authorboris <wzn@moneybot.cc>2018-11-29 12:27:47 +1300
committerboris <wzn@moneybot.cc>2018-11-29 12:27:47 +1300
commitfaf3603d97986f75b36da2010faad303a7e289cf (patch)
tree853bdbedf6301a22bbd203f30d0e5a5c11bf3a1b /loader/client/syscall.cpp
parentc163c5575af4d1e7755510b03a7cd7809869eeef (diff)
hook
Diffstat (limited to 'loader/client/syscall.cpp')
-rw-r--r--loader/client/syscall.cpp57
1 files changed, 39 insertions, 18 deletions
diff --git a/loader/client/syscall.cpp b/loader/client/syscall.cpp
index 7257456..880eabf 100644
--- a/loader/client/syscall.cpp
+++ b/loader/client/syscall.cpp
@@ -2,10 +2,10 @@
#include <vector>
#include <fstream>
-//fuck balloon head
+// fuck balloon head
namespace syscall {
- uint8_t *c_syscall_mgr::load_ntdll() {
- //load ntdll from disk
+ file_t c_syscall_mgr::load_ntdll() {
+ // load ntdll from disk
char path[MAX_PATH];
GetSystemDirectoryA(path, MAX_PATH);
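Review bot: The new `file_t` return type still hands the caller a raw owning `uint8_t*`, so every path in `start()` must `delete[]` it (the two failure branches in the later hunks do), and nothing in the pair type records that ownership. With `<vector>` already included, returning a `std::vector<uint8_t>` that is empty on failure would make the buffer self-releasing and remove the manual deletes; failing that, the `file_t` declaration should carry a comment such as `// owning buffer (caller delete[]s) and its byte length; {nullptr, 0} on failure`. The return value of `GetSystemDirectoryA` on the last hunk line is also unchecked, so a failure leaves `path` uninitialized before it is used. `load_ntdll` continues past this hunk.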
@@ -14,7 +14,7 @@ namespace syscall {
FILE* file;
if (fopen_s(&file, ntdll_path.c_str(), "rb") != 0)
- return nullptr;
+ return file_t{ nullptr, 0 };
fseek(file, 0, SEEK_END);
size_t ntdll_size = ftell(file);
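Review bot: `ftell` on the last hunk line returns `long` and yields -1 on error, which the `size_t` initialization silently turns into `SIZE_MAX` before the value reaches whatever allocation follows outside the hunk; the `fseek` return on the line before is likewise unchecked. Both should be tested before the conversion, closing the file and returning the same `file_t{ nullptr, 0 }` sentinel the new code already uses for the `fopen_s` failure. The rest of `load_ntdll` is outside the hunk.
```cpp
	if (fseek(file, 0, SEEK_END) != 0) {
		fclose(file);
		return file_t{ nullptr, 0 };
	}
	const long file_len = ftell(file);
	if (file_len < 0) {
		fclose(file);
		return file_t{ nullptr, 0 };
	}
	size_t ntdll_size = (size_t)file_len;
	// … unchanged: remainder of load_ntdll …
```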
@@ -24,16 +24,23 @@ namespace syscall {
fread(ntdll, ntdll_size, 1, file);
fclose(file);
- return ntdll;
+ return file_t{ ntdll, ntdll_size };
}
bool c_syscall_mgr::start() {
- uint8_t* ntdll = load_ntdll();
+ // thing
+ const auto ntdll_file = load_ntdll();
+
+ // other thing
+ const auto ntdll = ntdll_file.first;
+ const auto ntdll_size = ntdll_file.second;
+
if (!ntdll)
return false;
- IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)(&ntdll[0]);
- IMAGE_NT_HEADERS* nt_header = (IMAGE_NT_HEADERS*)(&ntdll[dos_header->e_lfanew]);
+ // read pe
+ IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)(&ntdll[0]);
+ IMAGE_NT_HEADERS* nt_header = (IMAGE_NT_HEADERS*)(&ntdll[dos_header->e_lfanew]);
if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
delete[] ntdll;
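Review bot: `ntdll_size` is unpacked from the pair in this hunk but the header pointers formed from `e_lfanew` a few lines later are never checked against it, and `nt_header` is formed before the `e_magic` test that follows. The size is now in scope exactly for this purpose, so the DOS header should be validated against `ntdll_size` before it is read and `e_lfanew` against the remaining length before `nt_header` is formed. The placeholder comments `// thing`, `// other thing` and `// read pe` should say what the values are, e.g. `// load_ntdll() returns {buffer, byte length}; buffer is nullptr on failure`. The `fread` at the top of the hunk also ignores a short read, which would leave the tail of the buffer uninitialized while `ntdll_size` still reports the full length. `start()` continues outside the hunk.
```cpp
	if (!ntdll)
		return false;

	// the file must at least hold a DOS header before e_lfanew can be read
	if (ntdll_size < sizeof(IMAGE_DOS_HEADER)) {
		delete[] ntdll;
		return false;
	}

	IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)(&ntdll[0]);
	// reject a bad magic or an e_lfanew that would place the NT headers past the buffer
	if (dos_header->e_magic != IMAGE_DOS_SIGNATURE
		|| dos_header->e_lfanew < 0
		|| (size_t)dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS) > ntdll_size) {
		delete[] ntdll;
		return false;
	}
	IMAGE_NT_HEADERS* nt_header = (IMAGE_NT_HEADERS*)(&ntdll[dos_header->e_lfanew]);
	// … unchanged: rest of start() …
```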
@@ -45,6 +52,7 @@ namespace syscall {
return false;
}
+ // find section
IMAGE_SECTION_HEADER* section_header = (IMAGE_SECTION_HEADER*)(&ntdll[dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS)]);
uintptr_t export_rva = nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
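Review bot: `section_header` on the second hunk line is placed at `e_lfanew + sizeof(IMAGE_NT_HEADERS)`, which assumes the optional header is exactly the size the struct declares; the section table actually begins `FileHeader.SizeOfOptionalHeader` bytes after the file header, which is what the SDK macro `IMAGE_FIRST_SECTION(nt_header)` computes. `IMAGE_SECTION_HEADER* section_header = IMAGE_FIRST_SECTION(nt_header);` removes the hard-coded size. The new `// find section` comment would be more useful as `// section table: used below to translate RVAs into file offsets, since the image was read from disk rather than mapped`. The section loop continues outside the hunk.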
@@ -54,15 +62,15 @@ namespace syscall {
delta = section_header[i].VirtualAddress - section_header[i].PointerToRawData;
}
- //exports
+ // aaa exports
IMAGE_EXPORT_DIRECTORY* export_directory = (IMAGE_EXPORT_DIRECTORY*)(&ntdll[export_rva - delta]);
- size_t number_of_functions = export_directory->NumberOfFunctions;
+ int number_of_functions = export_directory->NumberOfFunctions;
uintptr_t names = export_directory->AddressOfNames - delta;
uintptr_t funcs = export_directory->AddressOfFunctions - delta;
uintptr_t ords = export_directory->AddressOfNameOrdinals - delta;
-
- for (size_t i = 0; i < number_of_functions; i++) {
+ int i = 0;
+ for (; i < number_of_functions; i++) {
uint32_t name_rva = *(uint32_t*)(&ntdll[names + i * sizeof(uint32_t)]) - delta;
char* name = (char*)(&ntdll[name_rva]);
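Review bot: The loop on the last lines of the hunk indexes the name-pointer table (`AddressOfNames`) but its bound is `NumberOfFunctions`; that table, and presumably the ordinal table read on the following line, have `NumberOfNames` entries, which is usually smaller, so the tail of the loop reads name RVAs past the end of the table. The bound should be `const DWORD number_of_names = export_directory->NumberOfNames;` with `for (DWORD i = 0; i < number_of_names; i++)`, which also drops the `int` narrowing of a `DWORD` introduced on the `number_of_functions` line. Hoisting `i` out of the `for` header widens its scope for no reason visible here; unless it is read after the loop it should go back in. `name_rva` is also not compared against the buffer length before `name` is formed from it. The loop body continues outside the hunk.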
@@ -70,27 +78,40 @@ namespace syscall {
uint32_t func_rva = *(uint32_t*)(&ntdll[funcs + ordinal * sizeof(uint32_t)]);
uint32_t func_delta = 0;
- for (size_t j = 0; j < nt_header->FileHeader.NumberOfSections; j++) {
+ for (int j = 0; j < nt_header->FileHeader.NumberOfSections; j++) {
if (func_rva > section_header[j].VirtualAddress)
func_delta = section_header[j].VirtualAddress - section_header[j].PointerToRawData;
}
func_rva -= func_delta;
- uint32_t code = *(uint32_t*)(&ntdll[func_rva + 0]);//crashes here?
+ // hAHAHAHAHAHAHAHAHHAHA
+ // okay this isn't code genius
+ //if (m_syscalls.size() >= 865)
+ // break;
+
+ // okay now this is epic
+ const auto offset = (uintptr_t)ntdll + func_rva;
+ const auto ntdll_bound = (uintptr_t)ntdll + ntdll_size;
+
+ if (offset >= ntdll_bound)
+ break;
+
+ uint32_t code = *(uint32_t*)(&ntdll[func_rva + 0]);
uint32_t index = *(uint32_t*)(&ntdll[func_rva + 4]);
- //syscall
- if (code == 0xB8D18B4C)
- {
+ // syscall
+ if (code == 0xB8D18B4C) {
m_syscalls[hash::fnv1a(name)].set_index(index);
+ printf("n:%s h:%08x i:%08x\n", name, hash::fnv1a(name), index);
}
}
delete[] ntdll;
- // check if we succesfully got the syscalls
+ // check if we successfully got the syscalls
hash_t hash = fnv("ZwWriteVirtualMemory");
+
if (m_syscalls.find(hash) != m_syscalls.end())
return m_syscalls[hash].validate();