-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathveh_shell.cpp
98 lines (79 loc) · 2.04 KB
/
veh_shell.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#include "includes.hpp"
LONG CODE_SEG(".veh$1") CALLBACK VEHShell(EXCEPTION_POINTERS* EP)
{
volatile auto* data = (VEH_SHELL_DATA*)(VEH_DATA_SIG32);
EXCEPTION_REGISTRATION_RECORD* ex_reg_rec = (EXCEPTION_REGISTRATION_RECORD*)__readfsdword(0x00);
if (!ex_reg_rec)
{
return 0;
}
RTL_INVERTED_FUNCTION_TABLE_ENTRY* entry = nullptr;
if (data->os_version == g_Win7)
{
entry = &((RTL_INVERTED_FUNCTION_TABLE_WIN7*)data->_LdrpInvertedFunctionTable)->Entries[0];
}
else
{
entry = &data->_LdrpInvertedFunctionTable->Entries[0];
}
for (DWORD i = 0; i < data->_LdrpInvertedFunctionTable->Count; ++i)
{
if (entry[i].ImageBase == data->image_base)
{
entry = &entry[i];
break;
}
}
DWORD ptr_dec = DecodeSystemPtr((DWORD)entry->ExceptionDirectory);
DWORD* start = (DWORD*)ptr_dec;
if (data->os_version >= g_Win81)
{
data->_LdrProtectMrdata(FALSE);
}
for (; ex_reg_rec && ex_reg_rec != (EXCEPTION_REGISTRATION_RECORD*)(0xFFFFFFFF) && ex_reg_rec->Next != (EXCEPTION_REGISTRATION_RECORD*)(0xFFFFFFFF); ex_reg_rec = ex_reg_rec->Next)
{
if ((BYTE*)ex_reg_rec->Handler < data->image_base || (BYTE*)ex_reg_rec->Handler >= data->image_base + data->image_size)
{
continue;
}
bool new_handler = false;
for (DWORD* rva = start; rva != nullptr && rva < start + 0x100; ++rva)
{
if (*rva == 0)
{
*rva = (DWORD)ex_reg_rec->Handler - (DWORD)entry->ImageBase;
++entry->ExceptionDirectorySize;
new_handler = true;
break;
}
else if (*rva == (DWORD)ex_reg_rec->Handler - (DWORD)entry->ImageBase)
{
break;
}
}
if (new_handler)
{
for (DWORD i = 0; i < entry->ExceptionDirectorySize; ++i)
{
for (DWORD j = entry->ExceptionDirectorySize - 1; j > i; --j)
{
if (start[j - 1] > start[j])
{
start[j - 1] ^= start[j];
start[j] ^= start[j - 1];
start[j - 1] ^= start[j];
}
}
}
}
}
if (data->os_version >= g_Win81)
{
data->_LdrProtectMrdata(TRUE);
}
return EXCEPTION_CONTINUE_SEARCH;
}
LONG CODE_SEG(".veh$2") CALLBACK VEHShell_End()
{
return 0;
}