CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
/*
2
 * This code is provided under the 3-clause BSD license below.
3
 * ***********************************************************
4
 *
5
 * Copyright (c) 2013, Matthew Graeber
6
 * All rights reserved.
7
 *
8
 * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
9
 *
10
 *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
11
 *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
12
 *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
13
 *
14
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
15
*/
16

17
#ifndef _PAYLOAD_UTIL
18
#define _PAYLOAD_UTIL
19

20
#include <windows.h>
21
#include <winternl.h>
22

23
typedef HMODULE (WINAPI *FuncLoadLibraryA) (
24
	LPTSTR lpFileName
25
);
26

27
// This compiles to a ROR instruction
28
// This is needed because _lrotr() is an external reference
29
// Also, there is not a consistent compiler intrinsic to accomplish this across all three platforms.
30
#define ROTR32(value, shift)	(((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))
31

32
// Redefine PEB structures. The structure definitions in winternl.h are incomplete.
33
typedef struct _MY_PEB_LDR_DATA {
34
  ULONG Length;
35
	BOOL Initialized;
36
	PVOID SsHandle;
37
	LIST_ENTRY InLoadOrderModuleList;
38
  LIST_ENTRY InMemoryOrderModuleList;
39
	LIST_ENTRY InInitializationOrderModuleList;
40
} MY_PEB_LDR_DATA, *PMY_PEB_LDR_DATA;
41

42
typedef struct _MY_LDR_DATA_TABLE_ENTRY
43
{
44
	LIST_ENTRY InLoadOrderLinks;
45
	LIST_ENTRY InMemoryOrderLinks;
46
	LIST_ENTRY InInitializationOrderLinks;
47
	PVOID DllBase;
48
	PVOID EntryPoint;
49
	ULONG SizeOfImage;
50
	UNICODE_STRING FullDllName;
51
	UNICODE_STRING BaseDllName;
52
} MY_LDR_DATA_TABLE_ENTRY, *PMY_LDR_DATA_TABLE_ENTRY;
53

54
HMODULE GetProcAddressWithHash( _In_ DWORD dwModuleFunctionHash )
55
{
56
	PPEB PebAddress;
57
	PMY_PEB_LDR_DATA pLdr;
58
	PMY_LDR_DATA_TABLE_ENTRY pDataTableEntry;
59
	PVOID pModuleBase;
60
	PIMAGE_NT_HEADERS pNTHeader;
61
	DWORD dwExportDirRVA;
62
	PIMAGE_EXPORT_DIRECTORY pExportDir;
63
	PLIST_ENTRY pNextModule;
64
	DWORD dwNumFunctions;
65
	USHORT usOrdinalTableIndex;
66
	PDWORD pdwFunctionNameBase;
67
	PCSTR pFunctionName;
68
	UNICODE_STRING BaseDllName;
69
	DWORD dwModuleHash;
70
	DWORD dwFunctionHash;
71
	PCSTR pTempChar;
72
	DWORD i;
73

74
#if defined(_WIN64)
75
	PebAddress = (PPEB) __readgsqword( 0x60 );
76
#else
77
	PebAddress = (PPEB) __readfsdword( 0x30 );
78
#endif
79

80
	pLdr = (PMY_PEB_LDR_DATA) PebAddress->Ldr;
81
	pNextModule = pLdr->InLoadOrderModuleList.Flink;
82
	pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pNextModule;
83

84
	while (pDataTableEntry->DllBase != NULL)
85
	{
86
		dwModuleHash = 0;
87
		pModuleBase = pDataTableEntry->DllBase;
88
		BaseDllName = pDataTableEntry->BaseDllName;
89
		pNTHeader = (PIMAGE_NT_HEADERS) ((ULONG_PTR) pModuleBase + ((PIMAGE_DOS_HEADER) pModuleBase)->e_lfanew);
90
		dwExportDirRVA = pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress;
91

92
		// Get the next loaded module entry
93
		pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pDataTableEntry->InLoadOrderLinks.Flink;
94

95
		// If the current module does not export any functions, move on to the next module.
96
		if (dwExportDirRVA == 0)
97
		{
98
			continue;
99
		}
100

101
		// Calculate the module hash
102
		for (i = 0; i < BaseDllName.MaximumLength; i++)
103
		{
104
			pTempChar = ((PCSTR) BaseDllName.Buffer + i);
105

106
			dwModuleHash = ROTR32( dwModuleHash, 13 );
107

108
			if ( *pTempChar >= 0x61 )
109
			{
110
				dwModuleHash += *pTempChar - 0x20;
111
			}
112
			else
113
			{
114
				dwModuleHash += *pTempChar;
115
			}
116
		}
117

118
		pExportDir = (PIMAGE_EXPORT_DIRECTORY) ((ULONG_PTR) pModuleBase + dwExportDirRVA);
119

120
		dwNumFunctions = pExportDir->NumberOfNames;
121
		pdwFunctionNameBase = (PDWORD) ((PCHAR) pModuleBase + pExportDir->AddressOfNames);
122

123
		for (i = 0; i < dwNumFunctions; i++)
124
		{
125
			dwFunctionHash = 0;
126
			pFunctionName = (PCSTR) (*pdwFunctionNameBase + (ULONG_PTR) pModuleBase);
127
			pdwFunctionNameBase++;
128

129
			pTempChar = pFunctionName;
130

131
			do
132
			{
133
				dwFunctionHash = ROTR32( dwFunctionHash, 13 );
134
				dwFunctionHash += *pTempChar;
135
				pTempChar++;
136
			} while (*(pTempChar - 1) != 0);
137

138
			dwFunctionHash += dwModuleHash;
139

140
			if (dwFunctionHash == dwModuleFunctionHash)
141
			{
142
				usOrdinalTableIndex = *(PUSHORT)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfNameOrdinals) + (2 * i));
143
				return (HMODULE) ((ULONG_PTR) pModuleBase + *(PDWORD)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfFunctions) + (4 * usOrdinalTableIndex)));
144
			}
145
		}
146
	}
147

148
	// All modules have been exhausted and the function was not found.
149
	return NULL;
150
}
151

152
#endif
153

154