NtLoader.h

#pragma once

#include "../../Include/Winheaders.h"
#include "../../PE/PEImage.h"
#include "../../Include/NativeStructures.h"
#include "../../Include/Macro.h"

namespace blackbone
{

enum LdrRefFlags
{
    Ldr_None      = 0x00,   // Do not create any reference
    Ldr_ModList   = 0x01,   // Add to module list -  LdrpModuleIndex( win8 only ), InMemoryOrderModuleList( win7 only )
    Ldr_HashTable = 0x02,   // Add to LdrpHashTable
    Ldr_ThdCall   = 0x04,   // Add to thread callback list (dllmain will be called with THREAD_ATTACH/DETACH reasons)
    Ldr_All       = 0xFF    // Add to everything
};

ENUM_OPS( LdrRefFlags )


class NtLdr
{
public:
    BLACKBONE_API NtLdr( class Process& proc );
    BLACKBONE_API ~NtLdr( void );

    BLACKBONE_API bool Init();

    BLACKBONE_API bool CreateNTReference(
        HMODULE hMod,
        size_t ImageSize,
        const std::wstring& DllBasePath,
        size_t entryPoint,
        LdrRefFlags flags = Ldr_All
        );

    BLACKBONE_API bool AddStaticTLSEntry( void* pModule, IMAGE_TLS_DIRECTORY *pTls );

    BLACKBONE_API bool InsertInvertedFunctionTable( void* ModuleBase, size_t ImageSize, bool& safeseh );

    BLACKBONE_API bool Unlink( ptr_t baseAddress, const std::wstring& name, eModType type );

    // 
    // Get some not exported values
    //
    BLACKBONE_API inline size_t LdrpInvertedFunctionTable( ) const { return _LdrpInvertedFunctionTable; }
    BLACKBONE_API inline size_t LdrKernel32PatchAddress() const { return _LdrKernel32PatchAddress; }
    BLACKBONE_API inline size_t APC64PatchAddress() const { return _APC64PatchAddress; }

private:

    bool FindLdrpHashTable();

    bool FindLdrpModuleIndexBase();

    bool ScanPatterns();

    bool FindLdrHeap();

    _LDR_DATA_TABLE_ENTRY_W8* InitW8Node(
        void* ModuleBase,
        size_t ImageSize,
        const std::wstring& dllpath,
        size_t entryPoint,
        ULONG& outHash
        );

    _LDR_DATA_TABLE_ENTRY_W7* InitW7Node(
        void* ModuleBase,
        size_t ImageSize,
        const std::wstring& dllpath,
        size_t entryPoint,
        ULONG& outHash
        );

    void InsertTreeNode( _LDR_DATA_TABLE_ENTRY_W8* pNode, size_t modBase );

    void InsertHashNode( size_t pNodeLink, ULONG hash );

    void InsertMemModuleNode( size_t pNodeMemoryOrderLink, size_t pNodeLoadOrderLink, size_t pNodeInitOrderLink );

    void InsertTailList( size_t ListHead, size_t Entry );

    ULONG HashString( const std::wstring& str );

    template<typename T>
    T* SetNode( T* ptr, void* pModule );

    template<typename T> 
    ptr_t UnlinkFromLdr( ptr_t baseAddress, const std::wstring& name );

    template<typename T> 
    ptr_t UnlinkListEntry( _LIST_ENTRY_T<T> pListEntry, ptr_t head, size_t ofst, ptr_t baseAddress );

    template<typename T>
    void UnlinkListEntry( ptr_t pListLink );

    ptr_t UnlinkTreeNode( ptr_t ldrEntry );

    NtLdr( const NtLdr& ) = delete;
    NtLdr& operator =(const NtLdr&) = delete;

private:
    class Process& _process;                        // Process memory routines

    size_t _LdrpHashTable = 0;                      // LdrpHashTable address
    size_t _LdrpModuleIndexBase = 0;                // LdrpModuleIndex address
    size_t _LdrpModuleBase = 0;                     // PEB->Ldr->InLoadOrderModuleList address
    size_t _LdrHeapBase = 0;                        // Loader heap base address
    size_t _LdrKernel32PatchAddress = 0;            // Address to patch to enable kernel32 loading under win7
    size_t _APC64PatchAddress = 0;                  // Address to patch to x64->WOW64 APC dispatching under win7
    size_t _LdrpHandleTlsData = 0;                  // LdrpHandleTlsData address
    size_t _LdrpInvertedFunctionTable = 0;          // LdrpInvertedFunctionTable address
    size_t _RtlInsertInvertedFunctionTable = 0;     // RtlInsertInvertedFunctionTable address

    std::map<HMODULE, void*> _nodeMap;              // Allocated native structures
};

}