Started splitting code into more modular forms

2023-07-02 18:42:52 +02:00
parent 47c1e3c0a8
commit 98104e8120
6 changed files with 218 additions and 157 deletions
+1 -151
@@ -1,84 +1,5 @@
#include <ntifs.h>
#include <ntintsafe.h>
#include <ntimage.h>
#include <bcrypt.h>
#include "Domito.Internal.h"
#include "Domito.h"
#include "Domito.MinCrypt.h"
/********************************************************************************
* NtDll and other internal types *
********************************************************************************/
// Structure representing a loaded module
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
// Structure representing the loaded module information
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[ANYSIZE_ARRAY];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
// Function prototype for ZwQuerySystemInformation
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY64 InLoadOrderLinks;
PVOID ExceptionTable;
ULONG ExceptionTableSize;
PVOID GpValue;
PVOID NonPagedDebugInfo;
PVOID ImageBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullImageName;
UNICODE_STRING BaseImageName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY64 HashLinks;
PVOID SectionPointer;
ULONG CheckSum;
ULONG TimeDateStamp;
PVOID LoadedImports;
PVOID EntryPointActivationContext;
PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
typedef PVOID(NTAPI* t_RtlImageDirectoryEntryToData)(
IN PVOID Base,
IN BOOLEAN MappedAsImage,
IN USHORT DirectoryEntry,
OUT PULONG Size
);
typedef NTSTATUS(*QUERY_INFO_PROCESS) (
__in HANDLE ProcessHandle,
__in PROCESSINFOCLASS ProcessInformationClass,
__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
__in ULONG ProcessInformationLength,
__out_opt PULONG ReturnLength
);
static QUERY_INFO_PROCESS ZwQueryInformationProcess;
@@ -87,80 +8,9 @@ static QUERY_INFO_PROCESS ZwQueryInformationProcess;
* Memory management *
********************************************************************************/
#define DOMITO_POOL_TAG 'imoD'
static PVOID NTAPI DomitoDefaultMalloc(size_t s)
{
#pragma warning(disable:4996)
return ExAllocatePoolWithTag(NonPagedPool, s, DOMITO_POOL_TAG);
#pragma warninf(default:4996)
}
static void NTAPI DomitoDefaultFree(PVOID p)
{
ExFreePoolWithTag(p, DOMITO_POOL_TAG);
}
static struct
{
PFN_DOMITO_ALLOCATE_ROUTINE Allocate;
PFN_DOMITO_FREE_ROUTINE Free;
} G_Memory = {
DomitoDefaultMalloc,
DomitoDefaultFree
};
void
DomitoGetOriginalMemoryFunctions(
_Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
_Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
)
{
if (Allocator)
{
*Allocator = DomitoDefaultMalloc;
}
if (Free)
{
*Free = DomitoDefaultFree;
}
}
void
DomitoGetMemoryFunctions(
_Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
_Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
)
{
if (Allocator)
{
*Allocator = G_Memory.Allocate;
}
if (Free)
{
*Free = G_Memory.Free;
}
}
void
DomitoSetMemoryFunctions(
_In_opt_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_opt_ PFN_DOMITO_FREE_ROUTINE Free
)
{
if (Allocator)
{
G_Memory.Allocate = Allocator;
}
if (Free)
{
G_Memory.Free = Free;
}
}
/********************************************************************************