From 9e375b43b459aaddff57a0dc477380a6508ee105 Mon Sep 17 00:00:00 2001
From: Solomon Sklash
Date: Fri, 18 Jun 2021 14:54:41 -0700
Subject: [PATCH 1/6] Added stddef.h include for mingw.
---
 DarkLoadLibrary/include/pebutils.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/DarkLoadLibrary/include/pebutils.h b/DarkLoadLibrary/include/pebutils.h
index f6ad4d6..4772202 100644
--- a/DarkLoadLibrary/include/pebutils.h
+++ b/DarkLoadLibrary/include/pebutils.h
@@ -1,5 +1,5 @@
 #include
-
+#include
 #include "pebstructs.h"
 #include "darkloadlibrary.h"
From 5c187b7177374f7c5413cbc0b636c021402d962c Mon Sep 17 00:00:00 2001
From: Solomon Sklash
Date: Fri, 18 Jun 2021 15:10:55 -0700
Subject: [PATCH 2/6] Added a new header for the _DARKMODULE struct, and added some function definitions to remove warnings.
---
 DarkLoadLibrary/include/darkloadlibrary.h | 37 +++++++++++++++++------
 DarkLoadLibrary/include/darkmodule.h | 12 ++++++++
 DarkLoadLibrary/include/ldrutils.h | 8 +++--
 DarkLoadLibrary/include/pebutils.h | 35 ++++++++++++++++++++-
 4 files changed, 78 insertions(+), 14 deletions(-)
 create mode 100644 DarkLoadLibrary/include/darkmodule.h
diff --git a/DarkLoadLibrary/include/darkloadlibrary.h b/DarkLoadLibrary/include/darkloadlibrary.h
index f0806a7..3ad9925 100644
--- a/DarkLoadLibrary/include/darkloadlibrary.h
+++ b/DarkLoadLibrary/include/darkloadlibrary.h
@@ -1,21 +1,24 @@
+#pragma once
 #include
 #include
+#include "darkmodule.h"
+#include "pebutils.h"
+#include "ldrutils.h"
 #define LOAD_LOCAL_FILE 0x00000001
 #define LOAD_REMOTE_FILE 0x00000002
 #define LOAD_MEMORY 0x00000003
 #define NO_LINK 0x00000004
-#pragma once
-typedef struct _DARKMODULE {
- BOOL bSuccess;
- LPWSTR ErrorMsg;
- PBYTE pbDllData;
- DWORD dwDllDataLen;
- LPWSTR LocalDLLName;
- PWCHAR CrackedDLLName;
- ULONG_PTR ModuleBase;
-} DARKMODULE, *PDARKMODULE;
+// typedef struct _DARKMODULE {
+// BOOL bSuccess;
+// LPWSTR ErrorMsg;
+// PBYTE pbDllData;
+// DWORD dwDllDataLen;
+// LPWSTR LocalDLLName;
+// PWCHAR CrackedDLLName;
+// ULONG_PTR ModuleBase;
+// } DARKMODULE, *PDARKMODULE;
 DARKMODULE DarkLoadLibrary(
 DWORD dwFlags,
@@ -23,4 +26,18 @@ DARKMODULE DarkLoadLibrary(
 LPVOID lpFileBuffer,
 DWORD dwLen,
 LPCWSTR lpwName
+);
+
+BOOL ParseFileName(
+ PDARKMODULE pdModule,
+ LPWSTR lpwFileName
+);
+
+BOOL ReadFileToBuffer(
+ PDARKMODULE pdModule
+);
+
+BOOL ConcealLibrary(
+ PDARKMODULE pdModule,
+ BOOL bConceal
 );
\ No newline at end of file
diff --git a/DarkLoadLibrary/include/darkmodule.h b/DarkLoadLibrary/include/darkmodule.h
new file mode 100644
index 0000000..2c8982e
--- /dev/null
+++ b/DarkLoadLibrary/include/darkmodule.h
@@ -0,0 +1,12 @@
+#pragma once
+#include
+
+typedef struct _DARKMODULE {
+ BOOL bSuccess;
+ LPWSTR ErrorMsg;
+ PBYTE pbDllData;
+ DWORD dwDllDataLen;
+ LPWSTR LocalDLLName;
+ PWCHAR CrackedDLLName;
+ ULONG_PTR ModuleBase;
+} DARKMODULE, *PDARKMODULE;
diff --git a/DarkLoadLibrary/include/ldrutils.h b/DarkLoadLibrary/include/ldrutils.h
index d909a63..fa29894 100644
--- a/DarkLoadLibrary/include/ldrutils.h
+++ b/DarkLoadLibrary/include/ldrutils.h
@@ -1,7 +1,7 @@
+#pragma once
 #include
-
 #include "pebutils.h"
-#include "darkloadlibrary.h"
+#include "darkmodule.h"
 #define RVA(type, base_addr, rva) (type)((ULONG_PTR) base_addr + rva)
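Review bot: The `_DARKMODULE` typedef in darkloadlibrary.h is commented out rather than deleted, leaving nine lines of dead code behind now that darkmodule.h owns the definition; commented-out code drifts from the live copy and should simply be removed. The new includes also form a cycle: darkloadlibrary.h now pulls in pebutils.h and ldrutils.h, and the pebutils.h hunk of this same patch includes darkloadlibrary.h back. `#pragma once` stops the recursion, but which declarations are visible at a given point becomes include-order dependent; every prototype in this header appears to need only `PDARKMODULE` plus the Windows types already included, so `#include "darkmodule.h"` alone should suffice and the `pebutils.h`/`ldrutils.h` includes can be dropped from this header.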
@@ -14,4 +14,6 @@ typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);
 typedef NTSTATUS(WINAPI *LDRGETPROCADDRESS)(HMODULE, PANSI_STRING, WORD, PVOID*);
 BOOL IsValidPE(PBYTE pbData);
-BOOL MapSections(PDARKMODULE pdModule);
\ No newline at end of file
+BOOL MapSections(PDARKMODULE pdModule);
+BOOL ResolveImports(PDARKMODULE pdModule);
+BOOL BeginExecution(PDARKMODULE pdModule);
\ No newline at end of file
diff --git a/DarkLoadLibrary/include/pebutils.h b/DarkLoadLibrary/include/pebutils.h
index 4772202..706eb68 100644
--- a/DarkLoadLibrary/include/pebutils.h
+++ b/DarkLoadLibrary/include/pebutils.h
@@ -1,6 +1,8 @@
+#pragma once
 #include
 #include
 #include "pebstructs.h"
+#include "darkmodule.h"
 #include "darkloadlibrary.h"
 #ifdef _WIN32
@@ -25,4 +27,35 @@
 #define LDR_HASH_TABLE_ENTRIES 32
 HMODULE IsModulePresent(LPCWSTR lpwName);
-BOOL LinkModuleToPEB(PDARKMODULE pdModule);
\ No newline at end of file
+BOOL LinkModuleToPEB(PDARKMODULE pdModule);
+ULONG LdrHashEntry(UNICODE_STRING UniName, BOOL XorHash);
+PLDR_DATA_TABLE_ENTRY2 FindLdrTableEntry(
+ PCWSTR BaseName
+);
+PRTL_RB_TREE FindModuleBaseAddressIndex();
+BOOL AddBaseAddressEntry(
+ PLDR_DATA_TABLE_ENTRY2 pLdrEntry,
+ PVOID lpBaseAddr
+);
+PLIST_ENTRY FindHashTable();
+VOID InsertTailList(
+ PLIST_ENTRY ListHead,
+ PLIST_ENTRY Entry
+);
+BOOL AddHashTableEntry(
+ PLDR_DATA_TABLE_ENTRY2 pLdrEntry
+);
+
+NTSTATUS RtlHashUnicodeString(
+ PCUNICODE_STRING String,
+ BOOLEAN CaseInSensitive,
+ ULONG HashAlgorithm,
+ PULONG HashValue
+);
+
+void RtlRbInsertNodeEx(
+ RTL_RB_TREE *Tree,
+ RTL_BALANCED_NODE *Parent,
+ BOOLEAN Right,
+ RTL_BALANCED_NODE *Node
+);
From 79656b898db6d51364ec609d2f38ab034927ff04 Mon Sep 17 00:00:00 2001
From: Solomon Sklash
Date: Fri, 18 Jun 2021 15:25:06 -0700
Subject: [PATCH 3/6] Changed ANSI string to Unicode string.
---
 DarkLoadLibrary/src/darkloadlibrary.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
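Review bot: `PRTL_RB_TREE FindModuleBaseAddressIndex();` and `PLIST_ENTRY FindHashTable();` in the second pebutils.h hunk declare functions with an unspecified parameter list, not an empty one — in C a call that passes stray arguments still compiles silently, and with `-Wstrict-prototypes` these are exactly the kind of warning the commit sets out to remove. Write them as `PRTL_RB_TREE FindModuleBaseAddressIndex(void);` and `PLIST_ENTRY FindHashTable(void);`; the `FindModuleBaseAddressIndex()` definition visible in patch 4's pebutils.c hunk has the same `()` form and should be changed to match. The `RtlHashUnicodeString` and `RtlRbInsertNodeEx` prototypes carry no calling convention, which is harmless on x64, but if a 32-bit build is ever a target they need `NTAPI` so the declaration agrees with the ntdll export's convention.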
diff --git a/DarkLoadLibrary/src/darkloadlibrary.c b/DarkLoadLibrary/src/darkloadlibrary.c
index c650bb3..4b7ae52 100644
--- a/DarkLoadLibrary/src/darkloadlibrary.c
+++ b/DarkLoadLibrary/src/darkloadlibrary.c
@@ -58,12 +58,12 @@ BOOL ParseFileName(
 return FALSE;
 }
- PCHAR lpCpy = wcscpy(
+ PWCHAR lpCpy = wcscpy(
 pdModule->CrackedDLLName,
 lpwFilename
 );
- PCHAR lpCat = wcscat(
+ PWCHAR lpCat = wcscat(
 pdModule->CrackedDLLName,
 lpwExt
 );
From b89eb120f40023524bc9e7152dc2a15a7dd71c00 Mon Sep 17 00:00:00 2001
From: Solomon Sklash
Date: Fri, 18 Jun 2021 15:27:14 -0700
Subject: [PATCH 4/6] Initialize integer values with integers to remove warnings.
---
 DarkLoadLibrary/src/pebutils.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/DarkLoadLibrary/src/pebutils.c b/DarkLoadLibrary/src/pebutils.c
index 489f49c..8cd6c4b 100644
--- a/DarkLoadLibrary/src/pebutils.c
+++ b/DarkLoadLibrary/src/pebutils.c
@@ -58,7 +58,7 @@ PLDR_DATA_TABLE_ENTRY2 FindLdrTableEntry(
 PRTL_RB_TREE FindModuleBaseAddressIndex()
 {
- SIZE_T stEnd = NULL;
+ SIZE_T stEnd = 0;
 PRTL_BALANCED_NODE pNode = NULL;
 PRTL_RB_TREE pModBaseAddrIndex = NULL;
@@ -73,8 +73,8 @@ PRTL_RB_TREE FindModuleBaseAddressIndex()
 if (!pNode->Red)
 {
- DWORD dwLen = NULL;
- SIZE_T stBegin = NULL;
+ DWORD dwLen = 0;
+ SIZE_T stBegin = 0;
 PIMAGE_NT_HEADERS pNtHeaders = RVA(
 PIMAGE_NT_HEADERS,
From 879fad76ebdcae1baca0ec1c18a9e714edb4372d Mon Sep 17 00:00:00 2001
From: Solomon Sklash
Date: Fri, 18 Jun 2021 15:28:13 -0700
Subject: [PATCH 5/6] Initialize integer values with integers to remove warnings.
---
 DarkLoadLibrary/src/pebutils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/DarkLoadLibrary/src/pebutils.c b/DarkLoadLibrary/src/pebutils.c
index 8cd6c4b..820161b 100644
--- a/DarkLoadLibrary/src/pebutils.c
+++ b/DarkLoadLibrary/src/pebutils.c
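Review bot: Changing the return type to `PWCHAR` in the ParseFileName hunk fixes the type mismatch, but `lpCpy` and `lpCat` are not used anywhere in the hunk; if they are also unused below it, this trades one warning for an unused-variable warning, and since `wcscpy`/`wcscat` only return their destination pointer the calls can stand alone as statements with no local at all. The copies are also unbounded: their safety rests on `pdModule->CrackedDLLName` having been allocated above the hunk with room for `wcslen(lpwFilename) + wcslen(lpwExt) + 1` wide characters, which is not visible here and deserves either a comment at the allocation or a switch to the size-checked `wcscpy_s`/`wcscat_s` if the toolchain provides them. ParseFileName's body starts before and continues after the hunk.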
@@ -58,7 +58,7 @@ PLDR_DATA_TABLE_ENTRY2 FindLdrTableEntry(
 PRTL_RB_TREE FindModuleBaseAddressIndex()
 {
- SIZE_T stEnd = 0;
+ SIZE_T stEnd = NULL;
 PRTL_BALANCED_NODE pNode = NULL;
 PRTL_RB_TREE pModBaseAddrIndex = NULL;
From 16f1af9c517d280559ef4b797a2af689f91fbe66 Mon Sep 17 00:00:00 2001
From: Solomon Sklash
Date: Fri, 18 Jun 2021 15:28:35 -0700
Subject: [PATCH 6/6] Revert previous commit.
---
 DarkLoadLibrary/src/pebutils.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/DarkLoadLibrary/src/pebutils.c b/DarkLoadLibrary/src/pebutils.c
index 820161b..489f49c 100644
--- a/DarkLoadLibrary/src/pebutils.c
+++ b/DarkLoadLibrary/src/pebutils.c
@@ -73,8 +73,8 @@ PRTL_RB_TREE FindModuleBaseAddressIndex()
 if (!pNode->Red)
 {
- DWORD dwLen = 0;
- SIZE_T stBegin = 0;
+ DWORD dwLen = NULL;
+ SIZE_T stBegin = NULL;
 PIMAGE_NT_HEADERS pNtHeaders = RVA(
 PIMAGE_NT_HEADERS,
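Review bot: This hunk, taken together with patch 5, undoes patch 4 in full: patch 5 put `stEnd` back to `NULL` and this one puts `dwLen` and `stBegin` back to `NULL`, and the post-image blob `489f49c` on the index line is the pre-patch-4 content, so the "integer initialized with NULL" warnings the series set out to remove are back. The message "Revert previous commit" also does not match the diff — the previous commit (patch 5) changed only `stEnd`, while this hunk reverts the remainder of patch 4. If restoring `NULL` is deliberate (for example a toolchain that needs it), the message should say so; otherwise drop patches 5 and 6 and keep `DWORD dwLen = 0;` and `SIZE_T stBegin = 0;` from patch 4. FindModuleBaseAddressIndex's body continues outside both hunks.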