Created
April 23, 2019 02:13
-
-
Save devdilson/b550d1c224c709a4f230bf8e352db58f to your computer and use it in GitHub Desktop.
A simple Win32 API loader that does based on PEB Kernel base
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| namespace Win32 { | |
| DWORD* GetPEB() { | |
| __asm { | |
| push 0x30 | |
| pop esi | |
| mov eax, fs:[esi] | |
| ret | |
| } | |
| } | |
| DWORD GetKernel32Address() | |
| { | |
| DWORD dwAddr = 0; | |
| __asm | |
| { | |
| mov ebx, fs:[0x30] | |
| mov ebx, [ebx + 0x0C] | |
| mov ebx, [ebx + 0x14] | |
| mov ebx, [ebx] | |
| mov ebx, [ebx] | |
| mov ebx, [ebx + 0x10] | |
| mov dwAddr, ebx | |
| } | |
| return dwAddr; | |
| } | |
| LPVOID WINAPI GetFuncAddress(DWORD baseAddress, const char *func) { | |
| IMAGE_DOS_HEADER *dos_header = reinterpret_cast<IMAGE_DOS_HEADER*>(baseAddress); | |
| IMAGE_NT_HEADERS *nt_header = PIMAGE_NT_HEADERS(baseAddress + dos_header->e_lfanew); | |
| DWORD export_rva = nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; | |
| if (export_rva == 0) { | |
| return NULL; | |
| } | |
| PIMAGE_EXPORT_DIRECTORY img_export_dir = PIMAGE_EXPORT_DIRECTORY(baseAddress + export_rva); | |
| PDWORD Address = (PDWORD)((LPBYTE)baseAddress + img_export_dir->AddressOfFunctions); | |
| PDWORD Name = (PDWORD)((LPBYTE)baseAddress + img_export_dir->AddressOfNames); | |
| PWORD Ordinal = (PWORD)((LPBYTE)baseAddress + img_export_dir->AddressOfNameOrdinals); | |
| for (int i = 0; i < img_export_dir->AddressOfFunctions; i++) { | |
| if (!strcmp(func, (char*)baseAddress + Name[i])) { | |
| return (PVOID)((LPBYTE)baseAddress + Address[Ordinal[i]]); | |
| } | |
| } | |
| return NULL; | |
| } | |
| void _memcpy(void *dest, void *src, size_t n){ | |
| char *csrc = (char *)src; | |
| char *cdest = (char *)dest; | |
| for (int i = 0; i < n; i++) | |
| cdest[i] = csrc[i]; | |
| } | |
| template<class T> | |
| T GetKernel32Function(const char *name) { | |
| return reinterpret_cast<T>(GetFuncAddress(GetKernel32Address(), name)); | |
| } | |
| void OutputDebug(const char *msg) { | |
| Win32::GetKernel32Function<decltype(&OutputDebugStringA)>("OutputDebugStringA")(msg); | |
| } | |
| template<class T> | |
| T GetNtFunction(const char *name) { | |
| OutputDebug("Loading NT DLL function."); | |
| OutputDebug(name); | |
| auto _LoadLibrary = Win32::GetKernel32Function<decltype(&LoadLibraryA)>("LoadLibraryA"); | |
| if (!_LoadLibrary) { | |
| OutputDebug("Could not load LoadLibraryA."); | |
| return NULL; | |
| } | |
| HMODULE hModule = _LoadLibrary("ntdll.dll"); | |
| if (!_LoadLibrary) { | |
| OutputDebug("Could not load ntdll.dll."); | |
| return NULL; | |
| } | |
| auto _func = reinterpret_cast<T>(GetFuncAddress((DWORD)hModule, name)); | |
| if (!_func) { | |
| OutputDebug("Could not load NT dll function"); | |
| OutputDebug(name); | |
| return NULL; | |
| } | |
| OutputDebug("Loaded NT DLL with success"); | |
| return _func; | |
| } | |
| } | |
| void usage(){ | |
| auto _LoadLibrary = Win32::GetKernel32Function<decltype(&LoadLibraryA)>("LoadLibraryA"); | |
| _LoadLibrary("client.dll"); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment