Hi, I am from Belarus, that's why I don't write English well. I am not good at programming, I'm just learning how it works and trying to modify your code. So I have some questions related to the manual mapping topic. I will be grateful for any answers!
I read somewhere that erasing the DLL entry point makes injection harder to detect. Do you think this may help? I tried to implement it. The code is below. Please check it. Am I doing it right? Unfortunately I don't know how to check it.
Also I discovered that I can erase the PE header like this at the end of the Shellcode function:
    // end of the Shellcode function: call DllMain, then try to erase the PE header
    MappingData->DllEntryFunction(MappingData->TargetBase, DLL_PROCESS_ATTACH, nullptr);
    MappingData->ModuleHandle = reinterpret_cast<HINSTANCE>(MappingData->TargetBase);

    // attempt 1: zero the first 1024 bytes of the image ("working")
    int i = 1024;
    unsigned char* ptr = (unsigned char*)MappingData->TargetBase;
    while (i-- > 0)
    {
        *ptr++ = 0;
    }

    // attempt 2: continues from where attempt 1 stopped (ptr is not reset to TargetBase)
    // and re-reads SizeOfHeaders from the optional header on every iteration ("also working")
    while (ImageOptionalHeader->SizeOfHeaders-- > 0)
    {
        *ptr++ = 0;
    }

    // attempt 3 (tried on its own): zero SizeOfHeaders bytes starting at TargetBase ("doesn't work")
    unsigned char* ptr = (unsigned char*)MappingData->TargetBase;
    int i = ImageOptionalHeader->SizeOfHeaders;
    while (i-- > 0)
    {
        *ptr++ = 0;
    }
It's just a memset implementation. By brute force I found that "1024" erases the whole page and the target keeps working correctly. But sadly I can't understand how it works. When I pass "4096" or "SizeOfHeaders" my target crashes. The same situation with entry point erasing using the same memset method. Do you see the problem?
What does "adjust sections protection" actually do? As far as I understand, when we write the sections they all get "RWX" permissions after using "NtWriteVirtualMemory", and this function restores the "needed" permissions to be a bit stealthier. Please correct me if I am wrong.
Is it profitable to allocate "RW" each time I allocate memory, then change it via "NtProtectVirtualMemory" to what is needed ... do some work ... and set it to RW or R when the injection is finished? I tried to do this, but when I explore memory in ProcessHacker I see 2 "RWX" regions that were created after injection. They are the shellcode and my DLL without headers, so it's easy to find them by "RWX" because there is only RW, R and so on in my target process.
I still can't write my custom GetProcAddress correctly into the remote process. It crashes. I replaced "strcmp"; it works in the local process, but not in the remote one. Would you like to update your project and add this feature? :D
    // entry point erasing (the code referred to in the second paragraph): overwrite the
    // first 32 bytes at AddressOfEntryPoint in the target with zeros from ZeroBuffer
    NtWriteVirtualMemory(ProcessHandle, (BYTE*)TargetBase + ImageOptionalHeader->AddressOfEntryPoint, ZeroBuffer, 32, &oldp);
Thank u!
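A worked example for the header-erasing and "adjust sections protection" questions above. This is added editor code, not the poster's and not the injector project's. It builds without windows.h (the IMAGE_SCN_* and PAGE_* values are copied from winnt.h) and runs against a constructed in-memory PE32+ image rather than a remote process, so the NtProtectVirtualMemory/VirtualProtectEx calls are left as a comment. It shows two things. First, the section table and SizeOfHeaders must be read before the headers are zeroed: if ImageOptionalHeader points at the optional header inside the image at TargetBase, the post's second loop reads SizeOfHeaders only after the first loop has already zeroed it, so it "works" by doing nothing. Second, a zeroing loop whose length is not a small compile-time constant is routinely turned into a memset() call by the compiler; inside copied shellcode that call resolves to the injector's CRT, which is not mapped in the target, and a volatile pointer keeps the stores inline. "Adjust sections protection" is then just the mapping from each section's IMAGE_SCN_MEM_* flags to a PAGE_* value, applied after the image has been written into an RWX allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values copied from winnt.h so this builds without windows.h. */
#define IMAGE_SCN_MEM_EXECUTE  0x20000000u
#define IMAGE_SCN_MEM_READ     0x40000000u
#define IMAGE_SCN_MEM_WRITE    0x80000000u
#define PAGE_NOACCESS          0x01u
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

typedef struct { uint32_t rva, size, protect; } section_plan_t;

/* "Adjust sections protection": translate IMAGE_SCN_MEM_* flags into the PAGE_* value
 * that NtProtectVirtualMemory/VirtualProtectEx should set on that section. */
uint32_t section_protection(uint32_t ch) {
    int r = (ch & IMAGE_SCN_MEM_READ) != 0;
    int w = (ch & IMAGE_SCN_MEM_WRITE) != 0;
    int x = (ch & IMAGE_SCN_MEM_EXECUTE) != 0;
    if (x) return w ? PAGE_EXECUTE_READWRITE : (r ? PAGE_EXECUTE_READ : PAGE_EXECUTE);
    if (w) return PAGE_READWRITE;
    return r ? PAGE_READONLY : PAGE_NOACCESS;
}

/* SizeOfHeaders sits at offset 60 of the optional header in both PE32 and PE32+. */
uint32_t size_of_headers(const uint8_t *image) {
    const uint8_t *nt = image + rd32(image + 0x3C);
    return rd32(nt + 24 + 60);
}

/* Walk the section table. Must run before wipe_headers(): the table is part of the headers. */
int plan_section_protections(const uint8_t *image, section_plan_t *out, int max) {
    const uint8_t *nt = image + rd32(image + 0x3C);
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;          /* already wiped, or not a PE */
    uint16_t nsec = rd16(nt + 6), opt_size = rd16(nt + 20);
    const uint8_t *sec = nt + 24 + opt_size;
    int n = 0;
    for (uint16_t i = 0; i < nsec && n < max; ++i, sec += 40) {
        out[n].rva = rd32(sec + 12);                         /* VirtualAddress */
        out[n].size = rd32(sec + 8);                         /* VirtualSize */
        out[n].protect = section_protection(rd32(sec + 36)); /* Characteristics */
        ++n;
    }
    return n;
}

/* Zero the headers with stores the compiler cannot fold into a memset() call: in
 * position-independent shellcode that call would land on the injector's CRT, which is
 * not mapped in the target. (MSVC alternative: #pragma function(memset).) */
void wipe_headers(uint8_t *image, uint32_t size_of_hdrs) {
    volatile uint8_t *p = image;
    for (uint32_t i = 0; i < size_of_hdrs; ++i) p[i] = 0;
}

/* Post-entry-point clean-up in the right order: read the table, wipe, then protect. */
int finalize_image(uint8_t *image, section_plan_t *plan, int max) {
    int n = plan_section_protections(image, plan, max);
    if (n < 0) return n;
    uint32_t hdrs = size_of_headers(image);               /* read before the wipe */
    wipe_headers(image, hdrs);
    /* A real injector would now call NtProtectVirtualMemory(hProcess, base + plan[i].rva,
     * plan[i].size, plan[i].protect) per entry and drop the header page to PAGE_READONLY.
     * Left out here so the example runs without windows.h. */
    return n;
}

/* Constructed sample image (not a real DLL): 0x400 bytes of headers,
 * .text at RVA 0x1000 (RX) and .data at RVA 0x2000 (RW). */
#define SAMPLE_IMAGE_SIZE 0x3000
void build_sample_image(uint8_t *img) {
    memset(img, 0, SAMPLE_IMAGE_SIZE);                    /* host-side helper, memset is fine here */
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);                               /* e_lfanew */
    uint8_t *nt = img + 0x80;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 6, 2);                                      /* NumberOfSections */
    wr16(nt + 20, 240);                                   /* SizeOfOptionalHeader (PE32+) */
    uint8_t *opt = nt + 24;
    wr16(opt, 0x20B);                                     /* PE32+ magic */
    wr32(opt + 60, 0x400);                                /* SizeOfHeaders */
    uint8_t *sec = opt + 240;
    memcpy(sec, ".text\0\0\0", 8);
    wr32(sec + 8, 0x1000); wr32(sec + 12, 0x1000);
    wr32(sec + 36, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE);
    sec += 40;
    memcpy(sec, ".data\0\0\0", 8);
    wr32(sec + 8, 0x1000); wr32(sec + 12, 0x2000);
    wr32(sec + 36, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);
    img[0x1000] = 0xC3;                                   /* stand-in code byte */
    img[0x2000] = 0x42;                                   /* stand-in data byte */
}

int main(void) {
    static uint8_t img[SAMPLE_IMAGE_SIZE];
    section_plan_t plan[8];
    build_sample_image(img);
    int n = finalize_image(img, plan, 8);
    for (int i = 0; i < n; ++i)
        printf("section rva=0x%x size=0x%x protect=0x%02x\n", plan[i].rva, plan[i].size, plan[i].protect);
    printf("SizeOfHeaders read after the wipe: %u\n", size_of_headers(img));
    return 0;
}
```

Running it prints PAGE_EXECUTE_READ (0x20) for .text and PAGE_READWRITE (0x04) for .data, and then 0 for SizeOfHeaders, which is the value the post's second loop sees once the first loop has run. The same pattern answers the RW/RWX question: allocate the image RW, write it, apply these per-section protections, and keep a separate small RX region only for the shellcode stub, so nothing stays RWX after the mapper finishes.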
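For the custom GetProcAddress question: an added example of an export-table lookup written to survive being copied into a remote process. It is editor code, not the poster's and not the project's, and it assumes the module base is a pointer into the address space the code runs in (here a constructed in-memory PE32+ image with two exports, Alpha and Beta, instead of a real module). The two things that usually crash such a function in a remote process are a CRT call (strcmp, which the post already replaced) and a string literal: a "LoadLibraryA" in the injector's .rdata is not mapped in the target, so the name is built as a char array on the stack and compared inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Inline name compare: a strcmp() call inside copied shellcode resolves to the injector's
 * CRT, which is not mapped in the target process. */
static int names_equal(const char *a, const char *b) {
    while (*a && *a == *b) { ++a; ++b; }
    return *a == *b;
}

/* Position-independent GetProcAddress: returns the RVA of the export called `name` in the
 * module at `base`, or 0 if it is absent or forwarded. Reads only the module's own bytes. */
uint32_t pic_get_export_rva(const uint8_t *base, const char *name) {
    const uint8_t *nt = base + rd32(base + 0x3C);
    uint32_t dir = (rd16(nt + 24) == 0x20B) ? 112 : 96;   /* DataDirectory[0]: PE32+ vs PE32 */
    uint32_t exp_rva = rd32(nt + 24 + dir), exp_size = rd32(nt + 24 + dir + 4);
    if (exp_rva == 0) return 0;
    const uint8_t *exp = base + exp_rva;
    uint32_t nnames = rd32(exp + 24);                       /* NumberOfNames */
    const uint8_t *funcs = base + rd32(exp + 28);           /* AddressOfFunctions */
    const uint8_t *names = base + rd32(exp + 32);           /* AddressOfNames */
    const uint8_t *ords  = base + rd32(exp + 36);           /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < nnames; ++i) {
        if (!names_equal((const char *)(base + rd32(names + 4 * i)), name)) continue;
        uint32_t rva = rd32(funcs + 4 * rd16(ords + 2 * i));
        if (rva >= exp_rva && rva < exp_rva + exp_size) return 0;   /* forwarder string, not code */
        return rva;
    }
    return 0;
}

/* Constructed PE32+ image: export directory at RVA 0x1000 exporting Alpha (RVA 0x2000)
 * and Beta (RVA 0x2010). Not a real DLL; only the fields the lookup reads are filled in. */
#define EXPORT_IMAGE_SIZE 0x1100
void build_export_image(uint8_t *img) {
    memset(img, 0, EXPORT_IMAGE_SIZE);                      /* host-side helper */
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);                                 /* e_lfanew */
    uint8_t *nt = img + 0x80;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 20, 240);                                     /* SizeOfOptionalHeader */
    wr16(nt + 24, 0x20B);                                   /* PE32+ magic */
    wr32(nt + 24 + 112, 0x1000);                            /* export directory RVA */
    wr32(nt + 24 + 116, 0x100);                             /* export directory size */
    uint8_t *exp = img + 0x1000;
    wr32(exp + 16, 1);                                      /* Base ordinal */
    wr32(exp + 20, 2);                                      /* NumberOfFunctions */
    wr32(exp + 24, 2);                                      /* NumberOfNames */
    wr32(exp + 28, 0x1040);                                 /* AddressOfFunctions */
    wr32(exp + 32, 0x1050);                                 /* AddressOfNames */
    wr32(exp + 36, 0x1060);                                 /* AddressOfNameOrdinals */
    wr32(img + 0x1040, 0x2000); wr32(img + 0x1044, 0x2010); /* function RVAs */
    wr32(img + 0x1050, 0x1070); wr32(img + 0x1054, 0x1080); /* name string RVAs */
    wr16(img + 0x1060, 0);      wr16(img + 0x1062, 1);      /* ordinals */
    memcpy(img + 0x1070, "Alpha", 6);
    memcpy(img + 0x1080, "Beta", 5);
}

int main(void) {
    static uint8_t img[EXPORT_IMAGE_SIZE];
    build_export_image(img);
    /* Build the name on the stack: a "Beta" literal would live in this module's .rdata. */
    char want[] = { 'B', 'e', 't', 'a', 0 };
    printf("Beta -> RVA 0x%x\n", pic_get_export_rva(img, want));
    return 0;
}
```

In a real mapper the same function is called with the target's ntdll/kernel32 base (taken from the PEB's loader list) and the result is base plus the returned RVA; forwarded exports return 0 here and need a second lookup in the module the forwarder string names.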