
RunPE: strange behaviour of NtUnmapViewOfSection

arsarsov

The code itself is perfectly ordinary: classic RunPE. It calls NtUnmapViewOfSection if the image bases match and then allocates memory; if the bases don't match, it allocates memory at the required base right away.
Test subjects: notepad.exe and ProcessHacker.
Injecting ProcessHacker into notepad.

x64:
Since ASLR is enabled, the image bases don't match, NtUnmapViewOfSection is not called, Process Hacker loads into the address space and starts successfully, works without complaint, everything is perfect.
BUT, if I deliberately comment out the condition for calling NtUnmapViewOfSection on the old base address, so that it is always called and wipes the memory at the old base of the process being injected into,
then Process Hacker loads into memory, its interface appears and works, you can click buttons, go into menu items, open About and so on, but it shows nothing about system information: 0 processes, 0 connections and so on.

x32:
If you repeat the same experiment on 32 bits, Process Hacker doesn't start at all: it crashes with error code 0xC0000005. Strange that it works on 64 bits, albeit only partially and with that interface glitch.
//=======//
How can this behaviour be explained? Essentially we call NtUnmapViewOfSection on the old base and don't touch the new image at all, because it doesn't exist yet; at this stage memory hasn't even been allocated for it.
Maybe some important process structures are affected by this? What does everyone think?
 
UPD:
x64 and x32:
If NtUnmapViewOfSection is called after ResumeThread, when the injected image is already in place and set up, the problem disappears and everything works great, but a sleep is needed, literally 100 ms after ResumeThread; then it works correctly and stably.
Now it's even more interesting what this peculiarity is about.

UPD:
Checked under a debugger: NtUnmapViewOfSection is called correctly, the old image's memory is wiped after the call. The only question is why doing it before ResumeThread causes glitches.
 
Did you handle relocs and TLS?
Dude, this is RunPE, not LoadPE. Why the crap if you don't get that with RunPE none of that needs handling?
It's spelled out in black and white:
The code itself is perfectly ordinary: classic RunPE
And what could that mean? It means that
1) CreateProcessA(..., CREATE_SUSPENDED, ...)
2) GetThreadContext
3) ReadProcessMemory // imageBase from the PEB
4) if the base is already occupied, NtUnmapViewOfSection on the old image
5) VirtualAllocEx // for the new image
6) WriteProcessMemory // headers and sections + the new base into the PEB
7) SetThreadContext
8) ResumeThread

This works perfectly if the bases don't match and step 4 is not executed; if the condition is removed so that step 4 always runs and wipes the old image's memory, it causes glitches.
If step 4 is moved after step 8, it works and causes no glitches, provided there's a small delay after step 8.
And you apparently didn't read my messages at all, or you lacked the knowledge to understand what was written.
I'm waiting for a reasoned answer from someone who understands this; why write crap?
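From a detection standpoint, the eight-step chain above (and the reordered variant from the update, where the unmap lands roughly 100 ms after ResumeThread) is a sequence a monitor can correlate per child process. The following is an added example, not code from the thread: a small detector over a constructed API trace whose line format ("<ms> <api> k=v ...") is invented here; a real source (ETW, Sysmon, an API monitor) would need to be mapped onto it first.

```python
# Added example: correlate the RunPE / process-hollowing API chain per child
# process.  Trace format is constructed for this example, not any tool's output.
from collections import defaultdict

# Order given in the thread.  ReadProcessMemory and the unmap are not required:
# the unmap is optional and may also come after ResumeThread (the ~100 ms variant).
REQUIRED = ("GetThreadContext", "VirtualAllocEx", "WriteProcessMemory",
            "SetThreadContext", "ResumeThread")


def parse(line):
    """'<ms> <api> k=v k=v ...' -> (ms, api, {k: v}).  Constructed format."""
    ms, api, *kv = line.split()
    return int(ms), api, dict(p.split("=", 1) for p in kv)


def detect_hollowing(lines):
    """Return one finding per child that was created CREATE_SUSPENDED and then
    received the REQUIRED calls in order.  'unmap' is 'before_resume',
    'after_resume' (with the delay in ms) or 'none'."""
    suspended = set()
    calls = defaultdict(list)  # child pid -> [(ms, api)] in trace order
    for ms, api, args in map(parse, lines):
        if api.startswith("CreateProcess") and "CREATE_SUSPENDED" in args.get("flags", ""):
            suspended.add(args["child"])
        elif "target" in args:
            calls[args["target"]].append((ms, api))

    findings = []
    for child in sorted(suspended):
        seq = calls.get(child, [])
        apis = [a for _, a in seq]
        pos = -1
        for want in REQUIRED:  # each step must follow the previous one
            try:
                pos = apis.index(want, pos + 1)
            except ValueError:
                break
        else:
            resume_ms = seq[pos][0]
            unmaps = [ms for ms, a in seq if a == "NtUnmapViewOfSection"]
            if not unmaps:
                variant, delay = "none", 0
            elif unmaps[0] < resume_ms:
                variant, delay = "before_resume", 0
            else:
                variant, delay = "after_resume", unmaps[0] - resume_ms
            findings.append({"child": child, "unmap": variant, "unmap_delay_ms": delay})
    return findings


# Constructed traces.  Classic order from the thread's step list:
TRACE_CLASSIC = [
    "10 CreateProcessA child=5678 flags=CREATE_SUSPENDED",
    "12 GetThreadContext target=5678",
    "13 ReadProcessMemory target=5678 what=PEB.ImageBaseAddress",
    "14 NtUnmapViewOfSection target=5678",
    "15 VirtualAllocEx target=5678",
    "16 WriteProcessMemory target=5678 what=headers+sections",
    "17 WriteProcessMemory target=5678 what=PEB.ImageBaseAddress",
    "18 SetThreadContext target=5678",
    "19 ResumeThread target=5678",
]
# Variant from the update: unmap about 100 ms after ResumeThread.
TRACE_LATE_UNMAP = [l for l in TRACE_CLASSIC if "NtUnmap" not in l] + [
    "119 NtUnmapViewOfSection target=5678",
]
# Benign: a debugger-style suspended start with no context or memory writes.
TRACE_BENIGN = [
    "10 CreateProcessA child=9999 flags=CREATE_SUSPENDED",
    "11 ResumeThread target=9999",
]

if __name__ == "__main__":
    for name, trace in (("classic", TRACE_CLASSIC), ("late unmap", TRACE_LATE_UNMAP),
                        ("benign", TRACE_BENIGN)):
        print(name, detect_hollowing(trace))
```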

C:
#include <stdio.h>

int mas_size = 15;
volatile unsigned char seed = 206;
unsigned char Function_0 (unsigned char x) {return (unsigned char)((unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(~((unsigned char)x))|(unsigned char)50)<<(unsigned char)1)-1)|(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)*(unsigned char)31)+(unsigned char)216)+(unsigned char)(~(unsigned char)(((unsigned char)x)*(unsigned char)57)))&(unsigned char)195)|(unsigned char)83)+(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)-1)|(unsigned char)211)^(unsigned char)(~((unsigned char)x)))|(unsigned char)173)^(unsigned char)181))*(unsigned char)233)))^(unsigned char)67);}
unsigned char Function_1 (unsigned char x) {return (unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(-(unsigned char)((unsigned char)((unsigned char)((unsigned char)(-((unsigned char)x))&(unsigned char)87)|(unsigned char)(-(unsigned char)((unsigned char)(-((unsigned char)x))-(unsigned char)(((unsigned char)x)|(unsigned char)197))))+(unsigned char)99))-(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)>>(unsigned char)3)|(unsigned char)(((unsigned char)x)-(unsigned char)43))<<(unsigned char)1)-(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)*(unsigned char)145)^(unsigned char)(((unsigned char)x)&(unsigned char)198))&(unsigned char)131))^(unsigned char)119)|(unsigned char)200))^(unsigned char)109)^(unsigned char)(~(unsigned char)(((unsigned char)x)-1)))&(unsigned char)78)-(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)*(unsigned char)14)-1)*(unsigned char)46))<<(unsigned char)1)*(unsigned char)241)-(unsigned char)((unsigned char)((unsigned char)(-(unsigned char)((unsigned char)(((unsigned char)x)&(unsigned char)172)>>(unsigned char)2))>>(unsigned char)3)-(unsigned char)174))&(unsigned char)227)+1)|(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)&(unsigned char)252)-(unsigned char)(((unsigned char)x)+1))&(unsigned char)40)|(unsigned char)26)^(unsigned char)((unsigned char)(((unsigned char)x)+1)-(unsigned char)244))>>(unsigned char)4)^(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)>>(unsigned char)3)^(unsigned char)((unsigned char)(((unsigned char)x)<<(unsigned char)3)|(unsigned char)138))&(unsigned char)138))+1)^(unsigned char)((unsigned 
char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)^(unsigned char)237)&(unsigned char)(((unsigned char)x)+(unsigned char)105))-(unsigned char)93)-(unsigned char)(((unsigned char)x)+(unsigned char)159))*(unsigned char)87)^(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)<<(unsigned char)3)<<(unsigned char)4)+1))*(unsigned char)178)|(unsigned char)172)-1)*(unsigned char)218)|(unsigned char)((unsigned char)((unsigned char)(~(unsigned char)(((unsigned char)x)&(unsigned char)136))*(unsigned char)190)&(unsigned char)221))<<(unsigned char)1))>>(unsigned char)3))^(unsigned char)199)^(unsigned char)184);}
unsigned char Function_2 (unsigned char x) {return (unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)+1)+(unsigned char)(~((unsigned char)x)))*(unsigned char)200)*(unsigned char)((unsigned char)((unsigned char)(-((unsigned char)x))-(unsigned char)(((unsigned char)x)^(unsigned char)96))+1))|(unsigned char)112)&(unsigned char)247)>>(unsigned char)1)|(unsigned char)3)&(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(~(unsigned char)((unsigned char)(((unsigned char)x)&(unsigned char)141)-(unsigned char)(((unsigned char)x)|(unsigned char)27)))^(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)*(unsigned char)202)*(unsigned char)(((unsigned char)x)+1))|(unsigned char)160))*(unsigned char)8)&(unsigned char)173)|(unsigned char)43))-1)^(unsigned char)67);}
unsigned char Function_3 (unsigned char x) {return (unsigned char)((unsigned char)(-(unsigned char)((unsigned char)(~(unsigned char)((unsigned char)(-(unsigned char)(-(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)>>(unsigned char)3)-1)*(unsigned char)(-(unsigned char)(((unsigned char)x)<<(unsigned char)3)))))+(unsigned char)131))-(unsigned char)(-(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)-(unsigned char)229)>>(unsigned char)3)-1))))^(unsigned char)103);}
unsigned char Function_4 (unsigned char x) {return (unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(~(unsigned char)(((unsigned char)x)-1))+(unsigned char)52)^(unsigned char)13)|(unsigned char)137)&(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)-1)|(unsigned char)(((unsigned char)x)&(unsigned char)119))+(unsigned char)128)-1)|(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)<<(unsigned char)1)-(unsigned char)18)-1))^(unsigned char)236)-1)&(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)&(unsigned char)7)*(unsigned char)148)^(unsigned char)((unsigned char)(((unsigned char)x)-1)-(unsigned char)215))|(unsigned char)42)*(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)>>(unsigned char)2)|(unsigned char)(((unsigned char)x)>>(unsigned char)2))|(unsigned char)39)^(unsigned char)233)-1))+1)-(unsigned char)187)+(unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)(-(unsigned char)(((unsigned char)x)&(unsigned char)204))&(unsigned char)((unsigned char)(((unsigned char)x)*(unsigned char)69)-(unsigned char)51))|(unsigned char)15)*(unsigned char)43)))-1))^(unsigned char)16)+(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(~(unsigned char)((unsigned char)(-((unsigned char)x))^(unsigned char)(((unsigned char)x)|(unsigned char)200)))<<(unsigned char)1)-(unsigned char)103)-1)>>(unsigned char)3)|(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)^(unsigned char)246)^(unsigned char)(-((unsigned char)x)))^(unsigned char)167)+(unsigned 
char)71)*(unsigned char)150)+1))^(unsigned char)101)&(unsigned char)163))-1))+(unsigned char)82)^(unsigned char)128);}
unsigned char Function_5 (unsigned char x) {return (unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(-(unsigned char)(-(unsigned char)((unsigned char)((unsigned char)((unsigned char)(~(unsigned char)((unsigned char)(((unsigned char)x)+(unsigned char)71)<<(unsigned char)3))>>(unsigned char)3)>>(unsigned char)2)+(unsigned char)((unsigned char)((unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)>>(unsigned char)4)>>(unsigned char)2)>>(unsigned char)1)*(unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)+1)-1)&(unsigned char)(((unsigned char)x)<<(unsigned char)3))>>(unsigned char)4)))^(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)*(unsigned char)100)+(unsigned char)109)+(unsigned char)179)+1)-(unsigned char)90))-(unsigned char)188))))*(unsigned char)185)^(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(-(unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)-1)*(unsigned char)(~((unsigned char)x)))>>(unsigned char)1)^(unsigned char)((unsigned char)((unsigned char)(~((unsigned char)x))<<(unsigned char)3)<<(unsigned char)4)))^(unsigned char)103)^(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(~(unsigned char)(~(unsigned char)((unsigned char)(((unsigned char)x)&(unsigned char)62)-(unsigned char)(-((unsigned char)x)))))^(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)-1)-(unsigned char)236)<<(unsigned char)4))>>(unsigned char)2)|(unsigned char)50)-(unsigned char)92)<<(unsigned char)3))-1)*(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(-(unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)^(unsigned char)145)&(unsigned char)102)-1)+1))*(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned 
char)(((unsigned char)x)+1)^(unsigned char)206)<<(unsigned char)3)+1)|(unsigned char)138))-1)<<(unsigned char)3)<<(unsigned char)1))+(unsigned char)147))+(unsigned char)123)^(unsigned char)181);}
unsigned char Function_6 (unsigned char x) {return (unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)+1)&(unsigned char)((unsigned char)(((unsigned char)x)|(unsigned char)79)|(unsigned char)107))+1)^(unsigned char)213)>>(unsigned char)1))+(unsigned char)206)&(unsigned char)((unsigned char)((unsigned char)((unsigned char)(-(unsigned char)((unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)+1)<<(unsigned char)4)-(unsigned char)(((unsigned char)x)+(unsigned char)208))*(unsigned char)217)+(unsigned char)90))|(unsigned char)(-(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)|(unsigned char)79)+1)+1)+(unsigned char)60)-(unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)>>(unsigned char)3)+1)+1)*(unsigned char)242)))))*(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)+1)-1)>>(unsigned char)4)-(unsigned char)((unsigned char)((unsigned char)(-((unsigned char)x))^(unsigned char)204)<<(unsigned char)3))-1)^(unsigned char)184)^(unsigned char)102))|(unsigned char)226)-1))-1)^(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(-(unsigned char)(-(unsigned char)((unsigned char)(((unsigned char)x)-(unsigned char)140)|(unsigned char)(((unsigned char)x)<<(unsigned char)3))))+1)*(unsigned char)((unsigned char)(-(unsigned char)((unsigned char)(((unsigned char)x)<<(unsigned char)1)^(unsigned char)190))|(unsigned char)126))>>(unsigned char)2)+(unsigned char)178)-1)^(unsigned char)((unsigned char)((unsigned char)(-(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned 
char)x)*(unsigned char)115)|(unsigned char)(((unsigned char)x)+(unsigned char)62))-1)*(unsigned char)(~((unsigned char)x)))*(unsigned char)216))<<(unsigned char)4)-(unsigned char)204))+(unsigned char)42)&(unsigned char)45))<<(unsigned char)4)^(unsigned char)21);}
unsigned char Function_7 (unsigned char x) {return (unsigned char)((unsigned char)((unsigned char)((unsigned char)(-(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(-(unsigned char)(((unsigned char)x)-(unsigned char)126))<<(unsigned char)1)^(unsigned char)(-(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)-1)|(unsigned char)216)&(unsigned char)(~(unsigned char)((unsigned char)(-((unsigned char)x))-(unsigned char)(((unsigned char)x)^(unsigned char)77))))))<<(unsigned char)4)&(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(-((unsigned char)x))*(unsigned char)47)*(unsigned char)((unsigned char)(((unsigned char)x)+(unsigned char)15)|(unsigned char)226))-1)|(unsigned char)(~(unsigned char)(-(unsigned char)(((unsigned char)x)|(unsigned char)65))))+1)))*(unsigned char)((unsigned char)(-(unsigned char)(-(unsigned char)(((unsigned char)x)+1)))<<(unsigned char)2))-1)^(unsigned char)172);}
unsigned char Function_8 (unsigned char x) {return (unsigned char)((unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(~(unsigned char)(-(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)-(unsigned char)134)^(unsigned char)(((unsigned char)x)*(unsigned char)118))-1)))+(unsigned char)224)|(unsigned char)153)^(unsigned char)(-(unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)(~((unsigned char)x))|(unsigned char)(((unsigned char)x)>>(unsigned char)2))-1)<<(unsigned char)2))))|(unsigned char)161)*(unsigned char)(-(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(~((unsigned char)x))|(unsigned char)38)*(unsigned char)70)*(unsigned char)124)+(unsigned char)205))))^(unsigned char)90);}
unsigned char Function_9 (unsigned char x) {return (unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(~((unsigned char)x))|(unsigned char)16)+(unsigned char)125)<<(unsigned char)3)^(unsigned char)((unsigned char)(~(unsigned char)(((unsigned char)x)&(unsigned char)41))&(unsigned char)139)))>>(unsigned char)2)^(unsigned char)85)>>(unsigned char)2)+1)&(unsigned char)222)|(unsigned char)227)-1)^(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)<<(unsigned char)4)|(unsigned char)161)-(unsigned char)80)*(unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)>>(unsigned char)4)|(unsigned char)63)+1)+1))^(unsigned char)206)&(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)-1)-1)<<(unsigned char)2)-(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)>>(unsigned char)2)&(unsigned char)147)^(unsigned char)((unsigned char)(((unsigned char)x)-1)<<(unsigned char)4))+1)-(unsigned char)53))-(unsigned char)222)|(unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)*(unsigned char)224)*(unsigned char)143)+(unsigned char)211)+(unsigned char)43))-1)-(unsigned char)111))-1)*(unsigned char)166)*(unsigned char)237)|(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)|(unsigned char)230)+1)+1)*(unsigned char)133)|(unsigned char)(-(unsigned char)((unsigned char)((unsigned char)(((unsigned 
char)x)<<(unsigned char)1)+(unsigned char)177)+1)))+(unsigned char)251)|(unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)*(unsigned char)74)-(unsigned char)((unsigned char)(((unsigned char)x)-(unsigned char)234)+(unsigned char)78))+1)^(unsigned char)12))&(unsigned char)15)+(unsigned char)240)+(unsigned char)26)&(unsigned char)195)&(unsigned char)49))-(unsigned char)46))&(unsigned char)172)^(unsigned char)140);}
unsigned char Function_10 (unsigned char x) {return (unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)>>(unsigned char)4)-(unsigned char)228)+(unsigned char)(((unsigned char)x)<<(unsigned char)2))+1)^(unsigned char)137)^(unsigned char)157)&(unsigned char)((unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)(~((unsigned char)x))|(unsigned char)(((unsigned char)x)^(unsigned char)92))>>(unsigned char)3)<<(unsigned char)2))&(unsigned char)193))-(unsigned char)1)-(unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)<<(unsigned char)1)>>(unsigned char)3)*(unsigned char)24)-(unsigned char)250)))|(unsigned char)192)^(unsigned char)169);}
unsigned char Function_11 (unsigned char x) {return (unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(-(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)+1)&(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)<<(unsigned char)2)&(unsigned char)(((unsigned char)x)>>(unsigned char)4))-1))|(unsigned char)157))*(unsigned char)106)*(unsigned char)143)*(unsigned char)214)|(unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(-(unsigned char)((unsigned char)(((unsigned char)x)|(unsigned char)233)&(unsigned char)(((unsigned char)x)^(unsigned char)33)))|(unsigned char)((unsigned char)((unsigned char)(-((unsigned char)x))^(unsigned char)(-((unsigned char)x)))-(unsigned char)226))>>(unsigned char)4)&(unsigned char)185)+1)*(unsigned char)(-(unsigned char)(-(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)^(unsigned char)170)^(unsigned char)119)<<(unsigned char)2))))))-(unsigned char)88)^(unsigned char)((unsigned char)((unsigned char)((unsigned char)(~(unsigned char)((unsigned char)(((unsigned char)x)&(unsigned char)38)+(unsigned char)71))-(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)<<(unsigned char)3)&(unsigned char)135)|(unsigned char)9))|(unsigned char)140)+1))-1)^(unsigned char)47);}
unsigned char Function_12 (unsigned char x) {return (unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)-(unsigned char)86)>>(unsigned char)4)<<(unsigned char)2)^(unsigned char)(~((unsigned char)x))))+1)>>(unsigned char)1)|(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)+(unsigned char)157)-(unsigned char)223)&(unsigned char)(-(unsigned char)((unsigned char)(((unsigned char)x)+1)+1)))>>(unsigned char)4)*(unsigned char)96)>>(unsigned char)4))<<(unsigned char)3)^(unsigned char)223);}
unsigned char Function_13 (unsigned char x) {return (unsigned char)((unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)-(unsigned char)30)-(unsigned char)(((unsigned char)x)-(unsigned char)55))+1)-(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)&(unsigned char)98)^(unsigned char)(((unsigned char)x)+1))+1))<<(unsigned char)3)+1)-(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)+1)&(unsigned char)43)|(unsigned char)123))+(unsigned char)151)-(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)-(unsigned char)183)>>(unsigned char)4)<<(unsigned char)3)+(unsigned char)(~(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)>>(unsigned char)2)-(unsigned char)62)&(unsigned char)((unsigned char)(((unsigned char)x)*(unsigned char)48)+(unsigned char)37))))+(unsigned char)157)^(unsigned char)204)))^(unsigned char)31);}
unsigned char Function_14 (unsigned char x) {return (unsigned char)((unsigned char)((unsigned char)((unsigned char)(~(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(-(unsigned char)(((unsigned char)x)<<(unsigned char)2))+(unsigned char)(((unsigned char)x)*(unsigned char)89))^(unsigned char)233)&(unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)>>(unsigned char)2)|(unsigned char)(((unsigned char)x)+1))*(unsigned char)114))-(unsigned char)107))-(unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)((unsigned char)(((unsigned char)x)&(unsigned char)183)*(unsigned char)(~((unsigned char)x)))>>(unsigned char)1)+1)+1)&(unsigned char)94))-1)^(unsigned char)217);}


int main()
{
    char mas[16] = {0}; /* 15 generated bytes plus a terminating NUL so printf("%s") stops */
    mas[0] = Function_0(seed);
    mas[1] = Function_1(mas[0]);
    mas[2] = Function_2(mas[1]);
    mas[3] = Function_3(mas[2]);
    mas[4] = Function_4(mas[3]);
    mas[5] = Function_5(mas[4]);
    mas[6] = Function_6(mas[5]);
    mas[7] = Function_7(mas[6]);
    mas[8] = Function_8(mas[7]);
    mas[9] = Function_9(mas[8]);
    mas[10] = Function_10(mas[9]);
    mas[11] = Function_11(mas[10]);
    mas[12] = Function_12(mas[11]);
    mas[13] = Function_13(mas[12]);
    mas[14] = Function_14(mas[13]);
  
    printf("%s\n Good day ...\n", mas);

    return 0;
}
 
The question remains open; I'm still interested in the reason for this behaviour.
 
try fixing PEB.ImageBaseAddress
That's there, check step 6 after the //
5) VirtualAllocEx // for the new image
6) WriteProcessMemory // headers and sections + the new base into the PEB
7) SetThreadContext
I only injected Process Hacker into notepad; possibly this happens because Process Hacker does a lot of undocumented crap. I haven't checked yet whether there'd be such glitches when injecting some RAT or even a HelloWorld.
 
In general, the interface glitch is in theory something to do with CSRSS, but really that's reading tea leaves. Test on other software. Maybe PH really does do something undocumented.
Ideally this needs debugging; when I have time I'll put together some RunPE and test it.
 
Yes, if the unmap of the unneeded chunk of memory is done after the process has already started, literally 100 ms later, then PH starts and functions perfectly.
 