BlackBone
Windows memory hacking library
 All Classes Functions
MMap.h
1 #pragma once
2 
3 #include "../Config.h"
4 #include "../Include/Winheaders.h"
5 #include "../Include/Macro.h"
6 #include "../PE/PEImage.h"
7 
8 #include "../Process/MemBlock.h"
9 #include "MExcept.h"
10 
11 #include <map>
12 #include <stack>
13 
14 namespace blackbone
15 {
16 
17 // Loader flags
18 enum eLoadFlags
19 {
20  NoFlags = 0x00, // No flags
21  ManualImports = 0x01, // Manually map import libraries
22  CreateLdrRef = 0x02, // Create module references for native loader
23  WipeHeader = 0x04, // Wipe image PE headers
24  HideVAD = 0x10, // Make image appear as PAGE_NOACESS region
25  MapInHighMem = 0x20, // Try to map image in address space beyond 4GB limit
26  RebaseProcess = 0x40, // If target image is an .exe file, process base address will be replaced with mapped module value
27 
28  NoExceptions = 0x01000, // Do not create custom exception handler
29  PartialExcept = 0x02000, // Only create Inverted function table, without VEH
30  NoDelayLoad = 0x04000, // Do not resolve delay import
31  NoSxS = 0x08000, // Do not apply SxS activation context
32  NoTLS = 0x10000, // Skip TLS initialization and don't execute TLS callbacks
33 };
34 
35 ENUM_OPS( eLoadFlags )
36 
37 // Native loader flags callback
38 typedef enum LdrRefFlags( *LdrCallback )(void* context, const ModuleData& modInfo);
39 
40 
44 struct ImageContext
45 {
46  typedef std::vector<ptr_t> vecPtr;
47 
48  pe::PEImage peImage; // PE image data
49  MemBlock imgMem; // Target image memory region
50  std::wstring FilePath; // path to image being mapped
51  std::wstring FileName; // File name string
52  vecPtr tlsCallbacks; // TLS callback routines
53  ptr_t pExpTableAddr = 0; // Exception table address (amd64 only)
54  ptr_t EntryPoint = 0; // Target image entry point
55  eLoadFlags flags = NoFlags; // Image loader flags
56  bool initialized = false; // Image entry point was called
57 };
58 
59 typedef std::vector<std::unique_ptr<ImageContext>> vecImageCtx;
60 
64 class MMap : public MExcept
65 {
66 
67 public:
68  BLACKBONE_API MMap( class Process& proc );
69  BLACKBONE_API ~MMap( void );
70 
79  BLACKBONE_API const ModuleData* MapImage(
80  const std::wstring& path,
81  eLoadFlags flags = NoFlags,
82  LdrCallback ldrCallback = nullptr,
83  void* ldrContext = nullptr
84  );
85 
96  BLACKBONE_API const ModuleData* MapImage(
97  void* buffer, size_t size,
98  bool asImage = false,
99  eLoadFlags flags = NoFlags,
100  LdrCallback ldrCallback = nullptr,
101  void* ldrContext = nullptr
102  );
103 
108  BLACKBONE_API bool UnmapAllModules();
109 
114  BLACKBONE_API void Cleanup();
115 
119  BLACKBONE_API inline void reset() { _images.clear(); _pAContext.Reset(); _usedBlocks.clear(); }
120 
121 private:
133  const ModuleData* MapImage(
134  const std::wstring& path,
135  void* buffer, size_t size,
136  bool asImage = false,
137  eLoadFlags flags = NoFlags,
138  LdrCallback ldrCallback = nullptr,
139  void* ldrContext = nullptr
140  );
141 
148  const ModuleData* FindOrMapModule(
149  const std::wstring& path,
150  void* buffer, size_t size, bool asImage,
151  eLoadFlags flags = NoFlags
152  );
153 
165  bool RunModuleInitializers( ImageContext* pImage, DWORD dwReason );
166 
172  bool CopyImage( ImageContext* pImage );
173 
179  bool ProtectImageMemory( ImageContext* pImage );
180 
186  bool RelocateImage( ImageContext* pImage );
187 
194  bool ResolveImport( ImageContext* pImage, bool useDelayed = false );
195 
201  bool InitStaticTLS( ImageContext* pImage );
202 
208  bool EnableExceptions( ImageContext* pImage );
209 
215  bool DisableExceptions( ImageContext* pImage );
216 
228  bool CreateActx( const std::wstring& path, int id = 2, bool asImage = true );
229 
235  bool InitializeCookie( ImageContext* pImage );
236 
242  NTSTATUS ConcealVad( const MemBlock& imageMem );
243 
250  NTSTATUS AllocateInHighMem( MemBlock& imageMem, size_t size );
251 
258  const ModuleData* FindOrMapDependency( ImageContext* pImage, std::wstring& path );
259 
265  module_t MapPureManaged();
266 
272  DWORD GetSectionProt( DWORD characteristics );
273 
274 private:
275  vecImageCtx _images; // Mapped images
276  class Process& _process; // Target process manager
277  MemBlock _pAContext; // SxS activation context memory address
278  LdrCallback _ldrCallback = nullptr; // Loader callback for adding image into loader lists
279  void* _ldrContext = nullptr; // user context for _ldrCallback
280 
281  std::vector<std::pair<ptr_t, size_t>> _usedBlocks; // Used memory blocks
282 };
283 
284 }
285 
blackbone::MExcept
Exception handling support for arbitrary code
Definition: MExcept.h:12
blackbone::MMap::MapImage
BLACKBONE_API const ModuleData * MapImage(const std::wstring &path, eLoadFlags flags=NoFlags, LdrCallback ldrCallback=nullptr, void *ldrContext=nullptr)
Manually map PE image into underlying target process
Definition: MMap.cpp:34
blackbone::ImageContext
Image data
Definition: MMap.h:44
blackbone::Process
Definition: Process.h:43
blackbone::pe::PEImage
Primitive PE parsing class
Definition: PEImage.h:55
blackbone::MMap
Manual image mapper
Definition: MMap.h:64
blackbone::MMap::Cleanup
BLACKBONE_API void Cleanup()
Remove any traces from remote process
Definition: MMap.cpp:1113
blackbone::MemBlock
Definition: MemBlock.h:39
blackbone::MMap::reset
BLACKBONE_API void reset()
Reset local data
Definition: MMap.h:119
blackbone::MMap::UnmapAllModules
BLACKBONE_API bool UnmapAllModules()
Unmap all manually mapped modules
Definition: MMap.cpp:346
blackbone
Definition: AsmHelper32.cpp:6
blackbone::MemBlock::Reset
BLACKBONE_API void Reset()
Try to free memory and reset pointers
Definition: MemBlock.cpp:199
blackbone::ModuleData
Definition: Types.h:56