├── README.md
├── LICENSE
└── stub.cpp
/README.md:
--------------------------------------------------------------------------------
1 | # packerPE32
2 | Simple PE packer with RtlCompressBuffer
3 |
4 | TODO :
5 | - Reloc stub at prefered imagebase
6 | - Clean this spaghetti code
7 | - ???
8 | - Profit
9 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU LESSER GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 |
9 | This version of the GNU Lesser General Public License incorporates
10 | the terms and conditions of version 3 of the GNU General Public
11 | License, supplemented by the additional permissions listed below.
12 |
13 | 0. Additional Definitions.
14 |
15 | As used herein, "this License" refers to version 3 of the GNU Lesser
16 | General Public License, and the "GNU GPL" refers to version 3 of the GNU
17 | General Public License.
18 |
19 | "The Library" refers to a covered work governed by this License,
20 | other than an Application or a Combined Work as defined below.
21 |
22 | An "Application" is any work that makes use of an interface provided
23 | by the Library, but which is not otherwise based on the Library.
24 | Defining a subclass of a class defined by the Library is deemed a mode
25 | of using an interface provided by the Library.
26 |
27 | A "Combined Work" is a work produced by combining or linking an
28 | Application with the Library. The particular version of the Library
29 | with which the Combined Work was made is also called the "Linked
30 | Version".
31 |
32 | The "Minimal Corresponding Source" for a Combined Work means the
33 | Corresponding Source for the Combined Work, excluding any source code
34 | for portions of the Combined Work that, considered in isolation, are
35 | based on the Application, and not on the Linked Version.
36 |
37 | The "Corresponding Application Code" for a Combined Work means the
38 | object code and/or source code for the Application, including any data
39 | and utility programs needed for reproducing the Combined Work from the
40 | Application, but excluding the System Libraries of the Combined Work.
41 |
42 | 1. Exception to Section 3 of the GNU GPL.
43 |
44 | You may convey a covered work under sections 3 and 4 of this License
45 | without being bound by section 3 of the GNU GPL.
46 |
47 | 2. Conveying Modified Versions.
48 |
49 | If you modify a copy of the Library, and, in your modifications, a
50 | facility refers to a function or data to be supplied by an Application
51 | that uses the facility (other than as an argument passed when the
52 | facility is invoked), then you may convey a copy of the modified
53 | version:
54 |
55 | a) under this License, provided that you make a good faith effort to
56 | ensure that, in the event an Application does not supply the
57 | function or data, the facility still operates, and performs
58 | whatever part of its purpose remains meaningful, or
59 |
60 | b) under the GNU GPL, with none of the additional permissions of
61 | this License applicable to that copy.
62 |
63 | 3. Object Code Incorporating Material from Library Header Files.
64 |
65 | The object code form of an Application may incorporate material from
66 | a header file that is part of the Library. You may convey such object
67 | code under terms of your choice, provided that, if the incorporated
68 | material is not limited to numerical parameters, data structure
69 | layouts and accessors, or small macros, inline functions and templates
70 | (ten or fewer lines in length), you do both of the following:
71 |
72 | a) Give prominent notice with each copy of the object code that the
73 | Library is used in it and that the Library and its use are
74 | covered by this License.
75 |
76 | b) Accompany the object code with a copy of the GNU GPL and this license
77 | document.
78 |
79 | 4. Combined Works.
80 |
81 | You may convey a Combined Work under terms of your choice that,
82 | taken together, effectively do not restrict modification of the
83 | portions of the Library contained in the Combined Work and reverse
84 | engineering for debugging such modifications, if you also do each of
85 | the following:
86 |
87 | a) Give prominent notice with each copy of the Combined Work that
88 | the Library is used in it and that the Library and its use are
89 | covered by this License.
90 |
91 | b) Accompany the Combined Work with a copy of the GNU GPL and this license
92 | document.
93 |
94 | c) For a Combined Work that displays copyright notices during
95 | execution, include the copyright notice for the Library among
96 | these notices, as well as a reference directing the user to the
97 | copies of the GNU GPL and this license document.
98 |
99 | d) Do one of the following:
100 |
101 | 0) Convey the Minimal Corresponding Source under the terms of this
102 | License, and the Corresponding Application Code in a form
103 | suitable for, and under terms that permit, the user to
104 | recombine or relink the Application with a modified version of
105 | the Linked Version to produce a modified Combined Work, in the
106 | manner specified by section 6 of the GNU GPL for conveying
107 | Corresponding Source.
108 |
109 | 1) Use a suitable shared library mechanism for linking with the
110 | Library. A suitable mechanism is one that (a) uses at run time
111 | a copy of the Library already present on the user's computer
112 | system, and (b) will operate properly with a modified version
113 | of the Library that is interface-compatible with the Linked
114 | Version.
115 |
116 | e) Provide Installation Information, but only if you would otherwise
117 | be required to provide such information under section 6 of the
118 | GNU GPL, and only to the extent that such information is
119 | necessary to install and execute a modified version of the
120 | Combined Work produced by recombining or relinking the
121 | Application with a modified version of the Linked Version. (If
122 | you use option 4d0, the Installation Information must accompany
123 | the Minimal Corresponding Source and Corresponding Application
124 | Code. If you use option 4d1, you must provide the Installation
125 | Information in the manner specified by section 6 of the GNU GPL
126 | for conveying Corresponding Source.)
127 |
128 | 5. Combined Libraries.
129 |
130 | You may place library facilities that are a work based on the
131 | Library side by side in a single library together with other library
132 | facilities that are not Applications and are not covered by this
133 | License, and convey such a combined library under terms of your
134 | choice, if you do both of the following:
135 |
136 | a) Accompany the combined library with a copy of the same work based
137 | on the Library, uncombined with any other library facilities,
138 | conveyed under the terms of this License.
139 |
140 | b) Give prominent notice with the combined library that part of it
141 | is a work based on the Library, and explaining where to find the
142 | accompanying uncombined form of the same work.
143 |
144 | 6. Revised Versions of the GNU Lesser General Public License.
145 |
146 | The Free Software Foundation may publish revised and/or new versions
147 | of the GNU Lesser General Public License from time to time. Such new
148 | versions will be similar in spirit to the present version, but may
149 | differ in detail to address new problems or concerns.
150 |
151 | Each version is given a distinguishing version number. If the
152 | Library as you received it specifies that a certain numbered version
153 | of the GNU Lesser General Public License "or any later version"
154 | applies to it, you have the option of following the terms and
155 | conditions either of that published version or of any later version
156 | published by the Free Software Foundation. If the Library as you
157 | received it does not specify a version number of the GNU Lesser
158 | General Public License, you may choose any version of the GNU Lesser
159 | General Public License ever published by the Free Software Foundation.
160 |
161 | If the Library as you received it specifies that a proxy can decide
162 | whether future versions of the GNU Lesser General Public License shall
163 | apply, that proxy's public statement of acceptance of any version is
164 | permanent authorization for you to choose that version for the
165 | Library.
166 |
167 |
--------------------------------------------------------------------------------
/stub.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | This program is free software: you can redistribute it and/or modify
3 | it under the terms of the GNU General Public License as published by
4 | the Free Software Foundation, either version 3 of the License, or
5 | (at your option) any later version.
6 |
7 | This program is distributed in the hope that it will be useful,
8 | but WITHOUT ANY WARRANTY; without even the implied warranty of
9 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 | GNU General Public License for more details.
11 |
12 | You should have received a copy of the GNU General Public License
13 | along with this program. If not, see
14 | https://www.livecoding.tv/owerosu/
15 | */
16 |
17 |
18 | #include
19 |
20 | /*
21 | void shellcode(DWORD imageBaseStub,DWORD ptrImageBase,
22 | DWORD ptrImageBaseBuffer,DWORD sizeImageBase,
23 | DWORD ptrVirtualAlloc,DWORD ptrUnmapViewOfFile,DWORD OEP)
24 | {
25 |
26 | typedef BOOL(WINAPI *XVirtualAlloc)(
27 | LPVOID lpAddress,
28 | SIZE_T dwSize,
29 | DWORD flAllocationType,
30 | DWORD flProtect
31 | );
32 | typedef BOOL(WINAPI *XUnmapViewOfFile)(
33 | LPCVOID lpBaseAddress
34 | );
35 | PIMAGE_DOS_HEADER dosHeaderStub = NULL;
36 | PIMAGE_NT_HEADERS ntHeaderStub = NULL;
37 | PIMAGE_SECTION_HEADER sectionHeaderStub = NULL;
38 | PIMAGE_FILE_HEADER fileHeaderStub = NULL;
39 | DWORD nbSectionsStub;
40 | XVirtualAlloc xVirtualAlloc = (XVirtualAlloc)ptrVirtualAlloc;
41 | XUnmapViewOfFile xUnmapViewOfFile = (XUnmapViewOfFile)ptrUnmapViewOfFile;
42 |
43 |
44 | dosHeaderStub = (PIMAGE_DOS_HEADER)imageBaseStub;
45 | ntHeaderStub = (PIMAGE_NT_HEADERS)((PUCHAR)dosHeaderStub + dosHeaderStub->e_lfanew);
46 | sectionHeaderStub = (PIMAGE_SECTION_HEADER)IMAGE_FIRST_SECTION(ntHeaderStub);
47 | fileHeaderStub = (PIMAGE_FILE_HEADER)&ntHeaderStub->FileHeader;
48 | nbSectionsStub = fileHeaderStub->NumberOfSections;
49 | xUnmapViewOfFile((PBYTE)imageBaseStub);
50 | xVirtualAlloc((PBYTE)ptrImageBase, sizeImageBase, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
51 | for (DWORD i = 0;i < sizeImageBase;i++)
52 | *(PBYTE)(ptrImageBase + i) = *(PBYTE)(ptrImageBaseBuffer + i);
53 | __asm {
54 |
55 | jmp OEP;
56 | }
57 | }
58 | */
59 | void CopyMemory2(PBYTE out, PBYTE in, DWORD size)// Original Name
60 | {
61 | for (DWORD i = 0;i < size;i++)
62 | *(out + i) = *(in + i);
63 | }
64 | int main()
65 | {
66 | unsigned char data[228] = {
67 | 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x20, 0xC7, 0x45, 0xF4, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xF8,
68 | 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xEC, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xF0, 0x00, 0x00,
69 | 0x00, 0x00, 0x8B, 0x45, 0x18, 0x89, 0x45, 0xE4, 0x8B, 0x4D, 0x1C, 0x89, 0x4D, 0xE8, 0x8B, 0x55,
70 | 0x08, 0x89, 0x55, 0xF4, 0x8B, 0x45, 0xF4, 0x8B, 0x4D, 0xF4, 0x03, 0x48, 0x3C, 0x89, 0x4D, 0xF8,
71 | 0x8B, 0x55, 0xF8, 0x0F, 0xB7, 0x42, 0x14, 0x8B, 0x4D, 0xF8, 0x8D, 0x54, 0x01, 0x18, 0x89, 0x55,
72 | 0xEC, 0x8B, 0x45, 0xF8, 0x83, 0xC0, 0x04, 0x89, 0x45, 0xF0, 0x8B, 0x4D, 0xF0, 0x0F, 0xB7, 0x51,
73 | 0x02, 0x89, 0x55, 0xE0, 0x8B, 0x45, 0x08, 0x50, 0xFF, 0x55, 0xE8, 0x6A, 0x40, 0x68, 0x00, 0x30,
74 | 0x00, 0x00, 0x8B, 0x4D, 0x14, 0x51, 0x8B, 0x55, 0x0C, 0x52, 0xFF, 0x55, 0xE4, 0xC7, 0x45, 0xFC,
75 | 0x00, 0x00, 0x00, 0x00, 0xEB, 0x09, 0x8B, 0x45, 0xFC, 0x83, 0xC0, 0x01, 0x89, 0x45, 0xFC, 0x8B,
76 | 0x4D, 0xFC, 0x3B, 0x4D, 0x14, 0x73, 0x12, 0x8B, 0x55, 0x0C, 0x03, 0x55, 0xFC, 0x8B, 0x45, 0x10,
77 | 0x03, 0x45, 0xFC, 0x8A, 0x08, 0x88, 0x0A, 0xEB, 0xDD, 0xFF, 0x65, 0x20, 0x8B, 0xE5, 0x5D, 0xC3,
78 | 0x55, 0x8B, 0xEC, 0x51, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x09, 0x8B, 0x45, 0xFC,
79 | 0x83, 0xC0, 0x01, 0x89, 0x45, 0xFC, 0x8B, 0x4D, 0xFC, 0x3B, 0x4D, 0x10, 0x73, 0x12, 0x8B, 0x55,
80 | 0x08, 0x03, 0x55, 0xFC, 0x8B, 0x45, 0x0C, 0x03, 0x45, 0xFC, 0x8A, 0x08, 0x88, 0x0A, 0xEB, 0xDD,
81 | 0x8B, 0xE5, 0x5D, 0xC3
82 | };
83 | // This time less check we need to win spaces as this is the stub
84 | //////////////////
85 | typedef NTSTATUS (WINAPI *XRtlDecompressBuffer)(
86 | USHORT CompressionFormat,
87 | PUCHAR UncompressedBuffer,
88 | ULONG UncompressedBufferSize,
89 | PUCHAR CompressedBuffer,
90 | ULONG CompressedBufferSize,
91 | PULONG FinalUncompressedSize
92 | );
93 | //////
94 | ///////////////////
95 | HMODULE imageBaseStub;
96 | DWORD imageBase;
97 | PIMAGE_DOS_HEADER dosHeaderStub = NULL;
98 | PIMAGE_NT_HEADERS ntHeaderStub = NULL;
99 | PIMAGE_SECTION_HEADER sectionHeaderStub = NULL;
100 | PIMAGE_FILE_HEADER fileHeaderStub = NULL;
101 | PIMAGE_DOS_HEADER dosHeader = NULL;
102 | PIMAGE_NT_HEADERS ntHeader = NULL;
103 | PIMAGE_SECTION_HEADER sectionHeader = NULL;
104 | PIMAGE_FILE_HEADER fileHeader = NULL;
105 | DWORD nbSectionsStub,nbSections;
106 | DWORD sizeHeaders;
107 | DWORD sizeImage;
108 | DWORD decompressedSize = 0;
109 | DWORD ptrCompressedData = 0;
110 | DWORD oldAccess;
111 | DWORD sectionAlignement;
112 | DWORD OEP;
113 | LPVOID ptrDecompressedData = NULL;
114 | DWORD ptrImageBase=0;
115 | XRtlDecompressBuffer xRtlDecompressBuffer = (XRtlDecompressBuffer)GetProcAddress(
116 | GetModuleHandle("ntdll.dll"), "RtlDecompressBuffer");
117 | ///////////////////
118 | imageBaseStub = GetModuleHandle(0);
119 | dosHeaderStub = (PIMAGE_DOS_HEADER)imageBaseStub;
120 | ntHeaderStub = (PIMAGE_NT_HEADERS)((PUCHAR)dosHeaderStub + dosHeaderStub->e_lfanew);
121 | sectionHeaderStub = (PIMAGE_SECTION_HEADER)IMAGE_FIRST_SECTION(ntHeaderStub);
122 | fileHeaderStub = (PIMAGE_FILE_HEADER)&ntHeaderStub->FileHeader;
123 | nbSectionsStub = fileHeaderStub->NumberOfSections;
124 | nbSectionsStub = fileHeaderStub->NumberOfSections;
125 | // We look for the section containing compressed data
126 | DWORD oldState;
127 | //VirtualProtect(imageBaseStub, 0x1000, PAGE_EXECUTE_READWRITE, &oldState);
128 |
129 | for (DWORD i = 0;i < nbSectionsStub;i++)
130 | {
131 | /*
132 | DWORD sectionAlignementStub = ntHeaderStub->OptionalHeader.SectionAlignment;
133 | DWORD sectionSizeVirtual = sectionHeaderStub[i].SizeOfRawData / sectionAlignementStub;
134 | DWORD sectionVirtualAddress = sectionHeaderStub[i].VirtualAddress;
135 | sectionVirtualAddress += (DWORD)imageBaseStub;
136 | sectionSizeVirtual = (sectionSizeVirtual + 1)*sectionAlignementStub;
137 | VirtualProtect((PBYTE)sectionVirtualAddress, sectionSizeVirtual, PAGE_EXECUTE_READWRITE, &oldState);
138 | */
139 | if (!strcmp((const char*)sectionHeaderStub[i].Name, ".pack3"))
140 | {
141 | //ptrCompressedData = (LPVOID)(sectionHeaderStub[i].VirtualAddress) ;
142 | // Decompression
143 | ptrCompressedData = (DWORD)imageBaseStub;
144 | ptrCompressedData = ptrCompressedData + sectionHeaderStub[i].VirtualAddress;
145 |
146 | DWORD add = (DWORD)imageBaseStub;
147 | do
148 | {
149 | ptrDecompressedData = VirtualAlloc((PBYTE)((DWORD)imageBaseStub + add), sectionHeaderStub[i].SizeOfRawData * 4,
150 | MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
151 | add += 0x1000;
152 | } while (!ptrDecompressedData);
153 |
154 |
155 | xRtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_MAXIMUM,
156 | (PUCHAR)ptrDecompressedData, sectionHeaderStub[i].SizeOfRawData * 4,
157 | (PUCHAR)ptrCompressedData, sectionHeaderStub[i].SizeOfRawData,
158 | &decompressedSize);
159 | ////////
160 | }
161 | }
162 | /////// Usefull stuff we need to get
163 | dosHeader = (PIMAGE_DOS_HEADER)ptrDecompressedData;
164 | ntHeader = (PIMAGE_NT_HEADERS)((PUCHAR)dosHeader + dosHeader->e_lfanew);
165 | sectionHeader = (PIMAGE_SECTION_HEADER)IMAGE_FIRST_SECTION(ntHeader);
166 | fileHeader = (PIMAGE_FILE_HEADER)&ntHeader->FileHeader;
167 | nbSections = fileHeader->NumberOfSections;
168 | sizeHeaders = ntHeader->OptionalHeader.SizeOfHeaders;
169 | imageBase = ntHeader->OptionalHeader.ImageBase;
170 | sizeImage = ntHeader->OptionalHeader.SizeOfImage;
171 | sectionAlignement = ntHeader->OptionalHeader.SectionAlignment;
172 | OEP = imageBase + ntHeader->OptionalHeader.AddressOfEntryPoint;
173 | //////////
174 |
175 | //////// Allocate memory space and map the PE
176 |
177 | // Hmm, we could get proper rights for each section
178 | // So let's do a buffer per sections instead
179 | // So the allocation for headers :
180 | //0x400000
181 | //0x2D000
182 | //VirtualFree((PBYTE)imageBase - 0x10000, sizeImage + 0x10000, MEM_DECOMMIT | MEM_RELEASE);
183 | DWORD add = (DWORD)imageBaseStub;
184 | do
185 | {
186 | ptrImageBase = (DWORD)VirtualAlloc((PBYTE)((DWORD)imageBaseStub + sizeImage + add), sizeImage,
187 | MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
188 | add += 0x1000;
189 | } while (!ptrImageBase);
190 | //CopyMemory(ptrImageBase, ptrDecompressedData, sizeHeaders);
191 | // Ok we can't use CopyMemory without linking the runtime C which will bloat our stub ..
192 | // Let's do our own Copy memory !
193 | CopyMemory2((PBYTE)ptrImageBase, (PBYTE)ptrDecompressedData, sizeHeaders);
194 | //VirtualProtect(ptrImageBase, sizeHeaders, PAGE_READONLY, &oldAccess);
195 |
196 | // Sections !
197 | for (DWORD i;i < nbSections;i++)
198 | {
199 | DWORD ptrSection = ptrImageBase + sectionHeader[i].VirtualAddress;
200 |
201 | DWORD ptrRawData = (DWORD)ptrDecompressedData + sectionHeader[i].PointerToRawData;
202 | DWORD sizeRawData = sectionHeader[i].SizeOfRawData;
203 | /*/
204 | I have some trouble to allocate contiguous memory for some reasons
205 | So, I allocate one big memory space for all the unpacked PE
206 | I'll try to figure out later why I can't.
207 | if (ptrSection != (DWORD)VirtualAlloc((LPVOID)ptrSection,
208 | sectionSizeVirtual, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) // For now we'll put
209 | // executables rights, then we'll read characteristics to put the right ones
210 | ExitProcess(-2);
211 | */
212 | CopyMemory2((PBYTE)ptrSection, (PBYTE)ptrRawData, sizeRawData);
213 | }
214 | // Ok now we need to rebuild IAT
215 | ////////////////// Use the new mapped headers instead of old ones ...
216 | dosHeader = (PIMAGE_DOS_HEADER)ptrImageBase;
217 | ntHeader = (PIMAGE_NT_HEADERS)((PUCHAR)dosHeader + dosHeader->e_lfanew);
218 | sectionHeader = (PIMAGE_SECTION_HEADER)IMAGE_FIRST_SECTION(ntHeader);
219 | fileHeader = (PIMAGE_FILE_HEADER)&ntHeader->FileHeader;
220 | //////////////////
221 | //(PIMAGE_IMPORT_DESCRIPTOR)imageBase +
222 | IMAGE_OPTIONAL_HEADER* optionalHeader = (&(ntHeader->OptionalHeader));
223 | DWORD va = optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
224 | DWORD ptrImport = ptrImageBase + va;
225 | if (!va)
226 | ExitProcess(-5);
227 | if (!ptrImport)
228 | ExitProcess(-5);
229 |
230 | while (((IMAGE_IMPORT_DESCRIPTOR*)ptrImport)->FirstThunk)
231 | {
232 |
233 | DWORD ptrThunkData;
234 | char* dllName = (char*)ptrImageBase + ((IMAGE_IMPORT_DESCRIPTOR*)ptrImport)->Name;
235 |
236 |
237 | ptrThunkData= ptrImageBase + ((IMAGE_IMPORT_DESCRIPTOR*)ptrImport)->FirstThunk;
238 |
239 | while (((IMAGE_THUNK_DATA*)ptrThunkData)->u1.AddressOfData)
240 | {
241 | // First we'll only resolve by name. Import by ordinal will come later
242 |
243 | if (((IMAGE_THUNK_DATA*)ptrThunkData)->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
244 | {
245 | DWORD ordinal = ((IMAGE_THUNK_DATA*)ptrThunkData)->u1.Ordinal & 0xFFFF;
246 | ((IMAGE_THUNK_DATA*)ptrThunkData)->u1.Function = (DWORD)GetProcAddress(LoadLibraryA(dllName), (char*)ordinal);
247 | }
248 | else
249 | {
250 | DWORD ptrImageByName;
251 | char* functionName;
252 | ptrImageByName = ptrImageBase + ((IMAGE_THUNK_DATA*)ptrThunkData)->u1.AddressOfData;
253 | functionName = ((IMAGE_IMPORT_BY_NAME*)ptrImageByName)->Name;
254 | ((IMAGE_THUNK_DATA*)ptrThunkData)->u1.Function = (DWORD)GetProcAddress(LoadLibraryA(dllName), functionName);
255 | }
256 |
257 | ptrThunkData += sizeof(IMAGE_THUNK_DATA); // next Thunk_Data
258 | }
259 |
260 | ptrImport += sizeof(IMAGE_IMPORT_DESCRIPTOR); // next IMAGE_IMPORT_DESCRIPTOR
261 | }
262 | // Support .reloc section
263 |
264 | //
265 | // Try
266 | /*
267 | void shellcode(DWORD imageBaseStub,DWORD ptrImageBase,
268 | DWORD ptrImageBaseBuffer,DWORD sizeImageBase,DWORD ptrVirtualFree,
269 | DWORD ptrVirtualAlloc,DWORD OEP)
270 | */
271 | DWORD ptrVirtualAlloc = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualAlloc");
272 |
273 | DWORD ptrUnmap = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "UnmapViewOfFile");
274 | //shellcode(0, 0, 0, 0, 0, 0, 0, 0);
275 | BOOL bReloc = FALSE;
276 | for (DWORD i = 0;i < nbSections;i++)
277 | {
278 | if (!strcmp((const char*)sectionHeader[i].Name, ".reloc"))
279 | bReloc = TRUE;
280 | }
281 | /*
282 | If we can allocate at prefered imagebase then we just jump on eop
283 | elseif
284 | If we can do reloc, we'll allocate anywhere and just reloc.
285 | elseif
286 | If we can't, we'll do the shellcode trick to run packed executable at
287 | stub's memory space.
288 | Stub we'll be reallocated at the packed .exe's prefered image base by the builder (todo)
289 | */
290 | DWORD ptrNewImageBase = 0;
291 | do // Allocate buffer at any location
292 | {
293 | ptrNewImageBase = (DWORD)VirtualAlloc((PBYTE)imageBase + add, sizeImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
294 | add += 0x1000;
295 | } while (!ptrNewImageBase);
296 | if (ptrNewImageBase == imageBase) // If we get lucky and same imagebase than prefered image base.
297 | {
298 | VirtualFree(ptrDecompressedData, sectionHeaderStub[3].SizeOfRawData * 4, MEM_DECOMMIT | MEM_RELEASE);
299 | CopyMemory2((PBYTE)ptrNewImageBase, (PBYTE)ptrImageBase, sizeImage);
300 | VirtualFree((PBYTE)ptrImageBase, sizeImage, MEM_DECOMMIT | MEM_RELEASE);
301 | __asm {
302 | jmp OEP;
303 | }
304 | }
305 | else if (bReloc) // If we a .reloc section
306 | {
307 |
308 | CopyMemory2((PBYTE)ptrNewImageBase, (PBYTE)ptrImageBase, sizeImage);
309 | OEP = ptrNewImageBase + ntHeader->OptionalHeader.AddressOfEntryPoint;
310 | DWORD add = 0;
311 | DWORD delta = 0;
312 | DWORD dirSize = 0;
313 | PIMAGE_DATA_DIRECTORY pRelocEntry;
314 | PIMAGE_BASE_RELOCATION pBaseReloc,pEndReloc;
315 | pRelocEntry = &ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
316 | pBaseReloc = (PIMAGE_BASE_RELOCATION)(PBYTE)(ptrImageBase + pRelocEntry->VirtualAddress);
317 | dirSize = pRelocEntry->Size;
318 | delta = ptrNewImageBase - imageBase;
319 | pEndReloc = (PIMAGE_BASE_RELOCATION)(PBYTE)(pBaseReloc + dirSize);
320 |
321 | while (pBaseReloc < pEndReloc && pBaseReloc->VirtualAddress)
322 | {
323 | int count = (pBaseReloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
324 | PWORD entry = (PWORD)(pBaseReloc + 1);
325 | void *pageVa = (void*)((PBYTE)ptrNewImageBase + pBaseReloc->VirtualAddress);
326 | while (count--)
327 | {
328 | if (*entry >> 12 == IMAGE_REL_BASED_HIGHLOW)
329 | *(PDWORD)((PBYTE)pageVa + (*entry & 0x0fff)) += delta;
330 | entry++;
331 | }
332 | pBaseReloc = (PIMAGE_BASE_RELOCATION)((PBYTE)pBaseReloc + pBaseReloc->SizeOfBlock);
333 | }
334 | VirtualFree(ptrDecompressedData, sectionHeaderStub[3].SizeOfRawData * 4, MEM_DECOMMIT | MEM_RELEASE);
335 | VirtualFree((PBYTE)ptrImageBase, sizeImage, MEM_DECOMMIT | MEM_RELEASE);
336 | __asm {
337 | jmp OEP;
338 | }
339 | }
340 | else // Shellcode trick
341 | {
342 | DWORD buffCopy = (DWORD)VirtualAlloc((LPVOID)0, 182, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
343 | CopyMemory2((PBYTE)buffCopy, data, 182);
344 | VirtualFree(ptrDecompressedData, sectionHeaderStub[3].SizeOfRawData * 4, MEM_DECOMMIT | MEM_RELEASE);
345 | __asm {
346 | push OEP
347 | push ptrUnmap
348 | push ptrVirtualAlloc
349 | push sizeImage
350 | push ptrImageBase
351 | push imageBase
352 | push imageBaseStub
353 | call buffCopy
354 | };
355 | }
356 | /////////////////
357 | // We jump on Original Entry Point (OEP)
358 |
359 | return 0;
360 | }
361 |
--------------------------------------------------------------------------------