Created
April 24, 2022 23:59
-
-
Save Cracked5pider/a296dd755e97f5138e5668673bc85ab5 to your computer and use it in GitHub Desktop.
Lol
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| MapImg = MemAllocateStomped( &fTable, ImgLen ); | |
| if ( !MapImg ) { | |
| sParam.ImgMod = TRUE; | |
| MapImg = MemAllocateVirtual( &fTable, ImgLen ); | |
| }; | |
| InlineZeroMemory( MapImg, ImgLen ); | |
| SecHdr = IMAGE_FIRST_SECTION( NtsHdr ); | |
| for ( INT i = 0 ; i < NtsHdr->FileHeader.NumberOfSections ; ++i ) { | |
| InlineCopyMemory( (LPVOID)(DEF_PTR(MapImg) + SecHdr[i].VirtualAddress), | |
| (LPVOID)(DEF_PTR(pImage) + SecHdr[i].PointerToRawData), | |
| (DWORD)(SecHdr[i].SizeOfRawData) ); | |
| }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define LOADER_INTERNAL | |
| #include "common.h" | |
| /** | |
| * | |
| * Allocates memory using the traditional | |
| * VirtualAlloc() method that Stephen Fewer's | |
| * and sRDI leverages. | |
| * | |
| * @ param [in] PFUNC_TABLE fTable : Pointer | |
| * to the initialized function table. | |
| * | |
| * @ param [in] ULONG Length : Length of the | |
| * images header. | |
| * | |
| **/ | |
| PVOID MemAllocateVirtual( IN PFUNC_TABLE fTable, IN ULONG Length ) { | |
| return fTable->VirtualAlloc( NULL, | |
| Length, | |
| MEM_COMMIT|MEM_RESERVE, | |
| PAGE_READWRITE ); | |
| }; | |
| /** | |
| * | |
| * Allocates memory using the untraditional | |
| * LoadLibraryExA() call that Cobalt attempts | |
| * to use to stomp an existing PE. | |
| * | |
| * @ param [in] PFUNC_TABLE fTable : Pointer | |
| * to the initialized function table. | |
| * | |
| * @ param [in] ULONG Length : Length of the | |
| * images header. | |
| * | |
| **/ | |
| PVOID MemAllocateStomped( IN PFUNC_TABLE fTable, IN ULONG Length ) { | |
| PVOID ImgPtr = 0; | |
| DWORD dwPerm = 0; | |
| BYTE ImgStr[24] = { 0 }; | |
| ImgStr[0] = 'm'; | |
| ImgStr[1] = 'i'; | |
| ImgStr[2] = 's'; | |
| ImgStr[3] = 'p'; | |
| ImgStr[4] = 'a'; | |
| ImgStr[5] = 'c'; | |
| ImgStr[6] = 'e'; | |
| ImgStr[7] = '.'; | |
| ImgStr[8] = 'd'; | |
| ImgStr[9] = 'l'; | |
| ImgStr[10] = 'l'; | |
| ImgStr[11] = '\0'; | |
| if ( fTable->GetModuleHandleA(ImgStr) != NULL ) { | |
| return NULL; | |
| }; | |
| ImgPtr = fTable->LoadLibraryExA(ImgStr, NULL, DONT_RESOLVE_DLL_REFERENCES); | |
| if ( ImgPtr != NULL ) { | |
| fTable->VirtualProtect(( LPVOID )( DEF_PTR(ImgPtr) ), | |
| ( ULONG )( Length ), | |
| ( ULONG )( PAGE_READWRITE ), | |
| ( PULONG )( & dwPerm )); | |
| }; | |
| return ImgPtr; | |
| }; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment