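├── README.md ├── ReadMe.txt ├── dllmain.cpp ├── runpedmp.cpp ├── runpedmp.sln ├── runpedmp.vcxproj ├── runpedmp.vcxproj.filters ├── stdafx.cpp ├── stdafx.h └── targetver.h /README.md: -------------------------------------------------------------------------------- 1 | # runpedmp 2 | -------------------------------------------------------------------------------- /ReadMe.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hidd3ncod3s/runpedmp/940bb0f049fcafa62fe0bfe838f3165faa1b1e84/ReadMe.txt -------------------------------------------------------------------------------- /dllmain.cpp: --------------------------------------------------------------------------------
// dllmain.cpp : Defines the entry point for the DLL application.
//
// runpedmp: a Microsoft Detours based DLL that hooks the process-creation and
// remote-memory routines a "RunPE" / process-hollowing style loader goes through
// and writes the image it is about to place in the child process to disk
// (see DumpMemory), so the unpacked payload can be analysed offline.
// All diagnostics go through OUTPUTME (Syelog by default).
//
// The code is 32-bit only: pointers are cast to DWORD in several places and
// the project only defines Win32 configurations.
#include "stdafx.h"
// NOTE(review): the angle-bracket names of the six system includes below were
// stripped by the rendering that produced this listing; restore them from the
// upstream dllmain.cpp before building.
#include
#include
#include "detours.h"
#include
#include
#include
#include

#pragma comment(lib, "detours")
#pragma comment(lib, "syelog")

#define DEBUG 1

// Select exactly one log sink. SYELOG is the default; PRINT2CONSOLE writes to
// the hooked process' stdout; OUTPUT2FILE expects a FILE *ofp to be in scope.
//#define PRINT2CONSOLE 1
#define SYELOG 1
//#define OUTPUT2FILE 1

#ifdef PRINT2CONSOLE
#define OUTPUTME(...) printf(__VA_ARGS__)
//#define OUTPUTME(...) wprintf(__VA_ARGS__)
#elif SYELOG
#define OUTPUTME(...) Syelog(SYELOG_SEVERITY_NOTICE, __VA_ARGS__)
#elif OUTPUT2FILE
#define OUTPUTME(...) fprintf(ofp, __VA_ARGS__)
#else
// No sink selected: compile the log statements away instead of failing on an
// undefined macro at the first OUTPUTME().
#define OUTPUTME(...) ((void)0)
#endif

// Saved pointers to a handful of Win32 routines. Nothing in this file uses
// them; they are kept because they have external linkage and are initialised
// at load time, so removing them could affect other translation units.
extern "C" {

HANDLE ( WINAPI *
         Real_CreateFileW)(LPCWSTR a0,
                           DWORD a1,
                           DWORD a2,
                           LPSECURITY_ATTRIBUTES a3,
                           DWORD a4,
                           DWORD a5,
                           HANDLE a6)
    = CreateFileW;

BOOL ( WINAPI *
       Real_WriteFile)(HANDLE hFile,
                       LPCVOID lpBuffer,
                       DWORD nNumberOfBytesToWrite,
                       LPDWORD lpNumberOfBytesWritten,
                       LPOVERLAPPED lpOverlapped)
    = WriteFile;
BOOL ( WINAPI *
       Real_FlushFileBuffers)(HANDLE hFile)
    = FlushFileBuffers;
BOOL ( WINAPI *
       Real_CloseHandle)(HANDLE hObject)
    = CloseHandle;

BOOL ( WINAPI *
       Real_WaitNamedPipeW)(LPCWSTR lpNamedPipeName, DWORD nTimeOut)
    = WaitNamedPipeW;
BOOL ( WINAPI *
       Real_SetNamedPipeHandleState)(HANDLE hNamedPipe,
                                     LPDWORD lpMode,
                                     LPDWORD lpMaxCollectionCount,
                                     LPDWORD lpCollectDataTimeout)
    = SetNamedPipeHandleState;

DWORD ( WINAPI *
        Real_GetCurrentProcessId)(VOID)
    = GetCurrentProcessId;
VOID ( WINAPI *
       Real_GetSystemTimeAsFileTime)(LPFILETIME lpSystemTimeAsFileTime)
    = GetSystemTimeAsFileTime;

VOID ( WINAPI *
       Real_InitializeCriticalSection)(LPCRITICAL_SECTION lpSection)
    = InitializeCriticalSection;
VOID ( WINAPI *
       Real_EnterCriticalSection)(LPCRITICAL_SECTION lpSection)
    = EnterCriticalSection;
VOID ( WINAPI *
       Real_LeaveCriticalSection)(LPCRITICAL_SECTION lpSection)
    = LeaveCriticalSection;
}

// Prototype of the undocumented kernel32 export that every CreateProcess*
// variant funnels into. Declared for reference only; the address actually
// used is resolved with GetProcAddress in DllMain.
DWORD WINAPI CreateProcessInternalW(
    __in DWORD unknown1,                              // always (?) NULL
    __in_opt LPCTSTR lpApplicationName,
    __inout_opt LPTSTR lpCommandLine,
    __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
    __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
    __in BOOL bInheritHandles,
    __in DWORD dwCreationFlags,
    __in_opt LPVOID lpEnvironment,
    __in_opt LPCTSTR lpCurrentDirectory,
    __in LPSTARTUPINFO lpStartupInfo,
    __out LPPROCESS_INFORMATION lpProcessInformation,
    __in DWORD unknown2                               // always (?) NULL
);

// Nothing in this file calls this; presumably exported only so the DLL has at
// least one export for injection tooling to reference — confirm before removing.
__declspec(dllexport) VOID __cdecl dummy()
{
    return;
}

// Signatures of the native routines that are detoured, each with the pointer
// DllMain fills in. Before DetourAttach the pointer holds the real export;
// after it, the Detours trampoline — the hooks always forward through it.
typedef DWORD (WINAPI *_CreateProcessInternalW)(DWORD unknown1, LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation, DWORD unknown2);
static _CreateProcessInternalW original_CreateProcessInternalW;

typedef NTSTATUS (WINAPI *_ZwAllocateVirtualMemory)(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
static _ZwAllocateVirtualMemory original_ZwAllocateVirtualMemory;

typedef NTSTATUS (WINAPI *_ZwWriteVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
static _ZwWriteVirtualMemory original_ZwWriteVirtualMemory;

typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT, *PSECTION_INHERIT;

typedef NTSTATUS (WINAPI *_ZwMapViewOfSection)(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, SECTION_INHERIT InheritDisposition, ULONG AllocationType, ULONG Win32Protect);
static _ZwMapViewOfSection original_ZwMapViewOfSection;

typedef NTSTATUS (WINAPI* _NtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);
static _NtUnmapViewOfSection original_NtUnmapViewOfSection;

typedef NTSTATUS (WINAPI *_NtGetContextThread)(HANDLE ThreadHandle, PCONTEXT pContext );
static _NtGetContextThread original_NtGetContextThread;

typedef NTSTATUS (WINAPI *_NtSetContextThread)(HANDLE ThreadHandle, PCONTEXT pContext );
static _NtSetContextThread original_NtSetContextThread;

typedef NTSTATUS (WINAPI *_ZwResumeProcess)(HANDLE ProcessHandle);
static _ZwResumeProcess original_ZwResumeProcess;

typedef NTSTATUS (WINAPI *_ZwResumeThread)(HANDLE ThreadHandle, PULONG SuspendCount);
static _ZwResumeThread original_ZwResumeThread;

typedef NTSTATUS (WINAPI *_NtAlertResumeThread)(HANDLE ThreadHandle, PULONG SuspendCount);
static _NtAlertResumeThread original_NtAlertResumeThread;

typedef NTSTATUS (WINAPI *_ZwTerminateProcess)(HANDLE ProcessHandle, NTSTATUS ExitStatus);
static _ZwTerminateProcess original_ZwTerminateProcess;

// State shared between the hooks. Everything here is written from whichever
// thread happens to run the hooked call; there is no locking, so the tool
// assumes a single loader thread (as the original did).
HANDLE rProcessHandle;          // process created with CREATE_SUSPENDED (HookedCreateProcessInternalW)
HANDLE rThreadHandle;           // its primary thread; the context/resume hooks key on this

LPVOID r_lpAddress;             // base of the last large remote allocation (HookedZwAllocateVirtualMemory)
DWORD r_Size;                   // size of that allocation
DWORD gDumpCounter;             // sequence number used in dump file names
DWORD g_PrevWriteProcessMemory; // size of the last remote write; written but never read
BOOL bInjected = false;         // set once DllMain has attempted to install the hooks
LPCVOID glpBuffer;              // local source buffer of the write that hit r_lpAddress
DWORD g_r_Size;                 // r_Size at the time of that write
LPVOID g_r_lpAddress;           // r_lpAddress at the time of that write

// Manual debugging aids. Not called anywhere in this file; kept so a
// breakpoint or spin can be dropped into a hook while investigating.
__forceinline void AttachtoDebuggernow()
{
    __asm
    {
        int 3
    }
}

__forceinline void loopmenow()
{
start:
    goto start;
}

// True when hProcess refers to a process other than our own. Both spellings of
// the current-process pseudo handle are checked, as the original hooks did.
static bool IsRemoteProcessHandle(HANDLE hProcess)
{
    return hProcess != (HANDLE)-1 && hProcess != ::GetCurrentProcess();
}

// Buffers no larger than this are written out untouched; larger ones are
// inspected for a PE header so the ImageBase can be rewritten.
static const DWORD kMinSizeForPeFixup = 1024;
// ImageBase stored into the dumped header when the caller asks for the fix.
static const DWORD kDefaultImageBase = 0x00400000;

/*
 * Write bSize bytes starting at lpTargetAddr to a file named
 * "ph_<handle>_<addr>_<n>.exe_" in the current directory of the hooked process.
 *
 *   hProcess        source process, or NULL to read lpTargetAddr from our own
 *                   address space. The local read is SEH-guarded: a fault
 *                   truncates the dump at the first unreadable byte.
 *   lpTargetAddr    start of the region to dump. NULL dumps nothing.
 *   bSize           number of bytes to dump. 0 dumps nothing.
 *   lpNewImageBase  address the image is going to live at in the target. When
 *                   the copied data is a PE whose OptionalHeader.ImageBase
 *                   already equals it and fixme is true, ImageBase is rewritten
 *                   to kDefaultImageBase in the copy — presumably so the dump
 *                   looks like an ordinary un-relocated executable; upstream
 *                   gives no rationale.
 *   fixme           whether to apply that ImageBase rewrite.
 *
 * All work happens on a private heap copy, so the header patch never touches
 * the source memory. Failures are logged under DEBUG and otherwise ignored.
 */
VOID DumpMemory(HANDLE hProcess, LPVOID lpTargetAddr, DWORD bSize, LPVOID lpNewImageBase, bool fixme)
{
    CHAR szFilePath[MAX_PATH + 1];
    HANDLE hFile = INVALID_HANDLE_VALUE;
    DWORD bWritten = 0;
    CHAR *bBuffer = NULL;

#ifdef DEBUG
    OUTPUTME("DumpMemory process handle %08x\n\tAddress= %08x\n\tsize= %d\n", hProcess, lpTargetAddr, bSize);
#endif

    if (lpTargetAddr == NULL || bSize == 0) {
#ifdef DEBUG
        OUTPUTME("DumpMemory(): Not dumping now.\n");
#endif
        return;
    }

    bBuffer = (CHAR *)calloc(1, bSize);
    if (!bBuffer) {
#ifdef DEBUG
        OUTPUTME("Error in allocating memory.");
#endif
        return;
    }

    if (hProcess != NULL) {
        if (!ReadProcessMemory(hProcess, lpTargetAddr, bBuffer, bSize, &bWritten)) {
#ifdef DEBUG
            OUTPUTME("Error in reading memory.");
#endif
            goto cleanup;
        }
    } else {
        // The local source is memory owned by the loader being watched and may
        // end before bSize, so copy byte by byte under SEH and keep whatever
        // was readable before the fault.
        DWORD index = 0;
        __try
        {
            for (index = 0; index < bSize; index++) {
                bBuffer[index] = ((char *)lpTargetAddr)[index];
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
#ifdef DEBUG
            OUTPUTME("Exception handler %lX\n", _exception_code());
#endif
        }
        bSize = index;
        if (bSize == 0) {
#ifdef DEBUG
            OUTPUTME("DumpMemory(): nothing readable at the source address.\n");
#endif
            goto cleanup;
        }
    }

    if (bSize > kMinSizeForPeFixup) {
        PIMAGE_DOS_HEADER pidosh = (PIMAGE_DOS_HEADER)bBuffer;
        // e_lfanew comes from the dumped data, which may be garbage or
        // deliberately malformed: only follow it when the whole NT header
        // lies inside our copy (bSize > 1024 so the subtraction cannot wrap).
        if (pidosh->e_magic == IMAGE_DOS_SIGNATURE &&
            pidosh->e_lfanew >= 0 &&
            (DWORD)pidosh->e_lfanew <= bSize - sizeof(IMAGE_NT_HEADERS)) {
            PIMAGE_NT_HEADERS pinth = (PIMAGE_NT_HEADERS)((BYTE *)pidosh + pidosh->e_lfanew);
            if (pinth->Signature == IMAGE_NT_SIGNATURE) {
                PIMAGE_OPTIONAL_HEADER pioh = &pinth->OptionalHeader;
#ifdef DEBUG
                OUTPUTME("Imagebase= %08x\n", pioh->ImageBase);
#endif
                if (pioh->ImageBase == (DWORD)lpNewImageBase) {
#ifdef DEBUG
                    OUTPUTME("ImageBase is same\n");
#endif
                    if (fixme) {
                        pioh->ImageBase = kDefaultImageBase;
                    }
                }
            }
        }
    }

    // NOTE(review): gDumpCounter++ is not interlocked; two threads dumping at
    // once could pick the same name and CREATE_ALWAYS would overwrite one.
    _snprintf(szFilePath, MAX_PATH, "ph_%08x_%08x_%d.exe_", hProcess, (DWORD)lpTargetAddr, gDumpCounter++);
    szFilePath[MAX_PATH] = '\0';   // _snprintf does not terminate on truncation

    hFile = CreateFileA(szFilePath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
#ifdef DEBUG
        OUTPUTME("Error in dumping the memory\n");
#endif
        goto cleanup;
    }

#ifdef DEBUG
    OUTPUTME("DumpMemory \n\tbSize= %d\n", bSize);
#endif
    if (!WriteFile(hFile, bBuffer, bSize, &bWritten, NULL) || bWritten != bSize) {
#ifdef DEBUG
        OUTPUTME("Error in writing the dump (wrote %d of %d bytes)\n", bWritten, bSize);
#endif
    }
    CloseHandle(hFile);

cleanup:
    free(bBuffer);
}

#ifdef DEBUG
// Log prefix followed by the multibyte form of a wide string. The buffer is
// sized with wcstombs(NULL, ...) so characters that expand to several bytes
// cannot overflow it (wcslen()+2 did not account for that). A NULL string or
// an unconvertible character logs nothing.
static void LogWideString(const char *prefix, LPCWSTR wide)
{
    if (wide == NULL) {
        return;
    }
    size_t needed = wcstombs(NULL, wide, 0);
    if (needed == (size_t)-1) {
        return;
    }
    char *mb = (char *)calloc(1, needed + 1);
    if (mb) {
        wcstombs(mb, wide, needed + 1);
        OUTPUTME("%s%s\n", prefix, mb);
        free(mb);
    }
}
#endif

/*
 * Hook for kernel32!CreateProcessInternalW. Every call is forwarded unchanged.
 * When the caller asks for CREATE_SUSPENDED — the first step of a hollowing
 * loader — the command line (or the application name when no command line is
 * given) is logged and the new process and primary-thread handles are saved in
 * rProcessHandle/rThreadHandle for the context and resume hooks to match on.
 */
static DWORD WINAPI HookedCreateProcessInternalW(DWORD unknown1, LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation, DWORD unknown2)
{
    const bool suspended = (dwCreationFlags & CREATE_SUSPENDED) != 0;

    if (suspended) {
#ifdef DEBUG
        if (lpCommandLine != NULL) {
            LogWideString("Creating process in suspended stage: ", lpCommandLine);
        } else {
            LogWideString("Creating process/app in suspended stage: ", lpApplicationName);
        }
#endif
    }

    DWORD retvalue = original_CreateProcessInternalW(unknown1, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, unknown2);

    // lpProcessInformation is only dereferenced when the caller supplied it.
    if (suspended && lpProcessInformation != NULL) {
#ifdef DEBUG
        OUTPUTME("\tCreated processes process handle %08x\n", lpProcessInformation->hProcess);
        OUTPUTME("\tCreated processes thread handle %08x\n", lpProcessInformation->hThread);
#endif
        rProcessHandle = lpProcessInformation->hProcess;
        rThreadHandle = lpProcessInformation->hThread;
    }

    return retvalue;
}

/*
 * Hook for ntdll!ZwMapViewOfSection. A section being mapped into another
 * process is first mapped into this process with the same offset and
 * protection, dumped with DumpMemory, and unmapped again; the caller's own
 * request is then forwarded untouched. Everything around the private mapping
 * is SEH-guarded so a bad SectionOffset/BaseAddress pointer cannot take the
 * hooked process down.
 */
NTSTATUS WINAPI HookedZwMapViewOfSection(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, SECTION_INHERIT InheritDisposition, ULONG AllocationType, ULONG Win32Protect)
{
    if (IsRemoteProcessHandle(ProcessHandle)) {
#ifdef DEBUG
        OUTPUTME("ZwMapViewOfSection on a remote process handle %08x\n\tAddress= %08x\n\tSectionOffset= %08x\n\tViewSize= %08x\n\tAllocationType= %08x\n\tWin32Protect= %08x\n", ProcessHandle, BaseAddress ? *BaseAddress : NULL, SectionOffset, ViewSize, AllocationType, Win32Protect);
#endif

        __try
        {
            PVOID local_BaseAddress = NULL;          // let the kernel pick the address
            LARGE_INTEGER local_sectionoffset = {0};
            SIZE_T local_viewsize = 0;               // map the whole section

            if (SectionOffset) {
                local_sectionoffset = *SectionOffset;
            }

            NTSTATUS returnvalue = original_ZwMapViewOfSection(SectionHandle, GetCurrentProcess(),
                                                               &local_BaseAddress, ZeroBits,
                                                               CommitSize,
                                                               SectionOffset == NULL ? NULL : &local_sectionoffset,
                                                               &local_viewsize, InheritDisposition,
                                                               AllocationType, Win32Protect);

#ifdef DEBUG
            OUTPUTME("After our mapping processHandle= %08x\n\tAddress= %08x\n\tViewSize= %08x\n\tAllocationType= %08x\n\tWin32Protect= %08x\n", ProcessHandle, local_BaseAddress, local_viewsize, AllocationType, Win32Protect);
#endif

            if (returnvalue == 0) {
                // FIXME (upstream): the target's image base is not known here,
                // so no ImageBase fix is attempted on this dump.
                DumpMemory(NULL, local_BaseAddress, (DWORD)local_viewsize, (LPVOID)0x0, FALSE);
                // The private view exists only for the dump (DumpMemory copies
                // into its own buffer); release it so each intercepted mapping
                // does not leak address space in this process.
                if (original_NtUnmapViewOfSection) {
                    original_NtUnmapViewOfSection(GetCurrentProcess(), local_BaseAddress);
                }
            } else {
#ifdef DEBUG
                OUTPUTME("Failed to map the section. %lX\n", returnvalue);
#endif
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
#ifdef DEBUG
            OUTPUTME("Exception handler(@ HookedZwMapViewOfSection) %lX\n", _exception_code());
#endif
        }
    }

    return original_ZwMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect);
}

// Hook for ntdll!NtUnmapViewOfSection: log-only. Unmapping in a remote process
// is how a hollowing loader evicts the original image before writing its own.
NTSTATUS WINAPI Hooked_NtUnmapViewOfSection(HANDLE ProcessHandle, PVOID BaseAddress)
{
    if (IsRemoteProcessHandle(ProcessHandle)) {
#ifdef DEBUG
        OUTPUTME("NtUnmapViewOfSection on a remote process handle %08x \n\tAddress= %08x\n", ProcessHandle, BaseAddress);
#endif
    }

    return original_NtUnmapViewOfSection(ProcessHandle, BaseAddress);
}

// Remote allocations of at most this many bytes are ignored; the image a
// loader writes is expected to be larger than a few pages.
static const SIZE_T kMinInterestingRegionSize = 4 * 4 * 1024;

/*
 * Hook for ntdll!ZwAllocateVirtualMemory. Forwards the call and, when it
 * succeeds for a large region in another process, records the base address and
 * size in r_lpAddress/r_Size so HookedZwWriteVirtualMemory can recognise the
 * write that fills it. Size and base are re-read after the call because the
 * kernel rounds both to allocation granularity.
 */
NTSTATUS WINAPI HookedZwAllocateVirtualMemory(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect)
{
    // Only dereference the caller's pointers when they are non-NULL; a bad
    // pointer would otherwise fault inside the hook instead of being rejected
    // by the kernel.
    const bool interesting = IsRemoteProcessHandle(ProcessHandle) &&
                             RegionSize != NULL && BaseAddress != NULL &&
                             *RegionSize > kMinInterestingRegionSize;

    if (interesting) {
#ifdef DEBUG
        OUTPUTME("ZwAllocateVirtualMemory on a remote process handle %08x\n\tAddress= %08x\n\tsize= %d\n", ProcessHandle, *BaseAddress, *RegionSize);
#endif
    }

    NTSTATUS returnValue = original_ZwAllocateVirtualMemory(ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect);

    // The kernel only rounds RegionSize up, and the threshold is page-aligned,
    // so re-checking the size here would give the same answer as before.
    if (returnValue == 0 && interesting) {
#ifdef DEBUG
        OUTPUTME("ZwAllocateVirtualMemory(Return) on a remote process handle %08x\n\tAddress= %08x\n\tsize= %d\n\treturn=0x%08x\n", ProcessHandle, *BaseAddress, *RegionSize, returnValue);
#endif
        r_lpAddress = *BaseAddress;
        r_Size = (DWORD)*RegionSize;
    }

    return returnValue;
}

/*
 * Hook for ntdll!ZwWriteVirtualMemory. A write into another process that starts
 * exactly at the base recorded by HookedZwAllocateVirtualMemory is taken to be
 * the loader copying its image in. The dump is taken from the *local* source
 * buffer (lpBuffer) over the full allocation size r_Size rather than nSize,
 * because loaders often write the image header first and the rest in later
 * calls; the read is SEH-guarded in DumpMemory and stops at the first
 * unreadable byte (readable bytes beyond a shorter buffer are dumped as-is).
 * The buffer/target pair is also saved so the resume hooks can dump again once
 * the loader has finished. The call itself is always forwarded unchanged.
 */
NTSTATUS WINAPI HookedZwWriteVirtualMemory(HANDLE ProcessHandle, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)
{
    if (IsRemoteProcessHandle(ProcessHandle)) {
        if (r_lpAddress == lpBaseAddress) {
#ifdef DEBUG
            OUTPUTME("ZwWriteVirtualMemory on a remote process handle %08x\n\tLocal Address= %08x\n\tRemote Address= %08x\n\tsize= %d\n", ProcessHandle, lpBuffer, lpBaseAddress, nSize);
#endif
            glpBuffer = lpBuffer;
            g_r_Size = r_Size;
            g_r_lpAddress = r_lpAddress;
            // Two copies: one with ImageBase rewritten to the default, one as found.
            DumpMemory(NULL, lpBuffer, r_Size, r_lpAddress, TRUE);
            DumpMemory(NULL, lpBuffer, r_Size, r_lpAddress, FALSE);
        }
        g_PrevWriteProcessMemory = (DWORD)nSize;
    }
    return original_ZwWriteVirtualMemory(ProcessHandle, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
}

// Hook for ntdll!NtGetContextThread: log-only, for the suspended child's thread.
NTSTATUS WINAPI HookedNtGetContextThread(HANDLE ThreadHandle, PCONTEXT pContext )
{
    if (ThreadHandle == rThreadHandle) {
#ifdef DEBUG
        OUTPUTME("Getting the Thread context of the remote handle %08x\n", ThreadHandle);
#endif
    }
    return original_NtGetContextThread(ThreadHandle, pContext);
}

// Hook for ntdll!NtSetContextThread: log-only. A loader sets the suspended
// thread's context to point at its own entry point before resuming it.
NTSTATUS WINAPI HookedNtSetContextThread(HANDLE ThreadHandle, PCONTEXT pContext )
{
    if (ThreadHandle == rThreadHandle) {
#ifdef DEBUG
        OUTPUTME("Setting the Thread context of the remote handle %08x\n", ThreadHandle);
#endif
    }
    return original_NtSetContextThread(ThreadHandle, pContext);
}

// Hook for ntdll!ZwTerminateProcess: log-only, every call.
static NTSTATUS WINAPI HookedZwTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus)
{
#ifdef DEBUG
    OUTPUTME("Terminating the process.\n\tProcessHandle= %08x\n\tExitStatus= %08x\n", ProcessHandle, ExitStatus);
#endif
    return original_ZwTerminateProcess(ProcessHandle, ExitStatus);
}

// Hook for ntdll!ZwResumeThread. Resuming the suspended child's primary thread
// is the last step of the loader, so the recorded source buffer is dumped once
// more here to catch anything written after the first dump. If no qualifying
// write was seen, glpBuffer/g_r_Size are still NULL/0 and DumpMemory returns
// without writing anything.
NTSTATUS WINAPI HookedZwResumeThread(HANDLE ThreadHandle, PULONG SuspendCount)
{
    if (ThreadHandle == rThreadHandle) {
#ifdef DEBUG
        OUTPUTME("Resuming the Thread using ZwResumeThread() of the remote handle %08x\n", ThreadHandle);
#endif
        DumpMemory(NULL, (LPVOID)glpBuffer, g_r_Size, g_r_lpAddress, FALSE);
    }

    return original_ZwResumeThread(ThreadHandle, SuspendCount);
}

// Hook for ntdll!NtAlertResumeThread: same treatment as HookedZwResumeThread,
// for loaders that resume through this variant instead.
NTSTATUS WINAPI HookedNtAlertResumeThread(HANDLE ThreadHandle, PULONG SuspendCount)
{
    if (ThreadHandle == rThreadHandle) {
#ifdef DEBUG
        OUTPUTME("Resuming the Thread using NtAlertResumeThread() of the remote handle %08x\n", ThreadHandle);
#endif
        DumpMemory(NULL, (LPVOID)glpBuffer, g_r_Size, g_r_lpAddress, FALSE);
    }

    return original_NtAlertResumeThread(ThreadHandle, SuspendCount);
}

// Resolve an export from a system DLL that is already loaded in every process
// and log where it was found. Returns NULL when the export is missing; the
// DetourAttach for that pointer then fails and DetourTransactionCommit reports
// the error. The LoadLibraryW reference is deliberately never released:
// kernel32/ntdll stay mapped for the life of the process anyway.
static FARPROC ResolveExport(LPCWSTR moduleName, LPCSTR exportName)
{
    FARPROC proc = ::GetProcAddress(::LoadLibraryW(moduleName), exportName);
    OUTPUTME("%s() @ 0x%08x\n", exportName, proc);
    return proc;
}

/*
 * DLL entry point. On DLL_PROCESS_ATTACH it opens the Syelog channel, resolves
 * the native routines listed above and installs all hooks in one Detours
 * transaction; on DLL_PROCESS_DETACH it removes them and closes the log.
 * Detours helper processes (DetourIsHelperProcess) are left alone. All of this
 * runs under the loader lock, which is why nothing here touches the dump path.
 */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{
    LONG error;
    (void)hinst;
    (void)reserved;

    if (DetourIsHelperProcess()) {
        return TRUE;
    }

    if (dwReason == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();

#ifdef SYELOG
        SyelogOpen("runpedmp", SYELOG_FACILITY_APPLICATION);
#endif

        if (!original_CreateProcessInternalW) {
            original_CreateProcessInternalW = (_CreateProcessInternalW)ResolveExport(L"kernel32.dll", "CreateProcessInternalW");
        }
        if (!original_NtUnmapViewOfSection) {
            original_NtUnmapViewOfSection = (_NtUnmapViewOfSection)ResolveExport(L"ntdll.dll", "NtUnmapViewOfSection");
        }
        if (!original_ZwAllocateVirtualMemory) {
            original_ZwAllocateVirtualMemory = (_ZwAllocateVirtualMemory)ResolveExport(L"ntdll.dll", "ZwAllocateVirtualMemory");
        }
        if (!original_ZwWriteVirtualMemory) {
            original_ZwWriteVirtualMemory = (_ZwWriteVirtualMemory)ResolveExport(L"ntdll.dll", "ZwWriteVirtualMemory");
        }
        if (!original_NtGetContextThread) {
            original_NtGetContextThread = (_NtGetContextThread)ResolveExport(L"ntdll.dll", "NtGetContextThread");
        }
        if (!original_NtSetContextThread) {
            original_NtSetContextThread = (_NtSetContextThread)ResolveExport(L"ntdll.dll", "NtSetContextThread");
        }
        if (!original_ZwResumeThread) {
            original_ZwResumeThread = (_ZwResumeThread)ResolveExport(L"ntdll.dll", "ZwResumeThread");
        }
        if (!original_NtAlertResumeThread) {
            original_NtAlertResumeThread = (_NtAlertResumeThread)ResolveExport(L"ntdll.dll", "NtAlertResumeThread");
        }
        if (!original_ZwMapViewOfSection) {
            original_ZwMapViewOfSection = (_ZwMapViewOfSection)ResolveExport(L"ntdll.dll", "ZwMapViewOfSection");
        }
        if (!original_ZwTerminateProcess) {
            original_ZwTerminateProcess = (_ZwTerminateProcess)ResolveExport(L"ntdll.dll", "ZwTerminateProcess");
        }

        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)original_CreateProcessInternalW, HookedCreateProcessInternalW);
        DetourAttach(&(PVOID&)original_ZwAllocateVirtualMemory, HookedZwAllocateVirtualMemory);
        DetourAttach(&(PVOID&)original_ZwWriteVirtualMemory, HookedZwWriteVirtualMemory);
        DetourAttach(&(PVOID&)original_ZwMapViewOfSection, HookedZwMapViewOfSection);
        DetourAttach(&(PVOID&)original_NtUnmapViewOfSection, Hooked_NtUnmapViewOfSection);
        DetourAttach(&(PVOID&)original_NtGetContextThread, HookedNtGetContextThread);
        DetourAttach(&(PVOID&)original_NtSetContextThread, HookedNtSetContextThread);
        DetourAttach(&(PVOID&)original_NtAlertResumeThread, HookedNtAlertResumeThread);
        DetourAttach(&(PVOID&)original_ZwResumeThread, HookedZwResumeThread);
        DetourAttach(&(PVOID&)original_ZwTerminateProcess, HookedZwTerminateProcess);
        error = DetourTransactionCommit();

        if (error == NO_ERROR) {
#ifdef DEBUG
            OUTPUTME("All the hooks are installed\n");
#endif
        }
        else {
            // DetourTransactionCommit returns the error code itself; GetLastError()
            // is not what it reports through.
#ifdef DEBUG
            OUTPUTME("Error occurred while initializing Hook (error: %d)", error);
#endif
        }

        // Set even when the commit failed so DETACH still runs the detach
        // attempt and closes the log, as the original did.
        bInjected = true;

    }
    else if (dwReason == DLL_PROCESS_DETACH) {
        if (!bInjected)
            return TRUE;

        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)original_CreateProcessInternalW, HookedCreateProcessInternalW);
        DetourDetach(&(PVOID&)original_ZwAllocateVirtualMemory, HookedZwAllocateVirtualMemory);
        DetourDetach(&(PVOID&)original_ZwWriteVirtualMemory, HookedZwWriteVirtualMemory);
        DetourDetach(&(PVOID&)original_ZwMapViewOfSection, HookedZwMapViewOfSection);
        DetourDetach(&(PVOID&)original_NtUnmapViewOfSection, Hooked_NtUnmapViewOfSection);
        DetourDetach(&(PVOID&)original_NtGetContextThread, HookedNtGetContextThread);
        DetourDetach(&(PVOID&)original_NtSetContextThread, HookedNtSetContextThread);
        DetourDetach(&(PVOID&)original_NtAlertResumeThread, HookedNtAlertResumeThread);
        DetourDetach(&(PVOID&)original_ZwResumeThread, HookedZwResumeThread);
        DetourDetach(&(PVOID&)original_ZwTerminateProcess, HookedZwTerminateProcess);
        error = DetourTransactionCommit();
        if (error == NO_ERROR) {
#ifdef DEBUG
            OUTPUTME("All the hooks are uninstalled\n");
#endif
        }
        else {
#ifdef DEBUG
            OUTPUTME("Error occurred while uninitializing Hook (error: %d)", error);
#endif
        }

#ifdef SYELOG
        SyelogClose(false);
#endif
    }
    return TRUE;
}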
-------------------------------------------------------------------------------- /runpedmp.cpp: -------------------------------------------------------------------------------- 1 | // runpedmp.cpp : Defines the exported functions for the DLL application. 2 | // 3 | 4 | #include "stdafx.h" 5 | 6 | 7 | -------------------------------------------------------------------------------- /runpedmp.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "runpedmp", "runpedmp.vcxproj", "{3171DD28-1992-4F64-9BA8-F2047D5AE7A9}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {3171DD28-1992-4F64-9BA8-F2047D5AE7A9}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {3171DD28-1992-4F64-9BA8-F2047D5AE7A9}.Debug|Win32.Build.0 = Debug|Win32 14 | {3171DD28-1992-4F64-9BA8-F2047D5AE7A9}.Release|Win32.ActiveCfg = Release|Win32 15 | {3171DD28-1992-4F64-9BA8-F2047D5AE7A9}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /runpedmp.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {3171DD28-1992-4F64-9BA8-F2047D5AE7A9} 15 | Win32Proj 16 | runpedmp 17 | 18 | 19 | 20 | DynamicLibrary 21 | true 22 | Unicode 23 | 24 | 25 | DynamicLibrary 26 | false 27 | true 28 | Unicode 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | true 42 | C:\Tools\Microsoft Research\Detours Express 
3.0\include;$(IncludePath) 43 | C:\Tools\Microsoft Research\Detours Express 3.0\lib.X86;$(LibraryPath) 44 | 45 | 46 | false 47 | C:\Tools\Microsoft Research\Detours Express 3.0\include;$(IncludePath) 48 | C:\Tools\Microsoft Research\Detours Express 3.0\lib.X86;$(LibraryPath) 49 | 50 | 51 | 52 | Use 53 | Level3 54 | Disabled 55 | WIN32;_DEBUG;_WINDOWS;_USRDLL;RUNPEDMP_EXPORTS;%(PreprocessorDefinitions) 56 | EnableFastChecks 57 | 58 | 59 | Windows 60 | true 61 | %(AdditionalDependencies) 62 | 63 | 64 | 65 | 66 | Level3 67 | Use 68 | Disabled 69 | true 70 | true 71 | WIN32;NDEBUG;_WINDOWS;_USRDLL;RUNPEDMP_EXPORTS;%(PreprocessorDefinitions) 72 | 73 | 74 | Windows 75 | true 76 | true 77 | true 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | false 90 | 91 | 92 | false 93 | 94 | 95 | 96 | 97 | 98 | Create 99 | Create 100 | 101 | 102 | 103 | 104 | 105 | -------------------------------------------------------------------------------- /runpedmp.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // runpedmp.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: 
reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files: 12 | #include 13 | 14 | 15 | 16 | // TODO: reference additional headers your program requires here 17 | -------------------------------------------------------------------------------- /targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | --------------------------------------------------------------------------------