GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2015-2426/dll/src/ReflectiveLoader.h
//===============================================================================================//
// Copyright (c) 2013, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
// NOTE(review): an identifier starting with an underscore followed by an uppercase letter is
// reserved for the implementation in C. Renaming the guard would be cleaner, but is only safe if
// no other translation unit tests this macro.
//===============================================================================================//
// WIN32_LEAN_AND_MEAN must be defined before <windows.h> is included: it keeps windows.h from
// pulling in the legacy winsock.h, which would clash with the <Winsock2.h> include below.
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Winsock2.h>
#include <intrin.h>

#include "ReflectiveDLLInjection.h"

// Enable this define to turn on OutputDebugString support
//#define ENABLE_OUTPUTDEBUGSTRING 1

// Enable this define to turn on locking of memory to prevent paging
#define ENABLE_STOPPAGING 1

// Exit-technique selectors. The numeric values are opaque identifiers; they are presumably matched
// against a value supplied by whatever invokes the loader, so keep them in sync with that side and
// do not renumber them.
#define EXITFUNC_SEH 0xEA320EFE
#define EXITFUNC_THREAD 0x0A2A1DE0
#define EXITFUNC_PROCESS 0x56A2B5F0

// Signatures of the APIs the loader resolves at run time by hash (see the *_HASH constants below)
// rather than through the import table.
typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
// NtFlushInstructionCache actually returns NTSTATUS (a LONG); DWORD has the same width, so the
// mismatch is harmless for a value that is only ever discarded.
typedef DWORD (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );

// Module name hashes. NOTE(review): these are presumably computed over the module's base name by
// the loader's own routine in the .c file rather than by _hash() below — confirm the exact input
// (case, encoding) before regenerating them.
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D

// Export name hashes, expected to equal _hash() (defined below, with HASH_KEY) applied to the ASCII
// export name. They must be regenerated if HASH_KEY or the _hash() loop ever changes.
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8

#ifdef ENABLE_STOPPAGING
// NOTE(review): VirtualLock returns BOOL, not LPVOID. The declared return type is wrong; it is
// harmless only while every caller ignores the result.
typedef LPVOID (WINAPI * VIRTUALLOCK)( LPVOID, SIZE_T );
#define VIRTUALLOCK_HASH 0x0EF632F2
#endif

#ifdef ENABLE_OUTPUTDEBUGSTRING
// NOTE(review): OutputDebugStringA returns VOID, so as above the LPVOID return type is wrong and
// only harmless while no caller uses the result.
typedef LPVOID (WINAPI * OUTPUTDEBUG)( LPCSTR );
#define OUTPUTDEBUG_HASH 0x470D22BC
#endif

// Base relocation types for ARM MOVW/MOVT immediate pairs. The values match winnt.h's
// IMAGE_REL_BASED_ARM_MOV32 (5) and IMAGE_REL_BASED_THUMB_MOV32 (7); they are presumably defined
// locally because older SDK headers do not provide them.
#define IMAGE_REL_BASED_ARM_MOV32A 5
#define IMAGE_REL_BASED_ARM_MOV32T 7

// Bit masks and opcode patterns for the MOVW/MOVT instructions those relocation types patch. The
// patching code itself lives in the loader source, not in this header.
#define ARM_MOV_MASK (DWORD)(0xFBF08000)
#define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
#define ARM_MOVW 0xF2400000
#define ARM_MOVT 0xF2C00000

// Rotate count used by ror()/_hash() below; the *_HASH constants above were generated with it.
#define HASH_KEY 13
//===============================================================================================//
#pragma intrinsic( _rotr )

// Rotates d right by HASH_KEY bits; this is the mixing step of _hash() below.
// The #pragma intrinsic above asks the compiler to expand _rotr inline rather than emit a
// library call.
//
// d: value to rotate.
// Returns d rotated right by HASH_KEY bit positions.
__forceinline DWORD ror( DWORD d )
{
	const DWORD rotated = _rotr( d, HASH_KEY );
	return rotated;
}
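// Computes the rotate-and-add hash used to match export names against the *_HASH constants above.
//
// Each byte of the NUL-terminated string is folded in as h = ror( h ) + byte, so the precomputed
// constants must be regenerated if HASH_KEY or this loop changes.
//
// c: NUL-terminated string to hash. Accepted as const; existing callers passing char * still work.
// Returns the 32-bit hash, or 0 for an empty string.
//
// NOTE(review): *c is a plain char, so on targets where char is signed any byte >= 0x80 is
// sign-extended before the add, and hashes of non-ASCII names differ between signed-char and
// unsigned-char architectures. Export names are ASCII, so the constants above are unaffected.
// NOTE(review): the name _hash is reserved at file scope (leading underscore); it is kept because
// callers depend on it.
__forceinline DWORD _hash( const char * c )
{
	DWORD h = 0;

	// A while loop rather than the original do/while: an empty string no longer reads past its
	// terminator, and a non-empty string is folded byte for byte exactly as before.
	while( *c )
	{
		h = ror( h );
		h += *c;
		c++;
	}

	return h;
}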
//===============================================================================================//
// Minimal mirror of ntdll's UNICODE_STRING, used for the name fields of the loader structures
// below. Length and MaximumLength count bytes, not wide characters, and pBuffer is not guaranteed
// to be NUL-terminated — always bound reads by Length.
typedef struct _UNICODE_STR
{
	USHORT Length;          // bytes in use at pBuffer
	USHORT MaximumLength;   // bytes allocated at pBuffer
	PWSTR pBuffer;          // UTF-16 text, not necessarily NUL-terminated
} UNICODE_STR, *PUNICODE_STR;
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//
// Partial mirror of the loader's per-module record. It deliberately starts at
// InMemoryOrderModuleList: the loader reaches entries through PPEB_LDR_DATA->InMemoryOrderModuleList,
// so a link taken from that list points directly at this struct's first member and the leading
// InLoadOrderLinks of the real structure is omitted (see the comment on the first field). The field
// order and types must stay byte-for-byte compatible with the OS layout; do not reorder or insert
// members.
//__declspec( align(8) )
typedef struct _LDR_DATA_TABLE_ENTRY
{
	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
	PVOID DllBase;                 // load address of the module
	PVOID EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STR FullDllName;       // full path; Length is in bytes
	UNICODE_STR BaseDllName;       // file name only; Length is in bytes
	ULONG Flags;
	SHORT LoadCount;
	SHORT TlsIndex;
	LIST_ENTRY HashTableEntry;
	ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
//
// Mirror of the PEB's loader data block, reached through _PEB.pLdr. The loader structures above
// are found by walking InMemoryOrderModuleList. The 0x28-byte size in the original comment is the
// 32-bit layout (three 8-byte LIST_ENTRYs plus four 4-byte members); with 8-byte pointers the
// structure is larger, but the member order is the same.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
	DWORD dwLength;
	DWORD dwInitialized;
	LPVOID lpSsHandle;
	LIST_ENTRY InLoadOrderModuleList;
	LIST_ENTRY InMemoryOrderModuleList;             // list of LDR_DATA_TABLE_ENTRY (as declared above)
	LIST_ENTRY InInitializationOrderModuleList;
	LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
//
// Singly linked free-block record referenced from _PEB.pFreeList. Declared only so the PEB mirror
// below has a concrete pointer type for that member; the 0x8-byte size is the 32-bit layout.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
	struct _PEB_FREE_BLOCK * pNext;
	DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
//
// Local mirror of the Process Environment Block. The 0x210-byte size in the original comment is
// the 32-bit layout: several members typed DWORD here are pointer-sized in the 64-bit PEB, so only
// the offsets of the leading members (up to and including pLdr) can be trusted on both
// architectures. NOTE(review): confirm which members the loader actually reads before relying on
// any offset past pLdr.
// NOTE(review): the typedef names _PEB and _PPEB are reserved identifiers (leading underscore plus
// uppercase letter); they are kept because callers reference them.
typedef struct __PEB // 65 elements, 0x210 bytes
{
	BYTE bInheritedAddressSpace;
	BYTE bReadImageFileExecOptions;
	BYTE bBeingDebugged;                    // non-zero while a debugger is attached
	BYTE bSpareBool;
	LPVOID lpMutant;
	LPVOID lpImageBaseAddress;              // base address of the process's main executable
	PPEB_LDR_DATA pLdr;                     // loader data; holds the module lists walked above
	LPVOID lpProcessParameters;
	LPVOID lpSubSystemData;
	LPVOID lpProcessHeap;
	PRTL_CRITICAL_SECTION pFastPebLock;
	LPVOID lpFastPebLockRoutine;
	LPVOID lpFastPebUnlockRoutine;
	DWORD dwEnvironmentUpdateCount;
	LPVOID lpKernelCallbackTable;
	DWORD dwSystemReserved;
	DWORD dwAtlThunkSListPtr32;
	PPEB_FREE_BLOCK pFreeList;
	DWORD dwTlsExpansionCounter;
	LPVOID lpTlsBitmap;
	DWORD dwTlsBitmapBits[2];
	LPVOID lpReadOnlySharedMemoryBase;
	LPVOID lpReadOnlySharedMemoryHeap;
	LPVOID lpReadOnlyStaticServerData;
	LPVOID lpAnsiCodePageData;
	LPVOID lpOemCodePageData;
	LPVOID lpUnicodeCaseTableData;
	DWORD dwNumberOfProcessors;
	DWORD dwNtGlobalFlag;
	LARGE_INTEGER liCriticalSectionTimeout;
	DWORD dwHeapSegmentReserve;
	DWORD dwHeapSegmentCommit;
	DWORD dwHeapDeCommitTotalFreeThreshold;
	DWORD dwHeapDeCommitFreeBlockThreshold;
	DWORD dwNumberOfHeaps;
	DWORD dwMaximumNumberOfHeaps;
	LPVOID lpProcessHeaps;
	LPVOID lpGdiSharedHandleTable;
	LPVOID lpProcessStarterHelper;
	DWORD dwGdiDCAttributeList;
	LPVOID lpLoaderLock;
	DWORD dwOSMajorVersion;
	DWORD dwOSMinorVersion;
	WORD wOSBuildNumber;
	WORD wOSCSDVersion;
	DWORD dwOSPlatformId;
	DWORD dwImageSubsystem;
	DWORD dwImageSubsystemMajorVersion;
	DWORD dwImageSubsystemMinorVersion;
	DWORD dwImageProcessAffinityMask;
	DWORD dwGdiHandleBuffer[34];
	LPVOID lpPostProcessInitRoutine;
	LPVOID lpTlsExpansionBitmap;
	DWORD dwTlsExpansionBitmapBits[32];
	DWORD dwSessionId;
	ULARGE_INTEGER liAppCompatFlags;
	ULARGE_INTEGER liAppCompatFlagsUser;
	LPVOID lppShimData;
	LPVOID lpAppCompatInfo;
	UNICODE_STR usCSDVersion;
	LPVOID lpActivationContextData;
	LPVOID lpProcessAssemblyStorageMap;
	LPVOID lpSystemDefaultActivationContextData;
	LPVOID lpSystemAssemblyStorageMap;
	DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;
// One entry of a PE base-relocation block: the low 12 bits are the offset within the block's page
// and the high 4 bits are the IMAGE_REL_BASED_* type (including the ARM MOV32 types defined above).
// This bit-field layout assumes the compiler packs both fields into a single little-endian WORD
// with `offset` in the low bits, which MSVC does; other compilers are not guaranteed to.
typedef struct
{
	WORD offset:12;
	WORD type:4;
} IMAGE_RELOC, *PIMAGE_RELOC;
//===============================================================================================//
#endif
//===============================================================================================//