commit 9d0b75534009a3137fab17af534b7944e22aab73 Author: Joshua Sigona Date: Thu Oct 21 13:20:26 2021 +0900 Setup Rabi Ribi memory detection diff --git a/bin/sig/MemoryUtils.class b/bin/sig/MemoryUtils.class new file mode 100644 index 0000000..d2bf460 Binary files /dev/null and b/bin/sig/MemoryUtils.class differ diff --git a/bin/sig/RabiRandomTeleportation.class b/bin/sig/RabiRandomTeleportation.class new file mode 100644 index 0000000..82f9608 Binary files /dev/null and b/bin/sig/RabiRandomTeleportation.class differ diff --git a/bin/sig/utils/Module.class b/bin/sig/utils/Module.class new file mode 100644 index 0000000..7cbece9 Binary files /dev/null and b/bin/sig/utils/Module.class differ diff --git a/bin/sig/utils/MyKernel32.class b/bin/sig/utils/MyKernel32.class new file mode 100644 index 0000000..9c75bb7 Binary files /dev/null and b/bin/sig/utils/MyKernel32.class differ diff --git a/bin/sig/utils/MyUser32.class b/bin/sig/utils/MyUser32.class new file mode 100644 index 0000000..64b1731 Binary files /dev/null and b/bin/sig/utils/MyUser32.class differ diff --git a/bin/sig/utils/Psapi$LPMODULEINFO.class b/bin/sig/utils/Psapi$LPMODULEINFO.class new file mode 100644 index 0000000..7816ac6 Binary files /dev/null and b/bin/sig/utils/Psapi$LPMODULEINFO.class differ diff --git a/bin/sig/utils/Psapi.class b/bin/sig/utils/Psapi.class new file mode 100644 index 0000000..a0cf470 Binary files /dev/null and b/bin/sig/utils/Psapi.class differ diff --git a/bin/sig/utils/PsapiTools.class b/bin/sig/utils/PsapiTools.class new file mode 100644 index 0000000..899b67d Binary files /dev/null and b/bin/sig/utils/PsapiTools.class differ diff --git a/lib/jna-4.5.0.jar b/lib/jna-4.5.0.jar new file mode 100644 index 0000000..2e4eaeb Binary files /dev/null and b/lib/jna-4.5.0.jar differ diff --git a/lib/jna-platform-4.5.0.jar b/lib/jna-platform-4.5.0.jar new file mode 100644 index 0000000..e1063a6 Binary files /dev/null and b/lib/jna-platform-4.5.0.jar differ 
diff --git a/src/sig/MemoryUtils.java b/src/sig/MemoryUtils.java
new file mode 100644
index 0000000..8a64c83
--- /dev/null
+++ b/src/sig/MemoryUtils.java
@@ -0,0 +1,37 @@
+package sig;
+
+import com.sun.jna.Native;
+import com.sun.jna.platform.win32.Advapi32;
+import com.sun.jna.platform.win32.Kernel32;
+import com.sun.jna.platform.win32.WinNT;
+import com.sun.jna.platform.win32.WinDef.DWORD;
+import com.sun.jna.platform.win32.WinNT.HANDLEByReference;
+
+public class MemoryUtils {
+ /**
+ * Enables debug privileges for this process, required for OpenProcess() to
+ * get processes other than the current user
+ */
+ public static void enableDebugPrivilege() {
+ HANDLEByReference hToken = new HANDLEByReference();
+ boolean success = Advapi32.INSTANCE.OpenProcessToken(Kernel32.INSTANCE.GetCurrentProcess(),
+ WinNT.TOKEN_QUERY | WinNT.TOKEN_ADJUST_PRIVILEGES, hToken);
+ if (!success) {
+ System.out.println("OpenProcessToken failed. Error: {}" + Native.getLastError());
+ return;
+ }
+ WinNT.LUID luid = new WinNT.LUID();
+ success = Advapi32.INSTANCE.LookupPrivilegeValue(null, WinNT.SE_DEBUG_NAME, luid);
+ if (!success) {
+ System.out.println("LookupprivilegeValue failed. Error: {}" + Native.getLastError());
+ return;
+ }
+ WinNT.TOKEN_PRIVILEGES tkp = new WinNT.TOKEN_PRIVILEGES(1);
+ tkp.Privileges[0] = new WinNT.LUID_AND_ATTRIBUTES(luid, new DWORD(WinNT.SE_PRIVILEGE_ENABLED));
+ success = Advapi32.INSTANCE.AdjustTokenPrivileges(hToken.getValue(), false, tkp, 0, null, null);
+ if (!success) {
+ System.out.println("AdjustTokenPrivileges failed. Error: {}" + Native.getLastError());
+ }
+ Kernel32.INSTANCE.CloseHandle(hToken.getValue());
+ }
+}
\ No newline at end of file
diff --git a/src/sig/RabiRandomTeleportation.java b/src/sig/RabiRandomTeleportation.java
new file mode 100644
index 0000000..c30681b
--- /dev/null
+++ b/src/sig/RabiRandomTeleportation.java
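Review bot: The token handle leaks when LookupPrivilegeValue fails: that branch returns before the `Kernel32.INSTANCE.CloseHandle(hToken.getValue())` at the end of enableDebugPrivilege, so either close before returning, `Kernel32.INSTANCE.CloseHandle(hToken.getValue()); return;`, or move the close into a `finally`. AdjustTokenPrivileges also returns true when the privilege was not actually granted (a non-elevated process does not hold SeDebugPrivilege), which only shows up as ERROR_NOT_ALL_ASSIGNED from GetLastError, so the success path should check `Kernel32.INSTANCE.GetLastError() == WinError.ERROR_NOT_ALL_ASSIGNED` (WinError is in jna-platform) before treating the call as a success. The three log lines combine an SLF4J-style `{}` placeholder with plain string concatenation, so the literal `{}` is printed in front of the error code; drop the `{}`. Because the method returns void, callers cannot tell whether the privilege is enabled; returning a boolean would let the caller fall back to the same-user case, which the Javadoc itself says does not need this privilege.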
@@ -0,0 +1,61 @@
+package sig;
+import sig.utils.PsapiTools;
+
+import java.util.List;
+
+import com.sun.jna.Memory;
+import com.sun.jna.Pointer;
+import com.sun.jna.platform.win32.Kernel32;
+import com.sun.jna.platform.win32.WinNT;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+import sig.utils.Module;
+
+public class RabiRandomTeleportation {
+ final int PROCESS_PERMISSIONS = WinNT.PROCESS_QUERY_INFORMATION | WinNT.PROCESS_VM_READ | WinNT.PROCESS_VM_WRITE;
+ public HANDLE rabiribiProcess = null;
+ int rabiRibiPID = -1;
+
+ private void CheckRabiRibiClient() {
+ List pids;
+ try {
+ pids = PsapiTools.getInstance().enumProcesses();
+ boolean found=false;
+ for (Integer pid : pids) {
+ HANDLE process = Kernel32.INSTANCE.OpenProcess(PROCESS_PERMISSIONS, true, pid);
+ List hModules;
+ try {
+ hModules = PsapiTools.getInstance().EnumProcessModules(process);
+ for(Module m: hModules){
+ //System.out.println(m.getFileName()+":"+m.getEntryPoint());
+ if (m.getFileName().contains("rabiribi")) {
+ found=true;
+ long rabiRibiMemOffset = Pointer.nativeValue(m.getLpBaseOfDll().getPointer());
+ System.out.println("Found an instance of Rabi-Ribi at 0x"+Long.toHexString(rabiRibiMemOffset)+" | File:"+m.getFileName()+","+m.getBaseName());
+ rabiRibiPID=pid;
+ rabiribiProcess=process;
+ break;
+ }
+ }
+ if (found) {
+ break;
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ if (process!=null) {
+ Kernel32.INSTANCE.CloseHandle(process);
+ }
+ }
+ if (!found) {
+ System.out.println("Rabi-Ribi process lost.");
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ public static void main(String[] args) {
+ RabiRandomTeleportation app = new RabiRandomTeleportation();
+ app.CheckRabiRibiClient();
+ }
+}
diff --git a/src/sig/utils/Module.java b/src/sig/utils/Module.java
new file mode 100644
index 0000000..648565c
--- /dev/null
+++ b/src/sig/utils/Module.java
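Review bot: The scan at `Kernel32.INSTANCE.OpenProcess(PROCESS_PERMISSIONS, true, pid)` opens every process on the machine with PROCESS_VM_WRITE and with bInheritHandle set to true, although nothing in this loop writes memory and a handle to the game should not be inherited by anything this program later spawns; open with `WinNT.PROCESS_QUERY_INFORMATION | WinNT.PROCESS_VM_READ` and `false` for the scan, and reopen only the matched pid with write access once it is found. Asking for write access on every process is also the pattern endpoint monitoring treats as injection behaviour, so the narrower request keeps the tool's footprint honest as well as least-privileged. The match `m.getFileName().contains("rabiribi")` is a case-sensitive substring test on the full path of every module, so any process that loads a DLL from a directory whose name contains that string is taken for the game; comparing `m.getBaseName()` of the main module against the expected executable name with `equalsIgnoreCase` would be precise. The handle kept in `rabiribiProcess` is deliberately left open by the `break`, but nothing closes it on shutdown, and `Memory` is imported but unused.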
@@ -0,0 +1,64 @@
+package sig.utils;
+
+import sig.utils.Psapi.LPMODULEINFO;
+import com.sun.jna.platform.win32.WinDef.HMODULE;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+
+public class Module {
+ private HANDLE hProcess;
+ private HMODULE hModule;
+ private HANDLE lpBaseOfDll = null;
+ private int SizeOfImage = 0;
+ private HANDLE EntryPoint = null;
+
+ private PsapiTools psapi = PsapiTools.getInstance();
+
+ protected Module() {
+ }
+
+ public Module(HANDLE hProcess, HMODULE hModule) {
+ this.hProcess = hProcess;
+ this.hModule = hModule;
+ }
+
+ public HMODULE getPointer() {
+ return hModule;
+ }
+
+ public String getFileName() {
+ return psapi.GetModuleFileNameExA(hProcess, hModule);
+ }
+
+ public String getBaseName() {
+ return psapi.GetModuleBaseNameA(hProcess, hModule);
+ }
+
+ private void GetModuleInformation() {
+ if (lpBaseOfDll == null) {
+ try {
+ LPMODULEINFO x = psapi.GetModuleInformation(hProcess, hModule);
+ lpBaseOfDll = x.lpBaseOfDll;
+ SizeOfImage = x.SizeOfImage;
+ EntryPoint = x.EntryPoint;
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+ }
+
+ public HANDLE getLpBaseOfDll() {
+ GetModuleInformation();
+ return lpBaseOfDll;
+ }
+
+ public int getSizeOfImage() {
+ GetModuleInformation();
+ return SizeOfImage;
+ }
+
+ public HANDLE getEntryPoint() {
+ GetModuleInformation();
+ return EntryPoint;
+ }
+
+}
diff --git a/src/sig/utils/MyKernel32.java b/src/sig/utils/MyKernel32.java
new file mode 100644
index 0000000..af90dbf
--- /dev/null
+++ b/src/sig/utils/MyKernel32.java
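Review bot: GetModuleInformation swallows the failure with `e.printStackTrace()` and leaves `lpBaseOfDll`, `SizeOfImage` and `EntryPoint` at their defaults, so `getLpBaseOfDll()` returns null after a failed lookup and the caller in RabiRandomTeleportation immediately dereferences it with `.getPointer()`; either let the failure propagate, `throw new IllegalStateException("GetModuleInformation failed for " + hModule, e);`, or document the null return on all three getters. Because the cache test is `lpBaseOfDll == null`, a failed lookup is also retried on every subsequent getter call. The `protected Module()` constructor leaves `hProcess` and `hModule` null with no way to set them later, so a comment saying what it is for (or removing it) would help. `psapi` is a per-instance copy of a singleton and could be a `static final` field.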
@@ -0,0 +1,81 @@ +package sig.utils; + +import com.sun.jna.Memory; +import com.sun.jna.Native; +import com.sun.jna.platform.win32.Kernel32; +import com.sun.jna.ptr.IntByReference; + +public interface MyKernel32 extends Kernel32 { + final Kernel32 INSTANCE = (Kernel32) Native.loadLibrary ("kernel32", Kernel32.class); + +// BOOL WINAPI WriteProcessMemory( +// __in HANDLE hProcess, +// __in LPVOID lpBaseAddress, +// __in LPCVOID lpBuffer, +// __in SIZE_T nSize, +// __out SIZE_T *lpNumberOfBytesWritten +// ); + boolean WriteProcessMemory(HANDLE p, int address, HANDLE buffer, int size, IntByReference written); + + +// BOOL WINAPI ReadProcessMemory( +// __in HANDLE hProcess, +// __in LPCVOID lpBaseAddress, +// __out LPVOID lpBuffer, +// __in SIZE_T nSize, +// __out SIZE_T *lpNumberOfBytesRead +// ); + boolean ReadProcessMemory(HANDLE hProcess, int inBaseAddress, Memory outputBuffer, int nSize, IntByReference outNumberOfBytesRead); + + +// HANDLE WINAPI OpenProcess( +// __in DWORD dwDesiredAccess, +// __in BOOL bInheritHandle, +// __in DWORD dwProcessId +// ); + HANDLE OpenProcess(int desired, boolean inherit, int pid); + + +// BOOL WINAPI EnumProcessModules( +// _In_ HANDLE hProcess, +// _Out_ HMODULE *lphModule, +// _In_ DWORD cb, +// _Out_ LPDWORD lpcbNeeded +// ); + boolean EnumProcessModules(HANDLE hProcess, HMODULE lphModule, int cb, int lpcbNeeded); + + +// DWORD WINAPI GetModuleFileName( +// _In_opt_ HMODULE hModule, +// _Out_ LPTSTR lpFilename, +// _In_ DWORD nSize +// ); + + int GetModuleFileName(HMODULE hModule, String lpFilename, int size); + +// DWORD WINAPI GetModuleFileNameEx( +// _In_ HANDLE hProcess, +// _In_opt_ HMODULE hModule, +// _Out_ LPTSTR lpFilename, +// _In_ DWORD nSize +// ); + + +// BOOL WINAPI GetModuleHandleEx( +// _In_ DWORD dwFlags, +// _In_opt_ LPCTSTR lpModuleName, +// _Out_ HMODULE *phModule +// ); + + int GetModuleHandleExA(int permissions, String lpFilename, HMODULE module); + +// BOOL WINAPI EnumProcesses( +// _Out_ DWORD 
*pProcessIds, +// _In_ DWORD cb, +// _Out_ DWORD *pBytesReturned +// ); + + boolean EnumProcesses(int[] processIds, int cb, int bytesReturned); + + int GetLastError(); +} \ No newline at end of file diff --git a/src/sig/utils/MyUser32.java b/src/sig/utils/MyUser32.java new file mode 100644 index 0000000..cd5aa1c --- /dev/null +++ b/src/sig/utils/MyUser32.java @@ -0,0 +1,12 @@ +package sig.utils; + +import com.sun.jna.Native; +import com.sun.jna.platform.win32.User32; + +public interface MyUser32 extends User32 { + final User32 INSTANCE = (User32) Native.loadLibrary ("user32", User32.class); + boolean ShowWindow(HWND hWnd, int nCmdShow); + boolean SetForegroundWindow(HWND hWnd); + HWND FindWindowA(String lpClassName, String lpWindowName); + +} diff --git a/src/sig/utils/Psapi.java b/src/sig/utils/Psapi.java new file mode 100644 index 0000000..ac65ed3 --- /dev/null +++ b/src/sig/utils/Psapi.java 
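Review bot: `INSTANCE` in MyKernel32 is declared as `Kernel32` and loaded with `Kernel32.class`, so none of the functions declared in this interface are ever bound; callers receive the jna-platform Kernel32 proxy, and `WriteProcessMemory`, `ReadProcessMemory`, `EnumProcessModules` and the rest here are dead declarations (MyUser32 in the next hunk has the same problem with `User32.class`). If the interface is meant to be used it needs `MyKernel32 INSTANCE = (MyKernel32) Native.loadLibrary("kernel32", MyKernel32.class, W32APIOptions.DEFAULT_OPTIONS);`, and the signatures then need real fixes: `int address` and `int inBaseAddress` stand for LPVOID and silently truncate addresses on a 64-bit target (use `Pointer`), `HMODULE lphModule`, `int lpcbNeeded` and `int bytesReturned` are out-parameters that must be an array or `IntByReference`, and a `String lpFilename` cannot receive an LPTSTR output buffer. As far as I recall, jna-platform's own Kernel32 already declares ReadProcessMemory and WriteProcessMemory with Pointer-typed addresses, so the simplest fix is to drop these redefinitions and use those.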
@@ -0,0 +1,57 @@
+package sig.utils;
+
+import java.util.Arrays;
+import java.util.List;
+
+import com.sun.jna.Native;
+import com.sun.jna.Structure;
+import com.sun.jna.platform.win32.WinDef.HMODULE;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+import com.sun.jna.ptr.IntByReference;
+import com.sun.jna.win32.StdCallLibrary;
+
+public interface Psapi extends StdCallLibrary{
+ Psapi INSTANCE = (Psapi) Native.loadLibrary("Psapi", Psapi.class);
+
+ /*
+ * http://msdn.microsoft.com/en-us/library/ms682629(VS.85).aspx
+ */
+ boolean EnumProcesses(int[] pProcessIds, int cb, IntByReference pBytesReturned);
+
+
+ /*
+ * http://msdn.microsoft.com/en-us/library/ms682631(VS.85).aspx
+ */
+ boolean EnumProcessModules(HANDLE hProcess, HMODULE[] lphModule, int cb, IntByReference lpcbNeededs);
+
+ boolean EnumProcessModulesEx(HANDLE hProcess, HMODULE[] lphModule, int cb, IntByReference lpcbNeededs, int flags);
+
+
+ /*
+ * http://msdn.microsoft.com/en-us/library/ms683198(VS.85).aspx
+ */
+ int GetModuleFileNameExA(HANDLE hProcess, HMODULE hModule, byte[] lpImageFileName, int nSize);
+
+ int GetModuleBaseNameA(HANDLE hProcess, HMODULE hModule, byte[] lpImageFileName, int nSize);
+
+
+ /*
+ * http://msdn.microsoft.com/en-us/library/ms684229(VS.85).aspx
+ */
+ public static class LPMODULEINFO extends Structure {
+ public HANDLE lpBaseOfDll;
+ public int SizeOfImage;
+ public HANDLE EntryPoint;
+ @Override
+ protected List getFieldOrder() {
+ return Arrays.asList(new String[] { "lpBaseOfDll", "SizeOfImage", "EntryPoint"});
+ }
+}
+
+ /*
+ * http://msdn.microsoft.com/en-us/library/ms683201(VS.85).aspx
+ */
+ boolean GetModuleInformation(HANDLE hProcess, HMODULE hModule, LPMODULEINFO lpmodinfo, int cb);
+
+
+}
diff --git a/src/sig/utils/PsapiTools.java b/src/sig/utils/PsapiTools.java
new file mode 100644
index 0000000..d32cac1
--- /dev/null
+++ b/src/sig/utils/PsapiTools.java
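Review bot: The `cb` parameters of EnumProcesses, EnumProcessModules and EnumProcessModulesEx are byte sizes, not element counts, and `lpcbNeededs` comes back in bytes, but nothing here says so and PsapiTools in the last hunk passes `lphModule.length` for `cb`; a comment such as `// cb and lpcbNeeded are sizes in bytes: entries * Native.POINTER_SIZE` above EnumProcessModules would prevent that mismatch. The structure is named LPMODULEINFO but it models MODULEINFO (the LP prefix denotes the pointer type), and `lpBaseOfDll` and `EntryPoint` are LPVOID, for which `Pointer` is the natural JNA type; HANDLE only works because it is pointer-sized, which deserves a comment if it is kept. `getFieldOrder` should return `List<String>` unless the raw `List` shown here is an artifact of the page extraction.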
@@ -0,0 +1,104 @@ +package sig.utils; + +import java.util.LinkedList; +import java.util.List; + +import sig.utils.Psapi.LPMODULEINFO; +import com.sun.jna.Native; +import com.sun.jna.platform.win32.Kernel32; +import com.sun.jna.platform.win32.WinDef.HMODULE; +import com.sun.jna.platform.win32.WinNT.HANDLE; +import com.sun.jna.ptr.IntByReference; + +public class PsapiTools { + private static PsapiTools INSTANCE=null; + private static Psapi psapi = Psapi.INSTANCE; + private static Kernel32 k32 = MyKernel32.INSTANCE; + + private PsapiTools(){} + + public static PsapiTools getInstance(){ + if (INSTANCE==null) + INSTANCE=new PsapiTools(); + return INSTANCE; + } + + + public List enumProcesses() throws Exception{ + List list = new LinkedList(); + + int[] pProcessIds = new int[1024]; + IntByReference pBytesReturned = new IntByReference(); + boolean success = psapi.EnumProcesses(pProcessIds, pProcessIds.length*Integer.SIZE/8, pBytesReturned); + if (!success){ + int err=k32.GetLastError(); + throw new Exception("EnumProcesses failed. Error: "+err); + } + + int size = (pBytesReturned.getValue()/(Integer.SIZE/8)); + for (int i=0;i EnumProcessModules(HANDLE hProcess) throws Exception{ + List list = new LinkedList(); + + HMODULE[] lphModule = new HMODULE[1024]; + IntByReference lpcbNeededs= new IntByReference(); + boolean success = psapi.EnumProcessModules(hProcess, lphModule, lphModule.length, lpcbNeededs); + if (!success){ + int err=k32.GetLastError(); + if (err!=6 && err!=299) { + throw new Exception("EnumProcessModules failed. 
Error: "+err); + } + } + for (int i = 0; i < lpcbNeededs.getValue()/4; i++) { + list.add(new Module(hProcess, lphModule[i])); + } + + return list; + } + + public List EnumProcessModulesEx(HANDLE hProcess, int flags) throws Exception{ + List list = new LinkedList(); + + HMODULE[] lphModule = new HMODULE[1024]; + IntByReference lpcbNeededs= new IntByReference(); + boolean success = psapi.EnumProcessModulesEx(hProcess, lphModule, lphModule.length, lpcbNeededs, flags); + if (!success){ + int err=k32.GetLastError(); + throw new Exception("EnumProcessModules failed. Error: "+err); + } + for (int i = 0; i < lpcbNeededs.getValue()/4; i++) { + list.add(new Module(hProcess, lphModule[i])); + } + + return list; +} + + public String GetModuleFileNameExA(HANDLE hProcess, HMODULE hModule){ + byte[] lpImageFileName= new byte[256]; + psapi.GetModuleFileNameExA(hProcess, hModule, lpImageFileName, 256); + return Native.toString(lpImageFileName); + } + + public String GetModuleBaseNameA(HANDLE hProcess, HMODULE hModule){ + byte[] lpImageFileName= new byte[256]; + psapi.GetModuleBaseNameA(hProcess, hModule, lpImageFileName, 256); + return Native.toString(lpImageFileName); +} + + public LPMODULEINFO GetModuleInformation(HANDLE hProcess, HMODULE hModule) throws Exception{ + LPMODULEINFO lpmodinfo = new LPMODULEINFO(); + + boolean success = psapi.GetModuleInformation(hProcess, hModule, lpmodinfo, lpmodinfo.size()); + if (!success){ + int err=k32.GetLastError(); + throw new Exception("GetModuleInformation failed. Error: "+err); + } + return lpmodinfo; + } + +}
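Review bot: EnumProcessModules passes `lphModule.length` (an entry count) as the byte size `cb` and then divides `lpcbNeededs` by a hard-coded 4, which is wrong on a 64-bit JVM: only 128 of the 1024 slots are offered to the API, the loop bound is twice the number of handles actually written, and the surplus `Module` objects are built from null HMODULEs; use `lphModule.length * Native.POINTER_SIZE` for `cb` and `lpcbNeededs.getValue() / Native.POINTER_SIZE` as the loop bound, here and in EnumProcessModulesEx. Treating error 6 as success means a null or failed handle from OpenProcess is silently reported as a process with no modules, which hides access-denied and protected-process cases; at least name the codes with `WinError.ERROR_INVALID_HANDLE` and `WinError.ERROR_PARTIAL_COPY` from jna-platform and log them. GetModuleFileNameExA and GetModuleBaseNameA discard the returned character count and use a 256-byte buffer, so longer paths are silently truncated and `Native.toString(byte[])` decodes them in the platform charset; compare the return value with the buffer size. The loop body of enumProcesses is garbled in this page's extraction and could not be reviewed, beyond noting that a fixed 1024-entry array also truncates silently when `pBytesReturned` equals `cb`.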