remove more stuff from ntdll
This commit is contained in:
parent
c393d29115
commit
d89cc56d6f
@ -76,7 +76,7 @@ BOOL getModuleMemoryRange(LPCWSTR moduleName, DWORD *lowerBound, DWORD *upperBou
|
||||
do {
|
||||
DWORD len;
|
||||
// Nt function is needed instead of VirtualQuery, which only works for the current process
|
||||
::NtQueryVirtualMemory(NtCurrentProcess(), (LPVOID)upper, MemoryBasicInformation, &mbi, sizeof(mbi), &len);
|
||||
::NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)upper, MemoryBasicInformation, &mbi, sizeof(mbi), &len);
|
||||
if (mbi.Protect & PAGE_NOACCESS) {
|
||||
it->SizeOfImage = size;
|
||||
break;
|
||||
|
@ -5932,7 +5932,7 @@ bool InsertWaffleDynamicHook(LPVOID addr, DWORD frame, DWORD stack)
|
||||
// str = *(DWORD*)stack;
|
||||
// if ((str >> 16) != (stack >> 16))
|
||||
// {
|
||||
// status = NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)str,MemoryBasicInformation,&info,sizeof(info),0);
|
||||
// status = NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)str,MemoryBasicInformation,&info,sizeof(info),0);
|
||||
// if (!NT_SUCCESS(status) || info.Protect & PAGE_NOACCESS) continue; //Accessible
|
||||
// }
|
||||
// if (*(WORD*)(str + 4) == ch) break;
|
||||
@ -8188,7 +8188,7 @@ bool IsPensilSetup()
|
||||
IO_STATUS_BLOCK ios;
|
||||
LPVOID buffer = nullptr;
|
||||
NtQueryInformationFile(hFile, &ios, &info, sizeof(info), FileStandardInformation);
|
||||
NtAllocateVirtualMemory(NtCurrentProcess(), &buffer, 0,
|
||||
NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0,
|
||||
&info.AllocationSize.LowPart, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
|
||||
NtReadFile(hFile, 0,0,0, &ios, buffer, info.EndOfFile.LowPart, 0, 0);
|
||||
CloseHandle(hFile);
|
||||
@ -8199,7 +8199,7 @@ bool IsPensilSetup()
|
||||
b[len] = 0;
|
||||
b[len + 1] = 0;
|
||||
bool ret = wcsstr((LPWSTR)buffer, L"PENSIL") || wcsstr((LPWSTR)buffer, L"Pensil");
|
||||
NtFreeVirtualMemory(NtCurrentProcess(), &buffer, &info.AllocationSize.LowPart, MEM_RELEASE);
|
||||
NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &info.AllocationSize.LowPart, MEM_RELEASE);
|
||||
return ret;
|
||||
}
|
||||
#endif // if 0
|
||||
@ -8853,23 +8853,23 @@ MEMORY_WORKING_SET_LIST *GetWorkingSet()
|
||||
NTSTATUS status;
|
||||
LPVOID buffer = 0;
|
||||
len = 0x4000;
|
||||
status = NtAllocateVirtualMemory(NtCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
|
||||
status = NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
|
||||
if (!NT_SUCCESS(status)) return 0;
|
||||
status = NtQueryVirtualMemory(NtCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
|
||||
status = NtQueryVirtualMemory(GetCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
|
||||
if (status == STATUS_INFO_LENGTH_MISMATCH) {
|
||||
len = *(DWORD*)buffer;
|
||||
len = ((len << 2) & 0xfffff000) + 0x4000;
|
||||
retl = 0;
|
||||
NtFreeVirtualMemory(NtCurrentProcess(), &buffer, &retl, MEM_RELEASE);
|
||||
NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &retl, MEM_RELEASE);
|
||||
buffer = 0;
|
||||
status = NtAllocateVirtualMemory(NtCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
|
||||
status = NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
|
||||
if (!NT_SUCCESS(status)) return 0;
|
||||
status = NtQueryVirtualMemory(NtCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
|
||||
status = NtQueryVirtualMemory(GetCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
|
||||
if (!NT_SUCCESS(status)) return 0;
|
||||
return (MEMORY_WORKING_SET_LIST*)buffer;
|
||||
} else {
|
||||
retl = 0;
|
||||
NtFreeVirtualMemory(NtCurrentProcess(), &buffer, &retl, MEM_RELEASE);
|
||||
NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &retl, MEM_RELEASE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -8920,7 +8920,7 @@ BOOL FindCharacteristInstruction(MEMORY_WORKING_SET_LIST *list)
|
||||
else {
|
||||
if (size > 0x2000) {
|
||||
addr = base & ~0xfff;
|
||||
status = NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)addr,
|
||||
status = NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)addr,
|
||||
MemorySectionName,text_buffer_prev,0x1000,&retl);
|
||||
if (!NT_SUCCESS(status)) {
|
||||
k = addr + size - 4;
|
||||
@ -8962,7 +8962,7 @@ bool InsertAB2TryHook()
|
||||
ConsoleOutput("vnreng:AB2Try: cannot find characteristic sequence");
|
||||
//L"Make sure you have start the game and have seen some text on the screen.");
|
||||
DWORD size = 0;
|
||||
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&list, &size, MEM_RELEASE);
|
||||
NtFreeVirtualMemory(GetCurrentProcess(), (PVOID *)&list, &size, MEM_RELEASE);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
@ -885,7 +885,7 @@ bool DetermineEngineType()
|
||||
//
|
||||
|
||||
HANDLE hijackThread;
|
||||
void hijackThreadProc(LPVOID unused)
|
||||
DWORD WINAPI hijackThreadProc(LPVOID unused)
|
||||
{
|
||||
//CC_UNUSED(lpThreadParameter);
|
||||
|
||||
@ -901,6 +901,7 @@ void hijackThreadProc(LPVOID unused)
|
||||
|
||||
FillRange(process_name_, &module_base_, &module_limit_);
|
||||
DetermineEngineType();
|
||||
return 0;
|
||||
}
|
||||
|
||||
}} // namespace Engine unnamed
|
||||
@ -914,7 +915,7 @@ void Engine::hijack()
|
||||
{
|
||||
if (!hijackThread) {
|
||||
ConsoleOutput("vnreng: hijack process");
|
||||
hijackThread = IthCreateThread(hijackThreadProc, 0);
|
||||
hijackThread = CreateRemoteThread(GetCurrentProcess(), nullptr, 0, hijackThreadProc, 0, 0, nullptr);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -584,7 +584,7 @@ int TextHook::UnsafeInsertHookCode()
|
||||
|
||||
// Verify hp.address.
|
||||
MEMORY_BASIC_INFORMATION info = {};
|
||||
NtQueryVirtualMemory(NtCurrentProcess(), (LPVOID)hp.address, MemoryBasicInformation, &info, sizeof(info), nullptr);
|
||||
NtQueryVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, MemoryBasicInformation, &info, sizeof(info), nullptr);
|
||||
if (info.Type & PAGE_NOACCESS) {
|
||||
ConsoleOutput("vnrcli:UnsafeInsertHookCode: FAILED: page no access");
|
||||
return no;
|
||||
@ -661,13 +661,13 @@ int TextHook::UnsafeInsertHookCode()
|
||||
// See: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html
|
||||
// See: http://doxygen.reactos.org/d8/d6b/ndk_2mmfuncs_8h_af942709e0c57981d84586e74621912cd.html
|
||||
DWORD addr = hp.address;
|
||||
NtProtectVirtualMemory(NtCurrentProcess(), (PVOID *)&addr, &t, PAGE_EXECUTE_READWRITE, &old);
|
||||
NtWriteVirtualMemory(NtCurrentProcess(), (BYTE *)hp.address, inst, 5, &t);
|
||||
NtProtectVirtualMemory(GetCurrentProcess(), (PVOID *)&addr, &t, PAGE_EXECUTE_READWRITE, &old);
|
||||
NtWriteVirtualMemory(GetCurrentProcess(), (BYTE *)hp.address, inst, 5, &t);
|
||||
len = hp.recover_len - 5;
|
||||
if (len)
|
||||
NtWriteVirtualMemory(NtCurrentProcess(), (BYTE *)hp.address + 5, int3, len, &t);
|
||||
NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
|
||||
NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)::hookman, 0x1000);
|
||||
NtWriteVirtualMemory(GetCurrentProcess(), (BYTE *)hp.address + 5, int3, len, &t);
|
||||
NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
|
||||
NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)::hookman, 0x1000);
|
||||
//ConsoleOutput("vnrcli:UnsafeInsertHookCode: leave: succeed");
|
||||
return 0;
|
||||
}
|
||||
@ -719,8 +719,8 @@ int TextHook::RemoveHook()
|
||||
//with_seh({ // jichi 9/17/2013: might crash ><
|
||||
// jichi 12/25/2013: Actually, __try cannot catch such kind of exception
|
||||
ITH_TRY {
|
||||
NtWriteVirtualMemory(NtCurrentProcess(), (LPVOID)hp.address, original, hp.recover_len, &l);
|
||||
NtFlushInstructionCache(NtCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
|
||||
NtWriteVirtualMemory(GetCurrentProcess(), (LPVOID)hp.address, original, hp.recover_len, &l);
|
||||
NtFlushInstructionCache(GetCurrentProcess(), (LPVOID)hp.address, hp.recover_len);
|
||||
} ITH_EXCEPT {}
|
||||
//});
|
||||
hp.hook_len = 0;
|
||||
@ -839,9 +839,9 @@ EXCEPTION_DISPOSITION ExceptHandler(EXCEPTION_RECORD *ExceptionRecord,
|
||||
//swprintf(str, L"Exception code: 0x%.8X", ExceptionRecord->ExceptionCode);
|
||||
//ConsoleOutput(str);
|
||||
//MEMORY_BASIC_INFORMATION info;
|
||||
//if (NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip,
|
||||
//if (NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip,
|
||||
// MemoryBasicInformation,&info,sizeof(info),0)) &&
|
||||
// NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip,
|
||||
// NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip,
|
||||
// MemorySectionName,name,0x200,0))) {
|
||||
// swprintf(str, L"Exception offset: 0x%.8X:%s",
|
||||
// ContextRecord->Eip-(DWORD)info.AllocationBase,
|
||||
@ -866,9 +866,9 @@ EXCEPTION_DISPOSITION ExceptHandler(EXCEPTION_RECORD *ExceptionRecord,
|
||||
//swprintf(str, L"Exception code: 0x%.8X", ExceptionRecord->ExceptionCode);
|
||||
//ConsoleOutput(str);
|
||||
//MEMORY_BASIC_INFORMATION info;
|
||||
//if (NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip,
|
||||
//if (NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip,
|
||||
// MemoryBasicInformation,&info,sizeof(info),0)) &&
|
||||
// NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(),(PVOID)ContextRecord->Eip,
|
||||
// NT_SUCCESS(NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)ContextRecord->Eip,
|
||||
// MemorySectionName,name,0x200,0))) {
|
||||
// swprintf(str, L"Exception offset: 0x%.8X:%s",
|
||||
// ContextRecord->Eip-(DWORD)info.AllocationBase,
|
||||
|
@ -68,6 +68,7 @@ HANDLE
|
||||
hFile,
|
||||
hMutex,
|
||||
hmMutex;
|
||||
HMODULE currentModule;
|
||||
//DWORD current_process_id;
|
||||
extern DWORD enter_count;
|
||||
//extern LPWSTR current_dir;
|
||||
@ -157,27 +158,26 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused)
|
||||
|
||||
IthInitSystemService();
|
||||
|
||||
swprintf(hm_section, ITH_SECTION_ L"%d", current_process_id);
|
||||
swprintf(hm_section, ITH_SECTION_ L"%d", GetCurrentProcessId());
|
||||
|
||||
// jichi 9/25/2013: Interprocedural communication with vnrsrv.
|
||||
hSection = CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_EXECUTE_READWRITE, 0, HOOK_SECTION_SIZE, hm_section);
|
||||
::hookman = (TextHook*)MapViewOfFile(hSection, FILE_MAP_ALL_ACCESS, 0, 0, HOOK_SECTION_SIZE / 2);
|
||||
|
||||
GetProcessName(::processName);
|
||||
FillRange(::processName, &::processStartAddress, &::processStopAddress);
|
||||
//NtInspect::getProcessMemoryRange(&::processStartAddress, &::processStopAddress);
|
||||
::processStartAddress = (DWORD)GetModuleHandleW(nullptr);
|
||||
|
||||
{
|
||||
wchar_t hm_mutex[0x100];
|
||||
swprintf(hm_mutex, ITH_HOOKMAN_MUTEX_ L"%d", current_process_id);
|
||||
::hmMutex = IthCreateMutex(hm_mutex, FALSE);
|
||||
swprintf(hm_mutex, ITH_HOOKMAN_MUTEX_ L"%d", GetCurrentProcessId());
|
||||
::hmMutex = CreateMutexW(nullptr, FALSE, hm_mutex);
|
||||
}
|
||||
{
|
||||
wchar_t dll_mutex[0x100];
|
||||
swprintf(dll_mutex, ITH_PROCESS_MUTEX_ L"%d", current_process_id);
|
||||
swprintf(dll_mutex, ITH_PROCESS_MUTEX_ L"%d", GetCurrentProcessId());
|
||||
DWORD exists;
|
||||
::hMutex = IthCreateMutex(dll_mutex, TRUE, &exists); // jichi 9/18/2013: own is true, make sure the injected dll is singleton
|
||||
if (exists)
|
||||
::hMutex = CreateMutexW(nullptr, TRUE, dll_mutex); // jichi 9/18/2013: own is true, make sure the injected dll is singleton
|
||||
if (GetLastError() == ERROR_ALREADY_EXISTS)
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
@ -186,8 +186,9 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused)
|
||||
::tree = new AVLTree<char, FunctionInfo, SCMP, SCPY, SLEN>;
|
||||
AddAllModules();
|
||||
InitFilterTable();
|
||||
::currentModule = hModule;
|
||||
|
||||
pipeThread = IthCreateThread(PipeManager, 0);
|
||||
pipeThread = CreateRemoteThread(GetCurrentProcess(), nullptr, 0, PipeManager, 0, 0, nullptr);
|
||||
} break;
|
||||
case DLL_PROCESS_DETACH:
|
||||
{
|
||||
@ -211,7 +212,7 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD fdwReason, LPVOID unused)
|
||||
for (TextHook *man = ::hookman; man->RemoveHook(); man++);
|
||||
//LARGE_INTEGER lint = {-10000, -1};
|
||||
while (::enter_count)
|
||||
IthSleep(1); // jichi 9/28/2013: sleep for 1 ms
|
||||
Sleep(1); // jichi 9/28/2013: sleep for 1 ms
|
||||
//NtDelayExecution(0, &lint);
|
||||
for (TextHook *man = ::hookman; man < ::hookman + MAX_HOOK; man++)
|
||||
man->ClearHook();
|
||||
|
@ -17,6 +17,7 @@
|
||||
#include <cstdio> // for swprintf
|
||||
|
||||
HANDLE hookPipe;
|
||||
extern HMODULE currentModule;
|
||||
|
||||
DWORD WINAPI PipeManager(LPVOID unused)
|
||||
{
|
||||
@ -41,7 +42,8 @@ DWORD WINAPI PipeManager(LPVOID unused)
|
||||
}
|
||||
}
|
||||
|
||||
WriteFile(::hookPipe, &::current_process_id, sizeof(::current_process_id), nullptr, nullptr);
|
||||
*(DWORD*)buffer = GetCurrentProcessId();
|
||||
WriteFile(::hookPipe, buffer, sizeof(DWORD), nullptr, nullptr);
|
||||
|
||||
for (int i = 0, count = 0; count < ::currentHook; i++)
|
||||
{
|
||||
@ -112,7 +114,7 @@ DWORD WINAPI PipeManager(LPVOID unused)
|
||||
CloseHandle(::hookPipe);
|
||||
CloseHandle(hostPipe);
|
||||
}
|
||||
Util::unloadCurrentModule();
|
||||
FreeLibraryAndExitThread(::currentModule, 0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -302,26 +302,4 @@ termin:
|
||||
}
|
||||
}
|
||||
|
||||
EXTERN_C IMAGE_DOS_HEADER __ImageBase;
|
||||
// See: http://stackoverflow.com/questions/3410130/dll-unloading-itself
|
||||
// TODO: This doesn't always work. Fix it.
|
||||
bool Util::unloadCurrentModule()
|
||||
{
|
||||
auto fun = ::FreeLibrary;
|
||||
//auto fun = ::LdrUnloadDll;
|
||||
if (HANDLE h = ::IthCreateThread(fun, (DWORD)&__ImageBase)) {
|
||||
//const LONGLONG timeout = -50000000; // in nanoseconds = 5 seconds
|
||||
//NtWaitForSingleObject(h, 0, (PLARGE_INTEGER)&timeout);
|
||||
CloseHandle(h);
|
||||
return true;
|
||||
}
|
||||
|
||||
// CreateThread does not always work on Windows XP. Use IthCreateThread (i.e. CreateRemoteThread under the water) instead.
|
||||
//if (HANDLE h = ::CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)fun, &__ImageBase, 0, NULL)) {
|
||||
// ::CloseHandle(h);
|
||||
// return true;
|
||||
//}
|
||||
return false;
|
||||
}
|
||||
|
||||
// EOF
|
||||
|
Loading…
x
Reference in New Issue
Block a user