/// <summary>
/// Free memory
/// </summary>
/// <param name="pAddr">Memory address to release.</param>
/// <param name="size">Region size</param>
/// <param name="freeType">Release/decommit</param>
/// <returns>Status</returns>
NTSTATUS ProcessMemory::Free( ptr_t pAddr, size_t size /*= 0*/, DWORD freeType /*= MEM_RELEASE*/ )
{
#ifdef _DEBUG
assert( freeType != MEM_RELEASE || size == 0 );
if (freeType == MEM_DECOMMIT) {
BLACKBONE_TRACE( L"Free: Decommit at address 0x%p (0x%x bytes)", static_cast<uintptr_t>(pAddr), size );
} else {
BLACKBONE_TRACE( L"Free: Free at address 0x%p", static_cast<uintptr_t>(pAddr) );
}
#endif
return _core.native()->VirtualFreeExT( pAddr, size, freeType );
}
/// <summary>
/// Reload driver
/// </summary>
/// <param name="path">Path to the driver file</param>
/// <returns>Status code</returns>
NTSTATUS DriverControl::Reload( std::wstring path /*= L"" */ )
{
Unload();
// Use default path
if (path.empty())
{
const wchar_t* filename = nullptr;
if (IsWindows10OrGreater())
filename = BLACKBONE_FILE_NAME_10;
else if (IsWindows8Point1OrGreater())
filename = BLACKBONE_FILE_NAME_81;
else if (IsWindows8OrGreater())
filename = BLACKBONE_FILE_NAME_8;
else if (IsWindows7OrGreater())
filename = BLACKBONE_FILE_NAME_7;
else
filename = BLACKBONE_FILE_NAME;
path = Utils::GetExeDirectory() + L"\\" + filename;
}
_loadStatus = LoadDriver( DRIVER_SVC_NAME, path );
if (!NT_SUCCESS( _loadStatus ))
{
BLACKBONE_TRACE( L"Failed to load driver %ls. Status 0x%X", path.c_str(), _loadStatus );
return _loadStatus;
}
_hDriver = CreateFileW(
BLACKBONE_DEVICE_FILE,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, OPEN_EXISTING, 0, NULL
);
if (!_hDriver)
{
_loadStatus = LastNtStatus();
BLACKBONE_TRACE( L"Failed to open driver handle. Status 0x%X", _loadStatus );
return _loadStatus;
}
return _loadStatus;
}
std::vector<ModuleDataPtr> Native::EnumModulesT()
{
NTSTATUS status = STATUS_SUCCESS;
_PEB_T<T> peb = { };
_PEB_LDR_DATA2_T<T> ldr = { };
std::vector<ModuleDataPtr> result;
if (getPEB( &peb ) != 0 && ReadProcessMemoryT( peb.Ldr, &ldr, sizeof( ldr ), 0 ) == STATUS_SUCCESS)
{
for (T head = ldr.InLoadOrderModuleList.Flink;
NT_SUCCESS( status ) && head != (peb.Ldr + FIELD_OFFSET( _PEB_LDR_DATA2_T<T>, InLoadOrderModuleList ));
status = ReadProcessMemoryT( static_cast<ptr_t>(head), &head, sizeof( head ) ))
{
ModuleData data;
wchar_t localPath[512] = { 0 };
_LDR_DATA_TABLE_ENTRY_BASE_T<T> localdata = { { 0 } };
ReadProcessMemoryT( head, &localdata, sizeof( localdata ), 0 );
ReadProcessMemoryT( localdata.FullDllName.Buffer, localPath, localdata.FullDllName.Length );
data.baseAddress = localdata.DllBase;
data.size = localdata.SizeOfImage;
data.fullPath = Utils::ToLower( localPath );
data.name = Utils::StripPath( data.fullPath );
data.type = (sizeof( T ) < sizeof( uint64_t )) ? mt_mod32 : mt_mod64;
data.ldrPtr = static_cast<ptr_t>(head);
data.manual = false;
result.emplace_back( std::make_shared<const ModuleData>( data ) );
}
}
else
{
BLACKBONE_TRACE( L"NativeModules: Failed to get PEB/LDR address. Not yet initialized" );
}
return result;
}
