Last active
May 28, 2023 15:05
-
-
Save tahadraidia/e61274ed0110ac6b2dccbfb60c8ea957 to your computer and use it in GitHub Desktop.
Snippets parts of DWSec blog:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DWORD __fastcall sub_140006190() // renamed to golden_function | |
| ... | |
| v12 = sub_140007980(); // Get handle info | |
| if ( v12 ) | |
| { | |
| logger_0(L"Error obtaining handle information: "); | |
| if ( v12 == -1073741790 ) | |
| { | |
| logger_0(L"Access denied\n\n"); | |
| return 2; | |
| } | |
| else | |
| { | |
| if ( v12 == -1073741670 ) | |
| logger_0(L"Insufficient system resources\n\n"); | |
| else | |
| logger_0(L"%X\n\n", v12); | |
| return 2; | |
| } | |
| } | |
| ... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| char sub_140007A40() // renamed to load_ntdll_symbols | |
| { | |
| ... | |
| ModuleHandleW = GetModuleHandleW(L"ntdll.dll"); | |
| NtQueryInformationProcess = (NTSTATUS (__stdcall *)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG))GetProcAddress(ModuleHandleW, "NtQueryInformationProcess"); | |
| if ( !NtQueryInformationProcess ) | |
| return 0; | |
| v1 = GetModuleHandleW(L"ntdll.dll"); | |
| NtQueryInformationThread = (NTSTATUS (__stdcall *)(HANDLE, THREADINFOCLASS, PVOID, ULONG, PULONG))GetProcAddress(v1, "NtQueryInformationThread"); | |
| if ( !NtQueryInformationThread ) | |
| return 0; | |
| v2 = GetModuleHandleW(L"ntdll.dll"); | |
| NtQuerySystemInformation = (NTSTATUS (__stdcall *)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG))GetProcAddress(v2, "NtQuerySystemInformation"); | |
| if ( !NtQuerySystemInformation ) | |
| return 0; | |
| v3 = GetModuleHandleW(L"ntdll.dll"); | |
| NtQuerySymbolicLinkObject = (__int64)GetProcAddress(v3, "NtQuerySymbolicLinkObject"); | |
| if ( !NtQuerySymbolicLinkObject ) | |
| return 0; | |
| v4 = GetModuleHandleW(L"ntdll.dll"); | |
| NtQueryDirectoryObject = (__int64)GetProcAddress(v4, "NtQueryDirectoryObject"); | |
| if ( !NtQueryDirectoryObject ) | |
| return 0; | |
| v5 = GetModuleHandleW(L"ntdll.dll"); | |
| ... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NTSTATUS sub_140007980() | |
| { | |
| ULONG v0; // ebx | |
| void *v1; // rax | |
| SYSTEM_INFORMATION_CLASS v2; // ecx | |
| NTSTATUS result; // eax | |
| void *v4; // rax | |
| SYSTEM_INFORMATION_CLASS v5; // ecx | |
| ULONG v6; // [rsp+30h] [rbp+8h] BYREF | |
| v0 = 0x4000; | |
| v6 = 0x4000; | |
| v1 = j__malloc_base(0x4000ui64); | |
| v2 = 16; | |
| qword_140064F00 = v1; | |
| if ( byte_140064F08 ) | |
| v2 = 64; | |
| for ( result = NtQuerySystemInformation(v2, v1, v6, &v6); result; result = NtQuerySystemInformation(v5, v4, v6, &v6) ) | |
| { | |
| if ( result == -1073741790 || result == -1073741670 ) | |
| break; | |
| free(qword_140064F00); | |
| v0 *= 2; | |
| v6 = v0; | |
| v4 = j__malloc_base(v0); | |
| v5 = 16; | |
| if ( byte_140064F08 ) | |
| v5 = 64; | |
| qword_140064F00 = v4; | |
| } | |
| return result; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment