diff --git a/build.rs b/build.rs index d202d5f..f40f031 100644 --- a/build.rs +++ b/build.rs @@ -25,8 +25,12 @@ fn main() { "cargo:rustc-link-search=native={}", out_dir.to_str().unwrap() ); - Command::new("c_aes/make.bat").status().unwrap(); - Command::new("c_verification/make.bat").status().unwrap(); + Command::new("c_aes/make_microsoft_no_crt.bat") + .status() + .unwrap(); + Command::new("c_verification/make_microsoft_no_crt.bat") + .status() + .unwrap(); /* embed_resource::compile("c_aes/res1.rc"); embed_resource::compile("c_verification/res2.rc"); */ println!("cargo:rustc-link-lib=static=tricks"); diff --git a/c_aes/aes_dll.c b/c_aes/aes_dll.c index ba3ea67..a4e504c 100644 --- a/c_aes/aes_dll.c +++ b/c_aes/aes_dll.c @@ -4,14 +4,22 @@ extern void stub(); -int __declspec(noinline) - EventLoop(unsigned char *keyArray, ULONGLONG volatile *status, - PVOID *workAddress) { +HANDLE console = NULL; + +int __declspec(noinline) EventLoop(unsigned char *keyArray, + ULONGLONG volatile *status, + PVOID *workAddress) { + DWORD trash = 0; + while (1) { if (*status != 0) { if (*status == 2) { + + // WriteConsole(console, "[C] STOPPED ENCRYPT\n", 22, &trash, NULL); return 0; } + + // WriteConsole(console, "[C] DECRYPTED BLOCK\n", 22, &trash, NULL); Decrypt(*workAddress, keyArray); *status = 0; } @@ -35,6 +43,8 @@ DWORD WINAPI Initialise() { while (*status != 0) { } *workAddress = (PVOID)1; + DWORD trash = 0; + // WriteConsole(console, "[C] INIT COMPLETE\n", 18, &trash, NULL); EventLoop(keyArray, status, workAddress); return 0; @@ -43,6 +53,7 @@ DWORD WINAPI Initialise() { BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { switch (fdwReason) { case DLL_PROCESS_ATTACH: + console = GetStdHandle(STD_OUTPUT_HANDLE); CreateThread(NULL, 0, Initialise, NULL, 0, NULL); break; diff --git a/c_aes/make_microsoft_no_crt.bat b/c_aes/make_microsoft_no_crt.bat index 53ef4ba..8f76439 100644 --- a/c_aes/make_microsoft_no_crt.bat +++ b/c_aes/make_microsoft_no_crt.bat 
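Review bot: The second spawn targets `c_verification/make_microsoft_no_crt.bat`, but the script this same commit edits under `c_verification/` is named `make_microsoft_nocrt.bat` (no underscore before `crt`); unless a second, underscored script exists, `Command::new` fails and the `unwrap` panics the build. Independently, `.status().unwrap()` only panics when the process cannot be spawned at all — a batch file that runs but exits non-zero is silently accepted and cargo goes on to link whatever stale `tricks` library is already in `OUT_DIR`. Check the exit code, e.g. `let st = Command::new("c_verification/make_microsoft_nocrt.bat").status().unwrap();` followed by `assert!(st.success(), "c_verification build failed: {st}");`, and the same for the `c_aes` script. `main` starts and continues outside the hunk.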
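Review bot: The two commented-out `WriteConsole` calls in `EventLoop` pass a length of 22 for `"[C] STOPPED ENCRYPT\n"` and `"[C] DECRYPTED BLOCK\n"`, which are 20 characters each, so re-enabling them as written reads two bytes past the literal (the `INIT COMPLETE` call in the next hunk gets 18 right). If these stay as debug aids, derive the length instead of hand-counting it, e.g. `WriteConsole(console, msg, sizeof(msg) - 1, &trash, NULL);` with `static const char msg[] = "[C] DECRYPTED BLOCK\n";`. With the calls commented out, `DWORD trash = 0;` is an unused initialised local that `/W4` will warn about, and the `console` global written from `DllMain` is read from another thread with no synchronisation — harmless only while every use is commented out. `EventLoop` continues outside the hunk.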
@@ -1,8 +1,8 @@ @echo off REM Compile C files with Microsoft cl -cl /c /W4 /MD /GS- aes_dll.c /Fo:aes_dll.obj /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\um" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\shared" /I"C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Tools\MSVC\14.39.33519\include" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\ucrt" -cl /c /W4 /MD /GS- aes_lib/aes.c /Fo:aes.obj /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\um" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\shared" /I"C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Tools\MSVC\14.39.33519\include" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\ucrt" +cl /c /W4 /MT /GS- aes_dll.c /Fo:aes_dll.obj /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\um" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\shared" /I"C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Tools\MSVC\14.39.33519\include" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\ucrt" +cl /c /W4 /MT /GS- aes_lib/aes.c /Fo:aes.obj /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\um" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\shared" /I"C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Tools\MSVC\14.39.33519\include" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\ucrt" nasm -fwin64 -o stub.obj stub.asm REM Assemble the assembly file with nasm nasm -f win64 aes_lib/fast.asm -o fast.obj diff --git a/c_aes/stub.obj b/c_aes/stub.obj index 10a9ee4..ac981f1 100644 Binary files a/c_aes/stub.obj and b/c_aes/stub.obj differ diff --git a/c_verification/make_microsoft_nocrt.bat b/c_verification/make_microsoft_nocrt.bat index 07bf3a4..4379673 100644 --- a/c_verification/make_microsoft_nocrt.bat +++ b/c_verification/make_microsoft_nocrt.bat 
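Review bot: Both `cl` lines keep `/GS-`, so `aes_dll.c` and `aes_lib/aes.c` are compiled without stack-cookie checks, and nothing in the script says why; the name of the script and the sibling `c_verification` link line with `/NODEFAULTLIB` suggest it is because no CRT is linked to provide the cookie support routines, but that is an inference. Add a line above the first `cl`, e.g. `REM /GS- : no CRT is linked, so the /GS cookie routines are unavailable; stack-overrun checks are deliberately off for this module`, so the next person does not re-enable `/GS` and hit unresolved externals. The include paths are absolute, version-pinned per-machine paths (`10.0.22621.0`, `14.39.33519`), which makes the build unreproducible on any other host; the developer-prompt variables `%VCToolsInstallDir%` and `%WindowsSdkDir%` would express the same thing portably. The rest of the script, including its link line, is outside the hunk.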
@@ -1,5 +1,5 @@ nasm -fwin64 -o hook.obj hook.asm -cl /c /O2 /MD /W4 /GS- verification.c /Fo:verification.obj /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\um" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\shared" /I"C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Tools\MSVC\14.39.33519\include" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\ucrt" +cl /c /O2 /MT /W4 /GS- verification.c /Fo:verification.obj /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\um" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\shared" /I"C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Tools\MSVC\14.39.33519\include" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\ucrt" link /DLL /ENTRY:DllMain /NODEFAULTLIB /OUT:mod2_nocrt.dll verification.obj hook.obj /SUBSYSTEM:CONSOLE /LIBPATH:"C:\Program Files (x86)\Windows Kits\10\Lib\10.0.22621.0\um\x64" /LIBPATH:"C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.39.33519\lib\x64" /LIBPATH:"C:\Program Files (x86)\Windows Kits\10\Lib\10.0.22621.0\ucrt\x64" Kernel32.lib User32.lib del verification.obj hook.obj python .\encrypter.py diff --git a/c_verification/mod2.dll.enc b/c_verification/mod2.dll.enc index cd5b3fd..d980fb6 100644 Binary files a/c_verification/mod2.dll.enc and b/c_verification/mod2.dll.enc differ diff --git a/key.txt b/key.txt new file mode 100644 index 0000000..85e2ea8 --- /dev/null +++ b/key.txt @@ -0,0 +1 @@ +{7h3_h4nd_0f_90d_h0v321n9_480v3} \ No newline at end of file diff --git a/src/main.rs b/src/main.rs index c3b6bef..ad0d0b3 100644 --- a/src/main.rs +++ b/src/main.rs @@ -1,4 +1,7 @@ +//{7h3_h4nd_0f_90d_h0v321n9_480v3} + mod asm_macros; +mod warden; mod winapi_cs; use std::arch::asm; 
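Review bot: `key.txt` checks the string `{7h3_h4nd_0f_90d_h0v321n9_480v3}` into the repository in plaintext, and the same string is added verbatim as a comment on the first line of `src/main.rs`; if this is the value the verification module accepts, anyone with read access to the history now has it, and deleting the file in a later commit does not remove it from history. If the value is needed at build time (the `c_verification` script runs `python .\encrypter.py`, which presumably consumes it), read it from an untracked path or an environment variable and list `key.txt` in `.gitignore`; if it is only a reminder, drop both the file and the comment. The `src/main.rs` comment has no effect on the program and only duplicates the secret.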
@@ -27,115 +30,6 @@ use winapi_cs::core::*; use crate::winapi_cs::reflective_dll::*; -#[repr(C)] -struct warden_args { - f: *const fn(), - status: *mut Arc<(Mutex, Condvar)>, - _workAddress: *mut Arc<(Mutex, Condvar)>, -} - -extern "C" { - - pub fn wardenCallback(arg: *mut u8); -} - -#[derive(Debug)] -enum StatusEnum { - Idle, - Work, - Phase2, -} - -static DECOY: AtomicUsize = AtomicUsize::new(0); -unsafe extern "stdcall" fn warden_spawner(args: *mut warden_args) { - if DECOY.fetch_and(1, Ordering::SeqCst) == 1 { - let status: u64 = transmute_copy(&((*args).status)); - let workAddress: u64 = transmute_copy(&((*args)._workAddress)); - thread::spawn(move || warden(status, workAddress)); - } -} - -unsafe fn warden(_status: u64, _workAddress: u64) { - let status: *mut Arc<(Mutex, Condvar)> = transmute(_status); - let workAddress: *mut Arc<(Mutex<*mut *mut u8>, Condvar)> = transmute(_workAddress); - let (_ntStr, pntStr) = string_to_lpcwstr(String::from("C:\\Windows\\System32\\ntdll.dll")); - let (_ker32strw, pker32strw) = - string_to_lpcwstr(String::from("C:\\Windows\\System32\\kernel32.dll")); - let (_virtProtStr, pvirtProtStr) = string_to_lpcstr(String::from("VirtualProtect")); - let ntdll = GetModuleHandle(pntStr).unwrap(); - let (_DBreakStr, pDBreakStr) = string_to_lpcstr(String::from("DbgBreakPoint")); - let (_DRemoteStr, pDRemoteStr) = string_to_lpcstr(String::from("RtlUserThreadStart")); - let _kernel32: HMODULE = GetModuleHandle(pker32strw).unwrap(); - let VirtualProtect: pVirtualProtect = GetProcAddress_(_kernel32, pvirtProtStr).unwrap(); - let Cstatus: *mut u64 = GetProcAddress_(ntdll, pDBreakStr).unwrap(); - let CworkAddress: *mut *const u8 = GetProcAddress_(ntdll, pDRemoteStr).unwrap(); - let mut _oldProtect: DWORD = 0; - VirtualProtect( - Cstatus as PVOID, - 8, - PAGE_EXECUTE_READWRITE, - &mut _oldProtect as *mut u32, - ); - VirtualProtect( - CworkAddress as PVOID, - 8, - PAGE_EXECUTE_READWRITE, - &mut _oldProtect as *mut u32, - ); - *Cstatus = 0; - while 
*CworkAddress != 1 as *const u8 { - decoy(&mut (*CworkAddress as u64)); - } - 'mainloop: loop { - let (status_lock, cvar) = &**status; - { - let mut status = status_lock.lock().unwrap(); - - loop { - status = match *status { - StatusEnum::Idle => cvar.wait(status).unwrap(), - StatusEnum::Work => { - break; - } - StatusEnum::Phase2 => { - break 'mainloop; - } - }; - } - - let (data_lock, _) = &**workAddress; - let work_address = data_lock.lock().unwrap(); - - *CworkAddress = **work_address as *const u8; - *Cstatus = 1; - *status = StatusEnum::Idle; - } - while *Cstatus == 1 { - decoy(&mut (Cstatus as u64)); - } - - cvar.notify_one(); - } - let (status_lock, cvar) = &**status; - - let (data_lock, _) = &**workAddress; - { - let work_address = data_lock.lock().unwrap(); - let mut status = status_lock.lock().unwrap(); - *status = StatusEnum::Idle; - *CworkAddress = **work_address; - } - *Cstatus = 2; - - cvar.notify_one(); -} - -fn decoy(data: &mut u64) { - unsafe { - let temp = core::ptr::read_volatile(data); - core::ptr::write_volatile(data, temp); - } -} static mut stWA: u64 = 0; unsafe extern "system" fn exception_handler(_exception_info: *mut EXCEPTION_POINTERS) -> i32 { // Return EXCEPTION_CONTINUE_SEARCH to allow other handlers to process this exception, @@ -143,7 +37,7 @@ unsafe extern "system" fn exception_handler(_exception_info: *mut EXCEPTION_POIN match (*((*_exception_info).ExceptionRecord)).ExceptionCode { 0xC0000095 => (), _ => { - println!("Uh oh..."); + println!("You have reached a race condition!!!"); return EXCEPTION_CONTINUE_SEARCH; } } @@ -160,7 +54,7 @@ unsafe extern "system" fn exception_handler(_exception_info: *mut EXCEPTION_POIN let wa: PVOID = transmute(stWA); TpAllocWork( &mut workReturn as *mut PTP_WORK, - transmute(wardenCallback as *const ()), + transmute(warden::wardenCallback as *const ()), wa, null_mut(), ); 
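Review bot: The new message `You have reached a race condition!!!` is printed for every exception code other than `0xC0000095`, including ordinary access violations from the raw-pointer code elsewhere in this file, so it will misattribute most crashes; nothing in this branch establishes a race. Print the code so the failure is diagnosable, e.g. `println!("Unexpected exception {:#x}", (*((*_exception_info).ExceptionRecord)).ExceptionCode);`. Also prefer `eprintln!` or the `WriteConsole` pointer `main` already resolves: `println!` takes the stdout lock and may allocate, which can deadlock a vectored handler if the faulting thread was inside `println!` when the exception fired. `exception_handler` starts and ends outside the hunk.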
@@ -182,7 +76,6 @@ typedef VOID (NTAPI* TPPOSTWORK)(PTP_WORK); typedef VOID (NTAPI* TPRELEASEWORK)(PTP_WORK);*/ fn main() { - //{7h3_h4nd_0f_90d_h0v321n9_480v3} fake_exit!(); let (_ker32strw, pker32strw) = string_to_lpcwstr(String::from("C:\\Windows\\System32\\kernel32.dll")); @@ -198,8 +91,9 @@ fn main() { let WriteConsole: pWriteConsole = GetProcAddress_(_kernel32, pWriteConsStr).unwrap(); let verif_data_sec = include_bytes!("../c_verification/mod2.dll.enc"); let mut _oldProtect: DWORD = 0; - let data = Arc::new((Mutex::new(0 as u64), Condvar::new())); - let status = Arc::new((Mutex::new(StatusEnum::Idle), Condvar::new())); + let condvar = Condvar::new(); + let data = Arc::new((Mutex::new(0 as u64), condvar)); + let status = Arc::new((Mutex::new(warden::StatusEnum::Idle), Condvar::new())); VirtualProtect( verif_data_sec.as_ptr() as PVOID, verif_data_sec.len() * 2, 
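Review bot: `let condvar = Condvar::new();` is hoisted into a named local and immediately moved into the `data` tuple while `status` on the next line still constructs its `Condvar` inline; the binding adds nothing and reads like a leftover from an experiment. If the intent was to share one condvar between `data` and `status`, that does not happen here — `Condvar` is moved into `data`, so the two tuples still hold distinct condvars — and if it was not, inline it again: `let data = Arc::new((Mutex::new(0 as u64), Condvar::new()));`. Unrelated to this change but visible in the hunk's context: the `VirtualProtect` length `verif_data_sec.len() * 2` spans twice the embedded buffer, which is worth a comment or a fix while this area is being touched. `main` continues outside the hunk.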
@@ -217,46 +111,63 @@ fn main() { let mut data_th2 = data.clone(); let mut status_th2 = status.clone(); fake_exit!(); - let mut wa = warden_args { - f: warden as *const fn(), - status: &mut status_th2 as *mut Arc<(Mutex, Condvar)>, + let mut wa = warden::warden_args { + f: warden::warden as *const fn(), + status: &mut status_th2 as *mut Arc<(Mutex, Condvar)>, _workAddress: &mut data_th2 as *mut Arc<(Mutex, Condvar)>, }; - stWA = (&mut wa as *mut warden_args) as u64; + stWA = (&mut wa as *mut warden::warden_args) as u64; let _handle = AddVectoredExceptionHandler(1, Some(exception_handler)); - asm!(".2byte 0x04cd"); let (_userStr, puserStr) = string_to_lpcstr(user_input); + asm!(".2byte 0x04cd"); ReflectiveLoadDll(aes_ptr.as_ptr() as *mut u8, false); - let (data_lock, _) = &*data; let console = GetStdHandle(STD_OUTPUT_HANDLE); + + let (data_lock, _) = &*data; let (status_lock, cvar) = &*status; + { + // Waiting for C to initialise its code + cvar.wait(status_lock.lock().unwrap()); + } + for i in 0..(verif_data_sec.len() / 16) { - let (_ds, pds) = string_to_lpcstr(String::from(format!("{i}"))); - let mut cnt: DWORD = 0; + /* + let (_ds, pds) = string_to_lpcstr(String::from(format!("{i}"))); + let mut cnt: DWORD = 0; + WriteConsole(console, pds, 0, &mut cnt as *mut u32, null_mut()); + */ + // The lines above exist so that this loop is not optimised away fake_exit!(); - WriteConsole(console, pds, 0, &mut cnt as *mut u32, null_mut()); let data_ptr = verif_data_sec.as_ptr().offset(i as isize * 16) as *const u8; { let mut mut_work_mutex = data_lock.lock().unwrap(); *mut_work_mutex = transmute::<*const *const u8, u64>(&data_ptr as *const *const u8); + //Writing to the shared pointer and then locking so the warden can pass it further } { let mut status_mutex = status_lock.lock().unwrap(); - *status_mutex = StatusEnum::Work; + *status_mutex = warden::StatusEnum::Work; + //Setting the mutex to status WORK, that is so that warden knows what to do } + //Sending to notification 
to condvar connected to status, that it could be unlocked cvar.notify_one(); { hide!(); - let mut status_mutex = status_lock.lock().unwrap(); - status_mutex = match *status_mutex { - StatusEnum::Work => cvar.wait(status_mutex).unwrap(), - _ => break, - }; + + // Waiting while the warden is wokring + loop { + let mut status_mutex = status_lock.lock().unwrap(); + status_mutex = match *status_mutex { + warden::StatusEnum::Work => cvar.wait(status_mutex).unwrap(), + _ => break, + }; + } } } + //Writing the user string for c_verification unit to verify let data_ptr = puserStr as *const u8; { let mut work_mutex = data_lock.lock().unwrap(); @@ -264,13 +175,13 @@ fn main() { } { let mut status_mutex = status_lock.lock().unwrap(); - *status_mutex = StatusEnum::Phase2; + *status_mutex = warden::StatusEnum::Phase2; } cvar.notify_one(); { let mut status_mutex = status_lock.lock().unwrap(); status_mutex = match *status_mutex { - StatusEnum::Phase2 => cvar.wait(status_mutex).unwrap(), + warden::StatusEnum::Phase2 => cvar.wait(status_mutex).unwrap(), _ => status_mutex, }; } diff --git a/src/warden.rs b/src/warden.rs new file mode 100644 index 0000000..3f6b8f8 --- /dev/null +++ b/src/warden.rs 
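Review bot: The init handshake `cvar.wait(status_lock.lock().unwrap());` has no predicate: if the warden thread's `notify_one` runs before `main` reaches this line the wake-up is lost and `main` blocks forever, a spurious wake-up lets it proceed before the C side has set `workAddress = 1`, and the returned guard and its `Result` are discarded. `StatusEnum` has no value meaning "C initialised", so add one (e.g. `Ready`, set by the warden under `status_lock` just before it notifies) and wait for it in a loop: `let mut g = status_lock.lock().unwrap(); while !matches!(*g, warden::StatusEnum::Ready) { g = cvar.wait(g).unwrap(); }` then reset it to `Idle` before the block loop. The comment `// The lines above exist so that this loop is not optimised away` now describes code that is itself commented out, so it is false as written — keep a cheap side effect or delete the comment. `main` starts outside the hunk.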
@@ -0,0 +1,149 @@
+use std::mem::{transmute, transmute_copy};
+use std::sync::atomic::{AtomicUsize, Ordering};
+use std::sync::{Arc, Condvar, Mutex};
+
+use std::arch::asm;
+use std::thread;
+use winapi::shared::basetsd::SIZE_T;
+use winapi::shared::minwindef::{DWORD, HMODULE};
+use winapi::shared::ntdef::PVOID;
+
+use winapi::um::winnt::PAGE_EXECUTE_READWRITE;
+
+use crate::winapi_cs::core::*;
+type pVirtualProtect = fn(PVOID, SIZE_T, DWORD, *mut DWORD) -> bool;
+
+#[repr(C)]
+pub struct warden_args {
+ pub f: *const fn(),
+ pub status: *mut Arc<(Mutex, Condvar)>,
+ pub _workAddress: *mut Arc<(Mutex, Condvar)>,
+}
+
+extern "C" {
+
+ pub fn wardenCallback(arg: *mut u8);
+}
+
+#[derive(Debug)]
+pub enum StatusEnum {
+ Idle,
+ Work,
+ Phase2,
+}
+macro_rules! wait_for_zero {
+ ($ptr:expr) => {{
+ let ptr = $ptr as *mut i32;
+ unsafe {
+ asm!(
+ "2:",
+ "mov rax, 0", // Load a non-zero value into EAX
+ "lock cmpxchg [{0}], rax", // Compare and exchange with a locked bus, but don't change the value
+ "jnz 2b", // Jump back to the start of the loop if *ptr was not zero
+ in(reg) ptr,
+ out("rax") _,
+ options(nostack )
+ );
+ }
+ }};
+}
+static DECOY: AtomicUsize = AtomicUsize::new(0);
+unsafe extern "stdcall" fn warden_spawner(args: *mut warden_args) {
+ if DECOY.fetch_and(1, Ordering::SeqCst) == 1 {
+ let status: u64 = transmute_copy(&((*args).status));
+ let workAddress: u64 = transmute_copy(&((*args)._workAddress));
+ thread::spawn(move || warden(status, workAddress));
+ }
+}
+
+pub unsafe fn warden(_status: u64, _workAddress: u64) {
+ let status: *mut Arc<(Mutex, Condvar)> = transmute(_status);
+ let workAddress: *mut Arc<(Mutex<*mut *mut u8>, Condvar)> = transmute(_workAddress);
+ let (_ntStr, pntStr) = string_to_lpcwstr(String::from("C:\\Windows\\System32\\ntdll.dll"));
+ let (_ker32strw, pker32strw) =
+ string_to_lpcwstr(String::from("C:\\Windows\\System32\\kernel32.dll"));
+ let (_virtProtStr, pvirtProtStr) = string_to_lpcstr(String::from("VirtualProtect"));
+
let ntdll = GetModuleHandle(pntStr).unwrap(); + let (_DBreakStr, pDBreakStr) = string_to_lpcstr(String::from("DbgBreakPoint")); + let (_DRemoteStr, pDRemoteStr) = string_to_lpcstr(String::from("RtlUserThreadStart")); + let _kernel32: HMODULE = GetModuleHandle(pker32strw).unwrap(); + let VirtualProtect: pVirtualProtect = GetProcAddress_(_kernel32, pvirtProtStr).unwrap(); + let Cstatus: *mut u64 = GetProcAddress_(ntdll, pDBreakStr).unwrap(); + let CworkAddress: *mut *const u8 = GetProcAddress_(ntdll, pDRemoteStr).unwrap(); + let mut _oldProtect: DWORD = 0; + VirtualProtect( + Cstatus as PVOID, + 8, + PAGE_EXECUTE_READWRITE, + &mut _oldProtect as *mut u32, + ); + VirtualProtect( + CworkAddress as PVOID, + 8, + PAGE_EXECUTE_READWRITE, + &mut _oldProtect as *mut u32, + ); + *Cstatus = 0; + while *CworkAddress != 1 as *const u8 { + decoy(&mut (*CworkAddress as u64)); + } + + // C thread initialised => notifying main thread it can proceed + let (_, cvar) = &**status; + cvar.notify_one(); + 'mainloop: loop { + let (status_lock, cvar) = &**status; + { + let mut status = status_lock.lock().unwrap(); + + // Waiting for the status to become work to decrypt stuff or Phase2 To exit + loop { + status = match *status { + StatusEnum::Idle => cvar.wait(status).unwrap(), + StatusEnum::Work => { + //Notification recieved and we can send the data to C code + break; + } + StatusEnum::Phase2 => { + break 'mainloop; + } + }; + } + + let (data_lock, _) = &**workAddress; + let work_address = data_lock.lock().unwrap(); + + // Putting the work address in + *CworkAddress = **work_address as *const u8; + // Setting the status (This is a mutex for C code) + *Cstatus = 1; + wait_for_zero!(Cstatus); + //upon receiving work set status back to idle + *status = StatusEnum::Idle; + } + //notify the main thread that the block is decyprted + + cvar.notify_one(); + } + // This is only reached when Phase2 Starts + + let (status_lock, cvar) = &**status; + + let (data_lock, _) = &**workAddress; + { + let 
work_address = data_lock.lock().unwrap(); + let mut status = status_lock.lock().unwrap(); + *status = StatusEnum::Idle; + *CworkAddress = **work_address; + } + *Cstatus = 2; + + cvar.notify_one(); +} + +fn decoy(data: &mut u64) { + unsafe { + let temp = core::ptr::read_volatile(data); + core::ptr::write_volatile(data, temp); + } +} diff --git a/src/winapi_cs/reflective_dll.rs b/src/winapi_cs/reflective_dll.rs index e4ce21e..5725da0 100644 --- a/src/winapi_cs/reflective_dll.rs +++ b/src/winapi_cs/reflective_dll.rs @@ -12,7 +12,6 @@ use winapi::shared::minwindef::HINSTANCE; use winapi::shared::minwindef::{BYTE, DWORD, HMODULE}; use winapi::shared::ntdef::{LPCSTR, PVOID}; - use winapi::um::libloaderapi::GetProcAddress; use winapi::um::libloaderapi::LoadLibraryA; use winapi::um::winnt::DLL_PROCESS_ATTACH; @@ -23,7 +22,6 @@ use winapi::um::winnt::MEM_COMMIT; use winapi::um::winnt::MEM_RESERVE; use winapi::um::winnt::PAGE_EXECUTE_READWRITE; - type pVirtualAlloc = fn(PVOID, SIZE_T, DWORD, DWORD) -> *mut BYTE; type pDllEntry = extern "system" fn(HINSTANCE, DWORD, PVOID) -> bool; @@ -40,6 +38,7 @@ pub unsafe fn ReflectiveLoadDll(dllBytes: *mut BYTE, debug: bool) -> Option<*mut let dosHeaders = dllBytes as *const IMAGE_DOS_HEADER; let ntHeaders = dllBytes.wrapping_offset((*dosHeaders).e_lfanew as isize) as *const IMAGE_NT_HEADERS64; + let dllImageSize = (*ntHeaders).OptionalHeader.SizeOfImage; let (_ker32strw, pker32strw) = string_to_lpcwstr(String::from("C:\\Windows\\System32\\kernel32.dll")); @@ -51,7 +50,7 @@ pub unsafe fn ReflectiveLoadDll(dllBytes: *mut BYTE, debug: bool) -> Option<*mut let VirtualAlloc: pVirtualAlloc = std::mem::transmute(GetProcAddress(kernel32, pvirtAllocStr)); let temp = VirtualAlloc( (*ntHeaders).OptionalHeader.ImageBase, - dllImageSize as usize + 0x1000, + 2 * dllImageSize as usize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE, ); 
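Review bot: Both `VirtualProtect` calls in `warden` ignore their `bool` result, and the code then stores through `Cstatus` and `CworkAddress`, which point at the first bytes of `ntdll!DbgBreakPoint` and `ntdll!RtlUserThreadStart`; if either protection change fails, `*Cstatus = 0` faults inside ntdll's text with no diagnostic and `main` is left waiting. Check both before the stores, e.g. `if !VirtualProtect(Cstatus as PVOID, 8, PAGE_EXECUTE_READWRITE, &mut _oldProtect) { return; }` (and the same for `CworkAddress`), and note that `pVirtualProtect` is declared as a plain `fn(...)` rather than `extern "system" fn(...)`, so the call is made with the unspecified Rust ABI — it may happen to work for four integer arguments on x64, but it is undefined behaviour and the type should say `extern "system"`. In `wait_for_zero!` the comment `Load a non-zero value into EAX` contradicts the `mov rax, 0` it annotates, the `*mut i32` cast is misleading because `cmpxchg … rax` is a 64-bit operation on what is really a `*mut u64`, and a `lock cmpxchg` spin writes the cache line every iteration; a loop over `(*(Cstatus as *const AtomicU64)).load(Ordering::Acquire)` with `std::hint::spin_loop()` expresses the same wait without the bus lock. Finally, `*CworkAddress = …` overwrites the entry of `RtlUserThreadStart`, the routine every new thread in the process starts in, so any thread created after that store will execute the stored pointer bytes — presumably intended, but it deserves a comment at the `GetProcAddress_` line rather than being left for the reader to discover.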
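Review bot: Reserving `2 * dllImageSize` at the preferred `ImageBase` doubles the RWX mapping for no stated reason; the old `+ 0x1000` slack existed for the manual page-alignment step this commit removes, and `VirtualAlloc` already returns an allocation-granularity-aligned base, so `dllImageSize as usize` looks sufficient unless something later in `ReflectiveLoadDll` writes past `SizeOfImage`. If the extra room is intentional, say so in a comment on the `VirtualAlloc` call, since the same expression is repeated in the fallback allocation in the next hunk. `ReflectiveLoadDll` continues outside the hunk.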
@@ -59,7 +58,7 @@ pub unsafe fn ReflectiveLoadDll(dllBytes: *mut BYTE, debug: bool) -> Option<*mut
 if temp == 0 as *mut u8 {
 VirtualAlloc(
 0 as PVOID,
- dllImageSize as usize + 0x1000,
+ 2 * dllImageSize as usize,
 MEM_RESERVE | MEM_COMMIT,
 PAGE_EXECUTE_READWRITE,
 )
@@ -67,15 +66,8 @@ pub unsafe fn ReflectiveLoadDll(dllBytes: *mut BYTE, debug: bool) -> Option<*mut
 temp
 }
 };
- dllBase = if (dllBase as usize) % 0x1000 != 0 {
- // Adjust `dllBase` to the next multiple of 0x1000
- (dllBase as usize + 0x1000 - (dllBase as usize) % 0x1000) as *mut u8
- } else {
- // If no adjustment is needed, just reuse the old value
- dllBase
- };
- let deltaImageBase = dllBase as usize - (*ntHeaders).OptionalHeader.ImageBase as usize;
- copy(dllBytes, dllBase, dllImageSize as usize);
+ let deltaImageBase: isize = dllBase as isize - (*ntHeaders).OptionalHeader.ImageBase as isize;
+ copy(dllBytes, dllBase, 1000);
 let mut section = image_first_section(ntHeaders);
 let mut sectionDestination;
 let mut sectionBytes;
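Review bot: `copy(dllBytes, dllBase, 1000)` copies a decimal 1000 bytes as the header block, which looks like a typo for `0x1000` and in either case is not tied to the image: the DOS stub, NT headers and section table occupy `SizeOfHeaders` bytes, which can exceed 1000 for a DLL with a larger section table, so anything that later reads headers or data directories from the mapped `dllBase` would see a truncated copy. Use the value the image declares, `copy(dllBytes, dllBase, (*ntHeaders).OptionalHeader.SizeOfHeaders as usize);`, and since `ReflectiveLoadDll` takes an untyped `*mut BYTE` with no length, consider adding a length parameter so the copy can be bounded by the source as well. The change of `deltaImageBase` to `isize` is the right fix for a base allocated below `ImageBase`; make sure the relocation arithmetic later in the function, outside this hunk, applies it as a signed offset rather than casting it back to `usize`.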