diff --git a/include/Domito.h b/include/Domito.h
index da79dda..cd44ba2 100644
--- a/include/Domito.h
+++ b/include/Domito.h
@@ -3,9 +3,12 @@
 #include
-/********************************************************************************
- * Memory management *
- ********************************************************************************/
+/* __ __ __ __ _
+ * | \/ |___ _ __ ___ _ _ _ _ | \/ |__ _ _ _ __ _ __ _ ___ _ __ ___ _ _| |_
+ * | |\/| / -_) ' \/ _ \ '_| || | | |\/| / _` | ' \/ _` / _` / -_) ' \/ -_) ' \ _|
+ * |_| |_\___|_|_|_\___/_| \_, | |_| |_\__,_|_||_\__,_\__, \___|_|_|_\___|_||_\__|
+ * |__/ |___/
+ */
 //
 // Allocator function the library uses.
@@ -64,9 +67,12 @@ DomitoSetMemoryFunctions(
 );
-/********************************************************************************
- * Cryptography *
- ********************************************************************************/
+/* ___ _ _
+ * / __|_ _ _ _ _ __| |_ ___ __ _ _ _ __ _ _ __| |_ _ _
+ * | (__| '_| || | '_ \ _/ _ \/ _` | '_/ _` | '_ \ ' \ || |
+ * \___|_| \_, | .__/\__\___/\__, |_| \__,_| .__/_||_\_, |
+ * |__/|_| |___/ |_| |__/
+ */
 //
 // This structure encapsulates a signature used in verifying executable files.
diff --git a/src/Domito.Internal.h b/src/Domito.Internal.h
new file mode 100644
index 0000000..76d416a
--- /dev/null
+++ b/src/Domito.Internal.h
@@ -0,0 +1,120 @@
+/* ___ _ _ _
+ * |_ _|_ _| |_ ___ _ _ _ _ __ _| | | |_ _ _ _ __ ___ ___
+ * | || ' \ _/ -_) '_| ' \/ _` | | | _| || | '_ \/ -_|_-<
+ * |___|_||_\__\___|_| |_||_\__,_|_| \__|\_, | .__/\___/__/
+ * |__/|_|
+ */
+
+#pragma once
+
+#include
+#include
+#include
+#include
+
+#include "Domito.h"
+#include "Domito.MinCrypt.h"
+
+
+/* _ _ _ ___ _ _ _
+ * | \| | |_| \| | | ___| |_ __
+ * | .` | _| |) | | | / -_) _/ _|_
+ * |_|\_|\__|___/|_|_| \___|\__\__(_)
+ *
+ */
+
+ // Structure representing a loaded module
+typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
+{
+ PVOID Unknown1;
+ PVOID Unknown2;
+ PVOID Base;
+ ULONG Size;
+ ULONG Flags;
+ USHORT Index;
+ USHORT NameLength;
+ USHORT LoadCount;
+ USHORT PathLength;
+ CHAR ImageName[256];
+} SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
+
+// Structure representing the loaded module information
+typedef struct _SYSTEM_MODULE_INFORMATION
+{
+ ULONG Count;
+ SYSTEM_MODULE_INFORMATION_ENTRY Module[ANYSIZE_ARRAY];
+} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
+
+// Function prototype for ZwQuerySystemInformation
+NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
+ ULONG SystemInformationClass,
+ PVOID SystemInformation,
+ ULONG SystemInformationLength,
+ PULONG ReturnLength
+);
+
+typedef struct _LDR_DATA_TABLE_ENTRY
+{
+ LIST_ENTRY64 InLoadOrderLinks;
+ PVOID ExceptionTable;
+ ULONG ExceptionTableSize;
+ PVOID GpValue;
+ PVOID NonPagedDebugInfo;
+ PVOID ImageBase;
+ PVOID EntryPoint;
+ ULONG SizeOfImage;
+ UNICODE_STRING FullImageName;
+ UNICODE_STRING BaseImageName;
+ ULONG Flags;
+ USHORT LoadCount;
+ USHORT TlsIndex;
+ LIST_ENTRY64 HashLinks;
+ PVOID SectionPointer;
+ ULONG CheckSum;
+ ULONG TimeDateStamp;
+ PVOID LoadedImports;
+ PVOID EntryPointActivationContext;
+ PVOID PatchInformation;
+} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
+
+typedef PVOID(NTAPI* t_RtlImageDirectoryEntryToData)(
+ IN PVOID Base,
+ IN BOOLEAN MappedAsImage,
+ IN USHORT DirectoryEntry,
+ OUT PULONG Size
+ );
+
+typedef NTSTATUS(*QUERY_INFO_PROCESS) (
+ __in HANDLE ProcessHandle,
+ __in PROCESSINFOCLASS ProcessInformationClass,
+ __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
+ __in ULONG ProcessInformationLength,
+ __out_opt PULONG ReturnLength
+ );
+
+/* __ __ __ __ _
+ * | \/ |___ _ __ ___ _ _ _ _ | \/ |__ _ _ _ __ _ __ _ ___ _ __ ___ _ _| |_
+ * | |\/| / -_) ' \/ _ \ '_| || | | |\/| / _` | ' \/ _` / _` / -_) ' \/ -_) ' \ _|
+ * |_| |_\___|_|_|_\___/_| \_, | |_| |_\__,_|_||_\__,_\__, \___|_|_|_\___|_||_\__|
+ * |__/ |___/
+ */
+
+//
+// Default pool tag
+//
+#define DOMITO_POOL_TAG 'imoD'
+
+//
+// Function pointers for malloc/free variants
+//
+typedef struct
+{
+ PFN_DOMITO_ALLOCATE_ROUTINE Allocate;
+
+ PFN_DOMITO_FREE_ROUTINE Free;
+} DOMITO_MEMORY;
+
+//
+// Global instance, individual field can be adjusted by the caller
+//
+extern DOMITO_MEMORY G_Memory;
diff --git a/src/Domito.Memory.cpp b/src/Domito.Memory.cpp
new file mode 100644
index 0000000..f724e4e
--- /dev/null
+++ b/src/Domito.Memory.cpp
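Review bot: The comment above `extern DOMITO_MEMORY G_Memory;` ("individual field can be adjusted by the caller") invites writing the fields directly, which bypasses the NULL check DomitoSetMemoryFunctions performs before it installs a routine; what was a file-static table in Domito.cpp is now writable from every translation unit that includes this header. Reword it to `// Global instance; change it through DomitoSetMemoryFunctions(), which ignores a NULL routine, rather than by assigning the fields directly` so the guarded entry point is the documented one. The `DOMITO_POOL_TAG` definition would also benefit from a note on why the literal is spelled backwards, e.g. `// Pool tag; multi-character constants are stored little-endian, so 'imoD' appears as "Domi" in pool tooling`. Which other translation units depend on the extern is not visible in this diff.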
@@ -0,0 +1,77 @@
+/* __ __ __ __ _
+ * | \/ |___ _ __ ___ _ _ _ _ | \/ |__ _ _ _ __ _ __ _ ___ _ __ ___ _ _| |_
+ * | |\/| / -_) ' \/ _ \ '_| || | | |\/| / _` | ' \/ _` / _` / -_) ' \/ -_) ' \ _|
+ * |_| |_\___|_|_|_\___/_| \_, | |_| |_\__,_|_||_\__,_\__, \___|_|_|_\___|_||_\__|
+ * |__/ |___/
+ */
+
+#include "Domito.Internal.h"
+
+
+static PVOID NTAPI DomitoDefaultMalloc(size_t s)
+{
+#pragma warning(disable:4996)
+ return ExAllocatePoolWithTag(NonPagedPool, s, DOMITO_POOL_TAG);
+#pragma warninf(default:4996)
+}
+
+static void NTAPI DomitoDefaultFree(PVOID p)
+{
+ ExFreePoolWithTag(p, DOMITO_POOL_TAG);
+}
+
+DOMITO_MEMORY G_Memory = {
+ DomitoDefaultMalloc,
+ DomitoDefaultFree
+};
+
+void
+DomitoGetOriginalMemoryFunctions(
+ _Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
+ _Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
+)
+{
+ if (Allocator)
+ {
+ *Allocator = DomitoDefaultMalloc;
+ }
+
+ if (Free)
+ {
+ *Free = DomitoDefaultFree;
+ }
+}
+
+void
+DomitoGetMemoryFunctions(
+ _Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
+ _Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
+)
+{
+ if (Allocator)
+ {
+ *Allocator = G_Memory.Allocate;
+ }
+
+ if (Free)
+ {
+ *Free = G_Memory.Free;
+ }
+}
+
+void
+DomitoSetMemoryFunctions(
+ _In_opt_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
+ _In_opt_ PFN_DOMITO_FREE_ROUTINE Free
+)
+{
+ if (Allocator)
+ {
+ G_Memory.Allocate = Allocator;
+ }
+
+ if (Free)
+ {
+ G_Memory.Free = Free;
+ }
+}
diff --git a/src/Domito.cpp b/src/Domito.cpp
index 7cf0eab..1810f9f 100644
--- a/src/Domito.cpp
+++ b/src/Domito.cpp
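Review bot: `#pragma warninf(default:4996)` in DomitoDefaultMalloc is a typo carried over verbatim from Domito.cpp: it is not a recognised pragma, so the compiler will most likely flag it as unknown and, more importantly, the deprecation warning disabled on the line above is never re-enabled for the rest of the translation unit. Change it to `#pragma warning(default:4996)`, or bracket the call with `#pragma warning(push)` / `#pragma warning(pop)` so the suppression cannot leak past this function. Since the silenced warning concerns the deprecated allocator, a one-line comment at the call site such as `// Non-paged pool, not zeroed; callers must initialise what they use` would make the allocator's contract explicit for the code that now lives in other files. The "Memory management" banner left behind in Domito.cpp now heads an empty section and could be removed together with this move.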
@@ -1,84 +1,5 @@
-#include
-#include
-#include
-#include
+#include "Domito.Internal.h"
-#include "Domito.h"
-#include "Domito.MinCrypt.h"
-
-
-/********************************************************************************
- * NtDll and other internal types *
- ********************************************************************************/
-
-// Structure representing a loaded module
-typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
-{
- PVOID Unknown1;
- PVOID Unknown2;
- PVOID Base;
- ULONG Size;
- ULONG Flags;
- USHORT Index;
- USHORT NameLength;
- USHORT LoadCount;
- USHORT PathLength;
- CHAR ImageName[256];
-} SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
-
-// Structure representing the loaded module information
-typedef struct _SYSTEM_MODULE_INFORMATION
-{
- ULONG Count;
- SYSTEM_MODULE_INFORMATION_ENTRY Module[ANYSIZE_ARRAY];
-} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
-
-// Function prototype for ZwQuerySystemInformation
-NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
- ULONG SystemInformationClass,
- PVOID SystemInformation,
- ULONG SystemInformationLength,
- PULONG ReturnLength
-);
-
-typedef struct _LDR_DATA_TABLE_ENTRY
-{
- LIST_ENTRY64 InLoadOrderLinks;
- PVOID ExceptionTable;
- ULONG ExceptionTableSize;
- PVOID GpValue;
- PVOID NonPagedDebugInfo;
- PVOID ImageBase;
- PVOID EntryPoint;
- ULONG SizeOfImage;
- UNICODE_STRING FullImageName;
- UNICODE_STRING BaseImageName;
- ULONG Flags;
- USHORT LoadCount;
- USHORT TlsIndex;
- LIST_ENTRY64 HashLinks;
- PVOID SectionPointer;
- ULONG CheckSum;
- ULONG TimeDateStamp;
- PVOID LoadedImports;
- PVOID EntryPointActivationContext;
- PVOID PatchInformation;
-} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
-
-typedef PVOID(NTAPI* t_RtlImageDirectoryEntryToData)(
- IN PVOID Base,
- IN BOOLEAN MappedAsImage,
- IN USHORT DirectoryEntry,
- OUT PULONG Size
- );
-
-typedef NTSTATUS(*QUERY_INFO_PROCESS) (
- __in HANDLE ProcessHandle,
- __in PROCESSINFOCLASS ProcessInformationClass,
- __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
- __in ULONG ProcessInformationLength,
- __out_opt PULONG ReturnLength
- );
 static QUERY_INFO_PROCESS ZwQueryInformationProcess;
@@ -87,80 +8,9 @@ static QUERY_INFO_PROCESS ZwQueryInformationProcess;
 * Memory management *
 ********************************************************************************/
-#define DOMITO_POOL_TAG 'imoD'
-static PVOID NTAPI DomitoDefaultMalloc(size_t s)
-{
-#pragma warning(disable:4996)
- return ExAllocatePoolWithTag(NonPagedPool, s, DOMITO_POOL_TAG);
-#pragma warninf(default:4996)
-}
-static void NTAPI DomitoDefaultFree(PVOID p)
-{
- ExFreePoolWithTag(p, DOMITO_POOL_TAG);
-}
-static struct
-{
- PFN_DOMITO_ALLOCATE_ROUTINE Allocate;
-
- PFN_DOMITO_FREE_ROUTINE Free;
-} G_Memory = {
- DomitoDefaultMalloc,
- DomitoDefaultFree
-};
-
-void
-DomitoGetOriginalMemoryFunctions(
- _Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
- _Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
-)
-{
- if (Allocator)
- {
- *Allocator = DomitoDefaultMalloc;
- }
-
- if (Free)
- {
- *Free = DomitoDefaultFree;
- }
-}
-
-void
-DomitoGetMemoryFunctions(
- _Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
- _Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
-)
-{
- if (Allocator)
- {
- *Allocator = G_Memory.Allocate;
- }
-
- if (Free)
- {
- *Free = G_Memory.Free;
- }
-}
-
-void
-DomitoSetMemoryFunctions(
- _In_opt_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
- _In_opt_ PFN_DOMITO_FREE_ROUTINE Free
-)
-{
- if (Allocator)
- {
- G_Memory.Allocate = Allocator;
- }
-
- if (Free)
- {
- G_Memory.Free = Free;
- }
-}
 /********************************************************************************
diff --git a/src/Domito.vcxproj b/src/Domito.vcxproj
index 82e11bb..d7e7f0f 100644
--- a/src/Domito.vcxproj
+++ b/src/Domito.vcxproj
@@ -118,10 +118,12 @@ + +
diff --git a/src/Domito.vcxproj.filters b/src/Domito.vcxproj.filters
index 9d8d3f1..e50ca77 100644
--- a/src/Domito.vcxproj.filters
+++ b/src/Domito.vcxproj.filters
@@ -22,6 +22,9 @@ Source Files + + Source Files +
@@ -30,5 +33,8 @@ Header Files + + Header Files +
\ No newline at end of file