Arcane
October 19th, 2008, 01:01
While I was doing some research I stumbled on something which I found very interesting. I was attempting to change the location of Peb->ProcessHeap, which I did successfully, but the application still continued to use the old heap, which I didn't want, so I started digging and came across something I've never seen before.
In the API LocalAlloc I found that it keeps a constant copy of Peb->ProcessHeap inside kernel32 itself.
7C809A63 FF35 A453887C PUSH DWORD PTR DS:[7C8853A4] -> contains copy of Peb->ProcessHeap
So modifying the PEB only had limited success, but changing this value as well fixed my problem.
I guess pretty clearly this push should have been a call to GetProcessHeap() instead, or does somebody else have a view on why Windows would do it like this?
enjoy
disavowed
October 23rd, 2008, 13:29
Optimization maybe?
deroko
October 23rd, 2008, 16:00
Just follow the xref and load symbols into IDA, here ->
Code:
.text:7C8178B6 mov eax, large fs:18h
.text:7C8178BC mov eax, [eax+30h]
.text:7C8178BF mov eax, [eax+18h]
.text:7C8178C2 push offset _BaseHeapHandleTable
.text:7C8178C7 push 8
.text:7C8178C9 push 0FFFFh
.text:7C8178CE mov _BaseHeap, eax
.text:7C8178D3 call ds:__imp__RtlInitializeHandleTable@12 ; RtlInitializeHandleTable(x,x,x)
.text:7C8178D9 push 0
So what you should do is update the heap in the PEB before kernel32.dll is loaded; BaseHeap is the variable you are looking for...
blabberer
October 24th, 2008, 11:25
Well, deroko already answered, but I'll supplement.
Here is LocalAlloc in OllyDbg:
7C8099BD kernel32.LocalAlloc PUSH 1C
7C8099BF PUSH kernel32.7C809A28
7C8099C4 CALL kernel32._SEH_prolog
7C8099C9 TEST DWORD PTR SS:[EBP+8], FFFFF08D
7C8099D0 JNZ kernel32.7C839D56
7C8099D6 XOR EDI, EDI
7C8099D8 MOV DWORD PTR SS:[EBP-1C], EDI
7C8099DB TEST BYTE PTR SS:[EBP+8], 40
7C8099DF JE SHORT kernel32.7C8099E8
7C8099E1 MOV DWORD PTR SS:[EBP-1C], 8
7C8099E8 TEST BYTE PTR SS:[EBP+8], 2
7C8099EC JNZ kernel32.7C82327A
7C8099F2 PUSH DWORD PTR SS:[EBP+C] ; /Arg3 = 7C900000
7C8099F5 MOV EAX, DWORD PTR DS:[BaseDllTag] ; |
7C8099FA ADD EAX, 140000 ; |
7C8099FF OR EAX, DWORD PTR SS:[EBP-1C] ; |
7C809A02 PUSH EAX ; |Arg2 = 00141EB4
7C809A03 PUSH DWORD PTR DS:[BaseHeap] ; |Arg1 = 00560000
7C809A09 CALL NEAR DWORD PTR DS:[<&ntdll.RtlAllocateHeap>] ; \RtlAllocateHeap
7C809A0F MOV ESI, EAX
7C809A11 CMP ESI, EDI
7C809A13 JE kernel32.7C839D64
7C809A19 MOV EAX, ESI
7C809A1B CALL kernel32._SEH_epilog
7C809A20 RETN 8
Yes, that's with symbols.
Now you can ask OllyDbg to find references for BaseHeap:
right-click -> Find references -> Addr constant
You will get all references like below:
References in kernel32:.text to BaseHeap
Address Disassembly Comment
7C80997C PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C809A03 PUSH DWORD PTR DS:[BaseHeap] (Initial CPU selection)
7C80FE5C PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C80FEA3 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C80FEBB PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C80FEF3 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C80FF5F PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C80FFAB PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C80FFCA PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C80FFDA PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C810063 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C81009D PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8100F1 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C810131 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C810185 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C81260D PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C812690 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8126B9 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C817525 MOV DWORD PTR DS:[BaseHeap], EAX
7C81E2F3 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C81E326 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C81E341 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C81F0B7 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C81F0D6 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C822391 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8223BB PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8223D7 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8223F3 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C822DA0 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C822DF4 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C822E3E PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C822E8D PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C822F69 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C822FB0 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C822FC8 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C823266 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C82327A PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8232CD PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8232EC PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8232FC PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8233B3 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C827904 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C82796D PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C838658 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8386E8 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C838704 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C838F42 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C838F64 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C838F8F PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C83917B PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8391BE PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8391D1 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C83A684 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C83A6BD PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C83A6D8 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C83FFF2 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C840041 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C840088 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8400AE PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8400EA PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C840125 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8402B8 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8557FA PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C855823 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8558B9 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C8558ED PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C85590F PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C85595F PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C85E452 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
7C85E664 PUSH DWORD PTR DS:[BaseHeap] DS:[7C8833A4]=00560000
There is only one assignment:
References in kernel32:.text to BaseHeap, item 18
Address=7C817525
Disassembly=MOV DWORD PTR DS:[BaseHeap], EAX
You can find where it is being assigned by double-clicking on that line.
You will land here:
7C81750D kernel32.BaseDllInitializeMemoryManager MOV EAX, DWORD PTR FS:[18]
7C817513 MOV EAX, DWORD PTR DS:[EAX+30]
7C817516 MOV EAX, DWORD PTR DS:[EAX+18]
7C817519 PUSH OFFSET kernel32.BaseHeapHandleTable ; /Arg3 = 7C8830E0
7C81751E PUSH 8 ; |Arg2 = 00000008
7C817520 PUSH 0FFFF ; |Arg1 = 0000FFFF
7C817525 MOV DWORD PTR DS:[BaseHeap], EAX ; |
7C81752A CALL NEAR DWORD PTR DS:[<&ntdll.RtlInitializeHandle>; \RtlInitializeHandleTable
7C817530 PUSH 0 ; /pReqsize = NULL
7C817532 PUSH 4 ; |Bufsize = 4
7C817534 PUSH OFFSET kernel32.SystemRangeStart ; |Buffer = OFFSET kernel32.SystemRangeStart
7C817539 PUSH 32 ; |InfoType = 50.
7C81753B CALL NEAR DWORD PTR DS:[<&ntdll.NtQuerySystemInform>; \ZwQuerySystemInformation
7C817541 RETN
If you look at the call tree you can see this is being called from one place only (statically, I mean):
Call tree
Called from Procedure Calls Comment
kernel32.7C817D86 kernel32.BaseDllInitializeMemoryManager ntdll.ZwQuerySystemInformation Sys
ntdll.RtlInitializeHandleTable Sys
The local call is part of a switch case:
7C817D3A PUSH EBX ; Case 1 of switch 7C80B4A0
7C817D3B CALL kernel32.RtlEncodePointer ; JMP to ntdll.RtlEncodePointer
7C817D40 PUSH kernel32.BaseExitThreadPoolThread
7C817D45 PUSH kernel32.BaseCreateThreadPoolThread
7C817D4A MOV DWORD PTR DS:[BasepCurrentTopLevelFilter], EAX
7C817D4F CALL kernel32.RtlSetThreadPoolStartFunc ; JMP to ntdll.RtlSetThreadPoolStartFunc
7C817D54 PUSH kernel32.BasepProbeForDllManifest
7C817D59 CALL kernel32.LdrSetDllManifestProber ; JMP to ntdll.LdrSetDllManifestProber
7C817D5E MOV EAX, DWORD PTR FS:[18]
7C817D64 MOV EAX, DWORD PTR DS:[EAX+30]
7C817D67 PUSH kernel32.7C817F08 ; UNICODE "TMP"
7C817D6C PUSH kernel32.7C817EF4 ; UNICODE "BASEDLL!"
7C817D71 PUSH EBX
7C817D72 PUSH DWORD PTR DS:[EAX+18]
7C817D75 CALL NEAR DWORD PTR DS:[<&ntdll.RtlCreateTagHeap>] ; ntdll.RtlCreateTagHeap
7C817D7B MOV DWORD PTR DS:[BaseDllTag], EAX
7C817D80 MOV DWORD PTR DS:[BaseIniFileUpdateCount], EBX
7C817D86 CALL kernel32.BaseDllInitializeMemoryManager
And following with right-click -> Go to -> Switch base,
you can see it is part of kernel32's DllInitialize:
7C80B436 kernel32.<ModuleEntryPoint> MOV EDI, EDI
7C80B438 PUSH EBP
7C80B439 MOV EBP, ESP
7C80B43B CMP DWORD PTR SS:[EBP+C], 1
7C80B43F JE kernel32.7C8186C7
7C80B445 POP EBP ; ntdll.7C93EDC0
7C80B446 NOP
7C80B447 NOP
7C80B448 NOP
7C80B449 NOP
7C80B44A NOP
7C80B44B kernel32._BaseDllInitialize MOV EDI, EDI
7C80B44D PUSH EBP
7C80B44E MOV EBP, ESP
7C80B450 SUB ESP, 420
7C80B456 MOV EAX, DWORD PTR DS:[__security_cookie]
7C80B45B MOV ECX, DWORD PTR SS:[EBP+8]
7C80B45E PUSH EBX
7C80B45F PUSH ESI
7C80B460 MOV DWORD PTR SS:[EBP-4], EAX
7C80B463 PUSH EDI
7C80B464 MOV DWORD PTR SS:[EBP-420], ECX
7C80B46A MOV EAX, DWORD PTR FS:[18]
7C80B470 MOV EAX, DWORD PTR DS:[EAX+30]
7C80B473 MOV EAX, DWORD PTR DS:[EAX+1D4] ; OLLYDBG.00530057
7C80B479 MOV DWORD PTR DS:[SessionId], EAX
7C80B47E MOV DWORD PTR DS:[BaseDllHandle], ECX
7C80B484 MOV EAX, DWORD PTR FS:[18]
7C80B48A MOV ESI, DWORD PTR DS:[EAX+30]
7C80B48D MOV EAX, DWORD PTR SS:[EBP+C] ; ntdll.7C900000
7C80B490 XOR EBX, EBX
7C80B492 SUB EAX, EBX
7C80B494 MOV DWORD PTR SS:[EBP-41C], ESI
7C80B49A JE kernel32.7C81CA84
7C80B4A0 DEC EAX ; Switch (cases 1..3)
7C80B4A1 JE kernel32.7C817D3A
7C80B4A7 DEC EAX
The jump at the start is security cookie crap:
7C8186C7 CALL kernel32.__security_init_cookie
7C8186CC JMP kernel32.7C80B445
And kernel32 init is called when the process is created.
You can use WinDbg and stop on the LoadModule event for kernel32.
OllyDbg ignores all initial module loads, but you can write a plugin to make it stop on the CreateProcess event and the initial module load event.
Code:
0:000> g
ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
eax=00000200 ebx=00000000 ecx=7ffdf000 edx=00190608 esi=00000000 edi=00000000
eip=7c90eb94 esp=0006f750 ebp=0006f844 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
And then:
0:000> bp ntdll!LdrpRunInitializeRoutines
0:000> bp kernel32!_BaseDllInitialize
0:000> g
Breakpoint 0 hit
eax=00192010 ebx=0006fa94 ecx=7c8171bb edx=00000000 esi=00000001 edi=00000000
eip=7c91c9e4 esp=0006fa44 ebp=0006faf0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpRunInitializeRoutines:
7c91c9e4 68d4000000 push 0D4h
0:000> g
Breakpoint 1 hit
eax=ffff3a37 ebx=7c80b436 ecx=0000ea99 edx=7c90eb94 esi=0006f92c edi=00000001
eip=7c80b44b esp=0006f91c ebp=0006f938 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
kernel32!_BaseDllInitialize:
7c80b44b 8bff mov edi,edi
Code:
7c817d86 e882f7ffff call kernel32!BaseDllInitializeMemoryManager (7c81750d)
0:000> t
eax=00000000 ebx=00000000 ecx=7c9227ab edx=7c90eb94 esi=7ffd9000 edi=00000001
eip=7c81750d esp=0006f4e8 ebp=0006f918 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
kernel32!BaseDllInitializeMemoryManager:
7c81750d 64a118000000 mov eax,dword ptr fs:[00000018h] fs:003b:00000018=7ffdf000
0:000> p
eax=7ffdf000 ebx=00000000 ecx=7c9227ab edx=7c90eb94 esi=7ffd9000 edi=00000001
eip=7c817513 esp=0006f4e8 ebp=0006f918 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
kernel32!BaseDllInitializeMemoryManager+0x6:
7c817513 8b4030 mov eax,dword ptr [eax+30h] ds:0023:7ffdf030=7ffd9000
0:000>
eax=7ffd9000 ebx=00000000 ecx=7c9227ab edx=7c90eb94 esi=7ffd9000 edi=00000001
eip=7c817516 esp=0006f4e8 ebp=0006f918 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
kernel32!BaseDllInitializeMemoryManager+0x9:
7c817516 8b4018 mov eax,dword ptr [eax+18h] ds:0023:7ffd9018=00090000
0:000>
eax=00090000 ebx=00000000 ecx=7c9227ab edx=7c90eb94 esi=7ffd9000 edi=00000001
eip=7c817519 esp=0006f4e8 ebp=0006f918 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
kernel32!BaseDllInitializeMemoryManager+0xc:
7c817519 68e030887c push offset kernel32!BaseHeapHandleTable (7c8830e0)
0:000>
eax=00090000 ebx=00000000 ecx=7c9227ab edx=7c90eb94 esi=7ffd9000 edi=00000001
eip=7c81751e esp=0006f4e4 ebp=0006f918 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
kernel32!BaseDllInitializeMemoryManager+0x11:
7c81751e 6a08 push 8
0:000>
eax=00090000 ebx=00000000 ecx=7c9227ab edx=7c90eb94 esi=7ffd9000 edi=00000001
eip=7c817520 esp=0006f4e0 ebp=0006f918 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
kernel32!BaseDllInitializeMemoryManager+0x13:
7c817520 68ffff0000 push 0FFFFh
0:000>
eax=00090000 ebx=00000000 ecx=7c9227ab edx=7c90eb94 esi=7ffd9000 edi=00000001
eip=7c817525 esp=0006f4dc ebp=0006f918 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
kernel32!BaseDllInitializeMemoryManager+0x18:
7c817525 a3a433887c mov dword ptr [kernel32!BaseHeap (7c8833a4)],eax ds:0023:7c8833a4=00000000
You probably have to patch here, at this point.
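As an added example (not code from this thread, and not kernel32's own code), here is a small C model of the path the posts above trace: BaseDllInitializeMemoryManager copies PEB->ProcessHeap into the kernel32 global BaseHeap once, during DLL init, LocalAlloc then always pushes BaseHeap, while GetProcessHeap re-reads the PEB on every call. It reproduces Arcane's symptom from the first post (patching only the PEB changes what GetProcessHeap returns but not which heap LocalAlloc allocates from) and blabberer's conclusion (the cached copy has to be patched as well), and it turns the "Find references -> Addr constant" step into a scan of the module's data for the stale handle value. The struct layout, the two fake heaps, the kernel32_data array and every function name below are this example's own assumptions; it builds and runs on any C compiler, not only on Windows.

```c
/*
 * Model of the XP kernel32 code path discussed in the thread. Nothing here
 * is kernel32 itself: the PEB struct, the fake heaps, kernel32_data and the
 * function names are assumptions made for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef void *HANDLE;

/* Only the one PEB field the thread cares about. ProcessHeap sits at +0x18
 * on x86, which is the "mov eax,[eax+18h]" in the disassembly. */
struct peb { uint8_t pad[0x18]; HANDLE ProcessHeap; };

static struct peb g_peb;   /* stands in for fs:[18] -> [eax+30] */

/* Stand-in for kernel32's writable data: BaseHeap plus unrelated globals,
 * so the scan below has something it must leave alone. */
static HANDLE kernel32_data[8];
#define BaseHeap (kernel32_data[3])
static const size_t kernel32_data_len = sizeof kernel32_data / sizeof kernel32_data[0];

/* Two fake heaps. A real heap handle is just the address of the HEAP
 * structure, so two distinct addresses are enough for the model. */
static uint8_t old_heap_arena[64], new_heap_arena[64];
#define OLD_HEAP ((HANDLE)old_heap_arena)
#define NEW_HEAP ((HANDLE)new_heap_arena)

/* Mirrors 7C81750D: read PEB->ProcessHeap, store it in BaseHeap. In the
 * real DLL this runs once from _BaseDllInitialize at process start. */
static void BaseDllInitializeMemoryManager(void) { BaseHeap = g_peb.ProcessHeap; }

/* GetProcessHeap re-reads the PEB every time it is called. */
static HANDLE model_GetProcessHeap(void) { return g_peb.ProcessHeap; }

/* LocalAlloc does "push dword ptr [BaseHeap]; call RtlAllocateHeap".
 * The model returns the heap the allocation would come from. */
static HANDLE model_LocalAlloc_heap(void) { return BaseHeap; }

/* What Arcane did first: rewrite PEB->ProcessHeap and nothing else. */
static void retarget_peb(HANDLE h) { g_peb.ProcessHeap = h; }

/* The fix from the thread: locate every stale copy of the old handle in
 * the module's data (Olly's "find references -> addr constant", done in
 * code) and overwrite it. Returns the number of copies patched. */
static int patch_cached_heap(HANDLE *data, size_t n, HANDLE old_h, HANDLE new_h) {
    int patched = 0;
    for (size_t i = 0; i < n; i++)
        if (data[i] == old_h) { data[i] = new_h; patched++; }
    return patched;
}

/* Process start as the thread describes it: PEB set up by ntdll, then
 * kernel32's init copies the heap handle. */
static void process_start(void) {
    memset(kernel32_data, 0, sizeof kernel32_data);
    kernel32_data[0] = (HANDLE)0x1234;   /* unrelated global, must not be touched */
    g_peb.ProcessHeap = OLD_HEAP;
    BaseDllInitializeMemoryManager();
}

/* 1 if LocalAlloc and GetProcessHeap agree on the heap, 0 if they diverge. */
static int heaps_agree(void) { return model_LocalAlloc_heap() == model_GetProcessHeap(); }

int main(void) {
    process_start();
    retarget_peb(NEW_HEAP);
    printf("PEB patched only: GetProcessHeap=%p LocalAlloc uses=%p agree=%d\n",
           model_GetProcessHeap(), model_LocalAlloc_heap(), heaps_agree());
    int n = patch_cached_heap(kernel32_data, kernel32_data_len, OLD_HEAP, NEW_HEAP);
    printf("patched %d cached copy: agree=%d\n", n, heaps_agree());
    return heaps_agree() ? 0 : 1;
}
```

The listings above show why the scan has to come after kernel32's DLL_PROCESS_ATTACH (the copy is only taken in BaseDllInitializeMemoryManager), so from a program's own entry point onward is early enough, and the old value to search for is the handle seen in the PEB at that moment (00560000 and 00090000 in the two sessions quoted). On a real system the array would be the module's writable data section as found from its PE section headers; the model keeps it to a small array so the behaviour is visible in one run.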