From 61e80977b6270a4831262ee62e1a0789a69dabe7 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Fri, 9 Sep 2022 12:37:13 -0400 Subject: [PATCH 1/8] Fix compiler warnings Fix compiler warnings 4018, 4047, 4244, and 4267 --- COFFLoader.c | 12 ++++++------ beacon_compatibility.c | 12 ++++-------- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/COFFLoader.c b/COFFLoader.c index 2dc9fbe..ef10bca 100644 --- a/COFFLoader.c +++ b/COFFLoader.c @@ -35,7 +35,7 @@ unsigned char* unhexlify(unsigned char* value, int *outlen) { unsigned char* retval = NULL; char byteval[3] = { 0 }; - int counter = 0; + unsigned int counter = 0; int counter2 = 0; char character = 0; if (value == NULL) { @@ -55,7 +55,7 @@ unsigned char* unhexlify(unsigned char* value, int *outlen) { counter2 = 0; for (counter = 0; counter < strlen((char*)value); counter += 2) { memcpy(byteval, value + counter, 2); - character = strtol(byteval, NULL, 16); + character = (char)strtol(byteval, NULL, 16); memcpy(retval + counter2, &character, 1); counter2++; } @@ -73,7 +73,7 @@ unsigned char* unhexlify(unsigned char* value, int *outlen) { unsigned char* getContents(char* filepath, uint32_t* outsize) { FILE *fin = NULL; uint32_t fsize = 0; - uint32_t readsize = 0; + size_t readsize = 0; unsigned char* buffer = NULL; unsigned char* tempbuffer = NULL; @@ -168,11 +168,11 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns int retcode = 0; int counter = 0; int reloccount = 0; - int tempcounter = 0; + unsigned int tempcounter = 0; uint32_t symptr = 0; #ifdef _WIN32 void* funcptrlocation = NULL; - int32_t offsetvalue = 0; + size_t offsetvalue = 0; #endif char* entryfuncname = functionname; #if defined(__x86_64__) || defined(_WIN64) 
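Review bot: Widening `offsetvalue` to `size_t` under `_WIN32` makes it 8 bytes on x64, yet the relocation branches still fill it with `memcpy(&offsetvalue, ..., sizeof(int32_t))` (see the `IMAGE_REL_AMD64_ADDR32NB` branch added in patch 3/8), so the upper four bytes keep whatever the previous relocation left there, for example all-ones after `offsetvalue = (int32_t)(...)` of a negative displacement. The value finally written back is only the low 32 bits and stays correct, but the `> 0xffffffff` distance checks and the `DEBUG_PRINT` lines that print `offsetvalue` operate on the stale value and can reject or misreport a valid relocation. Keeping `int32_t offsetvalue = 0;` and silencing C4244 with explicit casts at the assignments is safer than widening the variable; alternatively zero it (`offsetvalue = 0;`) before each 4-byte read. The RunCOFF body continues outside the hunk.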
@@ -411,7 +411,7 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns #ifdef _WIN32 /* So for some reason VS 2017 doesn't like this, but char* casting works, so just going to do that */ #ifdef _MSC_VER - foo = (char*)(sectionMapping[coff_sym_ptr[tempcounter].SectionNumber - 1] + coff_sym_ptr[tempcounter].Value); + foo = (void(__cdecl*)(char*, unsigned long))(sectionMapping[coff_sym_ptr[tempcounter].SectionNumber - 1] + coff_sym_ptr[tempcounter].Value); #else foo = (void(*)(char *, unsigned long))(sectionMapping[coff_sym_ptr[tempcounter].SectionNumber - 1] + coff_sym_ptr[tempcounter].Value); #endif diff --git a/beacon_compatibility.c b/beacon_compatibility.c index 079b00c..9d270dd 100644 --- a/beacon_compatibility.c +++ b/beacon_compatibility.c @@ -291,19 +291,15 @@ void BeaconGetSpawnTo(BOOL x86, char* buffer, int length) { } if (x86) { tempBufferPath = "C:\\Windows\\"X86PATH"\\"DEFAULTPROCESSNAME; - if (strlen(tempBufferPath) > length) { - return; - } - memcpy(buffer, tempBufferPath, strlen(tempBufferPath)); } else { tempBufferPath = "C:\\Windows\\"X64PATH"\\"DEFAULTPROCESSNAME; - if (strlen(tempBufferPath) > length) { - return; - } - memcpy(buffer, tempBufferPath, strlen(tempBufferPath)); + } + if ((int)strlen(tempBufferPath) > length) { + return; } + memcpy(buffer, tempBufferPath, strlen(tempBufferPath)); return; } From 30af08ba1b3857f45a7a42112ccd1ca8249decf6 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Fri, 23 Sep 2022 09:54:04 -0400 Subject: [PATCH 2/8] Add toWideChar --- beacon_compatibility.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/beacon_compatibility.c b/beacon_compatibility.c index 9d270dd..6273f0b 100644 --- a/beacon_compatibility.c +++ b/beacon_compatibility.c 
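Review bot: The consolidated copy in BeaconGetSpawnTo still writes `strlen(tempBufferPath)` bytes with no terminator, and the guard `(int)strlen(tempBufferPath) > length` lets `strlen == length` through, so a caller that treats `buffer` as a C string reads past it unless it pre-zeroed the buffer. Change the two lines to `if (length <= 0 || strlen(tempBufferPath) >= (size_t)length) { return; }` and `memcpy(buffer, tempBufferPath, strlen(tempBufferPath) + 1);` so the result is always terminated within `length`. The `(int)` cast also hides rather than fixes the signed/unsigned comparison that C4018 was warning about.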
@@ -331,8 +331,9 @@ void BeaconCleanupProcess(PROCESS_INFORMATION* pInfo) { } BOOL toWideChar(char* src, wchar_t* dst, int max) { - /* Leaving this to be implemented by people needing/wanting it */ - return FALSE; + if (max < sizeof(wchar_t)) + return FALSE; + return MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS, src, -1, dst, max / sizeof(wchar_t)); } char* BeaconGetOutputData(int *outsize) { From 5a5a56dfd72230d6a913ad82ca98e1c71adc2247 Mon Sep 17 00:00:00 2001 From: Kevin Haubris Date: Wed, 30 Nov 2022 18:47:05 -0600 Subject: [PATCH 3/8] Attempted fix for invoke assembly --- COFFLoader.c | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/COFFLoader.c b/COFFLoader.c index ef10bca..dace1f2 100644 --- a/COFFLoader.c +++ b/COFFLoader.c 
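Review bot: `if (max < sizeof(wchar_t))` compares an `int` with a `size_t`, so a negative `max` is converted to a huge unsigned value, passes the check, and then reaches `max / sizeof(wchar_t)`, whose `size_t` result is truncated back to the `int` parameter of `MultiByteToWideChar`; this is the same class of mismatch patch 1/8 was trying to remove. Write `if (max < (int)sizeof(wchar_t)) return FALSE;` and pass `max / (int)sizeof(wchar_t)` so negative and undersized buffers are rejected explicitly. Returning the character count as `BOOL` is fine, since `MultiByteToWideChar` returns 0 on failure, but a one-line comment saying the caller gets a non-zero count rather than `TRUE` would avoid surprises.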
@@ -333,13 +333,21 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns /* This is the code to handle functions themselves, so using a makeshift Global Offset Table for it */ #ifdef _WIN32 funcptrlocation = process_symbol(((char*)(coff_sym_ptr + coff_header_ptr->NumberOfSymbols)) + symptr); - if (funcptrlocation == NULL) { + if (funcptrlocation == NULL && coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber == 0) { DEBUG_PRINT("Failed to resolve symbol\n"); retcode = 1; goto cleanup; } #ifdef _WIN64 - if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_REL32 && funcptrlocation != NULL) { + if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_ADDR64) { + memcpy(&longoffsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(uint64_t)); + DEBUG_PRINT("\tReadin longOffsetValue : 0x%llX\n", longoffsetvalue); + longoffsetvalue = (uint64_t)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + (uint64_t)longoffsetvalue); + DEBUG_PRINT("\tModified longOffsetValue : 0x%llX Base Address: %p\n", longoffsetvalue, sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1]); + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &longoffsetvalue, sizeof(uint64_t)); + } + + else if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_REL32 && funcptrlocation != NULL) { /* This is Type == 4 relocation code */ DEBUG_PRINT("Doing function relocation\n"); if (((functionMapping + (functionMappingCount * 8)) - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)) > 0xffffffff) { 
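Review bot: The new `IMAGE_REL_AMD64_ADDR64` branch indexes `sectionMapping[coff_sym_ptr[...].SectionNumber - 1]` without validating the symbol's section: for an external symbol (`SectionNumber == 0`, the very case `funcptrlocation` was just resolved for) that is `sectionMapping[-1]`, and the special values `IMAGE_SYM_ABSOLUTE`/`IMAGE_SYM_DEBUG` (-1/-2) or a number above the header's section count read outside the array as well. Because these fields come from the object file being loaded, the branch should use `(uint64_t)funcptrlocation + longoffsetvalue` when `funcptrlocation != NULL`, and otherwise fail the load (`retcode = 1; goto cleanup;`) unless `1 <= SectionNumber <= NumberOfSections` from the COFF file header; `coff_reloc_ptr->SymbolTableIndex` is likewise used without a check against `coff_header_ptr->NumberOfSymbols`. The relaxed `funcptrlocation == NULL && ... SectionNumber == 0` guard is reasonable, but it is what makes the unchecked index reachable. The RunCOFF body continues outside the hunk.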
@@ -367,6 +375,22 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns DEBUG_PRINT("\t\tRelative address: 0x%X\n", offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); } + else if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_ADDR32NB) { + memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); + DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); + DEBUG_PRINT("\t\tReferenced Section: 0x%X\n", sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + offsetvalue); + DEBUG_PRINT("\t\tEnd of Relocation Bytes: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4); + if (((char*)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + offsetvalue) - (char*)(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)) > 0xffffffff) { + DEBUG_PRINT("Relocations > 4 gigs away, exiting\n"); + retcode = 1; + goto cleanup; + } + offsetvalue = ((char*)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + offsetvalue) - (char*)(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); + DEBUG_PRINT("\tOffsetValue : 0x%0X\n", offsetvalue); + DEBUG_PRINT("\t\tSetting 0x%X to %X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue); + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + } + else { DEBUG_PRINT("No code for relocation type: %d\n", coff_reloc_ptr->Type); } From adab77631bc56d75bb83aed415934e982b099890 Mon Sep 17 00:00:00 2001 From: Kevin Haubris Date: Wed, 7 Dec 2022 09:52:56 -0600 Subject: [PATCH 4/8] Should work with VS compiled object files now --- COFFLoader.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/COFFLoader.c b/COFFLoader.c index dace1f2..5fccebe 100644 --- a/COFFLoader.c +++ b/COFFLoader.c 
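Review bot: The `> 0xffffffff` test on the pointer difference in the new `IMAGE_REL_AMD64_ADDR32NB` branch is one-sided: the difference is a signed `ptrdiff_t`, so a target more than 2 GiB below the relocation site is negative, never exceeds `0xffffffff`, and is silently truncated by the `sizeof(uint32_t)` write; the REL32 check above it has the same shape. Checking the signed 32-bit range covers both directions: `ptrdiff_t d = (char*)(...) - (char*)(...); if (d > INT32_MAX || d < INT32_MIN) { retcode = 1; goto cleanup; }`. Separately, `IMAGE_REL_AMD64_ADDR32NB` is documented as an image-base-relative RVA, while this branch computes a displacement from the end of the relocated field (REL32 semantics); that may be deliberate for this loader's flat section mapping, but a comment stating so would help the next reader. `sectionMapping[... SectionNumber - 1]` is again indexed here without a range check. The RunCOFF body continues outside the hunk.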
@@ -309,6 +309,7 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns goto cleanup; } offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); + offsetvalue += coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value; DEBUG_PRINT("\t\tRelative address: 0x%X\n", offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); } @@ -370,8 +371,11 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns retcode = 1; goto cleanup; } + DEBUG_PRINT("\t\tReferenced Section: 0x%X\n", sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + offsetvalue); DEBUG_PRINT("\t\tReadin offset value: 0x%X\n", offsetvalue); + DEBUG_PRINT("\t\tVirtualAddressOffset: 0x%X\n", (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); + offsetvalue += coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value; DEBUG_PRINT("\t\tRelative address: 0x%X\n", offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); } From f088d02eb36e20bc9ab7d7780bd5a974af054332 Mon Sep 17 00:00:00 2001 From: Kevin Haubris Date: Wed, 7 Dec 2022 10:15:39 -0600 Subject: [PATCH 5/8] Added vs support for x86 too --- COFFLoader.c | 39 ++++++++++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/COFFLoader.c b/COFFLoader.c index 5fccebe..edc4918 100644 --- a/COFFLoader.c +++ b/COFFLoader.c 
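Review bot: The two `DEBUG_PRINT` lines added in the second hunk pass pointer expressions (`sectionMapping[...] + offsetvalue` and `sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4`) to `0x%X`, which expects an `unsigned int`; on x64 that is a format/argument mismatch (undefined behavior, and at best only the low half is printed), and the neighbouring `0x%X` of `offsetvalue` has the same problem once it is `size_t` under `_WIN32` (patch 1/8). Patch 6/8 later switches the written address to `%p` but leaves at least the `VirtualAddressOffset` line as is. Use `%p` for pointers and `(unsigned int)offsetvalue` (or `%zX`) for the value, as in `DEBUG_PRINT("\t\tVirtualAddressOffset: %p\n", (void*)(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4));`. Debug-only output, but the mismatch is still UB under `-fsanitize=undefined`/`/analyze`.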
@@ -318,10 +318,21 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns } #else /* This is Type == IMAGE_REL_I386_DIR32 relocation code */ - memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); - DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); - offsetvalue = (uint32_t)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1]) + offsetvalue; - memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + if (coff_reloc_ptr->Type == IMAGE_REL_I386_DIR32){ + memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); + DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); + offsetvalue = (uint32_t)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1]) + offsetvalue; + offsetvalue += coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value; + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + } + else if (coff_reloc_ptr->Type == IMAGE_REL_I386_REL32){ + memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); + DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); + offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); + offsetvalue += coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value; + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + + } #endif //WIN64 statement close #endif //WIN32 statement close } 
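Review bot: Relocation types other than `IMAGE_REL_I386_DIR32` and `IMAGE_REL_I386_REL32` now fall through this if/else-if with no diagnostic, whereas the x64 branches print `No code for relocation type` for the same situation. An unapplied relocation leaves the object file's placeholder bytes in code that is about to be executed, so at minimum mirror the x64 path with `else { DEBUG_PRINT("No code for relocation type: %d\n", coff_reloc_ptr->Type); }`, and consider failing the load (`retcode = 1; goto cleanup;`) in both places rather than running with a known-bad relocation. Patch 7/8 adds such an `else` only to the function-relocation branch (hunk -403), not here. The RunCOFF body continues outside the hunk.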
@@ -399,11 +410,21 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns DEBUG_PRINT("No code for relocation type: %d\n", coff_reloc_ptr->Type); } #else - /* This is Type == IMAGE_REL_I386_DIR32 relocation code */ - memcpy(functionMapping + (functionMappingCount * 4), &funcptrlocation, sizeof(uint32_t)); - offsetvalue = (int32_t)(functionMapping + (functionMappingCount * 4)); - memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); - functionMappingCount++; + if (coff_reloc_ptr->Type == IMAGE_REL_I386_DIR32){ + /* This is Type == IMAGE_REL_I386_DIR32 relocation code */ + memcpy(functionMapping + (functionMappingCount * 4), &funcptrlocation, sizeof(uint32_t)); + offsetvalue = (int32_t)(functionMapping + (functionMappingCount * 4)); + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + functionMappingCount++; + } + else if (coff_reloc_ptr->Type == IMAGE_REL_I386_REL32){ + memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); + DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); + offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); + offsetvalue += coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value; + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + + } #endif #endif } From e119103f8d1c567d15b174f8ee4cb9c57ef91b6d Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Wed, 7 Dec 2022 17:40:20 -0500 Subject: [PATCH 6/8] Fix debug relocation debug output --- COFFLoader.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/COFFLoader.c b/COFFLoader.c index edc4918..b3d3f53 100644 --- a/COFFLoader.c +++ b/COFFLoader.c 
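Review bot: In the new `IMAGE_REL_I386_REL32` branch the target is taken from `sectionMapping[coff_sym_ptr[...].SectionNumber - 1]`, but this `#else` block is the function-symbol path where `funcptrlocation` was just resolved from the symbol name; for an external symbol `SectionNumber` is 0, so the index is -1 and the displacement is built from whatever memory precedes `sectionMapping`. A REL32 to an undefined symbol (typically what a direct `call` to an external compiles to on i386) should resolve against the looked-up pointer instead: `if (funcptrlocation != NULL) offsetvalue += (char*)funcptrlocation - (char*)(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4);`, with the section-relative computation kept only after a range check on `SectionNumber`. The patch 7/8 rewrite of this branch (hunk -403) keeps the same indexing. The RunCOFF body continues outside the hunk.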
@@ -295,8 +295,7 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns goto cleanup; } offsetvalue = ((char*)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + offsetvalue) - (char*)(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); - DEBUG_PRINT("\tOffsetValue : 0x%0X\n", offsetvalue); - DEBUG_PRINT("\t\tSetting 0x%X to %X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue); + DEBUG_PRINT("\tSetting 0x%p to OffsetValue: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); } /* This is Type == 4 relocation code, needed to make global variables to work correctly */ @@ -310,7 +309,7 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns } offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); offsetvalue += coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value; - DEBUG_PRINT("\t\tRelative address: 0x%X\n", offsetvalue); + DEBUG_PRINT("\t\tSetting 0x%p to relative address: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); } else { 
@@ -369,7 +368,7 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns } memcpy(functionMapping + (functionMappingCount * 8), &funcptrlocation, sizeof(uint64_t)); offsetvalue = (int32_t)((functionMapping + (functionMappingCount * 8)) - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); - DEBUG_PRINT("\t\tRelative address : 0x%x\n", offsetvalue); + DEBUG_PRINT("\t\tSetting 0x%p to relative address: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); functionMappingCount++; } @@ -387,7 +386,7 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns DEBUG_PRINT("\t\tVirtualAddressOffset: 0x%X\n", (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); offsetvalue += coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value; - DEBUG_PRINT("\t\tRelative address: 0x%X\n", offsetvalue); + DEBUG_PRINT("\t\tSetting 0x%p to relative address: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); } else if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_ADDR32NB) { 
@@ -401,8 +400,7 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns goto cleanup; } offsetvalue = ((char*)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + offsetvalue) - (char*)(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); - DEBUG_PRINT("\tOffsetValue : 0x%0X\n", offsetvalue); - DEBUG_PRINT("\t\tSetting 0x%X to %X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue); + DEBUG_PRINT("\tSetting 0x%p to OffsetValue: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); } From f6cb5ab61689a692f481d598fd632f190a08cf4f Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Thu, 8 Dec 2022 15:18:39 -0500 Subject: [PATCH 7/8] Fix some i386 issues --- COFFLoader.c | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/COFFLoader.c b/COFFLoader.c index b3d3f53..0dac832 100644 --- a/COFFLoader.c +++ b/COFFLoader.c @@ -103,6 +103,10 @@ unsigned char* getContents(char* filepath, uint32_t* outsize) { return buffer; } +static inline BOOL starts_with(const char* string, const char* substring) { + return strncmp(string, substring, strlen(substring)) == 0; +} + /* Helper function to process a symbol string, determine what function and * library its from, and return the right function pointer. Will need to * implement in the loading of the beacon internal functions, or any other 
@@ -117,10 +121,10 @@ void* process_symbol(char* symbolstring) { HMODULE llHandle = NULL; #endif - memcpy(localcopy, symbolstring, strlen(symbolstring)); - if (strncmp(symbolstring, PREPENDSYMBOLVALUE"Beacon", strlen(PREPENDSYMBOLVALUE"Beacon")) == 0 || strncmp(symbolstring, PREPENDSYMBOLVALUE"toWideChar", strlen(PREPENDSYMBOLVALUE"toWideChar")) == 0 || - strncmp(symbolstring, PREPENDSYMBOLVALUE"GetProcAddress", strlen(PREPENDSYMBOLVALUE"GetProcAddress")) == 0 || strncmp(symbolstring, PREPENDSYMBOLVALUE"LoadLibraryA", strlen(PREPENDSYMBOLVALUE"LoadLibraryA")) == 0 || - strncmp(symbolstring, PREPENDSYMBOLVALUE"GetModuleHandleA", strlen(PREPENDSYMBOLVALUE"GetModuleHandleA")) == 0 || strncmp(symbolstring, PREPENDSYMBOLVALUE"FreeLibrary", strlen(PREPENDSYMBOLVALUE"FreeLibrary")) == 0) { + strncpy(localcopy, symbolstring, sizeof(localcopy) - 1); + if (starts_with(symbolstring, PREPENDSYMBOLVALUE"Beacon") || starts_with(symbolstring, PREPENDSYMBOLVALUE"toWideChar") || + starts_with(symbolstring, PREPENDSYMBOLVALUE"GetProcAddress") || starts_with(symbolstring, PREPENDSYMBOLVALUE"LoadLibraryA") || + starts_with(symbolstring, PREPENDSYMBOLVALUE"GetModuleHandleA") || starts_with(symbolstring, PREPENDSYMBOLVALUE"FreeLibrary")) { localfunc = symbolstring + strlen(PREPENDSYMBOLVALUE); DEBUG_PRINT("\t\tInternalFunction: %s\n", localfunc); /* TODO: Get internal symbol here and set to functionaddress, then @@ -128,7 +132,7 @@ void* process_symbol(char* symbolstring) { #if defined(_WIN32) for (tempcounter = 0; tempcounter < 29; tempcounter++) { if (InternalFunctions[tempcounter][0] != NULL) { - if (strcmp(localfunc, (char*)(InternalFunctions[tempcounter][0])) == 0) { + if (starts_with(localfunc, (char*)(InternalFunctions[tempcounter][0]))) { functionaddress = (void*)InternalFunctions[tempcounter][1]; return functionaddress; } 
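Review bot: `strncpy(localcopy, symbolstring, sizeof(localcopy) - 1)` is a real improvement over the unbounded `memcpy` it replaces, but it NUL-terminates only if the last byte of `localcopy` is already zero; if the declaration (outside the hunk) is not `= { 0 }`, add `localcopy[sizeof(localcopy) - 1] = '\0';` after it. The process_symbol body continues outside the hunk.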
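Review bot: Replacing `strcmp(localfunc, ...) == 0` with `starts_with(localfunc, (char*)(InternalFunctions[tempcounter][0]))` turns the internal-function lookup into a prefix match, so a requested name that merely extends a table entry resolves to the shorter entry's pointer (the first such entry in table order) instead of failing to resolve, and the BOF then calls through a pointer with a possibly different signature. If the intent is to tolerate an i386 decoration suffix, compare exactly up to it: `const char* name = (char*)(InternalFunctions[tempcounter][0]); size_t n = strcspn(localfunc, "@"); if (strlen(name) == n && strncmp(localfunc, name, n) == 0) {`. A short comment on the loop explaining which decoration is being tolerated would also help, since the `29` bound and the table itself are outside the hunk.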
@@ -322,6 +326,7 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); offsetvalue = (uint32_t)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1]) + offsetvalue; offsetvalue += coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value; + DEBUG_PRINT("\tSetting 0x%p to: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); } else if (coff_reloc_ptr->Type == IMAGE_REL_I386_REL32){ @@ -329,6 +334,7 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); offsetvalue += coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value; + DEBUG_PRINT("\tSetting 0x%p to relative address: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); } 
@@ -403,26 +409,38 @@ int RunCOFF(char* functionname, unsigned char* coff_data, uint32_t filesize, uns DEBUG_PRINT("\tSetting 0x%p to OffsetValue: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); } - else { DEBUG_PRINT("No code for relocation type: %d\n", coff_reloc_ptr->Type); } #else - if (coff_reloc_ptr->Type == IMAGE_REL_I386_DIR32){ + if (coff_reloc_ptr->Type == IMAGE_REL_I386_DIR32 && funcptrlocation != NULL){ /* This is Type == IMAGE_REL_I386_DIR32 relocation code */ memcpy(functionMapping + (functionMappingCount * 4), &funcptrlocation, sizeof(uint32_t)); offsetvalue = (int32_t)(functionMapping + (functionMappingCount * 4)); + DEBUG_PRINT("\tSetting 0x%p to virtual address: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); functionMappingCount++; } + else if (coff_reloc_ptr->Type == IMAGE_REL_I386_DIR32) { + memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); + DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); + offsetvalue = (uint32_t)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1]) + offsetvalue; + offsetvalue += coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value; + DEBUG_PRINT("\tSetting 0x%p to virtual address: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, offsetvalue); + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + } else if (coff_reloc_ptr->Type == IMAGE_REL_I386_REL32){ memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - 
(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); offsetvalue += coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value; + DEBUG_PRINT("\tSetting 0x%p to relative address: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); } + else { + DEBUG_PRINT("No code for relocation type: %d\n", coff_reloc_ptr->Type); + } #endif #endif } From ade610103c2e46b722e6774ab79af7ff8530252b Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Fri, 9 Dec 2022 12:50:45 -0500 Subject: [PATCH 8/8] Remove the inline compiler directive Apparently VS2013 did not accept the function signature --- COFFLoader.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/COFFLoader.c b/COFFLoader.c index 0dac832..2f1df4a 100644 --- a/COFFLoader.c +++ b/COFFLoader.c @@ -103,7 +103,7 @@ unsigned char* getContents(char* filepath, uint32_t* outsize) { return buffer; } -static inline BOOL starts_with(const char* string, const char* substring) { +static BOOL starts_with(const char* string, const char* substring) { return strncmp(string, substring, strlen(substring)) == 0; }