/*!
*
* GRIMREAPER
*
* Austin Hudson
*
* suspicious.actor
*
!*/
#include "Common.h"
/*
 * Table of ntdll heap routines that each function below resolves at
 * runtime through PeGetFuncEat( PebGetModule( ... ) ). The table lives on
 * the caller's stack, is zeroed with RtlSecureZeroMemory before and after
 * use, and each function only fills in the entries it actually calls, so
 * the remaining members stay NULL for the duration of that call.
 */
typedef struct
{
D_API( RtlReAllocateHeap );
D_API( RtlAllocateHeap );
D_API( RtlCompactHeap );
D_API( RtlFreeHeap );
D_API( RtlZeroHeap );
D_API( RtlSizeHeap );
} API ;
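/*!
 *
 * Purpose:
 *
 * Mimics realloc: resizes the heap block at Memory to Length bytes and
 * returns the (possibly relocated) block, or NULL on failure.
 *
 * Parameters:
 *
 * Memory  Block previously returned by MemoryAlloc or MemoryReAlloc.
 * Length  Requested size of the block, in bytes.
 *
 * Returns:
 *
 * The resized block, or NULL if a required ntdll export could not be
 * resolved or RtlReAllocateHeap failed. A failed resize leaves the
 * original block valid and still owned by the caller, as with realloc.
 *
 * NOTE(review): unlike realloc( NULL, n ), a NULL Memory is not
 * special-cased here; use MemoryAlloc for a fresh block.
 *
 * NOTE(review): RtlReAllocateHeap may move the block. This function does
 * not scrub the bytes left at the old address itself; the RtlZeroHeap
 * call is presumably meant to clear free blocks afterwards, but whether
 * it actually does so on the process heap of a given Windows build should
 * be confirmed before relying on it for secret material.
 *
 !*/
D_SEC( B ) PVOID MemoryReAlloc( _In_ PVOID Memory, _In_ SIZE_T Length )
{
	API   Api;
	PVOID Ptr  = NULL;
	PVOID Heap = NULL;

	/* Zero out stack structures */
	RtlSecureZeroMemory( &Api, sizeof( Api ) );

	/* Resolve only the ntdll exports this routine needs */
	Api.RtlReAllocateHeap = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlReAllocateHeap" ) );
	Api.RtlCompactHeap    = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlCompactHeap" ) );
	Api.RtlZeroHeap       = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlZeroHeap" ) );

	/* Fail closed rather than call through a NULL pointer if any lookup failed */
	if ( Api.RtlReAllocateHeap != NULL && Api.RtlCompactHeap != NULL && Api.RtlZeroHeap != NULL ) {
		Heap = NtCurrentPeb()->ProcessHeap;

		/* Resize the block; HEAP_ZERO_MEMORY zero-fills any growth */
		Ptr = Api.RtlReAllocateHeap( Heap, HEAP_ZERO_MEMORY, Memory, Length );

		if ( Ptr != NULL ) {
			/* Ask the heap to zero its free blocks, then compact it */
			Api.RtlZeroHeap( Heap, 0 );
			Api.RtlCompactHeap( Heap, 0 );
		}
	}

	/* Zero out stack structures so the resolved pointers do not linger */
	RtlSecureZeroMemory( &Api, sizeof( Api ) );

	return Ptr;
}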
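/*!
 *
 * Purpose:
 *
 * Mimics malloc: returns a zero-filled block of Length bytes from the
 * process heap, or NULL on failure. Release the block with MemoryFree.
 *
 * Parameters:
 *
 * Length  Requested size of the block, in bytes.
 *
 * Returns:
 *
 * The new block, or NULL if RtlAllocateHeap could not be resolved or the
 * allocation failed.
 *
 !*/
D_SEC( B ) PVOID MemoryAlloc( _In_ SIZE_T Length )
{
	API   Api;
	PVOID Ptr = NULL;

	/* Zero out stack structures */
	RtlSecureZeroMemory( &Api, sizeof( Api ) );

	/* Resolve the one ntdll export this routine needs */
	Api.RtlAllocateHeap = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlAllocateHeap" ) );

	/* Only allocate if the export resolved; never call through NULL */
	if ( Api.RtlAllocateHeap != NULL ) {
		/* HEAP_ZERO_MEMORY hands back an already zeroed block */
		Ptr = Api.RtlAllocateHeap( NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Length );
	}

	/* Zero out stack structures so the resolved pointer does not linger */
	RtlSecureZeroMemory( &Api, sizeof( Api ) );

	return Ptr;
}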
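/*!
 *
 * Purpose:
 *
 * Frees a block obtained from MemoryAlloc or MemoryReAlloc, scrubbing its
 * contents first. A NULL Buffer is a no-op, as with free().
 *
 * Parameters:
 *
 * Buffer  Block to release; must have come from this file's allocators.
 *
 * Behaviour:
 *
 * The block is overwritten with zeros before RtlFreeHeap so its contents
 * do not survive on the free list, then the heap is asked to zero its
 * free blocks and compact itself. If RtlSizeHeap does not recognise the
 * block (it reports (SIZE_T)-1), nothing is freed.
 *
 !*/
D_SEC( B ) VOID MemoryFree( _In_ PVOID Buffer )
{
	API    Api;
	SIZE_T Len  = 0;
	PVOID  Heap = NULL;

	/* Nothing to do for NULL; avoids handing it to RtlSizeHeap at all */
	if ( Buffer == NULL ) {
		return;
	}

	/* Zero out stack structures */
	RtlSecureZeroMemory( &Api, sizeof( Api ) );

	/* Resolve only the ntdll exports this routine needs */
	Api.RtlCompactHeap = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlCompactHeap" ) );
	Api.RtlFreeHeap    = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlFreeHeap" ) );
	Api.RtlZeroHeap    = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlZeroHeap" ) );
	Api.RtlSizeHeap    = PeGetFuncEat( PebGetModule( OBF_HASH_MAKE( "ntdll.dll" ) ), OBF_HASH_MAKE( "RtlSizeHeap" ) );

	/* Fail closed rather than call through a NULL pointer if any lookup failed */
	if ( Api.RtlCompactHeap != NULL && Api.RtlFreeHeap != NULL && Api.RtlZeroHeap != NULL && Api.RtlSizeHeap != NULL ) {
		Heap = NtCurrentPeb()->ProcessHeap;

		/* Look up the usable size of the block; (SIZE_T)-1 means "not a heap block" */
		Len = Api.RtlSizeHeap( Heap, 0, Buffer );

		if ( Len != (SIZE_T)-1 ) {
			/* Scrub with the same non-elidable zeroing primitive used for the stack state, rather than plain memset */
			RtlSecureZeroMemory( Buffer, Len );

			/* Release the block, then ask the heap to zero its free blocks and compact */
			Api.RtlFreeHeap( Heap, 0, Buffer );
			Api.RtlZeroHeap( Heap, 0 );
			Api.RtlCompactHeap( Heap, 0 );
		}
	}

	/* Zero out stack structures so the resolved pointers do not linger */
	RtlSecureZeroMemory( &Api, sizeof( Api ) );
}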