- Moderatör
- #1
aka panic.rs
Kurucu
base source:
Bağlantıları görmek için lütfen
Giriş Yap
C++:
#include <windows.h>
#include <subauth.h>
#include <stdio.h>
#include <locale>
// modified by leftspace
/* Windows structures */
typedef struct _PEB_LDR_DATA {
BYTE Reserved1[8];
PVOID Reserved2[3];
LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
typedef struct _RTL_USER_PROCESS_PARAMETERS {
UCHAR Reserved1[16];
PVOID Reserved2[10];
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union {
LIST_ENTRY HashLinks;
struct
{
PVOID SectionPointer;
ULONG CheckSum;
};
};
union {
ULONG TimeDateStamp;
PVOID LoadedImports;
};
PVOID EntryPointActivationContext;
PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
PVOID PostProcessInitRoutine;
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB, * PPEB;
// MODULE_ENTRY contains basic information about a module
typedef struct _MODULE_ENTRY {
UNICODE_STRING BaseName; // BaseName of the module
UNICODE_STRING FullName; // FullName of the module
ULONG SizeOfImage; // Size in bytes of the module
PVOID BaseAddress; // Base address of the module
PVOID EntryPoint; // Entrypoint of the module
} MODULE_ENTRY, * PMODULE_ENTRY;
// MODULE_INFORMATION_TABLE contains basic information about all the modules of a given process
typedef struct _MODULE_INFORMATION_TABLE {
ULONG Pid; // PID of the process
ULONG ModuleCount; // Modules count for the above pointer
MODULE_ENTRY* Modules; // Pointer to 0...* modules
} MODULE_INFORMATION_TABLE, * PMODULE_INFORMATION_TABLE;
PPEB
GetCurrentPebProcess(
void
) {
PPEB pPeb = reinterpret_cast<PPEB>(__readfsdword(0x30));
return pPeb;
}
PMODULE_INFORMATION_TABLE
CreateModuleInformation(
IN PPEB pPeb
) {
ULONG Count = 0;
ULONG CurCount = 0;
PLIST_ENTRY pEntry = NULL;
PLIST_ENTRY pHeadEntry = NULL;
PPEB_LDR_DATA pLdrData = NULL;
PMODULE_ENTRY CurModule = NULL;
PLDR_DATA_TABLE_ENTRY pLdrEntry = NULL;
PMODULE_INFORMATION_TABLE pModuleInformationTable = NULL;
pLdrData = pPeb->Ldr;
pHeadEntry = &pLdrData->InMemoryOrderModuleList;
// Count user modules : iterate through the entire list
pEntry = pHeadEntry->Flink;
while (pEntry != pHeadEntry) {
Count++;
pEntry = pEntry->Flink;
}
// Allocate a MODULE_INFORMATION_TABLE
if ((pModuleInformationTable = (PMODULE_INFORMATION_TABLE)malloc(sizeof(MODULE_INFORMATION_TABLE))) == NULL) {
printf("Cannot allocate a MODULE_INFORMATION_TABLE.\n");
return NULL;
}
// Allocate the correct amount of memory depending of the modules count
if ((pModuleInformationTable->Modules = (PMODULE_ENTRY)malloc(Count * sizeof(MODULE_ENTRY))) == NULL) {
printf("Cannot allocate a MODULE_INFORMATION_TABLE.\n");
return NULL;
}
// Fill the basic information of MODULE_INFORMATION_TABLE
pModuleInformationTable->ModuleCount = Count;
// Fill all the modules information in the table
pEntry = pHeadEntry->Flink;
while (pEntry != pHeadEntry)
{
// Retrieve the current MODULE_ENTRY
CurModule = &pModuleInformationTable->Modules[CurCount++];
// Retrieve the current LDR_DATA_TABLE_ENTRY
pLdrEntry = CONTAINING_RECORD(pEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderModuleList);
// Fill the MODULE_ENTRY with the LDR_DATA_TABLE_ENTRY information
RtlCopyMemory(&CurModule->BaseName, &pLdrEntry->BaseDllName, sizeof(CurModule->BaseName));
RtlCopyMemory(&CurModule->FullName, &pLdrEntry->FullDllName, sizeof(CurModule->FullName));
RtlCopyMemory(&CurModule->SizeOfImage, &pLdrEntry->SizeOfImage, sizeof(CurModule->SizeOfImage));
RtlCopyMemory(&CurModule->BaseAddress, &pLdrEntry->DllBase, sizeof(CurModule->BaseAddress));
RtlCopyMemory(&CurModule->EntryPoint, &pLdrEntry->EntryPoint, sizeof(CurModule->EntryPoint));
// Iterate to the next entry
pEntry = pEntry->Flink;
}
return pModuleInformationTable;
}
PMODULE_INFORMATION_TABLE
QueryModuleInformationProcess(
void
) {
PPEB pPeb = NULL;
PMODULE_INFORMATION_TABLE pModuleInformationTable = NULL;
// Read the PEB from the current process
if ((pPeb = GetCurrentPebProcess()) == NULL) {
printf("GetPebCurrentProcess failed.\n");
return NULL;
}
// Convert the PEB into a MODULE_INFORMATION_TABLE
if ((pModuleInformationTable = CreateModuleInformation(pPeb)) == NULL) {
printf("CreateModuleInformation failed.");
return NULL;
}
return pModuleInformationTable;
}
/*Extensions*/
std::string w2s(const std::wstring& var)
{
static std::locale loc("");
auto& facet = std::use_facet<std::codecvt<wchar_t, char, std::mbstate_t>>(loc);
return std::wstring_convert<std::remove_reference<decltype(facet)>::type, wchar_t>(&facet).to_bytes(var);
}
std::wstring s2w(const std::string& var)
{
static std::locale loc("");
auto& facet = std::use_facet<std::codecvt<wchar_t, char, std::mbstate_t>>(loc);
return std::wstring_convert<std::remove_reference<decltype(facet)>::type, wchar_t>(&facet).from_bytes(var);
}
MODULE_ENTRY* GetModuleEntryPEB(const char* Module)
{
MODULE_INFORMATION_TABLE* moduleTable = QueryModuleInformationProcess();
if (!moduleTable) {
printf("Module table not found.\n");
return NULL;
}
// Iterate through modules table
size_t moduleIndex;
for (moduleIndex = 0; moduleIndex < moduleTable->ModuleCount; moduleIndex++)
{
MODULE_ENTRY* moduleEntry = &moduleTable->Modules[moduleIndex];
PVOID baseAddress = moduleEntry->BaseAddress;
DWORD sizeOfModule = (DWORD)moduleEntry->SizeOfImage;
if (moduleEntry->BaseName.Length == 0)
continue;
if (Module == NULL)
{
#if DEBUGPEB
printf("%-15S : 0x%08x -> 0x%08x (%S)\n", moduleEntry->BaseName.Buffer, baseAddress, (DWORD)baseAddress + sizeOfModule, moduleEntry->FullName.Buffer);
#endif
return moduleEntry;
}
auto current = w2s(moduleEntry->BaseName.Buffer);
if (current == std::string(Module))
{
#if DEBUGPEB
printf("%-15S : 0x%08x -> 0x%08x (%S)\n", moduleEntry->BaseName.Buffer, baseAddress, (DWORD)baseAddress + sizeOfModule, moduleEntry->FullName.Buffer);
#endif
return moduleEntry;
}
}
return NULL;
}
HMODULE GetModuleHandlePEB(const char* Module)
{
if (auto Entry = GetModuleEntryPEB(Module); Entry)
return (HMODULE)Entry->BaseAddress;
return NULL;
}
SIZE_T GetModuleSizePEB(const char* Module)
{
if (auto Entry = GetModuleEntryPEB(Module); Entry)
return (SIZE_T)Entry->SizeOfImage;
return NULL;
}
/*Extensions*/
