GetModuleNameFromAddress
contains a stack buffer overrun because it calls _tcscpy_s
with a byte count instead of a character count. On UNICODE compilations this will cause a stack buffer overrun.
BOOL GetVEHfromProc(HANDLE hProcess, ULONGLONG VEHAddress, TCHAR* cProcess, DWORD dwPID, ULONG Cookie) {
...
! TCHAR strModule[MAX_PATH]; <<< stack buffer of size MAX_PATH characters
if (GetModuleNameFromAddress(hProcess,MemDecodePointer(entry.VectoredHandler3, Cookie),strModule) == FALSE) {
_tcscpy_s(strModule, MAX_PATH * sizeof(TCHAR), _T("UNKNOWN"));
}
BOOL GetModuleNameFromAddress(HANDLE hProcess, PVOID pvPoint, TCHAR *modName) {
DWORD dwRet, dwMods;
HMODULE hModule[4096];
// Enumerate the process modules
if (EnumProcessModules(hProcess, hModule, 4096 * sizeof(HMODULE), &dwRet) == FALSE)
{
fprintf(stderr, "Couldn't enum modules\n");
return FALSE;
}
dwMods = dwRet / sizeof(HMODULE);
// fwprintf(stdout, _TEXT("[d] VEH handler #1 hunt 0x%p %d\n"), pvPoint,dwMods);
DWORD dwCnt = 0;
for (dwCnt = 0; dwCnt < dwMods; dwCnt++) {
TCHAR cModule[MAX_PATH]; // Process name
GetModuleBaseName(hProcess, hModule[dwCnt], cModule, MAX_PATH);
MODULEINFO modNFO;
if (GetModuleInformation(hProcess, hModule[dwCnt], &modNFO, sizeof(modNFO)) == TRUE) {
//fwprintf(stdout, _TEXT("[i] -//-> %p - %d\n"), modNFO.lpBaseOfDll,modNFO.SizeOfImage);
DWORD64 dwAddress = (DWORD64)pvPoint;
// Make sure the function is the expected range
if (dwAddress > (DWORD64)modNFO.lpBaseOfDll && dwAddress < ((DWORD64)modNFO.lpBaseOfDll + modNFO.SizeOfImage)) {
//fwprintf(stdout, _TEXT("\n........................\n"));
! _tcscpy_s(modName, MAX_PATH * sizeof(TCHAR), cModule); <<< in UNICODE compilations this passes in MAX_PATH * sizeof WCHAR which is a byte count not a character count.
return TRUE;
}
}
}
return FALSE;
}
The documentation for _tcscpy_s
says the dest_size parameter takes a unit count
aka a character count, not a byte count.
dest_size
Size of the destination string buffer in char units for narrow and multi-byte functions, and wchar_t units for wide functions. This value must be greater than zero and not greater than RSIZE_MAX. Ensure that this size accounts for the terminating NULL following the string.
https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/strcpy-s-wcscpy-s-mbscpy-s?view=msvc-170
|
_tcscpy_s(modName, MAX_PATH * sizeof(TCHAR), cModule); |