Nitr0-G / PeVisor

A project on the Unicorn emulator to emulate the code of Pe files in windows
MIT License

Started to initialize PEB structure #1

Open nogitsune-youkai opened 3 months ago

nogitsune-youkai commented 3 months ago

I started to initialize fields of PEB structure in InitTebPeb(), do not merge, this is work in progress

nogitsune-youkai commented 3 months ago

It seems that PEB_LDR_DATA structure fields are initialized in

void PeEmulation::InitLdrModuleList()

nogitsune-youkai commented 2 months ago
peb.ProcessHeap = (PVOID)m_HeapBase; // this is initialized to 0x0000000010000000

peb.ProcessHeap = NtCurrentPeb()->ProcessHeap; // this is initialized to 0x000002413f480000. Which one to keep?

Which peb.ProcessHeap should I keep? This field gets overwritten in peb.ProcessHeap = NtCurrentPeb()->ProcessHeap; but the values are different. It seems that the first time it's initialized with the heap base address, but the next time it's initialized with the plain address of ProcessHeap. Is there a big difference, and do we really need it?

Nitr0-G commented 2 months ago

So we need to use the dynamic addr of the heap (peb.ProcessHeap = NtCurrentPeb()->ProcessHeap; // this is initialized to 0x000002413f480000. Which one to keep?) to prevent detection of PeVisor, and you also need to emulate the Heap structure to avoid debugger detection by heap.

nogitsune-youkai commented 2 months ago

> So we need to use the dynamic addr of the heap (peb.ProcessHeap = NtCurrentPeb()->ProcessHeap; // this is initialized to 0x000002413f480000. Which one to keep?) to prevent detection of PeVisor, and you also need to emulate the Heap structure to avoid debugger detection by heap.

So if I get this right, we should go with my solution and use NtCurrentPeb()->ProcessHeap; instead of peb.ProcessHeap = (PVOID)m_HeapBase;. Right? Just to clarify.

Nitr0-G commented 2 months ago

> So we need to use the dynamic addr of the heap (peb.ProcessHeap = NtCurrentPeb()->ProcessHeap; // this is initialized to 0x000002413f480000. Which one to keep?) to prevent detection of PeVisor, and you also need to emulate the Heap structure to avoid debugger detection by heap.
>
> So if I get this right, we should go with my solution and use NtCurrentPeb()->ProcessHeap; instead of peb.ProcessHeap = (PVOID)m_HeapBase;. Right? Just to clarify.

Yeah, but for error-free and bug-free code, check all places which use the static m_HeapBase or peb.ProcessHeap.
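As an added example (not PeVisor's code) modelling the point both sides make above: whatever value is written to peb.ProcessHeap, the guest must actually have a heap mapped at that address, or emulated code that dereferences PEB->ProcessHeap faults on unmapped memory. GuestRegion, EmuPeb, HEAP_HEADER_BYTES and the function names are constructed stand-ins for the emulator's own structures, not Unicorn's or PeVisor's API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* A guest memory region as the emulator would have mapped it (constructed
 * stand-in, not Unicorn's own map type). */
typedef struct { uint64_t base; uint64_t size; } GuestRegion;

/* Minimal stand-in for the emulated PEB: only the field debated in the thread. */
typedef struct { uint64_t ProcessHeap; } EmuPeb;

/* Bytes of the _HEAP header the guest may read through PEB->ProcessHeap
 * (e.g. the Flags/ForceFlags words). Assumed value, large enough for any build. */
#define HEAP_HEADER_BYTES 0x100

/* True if [addr, addr+len) lies entirely inside one mapped guest region. */
static bool guest_mapped(const GuestRegion *map, size_t n, uint64_t addr, uint64_t len)
{
    if (addr + len < addr) return false;              /* wrap-around guard */
    for (size_t i = 0; i < n; i++)
        if (addr >= map[i].base && addr + len <= map[i].base + map[i].size)
            return true;
    return false;
}

/* The check the thread asks for: whatever value ends up in peb.ProcessHeap,
 * the guest must have a heap mapped there, otherwise the first dereference
 * by emulated code (e.g. reading heap flags) faults on unmapped memory. */
static bool peb_heap_consistent(const GuestRegion *map, size_t n, const EmuPeb *peb)
{
    return peb->ProcessHeap != 0 &&
           guest_mapped(map, n, peb->ProcessHeap, HEAP_HEADER_BYTES);
}

/* Publishes the host's dynamic heap address (the NtCurrentPeb()->ProcessHeap
 * route) and records an emulated heap region at that same guest address, so the
 * pointer is both non-static and backed by guest memory. Returns the new map size. */
static size_t publish_dynamic_heap(GuestRegion *map, size_t n, size_t cap,
                                   EmuPeb *peb, uint64_t host_heap, uint64_t heap_size)
{
    peb->ProcessHeap = host_heap;
    if (n < cap) map[n++] = (GuestRegion){ host_heap, heap_size };
    return n;
}
```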

nogitsune-youkai commented 2 months ago

> So we need to use the dynamic addr of the heap (peb.ProcessHeap = NtCurrentPeb()->ProcessHeap; // this is initialized to 0x000002413f480000. Which one to keep?) to prevent detection of PeVisor, and you also need to emulate the Heap structure to avoid debugger detection by heap.
>
> So if I get this right, we should go with my solution and use NtCurrentPeb()->ProcessHeap; instead of peb.ProcessHeap = (PVOID)m_HeapBase;. Right? Just to clarify.
>
> Yeah, but for error-free and bug-free code, check all places which use the static m_HeapBase or peb.ProcessHeap.

Gotcha

nogitsune-youkai commented 2 months ago

Hmm, it seems that I forgot to initialize the fields inside unions, need to fix it.