This commit is contained in:
DavidXanatos 2023-05-07 22:00:01 +02:00
parent 51d2ca4063
commit 8391574061
5 changed files with 52 additions and 53 deletions


@ -99,7 +99,7 @@ _FX BOOLEAN Process_Low_Inject(
SVC_PROCESS_MSG msg; SVC_PROCESS_MSG msg;
ULONG_PTR is_wow64 = 0; ULONG_PTR is_wow64 = 0;
NTSTATUS status = STATUS_SUCCESS; NTSTATUS status = STATUS_SUCCESS;
BOOLEAN sbielow_loaded = FALSE; BOOLEAN done = FALSE;
KIRQL irql; KIRQL irql;
// //
@ -179,7 +179,7 @@ _FX BOOLEAN Process_Low_Inject(
if (proc && proc->create_time == create_time) { if (proc && proc->create_time == create_time) {
sbielow_loaded = proc->sbielow_loaded; done = proc->sbielow_loaded || proc->terminated;
if (! is_wow64) if (! is_wow64)
proc->ntdll32_base = -1; proc->ntdll32_base = -1;
@ -188,7 +188,7 @@ _FX BOOLEAN Process_Low_Inject(
ExReleaseResourceLite(Process_ListLock); ExReleaseResourceLite(Process_ListLock);
KeLowerIrql(irql); KeLowerIrql(irql);
if (sbielow_loaded) if (done)
break; break;
time.QuadPart = -(SECONDS(1) / 4); // 250ms*40 = 10s time.QuadPart = -(SECONDS(1) / 4); // 250ms*40 = 10s
@ -197,7 +197,7 @@ _FX BOOLEAN Process_Low_Inject(
++retries; ++retries;
} }
if (! sbielow_loaded) // if no response from SbieSvc if (! done) // if no response from SbieSvc
status = STATUS_TIMEOUT; status = STATUS_TIMEOUT;
} }
@ -254,14 +254,14 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms)
KIRQL irql; KIRQL irql;
PROCESS *proc = Process_Find(ProcessId, &irql); PROCESS *proc = Process_Find(ProcessId, &irql);
if (proc)
proc->sbielow_loaded = TRUE;
ExReleaseResourceLite(Process_ListLock);
KeLowerIrql(irql);
if (proc) { if (proc) {
ULONG error = (ULONG)parms[3];
if (error)
Process_SetTerminated(proc, 3);
else
proc->sbielow_loaded = TRUE;
// //
// the service dynamically allocates a per box SID to be used, // the service dynamically allocates a per box SID to be used,
// if no SID is provided this feature is either disabled or failed // if no SID is provided this feature is either disabled or failed
@ -284,6 +284,12 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms)
} __except (EXCEPTION_EXECUTE_HANDLER) { } __except (EXCEPTION_EXECUTE_HANDLER) {
status = GetExceptionCode(); status = GetExceptionCode();
} }
}
ExReleaseResourceLite(Process_ListLock);
KeLowerIrql(irql);
if (proc) {
KeSetEvent(Process_Low_Event, 0, FALSE); KeSetEvent(Process_Low_Event, 0, FALSE);
status = STATUS_SUCCESS; status = STATUS_SUCCESS;
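Review bot: In Process_Low_Api_InjectComplete the new error branch calls Process_SetTerminated(proc, 3) while the lock taken by Process_Find is still held, because ExReleaseResourceLite(Process_ListLock) and KeLowerIrql(irql) now come after the whole `if (proc)` body; if Process_SetTerminated re-acquires Process_ListLock or does work that must run below APC_LEVEL, that is a lock-recursion / IRQL hazard, so either confirm it is safe under the list lock or record `error` there and call Process_SetTerminated after the release. Separately, in Process_Low_Inject the merged `done` flag makes a service-reported failure return STATUS_SUCCESS: when the wait loop exits because proc->terminated was set, `status` is never changed, so a caller that does not re-check proc->terminated cannot tell that injection failed. I would keep both flags, `sbielow_loaded = proc->sbielow_loaded; done = sbielow_loaded || proc->terminated;`, and after the loop add `else if (!sbielow_loaded) status = STATUS_PROCESS_IS_TERMINATING;`. Both functions begin and end outside the visible hunks.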


@ -68,8 +68,10 @@ static NTSTATUS Syscall_DeviceIoControlFile(
static NTSTATUS Syscall_DuplicateHandle( static NTSTATUS Syscall_DuplicateHandle(
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args); PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
#ifdef _M_AMD64
static BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack( static BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack(
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args); PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
#endif
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
@ -169,8 +171,10 @@ _FX BOOLEAN Syscall_Init(void)
if (!Syscall_Set1("DeviceIoControlFile", Syscall_DeviceIoControlFile)) if (!Syscall_Set1("DeviceIoControlFile", Syscall_DeviceIoControlFile))
return FALSE; return FALSE;
#ifdef _M_AMD64
if (!Syscall_Set3("QuerySystemInformation", Syscall_QuerySystemInfo_SupportProcmonStack)) if (!Syscall_Set3("QuerySystemInformation", Syscall_QuerySystemInfo_SupportProcmonStack))
return FALSE; return FALSE;
#endif
// //
// set API handlers // set API handlers
@ -338,7 +342,9 @@ _FX BOOLEAN Syscall_Init_List(void)
entry->ntos_func = ntos_addr; entry->ntos_func = ntos_addr;
entry->handler1_func = NULL; entry->handler1_func = NULL;
entry->handler2_func = NULL; entry->handler2_func = NULL;
#ifdef _M_AMD64
entry->handler3_func_support_procmon = NULL; entry->handler3_func_support_procmon = NULL;
#endif
entry->approved = (Syscall_HookMapMatch(name, name_len, &approved_syscalls) != 0); entry->approved = (Syscall_HookMapMatch(name, name_len, &approved_syscalls) != 0);
entry->name_len = (USHORT)name_len; entry->name_len = (USHORT)name_len;
memcpy(entry->name, name, name_len); memcpy(entry->name, name, name_len);
@ -526,7 +532,7 @@ _FX BOOLEAN Syscall_Set1(const UCHAR *name, P_Syscall_Handler1 handler_func)
// Syscall_Set3 // Syscall_Set3
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
#ifdef _M_AMD64
_FX BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_Stack handler_func) _FX BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_Stack handler_func)
{ {
SYSCALL_ENTRY *entry = Syscall_GetByName(name); SYSCALL_ENTRY *entry = Syscall_GetByName(name);
@ -535,7 +541,7 @@ _FX BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_S
entry->handler3_func_support_procmon = handler_func; entry->handler3_func_support_procmon = handler_func;
return TRUE; return TRUE;
} }
#endif
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
// Syscall_ErrorForAsciiName // Syscall_ErrorForAsciiName
@ -598,7 +604,7 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms)
SYSCALL_ENTRY *entry; SYSCALL_ENTRY *entry;
ULONG syscall_index; ULONG syscall_index;
NTSTATUS status; NTSTATUS status;
#ifdef _WIN64 #ifdef _M_AMD64
volatile ULONG_PTR ret = 0; volatile ULONG_PTR ret = 0;
volatile ULONG_PTR UserStack = 0; volatile ULONG_PTR UserStack = 0;
@ -690,7 +696,10 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms)
const ULONG args_len = entry->param_count * sizeof(ULONG_PTR); const ULONG args_len = entry->param_count * sizeof(ULONG_PTR);
#ifdef _WIN64 #ifdef _WIN64
ProbeForRead(user_args, args_len, sizeof(ULONG_PTR)); ProbeForRead(user_args, args_len, sizeof(ULONG_PTR));
#else ! _WIN64
ProbeForRead(user_args, args_len, sizeof(UCHAR));
#endif _WIN64
#ifdef _M_AMD64
// default - support procmon stack if handler3_func_support_procmon is null. // default - support procmon stack if handler3_func_support_procmon is null.
if (!entry->handler3_func_support_procmon if (!entry->handler3_func_support_procmon
|| entry->handler3_func_support_procmon(proc, entry, user_args) || entry->handler3_func_support_procmon(proc, entry, user_args)
@ -700,33 +709,22 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms)
pTrapFrame = (PKTRAP_FRAME) *(ULONG_PTR*)((UCHAR*)pThread + g_TrapFrameOffset); pTrapFrame = (PKTRAP_FRAME) *(ULONG_PTR*)((UCHAR*)pThread + g_TrapFrameOffset);
if (pTrapFrame) { if (pTrapFrame) {
#ifdef _M_ARM64
//ret = pTrapFrame->Pc;
//UserStack = pTrapFrame->Sp;
//pTrapFrame->Sp = pTrapFrame->Fp;
//pTrapFrame->Pc = pTrapFrame->X27;
#else
ret = pTrapFrame->Rip; ret = pTrapFrame->Rip;
UserStack = pTrapFrame->Rsp; UserStack = pTrapFrame->Rsp;
pTrapFrame->Rsp = pTrapFrame->Rbp; //*pRbp; pTrapFrame->Rsp = pTrapFrame->Rbp; //*pRbp;
pTrapFrame->Rip = pTrapFrame->Rbx; //*pRbx; pTrapFrame->Rip = pTrapFrame->Rbx; //*pRbx;
}
}
else
{
pTrapFrame = NULL;
}
}
else
{
pTrapFrame = NULL;
}
#endif #endif
}
}
else
{
pTrapFrame = NULL;
}
}
else
{
pTrapFrame = NULL;
}
#else ! _WIN64
ProbeForRead(user_args, args_len, sizeof(UCHAR));
#endif _WIN64
//if (proc->ipc_trace & (TRACE_ALLOW | TRACE_DENY)) //if (proc->ipc_trace & (TRACE_ALLOW | TRACE_DENY))
//{ //{
@ -846,16 +844,11 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms)
} }
} }
#ifdef _WIN64 #ifdef _M_AMD64
if (g_TrapFrameOffset) { if (g_TrapFrameOffset) {
if (pTrapFrame) { if (pTrapFrame) {
#ifdef _M_ARM64
//pTrapFrame->Pc = ret;
//pTrapFrame->Sp = UserStack;
#else
pTrapFrame->Rip = ret; pTrapFrame->Rip = ret;
pTrapFrame->Rsp = UserStack; pTrapFrame->Rsp = UserStack;
#endif
} }
} }
#endif #endif
@ -1040,7 +1033,7 @@ _FX void Syscall_Update_Lockdown()
// Syscall_QuerySystemInfo_SupportProcmonStack // Syscall_QuerySystemInfo_SupportProcmonStack
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
#ifdef _M_AMD64
_FX BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack( _FX BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack(
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args) PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args)
{ {
@ -1066,7 +1059,7 @@ _FX BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack(
return bRet; return bRet;
} }
#endif
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
// 32-bit and 64-bit code // 32-bit and 64-bit code
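Review bot: The relocated ProbeForRead block in Syscall_Api_Invoke keeps `#else ! _WIN64` and `#endif _WIN64`, which leave bare tokens after a preprocessor directive; that is a constraint violation in standard C (MSVC only warns, C4067), and the same two lines are now repeated in Syscall_Api_Invoke32. Write them as `#else /* !_WIN64 */` and `#endif /* _WIN64 */`. The AMD64 restore block at the end of the function relies on pTrapFrame already being NULL on the path where handler3_func_support_procmon returns FALSE; its declaration sits outside the hunk, so please confirm it is initialized there like `ret` and `UserStack` are. Syscall_Api_Invoke starts and ends outside the visible hunks.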


@ -53,8 +53,10 @@ typedef NTSTATUS (*P_Syscall_Handler2)(
PROCESS *proc, void *Object, UNICODE_STRING *Name, PROCESS *proc, void *Object, UNICODE_STRING *Name,
ULONG Operation, ACCESS_MASK GrantedAccess); ULONG Operation, ACCESS_MASK GrantedAccess);
#ifdef _M_AMD64
typedef BOOLEAN (*P_Syscall_Handler3_Support_Procmon_Stack)( typedef BOOLEAN (*P_Syscall_Handler3_Support_Procmon_Stack)(
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args); PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
#endif
struct _SYSCALL_ENTRY { struct _SYSCALL_ENTRY {
@ -66,7 +68,9 @@ struct _SYSCALL_ENTRY {
void *ntos_func; void *ntos_func;
P_Syscall_Handler1 handler1_func; P_Syscall_Handler1 handler1_func;
P_Syscall_Handler2 handler2_func; P_Syscall_Handler2 handler2_func;
#ifdef _M_AMD64
P_Syscall_Handler3_Support_Procmon_Stack handler3_func_support_procmon; P_Syscall_Handler3_Support_Procmon_Stack handler3_func_support_procmon;
#endif
UCHAR approved; UCHAR approved;
USHORT name_len; USHORT name_len;
UCHAR name[1]; UCHAR name[1];
@ -89,7 +93,9 @@ BOOLEAN Syscall_Set1(const UCHAR *name, P_Syscall_Handler1 handler_func);
BOOLEAN Syscall_Set2(const UCHAR *name, P_Syscall_Handler2 handler_func); BOOLEAN Syscall_Set2(const UCHAR *name, P_Syscall_Handler2 handler_func);
#ifdef _M_AMD64
BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_Stack handler_func); BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_Stack handler_func);
#endif
NTSTATUS Syscall_Invoke(SYSCALL_ENTRY *entry, ULONG_PTR *stack); NTSTATUS Syscall_Invoke(SYSCALL_ENTRY *entry, ULONG_PTR *stack);
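Review bot: The new `#ifdef _M_AMD64` around P_Syscall_Handler3_Support_Procmon_Stack, the handler3_func_support_procmon member and Syscall_Set3 carries no comment saying why the feature is x64-only, and it silently changes the layout of SYSCALL_ENTRY between targets. I would add above the typedef: `// Procmon call-stack support rewrites the x64 KTRAP_FRAME (Rip/Rsp are swapped with Rbx/Rbp in Syscall_Api_Invoke); it is compiled out on other targets, including ARM64, where SYSCALL_ENTRY has no handler3 slot.` The struct _SYSCALL_ENTRY definition starts outside the hunk.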


@ -363,7 +363,9 @@ _FX BOOLEAN Syscall_Init_List32(void)
entry->ntos_func = ntos_addr; entry->ntos_func = ntos_addr;
entry->handler1_func = NULL; entry->handler1_func = NULL;
entry->handler2_func = NULL; entry->handler2_func = NULL;
#ifdef _M_AMD64
entry->handler3_func_support_procmon = NULL; entry->handler3_func_support_procmon = NULL;
#endif
entry->approved = (Syscall_HookMapMatch(name, name_len, &approved_syscalls) != 0); entry->approved = (Syscall_HookMapMatch(name, name_len, &approved_syscalls) != 0);
entry->name_len = (USHORT)name_len; entry->name_len = (USHORT)name_len;
memcpy(entry->name, name, name_len); memcpy(entry->name, name, name_len);
@ -470,7 +472,7 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms)
SYSCALL_ENTRY *entry; SYSCALL_ENTRY *entry;
ULONG syscall_index; ULONG syscall_index;
NTSTATUS status; NTSTATUS status;
#ifdef _WIN64 #ifdef _M_AMD64
volatile ULONG_PTR ret = 0; volatile ULONG_PTR ret = 0;
volatile ULONG_PTR UserStack = 0; volatile ULONG_PTR UserStack = 0;
@ -537,7 +539,10 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms)
const ULONG args_len = entry->param_count * sizeof(ULONG_PTR); const ULONG args_len = entry->param_count * sizeof(ULONG_PTR);
#ifdef _WIN64 #ifdef _WIN64
ProbeForRead(user_args, args_len, sizeof(ULONG_PTR)); ProbeForRead(user_args, args_len, sizeof(ULONG_PTR));
#else ! _WIN64
ProbeForRead(user_args, args_len, sizeof(UCHAR));
#endif _WIN64
#ifdef _M_AMD64
// default - support procmon stack if handler3_func_support_procmon is null. // default - support procmon stack if handler3_func_support_procmon is null.
if (!entry->handler3_func_support_procmon if (!entry->handler3_func_support_procmon
|| entry->handler3_func_support_procmon(proc, entry, user_args) || entry->handler3_func_support_procmon(proc, entry, user_args)
@ -547,30 +552,22 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms)
pTrapFrame = (PKTRAP_FRAME) *(ULONG_PTR*)((UCHAR*)pThread + g_TrapFrameOffset); pTrapFrame = (PKTRAP_FRAME) *(ULONG_PTR*)((UCHAR*)pThread + g_TrapFrameOffset);
if (pTrapFrame) { if (pTrapFrame) {
#ifdef _M_ARM64
ret = pTrapFrame->Pc;
UserStack = pTrapFrame->Sp;
#else
ret = pTrapFrame->Rip; ret = pTrapFrame->Rip;
UserStack = pTrapFrame->Rsp; UserStack = pTrapFrame->Rsp;
pTrapFrame->Rsp = pTrapFrame->Rbp; //*pRbp; pTrapFrame->Rsp = pTrapFrame->Rbp; //*pRbp;
pTrapFrame->Rip = pTrapFrame->Rbx; //*pRbx; pTrapFrame->Rip = pTrapFrame->Rbx; //*pRbx;
}
}
else
{
pTrapFrame = NULL;
}
}
else
{
pTrapFrame = NULL;
}
#endif #endif
}
}
else
{
pTrapFrame = NULL;
}
}
else
{
pTrapFrame = NULL;
}
#else ! _WIN64
ProbeForRead(user_args, args_len, sizeof(UCHAR));
#endif _WIN64
if (entry->handler1_func) { if (entry->handler1_func) {
@ -607,16 +604,11 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms)
strings, lengths, PsGetCurrentProcessId(), PsGetCurrentThreadId()); strings, lengths, PsGetCurrentProcessId(), PsGetCurrentThreadId());
} }
#ifdef _WIN64 #ifdef _M_AMD64
if (g_TrapFrameOffset) { if (g_TrapFrameOffset) {
if (pTrapFrame) { if (pTrapFrame) {
#ifdef _M_ARM64
pTrapFrame->Pc = ret;
pTrapFrame->Sp = UserStack;
#else
pTrapFrame->Rip = ret; pTrapFrame->Rip = ret;
pTrapFrame->Rsp = UserStack; pTrapFrame->Rsp = UserStack;
#endif
} }
} }
#endif #endif
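Review bot: The AMD64 trap-frame swap and its restore in Syscall_Api_Invoke32 are now a line-for-line copy of the same code in Syscall_Api_Invoke (syscall.c), including the two-deep `else { pTrapFrame = NULL; }` ladder, so a future fix to one copy (a different register choice, an extra validity check) is easy to miss in the other. I would move the two register sequences into small static helpers and document there what the swap is for; judging by the `// 32-bit and 64-bit code` section in syscall.c the per-arch files appear to be pulled into one translation unit, so `static` helpers there would be visible to both paths, but confirm the include structure. The hunks show only the inner part of Syscall_Api_Invoke32, which starts and ends outside them.

```c
// Point the trap frame's user return/stack at the caller-saved Rbx/Rbp
// (presumably so Procmon's stack walk reports the original call site —
// confirm). The previous values are returned through ret/user_stack.
static void Syscall_EnterProcmonStack(PKTRAP_FRAME frame, volatile ULONG_PTR *ret, volatile ULONG_PTR *user_stack)
{
    *ret = frame->Rip;
    *user_stack = frame->Rsp;
    frame->Rsp = frame->Rbp;
    frame->Rip = frame->Rbx;
}

// Undo Syscall_EnterProcmonStack once the real syscall has run.
static void Syscall_RestoreProcmonStack(PKTRAP_FRAME frame, ULONG_PTR ret, ULONG_PTR user_stack)
{
    frame->Rip = ret;
    frame->Rsp = user_stack;
}

// … in Syscall_Api_Invoke32, replacing the four assignments on pTrapFrame:
Syscall_EnterProcmonStack(pTrapFrame, &ret, &UserStack);
// … unchanged: handler1 dispatch and tracing …
Syscall_RestoreProcmonStack(pTrapFrame, ret, UserStack);
```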


@ -150,8 +150,10 @@ finish:
if (hProcess) { if (hProcess) {
if (errlvl) if (errlvl) {
TerminateProcess(hProcess, 1); SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, NULL, errlvl);
//TerminateProcess(hProcess, 1);
}
CloseHandle(hProcess); CloseHandle(hProcess);
} }
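Review bot: The return value of the SbieApi_Call(API_INJECT_COMPLETE, ...) that replaces TerminateProcess is ignored, so if the driver call fails (target already gone, request rejected) the process whose injection failed is now terminated by neither the driver nor the service, whereas before it was always killed; assuming SbieApi_Call returns an NTSTATUS with 0 meaning success (confirm), `if (SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, (ULONG_PTR)NULL, (ULONG_PTR)errlvl) != 0) TerminateProcess(hProcess, 1);` keeps the old fallback. Casting `errlvl` to ULONG_PTR like `msg->process_id` also avoids passing a narrower integer through the variadic call that the driver reads as `(ULONG)parms[3]`. The commented-out `//TerminateProcess(hProcess, 1);` should be deleted rather than left behind. The function this `finish:` label belongs to begins outside the hunk.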