/*!
*
* Exploit
*
* GuidePoint Security LLC
*
* Threat and Attack Simulation
*
!*/
#include "Common.h"
/*
 * Table of ntdll routines resolved at run time by hash rather than through
 * the import table (see the H_API_* values that follow). D_API comes from
 * Common.h; presumably it declares a function-pointer field of the same
 * name — confirm against the macro definition.
 */
typedef struct
{
D_API( RtlAnsiStringToUnicodeString );
D_API( RtlxAnsiStringToUnicodeSize );
D_API( NtAllocateVirtualMemory );
D_API( NtFreeVirtualMemory );
D_API( RtlInitAnsiString );
D_API( _vsnprintf );
} API ;
/*
 * Lookup keys for the API table above. Each is a hash of the export (or
 * module) name; the hashing scheme is whatever PeGetFuncEat/PebGetModule
 * in Common.h implement, so these values must be regenerated with that
 * same routine if a name changes. Nothing here is compared by string.
 */
#define H_API_RTLANSISTRINGTOUNICODESTRING 0x6c606cba /* RtlAnsiStringToUnicodeString */
#define H_API_RTLANSISTRINGTOUNICODESIZE 0xd7aa575e /* RtlAnsiStringToUnicodeSize */
#define H_API_NTALLOCATEVIRTUALMEMORY 0xf783b8ec /* NtAllocateVirtualMemory */
#define H_API_NTFREEVIRTUALMEMORY 0x2802c609 /* NtFreeVirtualMemory */
#define H_API_RTLINITANSISTRING 0xa0c8436d /* RtlInitAnsiString */
#define H_API_VSNPRINTF 0xa59022ce /* _vsnprintf */
#define H_LIB_NTDLL 0x1edab0ed /* ntdll.dll */
/*!
 *
 * Purpose:
 *
 * Creates a formatted ANSI string from a printf-style
 * Format plus variadic arguments, then converts it to
 * a newly allocated UNICODE (UTF-16) string.
 *
 * Parameters:
 *
 * Format - printf-style format. It is passed straight to
 *          _vsnprintf, so it must be a trusted, program-
 *          supplied string; never build it from external
 *          data.
 * ...    - Arguments matching the conversions in Format.
 *
 * Returns:
 *
 * A NUL-terminated wide string allocated with
 * NtAllocateVirtualMemory, or NULL if either allocation
 * fails. Ownership passes to the caller, who releases it
 * with NtFreeVirtualMemory( NtCurrentProcess(), &p, &zero,
 * MEM_RELEASE ) in the same way the ANSI scratch buffer is
 * released below.
 *
 * NOTE(review): the status of RtlAnsiStringToUnicodeString
 * is not checked, so on a conversion failure the function
 * still returns a non-NULL buffer whose contents are only
 * the zero-filled pages.
 *
 !*/
D_SEC( C ) LPWSTR StringPrintfAToW( _In_ LPSTR Format, ... )
{
SIZE_T Len = 0; /* formatted ANSI length, excluding the terminator */
SIZE_T ALn = 0; /* size handed to / returned by Nt*VirtualMemory */
PCHAR ASz = NULL; /* ANSI scratch buffer; always freed before return */
PWCHAR WSz = NULL; /* result, NULL until the wide buffer is ready */
va_list Lst = NULL;
API Api;
ANSI_STRING Ani;
UNICODE_STRING Uni;
RtlSecureZeroMemory( &Api, sizeof( Api ) );
RtlSecureZeroMemory( &Ani, sizeof( Ani ) );
RtlSecureZeroMemory( &Uni, sizeof( Uni ) );
/* Resolve every ntdll routine by hash through the Common.h helpers.
 * None of the results is NULL-checked; a failed lookup would be
 * called through a NULL pointer below. */
Api.RtlAnsiStringToUnicodeString = PeGetFuncEat( PebGetModule( H_LIB_NTDLL ), H_API_RTLANSISTRINGTOUNICODESTRING );
Api.RtlxAnsiStringToUnicodeSize = PeGetFuncEat( PebGetModule( H_LIB_NTDLL ), H_API_RTLANSISTRINGTOUNICODESIZE );
Api.NtAllocateVirtualMemory = PeGetFuncEat( PebGetModule( H_LIB_NTDLL ), H_API_NTALLOCATEVIRTUALMEMORY );
Api.NtFreeVirtualMemory = PeGetFuncEat( PebGetModule( H_LIB_NTDLL ), H_API_NTFREEVIRTUALMEMORY );
Api.RtlInitAnsiString = PeGetFuncEat( PebGetModule( H_LIB_NTDLL ), H_API_RTLINITANSISTRING );
Api._vsnprintf = PeGetFuncEat( PebGetModule( H_LIB_NTDLL ), H_API_VSNPRINTF );
/* First pass: measure only. _vsnprintf returns an int; a negative
 * (error) result is stored into a SIZE_T here and wraps to a huge
 * value rather than being rejected. */
va_start( Lst, Format );
Len = Api._vsnprintf( NULL, 0, Format, Lst );
va_end( Lst );
ALn = Len + sizeof( CHAR ); /* one extra byte for the terminator */
if ( NT_SUCCESS( Api.NtAllocateVirtualMemory( NtCurrentProcess(), &ASz, 0, &ALn, MEM_COMMIT, PAGE_READWRITE ) ) ) {
/* Second pass: format into the buffer. The count is Len rather than
 * ALn, so _vsnprintf writes no terminator of its own; the string is
 * terminated only because freshly committed pages are zero-filled. */
va_start( Lst, Format );
Api._vsnprintf( ASz, Len, Format, Lst );
va_end( Lst );
Api.RtlInitAnsiString( &Ani, ASz );
/* Size the UNICODE_STRING from the ANSI one. The same size is queried
 * three times in a row; computing it once would be clearer. */
Uni.MaximumLength = Api.RtlxAnsiStringToUnicodeSize( &Ani );
Uni.Length = Api.RtlxAnsiStringToUnicodeSize( &Ani );
ALn = Api.RtlxAnsiStringToUnicodeSize( &Ani ) + sizeof( WCHAR );
if ( NT_SUCCESS( Api.NtAllocateVirtualMemory( NtCurrentProcess(), &Uni.Buffer, 0, &ALn, MEM_COMMIT, PAGE_READWRITE ) ) ) {
/* FALSE: convert into the buffer allocated just above instead of
 * letting the RTL allocate one. The status is not checked (see the
 * header note). */
Api.RtlAnsiStringToUnicodeString( &Uni, &Ani, FALSE );
WSz = Uni.Buffer;
};
/* Release the ANSI scratch buffer whether or not the wide allocation
 * succeeded; size 0 with MEM_RELEASE frees the whole region. */
ALn = 0;
Api.NtFreeVirtualMemory( NtCurrentProcess(), &ASz, &ALn, MEM_RELEASE );
};
return WSz;
};