// ithsys.cc
|
// 8/21/2013 jichi
|
|
|
|
|
// Branch: ITH_SYS/SYS.cpp, rev 126
|
|
|
|
|
//
|
|
|
|
|
// 8/24/2013 TODO:
|
|
|
|
|
// - Clean up the code
|
|
|
|
|
// - Move my old create remote thread for ITH2 here
|
|
|
|
|
|
|
|
|
|
#include "ithsys/ithsys.h"
|
|
|
|
|
|
|
|
|
|
// - Global variables -
|
|
|
|
|
|
|
|
|
|
// jichi 6/12/2015: https://en.wikipedia.org/wiki/Shift_JIS
|
|
|
|
|
// Lead-byte table for the Shift-JIS encoding, indexed by byte value
|
|
|
|
|
// Shift-JIS lead-byte table indexed by byte value: an entry of 2 marks a lead
// byte (first byte of a two-byte character), 1 a single-byte character.
// Each row below covers 16 byte values, starting at 0x00.
// NOTE(review): 0xA0 is marked 2 here, but it is not a Shift-JIS lead byte in
// the referenced table (lead bytes are 0x81-0x9F and 0xE0-0xFC, the latter
// including the user-defined area 0xF0-0xFC); confirm whether that entry is
// intentional before changing it, since consumers of this table are not
// visible from this file.
BYTE LeadByteTable[0x100] = {
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, // 0x00-0x0F
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, // 0x10-0x1F
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, // 0x20-0x2F
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, // 0x30-0x3F
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, // 0x40-0x4F
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, // 0x50-0x5F
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, // 0x60-0x6F
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, // 0x70-0x7F
1,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2, // 0x80-0x8F: 0x81-0x8F are lead bytes
2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2, // 0x90-0x9F: lead bytes
2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, // 0xA0-0xAF: 0xA0 marked as lead (see note above); 0xA1-0xDF are half-width katakana
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, // 0xB0-0xBF
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, // 0xC0-0xCF
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, // 0xD0-0xDF
2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2, // 0xE0-0xEF: lead bytes
2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1  // 0xF0-0xFF: 0xF0-0xFC lead bytes (user-defined area), 0xFD-0xFF single
};
|
|
|
|
|
|
|
|
|
|
// - API functions -
|
|
|
|
|
|
|
|
|
|
extern "C" {
|
|
|
|
|
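// Locate a loaded module by its base DLL name (case-insensitive) and report
// its address range through *lower / *upper.
//
// The module list is read straight from the PEB (PEB->Ldr->
// InLoadOrderModuleList) with inline asm, so this is x86-only and must run
// inside the process whose modules are being inspected.
//
// *lower receives the module base. *upper starts at the base and is advanced
// one memory region at a time with NtQueryVirtualMemory until either
// it->SizeOfImage bytes have been covered, or a PAGE_NOACCESS region is hit,
// in which case the loader entry's SizeOfImage is overwritten with the size
// walked so far. That write into the PEB loader data is a side effect kept
// from the original code; callers elsewhere may depend on it.
//
// Returns 1 when the module is found (outputs written), 0 otherwise.
//
// Fix: the NTSTATUS of NtQueryVirtualMemory was ignored. When a query failed,
// the MEMORY_BASIC_INFORMATION kept its previous contents (RegionSize 0 on the
// first iteration), so the do/while never advanced and spun forever. A failed
// query now ends the walk; *upper then covers only the regions queried so far.
int FillRange(LPCWSTR name, DWORD *lower, DWORD *upper)
{
  PLDR_DATA_TABLE_ENTRY it;
  LIST_ENTRY *begin;
  __asm
  {
    mov eax,fs:[0x30]   // PEB
    mov eax,[eax+0xc]   // PEB->Ldr
    mov eax,[eax+0xc]   // Ldr->InLoadOrderModuleList.Flink: first module entry
    mov it,eax
    mov begin,eax
  }

  while (it->SizeOfImage) {
    // Skip nameless entries instead of handing a NULL buffer to _wcsicmp.
    if (it->BaseDllName.Buffer && ::_wcsicmp(it->BaseDllName.Buffer, name) == 0) {
      *lower = *upper = (DWORD)it->DllBase;
      MEMORY_BASIC_INFORMATION info = {};
      DWORD returned = 0;
      DWORD size = 0;
      do {
        NTSTATUS status = NtQueryVirtualMemory(NtCurrentProcess(), (LPVOID)(*upper),
                                               MemoryBasicInformation, &info, sizeof(info), &returned);
        if (status < 0) // !NT_SUCCESS: stop rather than loop on stale region data
          break;
        if (info.Protect & PAGE_NOACCESS) {
          it->SizeOfImage = size; // see header comment: deliberate write into the loader entry
          break;
        }
        size += info.RegionSize;
        *upper += info.RegionSize;
      } while (size < it->SizeOfImage);
      return 1;
    }
    it = (PLDR_DATA_TABLE_ENTRY)it->InLoadOrderModuleList.Flink;
    // The list is circular through the PEB_LDR_DATA head; once the next link
    // points back at the first entry we are sitting on the head itself, which
    // is not a real module entry, so stop here.
    if (it->InLoadOrderModuleList.Flink == begin)
      break;
  }
  return 0;
}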
|
|
|
|
|
|
|
|
|
|
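// Find the first occurrence of the search_length bytes at `search` within the
// base_length bytes starting at `base`, using Knuth-Morris-Pratt.
//
// Returns the 0-based offset of the match from `base`, or 0 when there is no
// match. A match at offset 0 is therefore indistinguishable from "not found";
// a caller that needs to tell them apart has to compare the bytes at `base`
// itself.
//
// The KMP failure table (search_length DWORDs) is pushed onto the stack inside
// the asm block and popped again before it ends; the result is left in eax by
// the asm block. MSVC x86 only.
//
// Fix: search_length == 0 made the `push 0` loop wrap around and run ~4G times
// (stack overflow). A pattern longer than the haystack can never match (the
// original fell through to 0 for it anyway), so both cases are rejected up
// front.
DWORD SearchPattern(DWORD base, DWORD base_length, LPCVOID search, DWORD search_length) // KMP
{
  if (search_length == 0 || search_length > base_length)
    return 0;

  __asm
  {
    // Reserve search_length zeroed DWORDs at [esp] for the failure table.
    mov eax,search_length
  alloc:
    push 0
    sub eax,1
    jnz alloc

    // Build the failure table: table[i] = length of the longest proper prefix
    // of search[0..i] that is also a suffix of it. ecx = i, esi = candidate.
    mov edi,search
    mov edx,search_length
    mov ecx,1
    xor esi,esi
  build_table:
    mov al,byte ptr [edi+esi]
    cmp al,byte ptr [edi+ecx]
    sete al                   // al = (search[esi] == search[ecx])
    test esi,esi
    jz pre                    // esi == 0: nothing shorter to fall back to
    test al,al
    jnz pre                   // matched: extend the prefix
    mov esi,[esp+esi*4-4]     // mismatch: esi = table[esi-1], retry
    jmp build_table
  pre:
    test al,al
    jz write_table
    inc esi
  write_table:
    mov [esp+ecx*4],esi       // table[ecx] = esi

    inc ecx
    cmp ecx,edx
    jb build_table

    // Scan the haystack: edx = haystack index, ecx = pattern bytes matched.
    mov esi,base
    xor edx,edx
    mov ecx,edx
  matcher:
    mov al,byte ptr [edi+ecx]
    cmp al,byte ptr [esi+edx]
    sete al                   // al = (search[ecx] == base[edx])
    test ecx,ecx
    jz match                  // no partial match to shorten
    test al,al
    jnz match
    mov ecx, [esp+ecx*4-4]    // mismatch: ecx = table[ecx-1], retry same haystack byte
    jmp matcher
  match:
    test al,al
    jz pre2
    inc ecx
    cmp ecx,search_length
    je finish                 // whole pattern matched; edx = offset of its last byte
  pre2:
    inc edx
    cmp edx,base_length       // haystack exhausted?
    jb matcher
    // No match: set edx so the arithmetic below yields 0.
    mov edx,search_length
    dec edx
  finish:
    mov ecx,search_length
    sub edx,ecx
    lea eax,[edx+1]           // eax = edx - search_length + 1 = match offset (0 if none)
    lea ecx,[ecx*4]
    add esp,ecx               // pop the failure table
  }
}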
|
|
|
|
|
|
|
|
|
|
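// Query the memory region that contains `mem` in the current process.
//
// On success writes the region's base address to *base and its size to *size
// (each only when the pointer is non-NULL) and returns 1 if the region is
// accessible, 0 if its protection is PAGE_NOACCESS (free/reserved memory).
// If NtQueryVirtualMemory fails, *base and *size are set to 0 and 0 is
// returned.
//
// Fixes: the original tested info.Type (MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE)
// against PAGE_NOACCESS, which is a protection flag, so the result was always
// 1; FillRange above already uses info.Protect, which is the correct field.
// It also read an uninitialised MEMORY_BASIC_INFORMATION when the query
// failed, since the status was never checked.
DWORD IthGetMemoryRange(LPCVOID mem, DWORD *base, DWORD *size)
{
  MEMORY_BASIC_INFORMATION info = {};
  DWORD returned = 0;
  NTSTATUS status = NtQueryVirtualMemory(NtCurrentProcess(), const_cast<LPVOID>(mem),
                                         MemoryBasicInformation, &info, sizeof(info), &returned);
  if (status < 0) { // !NT_SUCCESS
    if (base)
      *base = 0;
    if (size)
      *size = 0;
    return 0;
  }
  if (base)
    *base = (DWORD)info.BaseAddress;
  if (size)
    *size = info.RegionSize;
  // Protect, not Type, carries the PAGE_* flags.
  return (info.Protect & PAGE_NOACCESS) == 0;
}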
|
|
|
|
|
|
|
|
|
|
// Query the module's export table by name hash; returns the function address if found.
|
|
|
|
|
// Similar to GetProcAddress, but matches on GetHash(name) instead of the name string.
|
|
|
|
|
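// Resolve the export of `hModule` whose name hashes (via GetHash) to `hash`
// by walking the PE export directory by hand, without going through the
// loader. Only named exports (AddressOfNames) are searched, not ordinal-only
// ones. 32-bit only: addresses are DWORDs and IMAGE_NT_HEADERS is the 32-bit
// layout.
//
// Returns the export's virtual address, or 0 when hModule is NULL, the image
// is not a PE file, it has no export directory, no export name matches, the
// ordinal is out of range, or the matching export is a forwarder.
//
// Fixes: the original "no export table" check tested hModule + RVA, which is
// never 0, so a module without exports was parsed as if its DOS header were
// the export directory; the ordinal read from AddressOfNameOrdinals was not
// bounds-checked against NumberOfFunctions; and a forwarded export (its RVA
// lies inside the export directory) was returned as the address of the
// forwarder string, which is not callable. Forwarders are not resolved here;
// 0 is returned so the caller fails closed.
DWORD GetExportAddress(DWORD hModule, DWORD hash)
{
  if (!hModule)
    return 0;

  IMAGE_DOS_HEADER *DosHdr = (IMAGE_DOS_HEADER *)hModule;
  if (DosHdr->e_magic != IMAGE_DOS_SIGNATURE)
    return 0;

  IMAGE_NT_HEADERS *NtHdr = (IMAGE_NT_HEADERS *)(hModule + DosHdr->e_lfanew);
  if (NtHdr->Signature != IMAGE_NT_SIGNATURE)
    return 0;

  DWORD exportRva = NtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
  DWORD exportSize = NtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
  if (!exportRva) // the module exports nothing
    return 0;

  IMAGE_EXPORT_DIRECTORY *ExtDir = (IMAGE_EXPORT_DIRECTORY *)(hModule + exportRva);
  DWORD *names = (DWORD *)(hModule + ExtDir->AddressOfNames);            // RVAs of export name strings
  WORD *ordinals = (WORD *)(hModule + ExtDir->AddressOfNameOrdinals);    // parallel to names
  DWORD *functions = (DWORD *)(hModule + ExtDir->AddressOfFunctions);    // RVAs of export targets

  for (DWORD i = 0; i < ExtDir->NumberOfNames; i++) {
    char *exportName = (char *)(hModule + names[i]);
    if (GetHash(exportName) != hash)
      continue;

    // AddressOfNameOrdinals holds unbiased indices into AddressOfFunctions.
    WORD index = ordinals[i];
    if (index >= ExtDir->NumberOfFunctions)
      return 0;

    DWORD funcRva = functions[index];
    if (!funcRva) // unused slot in the address table
      return 0;
    if (funcRva >= exportRva && funcRva < exportRva + exportSize)
      return 0; // forwarder ("DLL.Function" string), not code
    return hModule + funcRva;
  }
  return 0;
}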
|
|
|
|
|
|
|
|
|
|
} // extern "C"
|
|
|
|
|
|
// EOF
|