Last active
August 3, 2022 21:59
s3rb31 revised this gist
Nov 9, 2018 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -34,7 +34,7 @@ typedef struct _OBJECT_ATTRIBUTES { typedef struct _EXT_PARAMS { DWORD64 Type; // enum 1-5 PVOID Addr; } EXT_PARAMS, *PEXT_PARAMS; -
s3rb31 revised this gist
Nov 8, 2018 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -48,7 +48,7 @@ typedef struct _EXT_PARAMS_ALLOCATE_MAP PVOID EndAddr = 0; // EndAddr < 0x7ffffffeffff && // (EndAddr+1) & 0xFFF == 0 // (EndAddr - StartAddr) + 1 // < 0x020000000000 (2048 GB) -
s3rb31 revised this gist
Nov 8, 2018 . 1 changed file with 3 additions and 5 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -12,8 +12,6 @@ T GetNTDLLProc(LPCSTR ProcName) return reinterpret_cast<T>(GetProcAddress(hMod, ProcName)); } typedef enum _SECTION_INHERIT { ViewShare = 1, ViewUnmap = 2 @@ -36,8 +34,8 @@ typedef struct _OBJECT_ATTRIBUTES { typedef struct _EXT_PARAMS { DWORD64 Type; // or count? PVOID Addr; } EXT_PARAMS, *PEXT_PARAMS; typedef struct _EXT_PARAMS_ALLOCATE_MAP @@ -53,7 +51,7 @@ typedef struct _EXT_PARAMS_ALLOCATE_MAP // EndAddr+1 & 0xFFF == 0 // (EndAddr - StartAddr) + 1 // < 0x020000000000 (2048 GB) // on fail: STATUS_NO_MEMORY (0xC0000017 ) -
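Review bot: Dropping `ALIGN8` from `EXT_PARAMS` in the second hunk leaves the 64-bit layout assumption implicit: `Type`/`Addr` only form two 8-byte slots when `PVOID` is 8 bytes, and the limits quoted in the third hunk (`0x7ffffffeffff`, `0x020000000000`) are 64-bit user-space values. A `static_assert(sizeof(PVOID) == 8 && sizeof(EXT_PARAMS) == 16, "EXT_PARAMS layout assumes an x64 build");` placed after the struct would fail a 32-bit build instead of handing the kernel a block whose `Addr` slot is a 4-byte pointer followed by uninitialized padding. The `// or count?` comment also shows the meaning of `Type` was still uncertain at this revision, so if the target SDK ships a documented definition of the extended-parameter structure, its layout should be compared against this hand-written one. The struct definitions are complete within the hunks, but the surrounding declaration block continues outside them.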
s3rb31 revised this gist
Nov 8, 2018 . 1 changed file with 91 additions and 91 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -8,21 +8,21 @@ template<typename T> T GetNTDLLProc(LPCSTR ProcName) { static HMODULE hMod = GetModuleHandleA("ntdll.dll"); return reinterpret_cast<T>(GetProcAddress(hMod, ProcName)); } #define ALIGN8 __declspec(align(8)) typedef enum _SECTION_INHERIT { ViewShare = 1, ViewUnmap = 2 } SECTION_INHERIT; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWCH Buffer; } UNICODE_STRING, *PUNICODE_STRING; typedef struct _OBJECT_ATTRIBUTES { @@ -35,29 +35,29 @@ typedef struct _OBJECT_ATTRIBUTES { } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; typedef struct _EXT_PARAMS { ALIGN8 DWORD64 Type; // or count? ALIGN8 PVOID Addr; } EXT_PARAMS, *PEXT_PARAMS; typedef struct _EXT_PARAMS_ALLOCATE_MAP { PVOID StartAddr = 0; // (EndAddr != 0) StartAddr < EndAddr // ELSE StartAddr < 0x7ffffffeffff PVOID EndAddr = 0; // EndAddr < 0x7ffffffeffff && // EndAddr+1 & 0xFFF == 0 // (EndAddr - StartAddr) + 1 // < 0x020000000000 // on fail: STATUS_NO_MEMORY (0xC0000017 ) DWORD64 _null = 0; } EXT_PARAMS_ALLOCATE_MAP, *PEXT_PARAMS_ALLOCATE_MAP; typedef NTSTATUS (NTAPI *NtCreateSection_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PLARGE_INTEGER, ULONG, ULONG, HANDLE); 
@@ -75,75 +75,75 @@ typedef NTSTATUS (NTAPI *NtMapViewOfSectionEx_t)( int main() { HANDLE hSection = NULL; NTSTATUS status = STATUS_SUCCESS; NtCreateSection_t NtCreateSection = GetNTDLLProc<NtCreateSection_t>("NtCreateSection"); NtMapViewOfSectionEx_t NtMapViewOfSectionEx = GetNTDLLProc<NtMapViewOfSectionEx_t>("NtMapViewOfSectionEx"); if (NtCreateSection && NtMapViewOfSectionEx) { LARGE_INTEGER maxSize; maxSize.HighPart = 0; maxSize.LowPart = 0x1000; if ((status = NtCreateSection( &hSection, SECTION_ALL_ACCESS, NULL, &maxSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS) { printf("ZwCreateSection failed, status : %x\n", status); return 0; } printf("Section handle: %p\n", hSection); printf("Mapping the section ...\n"); PVOID pBase = NULL; // must be NULL SIZE_T viewSize = 0; HANDLE hMod = GetModuleHandle(NULL); EXT_PARAMS_ALLOCATE_MAP map_params; map_params.StartAddr = hMod; map_params.EndAddr = (PBYTE)hMod+0x1000FFF; EXT_PARAMS ext_params; ext_params.Type = 1; ext_params.Addr = &map_params; if ((status = NtMapViewOfSectionEx( hSection, GetCurrentProcess(), &pBase, NULL, &viewSize, NULL, PAGE_EXECUTE_READWRITE, &ext_params, 1)) != STATUS_SUCCESS) { printf("NtMapViewOfSection failed, status : %x\n", status); return 0; } printf("Module base: %p\r\n", hMod); printf("Success! BaseAddress: %p\n", pBase); return 0; } printf("ERROR! NtCreateSection: %p, NtMapViewOfSectionEx: %p\r\n", NtCreateSection, NtMapViewOfSectionEx); return 0; } -
s3rb31 revised this gist
Nov 8, 2018 . 1 changed file with 2 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,8 @@ #include <windows.h> #include <cstdio> // credits: s3rb31 #define STATUS_SUCCESS 0x00000000 template<typename T> -
s3rb31 created this gist
Nov 8, 2018 .There are no files selected for viewing
@@ -0,0 +1,147 @@ #include <windows.h> #include <cstdio> #define STATUS_SUCCESS 0x00000000 template<typename T> T GetNTDLLProc(LPCSTR ProcName) { static HMODULE hMod = GetModuleHandleA("ntdll.dll"); return reinterpret_cast<T>(GetProcAddress(hMod, ProcName)); } #define ALIGN8 __declspec(align(8)) typedef enum _SECTION_INHERIT { ViewShare = 1, ViewUnmap = 2 } SECTION_INHERIT; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWCH Buffer; } UNICODE_STRING, *PUNICODE_STRING; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; // SECURITY_DESCRIPTOR PVOID SecurityQualityOfService; // SECURITY_QUALITY_OF_SERVICE } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; typedef struct _EXT_PARAMS { ALIGN8 DWORD64 Type; // or count? ALIGN8 PVOID Addr; } EXT_PARAMS, *PEXT_PARAMS; typedef struct _EXT_PARAMS_ALLOCATE_MAP { PVOID StartAddr = 0; // (EndAddr != 0) StartAddr < EndAddr // ELSE StartAddr < 0x7ffffffeffff PVOID EndAddr = 0; // EndAddr < 0x7ffffffeffff && // EndAddr+1 & 0xFFF == 0 // (EndAddr - StartAddr) + 1 // < 0x020000000000 // on fail: STATUS_NO_MEMORY (0xC0000017 ) DWORD64 _null = 0; } EXT_PARAMS_ALLOCATE_MAP, *PEXT_PARAMS_ALLOCATE_MAP; typedef NTSTATUS (NTAPI *NtCreateSection_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PLARGE_INTEGER, ULONG, ULONG, HANDLE); typedef NTSTATUS (NTAPI *NtMapViewOfSectionEx_t)( IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PSIZE_T ViewSize, IN ULONG AllocationType, IN ULONG Win32Protect, IN PEXT_PARAMS ExtParameters OPTIONAL, IN ULONG ExtParametersCount ); int main() { HANDLE hSection = NULL; NTSTATUS status = STATUS_SUCCESS; NtCreateSection_t NtCreateSection = GetNTDLLProc<NtCreateSection_t>("NtCreateSection"); NtMapViewOfSectionEx_t NtMapViewOfSectionEx = GetNTDLLProc<NtMapViewOfSectionEx_t>("NtMapViewOfSectionEx"); if (NtCreateSection && 
NtMapViewOfSectionEx) { LARGE_INTEGER maxSize; maxSize.HighPart = 0; maxSize.LowPart = 0x1000; if ((status = NtCreateSection( &hSection, SECTION_ALL_ACCESS, NULL, &maxSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS) { printf("ZwCreateSection failed, status : %x\n", status); return 0; } printf("Section handle: %p\n", hSection); printf("Mapping the section ...\n"); PVOID pBase = NULL; // must be NULL SIZE_T viewSize = 0; HANDLE hMod = GetModuleHandle(NULL); EXT_PARAMS_ALLOCATE_MAP map_params; map_params.StartAddr = hMod; map_params.EndAddr = (PBYTE)hMod+0x1000FFF; EXT_PARAMS ext_params; ext_params.Type = 1; ext_params.Addr = &map_params; if ((status = NtMapViewOfSectionEx( hSection, GetCurrentProcess(), &pBase, NULL, &viewSize, NULL, PAGE_EXECUTE_READWRITE, &ext_params, 1)) != STATUS_SUCCESS) { printf("NtMapViewOfSection failed, status : %x\n", status); return 0; } printf("Module base: %p\r\n", hMod); printf("Success! BaseAddress: %p\n", pBase); return 0; } printf("ERROR! NtCreateSection: %p, NtMapViewOfSectionEx: %p\r\n", NtCreateSection, NtMapViewOfSectionEx); return 0; }
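Review bot: Once `NtCreateSection` succeeds, `hSection` is never closed and the view is never unmapped on either the failed-`NtMapViewOfSectionEx` return or the success return in `main`; a `CloseHandle(hSection);` before each of those returns (and `UnmapViewOfFile(pBase);` on the success path) keeps the PoC tidy even though process exit reclaims both. The section is created and mapped `PAGE_EXECUTE_READWRITE`, but nothing in the program writes to or executes from the view, so if the gist's purpose is only to exercise the `StartAddr`/`EndAddr` extended parameter, `PAGE_READWRITE` in both calls avoids producing an RWX mapping, which is exactly the kind of allocation endpoint monitoring tends to flag. The `!= STATUS_SUCCESS` comparisons also treat informational and warning NTSTATUS values as failures; the conventional test is sign-based, `if (status < 0)` (or `!NT_SUCCESS(status)` where ntdef.h is available). Finally, the failure messages name `ZwCreateSection` and `NtMapViewOfSection` while the calls are `NtCreateSection` and `NtMapViewOfSectionEx`, which will mislead anyone reading the output.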