

fixed (maybe) pt.2: redeclaration error in nt.hpp
hideckies committed May 27, 2024
1 parent fc8872e commit 82c350c
Showing 9 changed files with 1,685 additions and 1,680 deletions.
3,193 changes: 1,599 additions & 1,594 deletions payload/win/implant/include/core/nt.hpp


46 changes: 23 additions & 23 deletions payload/win/implant/include/core/procs.hpp
Expand Up @@ -207,77 +207,77 @@ namespace Procs
// **NATIVE APIs**

// LdrLoadDll
typedef NTSTATUS (NTAPI* LPPROC_LDRLOADDLL)(PWSTR DllPath, PULONG DllCharacteristics, PUNICODE_STRING DllName, PVOID *DllHandle);
typedef NTSTATUS (NTAPI* LPPROC_LDRLOADDLL)(PWSTR DllPath, PULONG DllCharacteristics, Nt::PUNICODE_STRING DllName, PVOID *DllHandle);
// NtAdjustPrivilegesToken
typedef NTSTATUS (NTAPI* LPPROC_NTADJUSTPRIVILEGESTOKEN)(HANDLE TokenHandle, BOOLEAN DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, ULONG BufferLength, PTOKEN_PRIVILEGES PreviousState, PULONG ReturnLength);
// NtAllocateVirtualMemory
typedef NTSTATUS (NTAPI* LPPROC_NTALLOCATEVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
// NtClose
typedef NTSTATUS (NTAPI* LPPROC_NTCLOSE)(HANDLE Handle);
// NtCreateFile
typedef NTSTATUS (NTAPI* LPPROC_NTCREATEFILE)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
typedef NTSTATUS (NTAPI* LPPROC_NTCREATEFILE)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, Nt::POBJECT_ATTRIBUTES ObjectAttributes, Nt::PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
// NtCreateNamedPipeFile
typedef NTSTATUS (NTAPI* LPPROC_NTCREATENAMEDPIPEFILE)(PHANDLE FileHandle, ULONG DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, ULONG NamedPipeType, ULONG ReadMode, ULONG CompletionMode, ULONG MaximumInstances, ULONG InboundQuota, ULONG OutboundQuota, PLARGE_INTEGER DefaultTimeout);
typedef NTSTATUS (NTAPI* LPPROC_NTCREATENAMEDPIPEFILE)(PHANDLE FileHandle, ULONG DesiredAccess, Nt::POBJECT_ATTRIBUTES ObjectAttributes, Nt::PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, ULONG NamedPipeType, ULONG ReadMode, ULONG CompletionMode, ULONG MaximumInstances, ULONG InboundQuota, ULONG OutboundQuota, PLARGE_INTEGER DefaultTimeout);
// NtCreateProcessEx
typedef NTSTATUS (NTAPI* LPPROC_NTCREATEPROCESSEX)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ParentProcess, ULONG Flags, HANDLE SectionHandle, HANDLE DebugPort, HANDLE TokenHandle, ULONG Reserved);
typedef NTSTATUS (NTAPI* LPPROC_NTCREATEPROCESSEX)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, Nt::POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ParentProcess, ULONG Flags, HANDLE SectionHandle, HANDLE DebugPort, HANDLE TokenHandle, ULONG Reserved);
// NtCreateThreadEx
typedef NTSTATUS (NTAPI* LPPROC_NTCREATETHREADEX)(PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE StartRoutine, PVOID Argument, ULONG CreateFlags, SIZE_T ZeroBits, SIZE_T StackSize, SIZE_T MaximumStackSize, PPS_ATTRIBUTE_LIST AttributeList);
typedef NTSTATUS (NTAPI* LPPROC_NTCREATETHREADEX)(PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, Nt::POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE StartRoutine, PVOID Argument, ULONG CreateFlags, SIZE_T ZeroBits, SIZE_T StackSize, SIZE_T MaximumStackSize, Nt::PPS_ATTRIBUTE_LIST AttributeList);
// NtDeleteFile
typedef NTSTATUS (NTAPI* LPPROC_NTDELETEFILE)(POBJECT_ATTRIBUTES ObjectAttributes);
typedef NTSTATUS (NTAPI* LPPROC_NTDELETEFILE)(Nt::POBJECT_ATTRIBUTES ObjectAttributes);
// NtDuplicateObject
typedef NTSTATUS (NTAPI* LPPROC_NTDUPLICATEOBJECT)(HANDLE SourceProcessHandle, HANDLE SourceHandle, HANDLE TargetProcessHandle, PHANDLE TargetHandle, ACCESS_MASK DesiredAccess, ULONG HandleAttributes, ULONG Options);
// NtGetContextThread
typedef NTSTATUS (NTAPI* LPPROC_NTGETCONTEXTTHREAD)(HANDLE ThreadHandle, PCONTEXT ThreadContext);
// NtEnumerateValueKey
typedef NTSTATUS (NTAPI* LPPROC_NTENUMERATEVALUEKEY)(HANDLE KeyHandle, ULONG Index, KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength);
typedef NTSTATUS (NTAPI* LPPROC_NTENUMERATEVALUEKEY)(HANDLE KeyHandle, ULONG Index, Nt::KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, PVOID KeyValueInformation, ULONG Length, PULONG ResultLength);
// NtFlushInstructionCache
typedef NTSTATUS (NTAPI* LPPROC_NTFLUSHINSTRUCTIONCACHE)(HANDLE ProcessHandle, PVOID BaseAddress, SIZE_T Length);
// NtFreeVirtualMemory
typedef NTSTATUS (NTAPI* LPPROC_NTFREEVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID* BaseAddress, PSIZE_T RegionSize, ULONG FreeType);
// NtOpenFile
typedef NTSTATUS (NTAPI* LPPROC_NTOPENFILE)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);
typedef NTSTATUS (NTAPI* LPPROC_NTOPENFILE)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, Nt::POBJECT_ATTRIBUTES ObjectAttributes, Nt::PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);
// NtOpenProcess
typedef NTSTATUS (NTAPI* LPPROC_NTOPENPROCESS)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
typedef NTSTATUS (NTAPI* LPPROC_NTOPENPROCESS)(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, Nt::POBJECT_ATTRIBUTES ObjectAttributes, Nt::PCLIENT_ID ClientId);
// NtOpenProcessToken
typedef NTSTATUS (NTAPI* LPPROC_NTOPENPROCESSTOKEN)(HANDLE ProcessHandle, ACCESS_MASK DesiredAccess, PHANDLE TokenHandle);
// NtOpenKeyEx
typedef NTSTATUS (NTAPI* LPPROC_NTOPENKEYEX)(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG OpenOptions);
typedef NTSTATUS (NTAPI* LPPROC_NTOPENKEYEX)(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, Nt::POBJECT_ATTRIBUTES ObjectAttributes, ULONG OpenOptions);
// NtPrivilegeCheck
typedef NTSTATUS (NTAPI* LPPROC_NTPRIVILEGECHECK)(HANDLE ClientToken, PPRIVILEGE_SET RequiredPrivileges, PBOOLEAN Result);
// NtProtectVirtualMemory
typedef NTSTATUS (NTAPI* LPPROC_NTPROTECTVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID *BaseAddress, PSIZE_T RegionSize, ULONG NewProtect, PULONG OldProtect);
// NtQueryInformationFile
typedef NTSTATUS (NTAPI* LPPROC_NTQUERYINFORMATIONFILE)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);
typedef NTSTATUS (NTAPI* LPPROC_NTQUERYINFORMATIONFILE)(HANDLE FileHandle, Nt::PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, Nt::FILE_INFORMATION_CLASS FileInformationClass);
// NtQueryInformationProcess
typedef NTSTATUS (NTAPI* LPPROC_NTQUERYINFORMATIONPROCESS)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
typedef NTSTATUS (NTAPI* LPPROC_NTQUERYINFORMATIONPROCESS)(HANDLE ProcessHandle, Nt::PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
// NtQueryInformationToken
typedef NTSTATUS (NTAPI* LPPROC_NTQUERYINFORMATIONTOKEN)(HANDLE HandleToken, TOKEN_INFORMATION_CLASS TokenInformationClass, PVOID TokenInformation, ULONG TokenInformationLength, PULONG ReturnLength);
// NtQueryKey
typedef NTSTATUS (NTAPI* LPPROC_NTQUERYKEY)(HANDLE KeyHandle, KEY_INFORMATION_CLASS KeyInformationClass, PVOID KeyInformation, ULONG Length, PULONG ResultLength);
typedef NTSTATUS (NTAPI* LPPROC_NTQUERYKEY)(HANDLE KeyHandle, Nt::KEY_INFORMATION_CLASS KeyInformationClass, PVOID KeyInformation, ULONG Length, PULONG ResultLength);
// NtQuerySystemInformation
typedef NTSTATUS (NTAPI* LPPROC_NTQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
typedef NTSTATUS (NTAPI* LPPROC_NTQUERYSYSTEMINFORMATION)(Nt::SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
// NtReadFile
typedef NTSTATUS (NTAPI* LPPROC_NTREADFILE)(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key);
typedef NTSTATUS (NTAPI* LPPROC_NTREADFILE)(HANDLE FileHandle, HANDLE Event, Nt::PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, Nt::PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key);
// NtReadVirtualMemory
typedef NTSTATUS (NTAPI* LPPROC_NTREADVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T BufferSize, PSIZE_T NumberOfBytesRead);
// NtResumeThread
typedef NTSTATUS (NTAPI* LPPROC_NTRESUMETHREAD)(HANDLE ThreadHandle, PULONG PreviousSuspendCount);
// NtSetContextThread
typedef NTSTATUS (NTAPI* LPPROC_NTSETCONTEXTTHREAD)(HANDLE ThreadHandle, PCONTEXT ThreadContext);
// NtSetInformationFile
typedef NTSTATUS (NTAPI* LPPROC_NTSETINFORMATIONFILE)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);
typedef NTSTATUS (NTAPI* LPPROC_NTSETINFORMATIONFILE)(HANDLE FileHandle, Nt::PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, Nt::FILE_INFORMATION_CLASS FileInformationClass);
// NtSetInformationProcess
typedef NTSTATUS (NTAPI* LPPROC_NTSETINFORMATIONPROCESS)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength);
typedef NTSTATUS (NTAPI* LPPROC_NTSETINFORMATIONPROCESS)(HANDLE ProcessHandle, Nt::PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength);
// NtSystemDebugControl
typedef NTSTATUS (NTAPI* LPPROC_NTSYSTEMDEBUGCONTROL)(SYSDBG_COMMAND Command, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength, PULONG ReturnLength);
typedef NTSTATUS (NTAPI* LPPROC_NTSYSTEMDEBUGCONTROL)(Nt::SYSDBG_COMMAND Command, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength, PULONG ReturnLength);
// NtTerminateProcess
typedef NTSTATUS (NTAPI* LPPROC_NTTERMINATEPROCESS)(HANDLE ProcessHandle, NTSTATUS ExitStatus);
// NtUnmapViewOfSection
typedef NTSTATUS (NTAPI* LPPROC_NTUNMAPVIEWOFSECTION)(HANDLE ProcessHandle, PVOID BaseAddress);
// NtWaitForSingleObject
typedef NTSTATUS (NTAPI* LPPROC_NTWAITFORSINGLEOBJECT)(HANDLE Handle, BOOLEAN Alertable, PLARGE_INTEGER Timeout);
// NtWriteFile
typedef NTSTATUS (NTAPI* LPPROC_NTWRITEFILE)(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key);
typedef NTSTATUS (NTAPI* LPPROC_NTWRITEFILE)(HANDLE FileHandle, HANDLE Event, Nt::PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, Nt::PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key);
// NtWriteVirtualMemory
typedef NTSTATUS (NTAPI* LPPROC_NTWRITEVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);
// RtlAllocateHeap
Expand All @@ -289,11 +289,11 @@ namespace Procs
// RtlGetFullPathName_U
typedef NTSTATUS (NTAPI* LPPROC_RTLGETFULLPATHNAME_U)(PCWSTR FileName, ULONG BufferLength, PWSTR Buffer, PWSTR *FilePart);
// RtlInitUnicodeString
typedef NTSTATUS (NTAPI* LPPROC_RTLINITUNICODESTRING)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
typedef NTSTATUS (NTAPI* LPPROC_RTLINITUNICODESTRING)(Nt::PUNICODE_STRING DestinationString, PCWSTR SourceString);
// RtlQuerySystemInformation
typedef NTSTATUS (NTAPI* LPPROC_RTLQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
typedef NTSTATUS (NTAPI* LPPROC_RTLQUERYSYSTEMINFORMATION)(Nt::SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
// RtlSetCurrentDirectory_U
typedef NTSTATUS (NTAPI* LPPROC_RTLSETCURRENTDIRECTORY_U)(PUNICODE_STRING PathName);
typedef NTSTATUS (NTAPI* LPPROC_RTLSETCURRENTDIRECTORY_U)(Nt::PUNICODE_STRING PathName);
// RtlStringCchCatW
typedef NTSTATUS (NTAPI* LPPROC_RTLSTRINGCCHCATW)(LPWSTR pszDest, SIZE_T cchDest, LPCWSTR pszSrc);
// RtlStringCchCopyW
Expand Down Expand Up @@ -484,7 +484,7 @@ namespace Procs
// RtlCopyMemory
typedef VOID (WINAPI* LPPROC_RTLCOPYMEMORY)(void* Destination, const void* Source, size_t Length);
// SetFileInformationByHandle
typedef BOOL (WINAPI* LPPROC_SETFILEINFORMATIONBYHANDLE)(HANDLE hFile, FILE_INFO_BY_HANDLE_CLASS FileInformationClass, LPVOID lpFileInformation, DWORD dwBufferSize);
typedef BOOL (WINAPI* LPPROC_SETFILEINFORMATIONBYHANDLE)(HANDLE hFile, Nt::FILE_INFO_BY_HANDLE_CLASS FileInformationClass, LPVOID lpFileInformation, DWORD dwBufferSize);
// SetHandleInformation
typedef BOOL (WINAPI* LPPROC_SETHANDLEINFORMATION)(HANDLE hObject, DWORD dwMask, DWORD dwFlags);
// SetThreadContext
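Review bot: `LPPROC_SETFILEINFORMATIONBYHANDLE` in the third hunk now takes `Nt::FILE_INFO_BY_HANDLE_CLASS`, yet SetFileInformationByHandle is a documented Win32 API whose parameter is the SDK enum `FILE_INFO_BY_HANDLE_CLASS` from the Windows headers, unlike the undocumented NT types the rest of the commit qualifies. If nt.hpp now carries its own copy of that enum, it has to stay identical to the SDK's or values passed through this pointer silently diverge; keeping the SDK type on that line, or adding a `static_assert` comparing a few enumerators of the two enums, would pin that down. As a point of style, the `typedef NTSTATUS (NTAPI* LPPROC_X)(...)` lines touched here read more naturally in C++ as `using LPPROC_X = NTSTATUS (NTAPI*)(...);`, which puts the alias name first and is easier to grep. The `Procs` namespace these hunks sit in starts and ends outside the shown lines.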
6 changes: 3 additions & 3 deletions payload/win/implant/include/core/state.hpp
Expand Up @@ -19,12 +19,12 @@ namespace State
{
struct STATE
{
// Thread environment block
Nt::PTEB pTeb;

// Crypto
Crypt::PCRYPT pCrypt;

// Thread environment block
PTEB pTeb;

// Module handlers
Modules::PMODULES pModules;

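Review bot: Moving `pTeb` from after `pCrypt` to the head of `STATE` changes the struct's member order, which is unrelated to the `Nt::PTEB` qualification the commit is about. If `STATE` is ever aggregate-initialized positionally, the initializers now land in different fields, so either keep the member where it was (`Nt::PTEB pTeb;` replacing the old `PTEB pTeb;` line) or say in the commit why the order matters. The remaining members of `STATE` continue outside the hunk.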
12 changes: 6 additions & 6 deletions payload/win/implant/src/core/modules.cpp
Expand Up @@ -39,13 +39,13 @@ namespace Modules

PVOID GetModuleByHash(DWORD dwHash)
{
PTEB pTeb = NtCurrentTeb();
Nt::PTEB pTeb = (Nt::PTEB)NtCurrentTeb();
// PPEB pPeb = (PPEB)PPEB_PTR;
PPEB pPeb = pTeb->ProcessEnvironmentBlock;
PPEB_LDR_DATA pLdr = (PPEB_LDR_DATA)pPeb->Ldr;
Nt::PPEB pPeb = (Nt::PPEB)pTeb->ProcessEnvironmentBlock;
Nt::PPEB_LDR_DATA pLdr = (Nt::PPEB_LDR_DATA)pPeb->Ldr;

// Get the first entry
PLDR_DATA_TABLE_ENTRY pDte = (PLDR_DATA_TABLE_ENTRY)pLdr->InLoadOrderModuleList.Flink;
Nt::PLDR_DATA_TABLE_ENTRY pDte = (Nt::PLDR_DATA_TABLE_ENTRY)pLdr->InLoadOrderModuleList.Flink;

while (pDte)
{
Expand All @@ -55,7 +55,7 @@ namespace Modules
}

// Get the next entry
pDte = *(PLDR_DATA_TABLE_ENTRY*)(pDte);
pDte = *(Nt::PLDR_DATA_TABLE_ENTRY*)(pDte);
}

return nullptr;
Expand All @@ -72,7 +72,7 @@ namespace Modules
for (wStr2 = lpcDllName; *wStr2; ++wStr2);
USHORT uDllNameLen = (wStr2 - lpcDllName) * sizeof(WCHAR);

UNICODE_STRING usDllName = {0};
Nt::UNICODE_STRING usDllName = {0};
usDllName.Buffer = lpDllName;
usDllName.Length = uDllNameLen;
usDllName.MaximumLength = uDllNameLen + sizeof(WCHAR);
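Review bot: The casts added in `GetModuleByHash` (`(Nt::PTEB)NtCurrentTeb()`, `(Nt::PPEB)pTeb->ProcessEnvironmentBlock`, `(Nt::PPEB_LDR_DATA)pPeb->Ldr`, `(Nt::PLDR_DATA_TABLE_ENTRY)pLdr->InLoadOrderModuleList.Flink`) are C-style casts in a .cpp file; `reinterpret_cast<Nt::PTEB>(NtCurrentTeb())` and the like make the pointer reinterpretation explicit and greppable. The commented-out `// PPEB pPeb = (PPEB)PPEB_PTR;` kept above them still names the old unqualified type and is dead code, so it should be dropped rather than left to mislead the next reader. In the second hunk, `pDte = *(Nt::PLDR_DATA_TABLE_ENTRY*)(pDte);` relies on the list link being the first member of the entry; a one-line comment stating that assumption would document it. The loop body of `GetModuleByHash` continues outside the first hunk.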

