
Commit ff8a663

committed
refactoring
1 parent 1af4e81 commit ff8a663

21 files changed

Lines changed: 584 additions & 403 deletions

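--- a/MemoryModule/BaseAddressIndex.cpp
+++ b/MemoryModule/BaseAddressIndex.cpp
@@ -1,6 +1,8 @@
 #include "stdafx.h"
 
-NTSTATUS NTAPI RtlInsertModuleBaseAddressIndexNode(IN PLDR_DATA_TABLE_ENTRY DataTableEntry, IN PVOID BaseAddress) {
+NTSTATUS NTAPI RtlInsertModuleBaseAddressIndexNode(
+_In_ PLDR_DATA_TABLE_ENTRY DataTableEntry,
+_In_ PVOID BaseAddress) {
 auto LdrpModuleBaseAddressIndex = MmpGlobalDataPtr->MmpBaseAddressIndex.LdrpModuleBaseAddressIndex;
 if (!LdrpModuleBaseAddressIndex)return STATUS_UNSUCCESSFUL;
 
@@ -32,7 +34,7 @@ NTSTATUS NTAPI RtlInsertModuleBaseAddressIndexNode(IN PLDR_DATA_TABLE_ENTRY Data
 return STATUS_SUCCESS;
 }
 
-NTSTATUS NTAPI RtlRemoveModuleBaseAddressIndexNode(IN PLDR_DATA_TABLE_ENTRY DataTableEntry) {
+NTSTATUS NTAPI RtlRemoveModuleBaseAddressIndexNode(_In_ PLDR_DATA_TABLE_ENTRY DataTableEntry) {
 static auto tree{ MmpGlobalDataPtr->MmpBaseAddressIndex.LdrpModuleBaseAddressIndex };
 if (!tree->Root)return STATUS_UNSUCCESSFUL;
 RtlRbRemoveNode(tree, &PLDR_DATA_TABLE_ENTRY_WIN8(DataTableEntry)->BaseAddressIndexNode);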
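Review bot: RtlRemoveModuleBaseAddressIndexNode dereferences `tree->Root` without first checking that `tree` itself is non-null, whereas the insert path above returns STATUS_UNSUCCESSFUL when LdrpModuleBaseAddressIndex is null; if FindLdrpModuleBaseAddressIndex did not locate the index during initialization, the remove path dereferences a null pointer. The function-local `static auto tree{ ... }` also freezes whatever the global held on the first call, while the insert path deliberately re-reads it on every call, so the two functions can disagree. I would drop the static and mirror the insert check: `auto tree = MmpGlobalDataPtr->MmpBaseAddressIndex.LdrpModuleBaseAddressIndex;` followed by `if (!tree || !tree->Root)return STATUS_UNSUCCESSFUL;`. The body of RtlRemoveModuleBaseAddressIndexNode continues past the end of the hunk.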

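--- a/MemoryModule/BaseAddressIndex.h
+++ b/MemoryModule/BaseAddressIndex.h
@@ -1,5 +1,8 @@
 #pragma once
 
-NTSTATUS NTAPI RtlInsertModuleBaseAddressIndexNode(IN PLDR_DATA_TABLE_ENTRY DataTableEntry, IN PVOID BaseAddress);
+NTSTATUS NTAPI RtlInsertModuleBaseAddressIndexNode(
+_In_ PLDR_DATA_TABLE_ENTRY DataTableEntry,
+_In_ PVOID BaseAddress
+);
 
-NTSTATUS NTAPI RtlRemoveModuleBaseAddressIndexNode(IN PLDR_DATA_TABLE_ENTRY DataTableEntry);
+NTSTATUS NTAPI RtlRemoveModuleBaseAddressIndexNode(_In_ PLDR_DATA_TABLE_ENTRY DataTableEntry);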

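--- a/MemoryModule/Initialize.cpp
+++ b/MemoryModule/Initialize.cpp
@@ -3,16 +3,10 @@
 
 PMMP_GLOBAL_DATA MmpGlobalDataPtr;
 
-#ifdef _WIN64
-#define FindLdrpInvertedFunctionTable FindLdrpInvertedFunctionTable64
-#else
-#define FindLdrpInvertedFunctionTable FindLdrpInvertedFunctionTable32
-#endif
-
 BOOLEAN MmpBuildSectionName(_Out_ PUNICODE_STRING SectionName) {
 WCHAR buffer[128];
 
-swprintf(buffer, L"\\Sessions\\%d\\BaseNamedObjects\\MMPP*%08X", NtCurrentPeb()->SessionId, (unsigned int)NtCurrentProcessId());
+swprintf_s(buffer, L"\\Sessions\\%d\\BaseNamedObjects\\MMPP*%08X", NtCurrentPeb()->SessionId, (unsigned int)(ULONG_PTR)NtCurrentProcessId());
 return RtlCreateUnicodeString(SectionName, buffer);
 }
 
@@ -51,6 +45,7 @@ static __forceinline bool IsModuleUnloaded(PLDR_DATA_TABLE_ENTRY entry) {
 }
 }
 
+#ifndef _WIN64
 PVOID FindLdrpInvertedFunctionTable32() {
 // _RTL_INVERTED_FUNCTION_TABLE x86
 // Count +0x0 ????????
@@ -103,6 +98,8 @@ PVOID FindLdrpInvertedFunctionTable32() {
 return nullptr;
 }
 
+#define FindLdrpInvertedFunctionTable FindLdrpInvertedFunctionTable32
+#else
 PVOID FindLdrpInvertedFunctionTable64() {
 // _RTL_INVERTED_FUNCTION_TABLE x64
 // Count +0x0 ????????
@@ -165,6 +162,9 @@ PVOID FindLdrpInvertedFunctionTable64() {
 return nullptr;
 }
 
+#define FindLdrpInvertedFunctionTable FindLdrpInvertedFunctionTable64
+#endif
+
 PLIST_ENTRY FindLdrpHashTable() {
 PLIST_ENTRY list = nullptr;
 PLIST_ENTRY head = &NtCurrentPeb()->Ldr->InInitializationOrderModuleList, entry = head->Flink;
@@ -183,6 +183,94 @@ PLIST_ENTRY FindLdrpHashTable() {
 return list;
 }
 
+VOID InitializeWindowsVersion() {
+
+WINDOWS_VERSION version = WINDOWS_VERSION::invalid;
+
+switch (MmpGlobalDataPtr->NtVersions.MajorVersion) {
+case 5: {
+switch (MmpGlobalDataPtr->NtVersions.MinorVersion) {
+case 1:
+version = MmpGlobalDataPtr->NtVersions.BuildNumber == 2600 ? WINDOWS_VERSION::xp : WINDOWS_VERSION::invalid;
+break;
+
+case 2:
+version = MmpGlobalDataPtr->NtVersions.BuildNumber == 3790 ? WINDOWS_VERSION::xp : WINDOWS_VERSION::invalid;
+break;
+}
+break;
+}
+
+case 6: {
+switch (MmpGlobalDataPtr->NtVersions.MinorVersion) {
+case 0: {
+switch (MmpGlobalDataPtr->NtVersions.BuildNumber) {
+case 6000:
+case 6001:
+case 6002:
+version = WINDOWS_VERSION::vista;
+break;
+}
+break;
+}
+
+case 1: {
+switch (MmpGlobalDataPtr->NtVersions.BuildNumber) {
+case 7600:
+case 7601:
+version = WINDOWS_VERSION::win7;
+break;
+}
+break;
+}
+
+case 2: {
+if (MmpGlobalDataPtr->NtVersions.BuildNumber == 9200) version = WINDOWS_VERSION::win8;
+break;
+}
+
+case 3: {
+if (MmpGlobalDataPtr->NtVersions.BuildNumber == 9600) version = WINDOWS_VERSION::win8_1;
+break;
+}
+
+}
+break;
+}
+
+case 10: {
+if (MmpGlobalDataPtr->NtVersions.MinorVersion)break;
+switch (MmpGlobalDataPtr->NtVersions.BuildNumber) {
+case 10240:
+case 10586:
+version = WINDOWS_VERSION::win10;
+break;
+
+case 14393:
+version = WINDOWS_VERSION::win10_1;
+break;
+
+case 15063:
+case 16299:
+case 17134:
+case 17763:
+case 18362:
+version = WINDOWS_VERSION::win10_2;
+break;
+
+default:
+if (RtlIsWindowsVersionOrGreater(MmpGlobalDataPtr->NtVersions.MajorVersion, MmpGlobalDataPtr->NtVersions.MinorVersion, 15063)) version = WINDOWS_VERSION::win10_2;
+break;
+}
+
+break;
+}
+
+}
+
+MmpGlobalDataPtr->WindowsVersion = version;
+}
+
 NTSTATUS InitializeLockHeld() {
 NTSTATUS status = STATUS_UNSUCCESSFUL;
 HANDLE hSection = nullptr;
@@ -255,6 +343,53 @@ NTSTATUS InitializeLockHeld() {
 
 GetSystemInfo(&MmpGlobalDataPtr->SystemInfo);
 
+RtlGetNtVersionNumbers(
+&MmpGlobalDataPtr->NtVersions.MajorVersion,
+&MmpGlobalDataPtr->NtVersions.MinorVersion,
+&MmpGlobalDataPtr->NtVersions.BuildNumber
+);
+if (MmpGlobalDataPtr->NtVersions.BuildNumber & 0xf0000000)MmpGlobalDataPtr->NtVersions.BuildNumber &= 0xffff;
+
+InitializeWindowsVersion();
+
+switch (MmpGlobalDataPtr->WindowsVersion) {
+case WINDOWS_VERSION::xp:
+MmpGlobalDataPtr->LdrDataTableEntrySize = sizeof(LDR_DATA_TABLE_ENTRY_XP);
+break;
+
+case WINDOWS_VERSION::vista:
+MmpGlobalDataPtr->LdrDataTableEntrySize = sizeof(LDR_DATA_TABLE_ENTRY_VISTA);
+break;
+
+case WINDOWS_VERSION::win7:
+MmpGlobalDataPtr->LdrDataTableEntrySize = sizeof(LDR_DATA_TABLE_ENTRY_WIN7);
+break;
+
+case WINDOWS_VERSION::win8:
+MmpGlobalDataPtr->LdrDataTableEntrySize = sizeof(LDR_DATA_TABLE_ENTRY_WIN8);
+break;
+
+case WINDOWS_VERSION::win8_1:
+MmpGlobalDataPtr->LdrDataTableEntrySize = sizeof(LDR_DATA_TABLE_ENTRY_WIN8_1);
+break;
+
+case WINDOWS_VERSION::win10:
+MmpGlobalDataPtr->LdrDataTableEntrySize = sizeof(LDR_DATA_TABLE_ENTRY_WIN10);
+break;
+
+case WINDOWS_VERSION::win10_1:
+MmpGlobalDataPtr->LdrDataTableEntrySize = sizeof(LDR_DATA_TABLE_ENTRY_WIN10_1);
+break;
+
+case WINDOWS_VERSION::win10_2:
+MmpGlobalDataPtr->LdrDataTableEntrySize = sizeof(LDR_DATA_TABLE_ENTRY_WIN10_2);
+break;
+
+default:
+MmpGlobalDataPtr->LdrDataTableEntrySize = sizeof(LDR_DATA_TABLE_ENTRY_WIN10_2);
+break;
+}
+
 MmpGlobalDataPtr->MmpBaseAddressIndex.NtdllLdrEntry = RtlFindLdrTableEntryByBaseName(L"ntdll.dll");
 MmpGlobalDataPtr->MmpBaseAddressIndex.LdrpModuleBaseAddressIndex = FindLdrpModuleBaseAddressIndex();
 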
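Review bot: The `default:` arm of the new LdrDataTableEntrySize switch in InitializeLockHeld silently treats WINDOWS_VERSION::invalid as win10_2, so any build that InitializeWindowsVersion leaves unclassified (a major version outside 5/6/10, a 10.0 build below 15063 that is not in the list, or 6.x with an unexpected build) proceeds with a guessed LDR_DATA_TABLE_ENTRY layout instead of failing initialization. Given that this size is later used against live loader structures (that use is outside the hunk, so I cannot confirm how), a wrong guess is far more dangerous than a clean STATUS_NOT_SUPPORTED. I would add an explicit `case WINDOWS_VERSION::invalid:` that sets `status = STATUS_NOT_SUPPORTED;` and leaves through the function's existing failure path rather than an early `return`, since InitializeLockHeld starts and ends outside the hunk and `hSection` (new line 276) may need releasing. A one-line comment on InitializeWindowsVersion stating that Server 2003 (5.2, build 3790) is intentionally mapped to `xp` and that the 10.0 `default:` arm accepts any build at or above 15063 would also help the next reader.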
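--- a/MemoryModule/InvertedFunctionTable.cpp
+++ b/MemoryModule/InvertedFunctionTable.cpp
@@ -1,6 +1,9 @@
 #include "stdafx.h"
 
-static VOID NTAPI RtlpInsertInvertedFunctionTable(IN PRTL_INVERTED_FUNCTION_TABLE InvertedTable, IN PVOID ImageBase, IN ULONG SizeOfImage) {
+static VOID RtlpInsertInvertedFunctionTable(
+_In_ PRTL_INVERTED_FUNCTION_TABLE InvertedTable,
+_In_ PVOID ImageBase,
+_In_ ULONG SizeOfImage) {
 #ifdef _WIN64
 ULONG CurrentSize;
 PIMAGE_RUNTIME_FUNCTION_ENTRY FunctionTable;
@@ -86,7 +89,9 @@ static VOID NTAPI RtlpInsertInvertedFunctionTable(IN PRTL_INVERTED_FUNCTION_TABL
 return;
 }
 
-static VOID NTAPI RtlpRemoveInvertedFunctionTable(IN PRTL_INVERTED_FUNCTION_TABLE InvertedTable, IN PVOID ImageBase) {
+static VOID RtlpRemoveInvertedFunctionTable(
+_In_ PRTL_INVERTED_FUNCTION_TABLE InvertedTable,
+_In_ PVOID ImageBase) {
 ULONG CurrentSize;
 ULONG Index;
 //bool need = RtlIsWindowsVersionOrGreater(6, 2, 0);
@@ -136,7 +141,7 @@ static VOID NTAPI RtlpRemoveInvertedFunctionTable(IN PRTL_INVERTED_FUNCTION_TABL
 return;
 }
 
-static NTSTATUS NTAPI RtlProtectMrdata(IN SIZE_T Protect) {
+static NTSTATUS RtlProtectMrdata(_In_ ULONG Protect) {
 static PVOID MrdataBase = nullptr;
 static SIZE_T size = 0;
 NTSTATUS status;
@@ -157,7 +162,9 @@ static NTSTATUS NTAPI RtlProtectMrdata(IN SIZE_T Protect) {
 return NtProtectVirtualMemory(GetCurrentProcess(), &tmp, &tmp_len, Protect, &old);
 }
 
-NTSTATUS NTAPI RtlInsertInvertedFunctionTable(IN PVOID BaseAddress, IN size_t ImageSize) {
+NTSTATUS NTAPI RtlInsertInvertedFunctionTable(
+_In_ PVOID BaseAddress,
+_In_ ULONG ImageSize) {
 auto table = PRTL_INVERTED_FUNCTION_TABLE(MmpGlobalDataPtr->MmpInvertedFunctionTable.LdrpInvertedFunctionTable);
 if (!table)return STATUS_NOT_SUPPORTED;
 bool need_virtual_protect = RtlIsWindowsVersionOrGreater(6, 3, 0);
@@ -176,7 +183,7 @@ NTSTATUS NTAPI RtlInsertInvertedFunctionTable(IN PVOID BaseAddress, IN size_t Im
 STATUS_NO_MEMORY : STATUS_SUCCESS;
 }
 
-NTSTATUS NTAPI RtlRemoveInvertedFunctionTable(IN PVOID ImageBase) {
+NTSTATUS NTAPI RtlRemoveInvertedFunctionTable(_In_ PVOID ImageBase) {
 auto table = PRTL_INVERTED_FUNCTION_TABLE(MmpGlobalDataPtr->MmpInvertedFunctionTable.LdrpInvertedFunctionTable);
 bool need_virtual_protect = RtlIsWindowsVersionOrGreater(6, 3, 0);
 NTSTATUS status;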
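Review bot: Both RtlInsertInvertedFunctionTable (new line 170) and RtlRemoveInvertedFunctionTable (new line 188) still compute `need_virtual_protect` from a hard-coded `RtlIsWindowsVersionOrGreater(6, 3, 0)` probe, even though this commit introduces `MmpGlobalDataPtr->WindowsVersion` in Initialize.cpp as the single place that classifies the OS; keeping two independent version decisions lets the two paths drift, and the 0xf-masked build number handling added in InitializeLockHeld applies only to one of them. If the WINDOWS_VERSION enumerators are declared in release order (not visible here), the flag could be derived once, e.g. `bool need_virtual_protect = MmpGlobalDataPtr->WindowsVersion >= WINDOWS_VERSION::win8_1;`, otherwise a small helper on the enum would do. Separately, the remove path reads `table` at new line 187 without the `if (!table)return STATUS_NOT_SUPPORTED;` guard the insert path has at new line 169; if an equivalent check exists further down it is outside the hunk, and the body of RtlRemoveInvertedFunctionTable continues past the hunk.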

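--- a/MemoryModule/InvertedFunctionTable.h
+++ b/MemoryModule/InvertedFunctionTable.h
@@ -52,5 +52,9 @@ typedef RTL_INVERTED_FUNCTION_TABLE_WIN7_32 _RTL_INVERTED_FUNCTION_TABLE, RTL_IN
 typedef _RTL_INVERTED_FUNCTION_TABLE_ENTRY_WIN7_32 _RTL_INVERTED_FUNCTION_TABLE_ENTRY, RTL_INVERTED_FUNCTION_TABLE_ENTRY, * PRTL_INVERTED_FUNCTION_TABLE_ENTRY;
 #endif
 
-NTSTATUS NTAPI RtlInsertInvertedFunctionTable(IN PVOID BaseAddress, IN size_t ImageSize);
-NTSTATUS NTAPI RtlRemoveInvertedFunctionTable(IN PVOID ImageBase);
+NTSTATUS NTAPI RtlInsertInvertedFunctionTable(
+_In_ PVOID BaseAddress,
+_In_ ULONG ImageSize
+);
+
+NTSTATUS NTAPI RtlRemoveInvertedFunctionTable(_In_ PVOID ImageBase);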
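Review bot: The `ImageSize` parameter of RtlInsertInvertedFunctionTable is narrowed from `size_t` to `ULONG` in this declaration, so on 64-bit builds any caller that still passes a SIZE_T now converts silently; the callers are not in this commit, so I cannot confirm they all pass a 32-bit value. The narrowing is reasonable if the value always originates from the PE optional header's SizeOfImage, which is a 32-bit field, but that intent should be stated at the declaration so the next caller does not pass a mapping length instead, e.g. `// ImageSize is the PE OptionalHeader.SizeOfImage (32-bit), not a SIZE_T mapping length`. Auditing the existing call sites for an explicit cast would close the warning-free narrowing this header change introduces.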
