
I'm currently trying to implement some sort of a process hollowing (RunPE) technique, using C. Basically, what I've done so far is find the PEB and get the process's (in suspended mode) image base address. Now, I understand I have to use the function NtUnmapViewOfSection to "erase" the virtual memory of the process and replace it with mine.

But whenever I try to use NtUnmapViewOfSection, it appears as white, and won't let me compile... I included <winternl.h>, and in the linker options of Visual Studio 2019 I added the ntdll.lib dependency. But it still won't let me use it, even though it lets me use other functions from the Native API, such as NtQueryInformationProcess (to find the PEB's address).

Here's the code I have so far, if it's relevant:

#include <windows.h>
#include <stdio.h>
#include <winternl.h>

int main(int argc, char* argv[])
{

    printf("Creating process\r\n");

    LPSTARTUPINFOA si = (LPSTARTUPINFOA)calloc(1, sizeof(STARTUPINFOA));
    LPPROCESS_INFORMATION pi = (LPPROCESS_INFORMATION)calloc(1, sizeof(PROCESS_INFORMATION));

    if (!CreateProcessA
    (
        "C:\\Windows\\sysWOW64\\calc.exe", // Process uses LoadLibraryA and GetProcAddress. TODO: shellcode with LDR.
        NULL,
        NULL,
        NULL,
        NULL,
        CREATE_SUSPENDED,
        NULL,
        NULL,
        si,
        pi
    ))
    {
        printf("Error with CreateProcessA - %d", GetLastError());
        return 1;
    }

    if (!pi->hProcess)
    {
        printf("Error creating process - %d", GetLastError());
        return 1;
    }

    HANDLE hDestProcess = pi->hProcess;

    PROCESS_BASIC_INFORMATION* pbi = (PROCESS_BASIC_INFORMATION*)calloc(1, sizeof(PROCESS_BASIC_INFORMATION));
    DWORD retLen = 0;

    if (NtQueryInformationProcess(hDestProcess, ProcessBasicInformation, pbi, sizeof(PROCESS_BASIC_INFORMATION), &retLen))
    {
        printf("Error finding peb - %d", GetLastError());
        return 1;
    }

    DWORD pebImageBaseOffset = (DWORD)pbi->PebBaseAddress + 0x8;
    printf("Peb offset: %p\n", pebImageBaseOffset);

    LPVOID destImageBase = 0;
    SIZE_T bytesRead;

    if (!ReadProcessMemory(hDestProcess, (LPCVOID)pebImageBaseOffset, &destImageBase, 0x4, &bytesRead))
    {
        printf("Error getting process's image base - %d", GetLastError());
        return 1;
    }

    printf("Process image base: %p\n", destImageBase);

    if (NtUnmapViewOfSection(pi->hProcess, destImageBase))
    {
        printf("Process view unmapping failed");
    }

    // Read other executable file
    HANDLE sourceFile =
        CreateFileA("C:\\Windows\\sysWOW64\\cmd.exe", GENERIC_READ, NULL, NULL, OPEN_EXISTING, NULL, NULL);
    DWORD sourceFileSize = GetFileSize(sourceFile, NULL);
    DWORD fileBytesRead = 0;
    LPVOID sourceFileBytes = (LPVOID)malloc(sourceFileSize);
    ReadFile(sourceFile, sourceFileBytes, sourceFileSize, &fileBytesRead, NULL);


    /*DWORD bytesWritten = 0;
    BOOL writeSuccess = WriteProcessMemory(hDestProcess, entryPointAddr, sourceFileBytes, fileBytesRead, &bytesWritten);
    if (!writeSuccess)
    {
        printf("Problem writing to memory - %d", GetLastError());
        return 1;
    }*/

    // Resume the main thread
    ResumeThread(pi->hThread);
    printf("Process main thread resumed");

    // Close handles
    CloseHandle(pi->hProcess);
    CloseHandle(pi->hThread);

    return 0;
}

Error messages: when I tried to include wdm.h or others:

Severity    Code    Description Project File    Line    Suppression State
Error   C1083   Cannot open include file: 'wdm.h': No such file or directory    process_hollowing_other_exe D:\other_projects\process_hollowing\process_hollowing_other_exe\process_hollowing_other_exe\main.c  4

When I try to use the functions without the headers:

Error   LNK2019 unresolved external symbol _NtUnmapViewOfSection referenced in function _main   process_hollowing_other_exe D:\other_projects\process_hollowing\process_hollowing_other_exe\process_hollowing_other_exe\main.obj    1   
nortain32
  • And what error did you get? – RbMm Apr 17 '23 at 21:22
  • The [Requirements](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwunmapviewofsection#requirements) section explains which header files to include. – IInspectable Apr 17 '23 at 21:22
  • @IInspectable Yeah, I tried to include them. But it just shows a red line underneath, meaning that these libraries weren't found? I also added the dependency for `NtosKrnl.lib`. – nortain32 Apr 17 '23 at 21:26
  • The squiggly lines in the code editor are meaningless. Run the compiler to get confirmation on whether it can or cannot see the symbol. Fiddling with linker settings doesn't help you resolve a compiler issue. – IInspectable Apr 17 '23 at 21:27
  • Yeah, I tried building, including the headers mentioned in Requirements. But it won't compile, since it can't open the source files for these headers. – nortain32 Apr 17 '23 at 21:30
  • You will need to have the DDK installed, and the compiler needs to know where to look for the headers. Posting the error message would *massively* help. – IInspectable Apr 17 '23 at 21:33
  • Oh, what's DDK? How do I install it? And how do I tell the compiler where to look for the headers? Also, I updated the question with the error messages, hope it's sufficient. – nortain32 Apr 17 '23 at 21:38
  • Simply define NtUnmapViewOfSection by yourself, but are you sure that you are taking the correct task for now? – RbMm Apr 17 '23 at 21:39
  • Hm? What do you mean, define it by myself? – nortain32 Apr 17 '23 at 21:40

1 Answer


As RbMm said, you could define NtUnmapViewOfSection by yourself like this.

using funcNtUnmapViewOfSection = NTSTATUS(WINAPI*)(HANDLE hProcess, PVOID pBaseAddress);
funcNtUnmapViewOfSection NtUnmapViewOfSection = nullptr;
Jeaninez - MSFT
  • Actually this worked... All I had to do afterwards was call GetModuleHandle on `ntdll` and then `GetProcAddress` on the functions I needed. How didn't I figure it out earlier, haha. – nortain32 Apr 18 '23 at 14:25
  • @nortain32 This doesn't compile with a C compiler. And it's unclear why you'd want to use run time dynamic linking (including all the error handling that's now *your* business) instead of just using compile time dynamic linking. – IInspectable Apr 18 '23 at 14:48
  • It works for me in Visual Studio 2019. Idk. – nortain32 Apr 18 '23 at 21:18
  • @nortain32 If the code presented here compiles for you, you aren't using a C compiler. But your question claims that you are. Both statements cannot be true at the same time. Regardless, this isn't even half of an answer. – IInspectable Apr 19 '23 at 04:55