
轻松安排断链VAD的内存块

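// Walks forward from BaseAddress one page (0x1000) at a time and returns the
// number of bytes that are readable in the target process but, according to
// PhGetMemoryBasicInfor, report no AllocationBase (the "no VAD" condition the
// callers print as "NoVad"). The walk stops at the first page that cannot be
// read or whose query reports an AllocationBase; a failed query does not stop
// the walk, matching the original behaviour.
//
// h            handle to the target process (must permit reads and queries)
// BaseAddress  page-aligned start address inside the target process
// returns      block size in bytes, always a multiple of 0x1000; 0 when the
//              very first page is unreadable or already has an AllocationBase
//              (callers must not use 0 as a loop step)
DWORD GetBlockMemorySize(HANDLE h, PVOID BaseAddress) {
    const DWORD page = 0x1000;
    DWORD size = 0;
    for (;;) {
        PUCHAR probe = (PUCHAR)BaseAddress + size;
        // ReadProcessMemory needs a destination; the value read is never used,
        // the call only tests readability of the page.
        DWORD scratch = 0;
        if (!ReadProcessMemory(h, probe, &scratch, sizeof(scratch), NULL)) {
            break;
        }
        MEMORY_BASIC_INFORMATION info;
        if (NT_SUCCESS(PhGetMemoryBasicInfor(h, probe, &info)) && info.AllocationBase) {
            break;
        }
        // Guard against DWORD wrap-around on an unexpectedly long readable range.
        if (size > 0xFFFFFFFF - page) {
            break;
        }
        size += page;
    }
    return size;
}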

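// Returns the textual working-set protection (from the WorkingSet table) of the
// first resident page that lies inside [BaseAddress, BaseAddress + size), or
// "Not Found!" when the working set cannot be read or no page of the block is
// resident.
//
// Fixes relative to the original: the range test was `address > BaseAddress`,
// which excluded the block's own first page (so a one-page block could never
// match); it is now inclusive at the base. The buffer returned by
// PhGetProcessWorkingSetInformation is caller-owned (DetectionUnlinkVad_Pages
// releases it with free()) and was leaked here; it is now freed.
//
// h            handle to the target process
// BaseAddress  page-aligned start of the block
// size         block length in bytes
std::string GetOrignalProtectByWorkingSet(HANDLE h, PVOID BaseAddress, DWORD size) {
    std::string ret = "Not Found!";
    PMEMORY_WORKING_SET_INFORMATION wsi = nullptr;
    if (!NT_SUCCESS(PhGetProcessWorkingSetInformation(h, &wsi))) {
        return ret;
    }
    const __int64 begin = (__int64)BaseAddress;
    const __int64 end = (__int64)((PUCHAR)BaseAddress + size);
    for (size_t i = 0; i < wsi->NumberOfEntries; i++) {
        // Each working-set entry is decoded as the listing does elsewhere:
        // the low 5 bits are the protection index, the page-aligned high bits
        // the virtual address.
        const __int64 block = *(__int64*)&wsi->WorkingSetInfo[i];
        const __int64 protection = block & 0x1f;
        const __int64 address = block & 0xFFFFFFFFFFFFF000ui64;
        if (address >= begin && address < end) {
            ret = WorkingSet[protection];
            break;
        }
    }
    free(wsi);
    return ret;
}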
// Placeholder: intended page-table based counterpart of
// GetOrignalProtectByWorkingSet, not implemented in this listing. Calling it
// has no effect; the parameters are unused.
VOID GetOrignalProtectByPageTable(HANDLE h, PVOID BaseAddress, DWORD size) {

}
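// Scans the user-mode range [0x1000, MmHighestUserAddress) of process h for
// pages that PhGetMemoryBasicInfor reports without an AllocationBase yet are
// readable (the "NoVad" condition), prints each such block with its size and
// the protection recovered from the working set, and stops at the first
// address whose query fails.
//
// Fixes relative to the original: a std::string was passed straight to "%s"
// (undefined behaviour) and is now passed via c_str(); the block size was
// measured twice and the second answer used as the loop step, which can be 0
// if the target's memory changed in between — it is measured once, and a
// non-positive step is replaced by one page so the loop always progresses;
// "%p" receives a pointer instead of an __int64.
//
// h  handle to the target process
VOID DectionKernelMappedPages(HANDLE h) {
    printf("DectionKernelMappedPages Begin!\n");
    // Can detect pages that have no VAD and are not in the working set
    // (e.g. kernel-mapped pages), as the original comment stated.
    const __int64 MmHighestUserAddress = 0x00007fffffffffff;
    __int64 check_address = 0x1000;

    while (check_address < MmHighestUserAddress) {
        MEMORY_BASIC_INFORMATION info;
        if (!NT_SUCCESS(PhGetMemoryBasicInfor(h, (PVOID)check_address, &info))) {
            break;
        }

        // Default step: the queried region; replaced by the measured block when
        // a NoVad block is found.
        __int64 advance = info.RegionSize;
        if (!info.AllocationBase) {
            DWORD context = 0;
            if (ReadProcessMemory(h, (PVOID)check_address, &context, sizeof(context), NULL)) {
                const DWORD Block_Size = GetBlockMemorySize(h, (PVOID)check_address);
                const std::string protect = GetOrignalProtectByWorkingSet(h, (PVOID)check_address, Block_Size);
                printf("Detection NoVad NoWorkingSet Pages address:%p Size:0x%x GetOrignalProtectByWorkingSet:[%s]\n",
                       (PVOID)check_address, Block_Size, protect.c_str());
                advance = Block_Size;
            }
        }
        // Never stall on a zero-sized answer.
        if (advance <= 0) {
            advance = 0x1000;
        }
        check_address += advance;
    }

    printf("DectionKernelMappedPages End!\n");
}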
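// Enumerates the working set of process h and prints every resident page whose
// WorkingSet protection name contains "xecutable" (matches "Executable" and
// "executable" spellings in the table), then releases the working-set buffer.
// The VAD cross-check that would turn this list into actual unlinked-VAD hits
// is kept below as a disabled block for reference.
//
// Fixes relative to the original: an unused PUNICODE_STRING local (only the
// disabled block referenced it) is removed; "%p" receives a pointer instead of
// an __int64.
//
// h  handle to the target process
VOID DetectionUnlinkVad_Pages(HANDLE h) {
    printf("DetectionUnlinkVad_Pages Begin!\n");
    InitWorkingSetMap();
    PMEMORY_WORKING_SET_INFORMATION wsi;

    if (NT_SUCCESS(PhGetProcessWorkingSetInformation(h, &wsi))) {
        for (size_t i = 0; i < wsi->NumberOfEntries; i++) {
            // Low 5 bits: protection index into WorkingSet; page-aligned high
            // bits: virtual address (same decoding as GetOrignalProtectByWorkingSet).
            const __int64 block = *(__int64*)&wsi->WorkingSetInfo[i];
            const __int64 protection = block & 0x1f;
            const __int64 address = block & 0xFFFFFFFFFFFFF000ui64;
            if (strstr(WorkingSet[protection].c_str(), "xecutable")) {
                printf("%p %s\n", (PVOID)address, WorkingSet[protection].c_str());
            }
            // Disabled VAD cross-check, kept verbatim for reference. Note that
            // its final `else` branch reads BasicInfo after the query failed,
            // so it would need fixing before being re-enabled.
            /**
            if (strstr(WorkingSet[protection].c_str(),"xecutable"))
            {
                if (NT_SUCCESS(PhGetMemoryMappedFileName(h, (PVOID)address, &FileName)))
                {
                    if (!find_and_insert_one(FileName->Buffer))
                    {
                        //printf("MappedModule:%Sn", FileName->Buffer);
                    }

                }
                else
                {
                    MEMORY_BASIC_INFORMATION BasicInfo = { 0 };

                    if (NT_SUCCESS(PhGetMemoryBasicInfor(h, (PVOID)address, &BasicInfo)))
                    {
                        if (!BasicInfo.AllocationBase)
                        {
                            printf("Detection UnlinkVad Page address:%p protection:[%s]n", address, WorkingSet[protection].c_str());
                        }

                    }
                    else
                    {
                        DWORD Protect = 0;

                        if (BasicInfo.Protect==0)
                        {
                            Protect = BasicInfo.AllocationProtect;

                        }
                        else
                        {
                            Protect = BasicInfo.Protect;
                        }

                        if (!IsPageExecutable(Protect))
                        {
                            printf("NoImage address:%p VAD:[does not have execute] Page_protection:[%s]n", address, WorkingSet[protection].c_str());
                        }
                        else
                        {
                            printf("NoImage address:%p protection:[%s]n", address, WorkingSet[protection].c_str());
                        }

                    }

                }
            }
           */
        }
        // Buffer is caller-owned; release it as the original did.
        free(wsi);
    }

    printf("DetectionUnlinkVad_Pages End!\n");
}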