/*!
*
* ROGUE
*
* GuidePoint Security LLC
*
* Threat and Attack Simulation Team
*
!*/
#include "Common.h"
/*
 * Per-call table of the ntdll heap routines used in this file. Each function
 * below declares one on its stack, fills in only the members it needs, and
 * zeroes the whole table before and after use.
 *
 * NOTE(review): D_API is defined outside this file; it presumably declares a
 * function-pointer member typed after the named routine - confirm in Common.h.
 */
typedef struct
{
D_API( RtlReAllocateHeap );
D_API( RtlAllocateHeap );
D_API( RtlCompactHeap );
D_API( RtlFreeHeap );
D_API( RtlSizeHeap );
D_API( RtlZeroHeap );
} API ;
/*
 * API Hashes
 *
 * Precomputed 32-bit identifiers for the ntdll exports named in the trailing
 * comments. They are passed through E_HSH() to PeGetFuncEat() so the routines
 * are looked up by hash rather than by name.
 *
 * NOTE(review): the hash function and E_HSH are defined outside this file, so
 * whether these literal values survive unchanged into the compiled output is
 * not visible here - confirm before relying on them as static indicators.
 */
#define H_API_RTLREALLOCATEHEAP 0xaf740371 /* RtlReAllocateHeap */
#define H_API_RTLALLOCATEHEAP 0x3be94c5a /* RtlAllocateHeap */
#define H_API_RTLCOMPACTHEAP 0xccd9c63c /* RtlCompactHeap */
#define H_API_RTLFREEHEAP 0x73a9e4d7 /* RtlFreeHeap */
#define H_API_RTLSIZEHEAP 0xef31e6b0 /* RtlSizeHeap */
#define H_API_RTLZEROHEAP 0x1f2175d5 /* RtlZeroHeap */
/* LIB Hashes: identifier handed to PebGetModule() to locate the module */
#define H_LIB_NTDLL 0x1edab0ed /* ntdll.dll */
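/*!
 *
 * Purpose:
 *
 * Re-allocates a buffer on the process heap.
 *
 * Buffer is an existing allocation from the process heap and Length is the
 * requested new size in bytes. HEAP_ZERO_MEMORY is passed, so any memory
 * added beyond the original size is zero-initialised.
 *
 * Returns the pointer produced by RtlReAllocateHeap, or NULL when the
 * routine could not be resolved or the re-allocation failed.
 *
!*/
D_SEC( B ) PVOID MemoryReAlloc( _In_ PVOID Buffer, _In_ SIZE_T Length )
{
    API   Api;
    PVOID Mem = NULL;

    /* Zero out stack structures */
    RtlZeroMemory( &Api, sizeof( Api ) );

    /* Look the routine up in ntdll by hash */
    Api.RtlReAllocateHeap = PeGetFuncEat( PebGetModule( E_HSH( H_LIB_NTDLL ) ), E_HSH( H_API_RTLREALLOCATEHEAP ) );

    /*
     * Call through the pointer only when the lookup produced one; the
     * original called it unconditionally. Assumes PeGetFuncEat yields NULL
     * for a missing export - confirm against its definition.
     */
    if ( Api.RtlReAllocateHeap ) {
        Mem = Api.RtlReAllocateHeap( NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Buffer, Length );
    }

    /* Zero out stack structures so the resolved pointer does not linger */
    RtlZeroMemory( &Api, sizeof( Api ) );

    /* Return a pointer (NULL on failure) */
    return C_PTR( Mem );
}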
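/*!
 *
 * Purpose:
 *
 * Allocate a buffer on the process heap.
 *
 * Length is the requested size in bytes. HEAP_ZERO_MEMORY is passed, so the
 * returned memory is zero-initialised.
 *
 * Returns the pointer produced by RtlAllocateHeap, or NULL when the routine
 * could not be resolved or the allocation failed.
 *
!*/
D_SEC( B ) PVOID MemoryAlloc( _In_ SIZE_T Length )
{
    API   Api;
    PVOID Mem = NULL;

    /* Zero out stack structures */
    RtlZeroMemory( &Api, sizeof( Api ) );

    /* Look the routine up in ntdll by hash */
    Api.RtlAllocateHeap = PeGetFuncEat( PebGetModule( E_HSH( H_LIB_NTDLL ) ), E_HSH( H_API_RTLALLOCATEHEAP ) );

    /*
     * Call through the pointer only when the lookup produced one; the
     * original called it unconditionally. Assumes PeGetFuncEat yields NULL
     * for a missing export - confirm against its definition.
     */
    if ( Api.RtlAllocateHeap ) {
        Mem = Api.RtlAllocateHeap( NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Length );
    }

    /* Zero out stack structures so the resolved pointer does not linger */
    RtlZeroMemory( &Api, sizeof( Api ) );

    /* Return a pointer (NULL on failure) */
    return C_PTR( Mem );
}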
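/*!
 *
 * Purpose:
 *
 * Free a buffer.
 *
 * The buffer's size is queried from the process heap, its contents are
 * overwritten with zeros, and it is then released. Afterwards the heap is
 * compacted and RtlZeroHeap is called on it, whether or not the free
 * succeeded.
 *
 * Returns the result of RtlFreeHeap, or FALSE when Buffer is NULL, the
 * size query fails, or a required routine could not be resolved.
 *
 * NOTE(review): because contents are wiped before release, freed buffers
 * are not expected to leave their data behind in a later memory capture.
 *
!*/
D_SEC( B ) BOOL MemoryFree( _In_ PVOID Buffer )
{
    API     Api;
    SIZE_T  Len = 0;
    BOOLEAN Ret = FALSE;

    /* Zero out stack structures */
    RtlZeroMemory( &Api, sizeof( Api ) );

    /* Look the routines up in ntdll by hash */
    Api.RtlCompactHeap = PeGetFuncEat( PebGetModule( E_HSH( H_LIB_NTDLL ) ), E_HSH( H_API_RTLCOMPACTHEAP ) );
    Api.RtlFreeHeap    = PeGetFuncEat( PebGetModule( E_HSH( H_LIB_NTDLL ) ), E_HSH( H_API_RTLFREEHEAP ) );
    Api.RtlSizeHeap    = PeGetFuncEat( PebGetModule( E_HSH( H_LIB_NTDLL ) ), E_HSH( H_API_RTLSIZEHEAP ) );
    Api.RtlZeroHeap    = PeGetFuncEat( PebGetModule( E_HSH( H_LIB_NTDLL ) ), E_HSH( H_API_RTLZEROHEAP ) );

    /*
     * Freeing needs both the size query and the free routine, and a buffer
     * to act on. The original called the pointers without checking them and
     * passed a NULL Buffer straight to RtlSizeHeap. Assumes PeGetFuncEat
     * yields NULL for a missing export - confirm against its definition.
     */
    if ( Buffer && Api.RtlSizeHeap && Api.RtlFreeHeap ) {
        /* Is this a valid buffer? The size query reports ( SIZE_T ) -1 on failure */
        Len = Api.RtlSizeHeap( NtCurrentPeb()->ProcessHeap, 0, Buffer );

        if ( Len != ( SIZE_T ) -1 ) {
            /* Zero out the buffer */
            RtlZeroMemory( Buffer, Len );

            /* Free the buffer */
            Ret = Api.RtlFreeHeap( NtCurrentPeb()->ProcessHeap, 0, Buffer );
        }
    }

    /* Compact the heap */
    if ( Api.RtlCompactHeap ) {
        Api.RtlCompactHeap( NtCurrentPeb()->ProcessHeap, 0 );
    }

    /*
     * Zero out the heap.
     * NOTE(review): RtlZeroHeap's exact effect is not shown in this file;
     * by name it presumably clears unused heap memory - confirm.
     */
    if ( Api.RtlZeroHeap ) {
        Api.RtlZeroHeap( NtCurrentPeb()->ProcessHeap, 0 );
    }

    /* Zero out stack structures so the resolved pointers do not linger */
    RtlZeroMemory( &Api, sizeof( Api ) );

    /* Return a value */
    return Ret;
}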