View Single Post
  #8  
Old 02-04-2021, 18:41
mcr4ck mcr4ck is offline
Friend
 
Join Date: Nov 2019
Location: iran
Posts: 45
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 33
Thanks Rcvd at 21 Times in 15 Posts
mcr4ck Reputation: 1
Quote:
Originally Posted by raduga_fb View Post
If the target has more than one protection layer, you need to patch them in order. Try to hook to WINAPI which is being used by program during unpacking (HeapAlloc, VirtualAlloc, CreateFile ...)

Below sample uses ms detours to hook to DeviceIOControl to check the memory of target. When memory compare is equal, then patching first layer. If you need to more patching after first layer unpacking, you have to continue to check the memory of program. After final patching, you can detach DeviceIOControl.



Code:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"

#include <iostream>
#include <vector>
#include <Windows.h>
#include <tlhelp32.h>

#include "detours.h"

#pragma comment(lib, "detours.lib")

using namespace std;

BOOL WINAPI My_DeviceIoControl(
    HANDLE       hDevice,
    DWORD        dwIoControlCode,
    LPVOID       lpInBuffer,
    DWORD        nInBufferSize,
    LPVOID       lpOutBuffer,
    DWORD        nOutBufferSize,
    LPDWORD      lpBytesReturned,
    LPOVERLAPPED lpOverlapped
);

static BOOL(WINAPI* Ori_DeviceIoControl) (
    HANDLE       hDevice,
    DWORD        dwIoControlCode,
    LPVOID       lpInBuffer,
    DWORD        nInBufferSize,
    LPVOID       lpOutBuffer,
    DWORD        nOutBufferSize,
    LPDWORD      lpBytesReturned,
    LPOVERLAPPED lpOverlapped
    ) = NULL;



BYTE bytes_written_1[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90 }; 
BYTE bytes_written_2[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90x 0x90 }; 


DWORD GetProcId(const wchar_t* procName)
{
    DWORD procId = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 procEntry;
        procEntry.dwSize = sizeof(procEntry);

        if (Process32First(hSnap, &procEntry))
        {
            do
            {
                if (!_wcsicmp(procEntry.szExeFile, procName))
                {
                    procId = procEntry.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnap, &procEntry));

        }
    }
    CloseHandle(hSnap);
    return procId;
}

DWORD GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
    DWORD modBaseAddr = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        MODULEENTRY32 modEntry;
        modEntry.dwSize = sizeof(modEntry);
        if (Module32First(hSnap, &modEntry))
        {
            do
            {
                if (!_wcsicmp(modEntry.szModule, modName))
                {
                    modBaseAddr = (DWORD)modEntry.modBaseAddr;
                    break;
                }
            } while (Module32Next(hSnap, &modEntry));
        }
    }
    CloseHandle(hSnap);
    return modBaseAddr;
}




BOOL APIENTRY DllMain(HMODULE hDLL,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    HMODULE dll_module_1 = GetModuleHandleA("kernel32.dll");

    if (!dll_module_1)
    {
        DWORD dw = GetLastError();
        MessageBox(NULL, L"The library could not load", L"ERROR", MB_OK);
    }

    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:

            DetourRestoreAfterWith();

            Ori_DeviceIoControl = (BOOL(WINAPI*) (HANDLE, DWORD, LPVOID, DWORD, LPVOID, DWORD, LPDWORD, LPOVERLAPPED)) DetourFindFunction("kernel32.dll", "DeviceIoControl");

            DisableThreadLibraryCalls(hDLL);
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());

            DetourAttach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);

            if (DetourTransactionCommit() != NO_ERROR)
                MessageBox(NULL, L"Detour Attach Error", NULL, MB_OK);

                break;

        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:

            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
            DetourTransactionCommit();

            break;
        }
        return TRUE;
    }
}

BOOL WINAPI My_DeviceIoControl(
    HANDLE       hDevice,
    DWORD        dwIoControlCode,
    LPVOID       lpInBuffer,
    DWORD        nInBufferSize,
    LPVOID       lpOutBuffer,
    DWORD        nOutBufferSize,
    LPDWORD      lpBytesReturned,
    LPOVERLAPPED lpOverlapped
)

{

    DWORD processID = GetProcId(L"??????.exe");
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, processID);
    DWORD moduleBase = GetModuleBaseAddress(processID, L"?????.exe");

    if (moduleBase != 0)
    {
        DWORD target_adres = moduleBase + ??????;
        DWORD* target_adres_ = 0;
        DWORD dwLen_ = 0;
        BOOL sonuc = false;

        DWORD* control_1 = (DWORD*)0x0???????;
        DWORD* control_2 = (DWORD*)0x0???????;

        DWORD oldprotect;

        if (target_adres != 0)
        {
            ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

            if (target_adres_ == control_1)
            {
                unsigned int length_ = 6;

                VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, PAGE_EXECUTE_READWRITE, &oldprotect);
                sonuc = WriteProcessMemory(hProcess, (LPVOID)target_adres, &bytes_written_1, length_, &dwLen_);		// 1st patch (1st Layer)
                VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, oldprotect, &oldprotect);

		...
		...


                if (sonuc)
                {
                    //MessageBox(NULL, L"patched", NULL, MB_OK);			// 1st layer is OK, patched
                }
            }
        }

        target_adres = moduleBase + 0x0???;						// 2nd layer (if needed)

        if (target_adres != 0)
        {
            ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

            if (target_adres_ == control_2)
            {
                unsigned int length_= 7;

                VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, PAGE_EXECUTE_READWRITE, &oldprotect);
                sonuc = WriteProcessMemory(hProcess, (LPVOID)hedef_adres, &bytes_written_4, uzunluk, &dwLen_);		// 2nd patch (2nd layer)
                VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, oldprotect, &oldprotect);
		
		...
		...


            DetourTransactionBegin();											// JOB is done, it is time to Detach
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
            DetourTransactionCommit();

  
            }
        }

    }


    BOOL fake_handle = false;

    fake_handle = Ori_DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);

    return fake_handle;

}
Please send the following files as well
pch.h
detours.h

and
Programming IDE and compiler

thanks
Reply With Quote
The Following User Says Thank You to mcr4ck For This Useful Post:
countryboy (09-22-2021)