hello I cannot understand why this is leading to when I delete this char buffer that the program is returning heap corruption. I made sure I am calling delete correctly for the correct type. I can only think that maybe ReadProcessMemory is causing problem. Furthermore, I am not sure though why this is happening .
#include "includes.h"
HANDLE pHandle;
//F2 ?? 0F 38 F1 ??
// { 0xF2, 0x48, 0x49, 0x0F, 0x38, 0xF1, 0x1C, 0xC2 }
struct crc32Values {
byte first;
byte skip;
byte skip2;
byte third1;
byte third2;
byte third3;
byte lastskip;
byte lastskip2;
};
HANDLE Cr32Scanner::LaunchSuspendedProcess(char* cmd, PHANDLE ptr_thread) // cleaned up a bit, but no RAII
{
if (ptr_thread == nullptr) return nullptr;
PROCESS_INFORMATION pi;
STARTUPINFOA si{}; // initialize with zeroes.
si.cb = sizeof(STARTUPINFOA);
if (!CreateProcessA(nullptr, cmd, nullptr, nullptr, false, CREATE_SUSPENDED,
nullptr, nullptr, std::addressof(si), std::addressof(pi)))
{
std::cerr << "CreateProcess failed, " << GetLastError() << '\n';
*ptr_thread = nullptr;
return nullptr;
}
*ptr_thread = pi.hThread;
return pi.hProcess;
}
void PrintAddress(unsigned char* value)
{
std::cout << std::hex << value << std::dec;
}
void Cr32Scanner::EnableDebugPriv()
{
HANDLE hToken;
LUID luid;
TOKEN_PRIVILEGES tkp;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = luid;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, false, &tkp, sizeof(tkp), NULL, NULL);
CloseHandle(hToken);
}
void Cr32Scanner::GetVirtuInfo(HANDLE hprocess)
{
MEMORY_BASIC_INFORMATION mbi;
unsigned char* addr = 0;
while (VirtualQueryEx(hprocess, addr, &mbi, sizeof(mbi)))
{
if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS && mbi.Protect != PAGE_GUARD)
{
//std::cout << "base : 0x" << std::hex << mbi.BaseAddress << " end : 0x" << std::hex << (uintptr_t)mbi.BaseAddress + mbi.RegionSize << "\n";
this->InsertNodeAtLastPosition(&this->s_vmap, (uintptr_t)mbi.BaseAddress, (uintptr_t)mbi.BaseAddress + mbi.RegionSize, mbi.RegionSize);
}
addr += mbi.RegionSize;
}
//this->printList(this->s_vmap);
}
//F2 ?? 0F38F1 ?? ??
//F2 48 0F38F1 1C C2
//F2 49 0F38F1 04 C8
//F2 49 0F38F1 0C C0
//F2 48 0F38F1 3C C6
//F2 48 0F38F1 34 C7
//F2 48 0F38F1 3C C3
//F2 48 0F38F1 1C C7
bool found = false;
int main()
{
std::shared_ptr <Cr32Scanner> p_cr32scanner(new Cr32Scanner());
MEMORY_BASIC_INFORMATION MemInfo;
crc32Values s_crc32values = { 0xF2, 0x48, 0x49, 0x0F, 0x38, 0xF1, 0x1C, 0xC2 };
bool Is64Bit = false;
// set current process with admin token
p_cr32scanner->EnableDebugPriv();
char cmd[] = "C:\\Users\\Scd\\Desktop\\Testremmy_patched.exe"; // #notepad.exe"; // note: non-const (writeable array)
HANDLE thread = nullptr;
unsigned char* addr = 0;
std::cout << "Creating Process for " << cmd << std::endl;
HANDLE hprocess = p_cr32scanner->LaunchSuspendedProcess(cmd, std::addressof(thread));
p_cr32scanner->GetVirtuInfo(hprocess);
if (hprocess)
{
//GET NEXT blocks
VirtualAddressMap::vmap *currentNode = p_cr32scanner->s_vmap;
while(currentNode != nullptr){
long long StartAddress = currentNode->StartAddress;
long long EndAddress = currentNode->EndAddress;
size_t MemBlockSize = currentNode->RegionSize;
// CHECK BLOCK SIZES
std::cout << "Start Addr: " << std::hex << currentNode->StartAddress << " EndAddress " << std::hex << currentNode->EndAddress << " BlockSize " << currentNode->RegionSize << std::endl;
char* Buffer = new char[MemBlockSize + 1];
memset(&Buffer[0], 0, MemBlockSize + 1);
if (ReadProcessMemory(hprocess, (LPCVOID)(StartAddress), &Buffer, MemBlockSize, nullptr))
{
printf("[-] Error Occured - Failed to Read Memory. At Address -- 0x%llx 0x%08X \n", StartAddress, GetLastError());
break;
}
for (unsigned int i = 0; i < MemBlockSize; i++) {
if (Buffer[i] == s_crc32values.first) {
if (Buffer[i + 1] == s_crc32values.skip || Buffer[i + 1] == s_crc32values.skip2) {
if (Buffer[i + 2] == s_crc32values.third1) {
if (Buffer[i + 3] == s_crc32values.third2) {
if (Buffer[i + 4] == s_crc32values.third3) {
printf("CRC32 Found! at 0x%llx\n", StartAddress + i);
//found = true;
//break;
}
}
}
}
}
}
currentNode = currentNode->Next;
// crash here.
// delete[] Buffer;
}
std::cout << "press enter to resume process... " && std::cin.get();
ResumeThread(thread);
CloseHandle(thread);
CloseHandle(hprocess);
}
}
if (ReadProcessMemory(hprocess, (LPCVOID)(StartAddress), &Buffer, MemBlockSize, nullptr))
The third parameter to ReadProcessMemory
is supposed to be a pointer to the buffer, not a pointer to the address of the buffer.