Skip to content

Unhook kernel32!BaseThreadInitThunk #17

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Unhook kernel32!BaseThreadInitThunk #17

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
64091af
Fix kernel32!BaseThreadInitThunk if hooked in the target process
Mar 12, 2019
45af01c
Clean up indentation in Rva2Offset.
Mar 12, 2019
f5457c7
Respect coding style.
Mar 12, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 41 additions & 11 deletions inject/src/LoadLibraryR.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,16 +38,16 @@ DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )

pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);

if( dwRva < pSectionHeader[0].PointerToRawData )
return dwRva;

for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
{
if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )
return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
}
return 0;
if( dwRva < pSectionHeader[0].PointerToRawData )
return dwRva;

for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
{
if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )
return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
}

return 0;
}
//===============================================================================================//
DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
Expand Down Expand Up @@ -214,7 +214,37 @@ HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLeng
// write the image into the host process...
if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) )
break;


// check if kernel32!BaseThreadInitThunk is patched in the target process...
LPVOID lpBaseThreadInitThunk = GetProcAddress( GetModuleHandle( "kernel32" ), "BaseThreadInitThunk" );
if( lpBaseThreadInitThunk != NULL ) {
UCHAR ubCleanBytes[16];
SIZE_T szNumberRead = 0, szNumberWritten = 0;
BOOL bSuccess = FALSE;
DWORD dwOldProtect = 0;

// read our version of kernel32!BaseThreadInitThunk...
bSuccess = ReadProcessMemory( GetCurrentProcess( ), lpBaseThreadInitThunk, ubCleanBytes, sizeof( ubCleanBytes ), &szNumberRead );
if(bSuccess && szNumberRead == sizeof( ubCleanBytes )) {
// make the code writeable...
bSuccess = VirtualProtectEx(hProcess, lpBaseThreadInitThunk, sizeof( ubCleanBytes ), PAGE_EXECUTE_READWRITE, &dwOldProtect );
}

if( bSuccess ) {
// patch the bytes back...
bSuccess = WriteProcessMemory( hProcess, lpBaseThreadInitThunk, ubCleanBytes, sizeof( ubCleanBytes ), &szNumberWritten );
}

if( bSuccess && szNumberWritten == sizeof( ubCleanBytes ) ) {
// restore the page properties...
bSuccess = VirtualProtectEx( hProcess, lpBaseThreadInitThunk, sizeof( ubCleanBytes ), dwOldProtect, &dwOldProtect );
}

if( !bSuccess ) {
break;
}
}

// add the offset to ReflectiveLoader() to the remote library address...
lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset );

Expand Down