Been working on my own UDRL and using your project as the reference, and I'm curious if there's a reason you were using SizeOfRawData to get the size of the region needed to set to RX with VirtualProtect on these two lines?
https://github.com/kyleavery/AceLdr/blob/main/src/ace.c#L184-L185
...
Reg.Exec += IMAGE_FIRST_SECTION( Reg.NT )->SizeOfRawData;
Status = Api.ntdll.NtProtectVirtualMemory( ( HANDLE )-1, &MemoryBuffer, &Reg.Exec, PAGE_EXECUTE_READ, &OldProtection );
...
I notice in System Informer that when I try to replicate this with my own compiled payloads and inject into a process, one page of Beacon's .text section is excluded and does not get changed to RX. To remedy this, in my implementation I had to change the Reg.Exec += ... line to the following:
...
// make stub + mapped beacon RX
reg.Exec += IMAGE_FIRST_SECTION(reg.NT)->VirtualAddress + IMAGE_FIRST_SECTION(reg.NT)->Misc.VirtualSize;
pMemAddrs->stompExecSize = reg.Exec;
DWORD oldProt = 0;
if (apis.k32.pVirtualProtect(dllBase, reg.Exec, PAGE_EXECUTE_READ, &oldProt)) {
...
and after doing this the page alignment in System Informer was clean, where the UDRL stub and Beacon's .text were set to RX and the other sections stayed RW.
Not sure if this is a bug and it is still working because in your project's case the raw size still aligns to the virtual size, or if there is another intentional reason for it.
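The arithmetic behind the two size calculations compared above, as an added example that is not from the original post or from AceLdr: it reads the first section header of a PE image and reports how many bytes each formula covers once the protection call rounds to whole pages. The `exec_before` parameter, the page-aligned base, the layout assumption and the sample header values are constructed for illustration.

```python
import struct

PAGE = 0x1000

def page_up(n):
    """Round n up to the next page boundary."""
    return (n + PAGE - 1) & ~(PAGE - 1)

def first_section(pe):
    """Return (VirtualSize, VirtualAddress, SizeOfRawData) of the first section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)           # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", pe, nt + 6)       # NumberOfSections
    (opt,) = struct.unpack_from("<H", pe, nt + 20)       # SizeOfOptionalHeader
    if nsec == 0:
        raise ValueError("image has no sections")
    sec = nt + 24 + opt                                  # same offset IMAGE_FIRST_SECTION yields
    return struct.unpack_from("<III", pe, sec + 8)       # fields that follow Name[8]

def rx_coverage(pe, exec_before):
    """Compare both size formulas; exec_before is Reg.Exec prior to the +=.

    Assumes a page-aligned base and that the image is mapped right after
    exec_before bytes with sections at their VirtualAddress.
    Returns (bytes covered via SizeOfRawData, bytes covered via
    VirtualAddress + VirtualSize, pages of the section left uncovered).
    """
    vsize, vaddr, raw = first_section(pe)
    by_raw = page_up(exec_before + raw)
    by_virtual = page_up(exec_before + vaddr + vsize)
    return by_raw, by_virtual, max(0, by_virtual - by_raw) // PAGE

def sample_image(vsize, vaddr, raw):
    """Constructed header-only PE32+ image, just enough for first_section()."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    filehdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    sect = b".text\0\0\0" + struct.pack("<IIII", vsize, vaddr, raw, 0x400) + bytes(16)
    return dos + b"PE\0\0" + filehdr + bytes(0xF0) + sect

if __name__ == "__main__":
    # Constructed values: raw size is VirtualSize rounded up to a 0x200 FileAlignment.
    img = sample_image(vsize=0x2C3A1, vaddr=0x1000, raw=0x2C400)
    by_raw, by_virtual, missed = rx_coverage(img, exec_before=0x1000)
    print(f"SizeOfRawData formula: {by_raw:#x}, virtual formula: {by_virtual:#x}, "
          f"pages left out: {missed}")
```

With these constructed values the gap is exactly the section's `VirtualAddress` offset, which the `SizeOfRawData` formula never adds.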