#include "inject.h"
/*
 * LoadDll: calls the LdrLoadDll-style function pointer carried in points->p1
 * to load the module named by the UNICODE_STRING in points->p2, and returns
 * the resulting module handle.  The layout of pdata (p1, p2) is defined in
 * inject.h, which is not visible here.
 *
 * NOTE(review): the NTSTATUS returned by _LdrLoadDll is discarded and
 * DllHandle is never initialised, so when the call fails this returns
 * whatever happened to be in that stack slot instead of NULL; callers cannot
 * tell success from failure.  Checking the status and returning NULL on
 * failure would make the result trustworthy.
 */
HMODULE WINAPI LoadDll(pdata *points){
fLdrLoadDll _LdrLoadDll=(fLdrLoadDll)points->p1; // presumably resolved by the injecting side; verify against inject.h
UNICODE_STRING str;
str= points->p2; // by-value copy; assumes p2 is a UNICODE_STRING — TODO confirm
HANDLE DllHandle; // NOTE(review): uninitialised; only the callee writes it
_LdrLoadDll(0, 0,(PUNICODE_STRING)&str, &DllHandle); // status result not checked
return (HMODULE)DllHandle;
}
/*
 * LoadDLL_stub: empty function with no callers in this file.  Presumably it
 * serves as an address marker placed right after LoadDll so the injecting
 * side can compute how many bytes of LoadDll to copy — confirm against the
 * injector before moving or removing it, since its position in the binary,
 * not its body, is what matters.
 */
void LoadDLL_stub()
{
return;
}
/*
 * LoadDll2: finishes loading an image that has already been placed at
 * ManualInject->ImageBase by the injecting side.  The MANUAL_INJECT layout
 * (ImageBase, NtHeaders, BaseRelocation, ImportDirectory, fnLoadLibraryA,
 * fnGetProcAddress) comes from inject.h, which is not visible here.
 *
 * Steps, as visible below:
 *   1. apply base relocations using the delta between the actual mapping
 *      address and OptionalHeader.ImageBase;
 *   2. resolve the import table through the fnLoadLibraryA/fnGetProcAddress
 *      function pointers carried in the MANUAL_INJECT block;
 *   3. run TLS callbacks with DLL_PROCESS_ATTACH when DataDirectory[9] exists;
 *   4. call the image entry point with DLL_PROCESS_ATTACH and return its result.
 *
 * @param p  PMANUAL_INJECT, passed as PVOID.
 * @return   0 if a module or imported function cannot be resolved or the image
 *           has no entry point; otherwise whatever the entry point returns.
 *
 * NOTE(review): this routine appears to be copied into the target as a unit
 * (LoadDllEnd below looks like the end marker), so it must not acquire calls
 * into this binary's own imports or CRT; keep that in mind before any
 * restructuring.  Nothing here registers the image with the loader (no PEB or
 * loader-list access), so the module will not show up where ordinary loaded
 * modules do — a detail relevant to anyone inspecting the target process, and
 * worth confirming against what the injecting side does.
 */
MYWORD WINAPI LoadDll2(PVOID p)
{
PMANUAL_INJECT ManualInject;
HMODULE hModule;
MYWORD i,Function,count,delta;
PDWORD ptr;
PWORD list;
PIMAGE_BASE_RELOCATION pIBR;
PIMAGE_IMPORT_DESCRIPTOR pIID;
PIMAGE_IMPORT_BY_NAME pIBN;
PIMAGE_THUNK_DATA FirstThunk,OrigFirstThunk;
PDLL_MAIN EntryPoint;
ManualInject=(PMANUAL_INJECT)p;
pIBR=ManualInject->BaseRelocation;
delta=(MYWORD)ManualInject->ImageBase - (MYWORD)ManualInject->NtHeaders->OptionalHeader.ImageBase;// delta = actual load address - preferred ImageBase; MYWORD is presumably pointer-sized (see inject.h)
// Relocate the image: walk relocation blocks until one with VirtualAddress == 0 ends the table.
// NOTE(review): a block whose SizeOfBlock is 0 fails the size check but still does not advance
// pIBR below, so a malformed relocation table would spin here forever.
while(pIBR->VirtualAddress)
{
if(pIBR->SizeOfBlock>=sizeof(IMAGE_BASE_RELOCATION))
{
count=(pIBR->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/sizeof(WORD); // number of 16-bit entries following the block header
list=(PWORD)(pIBR+1);
for(i=0;i<count;i++)
{
// NOTE(review): only "entry != 0" is tested; the relocation type in the top 4 bits is never
// inspected, and every entry is patched as a 32-bit add through PDWORD regardless of type.
if(list[i])
{
ptr=(PDWORD)((LPBYTE)ManualInject->ImageBase+(pIBR->VirtualAddress+(list[i] & 0xFFF))); // low 12 bits = offset within the block's page
*ptr+=delta; // 32-bit write; if MYWORD is 64-bit the upper half of delta is dropped here
}
}
}
pIBR=(PIMAGE_BASE_RELOCATION)((LPBYTE)pIBR+pIBR->SizeOfBlock); // advance by the block's own size
}
pIID=ManualInject->ImportDirectory;
// Resolve DLL imports
i=-1; // reused below as the ordinal mask; as MYWORD this is all-ones, i.e. no bits are masked off
//i--;
while(pIID->Characteristics) // descriptor table ends at an all-zero entry
{
OrigFirstThunk=(PIMAGE_THUNK_DATA)((LPBYTE)ManualInject->ImageBase+pIID->OriginalFirstThunk); // import name table (read)
FirstThunk=(PIMAGE_THUNK_DATA)((LPBYTE)ManualInject->ImageBase+pIID->FirstThunk); // import address table (written)
hModule=ManualInject->fnLoadLibraryA((LPCSTR)ManualInject->ImageBase+pIID->Name); // loaded through the pointer supplied in the MANUAL_INJECT block
if(!hModule)
{
return 0; // unresolved module: give up, leaving earlier IAT entries partially filled
}
while(OrigFirstThunk->u1.AddressOfData)
{
if(OrigFirstThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
{
// Import by ordinal
// NOTE(review): with i == (MYWORD)-1 the mask below leaves IMAGE_ORDINAL_FLAG set in the value
// handed to fnGetProcAddress — confirm that this is intended rather than the earlier 0xffff mask.
Function=(MYWORD)ManualInject->fnGetProcAddress(hModule,(LPCSTR)(OrigFirstThunk->u1.Ordinal & i)); // i was 0xffff before!
if(!Function)
{
return 0;
}
FirstThunk->u1.Function=Function;
}
else
{
// Import by name
pIBN=(PIMAGE_IMPORT_BY_NAME)((LPBYTE)ManualInject->ImageBase+OrigFirstThunk->u1.AddressOfData); // hint/name entry
Function=(MYWORD)ManualInject->fnGetProcAddress(hModule,(LPCSTR)pIBN->Name);
if(!Function)
{
return 0;
}
FirstThunk->u1.Function=Function;
}
OrigFirstThunk++;
FirstThunk++;
}
pIID++;
}
// TLS callbacks: DataDirectory[9] is the TLS directory. Only its presence in the header
// (NumberOfRvaAndSizes > 9) is checked.
// NOTE(review): DataDirectory[9].VirtualAddress is not tested for zero, so an image without a
// TLS directory makes tls point at ImageBase itself and AddressOfCallBacks is read from the
// start of the image; a VirtualAddress check before the cast would avoid that.
if(ManualInject->NtHeaders->OptionalHeader.NumberOfRvaAndSizes>9)
{
PIMAGE_TLS_DIRECTORY tls;
PIMAGE_TLS_CALLBACK* callback;
tls = (PIMAGE_TLS_DIRECTORY) ((MYWORD)ManualInject->ImageBase + ManualInject->NtHeaders->OptionalHeader.DataDirectory[9].VirtualAddress);
callback = (PIMAGE_TLS_CALLBACK *) tls->AddressOfCallBacks; // used as an absolute pointer (no ImageBase added), so it relies on the relocation pass above having fixed it
if (callback)
// runs every callback up to the terminating NULL entry
while (*callback)
{
(*callback)((LPVOID) ManualInject->ImageBase, DLL_PROCESS_ATTACH, NULL);
callback++;
}
}
//OptionalHeader.NumberOfRvaAndSizes
if(ManualInject->NtHeaders->OptionalHeader.AddressOfEntryPoint)
{
EntryPoint=(PDLL_MAIN)((LPBYTE)ManualInject->ImageBase+ManualInject->NtHeaders->OptionalHeader.AddressOfEntryPoint);
//asm volatile ("mov %esp,%ebp");
return EntryPoint((HMODULE)ManualInject->ImageBase,DLL_PROCESS_ATTACH,NULL); // Call the entry point; its return value is passed straight back
// return (DWORD) ManualInject->ImageBase;
}
return 0; // no entry point in the header
}
/*
 * LoadDllEnd: empty function with no callers in this file.  Presumably the
 * end marker that follows LoadDll2 so the injecting side can compute the
 * byte length of LoadDll2 to copy — confirm against the injector before
 * moving or removing it; its position in the binary is what matters.
 */
void WINAPI LoadDllEnd()
{
return;
}