Home Verkennen Help
Inloggen
zhensolid
/
OperatorsKit
1
0
Vork 0
Bestanden Issues 0 Pull-aanvragen 0 Wiki
Boom: 66368f4738
Aftakkingen Labels
OperatorsKit
/
KIT
/
FindLib
/
findlib.c

findlib.c 6.7 KB
Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254 
  1. #include <windows.h>
    2. 

  2. #include <stdio.h>
    3. 

  3. #include <tlhelp32.h>
    4. 

  4. #include <psapi.h>
    5. 

  5. #include <shlwapi.h>
    6. 

  6. #include "findlib.h"
    7. 

  7. #include "beacon.h"
    8. 

  8. 

  9. #pragma comment(lib, "ntdll.lib")
    10. 

  10. #pragma comment(lib, "Shlwapi.lib")
    11. 

  11. 

  12. 

  13. //https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
    14. 

  14. HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
    15. 

  15. 	HRESULT hr = S_FALSE;
    16. 

  16. 	va_list argList;
    17. 

  17. 	DWORD dwWritten = 0;
    18. 

  18. 

  19. 	if (g_lpStream <= (LPSTREAM)1) {
    20. 

  20. 		hr = OLE32$CreateStreamOnHGlobal(NULL, TRUE, &g_lpStream);
    21. 

  21. 		if (FAILED(hr)) {
    22. 

  22. 			return hr;
    23. 

  23. 		}
    24. 

  24. 	}
    25. 

  25. 

  26. 	if (g_lpwPrintBuffer <= (LPWSTR)1) {
    27. 

  27. 		g_lpwPrintBuffer = (LPWSTR)MSVCRT$calloc(MAX_STRING, sizeof(WCHAR));
    28. 

  28. 		if (g_lpwPrintBuffer == NULL) {
    29. 

  29. 			hr = E_FAIL;
    30. 

  30. 			goto CleanUp;
    31. 

  31. 		}
    32. 

  32. 	}
    33. 

  33. 

  34. 	va_start(argList, lpwFormat);
    35. 

  35. 	if (!MSVCRT$_vsnwprintf_s(g_lpwPrintBuffer, MAX_STRING, MAX_STRING -1, lpwFormat, argList)) {
    36. 

  36. 		hr = E_FAIL;
    37. 

  37. 		goto CleanUp;
    38. 

  38. 	}
    39. 

  39. 

  40. 	if (g_lpStream != NULL) {
    41. 

  41. 		if (FAILED(hr = g_lpStream->lpVtbl->Write(g_lpStream, g_lpwPrintBuffer, (ULONG)MSVCRT$wcslen(g_lpwPrintBuffer) * sizeof(WCHAR), &dwWritten))) {
    42. 

  42. 			goto CleanUp;
    43. 

  43. 		}
    44. 

  44. 	}
    45. 

  45. 

  46. 	hr = S_OK;
    47. 

  47. 

  48. CleanUp:
    49. 

  49. 

  50. 	if (g_lpwPrintBuffer != NULL) {
    51. 

  51. 		MSVCRT$memset(g_lpwPrintBuffer, 0, MAX_STRING * sizeof(WCHAR)); // Clear print buffer.
    52. 

  52. 	}
    53. 

  53. 

  54. 	va_end(argList);
    55. 

  55. 	return hr;
    56. 

  56. }
    57. 

  57. 

  58. //https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
    59. 

  59. VOID BeaconOutputStreamW() {
    60. 

  60. 	STATSTG ssStreamData = { 0 };
    61. 

  61. 	SIZE_T cbSize = 0;
    62. 

  62. 	ULONG cbRead = 0;
    63. 

  63. 	LARGE_INTEGER pos;
    64. 

  64. 	LPWSTR lpwOutput = NULL;
    65. 

  65. 

  66. 	if (FAILED(g_lpStream->lpVtbl->Stat(g_lpStream, &ssStreamData, STATFLAG_NONAME))) {
    67. 

  67. 		return;
    68. 

  68. 	}
    69. 

  69. 

  70. 	cbSize = ssStreamData.cbSize.LowPart;
    71. 

  71. 	lpwOutput = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, cbSize + 1);
    72. 

  72. 	if (lpwOutput != NULL) {
    73. 

  73. 		pos.QuadPart = 0;
    74. 

  74. 		if (FAILED(g_lpStream->lpVtbl->Seek(g_lpStream, pos, STREAM_SEEK_SET, NULL))) {
    75. 

  75. 			goto CleanUp;
    76. 

  76. 		}
    77. 

  77. 

  78. 		if (FAILED(g_lpStream->lpVtbl->Read(g_lpStream, lpwOutput, (ULONG)cbSize, &cbRead))) {		
    79. 

  79. 			goto CleanUp;
    80. 

  80. 		}
    81. 

  81. 

  82. 		BeaconPrintf(CALLBACK_OUTPUT, "%ls", lpwOutput);
    83. 

  83. 	}
    84. 

  84. 

  85. CleanUp:
    86. 

  86. 

  87. 	if (g_lpStream != NULL) {
    88. 

  88. 		g_lpStream->lpVtbl->Release(g_lpStream);
    89. 

  89. 		g_lpStream = NULL;
    90. 

  90. 	}
    91. 

  91. 

  92. 	if (g_lpwPrintBuffer != NULL) {
    93. 

  93. 		MSVCRT$free(g_lpwPrintBuffer); 
    94. 

  94. 		g_lpwPrintBuffer = NULL;
    95. 

  95. 	}
    96. 

  96. 

  97. 	if (lpwOutput != NULL) {
    98. 

  98. 		KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, lpwOutput);
    99. 

  99. 	}
    100. 

  100. 

  101. 	return;
    102. 

  102. }
    103. 

  103. 

  104. 

  105. 

  106. 

  107. 

  108. WCHAR ConvertToWCHAR(char input) {
    109. 

  109. 	WCHAR output[100];
    110. 

  110. 	KERNEL32$MultiByteToWideChar(CP_ACP, 0, input, -1, output, 100);
    111. 

  111. 	return output;
    112. 

  112. }
    113. 

  113. 

  114. 

  115. 

  116. 

  117. BOOL ListModules(int pid, char *targetModName) {
    118. 

  118.     HANDLE hProcess;
    119. 

  119.     MEMORY_BASIC_INFORMATION mbi;
    120. 

  120.     char * base = NULL;
    121. 

  121. 	BOOL foundModule = FALSE;
    122. 

  122. 

  123.     hProcess = KERNEL32$OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    124. 

  124. 	if (hProcess == NULL) return foundModule;
    125. 

  125. 

  126. 	while (KERNEL32$VirtualQueryEx(hProcess, base, &mbi, sizeof(mbi)) == sizeof(MEMORY_BASIC_INFORMATION)) {
    127. 

  127. 		char fqModPath[MAX_PATH];
    128. 

  128. 		char modName[MAX_PATH];
    129. 

  129. 

  130. 		if(targetModName != NULL) {
    131. 

  131. 			// only focus on the base address regions
    132. 

  132. 			if ((mbi.AllocationBase == mbi.BaseAddress) && (mbi.AllocationBase != NULL)) {
    133. 

  133. 				if (KERNEL32$K32GetModuleBaseNameA(hProcess, (HMODULE) mbi.AllocationBase, (LPSTR) modName, sizeof(modName) / sizeof(TCHAR))) {
    134. 

  134. 					if(MSVCRT$strcmp(targetModName, modName) == 0) {
    135. 

  135. 						WCHAR wFqModPath[100];
    136. 

  136. 						KERNEL32$K32GetModuleFileNameExA(hProcess, (HMODULE) mbi.AllocationBase, (LPSTR) fqModPath, sizeof(fqModPath) / sizeof(TCHAR));
    137. 

  137. 						KERNEL32$MultiByteToWideChar(CP_ACP, 0, fqModPath, -1, wFqModPath, 100);
    138. 

  138. 						BeaconPrintToStreamW(L"\nModulePath:\t%s\nModuleAddr:\t%#llx\n", wFqModPath, mbi.AllocationBase);
    139. 

  139. 						foundModule = TRUE;
    140. 

  140. 					}
    141. 

  141. 				}
    142. 

  142. 			}
    143. 

  143. 			// check the next region
    144. 

  144. 			base += mbi.RegionSize;
    145. 

  145. 		}
    146. 

  146. 		else {
    147. 

  147. 			
    148. 

  148. 			// only focus on the base address regions
    149. 

  149. 			if ((mbi.AllocationBase == mbi.BaseAddress) && (mbi.AllocationBase != NULL)) {
    150. 

  150. 				if (KERNEL32$K32GetModuleFileNameExA(hProcess, (HMODULE) mbi.AllocationBase, (LPSTR) fqModPath, sizeof(fqModPath) / sizeof(TCHAR))) {
    151. 

  151. 					WCHAR wFqModPath[100];
    152. 

  152. 					KERNEL32$MultiByteToWideChar(CP_ACP, 0, fqModPath, -1, wFqModPath, 100);
    153. 

  153. 					
    154. 

  154. 					BeaconPrintToStreamW(L"ModulePath [%#llx]: %s\n", mbi.AllocationBase, wFqModPath);
    155. 

  155. 					foundModule = TRUE;
    156. 

  156. 				}
    157. 

  157. 				
    158. 

  158. 			}
    159. 

  159. 			// check the next region
    160. 

  160. 			base += mbi.RegionSize;
    161. 

  161. 		}
    162. 

  162. 	}
    163. 

  163. 	
    164. 

  164. 	KERNEL32$CloseHandle(hProcess);
    165. 

  165. 	return foundModule;
    166. 

  166. }
    167. 

  167. 

  168. 

  169. 

  170. 

  171. BOOL FindProcess(char *targetModName) {
    172. 

  172. 

  173. 	int procID = 0;
    174. 

  174. 	HANDLE currentProc = NULL;
    175. 

  175. 	char procPath[MAX_PATH];
    176. 

  176. 	BOOL foundProc = FALSE;
    177. 

  177. 	BOOL res = FALSE;
    178. 

  178. 	
    179. 

  179. 	// resolve function address
    180. 

  180. 	NtGetNextProcess_t pNtGetNextProcess = (NtGetNextProcess_t) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtGetNextProcess");
    181. 

  181. 	
    182. 

  182. 	
    183. 

  183. 	// loop through all processes
    184. 

  184. 	while (!pNtGetNextProcess(currentProc, MAXIMUM_ALLOWED, 0, 0, &currentProc)) {
    185. 

  185. 		procID = KERNEL32$GetProcessId(currentProc);
    186. 

  186. 		
    187. 

  187. 		if(procID == 4) continue;
    188. 

  188. 		
    189. 

  189. 		if (procID == KERNEL32$GetCurrentProcessId()) continue;
    190. 

  190. 		
    191. 

  191. 		if (procID != 0) foundProc = ListModules(procID, targetModName);
    192. 

  192. 		
    193. 

  193. 		if(foundProc) {
    194. 

  194. 			
    195. 

  195. 			WCHAR wProcName[100];
    196. 

  196. 			WCHAR wProcPath[256];
    197. 

  197. 			
    198. 

  198. 			KERNEL32$K32GetProcessImageFileNameA(currentProc, procPath, MAX_PATH);
    199. 

  199. 			
    200. 

  200. 			KERNEL32$MultiByteToWideChar(CP_ACP, 0, SHLWAPI$PathFindFileNameA(procPath), -1, wProcName, 100);
    201. 

  201. 			KERNEL32$MultiByteToWideChar(CP_ACP, 0, procPath, -1, wProcPath, 256);
    202. 

  202. 			
    203. 

  203. 			BeaconPrintToStreamW(L"ProcName:\t%s\nProcID:\t\t%d\nProcPath:\tC:\%s\n", wProcName, procID, wProcPath);
    204. 

  204. 			
    205. 

  205. 			res = TRUE;
    206. 

  206. 			
    207. 

  207. 		}
    208. 

  208. 		
    209. 

  209. 	}
    210. 

  210. 	return res;
    211. 

  211. }
    212. 

  212. 

  213. 

  214. 

  215. 

  216. 

  217. int go(char *args, int len) {
    218. 

  218. 	int pid = 0;
    219. 

  219. 	BOOL res = NULL;
    220. 

  220. 	CHAR *option;
    221. 

  221. 	CHAR *targetModName;
    222. 

  222. 	datap parser;
    223. 

  223. 	
    224. 

  224. 	BeaconDataParse(&parser, args, len);
    225. 

  225. 	option = BeaconDataExtract(&parser, NULL);
    226. 

  226. 	
    227. 

  227. 	
    228. 

  228. 	if (MSVCRT$strcmp(option, "list") == 0) {
    229. 

  229. 		pid = BeaconDataInt(&parser);
    230. 

  230. 		BeaconPrintf(CALLBACK_OUTPUT, "[*] Start enumerating loaded modules for PID: %d\n\n", pid);
    231. 

  231. 		BeaconPrintToStreamW(L"[+] FOUND MODULES:\n==============================================================\n"); 
    232. 

  232. 		res = ListModules(pid, NULL);
    233. 

  233. 	}
    234. 

  234. 	else if (MSVCRT$strcmp(option, "search") == 0) {
    235. 

  235. 		targetModName = BeaconDataExtract(&parser, NULL);
    236. 

  236. 		BeaconPrintf(CALLBACK_OUTPUT, "[*] Start enumerating processes that loaded module: %s\n[!] Can take some time..\n\n", targetModName);
    237. 

  237. 		BeaconPrintToStreamW(L"[+] FOUND PROCESSES:\n==============================================================\n"); 
    238. 

  238. 		res = FindProcess(targetModName);
    239. 

  239. 	}
    240. 

  240. 	else {
    241. 

  241. 		BeaconPrintf(CALLBACK_ERROR, "This enumeration option isn't supported. Please specify one of the following enumeration options: search | list\n");
    242. 

  242. 		return 0;
    243. 

  243. 	}
    244. 

  244. 

  245. 	if(!res) BeaconPrintf(CALLBACK_ERROR, "No modules found for this search query!\n\n");
    246. 

  246. 	else {
    247. 

  247. 		BeaconOutputStreamW();
    248. 

  248. 		BeaconPrintf(CALLBACK_OUTPUT, "\n[+] DONE");
    249. 

  249. 	}
    250. 

  250. 	return 0;
    251. 

  251. }
    252. 

  252. 

  253. 

  254.