
Started to initialize PEB structure #1

Status: Open. Wants to merge 6 commits into base: master.

Conversation

@nogitsune-youkai commented Sep 1, 2024

I started to initialize the fields of the PEB structure in InitTebPeb(). Do not merge; this is work in progress.

@nogitsune-youkai nogitsune-youkai marked this pull request as draft September 1, 2024 16:35
@nogitsune-youkai (Author) commented Sep 1, 2024

It seems that the PEB_LDR_DATA structure fields are initialized in

void PeEmulation::InitLdrModuleList()

@nogitsune-youkai (Author) commented Sep 5, 2024

peb.ProcessHeap = (PVOID)m_HeapBase; // this is initialized to 0x0000000010000000

peb.ProcessHeap = NtCurrentPeb()->ProcessHeap; // this is initialized to 0x000002413f480000. Which one to keep?

Which peb.ProcessHeap should I keep? This field gets overwritten in peb.ProcessHeap = NtCurrentPeb()->ProcessHeap;, but the values are different. It seems that the first time it's initialized with the heap base address, but the next time it's initialized with the plain address of ProcessHeap. Is there a big difference, and do we really need it?

@Nitr0-G (Owner) commented Sep 5, 2024

So we need to use the dynamic address of the heap (peb.ProcessHeap = NtCurrentPeb()->ProcessHeap; // this is initialized to 0x000002413f480000. Which one to keep?) to prevent detection of pevisor, and you also need to emulate the Heap structure to avoid debugger detection via the heap.
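The question above (static m_HeapBase vs. the value read from NtCurrentPeb()->ProcessHeap) and the owner's answer both come down to one consistency invariant an analysis emulator has to keep: PEB.ProcessHeap must point at the heap the guest really allocates from, and that heap's Flags/ForceFlags, together with PEB.NtGlobalFlag and PEB.BeingDebugged, must look like those of a normal, undebugged process, because those are the fields that heap-based debugger checks compare. The C program below is an added example, not pevisor code. It models the PEB and HEAP with simplified, hypothetical structs (real layouts differ by Windows build and are deliberately not reproduced), and validates an emulated PEB the way a unit test inside the emulator could. The flag constants are the documented winnt.h / ntdll values; emu_peb_t, emu_heap_t, peb_check and the scenario functions are invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not pevisor code). These structs are a simplified,
 * HYPOTHETICAL model of the PEB and HEAP fields that debugger heuristics
 * read; real field offsets vary by Windows version and are not modelled. */
typedef struct {
    uint32_t Flags;      /* HEAP.Flags */
    uint32_t ForceFlags; /* HEAP.ForceFlags */
} emu_heap_t;

typedef struct {
    uint8_t     BeingDebugged; /* PEB.BeingDebugged */
    uint32_t    NtGlobalFlag;  /* PEB.NtGlobalFlag */
    emu_heap_t *ProcessHeap;   /* PEB.ProcessHeap, the field the thread discusses */
} emu_peb_t;

/* Documented Windows constants (winnt.h / ntdll). */
#define HEAP_GROWABLE                    0x00000002u
#define HEAP_TAIL_CHECKING_ENABLED       0x00000020u
#define HEAP_FREE_CHECKING_ENABLED       0x00000040u
#define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000u
#define FLG_HEAP_ENABLE_TAIL_CHECK       0x00000010u
#define FLG_HEAP_ENABLE_FREE_CHECK       0x00000020u
#define FLG_HEAP_VALIDATE_PARAMETERS     0x00000040u

/* Bits that a debugger-created process normally has set and an undebugged one does not. */
#define HEAP_DEBUG_FLAGS (HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED)
#define NTGF_DEBUG_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

enum {
    PEB_OK                  = 0,
    PEB_ERR_NULL_HEAP       = 1,
    PEB_ERR_HEAP_MISMATCH   = 2,
    PEB_ERR_BEING_DEBUGGED  = 4,
    PEB_ERR_NTGLOBALFLAG    = 8,
    PEB_ERR_HEAP_FLAGS      = 16,
    PEB_ERR_HEAP_FORCEFLAGS = 32
};

/* Returns a bitmask of inconsistencies (0 = the emulated PEB looks like a
 * normal, undebugged process). `real_heap` is the heap object the emulator
 * actually hands out to the guest; ProcessHeap must point at exactly that,
 * not at some other constant that merely looks like a heap address. */
int peb_check(const emu_peb_t *peb, const emu_heap_t *real_heap) {
    int err = PEB_OK;
    if (peb->ProcessHeap == NULL) return PEB_ERR_NULL_HEAP;
    if (peb->ProcessHeap != real_heap) err |= PEB_ERR_HEAP_MISMATCH;
    if (peb->BeingDebugged) err |= PEB_ERR_BEING_DEBUGGED;
    if (peb->NtGlobalFlag & NTGF_DEBUG_FLAGS) err |= PEB_ERR_NTGLOBALFLAG;
    if ((peb->ProcessHeap->Flags & HEAP_DEBUG_FLAGS) || !(peb->ProcessHeap->Flags & HEAP_GROWABLE))
        err |= PEB_ERR_HEAP_FLAGS;
    if (peb->ProcessHeap->ForceFlags != 0) err |= PEB_ERR_HEAP_FORCEFLAGS;
    return err;
}

/* Constructed scenarios mirroring the thread. */

/* ProcessHeap points at a fixed value (stand-in for the static m_HeapBase)
 * while the guest's real heap lives elsewhere: the two disagree. */
int scenario_static_base(void) {
    emu_heap_t real  = { HEAP_GROWABLE, 0 };
    emu_heap_t stale = { HEAP_GROWABLE, 0 };
    emu_peb_t peb = { 0, 0, &stale };
    return peb_check(&peb, &real); /* PEB_ERR_HEAP_MISMATCH */
}

/* ProcessHeap is taken from the heap actually in use: consistent. */
int scenario_dynamic_heap(void) {
    emu_heap_t real = { HEAP_GROWABLE, 0 };
    emu_peb_t peb = { 0, 0, &real };
    return peb_check(&peb, &real); /* PEB_OK */
}

/* Heap structure copied from a debugged host process without scrubbing:
 * the debug bits give the emulator away even though the pointer is right. */
int scenario_debug_heap(void) {
    emu_heap_t real = { HEAP_GROWABLE | HEAP_DEBUG_FLAGS, HEAP_DEBUG_FLAGS };
    emu_peb_t peb = { 0, NTGF_DEBUG_FLAGS, &real };
    return peb_check(&peb, &real); /* NTGLOBALFLAG | HEAP_FLAGS | HEAP_FORCEFLAGS */
}

int scenario_null_heap(void) {
    emu_peb_t peb = { 0, 0, NULL };
    return peb_check(&peb, NULL); /* PEB_ERR_NULL_HEAP */
}

int main(void) {
    printf("static base : %d\n", scenario_static_base());
    printf("dynamic heap: %d\n", scenario_dynamic_heap());
    printf("debug heap  : %d\n", scenario_debug_heap());
    printf("null heap   : %d\n", scenario_null_heap());
    return 0;
}
```

The third scenario is why the owner's second point matters as much as the first: copying ProcessHeap from the host is only half the job if the HEAP fields behind it still carry the debug-time values; the emulated heap header has to be populated with the values an undebugged process would see.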

@nogitsune-youkai (Author) commented

> So we need to use the dynamic address of the heap (peb.ProcessHeap = NtCurrentPeb()->ProcessHeap; // this is initialized to 0x000002413f480000. Which one to keep?) to prevent detection of pevisor, and you also need to emulate the Heap structure to avoid debugger detection via the heap.

So if I get this right, we should go with my solution and use NtCurrentPeb()->ProcessHeap; instead of peb.ProcessHeap = (PVOID)m_HeapBase;. Right? Just to clarify.

@Nitr0-G (Owner) commented Sep 5, 2024

> > So we need to use the dynamic address of the heap (peb.ProcessHeap = NtCurrentPeb()->ProcessHeap; // this is initialized to 0x000002413f480000. Which one to keep?) to prevent detection of pevisor, and you also need to emulate the Heap structure to avoid debugger detection via the heap.
>
> So if I get this right, we should go with my solution and use NtCurrentPeb()->ProcessHeap; instead of peb.ProcessHeap = (PVOID)m_HeapBase;. Right? Just to clarify.

Yeah, but for error-free and bug-free code, check all places that use the static m_HeapBase or peb.ProcessHeap.

@nogitsune-youkai (Author) commented

> > > So we need to use the dynamic address of the heap (peb.ProcessHeap = NtCurrentPeb()->ProcessHeap; // this is initialized to 0x000002413f480000. Which one to keep?) to prevent detection of pevisor, and you also need to emulate the Heap structure to avoid debugger detection via the heap.
> >
> > So if I get this right, we should go with my solution and use NtCurrentPeb()->ProcessHeap; instead of peb.ProcessHeap = (PVOID)m_HeapBase;. Right? Just to clarify.
>
> Yeah, but for error-free and bug-free code, check all places that use the static m_HeapBase or peb.ProcessHeap.

Gotcha.

@nogitsune-youkai nogitsune-youkai marked this pull request as ready for review September 13, 2024 15:09
@nogitsune-youkai (Author) commented

Hmm, it seems that I forgot to initialize the fields inside unions; need to fix it.

2 participants