#include <windows.h>
#include <cstdio>
// credits: s3rb31
#define STATUS_SUCCESS 0x00000000
/// Looks up an export of the already-loaded ntdll.dll and returns it as the
/// requested function-pointer type.
///
/// The module handle is resolved once and cached in a function-local static;
/// ntdll is mapped into every user-mode process, so the cached handle stays
/// valid for the life of the process.
///
/// @tparam T        function-pointer type the export is cast to
/// @param ProcName  ANSI export name, e.g. "NtCreateSection"
/// @return the export cast to T, or a null pointer when GetProcAddress fails —
///         callers must test the result before calling through it (main() does).
template<typename T>
T GetNTDLLProc(LPCSTR ProcName)
{
    static const HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    const FARPROC exported = GetProcAddress(ntdll, ProcName);
    return reinterpret_cast<T>(exported);
}
/// Inheritance disposition for a section view (the InheritDisposition argument
/// of the non-Ex NtMapViewOfSection). Declared for reference only — nothing in
/// this listing uses it.
typedef enum _SECTION_INHERIT {
    ViewShare = 1,  // child processes inherit the view
    ViewUnmap = 2   // child processes do not inherit the view
} SECTION_INHERIT;
/// Counted UTF-16 string as used by the native API. In the public definition
/// Length and MaximumLength are byte counts, not character counts, and Buffer
/// need not be NUL-terminated. Only needed here as the ObjectName field of
/// OBJECT_ATTRIBUTES.
typedef struct _UNICODE_STRING {
    USHORT Length;         // bytes in use, excluding any terminator
    USHORT MaximumLength;  // bytes allocated for Buffer
    PWCH Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
/// Object-manager attributes for NtCreate*/NtOpen* calls. When the structure is
/// passed, Length must hold sizeof(OBJECT_ATTRIBUTES) (InitializeObjectAttributes
/// sets it). main() passes NULL instead, so the section it creates is unnamed.
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;            // directory ObjectName is relative to, or NULL
    PUNICODE_STRING ObjectName;      // NULL for an anonymous object
    ULONG Attributes;                // OBJ_* flags
    PVOID SecurityDescriptor; // SECURITY_DESCRIPTOR
    PVOID SecurityQualityOfService; // SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
/// One extended parameter for NtMapViewOfSectionEx: a type tag plus a payload
/// pointer. main() uses Type 1 with Addr pointing at an EXT_PARAMS_ALLOCATE_MAP
/// (address-range constraint).
/// NOTE(review): the layout looks like the public MEM_EXTENDED_PARAMETER (type
/// tag in a 64-bit field followed by a pointer-sized union) — confirm against
/// winnt.h before relying on any other Type value.
typedef struct _EXT_PARAMS
{
    DWORD64 Type; // enum 1-5 (per the author); 1 = address range, payload is EXT_PARAMS_ALLOCATE_MAP
    PVOID Addr;   // payload for the chosen Type
} EXT_PARAMS, *PEXT_PARAMS;
/// Payload for an EXT_PARAMS of Type 1: the view must be placed inside
/// [StartAddr, EndAddr]. Constraints as recorded by the author:
///   - if EndAddr != 0 then StartAddr < EndAddr, else StartAddr < 0x7ffffffeffff
///   - EndAddr < 0x7ffffffeffff and (EndAddr + 1) & 0xFFF == 0 (range ends on a page boundary)
///   - (EndAddr - StartAddr) + 1 < 0x020000000000 (2048 GB)
///   - a violated constraint fails with STATUS_NO_MEMORY (0xC0000017)
/// NOTE(review): the field order matches the public MEM_ADDRESS_REQUIREMENTS
/// (LowestStartingAddress, HighestEndingAddress, Alignment), which would make
/// `_null` the alignment field (0 = default) — confirm against winnt.h.
typedef struct _EXT_PARAMS_ALLOCATE_MAP
{
    PVOID StartAddr = 0;  // lowest acceptable base address (inclusive)
    PVOID EndAddr = 0;    // highest acceptable end address (inclusive); 0 = no upper bound, per the author's note
    DWORD64 _null = 0;    // left zero by this listing
} EXT_PARAMS_ALLOCATE_MAP, *PEXT_PARAMS_ALLOCATE_MAP;
/// ntdll!NtCreateSection — (SectionHandle, DesiredAccess, ObjectAttributes,
/// MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle).
/// main() passes ObjectAttributes = NULL and FileHandle = NULL, so the section
/// is anonymous and pagefile-backed.
typedef NTSTATUS (NTAPI *NtCreateSection_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PLARGE_INTEGER, ULONG, ULONG, HANDLE);
/// ntdll!NtMapViewOfSectionEx — the Ex variant adds ExtParameters and
/// ExtParametersCount, through which main() passes a single Type-1
/// address-range constraint. BaseAddress and ViewSize are in/out: main()
/// passes NULL and 0 so the kernel chooses the base and maps the whole section.
/// Win32Protect takes the PAGE_* constants used by the Win32 mapping APIs.
typedef NTSTATUS (NTAPI *NtMapViewOfSectionEx_t)(
    IN HANDLE SectionHandle,
    IN HANDLE ProcessHandle,                      // GetCurrentProcess() in this listing
    IN OUT PVOID *BaseAddress,                    // NULL in = kernel chooses; receives the mapped base
    IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, // NULL = offset 0
    IN OUT PSIZE_T ViewSize,                      // 0 in = whole section; receives the mapped size
    IN ULONG AllocationType,
    IN ULONG Win32Protect,
    IN PEXT_PARAMS ExtParameters OPTIONAL,        // array of ExtParametersCount entries
    IN ULONG ExtParametersCount
);
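/// Proof of concept for the NtMapViewOfSectionEx extended parameters.
///
/// Creates a one-page, pagefile-backed RWX section and asks the kernel to map
/// a view of it inside [hMod, hMod + 0x1000FFF] — i.e. next to this
/// executable's own image — by passing a Type-1 (address range) extended
/// parameter. RWX is kept only because this is a demo; outside a PoC prefer a
/// W^X layout (map RW, re-protect to RX once the contents are final).
///
/// Fixes over the original: error messages name the function that actually
/// failed, the section handle is closed on every path (it leaked on the
/// mapping-failure path), and failures exit with 1 instead of 0 so a caller
/// can tell success from failure.
///
/// @return 0 when both NT calls succeed, 1 when an export cannot be resolved
///         or an NT call fails.
int main()
{
    const NtCreateSection_t NtCreateSection =
        GetNTDLLProc<NtCreateSection_t>("NtCreateSection");
    const NtMapViewOfSectionEx_t NtMapViewOfSectionEx =
        GetNTDLLProc<NtMapViewOfSectionEx_t>("NtMapViewOfSectionEx");
    if (!NtCreateSection || !NtMapViewOfSectionEx)
    {
        printf("ERROR! NtCreateSection: %p, NtMapViewOfSectionEx: %p\r\n", NtCreateSection, NtMapViewOfSectionEx);
        return 1;
    }

    // One page (0x1000 bytes), committed up front (SEC_COMMIT) and not backed
    // by a file (FileHandle == NULL).
    LARGE_INTEGER maxSize;
    maxSize.HighPart = 0;
    maxSize.LowPart = 0x1000;

    HANDLE hSection = NULL;
    NTSTATUS status = NtCreateSection(
        &hSection,
        SECTION_ALL_ACCESS,
        NULL,
        &maxSize,
        PAGE_EXECUTE_READWRITE,
        SEC_COMMIT,
        NULL);
    if (status != STATUS_SUCCESS)
    {
        // NTSTATUS is a signed LONG; cast so %x receives the unsigned type it expects.
        printf("NtCreateSection failed, status : %x\n", static_cast<unsigned int>(status));
        return 1;
    }
    printf("Section handle: %p\n", hSection);
    printf("Mapping the section ...\n");

    // Address-range constraint: the kernel must place the view inside
    // [StartAddr, EndAddr]. EndAddr has to satisfy (EndAddr + 1) & 0xFFF == 0;
    // module bases are page aligned, so hMod + 0x1000FFF qualifies.
    HMODULE hMod = GetModuleHandle(NULL);
    EXT_PARAMS_ALLOCATE_MAP map_params;
    map_params.StartAddr = hMod;
    map_params.EndAddr = reinterpret_cast<PBYTE>(hMod) + 0x1000FFF;

    // Type 1 selects the address-range payload (see EXT_PARAMS_ALLOCATE_MAP).
    constexpr DWORD64 kExtParamTypeAddressRange = 1;
    EXT_PARAMS ext_params{};
    ext_params.Type = kExtParamTypeAddressRange;
    ext_params.Addr = &map_params;

    PVOID pBase = NULL;   // must be NULL: the kernel chooses the base within the range
    SIZE_T viewSize = 0;  // 0 = let the kernel size the view (whole section)
    status = NtMapViewOfSectionEx(
        hSection,
        GetCurrentProcess(),
        &pBase,
        NULL,
        &viewSize,
        0,
        PAGE_EXECUTE_READWRITE,
        &ext_params,
        1);
    if (status != STATUS_SUCCESS)
    {
        printf("NtMapViewOfSectionEx failed, status : %x\n", static_cast<unsigned int>(status));
        CloseHandle(hSection);  // the original leaked the section handle on this path
        return 1;
    }
    printf("Module base: %p\r\n", hMod);
    printf("Success! BaseAddress: %p\n", pBase);

    // Tear down what was created instead of relying on process exit.
    UnmapViewOfFile(pBase);
    CloseHandle(hSection);
    return 0;
}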