[C/C++] Memory patcher to deal with (ASLR)

Insid3Code · #1 10-21-2015, 02:20

Code snippet updated to support Wow64 for 64bit patcher to patch 32bit target...

PHP Code:


			
#include <windows.h>

#include <stdio.h>



#ifdef _WIN64

#define CAPTION "atomos - memory patcher for chimera #01 (64-bit)"

#define EXENAME "target64.exe" // change it to target "target32.exe" for Wow64 test.

#else

#define CAPTION "atomos - memory patcher for chimera #01 (32-bit)"

#define EXENAME "target32.exe"

#endif



int iWinMain() {

    PROCESS_INFORMATION lpProcessInfo = {0};

    STARTUPINFO lpStartupInfo = {0};



    printf("%s\nFilename: %s\n\n", CAPTION, EXENAME);



    if(CreateProcessA(EXENAME,

                      NULL,

                      NULL,

                      NULL,

                      0,

                      CREATE_SUSPENDED,

                      NULL,

                      NULL,

                      &lpStartupInfo,

                      &lpProcessInfo))    {



#ifdef _WIN64  // 64bit Application

        DWORD64* peb64bit;

        DWORD32* wowPeb;



        CONTEXT lpContext64bit = {0};

        WOW64_CONTEXT lpWoWContext = {0};



        DWORD64 uTargetAddress64bit;

        char newByte64bit;



        DWORD64 uTargetAddressWow64;

        char newByteWow64;



        BOOL  Wow64Process = FALSE;



        IsWow64Process(lpProcessInfo.hProcess, &Wow64Process);



        if (Wow64Process) { // Wow64 Process

            lpWoWContext.ContextFlags = CONTEXT_FULL;

            Wow64GetThreadContext(lpProcessInfo.hThread, &lpWoWContext);

            wowPeb = (DWORD32*)lpWoWContext.Ebx;



            DWORD32 ImageBaseAddress = NULL;

            ReadProcessMemory(lpProcessInfo.hProcess,

                              &wowPeb[2],

                              (LPVOID)&ImageBaseAddress,

                              sizeof(DWORD32),

                              NULL);



            printf("[-] Wow64 ImageBase Address     = 0x%08X\n", ImageBaseAddress);

            printf("[-] Wow64 EntryPoint Address    = 0x%08X\n", lpWoWContext.Eax);

            printf("[-] Wow64 Process (PEB Address) = 0x%08X\n", lpWoWContext.Ebx);



            uTargetAddressWow64 = lpWoWContext.Eax + 0x64;

            newByteWow64 = 0x74;



            WriteProcessMemory(lpProcessInfo.hProcess,

                               (LPVOID)uTargetAddressWow64,

                               &newByteWow64,

                               1,

                               NULL);

        } else { // 64bit Process



            lpContext64bit.ContextFlags = CONTEXT_FULL;

            GetThreadContext(lpProcessInfo.hThread, &lpContext64bit);

            peb64bit = (DWORD64*)lpContext64bit.Rdx;



            DWORD64 ImageBaseAddress = NULL;

            ReadProcessMemory(lpProcessInfo.hProcess,

                              &peb64bit[2],

                              (LPVOID)&ImageBaseAddress,

                              sizeof(DWORD64),

                              NULL);



            printf("[-] 64bit ImageBase Address     = 0x%p\n", ImageBaseAddress);

            printf("[-] 64bit EntryPoint Address    = 0x%p\n", lpContext64bit.Rcx);

            printf("[-] 64bit Process (PEB Address) = 0x%p\n", lpContext64bit.Rdx);



            uTargetAddress64bit = lpContext64bit.Rcx + 0x7E;

            newByte64bit = 0x75;



            WriteProcessMemory(lpProcessInfo.hProcess,

                               (LPVOID)uTargetAddress64bit,

                               &newByte64bit,

                               1,

                               NULL);



        }



        ResumeThread(lpProcessInfo.hThread);

        WaitForSingleObject(lpProcessInfo.hThread, INFINITE);



#else // 32bit Application

        DWORD32* peb32bit;

        CONTEXT lpContext32bit = {0};



        DWORD32 uTargetAddress32bit;

        char newByte32bit;



        lpContext32bit.ContextFlags = CONTEXT_FULL;

        GetThreadContext(lpProcessInfo.hThread, &lpContext32bit);

        peb32bit = (DWORD32*)lpContext32bit.Ebx;



        DWORD32 ImageBaseAddress = NULL;

        ReadProcessMemory(lpProcessInfo.hProcess,

                          &peb32bit[2],

                          (LPVOID)&ImageBaseAddress,

                          sizeof(DWORD32),

                          NULL);



        printf("[-] 32bit ImageBase Address     = 0x%08X\n", ImageBaseAddress);

        printf("[-] 32bit EntryPoint Address    = 0x%08X\n", lpContext32bit.Eax);

        printf("[-] 32bit Process (PEB Address) = 0x%08X\n", lpContext32bit.Ebx);



        uTargetAddress32bit = lpContext32bit.Eax + 0x64;

        newByte32bit = 0x74;



        WriteProcessMemory(lpProcessInfo.hProcess,

                           (LPVOID)uTargetAddress32bit,

                           &newByte32bit,

                           1,

                           NULL);



        ResumeThread(lpProcessInfo.hThread);

        WaitForSingleObject(lpProcessInfo.hThread, INFINITE);

#endif



    }



    return 0;

}

Attached file contains (source and binary (32bit/64bit and Wow64) for testing purposes)

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
[Delphi] Check if ASLR is enabled	Agmcz	Source Code	15	06-11-2018 09:09
How to deal with threads ?	bcl25	General Discussion	4	03-29-2003 06:22

The Following 2 Users Gave Reputation+1 to Insid3Code For This Useful Post:
giv (10-21-2015), niculaita (10-21-2015)

The Following 12 Users Say Thank You to Insid3Code For This Useful Post:
b30wulf (10-21-2015), besoeso (10-21-2015), elephant (11-15-2015), giv (10-21-2015), Kjacky (10-21-2015), niculaita (10-21-2015), nikkapedd (10-22-2015), Sn!per X (11-27-2015), uel888 (11-28-2015), zeuscane (10-21-2015)