diff --git a/Src/CebuLoader/AccessPayload.h b/Src/CebuLoader/AccessPayload.h
index c624bd5..3da85e4 100644
--- a/Src/CebuLoader/AccessPayload.h
+++ b/Src/CebuLoader/AccessPayload.h
@@ -43,5 +43,5 @@ inline size_t GetExportNameSize(void* startOfResource)
 inline const char* GetExportName(void* startOfResource)
 {
- return (char*)GetPayloadEnd(startOfResource) + 4;
-}
\ No newline at end of file
+ return (char*)GetPayloadEnd(startOfResource) + 4; // 4 bytes size
+}
diff --git a/Src/CebuLoader/CebuLoaderMain.cpp b/Src/CebuLoader/CebuLoaderMain.cpp
index 0bb8500..89ea5be 100644
--- a/Src/CebuLoader/CebuLoaderMain.cpp
+++ b/Src/CebuLoader/CebuLoaderMain.cpp
@@ -89,25 +89,22 @@ int LoadPe(void* dllData, std::string_view callExport)
 auto sectionHeader = IMAGE_FIRST_SECTION(ntHeaders);
 DWORD lastSectionEnd = 0;
 DWORD endOfSection;
- for (size_t i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++, sectionHeader++) {
- if (sectionHeader->SizeOfRawData == 0) {
+ for (size_t i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++, sectionHeader++)
+ {
+ if (sectionHeader->SizeOfRawData == 0)
 endOfSection = sectionHeader->VirtualAddress + ntHeaders->OptionalHeader.SectionAlignment;
- }
- else {
+ else
 endOfSection = sectionHeader->VirtualAddress + sectionHeader->SizeOfRawData;
- }
- if (endOfSection > lastSectionEnd) {
+ if (endOfSection > lastSectionEnd)
 lastSectionEnd = endOfSection;
- }
 }
 SYSTEM_INFO sysInfo;
 GetNativeSystemInfo(&sysInfo);
 auto alignedImageSize = AlignValueUp(ntHeaders->OptionalHeader.SizeOfImage, sysInfo.dwPageSize);
- if (alignedImageSize != AlignValueUp(lastSectionEnd, sysInfo.dwPageSize)) {
+ if (alignedImageSize != AlignValueUp(lastSectionEnd, sysInfo.dwPageSize))
 return 1;
- }
 UINT_PTR baseAddress = (UINT_PTR)VirtualAlloc(NULL, alignedImageSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 if (!baseAddress)
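Review bot: The new trailing comment `// 4 bytes size` on the return line does not say what the 4 bytes are or why they are skipped; the hunk's context line shows a sibling `GetExportNameSize`, so presumably the pointer steps over the length field that function reads, but a reader has to guess. Spell it out: `// skip the 4-byte export-name length field that follows the payload; see GetExportNameSize`. The returned pointer is a raw view into the resource and nothing in this hunk guarantees a terminator, so the comment should also tell callers to bound reads with GetExportNameSize rather than treat the result as a C string — confirm that against the resource layout before stating it.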
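Review bot: The restyled section loop keeps `size_t i`, while the other section loop in this file, in the `@@ -228` hunk, keeps `int i` against the same `WORD` NumberOfSections; since both loops were touched for brace style, make them agree on an unsigned index, e.g. `for (WORD i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++, sectionHeader++)`, so there is no signed/unsigned comparison. `endOfSection` is a `DWORD` sum of two header fields and can wrap on a malformed header; the SizeOfImage comparison below would then reject the image only as a side effect, so either an explicit overflow check or a comment stating that the mismatch path is the intended rejection would help. LoadPe continues outside the hunk.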
@@ -133,14 +130,17 @@ int LoadPe(void* dllData, std::string_view callExport)
 auto baseOffset = (UINT_PTR)baseAddress - ntHeaders->OptionalHeader.ImageBase;
 auto dataDir = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
- if (baseOffset && dataDir->Size) {
+ if (baseOffset && dataDir->Size)
+ {
 auto relocation = Rva2Va(baseAddress, dataDir->VirtualAddress);
- while (relocation->VirtualAddress) {
+ while (relocation->VirtualAddress)
+ {
 auto relocList = (PIMAGE_RELOC)(relocation + 1);
- while ((PBYTE)relocList != (PBYTE)relocation + relocation->SizeOfBlock) {
+ while ((PBYTE)relocList != (PBYTE)relocation + relocation->SizeOfBlock)
+ {
 if (relocList->type == IMAGE_REL_BASED_DIR64)
 *(PULONG_PTR)((PBYTE)baseAddress + relocation->VirtualAddress + relocList->offset) += baseOffset;
@@ -180,7 +180,6 @@ int LoadPe(void* dllData, std::string_view callExport)
 // iterate through all imported functions, importing by ordinal if no name present
 for (; origFirstThunk->u1.Function; firstThunk++, origFirstThunk++) {
-
 if (IMAGE_SNAP_BY_ORDINAL(origFirstThunk->u1.Ordinal)) {
 firstThunk->u1.Function = (ULONG_PTR)GetProcAddress((HMODULE)libraryAddress, (LPCSTR)IMAGE_ORDINAL(origFirstThunk->u1.Ordinal));
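Review bot: The relocation walk resolves its directory with `Rva2Va(baseAddress, dataDir->VirtualAddress)`, while the import code in the `@@ -180` and `@@ -204` hunks uses the `RVA(PIMAGE_..., baseAddress, ...)` macro for the same job; pick one helper for LoadPe so a reader does not have to check whether the two differ. The `(PIMAGE_RELOC)(relocation + 1)` and `(PBYTE)` C-style casts in the restyled block are the other style point — `reinterpret_cast` would make the re-interpretations greppable. The relocation loop body continues outside the hunk.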
@@ -204,18 +203,21 @@ int LoadPe(void* dllData, std::string_view callExport)
 {
 auto delayDesc = RVA(PIMAGE_DELAYLOAD_DESCRIPTOR, baseAddress, dataDir->VirtualAddress);
- for (; delayDesc->DllNameRVA; delayDesc++) {
-
+ for (; delayDesc->DllNameRVA; delayDesc++)
+ {
 auto libraryAddress = (PBYTE)LoadLibraryA((LPCSTR)(baseAddress + delayDesc->DllNameRVA));
 auto firstThunk = RVA(PIMAGE_THUNK_DATA, baseAddress, delayDesc->ImportAddressTableRVA);
 auto origFirstThunk = RVA(PIMAGE_THUNK_DATA, baseAddress, delayDesc->ImportNameTableRVA);
 // iterate through all imported functions, importing by ordinal if no name present
- for (; firstThunk->u1.Function; firstThunk++, origFirstThunk++) {
- if (IMAGE_SNAP_BY_ORDINAL(origFirstThunk->u1.Ordinal)) {
+ for (; firstThunk->u1.Function; firstThunk++, origFirstThunk++)
+ {
+ if (IMAGE_SNAP_BY_ORDINAL(origFirstThunk->u1.Ordinal))
+ {
 firstThunk->u1.Function = (ULONG_PTR)GetProcAddress((HMODULE)libraryAddress, (LPCSTR)IMAGE_ORDINAL(origFirstThunk->u1.Ordinal));
 }
- else {
+ else
+ {
 auto importByName = RVA(PIMAGE_IMPORT_BY_NAME, baseAddress, origFirstThunk->u1.AddressOfData);
 firstThunk->u1.Function = (ULONG_PTR)GetProcAddress((HMODULE)libraryAddress, importByName->Name);
 }
@@ -228,10 +230,10 @@ int LoadPe(void* dllData, std::string_view callExport)
 ///
 sectionHeader = IMAGE_FIRST_SECTION(ntHeaders);
- for (int i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++, sectionHeader++) {
-
- if (sectionHeader->SizeOfRawData) {
-
+ for (int i = 0; i < ntHeaders->FileHeader.NumberOfSections; i++, sectionHeader++)
+ {
+ if (sectionHeader->SizeOfRawData)
+ {
 // determine protection flags based on characteristics
 bool executable = (sectionHeader->Characteristics & IMAGE_SCN_MEM_EXECUTE) != 0;
 bool readable = (sectionHeader->Characteristics & IMAGE_SCN_MEM_READ) != 0;
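Review bot: `libraryAddress` from `LoadLibraryA` is passed to `GetProcAddress` in both branches of the restyled inner loop without a null check, and each `GetProcAddress` result is stored into the thunk unchecked, so a missing delay-load DLL or export silently writes a null function pointer into the address table. Fail the load the way the section-size check earlier in LoadPe does, `if (!libraryAddress) return 1;` right after the LoadLibraryA line, and likewise on a null GetProcAddress result. The regular import loop in the `@@ -180` hunk probably has the same shape, though its LoadLibrary call is outside the visible lines. The delay-load loop continues past the end of the hunk.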
@@ -255,9 +257,8 @@ int LoadPe(void* dllData, std::string_view callExport)
 else if (executable && readable && writeable)
 protect = PAGE_EXECUTE_READWRITE;
- if (sectionHeader->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) {
+ if (sectionHeader->Characteristics & IMAGE_SCN_MEM_NOT_CACHED)
 protect |= PAGE_NOCACHE;
- }
 // change memory access flags
 VirtualProtect(RVA(LPVOID, baseAddress, sectionHeader->VirtualAddress), sectionHeader->SizeOfRawData, protect, &protect);
@@ -270,12 +271,14 @@ int LoadPe(void* dllData, std::string_view callExport)
 ///
 // STEP 7.1: Set static TLS values
 ///
- using namespace MWR::Loader;
- UnexportedWinApi::LDR_DATA_TABLE_ENTRY ldrDataTableEntry{};
- ldrDataTableEntry.DllBase = (void*)baseAddress;
- auto ldrpHandleTlsData = UnexportedWinApi::GetLdrpHandleTlsData();
- ldrpHandleTlsData(&ldrDataTableEntry);
+ using namespace MWR::Loader;
+ {
+ UnexportedWinApi::LDR_DATA_TABLE_ENTRY ldrDataTableEntry{};
+ ldrDataTableEntry.DllBase = (void*)baseAddress;
+ auto ldrpHandleTlsData = UnexportedWinApi::GetLdrpHandleTlsData();
+ ldrpHandleTlsData(&ldrDataTableEntry);
+ }
 ///
 // STEP 8: execute TLS callbacks
 ///
@@ -286,16 +289,14 @@ int LoadPe(void* dllData, std::string_view callExport)
 auto tlsDir = RVA(PIMAGE_TLS_DIRECTORY, baseAddress, dataDir->VirtualAddress);
 auto callback = (PIMAGE_TLS_CALLBACK*)(tlsDir->AddressOfCallBacks);
- for (; *callback; callback++) {
+ for (; *callback; callback++)
 (*callback)((LPVOID)baseAddress, DLL_PROCESS_ATTACH, NULL);
- }
 }
 //
 // STEP 8.1: Add Exception handling
 //
 #if defined _WIN64
- // STEP 6.1: Set up Structured Exception Handling (SEH)
 auto pImageEntryException = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION];
 if (pImageEntryException->Size > 0)
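Review bot: `VirtualProtect` on the last context line of this hunk is still called for its side effect only; the braces were dropped around it but the return value stays unchecked, so a failed call leaves the section with the PAGE_EXECUTE_READWRITE protection it received from the initial VirtualAlloc. Check it and bail, `if (!VirtualProtect(RVA(LPVOID, baseAddress, sectionHeader->VirtualAddress), sectionHeader->SizeOfRawData, protect, &oldProtect)) return 1;`, and use a separate `DWORD oldProtect` instead of passing `&protect` as the out-parameter, which overwrites the computed flags. The surrounding section loop starts in the `@@ -228` hunk.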
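Review bot: `using namespace MWR::Loader;` is left outside the new block, so the directive stays in effect for the remainder of LoadPe even though the block was introduced to scope the TLS locals; move it inside the braces, or drop it and qualify the two `UnexportedWinApi::` names, which are already written with a qualifier. A one-line comment on the block would also help, e.g. `// Only DllBase is populated in the LDR_DATA_TABLE_ENTRY handed to LdrpHandleTlsData — TODO confirm that is all it reads`, since nothing in this hunk shows what the unexported routine expects.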
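Review bot: The TLS callback loop now reads `*callback` without braces but still without checking that `tlsDir->AddressOfCallBacks` is non-zero; an image that carries a TLS directory with a zero AddressOfCallBacks, which some toolchains emit when there are no callbacks, makes the first `*callback` a null dereference. Guard the loop: `if (tlsDir->AddressOfCallBacks)` before the `for`. Removing the stale `STEP 6.1` comment under `#if defined _WIN64` is fine; the `pImageEntryException` branch continues outside the hunk.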
@@ -320,7 +321,7 @@ int LoadPe(void* dllData, std::string_view callExport)
 else if (IsWindows8OrGreater())
 ((UnexportedWinApi::RtlInsertInvertedFunctionTableWin8OrGreater)rtlInsertInvertedFunctionTable)((void*)baseAddress, ntHeaders->OptionalHeader.SizeOfImage);
 else
- abort(); // TODO
+ abort(); // TODO
 #endif
@@ -335,7 +336,6 @@ int LoadPe(void* dllData, std::string_view callExport)
 ///
 if (!callExport.empty())
 {
-
 do
 {
 dataDir = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
@@ -349,8 +349,8 @@ int LoadPe(void* dllData, std::string_view callExport)
 auto expName = RVA(PDWORD, baseAddress, exportDir->AddressOfNames);
 auto expOrdinal = RVA(PWORD, baseAddress, exportDir->AddressOfNameOrdinals);
- for (size_t i = 0; i < exportDir->NumberOfNames; i++, expName++, expOrdinal++) {
-
+ for (size_t i = 0; i < exportDir->NumberOfNames; i++, expName++, expOrdinal++)
+ {
 auto expNameStr = RVA(LPCSTR, baseAddress, *expName);
 if (!expNameStr)
diff --git a/Src/CebuLoader/Stdafx.h b/Src/CebuLoader/Stdafx.h
index ada2398..be2c3b6 100644
--- a/Src/CebuLoader/Stdafx.h
+++ b/Src/CebuLoader/Stdafx.h
@@ -21,4 +21,4 @@
 #include //< For VEH constants: EH_MAGIC_NUMBER1, EH_PURE_MAGIC_NUMBER1, EH_EXCEPTION_NUMBER.
 #include //< For _ReturnAddress().
-#include
\ No newline at end of file
+#include
diff --git a/Src/CebuLoader/UnexportedWinApi.cpp b/Src/CebuLoader/UnexportedWinApi.cpp
index dde8ed3..2f0a526 100644
--- a/Src/CebuLoader/UnexportedWinApi.cpp
+++ b/Src/CebuLoader/UnexportedWinApi.cpp
@@ -16,8 +16,6 @@ namespace MWR::Loader::UnexportedWinApi
 #if defined _WIN64
 if (IsWindows10RS3OrGreater())
 {
- // LdrpHandleTlsData
- // 74 33 44 8D 43 09
 auto offset = 0x43;
 if (IsWindows10RS6OrGreater())
 offset = 0x46;
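Review bot: Deleting the `// LdrpHandleTlsData` and byte-listing comments removes the only in-code record of what each `"\x74\x33..."s` literal and its paired offset stand for, and the `@@ -27`, `@@ -73` and `@@ -99` hunks of this file drop the same kind of comment. Replace them with one doc comment on each getter, whose signature sits above the hunk, stating which routine the pattern locates and what the second tuple element is relative to, e.g. `// Returns { byte pattern, offset } used to locate LdrpHandleTlsData on the running Windows version; offset semantics: TODO confirm against the caller`. The RS6-specific `offset = 0x46` adjustment and the remaining `// FIXME handle Win7 revisions` would then read as documented exceptions rather than bare numbers, and the `abort(); // TODO` fall-through should say what a caller on an unsupported version will observe.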
@@ -27,30 +25,15 @@ namespace MWR::Loader::UnexportedWinApi
 return { "\x74\x33\x44\x8d\x43\x09"s, offset };
 }
 else if (IsWindows10RS2OrGreater())
- {
- // LdrpHandleTlsData
- // 74 33 44 8D 43 09
 return { "\x74\x33\x44\x8d\x43\x09"s, 0x43 };
- }
 else if (IsWindows8Point1OrGreater())
- {
- // LdrpHandleTlsData
- // 44 8D 43 09 4C 8D 4C 24 38
 return { "\x44\x8d\x43\x09\x4c\x8d\x4c\x24\x38"s, 0x43 };
- }
 else if (IsWindows8OrGreater())
- {
- // LdrpHandleTlsData
- // 48 8B 79 30 45 8D 66 01
 return { "\x48\x8b\x79\x30\x45\x8d\x66\x01"s, 0x49 };
- }
 else if (IsWindows7OrGreater())
 {
 //const bool update1 = WinVer().revision > 24059;
 const bool update1 = true; // FIXME handle Win7 revisions
-
- // LdrpHandleTlsData
- // 41 B8 09 00 00 00 48 8D 44 24 38
 return { "\x41\xb8\x09\x00\x00\x00\x48\x8d\x44\x24\x38"s, update1 ? 0x23 : 0x27 };
 }
 else
@@ -73,21 +56,13 @@ namespace MWR::Loader::UnexportedWinApi
 return { pattern, offset };
 }
 else if (IsWindows10RS2OrGreater())
- {
 return { "\x8b\xc1\x8d\x4d\xbc\x51"s, 0x18 };
- }
 else if (IsWindows8Point1OrGreater())
- {
 return { "\x50\x6a\x09\x6a\x01\x8b\xc1"s, 0x1B };
- }
 else if (IsWindows8OrGreater())
- {
 return { "\x8b\x45\x08\x89\x45\xa0"s, 0xC };
- }
 else if (IsWindows7OrGreater())
- {
 return { "\x74\x20\x8d\x45\xd4\x50\x6a\x09"s, 0x14 };
- }
 else
 abort(); // TODO
 #else
@@ -99,25 +74,15 @@ namespace MWR::Loader::UnexportedWinApi
 {
 #if defined _WIN32
 if (IsWindows10RS3OrGreater())
- {
 return { "\x53\x56\x57\x8d\x45\xf8\x8b\xfa"s, 0x8 };
- }
 else if (IsWindows10RS2OrGreater())
- {
 return { "\x8d\x45\xf0\x89\x55\xf8\x50\x8d\x55\xf4"s, 0xB };
- }
 else if (IsWindows8Point1OrGreater())
- {
 return { "\x53\x56\x57\x8b\xda\x8b\xf9\x50"s, 0xB };
- }
 else if (IsWindows8OrGreater())
- {
 return { "\x8b\xff\x55\x8b\xec\x51\x51\x53\x57\x8b\x7d\x08\x8d"s, 0 };
- }
 else if (IsWindows7OrGreater())
- {
 return { "\x8b\xff\x55\x8b\xec\x56\x68"s, 0 };
- }
 else
 abort(); // TODO
 #else
diff --git a/Src/CebuLoader/WindowsVersion.cpp b/Src/CebuLoader/WindowsVersion.cpp
index 18389fe..29347fe 100644
--- a/Src/CebuLoader/WindowsVersion.cpp
+++ b/Src/CebuLoader/WindowsVersion.cpp
@@ -28,7 +28,7 @@ namespace MWR::Loader
 auto fullver = (g_WinVer.native.dwMajorVersion << 8) | g_WinVer.native.dwMinorVersion;
 switch (fullver)
 {
- case _WIN32_WINNT_WIN10:
+ case Win32WinNtWIN10:
 if (g_WinVer.native.dwBuildNumber >= Build_RS6)
 g_WinVer.ver = Win10_RS6;
 else if (g_WinVer.native.dwBuildNumber >= Build_RS5)
@@ -45,19 +45,19 @@ namespace MWR::Loader
 g_WinVer.ver = Win10;
 break;
- case _WIN32_WINNT_WINBLUE:
+ case Win32WinNtWINBLUE:
 g_WinVer.ver = Win8Point1;
 break;
- case _WIN32_WINNT_WIN8:
+ case Win32WinNtWIN8:
 g_WinVer.ver = Win8;
 break;
- case _WIN32_WINNT_WIN7:
+ case Win32WinNtWIN7:
 g_WinVer.ver = Win7;
 break;
- case _WIN32_WINNT_WINXP:
+ case Win32WinNtWINXP:
 g_WinVer.ver = WinXP;
 break;
diff --git a/Src/CebuLoader/WindowsVersion.h b/Src/CebuLoader/WindowsVersion.h
index 2e0a76d..58c346c 100644
--- a/Src/CebuLoader/WindowsVersion.h
+++ b/Src/CebuLoader/WindowsVersion.h
@@ -7,20 +7,23 @@ namespace MWR::Loader
 {
-#define _WIN32_WINNT_NT4 0x0400
-#define _WIN32_WINNT_WIN2K 0x0500
-#define _WIN32_WINNT_WINXP 0x0501
-#define _WIN32_WINNT_WS03 0x0502
-#define _WIN32_WINNT_WIN6 0x0600
-#define _WIN32_WINNT_VISTA 0x0600
-#define _WIN32_WINNT_WS08 0x0600
-#define _WIN32_WINNT_LONGHORN 0x0600
-#define _WIN32_WINNT_WIN7 0x0601
-#define _WIN32_WINNT_WIN8 0x0602
-#define _WIN32_WINNT_WINBLUE 0x0603
-#define _WIN32_WINNT_WIN10 0x0A00
+ enum Win32WinNt
+ {
+ Win32WinNtNT4 = 0x0400,
+ Win32WinNtWIN2K = 0x0500,
+ Win32WinNtWINXP = 0x0501,
+ Win32WinNtWS03 = 0x0502,
+ Win32WinNtWIN6 = 0x0600,
+ Win32WinNtVISTA = 0x0600,
+ Win32WinNtWS08 = 0x0600,
+ Win32WinNtLONGHORN = 0x0600,
+ Win32WinNtWIN7 = 0x0601,
+ Win32WinNtWIN8 = 0x0602,
+ Win32WinNtWINBLUE = 0x0603,
+ Win32WinNtWIN10 = 0x0A00,
+ };
- enum eBuildThreshold
+ enum BuildThreshold
 {
 Build_RS0 = 10586,
 Build_RS1 = 14393,
@@ -32,7 +35,7 @@ namespace MWR::Loader
 Build_RS_MAX = 99999,
 };
- enum eVerShort
+ enum VerShort
 {
 WinUnsupported, // Unsupported OS
 WinXP, // Windows XP
@@ -50,7 +53,7 @@ namespace MWR::Loader
 struct WinVersion
 {
- eVerShort ver = WinUnsupported;
+ VerShort ver = WinUnsupported;
 uint32_t revision = 0;
 RTL_OSVERSIONINFOEXW native = { };
 };
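Review bot: The new `Win32WinNt` enum carries no comment on why the `_WIN32_WINNT_*` macros were replaced; those names are also defined by the SDK's `sdkddkver.h`, so presumably the macro block risked redefining SDK macros inside a namespace, and that deserves a line above the enum: `// Version constants mirroring the SDK's _WIN32_WINNT_* values, written as enumerators so this header does not redefine SDK macros.`. Four enumerators share `0x0600`; a short note that WIN6, VISTA, WS08 and LONGHORN are intentional aliases would stop a reader from treating the repetition as a typo. An explicit underlying type, `enum Win32WinNt : uint16_t`, would also document that HIBYTE/LOBYTE split a 16-bit value, and `uint32_t` is already used further down in this header.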
@@ -90,92 +93,92 @@ namespace MWR::Loader
 inline bool IsWindowsXPOrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINXP), LOBYTE(_WIN32_WINNT_WINXP), 0, 0);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWINXP), LOBYTE(Win32WinNtWINXP), 0, 0);
 }
 inline bool IsWindowsXPSP1OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINXP), LOBYTE(_WIN32_WINNT_WINXP), 1, 0);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWINXP), LOBYTE(Win32WinNtWINXP), 1, 0);
 }
 inline bool IsWindowsXPSP2OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINXP), LOBYTE(_WIN32_WINNT_WINXP), 2, 0);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWINXP), LOBYTE(Win32WinNtWINXP), 2, 0);
 }
 inline bool IsWindowsXPSP3OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINXP), LOBYTE(_WIN32_WINNT_WINXP), 3, 0);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWINXP), LOBYTE(Win32WinNtWINXP), 3, 0);
 }
 inline bool IsWindowsVistaOrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_VISTA), LOBYTE(_WIN32_WINNT_VISTA), 0, 0);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtVISTA), LOBYTE(Win32WinNtVISTA), 0, 0);
 }
 inline bool IsWindowsVistaSP1OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_VISTA), LOBYTE(_WIN32_WINNT_VISTA), 1, 0);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtVISTA), LOBYTE(Win32WinNtVISTA), 1, 0);
 }
 inline bool IsWindowsVistaSP2OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_VISTA), LOBYTE(_WIN32_WINNT_VISTA), 2, 0);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtVISTA), LOBYTE(Win32WinNtVISTA), 2, 0);
 }
 inline bool IsWindows7OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN7), LOBYTE(_WIN32_WINNT_WIN7), 0, 0);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWIN7), LOBYTE(Win32WinNtWIN7), 0, 0);
 }
 inline bool IsWindows7SP1OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN7), LOBYTE(_WIN32_WINNT_WIN7), 1, 0);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWIN7), LOBYTE(Win32WinNtWIN7), 1, 0);
 }
 inline bool IsWindows8OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN8), LOBYTE(_WIN32_WINNT_WIN8), 0, 0);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWIN8), LOBYTE(Win32WinNtWIN8), 0, 0);
 }
 inline bool IsWindows8Point1OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINBLUE), LOBYTE(_WIN32_WINNT_WINBLUE), 0, 0);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWINBLUE), LOBYTE(Win32WinNtWINBLUE), 0, 0);
 }
 inline bool IsWindows10OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN10), LOBYTE(_WIN32_WINNT_WIN10), 0, 0);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWIN10), LOBYTE(Win32WinNtWIN10), 0, 0);
 }
 inline bool IsWindows10RS1OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN10), LOBYTE(_WIN32_WINNT_WIN10), 0, Build_RS1);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWIN10), LOBYTE(Win32WinNtWIN10), 0, Build_RS1);
 }
 inline bool IsWindows10RS2OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN10), LOBYTE(_WIN32_WINNT_WIN10), 0, Build_RS2);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWIN10), LOBYTE(Win32WinNtWIN10), 0, Build_RS2);
 }
 inline bool IsWindows10RS3OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN10), LOBYTE(_WIN32_WINNT_WIN10), 0, Build_RS3);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWIN10), LOBYTE(Win32WinNtWIN10), 0, Build_RS3);
 }
 inline bool IsWindows10RS4OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN10), LOBYTE(_WIN32_WINNT_WIN10), 0, Build_RS4);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWIN10), LOBYTE(Win32WinNtWIN10), 0, Build_RS4);
 }
 inline bool IsWindows10RS5OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN10), LOBYTE(_WIN32_WINNT_WIN10), 0, Build_RS5);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWIN10), LOBYTE(Win32WinNtWIN10), 0, Build_RS5);
 }
 inline bool IsWindows10RS6OrGreater()
 {
- return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN10), LOBYTE(_WIN32_WINNT_WIN10), 0, Build_RS6);
+ return IsWindowsVersionOrGreater(HIBYTE(Win32WinNtWIN10), LOBYTE(Win32WinNtWIN10), 0, Build_RS6);
 }
 inline bool IsWindowsServer()