UACME/Source/Yuubari/sup.c

/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2017
*
*  TITLE:       SUP.C
*
*  VERSION:     1.0F
*
*  DATE:        13 Feb 2017
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"

/*
* supIsCorImageFile
*
* Purpose:
*
* Return true if image has CliHeader entry, false otherwise.
*
*/
BOOL supIsCorImageFile(
    PVOID ImageBase
    )
{
    BOOL                bResult = FALSE;
    ULONG               sz = 0;
    IMAGE_COR20_HEADER *CliHeader;

    if (ImageBase) {
        CliHeader = RtlImageDirectoryEntryToData(ImageBase, TRUE,
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &sz);

        if ((CliHeader == NULL) || (sz < sizeof(IMAGE_COR20_HEADER)))
            return bResult;
        bResult = TRUE;
    }
    return bResult;
}

/*
* supReadKeyString
*
* Purpose:
*
* Read string value from registry key.
*
*/
LPWSTR supReadKeyString(
    HKEY hKey,
    LPWSTR KeyValue,
    PDWORD pdwDataSize
    )
{
    LRESULT lRet;
    LPWSTR  lpString = NULL;

    if (pdwDataSize == NULL)
        return NULL;

    lRet = RegQueryValueEx(hKey, KeyValue, NULL,
        NULL, NULL, pdwDataSize);
    if (lRet == ERROR_SUCCESS) {
        lpString = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, *pdwDataSize);
        if (lpString != NULL) {
            lRet = RegQueryValueEx(hKey, KeyValue, NULL,
                NULL, (LPBYTE)lpString, pdwDataSize);
            if (lRet != ERROR_SUCCESS) {
                HeapFree(GetProcessHeap(), 0, lpString);
                lpString = NULL;
            }
        }
    }
    return lpString;
}

/*
* supQueryKeyName
*
* Purpose:
*
* Get key name from handle.
*
*/
PVOID supQueryKeyName(
    HKEY hKey,
    PSIZE_T ReturnedLength
    )
{
    NTSTATUS    status;
    ULONG       ulen = 0;
    SIZE_T      sz = 0;
    PVOID       ReturnBuffer = NULL;

    POBJECT_NAME_INFORMATION pObjName = NULL;

    NtQueryObject(hKey, ObjectNameInformation, NULL, 0, &ulen);
    pObjName = (POBJECT_NAME_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ulen);
    if (pObjName) {
        status = NtQueryObject(hKey, ObjectNameInformation, pObjName, ulen, NULL);
        if (NT_SUCCESS(status)) {
            if ((pObjName->Name.Buffer != NULL) && (pObjName->Name.Length > 0)) {
                sz = (_strlen(pObjName->Name.Buffer) * sizeof(WCHAR)) + sizeof(UNICODE_NULL);
                ReturnBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz);
                if (ReturnBuffer) {
                    _strncpy((LPTSTR)ReturnBuffer, sz / sizeof(WCHAR), pObjName->Name.Buffer, sz / sizeof(WCHAR));
                    if (ReturnedLength)
                        *ReturnedLength = sz;
                }
            }
        }
        HeapFree(GetProcessHeap(), 0, pObjName);
    }
    return ReturnBuffer;
}

/*
* supIsProcess32bit
*
* Purpose:
*
* Return TRUE if given process is under WOW64, FALSE otherwise.
*
*/
BOOLEAN supIsProcess32bit(
    _In_ HANDLE hProcess
    )
{
    NTSTATUS status;
    PROCESS_EXTENDED_BASIC_INFORMATION pebi;

    if (hProcess == NULL) {
        return FALSE;
    }

    //query if this is wow64 process
    RtlSecureZeroMemory(&pebi, sizeof(pebi));
    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
    status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);
    if (NT_SUCCESS(status)) {
        return (pebi.IsWow64Process == 1);
    }
    return FALSE;
}

/*
* supFindPattern
*
* Purpose:
*
* Lookup pattern in buffer.
*
*/
PVOID supFindPattern(
    CONST PBYTE Buffer,
    SIZE_T BufferSize,
    CONST PBYTE Pattern,
    SIZE_T PatternSize
    )
{
    PBYTE	p = Buffer;

    if (PatternSize == 0)
        return NULL;
    if (BufferSize < PatternSize)
        return NULL;
    BufferSize -= PatternSize;

    do {
        p = memchr(p, Pattern[0], BufferSize - (p - Buffer));
        if (p == NULL)
            break;

        if (memcmp(p, Pattern, PatternSize) == 0)
            return p;

        p++;
    } while (BufferSize - (p - Buffer) > 0); //-V555

    return NULL;
}

/*
* supRegReadDword
*
* Purpose:
*
* Read DWORD value from given key.
*
*/
LRESULT supRegReadDword(
    _In_ HKEY hKey,
    _In_ LPWSTR lpValueName,
    _In_ LPDWORD Value
)
{
    LRESULT lResult;
    DWORD dwValue = 0, bytesIO;

    bytesIO = sizeof(DWORD);
    lResult = RegQueryValueEx(hKey, lpValueName,
        NULL, NULL,
        (LPBYTE)&dwValue, &bytesIO);

    if (lResult == ERROR_SUCCESS) {
        if (Value)
            *Value = dwValue;
    }
    return lResult;
}

/*
* supQueryNtBuildNumber
*
* Purpose:
*
* Query NtBuildNumber value from ntoskrnl image.
*
*/
BOOL supQueryNtBuildNumber(
    _Inout_ PULONG BuildNumber
)
{
    BOOL bResult = FALSE;
    HMODULE hModule;
    PVOID Ptr;
    WCHAR szBuffer[MAX_PATH * 2];

    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    _strcpy(szBuffer, USER_SHARED_DATA->NtSystemRoot);
    _strcat(szBuffer, L"\\system32\\ntoskrnl.exe");

    hModule = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES);
    if (hModule == NULL)
        return bResult;

#pragma warning(push)
#pragma warning(disable: 4054)//code to data
    Ptr = (PVOID)GetProcAddress(hModule, "NtBuildNumber");
#pragma warning(pop)
    if (Ptr) {
        *BuildNumber = (*(PULONG)Ptr & 0xffff);
        bResult = TRUE;
    }
    FreeLibrary(hModule);
    return bResult;
}
v 2.5.6 Kongou removed from main executable, see ucmGWX function description for more info, made Yuubari module public, rearranged readme file. 2017-02-19 05:48:36 +00:00			`/*******************************************************************************`
			`*`
			`* (C) COPYRIGHT AUTHORS, 2014 - 2017`
			`*`
			`* TITLE: SUP.C`
			`*`
			`* VERSION: 1.0F`
			`*`
			`* DATE: 13 Feb 2017`
			`*`
			`* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF`
			`* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED`
			`* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A`
			`* PARTICULAR PURPOSE.`
			`*`
			`*******************************************************************************/`
			`#include "global.h"`

			`/*`
			`* supIsCorImageFile`
			`*`
			`* Purpose:`
			`*`
			`* Return true if image has CliHeader entry, false otherwise.`
			`*`
			`*/`
			`BOOL supIsCorImageFile(`
			`PVOID ImageBase`
			`)`
			`{`
			`BOOL bResult = FALSE;`
			`ULONG sz = 0;`
			`IMAGE_COR20_HEADER *CliHeader;`

			`if (ImageBase) {`
			`CliHeader = RtlImageDirectoryEntryToData(ImageBase, TRUE,`
			`IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &sz);`

			`if ((CliHeader == NULL) \|\| (sz < sizeof(IMAGE_COR20_HEADER)))`
			`return bResult;`
			`bResult = TRUE;`
			`}`
			`return bResult;`
			`}`

			`/*`
			`* supReadKeyString`
			`*`
			`* Purpose:`
			`*`
			`* Read string value from registry key.`
			`*`
			`*/`
			`LPWSTR supReadKeyString(`
			`HKEY hKey,`
			`LPWSTR KeyValue,`
			`PDWORD pdwDataSize`
			`)`
			`{`
			`LRESULT lRet;`
			`LPWSTR lpString = NULL;`

			`if (pdwDataSize == NULL)`
			`return NULL;`

			`lRet = RegQueryValueEx(hKey, KeyValue, NULL,`
			`NULL, NULL, pdwDataSize);`
			`if (lRet == ERROR_SUCCESS) {`
			`lpString = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, *pdwDataSize);`
			`if (lpString != NULL) {`
			`lRet = RegQueryValueEx(hKey, KeyValue, NULL,`
			`NULL, (LPBYTE)lpString, pdwDataSize);`
			`if (lRet != ERROR_SUCCESS) {`
			`HeapFree(GetProcessHeap(), 0, lpString);`
			`lpString = NULL;`
			`}`
			`}`
			`}`
			`return lpString;`
			`}`

			`/*`
			`* supQueryKeyName`
			`*`
			`* Purpose:`
			`*`
			`* Get key name from handle.`
			`*`
			`*/`
			`PVOID supQueryKeyName(`
			`HKEY hKey,`
			`PSIZE_T ReturnedLength`
			`)`
			`{`
			`NTSTATUS status;`
			`ULONG ulen = 0;`
			`SIZE_T sz = 0;`
			`PVOID ReturnBuffer = NULL;`

			`POBJECT_NAME_INFORMATION pObjName = NULL;`

			`NtQueryObject(hKey, ObjectNameInformation, NULL, 0, &ulen);`
			`pObjName = (POBJECT_NAME_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ulen);`
			`if (pObjName) {`
			`status = NtQueryObject(hKey, ObjectNameInformation, pObjName, ulen, NULL);`
			`if (NT_SUCCESS(status)) {`
			`if ((pObjName->Name.Buffer != NULL) && (pObjName->Name.Length > 0)) {`
			`sz = (_strlen(pObjName->Name.Buffer) * sizeof(WCHAR)) + sizeof(UNICODE_NULL);`
			`ReturnBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz);`
			`if (ReturnBuffer) {`
			`_strncpy((LPTSTR)ReturnBuffer, sz / sizeof(WCHAR), pObjName->Name.Buffer, sz / sizeof(WCHAR));`
			`if (ReturnedLength)`
			`*ReturnedLength = sz;`
			`}`
			`}`
			`}`
			`HeapFree(GetProcessHeap(), 0, pObjName);`
			`}`
			`return ReturnBuffer;`
			`}`

			`/*`
			`* supIsProcess32bit`
			`*`
			`* Purpose:`
			`*`
			`* Return TRUE if given process is under WOW64, FALSE otherwise.`
			`*`
			`*/`
			`BOOLEAN supIsProcess32bit(`
			`_In_ HANDLE hProcess`
			`)`
			`{`
			`NTSTATUS status;`
			`PROCESS_EXTENDED_BASIC_INFORMATION pebi;`

			`if (hProcess == NULL) {`
			`return FALSE;`
			`}`

			`//query if this is wow64 process`
			`RtlSecureZeroMemory(&pebi, sizeof(pebi));`
			`pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);`
			`status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);`
			`if (NT_SUCCESS(status)) {`
			`return (pebi.IsWow64Process == 1);`
			`}`
			`return FALSE;`
			`}`

			`/*`
			`* supFindPattern`
			`*`
			`* Purpose:`
			`*`
			`* Lookup pattern in buffer.`
			`*`
			`*/`
			`PVOID supFindPattern(`
			`CONST PBYTE Buffer,`
			`SIZE_T BufferSize,`
			`CONST PBYTE Pattern,`
			`SIZE_T PatternSize`
			`)`
			`{`
			`PBYTE p = Buffer;`

			`if (PatternSize == 0)`
			`return NULL;`
			`if (BufferSize < PatternSize)`
			`return NULL;`
			`BufferSize -= PatternSize;`

			`do {`
			`p = memchr(p, Pattern[0], BufferSize - (p - Buffer));`
			`if (p == NULL)`
			`break;`

			`if (memcmp(p, Pattern, PatternSize) == 0)`
			`return p;`

			`p++;`
v 2.7.0 Wow64 logger added as #30, newest Enigma0x3 method added as #31, overall program redesign and rewrite of several methods, fixes and Simda method #5 works again (fixed regression of previous builds), Yuubari updated for Win10 rs2 15063. 2017-03-25 12:39:31 +00:00			`} while (BufferSize - (p - Buffer) > 0); //-V555`
v 2.5.6 Kongou removed from main executable, see ucmGWX function description for more info, made Yuubari module public, rearranged readme file. 2017-02-19 05:48:36 +00:00
			`return NULL;`
			`}`
Yuubari update COMAutoApprovalList dumping for RS1+, verbose mode (/v), more appinfo settings display,15046 appinfo support, some corrections 2017-03-02 04:19:49 +00:00
			`/*`
			`* supRegReadDword`
			`*`
			`* Purpose:`
			`*`
			`* Read DWORD value from given key.`
			`*`
			`*/`
			`LRESULT supRegReadDword(`
			`_In_ HKEY hKey,`
			`_In_ LPWSTR lpValueName,`
			`_In_ LPDWORD Value`
			`)`
			`{`
			`LRESULT lResult;`
			`DWORD dwValue = 0, bytesIO;`

			`bytesIO = sizeof(DWORD);`
			`lResult = RegQueryValueEx(hKey, lpValueName,`
			`NULL, NULL,`
			`(LPBYTE)&dwValue, &bytesIO);`

			`if (lResult == ERROR_SUCCESS) {`
			`if (Value)`
			`*Value = dwValue;`
			`}`
			`return lResult;`
			`}`
v 2.8.1 Windows 10 RS4 compatibility changes 2017-10-30 03:30:38 +00:00
			`/*`
			`* supQueryNtBuildNumber`
			`*`
			`* Purpose:`
			`*`
			`* Query NtBuildNumber value from ntoskrnl image.`
			`*`
			`*/`
			`BOOL supQueryNtBuildNumber(`
			`_Inout_ PULONG BuildNumber`
			`)`
			`{`
			`BOOL bResult = FALSE;`
			`HMODULE hModule;`
			`PVOID Ptr;`
			`WCHAR szBuffer[MAX_PATH * 2];`

			`RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));`
			`_strcpy(szBuffer, USER_SHARED_DATA->NtSystemRoot);`
			`_strcat(szBuffer, L"\\system32\\ntoskrnl.exe");`

			`hModule = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES);`
			`if (hModule == NULL)`
			`return bResult;`

			`#pragma warning(push)`
			`#pragma warning(disable: 4054)//code to data`
			`Ptr = (PVOID)GetProcAddress(hModule, "NtBuildNumber");`
			`#pragma warning(pop)`
			`if (Ptr) {`
			`BuildNumber = ((PULONG)Ptr & 0xffff);`
			`bResult = TRUE;`
			`}`
			`FreeLibrary(hModule);`
			`return bResult;`
			`}`