#define NT_TRAMP_IMPL
#include "lib.h"
#include <stdio.h>
#include <cstring>
// Payload handed to module_stomp(): a 16-byte NOP sled (0x90) ending in a
// single RET (0xC3), i.e. code that returns immediately if it is ever run.
// The size is spelled out so a stray edit to the bytes fails to compile.
const u8 test_payload[17] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,   // nop x8
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,   // nop x8
    0xC3                                              // ret
};
// Emit a section banner to stdout: a blank line, then the name in brackets.
// Output is exactly "\n[<test_name>]\n"; test_name must be a valid C string.
void print_header(const char* test_name) {
    putchar('\n');
    printf("[%s]\n", test_name);
}
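// ---- section helpers: the parts of main() that own a resource or a raw buffer ----

// Allocate a small RW region via the NT wrappers, write a string into it, flip
// its protection to read-only and back, and release it.
// Returns false only when the allocation itself fails (the harness aborts on
// that); every later step is reported but does not stop the run.
static bool exercise_memory_ops() {
    print_header("BASIC MEMORY OPERATIONS");
    constexpr size_t kRegionSize = 0x2000;
    void* mem1 = virtual_alloc(nullptr, kRegionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!mem1) {
        printf("[-] Allocation failed\n");
        return false;
    }
    printf("[+] Allocated 0x2000 at 0x%p\n", mem1);

    // Copy the NUL terminator as well. The previous byte-by-byte loop stopped
    // at the terminator and only printed a sane string because freshly
    // committed pages happen to be zero-filled.
    const char test_str[] = "Test Data for NT API";
    static_assert(sizeof(test_str) <= kRegionSize, "test string must fit the region");
    char* ptr = static_cast<char*>(mem1);
    memcpy(ptr, test_str, sizeof(test_str));
    printf("[+] Data written: %s\n", ptr);

    DWORD old_prot = 0;
    if (virtual_protect(mem1, kRegionSize, PAGE_READONLY, &old_prot)) {
        printf("[+] Protection changed to PAGE_READONLY (was 0x%lx)\n", old_prot);
    }
    // Check the restore instead of printing success unconditionally; a failed
    // restore would otherwise be reported as "[+]".
    DWORD tmp = 0;
    if (virtual_protect(mem1, kRegionSize, PAGE_READWRITE, &tmp)) {
        printf("[+] Protection restored\n");
    } else {
        printf("[-] Failed to restore PAGE_READWRITE\n");
    }
    if (virtual_free(mem1, MEM_RELEASE)) {
        printf("[+] Memory freed\n");
    }
    return true;
}

// Load a decoy DLL and overwrite part of it with test_payload through
// module_stomp(). The stomped bytes are never executed by this harness; only
// the reported result (decoy base, RX pointer, size) and the fake-unwind
// registration are printed.
static void exercise_module_stomp() {
    print_header("MODULE STOMPING");
    void* stomp_dll = nt_load_library(L"shlwapi.dll");
    if (!stomp_dll) return;   // nothing to stomp; stays silent, as before
    printf("[+] shlwapi.dll loaded at 0x%p\n", stomp_dll);
    stomp_result sr = module_stomp(L"shlwapi.dll", test_payload, sizeof(test_payload));
    if (!sr.ok) return;
    printf("[+] Module stomp successful\n");
    printf(" Decoy base: 0x%p\n", sr.decoy_base);
    printf(" RX pointer: 0x%p\n", sr.rx_ptr);
    printf(" Payload size: 0x%llx\n", sr.payload_size);
    if (register_fake_unwind(sr)) {
        printf("[+] Fake unwind registered\n");
    }
}

// Fetch the current thread's CONTEXT through nt_get_ctx_raw() into a raw byte
// buffer and print Rip. The offsets are those of the AMD64 CONTEXT structure,
// so this section is 64-bit only (enforced by the static_assert).
static void exercise_thread_context() {
    print_header("CONTEXT OPERATIONS");
    static_assert(sizeof(void*) == 8, "raw CONTEXT offsets below assume the AMD64 layout");
    constexpr size_t kCtxBufSize = 0x500;      // >= sizeof(CONTEXT) on AMD64 (0x4D0)
    constexpr size_t kCtxFlagsOffset = 0x30;   // CONTEXT.ContextFlags
    constexpr size_t kCtxRipOffset = 0xF8;     // CONTEXT.Rip
    const u32 ctx_all = 0x0010001F;            // CONTEXT_ALL for AMD64
    void* current_thread = reinterpret_cast<void*>(-2LL);   // NtCurrentThread() pseudo-handle

    alignas(16) u8 ctx[kCtxBufSize];
    memset(ctx, 0, sizeof(ctx));
    // memcpy rather than reinterpret_cast stores/loads into the byte buffer:
    // no aliasing or alignment assumptions on the raw bytes.
    memcpy(ctx + kCtxFlagsOffset, &ctx_all, sizeof(ctx_all));
    if (nt_get_ctx_raw(current_thread, ctx) < 0) return;
    printf("[+] Thread context retrieved\n");
    u64 rip = 0;
    memcpy(&rip, ctx + kCtxRipOffset, sizeof(rip));
    printf(" RIP: 0x%llx\n", rip);
}

// Entry point: walks every feature of the NT native API library in sequence
// and prints one [+]/[-]/[*] line per step. Only a missing ntdll or a failed
// allocation aborts the run (exit code 1); every other failure is reported and
// the next section runs anyway.
//
// Several sections change the running process in ways cleanup() does not undo
// (the PEB edits and the shlwapi.dll unlink, and cleanup() itself reports the
// exit-process patch and DLL-notification blinding as left in place), and the
// anti-debug steps presumably interfere with an attached debugger. Run this in
// a disposable process, ideally an isolated VM, not in a host you care about.
int main() {
    printf("\nNT Native API - Complete Test Suite\n");
    printf("===================================\n");

    print_header("INITIALIZATION & MODULE DISCOVERY");
    nt_init();
    printf("[+] NT cache initialized\n");
    void* ntdll = find_ntdll();
    if (!ntdll) {
        printf("[-] Failed to find ntdll\n");
        return 1;
    }
    // NOTE: "0x%p" double-prefixes on CRTs whose %p already emits "0x"
    // (mingw/glibc); MSVC prints bare hex, which is what this format assumes.
    printf("[+] ntdll found at 0x%p\n", ntdll);
    // Modules are looked up by a name hash (HASH_WIDE_CT; the _CT suffix
    // suggests compile-time hashing). Whether the hash is case-insensitive is
    // decided in lib.h; the two spellings below rely on matching the loader's
    // casing for each module.
    void* kernel32 = find_module(HASH_WIDE_CT(L"KERNEL32.DLL"));
    if (kernel32) printf("[+] kernel32 found at 0x%p\n", kernel32);
    void* kernelbase = find_module(HASH_WIDE_CT(L"KERNELBASE.dll"));
    if (kernelbase) printf("[+] kernelbase found at 0x%p\n", kernelbase);

    print_header("EXPORT RESOLUTION");
    // Exports are resolved by hash as well. Any of these may come back null;
    // the hardware-breakpoint section below checks before using them.
    void* alloc_fn = resolve_ntdll_export(ntdll, HASH_CT("NtAllocateVirtualMemory"));
    if (alloc_fn) printf("[+] NtAllocateVirtualMemory at 0x%p\n", alloc_fn);
    void* protect_fn = resolve_ntdll_export(ntdll, HASH_CT("NtProtectVirtualMemory"));
    if (protect_fn) printf("[+] NtProtectVirtualMemory at 0x%p\n", protect_fn);
    void* exit_fn = resolve_ntdll_export(ntdll, HASH_CT("RtlExitUserProcess"));
    if (exit_fn) printf("[+] RtlExitUserProcess at 0x%p\n", exit_fn);

    print_header("SYSCALL STUB ANALYSIS");
    // find_ssn_halo() recovers the system service number from the stub bytes
    // (the name suggests a Halo's Gate style neighbour walk when a stub is
    // hooked — confirm against lib.h). A returned SSN is printed as-is; the
    // helper's failure value, if any, is not distinguished here.
    u16 alloc_ssn = find_ssn_halo(ntdll, HASH_CT("NtAllocateVirtualMemory"));
    printf("[+] NtAllocateVirtualMemory SSN: 0x%04x\n", alloc_ssn);
    u16 write_ssn = find_ssn_halo(ntdll, HASH_CT("NtWriteVirtualMemory"));
    printf("[+] NtWriteVirtualMemory SSN: 0x%04x\n", write_ssn);
    // Count of stubs that do not look like a clean syscall sequence, i.e. the
    // user-mode hooks an EDR installs in ntdll.
    u32 hooked_count = audit_syscall_stubs(ntdll);
    printf("[*] Hooked syscalls detected: %u\n", hooked_count);
    bool is_hooked = nt_stub_is_hooked(ntdll, HASH_CT("NtAllocateVirtualMemory"));
    printf("[*] NtAllocateVirtualMemory hooked: %s\n", is_hooked ? "YES" : "NO");

    print_header("GADGET MANAGEMENT");
    // g_nt_cache is the library's global state populated by nt_init().
    printf("[*] Total gadgets found: %u\n", g_nt_cache.gadget_count);
    if (g_nt_cache.gadget_count > 0) {
        printf("[+] Current gadget: 0x%llx\n", g_nt_cache.gadget);
        nt_refresh_gadget();   // expected to pick a (possibly different) gadget
        printf("[+] Refreshed gadget: 0x%llx\n", g_nt_cache.gadget);
        if (g_nt_cache.jmp_rbx_gadget)
            printf("[+] JMP RBX gadget: 0x%llx\n", g_nt_cache.jmp_rbx_gadget);
    }

    if (!exercise_memory_ops()) {
        return 1;
    }

    exercise_module_stomp();

    print_header("PEB MANIPULATION");
    harden_peb_anti_debug();
    printf("[+] PEB hardened\n");
    // Unlink the decoy DLL loaded by the stomping section from the PEB loader
    // lists. Anything that enumerates modules via the PEB afterwards (including
    // find_module() itself, if that is how it walks) will no longer see it.
    void* test_module = find_module(HASH_WIDE_CT(L"shlwapi.dll"));
    if (test_module) {
        if (peb_unlink(test_module)) {
            printf("[+] shlwapi.dll unlinked from PEB\n");
        }
    }

    print_header("DEBUGGING & THREAD CONTROL");
    if (hide_thread_from_debugger()) {
        printf("[+] Thread hidden from debugger\n");
    }
    // Only arm a debug register on an address that was actually resolved; a
    // null target would set a meaningless breakpoint at address 0. The
    // breakpoints stay armed until cleanup() clears them.
    if (alloc_fn && set_hwbp_self(0, alloc_fn)) {
        printf("[+] Hardware breakpoint 0 set\n");
    }
    if (protect_fn && set_hwbp_self(1, protect_fn)) {
        printf("[+] Hardware breakpoint 1 set\n");
    }

    print_header("TIMING & PERFORMANCE");
    u64 perf1 = nt_perf_counter();
    printf("[+] Performance counter: 0x%llx\n", perf1);
    nt_sleep_ms(100);
    printf("[+] Slept 100ms\n");
    u64 perf2 = nt_perf_counter();
    printf("[+] Performance counter: 0x%llx (delta: 0x%llx)\n", perf2, perf2 - perf1);

    print_header("DLL NOTIFICATION BLINDING");
    blind_dll_notifications();
    printf("[+] DLL notifications blinded\n");

    print_header("PROCESS EXIT PATCHING");
    patch_exit_process();
    printf("[+] RtlExitUserProcess patched\n");

    print_header("HANDLE OPERATIONS");
    // (HANDLE)-1 is the current-process pseudo-handle. Whether the kernel
    // reports success for closing it is not decided here; the harness only
    // prints when the returned status is non-negative (NT_SUCCESS-style check).
    void* proc_handle = reinterpret_cast<void*>(-1LL);
    if (nt_close_handle(proc_handle) >= 0) {
        printf("[+] Handle operation completed\n");
    }

    exercise_thread_context();

    print_header("CLEANUP & FINALIZATION");
    cleanup();
    printf("[+] Cleanup completed\n");
    printf(" VEH handler removed\n");
    printf(" Hardware breakpoints cleared\n");
    printf(" Exit process patches applied\n");
    printf(" DLL notifications blinded\n");
    printf("\n");
    printf("===================================\n");
    printf("Test Suite Completed\n");
    printf("===================================\n\n");
    return 0;
}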