Exemple #1
0
	/// <summary>
	/// Get existing module or map it if absent
	/// </summary>
	/// <param name="path">Image path</param>
	/// <param name="buffer">Image data buffer</param>
	/// <param name="size">Buffer size.</param>
	/// <param name="asImage">If set to true - buffer has image memory layout</param>
	/// <param name="flags">Mapping flags</param>
	/// <returns>Module info</returns>
	const ModuleData* MMap::FindOrMapModule(
		const std::wstring& path,
		void* buffer, size_t size, bool asImage,
		eLoadFlags flags /*= NoFlags*/
		) {
		NTSTATUS status = STATUS_SUCCESS;
		std::unique_ptr<ImageContext> pImage(new ImageContext());
		pImage->FilePath = path;
		pImage->FileName = Utils::StripPath(pImage->FilePath);
		pImage->flags = flags;
		// Load and parse image
		status = buffer ? pImage->peImage.Load(buffer, size, !asImage) : pImage->peImage.Load(path, flags & NoSxS ? true : false);
		if(!NT_SUCCESS(status)) {
			BLACBONE_TRACE(L"ManualMap: Failed to load image '%ls'/0x%p. Status 0x%X", path.c_str(), buffer, status);
			pImage->peImage.Release();
			return nullptr;
		}
		// Check if already loaded
		if(auto hMod = _process.Modules().GetModule(path, LdrList, pImage->peImage.ImageType())) {
			pImage->peImage.Release();
			return hMod;
		}
		BLACBONE_TRACE(L"ManualMap: Loading new image '%ls'", path.c_str());
		// Try to map image in high (>4GB) memory range
		if(flags & MapInHighMem) {
			AllocateInHighMem(pImage->imgMem, pImage->peImage.ImageSize());
		}
		// Try to map image at it's original ASRL-aware base
		else if(flags & HideVAD) {
			ptr_t base = pImage->peImage.ImageBase();
			ptr_t isize = pImage->peImage.ImageSize();
			if(!NT_SUCCESS(Driver().EnsureLoaded())) {
				pImage->peImage.Release();
				return nullptr;
			}
			// Allocate as physical at desired base
			status = Driver().AllocateMem(_process.Id(), base, isize, MEM_COMMIT, PAGE_EXECUTE_READWRITE, true);
			// Allocate at any base
			if(!NT_SUCCESS(status)) {
				base = 0;
				size = pImage->peImage.ImageSize();
				status = Driver().AllocateMem(_process.Id(), base, isize, MEM_COMMIT, PAGE_EXECUTE_READWRITE, true);
			}
			// Store allocated region
			if(NT_SUCCESS(status)) {
				pImage->imgMem = MemBlock(&_process.Memory(), base, static_cast<size_t>(isize), PAGE_EXECUTE_READWRITE, true, true);
			}
			// Stop mapping
			else {
				//flags &= ~HideVAD;
				BLACBONE_TRACE(L"ManualMap: Failed to allocate physical memory for image, status 0x%d", status);
				pImage->peImage.Release();
				return nullptr;
			}
		}
		// Allocate normally if something went wrong
		if(pImage->imgMem == 0)
			pImage->imgMem = _process.Memory().Allocate(pImage->peImage.ImageSize(), PAGE_EXECUTE_READWRITE, pImage->peImage.ImageBase());
		BLACBONE_TRACE(L"ManualMap: Image base allocated at 0x%p", pImage->imgMem.Ptr<size_t>());
		if(!pImage->imgMem.Valid())
			return nullptr;
		// Create Activation context for SxS
		if(pImage->peImage.ManifestID() == 0)
			flags |= NoSxS;
		if(!(flags & NoSxS))
			CreateActx(pImage->peImage.ManifestFile(), pImage->peImage.ManifestID(), !pImage->peImage.NoPhysFile());
		// Core image mapping operations
		if(!CopyImage(pImage.get()) || !RelocateImage(pImage.get())) {
			pImage->peImage.Release();
			return nullptr;
		}
		auto mt = pImage->peImage.ImageType();
		auto pMod = _process.Modules().AddManualModule(pImage->FilePath, pImage->imgMem.Ptr<module_t>(), pImage->imgMem.Size(), mt);
		// Import tables
		if(!ResolveImport(pImage.get()) || (!(flags & NoDelayLoad) && !ResolveImport(pImage.get(), true))) {
			pImage->peImage.Release();
			_process.Modules().RemoveManualModule(pImage->FileName, mt);
			return nullptr;
		}
		// Apply proper memory protection for sections
		if(!(flags & HideVAD))
			ProtectImageMemory(pImage.get());
		// Make exception handling possible (C and C++)
		if(!(flags & NoExceptions)) {
			status = EnableExceptions(pImage.get());
			if(!NT_SUCCESS(status) && status != STATUS_NOT_FOUND) {
				BLACBONE_TRACE(L"ManualMap: Failed to enable exception handling for image %ls", pImage->FileName.c_str());
				pImage->peImage.Release();
				_process.Modules().RemoveManualModule(pImage->FileName, mt);
				return nullptr;
			}
		}
		// Unlink image from VAD list
		if(flags & HideVAD && !NT_SUCCESS(ConcealVad(pImage->imgMem))) {
			pImage->peImage.Release();
			_process.Modules().RemoveManualModule(pImage->FileName, mt);
			return nullptr;
		}
		// Initialize security cookie
		if(!InitializeCookie(pImage.get())) {
			pImage->peImage.Release();
			_process.Modules().RemoveManualModule(pImage->FileName, mt);
			return nullptr;
		}
		// Get entry point
		pImage->EntryPoint = pImage->peImage.EntryPoint(pImage->imgMem.Ptr<ptr_t>());
		// Create reference for native loader functions
		LdrRefFlags ldrFlags = flags & CreateLdrRef ? Ldr_All : Ldr_None;
		if(_mapCallback != nullptr) {
			auto mapData = _mapCallback(PostCallback, _userContext, _process, *pMod);
			ldrFlags = mapData.ldrFlags;
		}
		if(ldrFlags != Ldr_None) {
			_process.NativeLdr().CreateNTReference(
				pImage->imgMem.Ptr<HMODULE>(),
				pImage->peImage.ImageSize(),
				pImage->FilePath,
				static_cast<size_t>(pImage->EntryPoint),
				ldrFlags
				);
		}
		// Static TLS data
		if(!(flags & NoTLS) && !InitStaticTLS(pImage.get())) {
			pImage->peImage.Release();
			_process.Modules().RemoveManualModule(pImage->FileName, mt);
			return nullptr;
		}
		// Fill TLS callbacks
		pImage->peImage.GetTLSCallbacks(pImage->imgMem.Ptr<ptr_t>(), pImage->tlsCallbacks);
		// Unload local copy
		pImage->peImage.Release();
		// Release ownership of image memory block
		pImage->imgMem.Release();
		// Store image
		_images.emplace_back(std::move(pImage));
		return pMod;
	}
Exemple #2
0
void Win32DllLoader::OverrideImports(const std::string &dll)
{
  std::wstring strdllW;
  g_charsetConverter.utf8ToW(CSpecialProtocol::TranslatePath(dll), strdllW, false);
  BYTE* image_base = (BYTE*)GetModuleHandleW(strdllW.c_str());

  if (!image_base)
  {
    CLog::Log(LOGERROR, "%s - unable to GetModuleHandle for dll %s", __FUNCTION__, dll.c_str());
    return;
  }

  PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)image_base;
  PIMAGE_NT_HEADERS nt_header = (PIMAGE_NT_HEADERS)(image_base + dos_header->e_lfanew); // e_lfanew = value at 0x3c

  PIMAGE_IMPORT_DESCRIPTOR imp_desc = (PIMAGE_IMPORT_DESCRIPTOR)(
    image_base + nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

  if (!imp_desc)
  {
    CLog::Log(LOGERROR, "%s - unable to get import directory for dll %s", __FUNCTION__, dll.c_str());
    return;
  }

  // loop over all imported dlls
  for (int i = 0; imp_desc[i].Characteristics != 0; i++)
  {
    char *dllName = (char*)(image_base + imp_desc[i].Name);

    // check whether this is one of our dll's.
    if (NeedsHooking(dllName))
    {
      // this will do a loadlibrary on it, which should effectively make sure that it's hooked
      // Note that the library has obviously already been loaded by the OS (as it's implicitly linked)
      // so all this will do is insert our hook and make sure our DllLoaderContainer knows about it
      HMODULE hModule = dllLoadLibraryA(dllName);
      if (hModule)
        m_referencedDlls.push_back(hModule);
    }

    PIMAGE_THUNK_DATA orig_first_thunk = (PIMAGE_THUNK_DATA)(image_base + imp_desc[i].OriginalFirstThunk);
    PIMAGE_THUNK_DATA first_thunk = (PIMAGE_THUNK_DATA)(image_base + imp_desc[i].FirstThunk);

    // and then loop over all imported functions
    for (int j = 0; orig_first_thunk[j].u1.Function != 0; j++)
    {
      void *fixup = NULL;
      if (orig_first_thunk[j].u1.Function & 0x80000000)
        ResolveOrdinal(dllName, (orig_first_thunk[j].u1.Ordinal & 0x7fffffff), &fixup);
      else
      { // resolve by name
        PIMAGE_IMPORT_BY_NAME orig_imports_by_name = (PIMAGE_IMPORT_BY_NAME)(
          image_base + orig_first_thunk[j].u1.AddressOfData);

        ResolveImport(dllName, (char*)orig_imports_by_name->Name, &fixup);
      }/*
      if (!fixup)
      { // create a dummy function for tracking purposes
        PIMAGE_IMPORT_BY_NAME orig_imports_by_name = (PIMAGE_IMPORT_BY_NAME)(
          image_base + orig_first_thunk[j].u1.AddressOfData);
        fixup = CreateDummyFunction(dllName, (char*)orig_imports_by_name->Name);
      }*/
      if (fixup)
      {
        // save the old function
        Import import;
        import.table = &first_thunk[j].u1.Function;
        import.function = first_thunk[j].u1.Function;
        m_overriddenImports.push_back(import);

        DWORD old_prot = 0;

        // change to protection settings so we can write to memory area
        VirtualProtect((PVOID)&first_thunk[j].u1.Function, 4, PAGE_EXECUTE_READWRITE, &old_prot);

        // patch the address of function to point to our overridden version
        first_thunk[j].u1.Function = (DWORD)fixup;

        // reset to old settings
        VirtualProtect((PVOID)&first_thunk[j].u1.Function, 4, old_prot, &old_prot);
      }
    }
  }
}
Exemple #3
0
/// <summary>
/// Get existing module or map it if absent
/// </summary>
/// <param name="path">Image path</param>
/// <param name="flags">Mapping flags</param>
/// <returns>Module info</returns>
const ModuleData* MMap::FindOrMapModule( const std::wstring& path, int flags /*= NoFlags*/ )
{
    std::unique_ptr<ImageContext> pImage( new ImageContext() );

    pImage->FilePath = path;
    pImage->FileName = Utils::StripPath( pImage->FilePath );
    pImage->flags = static_cast<eLoadFlags>(flags);

    // Load and parse image
    if (!pImage->FileImage.Project( path ) || !pImage->PEImage.Parse( pImage->FileImage, pImage->FileImage.isPlainData() ))
        return nullptr;

    // Check if already loaded
    if (auto hMod = _process.modules().GetModule( path, LdrList, pImage->PEImage.mType() ))
        return hMod;

    // Try to map image in high memory range
    if (flags & MapInHighMem)
    {
        if (AllocateInHighMem( pImage->imgMem, pImage->PEImage.imageSize() ) == false)
            pImage->imgMem = _process.memory().Allocate( pImage->PEImage.imageSize( ), 
                                                         PAGE_EXECUTE_READWRITE, pImage->PEImage.imageBase() );
    }
    // Try to map image at it's original ASRL-aware base
    else
    {
        pImage->imgMem = _process.memory().Allocate( pImage->PEImage.imageSize(), 
                                                     PAGE_EXECUTE_READWRITE, pImage->PEImage.imageBase() );
    }

    if (!pImage->imgMem.valid())
        return nullptr;

    // Create Activation context for SxS
    // .exe files usually contain manifest under id of 1
    // .dll files have manifest under id of 2
    if (!(flags & NoSxS))
        CreateActx( path, pImage->FileImage.manifestID() );

    // Manual Debug tests only
    /*if (!(flags & NoExceptions))
    {
        MExcept::pImageBase = pImage->image.ptr<void*>( );
        MExcept::imageSize = pImage->PEImage.imageSize( );
    }*/

    // Core image mapping operations
    if (!CopyImage( pImage.get() ) || !RelocateImage( pImage.get() ))
        return nullptr;

    auto mt = pImage->PEImage.mType();
    auto pMod = _process.modules().AddManualModule( pImage->FilePath, 
                                                    pImage->imgMem.ptr<module_t>(),
                                                    pImage->imgMem.size(), mt );

    // Import tables
    if (!ResolveImport( pImage.get() ) || (!(flags & NoDelayLoad) && !ResolveImport( pImage.get(), true )))
    {
        _process.modules().RemoveManualModule( pImage->FileName, mt );
        return nullptr;
    }

    // Apply proper memory protection for sections
    ProtectImageMemory( pImage.get() );

    // Make exception handling possible (C and C++)
    if (!(flags & NoExceptions) && !EnableExceptions( pImage.get() ))
    {
        _process.modules().RemoveManualModule( pImage->FileName, mt );
        return nullptr;
    }

    // Unlink image from VAD list
    if (flags & UnlinkVAD)
        UnlinkVad( pImage->imgMem );

    // Initialize security cookie
    if (!InitializeCookie( pImage.get() ))
    {
        _process.modules().RemoveManualModule( pImage->FileName, mt );
        return nullptr;
    }

    // Create reference for native loader functions
    if (flags & CreateLdrRef)
        _process.nativeLdr().CreateNTReference( pImage->imgMem.ptr<HMODULE>(), pImage->PEImage.imageSize(), pImage->FilePath );


    // Static TLS data
    if (!(flags & NoTLS) &&! InitStaticTLS( pImage.get( ) ))
    {
        _process.modules().RemoveManualModule( pImage->FileName, mt );
        return nullptr;
    }
    
    // Fill TLS callbacks
    pImage->PEImage.GetTLSCallbacks( pImage->imgMem.ptr<ptr_t>(), pImage->tlsCallbacks );

    // Get entry point
    pImage->EntryPoint = pImage->PEImage.entryPoint( pImage->imgMem.ptr<ptr_t>() );

    // Unload local copy
    pImage->FileImage.Release();

    // Release image
    pImage->imgMem.Release();

    // Store image
    _images.emplace_back( std::move( pImage ) );
    return pMod;
}