├── .gitignore
├── .gitmodules
├── LICENSE
├── README.md
├── anymapper.sln
├── anymapper
├── anymapper.hpp
├── anymapper.vcxproj
├── anymapper.vcxproj.filters
├── filebuf.hpp
├── helper.hpp
├── kernel.hpp
├── main.cpp
├── nt.hpp
├── pe.cpp
└── pe.hpp
├── image.png
└── logo.png
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Aa][Rr][Mm]/
27 | [Aa][Rr][Mm]64/
28 | bld/
29 | [Bb]in/
30 | [Oo]bj/
31 | [Ll]og/
32 | [Ll]ogs/
33 |
34 | # Visual Studio 2015/2017 cache/options directory
35 | .vs/
36 | # Uncomment if you have tasks that create the project's static files in wwwroot
37 | #wwwroot/
38 |
39 | # Visual Studio 2017 auto generated files
40 | Generated\ Files/
41 |
42 | # MSTest test Results
43 | [Tt]est[Rr]esult*/
44 | [Bb]uild[Ll]og.*
45 |
46 | # NUnit
47 | *.VisualState.xml
48 | TestResult.xml
49 | nunit-*.xml
50 |
51 | # Build Results of an ATL Project
52 | [Dd]ebugPS/
53 | [Rr]eleasePS/
54 | dlldata.c
55 |
56 | # Benchmark Results
57 | BenchmarkDotNet.Artifacts/
58 |
59 | # .NET Core
60 | project.lock.json
61 | project.fragment.lock.json
62 | artifacts/
63 |
64 | # StyleCop
65 | StyleCopReport.xml
66 |
67 | # Files built by Visual Studio
68 | *_i.c
69 | *_p.c
70 | *_h.h
71 | *.ilk
72 | *.meta
73 | *.obj
74 | *.iobj
75 | *.pch
76 | *.pdb
77 | *.ipdb
78 | *.pgc
79 | *.pgd
80 | *.rsp
81 | *.sbr
82 | *.tlb
83 | *.tli
84 | *.tlh
85 | *.tmp
86 | *.tmp_proj
87 | *_wpftmp.csproj
88 | *.log
89 | *.vspscc
90 | *.vssscc
91 | .builds
92 | *.pidb
93 | *.svclog
94 | *.scc
95 |
96 | # Chutzpah Test files
97 | _Chutzpah*
98 |
99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 |
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 |
116 | # Visual Studio Trace Files
117 | *.e2e
118 |
119 | # TFS 2012 Local Workspace
120 | $tf/
121 |
122 | # Guidance Automation Toolkit
123 | *.gpState
124 |
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 |
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 |
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 |
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 |
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 |
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 |
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 |
153 | # Web workbench (sass)
154 | .sass-cache/
155 |
156 | # Installshield output folder
157 | [Ee]xpress/
158 |
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 |
169 | # Click-Once directory
170 | publish/
171 |
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 |
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 |
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 |
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 |
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 |
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 |
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 |
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 |
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 |
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 |
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 |
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 |
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 |
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 |
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 |
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 |
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 |
278 | # Visual Studio 6 build log
279 | *.plg
280 |
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 |
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 |
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 |
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 |
299 | # FAKE - F# Make
300 | .fake/
301 |
302 | # CodeRush personal settings
303 | .cr/personal
304 |
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 |
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 |
313 | # Tabs Studio
314 | *.tss
315 |
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 |
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 |
325 | # OpenCover UI analysis results
326 | OpenCover/
327 |
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 |
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 |
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 |
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 |
340 | # Local History for Visual Studio
341 | .localhistory/
342 |
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 |
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 |
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "anycall"]
2 | path = anycall
3 | url = https://github.com/kkent030315/anycall
4 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2021 Kento Oki
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | 
3 |
4 |
5 |
6 | 
7 | 
8 | 
9 |
10 |
11 | # anymapper
12 |
13 | x64 Windows kernel driver mapper, inject unsigned driver using anycall
14 |
15 |
16 | 
17 |
18 |
19 | This project is WIP.
20 |
21 | # Todo
22 |
23 | - Fix: Can't make API calls from IAT nor function pointer
24 |
25 | # License
26 |
27 | MIT copyright Kento Oki \
28 |
--------------------------------------------------------------------------------
/anymapper.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31321.278
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "anymapper", "anymapper\anymapper.vcxproj", "{DA181F81-807E-4453-B34C-D1DBE9686D04}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libanycall", "..\anycall\libanycall\libanycall.vcxproj", "{4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Release|x64 = Release|x64
15 | Release|x86 = Release|x86
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {DA181F81-807E-4453-B34C-D1DBE9686D04}.Debug|x64.ActiveCfg = Debug|x64
19 | {DA181F81-807E-4453-B34C-D1DBE9686D04}.Debug|x64.Build.0 = Debug|x64
20 | {DA181F81-807E-4453-B34C-D1DBE9686D04}.Debug|x86.ActiveCfg = Debug|Win32
21 | {DA181F81-807E-4453-B34C-D1DBE9686D04}.Debug|x86.Build.0 = Debug|Win32
22 | {DA181F81-807E-4453-B34C-D1DBE9686D04}.Release|x64.ActiveCfg = Release|x64
23 | {DA181F81-807E-4453-B34C-D1DBE9686D04}.Release|x64.Build.0 = Release|x64
24 | {DA181F81-807E-4453-B34C-D1DBE9686D04}.Release|x86.ActiveCfg = Release|Win32
25 | {DA181F81-807E-4453-B34C-D1DBE9686D04}.Release|x86.Build.0 = Release|Win32
26 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Debug|x64.ActiveCfg = Debug|x64
27 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Debug|x64.Build.0 = Debug|x64
28 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Debug|x86.ActiveCfg = Debug|Win32
29 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Debug|x86.Build.0 = Debug|Win32
30 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Release|x64.ActiveCfg = Release|x64
31 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Release|x64.Build.0 = Release|x64
32 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Release|x86.ActiveCfg = Release|Win32
33 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Release|x86.Build.0 = Release|Win32
34 | EndGlobalSection
35 | GlobalSection(SolutionProperties) = preSolution
36 | HideSolutionNode = FALSE
37 | EndGlobalSection
38 | GlobalSection(ExtensibilityGlobals) = postSolution
39 | SolutionGuid = {5AF6E88B-DE60-4AC5-B722-43DAD9906037}
40 | EndGlobalSection
41 | EndGlobal
42 |
--------------------------------------------------------------------------------
/anymapper/anymapper.hpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 | #include
30 | #include
31 |
32 | #include "nt.hpp"
33 | #include "pe.hpp"
34 | #include "kernel.hpp"
35 | #include "filebuf.hpp"
36 | #include "helper.hpp"
37 | #include "../anycall/libanycall/libanycall.h"
38 |
39 | #define ANYMAPPER_POOL_TAG 'myna'
40 |
41 | namespace anymapper
42 | {
43 | bool inject_driver(
44 | const std::wstring_view driver_path )
45 | {
46 | if ( !std::filesystem::exists( driver_path ) )
47 | {
48 | printf( "[!] %ls does not exists\n", driver_path.data() );
49 | return false;
50 | }
51 |
52 | printf( "[~] loading: %ls\n", driver_path.data() );
53 |
54 | std::vector file_buffer;
55 |
56 | if ( !filebuf::copy_file_to_buffer( driver_path, file_buffer )
57 | || !file_buffer.size() )
58 | {
59 | printf( "[!] failed to prepare buffer\n" );
60 | return false;
61 | }
62 |
63 | const auto file_buf_PE = pe::pe( file_buffer.data() );
64 |
65 | if ( !file_buf_PE.is_dos_header_valid() )
66 | {
67 | printf( "[!] \033[0;101;30minvalid dos signature: 0x%lX\033[0m\n",
68 | file_buf_PE.pdos_header->e_magic );
69 | return false;
70 | }
71 |
72 | if ( !file_buf_PE.is_nt_headers_valid() )
73 | {
74 | printf( "[!] \033[0;101;30minvalid nt headers signature: 0x%lX\033[0m\n",
75 | file_buf_PE.pnt_headers->Signature );
76 | return false;
77 | }
78 |
79 | void* buffer = VirtualAlloc(
80 | NULL,
81 | file_buf_PE.pnt_headers->OptionalHeader.SizeOfImage,
82 | MEM_RESERVE | MEM_COMMIT,
83 | PAGE_READWRITE );
84 |
85 | if ( !buffer )
86 | {
87 | printf( "[!] failed to allocate user buffer (0x%lX)\n", GetLastError() );
88 | return false;
89 | }
90 |
91 | printf( "[+] user buffer allocated @ 0x%p\n", buffer );
92 |
93 | memcpy( buffer, &file_buffer.data()[ 0 ], file_buffer.size() );
94 |
95 | printf( "[+] image mapped to 0x%p\n", buffer );
96 |
97 | auto PE = pe::pe( buffer );
98 |
99 | if ( !PE.is_dos_header_valid() )
100 | {
101 | printf( "[!] \033[0;101;30minvalid dos signature: 0x%lX\033[0m\n",
102 | PE.pdos_header->e_magic );
103 | return false;
104 | }
105 |
106 | if ( !PE.is_nt_headers_valid() )
107 | {
108 | printf( "[!] \033[0;101;30minvalid nt headers signature: 0x%lX\033[0m\n",
109 | PE.pnt_headers->Signature );
110 | return false;
111 | }
112 |
113 | if ( !PE.is_64bit_image() )
114 | {
115 | printf( "[!] \033[0;101;30mimage type must be 64-bit: 0x%lX\033[0m\n",
116 | PE.pnt_headers->OptionalHeader.Magic );
117 | return false;
118 | }
119 |
120 | printf( "[~] image: 0x%llX -> 0x%llX\n",
121 | ( uint64_t )buffer, ( uint64_t )buffer + PE.image_size );
122 | printf( "[~] image size: 0x%llX\n", PE.image_size );
123 |
124 | const std::size_t section_size =
125 | IMAGE_FIRST_SECTION( PE.pnt_headers )->VirtualAddress;
126 |
127 | const std::size_t size_to_alloc =
128 | PE.image_size - section_size;
129 |
130 | printf( "[+] allocating kernel buffer with size of 0x%llX\n",
131 | size_to_alloc );
132 |
133 | //
134 | // invoke ExAllocatePoolWithTag to
135 | // allocate kernel non-paged pool
136 | //
137 | void* kbuffer = ANYCALL_INVOKE(
138 | ExAllocatePoolWithTag,
139 | NonPagedPool, size_to_alloc, ANYMAPPER_POOL_TAG );
140 |
141 | if ( !kbuffer )
142 | {
143 | printf( "[!] \033[0;101;30mfailed to allocate kernel buffer\033[0m\n" );
144 | return false;
145 | }
146 |
147 | printf( "[+] kernel buffer allocated @ 0x%p\n", kbuffer );
148 |
149 | const auto delta =
150 | ( uint64_t )kbuffer - PE.pnt_headers->OptionalHeader.ImageBase - section_size;
151 |
152 | printf( "[+] fixing sections...\n" );
153 |
154 | if ( !PE.fix_sections( file_buffer.data() ) )
155 | {
156 | printf( "[!] \033[0;101;30mfailed to fix image sections\033[0m\n" );
157 | ANYCALL_INVOKE( ExFreePool, kbuffer );
158 | return false;
159 | }
160 |
161 | printf( "[+] relocating image with delta 0x%llX...\n", delta );
162 |
163 | if ( !PE.relocate_image( delta ) )
164 | {
165 | printf( "[!] \033[0;101;30mfailed to relocate image\033[0m\n" );
166 | ANYCALL_INVOKE( ExFreePool, kbuffer );
167 | return false;
168 | }
169 |
170 | const pe::pe::pre_callback_t pre_callback = [](
171 | std::string_view module_name ) -> bool
172 | {
173 | if ( module_name.empty() )
174 | return false;
175 |
176 | printf( "[~] -> import module: %s\n", module_name.data() );
177 |
178 | return !!libanycall::find_sysmodule( module_name ).base_address;
179 | };
180 |
181 | const pe::pe::post_callback_t post_callback = [](
182 | std::string_view module_name,
183 | void* func_addr, std::string_view func_name ) -> bool
184 | {
185 | if ( module_name.empty() || func_name.empty() )
186 | return false;
187 |
188 | printf( "[~] --> import function: %s @ ", func_name.data() );
189 |
190 | const auto routine_address = module_name == "ntoskrnl.exe" ?
191 | kernel::find_routine_address( helper::s2ws( func_name.data() ) ) : 0;
192 |
193 | if ( !routine_address )
194 | return false;
195 |
196 | *( uint64_t* )( func_addr ) = routine_address;
197 |
198 | return true;
199 | };
200 |
201 | printf( "[+] resolving imports...\n" );
202 |
203 | if ( !PE.resolve_imports( pre_callback, post_callback, true, true ) )
204 | {
205 | printf( "[!] \033[0;101;30mfailed to resolve imports\033[0m\n" );
206 | ANYCALL_INVOKE( ExFreePool, kbuffer );
207 | return false;
208 | }
209 |
210 | printf( "[+] copying payload to the kernel buffer...\n" );
211 |
212 | kernel::memcpy(
213 | kbuffer,
214 | ( void* )( ( uint64_t )buffer + 0 ),
215 | size_to_alloc );
216 |
217 | printf( "[+] payload sent to 0x%p\n", kbuffer );
218 |
219 | const auto entry_point_rva =
220 | PE.pnt_headers->OptionalHeader.AddressOfEntryPoint;
221 |
222 | const auto entry_point_addr =
223 | ( uint64_t )kbuffer +
224 | ( uint64_t )entry_point_rva - 0;
225 |
226 | printf( "[+] entry point rva: 0x%lX\n", entry_point_rva );
227 | printf( "[+] entry point @ 0x%llX\n", entry_point_addr );
228 |
229 | //
230 | // MmGetSystemRoutineAddress's pointer
231 | //
232 | const auto MmGetSystemRoutineAddress =
233 | kernel::find_routine_address( L"MmGetSystemRoutineAddress" );
234 |
235 | printf( "[+] MmGetSystemRoutineAddress @ 0x%llX\n",
236 | MmGetSystemRoutineAddress );
237 |
238 | const auto RtlInitUnicodeString =
239 | kernel::find_routine_address( L"RtlInitUnicodeString" );
240 |
241 | printf( "[+] RtlInitUnicodeString @ 0x%llX\n",
242 | RtlInitUnicodeString );
243 |
244 | //
245 | // invoke driver's entry point
246 | //
247 | const NTSTATUS nt_status =
248 | libanycall::invoke< DriverEntry >(
249 | ( void* )entry_point_addr,
250 | ( PVOID )MmGetSystemRoutineAddress, // pass MmGetSystemRoutineAddress pointer to 2nd parameter
251 | ( PVOID )RtlInitUnicodeString ); // usually RegistryPath but we don't use
252 |
253 | printf( "[+] DriverEntry returned 0x%lx\n", nt_status );
254 |
255 | printf( "[+] done!\n" );
256 | ANYCALL_INVOKE( ExFreePool, kbuffer );
257 | return true;
258 | }
259 | } // namespace anymapper
--------------------------------------------------------------------------------
/anymapper/anymapper.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {da181f81-807e-4453-b34c-d1dbe9686d04}
25 | anymapper
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 | stdcpp17
134 |
135 |
136 | Console
137 | true
138 | true
139 | true
140 | libanycall64.lib;%(AdditionalDependencies)
141 | $(OutDir)
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
--------------------------------------------------------------------------------
/anymapper/anymapper.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 | Header Files
28 |
29 |
30 | Header Files
31 |
32 |
33 | Header Files
34 |
35 |
36 | Header Files
37 |
38 |
39 | Header Files
40 |
41 |
42 | Header Files
43 |
44 |
45 | Header Files
46 |
47 |
48 |
--------------------------------------------------------------------------------
/anymapper/filebuf.hpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 |
6 | namespace filebuf
7 | {
8 | bool copy_file_to_buffer( const std::wstring_view file_path, std::vector< uint8_t >& buffer )
9 | {
10 | if ( !std::filesystem::exists( file_path ) )
11 | return false;
12 |
13 | std::ifstream fstream( file_path, std::ios::binary );
14 |
15 | if ( !fstream )
16 | return false;
17 |
18 | buffer.assign(
19 | std::istreambuf_iterator( fstream ),
20 | std::istreambuf_iterator() );
21 |
22 | fstream.close();
23 | return true;
24 | }
25 | } // namespace filebuf
--------------------------------------------------------------------------------
/anymapper/helper.hpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 |
5 | namespace helper
6 | {
7 | //
8 | // https://stackoverflow.com/questions/215963/how-do-you-properly-use-widechartomultibyte/3999597#3999597
9 | //
10 | std::wstring s2ws( const std::string& str )
11 | {
12 | std::wstring wstrTo;
13 | wchar_t* wszTo = new wchar_t[ str.length() + 1 ];
14 | wszTo[ str.size() ] = L'\0';
15 | MultiByteToWideChar( CP_ACP, 0, str.c_str(), -1, wszTo, ( int )str.length() );
16 | wstrTo = wszTo;
17 | delete[] wszTo;
18 | return wstrTo;
19 | }
20 | } // namespace helper
--------------------------------------------------------------------------------
/anymapper/kernel.hpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 |
30 | #include "../anycall/libanycall/libanycall.h"
31 |
32 | #pragma comment( lib, "ntdll.lib" ) // RtlInitUnicodeString
33 |
34 | namespace kernel
35 | {
36 | //
37 | // this pointer holds ntoskrnl's exported memcpy
38 | // not rva, absolute address
39 | //
40 | inline void* ntoskrnl_memcpy = {};
41 |
42 | //
43 | // memcpy of kernel virtual memory
44 | // invoke memcpy inside ntoskrnl
45 | //
46 | void memcpy( void* dst, void* src, size_t size )
47 | {
48 | if ( !ntoskrnl_memcpy )
49 | ntoskrnl_memcpy = ( void* )
50 | libanycall::find_ntoskrnl_export( "memcpy" );
51 |
52 | libanycall::invoke
53 | ( ntoskrnl_memcpy, dst, src, size );
54 | }
55 |
56 | //
57 | // find system routine by MmGetSystemRoutineAddress
58 | //
59 | uint64_t find_routine_address( const std::wstring_view routine_name )
60 | {
61 | UNICODE_STRING routine_name_us;
62 | RtlInitUnicodeString( &routine_name_us, routine_name.data() );
63 | return ( uint64_t )ANYCALL_INVOKE( MmGetSystemRoutineAddress, &routine_name_us );
64 | }
65 | }
--------------------------------------------------------------------------------
/anymapper/main.cpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #include
28 | #include
29 |
30 | #include "anymapper.hpp"
31 |
32 | int wmain( int argc, const wchar_t** argv, const wchar_t** envp )
33 | {
34 | if ( argc < 2 )
35 | {
36 | printf( "[=] usage: bin.exe [driver_path]\n" );
37 | return EXIT_FAILURE;
38 | }
39 |
40 | const auto driver_path = argv[ 1 ];
41 |
42 | if ( !libanycall::init( "ntdll.dll", "NtTraceControl" ) )
43 | {
44 | printf( "[!] failed to init libanycall\n" );
45 | return EXIT_FAILURE;
46 | }
47 |
48 | if ( !anymapper::inject_driver( driver_path ) )
49 | {
50 | printf( "[!] failed to map driver\n" );
51 | return EXIT_FAILURE;
52 | }
53 |
54 | return EXIT_SUCCESS;
55 | }
--------------------------------------------------------------------------------
/anymapper/nt.hpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 | #include
30 |
31 | typedef LARGE_INTEGER PHYSICAL_ADDRESS;
32 |
33 | typedef enum _MEMORY_CACHING_TYPE
34 | {
35 | MmNonCached,
36 | MmCached,
37 | MmWriteCombined,
38 | MmHardwareCoherentCached,
39 | MmNonCachedUnordered,
40 | MmUSWCCached,
41 | MmMaximumCacheType,
42 | MmNotMapped
43 | } MEMORY_CACHING_TYPE;
44 |
45 | typedef enum _POOL_TYPE
46 | {
47 | NonPagedPool,
48 | NonPagedPoolExecute = NonPagedPool,
49 | PagedPool,
50 | NonPagedPoolMustSucceed = NonPagedPool + 2,
51 | DontUseThisType,
52 | NonPagedPoolCacheAligned = NonPagedPool + 4,
53 | PagedPoolCacheAligned,
54 | NonPagedPoolCacheAlignedMustS = NonPagedPool + 6,
55 | MaxPoolType,
56 | NonPagedPoolBase = 0,
57 | NonPagedPoolBaseMustSucceed = NonPagedPoolBase + 2,
58 | NonPagedPoolBaseCacheAligned = NonPagedPoolBase + 4,
59 | NonPagedPoolBaseCacheAlignedMustS = NonPagedPoolBase + 6,
60 | NonPagedPoolSession = 32,
61 | PagedPoolSession = NonPagedPoolSession + 1,
62 | NonPagedPoolMustSucceedSession = PagedPoolSession + 1,
63 | DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1,
64 | NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1,
65 | PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1,
66 | NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1,
67 | NonPagedPoolNx = 512,
68 | NonPagedPoolNxCacheAligned = NonPagedPoolNx + 4,
69 | NonPagedPoolSessionNx = NonPagedPoolNx + 32,
70 | } POOL_TYPE;
71 |
72 | using MmMapIoSpace = PVOID( __fastcall* )(
73 | PHYSICAL_ADDRESS, SIZE_T, MEMORY_CACHING_TYPE );
74 |
75 | using ExAllocatePoolWithTag =
76 | PVOID( __fastcall* )( POOL_TYPE, SIZE_T, ULONG );
77 |
78 | using ExFreePool =
79 | void( __fastcall* )( PVOID );
80 |
81 | using DriverEntry =
82 | NTSTATUS( __fastcall* )( PVOID, PVOID );
83 |
84 | using MmGetSystemRoutineAddress =
85 | PVOID( __fastcall* )( PUNICODE_STRING );
--------------------------------------------------------------------------------
/anymapper/pe.cpp:
--------------------------------------------------------------------------------
1 | #include "pe.hpp"
2 |
3 | pe::pe::pe( void* image_buffer )
4 | {
5 | image_base = image_buffer;
6 |
7 | pdos_header = ( PIMAGE_DOS_HEADER )image_buffer;
8 |
9 | if ( !is_dos_header_valid() )
10 | return;
11 |
12 | pnt_headers = ( PIMAGE_NT_HEADERS )
13 | ( ( uint64_t )image_buffer + pdos_header->e_lfanew );
14 |
15 | if ( !is_nt_headers_valid() )
16 | return;
17 |
18 | image_size = pnt_headers->OptionalHeader.SizeOfImage;
19 | }
20 |
21 | pe::pe::~pe()
22 | {
23 | }
24 |
25 | bool pe::pe::fix_sections( void* raw )
26 | {
27 | const PIMAGE_SECTION_HEADER section =
28 | IMAGE_FIRST_SECTION( this->pnt_headers );
29 |
30 | for (
31 | auto i = 0;
32 | i < this->pnt_headers->FileHeader.NumberOfSections;
33 | i++ )
34 | {
35 | //section->PointerToRawData = section->VirtualAddress;
36 | //section->SizeOfRawData = section->Misc.VirtualSize;
37 |
38 | memcpy(
39 | ( void* )( ( uint64_t )image_base + section[ i ].VirtualAddress ),
40 | ( void* )( ( uint64_t )raw + section[ i ].PointerToRawData ),
41 | section[ i ].SizeOfRawData );
42 | }
43 |
44 | return true;
45 | }
46 |
47 | bool pe::pe::relocate_image( uint64_t delta ) const noexcept
48 | {
49 | if ( !delta )
50 | return false;
51 |
52 | if ( !pnt_headers )
53 | return false;
54 |
55 | const auto relocation_data =
56 | pnt_headers->OptionalHeader
57 | .DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
58 |
59 | if ( !relocation_data.Size || !relocation_data.VirtualAddress )
60 | return false;
61 |
62 | PIMAGE_BASE_RELOCATION relocation_entry =
63 | reinterpret_cast< PIMAGE_BASE_RELOCATION >(
64 | ( uint64_t )image_base + relocation_data.VirtualAddress );
65 |
66 | __try
67 | {
68 | volatile auto ptr_valid = relocation_entry->VirtualAddress;
69 | }
70 | __except ( EXCEPTION_EXECUTE_HANDLER )
71 | {
72 | return false;
73 | }
74 |
75 | const auto relocation_range =
76 | ( uint64_t )( ( uint64_t )relocation_entry + relocation_data.Size );
77 |
78 | if ( IsBadReadPtr( relocation_entry, sizeof( uint64_t ) ) == TRUE )
79 | return false;
80 |
81 | while (
82 | IsBadReadPtr( relocation_entry, sizeof( uint64_t ) ) == FALSE &&
83 | relocation_entry->VirtualAddress &&
84 | relocation_entry->VirtualAddress < relocation_range &&
85 | relocation_entry->SizeOfBlock )
86 | {
87 | const auto ibr_size = sizeof( IMAGE_BASE_RELOCATION );
88 |
89 | const auto address = ( uint64_t )( ( uint64_t )this->image_base + relocation_entry->VirtualAddress );
90 | const auto count = ( relocation_entry->SizeOfBlock - ibr_size ) / sizeof( uint16_t );
91 | const auto list = reinterpret_cast< uint16_t* >( ( uint64_t )relocation_entry + ibr_size );
92 |
93 | static_assert( sizeof( uint16_t ) == 2, "must be 2, this is due to non-64bit" );
94 |
95 | for ( auto i = 0; i < count; i++ )
96 | {
97 | const uint16_t type = list[ i ] >> 12;
98 | const uint16_t offset = list[ i ] & 0xFFF;
99 |
100 | if ( type == IMAGE_REL_BASED_DIR64 )
101 | {
102 | *( uint64_t* )( address + offset ) += delta;
103 | }
104 | }
105 |
106 | relocation_entry =
107 | reinterpret_cast< PIMAGE_BASE_RELOCATION >(
108 | ( uint64_t )relocation_entry + relocation_entry->SizeOfBlock );
109 | }
110 |
111 | return true;
112 | }
113 |
114 | bool pe::pe::resolve_imports(
115 | pre_callback_t pre_callback,
116 | post_callback_t post_callback,
117 | bool ret_on_pre_fail,
118 | bool ret_on_post_fail ) const noexcept
119 | {
120 | if ( !pnt_headers )
121 | return false;
122 |
123 | const auto import_data =
124 | pnt_headers->OptionalHeader
125 | .DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
126 |
127 | // this image does not have imports
128 | if ( !import_data.Size )
129 | return true;
130 |
131 | const auto base_import = import_data.VirtualAddress;
132 |
133 | if ( !base_import )
134 | return false;
135 |
136 | auto import_entry =
137 | reinterpret_cast< PIMAGE_IMPORT_DESCRIPTOR >(
138 | ( uint64_t )pdos_header + base_import );
139 |
140 | while ( import_entry->FirstThunk )
141 | {
142 | const auto module_name =
143 | std::string(
144 | reinterpret_cast< char* >(
145 | ( uint64_t )pdos_header + import_entry->Name ) );
146 |
147 | if ( pre_callback )
148 | {
149 | const bool result = pre_callback( module_name );
150 |
151 | if ( !result && ret_on_pre_fail )
152 | return result;
153 | }
154 |
155 | auto first_thunk =
156 | reinterpret_cast< PIMAGE_THUNK_DATA64 >(
157 | ( uint64_t )pdos_header + import_entry->FirstThunk );
158 |
159 | auto first_thunk_original =
160 | reinterpret_cast< PIMAGE_THUNK_DATA64 >(
161 | ( uint64_t )pdos_header + import_entry->OriginalFirstThunk );
162 |
163 | while ( first_thunk_original->u1.Function )
164 | {
165 | auto thunk_data =
166 | reinterpret_cast< PIMAGE_IMPORT_BY_NAME >(
167 | ( uint64_t )pdos_header + first_thunk_original->u1.AddressOfData );
168 |
169 | if ( post_callback )
170 | {
171 | const bool result = post_callback(
172 | module_name,
173 | &first_thunk_original->u1.Function,
174 | thunk_data->Name );
175 |
176 | if ( !result && ret_on_post_fail )
177 | return result;
178 | }
179 |
180 | first_thunk++;
181 | first_thunk_original++;
182 | }
183 |
184 | import_entry++;
185 | }
186 |
187 | return true;
188 | }
189 |
190 | bool pe::pe::valid() const noexcept
191 | {
192 | return this->is_dos_header_valid() && this->is_nt_headers_valid();
193 | }
194 |
195 | bool pe::pe::is_dos_header_valid() const noexcept
196 | {
197 | if ( !pdos_header )
198 | return false;
199 |
200 | return pdos_header->e_magic == IMAGE_DOS_SIGNATURE;
201 | }
202 |
203 | bool pe::pe::is_nt_headers_valid() const noexcept
204 | {
205 | if ( !pnt_headers )
206 | return false;
207 |
208 | return pnt_headers->Signature == IMAGE_NT_SIGNATURE;
209 | }
210 |
211 | bool pe::pe::is_64bit_image() const noexcept
212 | {
213 | return pnt_headers->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC;
214 | }
215 |
216 | bool pe::pe::valid_ptr( void* ptr ) const
217 | {
218 | // TODO: implement
219 | return true;
220 | }
221 |
--------------------------------------------------------------------------------
/anymapper/pe.hpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 |
6 | namespace pe
7 | {
8 | class pe
9 | {
10 | public:
11 | using pre_callback_t = bool( * )( std::string_view module_name );
12 | using post_callback_t =
13 | bool( * )(
14 | std::string_view module_name,
15 | void* func_addr,
16 | std::string_view func_name );
17 |
18 | void* image_base;
19 | std::size_t image_size;
20 | PIMAGE_DOS_HEADER pdos_header;
21 | PIMAGE_NT_HEADERS pnt_headers;
22 |
23 | pe( void* image_buffer );
24 | ~pe();
25 |
26 | bool fix_sections( void* raw );
27 | bool relocate_image( uint64_t delta ) const noexcept;
28 | bool resolve_imports(
29 | pre_callback_t pre_callback,
30 | post_callback_t post_callback,
31 | bool ret_on_pre_fail,
32 | bool ret_on_post_fail ) const noexcept;
33 |
34 | bool valid() const noexcept;
35 | bool is_dos_header_valid() const noexcept;
36 | bool is_nt_headers_valid() const noexcept;
37 | bool is_64bit_image() const noexcept;
38 |
39 | bool valid_ptr( void* ptr ) const;
40 | private:
41 | };
42 | } // namespace pe
--------------------------------------------------------------------------------
/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kkent030315/anymapper/6bbb27f4b92fee210e3afe93f23976813f1097c3/image.png
--------------------------------------------------------------------------------
/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kkent030315/anymapper/6bbb27f4b92fee210e3afe93f23976813f1097c3/logo.png
--------------------------------------------------------------------------------