From e8ce3dffd37fcdba330634a301bb2671df28cec1 Mon Sep 17 00:00:00 2001
From: Jason Hood
Date: Wed, 9 May 2018 11:37:34 +1000
Subject: [PATCH] Fixes
Fix RemoteLoad32 on 64-bit.
Better method to skip logging in ProcessType.
---
 ANSI.c | 2 +-
 ansicon.c | 2 +-
 injdll.c | 10 +++++++---
 proctype.c | 44 ++++++++++++++++++++------------------------
 readme.txt | 4 ++--
 5 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/ANSI.c b/ANSI.c
index 91c5c92..37eb325 100644
--- a/ANSI.c
+++ b/ANSI.c
@@ -197,7 +197,7 @@ v1.83, 16 February, 2018:
 create the flush thread on first use.
- v1.84-wip, 17 February, 26 April to 8 May, 2018:
+ v1.84-wip, 17 February, 26 April to 9 May, 2018:
 close the flush handles on detach;
 dynamically load WINMM.DLL;
 use sprintf/_snprintf/_snwprintf instead of wsprintf, avoiding USER32.DLL;
diff --git a/ansicon.c b/ansicon.c
index ba541bb..7d94d0a 100644
--- a/ansicon.c
+++ b/ansicon.c
@@ -94,7 +94,7 @@
 import the DLL.
 */
-#define PDATE L"8 May, 2018"
+#define PDATE L"9 May, 2018"
 #include "ansicon.h"
 #include "version.h"
diff --git a/injdll.c b/injdll.c
index a0278b3..992f747 100644
--- a/injdll.c
+++ b/injdll.c
@@ -90,11 +90,11 @@ void InjectDLL( LPPROCESS_INFORMATION ppi, PBYTE pBase )
 get_os_version() >= 0x602)
 {
 #ifdef _WIN64
- RemoteLoad64( ppi );
+ RemoteLoad64( ppi );
 #else
- RemoteLoad32( ppi );
+ RemoteLoad32( ppi );
 #endif
- return;
+ return;
 }
 import_size = sizeof_imports( ppi, pBase, NTHeader.IMPORTDIR.VirtualAddress );
@@ -349,6 +349,7 @@ void RemoteLoad64( LPPROCESS_INFORMATION ppi )
 *ip.pD++ = 0; // padding
 *ip.pL++ = pMem + 56; // UNICODE_STRING.Buffer
 WriteProcMem( pMem, code, ip.pB - code );
+ *(PDWORD)DllNameType = 0x340036/*L'46'*/;
 WriteProcMem( pMem + (ip.pB - code), DllName, len );
 thread = CreateRemoteThread( ppi->hProcess, NULL, 4096,
 (LPTHREAD_START_ROUTINE)(pMem + 8), NULL, 0, NULL );
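Review bot: The added `*(PDWORD)DllNameType = 0x340036/*L'46'*/;` encodes the two-WCHAR suffix "64" as a little-endian DWORD written through a pointer pun, and the trailing comment spells the characters backwards, so the intent cannot be checked from the line itself. Writing the two characters directly, `DllNameType[0] = L'6'; DllNameType[1] = L'4';`, or keeping the DWORD with a comment `// patch the DLL name suffix to "64" (two little-endian WCHARs)`, would make byte order and purpose explicit and drop the aliasing cast. This assumes DllNameType points at the suffix characters inside DllName; its declaration and the rest of RemoteLoad64 are outside the hunk.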
@@ -414,6 +415,9 @@ void RemoteLoad32( LPPROCESS_INFORMATION ppi )
 *ip.pS++ = (USHORT)len; // UNICODE_STRING.MaximumLength
 *ip.pD++ = bMem + 28; // UNICODE_STRING.Buffer
 WriteProcMem( pMem, code, ip.pB - code );
+#ifdef _WIN64
+ *(PDWORD)DllNameType = 0x320033/*L'23'*/;
+#endif
 WriteProcMem( pMem + (ip.pB - code), DllName, len );
 thread = CreateRemoteThread( ppi->hProcess, NULL, 4096,
 (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL );
diff --git a/proctype.c b/proctype.c
index 5c72be6..d3ef4f9 100644
--- a/proctype.c
+++ b/proctype.c
@@ -48,19 +48,19 @@ int ProcessType( LPPROCESS_INFORMATION ppi, PBYTE* pBase, BOOL* gui )
 IMAGE_NT_HEADERS nt_header;
 PBYTE dummy_base;
 BOOL dummy_gui;
- BOOL skip_log;
+ int log;
- // There's no need to log if we're only getting one value.
- skip_log = FALSE;
+ // Don't log if we're only getting one value, as it's already been logged.
+ log = 1;
 if (pBase == NULL)
 {
 pBase = &dummy_base;
- skip_log = TRUE;
+ log = 128;
 }
 if (gui == NULL)
 {
 gui = &dummy_gui;
- skip_log = TRUE;
+ log = 128;
 }
 *pBase = NULL;
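Review bot: The suffix write in RemoteLoad32 is guarded by `#ifdef _WIN64`, while the matching write added to RemoteLoad64 is unconditional, so the two loaders do not both own the name they inject. If RemoteLoad64 is ever reached from a 32-bit (W32ON64) build, DllNameType is left at "64" and a following RemoteLoad32 call would inject the wrong-bitness DLL into a 32-bit child, the mirror of the bug this commit fixes. Dropping the `#ifdef`/`#endif` so that `*(PDWORD)DllNameType = 0x320033/*L'23'*/;` runs unconditionally removes the dependence on prior buffer state; whether RemoteLoad64 is compiled in 32-bit builds is not visible here. RemoteLoad32 begins outside the hunk.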
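Review bot: `int log;` shadows the C library function `log()` wherever <math.h> is in scope, and `128` is a bare magic level whose meaning (the level at which DEBUGSTR output from a repeated call is suppressed) is given only by the comment. Renaming to `int log_level;` and naming the level, e.g. `#define LOG_LEVEL_REPEAT 128` matching however the project names its DEBUGSTR levels, would keep the two assignment sites and the later DEBUGSTR calls readable. The DEBUGSTR level definitions and the rest of ProcessType are outside this hunk, so the semantics of 128 are inferred from the comment.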
@@ -102,52 +102,48 @@ int ProcessType( LPPROCESS_INFORMATION ppi, PBYTE* pBase, BOOL* gui )
 if ((ComHeader.Flags & COMIMAGE_FLAGS_ILONLY) &&
 !(ComHeader.Flags & COMIMAGE_FLAGS_32BITREQUIRED))
 {
-#if defined(_WIN64) || !defined(W32ON64) // W32ON64 will log due to -P
- DEBUGSTR( 1, " AnyCPU %s (base = %q)",
- (*gui) ? "GUI" : "console", minfo.BaseAddress );
-#endif
+ DEBUGSTR( log, " AnyCPU %s (base = %q)",
+ (*gui) ? "GUI" : "console", minfo.BaseAddress );
 #if defined(_WIN64) || defined(W32ON64)
 return 48;
 #else
 if (ProcessIs64( ppi->hProcess ))
 {
- DEBUGSTR( 1, " Unsupported (use x64\\ansicon)" );
+ DEBUGSTR( log, " Unsupported (use x64\\ansicon)" );
 return 0;
 }
 return 32;
 #endif
 }
 }
- if (!skip_log)
- DEBUGSTR( 1, " 32-bit %s (base = %q)",
+ DEBUGSTR( log, " 32-bit %s (base = %q)",
 (*gui) ? "GUI" : "console", minfo.BaseAddress );
 return 32;
 }
 if (nt_header.FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
 {
 #ifdef _WIN64
- if (!skip_log)
- DEBUGSTR( 1, " 64-bit %s (base = %p)",
+ DEBUGSTR( log, " 64-bit %s (base = %p)",
 (*gui) ? "GUI" : "console", minfo.BaseAddress );
 return 64;
 #else
- DEBUGSTR( 1, " 64-bit %s (base = %P)",
- (*gui) ? "GUI" : "console", minfo.BaseAddress );
+ DEBUGSTR( log, " 64-bit %s (base = %P)",
+ (*gui) ? "GUI" : "console", minfo.BaseAddress );
 #if defined(W32ON64)
 return 64;
 #else
- DEBUGSTR( 1, " Unsupported (use x64\\ansicon)" );
+ DEBUGSTR( log, " Unsupported (use x64\\ansicon)" );
 return 0;
 #endif
 #endif
 }
- DEBUGSTR( 1, " Ignoring unsupported machine (0x%X)",
- nt_header.FileHeader.Machine );
+ DEBUGSTR( log, " Ignoring unsupported machine (0x%X)",
+ nt_header.FileHeader.Machine );
 }
 else
 {
- DEBUGSTR( 1, " Ignoring unsupported subsystem (%u)",
- nt_header.OptionalHeader.Subsystem );
+ DEBUGSTR( log, " Ignoring unsupported subsystem (%u)",
+ nt_header.OptionalHeader.Subsystem );
 }
 return 0;
 }
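Review bot: The removed `#if defined(_WIN64) || !defined(W32ON64) // W32ON64 will log due to -P` carried the reason the AnyCPU message was suppressed in W32ON64 builds, and the new unconditional `DEBUGSTR( log, " AnyCPU %s (base = %q)", ...` now emits it at level 1 whenever both out-params are supplied. If the -P path calls ProcessType with one of pBase/gui NULL, the level-128 path avoids the double logging and a one-line comment such as `// W32ON64 -P calls with gui == NULL, so log is 128 there` would preserve the rationale; if it does not, W32ON64 builds now log AnyCPU processes twice. Which applies is not visible in the hunk; the -P path and the rest of ProcessType are outside it.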
@@ -157,16 +153,16 @@ int ProcessType( LPPROCESS_INFORMATION ppi, PBYTE* pBase, BOOL* gui )
 if (((DWORD)ptr >> 12) + ((DWORD)minfo.RegionSize >> 12) >= 0x100000)
 {
 #ifdef W32ON64
- DEBUGSTR( 1, " Pointer overflow: assuming 64-bit" );
+ DEBUGSTR( log, " Pointer overflow: assuming 64-bit" );
 return 64;
 #else
- DEBUGSTR( 1, " Ignoring apparent 64-bit process (use x64\\ansicon)" );
+ DEBUGSTR( log, " Ignoring apparent 64-bit process (use x64\\ansicon)" );
 return 0;
 #endif
 }
 #endif
 }
- DEBUGSTR( 1, " Ignoring non-Windows process" );
+ DEBUGSTR( log, " Ignoring non-Windows process" );
 return 0;
 }
diff --git a/readme.txt b/readme.txt
index 52f9380..85aae99 100644
--- a/readme.txt
+++ b/readme.txt
@@ -339,7 +339,7 @@ Version History
 Legend: + added, - bug-fixed, * changed.
- 1.84-wip - 8 May, 2018:
+ 1.84-wip - 9 May, 2018:
 - close the flush handles on detach;
 - WriteFile wasn't properly testing if its handle was for a console;
 - use remote load on Win8+ if the process has no IAT;
@@ -625,4 +625,4 @@ Distribution
 ========================
-Jason Hood, 8 May, 2018.
+Jason Hood, 9 May, 2018.