Zorenium/Memory & Main.cpp old never used code

1. /* WAS Given to me by a 'alias' i recruited to work on the projec,t
2.  * For me to later find out, the code he took, was from a public website,
3.  * So here it is, for you'all to read over,
4.  * For those of you that cant code, Its a remote_thread, application for running executables
5.  */
6.  
7. #include <windows.h>
8. #include <tchar.h>
9. #include <detours.h>
10. #include <stdio.h>
11. #include <tchar.h>
12.  
13.  
14. #define NTSIGNATURE(ptr) ((LPVOID)((BYTE *)(ptr) + ((PIMAGE_DOS_HEADER)(ptr))->e_lfanew))
15. #define SIZE_OF_NT_SIGNATURE (sizeof(DWORD))
16. #define PEFHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE))
17. #define OPTHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE+sizeof(IMAGE_FILE_HEADER)))
18. #define SECHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE+sizeof(IMAGE_FILE_HEADER)+sizeof(IMAGE_OPTIONAL_HEADER)))
19. #define RVATOVA(base,offset) ((LPVOID)((DWORD)(base)+(DWORD)(offset)))
20. #define VATORVA(base,offset) ((LPVOID)((DWORD)(offset)-(DWORD)(base)))
21.  
22.  
23. typedef enum _SECTION_INHERIT {
24.     ViewShare = 1,
25.     ViewUnmap = 2
26. } SECTION_INHERIT;
27.  
28. typedef DWORD (WINAPI *PFN_NtMapViewOfSection)( HANDLE SectionHandle,
29.                                                 HANDLE ProcessHandle,
30.                                                 PVOID *BaseAddress,
31.                                                 ULONG ZeroBits,
32.                                                 ULONG CommitSize,
33.                                                 PLARGE_INTEGER SectionOffset,
34.                                                 PULONG ViewSize,
35.                                                 SECTION_INHERIT InheritDisposition,
36.                                                 ULONG AllocationType,
37.                                                 ULONG Protect
38.                                             );
39.  
40.  
41. CRITICAL_SECTION _cs;
42. UINT _nInitCount = 0;
43. BOOL _fModified;
44. WORD _OriginalCharacteristics;
45. BYTE _abTrampolineNtMapViewOfSection[DETOUR_TRAMPOLINE_SIZE];
46. BYTE _abTrampolineDllMain[DETOUR_TRAMPOLINE_SIZE];
47.  
48. static BOOL APIENTRY PseudoDllMain( HMODULE hModule, DWORD  dwReason, LPVOID lpReserved ){
49.     if( dwReason == DLL_PROCESS_ATTACH )
50.         ::DisableThreadLibraryCalls( hModule );
51.     return TRUE;
52. }
53.  
54. static BOOL SetImageCharacteristics( PVOID hModule, WORD dwAdded, WORD dwRemoved, WORD* OldCharacteristics ){
55.     PIMAGE_FILE_HEADER pfh;
56.     PIMAGE_OPTIONAL_HEADER poh;
57.     pfh = (PIMAGE_FILE_HEADER)PEFHDROFFSET(hModule);
58.     poh=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(hModule);
59.     WORD newCharacteristics = pfh->Characteristics;
60.     if( OldCharacteristics != NULL )
61.         *OldCharacteristics = newCharacteristics;
62.     newCharacteristics |= dwAdded;
63.     newCharacteristics &= ~dwRemoved;
64.     DWORD newProtect, oldProtect;
65.     newProtect = PAGE_EXECUTE_WRITECOPY;
66.     VirtualProtect(hModule,poh->SizeOfHeaders,newProtect,&oldProtect);
67.     pfh->Characteristics = newCharacteristics;
68.     VirtualProtect(hModule,poh->SizeOfHeaders,oldProtect,&newProtect);
69.     return TRUE;
70. }
71.  
72. static DWORD WINAPI Mine_NtMapViewOfSection(
73.     HANDLE SectionHandle,
74.     HANDLE ProcessHandle,
75.     PVOID *BaseAddress,
76.     ULONG ZeroBits,
77.     ULONG CommitSize,
78.     PLARGE_INTEGER SectionOffset,
79.     PULONG ViewSize,
80.     SECTION_INHERIT InheritDisposition,
81.     ULONG AllocationType,
82.     ULONG Protect
83.     )
84. {
85.     PFN_NtMapViewOfSection fnNtMapViewOfSection =(PFN_NtMapViewOfSection)&_abTrampolineNtMapViewOfSection[0];
86.     DWORD retval = fnNtMapViewOfSection( SectionHandle,
87.                                     ProcessHandle,
88.                                     BaseAddress,
89.                                     ZeroBits,
90.                                     CommitSize,
91.                                     SectionOffset,
92.                                     ViewSize,
93.                                     InheritDisposition,
94.                                     AllocationType,
95.                                     Protect
96.                                 );
97.  
98.     if( _fModified )
99.         return retval;
100.     _fModified = TRUE;
101.     PVOID hImage = *BaseAddress;
102.     SetImageCharacteristics( hImage, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, &_OriginalCharacteristics );
103.     PIMAGE_OPTIONAL_HEADER poh;
104.     poh=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(hImage);
105.     DetourFunctionWithEmptyTrampoline( _abTrampolineDllMain,(PBYTE)((DWORD)hImage+poh->AddressOfEntryPoint),(PBYTE)PseudoDllMain );
106.     return retval;
107. }
108.  
109.  
110. BOOL init(){
111.     if( _nInitCount++ == 0 )
112.         ::InitializeCriticalSection( &_cs );
113.     return TRUE;
114. }
115.  
116. BOOL Uninit(){
117.     if( --_nInitCount == 0 )
118.         ::DeleteCriticalSection( &_cs );
119.     return TRUE;
120. }
121.  
122. HMODULE WINAPI wLoadEW( LPCWSTR lpszExePath ){
123.     ::EnterCriticalSection( &_cs );
124.     FARPROC NtMapViewOfSection = ::GetProcAddress( GetModuleHandleW( L"NTDLL.DLL" ), "NtMapViewOfSection" );
125.     memset( _abTrampolineNtMapViewOfSection, 0x90, sizeof(_abTrampolineNtMapViewOfSection) );
126.     memset( _abTrampolineDllMain, 0x90, sizeof(_abTrampolineDllMain) );
127.     DetourFunctionWithEmptyTrampoline( _abTrampolineNtMapViewOfSection,(PBYTE)NtMapViewOfSection,(PBYTE)Mine_NtMapViewOfSection );
128.     _fModified = FALSE;
129.     HMODULE h = LoadLibraryW(lpszExePath);
130.     _fModified = TRUE;
131.     DetourRemove( _abTrampolineDllMain, (PBYTE)PseudoDllMain );
132.     DetourRemove( _abTrampolineNtMapViewOfSection, (PBYTE)Mine_NtMapViewOfSection );
133.     if( h != NULL )
134.         SetImageCharacteristics( h, _OriginalCharacteristics, IMAGE_FILE_DLL, NULL );
135.     ::LeaveCriticalSection( &_cs );
136.     return h;
137. }
138.  
139. HMODULE WINAPI wLoadEA( LPCSTR lpszExePath ){
140.     WCHAR szPath[MAX_PATH];
141.     ::MultiByteToWideChar( CP_ACP, 0,
142.         lpszExePath, -1,
143.         szPath, sizeof(szPath) );
144.     return wLoadEW(szPath);
145. }
146.  
147.  
148. BOOL WINAPI wFreebin( HMODULE hModule ){
149.     ::EnterCriticalSection( &_cs );
150.     memset( _abTrampolineDllMain, 0x90, sizeof(_abTrampolineDllMain) );
151.     PIMAGE_OPTIONAL_HEADER poh;
152.     poh=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(hModule);
153.     DetourFunctionWithEmptyTrampoline( _abTrampolineDllMain,(PBYTE)((DWORD)hModule+poh->AddressOfEntryPoint),(PBYTE)PseudoDllMain );
154.     FreeLibrary( hModule );
155.     ::LeaveCriticalSection( &_cs );
156.     return TRUE;
157. }
158.  
159.  
160. #include <Windows.h>
161.  
162.  
163. // Non Member Functions
164. NtOpenSectionPtr NtOpenSection = NULL;
165. NtClosePtr NtClose = NULL;
166. NtMapViewOfSectionPtr NtMapViewOfSection = NULL;
167. NtUnmapViewOfSectionPtr NtUnmapViewOfSection = NULL;
168. RtlInitUnicodeStringPtr RtlInitUnicodeString = NULL;
169. ZwSystemDebugControlPtr ZwSystemDebugControl = NULL;
170.  
171. EnumSystemFirmwareTablesPtr EnumSystemFirmwareTables = NULL;
172. GetSystemFirmwareTablePtr GetSystemFirmwareTable = NULL;
173. u8 * CBlockBuffer = NULL;
174. u8 * EBlockBuffer = NULL;
175.  
176.  
177.  
178. int wsFuncLoad(void){
179.     HMODULE hNtdll;
180.     HMODULE hKerneldll;
181.     hNtdll = GetModuleHandle(L"ntdll.dll");
182.     hKerneldll = GetModuleHandle( L"kernel32.dll" );
183.     if (!(hNtdll && hKerneldll))
184.         return FALSE;
185.     NtOpenSection        = (NtOpenSectionPtr) GetProcAddress(hNtdll, "NtOpenSection");
186.     NtClose              = (NtClosePtr) GetProcAddress(hNtdll, "NtClose");
187.     NtMapViewOfSection   = (NtMapViewOfSectionPtr) GetProcAddress(hNtdll, "NtMapViewOfSection");
188.     NtUnmapViewOfSection = (NtUnmapViewOfSectionPtr) GetProcAddress(hNtdll, "NtUnmapViewOfSection");
189.     RtlInitUnicodeString = (RtlInitUnicodeStringPtr) GetProcAddress(hNtdll, "RtlInitUnicodeString");
190.     ZwSystemDebugControl = (ZwSystemDebugControlPtr) GetProcAddress(hNtdll, "ZwSystemDebugControl");
191.     EnumSystemFirmwareTables = (EnumSystemFirmwareTablesPtr) GetProcAddress(hKerneldll, "EnumSystemFirmwareTables");
192.     GetSystemFirmwareTable = (GetSystemFirmwareTablePtr) GetProcAddress(hKerneldll, "GetSystemFirmwareTable");
193.  
194.     return TRUE;
195. }
196.  
197. HANDLE OpenMemAccess(void){
198.     UNICODE_STRING usDevmem;
199.     OBJECT_ATTRIBUTES oaAttrs;
200.     NTSTATUS status;
201.     HANDLE hPhysMem = NULL;
202.     RtlInitUnicodeString(&usDevmem, L"\\device\\physicalmemory");
203.     InitializeObjectAttributes(&oaAttrs, &usDevmem, OBJ_CASE_INSENSITIVE, NULL, NULL);
204.     status = NtOpenSection(&hPhysMem, SECTION_MAP_READ, &oaAttrs);
205.     if (!NT_SUCCESS(status)){
206.         hPhysMem = NULL;
207.     }
208.  
209.     return hPhysMem;
210. }
211.  
212. int CloseMemAccess(HANDLE hPhysMem){
213.     NTSTATUS status;
214.     status = NtClose(hPhysMem);
215.     if (!NT_SUCCESS(status)){
216.         return FALSE;
217.     }
218.  
219.     return TRUE;
220. }
221.  
222. int MapMem(HANDLE hPhysMem, PVOID pBaseAddr, PDWORD pPhysAddr, PDWORD pSize){
223.     NTSTATUS status;
224.     PHYSICAL_ADDRESS paAddr;
225.  
226.     * (DWORD *) pBaseAddr = (DWORD) NULL;
227.     paAddr.HighPart = 0;
228.     paAddr.LowPart = *pPhysAddr;
229.     00119         status = NtMapViewOfSection(hPhysMem, NtCurrentProcess(), (PVOID *) pBaseAddr, 0L,
230.         *pSize, &paAddr, pSize, ViewShare, 0, PAGE_READONLY);
231.  
232.     if (!NT_SUCCESS(status))
233.     {
234.         hPhysMem = NULL;
235.         return FALSE;
236.     }
237.  
238.     *pPhysAddr = paAddr.LowPart;
239.     return TRUE;
240. }
241.  
242. int UnMapMem(PVOID pBaseAddr){
243.     NTSTATUS status;
244.     status = NtUnmapViewOfSection(NtCurrentProcess(), pBaseAddr);
245.     if (!NT_SUCCESS(status)){
246.         return FALSE;
247.     }
248.  
249.     return TRUE;
250. }
251.  
252. static BOOL setPrivilege(LPCTSTR privilegeName, BOOL enable){
253.     HANDLE              hToken;
254.     HANDLE              hCurrentProcess;
255.     DWORD               err;
256.     TOKEN_PRIVILEGES    tkprivs;
257.     hCurrentProcess = GetCurrentProcess();
258.     if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)){
259.         LookupPrivilegeValue(NULL, privilegeName, &tkprivs.Privileges[0].Luid);
260.         tkprivs.PrivilegeCount = 1;  // one privilege to set
261.         tkprivs.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;
262.         AdjustTokenPrivileges(hToken, FALSE, &tkprivs, 0, (PTOKEN_PRIVILEGES)NULL, NULL);
263.     }
264.     err = GetLastError();
265.     return err == ERROR_SUCCESS;
266. }