#include <stdio.h>
#include <Windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <winternl.h>
#include <dbghelp.h>
#include <map>
#include <string>
#include "x64Structs.h"
//#pragma comment(lib, "Kernel32.lib")
#pragma comment(lib, "Shlwapi.lib")
//#pragma comment(lib, "Ntdll.dll")
//#pragma comment(lib, "Dbghelp.dll")
#define MAX_FUNC_NAME_SIZE 100 // size in bytes of each entry (NUL-terminated name) in the blacklist table
#define MAX_BLACKLISTED_FUNCS 25 // number of entries in the blacklist table
// Flat table of MAX_BLACKLISTED_FUNCS entries, MAX_FUNC_NAME_SIZE bytes each; an entry whose
// first byte is '\0' is unused. Defined in another translation unit.
// NOTE(review): that definition must itself be a `char*` — declaring an array as `extern char*`
// is a type mismatch the linker does not catch; confirm against the defining file.
extern char* blackListedFunctionNames;
// Signature of ntdll!NtWow64QueryInformationProcess64: lets a 32-bit (WOW64) caller query a
// 64-bit target; used here with ProcessBasicInformation to locate the 64-bit PEB.
typedef NTSTATUS(__stdcall* NtQueryInfoType)
(
HANDLE ProcessHandle,
PROCESSINFOCLASS ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);
// Signature of ntdll!NtWow64ReadVirtualMemory64: reads a 64-bit target's memory from a 32-bit
// caller; addresses and sizes are full 64-bit values rather than SIZE_T.
typedef NTSTATUS(__stdcall* ReadVMem64Type)
(
HANDLE hProcess,
uint64_t lpBaseAddress,
LPVOID lpBuffer,
uint64_t nSize,
uint64_t* lpNumberOfBytesRead
);
// Both pointers stay NULL until Initialisex64Functions() resolves them; callers must not
// invoke them before that.
NtQueryInfoType NtWow64QueryInformationProcess64 = NULL;
ReadVMem64Type NtWow64ReadVirtualMemory64 = NULL; // read a 64-bit process's memory from the 32-bit side
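/*
 * Resolve the NtWow64* exports from the already-loaded ntdll.dll into the
 * file-scope function pointers used by the rest of this file.
 *
 * Both pointers are left NULL (and a message is printed) when ntdll cannot be
 * found or an export is missing; the other routines check for NULL before
 * calling through them. These exports are presumably only present in the
 * 32-bit ntdll of a WOW64 process — TODO confirm on a native 64-bit build.
 */
void Initialisex64Functions() {
    HMODULE ntDllBaseAddress = GetModuleHandle(L"ntdll.dll");
    if (ntDllBaseAddress == NULL) {
        // ntdll is always mapped, so this only fails if the name lookup itself is broken
        printf("GetModuleHandle(ntdll.dll) failed, error %lu\n", (unsigned long)GetLastError());
        return;
    }
    NtWow64QueryInformationProcess64 = (NtQueryInfoType)GetProcAddress(ntDllBaseAddress, "NtWow64QueryInformationProcess64");
    NtWow64ReadVirtualMemory64 = (ReadVMem64Type)GetProcAddress(ntDllBaseAddress, "NtWow64ReadVirtualMemory64");
    if (NtWow64QueryInformationProcess64 == NULL) {
        printf("GetProcAddress(NtWow64QueryInformationProcess64) failed, error %lu\n", (unsigned long)GetLastError());
    }
    if (NtWow64ReadVirtualMemory64 == NULL) {
        printf("GetProcAddress(NtWow64ReadVirtualMemory64) failed, error %lu\n", (unsigned long)GetLastError());
    }
}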
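#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS 0x0
#endif
/*
 * Resolve the image base of a 64-bit target process from the 32-bit side.
 *
 * Queries PROCESS_BASIC_INFORMATION through NtWow64QueryInformationProcess64
 * to find the target's 64-bit PEB, then reads PEB.ImageBaseAddress out of the
 * target with NtWow64ReadVirtualMemory64.
 *
 * @param oP  handle to the target process; needs query-information and
 *            VM-read access (not checked here — the calls fail otherwise)
 * @return    the target's ImageBaseAddress, or 0 when the NtWow64 function
 *            pointers were never resolved or either call failed. 0 is never a
 *            valid image base, so callers can test the result directly.
 *
 * The PEB contents come from the inspected process and are untrusted; the
 * returned value is only ever used as an address for further remote reads,
 * which fail cleanly on a bad address.
 */
uint64_t GetBaseAddressx64(HANDLE oP) {
    if (NtWow64QueryInformationProcess64 == NULL || NtWow64ReadVirtualMemory64 == NULL) {
        printf("GetBaseAddressx64: Initialisex64Functions() has not resolved the NtWow64 exports\n");
        return 0;
    }
    _PROCESS_BASIC_INFORMATIONx64 basic_infox64 = {};
    ULONG returnedLength = 0;
    NTSTATUS status = NtWow64QueryInformationProcess64(oP, ProcessBasicInformation, &basic_infox64, sizeof(basic_infox64), &returnedLength);
    if (status != STATUS_SUCCESS) {
        // Do not continue with an unfilled basic_infox64 — PebBaseAddress would be garbage.
        printf("NtWow64QueryInformationProcess64 failed, status 0x%08lx\n", (unsigned long)status);
        return 0;
    }
    uint64_t pebAddress = (uint64_t)basic_infox64.PebBaseAddress;
    if (pebAddress == 0) {
        printf("NtWow64QueryInformationProcess64 returned no PEB address\n");
        return 0;
    }
    _PEBx64 peb_x64 = {};
    status = NtWow64ReadVirtualMemory64(oP, pebAddress, &peb_x64, sizeof(peb_x64), NULL);
    if (status != STATUS_SUCCESS) {
        printf("Get PEB_x64 PebBaseAddress is failed, status 0x%08lx\n", (unsigned long)status);
        return 0;
    }
    return peb_x64.ImageBaseAddress;
}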
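/*
 * Read `size` bytes at `address` in the 64-bit target into `buffer`.
 *
 * @param what  short label for the failure message ("Get <what> is failed")
 * @return      true on success; false after printing the failure
 */
static bool ReadRemotex64(HANDLE handleProcess, uint64_t address, void* buffer, uint64_t size, const char* what) {
    if (NtWow64ReadVirtualMemory64(handleProcess, address, buffer, size, NULL) != STATUS_SUCCESS) {
        printf("Get %s is failed\n", what);
        return false;
    }
    return true;
}

/*
 * True when `name` exactly matches a used (non-empty) entry of the blacklist
 * table; `name` must be NUL-terminated.
 */
static bool IsBlacklistedFunction(const char* name) {
    for (int i = 0; i < MAX_BLACKLISTED_FUNCS; i++) {
        const char* entry = blackListedFunctionNames + i * MAX_FUNC_NAME_SIZE;
        if (*entry != '\0' && strcmp(name, entry) == 0) {
            return true;
        }
    }
    return false;
}

/*
 * Walk the import lookup table of a 64-bit target process and report every
 * imported function whose name is in the blacklist table.
 *
 * @param getBaseAddressx64  target image base, as returned by GetBaseAddressx64();
 *                           0 means "unknown" and the scan is skipped
 * @param handleProcess      handle to the target with VM-read access
 *
 * Every header field used below (e_lfanew, the import directory RVA, the
 * descriptors, the thunks, the name RVAs) is read from the inspected process
 * and is therefore untrusted. They are only ever used as addresses for further
 * remote reads — never to index local memory — so a hostile or corrupt image
 * can at worst make a read fail, which aborts the scan. Only the first
 * MAX_BLACKLISTED_FUNCS-style scan by name is done; imports by ordinal are
 * skipped because they carry no name to compare.
 */
void DetectSuspiciousFunctionAProcessx64(uint64_t getBaseAddressx64, HANDLE handleProcess) {
    if (getBaseAddressx64 == 0 || NtWow64ReadVirtualMemory64 == NULL) {
        printf("DetectSuspiciousFunctionAProcessx64: no image base or NtWow64ReadVirtualMemory64 not resolved\n");
        return;
    }

    // DOS header: validate the signature before trusting e_lfanew.
    _IMAGE_DOS_HEADER dos = {};
    if (!ReadRemotex64(handleProcess, getBaseAddressx64, &dos, sizeof(dos), "DOSx64")) {
        return;
    }
    if (dos.e_magic != IMAGE_DOS_SIGNATURE) {
        printf("DOSx64 header has no MZ signature\n");
        return;
    }
    if (dos.e_lfanew < 0) {
        // e_lfanew is a LONG; a negative value would wrap the address below the image base.
        printf("DOSx64 header has a negative e_lfanew\n");
        return;
    }

    // NT headers: the target is 64-bit, so the 64-bit layout is read regardless of our own bitness.
    uint64_t NTbaseAddress_x64 = getBaseAddressx64 + (uint64_t)dos.e_lfanew;
    IMAGE_NT_HEADERS64 ntHeader_x64 = {};
    if (!ReadRemotex64(handleProcess, NTbaseAddress_x64, &ntHeader_x64, sizeof(ntHeader_x64), "ntHeader_x64")) {
        return;
    }
    if (ntHeader_x64.Signature != IMAGE_NT_SIGNATURE || ntHeader_x64.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
        printf("ntHeader_x64 is not a PE32+ header\n");
        return;
    }

    // Import directory: an RVA of 0 means the image imports nothing; the original
    // code would have read the DOS header bytes as a descriptor in that case.
    DWORD importRva = ntHeader_x64.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (importRva == 0) {
        printf("the image has no import directory\n");
        return;
    }

    IMAGE_IMPORT_DESCRIPTOR imageDescriptor_x64 = {};
    for (uint64_t discriptor_64 = getBaseAddressx64 + importRva; ; discriptor_64 += sizeof(imageDescriptor_x64)) {
        if (!ReadRemotex64(handleProcess, discriptor_64, &imageDescriptor_x64, sizeof(imageDescriptor_x64), "imageDescriptor_x64")) {
            return;
        }
        if (imageDescriptor_x64.Name == 0) {
            // An all-zero descriptor terminates the table.
            printf("the discriptor is done\n");
            break;
        }
        if (imageDescriptor_x64.OriginalFirstThunk == 0) {
            // No import lookup table (names) for this module; FirstThunk holds resolved
            // addresses once loaded, so there is nothing to compare by name here.
            continue;
        }

        // Walk the import lookup table. IMAGE_THUNK_DATA64 is used explicitly: in a
        // 32-bit build the plain IMAGE_THUNK_DATA is the 4-byte 32-bit thunk, which
        // would mis-read and mis-step a 64-bit table.
        IMAGE_THUNK_DATA64 thunk_x64 = {};
        for (uint64_t orginalThunk_64 = getBaseAddressx64 + imageDescriptor_x64.OriginalFirstThunk; ; orginalThunk_64 += sizeof(thunk_x64)) {
            if (!ReadRemotex64(handleProcess, orginalThunk_64, &thunk_x64, sizeof(thunk_x64), "thunk_x64")) {
                return;
            }
            if (thunk_x64.u1.AddressOfData == 0) {
                // A zero thunk terminates this module's list.
                break;
            }
            if (IMAGE_SNAP_BY_ORDINAL64(thunk_x64.u1.Ordinal)) {
                // Imported by ordinal: no IMAGE_IMPORT_BY_NAME to read.
                continue;
            }

            // IMAGE_IMPORT_BY_NAME is a WORD hint followed by the NUL-terminated name.
            // Zero-initialised and read one byte short so the buffer always ends in '\0'
            // even when the remote name is longer than the buffer; the fixed-size read
            // can still fail if the name sits at the very end of a mapped region.
            char nameFunction[100] = {};
            uint64_t functionNameAddress_64 = getBaseAddressx64 + thunk_x64.u1.AddressOfData + sizeof(WORD);
            if (!ReadRemotex64(handleProcess, functionNameAddress_64, nameFunction, sizeof(nameFunction) - 1, "nameFunction_64")) {
                return;
            }
            printf("the name of funcation %s\n", nameFunction);
            if (IsBlacklistedFunction(nameFunction)) {
                printf("\n! %s is blacklisted\n\n", nameFunction);
            }
        }
    }
}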