blackbone's Issues

Can't build the project

Hi All

I downloaded the entire repo and used Visual Studio 2013 to build the project, but I can't because of this error:

Error 3 error C1083: Cannot open include file: 'atlbase.h': No such file or directory

Are there any build instructions out there?

Thanks in advance

Conceal memory bug

Pages allocated using the 'Conceal memory' manual map option aren't preserved if the driver is unloaded before the target process is terminated.

Help! Hooking by memory address

Ok so it's time for my next question (sorry! it's probably stupid).

I am manually mapping a DLL into a remote process; this works fine and all is well. However, I am trying to detour a function with a known, static address. According to the disassembly in IDA Pro, it has this function signature:
int function1()
The way I'm trying to detour it is like this:

int HK() {
...
}

...

typedef int hook1();
Detour<decltype(hook1)> detour1;
ptr_t addr = 0x12345;
hook1* t = (hook1*)addr;
detour1.Hook(t, &HK, HookType::Inline, CallOrder::HookFirst, ReturnMethod::UseOriginal);

When I do this, however, the hook is never applied: no bytes are changed, and HK is never called. This happens using all combinations of HookType and CallOrder. I don't know what is going wrong, to be honest (C++ is not what I usually use, so it's possible I'm missing something really simple here). I am also checking that the page protection is correct, and Hook is returning true, which I assume means it thinks it has been correctly applied?

I'm going to stick with manually writing bytes for now but it would be awesome if you could point me in the direction of what is going wrong.

Cheers

Using BlackBone in Node.js

Hello

I'm trying to use BlackBone in Node.js so I can use BlackBone in a JavaScript environment, and then I'll add support to my library Craziness.js (https://github.com/karliky/CrazinessJS).

I'm using cmake-js (https://github.com/unbornchikken/cmake-js) in order to build the project, as Node.js uses node-gyp instead of cmake-js.

Here is my CMakeLists.txt updated with the cmake-js requirements:

cmake_minimum_required (VERSION 2.8)
project (BlackBone)

include_directories(../../Contrib)
include_directories(${CMAKE_JS_INC})
add_definitions(-DBLACKBONE_STATIC)

##########################################################
set(SOURCE_ASMJIT   ../../contrib/asmjit/base/assembler.cpp
                    ../../contrib/Asmjit/base/codegen.cpp
                    ../../contrib/Asmjit/base/constpool.cpp
                    ../../contrib/Asmjit/base/containers.cpp
                    ../../contrib/Asmjit/base/cpuinfo.cpp
                    ../../contrib/Asmjit/base/cputicks.cpp
                    ../../contrib/Asmjit/base/error.cpp
                    ../../contrib/Asmjit/base/globals.cpp
                    ../../contrib/Asmjit/base/operand.cpp
                    ../../contrib/Asmjit/base/runtime.cpp
                    ../../contrib/Asmjit/base/string.cpp
                    ../../contrib/Asmjit/base/vmem.cpp
                    ../../contrib/Asmjit/base/zone.cpp
                    ../../contrib/Asmjit/x86/x86assembler.cpp
                    ../../contrib/Asmjit/x86/x86cpuinfo.cpp
                    ../../contrib/Asmjit/x86/x86inst.cpp
                    ../../contrib/Asmjit/x86/x86operand.cpp
                    ../../contrib/Asmjit/x86/x86operand_regs.cpp)

set (HEADER_ASMJIT  ../../contrib/Asmjit/apibegin.h
                    ../../contrib/Asmjit/apiend.h
                    ../../contrib/Asmjit/asmjit.h
                    ../../contrib/Asmjit/base.h
                    ../../contrib/Asmjit/build.h
                    ../../contrib/Asmjit/config.h
                    ../../contrib/Asmjit/host.h
                    ../../contrib/Asmjit/x86.h
                    ../../contrib/Asmjit/base/assembler.h
                    ../../contrib/Asmjit/base/codegen.h
                    ../../contrib/Asmjit/base/compiler.h
                    ../../contrib/Asmjit/base/constpool.h
                    ../../contrib/Asmjit/base/containers.h
                    ../../contrib/Asmjit/base/context_p.h
                    ../../contrib/Asmjit/base/cpuinfo.h
                    ../../contrib/Asmjit/base/cputicks.h
                    ../../contrib/Asmjit/base/error.h
                    ../../contrib/Asmjit/base/globals.h
                    ../../contrib/Asmjit/base/intutil.h
                    ../../contrib/Asmjit/base/lock.h
                    ../../contrib/Asmjit/base/logger.h
                    ../../contrib/Asmjit/base/operand.h
                    ../../contrib/Asmjit/base/runtime.h
                    ../../contrib/Asmjit/base/string.h
                    ../../contrib/Asmjit/base/vectypes.h
                    ../../contrib/Asmjit/base/vmem.h
                    ../../contrib/Asmjit/base/zone.h
                    ../../contrib/Asmjit/x86/x86assembler.h
                    ../../contrib/Asmjit/x86/x86compiler.h
                    ../../contrib/Asmjit/x86/x86context_p.h
                    ../../contrib/Asmjit/x86/x86cpuinfo.h
                    ../../contrib/Asmjit/x86/x86inst.h
                    ../../contrib/Asmjit/x86/x86operand.h
                    ../../contrib/Asmjit/x86/x86scheduler_p.h)

FILE(GLOB AsmJit ${SOURCE_ASMJIT} ${HEADER_ASMJIT})
source_group(AsmJit\\Core FILES ${AsmJit})

##########################################################
set(SOURCE_HELPERS  Asm/AsmHelper32.cpp
                    Asm/AsmHelper64.cpp
                    Asm/LDasm.c)

set(HEADER_HELPERS  Asm/AsmHelper.h
                    Asm/AsmHelper32.h
                    Asm/AsmHelper64.h
                    Asm/AsmHelperBase.h
                    Asm/AsmStack.hpp
                    Asm/AsmVariant.hpp
                    Asm/LDasm.h)

FILE(GLOB AsmJitHelpers ${SOURCE_HELPERS} ${HEADER_HELPERS})
source_group(AsmJit\\Helpers FILES ${AsmJitHelpers})

##########################################################
set(SOURCE_DRV      DriverControl/DriverControl.cpp)
set(HEADER_DRV      DriverControl/DriverControl.h)

FILE(GLOB DriverControl ${SOURCE_DRV} ${HEADER_DRV})
source_group(DriverControl FILES ${DriverControl})

##########################################################
set(HEADER_INCLUDE  Include/FunctionTypes.h
                    Include/Macro.h
                    Include/NativeStructures.h
                    Include/Types.h
                    Include/Win7Specific.h
                    Include/Win8Specific.h
                    Include/Winheaders.h
                    Include/WinXPSpecific.h)

FILE(GLOB Include ${HEADER_INCLUDE})
source_group(Include FILES ${Include})

##########################################################
set(SOURCE_LOCALHK  LocalHook/LocalHookBase.cpp
                    LocalHook/TraceHook.cpp)

set(HEADER_LOCALHK  LocalHook/HookHandlerCdecl.h
                    LocalHook/HookHandlerFastcall.h
                    LocalHook/HookHandlers.h
                    LocalHook/HookHandlerStdcall.h
                    LocalHook/HookHandlerThiscall.h
                    LocalHook/LocalHook.hpp
                    LocalHook/LocalHookBase.h
                    LocalHook/TraceHook.h
                    LocalHook/VTableHook.hpp)

FILE(GLOB LocalHook ${SOURCE_LOCALHK} ${HEADER_LOCALHK})
source_group(LocalHook FILES ${LocalHook})

##########################################################
set(SOURCE_MMAP     ManualMap/MExcept.cpp
                    ManualMap/MMap.cpp
                    ManualMap/Native/NtLoader.cpp)

set(HEADER_MMAP     ManualMap/MExcept.h
                    ManualMap/MMap.h
                    ManualMap/Native/NtLoader.h)

FILE(GLOB ManualMap ${SOURCE_MMAP} ${HEADER_MMAP})
source_group(ManualMap FILES ${ManualMap})

##########################################################
set(SOURCE_MISC     Misc/DynImport.cpp
                    Misc/NameResolve.cpp
                    Misc/Utils.cpp)

set(HEADER_MISC     Misc/DynImport.h
                    Misc/NameResolve.h
                    Misc/Thunk.hpp
                    Misc/Trace.hpp
                    Misc/Utils.h)

FILE(GLOB Misc ${SOURCE_MISC} ${HEADER_MISC})
source_group(Misc FILES ${Misc})

##########################################################
set(SOURCE_PATTERN  Patterns/PatternSearch.cpp)
set(HEADER_PATTERN  Patterns/PatternSearch.h)

FILE(GLOB Patterns ${SOURCE_PATTERN} ${HEADER_PATTERN})
source_group(Patterns FILES ${Patterns})

##########################################################
set(SOURCE_PE       PE/ImageNET.cpp PE/PEImage.cpp)
set(HEADER_PE       PE/ImageNET.h   PE/PEImage.h)

FILE(GLOB PE ${SOURCE_PE} ${HEADER_PE})
source_group(PE FILES ${PE})

##########################################################
set(SOURCE_PROCESS  Process/MemBlock.cpp
                    Process/Process.cpp
                    Process/ProcessCore.cpp
                    Process/ProcessMemory.cpp
                    Process/ProcessModules.cpp)

set(HEADER_PROCESS  Process/MemBlock.h
                    Process/Process.h
                    Process/ProcessCore.h
                    Process/ProcessMemory.h
                    Process/ProcessModules.h)

FILE(GLOB Process ${SOURCE_PROCESS} ${HEADER_PROCESS})
source_group(Process FILES ${Process})

##########################################################
set(SOURCE_RPC      Process/RPC/RemoteExec.cpp
                    Process/RPC/RemoteHook.cpp
                    Process/RPC/RemoteLocalHook.cpp
                    Process/RPC/RemoteMemory.cpp)

set(HEADER_RPC      Process/RPC/RemoteContext.hpp
                    Process/RPC/RemoteExec.h
                    Process/RPC/RemoteFunction.hpp
                    Process/RPC/RemoteHook.h
                    Process/RPC/RemoteLocalHook.h
                    Process/RPC/RemoteMemory.h)

FILE(GLOB RPC ${SOURCE_RPC} ${HEADER_RPC})
source_group(Process\\Remote FILES ${RPC})

##########################################################
set(SOURCE_THREADS  Process/Threads/Thread.cpp Process/Threads/Threads.cpp)
set(HEADER_THREADS  Process/Threads/Thread.h   Process/Threads/Threads.h)

FILE(GLOB Threads ${SOURCE_THREADS} ${HEADER_THREADS})
source_group(Process\\Threads FILES ${Threads})

##########################################################
set(SOURCE_ADDON  addon/addon.cc addon/addon.cc)
set(SOURCE_ADDON  addon/async.cc addon/async.cc)
set(HEADER_ADDON  addon/async.h   addon/async.h)
set(SOURCE_ADDON  addon/sync.cc addon/sync.cc)
set(HEADER_ADDON  addon/sync.h   addon/sync.h)

FILE(GLOB Addon ${SOURCE_ADDON} ${HEADER_ADDON})
source_group(Addon FILES ${Addon})

##########################################################
set(SOURCE_SUB      Subsystem/NativeSubsystem.cpp
                    Subsystem/Wow64Local.cpp
                    Subsystem/Wow64Subsystem.cpp
                    Subsystem/x86Subsystem.cpp)

set(HEADER_SUB      Subsystem/NativeSubsystem.h
                    Subsystem/Wow64Local.h
                    Subsystem/Wow64Subsystem.h
                    Subsystem/x86Subsystem.h)

FILE(GLOB Subsystem ${SOURCE_SUB} ${HEADER_SUB})
source_group(Subsystem FILES ${Subsystem})

##########################################################
set (HEADER_MAIN    Config.h )

##########################################################
set(SOURCE_LIB      ${SOURCE_ASMJIT}
                    ${SOURCE_HELPERS}
                    ${SOURCE_DRV}
                    ${SOURCE_LOCALHK}
                    ${SOURCE_MMAP}
                    ${SOURCE_MISC}
                    ${SOURCE_PATTERN}
                    ${SOURCE_PE}
                    ${SOURCE_PROCESS}
                    ${SOURCE_RPC}
                    ${SOURCE_THREADS}
                    ${SOURCE_ADDON}
                    ${SOURCE_SUB})

set(HEADER_LIB      ${HEADER_ASMJIT}
                    ${HEADER_HELPERS}
                    ${HEADER_DRV}
                    ${HEADER_INCLUDE}
                    ${HEADER_LOCALHK}
                    ${HEADER_MMAP}
                    ${HEADER_MISC}
                    ${HEADER_PATTERN}
                    ${HEADER_PE}
                    ${HEADER_PROCESS}
                    ${HEADER_RPC}
                    ${HEADER_THREADS}
                    ${HEADER_ADDON}
                    ${HEADER_SUB}
                    ${HEADER_MAIN})

add_library("BlackBone" SHARED ${SOURCE_LIB} ${HEADER_LIB})

# This line will give our library file a .node extension without any "lib" prefix
set_target_properties(BlackBone PROPERTIES PREFIX "" SUFFIX ".node")

# Essential library files to link to a node addon,
# you should add this line in every CMake.js based project.
target_link_libraries(BlackBone ${CMAKE_JS_LIB})

I think that the problem occurs when building the project as a SHARED library instead of STATIC, and this is a Node.js requirement, so I can't use it as STATIC.

Here is the error I get when trying to build the library:

C:\Users\WobCraft\Documents\node\test>npm install
npm WARN package.json [email protected] No description
npm WARN package.json [email protected] No repository field.
npm WARN package.json [email protected] No README data
-
> [email protected] install C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node
> cmake-js rebuild

info CFG Applying CMake.js config from root package.json:
info CFG {"arch":"ia32"}
info CMD CLEAN
info RUN cmake -E remove_directory "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build"
info CMD CONFIGURE
info RUN cmake "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node" --no-warn-unused-cli -DCMAKE_BUILD_TYPE="Release" -DCMAKE_JS_INC="C:\Users\WobCraft\.cmake-js\node-ia32\v0.12.7\src;C:\Users\WobCraft\.cmake-js\node-ia32\v0.12.7\deps\v8\include;C:\Users\WobCraft\.cmake-js\node-ia32\v0.12.7\deps\uv\include;C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\node_modules\nan" -DNODE_RUNTIME="node" -DNODE_RUNTIMEVERSION="0.12.7" -DNODE_ARCH="ia32" -DCMAKE_JS_LIB="C:\Users\WobCraft\.cmake-js\node-ia32\v0.12.7\node.lib" -DCMAKE_SHARED_LINKER_FLAGS="/SAFESEH:NO"
Not searching for unused variables given on the command line.
-- Building for: Visual Studio 12 2013
-- The C compiler identification is MSVC 18.0.40629.0
-- The CXX compiler identification is MSVC 18.0.40629.0
-- Check for working C compiler using: Visual Studio 12 2013
-- Check for working C compiler using: Visual Studio 12 2013 -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working CXX compiler using: Visual Studio 12 2013
-- Check for working CXX compiler using: Visual Studio 12 2013 -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: C:/Users/WobCraft/Documents/node/test/node_modules/blackbone-node/build
info CMD BUILD
info RUN cmake --build "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build" --config Release
Microsoft (R) Build Engine, versión 12.0.40629.0
[Microsoft .NET Framework, versión 4.0.30319.42000]
Copyright (C) Microsoft Corporation. Todos los derechos reservados.

Compilación iniciada a las 08/08/2015 10:05:27.
Proyecto "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\ALL_BUILD.vcxproj" en nodo 1 (destino
s predeterminados).
El proyecto "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\ALL_BUILD.vcxproj" (1) está compil
ando "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\src\BlackBone\BlackBone.vcxproj" (2) en e
l nodo 1 (destinos predeterminados).
El proyecto "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\src\BlackBone\BlackBone.vcxproj" (
2) está compilando "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\ZERO_CHECK.vcxproj" (3) en
el nodo 1 (destinos predeterminados).
PrepareForBuild:
  Creando directorio "Win32\Release\ZERO_CHECK\".
  Creando directorio "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\Release\".
  Creando directorio "Win32\Release\ZERO_CHECK\ZERO_CHECK.tlog\".
InitializeBuildStatus:
  Se creará "Win32\Release\ZERO_CHECK\ZERO_CHECK.tlog\unsuccessfulbuild" porque se especificó "AlwaysCreate".
CustomBuild:
  Checking Build System
  CMake does not need to re-run because C:/Users/WobCraft/Documents/node/test/node_modules/blackbone-node/build/CMakeFi
  les/generate.stamp is up-to-date.
  CMake does not need to re-run because C:/Users/WobCraft/Documents/node/test/node_modules/blackbone-node/build/src/CMa
  keFiles/generate.stamp is up-to-date.
  CMake does not need to re-run because C:/Users/WobCraft/Documents/node/test/node_modules/blackbone-node/build/src/Bla
  ckBone/CMakeFiles/generate.stamp is up-to-date.
FinalizeBuildStatus:
  Se eliminará el archivo "Win32\Release\ZERO_CHECK\ZERO_CHECK.tlog\unsuccessfulbuild".
  Aplicando tarea Touch a "Win32\Release\ZERO_CHECK\ZERO_CHECK.tlog\ZERO_CHECK.lastbuildstate".
Compilación del proyecto terminada "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\ZERO_CHECK.
vcxproj" (destinos predeterminados).

PrepareForBuild:
  Creando directorio "BlackBone.dir\Release\".
  Creando directorio "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\src\BlackBone\Release\".
  Creando directorio "BlackBone.dir\Release\BlackBone.tlog\".
InitializeBuildStatus:
  Se creará "BlackBone.dir\Release\BlackBone.tlog\unsuccessfulbuild" porque se especificó "AlwaysCreate".
CustomBuild:
  Building Custom Rule C:/Users/WobCraft/Documents/node/test/node_modules/blackbone-node/src/BlackBone/CMakeLists.txt
  CMake does not need to re-run because C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\src\Bla
  ckBone\CMakeFiles\generate.stamp is up-to-date.
ClCompile:
  C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\CL.exe /c /I"C:\Users\WobCraft\Documents\node\test\node_mo
  dules\blackbone-node\src\BlackBone\..\..\Contrib" /I"C:\Users\WobCraft\.cmake-js\node-ia32\v0.12.7\src" /I"C:\Users\W
  obCraft\.cmake-js\node-ia32\v0.12.7\deps\v8\include" /I"C:\Users\WobCraft\.cmake-js\node-ia32\v0.12.7\deps\uv\include
  " /I"C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\node_modules\nan" /nologo /W3 /WX- /O2 /Ob2 /O
  y- /D WIN32 /D _WINDOWS /D NDEBUG /D BLACKBONE_STATIC /D "CMAKE_INTDIR=\"Release\"" /D BlackBone_EXPORTS /D _WINDLL /
  D _MBCS /Gm- /EHsc /MD /GS /fp:precise /Zc:wchar_t /Zc:forScope /GR /Fo"BlackBone.dir\Release\\" /Fd"BlackBone.dir\Re
  lease\vc120.pdb" /Gd /TP /analyze- /errorReport:queue "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-n
  ode\contrib\AsmJit\base\assembler.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\contrib\Asm
  Jit\base\codegen.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\contrib\AsmJit\base\constpoo
  l.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\contrib\AsmJit\base\containers.cpp" "C:\Use
  rs\WobCraft\Documents\node\test\node_modules\blackbone-node\contrib\AsmJit\base\cpuinfo.cpp" "C:\Users\WobCraft\Docum
  ents\node\test\node_modules\blackbone-node\contrib\AsmJit\base\cputicks.cpp" "C:\Users\WobCraft\Documents\node\test\n
  ode_modules\blackbone-node\contrib\AsmJit\base\error.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbo
  ne-node\contrib\AsmJit\base\globals.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\contrib\A
  smJit\base\operand.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\contrib\AsmJit\base\runtim
  e.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\contrib\AsmJit\base\string.cpp" "C:\Users\W
  obCraft\Documents\node\test\node_modules\blackbone-node\contrib\AsmJit\base\vmem.cpp" "C:\Users\WobCraft\Documents\no
  de\test\node_modules\blackbone-node\contrib\AsmJit\base\zone.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules
  \blackbone-node\contrib\AsmJit\x86\x86assembler.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-no
  de\contrib\AsmJit\x86\x86cpuinfo.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\contrib\AsmJ
  it\x86\x86inst.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\contrib\AsmJit\x86\x86operand.
  cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\contrib\AsmJit\x86\x86operand_regs.cpp" "C:\U
  sers\WobCraft\Documents\node\test\node_modules\blackbone-node\src\BlackBone\Asm\AsmHelper32.cpp" "C:\Users\WobCraft\D
  ocuments\node\test\node_modules\blackbone-node\src\BlackBone\Asm\AsmHelper64.cpp" "C:\Users\WobCraft\Documents\node\t
  est\node_modules\blackbone-node\src\BlackBone\DriverControl\DriverControl.cpp" "C:\Users\WobCraft\Documents\node\test
  \node_modules\blackbone-node\src\BlackBone\LocalHook\LocalHookBase.cpp" "C:\Users\WobCraft\Documents\node\test\node_m
  odules\blackbone-node\src\BlackBone\LocalHook\TraceHook.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blac
  kbone-node\src\BlackBone\ManualMap\MExcept.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\sr
  c\BlackBone\ManualMap\MMap.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src\BlackBone\Manu
  alMap\Native\NtLoader.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src\BlackBone\Misc\DynI
  mport.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src\BlackBone\Misc\NameResolve.cpp" "C:
  \Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src\BlackBone\Misc\Utils.cpp" "C:\Users\WobCraft\Docu
  ments\node\test\node_modules\blackbone-node\src\BlackBone\Patterns\PatternSearch.cpp" "C:\Users\WobCraft\Documents\no
  de\test\node_modules\blackbone-node\src\BlackBone\PE\ImageNET.cpp" "C:\Users\WobCraft\Documents\node\test\node_module
  s\blackbone-node\src\BlackBone\PE\PEImage.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src
  \BlackBone\Process\MemBlock.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src\BlackBone\Pro
  cess\Process.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src\BlackBone\Process\ProcessCor
  e.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src\BlackBone\Process\ProcessMemory.cpp" "C
  :\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src\BlackBone\Process\ProcessModules.cpp" "C:\Users\
  WobCraft\Documents\node\test\node_modules\blackbone-node\src\BlackBone\Process\RPC\RemoteExec.cpp" "C:\Users\WobCraft
  \Documents\node\test\node_modules\blackbone-node\src\BlackBone\Process\RPC\RemoteHook.cpp" "C:\Users\WobCraft\Documen
  ts\node\test\node_modules\blackbone-node\src\BlackBone\Process\RPC\RemoteLocalHook.cpp" "C:\Users\WobCraft\Documents\
  node\test\node_modules\blackbone-node\src\BlackBone\Process\RPC\RemoteMemory.cpp" "C:\Users\WobCraft\Documents\node\t
  est\node_modules\blackbone-node\src\BlackBone\Process\Threads\Thread.cpp" "C:\Users\WobCraft\Documents\node\test\node
  _modules\blackbone-node\src\BlackBone\Process\Threads\Threads.cpp" "C:\Users\WobCraft\Documents\node\test\node_module
  s\blackbone-node\src\BlackBone\addon\sync.cc" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src\
  BlackBone\Subsystem\NativeSubsystem.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src\Black
  Bone\Subsystem\Wow64Local.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src\BlackBone\Subsy
  stem\Wow64Subsystem.cpp" "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\src\BlackBone\Subsystem\x
  86Subsystem.cpp"
  assembler.cpp
  codegen.cpp
  constpool.cpp
  containers.cpp
  cpuinfo.cpp
  cputicks.cpp
  error.cpp
  globals.cpp
  operand.cpp
  runtime.cpp
  string.cpp
  vmem.cpp
  zone.cpp
  x86assembler.cpp
  x86cpuinfo.cpp
  x86inst.cpp
  x86operand.cpp
  x86operand_regs.cpp
  AsmHelper32.cpp
  AsmHelper64.cpp
  Generating Code...
  Compiling...
  DriverControl.cpp
  LocalHookBase.cpp
  TraceHook.cpp
  MExcept.cpp
  MMap.cpp
  NtLoader.cpp
  DynImport.cpp
  NameResolve.cpp
  Utils.cpp
  PatternSearch.cpp
  ImageNET.cpp
  PEImage.cpp
  MemBlock.cpp
  Process.cpp
  ProcessCore.cpp
  ProcessMemory.cpp
  ProcessModules.cpp
  RemoteExec.cpp
  RemoteHook.cpp
  RemoteLocalHook.cpp
  Generating Code...
  Compiling...
  RemoteMemory.cpp
  Thread.cpp
  Threads.cpp
  sync.cc
  NativeSubsystem.cpp
  Wow64Local.cpp
  Wow64Subsystem.cpp
  x86Subsystem.cpp
  Generating Code...
  C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\CL.exe /c /I"C:\Users\WobCraft\Documents\node\test\node_mo
  dules\blackbone-node\src\BlackBone\..\..\Contrib" /I"C:\Users\WobCraft\.cmake-js\node-ia32\v0.12.7\src" /I"C:\Users\W
  obCraft\.cmake-js\node-ia32\v0.12.7\deps\v8\include" /I"C:\Users\WobCraft\.cmake-js\node-ia32\v0.12.7\deps\uv\include
  " /I"C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\node_modules\nan" /nologo /W3 /WX- /O2 /Ob2 /O
  y- /D WIN32 /D _WINDOWS /D NDEBUG /D BLACKBONE_STATIC /D "CMAKE_INTDIR=\"Release\"" /D BlackBone_EXPORTS /D _WINDLL /
  D _MBCS /Gm- /EHsc /MD /GS /fp:precise /Zc:wchar_t /Zc:forScope /GR /Fo"BlackBone.dir\Release\\" /Fd"BlackBone.dir\Re
  lease\vc120.pdb" /Gd /TC /analyze- /errorReport:queue "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-n
  ode\src\BlackBone\Asm\LDasm.c"
  LDasm.c
Link:
  C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\link.exe /ERRORREPORT:QUEUE /OUT:"C:\Users\WobCraft\Docume
  nts\node\test\node_modules\blackbone-node\build\src\BlackBone\Release\BlackBone.node" /INCREMENTAL:NO /NOLOGO kernel3
  2.lib user32.lib gdi32.lib winspool.lib shell32.lib ole32.lib oleaut32.lib uuid.lib comdlg32.lib advapi32.lib "C:\Use
  rs\WobCraft\.cmake-js\node-ia32\v0.12.7\node.lib" /MANIFEST /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /manife
  st:embed /PDB:"C:/Users/WobCraft/Documents/node/test/node_modules/blackbone-node/build/src/BlackBone/Release/BlackBon
  e.pdb" /SUBSYSTEM:CONSOLE /TLBID:1 /DYNAMICBASE /NXCOMPAT /IMPLIB:"C:/Users/WobCraft/Documents/node/test/node_modules
  /blackbone-node/build/src/BlackBone/Release/BlackBone.lib" /MACHINE:X86 /SAFESEH:NO /DLL BlackBone.dir\Release\assemb
  ler.obj
  BlackBone.dir\Release\codegen.obj
  BlackBone.dir\Release\constpool.obj
  BlackBone.dir\Release\containers.obj
  BlackBone.dir\Release\cpuinfo.obj
  BlackBone.dir\Release\cputicks.obj
  BlackBone.dir\Release\error.obj
  BlackBone.dir\Release\globals.obj
  BlackBone.dir\Release\operand.obj
  BlackBone.dir\Release\runtime.obj
  BlackBone.dir\Release\string.obj
  BlackBone.dir\Release\vmem.obj
  BlackBone.dir\Release\zone.obj
  BlackBone.dir\Release\x86assembler.obj
  BlackBone.dir\Release\x86cpuinfo.obj
  BlackBone.dir\Release\x86inst.obj
  BlackBone.dir\Release\x86operand.obj
  BlackBone.dir\Release\x86operand_regs.obj
  BlackBone.dir\Release\AsmHelper32.obj
  BlackBone.dir\Release\AsmHelper64.obj
  BlackBone.dir\Release\LDasm.obj
  BlackBone.dir\Release\DriverControl.obj
  BlackBone.dir\Release\LocalHookBase.obj
  BlackBone.dir\Release\TraceHook.obj
  BlackBone.dir\Release\MExcept.obj
  BlackBone.dir\Release\MMap.obj
  BlackBone.dir\Release\NtLoader.obj
  BlackBone.dir\Release\DynImport.obj
  BlackBone.dir\Release\NameResolve.obj
  BlackBone.dir\Release\Utils.obj
  BlackBone.dir\Release\PatternSearch.obj
  BlackBone.dir\Release\ImageNET.obj
  BlackBone.dir\Release\PEImage.obj
  BlackBone.dir\Release\MemBlock.obj
  BlackBone.dir\Release\Process.obj
  BlackBone.dir\Release\ProcessCore.obj
  BlackBone.dir\Release\ProcessMemory.obj
  BlackBone.dir\Release\ProcessModules.obj
  BlackBone.dir\Release\RemoteExec.obj
  BlackBone.dir\Release\RemoteHook.obj
  BlackBone.dir\Release\RemoteLocalHook.obj
  BlackBone.dir\Release\RemoteMemory.obj
  BlackBone.dir\Release\Thread.obj
  BlackBone.dir\Release\Threads.obj
  BlackBone.dir\Release\sync.obj
  BlackBone.dir\Release\NativeSubsystem.obj
  BlackBone.dir\Release\Wow64Local.obj
  BlackBone.dir\Release\Wow64Subsystem.obj
  BlackBone.dir\Release\x86Subsystem.obj
TraceHook.obj : error LNK2019: unresolved external symbol __imp__Disasm@4 referenced in function "private: bool __thisc
all blackbone::TraceHook::CheckBranching(struct blackbone::HookContext const &,unsigned int,unsigned int)" (?CheckBranc
hing@TraceHook@blackbone@@AAE_NABUHookContext@2@II@Z) [C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-nod
e\build\src\BlackBone\BlackBone.vcxproj]
sync.obj : error LNK2019: unresolved external symbol "double __cdecl Estimate(int)" (?Estimate@@YANH@Z) referenced in f
unction "void __cdecl CalculateSync(class Nan::FunctionCallbackInfo<class v8::Value> const &)" (?CalculateSync@@YAXABV?
$FunctionCallbackInfo@VValue@v8@@@Nan@@@Z) [C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\src
\BlackBone\BlackBone.vcxproj]
C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\src\BlackBone\Release\BlackBone.node : fatal er
ror LNK1120: 2 unresolved externals [C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\src\BlackB
one\BlackBone.vcxproj]
Compilación del proyecto terminada "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\src\BlackBo
ne\BlackBone.vcxproj" (destinos predeterminados) -- ERROR.

Compilación del proyecto terminada "C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\ALL_BUILD.v
cxproj" (destinos predeterminados) -- ERROR.


ERROR al compilar.

"C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\ALL_BUILD.vcxproj" (destino predeterminado) (1
) ->
"C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\src\BlackBone\BlackBone.vcxproj" (destino pred
eterminado) (2) ->
(Link destino) ->
  TraceHook.obj : error LNK2019: unresolved external symbol __imp__Disasm@4 referenced in function "private: bool __thi
scall blackbone::TraceHook::CheckBranching(struct blackbone::HookContext const &,unsigned int,unsigned int)" (?CheckBra
nching@TraceHook@blackbone@@AAE_NABUHookContext@2@II@Z) [C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-n
ode\build\src\BlackBone\BlackBone.vcxproj]
  sync.obj : error LNK2019: unresolved external symbol "double __cdecl Estimate(int)" (?Estimate@@YANH@Z) referenced in
 function "void __cdecl CalculateSync(class Nan::FunctionCallbackInfo<class v8::Value> const &)" (?CalculateSync@@YAXAB
V?$FunctionCallbackInfo@VValue@v8@@@Nan@@@Z) [C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\s
rc\BlackBone\BlackBone.vcxproj]
  C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\src\BlackBone\Release\BlackBone.node : fatal
error LNK1120: 2 unresolved externals [C:\Users\WobCraft\Documents\node\test\node_modules\blackbone-node\build\src\Blac
kBone\BlackBone.vcxproj]

    0 Advertencia(s)
    3 Errores

Tiempo transcurrido 00:00:26.02
ERR! OMG Process terminated: 1
npm ERR! Windows_NT 6.3.9600
npm ERR! argv "C:\\Program Files\\nodejs\\\\node.exe" "C:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js" "install"
npm ERR! node v0.12.7
npm ERR! npm  v2.11.3
npm ERR! code ELIFECYCLE

npm ERR! [email protected] install: `cmake-js rebuild`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] install script 'cmake-js rebuild'.
npm ERR! This is most likely a problem with the blackbone-node package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR!     cmake-js rebuild
npm ERR! You can get their info via:
npm ERR!     npm owner ls blackbone-node
npm ERR! There is likely additional logging output above.

npm ERR! Please include the following file with any support request:
npm ERR!     C:\Users\WobCraft\Documents\node\test\npm-debug.log

As you can see there are 2 unresolved externals.

Could you give me any advice on how to solve this?

I can upload my project to github if you need it.

New feature suggestions

Hey, congratulations, that's a very nice lib, but I have a couple of questions:

1 - Will inline hooking be available for remote hooking?
2 - Is it possible to hook functions inside an x64 process from an x86 one (using Heaven's Gate)? Will this feature be implemented in the near future?
3 - I'm trying to build the project for WinXP (v120_xp) and I get a lot of errors. Is there any way to build it for WinXP?

RVA Error in MMap.cpp

The relocation does not work if you force "isPlainData = true".

reinterpret_cast<size_t>(pImage->FileImage.base()) + fixoffset + fixrec->PageRVA) //Line 395

This is not a valid memory offset for plain mapped data. You need to wrap it in ResolveRVAToVA.
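The distinction the report turns on, as an added example that is neither BlackBone's code nor the reporter's: for an image mapping an RVA is a plain offset from the base, but for a file opened as plain data the RVA has to be translated through the section table into a file offset, and an RVA with no file bytes behind it (an uninitialised tail, or a bogus PageRVA in a crafted .reloc directory) must be rejected rather than dereferenced. SectionHeader, RvaToFileOffset, ResolveRvaToVa and the section layout are constructed for the example; they stand in for IMAGE_SECTION_HEADER and for MMap's own helper, whose internals are not on this page.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Stand-in for the IMAGE_SECTION_HEADER fields the lookup needs (constructed
// here so the example runs without <windows.h>).
struct SectionHeader {
    const char* name;
    uint32_t    virtualAddress;    // RVA of the section when mapped as an image
    uint32_t    virtualSize;       // extent in memory
    uint32_t    pointerToRawData;  // offset of the section's bytes in the file
    uint32_t    sizeOfRawData;     // how many of those bytes the file holds
};

const uint32_t kInvalidOffset = 0xFFFFFFFFu;

// Translate an RVA into an offset inside a plain (non-image) file mapping.
// Headers are identity-mapped, so RVAs below sizeOfHeaders map to themselves.
// Returns kInvalidOffset when the RVA lies outside every section or inside the
// part of a section that exists only in memory (a zero-filled .bss tail).
uint32_t RvaToFileOffset(const std::vector<SectionHeader>& sections,
                         uint32_t sizeOfHeaders, uint32_t rva)
{
    if (rva < sizeOfHeaders)
        return rva;

    for (const SectionHeader& s : sections) {
        if (rva < s.virtualAddress || rva - s.virtualAddress >= s.virtualSize)
            continue;
        uint32_t delta = rva - s.virtualAddress;
        if (delta >= s.sizeOfRawData)
            return kInvalidOffset;    // not backed by file bytes
        return s.pointerToRawData + delta;
    }
    return kInvalidOffset;
}

// base + RVA is only valid for an image mapping; for plain data the RVA has to
// go through the section table first. Returns nullptr when it cannot.
const uint8_t* ResolveRvaToVa(const uint8_t* base, bool isPlainData,
                              const std::vector<SectionHeader>& sections,
                              uint32_t sizeOfHeaders, uint32_t rva)
{
    if (!isPlainData)
        return base + rva;
    uint32_t off = RvaToFileOffset(sections, sizeOfHeaders, rva);
    return off == kInvalidOffset ? nullptr : base + off;
}

// Constructed layout: three sections with the usual file/memory gap.
const std::vector<SectionHeader> kSections = {
    { ".text",  0x1000, 0x0400, 0x0400, 0x0400 },
    { ".data",  0x2000, 0x0800, 0x0800, 0x0200 },  // 0x600 bytes exist only in memory
    { ".reloc", 0x3000, 0x0100, 0x0A00, 0x0200 },
};
const uint32_t kSizeOfHeaders = 0x400;

// Constructed 0xC00-byte "file" with one relocation entry stored at file offset
// 0xA08, i.e. RVA 0x3008: the first entry of a .reloc block whose PageRVA and
// SizeOfBlock header occupies 0x3000..0x3007.
std::vector<uint8_t> MakeFile()
{
    std::vector<uint8_t> file(0x0C00, 0);
    uint16_t entry = static_cast<uint16_t>((3u << 12) | 0x0C8);  // IMAGE_REL_BASED_HIGHLOW, page offset 0xC8
    std::memcpy(&file[0x0A08], &entry, sizeof entry);
    return file;
}

// Read that entry the way relocation processing must when the PE was opened
// as plain data instead of mapped as an image.
uint16_t ReadRelocEntryFromPlainFile()
{
    std::vector<uint8_t> file = MakeFile();
    const uint8_t* p = ResolveRvaToVa(file.data(), true, kSections, kSizeOfHeaders, 0x3008);
    uint16_t entry = 0;
    if (p != nullptr)
        std::memcpy(&entry, p, sizeof entry);
    return entry;
}

// Why base + RVA is wrong for plain data: RVA 0x3008 is past the end of the
// 0xC00-byte file, so the naive form would read outside the mapping.
bool NaiveResolveIsOutOfBounds()
{
    return 0x3008u >= MakeFile().size();
}

int main()
{
    std::printf("reloc entry via section table: 0x%04X\n", ReadRelocEntryFromPlainFile());
    std::printf("naive base+RVA stays in bounds: %s\n", NaiveResolveIsOutOfBounds() ? "no" : "yes");
    return 0;
}
```

The same lookup is what makes a manual mapper safe against a hostile input file: every RVA taken from a directory (relocations, imports, TLS, exception data) is bounds-checked against the section that claims it before any byte is touched.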

MMap without entrypoint

When manually mapping a DLL into a process, how do I map it in such a way that the entry point is not called? Apologies if I'm missing a flag/setting.

DriverControl depends on Process

I'm experimenting with DriverControl and I'm getting an exception in UnloadDriver at the following call.

GET_IMPORT( RtlInitUnicodeString )(&Ustr, regPath.c_str());

This is because I haven't instantiated NameResolve. I noticed that this class gets instantiated along with the Process class which I'm not using.

There are a couple of potential bugs here.

  1. The GET_IMPORT macro doesn't protect against "calling" a NULL function pointer.
  2. The DriverControl class doesn't ensure NameResolve has RtlInitUnicodeString mapped.

GP

P.S. - I'm working on a Node.js extension for Blackbone. I'm focusing on DriverControl initially because that is the feature of Blackbone I'm most interested in. I'll release the code once it is stable.
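What the two points above amount to in code, as an added example that is not DriverControl's or NameResolve's source: an import table whose Resolve reports whether the name was actually found, and a guarded call that turns a null import into a status code instead of a jump to address zero. FakeExports, ImportTable, SafeCall and the stand-in UNICODE_STRING and RtlInitUnicodeString are constructed for the example; the real routine lives in ntdll and is resolved with GetProcAddress or by walking the export directory.

```cpp
#include <cstdint>
#include <cstdio>
#include <cwchar>
#include <map>
#include <string>

typedef int32_t NTSTATUS;
const NTSTATUS STATUS_SUCCESS = 0;
const NTSTATUS STATUS_ORDINAL_NOT_FOUND = static_cast<NTSTATUS>(0xC0000138);

// Minimal UNICODE_STRING so the example compiles without <windows.h>.
struct UNICODE_STRING {
    uint16_t       Length;
    uint16_t       MaximumLength;
    const wchar_t* Buffer;
};

typedef void (*RtlInitUnicodeString_t)(UNICODE_STRING*, const wchar_t*);
typedef void (*GenericFn)();

// Constructed stand-in for a module's export table.
struct FakeExports {
    std::map<std::string, GenericFn> table;
    GenericFn Lookup(const std::string& name) const {
        auto it = table.find(name);
        return it == table.end() ? nullptr : it->second;
    }
};

// Behaves like the real routine: byte lengths of a NUL-terminated wide string.
void FakeRtlInitUnicodeString(UNICODE_STRING* dst, const wchar_t* src) {
    size_t chars = std::wcslen(src);
    dst->Length        = static_cast<uint16_t>(chars * sizeof(wchar_t));
    dst->MaximumLength = static_cast<uint16_t>((chars + 1) * sizeof(wchar_t));
    dst->Buffer        = src;
}

// Import cache: unresolved names stay null and are reported, never dereferenced.
class ImportTable {
public:
    explicit ImportTable(const FakeExports& exports) : _exports(exports) {}

    // Returns false when the export is missing, so callers can refuse to proceed.
    bool Resolve(const std::string& name) {
        GenericFn fn = _exports.Lookup(name);
        _imports[name] = fn;
        return fn != nullptr;
    }

    template<typename Fn>
    Fn Get(const std::string& name) const {
        auto it = _imports.find(name);
        return it == _imports.end() ? nullptr : reinterpret_cast<Fn>(it->second);
    }

private:
    const FakeExports& _exports;
    std::map<std::string, GenericFn> _imports;
};

// Guarded invocation: a null import yields a status code instead of a crash.
template<typename Fn, typename... Args>
NTSTATUS SafeCall(Fn fn, Args... args) {
    if (fn == nullptr)
        return STATUS_ORDINAL_NOT_FOUND;
    fn(args...);
    return STATUS_SUCCESS;
}

// The UnloadDriver prologue from the report, rewritten around the guard.
// regPath must outlive ustr, which points into it.
NTSTATUS BuildServiceRegPath(const ImportTable& imports, const std::wstring& svcName,
                             std::wstring& regPath, UNICODE_STRING& ustr) {
    regPath = L"\\registry\\machine\\SYSTEM\\CurrentControlSet\\Services\\" + svcName;
    ustr = UNICODE_STRING{ 0, 0, nullptr };
    return SafeCall(imports.Get<RtlInitUnicodeString_t>("RtlInitUnicodeString"),
                    &ustr, regPath.c_str());
}

int main() {
    FakeExports ntdll;
    ntdll.table["RtlInitUnicodeString"] = reinterpret_cast<GenericFn>(&FakeRtlInitUnicodeString);

    ImportTable resolved(ntdll);       // table that was populated (what Process does)
    resolved.Resolve("RtlInitUnicodeString");
    ImportTable empty(ntdll);          // table nobody populated (DriverControl used alone)

    std::wstring path;
    UNICODE_STRING us;
    std::printf("populated: 0x%08X, Length=%u\n",
                (unsigned)BuildServiceRegPath(resolved, L"BlackBone", path, us), (unsigned)us.Length);
    std::printf("empty:     0x%08X\n", (unsigned)BuildServiceRegPath(empty, L"BlackBone", path, us));
    return 0;
}
```

The second case is the one the report hit: with the guard it fails cleanly with STATUS_ORDINAL_NOT_FOUND, and the fix on the caller's side is to check Resolve's result (or run the resolver) before the first use, rather than to rely on some other class having done it.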

All breakpoint methods from CheatEngine

Hello,

Can you add all the features from Cheat Engine to this project? Cheat Engine has very good breakpoint methods which work on every game that I tried. I'm asking because the game I'm playing somehow deletes all hardware breakpoints every time the method is called (probably clears the CONTEXT of the stack), and of course the breakpoints from Cheat Engine work every time.

If not, just throw this "Issue" to trash.

Windows 10 #9926 - Injector not starting

The injector is not starting on the latest W10 technical preview build.

.dmp file:

Dump Summary
------------
Dump File:  Xenos.exe_2015.03.06.14.52.56.dmp :F:\RamDisk\TMPFS\Xenos-master\Xenos\build\Win32\Debug\Xenos.exe_2015.03.06.14.52.56.dmp
Last Write Time:    3/6/2015 2:53:12 PM
Process Name:   Xenos.exe F:\RamDisk\TMPFS\Xenos-master\Xenos\build\Win32\Debug\Xenos.exe
Process Architecture:   x86
Exception Code: 0xC0000005
Exception Information:  The thread tried to read from or write to a virtual address for which it does not have the appropriate access.
Heap Information:   Present

System Information
------------------
OS Version: 10.0.9926
CLR Version(s): 

Modules
-------
Module Name Module Path Module Version
----------- ----------- --------------
Xenos.exe   F:\RamDisk\TMPFS\Xenos-master\Xenos\build\Win32\Debug\Xenos.exe 2.1.2.0
ntdll.dll   C:\Windows\System32\ntdll.dll   10.0.9926.0
kernel32.dll    C:\Windows\System32\kernel32.dll    10.0.9926.0
KERNELBASE.dll  C:\Windows\System32\KERNELBASE.dll  10.0.9926.0
apphelp.dll C:\Windows\System32\apphelp.dll 10.0.9926.0
bcrypt.dll  C:\Windows\System32\bcrypt.dll  10.0.9926.0
shlwapi.dll C:\Windows\System32\shlwapi.dll 10.0.9926.0
msvcrt.dll  C:\Windows\System32\msvcrt.dll  7.0.9926.0
combase.dll C:\Windows\System32\combase.dll 10.0.9926.0
rpcrt4.dll  C:\Windows\System32\rpcrt4.dll  10.0.9926.0
sspicli.dll C:\Windows\System32\sspicli.dll 10.0.9926.0
CRYPTBASE.dll   C:\Windows\System32\CRYPTBASE.dll   10.0.9926.0
bcryptPrimitives.dll    C:\Windows\System32\bcryptPrimitives.dll    10.0.9926.0
sechost.dll C:\Windows\System32\sechost.dll 10.0.9926.0
gdi32.dll   C:\Windows\System32\gdi32.dll   10.0.9926.0
user32.dll  C:\Windows\System32\user32.dll  10.0.9926.0
comdlg32.dll    C:\Windows\System32\comdlg32.dll    10.0.9926.0
SHCore.dll  C:\Windows\System32\SHCore.dll  10.0.9926.0
dbghelp.dll C:\Windows\System32\dbghelp.dll 10.0.9926.0
shell32.dll C:\Windows\System32\shell32.dll 10.0.9926.0
advapi32.dll    C:\Windows\System32\advapi32.dll    10.0.9926.0
ole32.dll   C:\Windows\System32\ole32.dll   10.0.9926.0
MSVCP120D.dll   C:\Windows\System32\MSVCP120D.dll   12.0.21005.1
MSVCR120D.dll   C:\Windows\System32\MSVCR120D.dll   12.0.21005.1
comctl32.dll    C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9926.0_none_2203b4f072dcfff0\comctl32.dll  6.10.9926.0
imm32.dll   C:\Windows\System32\imm32.dll   10.0.9926.0
msctf.dll   C:\Windows\System32\msctf.dll   10.0.9926.0
oleaut32.dll    C:\Windows\System32\oleaut32.dll    10.0.9926.0

Is anyone experiencing the same issue?

vcxproj.user file should be ignored

If you removed the BlackBoneDrv.vcxproj.user file from the repo, and added it to your .gitignore file, it would make using Blackbone in a git submodule easier. In order to build the driver with my certificate I have to modify that user file.

While you are at it, the .gitignore file should ignore *.idb files.

Cannot get inline hook to work.

typedef void(__fastcall *t_InvalidPtrCheck)(ptr_t *address);

ptr_t protectionAddress = (DWORD_PTR)GetModuleHandle(NULL) + (FrameScript_InvalidPtrCheckAddr - 0x140000000);

void __fastcall hookInvalidPtrCheck(ptr_t* &address)
{
    Log("Hooked::InvalidPtrCheck");
}

Detour<t_InvalidPtrCheck> det2;
t_InvalidPtrCheck t = (t_InvalidPtrCheck)protectionAddress;
if (det2.Hook(t, &hookInvalidPtrCheck, HookType::Inline))
{
    Log("Detour applied");
}

I've tried a few different approaches here and cannot get this code to work. My Detour is applied, as the method returns true, but from what I can tell in Cheat Engine the bytes are not written. I looked at some older issues and made sure I have the latest copy of the lib. I just added the TestApp project, so I'm confident in my project setup. This is my last-ditch effort to have it solved. I really like this lib :) Great work.

Processor Mode Switching from x86 to x64

This isn't really an issue more of a suggestion, but I think it is something that should be added. It would allow you to manage every process from a 32 bit process on a 64 bit os, whether the target process is 64 bit or not.

Crash on manualmap right after CreateProcessW .. bad timing ?

Hi, although we spent several days trying to debug the problem, we are not 100% sure it comes from the lib itself, but since we are out of options, I'm just asking :)
It is very hard to reproduce: on several computers everything works fine; only on specific ones (fast ones?) does it crash. It seems to happen only on Win 8.1 x64, at least we haven't seen it on any other OS.
We load the to-be-injected-dll into memory and use manual mapping to inject it into the process which was created (CreateProcessW) just a few lines before the injection takes place. We use Process.Attach() and check for Process.valid.

  • If the process.mmap().MapImage(..) injection uses the NoExceptions flag, everything runs fine; without that flag it crashes shortly after the DLL is injected.
  • Injecting "a bit later" / when the process is already fully started, also works fine (also without the noexception flag).

So to us this looks like some problem with the target process not yet being fully initialized and registering the exception handler makes it go boom.

Here is some blackbone debug output, but everything looks ok:
http://pastebin.com/8vmgH8vm

The DLL's ATTACH_PROCESS gets called fine every time, but it crashes shortly after (the DLL itself does nothing; we also tried different DLLs and at least 2 other programs we injected into).

Sorry for the long post, love your work & maybe you have an idea :)

Windows 10 Build 9926

Hi...

It seems the newer versions of Windows 10 changed their major and minor version.

I can confirm this behavior on Windows 10 Preview x64 Build 9926.

You can confirm the information here:
http://www.windowscentral.com/microsoft-confirms-nt-kernel-version-windows-10-will-go-100
http://en.wikipedia.org/wiki/Windows_10#Version_history
https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/6f22c643-7a33-4581-9fbb-5462c1602f8b/windows-10-getversionex?forum=windowssdk

Not sure if this helps, but you can check it later:

// Windows 10, technical preview, build 9926
pData->KExecOpt         = 0x1BF; // same
pData->Protection       = 0x69A;
pData->ObjTable         = 0x418;
pData->VadRoot          = 0x5F8;
pData->NtCreateThdIndex = 0xB2;
pData->NtTermThdIndex   = 0x53; // same
pData->PrevMode         = 0x232; // same
pData->ExitStatus       = 0x6E0;
pData->MiAllocPage      = 0;    // not sure
pData->ExRemoveTable    = 0;    // not sure

Thanks

Could do with a hand

Hi,

Great work you have done on your projects, very interesting =)
I have been looking at the wow64dm project of yours and have seen the LoadLibraryRemoteWOW64 function. I am attempting to rework it, so to speak, so it works in the opposite manner.

Goal is to inject an x64 DLL image into an x64 process from an x86 process.
I have slightly modified your original function and commented out the enter/leave x64 portions inside the "code" variable. Everything is working as expected, almost!! The x86 process is successful in writing and executing the "code" variable, thus causing the remote x64 process to load the x64 DLL image (I have an OutputDebugString inside of the x64 DLL being injected, so I can see it is successfully triggering DLL_PROCESS_ATTACH), but after that it basically crashes the process that was injected.
I was wondering if you would have any ideas as to why that is? It seems ntdll is causing the crash.

[question] how to setup properly this lib?

Hi, I tried to use BlackBone in my project, but I cannot compile any project with it. I keep receiving errors as I include files: first I receive an error that, let's say, enum x is undefined; fine, I include one more file, and then 1940 (that's the real number) errors show up: x is undefined, y is the wrong size, and so on. I can't even compile the test app. I don't know what's wrong; I'm using Visual Studio 2013 Ultimate. Can you help me in any way?

[C#] DeviceIOControl

Hey DarthTon, I was implementing some of the driver features from your BlackBone library and driver using C# signature imports for CreateFile and DeviceIoControl. However, it seems that the DataPack is sent and can be read by the driver, but as soon as the driver updates the localbuf for the memory it doesn't update.

Signature for deviceiocontrol:

        [DllImport("Kernel32.dll", SetLastError = false, CharSet = CharSet.Auto)]
        public static extern bool DeviceIoControl(
           SafeFileHandle hDevice,
           uint IoControlCode,
           [MarshalAs(UnmanagedType.AsAny)]
           [In] object InBuffer,
           uint nInBufferSize,
           [MarshalAs(UnmanagedType.AsAny)]
           [Out] object OutBuffer,
           uint nOutBufferSize,
           ref uint pBytesReturned,
           IntPtr Overlapped
        );

I have tried
[Out] object InBuffer
[In][Out]
[Out][In]
but no luck :(

I added debug messages that showed me the function is getting called but the localBuf wasn't updating. I would be grateful if you could help me set this up. I do not normally code in c# because annoying things like this happen but I want to learn how to overcome these things. C++ is my main language when it comes to memory manipulation and it probably shows.

Thanks in advance,
thomhughes

PatternSearch Appears not to be working

All my attempts to use the remote pattern search thus far have failed; I've tried so many different things I've lost count. Perhaps you could give a working example of how to use it, since it's likely I'm making a silly mistake somewhere?

AsmJit

With my project I get errors to do with
"#include <AsmJit/asmjit.h>" saying it doesn't exist. How do I configure my project to include this?

(Question) Conditional detour return method

Hey. Apologies for the mouthful of a title - I don't really know what else to call this.

Lets say I have detoured a function. If the parameter is a certain value, I want to "transparently" pass it to the original function, and use the original return method. Otherwise, I want to instead use my detoured function's return method. How can I accomplish this?

Example pseudocode:

int detouredFunction(int a1) {
    if (a1 == 0) {
        return originalFunction(a1); //Doing this will just call the detour again... right?
    } else {
        //do stuff here
        return whatever;
    }
}

I hope what I'm writing makes sense...

Cheers, and great library by the way!
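The forwarding pattern the question asks about, as an added example that is neither the poster's code nor BlackBone's own: a pointer-slot detour (the kind used for vtable or import entries) saves the original before patching and forwards through that saved pointer, so the a1 == 0 case returns whatever the original returns and every other case returns the hook's own value. Calling the hooked address itself would re-enter the hook; in BlackBone's inline detours the original is instead reached through the trampoline the library builds (the handler's CallOriginal member), but the decision logic inside the hook is the same. PointerDetour, the slot and the function names are constructed for the example.

```cpp
#include <cstdio>
#include <utility>

// Pointer-slot detour: overwrites a function pointer that callers go through
// (vtable entry, import entry, dispatch table) and keeps the original so the
// hook can forward to it. An inline detour differs only in how the original
// is reached (a trampoline instead of the saved pointer).
template<typename Fn>
class PointerDetour {
public:
    bool Hook(Fn* slot, Fn hook)
    {
        if (_slot != nullptr || slot == nullptr || hook == nullptr)
            return false;            // already hooked, or nothing to hook
        _slot = slot;
        _original = *slot;           // saved before the slot is overwritten
        *slot = hook;
        return true;
    }

    void Restore()
    {
        if (_slot == nullptr)
            return;
        *_slot = _original;
        _slot = nullptr;
        _original = nullptr;
    }

    // Goes through the saved pointer, never through the patched slot,
    // so the hook cannot re-enter itself.
    template<typename... Args>
    auto CallOriginal(Args... args) -> decltype(std::declval<Fn>()(args...))
    {
        return _original(args...);
    }

private:
    Fn* _slot = nullptr;
    Fn  _original = nullptr;
};

typedef int (*TargetFn)(int);

// The function being detoured.
int OriginalFunction(int a1) { return a1 * 2; }

// The slot callers use (stands in for a vtable or IAT entry).
TargetFn g_slot = &OriginalFunction;
PointerDetour<TargetFn> g_detour;

// a1 == 0: transparent pass-through, the original's return value is returned.
// Otherwise: the hook's own logic and its own return value.
int DetouredFunction(int a1)
{
    if (a1 == 0)
        return g_detour.CallOriginal(a1);
    return -a1;
}

int  CallThroughSlot(int a1) { return g_slot(a1); }
bool InstallHook()           { return g_detour.Hook(&g_slot, &DetouredFunction); }
void RemoveHook()            { g_detour.Restore(); }

int main()
{
    std::printf("before hook: %d\n", CallThroughSlot(5));
    InstallHook();
    std::printf("hooked, a1=0: %d  a1=5: %d\n", CallThroughSlot(0), CallThroughSlot(5));
    RemoveHook();
    std::printf("after restore: %d\n", CallThroughSlot(5));
    return 0;
}
```

Whatever the hooking mechanism, the hook must hold a route to the original that does not pass through the patched entry point; with an inline detour that route is the trampoline containing the relocated prologue bytes plus a jump back past the patch.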

CSRSS is a protected process

TestApp attempts to perform a remote function call on CSRSS, but on Windows 8.1 this process is protected. Picking a different process would probably make for a better demonstration.

Remote function call test
Searching for csrss.exe... Found. Attaching to process 608
Can't attach to process, status code -1073741790 aborting

-1073741790 = STATUS_ACCESS_DENIED

Application Verifier stop

TestApp causes an appverif stop.

APPLICATION_VERIFIER_HANDLES_NULL_HANDLE (303)
NULL handle passed as parameter. A valid handle must be used.
This stop is generated if the function on the top of the stack passed a
NULL handle to system routines.
Arguments:
Arg1: 00000000, Not used.
Arg2: 00000000, Not used.
Arg3: 00000000, Not used.
Arg4: 00000000, Not used.

STACK_TEXT:
0046fb14 5d7c7085 5d7d0c28 00000303 00000000 vrfcore!VerifierStopMessageEx+0x57b
0046fb34 5d7c778c 0046fbe0 6a17e28b 0046fb7c vfbasics!AVrfpHandleSanityChecks+0x24
0046fb44 75949ae7 00000000 00000000 0046fb60 vfbasics!AVrfpNtQueryInformationThread+0x2c
0046fb7c 012203d9 00000000 0046fba0 0046fbc4 KERNELBASE!GetThreadId+0x1b
0046fb8c 0122c535 00000000 0046fbf8 36405889 TestApp!blackbone::Thread::Thread+0x19
0046fbc4 0124f482 0046fbf8 0046fbf8 0046fdc4 TestApp!blackbone::RemoteExec::reset+0x45
0046fbd4 01205dc1 000049c0 0000057b 36405e89 TestApp!blackbone::Process::Attach+0x22
0046fdc4 01285849 00000001 009b6fd8 009c4ef8 TestApp!wmain+0x81
0046fe14 0128598d 0046fe28 770d495d 7ecba000 TestApp!__tmainCRTStartup+0x199
0046fe1c 770d495d 7ecba000 0046fe6c 775698ee TestApp!wmainCRTStartup+0xd
0046fe28 775698ee 7ecba000 400a8e06 00000000 KERNEL32!BaseThreadInitThunk+0xe
0046fe6c 775698c4 ffffffff 7755e0c0 00000000 ntdll!__RtlUserThreadStart+0x20
0046fe7c 00000000 01285980 7ecba000 00000000 ntdll!_RtlUserThreadStart+0x1b

FAULTING_SOURCE_CODE:
15: Thread::Thread( HANDLE handle, ProcessCore* core )
16: : _handle( handle )
17: , _core( core )
18: , _id( GetThreadId( handle ) )

19: {
20: }
21:
22: Thread::Thread( const Thread& other )
23: : _handle( other._handle )
24: , _id( other._id )

Application Verifier crash

Running TestApp under appverif (and skipping the null handle stop) causes a crash under both x86 and x64.

May not be the fault of Blackbone, but maybe it is. Probably deserves further investigation. Unfortunately I don't have the time to root-cause this right now.

I've uploaded dump files of the issues (along with the binaries and PDBs).
x86: http://1drv.ms/1mYx5H0
x64: http://1drv.ms/1mYx06p

(Question) Hooking __thiscall

Hey.

The library is working fantastic so far, but unfortunately I'm having issues hooking what I believe is a __thiscall function with this signature
void __thiscall oFunction(int a1)
Now, I read around about hooking these types of functions because it seems to be quite complicated, and found out about using fastcall with an extra two arguments, so amongst many other things the code that I feel is getting me closest is this:

void __fastcall hFunction(void* &_this, void* &unused, int &a1) {
    ...
}
...
typedef void (__fastcall *tFunction)(void*&, void*&, int&);
DWORD aFunction = 0x123456; //Address of original function
tFunction oFunction = (tFunction)aFunction;
Detour<tFunction> det1;
det1.Hook(oFunction, &hFunction, HookType::Inline);

The instant det1.Hook is called, however, the program crashes, instantly. Before the program even calls the hook (from what I can see, the hook doesn't actually get applied). I'm working from an injected dll. I don't think this is a library bug, more my inexperience showing. If at all possible, could you let me know the correct way to hook this function?

Cheers

kernel manual mapping issue because of blackbone::Driver().Unload()?

Hello, sorry that it's me again, but I can't find a solution on my own to the following problem.

For some reason I get an "APC_INDEX_MISMATCH" bluescreen (stopping at ntoskrnl.exe+xxx) if I disable the "hide module from the VAD list" feature while I'm (kernel) manual mapping into an (x86) usermode process (on Win 8.1 b9600). Besides that, for another reason, the usermode application I want to inject my image into via kernel MM crashes if I close the GUI (injector); it behaves like a SetWindowsHookEx injection, it can't stand without the "parent process" (the injector; probably caused by the driver unload?).

The results are the same with the usermode manual mapping injection. It's the first time since I updated to the newest version of the BB library that I've experienced that "issue".

You, as creator of this beauty, probably know what's behind it; maybe you can take a look at it.

Thanks a lot!

My kernel manual mapping "issue" is caused by BB driver unloading, but I still don't get why.
Beginning at this commit:
DarthTon/Xenos@f44474c

Is it possible to hook without injection?

I have my own injection method which does what it's supposed to do, and I was going to use your library within my dll, but it seems that it's not possible to Hook into the local memory space.

Program loads my DLL into it, I just need to be able to run hooks and patternsearch.

linker warnings/errors since update? [question]

Hello, I've been following your project for months now. Today I tried to move to your newest version, including the last fixes/updates. I tried to compile the latest version under MS VS2013 Update 4, including WDK, etc. (as always). I'm getting a huge amount of linking errors (C2011, C2027, C2039, C2059, C2065, ... up to C4430), over 1300. I double-checked everything: linker settings, the files, compiler settings, and so on. Do I need the LLVM compiler since you added clang support?

thanks alot!

MMap::MapImage maps image twice on Win10x64

On Windows 10 x64, manually mapping a buffer into a remote process works, however the image is mapped twice (or two threads are created, not sure which). I have been using this on Windows 7 x64 for months without this double mapping.

The issue is easily reproduced by using TestMMapFromMem() in the TestApp executable. There, cmd is mapped into the current process. After 30s control is given back to the parent, and one can see "Successfully mapped image, unmapping", however at that point the image is mapped a second time. Here is the application trace:

Manual image mapping from buffer test
Trying to map C:\windows\system32\cmd.exe into current process
BlackBone: ManualMap: Mapping image 'MemoryImage_0x01020000' with flags 0x4042
BlackBone: ManualMap: Loading new image 'MemoryImage_0x01020000'
BlackBone: ManualMap: Image base allocated at 0x011C0000
BlackBone: ManualMap: Performing image copy
BlackBone: ManualMap: Relocating image 'MemoryImage_0x01020000'
BlackBone: ManualMap: Enabling exception support for image 'MemoryImage_0x01020000'
BlackBone: ManualMap: Performing security cookie initializtion for image 'MemoryImage_0x01020000'
BlackBone: ManualMap: Rebasing process to address 0x011C0000
BlackBone: ManualMap: Calling entry point for 'MemoryImage_0x01020000', Reason: 1
The system cannot find message text for message number 0x2350 in the message file for Application.

(c) 2015 Microsoft Corporation. All rights reserved.

C:\reversing\Blackbone\build\Win32\Debug>

Successfully mapped, unmapping
BlackBone: ManualMap: Unmapping image 'MemoryImage_0x01020000'
BlackBone: ManualMap: Calling entry point for 'MemoryImage_0x01020000', Reason: 0
The system cannot find message text for message number 0x2350 in the message file for Application.

(c) 2015 Microsoft Corporation. All rights reserved.

C:\reversing\Blackbone\build\Win32\Debug>

BlackBone: ManualMap: Disabling exception support for image 'MemoryImage_0x01020000'


C:\reversing\Blackbone\build\Win32\Debug>

Windows 10 official release issue with ManualMap and exception handling.

Here is the tracelog for when I attempt to use ManualMap with ManualImports and exception handling. Works fine with NoExceptions. Perhaps the sigs changed again?

NativeLdr: LdrHeapBase not found
ManualMap: Mapping image 'MemoryImage_0x0311E020' with flags 0x4005
ManualMap: Loading new image 'MemoryImage_0x0311E020'
ManualMap: Image base allocated at 0x07CE0000
ManualMap: Performing image copy
ManualMap: Relocating image 'MemoryImage_0x0311E020'
ManualMap: Loading new dependency 'd3dx9_43.dll'
ManualMap: Dependency path resolved to 'C:\WINDOWS\system32\d3dx9_43.dll'
ManualMap: Loading new image 'C:\WINDOWS\system32\d3dx9_43.dll'
ManualMap: Image base allocated at 0x087F0000
ManualMap: Performing image copy
ManualMap: Relocating image 'C:\WINDOWS\system32\d3dx9_43.dll'
ManualMap: Enabling exception support for image 'd3dx9_43.dll'
ManualMap: Failed to enable exception handling for image d3dx9_43.dll
ManualMap: Failed to load dependency 'C:\WINDOWS\system32\d3dx9_43.dll'. Status = 0x0

x86 RemoteCall problems

I wanted to write a mono assembly injector with your library but I encountered multiple problems:

RemoteFunction doesn't support functions with 0 arguments or multiple argument types, for example int.
ExecuteInAnyThread does not record the returned value.

Example Code that should work but does not: http://hastebin.com/qomejekini.avrasm

By the way, IntelliSense (2013) is pretty fucked at the RemoteFunction declarations :D

Win 10, Unknown Problem

Hi DarthTon,
So I finally had the opportunity to do some more testings on a Win10 Computer where we keep having rare issues of being unable to attach our dll to the exe process. The computer I finally could look at, had Windows 10 updated and nothing weird running or installed either. Default Win10 Antivirus too. No other anti malware or similar software running.
The code looks like this:
Process proc;
if( proc.Attach(Pid) == 0 ){
    proc.EnsureInit();
    blackbone::eLoadFlags flags = NoFlags ;
    if (proc.mmap().MapImage(DLLSize2, (void*)ostreamDll2.str().c_str(), false,flags) == 0)
    {
        // all good
    }
}

This code works for 99% of the people running win 10. I enabled blackbone trace but it didn't even create the log file on that computer (verified that it normally creates a log on my computer).
The code freezes/hangs at "proc.EnsureInit()", if I take that line out, it does the same at "proc.mmap().MapImage".
It injects the dll fine if I use another injection method, so the actual dll is good, the ostreamDll2 as well. Like I said, it works fine for everyone but a few rare cases.

Do you have any idea where I could put more debug logging or anything that could help tracing down the cause of the problem, or maybe some other hints what I could try ?

Thanks a lot in advance!
fx

Clear hooks in RemoteHook::Reset?

Should _hooks.clear() be called in RemoteHook::Reset? Even though Restore( hook.second, hook.first ); is called, _hooks still keeps it.

Unlinking VAD entry question

Would unlinking a VAD entry, in an attempt to hide virtual memory in a usermode process, crash the process when it executes memory belonging to VAD?

vtable hook

blackbone::VTableDetour<void(__stdcall *)(ID3D11DeviceContext*, UINT, UINT, INT)> vdtDrawIndexed;

produced this:

d:\projects\repos\blackbone\src\blackbone\localhook\hookhandlerstdcall.h(56): error C2440: 'return' : cannot convert from 'void' to 'int'
1> Expressions of type void cannot be converted to other types
1> d:\projects\repos\blackbone\src\blackbone\localhook\hookhandlerstdcall.h(55) : while compiling class template member function 'int blackbone::HookHandler<Fn,C>::CallOriginal(ID3D11DeviceContext *&&,UINT &&,UINT &&,INT &&)'
1> with
1> [
1> Fn=void (__stdcall *)(ID3D11DeviceContext *,UINT,UINT,INT)
1> , C=blackbone::NoClass
1> ]
1> d:\projects\skynet\clearsky\clearsky.cpp(65) : see reference to function template instantiation 'int blackbone::HookHandler<Fn,C>::CallOriginal(ID3D11DeviceContext *&&,UINT &&,UINT &&,INT &&)' being compiled
1> with
1> [
1> Fn=void (__stdcall *)(ID3D11DeviceContext *,UINT,UINT,INT)
1> , C=blackbone::NoClass
1> ]
1> d:\projects\repos\blackbone\src\blackbone\localhook\localhook.hpp(11) : see reference to class template instantiation 'blackbone::HookHandler<Fn,C>' being compiled
1> with
1> [
1> Fn=void (__stdcall *)(ID3D11DeviceContext *,UINT,UINT,INT)
1> , C=blackbone::NoClass
1> ]
1> d:\projects\repos\blackbone\src\blackbone\localhook\vtablehook.hpp(10) : see reference to class template instantiation 'blackbone::Detour<Fn,C>' being compiled
1> with
1> [
1> Fn=void (__stdcall *)(ID3D11DeviceContext *,UINT,UINT,INT)
1> , C=blackbone::NoClass
1> ]
1> d:\projects\skynet\clearsky\clearsky.cpp(16) : see reference to class template instantiation 'blackbone::VTableDetour<void (__stdcall *)(ID3D11DeviceContext *,UINT,UINT,INT),blackbone::NoClass>' being compiled

Maybe I'm doing it wrong.

X64Call Crash Windows 10 (CreateRemoteThread)

When attempting to manually map in Windows 10, I get a crash when attempting to restore the esp register. Am I the only one? Or has anybody else experienced this?

Edit: As a side note, it traces back to either Process::Attach or NativeWow64::CreateRemoteThreadT

Edit 2: This issue only seems to happen when trying to manually map a 32bit application into a 32bit process. But going from 64bit to 64bit has no issues. Could it be an issue with loading the 64bit CreateRemoteThread from the system32/ntdll.dll instead of the 32bit version from SysWOW64/ntdll.dll?

Edit 3: Managed to narrow it down to CreateRemoteThread. It appears to not like Windows 10, whether it be a lack of rights between my process and the target process or I'm just not able to grab a valid handle to CreateRemoteThread

Windows XP fix i think

RegDeleteTreeW was added on Vista and older; if you want XP support, then do it like this:

Old Code in BlackBone\DriverControl\DriverControl.cpp:

NTSTATUS DriverControl::UnloadDriver( const std::wstring& svcName )
{
    UNICODE_STRING Ustr = { 0 };

    std::wstring regPath = L"\\registry\\machine\\SYSTEM\\CurrentControlSet\\Services\\" + svcName;
    SAFE_CALL( RtlInitUnicodeString, &Ustr, regPath.c_str() );

    // Remove previously loaded instance, if any
    NTSTATUS status = SAFE_NATIVE_CALL( NtUnloadDriver, &Ustr );
    RegDeleteTreeW(HKEY_LOCAL_MACHINE, (L"SYSTEM\\CurrentControlSet\\Services\\" + svcName).c_str());

    return status;
}

Fixed:

NTSTATUS DriverControl::UnloadDriver( const std::wstring& svcName )
{
    UNICODE_STRING Ustr = { 0 };

    std::wstring regPath = L"\\registry\\machine\\SYSTEM\\CurrentControlSet\\Services\\" + svcName;
    SAFE_CALL( RtlInitUnicodeString, &Ustr, regPath.c_str() );

    // Remove previously loaded instance, if any
    NTSTATUS status = SAFE_NATIVE_CALL( NtUnloadDriver, &Ustr );
    SHDeleteKeyW(HKEY_LOCAL_MACHINE, (L"SYSTEM\\CurrentControlSet\\Services\\" + svcName).c_str());

    return status;
}
