How to be able to use NtUnmapViewOfSection from the Native API of windows?


I'm currently trying to implement some sort of a process hollowing (RunPE) technique, using C. Basically what I've done so far, is find the PEB and get the process's (in suspended mode) image base address. Now, I understand I have to use the function NtUnmapViewOfSection to "erase" the virtual memory of the process and replace it with mine.

But, whenever I try to use NtUnmapViewOfSection, it appears as white, and won't let me compile... I included <winternl.h> and in the linker options of Visual Studio 2019, I added the ntdll.lib dependency. But it still won't let me use it, even though it lets me use other functions from the Native API, such as NtQueryInformationProcess (to find the PEB's address).

Here's the code I have so far, if it's relevant:

#include <windows.h>
#include <stdio.h>
#include <winternl.h>

int main(int argc, char* argv[])
{

    printf("Creating process\r\n");

    LPSTARTUPINFOA si = (LPSTARTUPINFOA)calloc(1, sizeof(STARTUPINFOA));
    LPPROCESS_INFORMATION pi = (LPPROCESS_INFORMATION)calloc(1, sizeof(PROCESS_INFORMATION));

    if (!CreateProcessA
    (
        "C:\\Windows\\sysWOW64\\calc.exe", // Process uses LoadLibraryA and GetProcAddress. TODO: shellcode with LDR.
        NULL,
        NULL,
        NULL,
        NULL,
        CREATE_SUSPENDED,
        NULL,
        NULL,
        si,
        pi
    ))
    {
        printf("Error with CreateProcessA - %d", GetLastError());
        return 1;
    }

    if (!pi->hProcess)
    {
        printf("Error creating process - %d", GetLastError());
        return 1;
    }

    HANDLE hDestProcess = pi->hProcess;

    PROCESS_BASIC_INFORMATION* pbi = (PROCESS_BASIC_INFORMATION*)calloc(1, sizeof(PROCESS_BASIC_INFORMATION));
    DWORD retLen = 0;

    if (NtQueryInformationProcess(hDestProcess, ProcessBasicInformation, pbi, sizeof(PROCESS_BASIC_INFORMATION), &retLen))
    {
        printf("Error finding peb - %d", GetLastError());
        return 1;
    }

    DWORD pebImageBaseOffset = (DWORD)pbi->PebBaseAddress + 0x8;
    printf("Peb offset: %p\n", pebImageBaseOffset);

    LPVOID destImageBase = 0;
    SIZE_T bytesRead;

    if (!ReadProcessMemory(hDestProcess, (LPCVOID)pebImageBaseOffset, &destImageBase, 0x4, &bytesRead))
    {
        printf("Error getting process's image base - %d", GetLastError());
        return 1;
    }

    printf("Process image base: %p\n", destImageBase);

    if (NtUnmapViewOfSection(pi->hProcess, destImageBase))
    {
        printf("Process view unmapping failed");
    }

    // Read other executable file
    HANDLE sourceFile =
        CreateFileA("C:\\Windows\\sysWOW64\\cmd.exe", GENERIC_READ, NULL, NULL, OPEN_EXISTING, NULL, NULL);
    DWORD sourceFileSize = GetFileSize(sourceFile, NULL);
    DWORD fileBytesRead = 0;
    LPVOID sourceFileBytes = (LPVOID)malloc(sourceFileSize);
    ReadFile(sourceFile, sourceFileBytes, sourceFileSize, &fileBytesRead, NULL);


    /*DWORD bytesWritten = 0;
    BOOL writeSuccess = WriteProcessMemory(hDestProcess, entryPointAddr, sourceFileBytes, fileBytesRead, &bytesWritten);
    if (!writeSuccess)
    {
        printf("Problem writing to memory - %d", GetLastError());
        return 1;
    }*/

    // Resume the main thread
    ResumeThread(pi->hThread);
    printf("Process main thread resumed");

    // Close handles
    CloseHandle(pi->hProcess);
    CloseHandle(pi->hThread);

    return 0;
}

Error messages: When I tried to include wdm.h or others:

Severity    Code    Description Project File    Line    Suppression State
Error   C1083   Cannot open include file: 'wdm.h': No such file or directory    process_hollowing_other_exe D:\other_projects\process_hollowing\process_hollowing_other_exe\process_hollowing_other_exe\main.c  4

When I try to use the functions without the headers:

Error   LNK2019 unresolved external symbol _NtUnmapViewOfSection referenced in function _main   process_hollowing_other_exe D:\other_projects\process_hollowing\process_hollowing_other_exe\process_hollowing_other_exe\main.obj    1   


4
Jeaninez - MSFT On

As RbMm said, you could define NtUnmapViewOfSection by yourself like this.

// Function-pointer type matching the ntdll export's signature (C++ alias; in C use a typedef)
using funcNtUnmapViewOfSection = NTSTATUS(WINAPI*)(HANDLE hProcess, PVOID pBaseAddress);
// Resolved at run time from ntdll.dll rather than linked through a header declaration
funcNtUnmapViewOfSection NtUnmapViewOfSection = nullptr;