LdrLoadDll/LdrGetProcedureAddress

June 6, 2020

//./g++ -fdata-sections -s -g -std=c++14 -masm=intel -m32 -o ldrdll.exe ldrdll.cpp
//./g++ -fdata-sections -s -g -std=c++14 -masm=intel -m64 -o ldrdll.exe ldrdll.cpp


#include <windows.h>
#include <iostream>

typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PVOID Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _ANSI_STRING
{
USHORT Length;
USHORT MaximumLength;
PCHAR Buffer;
} ANSI_STRING, *PANSI_STRING;

typedef void (__stdcall *LdrLoadDll)
(
IN PWCHAR PathToFile OPTIONAL,
IN ULONG Flags OPTIONAL,
IN PUNICODE_STRING ModuleFileName,
OUT HMODULE *ModuleHandle
);

typedef void (__stdcall *LdrGetProcedureAddress)
(
IN HMODULE ModuleHandle,
IN PANSI_STRING FunctionName OPTIONAL,
IN WORD Ordinal OPTIONAL,
OUT PVOID *FunctionAddress
);

typedef void(__stdcall *RtlInitUnicodeString)
(
PUNICODE_STRING DestinationString,
PCWSTR SourceString
);

typedef void(__stdcall *RtlInitAnsiString)
(
PANSI_STRING DestinationString,
PCSTR SourceString
);


WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{

HMODULE ntdllHandle = LoadLibrary("ntdll");
LdrLoadDll LdrLoadDllStruct = (LdrLoadDll)GetProcAddress(ntdllHandle,"LdrLoadDll");
LdrGetProcedureAddress LdrGetProcedureAddressStruct = (LdrGetProcedureAddress)GetProcAddress(ntdllHandle,"LdrGetProcedureAddress");
RtlInitUnicodeString RtlInitUnicodeStringStruct = (RtlInitUnicodeString)GetProcAddress(ntdllHandle,"RtlInitUnicodeString");
RtlInitAnsiString RtlInitAnsiStringStruct = (RtlInitAnsiString)GetProcAddress(ntdllHandle,"RtlInitAnsiString");

HMODULE hModule = 0;
UNICODE_STRING unicodestring;
ANSI_STRING ansistring; 
LPVOID addr;

RtlInitUnicodeStringStruct(&unicodestring,L"user32.dll");
RtlInitAnsiStringStruct(&ansistring,"MessageBoxA");
LdrLoadDllStruct(NULL,0,&unicodestring,&hModule);
LdrGetProcedureAddressStruct(hModule,&ansistring,0,&addr);

std::cout<<hModule<<"\n";  //USER32 BASE
getchar();
std::cout<<addr<<"\n"; //USER32 MBOX LOCATION
getchar();

asm(".byte 0xcc\r\n"); //nop it

FARPROC mbox = (FARPROC)addr;


//X64

asm
(
"mov rcx,0x00\r\n"
"mov rdx,0x00\r\n"
"mov r8,0x00\r\n"
"mov r9,0x00\r\n"
);



//X32
/*
asm
(
"push 0x00\r\n"
"push 0x00\r\n"
"push 0x00\r\n"
"push 0x00\r\n"
);
*/

mbox();


}

Edited June 6, 2020 by JMC31337

Sign In

LdrLoadDll/LdrGetProcedureAddress

Recommended Posts

JMC31337

Create an account or sign in to comment

Create an account

Sign in

Community

Search