Add support for ReflectiveLoader

bb107 · bb107 · commit c958100b8b88 · 2023-04-30T16:55:08.000+08:00
diff --git a/MemoryModule/Initialize.cpp b/MemoryModule/Initialize.cpp
@@ -1,5 +1,7 @@
 #include "stdafx.h"
+#include "LoaderPrivate.h"
 #include <wchar.h>
+#include <cassert>
 
 PMMP_GLOBAL_DATA MmpGlobalDataPtr;
 
@@ -489,9 +491,42 @@ NTSTATUS NTAPI Initialize() {
 }
 
 #ifdef _USRDLL
+extern "C" __declspec(dllexport) BOOL WINAPI ReflectiveMapDll(HMODULE hModule) {
+	PIMAGE_NT_HEADERS headers = RtlImageNtHeader(hModule);
+
+	headers->OptionalHeader.ImageBase = (SIZE_T)hModule;
+
+	NTSTATUS status = MmpInitializeStructure(0, nullptr, headers);
+	if (!NT_SUCCESS(status))return FALSE;
+
+	PMEMORYMODULE module = MapMemoryModuleHandle(hModule);
+	if (!module)return FALSE;
+
+	PLDR_DATA_TABLE_ENTRY ModuleEntry;
+	status = LdrMapDllMemory(hModule, 0, nullptr, nullptr, &ModuleEntry);
+	if (!NT_SUCCESS(status))return FALSE;
+
+	status = RtlInsertInvertedFunctionTable(hModule, headers->OptionalHeader.SizeOfImage);
+	if (!NT_SUCCESS(status)) return FALSE;
+
+	module->InsertInvertedFunctionTableEntry = true;
+	module->MappedDll = true;
+	module->LdrEntry = ModuleEntry;
+
+	return TRUE;
+}
+
 BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved) {
 	if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
-		return NT_SUCCESS(Initialize());
+		if (NT_SUCCESS(Initialize())) {
+			if (lpReserved == (PVOID)-1) {
+				assert(ReflectiveMapDll(hModule));
+			}
+
+			return TRUE;
+		}
+
+		return FALSE;
 	}
 
 	return TRUE;
diff --git a/MemoryModule/Loader.cpp b/MemoryModule/Loader.cpp
@@ -1,6 +1,6 @@
 #include "stdafx.h"
 
-static NTSTATUS NTAPI LdrMapDllMemory(
+NTSTATUS NTAPI LdrMapDllMemory(
 	_In_ HMEMORYMODULE ViewBase,
 	_In_ DWORD dwFlags,
 	_In_opt_ PCWSTR DllName,
diff --git a/MemoryModule/LoaderPrivate.h b/MemoryModule/LoaderPrivate.h
@@ -0,0 +1,9 @@
+#pragma once
+
+NTSTATUS NTAPI LdrMapDllMemory(
+	_In_ HMEMORYMODULE ViewBase,
+	_In_ DWORD dwFlags,
+	_In_opt_ PCWSTR DllName,
+	_In_opt_ PCWSTR lpFullDllName,
+	_Out_opt_ PLDR_DATA_TABLE_ENTRY* DataTableEntry
+);
diff --git a/MemoryModule/MemoryModule.cpp b/MemoryModule/MemoryModule.cpp
@@ -55,6 +55,36 @@ BOOL WINAPI IsValidMemoryModuleHandle(HMEMORYMODULE hModule) {
 	return MapMemoryModuleHandle(hModule) != nullptr;
 }
 
+NTSTATUS MmpInitializeStructure(DWORD ImageFileSize, LPCVOID ImageFileBuffer, PIMAGE_NT_HEADERS ImageHeaders) {
+
+	if (!ImageHeaders)return STATUS_ACCESS_VIOLATION;
+
+	//
+	// Make sure there have enough free space to embed our structure.
+	//
+	int sizeOfHeaders = MmpSizeOfImageHeadersUnsafe((PVOID)ImageHeaders->OptionalHeader.ImageBase);
+	PIMAGE_SECTION_HEADER pSections = IMAGE_FIRST_SECTION(ImageHeaders);
+	for (int i = 0; i < ImageHeaders->FileHeader.NumberOfSections; ++i) {
+		if (pSections[i].VirtualAddress < sizeOfHeaders + sizeof(MEMORYMODULE)) {
+			return STATUS_NOT_SUPPORTED;
+		}
+	}
+
+	//
+	// Setup MemoryModule structure.
+	//
+	PMEMORYMODULE hMemoryModule = (PMEMORYMODULE)(ImageHeaders->OptionalHeader.ImageBase + sizeOfHeaders);
+	RtlZeroMemory(hMemoryModule, sizeof(MEMORYMODULE));
+	hMemoryModule->codeBase = (PBYTE)ImageHeaders->OptionalHeader.ImageBase;
+	hMemoryModule->dwImageFileSize = ImageFileSize;
+	hMemoryModule->Signature = MEMORY_MODULE_SIGNATURE;
+	hMemoryModule->SizeofHeaders = ImageHeaders->OptionalHeader.SizeOfHeaders;
+	hMemoryModule->lpReserved = (LPVOID)ImageFileBuffer;
+	hMemoryModule->dwReferenceCount = 1;
+
+	return STATUS_SUCCESS;
+}
+
 
 NTSTATUS MemoryResolveImportTable(
 	_In_ LPBYTE base,
@@ -280,31 +310,13 @@ NTSTATUS MemoryLoadLibrary(
 	);
 	new_header->OptionalHeader.ImageBase = (size_t)base;
 
-	//
-	// Make sure there have enough free space to embed our structure.
-	//
-	int sizeOfHeaders = MmpSizeOfImageHeadersUnsafe(base);
-	PIMAGE_SECTION_HEADER pSections = IMAGE_FIRST_SECTION(new_header);
-	for (int i = 0; i < new_header->FileHeader.NumberOfSections; ++i) {
-		if (pSections[i].VirtualAddress < sizeOfHeaders + sizeof(MEMORYMODULE)) {
-			status = STATUS_NOT_SUPPORTED;
-			return status;
-		}
-	}
-
-	//
-	// Setup MemoryModule structure.
-	//
-	PMEMORYMODULE hMemoryModule = (PMEMORYMODULE)(base + sizeOfHeaders);
-	RtlZeroMemory(hMemoryModule, sizeof(MEMORYMODULE));
-	hMemoryModule->codeBase = base;
-	hMemoryModule->dwImageFileSize = size;
-	hMemoryModule->Signature = MEMORY_MODULE_SIGNATURE;
-	hMemoryModule->SizeofHeaders = old_header->OptionalHeader.SizeOfHeaders;
-	hMemoryModule->lpReserved = (LPVOID)data;
-	hMemoryModule->dwReferenceCount = 1;
-
 	do {
+		//
+		// Setup MEMORYMODULE structure.
+		//
+		status = MmpInitializeStructure(size, data, new_header);
+		if (!NT_SUCCESS(status)) break;
+
 		//
 		// Allocate and copy sections
 		//
diff --git a/MemoryModule/MemoryModule.h b/MemoryModule/MemoryModule.h
@@ -88,6 +88,12 @@ extern "C" {
 
 	PMEMORYMODULE WINAPI MapMemoryModuleHandle(HMEMORYMODULE hModule);
 
+	NTSTATUS MmpInitializeStructure(
+		DWORD ImageFileSize,
+		LPCVOID ImageFileBuffer,
+		PIMAGE_NT_HEADERS ImageHeaders
+	);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/MemoryModule/MemoryModule.vcxproj b/MemoryModule/MemoryModule.vcxproj
@@ -55,6 +55,20 @@
     <ClCompile Include="InvertedFunctionTable.cpp" />
     <ClCompile Include="LdrEntry.cpp" />
     <ClCompile Include="BaseAddressIndex.cpp" />
+    <ClCompile Include="ReflectiveLoader.c">
+      <SupportJustMyCode Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</SupportJustMyCode>
+      <SupportJustMyCode Condition="'$(Configuration)|$(Platform)'=='DebugDll|Win32'">false</SupportJustMyCode>
+      <SupportJustMyCode Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</SupportJustMyCode>
+      <SupportJustMyCode Condition="'$(Configuration)|$(Platform)'=='DebugDll|x64'">false</SupportJustMyCode>
+      <BufferSecurityCheck Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</BufferSecurityCheck>
+      <BufferSecurityCheck Condition="'$(Configuration)|$(Platform)'=='ReleaseDll|Win32'">false</BufferSecurityCheck>
+      <BufferSecurityCheck Condition="'$(Configuration)|$(Platform)'=='DebugDll|Win32'">false</BufferSecurityCheck>
+      <BufferSecurityCheck Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</BufferSecurityCheck>
+      <BufferSecurityCheck Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</BufferSecurityCheck>
+      <BufferSecurityCheck Condition="'$(Configuration)|$(Platform)'=='ReleaseDll|x64'">false</BufferSecurityCheck>
+      <BufferSecurityCheck Condition="'$(Configuration)|$(Platform)'=='DebugDll|x64'">false</BufferSecurityCheck>
+      <BufferSecurityCheck Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</BufferSecurityCheck>
+    </ClCompile>
     <ClCompile Include="Utils.cpp" />
   </ItemGroup>
   <ItemGroup>
@@ -92,6 +106,7 @@
     <ClInclude Include="..\3rdparty\phnt\include\subprocesstag.h" />
     <ClInclude Include="..\3rdparty\phnt\include\winsta.h" />
     <ClInclude Include="LoadDllMemoryApi.h" />
+    <ClInclude Include="LoaderPrivate.h" />
     <ClInclude Include="MemoryModule.h" />
     <ClInclude Include="MmpDotNet.h" />
     <ClInclude Include="MmpGlobalData.h" />
@@ -100,6 +115,8 @@
     <ClInclude Include="BaseAddressIndex.h" />
     <ClInclude Include="InvertedFunctionTable.h" />
     <ClInclude Include="LdrEntry.h" />
+    <ClInclude Include="ReflectiveDLLInjection.h" />
+    <ClInclude Include="ReflectiveLoader.h" />
     <ClInclude Include="stdafx.h" />
     <ClInclude Include="Utils.h" />
   </ItemGroup>
diff --git a/MemoryModule/MemoryModule.vcxproj.filters b/MemoryModule/MemoryModule.vcxproj.filters
@@ -28,6 +28,12 @@
     <Filter Include="Header Files\3rdparty\phnt">
       <UniqueIdentifier>{e1243ce3-529c-401e-83a4-fe009cda27b1}</UniqueIdentifier>
     </Filter>
+    <Filter Include="Header Files\3rdparty\ReflectiveLoader">
+      <UniqueIdentifier>{3e49fb44-9cfb-4a48-b497-6fe396e1a258}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\3rdparty\ReflectiveLoader">
+      <UniqueIdentifier>{4bbbea53-468a-49af-9b66-b61471058da1}</UniqueIdentifier>
+    </Filter>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="MemoryModule.cpp">
@@ -93,6 +99,9 @@
     <ClCompile Include="MmpLdrpTls.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="ReflectiveLoader.c">
+      <Filter>Source Files\3rdparty\ReflectiveLoader</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="MemoryModule.h">
@@ -227,6 +236,15 @@
     <ClInclude Include="MmpGlobalData.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="ReflectiveLoader.h">
+      <Filter>Header Files\3rdparty\ReflectiveLoader</Filter>
+    </ClInclude>
+    <ClInclude Include="ReflectiveDLLInjection.h">
+      <Filter>Header Files\3rdparty\ReflectiveLoader</Filter>
+    </ClInclude>
+    <ClInclude Include="LoaderPrivate.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <None Include="..\README.md">
diff --git a/MemoryModule/ReflectiveDLLInjection.h b/MemoryModule/ReflectiveDLLInjection.h
@@ -0,0 +1,51 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+//===============================================================================================//
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+
+// we declare some common stuff in here...
+
+#define DLL_QUERY_HMODULE		6
+
+#define DEREF( name )*(UINT_PTR *)(name)
+#define DEREF_64( name )*(DWORD64 *)(name)
+#define DEREF_32( name )*(DWORD *)(name)
+#define DEREF_16( name )*(WORD *)(name)
+#define DEREF_8( name )*(BYTE *)(name)
+
+typedef ULONG_PTR(WINAPI* REFLECTIVELOADER)(VOID);
+typedef BOOL(WINAPI* DLLMAIN)(HINSTANCE, DWORD, LPVOID);
+
+#define DLLEXPORT   __declspec( dllexport ) 
+
+//===============================================================================================//
+#endif
+//===============================================================================================//
diff --git a/MemoryModule/ReflectiveLoader.c b/MemoryModule/ReflectiveLoader.c
diff --git a/MemoryModule/ReflectiveLoader.h b/MemoryModule/ReflectiveLoader.h
diff --git a/test/test.cpp b/test/test.cpp
