GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/byakugan/injectsu/noxheap.c
#include <windows.h>
#include <detours.h>
#define NTSTATUS ULONG
#include "../heapStructs.h"
/* NoxHeapINT(ELLiGENCE) - because heap stupidity means no 0day
 * (or Tenketsu)
 * ------------------------------------------------------------
 * By Lin0xx / Pusscat
 * ------------------------------------------------------------
 * This DLL is intended to be injected into a target
 * application whose heap allocations, reallocations, and frees
 * need to be tracked. The end goal is to report to a
 * visualization server that draws the heap as it is, in real
 * time. That view of the heap can then be diffed against a walk
 * of the heap, starting from the heap base found in the process
 * environment block. Doing this shows how an application is
 * molding the heap, along with the nature of the overflow in
 * question.
 */
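/* NTSTATUS is already defined at the top of this file; the duplicate
 * definition that used to sit here was redundant. */
#define BUFSIZE 4096

/* UNDOCUMENTED HEAP STRUCTURES */

/*
 * Parameter block that RtlCreateHeap accepts as its last argument. This DLL
 * never interprets it: the hook only forwards the pointer to the real
 * RtlCreateHeap and reports it to the server. Only the leading Length field
 * is named; the remaining twelve ULONGs are carried opaquely so the structure
 * keeps the size ntdll expects. Field order and widths must not change, this
 * layout belongs to ntdll, not to us.
 */
typedef struct _RTL_HEAP_DEFINITION {
	ULONG Length;     /* presumably the structure size in bytes; not read here */
	ULONG Unknown1;
	ULONG Unknown2;
	ULONG Unknown3;
	ULONG Unknown4;
	ULONG Unknown5;
	ULONG Unknown6;
	ULONG Unknown7;
	ULONG Unknown8;
	ULONG Unknown9;
	ULONG Unknown10;
	ULONG Unknown11;
	ULONG Unknown12;
} RTL_HEAP_DEFINITION, *PRTL_HEAP_DEFINITION;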
/* Client-side name of the pipe the visualization server listens on. */
LPTSTR lpszPipename = TEXT("\\\\.\\pipe\\tenketsu");
/* Handle to that pipe; opened in DllMain on process attach and written to by
 * every hook below. Zero until then. */
HANDLE hPipe;
/* Pipe read mode applied in DllMain via SetNamedPipeHandleState. */
DWORD dwMode = PIPE_READMODE_MESSAGE;
/* Scratch output for WriteFile in the hooks. NOTE(review): shared by every
 * hook on every thread, so concurrent allocations race on it; nothing reads
 * it back, so the race is benign as long as that stays true. */
DWORD bytesWritten;

/* Functions to be hooked */
/* Trampolines to the real ntdll routines. Detours rewrites each of these to
 * point at the original code once the detour is attached, so the hooks call
 * through them rather than through the export. Resolved in DllMain. */
PVOID (WINAPI *realRtlAllocateHeap)(PVOID heapHandle, ULONG flags, ULONG size);
PVOID (WINAPI *realRtlReallocateHeap)(PVOID heapHandle, ULONG flags, PVOID memoryPointer, ULONG size);
PVOID (WINAPI *realRtlFreeHeap)(PVOID heapHandle, ULONG flags, PVOID memoryPointer);

PVOID (WINAPI *realRtlCreateHeap)(ULONG flags, PVOID base, ULONG reserve, ULONG commit, BOOLEAN lock, PRTL_HEAP_DEFINITION RtlHeapParams);

NTSTATUS (WINAPI *realRtlDestroyHeap)(PVOID heapHandle);
/* Unexported routine: its address is not looked up but read from the pipe in
 * DllMain, and it is only hooked when the server supplies a non-NULL value.
 * NOTE(review): the argument types and WINAPI convention are an assumption
 * about an internal routine's ABI; confirm against symbols. */
PVOID (WINAPI *realRtlpCoalesceFreeBlocks)(PVOID, ULONG, ULONG, ULONG);

/* TO ADD:
* RtlAllocateMemoryBlockLookaside
* RtlpCoalesceFreeBlocks
*/

/* End hooking section */
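/*
 * Detour for ntdll!RtlFreeHeap. Forwards the call to the real routine first,
 * then reports the arguments, the result and the caller's return address to
 * the visualization server over the pipe.
 *
 * heapHandle, flags, memoryPointer: passed through untouched.
 * Returns the real RtlFreeHeap's return value unchanged.
 * NOTE(review): ntdll declares RtlFreeHeap as returning BOOLEAN; PVOID is
 * wider but passes the register through unchanged on x86.
 */
PVOID WINAPI noxRtlFreeHeap(PVOID heapHandle, ULONG flags, PVOID memoryPointer){
	/* Zero-initialised so that padding or any field this hook does not set is
	 * not sent down the pipe with leftover stack contents. */
	struct FreeStruct freeinfo = {0};
	PVOID ret = (*realRtlFreeHeap)(heapHandle, flags, memoryPointer);

	freeinfo.type = FREESTRUCT;
	freeinfo.heapHandle = heapHandle;
	freeinfo.flags = flags;
	freeinfo.memoryPointer = memoryPointer;
	freeinfo.ret = ret;

	/* Return address of our caller, read from the saved frame. x86 only, and
	 * only valid when this function keeps a standard EBP frame (no frame
	 * pointer omission); otherwise [ebp+4] is not the return address. */
	__asm
	{
		push ebx
		mov ebx, [ebp+4]
		mov freeinfo.caller, ebx
		pop ebx
	}

	/* Best-effort telemetry: a failed write must not change the hooked
	 * routine's result, so the status is deliberately not checked. */
	WriteFile(hPipe, &freeinfo, sizeof(struct FreeStruct), &bytesWritten, NULL);

	return ret;
}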
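/*
 * Detour for ntdll!RtlReAllocateHeap. Calls the real routine first, then
 * reports the request, its result and the caller's return address to the
 * visualization server over the pipe.
 *
 * heapHandle, flags, memoryPointer, size: passed through untouched.
 * Returns the real RtlReAllocateHeap's return value unchanged.
 */
PVOID WINAPI noxRtlReallocateHeap(PVOID heapHandle, ULONG flags, PVOID memoryPointer, ULONG size){
	/* Zero-initialised so that padding or any field this hook does not set is
	 * not sent down the pipe with leftover stack contents. */
	struct ReallocateStruct reallocinfo = {0};
	PVOID ret = (*realRtlReallocateHeap)(heapHandle, flags, memoryPointer, size);

	reallocinfo.type = REALLOCATESTRUCT;
	reallocinfo.heapHandle = heapHandle;
	reallocinfo.flags = flags;
	reallocinfo.memoryPointer = memoryPointer;
	reallocinfo.size = size;
	reallocinfo.ret = ret;

	/* Caller's return address from the saved frame. x86 only; requires a
	 * standard EBP frame in this function, otherwise [ebp+4] is wrong. */
	__asm
	{
		push ebx
		mov ebx, [ebp+4]
		mov reallocinfo.caller, ebx
		pop ebx
	}

	/* Best-effort telemetry; the write status must not affect the result. */
	WriteFile(hPipe, &reallocinfo, sizeof(struct ReallocateStruct), &bytesWritten, NULL);

	return ret;
}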
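/*
 * Detour for ntdll!RtlAllocateHeap. Calls the real routine first, then
 * reports the request, the block it returned and the caller's return address
 * to the visualization server over the pipe.
 *
 * heapHandle, flags, size: passed through untouched.
 * Returns the real RtlAllocateHeap's return value unchanged.
 */
PVOID WINAPI noxRtlAllocateHeap(PVOID heapHandle, ULONG flags, ULONG size){
	/* Zero-initialised so that padding or any field this hook does not set is
	 * not sent down the pipe with leftover stack contents. */
	struct AllocateStruct allocinfo = {0};
	PVOID ret = (*realRtlAllocateHeap)(heapHandle, flags, size);

	allocinfo.type = ALLOCATESTRUCT;
	allocinfo.heapHandle = heapHandle;
	allocinfo.flags = flags;
	allocinfo.size = size;
	allocinfo.ret = ret;

	/* Caller's return address from the saved frame. x86 only; requires a
	 * standard EBP frame in this function, otherwise [ebp+4] is wrong. */
	__asm
	{
		push ebx
		mov ebx, [ebp+4]
		mov allocinfo.caller, ebx
		pop ebx
	}

	/* Best-effort telemetry; the write status must not affect the result.
	 * NOTE(review): if WriteFile ever allocated from the process heap this
	 * hook would re-enter itself; nothing guards against that today. */
	WriteFile(hPipe, &allocinfo, sizeof(struct AllocateStruct), &bytesWritten, NULL);

	return ret;
}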
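/*
 * Detour for ntdll!RtlCreateHeap. Calls the real routine first, then reports
 * every argument and the new heap handle to the visualization server. Unlike
 * the allocation hooks, no return-address capture is done here.
 *
 * All parameters are passed through untouched; RtlHeapParams is forwarded as
 * a pointer and never dereferenced by this DLL.
 * Returns the real RtlCreateHeap's return value unchanged.
 */
PVOID WINAPI noxRtlCreateHeap( ULONG flags,
	PVOID base,
	ULONG reserve,
	ULONG commit,
	BOOLEAN lock,
	PRTL_HEAP_DEFINITION RtlHeapParams) {
	/* Zero-initialised so that padding or any field this hook does not set is
	 * not sent down the pipe with leftover stack contents. */
	struct CreateStruct createinfo = {0};
	PVOID ret = (*realRtlCreateHeap)(flags, base, reserve, commit, lock, RtlHeapParams);

	createinfo.type = CREATESTRUCT;
	createinfo.flags = flags;
	createinfo.base = base;
	createinfo.reserve = reserve;
	createinfo.commit = commit;
	createinfo.lock = lock;
	createinfo.RtlHeapParams = RtlHeapParams;
	createinfo.ret = ret;

	/* Best-effort telemetry; the write status must not affect the result. */
	WriteFile(hPipe, &createinfo, sizeof(struct CreateStruct), &bytesWritten, NULL);

	return ret;
}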
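/*
 * Detour for ntdll!RtlDestroyHeap. Calls the real routine first, then reports
 * the handle and the status to the visualization server. No return-address
 * capture, unlike the allocation hooks.
 *
 * heapHandle: passed through untouched.
 * Returns the real RtlDestroyHeap's status unchanged.
 */
NTSTATUS WINAPI noxRtlDestroyHeap(PVOID heapHandle) {
	/* Zero-initialised so that padding or any field this hook does not set is
	 * not sent down the pipe with leftover stack contents. */
	struct DestroyStruct destroyinfo = {0};
	NTSTATUS ret = (*realRtlDestroyHeap)(heapHandle);

	destroyinfo.type = DESTROYSTRUCT;
	destroyinfo.heapHandle = heapHandle;
	destroyinfo.ret = ret;

	/* Best-effort telemetry; the write status must not affect the result. */
	WriteFile(hPipe, &destroyinfo, sizeof(struct DestroyStruct), &bytesWritten, NULL);

	return ret;
}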
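/*
 * PLACEHOLDER detour for the unexported ntdll!RtlpCoalesceFreeBlocks. It is
 * only attached when the server supplies the routine's address (see DllMain).
 * The record is sent before the real routine runs, so no result is reported;
 * the real routine is then called with the arguments unchanged and its value
 * returned.
 *
 * NOTE(review): the parameter list and the WINAPI convention are an
 * assumption about an internal routine's ABI, which is why this remains a
 * placeholder; confirm both against symbols before relying on arg2..arg4.
 */
PVOID WINAPI noxRtlpCoalesceFreeBlocks(PVOID heapHandle, ULONG arg2, ULONG arg3, ULONG arg4) {
	/* Zero-initialised so that padding or any field this hook does not set is
	 * not sent down the pipe with leftover stack contents. */
	struct CoalesceStruct coalesceinfo = {0};

	coalesceinfo.type = COALESCESTRUCT;
	coalesceinfo.heapHandle = heapHandle;
	coalesceinfo.arg2 = arg2;
	coalesceinfo.arg3 = arg3;
	coalesceinfo.arg4 = arg4;

	/* Best-effort telemetry, sent before the real routine runs. */
	WriteFile(hPipe, &coalesceinfo, sizeof(struct CoalesceStruct), &bytesWritten, NULL);

	return (*realRtlpCoalesceFreeBlocks)(heapHandle, arg2, arg3, arg4);
}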
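/* Records whether the optional RtlpCoalesceFreeBlocks detour was actually
 * attached, so the detach path removes exactly what attach installed. It used
 * to be attached but never detached, which leaves ntdll jumping into this
 * DLL's image after the DLL is unloaded. */
static BOOL coalesceHooked = FALSE;

/* Resolve the exported ntdll heap routines and queue a detour for each. */
static void noxQueueHeapHooks(void)
{
	/* There's no other way to find these addresses than dynamically */
	realRtlAllocateHeap = DetourFindFunction("ntdll.dll", "RtlAllocateHeap");
	realRtlReallocateHeap = DetourFindFunction("ntdll.dll", "RtlReAllocateHeap");
	realRtlFreeHeap = DetourFindFunction("ntdll.dll", "RtlFreeHeap");
	realRtlCreateHeap = DetourFindFunction("ntdll.dll", "RtlCreateHeap");
	realRtlDestroyHeap = DetourFindFunction("ntdll.dll", "RtlDestroyHeap");

	/* Start hooking. Detours wants the address of the pointer variable; the
	 * explicit (PVOID *) cast is standard C, unlike taking the address of a
	 * cast expression. */
	DetourAttach((PVOID *)&realRtlAllocateHeap, noxRtlAllocateHeap);
	DetourAttach((PVOID *)&realRtlReallocateHeap, noxRtlReallocateHeap);
	DetourAttach((PVOID *)&realRtlFreeHeap, noxRtlFreeHeap);
	DetourAttach((PVOID *)&realRtlCreateHeap, noxRtlCreateHeap);
	DetourAttach((PVOID *)&realRtlDestroyHeap, noxRtlDestroyHeap);
}

/* Queue removal of every detour that the attach path installed. */
static void noxQueueHeapUnhooks(void)
{
	/* Start unhooking */
	DetourDetach((PVOID *)&realRtlAllocateHeap, noxRtlAllocateHeap);
	DetourDetach((PVOID *)&realRtlReallocateHeap, noxRtlReallocateHeap);
	DetourDetach((PVOID *)&realRtlFreeHeap, noxRtlFreeHeap);
	DetourDetach((PVOID *)&realRtlCreateHeap, noxRtlCreateHeap);
	DetourDetach((PVOID *)&realRtlDestroyHeap, noxRtlDestroyHeap);

	/* The optional hook is only detached if it was really attached. */
	if (coalesceHooked) {
		DetourDetach((PVOID *)&realRtlpCoalesceFreeBlocks, noxRtlpCoalesceFreeBlocks);
		coalesceHooked = FALSE;
	}
}

/* Open the client end of the server's pipe and switch it to message mode. */
static void noxOpenPipe(void)
{
	hPipe = CreateFile( lpszPipename,
		GENERIC_READ | GENERIC_WRITE,
		0,
		NULL,
		OPEN_EXISTING,
		0,
		NULL);

	if (hPipe == INVALID_HANDLE_VALUE) {
		/* The tool is meant to run under a debugger: break so the operator
		 * sees the server is not listening, instead of silently tracing into
		 * a dead handle. Outside a debugger this breakpoint is normally fatal
		 * to the process. A retry loop with WaitNamedPipe was left disabled
		 * by the author. */
		__asm {int 3}
	}

	SetNamedPipeHandleState(hPipe, &dwMode, NULL, NULL);
}

/* Ask the server for the address of the unexported RtlpCoalesceFreeBlocks
 * (only available if the debugger has symbols) and queue its detour. */
static void noxQueueCoalesceHook(void)
{
	DWORD bytesRead = 0;
	BOOL ok;

	/* The server sends one raw pointer. Read exactly a pointer's worth so the
	 * size follows the build instead of a hard-coded 4 (identical on x86,
	 * the only target the inline asm in the hooks supports anyway). */
	ok = ReadFile( hPipe,
		&realRtlpCoalesceFreeBlocks,
		sizeof realRtlpCoalesceFreeBlocks,
		&bytesRead,
		NULL);

	/* A failed or short read must not leave a half-written pointer behind
	 * that then becomes a detour target. */
	if (!ok || bytesRead != sizeof realRtlpCoalesceFreeBlocks) {
		realRtlpCoalesceFreeBlocks = NULL;
		return;
	}

	/* NOTE(review): the address is used as received; what makes that
	 * acceptable is that the peer is the tool's own local server. A NULL
	 * value presumably means the server has no symbols for the routine. */
	if (realRtlpCoalesceFreeBlocks != NULL &&
	    DetourAttach((PVOID *)&realRtlpCoalesceFreeBlocks, noxRtlpCoalesceFreeBlocks) == NO_ERROR) {
		coalesceHooked = TRUE;
	}
}

/*
 * DLL entry point. On process attach it installs the heap detours inside one
 * Detours transaction, connects to the visualization server's pipe and, if
 * the server can name it, hooks RtlpCoalesceFreeBlocks too. On process detach
 * the same detours are removed. Thread attach/detach are ignored.
 *
 * Always returns TRUE; a missing server is signalled with a breakpoint rather
 * than a failed load (see noxOpenPipe).
 *
 * NOTE(review): the pipe is opened and read from inside DllMain, i.e. while
 * the loader lock is held, as in the original; the server must answer
 * promptly or the injected process stalls in its loader.
 */
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD attachReason, LPVOID reserved) {
	(void)hInstance;
	(void)reserved;

	if(attachReason == DLL_PROCESS_ATTACH){
		DetourTransactionBegin();
		DetourUpdateThread(GetCurrentThread());

		noxQueueHeapHooks();
		noxOpenPipe();
		noxQueueCoalesceHook();

		DetourTransactionCommit();
	}

	if(attachReason == DLL_PROCESS_DETACH){
		DetourTransactionBegin();
		DetourUpdateThread(GetCurrentThread());

		noxQueueHeapUnhooks();

		DetourTransactionCommit();
	}

	return TRUE;
}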