@Cracked5pider
Created January 23, 2024 14:12
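/*!
 * @brief
 * Loads a module from KnownDlls using
 * NtOpenSection & NtMapViewOfSection.
 *
 * The object path "\KnownDlls\<ModuleName>.dll" is built
 * in a stack buffer, the section is opened with
 * SECTION_MAP_EXECUTE | SECTION_MAP_READ and mapped into
 * the current process as a ViewUnmap view with
 * PAGE_READONLY protection. The section handle is closed
 * and every stack buffer (including the decrypted string
 * constants) is wiped before returning; the mapped view
 * itself is handed to the caller.
 *
 * @param ModuleName
 * ANSI name of the module to load from KnownDlls, without
 * the ".dll" extension (it is appended here). Names that
 * would not fit into the MAX_PATH-sized stack buffers are
 * rejected instead of overflowing them.
 *
 * @return
 * Base address of the mapped view from \KnownDlls\, or
 * NULL when the argument or a required Win32 function
 * pointer is missing, the name is empty or too long, or
 * the conversion, NtOpenSection or NtMapViewOfSection
 * fails.
 */
FUNC PVOID LdrModuleKnown(
    _In_ LPSTR ModuleName
) {
    INSTANCE_NAMESPACE

    PVOID             Module  = { 0 };
    HANDLE            Section = { 0 };
    UNICODE_STRING    String  = { 0 };
    OBJECT_ATTRIBUTES ObjAttr = { 0 };
    SIZE_T            NameLen = { 0 };
    USHORT            MaxSize = { 0 };
    SIZE_T            Length  = { 0 };
    WCHAR             Name[ MAX_PATH ] = { 0 };
    WCHAR             Path[ MAX_PATH ] = { 0 };

    /* check if args are specified and
     * required functions are loaded */
    if ( ! ModuleName ||
         ! Instance->Win32.NtOpenSection ||
         ! Instance->Win32.NtMapViewOfSection
    ) {
        return NULL;
    }

    /* decrypt strings to the stack */
    OBF_WSTRING( Known, L"\\KnownDlls\\" );
    OBF_WSTRING( DllExt, L".dll" );

    /* zero memory the structs */
    MemZero( Path, sizeof( Path ) );
    MemZero( Name, sizeof( Name ) );
    MemZero( &String, sizeof( String ) );
    MemZero( &ObjAttr, sizeof( ObjAttr ) );

    /* get given module name length in characters. It is kept in a
     * SIZE_T first so that a long name cannot silently wrap the
     * USHORT that later feeds UNICODE_STRING.Length. */
    NameLen = StringLengthA( ModuleName );

    /* bounds check: the converted name must fit into Name (leaving
     * room for a terminator) and "\KnownDlls\" + name + ".dll" must
     * fit into Path, otherwise the MemCopy calls below would write
     * past the stack buffers. An empty name can never name a section
     * and is rejected for the same NULL result. LDR_KNOWNDLL_PATH_SIZE
     * is a byte count (it is used as a byte offset into Path). */
    if ( NameLen == 0 ||
         NameLen >= MAX_PATH ||
         ( LDR_KNOWNDLL_PATH_SIZE + ( NameLen * sizeof( WCHAR ) ) + sizeof( DllExt ) ) > sizeof( Path )
    ) {
        goto END;
    }

    MaxSize = ( USHORT ) NameLen;

    /* convert given ascii string to wide string */
    if ( ( CharStringToWCharString( Name, ModuleName, MaxSize ) ) ) {
        /* real wide string size (bytes, terminator excluded) */
        MaxSize = MaxSize * sizeof( WCHAR );

        /* create path to module: prefix, then the converted name,
         * then the extension including its terminating NUL */
        MemCopy( C_PTR( U_PTR( Path ) ), C_DEF( Known ), LDR_KNOWNDLL_PATH_SIZE );
        MemCopy( C_PTR( U_PTR( Path ) + LDR_KNOWNDLL_PATH_SIZE ), Name, MaxSize );
        MemCopy( C_PTR( U_PTR( Path ) + LDR_KNOWNDLL_PATH_SIZE + MaxSize ), C_DEF( DllExt ), sizeof( DllExt ) );

        /* init unicode struct: Length excludes the terminator,
         * MaximumLength includes it */
        MaxSize = ( ( sizeof( Known ) - sizeof( WCHAR ) ) + MaxSize + ( sizeof( DllExt ) - sizeof( WCHAR ) ) );

        String.Length        = MaxSize;
        String.MaximumLength = MaxSize + sizeof( WCHAR );
        String.Buffer        = Path;

        PRINTF( "Trying to load %s from \\KnownDlls\\ :: %ls", ModuleName, String.Buffer );

        /* init object attributes */
        InitializeObjectAttributes(
            &ObjAttr,
            &String,
            OBJ_CASE_INSENSITIVE,
            NULL,
            NULL
        );

        /* open section */
        if ( ! NT_SUCCESS( Instance->Win32.NtOpenSection(
            &Section,
            SECTION_MAP_EXECUTE | SECTION_MAP_READ,
            &ObjAttr
        ) ) ) {
            goto END;
        }

        /* map section: ViewSize (Length) of 0 requests the whole
         * section; Module receives the view base on success and is
         * still NULL from its initializer on failure */
        if ( ! NT_SUCCESS( Instance->Win32.NtMapViewOfSection(
            Section,
            NtCurrentProcess(),
            &Module,
            0,
            0,
            NULL,
            &Length,
            ViewUnmap,
            0,
            PAGE_READONLY
        ) ) ) {
            goto END;
        }
    }

END:
    /* close section handle: the mapping stays valid after the
     * handle is closed, only the view is returned */
    if ( Section ) {
        Instance->Win32.NtClose( Section );
        Section = NULL;
    }

    /* clear enc data from stack */
    MemZero( C_DEF( Known ), sizeof( Known ) );
    MemZero( C_DEF( DllExt ), sizeof( DllExt ) );

    /* clear data from stack */
    MemZero( Path, sizeof( Path ) );
    MemZero( Name, sizeof( Name ) );
    MemZero( &String, sizeof( String ) );
    MemZero( &ObjAttr, sizeof( ObjAttr ) );

    return Module;
}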