1.9.3
This commit is contained in:
parent
51d2ca4063
commit
8391574061
|
@ -99,7 +99,7 @@ _FX BOOLEAN Process_Low_Inject(
|
|||
SVC_PROCESS_MSG msg;
|
||||
ULONG_PTR is_wow64 = 0;
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
BOOLEAN sbielow_loaded = FALSE;
|
||||
BOOLEAN done = FALSE;
|
||||
KIRQL irql;
|
||||
|
||||
//
|
||||
|
@ -179,7 +179,7 @@ _FX BOOLEAN Process_Low_Inject(
|
|||
|
||||
if (proc && proc->create_time == create_time) {
|
||||
|
||||
sbielow_loaded = proc->sbielow_loaded;
|
||||
done = proc->sbielow_loaded || proc->terminated;
|
||||
|
||||
if (! is_wow64)
|
||||
proc->ntdll32_base = -1;
|
||||
|
@ -188,7 +188,7 @@ _FX BOOLEAN Process_Low_Inject(
|
|||
ExReleaseResourceLite(Process_ListLock);
|
||||
KeLowerIrql(irql);
|
||||
|
||||
if (sbielow_loaded)
|
||||
if (done)
|
||||
break;
|
||||
|
||||
time.QuadPart = -(SECONDS(1) / 4); // 250ms*40 = 10s
|
||||
|
@ -197,7 +197,7 @@ _FX BOOLEAN Process_Low_Inject(
|
|||
++retries;
|
||||
}
|
||||
|
||||
if (! sbielow_loaded) // if no response from SbieSvc
|
||||
if (! done) // if no response from SbieSvc
|
||||
status = STATUS_TIMEOUT;
|
||||
}
|
||||
|
||||
|
@ -254,14 +254,14 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms)
|
|||
KIRQL irql;
|
||||
PROCESS *proc = Process_Find(ProcessId, &irql);
|
||||
|
||||
if (proc)
|
||||
proc->sbielow_loaded = TRUE;
|
||||
|
||||
ExReleaseResourceLite(Process_ListLock);
|
||||
KeLowerIrql(irql);
|
||||
|
||||
if (proc) {
|
||||
|
||||
ULONG error = (ULONG)parms[3];
|
||||
if (error)
|
||||
Process_SetTerminated(proc, 3);
|
||||
else
|
||||
proc->sbielow_loaded = TRUE;
|
||||
|
||||
//
|
||||
// the service dynamically allocates a per box SID to be used,
|
||||
// if no SID is provided this feature is either disabled or failed
|
||||
|
@ -284,6 +284,12 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms)
|
|||
} __except (EXCEPTION_EXECUTE_HANDLER) {
|
||||
status = GetExceptionCode();
|
||||
}
|
||||
}
|
||||
|
||||
ExReleaseResourceLite(Process_ListLock);
|
||||
KeLowerIrql(irql);
|
||||
|
||||
if (proc) {
|
||||
|
||||
KeSetEvent(Process_Low_Event, 0, FALSE);
|
||||
status = STATUS_SUCCESS;
|
||||
|
|
|
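Review bot: With the wait loop now exiting on `done`, a process that the driver has already marked `terminated` (the `Process_SetTerminated(proc, 3)` path in Process_Low_Api_InjectComplete) leaves `status` at STATUS_SUCCESS while `sbielow_loaded` stays FALSE, so any code after the `if (! done)` check that derives the result from `status` alone would report a failed injection as success; whether the function's return depends on `status` or on `sbielow_loaded` is outside the hunk. If the two exits are meant to be distinguishable, spell it out: `if (! done) status = STATUS_TIMEOUT; else if (! sbielow_loaded) status = STATUS_PROCESS_IS_TERMINATING;`. In the @@ -254 hunk, the `Process_SetTerminated` call and the per-box SID work appear to run while Process_ListLock is still held (the `ExReleaseResourceLite` / `KeLowerIrql` pair now follows the `__except` block), which is worth a one-line comment such as `// proc is only valid while Process_ListLock is held; finish all proc updates before releasing it`. Process_Low_Inject and Process_Low_Api_InjectComplete both start and end outside their hunks.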
@ -68,8 +68,10 @@ static NTSTATUS Syscall_DeviceIoControlFile(
|
|||
static NTSTATUS Syscall_DuplicateHandle(
|
||||
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
|
||||
|
||||
#ifdef _M_AMD64
|
||||
static BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack(
|
||||
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
|
||||
#endif
|
||||
|
||||
|
||||
//---------------------------------------------------------------------------
|
||||
|
@ -169,8 +171,10 @@ _FX BOOLEAN Syscall_Init(void)
|
|||
if (!Syscall_Set1("DeviceIoControlFile", Syscall_DeviceIoControlFile))
|
||||
return FALSE;
|
||||
|
||||
#ifdef _M_AMD64
|
||||
if (!Syscall_Set3("QuerySystemInformation", Syscall_QuerySystemInfo_SupportProcmonStack))
|
||||
return FALSE;
|
||||
#endif
|
||||
|
||||
//
|
||||
// set API handlers
|
||||
|
@ -338,7 +342,9 @@ _FX BOOLEAN Syscall_Init_List(void)
|
|||
entry->ntos_func = ntos_addr;
|
||||
entry->handler1_func = NULL;
|
||||
entry->handler2_func = NULL;
|
||||
#ifdef _M_AMD64
|
||||
entry->handler3_func_support_procmon = NULL;
|
||||
#endif
|
||||
entry->approved = (Syscall_HookMapMatch(name, name_len, &approved_syscalls) != 0);
|
||||
entry->name_len = (USHORT)name_len;
|
||||
memcpy(entry->name, name, name_len);
|
||||
|
@ -526,7 +532,7 @@ _FX BOOLEAN Syscall_Set1(const UCHAR *name, P_Syscall_Handler1 handler_func)
|
|||
// Syscall_Set3
|
||||
//---------------------------------------------------------------------------
|
||||
|
||||
|
||||
#ifdef _M_AMD64
|
||||
_FX BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_Stack handler_func)
|
||||
{
|
||||
SYSCALL_ENTRY *entry = Syscall_GetByName(name);
|
||||
|
@ -535,7 +541,7 @@ _FX BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_S
|
|||
entry->handler3_func_support_procmon = handler_func;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
//---------------------------------------------------------------------------
|
||||
// Syscall_ErrorForAsciiName
|
||||
|
@ -598,7 +604,7 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms)
|
|||
SYSCALL_ENTRY *entry;
|
||||
ULONG syscall_index;
|
||||
NTSTATUS status;
|
||||
#ifdef _WIN64
|
||||
#ifdef _M_AMD64
|
||||
volatile ULONG_PTR ret = 0;
|
||||
volatile ULONG_PTR UserStack = 0;
|
||||
|
||||
|
@ -690,7 +696,10 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms)
|
|||
const ULONG args_len = entry->param_count * sizeof(ULONG_PTR);
|
||||
#ifdef _WIN64
|
||||
ProbeForRead(user_args, args_len, sizeof(ULONG_PTR));
|
||||
|
||||
#else ! _WIN64
|
||||
ProbeForRead(user_args, args_len, sizeof(UCHAR));
|
||||
#endif _WIN64
|
||||
#ifdef _M_AMD64
|
||||
// default - support procmon stack if handler3_func_support_procmon is null.
|
||||
if (!entry->handler3_func_support_procmon
|
||||
|| entry->handler3_func_support_procmon(proc, entry, user_args)
|
||||
|
@ -700,33 +709,22 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms)
|
|||
|
||||
pTrapFrame = (PKTRAP_FRAME) *(ULONG_PTR*)((UCHAR*)pThread + g_TrapFrameOffset);
|
||||
if (pTrapFrame) {
|
||||
#ifdef _M_ARM64
|
||||
//ret = pTrapFrame->Pc;
|
||||
//UserStack = pTrapFrame->Sp;
|
||||
//pTrapFrame->Sp = pTrapFrame->Fp;
|
||||
//pTrapFrame->Pc = pTrapFrame->X27;
|
||||
#else
|
||||
ret = pTrapFrame->Rip;
|
||||
UserStack = pTrapFrame->Rsp;
|
||||
pTrapFrame->Rsp = pTrapFrame->Rbp; //*pRbp;
|
||||
pTrapFrame->Rip = pTrapFrame->Rbx; //*pRbx;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
pTrapFrame = NULL;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
pTrapFrame = NULL;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
pTrapFrame = NULL;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
pTrapFrame = NULL;
|
||||
}
|
||||
|
||||
#else ! _WIN64
|
||||
ProbeForRead(user_args, args_len, sizeof(UCHAR));
|
||||
#endif _WIN64
|
||||
|
||||
|
||||
//if (proc->ipc_trace & (TRACE_ALLOW | TRACE_DENY))
|
||||
//{
|
||||
|
@ -846,16 +844,11 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms)
|
|||
}
|
||||
}
|
||||
|
||||
#ifdef _WIN64
|
||||
#ifdef _M_AMD64
|
||||
if (g_TrapFrameOffset) {
|
||||
if (pTrapFrame) {
|
||||
#ifdef _M_ARM64
|
||||
//pTrapFrame->Pc = ret;
|
||||
//pTrapFrame->Sp = UserStack;
|
||||
#else
|
||||
pTrapFrame->Rip = ret;
|
||||
pTrapFrame->Rsp = UserStack;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
@ -1040,7 +1033,7 @@ _FX void Syscall_Update_Lockdown()
|
|||
// Syscall_QuerySystemInfo_SupportProcmonStack
|
||||
//---------------------------------------------------------------------------
|
||||
|
||||
|
||||
#ifdef _M_AMD64
|
||||
_FX BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack(
|
||||
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args)
|
||||
{
|
||||
|
@ -1066,7 +1059,7 @@ _FX BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack(
|
|||
|
||||
return bRet;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
//---------------------------------------------------------------------------
|
||||
// 32-bit and 64-bit code
|
||||
|
|
|
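Review bot: The comment `// default - support procmon stack if handler3_func_support_procmon is null.` in the @@ -690 hunk states the condition but not what the default does; since the only uses of `ret`/`UserStack` are the swap in @@ -700 and the restore in @@ -846, say so: `// Unless a handler3 opts out by returning FALSE, swap the trap frame's Rip/Rsp for Rbx/Rbp for the duration of the call so a kernel stack capture sees the user-mode caller; restored after the call.` The condition itself continues past the end of the hunk. Now that the block is `#ifdef _M_AMD64`, the `#ifdef _M_ARM64` branch inside it (the commented `pTrapFrame->Pc` / `Sp` lines in @@ -700) can never be compiled in, so if it survives on the new side it should be dropped rather than left as dead code. The `#else ! _WIN64` and `#endif _WIN64` lines carry stray tokens after the directive, which GCC and MSVC both warn about; `#else /* !_WIN64 */` and `#endif /* _WIN64 */` is the portable spelling.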
@ -53,8 +53,10 @@ typedef NTSTATUS (*P_Syscall_Handler2)(
|
|||
PROCESS *proc, void *Object, UNICODE_STRING *Name,
|
||||
ULONG Operation, ACCESS_MASK GrantedAccess);
|
||||
|
||||
#ifdef _M_AMD64
|
||||
typedef BOOLEAN (*P_Syscall_Handler3_Support_Procmon_Stack)(
|
||||
PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args);
|
||||
#endif
|
||||
|
||||
|
||||
struct _SYSCALL_ENTRY {
|
||||
|
@ -66,7 +68,9 @@ struct _SYSCALL_ENTRY {
|
|||
void *ntos_func;
|
||||
P_Syscall_Handler1 handler1_func;
|
||||
P_Syscall_Handler2 handler2_func;
|
||||
#ifdef _M_AMD64
|
||||
P_Syscall_Handler3_Support_Procmon_Stack handler3_func_support_procmon;
|
||||
#endif
|
||||
UCHAR approved;
|
||||
USHORT name_len;
|
||||
UCHAR name[1];
|
||||
|
@ -89,7 +93,9 @@ BOOLEAN Syscall_Set1(const UCHAR *name, P_Syscall_Handler1 handler_func);
|
|||
|
||||
BOOLEAN Syscall_Set2(const UCHAR *name, P_Syscall_Handler2 handler_func);
|
||||
|
||||
#ifdef _M_AMD64
|
||||
BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_Stack handler_func);
|
||||
#endif
|
||||
|
||||
NTSTATUS Syscall_Invoke(SYSCALL_ENTRY *entry, ULONG_PTR *stack);
|
||||
|
||||
|
|
|
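Review bot: The new `handler3_func_support_procmon` field in `struct _SYSCALL_ENTRY` and the `P_Syscall_Handler3_Support_Procmon_Stack` typedef say nothing about the meaning of the return value; from the call site in syscall.c the handler is consulted before the trap-frame rewrite and a NULL handler means "always apply". Suggest on the field: `// optional; NULL = always apply the procmon-stack trap-frame rewrite for this syscall, otherwise TRUE applies it and FALSE skips it`. Because the field is conditional on `_M_AMD64`, the struct layout now differs between architectures; if anything outside the driver consumes these entries by offset or size, that would need to be checked, which cannot be determined from this hunk.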
@ -363,7 +363,9 @@ _FX BOOLEAN Syscall_Init_List32(void)
|
|||
entry->ntos_func = ntos_addr;
|
||||
entry->handler1_func = NULL;
|
||||
entry->handler2_func = NULL;
|
||||
#ifdef _M_AMD64
|
||||
entry->handler3_func_support_procmon = NULL;
|
||||
#endif
|
||||
entry->approved = (Syscall_HookMapMatch(name, name_len, &approved_syscalls) != 0);
|
||||
entry->name_len = (USHORT)name_len;
|
||||
memcpy(entry->name, name, name_len);
|
||||
|
@ -470,7 +472,7 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms)
|
|||
SYSCALL_ENTRY *entry;
|
||||
ULONG syscall_index;
|
||||
NTSTATUS status;
|
||||
#ifdef _WIN64
|
||||
#ifdef _M_AMD64
|
||||
volatile ULONG_PTR ret = 0;
|
||||
volatile ULONG_PTR UserStack = 0;
|
||||
|
||||
|
@ -537,7 +539,10 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms)
|
|||
const ULONG args_len = entry->param_count * sizeof(ULONG_PTR);
|
||||
#ifdef _WIN64
|
||||
ProbeForRead(user_args, args_len, sizeof(ULONG_PTR));
|
||||
|
||||
#else ! _WIN64
|
||||
ProbeForRead(user_args, args_len, sizeof(UCHAR));
|
||||
#endif _WIN64
|
||||
#ifdef _M_AMD64
|
||||
// default - support procmon stack if handler3_func_support_procmon is null.
|
||||
if (!entry->handler3_func_support_procmon
|
||||
|| entry->handler3_func_support_procmon(proc, entry, user_args)
|
||||
|
@ -547,30 +552,22 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms)
|
|||
|
||||
pTrapFrame = (PKTRAP_FRAME) *(ULONG_PTR*)((UCHAR*)pThread + g_TrapFrameOffset);
|
||||
if (pTrapFrame) {
|
||||
#ifdef _M_ARM64
|
||||
ret = pTrapFrame->Pc;
|
||||
UserStack = pTrapFrame->Sp;
|
||||
#else
|
||||
ret = pTrapFrame->Rip;
|
||||
UserStack = pTrapFrame->Rsp;
|
||||
pTrapFrame->Rsp = pTrapFrame->Rbp; //*pRbp;
|
||||
pTrapFrame->Rip = pTrapFrame->Rbx; //*pRbx;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
pTrapFrame = NULL;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
pTrapFrame = NULL;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
pTrapFrame = NULL;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
pTrapFrame = NULL;
|
||||
}
|
||||
|
||||
#else ! _WIN64
|
||||
ProbeForRead(user_args, args_len, sizeof(UCHAR));
|
||||
#endif _WIN64
|
||||
|
||||
if (entry->handler1_func) {
|
||||
|
||||
|
@ -607,16 +604,11 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms)
|
|||
strings, lengths, PsGetCurrentProcessId(), PsGetCurrentThreadId());
|
||||
}
|
||||
|
||||
#ifdef _WIN64
|
||||
#ifdef _M_AMD64
|
||||
if (g_TrapFrameOffset) {
|
||||
if (pTrapFrame) {
|
||||
#ifdef _M_ARM64
|
||||
pTrapFrame->Pc = ret;
|
||||
pTrapFrame->Sp = UserStack;
|
||||
#else
|
||||
pTrapFrame->Rip = ret;
|
||||
pTrapFrame->Rsp = UserStack;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
|
|
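Review bot: Syscall_Init_List32 now repeats the same run of `entry->` assignments as Syscall_Init_List in syscall.c, including the `#ifdef _M_AMD64` reset of `handler3_func_support_procmon`, and Syscall_Api_Invoke32 repeats the trap-frame save/restore blocks, so every future field or architecture change has to be made twice. A small shared helper, e.g. `static void Syscall_InitEntry(SYSCALL_ENTRY *entry, void *ntos_addr, const UCHAR *name, ULONG name_len)` holding the lines from `entry->ntos_func = ntos_addr;` through `memcpy(entry->name, name, name_len);`, would keep the 32-bit and 64-bit lists from drifting. The `ret = pTrapFrame->Pc;` / `UserStack = pTrapFrame->Sp;` lines under `#ifdef _M_ARM64` in the @@ -547 hunk sit inside a block that is now `#ifdef _M_AMD64`, so if they are on the new side they are unreachable and should go. Syscall_Init_List32 and Syscall_Api_Invoke32 begin and end outside their hunks.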
@ -150,8 +150,10 @@ finish:
|
|||
|
||||
if (hProcess) {
|
||||
|
||||
if (errlvl)
|
||||
TerminateProcess(hProcess, 1);
|
||||
if (errlvl) {
|
||||
SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, NULL, errlvl);
|
||||
//TerminateProcess(hProcess, 1);
|
||||
}
|
||||
|
||||
CloseHandle(hProcess);
|
||||
}
|
||||
|
|
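Review bot: The return value of `SbieApi_Call(API_INJECT_COMPLETE, 3, ...)` in the new `if (errlvl)` block is not checked, and `TerminateProcess(hProcess, 1)` is now commented out, so if that call does not reach the driver the process is neither terminated here nor marked terminated by the driver and keeps running after the SbieLow injection failed. Keep the old behaviour as a fallback, e.g. `if (SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, NULL, errlvl) != 0) TerminateProcess(hProcess, 1);` — assuming a zero return means success; otherwise compare against whatever success value SbieApi_Call documents. The commented-out `//TerminateProcess(hProcess, 1);` line should then be removed rather than left in place. The enclosing function begins before the `finish:` label and ends outside the hunk.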