/*
Try to map cmd.exe into current process from buffer
*/
void MapCmdFromMem()
{
Process thisProc;
thisProc.Attach( GetCurrentProcessId() );
void* buf = nullptr;
auto size = 0;
std::wcout << L"Manual image mapping from buffer test" << std::endl;
std::wcout << L"Trying to map C:\\windows\\system32\\cmd.exe into current process" << std::endl;
// Get image context
HANDLE hFile = CreateFileW( L"C:\\windows\\system32\\cmd.exe", FILE_GENERIC_READ, 0x7, 0, OPEN_EXISTING, 0, 0 );
if (hFile != INVALID_HANDLE_VALUE)
{
DWORD bytes = 0;
size = GetFileSize( hFile, NULL );
buf = VirtualAlloc( NULL, size, MEM_COMMIT, PAGE_READWRITE );
ReadFile( hFile, buf, size, &bytes, NULL );
CloseHandle( hFile );
}
auto image = thisProc.mmap().MapImage( size, buf, false, CreateLdrRef | RebaseProcess | NoDelayLoad );
if (!image)
{
std::wcout << L"Mapping failed with error 0x" << std::hex << image.status
<< L". " << Utils::GetErrorDescription( image.status ) << std::endl << std::endl;
}
else
std::wcout << L"Successfully mapped, unmapping\n";
VirtualFree( buf, 0, MEM_RELEASE );
thisProc.mmap().UnmapAllModules();
}
/// <summary>
/// Restore hooked function
/// </summary>
/// <returns>true on success, false if not hooked</returns>
bool Restore()
{
if (!this->_hooked)
return false;
switch (this->_type)
{
case HookType::Inline:
case HookType::InternalInline:
case HookType::Int3:
WriteProcessMemory( GetCurrentProcess(), this->_original, this->_origCode, this->_origSize, NULL );
break;
case HookType::HWBP:
{
Process thisProc;
thisProc.Attach( GetCurrentProcessId() );
for (auto& thd : thisProc.threads().getAll())
thd.RemoveHWBP( reinterpret_cast<ptr_t>(this->_original) );
this->_hwbpIdx.clear();
}
break;
default:
break;
}
this->_hooked = false;
return true;
}
void TestPatterns()
{
Process explorer;
std::vector<DWORD> procs;
std::vector<ptr_t> results;
std::wcout << L"Remote pattern match test. Using 'explorer.exe as a target'\n";
Process::EnumByName( L"explorer.exe", procs );
if (!procs.empty())
{
explorer.Attach( procs.front() );
auto pMainMod = explorer.modules().GetMainModule();
// Initialize patterns
PatternSearch ps1( "\x48\x89\xD1" );
PatternSearch ps2{ 0x56, 0x57, 0xCC, 0x55 };
// Scan all allocated process memory
std::wcout << L"Searching for '48 89 D1'... ";
ps1.SearchRemoteWhole( explorer, false, 0, results );
std::wcout << L"Found " << results.size() << L" results\n";
results.clear();
// Scan only inside 'explorer.exe' module
std::wcout << L"Searching for '56 57 ?? 55 using CC as a wildcard'... ";
ps2.SearchRemote( explorer, 0xCC, pMainMod->baseAddress, pMainMod->size, results );
std::wcout << L"Found " << results.size() << L" results\n\n";
results.clear();
}
else
std::wcout << L"Can't find explorer.exe, aborting\n\n";
}
/*
Try to map calc.exe into current process
*/
void MapCalcFromFile()
{
Process thisProc;
thisProc.Attach( GetCurrentProcessId() );
nativeMods.clear();
modList.clear();
nativeMods.emplace( L"combase.dll" );
nativeMods.emplace( L"user32.dll" );
if (WinVer().ver == Win7)
{
nativeMods.emplace( L"gdi32.dll" );
nativeMods.emplace( L"msvcr120.dll" );
nativeMods.emplace( L"msvcp120.dll" );
}
modList.emplace( L"windows.storage.dll" );
modList.emplace( L"shell32.dll" );
modList.emplace( L"shlwapi.dll" );
auto callback = []( CallbackType type, void* /*context*/, Process& /*process*/, const ModuleData& modInfo )
{
if(type == PreCallback)
{
if(nativeMods.count(modInfo.name))
return LoadData( MT_Native, Ldr_None );
}
else
{
if (modList.count( modInfo.name ))
return LoadData( MT_Default, Ldr_ModList );
}
return LoadData( MT_Default, Ldr_None );
};
std::wcout << L"Manual image mapping test" << std::endl;
std::wcout << L"Trying to map C:\\windows\\system32\\calc.exe into current process" << std::endl;
auto image = thisProc.mmap().MapImage( L"C:\\windows\\system32\\calc.exe", ManualImports | RebaseProcess, callback );
if (!image)
{
std::wcout << L"Mapping failed with error 0x" << std::hex << image.status
<< L". " << Utils::GetErrorDescription( image.status ) << std::endl << std::endl;
}
else
std::wcout << L"Successfully mapped, unmapping\n";
thisProc.mmap().UnmapAllModules();
}
int main( int /*argc*/, char* /*argv*/[] )
{
Process proc;
proc.Attach( GetCurrentProcessId() );
TestPEB( proc );
TestTEB( proc );
TestMultiPtr();
TestPatterns();
TestLocalHook();
TestRemoteCall();
TestRemoteHook();
TestDriver();
TestRemoteMem();
TestMMap();
return 0;
}
/// <summary>
/// Perform hardware breakpoint hook
/// </summary>
/// <returns>true on success</returns>
bool HookHWBP()
{
Process thisProc;
thisProc.Attach( GetCurrentProcessId() );
// Setup handler
if (this->_vecHandler == nullptr)
this->_vecHandler = AddVectoredExceptionHandler( 1, &DetourBase::VectoredHandler );
if (!this->_vecHandler)
return false;
this->_breakpoints.insert( std::make_pair( this->_original, (DetourBase*)this ) );
// Add breakpoint to every thread
for (auto& thd : thisProc.threads().getAll())
this->_hwbpIdx[thd.id()] = thd.AddHWBP( reinterpret_cast<ptr_t>(this->_original), hwbp_execute, hwbp_1 );
return this->_hooked = true;
}
/// <summary>
/// Restore hooked function
/// </summary>
/// <returns>true on success, false if not hooked</returns>
bool Restore()
{
if (!this->_hooked)
return false;
switch (this->_type)
{
case HookType::Inline:
case HookType::InternalInline:
case HookType::Int3:
{
DWORD flOld = 0;
if (!VirtualProtect(this->_original, this->_origSize, PAGE_EXECUTE_READWRITE, &flOld))
return false;
memcpy(this->_original, this->_origCode, this->_origSize);
VirtualProtect(this->_original, this->_origSize, flOld, &flOld);
}
break;
case HookType::HWBP:
{
Process thisProc;
thisProc.Attach( GetCurrentProcessId() );
for (auto& thd : thisProc.threads().getAll())
thd.RemoveHWBP( reinterpret_cast<ptr_t>(this->_original) );
this->_hwbpIdx.clear();
}
break;
default:
break;
}
this->_hooked = false;
return true;
}