TheWover/DInvoke

A few Memory and handle leaks

JohnLaTwC opened this issue · 0 comments

Issue 1

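Handle leak: CreateSection returns the section handle obtained from NtCreateSection, and Allocate stores it in sectionAddress. This handle is never closed, so it leaks on every call. Once the views have been mapped the handle can be closed, because a mapped view keeps the section object alive.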

        public IntPtr Allocate(PICPayload Payload, Process Process, IntPtr PreferredAddress)
        {
            // Get a convenient handle for the target process.
            IntPtr procHandle = Process.Handle;

            // Create a section to hold our payload
            IntPtr sectionAddress = CreateSection((uint)Payload.Payload.Length, sectionAttributes);
! No call to CloseHandle on sectionAddress 

            // Map a view of the section into our current process with RW permissions

IntPtr sectionAddress = CreateSection((uint)Payload.Payload.Length, sectionAttributes);

Issue 2

Handle leak: the section handle (hSection) created by the NtCreateSection call in MapModuleFromDisk is never closed.

            // Create section from hFile
            IntPtr hSection = IntPtr.Zero;
            ulong MaxSize = 0;
            Data.Native.NTSTATUS ret = DynamicInvoke.Native.NtCreateSection(
                ref hSection,
! No call to CloseHandle on hSection
                (UInt32)Data.Win32.WinNT.ACCESS_MASK.SECTION_ALL_ACCESS,
                IntPtr.Zero,
                ref MaxSize,
                Data.Win32.WinNT.PAGE_READONLY,
                Data.Win32.WinNT.SEC_IMAGE,
                hFile
            );

Data.Native.NTSTATUS ret = DynamicInvoke.Native.NtCreateSection(

Issue 3

Memory leak: pObjectName is allocated with Marshal.AllocHGlobal in MapModuleFromDisk, but there is no matching call to Marshal.FreeHGlobal.

        public static Data.PE.PE_MANUAL_MAP MapModuleFromDisk(string DLLPath)
        {
            IntPtr pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(ObjectName));
! No call to Marshal.FreeHGlobal for this object

IntPtr pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(ObjectName));

Issue 4

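Memory leak on the exception path of MapModuleToMemory: when a section write fails, the function throws without calling Marshal.FreeHGlobal on pModule. The line marked + below is the proposed fix. A try/finally around the mapping steps would also release pModule if RelocateModule, RewriteModuleIAT or SetModuleSectionPermissions throws; callers that free pModule themselves on failure would need adjusting to avoid a double free.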

        public static Data.PE.PE_MANUAL_MAP MapModuleToMemory(IntPtr pModule, IntPtr pImage, Data.PE.PE_META_DATA PEINFO)
        {
...
            // Write PE header to memory
            UInt32 SizeOfHeaders = PEINFO.Is32Bit ? PEINFO.OptHeader32.SizeOfHeaders : PEINFO.OptHeader64.SizeOfHeaders;
            UInt32 BytesWritten = DynamicInvoke.Native.NtWriteVirtualMemory((IntPtr)(-1), pImage, pModule, SizeOfHeaders);

            // Write sections to memory
            foreach (Data.PE.IMAGE_SECTION_HEADER ish in PEINFO.Sections)
            {
                // Calculate offsets
                IntPtr pVirtualSectionBase = (IntPtr)((UInt64)pImage + ish.VirtualAddress);
                IntPtr pRawSectionBase = (IntPtr)((UInt64)pModule + ish.PointerToRawData);

                // Write data
                BytesWritten = DynamicInvoke.Native.NtWriteVirtualMemory((IntPtr)(-1), pVirtualSectionBase, pRawSectionBase, ish.SizeOfRawData);
                if (BytesWritten != ish.SizeOfRawData)
                {
+                    Marshal.FreeHGlobal(pModule);
                    throw new InvalidOperationException("Failed to write to memory.");
                }
            }

            // Perform relocations
            RelocateModule(PEINFO, pImage);

            // Rewrite IAT
            RewriteModuleIAT(PEINFO, pImage);

            // Set memory protections
            SetModuleSectionPermissions(PEINFO, pImage);

            // Free temp HGlobal
            Marshal.FreeHGlobal(pModule);

throw new InvalidOperationException("Failed to write to memory.");