GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2016-0040/Metasploit/Metasploit.h
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
// NOTE(review): this guard starts with '_' + uppercase, a name space C reserves for the
// implementation, and it reads like the guard of the upstream ReflectiveLoader.h rather
// than this file (Metasploit.h). If both headers end up in one translation unit, the
// second one is silently skipped — confirm that is intended.
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Winsock2.h>
#include <intrin.h>

// Custom DllMain reason code. The documented reasons DLL_PROCESS_DETACH..DLL_THREAD_DETACH
// occupy 0..3, so 6 cannot collide with them; presumably it asks the DLL for its own
// HMODULE — confirm against the DllMain that handles it.
#define DLL_QUERY_HMODULE 6

// Unchecked typed reads: each macro casts an arbitrary address to a pointer of the given
// width and dereferences it. There is no bounds or alignment check and the expansion is
// not wrapped in parentheses, so apply them only to addresses the caller has already
// validated (e.g. derived from a parsed PE header), and parenthesise uses in larger
// expressions.
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)

// Signature of the exported reflective loader entry point, and of a standard DllMain.
typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);

#define DLLEXPORT __declspec( dllexport )

// Function-pointer types for the four imports the loader resolves at run time; the
// *_HASH constants below carry the corresponding module and export names.
typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
typedef DWORD (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );

// Precomputed hashes of the module names the loader looks up in the PEB module list.
// They are presumably generated with the ror()/hash() arithmetic in this file, so
// changing HASH_KEY or the hash routine invalidates every value here.
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D

// Precomputed hashes of the export names resolved from those modules (same caveat).
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8

// PE base-relocation types for ARM MOV32 fix-ups (the A/T suffix follows the ARM/Thumb
// encodings); defined locally, presumably because the SDK headers in use lacked them.
#define IMAGE_REL_BASED_ARM_MOV32A 5
#define IMAGE_REL_BASED_ARM_MOV32T 7

// Instruction masks and MOVW/MOVT opcode patterns used when applying those relocations.
#define ARM_MOV_MASK (DWORD)(0xFBF08000)
#define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
#define ARM_MOVW 0xF2400000
#define ARM_MOVT 0xF2C00000

// Rotate amount for ror(); it is part of the hash definition (see the *_HASH note above).
#define HASH_KEY 13
//===============================================================================================//
// MSVC-specific: request the intrinsic form of _rotr for ror() below.
#pragma intrinsic( _rotr )
// One round of the name hash: rotate the 32-bit accumulator right by HASH_KEY bits.
// Written as an explicit shift/or rotate, which is equivalent to _rotr( d, HASH_KEY )
// for a 32-bit DWORD and 0 <= HASH_KEY < 32, so the body does not depend on the MSVC
// intrinsic itself.
__forceinline DWORD ror( DWORD d )
{
	const DWORD left = ( 32 - HASH_KEY ) & 31;
	return ( d >> HASH_KEY ) | ( d << left );
}
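// Hashes a NUL-terminated ANSI string (an export name): for each byte, rotate the
// accumulator right by HASH_KEY bits (ror) and add the byte. The result is compared
// against the precomputed *_HASH constants, so the arithmetic is deliberately kept as
// it was: each byte is added as a plain `char` (sign-extended on MSVC), exactly as those
// constants were presumably generated.
//
// c: NUL-terminated string; may be empty. Returns 0 for the empty string.
//
// The previous do/while form read one byte past the terminator when *c was already
// NUL (an out-of-bounds read on empty input); the loop below tests the byte before
// consuming it and produces identical values for every non-empty string.
__forceinline DWORD hash( const char * c )
{
	DWORD h = 0;

	while( *c )
	{
		h = ror( h );
		h += *c++;
	}

	return h;
}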
//===============================================================================================//
// Local mirror of the native UNICODE_STRING; used for the name fields of
// LDR_DATA_TABLE_ENTRY and for _PEB.usCSDVersion below. As in the native type, Length and
// MaximumLength are byte counts and pBuffer is not guaranteed to be NUL-terminated, so
// read it bounded by Length rather than with a strlen-style scan.
typedef struct _UNICODE_STR
{
	USHORT Length;
	USHORT MaximumLength;
	PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
// Partial mirror of ntdll!_LDR_DATA_TABLE_ENTRY captured from WinDbg. The leading
// InLoadOrderLinks LIST_ENTRY is deliberately left out, so a Flink taken from
// PEB_LDR_DATA.InMemoryOrderModuleList can be cast straight to PLDR_DATA_TABLE_ENTRY and
// the members below line up from that point. NOTE(review): the layout is OS-version
// specific; confirm member offsets with `dt -v ntdll!_LDR_DATA_TABLE_ENTRY` on the target
// before relying on anything here.
typedef struct _LDR_DATA_TABLE_ENTRY
{
	//LIST_ENTRY InLoadOrderLinks; // Omitted: the search starts from PPEB_LDR_DATA->InMemoryOrderModuleList, so the first link is never used.
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
	PVOID DllBase;       // image base of the loaded module
	PVOID EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STR FullDllName;
	UNICODE_STR BaseDllName; // file name only; what a module-name hash is computed over
	ULONG Flags;
	SHORT LoadCount;
	SHORT TlsIndex;
	LIST_ENTRY HashTableEntry;
	ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
// Mirror of ntdll!_PEB_LDR_DATA captured from WinDbg. The three LIST_ENTRY heads are the
// module lists a loader walks; "0x28 bytes" in the original comment is the 32-bit size —
// with 8-byte LPVOID and 16-byte LIST_ENTRY members the x64 layout is 0x48 bytes.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
	DWORD dwLength;
	DWORD dwInitialized;
	LPVOID lpSsHandle;
	LIST_ENTRY InLoadOrderModuleList;
	LIST_ENTRY InMemoryOrderModuleList;          // list head whose entries map onto LDR_DATA_TABLE_ENTRY above
	LIST_ENTRY InInitializationOrderModuleList;
	LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
// Mirror of ntdll!_PEB_FREE_BLOCK: a singly linked free-list node (next pointer plus
// size). In this header it is only referenced through _PEB.pFreeList.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
	struct _PEB_FREE_BLOCK * pNext;
	DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
// Mirror of ntdll!_PEB captured from WinDbg; the "65 elements, 0x210 bytes" figure is the
// 32-bit layout. NOTE(review): many members are declared DWORD here regardless of bitness,
// so on x64 the offsets drift after the first pointer-sized members. Presumably only the
// leading fields (pLdr in particular) are needed by the loader — confirm with
// `dt -v ntdll!_PEB` on the target before reading anything further down.
// The typedef names _PEB and _PPEB start with '_' + uppercase, which C reserves for the
// implementation; kept as-is for compatibility with existing callers.
typedef struct __PEB // 65 elements, 0x210 bytes
{
	BYTE bInheritedAddressSpace;
	BYTE bReadImageFileExecOptions;
	BYTE bBeingDebugged;                 // set while a debugger is attached
	BYTE bSpareBool;
	LPVOID lpMutant;
	LPVOID lpImageBaseAddress;           // base of the process's main executable
	PPEB_LDR_DATA pLdr;                  // loader data: heads of the module lists (PEB_LDR_DATA)
	LPVOID lpProcessParameters;
	LPVOID lpSubSystemData;
	LPVOID lpProcessHeap;
	PRTL_CRITICAL_SECTION pFastPebLock;
	LPVOID lpFastPebLockRoutine;
	LPVOID lpFastPebUnlockRoutine;
	DWORD dwEnvironmentUpdateCount;
	LPVOID lpKernelCallbackTable;
	DWORD dwSystemReserved;
	DWORD dwAtlThunkSListPtr32;
	PPEB_FREE_BLOCK pFreeList;
	DWORD dwTlsExpansionCounter;
	LPVOID lpTlsBitmap;
	DWORD dwTlsBitmapBits[2];
	LPVOID lpReadOnlySharedMemoryBase;
	LPVOID lpReadOnlySharedMemoryHeap;
	LPVOID lpReadOnlyStaticServerData;
	LPVOID lpAnsiCodePageData;
	LPVOID lpOemCodePageData;
	LPVOID lpUnicodeCaseTableData;
	DWORD dwNumberOfProcessors;
	DWORD dwNtGlobalFlag;
	LARGE_INTEGER liCriticalSectionTimeout;
	DWORD dwHeapSegmentReserve;
	DWORD dwHeapSegmentCommit;
	DWORD dwHeapDeCommitTotalFreeThreshold;
	DWORD dwHeapDeCommitFreeBlockThreshold;
	DWORD dwNumberOfHeaps;
	DWORD dwMaximumNumberOfHeaps;
	LPVOID lpProcessHeaps;
	LPVOID lpGdiSharedHandleTable;
	LPVOID lpProcessStarterHelper;
	DWORD dwGdiDCAttributeList;
	LPVOID lpLoaderLock;
	DWORD dwOSMajorVersion;              // OS version fields as reported to the process
	DWORD dwOSMinorVersion;
	WORD wOSBuildNumber;
	WORD wOSCSDVersion;
	DWORD dwOSPlatformId;
	DWORD dwImageSubsystem;
	DWORD dwImageSubsystemMajorVersion;
	DWORD dwImageSubsystemMinorVersion;
	DWORD dwImageProcessAffinityMask;
	DWORD dwGdiHandleBuffer[34];
	LPVOID lpPostProcessInitRoutine;
	LPVOID lpTlsExpansionBitmap;
	DWORD dwTlsExpansionBitmapBits[32];
	DWORD dwSessionId;
	ULARGE_INTEGER liAppCompatFlags;
	ULARGE_INTEGER liAppCompatFlagsUser;
	LPVOID lppShimData;
	LPVOID lpAppCompatInfo;
	UNICODE_STR usCSDVersion;            // service-pack string (see UNICODE_STR above)
	LPVOID lpActivationContextData;
	LPVOID lpProcessAssemblyStorageMap;
	LPVOID lpSystemDefaultActivationContextData;
	LPVOID lpSystemAssemblyStorageMap;
	DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;
// One 16-bit entry of a PE base-relocation block: the low 12 bits are the offset within
// the 4 KiB page the block covers, the high 4 bits are the IMAGE_REL_BASED_* type.
// NOTE(review): this matches the on-disk format only because MSVC allocates bit-fields
// from the least significant bit; bit-field layout is implementation-defined in C, so
// other compilers are not guaranteed to produce the same mapping.
typedef struct
{
	WORD offset:12;
	WORD type:4;
} IMAGE_RELOC, *PIMAGE_RELOC;
//===============================================================================================//
#endif
//===============================================================================================//