Riremito

NO_IAT_PROGRAM

May 23rd, 2024
  1. #include<Windows.h>
  2. #include<winternl.h>
  3.  
  4. /*
  5. bool __stdcall checkwstr(wchar_t *s1, wchar_t *s2) {
  6.     for (int i = 0; s1[i] && s2[i]; i++) {
  7.         if (s1[i] != s2[i]) {
  8.             return false;
  9.         }
  10.     }
  11.     return true;
  12. }
  13. */
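// Scratch buffers for check_module_wstr(): upper-cased, NUL-terminated copies
// of the two names under comparison. They are kept at file scope rather than
// on the stack (presumably so that zero-initialisation needs no CRT helper in
// this import-free build — confirm); slot 127 is never written and stays 0.
wchar_t target[128] = { 0 };
wchar_t search_name[128] = { 0 };

// Compare the base name of module path `s1` with the file name `s2`,
// case-insensitively for ASCII letters, and return true only on an exact match.
//
// s1: full module path as stored in the loader entry (e.g. "C:\...\KERNEL32.DLL");
//     only the text after the last backslash takes part in the comparison.
// s2: bare file name being searched for (e.g. "kernel32.dll").
// Both names are truncated to 127 characters before being compared.
bool __stdcall check_module_wstr(wchar_t *s1, wchar_t *s2) {
    // Upper-case copy of the wanted name.
    int n = 0;
    for (; s2[n] && n < 127; n++) {
        search_name[n] = (L'a' <= s2[n] && s2[n] <= L'z') ? (wchar_t)(s2[n] - (L'a' - L'A')) : s2[n];
    }
    // Terminate explicitly: the buffers are reused across calls, so a shorter
    // name would otherwise be followed by stale characters of the previous one.
    search_name[n] = 0;

    // Base name = text after the last backslash (the whole string if none).
    wchar_t *s1_name = s1;
    for (int i = 0; s1[i] && i < 256; i++) {
        if (s1[i] == L'\\') {
            s1_name = &s1[i + 1];
        }
    }

    // Upper-case copy of the base name, terminated for the same reason as above.
    n = 0;
    for (; s1_name[n] && n < 127; n++) {
        target[n] = (L'a' <= s1_name[n] && s1_name[n] <= L'z') ? (wchar_t)(s1_name[n] - (L'a' - L'A')) : s1_name[n];
    }
    target[n] = 0;

    // Exact match: every character equal AND both names end at the same index.
    // Stopping at the first terminator alone would accept a mere prefix
    // ("kernel32" would match "KERNEL32.DLL").
    int i = 0;
    for (; target[i] && search_name[i]; i++) {
        if (target[i] != search_name[i]) {
            return false;
        }
    }
    return target[i] == search_name[i];
}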
  43.  
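// Compare two NUL-terminated byte strings for exact, case-sensitive equality.
// Used to match export names, so a prefix must not count as a hit:
// "LoadLibrary" must match neither "LoadLibraryW" nor vice versa.
bool __stdcall checkstr(char *s1, char *s2) {
    int i = 0;
    for (; s1[i] && s2[i]; i++) {
        if (s1[i] != s2[i]) {
            return false;
        }
    }
    // Both strings must end here; otherwise one is a strict prefix of the other.
    return s1[i] == s2[i];
}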
  52.  
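// Walk the loader's in-memory-order module list of the current process and
// return the base address of the module whose file name equals `wName`
// (case-insensitive, see check_module_wstr), or 0 if no such module is loaded.
//
// x86 only: the PEB pointer is read from fs:[0x30]; the x64 TEB layout differs.
ULONG_PTR FindModule(WCHAR *wName) {
    PEB *peb = (PEB *)__readfsdword(0x30);
    PEB_LDR_DATA *ldr = peb->Ldr;
    LIST_ENTRY *head = &ldr->InMemoryOrderModuleList;

    // The list is circular and ends back at `head`, which lives inside
    // PEB_LDR_DATA and is not an LDR_DATA_TABLE_ENTRY. Stop before touching it
    // instead of relying on the bytes behind it happening to read as DllBase==0.
    // Every entry (including the executable itself) is checked by name.
    for (LIST_ENTRY *entry = head->Flink; entry != head; entry = entry->Flink) {
        LDR_DATA_TABLE_ENTRY *table_entry = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (!table_entry->DllBase) {
            continue;
        }
        if (check_module_wstr(table_entry->FullDllName.Buffer, wName)) {
            return (ULONG_PTR)table_entry->DllBase;
        }
    }
    return 0;
}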
  69.  
  70. /*
  71. ULONG_PTR FindAPI(ULONG_PTR uDll, ULONG_PTR number) {
  72.     IMAGE_DOS_HEADER *image_dos_header = (decltype(image_dos_header))uDll;
  73.     IMAGE_NT_HEADERS *image_nt_headers = (decltype(image_nt_headers))((ULONG_PTR)image_dos_header + image_dos_header->e_lfanew);
  74.     IMAGE_OPTIONAL_HEADER *image_optional_header = &image_nt_headers->OptionalHeader;
  75.     IMAGE_EXPORT_DIRECTORY *image_export_directory = (decltype(image_export_directory))(uDll + (ULONG_PTR)image_optional_header->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
  76.     ULONG_PTR *function_rva = (ULONG_PTR *)(uDll + image_export_directory->AddressOfFunctions);
  77.     return uDll + function_rva[number - image_export_directory->Base];
  78. }
  79. */
  80.  
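// Resolve an exported function by name from the PE image mapped at `uDll`.
// Returns the function's virtual address, or 0 when the module has no export
// directory, the name is not exported, or the name table points outside the
// function table.
//
// NOTE(review): forwarded exports are not followed — for those the returned
// value points at the forwarder string inside the export directory, not at
// code. Callers in this file only resolve non-forwarded kernel32/user32 names.
ULONG_PTR FindAPI_byName(ULONG_PTR uDll, char *cAPI) {
    IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)uDll;
    IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)(uDll + dos->e_lfanew);
    IMAGE_DATA_DIRECTORY *export_dir = &nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];

    // A module without exports has an all-zero directory entry; without this
    // check RVA 0 (the DOS header) would be parsed as an export table.
    if (!export_dir->VirtualAddress || !export_dir->Size) {
        return 0;
    }
    IMAGE_EXPORT_DIRECTORY *exports = (IMAGE_EXPORT_DIRECTORY *)(uDll + export_dir->VirtualAddress);

    // The export tables hold 32-bit RVAs and 16-bit ordinals regardless of
    // bitness; indexing them as ULONG_PTR would stride wrongly on x64.
    DWORD *name_rva = (DWORD *)(uDll + exports->AddressOfNames);
    DWORD *function_rva = (DWORD *)(uDll + exports->AddressOfFunctions);
    WORD *name_ordinal = (WORD *)(uDll + exports->AddressOfNameOrdinals);

    for (DWORD i = 0; i < exports->NumberOfNames; i++) {
        if (!checkstr((char *)(uDll + name_rva[i]), cAPI)) {
            continue;
        }
        WORD ordinal = name_ordinal[i];
        // The ordinal indexes AddressOfFunctions; refuse a corrupt or
        // truncated table rather than reading past it.
        if (ordinal >= exports->NumberOfFunctions) {
            return 0;
        }
        return uDll + function_rva[ordinal];
    }
    return 0;
}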
  96.  
  97. // kernel32.dll LoadLibraryW 0x3CA, LoadLibraryA 0x3C7
  98. // user32.dll MessageBoxW 0x86C, MessageBoxA 0x865
  99. // Set the Visual Studio project's entry-point option to the `start` function.
// Program entry point (configured as the linker entry point instead of the CRT
// startup). Locates kernel32 via the loader list, resolves LoadLibraryW by
// export name, loads user32, shows a message box and ends the process through
// ExitProcess.
//
// Return codes: 1 = kernel32 not found, 2 = LoadLibraryW not exported,
// 3 = user32 failed to load or MessageBoxW not exported, 0 = fell through.
int WINAPI start() {
    typedef HMODULE (WINAPI *LoadLibraryW_t)(LPCWSTR);
    typedef int (WINAPI *MessageBoxW_t)(HWND, LPCWSTR, LPCWSTR, UINT);
    typedef void (WINAPI *ExitProcess_t)(UINT);

    ULONG_PTR kernel32 = FindModule((WCHAR *)L"kernel32.dll");
    if (!kernel32) {
        return 1;
    }

    LoadLibraryW_t pLoadLibraryW = (LoadLibraryW_t)FindAPI_byName(kernel32, (char *)"LoadLibraryW");
    if (!pLoadLibraryW) {
        return 2;
    }

    HMODULE user32 = pLoadLibraryW(L"user32.dll");
    if (!user32) {
        return 3;
    }

    MessageBoxW_t pMessageBoxW = (MessageBoxW_t)FindAPI_byName((ULONG_PTR)user32, (char *)"MessageBoxW");
    if (!pMessageBoxW) {
        return 3;
    }

    pMessageBoxW(NULL, L"HELLO WORLD!", L"TEST", MB_OK);

    ExitProcess_t pExitProcess = (ExitProcess_t)FindAPI_byName(kernel32, (char *)"ExitProcess");
    if (pExitProcess) {
        pExitProcess(0);
    }

    // Reached only if ExitProcess could not be resolved. The author notes that
    // some Windows versions do not end the process when the entry point
    // returns, so trap into the debugger instead of running off the end.
    __asm {
        int 3
    }

    return 0;
}