OK
Re: C++ TO PUB
Maybe this will help you a little:
But you will also need to translate wow64ext.h to fix errors for missing functions and structures. Good luck.
; FNFAIL(a): report a failed API call on the console as "<a> failed".
; a is any string expression naming the call (e.g. "VirtualAlloc").
Macro FNFAIL(a)
  Print(a) : PrintN(" failed")
EndMacro
; _016I64X(n): format a 64-bit value as 16 upper-case hex digits,
; zero-padded on the left (mirrors printf's "%016I64X").
Macro _016I64X(n)
  Right("0000000000000000" + Hex(n, #PB_Quad), 16)
EndMacro
; _08X(n): format a 32-bit value as 8 upper-case hex digits,
; zero-padded on the left (mirrors printf's "%08X").
Macro _08X(n)
  Right("00000000" + Hex(n, #PB_Long), 8)
EndMacro
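;----------------------------------------------------------------------
; AllocTest_Query(hProcess, addr.q)
; Queries the 64-bit region of hProcess that contains addr and prints
; base / size / protect / type / state.  Returns the VirtualQueryEx64
; result (0 on failure) so a failed query is reported instead of
; printing a stale or zeroed structure.
;----------------------------------------------------------------------
Procedure AllocTest_Query(hProcess, addr.q)
  Protected mbi64.MEMORY_BASIC_INFORMATION64
  Protected ok = VirtualQueryEx64(hProcess, addr, @mbi64, SizeOf(mbi64))
  If ok
    PrintN("Query memory: "+_016I64X(mbi64\BaseAddress)+" "+_016I64X(mbi64\RegionSize)+" "+_08X(mbi64\Protect)+" "+_08X(mbi64\Type)+" "+_08X(mbi64\State))
  Else
    FNFAIL("VirtualQueryEx64")
  EndIf
  ProcedureReturn ok
EndProcedure

;----------------------------------------------------------------------
; AllocTest(hProcess)
; Allocates one 0x1000-byte page at the fixed 64-bit address
; 0x70000020000 in hProcess, queries it, frees it and queries it again,
; printing every step.  hProcess needs PROCESS_VM_OPERATION for the
; alloc/free and PROCESS_QUERY_INFORMATION for the queries.
; The return value is not meaningful.
;----------------------------------------------------------------------
Procedure AllocTest(hProcess)
  PrintN("Requesting 0x1000 bytes of memory at 0x70000020000 ...")
  ; The address lies above 4 GB, so only the 64-bit call path can
  ; reach it - that is what this test demonstrates.
  Protected mem.q = VirtualAllocEx64(hProcess, $70000020000, $1000, #MEM_COMMIT | #MEM_RESERVE, #PAGE_READWRITE)
  If (0 = mem)
    PrintN("VirtualAllocEx64 failed.")
    ProcedureReturn
  EndIf
  PrintN("Memory allocated at: "+_016I64X(mem))
  AllocTest_Query(hProcess, mem)
  If VirtualFreeEx64(hProcess, mem, 0, #MEM_RELEASE)
    PrintN("Freeing memory: success")
  Else
    PrintN("Freeing memory: failure")
  EndIf
  ; Second query shows the region state after the release.
  AllocTest_Query(hProcess, mem)
EndProcedure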
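;----------------------------------------------------------------------
; main()
; Console test driver for the wow64ext translation:
;   1. opens the target process given as a hex PID on the command line,
;   2. walks its 64-bit address space with VirtualQueryEx64 and dumps
;      every readable region to a file "<pid>_<base>" in the current
;      directory,
;   3. calls the 64-bit RtlComputeCrc32 through X64Call,
;   4. runs AllocTest against the target and against the current process,
;   5. reads the current thread's 64-bit context.
; Always returns 0; failures are reported on the console.
;----------------------------------------------------------------------
Procedure main()
  OpenConsole()
  Protected s.q = GetProcAddress64(GetModuleHandle64("wow64cpu.dll"),"TurboDispatchJumpAddressStart")
  PrintN("tt:"+_016I64X(s))

  ; CountProgramParameters() does not count the executable itself
  ; (unlike C's argc), so exactly one parameter is expected.
  If (1 <> CountProgramParameters())
    PrintN(~"Usage:\n\t"+GetFilePart(ProgramFilename())+" hex_process_ID")
    ProcedureReturn 0
  EndIf

  Protected procID.l = Val("$"+ProgramParameter())
  If (procID = 0)
    PrintN("Invalid process ID.")
    ProcedureReturn 0
  EndIf
  PrintN("Process ID: "+_08X(procID))

  ; Least privilege: QUERY_INFORMATION + VM_READ cover the memory walk
  ; and dump, VM_OPERATION covers AllocTest's VirtualAllocEx64 /
  ; VirtualFreeEx64.  Nothing here needs PROCESS_ALL_ACCESS.
  Protected hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ | #PROCESS_VM_OPERATION, #False, procID)
  If (0 = hProcess)
    PrintN("Can't open process "+_08X(procID))
    ProcedureReturn 0
  EndIf

  Protected mbi64.MEMORY_BASIC_INFORMATION64
  Protected crAddr.q = 0
  Protected printMemMap.b = #True
  Protected *mem
  Protected fName.s
  Protected hFile
  Protected tmp.l

  ; Walk the target's 64-bit address space one region per iteration;
  ; the loop ends when VirtualQueryEx64 fails past the last region.
  While (VirtualQueryEx64(hProcess, crAddr, @mbi64, SizeOf(mbi64)))
    If (mbi64\Protect And Not(mbi64\Protect & (#PAGE_NOACCESS | #PAGE_GUARD)))
      If (printMemMap)
        PrintN("[D] : ")
      EndIf
      ; VirtualAlloc_ and WriteFile_ are the 32-bit APIs of this WoW64
      ; process, so their size parameters are 32 bits wide; a larger
      ; RegionSize would be truncated silently, so such regions are
      ; reported and skipped instead.
      If (mbi64\RegionSize > $FFFFFFFF)
        PrintN("Region too large to buffer in a 32-bit process, skipped")
        crAddr = mbi64\BaseAddress + mbi64\RegionSize
        Continue
      EndIf
      *mem = VirtualAlloc_(0, mbi64\RegionSize, #MEM_COMMIT, #PAGE_READWRITE)
      If (*mem = 0)
        FNFAIL("VirtualAlloc")
        crAddr = mbi64\BaseAddress + mbi64\RegionSize
        Continue
      EndIf
      If (0 = ReadProcessMemory64(hProcess, mbi64\BaseAddress, *mem, mbi64\RegionSize, 0))
        If (printMemMap)
          PrintN(_016I64X(mbi64\BaseAddress)+" : "+_016I64X(mbi64\RegionSize)+" : "+_08X(mbi64\Protect)+" :")
        EndIf
        FNFAIL("ReadProcessMemory")
        VirtualFree_(*mem, 0, #MEM_RELEASE)
        crAddr = mbi64\BaseAddress + mbi64\RegionSize
        Continue
      EndIf
      ; The file name consists only of hex digits and "_", so it cannot
      ; escape the current directory.
      fName = _08X(procID)+"_"+_016I64X(mbi64\BaseAddress)
      hFile = CreateFile_(@fName, #GENERIC_WRITE, #FILE_SHARE_READ, 0, #CREATE_ALWAYS, #FILE_ATTRIBUTE_NORMAL, 0)
      If (hFile = #INVALID_HANDLE_VALUE)
        ; Without this check the buffer would be written to, and
        ; CloseHandle_ called on, an invalid handle.
        FNFAIL("CreateFile")
      Else
        tmp = 0
        If (0 = WriteFile_(hFile, *mem, mbi64\RegionSize, @tmp, 0))
          FNFAIL("WriteFile")
        EndIf
        CloseHandle_(hFile)
      EndIf
      VirtualFree_(*mem, 0, #MEM_RELEASE)
    Else
      If (printMemMap)
        PrintN("[ ] : ")
      EndIf
    EndIf
    If (printMemMap)
      PrintN(_016I64X(mbi64\BaseAddress)+" : "+_016I64X(mbi64\RegionSize)+" : "+_08X(mbi64\Protect))
    EndIf
    ; Step to the next region from the reported base, not from the
    ; queried address, which is the robust way to iterate regions.
    crAddr = mbi64\BaseAddress + mbi64\RegionSize
  Wend

  Protected ntdll64.q = GetModuleHandle64("ntdll.dll")
  PrintN("NTDLL64: "+_016I64X(ntdll64))
  Protected rtlcrc32.q = GetProcAddress64(ntdll64, "RtlComputeCrc32")
  PrintN("RtlComputeCrc32 address: "+_016I64X(rtlcrc32))
  If (0 <> rtlcrc32)
    ; RtlComputeCrc32(initial, buffer, length) with 3 arguments.
    Protected ret.q = X64Call(rtlcrc32, 3, 0, @"ReWolf", 6)
    PrintN(~"CRC32(\"ReWolf\") = "+_016I64X(ret))
  EndIf

  PrintN("Alloc/Free test:")
  AllocTest(hProcess)
  PrintN("Alloc/Free over 4GB inside WoW64 test:")
  AllocTest(GetCurrentProcess_())

  PrintN("Get/Set Context test:")
  Protected ctx._CONTEXT64
  ctx\ContextFlags = #CONTEXT64_ALL
  GetThreadContext64(GetCurrentThread_(), @ctx)
  PrintN("rsp: "+_016I64X(ctx\Rsp))
  PrintN("rip: "+_016I64X(ctx\Rip))
  PrintN("r8: "+_016I64X(ctx\R8))
  PrintN("r9: "+_016I64X(ctx\R9))
  PrintN("r12: "+_016I64X(ctx\R12))
  ; The code below would crash the application, which is sufficient proof
  ; that SetThreadContext64 is working fine :)
  ; ctx\Rip = 0
  ; SetThreadContext64(GetCurrentThread_(), @ctx)

  CloseHandle_(hProcess)
  ProcedureReturn 0
EndProcedure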
Re: C++ TO PUB
cas wrote: Maybe this will help you a little: But you will also need to translate wow64ext.h to fix the errors for missing functions and structures. Good luck.
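; FNFAIL(a): report a failed API call on the console as "<a> failed".
Macro FNFAIL(a)
  PrintN(a+" failed")
EndMacro

; _016I64X(n): 64-bit value as 16 zero-padded upper-case hex digits.
Macro _016I64X(n)
  RSet(Hex(n,#PB_Quad),16,"0")
EndMacro

; _08X(n): 32-bit value as 8 zero-padded upper-case hex digits.
Macro _08X(n)
  RSet(Hex(n,#PB_Long),8,"0")
EndMacro

;----------------------------------------------------------------------
; AllocTest_Query(hProcess, addr.q)
; Queries the 64-bit region of hProcess that contains addr and prints
; base / size / protect / type / state.  Returns the VirtualQueryEx64
; result (0 on failure) so a failed query is reported instead of
; printing a stale or zeroed structure.
;----------------------------------------------------------------------
Procedure AllocTest_Query(hProcess, addr.q)
  Protected mbi64.MEMORY_BASIC_INFORMATION64
  Protected ok = VirtualQueryEx64(hProcess, addr, @mbi64, SizeOf(mbi64))
  If ok
    PrintN("Query memory: "+_016I64X(mbi64\BaseAddress)+" "+_016I64X(mbi64\RegionSize)+" "+_08X(mbi64\Protect)+" "+_08X(mbi64\Type)+" "+_08X(mbi64\State))
  Else
    FNFAIL("VirtualQueryEx64")
  EndIf
  ProcedureReturn ok
EndProcedure

;----------------------------------------------------------------------
; AllocTest(hProcess)
; Allocates one 0x1000-byte page at the fixed 64-bit address
; 0x70000020000 in hProcess, queries it, frees it and queries it again,
; printing every step.  hProcess needs PROCESS_VM_OPERATION for the
; alloc/free and PROCESS_QUERY_INFORMATION for the queries.
;----------------------------------------------------------------------
Procedure AllocTest(hProcess)
  PrintN("Requesting 0x1000 bytes of memory at 0x70000020000 ...")
  ; The address lies above 4 GB, so only the 64-bit call path can reach it.
  Protected mem.q = VirtualAllocEx64(hProcess, $70000020000, $1000, #MEM_COMMIT | #MEM_RESERVE, #PAGE_READWRITE)
  If (0 = mem)
    PrintN("VirtualAllocEx64 failed.")
    ProcedureReturn
  EndIf
  PrintN("Memory allocated at: "+_016I64X(mem))
  AllocTest_Query(hProcess, mem)
  If VirtualFreeEx64(hProcess, mem, 0, #MEM_RELEASE)
    PrintN("Freeing memory: success")
  Else
    PrintN("Freeing memory: failure")
  EndIf
  ; Second query shows the region state after the release.
  AllocTest_Query(hProcess, mem)
EndProcedure

;----------------------------------------------------------------------
; main()
; Console test driver for the wow64ext translation: opens the process
; given as a hex PID, dumps every readable 64-bit region to a file
; "<pid>_<base>" in the current directory, calls the 64-bit
; RtlComputeCrc32 through X64Call, runs AllocTest against the target
; and the current process, and reads the current thread's 64-bit
; context.  Always returns 0; failures are reported on the console.
;----------------------------------------------------------------------
Procedure main()
  OpenConsole()
  Protected s.q = GetProcAddress64(GetModuleHandle64("wow64cpu.dll"),"TurboDispatchJumpAddressStart")
  PrintN("tt:"+_016I64X(s))

  ; CountProgramParameters() does not count the executable itself
  ; (unlike C's argc), so exactly one parameter is expected.
  If (1 <> CountProgramParameters())
    PrintN(~"Usage:\n\t"+GetFilePart(ProgramFilename())+" hex_process_ID")
    ProcedureReturn 0
  EndIf

  Protected procID.l = Val("$"+ProgramParameter())
  If (procID = 0)
    PrintN("Invalid process ID.")
    ProcedureReturn 0
  EndIf
  PrintN("Process ID: "+_08X(procID))

  ; Least privilege: QUERY_INFORMATION + VM_READ cover the memory walk
  ; and dump, VM_OPERATION covers AllocTest's alloc/free.  Nothing here
  ; needs PROCESS_ALL_ACCESS.
  Protected hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ | #PROCESS_VM_OPERATION, #False, procID)
  If (0 = hProcess)
    PrintN("Can't open process "+_08X(procID))
    ProcedureReturn 0
  EndIf

  Protected mbi64.MEMORY_BASIC_INFORMATION64
  Protected crAddr.q = 0
  Protected printMemMap.b = #True
  Protected *mem
  Protected fName.s
  Protected hFile
  Protected tmp.l

  ; Walk the target's 64-bit address space one region per iteration;
  ; the loop ends when VirtualQueryEx64 fails past the last region.
  While (VirtualQueryEx64(hProcess, crAddr, @mbi64, SizeOf(mbi64)))
    If (mbi64\Protect And Not(mbi64\Protect & (#PAGE_NOACCESS | #PAGE_GUARD)))
      If (printMemMap)
        PrintN("[D] : ")
      EndIf
      ; VirtualAlloc_ and WriteFile_ are 32-bit APIs here, so their size
      ; parameters are 32 bits wide; a larger RegionSize would be
      ; truncated silently, so such regions are reported and skipped.
      If (mbi64\RegionSize > $FFFFFFFF)
        PrintN("Region too large to buffer in a 32-bit process, skipped")
        crAddr = mbi64\BaseAddress + mbi64\RegionSize
        Continue
      EndIf
      *mem = VirtualAlloc_(0, mbi64\RegionSize, #MEM_COMMIT, #PAGE_READWRITE)
      If (*mem = 0)
        FNFAIL("VirtualAlloc")
        crAddr = mbi64\BaseAddress + mbi64\RegionSize
        Continue
      EndIf
      If (0 = ReadProcessMemory64(hProcess, mbi64\BaseAddress, *mem, mbi64\RegionSize, 0))
        If (printMemMap)
          PrintN(_016I64X(mbi64\BaseAddress)+" : "+_016I64X(mbi64\RegionSize)+" : "+_08X(mbi64\Protect)+" :")
        EndIf
        FNFAIL("ReadProcessMemory")
        VirtualFree_(*mem, 0, #MEM_RELEASE)
        crAddr = mbi64\BaseAddress + mbi64\RegionSize
        Continue
      EndIf
      ; The file name consists only of hex digits and "_", so it cannot
      ; escape the current directory.
      fName = _08X(procID)+"_"+_016I64X(mbi64\BaseAddress)
      hFile = CreateFile_(@fName, #GENERIC_WRITE, #FILE_SHARE_READ, 0, #CREATE_ALWAYS, #FILE_ATTRIBUTE_NORMAL, 0)
      If (hFile = #INVALID_HANDLE_VALUE)
        ; Without this check the buffer would be written to, and
        ; CloseHandle_ called on, an invalid handle.
        FNFAIL("CreateFile")
      Else
        tmp = 0
        If (0 = WriteFile_(hFile, *mem, mbi64\RegionSize, @tmp, 0))
          FNFAIL("WriteFile")
        EndIf
        CloseHandle_(hFile)
      EndIf
      VirtualFree_(*mem, 0, #MEM_RELEASE)
    Else
      If (printMemMap)
        PrintN("[ ] : ")
      EndIf
    EndIf
    If (printMemMap)
      PrintN(_016I64X(mbi64\BaseAddress)+" : "+_016I64X(mbi64\RegionSize)+" : "+_08X(mbi64\Protect))
    EndIf
    ; Step to the next region from the reported base, not from the
    ; queried address, which is the robust way to iterate regions.
    crAddr = mbi64\BaseAddress + mbi64\RegionSize
  Wend

  Protected ntdll64.q = GetModuleHandle64("ntdll.dll")
  PrintN("NTDLL64: "+_016I64X(ntdll64))
  Protected rtlcrc32.q = GetProcAddress64(ntdll64, "RtlComputeCrc32")
  PrintN("RtlComputeCrc32 address: "+_016I64X(rtlcrc32))
  If (0 <> rtlcrc32)
    ; RtlComputeCrc32(initial, buffer, length) with 3 arguments.
    Protected ret.q = X64Call(rtlcrc32, 3, 0, @"ReWolf", 6)
    PrintN(~"CRC32(\"ReWolf\") = "+_016I64X(ret))
  EndIf

  PrintN("Alloc/Free test:")
  AllocTest(hProcess)
  PrintN("Alloc/Free over 4GB inside WoW64 test:")
  AllocTest(GetCurrentProcess_())

  PrintN("Get/Set Context test:")
  Protected ctx._CONTEXT64
  ctx\ContextFlags = #CONTEXT64_ALL
  GetThreadContext64(GetCurrentThread_(), @ctx)
  PrintN("rsp: "+_016I64X(ctx\Rsp))
  PrintN("rip: "+_016I64X(ctx\Rip))
  PrintN("r8: "+_016I64X(ctx\R8))
  PrintN("r9: "+_016I64X(ctx\R9))
  PrintN("r12: "+_016I64X(ctx\R12))
  ; The code below would crash the application, which is sufficient proof
  ; that SetThreadContext64 is working fine :)
  ; ctx\Rip = 0
  ; SetThreadContext64(GetCurrentThread_(), @ctx)

  CloseHandle_(hProcess)
  ProcedureReturn 0
EndProcedure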
https://github.com/rwfpl/rewolf-wow64ext