetLibraryProcAddress("ntdll.dll", "NtQuerySystemInformation");
_NtDuplicateObject NtDuplicateObject =
(_NtDuplicateObject)GetLibraryProcAddress("ntdll.dll", "NtDuplicateObject");
_NtQueryObject NtQueryObject =
(_NtQueryObject)GetLibraryProcAddress("ntdll.dll", "NtQueryObject");
NTSTATUS status;
PSYSTEM_HANDLE_INFORMATION handleInfo;
ULONG handleInfoSize = 0x10000;
HANDLE processHandle;
ULONG i;
processHandle = OpenProcess(PROCESS_QUERY | PROCESS_FULL_CONTROL | PROCESS_DUP_HANDLE | PROCESS_ALL_ACCESS | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
while ((status = NtQuerySystemInformation(SystemHandleInformation, handleInfo, handleInfoSize, NULL)) == STATUS_INFO_LENGTH_MISMATCH)
handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);
for (i = 0; i < handleInfo->HandleCount; i++)
{
SYSTEM_HANDLE handle = handleInfo->Handles[i];
HANDLE dupHandle = NULL;
POBJECT_TYPE_INFORMATION objectTypeInfo;
PVOID objectNameInfo;
UNICODE_STRING objectName;
ULONG returnLength;
if (handle.ProcessId != pid)
continue;
NT_SUCCESS(NtDuplicateObject(processHandle, (HANDLE)handle.Handle, GetCurrentProcess(), &dupHandle, 0, 0, 0));
objectTypeInfo = (POBJECT_TYPE_INFORMATION)malloc(0x1000);
NT_SUCCESS(NtQueryObject(dupHandle, ObjectTypeInformation, objectTypeInfo, 0x1000, NULL));
if (handle.GrantedAccess == 0x0012019f)
{
std::free(objectTypeInfo);
CloseHandle(dupHandle);
continue;
}
objectNameInfo = malloc(0x1000);
if (!NT_SUCCESS(NtQueryObject(dupHandle, ObjectNameInformation, objectNameInfo, 0x1000, &returnLength)))
{
objectNameInfo = realloc(objectNameInfo, returnLength);
if (!NT_SUCCESS(NtQueryObject(
dupHandle,
ObjectNameInformation,
objectNameInfo,
returnLength,
NULL
)))
{
std::free(objectTypeInfo);
std::free(objectNameInfo);
CloseHandle(dupHandle);
continue;
}
}
objectName = *(PUNICODE_STRING)objectNameInfo;
wstring ObjectBuffer = objectTypeInfo->Name.Buffer;
// We are only interested about handles to files & processes
if (ObjectBuffer.find(L"File") != wstring::npos || ObjectBuffer.find(L"Process") != wstring::npos)
{
HANDLE CurrentProcess = GetCurrentProcess();
HANDLE procHandle = OpenProcess(PROCESS_QUERY | PROCESS_FULL_CONTROL | PROCESS_DUP_HANDLE | PROCESS_ALL_ACCESS | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, handle.ProcessId);
HANDLE DuplicatedHandle = 0;
// Duplicating the handle, now we can do basically anything with it.
if (DuplicateHandle(procHandle, (HANDLE)handle.Handle, CurrentProcess, &DuplicatedHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
WCHAR NameBlock[256];
wstring block = NameBlock;
K32GetProcessImageFileNameW(DuplicatedHandle, NameBlock, 256);
PathStripPathW(NameBlock);
wcout << L"Handle to " << ObjectBuffer << ": " << NameBlock << " Id: " << handle.ProcessId << endl;
}
}
std::free(objectTypeInfo);
std::free(objectNameInfo);
CloseHandle(dupHandle);
}
std::free(handleInfo);
CloseHandle(processHandle);
cin.get();
}
return 0;
}
void DetectHandle() {
CreateThread(NULL, NULL, LPTHREAD_START_ROUTINE(Handle_Scan), NULL, 0, 0);
}
I tried to add SetDebugPrivilege but it didn't help, I also tried to add more parameters in OpenProcess with the hope of a lack of permissions but I was unsuccessful again.
I'm new to C++ kernel structs. My ULONG code doesnt convert. My code, It gaves me error of bottom of the page. I tried convert to ULONG64 but nothing works. I may be missing a simple mistake as I haven't worked on a project like this before. But I couldn't understand why my project couldn't convert. Could you correct my code and tell me where I made the mistake? This kind of information really helps me learn.
typedef struct _SYSTEM_BIGPOOL_ENTRY {
union {
PVOID VirtualAddress;
ULONG_PTR NonPaged : 1;
};
ULONG_PTR SizeInBytes;
union {
UCHAR Tag[4];
ULONG64 TagULong;
};
} SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;
typedef struct _SYSTEM_BIGPOOL_INFORMATION {
ULONG64 Count;
SYSTEM_BIGPOOL_ENTRY AllocatedInfo[ANYSIZE_ARRAY];
} SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBigPoolInformation
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS(WINAPI* fNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation,
ULONG64 SystemInformationLength, PULONG ReturnLength);
NTSTATUS
ZwQuerySystemInformation(
ULONG64 SystemInformationClass,
PSYSTEM_BIGPOOL_INFORMATION SystemInformation,
ULONG64 SystemInformationLength,
ULONG64* ReturnLength);
PVOID ExPool() {
ULONG64 infoLen = 0;
NTSTATUS status = ZwQuerySystemInformation(SystemBigPoolInformation, &infoLen, 0, &infoLen);
PSYSTEM_BIGPOOL_INFORMATION pPoolInfo = 0;
while (status == STATUS_INFO_LENGTH_MISMATCH)
{
DbgPrintEx(0, 0, "Length : %lX", infoLen);
if (pPoolInfo)
ExFreePool(pPoolInfo);
pPoolInfo = (PSYSTEM_BIGPOOL_INFORMATION)ExAllocatePool(NonPagedPool, infoLen);
status = ZwQuerySystemInformation(SystemBigPoolInformation, pPoolInfo, infoLen, &infoLen);
}
if (pPoolInfo)
{
DbgPrintEx(0, 0, "status : %lX", status);
DbgPrintEx(0, 0, "Count : %lu", pPoolInfo->Count);
for (int i = 0; i < pPoolInfo->Count; i++)
{
SYSTEM_BIGPOOL_ENTRY* Entry = &pPoolInfo->AllocatedInfo[i];
PVOID VirtualAddress = (PVOID)((uintptr_t)Entry->VirtualAddress & ~1ull);
SIZE_T SizeInBytes = Entry->SizeInBytes;
BOOLEAN NonPaged = Entry->NonPaged;
if (NonPaged && SizeInBytes == 0x200000)
{
DbgPrintEx(0, 0, "NonPagedPool : %p - %p", VirtualAddress, SizeInBytes);
}
}
ExFreePool(pPoolInfo);
}
}
argument of type "ULONG64 *" is incompatible with parameter of type "PSYSTEM_BIGPOOL_INFORMATION"
'NTSTATUS ZwQuerySystemInformation(ULONG64,PSYSTEM_BIGPOOL_INFORMATION,ULONG64,ULONG64 *)': cannot convert argument 2 from 'ULONG64' to 'PSYSTEM_BIGPOOL_INFORMATION'```
I'm trying to implement some anti-debugging/anti-reversing techinques in order to prevent my (python) executable to be debugged/reversed, but when I try to launch it from x32dbg or python -m pdb they don't work, letting x32gdb/pdb to access my code and execute the executable/script.
The techniques I'm using are written in c++; I import the c++ code in my python code through a dll generated thorugh Visual Studio 2019, and everything works fine, meaning that I can call the functions in my dll from the executable/python without any error/exception.
I found the techniques online, I didn't wrote them, but also the simplest technique (isDebuggerPresent() function from debugapi.h windows library) does not work, and this is only a call to a function.
Here are the techniques I implemented in my dll
int isThereADebugger()
{
if (IsDebuggerPresent())
{
cout << "Stop debugging program!" << endl;
exit(-1);
}
return 0;
}
// Current PEB for 64bit and 32bit processes accordingly
PVOID GetPEB()
{
#ifdef _WIN64
return (PVOID)__readgsqword(0x0C * sizeof(PVOID));
#else
return (PVOID)__readfsdword(0x0C * sizeof(PVOID));
#endif
}
// Get PEB for WOW64 Process
PVOID GetPEB64()
{
PVOID pPeb = 0;
#ifndef _WIN64
BOOL isWow64 = FALSE;
typedef BOOL(WINAPI* pfnIsWow64Process)(HANDLE hProcess, PBOOL isWow64);
pfnIsWow64Process fnIsWow64Process = (pfnIsWow64Process)
GetProcAddress(GetModuleHandleA("Kernel32.dll"), "IsWow64Process");
if (fnIsWow64Process(GetCurrentProcess(), &isWow64))
{
if (isWow64)
{
pPeb = (PVOID)__readfsdword(0x0C * sizeof(PVOID));
pPeb = (PVOID)((PBYTE)pPeb + 0x1000);
}
}
#endif
return pPeb;
}
#define FLG_HEAP_ENABLE_TAIL_CHECK 0x10
#define FLG_HEAP_ENABLE_FREE_CHECK 0x20
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40
#define NT_GLOBAL_FLAG_DEBUGGED (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)
void CheckNtGlobalFlag()
{
PVOID pPeb = GetPEB();
PVOID pPeb64 = GetPEB64();
DWORD offsetNtGlobalFlag = 0;
#ifdef _WIN64
offsetNtGlobalFlag = 0xBC;
#else
offsetNtGlobalFlag = 0x68;
#endif
DWORD NtGlobalFlag = *(PDWORD)((PBYTE)pPeb + offsetNtGlobalFlag);
if (NtGlobalFlag & NT_GLOBAL_FLAG_DEBUGGED)
{
std::cout << "Stop debugging program!" << std::endl;
exit(-1);
}
if (pPeb64)
{
DWORD NtGlobalFlagWow64 = *(PDWORD)((PBYTE)pPeb64 + 0xBC);
if (NtGlobalFlagWow64 & NT_GLOBAL_FLAG_DEBUGGED)
{
std::cout << "Stop debugging program!" << std::endl;
exit(-1);
}
}
}
PIMAGE_NT_HEADERS GetImageNtHeaders(PBYTE pImageBase)
{
PIMAGE_DOS_HEADER pImageDosHeader = (PIMAGE_DOS_HEADER)pImageBase;
return (PIMAGE_NT_HEADERS)(pImageBase + pImageDosHeader->e_lfanew);
}
PIMAGE_SECTION_HEADER FindRDataSection(PBYTE pImageBase)
{
static const std::string rdata = ".rdata";
PIMAGE_NT_HEADERS pImageNtHeaders = GetImageNtHeaders(pImageBase);
PIMAGE_SECTION_HEADER pImageSectionHeader = IMAGE_FIRST_SECTION(pImageNtHeaders);
int n = 0;
for (; n < pImageNtHeaders->FileHeader.NumberOfSections; ++n)
{
if (rdata == (char*)pImageSectionHeader[n].Name)
{
break;
}
}
return &pImageSectionHeader[n];
}
void CheckGlobalFlagsClearInProcess()
{
PBYTE pImageBase = (PBYTE)GetModuleHandle(NULL);
PIMAGE_NT_HEADERS pImageNtHeaders = GetImageNtHeaders(pImageBase);
PIMAGE_LOAD_CONFIG_DIRECTORY pImageLoadConfigDirectory = (PIMAGE_LOAD_CONFIG_DIRECTORY)(pImageBase
+ pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress);
if (pImageLoadConfigDirectory->GlobalFlagsClear != 0)
{
std::cout << "Stop debugging program!" << std::endl;
exit(-1);
}
}
void CheckGlobalFlagsClearInFile()
{
HANDLE hExecutable = INVALID_HANDLE_VALUE;
HANDLE hExecutableMapping = NULL;
PBYTE pMappedImageBase = NULL;
__try
{
PBYTE pImageBase = (PBYTE)GetModuleHandle(NULL);
PIMAGE_SECTION_HEADER pImageSectionHeader = FindRDataSection(pImageBase);
TCHAR pszExecutablePath[MAX_PATH];
DWORD dwPathLength = GetModuleFileName(NULL, pszExecutablePath, MAX_PATH);
if (0 == dwPathLength) __leave;
hExecutable = CreateFile(pszExecutablePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
if (INVALID_HANDLE_VALUE == hExecutable) __leave;
hExecutableMapping = CreateFileMapping(hExecutable, NULL, PAGE_READONLY, 0, 0, NULL);
if (NULL == hExecutableMapping) __leave;
pMappedImageBase = (PBYTE)MapViewOfFile(hExecutableMapping, FILE_MAP_READ, 0, 0,
pImageSectionHeader->PointerToRawData + pImageSectionHeader->SizeOfRawData);
if (NULL == pMappedImageBase) __leave;
PIMAGE_NT_HEADERS pImageNtHeaders = GetImageNtHeaders(pMappedImageBase);
PIMAGE_LOAD_CONFIG_DIRECTORY pImageLoadConfigDirectory = (PIMAGE_LOAD_CONFIG_DIRECTORY)(pMappedImageBase
+ (pImageSectionHeader->PointerToRawData
+ (pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress - pImageSectionHeader->VirtualAddress)));
if (pImageLoadConfigDirectory->GlobalFlagsClear != 0)
{
std::cout << "Stop debugging program!" << std::endl;
exit(-1);
}
}
__finally
{
if (NULL != pMappedImageBase)
UnmapViewOfFile(pMappedImageBase);
if (NULL != hExecutableMapping)
CloseHandle(hExecutableMapping);
if (INVALID_HANDLE_VALUE != hExecutable)
CloseHandle(hExecutable);
}
}
int GetHeapFlagsOffset(bool x64)
{
return x64 ?
TRUE ? 0x70 : 0x14 : //x64 offsets
TRUE ? 0x40 : 0x0C; //x86 offsets
}
int GetHeapForceFlagsOffset(bool x64)
{
return x64 ?
TRUE ? 0x74 : 0x18 : //x64 offsets
TRUE ? 0x44 : 0x10; //x86 offsets
}
void CheckHeap()
{
PVOID pPeb = GetPEB();
PVOID pPeb64 = GetPEB64();
PVOID heap = 0;
DWORD offsetProcessHeap = 0;
PDWORD heapFlagsPtr = 0, heapForceFlagsPtr = 0;
BOOL x64 = FALSE;
#ifdef _WIN64
x64 = TRUE;
offsetProcessHeap = 0x30;
#else
offsetProcessHeap = 0x18;
#endif
heap = (PVOID) * (PDWORD_PTR)((PBYTE)pPeb + offsetProcessHeap);
heapFlagsPtr = (PDWORD)((PBYTE)heap + GetHeapFlagsOffset(x64));
heapForceFlagsPtr = (PDWORD)((PBYTE)heap + GetHeapForceFlagsOffset(x64));
if (*heapFlagsPtr & ~HEAP_GROWABLE || *heapForceFlagsPtr != 0)
{
std::cout << "Stop debugging program!" << std::endl;
exit(-1);
}
if (pPeb64)
{
heap = (PVOID) * (PDWORD_PTR)((PBYTE)pPeb64 + 0x30);
heapFlagsPtr = (PDWORD)((PBYTE)heap + GetHeapFlagsOffset(true));
heapForceFlagsPtr = (PDWORD)((PBYTE)heap + GetHeapForceFlagsOffset(true));
if (*heapFlagsPtr & ~HEAP_GROWABLE || *heapForceFlagsPtr != 0)
{
std::cout << "Stop debugging program!" << std::endl;
exit(-1);
}
}
}
void trapCheckFlag() {
BOOL isDebugged = TRUE;
__try
{
__asm
{
pushfd
or dword ptr[esp], 0x100 // set the Trap Flag
popfd // Load the value into EFLAGS register
nop
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
// If an exception has been raised – debugger is not present
isDebugged = FALSE;
}
if (isDebugged)
{
std::cout << "Stop debugging program!" << std::endl;
exit(-1);
}
}
int isRemoteDebuggerPresent() {
BOOL isDebuggerPresent = FALSE;
if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &isDebuggerPresent))
{
if (isDebuggerPresent)
{
std::cout << "Stop debugging program!" << std::endl;
exit(-1);
}
}
return 0;
}
typedef NTSTATUS(NTAPI* pfnNtQueryInformationProcess)(
_In_ HANDLE ProcessHandle,
_In_ UINT ProcessInformationClass,
_Out_ PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength,
_Out_opt_ PULONG ReturnLength
);
//const UINT ProcessDebugPort = 7;
int ntQueryInfoProc()
{
pfnNtQueryInformationProcess NtQueryInformationProcess = NULL;
NTSTATUS status;
DWORD isDebuggerPresent = 0;
HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll"));
if (NULL != hNtDll)
{
NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(hNtDll, "NtQueryInformationProcess");
if (NULL != NtQueryInformationProcess)
{
status = NtQueryInformationProcess(
GetCurrentProcess(),
7,
&isDebuggerPresent,
sizeof(DWORD),
NULL);
if (status == 0x00000000 && isDebuggerPresent != 0)
{
std::cout << "Stop debugging program!" << std::endl;
exit(-1);
}
}
}
return 0;
}
typedef NTSTATUS(NTAPI* pfnNtSetInformationThread)(
_In_ HANDLE ThreadHandle,
_In_ ULONG ThreadInformationClass,
_In_ PVOID ThreadInformation,
_In_ ULONG ThreadInformationLength
);
const ULONG ThreadHideFromDebugger = 0x11;
void HideFromDebugger()
{
HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll"));
pfnNtSetInformationThread NtSetInformationThread = (pfnNtSetInformationThread)
GetProcAddress(hNtDll, "NtSetInformationThread");
NTSTATUS status = NtSetInformationThread(GetCurrentThread(),
ThreadHideFromDebugger, NULL, 0);
}
EXCEPTION_DISPOSITION ExceptionRoutine(
PEXCEPTION_RECORD ExceptionRecord,
PVOID EstablisherFrame,
PCONTEXT ContextRecord,
PVOID DispatcherContext)
{
if (EXCEPTION_INVALID_HANDLE == ExceptionRecord->ExceptionCode)
{
std::cout << "Stop debugging program!" << std::endl;
exit(-1);
}
return ExceptionContinueExecution;
}
int handleTracing() {
__asm
{
// set SEH handler
push ExceptionRoutine
push dword ptr fs : [0]
mov dword ptr fs : [0] , esp
}
CloseHandle((HANDLE)0xBAAD);
__asm
{
// return original SEH handler
mov eax, [esp]
mov dword ptr fs : [0] , eax
add esp, 8
}
return 0;
}
#define DBG_PRINTEXCEPTION_WIDE_C 0x4001000A
void dbgMessages() {
WCHAR* outputString = (WCHAR*)L"Any text";
ULONG_PTR args[4] = { 0 };
args[0] = (ULONG_PTR)wcslen(outputString) + 1;
args[1] = (ULONG_PTR)outputString;
__try
{
RaiseException(DBG_PRINTEXCEPTION_WIDE_C, 0, 4, args);
printf("Debugger detected");
exit(-1);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
printf("Debugger NOT detected");
}
}
void DoSmth()
{
Sleep(1000);
}
int timeApproach() {
const int g_doSmthExecutionTime = 1050;
SYSTEMTIME sysTimeStart;
SYSTEMTIME sysTimeEnd;
FILETIME timeStart, timeEnd;
GetSystemTime(&sysTimeStart);
DoSmth();
GetSystemTime(&sysTimeEnd);
SystemTimeToFileTime(&sysTimeStart, &timeStart);
SystemTimeToFileTime(&sysTimeEnd, &timeEnd);
double timeExecution = (timeEnd.dwLowDateTime - timeStart.dwLowDateTime) / 10000.0;
if (timeExecution < g_doSmthExecutionTime)
{
std::cout << "Debugger not present";
}
else
{
std::cout << "Debugger present";
}
return 0;
}
In my python script I call those function sequentially at the entry point, like
if __name__ == "__main__":
antiDebugger = ctypes.CDLL('C:\\absolute\\path\\to\\antiDebugger.dll')
antiDebugger.isThereADebugger()
antiDebugger.CheckNtGlobalFlag()
antiDebugger.CheckGlobalFlagsClearInProcess()
antiDebugger.CheckGlobalFlagsClearInFile()
antiDebugger.CheckHeap()
antiDebugger.trapCheckFlag()
antiDebugger.isRemoteDebuggerPresent()
antiDebugger.ntQueryInfoProc()
antiDebugger.timeApproach()
antiDebugger.handleTracing()
antiDebugger.HideFromDebugger()
antiDebugger.dbgMessages()
customFunction()
Actually, I also tried to put them at the beginning of every function in my python script, but also that didn't work.
I generate the executable with pyarmor combined with pyinstaller using the --onefile option
My windows version is the x64 windows 10 Pro, while my python version is 3.8.2
I know that all those techniques might be too much, but I just want them to work in order to try to break them, specifically the executable side.
Can anyone tell me how to make this techniques work?
I am trying to fiddle around with CounterStrike in order to learn something about memory editing in C++. I used an offset dumper in order to obtain the static pointers and offsets that will lead to the temporary adresses of the dw_LocalPlayer, m_fFlags and dw_ForceJump. I am not using any memory editing classes like VAMemory.dll, just ReadProcessMemory. I found out that when the player is in the air, the value of m_fFlags is "256". When he is on the ground it is "257". However, I am not able to read these to values once I obtained a temporary adress. Here is the code:
// ConsoleApplication1.cpp : Definiert den Einstiegspunkt für die Konsolenanwendung.
//
#include "stdafx.h"
#include <iostream>
#include <Windows.h>
#include <cstdint>
#define dwLocalPlayer 0xAB06EC
#define dwForceJump 0x4D6A684
#define fFlags 0x100
int main()
{
HWND hwnd = FindWindowA(NULL, "Counter-Strike: Global Offensive");
if (hwnd == NULL)
{
std::cout << "Error!" << std::endl;
exit(-1);
system("PAUSE");
}
else
{
DWORD pid = GetWindowThreadProcessId(hwnd, &pid);
HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
DWORD tempadress;
ReadProcessMemory(pHandle, (PBYTE*)dwLocalPlayer, &tempadress, sizeof(tempadress), NULL);
DWORD fl_Onground = tempadress + fFlags;
std::cout << fl_Onground << "\n" << &fl_Onground << std::endl;
system("PAUSE");
}
return 0;
}
I would really appreciate some help and suggestions to the code since Im stuck on this since a few days. I am only trying to gain knowledge on C++ here, I do not want to code any cheats or whatnot...
You are not using the offsets correctly. The offsets that are supplied by the dumper need to be added to other addresses, such as the base address of the module.
dwLocalPlayer is not a pointer to the local player, it's an offset. You have to add it to the address of client_panorama.dll.
Secondly:
DWORD fl_Onground = tempadress + fFlags;
This gives you the address of fl_Onground but you never read it's value, your subsequent std::cout will print the address not the value.
Fixed code here:
#include <iostream>
#include <Windows.h>
#include <cstdint>
#include <TlHelp32.h>
#define dwLocalPlayer 0xD30B94
#define dwForceJump 0x51EE680
#define m_fFlags 0x104
uintptr_t GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
uintptr_t modBaseAddr = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
if (hSnap != INVALID_HANDLE_VALUE)
{
MODULEENTRY32 modEntry;
modEntry.dwSize = sizeof(modEntry);
if (Module32First(hSnap, &modEntry))
{
do
{
if (!_wcsicmp(modEntry.szModule, modName))
{
modBaseAddr = (uintptr_t)modEntry.modBaseAddr;
break;
}
} while (Module32Next(hSnap, &modEntry));
}
}
CloseHandle(hSnap);
return modBaseAddr;
}
int main()
{
HWND hwnd = FindWindowA(NULL, "Counter-Strike: Global Offensive");
if (hwnd == NULL)
{
std::cout << "Error!\n" << std::endl;
exit(-1);
system("PAUSE");
}
else
{
DWORD pid = GetWindowThreadProcessId(hwnd, &pid);
HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
uintptr_t dllBaseAddress = 0;
dllBaseAddress = GetModuleBaseAddress(pid, L"client_panorama.dll");
DWORD tempadress;
ReadProcessMemory(pHandle, (BYTE*)(dllBaseAddress + dwLocalPlayer), &tempadress, sizeof(tempadress), NULL);
BYTE fl_Onground = 0;
ReadProcessMemory(pHandle, (BYTE*)(tempadress + m_fFlags), &fl_Onground, sizeof(fl_Onground), NULL);
std::cout << fl_Onground << "\n" << &fl_Onground << std::endl;
getchar();
}
return 0;
}
i'm trying to make exe packer
5
extract exe to buffer(in my case: vector)
add new section
get offset of new EP and run
but after call newmain i got 0xC0000005
main.cpp:
pastebin
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include "main.h"
typedef struct _BASE_RELOCATION_ENTRY
{
WORD Offset : 12;
WORD Type : 4;
} BASE_RELOCATION_ENTRY;
BOOL applyRelocBlock(BASE_RELOCATION_ENTRY* block, size_t entriesNum, DWORD page, PVOID newBase)
{
PVOID ImageBaseAddress = NtCurrentTeb()->Peb->ImageBaseAddress;
BASE_RELOCATION_ENTRY* entry = block;
for (int i = 0; i < entriesNum; i++)
{
DWORD offset = entry->Offset;
DWORD type = entry->Type;
if (entry == NULL || type == 0 || offset == 0)
{
//printf("Applied relocations: %d\n", i);
return TRUE; //finish
}
if (type != 3)
{
printf("Not supported relocations format at %d: %d\n", i, type);
return FALSE;
}
uint32_t* relocateAddr = (uint32_t*)((ULONG_PTR)newBase + page + offset);
(*relocateAddr) = ((*relocateAddr) - (ULONG_PTR)ImageBaseAddress) + (ULONG_PTR)newBase;
entry = (BASE_RELOCATION_ENTRY*)((ULONG_PTR)entry + sizeof(uint16_t));
}
return TRUE;
}
BOOL applyRelocations(PIMAGE_NT_HEADERS NtHeaders, PVOID newBase)
{
PVOID ImageBaseAddress = NtCurrentTeb()->Peb->ImageBaseAddress;
//fetch relocation table from current image:
IMAGE_DATA_DIRECTORY relocDir = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
if (relocDir.VirtualAddress == NULL)
{
printf("Cannot relocate - application have no relocation table!");
return FALSE;
}
DWORD maxSize = relocDir.Size;
DWORD parsedSize = 0;
DWORD relocAddr = relocDir.VirtualAddress;
IMAGE_BASE_RELOCATION* reloc = NULL;
while (parsedSize < maxSize)
{
reloc = (IMAGE_BASE_RELOCATION*)(relocAddr + parsedSize + (ULONG_PTR)ImageBaseAddress);
parsedSize += reloc->SizeOfBlock;
if (reloc->VirtualAddress == NULL || reloc->SizeOfBlock == 0)
{
continue;
}
printf("RelocBlock: %p %p\n", reloc->VirtualAddress, reloc->SizeOfBlock);
size_t entriesNum = (reloc->SizeOfBlock - 2 * sizeof(uint32_t)) / sizeof(uint16_t);
DWORD page = reloc->VirtualAddress;
BASE_RELOCATION_ENTRY* block = (BASE_RELOCATION_ENTRY*)((ULONG_PTR)reloc + sizeof(uint32_t) + sizeof(uint32_t));
if (applyRelocBlock(block, entriesNum, page, newBase) == FALSE)
{
return FALSE;
}
}
return TRUE;
}
bool checkLibs()
{
return load_ntdll_functions() && load_kernel32_functions();
}
bool mapAndRun()
{
HANDLE hSection = NULL;
PVOID ImageBaseAddress = NtCurrentTeb()->Peb->ImageBaseAddress;
PIMAGE_NT_HEADERS NtHeaders = RtlImageNtHeader(ImageBaseAddress);
if (NtHeaders == NULL)
{
printf("[ERROR] RtlImageNtHeader failed, error : %d\n", GetLastError());
return false;
}
LARGE_INTEGER MaximumSize;
ULONG ImageSize = NtHeaders->OptionalHeader.SizeOfImage;
MaximumSize.LowPart = ImageSize;
MaximumSize.HighPart = 0;
NTSTATUS Status = NULL;
if ((Status = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, &MaximumSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS)
{
printf("[ERROR] ZwCreateSection failed, status : %x\n", Status);
system("pause");
return false;
}
printf("Section handle: %x\n", hSection);
HANDLE hProcess = NULL;
PVOID pSectionBaseAddress = NULL;
SIZE_T ViewSize = 0;
DWORD dwInheritDisposition = 1; //VIEW_SHARE
// map the section in context of current process:
if ((Status = NtMapViewOfSection(hSection, GetCurrentProcess(), &pSectionBaseAddress, NULL, NULL, NULL, &ViewSize, dwInheritDisposition, NULL, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS)
{
printf("[ERROR] NtMapViewOfSection failed, status : %x\n", Status);
system("pause");
return false;
}
printf("Created new section, BaseAddress: %p ViewSize: %p\n", pSectionBaseAddress, ViewSize);
printf("Mapping into: %p <- current image: %p %p\n", pSectionBaseAddress, ImageBaseAddress, ImageSize);
RtlCopyMemory(pSectionBaseAddress, ImageBaseAddress, ImageSize);
ZwClose(hSection);
hSection = NULL;
if (applyRelocations(NtHeaders, pSectionBaseAddress) == FALSE) {
printf("Applying relocations failed, cannot continue!");
ZwTerminateProcess(GetCurrentProcess(), STATUS_FAILURE);
}
printf("Applied relocations!\n");
//
std::vector<unsigned char> extractedData = unpackExe(); //packe exe
IMAGE_NT_HEADERS INH;
IMAGE_DOS_HEADER IDH;
memcpy(&IDH, &extractedData[0], sizeof(IDH));
memcpy(&INH, (void*)((DWORD)&extractedData[0] + IDH.e_lfanew), sizeof(INH));
LARGE_INTEGER MaximumSizeEX;
ULONG ImageSizeEX = INH.OptionalHeader.SizeOfImage;
MaximumSizeEX.LowPart = ImageSizeEX;
MaximumSizeEX.HighPart = 0;
ULONG_PTR exEP = INH.OptionalHeader.AddressOfEntryPoint;
ULONG_PTR offsetFromBase = exEP - (ULONG_PTR)ImageBaseAddress;
printf("extracted EP offset: %p\n", offsetFromBase);
ULONG_PTR newMain = ((ULONG_PTR)pSectionBaseAddress + offsetFromBase);
printf("extracted EP address in new section: %p\n", newMain);
__asm {
call newMain
};
return true;
}
bool mapAndExecute()
{
if (checkLibs())
{
if (mapAndRun())
{
}
}
return true;
}
int main()
{
mapAndExecute();
std::cin.get();
}
main.h:pastebin: pastebin.com/Spc5WTsQ
#pragma once
#include <stdio.h>
#define WIN32_LEAN_AND_MEAN
#include <Windows.h>
#if !defined NTSTATUS
typedef LONG NTSTATUS;
#endif
#define STATUS_SUCCESS 0
#define STATUS_FAILURE (-1)
#define NtCurrentProcess() ((HANDLE)-1)
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
typedef LONG NTSTATUS, *PNTSTATUS;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _PEB_LDR_DATA
{
ULONG Length;
BOOLEAN Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
typedef struct _PEB
{
BYTE Reserved1[2]; /* 00 */
BYTE BeingDebugged; /* 02 */
BYTE Reserved2[5]; /* 03 */
HMODULE ImageBaseAddress; /* 08 */
PPEB_LDR_DATA LdrData; /* 0c */
DWORD ProcessParameters; /* 10 */
PVOID __pad_14; /* 14 */
HANDLE ProcessHeap; /* 18 */
BYTE __pad_1c[36]; /* 1c */
DWORD TlsBitmap; /* 40 */
ULONG TlsBitmapBits[2]; /* 44 */
BYTE __pad_4c[24]; /* 4c */
ULONG NumberOfProcessors; /* 64 */
BYTE __pad_68[128]; /* 68 */
PVOID Reserved3[59]; /* e8 */
ULONG SessionId; /* 1d4 */
} PEB, *PPEB;
typedef struct _TEB
{
NT_TIB Tib; /* 000 */
PVOID EnvironmentPointer; /* 01c */
CLIENT_ID ClientId; /* 020 */
PVOID ActiveRpcHandle; /* 028 */
PVOID ThreadLocalStoragePointer; /* 02c */
PPEB Peb; /* 030 */
ULONG LastErrorValue; /* 034 */
BYTE __pad038[140]; /* 038 */
ULONG CurrentLocale; /* 0c4 */
BYTE __pad0c8[1752]; /* 0c8 */
PVOID Reserved2[278]; /* 7a0 */
UNICODE_STRING StaticUnicodeString; /* bf8 used by advapi32 */
WCHAR StaticUnicodeBuffer[261]; /* c00 used by advapi32 */
PVOID DeallocationStack; /* e0c */
PVOID TlsSlots[64]; /* e10 */
LIST_ENTRY TlsLinks; /* f10 */
PVOID Reserved4[26]; /* f18 */
PVOID ReservedForOle; /* f80 Windows 2000 only */
PVOID Reserved5[4]; /* f84 */
PVOID TlsExpansionSlots; /* f94 */
} TEB, *PTEB;
typedef
void
(*PKNORMAL_ROUTINE) (
void* NormalContext,
void* SystemArgument1,
void* SystemArgument2
);
typedef struct {
int info;
PKNORMAL_ROUTINE fun;
} *PIO_STATUS_BLOCK;
// Make sure we print the __stdcall properly
typedef
void
(__stdcall *PIO_APC_ROUTINE) (
void* ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
long Reserved
);
#if !defined PROCESSINFOCLASS
typedef LONG PROCESSINFOCLASS;
#endif
#if !defined THREADINFOCLASS
typedef LONG THREADINFOCLASS;
#endif
#if !defined PPEB
typedef struct _PEB *PPEB;
#endif
#if !defined PROCESS_BASIC_INFORMATION
typedef struct _PROCESS_BASIC_INFORMATION {
PVOID Reserved1;
PPEB PebBaseAddress;
PVOID Reserved2[2];
ULONG_PTR UniqueProcessId;
PVOID Reserved3;
} PROCESS_BASIC_INFORMATION;
#endif;
/*
typedef LONG NTSTATUS, *PNTSTATUS;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
*/
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef NTSTATUS(WINAPI * PFN_ZWQUERYINFORMATIONPROCESS)(HANDLE, PROCESSINFOCLASS,
PVOID, ULONG, PULONG);
//ntdll api:
NTSTATUS(NTAPI *ZwQueryInformationProcess)(
HANDLE ProcessHandle,
PROCESSINFOCLASS ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength OPTIONAL
);
NTSTATUS(NTAPI *ZwCreateSection)(
__out PHANDLE SectionHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in PLARGE_INTEGER MaximumSize,
__in ULONG SectionPageProtection,
__in ULONG AllocationAttributes,
__in HANDLE FileHandle
);
NTSTATUS(NTAPI *NtMapViewOfSection)(
__in HANDLE SectionHandle,
__in HANDLE ProcessHandle,
__inout PVOID *BaseAddress,
__in ULONG_PTR ZeroBits,
__in SIZE_T CommitSize,
__inout PLARGE_INTEGER SectionOffset,
__inout PSIZE_T ViewSize,
__in DWORD InheritDisposition,
__in ULONG AllocationType,
__in ULONG Win32Protect
);
NTSTATUS(NTAPI *ZwCreateThreadEx) (
__out PHANDLE ThreadHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in HANDLE ProcessHandle,
__in PVOID StartRoutine,
__in PVOID Argument,
__in ULONG CreateFlags,
__in ULONG_PTR ZeroBits,
__in SIZE_T StackSize,
__in SIZE_T MaximumStackSize,
__in PVOID AttributeList
);
NTSTATUS(NTAPI *ZwUnmapViewOfSection) (
__in HANDLE ProcessHandle,
__in PVOID BaseAddress
);
NTSTATUS(NTAPI *ZwClose) (
__in HANDLE Handle
);
NTSTATUS(NTAPI *ZwTerminateProcess) (
__in HANDLE ProcessHandle,
__in NTSTATUS ExitStatus
);
NTSTATUS(NTAPI *NtQueueApcThread)(
__in HANDLE ThreadHandle,
__in PVOID ApcRoutine,
__in PVOID ApcRoutineContext OPTIONAL,
__in PVOID ApcStatusBlock OPTIONAL,
__in ULONG ApcReserved OPTIONAL
);
NTSTATUS(NTAPI *ZwSetInformationThread) (
__in HANDLE ThreadHandle,
__in THREADINFOCLASS ThreadInformationClass,
__in PVOID ThreadInformation,
__in ULONG ThreadInformationLength
);
PIMAGE_NT_HEADERS(NTAPI *RtlImageNtHeader) (
__in PVOID ModuleAddress
);
//kernel32 api
BOOL
(WINAPI *CreateProcessInternalW)(HANDLE hToken,
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation,
PHANDLE hNewToken
);
trying to adoptate source from here
https://github.com/hasherezade/snippets/tree/master/inject4
The data you have loaded is in the loading application's data space and execution of data is blocked in modern memory protected operating systems - because that was previously a common and rather easy exploit for viruses.
In order to run, an executable must have been loaded and located by the operating system.
Not sure how to post a large code snippet in response to a request that was a remark. Michael Haephrati asked for an x64 example of executing data as x64 code. Here's the code (x64 only for this code, the calling conventions differ in 32 bit code):
#include <windows.h>
#include <iostream>
typedef int(*PMULFUNC)(int l, int r);
PMULFUNC buildFunction()
{
LPVOID pMem = VirtualAlloc(NULL, 6, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
unsigned char *pNext = (unsigned char *)pMem;
*pNext = 0x8b; ++pNext; // mov eax, ecx
*pNext = 0xc1; ++pNext;
*pNext = 0x0f; ++pNext; // imul eax, edx
*pNext = 0xaf; ++pNext;
*pNext = 0xc2; ++pNext;
*pNext = 0xc3; ++pNext; // ret
return (PMULFUNC)pMem;
}
int main()
{
using namespace std;
PMULFUNC pMul = buildFunction();
int l = 5;
for (int r=1; r<=12; ++r)
{
cout << l << "x" << r << "=" << (*pMul)(l, r) << endl;
}
return 0;
}
typedef int(__stdcall *PMULFUNC)(int l, int r);
PMULFUNC buildFunction()
{
LPVOID pMem = VirtualAlloc(NULL, 6, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
unsigned char *pNext = (unsigned char *)pMem;
*pNext = 0x8b; ++pNext; // mov eax, ecx
*pNext = 0xc1; ++pNext;
*pNext = 0x0f; ++pNext; // imul eax, edx
*pNext = 0xaf; ++pNext;
*pNext = 0xc2; ++pNext;
*pNext = 0xc3; ++pNext; // ret
return (PMULFUNC)pMem;
}
int main()
{
using namespace std;
PMULFUNC pMul = buildFunction();
int l = 5;
for (int r=1; r<=12; ++r)
{
cout << l << "x" << r << "=" << (*pMul)(l, r) << endl;
}
return 0;
}
In response to the specific question, it's possible but advanced. EXEs aren't simply copied into memory: references to other DLL's are resolved, sections that are adjacent in the image may be separated in memory, and many other things. In short you would have to re-implement the loader. But one thing is certain, if a page has the correct permissions it can be executed,
It would be impossible to run an executable from memory without having the executable data reside in a physical file. Windows won't allow it. No windows API provides mechanism to execute file directly from memory. All windows API like CreateProcess() or ShellExcute() require a physical file to be present. If there is a way, it would be considered a vulnerability and will be soon patched.