[kmd]

hi all
recenlty was looking on l33t sources from well-known wasm troll #1 indy clerk and came across this method

Code: Select all

	.686
	.model flat, stdcall
	option casemap :none

	include \masm32\include\ntdll.inc
	includelib \masm32\lib\ntdll.lib

.code
MAXIMUM_SECTION_NUMBER	equ 128

REGION_INFORMATION struct
RegionRva		PVOID ?
RegionSize	ULONG ?
Protect		ULONG ?
REGION_INFORMATION ends
PREGION_INFORMATION typedef ptr REGION_INFORMATION

MAP struct
Handle	HANDLE ?
MapBase	PVOID ?
MAP ends
PMAP typedef ptr MAP

PsProtectImage proc uses ebx esi edi ProcessHandle:HANDLE, ImageBase:PVOID, Map:PVOID
Local RegionTable[MAXIMUM_SECTION_NUMBER]:REGION_INFORMATION
Local ObjAttr:OBJECT_ATTRIBUTES
Local SectionHandle:HANDLE
Local SectionSize:LARGE_INTEGER, SectionOffset:LARGE_INTEGER, ViewSize:ULONG
Local RegionNumber:ULONG
Local MapAddress:PVOID
Local MemoryInformation:MEMORY_BASIC_INFORMATION
Local TargetMapAddress:PVOID
	lea edi,RegionTable
	assume edi:PREGION_INFORMATION
	invoke ZwQueryVirtualMemory, ProcessHandle, ImageBase, MemoryBasicInformation, addr MemoryInformation, sizeof(MEMORY_BASIC_INFORMATION), NULL
	test eax,eax
	jnz Exit
	mov eax,STATUS_UNSUCCESSFUL
	cmp MemoryInformation._Type,MEM_IMAGE
	mov ebx,MemoryInformation.AllocationBase
	jne Exit
	mov ImageBase,ebx
	xor esi,esi
	.repeat
		invoke ZwQueryVirtualMemory, ProcessHandle, Ebx, MemoryBasicInformation, addr MemoryInformation, sizeof(MEMORY_BASIC_INFORMATION), NULL
		test eax,eax
		jnz Exit
		mov ecx,ImageBase
		mov eax,STATUS_UNSUCCESSFUL
		cmp MemoryInformation.BaseAddress,ebx
		jne Exit
		cmp MemoryInformation.AllocationBase,ecx
		jne Last
		cmp MemoryInformation._Type,MEM_IMAGE
		jne Exit
		cmp MemoryInformation.State,MEM_COMMIT
		jne Exit
		mov ecx,ebx
		mov eax,MemoryInformation.RegionSize
		sub ecx,ImageBase
		mov edx,MemoryInformation.Protect
		mov [edi].RegionSize,eax
		mov [edi].RegionRva,ecx
		mov [edi].Protect,edx
		add edi,sizeof(REGION_INFORMATION)
		add ebx,eax
		inc esi
	.until Esi >= MAXIMUM_SECTION_NUMBER
	mov eax,STATUS_BUFFER_TOO_SMALL
	jmp Exit
Last:
	sub ebx,ImageBase
	xor eax,eax
	mov ObjAttr.uLength,sizeof(OBJECT_ATTRIBUTES)
	mov dword ptr [SectionSize],ebx
	mov dword ptr [SectionSize + 4],eax
	mov ObjAttr.hRootDirectory,eax
	mov ObjAttr.pObjectName,eax
	mov ObjAttr.uAttributes,eax
	mov ObjAttr.pSecurityDescriptor,eax
	mov ObjAttr.pSecurityQualityOfService,eax
	mov dword ptr [SectionOffset],eax
	mov dword ptr [SectionOffset + 4],eax
	invoke ZwCreateSection, addr SectionHandle, SECTION_ALL_ACCESS, addr ObjAttr, addr SectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, Eax
	test eax,eax
	mov RegionNumber,esi
 	jnz Exit
	mov ViewSize,eax
	mov MapAddress,eax
	invoke ZwMapViewOfSection, SectionHandle, NtCurrentProcess, addr MapAddress, NULL, NULL, addr SectionOffset, addr ViewSize, ViewShare, Eax, PAGE_EXECUTE_READWRITE
	test eax,eax
	lea edi,RegionTable
	jnz ErrMap
	.repeat
		mov ebx,ImageBase
		mov edx,MapAddress
		add ebx,[edi].RegionRva
		add edx,[edi].RegionRva
		invoke ZwReadVirtualMemory, ProcessHandle, Ebx, Edx, [edi].RegionSize, NULL
		test eax,eax
		jnz ErrRead
		add edi,sizeof(REGION_INFORMATION)
		dec esi
	.until Zero?
	invoke ZwUnmapViewOfSection, ProcessHandle, ImageBase
	test eax,eax
	lea edi,RegionTable
	jnz ErrRead
	mov dword ptr [SectionOffset + 4],eax
	.repeat
		mov eax,[edi].RegionRva
		mov ecx,[edi].RegionSize
		mov ebx,ImageBase
		mov ViewSize,ecx
		add ebx,eax
		mov dword ptr [SectionOffset],eax
		mov TargetMapAddress,ebx
		test [edi].Protect,PAGE_WRITECOPY
		.if !Zero?
			and [edi].Protect,NOT(PAGE_WRITECOPY)
			or [edi].Protect,PAGE_READWRITE
		.endif
		invoke ZwMapViewOfSection, SectionHandle, ProcessHandle, addr TargetMapAddress, NULL, NULL, addr SectionOffset, addr ViewSize, ViewShare, AT_ROUND_TO_PAGE, [edi].Protect
		test eax,eax
		jnz ErrRead
		add edi,sizeof(REGION_INFORMATION)
		dec RegionNumber
	.until Zero?
	mov ecx,SectionHandle
	mov edx,MapAddress
	mov ebx,Map
	xor eax,eax
	assume ebx:PMAP
	mov [ebx].Handle,ecx
	mov [ebx].MapBase,edx
	jmp Exit
ErrRead:
	push eax
	invoke ZwUnmapViewOfSection, NtCurrentProcess, MapAddress
	pop eax
ErrMap:
	push eax
	invoke ZwClose, SectionHandle
	pop eax
Exit:
	ret
PsProtectImage endp

	assume fs:nothing
Entry proc
Local Map:MAP
	mov eax,fs:[TEB.Peb]
	mov eax,PEB.Ldr[eax]
	mov eax,PEB_LDR_DATA.InLoadOrderModuleList.Flink[eax]
	mov eax,LDR_DATA_TABLE_ENTRY.InLoadOrderModuleList.Flink[eax]
	mov ecx,LDR_DATA_TABLE_ENTRY.InLoadOrderModuleList.Flink[eax]
	invoke PsProtectImage, NtCurrentProcess, LDR_DATA_TABLE_ENTRY.DllBase[Ecx], addr Map
	jmp $
Entry endp
end Entry

tl;dr
Remapping image by sections with different protection, disallowing code modification. How reliable this method? i was looking to translate this to c++ and test...

[EP_X0FF]

This

Code: Select all

test [edi].Protect,PAGE_WRITECOPY
      .if !Zero?
         and [edi].Protect,NOT(PAGE_WRITECOPY)
         or [edi].Protect,PAGE_READWRITE
      .endif
      invoke ZwMapViewOfSection, SectionHandle, ProcessHandle, addr TargetMapAddress, NULL, NULL, addr SectionOffset, addr ViewSize, ViewShare, AT_ROUND_TO_PAGE, [edi].Protect

will never work on modern Windows. This code maps pieces of section with 4K granularity (and requires this), while Windows uses 64K page granularity. And this flag AT_ROUND_TO_PAGE long time ago removed.

As you probably know this guy is fat troll running Windows XP SP2 on his P4 PC and coding all his stuff for it. You can forget about this x86 windows xp trash.

[kmd]

NtMapViewOfSection returns STATUS_INVALID_PARAMETER_9 hehe. x64, wow64 does not work.

[EP_X0FF]

NtMapViewOfSection returns STATUS_INVALID_PARAMETER_9 hehe. x64, wow64 does not work.

I told you this will work only on 32 bit Windows XP.

This code was dead since 2006