remove more stuff from ntdll

This commit is contained in:
Akash Mozumdar 2018-06-13 21:52:45 -04:00
parent c393d29115
commit d89cc56d6f
7 changed files with 42 additions and 60 deletions


@ -76,7 +76,7 @@ BOOL getModuleMemoryRange(LPCWSTR moduleName, DWORD *lowerBound, DWORD *upperBou
do { do {
DWORD len; DWORD len;
// Nt function is needed instead of VirtualQuery, which only works for the current process // Nt function is needed instead of VirtualQuery, which only works for the current process
::NtQueryVirtualMemory(NtCurrentProcess(), (LPVOID)upper, MemoryBasicInformation, &mbi, sizeof(mbi), &len); ::NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)upper, MemoryBasicInformation, &mbi, sizeof(mbi), &len);
if (mbi.Protect & PAGE_NOACCESS) { if (mbi.Protect & PAGE_NOACCESS) {
it->SizeOfImage = size; it->SizeOfImage = size;
break; break;


@ -5932,7 +5932,7 @@ bool InsertWaffleDynamicHook(LPVOID addr, DWORD frame, DWORD stack)
// str = *(DWORD*)stack; // str = *(DWORD*)stack;
// if ((str >> 16) != (stack >> 16)) // if ((str >> 16) != (stack >> 16))
// { // {
// status = NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)str,MemoryBasicInformation,&info,sizeof(info),0); // status = NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)str,MemoryBasicInformation,&info,sizeof(info),0);
// if (!NT_SUCCESS(status) || info.Protect & PAGE_NOACCESS) continue; //Accessible // if (!NT_SUCCESS(status) || info.Protect & PAGE_NOACCESS) continue; //Accessible
// } // }
// if (*(WORD*)(str + 4) == ch) break; // if (*(WORD*)(str + 4) == ch) break;
@ -8188,7 +8188,7 @@ bool IsPensilSetup()
IO_STATUS_BLOCK ios; IO_STATUS_BLOCK ios;
LPVOID buffer = nullptr; LPVOID buffer = nullptr;
NtQueryInformationFile(hFile, &ios, &info, sizeof(info), FileStandardInformation); NtQueryInformationFile(hFile, &ios, &info, sizeof(info), FileStandardInformation);
NtAllocateVirtualMemory(NtCurrentProcess(), &buffer, 0, NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0,
&info.AllocationSize.LowPart, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); &info.AllocationSize.LowPart, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
NtReadFile(hFile, 0,0,0, &ios, buffer, info.EndOfFile.LowPart, 0, 0); NtReadFile(hFile, 0,0,0, &ios, buffer, info.EndOfFile.LowPart, 0, 0);
CloseHandle(hFile); CloseHandle(hFile);
@ -8199,7 +8199,7 @@ bool IsPensilSetup()
b[len] = 0; b[len] = 0;
b[len + 1] = 0; b[len + 1] = 0;
bool ret = wcsstr((LPWSTR)buffer, L"PENSIL") || wcsstr((LPWSTR)buffer, L"Pensil"); bool ret = wcsstr((LPWSTR)buffer, L"PENSIL") || wcsstr((LPWSTR)buffer, L"Pensil");
NtFreeVirtualMemory(NtCurrentProcess(), &buffer, &info.AllocationSize.LowPart, MEM_RELEASE); NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &info.AllocationSize.LowPart, MEM_RELEASE);
return ret; return ret;
} }
#endif // if 0 #endif // if 0
@ -8853,23 +8853,23 @@ MEMORY_WORKING_SET_LIST *GetWorkingSet()
NTSTATUS status; NTSTATUS status;
LPVOID buffer = 0; LPVOID buffer = 0;
len = 0x4000; len = 0x4000;
status = NtAllocateVirtualMemory(NtCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); status = NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
if (!NT_SUCCESS(status)) return 0; if (!NT_SUCCESS(status)) return 0;
status = NtQueryVirtualMemory(NtCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl); status = NtQueryVirtualMemory(GetCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
if (status == STATUS_INFO_LENGTH_MISMATCH) { if (status == STATUS_INFO_LENGTH_MISMATCH) {
len = *(DWORD*)buffer; len = *(DWORD*)buffer;
len = ((len << 2) & 0xfffff000) + 0x4000; len = ((len << 2) & 0xfffff000) + 0x4000;
retl = 0; retl = 0;
NtFreeVirtualMemory(NtCurrentProcess(), &buffer, &retl, MEM_RELEASE); NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &retl, MEM_RELEASE);
buffer = 0; buffer = 0;
status = NtAllocateVirtualMemory(NtCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); status = NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
if (!NT_SUCCESS(status)) return 0; if (!NT_SUCCESS(status)) return 0;
status = NtQueryVirtualMemory(NtCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl); status = NtQueryVirtualMemory(GetCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
if (!NT_SUCCESS(status)) return 0; if (!NT_SUCCESS(status)) return 0;
return (MEMORY_WORKING_SET_LIST*)buffer; return (MEMORY_WORKING_SET_LIST*)buffer;
} else { } else {
retl = 0; retl = 0;
NtFreeVirtualMemory(NtCurrentProcess(), &buffer, &retl, MEM_RELEASE); NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &retl, MEM_RELEASE);
return 0; return 0;
} }
@ -8920,7 +8920,7 @@ BOOL FindCharacteristInstruction(MEMORY_WORKING_SET_LIST *list)
else { else {
if (size > 0x2000) { if (size > 0x2000) {
addr = base & ~0xfff; addr = base & ~0xfff;
status = NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)addr, status = NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)addr,
MemorySectionName,text_buffer_prev,0x1000,&retl); MemorySectionName,text_buffer_prev,0x1000,&retl);
if (!NT_SUCCESS(status)) { if (!NT_SUCCESS(status)) {
k = addr + size - 4; k = addr + size - 4;
@ -8962,7 +8962,7 @@ bool InsertAB2TryHook()
ConsoleOutput("vnreng:AB2Try: cannot find characteristic sequence"); ConsoleOutput("vnreng:AB2Try: cannot find characteristic sequence");
//L"Make sure you have start the game and have seen some text on the screen."); //L"Make sure you have start the game and have seen some text on the screen.");
DWORD size = 0; DWORD size = 0;
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&list, &size, MEM_RELEASE); NtFreeVirtualMemory(GetCurrentProcess(), (PVOID *)&list, &size, MEM_RELEASE);
return ret; return ret;
} }


@ -885,7 +885,7 @@ bool DetermineEngineType()
// //
HANDLE hijackThread; HANDLE hijackThread;
void hijackThreadProc(LPVOID unused) DWORD WINAPI hijackThreadProc(LPVOID unused)
{ {
//CC_UNUSED(lpThreadParameter); //CC_UNUSED(lpThreadParameter);
@ -901,6 +901,7 @@ void hijackThreadProc(LPVOID unused)
FillRange(process_name_, &module_base_, &module_limit_); FillRange(process_name_, &module_base_, &module_limit_);
DetermineEngineType(); DetermineEngineType();
return 0;
} }
}} // namespace Engine unnamed }} // namespace Engine unnamed
@ -914,7 +915,7 @@ void Engine::hijack()
{ {
if (!hijackThread) { if (!hijackThread) {
ConsoleOutput("vnreng: hijack process"); ConsoleOutput("vnreng: hijack process");
hijackThread = IthCreateThread(hijackThreadProc, 0); hijackThread = CreateRemoteThread(GetCurrentProcess(), nullptr, 0, hijackThreadProc, 0, 0, nullptr);
} }
} }
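Review bot: `hijackThread = CreateRemoteThread(GetCurrentProcess(), nullptr, 0, hijackThreadProc, 0, 0, nullptr);` never inspects the result, so a creation failure (NULL return) leaves hijackThread unset and hijack() reports nothing; the `if (!hijackThread)` guard will retry on the next call, but the failure is otherwise invisible. Suggest `if (!hijackThread) ConsoleOutput("vnreng: hijack: CreateRemoteThread failed");` directly after the call. The returned handle is also retained for the life of the process with no CloseHandle in sight; if hijackThread only serves as a started flag (nothing in this section reads it otherwise), document that with a comment on the global, e.g. `// Non-NULL once the hijack thread has been started; the handle itself is never waited on.`, or close it once a waiter is confirmed not to exist.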


@ -584,7 +584,7 @@ int TextHook::UnsafeInsertHookCode()
// Verify hp.address. // Verify hp.address.
MEMORY_BASIC_INFORMATION info = {}; MEMORY_BASIC_INFORMATION info = {};
NtQueryVirtualMemory(NtCurrentProcess(), (LPVOID)hp.address, MemoryBasicInformation, &info, sizeof(info), nullptr); NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, MemoryBasicInformation, &info, sizeof(info), nullptr);
if (info.Type & PAGE_NOACCESS) { if (info.Type & PAGE_NOACCESS) {
ConsoleOutput("vnrcli:UnsafeInsertHookCode: FAILED: page no access"); ConsoleOutput("vnrcli:UnsafeInsertHookCode: FAILED: page no access");
return no; return no;
@ -661,13 +661,13 @@ int TextHook::UnsafeInsertHookCode()
// See: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html // See: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html
// See: http://doxygen.reactos.org/d8/d6b/ndk_2mmfuncs_8h_af942709e0c57981d84586e74621912cd.html // See: http://doxygen.reactos.org/d8/d6b/ndk_2mmfuncs_8h_af942709e0c57981d84586e74621912cd.html
DWORD addr = hp.address; DWORD addr = hp.address;
NtProtectVirtualMemory(NtCurrentProcess(), (PVOID *)&addr, &t, PAGE_EXECUTE_READWRITE, &old); NtProtectVirtualMemory(GetCurrentProcess(), (PVOID *)&addr, &t, PAGE_EXECUTE_READWRITE, &old);
NtWriteVirtualMemory(NtCurrentProcess(), (BYTE *)hp.address, inst, 5, &t); NtWriteVirtualMemory(GetCurrentProcess(), (BYTE *)hp.address, inst, 5, &t);
len = hp.recover_len - 5; len = hp.recover_len - 5;
if (len) if (len)
NtWriteVirtualMemory(NtCurrentProcess(), (BYTE *)hp.address + 5, int3, len, &t); NtWriteVirtualMemory(GetCurrentProcess(), (BYTE *)hp.address + 5, int3, len, &t);
NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)hp.address, hp.recover_len); NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)::hookman, 0x1000); NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)::hookman, 0x1000);
//ConsoleOutput("vnrcli:UnsafeInsertHookCode: leave: succeed"); //ConsoleOutput("vnrcli:UnsafeInsertHookCode: leave: succeed");
return 0; return 0;
} }
@ -719,8 +719,8 @@ int TextHook::RemoveHook()
//with_seh({ // jichi 9/17/2013: might crash >< //with_seh({ // jichi 9/17/2013: might crash ><
// jichi 12/25/2013: Actually, __try cannot catch such kind of exception // jichi 12/25/2013: Actually, __try cannot catch such kind of exception
ITH_TRY { ITH_TRY {
NtWriteVirtualMemory(NtCurrentProcess(), (LPVOID)hp.address, original, hp.recover_len, &l); NtWriteVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, original, hp.recover_len, &l);
NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)hp.address, hp.recover_len); NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
} ITH_EXCEPT {} } ITH_EXCEPT {}
//}); //});
hp.hook_len = 0; hp.hook_len = 0;
@ -839,9 +839,9 @@ EXCEPTION_DISPOSITION ExceptHandler(EXCEPTION_RECORD *ExceptionRecord,
//swprintf(str, L"Exception code: 0x%.8X", ExceptionRecord->ExceptionCode); //swprintf(str, L"Exception code: 0x%.8X", ExceptionRecord->ExceptionCode);
//ConsoleOutput(str); //ConsoleOutput(str);
//MEMORY_BASIC_INFORMATION info; //MEMORY_BASIC_INFORMATION info;
//if (NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip, //if (NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip,
// MemoryBasicInformation,&info,sizeof(info),0)) && // MemoryBasicInformation,&info,sizeof(info),0)) &&
// NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip, // NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip,
// MemorySectionName,name,0x200,0))) { // MemorySectionName,name,0x200,0))) {
// swprintf(str, L"Exception offset: 0x%.8X:%s", // swprintf(str, L"Exception offset: 0x%.8X:%s",
// ContextRecord->Eip-(DWORD)info.AllocationBase, // ContextRecord->Eip-(DWORD)info.AllocationBase,
@ -866,9 +866,9 @@ EXCEPTION_DISPOSITION ExceptHandler(EXCEPTION_RECORD *ExceptionRecord,
//swprintf(str, L"Exception code: 0x%.8X", ExceptionRecord->ExceptionCode); //swprintf(str, L"Exception code: 0x%.8X", ExceptionRecord->ExceptionCode);
//ConsoleOutput(str); //ConsoleOutput(str);
//MEMORY_BASIC_INFORMATION info; //MEMORY_BASIC_INFORMATION info;
//if (NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip, //if (NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip,
// MemoryBasicInformation,&info,sizeof(info),0)) && // MemoryBasicInformation,&info,sizeof(info),0)) &&
// NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip, // NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip,
// MemorySectionName,name,0x200,0))) { // MemorySectionName,name,0x200,0))) {
// swprintf(str, L"Exception offset: 0x%.8X:%s", // swprintf(str, L"Exception offset: 0x%.8X:%s",
// ContextRecord->Eip-(DWORD)info.AllocationBase, // ContextRecord->Eip-(DWORD)info.AllocationBase,
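Review bot: The page-access guard in the first hunk of UnsafeInsertHookCode tests the wrong field: `if (info.Type & PAGE_NOACCESS)` masks MEMORY_BASIC_INFORMATION::Type (MEM_IMAGE/MEM_MAPPED/MEM_PRIVATE) with a protection flag, so it can never be true, and the NTSTATUS of the preceding NtQueryVirtualMemory call is discarded, so a failed query leaves info zero-initialized and the hook goes on to patch an unverified address. Suggest `if (!NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, MemoryBasicInformation, &info, sizeof(info), nullptr)) || info.State != MEM_COMMIT || (info.Protect & PAGE_NOACCESS)) {` so that both failure paths take the existing "page no access" return. The same unchecked-status pattern applies to NtProtectVirtualMemory and NtWriteVirtualMemory in the second hunk, where a refused protection change is not detected before the write is attempted. UnsafeInsertHookCode starts and ends outside these hunks.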


@ -68,6 +68,7 @@ HANDLE
hFile, hFile,
hMutex, hMutex,
hmMutex; hmMutex;
HMODULE currentModule;
//DWORD current_process_id; //DWORD current_process_id;
extern DWORD enter_count; extern DWORD enter_count;
//extern LPWSTR current_dir; //extern LPWSTR current_dir;
@ -157,27 +158,26 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused)
IthInitSystemService(); IthInitSystemService();
swprintf(hm_section, ITH_SECTION_ L"%d", current_process_id); swprintf(hm_section, ITH_SECTION_ L"%d", GetCurrentProcessId());
// jichi 9/25/2013: Interprocedural communication with vnrsrv. // jichi 9/25/2013: Interprocedural communication with vnrsrv.
hSection = CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_EXECUTE_READWRITE, 0, HOOK_SECTION_SIZE, hm_section); hSection = CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_EXECUTE_READWRITE, 0, HOOK_SECTION_SIZE, hm_section);
::hookman = (TextHook*)MapViewOfFile(hSection, FILE_MAP_ALL_ACCESS, 0, 0, HOOK_SECTION_SIZE / 2); ::hookman = (TextHook*)MapViewOfFile(hSection, FILE_MAP_ALL_ACCESS, 0, 0, HOOK_SECTION_SIZE / 2);
GetProcessName(::processName); GetProcessName(::processName);
FillRange(::processName, &::processStartAddress, &::processStopAddress); ::processStartAddress = (DWORD)GetModuleHandleW(nullptr);
//NtInspect::getProcessMemoryRange(&::processStartAddress, &::processStopAddress);
{ {
wchar_t hm_mutex[0x100]; wchar_t hm_mutex[0x100];
swprintf(hm_mutex, ITH_HOOKMAN_MUTEX_ L"%d", current_process_id); swprintf(hm_mutex, ITH_HOOKMAN_MUTEX_ L"%d", GetCurrentProcessId());
::hmMutex = IthCreateMutex(hm_mutex, FALSE); ::hmMutex = CreateMutexW(nullptr, FALSE, hm_mutex);
} }
{ {
wchar_t dll_mutex[0x100]; wchar_t dll_mutex[0x100];
swprintf(dll_mutex, ITH_PROCESS_MUTEX_ L"%d", current_process_id); swprintf(dll_mutex, ITH_PROCESS_MUTEX_ L"%d", GetCurrentProcessId());
DWORD exists; DWORD exists;
::hMutex = IthCreateMutex(dll_mutex, TRUE, &exists); // jichi 9/18/2013: own is true, make sure the injected dll is singleton ::hMutex = CreateMutexW(nullptr, TRUE, dll_mutex); // jichi 9/18/2013: own is true, make sure the injected dll is singleton
if (exists) if (GetLastError() == ERROR_ALREADY_EXISTS)
return FALSE; return FALSE;
} }
@ -186,8 +186,9 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused)
::tree = new AVLTree<char, FunctionInfo, SCMP, SCPY, SLEN>; ::tree = new AVLTree<char, FunctionInfo, SCMP, SCPY, SLEN>;
AddAllModules(); AddAllModules();
InitFilterTable(); InitFilterTable();
::currentModule = hModule;
pipeThread = IthCreateThread(PipeManager, 0); pipeThread = CreateRemoteThread(GetCurrentProcess(), nullptr, 0, PipeManager, 0, 0, nullptr);
} break; } break;
case DLL_PROCESS_DETACH: case DLL_PROCESS_DETACH:
{ {
@ -211,7 +212,7 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused)
for (TextHook *man = ::hookman; man->RemoveHook(); man++); for (TextHook *man = ::hookman; man->RemoveHook(); man++);
//LARGE_INTEGER lint = {-10000, -1}; //LARGE_INTEGER lint = {-10000, -1};
while (::enter_count) while (::enter_count)
IthSleep(1); // jichi 9/28/2013: sleep for 1 ms Sleep(1); // jichi 9/28/2013: sleep for 1 ms
//NtDelayExecution(0, &lint); //NtDelayExecution(0, &lint);
for (TextHook *man = ::hookman; man < ::hookman + MAX_HOOK; man++) for (TextHook *man = ::hookman; man < ::hookman + MAX_HOOK; man++)
man->ClearHook(); man->ClearHook();
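Review bot: Replacing `FillRange(::processName, &::processStartAddress, &::processStopAddress);` with `::processStartAddress = (DWORD)GetModuleHandleW(nullptr);` drops the upper bound: ::processStopAddress is no longer assigned anywhere in this section, so any range test against it elsewhere (not visible here) now compares against whatever the global was initialized to, presumably 0. If the bound is still consumed, set it next to the base — getModuleMemoryRange(LPCWSTR, DWORD *lowerBound, DWORD *upperBound) in the first file section looks like the intended source of both values — rather than leaving the NtInspect call commented out. Two smaller points in the same hunk: `DWORD exists;` is now unused after the switch to `GetLastError() == ERROR_ALREADY_EXISTS`, and a NULL return from either CreateMutexW is never checked, so a failed creation falls through as if this were the first instance; `if (!::hMutex || GetLastError() == ERROR_ALREADY_EXISTS) return FALSE;` covers both. DllMain starts and ends outside these hunks.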


@ -17,6 +17,7 @@
#include <cstdio> // for swprintf #include <cstdio> // for swprintf
HANDLE hookPipe; HANDLE hookPipe;
extern HMODULE currentModule;
DWORD WINAPI PipeManager(LPVOID unused) DWORD WINAPI PipeManager(LPVOID unused)
{ {
@ -41,7 +42,8 @@ DWORD WINAPI PipeManager(LPVOID unused)
} }
} }
WriteFile(::hookPipe, &::current_process_id, sizeof(::current_process_id), nullptr, nullptr); *(DWORD*)buffer = GetCurrentProcessId();
WriteFile(::hookPipe, buffer, sizeof(DWORD), nullptr, nullptr);
for (int i = 0, count = 0; count < ::currentHook; i++) for (int i = 0, count = 0; count < ::currentHook; i++)
{ {
@ -112,7 +114,7 @@ DWORD WINAPI PipeManager(LPVOID unused)
CloseHandle(::hookPipe); CloseHandle(::hookPipe);
CloseHandle(hostPipe); CloseHandle(hostPipe);
} }
Util::unloadCurrentModule(); FreeLibraryAndExitThread(::currentModule, 0);
return 0; return 0;
} }
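Review bot: The new process-id write `WriteFile(::hookPipe, buffer, sizeof(DWORD), nullptr, nullptr);` passes NULL for both lpNumberOfBytesWritten and lpOverlapped, which the WriteFile contract does not allow (the byte-count pointer may be NULL only when lpOverlapped is non-NULL), and it stages the value through a type-punning store into `buffer` for no gain. A local `DWORD pid = GetCurrentProcessId(), written = 0;` followed by `WriteFile(::hookPipe, &pid, sizeof(pid), &written, nullptr);` avoids both. In the last hunk the `return 0;` after `FreeLibraryAndExitThread(::currentModule, 0);` is unreachable because that call does not return; harmless, but a comment such as `// not reached: FreeLibraryAndExitThread unloads this module and ends the thread` makes the intent explicit. PipeManager's body extends beyond these hunks.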


@ -302,26 +302,4 @@ termin:
} }
} }
EXTERN_C IMAGE_DOS_HEADER __ImageBase;
// See: http://stackoverflow.com/questions/3410130/dll-unloading-itself
// TODO: This doesn't always work. Fix it.
bool Util::unloadCurrentModule()
{
auto fun = ::FreeLibrary;
//auto fun = ::LdrUnloadDll;
if (HANDLE h = ::IthCreateThread(fun, (DWORD)&__ImageBase)) {
//const LONGLONG timeout = -50000000; // in nanoseconds = 5 seconds
//NtWaitForSingleObject(h, 0, (PLARGE_INTEGER)&timeout);
CloseHandle(h);
return true;
}
// CreateThread does not always work on Windows XP. Use IthCreateThread (i.e. CreateRemoteThread under the water) instead.
//if (HANDLE h = ::CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)fun, &__ImageBase, 0, NULL)) {
// ::CloseHandle(h);
// return true;
//}
return false;
}
// EOF // EOF