Retrieve True Bytes of a Function

c++ / delphi package - dll injection and api hooking

Re: Retrieve True Bytes of a Function

Postby pambol » Wed Jul 18, 2018 3:29 am

iconic wrote:I've already explained how to do this in my previous post. As Madshi mentioned earlier as well, you can use WriteProcessMemory on the target process (you don't need a previous call to VirtualProtectEx because WriteProcessMemory already does this internally by protecting with PAGE_EXECUTE_READWRITE and will also even flush the icache after modifying the memory). Map the target module as executable in your process, adjust the RVA to the new mapped base in your process and then read in the original bytes. After this is done simply write these original bytes back to the target(s) in the other process(es). That's it


--Iconic


I already do it, I just thought there was another way.
Thanks.

Do you know how to query a handle to get its name? When I query a handle whose ObjectType = 7 (Process),
I need to know what PID it is opening.

Something like this:

// Query the name of an object handle (the fragment above made into a complete routine).
// Assumes PObjectNameInformation points to a record whose Name member is a UNICODE_STRING.
function QueryObjectName(hObject: THandle): UnicodeString;
var
  ReturnSize2: ULONG;
  ONI2: PObjectNameInformation;
  Status2: NTSTATUS;
begin
  Result := '';
  ReturnSize2 := 0;
  // First call with a nil buffer only reports the size that is needed
  NtQueryObject(hObject, ObjectNameInformation, nil, 0, @ReturnSize2);
  if ReturnSize2 = 0 then Exit;
  ONI2 := VirtualAlloc(nil, ReturnSize2, MEM_COMMIT, PAGE_READWRITE);
  if Assigned(ONI2) then
  begin
    Status2 := NtQueryObject(hObject, ObjectNameInformation, ONI2, ReturnSize2, @ReturnSize2);
    if NT_SUCCESS(Status2) then
      // UNICODE_STRING.Length is in bytes and the buffer is not NUL-terminated,
      // so copy exactly Length div 2 WideChars instead of assigning the PWideChar
      SetString(Result, ONI2^.Name.Buffer, ONI2^.Name.Length div SizeOf(WideChar));
    VirtualFree(ONI2, 0, MEM_RELEASE);
  end;
end;

But how do I retrieve the PID that this (Process) handle is opening?
pambol
 
Posts: 23
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Postby iconic » Wed Jul 18, 2018 8:00 am

iconic
 
Posts: 840
Joined: Wed Jun 08, 2005 5:08 am

Re: Retrieve True Bytes of a Function

Postby madshi » Wed Jul 18, 2018 8:02 am

Iconic is right, of course. And there's also this:

http://help.madshi.net/mchTools.htm#ProcessIdToFileName
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Retrieve True Bytes of a Function

Postby pambol » Thu Jul 19, 2018 1:01 am

iconic wrote:http://help.madshi.net/ProcessHandleToId.htm

--Iconic



That's exactly what I'm looking for. Do you know if MCH has some function to enumerate all open handles instead of using NtQuerySystemInformation with SystemHandleInformation?
pambol
 
Posts: 23
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Postby madshi » Thu Jul 19, 2018 6:47 am

Nope.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Retrieve True Bytes of a Function

Postby iconic » Thu Jul 19, 2018 5:54 pm

@pambol

Google search is your friend

https://stackoverflow.com/questions/157 ... pplication

--Iconic
iconic
 
Posts: 840
Joined: Wed Jun 08, 2005 5:08 am

Re: Retrieve True Bytes of a Function

Postby pambol » Thu Jul 19, 2018 7:07 pm

iconic wrote:@pambol

Google search is your friend

https://stackoverflow.com/questions/157 ... pplication

--Iconic


Already solved, thanks.
Another little question: is it possible to determine if a process X is from Windows? Like explorer, to detect if other people run some application with the same name as one used by Windows.
Using its path is one method: check if it is c:\Windows\explorer.exe, since it is impossible to put 2 explorer.exe in the Windows folder.
pambol
 
Posts: 23
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Postby iconic » Fri Jul 20, 2018 6:15 am

iconic
 
Posts: 840
Joined: Wed Jun 08, 2005 5:08 am

Re: Retrieve True Bytes of a Function

Postby pambol » Sat Jul 21, 2018 1:16 pm

iconic wrote:https://docs.microsoft.com/en-us/windows/desktop/api/sfc/nf-sfc-sfcisfileprotected

--Iconic


Do you know why the same handles that are listed in the x86 application are not listed in the x64 application?
I built an example on x86 that shows some handles, and the same application built as x64 doesn't show the same handles as the x86 one.

:(
pambol
 
Posts: 23
Joined: Sat Jun 23, 2018 1:15 am

Re: Retrieve True Bytes of a Function

Postby iconic » Sun Jul 22, 2018 4:38 am

@pambol,

You're likely not using the proper structure member sizes. On x64 you need ULONG_PTR for most of it, even if the target is 32-bit, otherwise the underlying OS has no idea what the bitdepth is of whatever value you're attempting to acquire from 32-bit world within a 64-bit process. Keep in mind the memory addressing and address space itself in 64-bit mode is VERY different as opposed to your familiar x86/32-bit world. I think at this point this topic has gone off topic and no longer reflects questions about madCodeHook's RestoreCode() API. Best of luck to you


--Iconic
iconic
 
Posts: 840
Joined: Wed Jun 08, 2005 5:08 am
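Iconic's point about structure member sizes, as an added host-independent model (not madCodeHook's code nor anything posted in this thread): the legacy SYSTEM_HANDLE_INFORMATION layout has 4 bytes of padding before the first entry and 8 more bytes per entry on x64, so decoding a 64-bit buffer with the 32-bit offsets reads padding and neighbouring fields instead of the real PID and handle value. The offsets follow the public definition, the two sample handles (ObjectTypeIndex 7, as above) are constructed, and nothing here calls the real API.

```c
#include <stdint.h>
#include <string.h>

/* Byte offsets of the legacy SYSTEM_HANDLE_INFORMATION layout (ULONG count, then
 * SYSTEM_HANDLE_TABLE_ENTRY_INFO entries). Field order is the same on x86 and x64;
 * the pointer-sized Object member and the padding that aligns it move the rest.
 * Constructed model for any little-endian host, not a call into the real API. */
typedef struct {
    size_t first_entry, entry_size;             /* offset of Handles[0], stride */
    size_t pid, type, handle, object, access;   /* offsets inside one entry     */
} HandleLayout;
static const HandleLayout LAYOUT_X86 = { 4, 16, 0, 4, 6, 8, 12 };
static const HandleLayout LAYOUT_X64 = { 8, 24, 0, 4, 6, 8, 16 };
typedef struct { uint16_t pid; uint8_t type; uint16_t handle; uint64_t object; uint32_t access; } HandleEntry;

/* Fill buf the way the kernel would for the bitness L describes (PVOID is 4 or 8 bytes). */
static size_t build_handle_info(const HandleLayout *L, const HandleEntry *e, uint32_t n, uint8_t *buf)
{
    size_t total = L->first_entry + n * L->entry_size;
    memset(buf, 0, total);
    memcpy(buf, &n, sizeof n);
    for (uint32_t i = 0; i < n; i++) {
        uint8_t *p = buf + L->first_entry + i * L->entry_size;
        memcpy(p + L->pid, &e[i].pid, 2);       memcpy(p + L->type, &e[i].type, 1);
        memcpy(p + L->handle, &e[i].handle, 2); memcpy(p + L->object, &e[i].object, L->entry_size == 16 ? 4 : 8);
        memcpy(p + L->access, &e[i].access, 4);
    }
    return total;
}

/* Decode entry i with the layout the caller *believes* applies. */
static HandleEntry read_handle_entry(const HandleLayout *L, const uint8_t *buf, uint32_t i)
{
    HandleEntry e = {0};
    const uint8_t *p = buf + L->first_entry + i * L->entry_size;
    memcpy(&e.pid, p + L->pid, 2);       memcpy(&e.type, p + L->type, 1);
    memcpy(&e.handle, p + L->handle, 2); memcpy(&e.object, p + L->object, L->entry_size == 16 ? 4 : 8);
    memcpy(&e.access, p + L->access, 4);
    return e;
}

/* Constructed sample: two type-7 handles as a 64-bit kernel returns them, decoded with layout L. */
static HandleEntry sample_entry(const HandleLayout *L, uint32_t i)
{
    static const HandleEntry in[2] = { { 4, 7, 0x1c, 0xffff80001234ULL, 0x1fffff },
                                       { 1234, 7, 0x40, 0xffff80005678ULL, 0x1000 } };
    uint8_t buf[8 + 2 * 24];
    build_handle_info(&LAYOUT_X64, in, 2, buf);
    return read_handle_entry(L, buf, i);
}
```

Decoding the same buffer with LAYOUT_X86 returns PID 0 for the first entry (it is reading the header padding) and 0xffff for the second (a slice of the previous entry's Object pointer), which is the kind of mismatch described above.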

Re: Retrieve True Bytes of a Function

Postby pambol » Mon Jul 23, 2018 10:55 pm

iconic wrote:@pambol,

You're likely not using the proper structure member sizes. On x64 you need ULONG_PTR for most of it, even if the target is 32-bit, otherwise the underlying OS has no idea what the bitdepth is of whatever value you're attempting to acquire from 32-bit world within a 64-bit process. Keep in mind the memory addressing and address space itself in 64-bit mode is VERY different as opposed to your familiar x86/32-bit world. I think at this point this topic has gone off topic and no longer reflects questions about madCodeHook's RestoreCode() API. Best of luck to you


--Iconic


Changed the structure vars to x64, but it's still not showing the same results as x86.
pambol
 
Posts: 23
Joined: Sat Jun 23, 2018 1:15 am
