nefarius/Domito
1
0
Fork 0
Code Issues Activity

Started splitting code into more modular forms

Browse Source
This commit is contained in:
Benjamin Höglinger-Stelzer 2023-07-02 18:42:52 +02:00
parent 47c1e3c0a8
commit 98104e8120
6 changed files with 218 additions and 157 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
include/Domito.h
View File

@ -3,9 +3,12 @@
#include <Domito.MinCrypt.h> #include <Domito.MinCrypt.h>
/******************************************************************************** /* __ __ __ __ _
* Memory management * * | \/ |___ _ __ ___ _ _ _ _ | \/ |__ _ _ _ __ _ __ _ ___ _ __ ___ _ _| |_
********************************************************************************/ * | |\/| / -_) ' \/ _ \ '_| || | | |\/| / _` | ' \/ _` / _` / -_) ' \/ -_) ' \ _|
* |_| |_\___|_|_|_\___/_| \_, | |_| |_\__,_|_||_\__,_\__, \___|_|_|_\___|_||_\__|
* |__/ |___/
*/
// //
// Allocator function the library uses. // Allocator function the library uses.
@ -64,9 +67,12 @@ DomitoSetMemoryFunctions(
); );
/******************************************************************************** /* ___ _ _
* Cryptography * * / __|_ _ _ _ _ __| |_ ___ __ _ _ _ __ _ _ __| |_ _ _
********************************************************************************/ * | (__| '_| || | '_ \ _/ _ \/ _` | '_/ _` | '_ \ ' \ || |
* \___|_| \_, | .__/\__\___/\__, |_| \__,_| .__/_||_\_, |
* |__/|_| |___/ |_| |__/
*/
// //
// This structure encapsulates a signature used in verifying executable files. // This structure encapsulates a signature used in verifying executable files.

120
src/Domito.Internal.h Normal file
View File

@ -0,0 +1,120 @@
/* ___ _ _ _
* |_ _|_ _| |_ ___ _ _ _ _ __ _| | | |_ _ _ _ __ ___ ___
* | || ' \ _/ -_) '_| ' \/ _` | | | _| || | '_ \/ -_|_-<
* |___|_||_\__\___|_| |_||_\__,_|_| \__|\_, | .__/\___/__/
* |__/|_|
*/
#pragma once
#include <ntifs.h>
#include <ntintsafe.h>
#include <ntimage.h>
#include <bcrypt.h>
#include "Domito.h"
#include "Domito.MinCrypt.h"
/* _ _ _ ___ _ _ _
* | \| | |_| \| | | ___| |_ __
* | .` | _| |) | | | / -_) _/ _|_
* |_|\_|\__|___/|_|_| \___|\__\__(_)
*
*/
// Structure representing a loaded module
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
// Structure representing the loaded module information
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[ANYSIZE_ARRAY];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
// Function prototype for ZwQuerySystemInformation
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY64 InLoadOrderLinks;
PVOID ExceptionTable;
ULONG ExceptionTableSize;
PVOID GpValue;
PVOID NonPagedDebugInfo;
PVOID ImageBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullImageName;
UNICODE_STRING BaseImageName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY64 HashLinks;
PVOID SectionPointer;
ULONG CheckSum;
ULONG TimeDateStamp;
PVOID LoadedImports;
PVOID EntryPointActivationContext;
PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
typedef PVOID(NTAPI* t_RtlImageDirectoryEntryToData)(
IN PVOID Base,
IN BOOLEAN MappedAsImage,
IN USHORT DirectoryEntry,
OUT PULONG Size
);
typedef NTSTATUS(*QUERY_INFO_PROCESS) (
__in HANDLE ProcessHandle,
__in PROCESSINFOCLASS ProcessInformationClass,
__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
__in ULONG ProcessInformationLength,
__out_opt PULONG ReturnLength
);
/* __ __ __ __ _
* | \/ |___ _ __ ___ _ _ _ _ | \/ |__ _ _ _ __ _ __ _ ___ _ __ ___ _ _| |_
* | |\/| / -_) ' \/ _ \ '_| || | | |\/| / _` | ' \/ _` / _` / -_) ' \/ -_) ' \ _|
* |_| |_\___|_|_|_\___/_| \_, | |_| |_\__,_|_||_\__,_\__, \___|_|_|_\___|_||_\__|
* |__/ |___/
*/
//
// Default pool tag
//
#define DOMITO_POOL_TAG 'imoD'
//
// Function pointers for malloc/free variants
//
typedef struct
{
PFN_DOMITO_ALLOCATE_ROUTINE Allocate;
PFN_DOMITO_FREE_ROUTINE Free;
} DOMITO_MEMORY;
//
// Global instance, individual field can be adjusted by the caller
//
extern DOMITO_MEMORY G_Memory;

77
src/Domito.Memory.cpp Normal file
View File

@ -0,0 +1,77 @@
/* __ __ __ __ _
* | \/ |___ _ __ ___ _ _ _ _ | \/ |__ _ _ _ __ _ __ _ ___ _ __ ___ _ _| |_
* | |\/| / -_) ' \/ _ \ '_| || | | |\/| / _` | ' \/ _` / _` / -_) ' \/ -_) ' \ _|
* |_| |_\___|_|_|_\___/_| \_, | |_| |_\__,_|_||_\__,_\__, \___|_|_|_\___|_||_\__|
* |__/ |___/
*/
#include "Domito.Internal.h"
static PVOID NTAPI DomitoDefaultMalloc(size_t s)
{
#pragma warning(disable:4996)
return ExAllocatePoolWithTag(NonPagedPool, s, DOMITO_POOL_TAG);
#pragma warninf(default:4996)
}
static void NTAPI DomitoDefaultFree(PVOID p)
{
ExFreePoolWithTag(p, DOMITO_POOL_TAG);
}
DOMITO_MEMORY G_Memory = {
DomitoDefaultMalloc,
DomitoDefaultFree
};
void
DomitoGetOriginalMemoryFunctions(
_Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
_Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
)
{
if (Allocator)
{
*Allocator = DomitoDefaultMalloc;
}
if (Free)
{
*Free = DomitoDefaultFree;
}
}
void
DomitoGetMemoryFunctions(
_Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
_Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
)
{
if (Allocator)
{
*Allocator = G_Memory.Allocate;
}
if (Free)
{
*Free = G_Memory.Free;
}
}
void
DomitoSetMemoryFunctions(
_In_opt_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_opt_ PFN_DOMITO_FREE_ROUTINE Free
)
{
if (Allocator)
{
G_Memory.Allocate = Allocator;
}
if (Free)
{
G_Memory.Free = Free;
}
}

152
src/Domito.cpp
View File

@ -1,84 +1,5 @@
#include <ntifs.h> #include "Domito.Internal.h"
#include <ntintsafe.h>
#include <ntimage.h>
#include <bcrypt.h>
#include "Domito.h"
#include "Domito.MinCrypt.h"
/********************************************************************************
* NtDll and other internal types *
********************************************************************************/
// Structure representing a loaded module
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
// Structure representing the loaded module information
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[ANYSIZE_ARRAY];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
// Function prototype for ZwQuerySystemInformation
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY64 InLoadOrderLinks;
PVOID ExceptionTable;
ULONG ExceptionTableSize;
PVOID GpValue;
PVOID NonPagedDebugInfo;
PVOID ImageBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullImageName;
UNICODE_STRING BaseImageName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY64 HashLinks;
PVOID SectionPointer;
ULONG CheckSum;
ULONG TimeDateStamp;
PVOID LoadedImports;
PVOID EntryPointActivationContext;
PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
typedef PVOID(NTAPI* t_RtlImageDirectoryEntryToData)(
IN PVOID Base,
IN BOOLEAN MappedAsImage,
IN USHORT DirectoryEntry,
OUT PULONG Size
);
typedef NTSTATUS(*QUERY_INFO_PROCESS) (
__in HANDLE ProcessHandle,
__in PROCESSINFOCLASS ProcessInformationClass,
__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
__in ULONG ProcessInformationLength,
__out_opt PULONG ReturnLength
);
static QUERY_INFO_PROCESS ZwQueryInformationProcess; static QUERY_INFO_PROCESS ZwQueryInformationProcess;
@ -87,80 +8,9 @@ static QUERY_INFO_PROCESS ZwQueryInformationProcess;
* Memory management * * Memory management *
********************************************************************************/ ********************************************************************************/
#define DOMITO_POOL_TAG 'imoD'
static PVOID NTAPI DomitoDefaultMalloc(size_t s)
{
#pragma warning(disable:4996)
return ExAllocatePoolWithTag(NonPagedPool, s, DOMITO_POOL_TAG);
#pragma warninf(default:4996)
}
static void NTAPI DomitoDefaultFree(PVOID p)
{
ExFreePoolWithTag(p, DOMITO_POOL_TAG);
}
static struct
{
PFN_DOMITO_ALLOCATE_ROUTINE Allocate;
PFN_DOMITO_FREE_ROUTINE Free;
} G_Memory = {
DomitoDefaultMalloc,
DomitoDefaultFree
};
void
DomitoGetOriginalMemoryFunctions(
_Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
_Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
)
{
if (Allocator)
{
*Allocator = DomitoDefaultMalloc;
}
if (Free)
{
*Free = DomitoDefaultFree;
}
}
void
DomitoGetMemoryFunctions(
_Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
_Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
)
{
if (Allocator)
{
*Allocator = G_Memory.Allocate;
}
if (Free)
{
*Free = G_Memory.Free;
}
}
void
DomitoSetMemoryFunctions(
_In_opt_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_opt_ PFN_DOMITO_FREE_ROUTINE Free
)
{
if (Allocator)
{
G_Memory.Allocate = Allocator;
}
if (Free)
{
G_Memory.Free = Free;
}
}
/******************************************************************************** /********************************************************************************

2
src/Domito.vcxproj
View File

@ -118,10 +118,12 @@
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="Domito.cpp" /> <ClCompile Include="Domito.cpp" />
<ClCompile Include="Domito.Memory.cpp" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="..\include\Domito.MinCrypt.h" /> <ClInclude Include="..\include\Domito.MinCrypt.h" />
<ClInclude Include="..\include\Domito.h" /> <ClInclude Include="..\include\Domito.h" />
<ClInclude Include="Domito.Internal.h" />
</ItemGroup> </ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets"> <ImportGroup Label="ExtensionTargets">

6
src/Domito.vcxproj.filters
View File

@ -22,6 +22,9 @@
<ClCompile Include="Domito.cpp"> <ClCompile Include="Domito.cpp">
<Filter>Source Files</Filter> <Filter>Source Files</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="Domito.Memory.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="..\include\Domito.h"> <ClInclude Include="..\include\Domito.h">
@ -30,5 +33,8 @@
<ClInclude Include="..\include\Domito.MinCrypt.h"> <ClInclude Include="..\include\Domito.MinCrypt.h">
<Filter>Header Files</Filter> <Filter>Header Files</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="Domito.Internal.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup> </ItemGroup>
</Project> </Project>