News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests

Main Menu

RtlCompression - Windows Run Time Library Compression

Started by fearless, November 06, 2023, 01:23:14 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

fearless

November 06, 2023, 01:23:14 PM
Continuing the work started in the CD Utility and inspired by the modexp post from odzhan: https://modexp.wordpress.com/2019/12/08/shellcode-compression/#ntdll

I created two RtlCompression libraries (one for x86 and the other for x64) using dll2def.exe on ntdll.dll, editing the ntdll.def file for just the required Run Time Library functions and renamed them RtlCompression_x86.def and RtlCompression_x64.def. Then I used lib.exe to create the import libraries and finally using lib2inc.exe to generate the include files which I edited for completeness and added the constants etc. Also I created radasm api files for both.

Note: The RtlCompression_x86.def file requires @size after the function names for stdcall (x86), but not for fastcall (x64) in the RtlCompression_x64.def file.

x86:
Code Select
lib /def:RtlCompression_x86.def /out:RtlCompression_x86.lib /machine:x86
lib2inc RtlCompression_x86.lib -s
x64:
Code Select
lib /def:RtlCompression_x64.def /out:RtlCompression_x64.lib /machine:x64
lib2inc RtlCompression_x64.lib -s
I also created two test radasm projects just as examples to verify that the libraries worked: RtlCompTest_x86 and RtlCompTest_x64.

Note: I opted to just use the LZNT1 compression as this is available from WinXP+, the Xpress and Xpress with Huffman compression and decompression require Windows 8+ and the use of the RtlDecompressBufferEx, which I did not include in the include files or libraries so that they can be used on WinXP+

For more information, please refer to the Rtl functions:

RtlGetCompressionWorkSpaceSize
RtlCompressBuffer
RtlDecompressBuffer
RtlDecompressFragment

HSE

#1
November 06, 2023, 11:13:08 PM
Hi fearless!

Fantastic work!!

Quote from: fearless on November 06, 2023, 01:23:14 PMtwo test radasm projects just as examples

I think can be helpful a little readme.txt explaining your settings, libraries and links where to obtain what is not in the test package. Then put that readme.txt in each package with same settings.

I'm sure I have here most of your stuff, but that was obtained along the time.  :thumbsup:

Regards, HSE.


Equations in Assembly: SmplMath

jj2007

#2
November 07, 2023, 01:05:43 AM
Did you zip the four attachments above with your own RtlCompression library?  :thumbsup:

fearless

#3
November 07, 2023, 01:13:11 AM
No, lol, just plain old zip files using winrar to do the zipping (paid for a license for winrar :D a while ago after many years of using it, so may as well use it)

jj2007

#4
November 07, 2023, 01:33:16 AM
I was contemplating to use RtlCompressBuffer for an installer but...
Code Select
8653 µs for compressing Windows.inc to 332944 bytes
1013 ms for compressing Windows.inc to 285775 bytes
84 ms  for compressing Windows.inc to 194000 bytes using ZipFiles
I'm not compressed :cool:

Same with 7zip's proprietary *.7z format: 145846 bytes
Print
Go Up Pages1
User actions