#include "globals.h"
#include "HideMemory.h"
#include "loadLibary.h"
// Registry of address ranges currently hidden behind PAGE_NOACCESS. The VEH
// handler below scans it linearly on every access violation / single step;
// AllocateHiddenMemory appends to it and FreeHiddenMemory erases from it.
// NOTE(review): read and mutated from several functions with no consistent
// locking — confirm how callers serialize access to it.
std::vector<PROTECTEDMEMORY>PagesOfNoAccessOfData;
// Original comment (translated): "if you only need read/write, this lock can
// be enabled." Taken in the access-violation path of VehExceptionHandler and
// released in its single-step path.
std::mutex m;
// Loader result for DLL_NAME; stays NULL until AllocateHiddenMemory runs.
PSHARE_VEH pInfo = NULL;
//DeFault Encrypt/Decrypt
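// Default in-place transform used when the caller supplies no Encrypt/Decrypt
// callback: XORs every byte in [lpAddress, lpAddress + size) with 'b'. The
// transform is its own inverse, so the same routine serves both directions.
// A fixed single-byte XOR key is obfuscation rather than encryption; callers
// needing confidentiality pass their own ENCRYPTDATAPROC/DECRYPTDATAPROC.
// lpAddress: start of the buffer, as an integer address.
// size:      number of bytes to transform.
void EncryptData(DWORD64 lpAddress, size_t size)
{
    // Index with size_t: the original `int i < size` compared signed with
    // unsigned and would overflow for buffers larger than INT_MAX bytes.
    char* bytes = reinterpret_cast<char*>(lpAddress);
    for (size_t i = 0; i < size; i++)
    {
        bytes[i] ^= 'b';
    }
}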
// Vectored exception handler implementing the hide/reveal cycle for the ranges
// in PagesOfNoAccessOfData.
// Access-violation path: when the faulting address (ExceptionInformation[1])
// falls inside a registered range, that range is made PAGE_EXECUTE_READWRITE,
// decrypted with the entry's Decrypt callback (or EncryptData), and the trap
// flag (EFlags bit 0x100) is set so the faulting instruction re-executes once
// and a STATUS_SINGLE_STEP follows.
// Single-step path: the first entry marked Protected == FALSE is re-encrypted,
// set back to PAGE_NOACCESS, and the mutex taken on the first path is released.
// Returns EXCEPTION_CONTINUE_EXECUTION when either path handled the exception,
// EXCEPTION_CONTINUE_SEARCH otherwise.
LONG NTAPI VehExceptionHandler(EXCEPTION_POINTERS* ExceptionInfo)
{
    DWORD OldProtect = 0;
    if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION)
    {
        for (auto it = PagesOfNoAccessOfData.begin(); it != PagesOfNoAccessOfData.end(); it++)
        {
            // NOTE(review): `<= lpAddress + dwSize` also accepts the address one
            // byte past the end of the range; `<` would match the [begin, end)
            // extent that AllocateHiddenMemory registers.
            if (ExceptionInfo->ExceptionRecord->ExceptionInformation[1] <= (*it).lpAddress + (*it).dwSize &&
                ExceptionInfo->ExceptionRecord->ExceptionInformation[1] >= (*it).lpAddress)
            {
                // Held until the single-step path below releases it.
                m.lock();
                //Restore Page Protection and Decrypt
                // NOTE(review): nothing in this handler sets Protected back to
                // TRUE, so with more than one registered range the single-step
                // path may pick a stale FALSE entry instead of the one decrypted
                // here.
                (*it).Protected = FALSE;//Not Protected
                // NOTE(review): VirtualProtect's return value is ignored on both
                // paths; a failure here leaves the range encrypted but the
                // faulting instruction is still re-executed.
                VirtualProtect((LPVOID)(*it).lpAddress, (*it).dwSize, PAGE_EXECUTE_READWRITE, &OldProtect);
                if ((*it).Decrypt)
                    (*it).Decrypt((*it).lpAddress, (*it).dwSize);
                else
                    EncryptData((*it).lpAddress, (*it).dwSize);//Decrypt (XOR is its own inverse)
                ExceptionInfo->ContextRecord->EFlags |= 0x100;//Do a single step (trap flag)
                return EXCEPTION_CONTINUE_EXECUTION;
            }
        }
    }
    if (ExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_SINGLE_STEP)
    {
        for (auto it = PagesOfNoAccessOfData.begin(); it != PagesOfNoAccessOfData.end(); it++)
        {
            // The first entry not currently protected is assumed to be the one
            // revealed by the access-violation path.
            if ((*it).Protected == FALSE)
            {
                if ((*it).Encrypt)
                    (*it).Encrypt((*it).lpAddress, (*it).dwSize);
                else
                    EncryptData((*it).lpAddress, (*it).dwSize);//Encrypt
                VirtualProtect((LPVOID)(*it).lpAddress, (*it).dwSize, PAGE_NOACCESS, &OldProtect);
                // NOTE(review): because Protected is never reset to TRUE, a
                // STATUS_SINGLE_STEP that did not originate from the path above
                // can reach this unlock while m is not held — undefined behaviour
                // for std::mutex. Confirm single steps cannot arrive from elsewhere.
                m.unlock();
                return EXCEPTION_CONTINUE_EXECUTION;
            }
        }
    }
    return EXCEPTION_CONTINUE_SEARCH;
}
// Registers VehExceptionHandler as a first-call vectored exception handler.
// Returns TRUE when registration yielded a non-NULL handle, FALSE otherwise.
// The handle is not retained, so the handler cannot later be removed with
// RemoveVectoredExceptionHandler.
BOOL Init()
{
    PVOID registration = AddVectoredExceptionHandler(TRUE, VehExceptionHandler);
    if (registration == NULL)
    {
        return FALSE;
    }
    return TRUE;
}
// Loads DLL_NAME via my_loadLibrary, registers the loaded image as a hidden
// range in PagesOfNoAccessOfData, encrypts it in place and marks it
// PAGE_NOACCESS so that any access faults into VehExceptionHandler.
// lpAddress: accepted but unused — the base comes from pInfo->DllBase (the
//            original VirtualAlloc call is commented out below).
// dwSize:    overwritten with pInfo->DllImageSize, then rounded up to a
//            4 KiB multiple.
// Encrypt / Decrypt: optional callbacks stored in the registry entry; when
//            Encrypt is NULL the default EncryptData XOR is applied here.
// Returns the image base as a DWORD64 (0 when DllBase is NULL).
DWORD64 AllocateHiddenMemory(LPVOID lpAddress, SIZE_T dwSize,ENCRYPTDATAPROC Encrypt, DECRYPTDATAPROC Decrypt)
{
    // NOTE(review): pInfo is dereferenced on the following lines without a
    // NULL check — confirm my_loadLibrary cannot fail or return NULL.
    pInfo = my_loadLibrary(DLL_NAME);
    // NOTE(review): %llx assumes these fields are 64-bit integer types; verify
    // against the PSHARE_VEH declaration.
    printf("DllBase: %llx\n", pInfo->DllBase);
    printf("Dll_OEP: %llx\n", pInfo->DllOfEntryPoint);
    printf("export_fun: %llx\n", pInfo->export_fun);
    dwSize = pInfo->DllImageSize;
    PVOID allocated = (PVOID)pInfo->DllBase; //VirtualAlloc(lpAddress, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (allocated != NULL)
    {
        DWORD OldProtect = 0;
        // Round up to the next 4 KiB boundary. Original comment (translated):
        // "a size of 0 never reaches this point" — note there is no check above
        // enforcing that, and dwSize-1 would wrap for 0.
        dwSize = ((dwSize-1) & 0xfffffffffffff000) + 0x1000;
        PROTECTEDMEMORY protected_mem = { 0 };
        protected_mem.lpAddress = (DWORD64)allocated;
        protected_mem.dwSize = dwSize;
        protected_mem.ExecutingProtection = FALSE; // not read anywhere in this file
        protected_mem.Protected = TRUE;
        protected_mem.Encrypt = Encrypt;
        protected_mem.Decrypt = Decrypt;
        // The whole page-rounded range is transformed, not just DllImageSize bytes.
        if(!Encrypt)
            EncryptData((DWORD64)allocated, dwSize);
        else
            Encrypt((DWORD64)allocated, dwSize);
        PagesOfNoAccessOfData.push_back(protected_mem);
        // NOTE(review): bRet is never checked; if VirtualProtect fails the range
        // stays registered and encrypted but remains accessible, so reads would
        // see the transformed bytes instead of faulting into the handler.
        BOOL bRet = VirtualProtect(allocated, dwSize, PAGE_NOACCESS, &OldProtect);
    }
    return (DWORD64)allocated;
}
// Unregisters the hidden range whose start address equals lpAddress and
// releases it with VirtualFree(MEM_RELEASE).
// Returns the VirtualFree result, or FALSE when no registered range starts at
// lpAddress. Only an exact match on the start address is considered; the page
// protection of the range is not changed before release.
// NOTE(review): erases from PagesOfNoAccessOfData without taking m, while
// VehExceptionHandler may be iterating the same vector — confirm the callers'
// threading model. Whether VirtualFree is valid for a base that came from
// my_loadLibrary rather than VirtualAlloc depends on that loader.
BOOL FreeHiddenMemory(DWORD64 lpAddress)
{
    for (size_t idx = 0; idx < PagesOfNoAccessOfData.size(); ++idx)
    {
        if (PagesOfNoAccessOfData[idx].lpAddress != lpAddress)
        {
            continue;
        }
        PagesOfNoAccessOfData.erase(PagesOfNoAccessOfData.begin() + idx);
        return VirtualFree((LPVOID)lpAddress, 0, MEM_RELEASE);
    }
    return FALSE;
}