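// ithsys.cc
// 8/21/2013 jichi
// Branch: ITH_SYS/SYS.cpp, rev 126
//
// 8/24/2013 TODO:
// - Clean up the code
// - Move my old create remote thread for ITH2 here

#include "ithsys/ithsys.h"

// - Global variables -

// jichi 6/12/2015: https://en.wikipedia.org/wiki/Shift_JIS
// Leading table for SHIFT-JIS encoding.
// LeadByteTable[b] is 2 when byte b starts a two-byte sequence and 1 when
// it is a single-byte character. Rows are 16 bytes: 0x00-0x7F are 1,
// 0x81-0x9F and 0xE0-0xFC are 2, 0xFD-0xFF are 1.
// NOTE(review): 0xA0 is also marked 2 here, although 0xA0 is not a
// Shift_JIS lead byte; left as-is because callers may rely on it — confirm.
BYTE LeadByteTable[0x100] = {
  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
  1,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,
  2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,
  2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
  2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,
  2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1
};

// - API functions -

extern "C" {

// Locate the loaded module whose base DLL name equals |name|
// (case-insensitive) and report its address range as [*lower, *upper).
//
// The loader list is read straight from the PEB (fs:[0x30] -> Ldr at +0xc
// -> InLoadOrderModuleList.Flink at +0xc), so this only works for 32-bit
// code running inside the process being inspected. The walk stops at the
// first entry whose SizeOfImage is 0, or when the list wraps around to the
// first entry.
//
// The upper bound is found by walking committed regions upward from DllBase
// until SizeOfImage bytes are covered or a PAGE_NOACCESS region is hit.
// NOTE: when a PAGE_NOACCESS region is hit, the loader's own
// LDR_DATA_TABLE_ENTRY::SizeOfImage is overwritten with the truncated size —
// a side effect on process-global loader data, kept from the original code.
//
// Returns 1 when the module was found (and *lower/*upper were written),
// 0 otherwise.
int FillRange(LPCWSTR name, DWORD *lower, DWORD *upper)
{
  PLDR_DATA_TABLE_ENTRY it;
  LIST_ENTRY *begin;
  __asm {
    mov eax,fs:[0x30]
    mov eax,[eax+0xc]
    mov eax,[eax+0xc]
    mov it,eax
    mov begin,eax
  }
  while (it->SizeOfImage) {
    // Guard the Buffer pointer so an entry with an empty name cannot crash the walk.
    if (it->BaseDllName.Buffer && ::_wcsicmp(it->BaseDllName.Buffer, name) == 0) {
      *lower = *upper = (DWORD)it->DllBase;
      MEMORY_BASIC_INFORMATION info = {};
      DWORD l, size = 0;
      do {
        // NTSTATUS failure codes have the high bit set; on failure info is
        // not refreshed and RegionSize could stay 0, which would never
        // advance |size| — stop instead of spinning.
        if (NtQueryVirtualMemory(NtCurrentProcess(), (LPVOID)(*upper), MemoryBasicInformation, &info, sizeof(info), &l) < 0)
          break;
        if (info.Protect & PAGE_NOACCESS) {
          it->SizeOfImage = size;  // truncate to the accessible part (mutates loader data)
          break;
        }
        size += info.RegionSize;
        *upper += info.RegionSize;
      } while (size < it->SizeOfImage);
      return 1;
    }
    it = (PLDR_DATA_TABLE_ENTRY)it->InLoadOrderModuleList.Flink;
    // The list head lives inside PEB_LDR_DATA and is not a real entry: once
    // the next link points back at the first entry we have seen every module.
    if (it->InLoadOrderModuleList.Flink == begin)
      break;
  }
  return 0;
}

// Find the first occurrence of |search| (|search_length| bytes) inside the
// |base_length| bytes starting at |base|, using a KMP-style failure table
// that is built on the stack (search_length DWORDs, released before return).
//
// Returns the 0-based offset of the match. When there is no match the result
// is also 0 (edx = search_length-1, minus search_length, plus 1), so a match
// at offset 0 cannot be distinguished from "not found" — callers treat 0 as
// failure. Requires search_length >= 1: with 0 the allocation loop
// (sub eax,1 / jnz alloc) wraps around and pushes until the stack is exhausted.
// The result is left in eax by the final `lea eax,[edx+1]`; there is
// deliberately no C++ return statement.
DWORD SearchPattern(DWORD base, DWORD base_length, LPCVOID search, DWORD search_length) // KMP
{
  __asm {
    mov eax,search_length
alloc:
    push 0
    sub eax,1
    jnz alloc
    mov edi,search
    mov edx,search_length
    mov ecx,1
    xor esi,esi
build_table:
    mov al,byte ptr [edi+esi]
    cmp al,byte ptr [edi+ecx]
    sete al
    test esi,esi
    jz pre
    test al,al
    jnz pre
    mov esi,[esp+esi*4-4]
    jmp build_table
pre:
    test al,al
    jz write_table
    inc esi
write_table:
    mov [esp+ecx*4],esi
    inc ecx
    cmp ecx,edx
    jb build_table
    mov esi,base
    xor edx,edx
    mov ecx,edx
matcher:
    mov al,byte ptr [edi+ecx]
    cmp al,byte ptr [esi+edx]
    sete al
    test ecx,ecx
    jz match
    test al,al
    jnz match
    mov ecx, [esp+ecx*4-4]
    jmp matcher
match:
    test al,al
    jz pre2
    inc ecx
    cmp ecx,search_length
    je finish
pre2:
    inc edx
    cmp edx,base_length // search_length
    jb matcher
    mov edx,search_length
    dec edx
finish:
    mov ecx,search_length
    sub edx,ecx
    lea eax,[edx+1]
    lea ecx,[ecx*4]
    add esp,ecx
  }
}

// Query the memory region containing |mem|. On success the region's base
// address is written to *base and its size to *size (either pointer may be
// NULL); on a failed query neither is written.
//
// Returns 1 when the region is accessible, 0 when it is PAGE_NOACCESS or the
// query failed. The original test was `info.Type & PAGE_NOACCESS`, which is
// always zero (MEMORY_BASIC_INFORMATION::Type holds MEM_IMAGE/MEM_MAPPED/
// MEM_PRIVATE, none of which has bit 0 set), so every address was reported
// as accessible; the check now uses Protect, consistent with FillRange.
DWORD IthGetMemoryRange(LPCVOID mem, DWORD *base, DWORD *size)
{
  DWORD r;
  MEMORY_BASIC_INFORMATION info = {};
  // NTSTATUS failure codes have the high bit set, hence the signed compare.
  if (NtQueryVirtualMemory(NtCurrentProcess(), const_cast<LPVOID>(mem), MemoryBasicInformation, &info, sizeof(info), &r) < 0)
    return 0;
  if (base) *base = (DWORD)info.BaseAddress;
  if (size) *size = info.RegionSize;
  return (info.Protect & PAGE_NOACCESS) == 0;
}

// Query module export table. Return function address if found.
// Similar to GetProcAddress, except the export is selected by comparing
// GetHash(exported name) against |hash| instead of by the name string.
//
// |hModule| is the module's load address (its IMAGE_DOS_HEADER). The image
// is assumed to be mapped and readable; the directory RVAs are not bounds
// checked against the image size.
// Returns 0 when the DOS/NT signatures do not match, the module has no
// export directory (export RVA of 0 — the original code tested
// hModule + rva, which is never 0 for a valid hModule), or no exported name
// hashes to |hash|.
// NOTE(review): the address returned is hModule + AddressOfFunctions[ord]
// with no check for forwarder entries — confirm callers never hit one.
DWORD GetExportAddress(DWORD hModule, DWORD hash)
{
  IMAGE_DOS_HEADER *DosHdr = (IMAGE_DOS_HEADER *)hModule;
  if (IMAGE_DOS_SIGNATURE != DosHdr->e_magic)
    return 0;
  IMAGE_NT_HEADERS *NtHdr = (IMAGE_NT_HEADERS *)(hModule + DosHdr->e_lfanew);
  if (IMAGE_NT_SIGNATURE != NtHdr->Signature)
    return 0;
  DWORD exportRva = NtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
  if (!exportRva) // no export directory
    return 0;
  IMAGE_EXPORT_DIRECTORY *ExtDir = (IMAGE_EXPORT_DIRECTORY *)(hModule + exportRva);
  // Parallel tables: names[i] and ordinals[i] describe the same export,
  // ordinals[i] indexes functions[].
  DWORD *names = (DWORD *)(hModule + (DWORD)ExtDir->AddressOfNames);
  WORD *ordinals = (WORD *)(hModule + (DWORD)ExtDir->AddressOfNameOrdinals);
  DWORD *functions = (DWORD *)(hModule + (DWORD)ExtDir->AddressOfFunctions);
  for (UINT uj = 0; uj < ExtDir->NumberOfNames; uj++) {
    char *pcBuffer = (char *)(hModule + names[uj]);
    if (GetHash(pcBuffer) == hash) {
      WORD wOrd = ordinals[uj];
      return hModule + functions[wOrd];
    }
  }
  return 0;
}

} // extern "C"

// EOF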