
Windows 10: relocation address calculated incorrectly

Open jazzybecker opened this issue 9 years ago • 0 comments

Got the problem again on an updated Windows 10. Here is the code:

/*
 * Prototype of the NtProtectVirtualMemory export that LoadFromMemory() looks up
 * in the memory-loaded image. NTAPI is the native-API calling convention
 * (__stdcall). BaseAddress and NumberOfBytesToProtect are in/out: the kernel
 * rounds them to page boundaries; OldAccessProtection receives the previous
 * protection.
 */
typedef LONG (NTAPI *tNtProtectVirtualMemory)(HANDLE ProcessHandle,
                                              PVOID *BaseAddress,            /* in/out */
                                              PULONG NumberOfBytesToProtect, /* in/out */
                                              ULONG NewAccessProtection,
                                              PULONG OldAccessProtection);   /* out */

/* Set by LoadFromMemory() from MemoryGetProcAddress(); stays NULL until then
 * (and when the export is missing), so callers must check it before calling. */
tNtProtectVirtualMemory pNtProtectVirtualMemory = NULL;

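/*
 * Load the test library from memory and exercise the MemoryModule API on it.
 *
 * Reads the raw image with ReadLibrary(), maps it with MemoryLoadLibrary(),
 * resolves NtProtectVirtualMemory from the mapped image into the global
 * pNtProtectVirtualMemory, then dumps the version resource and two
 * string-table entries.
 *
 * Fixes relative to the reported code:
 *  - the MemoryGetProcAddress() result is checked for NULL instead of being
 *    printed / called blindly (a NULL export is exactly the crash reported);
 *  - the pointer is printed with %p instead of %X (%X truncates to 32 bits
 *    and is undefined for a pointer argument);
 *  - MemoryLoadString() gets the buffer size in TCHARs, not bytes; with a
 *    UNICODE build sizeof(buffer) is twice the character count and lets the
 *    copy overrun the stack buffer;
 *  - DWORD is unsigned long, so it is printed with %lu.
 *
 * Ownership: `data` is returned by ReadLibrary(). Freeing it and the module
 * handle is deliberately left out (as in the reported code) while the
 * relocation problem is being investigated.
 */
void LoadFromMemory(void)
{
    void *data;
    size_t size;
    HMEMORYMODULE handle;
    HMEMORYRSRC resourceInfo;
    DWORD resourceSize;
    LPVOID resourceData;
    TCHAR buffer[100];
    /* MemoryLoadString's size argument counts characters (like LoadString's
     * cchBufferMax), so derive it from the element count, not sizeof. */
    const int bufferChars = (int)(sizeof(buffer) / sizeof(buffer[0]));

    data = ReadLibrary(&size);
    if (data == NULL)
    {
        return;
    }

    handle = MemoryLoadLibrary(data, size);
    if (handle == NULL)
    {
        _tprintf(_T("Can't load library from memory.\n"));
        goto exit;
    }

    pNtProtectVirtualMemory = (tNtProtectVirtualMemory)MemoryGetProcAddress(handle, "NtProtectVirtualMemory");
    if (pNtProtectVirtualMemory == NULL)
    {
        /* MemoryGetProcAddress returns NULL when the export is not present or
         * could not be resolved; report it rather than dereference it later. */
        _tprintf(_T("NtProtectVirtualMemory not found in the memory-loaded image.\n"));
    }
    else
    {
        /* %p prints the full pointer on both x86 and x64. */
        _tprintf(_T("From memory: 0x%p\n"), (void *)pNtProtectVirtualMemory);
    }

    /* Reproduction of the reported crash, kept disabled. If re-enabled it must
     * stay inside the pNtProtectVirtualMemory != NULL branch above. Note that
     * it changes the page at the main module's base to RWX. */
    PVOID pAddr = (PVOID)GetModuleHandleA("Test.exe");
    ULONG pSize = (ULONG)4;
    DWORD Old;
    (void)pAddr;
    (void)pSize;
    (void)Old;
    //pNtProtectVirtualMemory(GetCurrentProcess(), &pAddr, &pSize, PAGE_EXECUTE_READWRITE, &Old); //Crashed

    resourceInfo = MemoryFindResource(handle, MAKEINTRESOURCE(VS_VERSION_INFO), RT_VERSION);
    _tprintf(_T("MemoryFindResource returned 0x%p\n"), resourceInfo);

    resourceSize = MemorySizeofResource(handle, resourceInfo);
    resourceData = MemoryLoadResource(handle, resourceInfo);
    _tprintf(_T("Memory resource data: %lu bytes at 0x%p\n"), resourceSize, resourceData);

    MemoryLoadString(handle, 1, buffer, bufferChars);
    /* Guarantee termination in case the copy filled the buffer exactly. */
    buffer[bufferChars - 1] = _T('\0');
    _tprintf(_T("String1: %s\n"), buffer);

    MemoryLoadString(handle, 20, buffer, bufferChars);
    buffer[bufferChars - 1] = _T('\0');
    _tprintf(_T("String2: %s\n"), buffer);

    //MemoryFreeLibrary(handle);

exit:
    /* Placeholder so the label has a statement; data/handle intentionally
     * not released here (see header comment). */
    Sleep(0);
    //free(data);
}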

It loads successfully, but when I use

/* Reproduction: re-protect 4 bytes at the base of Test.exe (i.e. the page
 * holding its PE headers) as RWX through the memory-loaded export. The
 * size and address are rounded to page granularity by the call. */
PVOID pAddr = GetModuleHandleA("Test.exe");
ULONG pSize = 4;
DWORD Old = 0;

pNtProtectVirtualMemory(GetCurrentProcess(), &pAddr, &pSize, PAGE_EXECUTE_READWRITE, &Old);

it crashes. I then checked whether the pNtProtectVirtualMemory address is correct; here is the result.

SS1 : http://prnt.sc/cmfgbk SS2 : http://prnt.sc/cmfgeh

The relocation address is wrong: it points to NULL.

jazzybecker avatar Sep 26 '16 07:09 jazzybecker