Not able to update memory protection

[hexnov]

When trying to execute ProcessHollowing.exe, there is always the same error message for me.
I have played with different fake and real parameters and tested it on Windows 10 and 11.

Example:

ProcessHollowing.exe --fake C:\Windows\system32\svchost.exe --real C:\white\artifact64.exe

[*] Got target information.
    [*] Image Path Name : C:\Windows\system32\svchost.exe
    [*] Architecture    : x64
    [*] Command Line    : C:\Windows\system32\svchost.exe
[>] Analyzing PE image data.
[+] Image data is analyzed.
    [*] Architecture  : x64
    [*] Image Size    : 0xC000
    [*] Section Count : 9
[>] Trying to create hollowing process.
[+] Hollowing process is created successfully.
[*] ntdll!_PEB for the hollowing process is 0x000000650F2BC000.
[*] Image base address for the hollowing process is 0x00007FF7945C0000.
[*] Allocated 0xC000 bytes memory at 0x00000177FFD30000 in the hollowing process.
[>] Trying to write image data in the hollowing process.
[-] Failed to memory protection for PE headers.

Since this message is called after the Helpers.UpdateMemoryProtection() function, I assume it failed to "update" the memory protection for PE headers. I am not sure why this occurs and it is most probably a user problem, but maybe you can help me (and potential others) with this.

Thanks for your awesome work!

[CaledoniaProject]

Try patch the helper function and log the ntstatus and Win32 last error somewhere

TangledWinExec/GhostlyHollowing/GhostlyHollowing/Library/Helpers.cs

Line 458 in 7eecbc2

return (ntstatus == Win32Consts.STATUS_SUCCESS);

[daem0nc0re]

@CaledoniaProject Thanks for your help!

@hexnov Thanks for testing my code and kind words!
I guess you tried it with Debug build.
As far as I tested, Release build works correctly.
I have not known the reason yet, but NtProtectVirtualMemory API call in Helpers.UpdateMemoryProtection() returns 0xC0000018 (Conflicting Address Range) for Debug build.
If you want to trace the error message effectively, insert following code after NtProtectVirtualMemory API call in Helpers.UpdateMemoryProtection():

Console.WriteLine(Helpers.GetWin32ErrorMessage(ntstatus, true));

You will see error message as follows:

PS C:\Tools> .\ProcessHollowing-Debug.exe -f notepad.exe -r cmd.exe

[*] Got target information.
    [*] Image Path Name : C:\Windows\SYSTEM32\notepad.exe
    [*] Architecture    : x64
    [*] Command Line    : notepad.exe

--snip--

[*] Allocated 0x6C000 bytes memory at 0x0000023BB7D60000 in the hollowing process.
[>] Trying to write image data in the hollowing process.
[ERROR] Code 0x00000000 : STATUS_SUCCESS
[ERROR] Code 0x00000000 : STATUS_SUCCESS
[ERROR] Code 0xC0000018 : {Conflicting Address Range}
The specified address range conflicts with the address space.
[-] Failed to memory protection for PE headers.

I will add a note for this issue to README.md until fix it, thanks.