janoglezcampos · August 29, 2022 09:24 · ozcanerensayin · Aug 22, 2022
diff --git a/find_function.cpp b/find_function.cpp
 #include <windows.h>
 #include <stdio.h>
 #include <psapi.h>

 typedef char * (*ParseHeaders)(LPCSTR, int *);

 BOOL bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
 {
    for (; *szMask; ++szMask, ++pData, ++bMask)
        if (*szMask == 'x' && *pData != *bMask)  
            return 0;
    
    return (*szMask) == NULL;
 }
 
 DWORD_PTR FindPattern(DWORD_PTR dwAddress, DWORD dwLen, PBYTE bMask, PCHAR szMask)
 {
    for(DWORD i=0; i<dwLen; i++)
            if (bCompare((PBYTE)(dwAddress+i),bMask,szMask))  
                    return (DWORD_PTR)(dwAddress+i);
    return 0;
 }

 DWORD_PTR findFunctionAddr(PCHAR dllPath, PBYTE bMask, PCHAR szMask)
 {
    HMODULE hMod = GetModuleHandleA( TEXT(dllPath) );

    MODULEINFO modinfo = { NULL, };
    GetModuleInformation(GetCurrentProcess(), hMod, &modinfo, sizeof(modinfo));

    DWORD_PTR dwAddress = FindPattern((DWORD_PTR)hMod, modinfo.SizeOfImage, bMask, szMask);
    return dwAddress;
 }

 //M-SEARCH * HTTP/1.1 HOST: 192.168.0.1
 int main(int argc, char** argv)
 {
    PBYTE hdrParserFuncB = (PBYTE)"\x48\x89\x5c\x24\x10\x48\x89\x6c\x24\x18\x56\x57\x41\x56\x48\x83\xec\x20\x4c\x8b\xf2\x48\x8b\xd9\x48\xff\x15\xe1\x24\x03\x00\x0f\x1f\x44\x00\x00\x48\x63\xe8\x48\x8d\x15\x92\x2e\x03\x00\x48\x8b\xcb\x48\x03\xeb\x48\xff\x15\x1d\x27\x03\x00\x0f\x1f\x44\x00\x00\x48\x8b\xf0\x48\x85\xc0\x0f\x84\x4a\x04\x01\x00";
    PCHAR hdrParserFunctMask = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

    HMODULE ssdpapi;
    PCHAR dllPath;
    DWORD_PTR ptr;
    ParseHeaders parser;
    int msgType;
    char* result;

    dllPath = "ssdpsrv.dll";
 	  ssdpapi = LoadLibrary(TEXT(dllPath));
    
    ptr = findFunctionAddr(dllPath, hdrParserFuncB, hdrParserFunctMask);
    parser = (ParseHeaders) ptr;

    printf( TEXT("\t [-] Module address is: %p\n"), (void *)ssdpapi);
    printf( TEXT("\t [-] Function address is: %p\n"), (void *)ptr);
    printf( TEXT("\t [-] Trying call to %p\n"), (void *)ptr);
    printf( TEXT("\t [-] Input: %s\n"), argv[1]);

    result = parser(argv[1], &msgType);
    printf( TEXT("\t [-] Call done\n"));
  
    if(result == NULL){
        printf( TEXT("\t [-] Error\n"));
        FreeLibrary(ssdpapi);
        return 1;
    }

    printf( TEXT("\t [-] Ok\n"));
    printf( TEXT("\t [-] Output: %s\n"), result);
  
    FreeLibrary(ssdpapi);
    return 0;
 }
	#include <windows.h>
	#include <stdio.h>
	#include <psapi.h>

	typedef char * (ParseHeaders)(LPCSTR, int );

	BOOL bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
	{
	for (; *szMask; ++szMask, ++pData, ++bMask)
	if (szMask == 'x' && pData != *bMask)
	return 0;

	return (*szMask) == NULL;
	}

	DWORD_PTR FindPattern(DWORD_PTR dwAddress, DWORD dwLen, PBYTE bMask, PCHAR szMask)
	{
	for(DWORD i=0; i<dwLen; i++)
	if (bCompare((PBYTE)(dwAddress+i),bMask,szMask))
	return (DWORD_PTR)(dwAddress+i);
	return 0;
	}

	DWORD_PTR findFunctionAddr(PCHAR dllPath, PBYTE bMask, PCHAR szMask)
	{
	HMODULE hMod = GetModuleHandleA( TEXT(dllPath) );

	MODULEINFO modinfo = { NULL, };
	GetModuleInformation(GetCurrentProcess(), hMod, &modinfo, sizeof(modinfo));

	DWORD_PTR dwAddress = FindPattern((DWORD_PTR)hMod, modinfo.SizeOfImage, bMask, szMask);
	return dwAddress;
	}

	//M-SEARCH * HTTP/1.1 HOST: 192.168.0.1
	int main(int argc, char** argv)
	{
	PBYTE hdrParserFuncB = (PBYTE)"\x48\x89\x5c\x24\x10\x48\x89\x6c\x24\x18\x56\x57\x41\x56\x48\x83\xec\x20\x4c\x8b\xf2\x48\x8b\xd9\x48\xff\x15\xe1\x24\x03\x00\x0f\x1f\x44\x00\x00\x48\x63\xe8\x48\x8d\x15\x92\x2e\x03\x00\x48\x8b\xcb\x48\x03\xeb\x48\xff\x15\x1d\x27\x03\x00\x0f\x1f\x44\x00\x00\x48\x8b\xf0\x48\x85\xc0\x0f\x84\x4a\x04\x01\x00";
	PCHAR hdrParserFunctMask = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

	HMODULE ssdpapi;
	PCHAR dllPath;
	DWORD_PTR ptr;
	ParseHeaders parser;
	int msgType;
	char* result;

	dllPath = "ssdpsrv.dll";
	ssdpapi = LoadLibrary(TEXT(dllPath));

	ptr = findFunctionAddr(dllPath, hdrParserFuncB, hdrParserFunctMask);
	parser = (ParseHeaders) ptr;

	printf( TEXT("\t [-] Module address is: %p\n"), (void *)ssdpapi);
	printf( TEXT("\t [-] Function address is: %p\n"), (void *)ptr);
	printf( TEXT("\t [-] Trying call to %p\n"), (void *)ptr);
	printf( TEXT("\t [-] Input: %s\n"), argv[1]);

	result = parser(argv[1], &msgType);
	printf( TEXT("\t [-] Call done\n"));

	if(result == NULL){
	printf( TEXT("\t [-] Error\n"));
	FreeLibrary(ssdpapi);
	return 1;
	}

	printf( TEXT("\t [-] Ok\n"));
	printf( TEXT("\t [-] Output: %s\n"), result);

	FreeLibrary(ssdpapi);
	return 0;
	}