diff --git a/.gitignore b/.gitignore index 8173ee7f..f0e7d6de 100644 --- a/.gitignore +++ b/.gitignore @@ -338,4 +338,5 @@ ASALocalRun/ # BeatPulse healthcheck temp database healthchecksdb -/test/a.dll \ No newline at end of file +/test/a.dll +/MemoryModule/DebugDll diff --git a/3rdparty/phnt/include/ntioapi.h b/3rdparty/phnt/include/ntioapi.h index a08f8775..bfcaf20d 100644 --- a/3rdparty/phnt/include/ntioapi.h +++ b/3rdparty/phnt/include/ntioapi.h @@ -774,22 +774,6 @@ typedef struct _FILE_ID_EXTD_BOTH_DIR_INFORMATION WCHAR FileName[1]; } FILE_ID_EXTD_BOTH_DIR_INFORMATION, *PFILE_ID_EXTD_BOTH_DIR_INFORMATION; -// private -typedef struct _FILE_STAT_INFORMATION -{ - LARGE_INTEGER FileId; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER AllocationSize; - LARGE_INTEGER EndOfFile; - ULONG FileAttributes; - ULONG ReparseTag; - ULONG NumberOfLinks; - ACCESS_MASK EffectiveAccess; -} FILE_STAT_INFORMATION, *PFILE_STAT_INFORMATION; - // private typedef struct _FILE_MEMORY_PARTITION_INFORMATION { @@ -805,43 +789,6 @@ typedef struct _FILE_MEMORY_PARTITION_INFORMATION } Flags; } FILE_MEMORY_PARTITION_INFORMATION, *PFILE_MEMORY_PARTITION_INFORMATION; -// LxFlags -#define LX_FILE_METADATA_HAS_UID 0x1 -#define LX_FILE_METADATA_HAS_GID 0x2 -#define LX_FILE_METADATA_HAS_MODE 0x4 -#define LX_FILE_METADATA_HAS_DEVICE_ID 0x8 -#define LX_FILE_CASE_SENSITIVE_DIR 0x10 - -// private -typedef struct _FILE_STAT_LX_INFORMATION -{ - LARGE_INTEGER FileId; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER AllocationSize; - LARGE_INTEGER EndOfFile; - ULONG FileAttributes; - ULONG ReparseTag; - ULONG NumberOfLinks; - ACCESS_MASK EffectiveAccess; - ULONG LxFlags; - ULONG LxUid; - ULONG LxGid; - ULONG LxMode; - ULONG LxDeviceIdMajor; - ULONG LxDeviceIdMinor; -} FILE_STAT_LX_INFORMATION, *PFILE_STAT_LX_INFORMATION; - -#define FILE_CS_FLAG_CASE_SENSITIVE_DIR 0x00000001 - -// private -typedef struct _FILE_CASE_SENSITIVE_INFORMATION -{ - ULONG Flags; -} FILE_CASE_SENSITIVE_INFORMATION, *PFILE_CASE_SENSITIVE_INFORMATION; - // private typedef enum _FILE_KNOWN_FOLDER_TYPE { diff --git a/MemoryModule/Initialize.cpp b/MemoryModule/Initialize.cpp index 4733dd98..aa023c8e 100644 --- a/MemoryModule/Initialize.cpp +++ b/MemoryModule/Initialize.cpp @@ -1,7 +1,7 @@ #include "stdafx.h" #include "LoaderPrivate.h" #include -#include +#include PMMP_GLOBAL_DATA MmpGlobalDataPtr; @@ -337,12 +337,21 @@ NTSTATUS MmpAllocateGlobalData() { SIZE_T ViewSize = 0; PTEB teb = NtCurrentTeb(); - swprintf_s( - buffer, - L"\\Sessions\\%d\\BaseNamedObjects\\MMPP*%p", - NtCurrentPeb()->SessionId, - (PVOID)(~(ULONG_PTR)teb->ClientId.UniqueProcess ^ (ULONG_PTR)teb->ProcessEnvironmentBlock->ProcessHeap) - ); + if (NtCurrentPeb()->SessionId == 0) { + swprintf_s( + buffer, + L"\\BaseNamedObjects\\MMPP*%p", + (PVOID)(~(ULONG_PTR)teb->ClientId.UniqueProcess ^ (ULONG_PTR)teb->ProcessEnvironmentBlock->ProcessHeap) + ); + } + else { + swprintf_s( + buffer, + L"\\Sessions\\%d\\BaseNamedObjects\\MMPP*%p", + NtCurrentPeb()->SessionId, + (PVOID)(~(ULONG_PTR)teb->ClientId.UniqueProcess ^ (ULONG_PTR)teb->ProcessEnvironmentBlock->ProcessHeap) + ); + } RtlInitUnicodeString(&us, buffer); InitializeObjectAttributes(&oa, &us, 0, nullptr, nullptr); @@ -429,6 +438,7 @@ NTSTATUS InitializeLockHeld() { status = STATUS_NOT_SUPPORTED; } else { + ++MmpGlobalDataPtr->ReferenceCount; status = STATUS_SUCCESS; } } @@ -439,6 +449,7 @@ NTSTATUS InitializeLockHeld() { MmpGlobalDataPtr->MajorVersion = MEMORY_MODULE_MAJOR_VERSION; MmpGlobalDataPtr->MinorVersion = MEMORY_MODULE_MINOR_VERSION; MmpGlobalDataPtr->BaseAddress = MmpGlobalDataPtr; + MmpGlobalDataPtr->ReferenceCount = 1; GetSystemInfo(&MmpGlobalDataPtr->SystemInfo); @@ -495,16 +506,74 @@ NTSTATUS InitializeLockHeld() { return status; } -NTSTATUS NTAPI Initialize() { +NTSTATUS NTAPI MmInitialize() { NTSTATUS status; - RtlAcquirePebLock(); - status = InitializeLockHeld(); - RtlReleasePebLock(); + PVOID cookie; + LdrLockLoaderLock(LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS, nullptr, &cookie); + + __try { + status = InitializeLockHeld(); + } + __finally { + LdrUnlockLoaderLock(LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS, cookie); + } return status; } +NTSTATUS CleanupLockHeld() { + + PLIST_ENTRY ListHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList, ListEntry = ListHead->Flink; + PLDR_DATA_TABLE_ENTRY CurEntry; + + while (ListEntry != ListHead) { + CurEntry = CONTAINING_RECORD(ListEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); + ListEntry = ListEntry->Flink; + + if (IsValidMemoryModuleHandle((HMEMORYMODULE)CurEntry->DllBase)) { + + // + // Make sure all memory module is unloaded. + // + + return STATUS_NOT_SUPPORTED; + } + } + + if (--MmpGlobalDataPtr->ReferenceCount > 0) { + return STATUS_SUCCESS; + } + + MmpTlsCleanup(); + MmpCleanupDotNetHooks(); + + NtUnmapViewOfSection(NtCurrentProcess(), MmpGlobalDataPtr->BaseAddress); + MmpGlobalDataPtr = nullptr; + return STATUS_SUCCESS; +} + +NTSTATUS NTAPI MmCleanup() { + NTSTATUS status; + PVOID cookie; + LdrLockLoaderLock(LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS, nullptr, &cookie); + + __try { + + if (MmpGlobalDataPtr == nullptr) { + status = STATUS_ACCESS_VIOLATION; + __leave; + } + + status = CleanupLockHeld(); + } + __finally { + LdrUnlockLoaderLock(LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS, cookie); + } + + return status; +} + #ifdef _USRDLL extern "C" __declspec(dllexport) BOOL WINAPI ReflectiveMapDll(HMODULE hModule) { PIMAGE_NT_HEADERS headers = RtlImageNtHeader(hModule); @@ -533,19 +602,25 @@ extern "C" __declspec(dllexport) BOOL WINAPI ReflectiveMapDll(HMODULE hModule) { BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { if (ul_reason_for_call == DLL_PROCESS_ATTACH) { - if (NT_SUCCESS(Initialize())) { +#ifdef _HAS_AUTO_INITIALIZE + if (NT_SUCCESS(MmInitialize())) { if (lpReserved == (PVOID)-1) { - assert(ReflectiveMapDll(hModule)); + if (!ReflectiveMapDll(hModule)) { + RtlRaiseStatus(STATUS_NOT_SUPPORTED); + } } return TRUE; } return FALSE; +#endif } return TRUE; } #else -const NTSTATUS Initializer = Initialize(); +#ifdef _HAS_AUTO_INITIALIZE +const NTSTATUS Initializer = MmInitialize(); +#endif #endif diff --git a/MemoryModule/Initialize.h b/MemoryModule/Initialize.h new file mode 100644 index 00000000..655df6ed --- /dev/null +++ b/MemoryModule/Initialize.h @@ -0,0 +1,9 @@ +#pragma once + +NTSTATUS NTAPI MmInitialize(); +NTSTATUS NTAPI MmCleanup(); + +// +// This function is available only if the MMPP is compiled as a DLL. +// +BOOL WINAPI ReflectiveMapDll(HMODULE hModule); diff --git a/MemoryModule/LdrEntry.cpp b/MemoryModule/LdrEntry.cpp index c03d710c..a0e8fbfe 100644 --- a/MemoryModule/LdrEntry.cpp +++ b/MemoryModule/LdrEntry.cpp @@ -152,7 +152,7 @@ BOOL NTAPI RtlInitializeLdrDataTableEntry( if (IsWin8) ((_LDR_DDAG_NODE_WIN8*)(entry->DdagNode))->ReferenceCount = 1; entry->ImageDll = entry->LoadNotificationsSent = entry->EntryProcessed = entry->InLegacyLists = entry->InIndexes = true; - entry->ProcessAttachCalled = headers->OptionalHeader.AddressOfEntryPoint != 0; + entry->ProcessAttachCalled = false; entry->InExceptionTable = !(dwFlags & LOAD_FLAGS_NOT_ADD_INVERTED_FUNCTION); entry->CorImage = CorImage; entry->CorILOnly = CorIL; @@ -187,8 +187,6 @@ BOOL NTAPI RtlInitializeLdrDataTableEntry( if (!FlagsProcessed) { LdrEntry->Flags = LDRP_IMAGE_DLL | LDRP_ENTRY_INSERTED | LDRP_ENTRY_PROCESSED; - if (headers->OptionalHeader.AddressOfEntryPoint != 0)LdrEntry->Flags |= LDRP_PROCESS_ATTACH_CALLED; - if (CorImage)LdrEntry->Flags |= LDRP_COR_IMAGE; } InitializeListHead(&LdrEntry->HashLinks); diff --git a/MemoryModule/LoadDllMemoryApi.cpp b/MemoryModule/LoadDllMemoryApi.cpp index 3e61cdf9..01aaeb65 100644 --- a/MemoryModule/LoadDllMemoryApi.cpp +++ b/MemoryModule/LoadDllMemoryApi.cpp @@ -51,7 +51,7 @@ HMEMORYMODULE WINAPI LoadLibraryMemoryExA( mbstowcs_s(nullptr, _DllFullName, size, DllFullName, size); } - result = LoadLibraryMemoryExW(BufferAddress, 0, _DllName, _DllFullName, 0); + result = LoadLibraryMemoryExW(BufferAddress, 0, _DllName, _DllFullName, Flags); } while (false); RtlFreeHeap(heap, 0, _DllName); diff --git a/MemoryModule/LoadDllMemoryApi.h b/MemoryModule/LoadDllMemoryApi.h index 54d8368a..0a413b50 100644 --- a/MemoryModule/LoadDllMemoryApi.h +++ b/MemoryModule/LoadDllMemoryApi.h @@ -3,6 +3,7 @@ typedef HMODULE HMEMORYMODULE; #include "Loader.h" +#include "Initialize.h" #define MemoryModuleToModule(_hMemoryModule_) (_hMemoryModule_) @@ -10,25 +11,29 @@ typedef HMODULE HMEMORYMODULE; #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) #endif -HMEMORYMODULE WINAPI LoadLibraryMemory(_In_ PVOID BufferAddress); - -HMEMORYMODULE WINAPI LoadLibraryMemoryExA( - _In_ PVOID BufferAddress, - _In_ size_t Reserved, - _In_opt_ LPCSTR DllBaseName, - _In_opt_ LPCSTR DllFullName, - _In_ DWORD Flags -); - -HMEMORYMODULE WINAPI LoadLibraryMemoryExW( - _In_ PVOID BufferAddress, - _In_ size_t Reserved, - _In_opt_ LPCWSTR DllBaseName, - _In_opt_ LPCWSTR DllFullName, - _In_ DWORD Flags -); - -BOOL WINAPI FreeLibraryMemory(_In_ HMEMORYMODULE hMemoryModule); +extern "C" { + + HMEMORYMODULE WINAPI LoadLibraryMemory(_In_ PVOID BufferAddress); + + HMEMORYMODULE WINAPI LoadLibraryMemoryExA( + _In_ PVOID BufferAddress, + _In_ size_t Reserved, + _In_opt_ LPCSTR DllBaseName, + _In_opt_ LPCSTR DllFullName, + _In_ DWORD Flags + ); + + HMEMORYMODULE WINAPI LoadLibraryMemoryExW( + _In_ PVOID BufferAddress, + _In_ size_t Reserved, + _In_opt_ LPCWSTR DllBaseName, + _In_opt_ LPCWSTR DllFullName, + _In_ DWORD Flags + ); + + BOOL WINAPI FreeLibraryMemory(_In_ HMEMORYMODULE hMemoryModule); + +} #define NtLoadDllMemory LdrLoadDllMemory #define NtLoadDllMemoryExA LdrLoadDllMemoryExA diff --git a/MemoryModule/Loader.cpp b/MemoryModule/Loader.cpp index a3f2a130..846ad818 100644 --- a/MemoryModule/Loader.cpp +++ b/MemoryModule/Loader.cpp @@ -1,6 +1,16 @@ #include "stdafx.h" #include +#ifdef _USRDLL +#if (defined(_WIN64) || defined(_M_ARM)) +#pragma comment(linker,"/export:LdrUnloadDllMemoryAndExitThread") +#pragma comment(linker,"/export:FreeLibraryMemoryAndExitThread=LdrUnloadDllMemoryAndExitThread") +#else +#pragma comment(linker,"/export:LdrUnloadDllMemoryAndExitThread=_LdrUnloadDllMemoryAndExitThread@8") +#pragma comment(linker,"/export:FreeLibraryMemoryAndExitThread=_LdrUnloadDllMemoryAndExitThread@8") +#endif +#endif + NTSTATUS NTAPI LdrMapDllMemory( _In_ HMEMORYMODULE ViewBase, _In_ DWORD dwFlags, @@ -51,7 +61,14 @@ NTSTATUS NTAPI LdrLoadDllMemoryExW( __try { *BaseAddress = nullptr; if (LdrEntry)*LdrEntry = nullptr; - if (!RtlIsValidImageBuffer(BufferAddress, &BufferSize) && !(dwFlags & LOAD_FLAGS_PASS_IMAGE_CHECK))status = STATUS_INVALID_IMAGE_FORMAT; + + if (!RtlIsValidImageBuffer(BufferAddress, &BufferSize) && !(dwFlags & LOAD_FLAGS_PASS_IMAGE_CHECK)) { + status = STATUS_INVALID_IMAGE_FORMAT; + } + + if (MmpGlobalDataPtr == nullptr) { + status = STATUS_INVALID_PARAMETER; + } } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); @@ -219,6 +236,11 @@ NTSTATUS NTAPI LdrUnloadDllMemory(_In_ HMEMORYMODULE BaseAddress) { break; } + if (MmpGlobalDataPtr == nullptr) { + status = STATUS_INVALID_PARAMETER; + break; + } + //Mapping dll failed if (!module->MappedDll) { module->underUnload = true; diff --git a/MemoryModule/Loader.h b/MemoryModule/Loader.h index 9ce45eda..a71afe7f 100644 --- a/MemoryModule/Loader.h +++ b/MemoryModule/Loader.h @@ -9,9 +9,6 @@ #define MEMORY_FEATURE_LDRP_RELEASE_TLS_ENTRY 0x00000040 #define MEMORY_FEATURE_ALL 0x0000007f -//Get the implementation of the currently running operating system. -NTSTATUS NTAPI LdrQuerySystemMemoryModuleFeatures(_Out_ PDWORD pFeatures); - /* LdrLoadDllMemoryEx dwFlags @@ -47,31 +44,24 @@ NTSTATUS NTAPI LdrQuerySystemMemoryModuleFeatures(_Out_ PDWORD pFeatures); //Hook for dotnet dlls #define LOAD_FLAGS_HOOK_DOT_NET 0x00000010 +extern "C" { -NTSTATUS NTAPI LdrLoadDllMemoryExW( - _Out_ HMEMORYMODULE* BaseAddress, // Output module base address - _Out_opt_ PVOID* LdrEntry, // Receive a pointer to the LDR node of the module - _In_ DWORD dwFlags, // Flags - _In_ LPVOID BufferAddress, // Pointer to the dll file data buffer - _In_ size_t Reserved, // Reserved parameter, must be 0 - _In_opt_ LPCWSTR DllName, // Module file name - _In_opt_ LPCWSTR DllFullName // Module file full path -); - -//Unload modules previously loaded from memory -NTSTATUS NTAPI LdrUnloadDllMemory(_In_ HMEMORYMODULE BaseAddress); - -#ifndef _USRDLL -#ifdef _WIN64 -#pragma comment(linker,"/export:LdrUnloadDllMemoryAndExitThread") -#pragma comment(linker,"/export:FreeLibraryMemoryAndExitThread=LdrUnloadDllMemoryAndExitThread") -#else -#pragma comment(linker,"/export:LdrUnloadDllMemoryAndExitThread=_LdrUnloadDllMemoryAndExitThread@8") -#pragma comment(linker,"/export:FreeLibraryMemoryAndExitThread=_LdrUnloadDllMemoryAndExitThread@8") -#endif -#endif + //Get the implementation of the currently running operating system. + NTSTATUS NTAPI LdrQuerySystemMemoryModuleFeatures(_Out_ PDWORD pFeatures); + + NTSTATUS NTAPI LdrLoadDllMemoryExW( + _Out_ HMEMORYMODULE* BaseAddress, // Output module base address + _Out_opt_ PVOID* LdrEntry, // Receive a pointer to the LDR node of the module + _In_ DWORD dwFlags, // Flags + _In_ LPVOID BufferAddress, // Pointer to the dll file data buffer + _In_ size_t Reserved, // Reserved parameter, must be 0 + _In_opt_ LPCWSTR DllName, // Module file name + _In_opt_ LPCWSTR DllFullName // Module file full path + ); + + //Unload modules previously loaded from memory + NTSTATUS NTAPI LdrUnloadDllMemory(_In_ HMEMORYMODULE BaseAddress); -extern "C" { __declspec(noreturn) VOID NTAPI LdrUnloadDllMemoryAndExitThread( _In_ HMEMORYMODULE BaseAddress, _In_ DWORD dwExitCode diff --git a/MemoryModule/MemoryModule.cpp b/MemoryModule/MemoryModule.cpp index e990a16b..34573acf 100644 --- a/MemoryModule/MemoryModule.cpp +++ b/MemoryModule/MemoryModule.cpp @@ -1,6 +1,10 @@ #include "stdafx.h" -#ifdef _WIN64 +#if defined(_M_ARM64) +#define HOST_MACHINE IMAGE_FILE_MACHINE_ARM64 +#elif defined(_M_ARM) +#define HOST_MACHINE IMAGE_FILE_MACHINE_ARM +#elif defined(_WIN64) #define HOST_MACHINE IMAGE_FILE_MACHINE_AMD64 #else #define HOST_MACHINE IMAGE_FILE_MACHINE_I386 @@ -8,7 +12,7 @@ #define GET_HEADER_DICTIONARY(headers, idx) &headers->OptionalHeader.DataDirectory[idx] -#define AlignValueUp(value, alignment) ((size_t(value) + size_t(alignment) + 1) & ~(size_t(alignment) - 1)) +#define AlignValueUp(value, alignment) ((size_t(value) + size_t(alignment) - 1) & ~(size_t(alignment) - 1)) #define OffsetPointer(data, offset) LPVOID(LPBYTE(data) + ptrdiff_t(offset)) @@ -91,35 +95,19 @@ NTSTATUS MemorySetSectionProtection( NTSTATUS status = STATUS_SUCCESS; PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(lpNtHeaders); - // - // Determine whether it is a .NET assembly - // - auto& com = lpNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]; - bool CorImage = com.Size && com.VirtualAddress; - for (DWORD i = 0; i < lpNtHeaders->FileHeader.NumberOfSections; ++i, ++section) { LPVOID address = LPBYTE(base) + section->VirtualAddress; SIZE_T size = AlignValueUp(section->Misc.VirtualSize, lpNtHeaders->OptionalHeader.SectionAlignment); - if (section->Characteristics & IMAGE_SCN_MEM_DISCARDABLE && !CorImage) { - // - // If it is a .NET assembly, we cannot release this memory block - // -#pragma warning(disable:6250) - VirtualFree(address, size, MEM_DECOMMIT); -#pragma warning(default:6250) - } - else { - BOOL executable = (section->Characteristics & IMAGE_SCN_MEM_EXECUTE) != 0, - readable = (section->Characteristics & IMAGE_SCN_MEM_READ) != 0, - writeable = (section->Characteristics & IMAGE_SCN_MEM_WRITE) != 0; - DWORD protect = ProtectionFlags[executable][readable][writeable], oldProtect; + BOOL executable = (section->Characteristics & IMAGE_SCN_MEM_EXECUTE) != 0, + readable = (section->Characteristics & IMAGE_SCN_MEM_READ) != 0, + writeable = (section->Characteristics & IMAGE_SCN_MEM_WRITE) != 0; + DWORD protect = ProtectionFlags[executable][readable][writeable], oldProtect; - if (section->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) protect |= PAGE_NOCACHE; + if (section->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) protect |= PAGE_NOCACHE; - status = NtProtectVirtualMemory(NtCurrentProcess(), &address, &size, protect, &oldProtect); - if (!NT_SUCCESS(status))break; - } + status = NtProtectVirtualMemory(NtCurrentProcess(), &address, &size, protect, &oldProtect); + if (!NT_SUCCESS(status))break; } return status; @@ -297,7 +285,7 @@ NTSTATUS MemoryLoadLibrary( PIMAGE_BASE_RELOCATION_HEADER relocation = (PIMAGE_BASE_RELOCATION_HEADER)(LPBYTE(base) + dir->VirtualAddress); if (dir->Size && dir->VirtualAddress) { - while (relocation->VirtualAddress > 0) { + while ((LPBYTE(relocation) < LPBYTE(base) + dir->VirtualAddress + dir->Size) && relocation->VirtualAddress > 0) { auto relInfo = (_REBASE_INFO*)&relocation->TypeOffset; for (DWORD i = 0; i < relocation->TypeOffsetCount(); ++i, ++relInfo) { switch (relInfo->Type) { diff --git a/MemoryModule/MemoryModule.vcxproj b/MemoryModule/MemoryModule.vcxproj index b152c6d4..ebcea8da 100644 --- a/MemoryModule/MemoryModule.vcxproj +++ b/MemoryModule/MemoryModule.vcxproj @@ -1,6 +1,14 @@ + + DebugDll + ARM + + + DebugDll + ARM64 + DebugDll Win32 @@ -9,10 +17,26 @@ DebugDll x64 + + Debug + ARM + + + Debug + ARM64 + Debug Win32 + + ReleaseDll + ARM + + + ReleaseDll + ARM64 + ReleaseDll Win32 @@ -21,6 +45,14 @@ ReleaseDll x64 + + Release + ARM + + + Release + ARM64 + Release Win32 @@ -59,17 +91,29 @@ false + false false + false false + false false + false false + false false + false false + false false + false false + false false + false false + false false + false @@ -108,6 +152,7 @@ + @@ -144,12 +189,24 @@ v142 Unicode + + StaticLibrary + true + v142 + Unicode + DynamicLibrary true v142 Unicode + + DynamicLibrary + true + v142 + Unicode + StaticLibrary false @@ -157,6 +214,13 @@ true Unicode + + StaticLibrary + false + v142 + true + Unicode + DynamicLibrary false @@ -164,6 +228,13 @@ true Unicode + + DynamicLibrary + false + v142 + true + Unicode + StaticLibrary true @@ -171,6 +242,13 @@ Unicode false + + StaticLibrary + true + v142 + Unicode + false + DynamicLibrary true @@ -178,6 +256,13 @@ Unicode false + + DynamicLibrary + true + v142 + Unicode + false + StaticLibrary false @@ -185,6 +270,13 @@ true Unicode + + StaticLibrary + false + v142 + true + Unicode + DynamicLibrary false @@ -192,6 +284,13 @@ true Unicode + + DynamicLibrary + false + v142 + true + Unicode + @@ -201,71 +300,127 @@ + + + + + + + + + + + + + + + + + + + + + + + + true $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); $(SolutionDir)$(Configuration)\ + + true + $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); + true $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); $(SolutionDir)Debug\ + + true + $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); + true $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); + + true + $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); + true $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); $(SolutionDir)$(Platform)\Debug\ + + true + $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); + false $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); + + false + $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); + false $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); $(SolutionDir)Release\ + + false + $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); + false $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); + + false + $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); + false $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); $(SolutionDir)$(Platform)\Release\ + + false + $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir); + NotUsing Level3 true - WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions) + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions) true @@ -278,12 +433,50 @@ MemoryModulePP.def + + + NotUsing + Level3 + true + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions) + true + + + + + MultiThreadedDebug + + + Windows + true + MemoryModulePP.def + + NotUsing Level3 true - WIN32;_DEBUG;_USRDLL;%(PreprocessorDefinitions) + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;WIN32;_DEBUG;_USRDLL;%(PreprocessorDefinitions) + true + + + + + MultiThreadedDebug + + + Windows + true + MemoryModulePP.def + + + + + NotUsing + Level3 + true + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;WIN32;_DEBUG;_USRDLL;%(PreprocessorDefinitions) true @@ -302,7 +495,7 @@ NotUsing Level3 true - _DEBUG;_LIB;%(PreprocessorDefinitions) + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;_DEBUG;_LIB;%(PreprocessorDefinitions) true @@ -315,12 +508,50 @@ MemoryModulePP.def + + + NotUsing + Level3 + true + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;_DEBUG;_LIB;%(PreprocessorDefinitions) + true + + + + + MultiThreadedDebug + + + Windows + true + MemoryModulePP.def + + NotUsing Level3 true - _DEBUG;_USRDLL;%(PreprocessorDefinitions) + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;_DEBUG;_USRDLL;%(PreprocessorDefinitions) + true + + + + + MultiThreadedDebug + + + Windows + true + MemoryModulePP.def + + + + + NotUsing + Level3 + true + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;_DEBUG;_USRDLL;%(PreprocessorDefinitions) true @@ -341,7 +572,7 @@ true true true - WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions) + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions) true @@ -356,6 +587,29 @@ MemoryModulePP.def + + + NotUsing + Level3 + true + true + true + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions) + true + + + + + MultiThreaded + + + Windows + true + true + true + MemoryModulePP.def + + NotUsing @@ -363,7 +617,30 @@ true true true - WIN32;NDEBUG;_USRDLL;%(PreprocessorDefinitions) + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;WIN32;NDEBUG;_USRDLL;%(PreprocessorDefinitions) + true + + + + + MultiThreaded + + + Windows + true + true + true + MemoryModulePP.def + + + + + NotUsing + Level3 + true + true + true + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;WIN32;NDEBUG;_USRDLL;%(PreprocessorDefinitions) true @@ -386,7 +663,7 @@ true true true - NDEBUG;_LIB;%(PreprocessorDefinitions) + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;NDEBUG;_LIB;%(PreprocessorDefinitions) true @@ -401,6 +678,29 @@ MemoryModulePP.def + + + NotUsing + Level3 + true + true + true + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;NDEBUG;_LIB;%(PreprocessorDefinitions) + true + + + + + MultiThreaded + + + Windows + true + true + true + MemoryModulePP.def + + NotUsing @@ -408,7 +708,30 @@ true true true - NDEBUG;_USRDLL;%(PreprocessorDefinitions) + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;NDEBUG;_USRDLL;%(PreprocessorDefinitions) + true + + + + + MultiThreaded + + + Windows + true + true + true + MemoryModulePP.def + + + + + NotUsing + Level3 + true + true + true + _MEMORY_MODULE;_HAS_AUTO_INITIALIZE;NDEBUG;_USRDLL;%(PreprocessorDefinitions) true diff --git a/MemoryModule/MemoryModule.vcxproj.filters b/MemoryModule/MemoryModule.vcxproj.filters index 9413f3cc..e38f9fdb 100644 --- a/MemoryModule/MemoryModule.vcxproj.filters +++ b/MemoryModule/MemoryModule.vcxproj.filters @@ -260,6 +260,9 @@ Header Files + + Header Files + diff --git a/MemoryModule/MemoryModulePP.def b/MemoryModule/MemoryModulePP.def index 7491bc1e..fcbae96d 100644 --- a/MemoryModule/MemoryModulePP.def +++ b/MemoryModule/MemoryModulePP.def @@ -1,5 +1,9 @@ LIBRARY EXPORTS + +MmInitialize +MmCleanup + LoadLibraryMemory LoadLibraryMemoryExA LoadLibraryMemoryExW diff --git a/MemoryModule/MmpDotNet.cpp b/MemoryModule/MmpDotNet.cpp index 5f5e9585..ca8bcc1c 100644 --- a/MemoryModule/MmpDotNet.cpp +++ b/MemoryModule/MmpDotNet.cpp @@ -443,3 +443,38 @@ BOOL WINAPI MmpInitializeHooksForDotNet() { return FALSE; } + +VOID WINAPI MmpCleanupDotNetHooks() { + EnterCriticalSection(NtCurrentPeb()->FastPebLock); + + if (MmpGlobalDataPtr->MmpDotNet->PreHooked) { + DetourTransactionBegin(); + DetourUpdateThread(NtCurrentThread()); + + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpDotNet->Hooks.OriginCreateFileW, HookCreateFileW); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpDotNet->Hooks.OriginGetFileInformationByHandle, HookGetFileInformationByHandle); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpDotNet->Hooks.OriginGetFileAttributesExW, HookGetFileAttributesExW); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpDotNet->Hooks.OriginGetFileSize, HookGetFileSize); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpDotNet->Hooks.OriginGetFileSizeEx, HookGetFileSizeEx); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpDotNet->Hooks.OriginCreateFileMappingW, HookCreateFileMappingW); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpDotNet->Hooks.OriginMapViewOfFileEx, HookMapViewOfFileEx); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpDotNet->Hooks.OriginMapViewOfFile, HookMapViewOfFile); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpDotNet->Hooks.OriginUnmapViewOfFile, HookUnmapViewOfFile); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpDotNet->Hooks.OriginCloseHandle, HookCloseHandle); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpDotNet->Hooks.OriginGetFileVersion2, HookGetFileVersion); + + DetourTransactionCommit(); + + MmpGlobalDataPtr->MmpDotNet->PreHooked = FALSE; + } + + if (MmpGlobalDataPtr->MmpDotNet->Initialized) { + DetourTransactionBegin(); + DetourUpdateThread(NtCurrentThread()); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpDotNet->Hooks.OriginGetFileVersion1, HookGetFileVersion); + DetourTransactionCommit(); + MmpGlobalDataPtr->MmpDotNet->Initialized = FALSE; + } + + LeaveCriticalSection(NtCurrentPeb()->FastPebLock); +} diff --git a/MemoryModule/MmpDotNet.h b/MemoryModule/MmpDotNet.h index 14253e58..be433b04 100644 --- a/MemoryModule/MmpDotNet.h +++ b/MemoryModule/MmpDotNet.h @@ -8,4 +8,5 @@ typedef HRESULT(WINAPI* GetFileVersion_T)( ); BOOL WINAPI MmpPreInitializeHooksForDotNet(); -BOOL WINAPI MmpInitializeHooksForDotNet(); \ No newline at end of file +BOOL WINAPI MmpInitializeHooksForDotNet(); +VOID WINAPI MmpCleanupDotNetHooks(); diff --git a/MemoryModule/MmpGlobalData.h b/MemoryModule/MmpGlobalData.h index 35752ecd..2a986b0e 100644 --- a/MemoryModule/MmpGlobalData.h +++ b/MemoryModule/MmpGlobalData.h @@ -100,7 +100,7 @@ typedef enum class _WINDOWS_VERSION :BYTE { #define MEMORY_MODULE_GET_MINOR_VERSION(MinorVersion) (~0x8000&(MinorVersion)) #define MEMORY_MODULE_MAJOR_VERSION 2 -#define MEMORY_MODULE_MINOR_VERSION MEMORY_MODULE_MAKE_PREVIEW(0) +#define MEMORY_MODULE_MINOR_VERSION MEMORY_MODULE_MAKE_PREVIEW(2) typedef struct _MMP_GLOBAL_DATA { @@ -137,6 +137,8 @@ typedef struct _MMP_GLOBAL_DATA { PMMP_IAT_DATA MmpIat; + DWORD ReferenceCount; + }MMP_GLOBAL_DATA, * PMMP_GLOBAL_DATA; #define MMP_GLOBAL_DATA_SIZE (\ diff --git a/MemoryModule/MmpLdrpTls.cpp b/MemoryModule/MmpLdrpTls.cpp index 9b97cf60..286ddd51 100644 --- a/MemoryModule/MmpLdrpTls.cpp +++ b/MemoryModule/MmpLdrpTls.cpp @@ -6,35 +6,13 @@ static bool stdcall; static PVOID LdrpHandleTlsData; static PVOID LdrpReleaseTlsEntry; -static NTSTATUS NTAPI RtlFindLdrpHandleTlsData() { +static NTSTATUS NTAPI RtlFindLdrpHandleTlsDataOld() { NTSTATUS status = STATUS_SUCCESS; LPCVOID Feature = nullptr; BYTE Size = 0; WORD OffsetOfFunctionBegin = 0; switch (MmpGlobalDataPtr->NtVersions.MajorVersion) { - case 10: { - if (MmpGlobalDataPtr->NtVersions.MinorVersion)return STATUS_NOT_SUPPORTED; - - if (MmpGlobalDataPtr->NtVersions.BuildNumber >= 22621) { -#ifdef _WIN64 - Feature = "\x39\x1D\x23\xFC\x17\x00\x74\x37\x44\x8D\x43\x09\x44\x39\x81\x0C\x01\x00\x00\x74\x2A"; - Size = 22; - OffsetOfFunctionBegin = 0x43; -#else - return STATUS_NOT_SUPPORTED; -#endif - } - // - // Add more conditions here. - // - // else if (MmpGlobalDataPtr->NtVersions.BuildNumber >= XXXXXXXXX) - else { - return STATUS_NOT_SUPPORTED; - } - - break; - } case 6: { switch (MmpGlobalDataPtr->NtVersions.MinorVersion) { //8.1 @@ -94,6 +72,83 @@ static NTSTATUS NTAPI RtlFindLdrpHandleTlsData() { return status; } +static NTSTATUS NTAPI RtlFindLdrpHandleTlsData10() { + LPVOID DllBase = MmpGlobalDataPtr->MmpBaseAddressIndex->NtdllLdrEntry->DllBase; +#ifdef _WIN64 + // search for LdrpHandleTls string literal + SEARCH_CONTEXT SearchContext{ SearchContext.SearchPattern = LPBYTE("LdrpHandleTlsData\x00"), SearchContext.PatternSize = 18 }; + if (!NT_SUCCESS(RtlFindMemoryBlockFromModuleSection(HMODULE(DllBase), ".rdata", &SearchContext))) + return STATUS_NOT_SUPPORTED; + LPBYTE StringOffset = SearchContext.Result; + + SearchContext.Result = nullptr; + SearchContext.PatternSize = 3; + SearchContext.SearchPattern = LPBYTE("\x48\x8D\x15"); + LPBYTE ExceptionBlock = nullptr; + + // Search for lea rdx,[rip+0x????] + // ???? is the relative offset from RIP to LdrpHandleTls string literal + while (NT_SUCCESS(RtlFindMemoryBlockFromModuleSection(HMODULE(DllBase), ".text", &SearchContext))) { + DWORD InsOff = *(DWORD*)(SearchContext.Result + 3); + if (StringOffset == SearchContext.Result + InsOff + 7) { + ExceptionBlock = SearchContext.Result; + break; + } + } + if (!ExceptionBlock) return STATUS_NOT_SUPPORTED; + + // Search back for exception block function header + while (*ExceptionBlock != 0xcc) { + // Normally ~13 bytes, but just in case... + if (SearchContext.Result - ExceptionBlock > 0x50) return STATUS_NOT_SUPPORTED; + ExceptionBlock--; + } + ExceptionBlock++; + + // search for C_SCOPE_TABLE + union Converter { + BYTE Bytes[4]; + DWORD Dword; + }; + Converter ExceptionBlockAddress{}; // { .Dword = DWORD(ExceptionBlock - LPBYTE(DllBase)) }; + ExceptionBlockAddress.Dword = DWORD(ExceptionBlock - LPBYTE(DllBase)); + + SearchContext.Result = nullptr; + SearchContext.PatternSize = 4; + SearchContext.SearchPattern = ExceptionBlockAddress.Bytes; + if (!NT_SUCCESS(RtlFindMemoryBlockFromModuleSection(HMODULE(DllBase), ".rdata", &SearchContext))) + return STATUS_NOT_SUPPORTED; + + // C_SCOPE_TABLE$$Begin + LPDWORD LdrpHandleTlsBlock = LPDWORD(*(LPDWORD)(SearchContext.Result - 8) + LPBYTE(DllBase)); + // Pad to 0x04 + LdrpHandleTlsBlock = LPDWORD(LONGLONG(LdrpHandleTlsBlock) / 0x04 * 0x04); + LPDWORD LdrpHandleTlsBlockBackup = LdrpHandleTlsBlock; + + // Search back for LdrpHandleTls + // Search up for 4 consecutive 0xCC + while (*LdrpHandleTlsBlock != 0xcccccccc) { + // Normally ~0x140 bytes + if (LdrpHandleTlsBlockBackup - LdrpHandleTlsBlock > 0x400) return STATUS_NOT_SUPPORTED; + LdrpHandleTlsBlock--; + } + LdrpHandleTlsBlock++; + LdrpHandleTlsData = LdrpHandleTlsBlock; + return STATUS_SUCCESS; +#else + return STATUS_NOT_SUPPORTED; +#endif +} + +static NTSTATUS NTAPI RtlFindLdrpHandleTlsData() { + if (MmpGlobalDataPtr->NtVersions.MajorVersion >= 10) { + return RtlFindLdrpHandleTlsData10(); + } + else { + return RtlFindLdrpHandleTlsDataOld(); + } +} + static NTSTATUS NTAPI RtlFindLdrpReleaseTlsEntry() { NTSTATUS status = STATUS_SUCCESS; LPCVOID Feature = nullptr; @@ -104,23 +159,12 @@ static NTSTATUS NTAPI RtlFindLdrpReleaseTlsEntry() { case 10: { if (MmpGlobalDataPtr->NtVersions.MinorVersion) return STATUS_NOT_SUPPORTED; - if (MmpGlobalDataPtr->NtVersions.BuildNumber >= 22621) { #ifdef _WIN64 - Feature = "\x74\x34\x48\x8B\x08\x48\x39\x41\x08\x75\x65\x48\x8B\x40\x08\x48\x39\x18\x75\x5C\x48\x89\x08"; - Size = 24; - OffsetOfFunctionBegin = 0x2F; + Feature = "\x48\x89\x5c\x24\x08\x57\x48\x83\xec\x20\x48\x8b\xfa\x48\x8b\xd9\x48\x85\xd2\x75\x0c"; + Size = 21; #else - return STATUS_NOT_SUPPORTED; + return STATUS_NOT_SUPPORTED; #endif - } - // - // Add more conditions here. - // - // else if (MmpGlobalDataPtr->NtVersions.BuildNumber >= XXXXXXXXX) - else { - return STATUS_NOT_SUPPORTED; - } - break; } default: @@ -150,6 +194,10 @@ BOOL NTAPI MmpTlsInitialize() { return TRUE; } +VOID NTAPI MmpTlsCleanup() { + ; +} + NTSTATUS NTAPI MmpReleaseTlsEntry(_In_ PLDR_DATA_TABLE_ENTRY lpModuleEntry) { typedef NTSTATUS(__stdcall* STDCALL)(PLDR_DATA_TABLE_ENTRY, PVOID*); typedef NTSTATUS(__thiscall* THISCALL)(PLDR_DATA_TABLE_ENTRY, PVOID*); diff --git a/MemoryModule/MmpTls.cpp b/MemoryModule/MmpTls.cpp index 112847a3..71f7d358 100644 --- a/MemoryModule/MmpTls.cpp +++ b/MemoryModule/MmpTls.cpp @@ -7,6 +7,7 @@ #include #include #include <3rdparty/Detours/detours.h> +#include PVOID NTAPI MmpQuerySystemInformation( @@ -109,11 +110,14 @@ DWORD NTAPI MmpGetThreadCount() { PMMP_TLSP_RECORD MmpFindTlspRecordLockHeld() { PLIST_ENTRY entry = MmpGlobalDataPtr->MmpTls->MmpThreadLocalStoragePointer.Flink; + PTEB teb = NtCurrentTeb(); + while (entry != &MmpGlobalDataPtr->MmpTls->MmpThreadLocalStoragePointer) { auto p = CONTAINING_RECORD(entry, MMP_TLSP_RECORD, InMmpThreadLocalStoragePointer); + if (p->UniqueThread == NtCurrentThreadId()) { - assert(p->TlspMmpBlock == NtCurrentTeb()->ThreadLocalStoragePointer); + assert(p->TlspMmpBlock == teb->ThreadLocalStoragePointer); return p; } @@ -123,23 +127,10 @@ PMMP_TLSP_RECORD MmpFindTlspRecordLockHeld() { return nullptr; } -DWORD NTAPI MmpUserThreadStart(LPVOID lpThreadParameter) { - - THREAD_CONTEXT Context; +DWORD MmpAllocateTlsLockHeld() { bool success = false; PMMP_TLSP_RECORD record = nullptr; - __try { - RtlCopyMemory( - &Context, - lpThreadParameter, - sizeof(Context) - ); - } - __except (EXCEPTION_EXECUTE_HANDLER) { - return GetExceptionCode(); - } - if (!NtCurrentTeb()->ThreadLocalStoragePointer) { goto __skip_tls; } @@ -228,10 +219,38 @@ DWORD NTAPI MmpUserThreadStart(LPVOID lpThreadParameter) { InterlockedIncrement(&MmpGlobalDataPtr->MmpTls->MmpActiveThreadCount); __skip_tls: + return ERROR_SUCCESS; +} + +DWORD NTAPI MmpUserThreadStart(LPVOID lpThreadParameter) { + + THREAD_CONTEXT Context; + + __try { + RtlCopyMemory( + &Context, + lpThreadParameter, + sizeof(Context) + ); + } + __except (EXCEPTION_EXECUTE_HANDLER) { + return GetExceptionCode(); + } + + PVOID cookie; + LdrLockLoaderLock(LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS, nullptr, &cookie); + + __try { + MmpAllocateTlsLockHeld(); + } + __finally { + LdrUnlockLoaderLock(LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS, cookie); + } + return Context.ThreadStartRoutine(Context.ThreadParameter); } -#ifdef _WIN64 +#if (defined(_WIN64) || defined(_M_ARM)) VOID NTAPI HookRtlUserThreadStart( _In_ PTHREAD_START_ROUTINE Function, _In_ PVOID Parameter) { @@ -256,7 +275,7 @@ HookRtlUserThreadStart( // Context.ThreadParameter = Parameter; mov dword ptr ds : [esp + 4] , ebx; - + mov eax, MmpUserThreadStart; mov ebx, esp; @@ -384,6 +403,96 @@ BOOL NTAPI PreHookNtSetInformationProcess() { return success; } +int MmpSyncThreadTlsData() { + PSYSTEM_PROCESS_INFORMATION pspi = (PSYSTEM_PROCESS_INFORMATION)MmpQuerySystemInformation(SYSTEM_INFORMATION_CLASS::SystemProcessInformation, nullptr); + PSYSTEM_PROCESS_INFORMATION current = pspi; + std::setthreads; + int count = 0; + + // + // Build thread id set. + // + + PLIST_ENTRY entry = MmpGlobalDataPtr->MmpTls->MmpThreadLocalStoragePointer.Flink; + while (entry != &MmpGlobalDataPtr->MmpTls->MmpThreadLocalStoragePointer) { + PMMP_TLSP_RECORD j = CONTAINING_RECORD(entry, MMP_TLSP_RECORD, InMmpThreadLocalStoragePointer); + threads.insert(j->UniqueThread); + + entry = entry->Flink; + } + + while (pspi) { + + if (current->UniqueProcessId == NtCurrentTeb()->ClientId.UniqueProcess) { + + for (ULONG index = 0; index < current->NumberOfThreads; ++index) { + CLIENT_ID cid = current->Threads[index].ClientId; + + if (threads.find(cid.UniqueThread) == threads.end()) { + + HANDLE hThread; + OBJECT_ATTRIBUTES oa{}; + NTSTATUS status = NtOpenThread(&hThread, THREAD_QUERY_INFORMATION, &oa, &cid); + if (NT_SUCCESS(status)) { + + THREAD_BASIC_INFORMATION tbi{}; + status = NtQueryInformationThread(hThread, THREADINFOCLASS::ThreadBasicInformation, &tbi, sizeof(tbi), nullptr); + if (NT_SUCCESS(status)) { + + PTEB teb = tbi.TebBaseAddress; + if (teb->ThreadLocalStoragePointer) { + + // + // Allocate TLS record + // + + auto record = PMMP_TLSP_RECORD(RtlAllocateHeap(RtlProcessHeap(), 0, sizeof(MMP_TLSP_RECORD))); + if (record) { + record->TlspLdrBlock = (PVOID*)teb->ThreadLocalStoragePointer; + record->TlspMmpBlock = (PVOID*)MmpAllocateTlsp(); + record->UniqueThread = cid.UniqueThread; + if (record->TlspMmpBlock) { + record->TlspMmpBlock = ((PTLS_VECTOR)record->TlspMmpBlock)->ModuleTlsData; + + auto size = CONTAINING_RECORD(record->TlspLdrBlock, TLS_VECTOR, ModuleTlsData)->Length; + if ((HANDLE)(ULONG_PTR)size != record->UniqueThread) { + RtlCopyMemory( + record->TlspMmpBlock, + record->TlspLdrBlock, + size * sizeof(PVOID) + ); + } + + teb->ThreadLocalStoragePointer = record->TlspMmpBlock; + InsertTailList(&MmpGlobalDataPtr->MmpTls->MmpThreadLocalStoragePointer, &record->InMmpThreadLocalStoragePointer); + InterlockedIncrement(&MmpGlobalDataPtr->MmpTls->MmpActiveThreadCount); + + ++count; + } + else { + RtlFreeHeap(RtlProcessHeap(), 0, record); + } + } + } + } + + NtClose(hThread); + } + + } + } + + break; + } + + if (!current->NextEntryOffset)break; + current = (PSYSTEM_PROCESS_INFORMATION)((PBYTE)current + current->NextEntryOffset); + } + + RtlFreeHeap(RtlProcessHeap(), 0, pspi); + return count; +} + NTSTATUS NTAPI HookNtSetInformationProcess( _In_opt_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, @@ -405,6 +514,12 @@ NTSTATUS NTAPI HookNtSetInformationProcess( PPROCESS_TLS_INFORMATION Tls = nullptr; NTSTATUS status = STATUS_SUCCESS; + // + // Sync thread data with ntdll!Ldr. + // + + MmpSyncThreadTlsData(); + do { if (ProcessTlsInformation->OperationType >= MaxProcessTlsOperation) { status = STATUS_INVALID_PARAMETER; @@ -438,7 +553,7 @@ NTSTATUS NTAPI HookNtSetInformationProcess( break; } - // reserved 0x50 PVOID for ntdll loader + // reserved 0x80 PVOID for ntdll loader if (ProcessTlsInformation->TlsVectorLength >= MMP_START_TLS_INDEX) { status = STATUS_NO_MEMORY; break; @@ -478,53 +593,55 @@ NTSTATUS NTAPI HookNtSetInformationProcess( // EnterCriticalSection(&MmpGlobalDataPtr->MmpTls->MmpTlspLock); for (ULONG i = 0; i < Tls->ThreadDataCount; ++i) { - BOOL found = FALSE; - PLIST_ENTRY entry = MmpGlobalDataPtr->MmpTls->MmpThreadLocalStoragePointer.Flink; - // Find thread-spec tlsp - while (entry != &MmpGlobalDataPtr->MmpTls->MmpThreadLocalStoragePointer) { + if (Tls->ThreadData[i].Flags == 2) { - PMMP_TLSP_RECORD j = CONTAINING_RECORD(entry, MMP_TLSP_RECORD, InMmpThreadLocalStoragePointer); + BOOL found = FALSE; + PLIST_ENTRY entry = MmpGlobalDataPtr->MmpTls->MmpThreadLocalStoragePointer.Flink; - if (ProcessTlsInformation->OperationType == ProcessTlsReplaceVector) { - if (j->TlspMmpBlock[ProcessTlsInformation->TlsVectorLength] == ProcessTlsInformation->ThreadData[i].TlsVector[ProcessTlsInformation->TlsVectorLength]) { - found = TRUE; + // Find thread-spec tlsp + while (entry != &MmpGlobalDataPtr->MmpTls->MmpThreadLocalStoragePointer) { - // Copy old data to new pointer - RtlCopyMemory( - ProcessTlsInformation->ThreadData[i].TlsVector, - j->TlspMmpBlock, - sizeof(PVOID) * ProcessTlsInformation->TlsVectorLength - ); + PMMP_TLSP_RECORD j = CONTAINING_RECORD(entry, MMP_TLSP_RECORD, InMmpThreadLocalStoragePointer); - // Swap the tlsp - std::swap( - j->TlspLdrBlock, - ProcessTlsInformation->ThreadData[i].TlsVector - ); + if (ProcessTlsInformation->OperationType == ProcessTlsReplaceVector) { + if (j->TlspMmpBlock[ProcessTlsInformation->TlsVectorLength] == ProcessTlsInformation->ThreadData[i].TlsVector[ProcessTlsInformation->TlsVectorLength]) { + found = TRUE; + + // Copy old data to new pointer + RtlCopyMemory( + ProcessTlsInformation->ThreadData[i].TlsVector, + j->TlspMmpBlock, + sizeof(PVOID) * ProcessTlsInformation->TlsVectorLength + ); + + // Swap the tlsp + std::swap( + j->TlspLdrBlock, + ProcessTlsInformation->ThreadData[i].TlsVector + ); + } } - } - else { - if (j->TlspMmpBlock[ProcessTlsInformation->TlsIndex] == ProcessTlsInformation->ThreadData[i].TlsModulePointer) { - found = TRUE; + else { + if (j->TlspMmpBlock[ProcessTlsInformation->TlsIndex] == ProcessTlsInformation->ThreadData[i].TlsModulePointer) { + found = TRUE; + + if (ProcessHandle) { + j->TlspLdrBlock[ProcessTlsInformation->TlsIndex] = ProcessTlsInformation->ThreadData[i].TlsModulePointer; + } - if (ProcessHandle) { - j->TlspLdrBlock[ProcessTlsInformation->TlsIndex] = ProcessTlsInformation->ThreadData[i].TlsModulePointer; + ProcessTlsInformation->ThreadData[i].TlsModulePointer = Tls->ThreadData[i].TlsModulePointer; } - - ProcessTlsInformation->ThreadData[i].TlsModulePointer = Tls->ThreadData[i].TlsModulePointer; } - } - if (found)break; - entry = entry->Flink; - } + if (found)break; + entry = entry->Flink; + } - //assert(found); - if (found) { ProcessTlsInformation->ThreadData[i].Flags = Tls->ThreadData[i].Flags; ProcessTlsInformation->ThreadData[i].ThreadId = Tls->ThreadData[i].ThreadId; } + } LeaveCriticalSection(&MmpGlobalDataPtr->MmpTls->MmpTlspLock); @@ -783,4 +900,15 @@ BOOL NTAPI MmpTlsInitialize() { return TRUE; } +VOID NTAPI MmpTlsCleanup() { + + DetourTransactionBegin(); + DetourUpdateThread(NtCurrentThread()); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpTls->Hooks.OriginLdrShutdownThread, HookLdrShutdownThread); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpTls->Hooks.OriginNtSetInformationProcess, HookNtSetInformationProcess); + DetourDetach((PVOID*)&MmpGlobalDataPtr->MmpTls->Hooks.OriginRtlUserThreadStart, HookRtlUserThreadStart); + DetourTransactionCommit(); + +} + #endif diff --git a/MemoryModule/MmpTls.h b/MemoryModule/MmpTls.h index 33de5c9c..4c2fe0e3 100644 --- a/MemoryModule/MmpTls.h +++ b/MemoryModule/MmpTls.h @@ -2,6 +2,8 @@ BOOL NTAPI MmpTlsInitialize(); +VOID NTAPI MmpTlsCleanup(); + NTSTATUS NTAPI MmpReleaseTlsEntry(_In_ PLDR_DATA_TABLE_ENTRY lpModuleEntry); NTSTATUS NTAPI MmpHandleTlsData(_In_ PLDR_DATA_TABLE_ENTRY lpModuleEntry); diff --git a/MemoryModule/MmpTlsFiber.cpp b/MemoryModule/MmpTlsFiber.cpp index 60b89dc1..7ea4d8c9 100644 --- a/MemoryModule/MmpTlsFiber.cpp +++ b/MemoryModule/MmpTlsFiber.cpp @@ -3,6 +3,7 @@ #include "MmpTlsFiber.h" #include +#include typedef struct _MMP_POSTPONED_TLS { @@ -27,42 +28,47 @@ DWORD WINAPI MmpReleasePostponedTlsWorker(PVOID) { EnterCriticalSection(&MmpPostponedTlsLock); - auto iter = MmpPostponedTlsList->begin(); + if (MmpPostponedTlsList) { + auto iter = MmpPostponedTlsList->begin(); - while (iter != MmpPostponedTlsList->end()) { - const auto& item = *iter; - GetExitCodeThread(item.hThread, &code); + while (iter != MmpPostponedTlsList->end()) { + GetExitCodeThread(iter->hThread, &code); - if (code == STILL_ACTIVE) { - ++iter; - } - else { + if (code == STILL_ACTIVE) { + ++iter; + } + else { - RtlAcquireSRWLockExclusive(&MmpGlobalDataPtr->MmpTls->MmpTlsListLock); + RtlAcquireSRWLockExclusive(&MmpGlobalDataPtr->MmpTls->MmpTlsListLock); - auto TlspMmpBlock = (PVOID*)item.lpOldTlsVector->ModuleTlsData; - auto entry = MmpGlobalDataPtr->MmpTls->MmpTlsList.Flink; - while (entry != &MmpGlobalDataPtr->MmpTls->MmpTlsList) { + auto TlspMmpBlock = (PVOID*)iter->lpOldTlsVector->ModuleTlsData; + auto entry = MmpGlobalDataPtr->MmpTls->MmpTlsList.Flink; + while (entry != &MmpGlobalDataPtr->MmpTls->MmpTlsList) { - auto p = CONTAINING_RECORD(entry, TLS_ENTRY, TlsEntryLinks); - RtlFreeHeap(RtlProcessHeap(), 0, TlspMmpBlock[p->TlsDirectory.Characteristics]); + auto p = CONTAINING_RECORD(entry, TLS_ENTRY, TlsEntryLinks); + RtlFreeHeap(RtlProcessHeap(), 0, TlspMmpBlock[p->TlsDirectory.Characteristics]); - entry = entry->Flink; - } + entry = entry->Flink; + } - RtlFreeHeap(RtlProcessHeap(), 0, CONTAINING_RECORD(item.lpTlsRecord->TlspLdrBlock, TLS_VECTOR, TLS_VECTOR::ModuleTlsData)); - RtlFreeHeap(RtlProcessHeap(), 0, item.lpTlsRecord); - RtlFreeHeap(RtlProcessHeap(), 0, item.lpOldTlsVector); + RtlFreeHeap(RtlProcessHeap(), 0, CONTAINING_RECORD(iter->lpTlsRecord->TlspLdrBlock, TLS_VECTOR, TLS_VECTOR::ModuleTlsData)); + RtlFreeHeap(RtlProcessHeap(), 0, iter->lpTlsRecord); + RtlFreeHeap(RtlProcessHeap(), 0, iter->lpOldTlsVector); - RtlReleaseSRWLockExclusive(&MmpGlobalDataPtr->MmpTls->MmpTlsListLock); + RtlReleaseSRWLockExclusive(&MmpGlobalDataPtr->MmpTls->MmpTlsListLock); + + CloseHandle(iter->hThread); + iter = MmpPostponedTlsList->erase(iter); + } - CloseHandle(item.hThread); - iter = MmpPostponedTlsList->erase(iter); } + waitTime = MmpPostponedTlsList->empty() ? INFINITE : 1000; + } + else { + LeaveCriticalSection(&MmpPostponedTlsLock); + break; } - - waitTime = MmpPostponedTlsList->empty() ? INFINITE : 1000; LeaveCriticalSection(&MmpPostponedTlsLock); } @@ -89,6 +95,7 @@ VOID WINAPI MmpQueuePostponedTls(PMMP_TLSP_RECORD record) { ); item.lpOldTlsVector = MmpAllocateTlsp(); + assert(item.lpOldTlsVector); item.lpTlsRecord = record; @@ -100,16 +107,35 @@ VOID WINAPI MmpQueuePostponedTls(PMMP_TLSP_RECORD record) { EnterCriticalSection(&MmpPostponedTlsLock); - MmpPostponedTlsList->push_back(item); - SetEvent(MmpPostponedTlsEvent); + if (MmpPostponedTlsList) { + MmpPostponedTlsList->push_back(item); + SetEvent(MmpPostponedTlsEvent); + } + else { + RtlFreeHeap(RtlProcessHeap(), 0, item.lpOldTlsVector); + } LeaveCriticalSection(&MmpPostponedTlsLock); } +VOID OnExit() { + EnterCriticalSection(&MmpPostponedTlsLock); + + MmpPostponedTlsList->~vector(); + HeapFree(RtlProcessHeap(), 0, MmpPostponedTlsList); + MmpPostponedTlsList = nullptr; + + CloseHandle(MmpPostponedTlsEvent); + + LeaveCriticalSection(&MmpPostponedTlsLock); +} + VOID MmpTlsFiberInitialize() { InitializeCriticalSection(&MmpPostponedTlsLock); MmpPostponedTlsEvent = CreateEvent(nullptr, FALSE, FALSE, nullptr); MmpPostponedTlsList = new(HeapAlloc(GetProcessHeap(), 0, sizeof(std::vector))) std::vector(); + + atexit(OnExit); CreateThread(nullptr, 0, MmpReleasePostponedTlsWorker_Wrap, nullptr, 0, nullptr); } diff --git a/MemoryModule/ReflectiveLoader.c b/MemoryModule/ReflectiveLoader.c index 7044911b..a51750b7 100644 --- a/MemoryModule/ReflectiveLoader.c +++ b/MemoryModule/ReflectiveLoader.c @@ -1,4 +1,4 @@ -#ifdef _USRDLL +#if !(defined(_M_ARM) || defined(_M_ARM64) || !defined(_USRDLL)) //===============================================================================================// // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) diff --git a/MemoryModule/Utils.cpp b/MemoryModule/Utils.cpp index a150cf5a..3e4e4dac 100644 --- a/MemoryModule/Utils.cpp +++ b/MemoryModule/Utils.cpp @@ -140,6 +140,16 @@ BOOL NTAPI LdrpCallInitializers(PMEMORYMODULE module, DWORD dwReason) { // notify library about attaching to process if (((PLDR_INIT_ROUTINE)(module->codeBase + headers->OptionalHeader.AddressOfEntryPoint))((HINSTANCE)module->codeBase, dwReason, 0)) { module->initialized = TRUE; + + if (dwReason == DLL_PROCESS_ATTACH) { + if (MmpGlobalDataPtr->WindowsVersion <= WINDOWS_VERSION::winBlue) { + PLDR_DATA_TABLE_ENTRY_WINBLUE(module->LdrEntry)->ProcessAttachCalled = TRUE; + } + else { + PLDR_DATA_TABLE_ENTRY(module->LdrEntry)->Flags |= LDRP_PROCESS_ATTACH_CALLED; + } + } + return TRUE; } SetLastError(ERROR_DLL_INIT_FAILED); diff --git a/MemoryModule/Utils.h b/MemoryModule/Utils.h index bd1a2418..d110a04b 100644 --- a/MemoryModule/Utils.h +++ b/MemoryModule/Utils.h @@ -34,13 +34,14 @@ BOOLEAN NTAPI RtlIsValidImageBuffer( BOOLEAN NTAPI VirtualAccessCheck(LPCVOID pBuffer, size_t size, ACCESS_MASK protect); BOOLEAN NTAPI VirtualAccessCheckNoException(LPCVOID pBuffer, size_t size, ACCESS_MASK protect); -#define ProbeForRead(pBuffer, size) VirtualAccessCheck(pBuffer, size, PAGE_READONLY | PAGE_READWRITE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE) -#define ProbeForWrite(pBuffer, size) VirtualAccessCheck(pBuffer, size, PAGE_READWRITE | PAGE_EXECUTE_WRITECOPY | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE) -#define ProbeForReadWrite(pBuffer, size) VirtualAccessCheck(pBuffer, size, PAGE_EXECUTE_READWRITE | PAGE_READWRITE) +#define ProbeForRead(pBuffer, size) VirtualAccessCheck(pBuffer, size, PAGE_READONLY | PAGE_READWRITE | PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY | PAGE_WRITECOPY) +#define ProbeForWrite(pBuffer, size) VirtualAccessCheck(pBuffer, size, PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY) +#define ProbeForReadWrite ProbeForWrite #define ProbeForExecute(pBuffer, size) VirtualAccessCheck(pBuffer, size, PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY) -#define _ProbeForRead(pBuffer, size) VirtualAccessCheckNoException(pBuffer, size, PAGE_READONLY | PAGE_READWRITE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE) -#define _ProbeForWrite(pBuffer, size) VirtualAccessCheckNoException(pBuffer, size, PAGE_READWRITE | PAGE_EXECUTE_WRITECOPY | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE) -#define _ProbeForReadWrite(pBuffer, size) VirtualAccessCheckNoException(pBuffer, size, PAGE_EXECUTE_READWRITE | PAGE_READWRITE) + +#define _ProbeForRead(pBuffer, size) VirtualAccessCheckNoException(pBuffer, size, PAGE_READONLY | PAGE_READWRITE | PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY | PAGE_WRITECOPY) +#define _ProbeForWrite(pBuffer, size) VirtualAccessCheckNoException(pBuffer, size, PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY) +#define _ProbeForReadWrite _ProbeForWrite #define _ProbeForExecute(pBuffer, size) VirtualAccessCheckNoException(pBuffer, size, PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY) #define RtlClearBit(BitMapHeader,BitNumber) RtlClearBits((BitMapHeader),(BitNumber),1) diff --git a/MemoryModulePP.sln b/MemoryModulePP.sln index 0b985a5c..3df6af94 100644 --- a/MemoryModulePP.sln +++ b/MemoryModulePP.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio Version 16 -VisualStudioVersion = 16.0.29709.97 +# Visual Studio Version 17 +VisualStudioVersion = 17.7.34202.233 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MemoryModule", "MemoryModule\MemoryModule.vcxproj", "{5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}" EndProject @@ -11,34 +11,62 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "a", "a\a.vcxproj", "{DA79C6 EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|ARM = Debug|ARM + Debug|ARM64 = Debug|ARM64 Debug|x64 = Debug|x64 Debug|x86 = Debug|x86 + Release|ARM = Release|ARM + Release|ARM64 = Release|ARM64 Release|x64 = Release|x64 Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution + {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Debug|ARM.ActiveCfg = Debug|ARM + {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Debug|ARM.Build.0 = Debug|ARM + {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Debug|ARM64.ActiveCfg = Debug|ARM64 + {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Debug|ARM64.Build.0 = Debug|ARM64 {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Debug|x64.ActiveCfg = Debug|x64 {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Debug|x64.Build.0 = Debug|x64 {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Debug|x86.ActiveCfg = Debug|Win32 {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Debug|x86.Build.0 = Debug|Win32 + {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Release|ARM.ActiveCfg = Release|ARM + {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Release|ARM.Build.0 = Release|ARM + {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Release|ARM64.ActiveCfg = Release|ARM64 + {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Release|ARM64.Build.0 = Release|ARM64 {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Release|x64.ActiveCfg = Release|x64 {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Release|x64.Build.0 = Release|x64 {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Release|x86.ActiveCfg = Release|Win32 {5B1F46DB-036E-4A50-AF5F-F5D6584D42C6}.Release|x86.Build.0 = Release|Win32 + {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Debug|ARM.ActiveCfg = Debug|ARM + {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Debug|ARM.Build.0 = Debug|ARM + {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Debug|ARM64.ActiveCfg = Debug|ARM64 + {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Debug|ARM64.Build.0 = Debug|ARM64 {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Debug|x64.ActiveCfg = Debug|x64 {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Debug|x64.Build.0 = Debug|x64 {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Debug|x64.Deploy.0 = Debug|x64 {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Debug|x86.ActiveCfg = Debug|Win32 {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Debug|x86.Build.0 = Debug|Win32 {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Debug|x86.Deploy.0 = Debug|Win32 + {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Release|ARM.ActiveCfg = Release|ARM + {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Release|ARM.Build.0 = Release|ARM + {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Release|ARM64.ActiveCfg = Release|ARM64 + {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Release|ARM64.Build.0 = Release|ARM64 {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Release|x64.ActiveCfg = Release|x64 {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Release|x64.Build.0 = Release|x64 {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Release|x86.ActiveCfg = Release|Win32 {5B3131BA-178A-4A28-BD54-315A45C97ED1}.Release|x86.Build.0 = Release|Win32 + {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Debug|ARM.ActiveCfg = Debug|ARM + {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Debug|ARM.Build.0 = Debug|ARM + {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Debug|ARM64.ActiveCfg = Debug|ARM64 + {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Debug|ARM64.Build.0 = Debug|ARM64 {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Debug|x64.ActiveCfg = Debug|x64 {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Debug|x64.Build.0 = Debug|x64 {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Debug|x86.ActiveCfg = Debug|Win32 {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Debug|x86.Build.0 = Debug|Win32 + {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Release|ARM.ActiveCfg = Release|ARM + {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Release|ARM.Build.0 = Release|ARM + {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Release|ARM64.ActiveCfg = Release|ARM64 + {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Release|ARM64.Build.0 = Release|ARM64 {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Release|x64.ActiveCfg = Release|x64 {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Release|x64.Build.0 = Release|x64 {DA79C619-BDAC-4CF1-A38C-B1F5E05F4485}.Release|x86.ActiveCfg = Release|Win32 diff --git a/a/a.vcxproj b/a/a.vcxproj index 2bdc7fc0..b157e902 100644 --- a/a/a.vcxproj +++ b/a/a.vcxproj @@ -1,10 +1,26 @@ + + Debug + ARM + + + Debug + ARM64 + Debug Win32 + + Release + ARM + + + Release + ARM64 + Release Win32 @@ -33,6 +49,13 @@ Unicode false + + DynamicLibrary + true + v142 + Unicode + false + DynamicLibrary false @@ -40,12 +63,25 @@ true Unicode + + DynamicLibrary + false + v142 + true + Unicode + DynamicLibrary true v142 Unicode + + DynamicLibrary + true + v142 + Unicode + DynamicLibrary false @@ -53,6 +89,13 @@ true Unicode + + DynamicLibrary + false + v142 + true + Unicode + @@ -61,28 +104,52 @@ + + + + + + + + + + + + true + + true + true + + true + false + + false + false + + false + NotUsing @@ -104,6 +171,29 @@ true + + + NotUsing + Level3 + true + WIN32;_DEBUG;A_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + true + + + MultiThreadedDebug + + + Sync + + + Windows + true + false + m.def + + + + NotUsing @@ -123,6 +213,26 @@ m.def + + + NotUsing + Level3 + true + _DEBUG;A_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + true + + + MultiThreadedDebug + + + + + Windows + true + false + m.def + + NotUsing @@ -146,6 +256,30 @@ m.def + + + NotUsing + Level3 + true + true + true + WIN32;NDEBUG;A_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + true + + + MultiThreaded + + + + + Windows + true + true + true + false + m.def + + NotUsing @@ -170,13 +304,36 @@ m.def + + + NotUsing + Level3 + true + true + true + NDEBUG;A_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + true + + + MultiThreaded + Sync + + + + + Windows + true + true + true + false + m.def + + - - @@ -188,11 +345,6 @@ - - - {5b1f46db-036e-4a50-af5f-f5d6584d42c6} - - diff --git a/a/a.vcxproj.filters b/a/a.vcxproj.filters index 3cd8839c..6239210a 100644 --- a/a/a.vcxproj.filters +++ b/a/a.vcxproj.filters @@ -18,18 +18,12 @@ Source Files - - Source Files - Source Files Source Files - - Source Files - Source Files diff --git a/a/load.cpp b/a/load.cpp deleted file mode 100644 index 72babcbe..00000000 --- a/a/load.cpp +++ /dev/null @@ -1,51 +0,0 @@ -#include "../MemoryModule/stdafx.h" -#include - -static PVOID ReadDllFile(LPCSTR FileName) { - LPVOID buffer; - size_t size; - FILE* f; - fopen_s(&f, FileName, "rb"); - if (!f)return 0; - _fseeki64(f, 0, SEEK_END); - if (!(size = _ftelli64(f))) { - fclose(f); - return 0; - } - _fseeki64(f, 0, SEEK_SET); - fread(buffer = new char[size], 1, size, f); - fclose(f); - return buffer; -} - -int __stdcall test_user32() { - HMODULE hModule; - NTSTATUS status; - PVOID buffer = ReadDllFile("C:\\Windows\\System32\\user32.dll"); - if (!buffer) return 0; - - hModule = GetModuleHandleA("user32.dll"); - if (hModule)return 0; - - status = LdrLoadDllMemoryExW( - &hModule, // ModuleHandle - nullptr, // LdrEntry - 0, // Flags - buffer, // Buffer - 0, // Reserved - L"user32.dll", // DllBaseName - L"C:\\Windows\\System32\\user32.dll" // DllFullName - ); - if (NT_SUCCESS(status) && status != STATUS_IMAGE_MACHINE_TYPE_MISMATCH) { - - auto _MessageBoxW = (decltype(&MessageBoxW))GetProcAddress(hModule, "MessageBoxW"); - _MessageBoxW(nullptr, L"Hello, from memory user32!", L"Caption", MB_OK); - - // - // After calling MessageBox, we can't free it. - // - //LdrUnloadDllMemory(hModule); - } - - return 0; -} diff --git a/a/m.def b/a/m.def index 545acdc0..95aaa7bb 100644 --- a/a/m.def +++ b/a/m.def @@ -4,6 +4,4 @@ test = __test__ thread Socket = ws2_32.WSASocketW VerifyTruse = wintrust.WinVerifyTrust -test_user32 -unhandled_exception GdiplusTest \ No newline at end of file diff --git a/a/unhandled_exception.cpp b/a/unhandled_exception.cpp deleted file mode 100644 index f442ed2a..00000000 --- a/a/unhandled_exception.cpp +++ /dev/null @@ -1,49 +0,0 @@ -#include -#include - -#ifdef _WIN64 -DWORD Value; -volatile LPDWORD lpAddr; - -LONG WINAPI Filter(_In_ struct _EXCEPTION_POINTERS* ExceptionInfo) { - - if (ExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_ACCESS_VIOLATION) { - - lpAddr = &Value; - - // +++++++ - // begin compiler specific - // +++++++ - - //ExceptionInfo->ContextRecord->Rip -= 7; - ExceptionInfo->ContextRecord->Rax = (ULONG_PTR)lpAddr; - - // +++++++ - // end compiler specific - // +++++++ - - return EXCEPTION_CONTINUE_EXECUTION; - } - - return EXCEPTION_CONTINUE_SEARCH; -} -#endif - -int unhandled_exception() { -#ifdef _WIN64 - auto filter = SetUnhandledExceptionFilter(Filter); - auto ff = SetUnhandledExceptionFilter(filter); - - if (ff != Filter) { - printf("%p\t%p\t%p\nfailed\n", filter, ff, Filter); - return 0; - } - - filter = SetUnhandledExceptionFilter(Filter); - lpAddr = nullptr; - *lpAddr = 1; - SetUnhandledExceptionFilter(filter); -#endif - - return 1234; -} diff --git a/test/test.cpp b/test/test.cpp index 98d5b49c..e5c964af 100644 --- a/test/test.cpp +++ b/test/test.cpp @@ -1,8 +1,7 @@ #include "../MemoryModule/stdafx.h" #include "../MemoryModule/LoadDllMemoryApi.h" #include - -//PMMP_GLOBAL_DATA MmpGlobalDataPtr = *(PMMP_GLOBAL_DATA*)GetProcAddress(GetModuleHandleA("MemoryModule.dll"), "MmpGlobalDataPtr"); +#pragma comment(lib,"ntdll.lib") static void DisplayStatus() { printf( @@ -41,7 +40,10 @@ static PVOID ReadDllFile(LPCSTR FileName) { return 0; } _fseeki64(f, 0, SEEK_SET); - fread(buffer = new char[size], 1, size, f); + + buffer = VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + + fread(buffer, 1, size, f); fclose(f); return buffer; } @@ -62,62 +64,75 @@ PVOID ReadDllFile2(LPCSTR FileName) { return nullptr; } -#define LIBRARY_PATH "\\\\DESKTOP-1145141919810\\Debug\\" +int test() { + LPVOID buffer = ReadDllFile2("a.dll"); + + HMODULE hModule = nullptr; + FARPROC pfn = nullptr; + + typedef int(*_exception)(int code); + _exception exception = nullptr; + HRSRC hRsrc; + DWORD SizeofRes; + HGLOBAL gRes; + char str[10]; -HMODULE WINAPI MyLoadLibrary(LPCSTR lpModuleName) { - HMODULE hModule; - PVOID buffer; + if (!NT_SUCCESS(LdrLoadDllMemoryExW(&hModule, nullptr, 0, buffer, 0, L"kernel64", nullptr))) goto end; - if (0 == _stricmp(lpModuleName, "CTestClassLibrary1.dll")) { - buffer = ReadDllFile(LIBRARY_PATH"CTestClassLibrary1.dll"); + //forward export + pfn = (decltype(pfn))(GetProcAddress(hModule, "Socket")); //ws2_32.WSASocketW + pfn = (decltype(pfn))(GetProcAddress(hModule, "VerifyTruse")); //wintrust.WinVerifyTrust + + //exception + exception = (_exception)GetProcAddress(hModule, "exception"); + if (exception) { + for (int i = 0; i < 5; ++i)exception(i); } - else if (0 == _stricmp(lpModuleName, "CTestClassLibrary2.dll")) { - buffer = ReadDllFile(LIBRARY_PATH"CTestClassLibrary2.dll"); + + //tls + pfn = GetProcAddress(hModule, "thread"); + if (pfn && pfn()) { + printf("thread test failed.\n"); } - else if (0 == _stricmp(lpModuleName, "CTestClassLibrary1Dep.dll")) { - buffer = ReadDllFile(LIBRARY_PATH"CTestClassLibrary1Dep.dll"); + + //resource + if (!LoadStringA(hModule, 101, str, 10)) { + printf("load string failed.\n"); } else { - return nullptr; + printf("%s\n", str); } - - hModule = LoadLibraryMemoryExA(buffer, 0, lpModuleName, nullptr, 0); - delete[]buffer; - return hModule; -} - -VOID TestImportTableResolver() { - - // - // Register the import table resolver. - // - HANDLE hResolver = MmRegisterImportTableResolver(MyLoadLibrary, FreeLibraryMemory); - - // - // |-> CTestClassLibrary1.dll -> CTestClassLibrary1Dep.dll - // CTestClient.dll -| - // |-> CTestClassLibrary2.dll - // - - PVOID Client = ReadDllFile2("CTestClient.dll"); - HMODULE hm = LoadLibraryMemoryEx(Client, 0, TEXT("CTestClient.dll"), nullptr, 0); - delete[]Client; - - if (hm) { - auto pfn = GetProcAddress(hm, "TestProc"); - if (pfn) { - pfn(); + if (!(hRsrc = FindResourceA(hModule, MAKEINTRESOURCEA(102), "BINARY"))) { + printf("find binary resource failed.\n"); + } + else { + if ((SizeofRes = SizeofResource(hModule, hRsrc)) != 0x10) { + printf("invalid res size.\n"); + } + else { + if (!(gRes = LoadResource(hModule, hRsrc))) { + printf("load res failed.\n"); + } + else { + if (!LockResource(gRes))printf("lock res failed.\n"); + else { + printf("resource test success.\n"); + } + } } - - FreeLibraryMemory(hm); } - MmRemoveImportTableResolver(hResolver); +end: + LdrUnloadDllMemory(hModule); + VirtualFree(buffer, 0, MEM_RELEASE); + return 0; } int main() { + DisplayStatus(); - TestImportTableResolver(); + + test(); return 0; } diff --git a/test/test.vcxproj b/test/test.vcxproj index e0883c90..aee15d34 100644 --- a/test/test.vcxproj +++ b/test/test.vcxproj @@ -1,10 +1,26 @@ + + Debug + ARM + + + Debug + ARM64 + Debug Win32 + + Release + ARM + + + Release + ARM64 + Release Win32 @@ -23,7 +39,7 @@ {5B3131BA-178A-4A28-BD54-315A45C97ED1} Win32Proj test - 10.0 + 10.0.22621.0 @@ -32,6 +48,12 @@ v142 Unicode + + Application + true + v142 + Unicode + Application false @@ -39,12 +61,25 @@ true Unicode + + Application + false + v142 + true + Unicode + Application true v142 Unicode + + Application + true + v142 + Unicode + Application false @@ -52,6 +87,13 @@ true Unicode + + Application + false + v142 + true + Unicode + @@ -60,28 +102,52 @@ + + + + + + + + + + + + true + + true + true + + true + false + + false + false + + false + @@ -97,6 +163,21 @@ true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + MultiThreadedDebug + + + Console + true + + @@ -112,6 +193,21 @@ true + + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + MultiThreadedDebug + + + Console + true + + @@ -131,6 +227,25 @@ true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + MultiThreaded + + + Console + true + true + true + + @@ -152,16 +267,45 @@ + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + MultiThreaded + + + Console + true + true + true + + + + + + + + + + + +