Is there a way to read the the import table of another process?
The function ImageNtHeader won't help me here, because it applies only to my process and not to the other process.
I know I can read the entire file and parse its PE header, but I'm afraid it will take a lot of time if the file is large.
Is there a way to do it using the process's memory directly and not reading from the file?
Any other easy and nice way to do it will be great as well :)
just use psapi or toolhlp32 to find the memory addresses of the processes modules you are interested in. once you have that you can use ReadProcessMemory get the required info. else just pretend to be a debugger and attach to the target process so you have full access to it's memory, then you can use the windows PE macros.
Related
I need to automatically analyse dump files from a process. If I have the process running, I can just check where a specifc dll is and work from there. But how can I get this working if I only have the dump? Read the whole file and... ? I am somehow out of ideas currently... I think what I need would be a way to map the dump as process(?). Maybe somebody here has an idea.
(if important, dmp is created from task manager, but that shouldn't matter I think).
Greetings
I'm trying to write a utility that allows me to read the memory from a process that is currently running in windows. I have used CreateToolhelp32Snapshot to build a current PID list for all programs running on the computer and I open a handle via OpenProcess with the vm_read flags without any issues. The roadblock I am running into is the readprocessmemory function of the windows API fails to read anything if the base address given is not currently readable. That being said what method can I use to determine the readable sections of a process.
My only idea on the matter is that I could iterate over the readprocessmemory function starting at the midway point of (size of process in memory)/2 and continue until I find the specific location that will allow me to read but I believe this would be terribly inefficient for large processes (o(n/2)), and even if it is the only user-mode option how would I even find the total size of the process in memory?
If this question is not meant for stackoverflow let me know and I will close it, please do not down-vote me I have been attempting to solve my problem myself for several hours now.
You can call VirtualQueryEx for each range of pages in the address space to find out if the address is in use. If the other process is not suspended then there will obviously be a chance that a pages status changes between your query and read operations.
Hello and happy new year.
I need a little guide through process of loading a XML DOM from disk to memory with C++, on windows.
Microsoft provide this example, but it doesn't cover the actual process of what ntKernel Functions are being used to do this, and it doesn't explain what process is behind the actual load .
Does the main process make a call to kernel function to load xml from disk to mem?
VariantFromString(L"stocks.xml", varFileName);
pXMLDom->load(varFileName, &varStatus);
Or there is global process that handle request's to load, and then after it load xml via Kernel Functions, it make's a link to DOM Object, and return it to the process were it was asking.
I want to know what Kernel Function does the job for loading .xml file from disk ?
Thanks !
There is no kernel function for 'loading XML' (at least not one used by the DOMDocument60 coclass.
Instead it simply uses generic file reading calls (in the kernel this is ZwReadFile), the DOMDocument60 code then parses the file content into whatever internal representation it uses.
The only context switch involved will be between user and kernel mode not between one process, kernel mode and another process (unless perhaps some kind of user-mode file system is involved but if it were you likely wouldn't need to be asking this question).
I am a novice security researcher trying to learn about PE injection using droppers/stagers, very much like a cryptolocker would operate.
We are setting up a fire drill for our blue team that handles our QRadar SIEM and we would like to launch some custom malware on it.
So now, for my question :). I understand the general concept op PE injection, but almost all tutorials I have found inject the current EXE (so usually by invoking GetModuleHandle(NULL))
I was wondering how you would go about injecting an EXE from a remote resource (e.g. a HTTP download).
Basically my goal is this:
STAGER file downloads EXE in memory
STAGER file inject EXE using PE method in process X
I do not expect a full answer here, but if you could point me in the right direction, that would be great :).
Note that this code will not be used for malicious purposes.
Best regards!
Very simple actually. All you need to do is download the remote EXE/DLL into a buffer, (i.e. from memory), from this point you have a few options.
You originally need to check for MZ signature, and that it is a valid PE file. You can do this with PIMAGE_NT_HEADERS, checking against Optional.Signature (if valid PE file), and e_magic in PIMAGE_DOS_HEADER (MZ signature)
Now the question is if you wish to inject a dll, load it from memory, search its export table for a given function, get the code and execute i in remote process, or execute EXE from memory.
Assuming you just want to get the ImageBase of the image, as you said you read some tutorials online which talked about it via GetModuleHandle, you first need to map the downloaded buffer.
You can do this via
CreateFileW (for reading), CreateFileMapping (pass handle from createfile), MapViewOfFile (pass returned handle from createfilemapping).
After this you will obtain base image address from MapViewOfFile. You can now do many things with the file, you can inject it from memory, or execute it from memory.
You will need to look into PE fixups (export, and import address table functions), and base relocation via the direct image directory, RVA -> base.
Take note, if you are executing the image in a remote process after mapping the file, use ZwQueueApcThread injection method instead of the more dull ones like RtlCreateUserThread/CreateRemoteThread.
If you are executing the code from memory. After fixing the offsets through relocations, make sure to execute the code via VirtualProtectEx, optionally ZwAllocateVirtualMemory (passing PAGE_WRITECOPY instead of PAGE_EXECUTE_READWRITE) instead of ZwWriteVirtualMemory - WriteProcessMemory as it is much stealthier!
Also, I'm sure you can figure out some other approaches, this is just from the top of my head.
Under Windows is there a way to modify a file/executable opened by another process using c++?
Is there a way to modify an open executable in windows?
No.
Is there a way to modify an open file in windows using c++?
Yes. If it has been opened with the proper share permissions. See http://msdn.microsoft.com/en-us/library/aa363858(VS.85).aspx FILE_SHARE_WRITE
It may be possible but perhaps not easy to achieve. You need inject thread in destination process and know PE format for correctly edit opened file and modify it.
All information is on web.
Good Luck.
I find this freeware tool, it proposes to unlock files and folders.
The OS holds the executable file open for read-only sharing as long as it's running, so there's no way to modify it directly. You can, however, open it for reading (if you specify read-sharing in your CreateFile call), and make a modified copy of it, while it's running.
I don't know if that's what you had in mind, but if it's your own program you're doing this to, you can start the new copy and have it pick up where the previous one left off... not straightforward, but not all that difficult either.