Locate msv1_0!NtlmFunctionTable by parsing the .rdata section.
| #define _GNU_SOURCE | |
| #define _WIN32_LEAN_AND_MEAN | |
| #include <windows.h> | |
| #include <string.h> | |
| #include <stdio.h> | |
| #include "ssp.h" | |
/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH it asks LocateFunctionTable() for the msv1_0
 * function table and, when a non-NULL pointer comes back, writes a single
 * line to the debugger output channel. Process detach and thread
 * attach/detach do nothing.
 *
 * NOTE(review): FALSE is returned on every path, including
 * DLL_PROCESS_ATTACH; if that is not intended, the loader treats the attach
 * as failed — confirm against how this module is meant to be loaded.
 * NOTE(review): the definition carries no calling-convention specifier
 * (WINAPI); that is harmless on x64 but worth confirming for 32-bit builds.
 */
BOOL
DllMain( _In_ HINSTANCE hInstance,
         _In_ DWORD fdwReason,
         _In_ LPVOID lpParameter )
{
    (void)hInstance;
    (void)lpParameter;

    if (fdwReason == DLL_PROCESS_ATTACH) {
        LPVOID table = LocateFunctionTable();
        if (table != NULL) {
            OutputDebugString("[+] Found Function Table\n");
        }
    }
    /* DLL_PROCESS_DETACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH: nothing to do. */

    return FALSE;
}
| #define SECURITY_WIN32 | |
| #define _WIN32_LEAN_AND_MEAN | |
| #include <windows.h> | |
| #include <winternl.h> | |
| #include <sspi.h> | |
| #include <ntsecpkg.h> | |
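/* Integer view of a pointer for address arithmetic. The argument is
 * parenthesized so that an expression such as PTR(p + 1) casts the whole
 * expression, not just its first operand. */
#define PTR(x) ((ULONG_PTR)(x))

/* NT headers of a mapped image: image base plus the DOS header's e_lfanew.
 * Fully parenthesized so the result can be used inside larger expressions. */
#define NT_HEADER(x) ((PIMAGE_NT_HEADERS)(PTR(x) + ((PIMAGE_DOS_HEADER)(x))->e_lfanew))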
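/*
 * LocateFunctionTable - find the SECPKG_FUNCTION_TABLE of the loaded
 * msv1_0.dll by scanning its .rdata section for a table whose Initialize
 * slot equals the module's exported SpInitialize.
 *
 * Returns the table address, or NULL when the module is not loaded, has no
 * .rdata section, does not export SpInitialize, or no matching table lies
 * inside the section. (The header promises NULL on failure; the earlier
 * version dereferenced NULL or scanned past the section instead.)
 *
 * NOTE(review): the section is addressed through PointerToRawData /
 * SizeOfRawData, i.e. its file layout, while the image being read is the
 * mapped one — confirm the two layouts coincide for this module.
 */
LPVOID LocateFunctionTable(VOID)
{
    HMODULE ImageDosHeader = NULL;
    PIMAGE_NT_HEADERS ImageNtsHeader = NULL;
    PIMAGE_SECTION_HEADER ImageSecHeader = NULL;
    LPVOID *ImageSecAddress = NULL;
    LPVOID *ImageSecLast = NULL;
    LPVOID SpInitializeExp = NULL;
    SIZE_T ImageSecLength = 0;
    PSECPKG_FUNCTION_TABLE SecPkgTablePtr = NULL;

    /* Only look up an already-loaded module; do not bump its reference count. */
    GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                       "msv1_0.dll", &ImageDosHeader);
    if (ImageDosHeader == NULL) {
        return NULL;
    }

    ImageNtsHeader = NT_HEADER(ImageDosHeader);
    ImageSecHeader = IMAGE_FIRST_SECTION(ImageNtsHeader);
    for (WORD i = 0; i < ImageNtsHeader->FileHeader.NumberOfSections; i++) {
        /* Section names are IMAGE_SIZEOF_SHORT_NAME bytes and need not be
         * NUL-terminated, hence the bounded compare. */
        if (strncmp((PCHAR)ImageSecHeader[i].Name, ".rdata", IMAGE_SIZEOF_SHORT_NAME) == 0) {
            ImageSecAddress = (LPVOID *)(PTR(ImageDosHeader) + ImageSecHeader[i].PointerToRawData);
            ImageSecLength = ImageSecHeader[i].SizeOfRawData;
            break;
        }
    }
    /* No .rdata, or a section too small to hold even one table. */
    if (ImageSecAddress == NULL || ImageSecLength < sizeof *SecPkgTablePtr) {
        return NULL;
    }

    SpInitializeExp = GetProcAddress(ImageDosHeader, "SpInitialize");
    if (SpInitializeExp == NULL) {
        /* Without the export the scan would match the first NULL slot. */
        return NULL;
    }

    /* Last candidate start at which a whole table still fits in the section;
     * every read below stays within [ImageSecAddress, ImageSecAddress + ImageSecLength). */
    ImageSecLast = (LPVOID *)(PTR(ImageSecAddress) + ImageSecLength - sizeof *SecPkgTablePtr);
    for (; ImageSecAddress <= ImageSecLast; ImageSecAddress++) {
        SecPkgTablePtr = (PSECPKG_FUNCTION_TABLE)ImageSecAddress;
        if (PTR(SecPkgTablePtr->Initialize) == PTR(SpInitializeExp)) {
            return (LPVOID)SecPkgTablePtr;
        }
    }

    return NULL;
}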
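/* Guard renamed from _SSP_H_: identifiers beginning with an underscore and
 * an uppercase letter are reserved for the implementation. */
#ifndef SSP_H_
#define SSP_H_

/* Uses LPVOID/VOID from <windows.h>; include that header before this one. */

/**
 * LocateFunctionTable()
 *
 * Locates the SECPKG_FUNCTION_TABLE in the .rdata section of the
 * already-loaded msv1_0.dll module.
 *
 * @return Pointer to the table on success; NULL on failure (for example
 *         when msv1_0.dll is not loaded in the calling process). The
 *         returned memory belongs to the module; the caller does not own
 *         or free it.
 */
LPVOID LocateFunctionTable(VOID);

#endif /* SSP_H_ */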