### Example Usage of Memory String Functions Source: https://context7.com/jdu2600/cfg-findhiddenshellcode/llms.txt Demonstrates how to use TypeString and ProtectionString functions by querying the memory information of the current process's main function. Requires Windows.h and printf. ```cpp // Example usage: int main() { MEMORY_BASIC_INFORMATION mbi = {}; VirtualQuery((PVOID)main, &mbi, sizeof(mbi)); printf("Memory type: %s\n", TypeString(&mbi)); printf("Current protection: %s\n", ProtectionString(mbi.Protect, mbi.State)); printf("Allocation protection: %s\n", ProtectionString(mbi.AllocationProtect, 0)); return 0; } // Expected output: // Memory type: MEM_IMAGE // Current protection: R-X // Allocation protection: R-X ``` -------------------------------- ### System-Wide Process Scanning Source: https://context7.com/jdu2600/cfg-findhiddenshellcode/llms.txt Enumerates all running processes using the Toolhelp32 API to detect hidden shellcode across the entire system. ```cpp #include #include #include #include SYSTEM_INFO g_sysinfo{}; int main(int argc, char* argv[]) { bool bAggressive = false; // Set true for thorough scanning with more FPs GetSystemInfo(&g_sysinfo); printf("===== Hidden Executable Pages - %s scanning all processes =====\n", bAggressive ? "aggressively" : "quickly"); // Create snapshot of all processes HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); assert(hProcessSnap != INVALID_HANDLE_VALUE); PROCESSENTRY32 pe32 = {}; pe32.dwSize = sizeof(PROCESSENTRY32); if (!Process32First(hProcessSnap, &pe32)) { CloseHandle(hProcessSnap); return 1; } do { HANDLE hProcess = OpenProcess( PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID ); if (hProcess == NULL) continue; // Access denied, skip this process std::vector hiddenAllocations = GetProcessPreviouslyExecutableRegions(hProcess, bAggressive); if (hiddenAllocations.size() > 0) { printf("%ls(%d) - %zu hidden allocations\n", pe32.szExeFile, pe32.th32ProcessID, hiddenAllocations.size()); DumpHiddenExecutableAllocations(hProcess, hiddenAllocations); } CloseHandle(hProcess); } while (Process32Next(hProcessSnap, &pe32)); CloseHandle(hProcessSnap); return 0; } ``` -------------------------------- ### Scan Process for Hidden Executable Regions (C++) Source: https://context7.com/jdu2600/cfg-findhiddenshellcode/llms.txt Scans a process's virtual address space to find memory regions that were previously executable but are now marked non-executable. Use 'false' for a quick scan or 'true' for an aggressive scan that may include more false positives. Requires HANDLE to the target process. ```cpp #include #include // Function prototype std::vector GetProcessPreviouslyExecutableRegions(HANDLE hProcess, bool bAggressive = false); // Example: Scan a specific process for hidden executable regions int main() { DWORD targetPid = 1234; // Target process ID HANDLE hProcess = OpenProcess( PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, targetPid ); if (hProcess == NULL) { printf("Failed to open process: %d\n", GetLastError()); return 1; } // Quick scan - skips some likely false positives std::vector hiddenRegions = GetProcessPreviouslyExecutableRegions(hProcess, false); printf("Found %zu hidden executable regions:\n", hiddenRegions.size()); for (const auto& region : hiddenRegions) { printf(" Hidden region at: %p\n", region); } // Aggressive scan - includes potential false positives for thorough analysis std::vector allRegions = GetProcessPreviouslyExecutableRegions(hProcess, true); printf("Aggressive scan found %zu regions\n", allRegions.size()); CloseHandle(hProcess); return 0; } // Expected output: // Found 1 hidden executable regions: // Hidden region at: 0x00007FF6A0010000 // Aggressive scan found 3 regions ``` -------------------------------- ### Convert Memory Protection to String Source: https://context7.com/jdu2600/cfg-findhiddenshellcode/llms.txt Converts memory protection flags and state to a human-readable string representation. Handles various PAGE_* constants and MEM_RESERVE state. Returns '' for unhandled combinations. ```cpp const char* ProtectionString(DWORD protection, DWORD state) { if (state == MEM_RESERVE) return "MEM_RESERVE"; switch (protection) { case PAGE_EXECUTE: return "--X"; case PAGE_EXECUTE_READ: return "R-X"; case PAGE_EXECUTE_WRITECOPY: return "RCX"; case PAGE_EXECUTE_READWRITE: return "RWX"; case PAGE_READWRITE: return "RW-"; case PAGE_READONLY: return "R--"; case PAGE_WRITECOPY: return "RC-"; case PAGE_NOACCESS: return "---"; } return ""; } ``` -------------------------------- ### Retrieve CFG Bitmap for Process (C++) Source: https://context7.com/jdu2600/cfg-findhiddenshellcode/llms.txt Retrieves the Control Flow Guard (CFG) bitmap base address for a target process. This function locates the bitmap by parsing the LdrControlFlowGuardEnforced function in ntdll.dll. Requires HANDLE to the target process. CFG may not be enabled if the bitmap cannot be located. ```cpp #include #include // Function prototypes PVOID GetCfgBitmapPointer(); PULONG_PTR GetCfgBitmap(HANDLE hProcess); // Example: Retrieve and validate CFG bitmap for a process int main() { DWORD targetPid = GetCurrentProcessId(); HANDLE hProcess = OpenProcess( PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, targetPid ); PULONG_PTR pCfgBitmap = GetCfgBitmap(hProcess); if (pCfgBitmap != NULL) { printf("CFG Bitmap located at: %p\n", pCfgBitmap); // Verify bitmap characteristics MEMORY_BASIC_INFORMATION mbi = {}; if (VirtualQueryEx(hProcess, pCfgBitmap, &mbi, sizeof(mbi))) { printf(" Allocation Base: %p\n", mbi.AllocationBase); printf(" Region Size: 0x%zx\n", mbi.RegionSize); printf(" Type: %s\n", (mbi.Type == MEM_MAPPED) ? "MEM_MAPPED" : "OTHER"); } } else { printf("Failed to locate CFG bitmap - CFG may not be enabled\n"); } CloseHandle(hProcess); return 0; } // Expected output: // CFG Bitmap located at: 0x00007DF000000000 // Allocation Base: 0x00007DF000000000 // Region Size: 0x1000 // Type: MEM_MAPPED ``` -------------------------------- ### GetProcessPreviouslyExecutableRegions Source: https://context7.com/jdu2600/cfg-findhiddenshellcode/llms.txt Scans a process's virtual address space to find memory regions that were previously executable but are now marked non-executable. This is the primary detection function that walks the CFG bitmap and compares it against current memory protection states. ```APIDOC ## GetProcessPreviouslyExecutableRegions ### Description Scans a process's virtual address space to find memory regions that were previously executable but are now marked non-executable. This function compares the CFG bitmap against current memory protection states. ### Method Not Applicable (This is a function within a tool, not a network API endpoint) ### Endpoint Not Applicable ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Request Example ```cpp #include #include // Function prototype std::vector GetProcessPreviouslyExecutableRegions(HANDLE hProcess, bool bAggressive = false); // Example: Scan a specific process for hidden executable regions int main() { DWORD targetPid = 1234; // Target process ID HANDLE hProcess = OpenProcess( PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, targetPid ); if (hProcess == NULL) { printf("Failed to open process: %d\n", GetLastError()); return 1; } // Quick scan - skips some likely false positives std::vector hiddenRegions = GetProcessPreviouslyExecutableRegions(hProcess, false); printf("Found %zu hidden executable regions:\n", hiddenRegions.size()); for (const auto& region : hiddenRegions) { printf(" Hidden region at: %p\n", region); } // Aggressive scan - includes potential false positives for thorough analysis std::vector allRegions = GetProcessPreviouslyExecutableRegions(hProcess, true); printf("Aggressive scan found %zu regions\n", allRegions.size()); CloseHandle(hProcess); return 0; } ``` ### Response #### Success Response (200) - **hiddenRegions** (std::vector) - A vector containing pointers to the start of previously executable memory regions that are now non-executable. #### Response Example ```json { "hiddenRegions": [ "0x00007FF6A0010000" ] } ``` ``` -------------------------------- ### GetCfgBitmap Source: https://context7.com/jdu2600/cfg-findhiddenshellcode/llms.txt Retrieves the CFG bitmap base address for a target process. The CFG bitmap is a 2TB MEM_MAPPED region that tracks valid call targets for Control Flow Guard enforcement. ```APIDOC ## GetCfgBitmap ### Description Retrieves the Control Flow Guard (CFG) bitmap base address for a target process. This function locates the bitmap by parsing the LdrControlFlowGuardEnforced function in ntdll.dll. ### Method Not Applicable (This is a function within a tool, not a network API endpoint) ### Endpoint Not Applicable ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Request Example ```cpp #include #include // Function prototypes PVOID GetCfgBitmapPointer(); PULONG_PTR GetCfgBitmap(HANDLE hProcess); // Example: Retrieve and validate CFG bitmap for a process int main() { DWORD targetPid = GetCurrentProcessId(); HANDLE hProcess = OpenProcess( PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, targetPid ); PULONG_PTR pCfgBitmap = GetCfgBitmap(hProcess); if (pCfgBitmap != NULL) { printf("CFG Bitmap located at: %p\n", pCfgBitmap); // Verify bitmap characteristics MEMORY_BASIC_INFORMATION mbi = {}; if (VirtualQueryEx(hProcess, pCfgBitmap, &mbi, sizeof(mbi))) { printf(" Allocation Base: %p\n", mbi.AllocationBase); printf(" Region Size: 0x%zx\n", mbi.RegionSize); printf(" Type: %s\n", (mbi.Type == MEM_MAPPED) ? "MEM_MAPPED" : "OTHER"); } } else { printf("Failed to locate CFG bitmap - CFG may not be enabled\n"); } CloseHandle(hProcess); return 0; } ``` ### Response #### Success Response (200) - **pCfgBitmap** (PULONG_PTR) - A pointer to the base address of the CFG bitmap for the target process. - **mbi** (MEMORY_BASIC_INFORMATION) - Structure containing information about the memory region of the CFG bitmap, including AllocationBase, RegionSize, and Type. #### Response Example ```json { "pCfgBitmap": "0x00007DF000000000", "mbi": { "AllocationBase": "0x00007DF000000000", "RegionSize": "0x1000", "Type": "MEM_MAPPED" } } ``` ``` -------------------------------- ### Convert Memory Type to String Source: https://context7.com/jdu2600/cfg-findhiddenshellcode/llms.txt Converts the MEMORY_BASIC_INFORMATION Type field to a human-readable string. Handles MEM_PRIVATE, MEM_MAPPED, and MEM_IMAGE types. Returns '' for unhandled types. ```cpp #include const char* TypeString(MEMORY_BASIC_INFORMATION* pMbi) { switch (pMbi->Type) { case MEM_PRIVATE: return "MEM_PRIVATE"; case MEM_MAPPED: return "MEM_MAPPED"; case MEM_IMAGE: return "MEM_IMAGE"; } if (pMbi->State == MEM_FREE) return "MEM_FREE"; return ""; } ``` -------------------------------- ### Dump Hidden Executable Allocations Source: https://context7.com/jdu2600/cfg-findhiddenshellcode/llms.txt Outputs forensic details for identified hidden memory regions, including protection states and potential false positive indicators. ```cpp #include #include // Function prototype void DumpHiddenExecutableAllocations( HANDLE hProcess, const std::vector& hiddenExecutableAllocations ); // Example: Full analysis of hidden regions in a process int main() { DWORD targetPid = 5678; HANDLE hProcess = OpenProcess( PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, targetPid ); if (hProcess == NULL) { printf("Access denied to process %d\n", targetPid); return 1; } // First, detect hidden regions std::vector hiddenAllocations = GetProcessPreviouslyExecutableRegions(hProcess, true); if (hiddenAllocations.size() > 0) { printf("Process %d - %zu hidden allocations found\n", targetPid, hiddenAllocations.size()); // Dump detailed information about each hidden region DumpHiddenExecutableAllocations(hProcess, hiddenAllocations); } CloseHandle(hProcess); return 0; } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.