parent
51d2ca4063
commit
8391574061
|
@ -99,7 +99,7 @@ _FX BOOLEAN Process_Low_Inject(
|
||||||
SVC_PROCESS_MSG msg;
|
SVC_PROCESS_MSG msg;
|
||||||
ULONG_PTR is_wow64 = 0;
|
ULONG_PTR is_wow64 = 0;
|
||||||
NTSTATUS status = STATUS_SUCCESS;
|
NTSTATUS status = STATUS_SUCCESS;
|
||||||
BOOLEAN sbielow_loaded = FALSE;
|
BOOLEAN done = FALSE;
|
||||||
KIRQL irql;
|
KIRQL irql;
|
||||||
|
|
||||||
//
|
//
|
||||||
|
@ -179,7 +179,7 @@ _FX BOOLEAN Process_Low_Inject(
|
||||||
|
|
||||||
if (proc && proc->create_time == create_time) {
|
if (proc && proc->create_time == create_time) {
|
||||||
|
|
||||||
sbielow_loaded = proc->sbielow_loaded;
|
done = proc->sbielow_loaded || proc->terminated;
|
||||||
|
|
||||||
if (! is_wow64)
|
if (! is_wow64)
|
||||||
proc->ntdll32_base = -1;
|
proc->ntdll32_base = -1;
|
||||||
|
@ -188,7 +188,7 @@ _FX BOOLEAN Process_Low_Inject(
|
||||||
ExReleaseResourceLite(Process_ListLock);
|
ExReleaseResourceLite(Process_ListLock);
|
||||||
KeLowerIrql(irql);
|
KeLowerIrql(irql);
|
||||||
|
|
||||||
if (sbielow_loaded)
|
if (done)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
time.QuadPart = -(SECONDS(1) / 4); // 250ms*40 = 10s
|
time.QuadPart = -(SECONDS(1) / 4); // 250ms*40 = 10s
|
||||||
|
@ -197,7 +197,7 @@ _FX BOOLEAN Process_Low_Inject(
|
||||||
++retries;
|
++retries;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (! sbielow_loaded) // if no response from SbieSvc
|
if (! done) // if no response from SbieSvc
|
||||||
status = STATUS_TIMEOUT;
|
status = STATUS_TIMEOUT;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -254,14 +254,14 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms)
|
||||||
KIRQL irql;
|
KIRQL irql;
|
||||||
PROCESS *proc = Process_Find(ProcessId, &irql);
|
PROCESS *proc = Process_Find(ProcessId, &irql);
|
||||||
|
|
||||||
if (proc)
|
|
||||||
proc->sbielow_loaded = TRUE;
|
|
||||||
|
|
||||||
ExReleaseResourceLite(Process_ListLock);
|
|
||||||
KeLowerIrql(irql);
|
|
||||||
|
|
||||||
if (proc) {
|
if (proc) {
|
||||||
|
|
||||||
|
ULONG error = (ULONG)parms[3];
|
||||||
|
if (error)
|
||||||
|
Process_SetTerminated(proc, 3);
|
||||||
|
else
|
||||||
|
proc->sbielow_loaded = TRUE;
|
||||||
|
|
||||||
//
|
//
|
||||||
// the service dynamically allocates a per box SID to be used,
|
// the service dynamically allocates a per box SID to be used,
|
||||||
// if no SID is provided this feature is either disabled or failed
|
// if no SID is provided this feature is either disabled or failed
|
||||||
|
@ -284,6 +284,12 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms)
|
||||||
} __except (EXCEPTION_EXECUTE_HANDLER) {
|
} __except (EXCEPTION_EXECUTE_HANDLER) {
|
||||||
status = GetExceptionCode();
|
status = GetExceptionCode();
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ExReleaseResourceLite(Process_ListLock);
|
||||||
|
KeLowerIrql(irql);
|
||||||
|
|
||||||
|
if (proc) {
|
||||||
|
|
||||||
KeSetEvent(Process_Low_Event, 0, FALSE);
|
KeSetEvent(Process_Low_Event, 0, FALSE);
|
||||||
status = STATUS_SUCCESS;
|
status = STATUS_SUCCESS;
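Review bot: In Process_Low_Inject the wait now also ends when `proc->terminated` is set, but `status` is left at STATUS_SUCCESS in that case, so when SbieSvc reports an injection error and Process_Low_Api_InjectComplete runs `Process_SetTerminated(proc, 3)`, the injecting caller is told the injection succeeded; only a real timeout reaches `status = STATUS_TIMEOUT`. If the caller acts on the return value (the function's tail is outside these hunks), keep the old flag next to `done` — re-add `BOOLEAN sbielow_loaded = FALSE;` and `sbielow_loaded = proc->sbielow_loaded;` beside the `done = ...` assignment — and separate the two outcomes after the loop: `if (!done) status = STATUS_TIMEOUT; else if (!sbielow_loaded) status = STATUS_PROCESS_IS_TERMINATING;`. A comment on the `done` line such as `// stop waiting once SbieSvc has answered, whether the low-level code loaded or the process was flagged for termination` would also make the variable's double meaning explicit. Process_Low_Inject starts before and ends after the hunks shown here.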
|
||||||
|
|
|
@ -68,8 +68,10 @@ static NTSTATUS Syscall_DeviceIoControlFile(
|
||||||
static NTSTATUS Syscall_DuplicateHandle(
|
static NTSTATUS Syscall_DuplicateHandle(
|
||||||
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
|
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
|
||||||
|
|
||||||
|
#ifdef _M_AMD64
|
||||||
static BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack(
|
static BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack(
|
||||||
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
|
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
//---------------------------------------------------------------------------
|
//---------------------------------------------------------------------------
|
||||||
|
@ -169,8 +171,10 @@ _FX BOOLEAN Syscall_Init(void)
|
||||||
if (!Syscall_Set1("DeviceIoControlFile", Syscall_DeviceIoControlFile))
|
if (!Syscall_Set1("DeviceIoControlFile", Syscall_DeviceIoControlFile))
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
|
#ifdef _M_AMD64
|
||||||
if (!Syscall_Set3("QuerySystemInformation", Syscall_QuerySystemInfo_SupportProcmonStack))
|
if (!Syscall_Set3("QuerySystemInformation", Syscall_QuerySystemInfo_SupportProcmonStack))
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
#endif
|
||||||
|
|
||||||
//
|
//
|
||||||
// set API handlers
|
// set API handlers
|
||||||
|
@ -338,7 +342,9 @@ _FX BOOLEAN Syscall_Init_List(void)
|
||||||
entry->ntos_func = ntos_addr;
|
entry->ntos_func = ntos_addr;
|
||||||
entry->handler1_func = NULL;
|
entry->handler1_func = NULL;
|
||||||
entry->handler2_func = NULL;
|
entry->handler2_func = NULL;
|
||||||
|
#ifdef _M_AMD64
|
||||||
entry->handler3_func_support_procmon = NULL;
|
entry->handler3_func_support_procmon = NULL;
|
||||||
|
#endif
|
||||||
entry->approved = (Syscall_HookMapMatch(name, name_len, &approved_syscalls) != 0);
|
entry->approved = (Syscall_HookMapMatch(name, name_len, &approved_syscalls) != 0);
|
||||||
entry->name_len = (USHORT)name_len;
|
entry->name_len = (USHORT)name_len;
|
||||||
memcpy(entry->name, name, name_len);
|
memcpy(entry->name, name, name_len);
|
||||||
|
@ -526,7 +532,7 @@ _FX BOOLEAN Syscall_Set1(const UCHAR *name, P_Syscall_Handler1 handler_func)
|
||||||
// Syscall_Set3
|
// Syscall_Set3
|
||||||
//---------------------------------------------------------------------------
|
//---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
#ifdef _M_AMD64
|
||||||
_FX BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_Stack handler_func)
|
_FX BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_Stack handler_func)
|
||||||
{
|
{
|
||||||
SYSCALL_ENTRY *entry = Syscall_GetByName(name);
|
SYSCALL_ENTRY *entry = Syscall_GetByName(name);
|
||||||
|
@ -535,7 +541,7 @@ _FX BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_S
|
||||||
entry->handler3_func_support_procmon = handler_func;
|
entry->handler3_func_support_procmon = handler_func;
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
//---------------------------------------------------------------------------
|
//---------------------------------------------------------------------------
|
||||||
// Syscall_ErrorForAsciiName
|
// Syscall_ErrorForAsciiName
|
||||||
|
@ -598,7 +604,7 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms)
|
||||||
SYSCALL_ENTRY *entry;
|
SYSCALL_ENTRY *entry;
|
||||||
ULONG syscall_index;
|
ULONG syscall_index;
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
#ifdef _WIN64
|
#ifdef _M_AMD64
|
||||||
volatile ULONG_PTR ret = 0;
|
volatile ULONG_PTR ret = 0;
|
||||||
volatile ULONG_PTR UserStack = 0;
|
volatile ULONG_PTR UserStack = 0;
|
||||||
|
|
||||||
|
@ -690,7 +696,10 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms)
|
||||||
const ULONG args_len = entry->param_count * sizeof(ULONG_PTR);
|
const ULONG args_len = entry->param_count * sizeof(ULONG_PTR);
|
||||||
#ifdef _WIN64
|
#ifdef _WIN64
|
||||||
ProbeForRead(user_args, args_len, sizeof(ULONG_PTR));
|
ProbeForRead(user_args, args_len, sizeof(ULONG_PTR));
|
||||||
|
#else ! _WIN64
|
||||||
|
ProbeForRead(user_args, args_len, sizeof(UCHAR));
|
||||||
|
#endif _WIN64
|
||||||
|
#ifdef _M_AMD64
|
||||||
// default - support procmon stack if handler3_func_support_procmon is null.
|
// default - support procmon stack if handler3_func_support_procmon is null.
|
||||||
if (!entry->handler3_func_support_procmon
|
if (!entry->handler3_func_support_procmon
|
||||||
|| entry->handler3_func_support_procmon(proc, entry, user_args)
|
|| entry->handler3_func_support_procmon(proc, entry, user_args)
|
||||||
|
@ -700,33 +709,22 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms)
|
||||||
|
|
||||||
pTrapFrame = (PKTRAP_FRAME) *(ULONG_PTR*)((UCHAR*)pThread + g_TrapFrameOffset);
|
pTrapFrame = (PKTRAP_FRAME) *(ULONG_PTR*)((UCHAR*)pThread + g_TrapFrameOffset);
|
||||||
if (pTrapFrame) {
|
if (pTrapFrame) {
|
||||||
#ifdef _M_ARM64
|
|
||||||
//ret = pTrapFrame->Pc;
|
|
||||||
//UserStack = pTrapFrame->Sp;
|
|
||||||
//pTrapFrame->Sp = pTrapFrame->Fp;
|
|
||||||
//pTrapFrame->Pc = pTrapFrame->X27;
|
|
||||||
#else
|
|
||||||
ret = pTrapFrame->Rip;
|
ret = pTrapFrame->Rip;
|
||||||
UserStack = pTrapFrame->Rsp;
|
UserStack = pTrapFrame->Rsp;
|
||||||
pTrapFrame->Rsp = pTrapFrame->Rbp; //*pRbp;
|
pTrapFrame->Rsp = pTrapFrame->Rbp; //*pRbp;
|
||||||
pTrapFrame->Rip = pTrapFrame->Rbx; //*pRbx;
|
pTrapFrame->Rip = pTrapFrame->Rbx; //*pRbx;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
pTrapFrame = NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
pTrapFrame = NULL;
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
pTrapFrame = NULL;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
pTrapFrame = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
#else ! _WIN64
|
|
||||||
ProbeForRead(user_args, args_len, sizeof(UCHAR));
|
|
||||||
#endif _WIN64
|
|
||||||
|
|
||||||
|
|
||||||
//if (proc->ipc_trace & (TRACE_ALLOW | TRACE_DENY))
|
//if (proc->ipc_trace & (TRACE_ALLOW | TRACE_DENY))
|
||||||
//{
|
//{
|
||||||
|
@ -846,16 +844,11 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef _WIN64
|
#ifdef _M_AMD64
|
||||||
if (g_TrapFrameOffset) {
|
if (g_TrapFrameOffset) {
|
||||||
if (pTrapFrame) {
|
if (pTrapFrame) {
|
||||||
#ifdef _M_ARM64
|
|
||||||
//pTrapFrame->Pc = ret;
|
|
||||||
//pTrapFrame->Sp = UserStack;
|
|
||||||
#else
|
|
||||||
pTrapFrame->Rip = ret;
|
pTrapFrame->Rip = ret;
|
||||||
pTrapFrame->Rsp = UserStack;
|
pTrapFrame->Rsp = UserStack;
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
@ -1040,7 +1033,7 @@ _FX void Syscall_Update_Lockdown()
|
||||||
// Syscall_QuerySystemInfo_SupportProcmonStack
|
// Syscall_QuerySystemInfo_SupportProcmonStack
|
||||||
//---------------------------------------------------------------------------
|
//---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
#ifdef _M_AMD64
|
||||||
_FX BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack(
|
_FX BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack(
|
||||||
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args)
|
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args)
|
||||||
{
|
{
|
||||||
|
@ -1066,7 +1059,7 @@ _FX BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack(
|
||||||
|
|
||||||
return bRet;
|
return bRet;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
//---------------------------------------------------------------------------
|
//---------------------------------------------------------------------------
|
||||||
// 32-bit and 64-bit code
|
// 32-bit and 64-bit code
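Review bot: The two directives `#else ! _WIN64` and `#endif _WIN64` that this hunk re-adds in Syscall_Api_Invoke carry bare tokens after `#else`/`#endif`, which standard C does not permit (MSVC only warns, clang flags it under -Wextra-tokens); since the lines are being moved anyway, write them as `#else /* !_WIN64 */` and `#endif /* _WIN64 */`. The ARM64 trap-frame code that used to be carried as comments is dropped and the whole `g_TrapFrameOffset`/`pTrapFrame` block is now compiled for `_M_AMD64` only, so a one-line comment above that `#ifdef _M_AMD64`, e.g. `// procmon stack support: only the x64 KTRAP_FRAME layout (Rip/Rsp swapped for Rbx/Rbp) is handled; ARM64 takes the plain path`, would tell a reader why the other targets skip it. Syscall_Api_Invoke starts and ends outside these hunks.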
|
||||||
|
|
|
@ -53,8 +53,10 @@ typedef NTSTATUS (*P_Syscall_Handler2)(
|
||||||
PROCESS *proc, void *Object, UNICODE_STRING *Name,
|
PROCESS *proc, void *Object, UNICODE_STRING *Name,
|
||||||
ULONG Operation, ACCESS_MASK GrantedAccess);
|
ULONG Operation, ACCESS_MASK GrantedAccess);
|
||||||
|
|
||||||
|
#ifdef _M_AMD64
|
||||||
typedef BOOLEAN (*P_Syscall_Handler3_Support_Procmon_Stack)(
|
typedef BOOLEAN (*P_Syscall_Handler3_Support_Procmon_Stack)(
|
||||||
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
|
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
struct _SYSCALL_ENTRY {
|
struct _SYSCALL_ENTRY {
|
||||||
|
@ -66,7 +68,9 @@ struct _SYSCALL_ENTRY {
|
||||||
void *ntos_func;
|
void *ntos_func;
|
||||||
P_Syscall_Handler1 handler1_func;
|
P_Syscall_Handler1 handler1_func;
|
||||||
P_Syscall_Handler2 handler2_func;
|
P_Syscall_Handler2 handler2_func;
|
||||||
|
#ifdef _M_AMD64
|
||||||
P_Syscall_Handler3_Support_Procmon_Stack handler3_func_support_procmon;
|
P_Syscall_Handler3_Support_Procmon_Stack handler3_func_support_procmon;
|
||||||
|
#endif
|
||||||
UCHAR approved;
|
UCHAR approved;
|
||||||
USHORT name_len;
|
USHORT name_len;
|
||||||
UCHAR name[1];
|
UCHAR name[1];
|
||||||
|
@ -89,7 +93,9 @@ BOOLEAN Syscall_Set1(const UCHAR *name, P_Syscall_Handler1 handler_func);
|
||||||
|
|
||||||
BOOLEAN Syscall_Set2(const UCHAR *name, P_Syscall_Handler2 handler_func);
|
BOOLEAN Syscall_Set2(const UCHAR *name, P_Syscall_Handler2 handler_func);
|
||||||
|
|
||||||
|
#ifdef _M_AMD64
|
||||||
BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_Stack handler_func);
|
BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_Stack handler_func);
|
||||||
|
#endif
|
||||||
|
|
||||||
NTSTATUS Syscall_Invoke(SYSCALL_ENTRY *entry, ULONG_PTR *stack);
|
NTSTATUS Syscall_Invoke(SYSCALL_ENTRY *entry, ULONG_PTR *stack);
|
||||||
|
|
||||||
|
|
|
@ -363,7 +363,9 @@ _FX BOOLEAN Syscall_Init_List32(void)
|
||||||
entry->ntos_func = ntos_addr;
|
entry->ntos_func = ntos_addr;
|
||||||
entry->handler1_func = NULL;
|
entry->handler1_func = NULL;
|
||||||
entry->handler2_func = NULL;
|
entry->handler2_func = NULL;
|
||||||
|
#ifdef _M_AMD64
|
||||||
entry->handler3_func_support_procmon = NULL;
|
entry->handler3_func_support_procmon = NULL;
|
||||||
|
#endif
|
||||||
entry->approved = (Syscall_HookMapMatch(name, name_len, &approved_syscalls) != 0);
|
entry->approved = (Syscall_HookMapMatch(name, name_len, &approved_syscalls) != 0);
|
||||||
entry->name_len = (USHORT)name_len;
|
entry->name_len = (USHORT)name_len;
|
||||||
memcpy(entry->name, name, name_len);
|
memcpy(entry->name, name, name_len);
|
||||||
|
@ -470,7 +472,7 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms)
|
||||||
SYSCALL_ENTRY *entry;
|
SYSCALL_ENTRY *entry;
|
||||||
ULONG syscall_index;
|
ULONG syscall_index;
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
#ifdef _WIN64
|
#ifdef _M_AMD64
|
||||||
volatile ULONG_PTR ret = 0;
|
volatile ULONG_PTR ret = 0;
|
||||||
volatile ULONG_PTR UserStack = 0;
|
volatile ULONG_PTR UserStack = 0;
|
||||||
|
|
||||||
|
@ -537,7 +539,10 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms)
|
||||||
const ULONG args_len = entry->param_count * sizeof(ULONG_PTR);
|
const ULONG args_len = entry->param_count * sizeof(ULONG_PTR);
|
||||||
#ifdef _WIN64
|
#ifdef _WIN64
|
||||||
ProbeForRead(user_args, args_len, sizeof(ULONG_PTR));
|
ProbeForRead(user_args, args_len, sizeof(ULONG_PTR));
|
||||||
|
#else ! _WIN64
|
||||||
|
ProbeForRead(user_args, args_len, sizeof(UCHAR));
|
||||||
|
#endif _WIN64
|
||||||
|
#ifdef _M_AMD64
|
||||||
// default - support procmon stack if handler3_func_support_procmon is null.
|
// default - support procmon stack if handler3_func_support_procmon is null.
|
||||||
if (!entry->handler3_func_support_procmon
|
if (!entry->handler3_func_support_procmon
|
||||||
|| entry->handler3_func_support_procmon(proc, entry, user_args)
|
|| entry->handler3_func_support_procmon(proc, entry, user_args)
|
||||||
|
@ -547,30 +552,22 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms)
|
||||||
|
|
||||||
pTrapFrame = (PKTRAP_FRAME) *(ULONG_PTR*)((UCHAR*)pThread + g_TrapFrameOffset);
|
pTrapFrame = (PKTRAP_FRAME) *(ULONG_PTR*)((UCHAR*)pThread + g_TrapFrameOffset);
|
||||||
if (pTrapFrame) {
|
if (pTrapFrame) {
|
||||||
#ifdef _M_ARM64
|
|
||||||
ret = pTrapFrame->Pc;
|
|
||||||
UserStack = pTrapFrame->Sp;
|
|
||||||
#else
|
|
||||||
ret = pTrapFrame->Rip;
|
ret = pTrapFrame->Rip;
|
||||||
UserStack = pTrapFrame->Rsp;
|
UserStack = pTrapFrame->Rsp;
|
||||||
pTrapFrame->Rsp = pTrapFrame->Rbp; //*pRbp;
|
pTrapFrame->Rsp = pTrapFrame->Rbp; //*pRbp;
|
||||||
pTrapFrame->Rip = pTrapFrame->Rbx; //*pRbx;
|
pTrapFrame->Rip = pTrapFrame->Rbx; //*pRbx;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
pTrapFrame = NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
pTrapFrame = NULL;
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
pTrapFrame = NULL;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
pTrapFrame = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
#else ! _WIN64
|
|
||||||
ProbeForRead(user_args, args_len, sizeof(UCHAR));
|
|
||||||
#endif _WIN64
|
|
||||||
|
|
||||||
if (entry->handler1_func) {
|
if (entry->handler1_func) {
|
||||||
|
|
||||||
|
@ -607,16 +604,11 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms)
|
||||||
strings, lengths, PsGetCurrentProcessId(), PsGetCurrentThreadId());
|
strings, lengths, PsGetCurrentProcessId(), PsGetCurrentThreadId());
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef _WIN64
|
#ifdef _M_AMD64
|
||||||
if (g_TrapFrameOffset) {
|
if (g_TrapFrameOffset) {
|
||||||
if (pTrapFrame) {
|
if (pTrapFrame) {
|
||||||
#ifdef _M_ARM64
|
|
||||||
pTrapFrame->Pc = ret;
|
|
||||||
pTrapFrame->Sp = UserStack;
|
|
||||||
#else
|
|
||||||
pTrapFrame->Rip = ret;
|
pTrapFrame->Rip = ret;
|
||||||
pTrapFrame->Rsp = UserStack;
|
pTrapFrame->Rsp = UserStack;
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
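Review bot: The re-added `#else ! _WIN64` and `#endif _WIN64` lines in Syscall_Api_Invoke32 place bare tokens after the directive, which is not valid standard C (MSVC warns, clang flags it with -Wextra-tokens); use `#else /* !_WIN64 */` and `#endif /* _WIN64 */` instead. Unlike syscall.c, the ARM64 branch here was live code (`ret = pTrapFrame->Pc; UserStack = pTrapFrame->Sp;` and the matching restore), and with `ret`, `UserStack` and the trap-frame block now under `_M_AMD64` those variables no longer exist on ARM64, so any reference to them or to `pTrapFrame` that survives outside these hunks would not compile there — worth a build on that target, which this page cannot confirm. Syscall_Api_Invoke32 starts and ends outside the hunks shown.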
|
||||||
|
|
|
@ -150,8 +150,10 @@ finish:
|
||||||
|
|
||||||
if (hProcess) {
|
if (hProcess) {
|
||||||
|
|
||||||
if (errlvl)
|
if (errlvl) {
|
||||||
TerminateProcess(hProcess, 1);
|
SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, NULL, errlvl);
|
||||||
|
//TerminateProcess(hProcess, 1);
|
||||||
|
}
|
||||||
|
|
||||||
CloseHandle(hProcess);
|
CloseHandle(hProcess);
|
||||||
}
|
}
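Review bot: The result of the new `SbieApi_Call(API_INJECT_COMPLETE, ...)` is discarded and the `TerminateProcess` fallback is reduced to a comment, so if the driver rejects or fails the call (for example the process is no longer found) a process whose injection failed is left running with nothing terminating or flagging it. Keep the local kill as the fallback rather than as dead code: `if (!NT_SUCCESS(SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, NULL, errlvl))) TerminateProcess(hProcess, 1);` — and delete the commented-out line, since on success the driver side now handles termination through Process_SetTerminated. This assumes SbieApi_Call returns the driver's NTSTATUS, which the hunk does not show; the enclosing function starts outside the hunk.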
|
||||||
|
|