From da652648b56fd3fc863182d17981e3e45590d9d8 Mon Sep 17 00:00:00 2001
From: Samuel Tulach
Date: Tue, 14 Apr 2020 20:32:26 +0200
Subject: [PATCH] Tue, Apr 14, 2020 8:32:26 PM
---
 client/client/client/client.cpp | 26 ++++++++++++++++----------
 client/client/client/helper.h | 21 ++++++++++++++++++++-
 client/client/client/utils.h | 24 ------------------------
 3 files changed, 36 insertions(+), 35 deletions(-)
diff --git a/client/client/client/client.cpp b/client/client/client/client.cpp
index d8acc2a..4c4e06b 100644
--- a/client/client/client/client.cpp
+++ b/client/client/client/client.cpp
@@ -29,6 +29,7 @@
 #include "helper.h"
 #define EXPLORER_EXE L"explorer.exe"
+#define PRINT_HEX(x) std::hex << std::setw(8) << std::setfill('0') << std::uppercase << x << std::nouppercase << std::dec
 int main()
 {
@@ -55,6 +56,7 @@ int main()
 std::cout << "[-] Failed to get current process" << std::endl;
 return -1;
 }
+ std::cout << "[+] Current PEPROCESS 0x" << PRINT_HEX(current) << std::endl;
 std::cout << "[>] Getting explorer.exe PEPROCESS..." << std::endl;
 int pid = Utils::Find(EXPLORER_EXE);
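Review bot: The new `PRINT_HEX` macro in the first hunk leaves the stream's fill character set to '0' after every use (`std::setfill` is sticky, unlike `std::setw`), and it pads to only 8 digits although the second hunk applies it to `current`, a 64-bit PEPROCESS value, and later hunks apply it to the target PEPROCESS and base address, so kernel pointers print with a width that depends on their high bits. A small function is safer than a macro here, e.g. `inline std::ostream& print_hex(std::ostream& os, uint64_t v) { return os << std::hex << std::setw(16) << std::setfill('0') << std::uppercase << v << std::nouppercase << std::dec << std::setfill(' '); }`, with 16 only if full-width pointers are wanted. If the macro is kept, at least parenthesise the argument as `(x)` so an expression argument is not split by the surrounding `<<` chain. `setw`/`setfill` come from `<iomanip>`, which the removed lines in the later hunk already relied on, so presumably it is included above this hunk.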
@@ -71,21 +73,25 @@ int main()
 std::cout << "[-] Failed to get explorer.exe PEPROCESS" << std::endl;
 return -1;
 }
+ std::cout << "[+] Target PEPROCESS 0x" << PRINT_HEX(explorer) << std::endl;
- std::cout << "[>] Reading DOS header..." << std::endl;
- uintptr_t baseaddress = Utils::GetModuleBaseAddress(pid, EXPLORER_EXE);
- if (!baseaddress)
+ std::cout << "[>] Getting process base..." << std::endl;
+ uintptr_t baseaddress = Helper::GetSectionBase(explorer);
+ if (!baseaddress)
 {
- std::cout << "[-] Failed to get explorer.exe base address" << std::endl;
+ std::cout << "[-] Failed to get base address" << std::endl;
 return -1;
 }
-
- IMAGE_DOS_HEADER header = { 0 };
+ std::cout << "[+] Explorer.exe base 0x" << PRINT_HEX(baseaddress) << std::endl;
+
+ std::cout << "[>] Reading DOS header..." << std::endl;
+ IMAGE_DOS_HEADER* header = new IMAGE_DOS_HEADER;
 SIZE_T retsize = 0;
- NTSTATUS copystatus = Helper::CopyVirtualMemory(explorer, baseaddress, current, (uintptr_t)&header, sizeof(IMAGE_DOS_HEADER), 0, &retsize);
+ NTSTATUS copystatus = Helper::CopyVirtualMemory(explorer, baseaddress, current, (uintptr_t)header, sizeof(IMAGE_DOS_HEADER), 0, &retsize);
 std::cout << "[+] Test read:" << std::endl;
- std::cout << "\tStatus: " << std::hex << std::setw(8) << std::setfill('0') << std::uppercase << copystatus << std::nouppercase << std::dec << std::endl;
- std::cout << "\tDOS magic: " << header.e_magic << std::endl;
- std::cout << "\tNT offset: " << header.e_lfanew << std::endl;
+ std::cout << "\tStatus: 0x" << PRINT_HEX(copystatus) << std::endl;
+ std::cout << "\tRead: 0x" << PRINT_HEX(retsize) << std::endl;
+ std::cout << "\tDOS magic: 0x" << PRINT_HEX(header->e_magic) << std::endl;
+ std::cout << "\tNT offset: 0x" << PRINT_HEX(header->e_lfanew) << std::endl;
 }
diff --git a/client/client/client/helper.h b/client/client/client/helper.h
index f361ee6..73e1eac 100644
--- a/client/client/client/helper.h
+++ b/client/client/client/helper.h
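Review bot: `IMAGE_DOS_HEADER* header = new IMAGE_DOS_HEADER;` replaces the zero-initialised stack struct with an uninitialised heap object that is never deleted, and the DOS magic and NT offset are printed regardless of `copystatus` and `retsize`, so a failed or short copy now prints indeterminate bytes as if they were header fields. The stack object was already addressable through `(uintptr_t)&header` in the removed line, so the heap allocation does not appear to be needed; a value-initialised local plus a status and byte-count check before the field output keeps the same log format while making failures explicit. An NTSTATUS failure is a negative value, so `copystatus < 0` suffices if `NT_SUCCESS` is not in scope in this translation unit. The start of `main` is outside this hunk.
```cpp
// … unchanged: PEPROCESS lookup and "[+] Explorer.exe base" output …
std::cout << "[>] Reading DOS header..." << std::endl;
IMAGE_DOS_HEADER header{};  // value-initialised: a failed copy leaves zeros, not stale bytes
SIZE_T retsize = 0;
NTSTATUS copystatus = Helper::CopyVirtualMemory(explorer, baseaddress, current, reinterpret_cast<uintptr_t>(&header), sizeof(IMAGE_DOS_HEADER), 0, &retsize);
std::cout << "[+] Test read:" << std::endl;
std::cout << "\tStatus: 0x" << PRINT_HEX(copystatus) << std::endl;
std::cout << "\tRead: 0x" << PRINT_HEX(retsize) << std::endl;
if (copystatus < 0 || retsize != sizeof(IMAGE_DOS_HEADER))  // NTSTATUS failures are negative; also reject a short copy
{
    std::cout << "[-] DOS header read failed or was short, not interpreting fields" << std::endl;
    return -1;
}
std::cout << "\tDOS magic: 0x" << PRINT_HEX(header.e_magic) << std::endl;
std::cout << "\tNT offset: 0x" << PRINT_HEX(header.e_lfanew) << std::endl;
```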
@@ -63,7 +63,26 @@ namespace Helper
 return status;
 }
- NTSTATUS CopyVirtualMemory(uintptr_t sourceprocess,
+ uint64_t GetSectionBase(uintptr_t peprocess)
+ {
+ if (!peprocess)
+ return 0;
+
+ static uint64_t kernel_PsGetProcessSectionBaseAddress = 0;
+
+ if (!kernel_PsGetProcessSectionBaseAddress)
+ kernel_PsGetProcessSectionBaseAddress = Utils::GetKernelModuleExport(Utils::GetKernelModuleAddress("ntoskrnl.exe"), "PsGetProcessSectionBaseAddress");
+
+ uint64_t baseaddr = 0;
+
+ if (!Utils::CallKernelFunction(&baseaddr, kernel_PsGetProcessSectionBaseAddress, peprocess))
+ return 0;
+
+ return baseaddr;
+ }
+
+ NTSTATUS CopyVirtualMemory(
+ uintptr_t sourceprocess,
 uintptr_t sourceaddress,
 uintptr_t destinationprocess,
 uintptr_t destinationaddress,
diff --git a/client/client/client/utils.h b/client/client/client/utils.h
index 96c0b77..5dc6c1e 100644
--- a/client/client/client/utils.h
+++ b/client/client/client/utils.h
@@ -18,30 +18,6 @@ namespace Utils
 CloseHandle(snapshot);
 return 0;
 }
-
- uint64_t GetModuleBaseAddress(uint32_t procId, const wchar_t* modName)
- {
- uintptr_t modBaseAddr = 0;
- HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
- if (hSnap != INVALID_HANDLE_VALUE)
- {
- MODULEENTRY32 modEntry;
- modEntry.dwSize = sizeof(modEntry);
- if (Module32First(hSnap, &modEntry))
- {
- do
- {
- if (!_wcsicmp(modEntry.szModule, modName))
- {
- modBaseAddr = (uintptr_t)modEntry.modBaseAddr;
- break;
- }
- } while (Module32Next(hSnap, &modEntry));
- }
- }
- CloseHandle(hSnap);
- return modBaseAddr;
- }
 uint64_t GetKernelModuleAddress(const std::string& module_name)
 {
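Review bot: `GetSectionBase` passes `kernel_PsGetProcessSectionBaseAddress` to `Utils::CallKernelFunction` even when the export lookup left it at 0, so should `GetKernelModuleExport` fail and return 0 the call is made through a null kernel address; whether `CallKernelFunction` rejects that is not visible here, as its body is outside this hunk. Add `if (!kernel_PsGetProcessSectionBaseAddress) return 0;` directly after the lookup so the function fails closed like its `!peprocess` guard. A short doc comment would also help: it returns the section base for the process object `peprocess`, or 0 on any failure, and caches the resolved export in a function-local static that is written without synchronisation. Since this is a definition in a header inside `namespace Helper`, it should presumably be `inline` to avoid duplicate-symbol errors when helper.h is included from more than one translation unit, unless the neighbouring functions already rely on single-TU inclusion.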