
Commit 114d766

author
Josh Lospinoso
committed
Fixed Release linker dependency on version.lib; few C++ tweaks for Issue JLospinoso#3
1 parent 6d6a7ea commit 114d766


2 files changed

+17
-18
lines changed


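--- a/Gargoyle.vcxproj
+++ b/Gargoyle.vcxproj
@@ -91,6 +91,7 @@
 <EnableCOMDATFolding>true</EnableCOMDATFolding>
 <OptimizeReferences>true</OptimizeReferences>
 <GenerateDebugInformation>true</GenerateDebugInformation>
+<AdditionalDependencies>version.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
 </Link>
 </ItemDefinitionGroup>
 <ItemGroup>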

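--- a/main.cpp
+++ b/main.cpp
@@ -3,6 +3,7 @@
 #include <fstream>
 #include "Windows.h"
 #include <psapi.h>
+#include <vector>
 
 using namespace std;
 
@@ -17,7 +18,7 @@ namespace {
 uint32_t relative_offset;
 };
 
-VersionToOffset mshtml_gadget_offset_map[] = {
+vector<VersionToOffset> mshtml_gadget_offset_map = {
 { 11, 0, 14393, 953, 0x003CBD4D },
 { 0, 0, 0, 0, 0x006D55DD } // Provides the default ROP gadget offset (for Windows v8.1?)
 };
@@ -85,29 +86,26 @@ uint32_t get_mshtml_gadget_relative_offset(const char *mshtml_filename) {
 auto version_info_size = GetFileVersionInfoSizeA(mshtml_filename, &version_handle);
 if (version_info_size == 0) throw runtime_error("[-] Couldn't GetFileVersionInfoSize: " + GetLastError());
 
-LPSTR version_data = new char[version_info_size];
-auto result = GetFileVersionInfoA(mshtml_filename, version_handle, version_info_size, version_data);
+vector<char> version_data(version_info_size);
+auto result = GetFileVersionInfoA(mshtml_filename, version_handle, version_info_size, &version_data[0]);
 if (!result) {
-delete[] version_data;
 throw runtime_error("[-] Couldn't GetFileVersionInfo: " + GetLastError());
 }
 
 LPBYTE version_info_buffer;
 UINT version_info_buffer_size;
-result = VerQueryValueA(version_data, "\\", (VOID FAR* FAR*)&version_info_buffer, &version_info_buffer_size);
+result = VerQueryValueA(&version_data[0], "\\", reinterpret_cast<VOID FAR* FAR*>(&version_info_buffer), &version_info_buffer_size);
 if (!result) {
-delete[] version_data;
 throw runtime_error("[-] Couldn't VerQueryValue: " + GetLastError());
 }
 
-VS_FIXEDFILEINFO *version_info = (VS_FIXEDFILEINFO *)version_info_buffer;
+auto *version_info = reinterpret_cast<VS_FIXEDFILEINFO *>(version_info_buffer);
 WORD unpacked_file_version_words[4] = {
 (version_info->dwFileVersionMS >> 16) & 0xffff,
 (version_info->dwFileVersionMS >> 0) & 0xffff,
 (version_info->dwFileVersionLS >> 16) & 0xffff,
 (version_info->dwFileVersionLS >> 0) & 0xffff };
-DWORDLONG unpacked_file_version = *(DWORDLONG *)unpacked_file_version_words;
-delete[] version_data;
+auto unpacked_file_version = *reinterpret_cast<DWORDLONG *>(unpacked_file_version_words);
 
 printf("[ ] Found %s version %d.%d.%d.%d.\n",
 mshtml_filename,
@@ -118,30 +116,30 @@ uint32_t get_mshtml_gadget_relative_offset(const char *mshtml_filename) {
 
 uint32_t relative_offset = 0;
 auto using_default = false;
-int entry_num = 0;
+auto entry_num = 0;
 while (relative_offset == 0) {
-VersionToOffset *version_entry = &mshtml_gadget_offset_map[entry_num];
-if (*(DWORDLONG *)version_entry->file_version == unpacked_file_version
-|| *(DWORDLONG *)version_entry->file_version == 0)
+auto* version_entry = &mshtml_gadget_offset_map[entry_num];
+if (*reinterpret_cast<DWORDLONG *>(version_entry->file_version) == unpacked_file_version
+|| *reinterpret_cast<DWORDLONG *>(version_entry->file_version) == 0)
 relative_offset = version_entry->relative_offset;
-using_default = *(DWORDLONG *)version_entry->file_version == 0;
+using_default = *reinterpret_cast<DWORDLONG *>(version_entry->file_version) == 0;
 ++entry_num;
 }
 
 if (using_default) {
-printf("[*] WARNING: Unrecognized version, so using default relative offset.\n");
+printf("[*] WARNING: Unrecognized version, so using default relative offset.\n");
 }
-printf("[ ] %s ROP gadget is at relative offset 0x%p.\n", mshtml_filename, (void *)relative_offset);
+printf("[ ] %s ROP gadget is at relative offset 0x%p.\n", mshtml_filename, reinterpret_cast<void *>(relative_offset));
 
 return relative_offset;
 }
 
 void* get_mshtml_gadget() {
-LPCSTR mshtml_filename = "mshtml.dll";
+auto mshtml_filename = "mshtml.dll";
 printf("[ ] Loading %s.\n", mshtml_filename);
 auto mshtml_gadget_offset = get_mshtml_gadget_relative_offset(mshtml_filename);
 auto mshtml_base = reinterpret_cast<uint8_t*>(LoadLibraryA(mshtml_filename));
-if (mshtml_base == 0) throw runtime_error("[-] Couldn't LoadLibrary: " + GetLastError());
+if (!mshtml_base) throw runtime_error("[-] Couldn't LoadLibrary: " + GetLastError());
 
 printf("[+] Loaded %s into memory at 0x%p.\n", mshtml_filename, mshtml_base);
 return mshtml_base + mshtml_gadget_offset;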
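Review bot: The exception message on the rewritten LoadLibrary line, `"[-] Couldn't LoadLibrary: " + GetLastError()`, does not concatenate anything; it adds the DWORD to a `const char*`, so `runtime_error` is built from a pointer offset past the end of the literal whenever the error code is non-zero — an out-of-bounds read instead of a diagnostic. The same pattern sits on the GetFileVersionInfoSize, GetFileVersionInfo and VerQueryValue throws in the previous hunk, which this commit leaves as they were. Convert the code to a string first, `throw runtime_error("[-] Couldn't LoadLibrary: " + to_string(GetLastError()));` (`std::to_string` lives in `<string>`, which the visible includes do not show — it may already arrive through another header). Separately, the new `*reinterpret_cast<DWORDLONG *>(version_entry->file_version)` comparisons read the `file_version` array (declared outside the hunk) through an unrelated 64-bit type, which relies on aliasing and alignment the language does not guarantee; `memcmp(version_entry->file_version, unpacked_file_version_words, sizeof unpacked_file_version_words) == 0` expresses the same equality without that assumption. get_mshtml_gadget's body continues past the end of the hunk.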
