#include "stdafx.h"
#include <fstream>
#include <vector>
// CBA to make this cleaner
namespace Map {
/// Finds the section header whose virtual range [VirtualAddress, VirtualAddress + VirtualSize)
/// contains `rva`.
/// @param nt  NT headers of the image; NumberOfSections and the section table are trusted as-is.
/// @param rva Relative virtual address to locate.
/// @return The covering section header, or NULL when no section contains `rva`.
/// @note The end-of-range sum is plain 32-bit DWORD arithmetic and is not checked for wrap-around.
PIMAGE_SECTION_HEADER TranslateRawSection(PIMAGE_NT_HEADERS nt, DWORD rva) {
    const auto sectionCount = nt->FileHeader.NumberOfSections;
    auto header = IMAGE_FIRST_SECTION(nt);
    for (WORD idx = 0; idx < sectionCount; ++idx) {
        const auto rangeStart = header->VirtualAddress;
        const auto rangeEnd = rangeStart + header->Misc.VirtualSize;
        if (rva >= rangeStart && rva < rangeEnd) {
            return header;
        }
        ++header;
    }
    return NULL;
}
/// Converts an RVA into a pointer inside the raw (file-layout) image buffer.
/// @param base Start of the file image in memory.
/// @param nt   NT headers of that image.
/// @param rva  Relative virtual address to convert.
/// @return Pointer into `base`, or NULL when no section covers `rva`.
/// @note The buffer length is not known here, so PointerToRawData and the
///       in-section offset are trusted; nothing verifies the result stays inside `base`.
PVOID TranslateRaw(PBYTE base, PIMAGE_NT_HEADERS nt, DWORD rva) {
    const auto header = TranslateRawSection(nt, rva);
    if (header == NULL) {
        return NULL;
    }
    const auto offsetInSection = rva - header->VirtualAddress;
    return base + header->PointerToRawData + offsetInSection;
}
/// Rewrites the first-thunk (IAT) entries of the raw image in `base`, in place,
/// so they point at the target process's copy of each imported export.
/// For every imported DLL: the library is loaded into *this* process with
/// LoadLibraryA, the same module is located in the target via process.Module,
/// and each thunk receives (local export address - local module base) added to
/// the target module base.
/// @param process Target process; only queried for module bases here, nothing is written to it.
/// @param base    Raw file image; its IAT entries are overwritten.
/// @param nt      NT headers of that image.
/// @return FALSE when a dependency cannot be loaded locally or is not loaded in
///         the target; TRUE otherwise, including when the image has no import
///         directory or the directory RVA cannot be translated.
/// @note Assumptions this code makes without checking them:
///   - the local and target copies of each DLL share the same layout, since an
///     export's offset is transferred verbatim;
///   - every thunk is an import by name — there is no IMAGE_SNAP_BY_ORDINAL
///     test, so an ordinal entry would be handed to TranslateRaw as an RVA;
///   - TranslateRaw and GetProcAddress never return NULL inside the thunk
///     loop (neither result is tested before it is dereferenced/used);
///   - LoadLibraryA has its usual side effects in this process (the DLL's
///     entry point runs here), so the mapper executes code from whatever
///     dependencies the input image names.
BOOLEAN ResolveImports(Comm::Process& process, PBYTE base, PIMAGE_NT_HEADERS nt) {
    auto rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (!rva) {
        // No import directory: nothing to resolve, treated as success.
        return TRUE;
    }
    auto importDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(TranslateRaw(base, nt, rva));
    if (!importDescriptor) {
        // Directory RVA falls outside every section: silently treated as success.
        return TRUE;
    }
    // A descriptor with FirstThunk == 0 terminates the descriptor table.
    for (; importDescriptor->FirstThunk; ++importDescriptor) {
        auto moduleName = reinterpret_cast<PCHAR>(TranslateRaw(base, nt, importDescriptor->Name));
        if (!moduleName) {
            // Untranslatable name RVA ends the walk early but still reports TRUE.
            break;
        }
        // Loaded into the mapper's own process, only to compute export offsets.
        auto module = LoadLibraryA(moduleName);
        if (!module) {
            //errorf("failed to load module: %s\n", moduleName);
            return FALSE;
        }
        PBYTE processModuleBase = NULL;
        DWORD processModuleSize = 0;
        // StrToWStr is a project helper not visible here; presumably converts the
        // ANSI name to the wide form process.Module expects — confirm against its declaration.
        if (process.Module(StrToWStr(moduleName), &processModuleBase, &processModuleSize) != ERROR_SUCCESS) {
            //errorf("target process does not have %s loaded\n", moduleName);
            return FALSE;
        }
        // Walk the first-thunk array; a zero AddressOfData ends it.
        for (auto thunk = reinterpret_cast<PIMAGE_THUNK_DATA>(TranslateRaw(base, nt, importDescriptor->FirstThunk)); thunk->u1.AddressOfData; ++thunk) {
            // AddressOfData is assumed to be the RVA of an IMAGE_IMPORT_BY_NAME (no ordinal check).
            auto importByName = reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(TranslateRaw(base, nt, static_cast<DWORD>(thunk->u1.AddressOfData)));
            // Export offset within the local DLL, rebased onto the target's load address.
            // A NULL from GetProcAddress would produce a bogus negative offset rather than an error.
            thunk->u1.Function = reinterpret_cast<UINT_PTR>(processModuleBase + (reinterpret_cast<PBYTE>(GetProcAddress(module, importByName->Name)) - reinterpret_cast<PBYTE>(module)));
        }
    }
    return TRUE;
}
/// Applies base relocations to the raw image in `base`, in place, for a final
/// load address of `mapped`.
/// Walks the IMAGE_BASE_RELOCATION blocks until the accumulated block sizes
/// reach the directory's Size; within each block only IMAGE_REL_BASED_DIR64
/// entries are patched (the 8-byte value gets `mapped - ImageBase` added).
/// Every other relocation type, including the ABSOLUTE padding entries, is skipped.
/// @param base   Raw file image; patched in place.
/// @param nt     NT headers of that image (ImageBase and the reloc directory are read from here).
/// @param mapped Address the image will occupy in the target.
/// @note Header fields are not validated:
///   - a SizeOfBlock smaller than sizeof(IMAGE_BASE_RELOCATION) underflows
///     relocCount (unsigned arithmetic) and the entry loop runs off the block;
///   - relocBase is not tested for NULL before entries are applied to it;
///   - an entry offset is not checked against the section that contains the page.
VOID ResolveRelocations(PBYTE base, PIMAGE_NT_HEADERS nt, PBYTE mapped) {
    auto& baseRelocDir = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
    if (!baseRelocDir.VirtualAddress) {
        // No relocation directory: image is left as-is.
        return;
    }
    auto reloc = reinterpret_cast<PIMAGE_BASE_RELOCATION>(TranslateRaw(base, nt, baseRelocDir.VirtualAddress));
    if (!reloc) {
        // Directory RVA outside every section: silently skipped.
        return;
    }
    // currentSize tracks how many bytes of the directory have been consumed.
    for (auto currentSize = 0UL; currentSize < baseRelocDir.Size; ) {
        // Number of WORD entries following the block header.
        auto relocCount = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
        auto relocData = reinterpret_cast<PWORD>(reinterpret_cast<PBYTE>(reloc) + sizeof(IMAGE_BASE_RELOCATION));
        // Raw pointer to the page this block describes (NULL is not handled).
        auto relocBase = reinterpret_cast<PBYTE>(TranslateRaw(base, nt, reloc->VirtualAddress));
        for (auto i = 0UL; i < relocCount; ++i, ++relocData) {
            auto data = *relocData;
            // High 4 bits: relocation type; low 12 bits: offset within the page.
            auto type = data >> 12;
            auto offset = data & 0xFFF;
            if (type == IMAGE_REL_BASED_DIR64) {
                // Delta between the final and the preferred load address, as a pointer difference.
                *reinterpret_cast<PBYTE*>(relocBase + offset) += (mapped - reinterpret_cast<PBYTE>(nt->OptionalHeader.ImageBase));
            }
        }
        currentSize += reloc->SizeOfBlock;
        // The next block starts immediately after this block's last entry.
        reloc = reinterpret_cast<PIMAGE_BASE_RELOCATION>(relocData);
    }
}
/// Writes the leading bytes of the local image buffer to `mapped` in the target.
/// The length written is sizeof(Signature) + sizeof(FileHeader) + SizeOfOptionalHeader,
/// i.e. the size of the NT headers — but the copy starts at `base` (the DOS
/// header), not at `nt`, so what lands in the target is the first N bytes of
/// the file. Whether that is intended depends on e_lfanew; confirm with the author.
/// @return TRUE when process.Write reported ERROR_SUCCESS, FALSE otherwise.
BOOLEAN MapHeaders(Comm::Process& process, PBYTE base, PIMAGE_NT_HEADERS nt, PBYTE mapped) {
    const auto headerBytes = sizeof(nt->Signature)
        + sizeof(nt->FileHeader)
        + nt->FileHeader.SizeOfOptionalHeader;
    const auto status = process.Write(mapped, base, headerBytes);
    return status == ERROR_SUCCESS ? TRUE : FALSE;
}
/// Copies every section's raw bytes to its virtual address under `mapped`.
/// Per section the smaller of SizeOfRawData and VirtualSize is written;
/// sections where that is zero are skipped and are NOT zero-filled here.
/// @param process Target process that receives the writes.
/// @param base    Raw file image (source of the bytes).
/// @param nt      NT headers of that image; the section table is trusted as-is.
/// @param mapped  Base address the image occupies in the target.
/// @return FALSE on the first failed write, TRUE once every section is copied.
BOOLEAN MapSections(Comm::Process& process, PBYTE base, PIMAGE_NT_HEADERS nt, PBYTE mapped) {
    const auto sectionCount = nt->FileHeader.NumberOfSections;
    auto header = IMAGE_FIRST_SECTION(nt);
    for (WORD idx = 0; idx < sectionCount; ++idx, ++header) {
        const auto bytesToCopy = min(header->SizeOfRawData, header->Misc.VirtualSize);
        if (bytesToCopy == 0) {
            continue;
        }
        const auto destination = mapped + header->VirtualAddress;
        const auto source = base + header->PointerToRawData;
        const auto status = process.Write(destination, source, bytesToCopy);
        if (status != ERROR_SUCCESS) {
            //errorf("failed to map section %s at %p (%x)\n", header->Name, destination, bytesToCopy);
            return FALSE;
        }
    }
    return TRUE;
}
/// Reserves SizeOfImage bytes directly after the target's existing `module`
/// and returns where the new image will start.
/// @param process Target process; queried with Module and grown with Extend.
/// @param nt      NT headers of the image to place (only SizeOfImage is read).
/// @param module  Name of the module in the target to extend.
/// @return `moduleBase + moduleSize` of the existing module, or NULL when the
///         module is not found or process.Extend does not report ERROR_SUCCESS.
/// @note Whether the trailing space is actually free is decided inside
///       process.Extend (a project call not visible here).
PBYTE ExtendModule(Comm::Process& process, PIMAGE_NT_HEADERS nt, LPCWSTR module) {
    PBYTE existingBase = NULL;
    DWORD existingSize = 0;
    //printf("[-] extending %ws\n", module);
    auto status = process.Module(module, &existingBase, &existingSize);
    const bool found = status == ERROR_SUCCESS && existingBase != NULL;
    if (!found) {
        //errorf("failed to find module %ws (%X)\n", module, status);
        return NULL;
    }
    const auto extraBytes = nt->OptionalHeader.SizeOfImage;
    status = process.Extend(module, extraBytes);
    if (status != ERROR_SUCCESS) {
        //errorf("module %ws does not having enough free trailing memory (%X)\n", module, status);
        return NULL;
    }
    //printf("[+] extended %ws to %x\n", module, existingSize + extraBytes);
    return existingBase + existingSize;
}
/// Maps the raw image in `base` into the target by appending it to the
/// existing module `module`, and returns the image's entry point in the target.
/// Order of operations: validate the DOS and NT signatures, zero both
/// signatures in the local buffer, reserve space after `module`, resolve
/// imports and relocations in the local buffer, then write headers and sections.
/// @param process Target process.
/// @param base    Raw file image; modified in place (signatures zeroed, IAT and
///                relocations patched) — callers must not treat it as pristine afterwards.
/// @param module  Name of the module in the target whose mapping is extended.
/// @return `mapped + AddressOfEntryPoint`, or NULL on any failure.
/// @note No buffer length is available here, so e_lfanew and every RVA derived
///       from the headers are trusted; a truncated or crafted file can make the
///       parser read outside `base`.
/// @note Failures after ExtendModule return NULL without undoing the Extend;
///       no rollback is visible in this file.
PVOID ExtendMap(Comm::Process& process, PBYTE base, LPCWSTR module) {
    auto dos = reinterpret_cast<PIMAGE_DOS_HEADER>(base);
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
        //errorf("invalid DOS signature\n");
        return NULL;
    }
    // e_lfanew is used as an offset without any bound check.
    auto nt = reinterpret_cast<PIMAGE_NT_HEADERS>(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        //errorf("invalid NT signature\n");
        return NULL;
    }
    // Both magic values are cleared before the headers are copied out by
    // MapHeaders, so the copy in the target carries neither an MZ nor a PE signature.
    nt->Signature = dos->e_magic = 0;
    auto mapped = ExtendModule(process, nt, module);
    if (!mapped) {
        return NULL;
    }
    //printf("[+] mapped base: %p\n", mapped);
    // Import and relocation fix-ups are applied to the local buffer before anything is written.
    if (!ResolveImports(process, base, nt)) {
        return NULL;
    }
    // ResolveRelocations reports nothing; a malformed relocation directory is not detected here.
    ResolveRelocations(base, nt, mapped);
    if (!MapHeaders(process, base, nt, mapped)) {
        //errorf("failed to map headers\n");
        return NULL;
    }
    if (!MapSections(process, base, nt, mapped)) {
        return NULL;
    }
    return mapped + nt->OptionalHeader.AddressOfEntryPoint;
}
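/// Reads `filePath` completely into memory and hands the buffer to the
/// ExtendMap(process, PBYTE, LPCWSTR) overload.
/// @param process  Target process.
/// @param filePath Path of the image file to read.
/// @param module   Name of the module in the target whose mapping is extended.
/// @return The entry point returned by the buffer overload, or NULL when the
///         file cannot be opened, is too small to hold a DOS header, or is not
///         read completely.
/// @note The buffer is owned by a std::vector so it is released on every return
///       path; the earlier new[]/delete[] pair leaked if the callee threw.
PVOID ExtendMap(Comm::Process& process, LPCWSTR filePath, LPCWSTR module) {
    std::ifstream file(filePath, std::ios::ate | std::ios::binary);
    if (!file) {
        //errorf("failed to open file: \"%ws\"\n", filePath);
        return NULL;
    }
    // Opened at the end, so tellg() is the file length; it is -1 on failure.
    const std::streamoff size = file.tellg();
    // The buffer overload dereferences an IMAGE_DOS_HEADER at offset 0 unconditionally,
    // so anything shorter than that must be rejected here.
    if (size < static_cast<std::streamoff>(sizeof(IMAGE_DOS_HEADER))) {
        //errorf("file too small to be an image: \"%ws\"\n", filePath);
        return NULL;
    }
    std::vector<BYTE> buffer(static_cast<std::vector<BYTE>::size_type>(size));
    file.seekg(0, std::ios::beg);
    // A short read would pass a truncated image to a parser that has no length to check against.
    if (!file.read(reinterpret_cast<PCHAR>(buffer.data()), static_cast<std::streamsize>(buffer.size()))) {
        //errorf("failed to read file: \"%ws\"\n", filePath);
        return NULL;
    }
    file.close();
    // The buffer overload patches the image in place; the vector is discarded afterwards.
    return ExtendMap(process, buffer.data(), module);
}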
}