#pragma warning( disable : 4201 4100 4101 4244 4333 4245 4366)
//#include <ntddk.h>
#include <ntifs.h>
#include "Ntapi.h"
#include "Log.h"
#include "Heap.h"
#include "Peb.h"
#define HEAP_SKIP_VALIDATION_CHECKS 0x10000000
#define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000
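// Bits a user-mode debugger leaves set in every heap of its debuggee.
// In all Windows versions Flags normally holds HEAP_GROWABLE(2) and
// ForceFlags normally holds 0 (the defaults depend on the subsystem of the
// host process); see
// https://ctf-wiki.github.io/ctf-wiki/reverse/windows/anti-debug/heap-flags/
static const ULONG HeapFlagsToClear =
    HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED |
    HEAP_SKIP_VALIDATION_CHECKS | HEAP_VALIDATE_PARAMETERS_ENABLED;
static const ULONG HeapForceFlagsToClear =
    HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED |
    HEAP_VALIDATE_PARAMETERS_ENABLED;

// Clears the debugger-related flag bits of every heap listed in a WOW64 PEB.
//
// Attaches to TargetProcess so the 32-bit user-mode addresses held in Peb32
// resolve, and detaches on every path. NumberOfHeaps and ProcessHeaps live in
// the target's own PEB and are therefore under the target's control: every
// pointer derived from them is probed before it is dereferenced, so a process
// cannot redirect this routine at kernel memory. Any fault (including a probe
// failure) is logged and reported as FALSE.
//
// Returns TRUE when every heap was patched, FALSE on any fault.
static BOOLEAN ClearHeapFlagsWow64(PEPROCESS TargetProcess, PPEB32 Peb32)
{
    KAPC_STATE State;
    KeStackAttachProcess((PRKPROCESS)TargetProcess, &State);
    __try
    {
        // NOTE(review): a hostile NumberOfHeaps only lengthens this loop;
        // a sanity cap would need the PEB's MaximumNumberOfHeaps, which
        // Peb.h does not expose here - TODO confirm.
        for (size_t i = 0; i < Peb32->NumberOfHeaps; i++)
        {
            // ProcessHeaps is an array of 32-bit heap addresses, 4 bytes each.
            PVOID Entry = (PVOID)(ULONG_PTR)(Peb32->ProcessHeaps + 4 * i);
            ProbeForRead(Entry, sizeof(ULONG), sizeof(ULONG));
            ULONG Heap = *(ULONG*)Entry;

            // x86 _HEAP: Flags at +0x40, ForceFlags at +0x44. These are the raw
            // offsets the original used; no 32-bit HEAP definition is in scope.
            PULONG Flags = (PULONG)((ULONG_PTR)Heap + 0x40);

            // ProbeForWrite raises STATUS_ACCESS_VIOLATION for kernel-mode or
            // misaligned addresses; without it a process could point a
            // ProcessHeaps entry at kernel memory and have the masks applied
            // there. The __try alone would not catch such a write.
            ProbeForWrite(Flags, 2 * sizeof(ULONG), sizeof(ULONG));
            Flags[0] &= ~HeapFlagsToClear;       // Flags
            Flags[1] &= ~HeapForceFlagsToClear;  // ForceFlags
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        LogError("Access violation");
        KeUnstackDetachProcess(&State);
        return FALSE;
    }
    KeUnstackDetachProcess(&State);
    return TRUE;
}

// Clears the debugger-related flag bits of every heap listed in a native PEB.
//
// Same contract as ClearHeapFlagsWow64, using the PHEAP layout from Ntapi.h.
// Unlike the original, each iteration indexes ProcessHeaps[i]; the original
// cast the ProcessHeaps array base itself to PHEAP on every iteration, so it
// never reached the i-th heap.
static BOOLEAN ClearHeapFlagsNative(PEPROCESS TargetProcess, PPEB Peb)
{
    KAPC_STATE State;
    KeStackAttachProcess((PRKPROCESS)TargetProcess, &State);
    __try
    {
        // Array of pointers to _HEAP in the target's address space.
        PHEAP *Heaps = (PHEAP*)Peb->ProcessHeaps;
        for (size_t i = 0; i < Peb->NumberOfHeaps; i++)
        {
            // Both the array slot and the heap header come from user memory
            // the target controls; probe each before touching it.
            ProbeForRead(&Heaps[i], sizeof(Heaps[i]), sizeof(Heaps[i]));
            PHEAP Heap = Heaps[i];
            // Flags/ForceFlags are probed separately rather than as one span
            // because their adjacency in PHEAP is not guaranteed here.
            ProbeForWrite(&Heap->Flags, sizeof(Heap->Flags), sizeof(Heap->Flags));
            ProbeForWrite(&Heap->ForceFlags, sizeof(Heap->ForceFlags), sizeof(Heap->ForceFlags));
            Heap->Flags &= ~HeapFlagsToClear;
            Heap->ForceFlags &= ~HeapForceFlagsToClear;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        LogError("Access violation");
        KeUnstackDetachProcess(&State);
        return FALSE;
    }
    KeUnstackDetachProcess(&State);
    return TRUE;
}

/**
 * Resets the heap Flags/ForceFlags of TargetProcess to their non-debugged
 * defaults, for the WOW64 PEB (if any) and then the native PEB.
 *
 * @param TargetProcess  Process whose heaps are patched. The routine attaches
 *                       to it temporarily; the caller must not already be
 *                       attached and must run at an IRQL where ProbeFor* and
 *                       KeStackAttachProcess are permitted.
 * @return TRUE when every heap of every present PEB was patched; FALSE when
 *         the native PEB is missing or any access faulted. A WOW64 failure
 *         returns FALSE before the native PEB is touched, as in the original.
 */
BOOLEAN ClearHeapFlags(PEPROCESS TargetProcess)
{
    PPEB Peb = (PPEB)PsGetProcessPeb(TargetProcess);
    PPEB32 Peb32 = (PPEB32)PsGetProcessWow64Process(TargetProcess);

    if (Peb32 != NULL && !ClearHeapFlagsWow64(TargetProcess, Peb32))
    {
        return FALSE;
    }

    if (Peb == NULL)
    {
        // Kept from the original; note it also fires when only the native
        // PEB is missing, which a WOW64 process should never exhibit.
        LogError("Both Peb and Peb32 doesn't exist");
        return FALSE;
    }

    return ClearHeapFlagsNative(TargetProcess, Peb);
}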