DeclaredFunctions.cpp
#include "DeclaredFunctions.h"
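// Global data (static members of DeclaredFunctions, declared in the header)
//
// AllDeclaredFunctionsNr is the index of the next entry in AllDeclaredFunctions
// that is still waiting for its DLL name (see AddFunctionDLLName). The two
// *ToStack counters track how many DLL bases / function addresses the emitted
// code has pushed so far; the generators use them to compute [esp + N] offsets.
// All four are explicitly zero-initialised so the initial state is visible
// here rather than relying on zero-initialisation of static storage.
size_t DeclaredFunctions::AllDeclaredFunctionsNr = 0;
vector<DeclaredFunctions::DeclaredFunction> DeclaredFunctions::AllDeclaredFunctions;
size_t DeclaredFunctions::NrBasesToStack = 0;
size_t DeclaredFunctions::NrFunctionsToStack = 0;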
// Add function name
//
// Appends a new DeclaredFunction that carries only its Name; the DLL field is
// filled in later by AddFunctionDLLName, which addresses entries by index.
void DeclaredFunctions::AddFunctionName(string p_sFunctionName)
{
    AllDeclaredFunctions.push_back(DeclaredFunction());
    AllDeclaredFunctions.back().Name = p_sFunctionName;
}
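// Add function DLL name
//
// Assigns p_sDLLName to the entry at AllDeclaredFunctionsNr and advances that
// index. The caller is expected to alternate AddFunctionName / AddFunctionDLLName;
// at() is used instead of operator[] so a DLL name arriving without a preceding
// AddFunctionName raises std::out_of_range rather than writing past the end of
// the vector.
void DeclaredFunctions::AddFunctionDLLName(string p_sDLLName)
{
    AllDeclaredFunctions.at(AllDeclaredFunctionsNr).DLL = p_sDLLName;
    AllDeclaredFunctionsNr++;
}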
// Generate a call to LoadLibrary("string")
//
// Returns x86 assembly text that places p_sDLLName on the stack as a
// NUL-terminated string (one dword per push, last chunk first), calls through
// a stack slot at a computed offset, cleans the string up and pushes EAX.
// Returns "" with no side effects when DLLBaseAddress::DLLBaseExists reports
// the DLL as already handled; otherwise registers the DLL via
// DLLBaseAddress::AddDLLBase and increments NrBasesToStack.
//
// NOTE(review): the slot the "call dword [esp + N]" reads is assumed to hold a
// LoadLibrary pointer set up by code outside this file; the offset arithmetic
// (Times + 2 dwords pushed here plus NrBasesToStack previously saved bases)
// only holds if the caller preserves that stack layout — verify against the
// stub that prepares it.
string DeclaredFunctions::GenerateLoadLibraryCall(string p_sDLLName)
{
string sContent = "";
size_t Len = p_sDLLName.length();
// Check if the DLL was already loaded
if (DLLBaseAddress::DLLBaseExists(p_sDLLName)) return "";
// First push: the 0..3 trailing bytes that do not fill a whole dword, with
// the zeroed upper bytes of EAX acting as the string's NUL terminator.
// Len == 0 takes the first branch and never indexes into p_sDLLName.
if (Len % 4 == 0)
{
sContent = "xor eax, eax ; EAX = 0 \r\n";
sContent += "push eax ; NULL on the stack \r\n";
}
else if (Len % 4 == 1)
{
sContent = "xor eax, eax\r\n";
sContent += "mov al, 0x";
sContent += Utils::CharToHexString(p_sDLLName[Len - 1]);
sContent += "\r\n";
sContent += "push eax\r\n";
}
else if (Len % 4 == 2)
{
sContent = "xor eax, eax\r\n";
sContent += "mov ax, 0x";
sContent += Utils::CharToHexString(p_sDLLName[Len - 1]);
sContent += Utils::CharToHexString(p_sDLLName[Len - 2]);
sContent += "\r\n";
sContent += "push eax\r\n";
}
else if (Len % 4 == 3)
{
// 0x23 fills the top byte of the immediate and is subtracted back out of
// the in-memory dword afterwards, so the stored top byte ends up 0x00.
// Presumably this keeps a zero byte out of the encoded instruction —
// confirm against the project's constraints on the generated code.
sContent = "xor eax, eax\r\n";
sContent += "mov eax, 0x23";
sContent += Utils::CharToHexString(p_sDLLName[Len - 1]);
sContent += Utils::CharToHexString(p_sDLLName[Len - 2]);
sContent += Utils::CharToHexString(p_sDLLName[Len - 3]);
sContent += "\r\n";
sContent += "push eax\r\n";
sContent += "sub dword [esp + 3], 0x23\r\n";
}
else cout << "Imaginary number?" << endl; // unreachable: Len is unsigned, so Len % 4 is always 0..3
// Put the string as hex data pushes on the stack: whole 4-byte chunks, last
// chunk first; bytes within a chunk are emitted in reverse order so that the
// dword written to memory holds them in string order.
size_t Times = Len / 4;
for (size_t i = Times; i > 0; i--)
{
sContent += "push 0x";
for (size_t j = 4; j > 0; j--)
{
sContent += Utils::CharToHexString(p_sDLLName[i * 4 - 4 + j - 1]);
}
sContent += "\r\n";
}
// LoadLibrary function call: the string pointer is the argument; the callee
// pointer is read from the slot Times + 2 dwords (string + pushed esp) plus
// NrBasesToStack saved bases above the current esp.
sContent += "push esp ; String on the stack \r\n";
sContent += "call dword [esp + ";
sContent += to_string(((Times + 2) * 4) + NrBasesToStack * 4);
sContent += "]\r\n";
// Drop the Times + 1 string dwords. The pushed pointer argument is not
// counted here, which is consistent with a callee-cleanup convention for
// the called function — verify if the target convention ever changes.
sContent += "add esp, ";
sContent += to_string(((Times + 1) * 4));
sContent += "\r\n";
sContent += "push eax ; DLL base on the stack \r\n\r\n";
// Add DLL to base list and increment bases on stack number
DLLBaseAddress::AddDLLBase(p_sDLLName);
NrBasesToStack++;
return sContent;
}
// Generate a call to GetProcAddress(DLLBase, "FunctionName")
//
// Returns x86 assembly text that places p_sFunctionName on the stack as a
// NUL-terminated string (one dword per push, last chunk first), re-pushes the
// previously saved base of p_sDLLName from its stack slot, calls through a
// stack slot at a computed offset, cleans the string up and pushes EAX.
// Returns "" with no side effects when FunctionOffsetAddress::FunctionOffsetExists
// reports the function as already handled; otherwise registers it via
// FunctionOffsetAddress::AddFunctionOffset and increments NrFunctionsToStack.
//
// NOTE(review): DLLBaseAddress::GetDLLBase is not visible here. The offset
// below computes NrBasesToStack + 3 - GetDLLBase(...) in size_t; if GetDLLBase
// can return a value larger than NrBasesToStack + 3 (e.g. a not-found
// sentinel), the subtraction wraps and a huge [esp + N] offset is emitted
// silently. Confirm GetDLLBase's contract and consider rejecting an unknown
// DLL before reaching this arithmetic.
string DeclaredFunctions::GenerateGetProcAddressCall(string p_sDLLName, string p_sFunctionName)
{
string sContent = "";
size_t Len = p_sFunctionName.length();
// Check if the function address was already found
if (FunctionOffsetAddress::FunctionOffsetExists(p_sFunctionName)) return "";
// First push: the 0..3 trailing bytes that do not fill a whole dword, with
// the zeroed upper bytes of EAX acting as the string's NUL terminator.
// Len == 0 takes the first branch and never indexes into p_sFunctionName.
if (Len % 4 == 0)
{
sContent = "xor eax, eax ; EAX = 0 \r\n";
sContent += "push eax ; NULL on the stack \r\n";
}
else if (Len % 4 == 1)
{
sContent = "xor eax, eax\r\n";
sContent += "mov al, 0x";
sContent += Utils::CharToHexString(p_sFunctionName[Len - 1]);
sContent += "\r\n";
sContent += "push eax\r\n";
}
else if (Len % 4 == 2)
{
sContent = "xor eax, eax\r\n";
sContent += "mov ax, 0x";
sContent += Utils::CharToHexString(p_sFunctionName[Len - 1]);
sContent += Utils::CharToHexString(p_sFunctionName[Len - 2]);
sContent += "\r\n";
sContent += "push eax\r\n";
}
else if (Len % 4 == 3)
{
// Same 0x23 placeholder / "sub dword [esp + 3]" pairing as in
// GenerateLoadLibraryCall: the stored top byte ends up 0x00 without a zero
// byte appearing in the immediate — presumably deliberate, confirm.
sContent = "xor eax, eax\r\n";
sContent += "mov eax, 0x23";
sContent += Utils::CharToHexString(p_sFunctionName[Len - 1]);
sContent += Utils::CharToHexString(p_sFunctionName[Len - 2]);
sContent += Utils::CharToHexString(p_sFunctionName[Len - 3]);
sContent += "\r\n";
sContent += "push eax\r\n";
sContent += "sub dword [esp + 3], 0x23\r\n";
}
else cout << "Imaginary number?" << endl; // unreachable: Len is unsigned, so Len % 4 is always 0..3
// Put the string as hex data pushes on the stack: whole 4-byte chunks, last
// chunk first; bytes within a chunk are emitted in reverse order so that the
// dword written to memory holds them in string order.
size_t Times = Len / 4;
for (size_t i = Times; i > 0; i--)
{
sContent += "push 0x";
for (size_t j = 4; j > 0; j--)
{
sContent += Utils::CharToHexString(p_sFunctionName[i * 4 - 4 + j - 1]);
}
sContent += "\r\n";
}
// GetProcAddress arguments: first the string pointer, then the saved DLL
// base re-read from its stack slot. The slot offset accounts for the
// NrFunctionsToStack function addresses and the bases pushed since
// GetDLLBase's entry, plus the Times + 2 dwords pushed in this function.
sContent += "push esp ; String on the stack \r\n";
sContent += "push dword [esp + ";
sContent += to_string((NrFunctionsToStack * 4) + ((NrBasesToStack + 3 - DLLBaseAddress::GetDLLBase(p_sDLLName)) * 4) + ((Times + 2) * 4));
sContent += "] \r\n";
// Call GetProcAddress through a stack slot; as in GenerateLoadLibraryCall,
// what that slot holds is set up outside this file — verify the layout.
sContent += "call dword [esp + ";
sContent += to_string(((NrFunctionsToStack + 1) * 4) + ((NrBasesToStack + 1) * 4) + ((Times + 2) * 4));
sContent += "]\r\n";
// Drop the Times + 1 string dwords; the two pushed arguments are not counted
// here, consistent with a callee-cleanup convention — verify if the target
// convention ever changes.
sContent += "add esp, ";
sContent += to_string(((Times + 1) * 4));
sContent += "\r\n";
sContent += "push eax ; Function address on the stack \r\n\r\n";
// Add function address to the list and increment nr of functions on stack number
FunctionOffsetAddress::AddFunctionOffset(p_sFunctionName);
NrFunctionsToStack++;
// Do it!
return sContent;
}