rfl890 · October 29, 2025 21:45
diff --git a/helloworld.c b/helloworld.c
 // Compile: cl /O2 /GS- helloworld.c chkstk.obj /link /NODEFAULTLIB /SUBSYSTEM:CONSOLE /ENTRY:entry

 #include <stdint.h>
 #include <stdbool.h>

 #include <Windows.h>
 #include <winternl.h>

 typedef HMODULE (*fp_LoadLibraryA)(LPCSTR);
 typedef HANDLE  (*fp_GetStdHandle)(DWORD);
 typedef BOOL    (*fp_WriteConsoleW)(HANDLE, const VOID *, DWORD, LPDWORD, LPVOID);

 size_t str_len(char *str) {
    size_t length = 0;
    while (*(str++)) {
        length++;
    }
    return length;
 }

 #define mem_cpy __movsb
 #define mem_set __stosb

 void wcs_to_str(char *dst, wchar_t *src, size_t length) {
    for (size_t i = 0; i < (length / 2); i++) {
        dst[i] = (char)src[i];
    }
 }

 bool mem_compare(char *a, char *b, size_t length, bool case_insensitive) {
    for (size_t i = 0; i < length; i++) {
        char c_a = a[i];
        char c_b = b[i];

        if (case_insensitive) {
            if ((c_a >= 97) && (c_a <= 122)) {
                c_a -= 32;
            }

            if ((c_b >= 97) && (c_b <= 122)) {
                c_b -= 32;
            }
        }

        if (c_a != c_b) { 
            return false;
        }
    }

    return true;
 }

 bool str_compare(char *a, char *b, bool case_insensitive) {
    size_t len_a = str_len(a);
    size_t len_b = str_len(b);

    if (len_a != len_b) return false;
    return mem_compare(a, b, len_a, case_insensitive);
 }

 char *path_to_filename(char *path) {
    char* last = path;

    while (*path) {
        if (*path == '\\' || *path == '/') {
            last = path + 1;
        }
        path++;
    }

    return last;
 }

 char *filename_without_ext(char *filename) {
    char* last = filename;

    while (*filename) {
        if (*filename == '.') {
            *filename = 0;
        }
        filename++;
    }

    return last;
 }


 void *get_proc_address(char *function_name, char *dll_name) {
    PEB *peb = (PEB *)__readgsqword(0x60);
    
    LIST_ENTRY *current_entry = peb->Ldr->InMemoryOrderModuleList.Flink->Flink;
    char *dll_base = NULL;
    char *owned_dll_name = _alloca(str_len(dll_name) + 1);
    
    mem_cpy(owned_dll_name, dll_name, str_len(dll_name) + 1);
    owned_dll_name = filename_without_ext(owned_dll_name);

    char m_dll_entry_name[MAX_PATH];
    char *dll_entry_name = m_dll_entry_name;

    while (1) {
        if (current_entry == &peb->Ldr->InMemoryOrderModuleList) {
            break;
        }

        LDR_DATA_TABLE_ENTRY *dll_entry = (LDR_DATA_TABLE_ENTRY *)(((char *)current_entry) - sizeof(LIST_ENTRY));
        
        mem_set(dll_entry_name, 0, MAX_PATH);
        wcs_to_str(dll_entry_name, dll_entry->FullDllName.Buffer, dll_entry->FullDllName.Length);

        dll_entry_name = path_to_filename(dll_entry_name);
        dll_entry_name = filename_without_ext(dll_entry_name);

        if (str_compare(owned_dll_name, dll_entry_name, true)) {
            dll_base = dll_entry->DllBase;
            break;
        }

        current_entry = current_entry->Flink;
    }

    if (dll_base == NULL) {
        return dll_base;
    }

    IMAGE_NT_HEADERS *nt_headers = (IMAGE_NT_HEADERS *)(dll_base + ((IMAGE_DOS_HEADER *)dll_base)->e_lfanew);
    IMAGE_EXPORT_DIRECTORY *export_directory = (IMAGE_EXPORT_DIRECTORY *)(dll_base + nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress);

    // array of RVAs to names
    DWORD *names = (DWORD *)(dll_base + export_directory->AddressOfNames);

    // mapping of name index to ordinals
    WORD *ordinals = (WORD *)(dll_base + export_directory->AddressOfNameOrdinals);

    // array of RVAs to function pointers
    DWORD *functions = (DWORD *)(dll_base + export_directory->AddressOfFunctions);

    int i;
    int index = -1;

    for (i = 0; i < export_directory->NumberOfNames; i++) {
        if (str_compare(dll_base + names[i], function_name, false)) {  
            index = i;
            break;
        }
    }

    if (index == -1) {
        return NULL;
    }

    WORD ordinal = ordinals[index];
    DWORD func_rva = functions[ordinal];

    if ((func_rva >= nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress) && (func_rva <= (nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress + nt_headers->OptionalHeader.DataDirectory[0].Size))) {
        // Redirected symbol
        char *redir_name_owned = _alloca(str_len(dll_base + func_rva) + 1);
        mem_cpy((unsigned char *)redir_name_owned, (unsigned char *)(dll_base + func_rva), str_len(dll_base + func_rva) + 1);
        
        char *dll_name = filename_without_ext(redir_name_owned);
        char *func_name = redir_name_owned + str_len(dll_name) + 1;

        // Load the dll
        ((fp_LoadLibraryA)get_proc_address("LoadLibraryA", "kernel32.dll"))(dll_name);

        return get_proc_address(func_name, dll_name);
    }

    return dll_base + func_rva;
 }

 int __stdcall entry() {
    fp_GetStdHandle GetStdHandle = get_proc_address("GetStdHandle", "kernel32.dll");
    fp_WriteConsoleW WriteConsoleW = get_proc_address("WriteConsoleW", "kernel32.dll");

    WriteConsoleW(GetStdHandle(STD_OUTPUT_HANDLE), L"Hello, world!\n", 14, NULL, NULL);

    return 0;
 }
	// Compile: cl /O2 /GS- helloworld.c chkstk.obj /link /NODEFAULTLIB /SUBSYSTEM:CONSOLE /ENTRY:entry

	#include <stdint.h>
	#include <stdbool.h>

	#include <Windows.h>
	#include <winternl.h>

	typedef HMODULE (*fp_LoadLibraryA)(LPCSTR);
	typedef HANDLE (*fp_GetStdHandle)(DWORD);
	typedef BOOL (fp_WriteConsoleW)(HANDLE, const VOID , DWORD, LPDWORD, LPVOID);

	size_t str_len(char *str) {
	size_t length = 0;
	while (*(str++)) {
	length++;
	}
	return length;
	}

	#define mem_cpy __movsb
	#define mem_set __stosb

	void wcs_to_str(char dst, wchar_t src, size_t length) {
	for (size_t i = 0; i < (length / 2); i++) {
	dst[i] = (char)src[i];
	}
	}

	bool mem_compare(char a, char b, size_t length, bool case_insensitive) {
	for (size_t i = 0; i < length; i++) {
	char c_a = a[i];
	char c_b = b[i];

	if (case_insensitive) {
	if ((c_a >= 97) && (c_a <= 122)) {
	c_a -= 32;
	}

	if ((c_b >= 97) && (c_b <= 122)) {
	c_b -= 32;
	}
	}

	if (c_a != c_b) {
	return false;
	}
	}

	return true;
	}

	bool str_compare(char a, char b, bool case_insensitive) {
	size_t len_a = str_len(a);
	size_t len_b = str_len(b);

	if (len_a != len_b) return false;
	return mem_compare(a, b, len_a, case_insensitive);
	}

	char path_to_filename(char path) {
	char* last = path;

	while (*path) {
	if (path == '\\' \|\| path == '/') {
	last = path + 1;
	}
	path++;
	}

	return last;
	}

	char filename_without_ext(char filename) {
	char* last = filename;

	while (*filename) {
	if (*filename == '.') {
	*filename = 0;
	}
	filename++;
	}

	return last;
	}


	void get_proc_address(char function_name, char *dll_name) {
	PEB peb = (PEB )__readgsqword(0x60);

	LIST_ENTRY *current_entry = peb->Ldr->InMemoryOrderModuleList.Flink->Flink;
	char *dll_base = NULL;
	char *owned_dll_name = _alloca(str_len(dll_name) + 1);

	mem_cpy(owned_dll_name, dll_name, str_len(dll_name) + 1);
	owned_dll_name = filename_without_ext(owned_dll_name);

	char m_dll_entry_name[MAX_PATH];
	char *dll_entry_name = m_dll_entry_name;

	while (1) {
	if (current_entry == &peb->Ldr->InMemoryOrderModuleList) {
	break;
	}

	LDR_DATA_TABLE_ENTRY dll_entry = (LDR_DATA_TABLE_ENTRY )(((char *)current_entry) - sizeof(LIST_ENTRY));

	mem_set(dll_entry_name, 0, MAX_PATH);
	wcs_to_str(dll_entry_name, dll_entry->FullDllName.Buffer, dll_entry->FullDllName.Length);

	dll_entry_name = path_to_filename(dll_entry_name);
	dll_entry_name = filename_without_ext(dll_entry_name);

	if (str_compare(owned_dll_name, dll_entry_name, true)) {
	dll_base = dll_entry->DllBase;
	break;
	}

	current_entry = current_entry->Flink;
	}

	if (dll_base == NULL) {
	return dll_base;
	}

	IMAGE_NT_HEADERS nt_headers = (IMAGE_NT_HEADERS )(dll_base + ((IMAGE_DOS_HEADER *)dll_base)->e_lfanew);
	IMAGE_EXPORT_DIRECTORY export_directory = (IMAGE_EXPORT_DIRECTORY )(dll_base + nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress);

	// array of RVAs to names
	DWORD names = (DWORD )(dll_base + export_directory->AddressOfNames);

	// mapping of name index to ordinals
	WORD ordinals = (WORD )(dll_base + export_directory->AddressOfNameOrdinals);

	// array of RVAs to function pointers
	DWORD functions = (DWORD )(dll_base + export_directory->AddressOfFunctions);

	int i;
	int index = -1;

	for (i = 0; i < export_directory->NumberOfNames; i++) {
	if (str_compare(dll_base + names[i], function_name, false)) {
	index = i;
	break;
	}
	}

	if (index == -1) {
	return NULL;
	}

	WORD ordinal = ordinals[index];
	DWORD func_rva = functions[ordinal];

	if ((func_rva >= nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress) && (func_rva <= (nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress + nt_headers->OptionalHeader.DataDirectory[0].Size))) {
	// Redirected symbol
	char *redir_name_owned = _alloca(str_len(dll_base + func_rva) + 1);
	mem_cpy((unsigned char )redir_name_owned, (unsigned char )(dll_base + func_rva), str_len(dll_base + func_rva) + 1);

	char *dll_name = filename_without_ext(redir_name_owned);
	char *func_name = redir_name_owned + str_len(dll_name) + 1;

	// Load the dll
	((fp_LoadLibraryA)get_proc_address("LoadLibraryA", "kernel32.dll"))(dll_name);

	return get_proc_address(func_name, dll_name);
	}

	return dll_base + func_rva;
	}

	int __stdcall entry() {
	fp_GetStdHandle GetStdHandle = get_proc_address("GetStdHandle", "kernel32.dll");
	fp_WriteConsoleW WriteConsoleW = get_proc_address("WriteConsoleW", "kernel32.dll");

	WriteConsoleW(GetStdHandle(STD_OUTPUT_HANDLE), L"Hello, world!\n", 14, NULL, NULL);

	return 0;
	}
No results found