
Re: Retrieve True Bytes of a Function

Posted: Wed Jul 18, 2018 3:29 am
by pambol
iconic wrote:I've already explained how to do this in my previous post. As Madshi mentioned earlier as well, you can use WriteProcessMemory on the target process (you don't need a previous call to VirtualProtectEx because WriteProcessMemory already does this internally by protecting with PAGE_EXECUTE_READWRITE and will also even flush the icache after modifying the memory). Map the target module as executable in your process, adjust the RVA to the new mapped base in your process and then read in the original bytes. After this is done simply write these original bytes back to the target(s) in the other process(es). That's it


--Iconic
I already do it, I just thought there was another way.
Thanks.

Do you know how to query a handle to get its name? When I query a handle whose ObjectType = 7 (Process),
I need to know which PID it is opening.

Something like that:

function QueryHandleName(hObject: THandle): UnicodeString;
var
  ReturnSize2: ULONG;
  ONI2: POBJECT_NAME_INFORMATION;
  Status2: NTSTATUS;
begin
  Result := '';
  ReturnSize2 := 0;
  // first call only asks for the required size (it returns STATUS_INFO_LENGTH_MISMATCH)
  NtQueryObject(hObject, ObjectNameInformation, nil, 0, @ReturnSize2);
  if ReturnSize2 = 0 then Exit;
  ONI2 := VirtualAlloc(nil, ReturnSize2, MEM_COMMIT, PAGE_READWRITE);
  if Assigned(ONI2) then
  begin
    Status2 := NtQueryObject(hObject, ObjectNameInformation, ONI2, ReturnSize2, @ReturnSize2);
    // UNICODE_STRING.Length is in bytes, not characters, and Buffer is not zero-terminated,
    // so copy exactly that many WideChars instead of assigning the raw pointer
    if NT_SUCCESS(Status2) and (ONI2^.Name.Buffer <> nil) then
      SetString(Result, ONI2^.Name.Buffer, ONI2^.Name.Length div SizeOf(WideChar));
    VirtualFree(ONI2, 0, MEM_RELEASE);
  end;
end;

But how do I retrieve the PID that this (Process) handle is opening?

Re: Retrieve True Bytes of a Function

Posted: Wed Jul 18, 2018 8:00 am
by iconic

Re: Retrieve True Bytes of a Function

Posted: Wed Jul 18, 2018 8:02 am
by madshi
Iconic is right, of course. And there's also this:

http://help.madshi.net/mchTools.htm#ProcessIdToFileName

Re: Retrieve True Bytes of a Function

Posted: Thu Jul 19, 2018 1:01 am
by pambol

That's exactly what I'm looking for. Do you know if MCH has some function to enumerate all open handles instead of using NtQuerySystemInformation with SystemHandleInformation?

Re: Retrieve True Bytes of a Function

Posted: Thu Jul 19, 2018 6:47 am
by madshi
Nope.

Re: Retrieve True Bytes of a Function

Posted: Thu Jul 19, 2018 5:54 pm
by iconic
@pambol

Google search is your friend

https://stackoverflow.com/questions/157 ... pplication

--Iconic

Re: Retrieve True Bytes of a Function

Posted: Thu Jul 19, 2018 7:07 pm
by pambol
iconic wrote:@pambol

Google search is your friend

https://stackoverflow.com/questions/157 ... pplication

--Iconic
Already solved, thanks.
Another little question: is it possible to determine if a process X is from Windows? Like explorer, to detect if other people run some application with the same name as the one used by Windows.
Using its path is one method: check if it is c:\Windows\explorer.exe, since it is impossible to put 2 explorer.exe files in the Windows folder.

Re: Retrieve True Bytes of a Function

Posted: Fri Jul 20, 2018 6:15 am
by iconic

Re: Retrieve True Bytes of a Function

Posted: Sat Jul 21, 2018 1:16 pm
by pambol
Do you know why the same handles that are listed in an x86 application are not listed in an x64 application?
I built an example on x86 that shows some handles, and the same application built as x64 doesn't show the same handles as the x86 one.

:(

Re: Retrieve True Bytes of a Function

Posted: Sun Jul 22, 2018 4:38 am
by iconic
@pambol,

You're likely not using the proper structure member sizes. On x64 you need ULONG_PTR for most of it, even if the target is 32-bit, otherwise the underlying OS has no idea what the bitdepth is of whatever value you're attempting to acquire from 32-bit world within a 64-bit process. Keep in mind the memory addressing and address space itself in 64-bit mode is VERY different as opposed to your familiar x86/32-bit world. I think at this point this topic has gone off topic and no longer reflects questions about madCodeHook's RestoreCode() API. Best of luck to you


--Iconic
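The two open questions in this thread (pambol's "which PID does this process handle refer to?" and iconic's point that the handle-table structures must use pointer-sized fields on x64) can be shown together in one small console program. The following is an added example written for this thread, not madCodeHook code and not anything iconic or madshi posted. It assumes the layout of SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX / SYSTEM_HANDLE_INFORMATION_EX and the information class value 64 (SystemExtendedHandleInformation) as published in reverse-engineered NT headers; those are undocumented, so treat them as an assumption. GetProcessId is the documented Win32 API that answers pambol's PID question once the handle has been duplicated into our own process. Program and function names are mine.

```delphi
program HandleTargets;
{$APPTYPE CONSOLE}
{$ALIGN 8}          // natural alignment, so pointer-sized members land where the kernel writes them
{$RANGECHECKS OFF}

uses
  Windows, SysUtils;

const
  SystemExtendedHandleInformation   = 64;                 // SYSTEM_INFORMATION_CLASS (assumed, undocumented)
  STATUS_INFO_LENGTH_MISMATCH       = Integer($C0000004);
  PROCESS_QUERY_LIMITED_INFORMATION = $1000;

type
  NTSTATUS = Integer;
  // SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX (layout assumed from public NT headers): the id and
  // handle fields are ULONG_PTR, so one declaration is right for both builds
  // (28 bytes on x86, 40 bytes on x64). Declaring them as Cardinal breaks the x64 build.
  TSystemHandleTableEntryInfoEx = record
    ObjectAddress: Pointer;
    UniqueProcessId, HandleValue: NativeUInt;
    GrantedAccess: Cardinal;
    CreatorBackTraceIndex, ObjectTypeIndex: Word;
    HandleAttributes, Reserved: Cardinal;
  end;
  PSystemHandleTableEntryInfoEx = ^TSystemHandleTableEntryInfoEx;
  TSystemHandleInformationEx = record
    NumberOfHandles, Reserved: NativeUInt;
    Handles: array[0..0] of TSystemHandleTableEntryInfoEx;  // NumberOfHandles entries follow
  end;
  PSystemHandleInformationEx = ^TSystemHandleInformationEx;

function NtQuerySystemInformation(InfoClass: Cardinal; Buffer: Pointer; Len: Cardinal;
  ReturnLen: PCardinal): NTSTATUS; stdcall; external 'ntdll.dll';
function GetProcessId(Process: THandle): DWORD; stdcall; external kernel32;

// Snapshot the system handle table, growing the buffer until ntdll accepts it.
function QuerySystemHandles: PSystemHandleInformationEx;
var
  Size, Needed: Cardinal;
  Status: NTSTATUS;
begin
  Size := 1024 * 1024;
  repeat
    Result := AllocMem(Size);
    Needed := 0;
    Status := NtQuerySystemInformation(SystemExtendedHandleInformation, Result, Size, @Needed);
    if Status >= 0 then Exit;                        // success: the caller frees Result
    FreeMem(Result);
    Result := nil;
    if Needed > Size then Size := Needed + 64 * 1024 // the table keeps growing while we look
                     else Size := Size * 2;
  until Status <> STATUS_INFO_LENGTH_MISMATCH;       // any other failure: return nil
end;

// Duplicate one of hOwner's handles into this process and ask the OS which PID it refers
// to. GetProcessId fails (returns 0) when the duplicated handle is not a process handle.
function TargetPidOfHandle(hOwner: THandle; HandleValue: NativeUInt): DWORD;
var
  hDup: THandle;
begin
  Result := 0;
  if DuplicateHandle(hOwner, THandle(HandleValue), GetCurrentProcess, @hDup,
                     PROCESS_QUERY_LIMITED_INFORMATION, False, 0) then
  begin
    Result := GetProcessId(hDup);
    CloseHandle(hDup);
  end;
end;

var
  OwnerPid, TargetPid: DWORD;
  hOwner: THandle;
  Info: PSystemHandleInformationEx;
  Entry: PSystemHandleTableEntryInfoEx;
  I: Integer;
begin
  OwnerPid := StrToIntDef(ParamStr(1), GetCurrentProcessId);   // PID to inspect, default: self
  hOwner := OpenProcess(PROCESS_DUP_HANDLE, False, OwnerPid);
  Info := QuerySystemHandles;
  if (hOwner = 0) or (Info = nil) then
  begin
    Writeln('cannot open PID ', OwnerPid, ' or query the handle table, error ', GetLastError);
    Halt(1);
  end;
  Entry := @Info^.Handles[0];
  for I := 0 to Integer(Info^.NumberOfHandles) - 1 do
  begin
    if Entry^.UniqueProcessId = OwnerPid then          // only the handles this PID owns
    begin
      TargetPid := TargetPidOfHandle(hOwner, Entry^.HandleValue);
      if TargetPid <> 0 then
        Writeln(Format('handle 0x%x (type %d, access 0x%.8x) -> process PID %d',
          [Int64(Entry^.HandleValue), Entry^.ObjectTypeIndex, Entry^.GrantedAccess, TargetPid]));
    end;
    Inc(Entry);
  end;
  FreeMem(Info);
  CloseHandle(hOwner);
end.
```

Build it once as x86 and once as x64 and the entry size printed by SizeOf changes while the output for the same PID stays the same; that is the check for the symptom pambol describes, since a record declared with Cardinal members gives the right size on x86 only and makes every entry after the first misaligned on x64. Two caveats: OpenProcess with PROCESS_DUP_HANDLE fails for protected and higher-integrity processes unless the caller is elevated, so the listing is only complete under an account that can open the owner; and the ObjectTypeIndex value is not guaranteed to be the same across Windows versions, so the "7 = Process" assumption from earlier in the thread should be replaced by reading ObjectTypeInformation for a known process handle, which is why this example relies on GetProcessId rather than on the type index.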

Re: Retrieve True Bytes of a Function

Posted: Mon Jul 23, 2018 10:55 pm
by pambol
iconic wrote:@pambol,

You're likely not using the proper structure member sizes. On x64 you need ULONG_PTR for most of it, even if the target is 32-bit, otherwise the underlying OS has no idea what the bitdepth is of whatever value you're attempting to acquire from 32-bit world within a 64-bit process. Keep in mind the memory addressing and address space itself in 64-bit mode is VERY different as opposed to your familiar x86/32-bit world. I think at this point this topic has gone off topic and no longer reflects questions about madCodeHook's RestoreCode() API. Best of luck to you


--Iconic
Changed the structure vars to x64, but it still doesn't show the same results as x86.