Author Topic: help C++ Dll Relocation (zwclose7)  (Read 378 times)

leftspace

help C++ Dll Relocation (zwclose7)
« on: April 17, 2017, 04:26:16 pm »
Code: [Select]
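DWORD copymodule(HMODULE target)
{
    PVOID buffer = 0;
    MODULEINFO modinfo = {0};
    // Query the base address and size of the loaded module
    GetModuleInformation(GetCurrentProcess(), target, &modinfo, sizeof(MODULEINFO));
    // Allocate a private region of the same size and copy the image bytes into it
    buffer = VirtualAlloc(NULL, modinfo.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(buffer, reinterpret_cast<void*>(modinfo.lpBaseOfDll), modinfo.SizeOfImage);
    return (DWORD)buffer; // pointer returned as DWORD: 32-bit builds only
}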

Hello zwclose7, I shared this topic on rohitab, but rohitab is so slow to approve posts..

My problem: I copied the module to allocated memory, but calls and jmps go to wrong addresses.

I am trying to make a stealth edit, without patching bytes, by redirecting a memory region to my relocated module..
This code works in some processes, but something is wrong..

I wrote this code but it is wrong & amazing:
Code: [Select]
PUCHAR ptr;
DWORD delta = (DWORD)buffer - (DWORD)modinfo.lpBaseOfDll;
ptr = (PUCHAR)buffer;
for (DWORD i = (DWORD)buffer; i < modinfo.SizeOfImage + (DWORD)buffer; i++)
{
    if (*ptr == 0xE8)
    {
        *(PULONG)(ptr + 1) += delta;
    }
    if (*ptr == 0xE9)
    {
        *(PULONG)(ptr + 1) += delta;
    }
    ptr++;
}


and I wrote this code:

Code: [Select]

uint32_t adresal(PDISCPUSTATE pCpu, OP_PARAMETER *pParam1, OP_PARAMETER *pParam2, OP_PARAMETER *pParam3)
{
    int32_t disp;
    uint32_t addr;
    if (pParam1->flags & USE_IMMEDIATE8_REL)
    {
        disp = (int32_t)(char)pParam1->parval;
    }
    else if (pParam1->flags & USE_IMMEDIATE16_REL)
    {
        // relative displacements are signed, so sign-extend the 16-bit value
        disp = (int32_t)(int16_t)pParam1->parval;
    }
    else if (pParam1->flags & USE_IMMEDIATE32_REL)
    {
        disp = (int32_t)pParam1->parval;
    }
    else
    {
        printf("failed\n");
        return 0;
    }
    // target = address of the next instruction + displacement
    addr = (uint32_t)(pCpu->opaddr + pCpu->opsize) + disp;
    return addr;
}


DWORD srcadr = (DWORD)buffer;
for (DWORD i = (DWORD)modinfo.lpBaseOfDll; i < modinfo.SizeOfImage + (DWORD)modinfo.lpBaseOfDll; i++)
{
    DWORD st_aralık = (i - (DWORD)modinfo.lpBaseOfDll); // offset from the module base

    if ((*(BYTE*)srcadr == 0xE8) || (*(BYTE*)srcadr == 0xE9))
    {
        RTUINTPTR pInstr = (RTUINTPTR)i; // this address is the original module location

        // I am using the Sun VirtualBox disassembler lib
        /* local variables */
        DISCPUSTATE   cpu;
        char          szOutput[256];
        unsigned      cb = 0;

        /* init */
        RtlZeroMemory(&cpu, sizeof(cpu));
        cpu.mode = CPUMODE_32BIT;

        /* disassembler */
        if (!DISInstr(&cpu, pInstr, 0, &cb, szOutput))
        {
            if (cpu.opsize == 5)
            {
                DWORD adrescall = (DWORD)adresal(&cpu, &cpu.param1, &cpu.param2, &cpu.param3); // this is example : call 1235678 - this code return 1234568
                *(DWORD*)(srcadr + 1) = ((DWORD)adrescall - (DWORD)srcadr - 5); // this code patches the buffer's original call address: call 12121212 to > call 12345678
            }
        }
        else
        {
            printf("failed\n");
            return -1;
        }
    }
    srcadr++;
}


I tried my 3 methods, but result = failed relocation..

Please help me with the relocation code. The target module is packed with WinLicense or Themida..



Code pictures:

My stealth code:

Regards, LeftSpace

Sorry for my bad English..
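Added example, not part of the original post and not the poster's code: the arithmetic of E8/E9 rel32 operands when a whole image moves, and why matching opcode bytes one at a time miscounts instructions. All addresses, the image size and the sample bytes are constructed, and the length table is a toy that covers only the sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Absolute target of a 5-byte E8/E9 rel32 instruction located at insn_addr:
   the displacement is relative to the address of the NEXT instruction. */
uint32_t rel32_target(uint32_t insn_addr, int32_t disp) {
    return insn_addr + 5u + (uint32_t)disp;
}

/* Displacement that keeps the same logical target after the whole image
   moves from old_base to new_base (delta = new_base - old_base). */
int32_t rebase_rel32(int32_t disp, uint32_t insn_old, uint32_t old_base,
                     uint32_t image_size, uint32_t new_base) {
    uint32_t target = rel32_target(insn_old, disp);
    if (target - old_base < image_size)
        return disp;                  /* target moved with the image */
    return (int32_t)((uint32_t)disp - (new_base - old_base)); /* target stayed */
}

/* Constructed sample: mov eax,0xE8 ; call +0x10 ; ret */
const uint8_t SAMPLE[] = {0xB8,0xE8,0x00,0x00,0x00, 0xE8,0x10,0x00,0x00,0x00, 0xC3};

/* Byte scan: every 0xE8/0xE9 byte is treated as an opcode. */
int count_by_byte_scan(const uint8_t *p, size_t n) {
    int hits = 0;
    for (size_t i = 0; i + 4 < n; i++)
        if (p[i] == 0xE8 || p[i] == 0xE9) hits++;
    return hits;
}

/* Instruction-boundary walk. Toy length table covering only the opcodes in
   SAMPLE (assumption); real code needs a full length disassembler. */
int count_by_decoding(const uint8_t *p, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; ) {
        if (p[i] == 0xE8 || p[i] == 0xE9) { hits++; i += 5; }
        else if (p[i] >= 0xB8 && p[i] <= 0xBF) i += 5;   /* mov r32, imm32 */
        else if (p[i] == 0xC3) i += 1;                   /* ret */
        else return -1;                                  /* unknown opcode */
    }
    return hits;
}

int main(void) {
    printf("byte scan: %d, decoded: %d\n",
           count_by_byte_scan(SAMPLE, sizeof SAMPLE),
           count_by_decoding(SAMPLE, sizeof SAMPLE));
    return 0;
}
```

The byte scan reports two hits on the sample because the immediate of `mov eax,0xE8` contains an 0xE8 byte; only one of them is an instruction.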

leftspace

Re: help C++ Dll Relocation (zwclose7)
« Reply #1 on: April 20, 2017, 04:42:44 am »
Fixed this problem..
