Page Menu
Home
desp's stash
Search
Configure Global Search
Log In
Files
F547773
PECompact.cpp
No One
Temporary
Actions
Download File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
4 KB
Subscribers
None
PECompact.cpp
View Options
#include
"ScyllaPlugin.h"
//remove c runtime library
//#pragma comment(linker, "/ENTRY:DllMain")
const
char
logFileName
[]
=
"logfile_scylla_plugin.txt"
;
BOOL
writeToLogFile
(
const
char
*
text
);
HANDLE
hMapFile
=
0
;
LPVOID
lpViewOfFile
=
0
;
BOOL
getMappedView
();
void
cleanUp
();
void
resolveImports
();
#define PLUGIN_NAME "PECompact v2.x"
BOOL
WINAPI
DllMain
(
HINSTANCE
hinstDLL
,
DWORD
fdwReason
,
LPVOID
lpvReserved
)
{
switch
(
fdwReason
)
{
case
DLL_PROCESS_ATTACH
:
// Initialize once for each new process.
// Return FALSE to fail DLL load.
writeToLogFile
(
"DLL attached - Injection successful
\r\n
"
);
if
(
getMappedView
())
//open file mapping
{
writeToLogFile
(
"Open mapping successful
\r\n
"
);
resolveImports
();
//resolve imports
cleanUp
();
//clean up handles
}
break
;
case
DLL_THREAD_ATTACH
:
// Do thread-specific initialization.
break
;
case
DLL_THREAD_DETACH
:
// Do thread-specific cleanup.
break
;
case
DLL_PROCESS_DETACH
:
// Perform any necessary cleanup.
writeToLogFile
(
"DLL successfully detached
\r\n
"
);
break
;
}
return
TRUE
;
// Successful DLL_PROCESS_ATTACH.
}
BOOL
getMappedView
()
{
hMapFile
=
OpenFileMappingA
(
FILE_MAP_ALL_ACCESS
,
0
,
FILE_MAPPING_NAME
);
//open named file mapping object
if
(
hMapFile
==
0
)
{
writeToLogFile
(
"OpenFileMappingA failed
\r\n
"
);
return
FALSE
;
}
lpViewOfFile
=
MapViewOfFile
(
hMapFile
,
FILE_MAP_ALL_ACCESS
,
0
,
0
,
0
);
//map the view with full access
if
(
lpViewOfFile
==
0
)
{
CloseHandle
(
hMapFile
);
//close mapping handle
hMapFile
=
0
;
writeToLogFile
(
"MapViewOfFile failed
\r\n
"
);
return
FALSE
;
}
else
{
return
TRUE
;
}
}
void
cleanUp
()
{
if
(
lpViewOfFile
!=
0
)
{
UnmapViewOfFile
(
lpViewOfFile
);
//close map view
}
if
(
hMapFile
!=
0
)
{
CloseHandle
(
hMapFile
);
//close mapping handle
}
}
void
resolveImports
()
{
DWORD_PTR
invalidApiAddress
=
0
;
PSCYLLA_EXCHANGE
scyllaExchange
=
0
;
PUNRESOLVED_IMPORT
unresolvedImport
=
0
;
scyllaExchange
=
(
PSCYLLA_EXCHANGE
)
lpViewOfFile
;
unresolvedImport
=
(
PUNRESOLVED_IMPORT
)((
DWORD_PTR
)
scyllaExchange
+
scyllaExchange
->
offsetUnresolvedImportsArray
);
scyllaExchange
->
status
=
SCYLLA_STATUS_SUCCESS
;
while
(
unresolvedImport
->
ImportTableAddressPointer
!=
0
)
//last element is a nulled struct
{
//get real WINAPI address
//overwrite the existing wrong value with the good api address
invalidApiAddress
=
unresolvedImport
->
InvalidApiAddress
;
//PECompact example
//01BF01FF B8 45128275 MOV EAX,kernel32.GetModuleHandleA
//01BF0204 - FFE0 JMP EAX
if
(
*
((
BYTE
*
)
invalidApiAddress
)
==
0xB8
)
//is it pe compact?
{
invalidApiAddress
++
;
//increase 1 opcode
//write right value to struct
unresolvedImport
->
InvalidApiAddress
=
*
((
DWORD_PTR
*
)
invalidApiAddress
);
}
else
{
writeToLogFile
(
"Unsupported opcode found
\r\n
"
);
scyllaExchange
->
status
=
SCYLLA_STATUS_UNSUPPORTED_PROTECTION
;
break
;
}
unresolvedImport
++
;
//next pointer to struct
}
}
BOOL
writeToLogFile
(
const
char
*
text
)
{
DWORD
lpNumberOfBytesWritten
=
0
;
size_t
i
=
0
;
BOOL
wfRet
=
0
;
HANDLE
hFile
=
0
;
char
buffer
[
260
];
if
(
!
GetModuleFileNameA
(
0
,
buffer
,
sizeof
(
buffer
)))
//get full path of exe
{
return
FALSE
;
}
for
(
i
=
(
lstrlenA
(
buffer
)
-
1
);
i
>=
0
;
i
--
)
//remove the exe file name from full path
{
if
(
buffer
[
i
]
==
'\\'
)
{
buffer
[
i
+
1
]
=
0x00
;
break
;
}
}
if
(
lstrcatA
(
buffer
,
logFileName
)
==
0
)
//append log file name to path
{
return
FALSE
;
}
hFile
=
CreateFileA
(
buffer
,
GENERIC_WRITE
,
0
,
0
,
OPEN_ALWAYS
,
FILE_ATTRIBUTE_NORMAL
,
0
);
//open log file for writing
if
(
hFile
==
INVALID_HANDLE_VALUE
)
{
return
FALSE
;
}
SetFilePointer
(
hFile
,
0
,
0
,
FILE_END
);
//set file pointer to the end of file
if
(
WriteFile
(
hFile
,
text
,
(
DWORD
)
lstrlenA
(
text
),
&
lpNumberOfBytesWritten
,
0
))
//write message to logfile
{
wfRet
=
TRUE
;
}
else
{
wfRet
=
FALSE
;
}
CloseHandle
(
hFile
);
return
wfRet
;
}
#ifdef UNICODE
DllExport
wchar_t
*
__cdecl
ScyllaPluginNameW
()
{
return
TEXT
(
PLUGIN_NAME
);
}
#else
DllExport
char
*
__cdecl
ScyllaPluginNameA
()
{
return
PLUGIN_NAME
;
}
#endif
File Metadata
Details
Attached
Mime Type
text/x-c
Expires
Wed, Jan 28, 6:12 PM (1 d, 21 h)
Storage Engine
local-disk
Storage Format
Raw Data
Storage Handle
24/94/45bfc24e8e280c5a073033c69168
Attached To
rSCY Scylla
Event Timeline
Log In to Comment