Setup Rabi Ribi memory detection

2021-10-21 13:20:26 +09:00 · 2021-10-21 13:20:26 +09:00 · 9d0b755340
commit 9d0b755340
17 changed files with 416 additions and 0 deletions
--- a/bin/sig/MemoryUtils.class
+++ b/bin/sig/MemoryUtils.class
--- a/bin/sig/RabiRandomTeleportation.class
+++ b/bin/sig/RabiRandomTeleportation.class
--- a/bin/sig/utils/Module.class
+++ b/bin/sig/utils/Module.class
--- a/bin/sig/utils/MyKernel32.class
+++ b/bin/sig/utils/MyKernel32.class
--- a/bin/sig/utils/MyUser32.class
+++ b/bin/sig/utils/MyUser32.class
--- a/bin/sig/utils/Psapi$LPMODULEINFO.class
+++ b/bin/sig/utils/Psapi$LPMODULEINFO.class
--- a/bin/sig/utils/Psapi.class
+++ b/bin/sig/utils/Psapi.class
--- a/bin/sig/utils/PsapiTools.class
+++ b/bin/sig/utils/PsapiTools.class
--- a/lib/jna-4.5.0.jar
+++ b/lib/jna-4.5.0.jar
--- a/lib/jna-platform-4.5.0.jar
+++ b/lib/jna-platform-4.5.0.jar
--- a/src/sig/MemoryUtils.java
+++ b/src/sig/MemoryUtils.java
@ -0,0 +1,37 @@
+package sig;
+
+import com.sun.jna.Native;
+import com.sun.jna.platform.win32.Advapi32;
+import com.sun.jna.platform.win32.Kernel32;
+import com.sun.jna.platform.win32.WinNT;
+import com.sun.jna.platform.win32.WinDef.DWORD;
+import com.sun.jna.platform.win32.WinNT.HANDLEByReference;
+
+public class MemoryUtils {
+	/**
+	 * Enables debug privileges for this process, required for OpenProcess() to
+	 * get processes other than the current user
+	 */
+	public static void enableDebugPrivilege() {
+	    HANDLEByReference hToken = new HANDLEByReference();
+	    boolean success = Advapi32.INSTANCE.OpenProcessToken(Kernel32.INSTANCE.GetCurrentProcess(),
+	            WinNT.TOKEN_QUERY | WinNT.TOKEN_ADJUST_PRIVILEGES, hToken);
+	    if (!success) {
+	        System.out.println("OpenProcessToken failed. Error: {}" + Native.getLastError());
+	        return;
+	    }
+	    WinNT.LUID luid = new WinNT.LUID();
+	    success = Advapi32.INSTANCE.LookupPrivilegeValue(null, WinNT.SE_DEBUG_NAME, luid);
+	    if (!success) {
+	    	System.out.println("LookupprivilegeValue failed. Error: {}" + Native.getLastError());
+	        return;
+	    }
+	    WinNT.TOKEN_PRIVILEGES tkp = new WinNT.TOKEN_PRIVILEGES(1);
+	    tkp.Privileges[0] = new WinNT.LUID_AND_ATTRIBUTES(luid, new DWORD(WinNT.SE_PRIVILEGE_ENABLED));
+	    success = Advapi32.INSTANCE.AdjustTokenPrivileges(hToken.getValue(), false, tkp, 0, null, null);
+	    if (!success) {
+	    	System.out.println("AdjustTokenPrivileges failed. Error: {}" + Native.getLastError());
+	    }
+	    Kernel32.INSTANCE.CloseHandle(hToken.getValue());
+	}
+}
--- a/src/sig/RabiRandomTeleportation.java
+++ b/src/sig/RabiRandomTeleportation.java
@ -0,0 +1,61 @@
+package sig;
+import sig.utils.PsapiTools;
+
+import java.util.List;
+
+import com.sun.jna.Memory;
+import com.sun.jna.Pointer;
+import com.sun.jna.platform.win32.Kernel32;
+import com.sun.jna.platform.win32.WinNT;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+import sig.utils.Module;
+
+public class RabiRandomTeleportation {
+	final int PROCESS_PERMISSIONS = WinNT.PROCESS_QUERY_INFORMATION | WinNT.PROCESS_VM_READ | WinNT.PROCESS_VM_WRITE;
+	public HANDLE rabiribiProcess = null;
+	int rabiRibiPID = -1;
+	
+	private void CheckRabiRibiClient() {
+		List<Integer> pids;
+		try {
+			pids = PsapiTools.getInstance().enumProcesses();	
+			boolean found=false;	
+			for (Integer pid : pids) {
+				HANDLE process = Kernel32.INSTANCE.OpenProcess(PROCESS_PERMISSIONS, true, pid);
+		        List<Module> hModules;
+				try {
+					hModules = PsapiTools.getInstance().EnumProcessModules(process);
+					for(Module m: hModules){
+						//System.out.println(m.getFileName()+":"+m.getEntryPoint());
+						if (m.getFileName().contains("rabiribi")) {
+							found=true;
+							long rabiRibiMemOffset = Pointer.nativeValue(m.getLpBaseOfDll().getPointer());
+							System.out.println("Found an instance of Rabi-Ribi at 0x"+Long.toHexString(rabiRibiMemOffset)+" | File:"+m.getFileName()+","+m.getBaseName());
+							rabiRibiPID=pid;
+							rabiribiProcess=process;
+							break;
+						}
+			        }
+					if (found) {
+						break;
+					}
+				} catch (Exception e) {
+					e.printStackTrace();
+				}
+				if (process!=null) {
+					Kernel32.INSTANCE.CloseHandle(process);
+				}
+			}
+			if (!found) {
+				System.out.println("Rabi-Ribi process lost.");
+			}
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+	
+	public static void main(String[] args) {
+		RabiRandomTeleportation app = new RabiRandomTeleportation();
+		app.CheckRabiRibiClient();
+	}
+}
--- a/src/sig/utils/Module.java
+++ b/src/sig/utils/Module.java
@ -0,0 +1,64 @@
+package sig.utils;
+
+import sig.utils.Psapi.LPMODULEINFO;
+import com.sun.jna.platform.win32.WinDef.HMODULE;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+
+public class Module {
+	private HANDLE hProcess;
+	private HMODULE hModule;
+	private HANDLE lpBaseOfDll = null;
+	private int SizeOfImage = 0;
+	private HANDLE EntryPoint = null;
+
+	private PsapiTools psapi = PsapiTools.getInstance();
+
+	protected Module() {
+	}
+
+	public Module(HANDLE hProcess, HMODULE hModule) {
+		this.hProcess = hProcess;
+		this.hModule = hModule;
+	}
+
+	public HMODULE getPointer() {
+		return hModule;
+	}
+
+	public String getFileName() {
+		return psapi.GetModuleFileNameExA(hProcess, hModule);
+	}
+	
+	public String getBaseName() {
+		return psapi.GetModuleBaseNameA(hProcess, hModule);
+	}
+
+	private void GetModuleInformation() {
+		if (lpBaseOfDll == null) {
+			try {
+				LPMODULEINFO x = psapi.GetModuleInformation(hProcess, hModule);
+				lpBaseOfDll = x.lpBaseOfDll;
+				SizeOfImage = x.SizeOfImage;
+				EntryPoint = x.EntryPoint;
+			} catch (Exception e) {
+				e.printStackTrace();
+			}
+		}
+	}
+
+	public HANDLE getLpBaseOfDll() {
+		GetModuleInformation();
+		return lpBaseOfDll;
+	}
+
+	public int getSizeOfImage() {
+		GetModuleInformation();
+		return SizeOfImage;
+	}
+
+	public HANDLE getEntryPoint() {
+		GetModuleInformation();
+		return EntryPoint;
+	}
+
+}
--- a/src/sig/utils/MyKernel32.java
+++ b/src/sig/utils/MyKernel32.java
@ -0,0 +1,81 @@
+package sig.utils;
+
+import com.sun.jna.Memory;
+import com.sun.jna.Native;
+import com.sun.jna.platform.win32.Kernel32;
+import com.sun.jna.ptr.IntByReference;
+
+public interface MyKernel32 extends Kernel32 {
+	final Kernel32 INSTANCE = (Kernel32) Native.loadLibrary ("kernel32", Kernel32.class);
+	
+//    BOOL WINAPI WriteProcessMemory(  
+//    __in   HANDLE hProcess,  
+//    __in   LPVOID lpBaseAddress,  
+//    __in   LPCVOID lpBuffer,  
+//    __in   SIZE_T nSize,  
+//    __out  SIZE_T *lpNumberOfBytesWritten  
+//    );  
+    boolean WriteProcessMemory(HANDLE p, int address, HANDLE buffer, int size, IntByReference written);  
+     
+     
+//    BOOL WINAPI ReadProcessMemory(  
+//              __in   HANDLE hProcess,  
+//              __in   LPCVOID lpBaseAddress,  
+//              __out  LPVOID lpBuffer,  
+//              __in   SIZE_T nSize,  
+//              __out  SIZE_T *lpNumberOfBytesRead  
+//            );  
+    boolean ReadProcessMemory(HANDLE hProcess, int inBaseAddress, Memory outputBuffer, int nSize, IntByReference outNumberOfBytesRead);  
+     
+     
+//    HANDLE WINAPI OpenProcess(  
+//      __in  DWORD dwDesiredAccess,  
+//      __in  BOOL bInheritHandle,  
+//      __in  DWORD dwProcessId  
+//    );  
+    HANDLE OpenProcess(int desired, boolean inherit, int pid);  
+     
+    
+//    BOOL WINAPI EnumProcessModules(
+//    		  _In_   HANDLE hProcess,
+//    		  _Out_  HMODULE *lphModule,
+//    		  _In_   DWORD cb,
+//    		  _Out_  LPDWORD lpcbNeeded
+//    );
+    boolean EnumProcessModules(HANDLE hProcess, HMODULE lphModule, int cb, int lpcbNeeded);
+    
+    
+//    DWORD WINAPI GetModuleFileName(
+//    		  _In_opt_  HMODULE hModule,
+//    		  _Out_     LPTSTR lpFilename,
+//    		  _In_      DWORD nSize
+//    );
+
+    int GetModuleFileName(HMODULE hModule, String lpFilename, int size);
+    
+//    DWORD WINAPI GetModuleFileNameEx(
+//    		  _In_      HANDLE hProcess,
+//    		  _In_opt_  HMODULE hModule,
+//    		  _Out_     LPTSTR lpFilename,
+//    		  _In_      DWORD nSize
+//    );
+    
+    
+//    BOOL WINAPI GetModuleHandleEx(
+//    		  _In_      DWORD dwFlags,
+//    		  _In_opt_  LPCTSTR lpModuleName,
+//    		  _Out_     HMODULE *phModule
+//    );
+
+    int GetModuleHandleExA(int permissions, String lpFilename, HMODULE module);
+    
+//    BOOL WINAPI EnumProcesses(
+//    		  _Out_  DWORD *pProcessIds,
+//    		  _In_   DWORD cb,
+//    		  _Out_  DWORD *pBytesReturned
+//    );
+
+    boolean EnumProcesses(int[] processIds, int cb, int bytesReturned);
+    
+    int GetLastError();  
+}
--- a/src/sig/utils/MyUser32.java
+++ b/src/sig/utils/MyUser32.java
@ -0,0 +1,12 @@
+package sig.utils;
+
+import com.sun.jna.Native;
+import com.sun.jna.platform.win32.User32;
+
+public interface MyUser32 extends User32 {
+    final User32 INSTANCE = (User32) Native.loadLibrary ("user32", User32.class);
+    boolean ShowWindow(HWND hWnd, int nCmdShow);
+    boolean SetForegroundWindow(HWND hWnd);
+    HWND FindWindowA(String lpClassName, String lpWindowName);
+
+}
--- a/src/sig/utils/Psapi.java
+++ b/src/sig/utils/Psapi.java
@ -0,0 +1,57 @@
+package sig.utils;
+
+import java.util.Arrays;
+import java.util.List;
+
+import com.sun.jna.Native;
+import com.sun.jna.Structure;
+import com.sun.jna.platform.win32.WinDef.HMODULE;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+import com.sun.jna.ptr.IntByReference;
+import com.sun.jna.win32.StdCallLibrary;
+
+public interface Psapi extends StdCallLibrary{
+    Psapi INSTANCE = (Psapi) Native.loadLibrary("Psapi", Psapi.class);
+
+    /*
+     * http://msdn.microsoft.com/en-us/library/ms682629(VS.85).aspx
+     */
+    boolean EnumProcesses(int[] pProcessIds, int cb, IntByReference pBytesReturned);
+    
+    
+    /*
+     * http://msdn.microsoft.com/en-us/library/ms682631(VS.85).aspx
+     */
+    boolean EnumProcessModules(HANDLE hProcess, HMODULE[] lphModule, int cb, IntByReference lpcbNeededs);
+    
+    boolean EnumProcessModulesEx(HANDLE hProcess, HMODULE[] lphModule, int cb, IntByReference lpcbNeededs, int flags);
+
+    
+    /*
+     * http://msdn.microsoft.com/en-us/library/ms683198(VS.85).aspx
+     */
+    int GetModuleFileNameExA(HANDLE hProcess, HMODULE hModule, byte[] lpImageFileName, int nSize);
+    
+    int GetModuleBaseNameA(HANDLE hProcess, HMODULE hModule, byte[] lpImageFileName, int nSize);
+
+    
+    /*
+     * http://msdn.microsoft.com/en-us/library/ms684229(VS.85).aspx
+     */
+    public static class LPMODULEINFO extends Structure {
+            public HANDLE lpBaseOfDll;
+            public int  SizeOfImage;
+            public HANDLE EntryPoint;
+			@Override
+			protected List getFieldOrder() {
+				return Arrays.asList(new String[] { "lpBaseOfDll", "SizeOfImage", "EntryPoint"});
+			}
+}
+    
+    /*
+     * http://msdn.microsoft.com/en-us/library/ms683201(VS.85).aspx
+     */
+    boolean GetModuleInformation(HANDLE hProcess, HMODULE hModule, LPMODULEINFO lpmodinfo, int cb);
+
+    
+}
--- a/src/sig/utils/PsapiTools.java
+++ b/src/sig/utils/PsapiTools.java
@ -0,0 +1,104 @@
+package sig.utils;
+
+import java.util.LinkedList;
+import java.util.List;
+
+import sig.utils.Psapi.LPMODULEINFO;
+import com.sun.jna.Native;
+import com.sun.jna.platform.win32.Kernel32;
+import com.sun.jna.platform.win32.WinDef.HMODULE;
+import com.sun.jna.platform.win32.WinNT.HANDLE;
+import com.sun.jna.ptr.IntByReference;
+
+public class PsapiTools {
+    private static PsapiTools  INSTANCE=null;
+    private static Psapi psapi = Psapi.INSTANCE;
+    private static Kernel32 k32 = MyKernel32.INSTANCE;
+
+    private PsapiTools(){}
+    
+    public static PsapiTools getInstance(){
+            if (INSTANCE==null)
+                    INSTANCE=new PsapiTools();
+            return INSTANCE;
+    }       
+
+    
+    public List<Integer> enumProcesses() throws Exception{
+            List<Integer> list = new LinkedList<Integer>();
+            
+            int[] pProcessIds = new int[1024];
+            IntByReference pBytesReturned = new IntByReference(); 
+            boolean success = psapi.EnumProcesses(pProcessIds, pProcessIds.length*Integer.SIZE/8, pBytesReturned); 
+            if (!success){
+		        int err=k32.GetLastError();
+		        throw new Exception("EnumProcesses failed. Error: "+err);
+		    }
+    
+            int size = (pBytesReturned.getValue()/(Integer.SIZE/8)); 
+            for (int i=0;i<size;i++)
+                    list.add(pProcessIds[i]);
+            
+            return list;
+    }
+     
+    public List<Module> EnumProcessModules(HANDLE hProcess) throws Exception{
+            List<Module> list = new LinkedList<Module>();
+            
+            HMODULE[] lphModule = new HMODULE[1024];
+            IntByReference lpcbNeededs= new IntByReference();
+            boolean success = psapi.EnumProcessModules(hProcess, lphModule, lphModule.length, lpcbNeededs);
+            if (!success){
+	            int err=k32.GetLastError();
+	            if (err!=6 && err!=299) {
+	            	throw new Exception("EnumProcessModules failed. Error: "+err);
+	            }
+            }
+            for (int i = 0; i < lpcbNeededs.getValue()/4; i++) {
+                    list.add(new Module(hProcess, lphModule[i]));
+            }
+            
+            return list;
+    }
+    
+    public List<Module> EnumProcessModulesEx(HANDLE hProcess, int flags) throws Exception{
+        List<Module> list = new LinkedList<Module>();
+        
+        HMODULE[] lphModule = new HMODULE[1024];
+        IntByReference lpcbNeededs= new IntByReference();
+        boolean success = psapi.EnumProcessModulesEx(hProcess, lphModule, lphModule.length, lpcbNeededs, flags);
+        if (!success){
+            int err=k32.GetLastError();
+            throw new Exception("EnumProcessModules failed. Error: "+err);
+        }
+        for (int i = 0; i < lpcbNeededs.getValue()/4; i++) {
+                list.add(new Module(hProcess, lphModule[i]));
+        }
+        
+        return list;
+}
+    
+    public String GetModuleFileNameExA(HANDLE hProcess, HMODULE hModule){
+            byte[] lpImageFileName= new byte[256];
+            psapi.GetModuleFileNameExA(hProcess, hModule, lpImageFileName, 256);
+            return Native.toString(lpImageFileName);
+    }
+    
+    public String GetModuleBaseNameA(HANDLE hProcess, HMODULE hModule){
+        byte[] lpImageFileName= new byte[256];
+        psapi.GetModuleBaseNameA(hProcess, hModule, lpImageFileName, 256);
+        return Native.toString(lpImageFileName);
+}
+    
+    public LPMODULEINFO GetModuleInformation(HANDLE hProcess, HMODULE hModule) throws Exception{
+            LPMODULEINFO lpmodinfo = new LPMODULEINFO();
+            
+            boolean success = psapi.GetModuleInformation(hProcess, hModule, lpmodinfo, lpmodinfo.size());
+            if (!success){
+            int err=k32.GetLastError();
+        throw new Exception("GetModuleInformation failed. Error: "+err);
+    }
+            return lpmodinfo;
+    }
+
+}