Tuts 4 You
LCF-AT

How to get base of new created process?


LCF-AT

Hi again,

so I have again a little question and I don't remember the answer anymore. The main question is just how to get the base of a newly created process X. That's all already. So I just remember to use CreateProcessA (filename / notepad.exe) (suspended) and now I use CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS & PID of the new notepad.exe) and then I use Process32First & Process32Next and check for the process name of notepad.exe. All ok so far, but what now to get the actual base of the file I created (notepad)?

Maybe you can help again. :) A small example file would also be welcome if possible.

Thank you
kao

One way would be to use Module32First/Module32Next.

Alternative way, since you're doing CreateProcess and therefore already have a handle to the process, is to use NtQueryInformationProcess to get the PEB address, then ReadProcessMemory to read the PEB and extract ImageBase from it. Sample code in C: http://stackoverflow.com/a/8341210

EDIT: typo

LCF-AT

Hi,

thanks for the answer kao. I thought already that you would answer first, but as always your answers are not very good for me as a non-coder, you know what I mean, right. :)

Is there no other way without reading the PEB? Some simpler stuff I mean. Why is there no API like GetModuleHandle|Ex or LoadLibrary|Ex (I don't have it) like other Ex APIs where you can do some stuff?

PS: Module32First <-- so what do I have to enter in the struct? Only found a size of 128 but it's only working for Process32First, not for Module32First.

greetz


LCF-AT

Hi again,

thank you too, simple, for the files. :)

1.) CreateFile/CreateFileMapping/MapViewOfFile <--- No!

2.) I use the CreateProcess API also to create a new process which I wanna start and patch later. So in this case nothing with mapping etc.

Now I checked your process.exe but also here I get no actual base of the newly created process I started in suspended mode [quick multiasm code then undo again] before executing your process.exe

PROCESS NAME: Process.exe
Process ID = 0x00000E0C
Thread count = 1
Parent process ID = 0x00000290
Priority base = 8
Priority class = 32

MODULE NAME: Process.exe
Executable = C:\Process.exe
Process ID = 0x00000E0C
Ref count (g) = 0xFFFF
Ref count (p) = 0xFFFF
Base address = 0x00400000
Base size = 299008

PROCESS NAME: testfile.exe
Process ID = 0x00000F78
Thread count = 1
Parent process ID = 0x00000E0C
Priority base = 8
Priority class = 32

Process.exe I loaded in Olly, then I execute CreateProcess (testfile.exe) suspended. Now I run the process.exe and above you see what I got (all xy modules not written into now). About the testfile.exe I get just some basic data like PID etc.

If I keep the file running in suspended mode and start any tool which lists all processes then I can also find my process inside, and if I check now the module information of this one process then the tool lists testfile.exe with base and ntdll too. Only these 2 at this point.

PS: Just wanna get the actual base XY of my newly created process, that's all. :) Why are the simplest things always so hard to handle? :)

greetz


simple

ok i try again. uses CreateProcess(notepad, CREATE_SUSPENDED) then GetThreadContext / ReadProcMemory to get imagebase from PEB. i quickly edited this, if it crashes just give any cli arg to fix, so peb.exe AAAAAAAAA, etc

(for the answer on why process.exe mods are invisible, search for "Process/Module32Next / CreateToolHelp32Snapshot suspended process" to see why)

http://s000.tinyupload.com/?file_id=01097893905543426446


LCF-AT

Hi again,

thanks again too for the new file so I have checked this too. :) It's working so far that way, but also again with directly reading the PEB. Is there no other way to get the base directly back in a buffer just using any API combo XY (only using PID / Handle etc) without being dependent on any PEB addresses to read manually? So if not then I need to use this PEB reading stuff again.

Thanks again so far.


simple

u can debug via CreateProcess and get ep dynamically but i dont think youd like that

or delete CREATE_SUSPENDED flag, and for 'delay' effect write a bp to ep, and Module32First/Next CreateToolSnapshot way will work 100%

whats wrong w/peb dependency? peb way very basic only 3 api call. imo this is easiest. probably many other ways too

STARTUPINFOA start = { sizeof(start) }; PROCESS_INFORMATION procInfo = { 0 }; CONTEXT ctx = { 0 }; DWORD base = 0; SIZE_T bytes = 0;
CreateProcessA(process, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &start, &procInfo);
ctx.ContextFlags = CONTEXT_INTEGER; /* Ebx of the suspended main thread points at the PEB (x86) */
GetThreadContext(procInfo.hThread, &ctx);
ReadProcessMemory(procInfo.hProcess, (void*)(ctx.Ebx + 8), &base, 4, &bytes); /* PEB+8 = ImageBaseAddress */
printf("Base = %08x\n", base);

LCF-AT

Yes but I was looking for another way without reading any direct addresses from PEB+XY you know. But it seems there is no other way than to read the base from the PEB. :( Anyway so then I will read the PEB again.

Thank you again.


mrexodia

Hi,

You can get the PID using GetModuleInformation and VirtualQueryEx:

#include <windows.h>
#include <stdio.h>
#include <psapi.h>
#pragma comment(lib, "psapi.lib") //GetModuleInformation is exported by psapi.dll

LPVOID GetProcessImageBase(DWORD pid)
{
    printf("PID: %X\n", pid);
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, 0, pid);
    printf("hProcess: %p\n", hProcess);
    if(!hProcess) //OpenProcess failed...
    {
        return 0;
    }
    MODULEINFO modinfo;
    DWORD result = GetModuleInformation(hProcess, 0, &modinfo, sizeof(MODULEINFO));
    printf("GetModuleInformation: %X\n", result);
    if(!result) //GetModuleInformation failed...
    {
        CloseHandle(hProcess);
        return 0;
    }
    LPVOID EntryPoint = modinfo.EntryPoint;
    printf("EntryPoint: %p\n", EntryPoint);
    MEMORY_BASIC_INFORMATION mbi;
    result = VirtualQueryEx(hProcess, EntryPoint, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    printf("VirtualQueryEx: %X\n", result);
    if(!result) //VirtualQueryEx failed...
    {
        CloseHandle(hProcess);
        return 0;
    }
    LPVOID ImageBase = mbi.AllocationBase; //the allocation holding the entry point starts at the image base
    printf("ImageBase: %p\n", ImageBase);
    CloseHandle(hProcess);
    return ImageBase;
}

int main()
{
    GetProcessImageBase(0x1314); //PID hard-coded for the test
    return 0;
}
Compiled EXE (unoptimized):

https://mega.co.nz/#!ulQGlQiK!cljnM-60YZZDYKghuj__9PXwXcw9Rnm9LtXRSFri-tQ

Greetings,

Mr. eXoDia

simple

if(!CreateProcess("C:\\WINDOWS\\system32\\notepad.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &startup, &processInfo))
{
    return 1; /* FAIL */
}
printf("%08x\n", processInfo.dwProcessId);
GetProcessImageBase(processInfo.dwProcessId);

output

----------------------

GetModuleInformation() - 0 fails because of CREATE_SUSPENDED flag

mr exodia - x64dbg good i use almost everyday

mrexodia

@simple: In that case the only option indeed would be to use NtQueryInformationProcess to read the PEB...

Greetings

LCF-AT

Hi again,

thanks eXoDia so this was it. :) OpenProcess, PSAPI dll and VQEx. :) All working so far without grabbing any PEB etc. Only small disadvantage is that I need to load PSAPI extra. Anyway so thanks again for the answer.

greetz


simple

@simple: In that case the only option indeed would be to use NtQueryInformationProcess to read the PEB...

Greetings

that's wrong

first u can read PEB other way besides NtQueryInfoProc, second there's still several other ways to get image base from suspended process, especially from kernel. i avoid showing to try to get lcf-at to make effort for own question ;)

mrexodia

@simple: You're right, I should have said 'the only other option I know'. But I'm getting interested in the other ways of obtaining the image base from a suspended process from the kernel :D

Greetings

simple

ok i haven't personally done exactly this, only ideas, but should work (excuse any misinfo)

KPROCESS, EPROCESS or ETHREAD could have several diff ways (peb, StartAddress, more)

PsGetProcPeb()

i see several ways to 'create proc from scratch' and give it a known ImageBase, or change PPEB to ur own, look here - http://i-web.i.u-tokyo.ac.jp/edu/training/ss/lecture/new-documents/Lectures/13-Processes/Processes.pdf

probably many more too. a bit off topic, nor did i test it, but i see maybe 2 or 3 months ago some blog claims to have found a stable, non-patch approach for PG bypass on x64, so w/that u should be able to use dkom for stable process hiding on x64. dont know but from kernel u do anything


mrexodia

@simple: That's some interesting info, I will read that. Also the non-patch approach for PatchGuard, I think there was a way to intercept some exceptions using some system trap instructions, but I didn't read about it very well. The main problem is bypassing driver signature verification though, for this you still need to patch the kernel, or boot in test mode or something.

Greetings

dangducluan

@LCF-AT 

Hi, bro

I'm also having the same problem when using CreateProcess with the CREATE_SUSPENDED flag in Delphi. I want to make a loader for an ARLS target; can you give some demo code in Delphi to get the image base when CreateProcess is SUSPENDED, thanks ☺️

LCF-AT

Hi,

hmmm, long time ago already. Don't remember anymore about that. I just checked my code and saw that I was using the PEB reading method like this...

local STARTUP:STARTUPINFO
local PI:PROCESS_INFORMATION
local PIS:PROCESS_BASIC_INFORMATION
local BASEADDRESS:DWORD

    invoke RtlZeroMemory,addr STARTUP,sizeof STARTUP
    invoke RtlZeroMemory,addr PI,sizeof PI
    invoke RtlZeroMemory,addr PIS,sizeof PIS
    mov STARTUP.STARTUPINFO.cb,sizeof STARTUPINFO

    ; start the target suspended, so its main thread has not run yet
    invoke CreateProcess,addr TARGETNAMEPATHBUF,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,addr STARTUP,addr PI
    .if eax == 0h ; fails
        ret
    .endif

    ; PROCESS_BASIC_INFORMATION.PebBaseAddress is the PEB of the new process
    invoke NtQueryInformationProcess,PI.PROCESS_INFORMATION.hProcess,ProcessBasicInformation,addr PIS,sizeof PIS,NULL
    .if eax != 0h ; fails (NTSTATUS other than STATUS_SUCCESS)
        @@:       ; shared failure exit, also reached from the ReadProcessMemory check below
        invoke TerminateProcess,PI.PROCESS_INFORMATION.hProcess,0
        mov eax, 0h
        ret
    .endif

    ; PEB+8 = ImageBaseAddress (32-bit PEB layout)
    mov esi,PIS.PROCESS_BASIC_INFORMATION.PebBaseAddress
    add esi,8
    invoke ReadProcessMemory,PI.PROCESS_INFORMATION.hProcess,esi,addr BASEADDRESS,sizeof BASEADDRESS,NULL
    .if eax != 1  ; fails
        jmp @B
    .endif

    mov esi, BASEADDRESS   ; image base of the suspended target

greetz

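Both simple's one-liner (ctx.Ebx+8) and LCF-AT's MASM routine above read ImageBaseAddress straight out of the PEB at offset 8. The C below is an added example, not code from this thread; it isolates that PEB read behind a reader callback standing in for ReadProcessMemory and extends it to the 64-bit PEB, where the pointer-sized Mutant handle pushes ImageBaseAddress to offset 0x10. The fake address space, its FAKE_PEB address and the demo function are constructed so it runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Reader callback standing in for ReadProcessMemory: copy len bytes at addr
   from the target address space into buf; return 1 on success, 0 on failure. */
typedef int (*read_mem_fn)(void *ctx, uint64_t addr, void *buf, size_t len);

/* ImageBaseAddress follows the four flag bytes and the pointer-sized Mutant
   handle at the top of the PEB: offset 0x08 in a 32-bit PEB, 0x10 in a 64-bit
   one. A WOW64 process has both PEBs; pass the layout you are actually reading. */
int peb_image_base(read_mem_fn rd, void *ctx, uint64_t peb, int is_64bit_peb, uint64_t *out)
{
    uint64_t off = is_64bit_peb ? 0x10 : 0x08, v = 0;
    size_t ptrlen = is_64bit_peb ? 8 : 4;
    uint8_t raw[8] = {0};
    if (!rd(ctx, peb + off, raw, ptrlen))
        return 0;
    for (size_t i = 0; i < ptrlen; i++)   /* little-endian pointer decode */
        v |= (uint64_t)raw[i] << (8 * i);
    if (v == 0)                            /* PEB mapped but not filled in yet */
        return 0;
    *out = v;
    return 1;
}

/* Constructed fake address space for an offline run: one PEB image at FAKE_PEB. */
#define FAKE_PEB 0x7FFDF000ULL
static uint8_t fake_mem[64];

static int fake_read(void *ctx, uint64_t addr, void *buf, size_t len)
{
    (void)ctx;
    if (addr < FAKE_PEB || addr + len > FAKE_PEB + sizeof fake_mem)
        return 0;                          /* outside the mapped PEB page */
    memcpy(buf, fake_mem + (addr - FAKE_PEB), len);
    return 1;
}

/* Write image_base into a 32- or 64-bit PEB image the way the loader would,
   then read it back through peb_image_base(); returns 0 on any failure. */
uint64_t demo_read_base(int is_64bit_peb, uint64_t image_base)
{
    size_t off = is_64bit_peb ? 0x10 : 0x08, ptrlen = is_64bit_peb ? 8 : 4;
    uint64_t base = 0;
    memset(fake_mem, 0, sizeof fake_mem);
    for (size_t i = 0; i < ptrlen; i++)
        fake_mem[off + i] = (uint8_t)(image_base >> (8 * i));
    return peb_image_base(fake_read, NULL, FAKE_PEB, is_64bit_peb, &base) ? base : 0;
}
```

Reading a 64-bit target through the 32-bit layout silently truncates the pointer, which is why the layout flag has to match the PEB you actually queried.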