bb107
diff --git a/‎MemoryModule/MemoryModule.cpp‎
Lines changed: 60 additions & 54 deletions b/‎MemoryModule/MemoryModule.cpp‎
Lines changed: 60 additions & 54 deletions
diff --git a/‎MemoryModule/MemoryModule.h‎
Lines changed: 1 addition & 1 deletion b/‎MemoryModule/MemoryModule.h‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎MemoryModule/Native.cpp‎
Lines changed: 21 additions & 0 deletions b/‎MemoryModule/Native.cpp‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎MemoryModule/Native.h‎
Lines changed: 81 additions & 0 deletions b/‎MemoryModule/Native.h‎
Lines changed: 81 additions & 0 deletions
@@ -4,6 +4,7 @@
 #include <tchar.h>
 #include "rtltype.h"
 #include "ntstatus.h"
+#include "Native.h"
 #include <algorithm>
 
 #if _MSC_VER
@@ -134,7 +135,7 @@ static BOOL CheckSize(size_t size, size_t expected) {
 	return TRUE;
 }
 
-static BOOL CopySections(const unsigned char* data, size_t size, PMEMORYMODULE module) {
+static BOOL CopySections(const unsigned char* data, PMEMORYMODULE module) {
 	LPBYTE codeBase = module->codeBase;
 	LPVOID dest;
 	PIMAGE_NT_HEADERS headers = GetImageNtHeaders(module);
@@ -145,7 +146,12 @@ static BOOL CopySections(const unsigned char* data, size_t size, PMEMORYMODULE m
 		alloc_size = headers->OptionalHeader.SectionAlignment;
 		cp = false;
 		if (section->SizeOfRawData) {
-			if (!CheckSize(size, static_cast<size_t>(section->PointerToRawData) + section->SizeOfRawData)) return FALSE;
+			__try {
+				ProbeForRead(data, static_cast<size_t>(section->PointerToRawData) + section->SizeOfRawData);
+			}
+			__except (EXCEPTION_EXECUTE_HANDLER) {
+				return FALSE;
+			}
 			alloc_size = section->SizeOfRawData;
 			cp = true;
 		}
@@ -354,15 +360,23 @@ static BOOL BuildImportTable(PMEMORYMODULE module) {
 	return result;
 }
 
-HMEMORYMODULE MemoryLoadLibrary(const void* data, size_t size) {
+//static BOOL PerformForwardExport(PMEMORYMODULE module) {
+//	PIMAGE_EXPORT_DIRECTORY exports;
+//	PIMAGE_NT_HEADERS headers = GetImageNtHeaders(module);
+//	PIMAGE_DATA_DIRECTORY directory = GET_HEADER_DICTIONARY(headers, IMAGE_DIRECTORY_ENTRY_EXPORT);
+//	if (!directory->Size)return TRUE;
+//	return FALSE;
+//
+//}
+
+HMEMORYMODULE MemoryLoadLibrary(const void* data) {
 	PMEMORYMODULE hMemoryModule = nullptr;
 	PIMAGE_DOS_HEADER dos_header, new_dos_header;
 	PIMAGE_NT_HEADERS old_header, new_header;
-	unsigned char* code;
+	unsigned char* base;
 	ptrdiff_t locationDelta;
-	SYSTEM_INFO sysInfo;
+	static SYSTEM_INFO sysInfo{};
 	PIMAGE_SECTION_HEADER section;
-	DWORD i;
 	size_t optionalSectionSize;
 	size_t lastSectionEnd = 0;
 	size_t alignedImageSize;
@@ -371,40 +385,36 @@ HMEMORYMODULE MemoryLoadLibrary(const void* data, size_t size) {
 	POINTER_LIST* blockedMemory = nullptr;
 #endif
 
-	if (!CheckSize(size, sizeof(IMAGE_DOS_HEADER))) return nullptr;
-	dos_header = (PIMAGE_DOS_HEADER)data;
-	if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
-		SetLastError(ERROR_BAD_EXE_FORMAT);
-		return nullptr;
-	}
-
-	if (!CheckSize(size, dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS))) return nullptr;
-	old_header = (PIMAGE_NT_HEADERS) & ((const unsigned char*)(data))[dos_header->e_lfanew];
-	if (old_header->Signature != IMAGE_NT_SIGNATURE) {
-		SetLastError(ERROR_BAD_EXE_FORMAT);
-		return nullptr;
-	}
-
-	if (old_header->FileHeader.Machine != HOST_MACHINE) {
-		SetLastError(ERROR_BAD_EXE_FORMAT);
-		return nullptr;
-	}
-
-	if (old_header->OptionalHeader.SectionAlignment & 1) {
-		// Only support section alignments that are a multiple of 2
-		SetLastError(ERROR_BAD_EXE_FORMAT);
-		return nullptr;
+	__try {
+		ProbeForRead(data, sizeof(IMAGE_DOS_HEADER));
+		dos_header = (PIMAGE_DOS_HEADER)data;
+		if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
+			SetLastError(ERROR_BAD_EXE_FORMAT);
+			return nullptr;
+		}
+		ProbeForRead(data, dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS));
+		old_header = (PIMAGE_NT_HEADERS)((size_t)data + dos_header->e_lfanew);
+		if (old_header->Signature != IMAGE_NT_SIGNATURE ||
+			!ProbeForRead(data, old_header->OptionalHeader.SizeOfHeaders) ||
+			old_header->FileHeader.Machine != HOST_MACHINE ||
+			old_header->OptionalHeader.SectionAlignment & 1) {
+			SetLastError(ERROR_BAD_EXE_FORMAT);
+			return nullptr;
+		}
+		//only dll image support
+		if (!(old_header->FileHeader.Characteristics & IMAGE_FILE_DLL)) {
+			SetLastError(ERROR_NOT_SUPPORTED);
+			return nullptr;
+		}
 	}
-
-	//only dll image support
-	if (!(old_header->FileHeader.Characteristics & IMAGE_FILE_DLL)) {
-		SetLastError(ERROR_NOT_SUPPORTED);
+	__except (EXCEPTION_EXECUTE_HANDLER) {
+		SetLastError(ERROR_INVALID_DATA);
 		return nullptr;
 	}
-
+	
 	section = IMAGE_FIRST_SECTION(old_header);
 	optionalSectionSize = old_header->OptionalHeader.SectionAlignment;
-	for (i = 0; i < old_header->FileHeader.NumberOfSections; i++, section++) {
+	for (DWORD i = 0; i < old_header->FileHeader.NumberOfSections; i++, section++) {
 		size_t endOfSection;
 		if (section->SizeOfRawData == 0) {
 			// Section without data in the DLL
@@ -419,7 +429,7 @@ HMEMORYMODULE MemoryLoadLibrary(const void* data, size_t size) {
 		}
 	}
 
-	GetNativeSystemInfo(&sysInfo);
+	if (!sysInfo.dwPageSize)GetNativeSystemInfo(&sysInfo);
 	alignedImageSize = AlignValueUp(old_header->OptionalHeader.SizeOfImage, sysInfo.dwPageSize);
 	if (alignedImageSize != AlignValueUp(lastSectionEnd, sysInfo.dwPageSize)) {
 		SetLastError(ERROR_BAD_EXE_FORMAT);
@@ -430,45 +440,45 @@ HMEMORYMODULE MemoryLoadLibrary(const void* data, size_t size) {
 	// reserve memory for image of library
 	// XXX: is it correct to commit the complete memory region at once?
 	//      calling DllEntry raises an exception if we don't...
-	if (!(code = (LPBYTE)VirtualAlloc((LPVOID)(old_header->OptionalHeader.ImageBase), alignedImageSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE))) {
+	if (!(base = (LPBYTE)VirtualAlloc((LPVOID)(old_header->OptionalHeader.ImageBase), alignedImageSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE))) {
 		if (!(old_header->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) {
 			SetLastError(ERROR_BAD_EXE_FORMAT);
 			return nullptr;
 		}
-		if (!(code = (LPBYTE)VirtualAlloc(nullptr, alignedImageSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE))) {
+		if (!(base = (LPBYTE)VirtualAlloc(nullptr, alignedImageSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE))) {
 			SetLastError(ERROR_OUTOFMEMORY);
 			return nullptr;
 		}
 	}
 
 #ifdef _WIN64
 	// Memory block may not span 4 GB boundaries.
-	while ((((uintptr_t)code) >> 32) < (((uintptr_t)(code + alignedImageSize)) >> 32)) {
+	while ((((uintptr_t)base) >> 32) < (((uintptr_t)(base + alignedImageSize)) >> 32)) {
 		POINTER_LIST* node = new POINTER_LIST;
 		if (!node) {
-			VirtualFree(code, 0, MEM_RELEASE);
+			VirtualFree(base, 0, MEM_RELEASE);
 			FreePointerList(blockedMemory);
 			SetLastError(ERROR_OUTOFMEMORY);
 			return nullptr;
 		}
 
 		node->next = blockedMemory;
-		node->address = code;
+		node->address = base;
 		blockedMemory = node;
 
-		if (!(code = (LPBYTE)VirtualAlloc(nullptr, alignedImageSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE))) {
+		if (!(base = (LPBYTE)VirtualAlloc(nullptr, alignedImageSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE))) {
 			FreePointerList(blockedMemory);
 			SetLastError(ERROR_OUTOFMEMORY);
 			return nullptr;
 		}
 	}
 #endif
 
-	new_dos_header = (PIMAGE_DOS_HEADER)code;
-	new_header = (PIMAGE_NT_HEADERS)(code + dos_header->e_lfanew);
-	hMemoryModule = (PMEMORYMODULE)(code + old_header->OptionalHeader.SizeOfHeaders);
+	new_dos_header = (PIMAGE_DOS_HEADER)base;
+	new_header = (PIMAGE_NT_HEADERS)(base + dos_header->e_lfanew);
+	hMemoryModule = (PMEMORYMODULE)(base + old_header->OptionalHeader.SizeOfHeaders);
 	RtlZeroMemory(hMemoryModule, sizeof(MEMORYMODULE));
-	hMemoryModule->codeBase = code;
+	hMemoryModule->codeBase = base;
 	hMemoryModule->pageSize = sysInfo.dwPageSize;
 	hMemoryModule->Signature = MEMORY_MODULE_SIGNATURE;
 	hMemoryModule->SizeofHeaders = old_header->OptionalHeader.SizeOfHeaders;
@@ -477,18 +487,14 @@ HMEMORYMODULE MemoryLoadLibrary(const void* data, size_t size) {
 	hMemoryModule->blockedMemory = blockedMemory;
 #endif
 
-	if (!CheckSize(size, old_header->OptionalHeader.SizeOfHeaders)) {
-		goto error;
-	}
-
 	// copy PE header to code
 	memcpy(new_dos_header, dos_header, old_header->OptionalHeader.SizeOfHeaders);
 	new_header->OptionalHeader.SizeOfImage = (DWORD)(alignedImageSize);
-	new_header->OptionalHeader.ImageBase = (size_t)code;
+	new_header->OptionalHeader.ImageBase = (size_t)base;
 	new_header->OptionalHeader.BaseOfCode = headers_align;
 
 	// copy sections from DLL file block to new memory location
-	if (!CopySections((LPBYTE)data, size, hMemoryModule)) goto error;
+	if (!CopySections((LPBYTE)data, hMemoryModule)) goto error;
 
 	// adjust base address of imported data
 	locationDelta = (ptrdiff_t)(hMemoryModule->codeBase - old_header->OptionalHeader.ImageBase);
@@ -509,7 +515,7 @@ HMEMORYMODULE MemoryLoadLibrary(const void* data, size_t size) {
 	if (new_header->OptionalHeader.AddressOfEntryPoint) {
 		__try {
 			// notify library about attaching to process
-			if (!((DllEntryProc)(code + new_header->OptionalHeader.AddressOfEntryPoint))((HINSTANCE)code, DLL_PROCESS_ATTACH, 0)) {
+			if (!((DllEntryProc)(base + new_header->OptionalHeader.AddressOfEntryPoint))((HINSTANCE)base, DLL_PROCESS_ATTACH, 0)) {
 				SetLastError(ERROR_DLL_INIT_FAILED);
 				goto error;
 			}
@@ -521,7 +527,7 @@ HMEMORYMODULE MemoryLoadLibrary(const void* data, size_t size) {
 		hMemoryModule->initialized = TRUE;
 	}
 
-	return code;
+	return base;
 error:
 	// cleanup
 	MemoryFreeLibrary(hMemoryModule);
 
@@ -101,7 +101,7 @@ extern "C" {
      * All dependencies are resolved using default LoadLibrary/GetProcAddress
      * calls through the Windows API.
      */
-    HMEMORYMODULE MemoryLoadLibrary(const void*, size_t);
+    HMEMORYMODULE MemoryLoadLibrary(const void*);
 
     /**
      * Get address of exported method. Supports loading both by name and by
 
@@ -364,3 +364,24 @@ PVOID NTAPI RtlEncodeSystemPointer(PVOID Pointer) {
 PVOID NTAPI RtlDecodeSystemPointer(PVOID Pointer) {
 	return decltype(&RtlDecodeSystemPointer)(RtlGetNtProcAddress("RtlDecodeSystemPointer"))(Pointer);
 }
+
+BOOLEAN NTAPI VirtualAccessCheck(LPCVOID pBuffer, size_t size, ACCESS_MASK protect) {
+	MEMORY_BASIC_INFORMATION mbi{};
+	SIZE_T len = 0;
+	if (!NT_SUCCESS(NtQueryVirtualMemory(NtCurrentProcess(), const_cast<PVOID>(pBuffer), MemoryBasicInformation, &mbi, sizeof(mbi), &len)) ||
+		!(mbi.Protect & protect)) {
+		RaiseException(EXCEPTION_ACCESS_VIOLATION, 0, 0, nullptr);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+NTSTATUS NTAPI LdrLockLoaderLock(size_t Flags, size_t* State, size_t* Cookie) {
+	return (decltype(&LdrLockLoaderLock)(RtlGetNtProcAddress("LdrLockLoaderLock")))(Flags, State, Cookie);
+}
+NTSTATUS NTAPI LdrUnlockLoaderLock(size_t Flags, size_t Cookie) {
+	return (decltype(&LdrUnlockLoaderLock)(RtlGetNtProcAddress("LdrUnlockLoaderLock")))(Flags, Cookie);
+}
+NTSTATUS NTAPI LdrUnloadDll(IN HANDLE ModuleHandle) {
+	return (decltype(&LdrUnloadDll)(RtlGetNtProcAddress("LdrUnloadDll")))(ModuleHandle);
+}
@@ -372,6 +372,60 @@ typedef enum _PROCESSINFOCLASS {
 	ProcessLeapSecondInformation, // PROCESS_LEAP_SECOND_INFORMATION
 	MaxProcessInfoClass
 } PROCESSINFOCLASS;
+typedef enum _THREADINFOCLASS {
+	ThreadBasicInformation, // q: THREAD_BASIC_INFORMATION
+	ThreadTimes, // q: KERNEL_USER_TIMES
+	ThreadPriority, // s: KPRIORITY
+	ThreadBasePriority, // s: LONG
+	ThreadAffinityMask, // s: KAFFINITY
+	ThreadImpersonationToken, // s: HANDLE
+	ThreadDescriptorTableEntry, // q: DESCRIPTOR_TABLE_ENTRY (or WOW64_DESCRIPTOR_TABLE_ENTRY)
+	ThreadEnableAlignmentFaultFixup, // s: BOOLEAN
+	ThreadEventPair,
+	ThreadQuerySetWin32StartAddress, // q: PVOID
+	ThreadZeroTlsCell, // 10
+	ThreadPerformanceCount, // q: LARGE_INTEGER
+	ThreadAmILastThread, // q: ULONG
+	ThreadIdealProcessor, // s: ULONG
+	ThreadPriorityBoost, // qs: ULONG
+	ThreadSetTlsArrayAddress,
+	ThreadIsIoPending, // q: ULONG
+	ThreadHideFromDebugger, // s: void
+	ThreadBreakOnTermination, // qs: ULONG
+	ThreadSwitchLegacyState,
+	ThreadIsTerminated, // q: ULONG // 20
+	ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION
+	ThreadIoPriority, // qs: IO_PRIORITY_HINT
+	ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION
+	ThreadPagePriority, // q: ULONG
+	ThreadActualBasePriority,
+	ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT)
+	ThreadCSwitchMon,
+	ThreadCSwitchPmu,
+	ThreadWow64Context, // q: WOW64_CONTEXT
+	ThreadGroupInformation, // q: GROUP_AFFINITY // 30
+	ThreadUmsInformation, // q: THREAD_UMS_INFORMATION
+	ThreadCounterProfiling,
+	ThreadIdealProcessorEx, // q: PROCESSOR_NUMBER
+	ThreadCpuAccountingInformation, // since WIN8
+	ThreadSuspendCount, // since WINBLUE
+	ThreadHeterogeneousCpuPolicy, // q: KHETERO_CPU_POLICY // since THRESHOLD
+	ThreadContainerId, // q: GUID
+	ThreadNameInformation, // qs: THREAD_NAME_INFORMATION
+	ThreadSelectedCpuSets,
+	ThreadSystemThreadInformation, // q: SYSTEM_THREAD_INFORMATION // 40
+	ThreadActualGroupAffinity, // since THRESHOLD2
+	ThreadDynamicCodePolicyInfo,
+	ThreadExplicitCaseSensitivity, // qs: ULONG; s: 0 disables, otherwise enables
+	ThreadWorkOnBehalfTicket,
+	ThreadSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2
+	ThreadDbgkWerReportActive,
+	ThreadAttachContainer,
+	ThreadManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
+	ThreadPowerThrottlingState, // THREAD_POWER_THROTTLING_STATE
+	ThreadWorkloadClass, // THREAD_WORKLOAD_CLASS // since REDSTONE5 // 50
+	MaxThreadInfoClass
+} THREADINFOCLASS;
 typedef struct _SYSTEM_PROCESS {
 	ULONG NextEntryOffset;//relative offset
 	ULONG ThreadCount;
@@ -998,6 +1052,13 @@ typedef struct _SECURITY__LOGON_SESSION_DATA {
 	LARGE_INTEGER PasswordMustChange;
 }SECURITY_LOGON_SESSION_DATA, *PSECURITY_LOGON_SESSION_DATA,
 LOGON_SESSION_DATA, *PLOGON_SESSION_DATA;
+typedef struct _INITIAL_TEB {
+	PVOID                StackBase;
+	PVOID                StackLimit;
+	PVOID                StackCommit;
+	PVOID                StackCommitMax;
+	PVOID                StackReserved;
+} INITIAL_TEB, * PINITIAL_TEB;
 
 NTSTATUS NTAPI NtQueryObject(
 	IN HANDLE               ObjectHandle,
@@ -1340,3 +1401,23 @@ typedef struct _UNWIND_INFO {
 NTSTATUS NTAPI NtQuerySystemTime(PLARGE_INTEGER SystemTime);
 PVOID NTAPI RtlEncodeSystemPointer(PVOID Pointer);
 PVOID NTAPI RtlDecodeSystemPointer(PVOID Pointer);
+
+#define NtCurrentProcess()	(HANDLE)-1
+#define NtCurrentThread()	(HANDLE)-2
+
+BOOLEAN NTAPI VirtualAccessCheck(LPCVOID pBuffer, size_t size, ACCESS_MASK protect);
+#define ProbeForRead(pBuffer, size)			VirtualAccessCheck(pBuffer, size, PAGE_READONLY | PAGE_READWRITE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE)
+#define ProbeForWrite(pBuffer, size)		VirtualAccessCheck(pBuffer, size, PAGE_READWRITE | PAGE_EXECUTE_WRITECOPY | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE)
+#define ProbeForReadWrite(pBuffer, size)	VirtualAccessCheck(pBuffer, size, PAGE_EXECUTE_READWRITE | PAGE_READWRITE)
+#define ProbeForExecute(pBuffer, size)		VirtualAccessCheck(pBuffer, size, PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
+
+//Flags
+#define LOCK_RAISE_EXCEPTION 1
+#define LOCK_NO_WAIT_IF_BUSY 2
+//State
+#define LOCK_STATE_NO_ENTER  0
+#define LOCK_STATE_ENTERED   1
+#define LOCK_STATE_LOCK_BUSY 2
+NTSTATUS NTAPI LdrLockLoaderLock(size_t Flags, size_t* State, size_t* Cookie);
+NTSTATUS NTAPI LdrUnlockLoaderLock(size_t Flags, size_t Cookie);
+NTSTATUS NTAPI LdrUnloadDll(IN HANDLE ModuleHandle);