C++ / C#
Ternick, 2020-07-18 15:40:41

Why does an error appear every other time when I try to run an exe file via "Run PE From Memory"?

Hello :)
I became interested in programs that protect applications (protectors) and wanted to write something minimally similar to them. (I don't expect this approach to protect anything serious, but any experience can be useful.) :)

THE CODE
#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <string>

using namespace std;

// Starts a suspended copy of the current executable and replaces what its
// initial thread will run with the PE image held in memory at Image.
//
// Image: pointer to the raw bytes of a PE file. The buffer's size is not
//        passed in, so none of the header fields read below can be
//        bounds-checked against it inside this function.
// Returns TRUE once ResumeThread has been called; FALSE if the NT signature
//        does not match, CreateProcess fails, or GetThreadContext fails.
//
// NOTE(review): the call sequence used here (CREATE_SUSPENDED process ->
// VirtualAllocEx -> WriteProcessMemory -> SetThreadContext -> ResumeThread)
// is the pattern catalogued as process hollowing (MITRE ATT&CK T1055.012).
// Endpoint security products commonly alert on it, so a binary built from
// this code should be expected to be flagged.
//
// NOTE(review): the code is 32-bit only. Pointers are cast to DWORD and the
// x86-only CONTEXT fields Ebx/Eax are used; in a 64-bit build the casts
// would truncate addresses.
BOOL RunPortableExecutable(void* Image)
{
  IMAGE_DOS_HEADER* DOSHeader;
  IMAGE_NT_HEADERS* NtHeader;
  IMAGE_SECTION_HEADER* SectionHeader;

  PROCESS_INFORMATION   PI;
  STARTUPINFOW SI;

  CONTEXT* CTX;

  DWORD* ImageBase;
  void* pImageBase;

  int count;
  wchar_t CurrentFilePath[1024];

  // NOTE(review): e_magic is never compared with IMAGE_DOS_SIGNATURE and
  // e_lfanew is used unvalidated, so a malformed or truncated file makes
  // NtHeader point outside the buffer before the signature test below runs.
  DOSHeader = PIMAGE_DOS_HEADER(Image);
  NtHeader = PIMAGE_NT_HEADERS(DWORD(Image) + DOSHeader->e_lfanew);

  // Path of the running executable; it is what gets launched suspended below.
  // NOTE(review): return value unchecked (failure or truncation goes unnoticed).
  GetModuleFileName(NULL, CurrentFilePath, 1024);

  if (NtHeader->Signature == IMAGE_NT_SIGNATURE)
  {
    ZeroMemory(&PI, sizeof(PI));
    ZeroMemory(&SI, sizeof(SI));

    // NOTE(review): SI.cb is left at 0 after ZeroMemory; the API documents
    // that it should be set to sizeof(SI).
    if (CreateProcess(CurrentFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &SI, &PI))
    {
      // NOTE(review): sizeof(CTX) is the size of a pointer, not of CONTEXT.
      // VirtualAlloc rounds the request up to a whole page, which is
      // presumably why this works; sizeof(CONTEXT) is what is meant. The
      // result is not checked for NULL and the block is never released.
      CTX = LPCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
      CTX->ContextFlags = CONTEXT_FULL;

      if (GetThreadContext(PI.hThread, LPCONTEXT(CTX)))
      {
        // Reads 4 bytes from Ebx + 8 in the child; presumably the recorded
        // image base of the new process (TODO confirm). The value stored in
        // ImageBase is never used afterwards.
        ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&ImageBase), 4, 0);

        // 0x3000 is MEM_COMMIT | MEM_RESERVE. The allocation is requested at
        // the image's preferred base and made readable, writable and
        // executable as a whole.
        // NOTE(review): an allocation at a fixed address returns NULL when
        // that range is already in use in the child, and the result is not
        // checked. Every write below would then target NULL + offset and the
        // thread would be resumed with an entry point in unmapped memory.
        // This looks like a plausible source of the intermittent failure
        // described on the page, since the child's layout can differ from
        // run to run; verify by logging pImageBase and GetLastError().
        pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(NtHeader->OptionalHeader.ImageBase),
          NtHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);

        // Copy the PE headers. NOTE(review): result unchecked.
        WriteProcessMemory(PI.hProcess, pImageBase, Image, NtHeader->OptionalHeader.SizeOfHeaders, NULL);

        // Copy each section's raw data to its virtual address in the child.
        for (count = 0; count < NtHeader->FileHeader.NumberOfSections; count++)
        {
          // NOTE(review): assumes the section table starts exactly
          // sizeof(IMAGE_NT_HEADERS) after NtHeader, i.e. that
          // FileHeader.SizeOfOptionalHeader matches the struct's optional header.
          SectionHeader = PIMAGE_SECTION_HEADER(DWORD(NtHeader) + sizeof(IMAGE_NT_HEADERS) + IMAGE_SIZEOF_SECTION_HEADER * count);

          // NOTE(review): PointerToRawData and SizeOfRawData come straight
          // from the file and are not checked against the buffer, so a
          // crafted header can make this read past the end of Image.
          WriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + SectionHeader->VirtualAddress),
            LPVOID(DWORD(Image) + SectionHeader->PointerToRawData), SectionHeader->SizeOfRawData, 0);
        }
        // Stores the preferred image base at Ebx + 8 in the child (the same
        // location read above).
        WriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8), LPVOID(&NtHeader->OptionalHeader.ImageBase), 4, 0);

        // Point Eax at the new image's entry point and apply the context.
        // NOTE(review): SetThreadContext and ResumeThread results are ignored,
        // so TRUE is returned even if either call failed.
        CTX->Eax = DWORD(pImageBase) + NtHeader->OptionalHeader.AddressOfEntryPoint;
        SetThreadContext(PI.hThread, LPCONTEXT(CTX));
        ResumeThread(PI.hThread);

        // NOTE(review): PI.hProcess and PI.hThread are never closed on any path.
        return TRUE;
      }
      // NOTE(review): reaching this point leaves the child process suspended
      // with nothing to terminate it.
    }
  }
  return FALSE;
}

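// Reads toProtect.exe from the working directory into a heap buffer and hands
// it to RunPortableExecutable.
//
// Returns 0 when RunPortableExecutable reports TRUE, 1 on any failure
// (file missing, unreadable, too small to hold a DOS header, out of memory,
// or RunPortableExecutable returning FALSE).
int main() {
  FILE* payload = _wfopen(L"toProtect.exe", L"rb"); //Only x32 apps
  if (payload == NULL) {
    // Without this check the fseek below would dereference a null FILE*.
    fprintf(stderr, "cannot open toProtect.exe\n");
    return 1;
  }

  // Determine the file length; fseek and ftell both report failure.
  if (fseek(payload, 0, SEEK_END) != 0) {
    fclose(payload);
    return 1;
  }
  const long length = ftell(payload);
  rewind(payload);

  // The callee starts by reading an IMAGE_DOS_HEADER from the buffer, so a
  // file shorter than that can never be valid and must not be passed on.
  if (length <= 0 || (size_t)length < sizeof(IMAGE_DOS_HEADER)) {
    fprintf(stderr, "toProtect.exe is empty or too small to be a PE file\n");
    fclose(payload);
    return 1;
  }
  const size_t size = (size_t)length;

  void* image = malloc(size);
  if (image == NULL) {
    fclose(payload);
    return 1;
  }

  // fread with count 1 returns 1 only if the whole file was read.
  const size_t items = fread(image, size, 1, payload);
  fclose(payload);
  if (items != 1) {
    fprintf(stderr, "short read on toProtect.exe\n");
    free(image);
    return 1;
  }

  const BOOL started = RunPortableExecutable(image);

  free(image);
  return started ? 0 : 1;
}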


Problem

Every other run I get this:
image489f34ec2723f785.png

Thanks :)
