/// <summary> /// Free memory /// </summary> /// <param name="pAddr">Memory address to release.</param> /// <param name="size">Region size</param> /// <param name="freeType">Release/decommit</param> /// <returns>Status</returns> NTSTATUS ProcessMemory::Free( ptr_t pAddr, size_t size /*= 0*/, DWORD freeType /*= MEM_RELEASE*/ ) { #ifdef _DEBUG assert( freeType != MEM_RELEASE || size == 0 ); if (freeType == MEM_DECOMMIT) { BLACKBONE_TRACE( L"Free: Decommit at address 0x%p (0x%x bytes)", static_cast<uintptr_t>(pAddr), size ); } else { BLACKBONE_TRACE( L"Free: Free at address 0x%p", static_cast<uintptr_t>(pAddr) ); } #endif return _core.native()->VirtualFreeExT( pAddr, size, freeType ); }
/// <summary> /// Reload driver /// </summary> /// <param name="path">Path to the driver file</param> /// <returns>Status code</returns> NTSTATUS DriverControl::Reload( std::wstring path /*= L"" */ ) { Unload(); // Use default path if (path.empty()) { const wchar_t* filename = nullptr; if (IsWindows10OrGreater()) filename = BLACKBONE_FILE_NAME_10; else if (IsWindows8Point1OrGreater()) filename = BLACKBONE_FILE_NAME_81; else if (IsWindows8OrGreater()) filename = BLACKBONE_FILE_NAME_8; else if (IsWindows7OrGreater()) filename = BLACKBONE_FILE_NAME_7; else filename = BLACKBONE_FILE_NAME; path = Utils::GetExeDirectory() + L"\\" + filename; } _loadStatus = LoadDriver( DRIVER_SVC_NAME, path ); if (!NT_SUCCESS( _loadStatus )) { BLACKBONE_TRACE( L"Failed to load driver %ls. Status 0x%X", path.c_str(), _loadStatus ); return _loadStatus; } _hDriver = CreateFileW( BLACKBONE_DEVICE_FILE, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL ); if (!_hDriver) { _loadStatus = LastNtStatus(); BLACKBONE_TRACE( L"Failed to open driver handle. Status 0x%X", _loadStatus ); return _loadStatus; } return _loadStatus; }
std::vector<ModuleDataPtr> Native::EnumModulesT() { NTSTATUS status = STATUS_SUCCESS; _PEB_T<T> peb = { }; _PEB_LDR_DATA2_T<T> ldr = { }; std::vector<ModuleDataPtr> result; if (getPEB( &peb ) != 0 && ReadProcessMemoryT( peb.Ldr, &ldr, sizeof( ldr ), 0 ) == STATUS_SUCCESS) { for (T head = ldr.InLoadOrderModuleList.Flink; NT_SUCCESS( status ) && head != (peb.Ldr + FIELD_OFFSET( _PEB_LDR_DATA2_T<T>, InLoadOrderModuleList )); status = ReadProcessMemoryT( static_cast<ptr_t>(head), &head, sizeof( head ) )) { ModuleData data; wchar_t localPath[512] = { 0 }; _LDR_DATA_TABLE_ENTRY_BASE_T<T> localdata = { { 0 } }; ReadProcessMemoryT( head, &localdata, sizeof( localdata ), 0 ); ReadProcessMemoryT( localdata.FullDllName.Buffer, localPath, localdata.FullDllName.Length ); data.baseAddress = localdata.DllBase; data.size = localdata.SizeOfImage; data.fullPath = Utils::ToLower( localPath ); data.name = Utils::StripPath( data.fullPath ); data.type = (sizeof( T ) < sizeof( uint64_t )) ? mt_mod32 : mt_mod64; data.ldrPtr = static_cast<ptr_t>(head); data.manual = false; result.emplace_back( std::make_shared<const ModuleData>( data ) ); } } else { BLACKBONE_TRACE( L"NativeModules: Failed to get PEB/LDR address. Not yet initialized" ); } return result; }