Relocate the image with No ASLR

2022-09-11 15:52:18 +02:00 · 2022-09-11 15:52:18 +02:00 · e005ba44b6
parent 259f1e88e3
commit e005ba44b6
1 changed files with 112 additions and 1 deletions
--- a/TitanEngine/TitanEngine.Debugger.cpp
+++ b/TitanEngine/TitanEngine.Debugger.cpp
@ -43,6 +43,115 @@ __declspec(dllexport) void* TITCALL InitDebug(char* szFileName, char* szCommandL
    }
 }

+static bool ProcessRelocations(char* imageCopy, ULONG_PTR imageSize, ULONG_PTR newImageBase, ULONG_PTR & oldImageBase)
+{
+    auto pnth = RtlImageNtHeader(imageCopy);
+    if(pnth == nullptr)
+        return false;
+
+    // Put the new base in the header
+    oldImageBase = pnth->OptionalHeader.ImageBase;
+    pnth->OptionalHeader.ImageBase = newImageBase;
+
+    // Nothing to do if relocations are stripped
+    if(pnth->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED)
+        return true;
+
+    // Nothing to do if there are no relocations
+    const auto & relocDir = pnth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
+    if(relocDir.Size == 0 || relocDir.VirtualAddress == 0)
+        return true;
+
+    // Process the relocations
+    auto delta = newImageBase - oldImageBase;
+    auto relocationItr = (PIMAGE_BASE_RELOCATION)((ULONG_PTR)imageCopy + relocDir.VirtualAddress);
+    auto relocationEnd = (PIMAGE_BASE_RELOCATION)((ULONG_PTR)relocationItr + relocDir.Size);
+
+    while(relocationItr < relocationEnd && relocationItr->SizeOfBlock > 0)
+    {
+        auto count = (relocationItr->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(USHORT);
+        auto address = (ULONG_PTR)imageCopy + relocationItr->VirtualAddress;
+        auto typeOffset = (PUSHORT)(relocationItr + 1);
+
+        relocationItr = LdrProcessRelocationBlock(address, (ULONG)count, typeOffset, delta);
+        if(relocationItr == nullptr)
+            return false;
+    }
+    return true;
+}
+
+static bool RelocateImage(HANDLE hProcess, PVOID imageBase, SIZE_T imageSize)
+{
+    constexpr auto pageSize = 0x1000;
+    std::vector<bool> writeback(imageSize / pageSize);
+    // allocate a local copy of the mapped image
+    auto imageCopy = (char*)VirtualAlloc(0, imageSize, MEM_COMMIT, PAGE_READWRITE);
+    if(imageCopy == nullptr)
+        return false;
+
+    // read all the pages
+    for(size_t i = 0; i < writeback.size(); i++)
+    {
+        auto offset = i * pageSize;
+        SIZE_T read = 0;
+        if(NT_SUCCESS(NtReadVirtualMemory(hProcess, (char*)imageBase + offset, imageCopy + offset, pageSize, &read)))
+            writeback[i] = true;
+    }
+
+    // perform the actual relocations
+    ULONG_PTR oldImageBase = 0;
+    auto success = ProcessRelocations(imageCopy, imageSize, (ULONG_PTR)imageBase, oldImageBase);
+
+    // write back the pages
+    auto memWrite = [hProcess](PVOID ptr, LPCVOID data, SIZE_T size)
+    {
+        // Make the page writable
+        ULONG oldProtect = 0;
+        if(NT_SUCCESS(NtProtectVirtualMemory(hProcess, &ptr, &size, PAGE_READWRITE, &oldProtect)))
+        {
+            // Write the memory
+            SIZE_T written = 0;
+            if(NT_SUCCESS(NtWriteVirtualMemory(hProcess, ptr, data, size, &written)))
+            {
+                // Restore the old protection
+                return NT_SUCCESS(NtProtectVirtualMemory(hProcess, &ptr, &size, oldProtect, &oldProtect));
+            }
+        }
+        return false;
+    };
+    for(size_t i = 0; i < writeback.size(); i++)
+    {
+        if(writeback[i])
+        {
+            auto offset = pageSize * i;
+            if(!memWrite((char*)imageBase + offset, imageCopy + offset, pageSize))
+                success = false;
+        }
+    }
+
+    // Create a copy of the header at the original image base
+    // The kernel uses it in ZwCreateThread to get the stack size for example
+    if(success)
+    {
+        success = false;
+        auto oldPage = (LPVOID)oldImageBase;
+        if(VirtualAllocEx(hProcess, oldPage, pageSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE))
+        {
+            if(memWrite(oldPage, imageCopy, pageSize))
+            {
+                DWORD oldProtect = 0;
+                if(VirtualProtectEx(hProcess, oldPage, pageSize, PAGE_READONLY, &oldProtect))
+                    success = true;
+            }
+        }
+    }
+
+    // Free the copy of the image
+    VirtualFree(imageCopy, imageSize, MEM_DECOMMIT);
+
+    return success;
+}
+
 static bool HollowProcessWithoutASLR(const wchar_t* szFileName, PROCESS_INFORMATION & pi)
 {
    bool success = false;
@ -92,7 +201,9 @@ static bool HollowProcessWithoutASLR(const wchar_t* szFileName, PROCESS_INFORMAT
                            }
                            if (status == STATUS_SUCCESS || status == STATUS_IMAGE_NOT_AT_BASE)
                            {
-                                if (WriteProcessMemory(pi.hProcess, (char*)pebRegister + offsetof(PEB, ImageBaseAddress), &imageBase, sizeof(PVOID), nullptr))
+                                auto pebOk = WriteProcessMemory(pi.hProcess, (char*)pebRegister + offsetof(PEB, ImageBaseAddress), &imageBase, sizeof(PVOID), nullptr);
+                                auto relocatedOk = RelocateImage(pi.hProcess, imageBase, viewSize);
+                                if (pebOk && relocatedOk)
                                {
                                    auto expectedBase = DebugModuleImageBase == ULONG_PTR(imageBase);
                                    DebugModuleImageBase = ULONG_PTR(imageBase);