Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #16  
Old 07-30-2021, 18:11
mcr4ck mcr4ck is offline
Friend
 
Join Date: Nov 2019
Location: iran
Posts: 36
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 29
Thanks Rcvd at 16 Times in 12 Posts
mcr4ck Reputation: 1
Quote:
comment it out and configure your project not to use precompiled headers

hope this helps
I did not catch you
Can you explain in full?
Or compile this at all and tell me the method
Thankful
Reply With Quote
The Following User Says Thank You to mcr4ck For This Useful Post:
countryboy (09-22-2021)
  #17  
Old 07-30-2021, 19:30
xobor xobor is offline
Friend
 
Join Date: May 2002
Location: Slovakia
Posts: 107
Rept. Given: 6
Rept. Rcvd 4 Times in 4 Posts
Thanks Given: 2
Thanks Rcvd at 15 Times in 10 Posts
xobor Reputation: 5
it is a precompiled header file

look at

Quote:
https://docs.microsoft.com/en-us/cpp/build/creating-precompiled-header-files?view=msvc-160
BR
Reply With Quote
The Following 2 Users Say Thank You to xobor For This Useful Post:
countryboy (09-22-2021), niculaita (07-30-2021)
  #18  
Old 07-31-2021, 19:32
mcr4ck mcr4ck is offline
Friend
 
Join Date: Nov 2019
Location: iran
Posts: 36
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 29
Thanks Rcvd at 16 Times in 12 Posts
mcr4ck Reputation: 1
I din't notice
If possible, compile this completely and send it to me
Because I do not know much about C or C++ language
Thanks to friends who know me for compiling this and sending it to me
Reply With Quote
The Following User Says Thank You to mcr4ck For This Useful Post:
countryboy (09-22-2021)
  #19  
Old 08-04-2021, 20:17
dosprog dosprog is online now
Friend
 
Join Date: Feb 2018
Posts: 99
Rept. Given: 0
Rept. Rcvd 14 Times in 13 Posts
Thanks Given: 30
Thanks Rcvd at 138 Times in 70 Posts
dosprog Reputation: 14
See example - Loader for WIN32-PE (no ASLR!) - Sources for MSVC.

For packed program set in source code:
Quote:
DWORD wait_for_unpack = 1000; //millis - set it if need
- Then waits 1 sec while program unpacks itself.


Last edited by dosprog; 08-05-2021 at 01:36.
Reply With Quote
The Following 2 Users Say Thank You to dosprog For This Useful Post:
countryboy (09-22-2021), niculaita (08-04-2021)
  #20  
Old 08-05-2021, 04:36
mcr4ck mcr4ck is offline
Friend
 
Join Date: Nov 2019
Location: iran
Posts: 36
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 29
Thanks Rcvd at 16 Times in 12 Posts
mcr4ck Reputation: 1
Thanks a lot
But I want to compile this code
Did anyone compile this code?
Quote:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"

#include <iostream>
#include <vector>
#include <Windows.h>
#include <tlhelp32.h>

#include "detours.h"

#pragma comment(lib, "detours.lib")

using namespace std;

BOOL WINAPI My_DeviceIoControl(
HANDLE hDevice,
DWORD dwIoControlCode,
LPVOID lpInBuffer,
DWORD nInBufferSize,
LPVOID lpOutBuffer,
DWORD nOutBufferSize,
LPDWORD lpBytesReturned,
LPOVERLAPPED lpOverlapped
);

static BOOL(WINAPI* Ori_DeviceIoControl) (
HANDLE hDevice,
DWORD dwIoControlCode,
LPVOID lpInBuffer,
DWORD nInBufferSize,
LPVOID lpOutBuffer,
DWORD nOutBufferSize,
LPDWORD lpBytesReturned,
LPOVERLAPPED lpOverlapped
) = NULL;



BYTE bytes_written_1[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90 };
BYTE bytes_written_2[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90x 0x90 };


DWORD GetProcId(const wchar_t* procName)
{
DWORD procId = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnap != INVALID_HANDLE_VALUE)
{
PROCESSENTRY32 procEntry;
procEntry.dwSize = sizeof(procEntry);

if (Process32First(hSnap, &procEntry))
{
do
{
if (!_wcsicmp(procEntry.szExeFile, procName))
{
procId = procEntry.th32ProcessID;
break;
}
} while (Process32Next(hSnap, &procEntry));

}
}
CloseHandle(hSnap);
return procId;
}

DWORD GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
DWORD modBaseAddr = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
if (hSnap != INVALID_HANDLE_VALUE)
{
MODULEENTRY32 modEntry;
modEntry.dwSize = sizeof(modEntry);
if (Module32First(hSnap, &modEntry))
{
do
{
if (!_wcsicmp(modEntry.szModule, modName))
{
modBaseAddr = (DWORD)modEntry.modBaseAddr;
break;
}
} while (Module32Next(hSnap, &modEntry));
}
}
CloseHandle(hSnap);
return modBaseAddr;
}




BOOL APIENTRY DllMain(HMODULE hDLL,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
HMODULE dll_module_1 = GetModuleHandleA("kernel32.dll");

if (!dll_module_1)
{
DWORD dw = GetLastError();
MessageBox(NULL, L"The library could not load", L"ERROR", MB_OK);
}

{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:

DetourRestoreAfterWith();

Ori_DeviceIoControl = (BOOL(WINAPI*) (HANDLE, DWORD, LPVOID, DWORD, LPVOID, DWORD, LPDWORD, LPOVERLAPPED)) DetourFindFunction("kernel32.dll", "DeviceIoControl");

DisableThreadLibraryCalls(hDLL);
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());

DetourAttach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);

if (DetourTransactionCommit() != NO_ERROR)
MessageBox(NULL, L"Detour Attach Error", NULL, MB_OK);

break;

case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:

DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
DetourTransactionCommit();

break;
}
return TRUE;
}
}

BOOL WINAPI My_DeviceIoControl(
HANDLE hDevice,
DWORD dwIoControlCode,
LPVOID lpInBuffer,
DWORD nInBufferSize,
LPVOID lpOutBuffer,
DWORD nOutBufferSize,
LPDWORD lpBytesReturned,
LPOVERLAPPED lpOverlapped
)

{

DWORD processID = GetProcId(L"??????.exe");
HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, processID);
DWORD moduleBase = GetModuleBaseAddress(processID, L"?????.exe");

if (moduleBase != 0)
{
DWORD target_adres = moduleBase + ??????;
DWORD* target_adres_ = 0;
DWORD dwLen_ = 0;
BOOL sonuc = false;

DWORD* control_1 = (DWORD*)0x0???????;
DWORD* control_2 = (DWORD*)0x0???????;

DWORD oldprotect;

if (target_adres != 0)
{
ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

if (target_adres_ == control_1)
{
unsigned int length_ = 6;

VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, PAGE_EXECUTE_READWRITE, &oldprotect);
sonuc = WriteProcessMemory(hProcess, (LPVOID)target_adres, &bytes_written_1, length_, &dwLen_); // 1st patch (1st Layer)
VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, oldprotect, &oldprotect);

...
...


if (sonuc)
{
//MessageBox(NULL, L"patched", NULL, MB_OK); // 1st layer is OK, patched
}
}
}

target_adres = moduleBase + 0x0???; // 2nd layer (if needed)

if (target_adres != 0)
{
ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

if (target_adres_ == control_2)
{
unsigned int length_= 7;

VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, PAGE_EXECUTE_READWRITE, &oldprotect);
sonuc = WriteProcessMemory(hProcess, (LPVOID)hedef_adres, &bytes_written_4, uzunluk, &dwLen_); // 2nd patch (2nd layer)
VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, oldprotect, &oldprotect);

...
...


DetourTransactionBegin(); // JOB is done, it is time to Detach
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
DetourTransactionCommit();


}
}

}


BOOL fake_handle = false;

fake_handle = Ori_DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);

return fake_handle;

}
Reply With Quote
The Following User Says Thank You to mcr4ck For This Useful Post:
countryboy (09-22-2021)
  #21  
Old 08-05-2021, 05:22
niculaita's Avatar
niculaita niculaita is offline
Family
 
Join Date: Jun 2011
Location: here
Posts: 1,261
Rept. Given: 910
Rept. Rcvd 87 Times in 59 Posts
Thanks Given: 3,367
Thanks Rcvd at 466 Times in 329 Posts
niculaita Reputation: 87
Parts are missing
...
...
__________________
Decode and Conquer
Reply With Quote
  #22  
Old 08-05-2021, 20:46
mcr4ck mcr4ck is offline
Friend
 
Join Date: Nov 2019
Location: iran
Posts: 36
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 29
Thanks Rcvd at 16 Times in 12 Posts
mcr4ck Reputation: 1
Why do you say parts are missing?
please help
Reply With Quote
  #23  
Old 08-05-2021, 23:15
dosprog dosprog is online now
Friend
 
Join Date: Feb 2018
Posts: 99
Rept. Given: 0
Rept. Rcvd 14 Times in 13 Posts
Thanks Given: 30
Thanks Rcvd at 138 Times in 70 Posts
dosprog Reputation: 14
Quote:
Originally Posted by mcr4ck View Post
Why do you say parts are missing?
please help
Because parts are missing.
U must have "detours" package with "detours.lib" file for compile this code.
As minimum.

And then replace strings "???????" with valid values.

But.
See my previous post with example of WIN32-PE patch-loader.
Its simple and independent code, works fine on several tasks.

Detours package i do not use, no need.


Last edited by dosprog; 08-06-2021 at 02:40.
Reply With Quote
The Following User Says Thank You to dosprog For This Useful Post:
niculaita (08-06-2021)
  #24  
Old 08-07-2021, 00:46
mcr4ck mcr4ck is offline
Friend
 
Join Date: Nov 2019
Location: iran
Posts: 36
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 29
Thanks Rcvd at 16 Times in 12 Posts
mcr4ck Reputation: 1
"detours" package
https://mega.nz/file/SAwS2TzA#RHRKsixO1Eq2vP1589raQrB3sJYoWOFbHHH8fHAMl-A

Quote:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"

#include <iostream>
#include <vector>
#include <Windows.h>
#include <tlhelp32.h>

#include "detours.h"

#pragma comment(lib, "detours.lib")

using namespace std;

BOOL WINAPI My_DeviceIoControl(
HANDLE hDevice,
DWORD dwIoControlCode,
LPVOID lpInBuffer,
DWORD nInBufferSize,
LPVOID lpOutBuffer,
DWORD nOutBufferSize,
LPDWORD lpBytesReturned,
LPOVERLAPPED lpOverlapped
);

static BOOL(WINAPI* Ori_DeviceIoControl) (
HANDLE hDevice,
DWORD dwIoControlCode,
LPVOID lpInBuffer,
DWORD nInBufferSize,
LPVOID lpOutBuffer,
DWORD nOutBufferSize,
LPDWORD lpBytesReturned,
LPOVERLAPPED lpOverlapped
) = NULL;



BYTE bytes_written_1[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90 };
BYTE bytes_written_2[] = { 0x33, 0xC0, 0xC2, 0x0C, 0x00, 0x90x 0x90 };


DWORD GetProcId(const wchar_t* procName)
{
DWORD procId = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnap != INVALID_HANDLE_VALUE)
{
PROCESSENTRY32 procEntry;
procEntry.dwSize = sizeof(procEntry);

if (Process32First(hSnap, &procEntry))
{
do
{
if (!_wcsicmp(procEntry.szExeFile, procName))
{
procId = procEntry.th32ProcessID;
break;
}
} while (Process32Next(hSnap, &procEntry));

}
}
CloseHandle(hSnap);
return procId;
}

DWORD GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
DWORD modBaseAddr = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
if (hSnap != INVALID_HANDLE_VALUE)
{
MODULEENTRY32 modEntry;
modEntry.dwSize = sizeof(modEntry);
if (Module32First(hSnap, &modEntry))
{
do
{
if (!_wcsicmp(modEntry.szModule, modName))
{
modBaseAddr = (DWORD)modEntry.modBaseAddr;
break;
}
} while (Module32Next(hSnap, &modEntry));
}
}
CloseHandle(hSnap);
return modBaseAddr;
}




BOOL APIENTRY DllMain(HMODULE hDLL,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
HMODULE dll_module_1 = GetModuleHandleA("kernel32.dll");

if (!dll_module_1)
{
DWORD dw = GetLastError();
MessageBox(NULL, L"The library could not load", L"ERROR", MB_OK);
}

{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:

DetourRestoreAfterWith();

Ori_DeviceIoControl = (BOOL(WINAPI*) (HANDLE, DWORD, LPVOID, DWORD, LPVOID, DWORD, LPDWORD, LPOVERLAPPED)) DetourFindFunction("kernel32.dll", "DeviceIoControl");

DisableThreadLibraryCalls(hDLL);
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());

DetourAttach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);

if (DetourTransactionCommit() != NO_ERROR)
MessageBox(NULL, L"Detour Attach Error", NULL, MB_OK);

break;

case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:

DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
DetourTransactionCommit();

break;
}
return TRUE;
}
}

BOOL WINAPI My_DeviceIoControl(
HANDLE hDevice,
DWORD dwIoControlCode,
LPVOID lpInBuffer,
DWORD nInBufferSize,
LPVOID lpOutBuffer,
DWORD nOutBufferSize,
LPDWORD lpBytesReturned,
LPOVERLAPPED lpOverlapped
)

{

DWORD processID = GetProcId(L"notepad.exe");
HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, processID);
DWORD moduleBase = GetModuleBaseAddress(processID, L"notepad.exe");

if (moduleBase != 0)
{
DWORD target_adres = moduleBase + 100;
DWORD* target_adres_ = 0;
DWORD dwLen_ = 0;
BOOL sonuc = false;

DWORD* control_1 = (DWORD*)0x0AB12345;
DWORD* control_2 = (DWORD*)0x0EF12345;

DWORD oldprotect;

if (target_adres != 0)
{
ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

if (target_adres_ == control_1)
{
unsigned int length_ = 6;

VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, PAGE_EXECUTE_READWRITE, &oldprotect);
sonuc = WriteProcessMemory(hProcess, (LPVOID)target_adres, &bytes_written_1, length_, &dwLen_); // 1st patch (1st Layer)
VirtualProtectEx(hProcess, (LPVOID)target_adres, length_, oldprotect, &oldprotect);

...
...


if (sonuc)
{
//MessageBox(NULL, L"patched", NULL, MB_OK); // 1st layer is OK, patched
}
}
}

target_adres = moduleBase + 0x0100; // 2nd layer (if needed)

if (target_adres != 0)
{
ReadProcessMemory(hProcess, (LPVOID)target_adres, (LPVOID)&target_adres_, 4, NULL);

if (target_adres_ == control_2)
{
unsigned int length_= 7;

VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, PAGE_EXECUTE_READWRITE, &oldprotect);
sonuc = WriteProcessMemory(hProcess, (LPVOID)hedef_adres, &bytes_written_4, uzunluk, &dwLen_); // 2nd patch (2nd layer)
VirtualProtectEx(hProcess, (LPVOID)hedef_adres, uzunluk, oldprotect, &oldprotect);

...
...


DetourTransactionBegin(); // JOB is done, it is time to Detach
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)Ori_DeviceIoControl, My_DeviceIoControl);
DetourTransactionCommit();


}
}

}


BOOL fake_handle = false;

fake_handle = Ori_DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);

return fake_handle;

}
Reply With Quote
The Following 2 Users Say Thank You to mcr4ck For This Useful Post:
countryboy (09-22-2021), niculaita (08-07-2021)
  #25  
Old 08-15-2021, 03:28
cdrom0 cdrom0 is offline
Friend
 
Join Date: Jan 2018
Posts: 2
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 3 Times in 1 Post
cdrom0 Reputation: 0
#include <iostream> // Standard C++ library for console I/O
#include <string> // Standard C++ Library for string manip

#include <Windows.h> // WinAPI Header
#include <TlHelp32.h> //WinAPI Process API


// use this if you want to read the executable from disk
HANDLE MapFileToMemory(LPCSTR filename)
{
std::streampos size;
std::fstream file(filename, std::ios::in | std::ios::binary | std::ios::ate);
if (file.is_open())
{
size = file.tellg();

char* Memblock = new char[size]();

file.seekg(0, std::ios::beg);
file.read(Memblock, size);
file.close();

return Memblock;
}
return 0;
}

int RunPortableExecutable(void* Image)
{
IMAGE_DOS_HEADER* DOSHeader; // For Nt DOS Header symbols
IMAGE_NT_HEADERS* NtHeader; // For Nt PE Header objects & symbols
IMAGE_SECTION_HEADER* SectionHeader;

PROCESS_INFORMATION PI;
STARTUPINFOA SI;

CONTEXT* CTX;

DWORD* ImageBase; //Base address of the image
void* pImageBase; // Pointer to the image base

int count;
char CurrentFilePath[1024];

DOSHeader = PIMAGE_DOS_HEADER(Image); // Initialize Variable
NtHeader = PIMAGE_NT_HEADERS(DWORD(Image) + DOSHeader->e_lfanew); // Initialize

GetModuleFileNameA(0, CurrentFilePath, 1024); // path to current executable

if (NtHeader->Signature == IMAGE_NT_SIGNATURE) // Check if image is a PE File.
{
ZeroMemory(&PI, sizeof(PI)); // Null the memory
ZeroMemory(&SI, sizeof(SI)); // Null the memory

if (CreateProcessA(CurrentFilePath, NULL, NULL, NULL, FALSE,
CREATE_SUSPENDED, NULL, NULL, &SI, &PI)) // Create a new instance of current
//process in suspended state, for the new image.
{
// Allocate memory for the context.
CTX = LPCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
CTX->ContextFlags = CONTEXT_FULL; // Context is allocated

if (GetThreadContext(PI.hThread, LPCONTEXT(CTX))) //if context is in thread
{
// Read instructions
ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&ImageBase), 4, 0);

pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(NtHeader->OptionalHeader.ImageBase),
NtHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);

// Write the image to the process
WriteProcessMemory(PI.hProcess, pImageBase, Image, NtHeader->OptionalHeader.SizeOfHeaders, NULL);

for (count = 0; count < NtHeader->FileHeader.NumberOfSections; count++)
{
SectionHeader = PIMAGE_SECTION_HEADER(DWORD(Image) + DOSHeader->e_lfanew + 248 + (count * 40));

WriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + SectionHeader->VirtualAddress),
LPVOID(DWORD(Image) + SectionHeader->PointerToRawData), SectionHeader->SizeOfRawData, 0);
}
WriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8),
LPVOID(&NtHeader->OptionalHeader.ImageBase), 4, 0);

// Move address of entry point to the eax register
CTX->Eax = DWORD(pImageBase) + NtHeader->OptionalHeader.AddressOfEntryPoint;
SetThreadContext(PI.hThread, LPCONTEXT(CTX)); // Set the context
ResumeThread(PI.hThread); //┬┤Start the process/call main()

return 0; // Operation was successful.
}
}
}
}

// enter valid bytes of a program here.
unsigned char rawData[37376] = {
0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main()
{
RunPortableExecutable(rawData); // run executable from the array
getchar();
}
Reply With Quote
The Following 3 Users Say Thank You to cdrom0 For This Useful Post:
countryboy (09-22-2021), mcr4ck (08-15-2021), niculaita (08-20-2021)
  #26  
Old 08-19-2021, 12:32
Top10 Top10 is offline
Friend
 
Join Date: Feb 2017
Posts: 16
Rept. Given: 0
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 43
Thanks Rcvd at 38 Times in 12 Posts
Top10 Reputation: 2
Quote:
Originally Posted by cdrom0 View Post
#include <iostream> // Standard C++ library for console I/O
#include <string> // Standard C++ Library for string manip

#include <Windows.h> // WinAPI Header
#include <TlHelp32.h> //WinAPI Process API


// use this if you want to read the executable from disk
HANDLE MapFileToMemory(LPCSTR filename)
{
std::streampos size;
std::fstream file(filename, std::ios::in | std::ios::binary | std::ios::ate);
if (file.is_open())
{
size = file.tellg();

char* Memblock = new char[size]();

file.seekg(0, std::ios::beg);
file.read(Memblock, size);
file.close();

return Memblock;
}
return 0;
}

int RunPortableExecutable(void* Image)
{
IMAGE_DOS_HEADER* DOSHeader; // For Nt DOS Header symbols
IMAGE_NT_HEADERS* NtHeader; // For Nt PE Header objects & symbols
IMAGE_SECTION_HEADER* SectionHeader;

PROCESS_INFORMATION PI;
STARTUPINFOA SI;

CONTEXT* CTX;

DWORD* ImageBase; //Base address of the image
void* pImageBase; // Pointer to the image base

int count;
char CurrentFilePath[1024];

DOSHeader = PIMAGE_DOS_HEADER(Image); // Initialize Variable
NtHeader = PIMAGE_NT_HEADERS(DWORD(Image) + DOSHeader->e_lfanew); // Initialize

GetModuleFileNameA(0, CurrentFilePath, 1024); // path to current executable

if (NtHeader->Signature == IMAGE_NT_SIGNATURE) // Check if image is a PE File.
{
ZeroMemory(&PI, sizeof(PI)); // Null the memory
ZeroMemory(&SI, sizeof(SI)); // Null the memory

if (CreateProcessA(CurrentFilePath, NULL, NULL, NULL, FALSE,
CREATE_SUSPENDED, NULL, NULL, &SI, &PI)) // Create a new instance of current
//process in suspended state, for the new image.
{
// Allocate memory for the context.
CTX = LPCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
CTX->ContextFlags = CONTEXT_FULL; // Context is allocated

if (GetThreadContext(PI.hThread, LPCONTEXT(CTX))) //if context is in thread
{
// Read instructions
ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&ImageBase), 4, 0);

pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(NtHeader->OptionalHeader.ImageBase),
NtHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);

// Write the image to the process
WriteProcessMemory(PI.hProcess, pImageBase, Image, NtHeader->OptionalHeader.SizeOfHeaders, NULL);

for (count = 0; count < NtHeader->FileHeader.NumberOfSections; count++)
{
SectionHeader = PIMAGE_SECTION_HEADER(DWORD(Image) + DOSHeader->e_lfanew + 248 + (count * 40));

WriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + SectionHeader->VirtualAddress),
LPVOID(DWORD(Image) + SectionHeader->PointerToRawData), SectionHeader->SizeOfRawData, 0);
}
WriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8),
LPVOID(&NtHeader->OptionalHeader.ImageBase), 4, 0);

// Move address of entry point to the eax register
CTX->Eax = DWORD(pImageBase) + NtHeader->OptionalHeader.AddressOfEntryPoint;
SetThreadContext(PI.hThread, LPCONTEXT(CTX)); // Set the context
ResumeThread(PI.hThread); //┬┤Start the process/call main()

return 0; // Operation was successful.
}
}
}
}

// enter valid bytes of a program here.
unsigned char rawData[37376] = {
0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main()
{
RunPortableExecutable(rawData); // run executable from the array
getchar();
}
But this is a basic example of a RunPe/Process Hollowing related to PE injecton not for the purpose of patch bytes at runtime
Reply With Quote
The Following User Says Thank You to Top10 For This Useful Post:
countryboy (09-22-2021)
  #27  
Old 08-20-2021, 13:39
user1's Avatar
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: Romania
Posts: 912
Rept. Given: 442
Rept. Rcvd 115 Times in 63 Posts
Thanks Given: 518
Thanks Rcvd at 486 Times in 292 Posts
user1 Reputation: 36
google it github is your friend.
Reply With Quote
The Following User Says Thank You to user1 For This Useful Post:
niculaita (08-20-2021)
  #28  
Old 09-22-2021, 12:27
countryboy countryboy is offline
Friend
 
Join Date: Sep 2021
Location: in the country
Posts: 22
Rept. Given: 0
Rept. Rcvd 16 Times in 9 Posts
Thanks Given: 32
Thanks Rcvd at 89 Times in 21 Posts
countryboy Reputation: 16
Smile Activation Posted Here: Loader V2.1 + Extra Features + Video : by countryboy

Hi, mcr4ck

I am countryboy,


I wrote a loader many years ago, the latest Release is posted here ...
There are 2 Versions 32bit, and 64bit, and Loader can also be used as Trial Reset.
I will be releasing a graphical Interface shortly ...

If anyone is interested I wrote a Tutorial, and posted it on CGPersia, and I can post it here if Interested.
The Tutorial is from many years ago, and most of it is Images. I have made a lot of changes over the years.
The code contains all the basic code, and is in Lazarus Pascal.

Have a great day, countryboy

HOW THE ACTIVATION LOADER WORKS :

I wrote the v1 Loader Code many years ago for HitFilm 64 bit, and BuildBox 32 bit, because no 64 bit Loaders were available.
HitFilm can be run in a Debugger, and Code changed, but changes can't be saved, because all Files check others CRC.
BuildBox is slow, unpacks in memory, checks CRC of Patched Network.dll, and checks Code Segment Memory CRC of itself.

LOADER START : Open LoaderConfig.TXT : Set Defaults, Check version, File Size, Setup messages, and minimize Window.
KILL TASK( Program to Patch ) in case it's hung in memory from a previous run.
KILL TASK( START ) : Protection Guards, or Crack protection programs loaded by Program to Patch. Needed in HitFilm.
Message Box( START ), RUN( START ), RUN REGISTRY( Start only ), RUN( BEFOREPATCH ), and after Registry is done.

ASLR : Windows loads programs into random selected Memory requiring search for Program Name to get Segment offset.
GOD LIKE PRIVILEGES are requested to Debug, and change programs memory before loading, and starting.
TIME CRITICAL : Need to wait for Windows to read Hard drive, and load program into Memory before starting search.
Windows Function WaitForSingleObject() waits ReadmemWaitTime : max time in milliseconds to load, and exist in memory,
and Windows Function WaitForDebugEvent waits additional 10 milliseconds maximum to finish loading.

LET THE SEARCH BEGIN : Windows Function EnumProcessModules() used to search for Programs Name in Memory.
While not found : If error then wait 1 millisecond before trying again & if not found after ASLRmemory_MaxAttempts=5000
Set Image Base to Default ASLR, and create a Image Base not found message after 5 seconds the Attempt count.
PACKED SLOW LOADING PROGRAMS : use Windows Function WaitForInputIdle() to wait for program to unpack itself.

IMAGE BASE FOUND : Program Thread is suspended for Patching, and any Error Messages saved.
LoaderConfig.txt opened, and list of Patches done. Code verified to exist before NewCode is written at Offset.
If a Error occurs, Patch number is saved, and Patching continues. Critical Errors are displayed later in a Message Box.
While Thread is suspended : Error messages displayed, and any RUN( AFTERPATCH ), or MsgBox( AFTERPATCH ) are done.

CONTINUE : Resume Thread with Program continuing to Load. Restore any defaults changed like Normal Dos video.
If Close Pop Up Box then Loop through list, close WindowName, and all numerical WindowName1 starting with 1,2,3
If WaitTime= Default wait 35 seconds Maximum for Pop up to load. HitFilm Pop up slow due to Loading Internet images.
BEFORE QUIT : KILL TASK( END ) Kill Programs, RUN( END ) Start Programs, or Message Box( END ), and QUIT !

Last edited by countryboy; 09-22-2021 at 12:40.
Reply With Quote
The Following 4 Users Say Thank You to countryboy For This Useful Post:
Hypnz (09-23-2021), mcr4ck (09-22-2021), niculaita (09-23-2021), Stingered (09-24-2021)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 19:31.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2021 )