189 lines
4.9 KiB
C
189 lines
4.9 KiB
C
|
|
||
|
/*
|
||
|
* libloader.h -- misc. defines for libloader
|
||
|
* Jarkko Turkulainen <jt[at]klake.org>
|
||
|
*
|
||
|
*/
|
||
|
|
||
|
|
||
|
|
||
|
#include <stdio.h>
|
||
|
#include <windows.h>
|
||
|
|
||
|
|
||
|
/* NTSTATUS values */
|
||
|
|
||
|
#define STATUS_SUCCESS 0x00000000
|
||
|
#define STATUS_IMAGE_NOT_AT_BASE 0x40000003
|
||
|
|
||
|
|
||
|
/* Time values */
|
||
|
#define HIGH_TIME 0x01C422FA
|
||
|
#define LOW_TIME_1 0x7E275CE0
|
||
|
#define LOW_TIME_2 0x8E275CE0
|
||
|
|
||
|
|
||
|
|
||
|
/* Some defines ripped off from DDK */
|
||
|
|
||
|
typedef struct _FILE_BASIC_INFORMATION {
|
||
|
LARGE_INTEGER CreationTime;
|
||
|
LARGE_INTEGER LastAccessTime;
|
||
|
LARGE_INTEGER LastWriteTime;
|
||
|
LARGE_INTEGER ChangeTime;
|
||
|
ULONG FileAttributes;
|
||
|
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
|
||
|
|
||
|
typedef enum _SECTION_INFORMATION_CLASS {
|
||
|
SectionBasicInformation,
|
||
|
SectionImageInformation
|
||
|
} SECTION_INFORMATION_CLASS;
|
||
|
|
||
|
typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
|
||
|
|
||
|
typedef LONG NTSTATUS;
|
||
|
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
|
||
|
|
||
|
typedef struct _IO_STATUS_BLOCK {
|
||
|
NTSTATUS Status;
|
||
|
ULONG Information;
|
||
|
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
|
||
|
|
||
|
typedef struct _UNICODE_STRING {
|
||
|
USHORT Length;
|
||
|
USHORT MaximumLength;
|
||
|
#ifdef MIDL_PASS
|
||
|
[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
|
||
|
#else
|
||
|
PWSTR Buffer;
|
||
|
#endif
|
||
|
} UNICODE_STRING;
|
||
|
typedef UNICODE_STRING *PUNICODE_STRING;
|
||
|
|
||
|
typedef struct _ANSI_STRING {
|
||
|
USHORT Length;
|
||
|
USHORT MaximumLength;
|
||
|
PWSTR Buffer;
|
||
|
} ANSI_STRING, *PANSI_STRING, STRING, *PSTRING;
|
||
|
|
||
|
typedef enum _SECTION_INHERIT {
|
||
|
ViewShare = 1,
|
||
|
ViewUnmap = 2
|
||
|
} SECTION_INHERIT;
|
||
|
|
||
|
typedef struct _OBJECT_ATTRIBUTES {
|
||
|
ULONG Length;
|
||
|
HANDLE RootDirectory;
|
||
|
PUNICODE_STRING ObjectName;
|
||
|
ULONG Attributes;
|
||
|
PVOID SecurityDescriptor;
|
||
|
PVOID SecurityQualityOfService;
|
||
|
} OBJECT_ATTRIBUTES;
|
||
|
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
|
||
|
|
||
|
|
||
|
/* Funtion definitions */
|
||
|
|
||
|
/* kernel32 */
|
||
|
typedef VOID (WINAPI *f_ExitProcess)(UINT);
|
||
|
typedef DWORD (WINAPI *f_LoadLibrary)(LPCTSTR);
|
||
|
typedef FARPROC (WINAPI *f_GetProcAddress)(HMODULE, LPCTSTR);
|
||
|
typedef LPVOID (WINAPI *f_VirtualAlloc)(LPVOID, SIZE_T, DWORD, DWORD);
|
||
|
typedef BOOL (WINAPI *f_VirtualFree)(LPVOID, SIZE_T, DWORD);
|
||
|
typedef DWORD (WINAPI *f_VirtualQuery)(LPCVOID, PMEMORY_BASIC_INFORMATION, SIZE_T);
|
||
|
typedef BOOL (WINAPI *f_VirtualProtect)(LPVOID, SIZE_T, DWORD, PDWORD);
|
||
|
typedef BOOL (WINAPI *f_FlushInstructionCache)(HANDLE, LPCVOID, SIZE_T);
|
||
|
typedef BOOL (WINAPI *f_WriteProcessMemory)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T *);
|
||
|
|
||
|
/* ntdll */
|
||
|
typedef NTSTATUS (NTAPI *f_NtOpenSection)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
|
||
|
typedef NTSTATUS (NTAPI *f_NtQueryAttributesFile)(POBJECT_ATTRIBUTES, PFILE_BASIC_INFORMATION);
|
||
|
typedef void (NTAPI *f_NtOpenFile)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
|
||
|
PIO_STATUS_BLOCK, ULONG ShareAccess, ULONG);
|
||
|
typedef NTSTATUS (NTAPI *f_NtCreateSection)(PHANDLE, ULONG, POBJECT_ATTRIBUTES, PLARGE_INTEGER,
|
||
|
ULONG, ULONG, HANDLE);
|
||
|
typedef NTSTATUS (NTAPI *f_NtMapViewOfSection)(HANDLE, HANDLE, PVOID *, ULONG, ULONG,
|
||
|
PLARGE_INTEGER, PULONG, SECTION_INHERIT, ULONG, ULONG);
|
||
|
|
||
|
|
||
|
/* ws2_32 */
|
||
|
typedef int (WINAPI *f_recv)(SOCKET, char *, int, int);
|
||
|
|
||
|
|
||
|
|
||
|
/* Funtion hashes */
|
||
|
|
||
|
/* kernel32 */
|
||
|
#define HASH_LoadLibraryA 0xec0e4e8e
|
||
|
#define HASH_GetProcAddress 0x7c0dfcaa
|
||
|
#define HASH_ExitProcess 0x73e2d87e
|
||
|
#define HASH_VirtualAlloc 0x91afca54
|
||
|
#define HASH_VirtualFree 0x030633ac
|
||
|
#define HASH_VirtualQuery 0xa3c8c8aa
|
||
|
#define HASH_VirtualProtect 0x7946c61b
|
||
|
#define HASH_FlushInstructionCache 0x53120980
|
||
|
#define HASH_WriteProcessMemory 0xd83d6aa1
|
||
|
|
||
|
/* ntdll */
|
||
|
#define HASH_NtOpenSection 0x92b5dd95
|
||
|
#define HASH_NtQueryAttributesFile 0x494a7890
|
||
|
#define HASH_NtOpenFile 0x852974b8
|
||
|
#define HASH_NtCreateSection 0x5bb29bcb
|
||
|
#define HASH_NtMapViewOfSection 0xd5159b94
|
||
|
|
||
|
/* ws2_32 */
|
||
|
#define HASH_recv 0xe71819b6
|
||
|
#define HASH_getpeername 0x95066ef2
|
||
|
|
||
|
|
||
|
|
||
|
typedef struct _SHELLCODE_CTX {
|
||
|
|
||
|
/* File descriptor */
|
||
|
SOCKET sd;
|
||
|
/* Library name */
|
||
|
char libname[256];
|
||
|
int liblen;
|
||
|
/* Global offset */
|
||
|
DWORD offset;
|
||
|
/* Allocated memory sections */
|
||
|
DWORD file_address;
|
||
|
DWORD mapped_address;
|
||
|
|
||
|
/* Hook stub functions */
|
||
|
unsigned char s_NtOpenSection[10];
|
||
|
unsigned char s_NtQueryAttributesFile[10];
|
||
|
unsigned char s_NtOpenFile[10];
|
||
|
unsigned char s_NtCreateSection[10];
|
||
|
unsigned char s_NtMapViewOfSection[10];
|
||
|
/* Hooked functions */
|
||
|
DWORD NtOpenSection;
|
||
|
DWORD NtQueryAttributesFile;
|
||
|
DWORD NtOpenFile;
|
||
|
DWORD NtCreateSection;
|
||
|
DWORD NtMapViewOfSection;
|
||
|
|
||
|
/* function pointers, kernel32 */
|
||
|
f_LoadLibrary LoadLibrary;
|
||
|
f_GetProcAddress GetProcAddress;
|
||
|
f_ExitProcess ExitProcess;
|
||
|
f_VirtualAlloc VirtualAlloc;
|
||
|
f_VirtualFree VirtualFree;
|
||
|
f_VirtualQuery VirtualQuery;
|
||
|
f_VirtualProtect VirtualProtect;
|
||
|
f_FlushInstructionCache FlushInstructionCache;
|
||
|
f_WriteProcessMemory WriteProcessMemory;
|
||
|
/* function pointers, ntdll */
|
||
|
f_NtOpenSection p_NtOpenSection;
|
||
|
f_NtQueryAttributesFile p_NtQueryAttributesFile;
|
||
|
f_NtOpenFile p_NtOpenFile;
|
||
|
f_NtCreateSection p_NtCreateSection;
|
||
|
f_NtMapViewOfSection p_NtMapViewOfSection;
|
||
|
/* function pointers, ws2_32 */
|
||
|
f_recv recv;
|
||
|
|
||
|
|
||
|
} SHELLCODE_CTX;
|
||
|
|
||
|
|