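// Loads the real wtsapi32.dll from the system directory, resolves the WTS*
// exports this proxy forwards to, and then rewrites this module's own loader
// entry so that DllBase / EntryPoint / SizeOfImage describe the real DLL.
//
// NOTE(review): despite the name this variant loads wtsapi32.dll, not
// netapi32.dll; it looks like a copy of the netapi32 initialiser — confirm.
//
// Returns TRUE on success or when already initialised; FALSE when the system
// directory cannot be resolved, the real DLL cannot be loaded, or its loader
// entry cannot be found.
BOOL InitializeNetapi32()
{
    PLDR_MODULE Self;
    PLDR_MODULE Netapi32;
    UNICODE_STRING SystemRoot;
    PVOID LoaderLockCookie;
    NTSTATUS Status;
    PVOID module;

    // The loader list is read and patched below, so hold the loader lock for
    // the whole function; SCOPE_EXIT releases it on every return path.
    LdrLockLoaderLock(0, nullptr, &LoaderLockCookie);
    SCOPE_EXIT
    {
        LdrUnlockLoaderLock(0, LoaderLockCookie);
    }
    SCOPE_EXIT_END;

    // Already initialised: a previous call has pointed our entry elsewhere.
    Self = FindLdrModuleByHandle(&__ImageBase);
    if (Self == nullptr || Self->DllBase != &__ImageBase)
        return TRUE;

    Status = Rtl::GetSystemDirectory(&SystemRoot);
    if (NT_FAILED(Status))
        return FALSE;

    // Full path into the system directory, so the genuine DLL is loaded.
    module = Ldr::LoadDll(String(SystemRoot) + L"wtsapi32.dll");
    RtlFreeUnicodeString(&SystemRoot);
    if (module == nullptr)
        return FALSE;

    // Pin the real DLL: the resolved stubs must stay valid for the process lifetime.
    LdrAddRefDll(LDR_ADDREF_DLL_PIN, module);

    // A missing export leaves its stub null; nothing here checks for that.
    *(PVOID *)&StubWTSFreeMemory = GetRoutineAddress(module, "WTSFreeMemory");
    *(PVOID *)&StubWTSQuerySessionInformationW = GetRoutineAddress(module, "WTSQuerySessionInformationW");
    *(PVOID *)&StubWTSRegisterSessionNotification = GetRoutineAddress(module, "WTSRegisterSessionNotification");
    *(PVOID *)&StubWTSUnRegisterSessionNotification = GetRoutineAddress(module, "WTSUnRegisterSessionNotification");

    Netapi32 = FindLdrModuleByHandle(module);
    if (Netapi32 == nullptr)
        return FALSE;

    // Alternative kept from the original: unlink this entry entirely.
    //RemoveEntryList(&Self->InLoadOrderLinks);
    //RemoveEntryList(&Self->InMemoryOrderLinks);
    //RemoveEntryList(&Self->InInitializationOrderLinks);
    //RtlFreeHeap(CurrentPeb()->ProcessHeap, 0, Self);

    // From here on the loader's record for this image describes the real
    // DLL's address range and entry point: module enumeration and the
    // loader's own unload path will no longer see this image's memory.
    Self->DllBase = Netapi32->DllBase;
    Self->EntryPoint = Netapi32->EntryPoint;
    Self->SizeOfImage = Netapi32->SizeOfImage;
    return TRUE;
}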
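// Loads dbghelp.dll from the directory ntdll was loaded from, resolves
// MiniDumpWriteDump, and rewrites this module's loader entry so that
// DllBase / EntryPoint / SizeOfImage describe the real dbghelp.dll.
//
// Idempotent: returns immediately once DbghlpMiniDumpWriteDump is set.
// Returns silently when the DLL cannot be loaded or a loader entry cannot
// be found (VOID, so the caller cannot tell).
//
// NOTE(review): the loader entry is patched without holding the loader
// lock; confirm the callers run where it is already held.
VOID InitializeDbghelp()
{
    if (DbghlpMiniDumpWriteDump != nullptr)
        return;

    // Full path next to ntdll, so the genuine DLL is loaded.
    ml::String path;
    Rtl::GetModuleDirectory(path, GetNtdllHandle());
    path += L"dbghelp.dll";

    PVOID module = Ldr::LoadDll(path);
    if (module == nullptr)
        return;

    // A missing export leaves the stub null; nothing here checks for that.
    *(PVOID *)&DbghlpMiniDumpWriteDump = GetRoutineAddress(module, "MiniDumpWriteDump");

    PLDR_MODULE self = FindLdrModuleByHandle(&__ImageBase);
    PLDR_MODULE dbghlp = FindLdrModuleByHandle(module);
    if (self == nullptr || dbghlp == nullptr)
        return;

    // From here on the loader's record for this image describes the real
    // DLL's address range and entry point.
    self->DllBase = dbghlp->DllBase;
    self->EntryPoint = dbghlp->EntryPoint;
    self->SizeOfImage = dbghlp->SizeOfImage;
}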
// GetProcAddress replacement used by the proxy: a named lookup whose hash
// matches a known entry is answered with the local implementation, every
// other request (including ordinal lookups) is forwarded to the real export
// table of DllHandle.
PVOID NTAPI PpGetProcAddress(PVOID DllHandle, PCSTR Function)
{
    // Values below 0x10000 are ordinals, not name pointers; never hash them.
    const bool isNamedLookup = reinterpret_cast<ULONG_PTR>(Function) >= 0x10000;
    if (isNamedLookup)
    {
        switch (HashAPI(Function))
        {
            case COMDLG32_ChooseFontW:
                return PpChooseFontW;
            default:
                break;
        }
    }
    return GetRoutineAddress(DllHandle, Function);
}
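// Loads the real netapi32.dll from the system directory, resolves the
// exports this proxy forwards to, and rewrites this module's own loader
// entry so that DllBase / EntryPoint / SizeOfImage describe the real DLL.
//
// Returns TRUE on success or when already initialised (StubNetbios set);
// FALSE when the system directory cannot be resolved, the real DLL cannot be
// loaded, or either loader entry cannot be found.
//
// NOTE(review): the loader entry is patched without holding the loader
// lock (the wtsapi32 variant takes it); confirm this runs where it is
// already held.
BOOL InitializeNetapi32()
{
    PLDR_MODULE Self;
    PLDR_MODULE Netapi32;
    UNICODE_STRING SystemRoot;
    NTSTATUS Status;
    PVOID module;

    // Idempotent: the first successful call sets StubNetbios.
    if (StubNetbios != nullptr)
        return TRUE;

    Status = Rtl::GetSystemDirectory(&SystemRoot);
    if (NT_FAILED(Status))
        return FALSE;

    // Full path into the system directory, so the genuine DLL is loaded.
    module = Ldr::LoadDll(ml::String(SystemRoot) + L"netapi32.dll");
    RtlFreeUnicodeString(&SystemRoot);
    if (module == nullptr)
        return FALSE;

    // Pin the real DLL: the resolved stubs must stay valid for the process lifetime.
    LdrAddRefDll(LDR_ADDREF_DLL_PIN, module);

    // A missing export leaves its stub null; nothing here checks for that.
    *(PVOID *)&StubNetbios = GetRoutineAddress(module, "Netbios");
    *(PVOID *)&StubNetApiBufferFree = GetRoutineAddress(module, "NetApiBufferFree");
    *(PVOID *)&StubNetWkstaTransportEnum = GetRoutineAddress(module, "NetWkstaTransportEnum");
    *(PVOID *)&StubNetWkstaUserGetInfo = GetRoutineAddress(module, "NetWkstaUserGetInfo");

    Self = FindLdrModuleByHandle(&__ImageBase);
    Netapi32 = FindLdrModuleByHandle(module);
    if (Self == nullptr || Netapi32 == nullptr)
        return FALSE;

    // Alternative kept from the original: unlink this entry entirely.
    //RemoveEntryList(&Self->InLoadOrderLinks);
    //RemoveEntryList(&Self->InMemoryOrderLinks);
    //RemoveEntryList(&Self->InInitializationOrderLinks);
    //RtlFreeHeap(CurrentPeb()->ProcessHeap, 0, Self);

    // From here on the loader's record for this image describes the real
    // DLL's address range and entry point: module enumeration and the
    // loader's own unload path will no longer see this image's memory.
    Self->DllBase = Netapi32->DllBase;
    Self->EntryPoint = Netapi32->EntryPoint;
    Self->SizeOfImage = Netapi32->SizeOfImage;
    return TRUE;
}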
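// One-time initialisation of the proxy: resolves the real wtsapi32.dll
// exports, builds a private copy of the process command line with the
// user-data-dir / purge-memory-button switches spliced in right after the
// executable token, and installs inline hooks so GetCommandLineW/A and
// LoadAcceleratorsW are served by the My* replacements.
//
// BaseAddress: this module's base, passed to LdrDisableThreadCalloutsForDll.
// Returns TRUE once the patches have been handed to Nt_PatchMemory; FALSE
// when the real DLL cannot be loaded or a command-line buffer cannot be
// allocated.
//
// Side effects: sets g_pCmdLineW / g_pCmdLineA, temporarily writes a NUL
// into the process command-line buffer (restored before continuing), and
// patches code in the current process.
BOOL Initialize(PVOID BaseAddress)
{
    PVOID hModule;
    SizeT Length, Length2;
    LPWSTR lpCmdLineW, pCmdLine;
    WChar end, szCmdLine[MAX_PATH + 40];
    static WChar AddCmdLineHeadW[] = L" --user-data-dir=\"";
    static WChar AddCmdLineTailW[] = L"UserData\" --purge-memory-button";

    LdrDisableThreadCalloutsForDll(BaseAddress);

    // Load the genuine wtsapi32.dll by full path from the system directory.
    Length = Nt_GetSystemDirectory(szCmdLine, countof(szCmdLine));
    CopyStruct(szCmdLine + Length, L"wtsapi32.dll", sizeof(L"wtsapi32.dll"));
    hModule = Ldr::LoadDll(szCmdLine);
    if (hModule == nullptr)
        return FALSE;

    // Resolve the forwarded exports. A missing export leaves its stub null;
    // that is not checked here.
    *(PVOID *)&StubWTSFreeMemory = GetRoutineAddress(hModule, "WTSFreeMemory");
    *(PVOID *)&StubWTSQuerySessionInformationW = GetRoutineAddress(hModule, "WTSQuerySessionInformationW");
    *(PVOID *)&StubWTSUnRegisterSessionNotification = GetRoutineAddress(hModule, "WTSUnRegisterSessionNotification");
    *(PVOID *)&StubWTSRegisterSessionNotification = GetRoutineAddress(hModule, "WTSRegisterSessionNotification");
    *(PVOID *)&StubWTSQueryUserToken = GetRoutineAddress(hModule, "WTSQueryUserToken");

    lpCmdLineW = Ps::GetCommandLine();
    Length = StrLengthW(lpCmdLineW);

    // Build the text to splice in, reusing szCmdLine:
    //   " --user-data-dir=\"<exe directory>UserData\" --purge-memory-button"
    pCmdLine = szCmdLine;
    StrCopyW(pCmdLine, AddCmdLineHeadW);
    pCmdLine += countof(AddCmdLineHeadW) - 1;
    pCmdLine += Nt_GetExeDirectory(pCmdLine, countof(szCmdLine) - (pCmdLine - szCmdLine));
    StrCopyW(pCmdLine, AddCmdLineTailW);
    pCmdLine += countof(AddCmdLineTailW);
    // Length2 includes the terminating NUL (countof counts it).
    Length2 = pCmdLine - szCmdLine;

    // Wide buffer, in bytes: original text + spliced text + terminator.
    g_pCmdLineW = (PWChar)AllocateMemory(Length * 2 + Length2 * 2 + 2);
    if (g_pCmdLineW == nullptr)
        return FALSE;

    // Find the end of the executable token: a quoted token ends at the
    // closing quote, anything else at the first space.
    pCmdLine = lpCmdLineW;
    end = (*pCmdLine == L'"') ? L'"' : L' ';
    if (*pCmdLine != 0)
        ++pCmdLine;
    while (*pCmdLine != 0 && *pCmdLine != end)
        ++pCmdLine;
    // Step over the closing quote / separator, but never past the
    // terminator: with no arguments the original stepped one character
    // beyond the NUL and then wrote a NUL to that position.
    if (*pCmdLine != 0)
        ++pCmdLine;
    /* if (*++pCmdLine) { while (*pCmdLine == ' ' || *pCmdLine == '\t') ++pCmdLine; } */

    // Copy the executable token by temporarily terminating the process
    // command line at the split point; the character is restored right after.
    end = *pCmdLine;
    *pCmdLine = 0;
    StrCopyW(g_pCmdLineW, lpCmdLineW);
    *pCmdLine = end;

    // Append the spliced switches, then the remainder of the original line.
    lpCmdLineW = g_pCmdLineW + (pCmdLine - lpCmdLineW);
    StrCopyW(lpCmdLineW, szCmdLine);
    lpCmdLineW += Length2 - 1; // land on the NUL just written
    StrCopyW(lpCmdLineW, pCmdLine);

    // ANSI copy for GetCommandLineA. Worst case is two bytes per wide
    // character plus the terminator, so allocate that much (the original
    // allocated exactly Length * 2).
    Length = StrLengthW(g_pCmdLineW);
    g_pCmdLineA = (PChar)AllocateMemory(Length * 2 + 2);
    if (g_pCmdLineA == nullptr)
        return FALSE;
    // WideCharToMultiByte(CP_ACP, 0, g_pCmdLineW, -1, g_pCmdLineA, Length * 2, NULL, NULL);
    UnicodeToAnsi(g_pCmdLineA, Length * 2 + 2, g_pCmdLineW, -1);

    // The result is not used afterward; kept from the original (looks like a
    // leftover — confirm before removing).
    hModule = Nt_GetModuleHandle(L"chrome.dll");

    // Inline hooks on the current process. INLINE_HOOK_JUMP_NULL presumably
    // installs the jump without keeping a trampoline, while LoadAcceleratorsW
    // keeps its original in StubLoadAcceleratorsW — confirm against the
    // macro definitions.
    MEMORY_FUNCTION_PATCH f[] =
    {
        INLINE_HOOK_JUMP_NULL(::GetCommandLineW, MyGetCommandLineW),
        INLINE_HOOK_JUMP_NULL(::GetCommandLineA, MyGetCommandLineA),
        INLINE_HOOK_JUMP(LoadAcceleratorsW, MyLoadAcceleratorsW, StubLoadAcceleratorsW),
    };
    Nt_PatchMemory(0, 0, f, countof(f), 0);

    return TRUE;
}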