View Single Post
  #6  
Old 02-04-2021, 15:32
raduga_fb raduga_fb is offline
Family
 
Join Date: Nov 2012
Posts: 69
Rept. Given: 3
Rept. Rcvd 121 Times in 21 Posts
Thanks Given: 1
Thanks Rcvd at 128 Times in 32 Posts
raduga_fb Reputation: 100-199 raduga_fb Reputation: 100-199
Patching by Hooking

If the target has more than one protection layer, you need to patch them in order. Try to hook to WINAPI which is being used by program during unpacking (HeapAlloc, VirtualAlloc, CreateFile ...)

Below sample uses ms detours to hook to DeviceIOControl to check the memory of target. When memory compare is equal, then patching first layer. If you need to more patching after first layer unpacking, you have to continue to check the memory of program. After final patching, you can detach DeviceIOControl.



Code:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"

#include <iostream>
#include <vector>
#include <Windows.h>
#include <tlhelp32.h>

#include "detours.h"

#pragma comment(lib, "detours.lib")

using namespace std;

BOOL WINAPI My_DeviceIoControl(
    HANDLE       hDevice,
    DWORD        dwIoControlCode,
    LPVOID       lpInBuffer,
    DWORD        nInBufferSize,
    LPVOID       lpOutBuffer,
    DWORD        nOutBufferSize,
    LPDWORD      lpBytesReturned,
    LPOVERLAPPED lpOverlapped
);

static BOOL(WINAPI* Ori_DeviceIoControl) (
    HANDLE       hDevice,
    DWORD        dwIoControlCode,
    LPVOID       lpInBuffer,
    DWORD        nInBufferSize,
    LPVOID       lpOutBuffer,
    DWORD        nOutBufferSize,
    LPDWORD      lpBytesReturned,
    LPOVERLAPPED lpOverlapped
    ) = NULL;



BYTE bytes_written_1[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90 }; 
BYTE bytes_written_2[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90x 0x90 }; 


DWORD GetProcId(const wchar_t* procName)
{
    DWORD procId = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 procEntry;
        procEntry.dwSize = sizeof(procEntry);

        if (Process32First(hSnap, &procEntry))
        {
            do
            {
                if (!_wcsicmp(procEntry.szExeFile, procName))
                {
                    procId = procEntry.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnap, &procEntry));

        }
    }
    CloseHandle(hSnap);
    return procId;
}

DWORD GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
    DWORD modBaseAddr = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        MODULEENTRY32 modEntry;
        modEntry.dwSize = sizeof(modEntry);
        if (Module32First(hSnap, &modEntry))
        {
            do
            {
                if (!_wcsicmp(modEntry.szModule, modName))
                {
                    modBaseAddr = (DWORD)modEntry.modBaseAddr;
                    break;
                }
            } while (Module32Next(hSnap, &modEntry));
        }
    }
    CloseHandle(hSnap);
    return modBaseAddr;
}




BOOL APIENTRY DllMain(HMODULE hDLL,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    HMODULE dll_module_1 = GetModuleHandleA("kernel32.dll");

    if (!dll_module_1)
    {
        DWORD dw = GetLastError();
        MessageBox(NULL, L"The library could not load", L"ERROR", MB_OK);
    }

    {
        switch (ul_reason_for_call)
        {
        case DLL_PROCESS_ATTACH:

            DetourRestoreAfterWith();

            Ori_DeviceIoControl = (BOOL(WINAPI*) (HANDLE, DWORD, LPVOID, DWORD, LPVOID, DWORD, LPDWORD, LPOVERLAPPED)) DetourFindFunction("kernel32.dll", "DeviceIoControl");

            DisableThreadLibraryCalls(hDLL);
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());

            DetourAttach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);

            if (DetourTransactionCommit() != NO_ERROR)
                MessageBox(NULL, L"Detour Attach Error", NULL, MB_OK);

                break;

        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:

            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
            DetourTransactionCommit();

            break;
        }
        return TRUE;
    }
}

BOOL WINAPI My_DeviceIoControl(
    HANDLE       hDevice,
    DWORD        dwIoControlCode,
    LPVOID       lpInBuffer,
    DWORD        nInBufferSize,
    LPVOID       lpOutBuffer,
    DWORD        nOutBufferSize,
    LPDWORD      lpBytesReturned,
    LPOVERLAPPED lpOverlapped
)

{

    DWORD processID = GetProcId(L"??????.exe");
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, processID);
    DWORD moduleBase = GetModuleBaseAddress(processID, L"?????.exe");

    if (moduleBase != 0)
    {
        DWORD target_adres = moduleBase + ??????;
        DWORD* target_adres_ = 0;
        DWORD dwLen_ = 0;
        BOOL sonuc = false;

        DWORD* control_1 = (DWORD*)0x0???????;
        DWORD* control_2 = (DWORD*)0x0???????;

        DWORD oldprotect;

        if (target_adres != 0)
        {
            ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

            if (target_adres_ == control_1)
            {
                unsigned int length_ = 6;

                VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, PAGE_EXECUTE_READWRITE, &oldprotect);
                sonuc = WriteProcessMemory(hProcess, (LPVOID)target_adres, &bytes_written_1, length_, &dwLen_);		// 1st patch (1st Layer)
                VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, oldprotect, &oldprotect);

		...
		...


                if (sonuc)
                {
                    //MessageBox(NULL, L"patched", NULL, MB_OK);			// 1st layer is OK, patched
                }
            }
        }

        target_adres = moduleBase + 0x0???;						// 2nd layer (if needed)

        if (target_adres != 0)
        {
            ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

            if (target_adres_ == control_2)
            {
                unsigned int length_= 7;

                VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, PAGE_EXECUTE_READWRITE, &oldprotect);
                sonuc = WriteProcessMemory(hProcess, (LPVOID)hedef_adres, &bytes_written_4, uzunluk, &dwLen_);		// 2nd patch (2nd layer)
                VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, oldprotect, &oldprotect);
		
		...
		...


            DetourTransactionBegin();											// JOB is done, it is time to Detach
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
            DetourTransactionCommit();

  
            }
        }

    }


    BOOL fake_handle = false;

    fake_handle = Ori_DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);

    return fake_handle;

}
Reply With Quote
The Following 5 Users Say Thank You to raduga_fb For This Useful Post:
countryboy (09-22-2021), mcr4ck (02-04-2021), niculaita (07-22-2021), sh3dow (07-26-2021), user1 (07-31-2021)