diff --git a/headers/structs.h b/headers/structs.h
new file mode 100644
index 0000000..7f28378
--- /dev/null
+++ b/headers/structs.h
@@ -0,0 +1,329 @@
+#pragma once
+
+#ifndef STRUCTS_H
+#define STRUCTS_H
+
+typedef struct SyscallEntry {
+ INT SSN;
+ PVOID Address;
+ PVOID Syscall;
+};
+
+//0x18 bytes (sizeof)
+struct _RTL_BALANCED_NODE {
+ union
+ {
+ struct _RTL_BALANCED_NODE* Children[2]; //0x0
+ struct
+ {
+ struct _RTL_BALANCED_NODE* Left; //0x0
+ struct _RTL_BALANCED_NODE* Right; //0x8
+ };
+ };
+ union
+ {
+ struct
+ {
+ UCHAR Red : 1; //0x10
+ UCHAR Balance : 2; //0x10
+ };
+ ULONGLONG ParentValue; //0x10
+ };
+};
+
+//0x138 bytes (sizeof)
+typedef struct _LDR_DATA_TABLE_ENTRY_MODIFIED {
+ struct _LIST_ENTRY InLoadOrderLinks; //0x0
+ struct _LIST_ENTRY InMemoryOrderLinks; //0x10
+ struct _LIST_ENTRY InInitializationOrderLinks; //0x20
+ PVOID DllBase; //0x30
+ PVOID EntryPoint; //0x38
+ ULONG SizeOfImage; //0x40
+ struct _UNICODE_STRING FullDllName; //0x48
+ struct _UNICODE_STRING BaseDllName; //0x58
+ union
+ {
+ UCHAR FlagGroup[4]; //0x68
+ ULONG Flags; //0x68
+ struct
+ {
+ ULONG PackagedBinary : 1; //0x68
+ ULONG MarkedForRemoval : 1; //0x68
+ ULONG ImageDll : 1; //0x68
+ ULONG LoadNotificationsSent : 1; //0x68
+ ULONG TelemetryEntryProcessed : 1; //0x68
+ ULONG ProcessStaticImport : 1; //0x68
+ ULONG InLegacyLists : 1; //0x68
+ ULONG InIndexes : 1; //0x68
+ ULONG ShimDll : 1; //0x68
+ ULONG InExceptionTable : 1; //0x68
+ ULONG ReservedFlags1 : 2; //0x68
+ ULONG LoadInProgress : 1; //0x68
+ ULONG LoadConfigProcessed : 1; //0x68
+ ULONG EntryProcessed : 1; //0x68
+ ULONG ProtectDelayLoad : 1; //0x68
+ ULONG ReservedFlags3 : 2; //0x68
+ ULONG DontCallForThreads : 1; //0x68
+ ULONG ProcessAttachCalled : 1; //0x68
+ ULONG ProcessAttachFailed : 1; //0x68
+ ULONG CorDeferredValidate : 1; //0x68
+ ULONG CorImage : 1; //0x68
+ ULONG DontRelocate : 1; //0x68
+ ULONG CorILOnly : 1; //0x68
+ ULONG ChpeImage : 1; //0x68
+ ULONG ChpeEmulatorImage : 1; //0x68
+ ULONG ReservedFlags5 : 1; //0x68
+ ULONG Redirected : 1; //0x68
+ ULONG ReservedFlags6 : 2; //0x68
+ ULONG CompatDatabaseProcessed : 1; //0x68
+ };
+ };
+ USHORT ObsoleteLoadCount; //0x6c
+ USHORT TlsIndex; //0x6e
+ struct _LIST_ENTRY HashLinks; //0x70
+ ULONG TimeDateStamp; //0x80
+ struct _ACTIVATION_CONTEXT* EntryPointActivationContext; //0x88
+ PVOID Lock; //0x90
+ struct _LDR_DDAG_NODE* DdagNode; //0x98
+ struct _LIST_ENTRY NodeModuleLink; //0xa0
+ struct _LDRP_LOAD_CONTEXT* LoadContext; //0xb0
+ PVOID ParentDllBase; //0xb8
+ PVOID SwitchBackContext; //0xc0
+ struct _RTL_BALANCED_NODE BaseAddressIndexNode; //0xc8
+ struct _RTL_BALANCED_NODE MappingInfoIndexNode; //0xe0
+ ULONGLONG OriginalBase; //0xf8
+ union _LARGE_INTEGER LoadTime; //0x100
+ ULONG BaseNameHashValue; //0x108
+ enum _LDR_DLL_LOAD_REASON LoadReason; //0x10c
+ ULONG ImplicitPathOptions; //0x110
+ ULONG ReferenceCount; //0x114
+ ULONG DependentLoadFlags; //0x118
+ UCHAR SigningLevel; //0x11c
+ ULONG CheckSum; //0x120
+ PVOID ActivePatchImageBase; //0x128
+ enum _LDR_HOT_PATCH_STATE HotPatchState; //0x130
+} LDR_DATA_TABLE_ENTRY_MODIFIED,
+* PLDR_DATA_TABLE_ENTRY_MODIFIED;
+
+// Define call stack spoofing structs
+typedef struct {
+ PVOID Fixup; // 0
+ PVOID OG_retaddr; // 8
+ PVOID rbx; // 16
+ PVOID rdi; // 24
+ PVOID BTIT_ss; // 32
+ PVOID BTIT_retaddr; // 40
+ PVOID Gadget_ss; // 48
+ PVOID RUTS_ss; // 56
+ PVOID RUTS_retaddr; // 64
+ PVOID ssn; // 72
+ PVOID trampoline; // 80
+ PVOID rsi; // 88
+ PVOID r12; // 96
+ PVOID r13; // 104
+ PVOID r14; // 112
+ PVOID r15; // 120
+} PRM,
+* PPRM;
+
+typedef union _UNWIND_CODE {
+ struct {
+ BYTE CodeOffset;
+ BYTE UnwindOp : 4;
+ BYTE OpInfo : 4;
+ };
+ USHORT FrameOffset;
+} UNWIND_CODE,
+* PUNWIND_CODE;
+
+typedef struct _UNWIND_INFO {
+ BYTE Version : 3;
+ BYTE Flags : 5;
+ BYTE SizeOfProlog;
+ BYTE CountOfCodes;
+ BYTE FrameRegister : 4;
+ BYTE FrameOffset : 4;
+ UNWIND_CODE UnwindCode[1];
+} UNWIND_INFO,
+* PUNWIND_INFO;
+
+typedef struct _EXCEPTION_INFO {
+ UINT64 hModule;
+ UINT64 pExceptionDirectory;
+ DWORD dwRuntimeFunctionCount;
+}EXCEPTION_INFO,
+* PEXCEPTION_INFO;
+
+typedef struct {
+ LPCWSTR dllPath;
+ ULONG offset;
+ ULONG totalStackSize;
+ BOOL requiresLoadLibrary;
+ BOOL setsFramePointer;
+ PVOID returnAddress;
+ BOOL pushRbp;
+ ULONG countOfCodes;
+ BOOL pushRbpIndex;
+} StackFrame,
+* PStackFrame;
+
+typedef struct _FILE_STANDARD_INFORMATION {
+ LARGE_INTEGER AllocationSize; // The file allocation size in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
+ LARGE_INTEGER EndOfFile; // The end of file location as a byte offset.
+ ULONG NumberOfLinks; // The number of hard links to the file.
+ BOOLEAN DeletePending; // The delete pending status. TRUE indicates that a file deletion has been requested.
+ BOOLEAN Directory; // The file directory status. TRUE indicates the file object represents a directory.
+} FILE_STANDARD_INFORMATION,
+* PFILE_STANDARD_INFORMATION;
+
+typedef struct _FILE_RENAME_INFORMATION_EX {
+ ULONG Flags;
+ HANDLE RootDirectory;
+ ULONG FileNameLength;
+ _Field_size_bytes_(FileNameLength) WCHAR FileName[1];
+} FILE_RENAME_INFORMATION_EX,
+* PFILE_RENAME_INFORMATION_EX;
+
+typedef struct _FILE_DISPOSITION_INFORMATION {
+ BOOLEAN DeleteFile;
+} FILE_DISPOSITION_INFORMATION,
+* PFILE_DISPOSITION_INFORMATION;
+
+typedef struct _KSYSTEM_TIME {
+ ULONG LowPart;
+ LONG High1Time;
+ LONG High2Time;
+} KSYSTEM_TIME,
+* PKSYSTEM_TIME;
+
+typedef struct _KUSER_SHARED_DATA {
+ ULONG TickCountLowDeprecated;
+ ULONG TickCountMultiplier;
+ KSYSTEM_TIME InterruptTime;
+ KSYSTEM_TIME SystemTime;
+ KSYSTEM_TIME TimeZoneBias;
+ USHORT ImageNumberLow;
+ USHORT ImageNumberHigh;
+ WCHAR NtSystemRoot[260];
+ ULONG MaxStackTraceDepth;
+ ULONG CryptoExponent;
+ ULONG TimeZoneId;
+ ULONG LargePageMinimum;
+ ULONG AitSamplingValue;
+ ULONG AppCompatFlag;
+ ULONGLONG RNGSeedVersion;
+ ULONG GlobalValidationRunlevel;
+ LONG TimeZoneBiasStamp;
+ ULONG NtBuildNumber;
+ NT_PRODUCT_TYPE NtProductType;
+ BOOLEAN ProductTypeIsValid;
+ BOOLEAN Reserved0[1];
+ USHORT NativeProcessorArchitecture;
+ ULONG NtMajorVersion;
+ ULONG NtMinorVersion;
+ BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
+ ULONG Reserved1;
+ ULONG Reserved3;
+ ULONG TimeSlip;
+ ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
+ ULONG BootId;
+ LARGE_INTEGER SystemExpirationDate;
+ ULONG SuiteMask;
+ BOOLEAN KdDebuggerEnabled;
+ union {
+ UCHAR MitigationPolicies;
+ struct {
+ UCHAR NXSupportPolicy : 2;
+ UCHAR SEHValidationPolicy : 2;
+ UCHAR CurDirDevicesSkippedForDlls : 2;
+ UCHAR Reserved : 2;
+ };
+ };
+ USHORT CyclesPerYield;
+ ULONG ActiveConsoleId;
+ ULONG DismountCount;
+ ULONG ComPlusPackage;
+ ULONG LastSystemRITEventTickCount;
+ ULONG NumberOfPhysicalPages;
+ BOOLEAN SafeBootMode;
+ union {
+ UCHAR VirtualizationFlags;
+ struct {
+ UCHAR ArchStartedInEl2 : 1;
+ UCHAR QcSlIsSupported : 1;
+ };
+ };
+ UCHAR Reserved12[2];
+ union {
+ ULONG SharedDataFlags;
+ struct {
+ ULONG DbgErrorPortPresent : 1;
+ ULONG DbgElevationEnabled : 1;
+ ULONG DbgVirtEnabled : 1;
+ ULONG DbgInstallerDetectEnabled : 1;
+ ULONG DbgLkgEnabled : 1;
+ ULONG DbgDynProcessorEnabled : 1;
+ ULONG DbgConsoleBrokerEnabled : 1;
+ ULONG DbgSecureBootEnabled : 1;
+ ULONG DbgMultiSessionSku : 1;
+ ULONG DbgMultiUsersInSessionSku : 1;
+ ULONG DbgStateSeparationEnabled : 1;
+ ULONG SpareBits : 21;
+ } DUMMYSTRUCTNAME2;
+ } DUMMYUNIONNAME2;
+ ULONG DataFlagsPad[1];
+ ULONGLONG TestRetInstruction;
+ LONGLONG QpcFrequency;
+ ULONG SystemCall;
+ ULONG Reserved2;
+ ULONGLONG FullNumberOfPhysicalPages;
+ ULONGLONG SystemCallPad[1];
+ union {
+ KSYSTEM_TIME TickCount;
+ ULONG64 TickCountQuad;
+ struct {
+ ULONG ReservedTickCountOverlay[3];
+ ULONG TickCountPad[1];
+ } DUMMYSTRUCTNAME;
+ } DUMMYUNIONNAME3;
+ ULONG Cookie;
+ ULONG CookiePad[1];
+ LONGLONG ConsoleSessionForegroundProcessId;
+ ULONGLONG TimeUpdateLock;
+ ULONGLONG BaselineSystemTimeQpc;
+ ULONGLONG BaselineInterruptTimeQpc;
+ ULONGLONG QpcSystemTimeIncrement;
+ ULONGLONG QpcInterruptTimeIncrement;
+ UCHAR QpcSystemTimeIncrementShift;
+ UCHAR QpcInterruptTimeIncrementShift;
+ USHORT UnparkedProcessorCount;
+ ULONG EnclaveFeatureMask[4];
+ ULONG TelemetryCoverageRound;
+ USHORT UserModeGlobalLogger[16];
+ ULONG ImageFileExecutionOptions;
+ ULONG LangGenerationCount;
+ ULONGLONG Reserved4;
+ ULONGLONG InterruptTimeBias;
+ ULONGLONG QpcBias;
+ ULONG ActiveProcessorCount;
+ UCHAR ActiveGroupCount;
+ UCHAR Reserved9;
+ union {
+ USHORT QpcData;
+ struct {
+ UCHAR QpcBypassEnabled;
+ UCHAR QpcReserved;
+ };
+ };
+ LARGE_INTEGER TimeZoneBiasEffectiveStart;
+ LARGE_INTEGER TimeZoneBiasEffectiveEnd;
+ XSTATE_CONFIGURATION XState;
+ KSYSTEM_TIME FeatureConfigurationChangeStamp;
+ ULONG Spare;
+ ULONG64 UserPointerAuthMask;
+ XSTATE_CONFIGURATION XStateArm64;
+ ULONG Reserved10[210];
+} KUSER_SHARED_DATA,
+* PKUSER_SHARED_DATA;
+
+#endif
\ No newline at end of file
diff --git a/headers/syscalls.h b/headers/syscalls.h
new file mode 100644
index 0000000..c066680
--- /dev/null
+++ b/headers/syscalls.h
@@ -0,0 +1,29 @@
+#pragma once
+
+#ifndef SYSCALLS_H
+#define SYSCALLS_H
+
+EXTERN_C DWORD dwSSN;
+EXTERN_C PVOID qwJMP;
+EXTERN_C PVOID CallR12(PVOID Function, ULONGLONG nArgs, PVOID r12_gadget, ...);
+NTAPI_FUNCTION CallMe();
+
+extern PBYTE hNtdll;
+extern NTSTATUS status;
+
+// Super reliable way to find the base address of a given module
+PBYTE FindModuleBase(const CHAR* moduleName);
+
+// Resolve System Service Number (SSN), Address, and Offset for a System Call Name
+SyscallEntry SSNLookup(PCHAR syscall);
+
+// Collect all instances of a given ROP gadget in a given module
+std::vector CollectGadgets(const PBYTE gadget, SIZE_T gadgetSize, PBYTE hModule);
+
+// Choose a random gadget
+PVOID GoGoGadget(std::vector gadgets);
+
+// Checks the bytes immediately before each gadget
+VOID CheckGadgetPreBytes(const std::vector& gadgets, SIZE_T gadgetSize, SIZE_T lookbackSize);
+
+#endif
\ No newline at end of file
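Review bot: `typedef struct SyscallEntry { ... };` at the top of the hunk has a `typedef` but no typedef-name, so the keyword is ignored (MSVC C4091, GCC "typedef was ignored"); since syscalls.h uses `SyscallEntry` as a type, declare it either as plain `struct SyscallEntry { ... };` or, to match the rest of the file, `typedef struct _SyscallEntry { ... } SyscallEntry, *PSyscallEntry;`. Further down, `enum _LDR_DLL_LOAD_REASON LoadReason;` and `enum _LDR_HOT_PATCH_STATE HotPatchState;` refer to enums nothing in this hunk defines, and C++ does not accept an elaborated reference to an undefined unscoped enum, so unless another project header defines them these two members will not compile. `struct _RTL_BALANCED_NODE` is also declared by winnt.h in recent SDKs, so redefining it here will collide in any translation unit that includes both; guarding it or reusing the SDK type avoids that. The `//0x138 bytes (sizeof)` comment is the contract the offset comments depend on; `static_assert(sizeof(LDR_DATA_TABLE_ENTRY_MODIFIED) == 0x138, "layout drift");` would turn it into a build-time check.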
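Review bot: `std::vector CollectGadgets(...)`, `PVOID GoGoGadget(std::vector gadgets)` and `const std::vector& gadgets` use `std::vector` with no template argument, which is not a type in a function declaration (class template argument deduction does not apply to parameter or return types); if the angle brackets were lost in rendering this is moot, otherwise each needs the element type spelled out, e.g. `std::vector<PVOID>`. `GoGoGadget` takes the vector by value, so every call copies the whole gadget list; `PVOID GoGoGadget(const std::vector<PVOID>& gadgets);` matches the `CheckGadgetPreBytes` signature and avoids the copy. The header uses `std::vector`, `SyscallEntry` and the SDK types without including anything, so it compiles only when the including translation unit already has `<vector>` and structs.h in scope; adding `#include <vector>` and `#include "structs.h"` after the guard makes it self-contained. The `// Super reliable way to find the base address of a given module` comment on `FindModuleBase` does not say what is returned when the module is not found, which is the case callers need to check; documenting that return value would help.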