Fixes
Fix RemoteLoad32 on 64-bit. Better method to skip logging in ProcessType.
This commit is contained in:
Jason Hood
parent
9260451684
commit
e8ce3dffd3
2
ANSI.c
2
ANSI.c
@ -197,7 +197,7 @@
|
||||
v1.83, 16 February, 2018:
|
||||
create the flush thread on first use.
|
||||
|
||||
v1.84-wip, 17 February, 26 April to 8 May, 2018:
|
||||
v1.84-wip, 17 February, 26 April to 9 May, 2018:
|
||||
close the flush handles on detach;
|
||||
dynamically load WINMM.DLL;
|
||||
use sprintf/_snprintf/_snwprintf instead of wsprintf, avoiding USER32.DLL;
|
||||
|
||||
@ -94,7 +94,7 @@
|
||||
import the DLL.
|
||||
*/
|
||||
|
||||
#define PDATE L"8 May, 2018"
|
||||
#define PDATE L"9 May, 2018"
|
||||
|
||||
#include "ansicon.h"
|
||||
#include "version.h"
|
||||
|
||||
4
injdll.c
4
injdll.c
@ -349,6 +349,7 @@ void RemoteLoad64( LPPROCESS_INFORMATION ppi )
|
||||
*ip.pD++ = 0; // padding
|
||||
*ip.pL++ = pMem + 56; // UNICODE_STRING.Buffer
|
||||
WriteProcMem( pMem, code, ip.pB - code );
|
||||
*(PDWORD)DllNameType = 0x340036/*L'46'*/;
|
||||
WriteProcMem( pMem + (ip.pB - code), DllName, len );
|
||||
thread = CreateRemoteThread( ppi->hProcess, NULL, 4096,
|
||||
(LPTHREAD_START_ROUTINE)(pMem + 8), NULL, 0, NULL );
|
||||
@ -414,6 +415,9 @@ void RemoteLoad32( LPPROCESS_INFORMATION ppi )
|
||||
*ip.pS++ = (USHORT)len; // UNICODE_STRING.MaximumLength
|
||||
*ip.pD++ = bMem + 28; // UNICODE_STRING.Buffer
|
||||
WriteProcMem( pMem, code, ip.pB - code );
|
||||
#ifdef _WIN64
|
||||
*(PDWORD)DllNameType = 0x320033/*L'23'*/;
|
||||
#endif
|
||||
WriteProcMem( pMem + (ip.pB - code), DllName, len );
|
||||
thread = CreateRemoteThread( ppi->hProcess, NULL, 4096,
|
||||
(LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL );
|
||||
|
||||
36
proctype.c
36
proctype.c
@ -48,19 +48,19 @@ int ProcessType( LPPROCESS_INFORMATION ppi, PBYTE* pBase, BOOL* gui )
|
||||
IMAGE_NT_HEADERS nt_header;
|
||||
PBYTE dummy_base;
|
||||
BOOL dummy_gui;
|
||||
BOOL skip_log;
|
||||
int log;
|
||||
|
||||
// There's no need to log if we're only getting one value.
|
||||
skip_log = FALSE;
|
||||
// Don't log if we're only getting one value, as it's already been logged.
|
||||
log = 1;
|
||||
if (pBase == NULL)
|
||||
{
|
||||
pBase = &dummy_base;
|
||||
skip_log = TRUE;
|
||||
log = 128;
|
||||
}
|
||||
if (gui == NULL)
|
||||
{
|
||||
gui = &dummy_gui;
|
||||
skip_log = TRUE;
|
||||
log = 128;
|
||||
}
|
||||
|
||||
*pBase = NULL;
|
||||
@ -102,51 +102,47 @@ int ProcessType( LPPROCESS_INFORMATION ppi, PBYTE* pBase, BOOL* gui )
|
||||
if ((ComHeader.Flags & COMIMAGE_FLAGS_ILONLY) &&
|
||||
!(ComHeader.Flags & COMIMAGE_FLAGS_32BITREQUIRED))
|
||||
{
|
||||
#if defined(_WIN64) || !defined(W32ON64) // W32ON64 will log due to -P
|
||||
DEBUGSTR( 1, " AnyCPU %s (base = %q)",
|
||||
DEBUGSTR( log, " AnyCPU %s (base = %q)",
|
||||
(*gui) ? "GUI" : "console", minfo.BaseAddress );
|
||||
#endif
|
||||
#if defined(_WIN64) || defined(W32ON64)
|
||||
return 48;
|
||||
#else
|
||||
if (ProcessIs64( ppi->hProcess ))
|
||||
{
|
||||
DEBUGSTR( 1, " Unsupported (use x64\\ansicon)" );
|
||||
DEBUGSTR( log, " Unsupported (use x64\\ansicon)" );
|
||||
return 0;
|
||||
}
|
||||
return 32;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
if (!skip_log)
|
||||
DEBUGSTR( 1, " 32-bit %s (base = %q)",
|
||||
DEBUGSTR( log, " 32-bit %s (base = %q)",
|
||||
(*gui) ? "GUI" : "console", minfo.BaseAddress );
|
||||
return 32;
|
||||
}
|
||||
if (nt_header.FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
|
||||
{
|
||||
#ifdef _WIN64
|
||||
if (!skip_log)
|
||||
DEBUGSTR( 1, " 64-bit %s (base = %p)",
|
||||
DEBUGSTR( log, " 64-bit %s (base = %p)",
|
||||
(*gui) ? "GUI" : "console", minfo.BaseAddress );
|
||||
return 64;
|
||||
#else
|
||||
DEBUGSTR( 1, " 64-bit %s (base = %P)",
|
||||
DEBUGSTR( log, " 64-bit %s (base = %P)",
|
||||
(*gui) ? "GUI" : "console", minfo.BaseAddress );
|
||||
#if defined(W32ON64)
|
||||
return 64;
|
||||
#else
|
||||
DEBUGSTR( 1, " Unsupported (use x64\\ansicon)" );
|
||||
DEBUGSTR( log, " Unsupported (use x64\\ansicon)" );
|
||||
return 0;
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
DEBUGSTR( 1, " Ignoring unsupported machine (0x%X)",
|
||||
DEBUGSTR( log, " Ignoring unsupported machine (0x%X)",
|
||||
nt_header.FileHeader.Machine );
|
||||
}
|
||||
else
|
||||
{
|
||||
DEBUGSTR( 1, " Ignoring unsupported subsystem (%u)",
|
||||
DEBUGSTR( log, " Ignoring unsupported subsystem (%u)",
|
||||
nt_header.OptionalHeader.Subsystem );
|
||||
}
|
||||
return 0;
|
||||
@ -157,16 +153,16 @@ int ProcessType( LPPROCESS_INFORMATION ppi, PBYTE* pBase, BOOL* gui )
|
||||
if (((DWORD)ptr >> 12) + ((DWORD)minfo.RegionSize >> 12) >= 0x100000)
|
||||
{
|
||||
#ifdef W32ON64
|
||||
DEBUGSTR( 1, " Pointer overflow: assuming 64-bit" );
|
||||
DEBUGSTR( log, " Pointer overflow: assuming 64-bit" );
|
||||
return 64;
|
||||
#else
|
||||
DEBUGSTR( 1, " Ignoring apparent 64-bit process (use x64\\ansicon)" );
|
||||
DEBUGSTR( log, " Ignoring apparent 64-bit process (use x64\\ansicon)" );
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
DEBUGSTR( 1, " Ignoring non-Windows process" );
|
||||
DEBUGSTR( log, " Ignoring non-Windows process" );
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -339,7 +339,7 @@ Version History
|
||||
|
||||
Legend: + added, - bug-fixed, * changed.
|
||||
|
||||
1.84-wip - 8 May, 2018:
|
||||
1.84-wip - 9 May, 2018:
|
||||
- close the flush handles on detach;
|
||||
- WriteFile wasn't properly testing if its handle was for a console;
|
||||
- use remote load on Win8+ if the process has no IAT;
|
||||
@ -625,4 +625,4 @@ Distribution
|
||||
|
||||
|
||||
========================
|
||||
Jason Hood, 8 May, 2018.
|
||||
Jason Hood, 9 May, 2018.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user