diff --git a/HMDM-MSREXEC/hmdm_ctx.cpp b/HMDM-MSREXEC/hmdm_ctx.cpp
index 201f172..446022c 100644
--- a/HMDM-MSREXEC/hmdm_ctx.cpp
+++ b/HMDM-MSREXEC/hmdm_ctx.cpp
@@ -79,7 +79,7 @@ namespace drv
 {
 reinterpret_cast(alloc_base),
 reinterpret_cast(alloc_base +
- nt_header->OptionalHeader.AddressOfEntryPoint)
+ locateEntrypoint(image_mapped))
 };
 }
@@ -142,6 +142,38 @@ namespace drv
 }
 }
+ auto hmdm_ctx::locateEntrypoint(drv_buffer_t& drv_buffer) const -> DWORD
+ {
+ const auto dos_header =
+ reinterpret_cast(drv_buffer.data());
+
+ const auto nt_header =
+ reinterpret_cast(
+ drv_buffer.data() + dos_header->e_lfanew);
+
+ DWORD entryPoint = nt_header->OptionalHeader.AddressOfEntryPoint;
+
+ ULONG size;
+ auto export_dir = static_cast(
+ ::ImageDirectoryEntryToData(drv_buffer.data(),
+ TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &size));
+
+ if (export_dir) {
+ for (DWORD i = 0; i < export_dir->NumberOfFunctions; i++)
+ {
+ DWORD funcnameaddr = *reinterpret_cast(drv_buffer.data() + export_dir->AddressOfNames + (i * sizeof(DWORD)));
+ char* funcname = reinterpret_cast(drv_buffer.data() + funcnameaddr);
+ if (strcmp(funcname, "drv_entry") == 0) {
+ entryPoint = *reinterpret_cast(drv_buffer.data() + export_dir->AddressOfFunctions + (i * sizeof(DWORD)));
+
+ break;
+ }
+ }
+ }
+
+ return entryPoint;
+ }
+
 auto hmdm_ctx::resolve_imports(drv_buffer_t& drv_buffer) const -> void
 {
 ULONG size;
diff --git a/HMDM-MSREXEC/hmdm_ctx.h b/HMDM-MSREXEC/hmdm_ctx.h
index c2ea269..0acc925 100644
--- a/HMDM-MSREXEC/hmdm_ctx.h
+++ b/HMDM-MSREXEC/hmdm_ctx.h
@@ -26,5 +26,6 @@ namespace drv
 private:
 auto resolve_imports(drv_buffer_t& drv_buffer) const -> void;
 auto fix_relocs(drv_buffer_t& drv_buffer, uint8_t* alloc_base) const -> void;
+ auto locateEntrypoint(drv_buffer_t& drv_buffer) const->DWORD;
 };
 }
\ No newline at end of file
diff --git a/HMDM-VDM/hmdm_ctx.cpp b/HMDM-VDM/hmdm_ctx.cpp
index 201f172..8a1a2fb 100644
--- a/HMDM-VDM/hmdm_ctx.cpp
+++ b/HMDM-VDM/hmdm_ctx.cpp
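Review bot: The export walk in locateEntrypoint loops to NumberOfFunctions while indexing AddressOfNames, then reads AddressOfFunctions at the same index i, but the name table holds NumberOfNames entries and maps to a function slot through AddressOfNameOrdinals, so the loop can read past the name table and, when ordinal order differs from name order, returns the RVA of a different export. Nothing in the function checks e_lfanew, the export RVAs or the name strings against the buffer length, so a malformed image reads outside drv_buffer and strcmp runs on an unterminated string; the rewrite below bounds every RVA before dereferencing it and assumes drv_buffer_t exposes size(), which this diff does not show. The identical function is added in HMDM-VDM/hmdm_ctx.cpp and needs the same change. A one-line comment on the definition, `// Returns the RVA of the exported "drv_entry" if present, else OptionalHeader.AddressOfEntryPoint.`, would also state the fallback the call site at line 79 relies on.
```cpp
// … unchanged: dos_header / nt_header / entryPoint / export_dir lookup …
if (export_dir) {
    const auto base = drv_buffer.data();
    const auto len = drv_buffer.size();   // assumes drv_buffer_t exposes its length
    // An RVA is usable only if [rva, rva + bytes) lies inside the mapped image.
    const auto in_image = [len](DWORD rva, size_t bytes) {
        return rva < len && bytes <= len - rva;
    };
    const DWORD count = export_dir->NumberOfNames;   // names table, not NumberOfFunctions
    if (in_image(export_dir->AddressOfNames, count * sizeof(DWORD)) &&
        in_image(export_dir->AddressOfNameOrdinals, count * sizeof(WORD)))
    {
        const auto names = reinterpret_cast<const DWORD*>(base + export_dir->AddressOfNames);
        const auto ordinals = reinterpret_cast<const WORD*>(base + export_dir->AddressOfNameOrdinals);
        for (DWORD i = 0; i < count; i++)
        {
            // The name must be NUL-terminated inside the image before strcmp may touch it.
            if (!in_image(names[i], 1) ||
                !memchr(base + names[i], '\0', len - names[i]))
                continue;
            const auto funcname = reinterpret_cast<const char*>(base + names[i]);
            if (strcmp(funcname, "drv_entry") != 0)
                continue;
            // The name table is parallel to the ordinal table, not to AddressOfFunctions.
            const DWORD idx = ordinals[i];
            if (idx < export_dir->NumberOfFunctions &&
                in_image(export_dir->AddressOfFunctions, (idx + 1) * sizeof(DWORD)))
                entryPoint = *reinterpret_cast<const DWORD*>(base + export_dir->AddressOfFunctions + idx * sizeof(DWORD));
            break;
        }
    }
}
// … unchanged: return entryPoint …
```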
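Review bot: The new declaration `auto locateEntrypoint(drv_buffer_t& drv_buffer) const->DWORD;` breaks the naming and spacing of its two siblings in the same private section, which are snake_case with `const -> void`; `auto locate_entrypoint(drv_buffer_t& drv_buffer) const -> DWORD;` (renamed at the definition and the call site as well) keeps the class consistent. The function only reads the buffer, so `const drv_buffer_t&` would document that, provided its reinterpret_casts target const pointee types; resolve_imports and fix_relocs take a non-const reference, so this is a judgement call. The same declaration is added to HMDM-VDM/hmdm_ctx.h.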
@@ -79,7 +79,7 @@ namespace drv
 {
 reinterpret_cast(alloc_base),
 reinterpret_cast(alloc_base +
- nt_header->OptionalHeader.AddressOfEntryPoint)
+ locateEntrypoint(image_mapped))
 };
 }
@@ -142,6 +142,38 @@ namespace drv
 }
 }
+ auto hmdm_ctx::locateEntrypoint(drv_buffer_t& drv_buffer) const -> DWORD
+ {
+ const auto dos_header =
+ reinterpret_cast(drv_buffer.data());
+
+ const auto nt_header =
+ reinterpret_cast(
+ drv_buffer.data() + dos_header->e_lfanew);
+
+ DWORD entryPoint = nt_header->OptionalHeader.AddressOfEntryPoint;
+
+ ULONG size;
+ auto export_dir = static_cast(
+ ::ImageDirectoryEntryToData(drv_buffer.data(),
+ TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &size));
+
+ if (export_dir) {
+ for (DWORD i = 0; i < export_dir->NumberOfFunctions; i++)
+ {
+ DWORD funcnameaddr = *reinterpret_cast(drv_buffer.data() + export_dir->AddressOfNames + (i * sizeof(DWORD)));
+ char* funcname = reinterpret_cast(drv_buffer.data() + funcnameaddr);
+ if (strcmp(funcname, "drv_entry") == 0) {
+ entryPoint = *reinterpret_cast(drv_buffer.data() + export_dir->AddressOfFunctions + (i * sizeof(DWORD)));
+
+ break;
+ }
+ }
+ }
+
+ return entryPoint;
+ }
+
 auto hmdm_ctx::resolve_imports(drv_buffer_t& drv_buffer) const -> void
 {
 ULONG size;
diff --git a/HMDM-VDM/hmdm_ctx.h b/HMDM-VDM/hmdm_ctx.h
index 0540120..2fdcd9f 100644
--- a/HMDM-VDM/hmdm_ctx.h
+++ b/HMDM-VDM/hmdm_ctx.h
@@ -26,5 +26,6 @@ namespace drv
 private:
 auto resolve_imports(drv_buffer_t& drv_buffer) const -> void;
 auto fix_relocs(drv_buffer_t& drv_buffer, uint8_t* alloc_base) const -> void;
+ auto locateEntrypoint(drv_buffer_t& drv_buffer) const->DWORD;
 };
 }
\ No newline at end of file