/// <summary>
/// Unmap all manually mapped modules
/// </summary>
/// <returns>true on success</returns>
bool MMap::UnmapAllModules()
{
for (auto iter = _images.rbegin(); iter != _images.rend(); iter++)
{
ImageContext *pImage = iter->get();
// Call main
RunModuleInitializers( pImage, DLL_PROCESS_DETACH );
// Remove VEH
if (!(pImage->flags & NoExceptions))
DisableExceptions( pImage );
// Free memory
pImage->imgMem.Free();
// Remove reference from local modules list
_process.modules().RemoveManualModule( pImage->FilePath, pImage->PEImage.mType() );
}
// Free activation context memory
_pAContext.Free();
// Terminate worker thread
_process.remote().TerminateWorker();
_images.clear();
return true;
}
/// <summary>
/// Manually map PE image into underlying target process
/// </summary>
/// <param name="path">Image path</param>
/// <param name="flags">Image mapping flags</param>
/// <returns>Mapped image info</returns>
const ModuleData* MMap::MapImage( const std::wstring& path, int flags /*= NoFlags*/ )
{
// Already loaded
if (auto hMod = _process.modules().GetModule( path ))
return hMod;
// Prepare target process
if (_process.remote().CreateRPCEnvironment() != STATUS_SUCCESS)
return nullptr;
// No need to support exceptions if DEP is disabled
if (_process.core().DEP() == false)
flags |= NoExceptions;
// Ignore MapInHighMem for native x64 process
if (!_process.core().isWow64())
flags &= ~MapInHighMem;
// Map module and all dependencies
auto mod = FindOrMapModule( path, flags );
if (mod == nullptr)
return nullptr;
// Change process base module address if needed
if (flags & RebaseProcess && !_images.empty() && _images.rbegin()->get()->PEImage.IsExe())
_process.memory().Write( _process.core().peb() + 2 * WordSize, _images.rbegin()->get()->imgMem.ptr<size_t>() );
// Run initializers
for (auto& img : _images)
{
// Init once
if (!img->initialized)
{
if (!RunModuleInitializers( img.get(), DLL_PROCESS_ATTACH ))
return nullptr;
// Wipe header
if (img->flags & WipeHeader)
img->imgMem.Free( img->PEImage.headersSize() );
img->initialized = true;
}
}
return mod;
}
/// <summary>
/// Unmap all manually mapped modules
/// </summary>
/// <returns>true on success</returns>
bool MMap::UnmapAllModules() {
for(auto img = _images.rbegin(); img != _images.rend(); ++img) {
auto pImage = img->get();
BLACBONE_TRACE(L"ManualMap: Unmapping image '%ls'", pImage->FileName.c_str());
// Call main
RunModuleInitializers(pImage, DLL_PROCESS_DETACH);
// Remove VEH
if(!(pImage->flags & NoExceptions))
DisableExceptions(pImage);
// Remove from loader
auto mod = _process.Modules().GetModule(pImage->FileName);
_process.Modules().Unlink(mod);
// Free memory
pImage->imgMem.Free();
// Remove reference from local modules list
_process.Modules().RemoveManualModule(pImage->FilePath, pImage->peImage.ImageType());
}
Cleanup();
Reset();
return true;
}
const ModuleData* MMap::MapImageInternal(
const std::wstring& path,
void* buffer, size_t size,
bool asImage /*= false*/,
eLoadFlags flags /*= NoFlags*/,
MapCallback mapCallback /*= nullptr*/,
void* context /*= nullptr*/
) {
// Already loaded
if(auto hMod = _process.Modules().GetModule(path))
return hMod;
// Prepare target process
if(!NT_SUCCESS(_process.Remote().CreateRPCEnvironment())) {
Cleanup();
return nullptr;
}
// No need to support exceptions if DEP is disabled
if(_process.Core().DEP() == false)
flags |= NoExceptions;
// Ignore MapInHighMem for native x64 process
if(!_process.Core().IsWOW64())
flags &= ~MapInHighMem;
// Set native loader callback
_mapCallback = mapCallback;
_userContext = context;
BLACBONE_TRACE(L"ManualMap: Mapping image '%ls' with flags 0x%x", path.c_str(), flags);
// Map module and all dependencies
auto mod = FindOrMapModule(path, buffer, size, asImage, flags);
if(mod == nullptr) {
Cleanup();
return nullptr;
}
// Change process base module address if needed
if(flags & RebaseProcess && !_images.empty() && _images.rbegin()->get()->peImage.IsExecutable()) {
BLACBONE_TRACE(L"ManualMap: Rebasing process to address 0x%p", static_cast<size_t>(mod->baseAddress));
// Managed path fix
if(_images.rbegin()->get()->peImage.PureIL() && !path.empty())
FixManagedPath(_process.Memory().Read<size_t>(_process.Core().GetPEB() + 2 * WordSize), path);
_process.Memory().Write(_process.Core().GetPEB() + 2 * WordSize, WordSize, &mod->baseAddress);
}
auto wipeMemory = [](Process& proc, ImageContext* img, size_t offset, size_t size)
{
size = Align(size, 0x1000);
std::unique_ptr<uint8_t[]> zeroBuf(new uint8_t[size]());
if(img->flags & HideVAD) {
Driver().WriteMem(proc.Id(), img->imgMem.Ptr() + offset, size, zeroBuf.get());
} else {
img->imgMem.Write(offset, size, zeroBuf.get());
if(!NT_SUCCESS(proc.Memory().Free(img->imgMem.Ptr() + offset, size)))
proc.Memory().Protect(img->imgMem.Ptr() + offset, size, PAGE_NOACCESS);
}
};
// Run initializers
for(auto& img : _images) {
// Init once
if(!img->initialized) {
// Hack for IL dlls
if(!img->peImage.IsExecutable() && img->peImage.PureIL()) {
DWORD flOld = 0;
auto flg = img->imgMem.Read(img->peImage.ILFlagOffset(), 0);
img->imgMem.Protect(PAGE_EXECUTE_READWRITE, img->peImage.ILFlagOffset(), sizeof(flg), &flOld);
img->imgMem.Write(img->peImage.ILFlagOffset(), flg & ~COMIMAGE_FLAGS_ILONLY);
img->imgMem.Protect(flOld, img->peImage.ILFlagOffset(), sizeof(flg), &flOld);
}
if(!RunModuleInitializers(img.get(), DLL_PROCESS_ATTACH))
return nullptr;
// Wipe header
if(img->flags & WipeHeader)
wipeMemory(_process, img.get(), 0, img->peImage.HeadersSize());
// Wipe discardable sections for non pure IL images
for(auto& sec : img->peImage.Sections())
if(sec.Characteristics & IMAGE_SCN_MEM_DISCARDABLE)
wipeMemory(_process, img.get(), sec.VirtualAddress, sec.Misc.VirtualSize);
img->initialized = true;
}
}
Cleanup();
return mod;
}
