// ithsys.cc // 8/21/2013 jichi // Branch: ITH_SYS/SYS.cpp, rev 126 // // 8/24/2013 TODO: // - Clean up the code // - Move my old create remote thread for ITH2 here #include "ithsys/ithsys.h" //#include "vnrhook/src/util/growl.h" //#define ITH_SYS_SECTION L"ITH_SysSection" #define ITH_THREADMAN_SECTION L"VNR_SYS_THREAD" // jichi 9/28/2013: Weither use NtThread or RemoteThread // RemoteThread works on both Windows 7 or Wine, while NtThread does not work on wine #define ITH_ENABLE_THREADMAN (!IthIsWindows8OrGreater() && !IthIsWine()) //#define ITH_ENABLE_THREADMAN true //#define ITH_ENABLE_WINAPI // jichi: prefer Win32 API to NTDLL API // Helpers // jichi 2/3/2015: About GetVersion // Windows XP SP3: 5.1 // Windows 7: 6.1, 0x1db10106 // Windows 8: 6.2, 0x23f00206 // Windows 10: 6.2, 0x23f00206 (build 9926): BOOL IthIsWindowsXp() { static BOOL ret = -1; // cached if (ret < 0) { // http://msdn.microsoft.com/en-us/library/windows/desktop/ms724439%28v=vs.85%29.aspx DWORD v = ::GetVersion(); BYTE major = LOBYTE(LOWORD(v)); //DWORD minor = (DWORD)(HIBYTE(LOWORD(v))); // Windows XP = 5.1 //ret = major < 6 ? 1 : 0; ret = major < 6; } return ret; } // https://msdn.microsoft.com/en-us/library/windows/desktop/dn424972%28v=vs.85%29.aspx // The same as IsWindows8OrGreater, which I don't know if the function is available to lower Windows. static BOOL IthIsWindows8OrGreater() // this function is not exported { static BOOL ret = -1; // cached if (ret < 0) { // http://msdn.microsoft.com/en-us/library/windows/desktop/ms724439%28v=vs.85%29.aspx DWORD v = ::GetVersion(); BYTE major = LOBYTE(LOWORD(v)), minor = HIBYTE(LOWORD(v)); //DWORD minor = (DWORD)(HIBYTE(LOWORD(v))); // Windows 8/10 = 6.2 ret = major > 6 || (major == 6 && minor >= 2); } return ret; } BOOL IthIsWine() { static BOOL ret = -1; // cached if (ret < 0) { const wchar_t *path; wchar_t buffer[MAX_PATH]; if (UINT sz = ::GetSystemDirectoryW(buffer, MAX_PATH)) { path = buffer; ::wcscpy(buffer + sz, L"\\winecfg.exe"); } else path = L"C:\\Windows\\System32\\winecfg.exe"; //ITH_MSG(path); ret = ::GetFileAttributesW(path) != INVALID_FILE_ATTRIBUTES ? TRUE : FALSE; } return ret; } // jichi 9/28/2013: prevent parallelization in wine void IthCoolDown() { // http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/NtDelayExecution.html //const LONGLONG timeout = -10000; // in 100ns, i.e. 1ms //NtDelayExecution(FALSE, (PLARGE_INTEGER)&timeout); //NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)hp.addr, hp.recover_len); // Flush the instruction cache line, and prevent wine from rending things in parallel if (IthIsWine()) IthSleep(1); // sleep for 1 ms //__asm //{ // //mov eax,0x2710 // = 10000 // mov ecx,time // mul ecx // neg eax // adc edx,0 // neg edx // push edx // push eax // push esp // push 0 // call dword ptr [NtDelayExecution] // add esp,8 //} } // jichi 9/23/2013: wine deficenciy on mapping sections // Whe set to false, do not map sections. //static bool ith_has_section = true; //#ifdef ITH_WINE //# include "winddk/winddk.h" //#endif // ITH_WINE //#define SEC_BASED 0x200000 // jichi 8/24/2013: emoved // jichi 10/6/2013 // See: http://stackoverflow.com/questions/557081/how-do-i-get-the-hmodule-for-the-currently-executing-code // See: http://www.codeproject.com/Articles/16598/Get-Your-DLL-s-Path-Name EXTERN_C IMAGE_DOS_HEADER __ImageBase; #define CURRENT_MODULE_HANDLE ((HINSTANCE)&__ImageBase) size_t IthGetCurrentModulePath(wchar_t *buf, size_t len) { return ::GetModuleFileNameW(CURRENT_MODULE_HANDLE, buf, len); } // - Global variables - #ifdef ITH_HAS_HEAP HANDLE hHeap; // used in ith/common/memory.h #endif // ITH_HAS_HEAP DWORD current_process_id; DWORD debug; BYTE launch_time[0x10]; LPVOID page; // jichi 6/12/2015: https://en.wikipedia.org/wiki/Shift_JIS // Leading table for SHIFT-JIS encoding BYTE LeadByteTable[0x100] = { 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2, 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2, 2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2, 2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1 }; namespace { // unnamed WCHAR file_path[MAX_PATH] = L"\\??\\"; LPWSTR current_dir; DWORD page_locale; HANDLE root_obj, dir_obj, codepage_section, thread_man_section; BYTE file_info[0x1000]; // - Helper functions - inline DWORD GetShareMemory() { __asm { mov eax,fs:[0x30] mov eax,[eax+0x4C] } } inline LARGE_INTEGER *GetTimeBias() { __asm mov eax,0x7ffe0020 } //Get full path of current process. //inline LPWSTR GetModulePath() //{ // __asm // { // mov eax,fs:[0x30] // mov eax,[eax+0xC] // mov eax,[eax+0xC] // mov eax,[eax+0x28] // } //} // - Singleton classes - BYTE normal_routine[0x14] = { 0x51,0x52,0x64,0x89,0x23,0x55,0xff,0xd0,0x50,0x6a,0xfe,0xff,0x15,0x14,0x00,0x00,0x00 }; BYTE except_routine[0xe0] = { 0xba,0x08,0x00,0x00,0x00,0x8b,0xc1,0x83,0xe0,0x0f,0x83,0xf8,0x0a,0x72,0x02,0x04, 0x07,0x04,0x30,0x66,0xab,0xc1,0xc9,0x04,0x4a,0x75,0xea,0xc3,0x00,0x00,0x00,0x00, 0x8b,0x44,0xe4,0x04,0x31,0xf6,0x8b,0x28,0x8b,0x4c,0xe4,0x0c,0x8b,0x99,0xb8,0x00, 0x00,0x00,0x81,0xec,0x40,0x02,0x00,0x00,0x8d,0x7c,0xe4,0x40,0x89,0xe0,0x56,0x6a, 0x1c,0x50,0x56,0x53,0x6a,0xff,0xff,0x15,0x18,0x00,0x00,0x00,0x85,0xc0,0x75,0x98, 0x89,0xe0,0x50,0x68,0x00,0x02,0x00,0x00,0x57,0x6a,0x02,0x53,0x6a,0xff,0xff,0x15, 0x18,0x00,0x00,0x00,0x85,0xc0,0x75,0xe6,0x5e,0x0f,0xc1,0xf7,0xfd,0xb0,0x5c,0x66, 0xf2,0xaf,0x66,0xc7,0x47,0x02,0x3a,0x00,0x89,0xd9,0x2b,0x0c,0xe4,0xe8,0x7e,0xff, 0xff,0xff,0x47,0x47,0x87,0xfe,0x89,0xe9,0xe8,0x73,0xff,0xff,0xff,0x47,0x47,0x31, 0xc0,0x89,0x47,0x10,0x6a,0x00,0x57,0x56,0x6a,0x00,0xfc,0xff,0x15,0x1c,0x00,0x00, 0x00,0x83,0xc8,0xff,0xeb,0xbe }; // jichi 8/24/2013: Could be initialized using NtMapViewOfSection/ZwMapViewOfSection // This class cannot have constructor / destructor struct _ThreadView { UINT_PTR mutex, count; DWORD proc_record[1]; }; class : private _ThreadView { // ThreadStartManager enum { ADDR0 = 0xD , ADDR1 = 0x48 , ADDR2 = 0x60 , ADDR3 = 0x9D }; public: LPVOID GetProcAddr(HANDLE hProc) { AcquireLock(); DWORD pid,addr,len; if (hProc == NtCurrentProcess()) pid = ::current_process_id; else { PROCESS_BASIC_INFORMATION info; NtQueryInformationProcess(hProc, ProcessBasicInformation, &info, sizeof(info), &len); pid=info.uUniqueProcessId; } pid >>= 2; for (UINT_PTR i = 0; i < count; i++) if (pid == (proc_record[i] & 0xfff)) { addr = proc_record[i] & ~0xfff; ReleaseLock(); return (LPVOID)addr; } len = 0x1000; NtAllocateVirtualMemory(hProc, (PVOID *)(proc_record + count), 0, &len, MEM_COMMIT,PAGE_EXECUTE_READWRITE); DWORD base = proc_record[count]; proc_record[count] |= pid; union { LPVOID buffer; DWORD b; }; b = base; LPVOID fun_table[3]; *(DWORD *)(normal_routine + ADDR0) += base; NtWriteVirtualMemory(hProc, buffer, normal_routine, 0x14, 0); *(DWORD *)(normal_routine + ADDR0) -= base; b += 0x14; fun_table[0] = NtTerminateThread; fun_table[1] = NtQueryVirtualMemory; fun_table[2] = MessageBoxW; NtWriteVirtualMemory(hProc, buffer, fun_table, 0xC, 0); b += 0xc; *(DWORD *)(except_routine + ADDR1) += base; *(DWORD *)(except_routine + ADDR2) += base; *(DWORD *)(except_routine + ADDR3) += base; NtWriteVirtualMemory(hProc, buffer, except_routine, 0xE0, 0); *(DWORD *)(except_routine + ADDR1) -= base; *(DWORD *)(except_routine + ADDR2) -= base; *(DWORD *)(except_routine + ADDR3) -= base; count++; ReleaseLock(); return (LPVOID)base; } void ReleaseProcessMemory(HANDLE hProc) { DWORD pid,addr,len; AcquireLock(); if (hProc==NtCurrentProcess()) pid = ::current_process_id; else { PROCESS_BASIC_INFORMATION info; NtQueryInformationProcess(hProc,ProcessBasicInformation,&info,sizeof(info),&len); pid = info.uUniqueProcessId; } pid >>= 2; //NtWaitForSingleObject(thread_man_mutex,0,0); for (UINT_PTR i = 0; i < count; i++) { if ((proc_record[i]&0xfff) == pid) { addr = proc_record[i] & ~0xfff; DWORD size=0x1000; NtFreeVirtualMemory(hProc, (PVOID *)&addr, &size, MEM_RELEASE); count--; for (UINT_PTR j = i; j < count; j++) proc_record[j] = proc_record[j + 1]; proc_record[count] = 0; ReleaseLock(); //NtReleaseMutant(thread_man_mutex,0); return; } } ReleaseLock(); //NtReleaseMutant(thread_man_mutex,0); } void CheckProcessMemory() { UINT_PTR i, j, flag, addr; DWORD len; CLIENT_ID id; OBJECT_ATTRIBUTES oa = {}; HANDLE hProc; BYTE buffer[8]; AcquireLock(); id.UniqueThread = 0; oa.uLength = sizeof(oa); for (i = 0; i < count ; i++) { id.UniqueProcess = (proc_record[i]&0xfff)<<2; addr = proc_record[i] & ~0xfff; flag = 0; if (NT_SUCCESS(NtOpenProcess(&hProc, PROCESS_VM_OPERATION|PROCESS_VM_READ, &oa, &id))) { if (NT_SUCCESS(NtReadVirtualMemory(hProc, (PVOID)addr, buffer, 8, &len))) if (::memcmp(buffer, normal_routine, 4) == 0) flag = 1; CloseHandle(hProc); } if (flag == 0) { for (j = i; j < count; j++) proc_record[j] = proc_record[j + 1]; count--; i--; } } ReleaseLock(); } void AcquireLock() { LONG *p = (LONG *)&mutex; while (_interlockedbittestandset(p,0)) YieldProcessor(); } void ReleaseLock() { LONG *p = (LONG*)&mutex; _interlockedbittestandreset(p, 0); } } *thread_man_ = nullptr; // global singleton } // unnamed namespace // - API functions - extern "C" { void FreeThreadStart(HANDLE hProc) { if (thread_man_) ::thread_man_->ReleaseProcessMemory(hProc); } void CheckThreadStart() { if (thread_man_) ::thread_man_->CheckProcessMemory(); // jichi 2/2/2015: This function is only used to wait for injected threads vnrhost. // Sleep for 100 ms to wait for remote thread to start //IthSleep(100); //IthCoolDown(); } void IthSleep(int time) { __asm { mov eax,0x2710 // jichi = 10000 mov ecx,time mul ecx neg eax adc edx,0 neg edx push edx push eax push esp push 0 call dword ptr [NtDelayExecution] add esp,8 } } void IthSystemTimeToLocalTime(LARGE_INTEGER *time) { time->QuadPart -= GetTimeBias()->QuadPart; } int FillRange(LPCWSTR name, DWORD *lower, DWORD *upper) { PLDR_DATA_TABLE_ENTRY it; LIST_ENTRY *begin; __asm { mov eax,fs:[0x30] mov eax,[eax+0xc] mov eax,[eax+0xc] mov it,eax mov begin,eax } while (it->SizeOfImage) { if (::_wcsicmp(it->BaseDllName.Buffer, name) == 0) { *lower = *upper = (DWORD)it->DllBase; MEMORY_BASIC_INFORMATION info = {}; DWORD l,size; size = 0; do { NtQueryVirtualMemory(NtCurrentProcess(), (LPVOID)(*upper), MemoryBasicInformation, &info, sizeof(info), &l); if (info.Protect&PAGE_NOACCESS) { it->SizeOfImage=size; break; } size += info.RegionSize; *upper += info.RegionSize; } while (size < it->SizeOfImage); return 1; } it = (PLDR_DATA_TABLE_ENTRY)it->InLoadOrderModuleList.Flink; if (it->InLoadOrderModuleList.Flink == begin) break; } return 0; } DWORD SearchPattern(DWORD base, DWORD base_length, LPCVOID search, DWORD search_length) // KMP { __asm { mov eax,search_length alloc: push 0 sub eax,1 jnz alloc mov edi,search mov edx,search_length mov ecx,1 xor esi,esi build_table: mov al,byte ptr [edi+esi] cmp al,byte ptr [edi+ecx] sete al test esi,esi jz pre test al,al jnz pre mov esi,[esp+esi*4-4] jmp build_table pre: test al,al jz write_table inc esi write_table: mov [esp+ecx*4],esi inc ecx cmp ecx,edx jb build_table mov esi,base xor edx,edx mov ecx,edx matcher: mov al,byte ptr [edi+ecx] cmp al,byte ptr [esi+edx] sete al test ecx,ecx jz match test al,al jnz match mov ecx, [esp+ecx*4-4] jmp matcher match: test al,al jz pre2 inc ecx cmp ecx,search_length je finish pre2: inc edx cmp edx,base_length // search_length jb matcher mov edx,search_length dec edx finish: mov ecx,search_length sub edx,ecx lea eax,[edx+1] lea ecx,[ecx*4] add esp,ecx } } // jichi 2/5/2014: '?' = 0xff // See: http://sakuradite.com/topic/124 DWORD SearchPatternEx(DWORD base, DWORD base_length, LPCVOID search, DWORD search_length, BYTE wildcard) // KMP { __asm { // jichi 2/5/2014 BEGIN mov bl,wildcard // jichi 2/5/2014 END mov eax,search_length alloc: push 0 sub eax,1 jnz alloc // jichi 2/5/2014: this will also set %eax to zero mov edi,search mov edx,search_length mov ecx,1 xor esi,esi build_table: mov al,byte ptr [edi+esi] cmp al,byte ptr [edi+ecx] sete al test esi,esi jz pre test al,al jnz pre mov esi,[esp+esi*4-4] jmp build_table pre: test al,al jz write_table inc esi write_table: mov [esp+ecx*4],esi inc ecx cmp ecx,edx jb build_table mov esi,base xor edx,edx mov ecx,edx matcher: mov al,byte ptr [edi+ecx] // search // jichi 2/5/2014 BEGIN mov bh,al // save loaded byte to reduce cache access. %ah is not used and always zero cmp al,bl // %bl is the wildcard byte sete al test al,al jnz wildcard_matched mov al,bh // restore the loaded byte // jichi 2/5/2014 END cmp al,byte ptr [esi+edx] // base sete al // jichi 2/5/2014 BEGIN wildcard_matched: // jichi 2/5/2014 END test ecx,ecx jz match test al,al jnz match mov ecx, [esp+ecx*4-4] jmp matcher match: test al,al jz pre2 inc ecx cmp ecx,search_length je finish pre2: inc edx cmp edx,base_length // search_length jb matcher mov edx,search_length dec edx finish: mov ecx,search_length sub edx,ecx lea eax,[edx+1] lea ecx,[ecx*4] add esp,ecx } } DWORD IthGetMemoryRange(LPCVOID mem, DWORD *base, DWORD *size) { DWORD r; MEMORY_BASIC_INFORMATION info; NtQueryVirtualMemory(NtCurrentProcess(), const_cast(mem), MemoryBasicInformation, &info, sizeof(info), &r); if (base) *base = (DWORD)info.BaseAddress; if (size) *size = info.RegionSize; return (info.Type&PAGE_NOACCESS) == 0; } // jichi 9/25/2013 // See: http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.nls/doc/nlsgdrf/multi-byte_widechar_subr.htm // SJIS->Unicode. 'mb' must be null-terminated. 'wc' should have enough space ( 2*strlen(mb) is safe). //#ifdef ITH_WINE //int MB_WC(char *mb, wchar_t *wc) //{ return mbstowcs(wc, mb, 0x100); } // //#else int MB_WC(char *mb, wchar_t *wc) { __asm { mov esi,mb mov edi,wc mov edx,page lea ebx,LeadByteTable add edx,0x220 push 0 _mb_translate: movzx eax,word ptr [esi] test al,al jz _mb_fin movzx ecx,al xlat test al,1 cmovnz cx, word ptr [ecx*2+edx-0x204] jnz _mb_next mov cx,word ptr [ecx*2+edx] mov cl,ah mov cx, word ptr [ecx*2+edx] _mb_next: mov [edi],cx add edi,2 movzx eax,al add esi,eax inc dword ptr [esp] jmp _mb_translate _mb_fin: pop eax } } // Count characters of 'mb' string. 'mb_length' is max length. // jichi 9/25/2013: This function is not used //int MB_WC_count(char *mb, int mb_length) //{ // __asm // { // xor eax,eax // xor edx,edx // mov esi,mb // mov edi,mb_length // lea ebx,LeadByteTable //_mbc_count: // mov dl,byte ptr [esi] // test dl,dl // jz _mbc_finish // movzx ecx, byte ptr [ebx+edx] // add esi,ecx // inc eax // sub edi,ecx // ja _mbc_count //_mbc_finish: // } //} // jichi 9/25/2013 // See: http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.nls/doc/nlsgdrf/multi-byte_widechar_subr.htm // Unicode->SJIS. Analogous to MB_WC. //#ifdef ITH_WINE //int WC_MB(wchar_t *wc, char *mb) //{ return wcstombs(mb, wc, 0x100); } // //#else int WC_MB(wchar_t *wc, char *mb) { __asm { mov esi,wc mov edi,mb mov edx,page add edx,0x7c22 xor ebx,ebx _wc_translate: movzx eax,word ptr [esi] test eax,eax jz _wc_fin mov cx,word ptr [eax*2+edx] test ch,ch jz _wc_single mov [edi+ebx],ch inc ebx _wc_single: mov [edi+ebx],cl inc ebx add esi,2 jmp _wc_translate _wc_fin: mov eax,ebx } } //Initialize environment for NT native calls. Not thread safe so only call it once in one module. //1. Create new heap. Future memory requests are handled by this heap. //Destroying this heap will completely release all dynamically allocated memory, thus prevent memory leaks on unload. //2. Create handle to root directory of process objects (section/event/mutex/semaphore). //NtCreate* calls will use this handle as base directory. //3. Load SJIS code page. First check for Japanese locale. If not then load from 'C_932.nls' in system folder. //MB_WC & WC_MB use this code page for translation. //4. Locate current NT path (start with \??\). //NtCreateFile requires full path or a root handle. But this handle is different from object. //5. Map shared memory for ThreadStartManager into virtual address space. //This will allow IthCreateThread function properly. BOOL IthInitSystemService() { PPEB peb; //NTSTATUS status; DWORD size; ULONG LowFragmentHeap; UNICODE_STRING us; OBJECT_ATTRIBUTES oa = {sizeof(oa), 0, &us, OBJ_CASE_INSENSITIVE, 0, 0}; IO_STATUS_BLOCK ios; HANDLE codepage_file; LARGE_INTEGER sec_size = {0x1000, 0}; __asm { mov eax,fs:[0x18] mov ecx,[eax+0x20] mov eax,[eax+0x30] mov peb,eax mov current_process_id,ecx } debug = peb->BeingDebugged; LowFragmentHeap = 2; #ifdef ITH_HAS_HEAP ::hHeap = RtlCreateHeap(0x1002, 0, 0, 0, 0, 0); RtlSetHeapInformation(::hHeap, HeapCompatibilityInformation, &LowFragmentHeap, sizeof(LowFragmentHeap)); #endif // ITH_HAS_HEAP LPWSTR t = nullptr, // jichi: path to system32, such as "c:\windows\system32" obj = nullptr; // jichi: path to current kernel session, such as "Sessions\\1\\BaseNamedObjects" // jichi 9/22/2013: This would crash wine with access violation exception. if (!IthIsWine()) { // jichi 9/22/2013: For ChuSingura46+1 on Windows 7 // t = L"C:\\Windows\\system32"; // obj = L"\\Sessions\\1\\BaseNamedObjects"; // On Windows XP // t = L"C:\\WINDOWS\\system32"; // obj = L"\\BaseNamedObjects"; MEMORY_BASIC_INFORMATION info; if (!NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(), peb->ReadOnlySharedMemoryBase, MemoryBasicInformation, &info, sizeof(info), &size))) return FALSE; DWORD base = (DWORD)peb->ReadOnlySharedMemoryBase; DWORD end = base + info.RegionSize - 0x40; // I_Jemin 13/11/2016 // Prevent redirecting SYSWOW64 to receive Shift-JIS PVOID OldValue; Wow64DisableWow64FsRedirection(&OldValue); static WCHAR system32[] = L"system32"; for (;base < end; base += 2) if (::memcmp((PVOID)base, system32, 0x10) == 0) { t = (LPWSTR)base; while (*t-- != L':'); obj = (LPWSTR)base; while (*obj != L'\\') obj++; break; } // Eguni 13/11/2016 // Dispose redirection Wow64EnableWow64FsRedirection(FALSE); if (base == end) return FALSE; } //ITH_MSG(t); //ITH_MSG(obj); LDR_DATA_TABLE_ENTRY *ldr_entry = (LDR_DATA_TABLE_ENTRY*)peb->Ldr->InLoadOrderModuleList.Flink; // jichi 7/12/2015: This will fail when the file path is a remote path such as: // Original remote file path: \\??\\\\\\psf\\Host\\Local\\Windows\\Games\\ShinaRio\\Ayakashibito_trial\\"); // Correct UNC path: \\??\\\\UNC\\psf\\Host\\Local\\Windows\\Games\\ShinaRio\\Ayakashibito_trial\\"); //RtlInitUnicodeString(&us, L"\\??\\UNC\\psf\\Host\\Local\\Windows\\Games\\ShinaRio\\Ayakashibito_trial\\"); //WCHAR file_path[MAX_PATH] = L"\\??\\"; LPCWSTR modulePath = ldr_entry->FullDllName.Buffer; if (modulePath[0] == '\\' && modulePath[1] == '\\') { // This is a remote path ::file_path[4] = 'U'; ::file_path[5] = 'N'; ::file_path[6] = 'C'; ::wcscpy(::file_path + 7, modulePath + 1); } else ::wcscpy(::file_path + 4, modulePath); current_dir = ::wcsrchr(::file_path, L'\\') + 1; *current_dir = 0; //GROWL(::file_path); RtlInitUnicodeString(&us, ::file_path); if (!NT_SUCCESS(NtOpenFile(&dir_obj,FILE_LIST_DIRECTORY|FILE_TRAVERSE|SYNCHRONIZE, &oa,&ios,FILE_SHARE_READ|FILE_SHARE_WRITE,FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT))) return FALSE; // jichi 9/22/2013: Get kernel object session ID // See: http://www.brianbondy.com/blog/id/100/ // It seems that on sessionId is 0 on Windows XP, and 1 on Windows Vista and later // I assume that sessionId is in [0,9] // For ChuSingura46+1 on Windows 7 // obj = L"\\Sessions\\1\\BaseNamedObjects"; // On Windows XP // obj = L"\\BaseNamedObjects"; //ITH_MSG(obj); { if (obj) RtlInitUnicodeString(&us, obj); else { // jichi ITH is on Wine // Get session ID in PEB // See: http://msdn.microsoft.com/en-us/library/bb432286%28v=vs.85%29.aspx DWORD sessionId = peb->SessionId; if (!sessionId) // Windows XP RtlInitUnicodeString(&us, L"\\BaseNamedObjects"); else { // Windows Vista + wchar_t path[] = L"\\Sessions\\0\\BaseNamedObjects"; path[10] += (wchar_t)sessionId; // replace 0 with the session ID RtlInitUnicodeString(&us, path); } } } if (!NT_SUCCESS(NtOpenDirectoryObject(&::root_obj, READ_CONTROL|0xf, &oa))) return FALSE; ::page = peb->InitAnsiCodePageData; enum { CP932 = 932 }; // jichi 9/23/2013: Access violation on Wine if (IthIsWine()) // One wine, there is no C_932.nls //page_locale = 0x4e4; // 1252, English //page_locale = GetACP(); // This will return 932 when LC_ALL=ja_JP.UTF-8 on wine // Always set locale to CP932 on Wine, since C_932.nls could be missing. ::page_locale = CP932; else ::page_locale = *(DWORD *)page >> 16; if (::page_locale == CP932) { oa.hRootDirectory = ::root_obj; oa.uAttributes |= OBJ_OPENIF; } else { // Unreachable or wine //#ifdef ITH_WINE // // jichi 9/22/2013: For ChuSingura46+1 on Windows 7 // //t = L"C:\\Windows\\system32"; // wchar_t buffer[MAX_PATH]; // if (!t) { // jichi 9/22/2013: ITH is one wine // if (UINT sz = ::GetSystemDirectoryW(buffer, MAX_PATH)) { // buffer[sz] = 0; // t = buffer; // } else // t = L"C:\\Windows\\System32"; // jichi 9/29/2013: sth is wrong here // } //#endif // ITH_WINE ::wcscpy(::file_path + 4, t); t = ::file_path; while(*++t); if (*(t-1)!=L'\\') *t++=L'\\'; ::wcscpy(t,L"C_932.nls"); RtlInitUnicodeString(&us, ::file_path); if (!NT_SUCCESS(NtOpenFile(&codepage_file, FILE_READ_DATA, &oa, &ios,FILE_SHARE_READ,0))) return FALSE; oa.hRootDirectory = ::root_obj; oa.uAttributes |= OBJ_OPENIF; RtlInitUnicodeString(&us, L"JPN_CodePage"); if (!NT_SUCCESS(NtCreateSection(&codepage_section, SECTION_MAP_READ, &oa,0, PAGE_READONLY, SEC_COMMIT, codepage_file))) return FALSE; CloseHandle(codepage_file); size = 0; ::page = nullptr; if (!NT_SUCCESS(NtMapViewOfSection(::codepage_section, NtCurrentProcess(), &::page, 0, 0, 0, &size, ViewUnmap, 0, PAGE_READONLY))) return FALSE; } if (ITH_ENABLE_THREADMAN) { RtlInitUnicodeString(&us, ITH_THREADMAN_SECTION); if (!NT_SUCCESS(NtCreateSection(&thread_man_section, SECTION_ALL_ACCESS, &oa, &sec_size, PAGE_EXECUTE_READWRITE, SEC_COMMIT, 0))) return FALSE; size = 0; // http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Section/NtMapViewOfSection.html thread_man_ = nullptr; if (!NT_SUCCESS(NtMapViewOfSection(thread_man_section, NtCurrentProcess(), (LPVOID *)&thread_man_, 0,0,0, &size, ViewUnmap, 0, PAGE_EXECUTE_READWRITE))) return FALSE; } return TRUE; } //Release resources allocated by IthInitSystemService. //After destroying the heap, all memory allocated by ITH module is returned to system. void IthCloseSystemService() { if (::page_locale != 0x3a4) { NtUnmapViewOfSection(NtCurrentProcess(), ::page); CloseHandle(::codepage_section); } if (ITH_ENABLE_THREADMAN) { NtUnmapViewOfSection(NtCurrentProcess(), ::thread_man_); CloseHandle(::thread_man_section); } CloseHandle(::root_obj); #ifdef ITH_HAS_HEAP RtlDestroyHeap(::hHeap); #endif // ITH_HAS_HEAP } //Check for existence of a file in current folder. Thread safe after init. //For ITH main module, it's ITH folder. For target process it's the target process's current folder. BOOL IthCheckFile(LPCWSTR file) { //return PathFileExistsW(file); // jichi: need Shlwapi.lib //return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY)); //return GetFileAttributesW(file) != INVALID_FILE_ATTRIBUTES; // jichi: does not consider the current app's path // jichi 9/22/2013: Following code does not work in Wine // See: http://stackoverflow.com/questions/3828835/how-can-we-check-if-a-file-exists-or-not-using-win32-program //WIN32_FIND_DATA FindFileData; //HANDLE handle = FindFirstFileW(file, &FindFileData); //if (handle != INVALID_HANDLE_VALUE) { // FindClose(handle); // return TRUE; //} //return FALSE; if (IthIsWine()) { HANDLE hFile = CreateFileW(file, GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, 0); if (hFile != INVALID_HANDLE_VALUE) { CloseHandle(hFile); return TRUE; } } else { // not wine HANDLE hFile; IO_STATUS_BLOCK isb; UNICODE_STRING us; RtlInitUnicodeString(&us, file); OBJECT_ATTRIBUTES oa = { sizeof(oa), dir_obj, &us, 0, 0, 0}; // jichi 9/22/2013: Following code does not work in Wine if (NT_SUCCESS(NtCreateFile(&hFile, FILE_READ_DATA, &oa, &isb, 0, 0, FILE_SHARE_READ, FILE_OPEN, 0, 0, 0))) { CloseHandle(hFile); return TRUE; } } return FALSE; //return IthGetFileInfo(file,file_info); //wcscpy(current_dir,file); } //Check for existence of files in current folder. //Unlike IthCheckFile, this function allows wildcard character. BOOL IthFindFile(LPCWSTR file) { NTSTATUS status; HANDLE h; UNICODE_STRING us; OBJECT_ATTRIBUTES oa = {sizeof(oa), dir_obj, &us, OBJ_CASE_INSENSITIVE, 0, 0}; us.Buffer = const_cast(file); LPCWSTR path = wcsrchr(file, L'\\'); if (path) { us.Length = (path - file) << 1; us.MaximumLength = us.Length; } else { us.Length = 0; us.MaximumLength = 0; } IO_STATUS_BLOCK ios; if (NT_SUCCESS(NtOpenFile(&h,FILE_LIST_DIRECTORY|SYNCHRONIZE, &oa,&ios,FILE_SHARE_READ,FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT))) { BYTE info[0x400]; if (path) RtlInitUnicodeString(&us, path + 1); else RtlInitUnicodeString(&us, file); status = NtQueryDirectoryFile(h,0,0,0,&ios,info,0x400,FileBothDirectoryInformation,TRUE,&us,TRUE); CloseHandle(h); return NT_SUCCESS(status); } return FALSE; } //Analogous to IthFindFile, but return detail information in 'info'. BOOL IthGetFileInfo(LPCWSTR file, LPVOID info, DWORD size) { NTSTATUS status; HANDLE h; UNICODE_STRING us; LPCWSTR path = wcsrchr(file, L'\\'); us.Buffer = const_cast(file); if (path) { us.Length = (path - file) << 1; us.MaximumLength = us.Length; } else { us.Length = 0; us.MaximumLength = 0; } //RtlInitUnicodeString(&us,file); OBJECT_ATTRIBUTES oa = {sizeof(oa), dir_obj, &us, OBJ_CASE_INSENSITIVE, 0, 0}; IO_STATUS_BLOCK ios; if (NT_SUCCESS(NtOpenFile(&h,FILE_LIST_DIRECTORY|SYNCHRONIZE, &oa,&ios,FILE_SHARE_READ,FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT))) { RtlInitUnicodeString(&us,file); status = NtQueryDirectoryFile(h,0,0,0,&ios,info,size,FileBothDirectoryInformation,0,&us,0); status = NT_SUCCESS(status); CloseHandle(h); } else status = FALSE; return status; } //Check for existence of a file with full NT path(start with \??\). BOOL IthCheckFileFullPath(LPCWSTR file) { UNICODE_STRING us; RtlInitUnicodeString(&us, file); OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &us, OBJ_CASE_INSENSITIVE, 0, 0}; HANDLE hFile; IO_STATUS_BLOCK isb; if (NT_SUCCESS(NtCreateFile(&hFile,FILE_READ_DATA,&oa,&isb,0,0,FILE_SHARE_READ,FILE_OPEN,0,0,0))) { CloseHandle(hFile); return TRUE; } else return FALSE; } //Create or open file in current folder. Analogous to Win32 CreateFile. //option: GENERIC_READ / GENERIC_WRITE. //share: FILE_SHARE_READ / FILE_SHARE_WRITE / FILE_SHARE_DELETE. 0 for exclusive access. //disposition: FILE_OPEN / FILE_OPEN_IF. //Use FILE_OPEN instead of OPEN_EXISTING and FILE_OPEN_IF for CREATE_ALWAYS. HANDLE IthCreateFile(LPCWSTR name, DWORD option, DWORD share, DWORD disposition) { UNICODE_STRING us; RtlInitUnicodeString(&us, name); OBJECT_ATTRIBUTES oa = { sizeof(oa), dir_obj, &us, OBJ_CASE_INSENSITIVE, 0, 0 }; HANDLE hFile; IO_STATUS_BLOCK isb; return NT_SUCCESS(NtCreateFile(&hFile, option|FILE_READ_ATTRIBUTES|SYNCHRONIZE, &oa,&isb,0,0,share,disposition, FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,0,0)) ? hFile : INVALID_HANDLE_VALUE; } //Create a directory file in current folder. HANDLE IthCreateDirectory(LPCWSTR name) { UNICODE_STRING us; RtlInitUnicodeString(&us,name); OBJECT_ATTRIBUTES oa = {sizeof(oa), dir_obj, &us, OBJ_CASE_INSENSITIVE, 0, 0}; HANDLE hFile; IO_STATUS_BLOCK isb; return NT_SUCCESS(NtCreateFile(&hFile,FILE_LIST_DIRECTORY|FILE_TRAVERSE|SYNCHRONIZE,&oa,&isb,0,0, FILE_SHARE_READ|FILE_SHARE_WRITE,FILE_OPEN_IF,FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT,0,0)) ? hFile : INVALID_HANDLE_VALUE; } HANDLE IthCreateFileInDirectory(LPCWSTR name, HANDLE dir, DWORD option, DWORD share, DWORD disposition) { UNICODE_STRING us; RtlInitUnicodeString(&us,name); if (dir == 0) dir = dir_obj; OBJECT_ATTRIBUTES oa = {sizeof(oa), dir, &us, OBJ_CASE_INSENSITIVE, 0, 0}; HANDLE hFile; IO_STATUS_BLOCK isb; return NT_SUCCESS(NtCreateFile(&hFile, option|FILE_READ_ATTRIBUTES|SYNCHRONIZE, &oa,&isb,0,0,share,disposition, FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,0,0)) ? hFile : INVALID_HANDLE_VALUE; } //Analogous to IthCreateFile, but with full NT path. HANDLE IthCreateFileFullPath(LPCWSTR path, DWORD option, DWORD share, DWORD disposition) { UNICODE_STRING us; RtlInitUnicodeString(&us,path); OBJECT_ATTRIBUTES oa = {sizeof(oa), 0, &us, OBJ_CASE_INSENSITIVE, 0, 0}; HANDLE hFile; IO_STATUS_BLOCK isb; return NT_SUCCESS(NtCreateFile(&hFile, option|FILE_READ_ATTRIBUTES|SYNCHRONIZE, &oa,&isb,0,0,share,disposition, FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,0,0)) ? hFile : INVALID_HANDLE_VALUE; } //Create section object for sharing memory between processes. //Similar to CreateFileMapping. HANDLE IthCreateSection(LPCWSTR name, DWORD size, DWORD right) { // jichi 9/25/2013: GENERIC_ALL does NOT work one wine // See ZwCreateSection: http://msdn.microsoft.com/en-us/library/windows/hardware/ff566428%28v=vs.85%29.aspx //#ifdef ITH_WINE enum { DesiredAccess = SECTION_ALL_ACCESS }; //#else // enum { DesiredAccess = GENERIC_ALL }; // jichi 9/25/2013: not sure whhy ITH is usin GENERIC_ALL //#endif // ITH_WINE #define eval (NT_SUCCESS(NtCreateSection(&hSection, DesiredAccess, poa, &s, \ right, SEC_COMMIT, 0)) ? hSection : INVALID_HANDLE_VALUE) HANDLE hSection; LARGE_INTEGER s = {size, 0}; OBJECT_ATTRIBUTES *poa = nullptr; // jichi 9/25/2013: What the fxxx?! poa in the orignal source code of ITH // is pointed to freed object on the stack?! This will crash wine! if (name) { UNICODE_STRING us; RtlInitUnicodeString(&us, name); OBJECT_ATTRIBUTES oa = {sizeof(oa), root_obj, &us,OBJ_OPENIF,0,0}; poa = &oa; return eval; } else return eval; #undef retval } //Create event object. Similar to CreateEvent. HANDLE IthCreateEvent(LPCWSTR name, DWORD auto_reset, DWORD init_state) { #define eval (NT_SUCCESS(NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, poa, auto_reset, init_state)) ? \ hEvent : INVALID_HANDLE_VALUE) HANDLE hEvent; OBJECT_ATTRIBUTES *poa = nullptr; // jichi 9/25/2013: What the fxxx?! poa in the orignal source code of ITH // is pointed to freed object on the stack?! This will crash wine! if (name) { UNICODE_STRING us; RtlInitUnicodeString(&us,name); OBJECT_ATTRIBUTES oa = {sizeof(oa), root_obj, &us, OBJ_OPENIF, 0, 0}; poa = &oa; return eval; } else return eval; #undef eval } HANDLE IthOpenEvent(LPCWSTR name) { UNICODE_STRING us; RtlInitUnicodeString(&us, name); OBJECT_ATTRIBUTES oa = { sizeof(oa), root_obj, &us, 0, 0, 0 }; HANDLE hEvent; return NT_SUCCESS(NtOpenEvent(&hEvent, EVENT_ALL_ACCESS, &oa)) ? hEvent : INVALID_HANDLE_VALUE; } void IthSetEvent(HANDLE hEvent) { NtSetEvent(hEvent, 0); } void IthResetEvent(HANDLE hEvent) { NtClearEvent(hEvent); } //Create mutex object. Similar to CreateMutex. //If 'exist' is not null, it will be written 1 if mutex exist. HANDLE IthCreateMutex(LPCWSTR name, BOOL InitialOwner, DWORD *exist) { #ifdef ITH_ENABLE_WINAPI HANDLE ret = ::CreateMutexW(nullptr, InitialOwner, name); if (exist) *exist = ret == INVALID_HANDLE_VALUE || ::GetLastError() == ERROR_ALREADY_EXISTS; return ret; #else #define eval NtCreateMutant(&hMutex, MUTEX_ALL_ACCESS, poa, InitialOwner) UNICODE_STRING us; HANDLE hMutex; NTSTATUS status; OBJECT_ATTRIBUTES *poa = nullptr; // jichi 9/25/2013: What the fxxx?! poa in the orignal source code of ITH // is pointed to freed object on the stack?! This will crash wine! if (name) { //GROWL(name); RtlInitUnicodeString(&us, name); OBJECT_ATTRIBUTES oa = {sizeof(oa), root_obj, &us, OBJ_OPENIF, 0, 0}; poa = &oa; status = eval; //GROWL_DWORD(status); } else status = eval; if (NT_SUCCESS(status)) { if (exist) *exist = status == STATUS_OBJECT_NAME_EXISTS; return hMutex; } else return INVALID_HANDLE_VALUE; #undef eval #endif // ITH_ENABLE_WINAPI } HANDLE IthOpenMutex(LPCWSTR name) { #ifdef ITH_ENABLE_WINAPI return ::OpenMutexW(MUTEX_ALL_ACCESS, FALSE, name); #else UNICODE_STRING us; RtlInitUnicodeString(&us, name); OBJECT_ATTRIBUTES oa = {sizeof(oa), root_obj, &us, 0, 0, 0}; HANDLE hMutex; if (NT_SUCCESS(NtOpenMutant(&hMutex, MUTEX_ALL_ACCESS, &oa))) return hMutex; else return INVALID_HANDLE_VALUE; #endif // ITH_ENABLE_WINAPI } BOOL IthReleaseMutex(HANDLE hMutex) { return NT_SUCCESS(NtReleaseMutant(hMutex, 0)); } //Create new thread. 'hProc' must have following right. //PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE. HANDLE IthCreateThread(LPCVOID start_addr, DWORD param, HANDLE hProc) { HANDLE hThread; // jichi 9/27/2013: NtCreateThread is not implemented in Wine 1.7 if (thread_man_) { // Windows XP // jichi 9/29/2013: Reserved && commit stack size // See: http://msdn.microsoft.com/en-us/library/windows/desktop/aa366803%28v=vs.85%29.aspx // See: http://msdn.microsoft.com/en-us/library/ms810627.aspx enum { DEFAULT_STACK_LIMIT = 0x400000 }; enum { DEFAULT_STACK_COMMIT = 0x10000 }; enum { PAGE_SIZE = 0x1000 }; CLIENT_ID id; LPVOID protect; USER_STACK stack = {}; CONTEXT ctx = {CONTEXT_FULL}; DWORD size = DEFAULT_STACK_LIMIT, commit = DEFAULT_STACK_COMMIT; if (!NT_SUCCESS(NtAllocateVirtualMemory(hProc, &stack.ExpandableStackBottom, 0, &size, MEM_RESERVE, PAGE_READWRITE))) return INVALID_HANDLE_VALUE; stack.ExpandableStackBase = (char *)stack.ExpandableStackBottom + size; stack.ExpandableStackLimit = (char *)stack.ExpandableStackBase - commit; size = PAGE_SIZE; commit += size; protect = (char *)stack.ExpandableStackBase - commit; NtAllocateVirtualMemory(hProc, &protect, 0, &commit, MEM_COMMIT, PAGE_READWRITE); DWORD oldAccess; // jichi 9/29/2013: unused NtProtectVirtualMemory(hProc, &protect, &size, PAGE_READWRITE|PAGE_GUARD, &oldAccess); ctx.SegGs = 0; ctx.SegFs = 0x38; ctx.SegEs = 0x20; ctx.SegDs = 0x20; ctx.SegSs = 0x20; ctx.SegCs = 0x18; ctx.EFlags = 0x3000; ctx.Eip = (DWORD)thread_man_->GetProcAddr(hProc); ctx.Eax = (DWORD)start_addr; ctx.Ecx = ctx.Eip + 0x40; ctx.Edx = 0xffffffff; ctx.Esp = (DWORD)stack.ExpandableStackBase - 0x10; ctx.Ebp = param; // NTSYSAPI // NTSTATUS // NTAPI // NtCreateThread( // _Out_ PHANDLE ThreadHandle, // _In_ ACCESS_MASK DesiredAccess, // _In_ POBJECT_ATTRIBUTES ObjectAttributes, // _In_ HANDLE ProcessHandle, // _Out_ PCLIENT_ID ClientId, // _In_ PCONTEXT ThreadContext, // _In_ PUSER_STACK UserStack, // _In_ BOOLEAN CreateSuspended // ); if (NT_SUCCESS(NtCreateThread( &hThread, // _Out_ PHANDLE ThreadHandle, THREAD_ALL_ACCESS, // _In_ ACCESS_MASK DesiredAccess, nullptr, // _In_ POBJECT_ATTRIBUTES ObjectAttributes, hProc, // _In_ HANDLE ProcessHandle, &id, // _Out_ PCLIENT_ID ClientId, &ctx, // _In_ PCONTEXT ThreadContext, &stack, // _In_ PUSER_STACK UserStack, TRUE // _In_ BOOLEAN CreateSuspended ))) { // On x64 Windows, NtCreateThread in ntdll calls NtCreateThread in ntoskrnl via WOW64, // which maps 32-bit system call to the correspond 64-bit version. // This layer doesn't correctly copy whole CONTEXT structure, so we must set it manually // after the thread is created. // On x86 Windows, this step is not necessary. NtSetContextThread(hThread, &ctx); NtResumeThread(hThread, 0); } else hThread = INVALID_HANDLE_VALUE; } else { // jichi 9/27/2013: CreateRemoteThread works on both Wine and Windows 7 // Use CreateRemoteThread instead // FIXME 10/5/2031: Though sometimes works, CreateRemoteThread randomly crashes on wine. // See: // - http://www.unknowncheats.me/forum/c-and-c/64775-createremotethread-dll-injection.html // - http://source.winehq.org/WineAPI/CreateRemoteThread.html // - http://msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx // HANDLE WINAPI CreateRemoteThread( // _In_ HANDLE hProcess, // _In_ LPSECURITY_ATTRIBUTES lpThreadAttributes, // _In_ SIZE_T dwStackSize, // _In_ LPTHREAD_START_ROUTINE lpStartAddress, // _In_ LPVOID lpParameter, // _In_ DWORD dwCreationFlags, // _Out_ LPDWORD lpThreadId // ); //ITH_TRY { if (hProc == INVALID_HANDLE_VALUE) hProc = GetCurrentProcess(); //DWORD dwThreadId; hThread = CreateRemoteThread( hProc, // _In_ HANDLE hProcess, nullptr, // _In_ LPSECURITY_ATTRIBUTES lpThreadAttributes, 0, // _In_ SIZE_T dwStackSize, (LPTHREAD_START_ROUTINE)start_addr, // _In_ LPTHREAD_START_ROUTINE lpStartAddress, (LPVOID)param, // _In_ LPVOID lpParameter, 0, //STACK_SIZE_PARAM_IS_A_RESERVATION // _In_ DWORD dwCreationFlags, nullptr // _Out_ LPDWORD lpThreadId ); if (!hThread) // jichi: this function returns nullptr instead of -1 hThread = INVALID_HANDLE_VALUE; //} ITH_EXCEPT { // ITH_WARN(L"exception"); // hThread = INVALID_HANDLE_VALUE; //} } /* else { // jichi 9/29/2013: Also work on Wine and Windows 7 // See: http://waleedassar.blogspot.com/2012/06/createremotethread-vs.html CLIENT_ID id; //DWORD size = DEFAULT_STACK_LIMIT, // commit = DEFAULT_STACK_COMMIT; DWORD reserve = 0, commit = 0; // http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Executable%20Images/RtlCreateUserThread.html // NTSYSAPI // NTSTATUS // NTAPI // RtlCreateUserThread( // IN HANDLE ProcessHandle, // IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, // IN BOOLEAN CreateSuspended, // IN ULONG StackZeroBits, // IN OUT PULONG StackReserved, // IN OUT PULONG StackCommit, // IN PVOID StartAddress, // IN PVOID StartParameter OPTIONAL, // OUT PHANDLE ThreadHandle, // OUT PCLIENT_ID ClientID); if (!NT_SUCCESS(RtlCreateUserThread( hProc, // HANDLE hProcess, nullptr, // IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, FALSE, // IN BOOLEAN CreateSuspended, 0, // IN ULONG StackZeroBits, &reserve, // IN OUT PULONG StackReserved, &commit, // IN OUT PULONG StackCommit, (LPVOID)start_addr, // IN PVOID StartAddress, (LPVOID)param,// IN PVOID StartParameter OPTIONAL, &hThread, // OUT PHANDLE ThreadHandle, &id // OUT PCLIENT_ID ClientID ))) hThread = INVALID_HANDLE_VALUE; } */ return hThread; } //Query module export table. Return function address if found. //Similar to GetProcAddress DWORD GetExportAddress(DWORD hModule,DWORD hash) { IMAGE_DOS_HEADER *DosHdr; IMAGE_NT_HEADERS *NtHdr; IMAGE_EXPORT_DIRECTORY *ExtDir; UINT uj; char* pcExportAddr,*pcFuncPtr,*pcBuffer; DWORD dwReadAddr,dwFuncAddr,dwFuncName; WORD wOrd; DosHdr = (IMAGE_DOS_HEADER*)hModule; if (IMAGE_DOS_SIGNATURE==DosHdr->e_magic) { dwReadAddr=hModule+DosHdr->e_lfanew; NtHdr=(IMAGE_NT_HEADERS*)dwReadAddr; if (IMAGE_NT_SIGNATURE == NtHdr->Signature) { pcExportAddr = (char*)((DWORD)hModule+ (DWORD)NtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); if (!pcExportAddr) return 0; ExtDir = (IMAGE_EXPORT_DIRECTORY*)pcExportAddr; pcExportAddr = (char*)((DWORD)hModule+(DWORD)ExtDir->AddressOfNames); for (uj = 0; uj < ExtDir->NumberOfNames; uj++) { dwFuncName = *(DWORD *)pcExportAddr; pcBuffer = (char*)((DWORD)hModule+dwFuncName); if (GetHash(pcBuffer) == hash) { pcFuncPtr = (char*)((DWORD)hModule+(DWORD)ExtDir->AddressOfNameOrdinals+(uj*sizeof(WORD))); wOrd = *(WORD*)pcFuncPtr; pcFuncPtr = (char*)((DWORD)hModule+(DWORD)ExtDir->AddressOfFunctions+(wOrd*sizeof(DWORD))); dwFuncAddr = *(DWORD *)pcFuncPtr; return hModule+dwFuncAddr; } pcExportAddr += sizeof(DWORD); } } } return 0; } } // extern "C" // EOF /*__declspec(naked) void normal_asm() { __asm { push ecx push edx mov fs:[0],esp push ebp call eax _terminate: push eax push -2 call dword ptr [NtTerminateThread] } }*/ /* __declspec(naked) void RegToStrAsm() { __asm { mov edx, 8 _cvt_loop: mov eax, ecx and eax, 0xF cmp eax, 0xA jb _below_ten add al,7 _below_ten: add al,0x30 stosw ror ecx,4 dec edx jne _cvt_loop retn } } __declspec(naked) void except_asm() { __asm { mov eax,[esp + 4] xor esi,esi mov ebp,[eax] mov ecx,[esp + 0xC] mov ebx,[ecx + 0xB8] sub esp,0x240 lea edi,[esp + 0x40] mov eax,esp push esi push 0x1C push eax push esi push ebx push -1 call dword ptr [NtQueryVirtualMemory] test eax,eax jne _terminate mov eax,esp push eax push 0x200 push edi push 2 push ebx push -1 call dword ptr [NtQueryVirtualMemory] test eax,eax jne _terminate pop esi xadd edi,esi std mov al,0x5C repen scasw mov word ptr [edi + 2], 0x3A mov ecx,ebx sub ecx,[esp] call RegToStrAsm inc edi inc edi xchg esi,edi mov ecx,ebp call RegToStrAsm inc edi inc edi xor eax,eax mov [edi + 0x10], eax push 0 push edi push esi push 0 call dword ptr [MessageBoxW] or eax, -1 jmp _terminate } } //Prompt for file name. HANDLE IthPromptCreateFile(DWORD option, DWORD share, DWORD disposition) { OPENFILENAME ofn = {sizeof(ofn)}; // common dialog box structure WCHAR szFile[MAX_PATH]; // buffer for file name wcscpy(current_dir,L"ITH_export.txt"); wcscpy(szFile,file_path); //szFile[0]=0; ofn.lpstrFile = szFile + 4; ofn.nMaxFile = MAX_PATH; ofn.lpstrFilter = L"Text\0*.txt"; BOOL result; if (disposition==FILE_OPEN) result=GetOpenFileName(&ofn); else result=GetSaveFileName(&ofn); if (result) { LPWSTR s=szFile+wcslen(szFile) - 4; if (_wcsicmp(s,L".txt")!=0) wcscpy(s + 4,L".txt"); return IthCreateFileFullPath(szFile,option,share,disposition); } else return INVALID_HANDLE_VALUE; } */