DarthTon / Blackbone

Windows memory hacking library
MIT License

Add check, when ZwAllocateVirtualMemory == STATUS_DYNAMIC_CODE_BLOCKED #476

Open Kosmonit opened 3 years ago

Kosmonit commented 3 years ago

Comrades, thanks for the cool project!

There are several errors that I have found. Please make changes to the code.

Functions BBGetWow64Code() and BBGetNativeCode() (in file Inject.c) may return 0. It happens when: status = ZwAllocateVirtualMemory == STATUS_DYNAMIC_CODE_BLOCKED. Please add a check; I did it like this:

[Inject.c]


...

    SIZE_T size = 0;
    PINJECT_BUFFER pUserBuf = isWow64 ? BBGetWow64Code( LdrLoadDll, &ustrPath ) : BBGetNativeCode( LdrLoadDll, &ustrPath );

    //////////////////////////////////////////////////////////////////////////
    // MY_PATCH
    //////////////////////////////////////////////////////////////////////////
    // Failed to allocate memory
    if (pUserBuf == NULL)
    {
        pData->type = -1;
        status = STATUS_DYNAMIC_CODE_BLOCKED;
    }
    //////////////////////////////////////////////////////////////////////////

...

    else if (pData->type == IT_Apc)
    {
        status = BBApcInject( pUserBuf, pProcess, pData->initRVA, pData->initArg );
    }
    //////////////////////////////////////////////////////////////////////////
    // MY_PATCH
    //////////////////////////////////////////////////////////////////////////
    else if (pData->type == -1)
    {
        DPRINT("[BlackBone][-] Failed injection process return - STATUS_DYNAMIC_CODE_BLOCKED \n");
    }
    //////////////////////////////////////////////////////////////////////////
    else
    {
        DPRINT( "BlackBone: %s: Invalid injection type specified - %d\n", __FUNCTION__, pData->type );
        status = STATUS_INVALID_PARAMETER;
    }

...

                __except (EXCEPTION_EXECUTE_HANDLER)
                {
                    DPRINT( "BlackBone: %s: Exception during PE header erease: 0x%X\n", __FUNCTION__, GetExceptionCode() );
                }
            }
        }

        //////////////////////////////////////////////////////////////////////////
        // MY_PATCH
        //////////////////////////////////////////////////////////////////////////
        if (pUserBuf)
            ZwFreeVirtualMemory( ZwCurrentProcess(), &pUserBuf, &size, MEM_RELEASE );
        //////////////////////////////////////////////////////////////////////////
    }

Fplyth0ner-Combie commented 2 years ago

Thank you