From d89cc56d6f9715dcd104937a1e60330ec1217306 Mon Sep 17 00:00:00 2001
From: Akash Mozumdar
Date: Wed, 13 Jun 2018 21:52:45 -0400
Subject: [PATCH] remove more stuff from ntdll

---
 vnr/ntinspect/ntinspect.cc | 2 +-
 vnr/vnrhook/src/engine/engine.cc | 22 +++++++++++-----------
 vnr/vnrhook/src/engine/match.cc | 5 +++--
 vnr/vnrhook/src/hijack/texthook.cc | 24 ++++++++++++------------
 vnr/vnrhook/src/main.cc | 21 +++++++++++----------
 vnr/vnrhook/src/pipe.cc | 6 ++++--
 vnr/vnrhook/src/util/util.cc | 22 ----------------------
 7 files changed, 42 insertions(+), 60 deletions(-)

diff --git a/vnr/ntinspect/ntinspect.cc b/vnr/ntinspect/ntinspect.cc
index 935c8e9..ea44161 100644
--- a/vnr/ntinspect/ntinspect.cc
+++ b/vnr/ntinspect/ntinspect.cc
@@ -76,7 +76,7 @@ BOOL getModuleMemoryRange(LPCWSTR moduleName, DWORD *lowerBound, DWORD *upperBou
 do {
 DWORD len;
 // Nt function is needed instead of VirtualQuery, which only works for the current process
- ::NtQueryVirtualMemory(NtCurrentProcess(), (LPVOID)upper, MemoryBasicInformation, &mbi, sizeof(mbi), &len);
+ ::NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)upper, MemoryBasicInformation, &mbi, sizeof(mbi), &len);
 if (mbi.Protect & PAGE_NOACCESS) {
 it->SizeOfImage = size;
 break;
diff --git a/vnr/vnrhook/src/engine/engine.cc b/vnr/vnrhook/src/engine/engine.cc
index efdcc34..7e42cf8 100644
--- a/vnr/vnrhook/src/engine/engine.cc
+++ b/vnr/vnrhook/src/engine/engine.cc
@@ -5932,7 +5932,7 @@ bool InsertWaffleDynamicHook(LPVOID addr, DWORD frame, DWORD stack)
 // str = *(DWORD*)stack;
 // if ((str >> 16) != (stack >> 16))
 // {
-// status = NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)str,MemoryBasicInformation,&info,sizeof(info),0);
+// status = NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)str,MemoryBasicInformation,&info,sizeof(info),0);
 // if (!NT_SUCCESS(status) || info.Protect & PAGE_NOACCESS) continue; //Accessible
 // }
 // if (*(WORD*)(str + 4) == ch) break;
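Review bot: The NTSTATUS from `::NtQueryVirtualMemory` on the new line is still discarded, so a failed query (for instance once `upper` has walked past the last mapped region) leaves `mbi` holding the previous iteration's contents and the `mbi.Protect & PAGE_NOACCESS` exit test on the next line is evaluated against stale data. Folding the status into the guard, `if (!NT_SUCCESS(::NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)upper, MemoryBasicInformation, &mbi, sizeof(mbi), &len)) || (mbi.Protect & PAGE_NOACCESS)) {`, stops the loop on either condition, and the commented-out code in the engine.cc hunk below already uses that `!NT_SUCCESS(status) || ... PAGE_NOACCESS` shape. The swap itself is behaviour-preserving, since `GetCurrentProcess()` returns the same pseudo-handle that `NtCurrentProcess()` expanded to. The `do` loop and the declaration of `mbi` lie outside the hunk, so whether `mbi` is zero-initialised before the first iteration cannot be confirmed here.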
@@ -8188,7 +8188,7 @@ bool IsPensilSetup()
 IO_STATUS_BLOCK ios;
 LPVOID buffer = nullptr;
 NtQueryInformationFile(hFile, &ios, &info, sizeof(info), FileStandardInformation);
- NtAllocateVirtualMemory(NtCurrentProcess(), &buffer, 0,
+ NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0,
 &info.AllocationSize.LowPart, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
 NtReadFile(hFile, 0,0,0, &ios, buffer, info.EndOfFile.LowPart, 0, 0);
 CloseHandle(hFile);
@@ -8199,7 +8199,7 @@ bool IsPensilSetup()
 b[len] = 0;
 b[len + 1] = 0;
 bool ret = wcsstr((LPWSTR)buffer, L"PENSIL") || wcsstr((LPWSTR)buffer, L"Pensil");
- NtFreeVirtualMemory(NtCurrentProcess(), &buffer, &info.AllocationSize.LowPart, MEM_RELEASE);
+ NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &info.AllocationSize.LowPart, MEM_RELEASE);
 return ret;
 }
 #endif // if 0
@@ -8853,23 +8853,23 @@ MEMORY_WORKING_SET_LIST *GetWorkingSet()
 NTSTATUS status;
 LPVOID buffer = 0;
 len = 0x4000;
- status = NtAllocateVirtualMemory(NtCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
+ status = NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
 if (!NT_SUCCESS(status)) return 0;
- status = NtQueryVirtualMemory(NtCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
+ status = NtQueryVirtualMemory(GetCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
 if (status == STATUS_INFO_LENGTH_MISMATCH) {
 len = *(DWORD*)buffer;
 len = ((len << 2) & 0xfffff000) + 0x4000;
 retl = 0;
- NtFreeVirtualMemory(NtCurrentProcess(), &buffer, &retl, MEM_RELEASE);
+ NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &retl, MEM_RELEASE);
 buffer = 0;
- status = NtAllocateVirtualMemory(NtCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
+ status = NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
 if (!NT_SUCCESS(status)) return 0;
- status = NtQueryVirtualMemory(NtCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
+ status = NtQueryVirtualMemory(GetCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
 if (!NT_SUCCESS(status)) return 0;
 return (MEMORY_WORKING_SET_LIST*)buffer;
 } else {
 retl = 0;
- NtFreeVirtualMemory(NtCurrentProcess(), &buffer, &retl, MEM_RELEASE);
+ NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &retl, MEM_RELEASE);
 return 0;
 }
 
@@ -8920,7 +8920,7 @@ BOOL FindCharacteristInstruction(MEMORY_WORKING_SET_LIST *list)
 else {
 if (size > 0x2000) {
 addr = base & ~0xfff;
- status = NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)addr,
+ status = NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)addr,
 MemorySectionName,text_buffer_prev,0x1000,&retl);
 if (!NT_SUCCESS(status)) {
 k = addr + size - 4;
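Review bot: In the `STATUS_INFO_LENGTH_MISMATCH` branch of GetWorkingSet, the failure path after the second `NtQueryVirtualMemory` does `return 0` without releasing the region that was just re-allocated with the enlarged `len`, so every failed retry leaks a committed buffer (the failure path after the first allocation is fine, since nothing is held at that point). Mirror the `else` branch there: `if (!NT_SUCCESS(status)) { retl = 0; NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &retl, MEM_RELEASE); return 0; }`. The FindCharacteristInstruction hunk below and the InsertAB2TryHook hunk that frees the returned list with a zero size are consistent with this allocation scheme and need no change.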
@@ -8962,7 +8962,7 @@ bool InsertAB2TryHook() ConsoleOutput("vnreng:AB2Try: cannot find characteristic sequence"); //L"Make sure you have start the game and have seen some text on the screen."); DWORD size = 0; - NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&list, &size, MEM_RELEASE); + NtFreeVirtualMemory(GetCurrentProcess(), (PVOID *)&list, &size, MEM_RELEASE); return ret; } diff --git a/vnr/vnrhook/src/engine/match.cc b/vnr/vnrhook/src/engine/match.cc index 3d95589..c058298 100644 --- a/vnr/vnrhook/src/engine/match.cc +++ b/vnr/vnrhook/src/engine/match.cc @@ -885,7 +885,7 @@ bool DetermineEngineType() // HANDLE hijackThread; -void hijackThreadProc(LPVOID unused) +DWORD WINAPI hijackThreadProc(LPVOID unused) { //CC_UNUSED(lpThreadParameter); @@ -901,6 +901,7 @@ void hijackThreadProc(LPVOID unused) FillRange(process_name_, &module_base_, &module_limit_); DetermineEngineType(); + return 0; } }} // namespace Engine unnamed @@ -914,7 +915,7 @@ void Engine::hijack() { if (!hijackThread) { ConsoleOutput("vnreng: hijack process"); - hijackThread = IthCreateThread(hijackThreadProc, 0); + hijackThread = CreateRemoteThread(GetCurrentProcess(), nullptr, 0, hijackThreadProc, 0, 0, nullptr); } } diff --git a/vnr/vnrhook/src/hijack/texthook.cc b/vnr/vnrhook/src/hijack/texthook.cc index e5eb269..aa9d168 100644 --- a/vnr/vnrhook/src/hijack/texthook.cc +++ b/vnr/vnrhook/src/hijack/texthook.cc @@ -584,7 +584,7 @@ int TextHook::UnsafeInsertHookCode() // Verify hp.address. MEMORY_BASIC_INFORMATION info = {}; - NtQueryVirtualMemory(NtCurrentProcess(), (LPVOID)hp.address, MemoryBasicInformation, &info, sizeof(info), nullptr); + NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, MemoryBasicInformation, &info, sizeof(info), nullptr); if (info.Type & PAGE_NOACCESS) { ConsoleOutput("vnrcli:UnsafeInsertHookCode: FAILED: page no access"); return no; 
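Review bot: The handle returned by `CreateRemoteThread` in Engine::hijack is stored in `hijackThread` but neither checked for NULL nor closed anywhere in this hunk, so a failed creation leaves `hijackThread` null (which at least lets the next `hijack()` call retry) while a successful one leaks a thread handle unless it is closed elsewhere; the previous `IthCreateThread` presumably had the same shape, so this is pre-existing rather than introduced. The reason for calling `CreateRemoteThread` on the process's own handle instead of `CreateThread` is only recorded in the comment this same commit deletes from util.cc, so it is worth keeping a line here: `// CreateRemoteThread on our own process: CreateThread did not always work on Windows XP`. Since the new `hijackThreadProc` runs inside a DLL that pipe.cc now unloads with `FreeLibraryAndExitThread`, it is also worth confirming that the DETACH path waits for this thread and not only for `::enter_count`.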
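Review bot: The guard that follows the new `NtQueryVirtualMemory` line in TextHook::UnsafeInsertHookCode tests `info.Type & PAGE_NOACCESS`, but `Type` carries MEM_IMAGE/MEM_MAPPED/MEM_PRIVATE while `PAGE_NOACCESS` is a protection bit, so the test can never fire and an unmapped or guarded `hp.address` proceeds to the `NtWriteVirtualMemory` in the next hunk; the ntinspect.cc hunk in this same commit tests `mbi.Protect`, which is the intended field. The query's status is discarded as well, so a failed query leaves the zero-initialised `info` looking accessible. Combine both into the guard: `if (!NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, MemoryBasicInformation, &info, sizeof(info), nullptr)) || (info.Protect & PAGE_NOACCESS)) {`. UnsafeInsertHookCode continues past this hunk.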
@@ -661,13 +661,13 @@ int TextHook::UnsafeInsertHookCode()
 // See: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html
 // See: http://doxygen.reactos.org/d8/d6b/ndk_2mmfuncs_8h_af942709e0c57981d84586e74621912cd.html
 DWORD addr = hp.address;
- NtProtectVirtualMemory(NtCurrentProcess(), (PVOID *)&addr, &t, PAGE_EXECUTE_READWRITE, &old);
- NtWriteVirtualMemory(NtCurrentProcess(), (BYTE *)hp.address, inst, 5, &t);
+ NtProtectVirtualMemory(GetCurrentProcess(), (PVOID *)&addr, &t, PAGE_EXECUTE_READWRITE, &old);
+ NtWriteVirtualMemory(GetCurrentProcess(), (BYTE *)hp.address, inst, 5, &t);
 len = hp.recover_len - 5;
 if (len)
- NtWriteVirtualMemory(NtCurrentProcess(), (BYTE *)hp.address + 5, int3, len, &t);
- NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
- NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)::hookman, 0x1000);
+ NtWriteVirtualMemory(GetCurrentProcess(), (BYTE *)hp.address + 5, int3, len, &t);
+ NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
+ NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)::hookman, 0x1000);
 //ConsoleOutput("vnrcli:UnsafeInsertHookCode: leave: succeed");
 return 0;
 }
@@ -719,8 +719,8 @@ int TextHook::RemoveHook()
 //with_seh({ // jichi 9/17/2013: might crash ><
 // jichi 12/25/2013: Actually, __try cannot catch such kind of exception
 ITH_TRY {
- NtWriteVirtualMemory(NtCurrentProcess(), (LPVOID)hp.address, original, hp.recover_len, &l);
- NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
+ NtWriteVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, original, hp.recover_len, &l);
+ NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
 } ITH_EXCEPT {}
 //});
 hp.hook_len = 0;
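Review bot: `old` receives the previous protection from `NtProtectVirtualMemory` but is never re-applied, so the page containing `hp.address` stays `PAGE_EXECUTE_READWRITE` until something else changes it, and because `&t` is reused as the bytes-written output of the following `NtWriteVirtualMemory` calls the region size needed for a restore is lost. Keeping it is two lines: `auto region = t;` right after the protect call, and `NtProtectVirtualMemory(GetCurrentProcess(), (PVOID *)&addr, &region, old, &old);` after the second `NtFlushInstructionCache` (`addr` already holds the page base the first call rounded it to). RemoveHook in the second hunk writes `original` back with no protection change of its own and appears to work only because this page was left writable, so it would need the same protect/restore pair around its `NtWriteVirtualMemory`. None of the NTSTATUS results in either hunk are checked, so a failed protect still lets the writes go ahead; at minimum the protect result should gate them.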
@@ -839,9 +839,9 @@ EXCEPTION_DISPOSITION ExceptHandler(EXCEPTION_RECORD *ExceptionRecord, //swprintf(str, L"Exception code: 0x%.8X", ExceptionRecord->ExceptionCode); //ConsoleOutput(str); //MEMORY_BASIC_INFORMATION info; - //if (NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip, + //if (NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip, // MemoryBasicInformation,&info,sizeof(info),0)) && - // NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip, + // NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip, // MemorySectionName,name,0x200,0))) { // swprintf(str, L"Exception offset: 0x%.8X:%s", // ContextRecord->Eip-(DWORD)info.AllocationBase, @@ -866,9 +866,9 @@ EXCEPTION_DISPOSITION ExceptHandler(EXCEPTION_RECORD *ExceptionRecord, //swprintf(str, L"Exception code: 0x%.8X", ExceptionRecord->ExceptionCode); //ConsoleOutput(str); //MEMORY_BASIC_INFORMATION info; - //if (NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip, + //if (NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip, // MemoryBasicInformation,&info,sizeof(info),0)) && - // NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip, + // NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip, // MemorySectionName,name,0x200,0))) { // swprintf(str, L"Exception offset: 0x%.8X:%s", // ContextRecord->Eip-(DWORD)info.AllocationBase, diff --git a/vnr/vnrhook/src/main.cc b/vnr/vnrhook/src/main.cc index 36bae95..d0f3d17 100644 --- a/vnr/vnrhook/src/main.cc +++ b/vnr/vnrhook/src/main.cc @@ -68,6 +68,7 @@ HANDLE hFile, hMutex, hmMutex; +HMODULE currentModule; //DWORD current_process_id; extern DWORD enter_count; //extern LPWSTR current_dir; 
@@ -157,27 +158,26 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused) IthInitSystemService(); - swprintf(hm_section, ITH_SECTION_ L"%d", current_process_id); + swprintf(hm_section, ITH_SECTION_ L"%d", GetCurrentProcessId()); // jichi 9/25/2013: Interprocedural communication with vnrsrv. hSection = CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_EXECUTE_READWRITE, 0, HOOK_SECTION_SIZE, hm_section); ::hookman = (TextHook*)MapViewOfFile(hSection, FILE_MAP_ALL_ACCESS, 0, 0, HOOK_SECTION_SIZE / 2); GetProcessName(::processName); - FillRange(::processName, &::processStartAddress, &::processStopAddress); - //NtInspect::getProcessMemoryRange(&::processStartAddress, &::processStopAddress); + ::processStartAddress = (DWORD)GetModuleHandleW(nullptr); { wchar_t hm_mutex[0x100]; - swprintf(hm_mutex, ITH_HOOKMAN_MUTEX_ L"%d", current_process_id); - ::hmMutex = IthCreateMutex(hm_mutex, FALSE); + swprintf(hm_mutex, ITH_HOOKMAN_MUTEX_ L"%d", GetCurrentProcessId()); + ::hmMutex = CreateMutexW(nullptr, FALSE, hm_mutex); } { wchar_t dll_mutex[0x100]; - swprintf(dll_mutex, ITH_PROCESS_MUTEX_ L"%d", current_process_id); + swprintf(dll_mutex, ITH_PROCESS_MUTEX_ L"%d", GetCurrentProcessId()); DWORD exists; - ::hMutex = IthCreateMutex(dll_mutex, TRUE, &exists); // jichi 9/18/2013: own is true, make sure the injected dll is singleton - if (exists) + ::hMutex = CreateMutexW(nullptr, TRUE, dll_mutex); // jichi 9/18/2013: own is true, make sure the injected dll is singleton + if (GetLastError() == ERROR_ALREADY_EXISTS) return FALSE; } @@ -186,8 +186,9 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused) ::tree = new AVLTree; AddAllModules(); InitFilterTable(); + ::currentModule = hModule; - pipeThread = IthCreateThread(PipeManager, 0); + pipeThread = CreateRemoteThread(GetCurrentProcess(), nullptr, 0, PipeManager, 0, 0, nullptr); } break; case DLL_PROCESS_DETACH: { 
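Review bot: The removed `FillRange(::processName, &::processStartAddress, &::processStopAddress)` also populated `::processStopAddress`, and the replacement `::processStartAddress = (DWORD)GetModuleHandleW(nullptr);` assigns only the lower bound, so unless another path sets the upper bound any range check that reads `::processStopAddress` now sees a stale or zero value. `DWORD exists;` is left declared but no longer used once `IthCreateMutex(dll_mutex, TRUE, &exists)` became `CreateMutexW`, and should go. A NULL return from `CreateMutexW` is also not distinguished: `GetLastError()` is then not `ERROR_ALREADY_EXISTS`, so the DLL continues with `::hMutex` null and no singleton guarantee; `if (!::hMutex || GetLastError() == ERROR_ALREADY_EXISTS) return FALSE;` treats both as a failed attach, if aborting on a failed create is acceptable here. The same creation-failure gap applies to `::hmMutex` a few lines above. DllMain extends beyond this hunk.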
@@ -211,7 +212,7 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused) for (TextHook *man = ::hookman; man->RemoveHook(); man++); //LARGE_INTEGER lint = {-10000, -1}; while (::enter_count) - IthSleep(1); // jichi 9/28/2013: sleep for 1 ms + Sleep(1); // jichi 9/28/2013: sleep for 1 ms //NtDelayExecution(0, &lint); for (TextHook *man = ::hookman; man < ::hookman + MAX_HOOK; man++) man->ClearHook(); diff --git a/vnr/vnrhook/src/pipe.cc b/vnr/vnrhook/src/pipe.cc index a92794f..55475f4 100644 --- a/vnr/vnrhook/src/pipe.cc +++ b/vnr/vnrhook/src/pipe.cc @@ -17,6 +17,7 @@ #include // for swprintf HANDLE hookPipe; +extern HMODULE currentModule; DWORD WINAPI PipeManager(LPVOID unused) { @@ -41,7 +42,8 @@ DWORD WINAPI PipeManager(LPVOID unused) } } - WriteFile(::hookPipe, &::current_process_id, sizeof(::current_process_id), nullptr, nullptr); + *(DWORD*)buffer = GetCurrentProcessId(); + WriteFile(::hookPipe, buffer, sizeof(DWORD), nullptr, nullptr); for (int i = 0, count = 0; count < ::currentHook; i++) { @@ -112,7 +114,7 @@ DWORD WINAPI PipeManager(LPVOID unused) CloseHandle(::hookPipe); CloseHandle(hostPipe); } - Util::unloadCurrentModule(); + FreeLibraryAndExitThread(::currentModule, 0); return 0; } diff --git a/vnr/vnrhook/src/util/util.cc b/vnr/vnrhook/src/util/util.cc index 67d774f..5834428 100644 --- a/vnr/vnrhook/src/util/util.cc +++ b/vnr/vnrhook/src/util/util.cc 
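Review bot: `WriteFile(::hookPipe, buffer, sizeof(DWORD), nullptr, nullptr)` in PipeManager passes NULL for both `lpNumberOfBytesWritten` and `lpOverlapped`, which the WriteFile contract does not allow (the count pointer may only be NULL for an overlapped call), and the result is not checked, so a broken pipe goes unnoticed before the hook loop that follows. Writing through `*(DWORD*)buffer` also depends on `buffer` being at least four bytes and suitably aligned, which cannot be confirmed here because its declaration is outside the hunk. A local avoids both: `DWORD pid = GetCurrentProcessId(); DWORD written = 0; if (!WriteFile(::hookPipe, &pid, sizeof(pid), &written, nullptr)) { /* treat as a failed connection */ }`. PipeManager begins and ends outside this hunk.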
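Review bot: `FreeLibraryAndExitThread(::currentModule, 0)` never returns, so the `return 0;` that follows it at the end of PipeManager is unreachable and deserves a comment such as `// unreachable: FreeLibraryAndExitThread does not return; kept only for the DWORD WINAPI signature` so the unload is not later moved after it. Unloading from this thread relies on no other thread of the DLL still executing its code; the DETACH branch in main.cc waits only for `::enter_count`, and the hijack thread this commit starts with `CreateRemoteThread` in match.cc is not visibly waited for, which is worth confirming. `::currentModule` is assigned from `hModule` in DllMain before `pipeThread` is created, so it is valid by the time this call runs.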
@@ -302,26 +302,4 @@ termin:
 }
 }
 
-EXTERN_C IMAGE_DOS_HEADER __ImageBase;
-// See: http://stackoverflow.com/questions/3410130/dll-unloading-itself
-// TODO: This doesn't always work. Fix it.
-bool Util::unloadCurrentModule()
-{
- auto fun = ::FreeLibrary;
- //auto fun = ::LdrUnloadDll;
- if (HANDLE h = ::IthCreateThread(fun, (DWORD)&__ImageBase)) {
- //const LONGLONG timeout = -50000000; // in nanoseconds = 5 seconds
- //NtWaitForSingleObject(h, 0, (PLARGE_INTEGER)&timeout);
- CloseHandle(h);
- return true;
- }
-
- // CreateThread does not always work on Windows XP. Use IthCreateThread (i.e. CreateRemoteThread under the water) instead.
- //if (HANDLE h = ::CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)fun, &__ImageBase, 0, NULL)) {
- // ::CloseHandle(h);
- // return true;
- //}
- return false;
-}
-
 // EOF