Replaced dummy variable references with NULL in inject.c
Apparently the crashes were an artifact of a different thing, and don't actually happen under normal conditions
This commit is contained in:
parent
6b5e303df6
commit
f8c4c5ad82
@ -21,15 +21,12 @@ static inline void write_protected_process_memory(HANDLE process, void *address,
DWORD oldProtect;
DWORD oldProtect;
VirtualProtectEx(process, address, size, PAGE_EXECUTE_READWRITE, &oldProtect);
VirtualProtectEx(process, address, size, PAGE_EXECUTE_READWRITE, &oldProtect);
size_t bytesWritten;
WriteProcessMemory(process, address, buf, size, NULL);
WriteProcessMemory(process, address, buf, size, &bytesWritten);
VirtualProtectEx(process, address, size, oldProtect, &oldProtect);
VirtualProtectEx(process, address, size, oldProtect, &oldProtect);
}
}
void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar_t *dllPath) {
void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar_t *dllPath) {
size_t _; // Contrary to the docs, {Write,Read}ProcessMemory likes to crash if the last arg is NULL
// Find the EXE header in the process
// Find the EXE header in the process
char exeHeader[1024];
char exeHeader[1024];
IMAGE_DOS_HEADER *dosHeader = NULL;
IMAGE_DOS_HEADER *dosHeader = NULL;
@ -38,7 +35,7 @@ void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar
MEMORY_BASIC_INFORMATION memoryInfo;
MEMORY_BASIC_INFORMATION memoryInfo;
char *currentAddress = 0x0;
char *currentAddress = 0x0;
while (VirtualQueryEx(process, currentAddress, &memoryInfo, sizeof(memoryInfo))) {
while (VirtualQueryEx(process, currentAddress, &memoryInfo, sizeof(memoryInfo))) {
ReadProcessMemory(process, currentAddress, exeHeader, sizeof(exeHeader), &_);
ReadProcessMemory(process, currentAddress, exeHeader, sizeof(exeHeader), NULL);
dosHeader = (IMAGE_DOS_HEADER*)exeHeader;
dosHeader = (IMAGE_DOS_HEADER*)exeHeader;
@ -84,8 +81,8 @@ void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar
char *remoteAlloc = VirtualAllocEx(process, NULL, allocSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
char *remoteAlloc = VirtualAllocEx(process, NULL, allocSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// Write the assembly payload and dll path
// Write the assembly payload and dll path
WriteProcessMemory(process, remoteAlloc, payload, payloadSize, &_);
WriteProcessMemory(process, remoteAlloc, payload, payloadSize, NULL);
WriteProcessMemory(process, remoteAlloc + payloadSize, dllPath, dllPathSize, &_);
WriteProcessMemory(process, remoteAlloc + payloadSize, dllPath, dllPathSize, NULL);
// Modify the executable to run the assembly payload
// Modify the executable to run the assembly payload
@ -97,7 +94,7 @@ void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar
// Save the original entry point address and bytes
// Save the original entry point address and bytes
rd.entryPointAddress = entryPoint;
rd.entryPointAddress = entryPoint;
ReadProcessMemory(process, rd.entryPointAddress, rd.entryPointData, sizeof(rd.entryPointData), &_);
ReadProcessMemory(process, rd.entryPointAddress, rd.entryPointData, sizeof(rd.entryPointData), NULL);
// Replace the entry point with a jump to the assembly payload
// Replace the entry point with a jump to the assembly payload
write_protected_process_memory(process, entryPoint, JUMP_INST, sizeof(JUMP_INST));
write_protected_process_memory(process, entryPoint, JUMP_INST, sizeof(JUMP_INST));
@ -110,7 +107,7 @@ void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar
// Save the original descriptor address and bytes
// Save the original descriptor address and bytes
rd.importDescriptorAddress = importDescriptors;
rd.importDescriptorAddress = importDescriptors;
ReadProcessMemory(process, rd.importDescriptorAddress, &rd.importDescriptorData, sizeof(rd.importDescriptorData), &_);
ReadProcessMemory(process, rd.importDescriptorAddress, &rd.importDescriptorData, sizeof(rd.importDescriptorData), NULL);
// Overwrite with zeroes
// Overwrite with zeroes
IMAGE_IMPORT_DESCRIPTOR firstDescriptor;
IMAGE_IMPORT_DESCRIPTOR firstDescriptor;
@ -122,12 +119,12 @@ void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar
// Save the original value
// Save the original value
rd.sizeFieldAddress = ddAddr;
rd.sizeFieldAddress = ddAddr;
ReadProcessMemory(process, rd.sizeFieldAddress, &rd.sizeFieldData, sizeof(rd.sizeFieldData), &_);
ReadProcessMemory(process, rd.sizeFieldAddress, &rd.sizeFieldData, sizeof(rd.sizeFieldData), NULL);
// Set to 0
// Set to 0
DWORD newSize = 0;
DWORD newSize = 0;
write_protected_process_memory(process, ddAddr, &newSize, sizeof(newSize));
write_protected_process_memory(process, ddAddr, &newSize, sizeof(newSize));
// Write recovery data to the allocation
// Write recovery data to the allocation
WriteProcessMemory(process, remoteAlloc + payloadSize + dllPathSize, &rd, sizeof(rd), &_);
WriteProcessMemory(process, remoteAlloc + payloadSize + dllPathSize, &rd, sizeof(rd), NULL);
}
}
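Review bot: The ReadProcessMemory call inside the VirtualQueryEx loop (second hunk) still ignores its BOOL result, so after the switch to a NULL byte count the return value is the only remaining failure signal, and when the read fails (for instance on a region shorter than sizeof(exeHeader) or one that is not readable) the cast on the next line interprets whatever exeHeader held from the previous iteration as a DOS header. I would guard the cast, e.g. `if (!ReadProcessMemory(process, currentAddress, exeHeader, sizeof(exeHeader), NULL)) { /* skip this region */ }`, placed so that the loop's advance of currentAddress, which is outside the hunk, still runs. The same unchecked-result pattern applies to the Read/WriteProcessMemory calls in the remaining hunks and to both VirtualProtectEx calls in write_protected_process_memory, where a failed first call leaves oldProtect uninitialized before it is handed to the second. Passing NULL for the byte count is consistent with the API's optional parameter, so the change itself looks fine; inject's body continues between and beyond the hunks.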