i'm trying to make exe packer
5
extract exe to buffer(in my case: vector)
add new section
get offset of new EP and run
but after call newmain i got 0xC0000005
main.cpp:
pastebin
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include "main.h"
typedef struct _BASE_RELOCATION_ENTRY
{
WORD Offset : 12;
WORD Type : 4;
} BASE_RELOCATION_ENTRY;
BOOL applyRelocBlock(BASE_RELOCATION_ENTRY* block, size_t entriesNum, DWORD page, PVOID newBase)
{
PVOID ImageBaseAddress = NtCurrentTeb()->Peb->ImageBaseAddress;
BASE_RELOCATION_ENTRY* entry = block;
for (int i = 0; i < entriesNum; i++)
{
DWORD offset = entry->Offset;
DWORD type = entry->Type;
if (entry == NULL || type == 0 || offset == 0)
{
//printf("Applied relocations: %d\n", i);
return TRUE; //finish
}
if (type != 3)
{
printf("Not supported relocations format at %d: %d\n", i, type);
return FALSE;
}
uint32_t* relocateAddr = (uint32_t*)((ULONG_PTR)newBase + page + offset);
(*relocateAddr) = ((*relocateAddr) - (ULONG_PTR)ImageBaseAddress) + (ULONG_PTR)newBase;
entry = (BASE_RELOCATION_ENTRY*)((ULONG_PTR)entry + sizeof(uint16_t));
}
return TRUE;
}
BOOL applyRelocations(PIMAGE_NT_HEADERS NtHeaders, PVOID newBase)
{
PVOID ImageBaseAddress = NtCurrentTeb()->Peb->ImageBaseAddress;
//fetch relocation table from current image:
IMAGE_DATA_DIRECTORY relocDir = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
if (relocDir.VirtualAddress == NULL)
{
printf("Cannot relocate - application have no relocation table!");
return FALSE;
}
DWORD maxSize = relocDir.Size;
DWORD parsedSize = 0;
DWORD relocAddr = relocDir.VirtualAddress;
IMAGE_BASE_RELOCATION* reloc = NULL;
while (parsedSize < maxSize)
{
reloc = (IMAGE_BASE_RELOCATION*)(relocAddr + parsedSize + (ULONG_PTR)ImageBaseAddress);
parsedSize += reloc->SizeOfBlock;
if (reloc->VirtualAddress == NULL || reloc->SizeOfBlock == 0)
{
continue;
}
printf("RelocBlock: %p %p\n", reloc->VirtualAddress, reloc->SizeOfBlock);
size_t entriesNum = (reloc->SizeOfBlock - 2 * sizeof(uint32_t)) / sizeof(uint16_t);
DWORD page = reloc->VirtualAddress;
BASE_RELOCATION_ENTRY* block = (BASE_RELOCATION_ENTRY*)((ULONG_PTR)reloc + sizeof(uint32_t) + sizeof(uint32_t));
if (applyRelocBlock(block, entriesNum, page, newBase) == FALSE)
{
return FALSE;
}
}
return TRUE;
}
bool checkLibs()
{
return load_ntdll_functions() && load_kernel32_functions();
}
bool mapAndRun()
{
HANDLE hSection = NULL;
PVOID ImageBaseAddress = NtCurrentTeb()->Peb->ImageBaseAddress;
PIMAGE_NT_HEADERS NtHeaders = RtlImageNtHeader(ImageBaseAddress);
if (NtHeaders == NULL)
{
printf("[ERROR] RtlImageNtHeader failed, error : %d\n", GetLastError());
return false;
}
LARGE_INTEGER MaximumSize;
ULONG ImageSize = NtHeaders->OptionalHeader.SizeOfImage;
MaximumSize.LowPart = ImageSize;
MaximumSize.HighPart = 0;
NTSTATUS Status = NULL;
if ((Status = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, &MaximumSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS)
{
printf("[ERROR] ZwCreateSection failed, status : %x\n", Status);
system("pause");
return false;
}
printf("Section handle: %x\n", hSection);
HANDLE hProcess = NULL;
PVOID pSectionBaseAddress = NULL;
SIZE_T ViewSize = 0;
DWORD dwInheritDisposition = 1; //VIEW_SHARE
// map the section in context of current process:
if ((Status = NtMapViewOfSection(hSection, GetCurrentProcess(), &pSectionBaseAddress, NULL, NULL, NULL, &ViewSize, dwInheritDisposition, NULL, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS)
{
printf("[ERROR] NtMapViewOfSection failed, status : %x\n", Status);
system("pause");
return false;
}
printf("Created new section, BaseAddress: %p ViewSize: %p\n", pSectionBaseAddress, ViewSize);
printf("Mapping into: %p <- current image: %p %p\n", pSectionBaseAddress, ImageBaseAddress, ImageSize);
RtlCopyMemory(pSectionBaseAddress, ImageBaseAddress, ImageSize);
ZwClose(hSection);
hSection = NULL;
if (applyRelocations(NtHeaders, pSectionBaseAddress) == FALSE) {
printf("Applying relocations failed, cannot continue!");
ZwTerminateProcess(GetCurrentProcess(), STATUS_FAILURE);
}
printf("Applied relocations!\n");
//
std::vector<unsigned char> extractedData = unpackExe(); //packe exe
IMAGE_NT_HEADERS INH;
IMAGE_DOS_HEADER IDH;
memcpy(&IDH, &extractedData[0], sizeof(IDH));
memcpy(&INH, (void*)((DWORD)&extractedData[0] + IDH.e_lfanew), sizeof(INH));
LARGE_INTEGER MaximumSizeEX;
ULONG ImageSizeEX = INH.OptionalHeader.SizeOfImage;
MaximumSizeEX.LowPart = ImageSizeEX;
MaximumSizeEX.HighPart = 0;
ULONG_PTR exEP = INH.OptionalHeader.AddressOfEntryPoint;
ULONG_PTR offsetFromBase = exEP - (ULONG_PTR)ImageBaseAddress;
printf("extracted EP offset: %p\n", offsetFromBase);
ULONG_PTR newMain = ((ULONG_PTR)pSectionBaseAddress + offsetFromBase);
printf("extracted EP address in new section: %p\n", newMain);
__asm {
call newMain
};
return true;
}
bool mapAndExecute()
{
if (checkLibs())
{
if (mapAndRun())
{
}
}
return true;
}
int main()
{
mapAndExecute();
std::cin.get();
}
main.h:pastebin: pastebin.com/Spc5WTsQ
#pragma once
#include <stdio.h>
#define WIN32_LEAN_AND_MEAN
#include <Windows.h>
#if !defined NTSTATUS
typedef LONG NTSTATUS;
#endif
#define STATUS_SUCCESS 0
#define STATUS_FAILURE (-1)
#define NtCurrentProcess() ((HANDLE)-1)
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
typedef LONG NTSTATUS, *PNTSTATUS;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _PEB_LDR_DATA
{
ULONG Length;
BOOLEAN Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
typedef struct _PEB
{
BYTE Reserved1[2]; /* 00 */
BYTE BeingDebugged; /* 02 */
BYTE Reserved2[5]; /* 03 */
HMODULE ImageBaseAddress; /* 08 */
PPEB_LDR_DATA LdrData; /* 0c */
DWORD ProcessParameters; /* 10 */
PVOID __pad_14; /* 14 */
HANDLE ProcessHeap; /* 18 */
BYTE __pad_1c[36]; /* 1c */
DWORD TlsBitmap; /* 40 */
ULONG TlsBitmapBits[2]; /* 44 */
BYTE __pad_4c[24]; /* 4c */
ULONG NumberOfProcessors; /* 64 */
BYTE __pad_68[128]; /* 68 */
PVOID Reserved3[59]; /* e8 */
ULONG SessionId; /* 1d4 */
} PEB, *PPEB;
typedef struct _TEB
{
NT_TIB Tib; /* 000 */
PVOID EnvironmentPointer; /* 01c */
CLIENT_ID ClientId; /* 020 */
PVOID ActiveRpcHandle; /* 028 */
PVOID ThreadLocalStoragePointer; /* 02c */
PPEB Peb; /* 030 */
ULONG LastErrorValue; /* 034 */
BYTE __pad038[140]; /* 038 */
ULONG CurrentLocale; /* 0c4 */
BYTE __pad0c8[1752]; /* 0c8 */
PVOID Reserved2[278]; /* 7a0 */
UNICODE_STRING StaticUnicodeString; /* bf8 used by advapi32 */
WCHAR StaticUnicodeBuffer[261]; /* c00 used by advapi32 */
PVOID DeallocationStack; /* e0c */
PVOID TlsSlots[64]; /* e10 */
LIST_ENTRY TlsLinks; /* f10 */
PVOID Reserved4[26]; /* f18 */
PVOID ReservedForOle; /* f80 Windows 2000 only */
PVOID Reserved5[4]; /* f84 */
PVOID TlsExpansionSlots; /* f94 */
} TEB, *PTEB;
typedef
void
(*PKNORMAL_ROUTINE) (
void* NormalContext,
void* SystemArgument1,
void* SystemArgument2
);
typedef struct {
int info;
PKNORMAL_ROUTINE fun;
} *PIO_STATUS_BLOCK;
// Make sure we print the __stdcall properly
typedef
void
(__stdcall *PIO_APC_ROUTINE) (
void* ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
long Reserved
);
#if !defined PROCESSINFOCLASS
typedef LONG PROCESSINFOCLASS;
#endif
#if !defined THREADINFOCLASS
typedef LONG THREADINFOCLASS;
#endif
#if !defined PPEB
typedef struct _PEB *PPEB;
#endif
#if !defined PROCESS_BASIC_INFORMATION
typedef struct _PROCESS_BASIC_INFORMATION {
PVOID Reserved1;
PPEB PebBaseAddress;
PVOID Reserved2[2];
ULONG_PTR UniqueProcessId;
PVOID Reserved3;
} PROCESS_BASIC_INFORMATION;
#endif;
/*
typedef LONG NTSTATUS, *PNTSTATUS;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
*/
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef NTSTATUS(WINAPI * PFN_ZWQUERYINFORMATIONPROCESS)(HANDLE, PROCESSINFOCLASS,
PVOID, ULONG, PULONG);
//ntdll api:
NTSTATUS(NTAPI *ZwQueryInformationProcess)(
HANDLE ProcessHandle,
PROCESSINFOCLASS ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength OPTIONAL
);
NTSTATUS(NTAPI *ZwCreateSection)(
__out PHANDLE SectionHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in PLARGE_INTEGER MaximumSize,
__in ULONG SectionPageProtection,
__in ULONG AllocationAttributes,
__in HANDLE FileHandle
);
NTSTATUS(NTAPI *NtMapViewOfSection)(
__in HANDLE SectionHandle,
__in HANDLE ProcessHandle,
__inout PVOID *BaseAddress,
__in ULONG_PTR ZeroBits,
__in SIZE_T CommitSize,
__inout PLARGE_INTEGER SectionOffset,
__inout PSIZE_T ViewSize,
__in DWORD InheritDisposition,
__in ULONG AllocationType,
__in ULONG Win32Protect
);
NTSTATUS(NTAPI *ZwCreateThreadEx) (
__out PHANDLE ThreadHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in HANDLE ProcessHandle,
__in PVOID StartRoutine,
__in PVOID Argument,
__in ULONG CreateFlags,
__in ULONG_PTR ZeroBits,
__in SIZE_T StackSize,
__in SIZE_T MaximumStackSize,
__in PVOID AttributeList
);
NTSTATUS(NTAPI *ZwUnmapViewOfSection) (
__in HANDLE ProcessHandle,
__in PVOID BaseAddress
);
NTSTATUS(NTAPI *ZwClose) (
__in HANDLE Handle
);
NTSTATUS(NTAPI *ZwTerminateProcess) (
__in HANDLE ProcessHandle,
__in NTSTATUS ExitStatus
);
NTSTATUS(NTAPI *NtQueueApcThread)(
__in HANDLE ThreadHandle,
__in PVOID ApcRoutine,
__in PVOID ApcRoutineContext OPTIONAL,
__in PVOID ApcStatusBlock OPTIONAL,
__in ULONG ApcReserved OPTIONAL
);
NTSTATUS(NTAPI *ZwSetInformationThread) (
__in HANDLE ThreadHandle,
__in THREADINFOCLASS ThreadInformationClass,
__in PVOID ThreadInformation,
__in ULONG ThreadInformationLength
);
PIMAGE_NT_HEADERS(NTAPI *RtlImageNtHeader) (
__in PVOID ModuleAddress
);
//kernel32 api
BOOL
(WINAPI *CreateProcessInternalW)(HANDLE hToken,
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation,
PHANDLE hNewToken
);
trying to adoptate source from here
https://github.com/hasherezade/snippets/tree/master/inject4
The data you have loaded is in the loading application's data space and execution of data is blocked in modern memory protected operating systems - because that was previously a common and rather easy exploit for viruses.
In order to run, an executable must have been loaded and located by the operating system.
Not sure how to post a large code snippet in response to a request that was a remark. Michael Haephrati asked for an x64 example of executing data as x64 code. Here's the code (x64 only for this code, the calling conventions differ in 32 bit code):
#include <windows.h>
#include <iostream>
typedef int(*PMULFUNC)(int l, int r);
PMULFUNC buildFunction()
{
LPVOID pMem = VirtualAlloc(NULL, 6, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
unsigned char *pNext = (unsigned char *)pMem;
*pNext = 0x8b; ++pNext; // mov eax, ecx
*pNext = 0xc1; ++pNext;
*pNext = 0x0f; ++pNext; // imul eax, edx
*pNext = 0xaf; ++pNext;
*pNext = 0xc2; ++pNext;
*pNext = 0xc3; ++pNext; // ret
return (PMULFUNC)pMem;
}
int main()
{
using namespace std;
PMULFUNC pMul = buildFunction();
int l = 5;
for (int r=1; r<=12; ++r)
{
cout << l << "x" << r << "=" << (*pMul)(l, r) << endl;
}
return 0;
}
typedef int(__stdcall *PMULFUNC)(int l, int r);
PMULFUNC buildFunction()
{
LPVOID pMem = VirtualAlloc(NULL, 6, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
unsigned char *pNext = (unsigned char *)pMem;
*pNext = 0x8b; ++pNext; // mov eax, ecx
*pNext = 0xc1; ++pNext;
*pNext = 0x0f; ++pNext; // imul eax, edx
*pNext = 0xaf; ++pNext;
*pNext = 0xc2; ++pNext;
*pNext = 0xc3; ++pNext; // ret
return (PMULFUNC)pMem;
}
int main()
{
using namespace std;
PMULFUNC pMul = buildFunction();
int l = 5;
for (int r=1; r<=12; ++r)
{
cout << l << "x" << r << "=" << (*pMul)(l, r) << endl;
}
return 0;
}
In response to the specific question, it's possible but advanced. EXEs aren't simply copied into memory: references to other DLL's are resolved, sections that are adjacent in the image may be separated in memory, and many other things. In short you would have to re-implement the loader. But one thing is certain, if a page has the correct permissions it can be executed,
It would be impossible to run an executable from memory without having the executable data reside in a physical file. Windows won't allow it. No windows API provides mechanism to execute file directly from memory. All windows API like CreateProcess() or ShellExcute() require a physical file to be present. If there is a way, it would be considered a vulnerability and will be soon patched.
Related
I'm making an anti cheat module that checks all open handles directed to the current process and the module should return all open handles whether they are from the system, from the user or whatever.
The problem is that it is returning only 1 handle and it is from the process itself.
Simultaneously with ProcessExplorer I am analyzing the current process and through ProcessExplorer I receive all the handles directed to it, example: ProcessExplorer, csrss, lsrss, svhost and etc.
Could someone help me to make the code return all the handles directed to the process like in ProcessExplorer?
I look forward to any contact.
Grateful.
#include <iostream>
#include <string>
#include <Windows.h>
#include <TlHelp32.h>
#include <Psapi.h>
#include <Shlwapi.h>
using namespace std;
#pragma comment(lib, "shlwapi.lib")
#pragma comment(lib, "psapi.lib")
#pragma region NT Structures
#define NT_SUCCESS(x) ((x) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
#define SystemHandleInformation 16
#define ObjectBasicInformation 0
#define ObjectNameInformation 1
#define ObjectTypeInformation 2
#define PROCESS_QUERY (0x1400)
#define PROCESS_FULL_CONTROL (0x1fffff)
typedef NTSTATUS(NTAPI* _NtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef NTSTATUS(NTAPI* _NtDuplicateObject)(
HANDLE SourceProcessHandle,
HANDLE SourceHandle,
HANDLE TargetProcessHandle,
PHANDLE TargetHandle,
ACCESS_MASK DesiredAccess,
ULONG Attributes,
ULONG Options
);
typedef NTSTATUS(NTAPI* _NtQueryObject)(
HANDLE ObjectHandle,
ULONG ObjectInformationClass,
PVOID ObjectInformation,
ULONG ObjectInformationLength,
PULONG ReturnLength
);
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
typedef struct _SYSTEM_HANDLE
{
ULONG ProcessId;
BYTE ObjectTypeNumber;
BYTE Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG HandleCount;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
typedef enum _POOL_TYPE
{
NonPagedPool,
PagedPool,
NonPagedPoolMustSucceed,
DontUseThisType,
NonPagedPoolCacheAligned,
PagedPoolCacheAligned,
NonPagedPoolCacheAlignedMustS
} POOL_TYPE, * PPOOL_TYPE;
typedef struct _OBJECT_TYPE_INFORMATION
{
UNICODE_STRING Name;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG TotalPagedPoolUsage;
ULONG TotalNonPagedPoolUsage;
ULONG TotalNamePoolUsage;
ULONG TotalHandleTableUsage;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
ULONG HighWaterPagedPoolUsage;
ULONG HighWaterNonPagedPoolUsage;
ULONG HighWaterNamePoolUsage;
ULONG HighWaterHandleTableUsage;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccess;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
USHORT MaintainTypeList;
POOL_TYPE PoolType;
ULONG PagedPoolUsage;
ULONG NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, * POBJECT_TYPE_INFORMATION;
#pragma endregion
// for getting an address of a procedure in memory.
PVOID GetLibraryProcAddress(PSTR LibraryName, PSTR ProcName)
{
return GetProcAddress(GetModuleHandleA(LibraryName), ProcName);
}
void EnableDebugPrivilege()
{
HANDLE token;
LUID luid;
TOKEN_PRIVILEGES tp;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token);
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(token, FALSE, &tp, sizeof(tp), NULL, NULL);
CloseHandle(token);
}
int Handle_Scan()
{
EnableDebugPrivilege();
while (1)
{
DWORD pid = GetCurrentProcessId();
_NtQuerySystemInformation NtQuerySystemInformation =
(_NtQuerySystemInformation)GetLibraryProcAddress("ntdll.dll", "NtQuerySystemInformation");
_NtDuplicateObject NtDuplicateObject =
(_NtDuplicateObject)GetLibraryProcAddress("ntdll.dll", "NtDuplicateObject");
_NtQueryObject NtQueryObject =
(_NtQueryObject)GetLibraryProcAddress("ntdll.dll", "NtQueryObject");
NTSTATUS status;
PSYSTEM_HANDLE_INFORMATION handleInfo;
ULONG handleInfoSize = 0x10000;
HANDLE processHandle;
ULONG i;
processHandle = OpenProcess(PROCESS_QUERY | PROCESS_FULL_CONTROL | PROCESS_DUP_HANDLE | PROCESS_ALL_ACCESS | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
while ((status = NtQuerySystemInformation(SystemHandleInformation, handleInfo, handleInfoSize, NULL)) == STATUS_INFO_LENGTH_MISMATCH)
handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);
for (i = 0; i < handleInfo->HandleCount; i++)
{
SYSTEM_HANDLE handle = handleInfo->Handles[i];
HANDLE dupHandle = NULL;
POBJECT_TYPE_INFORMATION objectTypeInfo;
PVOID objectNameInfo;
UNICODE_STRING objectName;
ULONG returnLength;
if (handle.ProcessId != pid)
continue;
NT_SUCCESS(NtDuplicateObject(processHandle, (HANDLE)handle.Handle, GetCurrentProcess(), &dupHandle, 0, 0, 0));
objectTypeInfo = (POBJECT_TYPE_INFORMATION)malloc(0x1000);
NT_SUCCESS(NtQueryObject(dupHandle, ObjectTypeInformation, objectTypeInfo, 0x1000, NULL));
if (handle.GrantedAccess == 0x0012019f)
{
std::free(objectTypeInfo);
CloseHandle(dupHandle);
continue;
}
objectNameInfo = malloc(0x1000);
if (!NT_SUCCESS(NtQueryObject(dupHandle, ObjectNameInformation, objectNameInfo, 0x1000, &returnLength)))
{
objectNameInfo = realloc(objectNameInfo, returnLength);
if (!NT_SUCCESS(NtQueryObject(
dupHandle,
ObjectNameInformation,
objectNameInfo,
returnLength,
NULL
)))
{
std::free(objectTypeInfo);
std::free(objectNameInfo);
CloseHandle(dupHandle);
continue;
}
}
objectName = *(PUNICODE_STRING)objectNameInfo;
wstring ObjectBuffer = objectTypeInfo->Name.Buffer;
// We are only interested about handles to files & processes
if (ObjectBuffer.find(L"File") != wstring::npos || ObjectBuffer.find(L"Process") != wstring::npos)
{
HANDLE CurrentProcess = GetCurrentProcess();
HANDLE procHandle = OpenProcess(PROCESS_QUERY | PROCESS_FULL_CONTROL | PROCESS_DUP_HANDLE | PROCESS_ALL_ACCESS | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, handle.ProcessId);
HANDLE DuplicatedHandle = 0;
// Duplicating the handle, now we can do basically anything with it.
if (DuplicateHandle(procHandle, (HANDLE)handle.Handle, CurrentProcess, &DuplicatedHandle, 0, false, DUPLICATE_SAME_ACCESS))
{
WCHAR NameBlock[256];
wstring block = NameBlock;
K32GetProcessImageFileNameW(DuplicatedHandle, NameBlock, 256);
PathStripPathW(NameBlock);
wcout << L"Handle to " << ObjectBuffer << ": " << NameBlock << " Id: " << handle.ProcessId << endl;
}
}
std::free(objectTypeInfo);
std::free(objectNameInfo);
CloseHandle(dupHandle);
}
std::free(handleInfo);
CloseHandle(processHandle);
cin.get();
}
return 0;
}
void DetectHandle() {
CreateThread(NULL, NULL, LPTHREAD_START_ROUTINE(Handle_Scan), NULL, 0, 0);
}
I tried to add SetDebugPrivilege but it didn't help, I also tried to add more parameters in OpenProcess with the hope of a lack of permissions but I was unsuccessful again.
I'm new to C++ kernel structs. My ULONG code doesnt convert. My code, It gaves me error of bottom of the page. I tried convert to ULONG64 but nothing works. I may be missing a simple mistake as I haven't worked on a project like this before. But I couldn't understand why my project couldn't convert. Could you correct my code and tell me where I made the mistake? This kind of information really helps me learn.
typedef struct _SYSTEM_BIGPOOL_ENTRY {
union {
PVOID VirtualAddress;
ULONG_PTR NonPaged : 1;
};
ULONG_PTR SizeInBytes;
union {
UCHAR Tag[4];
ULONG64 TagULong;
};
} SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;
typedef struct _SYSTEM_BIGPOOL_INFORMATION {
ULONG64 Count;
SYSTEM_BIGPOOL_ENTRY AllocatedInfo[ANYSIZE_ARRAY];
} SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBigPoolInformation
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS(WINAPI* fNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation,
ULONG64 SystemInformationLength, PULONG ReturnLength);
NTSTATUS
ZwQuerySystemInformation(
ULONG64 SystemInformationClass,
PSYSTEM_BIGPOOL_INFORMATION SystemInformation,
ULONG64 SystemInformationLength,
ULONG64* ReturnLength);
PVOID ExPool() {
ULONG64 infoLen = 0;
NTSTATUS status = ZwQuerySystemInformation(SystemBigPoolInformation, &infoLen, 0, &infoLen);
PSYSTEM_BIGPOOL_INFORMATION pPoolInfo = 0;
while (status == STATUS_INFO_LENGTH_MISMATCH)
{
DbgPrintEx(0, 0, "Length : %lX", infoLen);
if (pPoolInfo)
ExFreePool(pPoolInfo);
pPoolInfo = (PSYSTEM_BIGPOOL_INFORMATION)ExAllocatePool(NonPagedPool, infoLen);
status = ZwQuerySystemInformation(SystemBigPoolInformation, pPoolInfo, infoLen, &infoLen);
}
if (pPoolInfo)
{
DbgPrintEx(0, 0, "status : %lX", status);
DbgPrintEx(0, 0, "Count : %lu", pPoolInfo->Count);
for (int i = 0; i < pPoolInfo->Count; i++)
{
SYSTEM_BIGPOOL_ENTRY* Entry = &pPoolInfo->AllocatedInfo[i];
PVOID VirtualAddress = (PVOID)((uintptr_t)Entry->VirtualAddress & ~1ull);
SIZE_T SizeInBytes = Entry->SizeInBytes;
BOOLEAN NonPaged = Entry->NonPaged;
if (NonPaged && SizeInBytes == 0x200000)
{
DbgPrintEx(0, 0, "NonPagedPool : %p - %p", VirtualAddress, SizeInBytes);
}
}
ExFreePool(pPoolInfo);
}
}
argument of type "ULONG64 *" is incompatible with parameter of type "PSYSTEM_BIGPOOL_INFORMATION"
'NTSTATUS ZwQuerySystemInformation(ULONG64,PSYSTEM_BIGPOOL_INFORMATION,ULONG64,ULONG64 *)': cannot convert argument 2 from 'ULONG64' to 'PSYSTEM_BIGPOOL_INFORMATION'```
I'm trying to hook GetVolumeInformationW on a simple HWID lock using trampoline hook to return a specific value for serial number(123456789). When I inject the dll the program crashes instantly. I tried to start hwid lock also from the programs 86 folder but it crashes anyway. I tried the trampoline hook on SendBoxMessageA, SwapBuffers and it works perfectly.
This is the HWID lock code.
#include <iostream>
#include <Windows.h>
#include <tchar.h>
int main()
{
std::cout << "Checking...\n";
TCHAR volumeName[MAX_PATH + 1] = { 0 };
TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
DWORD serialNumber = 0;
DWORD maxComponentLen = 0;
DWORD fileSystemFlags = 0;
if (GetVolumeInformation(
_T("C:\\"),
volumeName,
ARRAYSIZE(volumeName),
&serialNumber,
&maxComponentLen,
&fileSystemFlags,
fileSystemName,
ARRAYSIZE(fileSystemName)
))
{
Sleep(1000000);
DWORD acceptedSerial = 123456789;
if (serialNumber == acceptedSerial) {
std::cout << "Welcome to my app!" << std::endl;
}
else {
std::cout << "You are not in the system!" << std::endl;
Sleep(4000);
return 0;
}
}
}
And this is the code of the dll
#include <iostream>
#include <Windows.h>
#include <tchar.h>
bool Detour32(char* src, char* dst, const intptr_t len)
{
if (len < 5) return false;
DWORD curProtection;
VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);
intptr_t relativeAddress = (intptr_t)(dst - (intptr_t)src) - 5;
*src = (char)'\xE9';
*(intptr_t*)((intptr_t)src + 1) = relativeAddress;
VirtualProtect(src, len, curProtection, &curProtection);
return true;
}
char* TrampHook32(char* src, char* dst, const intptr_t len)
{
// Make sure the length is greater than 5
if (len < 5) return 0;
// Create the gateway (len + 5 for the overwritten bytes + the jmp)
void* gateway = VirtualAlloc(0, len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
//Write the stolen bytes into the gateway
memcpy(gateway, src, len);
// Get the gateway to destination addy
intptr_t gatewayRelativeAddr = ((intptr_t)src - (intptr_t)gateway) - 5;
// Add the jmp opcode to the end of the gateway
*(char*)((intptr_t)gateway + len) = 0xE9;
// Add the address to the jmp
*(intptr_t*)((intptr_t)gateway + len + 1) = gatewayRelativeAddr;
// Perform the detour
Detour32(src, dst, len);
return (char*)gateway;
}
typedef BOOL(__stdcall* tGetVolumeInformation)
(
LPCWSTR lpRootPathName,
LPWSTR lpVolumeNameBuffer,
DWORD nVolumeNameSize,
LPDWORD lpVolumeSerialNumber,
LPDWORD lpMaximumComponentLength,
LPDWORD lpFileSystemFlags,
LPWSTR lpFileSystemNameBuffer,
DWORD nFileSystemNameSize
);
tGetVolumeInformation oGetVolumeInformation = nullptr;
BOOL __stdcall hkGetVolumeInformation
(
LPCWSTR lpRootPathName,
LPWSTR lpVolumeNameBuffer,
DWORD nVolumeNameSize,
LPDWORD lpVolumeSerialNumber,
LPDWORD lpMaximumComponentLength,
LPDWORD lpFileSystemFlags,
LPWSTR lpFileSystemNameBuffer,
DWORD nFileSystemNameSize
)
{
*lpVolumeSerialNumber = 0x123456789;
return oGetVolumeInformation
(
lpRootPathName,
lpVolumeNameBuffer,
nVolumeNameSize,
lpVolumeSerialNumber,
lpMaximumComponentLength,
lpFileSystemFlags,
lpFileSystemNameBuffer,
nFileSystemNameSize
);
}
DWORD WINAPI Thread(HMODULE hModule)
{
//Create Console
AllocConsole();
FILE* f;
freopen_s(&f, "CONOUT$", "w", stdout);
std::cout << "HWID Unlock\n";
// Hook
oGetVolumeInformation = (tGetVolumeInformation)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetVolumeInformationW");
oGetVolumeInformation = (tGetVolumeInformation)TrampHook32((char*)oGetVolumeInformation, (char*)hkGetVolumeInformation, 5);
TCHAR volumeName[MAX_PATH + 1] = { 0 };
TCHAR fileSystemName[MAX_PATH + 1] = { 0 };
DWORD serialNumber = 0;
DWORD maxComponentLen = 0;
DWORD fileSystemFlags = 0;
GetVolumeInformation(_T("C:\\"), volumeName, ARRAYSIZE(volumeName), &serialNumber, &maxComponentLen, &fileSystemFlags, fileSystemName, ARRAYSIZE(fileSystemName));
std::cout << serialNumber << std::endl;
//
fclose(f);
FreeConsole();
return 0;
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CloseHandle(CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)Thread, hModule, 0, nullptr));
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
Someone can help me?
Using the NtQuerySystemInformationEx() API, I made a DLL that hides the Notepad process in 64bit.
But in 64bit, when I inject this DLL, nothing happens. But the DLL injector does not have a problem. Because other 64bit DLLs are injected ok.
What's the problem? I am trying to inject this DLL into the Process Explorer 64bit program. I want to hide the Notepad process from that Process Explorer.
The reason I used this API is that there is no Nt(Zw)QueryInformation() in Process Explorer x64, so I used the most similar Nt(Zw)QueryinformationEx().
#include <Windows.h>
#include <tchar.h>
#define STR_MODULE_NAME (L"hide.dll")
#define STR_HIDE_PROCESS_NAME (L"notepad.exe")
#define STATUS_SUCCESS (0x00000000L)
typedef LONG NTSTATUS;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation = 0,
SystemPerformanceInformation = 2,
SystemTimeOfDayInformation = 3,
SystemProcessInformation = 5,
SystemProcessorPerformanceInformation = 8,
SystemInterruptInformation = 23,
SystemExceptionInformation = 33,
SystemRegistryQuotaInformation = 37,
SystemLookasideInformation = 45
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
BYTE Reserved1[52];
PVOID Reserved2[3];
HANDLE UniqueProcessId;
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
typedef NTSTATUS(WINAPI* PFNTQUERYSYSTEMINFORMATIONEX)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
BYTE g_pOrgZwQSI[16] = { 0, };
BOOL hook64_by_code(LPCSTR szDllName, LPCSTR szFuncName, PROC pfnNew, PBYTE pOrgBytes)
{
FARPROC pFunc;
DWORD dwOldProtect, dwlowAddress, dwhighAddress, dwmov;
BYTE pBuf[14] = { 0x68, 0, };
PBYTE pByte;
pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);
pByte = (PBYTE)pFunc;
if (pByte[0] == 0x68)
return FALSE;
VirtualProtect((LPVOID)pFunc, 16, PAGE_EXECUTE_READWRITE, &dwOldProtect);
memcpy(pOrgBytes, pFunc, 16);
memset(pFunc, 0x90, 16);
dwlowAddress = (DWORD)((DWORD64)pfnNew & 0xffffffff);
memcpy(&pBuf[1], &dwlowAddress, 4);
dwmov = 0x042444C7;
memcpy(&pBuf[5],&dwmov , 4);
dwhighAddress = (DWORD64)pfnNew >> 32;
memcpy(&pBuf[9],&dwhighAddress , 4);
pBuf[13] = 0xC3;
memcpy(pFunc, &pBuf, 14);
VirtualProtect((LPVOID)pFunc, 16, dwOldProtect, &dwOldProtect);
return TRUE;
}
BOOL unhook64_by_code(LPCSTR szDllName, LPCSTR szFuncName, PBYTE pOrgBytes)
{
FARPROC pFunc;
DWORD dwOldProtect;
PBYTE pByte;
pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);
pByte = (PBYTE)pFunc;
if (pByte[0] != 0x68)
return FALSE;
VirtualProtect((LPVOID)pFunc, 16, PAGE_EXECUTE_READWRITE, &dwOldProtect);
memcpy(pFunc, pOrgBytes, 16);
VirtualProtect((LPVOID)pFunc, 16, dwOldProtect, &dwOldProtect);
return TRUE;
}
NTSTATUS WINAPI NewNtQuerySystemInformationEx(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength)
{
NTSTATUS status;
FARPROC pFunc;
PSYSTEM_PROCESS_INFORMATION pCur, pPrev = 0;
char szProcName[MAX_PATH] = { 0, };
unhook64_by_code("ntdll.dll", "NtQuerySystemInformationEx", g_pOrgZwQSI);
pFunc = GetProcAddress(GetModuleHandleA("ntdll.dll"),
"NtQuerySystemInformationEx");
status = ((PFNTQUERYSYSTEMINFORMATIONEX)pFunc)
(SystemInformationClass, InputBuffer,
InputBufferLength, SystemInformation,
SystemInformationLength, ReturnLength);
if (status != STATUS_SUCCESS)
goto __NTQUERYSYSTEMINFORMATION_END;
if (SystemInformationClass == SystemProcessInformation)
{
pCur = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;
while (TRUE)
{
if (pCur->Reserved2[1] != NULL)
{
if (!_tcsicmp((PWSTR)pCur->Reserved2[2], STR_HIDE_PROCESS_NAME))
{
if (pCur->NextEntryOffset == 0)
pPrev->NextEntryOffset = 0;
else
pPrev->NextEntryOffset += pCur->NextEntryOffset;
}
else
pPrev = pCur; // 원하는 프로세스를 못 찾은 경우만 pPrev 세팅
}
if (pCur->NextEntryOffset == 0)
break;
pCur = (PSYSTEM_PROCESS_INFORMATION)((uintptr_t)pCur + pCur->NextEntryOffset);
}
}
__NTQUERYSYSTEMINFORMATION_END:
hook64_by_code("ntdll.dll", "NtQuerySystemInformationEx",
(PROC)NewNtQuerySystemInformationEx, g_pOrgZwQSI);
return status;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
hook64_by_code("ntdll.dll", "NtQuerySystemInformationEx",
(PROC)NewNtQuerySystemInformationEx, g_pOrgZwQSI);
break;
case DLL_PROCESS_DETACH:
unhook64_by_code("ntdll.dll", "NtQuerySystemInformationEx",
g_pOrgZwQSI);
break;
}
return TRUE;
}
I have been trying to read all memory addresses within a process range only, (see question: C++ read memory addresses within process range only). I succeeded with reading from memory and it seems like I received the correct baseaddress for the process. The problem I was having was to find specific values which I assumed the program would have.
For example if I played a game and had the score 500, I wanted to find 500 in the memory. I stepped through all the addresses but could not find the value. So I decided to read my own program (which is 64-bit) and set a value to 500, print its address and manually search and see if I found it.
int number = 500;
std::cout << &number;
For some reason the address it was written to was out of bounds of the process range.
I calculate the address range with:
uintptr_t moduleBase = GetModuleBaseAddress(procId, L"x.exe");
uintptr_t moduleSize = GetModuleSize(procId, L"x.exe");
// Set base and last address and print them for user
uintptr_t dynamicPtrBaseAddr = moduleBase;
uintptr_t dynamicPtrLastAddr = (moduleBase + moduleSize);
Methods used:
uintptr_t GetModuleSize(DWORD procId, const wchar_t* modName) {
uintptr_t modBaseSize = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | 0x10, procId);
if(hSnap != INVALID_HANDLE_VALUE) {
MODULEENTRY32 modEntry;
modEntry.dwSize = sizeof(modEntry);
if(Module32First(hSnap, &modEntry)) {
do {
if(!_wcsicmp(modEntry.szModule, modName)) {
modBaseSize = (uintptr_t)modEntry.modBaseSize;
break;
}
} while(Module32Next(hSnap, &modEntry));
}
}
CloseHandle(hSnap);
return modBaseSize;
}
and
uintptr_t GetModuleBaseAddress(DWORD procId, const wchar_t* modName) {
uintptr_t modBaseAddr = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | 0x10, procId);
if(hSnap != INVALID_HANDLE_VALUE) {
MODULEENTRY32 modEntry;
modEntry.dwSize = sizeof(modEntry);
if(Module32First(hSnap, &modEntry)) {
do {
if(!_wcsicmp(modEntry.szModule, modName)) {
modBaseAddr = (uintptr_t)modEntry.modBaseAddr;
break;
}
} while(Module32Next(hSnap, &modEntry));
}
}
CloseHandle(hSnap);
return modBaseAddr;
}
Since the value of number is written out of bounds I assume that GetModuleSize, might be incorrect.
Last address for me is: 0x4F4628,
std::cout << &number; gives me 0x6DFDD4
My questions are:
Is GetModuleSize an incorrect way of calculating the last address for
the application? If so, can I correct it?
By multiplying the last address with 2, I was able to read the value
of &number. Is this because modulesize gives me a 32-bit range or is this giving me addresses out of bounds for the process?
I compile with: g++ main.cpp -o x -lpsapi -DUNICODE -m64, and had to add libgcc_s_seh-1.dll to my path in order to run my program.
My entire project on github: https://github.com/Darclander/memory-reading
(Not sure if it is better for me to post the entire code on here).
As #para said, the module is a image of PE file.
The variable you want to read is stored on the current thread stack, you will need to get the base address and limit address of the stack, with NtQueryInformationThread
#include <windows.h>
#include <iostream>
#include <winternl.h>
#include <tlhelp32.h>
#pragma warning(disable : 4996)
using namespace std;
typedef enum _mTHREADINFOCLASS {
ThreadBasicInformation = 0
} mTHREADINFOCLASS;
typedef struct _mTEB {
NT_TIB Tib;
PVOID EnvironmentPointer;
CLIENT_ID Cid;
PVOID ActiveRpcInfo;
PVOID ThreadLocalStoragePointer;
PPEB Peb;
ULONG LastErrorValue;
ULONG CountOfOwnedCriticalSections;
PVOID CsrClientThread;
PVOID Win32ThreadInfo;
ULONG Win32ClientInfo[0x1F];
PVOID WOW32Reserved;
ULONG CurrentLocale;
ULONG FpSoftwareStatusRegister;
PVOID SystemReserved1[0x36];
PVOID Spare1;
ULONG ExceptionCode;
ULONG SpareBytes1[0x28];
PVOID SystemReserved2[0xA];
ULONG GdiRgn;
ULONG GdiPen;
ULONG GdiBrush;
CLIENT_ID RealClientId;
PVOID GdiCachedProcessHandle;
ULONG GdiClientPID;
ULONG GdiClientTID;
PVOID GdiThreadLocaleInfo;
PVOID UserReserved[5];
PVOID GlDispatchTable[0x118];
ULONG GlReserved1[0x1A];
PVOID GlReserved2;
PVOID GlSectionInfo;
PVOID GlSection;
PVOID GlTable;
PVOID GlCurrentRC;
PVOID GlContext;
NTSTATUS LastStatusValue;
UNICODE_STRING StaticUnicodeString;
WCHAR StaticUnicodeBuffer[0x105];
PVOID DeallocationStack;
PVOID TlsSlots[0x40];
LIST_ENTRY TlsLinks;
PVOID Vdm;
PVOID ReservedForNtRpc;
PVOID DbgSsReserved[0x2];
ULONG HardErrorDisabled;
PVOID Instrumentation[0x10];
PVOID WinSockData;
ULONG GdiBatchCount;
ULONG Spare2;
ULONG Spare3;
ULONG Spare4;
PVOID ReservedForOle;
ULONG WaitingOnLoaderLock;
PVOID StackCommit;
PVOID StackCommitMax;
PVOID StackReserved;
} mTEB;
typedef NTSTATUS (WINAPI *fpNtQueryInformationThread)(
IN HANDLE ThreadHandle,
IN mTHREADINFOCLASS ThreadInformationClass,
OUT PVOID ThreadInformation,
IN ULONG ThreadInformationLength,
OUT PULONG ReturnLength
);
typedef struct _THREAD_BASIC_INFORMATION {
NTSTATUS ExitStatus;
mTEB* TebBaseAddress;
CLIENT_ID ClientId;
KAFFINITY AffinityMask;
KPRIORITY Priority;
KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, * PTHREAD_BASIC_INFORMATION;
void fun()
{
return;
}
int main()
{
DWORD pid = 21112;//process id
DWORD tid = 5512;//thread id
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
if (hProcess == NULL)
{
int error = GetLastError();
cout << "OpenProcess error: " << error << endl;
}
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS,false, tid);
if (hThread == NULL)
{
int error = GetLastError();
cout << "OpenThread error: " << error << endl;
}
HMODULE h = LoadLibrary(L"ntdll.dll");
fpNtQueryInformationThread NtQueryInformationThread = (fpNtQueryInformationThread)GetProcAddress(h,"NtQueryInformationThread");
THREAD_BASIC_INFORMATION info = { 0 };
NTSTATUS ret = NtQueryInformationThread(hThread, ThreadBasicInformation, &info, sizeof(THREAD_BASIC_INFORMATION), NULL);
NT_TIB tib = { 0 };
if (!ReadProcessMemory(hProcess, info.TebBaseAddress, &tib, sizeof(NT_TIB), nullptr))
{
int error = GetLastError();
cout << "ReadProcessMemory error: " << error << endl;
}
cout << tib.StackLimit << " to " << tib.StackBase << endl;
return 0;
}
Process module sample:
#include <windows.h>
#include <iostream>
int main()
{
int number = 500;
std::cout << &number << std::endl;
std::cout << "Pid = " << GetCurrentProcessId() << std::endl;
std::cout << "Tid = " << GetCurrentThreadId() << std::endl;
getchar();
return 0;
}
Result:
If you do not know the specific thread ID, you can refer to this document to Traversing the Thread List
(Note: NtQueryInformationThread may be altered or unavailable in future versions of Windows. )
A "module" in WIN32 terms is an executable image file. This image contains things like code, static variables, stack unwind tables and more. The value you are attempting to read is a local variable and thus will be allocated on the stack. The stack is not part of the image, so you won't find it there.
What you need to do is find the address and size of the stack. See How can I locate a process' global and stack areas in Win32? on how to do that.
You probably also want to read the heap in addition to the stack, you can find all open heaps by using GetProcessHeaps and get the addresses/sizes with HeapSummary.