
@RedTeams
Created July 11, 2022 22:02
Locate msv1_0!NtlmFunctionTable by parsing the .rdata section.
#define _GNU_SOURCE
#define _WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <string.h>
#include <stdio.h>
#include "ssp.h"
/*
 * DllMain()
 * Loader entry point. On DLL_PROCESS_ATTACH it calls LocateFunctionTable()
 * and, when that returns a non-NULL pointer, writes a marker line to the
 * debugger output. Process detach and thread attach/detach do nothing.
 *
 * Returns FALSE on every path (unchanged from the original).
 * NOTE(review): for DLL_PROCESS_ATTACH the loader treats FALSE as a failed
 * load - confirm this is intended.
 */
BOOL
DllMain( _In_ HINSTANCE hInstance,
         _In_ DWORD fdwReason,
         _In_ LPVOID lpParameter )
{
    /* Neither the instance handle nor the reserved parameter is used. */
    (void)hInstance;
    (void)lpParameter;

    if (fdwReason == DLL_PROCESS_ATTACH) {
        LPVOID table = LocateFunctionTable();
        if (table != NULL) {
            OutputDebugString("[+] Found Function Table\n");
        }
    }
    /* DLL_PROCESS_DETACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH: nothing to do. */

    return FALSE;
}
#define SECURITY_WIN32
#define _WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winternl.h>
#include <sspi.h>
#include <ntsecpkg.h>
#define PTR(x) ((ULONG_PTR)x)
#define NT_HEADER(x) (PIMAGE_NT_HEADERS)(PTR(x) + ((PIMAGE_DOS_HEADER)x)->e_lfanew)
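/*
 * LocateFunctionTable()
 * Finds the SECPKG_FUNCTION_TABLE that msv1_0.dll keeps in its .rdata
 * section by scanning the section for a slot whose Initialize member equals
 * the module's exported SpInitialize.
 *
 * Returns a pointer to the table on success, or NULL when msv1_0.dll is not
 * loaded in this process, the module has no .rdata section, the SpInitialize
 * export cannot be resolved, or no match exists inside the section. The
 * original returned a pointer on every path and dereferenced NULL on the
 * failure cases; the scan is now also bounded by the section size so the
 * Initialize read never leaves the section.
 */
LPVOID LocateFunctionTable(VOID)
{
    HMODULE ImageDosHeader = NULL;
    LPVOID FunctionTable = NULL;

    /* 0x2 == GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT: look up an already
     * loaded module without changing its reference count. */
    if (!GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                            "msv1_0.dll", &ImageDosHeader)
        || ImageDosHeader == NULL) {
        return NULL;
    }

    PIMAGE_NT_HEADERS ImageNtsHeader = NT_HEADER(ImageDosHeader);
    PIMAGE_SECTION_HEADER ImageSecHeader = IMAGE_FIRST_SECTION(ImageNtsHeader);
    LPVOID *ImageSecAddress = NULL;
    SIZE_T ImageSecLength = 0;

    /* Find the first ".rdata" section header. Name is IMAGE_SIZEOF_SHORT_NAME
     * bytes and is not guaranteed to be NUL-terminated, hence the bounded
     * compare. Section start (module base + PointerToRawData) and its raw size
     * bound the scan below. */
    for (WORD i = 0; i < ImageNtsHeader->FileHeader.NumberOfSections; i++) {
        if (strncmp((PCHAR)ImageSecHeader[i].Name, ".rdata", IMAGE_SIZEOF_SHORT_NAME) == 0) {
            ImageSecAddress = (LPVOID *)(PTR(ImageDosHeader) + ImageSecHeader[i].PointerToRawData);
            ImageSecLength = ImageSecHeader[i].SizeOfRawData;
            break;
        }
    }
    if (ImageSecAddress == NULL || ImageSecLength == 0) {
        return NULL;  /* no .rdata section: nothing to scan */
    }

    LPVOID SpInitializeExp = (LPVOID)GetProcAddress(ImageDosHeader, "SpInitialize");
    if (SpInitializeExp == NULL) {
        return NULL;  /* without the export there is no value to match against */
    }

    /* Walk the section one pointer-sized slot at a time, treating each slot as
     * a candidate SECPKG_FUNCTION_TABLE, and stop at the first whose Initialize
     * member is the exported SpInitialize. The loop condition guarantees the
     * Initialize member of every candidate lies inside the section. */
    const ULONG_PTR SectionEnd = PTR(ImageSecAddress) + ImageSecLength;
    const ULONG_PTR InitializeEnd = FIELD_OFFSET(SECPKG_FUNCTION_TABLE, Initialize) + sizeof(LPVOID);
    for (LPVOID *Slot = ImageSecAddress; PTR(Slot) + InitializeEnd <= SectionEnd; Slot++) {
        PSECPKG_FUNCTION_TABLE Candidate = (PSECPKG_FUNCTION_TABLE)Slot;
        if (PTR(Candidate->Initialize) == PTR(SpInitializeExp)) {
            FunctionTable = (LPVOID)Candidate;
            break;
        }
    }

    return FunctionTable;
}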
#ifndef _SSP_H_
#define _SSP_H_
/**
*
* LocateFunctionTable()
* Locates the PSECPKG_FUNCTION_TABLE in the .rdata section
* of the msv1_0.dll module. On success it returns a pointer
* to the table; on failure, albeit unlikely, it returns NULL.
*
**/
LPVOID LocateFunctionTable(VOID);
#endif