├── .gitattributes
├── .gitignore
├── README.md
├── remap.sln
├── remap
    ├── ep.cpp
    ├── exports.def
    ├── remap.cpp
    ├── remap.vcxproj
    ├── remap.vcxproj.filters
    ├── remap.vcxproj.user
    ├── stdafx.cpp
    └── stdafx.h
└── x64
    └── Release
        ├── remap.dll
        └── test.bat


/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .vs
2 | *.pdb
3 | tmp
4 | *.obj
5 | *.lib
6 | *.exp
7 | *.aps
8 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # remap
 2 | 
 3 | break link between dll and it file on disk
 4 | 
 5 | we can do next:
 6 | 
 7 | - create section backed by the paging file.
 8 | - map this section at any address
 9 | - copy self image to this section
10 | - call special func inside new mapped section
11 | - this func unmap our image section and then map new section at this address 
12 | 
13 | possibilite that some another code allocate memory at this range after we unmap image and before map new section in practic zero
14 | virtual alloc not allocate memory with this (dll/exe) range, if not specify exactly address
15 | 
16 | - return back to dll normal address range (now it already on paged section)
17 | - unmap first (temporary) view of page section and close it
18 | 
19 | dll code still full functional (exceptions, cfg) all is work ok
20 | we can delete dll from disk, or modify it code after this
21 | 
22 | one drawback of this method is if we debug the code - after we unmap image section - debugger get notify about it and usually no more support symbol/src code debugging of dll.
23 | to solve this problem - we can create a thread and hide it from the debugger
24 | and unmap image section from this thread. however this need only during code debug
25 | 


--------------------------------------------------------------------------------
/remap.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.6.33723.286
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "remap", "remap\remap.vcxproj", "{EF8D1C34-5D14-E565-3D1E-C26038B139A2}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Release|x64 = Release|x64
11 | 		Release|x86 = Release|x86
12 | 	EndGlobalSection
13 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | 		{EF8D1C34-5D14-E565-3D1E-C26038B139A2}.Release|x64.ActiveCfg = Release|x64
15 | 		{EF8D1C34-5D14-E565-3D1E-C26038B139A2}.Release|x64.Build.0 = Release|x64
16 | 		{EF8D1C34-5D14-E565-3D1E-C26038B139A2}.Release|x86.ActiveCfg = Release|Win32
17 | 		{EF8D1C34-5D14-E565-3D1E-C26038B139A2}.Release|x86.Build.0 = Release|Win32
18 | 	EndGlobalSection
19 | 	GlobalSection(SolutionProperties) = preSolution
20 | 		HideSolutionNode = FALSE
21 | 	EndGlobalSection
22 | 	GlobalSection(ExtensibilityGlobals) = postSolution
23 | 		    SolutionGuid = {02CBAC98-6E29-4905-AFD0-58F888300D18}
24 | 		        SolutionGuid = {57A26A32-842E-4E42-A665-AEA0F9F88593}
25 | 	EndGlobalSection
26 | EndGlobal
27 | 


--------------------------------------------------------------------------------
/remap/ep.cpp:
--------------------------------------------------------------------------------
 1 | #include "stdafx.h"
 2 | 
 3 | void RemapSelf();
 4 | 
 5 | VOID NTAPI OnApc(
 6 | 	_In_ ULONG_PTR Parameter
 7 | )
 8 | {
 9 | 	DbgPrint("%hs(%hs)\n", __FUNCTION__, Parameter);
10 | }
11 | 
12 | LONG OnException(PEXCEPTION_POINTERS pep)
13 | {
14 | 	switch (pep->ExceptionRecord->ExceptionCode)
15 | 	{
16 | 	case DBG_RIPEXCEPTION:
17 | 		return EXCEPTION_CONTINUE_EXECUTION;
18 | 	case STATUS_ACCESS_VIOLATION:
19 | 		return EXCEPTION_EXECUTE_HANDLER;
20 | 	}
21 | 
22 | 	return EXCEPTION_CONTINUE_SEARCH;
23 | }
24 | 
25 | STDAPI DllUnregisterServer()
26 | {
27 | 	OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, OBJ_CASE_INSENSITIVE };
28 | 
29 | 	NTSTATUS status = STATUS_NO_MEMORY;
30 | 
31 | 	if (oa.ObjectName = (PUNICODE_STRING)LocalAlloc(LMEM_FIXED, 0x10000))
32 | 	{
33 | 		SIZE_T s;
34 | 		if (0 <= (status = ZwQueryVirtualMemory(NtCurrentProcess(), &__ImageBase, 
35 | 			MemoryMappedFilenameInformation, oa.ObjectName, 0x10000  - sizeof(WCHAR), &s)))
36 | 		{
37 | 			*(PWSTR)RtlOffsetToPointer(oa.ObjectName->Buffer, oa.ObjectName->Length) = 0;
38 | 			MessageBoxW(0, oa.ObjectName->Buffer, L"RemapSelf", MB_ICONINFORMATION);
39 | 			if (IsDebuggerPresent()) __debugbreak();
40 | 			RemapSelf();
41 | 			status = ZwDeleteFile(&oa);
42 | 		}
43 | 		LocalFree(oa.ObjectName);
44 | 	}
45 | 
46 | 	WCHAR sz[64];
47 | 
48 | 	swprintf_s(sz, _countof(sz), L"DeleteFile=%x", status);
49 | 	MessageBoxW(0, sz, sz, 0 > status ? MB_ICONWARNING : MB_ICONINFORMATION);
50 | 
51 | 	if (0 <= status)
52 | 	{
53 | 		// check exceptions
54 | 		__try 
55 | 		{
56 | 			RaiseException(DBG_RIPEXCEPTION, 0, 0, 0);
57 | 			DbgPrint("...\n");
58 | 			*(int*)0 = 0;
59 | 		}
60 | 		__except (OnException(exception_info())) 
61 | 		{
62 | 			DbgPrint("!! %x\r", exception_code());
63 | 		}
64 | 
65 | 		// check CFG still work
66 | 		QueueUserAPC(OnApc, NtCurrentThread(), (ULONG_PTR)"Parameter");
67 | 		NtTestAlert();
68 | 	}
69 | 	
70 | 	return status;
71 | }


--------------------------------------------------------------------------------
/remap/exports.def:
--------------------------------------------------------------------------------
1 | EXPORTS
2 | 
3 | DllUnregisterServer PRIVATE
4 | 


--------------------------------------------------------------------------------
/remap/remap.cpp:
--------------------------------------------------------------------------------
 1 | #include "stdafx.h"
 2 | 
 3 | typedef NTSTATUS
 4 | (NTAPI * MapViewOfSection)(
 5 | 						   _In_ HANDLE SectionHandle,
 6 | 						   _In_ HANDLE ProcessHandle,
 7 | 						   _Outptr_result_bytebuffer_(*ViewSize) PVOID *BaseAddress,
 8 | 						   _In_ ULONG_PTR ZeroBits,
 9 | 						   _In_ SIZE_T CommitSize,
10 | 						   _Inout_opt_ PLARGE_INTEGER SectionOffset,
11 | 						   _Inout_ PSIZE_T ViewSize,
12 | 						   _In_ SECTION_INHERIT InheritDisposition,
13 | 						   _In_ ULONG AllocationType,
14 | 						   _In_ ULONG Win32Protect
15 | 						   );
16 | 
17 | void RemapSelf_I(PVOID ImageBase, HANDLE hSection, MapViewOfSection Map)
18 | {
19 | 	if (0 <= ZwUnmapViewOfSection(NtCurrentProcess(), ImageBase))
20 | 	{
21 | 		SIZE_T ViewSize = 0;
22 | 		if (0 > Map(hSection, NtCurrentProcess(), &ImageBase, 0, 0, 0, &ViewSize, ViewUnmap, 0, PAGE_EXECUTE_READWRITE))
23 | 		{
24 | 			__debugbreak();
25 | 		}
26 | 	}
27 | }
28 | 
29 | struct DTP {
30 | 	HANDLE hSection;
31 | 	union {
32 | 		PVOID pfn;
33 | 		void (*remap) (PVOID, HANDLE, MapViewOfSection);
34 | 	};
35 | };
36 | 
37 | NTSTATUS NTAPI RemapSelf_T(DTP * params)
38 | {
39 | 	params->remap(&__ImageBase, params->hSection, ZwMapViewOfSection);
40 | 	return 0;
41 | }
42 | 
43 | void RemapSelf()
44 | {
45 | 	if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(&__ImageBase))
46 | 	{
47 | 		ULONG SizeOfImage = pinth->OptionalHeader.SizeOfImage;
48 | 		DTP params;
49 | 		LARGE_INTEGER size = { SizeOfImage };
50 | 		if (0 <= ZwCreateSection(&params.hSection, SECTION_ALL_ACCESS, 0, &size, PAGE_EXECUTE_READWRITE, SEC_COMMIT, 0))
51 | 		{
52 | 			PVOID BaseAddress = 0;
53 | 			SIZE_T ViewSize = 0;
54 | 			if (0 <= ZwMapViewOfSection(params.hSection, NtCurrentProcess(), &BaseAddress, 
55 | 				0, 0, 0, &ViewSize, ViewUnmap, 0, PAGE_EXECUTE_READWRITE))
56 | 			{
57 | 				memcpy(BaseAddress, &__ImageBase, SizeOfImage);
58 | 
59 | 				params.pfn = RtlOffsetToPointer(BaseAddress, RtlPointerToOffset(&__ImageBase, RemapSelf_I));
60 | 
61 | 				if (IsDebuggerPresent())
62 | 				{
63 | 					HANDLE hThread;
64 | 					if (0 <= RtlCreateUserThread(NtCurrentProcess(), 0, TRUE, 0, 0x1000, 0x1000, 
65 | 						(PUSER_THREAD_START_ROUTINE)RemapSelf_T, &params, &hThread, 0))
66 | 					{
67 | 						ZwSetInformationThread(hThread, ThreadHideFromDebugger, 0, 0);
68 | 						if (0 > ZwResumeThread(hThread, 0) ||
69 | 							WAIT_OBJECT_0 != ZwWaitForSingleObject(hThread, FALSE, 0))
70 | 						{
71 | 							__debugbreak();
72 | 						}
73 | 
74 | 						NtClose(hThread);
75 | 					}
76 | 				}
77 | 				else
78 | 				{
79 | 					RemapSelf_T(&params);
80 | 				}
81 | 
82 | 				ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress);
83 | 			}
84 | 
85 | 			NtClose(params.hSection);
86 | 		}
87 | 	}
88 | }
89 | 


--------------------------------------------------------------------------------
/remap/remap.vcxproj:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup Label="ProjectConfigurations">
 4 |     <ProjectConfiguration Include="Release|Win32">
 5 |       <Configuration>Release</Configuration>
 6 |       <Platform>Win32</Platform>
 7 |     </ProjectConfiguration>
 8 |     <ProjectConfiguration Include="Release|x64">
 9 |       <Configuration>Release</Configuration>
10 |       <Platform>x64</Platform>
11 |     </ProjectConfiguration>
12 |   </ItemGroup>
13 |   <PropertyGroup Label="Globals">
14 |     <VCProjectVersion>16.0</VCProjectVersion>
15 |     <Keyword>Win32Proj</Keyword>
16 |     <ProjectGuid>{EF8D1C34-5d14-E565-3D1E-C26038B139A2}</ProjectGuid>
17 |     <RootNamespace>remap</RootNamespace>
18 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
19 |     <UserRootDir>$(SolutionDir)..\MSBuild\v4.0</UserRootDir>
20 |   </PropertyGroup>
21 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
22 |   <PropertyGroup Label="Configuration">
23 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
24 |     <UseDebugLibraries>false</UseDebugLibraries>
25 |     <PlatformToolset>v143</PlatformToolset>
26 |     <CharacterSet>Unicode</CharacterSet>
27 |     <WholeProgramOptimization>true</WholeProgramOptimization>
28 |   </PropertyGroup>
29 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
30 |   <ImportGroup Label="ExtensionSettings">
31 |   </ImportGroup>
32 |   <ImportGroup Label="Shared">
33 |   </ImportGroup>
34 |   <ImportGroup Label="PropertySheets">
35 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Label="LocalAppDataPlatform" />
36 |   </ImportGroup>
37 |   <PropertyGroup Label="UserMacros" />
38 |   <PropertyGroup>
39 |     <LinkIncremental>false</LinkIncremental>
40 |   </PropertyGroup>
41 |   <ItemDefinitionGroup>
42 |     <ClCompile>
43 |       <WarningLevel>Level4</WarningLevel>
44 |       <FunctionLevelLinking>true</FunctionLevelLinking>
45 |       <Optimization>MaxSpeed</Optimization>
46 |       <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">../../pnth</AdditionalIncludeDirectories>
47 |     </ClCompile>
48 |     <Link>
49 |       <SubSystem>Windows</SubSystem>
50 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
51 |       <OptimizeReferences>true</OptimizeReferences>
52 |       <GenerateDebugInformation>true</GenerateDebugInformation>
53 |       <EnableUAC>false</EnableUAC>
54 |       <EntryPointSymbol>
55 |       </EntryPointSymbol>
56 |       <AdditionalOptions>/EMITPOGOPHASEINFO /EMITVOLATILEMETADATA:NO  /guard:cf %(AdditionalOptions)</AdditionalOptions>
57 |       <NoEntryPoint Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</NoEntryPoint>
58 |       <ModuleDefinitionFile Condition="'$(Configuration)|$(Platform)'=='Release|x64'">exports.def</ModuleDefinitionFile>
59 |       <ModuleDefinitionFile Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">exports.def</ModuleDefinitionFile>
60 |     </Link>
61 |   </ItemDefinitionGroup>
62 |   <ItemGroup>
63 |     <ClInclude Include="stdafx.h" />
64 |   </ItemGroup>
65 |   <ItemGroup>
66 |     <ClCompile Include="ep.cpp" />
67 |     <ClCompile Include="remap.cpp" />
68 |     <ClCompile Include="stdafx.cpp">
69 |       <PrecompiledHeader>Create</PrecompiledHeader>
70 |     </ClCompile>
71 |   </ItemGroup>
72 |   <ItemGroup>
73 |     <None Include="exports.def" />
74 |   </ItemGroup>
75 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
76 |   <ImportGroup Label="ExtensionTargets">
77 |   </ImportGroup>
78 | </Project>


--------------------------------------------------------------------------------
/remap/remap.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="stdafx.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="ep.cpp">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |     <ClCompile Include="remap.cpp">
25 |       <Filter>Source Files</Filter>
26 |     </ClCompile>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClInclude Include="stdafx.h">
30 |       <Filter>Header Files</Filter>
31 |     </ClInclude>
32 |   </ItemGroup>
33 |   <ItemGroup>
34 |     <None Include="exports.def">
35 |       <Filter>Source Files</Filter>
36 |     </None>
37 |   </ItemGroup>
38 | </Project>


--------------------------------------------------------------------------------
/remap/remap.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
4 |     <LocalDebuggerCommand>C:\WINDOWS\SYSTEM32\regsvr32.exe</LocalDebuggerCommand>
5 |     <LocalDebuggerCommandArguments>/u "$(TargetPath)"</LocalDebuggerCommandArguments>
6 |     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
7 |   </PropertyGroup>
8 | </Project>


--------------------------------------------------------------------------------
/remap/stdafx.cpp:
--------------------------------------------------------------------------------
 1 | #include "stdafx.h"
 2 | 
 3 | void* __cdecl operator new[](size_t ByteSize)
 4 | {
 5 |   return HeapAlloc(GetProcessHeap(), 0, ByteSize);
 6 | }
 7 | 
 8 | void* __cdecl operator new(size_t ByteSize)
 9 | {
10 |   return HeapAlloc(GetProcessHeap(), 0, ByteSize);
11 | }
12 | 
13 | void __cdecl operator delete(void* Buffer)
14 | {
15 |   HeapFree(GetProcessHeap(), 0, Buffer);
16 | }
17 | 
18 | void __cdecl operator delete(void* Buffer, size_t)
19 | {
20 |   HeapFree(GetProcessHeap(), 0, Buffer);
21 | }
22 | 
23 | void __cdecl operator delete[](void* Buffer)
24 | {
25 |   HeapFree(GetProcessHeap(), 0, Buffer);
26 | }
27 | 
28 | void __cdecl operator delete[](void* Buffer, size_t)
29 | {
30 |   HeapFree(GetProcessHeap(), 0, Buffer);
31 | }


--------------------------------------------------------------------------------
/remap/stdafx.h:
--------------------------------------------------------------------------------
 1 | #define DECLSPEC_DEPRECATED_DDK
 2 | 
 3 | #define _CRT_SECURE_NO_DEPRECATE
 4 | #define _CRT_NON_CONFORMING_SWPRINTFS
 5 | #define _NO_CRT_STDIO_INLINE
 6 | #define _CRT_SECURE_CPP_OVERLOAD_SECURE_NAMES 0
 7 | #define _ALLOW_COMPILER_AND_STL_VERSION_MISMATCH
 8 | #define __EDG__
 9 | #define USE_ATL_THUNK2
10 | 
11 | #ifndef DECLSPEC_IMPORT
12 | #define DECLSPEC_IMPORT __declspec(dllimport)
13 | #endif
14 | 
15 | #define DPAPI_IMP DECLSPEC_IMPORT
16 | #define _CRTIMP DECLSPEC_IMPORT
17 | #define _CRTIMP_ALT DECLSPEC_IMPORT
18 | 
19 | 
20 | #define CMSG_SIGNED_ENCODE_INFO_HAS_CMS_FIELDS
21 | #define CMSG_SIGNER_ENCODE_INFO_HAS_CMS_FIELDS
22 | #define CRYPT_OID_INFO_HAS_EXTRA_FIELDS
23 | 
24 | #pragma warning(disable : 4073 4074 4075 4097 4514 4005 4200 4201 4238 4307 4324 4392 4480 4530 4706 5040)
25 | #include <stdlib.h>
26 | //#include <wchar.h>
27 | #include <stdio.h>
28 | #include <string.h>
29 | 
30 | #include <WinSock2.h>
31 | #include <intrin.h>
32 | #include <windowsx.h>
33 | #undef WIN32_NO_STATUS
34 | #include <ntstatus.h>
35 | #include <winioctl.h>
36 | #include <Commctrl.h>
37 | 
38 | //#include <atlbase.h>
39 | //#include <atlwin.h>
40 | 
41 | EXTERN_C IMAGE_DOS_HEADER __ImageBase;
42 | 
43 | #ifndef PHNT_MODE
44 | #define PHNT_MODE PHNT_MODE_USER
45 | #endif
46 | 
47 | #ifndef PHNT_VERSION
48 | #define PHNT_VERSION PHNT_WIN11_22H2
49 | #endif
50 | 
51 | #define _NTLSA_
52 | 
53 | #if PHNT_MODE == PHNT_MODE_USER
54 | #define SECURITY_WIN32
55 | #endif
56 | 
57 | #pragma warning(disable : 4073 4074 4075 4097 4514 4005 4200 4201 4238 4307 4324 4471 4480 4530 4706 5040)
58 | 
59 | typedef GUID* PGUID;
60 | 
61 | #define PHNT_NO_INLINE_INIT_STRING
62 | #include "phnt.h"
63 | 
64 | #pragma warning(default : 4392)
65 | 


--------------------------------------------------------------------------------
/x64/Release/remap.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rbmm/remap/efeaaa05518c730c73c48c6c3a85f28186eb55d4/x64/Release/remap.dll


--------------------------------------------------------------------------------
/x64/Release/test.bat:
--------------------------------------------------------------------------------
1 | regsvr32 /u remap.dll


--------------------------------------------------------------------------------