├── .gitignore
├── README.md
├── ShellCodeLoader.c
├── ShellCodeLoader.vcxproj
├── ShellCodeLoader.vcxproj.filters
├── global.h
├── ntstatus_22000.h
├── pe.h
├── peb.h
├── resolver.c
├── resolver.h
├── string_handling.c
├── string_handling.h
├── utils.c
├── utils.h
└── windeftypes.h


/.gitignore:
--------------------------------------------------------------------------------
  1 | # Created by https://www.toptal.com/developers/gitignore/api/visualstudio,c
  2 | # Edit at https://www.toptal.com/developers/gitignore?templates=visualstudio,c
  3 | 
  4 | ### C ###
  5 | # Prerequisites
  6 | *.d
  7 | 
  8 | # Object files
  9 | *.o
 10 | *.ko
 11 | *.obj
 12 | *.elf
 13 | 
 14 | # Linker output
 15 | *.ilk
 16 | *.map
 17 | *.exp
 18 | 
 19 | # Precompiled Headers
 20 | *.gch
 21 | *.pch
 22 | 
 23 | # Libraries
 24 | *.lib
 25 | *.a
 26 | *.la
 27 | *.lo
 28 | 
 29 | # Shared objects (inc. Windows DLLs)
 30 | *.dll
 31 | *.so
 32 | *.so.*
 33 | *.dylib
 34 | 
 35 | # Executables
 36 | *.exe
 37 | *.out
 38 | *.app
 39 | *.i*86
 40 | *.x86_64
 41 | *.hex
 42 | 
 43 | # Debug files
 44 | *.dSYM/
 45 | *.su
 46 | *.idb
 47 | *.pdb
 48 | 
 49 | # Kernel Module Compile Results
 50 | *.mod*
 51 | *.cmd
 52 | .tmp_versions/
 53 | modules.order
 54 | Module.symvers
 55 | Mkfile.old
 56 | dkms.conf
 57 | 
 58 | ### VisualStudio ###
 59 | ## Ignore Visual Studio temporary files, build results, and
 60 | ## files generated by popular Visual Studio add-ons.
 61 | ##
 62 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
 63 | 
 64 | # User-specific files
 65 | *.rsuser
 66 | *.suo
 67 | *.user
 68 | *.userosscache
 69 | *.sln.docstates
 70 | 
 71 | # User-specific files (MonoDevelop/Xamarin Studio)
 72 | *.userprefs
 73 | 
 74 | # Mono auto generated files
 75 | mono_crash.*
 76 | 
 77 | # Build results
 78 | [Dd]ebug/
 79 | [Dd]ebugPublic/
 80 | [Rr]elease/
 81 | [Rr]eleases/
 82 | x64/
 83 | x86/
 84 | [Ww][Ii][Nn]32/
 85 | [Aa][Rr][Mm]/
 86 | [Aa][Rr][Mm]64/
 87 | bld/
 88 | [Bb]in/
 89 | [Oo]bj/
 90 | [Ll]og/
 91 | [Ll]ogs/
 92 | 
 93 | # Visual Studio 2015/2017 cache/options directory
 94 | .vs/
 95 | # Uncomment if you have tasks that create the project's static files in wwwroot
 96 | #wwwroot/
 97 | 
 98 | # Visual Studio 2017 auto generated files
 99 | Generated\ Files/
100 | 
101 | # MSTest test Results
102 | [Tt]est[Rr]esult*/
103 | [Bb]uild[Ll]og.*
104 | 
105 | # NUnit
106 | *.VisualState.xml
107 | TestResult.xml
108 | nunit-*.xml
109 | 
110 | # Build Results of an ATL Project
111 | [Dd]ebugPS/
112 | [Rr]eleasePS/
113 | dlldata.c
114 | 
115 | # Benchmark Results
116 | BenchmarkDotNet.Artifacts/
117 | 
118 | # .NET Core
119 | project.lock.json
120 | project.fragment.lock.json
121 | artifacts/
122 | 
123 | # ASP.NET Scaffolding
124 | ScaffoldingReadMe.txt
125 | 
126 | # StyleCop
127 | StyleCopReport.xml
128 | 
129 | # Files built by Visual Studio
130 | *_i.c
131 | *_p.c
132 | *_h.h
133 | *.meta
134 | *.iobj
135 | *.ipdb
136 | *.pgc
137 | *.pgd
138 | *.rsp
139 | *.sbr
140 | *.tlb
141 | *.tli
142 | *.tlh
143 | *.tmp
144 | *.tmp_proj
145 | *_wpftmp.csproj
146 | *.log
147 | *.tlog
148 | *.vspscc
149 | *.vssscc
150 | .builds
151 | *.pidb
152 | *.svclog
153 | *.scc
154 | 
155 | # Chutzpah Test files
156 | _Chutzpah*
157 | 
158 | # Visual C++ cache files
159 | ipch/
160 | *.aps
161 | *.ncb
162 | *.opendb
163 | *.opensdf
164 | *.sdf
165 | *.cachefile
166 | *.VC.db
167 | *.VC.VC.opendb
168 | 
169 | # Visual Studio profiler
170 | *.psess
171 | *.vsp
172 | *.vspx
173 | *.sap
174 | 
175 | # Visual Studio Trace Files
176 | *.e2e
177 | 
178 | # TFS 2012 Local Workspace
179 | $tf/
180 | 
181 | # Guidance Automation Toolkit
182 | *.gpState
183 | 
184 | # ReSharper is a .NET coding add-in
185 | _ReSharper*/
186 | *.[Rr]e[Ss]harper
187 | *.DotSettings.user
188 | 
189 | # TeamCity is a build add-in
190 | _TeamCity*
191 | 
192 | # DotCover is a Code Coverage Tool
193 | *.dotCover
194 | 
195 | # AxoCover is a Code Coverage Tool
196 | .axoCover/*
197 | !.axoCover/settings.json
198 | 
199 | # Coverlet is a free, cross platform Code Coverage Tool
200 | coverage*.json
201 | coverage*.xml
202 | coverage*.info
203 | 
204 | # Visual Studio code coverage results
205 | *.coverage
206 | *.coveragexml
207 | 
208 | # NCrunch
209 | _NCrunch_*
210 | .*crunch*.local.xml
211 | nCrunchTemp_*
212 | 
213 | # MightyMoose
214 | *.mm.*
215 | AutoTest.Net/
216 | 
217 | # Web workbench (sass)
218 | .sass-cache/
219 | 
220 | # Installshield output folder
221 | [Ee]xpress/
222 | 
223 | # DocProject is a documentation generator add-in
224 | DocProject/buildhelp/
225 | DocProject/Help/*.HxT
226 | DocProject/Help/*.HxC
227 | DocProject/Help/*.hhc
228 | DocProject/Help/*.hhk
229 | DocProject/Help/*.hhp
230 | DocProject/Help/Html2
231 | DocProject/Help/html
232 | 
233 | # Click-Once directory
234 | publish/
235 | 
236 | # Publish Web Output
237 | *.[Pp]ublish.xml
238 | *.azurePubxml
239 | # Note: Comment the next line if you want to checkin your web deploy settings,
240 | # but database connection strings (with potential passwords) will be unencrypted
241 | *.pubxml
242 | *.publishproj
243 | 
244 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
245 | # checkin your Azure Web App publish settings, but sensitive information contained
246 | # in these scripts will be unencrypted
247 | PublishScripts/
248 | 
249 | # NuGet Packages
250 | *.nupkg
251 | # NuGet Symbol Packages
252 | *.snupkg
253 | # The packages folder can be ignored because of Package Restore
254 | **/[Pp]ackages/*
255 | # except build/, which is used as an MSBuild target.
256 | !**/[Pp]ackages/build/
257 | # Uncomment if necessary however generally it will be regenerated when needed
258 | #!**/[Pp]ackages/repositories.config
259 | # NuGet v3's project.json files produces more ignorable files
260 | *.nuget.props
261 | *.nuget.targets
262 | 
263 | # Microsoft Azure Build Output
264 | csx/
265 | *.build.csdef
266 | 
267 | # Microsoft Azure Emulator
268 | ecf/
269 | rcf/
270 | 
271 | # Windows Store app package directories and files
272 | AppPackages/
273 | BundleArtifacts/
274 | Package.StoreAssociation.xml
275 | _pkginfo.txt
276 | *.appx
277 | *.appxbundle
278 | *.appxupload
279 | 
280 | # Visual Studio cache files
281 | # files ending in .cache can be ignored
282 | *.[Cc]ache
283 | # but keep track of directories ending in .cache
284 | !?*.[Cc]ache/
285 | 
286 | # Others
287 | ClientBin/
288 | ~$*
289 | *~
290 | *.dbmdl
291 | *.dbproj.schemaview
292 | *.jfm
293 | *.pfx
294 | *.publishsettings
295 | orleans.codegen.cs
296 | 
297 | # Including strong name files can present a security risk
298 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
299 | #*.snk
300 | 
301 | # Since there are multiple workflows, uncomment next line to ignore bower_components
302 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
303 | #bower_components/
304 | 
305 | # RIA/Silverlight projects
306 | Generated_Code/
307 | 
308 | # Backup & report files from converting an old project file
309 | # to a newer Visual Studio version. Backup files are not needed,
310 | # because we have git ;-)
311 | _UpgradeReport_Files/
312 | Backup*/
313 | UpgradeLog*.XML
314 | UpgradeLog*.htm
315 | ServiceFabricBackup/
316 | *.rptproj.bak
317 | 
318 | # SQL Server files
319 | *.mdf
320 | *.ldf
321 | *.ndf
322 | 
323 | # Business Intelligence projects
324 | *.rdl.data
325 | *.bim.layout
326 | *.bim_*.settings
327 | *.rptproj.rsuser
328 | *- [Bb]ackup.rdl
329 | *- [Bb]ackup ([0-9]).rdl
330 | *- [Bb]ackup ([0-9][0-9]).rdl
331 | 
332 | # Microsoft Fakes
333 | FakesAssemblies/
334 | 
335 | # GhostDoc plugin setting file
336 | *.GhostDoc.xml
337 | 
338 | # Node.js Tools for Visual Studio
339 | .ntvs_analysis.dat
340 | node_modules/
341 | 
342 | # Visual Studio 6 build log
343 | *.plg
344 | 
345 | # Visual Studio 6 workspace options file
346 | *.opt
347 | 
348 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
349 | *.vbw
350 | 
351 | # Visual Studio 6 auto-generated project file (contains which files were open etc.)
352 | *.vbp
353 | 
354 | # Visual Studio 6 workspace and project file (working project files containing files to include in project)
355 | *.dsw
356 | *.dsp
357 | 
358 | # Visual Studio 6 technical files
359 | 
360 | # Visual Studio LightSwitch build output
361 | **/*.HTMLClient/GeneratedArtifacts
362 | **/*.DesktopClient/GeneratedArtifacts
363 | **/*.DesktopClient/ModelManifest.xml
364 | **/*.Server/GeneratedArtifacts
365 | **/*.Server/ModelManifest.xml
366 | _Pvt_Extensions
367 | 
368 | # Paket dependency manager
369 | .paket/paket.exe
370 | paket-files/
371 | 
372 | # FAKE - F# Make
373 | .fake/
374 | 
375 | # CodeRush personal settings
376 | .cr/personal
377 | 
378 | # Python Tools for Visual Studio (PTVS)
379 | __pycache__/
380 | *.pyc
381 | 
382 | # Cake - Uncomment if you are using it
383 | # tools/**
384 | # !tools/packages.config
385 | 
386 | # Tabs Studio
387 | *.tss
388 | 
389 | # Telerik's JustMock configuration file
390 | *.jmconfig
391 | 
392 | # BizTalk build output
393 | *.btp.cs
394 | *.btm.cs
395 | *.odx.cs
396 | *.xsd.cs
397 | 
398 | # OpenCover UI analysis results
399 | OpenCover/
400 | 
401 | # Azure Stream Analytics local run output
402 | ASALocalRun/
403 | 
404 | # MSBuild Binary and Structured Log
405 | *.binlog
406 | 
407 | # NVidia Nsight GPU debugger configuration file
408 | *.nvuser
409 | 
410 | # MFractors (Xamarin productivity tool) working folder
411 | .mfractor/
412 | 
413 | # Local History for Visual Studio
414 | .localhistory/
415 | 
416 | # Visual Studio History (VSHistory) files
417 | .vshistory/
418 | 
419 | # BeatPulse healthcheck temp database
420 | healthchecksdb
421 | 
422 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
423 | MigrationBackup/
424 | 
425 | # Ionide (cross platform F# VS Code tools) working folder
426 | .ionide/
427 | 
428 | # Fody - auto-generated XML schema
429 | FodyWeavers.xsd
430 | 
431 | # VS Code files for those working on multiple tools
432 | .vscode/*
433 | !.vscode/settings.json
434 | !.vscode/tasks.json
435 | !.vscode/launch.json
436 | !.vscode/extensions.json
437 | *.code-workspace
438 | 
439 | # Local History for Visual Studio Code
440 | .history/
441 | 
442 | # Windows Installer files from build outputs
443 | *.cab
444 | *.msi
445 | *.msix
446 | *.msm
447 | *.msp
448 | 
449 | # JetBrains Rider
450 | *.sln.iml
451 | 
452 | ### VisualStudio Patch ###
453 | # Additional files built by Visual Studio
454 | 
455 | # End of https://www.toptal.com/developers/gitignore/api/visualstudio,c


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # ShellCodeExec
 2 | 
 3 | ### This shellcode loader works without any imports and uses my own headers to parse PE, strings...
 4 | 
 5 | * Use NT functions
 6 | * Resolve nt functions with custom GetProcAddress and GetModuleHandle
 7 | * Use a 'custom' malloc function with NtAllocateVirtualMemoy
 8 | * Works for both x86 (WoW64) & x64
 9 | 
10 | Thx to :
11 | 
12 | * Sektor7 for custom GetProcAddress (Sektor7 Malware Development Intermediate Section 2. PE madness)
13 | * @arbiter34 for strings handling : [github](https://github.com/arbiter34/GetProcAddress/blob/master/GetProcAddress/GetProcAddress.cpp)
14 | 
15 | ![64](https://user-images.githubusercontent.com/42241901/224010127-2fdfd26c-e6bc-40f3-af19-27a671924a5c.png)
16 | 
17 | ![86](https://user-images.githubusercontent.com/42241901/224010134-77ee865a-f5db-4519-9fe9-a79c8db30b9d.png)
18 | 


--------------------------------------------------------------------------------
/ShellCodeLoader.c:
--------------------------------------------------------------------------------
 1 | #pragma comment(linker, "/entry:main ")
 2 | #include "global.h"
 3 | 
 4 | /*
 5 | || AUTHOR Arsium ||
 6 | || github : https://github.com/arsium       ||
 7 | 
 8 |     string_manip functions : https://github.com/arbiter34/GetProcAddress/blob/master/GetProcAddress/GetProcAddress.cpp
 9 |     The function "GetProcedureAddressNt" is a rework of function of Sektor7 Malware Development Intermediate Section 2. PE madness
10 | */
11 | 
12 | //https://gist.github.com/kkent030315/b508e56a5cb0e3577908484fa4978f12
13 | char shellcode_x64[] = "\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D\x15\x66\x00\x00\x00"
14 | "\x48\x8D\x0D\x52\x00\x00\x00\xE8\x9E\x00\x00\x00\x4C\x8B\xF8"
15 | "\x48\x8D\x0D\x5D\x00\x00\x00\xFF\xD0\x48\x8D\x15\x5F\x00\x00"
16 | "\x00\x48\x8D\x0D\x4D\x00\x00\x00\xE8\x7F\x00\x00\x00\x4D\x33"
17 | "\xC9\x4C\x8D\x05\x61\x00\x00\x00\x48\x8D\x15\x4E\x00\x00\x00"
18 | "\x48\x33\xC9\xFF\xD0\x48\x8D\x15\x56\x00\x00\x00\x48\x8D\x0D"
19 | "\x0A\x00\x00\x00\xE8\x56\x00\x00\x00\x48\x33\xC9\xFF\xD0\x4B"
20 | "\x45\x52\x4E\x45\x4C\x33\x32\x2E\x44\x4C\x4C\x00\x4C\x6F\x61"
21 | "\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x55\x53\x45\x52\x33"
22 | "\x32\x2E\x44\x4C\x4C\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F"
23 | "\x78\x41\x00\x48\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x00"
24 | "\x4D\x65\x73\x73\x61\x67\x65\x00\x45\x78\x69\x74\x50\x72\x6F"
25 | "\x63\x65\x73\x73\x00\x48\x83\xEC\x28\x65\x4C\x8B\x04\x25\x60"
26 | "\x00\x00\x00\x4D\x8B\x40\x18\x4D\x8D\x60\x10\x4D\x8B\x04\x24"
27 | "\xFC\x49\x8B\x78\x60\x48\x8B\xF1\xAC\x84\xC0\x74\x26\x8A\x27"
28 | "\x80\xFC\x61\x7C\x03\x80\xEC\x20\x3A\xE0\x75\x08\x48\xFF\xC7"
29 | "\x48\xFF\xC7\xEB\xE5\x4D\x8B\x00\x4D\x3B\xC4\x75\xD6\x48\x33"
30 | "\xC0\xE9\xA7\x00\x00\x00\x49\x8B\x58\x30\x44\x8B\x4B\x3C\x4C"
31 | "\x03\xCB\x49\x81\xC1\x88\x00\x00\x00\x45\x8B\x29\x4D\x85\xED"
32 | "\x75\x08\x48\x33\xC0\xE9\x85\x00\x00\x00\x4E\x8D\x04\x2B\x45"
33 | "\x8B\x71\x04\x4D\x03\xF5\x41\x8B\x48\x18\x45\x8B\x50\x20\x4C"
34 | "\x03\xD3\xFF\xC9\x4D\x8D\x0C\x8A\x41\x8B\x39\x48\x03\xFB\x48"
35 | "\x8B\xF2\xA6\x75\x08\x8A\x06\x84\xC0\x74\x09\xEB\xF5\xE2\xE6"
36 | "\x48\x33\xC0\xEB\x4E\x45\x8B\x48\x24\x4C\x03\xCB\x66\x41\x8B"
37 | "\x0C\x49\x45\x8B\x48\x1C\x4C\x03\xCB\x41\x8B\x04\x89\x49\x3B"
38 | "\xC5\x7C\x2F\x49\x3B\xC6\x73\x2A\x48\x8D\x34\x18\x48\x8D\x7C"
39 | "\x24\x30\x4C\x8B\xE7\xA4\x80\x3E\x2E\x75\xFA\xA4\xC7\x07\x44"
40 | "\x4C\x4C\x00\x49\x8B\xCC\x41\xFF\xD7\x49\x8B\xCC\x48\x8B\xD6"
41 | "\xE9\x14\xFF\xFF\xFF\x48\x03\xC3\x48\x83\xC4\x28\xC3";
42 | 
43 | //https://www.exploit-db.com/exploits/37758
44 | char shellcode_x86[] = "\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"
45 | "\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"
46 | "\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"
47 | "\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"
48 | "\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"
49 | "\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"
50 | "\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"
51 | "\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"
52 | "\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"
53 | "\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"
54 | "\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"
55 | "\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"
56 | "\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"
57 | "\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"
58 | "\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"
59 | "\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"
60 | "\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"
61 | "\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"
62 | "\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"
63 | "\x69\x74\x54\x53\xff\xd6\x57\xff\xd0";
64 | 
65 | int main(void)
66 | {
67 |     LPNTALLOCATEVIRTUALMEMORY pNtAllocateProc = GetProcedureAddressNt(ntAllocate);
68 | 
69 |     _PVOID pAllocated = NULL_PTR;
70 |     int sizeInt = 0;
71 | #if defined(_WIN64)
72 |     sizeInt = sizeof(shellcode_x64) / sizeof(char*);
73 | #else
74 |     sizeInt = sizeof(shellcode_x86) / sizeof(char*);
75 | #endif
76 |   
77 |     _SIZE_T size = (_SIZE_T)sizeInt;
78 |     pNtAllocateProc((_HANDLE)(-1), &pAllocated, 0, &size, _MEM_RESERVE | _MEM_COMMIT, _PAGE_EXECUTE_READWRITE);
79 | 
80 |     LPNTWRITEVIRTUALMEMORY pNtWriteProc = GetProcedureAddressNt(ntWriteVirtual);
81 |     pNtWriteProc((_HANDLE)(-1), pAllocated, shellcode_x86, (_DWORD)size, NULL_PTR);
82 | 
83 | #if defined(_WIN64)
84 |     pNtWriteProc((_HANDLE)(-1), pAllocated, shellcode_x64, (_DWORD)size, NULL_PTR);
85 | #else
86 |     pNtWriteProc((_HANDLE)(-1), pAllocated, shellcode_x86, (_DWORD)size, NULL_PTR);
87 | #endif
88 |     ((void(*)())pAllocated)();
89 |     return 0;
90 | }


--------------------------------------------------------------------------------
/ShellCodeLoader.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{142e76de-e9b3-4f8c-ba6a-d22e6a26b343}</ProjectGuid>
 25 |     <RootNamespace>ShellCodeLoader</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <ClCompile>
 75 |       <WarningLevel>Level3</WarningLevel>
 76 |       <SDLCheck>true</SDLCheck>
 77 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 78 |       <ConformanceMode>true</ConformanceMode>
 79 |     </ClCompile>
 80 |     <Link>
 81 |       <SubSystem>Console</SubSystem>
 82 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 83 |     </Link>
 84 |   </ItemDefinitionGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 89 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 90 |       <SDLCheck>true</SDLCheck>
 91 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <ConformanceMode>true</ConformanceMode>
 93 |       <ExceptionHandling>false</ExceptionHandling>
 94 |       <BufferSecurityCheck>false</BufferSecurityCheck>
 95 |     </ClCompile>
 96 |     <Link>
 97 |       <SubSystem>Console</SubSystem>
 98 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
 99 |       <OptimizeReferences>true</OptimizeReferences>
100 |       <GenerateDebugInformation>true</GenerateDebugInformation>
101 |     </Link>
102 |   </ItemDefinitionGroup>
103 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
104 |     <ClCompile>
105 |       <WarningLevel>Level3</WarningLevel>
106 |       <SDLCheck>true</SDLCheck>
107 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
108 |       <ConformanceMode>true</ConformanceMode>
109 |     </ClCompile>
110 |     <Link>
111 |       <SubSystem>Console</SubSystem>
112 |       <GenerateDebugInformation>true</GenerateDebugInformation>
113 |     </Link>
114 |   </ItemDefinitionGroup>
115 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
116 |     <ClCompile>
117 |       <WarningLevel>Level3</WarningLevel>
118 |       <FunctionLevelLinking>true</FunctionLevelLinking>
119 |       <IntrinsicFunctions>true</IntrinsicFunctions>
120 |       <SDLCheck>true</SDLCheck>
121 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
122 |       <ConformanceMode>true</ConformanceMode>
123 |       <ExceptionHandling>false</ExceptionHandling>
124 |       <BufferSecurityCheck>false</BufferSecurityCheck>
125 |     </ClCompile>
126 |     <Link>
127 |       <SubSystem>Console</SubSystem>
128 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
129 |       <OptimizeReferences>true</OptimizeReferences>
130 |       <GenerateDebugInformation>true</GenerateDebugInformation>
131 |     </Link>
132 |   </ItemDefinitionGroup>
133 |   <ItemGroup>
134 |     <ClCompile Include="resolver.c" />
135 |     <ClCompile Include="ShellCodeLoader.c" />
136 |     <ClCompile Include="string_handling.c" />
137 |     <ClCompile Include="utils.c" />
138 |   </ItemGroup>
139 |   <ItemGroup>
140 |     <ClInclude Include="global.h" />
141 |     <ClInclude Include="ntstatus_22000.h" />
142 |     <ClInclude Include="pe.h" />
143 |     <ClInclude Include="peb.h" />
144 |     <ClInclude Include="resolver.h" />
145 |     <ClInclude Include="string_handling.h" />
146 |     <ClInclude Include="utils.h" />
147 |     <ClInclude Include="windeftypes.h" />
148 |   </ItemGroup>
149 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
150 |   <ImportGroup Label="ExtensionTargets">
151 |   </ImportGroup>
152 | </Project>


--------------------------------------------------------------------------------
/ShellCodeLoader.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Fichiers sources">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Fichiers d%27en-tête">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Fichiers de ressources">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="ShellCodeLoader.c">
19 |       <Filter>Fichiers sources</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="resolver.c">
22 |       <Filter>Fichiers sources</Filter>
23 |     </ClCompile>
24 |     <ClCompile Include="string_handling.c">
25 |       <Filter>Fichiers sources</Filter>
26 |     </ClCompile>
27 |     <ClCompile Include="utils.c">
28 |       <Filter>Fichiers sources</Filter>
29 |     </ClCompile>
30 |   </ItemGroup>
31 |   <ItemGroup>
32 |     <ClInclude Include="global.h">
33 |       <Filter>Fichiers d%27en-tête</Filter>
34 |     </ClInclude>
35 |     <ClInclude Include="ntstatus_22000.h">
36 |       <Filter>Fichiers d%27en-tête</Filter>
37 |     </ClInclude>
38 |     <ClInclude Include="pe.h">
39 |       <Filter>Fichiers d%27en-tête</Filter>
40 |     </ClInclude>
41 |     <ClInclude Include="peb.h">
42 |       <Filter>Fichiers d%27en-tête</Filter>
43 |     </ClInclude>
44 |     <ClInclude Include="windeftypes.h">
45 |       <Filter>Fichiers d%27en-tête</Filter>
46 |     </ClInclude>
47 |     <ClInclude Include="resolver.h">
48 |       <Filter>Fichiers d%27en-tête</Filter>
49 |     </ClInclude>
50 |     <ClInclude Include="string_handling.h">
51 |       <Filter>Fichiers d%27en-tête</Filter>
52 |     </ClInclude>
53 |     <ClInclude Include="utils.h">
54 |       <Filter>Fichiers d%27en-tête</Filter>
55 |     </ClInclude>
56 |   </ItemGroup>
57 | </Project>


--------------------------------------------------------------------------------
/global.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | /*
 4 | || AUTHOR Arsium ||
 5 | || github : https://github.com/arsium       ||
 6 | */
 7 | 
 8 | #include "windeftypes.h"
 9 | #include "resolver.h"
10 | #include "peb.h"
11 | #include "pe.h"
12 | #include "utils.h"
13 | #include "string_handling.h"
14 | 
15 | static _PWSTR dll = L"ntdll.dll\0";
16 | static char ntAllocate[] = { 'N','t','A','l','l','o','c','a','t','e','V','i','r','t','u','a','l','M','e','m','o','r','y', '\0' };//"NtAllocateVirtualMemory\0";
17 | static char ntWriteVirtual[] = { 'N','t','W','r','i','t','e','V','i','r','t','u','a','l','M','e','m','o','r','y','\0' };//"NtWriteVirtualMemory\0";
18 | static char ntProtect[] = { 'N','t','P','r','o','t','e','c','t','V','i','r','t','u','a','l','M','e','m','o','r','y','\0' };//"NtProtectVirtualMemory\0";
19 | static char ntFree[] = { 'N','t','F','r','e','e','V','i','r','t','u','a','l','M','e','m','o','r','y','\0' };//"NtFreeVirtualMemory\0";


--------------------------------------------------------------------------------
/pe.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include "global.h"
  3 | 
  4 | /*
  5 | || AUTHOR Arsium ||
  6 | || github : https://github.com/arsium       ||
  7 | */
  8 | 
  9 | typedef struct IMAGE_DOS_HEADER
 10 | {
 11 |     _WORD   e_magic;
 12 |     _WORD   e_cblp;
 13 |     _WORD   e_cp;
 14 |     _WORD   e_crlc;
 15 |     _WORD   e_cparhdr;
 16 |     _WORD   e_minalloc;
 17 |     _WORD   e_maxalloc;
 18 |     _WORD   e_ss;
 19 |     _WORD   e_sp;
 20 |     _WORD   e_csum;
 21 |     _WORD   e_ip;
 22 |     _WORD   e_cs;
 23 |     _WORD   e_lfarlc;
 24 |     _WORD   e_ovno;
 25 |     _WORD   e_res[4];
 26 |     _WORD   e_oemid;
 27 |     _WORD   e_oeminfo;
 28 |     _WORD   e_res2[10];
 29 |     _LONG   e_lfanew;
 30 | } _IMAGE_DOS_HEADER, * _PIMAGE_DOS_HEADER;
 31 | 
 32 | typedef struct IMAGE_DATA_DIRECTORY
 33 | {
 34 |     _DWORD   VirtualAddress;
 35 |     _DWORD   Size;
 36 | } _IMAGE_DATA_DIRECTORY, * _PIMAGE_DATA_DIRECTORY;
 37 | 
 38 | typedef struct IMAGE_OPTIONAL_HEADER
 39 | {
 40 |     _WORD    Magic;
 41 |     _BYTE    MajorLinkerVersion;
 42 |     _BYTE    MinorLinkerVersion;
 43 |     _DWORD   SizeOfCode;
 44 |     _DWORD   SizeOfInitializedData;
 45 |     _DWORD   SizeOfUninitializedData;
 46 |     _DWORD   AddressOfEntryPoint;
 47 |     _DWORD   BaseOfCode;
 48 |     _DWORD   BaseOfData;
 49 |     _DWORD   ImageBase;
 50 |     _DWORD   SectionAlignment;
 51 |     _DWORD   FileAlignment;
 52 |     _WORD    MajorOperatingSystemVersion;
 53 |     _WORD    MinorOperatingSystemVersion;
 54 |     _WORD    MajorImageVersion;
 55 |     _WORD    MinorImageVersion;
 56 |     _WORD    MajorSubsystemVersion;
 57 |     _WORD    MinorSubsystemVersion;
 58 |     _DWORD   Win32VersionValue;
 59 |     _DWORD   SizeOfImage;
 60 |     _DWORD   SizeOfHeaders;
 61 |     _DWORD   CheckSum;
 62 |     _WORD    Subsystem;
 63 |     _WORD    DllCharacteristics;
 64 |     _DWORD   SizeOfStackReserve;
 65 |     _DWORD   SizeOfStackCommit;
 66 |     _DWORD   SizeOfHeapReserve;
 67 |     _DWORD   SizeOfHeapCommit;
 68 |     _DWORD   LoaderFlags;
 69 |     _DWORD   NumberOfRvaAndSizes;
 70 |     _IMAGE_DATA_DIRECTORY DataDirectory[_IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
 71 | } _IMAGE_OPTIONAL_HEADER32, * _PIMAGE_OPTIONAL_HEADER32;
 72 | 
 73 | typedef struct IMAGE_OPTIONAL_HEADER64
 74 | {
 75 |     _WORD        Magic;
 76 |     _BYTE        MajorLinkerVersion;
 77 |     _BYTE        MinorLinkerVersion;
 78 |     _DWORD       SizeOfCode;
 79 |     _DWORD       SizeOfInitializedData;
 80 |     _DWORD       SizeOfUninitializedData;
 81 |     _DWORD       AddressOfEntryPoint;
 82 |     _DWORD       BaseOfCode;
 83 |     _ULONGLONG   ImageBase;
 84 |     _DWORD       SectionAlignment;
 85 |     _DWORD       FileAlignment;
 86 |     _WORD        MajorOperatingSystemVersion;
 87 |     _WORD        MinorOperatingSystemVersion;
 88 |     _WORD        MajorImageVersion;
 89 |     _WORD        MinorImageVersion;
 90 |     _WORD        MajorSubsystemVersion;
 91 |     _WORD        MinorSubsystemVersion;
 92 |     _DWORD       Win32VersionValue;
 93 |     _DWORD       SizeOfImage;
 94 |     _DWORD       SizeOfHeaders;
 95 |     _DWORD       CheckSum;
 96 |     _WORD        Subsystem;
 97 |     _WORD        DllCharacteristics;
 98 |     _ULONGLONG   SizeOfStackReserve;
 99 |     _ULONGLONG   SizeOfStackCommit;
100 |     _ULONGLONG   SizeOfHeapReserve;
101 |     _ULONGLONG   SizeOfHeapCommit;
102 |     _DWORD       LoaderFlags;
103 |     _DWORD       NumberOfRvaAndSizes;
104 |     _IMAGE_DATA_DIRECTORY DataDirectory[_IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
105 | } _IMAGE_OPTIONAL_HEADER64, * _PIMAGE_OPTIONAL_HEADER64;
106 | 
107 | 
108 | #if defined(_M_MRX000) || defined(_M_ALPHA) || defined(_M_PPC) || defined(_M_IA64) || defined(_M_AMD64) || defined(_M_ARM) || defined(_M_ARM64)
109 | #define _ALIGNMENT_MACHINE
110 | #define _UNALIGNED __unaligned
111 | #if defined(_WIN64)
112 | #define _UNALIGNED64 __unaligned
113 | #else
114 | #define _UNALIGNED64
115 | #endif
116 | #else
117 | #undef _ALIGNMENT_MACHINE
118 | #define _UNALIGNED
119 | #define _UNALIGNED64
120 | #endif
121 | 
122 | typedef struct IMAGE_FILE_HEADER
123 | {
124 |     _WORD    Machine;
125 |     _WORD    NumberOfSections;
126 |     _DWORD   TimeDateStamp;
127 |     _DWORD   PointerToSymbolTable;
128 |     _DWORD   NumberOfSymbols;
129 |     _WORD    SizeOfOptionalHeader;
130 |     _WORD    Characteristics;
131 | } _IMAGE_FILE_HEADER, * _PIMAGE_FILE_HEADER;
132 | 
133 | typedef struct IMAGE_NT_HEADERS64
134 | {
135 |     _DWORD Signature;
136 |     _IMAGE_FILE_HEADER FileHeader;
137 |     _IMAGE_OPTIONAL_HEADER64 OptionalHeader;
138 | } _IMAGE_NT_HEADERS64, * _PIMAGE_NT_HEADERS64;
139 | 
140 | typedef struct IMAGE_NT_HEADERS
141 | {
142 |     _DWORD Signature;
143 |     _IMAGE_FILE_HEADER FileHeader;
144 |     _IMAGE_OPTIONAL_HEADER32 OptionalHeader;
145 | } _IMAGE_NT_HEADERS32, * _PIMAGE_NT_HEADERS32;
146 | 
147 | typedef struct IMAGE_SECTION_HEADER {
148 |     _BYTE    Name[_IMAGE_SIZEOF_SHORT_NAME];
149 |     union {
150 |         _DWORD   PhysicalAddress;
151 |         _DWORD   VirtualSize;
152 |     } Misc;
153 |     _DWORD   VirtualAddress;
154 |     _DWORD   SizeOfRawData;
155 |     _DWORD   PointerToRawData;
156 |     _DWORD   PointerToRelocations;
157 |     _DWORD   PointerToLinenumbers;
158 |     _WORD    NumberOfRelocations;
159 |     _WORD    NumberOfLinenumbers;
160 |     _DWORD   Characteristics;
161 | } _IMAGE_SECTION_HEADER, * _PIMAGE_SECTION_HEADER;
162 | 
163 | typedef struct IMAGE_IMPORT_DESCRIPTOR
164 | {
165 |     union {
166 |         _DWORD   Characteristics;            // 0 for terminating null import descriptor
167 |         _DWORD   OriginalFirstThunk;         // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
168 |     } DUMMYUNIONNAME;
169 |     _DWORD   TimeDateStamp;                  // 0 if not bound,
170 |     // -1 if bound, and real date\time stamp
171 |     //     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
172 |     // O.W. date/time stamp of DLL bound to (Old BIND)
173 | 
174 |     _DWORD   ForwarderChain;                 // -1 if no forwarders
175 |     _DWORD   Name;
176 |     _DWORD   FirstThunk;                     // RVA to IAT (if bound this IAT has actual addresses)
177 | } _IMAGE_IMPORT_DESCRIPTOR;
178 | typedef _IMAGE_IMPORT_DESCRIPTOR _UNALIGNED* _PIMAGE_IMPORT_DESCRIPTOR;
179 | 
180 | //@[comment("MVI_tracked")]
181 | typedef struct IMAGE_IMPORT_BY_NAME
182 | {
183 |     _WORD    Hint;
184 |     _CHAR   Name[1];
185 | } _IMAGE_IMPORT_BY_NAME, * _PIMAGE_IMPORT_BY_NAME;
186 | 
187 | //@[comment("MVI_tracked")]
188 | typedef struct IMAGE_THUNK_DATA64
189 | {
190 |     union {
191 |         _ULONGLONG ForwarderString;  // PBYTE 
192 |         _ULONGLONG Function;         // PDWORD
193 |         _ULONGLONG Ordinal;
194 |         _ULONGLONG AddressOfData;    // PIMAGE_IMPORT_BY_NAME
195 |     } u1;
196 | } _IMAGE_THUNK_DATA64;
197 | typedef _IMAGE_THUNK_DATA64* _PIMAGE_THUNK_DATA64;
198 | 
199 | //@[comment("MVI_tracked")]
200 | typedef struct IMAGE_THUNK_DATA32
201 | {
202 |     union {
203 |         _DWORD ForwarderString;      // PBYTE 
204 |         _DWORD Function;             // PDWORD
205 |         _DWORD Ordinal;
206 |         _DWORD AddressOfData;        // PIMAGE_IMPORT_BY_NAME
207 |     } u1;
208 | } _IMAGE_THUNK_DATA32;
209 | typedef _IMAGE_THUNK_DATA32* _PIMAGE_THUNK_DATA32;
210 | 
211 | typedef struct IMAGE_TLS_DIRECTORY64
212 | {
213 |     _ULONGLONG StartAddressOfRawData;
214 |     _ULONGLONG EndAddressOfRawData;
215 |     _ULONGLONG AddressOfIndex;         // PDWORD
216 |     _ULONGLONG AddressOfCallBacks;     // PIMAGE_TLS_CALLBACK *;
217 |     _DWORD SizeOfZeroFill;
218 |     union {
219 |         _DWORD Characteristics;
220 |         struct {
221 |             _DWORD Reserved0 : 20;
222 |             _DWORD Alignment : 4;
223 |             _DWORD Reserved1 : 8;
224 |         } _DUMMYSTRUCTNAME;
225 |     } _DUMMYUNIONNAME;
226 | 
227 | } _IMAGE_TLS_DIRECTORY64;
228 | 
229 | typedef _IMAGE_TLS_DIRECTORY64* _PIMAGE_TLS_DIRECTORY64;
230 | 
231 | typedef struct IMAGE_TLS_DIRECTORY32
232 | {
233 |     _DWORD   StartAddressOfRawData;
234 |     _DWORD   EndAddressOfRawData;
235 |     _DWORD   AddressOfIndex;             // PDWORD
236 |     _DWORD   AddressOfCallBacks;         // PIMAGE_TLS_CALLBACK *
237 |     _DWORD   SizeOfZeroFill;
238 |     union {
239 |         _DWORD Characteristics;
240 |         struct {
241 |             _DWORD Reserved0 : 20;
242 |             _DWORD Alignment : 4;
243 |             _DWORD Reserved1 : 8;
244 |         } _DUMMYSTRUCTNAME;
245 |     } _DUMMYUNIONNAME;
246 | 
247 | } _IMAGE_TLS_DIRECTORY32;
248 | typedef _IMAGE_TLS_DIRECTORY32* _PIMAGE_TLS_DIRECTORY32;
249 | 
250 | typedef struct IMAGE_BASE_RELOCATION
251 | {
252 |     _DWORD   VirtualAddress;
253 |     _DWORD   SizeOfBlock;
254 |     //  WORD    TypeOffset[1];
255 | } _IMAGE_BASE_RELOCATION;
256 | typedef _IMAGE_BASE_RELOCATION _UNALIGNED* _PIMAGE_BASE_RELOCATION;
257 | 
258 | typedef struct IMAGE_EXPORT_DIRECTORY
259 | {
260 |     _DWORD   Characteristics;
261 |     _DWORD   TimeDateStamp;
262 |     _WORD    MajorVersion;
263 |     _WORD    MinorVersion;
264 |     _DWORD   Name;
265 |     _DWORD   Base;
266 |     _DWORD   NumberOfFunctions;
267 |     _DWORD   NumberOfNames;
268 |     _DWORD   AddressOfFunctions;     // RVA from base of image
269 |     _DWORD   AddressOfNames;         // RVA from base of image
270 |     _DWORD   AddressOfNameOrdinals;  // RVA from base of image
271 | } _IMAGE_EXPORT_DIRECTORY, * _PIMAGE_EXPORT_DIRECTORY;
272 | 
273 | 
274 | #ifdef _WIN64
275 | typedef _IMAGE_NT_HEADERS64                 _IMAGE_NT_HEADERS;
276 | typedef _PIMAGE_NT_HEADERS64                _PIMAGE_NT_HEADERS;
277 | typedef _IMAGE_OPTIONAL_HEADER64            _IMAGE_OPTIONAL_HEADER;
278 | typedef _PIMAGE_OPTIONAL_HEADER64           _PIMAGE_OPTIONAL_HEADER;
279 | #define _IMAGE_NT_OPTIONAL_HDR_MAGIC        _IMAGE_NT_OPTIONAL_HDR64_MAGIC
280 | 
281 | #define _IMAGE_ORDINAL_FLAG                 _IMAGE_ORDINAL_FLAG64
282 | #define _IMAGE_ORDINAL(Ordinal)             _IMAGE_ORDINAL64(Ordinal)
283 | typedef _IMAGE_THUNK_DATA64                 _IMAGE_THUNK_DATA;
284 | typedef _PIMAGE_THUNK_DATA64                _PIMAGE_THUNK_DATA;
285 | #define _IMAGE_SNAP_BY_ORDINAL(Ordinal)     _IMAGE_SNAP_BY_ORDINAL64(Ordinal)
286 | typedef _IMAGE_TLS_DIRECTORY64              _IMAGE_TLS_DIRECTORY;
287 | typedef _PIMAGE_TLS_DIRECTORY64             _PIMAGE_TLS_DIRECTORY;
288 | 
289 | #else
290 | typedef _IMAGE_NT_HEADERS32                 _IMAGE_NT_HEADERS;
291 | typedef _PIMAGE_NT_HEADERS32                _PIMAGE_NT_HEADERS;
292 | typedef _IMAGE_OPTIONAL_HEADER32            _IMAGE_OPTIONAL_HEADER;
293 | typedef _PIMAGE_OPTIONAL_HEADER32           _PIMAGE_OPTIONAL_HEADER;
294 | #define _IMAGE_NT_OPTIONAL_HDR_MAGIC        _IMAGE_NT_OPTIONAL_HDR32_MAGIC
295 | 
296 | #define _IMAGE_ORDINAL_FLAG                 _IMAGE_ORDINAL_FLAG32
297 | #define _IMAGE_ORDINAL(Ordinal)             _IMAGE_ORDINAL32(Ordinal)
298 | typedef _IMAGE_THUNK_DATA32                 _IMAGE_THUNK_DATA;
299 | typedef _PIMAGE_THUNK_DATA32                _PIMAGE_THUNK_DATA;
300 | #define IMAGE_SNAP_BY_ORDINAL(Ordinal)      _IMAGE_SNAP_BY_ORDINAL32(Ordinal)
301 | typedef _IMAGE_TLS_DIRECTORY32              _IMAGE_TLS_DIRECTORY;
302 | typedef _PIMAGE_TLS_DIRECTORY32             _PIMAGE_TLS_DIRECTORY;
303 | #endif


--------------------------------------------------------------------------------
/peb.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include "global.h"
  3 | 
  4 | /*
  5 | || AUTHOR Arsium ||
  6 | || github : https://github.com/arsium       ||
  7 | */
  8 | 
  9 | typedef struct LIST_ENTRY
 10 | {
 11 |     struct _LIST_ENTRY* Flink;
 12 |     struct _LIST_ENTRY* Blink;
 13 | } _LIST_ENTRY, * _PLIST_ENTRY;
 14 | 
 15 | typedef struct _PEB_LDR_DATA
 16 | {
 17 |     _ULONG                  Length;
 18 |     _BOOLEAN                Initialized;
 19 |     _PVOID                  SsHandle;
 20 |     _LIST_ENTRY             InLoadOrderModuleList;
 21 |     _LIST_ENTRY             InMemoryOrderModuleList;
 22 |     _LIST_ENTRY             InInitializationOrderModuleList;
 23 |     _PVOID                  EntryInProgress;
 24 | } _PEB_LDR_DATA, * _PPEB_LDR_DATA;
 25 | 
 26 | typedef struct _LDR_DATA_ENTRY
 27 | {
 28 |     _LIST_ENTRY             InLoadOrderModuleList;
 29 |     _LIST_ENTRY             InMemoryOrderModuleList;
 30 |     _LIST_ENTRY             InInitializationOrderModuleList;
 31 |     _PVOID                  BaseAddress;
 32 |     _PVOID                  EntryPoint;
 33 |     _ULONG                  SizeOfImage;
 34 |     _UNICODE_STRING         FullDllName;
 35 |     _UNICODE_STRING         BaseDllName;
 36 |     _ULONG                  Flags;
 37 |     _WORD                   LoadCount;
 38 |     _WORD                   TlsIndex;
 39 |     _LIST_ENTRY             HashLinks;
 40 |     _ULONG                  TimeDateStamp;
 41 |     _HANDLE                 ActivationContext;
 42 |     _PVOID                  PatchInformation;
 43 |     _LIST_ENTRY             ForwarderLinks;
 44 |     _LIST_ENTRY             ServiceTagLinks;
 45 |     _LIST_ENTRY             StaticLinks;
 46 |     _PVOID                  ContextInformation;
 47 |     _ULONG_PTR              OriginalBase;
 48 |     _LARGE_INTEGER          LoadTime;
 49 | } _LDR_DATA_ENTRY, * _PLDR_DATA_ENTRY;//_LDR_MODULE
 50 | 
 51 | typedef struct RTL_BITMAP
 52 | {
 53 |     _ULONG  SizeOfBitMap;
 54 |     _PULONG Buffer;
 55 | } _RTL_BITMAP, * _PRTL_BITMAP;
 56 | 
 57 | typedef struct RTL_DRIVE_LETTER_CURDIR
 58 | {
 59 |     _USHORT              Flags;
 60 |     _USHORT              Length;
 61 |     _ULONG               TimeStamp;
 62 |     _UNICODE_STRING      DosPath;
 63 | } _RTL_DRIVE_LETTER_CURDIR, * _PRTL_DRIVE_LETTER_CURDIR;
 64 | 
 65 | typedef struct CURDIR
 66 | {
 67 |     _UNICODE_STRING     DosPath;
 68 |     _PVOID              Handle;
 69 | } _CURDIR, * _PCURDIR;
 70 | 
 71 | typedef struct RTL_USER_PROCESS_PARAMETERS
 72 | {
 73 |     _ULONG                      AllocationSize;
 74 |     _ULONG                      Size;
 75 |     _ULONG                      Flags;
 76 |     _ULONG                      DebugFlags;
 77 |     _HANDLE                     ConsoleHandle;
 78 |     _ULONG                      ConsoleFlags;
 79 |     _HANDLE                     hStdInput;
 80 |     _HANDLE                     hStdOutput;
 81 |     _HANDLE                     hStdError;
 82 |     _CURDIR                     CurrentDirectory;
 83 |     _UNICODE_STRING             DllPath;
 84 |     _UNICODE_STRING             ImagePathName;
 85 |     _UNICODE_STRING             CommandLine;
 86 |     _PWSTR                      Environment;
 87 |     _ULONG                      dwX;
 88 |     _ULONG                      dwY;
 89 |     _ULONG                      dwXSize;
 90 |     _ULONG                      dwYSize;
 91 |     _ULONG                      dwXCountChars;
 92 |     _ULONG                      dwYCountChars;
 93 |     _ULONG                      dwFillAttribute;
 94 |     _ULONG                      dwFlags;
 95 |     _ULONG                      wShowWindow;
 96 |     _UNICODE_STRING             WindowTitle;
 97 |     _UNICODE_STRING             Desktop;
 98 |     _UNICODE_STRING             ShellInfo;
 99 |     _UNICODE_STRING             RuntimeInfo;
100 |     _RTL_DRIVE_LETTER_CURDIR    DLCurrentDirectory[0x20];
101 | } _RTL_USER_PROCESS_PARAMETERS, * _PRTL_USER_PROCESS_PARAMETERS;
102 | 
103 | typedef struct RTL_CRITICAL_SECTION_DEBUG
104 | {
105 |     _WORD                               Type;
106 |     _WORD                               CreatorBackTraceIndex;
107 |     struct _RTL_CRITICAL_SECTION* CriticalSection;
108 |     _LIST_ENTRY                         ProcessLocksList;
109 |     _DWORD                              EntryCount;
110 |     _DWORD                              ContentionCount;
111 |     _DWORD                              Flags;
112 |     _WORD                               CreatorBackTraceIndexHigh;
113 |     _WORD                               Identifier;
114 | } _RTL_CRITICAL_SECTION_DEBUG, * _PRTL_CRITICAL_SECTION_DEBUG, _RTL_RESOURCE_DEBUG, * _PRTL_RESOURCE_DEBUG;
115 | 
116 | typedef struct RTL_CRITICAL_SECTION
117 | {
118 |     _PRTL_CRITICAL_SECTION_DEBUG DebugInfo;
119 |     _LONG LockCount;
120 |     _LONG RecursionCount;
121 |     _HANDLE OwningThread;
122 |     _HANDLE LockSemaphore;
123 |     _ULONG_PTR SpinCount;
124 | } _RTL_CRITICAL_SECTION, * _PRTL_CRITICAL_SECTION;
125 | 
126 | 
127 | typedef struct PEB
128 | {                                                                 /* win32/win64 */
129 |     _BOOLEAN                        InheritedAddressSpace;             /* 000/000 */
130 |     _BOOLEAN                        ReadImageFileExecOptions;          /* 001/001 */
131 |     _BOOLEAN                        BeingDebugged;                     /* 002/002 */
132 |     _BOOLEAN                        SpareBool;                         /* 003/003 */
133 |     _HANDLE                         Mutant;                            /* 004/008 */
134 |     _PVOID                          ImageBaseAddress;                  /* 008/010 */
135 |     _PPEB_LDR_DATA                  LdrData;
136 |     _RTL_USER_PROCESS_PARAMETERS* ProcessParameters;                 /* 010/020 */
137 |     _PVOID                          SubSystemData;                     /* 014/028 */
138 |     _HANDLE                         ProcessHeap;                       /* 018/030 */
139 |     _PRTL_CRITICAL_SECTION          FastPebLock;                       /* 01c/038 */
140 |     _PVOID /*PPEBLOCKROUTINE*/      FastPebLockRoutine;                /* 020/040 */
141 |     _PVOID /*PPEBLOCKROUTINE*/      FastPebUnlockRoutine;              /* 024/048 */
142 |     _ULONG                          EnvironmentUpdateCount;            /* 028/050 */
143 |     _PVOID                          KernelCallbackTable;               /* 02c/058 */
144 |     _ULONG                          Reserved[2];                       /* 030/060 */
145 |     _PVOID /*PPEB_FREE_BLOCK*/      FreeList;                          /* 038/068 */
146 |     _ULONG                          TlsExpansionCounter;               /* 03c/070 */
147 |     _PRTL_BITMAP                    TlsBitmap;                         /* 040/078 */
148 |     _ULONG                          TlsBitmapBits[2];                  /* 044/080 */
149 |     _PVOID                          ReadOnlySharedMemoryBase;          /* 04c/088 */
150 |     _PVOID                          ReadOnlySharedMemoryHeap;          /* 050/090 */
151 |     _PVOID* ReadOnlyStaticServerData;          /* 054/098 */
152 |     _PVOID                          AnsiCodePageData;                  /* 058/0a0 */
153 |     _PVOID                          OemCodePageData;                   /* 05c/0a8 */
154 |     _PVOID                          UnicodeCaseTableData;              /* 060/0b0 */
155 |     _ULONG                          NumberOfProcessors;                /* 064/0b8 */
156 |     _ULONG                          NtGlobalFlag;                      /* 068/0bc */
157 |     _LARGE_INTEGER                  CriticalSectionTimeout;            /* 070/0c0 */
158 |     _ULONG_PTR                      HeapSegmentReserve;                /* 078/0c8 */
159 |     _ULONG_PTR                      HeapSegmentCommit;                 /* 07c/0d0 */
160 |     _ULONG_PTR                      HeapDeCommitTotalFreeThreshold;    /* 080/0d8 */
161 |     _ULONG_PTR                      HeapDeCommitFreeBlockThreshold;    /* 084/0e0 */
162 |     _ULONG                          NumberOfHeaps;                     /* 088/0e8 */
163 |     _ULONG                          MaximumNumberOfHeaps;              /* 08c/0ec */
164 |     _PVOID* ProcessHeaps;                      /* 090/0f0 */
165 |     _PVOID                          GdiSharedHandleTable;              /* 094/0f8 */
166 |     _PVOID                          ProcessStarterHelper;              /* 098/100 */
167 |     _PVOID                          GdiDCAttributeList;                /* 09c/108 */
168 |     _PVOID                          LoaderLock;                        /* 0a0/110 */
169 |     _ULONG                          OSMajorVersion;                    /* 0a4/118 */
170 |     _ULONG                          OSMinorVersion;                    /* 0a8/11c */
171 |     _ULONG                          OSBuildNumber;                     /* 0ac/120 */
172 |     _ULONG                          OSPlatformId;                      /* 0b0/124 */
173 |     _ULONG                          ImageSubSystem;                    /* 0b4/128 */
174 |     _ULONG                          ImageSubSystemMajorVersion;        /* 0b8/12c */
175 |     _ULONG                          ImageSubSystemMinorVersion;        /* 0bc/130 */
176 |     _ULONG                          ImageProcessAffinityMask;          /* 0c0/134 */
177 |     _HANDLE                         GdiHandleBuffer[28];               /* 0c4/138 */
178 |     _ULONG                          unknown[6];                        /* 134/218 */
179 |     _PVOID                          PostProcessInitRoutine;            /* 14c/230 */
180 |     _PRTL_BITMAP                    TlsExpansionBitmap;                /* 150/238 */
181 |     _ULONG                          TlsExpansionBitmapBits[32];        /* 154/240 */
182 |     _ULONG                          SessionId;                         /* 1d4/2c0 */
183 |     _ULARGE_INTEGER                 AppCompatFlags;                    /* 1d8/2c8 */
184 |     _ULARGE_INTEGER                 AppCompatFlagsUser;                /* 1e0/2d0 */
185 |     _PVOID                          ShimData;                          /* 1e8/2d8 */
186 |     _PVOID                          AppCompatInfo;                     /* 1ec/2e0 */
187 |     _UNICODE_STRING                 CSDVersion;                        /* 1f0/2e8 */
188 |     _PVOID                          ActivationContextData;             /* 1f8/2f8 */
189 |     _PVOID                          ProcessAssemblyStorageMap;         /* 1fc/300 */
190 |     _PVOID                          SystemDefaultActivationData;       /* 200/308 */
191 |     _PVOID                          SystemAssemblyStorageMap;          /* 204/310 */
192 |     _ULONG_PTR                      MinimumStackCommit;                /* 208/318 */
193 |     _PVOID* FlsCallback;                       /* 20c/320 */
194 |     _LIST_ENTRY                     FlsListHead;                       /* 210/328 */
195 |     _PRTL_BITMAP                    FlsBitmap;                         /* 218/338 */
196 |     _ULONG                          FlsBitmapBits[4];                  /* 21c/340 */
197 | } _PEB, * _PPEB;


--------------------------------------------------------------------------------
/resolver.c:
--------------------------------------------------------------------------------
 1 | #include "global.h"
 2 | 
 3 | /*
 4 | || AUTHOR Arsium ||
 5 | || github : https://github.com/arsium       ||
 6 | */
 7 | 
 8 | _LPVOID _CBASE NtCurrentPeb(void)
 9 | {
10 | #if defined(_WIN64)
11 |     _UINT64 pPebLocation = __readgsqword(0x60);
12 |     return (_LPVOID)pPebLocation;
13 | #else
14 |     _UINT32 pPebLocation = __readfsdword(0x30);
15 |     return (_LPVOID)pPebLocation;
16 | #endif
17 | }
18 | 
19 | _PVOID _CBASE GetModuleBaseAddress(_PWSTR name)
20 | {
21 |     _PPEB pPeb = (_PPEB)NtCurrentPeb();
22 |     _PPEB_LDR_DATA pLdrData = (_PPEB_LDR_DATA)pPeb->LdrData;
23 | 
24 |     for (_PLDR_DATA_ENTRY pLdrDataEntry = (_PLDR_DATA_ENTRY)pLdrData->InLoadOrderModuleList.Flink; pLdrDataEntry->BaseAddress != NULL_PTR; pLdrDataEntry = (_PLDR_DATA_ENTRY)pLdrDataEntry->InLoadOrderModuleList.Flink)
25 |     {
26 |         if (CompareUnicode(name, pLdrDataEntry->BaseDllName.Buffer))
27 |             return pLdrDataEntry->BaseAddress;
28 |     }
29 |     return NULL_PTR;
30 | }
31 | 
32 | _LPVOID _CBASE GetProcedureAddressNt(char* sProcName)
33 | {
34 |     _DWORD_PTR pBaseAddr = (_DWORD_PTR)GetModuleBaseAddress(dll);
35 | 
36 |     _IMAGE_DOS_HEADER* pDosHdr = (_IMAGE_DOS_HEADER*)pBaseAddr;
37 |     _IMAGE_NT_HEADERS* pNTHdr = (_IMAGE_NT_HEADERS*)(pBaseAddr + pDosHdr->e_lfanew);
38 |     _IMAGE_OPTIONAL_HEADER* pOptionalHdr = &pNTHdr->OptionalHeader;
39 |     _IMAGE_DATA_DIRECTORY* pExportDataDir = (_IMAGE_DATA_DIRECTORY*)(&pOptionalHdr->DataDirectory[_IMAGE_DIRECTORY_ENTRY_EXPORT]);
40 |     _IMAGE_EXPORT_DIRECTORY* pExportDirAddr = (_IMAGE_EXPORT_DIRECTORY*)(pBaseAddr + pExportDataDir->VirtualAddress);
41 | 
42 |     _DWORD* pEAT = (_DWORD*)(pBaseAddr + pExportDirAddr->AddressOfFunctions);
43 |     _DWORD* pFuncNameTbl = (_DWORD*)(pBaseAddr + pExportDirAddr->AddressOfNames);
44 |     _WORD* pHintsTbl = (_WORD*)(pBaseAddr + pExportDirAddr->AddressOfNameOrdinals);
45 | 
46 |     if (((_DWORD_PTR)sProcName >> 16) == 0)
47 |     {
48 |         _WORD ordinal = (_WORD)sProcName & 0xFFFF;	
49 |         _DWORD Base = pExportDirAddr->Base;			
50 | 
51 |         if (ordinal < Base || ordinal >= Base + pExportDirAddr->NumberOfFunctions)
52 |             return NULL_PTR;
53 | 
54 |         return (_PVOID)(pBaseAddr + (_DWORD_PTR)pEAT[ordinal - Base]);
55 |     }
56 |     else
57 |     {
58 |         for (_DWORD i = 0; i < pExportDirAddr->NumberOfNames; i++)
59 |         {
60 |             char* sTmpFuncName = (char*)(pBaseAddr + (_DWORD_PTR)pFuncNameTbl[i]);
61 | 
62 |             if (CompareAnsi(sProcName, sTmpFuncName) == TRUE)
63 |             {
64 |                 return (_LPVOID)(pBaseAddr + (_DWORD_PTR)pEAT[pHintsTbl[i]]);
65 |             }
66 |         }
67 |     }
68 | }


--------------------------------------------------------------------------------
/resolver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | /*
4 | || AUTHOR Arsium ||
5 | || github : https://github.com/arsium       ||
6 | */
7 | 
8 | _PVOID	_CBASE GetModuleBaseAddress(_PWSTR);
9 | _LPVOID _CBASE GetProcedureAddressNt(char*);


--------------------------------------------------------------------------------
/string_handling.c:
--------------------------------------------------------------------------------
  1 | #include "global.h"
  2 | 
  3 | /*
  4 | || AUTHOR Arsium ||
  5 | || github : https://github.com/arsium       ||
  6 | */
  7 | 
  8 | _BOOLEAN CompareUnicode(_PWSTR u1, _PWSTR u2)
  9 | {
 10 |     for (int i = 0; i < StringLengthW(u1); i++)
 11 |     {
 12 |         if (ToLowerW(u1[i]) != ToLowerW(u2[i]))
 13 |             return FALSE;
 14 |     }
 15 |     return TRUE;
 16 | }
 17 | 
 18 | _BOOLEAN CompareAnsi(char* u1, char* u2)
 19 | {
 20 |     for (int i = 0; i < StringLengthA(u1); i++)
 21 |     {
 22 |         if (ToLowerA(u1[i]) != ToLowerA(u2[i]))
 23 |             return FALSE;
 24 |     }
 25 |     return TRUE;
 26 | }
 27 | 
 28 | char* Separator(char* full_name)
 29 | {
 30 |     _size_t len = strlen(full_name);
 31 | 
 32 |     for (_size_t i = 0; i < len; i++)
 33 |     {
 34 |         if (full_name[i] == '.')
 35 |         {
 36 |             return &full_name[i + 1];
 37 |         }
 38 |     }
 39 |     return NULL_PTR;
 40 | }
 41 | 
 42 | char* ReverseSeparator(char* full_name)
 43 | {
 44 |     _size_t len = StringLengthA(full_name);
 45 | 
 46 |     int indexPoint = 5;//. d l l \0
 47 | 
 48 |     for (_size_t i = 0; i < len; i++)
 49 |     {
 50 |         if (full_name[i] == '.')
 51 |         {
 52 |             indexPoint += i;
 53 |             break;
 54 |         }
 55 |     }
 56 |     _DWORD_PTR size = (_DWORD_PTR)((sizeof(char) * indexPoint));
 57 |     char* name = (char*)MallocCustom(&size);
 58 |     if (name != NULL_PTR)
 59 |     {
 60 |         for (int i = 0; i < indexPoint; i++)
 61 |             name[i] = full_name[i];
 62 | 
 63 |         name[indexPoint - 5] = '.';
 64 |         name[indexPoint - 4] = 'd';
 65 |         name[indexPoint - 3] = 'l';
 66 |         name[indexPoint - 2] = 'l';
 67 |         name[indexPoint - 1] = '\0';
 68 |         return name;
 69 |     }
 70 |     return NULL_PTR;
 71 | }
 72 | 
 73 | _WCHAR* CharToWCharT(char* str)
 74 | {
 75 |     int length = StringLengthA(str);
 76 | 
 77 |     _DWORD_PTR size = (_DWORD_PTR)(sizeof(_WCHAR) * length + 2);
 78 |     _WCHAR* wStr = (_WCHAR*)MallocCustom(&size);
 79 | 
 80 |     if (wStr != NULL_PTR)
 81 |     {
 82 |         for (int i = 0; i < length; i++)
 83 |         {
 84 |             wStr[i] = (_WCHAR)(str[i]);
 85 |         }
 86 |         wStr[length] = '\0';
 87 |         return (_WCHAR*)wStr;
 88 |     }
 89 |     return NULL_PTR;
 90 | }
 91 | 
 92 | _WCHAR ToLowerW(_WCHAR ch)
 93 | {
 94 |     if (ch > 0x40 && ch < 0x5B)
 95 |     {
 96 |         return ch + 0x20;
 97 |     }
 98 |     return ch;
 99 | }
100 | 
101 | char ToLowerA(char ch)
102 | {
103 |     if (ch > 96 && ch < 123)
104 |     {
105 |         ch -= 32;
106 |     }
107 |     return ch;
108 | }
109 | 
110 | int StringLengthA(char* str)
111 | {
112 |     int length;
113 |     for (length = 0; str[length] != '\0'; length++) {}
114 |     return length;
115 | }
116 | 
117 | int StringLengthW(_WCHAR* str) {
118 |     int length;
119 |     for (length = 0; str[length] != '\0'; length++) {}
120 |     return length;
121 | }
122 | 
123 | _BOOL StringMatches(_WCHAR* str1, _WCHAR* str2)
124 | {
125 |     if (str1 == NULL_PTR || str2 == NULL_PTR || StringLengthW(str1) != StringLengthW(str2))
126 |     {
127 |         return FALSE;
128 |     }
129 | 
130 |     for (int i = 0; str1[i] != '\0' && str2[i] != '\0'; i++)
131 |     {
132 |         if (ToLowerW(str1[i]) != ToLowerW(str2[i]))
133 |         {
134 |             return FALSE;
135 |         }
136 |     }
137 |     return TRUE;
138 | }


--------------------------------------------------------------------------------
/string_handling.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include "global.h"
 3 | 
 4 | /*
 5 | || AUTHOR Arsium ||
 6 | || github : https://github.com/arsium       ||
 7 | */
 8 | 
 9 | _BOOLEAN	CompareUnicode(_PWSTR, _PWSTR);
10 | char*		Separator(char*);
11 | char*		ReverseSeparator(char*);
12 | char		ToLowerA(char);
13 | _WCHAR		ToLowerW(_WCHAR);
14 | int			StringLengthA(char*);
15 | int			StringLengthW(_WCHAR*);
16 | _BOOL		StringMatches(_WCHAR*, _WCHAR*);
17 | _WCHAR*		CharToWCharT(char*);
18 | _BOOLEAN	CompareAnsi(char*, char*);


--------------------------------------------------------------------------------
/utils.c:
--------------------------------------------------------------------------------
 1 | #include "global.h"
 2 | 
 3 | /*
 4 | || AUTHOR Arsium ||
 5 | || github : https://github.com/arsium       ||
 6 | */
 7 | 
 8 | _PVOID MallocCustom(_PSIZE_T size)
 9 | {
10 |     LPNTALLOCATEVIRTUALMEMORY pNtAllocate = GetProcedureAddressNt(ntAllocate);
11 |     _PVOID pAllocated = NULL_PTR;
12 |     pNtAllocate((_HANDLE)(-1), &pAllocated, 0, size, _MEM_RESERVE | _MEM_COMMIT, _PAGE_READWRITE);
13 |     return pAllocated;
14 | }


--------------------------------------------------------------------------------
/utils.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "global.h"
3 | 
4 | /*
5 | || AUTHOR Arsium ||
6 | || github : https://github.com/arsium       ||
7 | */
8 | _PVOID MallocCustom(_PDWORD_PTR);


--------------------------------------------------------------------------------
/windeftypes.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include "global.h"
  3 | 
  4 | /*
  5 | || AUTHOR Arsium ||
  6 | || github : https://github.com/arsium       ||
  7 | */
  8 | 
  9 | //-----------------START Windows Defines-----------------//
 10 | #ifndef _OPTIONAL
 11 | #define _OPTIONAL
 12 | #endif
 13 | 
 14 | #define _DUMMYUNIONNAME
 15 | #define _DUMMYSTRUCTNAME
 16 | #define NULL_PTR                                    (void*)0
 17 | #define _VOID                                       void
 18 | #define _NTAPI                                      __stdcall
 19 | #define _WINAPI                                     __stdcall
 20 | #define _CBASE                                      __cdecl
 21 | #define _APIENTRY                                   WINAPI
 22 | 
 23 | #ifndef FALSE
 24 | #define FALSE                                       0
 25 | #endif
 26 | 
 27 | #ifndef TRUE
 28 | #define TRUE                                        1
 29 | #endif
 30 | 
 31 | #define 	_FILE_SUPERSEDE                         0x00000000
 32 | #define 	_FILE_OPEN                              0x00000001
 33 | #define 	_FILE_CREATE                            0x00000002
 34 | #define 	_FILE_OPEN_IF                           0x00000003
 35 | #define 	_FILE_OVERWRITE                         0x00000004
 36 | #define 	_FILE_MAXIMUM_DISPOSITION               0x00000005
 37 | #define 	_FILE_DIRECTORY_FILE                    0x00000001
 38 | #define 	_FILE_WRITE_THROUGH                     0x00000002
 39 | #define 	_FILE_SEQUENTIAL_ONLY                   0x00000004
 40 | #define 	_FILE_NO_INTERMEDIATE_BUFFERING         0x00000008
 41 | #define 	_FILE_SYNCHRONOUS_IO_ALERT              0x00000010
 42 | #define 	_FILE_SYNCHRONOUS_IO_NONALERT           0x00000020
 43 | #define 	_FILE_NON_DIRECTORY_FILE                0x00000040
 44 | #define 	_FILE_CREATE_TREE_CONNECTION            0x00000080
 45 | #define 	_FILE_COMPLETE_IF_OPLOCKED              0x00000100
 46 | #define 	_FILE_NO_EA_KNOWLEDGE                   0x00000200
 47 | #define 	_FILE_OPEN_FOR_RECOVERY                 0x00000400
 48 | #define 	_FILE_RANDOM_ACCESS                     0x00000800
 49 | #define 	_FILE_DELETE_ON_CLOSE                   0x00001000
 50 | #define 	_FILE_OPEN_BY_FILE_ID                   0x00002000
 51 | #define 	_FILE_OPEN_FOR_BACKUP_INTENT            0x00004000
 52 | #define 	_FILE_NO_COMPRESSION                    0x00008000
 53 | #define 	_FILE_OPEN_REQUIRING_OPLOCK             0x00010000
 54 | #define 	_FILE_DISALLOW_EXCLUSIVE                0x00020000
 55 | #define 	_FILE_SESSION_AWARE                     0x00040000
 56 | #define 	_FILE_RESERVE_OPFILTER                  0x00100000
 57 | #define 	_FILE_OPEN_REPARSE_POINT                0x00200000
 58 | #define 	_FILE_OPEN_NO_RECALL                    0x00400000
 59 | #define 	_FILE_OPEN_FOR_FREE_SPACE_QUERY         0x00800000
 60 | #define 	_FILE_COPY_STRUCTURED_STORAGE           0x00000041
 61 | #define 	_FILE_STRUCTURED_STORAGE                0x00000441
 62 | #define 	_FILE_SUPERSEDED                        0x00000000
 63 | #define 	_FILE_OPENED                            0x00000001
 64 | #define 	_FILE_CREATED                           0x00000002
 65 | #define 	_FILE_OVERWRITTEN                       0x00000003
 66 | #define 	_FILE_EXISTS                            0x00000004
 67 | #define 	_FILE_DOES_NOT_EXIST                    0x00000005
 68 | #define 	_FILE_WRITE_TO_END_OF_FILE              0xffffffff
 69 | #define 	_FILE_USE_FILE_POINTER_POSITION         0xfffffffe
 70 | 
 71 | #define _FILE_SHARE_READ                            0x00000001  
 72 | #define _FILE_SHARE_WRITE                           0x00000002  
 73 | #define _FILE_SHARE_DELETE                          0x00000004  
 74 | #define _FILE_ATTRIBUTE_READONLY                    0x00000001  
 75 | #define _FILE_ATTRIBUTE_HIDDEN                      0x00000002  
 76 | #define _FILE_ATTRIBUTE_SYSTEM                      0x00000004  
 77 | #define _FILE_ATTRIBUTE_DIRECTORY                   0x00000010  
 78 | #define _FILE_ATTRIBUTE_ARCHIVE                     0x00000020  
 79 | #define _FILE_ATTRIBUTE_DEVICE                      0x00000040  
 80 | #define _FILE_ATTRIBUTE_NORMAL                      0x00000080  
 81 | #define _FILE_ATTRIBUTE_TEMPORARY                   0x00000100  
 82 | #define _FILE_ATTRIBUTE_SPARSE_FILE                 0x00000200  
 83 | #define _FILE_ATTRIBUTE_REPARSE_POINT               0x00000400  
 84 | #define _FILE_ATTRIBUTE_COMPRESSED                  0x00000800  
 85 | #define _FILE_ATTRIBUTE_OFFLINE                     0x00001000  
 86 | #define _FILE_ATTRIBUTE_NOT_CONTENT_INDEXED         0x00002000  
 87 | #define _FILE_ATTRIBUTE_ENCRYPTED                   0x00004000  
 88 | #define _FILE_ATTRIBUTE_INTEGRITY_STREAM            0x00008000  
 89 | #define _FILE_ATTRIBUTE_VIRTUAL                     0x00010000  
 90 | #define _FILE_ATTRIBUTE_NO_SCRUB_DATA               0x00020000  
 91 | #define _FILE_ATTRIBUTE_EA                          0x00040000  
 92 | #define _FILE_ATTRIBUTE_PINNED                      0x00080000  
 93 | #define _FILE_ATTRIBUTE_UNPINNED                    0x00100000  
 94 | #define _FILE_ATTRIBUTE_RECALL_ON_OPEN              0x00040000  
 95 | #define _FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS       0x00400000 
 96 | 
 97 | #define 	_OBJ_INHERIT                            0x00000002
 98 | #define 	_OBJ_PERMANENT                          0x00000010
 99 | #define 	_OBJ_EXCLUSIVE                          0x00000020
100 | #define 	_OBJ_CASE_INSENSITIVE                   0x00000040
101 | #define 	_OBJ_OPENIF                             0x00000080
102 | #define 	_OBJ_OPENLINK                           0x00000100
103 | #define 	_OBJ_KERNEL_HANDLE                      0x00000200
104 | #define 	_OBJ_FORCE_ACCESS_CHECK                 0x00000400
105 | #define 	_OBJ_VALID_ATTRIBUTES                   0x000007f2
106 | 
107 | #define _IMAGE_FILE_MACHINE_UNKNOWN                 0x0000
108 | #define _IMAGE_FILE_MACHINE_TARGET_HOST             0x0001
109 | #define _IMAGE_FILE_MACHINE_I386                    0x014c// Intel 386.
110 | #define _IMAGE_FILE_MACHINE_R3000                   0x0162
111 | #define _IMAGE_FILE_MACHINE_R4000                   0x0166  
112 | #define _IMAGE_FILE_MACHINE_R10000                  0x0168 
113 | #define _IMAGE_FILE_MACHINE_WCEMIPSV2               0x0169  
114 | #define _IMAGE_FILE_MACHINE_ALPHA                   0x0184  
115 | #define _IMAGE_FILE_MACHINE_SH3                     0x01a2 
116 | #define _IMAGE_FILE_MACHINE_SH3DSP                  0x01a3
117 | #define _IMAGE_FILE_MACHINE_SH3E                    0x01a4
118 | #define _IMAGE_FILE_MACHINE_SH4                     0x01a6
119 | #define _IMAGE_FILE_MACHINE_SH5                     0x01a8
120 | #define _IMAGE_FILE_MACHINE_ARM                     0x01c0
121 | #define _IMAGE_FILE_MACHINE_THUMB                   0x01c2
122 | #define _IMAGE_FILE_MACHINE_ARMNT                   0x01c4
123 | #define _IMAGE_FILE_MACHINE_AM33                    0x01d3
124 | #define _IMAGE_FILE_MACHINE_POWERPC                 0x01F0
125 | #define _IMAGE_FILE_MACHINE_POWERPCFP               0x01f1
126 | #define _IMAGE_FILE_MACHINE_IA64                    0x0200// Intel 64
127 | #define _IMAGE_FILE_MACHINE_MIPS16                  0x0266
128 | #define _IMAGE_FILE_MACHINE_ALPHA64                 0x0284
129 | #define _IMAGE_FILE_MACHINE_MIPSFPU                 0x0366
130 | #define _IMAGE_FILE_MACHINE_MIPSFPU16               0x0466
131 | #define _IMAGE_FILE_MACHINE_AXP64                   _IMAGE_FILE_MACHINE_ALPHA64
132 | #define _IMAGE_FILE_MACHINE_TRICORE                 0x0520
133 | #define _IMAGE_FILE_MACHINE_CEF                     0x0CEF
134 | #define _IMAGE_FILE_MACHINE_EBC                     0x0EBC
135 | #define _IMAGE_FILE_MACHINE_AMD64                   0x8664// AMD64 (K8)
136 | #define _IMAGE_FILE_MACHINE_M32R                    0x9041
137 | #define _IMAGE_FILE_MACHINE_ARM64                   0xAA64
138 | #define _IMAGE_FILE_MACHINE_CEE                     0xC0EE
139 | 
140 | #define _IMAGE_SUBSYSTEM_UNKNOWN                    0   // Unknown subsystem.
141 | #define _IMAGE_SUBSYSTEM_NATIVE                     1   // Image doesn't require a subsystem.
142 | #define _IMAGE_SUBSYSTEM_WINDOWS_GUI                2   // Image runs in the Windows GUI subsystem.
143 | #define _IMAGE_SUBSYSTEM_WINDOWS_CUI                3   // Image runs in the Windows character subsystem.
144 | #define _IMAGE_SUBSYSTEM_OS2_CUI                    5   // image runs in the OS/2 character subsystem.
145 | #define _IMAGE_SUBSYSTEM_POSIX_CUI                  7   // image runs in the Posix character subsystem.
146 | #define _IMAGE_SUBSYSTEM_NATIVE_WINDOWS             8   // image is a native Win9x driver.
147 | #define _IMAGE_SUBSYSTEM_WINDOWS_CE_GUI             9   // Image runs in the Windows CE subsystem.
148 | #define _IMAGE_SUBSYSTEM_EFI_APPLICATION            10  //
149 | #define _IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER    11   //
150 | #define _IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER         12  //
151 | #define _IMAGE_SUBSYSTEM_EFI_ROM                    13
152 | #define _IMAGE_SUBSYSTEM_XBOX                       14
153 | #define _IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION   16
154 | #define _IMAGE_SUBSYSTEM_XBOX_CODE_CATALOG          17
155 | 
156 | #define _IMAGE_LIBRARY_PROCESS_INIT                             0x0001     // Reserved.
157 | #define _IMAGE_LIBRARY_PROCESS_TERM                             0x0002     // Reserved.
158 | #define _IMAGE_LIBRARY_THREAD_INIT                              0x0004     // Reserved.
159 | #define _IMAGE_LIBRARY_THREAD_TERM                              0x0008     // Reserved.
160 | #define _IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA               0x0020//64-bit  
161 | #define _IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE                  0x0040    
162 | #define _IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY               0x0080     
163 | #define _IMAGE_DLLCHARACTERISTICS_NX_COMPAT                     0x0100// DEP
164 | #define _IMAGE_DLLCHARACTERISTICS_NO_ISOLATION                  0x0200     
165 | #define _IMAGE_DLLCHARACTERISTICS_NO_SEH                        0x0400     
166 | #define _IMAGE_DLLCHARACTERISTICS_NO_BIND                       0x0800    
167 | #define _IMAGE_DLLCHARACTERISTICS_APPCONTAINER                  0x1000 
168 | #define _IMAGE_DLLCHARACTERISTICS_WDM_DRIVER                    0x2000   
169 | #define _IMAGE_DLLCHARACTERISTICS_GUARD_CF                      0x4000
170 | #define _IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE         0x8000
171 | 
172 | #define _IMAGE_FILE_RELOCS_STRIPPED                             0x0001  // Relocation info stripped from file.
173 | #define _IMAGE_FILE_EXECUTABLE_IMAGE                            0x0002  // File is executable  (i.e. no unresolved external references).
174 | #define _IMAGE_FILE_LINE_NUMS_STRIPPED                          0x0004  // Line nunbers stripped from file.
175 | #define _IMAGE_FILE_LOCAL_SYMS_STRIPPED                         0x0008  // Local symbols stripped from file.
176 | #define _IMAGE_FILE_AGGRESIVE_WS_TRIM                           0x0010  // Aggressively trim working set
177 | #define _IMAGE_FILE_LARGE_ADDRESS_AWARE                         0x0020  // App can handle >2gb addresses
178 | #define _IMAGE_FILE_BYTES_REVERSED_LO                           0x0080  // Bytes of machine word are reversed.
179 | #define _IMAGE_FILE_32BIT_MACHINE                               0x0100  // 32 bit word machine.
180 | #define _IMAGE_FILE_DEBUG_STRIPPED                              0x0200  // Debugging info stripped from file in .DBG file
181 | #define _IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP                     0x0400  // If Image is on removable media, copy and run from the swap file.
182 | #define _IMAGE_FILE_NET_RUN_FROM_SWAP                           0x0800  // If Image is on Net, copy and run from the swap file.
183 | #define _IMAGE_FILE_SYSTEM                                      0x1000  // System File.
184 | #define _IMAGE_FILE_DLL                                         0x2000  // File is a DLL.
185 | #define _IMAGE_FILE_UP_SYSTEM_ONLY                              0x4000  // File should only be run on a UP machine
186 | #define _IMAGE_FILE_BYTES_REVERSED_HI                           0x8000  // Bytes of machine word are reversed.
187 | 
188 | #define _MEM_COMMIT                                             0x00001000  
189 | #define _MEM_RESERVE                                            0x00002000  
190 | #define _MEM_REPLACE_PLACEHOLDER                                0x00004000  
191 | #define _MEM_RESERVE_PLACEHOLDER                                0x00040000  
192 | #define _MEM_RESET                                              0x00080000  
193 | #define _MEM_TOP_DOWN                                           0x00100000  
194 | #define _MEM_WRITE_WATCH                                        0x00200000  
195 | #define _MEM_PHYSICAL                                           0x00400000  
196 | #define _MEM_ROTATE                                             0x00800000  
197 | #define _MEM_DIFFERENT_IMAGE_BASE_OK                            0x00800000  
198 | #define _MEM_RESET_UNDO                                         0x01000000  
199 | #define _MEM_LARGE_PAGES                                        0x20000000  
200 | #define _MEM_4MB_PAGES                                          0x80000000  
201 | #define _MEM_64K_PAGES                                          (MEM_LARGE_PAGES | MEM_PHYSICAL)  
202 | #define _MEM_UNMAP_WITH_TRANSIENT_BOOST                         0x00000001  
203 | #define _MEM_COALESCE_PLACEHOLDERS                              0x00000001  
204 | #define _MEM_PRESERVE_PLACEHOLDER                               0x00000002  
205 | #define _MEM_DECOMMIT                                           0x00004000  
206 | #define _MEM_RELEASE                                            0x00008000  
207 | #define _MEM_FREE                                               0x00010000  
208 | 
209 | #define _PAGE_NOACCESS                                          0x01    
210 | #define _PAGE_READONLY                                          0x02    
211 | #define _PAGE_READWRITE                                         0x04    
212 | #define _PAGE_WRITECOPY                                         0x08    
213 | #define _PAGE_EXECUTE                                           0x10    
214 | #define _PAGE_EXECUTE_READ                                      0x20    
215 | #define _PAGE_EXECUTE_READWRITE                                 0x40    
216 | #define _PAGE_EXECUTE_WRITECOPY                                 0x80    
217 | #define _PAGE_GUARD                                             0x100    
218 | #define _PAGE_NOCACHE                                           0x200    
219 | #define _PAGE_WRITECOMBINE                                      0x400    
220 | #define _PAGE_GRAPHICS_NOACCESS                                 0x0800    
221 | #define _PAGE_GRAPHICS_READONLY                                 0x1000    
222 | #define _PAGE_GRAPHICS_READWRITE                                0x2000    
223 | #define _PAGE_GRAPHICS_EXECUTE                                  0x4000    
224 | #define _PAGE_GRAPHICS_EXECUTE_READ                             0x8000    
225 | #define _PAGE_GRAPHICS_EXECUTE_READWRITE                        0x10000    
226 | #define _PAGE_GRAPHICS_COHERENT                                 0x20000    
227 | #define _PAGE_GRAPHICS_NOCACHE                                  0x40000    
228 | #define _PAGE_ENCLAVE_THREAD_CONTROL                            0x80000000  
229 | #define _PAGE_REVERT_TO_FILE_MAP                                0x80000000  
230 | #define _PAGE_TARGETS_NO_UPDATE                                 0x40000000  
231 | #define _PAGE_TARGETS_INVALID                                   0x40000000  
232 | #define _PAGE_ENCLAVE_UNVALIDATED                               0x20000000  
233 | #define _PAGE_ENCLAVE_MASK                                      0x10000000  
234 | #define _PAGE_ENCLAVE_DECOMMIT                                  (_PAGE_ENCLAVE_MASK | 0) 
235 | #define _PAGE_ENCLAVE_SS_FIRST                                  (_PAGE_ENCLAVE_MASK | 1) 
236 | #define _PAGE_ENCLAVE_SS_REST                                   (_PAGE_ENCLAVE_MASK | 2) 
237 | 
238 | #define _DLL_PROCESS_ATTACH                                     0x1    
239 | #define _DLL_THREAD_ATTACH                                      0x2    
240 | #define _DLL_THREAD_DETACH                                      0x3    
241 | #define _DLL_PROCESS_DETACH                                     0x0    
242 | 
243 | #define _IMAGE_DIRECTORY_ENTRY_EXPORT                           0   // Export Directory
244 | #define _IMAGE_DIRECTORY_ENTRY_IMPORT                           1   // Import Directory
245 | #define _IMAGE_DIRECTORY_ENTRY_RESOURCE                         2   // Resource Directory
246 | #define _IMAGE_DIRECTORY_ENTRY_EXCEPTION                        3   // Exception Directory
247 | #define _IMAGE_DIRECTORY_ENTRY_SECURITY                         4   // Security Directory
248 | #define _IMAGE_DIRECTORY_ENTRY_BASERELOC                        5   // Base Relocation Table
249 | #define _IMAGE_DIRECTORY_ENTRY_DEBUG                            6   // Debug Directory
250 | //      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       7   // (X86 usage)
251 | #define _IMAGE_DIRECTORY_ENTRY_ARCHITECTURE                     7   // Architecture Specific Data
252 | #define _IMAGE_DIRECTORY_ENTRY_GLOBALPTR                        8   // RVA of GP
253 | #define _IMAGE_DIRECTORY_ENTRY_TLS                              9   // TLS Directory
254 | #define _IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG                      10   // Load Configuration Directory
255 | #define _IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT                     11   // Bound Import Directory in headers
256 | #define _IMAGE_DIRECTORY_ENTRY_IAT                              12   // Import Address Table
257 | #define _IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT                     13   // Delay Load Import Descriptors
258 | #define _IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR                   14   // COM Runtime descriptor
259 | 
260 | #define _IMAGE_REL_BASED_ABSOLUTE                               0
261 | #define _IMAGE_REL_BASED_HIGH                                   1
262 | #define _IMAGE_REL_BASED_LOW                                    2
263 | #define _IMAGE_REL_BASED_HIGHLOW                                3
264 | #define _IMAGE_REL_BASED_HIGHADJ                                4
265 | #define _IMAGE_REL_BASED_MACHINE_SPECIFIC_5                     5
266 | #define _IMAGE_REL_BASED_RESERVED                               6
267 | #define _IMAGE_REL_BASED_MACHINE_SPECIFIC_7                     7
268 | #define _IMAGE_REL_BASED_MACHINE_SPECIFIC_8                     8
269 | #define _IMAGE_REL_BASED_MACHINE_SPECIFIC_9                     9
270 | #define _IMAGE_REL_BASED_DIR64                                  10
271 | 
272 | #define _IMAGE_SCN_TYPE_REG                                     0x00000000  // Reserved.
273 | #define _IMAGE_SCN_TYPE_DSECT                                   0x00000001  // Reserved.
274 | #define _IMAGE_SCN_TYPE_NOLOAD                                  0x00000002  // Reserved.
275 | #define _IMAGE_SCN_TYPE_GROUP                                   0x00000004  // Reserved.
276 | #define _IMAGE_SCN_TYPE_NO_PAD                                  0x00000008  // Reserved.
277 | #define _IMAGE_SCN_TYPE_COPY                                    0x00000010  // Reserved.
278 | 
279 | #define _IMAGE_SCN_CNT_CODE                                     0x00000020  
280 | #define _IMAGE_SCN_CNT_INITIALIZED_DATA                         0x00000040  
281 | #define _IMAGE_SCN_CNT_UNINITIALIZED_DATA                       0x00000080 
282 | 
283 | #define _IMAGE_SCN_LNK_OTHER                                    0x00000100  // Reserved.
284 | #define _IMAGE_SCN_LNK_INFO                                     0x00000200 
285 | #define _IMAGE_SCN_TYPE_OVER                                    0x00000400  // Reserved.
286 | #define _IMAGE_SCN_LNK_REMOVE                                   0x00000800  
287 | #define _IMAGE_SCN_LNK_COMDAT                                   0x00001000  
288 | //                                           0x00002000  // Reserved.
289 | #define _IMAGE_SCN_MEM_PROTECTED                                0x00004000//- Obsolete
290 | #define _IMAGE_SCN_NO_DEFER_SPEC_EXC                            0x00004000  
291 | #define _IMAGE_SCN_GPREL                                        0x00008000  
292 | #define _IMAGE_SCN_MEM_FARDATA                                  0x00008000
293 | #define _IMAGE_SCN_MEM_SYSHEAP                                  0x00010000//- Obsolete
294 | #define _IMAGE_SCN_MEM_PURGEABLE                                0x00020000
295 | #define _IMAGE_SCN_MEM_16BIT                                    0x00020000
296 | #define _IMAGE_SCN_MEM_LOCKED                                   0x00040000
297 | #define _IMAGE_SCN_MEM_PRELOAD                                  0x00080000
298 | 
299 | #define _IMAGE_SCN_ALIGN_1BYTES                                 0x00100000  
300 | #define _IMAGE_SCN_ALIGN_2BYTES                                 0x00200000  
301 | #define _IMAGE_SCN_ALIGN_4BYTES                                 0x00300000  
302 | #define _IMAGE_SCN_ALIGN_8BYTES                                 0x00400000  
303 | #define _IMAGE_SCN_ALIGN_16BYTES                                0x00500000  
304 | #define _IMAGE_SCN_ALIGN_32BYTES                                0x00600000  
305 | #define _IMAGE_SCN_ALIGN_64BYTES                                0x00700000  
306 | #define _IMAGE_SCN_ALIGN_128BYTES                               0x00800000  
307 | #define _IMAGE_SCN_ALIGN_256BYTES                               0x00900000  
308 | #define _IMAGE_SCN_ALIGN_512BYTES                               0x00A00000  
309 | #define _IMAGE_SCN_ALIGN_1024BYTES                              0x00B00000  
310 | #define _IMAGE_SCN_ALIGN_2048BYTES                              0x00C00000  
311 | #define _IMAGE_SCN_ALIGN_4096BYTES                              0x00D00000  
312 | #define _IMAGE_SCN_ALIGN_8192BYTES                              0x00E00000  
313 | // Unused                                    0x00F00000
314 | #define _IMAGE_SCN_ALIGN_MASK                                   0x00F00000
315 | 
316 | #define _IMAGE_SCN_LNK_NRELOC_OVFL                              0x01000000  
317 | #define _IMAGE_SCN_MEM_DISCARDABLE                              0x02000000 
318 | #define _IMAGE_SCN_MEM_NOT_CACHED                               0x04000000 
319 | #define _IMAGE_SCN_MEM_NOT_PAGED                                0x08000000  
320 | #define _IMAGE_SCN_MEM_SHARED                                   0x10000000  
321 | #define _IMAGE_SCN_MEM_EXECUTE                                  0x20000000  
322 | #define _IMAGE_SCN_MEM_READ                                     0x40000000 
323 | #define _IMAGE_SCN_MEM_WRITE                                    0x80000000  
324 | 
325 | #define _DELETE                                                 0x00010000L
326 | #define _READ_CONTROL                                           0x00020000L
327 | #define _WRITE_DAC                                              0x00040000L
328 | #define _WRITE_OWNER                                            0x00080000L
329 | #define _SYNCHRONIZE                                            0x00100000L
330 | #define _STANDARD_RIGHTS_REQUIRED                               0x000F0000L
331 | #define _STANDARD_RIGHTS_READ                                   _READ_CONTROL
332 | #define _STANDARD_RIGHTS_WRITE                                  _READ_CONTROL
333 | #define _STANDARD_RIGHTS_EXECUTE                                _READ_CONTROL
334 | #define _STANDARD_RIGHTS_ALL                                    0x001F0000L
335 | #define _SPECIFIC_RIGHTS_ALL                                    0x0000FFFFL
336 | #define _ACCESS_SYSTEM_SECURITY                                 0x01000000L
337 | #define _MAXIMUM_ALLOWED                                        0x02000000L
338 | #define _GENERIC_READ                                           0x80000000L
339 | #define _GENERIC_WRITE                                          0x40000000L
340 | #define _GENERIC_EXECUTE                                        0x20000000L
341 | #define _GENERIC_ALL                                            0x10000000L
342 | 
343 | #define _PROCESS_TERMINATE                                       0x0001
344 | #define _PROCESS_CREATE_THREAD                                   0x0002
345 | #define _PROCESS_SET_SESSIONID                                   0x0004
346 | #define _PROCESS_VM_OPERATION                                    0x0008
347 | #define _PROCESS_VM_READ                                         0x0010
348 | #define _PROCESS_VM_WRITE                                        0x0020
349 | #define _PROCESS_CREATE_PROCESS                                  0x0080
350 | #define _PROCESS_SET_QUOTA                                       0x0100
351 | #define _PROCESS_SET_INFORMATION                                 0x0200
352 | #define _PROCESS_QUERY_INFORMATION                               0x0400
353 | #define _PROCESS_SUSPEND_RESUME                                  0x0800
354 | #define _PROCESS_QUERY_LIMITED_INFORMATION                       0x1000
355 | 
356 | #if (NTDDI_VERSION >= NTDDI_LONGHORN)
357 | #define _PROCESS_ALL_ACCESS                      (_STANDARD_RIGHTS_REQUIRED | \
358 |                                                  _SYNCHRONIZE | \
359 |                                                  0xFFFF)
360 | #else
361 | #define _PROCESS_ALL_ACCESS                      (_STANDARD_RIGHTS_REQUIRED | \
362 |                                                  _SYNCHRONIZE | \
363 |                                                  0xFFF)
364 | #endif
365 | 
366 | #define _IMAGE_DOS_SIGNATURE                                    0x5A4D      //MZ
367 | #define _IMAGE_NT_SIGNATURE                                     0x50450000  //PE00
368 | 
369 | #define _IMAGE_SIZEOF_FILE_HEADER                               20
370 | #define _IMAGE_SIZEOF_SECTION_HEADER                            40
371 | #define _IMAGE_NUMBEROF_DIRECTORY_ENTRIES                       16
372 | #define _IMAGE_SIZEOF_SHORT_NAME                                8
373 | 
374 | #define _IMAGE_NT_OPTIONAL_HDR32_MAGIC                          0x10b
375 | #define _IMAGE_NT_OPTIONAL_HDR64_MAGIC                          0x20b
376 | 
377 | #define _IMAGE_ORDINAL_FLAG64                                   0x8000000000000000
378 | #define _IMAGE_ORDINAL_FLAG32                                   0x80000000
379 | #define _IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffff)
380 | #define _IMAGE_ORDINAL32(Ordinal) (Ordinal & 0xffff)
381 | #define _IMAGE_SNAP_BY_ORDINAL64(Ordinal) ((Ordinal & _IMAGE_ORDINAL_FLAG64) != 0)
382 | #define _IMAGE_SNAP_BY_ORDINAL32(Ordinal) ((Ordinal & _IMAGE_ORDINAL_FLAG32) != 0)
383 | //-----------------END Windows Defines-----------------//
384 | 
385 | //-----------------START Windows Base Types-----------------//
386 | #if defined(_WIN64)
387 | typedef unsigned __int64            _size_t;
388 | typedef unsigned __int64            _ULONG_PTR;
389 | typedef unsigned __int64            _ULONGLONG;
390 | typedef __int64                     _LONGLONG;
391 | 
392 | typedef unsigned long long          _BASESIZE;
393 | typedef unsigned long long* _PBASESIZE;
394 | #else
395 | typedef unsigned int                _size_t;
396 | typedef unsigned long            _ULONG_PTR;
397 | typedef unsigned __int32            _ULONGLONG; //NO SHITTY typedef double ULONGLONG;
398 | typedef __int32                     _LONGLONG;  //NO SHITTY typedef double LONGLONG;
399 | 
400 | typedef unsigned long               _BASESIZE;
401 | typedef unsigned long* _PBASESIZE;
402 | #endif
403 | 
404 | typedef char                        _CHAR;
405 | typedef unsigned char               _BYTE;
406 | typedef unsigned char               _UCHAR;
407 | 
408 | typedef short                       _SHORT;
409 | typedef unsigned short              _USHORT;
410 | typedef unsigned short              _WORD;
411 | typedef unsigned short              _WCHAR;    // wc,   16-bit UNICODE character
412 | //typedef wchar_t  _WCHAR;
413 | 
414 | typedef int                         _BOOL;
415 | typedef unsigned int                _UINT32;
416 | typedef unsigned int                _UINT;
417 | 
418 | typedef long                        _LONG;
419 | typedef unsigned long               _DWORD;
420 | typedef unsigned long               _ULONG;
421 | 
422 | typedef unsigned __int64            _UINT64;
423 | typedef unsigned __int64            _QWORD;
424 | 
425 | typedef void* _PVOID;
426 | typedef void* _LPVOID;
427 | 
428 | typedef _PVOID                      _HANDLE;
429 | typedef _ULONG_PTR                  _DWORD_PTR, * _PDWORD_PTR;
430 | typedef _ULONG_PTR                  _SIZE_T, * _PSIZE_T;
431 | typedef _ULONG* _PULONG;
432 | typedef _HANDLE                     _HINSTANCE;
433 | typedef _HINSTANCE                  _HMODULE;
434 | typedef _HANDLE* _PHANDLE;
435 | typedef _DWORD                      _ACCESS_MASK;
436 | typedef _ACCESS_MASK* _PACCESS_MASK;
437 | typedef _WCHAR* _PCWSTR;
438 | typedef _WORD* _PWORD;
439 | typedef _UCHAR* _PUCHAR;
440 | typedef _BYTE                       _BOOLEAN;
441 | typedef _DWORD* _PDWORD;
442 | typedef _BYTE* _LPBYTE;
443 | 
444 | typedef _WCHAR* _LPCWSTR;
445 | typedef _CHAR* _LPCSTR;//__nullterminated  
446 | typedef _WCHAR* _PWSTR;//__nullterminated  
447 | typedef _CHAR* _LPSTR;//__nullterminated  
448 | 
449 | typedef _LONG _KPRIORITY;
450 | 
451 | #ifdef UNICODE
452 | typedef _LPCWSTR                    _LPCTSTR;
453 | #else
454 | typedef _LPCSTR                     _LPCTSTR;
455 | #endif
456 | 
457 | #define _MAKEINTRESOURCEA(i) ((LPSTR)((ULONG_PTR)((WORD)(i))))
458 | 
459 | typedef _LONG _NTSTATUS;
460 | typedef _LONG NTSTATUS;
461 | #define _NT_SUCCESS(Status) ((_NTSTATUS)(Status) == _STATUS_SUCCESS)
462 | //-----------------END Windows Base Types-----------------//
463 | 
464 | //-----------------START Windows Types-----------------//
465 | typedef union LARGE_INTEGER
466 | {
467 |     struct {
468 |         _DWORD LowPart;
469 |         _LONG  HighPart;
470 |     } _DUMMYSTRUCTNAME;
471 |     struct {
472 |         _DWORD LowPart;
473 |         _LONG  HighPart;
474 |     } u;
475 |     _LONGLONG QuadPart;
476 | } _LARGE_INTEGER, * _PLARGE_INTEGER;
477 | 
478 | typedef union ULARGE_INTEGER
479 | {
480 |     struct {
481 |         _DWORD LowPart;
482 |         _DWORD HighPart;
483 |     } _DUMMYSTRUCTNAME;
484 |     struct {
485 |         _DWORD LowPart;
486 |         _DWORD HighPart;
487 |     } u;
488 |     _ULONGLONG QuadPart;
489 | } _ULARGE_INTEGER, * _PULARGE_INTEGER;
490 | 
491 | typedef struct _UNICODE_STRING
492 | {
493 |     _USHORT Length;
494 |     _USHORT MaximumLength;
495 |     _PWSTR  Buffer;
496 | }_UNICODE_STRING, * _PUNICODE_STRING;
497 | 
498 | 
499 | //-----------------END Windows Types-----------------//
500 | 
501 | 
502 | typedef _NTSTATUS _NTAPI NTALLOCATEVIRTUALMEMORY(
503 |     _HANDLE     ProcessHandle,
504 |     _PVOID* BaseAddress,
505 |     _ULONG_PTR  ZeroBits,
506 |     _PSIZE_T    RegionSize,
507 |     _ULONG      AllocationType,
508 |     _ULONG      Protect
509 | ); typedef NTALLOCATEVIRTUALMEMORY* LPNTALLOCATEVIRTUALMEMORY;
510 | 
511 | typedef _NTSTATUS _NTAPI NTFREEVIRTUALMEMORY(
512 |     _HANDLE     ProcessHandle,
513 |     _PVOID* BaseAddress,
514 |     _PSIZE_T    RegionSize,
515 |     _ULONG      FreeType
516 | ); typedef NTFREEVIRTUALMEMORY* LPNTFREEVIRTUALMEMORY;
517 | 
518 | 
519 | typedef _NTSTATUS _NTAPI NTWRITEVIRTUALMEMORY(
520 |     _HANDLE ProcessHandle,
521 |     _PVOID BaseAddress,
522 |     _PVOID Buffer,
523 |     _ULONG NumberOfBytesToWrite,
524 |     _PULONG NumberOfBytesWritten _OPTIONAL
525 | ); typedef NTWRITEVIRTUALMEMORY* LPNTWRITEVIRTUALMEMORY;


--------------------------------------------------------------------------------