fixed DarthTon#295

Author: DarthTon

src/BlackBone/Process/RPC/RemoteContext.hpp

@@ -134,7 +134,7 @@ class RemoteContext
                 return _ctx.R9;
 
             default:
-                return _memory.Read<DWORD64>( _ctx.Rsp + 0x30 + (index - 4) * _wordSize ).result( 0 );
+                return _memory.Read<DWORD64>( _ctx.Rsp + 0x28 + (index - 4) * _wordSize ).result( 0 );
             }
         }
         else
@@ -173,7 +173,7 @@ class RemoteContext
                 break;
 
             default:
-                return (_memory.Write( _ctx.Rsp + 0x30 + (index - 4) * _wordSize, val ) == STATUS_SUCCESS);
+                return (_memory.Write( _ctx.Rsp + 0x28 + (index - 4) * _wordSize, val ) == STATUS_SUCCESS);
             }
 
             return true;

src/BlackBoneTest/TestRemoteHook.cpp

@@ -4,7 +4,7 @@ namespace Testing
 {
     struct HookClass
     {
-        void HookFn( RemoteContext& context )
+        void HookNtOpenProcess( RemoteContext& context )
         {
             //
             // Get process ID
@@ -26,6 +26,18 @@ namespace Testing
             }
         }
 
+        void HookNtAllocateVirtualMemory( RemoteContext& context )
+        {
+            AssertEx::AreEqual( reinterpret_cast<HANDLE>(context.getArg( 0 )), GetCurrentProcess() );
+            AssertEx::AreNotEqual( context.getArg( 1 ), DWORD64( 0 ) );
+            AssertEx::AreEqual( context.getArg( 2 ), DWORD64( 0 ) );
+            AssertEx::AreNotEqual( context.getArg( 3 ), DWORD64( 0 ) );
+            AssertEx::AreEqual( context.getArg( 4 ), DWORD64( MEM_RESERVE | MEM_COMMIT ) );
+            AssertEx::AreEqual( context.getArg( 5 ), DWORD64( PAGE_EXECUTE_READWRITE ) );
+
+            calls++;
+        }
+
         Process process;
         int calls = 0;
     };
@@ -54,7 +66,7 @@ namespace Testing
             AssertEx::IsTrue( pHookFn.success() );
 
             // Hook and try to terminate from remote process
-            AssertEx::NtSuccess( hooker.process.hooks().Apply( RemoteHook::hwbp, pHookFn->procAddress, &HookClass::HookFn, hooker ) );
+            AssertEx::NtSuccess( hooker.process.hooks().Apply( RemoteHook::hwbp, pHookFn->procAddress, &HookClass::HookNtOpenProcess, hooker ) );
 
             auto terminate = MakeRemoteFunction<long( *)(DWORD)>( hooker.process, terminatePtr->procAddress );
             auto result = terminate( GetCurrentProcessId() );
@@ -65,5 +77,33 @@ namespace Testing
             AssertEx::AreEqual( ERROR_ACCESS_DENIED, result.result() );
             AssertEx::AreEqual( 1, hooker.calls );
         }
+
+        TEST_METHOD( NtAllocateVirtualMemory )
+        {
+            HookClass hooker;
+
+            auto path = GetTestHelperHost();
+            AssertEx::IsFalse( path.empty() );
+
+            // Give process some time to initialize
+            AssertEx::NtSuccess( hooker.process.CreateAndAttach( path ) );
+            Sleep( 100 );
+
+            // Get function
+            auto pHookFn = hooker.process.modules().GetNtdllExport( "NtAllocateVirtualMemory" );
+            AssertEx::IsTrue( pHookFn.success() );
+
+            PVOID base = nullptr;
+            SIZE_T size = 0xDEAD;
+            auto NtAllocateVirtualMemory = MakeRemoteFunction<NTSTATUS( __stdcall * )(HANDLE, PVOID*, ULONG_PTR, PSIZE_T, ULONG, ULONG)>( hooker.process, pHookFn->procAddress );
+
+            // Hook and try to call
+            AssertEx::NtSuccess( hooker.process.hooks().Apply( RemoteHook::hwbp, pHookFn->procAddress, &HookClass::HookNtAllocateVirtualMemory, hooker ) );
+            auto result = NtAllocateVirtualMemory.Call( { GetCurrentProcess(), &base, 0, &size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE } );
+
+            hooker.process.Terminate();
+
+            AssertEx::AreEqual( 1, hooker.calls );
+        }
     };
 }