
Commit 8e01bbb

committed
refactoring
1 parent e64ee25 commit 8e01bbb


6 files changed

+104
-80
lines changed


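--- a/MemoryModule/BaseAddressIndex.cpp
+++ b/MemoryModule/BaseAddressIndex.cpp
@@ -1,25 +1,43 @@
 #include "stdafx.h"
 
+VOID RtlRbInsertNodeEx(
+_In_ PRTL_RB_TREE Tree,
+_In_ PRTL_BALANCED_NODE Parent,
+_In_ BOOLEAN Right,
+_Out_ PRTL_BALANCED_NODE Node) {
+RtlZeroMemory(Node, sizeof(*Node));
+
+if (!MmpGlobalDataPtr->MmpBaseAddressIndex->_RtlRbInsertNodeEx)return;
+return decltype(&RtlRbInsertNodeEx)(MmpGlobalDataPtr->MmpBaseAddressIndex->_RtlRbInsertNodeEx)(Tree, Parent, Right, Node);
+}
+
+VOID RtlRbRemoveNode(
+_In_ PRTL_RB_TREE Tree,
+_In_ PRTL_BALANCED_NODE Node) {
+if (!MmpGlobalDataPtr->MmpBaseAddressIndex->_RtlRbRemoveNode)return;
+return decltype(&RtlRbRemoveNode)(MmpGlobalDataPtr->MmpBaseAddressIndex->_RtlRbRemoveNode)(Tree, Node);
+}
+
 NTSTATUS NTAPI RtlInsertModuleBaseAddressIndexNode(
 _In_ PLDR_DATA_TABLE_ENTRY DataTableEntry,
 _In_ PVOID BaseAddress) {
 auto LdrpModuleBaseAddressIndex = MmpGlobalDataPtr->MmpBaseAddressIndex->LdrpModuleBaseAddressIndex;
 if (!LdrpModuleBaseAddressIndex)return STATUS_UNSUCCESSFUL;
 
-PLDR_DATA_TABLE_ENTRY_WIN8 LdrNode = decltype(LdrNode)((size_t)LdrpModuleBaseAddressIndex - offsetof(LDR_DATA_TABLE_ENTRY_WIN8, BaseAddressIndexNode));
+PLDR_DATA_TABLE_ENTRY_WIN8 LdrNode = CONTAINING_RECORD(LdrpModuleBaseAddressIndex, LDR_DATA_TABLE_ENTRY_WIN8, BaseAddressIndexNode);
 bool bRight = false;
-const auto i = offsetof(LDR_DATA_TABLE_ENTRY_WIN8, BaseAddressIndexNode);
+
 while (true) {
 if (BaseAddress < LdrNode->DllBase) {
 if (!LdrNode->BaseAddressIndexNode.Left)break;
-LdrNode = decltype(LdrNode)((size_t)LdrNode->BaseAddressIndexNode.Left - offsetof(LDR_DATA_TABLE_ENTRY_WIN8, BaseAddressIndexNode));
+LdrNode = CONTAINING_RECORD(LdrNode->BaseAddressIndexNode.Left, LDR_DATA_TABLE_ENTRY_WIN8, BaseAddressIndexNode);
 }
 else if (BaseAddress > LdrNode->DllBase) {
 if (!LdrNode->BaseAddressIndexNode.Right) {
 bRight = true;
 break;
 }
-LdrNode = decltype(LdrNode)((size_t)LdrNode->BaseAddressIndexNode.Right - offsetof(LDR_DATA_TABLE_ENTRY_WIN8, BaseAddressIndexNode));
+LdrNode = CONTAINING_RECORD(LdrNode->BaseAddressIndexNode.Right, LDR_DATA_TABLE_ENTRY_WIN8, BaseAddressIndexNode);
 }
 else {
 LdrNode->DdagNode->LoadCount++;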
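Review bot: The relocated wrappers at new lines 3 and 14 drop the `NTAPI` that the deleted declarations in LdrEntry.h and LdrEntry.cpp carried, and the call sites now build their function-pointer type from the wrapper itself via `decltype(&RtlRbInsertNodeEx)` / `decltype(&RtlRbRemoveNode)`, so the convention used to call the ntdll export follows the wrapper's signature. On x64 the conventions coincide, which is presumably why this runs; on a 32-bit build the `__stdcall` export would be called through a default-convention pointer and the stack would be left unbalanced. Restoring the qualifier on both signatures, `VOID NTAPI RtlRbInsertNodeEx(` and `VOID NTAPI RtlRbRemoveNode(`, fixes the cast type as a side effect. No replacement declaration for the two wrappers is visible in this commit; if none exists elsewhere, other translation units that call them will need one. RtlInsertModuleBaseAddressIndexNode continues past the end of the hunk.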

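--- a/MemoryModule/Initialize.cpp
+++ b/MemoryModule/Initialize.cpp
@@ -269,7 +269,7 @@ VOID InitializeWindowsVersion() {
 }
 }
 else {
-// [13494, 15063)
+// [14393, 15063)
 version = WINDOWS_VERSION::win10_1;
 LdrDataTableEntrySize = sizeof(LDR_DATA_TABLE_ENTRY_WIN10_1);
 }
@@ -415,12 +415,11 @@ NTSTATUS InitializeLockHeld() {
 MmpGlobalDataPtr->MmpTls = (PMMP_TLS_DATA)((LPBYTE)MmpGlobalDataPtr->MmpLdrEntry + sizeof(MMP_LDR_ENTRY_DATA));
 MmpGlobalDataPtr->MmpDotNet = (PMMP_DOT_NET_DATA)((LPBYTE)MmpGlobalDataPtr->MmpTls + sizeof(MMP_TLS_DATA));
 
-MmpGlobalDataPtr->MmpBaseAddressIndex->NtdllLdrEntry = RtlFindLdrTableEntryByBaseName(L"ntdll.dll");
+PLDR_DATA_TABLE_ENTRY pNtdllEntry = RtlFindLdrTableEntryByBaseName(L"ntdll.dll");
+MmpGlobalDataPtr->MmpBaseAddressIndex->NtdllLdrEntry = pNtdllEntry;
 MmpGlobalDataPtr->MmpBaseAddressIndex->LdrpModuleBaseAddressIndex = FindLdrpModuleBaseAddressIndex();
-
-HMODULE hNtdll = (HMODULE)MmpGlobalDataPtr->MmpBaseAddressIndex->NtdllLdrEntry->DllBase;
-MmpGlobalDataPtr->MmpLdrEntry->_RtlRbInsertNodeEx = decltype(&RtlRbInsertNodeEx)(GetProcAddress(hNtdll, "RtlRbInsertNodeEx"));
-MmpGlobalDataPtr->MmpLdrEntry->_RtlRbRemoveNode = decltype(&RtlRbRemoveNode)(GetProcAddress(hNtdll, "RtlRbRemoveNode"));
+MmpGlobalDataPtr->MmpBaseAddressIndex->_RtlRbInsertNodeEx = GetProcAddress((HMODULE)pNtdllEntry->DllBase, "RtlRbInsertNodeEx");
+MmpGlobalDataPtr->MmpBaseAddressIndex->_RtlRbRemoveNode = GetProcAddress((HMODULE)pNtdllEntry->DllBase, "RtlRbRemoveNode");
 
 MmpGlobalDataPtr->MmpLdrEntry->LdrpHashTable = FindLdrpHashTable();
 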
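Review bot: `pNtdllEntry->DllBase` at new lines 421–422 is dereferenced without checking that `RtlFindLdrTableEntryByBaseName` found the entry; the removed code did the same through `NtdllLdrEntry->DllBase`, but now that the result has its own local this is the natural place to guard it, e.g. `if (!pNtdllEntry) return STATUS_UNSUCCESSFUL;` immediately after the lookup. In practice ntdll is always present in the loader list, so this is a robustness point rather than a live crash. The two `GetProcAddress` results are stored unchecked as `PVOID`; that is acceptable only because the wrappers in BaseAddressIndex.cpp test the field for null before calling, which is worth a short comment here, e.g. `// may be NULL on older Windows; the wrappers check before use`. InitializeLockHeld starts and ends outside the hunk.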
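--- a/MemoryModule/LdrEntry.cpp
+++ b/MemoryModule/LdrEntry.cpp
@@ -281,24 +281,6 @@ VOID NTAPI RtlInsertMemoryTableEntry(_In_ PLDR_DATA_TABLE_ENTRY LdrEntry) {
 InsertTailList(&PebData->InInitializationOrderModuleList, &LdrEntry->InInitializationOrderLinks);
 }
 
-VOID NTAPI RtlRbInsertNodeEx(
-_In_ PRTL_RB_TREE Tree,
-_In_ PRTL_BALANCED_NODE Parent,
-_In_ BOOLEAN Right,
-_Out_ PRTL_BALANCED_NODE Node) {
-RtlZeroMemory(Node, sizeof(*Node));
-
-if (!MmpGlobalDataPtr->MmpLdrEntry->_RtlRbInsertNodeEx)return;
-return MmpGlobalDataPtr->MmpLdrEntry->_RtlRbInsertNodeEx(Tree, Parent, Right, Node);
-}
-
-VOID NTAPI RtlRbRemoveNode(
-_In_ PRTL_RB_TREE Tree,
-_In_ PRTL_BALANCED_NODE Node) {
-if (!MmpGlobalDataPtr->MmpLdrEntry->_RtlRbRemoveNode)return;
-return MmpGlobalDataPtr->MmpLdrEntry->_RtlRbRemoveNode(Tree, Node);
-}
-
 PLDR_DATA_TABLE_ENTRY NTAPI RtlFindLdrTableEntryByHandle(_In_ PVOID BaseAddress) {
 PLIST_ENTRY ListHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList, ListEntry = ListHead->Flink;
 PLDR_DATA_TABLE_ENTRY CurEntry;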

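--- a/MemoryModule/LdrEntry.h
+++ b/MemoryModule/LdrEntry.h
@@ -62,18 +62,6 @@ PLDR_DATA_TABLE_ENTRY NTAPI RtlFindLdrTableEntryByBaseName(_In_z_ PCWSTR BaseNam
 #define LDR_GET_HASH_ENTRY(x) (RtlUpcaseUnicodeChar((x)) & (LDR_HASH_TABLE_ENTRIES - 1))
 #define LDR_HASH_TABLE_ENTRIES 32
 
-VOID NTAPI RtlRbInsertNodeEx(
-_In_ PRTL_RB_TREE Tree,
-_In_ PRTL_BALANCED_NODE Parent,
-_In_ BOOLEAN Right,
-_Out_ PRTL_BALANCED_NODE Node
-);
-
-VOID NTAPI RtlRbRemoveNode(
-_In_ PRTL_RB_TREE Tree,
-_In_ PRTL_BALANCED_NODE Node
-);
-
 struct _LDR_DDAG_NODE_WIN8 {
 _LIST_ENTRY Modules; //0x0
 _LDR_SERVICE_TAG_RECORD* ServiceTagList; //0x10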

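--- a/MemoryModule/MmpGlobalData.h
+++ b/MemoryModule/MmpGlobalData.h
@@ -4,6 +4,9 @@
 typedef struct _MMP_BASE_ADDRESS_INDEX_DATA {
 PRTL_RB_TREE LdrpModuleBaseAddressIndex;
 PLDR_DATA_TABLE_ENTRY NtdllLdrEntry;
+
+PVOID _RtlRbInsertNodeEx;
+PVOID _RtlRbRemoveNode;
 }MMP_BASE_ADDRESS_INDEX_DATA, * PMMP_BASE_ADDRESS_INDEX_DATA;
 
 //InvertedFunctionTable.cpp
@@ -14,9 +17,6 @@ typedef struct _MMP_INVERTED_FUNCTION_TABLE_DATA {
 //LdrEntry.cpp
 typedef struct _MMP_LDR_ENTRY_DATA {
 PLIST_ENTRY LdrpHashTable;
-
-decltype(&RtlRbInsertNodeEx)_RtlRbInsertNodeEx;
-decltype(&RtlRbRemoveNode)_RtlRbRemoveNode;
 }MMP_LDR_ENTRY_DATA, * PMMP_LDR_ENTRY_DATA;
 
 //MmpTls.cpp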
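Review bot: The two `PVOID` members added at new lines 8–9 replace typed `decltype(&...)` pointers, so the header no longer records which signature and calling convention they are expected to hold; that contract now lives only in the casts in BaseAddressIndex.cpp, and any future caller that casts differently will compile without complaint. A short comment above the pair would keep it visible, e.g. `// ntdll!RtlRbInsertNodeEx / ntdll!RtlRbRemoveNode resolved at initialization; NULL when the export is absent, cast to the matching NTAPI function type before calling`. If the untyped fields exist only to avoid a header dependency on the wrapper declarations, a forward-declared function typedef would give the same decoupling without losing the type.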

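--- a/test/test.cpp
+++ b/test/test.cpp
@@ -19,52 +19,89 @@ static PVOID ReadDllFile(LPCSTR FileName) {
 }
 
 int test() {
-HMODULE hModule;
-NTSTATUS status;
-PVOID buffer = ReadDllFile("a.dll");
-if (!buffer) return 0;
+LPVOID buffer = ReadDllFile("a.dll");
 
-status = LdrLoadDllMemoryExW(
-&hModule, // ModuleHandle
-nullptr, // LdrEntry
-0, // Flags
-buffer, // Buffer
-0, // Reserved
-nullptr, // DllBaseName
-nullptr // DllFullName
-);
-if (NT_SUCCESS(status) && status != STATUS_IMAGE_MACHINE_TYPE_MISMATCH) {
+HMEMORYMODULE m1 = nullptr, m2 = m1;
+HMODULE hModule = nullptr;
+FARPROC pfn = nullptr;
+DWORD MemoryModuleFeatures = 0;
 
-typedef int(__stdcall* func)();
-func test_user32 = (func)GetProcAddress(hModule, "test_user32");
-test_user32();
+typedef int(*_exception)(int code);
+_exception exception = nullptr;
+HRSRC hRsrc;
+DWORD SizeofRes;
+HGLOBAL gRes;
+char str[10];
 
-//
-// After calling MessageBox, we can't free it.
-//
-//LdrUnloadDllMemory(hModule);
+LdrQuerySystemMemoryModuleFeatures(&MemoryModuleFeatures);
+if (MemoryModuleFeatures != MEMORY_FEATURE_ALL) {
+printf("not support all features on this version of windows.\n");
 }
 
-return 0;
-}
+if (!NT_SUCCESS(LdrLoadDllMemoryExW(&m1, nullptr, 0, buffer, 0, L"kernel64", nullptr))) goto end;
+LoadLibraryW(L"wininet.dll");
+if (!NT_SUCCESS(LdrLoadDllMemoryExW(&m2, nullptr, 0, buffer, 0, L"kernel128", nullptr))) goto end;
 
-int main() {
-if (MmpGlobalDataPtr->WindowsVersion == WINDOWS_VERSION::win11) {
-auto head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;
-auto entry = head->Flink;
-while (entry != head) {
-PLDR_DATA_TABLE_ENTRY_WIN11 __entry = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY_WIN11, InLoadOrderLinks);
-wprintf(L"%s\t0x%08X, 0x%08X, 0x%p, %d\n",
-__entry->BaseDllName.Buffer,
-__entry->CheckSum,
-RtlImageNtHeader(__entry->DllBase)->OptionalHeader.CheckSum,
-__entry->ActivePatchImageBase,
-__entry->HotPatchState
-);
+//forward export
+hModule = (HMODULE)m1;
+pfn = (decltype(pfn))(GetProcAddress(hModule, "Socket")); //ws2_32.WSASocketW
+pfn = (decltype(pfn))(GetProcAddress(hModule, "VerifyTruse")); //wintrust.WinVerifyTrust
+hModule = (HMODULE)m2;
+pfn = (decltype(pfn))(GetProcAddress(hModule, "Socket"));
+pfn = (decltype(pfn))(GetProcAddress(hModule, "VerifyTruse"));
+
+//exception
+hModule = (HMODULE)m1;
+exception = (_exception)GetProcAddress(hModule, "exception");
+if (exception) {
+for (int i = 0; i < 5; ++i)exception(i);
+}
 
-entry = entry->Flink;
+//tls
+pfn = GetProcAddress(hModule, "thread");
+if (pfn && pfn()) {
+printf("thread test failed.\n");
+}
+
+//resource
+if (!LoadStringA(hModule, 101, str, 10)) {
+printf("load string failed.\n");
+}
+else {
+printf("%s\n", str);
+}
+if (!(hRsrc = FindResourceA(hModule, MAKEINTRESOURCEA(102), "BINARY"))) {
+printf("find binary resource failed.\n");
+}
+else {
+if ((SizeofRes = SizeofResource(hModule, hRsrc)) != 0x10) {
+printf("invalid res size.\n");
+}
+else {
+if (!(gRes = LoadResource(hModule, hRsrc))) {
+printf("load res failed.\n");
+}
+else {
+if (!LockResource(gRes))printf("lock res failed.\n");
+else {
+printf("resource test success.\n");
+}
+}
 }
 }
 
+end:
+delete[]buffer;
+if (m1)LdrUnloadDllMemory(m1);
+FreeLibrary(LoadLibraryW(L"wininet.dll"));
+FreeLibrary(GetModuleHandleW(L"wininet.dll"));
+if (m2)LdrUnloadDllMemory(m2);
+
+return 0;
+}
+
+int main() {
+test();
+
 return 0;
 }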
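Review bot: The `if (!buffer) return 0;` guard on the `ReadDllFile` result is dropped at new line 22, so a missing or unreadable a.dll now passes a null buffer into `LdrLoadDllMemoryExW` and the test depends on that call rejecting it; keep the guard, `if (!buffer) return 0;`, directly after the read. `delete[]buffer;` at new line 94 applies `delete[]` to an `LPVOID`, which is undefined because the element type is unknown (and some compilers reject it outright); `ReadDllFile`'s body starts outside the hunk, so I cannot see what it allocates, but the pointer should be freed through the same type and allocator it was obtained with. `LoadStringA(hModule, 101, str, 10)` at line 67 hard-codes the size of `str`; `sizeof str` ties the two together so a later resize cannot overflow the buffer.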
