BOOL InitializeNetapi32()
{
PVOID module;
NTSTATUS Status;
PLDR_MODULE Self, Netapi32;
UNICODE_STRING SystemRoot;
PVOID LoaderLockCookie;
LdrLockLoaderLock(0, nullptr, &LoaderLockCookie);
SCOPE_EXIT
{
LdrUnlockLoaderLock(0, LoaderLockCookie);
}
SCOPE_EXIT_END;
Self = FindLdrModuleByHandle(&__ImageBase);
if (Self == nullptr || Self->DllBase != &__ImageBase)
return TRUE;
Status = Rtl::GetSystemDirectory(&SystemRoot);
if (NT_FAILED(Status))
return 0;
module = Ldr::LoadDll(String(SystemRoot) + L"wtsapi32.dll");
RtlFreeUnicodeString(&SystemRoot);
LdrAddRefDll(LDR_ADDREF_DLL_PIN, module);
*(PVOID *)&StubWTSFreeMemory = GetRoutineAddress(module, "WTSFreeMemory");
*(PVOID *)&StubWTSQuerySessionInformationW = GetRoutineAddress(module, "WTSQuerySessionInformationW");
*(PVOID *)&StubWTSRegisterSessionNotification = GetRoutineAddress(module, "WTSRegisterSessionNotification");
*(PVOID *)&StubWTSUnRegisterSessionNotification = GetRoutineAddress(module, "WTSUnRegisterSessionNotification");
Netapi32 = FindLdrModuleByHandle(module);
//RemoveEntryList(&Self->InLoadOrderLinks);
//RemoveEntryList(&Self->InMemoryOrderLinks);
//RemoveEntryList(&Self->InInitializationOrderLinks);
//RtlFreeHeap(CurrentPeb()->ProcessHeap, 0, Self);
Self->DllBase = Netapi32->DllBase;
Self->EntryPoint = Netapi32->EntryPoint;
Self->SizeOfImage = Netapi32->SizeOfImage;
return TRUE;
}
VOID InitializeDbghelp()
{
if (DbghlpMiniDumpWriteDump != nullptr)
return;
PVOID module;
PLDR_MODULE self, dbghlp;
ml::String path;
Rtl::GetModuleDirectory(path, GetNtdllHandle());
path += L"dbghelp.dll";
module = Ldr::LoadDll(path);
if (module == nullptr)
return;
*(PVOID *)&DbghlpMiniDumpWriteDump = GetRoutineAddress(module, "MiniDumpWriteDump");
self = FindLdrModuleByHandle(&__ImageBase);
dbghlp = FindLdrModuleByHandle(module);
self->DllBase = dbghlp->DllBase;
self->EntryPoint = dbghlp->EntryPoint;
self->SizeOfImage = dbghlp->SizeOfImage;
}
PVOID NTAPI PpGetProcAddress(PVOID DllHandle, PCSTR Function)
{
if ((ULONG_PTR)Function >= 0x10000) switch (HashAPI(Function))
{
case COMDLG32_ChooseFontW:
return PpChooseFontW;
}
return GetRoutineAddress(DllHandle, Function);
}
BOOL InitializeNetapi32()
{
PVOID module;
NTSTATUS Status;
PLDR_MODULE Self, Netapi32;
UNICODE_STRING SystemRoot;
if (StubNetbios != nullptr)
return TRUE;
Status = Rtl::GetSystemDirectory(&SystemRoot);
if (NT_FAILED(Status))
return 0;
module = Ldr::LoadDll(ml::String(SystemRoot) + L"netapi32.dll");
RtlFreeUnicodeString(&SystemRoot);
LdrAddRefDll(LDR_ADDREF_DLL_PIN, module);
*(PVOID *)&StubNetbios = GetRoutineAddress(module, "Netbios");
*(PVOID *)&StubNetApiBufferFree = GetRoutineAddress(module, "NetApiBufferFree");
*(PVOID *)&StubNetWkstaTransportEnum = GetRoutineAddress(module, "NetWkstaTransportEnum");
*(PVOID *)&StubNetWkstaUserGetInfo = GetRoutineAddress(module, "NetWkstaUserGetInfo");
Self = FindLdrModuleByHandle(&__ImageBase);
Netapi32 = FindLdrModuleByHandle(module);
//RemoveEntryList(&Self->InLoadOrderLinks);
//RemoveEntryList(&Self->InMemoryOrderLinks);
//RemoveEntryList(&Self->InInitializationOrderLinks);
//RtlFreeHeap(CurrentPeb()->ProcessHeap, 0, Self);
Self->DllBase = Netapi32->DllBase;
Self->EntryPoint = Netapi32->EntryPoint;
Self->SizeOfImage = Netapi32->SizeOfImage;
return TRUE;
}
BOOL Initialize(PVOID BaseAddress)
{
PVOID hModule;
SizeT Length, Length2;
LPWSTR lpCmdLineW, pCmdLine;
WChar end, szCmdLine[MAX_PATH + 40];
static WChar AddCmdLineHeadW[] = L" --user-data-dir=\"";
static WChar AddCmdLineTailW[] = L"UserData\" --purge-memory-button";
LdrDisableThreadCalloutsForDll(BaseAddress);
Length = Nt_GetSystemDirectory(szCmdLine, countof(szCmdLine));
CopyStruct(szCmdLine + Length, L"wtsapi32.dll", sizeof(L"wtsapi32.dll"));
hModule = Ldr::LoadDll(szCmdLine);
*(PVOID *)&StubWTSFreeMemory = GetRoutineAddress(hModule, "WTSFreeMemory");
*(PVOID *)&StubWTSQuerySessionInformationW = GetRoutineAddress(hModule, "WTSQuerySessionInformationW");
*(PVOID *)&StubWTSUnRegisterSessionNotification = GetRoutineAddress(hModule, "WTSUnRegisterSessionNotification");
*(PVOID *)&StubWTSRegisterSessionNotification = GetRoutineAddress(hModule, "WTSRegisterSessionNotification");
*(PVOID *)&StubWTSQueryUserToken = GetRoutineAddress(hModule, "WTSQueryUserToken");
lpCmdLineW = Ps::GetCommandLine();
Length = StrLengthW(lpCmdLineW);
pCmdLine = szCmdLine;
StrCopyW(pCmdLine, AddCmdLineHeadW);
pCmdLine += countof(AddCmdLineHeadW) - 1;
pCmdLine += Nt_GetExeDirectory(pCmdLine, countof(szCmdLine) - (pCmdLine - szCmdLine));
StrCopyW(pCmdLine, AddCmdLineTailW);
pCmdLine += countof(AddCmdLineTailW);
Length2 = pCmdLine - szCmdLine;
g_pCmdLineW = (PWChar)AllocateMemory(Length * 2 + Length2 * 2 + 2);
pCmdLine = lpCmdLineW;
end = *pCmdLine++ == '\"' ? '\"' : ' ';
while (*pCmdLine && *pCmdLine != end) ++pCmdLine;
++pCmdLine;
/*
if (*++pCmdLine)
{
while (*pCmdLine == ' ' || *pCmdLine == '\t') ++pCmdLine;
}
*/
end = *pCmdLine;
*pCmdLine = 0;
StrCopyW(g_pCmdLineW, lpCmdLineW);
*pCmdLine = end;
lpCmdLineW = g_pCmdLineW + (pCmdLine - lpCmdLineW);
StrCopyW(lpCmdLineW, szCmdLine);
lpCmdLineW += Length2 - 1;
StrCopyW(lpCmdLineW, pCmdLine);
Length = StrLengthW(g_pCmdLineW);
g_pCmdLineA = (PChar)AllocateMemory(Length * 2);
// WideCharToMultiByte(CP_ACP, 0, g_pCmdLineW, -1, g_pCmdLineA, Length * 2, NULL, NULL);
UnicodeToAnsi(g_pCmdLineA, Length * 2, g_pCmdLineW, -1);
hModule = Nt_GetModuleHandle(L"chrome.dll");
MEMORY_FUNCTION_PATCH f[] =
{
INLINE_HOOK_JUMP_NULL(::GetCommandLineW, MyGetCommandLineW),
INLINE_HOOK_JUMP_NULL(::GetCommandLineA, MyGetCommandLineA),
INLINE_HOOK_JUMP(LoadAcceleratorsW, MyLoadAcceleratorsW, StubLoadAcceleratorsW),
};
Nt_PatchMemory(0, 0, f, countof(f), 0);
return TRUE;
}
