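    def add_module_to_peb(self, proc_obj: EmuProcess, mod_name: str):
        """Append an emulated system DLL to the process's PEB loader lists.

        Builds an LDR_DATA_TABLE_ENTRY for ``mod_name`` (base address taken
        from ``pydll.SYSTEM_DLL_BASE``), allocates it on the PEB heap, links it
        as the new tail of the PEB_LDR_DATA load-order and memory-order lists,
        records it via ``proc_obj.add_ldr_entry`` and writes every touched
        structure back to emulated memory.

        Args:
            proc_obj: Emulated process whose PEB is extended.
            mod_name: Module name without extension; used both as the
                ``SYSTEM_DLL_BASE`` key and to build the System32 path.

        Raises:
            KeyError: ``mod_name`` has no entry in ``pydll.SYSTEM_DLL_BASE``
                (assuming it is a plain mapping).
        """
        list_entry_size = ntos.LIST_ENTRY(self.ptr_size).sizeof()

        new_ldte = ntos.LDR_DATA_TABLE_ENTRY(self.ptr_size)
        new_ldte.DllBase = pydll.SYSTEM_DLL_BASE[mod_name]
        # Size of the entry itself; no throwaway struct needed to get it.
        new_ldte.Length = new_ldte.sizeof()
        # NOTE(review): SizeOfImage and LoadCount are left at their defaults,
        # unlike the image entry built by init_peb, so code in the emulated
        # process walking the list sees SizeOfImage == 0 for system DLLs —
        # confirm this is intended.

        self.new_unicode_string(proc_obj, new_ldte.BaseDllName, mod_name)
        self.new_unicode_string(proc_obj, new_ldte.FullDllName,
                                f"C:\\Windows\\System32\\{mod_name}.dll")

        pNew_ldte = self.mem_manager.alloc_heap(proc_obj.peb_heap,
                                                new_ldte.sizeof())

        # Hook the new entry behind the current tail. With no modules recorded
        # yet the "tail" is the list heads inside PEB_LDR_DATA; otherwise it is
        # the last recorded (address, struct) pair.
        if not proc_obj.ldr_entries:
            pEntry, prev = proc_obj.peb.Ldr, proc_obj.peb_ldr_data
            prev.InLoadOrderModuleList.Flink = pNew_ldte
            prev.InMemoryOrderModuleList.Flink = pNew_ldte + list_entry_size
            prev.InInitializationOrderModuleList.Flink = 0
        else:
            pEntry, prev = proc_obj.ldr_entries[-1]
            prev.InLoadOrderLinks.Flink = pNew_ldte
            prev.InMemoryOrderLinks.Flink = pNew_ldte + list_entry_size
            prev.InInitializationOrderLinks.Flink = 0
        # Blink is not maintained: only forward traversal of the lists is
        # consistent in emulated memory; backward walks read stale/zero links.

        # Close the circular list: the new tail points back at the list heads
        # inside PEB_LDR_DATA. 0xC is the 32-bit offset of
        # InLoadOrderModuleList (Length, Initialized + padding, SsHandle).
        # NOTE(review): on the real 64-bit PEB_LDR_DATA SsHandle is
        # pointer-sized and the head sits at 0x10 — confirm ntos.PEB_LDR_DATA's
        # layout for ptr_size == 8 before trusting this constant there.
        list_head = proc_obj.peb.Ldr + 0xC
        new_ldte.InLoadOrderLinks.Flink = list_head
        new_ldte.InMemoryOrderLinks.Flink = list_head + list_entry_size

        proc_obj.add_ldr_entry((pNew_ldte, new_ldte))

        # Persist the new entry, the patched predecessor, and the PEB and
        # PEB_LDR_DATA (the latter two may alias pEntry/prev when the list
        # was empty; the duplicate write is harmless).
        proc_obj.write_mem_self(pNew_ldte, new_ldte.get_bytes())
        proc_obj.write_mem_self(pEntry, prev.get_bytes())
        proc_obj.write_mem_self(proc_obj.peb_base, proc_obj.peb.get_bytes())
        proc_obj.write_mem_self(proc_obj.peb.Ldr,
                                proc_obj.peb_ldr_data.get_bytes())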
    def init_peb(self, proc_obj: EmuProcess):
        """Create the process's PEB, PEB_LDR_DATA and the main image's LDR entry.

        Allocates PEB_LDR_DATA and one LDR_DATA_TABLE_ENTRY for the image on
        the PEB heap, links them into a forward-only circular load-order and
        memory-order list, writes all three structures to emulated memory and
        registers them on ``proc_obj``.

        Args:
            proc_obj: Emulated process; ``image_base``, ``proc_default_heap``,
                ``peb_heap``, ``peb_base``, ``parsed_pe``, ``name`` and
                ``path`` must already be populated.
        """
        peb = ntos.PEB(self.ptr_size)
        image_entry = ntos.LDR_DATA_TABLE_ENTRY(self.ptr_size)
        ldr_data = ntos.PEB_LDR_DATA(self.ptr_size)
        list_entry_size = ntos.LIST_ENTRY(self.ptr_size).sizeof()

        # BeingDebugged is the byte PEB-based debugger checks read; keep it clear.
        peb.BeingDebugged = 0
        peb.ImageBaseAddress = proc_obj.image_base
        peb.ProcessHeap = proc_obj.proc_default_heap.get_base_addr()

        # Allocation order determines the resulting addresses: PEB_LDR_DATA
        # first, then the image entry.
        peb.Ldr = self.mem_manager.alloc_heap(proc_obj.peb_heap,
                                              ldr_data.sizeof())
        p_image_entry = self.mem_manager.alloc_heap(proc_obj.peb_heap,
                                                    image_entry.sizeof())

        # Describe the main image.
        opt_hdr = proc_obj.parsed_pe.OPTIONAL_HEADER
        image_entry.SizeOfImage = opt_hdr.SizeOfImage
        # NOTE(review): DllBase comes from the PE header's preferred ImageBase
        # while PEB.ImageBaseAddress uses proc_obj.image_base; the two diverge
        # if the image was relocated — confirm which is intended.
        image_entry.DllBase = opt_hdr.ImageBase
        image_entry.LoadCount = 1
        self.new_unicode_string(proc_obj, image_entry.BaseDllName, proc_obj.name)
        self.new_unicode_string(proc_obj, image_entry.FullDllName, proc_obj.path)

        # Forward links only (Blink is never filled in). The list heads live
        # inside PEB_LDR_DATA; 0xC is the 32-bit offset of
        # InLoadOrderModuleList assumed here — NOTE(review): the real 64-bit
        # PEB_LDR_DATA places it at 0x10, confirm ntos.PEB_LDR_DATA for
        # ptr_size == 8.
        load_order_head = peb.Ldr + 0xC
        ldr_data.InLoadOrderModuleList.Flink = p_image_entry
        ldr_data.InMemoryOrderModuleList.Flink = p_image_entry + list_entry_size
        image_entry.InLoadOrderLinks.Flink = load_order_head
        image_entry.InMemoryOrderLinks.Flink = load_order_head + list_entry_size

        # Commit all three structures to emulated memory.
        proc_obj.write_mem_self(p_image_entry, image_entry.get_bytes())
        proc_obj.write_mem_self(peb.Ldr, ldr_data.get_bytes())
        proc_obj.write_mem_self(proc_obj.peb_base, peb.get_bytes())

        # Register the host-side copies so later modules can extend the list.
        proc_obj.add_ldr_entry((p_image_entry, image_entry))
        proc_obj.set_peb_ldr(ldr_data)
        proc_obj.set_peb(peb)