implement ability to seperate HMDM entry point from driver entry point

hmdm_entry
TomSie 3 years ago
parent 8cde1226fa
commit b055ac8189

@ -79,7 +79,7 @@ namespace drv
{
reinterpret_cast<std::uintptr_t>(alloc_base),
reinterpret_cast<std::uintptr_t>(alloc_base +
nt_header->OptionalHeader.AddressOfEntryPoint)
locateEntrypoint(image_mapped))
};
}
@ -142,6 +142,38 @@ namespace drv
}
}
auto hmdm_ctx::locateEntrypoint(drv_buffer_t& drv_buffer) const -> DWORD
{
const auto dos_header =
reinterpret_cast<PIMAGE_DOS_HEADER>(drv_buffer.data());
const auto nt_header =
reinterpret_cast<PIMAGE_NT_HEADERS>(
drv_buffer.data() + dos_header->e_lfanew);
DWORD entryPoint = nt_header->OptionalHeader.AddressOfEntryPoint;
ULONG size;
auto export_dir = static_cast<PIMAGE_EXPORT_DIRECTORY>(
::ImageDirectoryEntryToData(drv_buffer.data(),
TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &size));
if (export_dir) {
for (DWORD i = 0; i < export_dir->NumberOfFunctions; i++)
{
DWORD funcnameaddr = *reinterpret_cast<DWORD*>(drv_buffer.data() + export_dir->AddressOfNames + (i * sizeof(DWORD)));
char* funcname = reinterpret_cast<char*>(drv_buffer.data() + funcnameaddr);
if (strcmp(funcname, "drv_entry") == 0) {
entryPoint = *reinterpret_cast<DWORD*>(drv_buffer.data() + export_dir->AddressOfFunctions + (i * sizeof(DWORD)));
break;
}
}
}
return entryPoint;
}
auto hmdm_ctx::resolve_imports(drv_buffer_t& drv_buffer) const -> void
{
ULONG size;
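Review bot: The export lookup in `locateEntrypoint` pairs the i-th name with the i-th entry of `AddressOfFunctions` and bounds the loop by `NumberOfFunctions`, but the PE export name table has `NumberOfNames` entries and reaches the function table only through `AddressOfNameOrdinals`; with more than one export, or any ordinal-only export, the loop can return the wrong RVA or read past the name table. None of the RVAs taken from the image (`e_lfanew`, the export arrays, each name RVA) is checked against the buffer length before it is dereferenced, and `strcmp` assumes the name is terminated inside the buffer, so a malformed driver image leads to out-of-bounds reads in the loader; `size` from `ImageDirectoryEntryToData` is never used. The call site in the first hunk then adds the returned value to `alloc_base` without checking it against the image size. The fence shows the ordinal-table lookup only; the range checks need the buffer's length, which I assume `drv_buffer_t` exposes.

```cpp
auto hmdm_ctx::locateEntrypoint(drv_buffer_t& drv_buffer) const -> DWORD
{
    // … unchanged: dos_header / nt_header lookup, default entryPoint, ImageDirectoryEntryToData call …
    if (export_dir) {
        const auto base = drv_buffer.data();
        const auto names = reinterpret_cast<const DWORD*>(base + export_dir->AddressOfNames);
        const auto ordinals = reinterpret_cast<const WORD*>(base + export_dir->AddressOfNameOrdinals);
        const auto functions = reinterpret_cast<const DWORD*>(base + export_dir->AddressOfFunctions);
        // The name table has NumberOfNames entries; names[i] pairs with ordinals[i], not functions[i].
        for (DWORD i = 0; i < export_dir->NumberOfNames; i++)
        {
            const auto funcname = reinterpret_cast<const char*>(base + names[i]);
            if (strcmp(funcname, "drv_entry") == 0 && ordinals[i] < export_dir->NumberOfFunctions) {
                entryPoint = functions[ordinals[i]];
                break;
            }
        }
    }
    // … unchanged: return entryPoint …
```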

@ -26,5 +26,6 @@ namespace drv
private:
auto resolve_imports(drv_buffer_t& drv_buffer) const -> void;
auto fix_relocs(drv_buffer_t& drv_buffer, uint8_t* alloc_base) const -> void;
auto locateEntrypoint(drv_buffer_t& drv_buffer) const->DWORD;
};
}
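Review bot: The new declaration is named `locateEntrypoint` while its siblings in this class use snake_case (`resolve_imports`, `fix_relocs`), and `const->DWORD` drops the spacing used by the trailing return types above it; `auto locate_entrypoint(drv_buffer_t& drv_buffer) const -> DWORD;` would match, with the definition and the call site renamed to follow. A one-line comment stating that it returns the RVA of the `drv_entry` export and falls back to `AddressOfEntryPoint` when that export is absent would document the contract. The class body starts outside this hunk.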

@ -79,7 +79,7 @@ namespace drv
{
reinterpret_cast<std::uintptr_t>(alloc_base),
reinterpret_cast<std::uintptr_t>(alloc_base +
nt_header->OptionalHeader.AddressOfEntryPoint)
locateEntrypoint(image_mapped))
};
}
@ -142,6 +142,38 @@ namespace drv
}
}
auto hmdm_ctx::locateEntrypoint(drv_buffer_t& drv_buffer) const -> DWORD
{
const auto dos_header =
reinterpret_cast<PIMAGE_DOS_HEADER>(drv_buffer.data());
const auto nt_header =
reinterpret_cast<PIMAGE_NT_HEADERS>(
drv_buffer.data() + dos_header->e_lfanew);
DWORD entryPoint = nt_header->OptionalHeader.AddressOfEntryPoint;
ULONG size;
auto export_dir = static_cast<PIMAGE_EXPORT_DIRECTORY>(
::ImageDirectoryEntryToData(drv_buffer.data(),
TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &size));
if (export_dir) {
for (DWORD i = 0; i < export_dir->NumberOfFunctions; i++)
{
DWORD funcnameaddr = *reinterpret_cast<DWORD*>(drv_buffer.data() + export_dir->AddressOfNames + (i * sizeof(DWORD)));
char* funcname = reinterpret_cast<char*>(drv_buffer.data() + funcnameaddr);
if (strcmp(funcname, "drv_entry") == 0) {
entryPoint = *reinterpret_cast<DWORD*>(drv_buffer.data() + export_dir->AddressOfFunctions + (i * sizeof(DWORD)));
break;
}
}
}
return entryPoint;
}
auto hmdm_ctx::resolve_imports(drv_buffer_t& drv_buffer) const -> void
{
ULONG size;

@ -26,5 +26,6 @@ namespace drv
private:
auto resolve_imports(drv_buffer_t& drv_buffer) const -> void;
auto fix_relocs(drv_buffer_t& drv_buffer, uint8_t* alloc_base) const -> void;
auto locateEntrypoint(drv_buffer_t& drv_buffer) const->DWORD;
};
}