-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhelpers.cpp
127 lines (95 loc) · 4.31 KB
/
helpers.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
/*
Red Team Operator helper functions
author: reenz0h (twitter: @SEKTOR7net)
credits: zerosum0x0, speedi13
*/
#include "PEstructs.h"
#include "helpers.h"
#include <stdio.h>
typedef HMODULE (WINAPI * LoadLibrary_t)(LPCSTR lpFileName);
LoadLibrary_t pLoadLibraryA = NULL;
HMODULE WINAPI hlpGetModuleHandle(LPCWSTR sModuleName) {
// get the offset of Process Environment Block
#ifdef _M_IX86
PEB * ProcEnvBlk = (PEB *) __readfsdword(0x30);
#else
PEB * ProcEnvBlk = (PEB *)__readgsqword(0x60);
#endif
// return base address of a calling module
if (sModuleName == NULL)
return (HMODULE) (ProcEnvBlk->ImageBaseAddress);
PEB_LDR_DATA * Ldr = ProcEnvBlk->Ldr;
LIST_ENTRY * ModuleList = NULL;
ModuleList = &Ldr->InMemoryOrderModuleList;
LIST_ENTRY * pStartListEntry = ModuleList->Flink;
for (LIST_ENTRY * pListEntry = pStartListEntry; // start from beginning of InMemoryOrderModuleList
pListEntry != ModuleList; // walk all list entries
pListEntry = pListEntry->Flink) {
// get current Data Table Entry
LDR_DATA_TABLE_ENTRY * pEntry = (LDR_DATA_TABLE_ENTRY *) ((BYTE *) pListEntry - sizeof(LIST_ENTRY));
// check if module is found and return its base address
if (lstrcmpiW(pEntry->BaseDllName.Buffer, sModuleName) == 0)
return (HMODULE) pEntry->DllBase;
}
// otherwise:
return NULL;
}
FARPROC WINAPI hlpGetProcAddress(HMODULE hMod, LPCSTR sProcName) {
char * pBaseAddr = (char *) hMod;
// get pointers to main headers/structures
IMAGE_DOS_HEADER * pDosHdr = (IMAGE_DOS_HEADER *) pBaseAddr;
IMAGE_NT_HEADERS * pNTHdr = (IMAGE_NT_HEADERS *) (pBaseAddr + pDosHdr->e_lfanew);
IMAGE_OPTIONAL_HEADER * pOptionalHdr = &pNTHdr->OptionalHeader;
IMAGE_DATA_DIRECTORY * pExportDataDir = (IMAGE_DATA_DIRECTORY *) (&pOptionalHdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
IMAGE_EXPORT_DIRECTORY * pExportDirAddr = (IMAGE_EXPORT_DIRECTORY *) (pBaseAddr + pExportDataDir->VirtualAddress);
// resolve addresses to Export Address Table, table of function names and "table of ordinals"
DWORD * pEAT = (DWORD *) (pBaseAddr + pExportDirAddr->AddressOfFunctions);
DWORD * pFuncNameTbl = (DWORD *) (pBaseAddr + pExportDirAddr->AddressOfNames);
WORD * pHintsTbl = (WORD *) (pBaseAddr + pExportDirAddr->AddressOfNameOrdinals);
// function address we're looking for
void *pProcAddr = NULL;
// resolve function by ordinal
if (((DWORD_PTR)sProcName >> 16) == 0) {
WORD ordinal = (WORD) sProcName & 0xFFFF; // convert to WORD
DWORD Base = pExportDirAddr->Base; // first ordinal number
// check if ordinal is not out of scope
if (ordinal < Base || ordinal >= Base + pExportDirAddr->NumberOfFunctions)
return NULL;
// get the function virtual address = RVA + BaseAddr
pProcAddr = (FARPROC) (pBaseAddr + (DWORD_PTR) pEAT[ordinal - Base]);
}
// resolve function by name
else {
// parse through table of function names
for (DWORD i = 0; i < pExportDirAddr->NumberOfNames; i++) {
char * sTmpFuncName = (char *) pBaseAddr + (DWORD_PTR) pFuncNameTbl[i];
if (strcmp(sProcName, sTmpFuncName) == 0) {
// found, get the function virtual address = RVA + BaseAddr
pProcAddr = (FARPROC) (pBaseAddr + (DWORD_PTR) pEAT[pHintsTbl[i]]);
break;
}
}
}
// check if found VA is forwarded to external library.function
if ((char *) pProcAddr >= (char *) pExportDirAddr &&
(char *) pProcAddr < (char *) (pExportDirAddr + pExportDataDir->Size)) {
char * sFwdDLL = _strdup((char *) pProcAddr); // get a copy of library.function string
if (!sFwdDLL) return NULL;
// get external function name
char * sFwdFunction = strchr(sFwdDLL, '.');
*sFwdFunction = 0; // set trailing null byte for external library name -> library\x0function
sFwdFunction++; // shift a pointer to the beginning of function name
// resolve LoadLibrary function pointer, keep it as global variable
if (pLoadLibraryA == NULL) {
pLoadLibraryA = (LoadLibrary_t) hlpGetProcAddress(hlpGetModuleHandle(L"KERNEL32.DLL"), "LoadLibraryA");
if (pLoadLibraryA == NULL) return NULL;
}
// load the external library
HMODULE hFwd = pLoadLibraryA(sFwdDLL);
free(sFwdDLL); // release the allocated memory for lib.func string copy
if (!hFwd) return NULL;
// get the address of function the original call is forwarded to
pProcAddr = hlpGetProcAddress(hFwd, sFwdFunction);
}
return (FARPROC) pProcAddr;
}