diff --git a/client/common/Python-dynload.c b/client/common/Python-dynload.c
index 3e008261..3e28b97d 100644
--- a/client/common/Python-dynload.c
+++ b/client/common/Python-dynload.c
@@ -153,8 +153,9 @@ BOOL initialize_python(int argc, char *argv[], BOOL is_shared_object) {
 Py_IncRef(py_argv);
- for (i = 0; iaddress == sectionData->alignedAddress && (sectionData->last || module->headers->OptionalHeader.SectionAlignment == module->pageSize ||
- (sectionData->size % module->pageSize) == 0)
- ) {
+ (sectionData->size % module->pageSize) == 0))
+ {
 // Only allowed to decommit whole pages
+ dprint(
+ "VirtualFree: %p - %p (%lu)\n",
+ sectionData->address, (PCHAR) sectionData->address + sectionData->size, sectionData->size
+ );
+ VirtualFree(sectionData->address, sectionData->size, MEM_DECOMMIT);
 }
 return TRUE;
@@ -213,6 +218,10 @@ FinalizeSection(PMEMORYMODULE module, PSECTIONFINALIZEDATA sectionData) {
 }
 // change memory access flags
+ dprint(
+ "VirtualProtect: %p - %p (%lu) %08x\n",
+ sectionData->address, (PCHAR) sectionData->address + sectionData->size, sectionData->size, protect
+ );
 if (VirtualProtect(sectionData->address, sectionData->size, protect, &oldProtect) == 0) {
 #ifdef DEBUG_OUTPUT
 OutputLastError("Error protecting memory page");
@@ -285,7 +294,8 @@ ExecuteTLS(PMEMORYMODULE module)
 PIMAGE_TLS_DIRECTORY tls;
 PIMAGE_TLS_CALLBACK* callback;
- PIMAGE_DATA_DIRECTORY directory = GET_HEADER_DICTIONARY(module, IMAGE_DIRECTORY_ENTRY_TLS);
+ PIMAGE_DATA_DIRECTORY directory = GET_HEADER_DICTIONARY(
+ module, IMAGE_DIRECTORY_ENTRY_TLS);
 if (directory->VirtualAddress == 0) {
 return TRUE;
 }
@@ -294,6 +304,7 @@ ExecuteTLS(PMEMORYMODULE module)
 callback = (PIMAGE_TLS_CALLBACK *) tls->AddressOfCallBacks;
 if (callback) {
 while (*callback) {
+ dprint("Call TLS Callback %p\n", callback);
 (*callback)((LPVOID) codeBase, DLL_PROCESS_ATTACH, NULL);
 callback++;
 }
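Review bot: The `%lu` conversion used for `sectionData->size` in the new VirtualProtect trace, and in the VirtualFree trace added in the preceding FinalizeSection hunk, is narrower than the argument if `size` is `SIZE_T` as in the upstream MemoryModule (64 bits on Win64 while `unsigned long` stays 32 bits), so the printed size is truncated to its low 32 bits on x64 and the call is undefined by the C standard. Either cast the argument, `(unsigned long) sectionData->size`, or use a size-correct conversion (`%Iu` with the MSVC CRT, `%zu` where a C99-conformant printf is in use), in both traces. FinalizeSection's body begins outside these hunks.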
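Review bot: The added trace prints `callback`, which is the address of the slot in the TLS callback array, not the function the next line invokes through `*callback`; the line should be `dprint("Call TLS Callback %p\n", (LPVOID) *callback);` so the log shows the callback that actually runs, and the cast keeps `%p` paired with a pointer-to-void in the same way the `(LPVOID) codeBase` argument below does. ExecuteTLS starts before this hunk.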
@@ -809,10 +820,12 @@ HMEMORYMODULE MemoryLoadLibraryEx(
 dprint("MemoryLoadLibraryEx: Library loaded\n");
+#ifndef DEBUG
 // Cleanup PE headers
 CleanupHeaders(result);
 dprint("MemoryLoadLibraryEx: headers cleaned up\n");
+#endif
 return (HMEMORYMODULE)result;
diff --git a/client/sources/MemoryModule.h b/client/sources/MemoryModule.h
index 24d8fafe..490c4e9c 100644
--- a/client/sources/MemoryModule.h
+++ b/client/sources/MemoryModule.h
@@ -39,14 +39,14 @@ typedef void *HCUSTOMMODULE;
 extern "C" {
 #endif
-typedef HMODULE (*CustomGetModuleHandleA)(LPCSTR);
-typedef HMODULE (*CustomGetModuleHandleW)(LPCWSTR);
-typedef HMODULE (*CustomLoadLibraryExA)(LPCSTR, HANDLE, DWORD);
-typedef HMODULE (*CustomLoadLibraryExW)(LPCWSTR, HANDLE, DWORD);
-typedef HCUSTOMMODULE (*CustomLoadLibraryW)(LPCWSTR);
-typedef HCUSTOMMODULE (*CustomLoadLibraryA)(LPCSTR);
-typedef FARPROC (*CustomGetProcAddress)(HCUSTOMMODULE, LPCSTR);
-typedef void (*CustomFreeLibraryFunc)(HCUSTOMMODULE);
+typedef HMODULE (CALLBACK *CustomGetModuleHandleA)(LPCSTR);
+typedef HMODULE (CALLBACK *CustomGetModuleHandleW)(LPCWSTR);
+typedef HMODULE (CALLBACK *CustomLoadLibraryExA)(LPCSTR, HANDLE, DWORD);
+typedef HMODULE (CALLBACK *CustomLoadLibraryExW)(LPCWSTR, HANDLE, DWORD);
+typedef HCUSTOMMODULE (CALLBACK *CustomLoadLibraryW)(LPCWSTR);
+typedef HCUSTOMMODULE (CALLBACK *CustomLoadLibraryA)(LPCSTR);
+typedef FARPROC (CALLBACK *CustomGetProcAddress)(HCUSTOMMODULE, LPCSTR);
+typedef void (CALLBACK *CustomFreeLibraryFunc)(HCUSTOMMODULE);
 /**
 * Load EXE/DLL from memory location.
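Review bot: Guarding CleanupHeaders with `#ifndef DEBUG` leaves the loaded image in different states in debug and release builds (PE headers kept vs. wiped), and the other debug-only code in this file keys on `DEBUG_OUTPUT` (see `#ifdef DEBUG_OUTPUT` in FinalizeSection), so it is worth confirming that `DEBUG` is the macro the build actually defines. The motive for keeping the headers is not recorded; a comment on the `#ifndef`, `// DEBUG builds keep the PE headers mapped: <reason>`, would stop the next reader from treating the difference as an oversight. MemoryLoadLibraryEx's body starts outside this hunk.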
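Review bot: Adding `CALLBACK` to the Custom* function-pointer typedefs changes their calling convention to stdcall on x86, so every function stored in them must carry the same attribute; the My* implementations are updated in this commit, but any default handlers assigned inside MemoryModule.c (upstream MemoryModule ships `_LoadLibrary`, `_GetProcAddress` and `_FreeLibrary` for that purpose) are not visible in this diff and would be a silent x86 ABI mismatch if they stayed cdecl. A one-line comment above the typedef group, `/* CALLBACK: implementations must use the same (stdcall on x86) convention */`, would make the contract explicit for future implementers.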
@@ -85,14 +85,6 @@ FARPROC MemoryGetProcAddress(HMEMORYMODULE, LPCSTR);
 */
 void MemoryFreeLibrary(HMEMORYMODULE);
-HMODULE MyGetModuleHandleA(LPCSTR name);
-HMODULE MyGetModuleHandleW(LPCWSTR name);
-HMODULE MyLoadLibraryA(LPCSTR name);
-HMODULE MyLoadLibraryW(LPCWSTR name);
-
-HMODULE MyLoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags);
-HMODULE MyLoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags);
-
 #ifdef __cplusplus
 }
 #endif
diff --git a/client/sources/MyLoadLibrary.c b/client/sources/MyLoadLibrary.c
index 07043a5a..5a87236a 100644
--- a/client/sources/MyLoadLibrary.c
+++ b/client/sources/MyLoadLibrary.c
@@ -252,7 +252,7 @@ static PHCUSTOMLIBRARY _AddMemoryModule(
 /****************************************************************
 * Public functions
 */
-HMODULE MyGetModuleHandleA(LPCSTR name)
+HMODULE CALLBACK MyGetModuleHandleA(LPCSTR name)
 {
 PHCUSTOMLIBRARY lib;
@@ -331,7 +331,8 @@ BOOL _CreateModuleMapping(HMODULE hModule, HANDLE *phMapping, PVOID *ppvMem)
 return TRUE;
 }
-HMODULE MyLoadLibraryEx(LPCSTR name, void *bytes, void *dllmainArg, BOOL blPrivate)
+HMODULE
+MyLoadLibraryEx(LPCSTR name, void *bytes, void *dllmainArg, BOOL blPrivate)
 {
 HMODULE hLoadedModule = NULL;
@@ -402,7 +403,7 @@ HMODULE MyLoadLibraryEx(LPCSTR name, void *bytes, void *dllmainArg, BOOL blPriva
 return LoadLibrary(name);
 }
-HMODULE MyGetModuleHandleW(LPCWSTR name) {
+HMODULE CALLBACK MyGetModuleHandleW(LPCWSTR name) {
 PSTR pszName = NULL;
 HMODULE hResult = NULL;
 DWORD dwRequiredSize = WideCharToMultiByte(
@@ -435,7 +436,7 @@ HMODULE MyGetModuleHandleW(LPCWSTR name) {
 return GetModuleHandleW(name);
 }
-HMODULE MyLoadLibraryExA(LPCSTR name, HANDLE hFile, DWORD dwFlags) {
+HMODULE CALLBACK MyLoadLibraryExA(LPCSTR name, HANDLE hFile, DWORD dwFlags) {
 HMODULE hModule = MyGetModuleHandleA(name);
 if (hModule) return hModule;
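Review bot: The `Public functions` banner above MyGetModuleHandleA now fronts a mix of conventions — the A/W entry points gain `CALLBACK` here and in the `@@ -402`, `@@ -435` and following hunks, while `MyLoadLibraryEx` in the `@@ -331` hunk keeps the default — and nothing says why. A line in the banner such as ` * Functions marked CALLBACK are installed through the Custom* pointer typedefs in MemoryModule.h and must keep that convention; the others are called directly.` would document the split. Each of these functions continues outside its hunk.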
@@ -443,7 +444,7 @@ HMODULE MyLoadLibraryExA(LPCSTR name, HANDLE hFile, DWORD dwFlags) {
 return LoadLibraryExA(name, hFile, dwFlags);
 }
-HMODULE MyLoadLibraryExW(LPCWSTR name, HANDLE hFile, DWORD dwFlags) {
+HMODULE CALLBACK MyLoadLibraryExW(LPCWSTR name, HANDLE hFile, DWORD dwFlags) {
 HMODULE hModule = MyGetModuleHandleW(name);
 if (hModule) return hModule;
@@ -451,7 +452,7 @@ HMODULE MyLoadLibraryExW(LPCWSTR name, HANDLE hFile, DWORD dwFlags) {
 return LoadLibraryExW(name, hFile, dwFlags);
 }
-HMODULE MyLoadLibraryA(LPCSTR name) {
+HMODULE CALLBACK MyLoadLibraryA(LPCSTR name) {
 HMODULE hModule = MyGetModuleHandleA(name);
 if (hModule) return hModule;
@@ -459,7 +460,7 @@ HMODULE MyLoadLibraryA(LPCSTR name) {
 return LoadLibraryA(name);
 }
-HMODULE MyLoadLibraryW(LPCWSTR name) {
+HMODULE CALLBACK MyLoadLibraryW(LPCWSTR name) {
 HMODULE hModule = MyGetModuleHandleW(name);
 if (hModule) return hModule;
@@ -467,7 +468,7 @@ HMODULE MyLoadLibraryW(LPCWSTR name) {
 return LoadLibraryW(name);
 }
-BOOL MyFreeLibrary(HMODULE module)
+BOOL CALLBACK MyFreeLibrary(HMODULE module)
 {
 PHCUSTOMLIBRARY lib = _FindMemoryModule(NULL, module);
 if (lib) {
@@ -540,7 +541,7 @@ BOOL isAllowedSymbol(PHCUSTOMLIBRARY lib, LPCSTR procname) {
 return FALSE;
 }
-FARPROC MyGetProcAddress(HMODULE module, LPCSTR procname)
+FARPROC CALLBACK MyGetProcAddress(HMODULE module, LPCSTR procname)
 {
 PHCUSTOMLIBRARY lib;
 FARPROC fpFunc = NULL;
diff --git a/client/sources/MyLoadLibrary.h b/client/sources/MyLoadLibrary.h
index 71c1feb5..9119477f 100644
--- a/client/sources/MyLoadLibrary.h
+++ b/client/sources/MyLoadLibrary.h
@@ -3,16 +3,22 @@
 #include
+#ifndef CALLBACK
+#define CALLBACK WINAPI
+#endif
+
 HMODULE MyLoadLibrary(LPCSTR, void *, void *);
 HMODULE MyLoadLibraryEx(LPCSTR, void *, void *, BOOL);
-HMODULE MyGetModuleHandle(LPCSTR);
-BOOL MyFreeLibrary(HMODULE);
+HMODULE CALLBACK MyLoadLibraryA(LPCSTR);
+HMODULE CALLBACK MyLoadLibraryW(LPCWSTR);
+HMODULE CALLBACK MyLoadLibraryExA(LPCSTR name, HANDLE hFile, DWORD dwFlags);
+HMODULE CALLBACK MyLoadLibraryExW(LPCWSTR name, HANDLE hFile, DWORD dwFlags);
+HMODULE CALLBACK MyGetModuleHandleA(LPCSTR name);
+HMODULE CALLBACK MyGetModuleHandleW(LPCWSTR name);
+FARPROC CALLBACK MyGetProcAddress(HMODULE, LPCSTR);
+BOOL CALLBACK MyFreeLibrary(HMODULE module);
-HMODULE MyLoadLibraryA(LPCSTR);
-HMODULE MyLoadLibraryW(LPCWSTR);
-
-FARPROC MyGetProcAddress(HMODULE, LPCSTR);
 FARPROC MyFindProcAddress(LPCSTR modulename, LPCSTR procname);
 VOID MySetLibraries(PVOID pLibraries);
diff --git a/client/sources/Python-dynload-os.h b/client/sources/Python-dynload-os.h
index 2836269a..b5e8bbba 100644
--- a/client/sources/Python-dynload-os.h
+++ b/client/sources/Python-dynload-os.h
@@ -14,10 +14,10 @@
 #define PATH_MAX 260
 #endif
-typedef FARPROC (*resolve_symbol_t) (HMODULE hModule, const char *name);
+typedef FARPROC (WINAPI *resolve_symbol_t) (HMODULE hModule, const char *name);
 static char *OSGetProgramName() {
- static char *program_name = NULL;
+ static const char *program_name = "";
 static BOOL is_set = FALSE;
 wchar_t exe[PATH_MAX];
diff --git a/client/sources/pupy_load.c b/client/sources/pupy_load.c
index 1e54b98e..ecf6f5bf 100644
--- a/client/sources/pupy_load.c
+++ b/client/sources/pupy_load.c
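Review bot: The fallback `#define CALLBACK WINAPI` only takes effect when `CALLBACK` is undefined, and the Windows header that defines `WINAPI` normally defines `CALLBACK` alongside it, so the guard is either dead or expands to an undeclared identifier when neither is present; if the goal is to compile this header without the Windows headers, the fallback needs a real definition (`__stdcall` on x86, empty elsewhere), otherwise the three lines can go. The old `HMODULE MyGetModuleHandle(LPCSTR);` declaration is dropped without a replacement of that name, so any caller outside this diff that still uses it either fails to compile or is implicitly declared on older toolchains, and a grep before merge would settle that.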
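Review bot: `program_name` becomes `const char *` but the enclosing `OSGetProgramName` still returns `char *`, so returning it directly discards the qualifier (a `-Wall` warning in C, a hard error if the header is ever included from C++) unless there is a cast further down, which lies outside the hunk; the cleaner fix is `static const char *OSGetProgramName(void)` with callers adjusted. Switching the not-yet-set value from NULL to `""` also changes what a caller sees before `is_set` is TRUE, which is only safe if no caller tests the result for NULL; the rest of the function is outside the hunk.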
@@ -166,6 +166,30 @@ static const PSTR Kernel32AllowedPrefixes[] = {
 "Write", "Read", "Terminate", "Resume", "Virtual", "Reg", NULL
 };
+
+typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
+LPFN_ISWOW64PROCESS fnIsWow64Process;
+
+BOOL IsWow64()
+{
+#ifdef WIN_X86
+ BOOL bIsWow64 = TRUE;
+
+ //IsWow64Process is not available on all supported versions of Windows.
+ //Use GetModuleHandle to get a handle to the DLL that contains the function
+ //and GetProcAddress to get a pointer to the function if available.
+
+ fnIsWow64Process = (LPFN_ISWOW64PROCESS) GetProcAddress(
+ GetModuleHandle("kernel32"),"IsWow64Process");
+
+ if(NULL != fnIsWow64Process)
+ fnIsWow64Process(GetCurrentProcess(),&bIsWow64);
+
+ return bIsWow64;
+#else
+ return FALSE;
+#endif
+}
 #endif
 void initialize(BOOL isDll, on_exit_session_t *cb) {
@@ -185,9 +209,13 @@ void initialize(BOOL isDll, on_exit_session_t *cb) {
 dprint("TEMPLATE REV: %s\n", GIT_REVISION_HEAD);
 #ifdef _PUPY_PRIVATE_NT
- hNtDll = GetModuleHandleA("NTDLL.DLL");
- hKernelBase = GetModuleHandleA("KERNELBASE.DLL");
- hKernel32 = GetModuleHandleA("KERNEL32.DLL");
+ if (IsWow64()) {
+ dprint("WOW64 + _PUPY_PRIVATE_NT known to be broken right now\n");
+ } else {
+ hNtDll = GetModuleHandleA("NTDLL.DLL");
+ hKernelBase = GetModuleHandleA("KERNELBASE.DLL");
+ hKernel32 = GetModuleHandleA("KERNEL32.DLL");
+ }
 if (hNtDll && hKernel32 && hKernelBase) {
 HMODULE hPrivate;
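Review bot: `fnIsWow64Process` and `IsWow64` are defined with external linkage although nothing in this hunk needs them outside pupy_load.c; `static LPFN_ISWOW64PROCESS fnIsWow64Process;` and `static BOOL IsWow64(void)` keep them out of the link namespace and give the function a complete prototype. The `bIsWow64 = TRUE` default, together with the ignored return value of `fnIsWow64Process`, means a missing export or a failed call is treated as WOW64 and so disables the private-NT path; that is a defensible conservative choice but deserves a comment, e.g. `// Default to TRUE: unless the OS confirms a native x86 process, keep the private NT path off`. On non-WIN_X86 builds the function returns FALSE and the global is never used, which an `#ifdef WIN_X86` around the global would tidy.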
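Review bot: In the WOW64 branch the three handles keep whatever value they held before this block, so the later `if (hNtDll && hKernel32 && hKernelBase)` only bypasses the private path if they were initialised to NULL, which happens outside this hunk and is worth confirming. The dprint says the combination is broken but not what the process does instead; a comment on the `else`, `// WOW64: private NT resolution is skipped; <state what is used instead>`, would record the fallback behaviour. initialize's body continues outside the hunk.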