Not able to update memory protection #1

Closed
hexnov opened this issue Sep 12, 2022 · 2 comments

@hexnov

hexnov commented Sep 12, 2022

When trying to execute ProcessHollowing.exe, there is always the same error message for me.
I have played with different fake and real parameters and tested it on Windows 10 and 11.

Example:

ProcessHollowing.exe --fake C:\Windows\system32\svchost.exe --real C:\white\artifact64.exe

[*] Got target information.
    [*] Image Path Name : C:\Windows\system32\svchost.exe
    [*] Architecture    : x64
    [*] Command Line    : C:\Windows\system32\svchost.exe
[>] Analyzing PE image data.
[+] Image data is analyzed.
    [*] Architecture  : x64
    [*] Image Size    : 0xC000
    [*] Section Count : 9
[>] Trying to create hollowing process.
[+] Hollowing process is created successfully.
[*] ntdll!_PEB for the hollowing process is 0x000000650F2BC000.
[*] Image base address for the hollowing process is 0x00007FF7945C0000.
[*] Allocated 0xC000 bytes memory at 0x00000177FFD30000 in the hollowing process.
[>] Trying to write image data in the hollowing process.
[-] Failed to memory protection for PE headers.

Since this message is called after the Helpers.UpdateMemoryProtection() function, I assume it failed to "update" the memory protection for PE headers. I am not sure why this occurs and it is most probably a user problem, but maybe you can help me (and potential others) with this.

Thanks for your awesome work!

@CaledoniaProject

Try patching the helper function and logging the ntstatus and Win32 last error somewhere:

return (ntstatus == Win32Consts.STATUS_SUCCESS);

@daem0nc0re
Owner

@CaledoniaProject Thanks for your help!

@hexnov Thanks for testing my code and kind words!
I guess you tried it with a Debug build.
As far as I tested, the Release build works correctly.
I do not know the reason yet, but the NtProtectVirtualMemory API call in Helpers.UpdateMemoryProtection() returns 0xC0000018 (Conflicting Address Range) for the Debug build.
If you want to trace the error message effectively, insert the following code after the NtProtectVirtualMemory API call in Helpers.UpdateMemoryProtection():

Console.WriteLine(Helpers.GetWin32ErrorMessage(ntstatus, true));

You will see an error message as follows:

PS C:\Tools> .\ProcessHollowing-Debug.exe -f notepad.exe -r cmd.exe

[*] Got target information.
    [*] Image Path Name : C:\Windows\SYSTEM32\notepad.exe
    [*] Architecture    : x64
    [*] Command Line    : notepad.exe

--snip--

[*] Allocated 0x6C000 bytes memory at 0x0000023BB7D60000 in the hollowing process.
[>] Trying to write image data in the hollowing process.
[ERROR] Code 0x00000000 : STATUS_SUCCESS
[ERROR] Code 0x00000000 : STATUS_SUCCESS
[ERROR] Code 0xC0000018 : {Conflicting Address Range}
The specified address range conflicts with the address space.
[-] Failed to memory protection for PE headers.

I will add a note for this issue to README.md until I fix it, thanks.
