upd

odzhan · odzhan · commit 7905704e3281 · 2019-05-19T19:20:58.000+01:00
diff --git a/disasm/disasm b/disasm/disasm
diff --git a/disasm/disasm.c b/disasm/disasm.c
@@ -371,7 +371,7 @@ void disasm (disasm_opt *opt)
     // print asm string
     if(insn->address < opt->data && r) printf (" /* %-*s */", asm_max, ins);  
   }
-  printf("\n};");
+  printf("\n};\n");
   
   cs_free(insn, 1);
   cs_close(&handle);  
diff --git a/os/linux/c/ssltls/include.h b/os/linux/c/ssltls/include.h
@@ -187,7 +187,10 @@ void *get_proc_address3(const char *path, uint32_t hash);  // using file path
 void *get_module_handle(const char *module);
 void *get_module_handle1(const char *module);
 void *get_module_handle2(const char *module);
+
 void *get_base(void);
+void *get_base2(void);
+void *get_base3(void);
 
 Elf64_Phdr *elf_get_phdr(void *base, int type);
 Elf64_Dyn *elf_get_dyn(void *base, int tag);
diff --git a/os/win/getapi/dynamic/get_gpa.c b/os/win/getapi/dynamic/get_gpa.c
@@ -0,0 +1,153 @@
+
+#include "getapi.h"
+
+typedef BYTE UBYTE;
+
+typedef enum _UNWIND_OP_CODES {
+    UWOP_PUSH_NONVOL = 0, /* info == register number */
+    UWOP_ALLOC_LARGE,     /* no info, alloc size in next 2 slots */
+    UWOP_ALLOC_SMALL,     /* info == size of allocation / 8 - 1 */
+    UWOP_SET_FPREG,       /* no info, FP = RSP + UNWIND_INFO.FPRegOffset*16 */
+    UWOP_SAVE_NONVOL,     /* info == register number, offset in next slot */
+    UWOP_SAVE_NONVOL_FAR, /* info == register number, offset in next 2 slots */
+    UWOP_SAVE_XMM128 = 8, /* info == XMM reg number, offset in next slot */
+    UWOP_SAVE_XMM128_FAR, /* info == XMM reg number, offset in next 2 slots */
+    UWOP_PUSH_MACHFRAME   /* info == 0: no error-code, 1: error-code */
+} UNWIND_CODE_OPS;
+
+typedef union _UNWIND_CODE {
+    struct {
+        UBYTE CodeOffset;
+        UBYTE UnwindOp : 4;
+        UBYTE OpInfo   : 4;
+    };
+    USHORT FrameOffset;
+} UNWIND_CODE, *PUNWIND_CODE;
+
+typedef struct _UNWIND_INFO {
+    UBYTE Version       : 3;
+    UBYTE Flags         : 5;
+    UBYTE SizeOfProlog;
+    UBYTE CountOfCodes;
+    UBYTE FrameRegister : 4;
+    UBYTE FrameOffset   : 4;
+    UNWIND_CODE UnwindCode[1];
+} UNWIND_INFO, *PUNWIND_INFO;
+
+#define GetUnwindCodeEntry(info, index) \
+    ((info)->UnwindCode[index])
+
+#define GetLanguageSpecificDataPtr(info) \
+    ((PVOID)&GetUnwindCodeEntry((info),((info)->CountOfCodes + 1) & ~1))
+
+#define GetExceptionHandler(base, info) \
+    ((PEXCEPTION_HANDLER)((base) + *(PULONG)GetLanguageSpecificDataPtr(info)))
+
+#define GetChainedFunctionEntry(base, info) \
+    ((PRUNTIME_FUNCTION)((base) + *(PULONG)GetLanguageSpecificDataPtr(info)))
+
+#define GetExceptionDataPtr(info) \
+    ((PVOID)((PULONG)GetLanguageSpecificData(info) + 1)
+    
+LPVOID GetGPA(VOID) {
+    PPEB                          peb;
+    PPEB_LDR_DATA                 ldr;
+    PLDR_DATA_TABLE_ENTRY         dte;
+    LPVOID                        addr=NULL;
+    BYTE                          c;
+    PIMAGE_DOS_HEADER             dos;
+    PIMAGE_NT_HEADERS             nt;
+    PIMAGE_DATA_DIRECTORY         dir;
+    PIMAGE_RUNTIME_FUNCTION_ENTRY rf;
+    DWORD                         i, j, h, rva, ba;
+    PBYTE                         s1, e1, s2, e2;
+    PUNWIND_INFO                  ui;
+    
+    peb = (PPEB) __readgsqword(0x60);
+    ldr = (PPEB_LDR_DATA)peb->Ldr;
+    
+    for (dte=(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderModuleList.Flink;
+         dte->DllBase != NULL && addr == NULL; 
+         dte=(PLDR_DATA_TABLE_ENTRY)dte->InLoadOrderLinks.Flink)
+    { 
+      // is this kernelbase.dll?
+      for (h=0, i=0; i<dte->BaseDllName.Length/2; i++) {
+        c = (BYTE)dte->BaseDllName.Buffer[i];
+        h += (c | 0x20);
+        h = ROTR32(h, 13);
+      }
+      // if not, skip it
+      if (h != 0x22901A8D) continue;
+      
+      dos = (PIMAGE_DOS_HEADER)dte->DllBase;  
+      nt  = RVA2VA(PIMAGE_NT_HEADERS, dte->DllBase, dos->e_lfanew);  
+      dir = (PIMAGE_DATA_DIRECTORY)nt->OptionalHeader.DataDirectory;
+      rva = dir[IMAGE_DIRECTORY_ENTRY_EXCEPTION].VirtualAddress;
+      rf  = (PIMAGE_RUNTIME_FUNCTION_ENTRY) RVA2VA(ULONG_PTR, dte->DllBase, rva);
+      
+      // foreach runtime function and address not found
+      for(i=0; rf[i].BeginAddress != 0 && addr == NULL; i++) {
+        ba = rf[i].BeginAddress;
+        // we will search the code between BeginAddress and EndAddress
+        s1 = (PBYTE)RVA2VA(ULONG_PTR, dte->DllBase, rf[i].BeginAddress);
+        e1 = (PBYTE)RVA2VA(ULONG_PTR, dte->DllBase, rf[i].EndAddress);
+        
+        // if chained unwind information is specified in the next entry
+        ui = (PUNWIND_INFO)RVA2VA(ULONG_PTR, dte->DllBase, rf[i+1].UnwindData);
+        
+        if(ui->Flags & UNW_FLAG_CHAININFO) {
+          // find the last entry in the chain
+          for(;;) {
+            i++;
+            e1 = (PBYTE)RVA2VA(ULONG_PTR, dte->DllBase, rf[i].EndAddress);
+            ui = (PUNWIND_INFO)RVA2VA(ULONG_PTR, dte->DllBase, rf[i].UnwindData);
+            if(!(ui->Flags & UNW_FLAG_CHAININFO)) break;
+          }
+        }
+        // for this address range minus the length of a near conditional jump
+        while(s1 < (e1 - 6)) {
+          // is the next instruction a near conditional jump?
+          if(s1[0] == 0x0F && s1[1] >= 0x80 && s1[1] <= 0x8F) {
+            // calculate the relative virtual address of jump
+            rva = (DWORD)(((*(DWORD*)(s1 + 2)) + 6 + s1) - (PBYTE)dte->DllBase);
+            // try find the rva in exception list
+            for(j=0; rf[j].BeginAddress != 0 && addr == NULL; j++) {
+              if(rf[j].BeginAddress == rva) {               
+                s2 = (PBYTE)RVA2VA(ULONG_PTR, dte->DllBase, rf[j].BeginAddress);
+                e2 = (PBYTE)RVA2VA(ULONG_PTR, dte->DllBase, rf[j].EndAddress);
+                // try find the error code in this address range
+                while(s2 < (e2 - 4)) {
+                  // if this is STATUS_ORDINAL_NOT_FOUND
+                  if(*(DWORD*)s2 == 0xC0000138) {
+                    // calculate the virtual address of primary function
+                    addr = (PBYTE)RVA2VA(ULONG_PTR, dte->DllBase, ba);
+                    break;
+                  }
+                  s2++;
+                }
+              }
+            }
+          }
+          s1++;
+        }
+      }
+    }
+    return addr;
+}
+
+int main(void) {
+    LPVOID addr = GetGPA();
+    
+    if(addr == NULL) {
+      printf("unable to locate GetProcAddress\n");
+      return 0;
+    }
+    
+    printf ("GetGPA         : %p\n", addr);
+    printf ("GetProcAddress : %p\n", 
+        GetProcAddress(GetModuleHandle("kernelbase"), "GetProcAddress"));  
+    printf ("GetProcAddressForCaller: %p\n", 
+        GetProcAddress(GetModuleHandle("kernelbase"), "GetProcAddressForCaller"));
+    return 0;
+}
+        
diff --git a/os/win/getapi/dynamic/get_gpa1.c b/os/win/getapi/dynamic/get_gpa1.c
@@ -0,0 +1,72 @@
+
+#include "getapi.h"
+
+LPVOID GetGPA(VOID) {
+    PPEB                  peb;
+    PPEB_LDR_DATA         ldr;
+    PLDR_DATA_TABLE_ENTRY dte;
+    LPVOID                addr=NULL;
+    BYTE                  c;
+    PIMAGE_DOS_HEADER     dos;
+    PIMAGE_NT_HEADERS     nt; 
+    PIMAGE_SECTION_HEADER sh;
+    DWORD                 i, j, h;
+    PBYTE                 cs;
+    
+    peb = (PPEB) __readfsdword(0x30);
+    ldr = (PPEB_LDR_DATA)peb->Ldr;
+    
+    // for each DLL loaded
+    for (dte=(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderModuleList.Flink;
+         dte->DllBase != NULL && addr == NULL; 
+         dte=(PLDR_DATA_TABLE_ENTRY)dte->InLoadOrderLinks.Flink)
+    { 
+      // is this kernel32.dll or kernelbase.dll?
+      for (h=i=0; i<dte->BaseDllName.Length/2; i++) {
+        c = dte->BaseDllName.Buffer[i];
+        h += (c | 0x20);
+        h = ROTR32(h, 13);
+      }
+      if (h != 0x22901A8D) continue;
+      
+      dos = (PIMAGE_DOS_HEADER)dte->DllBase;  
+      nt  = RVA2VA(PIMAGE_NT_HEADERS, dte->DllBase, dos->e_lfanew);  
+      sh  = (PIMAGE_SECTION_HEADER)((LPBYTE)&nt->OptionalHeader + 
+             nt->FileHeader.SizeOfOptionalHeader); 
+             
+      for (i=0; i<nt->FileHeader.NumberOfSections && addr == NULL; i++) {
+        if (sh[i].Characteristics & IMAGE_SCN_MEM_EXECUTE) {
+          cs = RVA2VA (PBYTE, dte->DllBase, sh[i].VirtualAddress);
+          for(j=0; j<sh[i].Misc.VirtualSize - 4 && addr == NULL; j++) {
+            // is this STATUS_ORDINAL_NOT_FOUND?
+            if(*(DWORD*)&cs[j] == 0xC0000138) {
+              while(--j) {
+                // is this the prolog?
+                if(cs[j  ] == 0x55 &&
+                   cs[j+1] == 0x8B &&
+                   cs[j+2] == 0xEC) {
+                  addr = &cs[j];
+                  break;
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+    return addr;
+}
+
+int main(void) {
+
+    if (addr != NULL) {
+      printf ("GetProcAddress: %p\n", addr);
+      
+      printf ("GetProcAddress: %p\n", 
+          GetProcAddress("kernelbase", "GetProcAddress"));
+          
+      printf ("GetProcAddressForCaller: %p\n", 
+          GetProcAddress("kernelbase", "GetProcAddressForCaller"));
+    }
+    return 0;
+}
diff --git a/os/win/getapi/dynamic/getapi.h b/os/win/getapi/dynamic/getapi.h

Original file line number	Diff line number	Diff line change
`@@ -371,7 +371,7 @@ void disasm (disasm_opt *opt)`
`371`	`371`	`// print asm string`
`372`	`372`	`if(insn->address < opt->data && r) printf (" /* %-s /", asm_max, ins);`
`373`	`373`	`}`
`374`		`- printf("\n};");`
	`374`	`+ printf("\n};\n");`
`375`	`375`
`376`	`376`	`cs_free(insn, 1);`
`377`	`377`	`cs_close(&handle);`