finish removeing ntdll dependence in core hijacking code

This commit is contained in:
Akash Mozumdar 2018-08-07 12:49:20 -04:00
parent c3707de5b5
commit 4b70c62d64
3 changed files with 30 additions and 51 deletions

View File

@ -436,10 +436,9 @@ int TextHook::UnsafeInsertHookCode()
} }
// Verify hp.address. // Verify hp.address.
MEMORY_BASIC_INFORMATION info = {}; if (!IthGetMemoryRange((LPCVOID)hp.address, nullptr, nullptr))
NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, MemoryBasicInformation, &info, sizeof(info), nullptr); {
if (info.Type & PAGE_NOACCESS) { ConsoleOutput("NextHooker: FAILED: cannot access requested memory");
ConsoleOutput("vnrcli:UnsafeInsertHookCode: FAILED: page no access");
return no; return no;
} }
@ -453,7 +452,7 @@ int TextHook::UnsafeInsertHookCode()
BYTE inst[] = // jichi 9/27/2013: Why 8? Only 5 bytes will be written using NtWriteVirtualMemory BYTE inst[] = // jichi 9/27/2013: Why 8? Only 5 bytes will be written using NtWriteVirtualMemory
{ {
0xe9, 0, 0, 0, 0, // jmp recover 0xe9, 0, 0, 0, 0, // jmp recover
0, 0, 0 // ??? 0xcc, 0xcc, 0xcc // int3
}; };
void* relRecover = (void*)(recover - (BYTE*)hp.address - 5); void* relRecover = (void*)(recover - (BYTE*)hp.address - 5);
memcpy(inst + 1, &relRecover, sizeof(void*)); memcpy(inst + 1, &relRecover, sizeof(void*));
@ -495,24 +494,13 @@ int TextHook::UnsafeInsertHookCode()
} }
} }
} }
// Insert hook and flush instruction cache.
enum {c8 = 0xcccccccc}; DWORD old;
DWORD int3[] = {c8, c8}; LPVOID addr = (void*)hp.address;
DWORD t = 0x100, VirtualProtect(addr, sizeof(inst), PAGE_EXECUTE_READWRITE, &old);
old, memcpy(addr, inst, hp.recover_len);
len; FlushInstructionCache(GetCurrentProcess(), addr, hp.recover_len);
// jichi 9/27/2013: Overwrite the memory with inst
// See: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html
// See: http://doxygen.reactos.org/d8/d6b/ndk_2mmfuncs_8h_af942709e0c57981d84586e74621912cd.html
DWORD addr = hp.address;
NtProtectVirtualMemory(GetCurrentProcess(), (PVOID *)&addr, &t, PAGE_EXECUTE_READWRITE, &old);
NtWriteVirtualMemory(GetCurrentProcess(), (BYTE *)hp.address, inst, 5, &t);
len = hp.recover_len - 5;
if (len)
NtWriteVirtualMemory(GetCurrentProcess(), (BYTE *)hp.address + 5, int3, len, &t);
NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)::hookman, 0x1000);
//ConsoleOutput("vnrcli:UnsafeInsertHookCode: leave: succeed");
return 0; return 0;
} }
@ -538,14 +526,9 @@ int TextHook::RemoveHookCode()
return no; return no;
DWORD l = hp.hook_len; DWORD l = hp.hook_len;
//with_seh({ // jichi 9/17/2013: might crash ><
// jichi 12/25/2013: Actually, __try cannot catch such kind of exception memcpy((void*)hp.address, original, hp.recover_len);
ITH_TRY { FlushInstructionCache(GetCurrentProcess(), (void*)hp.address, hp.recover_len);
NtWriteVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, original, hp.recover_len, &l);
NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
}
ITH_EXCEPT {}
//});
return yes; return yes;
} }

View File

@ -76,19 +76,16 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused)
// jichi 9/25/2013: Interprocedural communication with vnrsrv. // jichi 9/25/2013: Interprocedural communication with vnrsrv.
hSection = CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_EXECUTE_READWRITE, 0, HOOK_SECTION_SIZE, hm_section); hSection = CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_EXECUTE_READWRITE, 0, HOOK_SECTION_SIZE, hm_section);
::hookman = nullptr; ::hookman = (TextHook*)MapViewOfFile(hSection, FILE_MAP_ALL_ACCESS | FILE_MAP_EXECUTE, 0, 0, HOOK_BUFFER_SIZE);
NtMapViewOfSection(hSection, NtCurrentProcess(),
(LPVOID *)&::hookman, 0, hook_buff_len, 0, &hook_buff_len, ViewUnmap, 0,
PAGE_EXECUTE_READWRITE);
// Artikash 6/20/2018: This crashes certain games (https://vndb.org/v7738). No idea why.
//::hookman = (TextHook*)MapViewOfFile(hSection, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, HOOK_SECTION_SIZE / 2);
::processStartAddress = (DWORD)GetModuleHandleW(nullptr); ::processStartAddress = ::processStopAddress = (DWORD)GetModuleHandleW(nullptr);
// Artikash 7/1/2018: No idea how the everliving fuck this works, but it finds the process stop address. MEMORY_BASIC_INFORMATION info;
PROCESS_BASIC_INFORMATION info; do
NtQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, &info, sizeof(PROCESS_BASIC_INFORMATION), 0); {
::processStopAddress = ::processStartAddress + ((LDR_DATA_TABLE_ENTRY*)&info.PebBaseAddress->Ldr->InLoadOrderModuleList.Flink->Flink)->SizeOfImage; VirtualQuery((void*)::processStopAddress, &info, sizeof(info));
::processStopAddress = (DWORD)info.BaseAddress + info.RegionSize;
} while (info.Protect);
{ {
wchar_t hm_mutex[0x100]; wchar_t hm_mutex[0x100];

View File

@ -60,14 +60,13 @@ DWORD SearchPattern(DWORD base, DWORD base_length, LPCVOID search, DWORD search_
DWORD IthGetMemoryRange(LPCVOID mem, DWORD *base, DWORD *size) DWORD IthGetMemoryRange(LPCVOID mem, DWORD *base, DWORD *size)
{ {
DWORD r;
MEMORY_BASIC_INFORMATION info; MEMORY_BASIC_INFORMATION info;
NtQueryVirtualMemory(NtCurrentProcess(), const_cast<LPVOID>(mem), MemoryBasicInformation, &info, sizeof(info), &r); VirtualQuery(mem, &info, sizeof(info));
if (base) if (base)
*base = (DWORD)info.BaseAddress; *base = (DWORD)info.BaseAddress;
if (size) if (size)
*size = info.RegionSize; *size = info.RegionSize;
return (info.Type&PAGE_NOACCESS) == 0; return info.Protect;
} }
inline DWORD GetHash(LPSTR str) inline DWORD GetHash(LPSTR str)