boolean test_seed(population *pop, entity *adam){
int i;
/* Checks. */
if (!pop) die("Null pointer to population structure passed.");
if (!adam) die("Null pointer to entity structure passed.");
/* Seeding. */
for(i = 0;i<TSIZE(amp);i++){
((double *)adam->chromosome[0])[i] = real_out->r[i]*(1-random_double(0.1));
((double *)adam->chromosome[0])[TSIZE(amp)+i] = real_out->c[i]*(1.0-random_double(0.1));
}
return TRUE;
}
boolean test_generation_callback(int generation, population *pop){
double * img = (double *)pop->entity_iarray[0]->chromosome[0];
int i;
char buffer[1024];
real support_threshold;
for(i = 0;i<TSIZE(amp);i++){
real_out->image[i] = sqrt(img[i]*img[i]+img[TSIZE(amp)+i]*img[TSIZE(amp)+i]);
}
printf("%d: fitness = %f\n",generation,pop->entity_iarray[0]->fitness);
if(opts->iterations && opts->cur_iteration%opts->iterations == opts->iterations-1){
sprintf(buffer,"real_out-%05d.png",opts->cur_iteration);
write_png(real_out,buffer,COLOR_JET);
freeimg(prev_support);
prev_support = imgcpy(support);
freeimg(support);
support_threshold = get_newsupport_level(real_out,&support_size,radius,&my_log,opts);
my_log.threshold = support_threshold;
if(support_threshold > 0){
/* support = get_newsupport(real_out,support_threshold, radius,opts);*/
support = get_filtered_support(real_out,support_threshold, radius,opts);
}else{
if(opts->support_update_algorithm == REAL_ERROR_CAPPED){
exit(0);
}else{
abort();
}
}
if(opts->cur_iteration <= opts->iterations_to_min_blur){
radius = get_blur_radius(opts);
}
if(/*opts->cur_iteration > 50 ||*/ (opts->automatic && opts->algorithm == RAAR && my_log.Ereal < 0.2)){
stop++;
}
if(stop > stop_threshold){
exit(0);
}
sprintf(buffer,"support-%05d.png",opts->cur_iteration);
write_png(support,buffer,COLOR_JET);
}
/* restore original amplitudes */
for(i = 0;i<TSIZE(amp);i++){
real_out->image[i] = norm(real_out,i);
}
opts->cur_iteration++;
return TRUE;
}
boolean test_score(population *pop, entity *entity){
int i;
double * img = (double *)entity->chromosome[0];
Image * fc;
for(i = 0;i<TSIZE(amp);i++){
if(!support->image[i]){
entity->fitness -= sqrt(img[i]*img[i]+img[TSIZE(amp)+i]*img[TSIZE(amp)+i]);
}
}
for(i = 0;i<TSIZE(amp);i++){
real_out->r[i] = img[i];
real_out->c[i] = img[i+TSIZE(amp)];
real_out->image[i] = norm(real_out,i);
}
fc = image_fft(real_out);
entity->fitness = 0;
for(i = 0;i<TSIZE(fc);i++){
if(amp->mask[i]){
entity->fitness -= fabs(fc->image[i] - amp->image[i]);
}
/* if(!support->image[i]){
entity->fitness -= real_out->image[i];
}*/
}
fprintf(stderr,"Fitness - %f\n",entity->fitness);
freeimg(fc);
return TRUE;
}
entity *test_adaptation(population *pop, entity *child){
entity *adult; /* Adapted solution. */
double * img;
Image * fc;
int i;
/*
* We must generate a new solution by copying the original solution.
* This function copys all genomic, and if appropriate, phenomic data.
* It is never safe to adapt the solution in place.
*/
adult = ga_entity_clone(pop, child);
img = (double *)adult->chromosome[0];
for(i = 0;i<TSIZE(amp);i++){
real_in->r[i] = img[i];
real_in->c[i] = img[i+TSIZE(amp)];
real_in->image[i] = norm(real_in,i);
}
freeimg(real_out);
if(get_algorithm(opts,&my_log) == HIO){
real_out = basic_hio_iteration(amp, real_in, support,opts,&my_log);
}else if(get_algorithm(opts,&my_log) == RAAR){
real_out = basic_raar_iteration(amp,exp_sigma, real_in, support,opts,&my_log);
}else if(get_algorithm(opts,&my_log) == HPR){
real_out = basic_hpr_iteration(amp, real_in, support,opts,&my_log);
}
adult->fitness = 0;
fc = image_fft(real_out);
for(i = 0;i<TSIZE(amp);i++){
img[i] = real_out->r[i];
img[i+TSIZE(amp)] = real_out->c[i];
adult->fitness -= fabs(fc->image[i] - amp->image[i]);
}
freeimg(fc);
return adult;
}
void InjectDLL32( LPPROCESS_INFORMATION ppi, LPCTSTR dll )
{
CONTEXT context;
DWORD len;
LPVOID mem;
DWORD mem32;
#define CODESIZE 20
BYTE code[CODESIZE+TSIZE(MAX_PATH)];
union
{
PBYTE pB;
PDWORD pL;
} ip;
#ifdef IMPORT_WOW64
if (Wow64GetThreadContext == 0)
{
#define GETPROC( proc ) proc = (T##proc)GetProcAddress( hKernel, #proc )
HMODULE hKernel = GetModuleHandle( L"kernel32.dll" );
GETPROC( Wow64GetThreadContext );
GETPROC( Wow64SetThreadContext );
// Assume if one is defined, so is the other.
if (Wow64GetThreadContext == 0)
{
DEBUGSTR( 1, L"Failed to get pointer to Wow64GetThreadContext." );
return;
}
}
#endif
len = TSIZE(lstrlen( dll ) + 1);
if (len > TSIZE(MAX_PATH))
return;
if (LLW32 == 0)
{
#ifdef _WIN64
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
// ...ANSI32.dll\0
CopyMemory( code, dll, len - TSIZE(7) );
// ...ANSI-LLW.exe\0
CopyMemory( code + len - TSIZE(7), L"-LLW.exe", TSIZE(9) );
if (!CreateProcess( (LPCTSTR)code, NULL, NULL, NULL, FALSE, 0, NULL, NULL,
&si, &pi ))
{
DEBUGSTR( 1, L"Failed to execute \"%s\".", (LPCTSTR)code );
return;
}
WaitForSingleObject( pi.hProcess, INFINITE );
GetExitCodeProcess( pi.hProcess, &LLW32 );
CloseHandle( pi.hProcess );
CloseHandle( pi.hThread );
#else
LLW32 = (DWORD)GetProcAddress( GetModuleHandle( L"kernel32.dll" ),
"LoadLibraryW" );
#endif
}
CopyMemory( code + CODESIZE, dll, len );
len += CODESIZE;
context.ContextFlags = CONTEXT_CONTROL;
GetThreadContext( ppi->hThread, &context );
mem = VirtualAllocEx( ppi->hProcess, NULL, len, MEM_COMMIT,
PAGE_EXECUTE_READWRITE );
mem32 = (DWORD)(DWORD_PTR)mem;
ip.pB = code;
*ip.pB++ = 0x68; // push eip
*ip.pL++ = context.Eip;
*ip.pB++ = 0x9c; // pushf
*ip.pB++ = 0x60; // pusha
*ip.pB++ = 0x68; // push L"path\to\ANSI32.dll"
*ip.pL++ = mem32 + CODESIZE;
*ip.pB++ = 0xe8; // call LoadLibraryW
*ip.pL++ = LLW32 - (mem32 + (DWORD)(ip.pB+4 - code));
*ip.pB++ = 0x61; // popa
*ip.pB++ = 0x9d; // popf
*ip.pB++ = 0xc3; // ret
WriteProcessMemory( ppi->hProcess, mem, code, len, NULL );
FlushInstructionCache( ppi->hProcess, mem, len );
context.Eip = mem32;
SetThreadContext( ppi->hThread, &context );
}
void InjectDLL64( LPPROCESS_INFORMATION ppi )
{
CONTEXT context;
DWORD len;
LPVOID mem;
DWORD64 LLW;
union
{
PBYTE pB;
PDWORD64 pL;
} ip;
#define CODESIZE 92
static BYTE code[CODESIZE+TSIZE(MAX_PATH)] = {
0,0,0,0,0,0,0,0, // original rip
0,0,0,0,0,0,0,0, // LoadLibraryW
0x9C, // pushfq
0x50, // push rax
0x51, // push rcx
0x52, // push rdx
0x53, // push rbx
0x55, // push rbp
0x56, // push rsi
0x57, // push rdi
0x41,0x50, // push r8
0x41,0x51, // push r9
0x41,0x52, // push r10
0x41,0x53, // push r11
0x41,0x54, // push r12
0x41,0x55, // push r13
0x41,0x56, // push r14
0x41,0x57, // push r15
0x48,0x83,0xEC,0x28, // sub rsp, 40
0x48,0x8D,0x0D,41,0,0,0, // lea ecx, L"path\to\errout64.dll"
0xFF,0x15,-49,-1,-1,-1, // call LoadLibraryW
0x48,0x83,0xC4,0x28, // add rsp, 40
0x41,0x5F, // pop r15
0x41,0x5E, // pop r14
0x41,0x5D, // pop r13
0x41,0x5C, // pop r12
0x41,0x5B, // pop r11
0x41,0x5A, // pop r10
0x41,0x59, // pop r9
0x41,0x58, // pop r8
0x5F, // pop rdi
0x5E, // pop rsi
0x5D, // pop rbp
0x5B, // pop rbx
0x5A, // pop rdx
0x59, // pop rcx
0x58, // pop rax
0x9D, // popfq
0xFF,0x25,-91,-1,-1,-1, // jmp original Rip
0, // dword alignment for LLW, fwiw
};
len = TSIZE(lstrlen( hDllName ) + 1);
if (len > TSIZE(MAX_PATH))
return;
CopyMemory( code + CODESIZE, hDllName, len );
len += CODESIZE;
context.ContextFlags = CONTEXT_CONTROL;
GetThreadContext( ppi->hThread, &context );
mem = VirtualAllocEx( ppi->hProcess, NULL, len, MEM_COMMIT,
PAGE_EXECUTE_READWRITE );
LLW = (DWORD64)LoadLibraryW;
ip.pB = code;
*ip.pL++ = context.Rip;
*ip.pL++ = LLW;
WriteProcessMemory( ppi->hProcess, mem, code, len, NULL );
FlushInstructionCache( ppi->hProcess, mem, len );
context.Rip = (DWORD64)mem + 16;
SetThreadContext( ppi->hThread, &context );
}
void genetic_reconstruction(Image * _amp, Image * initial_support, Image * _exp_sigma,
Options * _opts, char * dir){
char prev_dir[1024];
real support_threshold = _opts->new_level;
population *pop; /* Population of solutions. */
random_seed(23091975);
stop_threshold = 10;
stop = 0;
support_size = -support_threshold;
opts = _opts;
amp = _amp;
exp_sigma = _exp_sigma;
init_log(&my_log);
my_log.threshold = support_threshold;
opts->cur_iteration = 0;
opts->flog = NULL;
if(opts->automatic){
opts->algorithm = HIO;
}
support = imgcpy(initial_support);
prev_support = imgcpy(initial_support);
/* Set the initial guess */
if(opts->image_guess){
real_in = imgcpy(opts->image_guess);
}else{
real_in = imgcpy(support);
}
/* make sure we make the input complex */
rephase(real_in);
/* Set random phases if needed */
if(opts->rand_phases){
/* set_rand_phases(real_in,img);*/
set_rand_ints(real_in,amp);
}
getcwd(prev_dir,1024);
mkdir(dir,0755);
chdir(dir);
write_png(support,"support.png",COLOR_JET);
write_png(real_in,"initial_guess.png",COLOR_JET);
write_png(initial_support,"initial_support.png",COLOR_JET);
if(get_algorithm(opts,&my_log) == HIO){
real_out = basic_hio_iteration(amp, real_in, support,opts,&my_log);
}else if(get_algorithm(opts,&my_log) == RAAR){
real_out = basic_raar_iteration(amp,exp_sigma, real_in, support,opts,&my_log);
}else if(get_algorithm(opts,&my_log) == HPR){
real_out = basic_hpr_iteration(amp, real_in, support,opts,&my_log);
}else{
fprintf(stderr,"Error: Undefined algorithm!\n");
exit(-1);
}
radius = opts->max_blur_radius;
pop = ga_genesis_double(
3, /* const int population_size */
1, /* const int num_chromo */
TSIZE(amp)*2, /* const int len_chromo */
test_generation_callback,/* GAgeneration_hook generation_hook */
NULL, /* GAiteration_hook iteration_hook */
NULL, /* GAdata_destructor data_destructor */
NULL, /* GAdata_ref_incrementor data_ref_incrementor */
test_score, /* GAevaluate evaluate */
test_seed, /* GAseed seed */
test_adaptation, /* GAadapt adapt */
ga_select_one_bestof2, /* GAselect_one select_one */
ga_select_two_bestof2, /* GAselect_two select_two */
ga_mutate_double_singlepoint_drift, /* GAmutate mutate */
ga_crossover_double_doublepoints, /* GAcrossover crossover */
NULL, /* GAreplace replace */
NULL /* vpointer User data */
);
ga_population_set_parameters(
pop, /* population *pop */
GA_SCHEME_LAMARCK_ALL, /* const ga_scheme_type scheme */
GA_ELITISM_PARENTS_SURVIVE, /* const ga_elitism_type elitism */
0.8, /* double crossover */
0.2, /* double mutation */
0.0 /* double migration */
);
ga_evolution(
pop, /* population *pop */
500 /* const int max_generations */
);
ga_extinction(pop);
exit(EXIT_SUCCESS);
}
void InjectDLL32( LPPROCESS_INFORMATION ppi )
{
CONTEXT context;
DWORD ep;
DWORD len;
LPVOID mem;
DWORD mem32;
DWORD pr;
BYTE code[CODE32SIZE+GLOBAL32SIZE+TSIZE(MAX_PATH)];
union
{
PBYTE pB;
PWORD pW;
PDWORD pL;
} ip;
#ifdef _WIN64
BOOL entry = FALSE;
#endif
#ifdef IMPORT_WOW64
if (Wow64GetThreadContext == 0)
{
#define GETPROC( proc ) proc = (T##proc)GetProcAddress( hKernel, #proc )
HMODULE hKernel = GetModuleHandle( L"kernel32.dll" );
GETPROC( Wow64GetThreadContext );
GETPROC( Wow64SetThreadContext );
// Assume if one is defined, so is the other.
if (Wow64GetThreadContext == 0)
return;
}
#endif
len = TSIZE(lstrlen( hDllName ) + 1);
if (len > TSIZE(MAX_PATH))
return;
CopyMemory( code + CODE32SIZE + GLOBAL32SIZE, hDllName, len );
len += CODE32SIZE + GLOBAL32SIZE;
context.ContextFlags = CONTEXT_CONTROL | CONTEXT_INTEGER;
GetThreadContext( ppi->hThread, &context );
mem = VirtualAllocEx( ppi->hProcess, NULL, len, MEM_COMMIT,
PAGE_READWRITE );
mem32 = (DWORD)(DWORD_PTR)mem;
ip.pB = code;
ep = context.Eip;
if (LLW32 == 0)
{
#ifndef _WIN64
LLW32 = (DWORD)GetProcAddress( GetModuleHandle( L"kernel32.dll" ),
"LoadLibraryW" );
#else
struct unicode_string
{
USHORT Length;
USHORT MaximumLength;
DWORD Buffer;
};
struct ldr_module // incomplete definition
{
DWORD next, prev;
DWORD baseAddress;
DWORD entryPoint;
DWORD sizeOfImage;
struct unicode_string fullDllName;
struct unicode_string baseDllName;
} ldr;
WCHAR basename[MAX_PATH];
if (!get_LLW32())
return;
// Determine the base address of the 32-bit kernel32.dll.
// Use the PEB to walk the loaded modules.
// When a process is created suspended, EAX has the entry point and EBX
// points to the PEB.
if (!ReadProcessMemory( ppi->hProcess, UIntToPtr( context.Ebx + 0x0C ),
ip.pL, 4, NULL ))
{
return;
}
// In case we're a bit slow (which seems to be unlikely), set up an
// infinite loop as the entry point.
WriteProcessMemory( ppi->hProcess, mem, "\xEB\xFE", 2, NULL );
FlushInstructionCache( ppi->hProcess, mem, 2 );
ep = context.Eax;
context.Eax = mem32;
SetThreadContext( ppi->hThread, &context );
VirtualProtectEx( ppi->hProcess, mem, len, PAGE_EXECUTE, &pr );
// Now resume the thread, as the PEB hasn't even been created yet.
ResumeThread( ppi->hThread );
while (*ip.pL == 0)
{
Sleep( 0 );
ReadProcessMemory( ppi->hProcess, UIntToPtr( context.Ebx + 0x0C ),
ip.pL, 4, NULL );
}
// Read PEB_LDR_DATA.InInitializationOrderModuleList.Flink.
ReadProcessMemory( ppi->hProcess, UIntToPtr( *ip.pL + 0x1c ),
&ip.pL[1], 4, NULL );
// Sometimes we're so quick ntdll.dll is the only one present, so keep
// looping until kernel32.dll shows up.
for (;;)
{
ldr.next = ip.pL[1];
do
{
ReadProcessMemory( ppi->hProcess, UIntToPtr( ldr.next ),
&ldr, sizeof(ldr), NULL );
ReadProcessMemory( ppi->hProcess, UIntToPtr( ldr.baseDllName.Buffer ),
basename, ldr.baseDllName.MaximumLength, NULL );
if (_wcsicmp( basename, L"kernel32.dll" ) == 0)
{
LLW32 += ldr.baseAddress;
goto gotit;
}
} while (ldr.next != *ip.pL + 0x1c);
}
gotit:
SuspendThread( ppi->hThread );
VirtualProtectEx( ppi->hProcess, mem, len, pr, &pr );
entry = TRUE;
#endif
}
*ip.pB++ = 0x68; // push ep
*ip.pL++ = ep;
*ip.pB++ = 0x9c; // pushf
*ip.pB++ = 0x60; // pusha
*ip.pB++ = 0x68; // push L"path\to\errout32.dll"
*ip.pL++ = mem32 + CODE32SIZE + GLOBAL32SIZE;
*ip.pB++ = 0xe8; // call LoadLibraryW
*ip.pL++ = LLW32 - (mem32 + (DWORD)(ip.pB+4 - code));
*ip.pB++ = 0x61; // popa
*ip.pB++ = 0x9d; // popf
*ip.pB++ = 0xc3; // ret
// Should probably now use shared memory rather than a shared section.
*ip.pL++ = PtrToUint( global.hStdOut );
*ip.pL++ = PtrToUint( global.hStdCon );
*ip.pL++ = PtrToUint( global.hFilOut );
*ip.pL++ = PtrToUint( global.hFilErr );
*ip.pL++ = PtrToUint( global.hFilCon );
*ip.pW++ = global.console;
*ip.pW++ = global.errcol;
WriteProcessMemory( ppi->hProcess, mem, code, len, NULL );
FlushInstructionCache( ppi->hProcess, mem, len );
VirtualProtectEx( ppi->hProcess, mem, len, PAGE_EXECUTE, &pr );
#ifdef _WIN64
if (entry)
return;
#endif
context.Eip = mem32;
SetThreadContext( ppi->hThread, &context );
}
