Feature: Support converting PE using pe_to_shellcode

2025-11-13 05:23:01 +08:00
parent 924aa1d7e1
commit 086afb36b4
49 changed files with 2664 additions and 10 deletions
--- a/server/2015Remote/libpeconv/peconv/hooks.h
+++ b/server/2015Remote/libpeconv/peconv/hooks.h
@@ -0,0 +1,146 @@
+/**
+* @file
+* @brief   Functions related to hooking the loaded PE. Reditecting/replacing a functions with another.
+*/
+
+#pragma once
+
+#include <windows.h>
+#include "function_resolver.h"
+
+#include <iostream>
+#include <string>
+#include <map>
+#include "peconv/buffer_util.h"
+
+namespace peconv {
+
+    /**
+    A buffer storing a binary patch, that can be applied on a module. Used as a restorable backup in case of function patching.
+    */
+    class PatchBackup {
+    public:
+        /**
+        Creates an empty backup.
+        */
+        PatchBackup()
+            : buffer(nullptr), bufferSize(0), sourcePtr(nullptr)
+        {
+        }
+
+        ~PatchBackup() {
+            deleteBackup();
+        }
+
+        /**
+        Destroys the backup and resets internal fields.
+        */
+        void deleteBackup()
+        {
+            if (buffer) {
+                delete[] buffer;
+                bufferSize = 0;
+                sourcePtr = nullptr;
+            }
+        }
+
+        /**
+        Reads bytes from the binary to the backup. The source buffer must be within the current process.
+        */
+        bool makeBackup(BYTE *patch_ptr, size_t patch_size);
+
+        /**
+        Applies the backup back to the pointer from which it was read.
+        */
+        bool applyBackup();
+
+        /**
+        Checks if the buffer was filled.
+        */
+        bool isBackup()
+        {
+            return buffer != nullptr;
+        }
+
+    protected:
+        BYTE *buffer;
+        size_t bufferSize;
+
+        BYTE *sourcePtr;
+    };
+
+
+    /**
+    A functions resolver that can be used for hooking IAT. Allows for defining functions that are supposed to be replaced.
+    */
+    class hooking_func_resolver : peconv::default_func_resolver {
+    public:
+        /**
+        Define a function that will be replaced.
+        \param name : a name of the function that will be replaced
+        \param function : an address of the replacement function
+        */
+        void add_hook(const std::string &name, FARPROC function)
+        {
+            hooks_map[name] = function;
+        }
+
+        /**
+        Define a DLL that will be replaced.
+        \param dll_name : a name of the DLL to be replaced
+        \param new_dll  : a name of the new DLL that will be loaded instead
+        */
+        void replace_dll(std::string dll_name, const std::string &new_dll)
+        {
+            dll_replacements_map[dll_name] = new_dll;
+        }
+
+        /**
+        Get the address (VA) of the function with the given name, from the given DLL. If the function was hooked, it retrieves the address of the replacement function instead.
+        \param func_name : the name of the function
+        \param lib_name : the name of the DLL
+        \return Virtual Address of the exported function, or the address of the replacement function.
+        */
+        virtual FARPROC resolve_func(LPCSTR lib_name, LPCSTR func_name);
+
+    private:
+        std::map<std::string, FARPROC> hooks_map;
+        std::map<std::string, std::string> dll_replacements_map;
+    };
+
+    /**
+    Installs inline hook at the given ptr. Returns the number of bytes overwriten.
+    64 bit version.
+    \param ptr : pointer to the function to be replaced
+    \param new_offset : VA of the new function
+    \param backup : (optional) backup that can be used to reverse the changes
+    \return size of the applied patch
+    */
+    size_t redirect_to_local64(void *ptr, ULONGLONG new_offset, PatchBackup* backup = nullptr);
+
+    /**
+    Installs inline hook at the given ptr. Returns the number of bytes overwriten.
+    32 bit version.
+    \param ptr : pointer to the function to be replaced
+    \param new_offset : VA of the new function
+    \param backup : (optional) backup that can be used to reverse the changes
+    \return size of the applied patch
+    */
+    size_t redirect_to_local32(void *ptr, DWORD new_offset, PatchBackup* backup = nullptr);
+
+    /**
+    Installs inline hook at the given ptr. Returns the number of bytes overwriten.
+    Uses bitness of the current applications for the bitness of the intalled hook.
+    \param ptr : pointer to the function to be replaced
+    \param new_function_ptr : pointer to the new function
+    \param backup : (optional) backup that can be used to reverse the changes
+    \return size of the applied patch
+    */
+    size_t redirect_to_local(void *ptr, void* new_function_ptr, PatchBackup* backup = nullptr);
+
+    /**
+    Replaces a target address of JMP [DWORD] or CALL [DWORD]
+    */
+    bool replace_target(BYTE *ptr, ULONGLONG dest_addr);
+
+};//namespace peconv