반응형
Notice
Recent Posts
Recent Comments
Link
| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
| 29 | 30 |
Tags
- pcap packet capture
- 해킹
- apphelp.dll
- windows kernel debugging
- packet capture
- pwnable
- 개발하기
- 윈도우 커널 드라이버
- arudino
- HackCTF
- hacking
- Msvcrt.dll
- 윈도우 커널 디버깅
- Windows Kernel Debug
- 개발 환경 준비
- IAT Hooking
- Network Byte Order
- C언어 패킷캡쳐
- 시스템해킹
- pcap packet
- vcruntime140.dll
- vcruntime.dll
- Windows Kernel
- 네트워크 바이트 오더
- Windows
- 포너블
- 바이트 오더
- Windows Kernel Driver
- ucrtbase.dll
- 윈도우 커널
Archives
- Today
- Total
미친해커
[C] Rlibloaderapi.h - GetRemoteModuleFileName 본문
반응형
GetModuleFileName
GetModuleFileName 함수는 인자로 들어온 HMODULE의 전체 경로를 반환해주는 함수이다. 즉 HMODULE(ImageBase)는 가지고 있지만 해당 HMODULE이 어떤 DLL인지 모를때 사용하면 유용한 함수이다.
GetRemoteModuleFileName
DWORD GetRemoteModuleFileNameA(HANDLE ProcessHandle, HMODULE hModule, LPSTR lpFilename, DWORD nSize)
{
ZeroMemory(lpFilename, nSize);
wchar_t Filename[MAX_PATH];
DWORD Size = GetRemoteModuleFileNameW(ProcessHandle, hModule, Filename, MAX_PATH);
int FilenameLength = WideCharToMultiByte(CP_ACP, 0, Filename, -1, NULL, 0, NULL, NULL);
WideCharToMultiByte(CP_ACP, 0, Filename, -1, lpFilename, FilenameLength <= nSize ? FilenameLength : nSize, NULL, NULL);
return FilenameLength <= nSize ? FilenameLength : nSize;
}
DWORD GetRemoteModuleFileNameW(HANDLE ProcessHandle, HMODULE hModule, LPWSTR lpFilename, DWORD nSize)
{
#ifdef _WIN64
BOOL bWow64Process;
IsWow64Process(ProcessHandle, &bWow64Process);
size_t SizeOfPointer = bWow64Process ? 4 : 8;
#else
size_t SizeOfPointer = 4;
#endif
nSize -= 2;
DWORD Size = 0;
PVOID PebBaseAddress = GetRemotePeb(ProcessHandle);
if (PebBaseAddress == NULL)
return Size;
PVOID PebLdrData = NULL;
if (ReadProcessMemory(ProcessHandle,
#ifdef _WIN64
(ULONG_PTR)PebBaseAddress + (bWow64Process ? Peb_LdrOffset32 : Peb_LdrOffset64),
#else
(ULONG_PTR)PebBaseAddress + Peb_LdrOffset32,
#endif
&PebLdrData,
SizeOfPointer,
NULL) == FALSE)
return hModule;
#ifdef _WIN64
PVOID LdrDataTableEntry = (ULONG_PTR)PebLdrData + (bWow64Process ? PebLdrData_LOMLOffset32 : PebLdrData_LOMLOffset64);
#else
PVOID LdrDataTableEntry = (ULONG_PTR)PebLdrData + PebLdrData_LOMLOffset32;
#endif
for (; ReadProcessMemory(ProcessHandle, LdrDataTableEntry, &LdrDataTableEntry, SizeOfPointer, NULL)
&&
#ifdef _WIN64
(ULONG_PTR)PebLdrData + (bWow64Process ? PebLdrData_LOMLOffset32 : PebLdrData_LOMLOffset64) != LdrDataTableEntry
#else
(ULONG_PTR)PebLdrData + PebLdrData_LOMLOffset32 != LdrDataTableEntry
#endif
;)
{
PVOID DllBase;
if (ReadProcessMemory(ProcessHandle,
#ifdef _WIN64
(ULONG_PTR)LdrDataTableEntry + (bWow64Process ? LdrDataTableEntry_DllBase32 : LdrDataTableEntry_DllBase64),
#else
(ULONG_PTR)LdrDataTableEntry + LdrDataTableEntry_DllBase32,
#endif
&DllBase,
SizeOfPointer,
NULL) == FALSE)
return Size;
if (DllBase != hModule)
continue;
#ifdef _WIN64
size_t SizeOfUnicodeString = bWow64Process ? sizeof(UNICODE_STRING32) : sizeof(UNICODE_STRING64);
#else
size_t SizeOfUnicodeString = sizeof(UNICODE_STRING);
#endif
BYTE *UnicodeString = calloc(1, SizeOfUnicodeString);
if (ReadProcessMemory(ProcessHandle,
#ifdef _WIN64
(ULONG_PTR)LdrDataTableEntry + (bWow64Process ? LdrDatatableEntry_FullDllName32 : LdrDatatableEntry_FullDllName64),
#else
(ULONG_PTR)LdrDataTableEntry + LdrDatatableEntry_FullDllName32,
#endif
UnicodeString,
SizeOfUnicodeString,
NULL) == FALSE)
return Size;
ZeroMemory(lpFilename, nSize + 2);
if (ReadProcessMemory(ProcessHandle,
#ifdef _WIN64
bWow64Process ? ((UNICODE_STRING32 *)UnicodeString)->Buffer : ((UNICODE_STRING64 *)UnicodeString)->Buffer,
lpFilename,
bWow64Process ? ((UNICODE_STRING32 *)UnicodeString)->Length <= nSize ? ((UNICODE_STRING32 *)UnicodeString)->Length : nSize : ((UNICODE_STRING64 *)UnicodeString)->Length <= nSize ? ((UNICODE_STRING64 *)UnicodeString)->Length : nSize, // UnicodeString.Length <= nSize ? UnicodeString.Length : nSize,
#else
((UNICODE_STRING *)UnicodeString)->Buffer,
lpFilename,
((UNICDOE_STRING *)UnicodeString)->Length <= nSize ? ((UNICDOE_STRING *)UnicodeString)->Length : nSize,
#endif
&Size) == FALSE && (RtlFreeHeap(_get_heap_handle(), 0, UnicodeString) || 1))
return Size;
free(UnicodeString);
break;
}
return Size;
}사용예시
#include <stdio.h>
#include "Rlibloaderapi.h"
int main()
{
DWORD PID;
printf("PID : ");
scanf("%d", &PID);
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
if (hProcess == NULL)
{
printf("OpenProcess Failed\n");
printf("GetLastError : %d\n", GetLastError());
return -1;
}
char buffer[MAX_PATH];
HMODULE hModule = GetRemoteModuleHandleA(hProcess, "kernel32.dll");
GetRemoteModuleFileNameA(hProcess, hModule, buffer, MAX_PATH);
printf("%s\n", buffer);
return 0;
}반응형
'C > Remote libloaderapi.h' 카테고리의 다른 글
| [C] Rlibloaderapi.h - GetRemoteProcAddress (0) | 2022.02.17 |
|---|---|
| [C] Rlibloaderapi.h - GetModuleHandle (0) | 2022.02.17 |
| [C] Rlibloaderapi.h - GetRemotePeb (0) | 2022.02.17 |
| [C] Remote libloaderapi.h 는 무엇인가... (0) | 2022.02.17 |
Comments