#pragma once
namespace MWR::Loader::UnexportedWinApi
{
/// @brief Counted wide-character string as embedded in the loader entry below.
///
/// The field order (Length, MaximumLength, buffer pointer) matches the
/// documented Windows UNICODE_STRING. NOTE(review): in UNICODE_STRING both
/// lengths are byte counts, not character counts, and the buffer is not
/// guaranteed to be NUL-terminated -- presumably the same applies here, so
/// readers of pBuffer should bound themselves by Length; confirm at call sites.
struct UNICODE_STR
{
    USHORT Length;         ///< Current length of the string data.
    USHORT MaximumLength;  ///< Capacity of the storage behind pBuffer.
    PWSTR pBuffer;         ///< Pointer to the wide-character data; not owned by this struct.
};
/// @brief Hand-declared prefix of the per-module entry kept by the Windows loader.
///
/// This struct is passed by pointer to the LdprHandleTlsData routine declared
/// in this header. The complete structure is not part of the documented
/// Windows API: the public SDK exposes only a few members and the real layout
/// has been extended across Windows releases. Only the members listed here
/// can be relied on from this declaration, and any change to field order or
/// width silently breaks every consumer of the pointer.
/// NOTE(review): confirm the layout against the Windows builds actually
/// targeted; nothing in this header checks it.
struct LDR_DATA_TABLE_ENTRY
{
    // Three list links; the names suggest the load-order, memory-order and
    // initialization-order module lists.
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;

    PVOID DllBase;     ///< Base address of the mapped image.
    PVOID EntryPoint;  ///< Image entry point.
    ULONG SizeOfImage; ///< Image size; GetSizeOfImage() in this header reads the same-named PE header field.

    UNICODE_STR FullDllName;  ///< Module name, full form (by name; not verified here).
    UNICODE_STR BaseDllName;  ///< Module name, base form (by name; not verified here).

    ULONG Flags;       ///< Loader flag bits; their meaning is not defined in this header.
    SHORT LoadCount;   ///< Declared signed here -- TODO confirm against the targeted builds.
    SHORT TlsIndex;    ///< Declared signed here -- TODO confirm against the targeted builds.
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;
};
// Function-pointer types for loader routines that ntdll does not export.
// Their prototypes are not a stable ABI: each alias is only correct for the
// Windows builds whose internal signature and calling convention match it.
// Calling through a mismatched alias corrupts registers or the stack of the
// calling process, so the variant must be selected from the running OS
// version before the pointer is used.
//
// _WIN64 is tested first because 64-bit Windows targets define _WIN32 as well.
#if defined(_WIN64)

/// 64-bit form: takes the loader entry and returns a DWORD, NTAPI convention.
/// (The alias name transposes "Ldrp"; it is kept because callers use it.)
using LdprHandleTlsData = DWORD(NTAPI*)(LDR_DATA_TABLE_ENTRY*);

#elif defined(_WIN32)

/// 32-bit form: same parameter, but called with the __thiscall convention.
using LdprHandleTlsData = DWORD(__thiscall*)(LDR_DATA_TABLE_ENTRY*);

// Three prototypes for the 32-bit inverted-function-table insert routine.
// The suffixes presumably name the first Windows release each one applies
// to -- confirm against the code that picks between them.
using RtlInsertInvertedFunctionTableWin8Point1OrGreater = void(__fastcall*)(void* baseAddr, DWORD sizeOfImage);
using RtlInsertInvertedFunctionTableWin8OrGreater = void(_stdcall*)(void* baseAddr, DWORD sizeOfImage);
using RtlInsertInvertedFunctionTableWin7OrGreater = void(_stdcall*)(void* ldrpInvertedFunctionTable, void* baseAddr, DWORD sizeOfImage);

#else
#error Unsupported architecture
#endif
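/// @brief Reads OptionalHeader.SizeOfImage from the PE headers of an image mapped at @p baseAddress.
///
/// The value comes from the image's own headers, so it is only as trustworthy
/// as the memory it is read from. The function is given no buffer length, so
/// it cannot bound e_lfanew against the end of the mapping; the caller must
/// guarantee that the DOS header and the NT headers it points to are readable.
///
/// @param baseAddress Address of the image's IMAGE_DOS_HEADER.
/// @return SizeOfImage from the optional header, or 0 when @p baseAddress is
///         null, the DOS or NT signature does not match, or e_lfanew is not
///         a positive offset.
inline DWORD GetSizeOfImage(UINT_PTR baseAddress)
{
    if (!baseAddress)
        return 0;

    const auto dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(baseAddress);

    // Reject anything that is not a DOS header before trusting e_lfanew as an
    // offset; a zero or negative value would point at or before the header.
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE || dosHeader->e_lfanew <= 0)
        return 0;

    const auto ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(baseAddress + dosHeader->e_lfanew);
    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE)
        return 0;

    return ntHeaders->OptionalHeader.SizeOfImage;
}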
/// @brief Returns a pointer typed as LdprHandleTlsData.
///
/// The definition is out of line; how the address is obtained is not visible
/// in this header. The pointee is a non-exported routine, so the result is
/// only usable on Windows builds where it matches the LdprHandleTlsData
/// signature selected for this architecture.
/// NOTE(review): presumably returns null when the routine cannot be located --
/// confirm in the definition and check the result before calling through it.
LdprHandleTlsData GetLdrpHandleTlsData();
/// @brief Returns an untyped pointer for the inverted-function-table insert routine.
///
/// Declared for every architecture, although the
/// RtlInsertInvertedFunctionTable* pointer types exist only in the 32-bit
/// branch of this header. The result is void*, so the compiler cannot check
/// which of those prototypes the caller casts it to; the choice must match
/// the running Windows version.
/// NOTE(review): the failure value and the behaviour on 64-bit builds are not
/// visible here -- confirm in the definition.
void* GetRtlInsertInvertedFunctionTable();
}