YuriSizuku / win-MemoryModule

A flexible PE loader, loading module in memory. Most of the functions can be inline, compatible for shellcode.
MIT License
172 stars, 66 forks

winpe_memGetProcAddress(LoadLibraryA("kernel32.dll"), "GetProcessMitigationPolicy"); #6

Closed icyfox168168 closed 2 years ago

icyfox168168 commented 2 years ago

This function gets error, infinite loop

YuriSizuku commented 2 years ago

This might be because this function will forward more than once. And this function is very weird, it seems that kernel32.dll, GetProcessMitigationPolicy -> api-ms-win-core-processthreads-l1-1-1.dll -> kernel32.dll, GetProcessMitigationPolicy. This function forward makes a loop. I think that's the reason.

00007FFB1DC716B6  61 70 69 2D 6D 73 2D 77 69 6E 2D 63 6F 72 65 2D  api-ms-win-core-  
00007FFB1DC716C6  70 72 6F 63 65 73 73 74 68 72 65 61 64 73 2D 6C  processthreads-l  
00007FFB1DC716D6  31 2D 31 2D 31 2E 47 65 74 50 72 6F 63 65 73 73  1-1-1.GetProcess  
00007FFB1DC716E6  4D 69 74 69 67 61 74 69 6F 6E 50 6F 6C 69 63 79  MitigationPolicy  
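An added example, not code from this issue or from win-MemoryModule: a toy model of the forwarder chain described above (module tables, export names and addresses are constructed) with a resolver that records every (module, symbol) pair it visits and caps the number of hops, so a forwarder that routes back to a pair already seen is reported as a cycle instead of looping.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of PE export tables, just enough to show how a loader can
 * follow export forwarders without looping on a chain such as
 *   kernel32!GetProcessMitigationPolicy
 *   -> api-ms-win-core-processthreads-l1-1-1!GetProcessMitigationPolicy
 *   -> kernel32!GetProcessMitigationPolicy
 * Nothing here parses a real PE image; modules, exports and addresses are toy data. */

typedef struct {
    const char *name;     /* exported symbol name (case-sensitive, as in the export name table) */
    const char *forward;  /* "DLL.Symbol" forwarder string, or NULL for a local export */
    void *addr;           /* stand-in code address for a local export, never executed */
} export_t;

typedef struct {
    const char *name;          /* module name without extension, matched case-insensitively */
    const export_t *exports;
    size_t count;
} module_t;

static int fake_code[2];      /* constructed stand-in "code" locations */

static const export_t kernel32_exports[] = {
    { "LoadLibraryA", NULL, &fake_code[0] },
    { "GetProcessMitigationPolicy",
      "api-ms-win-core-processthreads-l1-1-1.GetProcessMitigationPolicy", NULL },
    { "HeapAlloc", "NTDLL.RtlAllocateHeap", NULL },
};
static const export_t apiset_exports[] = {
    /* constructed cycle: the API set entry forwards straight back to kernel32 */
    { "GetProcessMitigationPolicy", "kernel32.GetProcessMitigationPolicy", NULL },
};
static const export_t ntdll_exports[] = {
    { "RtlAllocateHeap", NULL, &fake_code[1] },
};

static const module_t modules[] = {
    { "kernel32", kernel32_exports, sizeof kernel32_exports / sizeof kernel32_exports[0] },
    { "api-ms-win-core-processthreads-l1-1-1", apiset_exports, 1 },
    { "ntdll", ntdll_exports, 1 },
};

typedef enum { RES_OK, RES_NOT_FOUND, RES_CYCLE, RES_TOO_DEEP } res_status;

typedef struct {
    res_status status;
    void *addr;   /* valid only when status == RES_OK */
    int hops;     /* forwarders followed before the outcome */
} res_result;

#define MAX_HOPS 8   /* real chains are one or two hops; anything deeper is suspect */

/* ASCII case-insensitive string equality, for module names. */
static int ieq(const char *a, const char *b) {
    for (;; a++, b++) {
        char x = *a, y = *b;
        if (x >= 'A' && x <= 'Z') x = (char)(x - 'A' + 'a');
        if (y >= 'A' && y <= 'Z') y = (char)(y - 'A' + 'a');
        if (x != y) return 0;
        if (x == '\0') return 1;
    }
}

static const module_t *find_module(const char *name) {
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++)
        if (ieq(modules[i].name, name)) return &modules[i];
    return NULL;
}

static const export_t *find_export(const module_t *m, const char *symbol) {
    for (size_t i = 0; i < m->count; i++)
        if (strcmp(m->exports[i].name, symbol) == 0) return &m->exports[i];
    return NULL;
}

/* Resolve module!symbol, following forwarders. Every (module, symbol) pair visited is
 * remembered; revisiting one means the forwarders form a cycle and the lookup fails
 * instead of spinning. The hop limit bounds the walk even when nothing repeats. */
static res_result resolve_export(const char *module, const char *symbol) {
    char seen_mod[MAX_HOPS + 1][64];
    char seen_sym[MAX_HOPS + 1][128];
    res_result r = { RES_NOT_FOUND, NULL, 0 };

    snprintf(seen_mod[0], sizeof seen_mod[0], "%s", module);
    snprintf(seen_sym[0], sizeof seen_sym[0], "%s", symbol);

    for (int hop = 0;; hop++) {
        const module_t *m = find_module(seen_mod[hop]);
        const export_t *e = m ? find_export(m, seen_sym[hop]) : NULL;
        r.hops = hop;
        if (!e) return r;                                   /* RES_NOT_FOUND */
        if (!e->forward) { r.status = RES_OK; r.addr = e->addr; return r; }

        /* Forwarder string is "DLL.Symbol"; split at the first '.' */
        const char *dot = strchr(e->forward, '.');
        size_t mlen = dot ? (size_t)(dot - e->forward) : 0;
        if (mlen == 0 || mlen >= sizeof seen_mod[0] || dot[1] == '\0') return r;  /* malformed */
        if (hop == MAX_HOPS) { r.status = RES_TOO_DEEP; return r; }

        memcpy(seen_mod[hop + 1], e->forward, mlen);
        seen_mod[hop + 1][mlen] = '\0';
        snprintf(seen_sym[hop + 1], sizeof seen_sym[0], "%s", dot + 1);

        for (int k = 0; k <= hop; k++)                      /* already visited? */
            if (ieq(seen_mod[k], seen_mod[hop + 1]) &&
                strcmp(seen_sym[k], seen_sym[hop + 1]) == 0) {
                r.status = RES_CYCLE; r.hops = hop + 1; return r;
            }
    }
}

static const char *status_name(res_status s) {
    static const char *names[] = { "ok", "not found", "forwarder cycle", "too many forwarders" };
    return names[s];
}

int main(void) {
    const char *probes[][2] = {
        { "kernel32", "LoadLibraryA" }, { "kernel32", "HeapAlloc" },
        { "kernel32", "GetProcessMitigationPolicy" }, { "kernel32", "NoSuchExport" },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        res_result r = resolve_export(probes[i][0], probes[i][1]);
        printf("%s!%s: %s (hops=%d, addr=%p)\n", probes[i][0], probes[i][1],
               status_name(r.status), r.hops, r.addr);
    }
    return 0;
}
```

The same guard transfers to a real loader: a forwarder that names a (module, symbol) pair already on the current chain, or a chain longer than a small fixed hop count, is malformed and the lookup should fail rather than retry.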
icyfox168168 commented 2 years ago

kernel32.dll

static const char* pass_func[] = { "CreateRemoteThreadEx", "DeleteProcThreadAttributeList", "GetCurrentThreadStackLimits", "GetOverlappedResultEx", "GetProcessDefaultCpuSets", "GetProcessMitigationPolicy", "GetSystemCpuSetInformation", "GetThreadDescription", "GetThreadSelectedCpuSets", "InitializeProcThreadAttributeList", "IsProcessCritical", "OpenProcessToken", "OpenThreadToken", "QueryProtectedPolicy", "SetProcessDefaultCpuSets", "SetProcessDynamicEHContinuationTargets", "SetProcessMitigationPolicy", "SetProtectedPolicy", "SetThreadDescription", "SetThreadSelectedCpuSets", "SetThreadToken", "UpdateProcThreadAttribute", NULL };

icyfox168168 commented 2 years ago

The latest version I tested, GetProcessMitigationPolicy, still loops infinitely

YuriSizuku commented 2 years ago

The winpe.h file is in a submodule, do you use git submodule update --remote --recursive to update the submodule? I think I have fixed this problem. This code should work.

@@ -185,9 +185,19 @@ void test_exp()
    printf("winpe_findkernel32, winpe_findmodulea(kernel32) %p passed!\n", hmod);
    hmod3 = winpe_findmodulea("invalid.dll");
    assert(hmod3==NULL);

    // test some weird function
    hmod = LoadLibraryA("kernel32.dll");
    void* func = winpe_memGetProcAddress(hmod, "GetProcessMitigationPolicy");
    assert(func == GetProcAddress(hmod, "GetProcessMitigationPolicy"));
    printf("winpe_memGetProcAddress, GetProcessMitigationPolicy %p passed!\n", func);

    // test findexp and forwardexp
    hmod = LoadLibraryA("kernel32.dll");
    test_getfunc(hmod, "LoadLibraryA");
    test_getfunc(hmod, "InitializeSListHead");
    test_getfunc(hmod, "GetSystemTimeAsFileTime");

    printf("test_exp passed!\n\n");
}
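Review bot: the second `hmod = LoadLibraryA("kernel32.dll");` before the findexp/forwardexp tests is redundant, since `hmod` already holds the kernel32 handle from the GetProcessMitigationPolicy check just above it; reuse it, or say in the comment why a fresh call is wanted. The line `assert(func == GetProcAddress(hmod, "GetProcessMitigationPolicy"));` is also the only guard against the forwarder regression this issue reports, and `assert` compiles out under NDEBUG, so a release build of the test would pass even if `winpe_memGetProcAddress` returned a wrong pointer; an explicit compare-and-fail would keep the regression check in every build configuration.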
icyfox168168 commented 2 years ago

ok

vs2022 clang

util\include\winpe.h(411,11): error : cannot initialize a variable of type 'char *' with an lvalue of type 'void *'

INLINE void* _winpeinl_memset(void* buf, int ch, size_t n) { char* p = (char*)buf; for(size_t i=0;i<n;i++) p[i] = (char)ch; return buf; }

icyfox168168 commented 2 years ago

return 0

printf("%p %p\n",GetModuleHandleA("kernel32"), winpe_findmodulea("kernel32"));

YuriSizuku commented 2 years ago

I tested on clang with msvc14 and vs2019, and have not tested vs2022 yet. Maybe it is better to use char *p = (char *)buf; as an explicit conversion.