#ifndef DLL_HIJACK_NATIVE_H
#define DLL_HIJACK_NATIVE_H
#include <stdbool.h>
#include <winternl.h>
/*
 * Function-pointer types for two exports that this header never links against
 * directly; presumably they are resolved at run time (LdrGetDllFunction below
 * is the obvious candidate) — confirm against the caller.
 *
 * NOTE(review): IBindCtx, PIDLIST_ABSOLUTE and SFGAOF are not declared by
 * <winternl.h> or <stdbool.h>, so the translation unit that includes this
 * header must already have the shell/COM headers (e.g. via <shlobj.h>) in
 * scope. The same goes for LPVOID/HRESULT/SIZE_T/MAX_PATH if <winternl.h>
 * does not pull in <windows.h> on its own.
 */

/* CoTaskMemAlloc(cb): allocate cb bytes from the COM task allocator. */
typedef LPVOID (WINAPI *pCoTaskMemAlloc)(SIZE_T cb);

/* SHParseDisplayName: parse a display name into an absolute item ID list. */
typedef HRESULT (WINAPI *pSHParseDisplayName)(
    PCWSTR pszName,              /* display name to parse */
    IBindCtx *pbc,               /* optional bind context, may be NULL */
    PIDLIST_ABSOLUTE *ppidl,     /* out: parsed PIDL (caller frees) */
    SFGAOF sfgaoIn,              /* attributes the caller wants queried */
    SFGAOF *psfgaoOut);          /* out: attributes actually present */
/*
 * One entry of a hook table: a pair of code pointers plus a label.
 * Which pointer holds the trampoline/original and which the replacement is
 * not enforced here — the field names suggest `original` is the address the
 * hook displaces and `hook` the replacement; verify against the writer.
 *
 * NOTE(review): the tag `_HookTable` (leading underscore + uppercase) is a
 * reserved identifier in C (C11 7.1.3); renaming it would change the struct
 * tag seen by other files, so it is only flagged here.
 */
typedef struct _HookTable {
    void *original;   /* address of the function being replaced (presumably) */
    void *hook;       /* address of the replacement (presumably) */
    char *name;       /* human-readable label; ownership/lifetime not defined here */
} HookTable;
/*
 * Narrow and wide copies of a module path with separately tracked lengths.
 * Nothing in this header writes the struct, so the units of lengthA/lengthW
 * (bytes vs. characters, with or without the terminator) and whether both
 * copies are kept in sync are conventions of the writer — confirm there.
 * Both buffers are fixed at MAX_PATH elements; the lengths are not bounded
 * by this type, so a writer must enforce length < MAX_PATH itself.
 *
 * NOTE(review): `_ModulePathBuffer` is a reserved identifier (leading
 * underscore + uppercase); left as-is because the tag may be referenced
 * elsewhere.
 */
typedef struct _ModulePathBuffer {
    size_t lengthA;            /* length of pathA (units: see note above) */
    size_t lengthW;            /* length of pathW (units: see note above) */
    char pathA[MAX_PATH];      /* narrow path, MAX_PATH bytes */
    wchar_t pathW[MAX_PATH];   /* wide path, MAX_PATH wide characters */
} ModulePathBuffer;
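/*
 * Create a single directory using the native API only.
 *
 * The DOS path in pszFileName is converted to an NT path with
 * RtlDosPathNameToNtPathName_U and handed to NtCreateFile with FILE_CREATE
 * and FILE_DIRECTORY_FILE, i.e. the call fails if the object already exists
 * and only the final path component is created (NtCreateFile does not create
 * missing parents). The NT path string is always released; on success the
 * directory handle is closed immediately.
 *
 * Returns true when the directory was created. The NTSTATUS is collapsed to
 * a bool, so callers cannot distinguish "already exists" from "access denied"
 * or a bad path; if that matters, surface the status instead.
 *
 * Declared `static inline` to match NtCreateDirectoryA: a plain `static`
 * function in a header draws an unused-function warning in every TU that
 * does not call it.
 */
static inline bool NtCreateDirectoryW(PCWSTR pszFileName) {
    NTSTATUS Status;
    UNICODE_STRING FileName;
    HANDLE DirectoryHandle;
    IO_STATUS_BLOCK IoStatus;
    OBJECT_ATTRIBUTES ObjectAttributes;

    /* DOS -> NT path; on success FileName owns a buffer we must free. */
    if (!RtlDosPathNameToNtPathName_U(pszFileName, &FileName, NULL, NULL)) {
        return false;
    }
    InitializeObjectAttributes(&ObjectAttributes, &FileName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    /* SYNCHRONIZE + FILE_SYNCHRONOUS_IO_NONALERT: the handle is opened for
     * synchronous I/O, so no IoStatus wait is needed before closing it. */
    Status = NtCreateFile(&DirectoryHandle,
                          FILE_LIST_DIRECTORY | SYNCHRONIZE,
                          &ObjectAttributes,
                          &IoStatus,
                          NULL,
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          FILE_CREATE,
                          FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL,
                          0);
    RtlFreeUnicodeString(&FileName);

    if (NT_SUCCESS(Status)) {
        /* The handle is only a by-product of creation; drop it right away. */
        NtClose(DirectoryHandle);
        return true;
    }
    return false;
}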
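/*
 * ANSI wrapper around NtCreateDirectoryW.
 *
 * pszFileName is widened into a stack buffer of MAX_PATH wide characters via
 * RtlAnsiStringToUnicodeString with AllocateDestinationString == FALSE, so
 * the converter is expected to reject input that does not fit (the caller
 * then gets false). Paths of MAX_PATH characters or more are therefore not
 * supported by this wrapper.
 *
 * Returns the result of NtCreateDirectoryW, or false if the conversion
 * fails or the converted string leaves no room for a terminator.
 */
static inline bool NtCreateDirectoryA(PCSTR pszFileName) {
    WCHAR buffer[MAX_PATH];
    /* Length 0, MaximumLength = sizeof(buffer) bytes, Buffer = our stack array. */
    UNICODE_STRING pathW = {0, sizeof(buffer), buffer};
    ANSI_STRING pathA;

    RtlInitAnsiString(&pathA, pszFileName);
    if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&pathW, &pathA, FALSE))) {
        return false;
    }
    /* UNICODE_STRING.Length is in bytes. Do not rely on the converter having
     * reserved space for the terminator: make the bound explicit so the write
     * below can never land on buffer[MAX_PATH]. */
    if (pathW.Length >= sizeof(buffer)) {
        return false;
    }
    buffer[pathW.Length / sizeof(wchar_t)] = L'\0';
    return NtCreateDirectoryW(buffer);
}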
/*
 * Resolve an export by name using the loader's native interface.
 *
 * The module named by `dll` is first looked up among already-mapped modules
 * (LdrGetDllHandle); if that fails it is loaded with LdrLoadDll, with no
 * explicit search path (first argument NULL), so resolution follows the
 * loader's default search order. A module loaded here is never unloaded by
 * this function. The export `fn` is then resolved with LdrGetProcedureAddress
 * (ordinal argument 0, i.e. lookup by name).
 *
 * Returns the export's address, or NULL if the module cannot be obtained or
 * the export is not found. The failing NTSTATUS is not reported.
 */
static void *LdrGetDllFunction(const wchar_t *dll, const char *fn) {
    UNICODE_STRING moduleName;
    ANSI_STRING procName;
    PVOID module;
    PVOID address;

    RtlInitUnicodeString(&moduleName, dll);

    /* Prefer a module that is already mapped; only load on a miss. */
    NTSTATUS rc = LdrGetDllHandle(NULL, NULL, &moduleName, &module);
    if (!NT_SUCCESS(rc)) {
        rc = LdrLoadDll(NULL, NULL, &moduleName, &module);
        if (!NT_SUCCESS(rc)) {
            return NULL;
        }
    }

    RtlInitAnsiString(&procName, fn);
    rc = LdrGetProcedureAddress(module, &procName, 0, &address);
    if (!NT_SUCCESS(rc)) {
        return NULL;
    }
    return address;
}
#endif //DLL_HIJACK_NATIVE_H