Merge branch 'devel1'

Author: hasherezade

loader_v2/.gitignore

@@ -0,0 +1,3 @@
+*.asm
+*.obj
+*.lnk

loader_v2/peb_lookup.h

@@ -41,6 +41,7 @@ inline DWORD calc_checksum(CHAR_TYPE* curr_name, bool case_sensitive)
     }
     return ~crc;
 }
+
 inline LPVOID get_module_by_checksum(DWORD checksum)
 {
     PEB *peb;

loader_v2/peloader.cpp

@@ -92,14 +92,17 @@ bool load_imports(t_mini_iat iat, IMAGE_DATA_DIRECTORY importsDirectory, BYTE* i
         while (thunk->u1.AddressOfData != NULL)
         {
             FIELD_PTR functionAddress = NULL;
+            LPCSTR functionName = NULL;
             if (IMAGE_SNAP_BY_ORDINAL(thunk->u1.Ordinal)) {
-                LPCSTR functionOrdinal = (LPCSTR)IMAGE_ORDINAL(thunk->u1.Ordinal);
-                functionAddress = (FIELD_PTR)iat._GetProcAddress(library, functionOrdinal);
+                functionName = (LPCSTR)IMAGE_ORDINAL(thunk->u1.Ordinal);
             }
             else {
-                PIMAGE_IMPORT_BY_NAME functionName = (PIMAGE_IMPORT_BY_NAME)((FIELD_PTR)image + thunk->u1.AddressOfData);
-                functionAddress = (FIELD_PTR)iat._GetProcAddress(library, functionName->Name);
+                PIMAGE_IMPORT_BY_NAME functionByName = (PIMAGE_IMPORT_BY_NAME)((FIELD_PTR)image + thunk->u1.AddressOfData);
+                functionName = functionByName->Name;
             }
+            if (!functionName) return false;
+
+            functionAddress = (FIELD_PTR)iat._GetProcAddress(library, functionName);
             if (!functionAddress) return false;
 
             thunk->u1.Function = functionAddress;
@@ -120,7 +123,8 @@ bool run_tls_callbacks(IMAGE_DATA_DIRECTORY& tlsDir, BYTE* image)
         FIELD_PTR callback_va = *callbacks_ptr;
         if (!callback_va) break;
 
-        void(NTAPI * callback_func)(PVOID DllHandle, DWORD dwReason, PVOID) = (void(NTAPI*)(PVOID, DWORD, PVOID)) callback_va;
+        void(NTAPI * callback_func)(PVOID DllHandle, DWORD dwReason, PVOID) 
+            = (void(NTAPI*)(PVOID, DWORD, PVOID)) callback_va;
         callback_func(image, DLL_PROCESS_ATTACH, NULL);
 
         callbacks_ptr++;

pe2shc/main.cpp

@@ -4,7 +4,7 @@
 #include "peconv.h"
 #include "resource.h"
 
-#define VERSION "1.0"
+#define VERSION "1.1"
 
 bool overwrite_hdr(BYTE *my_exe, size_t exe_size, DWORD raw, bool is64b)
 {
@@ -17,23 +17,23 @@ bool overwrite_hdr(BYTE *my_exe, size_t exe_size, DWORD raw, bool is64b)
 		"\x45" //inc ebp
 		"\x52" //push edx
 		"\xE8\x00\x00\x00\x00" //call <next_line>
-		"\x5B" // pop ebx
-		"\x48\x83\xEB\x09" // sub ebx,9
-		"\x53" // push ebx (Image Base)
-		"\x48\x81\xC3" // add ebx,
+		"\x58" // pop eax
+		"\x83\xE8\x09" // sub eax,9
+		"\x50" // push eax (Image Base)
+		"\x05" // add eax,
 		"\x59\x04\x00\x00" // value
-		"\xFF\xD3" // call ebx
+		"\xFF\xD0" // call ebx
 		"\xc3"; // ret
 
 	BYTE redir_code64[] = "\x4D\x5A" //pop r10
 		"\x45\x52" //push r10
 		"\xE8\x00\x00\x00\x00" //call <next_line>
 		"\x59" // pop rcx
 		"\x48\x83\xE9\x09" // sub rcx,9 (rcx -> Image Base)
-		"\x48\x8B\xD9" // mov rbx,rcx 
-		"\x48\x81\xC3" // add ebx,
+		"\x48\x8B\xC1" // mov rax,rcx 
+		"\x48\x05" // add eax,
 		"\x59\x04\x00\x00" // value
-		"\xFF\xD3" // call ebx
+		"\xFF\xD0" // call eax
 		"\xc3"; // ret
 
 	redir_code = redir_code32;