| author | auth12 <[email protected]> | 2020-08-01 11:15:55 -0700 |
|---|---|---|
| committer | auth12 <[email protected]> | 2020-08-01 11:15:55 -0700 |
| commit | 5bbda279685f52693d4f5d9cb1500e295e06fc1e (patch) | |
| tree | 87cc4aa993afe879f8b5dffbbe7013dcf8e5dc44 /client/src/util | |
| parent | Added server support for both x64 and x32 images with automatic selection. (diff) | |
| download | loader-5bbda279685f52693d4f5d9cb1500e295e06fc1e.tar.xz loader-5bbda279685f52693d4f5d9cb1500e295e06fc1e.zip | |
Started security.
Diffstat (limited to 'client/src/util')
| -rw-r--r-- | client/src/util/apiset.h | 2 | ||||
| -rw-r--r-- | client/src/util/io.cpp | 6 | ||||
| -rw-r--r-- | client/src/util/io.h | 3 | ||||
| -rw-r--r-- | client/src/util/native.h | 158 | ||||
| -rw-r--r-- | client/src/util/syscalls.cpp | 4 | ||||
| -rw-r--r-- | client/src/util/syscalls.h | 4 | ||||
| -rw-r--r-- | client/src/util/util.cpp | 25 |
7 files changed, 49 insertions, 153 deletions
diff --git a/client/src/util/apiset.h b/client/src/util/apiset.h
index a13f3bb..9fad501 100644
--- a/client/src/util/apiset.h
+++ b/client/src/util/apiset.h
@@ -5,7 +5,7 @@ class apiset {
 public:
 apiset();
- bool operator()(std::string &mod) {
+ bool find(std::string &mod) {
 auto it = std::find_if(m_apimap.begin(), m_apimap.end(), [&](const std::pair<std::string, std::string>& pair) {
 return mod.find(pair.first) != std::string::npos;
 });
diff --git a/client/src/util/io.cpp b/client/src/util/io.cpp
index 7e783c2..47d9dbe 100644
--- a/client/src/util/io.cpp
+++ b/client/src/util/io.cpp
@@ -1,10 +1,10 @@
 #include "../include.h"
 #include "io.h"
- bool io::read_file(const std::string_view name, std::vector<char>& out) {
- std::ifstream file(name.data(), std::ios::binary);
+ bool io::read_file(const std::string_view path, std::vector<char>& out) {
+ std::ifstream file(path.data(), std::ios::binary);
 if (!file.good()) {
- log_error("{} isnt valid.", name);
+ log_error("{} isnt valid.", path);
 return false;
 }
diff --git a/client/src/util/io.h b/client/src/util/io.h
index 03d6964..adb63f7 100644
--- a/client/src/util/io.h
+++ b/client/src/util/io.h
@@ -3,7 +3,6 @@
 #include <fmt/format.h>
 #include <fmt/color.h>
-
 namespace io {
 template<typename... Args>
 void log(const std::string_view str, Args... params) {
@@ -31,5 +30,5 @@ namespace io {
 fmt::print(msg, std::forward<Args>(params)...);
 }
- bool read_file(const std::string_view name, std::vector<char>& out);
+ bool read_file(const std::string_view path, std::vector<char>& out);
 }; // namespace io
diff --git a/client/src/util/native.h b/client/src/util/native.h
index 9c8cef7..31348ee 100644
--- a/client/src/util/native.h
+++ b/client/src/util/native.h
@@ -60,12 +60,11 @@ namespace native {
 UNICODE_STRING BaseDllName;
 };
- template<bool x64, typename base_type = typename std::conditional<x64, IMAGE_NT_HEADERS64, IMAGE_NT_HEADERS32>::type>
- struct nt_headers_t : base_type {};
-
 template<class P>
 struct peb_t {
- std::uint8_t _ignored[4];
+ uint8_t _ignored[2];
+ uint8_t being_debugged;
+ uint8_t bitfield;
 P _ignored2[2];
 P Ldr;
 };
@@ -86,8 +85,8 @@ namespace native {
 template<class P>
 struct unicode_string_t {
- std::uint16_t Length;
- std::uint16_t MaximumLength;
+ uint16_t Length;
+ uint16_t MaximumLength;
 P Buffer;
 };
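Review bot: `peb_t` now hand-codes byte offsets 2 and 3 as `being_debugged` and `bitfield`, but nothing pins the layout, so a later edit to `_ignored` or `_ignored2` would silently shift `Ldr`; add `static_assert(offsetof(peb_t<uint64_t>, Ldr) == 0x18 && offsetof(peb_t<uint32_t>, Ldr) == 0x0C, "peb_t layout");` next to the struct (these are the documented PEB offsets of Ldr on x64 and x86, with BeingDebugged at 0x2; `offsetof` needs `<cstddef>`). A comment on the skipped slots, `P _ignored2[2]; // Mutant, ImageBaseAddress`, would make the padding self-explanatory. If `being_debugged` is intended as an anti-debug signal, PEB.BeingDebugged is the first flag any debugger plugin clears, so it should not be the only check. The `namespace native` block this belongs to starts before the hunk.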
@@ -105,141 +104,6 @@ namespace native {
 unicode_string_t<P> FullDllName;
 };
-
-#pragma pack(push, 4)
- struct reloc_entry_t {
- uint16_t offset : 12;
- uint16_t type : 4;
- };
-
- struct reloc_block_t {
- uint32_t base_rva;
- uint32_t size_block;
- reloc_entry_t entries[ 1 ]; // Variable length array
-
-
- inline reloc_block_t* get_next() { return ( reloc_block_t* ) ( ( char* ) this + this->size_block ); }
- inline uint32_t num_entries() { return ( reloc_entry_t* ) get_next() - &entries[ 0 ]; }
- };
-
- struct image_named_import_t
- {
- uint16_t hint;
- char name[ 1 ];
- };
-
-#pragma pack(push, 8)
- struct image_thunk_data_x64_t
- {
- union
- {
- uint64_t forwarder_string;
- uint64_t function;
- uint64_t address; // -> image_named_import_t
- struct
- {
- uint64_t ordinal : 16;
- uint64_t _reserved0 : 47;
- uint64_t is_ordinal : 1;
- };
- };
- };
-#pragma pack(pop)
-
- struct image_thunk_data_x86_t
- {
- union
- {
- uint32_t forwarder_string;
- uint32_t function;
- uint32_t address; // -> image_named_import_t
- struct
- {
- uint32_t ordinal : 16;
- uint32_t _reserved0 : 15;
- uint32_t is_ordinal : 1;
- };
- };
- };
-#pragma pack(pop)
-
- template<bool x64,
- typename base_type = typename std::conditional<x64, image_thunk_data_x64_t, image_thunk_data_x86_t>::type>
- struct image_thunk_data_t : base_type {};
-
- typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
- {
- SIZE_T Size; // set to sizeof structure on input
- PROCESS_BASIC_INFORMATION BasicInfo;
- union
- {
- ULONG Flags;
- struct
- {
- ULONG IsProtectedProcess : 1;
- ULONG IsWow64Process : 1;
- ULONG IsProcessDeleting : 1;
- ULONG IsCrossSessionCreate : 1;
- ULONG IsFrozen : 1;
- ULONG IsBackground : 1;
- ULONG IsStronglyNamed : 1;
- ULONG IsSecureProcess : 1;
- ULONG IsSubsystemProcess : 1;
- ULONG SpareBits : 23;
- };
- };
- } PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;
-
-
- typedef enum _SYSTEM_INFORMATION_CLASS {
- SystemBasicInformation,
- SystemProcessorInformation,
- SystemPerformanceInformation,
- SystemTimeOfDayInformation,
- SystemPathInformation,
- SystemProcessInformation,
- SystemCallCountInformation,
- SystemDeviceInformation,
- SystemProcessorPerformanceInformation,
- SystemFlagsInformation,
- SystemCallTimeInformation,
- SystemModuleInformation,
- SystemLocksInformation,
- SystemStackTraceInformation,
- SystemPagedPoolInformation,
- SystemNonPagedPoolInformation,
- SystemHandleInformation,
- SystemObjectInformation,
- SystemPageFileInformation,
- SystemVdmInstemulInformation,
- SystemVdmBopInformation,
- SystemFileCacheInformation,
- SystemPoolTagInformation,
- SystemInterruptInformation,
- SystemDpcBehaviorInformation,
- SystemFullMemoryInformation,
- SystemLoadGdiDriverInformation,
- SystemUnloadGdiDriverInformation,
- SystemTimeAdjustmentInformation,
- SystemSummaryMemoryInformation,
- SystemNextEventIdInformation,
- SystemEventIdsInformation,
- SystemCrashDumpInformation,
- SystemExceptionInformation,
- SystemCrashDumpStateInformation,
- SystemKernelDebuggerInformation,
- SystemContextSwitchInformation,
- SystemRegistryQuotaInformation,
- SystemExtendServiceTableInformation,
- SystemPrioritySeperation,
- SystemPlugPlayBusInformation,
- SystemDockInformation,
- SystemPowerInformation,
- SystemProcessorSpeedInformation,
- SystemCurrentTimeZoneInformation,
- SystemLookasideInformation
- } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
-
 typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
 USHORT UniqueProcessId;
 USHORT CreatorBackTraceIndex;
@@ -287,15 +151,23 @@ namespace native {
 ULONG Unk[2];
 };
- using NtQuerySystemInformation = NTSTATUS(__stdcall*)(native::SYSTEM_INFORMATION_CLASS, PVOID, SIZE_T, PULONG);
+ struct PROCESS_EXTENDED_BASIC_INFORMATION {
+ SIZE_T Size; // set to sizeof structure on input
+ PROCESS_BASIC_INFORMATION BasicInfo;
+ uint8_t Flags;
+ };
+
+ using NtQuerySystemInformation = NTSTATUS(__stdcall*)(SYSTEM_INFORMATION_CLASS, PVOID, SIZE_T, PULONG);
 using NtOpenProcess = NTSTATUS(__stdcall*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, CLIENT_ID*);
+ using NtOpenThread = NTSTATUS(__stdcall*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, CLIENT_ID*);
 using NtReadVirtualMemory = NTSTATUS(__stdcall*)(HANDLE, PVOID, PVOID, SIZE_T, PULONG);
 using NtAllocateVirtualMemory = NTSTATUS(__stdcall*)(HANDLE, PVOID*, ULONG_PTR, PSIZE_T, ULONG, ULONG);
- using NtWiteVirtualMemory = NTSTATUS(__stdcall*)(HANDLE, PVOID, PVOID, ULONG, PULONG);
+ using NtWriteVirtualMemory = NTSTATUS(__stdcall*)(HANDLE, PVOID, PVOID, ULONG, PULONG);
 using NtClose = NTSTATUS(__stdcall*)(HANDLE);
 using NtFreeVirtualMemory = NTSTATUS(__stdcall*)(HANDLE, PVOID*, PSIZE_T, ULONG);
 using NtQueryInformationProcess = NTSTATUS(__stdcall*)(HANDLE, PROCESSINFOCLASS, PVOID, SIZE_T, PULONG);
 using NtWaitForSingleObject = NTSTATUS(__stdcall*)(HANDLE, BOOLEAN, PLARGE_INTEGER);
 using NtCreateThreadEx = NTSTATUS(__stdcall*)(PHANDLE, ACCESS_MASK, PVOID, HANDLE, LPTHREAD_START_ROUTINE, PVOID, ULONG, ULONG_PTR, SIZE_T, SIZE_T, PVOID);
+ using NtGetContextThread = NTSTATUS(__stdcall*)(HANDLE, PCONTEXT);
 }; // namespace native
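Review bot: The new `PROCESS_EXTENDED_BASIC_INFORMATION` declares `Flags` as `uint8_t`, whereas the definition this commit deletes (and the kernel's) has a 4-byte `ULONG Flags`; the kernel writes all four bytes, so this only works because trailing padding happens to absorb the other three, and any flag above bit 7 (the former `SpareBits`) is silently dropped. Keep it as `ULONG Flags; // bit 1 = IsWow64Process, see removed bitfield` and set `Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION)` at the call site. Separately, `NtReadVirtualMemory` and the renamed `NtWriteVirtualMemory` declare the bytes-transferred out-parameter as `PULONG` (and the write length as `ULONG`) while ntdll's prototypes use `SIZE_T`/`PSIZE_T`; on x64 the kernel stores 8 bytes through that pointer, so passing the address of a `ULONG` local overwrites the 4 bytes next to it on the caller's stack — change the write variant to `NTSTATUS(__stdcall*)(HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T)` and the read variant's last parameter to `PSIZE_T`. Since the local `SYSTEM_INFORMATION_CLASS` enum is removed in this same commit, the un-prefixed name in `NtQuerySystemInformation` presumably now resolves to the winternl.h one; worth confirming the header is included before this point, which is outside the hunk.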
\ No newline at end of file
diff --git a/client/src/util/syscalls.cpp b/client/src/util/syscalls.cpp
index 96036a3..a755d22 100644
--- a/client/src/util/syscalls.cpp
+++ b/client/src/util/syscalls.cpp
@@ -9,9 +9,9 @@ syscalls::syscalls() {
 m_call_table = VirtualAlloc(0, 0x100000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
 std::memset(m_call_table, 0x90, 0x100000);
- io::log("syscalls call table : {:#x}", uintptr_t(m_call_table));
+ io::log("syscalls call table : {:x}", uintptr_t(m_call_table));
- static auto nt = pe::virtual_image("ntdll.dll");
+ static auto nt = pe::ntdll();
 for (auto& exp : nt.exports()) {
 auto addr = exp.second;
diff --git a/client/src/util/syscalls.h b/client/src/util/syscalls.h
index 713e24c..0855d18 100644
--- a/client/src/util/syscalls.h
+++ b/client/src/util/syscalls.h
@@ -17,6 +17,10 @@ public:
 return reinterpret_cast<T>(uintptr_t(m_call_table) + (m_indexes[func.data()].first * m_stub.size()));
 };
+ uintptr_t operator()(const std::string_view func) {
+ return uintptr_t(m_call_table) + (m_indexes[func.data()].first * m_stub.size());
+ }
+
 uintptr_t operator()() {
 return uintptr_t(m_call_table);
 }
diff --git a/client/src/util/util.cpp b/client/src/util/util.cpp
index 1847780..fab886e 100644
--- a/client/src/util/util.cpp
+++ b/client/src/util/util.cpp
@@ -15,7 +15,7 @@ std::string util::wide_to_multibyte(const std::wstring& str) {
 str_len = WideCharToMultiByte(CP_UTF8, 0, &str[0], str.size(), 0, 0, 0, 0);
 // setup return value
- ret = std::string(str_len, 0);
+ ret.resize(str_len);
 // final conversion
 WideCharToMultiByte(CP_UTF8, 0, &str[0], str.size(), &ret[0], str_len, 0, 0);
@@ -40,7 +40,7 @@ std::wstring util::multibyte_to_wide(const std::string& str) {
 bool util::close_handle(HANDLE handle) {
 if (!handle) {
- io::log_error("invalid handle specified to close.");
+ io::log_error("invalid handle to close.");
 return false;
 }
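Review bot: In the `syscalls::syscalls()` hunk the `VirtualAlloc` result is never checked before `std::memset` writes 1 MiB through it, so an allocation failure becomes a null-pointer write instead of a logged error; add `if (!m_call_table) { io::log_error("failed to allocate syscall table"); return; }` before the memset. The table is also mapped `PAGE_EXECUTE_READWRITE` and, as far as this hunk shows, stays RWX for the life of the process; once the stubs are written (the fill loop continues past the hunk) it should be flipped to `PAGE_EXECUTE_READ` with `VirtualProtect`, which both narrows the attack surface and avoids the obvious RWX-region signature. The constructor body ends outside the hunk.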
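Review bot: The new `operator()(const std::string_view func)` in syscalls.h looks the name up with `m_indexes[func.data()]`, which default-inserts an entry for any unknown name and then returns index 0 (the table base) rather than failing, and `func.data()` is only a valid key if the view happens to be NUL-terminated. Use `auto it = m_indexes.find(std::string(func));` / `if (it == m_indexes.end()) return 0;` / `return uintptr_t(m_call_table) + (it->second.first * m_stub.size());` (assuming the map key is `std::string`, which the header does not show), and document that a zero return means "not found". The `get<T>` overload in the context line above has the same pattern and should be fixed the same way.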
@@ -54,3 +54,24 @@ bool util::close_handle(HANDLE handle) {
 return true;
 }
+
+
+ void pe::get_all_modules(std::unordered_map<std::string, virtual_image>& modules) {
+ auto peb = util::peb();
+ if (!peb) return;
+
+ if (!peb->Ldr->InMemoryOrderModuleList.Flink) return;
+
+ auto* list = &peb->Ldr->InMemoryOrderModuleList;
+
+ for (auto i = list->Flink; i != list; i = i->Flink) {
+ auto entry = CONTAINING_RECORD(i, native::LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
+ if (!entry)
+ continue;
+
+ auto name = util::wide_to_multibyte(entry->BaseDllName.Buffer);
+ std::transform(name.begin(), name.end(), name.begin(), ::tolower);
+
+ modules[name] = virtual_image(entry->DllBase);
+ }
+ }
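Review bot: `util::wide_to_multibyte(entry->BaseDllName.Buffer)` treats the `UNICODE_STRING` buffer as NUL-terminated, but `UNICODE_STRING` is length-counted and not guaranteed to be terminated, so the conversion can read past `Length`; build the string from the count instead, `const auto& dll = entry->BaseDllName;` / `auto name = util::wide_to_multibyte(std::wstring(dll.Buffer, dll.Length / sizeof(wchar_t)));`. `peb->Ldr` is dereferenced without the null check that `peb` itself gets, so add `if (!peb->Ldr) return;` before the `Flink` test. The `if (!entry) continue;` after `CONTAINING_RECORD` can never fire (it is a fixed offset from a non-null link), and `::tolower` on a `char` with a negative value is undefined, so map through `unsigned char`. A one-line header comment, `// Walks PEB->Ldr InMemoryOrderModuleList and fills `modules` keyed by lower-cased BaseDllName`, would state the contract callers rely on.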
\ No newline at end of file |