; @file HELLSGATE.INC
; @date 07-08-2020
; @author Paul Laîné (@am0nsec)
; @version 1.0
; @brief Dynamically extracting and invoking syscalls from in-memory modules.
; @details
; @link https://ntamonsec.blogspot.com/
; @copyright This project has been released under the GNU Public License v3 license.
; Byte sizes of the syscall table types declared below; handy for the code that
; walks the table entry by entry.
VXTableEntrySize EQU SIZEOF VX_TABLE_ENTRY ; 0x10 per the VX_TABLE_ENTRY layout
VXTableSize EQU SIZEOF VX_TABLE ; 0x40 = four VX_TABLE_ENTRY records
;-----------------------------------------------------------------------
; VX_TABLE_ENTRY - one resolved system service (0x10 bytes).
; Every field is filled at runtime from the export table of the module the
; caller has located in memory (the Nt* names in VX_TABLE point at ntdll);
; nothing in an entry is meaningful before that resolution has happened.
;-----------------------------------------------------------------------
VX_TABLE_ENTRY struct
pAddress QWORD ? ; 0x0000 address of the export inside the mapped module
dwHash DWORD ? ; 0x0008 hash of the export name used to locate it
wSystemCall WORD ? ; 0x000C system service number; NOTE(review): SSNs differ between OS builds, so this must be recovered per host and never assumed constant
BYTE 2 dup(?) ; 0x000E padding so SIZEOF is 0x10 and VX_TABLE entries sit at 0x10 strides
VX_TABLE_ENTRY ends
;-----------------------------------------------------------------------
; VX_TABLE - the set of system services this module resolves (0x40 bytes).
; The four entries cover the allocate / protect / create-thread / wait
; sequence. Field order fixes the offsets used by the assembly that consumes
; the table, so entries must not be reordered without updating that code.
;-----------------------------------------------------------------------
VX_TABLE struct
NtAllocateVirtualMemory VX_TABLE_ENTRY <> ; 0x0000
NtProtectVirtualMemory VX_TABLE_ENTRY <> ; 0x0010
NtCreateThreadEx VX_TABLE_ENTRY <> ; 0x0020
NtWaitForSingleObject VX_TABLE_ENTRY <> ; 0x0030
VX_TABLE ends
;-----------------------------------------------------------------------
; LARGE_INTEGER - signed 64-bit value viewed as two DWORD halves (0x08 bytes).
; Declared as a struct rather than a bare QWORD so the LowPart/HighPart view
; matches the SDK union and the field can be nested in PEB and loader records.
;-----------------------------------------------------------------------
LARGE_INTEGER struct
LowPart DWORD ? ; 0x0000 low 32 bits
HighPart DWORD ? ; 0x0004 high 32 bits (carries the sign)
LARGE_INTEGER ends
;-----------------------------------------------------------------------
; ULARGE_INTEGER - unsigned 64-bit value viewed as two DWORD halves (0x08 bytes).
; Same layout as LARGE_INTEGER; kept as a distinct type to mirror the SDK names
; used by the PEB's AppCompatFlags fields.
;-----------------------------------------------------------------------
ULARGE_INTEGER struct
LowPart DWORD ? ; 0x0000 low 32 bits
HighPart DWORD ? ; 0x0004 high 32 bits
ULARGE_INTEGER ends
;-----------------------------------------------------------------------
; UNICODE_STRING - counted UTF-16 string (0x10 bytes).
; Both lengths are BYTE counts, not character counts, and Buffer is not
; guaranteed to be NUL-terminated: any consumer must bound its reads by
; _Length rather than scanning for a terminator.
;-----------------------------------------------------------------------
UNICODE_STRING struct
_Length WORD ? ; 0x0000 bytes in use (leading underscore: LENGTH is a MASM reserved word)
MaximumLength WORD ? ; 0x0002 bytes allocated at Buffer
BYTE 4 dup(?) ; 0x0004 padding so Buffer is 8-byte aligned
Buffer QWORD ? ; 0x0008 pointer to the WCHAR data
UNICODE_STRING ends
;-----------------------------------------------------------------------
; LIST_ENTRY - circular doubly-linked list link (0x10 bytes).
; The links point at the LIST_ENTRY embedded in the neighbouring record, not
; at the record's start; subtract the embedded field's offset to recover the
; containing structure. A list head whose Flink equals its own address is empty.
;-----------------------------------------------------------------------
LIST_ENTRY struct
Flink QWORD ? ; 0x0000 forward link
BLink QWORD ? ; 0x0008 backward link
LIST_ENTRY ends
;-----------------------------------------------------------------------
; PEB - Process Environment Block, 64-bit layout (0x07C8 bytes as declared).
; The struct carries no alignment operand, so MASM packs fields byte-wise and
; every hole is spelled out as an explicit padding field; the offsets in the
; trailing comments are cumulative from the field sizes above them.
; NOTE(review): the field set corresponds to a Windows 10-era PEB. Only the
; leading fields (through Ldr / ProcessParameters) are stable across releases;
; offsets further down should be confirmed against the target build before
; any code depends on them.
;-----------------------------------------------------------------------
PEB struct
InheritedAddressSpace BYTE ? ; 0x0000
ReadImageFileExecOptions BYTE ? ; 0x0001
BeingDebugged BYTE ? ; 0x0002 non-zero while a user-mode debugger is attached
BitField BYTE ? ; 0x0003
Padding0 BYTE 4 dup(?) ; 0x0004 aligns Mutant to 8
Mutant QWORD ? ; 0x0008
ImageBaseAddress QWORD ? ; 0x0010 base of the process's main executable image
Ldr QWORD ? ; 0x0018 pointer to PEB_LDR_DATA (declared below)
ProcessParameters QWORD ? ; 0x0020
SubSystemData QWORD ? ; 0x0028
ProcessHeap QWORD ? ; 0x0030
FastPebLock QWORD ? ; 0x0038
AtlThunkSListPtr QWORD ? ; 0x0040
IFEOKey QWORD ? ; 0x0048
CrossProcessFlags DWORD ? ; 0x0050
Padding1 BYTE 4 dup(?) ; 0x0054
UserSharedInfoPtr QWORD ? ; 0x0058
SystemReserved DWORD ? ; 0x0060
AtlThunkSListPtr32 DWORD ? ; 0x0064
ApiSetMap QWORD ? ; 0x0068
TlsExpansionCounter DWORD ? ; 0x0070
Padding2 BYTE 4 dup(?) ; 0x0074
TlsBitmap QWORD ? ; 0x0078
TlsBitmapBits DWORD 2 dup(?) ; 0x0080
ReadOnlySharedMemoryBase QWORD ? ; 0x0088
SharedData QWORD ? ; 0x0090
ReadOnlyStaticServerData QWORD ? ; 0x0098
AnsiCodePageData QWORD ? ; 0x00A0
OemCodePageData QWORD ? ; 0x00A8
UnicodeCaseTableData QWORD ? ; 0x00B0
NumberOfProcessors DWORD ? ; 0x00B8 (follows the QWORD at 0x00B0; an earlier comment read 0x00B9)
NtGlobalFlag DWORD ? ; 0x00BC
CriticalSectionTimeout LARGE_INTEGER <> ; 0x00C0
HeapSegmentReserve QWORD ? ; 0x00C8
HeapSegmentCommit QWORD ? ; 0x00D0
HeapDeCommitTotalFreeThreshold QWORD ? ; 0x00D8
HeapDeCommitFreeBlockThreshold QWORD ? ; 0x00E0
NumberOfHeaps DWORD ? ; 0x00E8
MaximumNumberOfHeaps DWORD ? ; 0x00EC
ProcessHeaps QWORD ? ; 0x00F0
GdiSharedHandleTable QWORD ? ; 0x00F8
ProcessStarterHelper QWORD ? ; 0x0100
GdiDCAttributeList DWORD ? ; 0x0108
Padding3 BYTE 4 dup(?) ; 0x010C
LoaderLock QWORD ? ; 0x0110
OSMajorVersion DWORD ? ; 0x0118
OSMinorVersion DWORD ? ; 0x011C
OSBuildNumber WORD ? ; 0x0120
OSCSDVersion WORD ? ; 0x0122
OSPlatformId DWORD ? ; 0x0124
ImageSubsystem DWORD ? ; 0x0128
ImageSubsystemMajorVersion DWORD ? ; 0x012C
ImageSubsystemMinorVersion DWORD ? ; 0x0130
Padding4 BYTE 4 dup(?) ; 0x0134
ActiveProcessAffinityMask QWORD ? ; 0x0138
GdiHandleBuffer DWORD 60 dup(?) ; 0x0140 (60 * 4 = 0xF0 bytes)
PostProcessInitRoutine QWORD ? ; 0x0230
TlsExpansionBitmap QWORD ? ; 0x0238
TlsExpansionBitmapBits DWORD 32 dup(?) ; 0x0240 (32 * 4 = 0x80 bytes)
SessionId DWORD ? ; 0x02C0
Padding5 BYTE 4 dup(?) ; 0x02C4
AppCompatFlags ULARGE_INTEGER <> ; 0x02C8
AppCompatFlagsUser ULARGE_INTEGER <> ; 0x02D0
pShimData QWORD ? ; 0x02D8
AppCompatInfo QWORD ? ; 0x02E0
CSDVersion UNICODE_STRING <> ; 0x02E8
ActivationContextData QWORD ? ; 0x02F8
ProcessAssemblyStorageMap QWORD ? ; 0x0300
SystemDefaultActivationContextData QWORD ? ; 0x0308
SystemAssemblyStorageMap QWORD ? ; 0x0310
MinimumStackCommit QWORD ? ; 0x0318
SparePointers QWORD 4 dup(?) ; 0x0320 (4 * 8 = 0x20 bytes)
SpareUlongs DWORD 5 dup(?) ; 0x0340 (5 * 4 = 0x14 bytes)
BYTE 4 dup(?) ; 0x0354 padding so WerRegistrationData is 8-byte aligned
WerRegistrationData QWORD ? ; 0x0358
WerShipAssertPtr QWORD ? ; 0x0360
pUnused QWORD ? ; 0x0368
pImageHeaderHash QWORD ? ; 0x0370
TracingFlags DWORD ? ; 0x0378
Padding6 BYTE 4 dup(?) ; 0x037C
CsrServerReadOnlySharedMemoryBase QWORD ? ; 0x0380
TppWorkerpListLock QWORD ? ; 0x0388
TppWorkerpList LIST_ENTRY <> ; 0x0390
WaitOnAddressHashTable QWORD 128 dup(?) ; 0x03A0 (128 * 8 = 0x400 bytes)
TelemetryCoverageHeader QWORD ? ; 0x07A0
CloudFileFlags DWORD ? ; 0x07A8
CloudFileDiagFlags DWORD ? ; 0x07AC
PlaceholderCompatibilityMode BYTE ? ; 0x07B0
PlaceholderCompatibilityModeReserved BYTE 7 dup(?) ; 0x07B1
LeapSecondData QWORD ? ; 0x07B8
LeapSecondFlags DWORD ? ; 0x07C0
NtGlobalFlag2 DWORD ? ; 0x07C4
PEB ends
;-----------------------------------------------------------------------
; PEB_LDR_DATA - loader bookkeeping reached through PEB.Ldr (0x58 bytes).
; Each of the three module lists is a circular list of LIST_ENTRY links that
; are embedded in LDR_DATA_TABLE_ENTRY at a different offset (0x00, 0x10 and
; 0x20 respectively), so the containing entry is "link minus that offset";
; walking the in-memory list and treating the link as the entry start is the
; classic off-by-0x10 mistake. A list is exhausted when Flink returns to the
; head's own address.
;-----------------------------------------------------------------------
PEB_LDR_DATA struct
_Length DWORD ? ; 0x0000 size of this structure (leading underscore: LENGTH is a MASM reserved word)
Initialized BYTE ? ; 0x0004
BYTE 3 dup(?) ; 0x0005 padding so SsHandle is 8-byte aligned
SsHandle QWORD ? ; 0x0008
InLoadOrderModuleList LIST_ENTRY <> ; 0x0010 links LDR_DATA_TABLE_ENTRY.InLoadOrderLinks
InMemoryOrderModuleList LIST_ENTRY <> ; 0x0020 links LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks
InInitializationOrderModuleList LIST_ENTRY <> ; 0x0030 links LDR_DATA_TABLE_ENTRY.InInitializationOrderLinks
EntryInProgress QWORD ? ; 0x0040
ShutdownInProgress BYTE ? ; 0x0048
BYTE 7 dup(?) ; 0x0049 padding so ShutdownThreadId is 8-byte aligned
ShutdownThreadId QWORD ? ; 0x0050
PEB_LDR_DATA ends
;-----------------------------------------------------------------------
; RTL_BALANCED_NODE - opaque 24-byte tree node.
; Only its size matters here: it keeps the offsets of the fields that follow
; it in LDR_DATA_TABLE_ENTRY correct. NOTE(review): the SDK defines it as
; three pointer-sized members; nothing in this file dereferences them.
;-----------------------------------------------------------------------
RTL_BALANCED_NODE struct
_Dummy BYTE 24 dup(?) ; 0x0000 placeholder body (3 * 8 bytes)
RTL_BALANCED_NODE ends
;-----------------------------------------------------------------------
; LDR_DATA_TABLE_ENTRY - one loaded module as tracked by the loader
; (0x011D bytes as declared).
; Reached from the PEB_LDR_DATA lists; the three leading LIST_ENTRY fields are
; the links those lists thread through, so a pointer taken from the
; in-memory-order list must have 0x10 subtracted to reach this struct's start.
; NOTE(review): like PEB, the layout past the documented prefix is
; version-dependent; confirm against the target build.
;-----------------------------------------------------------------------
LDR_DATA_TABLE_ENTRY struct
InLoadOrderLinks LIST_ENTRY <> ; 0x0000 link in PEB_LDR_DATA.InLoadOrderModuleList
InMemoryOrderLinks LIST_ENTRY <> ; 0x0010 link in PEB_LDR_DATA.InMemoryOrderModuleList
InInitializationOrderLinks LIST_ENTRY <> ; 0x0020 link in PEB_LDR_DATA.InInitializationOrderModuleList
DllBase QWORD ? ; 0x0030 module base; an IMAGE_DOS_HEADER lives at this address
EntryPoint QWORD ? ; 0x0038
SizeOfImage DWORD ? ; 0x0040 mapped size; bounds any RVA derived from DllBase
BYTE 4 dup(?) ; 0x0044 padding so FullDllName is 8-byte aligned
FullDllName UNICODE_STRING <> ; 0x0048 full path (byte-counted, see UNICODE_STRING)
BaseDllName UNICODE_STRING <> ; 0x0058 file name only (byte-counted, see UNICODE_STRING)
FlagGroup BYTE 4 dup(?) ; 0x0068
ObsoleteLoadCount WORD ? ; 0x006C
TlsIndex WORD ? ; 0x006E
HashLinks LIST_ENTRY <> ; 0x0070
TimeDateStamp DWORD ? ; 0x0080
BYTE 4 dup(?) ; 0x0084 padding so EntryPointActivationContext is 8-byte aligned
EntryPointActivationContext QWORD ? ; 0x0088
_Lock QWORD ? ; 0x0090 (leading underscore: LOCK is a MASM reserved word)
DdagNode QWORD ? ; 0x0098
NodeModuleLink LIST_ENTRY <> ; 0x00A0
LoadContext QWORD ? ; 0x00B0
ParentDllBase QWORD ? ; 0x00B8
SwitchBackContext QWORD ? ; 0x00C0
BaseAddressIndexNode RTL_BALANCED_NODE <> ; 0x00C8
MappingInfoIndexNode RTL_BALANCED_NODE <> ; 0x00E0
OriginalBase QWORD ? ; 0x00F8
LoadTime LARGE_INTEGER <> ; 0x0100
BaseNameHashValue DWORD ? ; 0x0108
LoadReason DWORD ? ; 0x010C
ImplicitPathOptions DWORD ? ; 0x0110
ReferenceCount DWORD ? ; 0x0114
DependentLoadFlags DWORD ? ; 0x0118
SigningLevel BYTE ? ; 0x011C
LDR_DATA_TABLE_ENTRY ends
;-----------------------------------------------------------------------
; IMAGE_DOS_HEADER - legacy MZ header at the start of every PE image
; (0x40 bytes). Of the fields below only e_magic and e_lfanew matter to a
; PE walker: check e_magic first, then use e_lfanew to find IMAGE_NT_HEADERS64
; and make sure the result still lies inside the image before touching it.
;-----------------------------------------------------------------------
IMAGE_DOS_HEADER struct
e_magic WORD ? ; 0x0000 'MZ' (0x5A4D); verify before trusting anything else
e_cblp WORD ? ; 0x0002
e_cp WORD ? ; 0x0004
e_crlc WORD ? ; 0x0006
e_cparhdr WORD ? ; 0x0008
e_minalloc WORD ? ; 0x000A
e_maxalloc WORD ? ; 0x000C
e_ss WORD ? ; 0x000E
e_sp WORD ? ; 0x0010
e_csum WORD ? ; 0x0012
e_ip WORD ? ; 0x0014
e_cs WORD ? ; 0x0016
e_lfarlc WORD ? ; 0x0018
e_ovno WORD ? ; 0x001A
e_res WORD 4 dup(?) ; 0x001C
e_oemid WORD ? ; 0x0024
e_oeminfo WORD ? ; 0x0026
e_res2 WORD 10 dup(?) ; 0x0028
e_lfanew DWORD ? ; 0x003C offset from this header to IMAGE_NT_HEADERS64 (bound it by SizeOfImage)
IMAGE_DOS_HEADER ends
;-----------------------------------------------------------------------
; IMAGE_FILE_HEADER - COFF header embedded in IMAGE_NT_HEADERS64 (0x14 bytes).
;-----------------------------------------------------------------------
IMAGE_FILE_HEADER struct
Machine WORD ? ; 0x0000 target architecture (0x8664 for x64)
NumberOfSections WORD ? ; 0x0002
TimeDateStamp DWORD ? ; 0x0004
PointerToSymbolTable DWORD ? ; 0x0008
NumberOfSymbols DWORD ? ; 0x000C
SizeOfOptionalHeader WORD ? ; 0x0010 bytes of optional header actually present; section headers start this far after it
Characteristics WORD ? ; 0x0012
IMAGE_FILE_HEADER ends
;-----------------------------------------------------------------------
; IMAGE_DATA_DIRECTORY - RVA/size pair for one data directory (0x08 bytes).
; A zero VirtualAddress means the directory is absent.
;-----------------------------------------------------------------------
IMAGE_DATA_DIRECTORY struct
VirtualAddress DWORD ? ; 0x0000 RVA from the module base
_Size DWORD ? ; 0x0004 byte size (leading underscore: SIZE is a MASM reserved word)
IMAGE_DATA_DIRECTORY ends
;-----------------------------------------------------------------------
; IMAGE_OPTIONAL_HEADER64 - PE32+ optional header (0xF0 bytes as declared).
; DataDirectory is declared with the maximum of 16 slots so the offsets stay
; fixed; a given image only guarantees NumberOfRvaAndSizes of them, so index
; below that count rather than the declared 16.
;-----------------------------------------------------------------------
IMAGE_OPTIONAL_HEADER64 struct
Magic WORD ? ; 0x0000 0x020B for PE32+
MajorLinkerVersion BYTE ? ; 0x0002
MinorLinkerVersion BYTE ? ; 0x0003
SizeOfCode DWORD ? ; 0x0004
SizeOfInitializedData DWORD ? ; 0x0008
SizeOfUninitializedData DWORD ? ; 0x000C
AddressOfEntryPoint DWORD ? ; 0x0010 RVA
BaseOfCode DWORD ? ; 0x0014 RVA
ImageBase QWORD ? ; 0x0018 preferred base; the actual base is DllBase when relocated
SectionAlignment DWORD ? ; 0x0020
FileAlignment DWORD ? ; 0x0024
MajorOperatingSystemVersion WORD ? ; 0x0028
MinorOperatingSystemVersion WORD ? ; 0x002A
MajorImageVersion WORD ? ; 0x002C
MinorImageVersion WORD ? ; 0x002E
MajorSubsystemVersion WORD ? ; 0x0030
MinorSubsystemVersion WORD ? ; 0x0032
Win32VersionValue DWORD ? ; 0x0034
SizeOfImage DWORD ? ; 0x0038 mapped size; upper bound for every RVA in the image
SizeOfHeaders DWORD ? ; 0x003C
CheckSum DWORD ? ; 0x0040
Subsystem WORD ? ; 0x0044
DllCharacteristics WORD ? ; 0x0046
SizeOfStackReserve QWORD ? ; 0x0048
SizeOfStackCommit QWORD ? ; 0x0050
SizeOfHeapReserve QWORD ? ; 0x0058
SizeOfHeapCommit QWORD ? ; 0x0060
LoaderFlags DWORD ? ; 0x0068
NumberOfRvaAndSizes DWORD ? ; 0x006C number of valid DataDirectory entries (may be < 16)
DataDirectory IMAGE_DATA_DIRECTORY 16 dup(<>) ; 0x0070 (16 * 8 = 0x80 bytes); export directory is index 0
IMAGE_OPTIONAL_HEADER64 ends
;-----------------------------------------------------------------------
; IMAGE_NT_HEADERS64 - PE header located at DllBase + e_lfanew (0x108 bytes).
; Verify Signature before reading the headers that follow it.
;-----------------------------------------------------------------------
IMAGE_NT_HEADERS64 struct
Signature DWORD ? ; 0x0000 'PE\0\0' (0x00004550)
FileHeader IMAGE_FILE_HEADER <> ; 0x0004
OptionalHeader IMAGE_OPTIONAL_HEADER64 <> ; 0x0018
IMAGE_NT_HEADERS64 ends
;-----------------------------------------------------------------------
; IMAGE_EXPORT_DIRECTORY - export table header (0x28 bytes), found via
; DataDirectory[0] of the optional header.
; The three Address* fields are RVAs from the module base to parallel arrays.
; Names (AddressOfNames) and name ordinals (AddressOfNameOrdinals) have
; NumberOfNames entries; functions (AddressOfFunctions) have
; NumberOfFunctions entries, which can be larger. The WORD read from the
; ordinal table is a zero-based index straight into AddressOfFunctions (it is
; not offset by Base). Bound every walk by the matching count and keep each
; derived address inside SizeOfImage.
;-----------------------------------------------------------------------
IMAGE_EXPORT_DIRECTORY struct
Characteristics DWORD ? ; 0x0000
TimeDateStamp DWORD ? ; 0x0004
MajorVersion WORD ? ; 0x0008
MinorVersion WORD ? ; 0x000A
_Name DWORD ? ; 0x000C RVA of the module name (leading underscore: NAME is a MASM reserved word)
Base DWORD ? ; 0x0010 ordinal base; only needed when exporting by ordinal
NumberOfFunctions DWORD ? ; 0x0014 entries in AddressOfFunctions
NumberOfNames DWORD ? ; 0x0018 entries in AddressOfNames / AddressOfNameOrdinals
AddressOfFunctions DWORD ? ; 0x001C RVA of DWORD[NumberOfFunctions] export RVAs
AddressOfNames DWORD ? ; 0x0020 RVA of DWORD[NumberOfNames] name RVAs
AddressOfNameOrdinals DWORD ? ; 0x0024 RVA of WORD[NumberOfNames] indices into AddressOfFunctions
IMAGE_EXPORT_DIRECTORY ends