
Untitled

a guest
Jan 20th, 2020
  // Decides whether `address` should be treated as plain, committed read/write
  // memory of the current process.
  //
  // Checks, in order:
  //   1. `address` is non-null.
  //   2. `address` does not fall inside the 4-byte window starting at any of the
  //      debug-register addresses Dr0..Dr3 of thread Global::firstTid.
  //   3. NtQueryVirtualMemory (information class 4, working-set-ex) succeeds for
  //      the page and reports Valid set, Bad clear, and a protection exactly
  //      equal to PAGE_READWRITE.
  //   4. Only when `list_size` is non-zero: the MEMORY_BASIC_INFORMATION region
  //      reported for `address` is at least `list_size` bytes long.
  //
  // Returns true when every check passes. Each rejection after the debug-register
  // lookup is reported through sp() before returning false.
  //
  // NOTE(review): the result is a snapshot. The debug-register values are cached
  // in a function-local static after the first successful read and never
  // refreshed, and page state can change between this call and any later access,
  // so callers should not treat `true` as a lasting guarantee.
  // NOTE(review): the static caches are written without any synchronization
  // visible here -- confirm this is only ever called from one thread.
  bool AddressValidRw(ULONG_PTR address, SIZE_T list_size = 0) {
      // Local declaration of the working-set-ex attribute word. The bit-field
      // widths in each view add up to 64, so this layout presumes a 64-bit
      // ULONG_PTR.
      typedef struct _MEMORY_WORKING_SET_EX_BLOCK
      {
          union
          {
              // View used by the checks below.
              struct
              {
                  ULONG_PTR Valid : 1;
                  ULONG_PTR ShareCount : 3;
                  ULONG_PTR Win32Protection : 11;
                  ULONG_PTR Shared : 1;
                  ULONG_PTR Node : 6;
                  ULONG_PTR Locked : 1;
                  ULONG_PTR LargePage : 1;
                  ULONG_PTR Priority : 3;
                  ULONG_PTR Reserved : 3;
                  ULONG_PTR SharedOriginal : 1;
                  ULONG_PTR Bad : 1;
                  ULONG_PTR ReservedUlong : 32;
              };
              // Alternate view of the same word; not read by this function.
              struct
              {
                  ULONG_PTR Valid : 1;
                  ULONG_PTR Reserved0 : 14;
                  ULONG_PTR Shared : 1;
                  ULONG_PTR Reserved1 : 5;
                  ULONG_PTR PageTable : 1;
                  ULONG_PTR Location : 2;
                  ULONG_PTR Priority : 3;
                  ULONG_PTR ModifiedList : 1;
                  ULONG_PTR Reserved2 : 2;
                  ULONG_PTR SharedOriginal : 1;
                  ULONG_PTR Bad : 1;
                  ULONG_PTR ReservedUlong : 32;
              } Invalid;
          };
      } MEMORY_WORKING_SET_EX_BLOCK, * PMEMORY_WORKING_SET_EX_BLOCK;

      // Request/response record: the caller fills VirtualAddress, the query
      // fills u1.
      typedef struct _MEMORY_WORKING_SET_EX_INFORMATION
      {
          PVOID VirtualAddress;
          union
          {
              MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes;
              ULONG_PTR Long;
          } u1;
      } MEMORY_WORKING_SET_EX_INFORMATION, * PMEMORY_WORKING_SET_EX_INFORMATION;

      // Signature used for the dynamically resolved NtQueryVirtualMemory. The
      // information class is passed as a ULONGLONG, as in the original call
      // sites, and no calling convention is spelled out.
      using QueryVirtualMemoryFn = NTSTATUS(*)(HANDLE, PVOID, ULONGLONG, PVOID, SIZE_T, PSIZE_T);

      // Information-class values handed to NtQueryVirtualMemory below.
      const ULONGLONG kBasicInformationClass = 0;
      const ULONGLONG kWorkingSetExInformationClass = 4;

      if (address == 0)
          return false;

      // Debug-register snapshot of thread Global::firstTid, kept for the lifetime
      // of the process once all four address registers were seen non-zero.
      static CONTEXT dbgRegs = { 0 };
      const auto anyRegisterUnset = []() {
          return !dbgRegs.Dr0 || !dbgRegs.Dr1 || !dbgRegs.Dr2 || !dbgRegs.Dr3;
      };

      if (anyRegisterUnset()) {
          // The handle is opened with THREAD_ALL_ACCESS although the only call
          // made on it is GetThreadContext.
          HANDLE thread = OpenThread(THREAD_ALL_ACCESS, FALSE, Global::firstTid);
          if (!thread)
              return false;

          dbgRegs.ContextFlags = CONTEXT_DEBUG_REGISTERS;
          const BOOL gotContext = GetThreadContext(thread, &dbgRegs);
          CloseHandle(thread);
          if (!gotContext)
              return false;

          // All four registers must hold an address; otherwise the function
          // refuses every request and retries the read on the next call.
          if (anyRegisterUnset())
              return false;
      }

      // Reject an address that starts inside [DrN, DrN + sizeof(ULONG)) for any
      // of the four registers. Only the start address is compared.
      const ULONG_PTR watchedBases[] = { dbgRegs.Dr0, dbgRegs.Dr1, dbgRegs.Dr2, dbgRegs.Dr3 };
      bool insideWatchedWindow = false;
      for (const ULONG_PTR base : watchedBases) {
          if (address >= base && address < base + sizeof(ULONG)) {
              insideWatchedWindow = true;
              break;
          }
      }
      if (insideWatchedWindow) {
          sp("addressinside trap!!");
          return false;
      }

      MEMORY_WORKING_SET_EX_INFORMATION pageInfo = { 0 };
      pageInfo.VirtualAddress = reinterpret_cast<PVOID>(address);
      SIZE_T retLen = 0;

      // The export is looked up by name once and stored passed through EPtr();
      // EPtr() is applied again before every call.
      // NOTE(review): neither GetModuleHandleA nor GetProcAddress is checked for
      // failure, so a failed lookup is not detected here -- what EPtr() yields
      // for a null input is not visible in this listing.
      static PVOID FAddr = nullptr;
      if (!FAddr)
          FAddr = EPtr(GetProcAddress(GetModuleHandleA(E("ntdll.dll")), E("NtQueryVirtualMemory")));

      // Thin wrapper: query the current process ((HANDLE)-1) about `address`.
      const auto queryCurrentProcess = [&](ULONGLONG infoClass, PVOID out, SIZE_T outSize) -> NTSTATUS {
          return reinterpret_cast<QueryVirtualMemoryFn>(EPtr(FAddr))(
              (HANDLE)(-1), reinterpret_cast<PVOID>(address), infoClass, out, outSize, &retLen);
      };

      NTSTATUS status = queryCurrentProcess(kWorkingSetExInformationClass, &pageInfo, sizeof(pageInfo));

      // The protection comparison is exact: any value other than PAGE_READWRITE
      // (including PAGE_READWRITE combined with modifier bits) is rejected.
      const bool plainReadWritePage = NT_SUCCESS(status)
          && pageInfo.u1.VirtualAttributes.Valid
          && !pageInfo.u1.VirtualAttributes.Bad
          && pageInfo.u1.VirtualAttributes.Win32Protection == PAGE_READWRITE;
      if (!plainReadWritePage) {
          sp("trappage!!");
          return false;
      }

      // No length requested: the single-page verdict is the answer.
      if (!list_size)
          return true;

      // NOTE(review): RegionSize is compared with list_size directly. If
      // RegionSize is counted from mbi.BaseAddress rather than from `address`
      // (as documented for VirtualQuery), the offset of `address` inside the
      // region is not subtracted, so a buffer starting part-way into the region
      // can extend past its end and still pass -- verify against callers.
      MEMORY_BASIC_INFORMATION regionInfo = { 0 };
      status = queryCurrentProcess(kBasicInformationClass, &regionInfo, sizeof(regionInfo));
      if (NT_SUCCESS(status) && regionInfo.RegionSize >= list_size)
          return true;

      sp("dividedlist!!");
      return false;
  }