From 64091afe663c3e86654c6c0232a515a4e4d5ea04 Mon Sep 17 00:00:00 2001
From: 0vercl0k <0vercl0k@tuxfamily.org>
Date: Mon, 11 Mar 2019 19:27:40 -0700
Subject: [PATCH 1/3] Fix kernel32!BaseThreadInitThunk if hooked in the target process (Firefox does that).

---
 inject/src/LoadLibraryR.c | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/inject/src/LoadLibraryR.c b/inject/src/LoadLibraryR.c
index db73903..b13bf37 100644
--- a/inject/src/LoadLibraryR.c
+++ b/inject/src/LoadLibraryR.c
@@ -214,7 +214,37 @@ HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLeng
 // write the image into the host process...
 if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) )
 break;
-
+
+ // check if kernel32!BaseThreadInitThunk is patched in the target process...
+ LPVOID lpBaseThreadInitThunk = GetProcAddress( GetModuleHandle( "kernel32" ), "BaseThreadInitThunk" );
+ if( lpBaseThreadInitThunk != NULL ) {
+ UCHAR CleanBytes[16];
+ SIZE_T szNumberRead = 0, szNumberWritten = 0;
+ BOOL bSuccess = FALSE;
+ DWORD dwOldProtect = 0;
+
+ // read our version of kernel32!BaseThreadInitThunk...
+ bSuccess = ReadProcessMemory( GetCurrentProcess( ), lpBaseThreadInitThunk, CleanBytes, sizeof( CleanBytes ), &szNumberRead );
+ if(bSuccess && szNumberRead == sizeof( CleanBytes )) {
+ // make the code writeable...
+ bSuccess = VirtualProtectEx(hProcess, lpBaseThreadInitThunk, sizeof( CleanBytes ), PAGE_EXECUTE_READWRITE, &dwOldProtect );
+ }
+
+ if( bSuccess ) {
+ // patch the bytes back...
+ bSuccess = WriteProcessMemory( hProcess, lpBaseThreadInitThunk, CleanBytes, sizeof( CleanBytes ), &szNumberWritten );
+ }
+
+ if( bSuccess && szNumberWritten == sizeof( CleanBytes ) ) {
+ // restore the page properties...
+ bSuccess = VirtualProtectEx( hProcess, lpBaseThreadInitThunk, sizeof( CleanBytes ), dwOldProtect, &dwOldProtect );
+ }
+
+ if( !bSuccess ) {
+ break;
+ }
+ }
+
 // add the offset to ReflectiveLoader() to the remote library address...
 lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset );
 

From 45af01ce1411c8beb1b7e7cfd9f4a96de1ac680d Mon Sep 17 00:00:00 2001
From: 0vercl0k <0vercl0k@tuxfamily.org>
Date: Mon, 11 Mar 2019 19:28:21 -0700
Subject: [PATCH 2/3] Clean up indentation in Rva2Offset.

---
 inject/src/LoadLibraryR.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

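Review bot: A short read or short write is treated as success in the new block: if `ReadProcessMemory( GetCurrentProcess( ), ... )` returns TRUE with `szNumberRead` below `sizeof( CleanBytes )`, the VirtualProtectEx is skipped but `if( bSuccess )` still runs WriteProcessMemory and pushes the uninitialized tail of `CleanBytes` into the target's kernel32, and a TRUE WriteProcessMemory with a short `szNumberWritten` skips the protection restore, leaves the page RWX and never reaches the `break`. Folding each byte count into `bSuccess` right after the call, and restoring `dwOldProtect` whether or not the write succeeded, closes both holes. The comment says "check if kernel32!BaseThreadInitThunk is patched" but nothing compares the target's bytes before overwriting — reading the remote 16 bytes and `memcmp`-ing them against ours first leaves an unhooked kernel32 alone (the unconditional write also presumably turns that shared image page private in every injected process, which is easy for a defender to spot). Separately, the address is resolved with the injector's own `GetModuleHandle( "kernel32" )` and is only correct if the target maps kernel32 at the same base, i.e. same bitness — worth a comment or a check — and the displaced hook is never reinstated once the remote thread is running. LoadRemoteLibraryR starts and ends outside this hunk.
```c
    UCHAR CleanBytes[16], RemoteBytes[16];
    // … unchanged: szNumberRead / szNumberWritten / bSuccess / dwOldProtect declarations …

    // read our version of kernel32!BaseThreadInitThunk; a short read is a failure too...
    bSuccess = ReadProcessMemory( GetCurrentProcess( ), lpBaseThreadInitThunk, CleanBytes, sizeof( CleanBytes ), &szNumberRead )
            && szNumberRead == sizeof( CleanBytes );

    // read the target's copy so we only write when it actually differs from ours...
    if( bSuccess ) {
        bSuccess = ReadProcessMemory( hProcess, lpBaseThreadInitThunk, RemoteBytes, sizeof( RemoteBytes ), &szNumberRead )
                && szNumberRead == sizeof( RemoteBytes );
    }

    if( bSuccess && memcmp( CleanBytes, RemoteBytes, sizeof( CleanBytes ) ) != 0 ) {
        // make the code writeable...
        bSuccess = VirtualProtectEx( hProcess, lpBaseThreadInitThunk, sizeof( CleanBytes ), PAGE_EXECUTE_READWRITE, &dwOldProtect );

        if( bSuccess ) {
            // patch the bytes back; a short write is a failure too...
            bSuccess = WriteProcessMemory( hProcess, lpBaseThreadInitThunk, CleanBytes, sizeof( CleanBytes ), &szNumberWritten )
                    && szNumberWritten == sizeof( CleanBytes );

            // restore the page properties even when the write failed, so the page never stays RWX...
            if( !VirtualProtectEx( hProcess, lpBaseThreadInitThunk, sizeof( CleanBytes ), dwOldProtect, &dwOldProtect ) )
                bSuccess = FALSE;
        }
    }
    // … unchanged: if( !bSuccess ) break; …
```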
diff --git a/inject/src/LoadLibraryR.c b/inject/src/LoadLibraryR.c
index b13bf37..979553e 100644
--- a/inject/src/LoadLibraryR.c
+++ b/inject/src/LoadLibraryR.c
@@ -38,16 +38,16 @@ DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
 
 pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
 
- if( dwRva < pSectionHeader[0].PointerToRawData )
- return dwRva;
-
- for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
- {
- if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )
- return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
- }
-
- return 0;
+ if( dwRva < pSectionHeader[0].PointerToRawData )
+ return dwRva;
+
+ for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
+ {
+ if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )
+ return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
+ }
+
+ return 0;
 }
 //===============================================================================================//
 DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )

From f5457c7d4fce5f6f98520a6620347a4b8f1c4fe8 Mon Sep 17 00:00:00 2001
From: 0vercl0k <0vercl0k@tuxfamily.org>
Date: Mon, 11 Mar 2019 19:36:01 -0700
Subject: [PATCH 3/3] Respect coding style.

---
 inject/src/LoadLibraryR.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/inject/src/LoadLibraryR.c b/inject/src/LoadLibraryR.c
index 979553e..563cf21 100644
--- a/inject/src/LoadLibraryR.c
+++ b/inject/src/LoadLibraryR.c
@@ -218,26 +218,26 @@ HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLeng
 // check if kernel32!BaseThreadInitThunk is patched in the target process...
 LPVOID lpBaseThreadInitThunk = GetProcAddress( GetModuleHandle( "kernel32" ), "BaseThreadInitThunk" );
 if( lpBaseThreadInitThunk != NULL ) {
- UCHAR CleanBytes[16];
+ UCHAR ubCleanBytes[16];
 SIZE_T szNumberRead = 0, szNumberWritten = 0;
 BOOL bSuccess = FALSE;
 DWORD dwOldProtect = 0;
 
 // read our version of kernel32!BaseThreadInitThunk...
- bSuccess = ReadProcessMemory( GetCurrentProcess( ), lpBaseThreadInitThunk, CleanBytes, sizeof( CleanBytes ), &szNumberRead );
- if(bSuccess && szNumberRead == sizeof( CleanBytes )) {
+ bSuccess = ReadProcessMemory( GetCurrentProcess( ), lpBaseThreadInitThunk, ubCleanBytes, sizeof( ubCleanBytes ), &szNumberRead );
+ if(bSuccess && szNumberRead == sizeof( ubCleanBytes )) {
 // make the code writeable...
- bSuccess = VirtualProtectEx(hProcess, lpBaseThreadInitThunk, sizeof( CleanBytes ), PAGE_EXECUTE_READWRITE, &dwOldProtect );
+ bSuccess = VirtualProtectEx(hProcess, lpBaseThreadInitThunk, sizeof( ubCleanBytes ), PAGE_EXECUTE_READWRITE, &dwOldProtect );
 }
 
 if( bSuccess ) {
 // patch the bytes back...
- bSuccess = WriteProcessMemory( hProcess, lpBaseThreadInitThunk, CleanBytes, sizeof( CleanBytes ), &szNumberWritten );
+ bSuccess = WriteProcessMemory( hProcess, lpBaseThreadInitThunk, ubCleanBytes, sizeof( ubCleanBytes ), &szNumberWritten );
 }
 
- if( bSuccess && szNumberWritten == sizeof( CleanBytes ) ) {
+ if( bSuccess && szNumberWritten == sizeof( ubCleanBytes ) ) {
 // restore the page properties...
- bSuccess = VirtualProtectEx( hProcess, lpBaseThreadInitThunk, sizeof( CleanBytes ), dwOldProtect, &dwOldProtect );
+ bSuccess = VirtualProtectEx( hProcess, lpBaseThreadInitThunk, sizeof( ubCleanBytes ), dwOldProtect, &dwOldProtect );
 }
 
 if( !bSuccess ) {