Added error checks for wow64 processes

EmadYaY · Jan 30, 2024 · f5edf4c · f5edf4c
1 parent b20de8d
commit f5edf4c
Show file tree

Hide file tree

Showing 7 changed files with 69 additions and 1 deletion.
diff --git a/CookieKatz-BOF/ChromeKatz/Process.cpp b/CookieKatz-BOF/ChromeKatz/Process.cpp
@@ -365,4 +365,19 @@ extern "C" {
         }
         return TRUE;
     }
+
+    BOOL IsWow64(HANDLE hProcess) {
+        BOOL isBrowserWow64 = FALSE;
+        if (!IsWow64Process(hProcess, &isBrowserWow64)) {
+            BeaconPrintf(CALLBACK_ERROR, "IsWow64Process failed for browser process, Error: %i\n", GetLastError());
+            CloseHandle(hProcess);
+            return TRUE;
+        }
+        if (isBrowserWow64) {
+            CloseHandle(hProcess);
+            return TRUE;
+        }
+
+        return FALSE;
+    }
 }
diff --git a/CookieKatz-BOF/CookieKatzBOF.cpp b/CookieKatz-BOF/CookieKatzBOF.cpp
@@ -57,6 +57,11 @@ extern "C" {
         banner();
         BeaconPrintf(CALLBACK_OUTPUT, "Kittens love cookies too! >:3\n");
 
+#ifndef _WIN64
+        BeaconPrintf(CALLBACK_OUTPUT, "32bit version is not currently supported.\n");
+        return 1;
+#endif // !_WIN64
+
         DWORD chromePid = 0;
         LPCSTR targetConfig = NULL;
         datap parser;
@@ -127,6 +132,12 @@ extern "C" {
             BeaconPrintf(CALLBACK_OUTPUT, "Targeting PID: %d\n", chromePid);
         }
 
+        if (IsWow64(hChrome))
+        {
+            BeaconPrintf(CALLBACK_ERROR, "Target process is 32bit. Only 64bit browsers are supported!\n");
+            return;
+        }
+
         uintptr_t baseAddress = 0;
         DWORD moduleSize = 0;
         if (!GetRemoteModuleBaseAddress(hChrome, dllName, baseAddress, &moduleSize)) {

diff --git a/CookieKatz-BOF/DFR.h b/CookieKatz-BOF/DFR.h
@@ -35,6 +35,9 @@ DFR(KERNEL32, K32GetModuleBaseNameW)
 DFR(KERNEL32, K32GetModuleInformation)
 #define K32GetModuleInformation KERNEL32$K32GetModuleInformation
 
+DFR(KERNEL32, IsWow64Process)
+#define IsWow64Process KERNEL32$IsWow64Process
+
 DFR(MSVCRT, memcpy)
 #define memcpy MSVCRT$memcpy
 DFR(MSVCRT, malloc)

diff --git a/CookieKatz-BOF/FindChromeProcess.cpp b/CookieKatz-BOF/FindChromeProcess.cpp
@@ -43,6 +43,11 @@ extern "C" {
         banner();
         BeaconPrintf(CALLBACK_OUTPUT, "Kittens love cookies too! >:3\n\n");
 
+#ifndef _WIN64
+        BeaconPrintf(CALLBACK_OUTPUT, "32bit version is not currently supported.\n");
+        return 1;
+#endif // !_WIN64
+
         datap parser;
         BeaconDataParse(&parser, args, len);
         if (parser.original == 0)

diff --git a/CookieKatz/Main.cpp b/CookieKatz/Main.cpp
@@ -50,6 +50,11 @@ int main(int argc, char* argv[]) {
     banner();
 	printf("Kittens love cookies too!\n\n");
 
+#ifndef _WIN64
+    printf("[-] 32bit version is not currently supported.\n");
+    return 1;
+#endif // !_WIN64
+
     BOOL chrome = TRUE;
     BOOL ProcessList = FALSE;
     DWORD pid = 0;
@@ -97,6 +102,12 @@ int main(int argc, char* argv[]) {
             printf("[-] Failed to get process handle to PID: %lu\n", pid);
             return 1;
         }
+
+        if (IsWow64(hChrome))
+        {
+            printf("[-] Target process is 32bit. Only 64bit browsers are supported!\n");
+            return 1;
+        }
     }
 
     LPCWSTR processName;
@@ -151,6 +162,12 @@ int main(int argc, char* argv[]) {
             printf("[-] Failed to find right process\n");
             return 1;
         }
+
+        if (IsWow64(hChrome))
+        {
+            printf("[-] Target process is 32bit. Only 64bit browsers are supported!\n");
+            return 1;
+        }
     }
 #ifdef _DEBUG
     wprintf(TEXT("[*] Targeting process PID: %d\n"), pid);

diff --git a/CookieKatz/Process.cpp b/CookieKatz/Process.cpp
@@ -318,4 +318,20 @@ BOOL GetProcessHandle(DWORD pid, HANDLE* hProcess) {
     }
     *hProcess = hHandle;
     return TRUE;
+}
+
+BOOL IsWow64(HANDLE hProcess) {
+    BOOL isBrowserWow64 = FALSE;
+    if (!IsWow64Process(hProcess, &isBrowserWow64)) {
+        DebugPrintErrorWithMessage(TEXT("IsWow64Process failed for browser process"));
+        CloseHandle(hProcess);
+        return TRUE;
+    }
+    if (isBrowserWow64) {
+        DebugPrint(TEXT("[-] Target process is 32bit. Only 64bit browsers are supported!"));
+        CloseHandle(hProcess);
+        return TRUE;
+    }
+
+    return FALSE;
 }
diff --git a/CookieKatz/Process.h b/CookieKatz/Process.h
@@ -6,4 +6,5 @@ BOOL FindCorrectProcessPID(LPCWSTR processName, DWORD* pid, HANDLE* hProcess);
 BOOL GetRemoteModuleBaseAddress(HANDLE hProcess, const wchar_t* moduleName, uintptr_t& baseAddress, DWORD* moduleSize);
 
 BOOL GetProcessHandle(DWORD pid, HANDLE* hProcess);
-BOOL GetProcessName(HANDLE hProcess, BOOL& chrome);
+BOOL GetProcessName(HANDLE hProcess, BOOL& chrome);
+BOOL IsWow64(HANDLE hProcess);