i added get_peb to VDM and translated the modules base address

3 years ago · 80cd4b1faa
parent 489772464a
commit 80cd4b1faa
3 changed files with 59 additions and 53 deletions
--- a/README.md
+++ b/README.md
@ -31,52 +31,4 @@ and thus keep the PML4's synced.
 You can call functions that do not reference absolute addresses. This last sentence is pretty ambigous but in short, when the process is injected into another the space between the PML4E's
 is not the same (nor is the PML4E index the same).

-My suggestion is you call only small functions if you want to call functions. 
-
-# Example
-
-Since all of the processes memory is mapped into your process you can simply walk the processes PEB for loaded modules. Here is an example of how to do that.
-
-```cpp
-auto get_module_base(vdm::vdm_ctx* v_ctx, nasa::injector_ctx* rinjector, 
-	std::uint32_t pid, const wchar_t* module_name) -> std::uintptr_t
-{
-	const auto ppeb = 
-		reinterpret_cast<PPEB>(
-			rinjector->translate(
-				reinterpret_cast<std::uintptr_t>(v_ctx->get_peb(pid))));
-
-	const auto ldr_data = 
-		reinterpret_cast<PPEB_LDR_DATA>(
-			rinjector->translate(reinterpret_cast<std::uintptr_t>(ppeb->Ldr)));
-
-	auto current_entry = 
-		reinterpret_cast<LIST_ENTRY*>(
-			rinjector->translate(reinterpret_cast<std::uintptr_t>(
-				ldr_data->InMemoryOrderModuleList.Flink)));
-
-	while (current_entry != &ldr_data->InMemoryOrderModuleList)
-	{
-		const auto current_entry_data =
-			reinterpret_cast<PLDR_DATA_TABLE_ENTRY>(
-				reinterpret_cast<std::uintptr_t>(current_entry) - sizeof LIST_ENTRY);
-
-                // shit looks like a stair case LMFAO?
-                // need an elevator for this...
-		const auto entry_module_name =
-			reinterpret_cast<const wchar_t*>(
-				rinjector->translate(
-					reinterpret_cast<std::uintptr_t>(
-						reinterpret_cast<PUNICODE_STRING>(
-							reinterpret_cast<std::uintptr_t>(
-								&current_entry_data->FullDllName) + sizeof UNICODE_STRING)->Buffer)));
-
-		if (!_wcsicmp(entry_module_name, module_name))
-			return reinterpret_cast<std::uintptr_t>(current_entry_data->DllBase);
-
-		current_entry = reinterpret_cast<LIST_ENTRY*>(
-			rinjector->translate(reinterpret_cast<std::uintptr_t>(current_entry->Flink)));
-	}
-	return {};
-}
-```
+My suggestion is you call only small functions if you want to call functions. 
--- a/reverse-injector/main.cpp
+++ b/reverse-injector/main.cpp
@ -3,6 +3,50 @@
 #include "injector_ctx/injector_ctx.hpp"
 #include "set_mgr/set_mgr.hpp"

+auto get_module_base(vdm::vdm_ctx* v_ctx, nasa::injector_ctx* rinjector,
+	std::uint32_t pid, const wchar_t* module_name) -> std::uintptr_t
+{
+	const auto ppeb =
+		reinterpret_cast<PPEB>(
+			rinjector->translate(
+				reinterpret_cast<std::uintptr_t>(v_ctx->get_peb(pid))));
+
+	const auto ldr_data =
+		reinterpret_cast<PPEB_LDR_DATA>(
+			rinjector->translate(reinterpret_cast<std::uintptr_t>(ppeb->Ldr)));
+
+	auto current_entry =
+		reinterpret_cast<LIST_ENTRY*>(
+			rinjector->translate(reinterpret_cast<std::uintptr_t>(
+				ldr_data->InMemoryOrderModuleList.Flink)));
+
+	while (current_entry != &ldr_data->InMemoryOrderModuleList)
+	{
+		const auto current_entry_data =
+			reinterpret_cast<PLDR_DATA_TABLE_ENTRY>(
+				reinterpret_cast<std::uintptr_t>(current_entry) - sizeof LIST_ENTRY);
+
+		// shit looks like a stair case LMFAO?
+		// need an elevator for this...
+		const auto entry_module_name =
+			reinterpret_cast<const wchar_t*>(
+				rinjector->translate(
+					reinterpret_cast<std::uintptr_t>(
+						reinterpret_cast<PUNICODE_STRING>(
+							reinterpret_cast<std::uintptr_t>(
+								&current_entry_data->FullDllName) + sizeof UNICODE_STRING)->Buffer)));
+
+		if (!_wcsicmp(entry_module_name, module_name))
+			return rinjector->translate(
+				reinterpret_cast<std::uintptr_t>(
+					current_entry_data->DllBase));
+
+		current_entry = reinterpret_cast<LIST_ENTRY*>(
+			rinjector->translate(reinterpret_cast<std::uintptr_t>(current_entry->Flink)));
+	}
+	return {};
+}
+
 int __cdecl main(int argc, char** argv)
 {
 	if (argc < 3 || strcmp(argv[1], "--pid"))
@ -74,11 +118,11 @@ int __cdecl main(int argc, char** argv)
 	}

 	const auto ntdll_base = 
-		reinterpret_cast<std::uintptr_t>(
-			GetModuleHandleA("ntdll.dll"));
+		get_module_base(&vdm, &injector,
+			std::atoi(argv[2]), L"ntdll.dll");

-	const auto ntdll_base_injected = injector.translate(ntdll_base);
-	std::printf("[+] ntdll base -> 0x%p\n", ntdll_base_injected);
+	std::printf("[+] ntdll reverse injected base -> 0x%p\n", ntdll_base);
+	std::printf("[+] ntdll reverse injected MZ -> 0x%p\n", *(short*)ntdll_base);
 	std::printf("[+] press any key to close...\n");
 	std::getchar();
 }
--- a/reverse-injector/vdm_ctx/vdm_ctx.hpp
+++ b/reverse-injector/vdm_ctx/vdm_ctx.hpp
@ -114,6 +114,16 @@ namespace vdm
 			return peproc;
 		}

+		__forceinline auto get_peb(std::uint32_t pid) -> PPEB
+		{
+			static const auto ps_get_peb = 
+				util::get_kmodule_export(
+					"ntoskrnl.exe", "PsGetProcessPeb");
+
+			return this->syscall<PPEB(*)(PEPROCESS)>(
+				ps_get_peb, get_peprocess(pid));
+		}
+
 	private:
 		void locate_syscall(std::uintptr_t begin, std::uintptr_t end) const;
 		bool valid_syscall(void* syscall_addr) const;