  • Stars: 558
  • Language: C++
  • License: GNU General Publi...
  • Created almost 8 years ago
  • Updated over 5 years ago

Self-Remapping Code

Summary

This program remaps its image to prevent the page protection of pages contained in the image from being modified via NtProtectVirtualMemory.

Motivation

This technique can be utilized as an anti-debugging and anti-dumping mechanism.

Implementation

The remapping technique uses the following strategy:

  1. The image is copied to an executable buffer referred to as the 'remap region'.

  2. The remap routine inside the remap region is located and invoked.

  3. The remap routine creates a page-file-backed section to store the remapped image.

  4. The remap routine maps a view of the entire section and copies the contents of the image to the view. This view is then unmapped.

  5. The remap routine maps a view for each PE section in the image, using the relative virtual address (RVA) of the PE section as the section offset for the view. Each view is mapped with the 'SEC_NO_CHANGE' allocation type to prevent later page protection changes.

  6. The remap routine completes and execution returns to the remapped image.

The following tables are examples of the memory layout of an image before and after it has been remapped using this technique:

Before
Address          Size             Info                          Type   Protect  Initial
=======================================================================================
0000000140000000 0000000000001000 selfremappingcode.exe         IMG    -R---    ERWC-
0000000140001000 000000000000F000 Reserved (0000000140000000)   IMG             ERWC-
0000000140010000 0000000000002000  ".text"                      IMG    ER---    ERWC-
0000000140012000 000000000000E000 Reserved (0000000140000000)   IMG             ERWC-
0000000140020000 0000000000002000  ".rdata"                     IMG    -R---    ERWC-
0000000140022000 000000000000E000 Reserved (0000000140000000)   IMG             ERWC-
0000000140030000 0000000000001000  ".data"                      IMG    -RW--    ERWC-
0000000140031000 000000000000F000 Reserved (0000000140000000)   IMG             ERWC-
0000000140040000 0000000000001000  ".pdata"                     IMG    -R---    ERWC-
0000000140041000 000000000000F000 Reserved (0000000140000000)   IMG             ERWC-
0000000140050000 0000000000001000  ".rsrc"                      IMG    -R---    ERWC-
0000000140051000 000000000000F000 Reserved (0000000140000000)   IMG             ERWC-
After
Address          Size             Info                          Type   Protect  Initial
=======================================================================================
0000000140000000 0000000000001000                               MAP    -R---    -R---
0000000140010000 0000000000002000                               MAP    ER---    ER---
0000000140020000 0000000000002000                               MAP    -R---    -R---
0000000140030000 0000000000001000                               MAP    -RW--    -RW--
0000000140040000 0000000000001000                               MAP    -R---    -R---
0000000140050000 0000000000001000                               MAP    -R---    -R---

Requirements

  • Each PE section in the image must be aligned to the system allocation granularity, because the section offset passed when mapping a view must itself be granularity-aligned. This program uses the /ALIGN linker option to achieve this alignment.
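The following is an added example, not code from the SelfRemappingCode repository. It covers the six-step strategy above, the Before/After tables, and the alignment requirement in one piece: PlanRemap computes, for each PE section, the parameters that step 5 would hand to NtMapViewOfSection (view address = image base + RVA, SectionOffset = RVA, page-rounded ViewSize, protection derived from the section characteristics, SEC_NO_CHANGE as AllocationType) and rejects any section whose RVA is not allocation-granularity aligned. LooksRemapped is the defender's side of the same picture: it models what a debugger's memory map shows after the remap, namely the module's regions flipping from MEM_IMAGE (IMG) to MEM_MAPPED (MAP). Assumptions: the numeric constants are the winnt.h values, the allocation granularity is the 64 KiB x64 default, PeSection and Region are simplified stand-ins for IMAGE_SECTION_HEADER and MEMORY_BASIC_INFORMATION, the section table and region lists are constructed from the two tables in the README, and no NT system call is actually made, so the code compiles and runs on any platform.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// winnt.h constant values; kAllocationGranularity is the assumed x64 default (64 KiB).
constexpr uint32_t kAllocationGranularity = 0x10000;
constexpr uint32_t kPageSize              = 0x1000;
constexpr uint32_t IMAGE_SCN_MEM_EXECUTE  = 0x20000000;
constexpr uint32_t IMAGE_SCN_MEM_READ     = 0x40000000;
constexpr uint32_t IMAGE_SCN_MEM_WRITE    = 0x80000000;
constexpr uint32_t PAGE_READONLY          = 0x02;
constexpr uint32_t PAGE_READWRITE         = 0x04;
constexpr uint32_t PAGE_EXECUTE_READ      = 0x20;
constexpr uint32_t PAGE_EXECUTE_READWRITE = 0x40;
constexpr uint32_t SEC_NO_CHANGE          = 0x00400000;

// Simplified stand-in for IMAGE_SECTION_HEADER (assumption: only these fields matter here).
struct PeSection { std::string name; uint32_t rva; uint32_t virtual_size; uint32_t characteristics; };

// One NtMapViewOfSection call of step 5: view at image_base + RVA, SectionOffset == RVA,
// SEC_NO_CHANGE carried as the AllocationType argument.
struct ViewPlan {
    uint64_t base_address;
    uint64_t section_offset;
    uint64_t view_size;
    uint32_t page_protection;
    uint32_t allocation_type;
};

// Map IMAGE_SCN_MEM_* characteristics onto the PAGE_* protection the view should get.
uint32_t ProtectionFromCharacteristics(uint32_t c) {
    const bool exec  = (c & IMAGE_SCN_MEM_EXECUTE) != 0;
    const bool write = (c & IMAGE_SCN_MEM_WRITE) != 0;
    if (exec) return write ? PAGE_EXECUTE_READWRITE : PAGE_EXECUTE_READ;
    return write ? PAGE_READWRITE : PAGE_READONLY;
}

std::vector<ViewPlan> PlanRemap(uint64_t image_base, const std::vector<PeSection>& sections) {
    std::vector<ViewPlan> plan;
    for (const PeSection& s : sections) {
        // README requirement: SectionOffset (== RVA) must be allocation-granularity aligned.
        if (s.rva % kAllocationGranularity != 0)
            throw std::invalid_argument(s.name + ": RVA not aligned to allocation granularity");
        const uint64_t size = (uint64_t(s.virtual_size) + kPageSize - 1) / kPageSize * kPageSize;
        plan.push_back({image_base + s.rva, s.rva, size,
                        ProtectionFromCharacteristics(s.characteristics), SEC_NO_CHANGE});
    }
    return plan;
}

// Constructed section table reproducing the README's "Before" layout (RVA 0 is the header page).
std::vector<PeSection> SampleSections() {
    return {
        {"headers", 0x00000, 0x1000, IMAGE_SCN_MEM_READ},
        {".text",   0x10000, 0x2000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE},
        {".rdata",  0x20000, 0x2000, IMAGE_SCN_MEM_READ},
        {".data",   0x30000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE},
        {".pdata",  0x40000, 0x1000, IMAGE_SCN_MEM_READ},
        {".rsrc",   0x50000, 0x1000, IMAGE_SCN_MEM_READ},
    };
}
std::vector<ViewPlan> SamplePlan() { return PlanRemap(0x140000000ULL, SampleSections()); }

// A section at RVA 0x1000 is page-aligned but not granularity-aligned, so the planner rejects it.
bool MisalignedRvaIsRejected() {
    try { PlanRemap(0x140000000ULL, {{".bad", 0x1000, 0x1000, IMAGE_SCN_MEM_READ}}); }
    catch (const std::invalid_argument&) { return true; }
    return false;
}

// Defender side: stand-in for MEMORY_BASIC_INFORMATION's Type field as a debugger shows it.
enum class RegionType { Image, Mapped, Private };
struct Region { uint64_t base; uint64_t size; RegionType type; };

// A loaded module whose pages are MEM_MAPPED rather than MEM_IMAGE has been remapped.
bool LooksRemapped(uint64_t image_base, uint64_t image_size, const std::vector<Region>& regions) {
    for (const Region& r : regions) {
        const bool inside = r.base >= image_base && r.base < image_base + image_size;
        if (inside && r.type == RegionType::Mapped) return true;
    }
    return false;
}

// Constructed from the README's Before/After tables (a few committed regions each).
std::vector<Region> BeforeRegions() {
    return {{0x140000000ULL, 0x1000, RegionType::Image}, {0x140010000ULL, 0x2000, RegionType::Image},
            {0x140030000ULL, 0x1000, RegionType::Image}};
}
std::vector<Region> AfterRegions() {
    return {{0x140000000ULL, 0x1000, RegionType::Mapped}, {0x140010000ULL, 0x2000, RegionType::Mapped},
            {0x140030000ULL, 0x1000, RegionType::Mapped}};
}

int main() {
    for (const ViewPlan& v : SamplePlan())
        std::printf("view %016llx SectionOffset=%06llx ViewSize=%05llx Protect=0x%02x AllocationType=0x%08x\n",
                    (unsigned long long)v.base_address, (unsigned long long)v.section_offset,
                    (unsigned long long)v.view_size, v.page_protection, v.allocation_type);
    std::printf("before table looks remapped: %d\n", LooksRemapped(0x140000000ULL, 0x60000, BeforeRegions()));
    std::printf("after table looks remapped:  %d\n", LooksRemapped(0x140000000ULL, 0x60000, AfterRegions()));
    return 0;
}
```

The planner output lines up with the "After" table: six views, each starting at the section's RVA above the image base, with the reserved gaps between sections gone because each view covers only its own pages. On the detection side, the MEM_IMAGE to MEM_MAPPED flip is what tools such as a debugger memory map or a module-integrity scanner can key on, since a normally loaded executable never has its sections backed by a page-file section.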
