heap.c
/**
*
* Captures incoming Net-NTLMv1/v2 hashes
* for incoming authentication attempts
* via NTLM.
*
* GuidePoint Security LLC
* Threat and Attack Simulation
*
**/
#include "common.h"
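/**
*
* @brief: Checks whether a pointer is the base address of a busy
*         (allocated) block in the default process heap and, if so,
*         reports the size of that block.
*
* Only the default process heap (PEB->ProcessHeap) is walked, and only
* an exact match on the base address of a block counts. Interior
* pointers and blocks owned by any other heap yield FALSE.
*
* The heap lock is held only while walking. The answer is a snapshot:
* once the lock is released another thread may free or reallocate the
* block, so callers should not treat *Len as a lasting bound.
*
* A walk that stops because HeapWalk failed cannot be told apart from
* a walk that found nothing; both return FALSE.
*
* @param: Pointer to the API structure (HeapLock, HeapWalk, HeapUnlock).
* @param: Candidate pointer to look up.
* @param: Receives the size in bytes of the matching block (cbData),
*         or 0 when no match is found. Must not be NULL.
*
* @return: TRUE if a matching busy block was found, FALSE otherwise,
*          including when the heap could not be locked.
*
**/
D_SEC( E ) BOOL IsHeapPtr( _In_ PAPI Api, _In_ PVOID Heap, _Out_ PULONG Len )
{
    BOOL               Ret = FALSE;
    PVOID              Mgr = NULL;
    PROCESS_HEAP_ENTRY Ent;

    /* Define the output up front so every failure path reports 0 */
    *Len = 0;

    Mgr = NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap;

    if ( Api->HeapLock( Mgr ) ) {
        /* HeapWalk starts a fresh enumeration when lpData is NULL */
        RtlSecureZeroMemory( &Ent, sizeof( Ent ) );
        Ent.lpData = NULL;

        while ( Api->HeapWalk( Mgr, &Ent ) ) {
            /* Only allocated entries count; skip free blocks and region records */
            if ( ( Ent.wFlags & PROCESS_HEAP_ENTRY_BUSY ) && Ent.lpData == Heap ) {
                Ret  = TRUE;
                *Len = Ent.cbData;

                /* Block base addresses are unique within a heap, so stop
                 * here rather than walking the rest with the lock held */
                break;
            }
        }

        /* Always paired with the successful HeapLock above */
        Api->HeapUnlock( Mgr );
    }

    return Ret;
}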