Windows 10 wrong calculate reloc addr #55

Open
jazzybecker opened this issue Sep 26, 2016 · 0 comments
@jazzybecker

Got a problem again on updated Windows 10. Here is the code:

```c
/* Note: the native prototype declares the third parameter as PSIZE_T;
   PULONG has the same width only in 32-bit builds. */
typedef LONG(NTAPI *tNtProtectVirtualMemory)(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN OUT PULONG NumberOfBytesToProtect,
    IN ULONG NewAccessProtection,
    OUT PULONG OldAccessProtection);

tNtProtectVirtualMemory pNtProtectVirtualMemory;

void LoadFromMemory(void)
{
    void *data;
    size_t size;
    HMEMORYMODULE handle;
    addNumberProc addNumber;
    HMEMORYRSRC resourceInfo;
    DWORD resourceSize;
    LPVOID resourceData;
    TCHAR buffer[100];

    data = ReadLibrary(&size);
    if (data == NULL)
    {
        return;
    }

    handle = MemoryLoadLibrary(data, size);
    if (handle == NULL)
    {
        _tprintf(_T("Can't load library from memory.\n"));
        goto exit;
    }

    /* Resolve the export from the memory-loaded module, not from the system loader's copy. */
    pNtProtectVirtualMemory = (tNtProtectVirtualMemory)MemoryGetProcAddress(handle, "NtProtectVirtualMemory");
    PVOID pAddr = (PVOID)GetModuleHandleA("Test.exe");
    ULONG pSize = (ULONG)4;
    DWORD Old;
    //pNtProtectVirtualMemory(GetCurrentProcess(), &pAddr, &pSize, PAGE_EXECUTE_READWRITE, &Old); //Crashed

    /* %p prints the full pointer; %X would truncate it in a 64-bit build. */
    _tprintf(_T("From memory: %p\n"), (void *)pNtProtectVirtualMemory);

    resourceInfo = MemoryFindResource(handle, MAKEINTRESOURCE(VS_VERSION_INFO), RT_VERSION);
    _tprintf(_T("MemoryFindResource returned 0x%p\n"), resourceInfo);

    resourceSize = MemorySizeofResource(handle, resourceInfo);
    resourceData = MemoryLoadResource(handle, resourceInfo);
    _tprintf(_T("Memory resource data: %ld bytes at 0x%p\n"), resourceSize, resourceData);

    MemoryLoadString(handle, 1, buffer, sizeof(buffer));
    _tprintf(_T("String1: %s\n"), buffer);

    MemoryLoadString(handle, 20, buffer, sizeof(buffer));
    _tprintf(_T("String2: %s\n"), buffer);

    //MemoryFreeLibrary(handle);

exit:
    Sleep(0);
    //free(data);
}
```

It loads successfully, but when I use

```c
PVOID pAddr = (PVOID)GetModuleHandleA("Test.exe");
ULONG pSize = (ULONG)4;
DWORD Old;

pNtProtectVirtualMemory(GetCurrentProcess(), &pAddr, &pSize, PAGE_EXECUTE_READWRITE, &Old);
```

it crashed. Then I checked whether the pNtProtectVirtualMemory address is correct; here is the result.

SS1: http://prnt.sc/cmfgbk
SS2: http://prnt.sc/cmfgeh

The relocation address is wrong. It pointed to null.
