slyd0g/LOADER_SNIPPET_STOMP.c

## LOADER_SNIPPET_STOMP.c
		MapImg = MemAllocateStomped( &fTable, ImgLen );

		if ( !MapImg ) {
			sParam.ImgMod = TRUE;
			MapImg = MemAllocateVirtual( &fTable, ImgLen );
		};
		InlineZeroMemory( MapImg, ImgLen );

		SecHdr = IMAGE_FIRST_SECTION( NtsHdr );
		for ( INT i = 0 ; i < NtsHdr->FileHeader.NumberOfSections ; ++i ) {
			InlineCopyMemory( (LPVOID)(DEF_PTR(MapImg) + SecHdr[i].VirtualAddress),
					  (LPVOID)(DEF_PTR(pImage) + SecHdr[i].PointerToRawData),
					  (DWORD)(SecHdr[i].SizeOfRawData) );
		};

## memalloc.c
#define LOADER_INTERNAL
#include "common.h"

/**
 *
 * Allocates memory using the traditional
 * VirtualAlloc() method that Stephen Fewer's
 * and sRDI leverages.
 *
 * @ param [in] PFUNC_TABLE fTable : Pointer
 * to the initialized function table.
 *
 * @ param [in] ULONG Length : Length of the
 * images header.
 *
**/
PVOID MemAllocateVirtual( IN PFUNC_TABLE fTable, IN ULONG Length ) {
	return fTable->VirtualAlloc( NULL,
				     Length,
				     MEM_COMMIT|MEM_RESERVE,
				     PAGE_READWRITE );
};

/**
 *
 * Allocates memory using the untraditional
 * LoadLibraryExA() call that Cobalt attempts
 * to use to stomp an existing PE.
 *
 * @ param [in] PFUNC_TABLE fTable : Pointer
 * to the initialized function table.
 *
 * @ param [in] ULONG Length : Length of the
 * images header.
 *
**/
PVOID MemAllocateStomped( IN PFUNC_TABLE fTable, IN ULONG Length ) {
	PVOID ImgPtr     = 0;
	DWORD dwPerm     = 0;
	BYTE  ImgStr[24] = { 0 };

	ImgStr[0]  = 'm';
	ImgStr[1]  = 'i';
	ImgStr[2]  = 's';
	ImgStr[3]  = 'p';
	ImgStr[4]  = 'a';
	ImgStr[5]  = 'c';
	ImgStr[6]  = 'e';
	ImgStr[7]  = '.';
	ImgStr[8]  = 'd';
	ImgStr[9]  = 'l';
	ImgStr[10] = 'l';
	ImgStr[11] = '\0';

	if ( fTable->GetModuleHandleA(ImgStr) != NULL ) {
		return NULL;
	};

	ImgPtr = fTable->LoadLibraryExA(ImgStr, NULL, DONT_RESOLVE_DLL_REFERENCES);
	if ( ImgPtr != NULL ) {
		fTable->VirtualProtect(( LPVOID )( DEF_PTR(ImgPtr) ),
				       ( ULONG  )( Length ),
				       ( ULONG  )( PAGE_READWRITE ),
				       ( PULONG )( & dwPerm ));
	};
	return ImgPtr;
};
	MapImg = MemAllocateStomped( &fTable, ImgLen );

	if ( !MapImg ) {
	sParam.ImgMod = TRUE;
	MapImg = MemAllocateVirtual( &fTable, ImgLen );
	};
	InlineZeroMemory( MapImg, ImgLen );

	SecHdr = IMAGE_FIRST_SECTION( NtsHdr );
	for ( INT i = 0 ; i < NtsHdr->FileHeader.NumberOfSections ; ++i ) {
	InlineCopyMemory( (LPVOID)(DEF_PTR(MapImg) + SecHdr[i].VirtualAddress),
	(LPVOID)(DEF_PTR(pImage) + SecHdr[i].PointerToRawData),
	(DWORD)(SecHdr[i].SizeOfRawData) );
	};
	#define LOADER_INTERNAL
	#include "common.h"

	/**
	*
	* Allocates memory using the traditional
	* VirtualAlloc() method that Stephen Fewer's
	* and sRDI leverages.
	*
	* @ param [in] PFUNC_TABLE fTable : Pointer
	* to the initialized function table.
	*
	* @ param [in] ULONG Length : Length of the
	* images header.
	*
	**/
	PVOID MemAllocateVirtual( IN PFUNC_TABLE fTable, IN ULONG Length ) {
	return fTable->VirtualAlloc( NULL,
	Length,
	MEM_COMMIT\|MEM_RESERVE,
	PAGE_READWRITE );
	};

	/**
	*
	* Allocates memory using the untraditional
	* LoadLibraryExA() call that Cobalt attempts
	* to use to stomp an existing PE.
	*
	* @ param [in] PFUNC_TABLE fTable : Pointer
	* to the initialized function table.
	*
	* @ param [in] ULONG Length : Length of the
	* images header.
	*
	**/
	PVOID MemAllocateStomped( IN PFUNC_TABLE fTable, IN ULONG Length ) {
	PVOID ImgPtr = 0;
	DWORD dwPerm = 0;
	BYTE ImgStr[24] = { 0 };

	ImgStr[0] = 'm';
	ImgStr[1] = 'i';
	ImgStr[2] = 's';
	ImgStr[3] = 'p';
	ImgStr[4] = 'a';
	ImgStr[5] = 'c';
	ImgStr[6] = 'e';
	ImgStr[7] = '.';
	ImgStr[8] = 'd';
	ImgStr[9] = 'l';
	ImgStr[10] = 'l';
	ImgStr[11] = '\0';

	if ( fTable->GetModuleHandleA(ImgStr) != NULL ) {
	return NULL;
	};

	ImgPtr = fTable->LoadLibraryExA(ImgStr, NULL, DONT_RESOLVE_DLL_REFERENCES);
	if ( ImgPtr != NULL ) {
	fTable->VirtualProtect(( LPVOID )( DEF_PTR(ImgPtr) ),
	( ULONG )( Length ),
	( ULONG )( PAGE_READWRITE ),
	( PULONG )( & dwPerm ));
	};
	return ImgPtr;
	};